Abstract

This paper proposed an identity-based steganographic scheme, where a receiver with certain authority can recover the secret message ready for him, but cannot detect the existence of other secret messages. The proposed scheme created several separate covert communication channels tagged by the Fuzzy Identity-Based Encryption (FIBE) in one grayscale image. Then each channel is used to embed one secret message by using any content-aware steganographic scheme. Receivers with different attributes can extract different messages corresponded. The Experiments illustrated the feasibility of this identity-based secret message extraction. Further, the proposed scheme presents high undetectability against steganalytic attack launched by receivers without corresponded attributes.

Keywords

Steganography, Multiple Embedding, Fuzzy Identity-Based Encryption

Share and Cite:

1. Introduction

Steganography has been widely applied to secure communication especially in military espionage for a long time. It hides sensitive messages in a cover such as images. The redundancy of these covers is employed for embedding to avoid the hidden messages being detected. So existed steganaographic schemes absorb in improving the undetectability of the hidden messages against different kinds of steganalytic tools.

Steganalytic schemes at [1] [2] [3] [4] in spatial domain extract several sets of features from the cover, and then send them into the classifier such as [5] to analyze whether the test image conceals secret. In view of these, state-of-the-arts steganographic schemes mainly focus on exploring the undetectable region in an image. For example, schemes in [6] [7] extract the directional residuals of a cover image through filtering to define the textural region that is hard to model. Scheme in [8] [9] uses the multivariate Gaussian cover model to minimize the embedding distortion on statistics. What’s more, thanks to the research of Syndrome-Trellis Codes (STC) [10] , researchers no longer need to pay attention on the site of embedding, but only consider how to choose more appropriate distortion function.

Existed steganographic schemes only consider honest receivers and improve the entire security of the hidden messages. Due to the speciality of STC, every receiver with the knowledge of the existence of the hidden messages can extract all the secrets from the cover. However, some receivers may be corrupted in practice. If there are betrayers in the receivers, the secret will be leaked. What’s more, secret messages are usually at specified sensitive levels, one cannot access, or even detect the existence of all these messages. If there are several messages at different security levels that want to be sent, existed steganographic schemes can only embed them into several covers to avoid secret leakage, which increases the communication cost. Additional information will also be necessary to distinguish different owners of these stego images. This is unsafe and inconvenient for practical secure communication.

In this paper, we propose a multiple embedding scheme by combining the Fuzzy Identity-Based Encryption [11] with the typical steganographic techniques. In our scheme, the sender can embed multiple messages associated with different attributes into one cover simultaneously, so that receivers extract the messages in accordance with their identity attributes. Each message needs a specific set of attributes to extract. For those attributes unmatched, receivers even won’t know the existence of other embedded messages. In order to embed multiple messages, we generate masks for each message by using the FIBE based on their specific set of attributes. We embed messages according to their masks, and integrate them into one stego image. The receiver can locate the corresponding messages if and only if their identity attributes are matched, or they wouldn’t know where or whether the messages are hidden.

There are various utilities for the proposed scheme. First, the embedded messages can be partially secure in the presence of corrupted receivers. As shown in the experiments, these receivers cannot detect the other embedded messages with their current knowledge. Second, a hierarchical extraction is available. Consider such a scenario where an operator receives a piece of digital works and finds that there are secret messages with the aid of his identity. He then forwards it to the persons concerned. The ones with higher-level identities can extract more messages, whose existence would not be known to the operator or the others.

The rest of this paper is organized as follows. Section 2 is to introduce the related works of our scheme. In Section 3, we will introduce our propose methods in detail. The experimental result will be show in Section 4 to compare our methods with current methods, and analyze the results. Finally, the paper is concluded in Section 5.

2. Related Works

2.1. Fuzzy Identity-Based Encryption

Fuzzy Identity-Based Encryption (FIBE) is a kind of public key cryptography. Its algorithm model designed is based on the Shamir’s Secret Sharing [12] and bilinear pairings in cyclical group. The sender has a set of attributes and some of them are employ to encrypt the plain text, and only receivers whose attributes conform to the decryption attribute set can decrypt the cipher text. The specific steps of FIBE are described as following:

Setup(d). The authorized agency chooses random $y,t_1,\cdots ,t_n\in {\mathbb{Z}}_q$ . ${\mathbb{Z}}_q$ is a Galois field of prime number q. ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ are cyclical groups of q, they exist bilinear paring ${\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$ . The system public key PK is:

$\left(Y=e{\left(g,g\right)}^y,T=g^t,\forall t\in {\mathbb{Z}}_q,g\in {\mathbb{G}}_1\right)$

Then the master key MK is:

$\left(y,t_1,\cdots ,t_n\right)\text{.}$

Key Generation. The authorized agency randomly chooses a $d-1$ times polynomial $p\left(x\right)$ satisfying $p\left(0\right)=y$ . We suppose that ${\mathcal{A}}_u$ are the attributes of users. Then the private key of the user is:

$\left(D=g^{\frac{p\left(i\right)}{t_i}},\forall i\in {\mathcal{A}}_u\right)\text{.}$

Encryption. We supposed that ${\mathcal{A}}_c$ is the attribute set for decryption. Then the sender employs it to encrypt the secret $\in {\mathbb{G}}_2$ . Randomly choosing $s\in {\mathbb{Z}}_q$ , the cipher text is:

$\left({\mathcal{A}}_c,E=e{\left(g,g\right)}^{sy}M,E_i=g^{t_{i}s},\forall i\in {\mathcal{A}}_c\right).$

Decryption. When the receiver receives the cipher text, if $\left|{\mathcal{A}}_c\cap {\mathcal{A}}_u\right|>d$ , he chooses d attributes out of $\left|{\mathcal{A}}_c\cap {\mathcal{A}}_u\right|$ , and calculates $e\left(E_i,D_i\right)=e{\left(g,g\right)}^{p\left(i\right)s}$ . We can find that:

$Y^s=e{\left(g,g\right)}^{ys}=e{\left(g,g\right)}^{p\left(0\right)s}$

according to the Lagrange interpolation formula. Then he can decrypt $M=E/Y^s$ .

2.2. Steganographic Algorithm with Minimum Embedded Distortion

After embedding a certain amount of information, pixel values must change in spatial domain of secret images. The difference of pixel values existing between the cover image and the secret image, is generally called distortion. The quantization of image distortion is generally defined by the distortion function. The larger the value of the distortion function, the lower the security of the model.

The distortion function is usually expressed as a mathematical function. The distortion of additive distortion function is generally formed by the cumulative value of each pixel. The mathematical expression is generally expressed as:

$D\left(X,Y\right)=\underset{i=1}{\overset{n_1}{{\displaystyle \sum }}}\underset{j=1}{\overset{n_2}{{\displaystyle \sum }}}{\rho }_{i,j}\left(X,Y_{i,j}\right)\left|X_{i,j}-Y_{i,j}\right|,$

n₁ and n₂ indicate how many pixels are in the horizontal and vertical columns of the cover image, and X_i,j and Y_i,j denote the values of the pixel corresponding to the i-th row and j-th column of the cover image respectively. ${\rho }_{i,j}$ represents the cost of changing the pixel value from X_i,j to Y_i,j. The value of ${\rho }_{i,j}$ is determined by the cost function. The quality of the cost function determines the effect of information embedding. For example, the cost function of WOW [6] denoted as:

${\rho }_i=\underset{\gamma =1}{\overset{3}{{\displaystyle \sum }}}{\left|\left|F^{\left(\gamma \right)}\ast X\right|\ast {\left|F^{\left(\gamma \right)}\right|}^{\curvearrowleft }\right|}^{-1}$

The wavelet bank is $F^{\left(1\right)}=h\cdot g^T$ , $F^{\left(2\right)}=g\cdot h^T$ , $F^{\left(3\right)}=g\cdot g^T$ , g and h are respectively the low-pass and high-pass filters of the Daubechies 8 wavelet decomposition filter. * represents the image filling convolution operation, $\curvearrowleft$ represents the matrix is rotated 90 degrees counterclockwise. After calculating the cost of each point, it is sent to the STC to get the embedded image.

3. Proposed Embedding Method

Our method is demonstrated in Figure 1. We choose one gray level image to embed multiple messages. Assume we have m messages to embed. To embed the i-th message, we use the i-th key to generate a mask using FIBE. Then the cover is divided into several regions according to the mask. The i-th message will be embedded into one region selected. After m rounds’ embedding, all the m messages are embedded in the corresponded regions. By combining all the selected regions and the rest region of the image, we can reconstruct the stego image. The details are introduced in the following subsection.

3.1. Initialization

According to Section 2, we suppose that the sender has a set of attributes $\mathcal{A}{u}_S=\left\{A{u}_1,A{u}_2,\cdots ,A{u}_N\right\}$ , all the attributes employed to extract the mask are from this set. Assume the m messages that will be embedded are ${\mathcal{M}}_s=\left\{M_1,M_2,\cdots ,M_m\right\}$ . The attributes which can be used to extract the i-th mask are denoted as $\mathcal{A}{u}_{M_i}\subseteq \mathcal{A}{u}_S$ . Supposing that $\mathcal{A}{u}_{M_i}$ has k attributes, any $j\left(j\le k\right)$ among k attributes of $\mathcal{A}{u}_{M_i}$ can extract the mask. We consider these j attributes as a threshold. Then the ${\mathbb{Z}}_q=\left\{t_1,t_2,\cdots ,t_N\right\}$ are denoted as the manifold of $\mathcal{A}{u}_S$ .

For the i-th message $M_i$ , we choose the corresponding set ${\mathbb{Z}}_i\subseteq {\mathbb{Z}}_q$ of $\mathcal{A}{u}_{M_i}$ and a random $y_i\in {\mathbb{Z}}_q$ . Let $g_1$ be a generator of ${\mathbb{G}}_1$ . The public key of $M_i$ is $\text{PK}=\left(Y_i=e{\left(g_1,g_1\right)}^{y_i},T_i=g_1^{t_i},\forall t_i\in {\mathbb{Z}}_i\right)$ . The master key of $M_i$ is $\text{MK}=\left({\mathbb{Z}}_i,y_i\right)$ .

For the receiver, we suppose he has a set of j attributes. We choose a random j-1 order function $p\left(x\right)$ satisfying $p\left(0\right)=y$ . Then the secret key of the receiver is $\text{SK}=\left(D_j=g^{p\left(j\right)/t_j},\forall j\in {\mathbb{Z}}_i\right)$ .

3.2. Embedding

Suppose there are m messages to be embedded. We will introduce the procedure of embedding one message, saying, the i-th message. Label each pixel of the image with a unique integer x (Note that the receiver and sender have negotiated the label method). At first, we choose $g_2\in {\mathbb{G}}_1$ , and calculate $K_{\left(x\right)}=g_2^x$ , which is the projection of the pixel in ${\mathbb{G}}_1$ . Then we choose a random $s\in {\mathbb{Z}}_q$ and use $E{n}_{i\left(x\right)}=e{\left(g_1,g_1\right)}^{s{y}_i}{K}_{\left(x\right)}modr$ , where r is the number of regions, to generate a mask $Mas{k}_i=\left\{E{n}_{i\left(x\right)}\right\}$ according to the labels of each pixel. By using this mask, we can divide the cover into r regions.

Secondly, we choose one of the r regions to embed the i-th message, denoted as ${\mathcal{R}}_i$ . In this paper, we use the distortion function defined in WOW (Holub & Fridrich, 2012; Holub) to calculate the costs of changing pixels. Note that the employing of the distortion function is arbitrary. After that, to the pixels which do not belong to the selected region or belong to ${\mathcal{R}}_j,j\ne i$ , we set their costs as $+\infty$ . Then we employ STC to embed the i-th message into the cover and obtain a temporary stego image $\overline{I_i}$ . Record the embedding modification ${\Delta }_i=\overline{I_i}-I$ . It can be observed that all the nonzero elements in ${\Delta }_i$ are located in the selected region.

The procedures of embedding each message should be performed simultaneously, because calculating the cost of a pixel requires the selected regions associated with each message. After all the m messages have been embedded. We combine the modification as $\Delta ={\displaystyle {\sum }_{i=1}^I{\Delta }_i}$ , and generate the final stego image by $\bar{I}=I+\Delta$ .

At last, we send the stego image $\bar{I}$ along with the decryption attribute sets $\left(\mathcal{A}{u}_{M_i},E_i=g_1^{t_{i}s},\forall i\in \mathcal{A}{u}_{M_i},g_2\right)$ to the receivers. The sets can be embedded in the stego image or sent in other secret ways. We will not discuss here.

3.3. Extraction

The extraction procedure is demonstrated in Figure 2. Unlike the decryption of FIBE, our scheme intends to locate the secret base on the plain text, but not to decrypt the secret.

After receiving the stego image, the receiver calculates $K_{\left(x\right)}=g_2^{S_{\left(x\right)}}$ according to subsection 3.2. We suppose his attribute set is ${\mathcal{A}}_r\subseteq \mathcal{A}{u}_S$ , and the i-th message need j attributes to extract. If $\left|{\mathcal{A}}_r\cap \mathcal{A}{u}_{M_i}\right|\ge j$ , the receiver can extract the i-th message. Then the receiver choose j attributes from ${\mathcal{A}}_r\cap \mathcal{A}{u}_{M_i}$ , and calculate $e\left(E_i,D_i\right)=e{\left(g_1,g_1\right)}^{p\left(i\right)s}$ . Then we have $Y_i^s=e{\left(g_1,g_1\right)}^{y_{i}s}$ according to the Lagrange interpolation formula. Finally, we can get $E{n}_{i\left(x\right)}=Y_i{K}_{\left(x\right)}$ and the mask of i-th message. After dividing the stego image into r regions, we employ STC to extract the message from the selected region.

4. Experimental Result

4.1. Experiment Setup

To evaluate the performance of the proposed scheme, we employ 10,000 images of size 512 × 512 from the Boss Base 2 [13] as the test images. Pseudorandom binary sequences are employed as secret messages, which will be embedded in the stego images. These stego images are analyzed by the steganalytic features SRMQ (Fridrich & Kodovsky, 2012) combined with ensemble classifier (Kodovsky, Fridrich, & Holub, 2012). The OOB (out-of-bag) will be used as the secure index of steganographic schemes. At first, we combine the proposed scheme with the approaches WOW (Holub & Fridrich, 2012) and S-UINWARD (Holub, Fridrich, & Denemark, 2014) and compare the security between the proposed and the original. Secondly, we test the performances of varying the number of regions meanwhile fixing the total payload. Finally, we will test the security of the remained messages when some messages have been extracted.

4.2. Effectiveness Assessment

We suppose the region number is r, the message number is m. In each round, every region can employ 1/r of pixels to carry one message. Note that it is possible that averagely 1/r of the selected region’s pixels appear at the regions selected in other m-1 rounds. To deal with this, we define the function of average maximal total payload (AMTP) as:

$\text{AMTP}=m\times \frac{1}{r}{\left(1-\frac{1}{r}\right)}^{m-1}$ . (1)

ATMP represents the maximum total embedding payload that an image can embed in multiple messages in normal situation. According to Equation (1), we calculate the relationship of some situations as in Table 1. By choosing a suitable region number according to the message number, we can get a safe vocation for embedding. As a result, the message number is set as same as the region number in the propose method except noted.

Table 2 simulates some embedding situations. We embed the messages using different attributes sets, and test whether receivers have different attributes sets can extract the messages or not. It can be observed that only the receivers satisfied $\left|{\mathcal{A}}_r\cap \mathcal{A}{u}_{M_i}\right|\ge j$ can extract the i-th message.

In Figure 3, we can observe that the two messages embedded in one cover at the same time. The sites of the first message and second message are separated. What’s more, the sites of embedding are all in the undetectable region defined by WOW. It makes the stego images secure against steganalytic attacks.

We use two distortion functions, namely WOW and S-UINWARD, to control the embedding distortions in the proposed scheme. The region number is set as 2. The securities of the proposed scheme and the original ones are compared in Figure 4(a) by using SRMQ. It can be observed that the performance of the proposed method is approximate to the original ones in the case of lower payload, and performs better when the payload is high. This is because the embedded feature based on the mask makes the position of the embedded point relatively random. Then the steganalytic scheme performing on the entire image is

more difficult to analyze the statistical features. So our scheme has a higher undetectability. Secondly, we compared the influence of different region numbers in the same payload in Figure 4(b). When payload = 0.2, we can observe that the more regions, the higher E_OOB. When payload = 0.4, the E_OOB will reduce instead if the region number is relative high. It is because increasing the regions would reduce the AMTP value.

In Figure 5(a), we observe that when one message has been extracted, the E_OOB of other messages stay in a high level. It means that if someone extracted one of the messages, he can hardly ensure whether there are other messages embedded or not. In Figure 5(b), we can observe that the more messages to extract, the higher E_OOB of the remained messages to get. It means that the security of the remaining messages will not reduce with more messages have been extracted.

Instead, a higher undetectability is achieved.

5. Conclusions

In this paper, we introduce the risk of the receiver’s unreliability, and present the idea of identity-based embedding. Based on the Fuzzy Identity-Based Encryption and WOW, we embed several messages simultaneously into one cover image. The receivers can only extract the message if his attributes is consistent. We first use the attributes set of i-th message to encrypt all the pixels of the cover image, and get the i-th mask to divide several regions. Then we employed one region to embed the i-th message after dealing with the cost of embedding.

By comparing with traditional methods, it can be observed that our proposed scheme is not inferior to them when embedding multiple messages in a low payload. When the payload is higher, our proposed scheme has more excellent experimental result. It is because that the unpredictability of regions copes with the steganalysis well. We also make a discussion between region number and message number, and analyze their average maximal total payload against security. Experiments support that the security of the remained messages will not be affected by knowing that some messages have been extracted.

Regarding the future work, we will try to improve the AMTP of our scheme by using other cryptography methods. Another potential improvement is expanding our scheme from spatial domain to other domains.

Conflicts of Interest

The authors declare no conflicts of interest.

References