This paper proposed an identity-based steganographic scheme, where a receiver with certain authority can recover the secret message ready for him, but cannot detect the existence of other secret messages. The proposed scheme created several separate covert communication channels tagged by the Fuzzy Identity-Based Encryption (FIBE) in one grayscale image. Then each channel is used to embed one secret message by using any content-aware steganographic scheme. Receivers with different attributes can extract different messages corresponded. The Experiments illustrated the feasibility of this identity-based secret message extraction. Further, the proposed scheme presents high undetectability against steganalytic attack launched by receivers without corresponded attributes.
Steganography has been widely applied to secure communication especially in military espionage for a long time. It hides sensitive messages in a cover such as images. The redundancy of these covers is employed for embedding to avoid the hidden messages being detected. So existed steganaographic schemes absorb in improving the undetectability of the hidden messages against different kinds of steganalytic tools.
Steganalytic schemes at [
Existed steganographic schemes only consider honest receivers and improve the entire security of the hidden messages. Due to the speciality of STC, every receiver with the knowledge of the existence of the hidden messages can extract all the secrets from the cover. However, some receivers may be corrupted in practice. If there are betrayers in the receivers, the secret will be leaked. What’s more, secret messages are usually at specified sensitive levels, one cannot access, or even detect the existence of all these messages. If there are several messages at different security levels that want to be sent, existed steganographic schemes can only embed them into several covers to avoid secret leakage, which increases the communication cost. Additional information will also be necessary to distinguish different owners of these stego images. This is unsafe and inconvenient for practical secure communication.
In this paper, we propose a multiple embedding scheme by combining the Fuzzy Identity-Based Encryption [
There are various utilities for the proposed scheme. First, the embedded messages can be partially secure in the presence of corrupted receivers. As shown in the experiments, these receivers cannot detect the other embedded messages with their current knowledge. Second, a hierarchical extraction is available. Consider such a scenario where an operator receives a piece of digital works and finds that there are secret messages with the aid of his identity. He then forwards it to the persons concerned. The ones with higher-level identities can extract more messages, whose existence would not be known to the operator or the others.
The rest of this paper is organized as follows. Section 2 is to introduce the related works of our scheme. In Section 3, we will introduce our propose methods in detail. The experimental result will be show in Section 4 to compare our methods with current methods, and analyze the results. Finally, the paper is concluded in Section 5.
Fuzzy Identity-Based Encryption (FIBE) is a kind of public key cryptography. Its algorithm model designed is based on the Shamir’s Secret Sharing [
Setup(d). The authorized agency chooses random y , t 1 , ⋯ , t n ∈ ℤ q . ℤ q is a Galois field of prime number q. G 1 and G 2 are cyclical groups of q, they exist bilinear paring G 1 × G 1 → G 2 . The system public key PK is:
( Y = e ( g , g ) y , T = g t , ∀ t ∈ ℤ q , g ∈ G 1 )
Then the master key MK is:
( y , t 1 , ⋯ , t n ) .
Key Generation. The authorized agency randomly chooses a d − 1 times polynomial p ( x ) satisfying p ( 0 ) = y . We suppose that A u are the attributes of users. Then the private key of the user is:
( D = g p ( i ) t i , ∀ i ∈ A u ) .
Encryption. We supposed that A c is the attribute set for decryption. Then the sender employs it to encrypt the secret ∈ G 2 . Randomly choosing s ∈ ℤ q , the cipher text is:
( A c , E = e ( g , g ) s y M , E i = g t i s , ∀ i ∈ A c ) .
Decryption. When the receiver receives the cipher text, if | A c ∩ A u | > d , he chooses d attributes out of | A c ∩ A u | , and calculates e ( E i , D i ) = e ( g , g ) p ( i ) s . We can find that:
Y s = e ( g , g ) y s = e ( g , g ) p ( 0 ) s
according to the Lagrange interpolation formula. Then he can decrypt M = E / Y s .
After embedding a certain amount of information, pixel values must change in spatial domain of secret images. The difference of pixel values existing between the cover image and the secret image, is generally called distortion. The quantization of image distortion is generally defined by the distortion function. The larger the value of the distortion function, the lower the security of the model.
The distortion function is usually expressed as a mathematical function. The distortion of additive distortion function is generally formed by the cumulative value of each pixel. The mathematical expression is generally expressed as:
D ( X , Y ) = ∑ i = 1 n 1 ∑ j = 1 n 2 ρ i , j ( X , Y i , j ) | X i , j − Y i , j | ,
n1 and n2 indicate how many pixels are in the horizontal and vertical columns of the cover image, and Xi,j and Yi,j denote the values of the pixel corresponding to the i-th row and j-th column of the cover image respectively. ρ i , j represents the cost of changing the pixel value from Xi,j to Yi,j. The value of ρ i , j is determined by the cost function. The quality of the cost function determines the effect of information embedding. For example, the cost function of WOW [
ρ i = ∑ γ = 1 3 | | F ( γ ) ∗ X | ∗ | F ( γ ) | ↶ | − 1
The wavelet bank is F ( 1 ) = h ⋅ g T , F ( 2 ) = g ⋅ h T , F ( 3 ) = g ⋅ g T , g and h are respectively the low-pass and high-pass filters of the Daubechies 8 wavelet decomposition filter. * represents the image filling convolution operation, ↶ represents the matrix is rotated 90 degrees counterclockwise. After calculating the cost of each point, it is sent to the STC to get the embedded image.
Our method is demonstrated in
According to Section 2, we suppose that the sender has a set of attributes A u S = { A u 1 , A u 2 , ⋯ , A u N } , all the attributes employed to extract the mask are from this set. Assume the m messages that will be embedded are M s = { M 1 , M 2 , ⋯ , M m } . The attributes which can be used to extract the i-th mask are denoted as A u M i ⊆ A u S . Supposing that A u M i has k attributes, any j ( j ≤ k ) among k attributes of A u M i can extract the mask. We consider these j attributes as a threshold. Then the ℤ q = { t 1 , t 2 , ⋯ , t N } are denoted as the manifold of A u S .
For the i-th message M i , we choose the corresponding set ℤ i ⊆ ℤ q of A u M i and a random y i ∈ ℤ q . Let g 1 be a generator of G 1 . The public key of M i is PK = ( Y i = e ( g 1 , g 1 ) y i , T i = g 1 t i , ∀ t i ∈ ℤ i ) . The master key of M i is MK = ( ℤ i , y i ) .
For the receiver, we suppose he has a set of j attributes. We choose a random j-1 order function p ( x ) satisfying p ( 0 ) = y . Then the secret key of the receiver is SK = ( D j = g p ( j ) / t j , ∀ j ∈ ℤ i ) .
Suppose there are m messages to be embedded. We will introduce the procedure of embedding one message, saying, the i-th message. Label each pixel of the image with a unique integer x (Note that the receiver and sender have negotiated the label method). At first, we choose g 2 ∈ G 1 , and calculate K ( x ) = g 2 x , which is the projection of the pixel in G 1 . Then we choose a random s ∈ ℤ q and use E n i ( x ) = e ( g 1 , g 1 ) s y i K ( x ) m o d r , where r is the number of regions, to generate a mask M a s k i = { E n i ( x ) } according to the labels of each pixel. By using this mask, we can divide the cover into r regions.
Secondly, we choose one of the r regions to embed the i-th message, denoted as R i . In this paper, we use the distortion function defined in WOW (Holub & Fridrich, 2012; Holub) to calculate the costs of changing pixels. Note that the employing of the distortion function is arbitrary. After that, to the pixels which do not belong to the selected region or belong to R j , j ≠ i , we set their costs as + ∞ . Then we employ STC to embed the i-th message into the cover and obtain a temporary stego image I i ¯ . Record the embedding modification Δ i = I i ¯ − I . It can be observed that all the nonzero elements in Δ i are located in the selected region.
The procedures of embedding each message should be performed simultaneously, because calculating the cost of a pixel requires the selected regions associated with each message. After all the m messages have been embedded. We combine the modification as Δ = ∑ i = 1 I Δ i , and generate the final stego image by I ¯ = I + Δ .
At last, we send the stego image I ¯ along with the decryption attribute sets ( A u M i , E i = g 1 t i s , ∀ i ∈ A u M i , g 2 ) to the receivers. The sets can be embedded in the stego image or sent in other secret ways. We will not discuss here.
The extraction procedure is demonstrated in
After receiving the stego image, the receiver calculates K ( x ) = g 2 S ( x ) according to subsection 3.2. We suppose his attribute set is A r ⊆ A u S , and the i-th message need j attributes to extract. If | A r ∩ A u M i | ≥ j , the receiver can extract the i-th message. Then the receiver choose j attributes from A r ∩ A u M i , and calculate e ( E i , D i ) = e ( g 1 , g 1 ) p ( i ) s . Then we have Y i s = e ( g 1 , g 1 ) y i s according to the Lagrange interpolation formula. Finally, we can get E n i ( x ) = Y i K ( x ) and the mask of i-th message. After dividing the stego image into r regions, we employ STC to extract the message from the selected region.
To evaluate the performance of the proposed scheme, we employ 10,000 images of size 512 × 512 from the Boss Base 2 [
We suppose the region number is r, the message number is m. In each round, every region can employ 1/r of pixels to carry one message. Note that it is possible that averagely 1/r of the selected region’s pixels appear at the regions selected in other m-1 rounds. To deal with this, we define the function of average maximal total payload (AMTP) as:
AMTP = m × 1 r ( 1 − 1 r ) m − 1 . (1)
ATMP represents the maximum total embedding payload that an image can embed in multiple messages in normal situation. According to Equation (1), we calculate the relationship of some situations as in
Region Message | 2 | 3 | 4 | 5 | 6 |
---|---|---|---|---|---|
2 | 0.500 | 0.444 | 0.375 | 0.320 | 0.278 |
3 | 0.375 | 0.444 | 0.422 | 0.384 | 0.347 |
4 | 0.250 | 0.395 | 0.422 | 0.410 | 0.386 |
5 | 0.156 | 0.329 | 0.396 | 0.410 | 0.402 |
6 | 0.094 | 0.263 | 0.356 | 0.393 | 0.402 |
A r A u M i | {1, 2} | {1, 3, 5} | {2, 3, 5} | {1, 4} | {1, 2, 3, 4, 5} |
---|---|---|---|---|---|
1 of {1, 4} | true | true | false | true | true |
2 of {3, 5} | false | true | true | false | true |
2 of {1, 4, 5} | false | true | false | true | true |
3 of {2, 3, 5} | false | false | true | false | true |
4 of {1, 2, 3, 4, 5} | false | false | false | false | true |
In
We use two distortion functions, namely WOW and S-UINWARD, to control the embedding distortions in the proposed scheme. The region number is set as 2. The securities of the proposed scheme and the original ones are compared in
more difficult to analyze the statistical features. So our scheme has a higher undetectability. Secondly, we compared the influence of different region numbers in the same payload in
In
Instead, a higher undetectability is achieved.
In this paper, we introduce the risk of the receiver’s unreliability, and present the idea of identity-based embedding. Based on the Fuzzy Identity-Based Encryption and WOW, we embed several messages simultaneously into one cover image. The receivers can only extract the message if his attributes is consistent. We first use the attributes set of i-th message to encrypt all the pixels of the cover image, and get the i-th mask to divide several regions. Then we employed one region to embed the i-th message after dealing with the cost of embedding.
By comparing with traditional methods, it can be observed that our proposed scheme is not inferior to them when embedding multiple messages in a low payload. When the payload is higher, our proposed scheme has more excellent experimental result. It is because that the unpredictability of regions copes with the steganalysis well. We also make a discussion between region number and message number, and analyze their average maximal total payload against security. Experiments support that the security of the remained messages will not be affected by knowing that some messages have been extracted.
Regarding the future work, we will try to improve the AMTP of our scheme by using other cryptography methods. Another potential improvement is expanding our scheme from spatial domain to other domains.
Xu, X.B. and Nie, Q.K. (2018) Identity-Based Steganography in Spatial Domain. Journal of Computer and Communications, 6, 68-77. https://doi.org/10.4236/jcc.2018.63005