COMPLEXITY-THEORETIC FOUNDATIONS OF

STEGANOGRAPHY AND COVERT COMPUTATION

Daniel Apon

TODAY’S TALK

Portrait of an invisible cake.

Hopefully we have a good handle on this!

Alice and Bob want to jointly compute a function without giving away their secrets!

We’re baking a steganographic cake!

Ingredients:

Normal cryptographic notions

Secure multi-party computation

And in the process we answer one of life’s ultimate questions!

How to find out if “he” or “she” is romantically interested in you, without risking embarrassment!

f(xa, xb) = ?

WHAT IS STEGANOGRAPHY?

See us? We’re not doing anything out of the ordinary!

I sure hope Ward didn’t notice!

Now, onto the technical fun stuff!

Woo-hoo!

PRELIMINARIESU(·) = uniform distribution over strings, functions, or finite sets

Given a distribution C over support X, the minimum entropy of C is:

PRELIMINARIESThe statistical distance between two distributions C and D with joint support X is:

Two sequences of distributions, {Ck}k and {Dk}k, are computationally indistinguishable (C ≈ D), if for any PPT adversary A:

is negligible in k.

PRELIMINARIESA family of functions Fk(·) is called pseudorandom if

for

is ≤ ε, for some negligible quantity ε.

PRELIMINARIESAn cryptosystem E is called indistinguishable from random under chosen plaintext attack if

for

is ≤ ε, for some negligible quantity ε.

PRELIMINARIESA channel Ch is a distribution on bit sequences with time-stamped bits, conditioned on the channel history h.Assume over blocks (e.g. symbols) of channel bits b:

Sometimes we think of channels as one-way, sometimes as bidirectional, and sometimes as supporting broadcast messages only.

(They all behave pretty much how you’d expect!)

STEGANOGRAPHYSteganographic theory and an

explicit construction of a steganographic system

STEGANOGRAPHY Intuitively, steganographic secrecy results from

messages that are indistinguishable from arbitrary distributions

First, we need a way to encode messages to achieve arbitrary indistinguishability

Then, we want to compose our new idea with canonical cryptographic themes to produce a functional steganographic system

STEGANOGRAPHY

A stegosystem is a pair of probabilistic algorithms (SE, SD) such that:

SEM takes as input a key {0,1}k, a hiddentext bit-string {0,1}*, a message history h, and a sampling oracle M(h) and returns a sequence of blocks c (the stegotext) from the support of Ch

SDM takes as input a key K, a stegotext c, a message history h, a sampling oracle M(h), and returns a hiddentext m.

STEGANOGRAPHY

Finally, there must be a polynomial p(k) > k such that SEM and SED also satisfy the following relationship:

STEGANOGRAPHYThe Rejection Sampling function:

STEGANOGRAPHY

STEGANOGRAPHY

STEGANOGRAPHY

STEGANOGRAPHYLemma. The probability of failure of RS in the S1 procedure is bounded from above by 3/8 + ε.

Let the channel in question have symbols {S1, …, Sk} and assign each symbol the occurrence probabilities {p1, …, pk} respectively.

Play the following bit-wise RS-based game:

1. Draw Sa from the channel. If F(N, Sa) is correct, output Sa.

2. Otherwise, draw Sb from the channel and output Sb.

STEGANOGRAPHYHow often do we “win”?

Let SE denote the result of this game. Let D denote the event of a non-collision (when the two symbols drawn are different). Note that two successful outcomes are possible here:

1. The first symbol drawn maps to 0 (success). (1/2)

2. The first symbol maps to 1 (failure), but the second symbol drawn is a different symbol that maps to 0. (1/4 Pr[D])

STEGANOGRAPHYSumming over the probabilities of each of these events gives:

Let Si be a symbol with the greatest occurrence probability. Then,

STEGANOGRAPHYAnd finally,

which bounds RS’s probability of failure at 3/8 + ε, which proves the lemma.

STEGANOGRAPHYFinally, we employ an error-correcting code to recover from RS’s chance to fail.

Intuitively, we’re equating sending messages over a noisy channel with the act of sending stegotexts when RS makes mistakes. Basically, we pad redundant parity data into our messages so that the message gets through (with overwhelming probability)!

A code with a stretch of 2n will correct for an error rate of up to 1/2. The well-known Hadamard code could easily be adapted here.

STEGANOGRAPHY

Theorem. If FK is pseudorandom, then S1 is universally steganographically secret against chosen hiddentext attacks.

COVERT COMPUTATIONCovert computation theory, encryption transformations between distributions, and an informal construction of a

two-party covert computation protocol

Would you like to run a covert protocol to determine if we are both members of a

secret, zombie army?

Um…

!!COVERT COMPUTATION

COVERT COMPUTATION STEP 1: First, we design a covert computation protocol

over the uniform channel U. STEP 2: Then, we develop a technique to transform any

stegosystem over the uniform channel into a stegosystem over an arbitrary channel B.

At the end, we have a covert computation protocol over the channel we’re interested in!

This is an important improvement in the overall strategy, because it modularizes and simplifies the design of covert protocols!

COVERT COMPUTATION: STEP 1To design a covert computation protocol over U, we will begin with two cryptographic primitives:

2. Yao’s Protocol for secure multi-party computation

1. Oblivious Transfer

COVERT COMPUTATION: STEP 1Oblivious Transfer

m1 m2 mn

…

I want mi.…whatever it is!

COVERT COMPUTATION: STEP 1Oblivious Transfer1. Alice generates RSA keys, including modulus N, the public exponent e, and the private exponent d, picks two random messages x0 and x1, and sends N, e, x0, and x1 to Bob.

2. Bob picks random message k, encrypts k, and adds xb to the encryption of k, modulo N, and sends the result v to Alice.

3. Alice computes k0 to be the decryption of v - x0 and k1 to be the decryption of v - x1 and sends m0 + k0 and m1+ k1 to Bob.

4. Bob knows kb and so subtracts this from the corresponding messages, obtaining mb from one of them.

COVERT COMPUTATION: STEP 1Yao’s Protocol

xaBut I want to know f(xa, xb)!!

xbI can’t tell you what xa is.

And I can’t tell you what xb is…

Ah ha!f(xa, xb)!!

COVERT COMPUTATION: STEP 1Yao’s ProtocolAssume f can be expressed as a combinatorial circuit that Bob knows. (WLOG, all gates have 2-fan-out.)

1. Bob assigns two uniformly random k-bit values each wire W of the circuit, representing the wire holding the value 0 or 1, respectively.

2. Then Bob assigns a random permutation πi over {0,1} to each wire. If a wire Wi originally had value bi, then it now has “garbled” value:

3. To each gate g, Bob assigns a unique identifier Ig and a table Tg.

4. Each gate g then uses a pseudorandom function F to “garble” its own functionality as follows:

COVERT COMPUTATION: STEP 1Yao’s Protocol

Yao’s Garbled Tables

That is, each Tg outputs the XOR of a pseudorandom function applied to the two values of the “garbled” input wires and the value of the “garbled” output wire.

The result is a bit string that is indistinguishable from random but that is uniquely identifiable and re-usable within the context of a specific execution of Yao’s protocol.

COVERT COMPUTATION: STEP 1Yao’s ProtocolThen to compute f:

1. Bob computes garbled tables Tg and sends them to Alice.

2. As Alice computes the necessary values of each circuit input wire i, Bob and Alice perform an oblivious transfer, with Bob playing the role of sender. Alice learns the uniformly random string that represents the true value, 0 or 1 respectively, for the wire she is interested in.

3. At the end of the protocol (determined by the number of gates in the circuit), Bob applies π-1 to the final output string to learn the value of the computed function.

COVERT COMPUTATION: STEP 1Finally, we define a new protocol COVERT-YAO that is Yao’s Protocol with the modification that all messages sent through oblivious transfers or elsewhere through Yao’s protocol are steganographically encoded over the uniform channel by being run through a stegosystem prior to being transmitted.

Theorem. The COVERT-YAO protocol covertly realizes any functionality f for the uniform channel, U.

COVERT COMPUTATION: STEP 2Now we need to develop a transformation algorithm that, given as input a covert computation protocol for the uniform channel U, outputs a covert computation protocol for an arbitrary channel B.

The first step is to recall the details of our previous stegosystem, and reword its description in terms of hash functions.

COVERT COMPUTATION: STEP 2

Let denote a pair-wise independent family of hash functions H: D {0,1}c.

Let denote an arbitrary distribution with support D.

Let m be the message length, let c be the encryption of hiddentext messages by an appropriate error-correcting code, and let k be an iteration bound.

Then we can reformulate S1 as follows:

COVERT COMPUTATION: STEP 2

COVERT COMPUTATION: STEP 2

Lemma. Let H . Then we have:

That is, the statistical distance between the channel and the output of Encode is negligible. Or in other words, the two distributions are statistically indistinguishable.

COVERT COMPUTATION: STEP 2

Therefore, we can covertly transmit over B by applying Encode at the end of any message-generating process to covert the distribution of bits sent to be statistically indistinguishable from other messages in B.

And so we can define the protocol as:

COVERT COMPUTATION: STEP 2

COVERT COMPUTATION: STEP 2And now, the big finish!

Theorem. If ∏ covertly realizes the functionality f for the uniform channel, then ∑∏ covertly realizes f for the bidirectional channel B.

Corollary. COVERT-YAO is a universal, two-party covert computation protocol.

Questions?