Transcript PPT

COMPLEXITY-THEORETIC FOUNDATIONS
OF STEGANOGRAPHY AND COVERT
COMPUTATION
Daniel Apon
TODAY’S TALK
We’re baking a steganographic cake!
Ingredients:
Normal cryptographic notions
Secure multi-party computation
And in the process we answer one of life’sf(x
ultimate
a , xb) = ?
questions!
Hopefully we have a
Alice and Bob want to
How
tohandle
find
out
if “he” or “she” is
good
on
jointly
compute
athis!
function
Portrait
an invisible cake.
without giving
awayoftheir
romantically
interested
in you, without
secrets!
risking embarrassment!
WHAT IS STEGANOGRAPHY?
See us? We’re not
doing anything out
of the ordinary!
I sure hope Ward
didn’t notice!
Now, onto the
technical fun stuff!
PRELIMINARIES
U(·) = uniform distribution over strings, functions,
or finite sets
Given a distribution C over support X, the minimum
entropy of C is:
PRELIMINARIES
The statistical distance between two distributions C and D
with joint support X is:
Two sequences of distributions, {Ck}k and {Dk}k, are
computationally indistinguishable (C ≈ D), if for any PPT
adversary A:
is negligible in k.
PRELIMINARIES
A family of functions Fk(·) is called pseudorandom if
for
is ≤ ε, for some negligible quantity ε.
PRELIMINARIES
An cryptosystem E is called indistinguishable from random
under chosen plaintext attack if
for
is ≤ ε, for some negligible quantity ε.
PRELIMINARIES
A channel Ch is a distribution on bit sequences with
time-stamped bits, conditioned on the channel
history h.
Assume over blocks (e.g. symbols) of channel bits b:
Sometimes we think of channels as one-way,
sometimes as bidirectional, and sometimes as
supporting broadcast messages only.
(They all behave pretty much how you’d expect!)
STEGANOGRAPHY
Steganographic theory and an
explicit construction of a steganographic system
STEGANOGRAPHY
Intuitively, steganographic secrecy results from
messages that are indistinguishable from arbitrary
distributions
 First, we need a way to encode messages to achieve
arbitrary indistinguishability
 Then, we want to compose our new idea with canonical
cryptographic themes to produce a functional
steganographic system

STEGANOGRAPHY
A stegosystem is a pair of probabilistic algorithms (SE, SD)
such that:
SEM takes as input a key {0,1}k, a hiddentext bit-string
{0,1}*, a message history h, and a sampling oracle M(h)
and returns a sequence of blocks c (the stegotext) from
the support of Ch
SDM takes as input a key K, a stegotext c, a message history
h, a sampling oracle M(h), and returns a hiddentext m.
STEGANOGRAPHY
Finally, there must be a polynomial p(k) > k such that SEM
and SED also satisfy the following relationship:
STEGANOGRAPHY
The Rejection Sampling function:
STEGANOGRAPHY
STEGANOGRAPHY
STEGANOGRAPHY
STEGANOGRAPHY
Lemma. The probability of failure of RS in the S1 procedure
is bounded from above by 3/8 + ε.
Let the channel in question have symbols {S1, …, Sk} and
assign each symbol the occurrence probabilities {p1, …, pk}
respectively.
Play the following bit-wise RS-based game:
1. Draw Sa from the channel. If F(N, Sa) is correct, output Sa.
2. Otherwise, draw Sb from the channel and output Sb.
STEGANOGRAPHY
How often do we “win”?
Let SE denote the result of this game. Let D denote
the event of a non-collision (when the two symbols
drawn are different). Note that two successful
outcomes are possible here:
1. The first symbol drawn maps to 0 (success). (1/2)
2. The first symbol maps to 1 (failure), but the
second symbol drawn is a different symbol that
maps to 0. (1/4 Pr[D])
STEGANOGRAPHY
Summing over the probabilities of each of these events
gives:
Let Si be a symbol with the greatest occurrence
probability. Then,
STEGANOGRAPHY
And finally,
which bounds RS’s probability of failure at 3/8 + ε,
which proves the lemma.
STEGANOGRAPHY
Finally, we employ an error-correcting code to recover from
RS’s chance to fail.
Intuitively, we’re equating sending messages over a
noisy channel with the act of sending stegotexts when
RS makes mistakes. Basically, we pad redundant parity
data into our messages so that the message gets
through (with overwhelming probability)!
A code with a stretch of 2n will correct for an error rate of up
to 1/2. The well-known Hadamard code could easily be
adapted here.
STEGANOGRAPHY
Theorem. If FK is pseudorandom, then S1 is universally
steganographically secret against chosen hiddentext
attacks.
COVERT COMPUTATION
Covert computation theory, encryption transformations
between distributions, and an informal construction of a
two-party covert computation protocol
Would you like to run a
covert protocol to determine
if we are both members of a
secret, zombie army?
COVERT COMPUTATION
!!
Um…
COVERT COMPUTATION
STEP 1: First, we design a covert computation protocol
over the uniform channel U.
 STEP 2: Then, we develop a technique to transform any
stegosystem over the uniform channel into a
stegosystem over an arbitrary channel B.
 At the end, we have a covert computation protocol over
the channel we’re interested in!

This is an important improvement in the overall strategy,
because it modularizes and simplifies the design of covert
protocols!
COVERT COMPUTATION: STEP 1
To design a covert computation protocol over U, we will
begin with two cryptographic primitives:
1. Oblivious Transfer
2. Yao’s Protocol for secure multi-party computation
COVERT COMPUTATION: STEP 1
Oblivious Transfer
m1
m2
mn
…
I want mi.
…whatever it is!
COVERT COMPUTATION: STEP 1
Oblivious Transfer
1. Alice generates RSA keys, including modulus N, the public
exponent e, and the private exponent d, picks two random
messages x0 and x1, and sends N, e, x0, and x1 to Bob.
2. Bob picks random message k, encrypts k, and adds xb to the
encryption of k, modulo N, and sends the result v to Alice.
3. Alice computes k0 to be the decryption of v - x0 and k1 to be
the decryption of v - x1 and sends m0 + k0 and m1+ k1 to Bob.
4. Bob knows kb and so subtracts this from the corresponding
messages, obtaining mb from one of them.
COVERT COMPUTATION: STEP 1 And I can’t tell
you what xb is…
Yao’s Protocol
xa
I can’t tell you
what xa is.
ha! to
ButAh
I want
f(xa,f(x
xb)!!
know
a, xb)!!
xb
COVERT COMPUTATION: STEP 1
Yao’s Protocol
Assume f can be expressed as a combinatorial circuit that Bob
knows. (WLOG, all gates have 2-fan-out.)
1. Bob assigns two uniformly random k-bit values each wire W of the
circuit, representing the wire holding the value 0 or 1, respectively.
2. Then Bob assigns a random permutation πi over {0,1} to each wire.
If a wire Wi originally had value bi, then it now has “garbled” value:
3. To each gate g, Bob assigns a unique identifier Ig and a table Tg.
4. Each gate g then uses a pseudorandom function F to “garble” its
own functionality as follows:
COVERT COMPUTATION: STEP 1
Yao’s Protocol
Yao’s Garbled Tables
That is, each Tg outputs the XOR of a pseudorandom
function applied to the two values of the “garbled” input
wires and the value of the “garbled” output wire.
The result is a bit string that is indistinguishable from
random but that is uniquely identifiable and re-usable
within the context of a specific execution of Yao’s protocol.
COVERT COMPUTATION: STEP 1
Yao’s Protocol
Then to compute f:
1. Bob computes garbled tables Tg and sends them to Alice.
2. As Alice computes the necessary values of each circuit input wire i, Bob
and Alice perform an oblivious transfer, with Bob playing the role of
sender. Alice learns the uniformly random string that represents the true
value, 0 or 1 respectively, for the wire she is interested in.
3. At the end of the protocol (determined by the number of gates in
the circuit), Bob applies π-1 to the final output string to learn the value
of the computed function.
COVERT COMPUTATION: STEP 1
Finally, we define a new protocol COVERT-YAO that is
Yao’s Protocol with the modification that all messages
sent through oblivious transfers or elsewhere through
Yao’s protocol are steganographically encoded over the
uniform channel by being run through a stegosystem
prior to being transmitted.
Theorem. The COVERT-YAO protocol covertly realizes any
functionality f for the uniform channel, U.
COVERT COMPUTATION: STEP 2
Now we need to develop a transformation algorithm that,
given as input a covert computation protocol for the
uniform channel U, outputs a covert computation protocol
for an arbitrary channel B.
The first step is to recall the details of our previous
stegosystem, and reword its description in terms of hash
functions.
COVERT COMPUTATION: STEP 2
Let denote a pair-wise independent family of hash
functions H: D {0,1}c.
Let
denote an arbitrary distribution with support D.
Let m be the message length, let c be the encryption of
hiddentext messages by an appropriate error-correcting
code, and let k be an iteration bound.
Then we can reformulate S1 as follows:
COVERT COMPUTATION: STEP 2
COVERT COMPUTATION: STEP 2
Lemma. Let H
. Then we have:
That is, the statistical distance between the channel and
the output of Encode is negligible. Or in other words, the
two distributions are statistically indistinguishable.
COVERT COMPUTATION: STEP 2
Therefore, we can covertly transmit over B by applying
Encode at the end of any message-generating process to
covert the distribution of bits sent to be statistically
indistinguishable from other messages in B.
And so we can define the protocol
as:
COVERT COMPUTATION: STEP 2
COVERT COMPUTATION: STEP 2
And now, the big finish!
Theorem. If ∏ covertly realizes the functionality f for the
uniform channel, then ∑∏ covertly realizes f for the
bidirectional channel B.
Corollary. COVERT-YAO is a universal, two-party covert
computation protocol.
Questions?