ContentslistsavailableatSciVerseScienceDirect
The
Journal
of
Systems
and
Software
jo u r n al h om ep a g e :w w w . e l s e v i e r . c o m / l o c a t e / j s s
A
covert
communication
method
via
spreadsheets
by
secret
sharing
with
a
self-authentication
capability
夽
Che-Wei
Lee
a,1,
Wen-Hsiang
Tsai
a,b,∗aDepartmentofComputerScienceandInformationEngineering,NationalChiaoTungUniversity,Hsinchu30010,Taiwan bDepartmentofInformationCommunication,AsiaUniversity,Taichung41354,Taiwan
a
r
t
i
c
l
e
i
n
f
o
Articlehistory: Received3March2012
Receivedinrevisedform18July2012 Accepted18August2012
Available online 30 August 2012 Keywords: Covertcommunication Secretsharing Informationhiding Self-authentication Spreadsheet
a
b
s
t
r
a
c
t
Anewcovertcommunicationmethodwithaself-authenticationcapabilityforsecretdatahidingin spreadsheetsusingtheinformationsharingtechniqueisproposed.Atthesendersite,asecretmessage istransformedintosharesbyShamir’s(k,n)-thresholdsecretsharingschemewithn=k+1,andthe generatedk+1sharesareembeddedintothenumberitemsinaspreadsheetasiftheyarepartofthe spreadsheetcontent.Andatthereceiversite,everyksharesamongthek+1onesthenareextractedfrom thestego-spreadsheettorecoverk+1copiesofthesecret,andtheconsistencyofthek+1copiesinvalue ischeckedtodeterminewhethertheembeddedsharesareintactornot,achievinganewtypeofblind self-authenticationoftheembeddedsecret.Bydividingthesecretmessageintosegmentsandapplying toeachsegmentthesecretsharingscheme,theintegrityandfidelityofthehiddensecretmessagecanbe verified,achievingacovertcommunicationprocesswiththedoublefunctionsofinformationhidingand self-authentication.Experimentalresultsanddiscussionsondataembeddingcapacity,authentication precision,andsteganalysisissuesarealsoincludedtoshowthefeasibilityoftheproposedmethod.
© 2012 Elsevier Inc. All rights reserved.
1. Introduction
Covertcommunicationisatechniqueofconcealingsecret
infor-mation into a cover medium in an imperceptible way or with
a camouflage effect such that only a sender and an intended
receiverknowtheexistenceofthehiddendataintheresulting
stego-medium.In theliterature, emphaseswere putonthe use
ofmultimedialikeimages,videos,and audios(Wu etal.,1999;
Gopalanetal.,2003;ChaeandManjunath,1999;Cheddadetal.,
2010)becausethesemediaingeneralprovidelargerembeddable
spacesandcauselesssuspicionduetotheirwidedistributions.And
weaknessesexistinginhumanbeings’visualcapabilitiesareoften
exploitedtodesigneffectivecovertcommunicationmethods.For
example,themethodsproposedinBenderetal.(1996),Wuand
Tsai(2003),andYangetal.(2008)replacetheleast-significantbits
ofpixelsincoverimagestoembedinformation,andthatofFridrich
夽 ThisworkissupportedfinanciallybytheNationalScienceCouncil,Taiwan,ROC underProjectNo.99-2631-H-009-001.
∗ Correspondingauthorat:DepartmentofComputerScienceandInformation Engineering,NationalChiaoTungUniversity,Hsinchu30010,Taiwan.
Tel.:+88635728368;fax:+88635734935.
E-mailaddresses:paradiserlee@gmail.com(C.-W.Lee), whtsai@cis.nctu.edu.tw(W.-H.Tsai).
1 Tel.:+88635728368;fax:+88635734935.
and Du (2000)usestheparities of palettecolors, composedby
similarcolors,torepresenthiddenmessagebits.
Inadditiontomethodsdevelopedformultimedia,severalothers
(BrassilandMaxemchuk,1999;LeeandTsai,2010a,b;Zhongetal., 2007;LiuandTsai,2007)usedcovermediaoftext,PDF,orWord
documentsforcovertcommunication.InBrassilandMaxemchuk
(1999),dataareembeddedbyslightlyadjustingthelines,tabs,or
charactersintextfiles.LeeandTsai(2010a,b)usedspecialASCII
codesinPDFfilestoembeddatabetweencharacters.LiuandTsai
(2007)madeuseofthechangetrackingfunctioninMicrosoftWord
toembeddataimperceptiblybyadocumentdegeneration
tech-nique.
Inthisstudy,weproposeanewcovertcommunicationmethod
which applies Shamir’s (k, n)-threshold secret sharing scheme
(Shamir,1979)withn=k+1toagivensecretitem toyieldk+1
shares,andthegeneratedk+1sharesareembeddedintothe
num-beritemsinaspreadsheetasiftheyarepartofthespreadsheet
content.Thepurposeoftransformingthesecretdataintosecret
sharesbythe(k,k+1)-thresholdsecretsharingschemeisnotto
enforcerobustness,buttoyieldablindself-authentication
capa-bility for the embedded secret. Conventionally, the concept of
(k,n)-thresholdsecretsharingisappliedtoprovide
destruction-tolerantcapabilities.Thatis,anyksharescollectedfromnonesmay
beprocessedtorevealthesharedsecreteventhoughupto(n−k)
sharesaredestroyed.Butintheproposedmethod,theschemeof
(k,k+1)-thresholdsecretsharingisdevelopedforthefirsttime
0164-1212/$–seefrontmatter © 2012 Elsevier Inc. All rights reserved. http://dx.doi.org/10.1016/j.jss.2012.08.048
Fig.1. Illustrationofproposedcovertcommunicationmethodviaspreadsheetsbysecretsharing.(a)Generationofastego-spreadsheet.(b)Self-authenticationofthe extractedmessage.
toprovideinsteadaself-authenticationcapabilitybycheckingthe
value-consistencyofk+1resultscomingfromallk+1combinations
todeterminewhethertheextractedsecret isintactornot.That
is,onlywhentheresultscomputedfromanyk sharescollected
fromk+1sharesareallidenticalinvaluecantheextractedsecret
bedecidedtobeintact.Fig.1illustratesthesecoreideasofthe
proposedmethod.
Moreover,toconcealthepresenceofhiddendata,secretshares
arespreadthroughoutthecoverspreadsheetinasparselyfashion.
Andaspreadsheetcontainingnumeralitemswithahighscatterlevel
ismoresuitabletobeusedasacoverspreadsheetforbetter
con-cealment.Meritsoftheproposedmethodincludethefollowing.(1)
Areceivercanconfirmthecorrectnessoftheextractedsecret
mes-sage.(2)Comparedwithsomemethodsusinghashcodesorparity
bitsasredundantdatatoensuretheauthenticityofretrieveddata,
onlyaminorredundancy,i.e.the(k+1)-thshare,isneededinthe
proposedmethod.(3)Byadaptivelychoosinginvolvedparameters,
i.e.thevalueofp,usedinthepolynomialofShamir’smethodfor
theselectedspreadsheet,thenumericalitems’valuesgeneratedby
themethodwillfallintoareasonablerangeofvalues,arousing
lit-tlesuspicionduringcovertcommunication.(4)Usingspreadsheets
ascovermedia,theproposedmethodisfree fromunintentional
destructionofhiddendatalikedatacompressionduringthesecret
transmissionordatakeepingprocess,incontrastwithcovermedia
likeimagesorvideoswhichareoftencompressedignorantlyinsuch
aprocess.Twoexamplesofsuchdocuments,MicrosoftExceland
GoogleDocs,areshowninFig.2.
Theremainderofthispaperisorganizedasfollows.InSection
2,theShamirmethodonwhichtheproposedmethodisbasedis
reviewedfirst.InSection3,thedetailsoftheproposedmethod,
includingsecretmessageembedding,secretmessageextraction,
andself-authenticationoftheextractedmessage,aredescribed.In
Section4,discussionsonrelatedissuesabouttheproposedmethod
aregiven.ExperimentalresultsarepresentedinSection5,followed
byconclusionsinSection6.
2. ReviewofShamir’smethodforsecretsharing
In the (k, n)-threshold secret sharing scheme proposed by
Shamir(1979)withk≤n,asecretdintheformofanintegeris
trans-formedintoshareswhichthenaredistributedtonparticipantsto
keep;andaslongasuptokofthensharescanbecollected,the
originalsecretcanberecovered.Thedetailoftheschememaybe
describedastwoalgorithmsinthefollowing.
Algorithm1. (k,n)-thresholdsecretsharing.
Input:a secretdin theformof aninteger,thenumber nof
participants,andathresholdknotlargerthann.
Output:nsharesintheformofintegersfornparticipantstokeep.
Steps.
1. Chooserandomlyaprimenumberpwhich islargerthanthe
secretd.
2.Selectk−1integervaluesc1,c2,...,ck−1withintherangeof0
throughp−1.
3.Selectndistinctrealvaluesforthevariablesx1,x2,...,xn.
4.Usethefollowing(k−1)-degreepolynomialtocomputen
func-tionvaluesF(xi),calledpartialshares:
F(xi)=(d+c1xi+c2xi2+···+ck−1xk−1i )mod p, (1)
fori=1,2,...,n.
5.Deliverthe2-tuple(xi,F(xi))asasharetotheithparticipant,
wherei=1,2,...,n.
Sincetherearekcoefficients,includingdandc1throughck−1,
in(1)above,itisnecessarytocollectatleastksharesfromthen
participantstoformkequationsoftheformof(1)tosolvethese
kcoefficients inordertorecoverthesecretd.Thisexplainsthe
term,threshold,forkandthename,(k,n)-threshold,fortheShamir
method.Belowisadescriptionoftheequation-solvingprocessfor
secretrecovery.
Algorithm2. Secretrecovery.
Input:k shares collectedfromthe n participantswhere k is
thethresholdmentionedinAlgorithm1;andtheprimenumber
pwhichwaschoseninStep1ofAlgorithm1.
Output:thesecretdhiddeninthesharesandthecoefficientsci
usedintheequationsdescribedby(1)inAlgorithm1,wherei=1,
2,...,k−1.
Steps.
1.Usethekshares(x1,F(x1)),(x2,F(x2)),...,(xk,F(xk))tosetupthe
followingequations:
F(xj)=(d+c1xj+c2xj2+···+ck−1xjk−1)modp, (2)
Fig.2.Examplesofspreadsheets.(a)MicrosoftExcel.(b)GoogleDocs.
2.SolvethekequationsabovebyLagrange’sinterpolationtoobtain
thedesiredsecretvalued(LinandTsai,2004)asfollows:
d=(−1)k−1
F(x1) x2x3...xk (x1−x2)(x1−x3)···(x1−xk)+F(x2 ) x1x2... xk (x2−x1)(x2−x3)···(x2−xk)+···+F(xk ) x1x2...xk−1 (xk−x1)(xk−x2)···(xk−xk−1) modp .3. Computethevaluesc1throughck−1 byexpandingthe
follow-ingequalityandcomparingtheresultwith(2)inStep1while
regardingthevariablexintheequalitybelowtobexjin(2):
F(x)=
F(x1) (x−x2)(x−x3 )···(x−xk) (x1−x2)(x1−x3)···(x1−xk)+F(x2 ) (x−x1)(x−x3)···(x−xk) (x2−x1)(x2−x3)···(x2−xk)+···+F(xk ) (x−x1)(x−x2)···(x−xk−1) (xk−x1)(xk−x2)···(xk−xk−1) mod p .Step3intheabovealgorithmis includedfor thepurposeof
computingthevaluesoftheparametersciintheproposedmethod.
Inotherapplications,ifonlythesecretvaluedneedberecovered,
thisstepmaybeeliminated.
3. Proposedcovertcommunicationmethodusing spreadsheets
3.1. Generationofastego-spreadsheet
In the proposed method, an appropriate cover spreadsheet
S which contains numeric data for disguising generated secret
sharesispreparedfirst.Next,asecretmessageMtobehiddenis
dividedintoseveralsegments,andtakenasinputtoShamir’s(k,
n)-thresholdsecretsharingscheme(Shamir,1979)withcarefully
chosenparameterstogeneratesecretshares.Then,numericitems
inSwhichareselectedbyasecretkeyarereplacedwiththeshares
togenerateastego-spreadsheetS.Inthis process,the
parame-tersinvolvedinEq.(1)ofAlgorithm1areadjustedtosatisfythe
characteristicsoftheinputsecretmessageandthepreparedcover
spreadsheet.Theseparametersinclude:(a)thenumbermofbits
ineachmessagesegment,whichisalsotakentobetheidentical
numbersofbitsinallofthecoefficientsd,c1throughck−1;(b)the
numberkofmessagesegmentsprocessedbytheShamirscheme
eachtime,whichisalsotheminimumnumberkofsecretshares
neededtobecollectedtorecoverthesecret;(c)thetotalnumber
nofgeneratedshares,whichissettobek+1specifically;(d)and
theprimenumberp,whichisthesmallestintegerlargerthanall
thevaluesofthecoefficientsd,c1throughck−1,andthevariables
x1throughxnusedinEq.(1)(Shamir,1979).
Adetailedalgorithmdescribingtheprocessispresentedinthe
following.
Algorithm3. Generationofastego-spreadsheet.
Input:abinarysecretmessageMdividedintom-bitsegments,
aspreadsheetS,asecretkeyK,andthreepre-selectedintegersk,n
(=k+1),andm.
Output:astego-spreadsheetS.
Steps.
Stage1–sharegeneration.
Step1.Choosethesmallestprimenumberpwhichislargerthan
2m−1.
Step2.Takesequentiallykunprocessedm-bitsegmentsfromM
toformagroupG,calledsegmentgroup,andperformthe
followingstepstotransformthesegmentgroupintopartial
shares.
2.1 Transform the k m-bit message segments in G into
integersandtaketheresultstobed,c1,c2,...,ck−1,
respectively.
2.2 Take x1 through xn to be the integers 1 through n,
respectively,wheren=k+1.
2.3 Usethefollowing(k−1)-degreepolynomialto
com-putenpartialsharesF(xi):
F(xi)=(d+c1xi+c2xi2+···+ck−1xk−1i )modp, (3)
wherei=1,2,...,n.
2.4 SaveallF(xi)inorderintoapartial-sharesetFps.
Step3.IfthemessagesegmentsinMarenotexhausted,thengo
toStep 2to processanothersegment group;otherwise,
continue.
Stage2– partialshareembedding.
Step4. TakeanunprocessedpartialshareF(xi)fromFps,and
4.1UsethesecretkeyKtorandomlyselectanumericitem
IinS.
4.2ReplaceIwithF(xi).
Step5.IfthereexistunprocessedpartialsharesinFps,gotoStep4;
otherwise,takethefinalSastheoutputS.
3.2. Algorithmfordataextractionandauthentication
Theproposedblindself-authenticationcapabilityforverifying
arecoveredsecretmessageisfulfilledbythe(k,k+1)-threshold
secretsharingscheme.Inthepast,theconceptof(k,n)-threshold
secretsharingisoftenappliedtodevelopmethodsforsecretimage
sharing(Linand Tsai,2004;Thienand Lin,2002;Chenand Lin,
2010)orimagerepairing(LeeandTsai,2010a,b)with
destruction-tolerant capabilities – any k shares collected from the n ones
maybeprocessedtorevealthesharedsecreteventhoughupto
(n−k)shares aredestroyed. Butin theproposedmethodhere,
theschemeof(k,k+1)-thresholdsecret sharingisdevelopedto
provideaself-authenticationcapabilityforverifyingthe
correct-nessofarecoveredsegmentgroupinthesecretmessage–anyk
sharescollectedfromthek+1onesshould,afterthesecret
recov-eryprocessofAlgorithm2isconducted,revealthesamesecret
valueinnormalcases,meaningthatnodamageeveroccurstothe
k+1shares;otherwise,itcanbedecidedthatsomesharesmust
havebeendestroyed.Bymakinguseofthischaracteristic,blind
self-authenticationofeachsegmentgroupintherecoveredsecret
messageiscarriedout,andverificationoftheintegrityandfidelity
ofthesecretmessagethusachieved.Adetailedalgorithmofsecret
messagerecoveryandself-authenticationisdescribedinthe
fol-lowing.
Algorithm4. Secretdatarecoveryandself-authentication.
Input:astego-spreadsheetS; theprimenumberp,thethree
integersk,n(=k+1),andm,andthesecretkeyKusedinAlgorithm
3.
Output:asecretmessageMhiddeninSpresumably,andareport
abouttheauthenticityofthesegmentswithinM.
Steps.
Stage1–messagesegmentcomputation.
Step1.UsethesecretkeyKtoselectrandomlynumericitemsin
S;takeouttheirvalueswhichpresumablyarethepartial
sharesF(xi)embeddedbyAlgorithm3;andputtheitems
sequentiallyintoasetFpsasapartial-shareset.
Step2.TakeoutinordernpartialsharesfromFps,settheir
corre-spondingxvaluesas1throughn,respectively,andperform
thefollowingstepstorecoverabinarysegmentMiofthe
secretmessageM,ifpossible.
2.1ForeverykpartialsharesF1,F2,...,Fkinthenonesand
theircorrespondingxvaluesx1,x2,...,xk,performthe
followingsteps.
2.1.1 Usethekshares(x1,F1),(x2,F2),...,(xk,Fk)toset
upthefollowingequations:
Fj=F(xj)=(d+c1xj+c2x2j+···+ck−1xk−1j )modp,(4)
wherej=1,2,...,k.
2.1.2 Compute thevalues d and c1 through ck−1 by
expanding thefollowing equalityand
compar-ingtheresultwith(4)inStep2.1.1abovewhile
regardingthevariablexintheequalitybelowto
bexjin(4): F(x)=
F(x1) (x−x2)(x−x3)···(x−xk) (x1−x2)(x1−x3)···(x1−xk)+F(x2) (x−x1)(x−x3)···(x−xk) (x2−x1)(x2−x3)···(x2−xk)+···+F(xk) (x−x1)(x−x2)···(x−xk−1) (xk−x1)(xk−x2)···(xk−xk−1) modp .2.1.3 Putthecomputedvaluesofdandc1throughck−1
asasetintoabufferB.
(Therewillben=k+1setsofvaluesofdandc1throughck1at
theendofStep2.)
Stage2–self-authenticationofthecomputedmessagesegment.
Step3.Takeout then setsof thecoefficientvaluesof dandc1
throughck−1inBandperformthefollowingoperations.
3.1Transformthecoefficientsdandc1throughck−1intok
binarysegments,andconcatenatethemasamessage
segmentMi.
3.2Ifallthensetsofthecoefficientvaluesareidenticalto
oneanother,thenmarkMiasauthenticandappendit
totheendofthedesiredsecretmessageM;else,mark
Miashavingbeendamagedandcontinue.
Step4.IfallsharesembeddedinS areprocessed,thentakethe
finalMastheoutput;otherwise,gotoStep2.
4. Discussionsonrelatedissuesaboutproposedmethod
4.1. Statisticalundetectability
A statisticalanomalycaused by information embeddingis a
reliablecluetodetectthepresenceofthesteganographiccontent
(ProvosandHoneyman,2003).Forthepurposeofresistingsuch
sta-tisticalanalysis,twostrategiesareusedintheproposedmethod.
Oneistospreadsecretsharesthroughoutthecoverspreadsheetin
asparselyandrandomlydistributedfashionsothatlessaffection
isincurredtothestatisticalpropertiesofthecoverspreadsheet
afterinformationembedding.Thiswayofachieving
undetectabil-ityfor a hiddenmessageused intheproposedmethodfollows
theconceptofthefrequency-hopping spreadspectrumtechnique
(Pickholtzetal.,1982)inwhichradiosignalsaretransmittedby
manyfrequencychannelsselectedaccordingtoapseudorandom
sequenceknowntothesenderandthereceiver.Theother
strat-egyistochoosecomparativelyinsignificantpartsofnumericdata
inthespreadsheetforembeddingsecretsharesinordertokeep
alowlevelofembeddingstrengthformaintainingthestatistical
propertiesinastego-spreadsheet.Forexample,wemaychoosethe
decimalfractionsofthenumbersinacoverspreadsheetandreplace
theirvalueswiththoseofthesecretshares,resultingininsignificant
alterationstothestatisticalpropertyinthestego-spreadsheet.
4.2. Activesecurityconsideration
Theproposedmethodnotonlycanpassivelypreventthe
stego-spreadsheetfromdetectionbutalsocanactivelyensurethefidelity
andintegrityofthetransmittedsecret.Intheactiveattackmodel
mentioned in Liu and Tsai(2007), ifan adversarysubtly made
modificationstopassing-bystego-spreadsheetsforthepurposeof
misleadingareceiver,theblindself-authenticationcapability
pro-videdbytheproposedmethodcanbeusedtochecktheauthenticity
oftheretrievedsecretmessage.Whentheauthenticitycheckfails,
itrevealsthatthecommunicationbetweenthetwosideshasbeen
threatenedandappropriatemeasuresshouldbeadopted.
4.3. Embeddingcapacityanalysis
ThevaluekmentionedinStep2ofAlgorithm3determinesthe
Fig.3. Acoverspreadsheetwith300numericitemsofstudents’testscores.(a)Listofthefirst36itemsinthespreadsheet.(b)Listofthelast34itemsinthespreadsheet.
bits,ineachsegmentgroupprocessedbythealgorithm.Itcanbe
figuredoutthatundertheconditionofusingthesamenumber
ofnumericitemsinaspreadsheetfordataembedding,alargerk
impliesalargerembeddingcapacitybutacoarserintegritycheck
inthelaterprocessofself-authentication,whileasmallerkmeans
thereverse.Thereexistsatradeoffhere.
Specifically,for instance,assumethat 10numericitemsin a
coverspreadsheetaretobereplacedwithsecretshares,anda(k,
n)-thresholdsecretsharingschemewithk=9,n=k+1=10isadopted.
Inthiscase,the9coefficientsd,c1,c2,...,andc8,witheachbeingan
m-bitsegmentofthesecretmessage,formthecoefficientsofthe
8-degreepolynomialdescribedby(3),andsoprovide9×m=9m
bits as theembedding capacity by generating10 secret shares
andembeddingthem intothecoverspreadsheet.Asa
compari-son,underthesameconditionbutwith(k,n)=(k,k+1)=(4,5),a
3-degreepolynomialincludingfourm-bitcoefficients isformed,
providingadataembeddingcapacityof4×m=4mbitsafter5
par-tialsharesaregeneratedandembedded.Therefore,if10number
itemsofacoverspreadsheetisprovidedaswell,thenthe10items
canbeusedtoembed2setsof5secretsharesgeneratedfrom2
distinctsegmentgroupsinthesecretmessage,yieldingatotalof
2×4m=8mbitsasthedataembeddingcapacity.Ascanbeobserved
fromthetwocases,theformercaseprovidesalargerembedding
capacityof9msecretmessagebitsyetwithasegmentgroupof9m
bitsastheunitforlaterself-authentication.Contrastively,thelatter
caseprovidesasmallerembeddingcapacityof8msecretmessage
bitsbutafinerauthenticationunitof4m-bitsegmentgroupinthe
secretmessage.
Fromtheabovediscussions,ageneralconclusionaboutthedata
embeddingcapacityoftheproposedmethodismadeasfollows:if
Idenotesthetotalnumberofnumericitemsinacoverspreadsheet
availableforembeddingsecretshares,thentheembeddingcapacity
Coftheproposedmethodbasedona(k,n)-thresholdsecretsharing
schemewithn=k+1is:
C=
In
×m×k (5)
whereI/ndenotesthenumberofsegmentgroupsinthesecret
messageMandmisthenumberofbitsinasegmentofM.
5. Experimentalresults
5.1. Experimentalresultsusingspreadsheetsrecordingstudents’
scores
Aresultoftheexperimentsweconductedusingtheproposed
methodwasbasedontheuseofa coverspreadsheetrecording
300students’scoressavedasanExcelfileasshowninFig.3.Note
thatthisisjustanexample;thetypeofcoverspreadsheetandthe
contentofitneednotberestrictedtobeso.
Thevaluesoftheinvolvedparametersp,mandkinEq.(3)of
theShamirmethodweresettobe101,6,and7,respectively.The
valueoftheprimenumberpwastakentobe101becauseitisthe
smallestintegerlargerthanthefullmarksof100ofthestudents’
testscores.Thevalueofm=6meansthatthelengthofeach
seg-mentoftheinputsecretmessageMwastakentobe6bits,which
satisfiestherequirementof2m−1=63<pmentionedinStep1of
Algorithm3.AndeachmessagesegmentinMwastransformedinto
anintegerforuseasoneofthecoefficientsd,c1,c2,...,ck−1inEq.
(3).Asfork=7,itmeansthatthevaluenisn=k+1=8intheapplied
(k,n)-thresholdsecretsharingscheme,andthatevery7message
segmentsinMareusedasthecoefficientsd,c1,c2,...,c6ofthe
Fig.4.Adialogforenteringinputsecretmessage.
generatedbyAlgorithm3,yieldingaself-authenticationcapacity
ofcheckingevery7messagesegmentsinM.
Furthermore,asshowninFig.4,theinputsecretmessageM
wastakentobethenote:“password:19841221”.Inthiscase,the
18charactersofthemessageweretransformedintoabinarystring
with18×7=126bits(7bitsperASCII-codedcharacter).The126
bitsthenweredividedinto3segmentgroupswitheachgroup
com-posedof7segmentsandeachsegmentconsistingofm=6bits.The
threesegmentgroupscorrespondtothefollowingthreemessage
sections:
Group1:“Passwo”;Group2:“rd: 19”;Group3:“841221.”
Totally,the3segmentgroupsgenerated3×8=24secretshares
whichatlast,bytheuseofasecretkey,wererandomlyembedded
intothecoverspreadsheettoyieldastego-spreadsheet.Welistthe
first36itemsinthestego-spreadsheetinFig.5(a),whereitems
havingbeenreplacedwiththesecretsharesaremarkedinblue.A
listofthefirst36itemsinthecoverspreadsheetisgiveninFig.5(b)
forcomparison.
If the stego-spreadsheet is intentionally modified illegally,
Algorithm4willdetectsuchtamperingbytheself-authentication
operation(seeStep3).Besides,ifsomeembeddedsecretshares
survivethemodification,Algorithm4canreconstructthepartially
correctsecretmessagefromthembytherecoverysteps(Steps2–4).
Someexperimentalresultsofthesefunctionsaredescribednow.
Fig.6showsamodifiedstego-spreadsheetwhereitems16through
26werealteredbyreplacingthemwithothernumbers.Withinthe
11modifieditems,items15and17includetwoembeddedsecret
shares.Thesecretmessageextractedfromsuchamodified
spread-sheetusingAlgorithm4isshowninFig.7.Ascanbeseen,segment
groups2and3ofthesecretmessagewerereconstructedcorrectly,
whilesegmentgroup1isauthenticatedtohavebeenmodifiedand
markedbythealgorithmwithasterisksymbols“*.”
In this case, the strategy of yielding a low embeddingrate
mentionedpreviouslyisusedtoachievethegoalofcreating
unde-tectabilityofthestego-spreadsheet.Inordertoensurethatthis
strategy works, the two-sample Kolmogorov–Smirnov test (KS
test),which isa non-parametric statisticaltest and isusefulto
checkwhethertwodatasamplescomefromthesameprobability
Table1
Experimentalresultsofusingstrategy1withacoverspreadsheetwithhighscatterlevelofnumericdata.
Scores1(300numericitemswith variance917.76andsize25k)
#ofreplacednumeric itemsI
Resultinghypothesis(5%) pvalue Capacity=I/n×m×k (bits)
Embeddingbitrateper numericitem
Embedding bitrate Embeddingrate5% 16 0(cannotreject) 1 2×6×7=84 0.28b 1/298 Embeddingratelimit50.67% 152 1(reject) 0.0309 19×6×7=798 2.66b 1/31
distribution,isusedtoquantitativelycomparetheprobability
dis-tributionof numericdataina stego-spreadsheetwiththatin a
coverspreadsheet.Thenullhypothesisisthattwodatasamples
comefromthesameunderlyingdistributionatthe5%significance
level,andthealternativehypothesisisthattheyarefrom
differ-entdistributions.Theresultofapplyingthetesttothecontentsof
thecoverspreadsheetandthestego-spreadsheetshowninFig.5is
showninTable1givenbelow,inwhichtheresultinghypothesis0
Fig.6. Analteredspreadsheetwithfakeitems16–26.
meansthatthetestcannotrejectthenullhypothesis,thatis,athird
partycannotthinkthattheprobabilitydistributionofthe
stego-spreadsheetisdifferentfromthatofthecoverspreadsheet.The
limitoftheembeddingrateatwhichthetwo-sampleKS-testwill
rejectthenullhypothesis,accordingtoourexperiments,is50.67%
inthiscase.Thismeansthattheembeddingrateshouldbesmaller
than50.67%inordertokeeptheundetectabilitypropertyofthe
stego-spreadsheetwhenasteganalysthastheinformationofthe
probabilitydistributionrelatedtothestego-spreadsheet.
Howtochooseanembeddingratewhichissecureagainstsuch
astatisticaltestdependsonthescatterlevelofthechosennumeric
dataofthecoverspreadsheet.Here,thescatterleveliscomputed
asthevarianceofnumericdatavalues.Intermsofthisparameter,
threespreadsheetsScores1,Scores2,andScores3withthescatter
levelfromhightolowweretestedfurtherinourexperimentsusing
thesamesettingofparameters.Scores1isjusttheoneusedinthe
firstexperimentmentionedaboveandthecorrespondingstatistics
isshowninTable1.TheresultsofusingScores2andScores3are
showninTables2and3,respectively.FromTable2,thelimitof
theembeddingrateusingScores2isseentobe26%whichislower
thanthatusingScores1.AsforScores3,thecorrespondinglimitof
theembeddingrateisdowntobe6.04%asseeninTable3.These
experimentalstatisticsindicatethatthenumericdataofacover
spreadsheetwithahigherscatterlevelcanyieldahigher
embed-dingratewithoutcausingstatisticalanomalies.Thisfactcanalso
beseenfromthemessageembeddingbitratepernumericitem,also
showninthetables.Specifically,theupperboundoftheembedding
bitratepernumericiteminScores1is2.66b,whichishigherthan
thoseinScores2(1.36b)andScores3(0.32b).
5.2. Experimentalresultsusingaspreadsheetofafinancial
statement
AnotherexperimentalresultusingtheMicrosoftExcelfileof
a financialstatementof a companyasthecover spreadsheetis
showninFigs.8–11.Fig.8showsthecoverspreadsheetwith32
candidate numeric items for data embedding. In this case, the
strategy of choosing insignificant parts of numeric data in the
coverspreadsheetforembeddingsecretsharesisusedtokeepa
low levelofembeddingstrengthfor considerationof the
unde-tectabilityof thegenerated stego-spreadsheet.Fig.9shows the
inputsecretmessagewhich wastransformedinto32 sharesby
Algorithm3.Correspondingly,thedecimalfractionsofallofthe
32 numericitemsin thecover spreadsheetof Fig.8wereused
toembedtheshares.Eachsharewastransformedintotwo
dig-itsandembeddedtotherightofthedecimalpointofanumeric
Fig.7.Anextractedsecretmessagewithamessagesegmentretrievedfrom tam-pereditemsinthestego-spreadsheetmarkedbysymbols“*”.
Table2
Experimentalresultsofusingstrategy1withacoverspreadsheetwithmediumscatterlevelofnumericdata.
Scores2(1296numericitemswith variance465.62andsize105k)
#ofreplaced numericitems
Resulting hypothesis(5%)
pvalue Capacity=I/n×m×k (bits)
Embeddingbitrate pernumericitem
Embeddingbitrate Embeddingrate5% 64 0(cannotreject) 0.9999 8×6×7=336 0.26b 1/313
Embeddingratelimit26% 336 1(reject) 0.049 42×6×7=1764 1.36b 1/60
Table3
Experimentalresultsofusingstrategy1withacoverspreadsheetwithlowscatterlevelofnumericdata. Scores3(2250numericitems
withvariance283.11andsize 31k)
#ofreplaced numericitems
Resulting hypothesis(5%)
pvalue Capacity=I/n×m×k (bits)
Embeddingbitrate pernumericitem
Embeddingbitrate
Embeddingrate5% 112 0(cannotreject) 0.3557 14× 6× 7=588 0.26b 1/53 Embeddingratelimit6.04% 136 1(reject) 0.0383 17× 6×7=714 0.32b 1/43
Fig.8.Acoverspreadsheetoffinancialstatementwith32numericitems. Table4
Experimentalresultsofusingstrategy2foracoverspreadsheetofafinancialstatement. Financialstatement(32numeric
itemsandsize15k)
#ofreplaced numericitems
Resultof hypothesis(5%)
pvalue Capacity=I/n×m×k (bits)
Embeddingbitrate pernumericitem
Embeddingbitrate Embeddingrate100% 32 0(cannotreject) 1 4×6×7=168 5.25b 1/89
item.Theresultingstego-spreadsheetisshowninFig.10 which
lookslikeacommonspreadsheet.Asdoneintheprevious
experi-ment,thetwo-sampleKolmogorov–Smirnovtestwasused,andthe
resultisshowninTable4whichsupportstheuseofthestrategy,
Fig.9.Adialogwiththeinputsecretmessage.
accomplishingthegoalofyieldingstatisticalundetectabilityinthe
stego-spreadsheet.
Fig.11showsthestego-spreadsheetwith3numericitems
(high-lighted)beingmodified.The secretmessageextractedfromthe
modifiedstego-spreadsheetis shownin Fig.12(b) inwhichthe
destructedpartofthesecretmessageismarkedbyasterisk
sym-bols.Asacomparison,thesecretmessageextractedfromtheintact
stego-spreadsheetshowninFig.10isshowninFig.12(a).
5.3. Comparisonwithexistingmethods
Forthepurposeofpresentingthecontributionsmadeinthis
study,acomparisonofthecapabilitiesoftheproposedmethodwith
thoseofsomeexistingcovertcommunicationmethodsisgivenin
Table5.
Mostexistinginformationhidingmethodsforcovert
Fig.10.Astego-spreadsheetinwhichthedecimalfractionsofthenumericitemshavebeenmodifiedbyembeddedshares.
Fig.11.Astego-spreadsheetwith3numericitems(highlighted)beingmodified.
2008;FridrichandDu,2000;LeeandTsai,2010a,b;Zhongetal., 2007;LiuandTsai,2007)weredevelopedbasedonthepremise
thatanadversaryalwaysworksinthepassivemode.However,in
practicalcovertcommunication,anactiveattackisdefinedasthe
actionofanadversarywhoseekstodestroythestego-contentorto
activelyintroducesubtlemodificationstopassing-bystego-objects
betweenthetwoparties.Suchanactiveattackmaypossiblycausea
receivertoextractanincorrectsecretmessagewithnoawareness.
Fig.12.Therecoveredsecretmessage.(a)Messageextractedfromtheintactstego-spreadsheetshowninFig.10.(b)Messageextractedfromthemodifiedstego-spreadsheet showninFig.11.
Table5
Comparisonofexistingsteganographicmethodsandproposedmethod.
Manipulationofdata embedding Againstactive attack Modification localization capability
Freefromneedof auxiliaryinformation formessageextraction
Keepingthesizeofacover fileaftertransformedinto stego-version
Benderetal. (1996),Wuand Tsai(2003),Yang etal.(2008)
LSB-based(image) No No Yes Yes
FridrichandDu (2000)
Paritiesofpalettecolors (image)
No No Yes Yes
LeeandTsai (2010a,b)
CertainASCIIcodes(PDF) No No Yes No
Zhongetal.(2007) Characterspacevarying (PDF)
No No Yes Yes
LiuandTsai(2007) Changetrackingtechnique (MSworddocument)
No No No No
Proposedmethod Partialreplacementof numericitems (spreadsheet)
Yes Yes Yes Yes
Contrastivewiththeexistingmethods,theproposedmethodisthe
onlyonewhichhastheself-authenticationcapabilityagainstactive
attacksandsimultaneouslytakesthepassivesteganalyticattack
intotheconsideration.Furthermore,thedestructedpartofasecret
messagecanbelocalizedpreciselybytheproposedmethod,that
is,theproposedmethodhasthecapabilityofmodification
localiza-tionwhichisusefulforverifyingtheintegrityofthesecretmessage
intheproposedmethod.
Furthermore, auxiliary information for message decoding is
requiredin somemethods like(Liuand Tsai,2007).Extra
stor-agespaceisthusrequiredtosavetheinformationforbothparties
inthecommunication,addingaburdentothesystemin
practi-caluse.Contrarily,likethemethodsofBenderetal.(1996),Wu
andTsai(2003),Yangetal.(2008),FridrichandDu(2000),Leeand Tsai(2010a,b)andZhongetal.(2007)theproposedmethoddoes
notneedanyauxiliaryinformation.In addition,themethods in
LeeandTsai(2010a,b)andLiuandTsai(2007)increasethesizeof
thegeneratedstego-fileduetotheprocedureofaddingencoding
codesorchangingtrackingrecordsfordataembedding.Incontrast,
themanipulationofsubstitution/replacementfordataembedding
usedinmethodsofBenderetal.(1996),WuandTsai(2003),Yang
etal.(2008)andFridrichandDu(2000)aswellastheproposed
methodkeepthesizeofacoverfileunchangedafteritis
trans-formedintoastego-version.
Theembeddingbitrateoftheproposedmethodis
compara-tivelysmallerthanthatyieldedbythemethodsofBenderetal.
(1996),WuandTsai(2003)andYangetal.(2008)usingimagesas
covermedia.However,itisnotedthatthesemethodsare
vulnera-bletothewell-knownRSsteganalysis(WangandWang,2004).This
studyaimsatprovidinganewwayofcovertcommunication,and
theissueofimprovingtheembeddingcapacitydeservesfurther
investigationinthefuture.
Ontheotherhand,forfurtherresistingadversary’sattackson
destroyingthestego-content,secretsharesmaybespreadoverto
differentsetsofspreadsheetstoincreasethepossibilityof
retain-inganenoughnumberofsharesforrevealingthesecretmessage.
Atlast,itisworthtonotethattheproposedmethodcanbeequally
appliedtootherdocumentformatsandnotlimitedtoonly
spread-sheetfiles,althoughthenumbersappearinginsuchfilesmaybe
looksmorenaturalthanthoseappearinginotherfiles.
6. Conclusions
Anewcovertcommunicationmethodwithaself-authentication
capabilityviaspreadsheetsusing Shamir’s(k,k+1)secret
shar-ingschemehasbeenproposedinthisstudy.Thesegmentgroups
ofasecretmessagearetransformedintosecretsharesandthen
embeddedasiftheyarepartofthecontentinacoverspreadsheet,
yieldingacamouflageeffectandgeneratingaself-authentication
capability.Eachsegmentgroupof thesecretmessageextracted
fromastego-spreadsheetcanbeblindlyauthenticatedby
check-ingtheresultscomputedfromallthek+1possiblecombinations
ofk sharesoutof k+1 ones—iftheresultingk+1 copiesofthe
recoveredsecretareallidenticaltooneanother,thenthe
stego-spreadsheetisdecidedtobeintact.Incasethestego-spreadsheetis
authenticatedtohavebeenmodified,thealteredpartofthehidden
secretmessagemaybeidentified,andtheundamagedpart
recov-eredcorrectly.Experimental resultshave beenshown toprove
thefeasibilityandeffectivenessoftheproposedmethod.
Deriva-tionsofthedataembeddingcapacityandauthenticationprecision
havealsobeenconducted,anddiscussionsonthesteganalysisissue
included.Futurestudiesmay bedirected toapplicationsofthe
proposedmethodtomultimediaprotectioninthefieldoffragile
watermarking.
References
Bender,W.,Gruhl,D.,Morimoto,N.,Lu,A.,1996.Techniquesfordatahiding.IBM SystemsJournal35(3–4),313–336.
Brassil,J.T.,Maxemchuk,N.F.,1999.Copyrightprotectionfortheelectronic distri-butionoftextdocuments.ProceedingsoftheIEEE87(7),1181–1196. Chae,J.J.,Manjunath,B.S.,1999.Datahidinginvideo.In:Proc.of1999IEEE
Interna-tionalConferenceonImageProcessing,Kobe,Japan,pp.243–246.
Cheddad,A.,Condell,J.,Curran,K.,McKevitt,P.,2010.Digitalimagesteganography: surveyandanalysisofcurrentmethods.SignalProcessing90(3),727–752. Chen,L.S.T.,Lin,J.C.,2010.Multithresholdprogressiveimagesharingwithcompact
shadows.JournalofElectronicImaging19(1),013003.
Fridrich,J.,Du,R.,2000.Securesteganographicmethodsforpaletteimages.In:Proc. of3rdInternationalWorkshopInformationHiding,September1999,Dresden, Germany.Springer-Verlag,Berlin,pp.61–76(alsoinLectureNotesinComputer Science).
Gopalan,K.,etal.,2003.Covertspeechcommunicationviacoverspeechbytone insertion.In:Proc.ofthe2003IEEEAerospaceConference.BigSky,MT,USA. Lee,C.W.,Tsai,W.H.,2010a.AuthenticationofbinarydocumentimagesinPNG
for-matbasedonasecretsharingtechnique.In:Proceedingsof2010International ConferenceonSystemScienceandEngineering,Taipei,Taiwan,pp.133–138. Lee,I.S.,Tsai,W.H.,2010b.AnewapproachtocovertcommunicationviaPDFFiles.
SignalProcessing90(2),557–565.
Lin,C.C.,Tsai,W.H.,2004.Secretimagesharingwithsteganographyand authenti-cation.JournalofSystemsandSoftware73(3),405–414.
Liu,T.Y.,Tsai,W.H.,2007.AnewsteganographicmethodfordatahidinginMicrosoft Worddocumentsbyachangetrackingtechnique.IEEETransactionson Infor-mationForensicsandSecurity2(1),24–30.
Pickholtz,R.L.,Schilling,D.L.,Millstein, L.B.,1982.Theory ofspreadspectrum communications—atutorial.IEEE TransactionsonCommunications 30 (5), 855–884.
Provos,N.,Honeyman,P.,2003.Hideandseek:anintroductiontosteganography. IEEESecurityandPrivacyMagazine1(3),32–44.
Shamir,A.,1979.Howtoshareasecret.CommunicationofACM22(11),612–613. Thien,C.C.,Lin,J.C.,2002.Secretimagesharing.ComputersandGraphics26(1),
Wang,H.,Wang,S.,2004.Cyberwarfare:steganographyvs.steganalysis. Commu-nicationsofACM47(10),76–82.
Wu,D.C.,Tsai,W.H.,2003.Asteganographicmethodforimagesbypixel-value dif-ferencing.PatternRecognitionLetters24(9–10),1613–1626.
Wu,M.,Yu,H.,Gelman,A.,1999.Multi-leveldatahidingfordigitalimageandvideo. In:Proc.ofSPIEPhotonicsEast,Boston,MA,USA,pp.10–21.
Yang,C.H.,Weng,C.Y.,Wang,S.J.,Sun,H.M.,2008.Adaptivedatahidinginedgeareas ofimageswithspatialLSBdomainsystems.IEEETransactionsonInformation ForensicsandSecurity3(3),488–497.
Zhong,S.,Cheng,X.,Chen,T.,2007.DatahidinginakindofPDFtextsforsecret communication.InternationalJournalofNetworkSecurity4(1),17–26.
Che-WeiLeereceivestheB.S.degreeincivilengineering andtheM.S.degreeinelectricalengineeringfromNational ChengKungUniversity,Tainan,Taiwan,in2002and2005, respectively.HeisaPh.D.studentintheDepartmentof ComputerScienceatNationalChiaoTungUniversitysince 2005.Hisresearchinterestsincludeinformationhiding, imageprocessing,andvideotechnologies.
Wen-HsiangTsaireceivedtheB.S.degreeinEEfrom NationalTaiwanUniversity,Taiwan,in1973,theM.S. degreeinEEfromBrownUniversity,USAin1977,andthe Ph.D.degreeinEEfromPurdueUniversity,USAin1979. Since1979,hehasbeenwithNationalChiaoTung Univer-sity(NCTU),Taiwan,whereheisnowaChairProfessorof ComputerScience.Hiscurrentresearchinterestsinclude computervision,informationsecurity,videosurveillance, andautonomousvehicleapplications.