A covert communication method via spreadsheets by secret sharing with a self-authentication capability

ContentslistsavailableatSciVerseScienceDirect

The

Journal

of

Systems

and

Software

jo u r n al h om ep a g e :w w w . e l s e v i e r . c o m / l o c a t e / j s s

A

covert

communication

method

via

spreadsheets

by

secret

sharing

with

a

self-authentication

capability

夽

Che-Wei

Lee

a,1

_,

_Wen-Hsiang

_Tsai

a,b,∗

a_{DepartmentofComputerScienceandInformationEngineering,NationalChiaoTungUniversity,Hsinchu30010,Taiwan} b_{DepartmentofInformationCommunication,AsiaUniversity,Taichung41354,Taiwan}

a

r

t

i

c

l

e

i

n

f

o

Articlehistory: Received3March2012

Receivedinrevisedform18July2012 Accepted18August2012

Available online 30 August 2012 Keywords: Covertcommunication Secretsharing Informationhiding Self-authentication Spreadsheet

a

b

s

t

r

a

c

t

Anewcovertcommunicationmethodwithaself-authenticationcapabilityforsecretdatahidingin spreadsheetsusingtheinformationsharingtechniqueisproposed.Atthesendersite,asecretmessage istransformedintosharesbyShamir’s(k,n)-thresholdsecretsharingschemewithn=k+1,andthe generatedk+1sharesareembeddedintothenumberitemsinaspreadsheetasiftheyarepartofthe spreadsheetcontent.Andatthereceiversite,everyksharesamongthek+1onesthenareextractedfrom thestego-spreadsheettorecoverk+1copiesofthesecret,andtheconsistencyofthek+1copiesinvalue ischeckedtodeterminewhethertheembeddedsharesareintactornot,achievinganewtypeofblind self-authenticationoftheembeddedsecret.Bydividingthesecretmessageintosegmentsandapplying toeachsegmentthesecretsharingscheme,theintegrityandfidelityofthehiddensecretmessagecanbe verified,achievingacovertcommunicationprocesswiththedoublefunctionsofinformationhidingand self-authentication.Experimentalresultsanddiscussionsondataembeddingcapacity,authentication precision,andsteganalysisissuesarealsoincludedtoshowthefeasibilityoftheproposedmethod.

© 2012 Elsevier Inc. All rights reserved.

1. Introduction

Covertcommunicationisatechniqueofconcealingsecret

infor-mation into a cover medium in an imperceptible way or with

a camouflage effect such that only a sender and an intended

receiverknowtheexistenceofthehiddendataintheresulting

stego-medium.In theliterature, emphaseswere putonthe use

ofmultimedialikeimages,videos,and audios(Wu etal.,1999;

Gopalanetal.,2003;ChaeandManjunath,1999;Cheddadetal.,

2010)becausethesemediaingeneralprovidelargerembeddable

spacesandcauselesssuspicionduetotheirwidedistributions.And

weaknessesexistinginhumanbeings’visualcapabilitiesareoften

exploitedtodesigneffectivecovertcommunicationmethods.For

example,themethodsproposedinBenderetal.(1996),Wuand

Tsai(2003),andYangetal.(2008)replacetheleast-significantbits

ofpixelsincoverimagestoembedinformation,andthatofFridrich

夽 ThisworkissupportedfinanciallybytheNationalScienceCouncil,Taiwan,ROC underProjectNo.99-2631-H-009-001.

∗ Correspondingauthorat:DepartmentofComputerScienceandInformation Engineering,NationalChiaoTungUniversity,Hsinchu30010,Taiwan.

Tel.:+88635728368;fax:+88635734935.

E-mailaddresses:paradiserlee@gmail.com(C.-W.Lee), whtsai@cis.nctu.edu.tw(W.-H.Tsai).

1 _{Tel.:+88635728368;fax:+88635734935.}

and Du (2000)usestheparities of palettecolors, composedby

similarcolors,torepresenthiddenmessagebits.

Inadditiontomethodsdevelopedformultimedia,severalothers

(BrassilandMaxemchuk,1999;LeeandTsai,2010a,b;Zhongetal., 2007;LiuandTsai,2007)usedcovermediaoftext,PDF,orWord

documentsforcovertcommunication.InBrassilandMaxemchuk

(1999),dataareembeddedbyslightlyadjustingthelines,tabs,or

charactersintextfiles.LeeandTsai(2010a,b)usedspecialASCII

codesinPDFfilestoembeddatabetweencharacters.LiuandTsai

(2007)madeuseofthechangetrackingfunctioninMicrosoftWord

toembeddataimperceptiblybyadocumentdegeneration

tech-nique.

Inthisstudy,weproposeanewcovertcommunicationmethod

which applies Shamir’s (k, n)-threshold secret sharing scheme

(Shamir,1979)withn=k+1toagivensecretitem toyieldk+1

shares,andthegeneratedk+1sharesareembeddedintothe

num-beritemsinaspreadsheetasiftheyarepartofthespreadsheet

content.Thepurposeoftransformingthesecretdataintosecret

sharesbythe(k,k+1)-thresholdsecretsharingschemeisnotto

enforcerobustness,buttoyieldablindself-authentication

capa-bility for the embedded secret. Conventionally, the concept of

(k,n)-thresholdsecretsharingisappliedtoprovide

destruction-tolerantcapabilities.Thatis,anyksharescollectedfromnonesmay

beprocessedtorevealthesharedsecreteventhoughupto(n−k)

sharesaredestroyed.Butintheproposedmethod,theschemeof

(k,k+1)-thresholdsecretsharingisdevelopedforthefirsttime

0164-1212/$–seefrontmatter © 2012 Elsevier Inc. All rights reserved. http://dx.doi.org/10.1016/j.jss.2012.08.048

Fig.1. Illustrationofproposedcovertcommunicationmethodviaspreadsheetsbysecretsharing.(a)Generationofastego-spreadsheet.(b)Self-authenticationofthe extractedmessage.

toprovideinsteadaself-authenticationcapabilitybycheckingthe

value-consistencyofk+1resultscomingfromallk+1combinations

todeterminewhethertheextractedsecret isintactornot.That

is,onlywhentheresultscomputedfromanyk sharescollected

fromk+1sharesareallidenticalinvaluecantheextractedsecret

bedecidedtobeintact.Fig.1illustratesthesecoreideasofthe

proposedmethod.

Moreover,toconcealthepresenceofhiddendata,secretshares

arespreadthroughoutthecoverspreadsheetinasparselyfashion.

Andaspreadsheetcontainingnumeralitemswithahighscatterlevel

ismoresuitabletobeusedasacoverspreadsheetforbetter

con-cealment.Meritsoftheproposedmethodincludethefollowing.(1)

Areceivercanconfirmthecorrectnessoftheextractedsecret

mes-sage.(2)Comparedwithsomemethodsusinghashcodesorparity

bitsasredundantdatatoensuretheauthenticityofretrieveddata,

onlyaminorredundancy,i.e.the(k+1)-thshare,isneededinthe

proposedmethod.(3)Byadaptivelychoosinginvolvedparameters,

i.e.thevalueofp,usedinthepolynomialofShamir’smethodfor

theselectedspreadsheet,thenumericalitems’valuesgeneratedby

themethodwillfallintoareasonablerangeofvalues,arousing

lit-tlesuspicionduringcovertcommunication.(4)Usingspreadsheets

ascovermedia,theproposedmethodisfree fromunintentional

destructionofhiddendatalikedatacompressionduringthesecret

transmissionordatakeepingprocess,incontrastwithcovermedia

likeimagesorvideoswhichareoftencompressedignorantlyinsuch

aprocess.Twoexamplesofsuchdocuments,MicrosoftExceland

GoogleDocs,areshowninFig.2.

Theremainderofthispaperisorganizedasfollows.InSection

2,theShamirmethodonwhichtheproposedmethodisbasedis

reviewedfirst.InSection3,thedetailsoftheproposedmethod,

includingsecretmessageembedding,secretmessageextraction,

andself-authenticationoftheextractedmessage,aredescribed.In

Section4,discussionsonrelatedissuesabouttheproposedmethod

aregiven.ExperimentalresultsarepresentedinSection5,followed

byconclusionsinSection6.

2. ReviewofShamir’smethodforsecretsharing

In the (k, n)-threshold secret sharing scheme proposed by

Shamir(1979)withk≤n,asecretdintheformofanintegeris

trans-formedintoshareswhichthenaredistributedtonparticipantsto

keep;andaslongasuptokofthensharescanbecollected,the

originalsecretcanberecovered.Thedetailoftheschememaybe

describedastwoalgorithmsinthefollowing.

Algorithm1. (k,n)-thresholdsecretsharing.

Input:a secretdin theformof aninteger,thenumber nof

participants,andathresholdknotlargerthann.

Output:nsharesintheformofintegersfornparticipantstokeep.

Steps.

1. Chooserandomlyaprimenumberpwhich islargerthanthe

secretd.

2.Selectk−1integervaluesc1,c2,...,ck−1withintherangeof0

throughp−1.

3.Selectndistinctrealvaluesforthevariablesx1,x2,...,xn.

4.Usethefollowing(k−1)-degreepolynomialtocomputen

func-tionvaluesF(xi),calledpartialshares:

F(xi)=(d+c1xi+c2x_i2+···+ck−1xk−1_i )_{mod p}, (1)

fori=1,2,...,n.

5.Deliverthe2-tuple(xi,F(xi))asasharetotheithparticipant,

wherei=1,2,...,n.

Sincetherearekcoefficients,includingdandc1throughck−1,

in(1)above,itisnecessarytocollectatleastksharesfromthen

participantstoformkequationsoftheformof(1)tosolvethese

kcoefficients inordertorecoverthesecretd.Thisexplainsthe

term,threshold,forkandthename,(k,n)-threshold,fortheShamir

method.Belowisadescriptionoftheequation-solvingprocessfor

secretrecovery.

Algorithm2. Secretrecovery.

Input:k shares collectedfromthe n participantswhere k is

thethresholdmentionedinAlgorithm1;andtheprimenumber

pwhichwaschoseninStep1ofAlgorithm1.

Output:thesecretdhiddeninthesharesandthecoefficientsci

usedintheequationsdescribedby(1)inAlgorithm1,wherei=1,

2,...,k−1.

Steps.

1.Usethekshares(x1,F(x1)),(x2,F(x2)),...,(xk,F(xk))tosetupthe

followingequations:

F(xj)=(d+c1xj+c2x_j2+···+ck−1xjk−1)modp, (2)

Fig.2.Examplesofspreadsheets.(a)MicrosoftExcel.(b)GoogleDocs.

2.SolvethekequationsabovebyLagrange’sinterpolationtoobtain

thedesiredsecretvalued(LinandTsai,2004)asfollows:

d=(−1)k−1



F(x1) x2x3...xk (x1−x2)(x1−x3)···(x1−xk)+F(x2 ) x1x2... xk (x2−x1)(x2−x3)···(x2−xk)+···+F(xk ) x1x2...xk−1 (xk−x1)(xk−x2)···(xk−xk−1)



modp .

3. Computethevaluesc1throughck−1 byexpandingthe

follow-ingequalityandcomparingtheresultwith(2)inStep1while

regardingthevariablexintheequalitybelowtobexjin(2):

F(x)=



F(x1) (x−x2)(x−x3 )···(x−xk) (x1−x2)(x1−x3)···(x1−xk)+F(x2 ) (x−x1)(x−x3)···(x−xk) (x2−x1)(x2−x3)···(x2−xk)+···+F(xk ) (x−x1)(x−x2)···(x−xk−1) (xk−x1)(xk−x2)···(xk−xk−1)



mod p .

Step3intheabovealgorithmis includedfor thepurposeof

computingthevaluesoftheparametersciintheproposedmethod.

Inotherapplications,ifonlythesecretvaluedneedberecovered,

thisstepmaybeeliminated.

3. Proposedcovertcommunicationmethodusing spreadsheets

3.1. Generationofastego-spreadsheet

In the proposed method, an appropriate cover spreadsheet

S which contains numeric data for disguising generated secret

sharesispreparedfirst.Next,asecretmessageMtobehiddenis

dividedintoseveralsegments,andtakenasinputtoShamir’s(k,

n)-thresholdsecretsharingscheme(Shamir,1979)withcarefully

chosenparameterstogeneratesecretshares.Then,numericitems

inSwhichareselectedbyasecretkeyarereplacedwiththeshares

togenerateastego-spreadsheetS.Inthis process,the

parame-tersinvolvedinEq.(1)ofAlgorithm1areadjustedtosatisfythe

characteristicsoftheinputsecretmessageandthepreparedcover

spreadsheet.Theseparametersinclude:(a)thenumbermofbits

ineachmessagesegment,whichisalsotakentobetheidentical

numbersofbitsinallofthecoefficientsd,c1throughck−1;(b)the

numberkofmessagesegmentsprocessedbytheShamirscheme

eachtime,whichisalsotheminimumnumberkofsecretshares

neededtobecollectedtorecoverthesecret;(c)thetotalnumber

nofgeneratedshares,whichissettobek+1specifically;(d)and

theprimenumberp,whichisthesmallestintegerlargerthanall

thevaluesofthecoefficientsd,c1throughck−1,andthevariables

x1throughxnusedinEq.(1)(Shamir,1979).

Adetailedalgorithmdescribingtheprocessispresentedinthe

following.

Algorithm3. Generationofastego-spreadsheet.

Input:abinarysecretmessageMdividedintom-bitsegments,

aspreadsheetS,asecretkeyK,andthreepre-selectedintegersk,n

(=k+1),andm.

Output:astego-spreadsheetS.

Steps.

Stage1–sharegeneration.

Step1.Choosethesmallestprimenumberpwhichislargerthan

2m_−1.

Step2.Takesequentiallykunprocessedm-bitsegmentsfromM

toformagroupG,calledsegmentgroup,andperformthe

followingstepstotransformthesegmentgroupintopartial

shares.

2.1 Transform the k m-bit message segments in G into

integersandtaketheresultstobed,c1,c2,...,ck−1,

respectively.

2.2 Take x1 through xn to be the integers 1 through n,

respectively,wheren=k+1.

2.3 Usethefollowing(k−1)-degreepolynomialto

com-putenpartialsharesF(xi):

F(xi)=(d+c1xi+c2x_i2+···+ck−1xk−1i )modp, (3)

wherei=1,2,...,n.

2.4 SaveallF(xi)inorderintoapartial-sharesetFps.

Step3.IfthemessagesegmentsinMarenotexhausted,thengo

toStep 2to processanothersegment group;otherwise,

continue.

Stage2– partialshareembedding.

Step4. TakeanunprocessedpartialshareF(xi)fromFps,and

4.1UsethesecretkeyKtorandomlyselectanumericitem

IinS.

4.2ReplaceIwithF(xi).

Step5.IfthereexistunprocessedpartialsharesinFps,gotoStep4;

otherwise,takethefinalSastheoutputS.

3.2. Algorithmfordataextractionandauthentication

Theproposedblindself-authenticationcapabilityforverifying

arecoveredsecretmessageisfulfilledbythe(k,k+1)-threshold

secretsharingscheme.Inthepast,theconceptof(k,n)-threshold

secretsharingisoftenappliedtodevelopmethodsforsecretimage

sharing(Linand Tsai,2004;Thienand Lin,2002;Chenand Lin,

2010)orimagerepairing(LeeandTsai,2010a,b)with

destruction-tolerant capabilities – any k shares collected from the n ones

maybeprocessedtorevealthesharedsecreteventhoughupto

(n−k)shares aredestroyed. Butin theproposedmethodhere,

theschemeof(k,k+1)-thresholdsecret sharingisdevelopedto

provideaself-authenticationcapabilityforverifyingthe

correct-nessofarecoveredsegmentgroupinthesecretmessage–anyk

sharescollectedfromthek+1onesshould,afterthesecret

recov-eryprocessofAlgorithm2isconducted,revealthesamesecret

valueinnormalcases,meaningthatnodamageeveroccurstothe

k+1shares;otherwise,itcanbedecidedthatsomesharesmust

havebeendestroyed.Bymakinguseofthischaracteristic,blind

self-authenticationofeachsegmentgroupintherecoveredsecret

messageiscarriedout,andverificationoftheintegrityandfidelity

ofthesecretmessagethusachieved.Adetailedalgorithmofsecret

messagerecoveryandself-authenticationisdescribedinthe

fol-lowing.

Algorithm4. Secretdatarecoveryandself-authentication.

Input:astego-spreadsheetS; theprimenumberp,thethree

integersk,n(=k+1),andm,andthesecretkeyKusedinAlgorithm

3.

Output:asecretmessageMhiddeninSpresumably,andareport

abouttheauthenticityofthesegmentswithinM.

Steps.

Stage1–messagesegmentcomputation.

Step1.UsethesecretkeyKtoselectrandomlynumericitemsin

S;takeouttheirvalueswhichpresumablyarethepartial

sharesF(xi)embeddedbyAlgorithm3;andputtheitems

sequentiallyintoasetFpsasapartial-shareset.

Step2.TakeoutinordernpartialsharesfromFps,settheir

corre-spondingxvaluesas1throughn,respectively,andperform

thefollowingstepstorecoverabinarysegmentMiofthe

secretmessageM,ifpossible.

2.1ForeverykpartialsharesF1,F2,...,Fkinthenonesand

theircorrespondingxvaluesx1,x2,...,xk,performthe

followingsteps.

2.1.1 Usethekshares(x1,F1),(x2,F2),...,(xk,Fk)toset

upthefollowingequations:

Fj=F(xj)=(d+c1xj+c2x2_j+···+ck−1xk−1_j )_modp,(4)

wherej=1,2,...,k.

2.1.2 Compute thevalues d and c1 through ck−1 by

expanding thefollowing equalityand

compar-ingtheresultwith(4)inStep2.1.1abovewhile

regardingthevariablexintheequalitybelowto

bexjin(4): F(x)=



F(x1) (x−x2)(x−x3)···(x−xk) (x1−x2)(x1−x3)···(x1−xk)+F(x2) (x−x1)(x−x3)···(x−xk) (x2−x1)(x2−x3)···(x2−xk)+···+F(xk) (x−x1)(x−x2)···(x−xk−1) (xk−x1)(xk−x2)···(xk−xk−1)



modp .

2.1.3 Putthecomputedvaluesofdandc1throughck−1

asasetintoabufferB.

(Therewillben=k+1setsofvaluesofdandc1throughck1at

theendofStep2.)

Stage2–self-authenticationofthecomputedmessagesegment.

Step3.Takeout then setsof thecoefficientvaluesof dandc1

throughc_k−1inBandperformthefollowingoperations.

3.1Transformthecoefficientsdandc1throughck−1intok

binarysegments,andconcatenatethemasamessage

segmentMi.

3.2Ifallthensetsofthecoefficientvaluesareidenticalto

oneanother,thenmarkMiasauthenticandappendit

totheendofthedesiredsecretmessageM;else,mark

Miashavingbeendamagedandcontinue.

Step4.IfallsharesembeddedinS areprocessed,thentakethe

finalMastheoutput;otherwise,gotoStep2.

4. Discussionsonrelatedissuesaboutproposedmethod

4.1. Statisticalundetectability

A statisticalanomalycaused by information embeddingis a

reliablecluetodetectthepresenceofthesteganographiccontent

(ProvosandHoneyman,2003).Forthepurposeofresistingsuch

sta-tisticalanalysis,twostrategiesareusedintheproposedmethod.

Oneistospreadsecretsharesthroughoutthecoverspreadsheetin

asparselyandrandomlydistributedfashionsothatlessaffection

isincurredtothestatisticalpropertiesofthecoverspreadsheet

afterinformationembedding.Thiswayofachieving

undetectabil-ityfor a hiddenmessageused intheproposedmethodfollows

theconceptofthefrequency-hopping spreadspectrumtechnique

(Pickholtzetal.,1982)inwhichradiosignalsaretransmittedby

manyfrequencychannelsselectedaccordingtoapseudorandom

sequenceknowntothesenderandthereceiver.Theother

strat-egyistochoosecomparativelyinsignificantpartsofnumericdata

inthespreadsheetforembeddingsecretsharesinordertokeep

alowlevelofembeddingstrengthformaintainingthestatistical

propertiesinastego-spreadsheet.Forexample,wemaychoosethe

decimalfractionsofthenumbersinacoverspreadsheetandreplace

theirvalueswiththoseofthesecretshares,resultingininsignificant

alterationstothestatisticalpropertyinthestego-spreadsheet.

4.2. Activesecurityconsideration

Theproposedmethodnotonlycanpassivelypreventthe

stego-spreadsheetfromdetectionbutalsocanactivelyensurethefidelity

andintegrityofthetransmittedsecret.Intheactiveattackmodel

mentioned in Liu and Tsai(2007), ifan adversarysubtly made

modificationstopassing-bystego-spreadsheetsforthepurposeof

misleadingareceiver,theblindself-authenticationcapability

pro-videdbytheproposedmethodcanbeusedtochecktheauthenticity

oftheretrievedsecretmessage.Whentheauthenticitycheckfails,

itrevealsthatthecommunicationbetweenthetwosideshasbeen

threatenedandappropriatemeasuresshouldbeadopted.

4.3. Embeddingcapacityanalysis

ThevaluekmentionedinStep2ofAlgorithm3determinesthe

Fig.3. Acoverspreadsheetwith300numericitemsofstudents’testscores.(a)Listofthefirst36itemsinthespreadsheet.(b)Listofthelast34itemsinthespreadsheet.

bits,ineachsegmentgroupprocessedbythealgorithm.Itcanbe

figuredoutthatundertheconditionofusingthesamenumber

ofnumericitemsinaspreadsheetfordataembedding,alargerk

impliesalargerembeddingcapacitybutacoarserintegritycheck

inthelaterprocessofself-authentication,whileasmallerkmeans

thereverse.Thereexistsatradeoffhere.

Specifically,for instance,assumethat 10numericitemsin a

coverspreadsheetaretobereplacedwithsecretshares,anda(k,

n)-thresholdsecretsharingschemewithk=9,n=k+1=10isadopted.

Inthiscase,the9coefficientsd,c1,c2,...,andc8,witheachbeingan

m-bitsegmentofthesecretmessage,formthecoefficientsofthe

8-degreepolynomialdescribedby(3),andsoprovide9×m=9m

bits as theembedding capacity by generating10 secret shares

andembeddingthem intothecoverspreadsheet.Asa

compari-son,underthesameconditionbutwith(k,n)=(k,k+1)=(4,5),a

3-degreepolynomialincludingfourm-bitcoefficients isformed,

providingadataembeddingcapacityof4×m=4mbitsafter5

par-tialsharesaregeneratedandembedded.Therefore,if10number

itemsofacoverspreadsheetisprovidedaswell,thenthe10items

canbeusedtoembed2setsof5secretsharesgeneratedfrom2

distinctsegmentgroupsinthesecretmessage,yieldingatotalof

2×4m=8mbitsasthedataembeddingcapacity.Ascanbeobserved

fromthetwocases,theformercaseprovidesalargerembedding

capacityof9msecretmessagebitsyetwithasegmentgroupof9m

bitsastheunitforlaterself-authentication.Contrastively,thelatter

caseprovidesasmallerembeddingcapacityof8msecretmessage

bitsbutafinerauthenticationunitof4m-bitsegmentgroupinthe

secretmessage.

Fromtheabovediscussions,ageneralconclusionaboutthedata

embeddingcapacityoftheproposedmethodismadeasfollows:if

Idenotesthetotalnumberofnumericitemsinacoverspreadsheet

availableforembeddingsecretshares,thentheembeddingcapacity

Coftheproposedmethodbasedona(k,n)-thresholdsecretsharing

schemewithn=k+1is:

C=



I

n



×m×k (5)

whereI/ndenotesthenumberofsegmentgroupsinthesecret

messageMandmisthenumberofbitsinasegmentofM.

5. Experimentalresults

5.1. Experimentalresultsusingspreadsheetsrecordingstudents’

scores

Aresultoftheexperimentsweconductedusingtheproposed

methodwasbasedontheuseofa coverspreadsheetrecording

300students’scoressavedasanExcelfileasshowninFig.3.Note

thatthisisjustanexample;thetypeofcoverspreadsheetandthe

contentofitneednotberestrictedtobeso.

Thevaluesoftheinvolvedparametersp,mandkinEq.(3)of

theShamirmethodweresettobe101,6,and7,respectively.The

valueoftheprimenumberpwastakentobe101becauseitisthe

smallestintegerlargerthanthefullmarksof100ofthestudents’

testscores.Thevalueofm=6meansthatthelengthofeach

seg-mentoftheinputsecretmessageMwastakentobe6bits,which

satisfiestherequirementof2m_{−1=63<pmentionedinStep1of}

Algorithm3.AndeachmessagesegmentinMwastransformedinto

anintegerforuseasoneofthecoefficientsd,c1,c2,...,ck−1inEq.

(3).Asfork=7,itmeansthatthevaluenisn=k+1=8intheapplied

(k,n)-thresholdsecretsharingscheme,andthatevery7message

segmentsinMareusedasthecoefficientsd,c1,c2,...,c6ofthe

Fig.4.Adialogforenteringinputsecretmessage.

generatedbyAlgorithm3,yieldingaself-authenticationcapacity

ofcheckingevery7messagesegmentsinM.

Furthermore,asshowninFig.4,theinputsecretmessageM

wastakentobethenote:“password:19841221”.Inthiscase,the

18charactersofthemessageweretransformedintoabinarystring

with18×7=126bits(7bitsperASCII-codedcharacter).The126

bitsthenweredividedinto3segmentgroupswitheachgroup

com-posedof7segmentsandeachsegmentconsistingofm=6bits.The

threesegmentgroupscorrespondtothefollowingthreemessage

sections:

Group1:“Passwo”;Group2:“rd: 19”;Group3:“841221.”

Totally,the3segmentgroupsgenerated3×8=24secretshares

whichatlast,bytheuseofasecretkey,wererandomlyembedded

intothecoverspreadsheettoyieldastego-spreadsheet.Welistthe

first36itemsinthestego-spreadsheetinFig.5(a),whereitems

havingbeenreplacedwiththesecretsharesaremarkedinblue.A

listofthefirst36itemsinthecoverspreadsheetisgiveninFig.5(b)

forcomparison.

If the stego-spreadsheet is intentionally modified illegally,

Algorithm4willdetectsuchtamperingbytheself-authentication

operation(seeStep3).Besides,ifsomeembeddedsecretshares

survivethemodification,Algorithm4canreconstructthepartially

correctsecretmessagefromthembytherecoverysteps(Steps2–4).

Someexperimentalresultsofthesefunctionsaredescribednow.

Fig.6showsamodifiedstego-spreadsheetwhereitems16through

26werealteredbyreplacingthemwithothernumbers.Withinthe

11modifieditems,items15and17includetwoembeddedsecret

shares.Thesecretmessageextractedfromsuchamodified

spread-sheetusingAlgorithm4isshowninFig.7.Ascanbeseen,segment

groups2and3ofthesecretmessagewerereconstructedcorrectly,

whilesegmentgroup1isauthenticatedtohavebeenmodifiedand

markedbythealgorithmwithasterisksymbols“*.”

In this case, the strategy of yielding a low embeddingrate

mentionedpreviouslyisusedtoachievethegoalofcreating

unde-tectabilityofthestego-spreadsheet.Inordertoensurethatthis

strategy works, the two-sample Kolmogorov–Smirnov test (KS

test),which isa non-parametric statisticaltest and isusefulto

checkwhethertwodatasamplescomefromthesameprobability

Table1

Experimentalresultsofusingstrategy1withacoverspreadsheetwithhighscatterlevelofnumericdata.

Scores1(300numericitemswith variance917.76andsize25k)

#ofreplacednumeric itemsI

Resultinghypothesis(5%) pvalue Capacity=I/n×m×k (bits)

Embeddingbitrateper numericitem

Embedding bitrate Embeddingrate5% 16 0(cannotreject) 1 2×6×7=84 0.28b 1/298 Embeddingratelimit50.67% 152 1(reject) 0.0309 19×6×7=798 2.66b 1/31

distribution,isusedtoquantitativelycomparetheprobability

dis-tributionof numericdataina stego-spreadsheetwiththatin a

coverspreadsheet.Thenullhypothesisisthattwodatasamples

comefromthesameunderlyingdistributionatthe5%significance

level,andthealternativehypothesisisthattheyarefrom

differ-entdistributions.Theresultofapplyingthetesttothecontentsof

thecoverspreadsheetandthestego-spreadsheetshowninFig.5is

showninTable1givenbelow,inwhichtheresultinghypothesis0

Fig.6. Analteredspreadsheetwithfakeitems16–26.

meansthatthetestcannotrejectthenullhypothesis,thatis,athird

partycannotthinkthattheprobabilitydistributionofthe

stego-spreadsheetisdifferentfromthatofthecoverspreadsheet.The

limitoftheembeddingrateatwhichthetwo-sampleKS-testwill

rejectthenullhypothesis,accordingtoourexperiments,is50.67%

inthiscase.Thismeansthattheembeddingrateshouldbesmaller

than50.67%inordertokeeptheundetectabilitypropertyofthe

stego-spreadsheetwhenasteganalysthastheinformationofthe

probabilitydistributionrelatedtothestego-spreadsheet.

Howtochooseanembeddingratewhichissecureagainstsuch

astatisticaltestdependsonthescatterlevelofthechosennumeric

dataofthecoverspreadsheet.Here,thescatterleveliscomputed

asthevarianceofnumericdatavalues.Intermsofthisparameter,

threespreadsheetsScores1,Scores2,andScores3withthescatter

levelfromhightolowweretestedfurtherinourexperimentsusing

thesamesettingofparameters.Scores1isjusttheoneusedinthe

firstexperimentmentionedaboveandthecorrespondingstatistics

isshowninTable1.TheresultsofusingScores2andScores3are

showninTables2and3,respectively.FromTable2,thelimitof

theembeddingrateusingScores2isseentobe26%whichislower

thanthatusingScores1.AsforScores3,thecorrespondinglimitof

theembeddingrateisdowntobe6.04%asseeninTable3.These

experimentalstatisticsindicatethatthenumericdataofacover

spreadsheetwithahigherscatterlevelcanyieldahigher

embed-dingratewithoutcausingstatisticalanomalies.Thisfactcanalso

beseenfromthemessageembeddingbitratepernumericitem,also

showninthetables.Specifically,theupperboundoftheembedding

bitratepernumericiteminScores1is2.66b,whichishigherthan

thoseinScores2(1.36b)andScores3(0.32b).

5.2. Experimentalresultsusingaspreadsheetofafinancial

statement

AnotherexperimentalresultusingtheMicrosoftExcelfileof

a financialstatementof a companyasthecover spreadsheetis

showninFigs.8–11.Fig.8showsthecoverspreadsheetwith32

candidate numeric items for data embedding. In this case, the

strategy of choosing insignificant parts of numeric data in the

coverspreadsheetforembeddingsecretsharesisusedtokeepa

low levelofembeddingstrengthfor considerationof the

unde-tectabilityof thegenerated stego-spreadsheet.Fig.9shows the

inputsecretmessagewhich wastransformedinto32 sharesby

Algorithm3.Correspondingly,thedecimalfractionsofallofthe

32 numericitemsin thecover spreadsheetof Fig.8wereused

toembedtheshares.Eachsharewastransformedintotwo

dig-itsandembeddedtotherightofthedecimalpointofanumeric

Fig.7.Anextractedsecretmessagewithamessagesegmentretrievedfrom tam-pereditemsinthestego-spreadsheetmarkedbysymbols“*”.

Table2

Experimentalresultsofusingstrategy1withacoverspreadsheetwithmediumscatterlevelofnumericdata.

Scores2(1296numericitemswith variance465.62andsize105k)

#ofreplaced numericitems

Resulting hypothesis(5%)

pvalue Capacity=I/n×m×k (bits)

Embeddingbitrate pernumericitem

Embeddingbitrate Embeddingrate5% 64 0(cannotreject) 0.9999 8×6×7=336 0.26b 1/313

Embeddingratelimit26% 336 1(reject) 0.049 42×6×7=1764 1.36b 1/60

Table3

Experimentalresultsofusingstrategy1withacoverspreadsheetwithlowscatterlevelofnumericdata. Scores3(2250numericitems

withvariance283.11andsize 31k)

#ofreplaced numericitems

Resulting hypothesis(5%)

pvalue Capacity=I/n×m×k (bits)

Embeddingbitrate pernumericitem

Embeddingbitrate

Embeddingrate5% 112 0(cannotreject) 0.3557 14× 6× 7=588 0.26b 1/53 Embeddingratelimit6.04% 136 1(reject) 0.0383 17× 6×7=714 0.32b 1/43

Fig.8.Acoverspreadsheetoffinancialstatementwith32numericitems. Table4

Experimentalresultsofusingstrategy2foracoverspreadsheetofafinancialstatement. Financialstatement(32numeric

itemsandsize15k)

#ofreplaced numericitems

Resultof hypothesis(5%)

pvalue Capacity=I/n×m×k (bits)

Embeddingbitrate pernumericitem

Embeddingbitrate Embeddingrate100% 32 0(cannotreject) 1 4×6×7=168 5.25b 1/89

item.Theresultingstego-spreadsheetisshowninFig.10 which

lookslikeacommonspreadsheet.Asdoneintheprevious

experi-ment,thetwo-sampleKolmogorov–Smirnovtestwasused,andthe

resultisshowninTable4whichsupportstheuseofthestrategy,

Fig.9.Adialogwiththeinputsecretmessage.

accomplishingthegoalofyieldingstatisticalundetectabilityinthe

stego-spreadsheet.

Fig.11showsthestego-spreadsheetwith3numericitems

(high-lighted)beingmodified.The secretmessageextractedfromthe

modifiedstego-spreadsheetis shownin Fig.12(b) inwhichthe

destructedpartofthesecretmessageismarkedbyasterisk

sym-bols.Asacomparison,thesecretmessageextractedfromtheintact

stego-spreadsheetshowninFig.10isshowninFig.12(a).

5.3. Comparisonwithexistingmethods

Forthepurposeofpresentingthecontributionsmadeinthis

study,acomparisonofthecapabilitiesoftheproposedmethodwith

thoseofsomeexistingcovertcommunicationmethodsisgivenin

Table5.

Mostexistinginformationhidingmethodsforcovert

Fig.10.Astego-spreadsheetinwhichthedecimalfractionsofthenumericitemshavebeenmodifiedbyembeddedshares.

Fig.11.Astego-spreadsheetwith3numericitems(highlighted)beingmodified.

2008;FridrichandDu,2000;LeeandTsai,2010a,b;Zhongetal., 2007;LiuandTsai,2007)weredevelopedbasedonthepremise

thatanadversaryalwaysworksinthepassivemode.However,in

practicalcovertcommunication,anactiveattackisdefinedasthe

actionofanadversarywhoseekstodestroythestego-contentorto

activelyintroducesubtlemodificationstopassing-bystego-objects

betweenthetwoparties.Suchanactiveattackmaypossiblycausea

receivertoextractanincorrectsecretmessagewithnoawareness.

Fig.12.Therecoveredsecretmessage.(a)Messageextractedfromtheintactstego-spreadsheetshowninFig.10.(b)Messageextractedfromthemodifiedstego-spreadsheet showninFig.11.

Table5

Comparisonofexistingsteganographicmethodsandproposedmethod.

Manipulationofdata embedding Againstactive attack Modification localization capability

Freefromneedof auxiliaryinformation formessageextraction

Keepingthesizeofacover fileaftertransformedinto stego-version

Benderetal. (1996),Wuand Tsai(2003),Yang etal.(2008)

LSB-based(image) No No Yes Yes

FridrichandDu (2000)

Paritiesofpalettecolors (image)

No No Yes Yes

LeeandTsai (2010a,b)

CertainASCIIcodes(PDF) No No Yes No

Zhongetal.(2007) Characterspacevarying (PDF)

No No Yes Yes

LiuandTsai(2007) Changetrackingtechnique (MSworddocument)

No No No No

Proposedmethod Partialreplacementof numericitems (spreadsheet)

Yes Yes Yes Yes

Contrastivewiththeexistingmethods,theproposedmethodisthe

onlyonewhichhastheself-authenticationcapabilityagainstactive

attacksandsimultaneouslytakesthepassivesteganalyticattack

intotheconsideration.Furthermore,thedestructedpartofasecret

messagecanbelocalizedpreciselybytheproposedmethod,that

is,theproposedmethodhasthecapabilityofmodification

localiza-tionwhichisusefulforverifyingtheintegrityofthesecretmessage

intheproposedmethod.

Furthermore, auxiliary information for message decoding is

requiredin somemethods like(Liuand Tsai,2007).Extra

stor-agespaceisthusrequiredtosavetheinformationforbothparties

inthecommunication,addingaburdentothesystemin

practi-caluse.Contrarily,likethemethodsofBenderetal.(1996),Wu

andTsai(2003),Yangetal.(2008),FridrichandDu(2000),Leeand Tsai(2010a,b)andZhongetal.(2007)theproposedmethoddoes

notneedanyauxiliaryinformation.In addition,themethods in

LeeandTsai(2010a,b)andLiuandTsai(2007)increasethesizeof

thegeneratedstego-fileduetotheprocedureofaddingencoding

codesorchangingtrackingrecordsfordataembedding.Incontrast,

themanipulationofsubstitution/replacementfordataembedding

usedinmethodsofBenderetal.(1996),WuandTsai(2003),Yang

etal.(2008)andFridrichandDu(2000)aswellastheproposed

methodkeepthesizeofacoverfileunchangedafteritis

trans-formedintoastego-version.

Theembeddingbitrateoftheproposedmethodis

compara-tivelysmallerthanthatyieldedbythemethodsofBenderetal.

(1996),WuandTsai(2003)andYangetal.(2008)usingimagesas

covermedia.However,itisnotedthatthesemethodsare

vulnera-bletothewell-knownRSsteganalysis(WangandWang,2004).This

studyaimsatprovidinganewwayofcovertcommunication,and

theissueofimprovingtheembeddingcapacitydeservesfurther

investigationinthefuture.

Ontheotherhand,forfurtherresistingadversary’sattackson

destroyingthestego-content,secretsharesmaybespreadoverto

differentsetsofspreadsheetstoincreasethepossibilityof

retain-inganenoughnumberofsharesforrevealingthesecretmessage.

Atlast,itisworthtonotethattheproposedmethodcanbeequally

appliedtootherdocumentformatsandnotlimitedtoonly

spread-sheetfiles,althoughthenumbersappearinginsuchfilesmaybe

looksmorenaturalthanthoseappearinginotherfiles.

6. Conclusions

Anewcovertcommunicationmethodwithaself-authentication

capabilityviaspreadsheetsusing Shamir’s(k,k+1)secret

shar-ingschemehasbeenproposedinthisstudy.Thesegmentgroups

ofasecretmessagearetransformedintosecretsharesandthen

embeddedasiftheyarepartofthecontentinacoverspreadsheet,

yieldingacamouflageeffectandgeneratingaself-authentication

capability.Eachsegmentgroupof thesecretmessageextracted

fromastego-spreadsheetcanbeblindlyauthenticatedby

check-ingtheresultscomputedfromallthek+1possiblecombinations

ofk sharesoutof k+1 ones—iftheresultingk+1 copiesofthe

recoveredsecretareallidenticaltooneanother,thenthe

stego-spreadsheetisdecidedtobeintact.Incasethestego-spreadsheetis

authenticatedtohavebeenmodified,thealteredpartofthehidden

secretmessagemaybeidentified,andtheundamagedpart

recov-eredcorrectly.Experimental resultshave beenshown toprove

thefeasibilityandeffectivenessoftheproposedmethod.

Deriva-tionsofthedataembeddingcapacityandauthenticationprecision

havealsobeenconducted,anddiscussionsonthesteganalysisissue

included.Futurestudiesmay bedirected toapplicationsofthe

proposedmethodtomultimediaprotectioninthefieldoffragile

watermarking.

References

Bender,W.,Gruhl,D.,Morimoto,N.,Lu,A.,1996.Techniquesfordatahiding.IBM SystemsJournal35(3–4),313–336.

Brassil,J.T.,Maxemchuk,N.F.,1999.Copyrightprotectionfortheelectronic distri-butionoftextdocuments.ProceedingsoftheIEEE87(7),1181–1196. Chae,J.J.,Manjunath,B.S.,1999.Datahidinginvideo.In:Proc.of1999IEEE

Interna-tionalConferenceonImageProcessing,Kobe,Japan,pp.243–246.

Cheddad,A.,Condell,J.,Curran,K.,McKevitt,P.,2010.Digitalimagesteganography: surveyandanalysisofcurrentmethods.SignalProcessing90(3),727–752. Chen,L.S.T.,Lin,J.C.,2010.Multithresholdprogressiveimagesharingwithcompact

shadows.JournalofElectronicImaging19(1),013003.

Fridrich,J.,Du,R.,2000.Securesteganographicmethodsforpaletteimages.In:Proc. of3rdInternationalWorkshopInformationHiding,September1999,Dresden, Germany.Springer-Verlag,Berlin,pp.61–76(alsoinLectureNotesinComputer Science).

Gopalan,K.,etal.,2003.Covertspeechcommunicationviacoverspeechbytone insertion.In:Proc.ofthe2003IEEEAerospaceConference.BigSky,MT,USA. Lee,C.W.,Tsai,W.H.,2010a.AuthenticationofbinarydocumentimagesinPNG

for-matbasedonasecretsharingtechnique.In:Proceedingsof2010International ConferenceonSystemScienceandEngineering,Taipei,Taiwan,pp.133–138. Lee,I.S.,Tsai,W.H.,2010b.AnewapproachtocovertcommunicationviaPDFFiles.

SignalProcessing90(2),557–565.

Lin,C.C.,Tsai,W.H.,2004.Secretimagesharingwithsteganographyand authenti-cation.JournalofSystemsandSoftware73(3),405–414.

Liu,T.Y.,Tsai,W.H.,2007.AnewsteganographicmethodfordatahidinginMicrosoft Worddocumentsbyachangetrackingtechnique.IEEETransactionson Infor-mationForensicsandSecurity2(1),24–30.

Pickholtz,R.L.,Schilling,D.L.,Millstein, L.B.,1982.Theory ofspreadspectrum communications—atutorial.IEEE TransactionsonCommunications 30 (5), 855–884.

Provos,N.,Honeyman,P.,2003.Hideandseek:anintroductiontosteganography. IEEESecurityandPrivacyMagazine1(3),32–44.

Shamir,A.,1979.Howtoshareasecret.CommunicationofACM22(11),612–613. Thien,C.C.,Lin,J.C.,2002.Secretimagesharing.ComputersandGraphics26(1),

Wang,H.,Wang,S.,2004.Cyberwarfare:steganographyvs.steganalysis. Commu-nicationsofACM47(10),76–82.

Wu,D.C.,Tsai,W.H.,2003.Asteganographicmethodforimagesbypixel-value dif-ferencing.PatternRecognitionLetters24(9–10),1613–1626.

Wu,M.,Yu,H.,Gelman,A.,1999.Multi-leveldatahidingfordigitalimageandvideo. In:Proc.ofSPIEPhotonicsEast,Boston,MA,USA,pp.10–21.

Yang,C.H.,Weng,C.Y.,Wang,S.J.,Sun,H.M.,2008.Adaptivedatahidinginedgeareas ofimageswithspatialLSBdomainsystems.IEEETransactionsonInformation ForensicsandSecurity3(3),488–497.

Zhong,S.,Cheng,X.,Chen,T.,2007.DatahidinginakindofPDFtextsforsecret communication.InternationalJournalofNetworkSecurity4(1),17–26.

Che-WeiLeereceivestheB.S.degreeincivilengineering andtheM.S.degreeinelectricalengineeringfromNational ChengKungUniversity,Tainan,Taiwan,in2002and2005, respectively.HeisaPh.D.studentintheDepartmentof ComputerScienceatNationalChiaoTungUniversitysince 2005.Hisresearchinterestsincludeinformationhiding, imageprocessing,andvideotechnologies.

Wen-HsiangTsaireceivedtheB.S.degreeinEEfrom NationalTaiwanUniversity,Taiwan,in1973,theM.S. degreeinEEfromBrownUniversity,USAin1977,andthe Ph.D.degreeinEEfromPurdueUniversity,USAin1979. Since1979,hehasbeenwithNationalChiaoTung Univer-sity(NCTU),Taiwan,whereheisnowaChairProfessorof ComputerScience.Hiscurrentresearchinterestsinclude computervision,informationsecurity,videosurveillance, andautonomousvehicleapplications.