On the role of side information in steganography in empirical covers

In an attempt to alleviate the negative impact of unavailable cover model, some steganographic schemes utilize the knowledge of the so-called “precover” when embedding secret data. The precover is typically a higherresolution (unquantized) representation of the cover, such as the raw sensor output before it is converted to an 8-bit per channel color image. The precover object is only available to the sender but not to the Warden, which seems to give a fundamental advantage to the sender. In this paper, we provide theoretical insight for why side-informed embedding schemes for empirical covers might provide high level of security. By adopting a piece-wise polynomial model corrupted by AWGN for the content, we prove that when the cover is sufficiently non-stationary, embedding by minimizing distortion w.r.t. the precover is more secure than by preserving a model estimated from the cover (the so-called model-based steganography). Moreover, the side-informed embedding enjoys four times lower steganographic Fisher information than LSB matching. 1. MOTIVATION The problem of steganography is to devise a scheme using which secret messages can be passed to another party by hiding them in cover objects so that a traffic-monitoring entity called Warden cannot distinguish between genuine cover objects and objects carrying secret data. In steganography by cover modification, the secret is embedded by making changes to the cover. If the cover-source distribution is known and available to the communicating parties as well as the Warden, the rate of perfectly secure steganographic communication is positive 23 even when the actions of both the sender and the (possibly active) Warden are power limited. When the cover source is empirical in nature (e.g., digital media files acquired by a sensor), the individual cover elements, such as pixels or JPEG DCT coefficients follow a highly non-stationary distribution that reflects the content as well as numerous sources of noise. This enormous complexity makes perfect security essentially unachievable in practice – the Warden always seems able to find a representation of the covers within which the actions of the sender can be detected, forcing thus the sender to embed with a vanishing rate as the cover size increases (the so-called square root law of imperfect steganography 7, ). To alleviate the negative impact of unavailable cover model, some steganographic schemes make use of the knowledge of the so-called “precover” when embedding secret data. The precover is usually a higher-resolution (unquantized) representation of the cover, such as the raw image before it is JPEG compressed or raw sensor output before it is converted to an 8-bit per channel color image, such as TIFF or JPEG. Such side-informed schemes provide a very high level of security in practice 18, 19, 21 at least when the security is measured empirically using feature-based steganalyzers implemented using machine learning. The failure of current steganalysis to reliably detect side-informed schemes should, however, be taken with a grain of salt because it could simply mean that current steganalysis lacks the right models (feature spaces). In short, to the best knowledge of the author the role of side-information in steganography in empirical covers is largely unclear with a surprising lack of rigorous arguments. This paper is an attempt to shed more light on this intriguing topic while focusing on finding as simple formalization as possible that already provides valuable insight. In Section 4, we formalize the concepts of precover and cover sources. In particular, we model images as sequences of segments on which the content follows a linearly parametrizable polynomial model corrupted by additive white Gaussian noise (AWGN) similar in nature to the model investigated in. Here, the content is captured by segments’ boundaries and the model E-mail: [email protected]; http://www.ws.binghamton.edu/fridrich parameters. Following a commonly adopted conservative viewpoint, we grant the Warden with a complete knowledge of the model (the so-called fully informed Warden) while the sender needs to estimate the model parameters. This allows us in Section 3 to quantify security in the limit of small payloads by the steganographic Fisher information in the leading term of the Taylor expansion of KL divergence between the cover and stego distributions. In Section 4, we describe three different embedding methods – embedding while preserving an estimated model, Quantization-Index Modulation (QIM), and the simple Least Significant Bit matching (LSBM), and analyze them by computing their steganographic Fisher information. In Section 4.4, we prove that for a highly non-stationary cover (a statement that can be precisely quantified), the QIM has a lower Fisher information than when the sender embeds by preserving an estimated cover model. The QIM is also always more secure than the uninformed LSBM whose steganographic Fisher information is four times larger than that of QIM. Conversely, for less complex covers, the sender is better off to embed while preserving the estimated cover distribution instead of applying the QIM. The paper is concluded in Section 5. Calligraphic font is reserved for sets, while capital letters with their corresponding lower-case letters are used for random variables and their realizations. Matrices will be upright boldface symbols (e.g., Ars is the rsth element of matrix A) with A standing for the transpose. For a statement P , the Iverson bracket [P ] = 1 when P is true, and it is zero when P is false. We reserve the symbols R and Z for the set of real numbers and integers and In for an n× n unity matrix. Gaussian distribution with mean vector μ ∈ R and covariance matrix C ∈ R will be denoted N(μ,C). Finally, we use h2(β) = −β log2 β− (1−β) log2(1−β) for the binary entropy function. Given a countable set of scalar bin centroids, M = {mj}, mj < mj+1, a scalar quantizer is a mapping QM : R → M, defined as QM(x) = argminmj∈M |x −mj |. In this paper, we will assume that QM is uniform, mj = j4, j ∈ Z, where 4 > 0 is the bin width. A uniform quantizer with bin width 4 will be denoted Q4. 2. PRECOVER AND COVER SOURCE An n-element precover source will be represented using a random variable Z , (Z1, . . . , Zn) divided into S ≥ 1 segments containing pixels with indices from Ni , {ni−1 + 1, . . . , ni}, i = 1, . . . , S, where n0 = 0, ni < ni+1, nS = n are segments’ boundaries. On each segment, the content is modeled using a polynomial of degree d corrupted by a AWGN: Z = Hθ + Ξ, (1) where Z , (Zni−1+1, . . . , Zni) , θ , (θ (i) 0 , . . . , θ (i) d ) , Ξ ∼ N(0, σI|Ni|), and