Results 1  10
of
38
Provably Secure Steganography
 in Advances in Cryptology: CRYPTO 2002
, 2002
"... Informally, steganography is the process of sending a secret message from Alice to Bob in such a way that an eavesdropper (who listens to all communications) cannot even tell that a secret message is being sent. In this work, we initiate the study of steganography from a complexitytheoretic point o ..."
Abstract

Cited by 64 (6 self)
 Add to MetaCart
Informally, steganography is the process of sending a secret message from Alice to Bob in such a way that an eavesdropper (who listens to all communications) cannot even tell that a secret message is being sent. In this work, we initiate the study of steganography from a complexitytheoretic point of view. We introduce definitions based on computational indistinguishability and we prove that the existence of oneway functions implies the existence of secure steganographic protocols. Keywords: Steganography, Cryptography, Provable Security 1
PublicKey Steganography
 In: Advances in Cryptology – Proceedings of Eurocrypt ’04
, 2003
"... Informally, a publickey steganography protocol allows two parties, who have never met or exchanged a secret, to send hidden messages over a public channel so that an adversary cannot even detect that these hidden messages are being sent. Unlike previous settings in which provable security has be ..."
Abstract

Cited by 45 (3 self)
 Add to MetaCart
Informally, a publickey steganography protocol allows two parties, who have never met or exchanged a secret, to send hidden messages over a public channel so that an adversary cannot even detect that these hidden messages are being sent. Unlike previous settings in which provable security has been applied to steganography, publickey steganography is informationtheoretically impossible.
A publickey encryption scheme with pseudorandom ciphertexts.
 In Computer Security—ESORICS
, 2004
"... ..."
(Show Context)
Upper and Lower Bounds on BlackBox Steganography
 Theory of Cryptography Conference (TCC
, 2004
"... We study the limitations of steganography when the sender is not using any properties of the underlying channel beyond its entropy and the ability to sample from it. On the negative side, we show that the number of samples the sender must obtain from the channel is exponential in the rate of the ..."
Abstract

Cited by 9 (0 self)
 Add to MetaCart
(Show Context)
We study the limitations of steganography when the sender is not using any properties of the underlying channel beyond its entropy and the ability to sample from it. On the negative side, we show that the number of samples the sender must obtain from the channel is exponential in the rate of the stegosystem. On the positive side, we present the first secretkey stegosystem that essentially matches this lower bound regardless of the entropy of the underlying channel.
Covert TwoParty Computation
 In 37th STOC
, 2005
"... We introduce the novel concept of covert twoparty computation. Whereas ordinary secure twoparty computation only guarantees that no more knowledge is leaked about the inputs of the individual parties than the result of the computation, covert twoparty computation employs steganography to yield ..."
Abstract

Cited by 8 (1 self)
 Add to MetaCart
We introduce the novel concept of covert twoparty computation. Whereas ordinary secure twoparty computation only guarantees that no more knowledge is leaked about the inputs of the individual parties than the result of the computation, covert twoparty computation employs steganography to yield the following additional guarantees: (A) no outside eavesdropper can determine whether the two parties are performing the computation or simply communicating as they normally do; (B) before learning f(xA , xB ), neither party can tell whether the other is running the protocol; (C) after the protocol concludes, each party can only determine if the other ran the protocol insofar as they can distinguish f(xA , xB ) from uniformly chosen random bits. Covert twoparty computation thus allows the construction of protocols that return f(xA , xB ) only when it equals a certain value of interest (such as "Yes, we are romantically interested in each other") but for which neither party can determine whether the other even ran the protocol whenever f(xA , xB ) does not equal the value of interest. We introduce security definitions for covert twoparty computation and we construct protocols with provable security based on the Decisional Di#eHellman assumption.
Contentaware steganography: About lazy prisoners and narrowminded wardens
 In Proceedings of the 8th Information Hiding Workshop, Lecture Notes in Computer Science
, 2005
"... Abstract. We introduce contentaware steganography as a new paradigm. As opposed to classic steganographic algorithms that only embed information in the syntactic representation of a datagram, contentaware steganography embeds secrets in the semantic interpretation which a human assigns to a datagr ..."
Abstract

Cited by 7 (2 self)
 Add to MetaCart
(Show Context)
Abstract. We introduce contentaware steganography as a new paradigm. As opposed to classic steganographic algorithms that only embed information in the syntactic representation of a datagram, contentaware steganography embeds secrets in the semantic interpretation which a human assigns to a datagram. In this paper, we outline two constructions for contentaware stegosystems, which employ, as a new kind of security primitive, problems that are easy for humans to solve, but difficult to automate. Such problems have been successfully used in the past to construct Human Interactive Proofs (HIPs), protocols capable of automatically distinguishing whether a communication partner is a human or a machine.
Provably Secure Steganography with Imperfect Sampling
 PUBLIC KEY CRYPTOGRAPHY
, 2006
"... The goal of steganography is to pass secret messages by disguising them as innocentlooking covertexts. Real world stegosystems are often broken because they make invalid assumptions about the system’s ability to sample covertexts. We examine whether it is possible to weaken this assumption. By mod ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
(Show Context)
The goal of steganography is to pass secret messages by disguising them as innocentlooking covertexts. Real world stegosystems are often broken because they make invalid assumptions about the system’s ability to sample covertexts. We examine whether it is possible to weaken this assumption. By modeling the covertext distribution as a stateful Markov process, we create a sliding scale between real world and provably secure stegosystems. We also show that insufficient knowledge of past states can have catastrophic results.
A Formal Treatment of Backdoored Pseudorandom Generators
"... We provide a formal treatment of backdoored pseudorandom generators (PRGs). Here a saboteur chooses a PRG instance for which she knows a trapdoor that allows prediction of future (and possibly past) generator outputs. This topic was formally studied by Vazirani and Vazirani, but only in a limited fo ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
(Show Context)
We provide a formal treatment of backdoored pseudorandom generators (PRGs). Here a saboteur chooses a PRG instance for which she knows a trapdoor that allows prediction of future (and possibly past) generator outputs. This topic was formally studied by Vazirani and Vazirani, but only in a limited form and not in the context of subverting cryptographic protocols. The latter has become increasingly important due to revelations about NIST’s backdoored Dual EC PRG and new results about its practical exploitability using a trapdoor. We show that backdoored PRGs are equivalent to publickey encryption schemes with pseudorandom ciphertexts. We use this equivalence to build backdoored PRGs that avoid a well known drawback of the Dual EC PRG, namely biases in outputs that an attacker can exploit without the trapdoor. Our results also yield a number of new constructions and an explanatory framework for why there are no reported observations in the wild of backdoored PRGs using only symmetric primitives. We also investigate folklore suggestions for countermeasures to backdoored PRGs, which we call immunizers. We show that simply hashing PRG outputs is not an effective immunizer against an attacker that knows the hash function in use. Salting the hash, however, does yield a secure immunizer, a fact we prove using a surprisingly subtle proof in the random oracle model. We also give a proof in the standard model under the assumption that the hash function is a universal computational extractor (a recent notion introduced by Bellare, Tung, and Keelveedhi).