IMAGE BASED STEGANOGRAPHY AND CRYPTOGRAPHY                                            Domenico Bloisi and Luca Iocchi     ...
message so it cannot be seen. A cipher message,            to send a secret message M to Bob (the receiver): infor instanc...
strong encryption at the same time.                        recover M through S and K (see Sect. 4.2). In addi-    Our meth...
Where random() returns a real in [0, 1). Re-                                                          turned values are ch...
Stereo Image Pair). In fact, the key image idea de-           following one-way relations RK, RS, and RM:rives from stereo...
Lines 1,2,3, and 4 perform (in the binary domain)          bit planes of an image because they overwrite visualthe same op...
Thus, if the statistical tests used to examine an im-                                                             age for ...
quence is ”unbreakable in practice” (Menezes et al.,                                                         1996).       ...
Upcoming SlideShare
Loading in …5



Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide


  1. 1. IMAGE BASED STEGANOGRAPHY AND CRYPTOGRAPHY Domenico Bloisi and Luca Iocchi Dipartimento di Informatica e Sistemistica Sapienza University of Rome, Italy E-mail: <lastname>@dis.uniroma1.itKeywords: Steganography, cryptography.Abstract: In this paper we describe a method for integrating together cryptography and steganography through image processing. In particular, we present a system able to perform steganography and cryptography at the same time using images as cover objects for steganography and as keys for cryptography. We will show such system is an effective steganographic one (making a comparison with the well known F5 algorithm) and is also a theoretically unbreakable cryptographic one (demonstrating its equivalence to the Vernam Cipher).1 INTRODUCTION confidential transmission over a public network. The original text, or plaintext, is converted into a codedCryptography and steganography are well known and equivalent called ciphertext via an encryption algo-widely used techniques that manipulate information rithm. Only those who possess a secret key can deci-(messages) in order to cipher or hide their existence. pher (decrypt) the ciphertext into plaintext.These techniques have many applications in computer Cryptography systems can be broadly classifiedscience and other related fields: they are used to pro- into symmetric-key systems (see Fig. 1) that use atect e-mail messages, credit card information, corpo- single key (i.e., a password) that both the sender andrate data, etc. the receiver have, and public-key systems that use two More specifically, steganography1 is the art and keys, a public key known to everyone and a privatescience of communicating in a way which hides the key that only the recipient of messages uses. In theexistence of the communication (Johnson and Jajodia, rest of this paper, we will discuss only symmetric-key1998). A steganographic system thus embeds hid- systems.den content in unremarkable cover media so as not toarouse an eavesdropper’s suspicion (Provos and Hon-eyman, 2003). As an example, it is possible to embeda text inside an image or an audio file. On the other hand, cryptography is the study ofmathematical techniques related to aspects of infor-mation security such as confidentiality, data integrity,entity authentication, and data origin authentication(Menezes et al., 1996). In this paper we will focusonly on confidentiality, i.e., the service used to keepthe content of information from all but those autho-rized to have it. Figure 1: Symmetric-key Cryptographic Model. Cryptography protects information by transform-ing it into an unreadable format. It is useful to achieve Cryptography and steganography are cousins in the spy craft family: the former scrambles a mes- 1 from Greek, it literally means ”covered writing” sage so it cannot be understood, the latter hides the
  2. 2. message so it cannot be seen. A cipher message, to send a secret message M to Bob (the receiver): infor instance, might arouse suspicion on the part of order to do this, Alice chooses a cover image C.the recipient while an invisible message created with The steganographic algorithm identifies C’s re-steganographic methods will not. dundant bits (i.e., those that can be modified with- In fact, steganography can be useful when the out arising Wendy’s suspicion), then the embeddinguse of cryptography is forbidden: where cryptogra- process creates a stego image S by replacing these re-phy and strong encryption are outlawed, steganog- dundant bits with data from M.raphy can circumvent such policies to pass messagecovertly. However, steganography and cryptographydiffer in the way they are evaluated: steganographyfails when the ”enemy” is able to access the contentof the cipher message, while cryptography fails whenthe ”enemy” detects that there is a secret messagepresent in the steganographic medium (Johnson andJajodia, 1998). The disciplines that study techniques for decipher-ing cipher messages and detecting hide messages arecalled cryptanalysis and steganalysis. The former de-notes the set of methods for obtaining the meaning Figure 2: Steganographic Model.of encrypted information, while the latter is the art ofdiscovering covert messages. S is transmitted over a public channel (monitored The aim of this paper is to describe a method for by Wendy) and is received by Bob only if Wendy hasintegrating together cryptography and steganography no suspicion on it. Once Bob recovers S, he can getthrough image processing. In particular, we present a M through the extracting process.system able to perform steganography and cryptogra- The embedding process represents the critical taskphy at the same time. We will show such system is an for a steganographic system since S must be as simi-effective steganographic one (making a comparison lar as possible to C for avoiding Wendy’s interventionwith the well known F5 algorithm (Westfeld, 2001)) (Wendy acts for the eavesdropper).and is also a theoretically unbreakable cryptographicone (we will demonstrate our system is equivalent to Least significant bit (LSB) insertion is a commonthe Vernam cipher (Menezes et al., 1996)). and simple approach to embed information in a cover file: it overwrites the LSB of a pixel with an M’s bit. If we choose a 24-bit image as cover, we can store 3 bits in each pixel. To the human eye, the resulting stego2 IMAGE BASED image will look identical to the cover image (Johnson STEGANOGRAPHIC SYSTEMS and Jajodia, 1998). Unfortunately, modifying the cover imageThe majority of today’s steganographic systems uses changes its statistical properties, so eavesdroppersimages as cover media because people often transmit can detect the distortions in the resulting stego im-digital pictures over email and other Internet commu- age’s statistical properties. In fact, the embedding ofnication (e.g., eBay). Moreover, after digitalization, high-entropy data (often due to encryption) changesimages contain the so-called quantization noise which the histogram of colour frequencies in a predictableprovides space to embed data (Westfeld and Pfitz- way (Provos and Honeyman, 2003; Westfeld andmann, 1999). In this article, we will concentrate only Pfitzmann, 1999).on images as carrier media. Westfeld (Westfeld, 2001) proposed F5, an algo- The modern formulation of steganography is of- rithm that does not overwrite LSB and preserves theten given in terms of the prisoners’ problem (Sim- stego image’s statistical properties (see Sect. 5.2).mons, 1984; Kharrazi et al., 2004) where Alice and Since standard steganographic systems do not pro-Bob are two inmates who wish to communicate in or- vide strong message encryption, they recommend toder to hatch an escape plan. However, all commu- encrypt M before embedding. Because of this, wenication between them is examined by the warden, have always to deal with a two-steps protocol: firstWendy, who will put them in solitary confinement at we must cipher M (obtaining M’) and then we canthe slightest suspicion of covert communication. embed M’ in C. Specifically, in the general model for steganogra- In the next sections we will present a new all-in-phy (see Fig. 2), we have Alice (the sender) wishing one method able to perform steganography providing
  3. 3. strong encryption at the same time. recover M through S and K (see Sect. 4.2). In addi- Our method has been planned either to work with tion, Wendy will neither detect that M is embedded inbit streams scattered over multiple images (in an on- S nor be able to access the content of the secret mes-line way of functioning) or to work with still images; sage (see Fig. 4).it yields random outputs, in order to make steganaly-sis more difficult and it can cipher M in a theoreticallysecure manner preserving the stego image’s statisticalproperties. The simplicity of our method gives the possibilityof using it in real-time applications such as mobilevideo communication.3 A STEGO-CRYPTOGRAPHIC MODEL Figure 4: The unifying model.Figures 1 and 2 depict the cryptographic and stegano-graphic system components. Here we discuss how wecould unify those two models, in order to devise anew model holding the features that are peculiar both 4 IMAGE BASEDto the steganographic and to the cryptographic model STEGANOGRAPHY AND(see Fig. 3). CRYPTOGRAPHY The function denoted by F in Fig. 4 represents the embedding function we are going to explain in this section. The symbol F −1 indicates the ex- traction function, since it is conceptually the in- verse of embedding. We will call ISC (Image- based Steganography and Cryptography) the algo- rithm which carries on such functions. 4.1 ISC Embedding Process Figure 5 shows the embedding process. The choice Figure 3: Mapping between model components. of the stego image format makes a very big impact on the design of a secure steganographic system. The mapping between P and M, E and S, and k and Raw, uncompressed formats, such as BMP, pro-K is possible because we can consider all the compo- vide the biggest space for secure steganography, butnents in Fig. 3 as bit sequences and then realize a their obvious redundancy would arise Wendy’s suspi-relation between the co-respective bit sets. cion (in fact, why someone would have to transmit big The unifying model results as a steganographic uncompressed files when he can strongly reduce theirone with the addition of a new element: the key image size through compression? (Fridrich et al., 2002)).K. It gives the unifying model the cryptographic func- Thus, ISC embedding algorithm must yield a com-tionality we are searching for, preserving its stegano- pressed stego image, in particular we choose to pro-graphic nature. duce a JPEG file, because it is the most widespread The unifying model embedding process yields S image format.exploiting not only C’s bits but also K’s ones (see While the output of the embedding process is aSect. 4.1): this way of proceeding gives Alice the JPEG image (as we noted above), the inputs are: thechance to embed the secret message M (that is, the secret message bit sequence, an image C, and an im-plaintext) into the cover image C (as every common age K. C and K can be either uncompressed imagessteganographic system) encrypting M by the key im- (e.g., BMP) or compressed ones (e.g., JPEG), in ad-age K (as a classical cryptographic system) at the dition they can be either distinct images or the samesame time. At the receiver side, Bob will be able to image.
  4. 4. Where random() returns a real in [0, 1). Re- turned values are chosen pseudorandomly with (ap- proximately) uniform distribution from that range. Notice that we must avoid to produce zero coeffi- cients otherwise we would be unable to extract them at the receiver side (see Sect. 4.2). Once the embedding algorithm terminates, we can proceed with stegoAC[] Huffman coding and even- tually we obtain a JPEG image S as similar as possible to C. We can embed into S a number of bits equal to min(length(coverAC[]), length(keyAC[])). Figure 5: ISC embedding process. We have experimentally determined that we can hide in a JPEG image a message of size about 14% of the JPEG file dimension. Clearly the more amount The embedding process will be a modification of of information we embed into S the more S will resultthe JPEG encoding scheme. First of all, we subdivide different from C.C in a set of 8 x 8 pixel blocks and compute the Dis-crete Cosine Transform (DCT) on each block obtain- 4.2 ISC Extracting Processing a set of DCT coefficients; then they are quantized. After quantization, DC coefficients and AC zero The ISC extracting process is very simple and con-coefficients are discarded. The remaining AC nonzero sists in a comparison between S nonzero AC coeffi-coefficients are stored in a vector called coverAC[], cients (stegoAC[]) and K nonzero AC coefficientsthat is a signed integer array. We have to repeat the (keyAC[]). In order to obtain these two sets of coeffi-previous list of operations for the key image K obtain- cients we perform a Huffman decoding step followeding keyAC[], a signed integer array as coverAC[]. by the quantized AC coefficients extraction (see Fig. Now, in order to yield the stego image S, we are 6).able to modify coverAC[] according to the followingEm1 embedding algorithm. We will call stegoAC[]the modified coverAC[] array.Embedding Algorithm Em1.Input: coverAC[], keyAC[], message bit array MOutput: stegoAC[]for every bit M[i] of the message array M if (M[i] == 1) // we want to codify a 1 if (coverAC[i] and keyAC[i] are both even or both odd numbers) if(coverAC[i] == 1) stegoAC[i] = 2 else if(coverAC[i] == -1) stegoAC[i] = -2 else Figure 6: ISC extracting process. if(random() < 0.5) stegoaAC[i] = coverAC[i] - 1; Once the extraction is finished we compute the else following Ex1 extracting algorithm: stegoaAC[i] = coverAC[i] + 1; Extracting Algorithm Ex1. end if Input: stegoAC[], keyAC[] else // M[i] = 0, we want to codify a 0 Output: message bit array M if (coverAC[i] and keyAC[i] are one equal and one uneven) for every coefficient stegoAC[i] if(coverAC[i] == 1) stegoAC[i] = 2 if (stegoAC[i] and keyAC[i] are both even or both else if(coverAC[i] == -1) stegoAC[i] = -2 odd) else M[i] = 0; if(random() < 0.5) else stegoaAC[i] = coverAC[i] - 1; M[i] = 1; else end if stegoaAC[i] = coverAC[i] + 1; end for end if end if Images C and K depicted in Fig. 5 are two wellend for known stereo images (the University of Tsukuba’s
  5. 5. Stereo Image Pair). In fact, the key image idea de- following one-way relations RK, RS, and RM:rives from stereo vision: if you imagine the extracting RKprocess is a correlation algorithm, the secret message keyAC[] − k1 , k2 , ..., kt −→M could be seen as a disparity map between S and K, RS stegoAC[] − c1 , c2 , ..., ct →the embedding process as a sort of inverse correlation. RM M[] −→ m1 , m2 , ..., mt − The last relation RM is simply the relation of5 ISC PERFORMANCE equivalence since both M[] and m1 , m2 , ..., mt are bit sequences. For finding RK we have to transform keyAC[] inIn this section we will present ISC performance with a bit sequence through two further relations RK1 andrespect to both steganography and cryptography. We RK2:first demonstrate that ISC has optimum cryptographic RK1 RK2performance, by proving that it is equivalent to Ver- keyAC[] − → keyEO[] − → k1 , k2 , ..., kt − −nam cipher (Menezes et al., 1996), and then compareISC steganographic performance with respect to the RK1 maps each AC coefficient keyAC[i] over a bi-well known F5 algorithm (Westfeld, 2001). nary alphabet and store the corresponding bit value in keyEO[i] trough the rule: if keyAC[i] is even5.1 ISC Cryptographic Performance keyEO[i] = 0 elseThe Vernam Cipher. The Vernam cipher is a keyEO[i] = 1.symmetric-key cipher defined on the alphabet A = end if{0, 1}. A binary message m1 , m2 , ..., mt is operated on RK2 is the relation of equivalence betweenby a binary key string k1 , k2 , ..., kt of the same length KeyEO[] and k1 , k2 , ..., kt . RK results as the combi-to produce a ciphertext string c1 , c2 , ..., ct where ci = nation of RK1 and RK2.mi ⊕ ki , for 1 ≤ i ≤ t and ⊕ is the XOR operator. We can repeat the above procedure for finding RSThe ciphertext is turned back into plaintext simply in- as a combination of RS1 and RS2, i.e.,verting the previous procedure, i.e., mi = ci ⊕ ki , for RS1 RS21 ≤ i ≤ t. stegoAC[] −→ stegoEO[] −→ c1 , c2 , ..., ct − − If the key string is randomly chosen and never Let us use RS1 on coverAC[] in order to obtainused again, the Vernam cipher is called a one-time coverEO[] identical to stegoEO[] (note that initiallypad. stegoAC[] is equal to coverAC[]). One-time pad is theoretically unbreakable: if a RS1cryptanalyst has a ciphertext string c1 , c2 , ..., ct en- coverAC[] −→ coverEO[] −crypted using a random key string which as been Now we transform Em1 in order to work with bitused only once, the cryptanalyst can do no better then sequences, obtaining the algorithm Em2:guess at the plaintext being any binary string of lengtht. To realize an unbreakable system requires a ran- Embedding Algorithm Em2.dom key of the same length as the message (Shannon, Input: coverEO[], keyEO[], M[]1949). Output: stegoEO[] for every bit M[i] of the binary array M[]Equivalence between Vernam Cipher and ISC. if (M[i] == 1)Let keyAC[] and coverAC[] be two arrays contain- if (coverEO[i] ⊕ keyEO[i] == 0) (1)ing the AC nonzero coefficients extracted from the stegoEO[i] = coverEO[i] ⊕ 1 (2)key image K and the cover image C respectively. end if Let stegoAC[] be an array initialized identical to end ifcoverAC[] (stegoAC[] will be modified during the else //M[i] = 0embedding process because it will store the change if (coverEO[i] ⊕ keyEO[i] == 1) (3)needed by coverAC[]). stegoEO[i] = coverEO[i] ⊕ 1 (4) Let M[] be a binary array containing all the end ifbits from the secret message M and let us suppose, end elsefor the sake of simplicity, that length(keyAC[]) = end forlength(coverAC[]) = length(M[]). We want to find the
  6. 6. Lines 1,2,3, and 4 perform (in the binary domain) bit planes of an image because they overwrite visualthe same operations made by algorithm Em1. Table 1 structures; statistical attacks consist in measure dis-shows the truth table for every input feasible by algo- tortions in the DCT coefficients’ frequency histogramrithm Em2. produced by embedding. Table 1: Truth table for algorithm Em2. F5 Algorithm. The F5 steganographic algorithm M[i] keyEO[i] coverEO[i] stegoEO[i] was introduced by Andreas Westfeld in 2001 (West- 0 0 0 0 feld, 2001). The goal of his research was to de- 0 0 1 0 velop concepts and a practical embedding method for 0 1 0 1 JPEG images that would provide high steganographic 0 1 1 1 capacity without sacrificing security (Fridrich et al., 1 0 0 1 2002). 1 0 1 1 Instead of replacing the least-significant bit of a 1 1 0 0 DCT coefficient with message data, F5 decrements 1 1 1 0 its absolute value in a process called matrix encod- ing. As a result, there is no coupling of any fixed You can notice that bold values correspond to the pair of DCT coefficients, meaning the χ2 -test (Provostruth table for ci = mi ⊕ ki . Since M[] corresponds to and Honeyman, 2003; Westfeld and Pfitzmann, 1999)the Vernam plaintext m1 , m2 , ..., mt (by virtue of RM), cannot detect F5 (χ2 -test measure the probability akeyAC[] corresponds to the Vernam key k1 , k2 , ..., kt DCT coefficients’ frequency histogram is the product(by virtue of RK1 and RK2), and stegoAC[] corre- of a steganographic process).sponds to the Vernam ciphertext c1 , c2 , ..., ct (by virtue F5 uses a permutative straddling mechanism toof RS1 and RS2) we can conclude asserting: scatter the message over the whole cover medium. ISC embedding process and Vernam cipher en- The permutation depends on a key derived from acrypting step are equal. password. The proof of equivalence between ISC extracting Moreover, F5 (as ISC) embeds data in JPEG im-process and Vernam cipher decrypting step is trivial. ages thus resulting immune against visual attacks be- Let us transform algorithm Ex1 in order to work cause it operates in a transform space (i.e., the fre-with M[], keyEO[], and stegoEO[]. quency domain) and not in a spatial domain.Algorithm Ex2. Comparison between F5 and ISC. In order to re-Input: stegoEO[], keyEO[] alize a meaningful comparison between ISC and F52 ,Output: keyEO[] we must embed the same message m into the same cover image c using both ISC and F5. After embed-for every bit stegoEO[i] of stegoEO[] ding, we have two stego images: SF5 produced by F5 M[i] = stegoEO[i] ⊕ keyEO[i] and SISC generated by ISC. Both SF5 and SISC presentend for a DCT coefficients histogram different from the c’s original one. What we are interested in is to com- Since Ex2 is identical to the Vernam cipher de- pare the amount of modifications introduced by F5crypting step (mi = ci ⊕ ki , for 1 ≤ i ≤ t), we have that and ISC.ISC extracting process and Vernam cipher decrypting Figure 7 shows the result of such comparison ob-step are equal. tained using a JPEG cover set Cset of 20 images (1024 Eventually, ISC and Vernam cipher are equivalent. x 768, average size 330 KB). In every image of Cset we have embedded a canto from Dante’s Divina Com-5.2 ISC Steganographic Performance media (about 5 KB for each canto) with a JPEG qual- ity factor set to 80. Only for ISC, we also used theThe ISC steganographic performance will be mea- images of Cset as key images.sured by comparing it with the well known F5 algo- The mean difference (in percentage) for every ACrithm (Westfeld, 2001). In order to do this, we will coefficient in the interval [−8, 8] is shown on the y-compare the statistical behaviour of these two algo- axis in Fig. 7, in particular the black columns rep-rithms on the same input set. This will demonstrate resent the differences introduced by F5 embeddingthat ISC withstands both visual and statistical attacks step while the white ones correspond to the number(Westfeld and Pfitzmann, 1999): visual attacks meanthat one can see steganographic messages on the low 2 release 11+
  7. 7. Thus, if the statistical tests used to examine an im- age for steganographic content are known, ISC is ro- bust to them because ISC uses the remaining redun- dant bits to correct statistical deviations created by the embedding step, as suggested in (Provos and Honey- man, 2003). 6 ISC FOR IMAGE SEQUENCES The image based steganographic system illustrated in Figure 7: F5 and ISC comparison. Fig. 4 requires the receiver (Bob) must posses K (i.e., the key image) in order to get M (i.e., the secret mes-of modifications yielded by ISC embedding process. sage). If Alice sends Bob the key image K togetherAs one can notice, the respective difference values are with the stego image S, Wendy could uncover thecomparable. steganographic communication simply applying ISC Em1 is a simplified version of ISC, because actu- extracting ISC spreads M over the entire stego image, yield- A na¨ve solution consists in creating a reserved ıing the same embedding density everywhere. In doing image database shared by Alice and Bob. If Alice andthis, ISC neither uses permutative straddling nor ma- Bob use a new key image for every new message theytrix encoding, but simply divides the nonzero coeffi- send each other, ISC is a theoretically secure crypto-cients array in blocks of the same length. If necessary, graphic algorithm (a sort of ”photographic” one-timeonly one of the coefficients in each block is modified. pad). Unluckily, sooner or later, Alice and Bob will be forced to reuse a key image already sent (the image Furthermore, ISC presents an on-line mechanism database is not infinite).for correcting the statistical deviations created by theembedding step. If the message length is sufficiently A reasonable (and more practical) solution isshort (i.e., it is less than the number of AC nonzero co- shown in Fig. 8 and 9. Instead of sending a singleefficients), ISC transforms useless coefficients in or- image, Alice can send Bob a sequence of JPEG im-der to restore the original statistical properties charac- ages (called stego sequence in Fig. 8). In this way,terizing the cover medium. Alice and Bob can communicate each other sharing only a secret password p (that is, a sort of crypto- As an example, if ISC transforms an AC coeffi- graphic symmetric key). In a similar way it is possiblecient from -1 into -2, when it encounters the first un- to implement the extracting process, as represented inused -2, it transforms this value in -1 in order to re- Fig. 9.equilibrate the histogram. Naturally, the more infor- The above introduced password p must be shortermation we embed in the cover image, the less ISC can than the length of M because p must be as simplecorrect the introduced modifications. as possible (as required by the Kerckhoffs’ desider- ata (Kerckhoffs, 1883)). Thus the password p will beBreaking F5 Fridrich and her group presented a used as input for a pseudorandom number generatorsteganalytic method that does detect images with (PRNG) function, in order to produce a message M(p)F5 content (Fridrich et al., 2002). They estimated as long as the message we want to embed (as requiredthe cover image histogram from the stego image by the Vernam cipher).and compared statistics from the estimated histogram M(p) together with the images of the stego se-against the actual histogram. quence will be used for generating every key image As a result, they found it possible to get a mod- Ki (see Fig. 8). ISC yields the stego sequence (i.e.,ification rate that indicates if F5 modified an image. a set of stego images Si ), through an iterative processF5 can be defeated because it can only decrement shown in Fig. 8.DCT absolute value, giving the chance of predicting Only the first image I1 of the sequence is sentthe histogram value for the stego image. On the con- without any steganographic content.trary, ISC can increase or decrease DCT absolute val- Bob is able to recover the set of messages sent byues indifferently (see algorithm Em1). The decision Alice without sharing with her any image but onlybetween these two possibilities are random for default knowing the secret password p (see Fig. 9).but can also be taken depending on image properties Since p is used as a seed for the PRNG and sinceand statistics. p is reused for every new message, the ISC algorithm
  8. 8. quence is ”unbreakable in practice” (Menezes et al., 1996). 7 Conclusion In this paper we have presented a novel method for integrating in an uniform model cryptography and steganography. We have proven that the presented ISC algorithm is both an effective steganographic method (we made a comparison with F5) as well as a theoretically unbreakable cryptographic one (ISC is an image based one-time pad). The strength of our system resides in the new con- cept of key image. Involving two images (the cover and the key) in place of only one (the cover) we are able to change the cover coefficients randomly. This opportunity does not give a steganalytic tool the chance of searching for a predictable set of modifica- tions. The proposed approach has many applications in hiding and coding messages within standard medias, Figure 8: ISC for JPEG sequences (embedding step). such as images or videos. As future work, we intend to study steganalytic techniques for ISC and to extend ISC to mobile video communication. REFERENCES Fridrich, J., Goljan, M., and Hogea, D. (2002). Steganalysis of jpeg images: Breaking the f5 algorithm. In Proc.of In 5th International Workshop on Information Hiding. Johnson, N. F. and Jajodia, S. (1998). Exploring steganog- raphy: Seeing the unseen. Computer, 31(2):26–34. Kerckhoffs, A. (1883). La cryptographie militaire. Journal des Sciences Militaries, 9th series(IX):5–38. Kharrazi, M., Sencar, H. T., and Memon, N. (2004). Im- age steganography: Concepts and practice. In WSPC Lecture Notes Series. Menezes, A., van Oorschot, P., and Vanstone, S. (1996). Handbook of Applied Cryptography. CRC Press. Provos, N. and Honeyman, P. (2003). Hide and seek: An introduction to steganography. IEEE SECURITY & PRIVACY. Shannon, C. E. (1949). Communication theory of secrecy system. Bell Syst. Tech. J., 28:656–715. Simmons, G. J. (1984). The prisoners’ problem and the Figure 9: ISC for JPEG sequences (extracting step). subliminal channel. In Advances in Cryptology: Pro- ceedings of Crypto 83, pages 51–67. Plenum Press. Westfeld, A. (2001). F5-a steganographic algorithm: Highfor image sequence is not theoretically secure, but it capacity despite better steganalysis. In Proc. 4th Int’lis equivalent to the Vernam cipher that uses a pseudo- Workshop Information Hiding, pages 289–302.random key. Westfeld, A. and Pfitzmann, A. (1999). Attacks on stegano- Likely, since we can assume Wendy has a limited graphic systems. In Proc. Information Hiding 3rd Int’l Workshop, pages 61–76.computational power we can assert ISC for image se-