On the Gold Standard for Security of Universal Steganography

TL;DR

This paper advances the understanding of public-key steganography by designing a universally secure system against SS-CCA for memoryless channels and proving the impossibility of such security for certain channel families.

Contribution

It introduces a universal SS-CCA-secure stegosystem for memoryless channels and establishes fundamental limitations for universal steganography in non-look-ahead models.

Findings

Designed a universal SS-CCA-secure stegosystem for memoryless channels

Proved impossibility of SS-CCA security for certain channel families

Established fundamental limits of universal steganography in non-look-ahead models

Abstract

While symmetric-key steganography is quite well understood both in the information-theoretic and in the computational setting, many fundamental questions about its public-key counterpart resist persistent attempts to solve them. The computational model for public-key steganography was proposed by von Ahn and Hopper in EUROCRYPT 2004. At TCC 2005, Backes and Cachin gave the first universal public-key stegosystem - i.e. one that works on all channels - achieving security against replayable chosen-covertext attacks (SS-RCCA) and asked whether security against non-replayable chosen-covertext attacks (SS-CCA) is achievable. Later, Hopper (ICALP 2005) provided such a stegosystem for every efficiently sampleable channel, but did not achieve universality. He posed the question whether universality and SS-CCA-security can be achieved simultaneously. No progress on this question has been achieved since more than a decade. In our work we solve Hopper's problem in a somehow complete manner: As our main positive result we design an SS-CCA-secure stegosystem that works for every memoryless channel. On the other hand, we prove that this result is the best possible in the context of universal steganography. We provide a family of 0-memoryless channels - where the already sent documents have only marginal influence on the current distribution - and prove that no SS-CCA-secure steganography for this family exists in the standard non-look-ahead model.