Steganography over Redundant Residue Number System Codes

Steganography over Redundant Residue Number System Codes

Journal of Information Security and Applications 51 (2020) 102434 Contents lists available at ScienceDirect Journal of Information Security and Appl...
Download PDF
658KB Sizes 0 Downloads 73 Views
Report

Journal of Information Security and Applications 51 (2020) 102434

Contents lists available at ScienceDirect

Journal of Information Security and Applications journal homepage: www.elsevier.com/locate/jisa

Steganography over Redundant Residue Number System Codes Mohamed Amine Belhamra∗, El Mamoun Souidi Mohammed V University in Rabat, Faculty of Sciences, BP 1014 RP Rabat 10000, Morocco Laboratory of Mathematics, Computer Science, Applications and Information Security, Morocco

a r t i c l e

i n f o

Keywords: Steganography Information Hiding Residue Number System (RNS) Redundant Residue Number System (RRNS) Codes Distortion-less Steganalysis χ 2 Attack Kolmogorov-Smirnov (KS) Attack.

a b s t r a c t In this paper we define steganography over Redundant Residue Number System (RRNS) Codes. We describe distortion-less RRNS based steganographic schemes, analyse their corresponding embedding capacities, discuss their linearity and compare them with well known steganographic protocols. Specifically, we take advantage of the redundancy and correction capacity of these codes to hide secret information in such way that the number of the altered residues does not exceed half the redundancy of the code. © 2019 Elsevier Ltd. All rights reserved.

1. Introduction Steganography is the art and science of imperceptible communications. The term originates from the ancient Greek words stegano and graphein, where the former word means covered or concealed, while the latter means writing. Steganography allows transmitting a secret message through another message, called cover, in such way that the existence of a secret information is not suspected. Distortion, security and embedding capacity are three important factors in steganography. Distortion means that the cover containing secret information should not be distinguishable from the original one (i.e., before embedding secret information). Security implies that the secret message should be undetectable and no one except the eligible recipient should be able to extract it, whereas the embedding capacity is defined as the percentage of the secret bits to the total cover bits. Finding steganographic schemes, with large embedding capacities and minimum distortion for new communication technologies has always been the essence of the information hiding research community. Many steganographic schemes have been proposed in the literature for hiding data in different types of media [41]. Among these schemes, the Least Significant Bits (LSB) technique hides secret messages in the LSB of a bitmap image. LSB causes an imperceptible distortion to the digital image, i, e. without a rigorous comparison between the original image and the altered one, it is hard to see that something has changed in it. The F5 protocol [37] for JPEG compressed images on an other hand was the first implementation of a steganographic scheme based on codes. It ∗

Corresponding author. E-mail addresses: [email protected] [email protected] (E.M. Souidi). https://doi.org/10.1016/j.jisa.2019.102434 2214-2126/© 2019 Elsevier Ltd. All rights reserved.

(M.A.

Belhamra),

permits to hide messages of length k in words of length 2k − 1. Furthermore, in [18] the authors proposed a data hiding technique based on the first order binary Reed-Muller syndrome coding, reducing time complexity from 2m (2m − 1 )2m+1 to 2m (2m − 1 )m binary operations. Recently, distortion-less network steganographic protocols schemes for wireless multicast communications with a high embedding capacity were proposed in [6,8]. These schemes use an efficient implementation for wireless Random Linear Network Codes (RLNC) which can run directly on top of the IEEE 802.11 for Media Access Control (MAC) protocols, known as MORE (MAC independent Opportunistic Routing & Encoding) Protocol. A Residue Number System RNS [36] is a finite integers ring Z(Mk ) defined by k relatively co-prime moduli, m1 , m2 , . . . , mk , such that Mk = ki=1 mi , where integers in [0, Mk − 1] are represented as the corresponding residue digits in each modulus. The main interesting property of RNS is its ability to perform parallel (carry-free) addition, subtraction and multiplication [13,14], leading to high speed and low power consumption. Hence, it makes RNS suitable for use in several research topics such as digital signal processing [10,11] for hardware implementations of RNSbased units (RNS processors), cryptography [1,2,29], edge detection and sharpening of images [35]. As far as we know, the only work using RNS for steganographic purpose is [3]. In this paper the authors propose a technique for data steganography over Voice Over IP (VoIP) using the combination of RNS, Deoxyribonucleic Acid (DNA) sequences and Huffman compressing algorithm is investigated. Moreover, introducing redundancy in RNS (Redundant RNS (RRNS) [33]) has shown interesting capacities in error detection/ correction for fault-tolerant systems, which made it attractive for applications such as computer networks [19,39], data sharing in

2

M.A. Belhamra and E.M. Souidi / Journal of Information Security and Applications 51 (2020) 102434

cloud storage [9,34], distributed data storage systems for Internet of Things (IoT) [12], hybrid memory [16,17] and DNA arithmetic [40]. In [7] we have introduced steganography using RRNS codes by taking advantage from their redundancy, i, e. hiding secrets in residues without exceeding the redundancy length. In this paper we extend the former one by defining steganography over RRNS codes. Explicitly, we propose three schemes. The first scheme embeds secrets as binary sequences, the second one is a linear scheme, which operates over finite field symbols while the third one embeds RNS representations of the secret data. Additionally, we propose algorithms for the embedding and retrieval maps with examples and analyse the complexity of the schemes. Finally, we compare our schemes to other protocols. This paper is organized as follows: In Section 2, we recall some definitions and background about steganography and RRNS. In Section 3, we first describe a binary based steganographic scheme for general RRNS codes and its corresponding embedding capacity. Then we introduce linear steganography for equally sized binary representations. To do so, we define symbol and RNS representation based schemes and their embedding capacities. Finally, we discuss the efficiency of the schemes, compare their corresponding embedding capacities with other protocols and give some steganalysis perspectives. We conclude the paper in Section 4. 2. Definitions and background To make this paper self contained, in this section we recall some definitions of steganographic protocols, Residue Number System (RNS) and Redundant RNS (RRNS). 2.1. Steganography A steganographic protocol is defined as follows. Definition 1 [27]. Let n, k be positive integers with k < n, and let M be a non empty finite set. A steganographic protocol S = (E, R ) of type [k, n] over M is a pair of maps E : Mk × Mn → Mn and R : Mn → Mk such that R(E (s, x )) = s for all s ∈ Mk and x ∈ Mn . Let d be the Hamming distance on Mn . We call the number

 = max{d (x, E (s, x ))|s ∈ Mk , x ∈ Mn }

(1)

the radius of the steganographic protocol S. A steganographic protocol S = (E, R ) of type [k, n], with radius ϱ is noted [k, n, ϱ] for short. The map E is called the embedding map, and it allows to hide a secret of k information symbols (by changing at most ϱ symbols) into a string x of n symbols (the cover). The map R is called the retrieval map, which allows to extract the secret s from x.

Z(Mk ) are computed respectively as k parallel multiplications

xi .yi mod mi , for i = 1, 2, . . . , k. and k parallel additions

xi + yi mod mi , for i = 1, 2, . . . , k. The conversion of the input data X in the RNS format is obtained by computing the integer remainder of the division of X by mi , Xi = X mod mi . The works presented in the literature on this subject can be categorized depending on the class of used moduli: i.e., special moduli sets and general moduli sets. For general moduli sets with dynamic ranges 3 to 8 bits, input converters can be simply implemented by Look-Up Tables (LUT). If n is the number of input bits, the LUT size in terms of number of cells is 2n and the number of bits that are needed for the residue binary coding is



b=

n 



log2 mi ,

(3)

i=1

where  ·  is the Ceil function. In the case of a large n, and consequently, the amount of memory becomes too large, the techniques that can be used are based on the observation that finding a residue of a number with respect to a given modulus is basically obtained by computing modular sums of different combinations of modular powers of two. Usually these techniques are fast and viable if some latency can be tolerated. Generally, for performance reasons the moduli sets are chosen of the form mi = 2r − μi where the μi s are chosen to be small (i.e., μi 2r ). Many options and moduli sets for efficient modulo reduction have been proposed [4]. Now consider ki=1 mi < β T for a given integer T, where β is the radix of the classical representation. It is common in the RNS literature that the conversion from the β representation to RNS using full parallelization in modular adder-multiplier operators can be logarithmic [5], i.e.,

O (RNS ) = O (log(T ))

(4)

where we denote by O (· ) the Landau notation. On the other hand, the conversion from the RNS representation to binary can be accomplished by two different techniques: the Mixed Radix Conversion (MRC) and the Chinese Remainder Theorem (CRT) [26]. The most used technique for high-speed implementations is the CRT which is based on the following reconstruction formula: Given x in RNS representation, computation of X, 0 ≤ X < Mk , can be stated as follows:

X≡

k 

ai .xi

i=1

Mk mod Mk mi

(5)

The scalars ai are computed a-priori by solving the congruence

Remark 1. A good steganographic protocol must have parameters  k, n, ϱ maximizing nk and minimizing n .

ai

2.2. Residue Number System

It is clear from (6) that gcd (ai , mi ) = 1, for i = 1, 2, . . . , k. The CRT computation in (5) can be performed in two steps: Step 1: Compute the permuted residues

A Residue Number System (RNS) is a finite integers ring Z(Mk ) defined by k relatively co-prime moduli, m1 , m2 , . . . , mk , arranged in ascending order (without loss of generality) where Mk = ki=1 mi . An integer X ∈ [0, Mk − 1] in a given RNS is represented by a vector x = (x1 , x2 , . . . , xk ) of length k where

xi ≡ X mod mi , for i = 1, 2, . . . , k.

(2)

RNS expresses a computation in a large integer ring as a direct sum of computations in a number of smaller integers rings. Computations can be carried out in a parallel way. For instance, multiplication and addition of x = (x1 , x2 , . . . , xk ) and y = (y1 , y2 , . . . , yk ) in

Mk ≡ 1 mod mi , i = 1, 2, . . . , k. mi

xi ≡ ai .xi mod mi , for i = 1, 2, . . . , k.

(6)

(7)

Step 2: Compute X as

X≡

k  i=1

xi

Mk mod mi mi

(8)

Computation of X from x necessarily involves large integers as the dynamic range of RNS is large. For the integers ai (i = 1, 2, . . . , k ) in (5), consider the integer T (0 < T < Mk ) such that

T ≡ ai mod mi , for i = 1, 2, . . . , k.

(9)

M.A. Belhamra and E.M. Souidi / Journal of Information Security and Applications 51 (2020) 102434

The integer T can be obtained using the CRT. Stated explicitly,

T ≡

k  i=1

a2i

Mk mod Mk , for i = 1, 2, . . . , k. mi

(10)

It follows from the fact that gcd (ai , mi ) = 1 and (9) that

gcd (T , Mk ) = 1.

(11)

Moreover, the CRT-based RNS-to-Binary conversion is more suitable for parallel computing and it can be performed in

O (CRT ) = O (log(n ))

(12)

2.3. RRNS codes When we expand an RNS representation with the moduli set

{m1 , m2 , . . . , mk } to include r additional residue digits, using this Redundant RNS (RRNS), an (n, k) Maximum Distance Separable (MDS) code can be constructed [24,30]. An RRNS has a basis of n = k + r co-prime moduli {m1 , m2 , . . . , mk , mk+1 , . . . , mn } and a dynamic range of Mn = nj=1 m j . We refer to {m1 , m2 , . . . , mk }, as the information moduli, while {mk+1 , mk+2 , . . . , mk+r } are called the redundant moduli. The interval [0, Mk − 1] of the k information residue digits is called the legitimate range as opposed to the interval [Mk , Mn − 1] due to the r redundant residue digits, which is called the illegitimate range. Let X be an integer within the legitimate range. When the residue digits (x1 , x2 , . . . , xk , xk+1 , . . . , xn ) of X are corrupted, X will be converted to X  = X + E where E represents the error magnitude. X always falls in the illegitimate range if mk+ j > mi for all 1 ≤ i ≤ k and 1 ≤ j ≤ r [14]. Then, by checking the magnitude of X , the errors on the residue digits can be detected and then corrected as stated in the following RRNS theorems. We first provide some definitions from [24]. The weight wt (x) of a code vector x in an RRNS code is defined as the number of non-zero residue digits of x. The distance d(x, x ) between two RRNS code vectors x and x is defined as the number of residue digits positions in which x and x differ. We define the minimum distance d of an RRNS code C as:

d = min{d (x, x ) : x, x ∈ C and x = x },

(13)

where C is defined as the code space. The necessary and sufficient condition for an (n, k)-RRNS code to achieve a minimum distance of d = n − k + 1 is that any of the redundant moduli is larger than the largest non redundant modulus, i.e.,

mk+ j > max{m1 , m2 , . . . , mk }, j = 1, 2, . . . , n − k

(14)

Furthermore, if X is an integer in an (n, k)-RRNS code having a minimum distance d = n − k + 1, then any integer X differing from X in at least one but no more than (d − 1 ) residue digits is erroneous. Now let C be an (n, k)-RRNS code, and let P r = {i1 , i2 , . . . , i j } be a subset of {1, 2, . . . , n}, for some integer 1 ≤ j ≤ n. We denote by XPr , the MPr -projection of X, which is a reduced residue representation of X with the residue digits xi1 , xi2 , . . . , xi j deleted. As an example, the mi -projection Xi can be interpreted as (x1 , x2 , . . . , xi−1 , xi+1 , . . . , xn ), which is the residue representation of X in a reduced RRNS with the ith residue digit xi deleted: n Xi ≡ X mod M m . Hence, the MPr -projection of X is i

XPr ≡ X mod

Mn MPr

(15)

where MPr = l=1 mil and Mn = ni=1 mi . Additionally, let X be an erroneous integer in the (n, k)-RRNS code. If there exists a legitimate integer message X ∈ [0, Mk − 1] differing from X in the ith l j

3

residue digit for integers 1 ≤ l ≤ j and j ≤ (n − k ), then the MPr  is the legitimate number with M =  j m . For projection XPr Pr l=1 il further explanation see [24,30]. RRNS error correction codes are capable of correcting up to t residue digit errors with 2t redundant moduli. The erroneous residue digits are located by inspecting projections of the RRNS codeword. In a nutshell, it can be concluded that the erroneous residue digits are located at modulus channels mi if the corresponding projection have less than or equal to t non-zero elements. Further works have been proposed such as in [33] where the authors proposed an efficient syndrome based RRNS error detection and correction algorithm avoiding full residue-to-binary conversions on the received residue representation. Hence yielding less computation and time complexity. Recently, a new error correction algorithm with computational complexity of tO (log2 (n ) + log2 (m )) is proposed in [38] where m is the geometric average of the mi ’s. 3. Steganographic schemes over RRNS codes Consider an (n, k)-RRNS code C with {m1 , m2 , . . . , mn } such that m1 < m2 < . . . < mn being the set of the n moduli. The legitimate range as stated before, i.e, the interval [0, Mk − 1], represents the useful computational range of the number system [28] whereas the illegitimate range [Mk , Mn − 1], is useful for error and overflow detection [13], where Ml = li=1 mi for l ∈ {1, 2, . . . , n}. Thus, some of the residue digits can be discarded for steganographic purpose as long as the receiver can unambiguously decode the result. In order to send secret information using RRNS codes, we focus on its detection and correction capacities for designing the steganoraphic protocol. Thus, using these abilities, we can design a protocol where the sender may choose a random combination among the residue digits for hiding information, then the receiver using RRNS detections and correction properties can discard cover residue digits and then retrieve the secret data. As stated before, an (n, k)-RRNS code can detect up to (n − k ) residue digit errors or correct up to n−k 2 residue digit errors, where we denote by · the floor function. Alternatively, an (n, k)-RRNS code can correct up to a residue digit errors and simultaneously detect up to b (b > a) residue digit errors, provided that a + b ≤ ( n − k ). The above statement can be developed as follows. Consider the (n, k)-RRNS code stated above, and let X be an integer representing a message which is expressed with the residue digits (x1 , x2 , . . . , xn ) with respect to the above moduli. If the dynamic range of X is [0, ki=1 mi − 1] where k ≤ n, then X can be recovered as long as the residue digit errors does not exceed n−k 2 . That is, based on this property we investigate in the following how to use a number δ (δ ≤ n−k 2 ) of residue digits as cover material to define distortion-less steganography over RRNS codes.

3.1. Notations Given an (n, k)-RRNS code, the binary representation of residue xi , i = 1, 2, . . . , n, is in bi = log2 (mi ) bits. For configurations where the residue digits are equally binaryrepresented in l bits for some non negative integer l, without loss of generality we denote by < m > q , for q = 2l the binary representation of m. i.e., for z ∈ Fl2 let < z > 10 be the decimal integer which has z as binary expression, then 1 ≤< z >10 ≤ 2l − 1. Additionally, we denote by P p = {σ1 , σ2 , . . . , σ|P p | } for an integer p

n! 0 < p < n, the set of the Pn = (n−p )! permutations representing the ordered arrangements of p elements taken from the set {1, 2, . . . , n}. Hence |P p | = Pnp .

4

M.A. Belhamra and E.M. Souidi / Journal of Information Security and Applications 51 (2020) 102434

Now consider a permutation σ ∈ P p . For integers i, j such that 1 ≤ i ≤ n and 1 ≤ j ≤ n−k 2 , we refer to the support of σ by the set:



Iσ = i j : σ (i j ) = i j , i1 < i2 < · · · < i n−k



2

(16)

We refer to elements of Iσ without indices when order is not a necessity. For s = (s1 , s2 , · · · , s n−k ), s j ∈ Fq for j = 1, 2, · · · , n−k 2 , we 2

define the map f( · ) as follows:



f ( xi ) =

for σ (i ) = i for i j ∈ Iσ (i, e.

xi sj

σ ( i j ) = i j )

(17)

Set the zero vector e0 = 0 and ei the ith vector of the canonical basis. For J ⊆ {1, 2, · · · , n}, we define In |J to be the identity matrix In of dimension n from which we remove the ith rows verifying i∈ / J . Furthermore, consider the matrices Au ∈ Mn×u (Fq ) and Bv ∈ Mn (Fq ) given by



Au =

0(n−u )×u Iu



and

(18)





e1  ⎜ e2 ⎟ ⎜ . ⎟ In |[1,v] ⎟ Bv = =⎜ ⎜ .. ⎟ 0v×n ⎝ ev ⎠ 0v×n

(19)

where we denote by the block matrix 0i × j the null (i × j)-matrix for some non zero integers i, j. We denote by Au (resp. Bv ) the matrix with ordered rows (Au )[i] (resp. (Bv )[i]) defined by:



(Au )[i] =

 (Bv )[i] =

e0 ej

eσ ( i ) e0

for σ (i ) = i for i j ∈ Iσ (i, e.

σ ( i j ) = i j )

for σ (i ) = i otherwise,

(20)

(21)

 The secret message s is of length { j∈Iσ } bσ ( j ) bits, divided into parts {s1 , s2 , . . . , s r } where si for i = 1, 2, · · · , 2r is written

2r

2

on bσ (j) bits. And x = (x1 , x2 , . . . , xn ) is the RRNS original cover. In addition, this scheme is distortion-less. Proof. On one hand, for s ∈ Fσ and x ∈ E we obviously have



R(E (s, x )) = R ( f (x1 ), f (x2 ), . . . , f (xn ))







= f ( x1 ), f ( x2 ), . . . , f ( xn ) |Iσ = (s1 , s2 , . . . , s 2r ) since r = n − k. On the other hand, as stated before an (n, k)-RRNS code can correct up to n−k 2 erroneous residues. Hence, a number of residues that does not exceed n−k 2 when used to hide secret information, are considered by the corrector as errors. To generalize this assumption, for each r residues of the Pnr residue permu  tations, corresponds a [ { j∈Iσ } bσ ( j ) , ni=1 bi ]-steganographic protocol S = (E, R ), where bk = log2 (mk ) for k = 1, 2, . . . , n, and σ (.) is one permutation matching the 2r chosen residues for i = 1, 2, . . . , 2r . Finally, the scheme is distortion-less since the receiver can retrieve the original message using RRNS-correction capacities.  Remark 2. It is obvious that using the redundant moduli set to hide data leads to maximal embedding capacity. However, for a user who chooses security over the embedding capacity, using a steganographic scheme with a key (i, e. such as one of the proposed permutations) would be a choice to make.

3.2.1. Algorithms Hereafter we describe the algorithms of the steganographic scheme given in Theorem 1. Let S be a binary array of size max containing secret data. We consider the value max to be shared between the sender and the receiver. Algorithm 1 extracts the amount of b[j] bits starting at iteration t.

3.2. Binary representation based steganographic scheme In this subsection, we introduce our first steganographic scheme using RRNS codes. For this we consider an (n, k)-RRNS code with moduli set {m1 , m2 , . . . , mk , mk+1 , mn=k+r }. Theorem 1. Let an (n, k)-RRNS code defined by its moduli set {m1 , m2 , . . . , mn } with r = n − k redundant moduli. Consider the binary representation < xi > 2 of each residue xi for i = 1, 2, . . . , n on bi = log2 (mi ) bits and set Fσ = F n and E = F2b1 × b 2 { j=1,σ ( j ) = j} σ ( j )

F2b2 × · · · × F2bn . Let σ ∈ P r be a permutation, then there exists  2 [ j∈Iσ bσ ( j ) , ni=1 bi ]-steganographic protocol S = (E, R ) with

E : Fσ × E → E, (s, x ) → ( f (x1 ), f (x2 ), . . . , f (xn ))

a

(22)

where f( · ) is as in (17) and

R:

E x

→ →



(23)

( x )|Iσ

where Iσ is as in (16) and (x )|I is the projection of x on the set σ Iσ .  The radius of the scheme is  = n{ j=1,σ ( j ) = j}bσ ( j ) , and its embedding capacity is



C=

{ j∈Iσ } log2 (mσ ( j ) )

n

i=1

log2 (mi )

%

(24)

Algorithm 1 Extract (S, t, b) extracts and returns an array of b bits from S starting at iteration t. Input: The binary array S (for embedding), iterator t and b the amount of bits to extract.Output: Array of b bits starting at S[t]. Let r[] be an empty array; for i = t − 1, j = 0; i < b + t − 1; i + +, j + + do r[ j] ← S[i] end for return r

Algorithm 2 embeds binary sequences from S via. Extract (S, t, b) using an iterator t in each embedding process, then incrementing it by b to get to the next sequence. In addition, we use the array K[] to record the support of the key permutation for the embedding. We use array B = [log2 (m1 ), log2 (m2 ), · · · , log2 (mn )] to determine for ea-ch residue the corresponding size of the binary sequence. Algorithm 3 uses the binary representation of x[σ [j]] and concatenates it in the array S. The only condition breaking the process is the size of the extracted bits exceeding the maximum size set before max. Algorithm 4 retrieves the binary sequences sequentially and adds it to the array S until the reaching the size l = max + 1.

M.A. Belhamra and E.M. Souidi / Journal of Information Security and Applications 51 (2020) 102434

Algorithm 2 ES (n, σ [1, · · · , n], x[], t ) the embedding algorithm.

Input:Size of codeword n, permutation Key σ= [σ (1 ), σ (2 ), · · · , σ (n )], x[] the binary representation of the (n, k )-RRNS codeword x = (x1 , x2 , . . . , xn ) and iteration t. Output: The cover (n, k )-RRNS codeword with concealed secret data y = [y1 , y2 , . . . , yn ]. Let k ← 0 be an integer; Let K[] be an array of integers; for j = 0; j < n; j + + do if σ [ j]! = j then K[k] ← σ [ j]   b[k] ← B[ j] {B = log2 (m1 ), · · · , log2 (mn ) .} k++ end if end for for j = 0; j < k; j + + do x[K[ j]] ← Extract (S, t, b[ j] ) t ← t + b[ j] end for return x[]

=

{ j∈Iσ } log2 (mσ ( j ) )

n

i=1

log2 (mi )







O ( S ) = O 9n +







n−k (3 + 10log2 (mn ) ) 2



(27)

{i∈Iσ } bσ (i )



(3 + 10log2 (mn ) ) {i∈Iσ } log2 (mσ (i ) )  bpo =  O 9n + n−k

(3 + 10log2 (mn ) ) 2 O 9n + 

n−k 2



3.2.2. Embedding capacity Since we hide data in 2r residues among a total number of n residues, the embedding capacity of the steganographic protocol associated with a permutation key σ is

i=1 bi

(26)

ing O 3n + 5log2 (mn ) n−k 2 . ES and RS algorithms  That nis,   runs approximately in n−k O 6n + −k

( 3 + 5  log ( m )  ) and O 3 n + 5  log ( m ) 

n n 2 2 2 2 respectively. Hence the overall time complexity for the steganographic scheme is

Ce|o =

if l = max + 1 then return S end if for j = 0; j < n; j + + do if σ [ j]! = j then Concat (S, l, x[σ [ j]] ) end if end for

n

 bpo

where bpo denoting the pseudo unit bits per operation time.

Thus,

Input: Size of codeword n, permutation Key σ= [σ (1 ), σ (2 ), · · · , σ (n )], l the current size of S, and x[] the binary representation of the (n, k )-RRNS codeword x = (x1 , x2 , . . . , xn ). Output: Array S.

Ce|b =

{i∈Iσ } log2 (mσ (i ) )

O 9n + n−k

(3 + 10log2 (mn ) ) 2



Algorithm 4 RS (n, σ [1, 2, · · · , n], l, x[] ) the retrieval algorithm of the array S.







binary array S with size l and the bix[] to insert.Input: Concatenates x[σ [ j]] in

{ j∈Iσ } bσ ( j )



Ce|o =

5log2 (mn ) ) . Finally, in Algorithm 4 (RS ) we have a for loop running n times with a repetitive 2 comparisons and an incrementation, and the Concat() algorithm executing precisely n−k 2 , yield-

for i = 0, j = l; x[i]! = Null ; i + +, j + + do S[ j] ← x[i] if j = max + 1 then l = max + 1 print end if end for l ← j+1



Proposition 1. The embedding capacity of the steganographic protocol per operation time is

Proof. of each of Algorithms 1 and 3 is bounded  The complexity  by O 5log2 (mn ) since b[j] ≤ log2 (mn ), the inter-loop starts by 5 instructions then does not exceed 3 afterwards and the breaking if-loop is performed only once. For Algorithm 2 (ES ) we have two for-loops with a repetitive inner comparison and incrementation. The first runs n times with at most 4 instructions, leading to approximatively O (6n ). The second runs n−k 2 times (to sweep the chosen redundant residues), with 2 allocations, 1 in crementation and Algorithm 1 (Extract()), yielding O n−k 2 (3 +

Algorithm 3 Concat (S[], l, x[]) concatenates binary array x[σ [j]] in array S. Input: The nary array S.

5

%

(25)

Furthermore, the embedding capacity per operation time is as follows.

Remark 3. When analysing the complexity of the scheme we only take into consideration our embedding and retrieval maps. If we additionally consider the correction of the n−k 2 errors we may



add the corresponding complexity which is O n−k 2 (log2 (n ) + log2 (

n

i=1 mi

n

 ) as noted before.

Example 1. Let us consider the moduli set {3, 4, 5, 7, 11} where {3, 4, 5} are the information moduli (i, e. the information range is [0,59]) and two redundant moduli 7 and 11 in this (5,3)-RRNS from which we will use residues associated to moduli 11 to hide information. Since b5 = log2 (11 ) = 4, for simplicity we consider a scheme where we want to hide a sequence M of size |M| which is | multiple of 4 bits (i, e. we will need  |M 4  RRNS codewords). Consider the integer message X = 21, having corresponding residue digits X = (0, 1, 1, 0, 10 ) ≡ (00, 001, 001, 000, 1010 ). Hence, if our first 4 bits block to hide in X is  1011 , we embed it as stated in Theorem 1: X = (0 0, 0 01, 0 01, 0 0 0, 1011 ). The erroneous RRNS codeword X ≡ (0, 1, 1, 0, 0), we use the retrieval map defined in (23) to retrieve the secret s = 1011 . For the sake of brevity, we use the {3, 4, 5}-projection (i, e. (x1 , x2 , x3 ) = (0, 1, 1 ) which gives X3,4,5 ≡ 21 mod 60) allowing to recover the original codeword. Remark 4. Note that a residue digit can have different binary representation before and after modulo reduction (e.g., 1011 refers to the digit 11 while 11 ≡ 0 mod 11). However, in our scheme, we are concerned by the binary representation of the residue digits, before taking modulo reduction into consideration. The embedding capacity of this scheme is Ce|b = 26, 6%, and Ce|o ≈ 4, 5 bpo.

6

M.A. Belhamra and E.M. Souidi / Journal of Information Security and Applications 51 (2020) 102434

Furthermore, the receiver can recover the complete original message, thus the scheme is distortion-less. As stated in Theorem 1, the steganographic scheme can be adapted to each permutation of n−k 2 among the n residue digits, as long as the number of the altered residues does not exceed n−k 2 .

Now consider a secret binary sequence s of size |s| = 24 bits, which we arrange in 3 chunks of 8 bits each, i.e., s = (s1 , s2 , s3 ), where si ∈ F28 and | < si >2 | = 8 for i = 1, 2, and 3. Without loss of generality, we can use digit representation for the embedding and retrieval maps:

E (s, x ) = B3 .x + A3 .s



⎜ ⎜ ⎜ =⎜ ⎜ ⎜ ⎝

3.2.3. Symbol based linear steganographic scheme Hereafter, we propose a linear steganogaphic scheme using RRNS codes. Theorem 2. Given an (n, k)-RRNS code for which the residue digits are coded in an equally sized binary representation of l bits, set v = n−k 2 and let σ be a chosen permutation in Pv . For every (n, k)-RRNS code, there exist a distortion-less linear steganographic protocol S (resp. E, R) of type [v, n] over Fq such that:

E : Fvq × Fnq (s, x ) R : Fnq x

→  →

Fnq Bv .x + Av .s

n−k

2 n

In |[n−v,n] .x

%

(30)

Proof. Firstly, R is obviously linear and

R(E (s, x )) = In |[n−v,n] .(xσ (v+1) , xσ (v+2) , . . . , xσ (n ) , s1 , s2 , . . . , sv ) = s Secondly, the RRNS codeword is correctable since v does not exceed n−k 2 . Finally, the original message is completely retrievable and hence the scheme is distortion-less.  3.2.4. Embedding capacity The embedding capacity of the scheme of Theorem 2 is

Ce|b =

n−k

2 n

%

(31)

and

Ce|o =



O 9n +

n−k 2

n−k

2  r po

(3 + 10log2 (mn ) )

(32)

Since the number of bits l = log2 (mn ) we have

Ce|o = l

0 0 1 0 0 0

03×9

0 0 0 1 0 0

0 0 0 0 1 0

0 0 0 0 0 1

0 0 0 0 0 0

0 0 0 0 0 0



0 0⎟ 0⎟ ⎟ 0⎟ ⎟x 0⎟ ⎠ 0

⎞ 0 1 0

0⎟ s 0⎠ 1

R(x ) = I9 |{7,8,9} × x. (29)

where Av and Bv are respectively as in (18) and (19), and In |[n−v,n] as defined in Subsection 3.1. With a radius  = l × v and embedding capacity

C=

0 1 0 0 0 0

06×3 ⎜ 1 +⎝ 0 0

(28)

Fvq

→  →



1 0 0 0 0 0

n−k

2  bpo n−k O 9n + 2 (3 + 10l ) 

(33)

Once again, if we wish to consider correction of the altered residues we   may add the corresponding complexity n−k 2 O log2 (n ) + l . Remark 5. In our scheme we proposed a 2-block matrix for the embedding process to simplify (i, e. 0-block and the σ permutation block for both A n−k and B). We could use these 2

permutations as well while keeping the order of the residue digits as we will see in the RNS-representation based steganographic scheme. Example 2. We consider the configuration given in [22] whi-ch has the strongest error properties with a code rate of 0.33 comparing to other RRNS-configurations such as (5, 3)-RRNS, (8, 6)-RRNS, (10, 6)-RRNS, and (12, 6)-RRNS codes. That is, (n, k ) = (9, 3 ), l = 8 bits and the chosen moduli set is {229, 233, 239, 241, 247, 251, 253, 255, 256}.

The embedding capacity of this scheme is Ce|b = 39ll = 33.3% Finally, since the receiver (and no third-party) can perfectly recover both the secret and the original data as stated before, the scheme is distortion-less. 3.2.5. RNS representation based steganographic scheme Considering an (n, k)-RRNS code where the information and redundant moduli sets are respectively {m1 , m2 , . . . , mk } and {mk+1 , mk+2 , . . . , mn=k+r }, for every codeword x = (x1 , x2 , · · · , xn ) where xi is the corresponding residue digit to moduli mi , we denote by Mi for 1 ≤ i ≤ n, the set of integers in interval [0, mi − 1]. Thus, every (n, k)-RRNS codeword x belong to the set M = ni=1 Mi . Additionally, for a given permutation σ ∈ Pv for v = n−k 2 we consider the moduli set {mσ ( j ) , j ∈ Iσ } upon which we construct a corresponding RNS representation for integers X ∈ [0,  j∈Iσ mσ ( j ) − 1]. Hence, for j ∈ Iσ :

xσ ( j ) ≡ X mod mσ ( j ) Similarly to (n, k)-RRNS codes, the corresponding RNSrepresentation codewords x = (xσ ( j ) ){1≤ j≤v, i j ∈Iσ } belong to the set MIσ =  j∈Iσ Mσ ( j ) . Theorem 3. Let C be an (n, k)-RRNS code, σ in Pv a permutation with v = n−k 2 . There exist a distortion-less linear RNS-based steganographic protocol S (E, R ) of type [v, n] over Fq such that:

E : MIσ × M (s, x )

→ →

M, Bv .x + Av .s,

(34)

where Av and Bv are respectively as in (20) and (21).

R:M x

→ →

MIσ , In |{1≤ j≤v, i ∈Iσ } .x,

with radius  =



C=



{ j∈Iσ } bσ ( j )

n

i=1

bi

(35)

j

{ j∈Iσ } bσ ( j ) and embedding capacity

%,

(36)

Proof. (Linearity is obvious) We have

R(E (s, x )) = R(Bv .x + Av .s ) = In |{1≤ j≤v,

i j ∈Iσ }

.(Bv .x + Av .s )

= ( s1 , s2 , · · · , sv ) =s

M.A. Belhamra and E.M. Souidi / Journal of Information Security and Applications 51 (2020) 102434

(Error correction) Taking parameters a and b as a = v = n−k 2 and b = 0 satisfy the error correction condition a + b ≤ n−k

, hence 2 the error is correctable. (Distortion-less) Finally, correcting the RRNS codeword assures the recovery of the original message with no distortion. 

3.2.6. Embedding capacity Proposition 2. The embedding capacity of the scheme of Theorem 3 is

Ce|b =

n−k

2 n

%,

(37)

Furthermore, the embedding capacity in bits per operation time is:

Ce|o = l 

n−k

2 bpo n−k 9n + 2 (3 + 10l ) + O (log(T )) + O (log( n−k

)) 2 

(38) Proof. Since we use an equally sized binary representation, the n−k

embedding capacity of the scheme remains Ce|b = n2 . Furthermore, in addition to the embedding and retrieval algorithms we have two conversions, the Binary-To-RNS (from [0, i=1 mi [ to MIσ ) conversion and the CRT conversion (from MIσ to [0, i=1 mi [).

Ce|o =

n−k

2 r po O (S ) + O (CRT n−k ) + O (RNS n−k ) 2 2

Hence our ordered matrices are as follows:



0 ⎜1 ⎜0 ⎜ ⎜0 ⎜ A3 = ⎜ ⎜0 ⎜0 ⎜ ⎜0 ⎝0 0





0 0 0 0 0 1 0 0 0

1 ⎜0 ⎜0 ⎜ ⎜0 ⎜  and B3 = ⎜ ⎜0 ⎜0 ⎜ ⎜0 ⎝0 0

0 0⎟ ⎟ 0⎟ 0⎟ ⎟ 0⎟ ⎟ 0⎟ ⎟ 1⎟ ⎠ 0 0

0 0 0 0 0 0 0 0 0

0 0 1 0 0 0 0 0 0



1 ⎜0 ⎜0 ⎜ ⎜0 ⎜   E (s, x ) = B3 .x + A3 .s = ⎜0 ⎜0 ⎜ ⎜0 ⎝ 0 0

2

2

and the CRT conversion as in (4) O (CRT n−k ) = 2

R(x ) = I9 |{2,6,7} × x.

n−k

2  Ce|o =  r po n−k 9n + 2 (3 + 10l ) + O (log(T )) + O (log( n−k

)) 2 (40) Hence Ce|o = l 



n−k 2

9n+ n−k

(3+10l ) +O (log(T ))+O (log( n−k

)) 2 2

bpo



Finally, the induced error correction complexity is n−k 2 O log2 (n ) + l . Example 3. Using the (9, 3)-RRNS code given in Example 2 , consider the permutation key σ =  1 2 3 4 5 6 7 8 9 . Thus,  j∈Iσ mσ ( j ) = 1 6 3 4 5 7 2 8 9 233 × 251 × 253 = 14796199. Now consider a secret s ∈ [0, 14796198[ with (233,251,253) RNS representation (s2 , s6 , s7 ), where si = s mod mi for i = 2, 6 and 7. We have respectively, as stated in (20) and (21), for i ∈ {1, 2, , 9}  e for σ (i ) = i (A3 )[i] = 0 ej for i j ∈ Iσ and (B3 )[i] =



eσ ( i ) e0

for σ (i ) = i otherwise,

0 0 0 0 0 0 0 0 0

0 0 0 0 0 0 0 0 0



(39)

O (log( n−k 2 )). Set l = log2 (mn ), hence

0 0 0 0 1 0 0 0 0



spectively of the steganographic scheme as in (27), the Binary to-RNS conversion O (RNS n−k ) = O (log(T )) where T satisfies

ni=1 mi < β T

0 0 0 1 0 0 0 0 0

0 0 0 0 0 0 0 0 0

0 0 0 0 0 0 0 1 0



0 0⎟ ⎟ 0⎟ 0⎟ ⎟ 0⎟ ⎟ 0⎟ ⎟ 0⎟ ⎠ 0 1

Hence, the embedding and retrieval maps are:

where O (S ), O (RNS n−k ) and O (CRT n−k ) are the complexities re2

7

0 ⎜1 ⎜0 ⎜ ⎜0 ⎜ + ⎜0 ⎜0 ⎜ ⎜0 ⎝ 0 0

0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0

0 0 0 1 0 0 0 0 0



0 0 0 0 1 0 0 0 0

0 0 0 0 0 0 0 0 0

0 0 0 0 0 0 0 0 0

0 0 0 0 0 0 0 1 0



0 0⎟ 0⎟ ⎟ 0⎟ ⎟ 0⎟x 0⎟ ⎟ 0⎟ ⎠ 0 1

0 0⎟ 0⎟ ⎟ 0⎟ ⎟ 0⎟s. 0⎟ ⎟ 1⎟ ⎠ 0 0

The embedding capacity of this scheme is Ce|b = 39ll = 33.3%. Finally, since the receiver (and no third-party) can perfectly recover both the secret and the original data as stated before, the scheme is distortion-less. 3.3. Efficiency and comparison For the sake of simplicity, we consider here schemes for which the residue digits are equally binary represented. As in (33), for the symbol-based steganographic scheme we have

Ce|o = l

n−k

2  bpo, n−k O 9n + 2 (3 + 10l ) 

and for the RNS based scheme in (39):

Ce|o = l 

9n +

n−k 2

n−k

2 bpo

(3 + 10l ) + O (log(T )) + O (log( n−k

)) 2 

(41) Hence, if we consider the (9,3)-RRNS code with l = 8 bits as given in Examples (2) and (3), using a 1GHz single core processor, the embedding capacities for both linear schemes are respectively ≈ 73Mbs−1 for the symbol based scheme, and for the RNS based

8

M.A. Belhamra and E.M. Souidi / Journal of Information Security and Applications 51 (2020) 102434

scheme, we have 233 × 251 × 253 = 14796199 < 224 = 16777216. That is, we set the complexity of the RNS conversion as O (log(24 )), i.e., ≈ 72Mbs−1 . In the following we rather compare secret channel capacity of an RRNS-based network steganographic scheme using Ad-hoc On-demand Multipath Distance Vector (AOMDV) with some well known schemes. We consider here a communication-based RRNS code such as in [19] where the authors propose to use RRNS codes into a modified version of AOMDV for Mobile/Vehicular Ad-hoc Networks (MANETs/VANETs). The AOMDV uses the IEEE 802.11n and hence is based on the Orthogonal Frequency Division Multiplex (OFDM). The total single OFDM symbol transmission time (Tsym = Tu + TCP ) where Tu is the useful part of the symbol and TCP the duration of the Guard Interval (GI) which is inserted between each pair of symbols and consists in copying the ending part of each OFDM symbol and adding that copy in front of that symbol (which takes a TCP from the Tu ). Moreover, we consider a similar configuration to the one given in [15], i.e., using the most basic IEEE 802.11n modulation and coding scheme which uses BPSK modulation, code rate 12 and 20 MHz channels. In this case Tsym = 4μs and the Cyclic Prefix CP (i.e., the GI) has a transmission time TCP = 0, 8μs. There are SR = 250.0 0 0 OFDM symbol per second transmitted, each symbol carries 52 coded bits (NCBPS ) and half of them are data bits (NDBPS ). Then, the achieved network throughput is 6, 5 Mb/s. In the case of BPSK modulation, the useful part of the OFDM symbol (Tu = 3.2μs) carries 52 bits. Since in this case we have NDBPS = 26 data bits, to exploit the whole capacity we may have two options. We can either use large moduli set on l = 26 bits which may be cumbersome in some scenarios, or we can simply concatenate residues in the same moduli in one symbol, e.g., for our example if we use the moduli set on l = 8 bits we can concatenate using 3 RRNS codewords say x, y and z, 3 residues corresponding to each mi for i = 1, 2, . . . , n in one symbol, i.e., < xi > 2 || < yi > 2 || < zi > 2 where we denote by < xi > 2 the binary representation of xi and by ||, the concatenation operator. We can use the same approach for the other modulations. Now if we consider only one stable route (i.e., a one sender, one receiver and a 100% delivery rate as in [15]) and a (9,3)-RRNS code taking into account its corresponding error rate 33%, the capacity of the secret channel will be:

C = NCBPS ×

Tu − TCP × SR × 33% Tu

(42)

That is, C = 3, 251 Mb/s which is equal to the capacity of the CP-scheme (the scheme in [15]). Remark that Tu = 4TCP = 3, 2μs (i.e., Tu − TCP = 3TCP ), hence when multiplying in (42) by 33% we

T

have C = NCBPS × TCP × SR which is exactly the channel capacity of u the CP-scheme. Furthermore, if the used canal has good propagation conditions the OFDM cyclic prefix used in this case is divided by two, i.e., TCP = 0, 4μs rather than TCP = 0, 8μs which obviously divides the channel capacity of the CP-scheme by two for all modulations (BPSK, QPSK, 16-QAM and 64-QAM), while for our scheme the capacity for each modulation becomes: • C = 3, 8 Mb/s for BPSK. • C = 7, 58 Mb/s for QPSK. • C = 15, 17 Mb/s for 16-QAM. • C = 22, 8 Mb/s for 64-QAM. Finally, even though we used a one sender one receiver Ad-Hoc network, the scheme stays as efficient as the CP-scheme for bad propagation conditions while for good ones, the channel capacity of our scheme exceeds more than twice that of the CP-scheme. Remark 6. Note that the AOMDV is a routing protocol which uses multiple routes for sending packets instantly. That is, if we consider multiple nodes (and hence multiple routes) in the network, the channel capacity will be obviously much more interesting even though the delivery rate is generally not optimal. In Table 1 we give a comparison with some well known network steganographic protocols [15,25,31,32], where WLAN/HW stands for Wireless Local Area Networks/ Hardware Wi-Fi based implementations, IEEE 802.11 specifies the set of Media Access Control (MAC) and physical layer (PHY) protocols for implementing (WLAN) Wi-Fi communications, and SS for Spectrum Selection. 3.4. Steganaysis perspective Even though a complete steganalysis of the schemes is beyond the scope of this work, we discuss in the following possible attacks and give two examples of different statistical attacks on two suspicious characteristics, namely the indices (from 1 to n) of the residue digits used for the embedding on one hand, and on the other hand, the number of the altered residue digits. Then we give a perspective solutions to counter these attacks. Steganalysis is the science of detecting the existence of embedded secret information, classified into specific and general detection categories. The specific detection methods target specific steganographic systems, and consists of subjective and statistical methods. The subjective methods make use of human eyes to look for suspicious artefacts, while statistical methods (such as the chi-square test) perform mathematical analysis in order to find statistical differences between the altered and non-altered messages. In order to understand the adversary’s attack, one have to distinguish between the following scenarios [21]. If the presence of

Table 1 Comparison with some steganographic scheme. Our scheme is as efficient as the CP-scheme in bad propagation conditions (TCP = 0, 8μs) and twice more efficient in good propagation conditions (TCP = 0, 4μs). Channel Covert

Used carrier

Embedding capacity in bps

WLAN/HW WLAN/HW WLAN/HW Network/SS

IEEE 802.11 FCF [23] IEEE 802.11 [31] IEEE 802.11 Padding [32] VoIP stream payload [25]

16,8 216K 1, 1M for data frames, 0, 44M for ACKs 32K

WLAN/HW

IEEE 802.11 Cyclic prefix [15]

For TCP = 0, 8μs: 3,25 M (BSPK), 6,5 M (QPSK), 13,0 M (16-QAM) and 19,5 M (64-QAM) For TCP = 0, 4μs: 1,625 M (BSPK), 3,25 M (QPSK),6,5 M (16-QAM) and 9,75 M (64-QAM)

WLAN/HW Ad-Hoc Networks (Our scheme)

IEEE 802.11 AOMDV based (9,3)-RRNS codes l = 8 bits, moduli set {229, 233, 239, 241, 247, 251, 253, 255, 256}.

For TCP = 0, 8μs: 3,25 M (BSPK), 6,5 M (QPSK), 13,0 M (16-QAM) and 19,5 M (64-QAM) For TCP = 0, 4μs: 3,8 M (BSPK), 7,58 M (QPSK), 15,17 M (16-QAM) and 22,8 M (64-QAM)

M.A. Belhamra and E.M. Souidi / Journal of Information Security and Applications 51 (2020) 102434

a steganographic protocol and its structure and functionality are known to the adversary, it is easy to detect the covert communication. However, if the adversary has no knowledge of the protocol, and only knows its existence, he can inject random noise, or reverse engineer the protocol. On another hand, if the protocol is known but not detected, a blind attack can be performed by sending disruptive commands to terminate the communication. And finally, if the adversary has no information at all, then no specific attack on the steganographic scheme is possible. In contrast to protocols inducing vulnerabilities to the human eye such as image based information hiding techniques, subjective attacks are not a problem for our schemes since we use plain binary represented algebraic codes. Moreover, the no-distortion property of theses schemes makes the non generic attacks less performing than the generic ones. Hence only generic statistical attacks are of interest in the following. In the proposed steganographic schemes, using precisely n−k 2 and the same residue digits at each communication round is obviously sufficient to sense the existence of a covert communication channel via statistical attacks. Hereafter we discuss two statistical tests, namely the χ 2 (chi-square) and the Kolmogorov-Smirnov (KS) tests respectively for both the vulnerabilities given above. The χ 2 (chi-square) test is a statistical test for detecting randomness, based on the differences between the expected number of some chosen event occurrences and its real values, i.e., the purpose of the test is to evaluate how likely the observations that are made would be, assuming the null hypothesis is true. In our case, if we consider for example, an amount of residue digits and their associated moduli set {m1 , m2 , . . . , mn }. Then we take a random sample and their status recorded as “erroneous” or “not erroneous”. Additionally, denote by pie the probability that the ith residue digit is erroneous and by pio its observed average, then the sum of

( pio −pie )2 pie

over all the residues is the test statistic.

Under the null hypothesis, it has approximately a χ 2 distribution. Accordingly, the test statistic will be large and hence the null hypothesis of independence would be rejected (i, e. existence of a covert communication channel). Furthermore, a more interesting attack that could be used is the Kolmogorov-Smirnov (KS) test [20]. KS test verifies the hypothesis that a sample is Independent and Identically Distributed (iid) with a given distribution function F (one-sample KS test), or that two samples are drawn from the same distribution (two-sample KS test). A low KS test statistic means that the distributions are similar, whereas a high KS test statistic means the distributions are different. KS test is applicable to a variety of types of data with different distributions, including mixed or purely discrete ones. That is, suppose in the following that X = [X1 , X2 , . . . , Xs ] to be a series of s variables with values x1 , x2 , . . . , xs , and Fs (x) be the empirical cumulative distribution function of X, i, e.:

number of Xi ’s ≤ x Fs (x ) = s

(43)

Hence the statistic defined by:

Ds = supx |Fs (x ) − F (x )|

(44)

has the (KS) distribution, where supx is the least upper bound of the set of distances. Now if we consider F to be the distribution function of variable X = “The number of the altered residues in a received RRNS codeword”, where the distribution function for variable X is defined as F ( x ) = P ( X ≤ x ). In this case we test the hypothesis: H0 : “The samples Xi ’s are iid random variables with distribution function F”.

9

That is, we reject H0 if Ds > d{s,1−α} where d{s,1−α} is the (1 − α ) quantile of the KS distribution. Here α is the significance level of the test (i.e., probability of rejecting H0 given that H0 is true). Now to define our distribution function we have two possibilities: (i) We consider the event E: “The received residue is erroneous”. Events E are iid and with constant average rate. Hence, the distribution of our events can be modelled as a Poisson process. Specifically, the Poisson distribution probability mass function is:

P (x errors in the set of received residues R ) = e−λ

λk k!

(45)

where the parameter λ refers to the expected number of events E’s in the set. Then we can use some samples of received residues of sufficiently large number s, and use them to set a reasonable value ds,1−α . (ii) The other possibility is to directly use the two-sample KS test. i.e., we take sufficiently large ordinary (with no secret embedding) samples of received residues then take the largest corresponding value ds . This attack is proven to be very effective in case the altered residue digits trigger a positive test, i.e., P (Ds > ds,1−α ) > α . Thus, when suspecting the existence of a secret channel, an adversary can easily find a high statistic when using naively the steganographic schemes. In both tests we can point out two problems to solve. The first and simplest one is that the altered residues must be randomly and uniformly distributed according to the moduli set, i.e., we can use a simple random generator to construct multiple key permutations, i.e., choosing randomly and uniformly generated residues in the set {1, , n}. The second one related to the proposed KS-test, is that the sample s containing secret information must not verify Ds > ds,1−α . To satisfy this condition, one direct solution is to take the maximum distance value ds obtained in the two-sample KS testing, then use an adapted scheme for which the corresponding sample will not trigger a positive test. i.e., for the samples tested before S = {s1 , s2 , · · · , sl } for some positive integer l, we take respectively for each phase p ∈ {1, 2, · · · , ns } the variables Fmax and Fmin verifying Fmax = maxsi ∈S Fsi ( pn ) and Fmin = minsi ∈S Fsi ( pn ) were Fs ( · ) is as defined by (43). Then we determinate t p = Fsmax ( pn ) − Fsmin ( pn ) the number of residue digits in a pn sample in which we can embed secret data without altering the test. Finally, the used technique assures that the altered residues are distributed randomly with almost surely the same distribution of the previous samples. 4. Conclusion Introducing redundancy in RNS brought new error correction perspectives for fault tolerant systems such as computer networks, data sharing in cloud storage, distributed data storage systems for IoT and hybrid memory, giving rise to possibilities of defining new secret communication channels. In this paper we have introduced RRNS based information hiding by defining distortion-less steganography over RRNS codes. We saw how efficient the corresponding schemes are and compared them with some well known protocols before analysing their vulnerabilities. Declaration of Competing Interest The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

10

M.A. Belhamra and E.M. Souidi / Journal of Information Security and Applications 51 (2020) 102434

Supplementary material Supplementary material associated with this article can be found, in the online version, at doi:10.1016/j.jisa.2019.102434 References [1] Antao S, Sousa L. The CRNS framework and its application to programmable and reconfigurable cryptography. TACO 2013;9(4):33:1–33:25. doi:10.1145/ 2400682.2400692. [2] Asif S, Hossain MS, Kong Y, Abdul W. A fully RNS based ECC processor. Integration 2018;61:138–49. doi:10.1016/j.vlsi.2017.11.010. [3] Azizifard A, Qermezkon M, Postizadeh T, Barati H. Data steganography on VoIP through combination of residue number system and DNA sequences. Journal of Advances in Computer Research 2014;5(2):7–22. [4] Bajard J, Kaihara ME, Plantard T. Selected RNS bases for modular multiplication. In: 19th IEEE Symposium on Computer Arithmetic, ARITH 2009, Portland, Oregon, USA, 9-10 June 2009; 2009. p. 25–32. doi:10.1109/ARITH.2009.20. [5] Bajard J-C, Plantard T. RNS bases and conversions. In: Advanced Signal Processing Algorithms, Architectures, and Implementations XIV, 5559; 2004. p. 60–9. doi:10.1117/12.557891. [6] Belhamra MA, Souidi EM. A steganogaphic scheme for MAC-independent opportunistic routing and encoding (MORE) protocol. In: Proceedings of the 15th International Joint Conference on e-Business and Telecommunications, ICETE 2018 - Volume 2: SECRYPT, Porto, Portugal, July 26-28, 2018.; 2018. p. 254–64. doi:10.5220/0 0 06852302540264. [7] Belhamra MA, Souidi EM. Introduction to steganography in RRNS based communications. In: Proceedings of the 2nd International Conference on Networking, Information Systems & Security. ACM; 2019. p. 21:1–21:7. doi:10.1145/ 3320326.3320353. [8] Belhamra MA, Souidi EM. Steganogaphy using Mac-independent opportunistic routing and encoding (MORE) protocol based communications. E-Business and Telecommunications. Communications in Computer and Information Science, 1118. Springer International Publishing; 2019. p. 66–86. doi:10.1007/ 978- 3- 030- 34866- 3_4. [9] Celesti A, Fazio M, Villari M, Puliafito A. Adding long-term availability, obfuscation, and encryption to multi-cloud storage systems. J Network and Computer Applications 2016;59:208–18. doi:10.1016/j.jnca.2014.09.021. [10] Chang C-H, Molahosseini AS, Zarandi AAE, Tay TF. Residue number systems: A new paradigm to datapath optimization for low-power and high-performance digital signal processing applications. IEEE circuits and systems magazine 2015;15(4):26–44. [11] Chen J, Hu J. Energy-efficient digital signal processing via voltage-overscaling-based residue number system.. IEEE Trans VLSI Syst 2013;21(7):1322–32. [12] Chervyakov NI, Babenko MG, Tchernykh A, Kucherov NN, Miranda-López V, Cortés-Mendoza JM. AR-RRNS: configurable reliable distributed data storage systems for internet of things to ensure security. Future Generation Comp Syst 2019;92:1080–92. doi:10.1016/j.future.2017.09.061. [13] Etzel M, Jenkins W. Redundant residue number systems for error detection and correction in digital filters. IEEE Transactions on Acoustics, Speech, and Signal Processing 1980;28(5):538–45. [14] Goh VT, Siddiqi MU. Multiple error detection and correction based on redundant residue number systems. IEEE Trans Communications 2008;56(3):325–30. doi:10.1109/TCOMM.2008.050401. [15] Grabski S, Szczypiorski K. Steganography in OFDM symbols of fast IEEE 802. 11n networks. In: 2013 IEEE Symposium on Security and Privacy Workshops, San Francisco, CA, USA, May 23-24, 2013; 2013. p. 158–64. [16] Haron NZ, Hamdioui S. Using RRNS codes for cluster faults tolerance in hybrid memories. In: 2009 24th IEEE International Symposium on Defect and Fault Tolerance in VLSI Systems; 2009. p. 85–93. doi:10.1109/DFT.2009.37. [17] Haron NZ, Hamdioui S. Redundant residue number system code for faulttolerant hybrid memories. J Emerg Technol Comput Syst 2011;7(1):4:1–4:19. doi:10.1145/1899390.1899394. [18] Jouhari H, Souidi EM. A new steganographic scheme based on first order reed muller codes - A new steganographic scheme. In: SECRYPT 2011 - Proceedings of the International Conference on Security and Cryptography, Seville, Spain, 18 - 21 July, 2011, SECRYPT is part of ICETE - The International Joint Conference on e-Business and Telecommunications; 2011. p. 351–6. [19] Junior JA, Nascimento LFL, Albini LCP. Using the redundant residue number system to increase routing dependability on mobile ad hoc networks. Journal of Selected Areas in Telecommunications (JSAT) 2011;4:67–73. [20] Justel A, Peña D, Zamar R. A multivariate kolmogorov-smirnov test of goodness of fit. Statistics & Probability Letters 1997;35(3):251–9. doi:10.1016/ S0167-7152(97)0 0 020-5. [21] Kaur J, Wendzel S, Meier M. Countermeasures for covert channel-internal control protocols. In: 10th International Conference on Availability, Reliability and Security, ARES 2015, Toulouse, France, August 24-27, 2015; 2015. p. 422–8. doi:10.1109/ARES.2015.88. [22] Keller T, Liew T-H, Hanzo L. Adaptive redunant residue number system coded multicarrier modulation. IEEE Journal on Selected Areas in Communications 20 0 0;18(11):2292–301.

[23] Krätzer C, Dittmann J, Lang A, Kühne T. WLAN steganography: a first practical review. In: Proceedings of the 8th workshop on Multimedia & Security, MM&Sec 2006, Geneva, Switzerland, September 26-27, 2006; 2006. p. 17–22. [24] Krishna H, Lin K-Y, Sun J-D. A coding theory approach to error control in redundant residue number systems. i. theory and single error correction. IEEE Transactions on Circuits and Systems II: Analog and Digital Signal Processing 1992;39(1):8–17. [25] Mazurczyk W, Szaga P, Szczypiorski K. Using transcoding for hidden communication in IP telephony. Multimedia Tools Appl 2014;70(3):2139–65. [26] Mohan PVA. Residue Number Systems: Theory and Applications. Springer International Publishing; 2016. ISBN 9783319413853. [27] Munuera C. Steganography and error-correcting codes. Signal Processing 2007;87(6):1528–33. doi:10.1016/j.sigpro.2006.12.008. [28] Orton GA, Peppard LE, Tavares SE. New fault tolerant techniques for residue number systems. IEEE Trans Computers 1992;41(11):1453–64. doi:10.1109/12. 177315. [29] Sousa L, Antao S, Martins P. Combining residue arithmetic to design efficient cryptographic circuits and systems. IEEE Circuits and Systems Magazine 2016;16(4):6–32. [30] Sun J-D, Krishna H. A coding theory approach to error control in redundant residue number systems. ii. multiple error detection and correction. IEEE Transactions on Circuits and Systems II: Analog and Digital Signal Processing 1992;39(1):18–34. [31] Szczypiorski K. Steganography in TCP/IP networks. State of the Art and a Proposal of a New System–HICCUPS, Institute of Telecommunications’ seminar, Warsaw University of Technology, Poland; 2003. [32] Szczypiorski K, Mazurczyk W. Steganography in IEEE 802. 11 OFDM symbols. Security and Communication Networks 2016;9(2):118–29. [33] Tay TF, Chang C. A non-iterative multiple residue digit error detection and correction algorithm in RRNS. IEEE Trans Computers 2016;65(2):396–408. doi:10. 1109/TC.2015.2435773. [34] Tchernykh A, Babenko MG, Chervyakov NI, Miranda-López V, Kuchukov VA, Cortés-Mendoza JM, et al. AC-RRNS: anti-collusion secured data sharing scheme for cloud storage. Int J Approx Reasoning 2018;102:60–73. doi:10.1016/ j.ijar.2018.07.010. [35] Vassalos E, Bakalis D, Vergos HT. RNS assisted image filtering and edge detection. In: 18th International Conference on Digital Signal Processing, DSP 2013, Fira, Santorini, Greece, July 1-3, 2013; 2013. p. 1–6. doi:10.1109/ICDSP.2013. 6622821. [36] Watson RW, Hastings CW. Self-checked computation using residue arithmetic. Proceedings of the IEEE 1966;54(12):1920–31. [37] Westfeld A. F5-A steganographic algorithm. In: Information Hiding, 4th International Workshop, IHW 2001, Pittsburgh, PA, USA, April 25-27, 2001, Proceedings; 2001. p. 289–302. doi:10.1007/3- 540- 45496- 9_21. [38] Xiao H, Garg HK, Hu J, Xiao G. New error control algorithms for residue number system codes. ETRI Journal 2016;38(2):326–36. doi:10.4218/etrij.16.0115. 0575. [39] Ye R, Boukerche A, Wang H, Zhou X, Yan B. Resident: a reliable residue number system-based data transmission mechanism for wireless sensor networks. Wireless Networks 2018;24(2):597–610. [40] Zheng X, Wang B, Zhou C, Wei X, Zhang Q. Parallel dna arithmetic operation with one error detection based on 3-moduli set. IEEE transactions on nanobioscience 2016;15(5):499–507. ´ [41] Zielinska E, Mazurczyk W, Szczypiorski K. Trends in steganography. Commun ACM 2014;57(3):86–95. doi:10.1145/2566590.2566610. Mohamed Amine BELHAMRA received his Master’s degree in networks and information systems in 2014 from the Faculty of sciences and Techniques in Settat, Morocco. He is currently pursuing a PhD degree at the Faculty of Sciences, Mohammed V University in Rabat, Morocco. His research interests include Network Coding, information security and digital forensics. Email: [email protected].

El Mamoun SOUIDI is currently a Professor in the department of computer science at Mohammed V University in Rabat, Morocco. His current research interests include algebra, information security, cryptography and steganography code-based. Souidi holds a Doctorat d’Etat degree in mathematics in 2002 from the same university. Email: [email protected].