CHAPTER 2

STEGANOGRAPHY

14
2.1 Definition

Steganography refers to a process (art and science) of concealed communication.

The term steganography is derived from two Greek words steganos ("covered or
protected"), and graphei ("writing").[3]

This is an ancient technique used by many people including kings to communicate

protected message to intended recipient. Most of the time except sender and receiver
no one else know about existence of such message. It is very powerful technique to
share critical messages as there are less chances of disclosure of the content.

15
2.1 How it works?

As the name suggest steganography is a technique to hide message in something

and send it to recipient. This is an ancient technique and one of the stories from
Herodotus proves it. In this story a slave sent by his master, Histiaeus, to the Ionian
city of Miletus with a secret message tattooed on his scalp. After tattooing, the slave
grew his hair back in order to conceal the message. He then journeyed to Miletus
and, upon arriving, shaved his head to reveal the message to the city’s regent,
Aristagoras. The message encouraged Aristagoras to start a revolt against the
Persian king. In this scenario, the message is of primary value to Histiaeus and the
slave is simply the carrier of the message. So, it reflects use of steganography here. [3]

2.2.1 Basics

There are many other evidences which prove that steganography was used by many
people in the past. Some of those examples are:

1. hiding messages in women’s earrings

2. messages carried by pigeons
3. by modifying the height of letter strokes
4. marking letters in a text using small holes

Not limited to only these traditional forms, linguistic steganography (acrostic) was
used in different ways by different people. The covert communication makes sure that
intended information is covered in some medium in such a way that no one except
sender and receiver can know about its existence.

With evolution of computers and Internet this ancient technique of hiding data has
been used very frequently and more accurately in this digital world.

It not only became easy to hide digital data in digital media but it also become very
powerful to communicate crucial information by using digital steganography.

16
Today, steganography is most often associated with the high-tech variety, where data
is hidden within other data in an electronic file. For example, a Word document might
be hidden inside an image file. This is usually done by replacing the least important or
most redundant bits of data in the original file-bits that are hardly missed by the
human eye or ear with hidden data bits.

Before understanding how steganography works, one should know that

steganography is not cryptography and there is huge difference in both. Cryptography
refers to converting data into unreadable format while communicating and then
converting that data back to original (readable) format at the receiver's end. While
Steganography refers to hiding data in some other container like multimedia files and
communicate it.

Here in steganography data may or may not be encrypted but it is hidden in some
other media.

In cryptography hackers or external users can see that some data is being
communicated but they don't know what is being transferred as data is in unreadable
format. But the data is covered say in an image file and if you transfer that image file
then hackers or external users will see that an image file is being transferred but they
cannot see any hidden information in that image.

This not only reduces probability of disclosing content to third parties it also makes
sure that people don't know anything about the intended communication.

As in cryptography anyone can see that some data is being transferred (even though
it is in unreadable format it is visible), they can use different techniques to decrypt it
(by using different algorithms to convert unreadable format to readable format).

While in steganography, since no one knows about the hidden data chances of
making it visible are very less.

17
It is always recommended that one should use steganography with cryptography,
because in any case if hackers come to know that any data is hidden (using
steganography) in the container and if they try to reveal it they can get only
unreadable data. Which may result in more secure and less risky method.

Again, there are different containers like image files, sound files, etc... which can be
used as container for hiding data and based on their variations there are different
techniques to hide data. These variations lead to variety of ways to implement
steganography (almost separate for each type) and it in other hands makes it difficult
for hacker to get the hidden data.

For example, if one decides to hide data into an image file then the image file may be
in PNG, JPEG, GIF, BMP, etc... format and hiding information on different type of
images varies.[10]

So as being hacker, one has to first make sure that the image which is getting
transferred has some data (hidden using steganography), if it is found then he will
need to use appropriate algorithm to reveal that data and since most of the
information is encrypted he will again need to decrypt that information in proper
readable format.

Above process clearly indicates that chances that your secret information get
revealed are very less in case of steganography. If used with proper techniques one
can assure a secure communication with maximum accuracy and confidentiality.

So, if we put it in a sequence of steps then it would be as follows:

At the sender's End:

1. Encrypt the message (using encryption algorithm)
2. Hide data into container using steganography (the container file in genera are
multimedia files)

18
At the receiver's End:
1. Reveal the message from container.
2. Decrypt the retrieved message

For hacker following would be challenges:

1. Identifying whether the media being transferred has hidden message is or not
(almost impossible, because data is being hidden without changing overall
container)
2. In case if it is found then retrieving message from the media (very difficult,
because there are variety of algorithms to hide data and so the number of
possibilities to retrieve data)
3. If message is retrieved from the container then decrypt it (again its difficult to
decrypt without knowing encryption algorithm)

As a result it will be very secure to transmit secret data (in encrypted form) using
steganography. And that is the main reason this technique is being use by many
people for communicating crucial information. Following are the people and their
intension for using steganography.

1. Businessman – For transferring their business related crucial information

securely.
2. Software Manufacturers – For storing or sending License/Key to activate
software.
3. End users (Only Few) – For hiding their personal Information like passwords,
credit card details etc...
4. Terrorist / Criminals – For communicating messages or information to their
team members.
5. Hackers – For spreading malware.

19
From above one can say that its an interesting way to hide information. But its also
equally important to understand how it works technically? Following figure explains
the basic technique of Steganography.

Cover
Cover With
Hidden Message

Figure 2.1 - Steganography

2.2.2 Components of Steganography

There are three basic components and two main functions which make hiding of
information possible through steganography.

1. Cover: It is a media or container like image / sound / other files and

message is hidden in it.
2. Message: It is the information to hide.
3. Key: An encryption key to make sure hidden data remains encrypted.

Functions
1. Embed:
The embed function at the sender's end adds message to cover and encrypts
it using given key.

20
 2. Extract:
The extract function at the receiver's end extracts the message from cover and
decrypts it using given key.

In general, the message bytes are added to empty or least significant bits for effective
hiding. So, while adding message the original file gets modified but proper
implementation with efficient cover can implement steganography without making any
visible changes to the original file.

Three techniques are interlinked, steganography, watermarking and cryptography.

The first two are quite difficult to tease apart especially for those coming from different
disciplines. Drawing a line between these techniques is both arbitrary and confusing.
Therefore, it is necessary to discuss briefly these techniques. Following figure and
table depicts it in detail.

Figure 2.2 – Steganography, Cryptography and Watermarking

21
Steganography and Watermarking are used for information hiding. And in most cases
watermarks are visible while steganographic content is not visible to third party.
Steganography can be achieved using digital images, video, audio and text. But most
common and used method is to use digital images to hide messages.

Table 2.1 – Comparison of Steganography, Watermarking and Cryptography

Criterion / Steganography Watermarking Cryptography

Method
Carrier Any digital media Generally Generally text based,
image/audio/video but can be extended
files to images
Secret Data Payload Watermark Plain text
No changes to the structure Changes the
structure
Key Optional Required
Objective Secret Copyright Data protection
Communication preserving
Result Stego-file Watermarked-file Cipher-text
Concern Detectability/capacit Robustness robustness
y
Type of attacks Steganalysis Image processing Cryptanalysis
Visibility Never Sometimes Always
Fails when Detected removed/replaced De-ciphered
Relation to cover The message is The cover is more N/A
more important than important than the
the cover. message
Selection of Cover Free to choose any Cover choice is N/A
suitable cover restricted

22
2.2.3 Selection of Cover Media

The process of hiding information begins with selection of cover which can be used to
hide information. Selection of cover decides result of the steganography as different
media has different effects. Possible covers are simple text files, documents, image
files, executable files, sound files, etc...

If we use text file as cover then the message that we hide will change the content and
will easily become visible to any user. If message is encrypted then also user can at
least see that some bytes have been modified and actual content is changed.

In case if audio file is used as cover then there are chances that sound waves gets
corrupted and one can experience change in original track. Many times it may go
unnoticed by assuming corrupt track or mechanical fault. But even though its not the
efficient cover.

If we use executable file as cover then in most of the cases the file gets corrupted
because if we change bits in binary files then the overall execution gets affected.

But among all, image files are more suitable for steganography and gives efficient
results compared to all other types of cover media. The biggest advantage of image
files is its representation at pixel levels. Each pixel stores RGB value and changing
few pixels from thousands of pixels actually doesn't change its overall representation
and the message can be hidden easily without any problem. A person cannot see
from his eyes whether the image contains a message or not. Following are two such
images which clearly indicates that its not difficult but its almost impossible to tell
whether the image contains any hidden message or not.

23
 Figure 2.3 – Original Image Figure 2.4 – Image with hidden text

So as a conclusion one can say that Image is the best cover and I have used Image
as cover media for my research work.

Image on Left is the original image and does not contain any text, while image on
Right and has hidden text inside it. But from the visibility both images look same and
one cannot conclude whether the image on right contains any additional detail in it or
is same as original one.

24
2.3 Steganography Methods

In this section an overview of the most important steganographic techniques in digital

images is discussed. The most popular image formats, non scientific images, used on
the Internet are Graphics Interchange Format (GIF), Joint Photographic Experts
Group (JPEG), and to a lesser extent -Portable Network Graphics (PNG).

Most of the techniques developed aimed to exploit the structures of these particular
formats. There are some exceptions in the literature that use the Bitmap format
(BMP), due to its simple data structure.

2.3.1 Steganography by exploiting the image format

Steganography can be accomplished by simply feeding into a Windows operating

system’s command window the following code:

C:\> Copy Cover.jpg /b + Message.txt /b Stego.jpg

This code appends the secret message found in the text file ‘Message.txt’ into the
JPEG image file ‘Cover.jpg’ and produces the stego-image ‘Stego.jpg’.

This attempts to abuse the recognition of EOF, End Of File. In other words, the
message is packed and inserted after the EOF tag. When ‘Stego.jpg’ is viewed using
any photo editing application, the latter will just display the picture ignoring anything
coming after the EOF tag. However, when ‘Stego.jpg’ is opened in Notepad for
example, the message reveals itself after displaying some data as shown in following
figure.

Here message.txt contains message:

“This message will be hidden in cover.jpg using simple technique on Microsoft
windows.

25
But when the resultant file will be opened in notepad the message will become visible
after EOF of the actual file

--- Parag Rughani“

Figure 2.5– Notepad view of a stego-image

Note that the format of the inserted message remains intact. The embedded message
does not impair the image quality.

Neither image histograms nor visual perception can detect any difference between
the two images due to the secret message being hidden after the EOF tag. Whilst this
method is simple, a range of steganography software distributed online uses this
method, Camouflage, JpegX. Unfortunately, this simple technique would not resist

26
any kind of editing to the stego-image or any steganalysis attacks.

Another native implementation of steganography is to append hidden data into the

image’s Extended File Information, EXIF[2] . EXIF is a standard used by digital camera
manufacturers to store information in the image file, such as, the make and model of
a camera, the time the picture was taken and digitized, the resolution of the image,
exposure time, and the focal length.

This is metadata information about the image and its source located at the header of
the file. Paul Alvarez discussed the possibility of using such headers in digital
evidence analysis to combat child porno graphy. Following figure depicts some text
inserted into the comment field of a GIF image header. This method is not a reliable
one as it suffers from the same drawbacks as that of the EOF method. Note that it is
not always recommended to hide data directly without encrypting as in this example.

Figure 2.6– Modified EXIF header hex chunk in red.

These are few common methods of implementing steganography and are the manual
ways of doing it. There are certain tools and algorithms which does the same with
higher accuracy and efficiency. Some of them are discussed in Other algorithms
section of this chapter.

27
2.4 LSB - Least Significant Bit Substitution

There are many algorithms which can be used in implementing steganography.

These algorithms vary based on type of cover, type of message, performance, etc...
Since Steganography is in practice from many years, may people as a part of their
research work have developed various algorithms. Some of them are modified
versions of existing algorithms for either improving performance or to support new
cover media. Based on situation and requirement one can select any of the
algorithms available or may think to create a custom algorithm from scratch. I have
selected the most common and widely used algorithm known as LSB – Least
Significant Bit Substitution Algorithm for my research work.

Least Significant Bit is the right most bit of the byte and has least significance on
overall value. Since it is of least significance, modifying or even replacing it does not
affect over all image. The LSB substitution allows substitution of Least Significant Bit
from the image with a bit of the message. Based on size of the message to embed
one can modify those many least significant bits from the image and it does not make
any change to overall image as a whole.[4]

2.4.1 Data Representation of Digital Images

Before exploring LSB algorithm it is necessary to go through different types of images

and their architectures and image data representation. Following section discusses
details about some common image formats and their data representation.

Following can be few types for which we can have data representation.
• Black and White

• Monochrome Images

• Color Images

◦ 8-bit Color Images

◦ 24-bit Color Images

28
 Black and White Images

Figure 2.7 – Black and White Image

Black and White Binary images are encoded as a 2-D array, using one bit per pixel,
where a 0 usually means ‘black’ and a 1 means ‘white’ (even though there is no
universal agreement on that). The main advantage of this representation is its small
size.

Above image (the original jpeg file) is of 181x247 pixels and each pixel has value
either 0 (black) or 1 (white). So if we visualize the image as a 2-D array of pixels
considering a bit per pixel then it can be visualized as follows:

1 0 0 1 1 0 1 0 1
0 1 1 0 1 0 0 0 1
0 0 1 1 0 1 1 0 1
1 0 1 0 1 1 1 0 0
1 1 0 0 0 1 0 1 0
0 0 1 1 0 1 1 0 1

29
Above table of course is not the exact mapping of image pixels in bits but it gives a
simple idea how this image should be storing data digitally.

Gray-level Images

Gray-level images are also encoded as a 2-D array of pixels, using eight bits per
pixel, where a pixel value of 0 usually means ‘black’ and a pixel value of 255 means
‘white’, with intermediate values corresponding to varying shades of gray. The total
number of gray-levels is larger than the human visual system requirements, making
this format a good compromise between subjective visual qualities and relatively
compact representation and storage. An 8-bit monochrome image can also be
thought of as a collection of bit-planes, where each plane contains a 1-bit
representation of the image at different levels of detail.

Figure 2.8 – Gray-level Image

In Gray-level images there are different shades of Gray color and they generally fall
between white and black. It can be easily seen by comparing black and white image
with this one. Here the shades in image shows variations in the pixel value and each
pixel generally contains a value between 0 to 255 (the black and white image
contains only a single bit with values either 0 or 1).

30
For storing the value between 0 to 255 (different shades) a pixel in general refers to a
byte and so the binary values between 00000000 to 11111111. Each value represents
a shade between white and black and the 2-D array of pixel (byte) can be visualized
as follows: (Each pixel can have different values and that value lies between 0 and
255)

0-255 0-255 0-255 0-255 0-255 0-255 0-255

0-255 0-255 0-255 0-255 0-255 0-255 0-255
0-255 0-255 0-255 0-255 0-255 0-255 0-255
0-255 0-255 0-255 0-255 0-255 0-255 0-255
0-255 0-255 0-255 0-255 0-255 0-255 0-255

Color Images

Representation of color images is significantly more complex and varied. The two
most common ways of storing color image contents are:
1. RGB representation – in which each pixel is usually represented by a 24-bit
number containing the amount of its Red, Green, and Blue components – and
2. Indexed representation – where a 2-D array contains indices to a color palette
(or look-up table – LUT).

Indexed Color Images (8 – bit Color Images)

A problem with 24-bit color representations is backward compatibility with older

hardware which may not be able to display the 16 million colors simultaneously. A
solution devised before 24-bit color displays and video cards were widely accessible
was to adopt an indexed representation, in which a 2-D array of the same size as the
image contains indices (pointers) to a color palette (or look-up table – LUT) of fixed
maximum size (usually 256 colors).

31
 Figure 2.9 8-Bit color image
24-bit Color Images

Figure 2.10 24-Bit color image

32
Color images can be represented using three 2-D arrays of same size, one for each
color channel: Red, Green, and Blue. Each array element contains an 8-bit value
indicating the amount of red, green, or blue at that point, in a 0 to 255 scale. The
combination of the three 8-bit values into a 24-bit number allows for 256x256x256
(16,777,216, usually referred to as 16 million or 16 M) color combinations.

The 24-bit representation can be visualized as follows

Figure 2.11 - 24 Bit representation of the image

An alternative representation uses 32 bits and includes a fourth channel, called the
alpha channel, which provides a measure of transparency for each pixel and is widely
used in image editing effects.

From all the representations we can see that each pixel refers to some bits and the
bits here plays important role in implementing steganography technique. Let us take
an example of an 8 – Bit pixel in an image the bits here represent shade of one color

33
and its value can be assumed as : 10010011 so the 8 bits represent a pixel with a
decimal value 147. If we observe the bits then we can say that there are two extreme
bits: left most bit (known as Most Significant Bit) and rigth most bit (Known as Least
Significant Bit). These bits affects value of the either heavily of negligibly pixel and
can be understood from following.

1 0 0 1 0 0 1 1

Most Significant Bit Least Significant Bit

(Left-Most Bit) (Right-Most Bit)

The names Least and Most significant refers to the way these bits change the whole
value. In above example the decimal value is 147, so if I change value of Left Most
Bit (from 1 to 0) then the value will become 19 (new value: 00010011) and a huge
decrement can be seen here. Since the change in value is very large (when we
change the Left most bit) compare to all other bits, it is said to be the Most Significant
Bit (MSB) for any number.

Opposite to above if we change value of Right most bit (from 1 to 0) then new value
will be 146 (new value: 00010011), and a minor negligible change is there in the
actual value. Hence, change in right most bit does not affect original value very less
compare to other bits, it is said to be the Least Significant Bit (LSB) for any number.

One can derive two things from above theory

1. Each digital image stores pixel values in combination of bits representing a

color or shade of color.
2. In each number represented as binary, the left most bit is Least Significant and
changes to that doesn't affect overall value of the number.

34
The aim of steganography is to hide intended content in efficient way so it remains
undetectable to other users (except sender and receiver). This can be easily
achieved by replacing LSB from an image with bits of content to hide.

Computer scientists and programmers use LSB substitution algorithm in

steganography and have received best results. That is the main reason why most of
the steganography techniques use LSB substitution algorithm. Many people
customize it based on their requirement but at the core level it remains the LSB
substitution algorithm.

2.4.2 LSB2

Many times when the data to hide is big one can substitute two left most bits with
intended bits of the content. This is also very effective way and results in efficient
outputs in images with high resolution (24 bit color).

Same as LSB if we consider a 24-bit binary value : 110011100011000101101001

whose decimal value is 13513065. So if we change values of two left most bits from 1
to 0 and 0 to 1 respectively then the resultant decimal value will be 13513066. The
difference in the original and updated values is very small and can easily go
unnoticed by an end user.

Similarly, there can be LSB3 and may be LSB4 in 24-bit color images. Since the last
4 bits in such images are less significant.

35
2.5 Other Algorithms

Apart from the most common algorithm LSB there are some other algorithms which
can be considered for steganography. Some of them are discussed below:

2.5.1 Steganography in the image spatial domain

In spatial domain methods a steganographer modifies the secret data and the cover
medium, which involves encoding at the level of the LSBs. This method, although
simpler, has a larger impact compared to the other types of methods

Potdar used a spatial domain technique in producing a fingerprinted secret sharing

steganography for robustness against image cropping attacks. Their paper addressed
the issue of image cropping effects rather than proposing an embedding technique.
The logic behind their proposed work was to divide the cover image into sub-images
and compress and encrypt the secret data. The resulting data was then sub-divided
in turn and embedded into those image portions. To recover the data, a Lagrange
Interpolating Polynomial was applied along with an encryption algorithm.

The computational load was high, but their algorithm parameters, namely the number
of sub-images, and the threshold value, k, were not set to optimal values leaving the
reader to guess the values. Notice also that if n is set to 32, for example, that means
32 public keys are needed along with 32 persons and 32 sub-images, which turns out
to be impractical. Moreover, data redundancy that they intended to eliminate occurs in
the stego-image.

Shirali-Shahreza[7] exploited Arabic and Persian alphabet punctuations to hide

messages. While their method is not related to the LSB approach, it falls into the
spatial domain if the text is treated as an image. Unlike English language, which has
only two letters with dots in their lower case format, namely “i” and “j”, the Persian
language is rich in that 18 out of 32 alphabet letters have dots.

36
The secret message is converted to bits and those 18 letters’ dots are modified
according to the values in the binary file.

Color palette based steganography exploits the smooth ramp transition in colors as
indicated in the color palette. The LSBs are modified based on their positions in the
palette index. Johnson and Jajodia [19] were in favor of using BMP, 24-bit, instead of
JPEG images. Their next-best choice was GIF files, 256-color.

BMP as well as GIF based steganography apply LSB techniques, while their
resistance to statistical counter attacks and compression are reported to be weak.
BMP files are bigger compared to other formats which render them improper for
network transmissions. JPEG images however, initially were avoided because of their
compression algorithm which does not support a direct LSB embedding into the
spatial domain.

Fridrich[22] claimed that changes as small as flipping the LSB of one pixel in a JPEG
image can be reliably detected. The experiments on the DCT coefficients showed
promising results and redirected researchers’ attention towards this type of image.

In fact acting at the level of DCT makes steganography more robust and less prone to
statistical attacks.

Jung down-sampled an input image to 1⁄2 of its size and then used a modified
interpolation method, termed the neighbor mean interpolation, NMI, to up-sample the
result back to its original dimensions ready for embedding. For the embedding
process the up-sampled image was divided into 2x2 non- overlapping blocks as
shown in following figure.

37
 Original 2x2 block

120 90

Message to Hide
111 123

1101 1010 0011

120 93

124 133

Stego 2x2 block

Figure 2.12 – 2x2 block spatial steganography

Potential problems with this method are:

• The impossibility of recovering the secret bits without errors, owing to the use
of log2, base 2 logarithm, which is also used in the extraction that produces
floating point values that can be displayed in different precision in different
machines, e.g. rounding issue.

• since in the 2x2 blocks, the leading value, i.e., block(1,1), is left unaltered, thus
this leads to the destruction of the naturally strong correlation between
adjacent pixels which advertises a non-natural process involvement.

• this method resembles to a certain extent the pixel-value differencing for

reversible data embedding method which is proven to be prone to histogram
analysis attacks. Also Tian commented on the method’s vulnerability.

38
2.5.2 Histogram Based Hiding

Histogram-based data hiding is another commonly used data hiding scheme. Li

proposed lossless data hiding using the difference value of adjacent pixels. It is
classified under '±1' data embedding algorithms. It exploits the correlation between
adjacent pixels that more likely results in a compact histogram that is characterized
by a normal Gaussian distribution. Instead of considering the whole image, Piyu Tsai
divided the image into blocks of 5x5 where the residual image is calculated using
linear prediction, another term for adjacent pixels’ difference.

The secret data is then embedded into the residual values, followed by block
reconstruction. Such schemes have the advantage of recovering the original cover
image from the stego-image. While this preservation can be required in certain
applications such as medical imaging, in general steganography is not concerned
with this recovery. The hiding capacity is restricted in these methods, besides the '±1'
embedding strategy can Frequency be detected.

2.5.3 Steganography in the image frequency domain

The discovery of the LSB embedding mechanism is actually a big achievement.

Although it is perfect in not deceiving the HVS, its weak resistance to attacks left
researchers wondering where to apply it next until they successfully applied it within
the frequency domain. The description of the two- dimensional DCT for an input
image F and an output image T is calculated as:

39
where M, N are the dimensions of the input image while m, n are variables ranging
from 0 to M-1 and 0 to N-1 respectively.

DCT is used extensively with video and image compression e.g. JPEG lossy
compression. Each block DCT coefficient obtained from Equation is quantized using
a specific Quantization Table, QT.

Following matrix is suggested in the Annex of the JPEG standard [23]. Note that some
camera manufacturers have their own built-in QT and they do not necessarily
conform to the standard JPEG table. The value 16, in bold-face, represents the DC
coefficient and the other values are the AC coefficients.

The logic behind choosing a table with such values is based on extensive
experimentation that tried to balance the trade-off between image compression and
quality factors. The HVS dictates the ratios between values in the QT.

40
 Table 2.2 - JPEG suggested Luminance Quantization Table.

16 11 10 16 24 40 51 61
12 12 14 19 26 58 60 55
14 13 16 24 40 57 69 56
14 17 22 29 51 87 80 62
18 22 37 56 68 109 103 77
24 36 55 64 81 104 113 92
49 64 78 87 103 121 120 101
72 92 95 98 112 100 103 99

An image can be partitioned in 8x8 blocks as shown below:

Figure 2.13 8x8 blocks partition of an image

41
Steganography based on DCT, JPEG compression, follows following steps:

JPEG Compression

Secret Bits Huffman

Table

8x8 blocks
8x8 blocks
Compressed
Image (Cover)
Stego
8x8 DCT Quantization Huffman
Table Coder

Figure 2.14- Steganography on JPEG

Choosing which values in the 8x8 DCT coefficients block are altered is very important
as changing one value will affect the whole 8x8 block in the image.

2.5.4 F5 Algorithm

Andreas Westfeld[6] bases his “F5” algorithm on subtraction and matrix encoding,
also known as syndrome coding.

F5 embeds only into non-zero AC DCT coefficients by decreasing the absolute value
of the coefficient by 1.

A shrinkage occurs, when the same bit has to be re-embedded in case the original
coefficient is either ‘1’ or ‘-1’ as at the decoding phase all zero coefficients will be
skipped whether they are modified or not.

Neither the χ 2 -test nor its extended version could break this solid algorithm.
Unfortunately, F5 did not survive attacks for too long. Fridrich proposed steganalysis
method, by exploiting the natural distribution of DCT coefficients, which does detect
F5 contents, disrupting its survival.

42
The F5 algorithm embeds message bits into randomly-chosen DCT coefficients and
employs matrix embedding that minimizes the necessary number of changes to
embed a message of certain length. According to the description of the F5 algorithm,
version 11, the program accepts six inputs:

• Quality factor of the stego-image Q;

• Input file (TIFF, BMP, JPEG, or GIF);

• Output file name;

• File containing the secret message;

• User password to be used as a seed for PRNG;

• Comment to be inserted in the header.

In the embedding process, the message length and the number of non-zero non-DC
coefficients are used to determine the best matrix embedding that minimizes the
number of modifications of the cover-image. Matrix embedding has three parameters
(c, n, k), where c is the number of changes per group of n coefficients, and k is the
number of embedded bits.

The embedding process starts with deriving a seed for a PRNG from the user
password and generating a random walk through the DCT coefficients of the cover-
image. The PRNG is also used to encrypt the value k using a stream cipher and
embed it in a regular manner together with the message length in the beginning of
the message stream.

The body of the message is embedded using matrix embedding, inserting k message
bits into one group of 2k–1 coefficients by decrementing the absolute value of at most
one coefficient from each group by one. The embedding process consists of the
following six steps:

43
1. Get the RGB representation of the input image.

2. Calculate the quantization table corresponding to quality factor Q and

compress the image while storing the quantized DCT coefficients.

3. Compute the estimated capacity with no matrix embedding C = hDCT –

hDCT /64 –h(0) –h(1) + 0.49h(1), where hDCT is the number of all DCT
coefficients, h(0) is the number of AC DCT coefficients equal to zero, h(1) is
the number of AC DCT coefficients with absolute value 1, hDCT/64 is the
number of DC coefficients, and –h(1)+0.49h(1) = –0.51h(1) is the estimated
loss due to shrinkage (see Step 5). The parameter C and the message length
together determine the best matrix embedding.

4. The user-specified password is used to generate a seed for a PRNG that

determines the random walk for embedding the message bits. The PRNG is
also used to generate a pseudo- random bit-stream that is XOR-ed with the
message to make it a randomized bit-stream. During the embedding, DC
coefficients and coefficients equal to zero are skipped.

5. The message is divided into segments of k bits that are embedded into a
group of 2k–1 coefficients along the random walk. If the hash of that group
does not match the message bits, the absolute value of one of the coefficients
in the group is decreased by one to obtain a match. If the coefficient becomes
zero, the event is called shrinkage, and the same k message bits are re-
embedded in the next group of DCT coefficients (we note that LSB(d)= d mod
2, for d > 0, and LSB(d)=1– d mod 2, for d < 0).

6. If the message size fits the estimated capacity, the embedding proceeds,
otherwise an error message showing the maximal possible length is displayed.

44
There are rare cases when the capacity estimation is wrong due to a larger than
anticipated shrinkage. In those cases, the program embeds as much as possible and
displays a warning.

While the F5 algorithm does modify the histogram of DCT coefficients, but some
crucial characteristics of the histogram are preserved, such as its monotonicity and
monotonicity of increments. The F5 algorithm cannot be detected using the χ2 attack
because the embedding is not based on bit-replacement or exchanging any fixed
Pairs of Values.

2.5.5 JSteg Algorithm

The JSteg algorithm was among the first algorithms to use JPEG images. Although
the algorithm stood strongly against visual attacks, it was found that examining the
statistical distribution of the DCT coefficients shows the existence of hidden data [09].

JSteg is easily detected using the χ2 -test . Moreover, since the DCT coefficients
need to be treated with sensitive care and intelligence the JSteg algorithm leaves a
significant statistical signature. In his book, Wayner, stated that the coefficients in
JPEG compression normally fall along a bell curve and the hidden information
embedded by JSteg distorts this.
The Algorithm:

Input: Cover Image and Message

Process:
while data left to embed do
get next DCT Coefficient from the cover image
if DCT != 0 and DCT !=1 then
get next LSB from message
replace DCT LSB with message LSB
end if

45
 insert DCT into stego image
end while
Output: Stego image

2.5.6 OutGuess Algorithm

OutGuess is a better alternative as it uses a pseudo-random-number generator to

select DCT coefficients. The χ 2 - test does not detect data that is randomly
distributed. The developer of OutGuess suggests a counter attack against his
algorithm. Provos suggests applying an extended version of the χ 2 -test to select
Pseudo randomly embedded messages in JPEG images. [09]

OutGuess works in two phases – embedding and correction steps.

Embedding
The embedding process skips 0’s and 1’s and flips the LSBs of coefficients to match
them with the message bits. Following figure depicts embedding process in
OutGuess algorithm.

Figure 2.15– OutGuess Embedding Process.

46
Correction:

Because the embedding process changes the histogram of the quantized DCT
coefficients, the correction steps flips LSBs of yet not visited DCTs to match the cover
and stego histograms.

Since the chi-square attack is based on analyzing first-order statistics of the stego
image, it cannot detect messages embedded using OutGuess. Provos also reports
that the corrections are made in such a manner to avoid detection using his
generalized chi-square attack.

2.5.7 Data Hiding in DWT

Abdelwahab and Hassan proposed a data hiding technique in the DWT domain. Both
secret and cover images are decomposed using DWT, 1st level each of which is
divided into disjoint 4x4 blocks.

Blocks of the secret image fit into the cover blocks to determine the best match. Error
blocks are then generated and embedded into coefficients of the best matched
blocks in the horizontal sub-band of the cover image. Two keys must be
communicated: one to hold the indices to the matched blocks in the cover
approximation sub-band, and another for the matched blocks in the horizontal sub-
band of the cover.

Note that the extracted payload is not totally identical to the embedded version as the
only embedded and extracted bits belong to the secret image approximation while
setting all the data in other sub images to zeros during the reconstruction process.

2.5.8 Adaptive Steganography

Adaptive steganography is a special case of the former methods. It is also known as

“Statistics-aware embedding”, “Masking” or “Model-Based”.

47
This method takes statistical global features of the image before attempting to interact
with its LSB/DCT coefficients. The statistics will dictate where to make the changes.

It is characterized by a random adaptive selection of pixels depending on the cover

image and the selection of pixels in a block with large local STD, standard deviation.
The latter is meant to avoid areas of uniform color, smooth areas. This behavior
makes adaptive steganography seek images with existing or deliberately added noise
and images that demonstrate color complexity.

The model-based method, MB1, generates a stego-image based on a given

distribution model, using a generalized Cauchy distribution, that results in the
minimum distortion.

Due to the lack of a perfect model, this steganographic algorithm can be broken using
the first-order statistics. Moreover, it can also be detected by the difference of
‘blockiness’ between a stego-image and its estimated image reliably. The discovery of
‘blockiness’ led the author to produce an enhanced version called MB2, a model-
based with de-blocking. Unfortunately, even MB2 can be attacked.

Edge embedding follows edge segment locations of objects in the host gray-scale
image in a fixed block fashion each of which has its center on an edge pixel. Whilst
simple, this method is robust to many attacks and it follows that this adaptive method
is also an excellent means of hiding data while maintaining a good perception.

Chin-Chen and his colleagues propose an adaptive technique applied to the LSB
substitution method. Their idea is to exploit the correlation between neighboring
pixels to estimate the degree of smoothness. They discuss the choices of having 2, 3
and 4 sided matches. The payload, embedding capacity, is high.

Hioki presented an adaptive method termed “A Block Complexity based Data

Embedding”, ABCDE. Embedding is performed by replacing selected suitable pixel
data of noisy blocks in an image with another noisy block obtained by converting data

48
to be embedded. This suitability is identified by two complexity measures to properly
discriminate complex blocks from simple ones, which are run- length irregularity and
border noisiness.

The hidden message is more a part of the image than just added noise. The ABCDE
method introduced a large embedding capacity, however, certain control parameters
had to be configured manually, e.g., finding an appropriate section length for
sectioning a stream of resource blocks and finding the threshold value that controls
identification of complex blocks. These requirements render the method unsuitable
for automatic processes.

Kong and his colleagues proposed a content-based image embedding based on

segmenting homogeneous greyscale areas using a watershed method coupled with
Fuzzy C-Means, FCM. Entropy was then calculated for each region. Entropy values
dictated the embedding strength where four LSBs of each of the cover’s RGB
primaries were used if it exceeded a specific threshold otherwise only two LSBs for
each were used. The drawback of this method was its sensitivity to intensity changes
which would affect severely the extraction of the correct secret bits. As a side note,
the authors also reported the use of a logistic map to encrypt the secret bit stream
which seems vulnerable to a Chosen-plaintext attack, CPA.

Chao and his colleagues presented a 3D steganography scheme. The embedding

scheme hides secret messages in the vertices of 3D polygon models.

Similarly, Bogomjakov hide a message in the indexed representation of a mesh by

permuting the order in which faces and vertices's are stored.

Although, such methods claim higher embedding capacity, time complexity to

generate the mesh and rendering can become issues. Moreover 3D graphics are not
easily ported compared to digital images.

49
Nakamura and Zhao, propose a morphing process that takes as input the secret
image and the cover file. The method does not discuss the generated features from
the cover and secret images used for morphing and how to regenerate them from the
stego-image.

Zeki and Azizah proposed what they termed as ‘the intermediate significant bit
algorithm’.

They studied different ranges of an 8-bit image and found the best compromise for
distortion and robustness was in the following range: {0:15} {16:31} ...{224:239}
{240:255}. The core idea in the embedding process is to find the nearest range that
matches the secret bit in the next or previous range.

Above details gives an idea that there are variety of algorithms available for
steganography and this too is not a complete list as many researchers are working on
this domain to find out many new algorithms. It is in deed a most attracted domain by
researchers and lots of research work is being carried out at present also.

50
2.6 Stego Tools

There are different stego tools available in market and they are created based on
different algorithms. Some of them are discussed above and some of them are
customized ones.

Few such tools are JSteg, S-Tools, OutGuess, EZStego, Jphide, F5, etc...

Based on their performance and functionality a comparison table has been prepared
by some researchers and same is shown below.

Table 2.3 – Comparison of Stego tools

In above table columns with heading (1) and (2) represent Frequency Domain (3)
refers to encryption support (4) refers to random bit selection and (5) refers to image
format.

51
As a conclusion we can say that: Algorithms F5 and Outguess are the most reliable
algorithms although they violate the second order statistics.

52
2.7 Steganalysis

Steganalysis is the science of attacking steganography in a battle that never ends. It

mimics the already established science of Cryptanalysis. Note that steganographers
can create a steganalysis system merely to test the strength of their algorithm.

Steganalysis is achieved through applying different image processing techniques,

e.g., image filtering, rotation, cropping, and translation. More deliberately, it can be
achieved by coding a program that examines the stego-image structure and
measures its statistical properties, e.g., first order statistics, histograms, or second
order statistics, correlations between pixels, distance and direction. JPEG double
compression and the distribution of DCT coefficients can give hints on the use of
DCT-based image steganography.

Passive steganalysis attempts to destroy any trace of secret communication, without

detecting the secret data, by using the above mentioned image processing
techniques: changing the image format, flipping all LSBs or by undertaking a severe
lossy compression, e.g., JPEG.

Active steganalysis however, is any specialized algorithm that detects the existence
of stego-images.[18]

Spatial steganography generates unusual patterns such as sorting of color palettes,

relationships between indexed colors and exaggerated “noise”, all of which leave
traces to be picked up by steganalysis tools. This method is very fragile.

LSB encoding is extremely sensitive to any kind of filtering or manipulation of the

stego-image. Scaling, rotation, cropping, addition of noise, or lossy compression to
the stego-image is very likely to destroy the message.

Furthermore an attacker can easily remove the message by removing, zeroing, the
entire LSB plane with very little change in the perceptual quality of the modified

53
stego-image. Almost any filtering process will alter the values of many of the LSBs.

By inspecting the inner structure of the LSBs, Fridrich and her colleagues claimed to
be able to extract hidden messages as short as 0.03bpp, bit per pixel. Kong et al.
stated that the LSB methods can result in the “pair effect” in the image histograms.
This “pair effect” phenomenon is empirically observed in steganography based on the
modulus operator.

Note that it is not always the case that modulus steganography produces such a
noticeable phenomenon. This operator acts as a means to generate random
locations, i. e. not sequential, to embed data. It can be a complicated process or a
simple one like testing, in a raster scan fashion, if a pixel value is even then embed,
otherwise do nothing.

Essentially there are two approaches to the problem of steganalysis, one is to come
up with a steganalysis method specific to a particular steganographic algorithm. The
other is developing universal steganalysis techniques which are independent of the
steganographic algorithm being analyzed.

Each of the two approaches has it’s own advantages and disadvantages. A
steganalysis technique specific to an embedding method would give very good
results when tested only on that embedding method, and might fail on all other
steganographic algorithms. On the other hand, a steganalysis method which is
independent of the embedding algorithm might preform less accurately overall but still
provide acceptable results on new and unseen embedding algorithms.

Universal steganalysis techniques work by designing a classifier based on a training

set of cover objects and stego-objects obtained from a variety of different embedding
algorithms. Classification is done based on some inherent ”features” of typical natural
images which can get violated when an image undergoes some embedding process.

Hence, designing a feature classification based universal steganalysis technique

54
consists of tackling two independent problems. The first is to find and calculate
features which are able to capture statistical changes introduced in the image after
the embedding process. The second is coming up with a strong classification
algorithm which is able to maximize the distinction captured by the features and
achieve high classification accuracy.

There have been a number Universal steganalysis techniques proposed in the

literature, these techniques differ in the features sets they propose for capturing the
natural image statistics. For example Avcibas et al. 7 look at seventh and eight bit
planes of an image and calculates several binary similarity measures. Farid et al.,8, 9
calculate a number of statistics from the wavelet domain representation of the image
after decomposing it with quadratic mirror filters (QMF). Fridrich,10 looks at statistics
directly from the JPEG domain, such as DCT coefficient histograms, as well as
spatial domain statistics.

Typically, good features should be accurate, monotonic, and consistent in capturing

statistical signatures left by the embedding process. Detection accuracy can be
interpreted as the ability of the features to detect the presence of a hidden message
with minimum error on average. Similarly, detection monotonicity signifies that the
features should ideally be monotonic in their relationship to the embedded message
size.

Finally, detection consistency relates to the feature’s ability to provide consistently

accurate detection for a large set of steganography techniques and image types. This
implies that the feature should be independent of the type and variety of images
supplied to it.

55
2.8 Steganography in Mobile Phones / Smart Phones

When we talk about steganography implementation, there are various applications

and tools available for traditional computers like Desktop, Laptop, etc... but when we
think about implementing steganography on small computing devices like mobile
phones / smart phones it becomes very challenging because of many limitations.

These days most of the people are using smart phones (which are basically mobile
phones but have some advanced features) and very few are there who use pure
mobile phones (with only basic functions of mobile phones). So looking at the trend
and overall acceptance I will use term smart phone for mobile phone and it is
assumed that they are indeed mobile phones at core.

As being small computing devices these smart phones lack processing power,
storage and speed compare to traditional computers. There are other limitations like
most of them are battery powered and are smaller in size with / without keypad.

Some of the major limitations in implementing steganography in smart phones are

mentioned below:

Smart phones are small computing devices - even though smart phones are
smarter than mobile phones they are not sufficient enough to provide efficiency of a
traditional computer like desktop or laptop. Smart phones / Mobile Phones are still
small computing devices and have limited resources compare to desktop or laptop.
The file size and operations on files at low level are not very easy in smart phones.
Another factor in smart phone is availability of APIs and libraries, the APIs or libraries
available for desktop computers cannot be available on smart phones. So, algorithms
developed for computers cannot be used for smart phones.

There cannot be a common algorithm - since there are many smart phone
manufacturers. It is almost difficult to develop a common algorithm for steganography.
Another issue is, there are lots of variations in smart phones and their architectures;

56
you can find different devices with different features and facilities from same vendor.
Further on regular interval new versions or models of same product are launched. So,
due to unstable market it seems very difficult to have a common steganographic
algorithm for smart phones.

Low level operations – Most of the smart phone vendors allow file editing at low
level but still there are few smart phone vendors who are not giving access to low
level operations on files. If you look at blackberry and apple then for security reasons
they have kept some restricted APIs which cannot be used by third party developers.
So you cannot use such restricted APIs in your application. Basically all the
steganographic techniques need to alter the image at byte level. So if the smart
phone on which you are working does not allow you to alter the image at byte level
then you may not be able to implement steganography.

Testing environment – on desktop/laptop we can develop, compile, run and test

applications easily. But in smart phones we do not have such programming or testing
environment. So it may happen that for smart phones we need to go through tedious
job of testing and deployment. Even though emulators and simulators can be used for
testing purpose, sometimes they cannot give exact results. This becomes very
complex when you are developing an algorithm to cover most of the phones. For
example if you are working on blackberry platform then there are different simulators
available for different blackberry devices. So for each simulator you need to test the
application and that too can give you inaccurate results.

It is very difficult to have a common / generic Steganographic technique which can

support all the mobile / smart phones.

57