Proof-of-work based new encoding scheme for information hiding purposes

Information hiding, particularly steganography, deals with techniques for stealth storing or transmitting secret messages [10]. So far, many different techniques have been proposed in the literature [9, 12, 13, 18], and it must be noted that malware creators increasingly utilize such methods to cover their tracks (e.g., exfiltrate confidential data or download further malware modules) [2, 3]. In many schemes presented so far, to make the steganalysis more challenging, it is desired to make the secret messages look random [10]. Sometimes, an even distribution of byte values is to be achieved, or an entropy must be matched, for example, to remain unsuspicious. Although this randomization can be achieved with encryption of the secret message, which additionally provides confidentiality of the secret message even if its existence is revealed, the two properties are different. If encryption is used, it requires shared knowledge of the key by covert sender and receiver, e.g., by a key exchange, which may not always be possible to achieve in a secure manner. Moreover, encryption and decryption incur some effort on the side of the covert sender and receiver, respectively, which in turn might compromise the stealthiness of the scheme, although the secret message itself is well hidden. Considering the above, two questions arise:

• If confidentiality is needed, how can key exchange prior to message transfer be avoided.
  
• If confidentiality is not needed, can encryption algorithms be substituted by algorithms that still provide a suitable level of randomness, but require less effort than encryption.
  

In this research, we address both questions.

Regarding the key, we propose a proof-of-work-inspired approach that allows secure transmission of the key with the encrypted message, thus avoiding the need for a previous key exchange. This comes at the cost of “key mining” by the covert sender or receiver, but not both. e Obviously, in this case, we need to keep in mind that we provide the confidentiality of the message on a minimal level. Thus, if the steganalyst discovers that the hidden transmission is taking place, then it is relatively easy to decrypt the secret message. Thus, the main goal of our approach is to make it harder for detectors inspecting network traffic to discover secret communication.

Regarding the lightweight scheme, we propose to substitute encryption by T-functions which have been used previously in pseudo-random number generators [8]. We implement both schemes to measure the effort invested by the covert sender and the covert receiver and to measure the entropy of the resulting message to check for suitable randomness. Our preliminary experimental results, presented in this paper, indicate that both schemes are feasible.

Both schemes should be seen as promising examples of a large field of possible solutions that may range from ID-based encryption, where the receiver's identity serves as a key to encrypt a session key that, in turn, is used to encrypt the secret message, to lossless compression, where entropy is increased by removing statistical redundancy in the original message, and which might look random, too. However, it should be emphasized that exploring the full spectrum of solutions is beyond the scope of this work. Still, we discuss some related approaches in Section 2.5.

Considering the above, the main contributions of this paper are summarized as follows:

• We investigate the randomization of messages and encryption of messages as separate, yet partly related entities,
  
• We propose a scheme that avoids key exchange before the actual transmission of the secret message when encryption is needed. Proof-of-work approaches inspire the scheme and come at the cost of “key mining” on either the covert sender or covert receiver side.
  
• We propose a scheme that substitutes symmetric block encryption algorithms by T-functions to lower computational effort without compromising the randomness of the resulting message.
  
• We implement both schemes and perform experiments to demonstrate that randomization without encryption can indeed be provided at a smaller cost and that, in the case of encryption, the key exchange can be avoided by transmitting a hashed key, where the effort on the side of the covert sender to generate that key might be traded for effort on the receiver side to recover the key.
  

The remainder of this paper is structured as follows. Section 2 summarizes the techniques needed for our investigation and describes the most notable published works related to the topic described in this paper. Then in Section 3, we present two proposals on how to randomize a secret message if either confidentiality is needed or not. Section 4 presents the concrete implementations of our proposals and describes the preliminary experiments we performed for evaluation, while Section 5 presents the results of the analysis of our experiments. Finally, Section 6 presents conclusions and an outlook for future work.

In this section, we first present relevant background in encryption and its modes, pseudo-random number generation, as well as cryptographic hash functions and proof-of-work. Then we focus on describing the most notable related work in this area.

As a first scenario, we consider a covert sender that randomizes a secret message m = m₁m₂… by encrypting it symmetrically with a key k in CBC mode using an initialization vector IV = c where c is a randomly chosen salt or nonce. To ensure that the covert receiver can decrypt the secret message, the covert sender must also transmit the key k and the nonce c. The covert sender can simply precede the encrypted message E_k(m) with c and k, but then confidentiality is not provided anymore, and there may be randomization approaches that require less computation on the side of the covert receiver, and thus may be more stealthy. Instead, the covert sender can transmit a hashed version of the key. As hash block sizes are normally longer than key sizes, and to be able to control the effort to be invested by the covert receiver, the covert sender chooses a key k where the first j bits are set to zero and ultimately transmits c|H(c|k)|E_k(m).

Upon receiving this message, the covert receiver performs a kind of proof-of-work scheme. It repeatedly applies a randomly chosen key k′ with the first j bits set to zero and computes H(c|k′), until it equals H(c|k). As H is assumed to be resistant to collisions, the covert receiver can assume k′ = k, and it can derive the secret message by decrypting: $m=D_{k^{\prime }}(E_k(m))$. If the key size is n bits, then there are 2^{n − j} possible keys, and on average the covert receiver will try out half of them before obtaining a hit. The general flow is presented in Figure 1.

The covert sender and the covert receiver must agree in advance on the encryption function E, the hash function H, and the number j of bits set to zero in the key.

The rationale behind this approach is that, in many cases, the covert sender may be in greater danger of being detected (e.g., a dissident in an oppressive regime) than the covert receiver if it is not very careful to lie low and only scarcely does computations. The covert receiver, on the other hand, often can either freely do computations, because that computer is under the attacker's control, or it can forward the encrypted message into a cloud where it can be decrypted even with high computational effort.

The confidentiality of the secret message is not absolute, as a warden (an entity that in an information hiding area is typically responsible for hidden communication detection and prevention) could, in principle, apply the computations that the covert receiver does. However, since a warden normally does not know in advance if a particular transmission contains an encrypted secret message, it would be forced to perform such a key recovery on many strings, which might not be possible anymore with its computational capabilities. Moreover, the warden may be more interested in interrupting this transmission than decrypting a particular secret message.

If confidentiality is not needed, then also an encryption algorithm is not necessarily needed in the scheme above, but any bijective function will. This reduces effort and does not require transmitting a key. Thus, in this case, a T-function could be used. However, the inverse of a T-function, which is needed for encryption, is often notably slower than the T-function itself [7], so this could create problems for the covert receiver if it also needs to lie low and can do computations only scarcely.

Instead of using the CBC mode, the Counter mode can also be used. In this case, both the covert sender and the covert receiver apply the same encryption algorithm, and no decryption algorithm is needed. If confidentiality is not needed, so we propose to replace the encryption algorithm with a T-function, as it seems a suitable and work-efficient alternative in this setting.

The transmission overhead is the nonce and the hashed key if confidentiality is needed. The nonce is chosen randomly, and the hash value will look random so that the whole data for transmission is randomized. The nonce also ensures that if a key is used twice, it will result in different hash values. If this is not an issue, then also the key might be used as a nonce, and only the hashed key must be transmitted.

If confidentiality is not needed, overhead consists of the nonce.

Transmission overhead can be notable for short messages, yet will be marginal for longer data transfers.

Note that there might be a situation where an additional effort may be expected from the covert sender rather than from the covert receiver. In order to address that, it is possible to introduce the proof-of-work effort on the sender side, however, it is out of the scope of this paper. However, we plan to explore such scenarios in further research.

Each encoding technique will be classified according to the following criteria:

• Additional intentional effort required by the covert receiver,
  
• Need for key exchange,
  
• Confidentiality,
  
• Integrity checks.
  

First, let us discuss the asymmetry in the expected effort between the covert sender and the covert receiver. Although the covert sender wants to prepare the secret message without unnecessary delay, additional effort on the receiver side is introduced to make the task of detecting and discovering the message for any attacker online much more difficult and time-consuming. Let us consider an environment where there is a huge amount of data transferred each hour and only a minuscule portion is our covert message. In such a case, we can see that even a small additional effort might be a significant difficulty for detection and analysis. The technique itself is also recognized and applied in many other areas, e.g., against brute force password hashing by introducing the so-called slow hashing functions.

It is also worth mentioning that the level of computational effort can be managed by how the encryption key is created, and we can influence the following two aspects:

• Alphabet. The space search will be much smaller (and faster) if we agree only on digits, it will be bigger if we agree on digits plus lower- and upper-case letters, and it will be the biggest one if we agree on all possible characters. In our considerations, we applied digits only as a simple and good enough approach for the purpose.
  
• Key pattern. Agreeing on certain patterns, e.g., a number of leading 0’s in case of digits only, can reduce the search space. Moreover, we can control that by agreeing on a number of leading 0’s. Obviously, the pattern can be anything like a fixed part, different parts of the key encoded with different alphabets, etc. In our consideration, keeping in mind that we use digits only as the alphabet, we applied the leading 0’s pattern as, again, a simple and good enough approach for the purpose.
  

Now let us introduce basic terms and notation:

• s₁|s₂ - a concatenation of strings s₁ and s₂
  
• c - random salt
  
• iv - random initialization vector required by encryption CBC mode
  
• H(·) - hash function, in our consideration it will be SHA256
  
• E_k(·) - encryption function with the key k, in our consideration it will be DES or AKARI²
  
• D_k(·) - decryption function with the key k, as above.
  
• m - secret open text message
  
• S - secret encoded message
  
• CS - covert sender
  
• CR - covert receiver
  

In the following sections, we will introduce the proposed schemas.

4.1 Scheme with DES and intentional CR effort (Sch-1)

4.1.1 Encoding and sending by CS. Input:

• m - secret message
  
• c - 8 bytes random salt
  
• iv = c
  
• k - 7 bytes of key with z zero bits prefix (z adjusted to the expected security level)
  
• E(·) - DES in CBC mode
  
• H(·) - SHA256
  

Output:

4.1.2 Decoding and receiving by CR. Input:

• S
  

Output:

• split S into: c, H(c|k), E_{k, iv}(m)
  
• generate k′ by enumeration or repeated random choice (assuming z zeros bits prefix) until:
  
  
  under the assumption of collision resistance of H we obtain k = k′
  
• Decrypt E_{k, iv}(m) using k and c and obtain m
  

4.2 Scheme with AKARI-1 or T-function and no intentional CR effort (Sch-2)

4.2.1 Encoding and sending by CS. Input:

• m - secret message
  
• c - 12 bytes random nonce
  
• E(·) - AKARI-1 in CNT mode or T-function (defined as $f(x)=x+(x\cdot x \vee 5) \bmod 2^{64}$) in CNT mode
  

Output: T-function is defined clearly, but let us quickly recap how the AKARI-1 function works: it takes 16 (left 8 and right 8) bytes of seed, and an output produces 16 bytes of output where the left 8 bytes are considered random. So, both the T-function and AKARI-1 function return 8 bytes of random output. Having that, we split the message m into 8 bytes blocks m₁, m₂, … and then calculate n₁, n₂, … in the following way:

\begin{eqnarray*} n_1 & = & {AKARI1}\_OR\_T(c|0000)\ {\rm XOR}\ m_1\\ n_2 & = & {AKARI1}\_OR\_T(c|0001) \ {\rm XOR}\ m_2\\ \ldots && \end{eqnarray*}

Finally, the following output is created and sent to the receiver:

4.2.2 Decoding and receiving by CR. Input:

• S
  

Output:

• Split S into: c, n₁, n₂, etc.
  
• Decrypt n_i into m_i following the same schema as before:
  \begin{eqnarray*} m_1 & = & {AKARI1}\_OR\_T(c|0000)\ {\rm XOR}\ n_1 \\ m_2 & = & {AKARI1}\_OR\_T(c|0001)\ {\rm XOR}\ n_2 \\ \ldots && \end{eqnarray*}
  
  
  
• reconstitute m = m₁|m₂|…
  

In this section, we analyze several properties of all proposed schemas:

• Bandwidth (a.k.a. data hiding capacity),
  
• Stealthiness (a.k.a. how random the message is and how difficult it would be to discover embedded hidden data),
  
• Robustness.
  

The test bed for analysis is created as follows. We take a sample text from the literature, i.e., the first chapter of Master and Margarita by Mikhail Bulhakov, and we split it into M₁, …, M_n equal size messages. In our considerations, we take messages of size 1000 characters, which resulted in 25 full files (the last one of less size was discarded).

Having the messages, we executed both operations, i.e., encoding and decoding, for all the messages and, based on that, performed the below analysis.

In the following sections, we analyze each of the proposed schemas.

5.3 Proof-of-Work consideration

In the schema Sch-1 we introduce the so-called intentional covert receiver effort, which is the idea based on the Proof-of-Work concept from Blockchain. The main reasoning behind introducing the concept into the information hiding domain and sending secret messages is as follows. The network traffic is scanned for any potential anomalies like malware software, attackers’ activities, and many others, including hidden messages being a part of steganography communication, e.g., to control the botnet. The inspecting solutions (e.g., IDS/IPS systems) must scan huge amounts of data in real time. Now, if we introduce a mechanism that forces IDS/IPS to spend a certain amount of time for each portion of data to make it meaningful, then the task for IDS/IPS to identify suspicious packets is getting much more difficult as the software cannot operate in real-time anymore.

In our schema, we introduce a mechanism based on key search, so to be able to restore the original message, a specific decryption key needs to be found. As discussed at the beginning of Section 4, the decryption key can be based on a certain alphabet, it can also follow a certain pattern, and in our consideration, we applied the (a) digits only alphabet, and (b) certain leading 0’s pattern. In Bitcoin, each block is supposed to be added (i.e., proof-of-work task completed) in 10 minutes, and the task is being adjusted over time to align with the technology evolution (including applying GPU or ASICs). Obviously, in our scenario, there is no need for such a sophisticated adjustment. Still, we can make a rough time estimate assuming a single core on a modern processor produced in recent 2-3 years. Having that, we made a quick evaluation to see what key pattern gives which delays. The results are summarized in Table 7.

Table 7: Time needed to calculate the specific number of hashes

Hashes number	Average time [s]	StdDev [s]
104	0.0005	0.0030
105	0.1460	0.0112
106	1.5463	0.0202
107	15.4655	0.1569
108	156.2532	0.6384

Based on the results presented, it is easily observable that till 10⁴, that time is around 0, but starting from 10⁵, it increases linearly with very small deviations. From our key search perspective, we can conclude time ranges summarized in Table 8.

Table 8: Time needed to find a key of a specific pattern (X - any digit, Y - any digit except 0)

Name	Key pattern	Min time [s]	Max time [s]
A	000YXXXX	0.00	0.14
B	00YXXXXX	0.14	1.54-0.14= 1.40
C	0YXXXXXX	1.54	15.46-1.54= 13.92
D	YXXXXXXX	15.46	156.25-15.46= 140.79

The results presented in Table 8 show that we have quite significant flexibility to control the time the receiver needs to restore the message, keeping in mind that the same time will be needed by detecting software to discover the message. In most cases, pattern B will be good enough to minimize the risk of detection to a value close to 0, and pattern C gives almost certainty (assuming an oblivious scenario where the attacker does not expect a secret message in the traffic). To show the magnitude of different ranges, the visual representation is presented in Figure 2.

Finally, since the ranges 1, 5s − 13, 9s (C) and 15, 4s − 140, 8s (D) can be seen to be quite wide, we can introduce subclasses like 0YZXXXXX where Z can be only certain digits, e.g., 5 − 9, and by that control the time even more strictly.

In this paper, we analyzed the problems of randomization or encryption of messages as separate but similar concepts but consider them in the context of hiding information. Moreover, we propose a scheme that avoids key exchange, which is inspired by proof-of-work approaches and comes at the cost of “key mining” on the covert sender or receiver side. To reduce computational effort without compromising the randomness of the resulting message, we also introduce a mechanism that substitutes symmetric block encryption algorithms with T-functions. Finally, we implement both solutions, and based on the results of the performance evaluation, we show that randomization without encryption can be achieved at a smaller cost.

Our future work will be focused on the following areas:

• exploring more schemes with proof-of-work both on the covert sender and covert receiver side,
  
• exploring other Blockchain-related techniques (e.g., Smart Contracts) including leveraging Blockchain platforms themselves,
  
• exploring other available hashing, cryptographic, and PRNG functions for this purpose,
  
• performing more experiments to characterize better performance differences,
  
• presenting a more in-depth analysis of the obtained output leveraging, e.g., AI techniques.