Cryptographic Scheme for Group Passwords Distribution in Steganographic Systems

When a secret communication channel is used, hidden data are transmitted to a group of users. Sometimes it is necessary to send a message via the hidden channel only to a given subgroup of participants. The purpose of this work is to build a cryptographic protocol that provides the exchange of group passwords while hiding the fact that secret messages are transmitted. A centralized password management system is used. Passwords for user groups are dispatched by distributing the data necessary for solving a system of equations; the roots of this system are used by the users to calculate the group password. The proposed scheme is based on linear algebra and cryptography. A third party is not able to solve this system of equations, which is proved by the Kronecker-Capelli theorem. It is assumed that the protocol can be actively used in steganographic systems where there is one source of messages and many receivers.


I. INTRODUCTION
When subscribers choose communication channels for transmitting data of commercial value, they pay great attention to information security issues. In some cases it is enough to restrict access to the data using a secret key; such a task can be solved successfully with cryptographic methods.
The classic cryptography problem was formulated in [1], [2] and involves two participants who exchange messages: Alice and Bob. In particular, the main problem in the theory of cryptography is restricting access to data transmitted over an insecure communication channel by using a secret key known only to the sender and the addressee. One of the important tasks solved in cryptography is exchanging passwords between subscribers via an insecure communication channel.
The solution of this problem was first proposed in [3]. With the explosive development of communication networks, methods have emerged that organize the exchange of secret messages among a large number of participants.
For example, the threshold secret sharing scheme proposed in Shamir's paper [4] allows subscribers to use a secret if a quorum is present. Consider this scheme in more detail. Let there be a group of n users, and let the secret be reproducible from the shares of k users, where k ≤ n. The technique is to construct a polynomial of degree k − 1 whose constant term $d_0$ is the secret (see (1)). Every participant has one point of the polynomial curve. According to the basic theorem of algebra that asserts the existence and uniqueness of the solution, k users can interpolate the polynomial of degree k − 1 and find the secret term $d_0$,
where p is a prime number. While the number of users is less than k, the task has many equally probable solutions, which does not allow a brute-force attack on the scheme.
In [5], a secret key sharing scheme was proposed based on a modification of the Diffie-Hellman algorithm. A trusted authority chooses prime numbers $p_i$ for all r users such that the values $(p_i - 1)/2$ are odd and pairwise coprime. The choice is made so that a discrete logarithm modulo p can be calculated in reasonable time. Then the trusted authority computes the product $m = p_1 \cdot p_2 \cdot \ldots \cdot p_r$ and determines an element g in a special way, with $1 < g < m - 1$. When a user A wants to join the system, he provides his identifier $ID_A$ and receives from the system $s_A = t \cdot \log_g(ID_A^2) \pmod{\varphi(m)}$, where t is a random coefficient and $\varphi$ is the Euler function. When the complete factorization of m is known, it is simple to calculate the discrete logarithm using the Chinese remainder technique [6].
A predetermined cipher is used to send an encrypted message to a user B with the key $K_{AB} = (ID_B)^{2 s_A} \pmod m$. The user B receives the pair $ID_A$, ciphertext, calculates the symmetric encryption key and decrypts the ciphertext.
In the scientific literature, for instance in [7], more complex secret sharing schemes for a group of users are described, in which some malicious participant exchanges messages and tries either to disturb the secret sharing process or to collect additional knowledge about the secret parameters of other participants.
When exchanging messages via an insecure communication channel, it is sometimes necessary to hide from third parties the fact that a message is transmitted at all. In particular, the information security policy of a company may prescribe hiding emergency reserve channels. For example, if the known channels are the target of a distributed denial of service (DDoS) attack [8], the company can communicate with its branches via the reserve channels, thus ensuring the survivability of its management system.
The latter problem can be effectively solved with steganography methods [9]. To hide the fact that a secret message is transmitted, a user chooses a data object, the so-called container, that looks harmless (not attracting the attention of third parties). With the help of special algorithms, the user embeds the secret message into the container and transmits it via an insecure communication channel. The transmission of the container does not cause any suspicion. Steganographic algorithms have properties that prevent third parties from successfully analyzing the container, so it is impossible to say definitely whether secret data is present or absent.
It should be noted that any secret message is encrypted before embedding into a container. The encryption is necessary so that a third party that is able to extract the message cannot perform an effective steganalysis. Otherwise, the presence of a meaningful message in the container immediately reveals the fact of the secret message transmission. The container and the embedding method are selected so that a message extracted from an empty container is statistically indistinguishable from an encrypted message (i.e. a message from a filled container), which ensures robustness against analysis.
In modern steganography methods there is always a balance between secrecy (the probability that the secret data is transmitted without detection by a third party) and transmission speed, and secrecy is of paramount importance. A number of methods described in [10]-[12] provide secrecy by imitating the statistical properties of an empty container, either by adding redundancy to a message or by filling a container incompletely. This strategy always entails a reduction in the data transmission speed.
With a large number of users and a fixed level of secrecy, the speed of data transmission becomes important. This paper is devoted to constructing a protocol for distributing group passwords in a steganographic system. Unlike previously known password exchange schemes, this one is designed for steganographic systems and includes a coordinator who is the source of messages. The developed algorithm can easily be adapted to a usual cryptographic system where there is no requirement to conceal the secret data transmission.

II. THE PROBLEM FORMULATION
The scheme proposed in this article is described as follows. Let $A_N$ be a set of N subscribers. There is a single coordinator-subscriber among them, Alice, who coordinates the work of the other subscribers and is the main source of hidden messages (the number of messages transmitted from Alice to the other subscribers overwhelmingly exceeds the number of remaining messages). There is a third party, Eve, who can analyze all transmitted messages. The task is to organize a hidden process of transmitting secret messages from Alice to the other subscribers via an insecure communication channel.
Let us denote by $G_M$ a group of M subscribers such that $G_M \subseteq A_N$. In practice, the new scheme can be used by a parent company to distribute secret instructions or information to its branches. For example, the parent company embeds secret messages in video files (for example, advertisements) and puts them in open access on some public hosting or cloud. From the point of view of unauthorized persons, the video files do not contain any secret information. Subscribers can extract messages, but only the group (for example, a branch) that has the key for the given message in the container can read it, i.e. Alice originally intended the message for a specific group. Now we fix the following requirements for the new scheme (hereinafter just the Requirements):
1) Messages are transmitted using the specified steganography and cryptography methods. A hidden message embedded in the container has previously been encrypted with a key (the so-called group key) known to Alice and to the group of subscribers $G_M$ for whom the message is intended.
2) The composition of groups is changed by the decision of Alice, and the composition of groups is not known in advance.
3) A subscriber is allowed to belong to several groups at the same time.
4) A subscriber or group is identified by a certain natural number (id).
5) Data transmission from subscribers to Alice, inside or between groups, is performed using previously known schemes and is not considered in this paper due to its small share in the total number of transmitted messages.
6) A transmitted container has a time stamp of its construction.
7) In the general case, a message in a container consists of two parts of varying sizes:
• service information, which defines new group compositions and their passwords;
• useful information that needs to be transmitted to a group.
8) Each subscriber has a personal password, known only to him and Alice.
9) The group password can be calculated by all subscribers included in the group.
10) Any subscriber not included in the group cannot calculate the group password.
11) Any subscriber, except Alice, cannot calculate the personal password of another subscriber.
12) Alice knows all encryption keys of all subscribers and is able to reproduce all calculations of any subscriber.
13) Alice is not included in any of the groups.

III. PROPOSED SCHEME
In this section, we describe the preliminary preparation of subscribers, performed before the data transmission. First, subscribers choose a large prime number p. Secondly, an applicable function h(x) is specified. The scheme provides several options for this function h(x): a cryptographic hash function, a pseudo-random number generator initialized by the parameter x, or a block cipher that encrypts a predetermined sequence with the key x. Thirdly, subscribers prepare the following keys, which subsequently do not change:
• a key for service information, Commonkey, that is set by Alice and is known to all subscribers in the system. This key is necessary to prevent Eve from revealing the fact of the secret message transmission;
• a subscriber's personal key, chosen by the subscriber. In addition to the subscriber, the key is known to Alice (see clause 12 of the Requirements).
The process of preparing and distributing keys between Alice and the other subscribers at this stage is carried out by previously known algorithms and lies outside the framework of the proposed scheme. At the next stage, Alice sequentially performs the following steps: determining the group membership and calculating the group password. Next, she forms, encrypts and embeds the message into the container and transmits it to the other subscribers via an insecure communication channel.
Let us consider the process of group password calculation in more detail. Let the group consist of k subscribers. Alice calculates the current keys $X_{id}$ for each subscriber of the group by using (2) and (3),
where id is the subscriber identifier, such that 1 < id < p − 1, and time is the time stamp of the container (see clause 6 of the Requirements).
$F(time, key_{id}) = time^{key_{id}} \bmod p$ (3)
Then Alice calculates the values $B_i = X_{id_i} \oplus X_{id_{i+1}}$, where $id_i$ is the identifier of the i-th subscriber of the group when the identifiers are sorted in ascending order. Further, the composition of the group (to which the message is intended) and the set of numbers $B_i$ that the subscribers need for calculating the group password are recorded in the service part of the message. The service part is encrypted with the Commonkey password. The useful part of the message is encrypted with the key $Gpwd_{id}$ according to (4). Then the entire message is transmitted to the subscribers using the previously selected steganographic algorithm (see clause 1 of the Requirements). The subscriber, after receiving the container, extracts the message and decrypts its service part with Commonkey. If the subscriber is in the group, he performs the following actions:
1) Calculates his own current key $X_{id}$ by using (2) and (3).
2) Composes a system of linear equations and calculates the current keys of the other subscribers.
There are two variables in every equation of the system. The equations consist of the current keys of the subscribers included in the group and are written into the system in ascending order of subscriber identifiers ($id_1 < id_2 < \ldots < id_{k-1}$). The second variable of every equation (except the last one) always coincides with the first variable of the subsequent equation in the system. Thus, having received the set $B_i$ from Alice and knowing his own current key, each subscriber who is in the group is able to calculate the remaining current keys of the other subscribers.
3) Calculates the group key $Gpwd_{id}$ by multiplying all previously computed current keys of the group's subscribers according to (4).
To simplify perception, we give a simple example. Suppose there are 5 subscribers and Alice as coordinator. Alice sends a message M to subscribers 1, 2, 3 and 5; subscriber 4 is not in the group. In the service part of the message Alice sends the composition of the group, for example in the form of a bit string, together with the values $B_i$: {"11101", $B_1$, $B_2$, $B_3$}, and sends the message M encrypted with the group key in the useful part. Note that in the bit string "1" denotes a subscriber in the group and "0" otherwise. Each subscriber performs the following steps; for example, consider the actions of subscriber 5. He calculates the value $X_5$ according to (2) and (3), then composes the system of linear equations.
Having the value $B_3$ and his own current key $X_5$, the subscriber computes $X_3$, then in the same manner the other current keys ($X_2$ and $X_1$) of the other subscribers. The system of equations always has a solution, since Alice has previously calculated the $B_i$ values using the actual current keys. The subscriber obtains the group key by using (4) and decrypts the message M. It should be noted that subscriber 4, who is not in the group, cannot solve the system of equations knowing only the $B_i$ values; this is explained in more detail in Sect. V.

IV. DESCRIPTION OF THE GROUP MANAGEMENT
It is clear that with an increase in the number of subscribers some difficulties may arise with indicating a group composition. The amount of data transmitted in a container is limited, and increasing the service part of a message always comes at the expense of the useful part. The scheme proposed in this paper allows us to unite not only single subscribers but also previously created groups.
Consider the system (6). Here each value $X_{id}$ is the current key of a subscriber. The scheme also provides for a current key of a group, whose value is calculated by the following: where Gr is a group identifier. Identifiers of both groups and subscribers are natural numbers in the interval (1; p − 1) and differ only in their values.
The values of the current keys $X_{Gr}$ of a group are constant while the group membership does not change. These keys are used in the system (5) in the same way.
Let us call a participant one subscriber or subgroup that takes part in receiving a message. To add a new participant to an existing group, the following actions are performed. Alice sends to the subscribers the identifiers of the group and of its new participant to be merged, and one value $B = Gpwd_{old} \oplus X_{add}$, where $Gpwd_{old}$ is the value of the group key and $X_{add}$ is the current key of the new participant. Using the value B received from Alice, the group calculates $X_{add}$ and the new group key $Gpwd_{new}$ by (8). The new participant calculates $Gpwd_{old} = B \oplus X_{add}$ and $Gpwd_{new}$ in the same way.
$Gpwd_{new} = Gpwd_{old} \cdot X_{add} \bmod p$ (8)
Removal from the group is performed by constructing a new group in which some of the participants are missing. Since the original group may contain a large number of subscribers, constructing a new group with only a slight decrease in its size requires transmitting a large amount of service information, which decreases the size of the useful information. In this regard, it is more rational to construct a large group from smaller subgroups; in that case the share of service information can be significantly reduced.
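The chain of $B_i$ values from Section III and the add-participant step of Section IV, as an added illustration that is not part of the paper: Alice publishes the $B_i$, a member recovers every current key from its own one, an outsider is left with one free variable, and a new participant is merged with (8). Assumed: p is the prime $2^{61} - 1$; (3) is taken as printed; (2) is not on the page, so the current key is modelled here as $X_{id}$ = SHA-256(id || F(time, $key_{id}$)) mod p; personal keys and the time stamp in the test are constructed values.

```python
# Toy model of the group-password scheme (Sections III and IV); not the paper's code.
# Assumptions: p = 2^61 - 1; equation (3) as printed; equation (2) is absent from
# the page and is modelled as X_id = SHA-256(id || F(time, key_id)) mod p.
import hashlib
from functools import reduce

P = (1 << 61) - 1  # assumed prime modulus


def F(time: int, key: int) -> int:
    return pow(time, key, P)  # equation (3): time^key_id mod p


def current_key(sub_id: int, personal_key: int, time: int) -> int:
    # Assumed form of (2): hash the identifier together with F so that equal
    # personal keys do not produce equal current keys (cf. clause 11 and Sect. V).
    digest = hashlib.sha256(f"{sub_id}:{F(time, personal_key)}".encode()).digest()
    return int.from_bytes(digest, "big") % P or 1  # non-zero, so the product in (4) is usable


def group_key(current_keys) -> int:
    return reduce(lambda a, b: a * b % P, current_keys, 1)  # equation (4)


def alice_service_part(group_ids, personal_keys, time):
    # Alice knows all personal keys (clause 12) and emits B_i = X_{id_i} xor X_{id_{i+1}}
    # for identifiers sorted ascending; the group key is returned only for checking.
    ids = sorted(group_ids)
    x = {i: current_key(i, personal_keys[i], time) for i in ids}
    b = [x[ids[i]] ^ x[ids[i + 1]] for i in range(len(ids) - 1)]
    return ids, b, group_key(x[i] for i in ids)


def member_recover(own_id: int, own_x: int, ids, b) -> int:
    # A member fixes one variable (its own X) and walks the chain of B_i both ways.
    x = {own_id: own_x}
    pos = ids.index(own_id)
    for i in range(pos, len(ids) - 1):      # forward:  X_{i+1} = B_i xor X_i
        x[ids[i + 1]] = b[i] ^ x[ids[i]]
    for i in range(pos - 1, -1, -1):        # backward: X_i = B_i xor X_{i+1}
        x[ids[i]] = b[i] ^ x[ids[i + 1]]
    return group_key(x[i] for i in ids)


def outsider_chain(b, guess_first_x: int):
    # An outsider has k-1 equations in k unknowns: any guess for X_{id_1} yields a
    # full chain consistent with every B_i, so the B_i alone pin down nothing.
    chain = [guess_first_x]
    for bi in b:
        chain.append(bi ^ chain[-1])
    return chain


def add_participant(gpwd_old: int, x_add: int):
    # Section IV: Alice sends B = Gpwd_old xor X_add; (8) gives the merged key.
    return gpwd_old ^ x_add, gpwd_old * x_add % P
```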

V. DISCUSSION AND CONCLUSION
In this section we explain the selected algorithm parameters. The scheme is designed for a steganographic system. Classical algorithms such as Diffie-Hellman allow sharing passwords, but they explicitly reveal the fact that secret information is transmitted. The proposed scheme, by contrast, aims to create a secret communication channel. Using the personal passwords of subscribers would imply duplicating the data, encrypted for each subscriber separately, which would significantly increase the amount of transmitted data. With a small number of subscribers it is possible to foresee all possible compositions of the groups in advance and predefine passwords for them, but with a large number of participants this approach is ineffective.
The requirement for a container time stamp (clause 6 of the Requirements) is needed, when creating a group, to synchronize the computations of all participants calculating their current keys. The current key, which changes when a new group is constructed, prevents a third party from calculating the group key and allows the personal keys of subscribers to be kept secret. In practice, files always have a creation time stamp; therefore there is no need to additionally send any variable that performs the same function.
Note that the current key is calculated using (2) and (3). If only (3) were used, a violation of clause 11 of the Requirements would be possible: if group members found identical values of variables in the system of equations, this would definitely indicate a coincidence of personal keys, which is quite possible since subscribers choose their personal keys themselves. When (2) and (3) are used together, a coincidence of keys is random in nature and does not compromise the personal keys of subscribers.
Removing a participant from a group is implemented through the creation of a new group for the following reasons. Before removal, the participant knows all current keys in the group. Consequently, no new data received from Alice can remove him, since the excluded participant would be able to reproduce all calculations of the new group. A change of the current key of any member in the new group cannot be calculated by the other participants (in the new group) and requires additional data from Alice, equivalent in amount to the data for constructing a new group.
The proof of the security of the scheme is based on a corollary of the Kronecker-Capelli theorem [13]. For a group of k participants, the system always contains k − 1 linear algebraic equations in k variables (see (5)). Consequently, according to the above-mentioned theorem, the system is consistent and has many equiprobable solutions for a subscriber who is not in the group. The equiprobability of solutions (passwords) is a property of perfect secrecy. A member of the group, in contrast, is able to calculate his own current key, which is included in the system of equations, and then to find the remaining k − 1 variables and the group key.