Stego key recovery method for F5 steganography with matrix encoding

When embedding secret message into image by steganography with matrix encoding, there are still no effective methods to recover the stego key because it is difficult to statistically distinguish the stego coefficient sequences selected by true and false keys. Therefore, this paper proposes a method for recovering the stego key of a typical JPEG (Joint Photographic Experts Group) image steganography—F5 which composes of the check matrix and shuffling key. Firstly, the check matrix is recovered based on the embedding ratio estimated by quantitative steganalysis. The shuffling key is then recovered based on the distribution difference between the bit sequences extracted by the true and false shuffling keys. Additionally, the cardinality of the shuffling key space is significantly reduced by examining the extracted encoding parameter and message length. Experimental results show that the proposed method can recover the stego key accurately and efficiently, even when the existing Xu’s method fails for the high or very low embedding ratio.

(2020) 2020: 40 Page 2 of 17 residuals to estimate the rough sequence of stego positions when owning enough stego images embedded messages of different sizes along the same path [18]. In 2019, Yang et al. proposed a locating methodology based on quantitative steganalysis for this case [19].
Recently, Wang et al. proposed a payload locating method based on co-frequency subimage filtering for a category of pseudo-random JPEG image steganography, such as JSteg and F5 steganography [20]. (2) In the case of that the investigator owns a single stego image, in 2012, Quach proved that the modified pixels in a stego image can be located with a lower error rate if enough independent non-random discriminant functions can be used [21]. Then, Yang et al. fused spatial and wavelet filtering results to locate the modified pixels of LSB matching steganography [22]. (3) In the case of that the investigator knows the embedding position generator, Zhang et al. proposed three attack algorithms to recover the stego key of LSB steganography if the carrier is known or reused [23]. Fridrich et al. used χ 2 testing to recover the stego key of LSB steganography if the carrier is unknown [24,25].
Later, Zhang et al. and Liu et al. used the single-key collision attack algorithm to recover the stego key of LSB steganography [26][27][28]. Yang et al. recovered the stego key based on the optimal stego subset property of MLSB (multiple least significant bits) steganography [29]. Xu and Liu et al. utilized the statistical differences between the quantized DCT (discrete cosine transform) coefficients and the distribution differences between the extracted message bits to recover the stego key of some typical steganography algorithms, such as OutGuess, JPEG domain random LSB matching, and F5 steganography without matrix encoding [30,31]. Additionally, some quick stego key recovery algorithms have been proposed for specific carriers or embedding position generators [32,33]. (4) In the case of that the secret message is embedded into an image sequentially using an encoding algorithm, Chen et al. proposed a differential attack for matrix embedding under the chosen stego condition [34]. Luo et al. proposed a message extraction algorithm for HUGO (highly undetectable stego) steganography with STC (syndrome-trellis codes) based on blind coding parameters recognition when the embedded message is plaintext [35]. Gan et al. proposed an algorithm based on partially known plaintext to extract the encrypted file embedded by HUGO steganography when the file format name and message length have been embedded without encryption [36]. In a word, the existing algorithms perform well for above four cases. However, when an encoding algorithm is used to embed the secret messages into pixels or coefficients pseudo-randomly selected from an image, there are still no effective algorithms which can extract the secret messages.
F5 steganography is a typical algorithm which uses matrix encoding to embed messages into the pseudo-randomly shuffled DCT coefficients [37]. This paper proposes a stego key recovery method to recover the check matrix and shuffling key of F5 steganography. Firstly, according to the characteristic of the matrix encoding used in F5 steganography, the check matrix is recovered based on the embedding ratio estimated by quantitative steganalysis. The shuffling key is then recovered based on the difference between the distributions of bit sequences extracted by true and false shuffling keys. Additionally, the cardinality of the shuffling key space is reduced by examining the extracted encoding parameter and message length. Experimental results show that the proposed method can accurately and effectively recover the stego key containing the check matrix and shuffling key. 2 Related work-F5 steganography F5 steganography is a typical JPEG image steganography algorithm proposed by A. Westfeld. The modification pattern in F5 steganography is very simple, but its optimality has been proved under the condition that one cannot obtain the DCT coefficients before quantization [38]. The matrix encoding was firstly introduced into steganography by A. Westfeld to design F5 steganography and combined with shuffling to significantly improved the security. Additionally, F5 steganography embeds messages much faster than the new STC-based steganography. Because of above reasons, programmers have developed many steganography tools based on F5 steganography algorithm suitable for different operating systems such as Linux, Windows, and Mac. However, the existing many stego key recovery methods were just designed for the simplified F5 steganography without matrix encoding and can not distinguish true and false stego keys of F5 steganography with matrix encoding. Therefore, it should be valuable to recover the stego key of F5 steganography with matrix encoding. F5 steganography first shuffles the quantized DCT coefficients, and then uses matrix encoding technology to embed the secret message into the shuffled coefficients. The matrix encoding can be represented as (1, W , w), which denotes that w bits of the message are embedded into W (W = 2 w − 1) non-zero coefficients with at most one coefficient modified.
The embedding procedure of F5 steganography is as follows (see Fig.1).
1) Decode the given cover JPEG image to obtain the quantized DCT coefficients.
2) Generate a shuffling key from a given password and shuffle the coefficients obtained in step 1. 3) Count the available non-zero alternating current (AC) coefficients and compute the matrix encoding parameter w based on the number of available non-zero AC coefficients and the message length. 4) Embed 31 bits of metadata (matrix encoding parameter w and message length l ) into the shuffled non-zero AC coefficients. 5) Embed the message into the rest of the available non-zero AC coefficients by matrix encoding (1, W , w). 6) Inversely shuffle the stego quantized DCT coefficients to the original order. The extraction procedure of F5 steganography is as follows (see Fig.2).
1) Decode the given stego JPEG image to obtain the quantized DCT coefficients.
2) Generate a shuffling key from a given password and shuffle the coefficients obtained in step 1. 3) Extract the metadata (matrix encoding parameter c and message length l ). 4) Extract the embedded message by matrix decoding.
The following two characteristics of the quantized DCT coefficients will be maintained after embedding messages into an image by F5 steganography (see Fig.3).
(i) The quantized DCT coefficients with larger absolute values appear with lower frequency, so the bins of the quantized DCT coefficients with larger absolute values are smaller. (ii) As the absolute value of the quantized DCT coefficients increases, the frequency of the DCT coefficient decreases at a smaller rate. For example, the difference between two adjacent bins close to coefficient value 0 is greater than that between two adjacent bins far from coefficient value 0.
The above characteristics mean that the number of 1s in the LSBs of non-zero AC coefficients is greater than the number of 0s.

Method-stego key recovery method for F5 steganography
From Figs. 1 and 2, it is clear that the stego key of F5 steganography is composed of the shuffling key and the check matrix of matrix encoding. If one can obtain these two components, then the embedded message can be extracted. The brute force attack method tries all possible shuffling keys and check matrices, so it is highly inefficient. If the check matrix or shuffling key can be obtained before searching for another, then the time complexity could be reduced significantly. Following this thought, this section will present a stego key recovery method for F5 steganography with matrix encoding. The presented method contains two main procedures: recovery of check matrix and recovery of shuffling key, which are described in the following parts.
In order to simplify the description, the following symbols are defined firstly.

Recovery of check matrix in F5 steganography
During embedding, if F5 steganography modifies a coefficient with an absolute value of 1, one more non-zero AC coefficient is read and added to the buffer to form a new group of W coefficients. F5 steganography does not embed the message into the DC (direct current) coefficients. Therefore, one can compute the estimated capacity with no matrix encoding as follows: where h DCT denotes the number of quantized DCT coefficients in the cover image, h(0) denotes the number of AC coefficients equal to zero, h(1) denotes the number of AC coefficients with an absolute value of 1, h DCT 64 is the number of DC coefficients, and 0.51h(1) is the estimated loss due to shrinkage.
F5 steganography computes the modified position a i as follows: where the function bin2dec denotes the bitwise XOR (exclusive or) operation. If a i = 0, the selected ith group of non-zero AC coefficients should remain unchanged. If a i = 0, the a i th bit in C i should be changed to obtain the stego bit sequence. That is, On the receiving side, F5 steganography decodes the message bits as follows: From (4), it is apparent that the check matrix H w is determined by the parameter w and the elements in it. Fortunately, in F5 steganography, the elements in all positions of the check matrix H w are also determined by the parameter w as follows: where bit j, w − i + 1 denotes the (w − i + 1)th least-significant bit of the value j, 1 ≤ i ≤ w and 1 ≤ j ≤ 2 w − 1. For example, when w = 2, the check matrix is and when w = 3, the check matrix is Therefore, the recovery of check matrix in F5 steganography can be viewed as the recognition of the encoding parameter w. Because F5 steganography encodes message bits with as many available coefficients as possible, the parameter w should satisfy the following inequality: where r = l L . Therefore, we can adopt a quantitative steganalysis algorithm to estimate the embedding ratio in the stego image, then obtain the parameter w using (8). Currently, many quantitative steganalysis algorithms have been proposed for F5 steganography. For example, Fridrich et al. calibrated the given image to estimate the coefficient histogram of the cover image, and then used a least squares method to estimate the message length l [39]. Luo et al. improved the modification ratio estimation in Fridrich's algorithm based on relative entropy [40].
It can be found that the probability to successfully recover the check matrix depend on whether the message length can be estimated with error e =l − l in the range Thus, this further demonstrates that it is necessary to design more accurate quantitative steganalysis algorithm.

Recovery of shuffling key in F5 steganography
Recovering the shuffling key in F5 steganography involves distinguishing the true shuffling key k 0 from the key space. This section describes the principle to recover the shuffling key based on the distribution of the extracted message bits.
Firstly, the following symbols are defined: 1) Let u 0 denote the frequency of 0 in the bit sequence extracted from the non-shuffled DCT coefficients; 2) Let u 1 denote the frequency of 1 in the bit sequence extracted from the non-shuffled DCT coefficients; 3) Let I(k) denote the bit sequence extracted from the DCT coefficients shuffled by key k ; 4) Let p 0 (k, n) denote the frequency of 0 in the first n bits of I(k); 5) Let p 1 (k, n) denote the frequency of 1 in the first n bits of I(k).
The difference between the distributions of the message bits extracted by the true and false shuffling keys is analyzed as follows.
a) Statistical characteristics of message bits extracted by the true shuffling key. In F5 steganography, when the embedded message has been encrypted, it should be a stream of pseudo-random bits in which 0 and 1 appear with equal probabilities. Therefore, there should be p 0 (k 0 , n) ≈ p 1 (k 0 , n) ≈ 0.5n, where 0 < n ≤ l. b) Statistical characteristics of message bits extracted by the false shuffling key. When w = 1, the matrix encoding degrades to simple LSB embedding. From statistical characteristic (i) of the quantized DCT coefficients, one can infer that there should be more 1s than 0s in the LSBs of the non-zero AC coefficients of the stego image, i.e., u 1 > u 0 . When w ≥ 2, one can infer from statistical characteristic (i) that, in all groups of 2 w − 1 non-zero AC coefficients selected from the non-shuffled DCT coefficients, the groups whose elements' LSBs are all 1 will appear most frequently. Because the group (1, 1, . . . , 1) 2 w −1 will be decoded as there should be more 0s than 1s in the bit sequence extracted from the non-shuffled DCT coefficients, i.e., u 1 < u 0 . Because the secret message bits are pseudo-randomly spread across all non-zero AC coefficients, the distribution of the message bits extracted by the false shuffling key is similar to that of the message bits extracted from the non-shuffled image. Therefore, in the message bits extracted by the false shuffling key k, there should be p 1 (k, n) = u 1 , p 0 (k, n) = u 0 , and p 1 (k, n) = p 0 (k, n).
For example, when there are 5 coefficients whose LSBs are 1s and 1 coefficient whose LSB are 0s in a JPEG image, all of the possible stego bit sequences are showed in the following Table 1. It can be seen that there are 4 extracted message bit sequences where the number of 0s is more than half of the length. In a word, the distribution of the message bits extracted by the true shuffling key is different from that extracted by the false shuffling key. Therefore, we can use a nonparametric hypothesis testing to examine whether the message bits extracted by the test shuffling key conform to the distribution of the message bits extracted by the true shuffling key. Namely, the recovery of the shuffling key can be viewed as the testing with following hypothesis: where F 0 (x) is the distribution of the bit sequence I(k 0 ) extracted by the true shuffling key k 0 . Let f (x) denote the probability function of the distribution F 0 (x). Because the relative frequencies of 1 and 0 in I(k 0 ) are both approximately equal to 0.5, it holds that In the first n bits of the bit sequence I(k), the actual frequencies of 0 and 1 are np 0 (k, n) and np 1 (k, n), respectively. From (10), the true shuffling key k 0 produces theoretical frequencies of 0.5n for both 0 and 1. Thus, when the test shuffling key k is true, Pearson's theorem implies that the limit distribution of the following statistics is the χ 2 distribution with a single degree of freedom: The probability distribution function of the statistics is The true shuffling key k 0 will generate the small value of t(k, n) which would cause small value of p(k). In contrast, if k is a false shuffling key, the limit distribution of the statistics t(k, n) should not be the χ 2 distribution with one degree of freedom and generate a larger value of t(k, n) which would cause large value of p(k). Therefore, we attempt to search for the shuffling key k that generates a small value of t(k, n). Note that the search speed of the shuffling key is related to the number of samples n. Larger values of n will produce more accurate results, but reduce the search speed of the shuffling key. Thus, we need to find an appropriate value of n.
For the given significance level α, the threshold value T(α) of t(k, n) used to test the true and false shuffling keys should satisfy and the rejection region is (T(α), ∞). When the test key is the true shuffling key k 0 , the corresponding statistics t(k 0 , n) takes the smallest value over the whole key space and t(k 0 , n) < T(α). The statistics t k j , n of the false shuffling key k j j = 0 will be larger than T(α). Let = t k j , n − T(α) j = 0 denote the difference between the statistics t k j , n of the false key and the threshold value. Then, we obtain where > 0. Thus, the number of bits used should be It can be seen that there are two extreme cases in (15), viz. the case of the embedding ratio r → 1, and the case of the embedding ratio r → 0. In these two extreme cases, it is possible failure to recover the shuffling key.
1) As the embedding ratio r → 1, the characteristics u 0 → 0.5, u 1 → 0.5 and (15) would cause that n → ∞. Thus, the shuffling key would not be successfully recovered because of an insufficient number of samples. 2) As the embedding ratio r → 0, if the message length l is less than n, the shuffling key would not be successfully recovered. In the χ 2 testing, the number of samples belonging to each class should satisfy 0.5n ≥ 50 , so the number of samples used should satisfy n ≥ 100. (16) which also means that the message length l should be not smaller than 100 bits.
After shuffling the quantized DCT coefficients, F5 steganography embeds the metadata (matrix encoding parameter w and message length l) in the embedding procedure and extracts the metadata in the extraction procedure. The matrix encoding parameter w is determined by l and L using (8) and the message length l must not exceed L. Table 2 presents the performance results of matrix encoding with different encoding parameters. The value of w must be an integer in the range 1-9. Thus, if the parameter w k extracted by a test shuffling key k does not satisfy this criterion, this key must be false. We can use a quantitative steganalysis algorithm to estimate the embedding ratio l/L, and then obtain the parameter w. If w k = w, the tested shuffling key k also must be false. Additionally, if the message length l k extracted by shuffling key k is greater than the number of non-zero AC coefficients, the tested shuffling key k also must be false.

Description of stego key recovery method
In summary, the stego key of F5 steganography, composed of the shuffling key k 0 and the check matrix of matrix encoding H w , can be recovered as follows (seeing Fig.4).
1 Decoding: Decode the given stego JPEG image to obtain the quantized DCT coefficients and count the number of non-zero AC coefficients N AC =0 . 2 Estimate metadata and recover check matrix: Estimate the message length l using a quantitative steganalysis algorithm, and then determine the matrix encoding parameter w and the check matrix H w .  3 Count frequencies of 0s and 1s extracted from the non-shuffled DCT coefficients: Extract the bit sequence from the non-shuffled DCT coefficients and count the frequency of 0s in the extracted bit sequence, u 0 , and the frequency of 1s in the extracted bit sequence, u 1 . 4 Scan the shuffling key space: Examine each possible shuffling key k in the shuffling key space K through the following steps.
(a) Shuffle the coefficients obtained in step 1.
(b) Extract the matrix encoding parameter w k and the message length l k . (c) If w k = w and l k < N AC =0 , add k to the set of candidate shuffling keys, B ; otherwise, examine the next possible shuffling key.
5 Examine the set of candidate shuffling keys: If there is only one key in B, i.e., |B| = 1, the only key is regarded as the recovered shuffling keyk 0 .
6 Scan the set of candidate shuffling keys: If |B| > 1, compute the number of bit samples needed by the given significance level α and difference using (15), n, and then examine each candidate shuffling key k in B through the following steps.
(a) Count the number of 0s and the number of 1s in the first n bits of the bit sequence extracted by the possible shuffling key, i.e., p 0 (k, n) and p 1 (k, n). (b) Compute the statistics t(k, n) using (11).
7 Re-examine the set of candidate shuffling keys: If |B| = 1, the only key in B is regarded as the recovered shuffling keyk 0 . If |B| > 1, the key in B with the minimum statistics t(k, n) is regarded ask 0 . If |B| = 0, return -1 to denote that the process has failed to recover the shuffling key. 8 Return result: Return the recovered check matrix H w and shuffling keyk 0 as the recovered stego key.

Experimental results and analysis
In the proposed stego key recovery method, the value of is related to the cardinality of the shuffling key space, |K|, and the embedding ratio r. When the value of r is larger, the number of samples required, n, will be higher and the search speed will be slower. Therefore, the value of should be as small as possible. The experiments were performed  with different values of , starting from 0 and increasing in steps of 5, until the shuffling key had been identified or the number of samples exceeded the message length. Table 3 presents the experimental results for different embedding ratios, where "-" denotes that the number of samples exceeded the message length and "*" denotes that the value of makes the number of samples equal to the message length. From the results in Table 3, the following conclusions can be drawn.
As the matrix encoding parameter w increases, the modification ratio becomes smaller. This smaller modification ratio implies a smaller difference between the stego image and the cover image, and a smaller difference between the distributions of message bits extracted by the true stego key and the false stego key. Thus, more samples are needed to recover the stego key successfully. If the number of samples required exceeds the message length, the lack of available samples results in a failure to recover the stego key. For example, when w = 3, the modification ratio is 1/8 and the maximum embedding ratio is 3/7≈0.42. In this case, even when all of the extracted bit samples are utilized, this is still less than the number of samples required. Therefore, the stego key cannot be recovered successfully.
In the following, the proposed method is compared with the stego key recovery method proposed by Xu et al. [30] that is denoted as Xu's method.  Thus, Xu's method is more likely to fail because of less samples in each category. Therefore, when the embedding ratios are 0.004 and 0.005, Xu's method fails while the proposed method can recover the shuffling key successfully. Hence, the proposed method outperforms Xu's method [30]. 3) Comparison between the time complexities. Both Xu's method and the proposed method must search the given shuffle key space. Therefore, if the shuffling key space is fixed, the time complexities of the two methods are determined by the number of samples required. A larger number of samples would result in higher time complexity. When the numbers of samples required by the two methods are equivalent, Xu's method should extract n bits for each possible key in the shuffling key space. Its time complexity is n|K|. But the proposed method in this paper need to extract only 31 bits of metadata to determine the set of candidate shuffling keys B, then extract n bits for each candidate shuffling key. Thus, the time complexity of the proposed method is 31|K| + n|B|. Because the cardinality of B is usually much smaller than that of the shuffling key space, the time complexity of the proposed method is usually lower than that of Xu's method.

Conclusions
F5 steganography synthesizes matrix encoding and DCT coefficients shuffling, and takes the check matrix of the matrix encoding and a shuffling key as the stego key. However, previous stego recovery methods only work in the absence of matrix encoding. Therefore, this paper proposes a stego key recovery method to recover the check matrix and shuffling key. Firstly, the check matrix of the matrix encoding is recovered based on the embedding ratio estimated by quantitative steganalysis. The shuffling key is then recovered using a χ 2 testing and by examining the extracted metadata. Experimental results demonstrate the effectiveness and superiority of the proposed method over the existing stego key recovery method for F5 steganography-Xu's method. However, in STC-based steganography, multiple check submatrices are placed next to each other and shifted down by on row to generate the check matrix. The check submatrices could be generated by a key, and the decoded message bits are controlled by not only the check submatrix and stego bit subsequence in the corresponding positions, but also the check submatrices and stego bit subsequences in previous positions. Therefore, the proposed method can not directly applied to the recovery of the stego key for the STC-based steganography. And we will try to find the new property of the bit sequence decoded from the randomly shuffling coefficients to recognize the correct stego key.
Additionally, in the future work, we will try to locate the stego positions by machine learning and searching for similar images [41,42] and even consider the generation and operation history of the stego image [43][44][45].