Distributed data hiding in a single cloud storage environment

Distributed steganography is an approach to concealing the secret in several files, leaving fewer traces than the classical approach. Recent work by Moyou and Ndoundam has improved this approach by preserving the integrity of these files in a multi-cloud storage environment. However, the approach requires a large stego-key and the management of several cloud storage environments. Our contribution is to improve this approach by using a single cloud storage environment and reducing the size of the stego-key. In this work, a single cloud storage environment is used to solve the problems of managing several credentials, monetary costs and data controls associated with multi-cloud storage environments. The comparisons showed interesting results with simpler operations to be performed by the participants during the process.


Introduction
The protection of information has seen growing expansion over time, with the multiplication of intrusions and thefts of information targeting entities and institutions [1,2]. Thus, many security techniques have been set up to counter these attacks [3]. Two main techniques are associated: cryptography and steganography. Cryptography aims to make information unintelligible by transformation [4], while steganography seeks to conceal information in an inconspicuous way [5]. Steganography is mainly used in secret communications through an unsecured communication channel and a cover media. The most commonly used cover media are texts, images, sounds and videos [6][7][8][9].
When the scheme uses several cover media for the embedding of the secret, the approach is called distributed steganography [10]. In this approach, the secret is split into several shares that are then embedded into multiple carrier files. The main interest is to make the detection of the entire secret message extremely difficult. The embedding strategies used are based on the modification of each carrier file. However, these modifications can reveal the presence of a secret through methods of steganalysis [11]. The carrier files of the secret are generally stored in a cloud storage environment for integrity and confidentiality requirements after embedding of the secret [12].
Moyou and Ndoundam [13] have proposed a new paradigm of steganography transparent to any attacker and resistant to the detection and extraction of the secret. The secret was distributed in a multi-cloud storage environment through several file extensions, and the use of a multi-cloud storage environment made it possible to mask the presence of a communication channel between the communicating parties. The different files used were considered as pointers to the secret data and constituted elements of the stego-key. Thus the proposed approach involved: the management of several cloud storage environments, and a large stego-key due to different lists of files and different credentials for the cloud accounts.
In this paper, our contribution is to propose a new distributed data hiding scheme in a single cloud storage environment that improves the work done by Moyou and Ndoundam [13]. The goal is to avoid the management problems of multi-cloud storage environments and to reduce the large size of the stego-key. The technique uses a single cloud storage environment that provides a service of authenticity and confidentiality of files present in the cloud and masks the presence of a communication channel. The files do not undergo any modification during the steganographic process. The contribution of this work is focused on the following points:
• Managing the problems of multi-cloud storage environments by using a single cloud storage environment.
• Reducing the large size of the stego-key.
• Simple operations to be performed by the participants during the embedding and extraction of the secret.
The rest of this paper is organized as follows: "Presentation of distributed models in steganography" section presents related work on distributed steganography models and their limits. "Our contribution" section is devoted to our contribution on a new distributed data hiding scheme in a single cloud storage environment. The experimental results are presented in "Experimentation" section and finally "Conclusion" section is devoted to the conclusion.

Distributed steganography
Distributed steganography refers to the distribution of the secret into several parts which are then embedded into several cover media. In this approach, the secret is shared between several independent senders and a single receiver which receives the union of secret inputs in the communication [14]. The most commonly used cover media are images, for their large data redundancy. The process requires meticulous modifications of these images in order to go unnoticed by an unauthorized user in the communication [15]. The success of this approach lies in good visual imperceptibility and a sufficient amount of payload [16].
Visual imperceptibility lies in the undetectability of a communication, while the payload guarantees a large capacity of secret that can be concealed [17]. Several approaches use visual imperceptibility as an indicator of image distortion to avoid detection of a concealed secret message [18,19]. Other approaches use the distribution of the payload in the images [20,21], while hybrid approaches merge the features of several images [22] or combine the texture and payload associated with several images [23]. The interest of these approaches lies in a better resistance to blind universal pooled steganalysis compared to other existing approaches.
The intervention of several human resources in a distributed steganography process is also applied to secret sharing [24]. In this secret sharing scheme, the secret key is divided into several parts among a set of participants such that only a subset of these participants can reconstruct the secret key [25]. Thus, the system must define an efficient key sharing strategy between the participants in order to recover the target key. Counting-based secret sharing is presented as a promising approach to secret sharing that generates its shares using simple specific bit replacement operations. This has several application domains in securing sensitive bank accounts and error tracking, voting systems trust, medical agreements, wills and inheritance authentication management [26]. Several security improvements of the secret key have been proposed, modifying the share generation process [27][28][29]. The generated shares thus obtained improve the security of access to the system [30,31]. The generated secret keys are generally concealed in texts [32][33][34] and images [35,36] using steganographic schemes.
Distributed steganography presents an improvement on classical steganography by concealing the secret in multiple cover media, making detection of the secret extremely difficult. However, modifications made to the cover media present limitations when setting up a process of steganalysis of these media. Indeed, several works in steganalysis on images are able to detect the presence of a secret and extract it. In general, the process is categorized into two types. One is targeted while the other is blind. Targeted steganalysis refers to an attack on a specific secret embedding algorithm [37,38]. Blind steganalysis refers to an attack on several types of secret embedding algorithms, in which the goal is to classify the original files and stego files [39,40].

Distributed model of Moyou and Ndoundam
The distributed data hiding model in a multi-cloud storage environment proposed by Moyou and Ndoundam [13], presents a new paradigm of distributed steganography that preserves the integrity of the files carrying the secret. In this model, the secret is distributed in different multimedia files that carry information of the secret message without being modified. The different multimedia files are stored in different cloud environments that mask the presence of a communication channel. The sender conceals the secret in different cloud storage environments, while the receiver retrieves the secret based on the stego-key elements. The integrity of the files being preserved, the model is more robust against steganalysis processes.
Concretely, the secret message is encoded in a specific base. To each value of the encoded secret message is associated a file in a list contained in the stego-key; the associated files carry the information of the value of the encoded secret message without being modified. Then the files are deposited in different cloud storage environments by the sender. Each file thus deposited constitutes a pointer to the encoded secret message. Finally, since the two communicating parties have the same lists of files contained in the stego-key, it is enough for the receiver to retrieve the positions of the different files in the different cloud storage environments based on these lists. Thus, the receiver reconstitutes the encoded secret message and the initial secret message. In this model, the elements contained in the stego-key are:
• Cloud environments $c_0, c_1, \ldots, c_{n-1}$.
• Authentication for access to each cloud account $W_i$ (user name and password), such that $0 \le i \le n-1$.
In view of the elements contained in the stego-key, the limits of this scheme are the large size of the stego-key, related to the management of several cloud account credentials and several disjoint lists, and the problems of managing several cloud storage environments, such as: management of several cloud account credentials, monetary costs associated with cloud storage environments, and data controls in different multi-cloud environments [41][42][43]. These problems can result in difficulty of data control by the participants, due to the distribution of multimedia files in several cloud environments, and a high cost for the acquisition of different cloud accounts. So we are motivated to design a steganographic scheme that reduces the large size of the stego-key and uses a single cloud storage environment. The real need for this proposition lies in managing the problems of multi-cloud storage environments and in the reduced size of the stego-key. Indeed, in our proposed scheme, a single credential is used instead of several credentials, the cost associated with the cloud environments is reduced to one, and the control of data in the cloud storage environments is reduced to a single cloud.

Our contribution
The purpose of the proposed scheme is to improve the work done by Moyou and Ndoundam [13], while preserving the integrity aspect of multimedia files and the masking of a communication channel. This objective is achieved through the use of a single cloud storage environment and a reduced number of elements contained in the stego-key. The proposed scheme comes in 3 approaches, with modification of receiver information, in order to make detection of the secret in the cloud difficult for an attacker possessing the stego-key. The cloud makes it possible to conceal a secret message and to mask the presence of a communication channel, while the reduced number of elements in the stego-key reduces the operations performed by the participants.
The stego-key consists of the credential of a single cloud storage environment and the base used. It is exchanged before the start of the process during an encrypted communication or a physical meeting. An example of real use of the proposed scheme is a process of secret communication between two entities or institutions. Concretely, consider two entities A and B. Entity A uses the stego-key, consisting of the credential of a cloud storage environment and a base, to conceal a secret in several multimedia files contained in the cloud, the multimedia files preserving their integrity. Entity B logs in to the cloud storage environment and extracts the secret using the stego-key.

Notations and hypothesis
Table 1 gives the different symbols and their representations in the 3 proposed approaches.
Hypothesis
The cloud storage environment consists of a set of cover folders containing several multimedia files. The number of cover folders is at least equal to the size of the secret. The number of files in each folder is at least equal to the value of the base. The following relationships are checked in the cloud storage environment:

First approach
Overview
In this scheme, shown in Fig. 1, the secret communication process is described according to the following steps:
• The sender and receiver share the credential of a cloud account and the base used, before the communication.
• The sender encodes the secret in the base described in the secret key.
• For each value of the encoded secret, the file corresponding to this value in the folder at the position of this index is copied into a folder representing the stego-folder.
• Since the receiver shares the same secret key with the sender, it logs in to the cloud storage environment and searches for the correspondence between the files in the stego-folder and the files in the different cover folders. The receiver thus reconstructs the secret message based on this match.
The embedding and extraction algorithms are performed through the following elements:
• The cover object represents a multimedia file of any extension located in the cover folders of the cloud storage environment.
• The cover folders represent a set of multimedia files.
• The stego folder represents a set of multimedia files that conceal the secret.
• The secret message represents any message format encoded in a specific base.
• The secret key represents the elements shared between the sender and the receiver.
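The steps above can be followed end to end in the sketch below, an added Python example that is not the authors' code. A list of ordered file lists stands in for the cloud account; the folder names, file names and contents are constructed, and it assumes that digit i of the base-B encoding selects from cover folder i, that file contents are unique across cover folders, and that the formatted secret starts with a 1 bit. The `cut` mode anticipates the second and third approaches.

```python
def make_cover(n, base):
    """Constructed stand-in for the cloud account: n cover folders, `base` files each.
    Folder i is an ordered list of (name, content) pairs."""
    return [[(f"F{i}/file{j}.bin", f"folder {i} file {j}".encode())
             for j in range(base)] for i in range(n)]


def to_digits(bits, base, n):
    """Encode a binary string in `base`; digits[i] has weight base**i (assumed order)."""
    value = int(bits, 2)
    digits = []
    for _ in range(n):
        value, d = divmod(value, base)
        digits.append(d)
    if value:
        raise ValueError("secret needs more cover folders than are available")
    return digits


def embed(cover, bits, base, mode="copy"):
    """Sender side: for digit s_i, take file number s_i of cover folder i.
    mode='copy' leaves the cover folders intact (first approach);
    mode='cut' removes the chosen files from them (second and third approaches).
    File contents are never modified."""
    if any(len(folder) < base for folder in cover):
        raise ValueError("each cover folder needs at least `base` files")
    digits = to_digits(bits, base, len(cover))
    stego = [cover[i][d] for i, d in enumerate(digits)]
    if mode == "cut":
        for i, entry in enumerate(stego):
            cover[i].remove(entry)
    return stego


def extract(stego, reference, base):
    """Receiver side: match each stego file against the reference folders
    (the cover folders for approach 1, receiver-held lists for approaches 2 and 3).
    The exhaustive comparison mirrors the O(n^2 * B) matching cost given on the page."""
    value = 0
    for _, content in stego:
        match = next(((i, j) for i, folder in enumerate(reference)
                      for j, (_, c) in enumerate(folder) if c == content), None)
        if match is None:
            raise LookupError("stego file has no counterpart in the reference folders")
        i, j = match
        value += j * base ** i
    return format(value, "b")


if __name__ == "__main__":
    # Values of Example 1: s = 1010100, B = 8, three cover folders.
    cover = make_cover(3, 8)
    stego = embed(cover, "1010100", 8)
    print([name for name, _ in stego])
    print(extract(stego, cover, 8))

    # Cut mode with the values of Example 2: the receiver keeps lists copied beforehand.
    cover = make_cover(4, 4)
    lists = [list(folder) for folder in cover]
    stego = embed(cover, "10101100", 4, mode="cut")
    print(extract(stego, lists, 4))
```

In cut mode the cover folders shrink to B − 1 files each, so matching against the cloud copy raises `LookupError` while matching against the receiver's lists succeeds.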

Embedding
The embedding algorithm of the secret message performed by the sender is defined as follows:
IV Convert m to binary and get the secret message s;
V Delete the stego folderF;

Second approach
Overview
In this scheme, shown in Fig. 2, the receiver logs in to the cloud storage environment and copies the files from the cover folders into different lists before the secret communication. These lists of files make it possible to perform the correspondence with the files of the stego-folder, because the files in the cloud storage environment that conceal the secret are cut during the process. The aim is to prevent an attacker who gains access to the cloud storage environment from performing any correspondence with the files of the stego-folder. The secret communication process is described according to the following steps:
• The sender and receiver share the credential of a cloud account and the base used, before the communication.
• The sender encodes the secret in the base described in the secret key.
• For each value of the encoded secret, the file corresponding to this value in the folder at the position of this index is cut and moved into a folder representing the stego-folder.
• Since the receiver shares the same secret key with the sender, it logs in to the cloud storage environment and searches for the correspondence between the files in the stego-folder and the files in the different lists. The receiver thus reconstructs the secret message based on this match.
The embedding and extraction algorithms are performed through the following elements:
• The cover object represents a multimedia file of any extension located in the cover folders of the cloud storage environment.
• The cover folders represent a set of multimedia files.
• Lists of files held by the receiver.
• The stego folder represents a set of multimedia files that conceal the secret.
• The secret message represents any message format encoded in a specific base.
• The secret key represents the elements shared between the sender and the receiver.

Third approach
Overview
In this scheme, shown in Fig. 3, the lists of files held by the receiver are stored in an intermediate cloud storage environment. These lists of files make it possible to perform the correspondence with the files of the stego-folder, because the files in the cloud storage environment that conceal the secret are cut during the process. The aim is to secure the files held by the receiver in the intermediate cloud account. The secret communication process is described according to the following steps:
• The sender and receiver share the credential of a cloud account and the base used, before the communication.
• The sender encodes the secret in the base described in the secret key.
• For each value of the encoded secret, the file corresponding to this value in the folder at the position of this index is cut and moved into a folder representing the stego-folder.
• Since the receiver shares the same secret key with the sender and holds the credential of the intermediate cloud account, it logs in to the cloud storage environment and searches for the correspondence between the files in the stego-folder and the files in the lists of the intermediate cloud account. The receiver thus reconstructs the secret message based on this match.
The embedding and extraction algorithms are performed through the following elements:
• The cover object represents a multimedia file of any extension located in the cover folders of the cloud storage environment.
• The cover folders represent a set of multimedia files.

Embedding
The embedding algorithm of the secret message performed by the sender is defined as follows:

Extraction
The extraction algorithm of the secret message performed by the receiver is defined as follows:

Time complexity
In this subsection, we evaluate the time complexity of the 3 proposed approaches. We have a secret message $s$ distributed between $n$ cover folders, each folder containing at least $B$ files. For the embedding of the secret message, each index $s_i$ of the secret message $s$ encoded in base $B$ corresponds to a file in the cover folder $i$, the secret message $s$ comprising $n$ index positions. Moreover, the formatted secret message $s$ is converted into base $B$ in $O(\log_B(s))$.

Therefore, the time complexity of the approaches is $O(n)$.
For the extraction of the secret message, the correspondence between the files in the stego folder and the cover folders or lists is done in $O(n^2 * B)$, the lists comprising the same files as the cover folders. Moreover, the formatted secret message is obtained in $O(\log_2(s))$. Therefore, the time complexity of the approaches is $O(n^2 * B)$.

Experimentation
In this section we present an evaluation of the hidden bits capacity of our proposed schemes and the execution through 3 examples. Then we present a discussion of our work and finally a security analysis of our proposed schemes.

Evaluation of hidden bits capacity
The idea is to estimate the number of bits hidden in the cloud storage environment. Each folder in the cloud has a value in base $B$ and this value varies from $0$ to $B - 1$, so we have $B$ possibilities per folder. For the set of $n$ folders in the cloud, we have $B^n$ possibilities, so the number of hidden bits is: $\log_2(B^n) = n \times \log_2(B)$.

Examples
In this subsection, we describe in detail the processes of embedding and extraction of the secret on 3 examples, one for each approach presented. In these examples, the formatted secret messages have the values 1010100, 10101100, 10011 with the respective bases B = 8, 4, 3. The credentials of the cloud accounts used for each example are given in Table 2. In each example presented, the secret key consists of the credential of a cloud account and the base used.

Example 1
In this example for the first approach, the formatted secret message is s = 1010100 and the base used is B = 8. The cloud storage environment presented in Table 3 consists of 3 folders (F(2), F(1), F(0)), with 8 multimedia files in each folder.
The steps for the embedding of the secret message are as follows:
The stego folder folderF:
file 0: learning.docx
file 1: french.pdf
file 2: article.txt
The steps for extraction of the secret message are as follows:
• Step 1: i = 0; // first file of the stego folderF
2 , the secret message s = $(1010100)_2$ is retrieved;
• Step 5: Delete the stego folderF;

Example 2
In this example for the second approach, the formatted secret message is s = 10101100 and the base used is B = 4. The cloud storage environment presented in Table 4 consists of 4 folders (F(3), F(2), F(1), F(0)), with 4 multimedia files in each folder.
The steps for the embedding of the secret message are as follows:
The stego folder FolderF:
file 0: steganalysis.pdf
file 1: statistics.xlsx
file 2: english.pptx
file 3: presentation.pptx
The steps for the extraction of the secret message are as follows: The receiver holds a copy of the files of the cover folders located in the cloud environment OneDrive. Table 5 presents the lists of files resulting from this copy. The correspondence with the files in the stego folder is made on these lists, because these files have been cut from the cover folders of the cloud environment.

Example 3
In this example for the third approach, the formatted secret message is s = 10011 and the base used is B = 3. The cloud storage environment presented in Table 6 consists of 3 folders (F(2), F(1), F(0)), with 3 multimedia files in each folder.
The steps for the embedding of the secret message are as follows:
The stego folder FolderF:
file 0: css.pdf
file 1: java.pdf
file 2: php.xlsx
The steps for the extraction of the secret message are as follows: the receiver holds the credential of an intermediate cloud account (Dropbox), which contains a copy of the files of the cover folders of the cloud environment Google Drive. The Dropbox cloud has the login user4@gmail.com and the password password4. Table 7 presents the lists of files in the intermediate cloud environment resulting from this copy. The correspondence with the files in the stego folder is made on these lists, because these files have been cut from the cover folders of the cloud environment.

Discussion
The different approaches proposed present steganographic schemes of secret distribution in a single cloud storage environment. The cloud environment presents a set of files distributed by folder that makes it possible to conceal a secret message while preserving the integrity of the files that conceal the secret. The set of files distributed by cover folder and the single cloud environment make it possible to reduce the size of the key and the management of several cloud environments required in the approach proposed by Moyou and Ndoundam [13]. Tables 8 and 9 give a comparison between our 3 approaches and Moyou and Ndoundam's approach [13] based on keys, management of the cloud storage environment and receiver elements.
In these tables, the elements common to each approach represent the key shared between the sender and the receiver before the process. In Moyou and Ndoundam's approach [13], the key consists of k lists, n cloud account credentials and the base B used, each list comprising B files. We count n + k * B + 1 elements in the key. In our proposed approaches, a single cloud account credential and the base B are the elements of the key. Therefore, the size of the key is reduced to 2 elements in our approaches.
The files duplicated in the same cloud represent the copy of the files that conceal the secret in the same cloud environment. In approach 1, a copy of the files that conceal the secret is made in the cloud environment, while in approaches 2 and 3 the files are cut in the cloud environment. These files, copied or cut after a series of correspondences with the encoded secret, represent the operations performed by the sender. In Moyou and Ndoundam's approach [13], the operations performed by the sender are: the encoding of the secret in a base, the partitioning of the secret according to different cloud environments, identification in different cloud environments, and transmission of a set of files to different cloud environments based on lists of files in the key. We denote the following elements: a secret message s distributed among n cloud storage environments or cover folders, a base B, and k file lists each with B files per list. Moyou and Ndoundam's approach [13] requires a time complexity of O(n * k) on the sender side, with n representing the different cloud storage environments, while our approaches require a time complexity of O(n), with n representing the different cover folders.
The files duplicated at the receiver represent a copy of a set of files of the cloud environment in different lists and in an intermediate cloud environment. In approach 1, no copy of the files is made at the receiver because the files that conceal the secret are duplicated in the cloud environment for matching. In approaches 2 and 3, a copy of the files is made at the receiver for matching because the files have been cut in the cloud environment. In Moyou and Ndoundam's approach [13], the operations performed by the receiver are: the identification in different cloud environments, the matching of each file in the cloud environments with the lists of the files of the key, and the calculation of the formatted secret message. Thus, in our approaches, since the operations of correspondence and calculation of the formatted secret message are also performed, the main gain lies in the identification of a single cloud account at the receiver.

Security analysis
In this subsection, we present different attack schemes of a spy on the proposed approaches based on two main hypotheses. Hypothesis 1 describes the case where the spy does not have access to the key and therefore cannot access the cloud environment, while in hypothesis 2 the spy has access to the key and therefore to the cloud environment.
Hypothesis 1: In the 3 approaches presented, no detection or extraction of a secret is possible, because access to the cloud environment is impossible for the spy.
Hypothesis 2: In the first approach, the spy has access to the cloud environment and will be able to perform the correspondence between the files of the stego folder and the files of the cover folders. This matching is possible because the files that conceal the secret are duplicated in the cloud environment. For each file listed in the stego folder, the spy will have to perform O(n * B) browse and comparison operations on the files of the cover folders in the case of an exhaustive search.
In the second approach, the spy has access to the cloud environment but will not be able to perform the correspondence between the files of the stego folder and the files of the cover folders. This matching is not possible because the files that conceal the secret have been cut in the cloud environment. For each file listed in the stego folder, the spy will have to perform O(n * (B − 1)) browse and comparison operations, without success, on the files of the cover folders in the case of an exhaustive search. The matching is only performed by the receiver, which holds the files of the cover folders in different lists.
In the third approach, the spy has access to the cloud environment but will not be able to perform the correspondence between the files of the stego folder and the files of the cover folders. This matching is not possible because the files that conceal the secret have been cut in the cloud environment. For each file listed in the stego folder, the spy will have to perform O(n * (B − 1)) browse and comparison operations, without success, on the files of the cover folders in the case of an exhaustive search. The matching is only performed by the receiver, which holds the files of the cover folders in an intermediate cloud environment.
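Seen from the side of whoever audits the storage account, the difference between the copy and cut variants under Hypothesis 2 is whether byte-identical duplicates exist. The added Python example below (not the authors' code) indexes a folder listing by SHA-256, a swapped-in technique replacing the exhaustive comparison, and flags folders in which every file has an identical twin elsewhere. The store layout, folder names and file contents are constructed.

```python
import hashlib
from collections import defaultdict


def audit_duplicates(store):
    """store: {folder: {filename: bytes}}.
    Return {folder: {filename: [(other_folder, other_name), ...]}} for every
    non-empty folder whose files ALL have a byte-identical twin in another folder."""
    by_hash = defaultdict(list)
    for folder, files in store.items():
        for name, content in files.items():
            by_hash[hashlib.sha256(content).hexdigest()].append((folder, name))

    suspects = {}
    for folder, files in store.items():
        twins = {}
        for name, content in files.items():
            digest = hashlib.sha256(content).hexdigest()
            others = [loc for loc in by_hash[digest] if loc[0] != folder]
            if not others:
                break  # at least one file is unique: not a pure duplicate folder
            twins[name] = others
        else:
            if files:
                suspects[folder] = twins
    return suspects


def sample_store(cut):
    """Constructed listing: two cover folders of three files each, with one file
    per cover folder placed in a third folder (copied, or cut when cut=True)."""
    store = {f"cover{i}": {f"doc{i}{j}.txt": f"content {i}-{j}".encode()
                           for j in range(3)} for i in range(2)}
    picks = [("cover0", "doc02.txt"), ("cover1", "doc11.txt")]
    store["stego"] = {name: store[folder][name] for folder, name in picks}
    if cut:
        for folder, name in picks:
            del store[folder][name]
    return store


if __name__ == "__main__":
    # Copy variant: the stego folder is flagged and each file points to its source.
    print(audit_duplicates(sample_store(cut=False)))
    # Cut variant: no duplicates remain in the account, so nothing is flagged.
    print(audit_duplicates(sample_store(cut=True)))
```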

Conclusion
In this paper, we proposed three steganographic schemes distributed in a single cloud environment, which improve the work proposed by Moyou and Ndoundam [13] with regard to the management problems of multi-cloud environments and the large size of the key used in that approach. In this work, the single cloud storage environment presents a set of files distributed by folder, making it possible to: conceal a secret message while preserving the integrity of the files that conceal the secret message, mask the presence of a communication channel during the process, and reduce the size of the key by using a single cloud account credential and no file in the parameters of the key. The experiments showed that for k lists of files, n cloud accounts and a base B used, we count n + k * B + 1 elements in the key for Moyou and Ndoundam's approach [13], while only 2 elements are required in our approaches, namely the base used and the credential of a cloud account. The work showed interesting comparisons with simpler operations to be performed by the participants during the embedding and extraction of the secret. This work is part of the research on a distributed steganography paradigm using the concept of indirection on different multimedia files. Future improvements of the scheme will be to take no element in the key and to propose other, more robust schemes in case a spy gains access to the cloud environment.
Table 9 Comparison of our approaches and Moyou and Ndoundam's approach based on the number of elements of the key and the elements of the receiver