Steganalysis of JPEG Images: Breaking the F5
Algorithm
Jessica Fridrich
1
, Miroslav Goljan
1
, Dorin Hogea
2
1
Department of Electrical and Computer Engineering, SUNY Binghamton, Binghamton,
NY 13902-6000, USA
{fridrich,mgoljan}@binghamton.edu
http://www.ssie.binghamton.edu/fridrich
2
Department of Computer Science, SUNY Binghamton, Binghamton, NY 13902-6000,
USA
dhogea1@binghamton.edu
Abstract. In this paper, we present a steganalytic method that can reliably
detect messages (and estimate their size) hidden in JPEG images using the
steganographic algorithm F5. The key element of the method is estimation of
the cover-image histogram from the stego-image. This is done by
decompressing the stego-image, cropping it by four pixels in both directions to
remove the quantization in the frequency domain, and recompressing it using
the same quality factor as the stego-image. The number of relative changes
introduced by F5 is determined using the least square fit by comparing the
estimated histograms of selected DCT coefficients with those of the stego-
image. Experimental results indicate that relative modifications as small as 10%
of the usable DCT coefficients can be reliably detected. The method is tested on
a diverse set of test images that include both raw and processed images in the
JPEG and BMP formats.
1 Overview of Steganography and Steganalysis
Steganography is the art of invisible communication. Its purpose is to hide the very
presence of communication by embedding messages into innocuous-looking cover
objects. In today’s digital world, invisible ink and paper have been replaced by much
more versatile and practical covers for hiding messages – digital documents, images,
video, and audio files. As long as an electronic document contains perceptually
irrelevant or redundant information, it can be used as a “cover” for hiding secret
messages. In this paper, we deal solely with covers that are digital images stored in
the JPEG format.
Each steganographic communication system consists of an embedding algorithm
and an extraction algorithm. To accommodate a secret message, the original image,
also called the cover-image, is slightly modified by the embedding algorithm. As a
result, the stego-image is obtained.
Steganalysis is the art of discovering hidden data in cover objects. As in
cryptanalysis, we assume that the steganographic method is publicly known with the
exception of a secret key. The method is secure if the stego-images do not contain any
detectable artifacts due to message embedding. In other words, the set of stego-
images should have the same statistical properties as the set of cover-images. If there
exists an algorithm that can guess whether or not a given image contains a secret
message with a success rate better than random guessing, the steganographic system
is considered broken. For a more exact treatment of the concept of steganographic
security, the reader is referred to [1–3].
The ability to detect secret messages in images is related to the message length.
Obviously, the less information we embed into the cover-image, the smaller the
probability of introducing detectable artifacts by the embedding process. Each
steganographic method has an upper bound on the maximal safe message length (or
the bit-rate expressed in bits per pixel or sample) that tells us how many bits can be
safely embedded in a given image without introducing any statistically detectable
artifacts. Determining this maximal safe bit-rate (or steganographic capacity) is a non-
trivial task even for the simplest methods. Chandramouli et al. [4] give a theoretical
analysis of the maximal safe bit-rate for LSB embedding in the spatial domain.
Recently, Fridrich et al. [5,6] derived a more stringent estimate using dual statistics
steganalysis.
The choice of cover-images is important because it significantly influences the
design of the stego system and its security. Images with a low number of colors,
computer art, images with a unique semantic content, such as fonts, should be
avoided. Aura [7] recommends grayscale images as the best cover-images. He also
recommends uncompressed scans of photographs or images obtained with a digital
camera containing a high number of colors, and considers them safest for
steganography.
The choice of the image format also makes a very big impact on the design of a
secure steganographic system. Raw, uncompressed formats, such as BMP, provide the
biggest space for secure steganography, but their obvious redundancy makes them
very suspicious in the first place. Indeed, some researchers do not consider those
formats for steganography claiming that exchanging uncompressed images is
“equivalent” to using cryptography [8]. Never the less, most steganographic products
available on the Internet work with uncompressed image formats or formats that
compress data losslessly (BMP, PCX, GIF, PGM, and TIFF).
Fridrich et al. [9] have recently shown that cover-images stored in the JPEG format
are a very poor choice for steganographic methods that work in the spatial domain.
This is because the quantization introduced by JPEG compression can serve as a
"semi-fragile watermark" or a unique fingerprint that can be used for detection of very
small modifications of the cover-image by inspecting the compatibility of the stego-
image with the JPEG format. Indeed, changes as small as flipping the least significant
bit (LSB) of one pixel can be reliably detected. Consequently, one should avoid using
decompressed JPEG images as covers for spatial steganographic methods, such as the
LSB embedding or its variants.
Despite its proven insecurity, the method of choice of most publicly available
steganographic tools is the LSB embedding. This paradigm can be adapted not only to
raw formats but also to palette images after pre-sorting the palette (EZ Stego [10])
and to JPEG images (J-Steg [10], JP Hide&Seek [10], and OutGuess [11]).
Fridrich et al. [5,6] introduced the dual statistics steganalytic method for detection
of LSB embedding in uncompressed formats. For high quality images taken with a
digital camera or a scanner, the dual statistics steganalysis indicates that the safe bit-
rate is less than 0.005 bits per sample, providing a surprisingly stringent upper bound
on steganographic capacity of simple LSB embedding.
Pfitzmann and Westfeld
[12] introduced a method based on statistical analysis of
Pairs of Values (PoVs) that are exchanged during message embedding. For example,
grayscales that differ in the LSBs only, could form these PoVs. This method, which
became known as the χ
2
attack, is quite general and can be applied to many
embedding paradigms besides the LSB embedding. It provides very reliable results
when the message placement is known (e.g., for sequential embedding). Pfitzmann
[12] and Provos [13] noted that the method could still be applied to randomly
scattered messages by applying the same idea to smaller portions of the image while
comparing the statistics with the one obtained from unrelated pairs of values.
Unfortunately, no further details regarding this generalized χ
2
attack are provided in
their papers, although Pfitzmann [12] reports that messages as small as one third of
the total image capacity are detectable.
Farid [14] developed a universal blind detection scheme that can be applied to any
steganographic scheme after proper training on databases of original and cover-
images. He uses an optimal linear predictor for wavelet coefficients and calculates the
first four moments of the distribution of the prediction error. Fisher linear
discriminant statistical clustering is then used to find a threshold that separates stego-
images from cover-images. Farid demonstrates the performance on J-Steg, both
versions of OutGuess, EZ Stego, and LSB embedding. It appears that the selected
statistics is rich enough to cover a very wide range of steganographic methods.
However, the results are reported for a very limited image database of large, high-
quality images, and it is not clear how the results will scale to more diverse databases.
Also, the authors of this paper believe that methods that are targeted to a specific
embedding paradigm will always have significantly better performance than blind
methods.
Johnson and Jajodia
[15] pointed out that some steganographic methods for palette
images that preprocess the palette before embedding are very vulnerable. For
example, S-Tools [10] or Stash [10] create clusters of close palette colors that can be
swapped for each other to embed message bits. These programs decrease the color
depth and then expand it to 256 by making small perturbations to the colors. This
preprocessing, however, will create suspicious and easily detectable pairs (clusters) of
close colors.
Recently, the JPEG format attracted the attention of researchers as the main
steganographic format due to the following reasons: It is the most common format for
storing images, JPEG images are very abundant on the Internet bulletin boards and
public Internet sites, and they are almost solely used for storing natural images.
Modern steganographic methods can also provide reasonable capacity without
necessarily sacrificing security. Pfitzmann and Westfeld [16] proposed the F5
algorithm as an example of a secure but high capacity JPEG steganography. The
authors presented the F5 algorithm as a challenge to the scientific community at the
Fourth Information Hiding Workshop in Pittsburgh in 2001. This challenge stimulated
the research presented in this paper.
In the next section, we give a description of the F5 algorithm as introduced in [16].
Then, in Sect. 3, we describe an attack on F5 and give a sample of experimental
results. The limitations of the detection method and ways to overcome those
limitations are discussed in Sect. 4. The paper is concluded in Sect. 5, where we also
outline our future research.
2 The F5 Algorithm
The F5 steganographic algorithm was introduced by German researchers Pfitzmann
and Westfeld in 2001 [16]. The goal of their research was to develop concepts and a
practical embedding method for JPEG images that would provide high steganographic
capacity without sacrificing security. Guided by their χ
2
attack, they challenged the
paradigm of replacing bits of information in the cover-image with the secret message
while proposing a different paradigm of incrementing image components to embed
message bits. Instead of replacing the LSBs of quantized DCT coefficients with the
message bits, the absolute value of the coefficient is decreased by one. The authors
argue that this type of embedding cannot be detected using their χ
2
statistical attack.
The F5 algorithm embeds message bits into randomly-chosen DCT coefficients
and employs matrix embedding that minimizes the necessary number of changes to
embed a message of certain length. According to the description of the F5 algorithm,
version 11, the program accepts five inputs:
• Quality factor of the stego-image Q;
• Input file (TIFF, BMP, JPEG, or GIF);
•
Output file name;
• File containing the secret message;
• User password to be used as a seed for PRNG;
• Comment to be inserted in the header.
In the embedding process, the message length and the number of non-zero non-DC
coefficients are used to determine the best matrix embedding that minimizes the
number of modifications of the cover-image. Matrix embedding has three parameters
(c, n, k), where c is the number of changes per group of n coefficients, and k is the
number of embedded bits. In their paper [16], the authors describe a simple matrix
embedding (1, 2
k
–1, k) using a “hash” function that outputs k bits when applied to 2
k
–
1 coefficients.
The embedding process starts with deriving a seed for a PRNG from the user
password and generating a random walk through the DCT coefficients of the cover-
image. The PRNG is also used to encrypt the value k using a stream cipher and embed
it in a regular manner together with the message length in the beginning of the
message stream. The body of the message is embedded using matrix embedding,
inserting k message bits into one group of 2
k
–1 coefficients by decrementing the
absolute value of at most one coefficient from each group by one.
The embedding process consists of the following six steps:
1. Get the RGB representation of the input image.
2. Calculate the quantization table corresponding to quality factor Q and compress
the image while storing the quantized DCT coefficients.
3. Compute the estimated capacity with no matrix embedding C = h
DCT
– h
DCT
/64 –
h(0) – h(1)
+ 0.49h(1), where h
DCT
is the number of all DCT coefficients, h(0)
is
the number of AC DCT coefficients equal to zero, h(1) is the number of AC
DCT coefficients with absolute value 1, h
DCT
/64 is the number of DC
coefficients, and –h(1)+0.49h(1) = –0.51h(1) is the estimated loss due to
shrinkage (see Step 5). The parameter C and the message length together
determine the best matrix embedding.
4. The user-specified password is used to generate a seed for a PRNG that
determines the random walk for embedding the message bits. The PRNG is also
used to generate a pseudo-random bit-stream that is XOR-ed with the message to
make it a randomized bit-stream. During the embedding, DC coefficients and
coefficients equal to zero are skipped.
5. The message is divided into segments of k bits that are embedded into a group of
2
k
–1 coefficients along the random walk. If the hash of that group does not match
the message bits, the absolute value of one of the coefficients in the group is
decreased by one to obtain a match. If the coefficient becomes zero, the event is
called shrinkage, and the same k message bits are re-embedded in the next group
of DCT coefficients (we note that LSB(d)= d mod 2, for d > 0, and LSB(d)=1– d
mod 2, for d < 0).
6. If the message size fits the estimated capacity, the embedding proceeds,
otherwise an error message showing the maximal possible length is displayed.
There are rare cases when the capacity estimation is wrong due to a larger than
anticipated shrinkage. In those cases, the program embeds as much as possible
and displays a warning.
While the F5 algorithm does modify the histogram of DCT coefficients, the
authors show that some crucial characteristics of the histogram are preserved, such as
its monotonicity and monotonicity of increments. The F5 algorithm cannot be
detected using the χ
2
attack because the embedding is not based on bit-replacement or
exchanging any fixed Pairs of Values.
In the next section, we describe an attack on F5. It is based on the idea that one can
accurately estimate the histogram of the cover-image from the stego-image. Because
F5 modifies the histogram in a well-defined manner, we can calculate the number of
modified coefficients by comparing the estimated histogram with the histogram of the
stego-image.
3 Description of the Attack
We divided our attack on F5 into two separate parts: (1) Finding distinguishing
statistical quantities T that correlate with the number of modified coefficients, and (2)
Determining the baseline values of the statistics T. In fact, it is not that difficult to
find a quantity that changes with embedded message length. For example, the number
of coefficients equal to zero increases while the number of remaining non-zero
