MINISTRY OF EDUCATION AND TRAINING
HANOI UNIVERSITY OF SCIENCE AND TECHNOLOGY
——————————

Nguyen Huy Truong

RESEARCH ON DEVELOPMENT OF METHODS
OF GRAPH THEORY AND AUTOMATA
IN STEGANOGRAPHY AND SEARCHABLE ENCRYPTION

DOCTORAL DISSERTATION IN MATHEMATICS AND INFORMATICS

Hanoi - 2020


MINISTRY OF EDUCATION AND TRAINING
HANOI UNIVERSITY OF SCIENCE AND TECHNOLOGY
——————————

Nguyen Huy Truong

RESEARCH ON DEVELOPMENT OF METHODS
OF GRAPH THEORY AND AUTOMATA
IN STEGANOGRAPHY AND SEARCHABLE ENCRYPTION
Major: Mathematics and Informatics
Major code: 9460117

DOCTORAL DISSERTATION IN MATHEMATICS AND INFORMATICS

SUPERVISORS:
1. Assoc. Prof. Dr. Sc. Phan Thi Ha Duong

2. Dr. Vu Thanh Nam

Hanoi - 2020


DECLARATION OF AUTHORSHIP
I hereby certify that I am the author of this dissertation, and that I have completed it
under the supervision of Assoc. Prof. Dr. Sc. Phan Thi Ha Duong and Dr. Vu Thanh
Nam. I also certify that the dissertation’s results have not been published by other authors.
Hanoi, February 03, 2020
PhD. Student

Nguyen Huy Truong

Supervisors

Assoc. Prof. Dr. Sc. Phan Thi Ha Duong

Dr. Vu Thanh Nam


ACKNOWLEDGMENTS
I am extremely grateful to Assoc. Prof. Dr. Sc. Phan Thi Ha Duong.
I want to thank Dr. Vu Thanh Nam.
I would also like to extend my deepest gratitude to Late Assoc. Prof. Dr. Phan Trung
Huy.
I would like to thank my co-workers from School of Applied Mathematics and
Informatics, Hanoi University of Science and Technology for all their help.
I also wish to thank members of Seminar on Mathematical Foundations for Computer
Science at Institute of Mathematics, Vietnam Academy of Science and Technology for their

valuable comments and helpful advice.
I give thanks to PhD students of Late Assoc. Prof. Dr. Phan Trung Huy for sharing
and exchanging information in steganography and searchable encryption.
Finally, I must also thank my family for supporting all my work.


CONTENTS

Page
LIST OF SYMBOLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
iii
LIST OF ABBREVIATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . .
iv
LIST OF FIGURES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
v
LIST OF TABLES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
vi
INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
CHAPTER 1 PRELIMINARIES . . . . . . . . . . . . . . . . . . . . . . . 4
1.1 Basic Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4
1.1.1 Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4
1.1.2 Graph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4
1.1.3 Deterministic Finite Automata . . . . . . . . . . . . . . . . . . . .
6
m
1.1.4 The Galois Field GF (p ) . . . . . . . . . . . . . . . . . . . . . . .
7

1.2 Digital Image Steganography . . . . . . . . . . . . . . . . . . . . . . . . . .
8
1.3 Exact Pattern Matching . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.4 Longest Common Subsequence . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.5 Searchable Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
CHAPTER 2 DIGITAL IMAGE STEGANOGRAPHY BASED ON THE
GALOIS FIELD USING GRAPH THEORY AND AUTOMATA . . . . . 16
2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.2 The Digital Image Steganography Problem . . . . . . . . . . . . . . . . . . 18
2.3 A New Digital Image Steganography Approach . . . . . . . . . . . . . . . . 19
2.3.1 Mathematical Basis based on The Galois Field . . . . . . . . . . . . 19
2.3.2 Digital Image Steganography Based on The Galois Field GF (pm )
Using Graph Theory and Automata . . . . . . . . . . . . . . . . . . 21
2.4 The Near Optimal and Optimal Data Hiding Schemes for Gray and Palette
Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.5 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
2.6 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
CHAPTER 3 AN AUTOMATA APPROACH TO EXACT PATTERN
MATCHING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.2 The New Algorithm - The MRc Algorithm . . . . . . . . . . . . . . . . . . 41
3.3 Analysis of The MRc Algorithm . . . . . . . . . . . . . . . . . . . . . . . . 47
3.4 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.5 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
CHAPTER 4 AUTOMATA TECHNIQUE FOR THE LONGEST
COMMON SUBSEQUENCE PROBLEM . . . . . . . . . . . . . . . . . . 56
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
i



4.2
4.3
4.4
4.5

Mathematical Basis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Automata Models for Solving The LCS Problem . . . . . . . . . . . . . . .
Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
CHAPTER 5 CRYPTOGRAPHY BASED ON STEGANOGRAPHY
AND AUTOMATA METHODS FOR SEARCHABLE ENCRYPTION . .
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.2 A Novel Cryptosystem Based on The Data Hiding Scheme (2, 9, 8) . . . . .
5.3 Automata Technique for Exact Pattern Matching on Encrypted Data . . .
5.4 Automata Technique for Approximate Pattern Matching on Encrypted Data
5.5 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
CONCLUSION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
BIBLIOGRAPHY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
LIST OF PUBLICATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

ii

57
61
66
67
68
68
70
74

76
78
80
81
88


LIST OF SYMBOLS
Σ
Σ∗

An alphabet
The set of all strings on Σ
∅
The empty set
The empty string
|S|
The number of elements of a set S
|u|
The length of a string u
m
GF (p )
The Galois field is constructed from the polynomial ring Zp [x],
where p is prime and m is a positive integer
n
m
(GF (p ), +, ·) A vector space over the field GF (pm )
LCS(p, x)
A longest common subsequence of p and x
lcs(p, x)

The length of a LCS(p, x)
LeftID(u)
The least element the leftmost location of u
Rmp (u)
The last component of LeftID(u) in p
(I, M, K, Em, Ex) A data hiding scheme
I
A set of all image blocks with the same size and image format
M
A finite set of secret elements
K
A finite set of secret keys
Em
An embedding function embeds a secret element in an image
block
Ex
An extracting function extracts an embedded secret element
from an image block
qcolour
The number of different ways to change the colour of each
pixel in an arbitrary image block
I
An image block
M
A secret element
K
A secret key
Adjacent(cp , a)
An adjacent vertex of cp
A string of length c

c block
Pos p (z)
The last position of appearance of z in p
Mp
An automaton accepting the pattern p
Config(p)
The set of all the configurations of p
Wp (u)
The weight of u in p
Wp (C)
The weight of C
WConfig(p)
The set of the weights of all the configurations of p
i
Wp (a)
The weight of a at the location i in p
Wmp (a)
The heaviest weight of a in p
W (a)
The weight of a in p

iii


LIST OF ABBREVIATIONS
AOSO
BF
BFS
BMH
BNDM

CTL
EBOM
ER
FJS
FOPA
FSBNDM
HASH
HCIH
LBNDM
LCS
LSB
MSDR
MSE
NP
OPA
PA
PCT
PSNR
RGB
SA
SAE
SBNDM
SE
SSE
TVSBS
WF
WL

Average Optimal Shift Or
Brute Force

Breadth First Search
Boyer Moore Horspool
Backward Nondeterministic Dawg Matching
Chang Tseng Lin
Extended Backward Oracle Matching
Embedding Rate
Franek Jennings Smyth
Fastest Optimal Parity Assignment
Forward SBNDM
Hashing
High Capacity of Information Hiding
Long BNDM
Longest Common Subsequence
Least Significant Bit
Maximal Secret Data Ratio
Mean Square Error
Nondeterministic Polynomial
Optimal Parity Assignment
Parity Assignment
Pan Chen Tseng
Peak Signal to Noise Ratio
Red Green Blue
Shift Add
Searchable Asymmetric Encryption
Simplified BNDM
Searchable Encryption
Searchable Symmetric Encryption
Thathoo Virmani Sai Balakrishnan Sekar
Wagner Fischer
Wu Lee


iv


LIST OF FIGURES

Figure
Figure
Figure
Figure
Figure

1.1.
1.2.
1.3.
1.4.
1.5.

A simple graph . . . . . . . . . . . . . . . . . . .
A spanning tree of the graph given in Figure 1.1
The transition diagram of A in Example 1.3 . .
The basic diagram of digital image steganography
The degree of appearance of the pattern p . . . .

.
.
.
.
.


.
.
.
.
.

.
.
.
.
.

.
.
.
.
.

.
.
.
.
.

.
.
.
.
.


.
.
.
.
.

.
.
.
.
.

.
.
.
.
.

.
.
.
.
.

.
.
.
.
.


5
6
7
9
12

Figure 2.1. The nine commonly used 8-bit gray cover images sized 512 × 512 pixels 35
Figure 2.2. The nine commonly used 8-bit palette cover images sized 512 × 512
pixels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Figure 2.3. The binary cover image sized 2592 × 1456 pixels . . . . . . . . . . . 36
Figure 3.1. Sliding window mechanism . . . . . . . . . . . . . . . . . . . . . . .
Figure 3.2. The basic idea of the proposed approach . . . . . . . . . . . . . . . .
Figure 3.3. The transition diagram of the automaton Mp , p = abcba . . . . . . .

v

40
44
46


LIST OF TABLES

Table 1.1. An adjacency list representation of the simple graph given in Figure 1.1 5
Table 1.2. The performing steps of the BF algorithm . . . . . . . . . . . . . . . . 11
Table 1.3. The dynamic programming matrix L . . . . . . . . . . . . . . . . . . 13
Table 2.1. Elements of the Galois field GF (22 ) represented by binary strings and
decimal numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Table 2.2. Operations + and · on the Galois field GF (22 ) . . . . . . . . . . . . .
Table 2.3. The representation of E and the arc weights of G for the gray image .

Table 2.4. The payload, ER and PSNR for the optimal data hiding scheme
(1, 2n − 1, n) for palette images with qcolour = 1 . . . . . . . . . . . . .
Table 2.5. The payload, ER and PSNR for the near optimal data hiding scheme
(2, 9, 8) for gray images with qcolour = 3 . . . . . . . . . . . . . . . . . .
Table 2.6. The payload, ER and PSNR for the near optimal data hiding scheme
(2, 9, 8) for palette images with qcolour = 3 . . . . . . . . . . . . . . . .
Table 2.7. The comparisons of embedding and extracting time between the
chapter’s and Chang et al.’s approach for the same optimal data hiding
scheme (1, N, log2 (N + 1) ), where N = 2n − 1, for the binary image
with qcolour = 1. Time is given in second unit . . . . . . . . . . . . . .
Table
Table
Table
Table
Table
Table
Table
Table
Table
Table

3.1. The performing steps of the MR1 algorithm . . . . . . . . .
3.2. Experimental results on rand4 problem . . . . . . . . . . .
3.3. Experimental results on rand8 problem . . . . . . . . . . .
3.4. Experimental results on rand16 problem . . . . . . . . . . .
3.5. Experimental results on rand32 problem . . . . . . . . . . .
3.6. Experimental results on rand64 problem . . . . . . . . . . .
3.7. Experimental results on rand128 problem . . . . . . . . . .
3.8. Experimental results on rand256 problem . . . . . . . . . .
3.9. Experimental results on a genome sequence (with |Σ| = 4) .

3.10. Experimental results on a protein sequence (with |Σ| = 20)

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.

36
37
37

37

.
.
.
.
.
.
.
.

.
.

46
51
51
52
52
53
53
54
54
55

Table 4.1. The Refp of p = bacdabcad . . . . . . . . . . . . . . . . . . . . . . . .
Table 4.2. The comparisons of the lcs(p, x) computation time for n = 50666 . . .
Table 4.3. The comparisons of the lcs(p, x) computation time for n = 102398 . .

59
66
67

vi

.
.
.
.
.
.

.
.
.
.

30
30
31


INTRODUCTION
In the modern life, when the use of computer and Internet is more and more essential,
digital data (information) can be copied as well as accessed illegally. As a result,
information security becomes increasingly important. There are two popular methods to
provide security, which are cryptography and data hiding [2, 5, 6, 20, 56, 62, 81].
Cryptography is used to encrypt data in order to make the data unreadable by a third
party [5]. Data hiding is used to embed data in digital media. Based on the purpose of
the application, data hiding is generally divided into steganography that hides the
existence of data to protect the embedded data and watermarking that protects the
copyright ownership and authentication of the digital media carrying the embedded data.
Steganography can be used as an alternative way to cryptography.
However,
steganography will become weak if attackers detect existence of hidden data. Hence
integrating cryptography with steganography is as a third choice for data security
[2, 5, 6, 12, 19, 61, 62, 81, 86, 93].
With the rapid development of applications based on Internet infrastructure, cloud
computing becomes one of the hottest topics in the information technology area. Indeed, it
is a computing system based on Internet that provides on-demand services from application
and system software, storage to processing data. For example, when cloud users use the
storage service, they can upload information to the servers and then access it on the Internet

online. Meanwhile, enterprises can not spend big money on maintaining and owning a
system consisting of hardware and software. Although cloud computing brings many
benefits for individuals and organizations, cloud security is still an open problem when cloud
providers can abuse their information and cloud users lose control of it. Thus, guaranteeing
privacy of tenants’ information without negating the benefits of cloud computing seems
necessary [28, 38, 40, 41, 60, 95, 102]. In order to protect cloud users’ privacy, sensitive
data need to be encoded before outsourcing them to servers. Unfortunately, encryption
makes the servers perform search on ciphertext much more difficult than on plaintext. To
solve this problem, many searchable encryption techniques have been presented since 2000.
Searchable encryption does not only store users’ encrypted data securely but also allows
information search over ciphertext [26, 28, 29, 38, 40, 60, 71, 85, 102].
Searchable encryption for exact pattern matching is a new class of searchable encryption
techniques. The solutions for this class have been presented based on algorithms for [26]
or approaches to [41, 89] exact pattern matching.
As in retrieving information from plaintexts, the development of searchable encryption
with approximate string matching capability is necessary, where the search string can
be a keyword determined, encrypted and stored in cloud servers or an arbitrary pattern
[28, 40, 71].
From the above problems, together with methods using graph theory and automata
proposed by P. T. Huy et al. of solving problems of exact pattern matching (2002), longest
common subsequence (2002) and steganography (2011, 2012 and 2013), and their potential
applications in steganography and searchable encryption, as well as under the direction of
supervisors, the dissertation title assigned is research on development of methods of
1


graph theory and automata in steganography and searchable encryption.
The purpose of the dissertation is to research on the development of new and quality
solutions using graph theory and automata, suggesting their applications in, and applying
them to steganography and searchable encryption.

Based on the results and suggestions introduced by P. T. Huy et al., the dissertation
will focus on following four problems in steganography and searchable encryption:
- Digital image steganography;
- Exact pattern matching;
- Longest common subsequence;
- Searchable encryption.
The first problem is stated newly in Chapter 2, the three remaining problems are recalled
and clarified in Chapter 1.
For the first three problems, the dissertation’s work is to find new and efficient solutions
using graph theory and automata. Then they will be used and applied to solve the last
problem.
The dissertation has been completed with structure as follows.
Apart from
Introduction at the beginning and Conclusion at the end of the dissertation, the main
content of it is divided into five chapters.
Chapter 1.
Preliminaries. This chapter recalls basic knowledge indicated
throughout the dissertation (strings, graph, deterministic finite automata, digital images,
the basic model of digital image steganography, some parameters to determine the
quality of digital image steganography, the exact pattern matching problem, the longest
common subsequence problem, and searchable encryption), re-presents important
concepts and results used and researched on development in remaining chapters of the
dissertation (adjacency list, breadth first search, Galois field, the fastest optimal parity
assignment method, the module method and the concept of the maximal secret data
ratio, the concept of the degree of fuzziness (appearance), the Knapsack Shaking
approach, and the definition of a cryptosystem).
Chapter 2. Digital image steganography based on the Galois field using
graph theory and automata. Firstly, from some proposed concepts of optimal and
near optimal secret data hiding schemes, this chapter states the interest problem in digital
image steganography. Secondly, the chapter proposes a new approach based on the Galois

field using graph theory and automata to design a general form of steganography in binary,
gray and palette images, shows sufficient conditions for existence and proves existence of
some optimal and near optimal secret data hiding schemes, applies the proposed schemes
to the process of hiding a finite sequence of secret data in an image and gives security
analyses. Finally, the chapter presents experimental results to show the efficiency of the
proposed results.
Chapter 3. An automata approach to exact pattern matching. This chapter
proposes a flexible approach using automata to design an effective algorithm for exact
pattern matching in practice. In given cases of patterns and alphabets, the efficiency of
the proposed algorithm is shown by theoretical analyses and experimental results.
Chapter 4. Automata technique for the longest common subsequence
problem. This chapter proposes two efficient sequential and parallel algorithms for
computing the length of a longest common subsequence of two strings in practice, using
automata technique. Theoretical analysis of parallel algorithm and experimental results

2


confirm that the use of the automata technique in designing algorithms for solving the
longest common subsequence problem is the best choice.
Chapter 5. Cryptography based on steganography and automata methods
for searchable encryption. This chapter first proposes a novel cryptosystem based on
a data hiding scheme proposed in Chapter 2 with high security. Additionally, ciphertexts
do not depend on the input image size as existing hybrid techniques of cryptography and
steganography, encoding and embedding are done at once. The chapter then applies results
using automata technique of Chapters 3 and 4 to constructing two algorithms for exact
and approximate pattern matching on secret data encrypted by the proposed cryptosystem.
These algorithms have O(n) time complexity in the worst case, together with an assumption
that the approximate algorithm uses (1 − )m processors, where , m and n are the error
of the string similarity measure proposed in this chapter and lengths of the pattern and

secret data, respectively. In searchable encryption, the cryptosystem can be used to encode
and decode secret data on users side and pattern matching algorithms can be used to
perform pattern search on cloud providers side.
The contents of the dissertation are written based on the paper [T1] published in,
the revised manuscript [T4] submitted to KSII Transactions on Internet and Information
Systems (ISI), and the papers [T2, T3] published in Journal of Computer Science and
Cybernetics in 2019. The main results of the dissertation have been presented at:
- Seminar on Mathematical Foundations for Computer Science at Institute of
Mathematics, Vietnam Academy of Science and Technology,
- The 9th Vietnam Mathematical Congress, Nha Trang, August 14-18, 2018,
- Seminar at School of Applied Mathematics and Informatics, Hanoi University of
Science and Technology.

3


CHAPTER 1

PRELIMINARIES
This chapter will attempt to recall terminologies, concepts, algorithms and results which
are really needed in order to present the dissertation’s new results clearly and logically,
as well as help readers follow the content of the dissertation easily. The background
knowledge re-presented here consists of basic structures (Section 1.1: strings (Subsection
1.1.1), graph (Subsection 1.1.2), deterministic finite automata (Subsection 1.1.3), and the
Galois field GF (pm ) (Subsection 1.1.4)), digital image steganography (Section 1.2), exact
pattern matching (Section 1.3 ), longest common subsequence (Section 1.4) and searchable
encryption (Section 1.5).

1.1 Basic Structures
1.1.1 Strings

In this dissertation, secret data are considered as strings. So, some terms related to
strings will be recalled here [11, 24, 83].
A finite set Σ is called an alphabet. The number of elements of Σ is denoted by |Σ|. An
element of Σ is called a letter. A string x of length n on the alphabet Σ is a finite sequence
of letters of Σ and we write
x = x[1]x[2]..x[n], x[i] ∈ Σ, 1 ≤ i ≤ n,
where n is a positive integer.
A special string is the empty string having no letters, denoted by . The length of the
string x is the number of letters in it, denoted by |x|. Then | | = 0.
Notice that for the string x = x[1]x[2]..x[n], we can also write x = x[1..n] in short.
The set of all strings on the alphabet Σ is denoted by Σ∗ . The operator of strings is
concatenation that writes strings as a compound. The concatenation of the two strings u1
and u2 is denoted by u1 u2 .
Let x be a string. A string p is called a substring of the string x, if x = u1 pu2 for some
strings u1 and u2 . In case u1 = (resp. u2 = ), the string p is called a prefix (resp. suffix)
of the string x. The prefix (resp. suffix) p is called proper if p = x. Note that the prefix
or the suffix can be empty.
1.1.2 Graph
Besides some basic concepts in graph theory, this subsection recalls the way representing
a graph by adjacency lists and breadth first search [82]. These are used in Chapter 2.
A finite undirected graph (hereafter, called a graph for short) G = (V, E) consists of a
nonempty finite set of vertices V and a finite set of edges, where each edge has either one
or two vertices associated with it. A graph with weights assigned to their edges is called a
weighted graph.
4


Communication
Channel


Cover
Image

Embed

Stego
Image

Stego
Image

Extract

Cover
Image

Send
to
An edge connecting a vertex to itself
is called
a loop. Multiple edges are edges connecting
the same vertices. A graph having no loops and no multiple edges is called a simple graph.
In a simple graph, the edge associated to an unordered pair of vertices {i, j} is called the
Secret Key
Secret
edge {i,
j}. Key
Two vertices i and j in a graph G are called adjacent if they are vertices of an edge of
G.
Sender

Receiver
A graph without multiple edges can be described by using adjacency lists, which specify
adjacent vertices of any vertex of the graph.
Example 1.1. Using adjacency lists, the simple graph given in Figure 1.1 can be
represented as in Table 1.1.

1
2

4
2

1
5

3

4

Figure 1.1. A simple graph
Table 1.1. An adjacency list representation of the simple graph given in Figure 1.1

Vertex

Adjacent vertices

1

2, 3


2

1, 3, 4

3

1, 2, 4, 5

4

2, 3, 5

5

3, 4

Given a simple graph G, a subgraph of G that is a tree including every vertex of G is
called a spanning tree of G. A spanning tree of a connected simple graph can be built by
using breadth first search (BFS). This algorithm is shown in pseudo-code as follows.
Breadth First Search:
Input: A connected simple graph G with vertices ordered as i1 , i2 , . . . , in .
Output: A spanning tree T .
Set T to be a tree consisting only i1 ;
Set L to be an empty list;
Put i1 in L
While (L is not empty)
{
Remove the first vertex i from L;
5



Secret Data

Communication
Channel

For each adjacent vertex j of i
in L and T ) Cover
StegoIf (j is not
Extract
Image
{
Image
Add j to the end of L;

Send to

Add j and the edge {i, j} to T ;
}
}

Secret Key

Return T ;

Receiver

End.

Example 1.2. For a graph given in Figure 1.1, a spanning tree of this graph is found by

using BFS as in Figure 1.2.

1
2

3

4

5

2

3

4

5

Figure 1.2. A spanning tree of the graph given in Figure 1.1

A graph with directed edges (or arcs) is called a directed graph. Each arc is associated
with the ordered pair of vertices. In a simple directed graph, the arc associated with the
ordered pair (i, j) called the arc (i, j). And the vertex i is said to be adjacent to the vertex
j and the vertex j is said to be adjacent from the vertex i.
1.1.3 Deterministic Finite Automata
Study on the problem of the construction and the use of deterministic finite automata
is one of objectives of the dissertation. Hence, this subsection will clarify this model of
computation [44, 82].
Definition 1.1 ([44]). Let Σ be a finite alphabet. A deterministic finite automaton

(hereafter, called an automaton for short) A = (Σ, Q, q0 , δ, F ) over Σ consists of:
• A finite set Q of elements called states,
• An initial state q0 , one of the states in Q,
• A set F of final states. The set F is a subset of Q,
• A state transition function (or simply, transition function), denoted by δ, that takes
as arguments a state and a letter, and returns a state, so that δ : Q × Σ → Q,
• The transition function δ can be extended so that it takes a state and a string, and
returns a state. Formally, this extended transition function δ can be defined recursively by
δ : Q × Σ∗ → Q
such that ∀q ∈ Q, δ(q, ) = q, ∀s ∈ Σ∗ , ∀a ∈ Σ, δ(q, as) = δ(δ(q, a), s).
6


An alternative and simple way presenting an automaton is to use the notation “transition
diagram”. A transition diagram of an automaton A = (Σ, Q, q0 , δ, F ) is a directed graph
given as follows [44].
a) Each state of Q is a vertex.
b) Let q = δ(q, a), where q is a state of Q and a is a letter of Σ. Then the transition
diagram has an arc (q , q) labeled a. If there are several letters that cause transitions from
q to q, then the arc (q , q) is labeled by a list of these letters.
c) There is an arrow into the initial state q0 . This arrow does not originate at any
vertex.
d) States not in F have a single circle. Vertices corresponding to final states are marked
by a double circle.
Example 1.3. Consider an automaton A = (Σ, Q, q0 , δ, F ) over Σ = {a, b}, where
Q = {q0 , q1 , q2 }, F = {q2 }, and δ is given by the following table. Then the transition
diagram of A is shown in Figure 1.3.
δ

a


b

q0

q0

q1

q1

q2

q1

q2

q2

q2

a

q0

a, b

b

q1


a

q2

b
Figure 1.3. The transition diagram of A in Example 1.3

Definition 1.2 ([82]). A string p is said to be accepted by the automaton
Datathe initial state q0 to a final state, it means that
A = (Σ, Q, q0 , δ, F ) Secret
if it takes
δ(qData
Secret
0 , p) is
a state in F .
1.1.4 The Galois Field GF (pm )

Communication
Channel

Cover
Stego
Extract
Embed how to Stego
This Image
subsection describes
construct a finite field with pm elements,
called the
Image

Image
m
Galois field GF (p ), where p is prime and m ≥ 1 is an integer [88]. The algebraic structure
Send to
will be used in Chapter 2.
Let p be a prime number. Define Zp [x] to be the set of all polynomials with the variable
x, whose coefficients belong to the field Zp . Addition and multiplication in Zp [x] are defined
Secret Key
Key the coefficients modulo p at the end.
in the usual way andSecret
then reduce
For f (x) ∈ Zp [x], the degree of f (x), denoted by deg(f ), is the largest exponent of
Sender
Receiver
x in f (x). A polynomial
f (x) ∈ Zp [x] is called to be irreducible if there does
not exist
7

Cover
Image


polynomials f1 (x), f2 (x) ∈ Zp [x] such that
f (x) = f1 (x)f2 (x),
where deg(f1 ) > 0 and deg(f2 ) > 0.
Let f (x) ∈ Zp [x] be an irreducible polynomial with deg(f ) = m ≥ 1. Define
Zp [x]/(f (x)) to be the set of pm polynomials of degree at most m − 1 in Zp [x]. Addition
and multiplication in Zp [x]/(f (x)) are given as in Zp [x], followed by a reduction modulo
f (x). Then Zp [x]/(f (x)) with these operations is a field having pm elements, called the

Galois field GF (pm ). Note that for p is prime and m ≥ 1, the Galois field GF (pm ) is
unique.

1.2 Digital Image Steganography
The interest problem in Chapter 2 is digital image steganography. This section will
recall the concept of digital images, the basic model of digital image steganography, some
parameters to determine the efficiency of digital image steganography and lastly re-present
results researched on development and used in Chapter 2 such as the fastest optimal parity
assignment (FOPA) method, the module method and the concept of the maximal secret
data ratio (MSDR) [18, 20, 21, 39, 49, 50, 51, 53, 61, 63, 65, 76, 78, 104].
A digital image is a matrix of pixels. Each pixel is represented by a non negative integer
number in the form of a string of binary bits. This value indicates the colour of the pixel
[39].
Note that based on the way representing of colours of pixels, digital images can be
divided into following different types [78].
1. Binary image: Each pixel is represented by one bit. In this image type, the colour of
a pixel is white, “1” value, or black, “0” value.
2. Gray image: Each pixel is typically represented by eight bits (called 8-bit gray image).
Then the colour of any pixel is a shade of gray, from black corresponding to colour value
“0” to white corresponding to colour value “255”.
3. Red green blue image: Each pixel is usually represented by a string of 24 bits (called
24-bit RGB image), where the first 8 bits, the next 8 bits and the last 8 bits corresponds
to shades of red, green and blue, specifying the red, green and blue colour components
of the pixel, respectively. Then the colour of the pixel is a combination of these three
components.
4. Palette image: The colour of each pixel is not shown directly by the number
representing the pixel as for RGB images. Instead, this number is a colour index of the
colour of the pixel existed in the colour table (the palette), an ordered set of values (strings
of 24 bits) which represent all colours as in RGB images used in the image and contained
in the file with the image. The size of the palette is the same as the length of a bit string

representing a pixel and is limited by 8 bits. For a string of 8 bits, call palette images 8-bit
palette images.
The objective of digital image steganography is to protect data by hiding the data in
a digital image well enough so that unauthorized users will not even be aware of their
existence [21, 18]. Figure 1.4 shows the basic model of digital image steganography, where
the cover image is a digital image used as a carrier to embed secret data into, the stego
image is digital image obtained after embedding secret data into the cover image by the
8


function block Embed with the secret key on the Sender side. For steganography generally,
a
a, b
the secret data needs to be extracted fully by the block Extract with the secret key on
the Receiver side [20, 61, 63, 76].
The total number of the secret data
in the cover image is called
b sequence
abits embedded
q
q
q
2
1
0
a Payload. Corresponding to a certain Payload, to measure the embedding capacity of the
cover image, the embedding rate (ER) is used and defined as follows [104].
ER =

b

Payload
(bpp),
W ×H

(1.1)

where W and H are the cover image’s width and height.

Secret Data

Secret Data
Communication
Channel

Cover
Image

Embed

Stego
Image

Stego
Image

Extract

Cover
Image


Send to

Secret Key

Secret Key

Sender

Receiver

Figure 1.4. The basic diagram of digital image steganography

The peak signal to noise ratio (PSNR) is used to evaluate quality of stego image. Based
on the value of PSNR, we can know the degree of similarity between the cover image and
stego image. If the PSNR value is high, then quality of stego image is high. Conversely,
quality of stego image is low. In general, for the digital image, PSNR is defined by the
2
4
following formula [20, 53]
2
255
PSNR = 10 log10
(dB),
(1.2)
MSE
1
where
MSEwhere 9 is the number of pixels in any image block, 8
is the number of secret bits which can be embedded in a block by changing colours of at
most 2 pixels in the block. This scheme is near optimal for gray and palette images with

high efficiency in embedding capacity, speed, security as well as visual quality, proposed in
Section 2.4. Since the proposed cryptosystem is designed to solve the problem of pattern
matching on encrypted data and for an assumption that secret data is a string over the
alphabet of size 256, the cryptosystem allows to encrypt letters of the secret data one by
one.
For a given letter in the alphabet, corresponding to a 8-bit string, based on the
embedding function in the data hiding scheme (2, 9, 8), the information (called the flip

69


information) is computed to change the input image block. This flip information consists
of positions of pixels in the block and way changing colour of these pixels. The code word
of the letter is a binary string presenting the flip information. The security analyses show
that the proposed cryptosystem provides high security with a key space of 220 39 9!290 28 !
for gray images and 220 39 9!218+9t 28 ! for palette images, where t is the number of bits
representing colour indexes.
Return to the remaining main objective of the chapter which is the problem of pattern
matching on encrypted data on cloud providers side. In Chapters 3 and 4, automata
techniques are exploited for the problem of exact pattern matching and the longest
common subsequence problem on plaintexts. With using these techniques, the chapters
have achieved aims which are to design effective algorithms in practice to solve these
problems. This chapter applies these results to constructing exact and approximate
pattern matching algorithms on ciphertexts performed by severs. The main idea is to
encrypt the automaton corresponding to a given pattern, and then consider this
encrypted automaton as a part of the trapdoor for search. Some theoretical analyses
remarked that the algorithms all have O(n) time complexity in the worst case, where for
approximate algorithm uses (1 − )m processors, where , m and n are the error of the
string similarity measure and lengths of the pattern and secret data, respectively.
The rest of this chapter is organized as follows. Sections 5.2, 5.3 and 5.4 propose

algorithms used by users and servers in SSE. Firstly, Section 5.2 constructs a novel
cryptosystem based on the data hiding scheme proposed in Chapter 2, applies this
cryptosystem to the process of encrypting and decrypting a secret data sequence and
discusses some security analyses. Sections 5.3 and 5.4 then use the automata approach in
Chapters 3 and 4 to design exact and approximate pattern matching algorithms on
secrete data encrypted by the cryptosystem proposed in Section 5.2. Finally, Section 5.5
provides the chapter’s conclusions.

5.2 A Novel Cryptosystem Based on The Data Hiding Scheme
(2, 9, 8)
This section 5.2 proposes a new cryptosystem, a major component in SSE, based on
the data hiding scheme (2, 9, 8) proposed in Chapter 2 (Theorem 5.1 and Security analyses
(5.3), (5.4)) and applies this cryptosystem to the process of encrypting and decrypting a
secret data sequence (Proposition 5.1 and Security analyses (5.9), (5.10)).
Call Em a function which is derived from the function Em by removing two Statements
(2.5) and (2.6). As in Definition 2.10, the state q in Statement (2.4) is computed by
q = δ(q, M ) = δ2 (q, M ), where q, M ∈ GF 4 (22 ) and

δ2 (q, M ) =



{(it , at )|1 ≤ it ≤ 9, t = 1, k , k ≤ 2, vit ∈ S, at ∈ GF (22 )\{0},




k
at vit (on GF 4 (22 )}


M + (−q) =







if v = q,

t=1

otherwise,

∅

where S = {v1 , v2 , . . . , v9 } is a 2-Generators for the vector space GF 4 (22 ). Note that in
Chapter 2 the number of S is given by
c39 9!, where c ≈ 220 .
70

(5.1)


Then it is easy to check that the function Em satisfies
Em : I × M × K → 2{1,2,...,9}×GF (2

2

)\{0}


and the function Em is shown as follows.
The function Em (computing the flip information q):
q = q0 ;
For i = 1 to N Do q = δ(q, Ii );
q = δ(q, M );
Ex is a function obtained from Ex by replacing image blocks Iit with image blocks Iit in
Statement (2.5) and then inserting two Statements (2.6) and (2.5) before Statement (2.7)
2
in Ex, then the function Ex holds Ex : 2{1,2,...,9}×GF (2 )\{0} × I × K → M, and the
function Ex is given as follows.
The function Ex (extracting M from I ):
I = I;
For each (it , at ) in q Do Iit = Adjacent(Iit , at );
q = q0 ;
For i = 1 to N Do q = δ(q, Ii );
M = q;
By Proposition 2.5, we have ∀(I, M, K) ∈ I × M × K, Ex(Em(I, M, K), K) = M and
for the construction of two functions Em and Ex , similarly, we also follow
∀(I, M, K) ∈ I × M × K, Ex (Em (I, M, K), I, K) = M.

(5.2)

Remark 5.1. From defining two functions Em and Ex as above, all image blocks I used
are not changed.
Consider Σ to be an alphabet of size 256. Set P = Σ.
By the decimal representation of the vector space GF 4 (22 ) over the field GF (22 ) in
Section 2.4, then |P| = |GF 4 (22 )| = 256, hence there exists a bijective function f from P
to GF 4 (22 ), denote the inverse function of f by f −1 . Put F to be a set of all f .
From the function δ2 , the state q of the automaton A(I, M, K) computed by

Statement (2.4) is a set. The state q may be one of the following sets: ∅, {(i, a)} for
i
∈
{1, 2, . . . , 9}, a
∈
GF (22 )\{0}
or
{(i, a), (j, b)}
for
2
i, j ∈ {1, 2, . . . , 9}, a, b ∈ GF (2 )\{0}.
The index i ∈ {1, 2, . . . , 9} and the coefficient a ∈ GF (22 )\{0}) = {1, 2, 3} can be
presented by binary strings of lengths 4 and 2, respectively. Hence, use 12 binary bits to
present a state q. Suppose B is a binary string of length 12 to present an arbitrary state
q, B = B12 . . . B2 B1 , then the storage structure of q in B is given as follows.
1. If q = ∅, then the value of any bit in B equals 0.
2. If q = {(i, a)}, then the values of 6 bits B7 , B8 , . . . , B12 are 0; 6 remaining bits present
(i, a), where 2-bit string B2 B1 presents a, 4-bit string B6 B5 B4 B3 presents i.
71


3. If q = {(i, a), (j, b)}, then the 6-bit string B12 B11 ..B7 presents (i, a) and the remaining
6-bit string B6 B5 ..B1 presents (j, b) in the above mentioned way.
Put Q to be a set of all possible states q, C is a set of all 12-bit strings B presenting q,
q ∈ Q. Consider a function h, h : Q → C, h(q) = B, where q is presented by B. Obviously,
h is a bijective function. Denote the inverse function of h by h−1 .
Let K = {(f, K, I)|f ∈ F, K ∈ K, I ∈ I} is a finite set of secret keys. For k ∈ K ,
k = (f, K, I), ek and dk are defined as follows.
1. ek : P → C, ek (x) = h(Em (I, f (x), K)) for x ∈ P.
2. dk : C → P, dk (y) = f −1 (Ex (h−1 (y), I, K)) for y ∈ C.

Set E = {ek |k ∈ K }, D = {dk |k ∈ K }. From Definition 1.13, the correctness of the
cryptosystem (P, C, K , E, D) is guaranteed by the following theorem.
Theorem 5.1. Let ∀x ∈ P, ∀k ∈ K , ek ∈ E and dk ∈ D. Then dk (ek (x)) = x.
Proof. Set M = f (x), q = Em (I, M, K), B = h(q), then ek (x) = B = y. We have
h−1 (y) = h−1 (B) = q, Ex (q, I, K) = M by Formula (5.2), f −1 (M ) = x, then
dk (y) = x.
Security analysis of the cryptosystem (P, C, K , E, D): Assume that publish parameters
the flip graph G, Em , Ex , GF 4 (22 ) and h in the cryptosystem (P, C, K , E, D). The
plaintext x is obtained from y by the Formula
x = dk (y) = f −1 (Ex (h−1 (y), I, K)).
So, to have accurately x, we need to know S and k = (f, K, I). The number of choices for
the image block I is 2569 with gray images, 29t with palette images, where t is the number
of bits to represent colour indexes. Furthermore, by Formula (2.45), the security of the
cryptosystem (P, C, K , E, D) is given by the following formula
c39 9!218 28 !2569 = c39 9!290 28 ! for gray images,

(5.3)

c39 9!218 29t 28 ! = c39 9!218+9t 28 ! for palette images.

(5.4)

or

Remark 5.2. By Remark 5.1, all pairs of functions (ek , dk ) in the cryptosystem
(P, C, K , E, D) do not make the image blocks I change for ∀k ∈ K , k = (f, K, I). In
addition, we can see that encrypting and hiding are done at the same time.
Consider an arbitrary subset of image blocks F as an input image, F ⊂ I,
F = {F1 , F2 , . . . , Ft2 }, t2 is the number of image blocks. Next, Section 5.2 gives a way
applying the cryptosystem (P, C, K , E, D) to the process of encrypting and decrypting

secret data over an insecure channel. By Remark 5.2, we can use a secret key subset K
instead of one secret key k,
K = {(f, K, I)|K ∈ K, I ∈ F } ⊂ K
for f ∈ F, K = {K 1 , K 2 , . . . , K t1 }.
72


Suppose that secret data is a string
x = x1 x2 ..xt3
for xi ∈ P, ∀i = 1, t3 , t3 ≥ 1. The encrypting algorithm eK used to encrypt x is given as
follows.
iK = 1;
iF = 1;
For i = 1 to t3 Do
{
ki = (f, K iK , FiF );

(5.5)

yi = eki (xi );

(5.6)

iK = (iK − 1) mod t1 + 1;
iF = (iF − 1) mod t2 + 1;
}
y = y1 y2 ..yt3 ;
The decrypting algorithm dK used to decrypt y is given as follows.
iK = 1;
iF = 1;

For i = 1 to t3 Do
{
ki = (f, K iK , FiF );

(5.7)

xi = dki (yi );

(5.8)

iK = (iK − 1) mod t1 + 1;
iF = (iF − 1) mod t2 + 1;
}
x = x1 x2 ..xt3 ;
Propostion 5.1. Let F, x, K and the cryptosystem (P, C, K , E, D) based on the data
hiding (2, 9, 8) as above. Then dK (eK (x)) = x.
Proof. Clearly, ∀i, i = 1, t3 , ki determined in Statement (5.5) is the same as in Statement
(5.7). In addition, by Theorem 5.1, xi is encrypted by Statement (5.6) and obtained by
Statement (5.8) such that xi = xi . Then x = x , hence dK (eK (x)) = x.
Security analysis of process of encrypting and decrypting the secret data x using two
algorithms eK and dK : Assume that also publish parameters as in the cryptosystem
(P, C, K , E, D). Hence, to restore exactly x, we need to know S and K . The number of
choices for S is c39 9! by Formula (5.1). The number of choices for K is 28 !218t1 2569t2 (for
gray images), 28 !218t1 29tt2 (for palette images, where t is the number of bits to represent
colour indexes). Then for a brute force attack, the number of all possible combinations of
S and K used in two algorithms eK and dK is
c39 9!28 !218t1 2569t2 = c39 9!28 !218t1 +72t2 for gray images,
73

(5.9)



or
c39 9!28 !218t1 29tt2 = c39 9!28 !218t1 +9tt2 for palette images.

(5.10)

Remark 5.3. For two algorithms eK and dK given as above, an arbitrary image block I
in the input image F can be used many times in process of encrypting and decrypting the
secret data. So, for a give input image F , the secret data encrypted is not limited by the
size of the input image F .

5.3 Automata Technique
Encrypted Data

for

Exact

Pattern

Matching

on

This section applies the automata approach proposed in Chapter 3 to designing an
algorithm for exact pattern matching on secret data encrypted by the cryptosystem
proposed in Section 5.2 (Theorem 5.2).
Suppose that Alice has a secret data and prefers to outsource this data to a cloud
provider Bob. As the provider is semi-trusted, Alice needs to encrypted her plaintext

and wishes to only store ciphertext in the cloud. Assume that Alice uses the cryptosystem
(P, C, K , E, D) proposed in Section 5.2 to encrypt data with a pair of two secret parameters
(S, k) in the cryptosystem, where S is a 2-Generators for GF 4 (22 ) with 9 elements and
k = (f, K, I) ∈ K .
Because of limited storage space and computing ability, instead of downloading
ciphertext, decrypting it and searching locally, Alice may ask Bob to perform pattern
matching tasks on the ciphertext directly with a trapdoor of the pattern received from
her.
Consider Σ to be an alphabet of size 256. Suppose that the secret data is a string over
Σ
x = x1 x2 ..xt3
for xi ∈ P, ∀i = 1, t3 , t3 ≥ 1 and t3 is often a large natural number, where P = Σ.
Before uploading the secret data x to Bob, Alice use the encrypting function ek ∈ E
to encrypt each xi . Then Alice computes yi = ek (xi ), ∀i = 1, t3 , and the encrypted secret
data is a string over Σ
y = y1 y2 ..yt3
which is sent to Bob, where Σ is an alphabet
Σ = {a |a = ek (a), a ∈ Σ}.
In general case, for x is any string over the alphabet Σ and a string y is obtained from
x by the above way. Then we can write y = ek (x) for short and y is a string over the
alphabet Σ .
Remark 5.4. By using only one pair of two secret parameters (S, k), then the security
of process of encrypting and decrypting the secret data x is similar to Formulas (5.3) (for
gray images) or (5.4) (for palette images).
Suppose that Bob needs to perform exact pattern matching task of an arbitrary pattern
p on encrypted data y. Based on previously introduced results in Chapter 3, here continues
using automata technique to meet the requirement.
74



Propostion 5.2. Let p be a pattern over the alphabet Σ. Then P osp (a ) = P osp (a) for
∀a ∈ Σ , a = dk (a ), where p = ek (p).
Proof. Set i = P osp (a), then a = pi , hence a = pi . Without loss of generality, suppose
P osp (a ) > i, then ∃i > i, pi = a by Definition 3.3, then a = pi = dk (pi ). Then
i < P osp (a), a contradiction. So, we complete the proof.
Propostion 5.3. Let a pattern p and a text x be two strings over the same alphabet Σ and
the function Sign be given by
∀a ∈ Σ , Sign(a ) =

1
0

If a ∈ p,
Otherwise.

Then ∀a ∈ Σ , a ∈ p if and only if Sign(a ) = 1.
Proof. Suppose ∀a ∈ Σ , a ∈ p if and only if ∃i, i = 1..|p |, a = pi if and only if a = pi if
and only if Sign(a ) = 1.
Propostion 5.4. Let a pattern p and a text x be two strings over the same alphabet Σ.
Then p occurs at any position i in x if and only if p occurs at the position i in y, where
y = ek (x).
Proof. Suppose that p occurs at any position i in x if and only if p = xi xi+1 ..xi+|p|−1 if
and only if yi yi+1 ..yi+|p|−1 = p if and only if p occurs at the position i in y.
Propostion 5.5. Let p be a pattern over the alphabet Σ.
Nextp (l) = Nextp (l), where p = ek (p).

Then ∀l, 1 ≤ l ≤ |p|,

Proof. Without loss of generality, suppose that lm = Nextp (l) < Nextp (l) for ∀l, 1 ≤ l ≤ |p|.
Since pi = ek (pi ), ∀i = 1..|p|, then p1 p2 ..plm +1 is both a proper prefix and suffix of p [1..l]

by Definition 3.1. Hence, p1 p2 ..plm +1 is also both a proper prefix and suffix of p[1..l] by
Definition 3.1. Then Nextp (l) > lm. This is a contradiction to the supposition. So, the
proof is complete.
Propostion 5.6. Let p be a pattern over the alphabet Σ. Then for ∀l, 0 ≤ l ≤ |p| and
∀a ∈ Σ , a = dk (a ), Appearancep (l, a ) = Appearancep (l, a), where p = ek (p).
Proof. Clearly, |p| = |p | and for ∀i, 1 ≤ i ≤ |p |, ∀a , a ∈ Σ , a = pi if and only if a = pi .
By Lemma 3.1 and Proposition 5.5, Appearancep (l, a ) = Appearancep (l, a).
Theorem 5.2. Let p be a pattern over the alphabet Σ.
Let two automata
Mp = (Σ, Qp , q0 , δp , Fp ) and Mp = (Σ , Qp , q0 , δp , Fp ) be determined as in Theorem 3.2.
Then Qp = Qp , Fp = Fp , ∀q ∈ Qp , ∀a ∈ Σ , a = dk (a ), δp (q, a ) = δp (q, a), where
p = ek (p).
Proof. It is easy to verify that |p| = |p |. In addition, by Theorem 3.2 and Proposition 5.6,
then Qp = Qp , Fp = Fp and δp (q, a ) = δp (q, a).
Remark 5.5. The meaning of Theorem 5.2 in practice is to compute δp from δp .

75