
The Keyspace for the SVD Method

3.4 Finding the Keyspace for the SVD Method

3.4.8 The Keyspace for the SVD Method

Before discussing the size of the keyspace, a quick review of the main results of the preceding Experiments is given below, in Experiment order. The Experiments undertaken above were performed on astronomical images, initially approximated by applying OMP2D, to select vectors from the column and row dictionaries Dc,18 and Dr,18. The dictionary for all Experiments was constructed as the union of the RDC and Euclidean basis. The results below apply to Experiments undertaken under the above conditions:

• With a fixed block size $N = 8$, approximating all images to a $\mathrm{PSNR}_a = 45 \pm 4.5 \times 10^{-2}\%$ dB before applying the folding procedure:

1) The range of perturbations which both protected the vectors of hidden coefficients $e_q$, $q = 1, \ldots, Q_N$, and did not introduce an unacceptable level of distortion into the recovered image $\tilde{I}^K$, is

$$E_1 = \{10^x\}_{x=-16}^{-3}.$$

The set $E_1$ was determined for a single perturbation $\epsilon$, applied to a fixed location within each matrix $\tilde{G}$, as shown in equation (3.22).

These perturbations also prevented recovery of the hidden coefficients $e$, when the recovery was performed with an incorrect perturbation. This was realized experimentally by a perturbation $\epsilon_R$ at the recovery stage, differing by $\epsilon_{\min}$ from that used in the folding stage.

2) Requirements a) and b) were satisfied when the perturbations in $E_1$ were applied to two additional fixed locations, and a pseudorandom location in $\tilde{G}$.

3) Requirements a) and b) were again satisfied for two perturbations from $E_1$. This was realized experimentally by applying all combinations of two perturbations from $E_1$ to two different pseudorandom locations within the matrix $\tilde{G}$. The second perturbation was found not to increase the δPSNR of the recovered image beyond that of a single perturbation of the same size.

• Applying two perturbations to pseudorandom locations within the matrix $\tilde{G}$, the first being fixed as $\epsilon_{\min}$, and the second taking on all the values from $E_1$:

4) With a fixed block size $N = 8$, increasing the approximation quality to $\mathrm{PSNR}_a = 55 \pm 5.5 \times 10^{-2}\%$ dB and $\mathrm{PSNR}_a = 65 \pm 6.5 \times 10^{-2}\%$ dB, the folding and recovery procedure still fulfilled requirements a) and b).

5) With a fixed $\mathrm{PSNR}_a = 45 \pm 4.5 \times 10^{-2}\%$ dB, increasing the block size to $N = 16$ and $N = 24$, the folding and recovery procedure again fulfilled requirements a) and b).

1) Number of perturbation sizes $\#_{\text{pert}}$

As mentioned earlier, perturbations less than $\epsilon_{\min}$ are not guaranteed to perturb the matrix $\tilde{G}$. Therefore only perturbations greater than or equal to this amount will be considered in this discussion.

The conclusions below assume that the results for the discrete set $E_1$ hold for all $\epsilon_{\min}$-precision perturbations between $\epsilon_{\min}$ and $10^{-3}$. This assumption results in a number of unique perturbation sizes $\#_{\text{pert}}$, of $\#_{\text{pert}} = 10^{-3}/\epsilon_{\min} \approx 2.25 \times 10^{12}$.

A difference of $\epsilon_{\min}$ between the perturbation used to fold an image and the perturbation used to recover the image fulfilled requirement b). Therefore for this discussion it is assumed that each of the $\#_{\text{pert}}$ perturbations results in a different folded image $I^{f_1}$.

2) Location of the perturbation

First assume a single perturbation is applied to the same fixed location within each of the $H_1$ matrices $\tilde{G}$, where $H_1$ is the number of folded image blocks $I^{f_1}_q$, $q = 1, \ldots, Q_N$. Because the location is fixed, the total number of permutations of location over the $H_1$ blocks is only $N^4$, the same as the number of positions in a single matrix $\tilde{G}$. Alternatively, if the location within each block is allowed to be different, the result would be $(N^4)^{H_1}$ permutations of the location over all the $H_1$ image blocks. For this to be applied in practice, the $H_1$ locations used at the folding stage would have to be passed to the recipient of the folded image, to allow it to be recovered.

An alternative to this, applied in Experiment 3.4.4, is to generate the locations within each $\tilde{G}$ with a PRNG, initialized with a known seed. This would require only one parameter, the seed, to be passed to the recipient of the folded image. The total number of permutations over all image blocks would then be the minimum of $(N^4)^{H_1}$ and the total number of seeds $s_{\max}$ which can initialize the PRNG.

The pseudorandom numbers could be generated by the RC4 stream cipher, which has an $s_{\max} = 2^{256} \approx 1.16 \times 10^{77}$. In this case any image with $H_1 \geq \left\lceil \frac{256}{\log_2(N^4)} \right\rceil$ has $s_{\max}$ possible combinations of location over the $H_1$ image blocks.

3) Number of perturbations $N_\epsilon$

If the results of Experiment 3.4.5 hold for more perturbations, then a fixed combination of $N_\epsilon$ perturbations, $N_\epsilon < N^4$, could be applied. The SVD method only fulfils requirements a) and b) for perturbations smaller than $10^{-3}$. Therefore, to prevent the situation where combinations of two or more perturbations exceed this value, a maximum of one perturbation can be applied to each location.

If the perturbation applied to each of the $N_\epsilon$ locations is allowed to be different, the order in which the perturbations are applied to the $N_\epsilon$ locations has to be the same at both the folding and recovery stage. Because the order is important, this is the number of permutations

$$P(N^4, N_\epsilon) = \frac{(N^4)!}{(N^4 - N_\epsilon)!}. \qquad (3.24)$$

If the same perturbation is applied to each of the $N_\epsilon$ locations, the order in which the perturbations are applied to the $N_\epsilon$ locations does not make any difference. Because the order is not important, this is the number of combinations

$$C(N^4, N_\epsilon) = \frac{P(N^4, N_\epsilon)}{N_\epsilon!}. \qquad (3.25)$$

From the above it is clear that applying a different perturbation to each location results in the larger number, shown in equation (3.24). Therefore the number of permutations for $N_\epsilon = 2$, 3 and 4 different perturbations is shown against the block size $N$ in the table below.

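| $N$ | 8 | 16 | 24 |
|---|---|---|---|
| $P(N^4, 2)$ | $1.67 \times 10^{7}$ | $4.29 \times 10^{9}$ | $1.10 \times 10^{11}$ |
| $P(N^4, 3)$ | $6.87 \times 10^{10}$ | $2.81 \times 10^{14}$ | $3.65 \times 10^{16}$ |
| $P(N^4, 4)$ | $2.81 \times 10^{14}$ | $1.84 \times 10^{19}$ | $1.21 \times 10^{22}$ |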

Choice of Private Key

Under the assumption that each perturbation size and location combination results in a different folded image, the private key can be either:

1) A single perturbation. In this case the only two parameters which can be changed, are the perturbation size and its location. Therefore the choice for a private key can be, either one or the other, or a combination of the two.

The number of locations resulting from choosing a pseudorandom location within each block depends on $H_1$. In extreme cases such as $H_1 = 1$, this results in only $N^4$ locations. Therefore the location on its own is not suitable as a private key. The location could however be applied in combination with the size of the perturbation.

This would increase the keyspace from $\#_{\text{pert}}$ to a minimum of $N^4 \#_{\text{pert}}$, shown below for the block sizes $N = 8$, 16 and 24.

| $N$ | 8 | 16 | 24 |
|---|---|---|---|
| keyspace | $9.22 \times 10^{15}$ | $1.48 \times 10^{17}$ | $7.47 \times 10^{17}$ |

2) $N_\epsilon$ perturbations. Combining the perturbation size with location increases the number of permutations from those shown in equation (3.24). Each of the $N_\epsilon$ locations can have all the $\#_{\text{pert}}$ perturbations applied to it; however, once a perturbation has been applied the number of locations is decreased by one. Therefore for $N_\epsilon$ perturbations the size of the keyspace is calculated from

$$\text{keyspace} = \frac{(N^4)!}{(N^4 - N_\epsilon)!} \, (\#_{\text{pert}})^{N_\epsilon}. \qquad (3.26)$$

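| $N$ | 8 | 16 | 24 |
|---|---|---|---|
| $N_\epsilon = 2$ | $8.51 \times 10^{31}$ | $2.18 \times 10^{34}$ | $5.58 \times 10^{35}$ |
| $N_\epsilon = 3$ | $7.85 \times 10^{47}$ | $3.21 \times 10^{51}$ | $4.17 \times 10^{53}$ |
| $N_\epsilon = 4$ | $7.23 \times 10^{63}$ | $4.74 \times 10^{68}$ | $3.12 \times 10^{71}$ |
| ... | ... | ... | ... |
| $N_\epsilon = 10$ | $4.40 \times 10^{159}$ | $4.90 \times 10^{171}$ | $5.42 \times 10^{178}$ |

Table 3.1: The size of the keyspace for the SVD method is shown against the number of perturbations $N_\epsilon = 2$, 3, 4 and 10, for each block size $N = 8$, 16 and 24.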

The keyspace is shown in Table 3.1 against the number of perturbations $N_\epsilon = 2$, 3, 4 and 10, for each block size $N = 8$, 16 and 24.

As shown in Table 3.1, the size of the keyspace rapidly increases with the number of perturbations $N_\epsilon$. The result for $N_\epsilon = 10$ is shown to illustrate that, even with the smallest block size $N = 8$, this system can have a keyspace more than double the $s_{\max}$ of the RC4 stream cipher.

The keysize for the $N_\epsilon$ perturbations is much larger than for a single perturbation.

Therefore the combinations of $N_\epsilon$ different perturbations will be the private key for the SVD method.
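
Equations (3.24) and (3.26) and the $H_1$ threshold for the seeded locations, recomputed in Python and expressed in bits so they can be compared with conventional key sizes. This is an added example, not code from the thesis; it uses only the rounded figures quoted above ($\#_{\text{pert}} \approx 2.25 \times 10^{12}$, $s_{\max} = 2^{256}$), and the function names are illustrative.

```python
import math

# Figures quoted in the text (rounded there); nothing else is assumed.
PERT = 2.25e12      # #pert, number of distinct perturbation sizes
S_MAX_BITS = 256    # s_max = 2^256 seeds for the PRNG

def location_permutations(N, n_eps):
    """Eq. (3.24): ordered choices of n_eps distinct positions out of N^4."""
    return math.perm(N**4, n_eps)

def keyspace_bits(N, n_eps):
    """log2 of eq. (3.26): P(N^4, n_eps) * #pert^n_eps."""
    return math.log2(location_permutations(N, n_eps)) + n_eps * math.log2(PERT)

def single_perturbation_bits(N):
    """log2 of N^4 * #pert, the single-perturbation keyspace."""
    return math.log2(N**4) + math.log2(PERT)

def min_blocks_for_seed_space(N):
    """Smallest H1 for which (N^4)^H1 >= s_max."""
    return math.ceil(S_MAX_BITS / math.log2(N**4))

def location_bits(N, h1):
    """log2 of min((N^4)^H1, s_max): per-block locations drawn from a seed."""
    return min(h1 * math.log2(N**4), S_MAX_BITS)

if __name__ == "__main__":
    # These are key counts; they equal effective key sizes only under the
    # text's assumption that every size/location choice folds differently.
    for N in (8, 16, 24):
        row = ", ".join(f"N_eps={k}: {keyspace_bits(N, k):6.1f}"
                        for k in (2, 3, 4, 10))
        print(f"N={N:2d}  single: {single_perturbation_bits(N):5.1f} bits  "
              f"H1 >= {min_blocks_for_seed_space(N)}  {row}")
```

For $N = 8$ this gives about 53 bits for a single perturbation, about 106 bits for $N_\epsilon = 2$ and about 530 bits for $N_\epsilon = 10$, against the 256 bits of $s_{\max}$.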