Cryptographic Secrecy Analysis of Adaptive Steganographic Syndrome-Trellis Codes

Compared with traditional steganography, adaptive steganography based on STC (Syndrome-Trellis Codes) has extremely high antidetection ability and has been amainstream and hot research direction in the field of information hiding over the past decades. However, it is noted, in specific scenarios, that a small number of methods can extract data from STC-based adaptive steganography, indicating security risks related to such algorithms. In this manuscript, the cryptographic secrecy of this kind of steganography is analyzed, on condition of two common attacks: stego-only attack and known-cover attack, respectively, from three perspectives: steganographic key equivocation, message equivocation, and unicity distance of the steganographic key. Focusing on the special layout characteristics of the parity-check matrix of STC, under the two attack conditions, the theoretical boundaries of the steganographic key equivocation function, the message equivocation function, and the unicity distance of the steganographic key are separately obtained, showing the impact of the three elements: the submatrix size, the randomness of the data, and the cover object on the cryptographic secrecy of the STC-based adaptive steganography, resulting in a theoretical reference to accurately judge the cryptographic secrecy of such steganography and design more secure steganography methods.


Introduction
Digital steganography ensures data security by embedding data into multimedia files such as digital images, audio, videos, etc., for transmission [1]. is kind of communication conceals the fact that "communication is happening" and is highly deceptive, which has become a main method of covert communication and a research hotspot in the field of information security in recent years [2]. e security of steganography includes covert security and cryptographic secrecy. e covert security refers to antidetection performance of data, and the cryptographic secrecy refers to antiextraction performance of data [3]. At present, there have been a lot of research studies [4][5][6] on the antidetection performance, while relatively few research studies [7] on the antiextraction performance. e adaptive steganography based on STC (Syndrome-Trellis Codes) [8] has a high antidetection performance by embedding data into complex texture areas that are difficult to model and has been a mainstream direction in the field of information hiding in recent years. At present, many STC-based adaptive steganography algorithms [9][10][11][12][13] have been proposed. However, there have been a few studies [14][15][16] that could extract data from STC-based adaptive steganography in specific scenarios, indicating that such algorithms may have hidden security risks. erefore, carrying out a comprehensive and in-depth cryptographic secrecy analysis of such steganography has important research value for judging the security of such steganography and designing more secure steganography methods.
Early studies on steganographic security mainly focused on the covert security. Cachin [17] was the first to study the covert security from the perspective of communication. He defined the active attacker and the passive attacker by the information theory model and distinguished the concepts of perfect concealment and perfect confidentiality for the first time. Hopper [18] studied the problem of covert security from the perspective of cryptography and defined covert security from the perspective of computational complexity under the assumption of passive aggression. As the problem of data extraction was put forward, some scholars [3,[9][10][11][12] pointed out that steganography should not only have covert security but also have cryptographic secrecy.
Data extraction essentially is a kind of cryptanalysis [3]. Provos and Honeyman [19] first studied the cryptographic secrecy of steganography and proposed a general model for attacking random steganography, that is, simultaneously exhausting the encryption key and steganography key space. e computational complexity of the attack algorithm is O(|K| × |E|) where K represents the steganographic key space and E represents the encryption key space. Fridrich et al. [20,21] analyzed the cryptographic secrecy for the first time from the perspective of computational complexity and pointed out that if an attacker could independently extract the data, the attack complexity of restoring plaintext could be reduced from O(|K| × |E|) to O(max |K|, |E| { }). Zhang and Li [3] gave a measurement method of cryptographic secrecy and the relationship among cryptographic secrecy, information transmission rate, and key rate by drawing on Shannon's definition of the confidentiality system. In addition, he pointed out that the cryptographic secrecy brought by steganography was essentially a cryptographic feature. Further, Zhang and Li pointed out in [22] that even if the data embedded through steganography was unencrypted, it was still relatively secure in the sense of cryptography as long as the steganography itself had strong cryptographic secrecy.
With the proposal of a large number of steganography algorithms [23][24][25] based on matrix coding [26], the research on cryptographic secrecy has shifted to cryptographic secrecy of steganographic matrix coding. Regalia [27] used the information theory method to study the cryptographic secrecy of steganographic matrix coding under the condition of stego-only attack. e upper bound of the steganographic key equivocation function and the relationship among message equivocation function, cover entropy, and data entropy under different steganographic key models were separately obtained in [27]. In addition, Regalia demonstrated that the perfect secrecy defined by Shannon can be progressively achieved using wet paper coding. Chen et al. [28] studied the cryptographic secrecy of matrix coding under different attack conditions. In the condition of stegoonly attack, the theoretical bound of unicity distance of the steganographic key was given, which supplemented the research results of Regalia. Under the condition of knowncover attack, the upper bounds of the steganographic key equivocation function and message equivocation function of matrix encoding-based steganography were given.
In recent years, STC-based adaptive steganography has become a research hotspot in the field of information hiding with high covert security [29]. is type of coding makes the data embedding related to all the elements of the image, resulting in a decrease in the correlation between the steganographic key and stego object, and has extremely high resistance to detection. However, in the existing literatures [14][15][16], there have been a small number of data extraction methods, which could extract data from STC-based adaptive steganography under specific conditions. Liu et al. [14] presented a "column grouping" method for extracting the data under the conditions of "chosen-stego-object" and "data-retransmission," respectively. ese methods were based on the time-invariant property of the convolutional codes, and they could reduce the steganographic key space to a very small candidate set for arbitrary relative payload without exhaustive searches. In our previous research [15,16], we presented a method for extracting data, respectively, in two cases where embedded data was plaintext and part of plaintext was known. Aiming at the case that embedded data was plaintext, Luo et al. [15] proposed an extraction method based on the parameter identification of STC. Based on the randomness difference between plaintext and ciphertext, the method first exhausted the submatrices and then judged whether the submatrix was correct or not according to the randomness of the data extracted from different submatrices. Under the condition that part of plaintext was known, Gan et al. [16] proposed a data extraction method based on the identity transformation of the decoding equation.
is method used the identity deformation of the parity-check matrix operation to simplify the decoding equation, then converted the unknown and relatively complex parity-check matrix into a column vector that was easy to solve, and finally eliminated the impossible parity-check matrix based on the code judgment standard. e above research studies show that, in some cases, STCbased adaptive steganography may have hidden confidential dangers, and it is necessary for us to carry out research on the cryptographic secrecy of STC-based adaptive steganography. However, unlike general matrix coding, there are few research results on the cryptographic secrecy of STC-based adaptive steganography, and the element affecting the cryptographic secrecy is not clear yet. We still need to conduct in-depth analysis on the cryptographic secrecy of such algorithm to measure the cryptographic secrecy of such algorithms is related to what element and how are they related. To be specific, what are the upper bounds of the amount of data information and steganographic key information that can be leaked from stego objects and cover objects? What elements are the upper bounds relate to and in what relation? What is the lower bound of the amount of information an attacker needs to recover the steganographic key? What elements are this lower bound relate to and in what relation?
For this reason, this manuscript carries out the cryptographic secrecy research on STC-based adaptive steganography. Benchmarking the related theories in classical cryptography, this manuscript analyzes the cryptographic secrecy of steganography from three aspects, namely, the steganographic key equivocation, the message equivocation, and the unicity distance of the steganographic key, under two attack conditions of stego-only and known-cover, respectively. e main work of this manuscript is as follows: (1) Under the condition of stego-only attack, the cryptographic secrecy of STC-based adaptive steganography algorithm is studied from three aspects: the steganographic key equivocation, the message equivocation, and the unicity distance of the steganographic key. More specifically, under the condition of stego-only attack and based on the special structure of the STC parity-check matrix, we obtain the upper bound of the amount of steganographic key information and data information leaked from the stego object, the lower bound of the amount of information an attacker needs to recover the steganographic key, and the quantitative relationship between these theoretical bounds and submatrices, data, and cover objects. It can be seen from the obtained quantitative relationship: the better the randomness of the data and the cover object and the larger the scale of the STC submatrices, correspondingly the stronger the cryptographic secrecy. (2) Under the condition of known-cover attack, the cryptographic secrecy of the STC-based adaptive steganography algorithm is studied from three aspects: the steganographic key equivocation, the message equivocation, and the unicity distance of the steganographic key. More specifically, under the condition of known-cover attack and based on the special structure of the STC parity-check matrix, we obtain the upper bound of the amount of steganographic key information and data information leaked from the stego object and cover object, the lower bound of the amount of information an attacker needs to recover the steganographic key, and the quantitative relationship between these theoretical bounds and submatrices, data, and cover objects. It can be seen from the obtained quantitative relationship: the better the randomness of the data and the cover object and the larger the scale of the STC submatrices, correspondingly the stronger the cryptographic secrecy.
e structure of this manuscript is as follows: Section 2 is a description of the problem, which introduces the notation used in this manuscript, analyzes the STC encoding and decoding principle, and puts forward the problems to be studied in this manuscript. is manuscript intends to study the cryptographic secrecy of STC-based adaptive steganography from three aspects: the steganographic key equivocation, the message equivocation, and the unicity distance of the steganographic key. Section 3 studies the theoretical bound of the steganographic key equivocation, the message equivocation, and the unicity distance of the steganographic key under the stego-only attack. Section 4 studies the theoretical bound of the steganographic key equivocation, the message equivocation, and the unicity distance of the steganographic key under known-cover attack. Section 5 is the discussion and conclusion of this manuscript.

Problem Setup
In this section, we will introduce the notation used in this manuscript, analyze the principle of STC encoding and decoding, and put forward the problems to be studied in this manuscript.

Symbols.
In this manuscript, random variables are denoted by uppercase italic letters, with lowercase bold letters denoting particular realizations. Decorated letters denote the set. We treat all signals as vectors of bits (each 0 or 1), using componentwise modulo-2 addition over the Galois field F 2 . In particular, X is the cover sequence of length n, Y is the stego sequence of length n, and M is the data of length of q, in which q < n.
Entropy is denoted by H(·), as in e entropy is used to describe the average uncertainty of random variables. Assuming X 1 , X 2 , . . . , X n are random variables, the joint entropy satisfies the chain rule: e conditional entropy is used to describe the average uncertainty of random variable Y under the condition of known random variable X.
Average mutual information is denoted by I(X; Y), as in e average mutual information is used to describe how much uncertainty about random variable X can be eliminated when random variable Y is known.

Analysis of STC Encoding and Decoding Principle.
is section will briefly analyze the principle of STC encoding and decoding in adaptive steganography. Before the analysis, we first introduce the basic process of STCbased adaptive steganography.
We begin with the basic setup of Figure 1. A binary cover sequence x is first extracted from a cover object (image, audio, videos, etc.) by a bit-assignment function which is commonly assumed publicly known.
us, for simplicity, the cover Security and Communication Networks sequence and stego sequence can be thought as the cover and stego object in our analysis. Assume that both sides of communication want to transfer data m (m ∈ F 2 q ) with q bits, using a binary cover sequence y(y ∈ F 2 n ) whose length is n, where q < n. Usually, the data is encrypted ciphertext. e sender first permutes the binary cover sequence into the permuted cover sequence, then calculates the embedding distortion in different locations of the cover image, and finally uses STC to select the modifying positions adaptively according to the calculated distortion and embed data with minimum embedding distortion. After the sender inversely permuting the corresponding stego sequence, the stego sequence can be obtained.
In the above process, the STC is the most important. e following is an analysis of the STC encoding and decoding principle.
e cover object and stego object are denoted as x � (x 1 , x 2 , . . . , x n ) and y � (y 1 , y 2 , . . . , y n ) ∈ F n 2 , respectively, where the embedded data is denoted as m. e STC encoding and decoding processes can be realized by equations (5) and (6), respectively: where D(x, y) is an embedding distortion function, k and k ∈ F q×n 2 is the STC parity-check matrix, and C(m) � z ∈ F n 2 |kz � m is the coset corresponding to syndrome. From equation (5), we can see that the purpose of STC encoding is to find the optimal y subjected to equation (6) to minimize embedding distortion D(x, y). e parity-check matrix k is composed of a small submatrix k 1 of size h × w, as shown in Figure 2. e submatrices are placed next to each other and shifted down by one row. e values of the elements in the submatrix denote the encoding content parameters. e width w is dictated by the relative payload α. If the relative payload α is equal to 1/k for some k ∈ Z + (Z + represents the positive integer), then select w � k; otherwise, if 1/k + 1 < α < 1/k, then the parity-check matrix k will contain a mix of submatrices of widths k and k + 1.
For example, suppose the relative payload α � 0.5, then the parity-check matrix k is composed of one submatrix k 1 .
If the submatrix k 1 is selected as 1 0 0 1 , then parity-check matrix k can be shown as If the relative payload α � 0.4, then the parity-check matrix k is composed of two different submatrices. For example, if the submatrices are selected as 1 0 0 1 and 1 1 1 0 1 1 , then parity-check matrix k will be formed as 1 0 As shown in Figure 1, the binary cover sequence is usually permuted into the permuted cover sequence before embedding the data in the actual covert communication based on adaptive steganography. en, the sender uses STC encoding to embed the data into the permuted cover sequence to generate the corresponding stego sequence. Finally, perform the inverse permutation operation on the  corresponding stego sequence to generate the stego sequence and send it to the receivers. e receivers extract the data through the preappointed submatrices and permutation process. For attackers to obtain the content of covert communication, his task is to extract the embedded data from the intercepted stego objects. As long as the correct parity-check matrices and the process of permutation are obtained, the attackers can extract embedded data from STC-based adaptive steganography such as receivers. It is worth noting that the permutation process is mostly determined by the length of the data. As the same time, the length of the data is exactly the height of the parity-check matrix. In sum, if attackers obtain the correct parity-check matrices, he can be the same as the receivers and extract the data from STC-based adaptive steganography. erefore, the extraction of data from STC-based adaptive steganography is equivalent to the recovery of parity-check matrices. From this perspective, we can regard the parity-check matrices as the steganographic key in the covert communication process.
Shannon [30] pointed out that "breaking a good cryptographic system" is equivalent to solving a complex equation that contains a large number of unknowns. However, it can be seen from the above analysis that the decoding system of STC is a system of linear equations, whose form is simple (the parity-check matrix is simply rearranged of the submatrices in the main diagonal direction of the parity-check matrix) and vulnerable to attack.
In this manuscript, cryptographic secrecy of STCbased adaptive steganography is analyzed under two common attack conditions: stego-only and known-cover. e stego-only attack refers to the steganographic key recovery under the condition that only the stego object is obtained; the known-cover attack refers to the steganographic key recovery under the condition that the stego object and cover object are obtained. From Figure 1, we can see that the parity-check matrix, distortion function, data, and cover object are the four elements in the embedding process of STC-based adaptive steganography. What is the relationship between the cryptographic secrecy of STC-based adaptive steganography and submatrix, distortion function, data, stego object, and cover object? More specifically, under the two conditions, what is the upper bound of the amount of steganographic key information and data information leaked from the stego object and cover object? What does this upper bound have to do with the submatrix, distortion function, data, stego object, and cover object? What is the lower bound of the information required by the attacker to recover the steganographic key under these attack conditions? What does this lower bound have to do with the submatrix, distortion function, data, stego object, and cover object? ese are the questions to be studied in this manuscript.

Cryptographic Secrecy of STC under Stego-
Only Attack e most common scenario is that the attacker only obtains the stego object. We call this steganographic key recovery under that condition as the stego-only attack, which is the most difficult and common type of all attacks. In the following, we are concerned about the upper bound of the amount of the steganographic key information and data information that can be leaked by the stego object, and the lower bound of the amount of information required by the attacker to recover the steganographic key under this attack condition.

Steganographic Key Equivocation.
Under the stego-only attack, the steganographic key equivocation function is denoted by I(K; Y) [27] as in which measures how much steganographic key information may be revealed from observation of the stego object. e greater the steganographic key equivocation function I(K; Y), the more steganographic key information can be obtained by the attacker from the stego object, that is, the easier the attacker can infer the correct steganographic key and the less secure the steganographic system will be. e following theorem gives the upper bound of the steganographic key equivocation function under the stego-only attack, that is, how much steganographic key information can be leaked by the stego object at most.

Theorem 1.
Under the stego-only attack, when all cover objects and data equally probable, the key equivocation function is bounded as in which q is the length of data M.
Proof. According to the chain rule of the entropy function (equation (2)), we can isolate the joint entropy H(X, M, Y, K, T) of cover object X, data M, stego object Y, steganographic key K, and distortion function T as follows: According to equation (5), the sender in covert communication can generate a unique stego object Y from the steganographic key K, data M, distortion function T, and cover object X, which implies

Security and Communication Networks
Following equation (11), we have e last step is valid since the independence of the steganographic keys K, stego object Y, distortion function T, and cover object X. According to the chain rule of the entropy function (equation (2)), we can isolate the entropy H(X, M, Y, K, T) in another way: Combining equations (13) and (14), we get According to the relationship between mutual information and entropy (equation (4)), the average mutual information I(X; K, Y, T) can be isolated as follows: By substituting equation (16) into equation (15), we get According to equation (2), we can isolate the entropy joint H(Y, X, T, K, M) as follows: e independence between distortion function T, steganographic key K, and stego object Y means Substitute equation (19) into equation (18) From equation (6), we know that the data M can be obtained by the steganographic key K and the stego object Y, suggesting H(M|T, K, Y) � 0. As a result, the last step is valid. We From equation (5), we know that the stego object Y can be obtained by the cover object X, distortion function T, steganographic key K, and data M, suggesting H(Y| X, T, K, M) � 0. As a result, the last step is valid. Combining equations (20) and (23) Together with nonnegative of average mutual information, we get the desired result.
Particularly, when all cover objects and data are equally probable, that is, H(M) � q and H(X) � n, the following equation is obtained: en, an application of the nonnegative of average mutual information yields eorem 1 shows that the knowledge of the stego object does not assist in deducing the uncertainty of steganographic key (I(K; Y) � 0) when the data is completely random (H(M) � q) and cover object is completely random (H(X) � n).
is means (1) the choice of cover has an impact on cryptographic secrecy of STC-based adaptive steganography.
e better the randomness of cover, the higher the cryptographic secrecy. (2) Compared to the data is plaintext, when the data is encrypted ciphertext, the cryptographic secrecy of STC-based adaptive steganography is higher.
It is worth noting that, as a result of eorem 1, the upper bound on the steganographic key equivocation function is independent of the distortion function, that is, the uncertainty about the steganographic key is independent of the specific distortion function taken by the adaptive steganographic algorithm. However, most of the existing studies on steganographic algorithms are in pursuit of the design of new distortion functions, which may improve the covert security, that is, antidetection, but is not conducive to the enhancement of cryptographic secrecy.
which measures how much data information may be revealed from observation of the stego object. e greater the message equivocation function is, the more data information can be obtained by the attacker from the stego object, that is, the easier the attacker can extract the data, and the less secure the steganographic system will be. e following theorem gives the upper bound of the message equivocation function under the stego-only attack, that is, how much data information can be leaked by the stego object at most. In order to establish a relationship between the upper bound of message equivocation function I(M; Y) and the size of the submatrix, we first prove the following lemma.
When the reciprocal of the relative payload α is not an integer, the STC parity-check matrix consists of two submatrices with widths w 1 and w 2 .
Proof. According to the stego object, we can estimate the relative payload α. For example, in [31], the rich model is used for quantitative analysis to realize the estimation of relative payload α. e width of the submatrix can be obtained by relative payload α. For a submatrix with height h and width w, the number of all possible submatrices is 2 hw . Filler et al. [8] pointed out that a good submatrix should meet the requirements that the first row and the last row are 1 and any two columns are not the same. When the reciprocal of the relative payload is an integer, the parity-check matrix is only composed of a single submatrix, and the size of the steganographic key space is erefore, given the stego object, the average uncertainty of the steganographic key is e parity-check matrix is composed of two submatrices when the reciprocal of the relative payload is not an integer. e size of the steganographic key space is us, Security and Communication Networks in which w 1 � 1/α and w 2 � 1/α + 1. e penultimate step is valid since log 2 . For example, when the height of the submatrix is fixed at 7, the relationship between H(K|Y) and the relative payload α is shown in Figure 3. When the number of different submatrices is fixed at one (that is, the reciprocal of the relative payload is an integer), the relative payload is taken as 0.05 bpp, 0.1 bpp, 0.2 bpp, 0.25 bpp, and 0.5 bpp. When the number of different submatrices is fixed at two (that is, when the reciprocal of the relative payload is not an integer), the relative payload is taken as 0.06 bpp, 0.15 bpp, 0.24 bpp, 0.35 bpp, and 0.45 bpp. It can be seen from Figure 3 that H(K|Y) decreases as the relative payload increases when the number of different submatrices is fixed. e relationship between H(K|Y) and the height of the submatrix is shown in Figure 4. e relative payload is fixed at 0.2 bpp and 0.4 bpp in order. When the relative payload is fixed at 0.2 bpp, the parity-check matrix is composed of one submatrix with width of 5; when the relative payload is fixed at 0.4 bpp, the parity-check matrix is composed of two different submatrices with width of 2 and 3. It can be seen from Figure 4 that H(K|Y) increases as the height of the submatrix increases when the relative payload is fixed.
Lemma 1 indicates the relationship between conditional entropy H(K|Y) and the size of submatrices. Based on this relationship, we can obtain the relationship between the upper bound of the message equivocation function and the size of the submatrices under the stego-only attack. See the following theorem for details. Proof. Due to the relationship between mutual information and entropy, we have

I(M; Y) � H(Y) − H(K) − H(T) − H(X) + H(T|M, K, Y) + H(X|M, K, Y, T) + H(K|Y) − H(M|Y). (38)
Due to the chain rule of the entropy function (equation (2) It can be seen from eorem 2 that the upper bound of the message equivocation function increases as the height of the submatrices increases when the relative payload is fixed. When the number of different submatrices is fixed, the upper bound of the message equivocation function decreases as the relative payload increases. is is because the larger the submatrices size and the larger number of different submatrices mean the more encoding content parameters and harder to extract the data. erefore, we should choose submatrices with bigger size and a relative payload whose reciprocal is not    an integer preferentially. However, the above methods will increase the time consumption of generating stego objects.

e Unicity Distance of the Steganographic
Key. e security of a steganographic algorithm is generally only based on the secrecy of the steganographic key. Accordingly, a complete breach of a steganographic algorithm by an attacker means that he can find a way to recover the steganographic key. erefore, the following is to further analyze the cryptographic secrecy of STC-based adaptive steganography from the perspective of the unicity distance of the steganographic key [3]. Specifically, we consider the minimum amount of data required by the attacker to recover the steganographic key on average. e following theorem gives the relationship between the unicity distance of the steganographic key N K and the size of the submatrix under the stego-only attack.

Theorem 3. Under the stego-only attack, the unicity distance of the steganographic key N K is bounded as
in which H(K|Y) �

Proof.
Denote N K groups of stego objects as Given N K stego objects, then the set of all the possible steganographic keys K(Y N K ) is and the expectation of the number of pseudokeys K P is where |K(Y N K )| represents the number of elements in set K(Y N K ).
en, an application of equation (3) yields and with equation (17) and the expectation of the number of pseudokeys N K is bounded as On that account, the unicity distance is bounded as It can be seen from eorem 6 that when the relative payload is fixed, the lower bound of the unicity distance of the steganographic key N K increases as the height h of the submatrix increases; when the number of different submatrices is fixed, the unicity distance of the steganographic key N K decreases as the relative payload α increases. is is because the larger sizes of submatrices and number of different submatrices mean the more encoding content parameters, that is, the more difficult it is to restore the steganographic key. erefore, in order to recover the steganographic key, the average amount of information the attacker needs to obtain in advance become more. We should choose submatrices with bigger size and a relative payload whose reciprocal is not an integer preferentially. However, the above method will increase the time consumption of generating stego objects.
In this section, the cryptographic secrecy of the STCbased adaptive steganography algorithm is studied from three aspects: the steganographic key equivocation, the message equivocation, and the unicity distance of the steganographic key under the known-cover attack. More specifically, we obtain the upper bound of the amount of steganographic key information and data information leaked from the cover object and stego object, the lower bound of the amount of information an attacker needs to recover the steganographic key, and the quantitative relationship between these theoretical bounds and the submatrices, data, and cover object.

Cryptographic Secrecy of STC under Known-Cover Attack
With the development of steganalysis technology, attackers may obtain stronger attack conditions: obtaining the cover object. Attack under this condition is called known-cover attack. Similar to Section 3, this section discusses the cryptographic secrecy of STC-based adaptive steganography from three aspects: the steganographic key equivocation function, message equivocation function, and unicity distance of the steganographic key.

Steganographic Key Equivocation.
Under the knowncover attack, the steganographic key equivocation function is denoted by I(K; X, Y) [27] as in which measures how much steganographic key information may be revealed from observations of the cover object and stego object. e greater the steganographic key equivocation function is, the more steganographic key information can be obtained by the attacker from the cover object and stego object, that is, the easier the attacker can infer the steganographic key, and the less secure the steganographic system will be. e following theorem gives the upper bound of the steganographic key equivocation function under the known-cover attack, that is, how much steganographic key information can be leaked by the cover object and stego object at most. Proof. According to the chain rule of entropy function (equation (2) According to the relationship between mutual information and entropy (equation (4)), we have It can be seen from eorem 4 that when the relative payload is fixed, the steganographic key equivocation function increases as the height of the submatrices increases; when the number of different submatrices is fixed, the steganographic keys' equivocation function decreases as the relative payload increases.
is is because the larger the submatrices size and the more different submatrices number mean the more encoding content parameters and the more difficult to completely restore the steganographic key. erefore, we should choose submatrices with bigger size, and a relative payload whose reciprocal is not an integer preferentially. However, the above methods will increase the time consumption of generating stego objects.

Message Equivocation.
Under the known-cover attack, the message equivocation function is denoted by I(M; X, Y) [28] as in which measures how much data information may be revealed from observations of the cover object and stego object. e greater the message equivocation function I(M; X, Y) is, the more information about the data M can be obtained by the attacker from the cover object X and stego object Y, that is, the easier the attacker can extract the data, and the less secure the steganographic system will be. e following theorem gives the upper bound of the message equivocation function under the known-cover attack, that is, how much data information can be leaked by the cover object and stego object at most.  It can be seen from eorem 5 that when the relative payload is fixed, the message equivocation function increases as the height of the submatrix increases; when the number of different submatrices is fixed, the message equivocation function decreases as the relative payload increases. is is because the larger the submatrices size and number of different submatrices mean the more encoding content parameters and more difficult to extract the data completely. erefore, we should choose submatrices with bigger size, and a relative payload whose reciprocal is not an integer preferentially. However, the above methods will increase the time consumption of generating stego objects.

e Unicity Distance of the Steganographic Key.
e following theorem gives the relationship between the unicity distance of the steganographic key and the size of the submatrix under the cover-known attack.

Theorem 6.
Under the known-cover attack, the unicity distance of the steganographic key N K is bounded as in which H(K|Y) � Proof. Denote N K groups of covers and stego objects as Given N K pairs of covers and stego objects, then denote the set of all the possible steganographic keys K as K(Y N K , X N K ); then, and the expectation of the number of pseudokeys K P is where |K(Y N K , X N K )| represents the number of elements in set K(Y N K , X N K ). e application of equation (3) yields Because of H(Y N K |K, M N K , T N K , X) � 0 (it is because the stego object Y can be determined by steganographic key K, data M, distortion function T, and cover object X) and joint entropy H(M N K , T N K , X N K , K) � N K (H(X)+ H(M) + H(T)) + H(K) (it is because the independence of steganographic key K, data M, distortion function T, and cover object X), we can isolate the joint entropy H(Y N K , X N K , M N K , T N K , K) as According to the chain rule of the joint entropy function (equation (2)), we can rearrange the joint entropy (77)

Security and Communication Networks 13
Expectation of the number of pseudosteganographic key K p is bounded as As a result, the unicity distance N K is bounded as in which H(K|Y) � It can be seen from eorem 6 that when the relative payload is fixed, the lower bound of the unicity distance of the steganographic key N K increases as the height h of the submatrix increases; when the number of different submatrices is fixed, the unicity distance of the steganographic key N K decreases as the relative payload α increases. is is because the larger sizes of submatrices and number of different submatrices mean the more encoding content parameters, that is, the more difficult it is to completely restore the steganographic key. erefore, the average amount of data required to recover the steganographic key are more. We should choose submatrices with bigger size and a relative payload whose reciprocal is not an integer preferentially. However, the above method will increase the time consumption of generating stego objects.
In this section, the cryptographic secrecy of the STCbased adaptive steganography algorithm is studied from three aspects: the steganographic key equivocation, the message equivocation, and the unicity distance of the steganographic key under the known-cover attack. More specifically, we obtain the upper bound of the amount of steganographic key information and data information leaked from the cover object and stego object, the lower bound of the amount of information an attacker needs to recover the steganographic key, and the quantitative relationship between these theoretical bounds and submatrices, data, and cover object.

Discussion and Conclusion
is section mainly uses the results obtained in this manuscript to explain the performance of the data extraction methods proposed in [14][15][16] and summarizes this manuscript.

Discussion.
e research results of this manuscript show that the cryptographic secrecy of the STC-based adaptive steganography algorithm has a quantitative relationship with the submatrix used by STC under the stego-only attack and the known-cover attack. More specifically, when the number of different submatrices is fixed, the larger size of the submatrix, the stronger the cryptographic secrecy. However, when the height of the submatrix is fixed, the smaller the relative payload, the stronger the cryptographic secrecy is not necessarily. For example, when the height of the submatrix is fixed at 7, the cryptographic secrecy at a relative payload of 0.3 bpp is higher than that at a relative payload of 0.2 bpp. is is because when the height of the submatrix is fixed at 7, there are 49 encoding parameters that need to be restored at a relative payload of 0.3 bpp, while 35 encoding parameters need to be restored at a relative payload of 0.2 bpp. In fact, under different attack conditions, [14][15][16] all have similar conclusions in different attack methods: the more encoding parameters, the greater the time overhead and the lower the recovery rate. is is because STC are a linear structure, and the more unknowns there are, the more difficult it is to solve. erefore, when the two parties conduct covert communication, they can select submatrices with greater height and width to enhance the cryptographic secrecy of the covert communication according to actual needs. However, the above method will increase the time consumption of generating the stego object. us, we need to make a compromise between cryptographic secrecy and time consumption of generating the stego object. e research results of eorem 2 on the steganographic key equivocation in the third section of this manuscript shows that the better the randomness of the embedded data, the smaller the theoretical upper bound of the steganographic key equivocation and the less steganographic key information is obtained from the stego object. is means that, for STC-based adaptive steganography, the randomness of data also has impact on the security of the steganography system. However, the research results of [22] show that even if the data embedded via steganography is unencrypted, as long as the steganography itself has strong cryptographic secrecy, it is still safe in the cryptographic sense. For STC-based adaptive steganography algorithms that use plaintext as data, Luo et al. [15] proposed a data extraction method based on the difference in randomness of the data extracted by correct encoding parameters and the incorrect encoding parameters under the condition of the stego-only attack. When the embedded data is a ciphertext, the random sequence extracted by the incorrect parity-check matrix is indistinguishable from the data extracted by the correct parity-check matrix, which makes the method proposed in [15] invalid. us, the sender should encrypt the data when performing covert communication, and the stronger the randomness of the cipher text, the better the cryptographic secrecy of covert communication.

Conclusion.
e STC-based adaptive steganography has become the mainstream steganography technology with strong covert security. However, as the problem of data extraction was put forward, researchers have gradually begun to pay attention to the factors related to the antiextraction performance of steganography algorithms and what quantitative relationship they have. In the future, the security of STC-based adaptive steganography will gradually get shocked.
is manuscript studies the cryptographic secrecy of the STC-based adaptive steganography algorithm from three aspects: steganographic key equivocation, message equivocation, and unicity distance of the steganographic key under the condition of stego-only attack and known-cover attack. More specifically, based on the special structure of the STC parity-check matrix, we obtain the upper bound of the amount of steganographic key information and data information leaked from the stego object and cover object, the lower bound of the amount of information an attacker needs to recover the steganographic key, and the quantitative relationship between these theoretical bounds and submatrices, data, and cover object. e research results of this manuscript show that the better the randomness of the data and the cover object, the more coding contents parameters of STC, correspondingly the stronger the cryptographic secrecy of the STC-based adaptive steganography algorithm. e research results of this manuscript not only provide precise theoretical guidance for improving the more secure communication based on STC but also provide a theoretical bound of the amount of information required for the attackers to extract data. Next, we will study the data extraction method under the theoretical framework of this manuscript and verify the correctness of the theoretical derivation in this manuscript.

Data Availability
No data were used to support the findings of this study.

Conflicts of Interest
e authors declare that they have no conflicts of interest.