Professional Documents
Culture Documents
[A
r
, V
r
) = accept].
We assume that A can have precise knowledge of how V works; the only piece
of information that A cant know is r
k :
m
i=k+1
m
i
i
(1 )
mi
1 &
k
i=0
m
i
i
(1 )
mi
[1] and i ,= i
then T(i) ,= T
(i
)
for any T, T
, +
)
solution to an instance of T2 (where
and
[M
r
, B
r
) = reject] = 1
B
=
p
0
2
+
p
1
+ (1 p
1
)(1
B
)
2
=
p
0
+p
1
1 +p
1
,
which gives
B
1 p
0
and p
1
2(1
B
). Hence:
Pr
T ,I,r
[A
B
r
(t(j)) = j]
n
s=1
Pr
T ,I,r
[A
B
r
(t(j)) = j[[S[ = s] Pr
T ,I
[[S[ = s] (1)
=
n
s=1
1 p
0
s
Pr
T ,I
[[S[ = s] (2)
1 p
0
E
T ,I
[[S[]
(3)
1 p
0
1 +[[1][p
1
(4)
B
1 + 2[[1][(1
B
)
(5)
(2) follows by the denition of the procedure A
B
, (3) follows by Jensens in-
equality and the fact that f(x) = 1/x is concave, (4) follows because
E
T ,I
[[S[] 1 +
i=j
Pr
I,r
(B(i, t(j)) = 1)
and (5) follows by the inequalities for p
0
, p
1
and
B
given above. This completes
the proof.
Theorem 1. If T1
I,T
is (, [[1][)-hard and M = (1, T , ) is (, )-human
executable, then M is a (, ,
(2|[I]|)
2|[I]|
)-captcha.
4.2 PIX
An instance T2
I,T ,
can sometimes be used almost directly as a captcha. For
instance, if 1 is a distribution over images containing a single word and maps
an image to the word contained in it, then T2
I,T ,
can be used directly as a
captcha. Similarly, if all the images in [1] are pictures of simple concrete objects
and maps an image to the object that is contained in the image, then T2
I,T ,
can be used as a captcha.
Formally, a pix instance is a tuple X = (1, T , L, , ). The pix verier works
as follows. First, V draws i 1, and t T . V then sends to P the message
(t(i), L), and sets a timer for . P responds with a label l L. V accepts if
l = (i) and its timer has not expired, and rejects otherwise.
Theorem 2. If T2
I,T ,
is (, )-hard and X = (1, T , L, , ) is (, )-human
executable, then X is a (, , )-captcha.
Various instantiations of pix are in use at major internet portals, like Yahoo!
and Hotmail. Other less conventional ones, like Animal-PIX, can be found at
www.captcha.net. Animal-PIX presents the prover with a distorted picture of a
common animal (like the one shown below) and asks it to choose between twenty
dierent possibilities (monkey, horse, cow, et cetera).
Fig. 2. Animal-Pix.
5 An Application: Robust Image-Based Steganography
We detail a useful application of (, )-solutions to instantiations of T1 and
T2 (other than reading slightly distorted text, which was mentioned before).
We hope to convey by this application that our problems were not chosen just
because they can create captchas but because they in fact have applications
related to security. Our problems also serve to illustrate that there is a need
for better AI in security as well. Areas such a Digital Rights Management, for
instance, could benet from better AI: a program that can nd slightly distorted
versions of original songs or images on the world wide web would be a very useful
tool for copyright owners.
There are many applications of solutions to T1 and T2 that we dont mention
here. T1, for instance, is interesting in its own right and a solution for the
instantiation when 1 is a distribution on images of works of art would benet
museum curators, who often have to answer questions such as what painting is
this a photograph of?
Robust Image-Based Steganography.
Robust Steganography is concerned with the problem of covertly communicating
messages on a public channel which is subject to modication by a restricted
adversary. For example, Alice may have some distribution on images which she
is allowed to draw from and send to Bob; she may wish to communicate addi-
tional information with these pictures, in such a way that anyone observing her
communications can not detect this additional information. The situation may
be complicated by an adversary who transforms all transmitted images in an
eort to remove any hidden information. In this section we will show how to
use (, )-solutions to instantiations of T1
I,T
or T2
I,T ,
to implement a secure
robust steganographic protocol for image channels with distribution 1, when
the adversary chooses transformations from T . Note that if we require security
for arbitrary 1, T , we will require a (, )-solution to T1 for arbitrary 1, T ; if
no solution works for arbitrary (1, T ) this implies the existence of specic 1, T
for which T1 is still hard. Thus either our stegosystem can be implemented by
computers for arbitrary image channels or their is a (non-constructive) hard AI
problem that can be used to construct a captcha.
The results of this subsection can be seen as providing an implementation of
the supraliminal channel postulated by Craver [6]. Indeed, Cravers observa-
tion that the adversarys transformations should be restricted to those which do
not signicantly impact human interpretation of the images (because the adver-
sary should not unduly burden innocent correspondents) is what leads to the
applicability of our hard AI problems.
Steganography Denitions
Fix a distribution over images 1, and a set of keys /. A steganographic protocol
or stegosystem for 1 is a pair of ecient probabilistic algorithms (SE, SD) where
SE : / 0, 1 [1]
and SD : / [1]
and 1
,K
[SD
r
(K, t
1...
(SE
r
(K, ))) ,= ]
is negligible (in [K[ and ) for any 0, 1.
Let F : / 1, . . . , L 0, 1 be a pseudorandom function family.
We assume that : [1] L is eciently computable and A : S
P2
L is a
(, )-solution to T2
I,T ,
as dened above (recall that T1 is a special case of
T2), i.e. A operates in time and
Pr
t,i,r
[A
r
(t(i)) = (i)] .
Let c = Pr
i,jI
[(i) = (j)]. We require that c < 1 (that is, we require that there
is enough variability in the labels of the images to be useful for communication).
Notice that L can simply be equal to [1] and can be the identity function (in
case the images in [1] have no labels as in T1). We prove in the Appendix that
the following construction is an ecient, robust stegosystem for T .
Construction 1
Procedure SE:
Input: K /, 0, 1
for j = 1 . . . do
draw d
0
1, d
1
1
if F
K
(j, (d
0
)) = then
set i
j
= d
0
else
set i
j
= d
1
Output: i
1
, i
2
, . . . , i
Procedure SD:
Input: K /, i
1...
[1]
for j = 1 . . . l do
set
j
= F
K
(j, A(i
j
))
Output: majority(
1
, . . . ,
)
Proposition 1. Construction 1 is steganographically secret and robust for 1, T .
The proof of Proposition 1 is similar in avor to those of Hopper, Langford
and von Ahn [7] and relies on the fact that when A returns the correct solution
on received image i
j
, the recovered bit
j
is equal to the intended bit with
probability approximately
1
2
+
1
4
(1 c) and otherwise
j
= with probability
1/2; therefore the probability that the majority of the
j
are incorrect is negli-
gible in . For details, see the Appendix.
Remarks
1. Better solutions to T2
I,T ,
imply more ecient stegosystems: if is larger,
then can be smaller and less images need to be transmitted to send a bit
secretively and robustly.
2. Since we assume that T2
I,T ,
(or, as it might be the case, T1
I,T
) is easy for
humans, our protocol could be implemented as a cooperative eort between
the human recipient and the decoding procedure (without the need for a
solution to T1
I,T
or T2
I,T ,
). However, decoding each bit of the secret
message will require classifying many images, so that a human would likely
fail to complete the decoding well before any sizeable hidden message could
be extracted (this is especially true in case we are dealing with T1
I,T
and
a large set [1]: a human would have to search the entire set [1] as many as
times for each transmitted bit). Thus to be practical, a (, )-solution (for
small ) to T1
I,T
or T2
I,T ,
will be required.
6 Discussion and Closing Remarks
Interaction with the AI community
A primary goal of the captcha project is to serve as a challenge to the Articial
Intelligence community. We believe that having a well-specied set of goals will
contribute greatly to the advancement of the eld. A good example of this process
is the recent progress in reading distorted text images driven by the captcha in
use at Yahoo!. In response to the challenge provided by this test, Malik and Mori
[9] have developed a program which can pass the test with probability roughly
0.8. Despite the fact that this captcha has no formal proof that a program
which can pass it can read under other distributions of image transformations,
Malik and Mori claim that their algorithm represents signicant progress in
the general area of text recognition; it is encouraging to see such progress. For
this reason, it is important that even Automated Turing Tests without formal
reductions attempt to test ability in general problem domains; and even though
these tests may have specic weaknesses it is also important that AI researchers
attempting to pass them strive for solutions that generalize.
Other AI problem domains
The problems dened in this paper are both of a similar character, and deal with
the advantage of humans in sensory processing. It is an open question whether
captchas in other areas can be constructed. The construction of a captcha
based on a text domain such as text understanding or generation is an important
goal for the project (as captchas based on sensory abilities cant be used on
sensory-impaired human beings). As mentioned earlier, the main obstacle to
designing these tests seems to be the similar levels of program ability in text
generation and understanding.
Logic problems have also been suggested as a basis for captchas and these
present similar diculties, as generation seems to be dicult. One possible source
of logic problems are those proposed by Bongard [4] in the 70s; indeed [1] presents
a test based on this problem set. However, recent progress in AI has also yielded
programs which solve these problems with very high success probability, exceed-
ing that of humans.
Conclusion
We believe that the elds of cryptography and articial intelligence have much to
contribute to one another. captchas represent a small example of this possible
symbiosis. Reductions, as they are used in cryptography, can be extremely useful
for the progress of algorithmic development. We encourage security researchers
to create captchas based on dierent AI problems.
Acknowledgments
We are greatful to Udi Manber for his suggestions. We also thank Lenore Blum,
Roni Rosenfeld, Brighten Godfrey, Moni Naor, Henry Baird and the anonymous
Eurocrypt reviewers for helpful discussions and comments. This work was par-
tially supported by the National Science Foundation (NSF) grants CCR-0122581
and CCR-0085982 (The Aladdin Center). Nick Hopper is also partially supported
by an NSF graduate research fellowship.
References
1. Luis von Ahn, Manuel Blum, Nicholas J. Hopper and John Langford. The
CAPTCHA Web Page: http://www.captcha.net. 2000.
2. Luis von Ahn, Manuel Blum and John Langford. Telling Humans and Computers
Apart (Automatically) or How Lazy Cryptographers do AI. To appear in Commu-
nications of the ACM.
3. Mihir Bellare, Russell Impagliazzo and Moni Naor. Does Parallel Repetition Lower
the Error in Computationally Sound Protocols? In 38th IEEE Symposium on Foun-
dations of Computer Science (FOCS 97), pages 374-383. IEEE Computer Society,
1997.
4. Mikhail M. Bongard. Pattern Recognition. Spartan Books, Rochelle Park NJ, 1970.
5. A. L. Coates, H. S. Baird, and R. J. Fateman. Pessimal Print: A Reverse Turing
Test. In Proceedings of the International Conference on Document Analysis and
Recognition (ICDAR 01), pages 1154-1159. Seattle WA, 2001.
6. Scott Craver. On Public-key Steganography in the Presence of an Active Warden.
In Proceedings of the Second International Information Hiding Workshop, pages
355-368. Springer, 1998.
7. Nicholas J. Hopper, John Langford and Luis von Ahn. Provably Secure Steganog-
raphy. In Advances in Cryptology, CRYPTO 02, volume 2442 of Lecture Notes in
Computer Science, pages 77-92. Santa Barbara, CA, 2002.
8. M. D. Lillibridge, M. Abadi, K. Bharat, and A. Broder. Method for selectively
restricting access to computer systems. US Patent 6,195,698. Applied April 1998
and Approved February 2001.
9. Greg Mori and Jitendra Malik. Breaking a Visual CAPTCHA.
Unpublished Manuscript, 2002. Available electronically:
http://www.cs.berkeley.edu/~mori/gimpy/gimpy.pdf.
10. Moni Naor. Verication of a human in the loop or Identication via
the Turing Test. Unpublished Manuscript, 1997. Available electronically:
http://www.wisdom.weizmann.ac.il/~naor/PAPERS/human.ps.
11. Benny Pinkas and Tomas Sander. Securing Passwords Against Dictionary Attacks.
In Proceedings of the ACM Computer and Security Conference (CCS 02), pages
161-170. ACM Press, November 2002.
12. S. Rice, G. Nagy, and T. Nartker. Optical Character Recognition: An Illustrated
Guide to the Frontier. Kluwer Academic Publishers, Boston, 1999.
13. Adi Shamir and Eran Tromer. Factoring Large Numbers with the
TWIRL Device. Unpublished Manuscript, 2003. Available electronically:
http://www.cryptome.org/twirl.ps.gz.
14. J. Xu, R. Lipton and I. Essa. Hello, are you human. Technical Report GIT-CC-
00-28, Georgia Institute of Technology, November 2000.
A Proof of Proposition 1
Lemma 1. Construction 1 is steganographically secret.
Proof. Consider for any 1 j and x [1] the probability
j
x
that i
j
= x,
i.e.
j
x
= Pr[i
j
= x]. The image x is returned in the jth step only under one of
the following conditions:
1. D
0
: d
0
= x and F
K
(j, (d
0
)) = ; or
2. D
1
: d
1
= x and F
K
(j, (d
0
)) = 1
Note that these events are mutually exclusive, so that
j
x
= Pr[D
0
] + Pr[D
1
].
Suppose that we replace F
K
by a random function f : 1, . . . , L 0, 1.
Then we have that Pr
f,d0
[D
0
] =
1
2
Pr
I
[x] by independence of f and d
0
, and
Pr
f,d1
[D
1
] =
1
2
Pr
I
[x], by the same reasoning. Thus
j
x
= Pr
I
[x] when F
K
is replaced by a random function. Further, for a random function the
j
x
are
all independent. Thus for any 0, 1 we see that SE(K, ) and 1
are
computationally indistinguishable, by the pseudorandomness of F.
Lemma 2. Construction 1 is steganographically robust for T .
Proof. Suppose we prove a constant bound >
1
2
such that for all j, Pr[
j
= ] >
. Then by a Cherno bound we will have that Pr[majority(
1
, . . . ,
) ,= ] is
negligible, proving the lemma.
Consider replacing F
K
for a random K with a randomly chosen function
f : 1, . . . , L 0, 1 in SE, SD. We would like to assess the probability
j
= Pr[
j
= ]. Let A
j
be the event A(i
j
) = (i
j
) and A
j
be the event
A(i
j
) ,= (i
j
), and write (d
j
b
) as l
j
b
. We have the following:
Pr
f,ij,t
[
j
= ] = Pr[
j
= [A
j
] Pr[A
j
] + Pr[
j
= [A
j
] Pr[A
j
] (6)
= Pr[
j
= [A
j
] +
1
2
(1 ) (7)
= (Pr[f(j, l
j
0
) = or (f(j, l
j
0
) = 1 and f(j, l
j
1
)) = )] +
1
2
(8)
= (
1
2
+ Pr[f(j, l
j
0
) = 1 and f(j, l
j
1
) = and l
j
0
,= l
j
1
]) +
1
2
(9)
= (
1
2
+
1
4
(1 c)) +
1
2
(10)
=
1
2
+
4
(1 c) (11)
Here (7) follows because if A(i
j
) = l ,= (i
j
) then Pr
f
[f(j, l) = ] =
1
2
, and
(8) follows because if A(i
j
) = (i
j
), then f(j, A(i
j
)) = i f(j, (i
j
)) = 0; the
expression results from expanding the event f(j, (i
j
)) = 0 with the denition
of i
j
in the encoding routine.
For any constant > 0, a Cherno bound implies that the probability of
decoding failure is negligible in when F
K
is a random function. Thus the
pseudorandomness of F
K
implies that the probability of decoding failure for
Construction 1 is also negligible, proving the lemma.