IEEE TRANSACTIONS ON MULTIMEDIA, VOL. 9, NO.

6, OCTOBER 2007

1325

Correspondence
On the Security of A Steganographic Scheme for Secure Communications Based on the Chaos and the Euler Theorem
Rainer Bhme and Christian Keiler

AbstractThis paper contains a security analysis of the construction of a public key steganographic system based on chaos theory and the Euler theorem (PKS-CE) as proposed by Lou and Sung in a previous issue of this transactions. Our analysis results in attack strategies on two different layers: rst, we identify weaknesses of the embedding function, which allow a passive warden to tell steganographic images from clean carriers apart. Second, we show that the allegedly asymmetric trap-door function in fact can be efciently inverted solely with the knowledge of its public parameters, thus revealing the secret message as plain text to a passive adversary. Experimental results from a re-implementation further indicate that the claimed robustness of the embedded message against transformations of the carrier medium was far too optimistic. Finally, we demonstrate that a secure alternative system can easily be constructed from standard primitives if the strong assumptions made in PKS-CE for the mutual key exchange can actually be fullled. Index TermsInformation hiding, public key steganography, security analysis, steganalysis. Fig. 1. Block diagram of Lou and Sungs PKS-CE.

I. INTRODUCTION Steganographic techniques as described by Simmons [11] enable covered message exchange over unsuspicious communication channels. Their security can be measured by the difculty to detect the mere existence of hidden communication in a public channel. An attack is successful and a steganographic method considered as broken if the adversary is able to tell steganographic communication from clean trafc apart with a probability of success better than random guessing. In the baseline case, the communication partners share a secret key. The majority of known steganographic algorithms hence belongs to the class of secret key steganography (SKS). Anderson and Petitcolas [1] rst dened public key steganography (PKS) analogously to asymmetric (public key) cryptography. This paper contains a security analysis of one specic scheme for public key steganography proposed by Lou and Sung [10], further referred to as PKS-CE. In contrast to theoretical work on PKS in the literature (see [2], [9], and [12]), Lou and Sungs scheme is intended to be ready for implementation. It also differs from prior art in the choice of the cryptographic operation. A generic approach to PKS is to embed the entire bit stream of an asymmetrically encrypted message with an SKS embedding operation, with the exception that all its parameters are made public (i.e. are commonly shared). Lou and Sungs construction, however, determines the embedding position of individual message bits with an asymmetric mapping function. Before advancing to the security analysis, we recall the construction of PKS-CE, as visualized in Fig. 1. First, message M is transformed to
Manuscript received December 22, 2005; revised April 3, 2007. The associate editor coordinating the review of this manuscript and approving it for publication was Dr. Ching-Yung Lin. R. Bhme is with the Institute of Systems Architecture, Technische Universitt Dresden, 01062 Dresden, Germany (e-mail: rainer.boehme@tu-dresden. de). C. Keiler is with the Signsoft GmbH, 01127 Dresden, Germany (e-mail: christian.keiler@signsoft.com). Digital Object Identier 10.1109/TMM.2007.902898

a message matrix representation (MMR). This transformation can be complemented with an optional error-correcting code (ECC). A trapdoor mapping function Map is applied on each matrix coordinate (i; j ) to compute the position in the carrier matrix representation (CMR). This function consists of two nested mapping operations, which take a coordinate (i; j ), the secret key of the sender kSS and the public key of the recipient kPR to compute a corresponding embedding position (i3 ; j 3 ) in the carrier. The embedding operation returns the steganogram. It works on individual bits and it is applied with global parameters only. After the transmission of the steganogram to the recipient, they extract the carrier message representation (CMR3 ). The message matrix representation MMR3 can be recovered with the inverse mapping function Map01 using the public key of the sender kPS and the secret key of the recipient kSR

3 3 Map : (i; j; kSS ; kPR ; S) 7! (i ; j ) 0 1 3 3 0 0 : (i ; j ; kPS ; kSR ; S) 7! (i ; j ) Map

(1)

S is a global parameter. The message is obtained after linearization and optional error decoding (ECC01 ).
Our security analysis is structured as follows: Section II explains details of the embedding function before its weaknesses are pointed out and backed with experimental evidence in Section III. Accordingly, Section IV deals with the mapping function followed by an analysis in Section V. Before we conclude, and as a reaction to the weaknesses identied, a more secure alternative construction based on standard cryptographic primitives is sketched in Section VI. II. DESCRIPTION OF THE EMBEDDING FUNCTION The choice of an embedding function is always specic to the properties of the carrier medium. PKS-CE is designed for grayscale images stored as a matrix of intensity values. The embedding function takes an embedding position (i3 ; j 3 ) and the value of one message bit m(i;j ) as arguments and alters the carrier so that the resulting steganogram contains the semantic of the message bit. Obviously, this modication

1520-9210/$25.00 2007 IEEE

1326

IEEE TRANSACTIONS ON MULTIMEDIA, VOL. 9, NO. 6, OCTOBER 2007

TABLE I EXPERIMENTAL RESULTS FOR ATTACKS ON THE EMBEDDING FUNCTION

Average share of t-pixels and average edge length (in pixels) of the largest square without t-pixels. Averages are computed over 100 images for plain carriers and steganograms. Fig. 2. Relation of a pixel to its local neighborhood.

should neither be perceptible to visual inspection nor alter the statistical properties of carrier media. To achieve imperceptibility, PKS-CE adaptively takes into account the local neighborhood of i3 ; j 3 with intensity x(i ;j ) , as shown in Fig. 2. PKS-CE denes three control variables l(i ;j ) (upper left), r(i ;j ) (lower right) and a(i ;j ) (surround), which average the neighborhood intensities

by the PKS-CE mapping function and then count the number of sucon we found 9.95 bit errors cessful extractions. For t : average across images. With an error correcting codeReed-Solomon RS(31,25), as proposed in [10]the error rate declined somewhat to on average. : 7.60

=1

(= 1 14%)

(= 0 87%)

III. WEAKNESSES OF THE EMBEDDING FUNCTION In steganography, unlike for some watermarking applications, it is reasonable to adhere to Kerckhoffs principle and assume that an adversary has full knowledge of the functioning of the steganographic system except for its secret keys [1], [8]. This is not only regarded as a good practice to develop truly secure algorithms, but also follows directly from the principles of public key steganographic systems, which aim at avoiding obscurity. If their secure application depends on any additional secrets shared between sender and recipient, the extra effort to construct PKS as opposed to far simpler SKS would be rendered useless. Therefore, we deem it justied to assume that the adversary knows all public and global parameters of the concrete implementation of PKS-CE in a specic communication context.1 The idea of this steganalysis exploits the deterministic embedding equations specied in the embedding function. Since the relation between pixels and their neighborhood is xed in the steganogram, an attacker can evaluate this relation for each pixel in an image. He or she can further infer the existence of steganographic content from an atypical high number of pixels that exactly fulll one of the embedding equations. Consequently, we dene the notion t-pixel as pixel where one of the embedding equations between the pixel and its neighborhood holds for a given parameter t. This corresponds to the following formal expression:

l(i ;j )

r(i ;j )

a(i ;j )

=1 3 1 =3 =1 2

x(i

01;j 01) + x(i

;j

01) + x(i 01;j

x(i +1;j )

+ )

x(i ;j +1)

x(i +1;j +1)

l(i ;j )

r(i ;j )

(2)

Let t be a global parameter for the embedding strength. We shall call pixel x(i ;j ) at position i3 ; j 3 center pixel and omit the indices for the sake of brevity. The embedding process distinguishes three possible cases. First, the center pixel has a homogenous neigborhood relative to t if jl 0 rj  1 t. In this case, a zero bit is embedded by subtracting t from a; and a one by adding t to a. Second, the center pixel is part of a downward slope if jl 0 rj > 1 t and l > r . In this case, for a zero, the resulting pixel is set close to the higher neighbors, precisely to l 0 t. In turn, a one is embedded by setting the pixel close to the lower neighbors r t. Third, for an upward slope, where jl 0 rj > 1 t and l < r , the assignment of zeros and ones is inverse to the second case with l now representing the lower neighbors and r the higher ones. Hence, the resulting pixel is l t for zeros and r 0 t for ones. The extraction function F 01 works accordingly. It rst determines whether the decoded pixel position i00 ; j 00 is in a homogenous neigborhood relative to t. If so, a comparison whether the center pixels intensity is smaller or equal than a(i ;j ) reveals the message bit value. Otherwise the extraction function checks whether the center pixels intensity is closer to l(i ;j ) or to r(i ;j ) before deciding between zero and one in a second step. There are several sources for bit errors in steganographic communication. On the transmission channel, marginal changes in the intensity, either caused by random distortions or by an active adversary trying to prevent steganographic communication, may destroy the steganographic content. Another source of error is specic to this embedding function and occurs even in perfect channels: if two embedding positions fall next to each other, wrong extraction results may occur due to the inuence of the second embedding on the neighborhood of the rst. The PKS-CE scheme proposes the error correcting code to cope with any of these errors. The impact of errors from subsequent embedding in the same neighborhood can be measured experimentally. We embed 875 bits into each of 100 8-bit grayscale test images sized 253 2 253 pixels [i.e., the embedding rate is as low as 0.014 bits per pixel (bpp)], at positions given

l(i;j )

l(i;j )

r(i;j )

r(i;j )

x(i;j )

31 ^ 2 31 ^ 2 6 _ 2
t x(i;j ) > t l(i;j ) t x(i;j )

a(i;j )

r(i;j )

(3)

By applying this criterion on a large number of test images, both plain carrier and steganograms, we found a stable share of t-pixels, which depends on parameter t and the embedding ratio. As reported in Table I, plain carriers contain fewer t-pixels than steganograms. Thus, for suitable settings of t, a simple criterion based on the share of t-pixels yields a reliable stego detector. If the mere number does not discriminate sufciently, then the spatial distribution of t-pixels can be evaluated to improve the detection power. Since the occurrence of t-pixels in plain carrier images is correlated with the image structure, there exist regions with higher concentration of t-pixels as well as regions without any. Steganographic modications, however, appear randomly in the entire space of the CMR. This
1Note that most weaknesses would still allow for successful attacks even if the exact values of global parameterssuch as twere unknown, as missing parameters could be efciently estimated by the adversary.

IEEE TRANSACTIONS ON MULTIMEDIA, VOL. 9, NO. 6, OCTOBER 2007

1327

Fig. 3. Distribution of t-pixels: (a) original, (b) ltered image without embedding, and (c) ltered image with small capacity stego message.

causes t-pixels in the steganogram to appear regardless of the image structure. Fig. 3 illustrates the distribution of t-pixels in one example grayscale image by applying a lter that visualizes the positions of t-pixels for t = 1 in a clean image and [cf. Fig. 3(b)] a steganogram with about 0.1 bits per pixel payload [cf. Fig. 3(c)]. It is also visible that the mapping function reduces the set of possible embedding positions to the CMR area (see below in Section V). An easy measure that can be used as a stego-detector is the maximum square area within the dimension of the CMR that does not contain any t-pixel. This value differs considerably between plain carriers and steganograms, as reported in columns 4 and 5 of Table I. The performance in terms of detection rate and false positives of stego detectors using the above described methods is given by receiver operating characteristics (ROC) charts in Fig. 4. The charts show that the spatial criterion allows for perfect separation for t 2 f6; 12g and is still highly reliable for t = 1. The original paper also claimed a sort of robustness of PKS-CE against noise in the intensity values of the steganogram due to channel disturbance or active tampering. To verify the results, a re-implementation of the scheme has been used to evaluate the robustness against Gaussian noise with zero mean and standard deviation in the range of (1=12) 1 t to 9 1 t. Following the description in [10], a Reed-Solomon code RS(31,25) has been employed as ECC. The results of these experiments (Table II) show that even very subtle noise causes a high number of uncorrectable bit errors. The robustness increases somewhat for higher values of t, but at the same time the probability for heavily visible artifacts soars. In the following, we will show why it will not be sufcient to x the weaknesses of the embedding function to make the scheme secure. IV. DESCRIPTION OF THE MAPPING FUNCTION Function Map is supposed to be an asymmetric cryptographic function, which is based on the Euler theorem and chaos theory. Since the

Fig. 4. ROC curves for different values of t and for different detection methods; results from experiments on 100 test images with an average embedding rate of 0.1 bpp. Note that the scale of false positives has been cut in (b) to make the very small error rates visible. (a) Detector based on share of t-pixels. (b) Detector based on spatial distribution of t-pixels.

TABLE II EXPERIMENTAL RESULTS ON THE ROBUSTNESS OF THE EMBEDDING FUNCTION

Mean error rates for additive Gaussian noise (embedding rate as low as 0.002 bpp) and RS(31,25) error correction.

original publication is not entirely clear in the description of and the rationales behind the design of the mapping function, the following discussion has to be considered as a common sense interpretation of how the scheme works. The PKS-CE scheme differs from the majority of other approaches to PKS by its strong assumptions for the key exchange: even for one-way communication, both sender and recipient have to transmit the public part of their key pair to the other party authentically. How this mutual key exchange can be realized secretly is not considered in the original publication and thus beyond the scope of this paper.

1328

IEEE TRANSACTIONS ON MULTIMEDIA, VOL. 9, NO. 6, OCTOBER 2007

TABLE III SCOPE OF CRYPTO PARAMETERS

secret key kSS and the recipients public key kPR as follows (without loss of generality, we assume nS < nR ):
Map : (i ; j )

3 3

k  Sk n 2 Sn 2 (i; j )(mod nS )

(mod nR ):

(9)

For the key generation, both sender and recipient independently chose a public modul nS and nR , respectively. These numbers ought to be semi-prime to ensure that the Euler symbols '(nS ) and '(nR ) can be computed effectively as '(u 1 v ) = (u 0 1)(v 0 1) with knowledge of the (secret) prime factors u and v . Both parties choose their secret keys kSS and kSR at random in the range
sender :

Note that the multiplication and modulo operations were not explicitly dened in the original paper, but the term applying does not allow any other interpretation. As a consequence of the modulo operations, the dimension of CMR is bound to the inmum of nS and nR [see Fig. 1 and Fig. 3(c)]. The decryption (i.e., reverse mapping) of (i3 ; j 3 ) to the original message position (i0 ; j 0 ) uses the remaining parameters, namely the public key of the sender kPS and the secret key of the recipient kSR

'(nS ) > kSS > 0

01 : 0 0 k (i ; j )  S
Map

3 3 2 Sk n 2 (i ; j )(mod nR )

(mod nS ):

(10)

recipient : '(nR ) > kSR > 0:

(4)

Then the public parts are given as differences to the Euler symbols
sender :

kPS = '(nS )

recipient : kPR = '(nR )

0k 0k

SS SR :

(5)

Table III summarizes all relevant parameters of the mapping function classied by their scope of knowledge (secret, public, global). Global parameters are constant for all communication relations. The two primes p1 and p2 are both relatively prime to nS and nR .2 Integer q > 2 is another global parameter to seed the chaotic mapping. Parameters p1 , p2 and q are used to build a matrix and a so-called stego-matrix as

The reverse mapping is always possible as can be seen from the identity mapping in (8) with the exponent '( ). Since the public and secret parts of a key pair sum up to '(nS ) and '(nR ), respectively [see (5)], inserting (9) in (10) yields the identity mapping as well. To summarize the above paragraphs, the mapping function is build on two principles. First the Euler theorem for (8) and second the chaotic orbits as used in Fridrichs [7] stego system, albeit in a secret key scenario. V. WEAKNESSES OF THE MAPPING FUNCTION The mapping function suffers from several weaknesses, which can be broadly structured into practical aspects for real-world applications and systematical problems with the alleged non-invertibility of Map. As to the practical issues, one obstacle stems from the fact that Map maps a small domain to a larger one. In the reverse mapping Map01 , there are way more positions in the preimage than in the projection domain dim(MMR3 ), as visualized by the italic bits in CMR3 of Fig. 1. Since the recipient cannot tell steganographically modied pixels apart from original ones,4 there is little chance to solve the ambiguity introduced at this step. Though not considered in the original paper, there is a way to improve the extraction by simultaneously applying the t-pixel criterion as described in Section III to preselect candidate pixels. However, it appears a little bit awkward to use a weakness in the embedding layer in order to x the decryption function. Regarding computational effort, the decryption of an entire steganogram is heavy if parameters are chosen in a secure range. In the worst case one has to iterate nR 1 nR (if nR > nS ) pixel positions and subsequently apply the reverse mapping operations to reconstruct MMR3 . Let ` be the length of the binary representation of the larger modulus, the complexity of the complete decryption in the O -calculus turns out to be O(e` ). The use of large parameters has another disadvantage because the required carrier size depends on the security parameter `. Apart from operational challenges to handle image data in the order of billions of pixels, solely the fact that extremely huge images are transmitted is not plausible and thus reveals the use of steganography. Moreover, a comparison of the complexity of decryption with the complexity of factorization5 of nR and nS , respectively, shows that factorization of an integer in the order of 2` is less complex than the reverse mapping of a complete CMR3 . This means that it is computationally easier to calculate the secret key from the public parameters than extracting a message!
4The secret key of the sender positions.

Q=

q q +1

; and

S = Q2 S

p1
0

p2

2 Q0 :
1

(6)

Later in the mapping function, matrix needs to be exponentiated. This is not difcult due to its special structure. As shown in [10, eq. (6)] it reduces to the exponentiation of scalars

S = Q 2

p1
0

p2

0 

2 Q0 :
1

(7)

We need another notation because PKS-CE only uses exponentiation  means that the exponenin rings of integers modulo a number. So S tiation to the power of  is computed modulo  . With the above prerequisites, we can study the basic trap-door mapping operation in (8) 3
 S' Q 2 
( )

p1

'( )

0 Q 2 1 2 Q0 (mod ) 0 1  Q 2 Q0 (mod ) 0  1 (mod  ): 0 1

1 1

p2

0 '( )

2 Q0 (mod )
1

(8)

To encrypt an MMR message position with the coordinates (i; j ) to a CMR position with the coordinates (i3 ; j 3 ), the sender has to use their
2The last condition is easy to fulll as and are semi-prime; in the very unlikely case that a communication partner chooses a secret parameter equal to a global one, the key generation algorithm has to be repeated. 3The original paper refers to another variable as the public large number in the RSA cryptosystem ([10, p. 503])presumedly another semi-primewhich can be eliminated analytically.

would be required to identify the embedding General Number Field Sieve is

O(e

5The

complexity

ln( ) 1 (ln(ln( ))) ) [3].

of

the

IEEE TRANSACTIONS ON MULTIMEDIA, VOL. 9, NO. 6, OCTOBER 2007

1329

As to the systematical problems, it turns out that the mapping function has actually no trap-door property: Since the global stegomatrix S is regular and nS and nR are both relatively prime to p1 and p2 , the adversary can efciently compute its inverse S01 , as shown in (11) (nS and nR are replaced by  )
1 S0  

 (mod  ); where   1 01   ( p 2 0 q 1 p1 + q 1 p 2 ) 1 p 0 1 1 p2 (mod  ) 2 1 01  (0q 1 p1 + q 1 p2 0 q 1 p1 + q2 1 p2 ) 1 p0 1 1 p2 (mod  ) 01 1 p01 (mod ) (p1 0 p2 ) 1 p1 2 1 01   (p 1 + q 1 p 1 0 q 1 p 2 ) 1 p0 1 1 p2 (mod  )

processing, which reduces the problem to attacking the underlying SKS. Hence, against computational bounded adversaries and reasonable choices of the security parameter `, PKS-EG is as secure as the SKS. Candidate algorithms for the SKS include the state of the art least detectable embedding functions, such as perturbed quantization [6] or adaptive stochastic modulation [5] for image steganography. In contrast to PKS-CE, the security parameter ` is independent from the size of the carrier so that PKS-EG does not suffer from the above mentioned practical limitations. Note that this construction is simple because it inherits the strong assumptions from PKS-CE. Tackling the steganographic key exchange properly requires more sophisticated constructions (cf. [12]). VII. CONCLUSION The PKS-CE scheme promised to be a secure public-key steganograhic system at the cost of some impractical constraints due to the mutual key exchange. In fact, however, the exponential relation between the security parameter and the required size of the carrier media renders the system useless for reasonable security levels. Since further weaknesses were identied in both the embedding function and the asymmetric trap-door function, the PKS-CE scheme is neither operable nor secure and thus should not be used in practice. As the authors are not aware of a straight way to x these aws, a more secure and less obscure alternative has been proposed.

(11)

where p01 mod  denotes the multiplicative inverse of p in the integer eld modulo  . The well-known extended Euclidean algorithm runs in polynomial time. For the demonstration of the complete reverse mapping without using the secret key of the recipient, we still assume nS < nR

3 ; j 3 )  Map(i; j; kSS ; kPR ; S) 00 00 k 0k 2 (i3 ; j 3 )(mod nR ) (i ; j )  S n 2 S n  Map01 (i3 ; j 3; kPS ; kSR ; S):
(i

(mod nS )

(12)

Now it is evident that (i; j )  (i00 ; j 00 )(mod nS ). As nding a proper chaos function with trap-door properties is not easy,6 the above described problems are very difcult to x. VI. A DIFFIE-HELLMAN-BASED CONSTRUCTION Finally, as an alternative, we sketch a construction for a PKS system, which is as secure against polynomial bounded adversaries as an underlying secret key stego system. The construction is based on the ElGamal [4] encryption scheme (PKS-EG) that can be applied directly to PKS if the same strong assumptions about the mutual key exchange as in PKS-CE do hold: prior bi-directional key exchange (in contrast to the standard public key cryptography model); the recipient can identify his or her potential steganographic communication partner before the extraction. Let prime p in the order 2` and generator g of the nite eld GF(p) be public constants. To generate a key pair, sender S and recipient R randomly choose x; y 2 GF(p) and publish kPS  g x (mod p) and kPR  g y (mod p), respectively. In turn, kSS = x and kSR = y k  remain secret. To embed a message, sender S computes z  kPR y xy g  g (mod p). With H being an adequately secure hash function, ksym = H(z ) can be used as secret key for steganographic communication between S and R in any SKS scheme. The recipient is able to k (mod p). retrieve ksym because z  g xy  (g x )y  kPS According to the computational Dife-Hellman assumption, given gx and gy the public parameters onlyit is hard to compute gxy (mod p). In the absence of knowledge about ksym , an adversary must resort to detecting steganographic messages with means of signal
6Building secure trap-door functions with parameters in the order 2 is impossible because an adversary could run an exhaustive search in reasonable time using a probabilistic polynomial algorithm.

REFERENCES
[1] R. J. Anderson and F. A. P. Petitcolas, On the limits of steganography, IEEE J. Select. Areas Commun., vol. 16, no. 4, pp. 474481, May 1998. [2] M. Backes and C. Cachin, Public-key steganography with active attacks, in Theory of Cryptography, ser. Lecture Notes in Computer Science, J. Kilian, Ed. New York: Springer, 2005, vol. 3378, pp. 210226. [3] D. Coppersmith, Modications to the number eld sieve, J. Cryptol., vol. 6, pp. 169180, 1993. [4] T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Trans. Inform. Theory, vol. IT-31, no. 4, pp. 469472, Jul. 1985. [5] J. Fridrich and M. Goljan, Digital image steganography using stochastic modulation, in Security, Steganography and Watermarking of Multimedia Contents V (Proc. SPIE), E. J. Delp and P. W. Wong, Eds., San Jose, CA, 2003, pp. 191202. [6] J. Fridrich, M. Goljan, and D. Soukal, Perturbed quantization steganography with wet paper codes, in MM&Sec 04: Proc. 2004 ACM Workshop on Multimedia and Security, 2004, pp. 415. [7] J. Fridrich, Symmetric ciphers based on two-dimensional chaotic maps, Int. J. Bifurcat. Chaos, vol. 8, no. 6, pp. 12591284, 1998. [8] A. Kerckhoffs, La cryptographie militaire, J. des sciences militaires vol. IX, pp. 538, 1883 [Online]. Available: http://www.petitcolas.net/ fabien/kerckhoffs/crypto_militaire_1.pdf, 161191 [9] T. V. Le, Efcient Provably Secure Public Key Steganography Cryptology ePrint Archive, Report 2003/156, 2003 [Online]. Available: http://www.eprint.iacr.org/2003/156 [10] D. Lou and C. Sung, A steganographic scheme for secure communications based on the chaos and Euler theorem, IEEE Trans. Multimedia, vol. 6, no. 3, pp. 501509, Jun. 2004. [11] G. J. Simmons, The prisoners problem and the subliminal channel, in Adv. CryptologyCRYPTO83, D. Chaum, Ed., 1984, pp. 5167, Plenum. [12] L. von Ahn and N. J. Hopper, Public-key steganography, in EUROCRYPT, ser. Lecture Notes in Computer Science, C. Cachin and J. Camenisch, Eds. New York: Springer, 2004, vol. 3027, pp. 323341.