Has F5 Really Been Broken?
Johann A. Briffa* and Hans Georg Schaathun* and Ainuddin Wahid Abdul Wahab*+
*Department of Computing, University of Surrey, Guildford GU2 7XH, England
+Faculty of Computer Science and Information Technology, University of Malaya, Malaysia
Keywords: Steganalysis, F5.
Abstract
The publicly-available F5 software (F5Software) implementation takes a possibly compressed cover image, decompresses it if necessary, and embeds the hidden message during a second compression process.
stego image goes through ‘double compression’. While this is
not a problem from the embedding and extraction point of view,
any steganalysis process trained on such a scheme will poten-
tially detect artifacts caused either by the embedding process or
the second compression process. In this paper we review pub-
lished steganalysis techniques on F5. By re-implementing an
isolated F5 embedding algorithm excluding the decompression
and recompression process (F5Py), we show that published steganalysis techniques are unable to defeat F5 when its ideal operating conditions are not violated. In other words, when the message size does not exceed the optimum F5 capacity, published techniques most likely detected compression artifacts rather than the embedding process. This important fact has previously been overlooked. Furthermore, we determine the optimum embedding rate for F5, i.e. the rate at which it can take full advantage of matrix encoding for better embedding efficiency. We find that the low embedding rates considered for F5 in previous works are actually relatively high for it. This matters because larger message sizes may degrade F5 to F4. In addition, we verify that, as expected, steganalysis performance depends on the message size.
1 Introduction
There is a battle going on between steganographers and steganalysts. Steganographers aim to develop ever better techniques to hide a secret message in a media file, such as an image, so that the enemy will not even suspect that a secret is there. The steganalyst is the enemy, who tries to devise techniques to detect the hidden secrets reliably. There has been a lot of activity in this field over the last 15 years.
Current research tends to be rather ad hoc. Evaluations of new methods are generally based on simulations, and the conditions and parameters for these simulations are not always clear. When they are clear, they may be controversial.
This leads to several problems in the evaluations. For instance, simulations must be based on specific implementations, which are not always correct implementations of the algorithms specified in the literature. Many authors assume that relatively long messages would be embedded, and this gives the best detection results on their part. But what message length was the stego-system designed for?
Figure 1. JPEG steganography embedding algorithm between two stages in JPEG encoding
Most papers in the literature have focused on defeating a preceding paper. Often, too little time is spent analysing the operating conditions under which a particular technique is useful.
This is our purpose in this paper. We discuss the celebrated F5 algorithm by Andreas Westfeld, and analyse the operating conditions under which it can be expected to work. We demonstrate that some previous claims of breaking F5 are exaggerated, and that the respective steganalysis works due to artifacts in the F5 software, not the embedding algorithm.
2 JPEG Steganography
One of the most popular media for steganography is JPEG images. This makes sense because image coding and processing is relatively uncomplicated and requires much less expertise than video and audio coding. JPEG is also one of the most popular image formats, and remarkable in that it has been well known for 15–20 years across multiple architectures.
A range of stego-algorithms modulate information by mod-
ifying the JPEG coefﬁcients, which are obtained by a block-
wise DCT transform of an image and subsequent quantisation.
Figure 1 shows where embedding takes place in the process.
The subsequent steps of the JPEG compression are lossless,
so that the stego-decoder will see the exact same JPEG coefﬁ-
cients as the encoder produced.
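To make the embedding location concrete, the sketch below computes the quantised DCT coefficients of a single 8×8 pixel block, the values that JPEG stego-algorithms modify. This is an illustration of the JPEG pipeline, not part of F5 itself; the quantisation matrix shown is the standard quality-50 luminance matrix from the JPEG specification.

```python
import numpy as np

# Standard JPEG luminance quantisation matrix at quality 50 (from the JPEG spec).
Q50 = np.array([
    [16, 11, 10, 16,  24,  40,  51,  61],
    [12, 12, 14, 19,  26,  58,  60,  55],
    [14, 13, 16, 24,  40,  57,  69,  56],
    [14, 17, 22, 29,  51,  87,  80,  62],
    [18, 22, 37, 56,  68, 109, 103,  77],
    [24, 35, 55, 64,  81, 104, 113,  92],
    [49, 64, 78, 87, 103, 121, 120, 101],
    [72, 92, 95, 98, 112, 100, 103,  99]])

def dct_matrix(n=8):
    # Orthonormal DCT-II matrix: C[k, m] = a_k * cos((2m + 1) k pi / (2n))
    C = np.zeros((n, n))
    for k in range(n):
        a = np.sqrt(1.0 / n) if k == 0 else np.sqrt(2.0 / n)
        C[k] = a * np.cos((2 * np.arange(n) + 1) * k * np.pi / (2 * n))
    return C

C = dct_matrix()

def quantised_coeffs(block, Q):
    """Level-shift, 2-D DCT (C X C^T) and quantisation of one 8x8 pixel block."""
    shifted = block.astype(float) - 128.0
    return np.round(C @ shifted @ C.T / Q).astype(int)
```

The integer matrix returned here is what the stego-embedder sees; all subsequent JPEG steps (zig-zag ordering, Huffman coding) are lossless.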
2.1 The F5 algorithm
F5 was introduced with an accompanying Java implementation (F5Software). It sports two key features, which should be treated separately. We briefly explain the purpose and effect of each feature; for further details we refer to the original paper.
Firstly, it uses a modulation technique, named F4, which
maintains the symmetry as well as other statistical properties
of the histogram of the JPEG coefﬁcients. It effectively pro-
duces a histogram which looks like that of a JPEG image at
lower quality. This modulation effectively prevents the suc-
cessful attacks on its predecessors Jsteg and Outguess.
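The F4 modulation rule can be sketched as follows. This is a simplified illustration of the modulation step only (no permutation and no matrix encoding): a non-zero coefficient carries its LSB if positive and the inverted LSB if negative; on a mismatch the magnitude is decremented, and a coefficient that shrinks to zero forces the bit to be re-embedded (Westfeld's 'shrinkage').

```python
def f4_value(c):
    # Steganographic value: LSB for positive, inverted LSB for negative coefficients.
    return c % 2 if c > 0 else ((-c) % 2) ^ 1

def f4_embed(coeffs, bits):
    """Embed a bit list into a list of quantised AC coefficients (simplified F4)."""
    out = list(coeffs)
    i = 0
    for bit in bits:
        embedded = False
        while not embedded:
            while i < len(out) and out[i] == 0:    # zeros carry no information
                i += 1
            if i == len(out):
                raise ValueError('message exceeds capacity')
            if f4_value(out[i]) == bit:
                embedded = True
            else:
                out[i] += -1 if out[i] > 0 else 1  # decrement the magnitude
                if out[i] != 0:
                    embedded = True
                # else: shrinkage -- the bit must be re-embedded further on
            i += 1
    return out

def f4_extract(coeffs, nbits):
    # The decoder simply reads the steganographic values of non-zero coefficients.
    return [f4_value(c) for c in coeffs if c != 0][:nbits]
```

Because the magnitude is always decremented, the histogram of the stego coefficients keeps its symmetry and looks like that of a lower-quality JPEG, as described above.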
Secondly, it uses matrix encoding to minimise the distor-
tion. This uses ideas from source coding and coding for con-
strained memories to represent the message as a codeword
which can be embedded with a minimum of distortion.
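The idea can be illustrated with binary Hamming syndrome coding, the family of codes F5 actually uses (detailed in Section 4): k message bits are carried by the LSBs of n = 2^k − 1 coefficients, and at most one LSB needs to change. This sketch works on LSBs directly and omits F5's shrinkage handling.

```python
def syndrome(lsbs):
    # XOR of the (1-based) positions holding a 1: the product H*x for the
    # Hamming parity-check matrix whose columns are the numbers 1..n in binary.
    s = 0
    for pos, bit in enumerate(lsbs, start=1):
        if bit:
            s ^= pos
    return s

def matrix_embed(lsbs, message, k):
    """Embed integer message (0 <= message < 2**k) into n = 2**k - 1 LSBs,
    changing at most one of them."""
    n = 2 ** k - 1
    x = list(lsbs[:n])
    flip = syndrome(x) ^ message
    if flip:               # flip == 0 means the block already carries the message
        x[flip - 1] ^= 1   # flip the single LSB at the position given by the syndrome
    return x

def matrix_extract(lsbs, k):
    return syndrome(lsbs[:2 ** k - 1])
```

For k = 3, three message bits ride on seven LSBs at the cost of at most one change, which is where the improved embedding efficiency comes from.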
2.2 Attacks on F5
Soon after being introduced to the steganography community,
F5 has become a popular target for steganalysis. This is due
to its capability to withstand visual and statistical attacks while
providing a large steganographic capacity. F5’s advantages are
obtained by the implementation of matrix encoding and per-
mutative straddling. Matrix encoding helps to improve the efﬁ-
ciency of embedding while the permutative straddling helps to
uniformly spread the changes over the stego image.
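Permutative straddling can be sketched as a key-seeded pseudorandom permutation of the coefficient indices; embedding then visits the coefficients in this order, so changes are spread uniformly over the image rather than clustered at the start. The seeding scheme below is illustrative, not the one used in F5Software.

```python
import random

def straddle_order(n_coeffs, key):
    """Return a pseudorandom visiting order of coefficient indices derived from the key."""
    order = list(range(n_coeffs))
    random.Random(key).shuffle(order)  # deterministic for a given key
    return order
```

The extractor, knowing the same key, regenerates the identical order and reads the coefficients in the same sequence.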
The most recent algorithm claimed to defeat the F5 software was our conditional probability approach. With a total of 54 features extracted for each image, this steganalysis technique can defeat the F5 software, particularly at longer message sizes (618 bytes, 1848 bytes and 4096 bytes).
The 324-feature Markov-process approach, which inspired our conditional probability steganalysis technique, was also shown to defeat the F5 software. Using different message sizes measured in bpc (bits per non-zero AC coefficient), the highest accuracy reported was 96.8% for a message size of 0.4 bpc.
Steganalysis methods based on statistical moments have also been claimed to defeat F5. Generating 78 features for classification, this technique achieved an accuracy of up to 91.1% for a message size of 0.4 bpc.
Pevný and Fridrich have combined their earlier approach with the Markov process approach. The resulting detection accuracy (99.92% for a message size of 100% of the embedding capacity) shows that the combination is better at attacking F5 than their individual feature sets.
For our experiments we use the conditional probability and Markov process approaches, as well as steganalysis based on wavelet decomposition.
3 Double Compression Issue
Westfeld's F5 implementation, like many other popular stego-programs for JPEG, is not able to work directly on a given JPEG input file. An input file in JPEG format is decompressed (using a standard API function to load the image) and represented internally in the spatial domain. The image is then recompressed, and the F5 embedding is performed during this recompression.
The recompression will not necessarily use the same quantisation matrices as the original compression. In fact, the program is unable to capture the original matrices, so if the same quantisation matrices are to be used, they have to be the standard matrices and the user has to supply the correct quality factor manually.
According to Pevný and Fridrich, double compression occurs when a JPEG image, originally compressed with a primary quantization matrix, is decompressed and compressed again with a different secondary quantization matrix. In their paper, they used a primary quantization matrix estimation technique to resolve the double compression issue; the estimated quantization matrix was then used for the second compression process. A similar approach, without the need for estimation, has also been used.
Chen et al. implemented another approach to this double compression issue. They fix the same quality factor (80) for both image preparation (F5 without an embedded message) and the F5 embedding process. This assumes that the differences between stego image and cover image are caused only by data embedding and not by the JPEG compression quality.
In both solutions, double compression still occurs, and the risk of its effects is still present. Indeed, even F5 with no message actually embeds 32 bits, namely the status block indicating that there is a message of length 0. It seems both approaches assume that double compression is an inherent part of F5. In the following section we discuss how our implementation avoids double compression altogether.
4 Optimal use of F5
The double compression is an artifact of Westfeld's implementation of F5 (F5Software), and not of the F5 algorithm as described in Westfeld's paper. In order to make a fair evaluation of F5, we reimplemented it in Python1. Our implementation (F5Py) reads JPEG files and performs the Huffman decoding to obtain the JPEG coefficient matrix, on which the F5 embedding operates, as well as the quantisation matrices. It never reverses the lossy compression steps.
We have followed Westfeld's version 12 beta, which means that the algorithm ignores, in addition to all zero coefficients, every other coefficient of value ±1. This feature is not documented in the original paper, but our simulations show that it gives a slight improvement over using all ±1 coefficients.
Another issue which requires some consideration is the embedding capacity of F5. It is not uncommon in the literature to estimate the capacity of F5 by the number of non-zero AC coefficients, and to work at embedding rates of 0.25–0.8 bpc (bits per non-zero coefficient). Firstly, this over-estimates the total capacity, both because F5 creates new zeros which are then ignored, and because the software ignores half of all the ±1 coefficients.
1We plan to make this code publicly available when the paper is published.
Table 1. F5 capacity in our test images.
            Range               Mean      Variance
Capacity    (1579, 8719)        3710.77   1643133
Changes     (517, 2621)         1100.10   98747
BPC         (0.00335, 0.01849)  0.00816   7.74 × 10^-6
Length      (430416, 471429)    —         —
More importantly, F5 is not designed to operate close to
the maximum capacity. The main idea in F5 is matrix cod-
ing, which means that we use more coefﬁcients, but change
fewer, per embedded bit. By changing fewer coefﬁcients, we
reduce the distortion and the steganographic modiﬁcation be-
comes harder to detect. Operating close to capacity, matrix
coding is not possible and F5 degenerates to F4.
The codes used in F5 are Hamming codes of co-dimensions k = 1, 2, ..., 7, giving block lengths n = 2^k − 1. The case k = 1 is degenerate and gives no coding at all. At k = 1, we can typically embed 1.4 bits per change. At k = 4 we can almost always embed more than 2 bits per change (2.1–2.5 typically). At k = 7, we can typically embed 3.5–4 bits per change.
In order to reduce the distortion by 50%, it is necessary to use a matrix code with k ≥ 5, which gives a rate of less than 1/6. There is no doubt that many applications may require embedding rates of 0.25 bpc and higher, but this is not the problem F5 set out to solve.
To give an impression of the capacity of F5, we have run a simulation at k = 7 over all 1745 images in our test database. The results are shown in Table 1. We generated a long random message which we attempted to embed in every image. We then recorded the number of bits successfully embedded, including the 32-bit status block, which is embedded without matrix coding.
In our simulation, the rate which can be achieved with k = 7 is around 0.01 bpc. We did not run any simulations with k = 5, but it is expected to give a rate approximately three times higher, corresponding to the ratio of the code rates. This means that 0.05 bpc, considered by many authors as an extremely low rate, should actually be considered a relatively high rate for F5.
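The ratio of code rates is easy to check from the code parameters alone: a (2^k − 1, k) Hamming matrix code embeds k bits per block of 2^k − 1 usable coefficients, so its rate is k/(2^k − 1). The snippet below verifies that k = 5 gives a rate below 1/6 and roughly three times the rate of k = 7.

```python
from fractions import Fraction

def matrix_code_rate(k):
    # k message bits per block of n = 2**k - 1 usable coefficients
    return Fraction(k, 2 ** k - 1)

r5 = matrix_code_rate(5)   # 5/31  ~= 0.161, just under 1/6
r7 = matrix_code_rate(7)   # 7/127 ~= 0.055
ratio = r5 / r7            # ~= 2.93, i.e. approximately three times
```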
5 Experimental Methodology
A signiﬁcant difﬁculty in any attempt to compare steganalysis
techniques arises from the many variables involved in setting
up an experiment to determine the classiﬁcation accuracy of
such a scheme. A non-exhaustive list includes:
•Image source: sensor type; sensitivity setting; lens used;
aperture; shutter speed; mounted/handheld; temperature
& other environmental conditions
•Image subject: illumination; detail; etc.
•Image processing: conversion from raw sensor data;
compression for storage; conversion to grayscale; crop-
ping; possible re-compression
•Steganography: embedding rate/message size; strength
or other parameters of embedding scheme; randomiza-
tion of message; randomization of embedding location
•Classifier used (this is often not uniquely determined by the steganalysis algorithm)
•Classiﬁer training: selection of cover images; selection
of stego images (should their covers be part of the train-
ing set?); proportion of cover to stego images; proportion
of stego algorithms/settings
•Classifier tuning: parameter tuning for balancing false positives against false negatives
•Classiﬁer testing: selection of images; statistical accu-
racy of results
This is further complicated by the lack of a comprehensive guide to the approach that should be used. While the general approach is accepted, the many details of a best-practice methodology are scattered across the literature. This makes it very difficult for new researchers, resulting in even more publications using divergent approaches. The lack of consistency makes it practically impossible to make a meaningful comparison between techniques. Sometimes, missing details in published work compromise the reproduction of experimental results.
In our experiments we use a combination of public image databases and our own captured images, ensuring a sufficient number of training and testing images. Source images are greyscale, mostly stored in JPEG format, and have not been processed other than to remove color information and store in compressed format. For each source image, we decompress, crop to the central 640 × 480 region, and store in JPEG-compressed format. The cropping ensures that our source images have the same size, so that we can compare embedded message sizes in a meaningful way.
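This preparation step can be sketched with Pillow; our actual pipeline may differ in library and in the recompression quality factor, which is an assumption here.

```python
from PIL import Image

def prepare_cover(path_in, path_out, size=(640, 480), quality=80):
    """Greyscale-convert, centre-crop and JPEG-recompress one source image.
    The quality factor is illustrative, not the one used in our experiments."""
    im = Image.open(path_in).convert('L')        # drop colour information
    w, h = im.size
    cw, ch = size
    left, top = (w - cw) // 2, (h - ch) // 2     # central crop region
    im.crop((left, top, left + cw, top + ch)).save(path_out, 'JPEG', quality=quality)
```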
After image preparation, we create stego images corresponding to each cover image, using both Westfeld's F5 software implementation (F5Software) and our implementation that avoids double compression (F5Py). In each case, we embed messages of sizes ranging from 1 byte to 500 bytes, creating five different sets of stego images for each implementation.
For each of the cover and stego images, we extract the features for every steganalysis technique we are analysing, in preparation for the subsequent classification process. The freely available LibSVM is then used as the classifier. The soft margin and γ parameters are determined using the 'grid.py' parameter selection tool, available as part of the LibSVM package. Classifier training is based on a random selection of 2/3 of the cover and stego image pairs. The remaining 1/3 of the image pairs are used for classifier testing. The complete process is shown schematically in Figure 2.
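The classification stage can be sketched as follows. As a stand-in we use scikit-learn's SVC (which wraps LIBSVM) with a grid search over C and γ in place of grid.py, and random vectors in place of the extracted 54-dimensional steganalysis features; the grid ranges and data are illustrative assumptions.

```python
import numpy as np
from sklearn.model_selection import GridSearchCV, train_test_split
from sklearn.svm import SVC

# Synthetic stand-in for the 54-dimensional feature vectors of cover/stego images.
rng = np.random.default_rng(0)
X = np.vstack([rng.normal(0.0, 1.0, (120, 54)),    # "cover" features
               rng.normal(0.5, 1.0, (120, 54))])   # "stego" features
y = np.repeat([0, 1], 120)

# 2/3 of the image pairs for training, the remaining 1/3 for testing.
X_tr, X_te, y_tr, y_te = train_test_split(X, y, test_size=1/3,
                                          random_state=1, stratify=y)

# Grid search over the soft margin C and the RBF gamma, as grid.py does.
grid = GridSearchCV(SVC(kernel='rbf'),
                    {'C': [2.0 ** e for e in range(-1, 8, 2)],
                     'gamma': [2.0 ** e for e in range(-9, 0, 2)]},
                    cv=3)
grid.fit(X_tr, y_tr)
accuracy = grid.score(X_te, y_te)  # fraction of test pairs classified correctly
```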
6 Results
Classification results for our conditional probability steganalysis and for the Markov process based technique are shown respectively in Tables 2 and 3. Additionally, results for the wavelet
Figure 2. Experiment tasks
Table 2. Classification accuracy for conditional probability technique (optimal soft margin and γ parameters)
             Message size (bytes)
             1      10     50     250    500
F5Software   97.0%  97.6%  97.4%  98.2%  99.2%
F5Py         50.0%  50.0%  50.0%  54.6%  66.8%
decomposition technique are shown in Table 4. It is clear from the presented results that classification accuracy is significantly reduced when double compression is excluded (F5Py). In fact, none of the steganalysis techniques tested have any detection ability at the small message sizes that allow F5 to operate at its optimal performance. The Markov technique is only able to detect F5 at a message length of 500 bytes, and even then the accuracy is still rather low. Conditional probability steganalysis seems to perform only slightly better. Finally, as already observed in earlier work, wavelet decomposition steganalysis is unable to defeat F5 at any message size.
F5Py also provides a new approach to the double compression issue. Comparing our new implementation with the previous approaches, we can see that:
•Using a stego image with a zero-length message resolves the problem of different quality factors in the preparation and embedding processes. One disadvantage is the extra time needed to prepare the F5 images with no message.
•Using F5Py also resolves the above problem, with the advantage that it saves time by not involving another image preparation process, such as the estimation of the primary quantization matrix.
•Using F5Py resolves the issue of unknown additional JPEG compression of the cover image. This is a very important factor when we consider real-world implementation of steganalysis.
Our discussion of reasonable operating conditions for F5 has shown two things. Firstly, we have shown that F5 is not designed to operate at high embedding rates, and we recommend
Table 3. Classification accuracy for Markov process technique (optimal soft margin and γ parameters)
             Message size (bytes)
             1      10     50     250    500
F5Software   99.8%  99.6%  99.6%  99.6%  99.9%
F5Py         50.0%  50.0%  50.0%  50.0%  62.4%
Table 4. Classification accuracy for wavelet decomposition technique (optimal soft margin and γ parameters)
             Message size (bytes)
             1      10     50     250    500
F5Software   50.2%  50.0%  50.6%  50.4%  50.2%
F5Py         50.0%  50.4%  50.6%  50.4%  50.2%
to restrict the use of F5 to less than 0.05 bpc. This ensures that F5 can take full advantage of matrix encoding, and that its optimal embedding efficiency is not compromised by an excessively large message.
Secondly, we have demonstrated that the Markov model based attack by Shi et al. most likely detects double compression artifacts, which are an artifact of the F5 software implementation and not of the F5 algorithm. It is not nearly as good a classifier for stegograms from an improved implementation of F5 (F5Py) which does not introduce double compression.
We stress the importance of clarifying the test conditions when stego-systems and attacks are specified and evaluated. It is not very useful to attack a system under conditions in which it was never supposed to be used.
It remains to be seen whether double-compressed images
actually exist in the wild, and if so, which image processing
operations tend to produce them. If such images do exist, the
problem of developing and tuning a steganalysis algorithm may
be even more complex than is generally believed; allowing
double-compressed images as cover and stego-images would
mean that the artifacts produced by double compression would
have to be ignored by the classiﬁer.
It is an interesting open problem to see how effective other attacks are on our implementation of F5 at reasonable embedding rates.
Another open problem, and this is of course well known, is how we can design stego-systems with higher capacity without becoming more detectable.
References
 A. Westfeld. F5 version 12 beta. Software available at http://www.inf.tu-dresden.de/
 Chih-Chung Chang and Chih-Jen Lin. LIBSVM: a
library for support vector machines, 2001. Soft-
ware available at http://www.csie.ntu.edu.
 Chunhua Chen, Yun Q. Shi, Wen Chen, and Guorong
Xuan. Statistical moments based universal steganaly-
sis using JPEG 2-d array and 2-d characteristic function.
In Proceedings of the International Conference on Im-
age Processing, ICIP 2006, Atlanta, Georgia, USA, pages
105–108, October 8-11, 2006.
 J. Fridrich and J. Lukas. Estimation of primary quantization matrix in double compressed JPEG images. In International Conference on Image Processing, September
 Jessica Fridrich, Tomáš Pevný, and Jan Kodovský. Statistically undetectable JPEG steganography: dead ends, challenges, and opportunities. In MM&Sec '07: Proceedings of the 9th Workshop on Multimedia & Security, pages 3–14, New York, NY, USA, 2007. ACM.
 Jessica J. Fridrich. Feature-based steganalysis for JPEG
images and its implications for future design of stegano-
graphic schemes. In Information Hiding, 2004.
 Siwei Lyu and Hany Farid. Detecting hidden messages
using higher-order statistics and support vector machines.
In 5th International Workshop on Information Hiding,
Noordwijkerhout, The Netherlands, 2002.
 Siwei Lyu and Hany Farid. Steganalysis using color
wavelet statistics and one-class support vector machines.
Proc. SPIE, 2003.
 Tomáš Pevný and Jessica Fridrich. Merging Markov and DCT features for multi-class JPEG steganalysis. In Proceedings SPIE, Electronic Imaging, Security, Steganography, and Watermarking of Multimedia Contents IX, January 2007.
 Yun Q. Shi, Chunhua Chen, and Wen Chen. A Markov
process based approach to effective attacking JPEG
steganography. In Information Hiding, 2006.
 Ainuddin Wahid Abdul Wahab, Johann A. Briffa, Hans Georg Schaathun, and Anthony T. S. Ho. Conditional probability based steganalysis for JPEG steganography. In 2009 International Conference on Signal Processing Systems (ICSPS 2009), May 15–17, 2009.
 Andreas Westfeld. High capacity despite better steganalysis: F5 – a steganographic algorithm. In Fourth Information Hiding Workshop, pages 301–315, 2001.