A Commutative Encryption and Reversible

A Commutative Encryption and Reversible Watermarking for Fingerprint Image Vaibhav B. Joshi, Dhruv Gupta, and Mehul S. Raval Institute of Engineering and Technology, Ahmedabad University, Ahmedabad, India, [email protected]

Abstract. In this work, authors propose a novel scheme with commutative encryption and reversible watermarking for a fingerprint image. Due to commutative property one can embed and extract watermark in either plain or encrypted fingerprint image, irrespective of order in which encryption or watermarking is applied. The encryption and the watermarking keys are shared using secret key sharing mechanism. The biometric database consists of encrypted and watermarked fingerprint images. After successful authentication, watermarking is inverted to get back the plain fingerprint. The proposed scheme protects many of the vulnerable points of a biometric authentication system. Also native biometric authentication accuracy remains unaffected due to reversible watermarking. As per best of our knowledge, this is the first scheme to include homomorphism between encryption and reversible watermarking. Advantages of the proposed method compared to existing techniques are; 1) higher embedding capacity; 2) better peak signal to noise ratio for the decrypted marked image; 3) use of an optimal key length to preserve security while lowering computational cost; 4) simpler cryptographic key management; 5) smaller side information. Keywords: Commutative, encryption, fingerprint, reversible watermarking.

1

Introduction

In 21st century, due to rapid growth in technology and digitization, human identification and authentication poses the key challenge. Classical authentication mechanisms (ID cards, passwords) are no longer full proof in this era. Hence, biometric features are broadly used for the human identification and authentication. Many developing countries like India [4] use biometric features for the human identification. Therefore, security of the biometric authentication systems is a major concern [8]. Among biometric traits like iris, palm print, retina, signature; fingerprint has been the longest serving, most successful and popular trait for human identification [13]. Therefore, the fingerprint is chosen as a modality in the present work. The authors [8] discussed several vulnerable points in a generic biometric authentication system. These vulnerabilities are shown in

Fig. 1: Vulnerable points in a biometric authentication system [8].

Fig. 1. Most biometric recognition systems are deceived by manipulating; 1) system database; (vulnerable point 6) 2) communication channel (vulnerable point 2 and 7). Watermarking is one of the solution to secure these vulnerable points. Many researchers combined watermarking and biometrics for enhancing the security. In [10] authors proposed chaotic watermarking and steganography [14] to protect biometric data. In the communication channel, encryption and watermarking keys provide security and robustness to the biometrics. Authors in [16] used fragile watermarking to check integrity of the database. The authors used singular value decomposition (SVD) and least significant bit (LSB) plane for watermark embedding. In [11] block based fragile watermarking is used for detecting and localizing tampered parts of a fingerprint. These fragile techniques protect vulnerable point 6 (cf. Fig. 1). Authors in [5] and [7] proposed biometric sample dependent watermark generation and embedding to protect vulnerable point 2. They calculated features from the sample and used them as watermark. At the feature extractor, watermark and the sample features are matched to check the sample integrity. All the watermarking methods discussed above embed and extract watermark disjointly in the plain or in the encrypted domain. They secure any one vulnerable point of a biometric authentication system. On the other hand reversible data hiding in encrypted images [6, 12, 17–19] embeds watermark in encrypted image and extract it from both; encrypted as well as decrypted image. Methods of data hiding in an encrypted image are broadly classified as separable [17, 19] and non-separable [6, 12, 18]. In non-separable class, data can be extracted only after the image is decrypted. Thus, authentication always follows the image decryption step. In separable class, data is extracted either from the encrypted or the decrypted image for authentication. Hence, separable reversible data hiding in encrypted images secures two vulnerable points (i.e point 6 and 7 cf. Fig. 1).

Fig. 2: Basic block diagram incorporating commutative property between encryption and reversible watermarking. (Arrow type indicate possible combinations for watermark embedding and extraction)

From above discussion it is clear that any of the existing data hiding techniques cannot secure vulnerable point 2, 6 and 7 simultaneously. This is possible if watermark is embedded or extracted from either the plain or the encrypted domain. In other words security of the multiple vulnerable points is achieved by incorporating commutative property [15] between encryption and reversible watermarking functions as shown in Fig. 2.

For natural images a commutative reversible data hiding and encryption is proposed in [20]. Author in [20] uses properties of exclusive-OR to incorporate commutativity. Also using parameter optimization reversible data embedding capacity for a cover image is calculated. In [20] author uses a key with large length which makes key management difficult for large database. A step of parameter optimization for embedding capacity calculation makes the scheme complex. In the light of above facts, we propose an encryption and reversible watermarking scheme for fingerprint image which satisfies commutative property. The proposed scheme simultaneously secures multiple points Viz. 2, 6 and 7 of a biometric authentication system (cf. Fig. 1). Reversibility of watermark in the proposed scheme ensures that native biometric authentication accuracy remains unaffected. Summarizing advantages of the proposed method compared to existing technique [20] are: 1) higher data embedding capacity; 2) higher peak signal to noise ratio for the decrypted watermarked image; 3) use of an optimal key length which makes cryptographic key management simple.

2 2.1

Proposed Method Pre-processing

In reversible watermarking, content regains its original state after the watermark removal. For successful reversible watermark embedding using proposed scheme, the input image is pre-processed as follows: 1. Take an input image I of size X × Y . 2. Separate bit planes of I as: bi,j,k = bIi,j,k cmod 2

3. 4. 5.

6.

(1)

where, i = 1, 2, ..., X , j = 1, 2, ..., Y , k = 0, 1, ..., 7 and b c indicates floor operation. Take least significant bit plane (LSBP ) and divide it into blocks of size 2×2. Each block yields a bit pattern out of 16 possible patterns. Find the BP. Where, BP is the bit pattern with maximum probability of occurrence for each bit plane. Perform lossless compression of the LSBP using the following rules: For each block, if the bit pattern equals BP then corresponding location map bit equals 1 otherwise it is 0. Each bit in location map points to the blocks with or without bit pattern BP. Hence size of location map with given 2 × 2 block is 25% of LSBP. Generate bit difference by Ex-ORing BP with pattern not equal to BP. The size of bit difference is proportional to the probability of 1s in location map. Here, the location map and watermark along with auxiliary data occupies 25% and 5% of LSBP respectively. Remaining 70% is occupied by bit difference. Therefore, location map with probability of 1s less than 0.7 is placed in the LSBP to generate compressed LSBP as shown in Fig. 3. For other case location map is to be shared between watermark embedder and extractor.

Fig. 3: Format of compressed LSB plane.

7. Actual payload is zero padded (if required) to match size of the LSBP. 8. Recombine all bit planes as in Eq. 2 to generate the pre-processed image IP . IP (i,j) =

7 X

(bi,j,k · 2k )

(2)

k=0

Note that under the consideration of sharing the location map, if all 16 bit pattern are equally probable then also one can get at least 6% space of LSBP for watermark embedding. 2.2

Image encryption

Due to commutative property in the proposed method, one can apply encryption on the pre-processed image IP or on the watermarked image IW , as shown in Fig. 2. The image encryption process is shown in Fig. 4 and steps are as follows. 1. Take input image IP or IW . 2. Using bit plane slicing, generate 8 bit planes (Pi ) from the input image. 3. Divide each bit plane into vector (V ) of dimension N × 1, such that N is a integer factor of (X × Y ). Therefore, b(X × Y )/N c vectors are generated from each bit plane. where, b c is the floor operation. 4. Using an encryption key (KE ), generate 2N integers randomly from the interval [0, 2N ) in a non-repetitive manner. Divide them into sets of the even and the odd numbers. 5. Take a 2N × 1 multiplexer and apply odd numbers to input lines with odd indices. Similarly, even numbers are applied to input lines with even indices. 6. Apply vector V to selection lines of the multiplexer. 7. Convert output of the multiplexer into binary to generate encrypted vector (Vc ). 8. Repeat steps 6 and 7 for all the (X × Y )/N vectors in all the bit planes. 9. Combine all Vc vectors to get the encrypted bit planes (Pic ). 10. Recombine all the eight encrypted bit planes to get the encrypted image IE or the encrypted watermarked image IW E .

Fig. 4: Basic block diagram of encryption process.

2.3

Image decryption

The steps for the image decryption process are as follows: 1. Use bit plane slicing to generate 8 bit planes from IW E . 2. Divide each bit plane into vectors (VW E ). 3. Next, generate 2N random integers using KE and divide them into sets of even and odd numbers. 4. Apply the odd numbers to the multiplexer’s input lines with the odd indices and the even numbers to input lines with the even indices. 5. Convert VW E into decimal and match it with the random numbers applied to input lines of the multiplexer. 6. Index of the input line for which number matches VW E is converted into binary to get the decrypted vectors (VW D ). 7. Combine all VW D to get the decrypted bit planes. 8. Recombine all the eight decrypted bit planes to get the decrypted watermarked image IW D . 2.4

Watermark embedding

The steps for watermark embedding process are as follows: 1. Take an encrypted image IE or pre-processed image IP . 2. Use bit plane slicing to generate 8 bit planes. 3. Divide LSBP into (X × Y )/N vectors, to get VP or VE , each with dimension N × 1.

4. Using watermarking key (KW ) select the VP or VE between starting and ending point of zero padding block of Fig. 3. Note that watermarking key contains the starting and ending point of zero padding block of Fig. 3. The starting and ending point for watermarking key is: SP = (dSPA /N e) × N EP = (bEPA /N c) × N

(3)

where, SP and EP indicates the starting and ending point of a watermarking key respectively, SPA and EPA indicates the actual starting and ending point of a zero padded block. 5. Replace LSB of the VP or VE by watermark bit to get the watermarked vector (VW ). 6. Combine all the VW vectors to get watermarked LSBP. 7. Recombine watermarked LSBP with all other bit planes to generate encrypted watermarked image IW E or watermarked image IW . 2.5

Watermark extraction

The proposed method can extract watermark from encrypted watermarked image (IW E ) as well as decrypted watermarked image (IW D ). The watermarking key (KW ) and embedded watermark is shared with watermark extractor for authentication. The watermark extraction process is as follows: 1. 2. 3. 4. 5. 6.

Take an image IW E or IW D . Using bit plane slicing generate 8 bit planes. Divide the LSBP into vectors of dimension N × 1. Using KW select vector VW E or VW D from the LSBP. Extract LSB of the vector to get the watermark bit. Compare embedded and extracted watermark bit and if they do not match than corresponding vector is declared unauthentic. 7. Repeat steps 5 and 6 for all vectors selected by KW . 8. Even if a single vector is found to be tampered then the image is declared unauthentic.

2.6

Reversible operation

1. Get the decrypted watermarked image IW D . 2. Perform bit plane slicing on IW D as in Eq. 1. 3. From the LSBP, extract the bit pattern, actual payload size and bit difference. 4. Get location map either from LSBP or from shared memory. 5. Using bit pattern, location map and bit difference, regenerate original LSBP. 6. Combine all MSBs and the original LSBP as per Eq. 2 to generate the original fingerprint image I.

2.7

Commutativity

Functions of watermark embedding and image encryption can be defined as maps, Ω and E respectively. Ω : RX×Y × {0, 1}

2 log2 (XY )

E : RX×Y × {0, 1}

2N −1

f (I)

× {0, 1}

→ RX×Y

→ RX×Y

where X × Y is the size of image and f (I) is function on image I defining size of watermark. Ω and E is said to be commutative if Ω ◦ E = E ◦ Ω. This is visualized with the help of Fig. 5.

Fig. 5: Diagram of commutative property in Ω and E

In the proposed method watermark bit is embedded in the LSB of the plain vector VP or encrypted vector VE . The encryption keeps these LSB’s intact as even and odd indices of the multiplexer’s input lines are mapped to even and odd set of random numbers respectively (cf. step 5, section 2.2). Thus the watermark bits remains unaltered and commutative property is achieved. The commutative property allows to embed/extract watermark in both; the encrypted as well as the decrypted image. In other words, one can use any of the two paths (99K or →) to get a watermarked encrypted image, or watermark extraction and authentication (cf. fig. 2). 2.8

Security Analysis

The encryption key KE generates random integers in the interval [0, 2N ) in a non-repetitive manner to form input of a multiplexer with size 2N × 1. Total

possible combinations of numbers generated this way are (2N )!. Hence, probability Pb of the successful brute force attack is 1/(2N )!. The method in [20] use the encryption key with length equal to one half of image size. Therefore, Pb for 1
. this method is X×Y 2

8×[

2

]

For an encryption algorithm, large key size increases security as Pb reduces at the same time key management and storage becomes a major overhead in private key encryption with a large user-base. Therefore, key size should be optimum to provide adequate security. Our proposal uses a key size which balances the security and memory requirements.

3 3.1

Experimental Results Comparison with existing method [20]

The commutative encryption and data hiding was proposed by Zhang [20]. In this method author mask the gray level values of an image using pseudo-randomly generated bits which also act as an encryption key. The author used parameter optimization criterion to approximately balance embedding capacity and the distortion. Next, we elaborate the data hiding operations applied by Zhang to understand its limitations. The data hider performs bit plane slicing on the plain or the encrypted image. Take two neighbouring bits in a bit plane and performs the exclusive-or operation on them. xn (t) = bn,1 (t) ⊕ bn,2 (t)

(4)

Where t = 0, 1, 2, . . . , 7 indicates particular bit plane. Permute xn (t) using data hiding key to get xp (t). Calculate the rate of zeros (ρ(t)) and find out optimal allowable bit alteration rate (∆(t)) ∈ [0, (ρ(t) - 1/2)] for every xp (t). Find xp (t) for which ∆(t) > 0 and equally divide it into M number of sub-sequences with length L. The limitation for the data hider while selecting the secret data for embedding are as follows: for a given ρ(t) and ∆(t), the probability of 0 and 1 in the data should be (ρ(t) - ∆(t))/ρ(t) and ∆(t)/ρ(t), respectively. This limitation does not allow hider to use any data as it has to be chosen from a restrictive sub-space. Embed the data in place of zeros in every subsequence; that remain as it is or flipped to one depending on the data. So, to keep the track of original 1s and embedded 1s data hider uses auxiliary data, which may contain zero to indicate original 1s and one to indicate embedded 1s. According to Eq. 28 and Eq. 31 in [20], the data carrying capacity (βE ) for every sub-sequences is approximated as: βE ≈ L · ρ(t) · H

 ∆(t)  ρ(t)

and the size of auxiliary data (βA ) is approximated as:

(5)

Table 1: Comparison of proposed method with Zhang [20] Comparison

Proposed

Zhang [20]
X×Y Encryption key size 2 2 8×[ 2 ] Image PSNR (dB) Capacity (bits) PSNR (dB) Capacity (bits) lena 51.16 2.18 × 103 48.6 1.60 × 103 baboon 51.13 2.10 × 103 40.2 2.00 × 103 3 man 51.15 8.81 × 10 41 7.00 × 103 N


βA ≈ L · 1 − ρ(t) + ∆(t) · H

 ∆(t) 1 − ρ(t) + ∆(t)

(6)

Under the condition of βE > βA the data hider can easily embed the auxiliary data along with the secret data into a cover image. This assumption holds true in the paper proposed by Zhang. However this may not be true for many natural images. For example: according to Table I and Table II in [20], ρ(2) = 0.51, λ = 0.0003 and ∆(t) = 0.011 are given for lena image. Using these values, Eq. 5 and Eq. 6, we obtain βE = 0.076 and βA = 0.076. For every bit plane in which data is embedded, a vector c(t) is generated which carry auxiliary data, ρ(t), ∆(t) and supplementary information for image recovery. These c(t)s are inserted at the beginning of xp (0). Therefore, image(s) for which βE ≈ βA and ∆(0) = 0, data hider is forced to share auxiliary data and c(t) via secondary channel or memory for data extraction and reversible operations. Under the constraint that data hider needs secondary channel for sharing the auxiliary data, Table 1 shows the comparison of proposed method with Zhang [20] for natural images. PSNR and embedding capacity for Zhang [20] is directly taken from the paper. Compared to natural images histogram of the fingerprint images is restricted to the specific intensity range [9] as shown in Fig. 6. Due to this property of histogram, 1s occurs with probability less than 0.7 and therefore location map is not shared separately. Hence, proposed method is more secure for fingerprint images. 3.2

Results on fingerprint images

The proposed method is evaluated using 500 fingerprint from FVC 2000 [1], FVC 2002 [2] and FVC 2004 [3] databases. For experiments 8 bit fingerprint image I with 500 dpi resolution and size X = Y = 512 is selected. 28 × 1 multiplexer is used for image encryption and decryption. Hence random numbers are generated from the range [0, 255] and the Pb is 1/256! which tends to zero. Fig. 7a and Fig. 7b show the original finger print image and it’s watermarked version. While Fig. 7c and Fig. 7d shows encrypted and decrypted versions of the watermarked image.

(a) Fingerprint 1

(b) Histogram of Fingerprint 1

(c) Fingerprint 2

(d) Histogram of Fingerprint 2

(e) Fingerprint 3

(f) Histogram of Fingerprint 3

Fig. 6: Fingerprint images and their respective histograms.

The watermarking method is reversible in nature, thus native fingerprint authentication accuracy remains unaffected. This means there is no change in the receiver operation characteristics (ROC) of the fingerprint authentication system. Due to commutative property in our proposal, watermarking the plain fingerprint image (I) from a sensor secures vulnerable point 2. Same watermark is

(a)

(b)

(c)

(d)

Fig. 7: (a) Original image, (b) plain watermarked image, (c) encrypted watermarked and (d) decrypted watermarked image.

Table 2: BER at different vulnerable point under different attacks Attacks Histogram equalization Laplaceian filtering (α = 0.2) Average filtering (3 × 3) Gaussian noise (µ = 0 and σ = 0.01)

BER at vulnerable point 2

BER at vulnerable point 6

BER at vulnerable point 7

0.49

0.49

0.48

0.49

0.52

0.51

0.50

0.51

0.50

0.51

0.49

0.49

used to authenticate IW E stored in database (vulnerable point 6). The flexibility of extracting watermark from the decrypted image secures communication channel (vulnerable point 7). Hence the single watermarking scheme is used for securing multiple vulnerable points of a fingerprint authentication system. Table 2 shows sensitivity of watermark at different vulnerable points. It shows that method is sensitive against any manipulation and it declares the fingerprint image as unauthentic due to high bit error rate (BER).

Fig. 8: Time required for encryption w.r.t number of selection lines (N ) in the multiplexer.

For the proposed method, time required for encryption is inversely proportional to the key size as shown in Fig. 8. As observed the time required for 1 ∼ encryption does not change significantly after N = 8. Also Pb = 218 ! = 256! = −507 1.2×10 . Therefore, as an optimal solution between the security and memory requirement we have selected an encryption key length N = 8.

4

Conclusion

In this work, we propose a novel scheme with encryption and reversible watermarking, satisfying commutative property. By introducing commutative property, proposed method secure multiple vulnerable points (i.e 2, 6 and 7) of fingerprint authentication system. As reflected from Table 1, proposed method provides higher PSNR and higher embedding capacity than [20]. The proposed method has lower memory requirement for the key storage and management, and close to zero probability of a successful brute force attack.

References 1. Fingerprint database: Fvc2000 (2000), http://bias.csr.unibo.it/fvc2000/ databases.asp 2. Fingerprint database: Fvc2002 (2002), http://bias.csr.unibo.it/fvc2002/ databases.asp 3. Fingerprint database: Fvc2004 (2004), http://bias.csr.unibo.it/fvc2004/ databases.asp 4. Unique identification authority of india - uidai (2012), http://uidai.gov.in/ 5. Bartlow, N., Kalka, N., Cukic, B., Ross, A.: Protecting iris images through asymmetric digital watermarking. In: Automatic Identification Advanced Technologies, 2007 IEEE Workshop on. pp. 192–197. IEEE (2007)

6. Hong, W., Chen, T.S., Wu, H.Y.: An improved reversible data hiding in encrypted images using side match. Signal Processing Letters, IEEE 19(4), 199–202 (2012) 7. Huber, R., St¨ ogner, H., Uhl, A.: Semi-fragile watermarking in biometric systems: template self-embedding. In: Computer Analysis of Images and Patterns. pp. 34– 41. Springer (2011) 8. Jain, A.K., Kumar, A.: Biometrics of next generation: An overview. Second Generation Biometrics. (2010) 9. Joshi, V.B., Raval, M.S., Gupta, D., Rege, P.P., Parulkar, S.: A multiple reversible watermarking technique for fingerprint authentication. Multimedia Systems pp. 1–12 (2015) 10. Khan, M.K., Zhang, J., Tian, L.: Protecting biometric data for personal identification. In: Advances in Biometric Person Authentication, pp. 629–638. Springer (2005) 11. Li, C., Wang, Y., Ma, B., Zhang, Z.: Multi-block dependency based fragile watermarking scheme for fingerprint images protection. Multimedia tools and applications. 64(3), 757–776 (2013) 12. Ma, K., Zhang, W., Zhao, X., Yu, N., Li, F.: Reversible data hiding in encrypted images by reserving room before encryption. Information Forensics and Security, IEEE Transactions on 8(3), 553–562 (2013) 13. NSTC, Committee on Technology, Committee on Homeland and National Security, Subcommittee on Biometrics: Fingerprint recognition (2006), http://www. biometrics.gov/documents/fingerprintrec.pdf 14. Raval, M.S.: A secure steganographic technique for blind steganalysis resistance. In: Advances in Pattern Recognition, 2009. ICAPR’09. Seventh International Conference on. pp. 25–28. IEEE (2009) 15. Schmidt, G.: Relational mathematics, no. 132 in encyclopedia of mathematics and its applications (2010) 16. Wang, D.s., Li, J.p., Wen, X.y.: Biometric image integrity authentication based on svd and fragile watermarking. In: Image and Signal Processing, 2008. CISP’08. Congress on. vol. 5, pp. 679–682. IEEE (2008) 17. Zhang, W., Ma, K., Yu, N.: Reversibility improved data hiding in encrypted images. Signal Processing 94, 118–127 (2014) 18. Zhang, X.: Reversible data hiding in encrypted image. Signal Processing Letters, IEEE 18(4), 255–258 (2011) 19. Zhang, X.: Separable reversible data hiding in encrypted image. Information Forensics and Security, IEEE Transactions on 7(2), 826–832 (2012) 20. Zhang, X.: Commutative reversible data hiding and encryption. Security and Communication Networks 6(11), 1396–1403 (2013)