IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 5, NO. 1, MARCH 2010
Secure Client-Side ST-DM Watermark Embedding
Alessandro Piva, Member, IEEE, Tiziano Bianchi, Member, IEEE, and Alessia De Rosa
Abstract—Client-side watermark embedding systems have been proposed as a possible solution for the copyright protection in large-scale content distribution environments. In this framework, we propose a new look-up-table-based secure client-side embedding scheme properly designed for the spread transform dither modulation watermarking method. A theoretical analysis of the detector performance under the most known attack models is presented and the agreement between theoretical and experimental results verified through several simulations. The experimental results also prove that the advantages of the informed embedding technique in comparison to the spread-spectrum watermarking approach, which are well known in the classical embedding schemes, are preserved in the client-side scenario. The proposed approach permits us to successfully combine the security of client-side embedding with the robustness of informed embedding methods.
Index Terms—Client-side embedding, fingerprinting, informed embedding, multiple decryption, secure watermark embedding, spread transform dither modulation (ST-DM).
Manuscript received July 16, 2009; accepted November 30, 2009. First published December 31, 2009; current version published February 12, 2010. This work was supported in part by the European Commission through the IST Programme under Contract 034238 – SPEED and in part by the Italian Research Project (PRIN 2007): “Privacy aware processing of encrypted signals for treating sensitive information.” The information in this document reflects only the author’s views, is provided as is and no guarantee or warranty is given that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability. The associate editor coordinating the review of this manuscript and approving it for publication was Dr. Nasir Memon. The authors are with the Department of Electronics and Telecommunications, University of Florence, 50139 Firenze, Italy. Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org. Digital Object Identifier 10.1109/TIFS.2009.2038761

I. INTRODUCTION
In recent years, new models for the distribution of multimedia content have appeared and seem to gain every day more and more popularity among the customers. Distribution channels such as digital music downloads and video-on-demand services pose new challenges to the design of content protection measures aimed at preventing or deterring copyright violations from malevolent users. One of the adopted technologies on the deterrence side is the digital watermarking technology [1], [2], allowing embedding of a unique code into each copy of the multimedia content to be distributed, where the code links the content to a particular user or device receiving it. When unauthorized content is found, the detection of the hidden watermark allows tracing of the user who has redistributed the content. Content distribution systems are based on a server–client architecture; when watermarking technologies are adopted, usually a trusted server embeds the code and then sends the watermarked content to the corresponding client. This approach
makes it possible to securely embed the watermark into the content, so that neither unwatermarked copies nor information related to the embedding process are disclosed outside the server. However, in large-scale systems, the server may become overloaded, since the computational burden related to the embedding grows linearly with the number of users. In addition, since the distribution of individually watermarked copies requires us to resort to point-to-point communication channels, bandwidth requirements can become prohibitive. A different architecture, proposed in [3], is based on a federation of web entities constituting a distributed protection center, that relieves the content provider of the task of directly implementing the watermarking procedures. This model is designed for applications where the client is assumed to be light as much as possible, but has the drawback to require the setup of services based on complex technologies and “ad-hoc” web architectures; in addition, bandwidth requirements can still be prohibitive in the presence of many users, due to the distribution of individually watermarked copies. An alternative solution is represented by the client-side watermark embedding: in this case, a server–client architecture is again adopted; however, in this case, the server is allowed to send a unique copy of the content to all the interested users through broadcasting systems, without the need to generate different watermarked copies (thus removing the bottlenecks present in the server-side watermark embedding approach); instead, each client will be in charge of embedding a personal watermark identifying the received copy. In this case, however, since the clients are untrusted, proper solutions need to be devised not to allow malevolent users to have access to the original content or to the watermark to be inserted. 
A new approach, defined as secure watermark embedding, has been proposed for facing such a problem: here, the server transmits the same encrypted version of the original work to all the clients, but a client-specific secret allows decryption of the content and at the same time implicit embedding of a personalized watermark, obtaining a uniquely watermarked version of the work. In literature, several approaches for secure watermark embedding have been proposed, reviewed in [4]. Here we are interested in the methods based on ciphers that decrypt a ciphertext to slightly different plaintext when different decryption keys are used, in such a way that the difference between the original and the decrypted content represents the hidden watermark. The first scheme following this approach has been proposed in [5], where a special stream cipher, called Chameleon, is adopted. During encryption, a sequence of indexes is generated to select four entries from a look-up-table (LUT), consisting of random 64-bit words, for each element of the plaintext. These entries are XORed with the plaintext to form the ciphertext. The decryption process is identical to encryption except for the use of a decryption LUT, which is obtained by properly inserting bit errors in some entries of the encryption LUT. Decryption superimposes
these errors onto the content, thus leaving a unique watermark. Recently, Adelsbach et al. [6] and Celik et al. [7] have proposed generalizations of the Chameleon cipher. In particular, [7] has been the first method applicable to multimedia content: by allowing us to use algebraic operations (i.e., addition/multiplication) during encryption/decryption, an LUT-based secure client-side embedding method for additive/multiplicative spread-spectrum (SS) watermarks was designed. To move one step further in the field of secure client-side watermark embedding for multimedia content distribution, we set out to improve the above-mentioned method through the adoption of a more robust watermarking scheme. By relying on the well-known results coming from the watermarking community on the superiority of the class of informed embedding (or host-interference rejecting) data hiding schemes with respect to the classical SS methods [8], our aim was to modify the model proposed in [7] so that the secure client-side embedding scheme will be able to embed a watermark belonging to the quantization index modulation (QIM) class [9], [10], that has rapidly become popular as one of the best performing watermarking strategies. In particular, we properly designed an LUT-based secure client-side embedding system allowing us to embed a spread transform dither modulation (ST-DM) watermark [9]. As will be demonstrated in the following sections, this modification is not straightforward, since the client-side embedding framework imposes some constraints that do not allow us to embed a pure ST-DM watermark. Still, the experimental results will confirm that the superiority of ST-DM versus SS watermarking exhibited in the classical embedding schemes is maintained also in the client-side embedding approach. The rest of the paper is organized as follows.
In Section II, we briefly review the two main works that inspired our proposed method, namely the ST-DM algorithm and the LUT-based secure embedding scheme. While Section III describes how we modify the secure client-side embedding approach for embedding ST-DM watermarks, thus leading to ST-DM secure embedding, the relating detection process is described in Section IV. A thorough theoretical analysis of the performance of the proposed system is derived in Section V, under the most known attack models; whereas the experimental tests for validating the performances of the system in a practical scenario are shown in Section VI. Some concluding remarks complete the paper in Section VII.

II. RELATED WORK
In this section, the two key concepts on which our proposed scheme is based are described: the ST-DM watermarking scheme and the LUT-based secure embedding approach. In Table I a list of the main symbols used hereafter is provided.

TABLE I: TABLE OF SYMBOLS

A. ST-DM Algorithm
The ST-DM watermarking algorithm [9], as already explained, belongs to the wider class of QIM watermarking algorithms. According to the QIM approach, watermark embedding is achieved through the quantization of the host feature vector on the basis of a set of predefined quantizers, where the particular quantizer used by the embedder depends on the to-be-hidden message . Practical implementations resort to dithered quantizers, i.e., sets of quantizers where quantization cells and reconstruction values of each quantizer are shifted
versions of cells and values of any other quantizer in the set. These shifts are usually represented by pseudorandomly generated vectors, called dither vectors, modulated by the to-be-embedded information. The simplest way to design a QIM watermarking system consists of a binary dither modulation (DM) with uniform scalar quantizers: in this realization, we assume that is a binary vector, and that each bit of , say , determines which quantizer, chosen between two uniform scalar quantizers, is used to quantize a single scalar host feature . Two codebooks and associated, respectively, to a bit value and are built as (1) where is the quantization step, and the dithering value. Watermark embedding is achieved by applying to the feature the quantizer associated to , depending on the to-be-hidden bit value , obtaining the marked feature (2)

The ST-DM algorithm permits us to exploit the availability of host features to host a single bit . According to the ST-DM approach, the correlation between the host feature vector and a reference spreading signal is quantized instead of the features themselves. In a more precise way, the correlation between and a unit-norm pseudorandom sequence is computed as . The correlation is then quantized by applying to it either quantizer depending on the to-be-hidden bit , so that the quantized correlation is . Then a new vector component along the direction of is added, so that the watermarked features are given by (3)
PIVA et al.: SECURE CLIENT-SIDE ST-DM WATERMARK EMBEDDING
In this way, it is guaranteed that projecting the watermarked feature vector onto is exactly equal to . As to the recovery of the hidden information, the embedded bit is read by adopting a minimum distance decoder applied to the correlation of the watermarked and possibly attacked features with the vector ( ) (4) which is equivalent to quantizing with a quantizer and checking if the difference between and its quantized version is nearest to 0 or .

The ST-DM approach can be extended in such a way that the host features are projected not only along one direction, but on a vector subspace, allowing us to introduce an additional degree of freedom in the design of the scheme [11], [12]. In [11], the host features hide a binary codeword of bits: the codeword is embedded by projecting the host features to mutually orthogonal random spreading sequences ( ), and by properly quantizing the resulting correlation values. The watermarked vector of host features is then obtained by modifying (3) in the following way: (5) where is the th spreading sequence relating to the th bit of the codeword and the th correlation refers to the th spreading sequence . The watermark decoding is accomplished by applying (4) to each of the orthogonal directions, that is to each th correlation .

It is worth noting that informed embedding algorithms can be also viewed as watermarking schemes using syndrome coding [13], [14], i.e., schemes in which the information is coded in the residual error after quantization. Namely, the marked feature of a QIM watermarking system can be modeled as (6) where is a shift encoding the information bit and can be considered as the error made after quantizing with the quantizer , i.e., the information is encoded in the syndrome obtained after decoding as an element of the codebook .
The syndrome coding approach is useful for client-side embedding, since it permits separation of the watermarked feature into a server-dependent part , which depends on the cover content, and a client-dependent part , which depends on the information to be embedded. From a different point of view, according to the idea introduced in [15], it is also possible to consider the first part as the result of a preprocessing step, introduced to limit the computational burden of embedding, and the second part as the result of the actual embedding process. Syndrome coding can be also used to generalize conventional QIM and ST-DM approaches by allowing arbitrary syndrome codewords , so as to provide an additional degree of freedom in the generation of the client-dependent part. As it will become clear in the following, this additional degree of freedom is essential for the definition of the proposed client-side ST-DM secure embedding.
Fig. 1. Encryption and following joint decryption and watermarking procedure proposed in [7].
B. LUT-Based Secure Embedding
The secure embedding proposed by Celik et al. in [4], [7] works as follows. A distribution server generates a long-term master encryption LUT of size , whose entries, denoted by , are i.i.d. random variables following a Gaussian distribution . The LUT will be used to encrypt the content to be distributed to the clients. Next, for the th client, the server generates a personalized watermark LUT whose entries follow a Gaussian distribution , and builds a personalized decryption LUT by combining component-wise the master encryption LUT and the watermark LUT: (7) for . The personalized decryption LUTs are then transmitted once to each client over a secure channel. Let us note that the generation of the LUTs is carried out just once at the setup of the application.

A content, represented as a vector of size , is encrypted by adding to each element of it entries of the LUT pseudorandomly selected according to a content-dependent key . We assume that each content is linked with a unique key , that could be retrieved from a particular content by using, for example, some robust hashing techniques, as those described in [16] and [17]. The obtained encrypted content is sent to all the authorized clients along with the key . The th client can decrypt by using his/her personalized decryption LUT , with the final effect that an SS watermark sequence is embedded into the decrypted content , through an additive rule (i.e., each content feature is modified according to the rule ). This process is summarized in Fig. 1.

In detail, driven by the content-dependent key , a set of values in the range is generated, where , . Each of the content features is encrypted by adding entries of the encryption LUT identified by the indexes , obtaining the encrypted feature as follows: (8) Joint decryption and watermarking is accomplished by reconstructing with the content-dependent key the same sequence
of indexes and by adding to each encrypted feature entries of the decryption LUT (9) where the th watermark component is given as the sum of entries of the LUT . The result of this operation is the watermarked content identifying the th user. As explained in [4], the parameter influences the security of the encryption and should be set to in order to provide resilience against known-plain-text attacks. In our application, this fact limits the freedom we have in designing the watermark components , as it will be detailed in the next section.

During watermark detection, by means of the key , the same sequence of indexes used in the encryption and embedding steps is reconstructed. For each client, identified by the corresponding watermark LUT , a watermark sequence is generated and correlated with an estimated watermark extracted from the possibly watermarked content. The obtained correlation is then compared with a properly chosen threshold to decide if the watermark for that particular client is present in the content or not.

Equation (9) represents the classical additive SS watermark embedding rule, where the watermarked feature is given as the sum of the corresponding original feature and the watermark component; as previously stated, our intent is to modify the secure embedding procedure so that the final watermarked content assumes the form of (5). In the following, such an aim is pursued.

III. ST-DM SECURE EMBEDDING
Based on the schemes described in Section II, we now propose the new secure embedding approach for ST-DM watermarks. Starting from an original vector composed by features, a random projection matrix whose columns are orthogonal is generated. The host features are projected according to , which, differently from the traditional ST-DM, needs to be known to the clients; in order to add a level of secrecy, only out of projections will be quantized to embed the watermark, where the directions are kept secret to the clients. Let us indicate by the indexes corresponding to the directions where the watermark will be introduced.
To represent that only out of projections are quantized, we will resort to an matrix denoting a partition of obtained by picking the columns whose indexes are in . To embed the watermark, we generalize the ST-DM scheme of (5) by using syndrome coding. The server-dependent part (the codebook ) is obtained as a set of dithered quantizers, shifted each by a factor with respect to a reference quantizer having fixed step size , that is . The dithering values are assumed independent and uniformly distributed in . Both and can be considered as private watermarking keys and are never communicated to the clients. Each dithered quantizer is used to quantize one of the randomly chosen projections, so that the embedded components are, for (10) where
is the syndrome associated to the th projection.
In a forensic application, we can associate to the th client a unique syndrome codeword represented as a vector , so that the vector of watermarked features, for the th user, becomes
(11) According to this approach, in (11) it is possible to distinguish between a term present in all the watermarked copies of the content, i.e., the summation , and a term identifying the single user, i.e., the summation . When an unauthorized copy of the content is distributed, the detector will try to identify the dishonest client by looking at this uniquely distinguishing term (based on the syndrome codeword ).

A. Client-Side Embedding
Let us now describe how the previously proposed watermarking algorithm can be modified in order to allow a secure client-side embedding. It is supposed that a distribution server, as in [4] and [7], generates an encryption LUT , and, for each client, a personalized watermark LUT . For each client, a personalized decryption LUT is also computed by combining component-wise the master encryption LUT and the watermark LUT . In addition, let us consider that the server generates a projection matrix . The personalized decryption LUTs and the matrix are then transmitted once to each client over a secure channel.

The server encrypts a set of host features of size by adding some entries of the LUT ; however, different from (8), where terms are directly added to , here different entries are added along each of the orthogonal directions . In addition, in randomly chosen directions the common terms present in the watermark embedding rule (11) are introduced, so that at the server side the host feature vector will be modified as in the following: (12) Through the broadcast transmission, the server distributes, with the encrypted content, the public content-dependent key ( ) needed to reconstruct the sequence of indexes of the LUTs. Decryption and watermark embedding is then achieved by adding to the encrypted content entries of the LUT along each of the orthogonal directions
(13) If we assume it is possible to set , the result of this operation is the sequence of features , watermarked using the syndrome codeword defined by the set , identifying the th user. We note that, due to the
random nature of the LUTs, each client will be identified by a Gaussian random codeword, thus it is not possible to guarantee the same level of robustness for all clients. Different syndrome codewords could be obtained by choosing ad hoc LUTs. However, since the security of client-side embedding requires us to add random entries from an LUT (with larger resulting in better security) we do not have complete control on the generated codewords. Joint decryption and watermarking process become (14) The final effect of the joint decryption and watermarking is that an ST-DM embedding, as in (11), has been carried out, but in ( ) directions an SS like noise has been added. These noise terms cannot be avoided, since the client is not allowed to know the out of directions where the watermark is hidden, indicated by the set . If this were the case, a malicious attacker could add noise only on the used projections, thus reducing the security of the system. Compared to a traditional ST-DM system, the penalty term in (14) can be viewed as the price to be paid to implement an ST-DM client-side system in a secure way.

IV. DETECTION
Unlike most of the previous LUT-based secure embedding methods, in our proposed approach, the detection process is blind, i.e., it does not require access to the original content. For security reasons, it is assumed that detection is not allowed to the clients, but it can be carried out by only the server or by a trusted third party (TTP), in case that the clients do not trust the server. In this way, sensitive parameters like the set and the dithering values are unknown to the clients, thus to the attackers. During the detection step, we suppose then that a content copy is illegally distributed and we would like to determine which client received such a copy.
Hence, the TTP or the server knowing the examined image, its relative content-dependent key , the matrix , and the set of all the watermark LUTs , computes the detection statistics for each client (i.e., for each ) and the detector finally provides either a negative output (no watermark is present in the analyzed image) or the name of the guilty client owning the suspected image. In detail, it is assumed that the input to the detector is a vector of possibly altered watermarked features, denoted as . Such a vector is projected onto the directions carrying the watermark, yielding a vector of correlations between and (15) Since the embedding rule makes it difficult to define a likelihood ratio, the proposed detector relies on a suboptimal approach which considers the quantization errors [12]. Moreover, besides deciding whether the content is watermarked or not, in our application, we must distinguish among possible clients. Hence, we resort to a minimum distance decoder followed by a threshold. Namely, the detector computes a vector of quantization errors as (16)
where . Then, the detector computes the distances between the syndrome and each syndrome codeword as (17) and picks the codeword which minimizes the above distance. If the minimum distance stays below a threshold, then the corresponding client is declared guilty; otherwise, no watermark is found on the examined content. Since does not depend on , minimum decoding is equivalent to consider a correlation followed by a maximum detector [18]. That is, the detector statistics for the th client is defined as (18) and the decision is made according to the following test: if if
. (19) The output of the test is either the index of the guilty client or the special symbol meaning that no watermark has been found on the examined content. The threshold has to be set so as to minimize the probability of detection errors. To do so, we formulate the problem as a binary hypothesis testing where the hypotheses are: , the content is not watermarked; , the content contains the watermark of the th client. The detector makes an error every time it accuses a client and no watermark was present (false alarm) or it fails in detecting the watermark of the th client. However, in the second case, we can have two kinds of errors, depending on whether the detector decides that no watermark is present (missed detection) or it wrongly accuses an innocent client (wrong accusation). Obviously, the second kind of error can have severe consequences in a dispute resolution and thus, in the detector design, it has to receive the same attention as the false alarm error. The performance of the detector is then measured by the probability of false alarm , the probability of missed detection , and the probability of wrong accusation , defined as (20) (21) (22) Note that refers only to the case in which a watermarked content is classified as unwatermarked, since the probability of accusing an innocent client is referred to as . Hence, the probability of correct detection should be expressed as . The above error probabilities will depend on the threshold and on several other parameters of the system; such probabilities will be theoretically evaluated in Section V under the most known attack models, whereas in Section VI the behavior of the overall system will be experimentally tested in a practical scenario.

A. Scalability
The detection according to the test in (19) requires us to compute statistics (18). Let us indicate as the length of ,
hence the number of operations needed for the detection step is ; if the number of customers is really high, for example on the order of users, the application of the above detector may become impractical. A possible solution could be to employ a hierarchical structure of the watermark using multiple watermark LUTs for each client. The higher level will identify a group of users, whereas the successive levels will refine the partition of the group up to the single users. Using levels, the number of operations is reduced to , thus making the application of the detector more practical.

Alternatively, the LUT selection strategy using circular shift proposed in [4] may be adopted: this method permits us to compute simultaneously a given number of correlations with only three fast Fourier transform (FFT) operations. This strategy can be applied with our detector by replacing the minimum distance decoder with the corresponding suboptimal correlation decoder: By approximating the second term in (18) as nearly constant for each user, so that it can be included in the threshold, the statistics become simple correlations: . Following the approach presented by Celik et al., only a maximum of (the LUT size) shifts would be possible, and thus only clients could be supported. However, as the same authors propose as possible solution, the users can be divided in groups, each of them referring to an independent LUT. Relying on the complexity considerations described in [4], the correlation with LUTs requires FFTs and thus the total number of operations results in .

In order to compare the complexity of the three above-mentioned decoding approaches, we may consider their asymptotic behavior and, assuming that the size of the watermark and the size of the LUT are asymptotically similar, we achieve , , and , for the three decoders, respectively.
On the other hand, concerning the performances of the methods, while in the hierarchical approach the reduction of the watermark length from to will increase the probabilities of errors with respect to the classical decoder, by adopting the circular shift approach, the system is less secure against the collusion attack due to the redundancy in the watermark LUTs, as detailed in [4].
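The scheme of Sections II-B to IV run end to end, as an added example that is not the authors' code: the server quantizes secret projections and encrypts with the master LUT, a client's personalized LUT decrypts and leaves its syndrome, and the detector traces a copy from the quantization errors. Assumptions: all names and parameter values, a sign-randomized Hadamard basis standing in for the random orthogonal projection matrix, a decryption LUT formed as watermark entry minus encryption entry, and a detection statistic of correlation minus half the codeword energy compared with a fixed threshold.

```python
import math
import random

M, R = 512, 256               # features per block / secretly quantized directions
LUT_SIZE, S = 1024, 4         # LUT length / LUT entries summed per direction
DELTA = 8.0                   # quantizer step (assumed value)
SIGMA_E, SIGMA_W = 50.0, 0.5  # std-dev of encryption / watermark LUT entries
THRESHOLD = 48.0              # detection threshold (assumed value for this demo)


def dot(a, b):
    return sum(p * q for p, q in zip(a, b))


def make_basis(rng):
    """Orthonormal directions: sign-randomized Hadamard columns (M = 2^n)."""
    signs = [rng.choice((-1.0, 1.0)) for _ in range(M)]
    scale = 1.0 / math.sqrt(M)
    return [[signs[i] * scale * (-1) ** bin(h & i).count("1") for i in range(M)]
            for h in range(M)]


def lut_indexes(key):
    """S LUT indexes per direction, derived from the public content key."""
    rng = random.Random(key)
    return [[rng.randrange(LUT_SIZE) for _ in range(S)] for _ in range(M)]


def quantize(rho, dither):
    """Dithered uniform quantizer with step DELTA."""
    return DELTA * round((rho - dither) / DELTA) + dither


def add_lut_along_basis(vec, basis, lut, key):
    """Add, along every direction h, the sum of the S selected LUT entries."""
    out = list(vec)
    for h, idx in enumerate(lut_indexes(key)):
        amp = sum(lut[t] for t in idx)
        out = [o + amp * s for o, s in zip(out, basis[h])]
    return out


class Server:
    def __init__(self, n_clients, seed):
        rng = random.Random(seed)
        self.basis = make_basis(rng)                 # sent to every client
        self.secret_dirs = rng.sample(range(M), R)   # private: quantized directions
        self.dither = [rng.uniform(-DELTA / 2, DELTA / 2) for _ in range(R)]  # private
        self.enc_lut = [rng.gauss(0.0, SIGMA_E) for _ in range(LUT_SIZE)]
        self.wm_luts = [[rng.gauss(0.0, SIGMA_W) for _ in range(LUT_SIZE)]
                        for _ in range(n_clients)]

    def decryption_lut(self, k):
        """Personalized LUT: cancels the encryption entry, leaves the watermark."""
        return [w - e for e, w in zip(self.enc_lut, self.wm_luts[k])]

    def encrypt(self, x, key):
        """Quantize the secret projections, then mask every direction."""
        c = list(x)
        for r, d in zip(self.secret_dirs, self.dither):
            rho = dot(x, self.basis[r])
            shift = quantize(rho, d) - rho
            c = [ci + shift * si for ci, si in zip(c, self.basis[r])]
        return add_lut_along_basis(c, self.basis, self.enc_lut, key)

    def trace(self, y, key):
        """Return the index of the accused client, or None if no watermark."""
        idx = lut_indexes(key)
        errors = []
        for r, d in zip(self.secret_dirs, self.dither):
            rho = dot(y, self.basis[r])
            errors.append(rho - quantize(rho, d))    # syndrome left by the client
        best, best_stat = None, THRESHOLD
        for k, lut in enumerate(self.wm_luts):
            w = [sum(lut[t] for t in idx[r]) for r in self.secret_dirs]
            stat = dot(errors, w) - 0.5 * dot(w, w)
            if stat > best_stat:
                best, best_stat = k, stat
        return best


def client_decrypt(c, key, basis, dec_lut):
    """Joint decryption and watermarking: the client only ever adds LUT entries."""
    return add_lut_along_basis(c, basis, dec_lut, key)


def rms(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)) / len(a))


if __name__ == "__main__":
    server = Server(n_clients=3, seed=2010)
    rng = random.Random(7)
    x = [rng.gauss(128.0, 30.0) for _ in range(M)]   # constructed sample features
    key = "content-0001"                             # constructed content key
    c = server.encrypt(x, key)
    y = client_decrypt(c, key, server.basis, server.decryption_lut(1))
    print("rms(c - x) =", round(rms(c, x), 2))
    print("rms(y - x) =", round(rms(y, x), 2))
    print("traced:", server.trace(y, key), "| clean content:", server.trace(x, key))
```

The client never sees `secret_dirs` or `dither`, so its decrypted copy carries the ST-DM syndrome in the quantized directions and SS-like noise in all the others.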
V. PERFORMANCE EVALUATION: THEORETICAL ANALYSIS
The performance of the system has been theoretically studied under two classes of attacks, namely additive white Gaussian noise (AWGN) and average collusion.

A. AWGN Attack
This kind of attack is well studied in literature, since a large number of attacks can be modeled as an AWGN which degrades the watermarked content. Under the AWGN attack, the received vector of projections can be modeled as (23) (24) where is the projection of the original (unwatermarked) content and is the noise.

The probability of false alarm can be evaluated under the hypothesis as (25) where represents the logical disjunction operator, and the inequality in the last step comes from the union bound [19]. Note that the detection statistics cannot be assumed mutually independent, since the fingerprint vectors are not mutually orthogonal. Under hypothesis , the quantization errors measured by the detector are (26) Hence, the detector statistics are . If the standard deviation of is large compared to (which is usually the case if the watermark is imperceptible), the quantization errors can be assumed uniformly distributed with variance . Moreover, thanks to the orthogonality of the projections vectors, the quantization errors are independent on each projection. By using the central limit theorem (CLT), we can model the detector statistics as Gaussian variables having mean and variance . According to this, the probability of false alarm can be upper bounded as (27) where is the -function. The other error probabilities can be evaluated under the hypothesis . In particular, the probability of missed detection is given by
(28) where
represents the logical conjunction operator, and . Again, we use an upper bound since we cannot exploit the independence of the detector statistics. In this case, the quantization errors are given by (29) where the terms take into account the fact that the values of may fall outside the quantization interval . The probability distribution of is given by (30)
where (31) and is the delta function. The detector statistics are then given by . By invoking again the CLT, can be assumed to follow a Gaussian distribution with mean (32) and variance (33) where we define the mean , and the covariances and . Following (30), the mean of can be derived as (34) whereas the covariance matrices are given by (35) and (36) where (37) By plugging it into (28), we have that the probability of missed detection satisfies (38) where is the cumulative distribution function (cdf) of Gaussian variable with zero-mean and unit variance.

The probability of wrong accusation can be obtained as (39) where the inequality comes again from the union bound. With we denote the pairwise error probability, i.e., the probability that the detector decides for the th client when the watermark of the th client was present. Such a probability can be evaluated as (40) where . The detection statistics in this case, being the quantization errors the ones in (29), are given by and can be assumed Gaussian distributed with mean (41) and variance (42) From (39) and (40), the probability of wrong accusation is finally upper bounded as (43)

B. Average Collusion Attack
A collusion attack occurs when several clients having different watermarked copies of the same content generate an attacked copy by applying either a linear or a nonlinear combination of their copies. A widely popular collusion attack is the average collusion attack, where the attacked copy is simply generated by averaging the different watermarked copies. Such an attack has been recognized as the most efficient from the attacker point of view under the same distortion assumption [18]. According to the proposed model, two hypotheses will be considered: , the content is not watermarked; , the content has been generated by colluders. Under these hypotheses, the received vector of projections can be modeled as (44) (45) where (46) and denotes the set of colluders. The noise term is usually introduced to take into account a possible additional distortion, such as a recompression. The performance of the detector under the average collusion attack can be measured using the analysis on the error probabilities defined in the preceding section. The probability of false alarm is the same as in (20), since in the hypothesis the vector is modeled in the same way.
The probability of missed detection and the probability of wrong accusation can be recast as (47) (48) The probability of missed detection can be evaluated by using an approach similar to the AWGN attack as (49) where . The probability of wrong accusation is given as (50) In the above equation, the pairwise error probability should be intended as the probability that the detection statistic of one of the colluders ( ) is lower than the detection statistic of one of the honest clients ( ). Such a probability can be evaluated as (51) where . The distributions of and can be obtained by considering the quantization error vector under the hypothesis , that is (52) where each element of has probability distribution (53) Similar to the AWGN case, the detector statistics can be modeled as Gaussian variables by invoking the CLT. Since (54) the probability of missed detection will be upper bounded as (55) where we define the mean (56) and the variance (57) whereas the probability of wrong accusation will be upper bounded as (58) where the mean is (59) the variance is (60)

The expression of , , and in the above equations can be derived as in (34)–(36), by substituting with . It is worth noting that the upper bound in (55) refers to the probability of missing a specific client among the colluders. Since the probability of missing all the colluding clients will be in general much lower than the probability of missing a specific colluder, we can expect the above upper bound to be quite loose. If we assume 1) that the detection statistics of the different colluding clients are weakly correlated and 2) that the upper bound on the probability of missing a specific client is tight, we can approximate the probability of missing detection as (61) Note that the above value is no more an upper bound, however, if assumptions 1) and 2) are verified, the estimated can be quite accurate.

Remarks

All the above bounds and estimates are computed considering a fixed set of syndrome codewords. Since in our design syndrome codewords are random, this means that the performance of the system will depend on the particular codeword realization, so that different clients, having different random codewords, will experience different levels of security/robustness. In general, it is possible to define an average performance measure by taking the expectation over the distribution of , i.e., (62) and, in a similar way, we can define . If the random codewords are sufficiently long, the asymptotic equipartition property says that the probability of choosing a bad codeword is negligible, i.e., it is very unlikely to have a client achieving a level of security/robustness very different from either or . The
actual fairness of the proposed system, that is the expected deviation from either or , will be experimentally evaluated in the following section.

VI. PERFORMANCE EVALUATION: EXPERIMENTAL TESTS

In this section, a practical implementation of the proposed scheme is described, highlighting all the involved parameters. This tool has been used first of all to validate the theoretical analysis carried out in Section V, in presence of the considered attacks (AWGN and collusion attack, respectively); next, the system has been compared with a similar implementation of the previous LUT-based secure SS watermark embedding [4], [7] in the presence of AWGN, representing the class of content-independent attacks, and in the presence of a JPEG compression, representing an example of host-dependent attack. Note that other common attacks, like the geometrical modifications, are not considered, since it is well known that SS as well as ST-DM are not robust to them. However, we devise that in a client-side watermark embedding approach, it is possible to cope with this class of attacks by means of the application of a synchronization pattern [1] embedded by the server, since the pattern is a client-independent information to be embedded in all the distributed copies, not requiring any processing from the client side.

A. Practical Implementation

As a practical implementation of the proposed scheme, it has been considered to embed a watermark into a gray level image by modifying a subset of 8 × 8 block DCT coefficients. For each block, the DCT coefficients are reordered in the classical zig-zag scan, and the ones from the second until the th are selected for embedding, so that out of 64 coefficients for each block will be modified. Whereas in theory the host vector ( ) and the spreading vector ( ) have the same size (i.e., ), in a practical implementation we must adapt the variable size of the host features to the fixed size of the spreading vector. To this aim, we divide the overall vector of available host features into chunks of length : each chunk is composed by the selected DCT coefficients belonging to blocks, so that the chunk length is just . By indicating as the number of total 8 × 8 blocks inside an image, the total number of chunks is achieved as . For each chunk the same projection matrix is adopted, but different sets of dithering values and LUT indexes are generated. According to this, the th client is identified by a syndrome codeword obtained as the concatenation of independent vectors of length (one for each chunk), that is in the detection process the vector having size will be considered.

Another problem to cope with in a practical implementation is that the final values of the encrypted pixels are usually clipped by means of a modular operation (e.g., to 8-bit values) to be properly represented. The application of such a modular operator would be totally transparent if . When the watermark is embedded, there could be some pixel values wrapping around in the modular representation. To avoid such a problem, we have two possible solutions: a preprocessing of the to be watermarked content aiming at reducing the dynamic
range of the pixel values; and a postprocessing aiming at removing isolated pixel values having strong difference of luminance with respect to the neighboring pixels.

The performance analysis is carried out by clearly defining the operating conditions in terms of document-to-watermark ratio (DWR) and watermark-to-noise ratio (WNR). The DWR expresses the ratio between the power of the host features and that of the watermark (63) where is the standard deviation of the watermark components. While can be estimated on the original host features, can be computed as follows: (64) where and are the percentages of DCT coefficients suffering the quantization error introduced by the embedding process, due to shift addition (involving all the directions) and quantization process (involving only directions), respectively. In order to force a given DWR value for a specific watermarked image, we introduce a parameter controlling the watermark strength and we put it as a factor multiplying the watermark LUT; specifically, in the practical implementation we will consider and instead of and in (12) and (13), and consequently also the watermark LUT will result multiplied by . This parameter is distributed together with the content-dependent key and can be retrieved from a suspected content using secure hashing techniques, for example, a secure hash of the content can index a table containing pairs ( , ). The relationship between and the DWR can be computed by taking into account that the standard deviation of the shifts and the quantization step size are linked by means of a constant . In order to assure that the shift value remains inside the interval , and given that follows a Gaussian distribution, this condition is valid with sufficiently high probability by fixing . Furthermore, since a shift value is obtained by the addition of entries of the LUT , we have that . Hence, by considering that , (64) can be rewritten as
(65) Thus, we achieve the watermark strength as a function of the linear DWR value (DWR ) as (66) and, therefore, by imposing a given watermark distortion (i.e., a given DWR), a proper value for is achieved. It is now possible to discuss the effect of the penalty term present in (14) represented by the noise introduced in the directions on the overall performance. In practice, this term increases the standard deviation of the watermark components
TABLE II COMPARISON BETWEEN THE ACTUAL FALSE ALARM PROBABILITY COMPUTED THROUGH SIMULATIONS AND THE TARGET VALUE
in (64) by a quantity equal to . However, it has no effect on the detection performance, since it does not affect the directions carrying the ST-DM watermark. Fixing the value of , without the penalty term we would observe the same performance curves; however, the resulting DWR, and hence the overall image quality, would be higher. Fixing the value of DWR, without the penalty term we could increase , and hence we would observe the performance curves corresponding to a lower DWR value. Finally, the WNR expresses the ratio between the power of the watermark and that of the noise (67) where is the standard deviation of the considered AWGN.
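The wrap-around problem and the dynamic-range preprocessing described in Section VI-A can be seen in a simplified pixel-domain model. This is an added example, not code from the paper: the additive pad, the client key (watermark minus pad), the function names and the sample values are assumptions made for illustration.

```python
import random

MOD = 256  # pixels are stored as 8-bit values, so all arithmetic is modulo 256


def encrypt(pixels, pad):
    """Server side: hide every pixel under a secret pad value (mod 256)."""
    return [(x + e) % MOD for x, e in zip(pixels, pad)]


def client_key(pad, watermark):
    """Server side: personalised key = watermark - pad (mod 256).

    The client only ever sees this sum, never the pad or the watermark alone.
    """
    return [(w - e) % MOD for e, w in zip(pad, watermark)]


def decrypt(cipher, key):
    """Client side: one modular addition removes the pad and leaves the watermark."""
    return [(c + d) % MOD for c, d in zip(cipher, key)]


def wrapped_positions(reference, marked, max_w):
    """Indexes where the change exceeds the largest watermark amplitude.

    A legitimate watermark moves a pixel by at most max_w; a larger jump means
    the value wrapped around the 0/255 boundary.
    """
    return [i for i, (x, y) in enumerate(zip(reference, marked))
            if abs(y - x) > max_w]


def compress_range(pixels, margin):
    """Preprocessing: map [0, 255] linearly onto [margin, 255 - margin]."""
    span = (MOD - 1) - 2 * margin
    half = (MOD - 1) // 2  # rounding term for the integer division
    return [margin + (x * span + half) // (MOD - 1) for x in pixels]


def run_demo(seed=1):
    rng = random.Random(seed)
    # Constructed sample data: a few pixels, some at the ends of the range,
    # and a small signed watermark (assumed values, not from the paper).
    pixels = [0, 1, 128, 200, 254, 255]
    watermark = [-3, 2, 4, -1, 3, -4]
    max_w = max(abs(w) for w in watermark)
    pad = [rng.randrange(MOD) for _ in pixels]

    # 1) Without a watermark the modular pad is fully transparent.
    plain = decrypt(encrypt(pixels, pad), client_key(pad, [0] * len(pixels)))

    # 2) With a watermark, pixels near 0 or 255 wrap around.
    marked_raw = decrypt(encrypt(pixels, pad), client_key(pad, watermark))
    wrapped_raw = wrapped_positions(pixels, marked_raw, max_w)

    # 3) Reducing the dynamic range by max_w on each side removes the wraps.
    pre = compress_range(pixels, max_w)
    marked_pre = decrypt(encrypt(pre, pad), client_key(pad, watermark))
    wrapped_pre = wrapped_positions(pre, marked_pre, max_w)

    return {
        "plain": plain,
        "marked_raw": marked_raw,
        "wrapped_raw": wrapped_raw,
        "preprocessed": pre,
        "marked_pre": marked_pre,
        "wrapped_pre": wrapped_pre,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:13s} {value}")
```

The result does not depend on the pad, which is why the same wrapped positions appear for any seed: the wrap is caused by the watermark pushing a pixel past the 8-bit boundary, not by the encryption.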
B. Theoretical Analysis Validation

In the tests for evaluating the robustness of the overall system against the addition of white Gaussian noise and the average collusion attack, we considered a set of fixed values for the following system parameters: , , , , , , , , , DWR . The other parameters , and are then derived from the fixed ones, while and are estimated from the considered image. A set of 512 × 512 8-bit gray level images has been considered in all the experimental tests. The probability of false alarm has been set to and the corresponding values for the threshold are calculated by numerically inverting (27). In all the tests, a number of clients has been considered. In order to evaluate the soundness of the proposed model, we first compared the actual false alarm probability computed through simulations and the target value. The results we obtained are given in Table II: as it can be seen, the difference between target and actual values is acceptable. We carried out two comparisons, both computed for different values of WNR: one between simulation results and theoretical missed detection probability , and one between simulation results and theoretical wrong accusation probability . Concerning the average collusion attack, we considered both different values of WNR and different numbers of colluders, ranging from 2 to 6. The results for the AWGN attack are shown in Fig. 2, while the results for the collusion attack are depicted in Fig. 3. The results demonstrate the validity of the proposed model, since the experimental results are in good agreement with the theoretical curves. Simulation results were obtained by averaging over a large number of detector outputs, using 20 different test images. We generated independent keys, i.e., sets of sequences of LUT indexes , projections and dithering values . For each
Fig. 2. Comparison between (a) simulation results and average theoretical missed detection probability (P ), (b) simulation results and average wrong accusation probability (P ), computed for different values of WNR. Dotted lines indicate best-case and worst-case theoretical performance for different clients. The error bars indicate the variability (95% confidence interval) of the simulated data for different clients. The crosses on the error bars indicate the variability of the simulated data for different images.
key, and for each image, the embedding process is applied considering all the users, thus resulting in independent tests. In order to verify the variability of the performance for different clients and for different cover images, we also computed error bars considering 1) fixed cover images, fixed keys, varying clients (simulation results are averaged over cover images and keys only) and 2) fixed keys, fixed clients, varying cover contents (simulation results are averaged over keys and clients only). As to the theoretical performance measures, average missed detection and wrong accusation probabilities are computed numerically by means of Monte Carlo integration. The fairness of the system is evaluated through a best-case and a worst-case performance measure, defined as the end points of the 95% confidence interval relative to the considered probability. Note that, according to our model, the cover image does not influence the performance, hence best-case and worst-case probabilities only refer to the effect of using random syndrome codewords. For the collusion attack, it is worth noting that the approximated given in (61) is more accurate than the upper bound in (55). The results also show that the impact of different codewords on the performance is quite limited; in fact there is a maximum gap of about 0.5 dB between the obtained curves, while the impact of different cover images is almost negligible. For very low error probabilities, especially when evaluating , the variability of the simulated results is higher than that obtained from the theoretical analysis; we explain this fact by noting that
at very low error probabilities our error bars are actually measuring the variance of the Monte Carlo averages, which is no more negligible with respect to the variance due to either different codewords or different cover images. As to the collusion attack, we can observe that the probability of missed detection is not strictly decreasing when . This can be explained by considering the behavior of the term in (56). When , the components of will be on the average close to zero, and the term will be negligible. On the other hand, when , the components of will be strongly anticorrelated with those of , and the term will be strictly negative. As a result, at high WNR values the mean value of the detection statistic decreases, so that in particular cases it may fall below the actual threshold and cause the probability of missing detection to increase again.

Fig. 3. Comparison between (left) simulation results and average theoretical missed detection probability (P ), (right) simulation results and average wrong accusation probability (P ), computed for different values of WNR and different numbers of colluders (C ). (a), (b): C = 2; (c), (d): C = 4; (e), (f): C = 6. For the theoretical missed detection probability, both the upper bound (UB) on a specific colluder given in (55) and the approximated P (A) for all colluders given in (61) are plotted. Dotted lines indicate best-case and worst-case theoretical performance for different clients. The error bars indicate the variability (95% confidence interval) of the simulated data for different clients. The crosses on the error bars indicate the variability of the simulated data for different images.
TABLE III IMAGE QUALITY METRICS
It is also interesting to note that the probability of wrong accusation is always below the nominal probability of false alarm
Fig. 4. Comparison between SS and ST-DM client-side embedding: missed detection probability (P ) is computed with different values of WNR.
Fig. 5. Comparison between SS and ST-DM client-side embedding: missed detection probability (P ) is computed for different JPEG qualities.
and decreasing with the WNR. This can be explained considering the asymptotic behavior of the system at WNR . In such a case, the detector statistics of a marked image will be virtually independent from the embedded watermark, so that the detector will perform as if it were in the presence of an unwatermarked image, that is as if the hypothesis were in force.

C. Comparison With SS Client-Side Embedding

In order to compare the performances of the proposed ST-DM client-side watermarking system with the corresponding SS version, we implemented the SS client-side watermarking scheme as described in [4] and [7]. We considered the same vector of host features, that is the same subset of 8 × 8 block DCT coefficients, and the same parameters for the generated LUTs ( and ) as described in Section VI-A, for encrypting and embedding the SS watermark, according to (8) and (9).
First, we computed the perceptual degradation introduced by the two watermarking systems, to verify if a comparison between them with equivalent DWR is fair also from the point of view of perceptual quality. In Table III, two image quality metrics, namely the weighted peak signal-to-noise ratio (WPSNR) and the visual information fidelity (VIF), are considered in order to measure the perceived distance between original and watermarked image, using the two considered client-side watermarking systems (SS and ST-DM) for two fixed DWR (30 and 36 dB). The WPSNR is achieved as the PSNR weighted using the contrast sensitivity function (CSF) computed as in [20] to weight spatial frequency of error image. The VIF proposed in [21] is defined as the ratio between the distorted image information and the reference image information. For the two considered DWR values, the corresponding perceptual metrics demonstrate a good final visual quality of the protected contents for both SS and ST-DM: for a given image and a fixed DWR, the metrics assume almost indistinguishable values for both systems. This allows us to compare the different systems for fixed DWR values, thus ensuring the same perceptual quality of the watermarked images.

The robustness of SS and ST-DM client-side systems to the AWGN attack is compared in Fig. 4. The results are in agreement with the usual behavior of the corresponding nonclient-side systems, that is, ST-DM shows a better performance with respect to SS for higher WNR values [22], [23]. A similar behavior can be observed in the case of JPEG compression, as shown in Fig. 5. In both cases, ST-DM shows a vanishing probability of missed detection at high WNR/JPEG quality and performs better than SS when the degradation on the watermarked content is kept within an acceptable range. Two examples of a watermarked image degraded with AWGN at WNR and JPEG compressed with a quality of 30 are shown in Fig. 6 and demonstrate that in order to make the ST-DM scheme ineffective (see Figs. 4 and 5), the images have to be degraded to a poor quality.

Lastly, in Fig. 7, we show the probability of correct detection for both systems considering the average collusion attack with different numbers of colluders at WNR dB. For a moderate number of colluders, ST-DM achieves a better performance than SS, however, its probability of correct detection tends to vanish for a higher number of colluders. The relatively low number of colluders that can be faced by both systems has to be ascribed to the reduced watermark length in our tests [18]. It is interesting to note that for the attacks which do not depend on the specific content, i.e., the AWGN attack and the average collusion attack, the performance of client-side ST-DM is independent from the actual watermarked content. This is in agreement with our theoretical analysis and confirms the fact that host interference rejection can be successfully achieved also by the client-side ST-DM approach.
VII. CONCLUDING REMARKS

In this paper, a new scheme following the secure client-side watermark embedding approach for data copyright protection in a large-scale content distribution environment has been proposed. Starting from the idea of LUT-based secure embedding, previously applied to the SS watermarking algorithms only, we
modified the ST-DM, belonging to the informed watermark embedding algorithms, in order to design it specifically for the LUT-based secure embedding. A theoretical analysis of the detector performance under the most known attack models, namely the AWGN attack and the average collusion attack, has been carried out. The probabilities of missed detection and wrong accusation have been evaluated in the two cases. Also, the analytical expression of the false alarm probability has been derived, from which the correct value of the threshold for the detector can be achieved. The agreement between theoretical and experimental results has been verified through several simulations, considering different values of WNR, different cover contents, different watermarking keys, and different customers, confirming the validity of our analysis. The proposed client-side ST-DM embedding has been compared with a previously proposed client-side SS watermarking system, showing that the advantages of the informed embedding technique, which are well known in traditional watermarking systems, are preserved in the client-side scenario. This is not an obvious result, since the client-side framework imposes some constraints that do not allow us to embed a pure ST-DM watermark.

Fig. 6. Example of client-side ST-DM watermarked images: (a) Lena at DWR = 36 dB; (b) same image under AWGN attack, WNR = −18 dB; (c) same image under JPEG compression, quality = 30.

Fig. 7. Comparison between SS and ST-DM client-side embedding: detection probability (P ) is computed for different number of colluders at WNR = 0 dB.
The proposed approach permits us to successfully combine the secure embedding of fingerprints at the client side with the superior robustness of informed embedding techniques, providing a new powerful tool for the secure distribution of high-quality multimedia contents. Open issues in the proposed framework to be addressed in the future research concern the need of higher security and the compression overhead. From the point of view of security, in the current system, the server is considered trustworthy, since it has access to all the information needed to generate the protected copy of the content. A possible solution to remove this constraint consists of resorting to a TTP who generates the watermarking LUTs and takes care of the detection process. Alternatively, this TTP can participate in a suitable buyer–seller protocol, that is an interactive protocol between server, client, and TTP to generate the watermarked content, as that depicted in [24]. We point out that, different from traditional server-side watermarking, the literature about buyer–seller protocols for client-side embedding is still very limited: for instance, the design of a TTP-free solution in this framework is still unsolved. From the point of view of the compression overhead, in the current system, the server distributes encrypted images that cannot be optimally compressed; to cope with it, two possible solutions are devised: in the first one, suitable for the distribution of very large contents like videos, the server selectively encrypts only some parts of the content, which are not compressed; in the second one, the server employs some form of distributed source coding, that, at least in theory, should guarantee a coding rate close to the entropy of the watermarked content. 
However, it has to be considered that already in the current system the overhead due to encryption is balanced by the possibility of broadcasting the encrypted content: if the number of clients is much greater than the best achievable compression rate, transmitting separate optimally compressed copies of the content to each client will consume more bandwidth than broadcasting a single but less compressed copy.

REFERENCES

[1] I. J. Cox, M. L. Miller, and J. A. Bloom, Digital Watermarking. San Mateo, CA: Morgan Kaufmann, 2001.
[2] M. Barni and F. Bartolini, Watermarking Systems Engineering: Enabling Digital Assets Security and Other Applications. New York: Marcel Dekker, 2004.
[3] F. Frattolillo, “Watermarking protocol for web context,” IEEE Trans. Inf. Forensics Security, vol. 2, no. 3, pp. 350–363, Sep. 2007.
[4] M. Celik, A. Lemma, S. Katzenbeisser, and M. van der Veen, “Look-up table based secure client-side embedding for spread-spectrum watermarks,” IEEE Trans. Inf. Forensics Security, vol. 3, no. 3, pp. 475–487, Sep. 2008.
[5] R. J. Anderson and C. Manifavas, “Chameleon—A new kind of stream cipher,” in Proc. 4th Int. Workshop on Fast Software Encryption (FSE ’97), London, U.K., 1997, pp. 107–113.
[6] A. Adelsbach, U. Huber, and A.-R. Sadeghi, “Fingercasting—Joint fingerprinting and decryption of broadcast messages,” in Proc. 11th Australasian Conf. Information Security and Privacy, 2006, vol. 4058, Lecture Notes in Computer Science, pp. 136–147.
[7] M. Celik, A. Lemma, S. Katzenbeisser, and M. van der Veen, “Secure embedding of spread-spectrum watermarks using look-up tables,” in Proc. Int. Conf. Acoustics, Speech and Signal Processing (ICASSP’07), Honolulu, HI, Apr. 2007, vol. 2, pp. II-153–II-156.
[8] I. J. Cox, M. L. Miller, and A. L. McKellips, “Watermarking as communications with side information,” Proc. IEEE, vol. 87, no. 7, pp. 1127–1141, Jul. 1999.
[9] B. Chen and G. Wornell, “Quantization index modulation: A class of provably good methods for digital watermarking and information embedding,” IEEE Trans. Inf. Theory, vol. 47, no. 4, pp. 1423–1443, May 2001.
[10] J. J. Eggers and B. Girod, Informed Watermarking. Norwell, MA: Kluwer, 2002.
[11] A. Swaminathan, S. He, and M. Wu, “Exploring QIM-based anticollusion fingerprinting for multimedia,” in Security, Steganography, and Watermarking of Multimedia Contents VIII, E. J. Delp, III and P. W. Wong, Eds. San Jose, CA: SPIE, 2006, vol. 6072, p. 60721T.
[12] L. Perez-Freire, P. Comesana-Alfaro, and F. Perez-Gonzalez, “Detection in quantization-based watermarking: performance and security issues,” in Security, Steganography, and Watermarking of Multimedia Contents VII, Proc. SPIE, P. W. Wong and E. J. Delp, Eds. San Jose, CA: SPIE, Jan. 2005, vol. 5681, pp. 721–733.
[13] J. Chou, S. S. Pradhan, L. El Ghaoui, and K. Ramchandran, “Watermarking based on duality with distributed source coding and robust optimization principles,” in Proc. 7th IEEE Int. Conf. Image Processing (ICIP’00), Vancouver, Canada, Sep. 2000, vol. 1, pp. 585–588.
[14] S. S. Pradhan and K. Ramchandran, “Distributed source coding using syndromes (DISCUS): Design and construction,” IEEE Trans. Inf. Theory, vol. 49, no. 3, pp. 626–643, Mar. 2003.
[15] I. J. Cox and M. L. Miller, “Facilitating watermark insertion by preprocessing media,” EURASIP J. Appl. Signal Process., vol. 2004, no. 14, pp. 2081–2092, 2004.
[16] R. Venkatesan, S. M. Koon, M. H. Jakubowski, and P. Moulin, “Robust image hashing,” in Proc. IEEE Int. Conf. Image Processing (ICIP’00), Vancouver, BC, Canada, Sep. 2000, vol. 3, pp. 664–666.
[17] A. Swaminathan, M. Yinian, and M. Wu, “Robust and secure image hashing,” IEEE Trans. Inf. Forensics Security, vol. 1, no. 2, pp. 215–230, Jun. 2006.
[18] Z. J. Wang, M. Wu, H. V. Zhao, W. Trappe, and K. J. R. Liu, “Anti-collusion forensics of multimedia fingerprinting using orthogonal modulation,” IEEE Trans. Image Process., vol. 14, no. 6, pp. 804–821, Jun. 2005.
[19] A. Papoulis, Probability, Random Variables, and Stochastic Processes. New York: McGraw-Hill, 1991.
[20] M. Miyahara, “Objective picture quality scale (PQS) for image coding,” IEEE Trans. Commun., vol. 46, no. 9, pp. 1215–1226, Sep. 1998.
[21] H. Sheikh and A. Bovik, “Image information and visual quality,” IEEE Trans. Image Process., vol. 15, no. 2, pp. 430–444, Feb. 2006.
[22] J. J. Eggers, R. Bauml, R. Tzschoppe, and B. Girod, “Scalar Costa scheme for information embedding,” IEEE Trans. Signal Process., vol. 51, no. 4, pp. 1003–1019, Apr. 2003.
[23] F. Perez-Gonzalez, F. Balado, and J. Martin, “Performance analysis of existing and new methods for data hiding with known-host information in additive channels,” IEEE Trans. Signal Process., vol. 51, no. 4, pp. 960–980, Apr. 2003.
[24] S. Katzenbeisser, A. Lemma, M. Celik, M. van der Veen, and M. Maas, “A buyer–seller watermarking protocol based on secure embedding,” IEEE Trans. Inf. Forensics Security, vol. 3, no. 4, pp. 783–786, Dec. 2008.
Alessandro Piva (M’04) received the electronic engineering degree (cum laude) and the Ph.D. degree in computer science and telecommunications engineering from the University of Florence, Italy, in 1995 and 1999, respectively. From 2002 to 2004 he was Research Scientist at the National Inter-University Consortium for Telecommunications. He is at present Assistant Professor at the University of Florence, Italy. His current research interests are the technologies for Multimedia content security, and image processing techniques for the Cultural Heritage field. He is coauthor of more than 100 papers published in international journals and conference proceedings. He holds three Italian patents and an International one regarding watermarking. He serves as Associate Editor of the IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, of the EURASIP Journal on Information Security, and of the LNCS Transactions on Data Hiding and Multimedia Security.
Tiziano Bianchi (S’03–M’05) was born in Prato, Italy, in 1976. He received the M.Sc. degree (Laurea) in electronic engineering in 2001 and the Ph.D. degree in information and telecommunication engineering in 2005, both from the University of Florence, Italy. Since March 2005, he has been with the Department of Electronics and Telecommunications, University of Florence, as a Research Assistant. His research interests have involved processing of SAR images, signal processing in communications, multicarrier modulation techniques, and ultra-wideband systems. Current research topics include multimedia security technologies and signal processing in the encrypted domain.
Alessia De Rosa received the electronic engineering degree and the Ph.D. degree in informatics and telecommunications from the University of Florence, Italy, in 1998 and 2002 respectively. Since 2002, she has worked at the University of Florence as a Research Assistant with the Department of Electronics and Telecommunications. Her main research interests are in the field of image processing and protection, including digital watermarking, human perception models for watermarking and quality assessment, image processing for Cultural Heritage applications, and image forensics. She holds an Italian patent regarding digital watermarking.