Scale-Invariant Image Watermarking via Optimization ... - CiteSeerX

Scale-Invariant Image Watermarking via Optimization Algorithms for Quantizing Randomized Statistics Tie Liu

Ramarathnam Venkatesan

Electrical and Computer Engineering Department, University of Illinois, Urbana-Champaign, Urbana, IL, USA, 61802

Cryptography and Anti-Piracy Group, Microsoft Research, Redmond, WA, USA, 98052

[email protected]

[email protected]

M. Kıvanc¸ Mıhc¸ak

Cryptography and Anti-Piracy Group, Microsoft Research, Redmond, WA, USA, 98052

[email protected]

ABSTRACT

1. INTRODUCTION

We introduce a novel approach for blind and semi-blind watermarking and apply it to images. We derive randomized robust semi-global features of images in a suitable transform domain (wavelets in case of images) and quantize them in order to embed the watermark. Quantization is carried out by embedding to the host a computed sequence via solving an optimization problem whose parameters are known to the information hider, but unknown to the attacker. The image features are rational statistics of pseudo-random regions; these statistics are by construction invariant against scaling attacks and approximately invariant against several contrast enhancement modifications (such as histogram equalization). This scheme can be seen as an improved version of our previous image watermarking algorithm [1].

This paper describes a watermark verification system which employs optimization algorithms for quantizing randomized statistics of image regions. Watermark verification refers to the problem where the detector makes the binary decision regarding to the existence of a (possibly embedded) mark signal. Applications include various kinds of automatic monitoring and access control of copyrighted content. Watermark verification is also a useful model for the fingerprinting problem where different users are represented by different cryptographic keys. The watermarked copy owned by user A should look as if it is an un-watermarked copy when the detector is operated by the key that correspond to another user (say user B). This work is built on the verification variant of the “hashthen-watermark” paradigm proposed in [1]. We consider both blind version and semi-blind version of this problem. In the blind scenario, neither the unmarked host data source nor its hash value is available at the detector. In the semiblind scenario, the hash values of the unmarked source can be accessed by the detector to boost its performance. Following the spirit that desired watermarking schemes are based on randomized image invariants, our work also improves the design of the image hashing algorithm. Specifically, we propose using random “rational” statistics instead of random linear statistics of [1] as the semi-global image characteristics. The watermarking schemes based on the this new type of random image statistics are inherently robust against magnitude-scaling type of attacks. Other improvements include a better design of the weight distribution to match natural image spectra and an iterative regularization algorithm to improve the perception of the watermarked images. The rest of this paper is organized as follows. Sec. 2 provides a general description of our watermark verification system based on the “hash-then-watermark” paradigm. The image hashing, watermark embedding and detection algorithms will be detailed in Sec. 3. An optimal estimation type of attack will be proposed and analyzed in Section 4; this approach is cryptanalytic in spirit. The proofs of the presented mathematical results are omitted in this submission; they will be included in the final version of the paper. Furthermore, we shall provide detailed experimental results in the final version of the paper.

Categories and Subject Descriptors E [Data]: Miscellaneous; G.3 [Probability and Statistics]: Probabilistic algorithms; H.4 [Information Systems Applications]: Miscellaneous; C.2.0 [Computer Communication networks]: Security and protection; H.2.0 [Database management]: Security, integrity and protection

General Terms Algorithms, Security, Theory

Keywords watermarking, mark embedding, security, verification, optimization, quantization, randomized statistics, cryptanalysis

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. MM-SEC’04, September 20-21, 2004, Magdeburg, Germany. Copyright 2004 ACM 1-58113-854-7/04/0009 ...$5.00.

M=0

S Hash Function

h(.)

Quantizer

H

Q(.)

Formally, watermark embedding refers to the mapping φ : (S N , M, K) → X N , where

Embedding Function

Hq

K

f(.)

X

x = φ(s, m, k). M=1

When m = 0, we have x = s, the un-watermarked data. When m = 1, the watermarked data are produced through the following three steps.

Attack

Hash Function

Y

h(.)

Detector

Ha

g(.)

^ M

Figure 1: System diagram of the watermark verification problem based on the “hash-then-watermark” paradigm.

2.

2.1 The Watermark Embedder

SYSTEM DESCRIPTION

Referring to Fig. 1, denote by S, K, and M the host-data source, the cryptographic key, and the message. Specifically, • S = [S1 , S2 , · · · , SN ]T ∈ S N is an n-sample host data possibly from audio, image, or video signal. In this paper, we concentrate on the image data. We will also sometimes refer S as the discrete wavelet transform (DWT) transform of the host image. In most cases the exact meaning can be understood from the context, otherwise will be specified explicitly. In most watermarking literatures, S is modelled as a Gaussian random vector with or without correlation. Instead of making any statistical assumptions on the host image, we will directly make some assumptions on the image hash values. We feel that statistical assumptions on the hash values are more justifiable then those on the host image. • The cryptographic key K is chosen uniformly from the key space K. In practice, it is produced by a pseudorandom number generator. The cryptographic key is shared between the watermark embedder and the detector, but not with the attacker. It is the cryptographic key that gives the the detector an informational advantage over the attacker, which otherwise has the advantage of taking the action before the detector does. • For the watermark verification problem, the message M ∈ M = {0, 1}. In this paper, we take the convention that M = 0 refers to the situation where the image is un-watermarked, while M = 1 means the image is watermarked. We model the watermark detection as the the Neyman-Pearson test in this work. Therefore, it is not necessary to specify the prior for the message M here. The rest of the system consists of the watermark embedder, the attacker, and the watermark detector.

1. First, the host data s, together with the cryptographic key k, is passed to an image hashing algorithm (shown as the hash function h in Fig. 1) to produce an lsample hash vector h = [h1 , h2 , · · · , hL ]T . In additional to the conventional security requirements on hashing, following [3], we require that the hash values obtained by applying the image hashing algorithm to perceptually similar images should remain the same. For perceptually distinct images, the image hash algorithm should produce different values. 2. Second, the hash vector h is quantized by using a keyed quantizer. The purpose of using a keyed quantizer is to increase the security level of the embedding algorithm. In this work, we use subtractive dithered scalar quantizer to produce the quantized hash vector hq = [hq,1 , hq,2 , · · · , hq,L ]T where hq,i = Qd,i (hi ) , Qi (hi + di ) − di , Qi is a subtractive dithered integer-lattice quantizer scaled by ∆, and d = [d1 , d2 , · · · , dL ]T is the dither vector which is a function of the cryptographic key k. Ideally, the induced distribution (induced by the secret key) of d should be independently identically , ∆ . It is also distributed (i.i.d.) uniform over − ∆ 2 2 possible, even preferable, to use hight-dimensional lattice quantizer instead of the scalar quantizer. From a communication perspective, using high-dimensional lattice quantizer brings shaping gain and coding gain to the system. [4]. From a security point of view, it is essential that the quantization occurs in large enough dimensions to exploit the combinatorial hardness of some underlying problems. However, we have to pay the price of high computational complexity for working in the true high-dimension space. 3. Finally, we use an embedding algorithm f is used to map the change of the hash values to the image domain. We formally define the embedding function as the mapping f : (HL , S N , K) → X n where x = f (hq , s, k). The embedding algorithm must be designed such that the hash values of the watermarked data must be equal to the quantized hash values of the host data, e.g., h(x, k) = hq . It is also highly desirable for the embedding algorithm to produce the watermarked image which is perceptually similar to the host image. In this work, we use optimization algorithms to achieve both these two goals. The watermarked data are then made public.

H

Z

M=0

+

Hq

Ha

M=1

Figure 2: The induced channel model in the hash vector space.

2.2 The Attacker The attacker takes x (the host data or the watermarked data) as its input and tries to produce a degraded version y to fool the watermark detector. In communication theory, such an input-output relationship is usually described as a communication channel and modelled as a (or a class of) conditional distribution(s). However, a fundamental difference between a watermarking system and a communication system is that in the watermarking system there exists an intelligent attacker. The attacker might try whatever that might work to disrupt the communication of the watermark, as long as the degraded image is perceptually similar to the input image. Since an effective perceptual distortion metric for natural images is still lacking, we have fundamental difficulty in modelling the admissible attacks. The attacker might try all kinds of signal-processing attacks and geometric attacks, or use some additional randomness to assist his attacks. He might also use the structures of the watermark embedding and detection algorithms to increase the effectiveness of his attack. Such kind of attack is cryptanalysis in nature. In summary, we feel that the traditional concept of “channel” is no longer a suitable concept to model the behavior of the attacker, at least in the image domain. It will be more appropriate to presume the attacker as an resource-bounded adversary.

2.3 The Watermark Detector Upon the reception the watermark detector first computes the hash values of the attacked data by using the same image hashing algorithm and the same cryptographic key k shared with the watermark embedder. Based on the computation results of the hash function, the detector makes the binary decision regarding to whether the hash values come from the data which have been watermarked or not. Therefore, the watermark detection can be deemed as a decision process in the hash vector space instead of the image space. The greatest benefit of this viewpoint is that we believe in the hash space there exits a better model for the admissible attacks. Such benefit comes from the delicate design of the image hashing algorithm, which takes account of human perceptual mechanism and uses explicit randomization. Fig. 2 shows the hypothesized “channel” model in the hash vector space. Here assume that we have an ideal image hashing algorithm such that the admissible attacks can modelled as an independent additive noise channel with a power constraint, e.g., 1 kZk2 ≤ Da , (1) L where k · k denotes the l2 norm and Da is the maximum acceptable distortion level for the attacker. The detection

algorithm is then designed based on this channel model and statistical assumptions on hash values of the host image. Formally, the detection algorithm solves the following binary hypothesis testing problem:  M = 0 : Ha = H + Z M = 1 : Ha = Hq + Z. The optimal decision rule depends on the distributions of M , H, Hq , and Z, the data available at the detector, and the optimality criteria. We consider both blind detection and semi-blind detection of the watermark. In the blind scenario, only the attacked data Y, and hence Ha is available at the detector. In the semiblind scenario, in addition to Ha , H can also be accessed by the detector to assist his decision. From the detection point of view, the side information H could never hurt, because such information can be always disregarded. However, if the side information H is also accessible by the attacker, the attacker might potentially use this information to implement more effective attacks. In this paper, when we talk about semi-blind detection, we restrict ourselves in the case where H is either not accessible, or not “usable” by the attacker. Such an assumption obviously holds for the fingerprinting problem. We consider the Neyman-Pearson test where the performance measure is the probability of miss and the probability of false alarm, which are respectively defined as h i ˆ = 0|M = 1 PM = P r M h i ˆ = 1|M = 0 . PF A = P r M

3. ALGORITHM DESIGN

This section details the design of the watermarking algorithms used in our verification system, including the image hashing algorithm, the watermark embedding algorithm, and the watermark detection algorithm.

3.1 The Image Hashing Algorithm The image hashing algorithm takes an image s and the cryptographic key k as its input and produces a hash vector h of the input image. For watermarking purposes, our design objective is to guarantee the validity of the induced channel model described in Fig. 2 at the presence of an intelligent adversary. The image hashing algorithm presented here is based on the prototype proposed in [3] for hashing purposes and outlined in [1] for watermarking purposes and consists of the following four steps. Step 1: Perform 3-level DWT on the input image and denote the DC subband coefficient vector as s 1 . Step 2: Use the cryptographic key k to tilt the 3-level DC subband of the input image into rectangles Ri where i = 1, 2, · · · , L. The position for each rectangle is uniformly chosen over the whole DC subband. Furthermore, the rectangle size is uniformly distributed in [α, β], where α and β are algorithmic parameters. Note that as the number of rectangles increase, there is an increasing probability for these rectangles to overlap. Step 3: For each chosen rectangle Ri , use the cryptographic key ki (derived from k, {ki } are different for each rectangle

1 We use the same notation for the image vector and its 3level DWT DC coefficient vector. This abuse of notation is on purpose and to simply our notation. The exact meaning will be specified if it cannot be understood from the context.

(a)

(b)

(c)

(d)

Figure 3: Correlated weights generated by low-pass filtering the i.i.d Gaussian weights. Fig. (a)-(d) are corresponding to the ideal low-pass filter output with normalized cutoff frequencies 1.0, 0.75, 0.5, and 0.25. The weights become more smooth as the cutoff frequency decreases. with high probability) to generate a set of weights {aij } for each coefficient sj ∈ Ri (aij = 0 otherwise.). The way to generate the weights will be detailed later in this section. Weights are generated independently for different rectangles, overlapping or not. Step 4: For each chosen rectangle Ri , we compute the random “rational” statistic as the hash value P j∈Ri aij sj hi = P , (2) j∈Ri bij sj

where bij = |R1i | if sj ∈ Ri and bij = 0 otherwise, and | · | denotes the cardinality of a finite set. Remark. Step 4 contains the major improvement of our work over the previous image hashing algorithm in [3] and image watermarking algorithm in [1]; in [3, 1], the hash values are obtained by computing the random “linear” statistics of random image regions X hi = aij sj . (3) j∈Ri

Compared with (3), the random “rational” statistics have the obvious advantage of being invariant under the magnitudescaling of the image. Magnitude-scaling invariance is especially crucial to the success of any quantization-based watermarking schemes. As a matter of fact, since the rectangles are generated in a distributed fashion, the random “bilinear” statistics will stay approximately invariant under any local magnitude-scaling of the image, as long as the underlying scaling field is smooth enough; note that this is typically the case for most contrast enhancement type of attacks, e.g., histogram equalization. In this sense, the random “rational” statistics are better semi-global image characteristics for watermarking purposes under scaling-type attacks. The random weights play another important role in our

image hashing algorithm. One approach is that, for each given rectangle,  the weights  {aij } can be generated as in2 dependent N |R1i | , |Rσ |2 random variables, where α is an i algorithmic parameter. From the security point of view, the independent weights have the maximum entropy given the mean and variance. However, from a robustness point of view, independent weights brings fragility against desynchronization attacks, which, in the context of our image hashing algorithm, aim at mismatching the weights and the DWT coefficients at the watermark detector. In the image processing literature, the DC subband of natural images has usually been modelled as a smoothly varying field using Gauss-Markov or hidden Markov type models. Therefore, correlated weights provide better resilience property against unnoticeable de-synchronization attacks, because they provide a better match with natural image spectra. Our experiments show that the improvement (over the choice of independent weights) is quite substantial for the semi-blind watermark detection. In practice, the correlated weights are   2 generated by passing the independent N 0, |Rσ |2 weights i through an ideal two-dimensional low-pass filter, see Fig. 3. The cutoff frequency of the low-pass filter is an important algorithm parameter which controls the security and robustness tradeoff of our watermarking scheme. It also turns out that the choice of the cutoff frequency has great impact on the distortion level of the watermarked image, both in the mean-square-error (MSE) sense and in the perceptual sense. These issues will be further discussed in Sections 3.2.3 and 3.2.4. After low-pass filtering, the weights {aij } forq each rectangle will be normalized to have the same l2 norm

1 . |Ri |

3.2 The Watermark Embedding Algorithm

The purpose of the watermark embedding algorithm is to map the change in the hash vector space to the image data space. Because of the dimensionality reduction from the image data space to the hash vector space, such a mapping is by no means unique. The appropriate watermark embedding algorithm should be designed to minimize the perceptual distortion between the watermarked data and the host data. In this section, we provide two different algorithms to design the watermark sequence. The performance usually depends on specific images being watermarked.

3.2.1 The Additive Watermark Denote by n = x − s the additive watermark. The watermarked data are derived by solving the following optimization problem:  min : knk (4) s.t. : h(x, k) = hq . Remark. Our criterion is to minimize the l2 distance between the watermarked data and the host data. It is, of course, questionable if l2 distance is a good measure of perceptual quality relative to perceptual distortion issue. However, the l2 distance does provide us an objective measure of the distortion level introduced to the host data. Furthermore, if the solution to (4) is visually annoying, it is possible to use some heuristics. Such heuristics can be viewed as analogous to having regularization terms in inverse problems. In that case, our formulation is still useful, provided

380

that the heuristics can be expressed as extra linear constraints in (4). A general regularization algorithm will be provided in Section 3.2.4. The following lemma provides a closed-form solution to (4).

x = s − TT (TTT )−1 Ts,

(5)

where T , A − CB A , {aij } B

C

, {bij }

, diag(hq,1 , hq,2 , · · · , hq,L ),

provided that T has full row rank. Remark. Our assumption on the full row rank of T, while it is valid for most practical situations, imposes constraints on the choice of random regions and the random weights. In some extreme cases, where the average region size and the number of such regions is large, it may happen that even though T still has full row rank, the condition number of TTT is large, then there is a potential possibility of information leakage to the attacker, due to the unbalance nature of computing the statistics. Hence, parameters must be chosen to prevent these cases.

3.2.2 The Multiplicative Watermark Denote by n the multiplicative watermark where xj = n j sj ,

j ∈ {1, 2, · · · , N }.

The watermarked data are derived by solving the optimization problem  min : kn − 1k (6) s.t. : h(x, k) = hq , where 1 , [1, 1, · · · , 1]T . Lemma 2. The solution to the optimization problem (6) is given by xj = nj sj where  −1 n = 1 − GTT TG2 TT Ts, (7)

T is defined as in (6) and G

,

diag(s1 , s2 , · · · , sN ),

provided that TG has full row rank. Remark. The difference between the multiplicative and the additive embedding algorithms is in the visual quality while they are comparable in robustness aspects, as shown by our experiments. The distribution of the resulting distortion is quite different since they use different metrics. The superior method often depends on the input data. We can also use techniques similar to the ones mentioned for the additive embedding of the last section to achieve better perceptual effects.

3.2.3 The MSE Distortion Analysis As previously discussed, the l2 norm provides an objective measure of the distortion level introduced to the original

360

340

MSE Per Sample

Lemma 1. The solution to the optimization problem (4) is given by

Theory Simulation

320

300

280

260

240

220 0.2

0.3

0.4

0.5 0.6 0.7 Normalized Cutoff Frequency

0.8

0.9

Figure 4: The MSE per sample as a function of the normalized cutoff frequency. The “”-curve is obtained by simulations using (8), the “o”- curve is obtained by simulations using the additive embedding algorithm. Both simulations are running over 500 keys for each normalized cutoff frequency. data. In this section, we analyze the MSE distortion of the additive embedding algorithm. Such an analysis provides guidelines to choose appropriate algorithmic parameters to achieve better overall performance, in terms of distortion, robustness, and security. The following lemma is the main result of this section. Lemma 3. For the additive embedding algorithm, the MSE distortion can be estimated as  2 (αβ∆)2 L α∆ Ekx − sk2 ≈ ≤ , (8) 12 12 λL where the expectation is taken over the key distribution, ∆ PN is the step size of the scalar quantizer, α = N1 j=1 sj is the average value of the host data, q  
β = tr E (AAT )−1 , (9)

and λL is the minimum singular value of E [A].

Remark. (8) separates the effects on the MSE from the host image, the choices of the hashing parameters, and the choice of the quantization parameter, described by α, β, and ∆ respectively. Fig. 4 provides a numerical example showing how accurate the estimation of (8) is. We are particularly interested in how the choice of the normalized cutoff frequency used to generate the correlated weights affect the MSE distortion through the term β and ρ. One thing is quite obvious. If A had a row-deficient rank, the MSE between the watermarked data and the host data would blow up. Otherwise, it is quite hard to handle theoretically. Here, we rely on numerical simulations. As shown in Fig. 4, the MSE changes quite smoothly when the normalized cutoff frequency is in the range [0.25, 1]. However, our simulation shows that when normalized cutoff frequency is below 0.25, there is a very high probability that the matrix AAT is

1

(a)

(c)

(b)

(d)

Figure 5: The effect of the normalized cutoff frequency on the the perceptual quality of the watermarked image. ( a) shows the watermarked “Lena” using the normalized cutoff frequency 1. (b) shows the corresponding computed watermark in the image domain. (c) shows the watermarked “Lena” using the normalized cutoff frequency 0.3. (d) shows the computed watermark in the image domain. Obviously, (c) has a much better perceptual effect over (a), though it has a higher MSE. ill-conditioned, hence blowing up the MSE as predicted by (8). It is certainly true that the MSE cannot completely characterize the perceptual quality of the watermarked image. Actually, although the normalized cutoff frequency 0.3 gives a higher MSE than the normalized cutoff frequency 1 (which implies independent weights), our experiments show that in the former case we have much better watermarked images in term of human perception, because the watermark introduced turns out to be more smooth, see Fig. 5 for an example. This motivates our study on the regularization algorithms which aims at smoothing the watermark in the next section.

3.2.4 The Regularization Algorithm In this section, we confine ourselves to the additive watermark design without loss of generality; the presented approach can generalized to multiplicative watermark embedding without any difficulties. The results given so far are optimal in the sense of minimizing the Euclidean distance between the watermarked data and the host data. The ideal solution from a practical point of view would be to design the embedded watermark so as to minimize perceptual artifacts. It is well-known that, even though Euclidean norm is a reasonable quantity to optimize, it is certainly not the best for the human visual system. For instance, it is quite possible that the minimum norm solutions may yield spike-like artifacts while minimizing the Euclidean norm. In this section, we propose to further improve the minimum norm solutions in a visual sense by imposing extra smoothness constraints in the optimization problem such that the resulting watermark sequence is perceptually more appealing. Our

approach is analogous to imposing smoothness constraints in regularization-based inverse problems, such as denoising and restoration. As it turns out, if these extra constraints can be written as linear constraints (linear in s), then a closed form solution can be found for the watermarked signal; such a constraint can be incorporated in the optimization problem. We are omitting this formulation in the submission; it will be included in the final version of the paper. On the other hand, it is certainly possible to impose possibly non-linear constraints that may improve the quality even better than linear smoothness constraints. Such non-linear constraints may even be based on some heuristics and still be useful in practice as long as they improve the perceptual quality of the watermarked image. Next, we present an iterative algorithm for additive watermark embedding, where a (possibly arbitrary) smoothness constraint is incorporated. 1. Set n0 = nmin where nmin is given in Lemma 1, nmin = −TT (TTT )−1 Ts. 2. For K steps, do: 2.1) Set n1 = SMOOTH(n0 ). 2.2) Set n2 = n1 − nmin . 2.3) Set n3 to the projection of n2 to the null space of T which
−1was defined in Lemma 1: n3 = n2 − TT TTT Tn2 . 2.4) Set n00 = n3 + nmin . 2.5) If kn00 − n0 k < ε stop, else set n0 = n00 and go to 2.1. 3. n0 is the watermark sequence. In the algorithm above, the operator SMOOTH can be an arbitrary smoothness operator. If the algorithm converges, both the smoothness condition and the condition h (x, k) = hq are satisfied. Note that a similar algorithm can be written for the multiplicative case as well. Furthermore, the aforementioned algorithm may be useful from a computational complexity point of view if it is computationally hard to invert TTT . Our experiments reveal that if we choose SMOOTH(·) to be ideal low pass filtering with cutoff frequency π2 , the proposed algorithm typically converges in about 15 iterations for the additive watermarking scheme.

3.3 The Watermark Detection Algorithm In this section, we design our watermark detection algorithm based on the induced channel model in Fig. 2. However, the power constraint of (1) does not impose strict distribution constraints on the the additive channel noise. From the detection-theoretic point of view, there are several ways to handle such kind of situation, composite hypothesis testing. Here, we take the simplest and the most customary approach. We assume that Z are i.i.d. N (0, Da ) random variables and design and analyze our detection algorithms based on this assumption. The actual performance of our detection algorithms will be tested via simulations. We will also need to make some assumptions on the distribution of the hash values of the host image. Note that such a distribution of the hash values is induced by the distribution of natural images instead of the cryptographic key, because the cryptographic key is supposed to be known at the detector. Here we assume that min Var{Hi }  ∆2 , i

where the variance is taken over the distribution of the host image. Note that, there is a subtle difference between this assumption and the one we have made in deriving Lemma 3, where the variance is taken over the distribution of the cryptographic key (the image is fixed.) This assumption actually impose an upper limit on the choice of the quantization step size ∆.

3.3.1 The Blind Watermark Detector We propose a “soft” detector and a “hard” detector for the blind detection of the watermark. The use of “soft” and “hard” is analogous to their use in the coding literature. The “soft” watermark detector we proposed uses takes the following form: 1 kEk2 L

Ha = H + Z.

L

(10)

L π2 L Γ 2 +1

is the volume of the L-dimensional ball ( ) with unit radius, and the strict inequality in (10) holds when L ,∆ cannot completely cover the L-dimensional the − ∆ 2 2 ball with unit radius. So, the probability of false alarm can be bounded as L

≤ ≈

(Lτ π) 2
Γ L2 + 1  L 1 2eπ 2 √ . πL ∆2

Under M = 1, we have Ha = Hq + Z. Following group properties of lattices, we have Ei

= =

L i



2−L .

Under M = 1, we have Vj are i.i.d. Bernoulli-p random variables with Pr[Vi = 1] = 1 − Pr[Vi = 0] = p, where   ∆ √ . p ≤ 2Q 4 Da

j=1

By the assumption (3.3),  we have Ej are i.i.d. uniformly , ∆ . Therefore, the probability of false distributed in − ∆ 2 2 alarm   PF A = Pr kEk2 < Lτ | M = 0

PF A

X

Therefore, the probability of miss can be bounded as " L # X PM = Pr Vi > Lτ | M = 0

Under M = 0, we have

where VL =

bLτ c  i=0

Ei = Ha,i − Qi (Ha,i ).

(Lτ ) 2 VL , ∆L

i=1

=

ˆ =0 M > τ, < ˆ M =1

where the quantization noise vector E = [E1 , E2 , · · · , EL ]T is defined as

≤

The “hard” watermark detector we proposed takes the form ˆ =0 M M 1 X > Vi τ, < L i=1 ˆ M =1
∆ where Vi , 1 |Ei | ≥ 4 , Under M = 0, we have Vj are i.i.d. Bernoulli random variables with Pr[Vj = 1] = Pr[Vj = 0] = 12 . Therefore, the probability of false alarm " L # X PF A = Pr Vi < Lτ | M = 0

(Hq,i + Zi ) − Qd,i (Hq,i + Zi ) Zi − Qd,i (Zi ).

Now, the probability of miss can be bounded as follows:   PM = Pr kEk2 > Lτ | M = 1   ≤ Pr kZk2 > Lτ | M = 1 (11)   2 Lτ ≤ exp − , (12) 2Da where (11) follows that kEk ≤ kZk with probability 1, and (12) follows the Chernoff bound for χ2 random variables.

=

L   X L i

i=dLτ e

≤

pi (1 − p)L−i

L   X L i

2Q

i=dLτ e



∆ √ 4 Da

i   L−i ∆ √ 1 − 2Q . 4 Da

3.3.2 The Semi-Blind Watermark Detector In the semi-blind scenario, the hash values of the host data can be accessed by the detector. In this situation, we can derive the likelihood ratio test as follows: ˆ =1 M L 1 X > Ui τ, < L i=1 ˆ M =0 where Ui , (Ha,i − hi )(hq,i −
hi ). Under M = 0, we have Ui are i.i.d. N 0, Da (hq,i − hi )2 random variables. Therefore, the probability of false alarm " L # X PF A = Pr Ui > Lτ | M = 0 = Q



i=1

Lτ √ Da khq − hk



.

Under M = 1, we have Ui are i.i.d. N (hq,i − hi )2 , Da (hq,i − hi )2 random variables. Therefore, the probability of false alarm " L # X Ui < Lτ | M = 0 PF A = Pr = Q



i=1

khq − hk2 − Lτ √ Da khq − hk



.

Using the same assumption we have made in deriving Lemma 3, we have for each realization of the cryptographic L key khq − hk2 ≈ 12 ∆2 . This approximation becomes more




accurate as L increases. Therefore, we have the following approximate expressions for the probability of false alarm and probability of miss: ! r 12Lτ 2 PF A ≈ Q Da ∆ 2 s  2 − τ )2 12L (∆ . PM ≈ Q  Da ∆ 2

4.

ROBUSTNESS AGAINST THE ESTIMATION ATTACK

1. For each i ∈ {1, 2, · · · , L}, the quantization error Qi ,  ∆ , . Hi − Hq,i is i.i.d. uniform in − ∆ 2 2 2. Q and S are uncorrelated.

3. The additive watermark sequence N is Gaussian. Remark. Assumption 1 results from (3.3) and the similar one we have made in deriving Lemma 3. Note neither the host data nor the cryptographic key is known to the attacker. These assumptions can be verified experimentally. Assumption 2 becomes exact if the induced distribution of  the dither is i.i.d. uniform in − ∆ , ∆ . Assumption 3 can 2 2 be justified by the central limit theorem (CLT) as the size of image and the number of random rectangles become large. By the definition of T, we have , = =

Ts As − CBs Sq,

(13)

where S si

=

∆2 2 S , 12

where the last inequality follows the first assumption we have made in this section. Now, following the full row rank assumption on T, we let the singular value decomposition (SVD) of T be T = UΣT VT ,

Attacks on watermarking scheme can be either generic, or algorithm-specific that take into account the structure of the proposed algorithm. Such attacks would be cryptanalytic in nature. In this section, we derive an optimal estimation attack on the additive embedding scheme using a particular stochastic model on the host data and the embedding sequence. Note, although the use of stochastic models on the attacked signal by a detector might be inappropriate, similar assumptions are realistic for the attacker. Moreover, we allow some host data statistics and some partial information about the hash values and T be known by the attacker. Consequently, the attacker applies minimum mean-squared error (MMSE) estimation on the watermarked signal as an attack. We first hypothesize a few assumptions which might be reasonably made by the attacker:

r

for the attacker. By (13), we have h i Rr , E RRT h i T = S E QQT S

, diag(s1 , s2 , · · · , sL ) X , bij sj , i = 1, 2, · · · , L. j∈Ri

Here we assume that the attacker knows si , the local average of the host image for each randomly chosen rectangle. Note that, this implies that the attacker knows the positions of the random rectangles. Therefore it is a huge upper-hand

where U is an L × L orthogonal matrix, ΣT is an L × L diagonal matrix, and V is an N × L matrix with orthogonal columns. By Lemma 1, we have n

= −TT (TTT )−1 r T = −VΣ−1 T U r.

Therefore, we have Rn

h i , E NNT

T −1 T = VΣ−1 T U Rr UΣT V

=

∆2 T 2 −1 T VΣ−1 T U S UΣT V . 12

(14)

Our current attack analysis uses Gaussian models on the host data S. Following the methodology presented in [5], we now model S as an independent, but not necessarily identically distributed zero mean Gaussian vector. Furthermore, we assume that the variance field of S is smoothly varying, based on which we use locally approximately i.i.d. assumption on S. Using this approximation, we estimate the underlying variance field, see [5] for further details. Let Rs denote the correlation matrix of S. We now assume that the attacker knows both Rs and Rn . Note, by (14), the attacker gets some information about T for free. As our experiments reveal, even then the attacker does not succeed. Thus, the attacker can estimate s, given x = s + n, using the optimal Wiener filtering b s = Rs (Rs + Rn )−1 x.

(15)

Due to the Gaussian nature of the setup, this estimate coincides with the MMSE and MAP estimates of s given x. Also note that, the estimation of Rs given x instead of s is by no means trivial. Nevertheless, we allow the adversary to know the estimate of Rs and it only strengthens our results. In all our experiments we observed that our watermarking algorithm is robust against the estimation attack. Experimental Results: Our current experiments indicate that the robustness of the proposed algorithm against Stirmark-type geometric attacks is about the same level as the algorithm provided in [1]; that is, as long as the the geometric attacks are at a reasonable level (e.g., rotation that does not exceed 2 degrees, cropping that does exceed 5%, etc.), our algorithm is robust with high probability. On the other hand, the proposed approach here is superior over the one in [1] in the sense of scaling and contrast enhancement type attacks. More experimental results shall be provided in the final version of the paper.

5.

REFERENCES

[1] M. K. Mıh¸cak, R. Venkatesan, and M. Kesal, “Watermarking via optimization algorithms for quantizing randomized statistics of image regions,” in Proc. 40th Annual Allerton Conf. on Communication, Control and Computing, Monticello, Illinois, October 2002. [2] F. Petitcolas, R. Anderson, and M. Kuhn. “Attacks on copyright marking systems,” in Proc. 2nd Int. Workshop on Information Hiding, Portland, Oregon, April 1998. [3] R. Venkatesan, S. Koon, M. Jakubowski, and P. Moulin, “Robust Image Hashing,” in Proc. Int. Conf. Image Processing, Vancouver, Canada, September 2000. [4] T. Liu and P. Moulin, “Error exponents for one-bit watermarking,” in Proc. Int. Conf. Acoustics, Speech, and Signal Processing, Hong Kong, April 2003. [5] M. K. Mıh¸cak and P. Moulin, “Information embedding codes matched to locally stationary Guassian image models,” in Proc. Int. Conf. Image Processing, Rochester, New York, September 2002.