Академический Документы
Профессиональный Документы
Культура Документы
1 Introduction
Over the last decade watermarking technologies have been developed to a large
extent for protecting copyright of digital media. A lot of watermarking strate-
gies have been proposed in this period. In the mean time, number of bench-
mark attacks have been proposed, which the robust watermarking strategies
should pass. However, no attempt has been made to analyze each of the popular
schemes individually and presenting customized attacks to highlight the weak-
ness of each individual scheme. As it is generally done in cryptology, we here
concentrate on a specic scheme, known as Optimal Dierential Energy Water-
marking (DEW) [7] and present a successful cryptanalysis. Further we provide
necessary corrections to make the scheme robust.
Let us now provide a brief description on images and the watermarking strate-
gies in general. An image I can be interpreted as a two dimensional matrix. If
A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 135148, 2002.
c Springer-Verlag Berlin Heidelberg 2002
136 Tanmoy Kanti Das and Subhamoy Maitra
it is a gray scale image, then the integer values stored in each location of the
matrix presents the intensity, which is generally in the range of 0 to 255. Higher
resolutions may also be achieved by increasing this range. Coloured images can
generally be seen as an assorted set of three such matrices, which correspond to
the intensity values of red, green and blue channels. These are called the rep-
resentations in spatial domain. Dierent transform domain representations are
also available, which are Fast Fourier Transform (FFT), Discrete Cosine Trans-
form (DCT) [3], Wavelet Transform etc [8]. These can also be seen as matrices
containing either real or complex values. Thus, the best way to interpret an
image is as a matrix of values.
Note that, if we change the values of this matrix in some range, visually the
image quality may not degrade. Given an image I, let us dene the neighbour-
hood of I, N (I), which contains all the images which are visually indistinguish-
able from I. Even if the image is not in spatial domain, while interpreting the
neighbourhood of the image, we must consider the image in the spatial domain
(that is we need inverse transform to the spatial domain from the transformed
domain) for visual indistinguishability. There are also some measures, e.g., Peak
Signal to Noise Ratio (PSNR) [6, Page 112], which can be used as measure of
visual indistinguishability.
The concept of invisible digital watermarking works as follows. Given an
image I, a signal si is added to I, which produces a watermarked image I (i) =
I + s(i) N (I). The addition means some kind of element wise addition in the
matrix. This image I (i) is given to the i-th buyer. Now the watermark retrieval
algorithm works in two ways.
1. In the non-oblivious schemes (e.g., the CKLS scheme [1]), the original image
is used in the retrieval process. The available image (may be attacked using
image processing or cryptanalytic techniques) I # is compared to the original
image I and a signal s# = I # I is recovered. Finally from s# , the buyer i
is suspected if s(i) possesses some signicant correlation with s# .
2. In the oblivious schemes (e.g., the DEW scheme [7]), the original image is not
used in the retrieval process but some other information related to the image,
generally known as image key, are available. From the available image (may
be attacked using image processing or cryptanalytic techniques) I # and the
image key, a signal s# is recovered. From s# , the buyer i is suspected if s(i)
possesses some signicant correlation with s# .
The robustness of the watermarking strategy depends on how well the proper
buyer is identied (who has intentionally attacked the watermarked image) and
how infrequently an honest buyer is wrongly implicated. By cryptanalysis of
a digital watermarking scheme we mean the following.
Let I (i) be a watermarked copy of I. One has to mount an attack to con-
struct I # from I (i) such that there is no signicant correlation between s#
and s(i) . Thus, the buyer i will not be identied. Moreover, I (i) , I # need to be
visually indistinguishable. To the attacker, only I (i) is available, but I, s(i) are
not known. Thus there is no facility for the attacker to directly test that the
Cryptanalysis of Optimal Dierential Energy Watermarking (DEW) 137
watermarking signal has been removed. However, the attacker need to be con-
vinced indirectly that the watermark is erased, i.e., the correlation between s(i)
and s# has been removed.
It is already known that existing correlation based watermarking techniques
are susceptible to collusion attacks under a generalized framework [2]. This re-
quires a sucient number of watermarked copies. In particular, if the eective
document length is n, then at most O( n/ ln n) copies are required to defeat
the watermarking scheme. Note that for an image of size 256 256 or 512 512,
for a successful collusion attack, a large number of watermarked images may be
required depending on the size of the key information. This may not be practi-
cal. On the other hand, we here concentrate on cryptanalytic attack based on
a single watermarked copy.
Before going for further details, let us highlight why such a cryptanalytic
attack is important.
1. The watermarking strategies should survive some standard image trans-
formations. These are cropping, rotation, resizing, JPEG compression [13],
wavelet compression [8] etc. Note that most of the current schemes can eas-
ily survive these transformations. The existing methods can also survive the
attacks related to insertion of random noise in the image, some ltering at-
tacks [5, 6] or nonlinear geometric attacks such as Stirmark [10, 11]. It is
clear that once an attack, based on some image processing technique, is pro-
posed then it is expected that there will be some (inverse) image processing
methodology to resist such kinds of attack. Thus single copy attacks, based
on image processing techniques, should not survive in a long run.
2. The existing watermarking models have never been analyzed using cryptan-
alytic techniques as it is done in case of any standard cryptographic schemes.
We here look into the watermarking scheme as a cryptographic model and
provide a very strong attack which can even be considered as a cipher text
only attack (for dierent kinds of cryptanalytic attacks, see [9]). Here we
mount the attack on the DEW scheme [7] and provide successful results by
removing the watermark. It is important to analyze each of the well known
watermarking schemes in detail and it seems that the existing schemes are
not robust with respect to customized cryptanalytic attacks on each of the
schemes.
3. Further, the cryptanalytic attack motivates us to remove the weakness of
the scheme and we propose a modication of the DEW scheme which re-
sists such cryptanalysis. The DEW scheme itself is an oblivious scheme and
what we propose after the modication is also an oblivious one. However,
it is important to note that in the DEW scheme, the watermark was image
specic and it was same for all the buyers. That means the identication of
the watermark can only prove the copyright, but it can not trace the buyer
who has violated the copyright agreement. In our scheme we present buyer
specic watermark, so that it is possible to identify the malicious buyer.
In [12, Page 122], a statistical removal attack has been pointed out. The at-
tack was based on a large number of rewatermarks on the watermarked image
138 Tanmoy Kanti Das and Subhamoy Maitra
and then trying to remove each of the rewatermarks using some image transfor-
mations. First of all, putting a lot of rewatermarks degrades the visual quality of
the image. In the DEW scheme [7], with the standard experimental parameters,
we have checked that putting consecutive watermarks degrades the quality of
the image. Moreover, the exact image transformations that are required to re-
move the rewatermarks have not been discussed in [12]. In this paper we present
a concrete watermark removal strategy on a specic scheme.
We describe the DEW scheme in Subsection 1.1. In Section 2 we present
the attack. We rst present the basic attack in Subsection 2.1 and then modify
its limitation to mount a stronger attack which is described in Subsection 2.2.
Next we modify the DEW scheme in Section 3 to present a robust watermarking
strategy.
Algorithm 2
1. Arrange the 8 8 DCT blocks of the JPEG image as done in watermark
insertion stage and use the same grouping of lc-regions available using the
same pseudorandom generator and the same seed S in the Algorithm 1.
2. FOR j = 0 to l 1 DO
(a) Select j th lc-region consisting of n blocks
(b) FOR cctr = cmin + 1 to 63 DO
i. calculate EA (cctr ).
ii. calculate EB (cctr ).
(c) cA = min(cT ) where cT = {cctr {cmin + 1, 63}|(EA (ctr) < D )}
(d) cB = min(cT ) where cT = {cctr {cmin + 1, 63}|(EB (ctr) < D )}
(e) Lj = 0
(f ) IF (cA < cB ) Lj = 1
(g) IF ((cA = cB ) & (EA (cA ) < EB (cB ))) Lj = 1;
Algorithm 3
1. FOR each of the 8 8 block DO
(a) Read re/pre quantized zigzag scanned DCT coecients j (j = 0, . . . , 63).
(b) Sort j (j = 1, . . . , 63) to get j (j = 1, . . . , 63) (not considering the DC
value) and index vector V such that j = V j .
(c) Fit a polynomial P of degree d over with the following points.
i. Take the points (j, j ) for which j = 0.
ii. Let s be the largest and t be the smallest values such that s = t = 0.
Let k =
s+t
2 . Take the point (k, k ).
(d) IF j = 0 THEN j = P (j) (j = 1, . . . , 63)
Cryptanalysis of Optimal Dierential Energy Watermarking (DEW) 141
(e) j = V j (j = 1, . . . , 63).
(f ) Write back as the DCT values of the block.
2. Write back the image at 100% JPEG quality.
for the complete image. In the DCT domain of any 8 8 block of the image, we
will remove all the frequency components which are greater than fc . Moreover,
if some frequency components, having frequency fc are already zero (either
due to JPEG compression or due to the watermark), we will try to extrapolate
those values.
Thus the DEW algorithm is attacked at two levels. At rst level we remove
some frequency components and at the second level we add some. We inten-
tionally remove some high frequency coecients, so that the blocks, which are
unaected by DEW algorithm, get aected in a similar fashion as the blocks
which are aected by the algorithm itself. Note that, if removing some of the
high frequency coecients from one set of blocks by DEW algorithm does not
degrade the image quality, then it is expected that removing high frequency co-
ecients from other set of blocks will not degrade the image too. Importantly,
it will reduce the energy dierence created by DEW algorithm and hence the
watermark signal can not be extracted. The detailed algorithm is as follows.
Algorithm 4
1. Set the value of fc .
2. FOR each of the block of the image DO
(a) Read the zigzag scanned DCT coecients in j (j = 0, . . . , 63).
(b) Set j = 0 for j > fc .
(c) IF fc = 0
i. Find f such that k = 0 for all k, f < k fc .
ii. Sort j , j = 1 . . . f to get j , j = 1 . . . f and maintain an index
vector V such that j = V j .
iii. Fit a polynomial P of degree d using the data points (k, k ) for k =
1, . . . , f and (fc , fc ).
iv. j = P (j) for j = f + 1, . . . , fc .
v. j = V j for j = f + 1, . . . , fc .
(d) Write back .
Image WPS fc QJ P EG QJ P EG QJ P EG QJ P EG
fc = 100% = 75% = 50% = 25%
Lena WPS 1 23 51% 46% 49% 47%
Baboon WPS 1 23 57% 50% 52% 51%
Pentagon WPS 1 50 55% 48% 48% 48%
Lena WPS 2 21 50% 47% 46% 49%
Baboon WPS 2 19 54% 47% 51% 53%
Pentagon WPS 2 35 48% 48% 48% 47%
respectively. We are not at all interested about the JPEG quality, since the low
frequency components are not seriously disturbed by the JPEG compression.
We consider the organization of lc-subregions A, B in such a manner such
that |EA EB | < , i.e., EA EB . If we incorporate a bit 0 (respectively
1) in that region, then we want that EA (EA after the modication) becomes
substantially greater (respectively smaller) than EB (EB after the modication).
Let be the fractional change required to enforce the required energy dierence,
E EB
i.e., after the modication we need | EA
A +EB
| . The exact scheme is presented
below. Note that the l length binary pattern L is dierent for each buyer and
hence at the extraction phase, from the recovered bit pattern it is possible to
identify the copyright infringer.
Algorithm 5
1. Randomly arrange the 8 8 DCT blocks of the JPEG image using some
pseudo random generator and group them in various lc-regions. Each lc-
region should be divided in two lc-subregions such that EA EB . Store this
group information which we call the image key K.
2. FOR j = 0 to l 1 DO
(a) Select the j th lc-region consisting of n blocks.
(b) Let 2 = 1 + 2
(c) IF (Lj = 0) THEN
i. j,b = j,b (1 + 1 ) for b = 1, . . . , n2 1, and j = 1, . . . , q.
ii. j,b = j,b (1 2 ) for b = n2 , . . . , n 1, and j = 1, . . . , q.
(d) ELSE IF(Lj = 1) THEN
i. j,b = j,b (1 1 ) for b = 1, . . . , n2 1, and j = 1, . . . , q.
ii. j,b = j,b (1 + 2 ) for b = n2 , . . . , n 1, and j = 1, . . . , q.
3. Arrange back the DCT blocks to their original positions and write the image.
Note that the most important part of this algorithm is as described in the
step 1 of Algorithm 5. We rst need to group dierent blocks to get dierent lc-
regions. However, just getting the lc-regions does not suce. In fact, we further
need to divide each lc-region into two lc-subregions A, B such that |EA EB | < ,
i.e., EA EB . Getting such a grouping by itself is an NP-complete problem
(basically subset sum problem) and hard to nd. Thus there are two issues.
Even with that low quality image, our scheme can extract the watermark and
identify the malicious buyer.
We checked the standard image processing attacks like ltering, cropping,
addition of noise etc. The scheme survives all such attacks. However, we have
checked that in case of rotation or when the pixel positions change, it may not be
possible to extract the watermark. This is natural since the scheme is oblivious.
However, if we consider that the original image is available during the extraction
process (i.e., the scheme becomes non-oblivious), then we can use the original
image to properly rotate back the attacked watermarked image. In that case
one can successfully recover the watermark. In case of Stirmark attacks [10, 11],
if the original image is available, then we can use the block based strategy [4]
148 Tanmoy Kanti Das and Subhamoy Maitra
to recover the watermark properly. In Figure 2, the image after the Stirmark 3
attack has been presented. We could successfully recover the watermark using
block based strategy when the original image is available. It is a challenging
question to successfully extract the watermark in the oblivious scheme, i.e., when
the original image is not available.
References
[1] I. J. Cox, J. Kilian, T. Leighton and T. Shamoon. Secure Spread Spec-
trum Watermarking for Multimedia. IEEE Transactions on Image Processing,
6(12):16731687, 1997. 136
[2] F. Ergun, J. Kilian and R. Kumar. A note on the limits of collusion-resistant
watermarks. In Eurocrypt 1999, no 1592 in LNCS, pages 140149, Springer
Verlag, 1999. 137
[3] R. C. Gonzalez and P. Wintz. Digital Image Processing. Addison-Wesley Pub-
lishing (MA, USA), 1988. 136
[4] F. Hartung, J. K. Su and B. Girod. Spread Spectrum Watermarking : Malicious
Attacks and Counterattacks. Proceedings of SPIE, Volume 3657 : Security and
Watermarking of Multimedia Contents, January 1999. 147
[5] N. F. Johnson, Z. Duric and S. Jajodia. Information Hiding: Steganography and
Watermarking Attacks and Countermeasures. Kluwer Academic Publishers,
USA, 2000. 137
[6] S. Katzenbeisser, F. A. P. Petitcolas (edited). Information Hiding Techniques for
Steganography and Digital Watermarking. Artech House, USA, 2000. 136, 137
[7] G. C. Langelaar and R. L. Lagendijk. Optimal Dierential Energy Watermarking
of DCT Encoded Images and Video. IEEE Transactions on Image Processing,
10(1):148158, 2001. 135, 136, 137, 138, 140, 141, 146
[8] S. G. Mallet. A theory of multi resolution signal decomposition : the Wavelet
representation. IEEE Transactions on PAMI, 11:674693, 1989. 136, 137
[9] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied
Cryptography. CRC Press, 1997. 137
[10] F. A. P. Petitcolas, R. J. Anderson, M. G. Kuhn and D. Aucsmith. Attacks on
Copyright Marking Systems. In 2nd Workshop on Information Hiding, pages
218238 in volume 1525 of Lecture Notes in Computer Science. Springer Verlag,
1998. 137, 147
[11] F. A. P. Petitcolas and R. J. Anderson. Evaluation of Copyright Marking Sys-
tems. In IEEE Multimedia Systems, Florence, Italy, June 1999. 137, 147
[12] J. O. Ruanaidh, H. Petersen, A. Herrigel, S. Pereira and T. Pun. Cryptographic
copyright protection for digital images based on watermarking techniques. The-
oretical Computer Science 226:117142, 1999. 137, 138
[13] G. K. Wallace. The JPEG still picture compression standard. Communication
of the ACM, April 1991. 137