combined watermarking for image authentication ... - Semantic Scholar

COMBINED WATERMARKING FOR IMAGE AUTHENTICATION AND PROTECTION Chun-Shien Lu, Hong-Yuan Mark Liao and Chwen-Jye Sze

Institute of Information Science, Academia Sinica, Taipei, Taiwan e-mail: flcs, [email protected] ABSTRACT

A novel combined watermarking scheme for image authentication and protection is proposed in this paper. By utilizing the publicly available wavelet-based just noticeable distortion (JND) values, the hidden watermark is designed to carry the host image's information such that blind watermark detection becomes possible. The watermarks are embedded using the previously proposed cocktail watermarking technique and are extracted by a quantization process. According to the polarities and the dierences of the hidden and the extracted watermarks, the fragility and robustness of a watermark can be measured, respectively, such that both content authentication and copyright protection are achieved simultaneously.

1. INTRODUCTION Copyright marking has recently become an important technique for multimedia information hiding [11]. Its application includes ownership protection [4, 7, 8, 12], content authentication [3, 5, 6, 14], and so on. Most of the existing watermarking schemes dedicated themselves either to ownership protection or to content authentication. If more than one purpose is needed, then usually more than one watermark is required to be embedded. Because watermarks of dierent sorts play dierent roles, Mintzer and Braudaway [10] mentioned that the order for hiding watermarks is important. Wu and Liu [14] also presented a similar concept by combining their own image authentication scheme with an existing ownership protection scheme for \double watermarking." In this paper, we shall develop a new watermarking scheme that can simultaneously achieve image authentication and protection by embedding watermarks only once . For copyright protection, robustness is a major concern. We have proposed the concept of cocktail watermarking [7, 8] which can resist dierent kinds of attacks. However, the rst version of the cocktail watermarking was not oblivious. Some previous works [4] have achieved the oblivious detection requirement but at the expense of robustness especially under stronger attacks and repeated (combined) attacks. Hence, one purpose of this paper is to propose an oblivious while robust watermarking scheme. For image authentication, the previous technique such as [3] focused on detecting whether a whole image is tamTO APPEAR IN PROC. 1TH IEEE INT. CONF. ON MULTIMEDIA AND EXPO, NY, USA, JUL. 30-AUG. 2, 2000

pered or not. However, they did not specify clearly how and where the image was tampered. Although the approach proposed by Kundur and Hatzinakos [5] is capable of accessing the extent of tampering statistically by a tamper assessment function, their method is particularly unstable at high frequency wavelet subbands. Their quantization process is designed more/less sensitive to modi cations at high/low frequency in the wavelet domain. However, this will violate the nature of human visual system (HVS) [13]. To survive JPEG compression in an image authentication system, Lin and Chang [6] proposed to preserve the invariance between the DCT coecients before and after quantization to form a digital signature. They also mentioned that the authenticator is sucient to accept those images that are compressed by JPEG up to a certain compression ratio or quality factor. To resist other non-malicious processing, their authenticator should adapt to them by adjusting some tolerant thresholds. Some feature points-based authentication systems have been considered in [1, 2]. Their concept is to generate the digital signature by encrypting an image's feature points. Authentication is then veri ed by comparing the positions of those feature points of the image in question with those decrypted from the previously encrypted feature points. In this paper, we propose a combined watermarking scheme which can simultaneously achieve copyright protection and content authentication by hiding watermarks only once. The key point of why our method is valid lies in the ways of detecting the robust watermarks and the fragile watermarks, respectively. The new method proposes to quantize the selected wavelet coecients into masking threshold units. Then, the watermarks are embedded by modulating the quantization result to either a right or a left masking threshold unit using cocktail watermarking [7, 8]. In the meantime, the original quantization result can be recorded as the hidden watermark because it is the closest neighbor to the modulated quantization result. That is, the hidden watermark carries the information of the host image, which can be used to recover the host image with indistinguishable perceptual degradation. Basically, these information are very useful for oblivious watermark detection. The major contribution of this combined watermarking scheme is twofold. First, a new oblivious watermark detection technique which is associated with our previously developed cocktail watermarking scheme is proposed. Since the nature of cocktail watermarking is still preserved, the new oblivious scheme has guaranteed high robustness for

copyright protection. Second, the amount of modi cations can be calculated by directly comparing the hidden and the extracted watermarks so that malicious tampering could be detected and mild compression could be resisted. In this paper, if the modi cation amount exceeds a HVS-determined threshold, then these modi cations will be considered as malicious tampering. HVS is a reasonable standard in measuring whether the media contents are tampered or not since our eyes are sensitive to modi cations beyond perception. If the perceptual modi cations have occurred, we will feel that something are tampered. However, HVS is not adaptive to all cases because some certain manipulations actually exist but the media contents cannot be regarded as tampered. One main reason is that there are no universal de nitions about malicious tampering and incidental tampering. Even for the same type of modi cation, dierent degrees of manipulation will sometimes represent dierent meanings.

2. THE PROPOSED SCHEME Our scheme is currently developed for gray-scale and color images, but also adapts to other media [9]. The wavelet transform is adopted in this paper due to its excellent multiscale, precise localization properties and the publicly available masking thresholds [13].

2.1. Hiding: Quantization of Image waveletcoecients as Masking Threshold Units (MTUs)

Let ws;o (x; y) be the selected wavelet coecients at the scale s, the orientation o, and the position (x; y). We will modum (x; y ) by adding a quantity late it and make it become ws;o involving the i-th watermark value kH (i). The relation of (x; y) and i is a mapping function map, which is de ned in [7, 8]:

map(x; y) =

i;

for positive modulation ?i: for negative modulation (1)

These mapping results will be stored for watermark detection. The main idea of designing the watermark value kH (i) is to divide the wavelet coecients into masking threshold units. If the dierence between an original coecient and an attacked coecient is larger than a masking threshold unit, than the data is considered tampered. Let JNDs;o (x; y) be the masking threshold [13] corresponding to ws;o (x; y), we calculate an integer quantization value, q, as

ws;o (x; y) c; q(jmap(x;y)j) = b JND (x; y) s;o

(2)

with q(jmap(x; y)j) 2 Z and jq(jmap(x; y)j)j 1, because jws;o (x; y)j > jJNDs;o (x; y)j. In order to make a transparent watermarked image, the modulated quantity should not exceed JNDs;o (x; y). According to our complementary modulation strategy [7, 8], watermarks are embedded, respectively, by negative modulation (NM ) and positive modulation (PM ) as follows.

Negative modulation: 8 q(?map(x;y)) JNDs;o (x; y) ? 1; > > > ws;o (x; y) > JNDs;o (x; y) > < q(?ifmap )) JNDs;o (x; y) + 1; (3) m ws;o (x; y) = > if ws;o((x;y x; y ) < ?JNDs;o (x; y) > > > ws;o(x; y): : if jws;o (x; y)j jJNDs;o (x; y)j Positive modulation: m (x; y ) = Q(map(x;y )) JNDs;o (x; y ); ws;o (4)

where and

ws;o (x; y) e Q(map(x;y)) = d JND (x; y) s;o

(5)

jQ(map(x;y))j = jq(map(x;y))j + 1: m (x; y ), either falls The modulated wavelet coecient, ws;o into the (q(?map(x;y)) ? 1)-th masking threshold unit after negative modulation or the Q(map(x;y))-th masking threshold unit after positive modulation. That is, the original and the modulated wavelet coecients are located at dierent but contiguous masking threshold units, no matter what type of modulation rule is applied. From the modulated wavelet coecients in Eqs. (3) and (4), we can obtain the modulated quantization index, qm , as jq(?map(x;y))j ? 1; for NM(6) jqm (jmap(x; y)j)j = jq(map(x;y))j + 1; for PM The value qm (jmap(x; y)j), which is an integer, is regarded as a watermark value, kH (i), hidden using negative modulation or positive modulation according to whether map(x;y) is negative or positive. The hidden watermark kH is later used to evaluate the robustness and the fragility of extracted watermark without accessing the original image. Thus, we can call the proposed combined watermarking scheme an oblivious one.

2.2. Host Image Recovery

Let the i-th watermark value be kH (i) , it is equal to the quantization index qm (jmap(x; y)j), as indicated in Eq. (6). The recovered quantization value qr is obtained from the inverse operation of Eq. (6). The dierence between a recovered wavelet coecient and its corresponding original wavelet coecient is bounded by JNDs;o (x; y). According to the human visual system, the recovered host image is perceptually indistinguishable from the original image. This explains that the hidden watermarks really carry very important information about the original image.

2.3. Watermark Detection

a (x; y ) be a modulated wavelet coecient after atLet ws;o tacks, the positively/negatively modulated watermark value is extracted without access to the original image by a (x; y ) ws;o kHe (jmap(x; y)j) = b JND c; (7) s;o (x; y ) depending on the sign of map(x; y) (de ned in Eq. (1)). By comparing kH and kHe , the detector response is separately calculated for negatively and positively modulated watermarks.

2.3.1. Detector Response of Robust Watermarking If the signs of (kH (i) ? qr (i)) and (kHe (i) ? qr (i)) are the same; i.e., the behaviors in the modulation and the attacking processes operate along the same polarity, then they contribute positively to the detector response. A higher value of (kH ; kHe ) means stronger evidence that kHe is a genuine watermark. The response of robust waterP detector sign (k (i)?q (i))sign(k (i)?q (i)) marking is de ned as =1 , N where Nw is the watermark length. Nw i

r

H

e H

r

w

2.3.2. Perception-based Fragile Watermarking From the view point of human visual system, an image pixel is de ned to be tampered if the dierence between a hidden watermark value and its corresponding fragile watermark value is larger than t (t 1) masking unit. Hence, the tampering of negatively modulated watermark is de ned as

T neg (i)

( 1; jkH (i)j > jke (i)j ^ jkH (i) ? ke (i)j > t; H H 1; jkH (i)j jkHe (i)j ^ jkH (i) ? kHe (i)j > 1(8) ; = 0; otherwise;

and the tampering of positively modulated watermark is de ned as ( 1; jkH (i)j < jke (i)j ^ jkH (i) ? ke (i)j > t; H H pos ; 1; jkH (i)j jkHe (i)j ^ jkH (i) ? kHe (i)j > 1(9) T (i) = 0; otherwise: Thus, the globalPdetector responses watermarking Pof fragile T (i) T (i) are de ned as, =1N and =1N , respectively, for NM and PM . Note that dierent t values will make our authenticator adapt to various distortions. We will analyze perception-based fragility in Sec. 3. Nw

neg

i

Nw

pos

i

w

w

2.3.3. Invariance-based Fragile Watermarking We use an invariant property (observed from the behaviors of attacks [7, 8]) to check the invariance between two complementary watermarks. Let kneg and kpos be two watermarks hidden by negative modulation and positive modue and ke be two extracted walation, respectively, and kneg pos termarks. We de ne the invariant property between these watermark values at the same position as follows: e (i) ? kpos e (i) 0 if kneg (i) ? kpos(i) > 0 then kneg e (i) ? kpos e (i) 0 if kneg (i) ? kpos(i) < 0 then kneg e (i) ? ke (i) = 0 if kneg (i) ? kpos(i) = 0 then kneg pos If any one of the above three conditions is not satis ed, then tampering is said to occur.

2.4. Normalization of the Hidden Watermark kH

The hidden watermark kH is designed to carry the information of a host image and is, therefore, dependent on the host image itself. Any randomly selected watermark ke may be highly correlated with the hidden watermark kH . This will cause a severe false positive problem. Hence, the hidden watermark should be normalized to N (0; 1) such that kH and ke will be statistically independent. Let (m; ) be the

mean and standard deviation of the hidden watermark kH , kH can be normalized to N (0; 1) denoted as kG by

kG (i) = kH (i) ? m :

(10)

In computing the probabilities of false positive and false negative as conducted previously [7, 8], the Gaussian distributed watermark kG instead of kH is used. The pair (m; ) is regarded as the image-dependent watermark (IDW) key and is associated with kG to generate kH for watermarking.

3. ANALYSIS According to the threshold t de ned in Sec. 2.3.2, if a coef cient x is originally located at the (j +1) ? th masking unit and is moved to the j ? th masking unit after NM as xM , then xM is considered not tampered as long as the tampered x, xT , is in the (j ? t) ? th (j +1) ? th masking units. Actually, the number of masking units with respect to NM in the left and the right intervals of xT is t and 1, respectively. That is, the interval considered to be un-tampered with respect to xT is asymmetric . The similar result could be derived for PM . As we have addressed in [7, 8], attacks tend to either increase or decrease the magnitude of wavelet coecients. Thus, our watermarking strategy is to allow our authenticator more robust (less fragile) to incidental distortions. If xT is produced from compression/enhancing (behaves like NM /PM [7, 8]), xM has more chance to be still credible because the left/right interval of xM is longer. On the contrary, fragility is determined from the other shorter interval (in fact, it is 1 masking unit). On the other hand, the relative fragility of the two half intervals of xM can also be derived using the tamper sensitivity function (TSF ) [5]. We shall take NM as an example to show the analyzed result. Let JNDs;o (x; y) be the masking threshold de ned previously, we can easily derive that the TSF of the left interval of xM , 1 ? [2erf ( tJND4 (x;y) )]N , is smaller than that of the right interval of xM , 1 ? [2erf ( JND4 (x;y) )]N , where t is the variance of tampering. It means that under NM , tampering on the left interval of xM Mis more robust than tampering on the right interval of x . This again con rms our original assertion. s;o

w

t

s;o

w

t

4. EXPERIMENTAL RESULTS Our fragile watermarking is veri ed using the \MonaLisa" image of size 256 256, as shown in Fig. 1(a). The watermark length was 2538 and a total of 5076 wavelet coef cients needed to be modulated using the cocktail watermarking. The watermarked image shown in Fig. 1(b) had PSNR 43:6 dB. No perceptual distortion is observed on a computer screen at a distance of 32 in [13]. As expected, no tampering results are detected from the un-modi ed image (Fig. 1(b)). Next, the watermarked MonaLisa image is slightly modi ed in her mouth by rippling, as shown in Fig. 1(c). Figs. 1(d)(f) show the tampering detection results at dierent scales. It is observed that the altered regions are successfully located. In addition, the incidental distortion,

i.e., SPIHT compression, is used to estimate the robustness of our scheme. From Table 1, it is observed that the watermark embedded using negative modulation (NM ) is actually more robust to compression than positive modulation (PM ). The threshold, 0:15, of tampering degree is reasonably used for the negatively modulated watermark to approximately resist SPIHT up to compression ratios 20 : 1 (for t = 1) and 40 : 1 (for t = 2). However, the threshold, t, cannot be set arbitrarily large because it will aect the fragility of watermarks under malicious tampering. It needs further analysis about the compromise between the size of t and the fragility of watermarks. On the other hand, if the invariance (INV ) between watermark values is utilized, the tampering detection results show that it is extremely robust to compression. For robust watermarking, results show that the robustness is nearly equivalent to the previous non-oblivious cocktail watermarking [7, 8] under the test of more than 50 attacks. The uniqueness of the extracted watermark has also been veri ed by considering what we have mentioned in Sec. 2.4.

5. DISCUSSION Future work will focus on eliminating the need of storing and retrieving the mapping le and the hidden watermarks (considered as the secret keys) for watermark detection. This is because public key detection admits of reading the watermarks for everybody and of removing them only by an authorized person.

6. REFERENCES [1] S. Bhattacharjee and M. Kutter, \Compression Tolerant Image Authentication", ICIP , USA, 1998. [2] J. Dittmann, A. Steinmetz, and R. Steinmetz, \Content-based Digital Signature for Motion Pictures Authentication and Content-Fragile Watermarking", ICMCS , Vol. II, Italy, 1999. [3] G. L. Friedman, \The Trustworthy Digital Camera: Restoring Credibility to the Photographic Image", IEEE Trans. Consumer Electronics , Vol. 39, pp. 905910, 1993. [4] F. Hartung and M. Kutter, \Multimedia Watermarking Techniques", Proceedings of the IEEE , Vol. 87, pp. 1079-1107, 1999. [5] D. Kundur and D. Hatzinakos, \Digital Watermarking for TellTale Tamper Proo ng and Authentication", Procceedings of the IEEE , Vol. 87, pp. 1167-1180, 1999. [6] C.-Y. Lin and S.-F. Chang, \A Robust Image Authentication Method Surviving JPEG Lossy Compression", SPIE Storage and Retrieval of Image/Video Database , Vol. 3312, San Jose, 1998. [7] C. S. Lu, H. Y. Mark Liao, S. K. Huang, and C. J. Sze, \Cocktail Watermarking on Images", 3rd Inter. Workshop on Information Hiding , LNCS 1768, pp. 333-347, Sept. 29-Oct. 1, 1999.

(a)

(b)

(c)

(d)

(e)

(f)

Figure 1: Tamper detection: (a) host image; (b) watermarked image; (c) tampered image; (d)(f) the tamper detection results at 22 24 scales. [8] C. S. Lu, H. Y. Mark Liao, S. K. Huang, and C. J. Sze, \Highly Robust Image Watermarking Using Complementary Modulations", 2nd Inter. Information Security Workshop , LNCS 1729, pp. 136-153, 1999. [9] C. S. Lu, H. Y. Mark Liao and L. H. Chen, \Multipurpose Audio Watermarking", to appear in 15th Int. Conf. on Pattern Recognition , Spain, 2000. [10] F. Mintzer and G. W. Braudaway, \If one watermark is good, are more better?", ICASSP , pp. 2067-2070, 1999. [11] F. Petitcolas, R. J. Anderson, and M. G. Kuhn, \Information Hiding: A Survey", Proceedings of the IEEE , Vol. 87, pp. 1062-1078, 1999. [12] M. D. Swanson, M. Kobayashi and A. H. Tew k, \Multimedia Data-Embedding and Watermarking Technologies", Proc. of the IEEE , Vol. 86, pp. 1064-1087, 1998. [13] A. B. Watson, G. Y. Yang, J. A. Solomon, and J. Villasenor, \Visibility of Wavelet Quantization Noise", IEEE Trans. Image Proc., Vol. 6, pp. 1164-1175, 1997. [14] M. Wu and B. Liu, \Watermarking for Image Authentication", IEEE Inter. Conf. on Image Processing , 1998. Table 1: Tampering evaluation of SPIHT. CR

4 8 16 32 64

Degree of tampering t=1 t=2 INV

NM PM 0:002 0:032 0:025 0:074 0:126 0:243 0:227 0:385 0:395 0:548

NM PM 0:000 0:032 0:017 0:074 0:080 0:238 0:114 0:379 0:215 0:531

0:023 0:027 0:031 0:030 0:039