Science in China Series F: Information Sciences © 2007

Science in China Press Springer-Verlag

A digital authentication watermarking scheme for JPEG images with superior localization and security YU Miao†, HE HongJie & ZHANG JiaShu Sichuan Key Lab of Signal and Information Processing, Southwest Jiaotong University, Chengdu 610031, China

The drawbacks of the current authentication watermarking schemes for JPEG images, which are inferior localization and the security flaws, are firstly analyzed in this paper. Then, two counterfeiting attacks are conducted on them. To overcome these drawbacks, a new digital authentication watermarking scheme for JPEG images with superior localization and security is proposed. Moreover, the probabilities of tamper detection and false detection are deduced under region tampering and collage attack separately. For each image block, the proposed scheme keeps four middle frequency points fixed to embed the watermark, and utilizes the rest of the DCT coefficients to generate 4 bits of watermark information. During the embedding process, each watermark bit is embedded in another image block that is selected by its corresponding secret key. Since four blocks are randomly selected for the watermark embedding of each block, the non-deterministic dependence among the image blocks is established so as to resist collage attack completely. At the receiver, according to judging of the extracted 4 bits of watermark information and the corresponding 9-neighbourhood system, the proposed scheme could discriminate whether the image block is tampered or not. Owing to the diminishing of false detection and the holding of tamper detection, we improve the accuracy of localization in the authentication process. Theoretic analysis and simulation results have proved that the proposed algorithm not only has superior localization, but also enhances the systematic security obviously. fragile watermarking, JPEG compression, localization accuracy, collage attack

As an important component of information hiding technology[1], digital watermarking sche― ― mes[2 8], especially the schemes[5 8] combined with the prevalent image compression standard, Received July 15, 2006; accepted March 15, 2007 doi: 10.1007/s11432-007-0024-7 † Corresponding author (email: [email protected]) Supported by the National Natural Science Foundation of China (Grant No. 60572027), the Program for New Century Excellent Talents in University of China (Grant No. NCET-05-0794), the Sichuan Youth Science & Technology Foundation (Grant No. 03ZQ026-033), the National Defense Pre-research Foundation of China (Grant No. 51430804QT2201) and the Application Basic Foundation of Sichuan Province, China (Grant No. 2006 J13-10)

www.scichina.com

www.springerlink.com

Sci China Ser F-Inf Sci | June 2007 | vol. 50 | no. 3 | 491-509

such as JPEG, and used for authentication and integrity proofing of the image content, have aroused great fever in the researchers around the world. The existing JPEG watermarking schemes can be classified into two categories: The semi-fragile ones[5, 6] that can tolerate JPEG compression and accept the JPEG compression as an acceptable manipulation while detecting other malicious manipulations as well; the fragile ones[7, 8] used for authentication of JPEG images coupled the watermarking algorithm and JPEG compression algorithm together. In these schemes, the watermark is embedded in the compression process and extracted in the decompression stage. The fragile authentication watermarking for JPEG images, mainly used for the authentication and integrity proofing of the images needed to be transmitted through the internet, has attracted more attention in the research and industrial communities. It is a common practice in the earlier fragile watermarking schemes[8] for JPEG images authentication purposes to watermark some selected DCT coefficients so as to minimize embedding distortion. Li[7] points out that leaving most of the DCT coefficients unmarked results in a wide-open security gap for attacks to be mounted on them, and then proposes a new fragile watermarking scheme for authentication of JPEG images. Li[7] categorizes all the DCT coefficients into either watermarkable ones or unwatermarkable ones. The watermark is generated based on all the unwatermarkable DCT coefficients in the nine-neighborhoods and then embedded into all of the watermarkable coefficients. Through this method, Li’s scheme not only provides protection for all the DCT coefficients without explicitly watermarking all of them, but also strengthens the robustness against collage attack[9], thereby enhancing the security of the scheme. Unfortunately, Li’s scheme has security flaws all the same, as listed below: 1) the accuracy of localization is coarse; 2) cannot provide protection for the smooth region of the watermarked images; 3) cannot resist collage attack[9] completely. To overcome the drawbacks inhered in the existing schemes, we propose a new authentication watermarking scheme for JPEG images with superior localization and security. For each image block, the proposed scheme keeps four middle frequency points fixed to embed the watermark, and utilizes the rest of the DCT coefficients to generate 4 bits of watermark information. During the embedding process, for each image block, the 4 bits of watermark information are randomly embedded in other four blocks which are selected according to the four different secret keys separately. At the receiver, according to judging of the extracted 4 bits of watermark information and the corresponding 9-neighbourhood system, the proposed scheme could discriminate whether the image block is tampered or not. The watermark’s embedding process introduces non-deterministic dependence among the image blocks, thus the new scheme improves the accuracy of localization, and enhances the robustness against the collage attack[9] to a wider extent at the same time. In the authentication procedure, we include the 9-neighbourhood in judging a block’s tampering, thus turning off the false alarms and improving the accuracy of localization. Moreover, the probabilities of tamper detection and false detection under region tampering and collage attack are deduced separately. Theoretic analysis and simulation results have proved that the proposed new scheme can localize the tampered region precisely no matter if the watermarked image has undergone the manipulations on the smooth region nor experienced the collage attack[9]. The rest of the paper is organized as follows. In section 1, we carry out a cryptanalysis on Li’s scheme and then conduct two counterfeiting attacks. In section 2, we propose a new authentication watermarking scheme for JPEG images with superior localization and security. Then, the probabilities of tamper detection and false detection of our new scheme are deduced under region

492

YU Miao et al. Sci China Ser F-Inf Sci | June 2007 | vol. 50 | no. 3 | 491-509

tampering and collage attack[9] in section 3. Experimental results are given in section 4. At the end, section 5 concludes this paper.

1

Cryptanalysis of Li’s scheme[7]

Li’s scheme has made progress in the security aspect compared with ref. [8], unfortunately, security flaws are inhered in the scheme nevertheless. They will be analyzed in the following. (1) The accuracy of localization is coarse. The accuracy of localization is the capability of the authentication watermarking schemes to localize the tampered region while the watermarked image has been tampered with. It depends on two factors: one is the probability of tamper detection, i.e., the proportion of the tampered region that has been authenticated as inauthentic; and the other is the probability of false detection, i.e., the proportion of the non-tampered region that has been verified as tampered. The accuracy of localization is a very important aspect in evaluating the performance of an authentication watermarking scheme. Only when an authentication watermarking scheme holds high probability of tamper detection and low probability of false detection at the same time can the scheme have a delicate accuracy of localization, otherwise, the scheme will possess a coarse accuracy of localization. Since the watermark information of the image block is generated from its 9-neighbourhood system, when an image block has been tampered, all of the non-tampered image blocks whose 9-neighbourhood system contains this tampered image block are at the risk of being detected as tampered. This raises the probability of false detection of Li’s scheme, and causes the low accuracy of localization of the scheme. In order to diminish the probability of false detection, Li introduces a threshold k: any blocks marked as inauthentic surrounded by less than k inauthentic blocks are treated as authentic. The threshold diminishes the probability of false detection effectively, but the probability of tamper detection is depressed at the same time. Low probability of tamper detection will cause serious security problems. Therefore, the threshold fails to resolve the problem of the coarse accuracy of localization, and brings security holes to the scheme. Later, in the last instance of the counterfeiting attack mounted on Li’s scheme, a more detailed analysis will be made on the security problems induced by the threshold k. (2) Cannot provide protection for the smooth region of the watermarked images. In Li’s scheme, the watermark of the image block ought to be embedded in four non-zero coefficients which are selected from the watermarkable coefficients. Due to the JPEG compression, especially the high rate JPEG compression, in the smooth region, the number of non-zero coefficients is usually less than four, and most of the coefficients are zero. The shortage of the watermarkable coefficients will interrupt the embedding procedure of these blocks, then leading to a serious security flaw that the image blocks in the smooth region could not be protected. We take the Clock, F-16, Lena, Peppers, and Baboon images as examples, and count the proportion of the image blocks that lack watermarkable coefficients under various quality factors of JPEG compression. The value of h, the highest frequency among the four watermarkable coefficients, is set to 19. Simulation results are shown in Figure 1. It can be seen from Figure 1 that, the proportion of unwatermarked image blocks of different images varies to a wide extent. Provided that the quality factor is less than 85, most images possess some unwatermarkable blocks, especially the images that comprise a large amount of smooth region. These unwatermarked image blocks result in a wide-open security gap for attacks to be YU Miao et al. Sci China Ser F-Inf Sci | June 2007 | vol. 50 | no. 3 | 491-509

493

mounted on them that will be discussed in the following.

Figure 1

The proportion of the image blocks that cannot accomplish watermark embedding.

Figure 2 shows the categories of the Clock image under quality factor of 80: the blocks in black are the blocks that have only four watermarkable coefficients; the shaded blocks have less than four watermarkable coefficients, so these blocks cannot accomplish watermark embedding; and other blocks have more than four watermarkable coefficients and can accomplish watermark embedding conveniently. It is clear that, the shaded blocks are in the smooth region of the image. Figure 3 is an attack mounted on the shaded region of the Clock image. In this attack, we first take Lena’s charming eyes out from the Lena image, compress these image blocks with quality factor of 80 of JPEG compression, then preserve the three lowest frequencies which are lower than 19, and set all the other coefficients to zero. At last, paste these blocks on the shaded region of the watermarked Clock image, then we obtain the counterfeiting image “charming eyes on the Clock”, as shown in Figure 3. Since the pasted blocks have three non-zero coefficients at most, these blocks cannot accomplish watermark embedding, and will be skipped in the authentication process. Therefore, the counterfeiting image “charming eyes on the Clock” shown in Figure 3 will be treated as authentic as a whole in Li’s scheme.

Figure 2 of 80.

494

The categories of Clock image under quality factor

Figure 3 image.

An attack mounted on the smooth region of Clock

YU Miao et al. Sci China Ser F-Inf Sci | June 2007 | vol. 50 | no. 3 | 491-509

(3) Cannot resist collage attack[9] completely. Li has improved the capacity of thwarting collage attack[9] in respect to the dependence among the image blocks introduced by the watermark generating method. In Li’s scheme, the watermark of the image block is generated from the blocks within the block’s 9-neighbourhood system; this establishes the dependence between the block and the blocks around it. In the scenarios where the region undergoing collage attack [9] is small, Li’s scheme has a good performance in resisting the collage attack [9]. However, with the growth of the tampered region, the capacity of resisting the collage attack [9] ruins rapidly. Li’s scheme can only detect the modifications on the inner border of the tampered region with a certain probability, and false detect the modifications on the outer border of the tampered region, but the internal tampered blocks cannot be detected at all! All the tampered blocks inside the tampered region will pass the verifier side. Therefore, in the scenarios where the region undergoing collage attack is large, Li’s scheme cannot thwart the collage attack. Two reasons cause the problem that Li’s scheme cannot dig the insider tampered blocks out: one is that the watermark generated from the insider block’s 9-neighbourhood is the same, because in the collage attack, the insider block and its 9-neighbourhood blocks are the same; the other is that the watermark extracted from the insider block is the same, because the watermark is embedded in the insider block itself, and the insider block has not been modified at all. Therefore, at the verifier, for the insider blocks, the watermark generated and extracted are all the same, Li’s scheme cannot dig the insider tampered blocks out. To validate the inability of Li’s scheme in resisting the high degree of collage attack, we mount a collage attack on Li’s scheme described as the following: first, we use Li’s scheme to embed the watermark for the Lena image and the Peppers image with the same secret key and the same quality factor (in this simulation, the quality factor is 80); then, we take Lena’s pretty face out from the watermarked Lena image, replace the image blocks of the same position in the watermarked Peppers image with Lena’s pretty face. We obtain the tampered Peppers image that has undergone the collage attack. Authenticate the tampered Peppers image with the threshold k setting to 0, 4, and 6, separately. The authentication results are shown in Figure 4(a)―(c), and the shaded image blocks are the blocks that have been detected as inauthentic.

Figure 4 The authentication results for the collage attack under various thresholds. (a) Authentication results when the threshold k is 0; (b) the threshold k is 4; (c) the threshold k is 6.

It can be clearly seen from Figure 4(a)―(c) that Li’s scheme cannot detect the insider tampered blocks at all; and can only detect modifications on both sides of the tampered region with a certain probability; with the increase of the threshold k, the probability of tamper detection de-

YU Miao et al. Sci China Ser F-Inf Sci | June 2007 | vol. 50 | no. 3 | 491-509

495

creases rapidly. In the case that the threshold k is assigned to 6, only one image block has been detected as inauthentic, so almost the whole tampered Peppers image is considered as authentic. We can see that the threshold k brings serious security gaps because of the decreased probability of tamper detection. From the cryptanalysis of Li’s scheme discussed above, we can see that the following three reasons bring the security holes: first, the watermark’s generating manner, of which is based on the 9-neighbourhood system coarsens the accuracy of localization; second, the 4 bits of watermark information ought to be embedded in the non-zero coefficients, and due to the lack of non-zero coefficients of the smooth region, Li’s scheme cannot provide protection for the smooth region; and lastly, the self-embedding method causes Li’s scheme to not resist collage attack completely.

2 The proposed new fragile watermarking scheme for JPEG images with superior localization and security To overcome the drawbacks inhered in Li’s scheme, we propose a new scheme with superior localization and security. In our scheme, for the sake of improving the accuracy of localization, the image block’s 4 bits of watermark information is generated from the block itself; to protect the whole image, including the smooth region, we select four sequential coefficients whose frequency is less than h (the pre-determined frequency, which is the highest frequency of the four watermarkable coefficients) as the watermarkable coefficients in spite of their values; to resist the collage attack completely, each bit of the block’s watermark information is embedded in another block that is selected by its corresponding secret key, so as to establish the non-deterministic dependence among the image blocks. The proposed scheme is described as follows: Watermark embedding algorithm: Step 1. Partition the input image to 8 × 8 image blocks, perform DCT on the image blocks, and quantize the DCT coefficients with the JPEG quantization table of the per-determined quality factor; then, we obtain X, the set of quantized DCT coefficient blocks of the original input image, and it can be represented as X={X1, X2, …, XN}, where N is the number of DCT blocks of the original image. Moreover, Xi(j) is the jth coefficient of the DCT block Xi along zigzag scan order, and j, the index of the DCT coefficients, is in the range of [0,63]. Step 2. Generate a binary random sequence A with length the same size as the image (i.e., 64 × N ) with secret key k1. It is organized in the same manner as X, e.g., Ai(j) stands for the jth bit of block Ai of A. Step 3. For any block Xi, the watermark is generated from {Xi(0), Xi(1), …, Xi(h′)}, and embedded in the following four coefficients {Xi(h′+1), Xi(h′+2), Xi(h′+3), Xi(h′+4)}, where h′ is the highest frequency from which the watermark is generated. The four bits of watermark Wk(k=1, 2, 3, 4) of Xi is generated as the following: Step 3.1. Generate four bits Si(k), k=1, 2, 3, 4 according to formula (1): Si (k ) = ∑ ( Ai (n) ⊕ Ai (h′ + k )) ⋅ X i ( n) , (1) n∈[0, h' ]

where ⊕ denotes the EXCLUSIVE-OR operation. The following can be seen from formula (1): Si(k) is the sum of the watermark generating pool {Xi(0), Xi(1), …, Xi(h′)} selected according to their corresponding Ai bits and Ai(h′+k). Let Parity (Si(k)) represent that which first converts Si(k) 496

YU Miao et al. Sci China Ser F-Inf Sci | June 2007 | vol. 50 | no. 3 | 491-509

to its two’s complement format, and then returns 1 or 0 as output to indicate that the number of ‘1’ bits is odd or even. Step 3.2. Generate four watermark bits wi(k) k=1, 2, 3, 4 for each block Xi according to formula (2): wi (k ) = Parity( Si ( k )) ⊕ Ai ( h′ + k ) (2) Step 4. Generate four position sequences fk(i), k=1, 2, 3, 4; i=1, 2, …, N as the following: Step 4.1. Generate four binary random sequences R1, R2, R3, R4 of length N with secret keys k2, k3, k4, k5 separately, where Rk can be represented as R k = (r1k , r2k ," , rNk ) . Step 4.2. Sort Rk, k=1, 2, 3, 4 with stable sorting algorithm (in ascending or descending order),

obtain

the

sorted

sequence

Rak = (rakk , rakk ," , rakk ) , 1

2

and

index

sequences

N

I k = (a1k , a2k ," , aNk ) . Step 4.3. The position sequence fk is the index sequence Ik, so that the following equation holds: f k (i ) = aik , k=1, 2, 3, 4; i=1, 2, …, N. Step 5. For each block Xi, repeat Steps 5.1 and 5.2. Step 5.1. For each wi(k) of the block Xi, we first use fk to find the DCT block in which the watermark wi(k) to be embedded. The selected block is X f k (i ) , the block’s index is the ith element of fk . Step 5.2.

The coefficient in which wi(k) to be embedded is X f k (i ) (h′ + k ) , and then modulate

the selected coefficient, so that Parity( X f k (i ) (h′ + k )) = wi (k ) ,

(3)

where the meanings of Parity are described in Step 3.1. Authentication algorithm: Step 1. Decode the received JPEG image to get the quantized DCT blocks Xi, i=1, 2,…N. Step 2. Generate binary random sequence A with secret key k1 as described in Step 2 of the watermark embedding algorithm. Then, generate position sequences fk(i), k=1, 2, 3, 4 with secret keys k2, k3, k4, k5 separately, as done in Step 4 of the watermark embedding algorithm. Step 3. Generate a zeroed sequence v of length N. For each block Xi, repeat Steps 3.1 and 3.2. Step 3.1. Generate the four bits of watermark wi(k), k=1, 2, 3, 4 according to formula (1) and formula (2), as we have done in Step 3 of the watermark embedding algorithm. Step 3.2. For each wi(k), find the coefficient that has been embedded watermark according to fk, the coefficient is X f k (i ) (h′ + k ) , and then verify whether formula (3) holds. If formula (3) does not hold, add 1 to v(i), which corresponds to the block Xi. Step 4. Turn off the false alarms. For each block Xi, if the following two conditions satisfy: 1) first, v(i)>0; 2) count number of the blocks in its 9-neighbourhood whose correspondence v(i ) ≥ 2 , the number is larger than or equal to 2. Then, the block Xi is shaded to reduce the transparency so as to indicate the occurrence of tampering. The last step of the authentication algorithm is the key step in reducing the probability of false detection, so as to improve the accuracy of localization.

YU Miao et al. Sci China Ser F-Inf Sci | June 2007 | vol. 50 | no. 3 | 491-509

497

3 Security and accuracy of localization analysis of the proposed scheme The performance of a fragile authentication watermarking scheme is evaluated by the two factors mainly: 1) the security of the scheme, in other words, the capability of the scheme in resisting various attacks; 2) the accuracy of localization. As a means to protect the contents of multimedia, the security of the watermarking scheme is ultimately important. Moreover, the accuracy of localization represents the capacity of an authentication watermarking scheme in localizing the tampered region precisely. Later, we will discuss the two aspects of the proposed scheme’s performance in section 3.1 and section 3.2 separately. 3.1

The security analysis of the proposed scheme

From the watermark embedding algorithm, we can see that the proposed scheme can provide protection for all of the blocks including the smooth region. Our scheme overcomes the security flaws inhered in Li’s scheme, which is that Li’s scheme cannot protect the smooth region of the watermarked image. Then, we conduct an elaborate research on the probability of tamper detection both through theoretic analysis and statistic experiments. Since the probability of tamper detection is a very important factor in evaluating the security aspect of the scheme, the higher the probability, the higher the security. In order to estimate the robustness against collage attack, we investigate the probability of tamper detection under region tampering and collage attack separately. 3.1.1 The probability of tamper detection under region tampering. From formula (1) and formula (2) we can see that, wi(k) varies from Ai(h′+k) only. According to the binary value of Ai(h′+k), we obtain wi0 (k ) and wi1 (k ) that correspond to zero or one of the values of Ai(h′+k). Under region tampering, the probability that wi(k) switches is about 0.5. That is to say, if block Xi undergoes region tampering, the probability of wi0 (k ) switched is 0.5, the same is for wi1 (k ) . Moreover, the occurrence probabilities of wi0 (k ) and wi1 (k ) are equal, of both 0.5, because Ai(h′+k) is random distributed. Let pw0, pw1, pw2, pw3, pw4 represent the following probabilities : If block Xi undergoes region tampering, there exists 0, 1, 2, 3, 4 switched bits of the four bits wi(k)(k=1, 2, 3, 4). Their calculation formulas are pw0 = 0.52 + C21 0.52 × 0.54 .

(4)

The former segment of formula (4) is the probability that both wi0 (k ) and wi1 (k ) are the same after the block Xi has been tampered with. The latter segment represents the following condition: provided that only wi0 (k ) is switched (the same is for wi1 (k ) ), but all of the four bits of wi(k) (k=1, 2, 3, 4) are wi1 (k ) . Analyzed like this, the rest of the formulas can be written down as follows: pw1 = C21 0.52 × C41 0.54 ,

(5)

pw2 = C21 0.52 × C42 0.54 ,

(6)

pw 3 =

C21 0.52

pw 4 = 0.5 498

2

× C43 0.54 ,

+ C21 0.52

(7) 4

× 0.5 .

YU Miao et al. Sci China Ser F-Inf Sci | June 2007 | vol. 50 | no. 3 | 491-509

(8)

It is clear that the region tampering not only affects wi(k), but also affects the coefficient (i.e., X f k (i ) (h′ + k ) ) in which wi(k) has been embedded, and the probability that the Parity of X f k (i ) (h′ + k ) (i.e. Parity( X f k (i ) (h′ + k )) ) flipped after the block X f k (i ) underwent region tampering is about 0.5. Therefore, if wi(k) remains after the block Xi undergoes region tampering, then only when switching the Parity of X f k (i ) (h′ + k ) , (i.e. Parity( X f k (i ) (h′ + k )) ), can formula (3) be ruined; in other words, can wi(k) be marked as inauthentic. Suppose that the proportion of the tampered region versus the whole image is a, then we can see that the probability that the block X f k (i ) located in the tampered region is a, and out of the tampered region is (1−a). Let pe represent the probability that the wi(k) has been marked as inauthentic provided that wi(k) remains the same after Xi undergoes region tampering. From the discussion above, we can write down the following formula: pe = (1 − a ) × 0 + a × 0.5 = 0.5a . (9) Similarly, if wi(k) switched, the switched wi(k) can only be detected under the condition that the Parity of X f k (i ) (h′ + k ) keeps. The Parity of X f k (i ) (h′ + k ) keeps in the following two conditions: X f k (i ) is out of the tampered region; or X f k (i ) is in the tampered region, but the Parity of X f k (i ) (h′ + k ) holds. Therefore, we can deduce the probability that wi(k) has been considered as tampered under the condition that the value of wi(k) switches. Let pne represent this probability. pne = (1 − a ) × 1 + a × 0.5 = 1 − 0.5a . (10) Let Pm0 represent the probability that the four bits of wi(k) of block Xi are authenticated as authentic, as in the following formula: Pm 0 = pw0 × (1 − pe )4 + pw1 × (1 − pe )3 × (1 − pne ) + pw 2 × (1 − pe ) 2 × (1 − pne )2 + pw3 × (1 − pe ) × (1 − pne )3 + pw4 × (1 − pne )4 .

(11)

The first segment of formula (11) represents the following: provided that the four bits wi(k) are all the same, the probability that the four bits of wi(k) are considered as authentic. The second segment of the formula is this probability under the condition that only one bit of wi(k) flipped, and the third is under the condition that the two bits of wi(k) flipped and, so on. Similarly, we can obtain Pm1, which represents the probability that only one bit of wi(k) can be detected as tampered. Pm1 = pw0 × C41 pe × (1 − pe )3 + pw1 × (C31 pe × (1 − pe ) 2 × (1 − pne ) + (1 − pe )3 × pne ) + pw2 × (C21 pe × (1 − pe ) × (1 − pne )2 + C21 pne × (1 − pne ) × (1 − pe )2 ) + pw3 × ( pe × (1 − pne )3 + C31 pne × (1 − pne ) 2 × (1 − pe )) + pw 4 × C41 pne × (1 − pne )3 . (12) The first segment of formula (12) represents that when the four bits of wi(k) remain, the probability that only one bit of wi(k) has been detected as inauthentic. The second segment represents the condition that only one bit of wi(k) flipped. In this condition, there are two cases in which only one bit of wi(k) is verified as inauthentic: the flipped wi(k) has been detected as inauthentic and the probability is pne × (1 − pe )3 ; or one of the other three bits of wi(k) has been detected as inauthentic and the probability is C31 pe × (1 − pe ) 2 × (1 − pne ) . The rest three segments are in the similar sense. YU Miao et al. Sci China Ser F-Inf Sci | June 2007 | vol. 50 | no. 3 | 491-509

499

Let Pm2a represent the probability that at least two bits of wi(k) can be detected as inauthentic, then Pm 2 a = 1 − Pm 0 − Pm1 . (13) From the watermark embedding algorithm and the probabilities we deduced above, we can obtain the probability of tamper detection, represented as Pd: Pd = (1 − Pm 0 ) × (1 − (1 − Pm 2 a )9 − C91 Pm 2 a (1 − Pm 2 a )8 ) .

(14)

In formula (14), 1−Pm0 represents that at least one bit of wi(k) in block Xi can be detected as inauthentic, and the rest of the formula represents that at least two blocks in the 9-neighbourhood satisfy the condition that the number of bits detected as inauthentic is larger than or equal to 2. Then, we carry out a simulation as the following: a (the proportion of the tampered region) is uniformly distributed in [0.02, 0.2] with the interval of 0.02; for every value of a, we carry on region tampering for 50 times, and obtain the average statistic value for Pm0, Pm1, Pm2a marked as Pm0simu, Pm1simu, Pm2asimu separately, and draw them down in Figure 5. From Figure 5, we can see that the simulation results are very close to their theoretic analysis, which proves the rightness of the probabilities we have deduced. Then, we take down two statistic values for Pd (the probability of tamper detection); one is Pdsimu0, and the other is Pdsimu1. In calculating the statistic value of Pdsimu0, we only count the number of tampered blocks within the tampered region; however, in calculating the statistic value of Pdsimu1, we not only count the number of tampered blocks within the tampered region, but also count the blocks on the outer border of the tampered region that have been detected as inauthentic. The reason why we include the blocks on the outer border that have been detected as inauthentic in calculation the statistic value of Pdsimu1 is that these blocks are useful for us to localize the tampered region. All of the simulation results, including Pdsimu0, Pdsimu1, and their corresponding theoretic value Pd, and P0 (P0=1−Pm0) which represents the maximum theoretic probability of tamper detection if we skip the last step of the authentication algorithm are drawn in Figure 6.

Figure 5 Theoretic and simulation results of that zero, one, and at least two bits has been detected as inauthentic under region tampering.

Figure 6 The theoretic and statistic values of the probability of tamper detection under region tampering.

From Figure 6, we can derive the following conclusions: (1) The two broken lines in the middle of Figure 6 correspond to Pd and P0. Pd is the theoretic value of the probability of tamper detection (i.e., Pd), and P0 is the maximum theoretic value of the probability of tamper detection if we skip the last step of the authentication algorithm. We can

500

YU Miao et al. Sci China Ser F-Inf Sci | June 2007 | vol. 50 | no. 3 | 491-509

see that the two broken lines are very close to each other; in other words, the last step of the authentication algorithm has not depressed the probability of tamper detection under region tampering. (2) The lowest line is Pdsimu0, it is under Pd. Therefore, if we only count the number of tampered blocks within the tampered region, the simulation results are lower than the theoretic values. The reason why Pdsimu0 is always less than Pd is that, on the outer border of the tampered region, the probability of tamper detection is much less than that of the insider region. (3) The upper line is Pdsimu1. It is the probability which includes the tampered blocks on the outer border of the tampered region. Since these blocks are useful for the localization of the tampered region, we take Pdsimu1 down for the statistic value of Pd in practice. (4) Both of Pdsimu0 and Pdsimu1 are very close to the theoretic probability Pd. This verifies the rightness of the probabilities we have deduced for tamper detection under region tampering. For the sake of a better view over the performance of the proposed scheme in resisting the collage attack, we will conduct a detailed analysis on the probability of tamper detection under collage attack both from the theoretic and experimental viewpoints, since we have finished the analysis on the probability of region tampering. 3.1.2 The probability of tamper detection under collage attack. In collage attack, the probabilities that the generated four watermark bits wi(k) altered are the same as in region tampering, seen from formulas (4)―(8). The peculiarity of collage attack is that, provided that wi(k) is the same, then wi(k) will be considered as authentic in spite of the block in which wi(k) has been embedded; even if wi(k) altered, in the case that wi(k) is embedded in the tampered region, wi(k) will be considered as authentic all the same. Therefore, only in the following condition can wi(k) be detected as inauthentic: first, the generating of wi(k) is different, and wi(k) is embedded out of the tampered region. Similar to the analysis we did above, PTm0 represents the probability that the four bits of wi(k) are verified as authentic; and PTm1 represents the probability that only one bit of them is inauthentic; and the probability that at least two of them are inauthentic is PTm2a. Their calculation formulas are as follows: PTm 0 = pw0 + pw1 × a + pw 2 × a 2 + pw3 × a 3 + pw4 × a 4 ,

(15)

PTm1 = pw1 × (1 − a ) + pw2 × C21 (1 − a )a + pw3 × C31 (1 − a )a 2 + pw4 × C41 (1 − a )a 3 ,

(16)

PTm 2 a = 1 − PTm 0 − PTm1 .

(17)

Moreover, the probability of tamper detection under collage attack (assumed as PTd) is PTd = (1 − PTm 0 ) × (1 − (1 − PTm 2 a )9 − C91 PTm 2 a (1 − PTm 2 a )8 ) .

(18)

Then, we conduct an experimental research on the probability of tamper detection of our scheme under collage attack. We select ten proportions of the tampered region (represents as a) that are uniformly distributed in [0.02, 0.2], carry out the experiments as we did in the previous part of this section (in the research on the probability of tamper detection under region tampering), and finally, we obtain two experimental values for PTd, represented as PTdsimu0 and PTdsimu1. As we did in the previous part, PTdsimu0 only counts the tampered blocks within the tampered region, and PTdsimu1 includes the tampered blocks which are on the border of the tampered region. Figure 7 shows the three representations for the probability of tamper detection: the theoretic value (PTd), the two experimental values (PTdsimu0 and PTdsimu1) and the maximum theoretic detection probability (1−PTm0, represented as P0) that the last step of the authentication algorithm is skipped in the

YU Miao et al. Sci China Ser F-Inf Sci | June 2007 | vol. 50 | no. 3 | 491-509

501

authentication procedure. From Figure 7, the following conclusions can be made: (1) One the two broken lines is the theoretic value of the probability of tamper detection, and the other is the maximum theoretic value with the absence of the last step of the authentication algorithm. The two broken lines are very close to each other, which illustrates that the last step of the authentication algorithm has not affected the probability of tamper detection under collage attack. (2) PTdsimu0 is less than PTd, PTdsimu1 is bigger than PTd, and we usually use PTdsimu1 as the experimental value of PTd. The reason has been discussed in the previous part of this section, the second and third conclusions of Figure 6. (3) PTdsimu0 and PTdsimu1 are very close to their theoretic probability PTd, confirming our confidence on the probability of tamper detection we have deduced under collage attack. In this section, we have discussed the security performance of the proposed scheme under region tampering and collage attack separately, and seen that, the proposed scheme has high probability of tamper detection under both region tampering and collage attack. However, what is the difference between region tampering and collage attack? Or, in other words, what is the characteristic of the collage attack compared with region tampering? Cannot the elaborate attacks, such as collage attack, cause a more dangerous damage to the watermarked images? To answer these questions, the comparison between region tampering and collage attack is carried out as follows: From the conclusions made from Figures 6 and 7, we know that Pdsimu1 and PTdsimu1 are usually used as the experimental values of Pd and PTd. Therefore, we draw the theoretic and experimental probabilities under region tampering (Pd and Pdsimu1) and collage attack (PTd and PTdsimu1) in Figure 8.

Figure 7 The theoretic and statistic values of the probability of tamper detection under collage attack.

Figure 8 Compare the probability of tamper detection under region tampering and collage attack.

From Figure 8, we can answer the questions proposed above: (1) Collage attack is more fearful than region tampering, especially when the proportion of the tampered region is large. With the growth of the tampered region, the probability of tamper detection under region tampering increases, and the probability under collage attack decreases; only when the tampered region is small (in Figure 8, when a is less than 0.04) are the two probabilities nearly the same (both are about 0.73). (2) Under collage attack, despite the decrease of the probability of tamper detection when the tampered region increases, the probability of tamper detection is still very high. Even if the pro-

502

YU Miao et al. Sci China Ser F-Inf Sci | June 2007 | vol. 50 | no. 3 | 491-509

portion of tampered region (i.e., a) reaches 0.2 (i.e., 20% of the image has been tampered with collage attack, and the watermarked image has been tampered seriously), the probability of tamper detection is larger than 0.65 (65% of tamper detection rate is high because the image block is small, 8 × 8 pixels). This reinforces the confidence on the security of the proposed scheme. Our scheme is very secure, even in the serious condition (e.g., the high degree of collage attack). Until now, we have investigated the security aspect of the proposed scheme from the following four ways: first, we consider that whether the scheme can provide adequate protection for the smooth region of the image; second, under region tampering, how about the probability of tamper detection; and then, the probability under collage attack; at last, a comparison between region tampering and collage attack on the probability of tamper detection is made. From the above four viewpoints of analysis, we can conclude the security aspect of the proposed scheme as follows: (1) Our scheme can provide adequate protection for the whole watermarked image, including the smooth region. (2) Under both region tampering and collage attack, the proposed scheme possesses high probability of tamper detection. In other words, the proposed scheme can detect the tampered region effectively. Thus, our scheme has perfect performance in resisting region tampering and collage attack. (3) Under collage attack, when the tampered region is small, the probability of tamper detection is very high, approximate to the probability under region tampering; even if the tampered region is large, the probability of tamper detection is still adequately high. All these demonstrate that our scheme can resist collage attack completely, and has excellent performance in detecting the tampered image blocks under collage attack. Furthermore, from the conclusions made from Figures 7 and 8, we know that the last step of the authentication algorithm does not affect the probability of tamper detection neither in region tampering nor in collage attack. We have finished the security analysis of the proposed scheme. For a comprehensive understanding on the performance of the scheme, analysis which focuses on the accuracy of localization will be made in the next subsection. 3.2

The accuracy of localization of the proposed scheme

From section 1 we draw the following conclusions: Only when an authentication watermarking scheme holds high probability of tamper detection and low probability of false detection at the same time can the scheme have a delicate accuracy of localization. We have discussed the probability of tamper detection in the previous subsection and know that the probability of tamper detection under both region tampering and collage attack is adequately high. In order to accomplish the analysis on the accuracy of localization, we then investigate the probability of false detection under both region tampering and collage attack. When the non-tampered blocks (i.e., the blocks are out of the tampered region) have been marked as inauthentic, the false detection occurs. We first investigate the probability of false detection under region tampering. 3.2.1 The accuracy of localization under region tampering. Since we have discussed the probability of tamper detection under region tampering in section 3.1, we need to acquire the probability of false detection in order to obtain the accuracy of localization under region tampering. It is clear that only when the watermark bits wi(k) which are generated from the non-tampered YU Miao et al. Sci China Ser F-Inf Sci | June 2007 | vol. 50 | no. 3 | 491-509

503

block Xi embeds into the coefficient of the tampered block, and this coefficient is tampered at the same time, can wi(k) be marked as inauthentic. Suppose that the proportion of the tampered region is a (as we supposed in the previous subsection), then we can deduce the probability that wi(k) will be detected as inauthentic (marked as Pnd): pnd = (1 − a ) × 0 + a × 0.5 = 0.5a . (19) Moreover, the probability that none of wi(k) will be authenticated as inauthentic (marked as Pn0), and the probability that only one bit of the watermark will be detected as inauthentic (marked as Pn1) are as follows: Pn 0 = (1 − pnd ) 4 ,

(20)

Pn1 = C41 pnd (1 − pnd )3 .

(21)

The probability that at least two bits will be detected as inauthentic (marked as Pn2a) is Pn 2 a = 1 − Pn 0 − Pn1 .

(22)

Then we can obtain the probability of false detection (marked as Pnx): Pnx = (1 − Pn 0 ) × (1 − (1 − Pn 2 a )9 − C91 Pn 2 a (1 − Pn 2 a )8 ) .

(23)

Figure 9 shows the theoretic and statistic values for the probabilities that zero, one, and at least two bits will be detected as tampered under region tampering. In Figure 9, the three broken lines represent the theoretic values Pn0, Pn1, Pn2a separately, and the three real lines represent their corresponding statistic values Pn0simu, Pn1simu, Pn2asimu. It can be seen that the real lines and their corresponding broken lines are nearly the same, verifies the perfect theoretic results we have deduced. Then, we take down two statistic values for Pnx, one is Pxsimu0, and the other is Pxsimu1. In their statistic procedure, Pxsimu0 counts all of the non-tampered blocks that have been detected as inauthentic, and Pxsimu1 excludes the blocks which are on the outer border of the tampered region and have been detected as inauthentic. Because the blocks that are on the outer border and have been detected as inauthentic are useful for us to localize the tampered region, so we can exclude them in calculating the probability of false detection of Pxsimu1, thus Pxsimu1 can represent the probability of false detection more precisely. In Figure 10, we draw down the theoretic value for the probability of false detection Pnx , and its corresponding two statistic values Pxsimu0, Pxsimu1, and the probability of false detection under the condition that the last step of the authentication algorithm is skipped (in other words, we do not turn off the false alarms), which is represented as P0 (P0=1−Pn0). We can draw the following conclusions from Figure 10: (1) The upper broken line represents P0, it is clear that the last step of the authentication algorithm depresses the false detection effectively. (2) The lower broken line is Pnx, the theoretic value for the probability of false detection. The two real lines stand upon but are very close to their theoretic value Pnx, this verifies the rightness of the theoretic value we have deduced. Pxsimu1 is closer to Pnx, illustrates that Pxsimu1 can represent the probability of false detection more precisely. (3) The lower three lines are nearly 0. This illustrates that the probability of false detection is very low under region tampering. Even when the proportion of tampered region reaches 0.2, the probability of false detection is less than 0.05.

504

YU Miao et al. Sci China Ser F-Inf Sci | June 2007 | vol. 50 | no. 3 | 491-509

Figure 9 Theoretic and simulation results that zero, one, and at least two bits have been detected as inauthentic under collage attack.

Figure 10 The theoretic and statistic values of the probability of false detection under region tampering.

Combined with the analysis that we have discussed on the probability of tamper detection in section 3.1, we can conclude the accuracy of localization under region tampering as follows: (1) Under region tampering, our scheme holds high probability of tamper detection and low probability of false detection at the same time, so the accuracy of localization of the proposed scheme is precise. (2) The last step of the authentication algorithm reduces the probability of false detection to nearly zero while holding the probability of tamper detection. This demonstrates that the last step of the authentication algorithm is very efficient in improving the accuracy of localization of the scheme. Until now, we have finished the performance analysis on the accuracy of localization of the proposed scheme under region tampering, and obtain the probability of tamper detection under collage attack. To accomplish the localization performance analysis under collage attack, according to the conclusions we restated in the beginning of this subsection: the probabilities of tamper detection and false detection codetermine the accuracy of localization, thus the probability of false detection under collage attack will be investigated in succession. 3.2.2 The accuracy of localization under collage attack. Under collage attack, the only difference between the tamper detection and false detection is the following: in calculation of tamper detection, only when the tampered watermark bit wi(k) is embedded out of the tampered region can wi(k) be verified as inauthentic; but in calculation of false detection, only when the tampered watermark bit wi(k) is embedded into the tampered region can wi(k) be verified as inauthentic. From the analysis above, it is clear that the probability that the watermark bit wi(k) embeds out of tampered region is (1−a), and the probability that the watermark bit wi(k) embeds into the tampered region is a. Therefore, if we replace a with 1−a in formulas (15) and (16), then we deduce that, in false detection (i.e., Xi is out of tampered region), the probability that none of wi(k) is verified as inauthentic (marked as PTx0) and the probability that only one bit is verified as inauthentic (marked as PTx1) are as follows: PTx 0 = pw0 + pw1 × (1 − a ) + pw2 × (1 − a ) 2 + pw3 × (1 − a )3 + pw 4 × (1 − a) 4 ,

(24)

PTx1 = pw1 × a + pw 2 × C21 a(1 − a) + pw3 × C31a(1 − a) 2 + pw4 × C41 a (1 − a )3 .

(25)

The probability that at least two bits are verified as inauthentic (marked as PTx2a) is YU Miao et al. Sci China Ser F-Inf Sci | June 2007 | vol. 50 | no. 3 | 491-509

505

PTx 2 a = 1 − PTx 0 − PTx1 .

(26)

The probability of false detection under collage attack (marked as PTx) is PTx = (1 − PTx 0 ) × (1 − (1 − PTx 2 a )9 − C91 PTx 2 a (1 − PTx 2 a )8 ) .

(27)

We draw the theoretic and statistic values for the probability of false detection under collage attack in Figure 11; the upper broken line is P0(P0=1−PTx0), and the probability of false detection under the condition that the last step of the authentication algorithm is skipped. Also, we can see the following from Figure 11 that: (1) The lower three lines which represent the probabilities of false detection are far below the upper broken line which represents the probability of false detection without the last step of the authentication algorithm. Therefore, undergo the last step of the authentication algorithm, and the probability of false detection drops rapidly; in other words, the last step of the authentication algorithm depresses the false detection effectively under collage attack. (2) The two real lines (i.e., PTxsimu0 and PTxsimu1 represent the two statistic values for the probability of false detection under collage attack) are very close to the lower broken line (their corresponding theoretic value, PTx), this illustrates the rightness of the theoretic value, and PTxsimu1 is closer to the theoretic value. (3) The probability of false detection under collage attack is very low, even when the proportion of tampered region reaches 0.2, and the probability of false detection is less than 0.05. Combined with the analysis that we have discussed on the probability of tamper detection under collage attack (in section 3.1), we can conclude the accuracy of localization under collage attack as follows: (1) Under collage attack, the proposed scheme holds high probability of tamper detection and low probability of false detection at the same time, so the accuracy of localization of the proposed scheme is precise under collage attack. (2) The last step of the authentication algorithm is very efficient in improving the accuracy of the localization of the scheme under collage attack, since it reduces the probability of false detection to nearly zero while holding the probability of tamper detection. Since we have finished the analysis on the probability of false detection under region tampering and collage attack, we then do a comparison between the two conditions. In Figure 12, the lower broken line and real line are the theoretic and statistic values under region tampering (i.e., Pnx and Pxsimu1); the upper broken line and real line are the theoretic and statistic values under collage attack (i.e., PTx and PTxsimu1).

Figure 11 The theoretic and statistic values of the probability of false detection under collage attack.

506

Figure 12 Compare the probability of false detection under region tampering and collage attack.

YU Miao et al. Sci China Ser F-Inf Sci | June 2007 | vol. 50 | no. 3 | 491-509

The conclusions for the comparison of region tampering and collage attack are as follows: (1) Collage attack is more fearful than region tampering, especially when the proportion of the tampered region is large. From Figure 12, we can see that the probability of false detection under collage attack is higher than the probability under region tampering, especially when a (the proportion of tampered region) is large. (2) Under both collage attack and region tampering, the probability of false detection increases with the growth of the tampered region. However, even when the proportion of the tampered region reaches 0.2, the probabilities of false detection under both of the two conditions are still less than 0.05. This illustrates that, even in the extreme condition (i.e., under collage attack with high proportion of tampered region), the probability of false detection keeps low all the same. Until now, we can conclude the accuracy of localization of the proposed scheme as follows: (1) Under both region tampering and collage attack, the accuracy of localization of the proposed scheme is precise. (2) The last step of the authentication algorithm plays an important role in improving the accuracy of localization. Combined with the security analysis of the proposed scheme, we can conclude the performance of the proposed scheme as follows: (1) The accuracy of localization of the proposed scheme is precise. (2) The proposed scheme can provide adequate protection to the whole watermarked image, including the smooth region. (3) The proposed scheme is secure, and can resist collage attack completely. (4) The last step of the proposed scheme plays an important role in improving the accuracy of localization. The first three points corresponding to the drawbacks of Li’s scheme, show that our scheme overcomes all the drawbacks of Li’ scheme; the last point shows the importance of the last step of the authentication algorithm. In the next section, the simulation will be carried on to validate the conclusions we have made above.

4

Simulation results

In this section, we will carry out three simulations to verify the conclusions we have made in section 3. In our simulations, h′ is set to 18, and quality factor of JPEG compression is set to 80. Simulation 1. We conduct this simulation to illustrate the importance of the last step of the authentication algorithm and the accuracy of localization of the proposed scheme. First, embed the watermark for the Peppers image using the watermark embedding algorithm we have proposed in section 2; then, mount region tampering on the watermarked Peppers image (shown in Figure 13); and then authenticate the tampered Peppers twice, but for the first time, we skipped the last step of the authentication algorithm (shown in Figure 13(a)); then authenticate with all the steps suggested in the authentication algorithm we have proposed (shown in Figure 13(b)). From Figure 13(a) and (b), we can see the following: in Figure 13(b), the number of false detected blocks is reduced to 6; and the number of correct detected blocks is nearly the same compared with Figure 13(a). Thus, the last step of the authentication algorithm can reduce the probability of false detection to nearly zero while holding the probability of tamper detection. This demonstrates the important role of the last step of the authentication algorithm in improving the YU Miao et al. Sci China Ser F-Inf Sci | June 2007 | vol. 50 | no. 3 | 491-509

507

accuracy of localization, and Figure 13(b) illustrates that the accuracy of localization of our scheme is precise.

Figure 13 The importance of the last step of the authentication algorithm and the accuracy of localization of the proposed scheme. (a) Authenticate without the last step; (b) authenticate with all the steps.

Simulation 2. This simulation is aimed at whether our scheme can provide adequate protection for the smooth region of the watermarked image. We embed the watermark for the Clock image, and mount the region tampering on the smooth region of the watermarked Clock image, as we did in Figure 3, and the authentication results are shown in Figure 14. We can see that the tampered region has been localized precisely. Thus, our scheme can provide adequate protection for the smooth region of the watermarked image. Simulation 3. We test the capacity of the proposed scheme in resisting collage attack in this simulation. We conduct a collage attack as mounted on Li’s scheme in Figure 4, and the authentication results are in Figure 15.

Figure 14 The authentication results for the attacks mounted on the smooth region.

Figure 15

The authentication results for collage attack.

By all appearances, our scheme can resist collage attack completely. The three simulations in this section verify the conclusions we have made, and further demonstrate that the proposed scheme has superior localization and security.

508

YU Miao et al. Sci China Ser F-Inf Sci | June 2007 | vol. 50 | no. 3 | 491-509

5

Conclusions

We propose an authentication watermarking scheme for JPEG images with superior localization and security to overcome the drawbacks inhered in Li’s scheme. In our scheme, we fix four middle frequencies as the watermarkable coefficients for each image block to embed the watermark, and utilize the rest of the DCT coefficients to generate 4 bits of watermark information. The non-deterministic dependence among the image blocks is introduced by the watermark embedding process. The authentication algorithm of the proposed scheme reduces the probability of false detection to nearly zero while keeping the probability of tamper detection. Theoretic analysis and simulation results have proved that the proposed algorithm not only has superior localization, but also enhances the systematic security obviously. 1

Cox I J, Miller M L. Review of watermarking and the importance of perceptual modeling. In: Bernice E R, Thrasyvoulos

2

Liu R Z, Tan T N. Watermarking for digital images. In: Proceedings of ICSP’98, Beijing, China, Febuary. 1998. 944―947

3

Sun Z W, Feng D G. A multiplicative watermark detection algorithm for digital images in the DCT Domains. J Softw, 2005,

4

Jin C, Peng J X. A robust detection method of blind digital watermark based on image projective sequence. J Softw, 2005,

5

Ho C K, Li C T. Semi-fragile watermarking scheme for authentication of JPEG images. In: Proceedings of ITCC’2004,

6

Lin C Y, Chang S F. A robust image authentication method distinguishing JPEG compression from malicious manipulation.

7

Li C -T. Digital fragile watermarking scheme for authentication of JPEG images. IEE Proceedings-Vision, Image, and

8

Fridrich J, Goljan M, Du R. Invertible authentication watermark for JPEG images. In: Proceedings of ITCC’2001, Las

9

Matthew H, Nasir M. Counterfeiting attacks on oblivious block-wise independent invisible watermarking schemes. IEEE

N P, eds. Human Vision and Electronic Imaging II, Vol. 3016. Bellingham: SPIE Press, 1997. 92―99

16(10): 1798―1804 [DOI] 16(2): 295―302 [DOI] 2004, 2: 7―11 IEEE Trans Circ Syst Video Tech, 2001, 11(2): 153―168 [DOI] Signal Processing, December, 2004, 460―466 Vegas, NV, USA, April, 2001. 446―449 Trans. on Image Processing, March, 2000. 432―441

YU Miao et al. Sci China Ser F-Inf Sci | June 2007 | vol. 50 | no. 3 | 491-509

509