An Asymmetric Subspace Watermarking Method for Copyright Protection

(1)

An Asymmetric Subspace Watermarking Method

for Copyright Protection

Jengnan Tzeng, Wen-Liang Hwang, and I-Liang Chern

Abstract—We present an asymmetric watermarking method

for copyright protection that uses different matrix operations to embed and extract a watermark. It allows for the public release of all information, except the secret key. We investigate the conditions for a high detection probability, a low false positive probability, and the possibility of unauthorized users successfully hacking into our system. The robustness of our method is demonstrated by the simulation of various attacks.

Index Terms—Asymmetric watermark, copyright protection.

NOMENCLATURE Watermark space whose dimension is . Orthogonal complement of in feature space. Subspace of whose dimension is . Subspace of whose dimension is .

by matrix composed of an orthogonal basis of . by matrix composed of an orthogonal basis of .

by detection matrix. Watermark with length . Matrix of size by .

Feature of the original image in the feature space. Feature of the watermarked image in the feature space.

I. INTRODUCTION

D

IGITAL security information embedded in content, called watermarking, has many applications, including authen-tication, copyright protection, copy protection, fingerprinting, and broadcasting channel tracking [9], [21], [29], [30], [34]. In this paper, we only focus on asymmetric watermarking for the copyright protection of images. Copyright protection should not be confused with copy protection because, for the latter, one key is given to all recipients, while for copyright protection, each image has its own key. In a symmetric watermarking system, the keys necessary to embed and extract a watermark are secret and identical. The common secret key is a random sequence, which is embedded in an image by the spreading spectrum technique [6]. Notable security problems of the symmetric (one secret key) watermarking approach stem from the need to make the secret key available to owners and recipients, as well as from the need to identify which secret key is associated with which image in a Manuscript received July 1, 2004; revised August 9, 2004. The associate ed-itor coordinating the review of this manuscript and approving it for publication was Dr. Stefan Katzenbeisser.

J. Tzeng and I-L. Chern are with the Department of Mathematics, National Taiwan University, Taiwan, R.O.C.

W.-L. Hwang is with the Institute of Information Science, Academia Sinica, Taiwan, R.O.C. (e-mail: whwang@iis.sinica.edu.tw).

Digital Object Identifier 10.1109/TSP.2004.839921

large image database. Another problem is that the watermark is present as evidence of ownership, so it provides an attacker with the knowledge to remove the watermark [4]. The solution to the problem is a watermarking system that satisfies Kirckhoffs’prin-ciple [16], which states that a security system must assume that an adversary knows everything about the algorithm, except for the secret keys. Zero-knowledge watermark detection is one ap-proach for resolving this problem [1], [4]. The basic idea is to replace the watermark detection process with a cryptographic protocol. Although this approach shows promise, it requires a great deal of bidirectional communication between owners and verifiers to prove ownership for copyright protection purposes.

Asymmetric watermarking is another approach that satisfies Kerckhoffs’ principle. This system uses two sets of keys: one for embedding, and one for detecting. The detecting key is made public so that anyone has access to it and is permitted to use it to verify whether an image is watermarked or not. The public key of each watermarked image is usually stored in a safe place where a trusted third party can verify its integrity. This avoids the problem that anyone could produce a valid public key by his own asymmetric watermarking method. In an asymmetric system, the secret embedding keys are not used for verification. Therefore, no secret information is sent over the channel, nor can it be accessed in the database.

An asymmetric system must ensure that it is almost impos-sible, or at least computationally imposimpos-sible, for those who know the entire system, except for the secret key, to success-fully hack into the system [18]. Some interesting asymmetric schemes have been proposed for watermarking [10]–[13], [26]–[28]. Hartung and Girod [13] proposed the first asym-metric watermarking method. Furon and Duhamel [12] provide a useful survey of various methods, as well as an in-depth discussion of asymmetric watermarking. Their asymmetric watermarking method is applied to copy protection and their watermark detector must be embedded into detection devices, so that inverting the embedding process becomes computation-ally difficult. We propose an asymmetric watermarking method for copyright protection whereby all information, except the secret key, is released to the public.

In our previous study of symmetric watermarking, we pro-posed a robust subspace watermarking method in which our watermark was embedded into a subspace , where the wa-termark is resistant to conventional image operations. For our asymmetric watermarking method, we have further split our wa-termark space into two subspaces, and . The column vec-tors of the secret matrices and form an orthogonal basis of subspaces and , respectively. Our published watermark is embedded into subspace by the secret matrix , while 1053-587X/$20.00 © 2005 IEEE

(2)

Fig. 1. Simplified schematic diagram of the subspace watermarking strategy. is the original image feature. The distribution of the forged modifications of the watermarked image is plotted. The components of smaller eigenvalues from applying SVD to the distribution form the watmermark spaceW, while the components of larger eigenvalues form the subspaceV.

our watermark detection method uses a publicly released ma-trix , whose domain is . With our published algorithm, a pirate can obtain our watermark space, but cannot obtain the basis of the space that we used to form and .

Section II provides a summary of our previous subspace sym-metric watermarking method. Section III-A illustrates how we have extended it to our asymmetric method. In Section III-B, we analyze the security of our watermarking under projection attack. The robustness issue is analyzed in Section IV. Imple-mentation and simulations of various attacks are demonstrated in Section V. Finally, in Section VI, we present our conclusions.

II. SYMMETRICSUBSPACEWATERMARKINGMETHOD A symmetric waterkmarking system embeds and detects a watermark using the same key, which is hidden from public ac-cess. One can refer to [6], [20], [32], [33] for information on many symmetric watermarking methods.

In [31], we proposed a subspace symmetric watermarking method, which models watermarking as a communication with side information [9], for copyright protection. The method makes the keys strongly dependent on the original image and on potential modifications of the watermarked image. The robustness of the approach lies in hiding a watermark in the subspace that is least susceptible to potential modifications. The distribution of the feature of the forged images is analyzed by singular value decomposition (SVD). According to the results of SVD, the optimal solution is to divide the feature space (such as DCT transform and wavelet transform) into two subspaces. A simple presentation of the subspace watermarking approach is given in Fig. 1.

One of the subspaces is the watermark space , in which the watermark is hidden. is chosen because it is the least affected by most modifications of the image . The orthogonal com-plement of is denoted as , representing the subspace that is most susceptible to modifications of the image. This approach allows a copyright owner to custom select the watermark space that is most resistant to possible attacks. Let be the feature of the original image. Watermark is embedded into by:

where is a secret matrix whose columns are a basis of , and is the feature of the watermarked image. Because watermark is in , the watermark is robust against possible attacks. A pirate can simulate attacks on our watermarked image and obtain a good approximation of space , but he cannot disclose the secret matrix from the space.

Our symmetric method uses the key to embed, and its in-verse to extract, watermark . By choosing such that , the method does not need a reference image to de-tect a watermark. Because the key is content-dependent, when the number of watermarked images is large, there are problems that copyright owners need to manage so that the correct key of a watermarked image can be located. It is also necessary to se-cretly communicate the keys to another party. In an asymmetric watermarking method, a verifier does not need exclusive per-mission to access a published key database. This reduces the key management effort. Also, anyone can prove copyright of a watermarked image without secret key communication.

III. THEASYMMETRICWATERMARKINGMETHOD Our asymmetric watermarking method is based on the sym-metric subspace watermarking method. We divide our feature space into subspace and . The difference from our sym-metric method is that we further divide into two orthogonal subspaces and . Let and denote the secret matrices whose columns form a basis of subspaces and , respectively. We use the matrix to embed our watermark into subspace and detect by using the published keys , where matrix

is a weighted mixing of the matrices and .

A. Encoding and Decoding

Embedding our watermark into subspace is achieved by the function

(1) We require the watermark strength to be as large as pos-sible, in order to obtain a high signal-to-noise ratio (SNR) of our watermark signal to the original image feature . However, should not be so large that the perceptual quality of the wa-termarked image is destroyed. Finally, a feature reconstruction function is applied to to obtain a watermarked image . The top subfigure of Fig. 2 shows the flowchart of our encoder. Our detection is a hard decision function with a threshold . The decision function applies the detection matrix to the extracted feature and then uses the sim function to measure the similarity between and . Our detector is

if sim

otherwise (2)

where

(3) The flowchart of our decoder is shown in the bottom subfigure of Fig. 2.

(3)

Fig. 2. Top: Our encoder:fX g is a set of forged images of X . Bottom: Our decoder:T is a test image.

We give the matrix the form

(4) where is a matrix, is a matrix, whose columns are a basis

of , and . Let

(5) For the security reasons presented in part (a) of the theorem in Section III-B, cannot be a zero vector.

Applying to our watermarked feature , we obtain (6) Because is the component from the original image feature, its magnitude is usually greater than . To avoid the

sit-uation where (when the detected value

is dominated by the original image component), we impose to be parallel to . This also makes our asymmetric system robust against projection attack, as presented in part (e) of the theorem in Section III-B. Since is dependent on the original image, choosing to be parallel to is an example of mod-eling watermarking as a communication with side information. The embedding key of our asymmetric system is . Our secret key is , whereas the published detection key is . Two important performance criteria of a watermarking system are security and robustness. Before we analyze the ro-bustness of our asymmetric system, we will assess its security.

Comment: and can be hidden from the public and still preserve the integrity of the method by introducing the secret orthogonal matrix and releasing to the public.

Be-cause and , the sim detected by

is the same as that obtained by using .

B. Security Assessment

Watermark security requires that there is an extremely low risk that unauthorized users will be able to successfully hack into the system. Security assessment determines whether can remain secure under malicious attack. A list of published threats to the security of a watermark system is given in [2], [3], [5], [8], [14], [15], and [17]. Among these threats, the oracle attack, which estimates what is secret in the detection process from observations of detector outputs, is not as serious a security threat to asymmetric watermarking as it is to symmetric water-marking. If the oracle attack on an asymmetric watermarking method is successful, it will disclose the detection key, which is already public. An analysis of the oracle attack on the proposed asymmetric method is given in Appendix B. The unsuccessful oracle attack on our asymmetric watermarking method is fur-ther evidence of the conclusion in [2], which indicates that the more public information there is in a watermarking scheme, the fewer the potential malicious attacks.

We evaluate the security threats of malicious attacks on our watermarking system. The projection attack is analyzed and pre-sented in this section. The other two attacks, namely jamming a random noise into our watermark space and the copy attack, are evaluated by simulations, and presented in Section V.

A projection attack tries to find the feature that satisfies

with the constraint .1 _{This means} _{is the feature}

without a watermark that is closest to . As a projection at-tack is extremely effective in removing a watermark, we pay particular attention to this kind of attack.

From must be on the hyperplane passing

through the origin. The normal vector of the hyperplane is . The solution that minimizes is the projec-tion of to the hyperplane. Therefore, we have

(7) Let

(8) where and are the components of the original image fea-ture in and subspaces, respectively. Also let

(9) where and are the coefficient vectors of in and , respectively. According to (1), the component of the watermarking image feature in is

(10) The following theorem shows that we can construct a matrix so that the projection attack yields . Because is the per-ceptually robust feature of the original image, the image recon-structed from has a high probability of being a percep-tually distorted image.

1_{The real constraint is}_{jsim(W; D)j < , where is the threshold. We use}

(4)

Theorem: Given , and .

a) To be robust to the projection attack, the detection matrix [defined in (4)] must be chosen such that . b) If is chosen such that

(11) where and is defined by (10), then applying the projection attack to [defined in (1)] obtains . c) If and satisfy (11), then

(12) where and as defined in (9).

d) If is constructed as

(13)

where (defined in (9)), is a real

number, and satisfies (12), then satisfies (11). e) If and are chosen according to (12) and (13), then

is parallel to [defined in (5)].

f) If satisfies (13), and , then

.

Proof: See Appendix A.

Corollary: In order to be robust against projection attack, the

watermark must be parallel to , and cannot be equal to

either , or .

Fig. 3 shows that the projection attack on our watermarked image makes the image perceptually unacceptable. Thus, our watermarking is secure under projection attack. Fig. 4 shows a diagram of the oracle attack on our watermarked image. Having made a security accessment of our watermarking system, we now analyze its robustness.

IV. ROBUSTNESSANALYSIS

The performance criteria of a robust watermarking system are high detection probability and low false positive probability. The latter measures the probability that a watermark is detected in a test image, even though the test image is not watermarked. An analysis of false positive probability by using a sim detector is given in [19].

Detection probability measures the probability that a de-tector correctly determines that a manipulated watermarked image contains a watermark. A feature extracted from this watermarked image is composed of and a noise . That is

(14) Applying to and using (1), (4), and (14), we obtain

Because we choose to be parallel to , we have

(15)

Fig. 3. Top: Our watermarked image. Bottom: The image obtained from the feature extracted by applying a projection attack to the watermarked image. The PSNR of the noise image, obtained by subtracting the bottom image from the top image, is 17 dB.

Fig. 4. Feature obtained by applying the oracle attack is circled, whereD w is the successfully estimated vector of the attack. This is the same feature as that obtained by the projection attack.

The proof of the last inequality is given in Fig. 5. Thus, in order to have a high detection probability, we need to design a matrix

(5)

Fig. 5. Plane containsm +w and Dn . The largest angle between the two vectors occurs whenm + w + Dn is perpendicular to Dn . As sin = (kDn k)=(km + wk), so = sin (kDn k)=(km + wk). Therefore, the last inequality of (15) is satisfied.

1) ROC Curves: In the theorem, the matrix in the

detec-tion matrix has the general form

(16)

where , and is a real number. Here, we

present the simulation results of the detection probability and false positive probability as functions of a threshold with dif-ferent values of and demonstrate our method’s performance by using receiver operating characteristic curves, or ROC curves [24].

We let be a uniformly distributed random variable with range , where is a parameter. To measure the detection probability for each , we performed 1000 attacks on a water-marked Lena image. These attacks included shifting (at most ten pixels in either a horizontal or vertical direction), scaling, blurring, JPEG compression, adding white noise, sharpening, rotation (at most ), stirmark,2 _{as well as combinations of}

the attacks. The top figure of Fig. 6 shows the detection proba-bility, versus a threshold of , of the attacked watermarked images.

To measure the false positive probability, we watermarked the Lena image with 16 different watermarks. For each wa-termarked Lena and for each , we obtained a pair of public detection keys . We used the keys to 1000 unwater-marked images to measure the values. The curves in the bottom figure of Fig. 6 are the false positive probabilities, versus a threshold of , with different values.

Fig. 6 shows that both the detection probability and false pos-itive probability are smaller at a given threshold for a larger value. If we apply to (the feature extracted from a test image), then from (16), we have

Because is normal to , this term does not contribute to the value in the norminator of , but it does con-tribute to the value in the denominator. Hence, as increases, the

2_{[Online] Available at:}

http://www/petitcolas.net/fabien/watermarking/stir-mark

Fig. 6. Probabilities of detection and false-positives whenjsimj is used as our threshold with differentc values. Top: Detection probability. Bottom: Mean false positive probability. The horizontal axis is the jsimj threshold. Solid curves:c = 0:15. Dashed-dotted curves: c = 0:1. Dotted curves: c = 0:05.

detected values, of both a watermarked or an un-watermarked image, decrease.

The plots of the empirical data of the detection and false pos-itive probabilities, shown in Fig. 6, do not overlap. This implies that many values can be used as our threshold because any of them will yield a high detection probability and a low false positive probability.

Although there is no overlap between the detection proba-bility and the false positive probaproba-bility, according to the law of large numbers, if we had enough images, both the detection probability and the false positive probability would have be-come a Gaussian distribution. As proposed in [7], we model the detection probability and false positive probability as Gaussian distributions. We compute the mean and the standard devia-tion of the Gaussian distribudevia-tion of the false positive proba-bility from the detected values of the unwatermarked images, in the same way, we compute the parameters of the detection probability for the watermarked images. From the Gaussian dis-tributions, we can draw the ROC curve of our empirical data. Fig. 7 shows the ROC curves of different values, obtained

(6)

Fig. 7. ROC curves of our empirical data. The curves plot the false positive probability in the logarithmic (base 10) scale against the false negative probability, which is defined as one minus the detection probability, as a function of the threshold andc value. Solid curve: c = 0:15. Dashed-dotted curve:c = 0:1. Dotted curve: c = 0:05.

in this manner. For numerical precision, the figure shows only the part of the curves whose false positive probability is above . The intersections of the curves and the axis of false pos-itive probability ( -axis) are 0.34, 0.50, and 0.56 for curves of , and , respectively. In the following simulations, we choose and use 0.5 as our threshold. This corresponds to the false positive probability below in our simulation.

V. IMPLEMENTATION ANDSIMULATIONRESULTS

A. Implementation

The major implementation issues were to find the watermark space and the matrix . Our image database had a total of 61 images of womens’ faces. One of them was a Lena image, the other 60 were down-loaded from the Google Search Engine. Their sizes ranged from 223 by 342 pixels to 512 by 512 pixels. We applied the full frame DCT to each image, and then selected DCT coefficients from their upper left 32 by 32 corners to form our feature. The coefficients corresponded to 32 horizontal low-frequency bands and 32 vertical low-low-frequency bands. Thus, our feature space had a dimension of 1024 frequency bands.

From each image in our database, we obtained a set of 100 forged images by means of image operations. Our operations included: blurring (with B-spline kernel), JPEG compression, scaling, rotations (with ), translations (by shifting at most ten pixels either up, down, left or right), adding random noise, stirmark, various image operations from the Matlab image toolbox, as well as combinations of all these operations. For each image, we computed the covariance ma-trix from the collection of features obtained from the forged images of an image. Using SVD on the covariance matrix, we chose our watermark space to be the space spanned by 900 eigenvectors (of the covariance matrix) whose corresponding eigenvalues were small.

Let be the matrix of the 900 eigenvectors and be the feature of the original image. Using a notebook computer with a CPU 1.8 GHz, it takes about 5 min to generate a watermark space and its orthogonal basis. From an orthogonal basis of space, we randomly choose 300 vectors as an orthogonal basis of , and form the columns of the secret matrix . The re-maining vectors form the columns of the secret matrix .

We project to and obtain , which is then represented

as , where and are the coefficient of in

and , respectively. We choose our watermark to be parallel to . Let , where is a scalar. In order to have a high SNR of our watermark signal to should be as large as possible. However, it cannot be too large, or it will decrease the perceptual quality of our watermarked image. The average PSNR of our watermarked image is 44 dB. After is chosen, we

have . We then find with each ,

and with each . We randomly choose

and use them to construct a matrix to satisfy (16).

From , we obtain the detection matrix .

B. Simulations

We now demonstrate the resistance of our asymmetric water-marking method to the following attacks. See [22] and [23] for further discussion of various attacks.

1) Applying a Copy Attack: A copy attack uses noise

reduc-tion methods to extract an approximareduc-tion of a watermark from a watermarked image , and hides the feature in another image,

[17]. This increases the false positive probability.

Let be the public keys of the watermarked image

, and be a feature of image . Let be the

estimated mark from . We replace with

as ’s feature. A copy attack is successful if one can use and to obtain a high from

We performed the following simulations of copy attacks. We obtained a noise image by subtracting the watermarked Lena image from a denoised image, using a mask which is a tensor product of the B-spline filter with coefficients . We then extracted an estimated feature of from the image . The estimated feature was multiplied by , and embedded into each non-Lena image in our database. After applying Lena’s detection matrix to each image, we compared the results with . We found that the mean and the standard deviation of the 60 copy attacks were 0.0346 and 0.0287, respectively. Comparing these results with our threshold 0.5, the probability of successfully copy attacking our method is very low.

2) Spreading Noise Into Watermark Space: The simulation

results shown in [31] indicate that a pirate can simulate attacks on our watermarked image and obtain a good approximation of space , but he cannot obtain the secret matrix from the space. In this scenario, we evaluate the efficiency of a pirate who attacks our watermark space by jamming it with

(7)

Fig. 8. White noise spreading attack onW. The watermark space of the watermarked Lena image was attacked by random noises that had various energy levels. The SNR was measured by20 log (kwk=knk).

Fig. 9. Blind attacks: The mean and standard deviation of various attacks on our watermarked images. Method Key: (1) Shift: a random shift of at most 10 pixels. (2) Blur: a smoothing of images by a B-spline of order chosen from 3, 5, 7, and 9. (3) Spreading noise: the adding of white noise to images. (4) JPEG: the compression of images using JPEG with a quality factor between 30 and 100. (5) Sharpen: the sharpening of images using Microsoft Photo Editor (parameter 5). (6) Rotation: the rotation of images by at most65 . (7) Stirmark: a random seed from 1 to 100. (8) Combination: a combination of the rotation [ in (6)], shift [in (1)], and a rotation back(0) operations.

random noise. We embed 64 random noises that have various levels of energy into the watermark space of a watermarked Lena image. Performance results for this attack are shown in Fig. 8. We plot the mean, obtained by averaging the detection values of the 64 random noise attacks on the space, versus

the SNR that is measured by , where is

our random noise. One can observe from the figure that even at a very low SNR, the detection value is still quite high compared to our threshold. This proves that our method is robust against this type of attack.

3) Blind Attacks: Blind attacks are carried out with the

in-tention of removing a watermark when the attacker does not know the watermarking method. For each of the 61 images in our database, we produced 32 watermarked images and per-formed an average of 100 attacks on each image. These attacks included: shifting, blurring, JPEG compression, sharpening, ro-tation, stirmarking, as well as combinations of the above at-tacks. Fig. 9 shows the mean and the standard deviation of the values. Although the rotation attack (i.e., rotating our wa-termarked image without rotating it back) has a slightly lower detection value, our method is still robust against these attacks.

VI. CONCLUSION

To resolve the weaknesses of current symmetric water-marking methods, we have designed an asymmetrical wa-termarking method for copyright protection that satisfies the zero knowledge principle. All of our watermarking, except the secret matrices and , have been released and are publicly available. Our asymmetric design is robust because it enhances the watermark space concept of our previous symmetric water-marking method. As our watermark is highly dependent on the original image, it cannot be removed without the watermarked image being perceptually distorted. Our method is secure, since we embed secret information within a subspace of , and

provide the public with a key to detect

. Because the secret basis of is hidden from the public, estimating is extremely difficult. Further development of our method will reduce the size of our detection matrix, and extend our method to copy protection.

APPENDIX A Here, we provide the proof of our theorem.

Proof of a): If is chosen such that , then

Because meets the constraint , and

since is the solution that minimizes , we have .

As this proof indicates that for , the image recon-structed from (i.e., the image that does not have a watermark) is probably perceptually undistorted.

Proof of b): Let , where . Ap-plying the projection attack to a watermarked image obtains , which is (from (7))

where satisfies and the detected value is zero. The image reconstructed using is probably a distorted image.

Proof of c): If , then according to (4) and (10), we obtain

Because the columns of and are orthonormal and , we have

(17) and

(18) From (17), when , we obtain

(8)

Proof of d): We want to construct a matrix such that is satisfied.

Substituting (19) into (18), we have

The general form of that solves the above equation is (20)

where are real numbers and , for every

and .

Substituting in (20) into and using the

fact that , we obtain

(21)

Proof of e): In a), we show that for our method to be

ro-bust against the projection attack, cannot be zero. In the following, we show that becomes zero for a particular .

(22)

If , then we have

That is

(23)

Proof of f): From (22) and (12), we have parallel to .

APPENDIX B

Here, we discuss the oracle attack on our asymmetric wa-termarking method. The attack estimates what is secret in the detection process and uses what is estimated to remove the embedded watermark. This attack can successfully estimate the secret key of a subspace-based symmetric watermarking

system [31], where the detection matrix is the secret matrix . Although the oracle attack estimates the detection

key of our asymmetric watermarking

method, it cannot obtain the secret information . In an asymmetric watermarking system, the detection key is public, thus a successful oracle attack obtains publicly available infor-mation that is of no use for secret key estiinfor-mation.

The next phase of the attack is to add the vector to the watermark feature so that

(24) According to our Theorem, we have . If we sub-stitute this into (24), we have

(25) From (1), (8), and (10), the solution of (25) is . Thus, the oracle attack and projection attack result in the same feature . As shown previously, Fig. 4 shows a diagram of the oracle attack on our watermarked image.

ACKNOWLEDGMENT

The authors would like to express their gratitude to Reviewers 1 and 2 for their insightful suggestions. They give special thanks to Reviewer 1, whose invaluable suggestions—especially about the projection attack—significantly improved their manuscript.

REFERENCES

[1] A. Adelsbach, S. Katzenbeisser, and A. R. Sadeghi, “Watermark detec-tion with zero-knowledge disclosure,” in ACM Multimedia Syst., 2003, vol. 9.

[2] M. Barni, F. Bartolini, and T. Furon, “A general framework for robust watermarking security,” Signal Processing, vol. 83, pp. 2069–2084, 2003.

[3] J. A. Bloom, I. J. Cox, T. Kalker, J. P. Linnartz, M. L. Miller, and C. B. S. Traw, “Copy protection for DVD video,” Proc. IEEE, vol. 87, no. 7, pp. 1267–1276, Jul. 1999.

[4] S. Craver, “Zero knowledge watermark detection,” in Proc. 3rd Int.

Workshop on Information Hiding, vol. 1768, Spring 2000, pp. 101–116.

Lecture Notes in Computer Science.

[5] S. Craver, N. Memon, B. L. Yeo, and M. M. Yeung, “Resolving rightful ownership with invisible watermarking teachniques: Limitations, at-tacks, and implications,” IEEE J. Select. Areas Commun., vol. 16, no. 9, pp. 573–587, Dec. 1998.

[6] I. Cox, J. Kilian, T. Leighton, and T. Shamoon, “Secure spread spectrum watermarking for multimedia,” IEEE Trans. Image Processing, vol. 6, no. 12, pp. 1673–1687, Dec. 1997.

[7] I. Cox, M. Miller, and J. Bloom, Digital Watermarking. New York: Morgan Kaufmann, 2002, pp. 173–177.

[8] I. Cox and J. P. Linnartz, “Some general methods for tampering with watermarks,” IEEE J. Select. Areas Commu., vol. 16, no. 4, pp. 587–593, May 1998.

[9] I. Cox, M. Miller, and A. Mckellips, “Watermarking as communication with side information,” Proc. IEEE, vol. 87, pp. 1127–1141, Jul. 1999. [10] J. Eggers, J. Su, and B. Girod, “Public key watermarking by eigenvec-tors of linear transforms,” in Proc. Eur. Signal Process. Conf., Tampere, Finland, Sep. 2000.

[11] T. Furon, I. Venturini, and P. Duhamel, “An unified approach of asymmetric watermarking schemes,” in Proc, SPIE: Security and

Watermarking of Multimedia Contents III, P. W. Wong and E. Delp,

Eds., San Jose, CA, Jan. 2000.

[12] T. Furon and P. Duhamel, “An asymmetric watermarking method,” IEEE

(9)

[13] F. Hartung and B. Girod, “Fast public-key watermarking of compressed video,” in Proc. IEEE Int. Conf. Image Processing, Santa Barbara, CA, Oct. 1997, pp. 528–531.

[14] T. Kalker, “Watermark estimation through detector observations,” in

Proc. IEEE Benelux Signal Processing Symp., Leuven, Belgium, Mar.

1998.

[15] , “A security risk for publicly available watermark detectors,” in

Proc. Benelux Information Theory Symp., Veldhoven, The Netherlands,

May 1998.

[16] A. Kerckhoffs, “La cryptographie militaire,” J. Sci. Militaires, vol. 9, pp. 5–38, Jan. 1883.

[17] M. Kutter, S. Voloshynovskiy, and A. Herrigel, “Watermark copy at-tack,” in SPIE Security and Watermarking of Multimedia Contents III, P. W. Wong and E. Delp, Eds., San Jose, CA, Jan. 2000.

[18] J. C. A. Van Der Lubbe, Basic Methods of Cryptography Cambridge, MA, 1998.

[19] M. L. Miller and J. A. Bloom, “Computing the probability of false wa-termark detection,” in Proc. Workshop on Information Hiding, Dresden, Germany, Sep. 1999.

[20] P. Moulin and E. Delp, “A mathematical appraoch to watermarking and data hiding,” in IEEE ICIP. Thessaloniki, Greece, 2001.

[21] P. Moulin and A. Ivanovic, “The zero-rate spread-spectrum water-marking game,” IEEE Trans. Signal Processing, vol. 51, no. 4, pp. 1098–1117, Apr. 2003.

[22] F. A. P. Petitcolas, R. J. Anderson, and M. G. Kuhn, “Attacks on copy-right marking systems,” Lecture Notes on Computer Science 1525:

In-formation Hiding, pp. 218–238, 1998.

[23] , “Information hiding—A survey,” in Proc. IEEE, 1999, pp. 1062–1078.

[24] H. V. Poor, An Introduction to Signal Detection and Estimation. New York: Springer, 1994.

[25] J. G. Proakis, Digital Communications. New York: McGraw-Hill, 1995.

[26] R. Van Schyndel, A. Tirkel, and I. Svalbe, “Key independent watermark detection,” in Proc. Int. Conf. Multimedia Comput. Syst., vol. 1, Flo-rence, Italy, Jun. 1999.

[27] J. Smith and C. Dodge, “Developments in steganography,” in Proc. 3rd

Int. Workshop on Information Hidding, A. Pfitzmann, Ed., Dresden,

Ger-many, Sep. 1999, pp. 77–87.

[28] J. Stern and J. P. Tillich, “Automatic detection of a watermarked doc-ument using a private key,” in Proc. 4th Int. Workshop on Information

Hiding, vol. 2137, I. S. Moskowitz, Ed., Pittsburgh, PA, Apr. 2001.

[29] M. Swanson, B. Zhu, A. Tewfik, and L. Boney, “Robust audio water-marking using perceptual masking,” Signal Processing, vol. 66, no. 3, pp. 337–355, May 1998.

[30] W. Trapper, M. Wu, Z. Wang, and K. J. R. Liu, “Anti-Collusion finger-printng for multimedia,” IEEE Trans. Signal Processing, vol. 51, no. 4, pp. 1069–1087, Apr. 2003.

[31] J. Tzeng, W. L. Hwang, and I. Liang Chern, “Enhancing image wa-termarking methods with/without reference images by optimization on second order statistics,” IEEE Trans. Image Processing, vol. 11, pp. 771–782, Jul. 2002.

[32] S. Voloshynovskiy, A. Herrigel, N. Baumgaertner, and T. Pun, “A sto-chastic approach to content adaptive digital image watermarking,” in

Proc. 3rd Int. Workshop on Information Hiding, Dresden, Germany, Sep.

1999, pp. 211–236.

[33] R. B. Wolfgang, C. I. Podilchuk, and E. J. Delp, “Perceptual watermarks for digital images and video,” in Proc. IEEE, vol. 87, Jul. 1999, pp. 1108–1126.

[34] M. M. Yeung, “Digital watermarking,” Commun. ACM, vol. ACM 41, no. 7, pp. 31–33, Jul. 1998.

Jengnan Tzeng received the B.S. degree from Na-tional Chengchi University, Taiwan, R.O.C., the M.S. degree from National Central University, Taiwan, and the Ph.D. degree from National Taiwan University in 2004, all in mathematics.

He is currently a Postdoctoral Researcher in the Genomics Research Center, Academia Sinica, Taipei, Taiwan. His research interests include digital watermarking, wavelet analysis, and PDE methods in image processing and genomic research.

Wen-Liang Hwang received the B.S. degree in nuclear engineering from National Tsing Hua Uni-versity, Hsinchu, Taiwan, R.O.C., the M.S. degree in electrical engineering from the Polytechnic Institute of New York, and the Ph.D. degree in computer science from New York University in 1993.

He was a Postdoctoral Researcher with the De-partment of Mathematics, University of California, Irvine, in 1994. In January 1995, he became a member of the Institute of Information Science, Academia Sinica, Taipei, Taiwan, where he is currently an Associate Research Fellow. He is co-author of the book Practical Time-Frequency Analysis (New York: Academic, 1998). His research interests include wavelet analysis, signal, and image processing, multimedia transmis-sion, and computer vision.

Dr. Hwang was awarded the Academia Sinica Research Award for Junior Research in 2001.

I-Liang Chern received the B.S. and M.S. degrees in mathematics from National Taiwan University, Taiwan, R.O.C., and the Ph.D. degree in mathematics from New York University in 1983.

He was with Academia Sinica, Taipei, Taiwan, the Courant Institute, New York University, and Argonne National Laboratory, Argonne, IL. He has been a Professor in the Mathematics Department of National Taiwan University since 1991. His research interests include multiscale scientific computing, wavelet analysis, and partial differential equations.