Authentication and recovery of an image by sharing and lattice-embedding

Authentication and recovery of an image by sharing

and lattice-embedding

Sian-Jheng Lin Ja-Chen Lin

National Chiao Tung University Department of Computer Science

1001 Ta Hsueh Road Hsinchu, 300, Taiwan E-mail: sjhenglin@gmail.com

Abstract.Based on sharing and lattice-embedding techniques, we present an authentication-recovery method for an image. The recov-ery data are shared among many shadows, then lattice-embedding is utilized to embed each shadow in the discrete cosine transform domain of an 8×8 block. The proposed method can resist certain content-preserving operations such as JPEG compression, Gaussian noise, and brightness adjustment, up to a tolerance level controlled by a quantization parameter value. The method can also resist cer-tain security attacks such as a cut-and-paste attack, a collage attack, and a vector quantization attack. Compared with previous works, the proposed method has following major advantages and novelty: (1) the method does not require prediction of the tampering trace, and the tampered blocks are always recovered as long as the num-ber of valid blocks reaches a threshold and (2) lattice-embedding yields smaller distortion than does parity-check quantization, and the latter was often used in reported works.© 2010 SPIE and IS&T.

[DOI: 10.1117/1.3500799]

1 Introduction

It is easy for attackers to modify public digital media, and many authentication techniques,1–8 _{called watermarking,}

have been reported recently to protect digital media. These techniques can check the correctness of the media content. Recently, some fragile watermarking schemes for tampered-region detection and recovery have also been introduced.6–8 Lin et al.6 _{proposed a block-based watermarking scheme to}

detect and recover the tampering of an image. They used a four-level detection structure to detect the tampered blocks. For each block that is detected as having been tampered with, its recovery data is extracted from another block, which is located by a block mapping sequence. Chan and Chang7

proposed an image authentication method based on the Hamming code, and this method had three components, namely, the Hamming code, the Torus automorphism, and bit rotation. The parity check bits for each pixel were gener-ated by the Hamming code. The embedding locations for the parity check bits were decided by Torus automorphism, and the bit rotation was used to improve the security. Chang et al.8

Paper 09243RR received Dec. 21, 2009; revised manuscript received Jul. 26, 2010; accepted for publication Aug. 25, 2010; published online Dec. 6, 2010

1017-9909/2010/19(4)/043008/14/$25.00C2010 SPIE and IS&T.

also proposed a method for authentication and recovery. However, just like all of the other mentioned methods, their watermarked image cannot be compressed by JPEG, since the hidden information cannot be extracted after JPEG compres-sion. Zhang and Wang9 proposed an elegant watermarking method, which can restore the tampered region without error. The method is based on reversible data hiding, which can ex-tract the whole host image from the stego image without error (for more information about reversible data hiding, see the work10 _{proposed by Alattar who used color images as host}

images). However, as stated in paper caption of Ref.9, the method9 _{is still a fragile watermarking method, rather than}

semifragile. Based on the Pascal transform, Varsaki et al.11

proposed a semifragile watermarking with the recovery abil-ity to deal with color images. The host is a color image, but the recovery data is a 1/16-size gray-level version of the host. The data is embedded in the Pascal domain of R, G, and B color components, respectively. As a result, the recovered region of the tampered color image is gray-leveled, rather than colored. However, as demonstrated in Fig.8of Sec.4.3, the recovery ability is not so good after cropping in the central area of the image.

In general, if a watermarked image is processed by some content-preserving operations (for example, JPEG compres-sion or Gaussian noise or brightness adjustment), the verifi-cation ability should still exist within a certain level of the operation. This type of watermarking method is said to be semifragile, and in the semifragile watermarking method pro-posed by Ho and Li,12_{users choose the lowest JPEG quality}

factor they can tolerate, and the verification data is generated and embedded in the quantized DCT domain. Their exper-iments demonstrated that their method could resist JPEG compression [up to a level of quality factor (QF)]. In the method of Lin et al.,13 users also choose the lowest JPEG quality factor they can tolerate, and then the verification data is generated from the low/middle frequency of the discrete cosine transform (DCT) domain, followed by an embedding in the high-frequency domain. Their experiments showed that their method can also resist JPEG compression (up to a QF level). However, these two methods12,13 _{embed only}

verification data, and there is no recovery data.

Some semifragile watermarking techniques also embed recovery data in the watermarked image, and the image

itself can recover the tampered regions. Lin and Chang14

proposed two approaches to semifragile watermarking, one of which has verification ability only, while the other has both verification and recovery ability. The verification data is generated from the DCT coefficients, and the recovery data is generated from a quarter-size shrunken subimage of the host image (if recovery ability is required). Then all of the generated data is embedded in the DCT domain. Their method can resist both JPEG compression and brightness adjustment within a reasonable range. Hsieh et al.15also pro-posed a watermarking scheme with damage-recovery abil-ity. The recovery data is calculated from the host image, and then three copies of the recovery data are embedded in the DCT domain of the host image. Their experiments showed that their method could resist JPEG compression, brightness adjustment, and contrast adjustment. Jiang and Liu16 _{proposed an authentication-recovery scheme. Their}

verification data is a random number sequence generated by a key, and their recovery data is generated from DCT coefficients of the host image. The two sets of data are embedded in the 2 LSBs (the two least significant bits) of the image. Their experiments showed that their method could resist JPEG compression and small-area replacement of the watermarked image. Tsai and Chien17,18 _{proposed a}

method based on discrete wavelet transform. The verification data and the recovery data is generated from low-frequency bands and then embedded in high-frequency bands. This method can resist JPEG compression and Gaussian noise.

Based on (t,n) sharing and lattice embedding, a novel semifragile watermarking method with recovery ability is proposed. The motivation of the proposed method is based on the three observations as follows. First, the (t,n) two-layer sharing, which we introduce in Sec.2.2, can recover the em-bedded data, as long as no more than (n − t)/2 of the n created shadows are damaged shadows. This is an important property for our design to recover the image. Since each of our generated shadows is embedded in a block, the water-marked image can still extract useful recovery data after tam-pering, as long as the percentage of validity blocks reaches a predefined threshold α. If sharing-related techniques were not used, and if, for example, traditional block-mapping se-quence techniques were used instead, the recovery data of some tampered blocks would have been lost because it was hard to predict in advance which blocks would be tampered (more details are addressed in Sec.5.1). Second, the gener-ated shadows Eihave the ability to both verify and recover. Because both of these abilities are tied together in Ei, we need to embed only one shadow Ei(rather than two data sets) in an 8×8 host block. This simplifies the design. Finally, we use lattice embedding to replace the so-called parity-check embedding used by many methods14,15,17,18_{when data is to}

be embedded. The major reason for this is that lattice em-bedding has a smaller impact on the host image (more details are addressed in Sec.5.2).

The remainder is organized as follows. Section 2 intro-duces the (t,n) two-layer sharing and lattice embedding, which is utilized in our design. Section 3 describes our method, including a mathematical property. Section4shows the experimental results. Section5discusses the difference between the proposed method and other works, and Sec.6is the conclusion.

We use the following notation:

n= number of created shadows in a (t,n) secret sharing t= the threshold of (t,n) secret sharing

Pi= the ith shadow of (t,n) two-layer sharing c= the size of Pi

Ei= the generated shadow, which is attached to Piby (t,n) two-layer sharing

M= the step size of the lattice embedding di= the ith DCT value of an 8×8 image block ID= the image’s identification number Key= a secret key

α = a specified threshold for the percentage of valid blocks in a tampered image

2 Background Knowledge

Secret image sharing19 _{and Reed-Solomon (RS) code}

technique20 are briefly reviewed in Sec.2.1; the two-layer sharing technique is introduced in Sec.2.2, and lattice em-bedding is reviewed in Sec.2.3. These techniques are used by the proposed method in Sec.3.

2.1 Secret Image Sharing19_{and RS Code}

Technique20

In the sharing phase of Thien and Lin’s (t,n) threshold method,19for each nonoverlapping t pixel values of the secret image (secret message), a related polynomial is defined as

f (x)= a0+ a1x+ · · · + at−1xt−1(mod p), (1) where a0, a1, . . . ,at–1are the gray values of the t pixels, and p is a prime constant. Then f (1), f (2), . . . , f (n) is eval-uated and sequentially attached to the n shadows. Having processed all of the pixels in the secret image, the n shadows are generated. Since each t pixels in the secret image only contributes 1 pixel to each generated shadow, the size of each shadow is 1/t of the secret image.

As indicated by Preparata,21_{from the mathematical}

view-point, the encoding phase of using the sharing Eq.(1)is iso-morphic to the creation of a Reed-Solomon code.20

There-fore, by the error-correction property20 _{of the RS code, if}

(n − t)/2 of the n received shadows are contaminated and become malign shadows, people can still utilize the RS code decoder to decode the n received shadows, locate the malign shadows, and then extract the whole secret data correctly. Two commonly used RS code decoders are the Berlekamp-Massey decoder22 _{and the Euclidean algorithm.}23 _{In our}

method, we use Euclidean algorithm23 to locate the posi-tion of the malign shadows, or the tampered blocks, because all of the shadows are embedded in image blocks.

2.2 A (t,n) two-layer sharing technique modified from

Chang et al.8

This technique can share n given data sets {Pi||Pi|=c, i = 1, 2, . . . , n} to produce n shadows {(Pi, Ei)|i = 1, 2, . . . , n}, where constant c is the constant size of each Pi. The created file Eiis attached to Pi, where the size of each Eiis c(n/t − 1) (the analysis is addressed later). In the original design by Chang et al.,8 _{the n data sets {P}

i||Pi|=c, i = 1, 2, . . . , n} can be decoded using any t received shadows. However, in our method, we always get all n shadows (but some of them may have been tampered). Therefore, certain steps of the

algorithm in Chang et al.8 _{are modified so that, for all n}

shadows, if the number of error shadows is not more than (n − t)/2, then all n data sets {Pi||Pi|=c, i = 1, 2, . . . , n} can be decoded by the modified decoder. Notably, in our method, the n data sets{Pi} are the DCT coefficients, which are used to recover the tampered blocks. Moreover, the loca-tion of the error shadows are also the localoca-tion of error blocks in the tampered watermarked image. The encoder (sharing) and the decoder (inverse-sharing) are shown in the following. Notably, in our method, the calculations of Algorithms 1A and 1B are over GF(212_).

Algorithm 1A: (t,n) two-layer sharing encoder

Input:ndata sets{Pi|i= 1, 2, . . . ,n} in which eachPihas constant

sizec.

Output:nshadows{(Pi,Ei)|i= 1, 2, . . . ,n}.

1. First-layer sharing: For eachPi, we calculateBi(eachPiand

Biis treated as a vector, and |Pi|= |Bi|=cfor eachi) by the

following equation:

Bi=P1+ 2iP2+ 3iP3+ · · · +niPn.

Then we collect and store then−tvectors{B1,B2, . . . ,Bn−t} in

fileB.

2. Second-layer sharing: For eachtdigits in fileB, we encode thetdigits by (t,n) secret image sharing9_{(Sec.2.1) to get an}

n-digits codeword. Thendigits are dispersed, respectively, ton

shadows{Ei|i= 1, 2, . . . ,n}. The construction of {Ei} is thus done

when all of the digits of fileBare shared.

Algorithm 1B: (t,n) two-layer sharing decoder

Input:nreceived shadows{( ˜Pi, ˜Ei)|i= 1, 2, . . . ,n}, but some

shad-ows within them may have been tampered.

Output: If the number of tampered shadows is no more than 

{(n−t)/2}, then we output the n error-corrected data sets

{Pi|i= 1, 2, . . . ,n} and the verification result.

1. Reconstruct the fileBfrom{ ˜Ei|i= 1, 2, . . . ,n}. Here, if the

number of tampered ˜Eiis no more than{(n−t)/2}, then the fileB

can be reconstructed by the RS code decoder, and we can also identify locations of the tampered shadows

{( ˜P˜j[i], ˜Ej˜[i])|i= 1, 2, . . . ,v}. We can mark the location of these

tampered shadows as “tampered,” then output the verification result. (However, if the number of tampered ˜Eiis more than {(n−t)/2}, the fileBcannot be reconstructed, so we would stop the procedure in this case.

2. Let the un-tampered shadows be{( ˜Pj[i], ˜Ej[i])|i= 1,

2, . . . ,n−v} where {j[i]|i= 1, 2, . . . ,n−v} are indices of the

un-tampered shadows. In other words,{j[i]|i= 1,

2, . . . ,n−v} ∪ {˜j[i]|i= 1, 2, . . . ,v} = {1, 2, . . . ,n} and

{j[i]|i= 1, 2, . . . ,n−v} ∩ {˜j[i]|i= 1, 2, . . . ,v} = , The tampered

data{ ˜P˜j[i]|i= 1, 2, . . . ,v} can be recovered by the equation

⎡ ⎢ ⎢ ⎢ ⎢ ⎢ ⎢ ⎣ ˜ P˜j[1] ˜ P˜j[2] . . . ˜ P˜j[v] ⎤ ⎥ ⎥ ⎥ ⎥ ⎥ ⎥ ⎦ = ⎡ ⎢ ⎢ ⎢ ⎢ ⎢ ⎢ ⎣ ˜ j[1] ˜j[2] · · · ˜j[v] ˜ j[1]2 _˜j[2]2 _{· · · ˜j[v]}2 . . . ... . .. ... ˜j[1]v ˜j[2]v · · · ˜j[v]v ⎤ ⎥ ⎥ ⎥ ⎥ ⎥ ⎥ ⎦ −1 × ⎛ ⎜ ⎜ ⎜ ⎜ ⎜ ⎜ ⎝ ⎡ ⎢ ⎢ ⎢ ⎢ ⎢ ⎢ ⎣ B1 B2 . . . Bv ⎤ ⎥ ⎥ ⎥ ⎥ ⎥ ⎥ ⎦ − ⎡ ⎢ ⎢ ⎢ ⎢ ⎢ ⎢ ⎣ j[1] j[2] · · · j[n−v] j[1]2 j[2]2 · · · j[n−v]2 . . . ... . .. ... j[1]v _j[2]v _{· · · j[n−v]}v ⎤ ⎥ ⎥ ⎥ ⎥ ⎥ ⎥ ⎦ × ⎡ ⎢ ⎢ ⎢ ⎢ ⎢ ⎢ ⎣ ˜ Pj[1] ˜ Pj[2] . . . ˜ Pj[n−v] ⎤ ⎥ ⎥ ⎥ ⎥ ⎥ ⎥ ⎦ ⎞ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎠ . 3. Output{Pi|i= 1, 2, . . . ,n} = { ˜P˜j[i]|i= 1, 2, . . . ,v} ∪ { ˜Pj[i]|i= 1, 2, . . . ,n−v}.

Two size and time issues about the generated shadow Eiare discussed next.

2.2.1 Size of Ei

We consider the two-layer sharing encoder, and in the first-layer sharing, since the Picontains c digits, and the matrix in the multiplication has (n− t) rows, the generated matrix [B1B2. . . Bn−t]T contains (n− t)c digits, which is the size of file B. In the second-layer sharing, the file B is divided into (n − t)c/t sectors of t digits each, and each t digits are encoded into n digits by (n,t) RS code; and then a digit is assigned to each shadow Ei. So the size of each shadow Eiis (n − t)c/t ≈ (n/t − 1)c.

2.2.2 Running time of generating Ei

In the first-layer sharing, the size of the two matrices at the equation right are (n− t)n and nc, so it requires (n − t)nc op-erations to calculate [B1B2. . . Bn−t]T. In the second-layer sharing, the file B is divided into (n − t)c/t sectors of t digits each, and each t digits require nt operations to gen-erate the code, so it requires (n − t)c/t ×nt ≈ (n − t)nc operations. Therefore, all of the operations necessary are 2(n− t)nc = θ[(n − t)nc].

2.3 Lattice Embedding24

Lattice embedding24 is an embedding method in which a secret digit can be embedded into many signals. Figure1is an example, in which a ternary value{0,1,2} is embedded in a pair of signals (p1,p2). As shown in Fig.1, the space of host pair values (p1,p2) is divided into many hexagonal regions, and each region corresponds to a ternary value 0, 1, or 2 (squares, circles, and triangles are used to represent the three values). As shown in Fig. 1, in each one of the horizontal and vertical directions, the distance of contiguous hexagonal region’s centers is set to our step size M. If a ternary value is to be embedded in the pair (p1,p2), we find the nearest region’s center to (p1,p2) so that the nearest region corresponds to the ternary value to be embedded. Then the coordinate of the region’s center is output. Later, to decode the embedded value, the region that contains the stego pair (p1,p2) is found, and the corresponding region value 0, 1, or 2 of the region is output. In general, if the value of M is larger, then the image quality after embedding is lower, but the hidden data is more

p1

p2

M

Fig. 1 Diagram of our lattice embedding.

robust. The embedding and extracting algorithms 2A and 2B are shown below.

Algorithm 2A: Embed a ternary value in a pair of signals

Input: a ternary values, a pair of host signals (p1,p2), and step size

M.

Output: a pair of stego-signals (p ₁,p₂ ).

 q1 q2  =  M−1−(√3M)−1 0 2(√3M)−1   p1 p2+M/ √ 3  (lq1,lq2)= (q1 , q2) t=s− (lq1+ 2lq2) (mod3) ift= 1 or 2 then lqt =lqt+ 1 else if q1−lq1+q2−lq2> 1 lq1=lq1+ 1 lq2=lq2+ 1 end if end if ⎡ ⎣p 1 p ₂ ⎤ ⎦ = ⎡ ⎣M M/2 0 √3M/2 ⎤ ⎦ ⎡ ⎣lq1 lq2 ⎤ ⎦ −  0 M/√3  .

Algorithm 2B: Extract a ternary value from a pair of signals Input: a pair of stego-signals (p ₁,p ₂),and step sizeM.

Output: the ternary valueshidden in (p ₁,p ₂).

 q1 q2  =  M−1 −(√3M)−1 0 2(√3M)−1   p₁ p ₂+M/√3  (lq1,lq2)= (q1 , q2)  p ₁ p ₂  =  M M/2 0 √3M/2   lq1 lq2  −  p ₁ p ₂+M/√3  min= (p₁ )2_{+ (p} 2)2 b=lq1+ 2lq2(mod3) ifmin> (p ₁+M)2_{+ (p} 2)2 then min= (p₁ +M)2_{+ (p} 2)2 s=b+ 1 (mod3) end if ifmin> (p ₁+M/2)2_{+ (p} 2+ √ 3M/2)2 _then min= (p₁ +M/2)2_{+ (p} 2+ √ 3M/2)2 s=b+ 2 (mod3) end if ifmin> (p₁ + 3M/2)2_{+ (p} 2+ √ 3M/2)2 _then min= (p ₁+ 3M/2)2_{+ (p} 2+ √ 3M/2)2 s=b end if 3 Proposed Method

The proposed method consists of two phases: (1) watermark generation, which generates the shadows{Ei}, followed by embedding{Ei} in the DCT domain of the host image, and (2) tampered block detection, together with the recovery achieved by a two-layer sharing decoder (then the decoded data set{Pi} is utilized to recover the tampered blocks).

3.1 Watermark Generation

Without the loss of generality, assuming that the host im-age is 512×512, so there are 4096 blocks of 8×8 pixels each. Then the following four steps are taken: (1) data sets {Pi|i = 1, 2, . . . , 4096} are generated for all 4096 blocks in the host image; (2) then these data sets are used to generate 4096 shadows {Ei|i = 1, 2, . . . , 4096}; (3) to increase the security and protection, a 12-bit hashing code is generated for each block i, and then the shadow Ei is encrypted by an Exclusive-OR with the 12-bit code; and (4) finally, the (encrypted) shadow Eiis embedded in each block, and the DCT coefficients are converted into spatial domain to obtain the watermarked image. The details of the steps 1 to 1 are explained next.

3.1.1 Generating date sets{Pi|i= 1, 2, . . . , 4096} Each 8×8 block of the host image is converted to DCT domain, and then four low-frequency DCT coefficients are quantized by step size M (the value of M influences the robustness of the watermarked image). Figure2 shows the positions of the four DCT coefficients{d0,d1,d8,d9}, which are colored dark gray. Then for each dc coefficient the d0 in the 8×8 block, the difference value d0is calculated by subtracting the dc coefficient of the previous block from d0. This step has two advantages. First, the contiguous blocks have similar dc values, so the bit length of d0can be reduced

d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 d10 d11 d12 d13 d14 d15 d16 d17 d18 d19 d20 d21 d22 d23 d24 d25 d26 d27 d28 d29 d30 d31 d32 d33 d34 d35 d36 d37 d38 d39 d40 d41 d42 d43 d44 d45 d46 d47 d48 d49 d50 d51 d52 d53 d54 d55 d56 d57 d58 d59 d60 d61 d62 d63

Fig. 2 DCT coefficients that are selected as dataPi(dark gray) and

by storing the differenced0. Second, when the brightness of the watermarked image is adjusted, all dc values will increase/decrease a const value, but the difference of two dc values is unchanged, so the integrity of differenced0 is preserved after the brightness is adjusted. Finally, for each 8×8 block, the data Piis calculated by

Pi = 

d0×d1MAX+ d1 

d₈MAX+ d₈d₉MAX+ d₉,

where diMAX is the maximal diof all blocks, and the three val-ues{dMAX

1 , d8MAX, d9MAX} are sent to the decoding side for the purpose of recovery. The size of Piis c= log₂(d₀MAXd₁MAX dMAX

8 d9MAX), which is determined by the maximal coeffi-cients in{d0, d1, d8, d9} among all blocks.

3.1.2 Generating recovery data{Ei |i = 1, 2, . . . , 4096}

Generate 4096 couples {(Pi, Ei)| |Pi| = c, i = 1, . . . , 4096} by the (t,n) = [4096(2α − 1), 4096] two-layer shar-ing encoder (Algorithm 1A). Here,α is a specified threshold for the percentage of valid blocks in a tampered image. Due to embedding capacity limitation, each generated shadow Ei should have 12 bits at most. This will makeα ≥ 6/(c + 12) a requirement when percentage valueα is specified. The proof is given in Sec.3.3. On the other hand, 100%= 1 > α is a natural requirement. Together, the percentage valueα must satisfy 1> α ≥ 6/(c + 12).

3.1.3 Generating the hashing code of a block

First, a 128-bit MD5 code25 of the block is calculated, and the formula is

MD5 (Pi, i, ID, Key),

where ID is the image’s identification number, and key is a secret key. Then the generated 128-bit MD5 code is divided into 10 sectors of 12 bits each (the final 8 bits of the MD5 code are dropped), and the Exclusive-OR on the 10 sectors is used to get a 12-bit hashing code.

3.1.4 Embedding shadow Eiin a block

For each 8×8 block, the shadow Ei is converted into eight ternary digits, and each digit is embedded in two DCT coef-ficients with lattice embedding (Algorithm 2A). Figure 2 shows all 2×8 DCT coefficients which are painted light gray. A coefficient in the middle frequency and a coeffi-cient in the low frequency are selected to form a pair of values (p1,p2). Here the eight pairs of values being used for (p1,p2) are{(d12,d2), (d40,d17), (d19,d10), (d4,d24), (d33,d16), (d26,d3), (d11,d18), (d32,d25)}. Then a ternary digit (0 or 1 or 2) grabbed from the shadow Eiis embedded in each (p1,p2) pair.

3.2 Tampered Image Verification and Recovery

When a tampered watermarked image is received, the follow-ing steps can generate the verification result and the recovered image.

1. Data sets {Pi |i = 1, 2, . . . , 4096} are generated for all blocks in the tampered watermark image (this step is the same as Sec.3.1.1).

2. All shadows{E i |i = 1, 2, . . . , 4096} are extracted from all blocks with Algorithm 2B.

3. A 12-bit hashing code is generated from each block (this step is the same as Sec.3.1.3). Then Ei is de-crypted by applying Exclusive-OR to Eiand the 12-bit code.

4. Detect the tampered blocks of the coupled-shadows {(P

i, Ei ) |i = 1, 2, . . . , 4096} with (t,n) = [4096 (2α − 1), 4096] two-layer sharing decoder (Algo-rithm 1B). If the percentage of tampered blocks is less than 1− α, the data sets {Pi|i = 1, 2, . . . , 4096} are decoded. Then output the decoded data sets{Pi} and the verification result indicating locations of the tam-pered blocks. (If the percentage of tamtam-pered blocks is more than 1− α, the warning-message is output: “Too many blocks are tampered, and hence no re-covery can be done,” then the procedure should be stopped without going to step 5.)

5. For the data sets{Pi|i = 1, 2, . . . , 4096}, decode the four values{d0,d1,d8,d9} by division. The step re-quires the three values {dMAX

1 , d8MAX, d9MAX}. Then the dc value d0is obtained by calculating the sum of d0and the dc coefficient of the previous block. 6. In all tampered blocks, the four DCT

coeffi-cients{d0,d1,d8,d9} should be replaced with the de-quantized values in Pi.

7. For each block that passes the authentication tests, if its DCT coefficient d0 is too far away from the dequantized value d0 in Pi (up to a threshold), then still replace the DCT coefficient d0by the dequantized value d0extracted from Pi; this is to recover back the whole image after global adjustment of brightness. 8. The DCT coefficients in each block should be

con-verted to the spatial domain.

3.3 Value ofα

The value of α used in Sec. 3.1 is discussed here. In Sec.3.1.2, we set (t,n)= [4096(2α − 1), 4096] where 4096 is the number of 8×8 blocks in a 512×512 image. Due to the use of the RS code, which can correct(n − t)/2 error shadows in all n received shadows in general applications, the tolerable percentage of tampered blocks equals

_n−t 2  n = _{4096−4096(2α−1)} 2  4096 ≈ 4096−4096(2α−1) 2 4096 = 1 − α.

In other words, if the percentage of tampered blocks ex-ceeds 1− α, then our method loses the ability to re-cover tampered blocks. Analogously, in a tampered im-age, α is the minimal percentage of valid blocks needed to keep the recovery ability active. In Sec. 3.1, the size of each Pi is c. On the other hand, Sec. 3.1.4 states that shadow Ei is converted into 8 ternary digits. Hence, each Ei has|Ei| = log₂(38)= 8 log₂3≥ 12 bits. Thus, by the equation |Ei| ≈ (n/t − 1)c of Sec. 2.2, it can be de-rived that 12≤ |Ei| ≤ c [4096/4096(2α − 1)] − 1]. Hence, α ≥ (6/c + 12). Notably, α < 1 is required for a recovery system to be meaningful (α = 1 would require all blocks to be valid blocks, which means that the recovery system is too weak to tolerate even just one block being altered). Having

combined the two inequalities, a more integrated inequity should be

1> α ≥ 6(c+ 12).

4 Experimental Results

In this section, some experiments are undertaken to check the performance of our watermarked images.

4.1 Robustness Test

With the step value M being 20, four watermarked images {“Lena,” “Peppers,” “Jet,” “Scenery”} are generated and shown in Fig.3(a)to3(d). From Fig.3(a)to Fig.3(d), the PSNR values are 34.75, 34.70, 34.80, and 34.65 dB, respec-tively. Then a cropping attack is applied to the four water-marked images (we crop the central 192×192 pixels of each 512×512 image). Moreover, some further distortion is made to the cropped images, as illustrated in the following. The cropped “Lena” shown in Fig.3(e)is compressed by a JPEG with QF= 65 and the compression ratio is 8.57. The bright-ness of the cropped “Peppers,” shown in Fig.3(f)is increased by 30; Gaussian noises (σ2 _{= 6) are added to the cropped} “Jet” shown in Fig.3(g); an 8-pixels-wide “white” horizon-tal bar is inserted to the cropped “Scenery” image shown in Fig.3(h). Figures 3(i)to3(l)shows the verification result of the four tampered images. White blocks are the places marked as “tampered” blocks. Figures3(m)to3(p)are the four recovered images, and Figs.3(q)to3(t)are the close-up versions of the recovered images. The Peak SNR (PSNR) values of four recovered images are, from left to right, 30.16, 30.96, 29.83, and 31.75 dB, respectively. More experiments for various values of M are shown in Table1. In each row, column 1 is the value of the user-specified step value M; and column 2 is the PSNR of the corresponding watermarked im-age. The remaining columns are for different kinds of attacks. Column 3 is the allowed tampered ratio of watermarked im-age; i.e., if the tampered ratio is larger than the specified value, our method cannot recover the tampered region. Col-umn 4 is the tolerable bound of the qualify factor (QF) of JPEG compression; i.e., if the compression uses a QF below this bound,our method cannot recover the tampered region. Column 5 is for Gaussian noise, it shows the maximal tolera-ble varianceσ2of Gaussian noise. Column 6 is the tolerable range of brightness adjustment. In summary, if the attack uses a parameter value worse than the threshold values specified in Table1, then our method cannot recover the tampered re-gion. Should this happen, switching to a larger value of M in advance is necessary (In general, using a larger value of M in advance can increase the tolerable range of attack; but the watermarked image’s quality degenerates). From Table1, we see that our method can resist certain levels of area tampering (e.g., cropping or replacement of some areas of image), JPEG compression, Gaussian noise, and brightness adjustment.

4.2 Security Test

Three kinds of attack are tested on our watermarked images, which are cut-and-paste attack,26_{collage attack,}27_{and vector}

quantization (VQ) attack.28

First, the so-called cut-and-paste attack is tested.26

Fig-ure4(a) is our watermarked image and the PSNR value is

48.13 dB. Then a small-size pepper is copied and pasted to the lower-left corner as shown in Fig. 4(b). Figure4(c) is the verification result, and Fig.4(d)is the recovered image, the PSNR value of which is 40.54 dB. Second, the so-called collage attack is tested.27Figures5(a)and5(b)show our two watermarked images, “Boat” and “House,” and the PSNR values are 34.63 and 34.76 dB, respectively. Then the car in Fig.5(b)is copied-and-pasted to the same place in Fig.5(a). This yields the image shown in Fig.5(c). Figure5(d)is the verification result, and Fig.5(e)is the recovered image, the PSNR value of which is 31.88 dB. Finally, the so-called VQ attack is tested.28Twelve aerial images are downloaded from the USC-SIPI Image Database.29 _{Each image is 512×512,}

and is converted to a grayscale image. Then one of them is assigned as the test image [the one shown in Fig.6(a)]; and the remaining 11 images are watermarked by the proposed method (using M= 4). Then, since our method is based on 8×8 blocks, the eleven watermarked images are partitioned to get blocks of 8×8 each. These blocks are collected together and treated as a VQ codebook with many code words. With this VQ codebook, the VQ-compression-decompression ver-sion of Fig. 6(a) is shown in Fig. 6(b). Figure6(c) is the verified result, which shows that the whole Fig. 6(b)is a fake.

4.3 Image Quality and Our Advantage

First, as suggested by one of the reviewers, the method of Varsaki et al.11was implemented, and the results are shown in Fig.7. Figure7(a)is the 512×512 watermarked color image “Lena,” which is 40.88 dB. As shown in Fig.7(b), the em-bedded recovery data is the size-reduced 128×128 gray-level version of the rotated host, the clockwise rotation is 180 deg, as suggested by Varsaki et al.11_{This 128×128 gray-level}

ro-tated version is embedded in the 128×128 blocks of the host image, and each block is 4×4. Thus, the recovery data of the rightmost bottom 4×4 block is embedded in the leftmost top 4×4 block, and the recovery data of the Southwest quadrant is embedded in the Northeast quadrant, and so on. Unfortu-nately, when the central 192×192 pixels of the watermarked “Lena” are cropped [the tampered image is shown in Fig. 7(c)], the recovery data extracted from the non-cropped area is as shown in Fig.7(d). We can see that the tampered region still cannot be recovered because the recovery data of the central 192×192-pixel box was embedded earlier in the box itself. In other words, the recovery data of the cropped box is also cropped. This is very different from ours. As shown in Fig.3, when the central 192×192 pixels of our watermarked “Lena” are cropped, the cropped region can still be recov-ered. This should come as no surprise because, according to Table1, when M= 20, a moderate-size-area’s tampering can be tolerated (up to 16.7% of the whole image’s blocks can be tampered).

Next, because Tsai and Chien’s method17 used scaled versions of the originals as messages, then embedded the messages in the frequency domain, and also because they provided experimental results about the resistance to JPEG compression and Gaussian noise, we compare their method with ours.

Figure 8shows the experiment. The results of Tsai and Chien17 _{are shown in Figs.8(a)to8(d)and ours are shown}

(d) (c) (b) (a) (e) (f) (g) (h) (l) (k) (j) (i) (m) (n) (o) (p) (q) (r) (s) (t)

Fig. 3 Robustness test of the proposed method. (a) to (d) our four watermarked images “Lena,”

“Pep-pers,” “Jet,” and “Scenery”; (e) and (f) the four cropped images: (i) to (l) the corresponding verification results, after doing a JPEG compression on (e), adjusting brightness of (f), adding noise to (g), and adding white bar to (h); and (m) to (p) the recovered images; (q) to (t): close-up versions around the recover area of the recovered images (m) to (p).

Table 1 PSNR quality of watermarked image and attack-tolerance (for various quantization step valueM). The host images are “Lena” (L), “Peppers” (P), “Jet” (J), and “Scenery” (S).

Watermarked Image Attack Tolerance

Range of “Brightness Adjustment” Quantiz. Step Value (M) Used in our Algorithm PSNR (dB) of Watermarked Image (1− α) , i.e., Percentage of Area Can Be Cropped or Replaced JPEG with QF not Less than Thresholds Shown Here

Gaussian Noise

(σ2_{) “Pepper”}“Lena”; _{“Scenery”}“Jet”;

2 53.37–53.40 1/8= 12.5% 100 0 [–35,40]; [–10,40] [–55,30]; [–20,25] 4 48.13–48.15 1/8 94 0 [–40,50]; [–15,50] [–70,35]; [–30,30] 6 44.83–44.85 1/8 90 0 [–40,50]; [–15,55] [–70,35]; [–30,30] 8 42.40–42.48 1/8 86 0− 1 (0 for J; 1 for L&P&S) [–40,50]; [–15,55] [–70,35]; [–30,30] 10 40.52–40.54 1/8 82 2− 3 (2 for J&P&S; 3 for L) [–40,50]; [–15,55] [–70,35]; [–30,30] 12 38.95–39.01 1/8 78 4 [–40,50]; [–20,55] [–75,35]; [–30,30] 14 37.67–37.72 1/8 75 5− 6 (5 for L&S; 6 for J&P) [–40,55]; [–20,55] [–75,35]; [–30,30] 16 36.56–36.61 1/8 71 7 [–40,55]; [–20,55] [–75,35]; [–30,30] 18 35.55–35.62 1/8 67 10 [–40,55]; [–25,55] [–75,35]; [–30,30] 20 34.63–34.80 1/6= 16.7% 63 13 [–45,60]; [–25,60] [–85,35]; [–35,35] 22 33.84–33.97 1/6 59 16 [–45,60]; [–25,60] [–85,35]; [–35,35] 24 33.10–33.24 1/6 55 19 [–45,60]; [–25,60] [–85,40]; [–40,40] 26 32.43–32.60 1/6 51 22 [–45,60]; [–25,65] [–85,40]; [–40,40] 28 31.80–32.00 1/6 48 26 [–45,60]; [–25,65] [–85,40]; [–40,40] 30 31.24–31.42 1/6 45 30 [–45,65]; [–25,65] [–85,40]; [–40,45] 32 30.70–30.87 1/6 42 34 [–45,65]; [–25,65] [–85,40]; [–40,45]

watermarked image “Jet” in Fig.8(a)is 30.8 dB, while ours in Fig.8(e)is 32.29 dB. The PSNR value of the recovered image is 29.3 dB [Fig.8(d)] for theirs, and 31.89 dB [Fig. 8(h)] for ours. Notably, Figs.8(i)and8(j)show the details of Figs.8(d)and8(h), respectively. It is observed that, be-tween the lower-middle and lower-left of the image, there are some artifacts in their recovered snow area below the moun-tains, as shown in Fig.8(i). Therefore, our recovered image is better.

Figure9shows the second experiment. The watermarked image “Peppers” are under both tampered attack and JPEG

compression. The results of Tsai and Chien’s17 _{method are}

shown in Figs. 9(a)to 9(d). Ours are shown in Figs.9(e) to 9(h). Figure 9(a) is their 30.6 dB watermarked image. Figure 9(b)is their tampered image [inserting a subimage compressed-decompressed by JPEG (QF= 80, and the com-pression ratio is 4.3). Figure 9(e) is our 32.24-dB water-marked image. Figure9(f)is our tampered image [inserting a sub-image, then use JPEG (QF= 80, and the compression ratio is 5.4] to compress/decompress the mixed image]. Hav-ing compared the two recovered images Figs.9(d)and9(h), it can be seen that ours [Fig. 9(h)] has better visual quality

(a) (b) (c) (d) Fig. 4 Cut-and-paste attack: (a) watermarked image, (b) tampered image, (c) verification result, and (d) recovered image.

(a)

(e)

(b) (c) (d)

Fig. 5 Collage attack: (a) first watermarked image “Boat;” (b) second watermarked image “House,” (c)

collaged image in which the car in (b) is copied and pasted to the same place as (a); (d) verification result; and (e) recovered image.

(a) (b) (c)

Fig. 6 Vector quantization (VQ) attack: (a) original image, (b) VQ-attack result of (a) and (c) verification

(a) (b) (c) (d) Fig. 7 Cropping test for Varsaki et al.’s11_{method: (a) watermarked image “Lena,” (b) recovery data}

embedded in (a), (c) when (a) is cropped, and (d) recovery data extracted from the support of the noncropped area. (a) (b) (c) (d) (h) (g) (f) (e) (i) (j)

Fig. 8 Experiment to compare our method with that of Tsai and Chien17_{: (a) their 30.8-dB watermarked}

image “Jet,” (b) their tampered image, (c) their verification result, (d) their 29.3-dB recovered image, (e) our 32.29-dB watermarked image, (f) our tampered image, (g) our verification result, and (h): our 31.89-dB recovered image. Note that (i) and (j) show the details of (d) and (h), respectively. There are some artifacts in (i) on the recovered snow.

(a) (b) (c) (d) (h) (g) (f) (e) (i) (j)

Fig. 9 Second experiment to compare our method with that of Tsai and Chien17_{: (a) their 30.6-dB}

watermarked image “Peppers,” (b) tampering with (a) followed by JPEG compression with QF= 80;

(c) their verification result; (d) their recovered image; (e) our 32.24-dB watermarked image “Peppers,” (f) tampering with (e), followed by a JPEG compression with QF= 80; (g) our verification result; (h) our recovered image. Note, that (i) and (j) show the details of (d) and (h), respectively.

[because Fig.9(d)has some noisy dots]. Details are shown in Figs.9(i)and9(j).

Figure10shows the final experiment. The watermarked image Peppers is tampered with; and then the damaged im-age is attacked by adding Gaussian noises. The results of Tsai and Chien17are shown in Figs.10(a)to10(d), and ours are shown in Figs.10(e)to10(h). Having compared the two recovered images, Figs. 10(d) and 10(h), again, it can be seen that ours [Fig.10(h)] still has a better visual quality [be-cause Fig.10(d)has some noisy dots]. Details are shown in Figs.10(i)and10(j).

5 Comparison with Other Studies

In this section, the proposed method is compared with other studies. First, the two studies12,13 _{are authentication}

meth-ods without considering the issue of recovery, but ours is equipped with both authentication and recovery abilities. As for other semifragile watermarking methods14–18 _{with both}

authentication and recovery abilities, to describe the differ-ence between ours and those methods, each watermarking algorithm is divided into major substeps (from the perspec-tive of methodology and system design), and then a compar-ison is made. The differences are described below.

5.1 Embedding Location (i.e., Where to Embed) and

Our Advantage

In the methods of Refs.14to16, the recovery data of each block is embedded in another block. For example, the recov-ery data of block A0is embedded in block A1, the recovery data of block A1 is embedded in block A2, and so on. In the verification and recovery phase, if block A0 is judged as “tampered,” then the recovery data in block A1 is ex-tracted to recover block A0, and so on. In this example, if blocks A0 and A1 are both tampered, then block A0 can-not be recovered. In Tsai and Chien’s method,17,18_although

(a) (b) (c) (d) (h) (g) (f) (e) (i) (j)

Fig. 10 The third experiment to compare our method with that of Tsai and Chien17_{: (a) their 30.6-dB}

watermarked image “Peppers;” (b) tampering with (a), followed by adding Gaussian noises withσ2_{= 12;}

(c) their verification result; (d) their recovered image; (e) our 32.24-dB watermarked image “Peppers;” (f) tampering with (e), followed by adding Gaussian noises withσ2 _{= 12; (g) our verification result;}

(h) our recovered image (Note, (i) and (j) show the details of (d) and (h), respectively.

recovery data in low-frequency bands still needs to find some other location in high-frequency domain to under-take embedding. Therefore, if both locations are attacked, a similar recovery-disabled problem exists, although it is less severe.

However, in our method, as long as the number of valid blocks reaches a threshold, our inverse operation of the two-layer sharing can always decode the recovery data, so there is no need to consider the case that a block A0and the block A1 storing its recovery data are simultaneously tampered. We only have to consider the percentage of the damaged area occupied in the whole image. As long as the damaged blocks occupy less than, say, 1/6 = 16.7% of the whole image’s blocks, recovery can always be undertaken. In general, it is hard to predict in advance which part would be tampered. There is no way to predict the trace of tampering, and wor-rying about “the percentage of blocks (in the whole image) being tampered” is simpler than worrying about “how to predict the actual location of the tampered area.”

5.2 Embedding Method (i.e. How to Embed) and Our

Advantage

Parity-check quantization (or similar works) is used in a great many research works.14–17_{As for Ref. [16], it embeds the data}

in least significant bits (LSBs) of the host image. Notably, 1-bit LSB embeds 1 bit/pixel, so 2 bits are embedded in two pixels, and the largest distortion for a pair of stego pixels is (12_{+ 1}2₎1/2₌√_{2≈ 1.414, but in our lattice embedding,} when M= 2 in Fig.1, our largest distortion for two host pix-els is M/√3= 2/√3≈ 1.155; hence smaller. As shown in Fig.11, in 1-D parity-check quantization, the host values are

−2M −M 0 M 2M

0 1 0 1 0

p

Fig. 11 Diagram of the 1-D parity-check quantization used in many

divided into many regions like (–3M/2,–M/2), (–M/2,M/2), (M/2,3M/2), (3M/2,5M/2), and so on, with M is called the quantization level or step size. Each region corresponds to a binary value 0 or 1. If a bit is to be embedded in a host value p, then just find the nearest region of p so that the nearest region corresponds to the bit value to be embedded. Then output the central coordinate (0, or ± M, or ± 2M, or . . . ) of the picked region as the stego value that replaces p. To extract the hidden secret bit, just locate the region which contains the stego value, then output the corresponding bit value 0 or 1. Our method is different, since we use lattice embedding as the embedding method. As shown in Fig.1, the space of the host pair-values (p1,p2) is divided into many hexagonal re-gions, and the center of each region corresponds to a ternary value 0, 1 or 2. (In Fig. 1, small rectangles, triangles, and circles are used to represent the three values, respectively.) If a ternary value is to be embedded in the host pair (p1,p2), the nearest hexagon-center is found (i.e., small rectangle, trian-gle, or circle), which corresponds to the ternary value to be embedded. Then the 2-D coordinate of the hexagon-center is output. Later, to decode the embedded value, just locate the hexagonal region which contains the stego pair (p1,p2), then output the corresponding value 0, 1, or 2 of the region. The major reason for using lattice embedding is that the distortion of the embedding is smaller, because the hexagon-centers are denser in the plane than the square-hexagon-centers. To see this, first let us inspect Fig.12, which explains the 2-D case of parity-check quantization, i.e., it explains what happens when two pixels (p1,p2) are modified by parity-check quanti-zation in order to embed two bits (00= 0, 01 = 1, 10 = 2, or 11= 3) of the data. According to the location of (p1,p2), the nearest square-center, whose class-reading in{0,1,2,3} must coincide with the given 2-bit data, is picked and the value of (p1,p2) is replaced by the coordinate of the square-center. The quantization step size M in Fig. 12 is the same as in Fig.1. Having compared Figs.1and12, it can be seen that the distance between the hexagon-centers is smaller than the distance between the square-centers (each hexagon can be contained by a square box of size M-by-M). Therefore, when two host pixel values (p1,p2) are modified to embed the data, the distortion of the Lattice embedding is smaller. (As shown in Figs.8to10, our watermarked images have a better image quality.) p1 p2 M

*

_*

*

*

Fig. 12 Diagram to explain a 2-D case of parity-check quantization.

Here, two host pixel values (p1,p2) are replaced by one of the centers

for the purpose of embedding 2-bit data.

Of course, when Fig.1is adopted to replace Fig.12, the price is that the data embedded in a hexagon can only have a data value of 0, 1, 2, but not 3. In other words, we sacrifice the size of the embedding to get a smaller distortion. How-ever, this difficulty is overcome because a sharing technique is used in the paper here to reduce the amount of data to be embedded, along with the second benefit of increasing the recovery ability from scattered large-area tampering. In general, the size of each share is only a small portion of the original size of the data. (As shown in Figs.8to10, although our watermarked images have a better image quality, our recovery ability is still very competitive.)

6 Conclusion

We proposed an authentication-recovery method. The wa-termarked image can be moderately altered by doing a JPEG compression, adding a Gaussian noise, or adjusting the brightness. Certain security tests, such as a cut-and-paste attack, a collage attack, and a VQ attack, were also tested. In our design, the recovery data is embedded in DCT co-efficients using lattice embedding to reduce distortion. The recovery data is dispersed into many blocks by two-layer sharing. Compared with previously reported methods, our specialty is that the tampered region can be recovered as long as the percentage of the tampered blocks does not ex-ceed a pre-defined threshold, say, 16.66%. Notably, as stated in Sec.5.1, it is hard to predict in advance which part of a watermarked image will be cropped or replaced by attack-ers. The traditional mapping-sequence strategy for finding locations to hide recovery data is not a suitable strategy. This dilemma is avoided in this paper by using sharing. After all, worrying about “the percentage of blocks being tampered” is simpler than worrying about “how to predict the actual locations of tampered area.”

Acknowledgments

This work is supported by the National Science Council of Republic of China, under Grant No. NSC97-2221-E-009-120-MY3. The authors also thank the reviewers and editor for their valuable comments.

References

1. C. Y. Lin and S. F. Chang, “A robust image authentication method distinguishing JPEG compression from malicious manipulation,”IEEE

Trans. Circ. Syst. Video Technol. 11(2), 153–168 (2001).

2. P. Tsai, Y. C. Hu, and C. C. Chang, “Using set partitioning in hier-archical tree to authenticate digital images,”Signal Process. Image

Commun. 18(9), 813–822 (2003).

3. C. C. Chang, Y. S. Hu, and T. C. Lu, “A watermarking-based image ownership and tampering authentication scheme,”Pattern Recog. Lett. 27(5), 439–446 (2006).

4. M. U. Celik, G. Sharma, E. Saber, and A. M. Tekalp, “Hierarchical watermarking for secure image authentication with localization,”IEEE

Trans. Image Process. 11(6), 585–594 (2002).

5. P. W. Wong and N. Memon, “Secret and public key image watermarking schemes for image authentication and ownership verification,”IEEE

Trans. Image Process. 10(10), 1593–1601 (2001).

6. P. L. Lin, C. K. Hsieh, and P. W. Huang, “A hierarchical digital wa-termarking method for image tamper detection and recovery,”Pattern

Recog. 38(12), 2519–2529 (2005).

7. C. S. Chan and C. C. Chang, “An efficient image authentication method based on Hamming code,”Pattern Recog. 40(2), 681–690 (2007). 8. Y. J. Chang, S. J. Lin, and J. C. Lin, “Authentication and cross-recovery

for multiple images,”J. Electron. Imaging17(4), 043007 (2008). 9. X. Zhang and S. Wang, “Fragile watermarking with error-free

10. A. M. Alattar, “Reversible watermark using the difference expansion of a generalized integer transform,”IEEE Trans. Image Process. 13(8), 1147–1156 (2004).

11. E. E. Varsaki, V. Fotopoulos, and A. N. Skodras, “Self-authentication of natural color images in Pascal transform domain,” in Proc. 16th

Int. Conf. on Digital Signal Processing, IEEE Circuits and Systems

Society; Santorini, Greece, 5–7 July (2009), pp. 1–6.

12. C. K. Ho and C. T. Li, “Semi-fragile watermarking scheme for au-thentication of JPEG images,” in Proc. IEEE Int. Conf. Information

Technology, Coding, and Computing (ITCC’04), Las Vegas, USA,

Vol. 2, pp. 7–11 (2004).

13. C. H. Lin, T. S. Su and W. S. Hsieh, “Semi-fragile watermarking scheme for authentication of JPEG images,” Tamkang J. Sci. Eng. 10(1), 57–66 (2007).

14. C. Y. Lin and S. F. Chang, “Semi-fragile watermarking for authenticat-ing JPEG visual content,” Proc. SPIE 3971, 140–151 (2000). 15. S. L. Hsieh, P. D. Wu, I. J. Tsai, and B. Y. Huang, “A recoverable

semi-fragile watermarking scheme using cosine transform and adaptive median filter,”Lecture Notes in Comput. Sci. 5060, 629–640 (2008). 16. X. Jiang and Q. Liu, “Semi-fragile watermarking algorithm for image

tampers localization and recovery,”J. Electron. (China)25(3), 343– 351 (2008).

17. M. J. Tsai and C. C. Chien, “Authentication and recovery for wavelet-based semi-fragile watermarking,”Opt. Eng. 47(6), 067005 (2008). 18. M. J. Tsai and C. C. Chien, “A wavelet-based semi-fragile

watermark-ing with recovery mechanism,” inProc. IEEE Int. Symp. on Circuits

and Systems, pp. 3033–3036 (2008).

19. C. C. Thien, and J. C. Lin, “Secret image sharing,” Comput. Graph. 26(5), 766–770 (2002).

20. I. S. Reed and G. Solomon, “Polynomial codes over certain finite fields,”J. Soc. Industr. Appl. Math. 8(2), 300–304(1960).

21. F. Preparata, “Holographic dispersal and recovery of information,”

IEEE Trans. inf. Theory35(5), 1123–1124(1989).

22. J. L. Massey, “Shift-register synthesis and BCH decoding”, IEEE

Trans. Inf. Theory15(1), 122–127 (1969).

23. T. K. Truong, W. L. Eastman, I. S. Reed and I. S. Hsu, “Simplified procedure for correcting both errors and erasures of Reed–Solomon code using Euclidean algorithm,” IEE Proc. 135(6), 318–324 (1988). 24. P. Moulin and R. Koetter, “Data-Hiding Codes,”Proc. IEEE93(12),

2083–2127(2005).

25. R. Rivest, “RFC1312: the MD5 message-digest algorithm,” http://tools. ietf.org/html/rfc1321 (1992).

26. P. S. L. M. Barreto, H. Y. Kim, and V. Rijmen, “Toward secure public-key blockwise fragile authentication watermarking,” IEE Proc. Vis.

Image Signal Process. 149(2), 57–62(2002).

27. J. Fridrich, M. Goljan, and N. Memon, “Further attacks on Yeung-Mintzer fragile watermarking scheme,” Proc. SPIE 3971, 428– 437(2000).

28. M. Holliman, and N. Memon, “Counterfeiting attacks on oblivious block-wise independent invisible watemarkhg schemes,”IEEE Trans.

Image Proc.9(3), 432–441(2000).

29. The USC-SIPI Image Database, http://sipi.usc.edu/database/.

Sian-Jheng Lin received his BS and MS

de-grees in computer science in 2004 and 2006, respectively, from National Chiao Tung Uni-versity, where he is currently a PhD candi-date in the Computer Science Department. His recent research interests include image processing and secret sharing.

Ja-Chen Lin received his BS and MS

degrees from National Chiao Tung Univer-sity, Taiwan, and his PhD degree in mathe-matics from Purdue University, in 1988. He is currently a professor with the Department of Computer and Information Science, Na-tional Chiao Tung University. His research interests include pattern recognition and im-age processing. Dr. Lin is a member of the Phi-Tau-Phi Scholastic Honor Society.