
A Semi-Fragile Hybrid Watermarking Method for Image Authentication


Academic year: 2021


CHAPTER 4

A Semi-Fragile Hybrid Watermarking Method for Image Authentication

4.1 Introduction

Digital storage is increasingly being used to store digitized traditional forms of data. Digitized multimedia data are easy to process, store, and share with others through open communication channels. These advantages also bring potential risks to the security and credibility of shared data. Many digital authentication techniques have been proposed to maintain the credibility of multimedia data between sender and receiver. These techniques fall into two categories: signature-based techniques and watermarking-based techniques. Signature-based techniques [Lin01][Lu03][Tsa03] extract important features from a protected image and store them as a secure key, and then send the key to an authenticator who authenticates the credibility of the received image. In contrast, watermarking-based techniques embed invisible authentication signatures into multimedia data, and the receiver can authenticate the credibility of received data by analyzing the embedded signatures.

Watermarking techniques applied in image authentication can be further classified into three types: fragile, content-fragile, and semi-fragile. In fragile watermarking techniques [Fri02a][Yeu98], the cryptographic watermarks embedded in a protected image can be used to identify modification to any pixel. In content-fragile watermarking techniques [Dit99][Liu04], image features are extracted from image content to form cryptographic watermarks. The watermarks are then embedded to protect regions of interest. Multimedia content can be authenticated at the semantic level even though the image has undergone perceptible alterations, such as filtering and geometric attacks. In semi-fragile watermarking techniques, secure watermarks embedded in an image can tolerate some imperceptible distortions, such as those associated with lossy compression. In this chapter we focus on semi-fragile watermarking techniques.

Among the semi-fragile watermarking techniques reported in the literature, Lin and Chang [Lin00] proposed a semi-fragile watermarking technique in the wavelet domain where the watermark is embedded into wavelet coefficients with a pseudo-noise pattern. This technique can localize tampered areas under slight compression (3:1). Rey et al. [Rey00] proposed a blind watermarking method that selects features invariant to lossy compression (edges, colours, gradient, and luminance) to make content-based watermarks, and then embeds the watermarks into the image using an iterative embedding function until the invariant features are not affected by the embedded watermarks. Xie et al. [Xie01] proposed a semi-fragile watermarking technique that embeds an edge-based digital signature into selected coefficients according to the properties of SPIHT compression. Although the scheme is robust to lossy compression, it cannot clearly localize where the image was tampered. Queluz [Que02] proposed a blind spatial watermarking method in which the image is decomposed into several nonoverlapping sets and each set is stored in a vector. The vectors are associated three by three, resulting in triads of image vectors that are projected in secret directions according to the watermarks. Although the receiver can localize tampered areas even when the image is compressed by JPEG compression, the detection ability relies on a sufficiently large set of image pixels and is not accurate enough. Kundur and Hatzinakos [Kun99] proposed a quantization-based method for image authentication, in which a selected wavelet coefficient is adjusted into a quantized interval according to a binary-value watermark. However, it is difficult to determine a fixed quantized interval that will make the watermarking transparent and robust to lossy compression.

Lin and Chang [Lin00] described two invariant properties of JPEG compressed images that can be used to generate and embed watermarks into selected DCT coefficients. In that algorithm, watermarks are embedded according to a selected quantization table. It is difficult to determine a quantization table that will make the watermarking transparent and robust to lossy compression. Besides, the watermarks are generated from the relations of coefficient pairs of two selected blocks, and hence any tampering of one of the blocks of each pair can be detected. Yu et al. [Yu01] proposed a mean-quantization-based method in the wavelet domain, in which the mean value of a block is adjusted to embed a binary-value watermark with a fixed quantized interval, and where an information fusion function is used to increase the accuracy of authentication. In that algorithm, the original watermarks need to be transmitted to the receiver for authenticating the protected image. Zhao et al. [Zha04] proposed a dual-domain watermarking technique for image authentication, in which the watermarks are generated in the DCT domain and embedded into a wavelet coefficient using a group quantization scheme. The coefficients of neighbors are summed and quantized for a bit of the watermarks. In the scheme, the robustness to JPEG compression cannot be guaranteed. Bao et al. [Bao05] proposed two adaptive watermarking techniques based on singular value decomposition in the spatial and wavelet domains for images, in which the content-based quantization steps are designed using the means and deviations of blocks. The adaptive quantization steps are used to embed watermarks as binary values in blocks so as to achieve good transparency. Although the scheme improves the watermarking transparency, the robustness to JPEG compression cannot be guaranteed and the quantization indices must be sent to the authenticator.

The aforementioned semi-fragile watermarking schemes were designed to be robust to JPEG compression and sensitive to malicious manipulations, but they have not considered the counterfeiting attack. The counterfeiting attack is a type of fabrication attack. The counterfeiting attack proposed by Holliman and Memon [Hol00] can forge block watermarks into a non-watermarked image with a large codebook constructed from a watermarked-image database, as discussed in section 2.4. The attack can be performed successfully without any knowledge of the watermarks or secure keys used in the watermark embedding process. Evidently, the attack can be successful against any watermarking technique that is blockwise independent.

The aforementioned works were proposed to attain some desirable characteristics, including robustness to JPEG compression, sensitivity to unauthorized manipulations, blind detection of watermarks, and adaptive transparency. However, none can attain all of the characteristics. In this chapter we propose a hybrid watermarking technique in which the watermarks are embedded using various strategies according to the characteristics of DCT coefficients so as to achieve perceptual transparency of the watermarks. Besides, the proposed hybrid watermarking technique brings better performance in image transparency and robustness to JPEG compression than traditional quantization-based watermarking. Finally, two calibration functions are used to increase the accuracy of authentication. The technique guarantees robustness to JPEG compression and sensitivity to malicious manipulations, including the counterfeiting attack. The remainder of this chapter is organized as follows: Section 4.2 describes the details of our semi-fragile watermarking scheme, and the analysis of our algorithm is delineated in section 4.3. The experiments are described in section 4.4. Finally, we conclude the paper in section 4.5.

4.2 The Proposed Semi-Fragile Watermarking

Semi-fragile watermarking should be robust to the incidental manipulation, JPEG compression, and sensitive to malicious attacks. Therefore, the proposed watermark scheme was designed in the DCT domain so that the characteristics of JPEG compression can be controlled accurately. The content-based watermarks are designed to promote the practicability and security of the watermarking scheme. The watermark generation process is detailed in section 4.2.1, and an adaptive hybrid watermarking method is introduced in section 4.2.2. Finally, the watermark authentication method and the calibrating functions are delineated in section 4.2.3.

4.2.1 The Generation of Content-Based Watermarks

A blockwise watermarking scheme that is impervious to the counterfeiting attack requires that the watermarks for a block are generated based on the block content and that they also contain information obtained from other blocks. In this chapter, two features that are invariant to JPEG compression are used to generate the watermarks and the relationships among blocks.

The watermark generation process of the proposed watermarking scheme is depicted in Fig. 4.1. The original image is segmented into nonoverlapping blocks of size 8 × 8 pixels. The coefficients of segmented blocks consist of 256 possible gray levels, so the process of generating watermarks begins by level shifting the coefficients of the segmented blocks by -128 gray levels. After all coefficients are adjusted, the forward DCT transformation is applied to every segmented block. The resulting DCT coefficients of a block are represented by $x_i$, where $0 \le i \le 63$. Two features (significant pattern and reference bit) that are invariant to JPEG compression are then extracted to generate the watermarks.

The distortions in JPEG compression are caused by the quantization operation. The DCT coefficients are quantized using 1 of 64 corresponding steps from a quantization table and then adjusted to the nearest integers according to

$$x_i = \mathrm{ROUND}\left(\frac{x_i}{q_i}\right) \tag{4.1}$$

where $q_i$ is the ith quantization step within the quantization table, for $0 \le i \le 63$, and ROUND(x) returns the nearest integer of x. In our experiments, the quantization table was adjusted according to [Che00] to form compressed images of various qualities. The standard level-50 quantization table ($Q_{50}$) is given in Table 3.1 [Joint].

The quantization level (compression level) can be adjusted with the predefined parameter L. The relation between the standard quantization table and the compression level L is

$$q_i(L) = \frac{q_i(50) \times CS(L) + 50}{100} \tag{4.2}$$

where the adjusted function $CS(\cdot)$ is described by

$$CS(L) = \begin{cases} 5000/(100 - L), & \text{if } L > 50 \\ 200 - (100 - L) \times 2, & \text{if } L < 50 \end{cases} \tag{4.3}$$

The rounding operation is what affects most the value of the distortion, with a range equal to half the quantization step. Evidently, the maximum distortion for a lower quantization level does not exceed the maximum distortion for a higher one.

Fig. 4.1. The content-based watermark generation process. (Block diagram; labels: I, Preprocessing, Forward DCT (8×8), Feature Extraction, Hashing Function, Reference Bit-Plane Extraction, Mapping Function, Key.)

In this study, the aforementioned characteristic is applied to produce the invariant features (significant pattern and reference bit) for each block. For generating the significant pattern of each block, we select a quantization level $L_{MAX}$ that is greater than the highest acceptable level $L_T$, and $L_{MAX}$ is used as the cut-off for categorizing the DCT coefficients. Within each 8 × 8 block, those coefficients greater than the values at identical positions within the quantization table of $L_{MAX}$ are called significant coefficients, and the others are called insignificant coefficients. The classified coefficients are set to a binary value to form a significant pattern, where the values of significant coefficients are set to one and the others are set to zero. The significant pattern is used to represent the characteristics of a subregion, and is the invariant feature used to generate the prototype watermarks.

To ensure that the significant patterns are identical between the embedding and authentication process even when the watermarked image undergoes JPEG compression, DCT coefficient $x_i$ is adjusted to a new value $\hat{x}_i$,

$$\hat{x}_i = \begin{cases} ML_i, & \text{if } ML_i < x_i < \hat{q}_i \\ MR_i, & \text{if } \hat{q}_i \le x_i < MR_i \end{cases} \tag{4.4}$$

where $ML_i = \hat{q}_i - 0.5 q_i$, $MR_i = \hat{q}_i + 0.5 q_i$, and $\hat{q}_i$ and $q_i$ are the ith quantization steps within the quantization table of levels $L_{MAX}$ and $L_T$, respectively. To accurately control the JPEG-compression distortions to the embedded watermarks and the overall image, every element of quantization level $L_T$ is multiplied by a scaling factor α to form quantization level $L_{MAX}$, where $\alpha \in Z^+$. We used 4 standard images to test the proposed watermarking scheme with several choices of threshold α. The test images, Airplane, Sailboat, Peppers, and Lena, are shown in Fig. 4.9(b), 4.9(d), 4.9(f), and 4.9(g), respectively. An example of the qualities of watermarked image (Lena) obtained by changing threshold α and quantization level $L_T$ is shown in Fig. 4.2. For all test images, all average PSNRs of identical scaling factor among various compression levels are summarized in Table 4.1. As can be seen from Table 4.1, the watermarked image is best when scaling factor is 3. Therefore, in all experiments below, α was set to 3.

Fig. 4.2. An image (Lena) is tested by the proposed scheme with the various choices of the parameters α and $L_T$ ($L_S$ = 30 and β = 4). (Plot of the PSNR against Alpha for quantization levels 50, 60, and 70.)

For each block, the block information (block indices, and significant pattern) is input to a one-way hashing function to generate the message digests. Then the front β bits of the message digests are adopted as prototype watermarks.

Table 4.1. The average qualities of watermarked images ($L_S$ = 30 and β = 4) obtained by changing threshold α and quantization level (50, 60, and 70).

Average Signal to Noise Ratio (dB) for each value of the scaling factor α:

Image      α = 2   α = 3   α = 4   α = 5   α = 6
Sailboat   39.40   39.47   39.12   38.59   37.84
Peppers    40.18   40.46   40.41   40.24   39.89
Lena       39.94   40.03   39.73   39.31   37.79
Airplane   39.83   39.79   39.40   39.03   38.51

Block relationships are generated so as to resist the fabrication attack. The identical orders of watermarks of every block are viewed as a watermark bit plane. If there are β-bit watermarks in a block, then there are β 1-bit planes. For each bit in a plane, the bit watermark is XORed with the reference bit of the selected block pair chosen by a mapping function. The mapping function and reference bit are described in the following paragraphs.

Toral automorphism is adopted as the mapping function in the proposed scheme. Toral automorphism is a nonlinear transformation that moves every pixel in a digital image to a new position [Voy98]. The original image content can be derived from the chaotic image when toral automorphism is applied for R iterations as discussed in section 3.2.1. In our experiments, the toral automorphism was applied for r iterations, after which every watermark bit was associated with a coefficient pair, where $0 < r < R$. The number of iterations was stored as a secure key.

The sign of the DC value of each block in an image seldom changes after JPEG compression. This feature is adopted as the reference bit of each block

$$ref(x_0) = \begin{cases} 1, & \text{if } x_0 \ge 0 \\ 0, & \text{if } x_0 < 0 \end{cases} \tag{4.5}$$

It is necessary to ensure that the reference bits are identical even after the image is subjected to JPEG compression. Negative DC values that are smaller than half of the corresponding step at quantization level $L_T$ need to be adjusted according to

$$\hat{x}_0 = \mathrm{sign}(x_0) \cdot 0.5 \cdot q_0, \quad \text{if } -0.5 \cdot q_0 < x_0 < 0, \tag{4.6}$$

where $q_0$ is the first quantization step within the quantization table of quantization level $L_T$. The content-based watermarks are finally obtained once the prototype watermarks have been XORed with the reference bits. As a result, the binary watermarks are mapped from {0, 1} to {–1, 1}.
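The generation steps of Section 4.2.1 (Eqs. 4.1 to 4.6, the significant pattern, and the XOR with a paired block's reference bit) as an added Python example; it is not code from the thesis. Assumptions: the standard JPEG luminance table stands in for Table 3.1, comparisons are made on coefficient magnitudes, SHA-256 is the one-way hash, the toral automorphism has the common form (x, y) → (x + y, kx + (k+1)y) mod n, one paired block serves all β bits, and the DCT blocks are constructed sample data.

```python
import hashlib

# Standard JPEG luminance table (ITU-T T.81 Annex K), assumed here to be the
# level-50 table Q50 that the text cites as Table 3.1.
Q50 = [16, 11, 10, 16, 24, 40, 51, 61, 12, 12, 14, 19, 26, 58, 60, 55,
       14, 13, 16, 24, 40, 57, 69, 56, 14, 17, 22, 29, 51, 87, 80, 62,
       18, 22, 37, 56, 68, 109, 103, 77, 24, 35, 55, 64, 81, 104, 113, 92,
       49, 64, 78, 87, 103, 121, 120, 101, 72, 92, 95, 98, 112, 100, 103, 99]

def cs(level):
    """Eq. (4.3); both branches give 100 at level 50."""
    return 5000 / (100 - level) if level > 50 else 200 - (100 - level) * 2

def quant_table(level):
    """Eq. (4.2), floored to integer steps of at least 1 (assumption)."""
    return [max(1, int((q * cs(level) + 50) / 100)) for q in Q50]

def jpeg_roundtrip(coeffs, level):
    """Quantize with Eq. (4.1), then dequantize, as a JPEG codec does."""
    out = []
    for x, q in zip(coeffs, quant_table(level)):
        k = int(abs(x) / q + 0.5)               # ROUND applied to |x| / q
        out.append((k if x >= 0 else -k) * q)
    return out

def stabilize(coeffs, level_t, alpha):
    """Eq. (4.4) on magnitudes (assumption), then Eq. (4.6) on the DC value."""
    out = []
    for x, q in zip(coeffs, quant_table(level_t)):
        q_hat, mag = alpha * q, abs(x)          # q_hat: step at level L_MAX
        ml, mr = q_hat - 0.5 * q, q_hat + 0.5 * q
        if ml < mag < q_hat:
            mag = ml
        elif q_hat <= mag < mr:
            mag = mr
        out.append(mag if x >= 0 else -mag)
    q0 = quant_table(level_t)[0]
    if -0.5 * q0 < out[0] < 0:                  # Eq. (4.6)
        out[0] = -0.5 * q0
    return out

def significant_pattern(coeffs, level_t, alpha):
    """1 where |x_i| exceeds the L_MAX step alpha * q_i(L_T), else 0."""
    return [int(abs(x) > alpha * q)
            for x, q in zip(coeffs, quant_table(level_t))]

def ref_bit(coeffs):
    """Eq. (4.5): reference bit from the sign of the DC value."""
    return 1 if coeffs[0] >= 0 else 0

def toral(pos, n, k, r):
    """r iterations of (x, y) -> (x + y, k*x + (k+1)*y) mod n (assumed form)."""
    x, y = pos
    for _ in range(r):
        x, y = (x + y) % n, (k * x + (k + 1) * y) % n
    return x, y

def block_watermark(blocks, pos, n, level_t, alpha, beta, k, r):
    """Front beta digest bits XOR the paired block's reference bit, in {-1, 1}."""
    pattern = significant_pattern(blocks[pos], level_t, alpha)
    msg = f"{pos[0]},{pos[1]}|".encode() + bytes(pattern)
    digest = hashlib.sha256(msg).digest()       # hash choice is an assumption
    ref = ref_bit(blocks[toral(pos, n, k, r)])
    bits = [((digest[j // 8] >> (7 - j % 8)) & 1) ^ ref for j in range(beta)]
    return [2 * b - 1 for b in bits]

def all_watermarks(blocks, n, level_t=71, alpha=3, beta=4, k=1, r=1):
    return {p: block_watermark(blocks, p, n, level_t, alpha, beta, k, r)
            for p in blocks}

def sample_blocks(n, seed=1):
    """Constructed DCT blocks: LCG noise whose amplitude decays with index."""
    state, blocks = seed, {}
    for pos in [(x, y) for x in range(n) for y in range(n)]:
        coeffs = []
        for i in range(64):
            state = (1103515245 * state + 12345) % 2**31
            coeffs.append((state / 2**31 - 0.5) * 800 / (1 + i))
        blocks[pos] = coeffs
    return blocks

if __name__ == "__main__":
    n = 4
    protected = {p: stabilize(c, 71, 3) for p, c in sample_blocks(n).items()}
    before = all_watermarks(protected, n)
    for level in (30, 50, 70):                  # all below L_T = 71
        received = {p: jpeg_roundtrip(c, level) for p, c in protected.items()}
        print(level, "watermarks unchanged:",
              all_watermarks(received, n) == before)
```

Because each block's bits depend on another block's DC sign, changing the paired block inverts the expected watermark of the first block, which is the inter-block dependency the text relies on against codebook forgery.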

4.2.2 Watermark Embedding Scheme

The original image is segmented into nonoverlapping blocks of 8×8 pixels, and all coefficients of the segmented blocks are shifted by -128 gray levels. Then the forward DCT transformation is applied to each block. The resulting DCT coefficients of a block are represented by $x_i$, where $0 \le i \le 63$. After the content-based watermarks are generated as described in section 4.2.1, the watermarks are embedded in DCT coefficients.

Fig. 4.3. Visual appearances of the watermarked images are obtained by constant quantization steps. Four watermark bits are embedded into coefficients of low frequency band of 8 × 8 blocks. The test image is 512 × 512 pixels. (a) Original image. (b)–(d) Watermarked images corresponding to original image (a) when quantization steps are set to 8, 20, and 50, respectively.

In traditional quantization-based watermarking schemes [Kun99], a larger quantized interval will result in obvious visual flaws, but avoiding these by making the quantized interval smaller will increase vulnerability of the watermarks. Fig. 4.3 shows the visual perceptions of watermarked images in various quantization steps.

To overcome this dilemma, a multilevel quantization table is used to classify the DCT coefficients and embed the watermarks into DCT coefficients. In the process of embedding watermarks, the DCT coefficients are first classified into two categories (significant and insignificant) as discussed in Section 4.2.1, and then different watermarking strategies are applied to each category. Quantization level $L_{MAX}$ is used as the cut-off for categorizing DCT coefficients: DCT coefficients greater than the values at identical positions within the quantization table are called significant coefficients, and the others are called insignificant coefficients. After the DCT coefficients are categorized, two quantization levels ($L_T$ and $L_S$, where $L_T > L_S$) are selected for embedding binary watermark {–1, 1} into the significant and insignificant DCT coefficients, respectively.

For significant coefficients, the modifications resulting from the quantization-based watermarking method are not visually obvious in the watermarked image and are not easily removed by JPEG compression. Therefore, the quantization-based embedding method is employed to embed watermarks into significant coefficients with the pre-selected quantization level $L_T$. In addition, since embedding watermarks in DC values will degrade the watermarked image, the DC values are not used for embedding watermarks.

The concept of the quantization-based method for extracting watermark $\tilde{w}$ is based on

$$\tilde{w} = Q(x_i, q_i) = \begin{cases} 1, & \text{if } \lfloor x_i / q_i \rfloor \text{ is even} \\ -1, & \text{if } \lfloor x_i / q_i \rfloor \text{ is odd} \end{cases} \tag{4.7}$$

where $q_i$ is the ith quantization step within the quantization table of quantization level $L_T$ and is at the identical position as DCT coefficient $x_i$. The classified results of DCT coefficients may be affected by equation (4.7); hence, a modified approach of equation (4.7) is taken in the proposed algorithm. Watermark $w$ is embedded in DCT coefficient $x_i$ using

$$x_i^w = \begin{cases} \tilde{x}_i + \mathrm{sign}(x_i) \cdot \Delta, & \text{if } Q(x_i, q_i) = w \\ \tilde{x}_i - \mathrm{sign}(x_i) \cdot \Delta, & \text{if } Q(x_i, q_i) \ne w \text{ and } BR_i < x_i \\ \tilde{x}_i + \mathrm{sign}(x_i) \cdot 3 \cdot \Delta, & \text{if } Q(x_i, q_i) \ne w \text{ and } x_i \le BR_i \end{cases} \tag{4.8}$$

where $\tilde{x}_i = \lfloor x_i / q_i \rfloor \cdot q_i$, $\Delta = 0.5 \cdot q_i$, $BR_i = \hat{q}_i + q_i$, and $\hat{q}_i$ and $q_i$ are the ith quantization steps within the quantization table of levels $L_{MAX}$ and $L_T$, respectively.

For insignificant coefficients, their magnitudes are usually small, and their magnitudes are very sensitive to JPEG compression when the quantization-based embedding method is applied to them, whereas their signs are not altered by Eq. (4.1). Therefore, the sign-based watermarking method is adopted to embed watermarks into insignificant coefficients. When the signs of DCT coefficients and watermarks differ, the formula of the sign-based method for embedding watermark $w$ in DCT coefficient $x_i$ is

$$x_i^w = \mathrm{sign}(w) \cdot q_i / 2, \tag{4.9}$$

where $q_i$ is the ith quantization step within the quantization table of quantization level $L_S$.

Fig. 4.4. Image showing the results of classifying the Lena image (for $L_T$ = 71, α = 3, and β = 4) as follows: a block is maintained in the original image if the amount of significant coefficients is more than β; a block is replaced with the symbol ‘×’ when the amount of significant coefficients is greater than zero but smaller than β; and a block is replaced with a black block when it contains no significant coefficients.

There are β-bit watermarks that should be embedded in a block. According to the categorized DCT coefficients and the quantity of watermarks for a block, there are three situations in which watermarks are embedded. An example of these three situations is shown in Fig. 4.4.

In situation 1 there is a block comprising more than β significant coefficients, and the watermarks are embedded into significant coefficients using Eq. (4.8). This kind of block is called textured area. In situation 2 there are no significant coefficients, corresponding to a block that usually appears flat, and thus the watermarks are inserted in low-frequency positions. The frequency discrimination of an 8 × 8 block is based on [Wu03]. These watermarks are embedded into selected positions using Eq. (4.9), and this type of block is called a smooth area. In situation 3 the amount of significant coefficients is less than β but greater than zero, and the proposed watermarking scheme will only embed some of the watermarks into significant coefficients using Eq. (4.8). The insertion positions of the remaining ones are behind the last position of the significant coefficient, and are located in the middle-frequency band. The watermarks are embedded into the selected positions using Eq. (4.9). This kind of block is called mid-textured area. An example showing different qualities of watermarked images with various choices of the parameters β and $L_S$ is given in Fig. 4.5.

Fig. 4.5. An image (Lena) is tested by the proposed scheme with the various choices of the parameters β and $L_T$ ($L_S$ = 30 and α = 3). (Plot of PSNR (dB) against the amount of the watermark for quantization levels 50, 60, and 70.)

4.2.3 Watermark Authentication Scheme

The received image is segmented into nonoverlapping blocks of 8×8 pixels, and all coefficients of the segmented blocks are shifted by -128 gray levels. The resulting DCT coefficients of a block are represented by $x_i$, where $0 \le i \le 63$. Every block of the received image can be authenticated with embedded watermarks $\tilde{W}$ and the reproduced watermarks $W$.

Before extracting watermarks, the coefficients of the watermarked image are categorized as significant and insignificant based on quantization level $L_{MAX}$ as discussed in section 4.2.1. There are three structures in classified blocks depending on the quantity of watermarks in a block and the categories of DCT coefficients, as described by the three situations detailed in section 4.2.2: smooth, mid-textured, and textured areas. After the structure of a classified block is determined, the watermark insertion positions can be derived as described in section 4.2.2. Furthermore, the strategies used to extract the watermark depend on the category of the watermark coefficients.

For significant coefficients, the watermark can be extracted by the quantization-based method as before:

$$\tilde{w} = W(x_i) = \begin{cases} 1, & \text{if } \lfloor x_i / q_i \rfloor \text{ is even} \\ -1, & \text{if } \lfloor x_i / q_i \rfloor \text{ is odd} \end{cases} \tag{4.10}$$

where $q_i$ is the ith quantization step within the quantization table of quantization level $L_T$.

For insignificant coefficients, the watermarks are extracted from the signs of the DCT coefficients according to

$$\tilde{w} = W(x_i) = \begin{cases} 1, & \text{if } x_i > 0 \\ -1, & \text{if } x_i < 0 \\ 0, & \text{if } x_i = 0 \end{cases} \tag{4.11}$$

The estimated original watermarks $W$ are generated as in section 4.2.1, and then the estimated watermarks are compared with extracted watermarks $\tilde{W}$. Each bit of the original watermark $w$ is compared with the corresponding bit in the extracted watermark $\tilde{w}$ using the similarity function

$$D(w, \tilde{w}) = \begin{cases} 1, & \text{if } w \cdot \tilde{w} \ge 0 \\ 0, & \text{if } w \cdot \tilde{w} < 0 \end{cases} \tag{4.12}$$

The tamper assessment function (TAF) for a block is

$$TAF(W, \tilde{W}) = \sum_{j=1}^{\beta} D(w_j, \tilde{w}_j). \tag{4.13}$$

When the compared result of the TAF for a block is greater than a predefined threshold $T_e$, where $1 \le T_e \le \beta$, the block is considered to be authenticated; otherwise, the block is considered to be tampered. In our experiments, the value of $T_e$ was $\beta - 1$, which means that the TAF can tolerate tampering up to one reference bit. There are two situations in which inaccurate detection can occur: First, because the TAF is insensitive to cropping attack, the tampered block may be categorized as non-tampered. Secondly, the amount of watermarks in a block is insufficient to detect the tampered areas accurately. These problems are overcome by using the contrast calibrating function and the information fusion function.
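An added example (not code from the thesis) that applies the embedding rules of Section 4.2.2, Eqs. (4.8) and (4.9), and the extraction and TAF of Eqs. (4.10) to (4.13) to one constructed mid-textured block, then requantizes it the way JPEG would. Assumptions: Eq. (4.8) is applied to coefficient magnitudes, the step values Q_T, Q_HAT and Q_S and the coefficients are constructed, and the coefficient categories are passed in rather than re-derived from the image.

```python
import math

# Constructed step values for the coefficient positions used below: q_i at
# level L_T, alpha * q_i (alpha = 3) at level L_MAX, and q_i at level L_S.
Q_T, Q_HAT, Q_S = 20, 60, 8

def q_bit(x, q):
    """Eq. (4.7)/(4.10): +1 if floor(|x|/q) is even, -1 if it is odd."""
    return 1 if math.floor(abs(x) / q) % 2 == 0 else -1

def sign_bit(x):
    """Eq. (4.11): +1, -1 or 0 from the sign of the coefficient."""
    return (x > 0) - (x < 0)

def embed_significant(x, w, q=Q_T, q_hat=Q_HAT):
    """Eq. (4.8) on |x| (assumption): centre of an interval with parity w."""
    base, delta, br = math.floor(abs(x) / q) * q, 0.5 * q, q_hat + q
    if q_bit(x, q) == w:
        mag = base + delta              # interval already encodes w
    elif abs(x) > br:
        mag = base - delta              # previous interval, still above q_hat
    else:
        mag = base + 3 * delta          # next interval, so it stays significant
    return mag if x >= 0 else -mag

def embed_insignificant(x, w, q_s=Q_S):
    """Eq. (4.9): overwrite only when the sign disagrees with w."""
    return x if sign_bit(x) == w else w * q_s / 2

def requantize(x, q):
    """JPEG round trip: ROUND(x / q) from Eq. (4.1), multiplied back by q."""
    k = int(abs(x) / q + 0.5)
    return (k if x >= 0 else -k) * q

def embed_block(coeffs, kinds, bits):
    return [embed_significant(x, w) if kind == "sig"
            else embed_insignificant(x, w)
            for x, kind, w in zip(coeffs, kinds, bits)]

def extract_block(coeffs, kinds):
    return [q_bit(x, Q_T) if kind == "sig" else sign_bit(x)
            for x, kind in zip(coeffs, kinds)]

def taf(expected, extracted):
    """Eqs. (4.12)-(4.13): number of bits with w * w~ >= 0."""
    return sum(1 for w, e in zip(expected, extracted) if w * e >= 0)

def taf_after_jpeg(marked, kinds, bits, step_sig, step_ins):
    """TAF after requantizing each coefficient with a compression step."""
    received = [requantize(x, step_sig if kind == "sig" else step_ins)
                for x, kind in zip(marked, kinds)]
    return taf(bits, extract_block(received, kinds))

# Constructed mid-textured block: two significant and two insignificant slots.
W = [1, -1, 1, -1]
KINDS = ["sig", "sig", "ins", "ins"]
BLOCK = [75.0, -131.0, 3.2, 2.1]

if __name__ == "__main__":
    marked = embed_block(BLOCK, KINDS, W)
    print("marked coefficients:", marked)
    print("TAF, steps 12/6 (light JPEG):   ", taf_after_jpeg(marked, KINDS, W, 12, 6))
    print("TAF, steps 19/15 (just below L_T):", taf_after_jpeg(marked, KINDS, W, 19, 15))
    print("TAF, steps 26/15 (beyond L_T):  ", taf_after_jpeg(marked, KINDS, W, 26, 15))
    edited = [70.0, -110.0, 3.2, 4.0]   # content change in two slots
    print("TAF, edited block:", taf(W, extract_block(edited, KINDS)))
    flat = [0.0] * 4                    # flat paste over a smooth block
    print("TAF, flat paste:  ", taf(W, extract_block(flat, ["ins"] * 4)))
```

The flat-paste case scores the full β because zeros satisfy Eq. (4.12) for either bit value, which is the cropping blind spot the contrast calibrating function is meant to close.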

The contrast calibrating function is used to increase the authentication performance in smooth areas. When the incidental manipulation, JPEG compression, is applied to a watermarked image, the distribution of insignificant coefficients being zero within the whole image should be similar to that of every block. In contrast, a cropping attack can be viewed as a flat object being placed on the image, and only the insignificant coefficients within the placed object are zero. In this study, we use the aforementioned characteristics to enhance the accuracy of authentication results.

The contrast calibrating function is

$$CA_i = |P_g - P_i|, \tag{4.14}$$

where $P_g$ is the proportion of insignificant coefficients that are zero in the watermarked image, and $P_i$ is the proportion of insignificant coefficients of the ith block that are zero in smooth areas. The ranges of the parameters are $0 \le P_g, P_i \le 1$.

Fig. 4.6. A watermarked image (Lena) is tested with various JPEG compression levels and the proportions of insignificant coefficients being zero are shown. The responses of contrast calibrating function are calculated from cropped areas and JPEG compression levels. (Plot of the response of CA against JPEG compression level; curves: Cropped Area, Whole Compressed Image.)

If the detection result of TAF for a block is authentic and the response of contrast calibrating function $CA_i$ is greater than a user-defined threshold $T_c$, then the detection result is changed to being tampered ($T_e - 1$). An example of the responses of contrast calibrating function between cropped area and a compressed image with various quantization levels is shown in Fig. 4.6. The threshold $T_c$ should be smaller than the response value of contrast calibrating function at the quantization level $L_S$. Because the visual artifacts will gradually occur in smooth areas when the selected $L_S$ is greater than 30, we set $L_S$ to 30 in our experiments. Besides, the corresponding value of the quantization level $L_S$ is 0.57 in Fig. 7, so the contrast threshold $T_c$ is set to 0.5. An experimental test of contrast calibrating function for enhancing the accuracy of authentication results is shown in Fig. 4.7.

Fig. 4.7. An example is used to show the effectiveness of contrast calibrating function. The size of test image is 512 × 512 ($L_S$ = 30, $L_T$ = 71, α = 3, and β = 4). (a) The original image. (b) The watermarked image whose PSNR is 39.18 dB. (c) The watermarked image is compressed with quantization level L = 25 and the upper left corner of the watermarked image is cropped. (d) The detection result of Fig. (c) without contrast calibrating function. (e) The detection result of Fig. (c) with contrast calibrating function where the tampered areas are detected correctly.

A false-negative detection error may occur in the second situation. The proposed watermarking scheme reduces such errors by using an information fusion function, $g_i^t$, that considers the relationships between the eight neighboring blocks and the current block according to the following three major steps:

Step 1: Obtain the initial weight plane of the information fusion function. After each block is verified by the tamper assessment function and contrast calibrating function, the verified results of all blocks can be stored as a weight plane. Those weights are treated as the initial values $g_i^0$ and are iteratively calibrated using steps 2 and 3.

Step 2: The information about neighbor blocks is used to suppress false-negative detections. Let $B_i$ denote the current block and $N_i$ denote the set of eight nearest neighbors of $B_i$. The current work set is defined as $S_i$, where $S_i = \{B_i\} \cup N_i$. All weights of the previous stage are recalculated as

$$g_i^t = \frac{\sum_{j \in S_i} g_j^{t-1}}{C_i}, \tag{4.15}$$

where $C_i$ is the number of elements of the current work set $S_i$, and $g_i^t$, $g_i^{t-1}$ represent the ith elements of the weight plane of the current and previous stages, respectively. If most elements of the current work set of the previous stage are categorized as nontampered or $g_i^t$ is greater than or equal to a predefined threshold $T_e$, then $g_i^t$ is replaced with $g_i^{t-1}$.

Step 3: Lastly, if all categorized results are identical between the previous and current stages, then the information fusion function is stopped. Otherwise, step 2 will be performed iteratively until this function converges.

An example of information fusion function is shown in Fig. 4.8(d)–(h), which illustrates that it can iteratively suppress false-negative detections.
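The contrast check of Eq. (4.14) feeding the three fusion steps of Eq. (4.15), as an added Python example rather than the thesis's own code. Assumptions: the weight plane holds TAF scores, a block counts as nontampered when its weight is at least T_e (the reading under which T_e = β − 1 tolerates one bit), "most elements" means a strict majority of the work set, border blocks use the neighbors that exist, and the 7 × 7 plane is constructed.

```python
def contrast_response(p_global, p_block):
    """Eq. (4.14): CA_i = |P_g - P_i|."""
    return abs(p_global - p_block)

def initial_weights(blocks, p_global, t_e, t_c):
    """Step 1: TAF scores, with the contrast override to T_e - 1.

    Each block is (taf, is_smooth, p_block); only smooth blocks that pass
    the TAF are re-checked, as in the text.
    """
    plane = []
    for row in blocks:
        out = []
        for taf, is_smooth, p_block in row:
            flagged = (is_smooth and taf >= t_e
                       and contrast_response(p_global, p_block) > t_c)
            out.append(float(t_e - 1 if flagged else taf))
        plane.append(out)
    return plane

def labels(plane, t_e):
    """True where a block is categorized as nontampered."""
    return [[w >= t_e for w in row] for row in plane]

def fuse(plane, t_e, max_rounds=50):
    """Steps 2 and 3: neighborhood averaging until the labels stop changing."""
    rows, cols = len(plane), len(plane[0])
    g = [row[:] for row in plane]
    for _ in range(max_rounds):
        nxt = [row[:] for row in g]
        for r in range(rows):
            for c in range(cols):
                # Work set S_i: the block and its existing neighbors.
                work = [g[i][j]
                        for i in range(max(0, r - 1), min(rows, r + 2))
                        for j in range(max(0, c - 1), min(cols, c + 2))]
                mean = sum(work) / len(work)            # Eq. (4.15)
                mostly_ok = 2 * sum(w >= t_e for w in work) > len(work)
                if not (mostly_ok or mean >= t_e):
                    nxt[r][c] = mean                    # else keep g^(t-1)
        if labels(nxt, t_e) == labels(g, t_e):          # Step 3: converged
            return nxt
        g = nxt
    return g

def sample_plane(size=7):
    """Constructed case: a flat 3x3 paste at rows/cols 2..4.

    Every pasted block passes the TAF (score 4 of beta = 4) because zeros
    match any bit; the centre block is not classified smooth, so the
    contrast check does not apply to it.
    """
    blocks = [[(4, True, 0.45) for _ in range(size)] for _ in range(size)]
    for r in range(2, 5):
        for c in range(2, 5):
            blocks[r][c] = (4, True, 1.0)
    blocks[3][3] = (4, False, 1.0)
    return blocks

def tampered_cells(plane, t_e):
    return {(r, c) for r, row in enumerate(labels(plane, t_e))
            for c, ok in enumerate(row) if not ok}

if __name__ == "__main__":
    T_E, T_C, P_G = 3, 0.5, 0.4         # beta = 4, so T_e = beta - 1
    start = initial_weights(sample_plane(), P_G, T_E, T_C)
    print("flagged before fusion:", len(tampered_cells(start, T_E)))
    print("flagged after fusion: ", len(tampered_cells(fuse(start, T_E), T_E)))
```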

4.3 Feasibility and Security Analysis

We now discuss the feasibility of our algorithm in two directions. The possibility of false-positive and false-negative detections is considered in sections 4.3.1 and 4.3.2, respectively.

4.3.1 False-Positive Detection Due to Hybrid Watermarking Sensitive to Incidental Manipulation

In the proposed scheme, $I_{i,j}$ represents the image coefficients with a frequency of j of the ith block, and $m_{i,j}$ represents the modifications with a frequency of j of the ith block. A manipulated image $\tilde{I}$ can be viewed as a watermarked image $I$ that contains incidental or malicious manipulations with magnitudes $m_{i,j}$; hence $\tilde{I}_{i,j} = I_{i,j} + m_{i,j}$. As in other work [Lu01][Lu03], we assumed that the magnitudes follow a Gaussian distribution, with the deviations of incidental and malicious manipulations modeled as $\sigma_I$ and $\sigma_M$, respectively. Furthermore, the incidental and malicious manipulations are modeled as $N(0, \sigma_I^2)$ and $N(0, \sigma_M^2)$.

In our watermarking scheme, the watermarks are embedded into significant coefficients by quantization-based watermarking and into insignificant coefficients by sign-based watermarking. Therefore, the analysis of false-positive detections is discussed along these two directions.

For significant coefficients, watermarks are embedded into coefficients by using a quantization-based embedding method with the highest acceptance quantization steps of level $L_T$, where the DCT coefficients are placed at the middle of the largest acceptance intervals. In the proposed algorithm, the incidental manipulations are caused by JPEG compression. All quantization levels of incidental manipulations are smaller than the largest acceptance level $L_T$. From Eq. (4.1) we can conclude that deviations $\sigma_T$ of accepted manipulations are greater than the incidental manipulations $\sigma_I$ ($\sigma_T > \sigma_I$). Therefore, the quantization-based watermarking method does not result in false-positive detections.

For insignificant coefficients, watermarks are embedded into coefficients using a sign-based embedding method. In JPEG compression, the major distortions are caused by rounding as in Eq. (4.1). Since rounding can only change magnitudes of DCT coefficients, but not the signs of DCT coefficients, the sign-based watermarking method also does not result in false-positive detections.

From the above discussion, we can conclude that the proposed hybrid watermarking method will not result in false-positive detections, even when JPEG compression is applied.

4.3.2 Analysis of False-Negative Detection Caused by Hybrid Watermarking

The analysis of significant coefficients is similar to that described in [Kun99].

The symbol $\varepsilon$ represents the relative distance of the DCT coefficient from one of the range boundaries $q_j$, where $q_j$ is the $j$th step within the quantization table of level $L_T$. $m_{i,j}$, which represents the modification with a frequency of $j$ of the $i$th block, is modeled as a Gaussian distribution with zero mean. The probability of false-negative detection is

$$
\begin{aligned}
p_{fn} &= P\{-\varepsilon < m_{i,j} < 0\} + P\{0 < m_{i,j} < q_j - \varepsilon\} \\
&= P\{0 < m_{i,j} < \varepsilon\} + P\{0 < m_{i,j} < q_j - \varepsilon\} \\
&= \operatorname{erf}\!\left(\frac{\varepsilon}{2\sigma_m}\right) + \operatorname{erf}\!\left(\frac{q_j - \varepsilon}{2\sigma_m}\right). \qquad (4.16)
\end{aligned}
$$

In the quantization-based watermarking method, the DCT coefficient is adjusted at the middle of the quantization interval. Hence, the above equation can be simplified to

$$
p_{fn} = 2 \cdot \operatorname{erf}\!\left(\frac{\varepsilon}{2\sigma_m}\right), \quad \text{where } \operatorname{erf}(e) = \frac{2}{\sqrt{\pi}} \int_0^{e} e^{-t^2}\,dt. \qquad (4.17)
$$

For insignificant coefficients, the watermarks are embedded by the sign-based watermarking method. Because the values of extracted watermarks are determined by the signs of DCT coefficients, the probability of false-negative detection is 1/2 for each watermark bit.

The above discussion shows that the verifying ability of quantization-based watermarking is better than that of sign-based watermarking. Therefore, more significant coefficients in a block result in lower probability of false-negative detection. In the case of smooth areas, there is no significant coefficient. β-bit watermarks are embedded into insignificant coefficients in a block. The possible outcomes of authenticating watermarks are binary in the proposed algorithm. In authenticating a block, the block is authenticated if the compared result of the TAF for a block is greater than or equal to a predefined threshold $T_e$, where $1 \le T_e \le \beta$. Hence, the probability distribution of false-negative detection can be seen as a binomial distribution

$$
P_{fn}^{\beta} = \sum_{k=T_e}^{\beta} \binom{\beta}{k} (p_{fn})^{k} (1 - p_{fn})^{\beta - k}. \qquad (4.18)
$$

In this case, the extracted watermark is essentially independent of the embedded watermark. Hence, the probability of tampering a significant coefficient is 1/2.

Furthermore, Eq. (4.18) can be rewritten as

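$$
\begin{aligned}
P_{fn}^{\beta} &= \sum_{k=T_e}^{\beta} \binom{\beta}{k} \left(\frac{1}{2}\right)^{k} \left(1 - \frac{1}{2}\right)^{\beta - k} \\
&= \sum_{k=T_e}^{\beta} \binom{\beta}{k} \left(\frac{1}{2}\right)^{\beta} \\
&= \frac{1}{2^{\beta}} \sum_{k=T_e}^{\beta} \binom{\beta}{k}. \qquad (4.19)
\end{aligned}
$$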

We can conclude that the ability to verify tampered coefficients is strongly related to the user-defined threshold $T_e$. The verifying ability in smooth areas can be improved by choosing a greater $T_e$.
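The effect of the threshold in Eqs. (4.18) and (4.19) can be checked numerically. The Python sketch below is an added example, not code from the thesis; the function names, seed and trial count are assumptions, and the acceptance rule is modeled as "at least $T_e$ of the β extracted bits match the embedded bits".

```python
"""Added example: block-level false-negative probability, Eqs. (4.18)/(4.19)."""
import random
from math import comb


def block_fn_probability(beta, t_e, p_bit=0.5):
    """Eq. (4.18): chance that a tampered block is still accepted.

    beta  -- number of watermark bits embedded in the block
    t_e   -- acceptance threshold, 1 <= t_e <= beta
    p_bit -- per-bit false-negative probability (1/2 for sign-based bits,
             which turns Eq. (4.18) into Eq. (4.19))
    """
    if not 1 <= t_e <= beta:
        raise ValueError("threshold must satisfy 1 <= T_e <= beta")
    return sum(comb(beta, k) * p_bit ** k * (1 - p_bit) ** (beta - k)
               for k in range(t_e, beta + 1))


def simulate_smooth_block(beta, t_e, trials=200_000, seed=1):
    """Monte Carlo check of Eq. (4.19) for a block with sign-based bits only.

    Tampering is modeled as in the text: the extracted bits are independent
    of the embedded bits, so each bit matches with probability 1/2.
    """
    rng = random.Random(seed)  # fixed seed (assumption) for repeatable output
    accepted = 0
    for _ in range(trials):
        embedded = rng.getrandbits(beta)
        extracted = rng.getrandbits(beta)
        matches = beta - bin(embedded ^ extracted).count("1")
        if matches >= t_e:  # block passes authentication despite tampering
            accepted += 1
    return accepted / trials


def threshold_table(beta):
    """False-negative probability for every admissible threshold T_e."""
    return {t_e: block_fn_probability(beta, t_e) for t_e in range(1, beta + 1)}


if __name__ == "__main__":
    beta = 4  # value used in Section 4.4
    for t_e, exact in threshold_table(beta).items():
        estimate = simulate_smooth_block(beta, t_e)
        print(f"T_e={t_e}: Eq.(4.19)={exact:.4f}  simulated={estimate:.4f}")
```

With β = 4 and $T_e$ = 3, the values used in Section 4.4, a tampered smooth block is still accepted with probability 5/16; raising $T_e$ to 4 lowers this to 1/16.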

4.4 Experimental Results

Our experiments were designed to show that the proposed scheme is able to blindly localize tampered areas, robust to JPEG compression, and sensitive to malicious manipulations, including the counterfeiting attack.

Images of 512 × 512 pixels were partitioned into non-overlapping blocks of 8 × 8 pixels. The two quantization levels $L_S$ and $L_T$ were set to 30 and 71, respectively. All elements with quantization level $L_T$ were multiplied by a scaling factor of 3 (α) to form quantization level $L_{MAX}$. The MD5 one-way hashing function [Riv92] was used to generate the message digests for each block, and the front 4 (β) bits of the message digests were used as the prototype of watermarks for a block. $T_e$ was set to 3 (β–1) as the cut-off for authenticating DCT coefficients. $T_c$ was set to 0.5 so as to enhance the authentication ability in smooth areas.

In the first experiment, a jet airplane (Fig. 4.8(a)) was used to show that our algorithm can accurately detect small tampered areas. The watermarked image is shown in Fig. 4.8(b) with a peak signal-to-noise ratio (PSNR) of 38.54 dB. In Fig. 4.8(c), the letters “U.S.” on the airplane are replaced with “S.A.”, and a second airplane is added to the image. Without the information fusion function, as shown in Fig. 4.8(d), some tampered blocks were not detected due to insufficient watermarks in the blocks. When the information fusion function is used, all the tampered areas were correctly identified and localized, irrespective of their size, as shown in Fig. 4.8(e)–(h) for 1–4 iterations, respectively.

In the second experiment, a small image set was used to show that our algorithm is robust to incidental manipulation, namely JPEG compression, and sensitive to malicious manipulations. The nine images in Fig. 4.9(a)–(i) contain watermarks embedded by the proposed watermarking scheme. The PSNR of each watermarked image and the detection results for various qualities of JPEG compression are listed in Table 4.2. This table indicates that no detection error occurs when the watermarked images underwent JPEG compression up to a certain compression level (71). Our proposed scheme treats those manipulations with a compression level above the predefined acceptance level as incidental manipulations. The robustness to JPEG compression of the dual-domain watermarking technique [Zha04] is shown in Table 4.3. As the table shows, its robustness to JPEG compression cannot be guaranteed. The image set was also used to show that our algorithm is sensitive to malicious manipulations. The detection results are listed in Table 4.4, which shows that the proposed scheme is sensitive to malicious manipulations, such as smoothing and histogram equalization. The proposed scheme is effective because the categorized results of the proposed scheme are robust to JPEG compression but sensitive to image enhancement and restoration operations.

In the third experiment, the Lena image in Fig. 4.10(a) was used to demonstrate that our algorithm can correctly localize tampered areas even when JPEG compression is applied. In this experiment, we simulated the behavior of a malicious attacker. The watermarked image is shown in Fig. 4.10(b) with a PSNR of 39.18 dB, and was processed by JPEG compression with a quantization level of 70. We assumed that someone added a logo to this image and then compressed it at the same compression level (70). The tampered image is shown in Fig. 4.10(c). Fig. 4.10(d) indicates that our algorithm can still detect the tampered areas.

The fourth experiment demonstrates that our algorithm is sensitive to a counterfeiting attack. The jet airplane image in Fig. 4.11(a) was counterfeited as shown in Fig. 4.11(b) by embedding 69 watermarked images from a database using our proposed algorithm with the same parameters. The PSNR of the counterfeit image is 28.4 dB. When the counterfeiting attack occurs, the relationship between blocks cannot be counterfeited. The detection result is shown in Fig. 4.11(c): 95% of the tampered blocks were identified, which indicates that the image has most likely been subjected to a counterfeiting attack.

The fifth experiment compares the authentication ability of the traditional quantization-based approach [Lin00] and the proposed scheme. The number of watermarks for each 8×8 block is 4. In this experiment, the watermarks are embedded into the image by the traditional quantization-based approach and by the proposed scheme, respectively. Then the watermarked images are compressed by JPEG compression with a specific compression level, and a small airplane is placed. Fig. 4.12(a) shows the watermarked image obtained by the traditional quantization-based approach with a preselected quantization level ($L_I$ = 45). The visual artifacts caused by watermarking can be seen in smooth areas. Then the watermarked image is compressed with compression level L = 10 and a small airplane is placed. Fig. 4.12(b) shows the watermarked image obtained by the proposed scheme ($L_T$ = 71 and $L_S$ = 30), compressed with JPEG compression (L = 10), with a small airplane then added. Figs. 4.12(c)–(i) show the detection results of the traditional quantization-based approach with various compression levels (L = 10–70), respectively. It should be apparent from Figs. 4.12(c)–(i) that the authentication ability failed when the compression levels of JPEG compression are greater than the preselected quantization level $L_I$. Figs. 4.12(j)–(p) show the detection results of the proposed scheme with various compression levels (L = 10–70), respectively. As the figures show, the tampered areas are detected correctly even when the watermarked images are subjected to JPEG compression. The experiments indicate that the proposed scheme achieves better performance in watermarking transparency and robustness to JPEG compression.

4.5 Summary

This chapter describes a blind semi-fragile watermarking scheme that includes the generation of content-based watermarks, hybrid watermarking, and calibration functions. The proposed watermarking scheme offers the characteristics of adaptive transparency, blind detection of watermarks, robustness to JPEG compression, and fragility to unauthorized manipulations.

This chapter also provides a semi-fragile classification method for categorizing DCT coefficients, which enables the watermarks to be adaptively embedded according to the characteristics of images. No extra space is required for storing the image characteristics and quantization indices of blocks.

Fig. 4.8. Experimental results showing that the proposed semi-fragile watermarking scheme can localize tampered areas accurately. The size of the test image is 512 × 512 ($L_S$ = 30, $L_T$ = 71, α = 3, and β = 4). (a) The original image. (b) The watermarked image, whose PSNR is 38.54 dB. (c) The tampered image, where an airplane is placed and the letters on the airframe are tampered. (d) The detection result without the amending function. (e)–(h) The tamper detection results derived from 1 to 4 iterations.

Fig. 4.9. (a)–(i) An image set showing that the proposed semi-fragile watermarking scheme is robust to JPEG compression and sensitive to malicious tampering attacks (result data are listed in Table 4.2 and Table 4.4).

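Columns give the image number. The first row is the signal-to-noise ratio (dB); the remaining rows give the block error ratio of the detection result (%) for each image operation.

| Image operation | (a) | (b) | (c) | (d) | (e) | (f) | (g) | (h) | (i) |
|---|---|---|---|---|---|---|---|---|---|
| Signal-to-noise ratio (dB) | 35.41 | 37.07 | 35.84 | 37.19 | 35.34 | 30.95 | 36.69 | 35.52 | 43.77 |
| JPEG (L=10) | 15% | 9% | 7% | 4% | 6% | 5% | 7% | 9% | 4% |
| JPEG (L=20) | 24% | 16% | 11% | 11% | 10% | 13% | 15% | 12% | 15% |
| JPEG (L=30) | 29% | 26% | 18% | 18% | 13% | 23% | 27% | 16% | 18% |
| JPEG (L=40) | 31% | 24% | 17% | 17% | 17% | 24% | 26% | 17% | 22% |
| JPEG (L=50) | 41% | 38% | 26% | 29% | 21% | 37% | 42% | 23% | 30% |
| JPEG (L=60) | 30% | 26% | 22% | 23% | 22% | 26% | 31% | 21% | 23% |
| JPEG (L=70) | 53% | 40% | 31% | 31% | 28% | 33% | 42% | 51% | 35% |
| JPEG (L=80) | 38% | 34% | 39% | 28% | 26% | 27% | 35% | 49% | 31% |
| JPEG (L=90) | 88% | 85% | 80% | 80% | 70% | 85% | 86% | 84% | 80% |

Table 4.3. The authentication results of the dual-domain watermarking technique [Zha04] when the watermarked images are subjected to JPEG compression at various quantization levels.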

Columns give the image number. The first row is the signal-to-noise ratio (dB); the remaining rows give the block error ratio of the detection result (%) for each image operation.

| Image operation | (a) | (b) | (c) | (d) | (e) | (f) | (g) | (h) | (i) |
|---|---|---|---|---|---|---|---|---|---|
| Signal-to-noise ratio (dB) | 39.75 | 38.54 | 37.85 | 38.24 | 36.82 | 39.79 | 39.18 | 38.17 | 40.64 |
| JPEG (L=10) | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% |
| JPEG (L=20) | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% |
| JPEG (L=30) | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% |
| JPEG (L=40) | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% |
| JPEG (L=50) | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% |
| JPEG (L=60) | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% |
| JPEG (L=70) | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% |
| JPEG (L=80) | 6.25% | 4.34% | 3.58% | 5.22% | 16.84% | 1.73% | 2.29% | 4.78% | 1.51% |
| JPEG (L=90) | 6.42% | 13.91% | 10.32% | 18.31% | 49.97% | 6.51% | 7.08% | 17.38% | 6.44% |

Table 4.2. Detection results demonstrating that our proposed algorithm is robust to JPEG compression ($L_S$ = 30, $L_T$ = 71, α = 3, and β = 4). The detection results are obtained after the watermarked images undergo JPEG compression at various quantization levels.

Columns give the image number. The first row is the signal-to-noise ratio (dB); the remaining rows give the block error ratio of the detection result (%) for each image operation.

| Image operation | (a) | (b) | (c) | (d) | (e) | (f) | (g) | (h) | (i) |
|---|---|---|---|---|---|---|---|---|---|
| Signal-to-noise ratio (dB) | 39.75 | 38.54 | 37.85 | 38.24 | 36.82 | 39.79 | 39.18 | 38.17 | 40.64 |
| S(3×3) | 12.76% | 23.65% | 24.68% | 31.12% | 62.30% | 7.47% | 18.55% | 32.88% | 8.42% |
| S(5×5) | 24.41% | 32.69% | 28.22% | 32.20% | 83.74% | 16.62% | 26.80% | 27.83% | 9.66% |
| H. E. | 99.70% | 97.72% | 78.78% | 46.04% | 67.65% | 25.24% | 31.93% | 45.36% | 99.36% |

Table 4.4. Detection results demonstrating that the proposed algorithm is sensitive to malicious manipulations ($L_S$ = 30, $L_T$ = 71, α = 3, and β = 4). The detection results are calculated after the watermarked images undergo smoothing or histogram equalization.

Fig. 4.10. Experimental results showing that the proposed semi-fragile watermarking scheme can localize tampered areas accurately and is robust to JPEG compression. The size of the test image is 512 × 512 and the quantization level is seventy ($L_S$ = 30, $L_T$ = 71, α = 3, and β = 4). (a) The original image. (b) The watermarked image, whose PSNR is 39.18 dB. (c) The watermarked image compressed with quantization level L = 70, with a logo placed near the hat. (d) The detection result of (c), where the tampered areas are detected correctly.

Fig. 4.11. Experimental results of a counterfeit attack in which 69 images from a database were embedded with identical parameters by our algorithm. (a) Nonwatermarked image. (b) Counterfeited image (PSNR = 28.4 dB). (c) Most (95%) of the tampered blocks are detected. The gray values of the localized tampered areas were reduced by a constant amount in order to show the localized areas more clearly.

Fig. 4.12. Comparison of authentication ability between the conventional quantization-based approach and the proposed scheme: (a) The tampered image ($L_T$ = 71 and $L_S$ = 30). (b) The tampered image ($L_I$ = 45). (c)–(i) The detection results of the traditional quantization-based approach with various compression levels (L = 10–70), respectively. (j)–(p) The detection results of the proposed scheme with various compression levels (L = 10–70), respectively.
