Image Watermarking -- public ICASSP talk (3/20/05) by 5p52sHv1

VIEWS: 0 PAGES: 14

									  Randomized Detection for Spread-
 Spectrum Watermarking: Defending
Against Sensitivity and Other Attacks



    Ramarathnam Venkatesan and Mariusz H. Jakubowski
             {venkie, mariuszj}@microsoft.com

           Cryptography and Anti-Piracy Group
                   Microsoft Research


                     March 20, 2005
              Overview


•   Introduction
•   Spread-spectrum methodology
•   Enhancements and analysis
•   Experimental results
•   Conclusion

                                  2
     Spread-Spectrum Watermarking

Embedding                        +                          =
               Original image             Watermark                Watermarked image



            secret key             pseudorandom generator




Detection
                                 *                          =          ~0 if WM is absent
                                                                       ~1 if WM is present


                Test image                Watermark

      •The watermark is a pseudorandom sequence of positive and negative chips. The
      dot (*) represents correlation (normalized dot product).
      •Robustness is typically achieved via redundancy, synchronization grids, error   3
      correction, visual models, embedding in special domains, and other techniques.
              Overview


•   Introduction
•   Spread-spectrum methodology
•   Enhancements and analysis
•   Experimental results
•   Conclusion

                                  4
Spread-Spectrum Enhancements

• Strategies against cryptanalytic attacks
   – Pseudorandom embedding into portions of available
     domain
   – Pseudorandom detection
      • Many correlations over pseudorandom WM subsets
      • Median value from subsets returned as WM response
   – Image-dependent WM keys from image hashes

• Some resistance against signal-processing
  attacks
   – Contrast enhancement to boost WM
   – Some randomized redundant embedding into regions
   – Note: Redundancy, synchronization grids, and related
     techniques tend to make cryptanalysis easier.
   – Is provable resistance against both cryptanalytic and
     signal-processing attacks possible?                   5
          Cryptanalysis Model



                Pseudorandom             Results:
                  black-box                 •Yes/No WM
                   detector                 •WM strength
    ...


              Adversarial processing:
                  •Coefficient changes
                  •WM estimation
Adversarial       •Arbitrary analysis
  inputs


                                                           6
             Detection Scheme

• Let n = total number of chips (or number of WMed
  coefficients).
• Detection:
   – Choose m WM subsets S1, S2, …, Sm, each of size k << n.
   – Compute correlations Y1, Y2, …, Ym over the subsets.
   – Output median Ymed of Y1, Y2, …, Ym.


• Overall correlation average over subsets
• Median approximates average well:
     Pr [|Ymed − E(Y)| e ]  e−cn   (c = constant)
                                                          7
Security Against Black-Box Attacks

• Assume subsets contain k out of n total watermarked coefficients.
• The following limits the information attacker can obtain during each
  query to the black-box detector:

    Lemma (Threshold Phenomenon): Consider a watermarked image, and set p
      = k/n. Assume the attacker changes X coefficients in the transform plane,
      and |pX − 1/2| > L, where L is a constant. Let Si, where i  n, be the
      random subsets choosen by the detector. Let D1 and D2 denote the detector
      values that are output to the attacker. For every r > 0, we have

         Pr [|D1 − D2|  r]  e−cn
         W

       for some constant c, where W is the space of coin flips used by the
       detector.

• Consequence: If the attacker changes too few coefficients, the attack
  will fail with high probability (i.e., values output by detector change
  little despite attacker’s arbitrary modifications to coefficients).
                                                                              8
              Overview


•   Introduction
•   Spread-spectrum methodology
•   Enhancements and analysis
•   Experimental results
•   Conclusion

                                  9
     Watermarking Example
             WM response: enhanced correlation measure




  No watermark: 3%                              Watermark: 257%




StirMark attack: 195%                    StirMark + low-quality JPEG: 103%
                               Results on Typical Images
                         300
                                                                                     Enhanced Watermark
                                                                                     Normal Watermark
                         250                                                         No Watermark
Watermark Response (%)




                         200


                         150


                         100


                         50


                          0


                         -50
                                   10    20    30     40        50        60   70   80       90           100
                                                           Image Number



Results of watermark tests on 100 images
                               •Each image was watermarked and StirMarked.
                               •19 incorrect watermark keys yield low watermark responses
                                (whether or not watermark enhancement is applied).
                               •One proper watermark key yields high watermark responses,
                                generally significantly higher after enhancement.                               11
 Black-Box Attack: Brute-Force Chip Estimation
                                           1.   Choose X watermark chips to estimate
                                                (e.g., X = 3).
                                                For each of the 2X possible chip
              *
                                           2.
                                                sequences, create an attack image:
                                                •     In DCT domain, set all
Test image          Attack image 001                  coefficients to zero, except for
                                                      ones corresponding to selected
                                                      chips.
                                                •     Set each chip coefficient to an
              *                                       artificially large value (+ or -) to
                                                      boost overall correlation.
                                           3.   Use the black-box WM correlation
Test image          Attack image 010
                                                detector to compute WM response
             ...                                over each attack image.
                                           4.   The attack image with the highest
                                                WM response provides estimated chip
                                                signs.
              *                                 - large positive attack chip
                                                - large negative attack chip 12
Test image         Attack image 111 (2X)
         Results of Attack on 10 Test Images




      A. Plain images          B. Watermarked images             C. Attack images
                                                            (X = 10 correct coefficients)
A: Overall correlation response (blue) and subset-median response (green) both
correctly reveal no WM.

B: Overall response and subset response both correctly reveal WM.

C: Overall response incorrectly reveals WM on well-guessed attack chips. Subset
response correctly reveals no WM, foiling the attack.                        13
                Conclusion
• New methods proposed to enhance the security
  of spread-spectrum watermarking against
  cryptanalysis.

• Ultimate security of spread-spectrum
  watermarking remains an open problem.

• Are there practical spread-spectrum methods
  provably robust against both cryptanalysis and
  signal-processing attacks?


                                                   14

								
To top