Image Watermarking -- public ICASSP talk (3/20/05) by 5p52sHv1


									  Randomized Detection for Spread-
 Spectrum Watermarking: Defending
Against Sensitivity and Other Attacks

    Ramarathnam Venkatesan and Mariusz H. Jakubowski
             {venkie, mariuszj}

           Cryptography and Anti-Piracy Group
                   Microsoft Research

                     March 20, 2005

•   Introduction
•   Spread-spectrum methodology
•   Enhancements and analysis
•   Experimental results
•   Conclusion

     Spread-Spectrum Watermarking

Embedding                        +                          =
               Original image             Watermark                Watermarked image

            secret key             pseudorandom generator

                                 *                          =          ~0 if WM is absent
                                                                       ~1 if WM is present

                Test image                Watermark

      •The watermark is a pseudorandom sequence of positive and negative chips. The
      dot (*) represents correlation (normalized dot product).
      •Robustness is typically achieved via redundancy, synchronization grids, error   3
      correction, visual models, embedding in special domains, and other techniques.

•   Introduction
•   Spread-spectrum methodology
•   Enhancements and analysis
•   Experimental results
•   Conclusion

Spread-Spectrum Enhancements

• Strategies against cryptanalytic attacks
   – Pseudorandom embedding into portions of available
   – Pseudorandom detection
      • Many correlations over pseudorandom WM subsets
      • Median value from subsets returned as WM response
   – Image-dependent WM keys from image hashes

• Some resistance against signal-processing
   – Contrast enhancement to boost WM
   – Some randomized redundant embedding into regions
   – Note: Redundancy, synchronization grids, and related
     techniques tend to make cryptanalysis easier.
   – Is provable resistance against both cryptanalytic and
     signal-processing attacks possible?                   5
          Cryptanalysis Model

                Pseudorandom             Results:
                  black-box                 •Yes/No WM
                   detector                 •WM strength

              Adversarial processing:
                  •Coefficient changes
                  •WM estimation
Adversarial       •Arbitrary analysis

             Detection Scheme

• Let n = total number of chips (or number of WMed
• Detection:
   – Choose m WM subsets S1, S2, …, Sm, each of size k << n.
   – Compute correlations Y1, Y2, …, Ym over the subsets.
   – Output median Ymed of Y1, Y2, …, Ym.

• Overall correlation average over subsets
• Median approximates average well:
     Pr [|Ymed − E(Y)| e ]  e−cn   (c = constant)
Security Against Black-Box Attacks

• Assume subsets contain k out of n total watermarked coefficients.
• The following limits the information attacker can obtain during each
  query to the black-box detector:

    Lemma (Threshold Phenomenon): Consider a watermarked image, and set p
      = k/n. Assume the attacker changes X coefficients in the transform plane,
      and |pX − 1/2| > L, where L is a constant. Let Si, where i  n, be the
      random subsets choosen by the detector. Let D1 and D2 denote the detector
      values that are output to the attacker. For every r > 0, we have

         Pr [|D1 − D2|  r]  e−cn

       for some constant c, where W is the space of coin flips used by the

• Consequence: If the attacker changes too few coefficients, the attack
  will fail with high probability (i.e., values output by detector change
  little despite attacker’s arbitrary modifications to coefficients).

•   Introduction
•   Spread-spectrum methodology
•   Enhancements and analysis
•   Experimental results
•   Conclusion

     Watermarking Example
             WM response: enhanced correlation measure

  No watermark: 3%                              Watermark: 257%

StirMark attack: 195%                    StirMark + low-quality JPEG: 103%
                               Results on Typical Images
                                                                                     Enhanced Watermark
                                                                                     Normal Watermark
                         250                                                         No Watermark
Watermark Response (%)






                                   10    20    30     40        50        60   70   80       90           100
                                                           Image Number

Results of watermark tests on 100 images
                               •Each image was watermarked and StirMarked.
                               •19 incorrect watermark keys yield low watermark responses
                                (whether or not watermark enhancement is applied).
                               •One proper watermark key yields high watermark responses,
                                generally significantly higher after enhancement.                               11
 Black-Box Attack: Brute-Force Chip Estimation
                                           1.   Choose X watermark chips to estimate
                                                (e.g., X = 3).
                                                For each of the 2X possible chip
                                                sequences, create an attack image:
                                                •     In DCT domain, set all
Test image          Attack image 001                  coefficients to zero, except for
                                                      ones corresponding to selected
                                                •     Set each chip coefficient to an
              *                                       artificially large value (+ or -) to
                                                      boost overall correlation.
                                           3.   Use the black-box WM correlation
Test image          Attack image 010
                                                detector to compute WM response
             ...                                over each attack image.
                                           4.   The attack image with the highest
                                                WM response provides estimated chip
              *                                 - large positive attack chip
                                                - large negative attack chip 12
Test image         Attack image 111 (2X)
         Results of Attack on 10 Test Images

      A. Plain images          B. Watermarked images             C. Attack images
                                                            (X = 10 correct coefficients)
A: Overall correlation response (blue) and subset-median response (green) both
correctly reveal no WM.

B: Overall response and subset response both correctly reveal WM.

C: Overall response incorrectly reveals WM on well-guessed attack chips. Subset
response correctly reveals no WM, foiling the attack.                        13
• New methods proposed to enhance the security
  of spread-spectrum watermarking against

• Ultimate security of spread-spectrum
  watermarking remains an open problem.

• Are there practical spread-spectrum methods
  provably robust against both cryptanalysis and
  signal-processing attacks?


To top