Digital Watermarking for Telltale Tamper Prooﬁng and

Digital Watermarking for Telltale TamperProofing and Authentication

DEEPA KUNDUR, STUDENT MEMBER, IEEE, AND DIMITRIOS HATZINAKOS, SENIOR MEMBER, IEEE

Invited Paper

In this paper, we consider the problem of digital watermarkingto ensure the credibility of multimedia. We specifically address theproblem of fragile digital watermarking for the tamper proofingof still images. Applications of our problem include authenticationfor courtroom evidence, insurance claims, and journalistic pho-tography.

We present a novel fragile watermarking approach which em-beds a watermark in the discrete wavelet domain of the image byquantizing the corresponding coefficients. Tamper detection is pos-sible in localized spatial and frequency regions. Unlike previouslyproposed techniques, this novel approach provides informationon specific frequencies of the image that have been modified.This allows the user to make application-dependent decisionsconcerning whether an image, which is JPEG compressed forinstance, still has credibility. Analysis is provided to evaluate theperformance of the technique to varying system parameters. Inaddition, we compare the performance of the proposed methodto existing fragile watermarking techniques to demonstrate thesuccess and potential of the method for practical multimediatamper proofing and authentication.

Keywords—Authentication, data hiding, digital watermarking,steganography, telltale tamper proofing.

I. INTRODUCTION

Research in the area of digital watermarking has focusedprimarily on the design of robust techniques for the copy-right protection of multimedia data. In such methods awatermark is imperceptibly embedded in a host signal suchthat its removal using common distortions on the markedsignal is difficult without degrading the perceptible datacontent itself. Watermarking can also be used to address theequally important, but underdeveloped, problem of tamperproofing.

As a great deal of multimedia is stored in digital for-mat, it has become easier to modify or forge informationusing widely available editing software. In fact, almost all

Manuscript received February 27, 1998; revised December 1, 1998.This work was supported in part by the Natural Sciences and EngineeringResearch Council (NSERC) of Canada and by the Communications andInformation Technology Ontario (CITO).

The authors are with the Department of Electrical and ComputerEngineering, University of Toronto, Toronto, Ont. M5S 3G4 Canada (e-mail: [email protected]; [email protected]).

Publisher Item Identifier S 0018-9219(99)04950-6.

published imagery is edited to some extent using computer-based tools. A problem arises when the possibly tampereddata are to be used as evidence; in such situations, themultimedia data must be credible. By “credible” we meanthat the signal source is authentic and that the informationcontent in the signal has not been modified in transit to itsdestination.

In this paper, we present a technique for signal tamperproofing. Previously proposed methods for images [1]–[5]place the watermark in the spatial domain of the signal;they provide information on the spatial location of thechanges but fail to give a more general characterizationof the type of distortion applied to the signal. In contrast,our scheme places the watermark in the discrete wavelet do-main, which allows the detection of changes in the image inlocalized spatial and frequency domain regions. This givesour approach the versatility to detect and help characterizesignal modifications from a number of distortions such assubstitution of data, filtering, and lossy compression. Inaddition, we embed the mark by quantizing the coefficientsto a prespecified degree, which provides the flexibility tomake the tamper-proofing technique as sensitive to changesin the signal as desired. We call such a method a telltaletamper-proofing scheme.

The main objectives of this paper are:

1) to introduce a set of well-defined goals for a telltaletamper-proofing scheme;

2) to present a novel tamper-proofing and authenticationtechnique which provides more complete informationon how the image is modified;

3) to demonstrate the potential of tamper-proofing meth-ods through implementations of our method and ex-isting techniques;

4) to provide a comparative study of the strengths andlimitations of the proposed and existing tamper-proofing methods.

In Section II we define the specific problems we addressin this paper and provide a review of existing techniquesfor the tamper proofing of images. We propose and intro-

0018–9219/99$10.00 1999 IEEE

PROCEEDINGS OF THE IEEE, VOL. 87, NO. 7, JULY 1999 1167

Fig. 1. The traditional tamper-proofing problem.

duce a set of objectives for the novel problem of telltaletamper proofing. The proposed technique is developedand analyzed using concepts from signal detection the-ory in Section III. Implementation issues are discussedin Section IV. Simulation results and comparisons of theperformance of the technique to previously proposed meth-ods are provided in Section V, followed by concludingstatements in Section VI.

II. PROBLEM FORMULATION

A. Tamper Proofing Versus Telltale Tamper Proofing

The problem we address is that of the telltale tamper-proofing of multimedia signals for authentication. Thetraditional problem of tamper-proofing can be stated asfollows. Consider the existence of an original or authenticdigital multimedia signal . Given a signal , which is apossibly modified version of , determine to a high degreeof probability, whether without explicit knowledgeof the original signal .

Thus, if it can be shown that is equal to almost forcertain, then the signal is considered to becredible. Thereare two basic stages to the process of tamper proofing. Inthe first stage (at the source) the original signal is passedthrough a hash function to produce a piece of data separatefrom the signal1; these data are then used in the second stage(at the receiver) to verify that the received image has notbeen modified. Alternatively, it has been shown that theverification data can be directly embedded imperceptiblyinto the signal [2]. These data are extracted from the signalitself in the second stage to check for tampering. Fig. 1gives an overview of the tamper-proofing problem.

Several approaches have been recently proposed to ad-dress the issue of tamper proofing. In [1], Friedman de-scribes a “trustworthy digital camera” in which a digitalcamera image is passed through a hash function and then isencrypted using the photographer’s private key to produce apiece of authentication data separate from the image. Thesedata are used in conjunction with the image to ensure thatno tampering has occurred. Specifically, the photographer’spublic key is used to decrypt the hashed original image andthe result is compared to the hashed version of the received

1These data can also be an encrypted author ID independent of thesignal.

image to ensure authentication. In [2], Walton proposes atechnique in which a separate piece of data is not requiredfor authentication. The method requires the calculation ofthe checksums of the seven most significant bits of theimage (or a transformed version of the image), so that theymay be embedded into randomly selected least significantbits. The major disadvantage of the techniques in [1] and[2] is that they produce a dichotomous result (i.e., “yes-or-no” solution) to the question of tampering; it is notstraightforward to determine how the image is tamperedwhich makes the scheme highly susceptible to random biterrors during data transmission.

For the tamper proofing of multimedia signals there isan additional issue of incidental distortions the signal mayundergo due to compression, enhancement, or transmissionerrors. For many applications, such transformations of thesignal are necessary and still maintain the integrity ofthe signal information. Thus, in this paper, we considerthe more practical issue of identifying whether or notthe tampering on the signal, if any, has an effect on its“credibility.”

A few techniques which attempt to address this problemhave been proposed in the literature. In [3], Schneiderand Chang propose a method for content-based imageverification in which they define a continuous interpretationof the concept of authenticity which measures the closenessof specific features of a possibly modified image to theoriginal one. The procedure is comprised of three stagesin which: 1) the relevant signal content is extracted; 2)the results of stage 1) are hashed to reduce size; and 3) theresult of stage 2) is encrypted with the author’s private key.The image content extraction could be localized histograminformation, discrete cosine transform (DCT) coefficients,or edge information. The advantage of the method isthat signals that undergo incidental distortions can still bedeemed credible. However, the process of selecting theimage content extraction functions used in stage 1) is notstraightforward for a given application.

Wolfgang and Delp in [4] proposed a fragile watermark-ing technique involving the addition of two-dimensional

sequences. They define a nonbinary test statistic basedon the inner product of the sequence and the imagewhich gives a relative measure of the tampering of aparticular image block. The major disadvantage is that it

1168 PROCEEDINGS OF THE IEEE, VOL. 87, NO. 7, JULY 1999

is possible to modify the data without disturbing the lowersignificant bits which contains the verification information.Similarly in [5], Yeung and Mintzer discuss a digital wa-termarking technique which tries to detect the modificationof individual pixels. The technique requires the use of alook-up table (LUT) which maps image colors to binarynumbers. The original image pixel colors are modifiedsuch that the associated binary numbers determined fromthe LUT equal the watermark bit values. Although thetechniques in [4] and [5] give information about spatiallylocalized changes in the image, they do not provide moreexplicit information on how the image is tampered. Forexample, if the image is innocently lossy compressed forconvenience, then the entire image may appear tamperedand its usefulness ignored.

We argue that traditional authentication approaches fordata are not well suited for images, sound, and video; tobe practically useful a tamper-proofing technique must notonly detect the presence of modifications in a signal butshould also provide information helpful to characterize thedistortions. A telltale tamper proofing method must be ableto do the following:

1) indicate with high probability that some form oftampering has or has not occurred;

2) provide a measure of the relative degree of distortionof the signal;

3) characterize the type of distortion, such as filtering,compression or replacement, without access to theoriginal host signal or any other signal-dependentinformation; it should be possible to detect changesdue to compression or random bit errors and makeapplication-dependent decisions concerning whetheror not the signal still has credibility;

4) validate the signal and authenticate the source withoutrequiring the maintenance and synchronization ofadditional data separate from the signal.

There has been a recent trend toward addressing theproblems of tamper proofing and authentication using adigital watermarking approach. The attraction of such anapproach is that no additional data are required for signalverification. In addition, the verification information isdiscretely watermarked which adds an additional level ofsecurity against attacks to modify both the signal and theverification data. In the next section, we discuss the digitalwatermarking problem.

B. The Digital Watermarking Approach

Traditionally, digital watermarking has been used toembed author and copyright identification into a multimediasignal [6]–[11]. The watermark must be retained in thesignal even under intentional signal distortion attacks toremove it. In contrast, fragile watermarking refers to theprocess of marking a signal such that any modificationcauses the extracted mark to be different than the originalwhich indicates that tampering has taken place.

We briefly discuss some terminology and requirementsfor a successful fragile watermarking method. We assumewithout loss of generality that the signal to be markedis a still image. A fragile watermark is defined as asignal (which is often a randomly generated binary stream),containing information used to assess whether an image wasmodified. The watermark is considered to be fragile becauseit is embedded in a way such that any slight modificationof the resulting image will distort the watermark as well.The embedding procedure involves modifying a host imageto reflect the information content in . The modificationmust be imperceptible in the sense that the owner andrecipient of the signal show no preference to the informationcontent in either the original or marked signal. Watermarkextraction is the process of detecting the presence ofwatermark information in a given image and is performedto recover the mark and to assess whether tampering hasbeen performed.

Some recent work in fragile watermarking [2], [4], [5]has demonstrated the potential of the approach. We specif-ically define the problem of fragile watermarking for theapplication of telltale tamper-proofing as follows. Givena digital multimedia signal and a digital watermark ,embed into by imperceptibly modifying to producea tamper-proofed signal such that:

1) the watermark can be extracted from withoutrequiring explicit knowledge of ;

2) if the information content in is unmodified, then theextracted watermark exactly matches ;

3) if is modified, then is different from the embed-ded with a probability vanishing close to one;

4) the differences between the embedded and extractedwatermarks provide useful information to assesswhether the signal modification maintains or destroyscredibility.

We present a watermarking technique which attempts toaddress the above criteria.

III. PROPOSEDTECHNIQUE

A. General Approach

Our technique is described in the context of watermarkingstill images, but it also works for general multimedia sig-nals. We make use of the discrete wavelet domain opposedto spatial or DCT domains to embed the watermark becauseit provides both a simultaneous spatial localization and afrequency spread of the watermark within the host image.The localization of the watermark gives the ability to iden-tify distinct regions of the watermarked image which haveundergone tampering and the global spreading of the markmakes it sensitive to large-scale signal distortions. We arguethat characterizing the modifications in terms of localizedspace-frequency distortions is more effective and practicalfor tamper proofing than attempting to parameterize thedistortion. Parametric models can be highly inaccurate inestimating a wide class of image transformations and areoften costly to compute for larger images.

KUNDUR AND HATZINAKOS: DIGITAL WATERMARKING 1169

(a)

(b)

Fig. 2. Proposed telltale tamper-proofing approach: (a) embedding process and (b) tamper as-sessment process.

The fundamental advantage of our technique lies in itsability to detect, with high probability, the spatial andfrequency components of the image which are untamperedand, hence, still credible. We embed the mark by quantizingthe coefficients to a prespecified degree which provides theflexibility to make the tamper-proofing technique as sensi-tive to changes in the signal as desired. The general scenariois shown in Fig. 2(a). A validation key comprised of theauthor’s watermark, a coefficient selection key (which wedescribe later), the quantization parameter, and possiblythe specific mother wavelet function are necessary forembedding and extracting the mark. The watermark can bean encrypted version of the author identification which isused to establish sender authenticity. There are three mainstages to the watermark embedding procedure.

In the first stage, we compute theth-level discretewavelet decomposition of the host image to produce asequence of three detail images, corresponding to thehorizontal, vertical, and diagonal details at each of the

resolution levels, and a gross approximation of theimage at the coarsest resolution level. The value ofisuser defined. We denote theth detail image componentat the th resolution level of the host by ,where (which stands for “horizontal,” “ver-

tical,” and “diagonal” detail coefficients, respectively),and is the particular spatial location index

at resolution . The gross approximation is represented bywhere the subscript is used instead of to

denote “approximation.” In the second stage, we embedthe watermark bit stream by modifying selected waveletcoefficients. Specifically, to embed a binary watermark oflength denoted , , a user-definedcoefficient selection key , isemployed. The particular wavelet coefficient at which toembed the th watermark bit is given by .Each element of is distinct so that two bits arenot marked at the same location, causing an ambiguityor error. In addition, the selection of the coefficients israndom and well spread spatially and throughout eachresolution level to be able to assess changes to these imagecomponents. In the simulations for this paper, wasgenerated by randomly selecting a coefficient from theset , , for each and

. Thus, one detail coefficient at each resolution andspatial location was marked. The binary watermark wasalso randomly generated using a uniform distribution andwas set to be the same length as . The watermarkbit is embedded into the coefficient through


Fig. 3. The quantization function. Each possible real value of the detail coefficient has anassociated binary number given byQ(�).

an appropriate quantization procedure. The specifics ofthe quantization are discussed in the next section. In thefinal stage, the correspondingth-level inverse wavelettransform of the marked image components is computedto form the tamper-proofed image.

Watermark extraction on a given image is performedas shown in Fig. 2(b). The th-level discrete wavelettransform (DWT) is applied to the given image and thecoefficient selection key is used to determine themarked coefficients. A quantization function (alsodiscussed in the next section) is applied to each of thesecoefficients to extract the watermark values. For authenti-cation, the author’s public key is applied to the extractedwatermark to obtain the author identification code. Almostany tampering of the image will cause the authenticationprocedure to fail as the decryption procedure is highlysensitive to changes in the watermark. Thus, authenticationis possible only if the extracted watermark is identical tothe embedded. If public key authentication fails, then weemploy tamper assessment to determine the credibility ofthe modified multimedia content.

To assess the extent of tampering, we compute thefollowing function which we call the tamper assessmentfunction (TAF)

TAF (1)

where is the true author watermark, is the extractedmark, is the length of the watermark, and is theexclusive-OR (XOR) operator. The value of TAFranges between zero and one. To determine image modi-fications for specific frequencies and/or spatial regions thewatermark can be extracted from the corresponding markedwavelet coefficients alone.

The presence of tampering is determined if TAF, where is prespecified threshold. If

TAF , then the modifications on the imageare considered to be incidental and negligible. For highersecurity applications, can be set to be smaller. Themagnitude of TAF can be used to assess theextent of tampering. We show in Section V that if JPEG

compression is applied to an image, the method can assessthat most of the changes have occurred to the details at thehigher resolution levels. If a part of the image has beenreplaced/changed in addition to compression, the watermarkin the lower resolutions will not remain the same. Hence,the lower resolution image can be authenticated. In addition,when filtering is applied to an image the technique canassess the frequency regions most tampered with [12].

B. Details of the Quantization Process

For an arbitrary wavelet transform, the detail coefficientsare real numbers. We perform quantization on

the wavelet coefficients in the following manner. Every realnumber is assigned a binary number, as shown in Fig. 3. Wedenote this function by which maps the real numberset to {0, 1}. Specifically

if for

if for(2)

where is a positive real number called the quantizationparameter and is shown in Fig. 3. The following assign-ment rule is used to embed the watermark bit intothe selected coefficient . We denote the coefficientselected by as .

1) If , then no change in thecoefficient is necessary.

2) Otherwise, change so that we force, using the following assign-

ment:

if

if(3)

where is the same parameter as in Fig. 3 and (2),and is the assignment operator.

The nature of the assignment in (3) has been experimentallyfound to change the image with the least visual degradationfor a given magnitude of . The parameter is user


Fig. 4. Effect of noise on the extracted watermark bit. Perturbation of the wavelet coefficient fromtampering can cause the extracted watermark to be different than the embedded.

defined and is set to establish an appropriate sensitivityto changes in the image. A smaller value ofwill makethe quantization process of the second stage finer and hencemakes minor changes in the image easier to detect.

It is assumed that the specific wavelet transform used isunknown to make forgery difficult. If the wavelet transformwere known, it would be possible for a tamperer to applyit to any arbitrary image and quantize the coefficientsusing the knowledge of in the same way in whichit appears in the original watermarked image so that theforgery appears authentic. We discuss how to overcome thishandicap in Section IV with the use of an image-dependentquantization key.

C. Performance Analysis

In this section, we assess the performance of our generaltechnique as a function of the system parameters. Weconcentrate on two types of degradations on a given regionof the image.

1) Mild distortion, in which we model the degradationon the associated wavelet coefficients as additivenoise with a probability density function (pdf) withrapidly decaying tails.2 We specifically model thedistortion on the wavelet coefficients as zero meanadditive Gaussian noise (AGN) with variance. Weassume that is “small,” such that the Gaussianpdf rapidly decays. Examples of image distortionswhich can fall under this category are mild filteringand JPEG compression.

2) Severe distortion, in which the degradation is assumedto be additive noise consisting of heavy tails (i.e.,

is “large”) and the value of the distortedwavelet coefficients becomes difficult to predict given

2The tails of a pdf refer to the behavior of the function as theindependent variable approaches infinity and negative infinity.

the true values. In fact, we consider that the probabil-ity of false watermark detection in such a degradedcoefficient be 1/2. Heavy linear or nonlinear filtering,random bit errors, and image region substitution fallunder this class of distortions.

We consider each type of distortion in turn to assessthe performance of our method. We evaluate the effective-ness of the approach to tamper proofing by introducing ameasure we call the tamper sensitivity function (TSF). Wedefine this as the probability that tampering is detected for

given that coefficients in the wavelet domain aremodified.

1) Sensitivity of the Technique to Mild Distortion:To assess the TSF for mild distortion we model the effects

of the image degradation on a given wavelet coefficient as

(4)

where is the undistorted wavelet coefficient,is the distorted coefficient, and is the

associated zero mean AGN with variance. Without lossof generality we assume that . Fig. 4shows how the additive noise can perturb the wavelet co-efficient such that so that the extractedwatermark is different from that embedded.

The probability of false negative for the tamperingof a given coefficient (i.e., the probability that tampering isnot detected in a particular wavelet coefficient) is given bythe probability that . That is

(5)

Given that is small, we can neglect the probabilityof and we make the following approx-imation:

(6)


where is the relative distance of the wavelet coefficientfrom one of the range boundaries of as shown inFig. 4. We simplify the expression for as follows byusing the assumption that is zero mean AGN

(7)

(8)

erf erf (9)

where erf is the traditional error function given by [13]

erf (10)

On average, is evenly distributed between zero andfor an arbitrary image and wavelet transform. Therefore,the expected probability of a false negative of a degradedcoefficient is given by

erf erf (11)

erf (12)

The TSF for mild distortion is given by the probabilitythat at least one extracted watermark bit differs from thecorresponding embedded bit

TSFall modified coefficients produce

false negative tampering results(13)

(14)

erf (15)

where . Equation (15) gives us the averageprobability of tamper detection for given thatwavelet coefficients have been modified. We see that thevalue of dictates the sensitivity of the technique to imagetampering. The value of the TSF increases monotonicallywith decreasing ; hence, the smaller the value of ,the more sensitive the tamper detection which confirmsour intuition. The value of is user-defined so that thetechnique is flexible for a variety of applications. Equation(15) also reveals that there is a geometric increase in thechange in the TSF as is increased.

We next determine the probability of tamper detection forarbitrary given that coefficients are modified

TAF (16)

(17)

The right-hand side of (17) is equivalently the probabilitythat there are at least differences in the embedded

and extracted watermark bits. Using this interpretation, weconclude that [14]

(18)

erf

erf (19)

where is the length of the extracted watermark, isthe ceiling operator, and it is assumed that .Equation (19) provides a relationship between the valueof the threshold and the probability of tamper detec-tion given that wavelet coefficients have been mildlydistorted. This probability can be set arbitrarily high byreducing both and for a given .

2) Sensitivity of the Technique to Severe Distortion:Asdiscussed in the beginning of Section III-C, we assumethat the extracted mark is essentially independent of theembedded watermark value for severe distortion so that

. Performing a similar analysis to the milddistortion case, the TSF is given by

TSF (20)

(21)

Since the distortion is unpredictable, (21) is independentof , but there still remains a geometric relationship with

. The average probability of tamper detection forgiven that wavelet coefficients are severely distorted iscomputed to be

(22)

where is the length of the watermark extracted from agiven region. The value of the thresholdcan be decreasedto increase the probability of tamper detection.

When a geometric transformation such as shearing orrescaling is applied to a marked image, the locationsof the fragile watermark bits become “unsynchronized.”Therefore, we can model this distortion as severe sincethe probability of a false negative is essentially 1/2 asa watermark bit is extracted from a completely differentlocation in the image and its value is unpredictable. Ourscheme, as proposed in this paper, cannot be used toestimate the particular geometric transformation applied tothe image; the tampering is merely detected.

IV. I MPLEMENTATION ISSUES FORTAMPER PROOFING

A. The Algorithm

In this section, we discuss the major implementationissues of realizing our telltale tamper-proofing techniqueand our strategies to overcome them. We present thespecific algorithm implemented. The two main obstaclesin implementing the method are its numerical sensitivity


and its susceptibility to forgery.1) Numerical Sensitivity:The fragile watermarking of

images is somewhat different than robust watermarkingbecause the design of the technique must be intrinsicallysensitive to detect tampering. Existing fragile watermarkingmethods deal with the addition of integers to the spatialdomain pixels of the image [2], [4], [5]. Our proposedmethod involves embedding the watermark in the waveletdomain. When the marked wavelet coefficients are modifiedand the inverse DWT is applied, the resulting marked imagepixels must be rounded to integer values to form a digitalimage. This rounding operation is an image modificationthat may cause the watermark in the marked image to differfrom the original due to numerical sensitivity.

To avoid these numerical difficulties, we propose analgorithm in which the changes to the wavelet coefficientsguarantee integer changes in the spatial domain. We makeuse of the Haar wavelet transform, in which the coefficientsat each resolution level are rational numbers of theform where . We modify the coefficients byadding or subtracting a multiple of 2. This specific typeof quantization guarantees that inverse DWT produces animage with integer pixel values; no rounding, which mayjeopardize the accuracy of the method, is necessary.

We use the following modified quantization function toembed the watermark such that is equal tothe watermark bit value:

if is even

if is odd

(23)

where is a prespecified positive integer and is thefloor function.

2) Susceptibility to Forgery:As discussed in Section III-B, knowledge of the specific wavelet transform used toembed the watermark can jeopardize the security of themethod. However, during implementation, we make ex-clusive use of the Haar wavelet, which is a discloseddetail of the algorithm. To combat this, we introduce animage-dependent key called the quantization key

. The value of this key for each indexis a functionof a localized component of the image.

The purpose of the quantization key is to make theforgery of an untampered image virtually impossible with-out knowledge of . Instead of embedding the water-mark directly into the wavelet coefficients, we embed

where is dependent on the image. Ifwe wanted to make the tamper proofing especially sensitiveto changes in horizontal edges of the image, then thevalue of could be a function of . Similarly,if we wanted the technique to indicate changes in themean value of the image, then can be dependent onlocalized averages of the image intensity. The introductionof improves security against forgery and provides theflexibility to monitor specific changes to the image.

Algorithmic forms of the watermark embedding, andextraction and tamper assessment routines are provided in

Tables 1 and 2, respectively. The choice of the user-definedparameters are discussed in Section V.

B. Key Features of the Algorithm

We discuss and review the main characteristics of thetechnique which distinguish it from previously proposedmethods for watermarking.

1) Our technique differs from existing fragile water-marking techniques in that the mark is embedded inthe discrete wavelet domain. This allows informationconcerning the frequencies of the image that haveundergone tampering and their relative degree ofdistortion.

2) There is a relationship between the value of themaximum wavelet decomposition level and thevisibility of the watermark. Given thatdetail coefficients are marked per spatial locationat a particular resolution, there can be a change inany image pixel of at most . The larger thevalue of the more localized the information thatis extracted concerning changes to lower frequenciesof the image. Thus, there exists a tradeoff between thevisibility of the mark and the ability to detect changesin lower image frequencies. Analogously, increasingthe value of can provide additional informationabout tampering such as the possibility of directionalfiltering, but this increases the chance of visibility.

3) The quantization key provides the flexibility to makethe technique more or less sensitive to certain dis-tortions. For example, if we wish to detect changesin the mean value of each 8 8 block of the image,then can depend directly on this quantity so thatany change in the mean will scramble and hencecause the extracted watermark value to differ from theembedded with high probability. It should be notedthat the presence of maintains the integrity of thetamper-proofing scheme against forgery even underthe condition that the coefficient sensitivity function

is disclosed.

These properties make the method appealing for othermultimedia security applications. Related work has demon-strated the usefulness of telltale watermarking for tamperrecovery [12] and watermark attack characterization [15].In [12] the authors demonstrated how telltale watermarkingcan be used for semiblind image restoration. In this problemthe marked image undergoes unknown blurring and mustbe recovered using information on how the correspondingfragile watermark is distorted. In [15] the authors demon-strate how a fragile watermark can be embedded in additionto a robust watermark to characterize image tampering. Thecharacterization process allows optimal robust watermarkextraction which improves security for copyright-protectionapplications.

V. SIMULATION RESULTS AND COMPARISONS

A. Basis of Comparison

We evaluate the fragile watermarking techniques basedon their ability to detect undesired tampering such as


Table 1The Proposed Telltale Tamper-Proofing Technique for Watermark Embedding

replacement of specific image regions and their robustness

to incidental image distortions such as high quality JPEG

compression. In addition, we study the introduction of arti-

facts, if any, into the image as a result of the watermarking

procedure using both qualitative observations and the peak

signal-to-noise ratio (PSNR) which is defined as

PSNR

(24)


Table 2The Proposed Telltale Tamper-Proofing Technique for Watermark Extraction and Tamper Assessment

in decibels, where is the original unmarked image,is the tamper-proofed result, and are the

number of pixels in [or alternatively in ]since watermarking does not increase the dimensions ofthe image.

We compare the performance of our technique with thewatermarking methods of [4] and [5]. We do not implementthe approaches in [1]–[3] for comparison as these methodsprovide little information to characterize the distortion and,hence, fall under a different class of techniques than ourproposed algorithm.

B. Results

We demonstrate the results of the three techniques usingthe 256 256 image of Lena shown in Fig. 5(a). We tamper

proof the image using our proposed technique and use thefollowing parameters: and .3 The watermark

and the coefficient selection keyare randomly generated. The quantization key

maps the amplitude of the selected detail coefficientsto binary numbers. The values of are set randomlyfor each argument with runs of zeros and ones no greaterthan two to avoid visual artifacts in the marked image.We specified the in this way to make the methodequally sensitive to all distortions to obtain a general senseof the behavior of our technique. The resulting watermarked

3These parameters were chosen as they provide no noticeable visualchange in the image. From experience, we find that� = 1 is appropriatefor smooth photographic images. For highly varying images,� = 2 canalso be used. As a rule of thumb,L may be set such thatlog

2(N=8) �

L � log2(N=4), whereN is the largest dimension of the image.


(a)

(b)

Fig. 5. Original and watermarked images for the proposedmethod: (a) original image of Lena and (b) watermarked imagewith L = 5 and � = 1 (PSNR= 43 dB).

Table 3The TAF Values for the Proposed Techniquefor Various Mean Filter Lengths

image is shown in Fig. 5(b). No visual difference is noticedwhen viewed on a computer screen. The PSNR of themarked image is 43 dB.

As expected, TAF for the untampered markedimage. If a watermark is extracted from the unmarkedimage or from any other unmarked image the value ofTAF is approximately 0.5. We demonstrate the effectsof various image distortions such as mean filtering andJPEG compression in Tables 3 and 4. As we can see,for high-quality JPEG compression, the lower resolutionsubimages are still deemed credible by our method. Formean filtering, we can see from the magnitude of theTAF that the lower frequencies are less distorted than thehigher frequencies. Tests were also conducted to determine

Table 4The TAF Values for the Proposed Technique forVarious JPEG Compression Ratios

(a)

(b)

Fig. 6. (a) Tampered image. The feathers on the hat have beensmoothed using an image-editing package. (b) Undistorted water-marked image.

whether localized tampering could be detected. The markedimage was modified by smoothing out the feathers in thehat using an image editing package as shown in Fig. 6.The differences in the extracted watermark and embeddedare shown in white in Fig. 7 for the various resolutionlevels. The value of the threshold to detect for tamperingis application dependent. From our simulations we foundthat a value of approximately 0.15 allows the method tobe robust to high quality compression, but detects the


(a) (b)

(c) (d)

(e)

Fig. 7. Tamper detection at the various resolutions for the distorted image of Fig. 6(a) for: (a)l = 1; (b) l = 2; (c) l = 3; (d) l = 4; and (e)l = 5. The differences between the embedded andextracted watermarks are shown in white for each resolution.

presence of additional tampering. A good way to analyzethe effects of tampering would be to view the differences inthe extracted and embedding marks as displayed in Fig. 7.

The Lena image was also tamper proofed using themethod by Yeung and Mintzer [5]. The results are shownin Fig. 8. The LUT and watermark used in the techniquewere randomly generated as suggested. The PSNR forthe marked image is 45 dB. Perfect watermark recovery

was possible when the marked image was untampered.Localized spatial regions of image tampering were alsoidentified accurately. We tested the effects of mild filteringand JPEG compression. The results are shown in Fig. 9,where the white pixels indicate that tampering has beendetected at the corresponding spatial locations. As canbe seen, high-quality JPEG compression has the effect ofcompletely destroying the credibility of the image. It is


(a)

(b)

Fig. 8. Original and watermarked images for the method byYueng and Mintzer [5]: (a) original image of Lena and (b)watermarked image (PSNR=45 dB).

not possible to distinguish between an image which iscompressed with perceptual information in tact and onethat is compressed in addition to being severely tampered.In general, we found that the method in [5] produced nonoticeable artifacts in the marked images. The changes inthe image were similar to the effect of mild dithering.

We tested the watermarking method by Wolfgang andDelp [4] on the same image of Lena. The results are shownfor block sizes of 8 8, an sequence of order 16, anda bipolar watermark scaled by a factor of two in Fig. 10.The PSNR of the resulting image is 41 dB. As expected,no tampering was detected for the original marked image.The method detected the 8 8 blocks containing spatiallylocalized changes (similar to that shown in Fig. 6) in theimage for a threshold of zero. We found that the methodidentified the changes even in the presence of high qualityJPEG compression (CR 3) for a threshold set to 1.5 timesthe mean value of the associated autocorrelation matrix[4]. For mean filtering, the regions of high variance weredetected to be tampered, but for JPEG compression, theresults were more unpredictable.

To determine localized changes in the image, it is impor-tant that the block sizes be small. However, the strength of

(a)

(b)

Fig. 9. Tamper identification for filtering and compression for thetechnique by Yueng and Mintzer [5]: (a) tamper identification forhigh-quality JPEG compresion CR=3 and (b) tamper identificationfor 3 � 3 mean filtering.

the technique lies in statistical assumptions of the embedded-sequence watermark, and reducing the block size lowers

the statistical validity of the technique. Thus, we have foundthere to be a tradeoff between accuracy and localization ofdetection in this method. In addition, the technique requiresthat image-dependent information in the form of an innerproduct matrix [4] (which depends on the marked imageand sequence) be known for extraction. This makes themethod less portable and not well suited for automation.

VI. CONCLUSIONS

Tamper proofing of multimedia signals is a new andgrowing field of study. Traditional approaches for dataauthentication are not appropriate for multimedia due tothe nature of the information to be protected. In thispaper we introduce the problem of telltale tamper proofing.We propose a fragile watermarking technique for imagesand compare its performance with existing methods. Ourresults indicate that the proposed approach has potential formultimedia information authentication applications. Futureresearch involves extending this approach to characterizegeometric distortions through appropriate design of thequantization key.


(a)

(b)

Fig. 10. Original and watermarked images for the method byWolfgang and Delp [4]: (a) original image of Lena and (b)watermarked image for a block size of 8� 8, anm sequenceof order 16, and a watermark scaling of a factor of two.

REFERENCES

[1] G. L. Friedman, “The trustworthy digital camera: Restoringcredibility to the photographic image,”IEEE Trans. ConsumerElectron.,vol. 39, pp. 905–910, Oct. 1993.

[2] S. Walton, “Image authentication for a slippery new age,”Dr.Dobb’s J.,vol. 20, pp. 18–26, Apr. 1995.

[3] M. Schneider and S.-F. Chang, “A robust content based digitalsignature for image authentication,” inProc. IEEE Int. Conf.Image Processing,1996, vol. 3, pp. 227–230.

[4] R. B. Wolfgang and E. J. Delp, “A watermark for digitalimages,” inProc. IEEE Int. Conf. Image Processing,1996, vol.3, pp. 219–222.

[5] M. M. Yeung and F. Mintzer, “An invisible watermarkingtechnique for image verification,” inProc. IEEE Int. Conf.Image Processing,1997, vol. 2, pp. 680–683.

[6] I. J. Cox, J. Killian, T. Leighton, and T. Shamoon, “Securespread spectrum watermarking for multimedia,” NEC Res. Inst.,Princeton, NJ, Tech. Rep. 95-10, 1995.

[7] J.-F. Delaigle, C. De Vleeschouwer, and B. Macq, “Digitalwatermarking,” inProc. SPIE, Optical Security and CounterfeitDeterrence Techniques,Feb. 1996, vol. 2659, pp. 99–110.

[8] E. Koch and J. Zhao, “Toward robust and hidden imagecopyright labeling,” inProc. Workshop on Nonlinear Signal andImage Processing,I. Pitas, Ed., June 1995, pp. 452–455.

[9] G. Voyatzis and I. Pitas, “Applications of toral automorphismsin image watermarking,” inProc. IEEE Int. Conf. Image Pro-cessing,1996, vol. 2, pp. 237–240.

[10] J. J. K. O Ruanaidh, W. J. Dowling, and F. M. Boland,“Watermarking digital images for copyright protection,” inIEEProc. Vision, Image and Signal Processing,Aug. 1996, vol. 143,pp. 250–256.

[11] D. Kundur and D. Hatzinakos, “A robust digital image water-marking method using wavelet-based fusion,” inProc. IEEEInt. Conf. Image Processing,1997, vol. 1, pp. 544–547.

[12] , “Semi-blind image restoration based on telltale water-marking,” in Proc. 32nd Asilomar Conf. Signals, Systems, andComputers,1998, pp. 933–937.

[13] M. Abramowitz and I. A. Stegun, Eds.,Handbook of Math-ematical Functions with Formulas Graphs and MathematicalTables. New York: Dover, 1965.

[14] A. Leon-Garcia,Probability and Random Processes for Electri-cal Engineering. Don Mills, Ont., Canada: Addison-Wesley,1989.

[15] D. Kundur and D. Hatzinakos, “Improved robust watermark-ing through attack characterization,”Opt. Express,vol. 3, pp.485–490, Dec. 7, 1998.

Deepa Kundur (Student Member, IEEE) wasborn in Toronto, Ont., Canada. She received theBachelor of Applied Science degree in 1993and the Master of Applied Science degree incommunications and signal processing in 1995,both from the Department of Electrical andComputer Engineering, University of Toronto,Ont., Canada. She is currently pursuing thePh.D. degree at the University of Toronto.

Her research interests include digital water-marking of multimedia information, blind image

restoration, and data fusion for the classification of remote sensingimagery.

Ms. Kundur is currently an Engineer-in-Training with the ProfessionalEngineers of Ontario (PEO).

Dimitrios Hatzinakos (Senior Member, IEEE)received the Diploma degree from the Universityof Thessaloniki, Greece, in 1983, the M.A.Scdegree from the University of Ottawa, Canada,in 1986, and the Ph.D. degree from NortheasternUniversity, Boston, MA, in 1990, all in electricalengineering.

In September 1990, he joined the Departmentof Electrical and Computer Engineering, Uni-versity of Toronto, where he now holds the rankof Associate Professor with tenure. His research

interests span the fields of digital signal/image processing with applicationsto wireless communications and multimedia. He is the author or co-authorof more than 80 papers in technical journals and conference proceedingsand has contributed to four books in his areas of interest. His experienceincludes consulting through Electrical Engineering Consociates Ltd. andcontracts with United Signals and Systems, Inc., Burns and Fry Ltd.,Pipetronix Ltd., Defense Research Establishment Ottawa (DREO), andVaytek, Inc.

He has been an Associate Editor for IEEE TRANSACTIONS ON SIGNAL

PROCESSING since July 1998 and Guest Editor for the Special Issue ofSignal Processingon Signal Processing Technologies for Short BurstWireless Communications, scheduled to appear in late 1999. He was amember of the IEEE Statistical Signal and Array Processing TechnicalCommittee (SSAP) from 1992 to 1995 and Technical Program Cochairof the Fifth Workshop on Higher-Order Statistics in July 1997. He is amember of EURASIP, the Professional Engineers of Ontario (PEO), andthe Technical Chamber of Greece.


Documents

Digital Watermarking for Telltale Tamper Prooﬁng and