Transcript Randomized Detection for SpreadSpectrum Watermarking: Defending Against Sensitivity and Other Attacks Ramarathnam Venkatesan and Mariusz H.

Randomized Detection for SpreadSpectrum Watermarking: Defending
Against Sensitivity and Other Attacks
Ramarathnam Venkatesan and Mariusz H. Jakubowski
{venkie, mariuszj}@microsoft.com
Cryptography and Anti-Piracy Group
Microsoft Research
March 20, 2005
Overview
•
•
•
•
•
Introduction
Spread-spectrum methodology
Enhancements and analysis
Experimental results
Conclusion
2
Spread-Spectrum Watermarking
=
+
Embedding
Original image
secret key
Watermark
pseudorandom generator
=
*
Detection
Test image
Watermarked image
~0 if WM is absent
~1 if WM is present
Watermark
•The watermark is a pseudorandom sequence of positive and negative chips. The
dot (*) represents correlation (normalized dot product).
•Robustness is typically achieved via redundancy, synchronization grids, error
correction, visual models, embedding in special domains, and other techniques.
3
Overview
•
•
•
•
•
Introduction
Spread-spectrum methodology
Enhancements and analysis
Experimental results
Conclusion
4
Spread-Spectrum Enhancements
• Strategies against cryptanalytic attacks
– Pseudorandom embedding into portions of available
domain
– Pseudorandom detection
• Many correlations over pseudorandom WM subsets
• Median value from subsets returned as WM response
– Image-dependent WM keys from image hashes
• Some resistance against signal-processing
attacks
– Contrast enhancement to boost WM
– Some randomized redundant embedding into regions
– Note: Redundancy, synchronization grids, and related
techniques tend to make cryptanalysis easier.
– Is provable resistance against both cryptanalytic and
signal-processing attacks possible?
5
Cryptanalysis Model
...
Pseudorandom
black-box
detector
Results:
•Yes/No WM
•WM strength
Adversarial processing:
Adversarial
inputs
•Coefficient changes
•WM estimation
•Arbitrary analysis
6
Detection Scheme
• Let n = total number of chips (or number of WMed
coefficients).
• Detection:
– Choose m WM subsets S1, S2, …, Sm, each of size k << n.
– Compute correlations Y1, Y2, …, Ym over the subsets.
– Output median Ymed of Y1, Y2, …, Ym.
• Overall correlation average over subsets
• Median approximates average well:
Pr [|Ymed − E(Y)| e ]  e−cn
(c = constant)
7
Security Against Black-Box Attacks
• Assume subsets contain k out of n total watermarked coefficients.
• The following limits the information attacker can obtain during each
query to the black-box detector:
Lemma (Threshold Phenomenon): Consider a watermarked image, and set p
= k/n. Assume the attacker changes X coefficients in the transform plane,
and |pX − 1/2| > L, where L is a constant. Let Si, where i  n, be the
random subsets choosen by the detector. Let D1 and D2 denote the detector
values that are output to the attacker. For every r > 0, we have
Pr [|D1 − D2|  r]  e−cn
W
for some constant c, where W is the space of coin flips used by the
detector.
• Consequence: If the attacker changes too few coefficients, the attack
will fail with high probability (i.e., values output by detector change
little despite attacker’s arbitrary modifications to coefficients).
8
Overview
•
•
•
•
•
Introduction
Spread-spectrum methodology
Enhancements and analysis
Experimental results
Conclusion
9
Watermarking Example
WM response: enhanced correlation measure
No watermark: 3%
Watermark: 257%
StirMark attack: 195%
StirMark + low-quality JPEG: 103%
Results on Typical Images
300
Enhanced Watermark
Normal Watermark
No Watermark
Watermark Response (%)
250
200
150
100
50
0
-50
10
20
30
40
50
Image Number
60
70
80
90
100
Results of watermark tests on 100 images
•Each image was watermarked and StirMarked.
•19 incorrect watermark keys yield low watermark responses
(whether or not watermark enhancement is applied).
•One proper watermark key yields high watermark responses,
generally significantly higher after enhancement.
11
Black-Box Attack: Brute-Force Chip Estimation
1.
*
Test image
2.
Attack image 001
*
Test image
Attack image 010
3.
...
4.
*
Test image
Choose X watermark chips to estimate
(e.g., X = 3).
For each of the 2X possible chip
sequences, create an attack image:
•
In DCT domain, set all
coefficients to zero, except for
ones corresponding to selected
chips.
•
Set each chip coefficient to an
artificially large value (+ or -) to
boost overall correlation.
Use the black-box WM correlation
detector to compute WM response
over each attack image.
The attack image with the highest
WM response provides estimated chip
signs.
- large positive attack chip
Attack image 111 (2X)
- large negative attack chip 12
Results of Attack on 10 Test Images
A. Plain images
B. Watermarked images
C. Attack images
(X = 10 correct coefficients)
A: Overall correlation response (blue) and subset-median response (green) both
correctly reveal no WM.
B: Overall response and subset response both correctly reveal WM.
C: Overall response incorrectly reveals WM on well-guessed attack chips. Subset
13
response correctly reveals no WM, foiling the attack.
Conclusion
• New methods proposed to enhance the security
of spread-spectrum watermarking against
cryptanalysis.
• Ultimate security of spread-spectrum
watermarking remains an open problem.
• Are there practical spread-spectrum methods
provably robust against both cryptanalysis and
signal-processing attacks?
14