
Thesis:

Multimedia Transaction Tracking from a Mutual Distrust Perspective.

by Angela S. L. Wong

Thesis submitted for the degree of Doctor of Philosophy in Electrical and Electronic Engineering

University of Adelaide

November 2007

© 2007 Angela S. L. Wong. All Rights Reserved


Contents

Contents
Abstract
Statement of Originality
Acknowledgments
Publications
List of Figures
List of Tables

Chapter 1. Introduction
1.1 Outline of Thesis
1.2 History
1.2.1 Watermarking
1.2.2 Cryptology
1.3 Assumptions
1.4 Background and Aim
1.5 Legal Issues

Chapter 2. A Review of the State of the Art
2.1 Watermarking Alone
2.2 Cryptography Alone
2.2.1 General Cryptosystems
2.2.2 Image- and Video-Specific Cryptosystems
2.3 Watermarking and Cryptography
2.4 Summary


Chapter 3. A Technical Background on Watermarking and Cryptography
3.1 Steganographic Watermarking
3.1.1 Watermarking Categories
3.1.2 Spread Spectrum Watermarking
3.1.3 Attacks and Defenses
3.2 Public Key Cryptography
3.2.1 RSA Cryptosystem
3.2.2 ElGamal Cryptosystem
3.2.3 Rabin Cryptosystem
3.2.4 Elliptic Curve Cryptography
3.2.5 Attacks on Cryptosystems
3.3 Pre- and Post-processing
3.3.1 Trade-offs: Capacity and Invisibility
3.3.2 Power Spectral Density (PSD)
3.3.3 Choice of watermark
3.3.4 Choosing document components to alter
3.3.5 Watermark detection

Chapter 4. Issues Associated with Mutual Distrust
4.1 The problem with trusting too much...
4.2 Significance of Research
4.3 Applications of Research Findings
4.4 Trusted Owner Party Scenario
4.5 The Staining Approach
4.5.1 Problems Anticipated with Staining

Chapter 5. Experimental Results
5.1 Test Work
5.2 XOR Cryptosystem
5.3 Block-based Cryptosystem
5.4 RSA Cryptosystem
5.5 Elliptic Curve Cryptosystem


Chapter 6. Summary
6.1 Discussion of Problems
6.1.1 The Exacting Nature of Cryptograms
6.1.2 Cryptosystem and Watermark Requirements
6.2 Conclusion
6.3 Summary of Contributions
6.4 Future Research

Appendix A. Acronyms, Abbreviations and Glossary
A.1 Acronyms
A.2 Abbreviations
A.3 Glossary

Appendix B. Paper-Pen Analyses
B.1 XOR Watermarking Algorithm
B.2 RSA Cryptosystem
B.3 Elliptic Curve Cryptography (ECC)

Appendix C. Codes
C.1 XOR
C.2 Block-Based
C.3 RSA
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
C.4.1 Truncation
C.4.2 JPEG Compression
C.4.3 Cropping and Replacing
C.4.4 Gaussian Noise Addition
C.4.5 Scaling and Rescaling
C.4.6 Combination Attacks: Rotate, Crop and Rescale
C.4.7 Combination Attacks: Crop and Rescale
C.4.8 Double Watermarking


C.5 Extraneous
C.5.1 POWMOD
C.5.2 RANDPRIME
C.5.3 EXTDEUC

Bibliography


Abstract

In this thesis, we present a novel, elegant and simple method for secure transaction authentication and non-repudiation for trading multimedia content. Multimedia content can be video, images, text documents, music, or any form of digital signal; however, here we will focus particularly on still images with application to video.

We will provide proof that not only can receiving parties within a transaction be untrustworthy, but the owner, or members within an owning party, also cannot be trusted. Known as the insider attack, this attack is particularly prevalent in multimedia transactions. Thus the focus of the thesis is on the prevention of piracy, with particular emphasis on the case where the owner of a document is assumed to be capable of deceit, placing the system under the assumption of mutual distrust.

We will introduce a concept called staining, which will be used to achieve authentication and non-repudiation. Staining is composed of two key components: (1) public-key cryptography; and (2) steganographic watermarking. The idea is to watermark a multimedia document after encryption, thereby introducing a stain on the watermark. This stain is due to the non-commutative nature of the scheme, so that decryption will be imperfect, leaving a residue of the cryptographic process upon the watermark. Essentially, secrets from the owner (the watermark) and the receiver (the cryptographic key) are entangled rather than shared, as in most schemes.

We then demonstrate our method using image content and will test several different common cryptographic systems with a spread-spectrum type watermark. Watermarking and cryptography are not usually combined in such a manner, due to several issues such as the rigid nature of cryptography. Contrary to the expectation that there will be severe distortions caused to the original document, we show that such an entanglement is possible without destroying the document under protection. We will then attack the most promising combination of systems by introducing geometric distortions such as rotation and cropping, as well as compressing the marked document, to demonstrate that such a method is robust to typical attacks.


Statement of Originality

This work contains no material that has been accepted for the award of any other degree or diploma in any university or other tertiary institution and, to the best of my knowledge and belief, contains no material previously published or written by another person, except where due reference has been made in the text.

I give consent to this copy of my thesis being available in the University Library.

The author acknowledges that copyright of published works contained within this thesis (as listed under Publications) resides with the copyright holder/s of those works.

Signed Date


Acknowledgments

I am grateful to my supervisors, Dr. Matthew Sorell and Dr. Robert Clarke, for teaching me how to walk on water, and for their boundless patience and guidance over the course of my PhD. They have given me an incredible opportunity to study these fascinating fields of watermarking and cryptography, to which I could never express my gratitude enough. I am especially thankful for the care and speed with which they reviewed my original manuscript, considering Dr. Sorell has just had his second child and Dr. Clarke is in semi-retirement.

I would also like to thank the School of Electrical and Electronic Engineering of the University of Adelaide, including the lovely office ladies who have made my postgraduate life easier, for all the resources that have been made available to aid me in my research. Furthermore, I would like to include in my acknowledgements all the members of the Centre for Internet Research (CIR), past and present, for making my postgraduate candidature an exceptional time in my life. Many of my colleagues have become very good friends of mine, especially one very witty and brilliant miss, who has been of great help over the years, and while I was writing this dissertation.

For all their love and encouragement, I would also like to acknowledge my friends and family, and in addition for his faith, my closest friend, Andrew Morris, as well as for his cheer: “You can do it, Gigi!”, that has kept me going during some tough times. Infinitely, I would like to thank God, for listening to my worries, and giving me strength and clarity when I have needed them the most.

Finally, I would like to thank the anonymous reviewers, for taking the time to review this manuscript. Their constructive and insightful comments have been of tremendous value.


Publications

Wong, A. S. L., Sorell, M. & Clarke, R. (2004). Transaction Tracking for Multimedia Content from a Mutual Distrust Perspective. International Symposium on Intelligent Multimedia, Video & Speech Processing (ISIMP2004), The Hong Kong Polytechnic University, Hong Kong, October 20–22.

Wong, A. S. L., Sorell, M. & Clarke, R. (2005). Secure Mutual Distrust Transaction Tracking Using Cryptographic Elements, Lecture Notes for Computer Science, No. 3710, 4th International Workshop on Digital Watermarking (IWDW2005), Siena, Italy, September 13–15, pp. 459–469.

Wong, A. S. L., & Sorell, M., (2007). Trading Multimedia Content Using Entangled Secrets, in Chang-Tsun Li (ed.), Multimedia Forensics and Security, Idea Group Inc. Pending Acceptance for Publication.


List of Figures

3.1 An example of fragile watermarking.

3.2 An example of robust watermarking.

3.3 The most general watermarking system.

3.4 Point addition of two unequal points in a real field.

3.5 Point addition of a point and its reflection in a real field.

3.6 Point doubling in a real field.

4.1 Trust-distrust copy transfer process.

4.2 Mutual distrust copy transfer process.

5.1 Lena image used in the testing of the implementations, courtesy of the Signal and Image Processing Institute at the University of Southern California.

5.2 Baboon image used in the testing of the implementations, courtesy of the Signal and Image Processing Institute at the University of Southern California.

5.3 Results for XOR encryption and spread spectrum watermarking scheme with α = 0.012, (a) original image (Lena), (b) after encryption, (c) then watermarking, and finally (d) after decryption.

5.4 Results for matrix multiplication watermarking scheme, with encryption block size 8, and DCT watermarking block size 8, α 0.00043, (a) original image (Lena), (b) after encryption, (c) then watermarking, and finally (d) after decryption.

5.5 Comparison for matrix multiplication watermarking scheme, with encrypted image at block sizes (a) 8, (b) 16, (c) 64, and (d) 512.


5.6 Results of RSA encryption and DCT watermarking, α = 0.001, (a) original image (Lena), (b) after encryption, (c) then watermarking, and finally (d) after decryption.

5.7 The correlation of the decrypted image to 100 randomly watermarked decrypted images.

5.8 Results of RSA encryption and DCT watermarking, α = 0.001, after applying attack: forcing to 8-bits, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.

5.9 Results of RSA encryption and DCT watermarking, α = 0.001, after applying attack: JPEG compressed by 50%, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.

5.10 Results of RSA encryption and DCT watermarking, α = 0.001, after applying attack: cropping 1 pixel from edges, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.

5.11 Results of RSA encryption and DCT watermarking, α = 0.001, after applying attack: cropping 50 pixels from edges, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.

5.12 Results of RSA encryption and DCT watermarking, α = 0.001, after applying attack: adding Gaussian noise with zero mean and standard variance 0.004, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.

5.13 Results of RSA encryption and DCT watermarking, α = 0.001, after applying attack: scaling by half and then doubling in size, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.

5.14 Results of RSA encryption and DCT watermarking, α = 0.001, after applying attack: cropping 1 pixel from edges and resizing to original size, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.


5.15 Results of RSA encryption and DCT watermarking, first watermark α = 0.0005, second watermark α = 0.0005, after applying attack: double watermarking, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.

5.16 Results of RSA encryption and DCT watermarking, α = 0.001, correlation after applying attack: forcing to 8-bits, where the original image has been subtracted from the attacked image, before correlating.

5.17 Results of RSA encryption and DCT watermarking, α = 0.001, correlation after applying attack: JPEG compressed by 50%, where the original image has been subtracted from the attacked image, before correlating.

5.18 Results of RSA encryption and DCT watermarking, α = 0.001, correlation after applying attack: cropping 1 pixel from edges, where the original image has been subtracted from the attacked image, before correlating.

5.19 Results of RSA encryption and DCT watermarking, α = 0.001, correlation after applying attack: cropping 50 pixels from edges, where the original image has been subtracted from the attacked image, before correlating.

5.20 Results of RSA encryption and DCT watermarking, α = 0.001, correlation after applying attack: adding Gaussian noise with zero mean and standard variance 0.004, where the original image has been subtracted from the attacked image, before correlating.

5.21 Results of RSA encryption and DCT watermarking, α = 0.001, correlation after applying attack: scaling by half and then doubling in size, where the original image has been subtracted from the attacked image, before correlating.

5.22 Results of RSA encryption and DCT watermarking, α = 0.001, correlation after applying attack: cropping 1 pixel from edges and resizing to original size, where the original image has been subtracted from the attacked image, before correlating.


5.23 Results of RSA encryption and DCT watermarking, first watermark α = 0.0005, second watermark α = 0.0005, correlation after applying attack: double watermarking, where the original image has been subtracted from the attacked image, before correlating.

5.24 Results of RSA encryption and DCT watermarking, capacity analysis, with α varying from 0.0002 to 0.001, and for a range of prime keys, n, versus peak signal-to-noise ratio (PSNR).

5.25 Results of RSA encryption and DCT watermarking, capacity analysis, with α varying from 0.0002 to 0.001, and for a range of prime keys, n, versus peak signal-to-noise ratio (PSNR), lower-bound and best-fit.

5.26 Results of RSA encryption and DCT watermarking, capacity analysis, with α varying from 0.0002 to 0.001, versus a range of prime keys, n, versus peak signal-to-noise ratio (PSNR), upper-bound and surface-best-fit.

5.27 Results of RSA encryption and DCT watermarking, capacity analysis: individual upper-curve best-fits for α equal to (a) 0.0002, (b) 0.0003, (c) 0.0004, (d) 0.0005, (e) 0.0006, and (f) 0.0007.

5.28 Results of RSA encryption and DCT watermarking, capacity analysis: individual upper-curve best-fits for α equal to (a) 0.0008, and (b) 0.001.

5.29 Results of RSA encryption and DCT watermarking, capacity analysis: upper-curve percentage of PSNR below the JND threshold.

5.30 Results of Menezes-Vanstone EC encryption and DCT watermarking, α = 0.001, (a) original image (Lena), (b) after encryption, (c) then watermarking, and finally (d) after decryption.

5.31 The correlation of the MVECC-encrypted and DCT-watermarked recovered watermark to 100 random watermarks.

5.32 Results of MV-ECC encryption and DCT watermarking, watermark at α = 0.001, correlation after applying attack: forcing to 8-bits, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.

5.33 Results of MV-ECC encryption and DCT watermarking, watermark at α = 0.001, correlation after applying attack: JPEG compression to 10%, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.


5.34 Results of MV-ECC encryption and DCT watermarking, watermark at α = 0.001, correlation after applying attack: cropping 1 pixel from the edges and replacing from the original, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.

5.35 Results of MV-ECC encryption and DCT watermarking, watermark at α = 0.001, correlation after applying attack: cropping 50 pixels from the edges and replacing from the original, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.

5.36 Results of MV-ECC encryption and DCT watermarking, watermark at α = 0.001, correlation after applying attack: adding Gaussian noise with zero mean and standard variance 0.01, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.

5.37 Results of MV-ECC encryption and DCT watermarking, watermark at α = 0.001, correlation after applying attack: scaling by half and then doubling the size, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.

5.38 Results of MV-ECC encryption and DCT watermarking, watermark at α = 0.001, correlation after applying attack: cropping 1 pixel from edges and resizing to original dimensions, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.

5.39 Results of MV-ECC encryption and DCT watermarking, first watermark α = 0.0005 at index 27, second watermark α = 0.001 at index 65, correlation after applying attack: double watermarking, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.

5.40 Results of MV-ECC encryption and DCT watermarking, α = 0.005, correlation after applying attack: rotating 1° clockwise, cropping 3 pixels from edges, and resizing to original size, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.

5.41 Results of MV-ECC encryption and DCT watermarking, α = 0.001, correlation after applying attack: forcing to 8-bits, where the original image has been subtracted from the attacked image, before correlating.


5.42 Results of MV-ECC encryption and DCT watermarking, α = 0.001, correlation after applying attack: JPEG compressed to 10%, where the original image has been subtracted from the attacked image, before correlating.

5.43 Results of MV-ECC encryption and DCT watermarking, α = 0.001, correlation after applying attack: cropping 1 pixel from edges and replacing from original, where the original image has been subtracted from the attacked image, before correlating.

5.44 Results of MV-ECC encryption and DCT watermarking, α = 0.001, correlation after applying attack: cropping 50 pixels from edges and replacing from original, where the original image has been subtracted from the attacked image, before correlating.

5.45 Results of MV-ECC encryption and DCT watermarking, α = 0.001, correlation after applying attack: adding Gaussian noise with zero mean and standard variance 0.01, where the original image has been subtracted from the attacked image, before correlating.

5.46 Results of MV-ECC encryption and DCT watermarking, α = 0.001, correlation after applying attack: scaling by half and then doubling in size, where the original image has been subtracted from the attacked image, before correlating.

5.47 Results of MV-ECC encryption and DCT watermarking, α = 0.001, correlation after applying attack: cropping 1 pixel from edges and resizing to original size, where the original image has been subtracted from the attacked image, before correlating.

5.48 Results of MV-ECC encryption and DCT watermarking, first watermark α = 0.0005, second watermark α = 0.001, correlation after applying attack: double watermarking, where the original image has been subtracted from the attacked image, before correlating.

5.49 Results of MV-ECC encryption and DCT watermarking, α = 0.005, correlation after applying attack: rotating 1° clockwise, cropping 3 pixels from edges, and resizing to original size, where the original image has been subtracted from the attacked image, before correlating.


List of Tables

3.1 Summary of Cox’s watermarking algorithm

3.2 Summary of RSA algorithm

3.3 Summary of ElGamal algorithm

3.4 Summary of Rabin algorithm

3.5 Summary of ElGamal-type ECC encryption algorithm

3.6 Summary of Menezes-Vanstone ECC encryption algorithm

5.1 Summary of XOR encryption algorithm

5.2 Summary of XOR watermarking algorithm

5.3 Summary of matrix multiplication watermarking algorithm

5.4 Correlation comparison for different encryption and watermarking block sizes for matrix multiplication watermarking scheme.

5.5 Summary of RSA watermarking algorithm

5.6 Summary of Menezes-Vanstone ECC watermarking algorithm


Chapter 1

Introduction

This chapter is an introduction and background into the research discussed in this thesis. Before the digital age, when video data was limited to being stored on videotapes, video piracy was not an important issue as videotapes deteriorate in quality with each copy. However, with the advance of video technology in the digital age comes the ability to generate perfect copies of a video. This has made video piracy very popular since illegal copies can be obtained easily and are considerably less expensive than a legal copy. This has resulted in a boom in video piracy. This problem has since grown uncontrollably and has become an increasing threat to the movie production and pre-mass-distribution industries, necessitating action. To that purpose there has been extensive research into the area of digital copy protection, watermarking and steganography.


1.1 Outline of Thesis

This chapter looks into the history of copy protection, as well as a brief statement of some of the assumptions of this research. This is followed by some background into what is currently occurring in digital rights management and a list of watermarking criteria, plus the significance and aims of this research, ending in some legal notes.

The following chapter (2) will give a review on the state of copyright protection for multimedia. This will consist of watermarking, cryptography, and watermarking and cryptography in combination. The chapter ends with a brief summary and conclusion on the technologies discussed.

Chapter 3 outlines the technical background on which the work in this thesis is based. This includes the watermarking method which will be employed. In addition, several cryptographic techniques will be discussed in detail.

Chapter 4 will definitively state the issues in digital rights management which this thesis will be addressing, including its significance to today’s problems. This will lead into a description of the new methodology and how it contributes to solving the stated issues.

The implementations and results of the new methodology follow in the succeeding chapter. The codes for the implementations are placed in Appendix C.

Finally, the conclusions that resulted from this research will be in Chapter 6. This chapter will also discuss the problems discovered during the course of the research, state the summary of contributions and suggest some possible directions for future research.

1.2 History

1.2.1 Watermarking

Watermarking is the process of placing a piece of information upon a document, which can be a physical object such as a piece of paper or a photograph. It can also be placed upon signals such as electronic forms of music, a digital image or video. The latter is known as digital watermarking. Watermarks contain information usually pertaining to the document, such as the author of the document. A watermark can also verify the authenticity of a document.


Watermarking can be traced back to ancient China, when owners of precious objects, such as artwork, would stamp their stylised name upon the item to identify ownership. Watermarks also used to feature in the manufacturing of paper, as a means of identifying the mill that produced the paper, as well as indicating the type, quality and strength of the paper. Watermarking is still widely used today, especially in the authentication of paper money.

The hidden form of placing information upon a document is known as steganography. Steganography is derived from the Greek words steganos, meaning “covered”, and graphia, meaning “writing” – “covered writing”. The document in this case is usually known as the work or cover work.

Steganography can be traced back to ancient Greece as well as ancient China. In ancient China, messages were written on silk, scrunched and hidden in a ball of wax, then swallowed for transmission. In Greece, a message was tattooed upon the bare scalp of a slave. The slave’s hair was allowed to grow back, hiding the message, before he was sent to the message’s destination, where his hair was shaved off again to reveal the message.

Steganography was employed during the Second World War, with the use of “special inks”, rendered visible only under certain circumstances. Messages were even shrunk into tiny circles and hidden in the superscript dot above the letters i and j in an innocent document. Today, with the aid of computers, steganography is also used to conceal messages within digital media.

Hiding information such as details about a cover work, for example the author of the cover work, in digital media is known as digital steganographic watermarking. Digital steganographic watermarking will be referred to henceforth as just watermarking.

1.2.2 Cryptology

While watermarking is concerned with hiding information regarding a message within the message, cryptography is the art of hiding the message itself. Cryptanalysis is then the art of un-hiding said message; cryptology is the general name encompassing both areas. The process of enciphering the message is called encryption, and the corresponding process of deciphering is referred to as decryption.

Cryptology naturally began in the field of linguistics, to hide spoken or written words, its history spanning as long as that of watermarking. The oldest notable instance of the use of cryptography was by Julius Caesar, who used a simple substitution algorithm, replacing a letter with another letter further down the alphabet, essentially shifting the letter by a fixed amount. Hence these kinds of ciphers were known as shift ciphers.

During the Second World War, codebooks were employed as a means of encryption and decryption. These codebooks were lookup tables consisting of a series of words or phrases and the possible strings that could be used to represent them. Since a word or phrase was selected to be equivalent to a unique, fixed-length block of letters, these types of cryptosystems were known as block ciphers.

Later, cryptography moved from linguistics to the digital medium, especially for faster and easier cryptanalysis, where a cryptanalyst can attempt to break the cryptographic system or cryptosystem, with the greater processing abilities of a computer. This meant longer key lengths and more cunning algorithms and protocols needed to be devised to prevent easy cryptanalysis, and cryptosystems today are typically made and broken with the aid of high-speed computers.

1.3 Assumptions

There are also certain assumptions associated with watermarking methods, with regard to their survivability against attacks. A moderately skilled attacker with one or two adequately powerful computers and a reasonable level of expertise in signal and image processing should be anticipated. This attacker will also be willing to spend up to a few days trying to remove or corrupt a watermark.

The most important assumption is that of attacks from a “person”, either an individual or a company, involved in the transaction. This assumption is reasonable as a study has shown 77% of piracy occurred through insider sellout, originating from among pre-mass-distribution organizations (Byers et al. 2003). This person will presumably know the method used to embed the watermark into the cover work, the form of the watermark, the embedding key(s), the detection method and the encryption method(s) used. These are generally known as insider attacks.

There are also more specific attacks. These attacks can be deliberate or non-deliberate. For instance, the normal image processing techniques are usually non-deliberate, but because they might distort the watermark, these processing methods must be considered as attacks. The attacks can also be applied individually or in conjunction, but only to the extent that the cover work is not compromised.

Types of expected attacks are as follows:

• Common signal processing: such as digital-to-analog and analog-to-digital conversion, resampling, requantisation (including dithering and recompression), and common signal enhancements to image contrast and colour;

• Common geometric distortions: such as rotation, translation, cropping and scaling;

• Subterfuge attacks: such as collusion and forgery;

• Specialised attacks: such as the jitter attack and the mosaic attack; and

• Video-specific attacks: such as frame shuffling, frame insertion, frame removal and inter-frame collusion.

These will be discussed in greater detail in §3.1.3.

1.4 Background and Aim

The earliest example of digital copy protection occurred in 1954, when a patent was applied for by Emil Hembrooke of the Muzac Corporation, “Identification of sounds and like signals” (Hembrooke 1961). The patent described a method of identifying the owner of a piece of music by embedding an unnoticeable identification code into the music, comparable to a watermark in paper. Since then, digital copyright protection has blossomed into an increasingly important area of research and interest.

In 1996, a group known as the DVD Copy Protection Technical Working Group (CPTWG), formed by the Motion Picture Association of America (MPAA), the Consumer Electronics Manufacturers Association (CEMA), and members of the computer industry (Miller et al. 1999), began developing copy protection systems for DVDs. They developed a system known as the Copy Generation Management System (CGMS). This system was based on compliant recording machines, which can be consumer devices such as DVD burners. These compliant devices check for special instructions on a DVD, dictating whether a DVD can be copied with no limits, copied once or never copied. Such a technique is known as copy control (Linnartz 1998, IBM Research 1999). However, a non-compliant DVD player can be utilised to remove the CGMS (Miller et al. 1999).

A method of implementing device control, developed by Macrovision, was the Analog Protection System (APS). This system prevents DVDs from being recorded on VCRs. However, there are also ways of circumventing this system as shown by (Miller et al. 1999) and (King et al. 1999b).

Another method of implementing device control, known as the Content Scramble System (CSS), developed in 1997, was also created by the CPTWG. CSS is an encryption and decryption system for compliant DVD players. Compliant DVD players possess certain keys, licensed by the DVD Copy Control Association (DVD CCA), which allow them to decrypt the encrypted content on a DVD (Kesden 2000).

However, in 1999, a European group known as MoRE (Masters of Reverse Engineering) created a program called DeCSS, which copies the contents of a DVD directly onto a user’s hard drive. This was possible due to an error on the part of one of the manufacturers, Xing Technology Corporation, in failing to properly encrypt its decryption key. Not only was Xing Technology Corporation’s key exposed, but because of the relationship between each of the CSS keys, some 170 keys belonging to other manufacturers were uncovered through reverse engineering and trial and error (Patrizio 1999, Ketola 1999). This effectively rendered CSS obsolete. Even if this method of circumventing CSS had not been discovered, sooner or later the CSS encryption would have been broken by cryptanalysis (King et al. 1999a, Stevenson 1999, Kesden 2000).

Thus the industry was forced to recognise that once encryption is removed from a digital document, that document is no longer protected, and that compliant machines were not enough of a protection. To augment the use of compliant machines and encryption systems, much of the copy protection focus has shifted to the development of watermarking schemes that track and enable the prosecution of people that traffic in illegal distribution.

Watermarking techniques and methods are highly dependent on their application areas. Seven possible application areas as defined in (Bloom et al. 2001b) are:

1. Broadcast Monitoring

2. Owner Identification

3. Proof of Ownership

4. Transaction Tracking

5. Content Authentication

6. Copy Control, and

7. Device Control

The focus of our research will be to trace the source of illegal redistribution before mass distribution. Thus the application area will be transaction tracking, also known as copy tracing or fingerprinting.

Some current transaction tracking research has sought to combine watermarking methods with cryptography as an additional form of security, to prevent certain insider as well as outsider attacks (Piva et al. 2002, Xu et al. 2004, Zhang et al. 2006). Hence this dissertation will also attempt to incorporate a technical background of currently used encryption as well as watermarking schemes in Chapter 3. Our contribution to this combination will be explained in Chapter 5.

The criteria that our watermarking method will attempt to meet are:

• Fidelity: Any watermark embedded using our method should not cause perceptible changes to the cover work under normal viewing conditions.

• Robustness: The watermarks should be able to survive known attacks (see §3.1.3). They should not be removable or destroyable without serious degradation of the cover work.

• Detectability: The watermarks should be detectable by our method only, so as to remain hidden from attackers. It is also desirable that there be a negligible probability of incorrect detection of a watermark in a cover work that does not contain an embedded watermark.

• Conclusiveness: There should be no confusion as to the owner of a watermark.

• Additivity: Watermarks should be immutable by other watermarks placed in the same cover work, whether embedded by the same method or using a different method.

• Capacity/Complexity: The “size” of watermarks should not be such that only a small number of watermarks can be embedded into any given cover work without causing perceptible changes. However, embedding too short or too simple a watermark would mean that the watermark will be less robust and easier to lose. As the watermarks are intended to be embedded in video, the embedding will occur in real-time, and hence should have low complexity.

There are various watermarking techniques that have been used to meet the above criteria. In the past, watermarks have been embedded in the least significant components of a cover work to meet the fidelity condition. However, it was discovered that watermarks embedded in this manner were easily distorted or removed. As the loss of the least significant components of a cover work does not affect the perceptible quality to the human eyes or ears, these components are often discarded during compression. This means the removal of the embedded watermark.

The alternative approach is to embed in the significant components. This has the unfortunate effect of the watermark possibly becoming visible in the cover work if care is not taken during embedding. Therefore, a careful balance must be achieved when attempting to meet the above criteria.

We should also note that this research is not intended to define a permanent one-off solution but one that can be continually upgraded to keep up with advances in technology and attacker skills.

1.5 Legal Issues

As this application is intended for commercial use, there are many legal issues that will need to be addressed. The Acts involved, with respect to Australian law, are as follows:

• Copyright Act 1968 (Australian Commonwealth Government 1968)

• Electronic Transactions Act 1999 (Australian Commonwealth Government 1999)

• Copyright Amendment (Digital Agenda) Act 2000 (Australian Commonwealth Government 2000)

• CyberCrime Act 2001 (Australian Commonwealth Government 2001)


International law or agreement may also need to be recognised, such as the Free Trade Agreement that has been arranged between Australia and the United States of America. This agreement means that US Intellectual Property Laws are enforceable in Australia. This legislation includes:

• The Digital Millennium Copyright Act of 1998 (US Copyright Office 1998)

The legal issues are particularly relevant in this area of research as it deals with mutual distrust, where neither company involved in a transaction can be trusted, and both are capable of violating copyright. Mutual distrust will be explained in more detail in Chapter 4. Research in this area must be legally sound to ensure that no legal loopholes can prevent prosecution. However, for the time being, since this research is as yet a purely intellectual pursuit and non-commercially linked, these laws are noted here but not addressed.


Chapter 2

A Review of the State of the Art

Though both cryptography and watermarking deal with the concealment of some secret, cryptography is about obscuring the veracity of the content of a message but not the existence of the message, while steganographic watermarking is about hiding the very existence of the message. As a result, though both have the same roots, they are very different in application and development. This chapter gives a review of both these areas of security, as well as literature with a union of these two areas.


2.1 Watermarking Alone

The idea of digital watermarking was introduced in 1954 by Emil Hembrooke’s patent, but the field is still undergoing more of an evolution with the never-ending cycle of more techniques coming in to attack watermarking schemes, and more schemes being created to prevent those attacks.

Turner (1989) produced a patent for digital audio watermarking which replaces the least significant bits of random audio samples with bits from the watermark. This idea can also be applied to digital images and video (van Schyndel et al. 1994). However, using the least significant bit of a content means that the watermark can easily be destroyed or removed, for instance during signal processing with a simple low-pass filter operation, and compression.

Tanaka et al. (1990a), Tanaka et al. (1990b), and Matsui and Tanaka (1994) looked into adapting watermarks to the document’s representation. For example, they put forth that whether an image was represented by dithering, linear predictive coding or run-lengths (fax) should determine how a watermark will be encoded. However, it was unclear whether some of the methods suggested would be robust to typical signal processing.

Brassil et al. (1995) presented several watermarking systems for text documents that are being distributed electronically. These methods involved the indiscernible shifting of lines, words or characters in a document according to some decision rule to track a document, even after the document has undergone photocopying. However, the authors noted that these methods can be defeated by randomly shifting lines, words or characters slightly.

Caronni (1995) introduced the term tagging, where a tag is defined as “the sum of hidden information introduced into an image”, similar to a watermark. They listed a series of requirements for tags, then suggested methods of embedding a tag into an image. These include the automatic or manual altering of picture elements, for example, automatically detecting and shifting borders within the image, or manually adding more leaves to a tree. They showed an experiment with altering the intensity of the image in chosen rectangular blocks, with special considerations taken to hide the rectangles in the natural noise of the image. However, though the tag is independent of the image, this process will only work on selected images, as noted by the author, not on images with a large number of homogeneous regions or too many sharp edges. This process may also be susceptible to normal forms of image processing as the tag is also an image. In addition, the process requires an explicitly trustworthy image owner, which may not always be the case (Byers et al. 2003).

Cox et al. (1995) placed a watermark into the perceptually significant components of a signal. This means that the watermark would be robust to typical signal distortions and attacks. To avoid degrading the image excessively, the watermark was placed into the discrete cosine transform (DCT) components of the image using an idea similar to spread spectrum communications, i.e. hiding a narrow-band signal (the watermark) in a wide-band channel (the image). The length and strength of the watermark was then adjustable depending on the requirements of the data. Placing the watermark into the perceptually significant components of an image meant that the hidden watermark would be difficult to uncover and remove. However, if the watermark is not carefully embedded, it may become visible to all, and hence distort the image itself.

Bender et al. (1996) presented two different approaches to watermarking: (1) Patchwork, a statistical approach, and (2) Texture Block Coding, a visual approach. The first approach works by randomly choosing a pair of image points, A and B. Letting a equal the brightness of point A, and similarly b for B, the procedure increases each a_i and decreases each b_i by the same amount δ, for the ith iteration, repeating n times such that the expected value of the sum of the differences of the pairs is 2δn. They then suggested improvements such as taking groups of several points instead of single points to increase the robustness of the process. While this technique is resistant to most non-geometric image processing, it assumes all brightness levels are equally likely, which is not usually the case. The second approach hides data in the continuous random texture patterns of an image by copying a region from a random texture pattern to an area which has similar texture. The identical areas can then be detected by using autocorrelation of the image to recover the shape of the areas. In this paper, the visual method requires that the region texture mappings be done manually, but these could be automated. However, this method is limited to images with lots of texture, and can be defeated with selective image processing, such as replacing textured areas with a similar random texture pattern, which reduces the amount of texture that can be autocorrelated.
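The Patchwork procedure described above can be followed step by step in a short added example, which is not code from the thesis or from Bender et al. It assumes a key-seeded generator for choosing the pairs, a flat list of 8-bit brightness values as the image, a detection threshold of δn, and a constructed noise image as the cover work.

```python
import random

def keyed_pairs(key, num_pixels, n):
    """Derive n disjoint (A_i, B_i) pixel index pairs from the secret key."""
    rng = random.Random(key)
    idx = rng.sample(range(num_pixels), 2 * n)
    return list(zip(idx[:n], idx[n:]))

def embed(pixels, key, n, delta):
    """Raise each a_i and lower each b_i by delta (clamped to 0..255)."""
    out = list(pixels)
    for a, b in keyed_pairs(key, len(out), n):
        out[a] = min(255, out[a] + delta)
        out[b] = max(0, out[b] - delta)
    return out

def pair_sum(pixels, key, n):
    """Sum of (a_i - b_i): about 0 if unmarked, about 2*delta*n if marked."""
    return sum(pixels[a] - pixels[b]
               for a, b in keyed_pairs(key, len(pixels), n))

def detect(pixels, key, n, delta):
    """Decide 'marked' when the sum exceeds delta*n (assumed threshold)."""
    return pair_sum(pixels, key, n) > delta * n

def make_cover(seed=1, size=64 * 64):
    """Constructed cover: mid-grey noise, far from 0 and 255 (no clamping)."""
    rng = random.Random(seed)
    return [rng.randint(100, 156) for _ in range(size)]

def evaluate(key="secret", n=2000, delta=4):
    cover = make_cover()
    marked = embed(cover, key, n, delta)
    brightened = [v + 10 for v in marked]   # non-geometric processing
    shifted = marked[1:] + marked[:1]       # one-pixel translation
    return {
        "shift_in_sum": pair_sum(marked, key, n) - pair_sum(cover, key, n),
        "cover": detect(cover, key, n, delta),
        "marked": detect(marked, key, n, delta),
        "wrong_key": detect(marked, "other-key", n, delta),
        "brightened": detect(brightened, key, n, delta),
        "shifted": detect(shifted, key, n, delta),
    }

if __name__ == "__main__":
    for name, value in evaluate().items():
        print(name, value)
```

The uniform brightness change cancels inside every difference a_i - b_i, so the mark survives it, while the one-pixel translation moves the pixels away from the keyed positions and the sum falls back towards zero.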

Smith and Comiskey (1996) considered embedding watermarks from an information theoretic point of view. Therefore the original image is viewed as the noise and the watermark to be embedded as the signal, modelling the hiding capacity, perceptibility and robustness of a watermark using the image’s channel capacity, signal-to-noise ratio (SNR), and jamming margin or processing gain. Several spread spectrum or spread spectrum-like watermarking schemes were discussed, analysed from an information and communication theory perspective. A new hiding scheme was then proposed, whose parameters are adjustable depending on whether capacity, imperceptibility or robustness was the primary factor. In addition, a new technique called predistortion was presented to increase resistance to known distortions that will be introduced to the system. For example, if it is known that an image to be watermarked will be later JPEG compressed, then the watermark should be JPEG compressed and uncompressed as well. This process however assumes a Gaussian channel distribution, which may not be a sufficiently accurate model, and the watermark will not be a function of the image, as they were assuming capacity as the primary factor.

Langelaar et al. (1997) introduced two watermarking methods: (1) an extension of an existing spatial labeling technique, and (2) a method that discards high frequency DCT coefficients as a way of embedding a label. The first method extends Pitas and Kaskalis’ method (Pitas and Kaskalis 1995), which adds a positive integer constant k (the label embedding level) directly to the brightness level of half the pixels in an image. In addition, Langelaar et al. divided the image into blocks and searched for an optimal label-embedding level k for each block instead of using a fixed embedding level, and k is determined using a lower quality JPEG compressed version of each block. This was to give the method a larger label for greater robustness, especially against JPEG compression, and lower noticeability. However, this meant that the method is more complex and not ideal for real-time implementation due to the compression and recompression step, and the labeling itself. This method is also very susceptible to geometric attacks such as cropping and shifting. The second method avoids the partial recompression by removing the high frequency DCT coefficients of particular DCT blocks. This method proved to be more robust to cropping and shifting than the first method, and can be implemented in real-time as it embeds relatively few labels. However, this method is not as resistant to JPEG compression or combinatory attacks such as JPEG compression followed by shifting.


Hartung and Girod (1997) presented a public-key watermarking scheme for compressed video as well as images, where decoding of the watermark is not made completely public. The watermark is embedded along the same principles as direct-sequence spread spectrum communications, and is composed of the spread version of a binary sequence, b_i, a watermarking strength factor, α, and a binary pseudo-noise sequence, p_i. Decoding the watermark is then achieved by summing the filtered, watermarked video frame multiplied by p_i, yielding a correlation sum from which the binary sequence can be extracted. They suggested that a public version that does not allow the watermark to be fully decoded, and hence removable or corruptible, is possible by only summing the filtered watermarked video frame multiplied by a pseudo-noise sequence where only every n-th bit is from p_i and the rest are arbitrary values with the same distribution. This yields a correlation sum that is 1/n of the fully decoded correlation sum. However, this process still assumes a trusted owner scenario.
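The private and public detectors described above can be compared in a small added example, which is not code from the thesis or from Hartung and Girod. The chip count per bit, the strength α = 2, n = 4, the key strings and the constructed host signal (standing in for the frame after the detector's filter) are all assumptions of the example.

```python
import random

ALPHA = 2       # watermark strength factor (alpha in the text)
CHIPS = 10000   # samples each bit is spread over (assumed value)
N = 4           # public sequence keeps only every N-th entry of p_i

def pn_sequence(key, length):
    """Binary pseudo-noise sequence p_i in {-1, +1}, derived from a key."""
    rng = random.Random(key)
    return [rng.choice((-1, 1)) for _ in range(length)]

def public_sequence(p, n, seed):
    """Every n-th entry comes from p; the rest are arbitrary +/-1 values."""
    rng = random.Random(seed)
    return [p[i] if i % n == 0 else rng.choice((-1, 1))
            for i in range(len(p))]

def embed(host, bits, p):
    """v_i = x_i + alpha * b_j * p_i, bit b_j spread over CHIPS samples."""
    return [x + ALPHA * bits[i // CHIPS] * p[i] for i, x in enumerate(host)]

def correlation_sums(signal, seq):
    """One correlation sum per bit: sum of signal_i * seq_i over its block."""
    return [sum(signal[i] * seq[i] for i in range(start, start + CHIPS))
            for start in range(0, len(signal), CHIPS)]

def decode(signal, seq):
    """The sign of each correlation sum gives the embedded bit."""
    return [1 if s > 0 else -1 for s in correlation_sums(signal, seq)]

def mean_aligned(sums, bits):
    """Average correlation sum after removing each bit's sign."""
    return sum(s * b for s, b in zip(sums, bits)) / len(bits)

def demo():
    bits = [1, -1, -1, 1, 1, -1, 1, -1]           # constructed payload
    length = len(bits) * CHIPS
    rng = random.Random("constructed-host")
    host = [rng.randint(-8, 8) for _ in range(length)]  # filtered residual
    p = pn_sequence("private-key", length)
    q = public_sequence(p, N, "public-filler")
    marked = embed(host, bits, p)
    # Subtract the estimate that the public sequence alone can produce,
    # then check whether the private detector still reads the payload.
    est = decode(marked, q)
    reduced = [v - ALPHA * est[i // CHIPS] * q[i]
               for i, v in enumerate(marked)]
    return {
        "bits": bits,
        "private_bits": decode(marked, p),
        "public_bits": decode(marked, q),
        "private_mean": mean_aligned(correlation_sums(marked, p), bits),
        "public_mean": mean_aligned(correlation_sums(marked, q), bits),
        "after_public_subtraction": decode(reduced, p),
    }

if __name__ == "__main__":
    r = demo()
    print("public/private correlation:", r["public_mean"] / r["private_mean"])
    print("private detector after subtraction:", r["after_public_subtraction"])
```

Both detectors recover the bits, the public correlation sum is close to 1/n of the private one, and the private detector still decodes the payload after the public estimate is subtracted, because only a fraction of the public sequence matches p_i.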

Crowcroft et al. (2000) presented a novel patent for multicasting watermarks as a method of tracing copies of a document. The method basically takes an image and subdivides it into very small portions. Each of these portions is uniquely watermarked several times. These watermarked portions are then transmitted through a part of devices, each of which randomly decides which copy of each portion is transmitted, which are then assembled at the receiver end to produce a uniquely marked image. In this manner, the path taken by the pieces of the image can be determined. However, this method depends on compliant devices, the security of which is difficult to ensure.

2.2 Cryptography Alone

Cryptography is a field that has been around for as long as there has been a need for secret communication. Encrypting a message can be as simple as replacing each unique element of the message with a number, and then adding a constant value to each number. This constant value is then considered to be the key for the system and in this instance is used in both encrypting, by adding the key, and decrypting, by subtracting the key. More difficult cryptosystems will be introduced in Section 3.2.


For this particular research, we are only interested in public-key cryptosystems, where the encryption and decryption keys are not the same. A more concise definition of a public-key cryptosystem is also given in Section 3.2.

2.2.1 General Cryptosystems

The following cryptosystems are general in that they can be used for almost any

input, with no consideration for the type of message being encrypted and decrypted.

In 1977, Rivest, Shamir and Adleman created RSA (Rivest et al. 1978), one of the most

famous public-key cryptosystems known. They described a method in which two

large prime numbers are combined and used together with modulo arithmetic to

build a system whose security is based on the difficulty of factorising large numbers.

However, the prime numbers must be chosen carefully, or prime factorisation algorithms such as that in (McKee 1999) may be applied.

ElGamal (1985) presented a cryptosystem that is based upon modulo arithmetic and relies on the difficulty of solving the discrete logarithm problem for security. The ElGamal algorithm is more often used for signature and authentication schemes. Shoup’s (1997) paper looks into ways of solving the discrete logarithm problem.

The Rabin cryptosystem was developed by Michael Rabin (Rabin 1979). As with

Rivest, Shamir and Adleman’s algorithm, RSA, the security of the cryptosystem is

based on the difficulty of factorising large numbers. Breaking the Rabin cryptosystem

is provably as hard as integer factorisation. The disadvantage of this cryptosystem is

that an encrypted message must be correctly surmised from four possible outcomes.

Elliptic curves were first suggested for use in cryptography in 1985 (Miller 1985).

Elliptic curve cryptosystems (ECCs) have been found to be generally easier to im-

plement but just as hard to defeat as conventional cryptosystems (Lam et al. 1996,

Araki et al. 1998, Rosing 1999, Torii and Yokoyama 2000, Burnett et al. 2002). Due to

their shorter required key-lengths for security, ECCs have become increasingly inter-

esting for use (Hankerson et al. 2000, Yang et al. 2003) and have even been chosen

for inclusion in the NSA’s Suite B set of algorithms (National Security Agency 2005).

As with conventional cryptosystems, ECCs do have the weakness that if the curves

are not carefully chosen, the whole cryptosystem may become vulnerable to special

attacks (Wiener and Zuccherato 1999, Gaudry 2000, Gaudry 2004).

The Paillier cryptosystem was created by Pascal Paillier in 1999 (Paillier 1999). The security of the cryptosystem is based upon the Composite Residuosity (CR) assumption, where computing the n-th residue of a message is believed to be computationally difficult. The important aspect of the Paillier cryptosystem is its homomorphic property with respect to addition. This allows plaintexts to be added and multiplied, making it a more malleable cryptosystem. However, this homomorphic property also causes the cryptosystem to be weaker than conventional cryptosystems such as RSA against adaptive chosen-plaintext attacks.
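The additive homomorphism and the malleability it brings, as an added example that is not code from the thesis or from Paillier's paper: ciphertexts are combined so that the plaintexts add, a watermark is added to encrypted coefficients using the additive rule V′ = V + αW, and a ciphertext is shifted by someone who holds only the public key. The toy primes, the choice g = n + 1, the integer strength α = 3, the sample values and all function names are assumptions of this example.

```python
import math
import secrets

def keygen(p, q):
    """Toy key pair from two primes; deployed keys use primes of 1024 bits or more."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1                                           # simple valid generator (assumption)
    mu = pow(lam, -1, n)                                # works because L(g^lam mod n^2) = lam mod n
    return (n, g), (lam, mu)

def encrypt(pub, m):
    """E(m) = g^m * r^n mod n^2; the fresh random r makes encryption probabilistic."""
    n, g = pub
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return pow(g, m % n, n * n) * pow(r, n, n * n) % (n * n)

def decrypt(pub, priv, c):
    """m = L(c^lam mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    n, _ = pub
    lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

def decrypt_signed(pub, priv, c):
    """Map the result from [0, n) to a signed integer so negative values round-trip."""
    n, _ = pub
    m = decrypt(pub, priv, c)
    return m - n if m > n // 2 else m

def add_encrypted(pub, c1, c2):
    """E(m1) * E(m2) mod n^2 decrypts to m1 + m2."""
    return c1 * c2 % (pub[0] ** 2)

def scale_encrypted(pub, c, k):
    """E(m)^k mod n^2 decrypts to k * m (multiplication by a known constant k)."""
    return pow(c, k, pub[0] ** 2)

def embed_encrypted(pub, enc_values, alpha, watermark):
    """Additive rule V' = V + alpha*W applied to ciphertexts, never seeing V in the clear."""
    return [add_encrypted(pub, c, encrypt(pub, alpha * w))
            for c, w in zip(enc_values, watermark)]

def shift_without_key(pub, c, delta):
    """Malleability: anyone holding only the public key can turn E(m) into E(m + delta)."""
    n, g = pub
    return c * pow(g, delta % n, n * n) % (n * n)

def run_demo():
    pub, priv = keygen(10007, 10009)             # constructed toy primes
    coeffs = [520, -200, 131]                    # constructed integer transform coefficients
    watermark = [1, -1, 1]                       # constructed watermark symbols
    enc = [encrypt(pub, v) for v in coeffs]      # what the embedding party is handed
    marked = embed_encrypted(pub, enc, 3, watermark)
    tampered = shift_without_key(pub, marked[0], 1000)
    return {
        "marked": [decrypt_signed(pub, priv, c) for c in marked],
        "tampered_first": decrypt_signed(pub, priv, tampered),
    }

if __name__ == "__main__":
    print(run_demo())
```

Because shift_without_key needs no secret, the integrity of a Paillier ciphertext has to be protected by a separate mechanism, such as a signature over the ciphertext.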

2.2.2 Image- and Video-Specific Cryptosystems

There are many general classes of cryptosystems as seen in the previous section.

However, though these general cryptosystems can be used for almost any input, they

are either more suited to text documents or bear no consideration for the type of mes-

sage being encrypted and decrypted.

Image and video encryption presents a whole different range of issues that must be

dealt with. For example, there are usually more symbols required than with text.

English text has the usual 26 letters of the alphabet plus special characters, whereas

images can take any integer value within their representation, for instance 8-bit im-

ages can take values from 0 to 255, and colour images have 3 colour planes too. Video

not only has the representation and planes, but 3 different frames as well. Hence,

image and video data are usually much larger than text data. All this means that encryption using the typical cryptographic schemes will take a great deal longer.

In addition, images and videos undergo many signal and geometric processing operations. Hence image- and video-specific cryptosystems aim for reduced computational complexity and allow for loss, for example when compression is used, and for real-time processing. That is, the cryptosystems should not increase the size of a compressed document too much, should be fast to implement for real-time application, and yet still be secure.

Since compression is one of the most time-consuming processes in image and video

processing, combining compression and encryption will be faster than separating the

two processes. The following literature looks into image and video encryption and

decryption combined with compression.

Qiao and Nahrstedt (1997b) discussed problems associated with the symmetric, ran-

dom zigzag-permutation cryptosystem for MPEG video, to be used during the com-

pression stage. They showed that this method of encryption not only increased the

size of the compressed document noticeably but is insecure and unable to with-

stand the known-plaintext attack. They further suggested an algorithm in (Qiao and

Nahrstedt 1997a) that would work better as it is based on the statistical analysis of

MPEG video. However, both systems are symmetric, which limits their range of ap-

plications.

Cheng and Li (2000) suggested a partial encryption method combined with com-

pression that is faster than full encryption and yet is still secure, without reduc-

ing the compression rate. However, this algorithm, as noted by the authors, is not

suitable for JPEG and MPEG compression. Hence they suggested two methods of

compression that this method does work with: quadtree compression algorithm and

zerotree wavelet compression algorithms, i.e. Set Partitioning in Hierarchical Trees

(SPIHT) compression algorithm. They then experimented with their partial encryp-

tion method and the two types of compression methods which showed promising

results for both image and video data.

Chang et al. (2001) offered a secure encryption and decryption system for images

with reduced computational complexity. They discussed issues related to image

encryption and proposed a system based on DES and DES-like cryptosystems. This

system was then used with the vector quantisation compression technique. They

showed that it was robust to a number of cryptographic attacks and that it would

not be very computationally expensive. However, DES is a symmetric system, which

limits its range of applications and does not help with untrustworthy parties.

The system in (Li et al. 2002) is based on multiple, digital chaotic systems, and is

known as the Chaotic Video Encryption Scheme (CVES). CVES is independent of

any video compression algorithms, which makes it useable in many applications,

and it gives reliable security as well as fast encryption. However, under certain ini-

tial conditions there may be a many-to-one mapping which must be avoided for cor-

rect decryption. In addition, this system has not yet been tested and has only been

theoretically analysed, and seems complex to implement and time-consuming to run.

Li and Zheng (2002) looked into cryptanalysing a new chaotic key-based algorithm

for image encryption by (Yen and Gou 2000). They showed mathematically that this

system is not secure, even from a brute-force or exhaustive-search attack. They then

discussed methods of improving the security of the system but concluded in the end

that this system cannot be improved to the point it will ever be secure.

Lin et al. (2003) proposed a public-key optical image encryption algorithm based

on data embedding techniques. Their system employs what they called a double-random-phase encoding in which an image is multiplied by a random-phase mask

in the spatial domain, and then another random-phase mask in the Fourier domain,

to encrypt the image. The keys used to generate the random-phase masks are then

asymmetrically encrypted and also embedded into the encrypted image. This en-

crypted image is then used as a secret channel to hide information within. The re-

sulting decrypted image sustains some distortion in the process, but is still viewable.

What is interesting is that the hidden information survives the process. Attacks to

destroy the hidden information result in too much degradation to the image channel.

Hence, this system may be employed as a method of combining steganographic wa-

termarking and cryptography, if we can reasonably assume that a watermark can be

the hidden information. However, even though this system is based on public-key

cryptography, only the encryption of the keys is asymmetric, whereas the image part

of the encryption, i.e. the process of masking the image into a covert channel, uses

symmetric encryption, which does not work in a mutually distrustful environment.

A system for encrypting binary images is proposed by del Rey (2004) through the

use of hybrid boolean cellular automata (CA), i.e. Wolfram CA, as pseudorandom

bit-generators. This cryptosystem is essentially an XOR stream cipher, which means

that the encryption procedure itself will be fast, and has perfect decryption. However,

it is a symmetric cryptosystem, which limits its use to settings with trusted parties, and is for use on binary images.

Kim et al. (2004) have created a system for MPEG-4 based videos. The major advantage of their system is that it adds as little excess load as possible to the video

streaming system. In the paper, the authors describe three methods for macroblock

encryption. The first works on the I-VOP (video object plane), the second on the

P-VOP, and the third method combines the previous two techniques for the best se-

curity with an additional overhead cost. The specialisation of this system for MPEG-4

video, however, limits it from use in other video types.

The partial encryption idea in Cheng and Li’s (2000) paper seems the easiest and

least complex system to implement. It is especially interesting as it can be used

for wavelet compression and spread spectrum watermarking can be adapted to the

wavelet domain.

2.3 Watermarking and Cryptography

Watermarking and cryptography are often both used in the pursuit of document pro-

tection, but often they are considered separate entities, even when both are used in

the same system. More recent research has looked into the use of the two protec-

tion techniques in cooperation, thus allowing the two systems to complement one

another.

Piva et al. (2002) provide a protocol combining watermarking and an encryption sys-

tem for open networks such as the Internet. This protocol is designed to allow users

to verify that required watermarks have been embedded but are not removable by

other users. However, this protocol would only be useful in a legal transaction, and

for users who want legitimate copies of a document. The mind-set of most users

these days, particularly for video content, is wanting the most cost efficient solution,

regardless of legalities, and whatever watermarks are embedded.

In (Xu et al. 2004), a hybrid encryption and watermarking technique is introduced.

The basic idea is that for a multiple party (multicast) transaction, a secret is parti-

tioned between transacting parties, with a symmetric encryption system used for

security. However, secret sharing and symmetric cryptosystems require completely

trustworthy parties, which cannot be guaranteed.

Zhang et al. (2006) presented a full protocol for watermarking, including registration,

identification and arbitration, using a combination of typical watermarking tech-

niques and public-key cryptography, based on the idea of shared secrets. They used

two rounds of watermarking, with homomorphic encryption with respect to addi-

tion in the middle, to ensure a secure system. However, there are too many steps

required, which makes this system difficult for real-time applications and increases

the chance of a mistake collapsing the security of the system. In addition, this system

does prevent the owner of a document from being deceitful, but does not prevent the

buyer from removing their watermark upon receiving the decrypted marked image,

since the secrets are shared rather than entangled.

2.4 Summary

Many of the above watermarking techniques are aimed at tracking or preventing

piracy after mass-distribution. In addition, none of the above watermarking techniques

fully allows a system in which there is an invisible, traceable watermark that is

robust to attacks, safe in transmission, and addresses the issue of the originator of a

document being capable of deceit as well.

The system that best addresses the above issues is the clever protocol designed by

Zhang et al. (2006), mentioned above. However, even that has its limitations.

Therefore, we present a protocol for entangling secrets rather than the sharing of se-

crets, through a process we call staining. Staining uses basic watermarking and en-

cryption techniques to ensure a simplified and easy-to-use system, and will be fully

presented in the following chapter. For now, we present the technology and intro-

duce the knowledge required to follow various technical aspects of the research.

Chapter 3

A Technical Background on Watermarking and Cryptography

This chapter expounds on the previous chapter by giving a technical background into both the areas of watermarking and cryptography. Included is the background information required to understand certain aspects of these two areas of security.

Figure 3.1. An example of fragile watermarking.

3.1 Steganographic Watermarking

In general, there are two types of watermarks: fragile and robust.

Fragile watermarks are mainly invisible, but can be visible, and are used as a signa-

ture or verification of authenticity. Any tampering with the cover message that the

watermark is embedded into will cause the watermark to be corrupted or destroyed,

hence showing that it has been altered. The black cat in the bottom right corner of

Figure 3.1 is an example of a fragile watermark.

Robust watermarks tend to be invisible to the eye, but can be visible, and are embed-

ded with the intention that they should survive major changes to the cover message.

The purpose of robust watermarks is to serve as a method of identifying the owner,

origin, or other pertinent information regarding the cover message. Figure 3.2 is a

very simple example of a robustly watermarked image and the watermark embed-

ded. In this case, the watermark has been embedded in the 4 LSBs of the image to

deliberately show the faint presence of the watermark. However, note that this par-

ticular watermarking scheme is weak against compression, and here is only used to

illustrate robust watermarking.

The general steps of a watermarking system, shown in Figure 3.3, are:

1. Select watermarking key, kw;

2. Select components of cover work, M, in which to hide the watermark, W. These are usually determined by some watermarking algorithm;

3. Apply key on watermarking algorithm to obtain watermarked cover work, M′.

NOTE: This figure is included on page 24 of the print copy of the thesis held in the University of Adelaide Library.

Figure 3.2. An example of robust watermarking.

Figure 3.3. The most general watermarking system (diagram labels: M, W, kw, M′).

Steganographic watermarking is the art of concealing a secret message within an-

other innocuous cover message, also known as the cover work or host data. In this the-

sis, the term cover work is used. Steganographic watermarks are robust types of water-

marks. Henceforth, steganographic watermarking is referred to as just watermarking

(Bloom et al. 2001a).

NOTE: This figure is included on page 25 of the print copy of the thesis held in the University of Adelaide Library.

Watermarking algorithms aim to hide the watermark within the perceptually significant portions of the cover work. This differs slightly from cryptographic systems, which are broken when either the encrypted message is revealed or the encryption system is unravelled: a watermarking algorithm is broken when an attacker detects that a watermark has been inserted, and can alter or remove the watermark. A watermarking algorithm is also considered broken even if a watermark cannot be removed but can be reproduced in another document, casting doubt as to its authenticity in the original document. As in cryptography, Kerckhoffs’s Principle must hold for watermarking algorithms as well. That is, the security of a system should not rely on the secrecy of the algorithm but on the secrecy of the key.

3.1.1 Watermarking Categories

Watermarking methods fall under three categories: non-blind (or private), semi-blind,

and blind (or public) systems. In non-blind systems, in addition to the marked copy,

the original or a copy of the original cover work and all secret keys are required to

extract an embedded watermark. This extracted watermark is then compared against

the original watermark. In semi-blind systems, the watermark and all secret keys

are needed to extract this watermark or detect whether this particular watermark is

present in a watermarked cover work. In blind systems, only the keys are required.

Blind watermark detection systems have the advantage that they are more secure and

easier to use, since only the key is required for detection, and more importantly can

be placed in the public domain for use. However, there are difficult trade-off issues

between capacity and cover work interference. Put simply, there is only a certain

amount of information that can be embedded before the presence of the watermark

causes significant changes to the cover work. This is known as the maximum capacity

of a watermarking scheme. It will be discussed further in § 3.3.1.

Non-blind watermarking systems have the advantage that there is full knowledge

of the watermark available for collaboration. However, such a system will have to

be kept essentially secret, which means it does not follow Kerckhoffs’s Principle, and

hence its usability as well as its security is reduced.

The remaining option is then a semi-blind system, with a combination of blind and

non-blind properties.

3.1.2 Spread Spectrum Watermarking

Spread spectrum watermarking is based on spread spectrum communication. The

idea is to spread a watermark over a transformed message or cover work. One fre-

quently used spread spectrum system was created by Cox et al., known as Cox’s

algorithm (Cox et al. 1995). In the algorithm, Cox et al. used the discrete cosine transform (DCT) to stretch the cover work. However, the discrete wavelet transform (DWT) or any stretching function will do as well.

Definition 3.1.1 2D Discrete Cosine Transform (DCT):

$$V(i, j) = c(i)\,c(j) \sum_{x=0}^{n_1-1} \sum_{y=0}^{n_2-1} M(x, y) \cos\left[\frac{\pi i}{2n_1}(2x + 1)\right] \cos\left[\frac{\pi j}{2n_2}(2y + 1)\right] \tag{3.1}$$

where M is the amplitude at image coordinate (x, y), n1 and n2 are the dimensions of the image, and $c(k) = \sqrt{2/n}$ with $c(0) = \sqrt{1/n}$.

Definition 3.1.2 2D Inverse Discrete Cosine Transform (IDCT):

$$M(x, y) = \sum_{i=0}^{n_1-1} \sum_{j=0}^{n_2-1} c(i)\,c(j)\,V(i, j) \cos\left[\frac{\pi i}{2n_1}(2x + 1)\right] \cos\left[\frac{\pi j}{2n_2}(2y + 1)\right] \tag{3.2}$$

where conversely V is the value of the DCT at coordinate (i, j), n1 and n2 are the dimensions of the image, and $c(k) = \sqrt{2/n}$ with $c(0) = \sqrt{1/n}$.

In Cox’s algorithm, a factor known as the strength of the watermark, α, is used to

adjust the amount of impact the watermark will have on the cover work. Ideally, α

should be adaptable rather than a single value used throughout as below. Embedding

is then achieved through one of the following three equations:

1. $V' = V + \alpha W$

2. $V' = V(1 + \alpha W)$

3. $V' = V e^{\alpha W}$

where V is the transformed cover work and V′ is the corresponding transformed

cover work after watermarking. To detect the watermark, the process is reversed

given V′ and V (pg. 6 of (Cox et al. 1995)), and the watermark extracted for com-

parison to a set of watermarks. Hence Cox’s watermarking algorithm is a non-blind

system.

Table 3.1. Summary of Cox’s watermarking algorithm

Setup:

• Choose cover work, M, of size n1 × n2.

• Choose random watermark vector, W, of length 1000 ≤ l ≪ n1n2.

• Choose appropriate watermark strength, α, so that watermark remains hidden.

Insertion steps:

1. Discrete cosine transform (DCT) the cover work, V = dct(M).

2. Find the l largest DCT values and embed the watermark, e.g. for i = 1 to l, V′max,i = idct(Vmax,i(1 + αWi)).

3. Insert altered l largest values back into V and perform inverse DCT, M′ = idct(V′).

Detection steps:

1. Extract watermark by reversing insertion process.

2. Compare statistically to set of watermarks for match. (See 3.3.5.)
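The steps of Table 3.1 run end to end on a small constructed image, as an added example that is not code from the thesis or from Cox et al.: it uses the DCT normalisation of Definition 3.1.1, embedding rule 2, non-blind extraction against the original, and a check that the owner's watermark still stands out after noise and 8-bit requantisation. The 16×16 test image, the scaled-down length l = 64, skipping the DC coefficient, the normalised-correlation similarity measure and all function names are assumptions of this example.

```python
import math
import random

def dct_matrix(n):
    """1D DCT basis with c(0) = sqrt(1/n), c(k) = sqrt(2/n), as in Definition 3.1.1."""
    return [[math.sqrt((1 if i == 0 else 2) / n)
             * math.cos(math.pi * i * (2 * x + 1) / (2 * n)) for x in range(n)]
            for i in range(n)]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]

def transpose(a):
    return [list(row) for row in zip(*a)]

def dct2(m):
    """Equation (3.1), computed separably: V = C1 M C2^T."""
    return matmul(matmul(dct_matrix(len(m)), m), transpose(dct_matrix(len(m[0]))))

def idct2(v):
    """Equation (3.2): M = C1^T V C2 (the basis is orthonormal)."""
    return matmul(matmul(transpose(dct_matrix(len(v))), v), dct_matrix(len(v[0])))

def largest_positions(v, l):
    """Positions of the l largest-magnitude coefficients; the DC term is skipped (assumption)."""
    pos = [(i, j) for i in range(len(v)) for j in range(len(v[0])) if (i, j) != (0, 0)]
    return sorted(pos, key=lambda p: -abs(v[p[0]][p[1]]))[:l]

def embed(cover, watermark, alpha):
    """Insertion steps of Table 3.1 with rule 2: V' = V(1 + alpha*W)."""
    v = dct2(cover)
    for (i, j), w in zip(largest_positions(v, len(watermark)), watermark):
        v[i][j] *= 1 + alpha * w
    return idct2(v)

def extract(original, suspect, l, alpha):
    """Non-blind extraction: reverse rule 2 using the original cover work."""
    v, vs = dct2(original), dct2(suspect)
    return [(vs[i][j] / v[i][j] - 1) / alpha for i, j in largest_positions(v, l)]

def similarity(w, w_star):
    """Normalised correlation sim = (W* . W) / sqrt(W* . W*) (assumed detector statistic)."""
    norm = math.sqrt(sum(b * b for b in w_star))
    return sum(a * b for a, b in zip(w, w_star)) / norm if norm else 0.0

def requantise(image, rng, noise=2.0):
    """Constructed 'common signal processing' step: additive noise, then 8-bit rounding."""
    return [[float(min(255, max(0, round(p + rng.uniform(-noise, noise))))) for p in row]
            for row in image]

def make_cover(n, rng):
    """Constructed textured test image (not data from the thesis)."""
    return [[128 + 40 * math.sin(x / 3) + 30 * math.cos(y / 2) + rng.uniform(-35, 35)
             for y in range(n)] for x in range(n)]

def run_demo(seed=7, n=16, l=64, alpha=0.1):
    rng = random.Random(seed)
    cover = make_cover(n, rng)
    owner_mark = [rng.gauss(0, 1) for _ in range(l)]
    decoys = [[rng.gauss(0, 1) for _ in range(l)] for _ in range(50)]
    marked = embed(cover, owner_mark, alpha)
    recovered = extract(cover, requantise(marked, rng), l, alpha)
    unmarked = extract(cover, requantise(cover, rng), l, alpha)
    return {
        "clean": similarity(owner_mark, extract(cover, marked, l, alpha)),
        "processed": similarity(owner_mark, recovered),
        "best_decoy": max(similarity(d, recovered) for d in decoys),
        "unmarked": similarity(owner_mark, unmarked),
        "max_pixel_change": max(abs(a - b) for ra, rb in zip(cover, marked)
                                for a, b in zip(ra, rb)),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:>16}: {value:.2f}")
```

The "processed" score staying well above both "best_decoy" and "unmarked" is what lets a detector attribute the copy to one registered watermark rather than another.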

3.1.3 Attacks and Defenses

This section details the attacks listed in Section 1.3, and also briefly describes how past watermark designers have attempted to prevent and defend against these attacks.

Common Signal Processing

Common signal processing procedures can be operations such as digital-to-analog

conversion, analog-to-digital conversion, resampling, requantisation and signal en-

hancements commonly applied to video.

It was found that a technique that uses the same principle as spread spectrum ra-

dio communication is robust to these operations (Cox et al. 1995). Spread spectrum

communication distributes a signal with a small bandwidth across a much larger

bandwidth, resulting in a stretched-out, white-noise-like signal. Hence the signal is

undetectable (Meel 1999).

For watermarking, the watermark is the signal with the smaller bandwidth. The

watermark is usually repeated several times throughout the video data, which is

analogous to the larger bandwidth. The watermark can be placed in either the spatial

or the spectral domain of the cover work such as described in (Chouinard et al. 1999,

George et al. 1999). Particular to video, it can also be placed in the MPEG-2 bitstream

as described in (Girod and Hartung 1998).

Another common signal processing procedure is high frequency filtering. This pro-

cedure is commonly used to remove the perceptually insignificant components for

better compression. This means that any watermark must be embedded in the per-

ceptually significant components, but this may noticeably distort the cover work.

Hence, care must be taken in the embedding of the watermark.

Common Geometric Distortions

Common geometric distortions can be operations such as rotation, translation, crop-

ping and scaling. Malicious geometric distortions can be the simple moving of the

corners of an image by an insignificant amount. However, spread spectrum water-

marks, described in the previous section (§ 3.1.3), are again robust to these distortions.

Another technique used in watermarking is the use of reference symbols commonly

used in video motion compensation. Particular pixels are chosen as reference sym-

bols. After undergoing distortion, the reference symbols are re-located and the amount

of distortion can be calculated by comparison with the original picture, and compen-

sated for. This technique consumes a great deal of memory, however, and is not fea-

sible for large distortions, as incorrect reference-matching may occur. This method

also has limited use as it requires knowledge of the original picture. These types of

methods are known as non-blind methods.

In (Dugelay and Petitcolas 2000), the authors discuss a blind method known as resyn-

chronisation. Particular pixels in the watermark are preset to known values so that

they may be used as the reference points. However, this method means most of the

watermark will be set apart for resynchronisation, reducing the amount of useful in-

formation present in the watermark. This approach was deemed too computationally

expensive to be useful.

This led to a self-referencing technique (Kutter 1998), the idea of which was to re-

peat the watermark throughout a cover work, such that the copies of the watermark

overlapped by a fixed amount, thus making the watermark itself a calibration signal.

However, detecting the watermark can become computationally expensive.

Another technique, known as the block based (Girod et al. 1999, Dugelay and Petitcolas

2000) approach to watermark detection, was also considered. This work considered

the idea that although geometric distortions can be quite severe when considering an

image as a whole, since the resulting image needed to be visually aesthetic, a small

section of the image cannot contain large geometric distortions. Hence the distor-

tion can be estimated, block by block, and compensated. However, this technique

becomes computationally expensive as the size of the blocks decreases.

Specialised Attacks

Two specialised attacks we will be discussing are the jitter attack and the mosaic attack.

Specialised attacks are not necessarily malicious operations. They can have innocu-

ous applications, but function in such a way as to have disastrous consequences upon

watermarked objects.

Jitter is a timing fluctuation in a signal (Anderson et al. 1998a). In audio, it can be

caused by tools used to change the length of musical tracks, such as those used nor-

mally by radio DJs. In digital images, this could be caused in the process of repairing

a damaged image by deleting or replicating pixels. These fluctuations are usually

imperceptible to the human ears and eyes; however, jitter attacks are particularly

effective against spread spectrum signals and watermarks. This is because spread

spectrum techniques require synchronisation with the chiprate that is used to spread

a signal. Due to the usefulness of spread spectrum techniques in their resilience to

amplitude distortions and noise additions, ways have been formed to compensate

for this weakness, as described in (Chouinard et al. 1999) and (George et al. 1999).

The mosaic attack is a process in which an image or video frame is taken and seg-

mented into, for example, six pieces (Anderson et al. 1998a). The picture can then be

reassembled and displayed as six different images placed in their correct order. The

watermark cannot then be detected as it has been broken. The image can be broken

into as many pieces as necessary to prevent the watermark from being detected. This

attack occurs more commonly with images than in videos as there are usually far too

many image frames to be broken and recombined with any ease or speed. There is

no known defense against this attack. It may be necessary to place the watermark in

every frame of a video, in different locations, but this has complications of its own,

as we will see in § 3.1.3.

Subterfuge Attacks

Subterfuge attacks are malicious processes deliberately aimed at discovering and

hence destroying watermarks, as is the case with collusion, or with the intent of plac-

ing blame on another, as is the case with forgery.

In collusion, assume an attacker has many copies of a cover work. Each cover work

contains a different watermark, or a set of different watermarks, embedded. Collu-

sion occurs when the attacker is able to discover the watermarking method by com-

paring these copies.

There are two possible defenses against collusion. The first is to make each water-

marked copy uniquely different from every other so that an attacker cannot deter-

mine which components comprise the watermark (Boneh and Shaw 1996). The sec-

ond is to make each copy indistinguishable from another copy, such that an attacker

cannot discern the difference between any number of copies with different water-

marks. We will also be taking the original unmarked cover work into considera-

tion as another copy. Thus possessing the unmarked cover work should not indicate

whether another copy does or does not have a watermark present.

Forgery occurs when an attacker knows enough about the watermarking process to

plant someone else’s watermark onto an illegally distributed cover work. For in-

stance, an attacker may wish to incriminate a rival. A method of preventing this may

be to incorporate time-stamping into the process and have a neutral third party

keep a database on registered watermarks. Then if a watermark with an incorrect

time-stamp is discovered, the implicated person can be absolved.

There are issues with time-stamping, however, such as the issue of whose time to use. If the time for the stamping came from the PC which was embedding the watermark, the time can be tampered with. A way to prevent this could possibly be to place the responsibility of embedding the watermark, including the time-stamping, on the neutral third party. This may place more burden upon the third party than we desire.

Whichever method is employed, the end result is that it should be very difficult for any of the watermarks to be forged, even with knowledge of the embedding key.

Video-Specific Attacks

Additional care needs to be taken when watermarking video images. Watermarking video is significantly different from watermarking still images, as video is subject to an additional range of special attacks. This is due to the characteristics of video such as the property of inter-frames and intra-frames, which leads to attacks such as frame shuffling, frame insertion, frame removal and inter-frame collusion.

Similar or identical watermarks cannot be embedded in successive frames because the high correlation between the frames can lead to the detection and removal of the watermarks. However, the watermarks also cannot be completely different, as they can still be uncovered and erased by identifying the differences between similar frames.

This trade-off between watermarking every frame differently versus similarly is addressed in (Wolfgang et al. 1999). The authors proposed two techniques particular to video. One approach, called the Image-Adaptive Discrete Cosine Transform (IA-DCT) Technique for video, is to embed the watermark within the motion vectors of an MPEG compressed bitstream. This may produce artifacts, but the authors also proposed a method to remove these. The other approach is to take blocks of pixels. This method is quite lengthy to explain and is better described in (Girod and Hartung 1998).

StirMark

StirMark is a benchmark for fair watermark evaluation. In 1997, Fabien Petitcolas, Ross J. Anderson and Markus G. Kuhn created the first version of StirMark, allowing for simple geometric distortion attacks on watermarking systems. In 1999, it was released as a benchmarking tool for the quick evaluation of watermarking libraries (Anderson et al. 1998b, Petitcolas 2000). The benchmark is freely available from Petitcolas’ website http://www.petitcolas.net/fabien/watermarking/stirmark/.

3.2 Public Key Cryptography

Cryptography began, as did watermarking, in a situation where the sender and receiver are both explicitly trusted. Hence, both used the same keys for encryption as well as decryption. However, an immediately obvious problem then arises. How can the keys be shared? One party would select the key(s), but how do they tell the other party what key(s) they have selected if they are unable to meet face to face? This problem was known as the key exchange or distribution problem, which will not be discussed in this thesis.


This problem brought about much research until the idea of using separate keys for encryption and decryption was realized. The encryption key(s) could be published to the world in general, allowing anyone to encrypt a document for the holder of the secret decryption key(s) to decipher. Such a system is known as a public key cryptosystem (PKC). It is also known as an asymmetric cryptosystem, as the method for decryption is different to that of encryption.

A cryptosystem is deemed broken when an attacker can uncover the encrypted message without knowing the decryption key. As with watermarking, Kerckhoffs’ principle should hold for the security of any cryptosystem. During the course of this project, we looked at several public key cryptography algorithms. These include RSA, ElGamal, Rabin, elliptic curve-based cryptosystems, and matrix-based cryptosystems such as McEliece.

3.2.1 RSA Cryptosystem

RSA encryption, created by Ron Rivest, Adi Shamir and Leonard Adleman, is based on modulo arithmetic and relies on the difficulty of factorising large numbers (Rivest et al. 1978).

In RSA, to set up, Bob needs to pick two large prime numbers, $p$ and $q$, that are not too close in value (typically $q < p < 2q$), or Fermat’s integer factorisation algorithm can be used to break the system (McKee 1999). Bob must then find $n = pq$ and $\phi = (p-1)(q-1)$. Then Bob will need to find an integer $e$ in $\mathbb{Z}_\phi \setminus \{0\}$ which is coprime, or relatively prime, to $\phi$, i.e. $\gcd(e, \phi) = 1$, and compute $d$ such that $ed \equiv 1 \pmod{\phi}$. The encryption and decryption exponents, $e$ and $d$, can be found using the Extended Euclidean Algorithm, which finds the greatest common divisor between two numbers $a$ and $b$, denoted $\gcd(a, b)$ or $(a, b)$, as well as $x$ and $y$, such that $(a, b) = ax + by$. The decryption exponent, $d$, must also be fairly large (e.g. $d > n^{1/4}/3$) or Wiener’s attack (Wiener 1990) could be used.

Theorem 3.2.1 (Extended Euclidean Algorithm) Let $a$ and $b$ be positive integers. Define

$a[0] = a$, $a[1] = b$,

$q[i] = \mathrm{Floor}(a[i-1]/a[i])$ for $i > 0$,

$a[i] = a[i-2] - a[i-1]\,q[i-1]$ for $i > 1$.

Suppose that $a[n]$ is the last nonzero $a[i]$. Define $y[n] = 0$ and $y[n-1] = 1$. Then taking $i$ equal to the numbers from $n-2$ down to 1 in that order, define

$y[i-1] = q[i]\,y[i] + y[i+1]$.

Then

$a[n] = (a, b) = (-1)^{n}\,y[1]\,a + (-1)^{n+1}\,y[0]\,b$.

Bob’s public information is $(n, e)$, and his private information is $(\phi, d)$. To encrypt, Alice first obtains Bob’s public information. With the message element, $m$, she calculates

$$c = m^e \pmod{n},$$

and sends $c$ to Bob. On receiving $c$, to decrypt Bob computes

$$m = c^d \pmod{n}.$$

The summary of the RSA cryptosystem is given in Table 3.2.

This works because $c^d = (m^e)^d = m^{ed}$, and $ed \equiv 1 \pmod{p-1}$ and $ed \equiv 1 \pmod{q-1}$ (this is derived from Fermat’s Little Theorem).

Theorem 3.2.2 (Fermat’s Little Theorem) Let $p$ be a prime which does not divide the integer $a$, then $a^{p-1} \equiv 1 \pmod{p}$.
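The RSA setup, encryption and decryption described above, together with the two parameter conditions the section names (primes not too close, and $d > n^{1/4}/3$), as an added Python example that is not part of the thesis. The function names, the toy primes and the `min_fermat_steps` threshold are assumptions chosen for illustration.

```python
# Added example, not code from the thesis: textbook RSA with toy primes.
# There is no padding here; the block is for studying the arithmetic only.
from math import isqrt


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with g = gcd(a, b) = a*x + b*y."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b = b, a - q * b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def rsa_keygen(p, q, e):
    """Bob's setup: return public (n, e) and private (phi, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, x, _ = egcd(e, phi)
    if not 1 < e < phi or g != 1:
        raise ValueError("need 1 < e < phi with gcd(e, phi) = 1")
    return (n, e), (phi, x % phi)


def encrypt(m, n, e):
    if not 0 <= m < n:
        raise ValueError("message must lie in [0, n)")
    return pow(m, e, n)          # c = m^e mod n


def decrypt(c, n, d):
    return pow(c, d, n)          # m = c^d mod n


def fermat_steps(p, q):
    """Iterations Fermat's method needs to split n = p*q (1 = found at once)."""
    n = p * q
    start = isqrt(n)
    if start * start < n:
        start += 1               # ceil(sqrt(n)), where the search begins
    return (p + q) // 2 - start + 1


def audit_key(p, q, d, min_fermat_steps):
    """Report the parameter weaknesses Section 3.2.1 warns about.

    min_fermat_steps is an illustrative threshold (an assumption); at real
    key sizes the required distance between p and q is astronomically larger.
    """
    n = p * q
    lo, hi = sorted((p, q))
    findings = []
    if not lo < hi < 2 * lo:
        findings.append("unbalanced primes: q < p < 2q does not hold")
    if fermat_steps(p, q) < min_fermat_steps:
        findings.append("primes too close: Fermat factorisation is cheap")
    if (3 * d) ** 4 <= n:        # same condition as d <= n^(1/4) / 3
        findings.append("d too small: within Wiener's bound")
    return findings


if __name__ == "__main__":
    (n, e), (phi, d) = rsa_keygen(1009, 1999, 65537)   # constructed toy key
    c = encrypt(4711, n, e)
    print("n, e, d:", n, e, d, "| c:", c, "| m:", decrypt(c, n, d))
    print("audit:", audit_key(1009, 1999, d, min_fermat_steps=50))
    print("close primes:", audit_key(1009, 1013, d, min_fermat_steps=50))
```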

3.2.2 ElGamal Cryptosystem

The ElGamal algorithm was created by Taher ElGamal and is based on modulo arithmetic, relying on the difficulty of solving the discrete logarithm problem for security (ElGamal 1985). The ElGamal algorithm is also used for signature and authentication schemes.

To set up, Bob picks a large prime number, $p$, and a random number, $g \in F_p$. Then Bob picks another random number, $k_B \in F_p \setminus \{0\}$, and calculates $y = g^{k_B} \pmod{p}$. He makes public $(y, g, p)$ and keeps private $k_B$.


Table 3.2. Summary of RSA algorithm

Bob’s setup:
1. Choose 2 large prime numbers, $p$ and $q$.
2. Compute $n = pq$ and $\phi = (p-1)(q-1)$.
3. Find $1 < e < \phi$ such that $(e, \phi) = 1$.
4. Compute $d$ such that $ed \equiv 1 \pmod{\phi}$.
5. Make public $(n, e)$ and keep private $(\phi, d)$.

Alice’s encryption steps:
1. Obtain message, $m \in F_n$.
2. Compute $c = m^e \pmod{n}$.
3. Send $c$ to Bob.

Bob’s decryption steps:
1. Receive ciphertext, $c$.
2. Compute message, $m = c^d \pmod{n}$.

The summary of the ElGamal cryptosystem is given in Table 3.3.

Alice obtains Bob’s public information, and with the message, $m$, and a random number, $k_A \in F_p$, computes $c_1 = g^{k_A} \pmod{p}$ and $c_2 = m \cdot y^{k_A}$. She sends $(c_1, c_2)$ to Bob.

Bob decrypts by taking the received values and calculating $m = c_2 / c_1^{k_B} \pmod{p}$. This works because $c_1^{k_B} = (g^{k_A})^{k_B} = (g^{k_B})^{k_A} = y^{k_A}$. Then $c_2 / c_1^{k_B} = m \cdot y^{k_A} / y^{k_A} = m$.

3.2.3 Rabin Cryptosystem

The Rabin cryptosystem was developed by Michael Rabin (Rabin 1979), and like RSA, the security of the algorithm is based on the difficulty of factorising large numbers. Breaking the Rabin cryptosystem is provably as hard as integer factorisation, while RSA is only believed to be as difficult. This cryptosystem has the disadvantage that a message, $m$, encrypted to the ciphertext, $c$, has four possible answers and the answer, which is only one of these values, must be correctly deduced.

To set up, Bob picks two large primes, $p$ and $q$, such that they fulfill the requirement: $p \equiv q \equiv 3 \pmod{4}$. This is so later decryption will be easier. Bob calculates $n = pq$, which becomes the public key, and he keeps $p$ and $q$ secret.


Table 3.3. Summary of ElGamal algorithm

Bob’s setup:
1. Choose a large prime number, $p$.
2. Choose a generator, $g$, in $F_p$, such that for all $n$, there exists a $k$ with $n = g^k \pmod{p}$.
3. Choose an integer, $k_B$, between 1 and $p - 1$ to be Bob’s private key.
4. Compute $y = g^{k_B} \pmod{p}$.
5. Make public $(p, g, y)$ and keep private $k_B$.

Alice’s encryption steps:
1. Obtain message, $m \in F_p$.
2. Choose an integer, $k_A \in F_p$, such that $\gcd(k_A, p) = 1$.
3. Compute $c_1 = g^{k_A} \pmod{p}$ and $c_2 = m\,y^{k_A} \pmod{p}$.
4. Send ciphertext $c = (c_1, c_2)$ to Bob.

Bob’s decryption steps:
1. Receive ciphertext, $c = (c_1, c_2)$.
2. Compute message, $m = c_2 / c_1^{k_B} \pmod{p}$.

Check:

$$c_2 / c_1^{k_B} \pmod{p} = m\,y^{k_A}\,((g^{k_A})^{k_B})^{-1} \pmod{p}$$
$$= m\,g^{k_A k_B}\,(g^{k_A k_B})^{-1} \pmod{p}$$
$$= m.$$

To encrypt a message $m$, Alice computes $c = m^2 \pmod{n}$ and sends this to Bob. Bob then calculates $m_p = c^{(p+1)/4} \pmod{p}$ and $m_q = c^{(q+1)/4} \pmod{q}$. Using the Extended Euclidean Algorithm (Theorem 3.2.1), Bob also finds $a$ and $b$ such that $ap + bq = 1 \pmod{n}$. Then Bob computes $x = apm_q + bqm_p \pmod{n}$ and $y = apm_q - bqm_p \pmod{n}$, acquiring the four answers $(m_1, m_2, m_3, m_4) = (x, -x \pmod{n}, y, -y \pmod{n})$. Note that sometimes there are two results instead of four, occurring when the message is divisible by $p$ or $q$.

The correct answer can be obtained with the introduction of redundancy in the message, either by replication of the last 64-bits or more of the message, or by padding the last 64-bits with zeros. Only one of the four answers will then have this redundancy.

The summary of the Rabin cryptosystem is given in Table 3.4.


Table 3.4. Summary of Rabin algorithm

Bob’s setup:
1. Choose 2 large prime numbers, $p$ and $q$, such that $p \equiv q \equiv 3 \pmod{4}$.
2. Find $n = pq$.
5. Make public $n$ and keep private $(p, q)$.

Alice’s encryption steps:
1. Obtain message, $0 < m < n$.
2. Set redundancy by repeating last n-bits, $m' = [m, m(\mathrm{length}(m) - n + 1 \dots \mathrm{length}(m))]$.
3. Compute $c = m^2 \pmod{n}$.
4. Send $c$ to Bob.

Bob’s decryption steps:
1. Receive $c$.
2. Find $a$ and $b$, such that $ap + bq = 1$ using Theorem 3.2.1.
3. Compute $m_p = c^{(p+1)/4} \pmod{p}$ and $m_q = c^{(q+1)/4} \pmod{q}$.
4. Compute $x = apm_q + bqm_p \pmod{n}$ and $y = apm_q - bqm_p \pmod{n}$.
5. Compute message possibles, $M = [x, -x, y, -y] \pmod{n}$.
6. Find the real message by looking for the repeat in the last n-bits.
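The Rabin decryption steps above, including the four candidate roots and the redundancy check that selects the real message, as an added Python example that is not part of the thesis. The function names, the two Mersenne primes used as a toy key, and the 32-bit redundancy length (the text suggests 64 bits or more) are assumptions.

```python
# Added example, not code from the thesis: Rabin encryption with redundancy.
# Toy key: two Mersenne primes, both congruent to 3 mod 4. Requires Python 3.8+.
RED_BITS = 32  # assumption: shortened from the 64 bits suggested in the text


def rabin_keygen(p, q):
    """Return the public modulus n; (p, q) stay private."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("need p = q = 3 (mod 4) for the easy square roots")
    return p * q


def add_redundancy(m, bits=RED_BITS):
    """Append a copy of the last `bits` bits of m."""
    return (m << bits) | (m & ((1 << bits) - 1))


def has_redundancy(v, bits=RED_BITS):
    mask = (1 << bits) - 1
    return (v & mask) == ((v >> bits) & mask)


def encrypt(m, n, bits=RED_BITS):
    m_red = add_redundancy(m, bits)
    if not 0 < m_red < n:
        raise ValueError("message with redundancy must lie in (0, n)")
    return pow(m_red, 2, n)                      # c = m'^2 mod n


def roots(c, p, q):
    """The candidate plaintexts [x, -x, y, -y] mod n for ciphertext c."""
    n = p * q
    mp = pow(c, (p + 1) // 4, p)                 # square root of c mod p
    mq = pow(c, (q + 1) // 4, q)                 # square root of c mod q
    a = pow(p, -1, q)                            # a*p = 1 (mod q)
    b = (1 - a * p) // q                         # exact, so a*p + b*q = 1
    x = (a * p * mq + b * q * mp) % n
    y = (a * p * mq - b * q * mp) % n
    return [x, -x % n, y, -y % n]


def decrypt(c, p, q, bits=RED_BITS):
    """Pick the one root that carries the redundancy; fail if none or several do."""
    candidates = {r for r in roots(c, p, q) if has_redundancy(r, bits)}
    if len(candidates) != 1:
        raise ValueError("no unique root with valid redundancy")
    return candidates.pop() >> bits


if __name__ == "__main__":
    p, q = 2**31 - 1, 2**61 - 1                  # constructed toy key
    n = rabin_keygen(p, q)
    m = int.from_bytes(b"wm-4711", "big")        # constructed sample message
    c = encrypt(m, n)
    for r in roots(c, p, q):
        print(hex(r), "<- redundancy ok" if has_redundancy(r) else "")
    print(decrypt(c, p, q).to_bytes(7, "big"))
```

Rejecting ciphertexts for which no root, or more than one root, carries the redundancy keeps the decryptor from silently returning one of the wrong square roots.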

3.2.4 Elliptic Curve Cryptography

Elliptic curves (EC) have been studied for many years, but only relatively recently, in 1985, have they been considered for use in cryptography. As of 2005, EC cryptography became a recommended algorithm for the U.S. National Security Agency’s Suite B set of algorithms for unclassified and most classified information (National Security Agency 2005).

ECs form the basis of several public key cryptosystems. Two such cryptosystems are the ElGamal-type elliptic curve cryptosystem and the Menezes-Vanstone elliptic curve cryptosystem, which we will detail further in the subsection. To break these cryptosystems, a problem called the elliptic curve discrete logarithm problem must be solved. We will see later that this leads to shorter required key lengths for security. This is advantageous as key lengths become increasingly long to compensate for advances in technology and mathematics, making the storing of keys a problem. However, implementation of the cryptosystem must then take into account attacks, some of which rely on short keys (Schoof 1995, Araki et al. 1998, Wiener and Zuccherato 1999, Gaudry 2000, Okeya and Sakurai 2000).

General cubic ECs of characteristic $\neq 2, 3$ have the equation: $y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$. Then the set of points $(x, y)$, together with a point at infinity, $O$, form an elliptic curve, uniquely identifiable by the values of $(a_1, a_2, a_3, a_4, a_6)$. For continuous ECs, these parameters can take any value. However, to be useful for encryption, these will need to take discrete values from within a finite field, $F = GF(p)$, that is, $a_i \in F$, for $i = 1, \dots, 6$.

Definition 3.2.1 $E = \{(x, y) \in \bar{F}^2 \mid y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6\} \cup \{O\}$, where $\bar{F}$ is the algebraic closure of a finite field $F$, and $O$ is defined as $P + O = O + P = P$.

The discriminant of a curve is then given by:

$$\Delta = -b_2^2 b_8 - 8b_4^3 - 27b_6^2 + 9b_2b_4b_6 \qquad (3.3)$$

where

$$b_2 = a_1^2 + 4a_2,$$
$$b_4 = a_1a_3 + 2a_4,$$
$$b_6 = a_3^2 + 4a_6,$$
$$b_8 = a_1^2a_6 + 4a_2a_6 - a_1a_3a_4 + a_2a_3^2 - a_4^2.$$

If the discriminant $\Delta \neq 0$, then the curve is non-singular.

The most important property of elliptic curves is the law:

$$+ : E \times E \to E.$$

Basically, the “addition” of two points on an elliptic curve results in another point on the same elliptic curve.

Other properties of the addition on elliptic curves include:

• Commutative: P + Q = Q + P

• Associative: (P + Q) + R = P + (Q + R)

• Identity: P + O = O + P = P

• Inverse: P + (−P) = −P + P = O


Figure 3.4. Point addition of two unequal points in a real field.

Point Addition

As mentioned above, two points on an EC can be “added” together resulting in a third point on the same curve. Point addition works geometrically by picking two points, $P$ and $Q$, on a curve. Then a line is drawn through the two points, and if this line intersects the curve again, this intersection point, $-R$, is the negative of the result of “adding” $P$ and $Q$. Figure 3.4 shows a diagrammatical example.

Algebraically, where $P = (x_P, y_P)$, $Q = (x_Q, y_Q)$, if $x_P \neq x_Q$, that is $P \neq Q$, and $R = P + Q = (x_R, -y_R)$, the slope of the line between $P$ and $Q$ is $s = \frac{y_P - y_Q}{x_P - x_Q}$, and

$$x_R = s^2 - x_P - x_Q, \qquad y_R = y_P + s(x_R - x_P). \qquad (3.4)$$

If $x_P = x_Q$, $Q$ could be the reflection of $P$ on the x-axis as in Figure 3.5, i.e. $y_P = -y_Q$ or $Q = -P$. Then the result of “addition” is a point at infinity, $O$.


If $x_P = x_Q$ but $y_P = y_Q \neq 0$, so $Q = P$, then $R = P + P = 2P = (x_R, -y_R)$ and the process is called doubling the point. In this case, the result is found by drawing a tangent to the curve at $P$. If the tangent intersects the curve, then the result is a distinct point $R$, as in Figure 3.6.

Algebraically, the equations of the general form are

$$s = \frac{3x_P^2 + 2a_2x_P + a_4 - a_1y_P}{2y_P + a_1x_P + a_3},$$

$$x_R = s^2 + a_1s - a_2 - 2x_P, \text{ and}$$

$$y_R = (s + a_1)x_R + a_3 + \frac{-x_P^3 + a_4x_P + 2a_6 - a_3y_P}{2y_P + a_1x_P + a_3},$$

where $s$ here is now the slope of the tangent to the curve at $P$.

If $\mathrm{char}(F) \neq 2, 3$ the above simplifies to

$$s = \frac{3x_P^2 + a_4}{2y_P},$$

$$x_R = s^2 - 2x_P, \text{ and}$$

$$y_R = sx_R + \frac{-x_P^3 + a_4x_P + 2a_6}{2y_P}.$$

Point Multiplication

Point multiplication results from adding the point to itself multiple times. That is,

$$\overbrace{P + P + P + \dots + P}^{k \text{ multiples}} = [k]P.$$

Equation (3.4) still applies, but is repeated $k$ times. The difficulty of reversing modulo point multiplication, known as the elliptic curve discrete logarithm problem, forms the basis of elliptic curve cryptography. Given the points $[k]P$ and $P$, supposing that $k$ is large enough to prevent an easy exhaustive computation of $[k]P$ for all possible values of $k$, this problem is considered to be harder than normal discrete logarithm problems, and much harder than the factorization problem as in RSA. Hence key lengths in elliptic curve cryptosystems are considerably shorter.

Prime Fields

In cryptography, when working with finite prime fields, i.e. $p$ is prime in the field $F = GF(p)$, the EC equation can be more suitably simplified to

$$y^2 = x^3 + ax + b \qquad (3.5)$$

where $a, b \in F_p$. Then the discriminant can also be simplified, to

$$\Delta = -16(4a^3 + 27b^2).$$

Addition in the field is then done modulo $p$.

Figure 3.5. Point addition of a point and its reflection in a real field.

Binary Field

Also in cryptography, elliptic curves may be defined over a binary field, $GF(2^n)$, i.e. a field of characteristic 2. Then the EC equation is

$$y^2 + xy = x^3 + 1$$

or

$$y^2 + xy = x^3 + x^2 + 1.$$

Addition in the field will then obviously be modulo 2.


Figure 3.6. Point doubling in a real field.

Counting Points

Each elliptic curve, $E$, in finite field, $F_q$, where $q = p$ for some large prime $p$ or $q = 2^m$ for some large integer $m$, has an associated number of points on the curve, $\#E$ or $|E(F_q)|$, also known as the order of the field, plus a point at infinity, $O$.

The number of points on an elliptic curve is needed to determine the range of values cryptographic keys can take. It also determines the maximum number of times a point can be doubled before it returns to its original position. In addition, it is also the method by which cryptosystems based on elliptic curves can be broken, and as such is important for cryptanalysts.

There are many ways to determine the bounds on the number of points, but an accurate method for finding the number of points on a curve in a finite field is still under research. Hence only computational methods for finding these bounds will be listed plus a brief discussion on the methods.


The methods are:

Schoof’s algorithm (Schoof 1985) is generally known to be the first study into $\#E$ and paved the way for other techniques; it runs in polynomial time but is difficult to implement;

Shanks’ Baby Step–Giant Step (Shanks 1971) is similar to Schoof’s algorithm, but for extremely large primes, and is applicable for all finite cyclic fields;

Hasse’s theorem on elliptic curves (Silverman and Tate 1992), also known as the Hasse-Weil Conjecture, gives that the number of points is close to the size of the finite field;

Theorem 3.2.3 (Hasse’s theorem on elliptic curves) Let $N$ be the number of points on the elliptic curve $E$ over a finite field with $q$ elements, then

$$|N - (q + 1)| \le 2\sqrt{q}$$

or put another way,

$$(\sqrt{q} - 1)^2 \le N \le (\sqrt{q} + 1)^2.$$

Schoof-Elkies-Atkin (SEA) algorithm (Atkin 1992), Atkin’s extension to Elkies’ algorithm, which is itself an extension of Schoof’s, is a sort-and-match method for large finite fields; and

Couveignes’s algorithm (Couveignes 1994) is a method for counting points for fields of small characteristic.

ElGamal-type Elliptic Curve Cryptosystem

The ElGamal-type elliptic curve cryptosystem is based on the ElGamal cryptosystem (ElGamal 1985). The ElGamal-type cryptosystems rely on the difficulty of solving discrete logarithms. For example, given that

$$a^x \equiv y \bmod n$$

find

$$x = \log_a y \bmod n.$$


Table 3.5. Summary of ElGamal-type ECC encryption algorithm

Bob’s setup:
1. Choose a large number, $n$. (If using prime fields, $n$ = large prime, $p$. If using m-bit strings, $n = 2^m$.)
2. Choose an elliptic curve, $E$, defined by $a, b \in F_n$.
3. Choose a point, $P$, on $E$.
4. Choose a secret key, $k_B < \#E$.
5. Compute point, $Q = [k_B]P$.
6. Make public $K_e = (n, E, P, Q)$ and keep private $K_d = (k_B)$.

Alice’s setup:
1. Obtain message, $M = [m_1, m_2]$, $m_1, m_2 \in \mathbb{Z}_n$.
2. Choose a secret key, $k_A$, such that $0 < k_A < \#E$, where $\#E$ is the number of points in $E$.

Alice’s encryption steps:
1. Get Bob’s public information, $K_e = (n, E, P, Q)$.
2. Compute point, $S = [k_A]P$.
3. Compute point, $T = M + [k_A]Q$.
4. Send $C = (S, T)$ to B.

Bob’s decryption steps:
1. Receive ciphertext, $C = (S, T)$.
2. Compute $M' = T - [k_B]S$.

The algorithm for this cryptosystem is outlined in Table 3.5.

However, ElGamal-type ECC is not in use as the ElGamal cryptosystem causes the ciphertext to be twice as long as the original plaintext, and is vulnerable to chosen ciphertext attacks. Also, the message, $M$, must be a valid point on the curve for point addition to be possible, as in step 3 of Alice’s encryption. Often, this is not the case, so there must be a homomorphic function, $f$, that maps a point, $P$, to some value, $v$, in the desired finite field, i.e. $P \to v$, such that $f(P) = v$ and has the property $f(P_1 + P_2) = f([v_1]P_2) = f(P_1) f(P_2) = v_1 * v_2$. However, there is some difficulty in finding this function, $f$, which makes the algorithm difficult to implement where such a function does not already exist. This brings us to the Menezes-Vanstone elliptic curve cryptosystem.


Table 3.6. Summary of Menezes-Vanstone ECC encryption algorithm

Bob’s setup:
1. Choose a large prime number, $p$.
2. Choose an elliptic curve, $E$.
3. Choose a point, $P$, on $E$.
4. Choose a secret key, $k_B < \#E$.
5. Compute point, $Q = [k_B]P$.
6. Make public $K_e = (P, Q, E, p)$ and keep private $K_d = (k_B)$.

Alice’s setup:
1. Obtain message, $M$, in $\mathbb{Z}_n$ and arrange in pairs $(M_1, M_2)$.
2. Select a secret key, $k_A$, such that $0 < k_A < \#E$, where $\#E$ is the number of points in $E$.

Alice’s encryption steps:
1. Get Bob’s public information, $K_e = (P, Q, E, p)$.
2. Compute points, $Y_0 = [k_A]P$ and $Y = (y_1, y_2) = [k_A]Q$.
3. Obtain the ciphertext, $C = (C_1, C_2)$, where $C_1 = y_1 \cdot M_1 \pmod{p}$, and $C_2 = y_2 \cdot M_2 \pmod{p}$.
4. Send point, $Y_0$, and ciphertext, $C$, to B.

Bob’s decryption steps:
1. Receive ciphertext, $C = (C_1, C_2)$, and cipherpoint, $Y_0$.
2. Compute point, $Y = (y_1, y_2) = [k_B]Y_0$.
3. Compute the two parts of the message, $M_1 = (y_1)^{-1} \cdot C_1 \pmod{p}$, and $M_2 = (y_2)^{-1} \cdot C_2 \pmod{p}$, to obtain $M = (M_1, M_2)$.

Menezes-Vanstone Elliptic Curve Cryptosystem

The Menezes-Vanstone elliptic curve cryptosystem (MV-ECC) is a variant of the ElGamal-type ECC. However, one important distinction is that MV-ECC does not need the function, $f$. The MV-ECC works directly on the values of the plaintext. Elliptic curve cryptosystems have the disadvantage of requiring key pairs. Key pairs would normally double the size of the encrypted document, but the Menezes-Vanstone cryptosystem exploits this property, using it for pixel-masking (Araki et al. 1998).

The algorithm for the Menezes-Vanstone elliptic curve cryptosystem is outlined in Table 3.6.
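The prime-field point arithmetic, the Hasse bound and the Menezes-Vanstone steps of Table 3.6, as an added Python example that is not part of the thesis. The function names and the toy curve $y^2 = x^3 + 2x + 2$ over $GF(17)$ with base point $(5, 1)$ are assumptions; the rejection of a mask with a zero coordinate and of a received point that is not on the curve are checks added here, not steps from the table.

```python
# Added example, not code from the thesis: Menezes-Vanstone ECC on a toy
# curve y^2 = x^3 + a*x + b over GF(p). Far too small to be secure.
O = None  # the point at infinity


def nonsingular(a, b, p):
    return (-16 * (4 * a**3 + 27 * b**2)) % p != 0    # discriminant != 0


def on_curve(P, a, b, p):
    if P is O:
        return True
    x, y = P
    return (y * y - (x**3 + a * x + b)) % p == 0


def add(P, Q, a, p):
    """Group law on the curve: chord for P != Q, tangent for P == Q."""
    if P is O:
        return Q
    if Q is O:
        return P
    (xp, yp), (xq, yq) = P, Q
    if xp == xq and (yp + yq) % p == 0:
        return O                                      # Q = -P
    if P == Q:
        s = (3 * xp * xp + a) * pow(2 * yp % p, -1, p) % p
    else:
        s = (yp - yq) * pow((xp - xq) % p, -1, p) % p
    xr = (s * s - xp - xq) % p
    return xr, (s * (xp - xr) - yp) % p


def mul(k, P, a, p):
    """[k]P by double-and-add."""
    R = O
    while k:
        if k & 1:
            R = add(R, P, a, p)
        P = add(P, P, a, p)
        k >>= 1
    return R


def count_points(a, b, p):
    """#E including O, by brute force (toy fields only)."""
    roots = {}
    for y in range(p):
        roots[y * y % p] = roots.get(y * y % p, 0) + 1
    return 1 + sum(roots.get((x**3 + a * x + b) % p, 0) for x in range(p))


def hasse_ok(N, p):
    return (N - (p + 1)) ** 2 <= 4 * p                # |N - (p+1)| <= 2*sqrt(p)


def mv_encrypt(M, kA, P, Q, a, p):
    """Alice: return (Y0, (C1, C2)) for the message pair M = (M1, M2)."""
    Y0, Y = mul(kA, P, a, p), mul(kA, Q, a, p)
    if Y is O or Y[0] == 0 or Y[1] == 0:
        raise ValueError("mask has a zero coordinate: choose another k_A")
    return Y0, (Y[0] * M[0] % p, Y[1] * M[1] % p)


def mv_decrypt(Y0, C, kB, a, b, p):
    """Bob: recompute the mask from Y0 and divide it out of C."""
    if Y0 is O or not on_curve(Y0, a, b, p):
        raise ValueError("received point is not on the curve")
    y1, y2 = mul(kB, Y0, a, p)
    return pow(y1, -1, p) * C[0] % p, pow(y2, -1, p) * C[1] % p


if __name__ == "__main__":
    a, b, p, G = 2, 2, 17, (5, 1)                     # constructed toy parameters
    N = count_points(a, b, p)
    print("nonsingular:", nonsingular(a, b, p), "#E:", N, "Hasse:", hasse_ok(N, p))
    kB = 7
    Q = mul(kB, G, a, p)
    Y0, C = mv_encrypt((9, 12), 3, G, Q, a, p)
    print("Q:", Q, "Y0:", Y0, "C:", C, "M:", mv_decrypt(Y0, C, kB, a, b, p))
```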


3.2.5 Attacks on Cryptosystems

Attacks on cryptosystems can be divided into four main types of attacks:

Ciphertext-only attack. This is when the ciphertexts of several messages, encrypted using the same key, are known and the attacker tries to reverse-engineer the key(s) and/or plaintext.

Known-plaintext attack. This is when the plaintext and corresponding ciphertext of several messages are known, all encrypted with the same key, and the attacker tries to reverse-engineer the (encryption) key.

Chosen-plaintext attack. This occurs when the attacker has access to the encryption process, is able to encrypt the plaintext(s) of their choice, and hence can obtain the ciphertext, trying to discover the (encryption) key.

Exhaustive-search attack. Also known as brute-force attack, this is when the attacker knows the range of the key(s) and tests each possible key until the correct plaintext results.

Sometimes attacks can be used together. For example, as exhaustive-search attacks usually have a great number of keys to test, by combining this attack with any of the other three attacks, it is possible to reduce the number of keys that must be investigated.

Other attacks on cryptosystems include:

Man-in-the-middle attack. This attack is more important to cryptosystems that require communication such as during key-exchange for symmetric systems. If the exchange in keys can be intercepted, the attacker can pretend to be either end-party and obtain information without alerting the end-parties to the breach. This attack was the main reason digital signatures were developed.

Chosen-ciphertext attack. This occurs when an attacker has (temporary) access to the decryption process and is able to decrypt ciphertexts of their choice, trying to discover the (decryption) key.

Timing attack. This attack is when the execution time of the encryption/decryption process is analysed in an attempt to figure out the structure of the process. An attacker sends particular queries to the process and times the speed taken to process the query. This is a practical attack in that the attacker requires no mathematical knowledge, only technical knowledge in association with the hardware and implementation of the process. This attack can therefore be used on any system.

Some attacks are particularly important to different cryptosystems. For instance, the chosen-plaintext attack is a vital attack to test public-key cryptosystems against as the attacker has easy access to the encryption process, since it is made public. Using this type of attack, an attacker may be able to build up a look-up table of ciphertexts and their corresponding plaintexts.

Man-in-the-middle attack is obviously more pertinent to symmetric systems.

3.3 Pre- and Post-processing

Applying pre- and post-processing is a necessity when it comes to watermark detection. It not only increases the chances of detecting and matching the watermark, but it becomes particularly important for watermark recovery when a document has been substantially attacked.

3.3.1 Trade-offs: Capacity and Invisibility

In addition to the trade-off in the number of frames to watermark as different versus similar in § 3.1.3, there are also difficult trade-off issues between capacity and cover work interference briefly mentioned in § 3.1.1. There is only a certain amount of information that can be embedded into a cover work before the presence of the watermark causes noticeable changes to the cover work. As mentioned, this certain amount of information is known as the maximum capacity of a watermarking scheme.

The size of a watermark is directly related to the length of the watermark as well as the watermarking strength, $\alpha$. If an image can only allow a certain amount of information to be added before becoming noticeably distorted, then increasing the length of a watermark will mean that the strength of the watermark will need to be reduced. The longer the watermark used for comparison, the greater the chances of a successful match and the less likely the watermark will be detected. However, reduce the strength too much and the watermark becomes less robust to attacks and processing.

Length of the watermark

The length of the watermark is an important issue. As noted in Cox et al. (1995), increasing the watermark length will allow the strength of the watermark to be decreased, thereby decreasing detection by a third party. However, it was also noted that there is a limit to the usefulness of the number of watermark components embedded, and hence the optimal watermark length is document-dependent.

3.3.2 Power Spectral Density (PSD)

A well known attack for watermarking is the Wiener attack. The Wiener attack is an application of the Wiener filter, originally intended to remove noise. However, it can also be used to remove an embedded watermark. In the Wiener attack, the Power Spectral Density (PSD) of a watermarked document is used to determine the PSD of the watermark. The estimated watermark is then subtracted from the watermarked document to remove or corrupt the watermark and prevent detection.

The best way to prevent this attack is to scale the strength of the watermark such that

the PSD of the watermarked document is similar to that of the unmarked document.

3.3.3 Choice of watermark

There are three main choices of watermark distribution. These are the uniform distribution, the binary or bipolar distribution, and the normal or Gaussian distribution. All three choices typically have zero mean to reduce the impact on the document. In addition, document DCT coefficient distributions fall into two categories: the Generalised Gaussian distribution (GGD) and the Laplacian distribution (LD).

In (Eggers and Girod 2001), the combinations of document distributions and watermark distributions were investigated and it was found that under distortions due to quantisation, i.e. for quantisation attacks, the Gaussian distributed watermark did worst and the bipolar distribution fared the best for fine quantisation, and the opposite is true for coarse quantisation. However, for small watermark-to-document ratio, which must occur so that the watermark does not cause a visible impact on the document, the watermark distributions did not differ by much. Moreover, the authors noted that the distribution of the document is more important, with GGD documents and any watermark distribution faring better than its counterpart, LD.

Since the distribution of the document cannot be readily chosen, the overall conclusion is that any watermark distribution will suffice, but for a more general system, the uniformly distributed watermark is probably the best choice.

3.3.4 Choosing document components to alter

Early literature such as in (van Schyndel et al. 1994) directly altered the components of an image by watermarking in the least significant bits (LSBs) of a pixel. This was later found to be easily breakable since the least significant bits of a component are the most affected during compression.

Nowadays, components tend to belong to a spread or stretched version of the document or signal being marked, which were found to better survive attacks such as compression and geometric image processing. A popular method of spreading a signal is via the DCT as in Cox et al.’s algorithm, discussed in § 3.1.2. The DC component of the DCT of a signal should not be touched as it contains significant information required to reconstitute a signal. From the earlier LSB method of watermarking, we also know there is no point in watermarking the smaller-valued components of the DCT as they are also removed or reduced during compression. Therefore watermarkers tend to insert watermarks into the larger to semi-larger, or the middle detailing, of the DCT.

A similar method, the discrete wavelet transform (DWT), was also mentioned in Cox et al.’s paper as well as implemented in various other papers (Cox et al. 1995, Meerwald and Uhl 2001, Barni et al. 2001, Kazakeviciute et al. 2005). DWT seems to be a good choice as the decomposition automatically separates a signal into its gross detailing, middle detail level, and finer details. Watermarks can then be placed into the middle detail level, and even a smaller, less obtrusive watermark can be embedded into the gross detailing.

Thus, when choosing components of a signal to alter, the best location is the middle detail level, which is less affected by compression than the finer detail level, and causes less distortion to the signal than embedding in the gross detailing.


3.3.5 Watermark detection

Throwing away values below a tolerance:

Cox noted that the average or expected value of $W'_i$ can be greatly affected by a few outlying values. He suggested some post-processing to the extracted watermark, $W'$, may be appropriate, that is, comparison may be done by setting the magnitude of values below a tolerance, $tol$, to zero,

$$W'_i \leftarrow \begin{cases} W'_i & \text{if } |W'_i| > tol \\ 0 & \text{otherwise} \end{cases} \tag{3.6}$$

or by comparing the signs of the values rather than the actual values themselves. All this is done to lower the expected value of $W'_i$.

2-D Correlation calculation:

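The sum of squared values, $SS_{xx}$, $SS_{xy}$ and $SS_{yy}$ of two arrays, $x$ and $y$, of length $n$ about their respective means is given by

$$\begin{aligned}
SS_{xx} &\equiv \sum (x_i - \bar{x})^2 = \sum x^2 - 2\bar{x}\sum x + \sum \bar{x}^2 = \sum x^2 - 2n\bar{x}^2 + n\bar{x}^2 = \sum x^2 - n\bar{x}^2 \\
SS_{yy} &\equiv \sum (y_i - \bar{y})^2 = \sum y^2 - 2\bar{y}\sum y + \sum \bar{y}^2 = \sum y^2 - 2n\bar{y}^2 + n\bar{y}^2 = \sum y^2 - n\bar{y}^2 \\
SS_{xy} &\equiv \sum (x_i - \bar{x})(y_i - \bar{y}) = \sum (x_i y_i - \bar{x} y_i - x_i \bar{y} + \bar{x}\bar{y}) = \sum xy - n\bar{x}\bar{y} - n\bar{x}\bar{y} + n\bar{x}\bar{y} = \sum xy - n\bar{x}\bar{y}
\end{aligned} \tag{3.7}$$

The square of the correlation coefficient, $r^2$, is then

$$r^2 \equiv \frac{SS_{xy}^2}{SS_{xx}\,SS_{yy}} = \frac{\left(\sum xy - n\bar{x}\bar{y}\right)^2}{\left(\sum x^2 - n\bar{x}^2\right)\left(\sum y^2 - n\bar{y}^2\right)} \tag{3.8}$$

For 2-D correlation coefficient calculations, the above is applied to the rows, then columns.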

Mean Squared Error (MSE):

Mean squared error (MSE) is a useful method of estimating the amount of error a signal has accumulated as it is transmitted through a noisy channel. The MSE of an estimator, $\hat{\theta}$, with respect to the estimated variable, $\theta$, is generally defined as

$$\mathrm{MSE}(\hat{\theta}) = E\left((\hat{\theta} - \theta)^2\right) \tag{3.9}$$

For grayscale images, this is more readily defined as

$$\mathrm{MSE} = \frac{1}{mn} \sum_{i=0}^{m-1} \sum_{j=0}^{n-1} \left\| I(i,j) - K(i,j) \right\|^2 \tag{3.10}$$

where $I$ is an $m \times n$ image, and $K$ is its noisy counterpart.

Peak Signal-to-Noise Ratio (PSNR):

Peak signal-to-noise ratio (PSNR) is a typical measure of image or video quality, particularly after compression. PSNR is more easily defined by the MSE, i.e.

$$\mathrm{PSNR} = 20 \cdot \log_{10}\left(\frac{MAX_I}{\sqrt{\mathrm{MSE}}}\right) \tag{3.11}$$

where $MAX_I$ is the maximum pixel value. For an 8-bit image, this value is 255 ($= 2^B - 1$, where $B$ is the maximum number of bits per pixel).

Removing similar features:

Sometimes the watermark embedded in a document may not be extractable. In fact, this is a desirable property to prevent removal. In this case, it may be necessary to compare the watermarked images themselves instead of just the watermarks. However, comparisons done in this way will have a high correlation since the watermarked images must have no noticeable differences when compared to the original image. The residues of the watermarked images should then be compared instead. Once again, this is done to lower the expected value of $W'_i$, to prevent a few outlying values from greatly affecting the final correlation value.
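The detection measures of this section, Eqs. 3.6 to 3.11 and the residue comparison, are worked through below as an added example that is not code from the thesis. The watermark values, the 8-pixel image and the flattening of 2-D images into one array are constructed assumptions.

```python
import math

def ss(x, y):
    """SS_xy of Eq. 3.7 in its shortcut form: sum(xy) - n * mean(x) * mean(y)."""
    n = len(x)
    return sum(a * b for a, b in zip(x, y)) - sum(x) * sum(y) / n

def r_squared(x, y):
    """Squared correlation coefficient of Eq. 3.8."""
    return ss(x, y) ** 2 / (ss(x, x) * ss(y, y))

def threshold(w, tol):
    """Eq. 3.6: zero every extracted value whose magnitude is not above tol."""
    return [v if abs(v) > tol else 0 for v in w]

def signs(w):
    """Keep only the sign of each extracted value (the alternative to Eq. 3.6)."""
    return [1 if v > 0 else -1 for v in w]

def mse(i, k):
    """Eq. 3.10 for images flattened to lists of pixel values."""
    return sum((a - b) ** 2 for a, b in zip(i, k)) / len(i)

def psnr(i, k, bits=8):
    """Eq. 3.11; infinite when the two images are identical."""
    err = mse(i, k)
    return math.inf if err == 0 else 20 * math.log10((2 ** bits - 1) / math.sqrt(err))

def residue(marked, original):
    """What is left of a watermarked image once the original is subtracted."""
    return [m - o for m, o in zip(marked, original)]

# Constructed data: a bipolar watermark and an extraction with one large outlier.
W_TRUE = [1, -1, 1, -1, 1, -1, 1, -1]
W_EXTRACTED = [0.9, -1.1, 1.2, -0.8, 0.05, -0.1, 1.0, 9.0]

# Constructed 8-pixel "image" marked with two different bipolar watermarks.
ORIGINAL = [10, 20, 30, 40, 50, 60, 70, 80]
COPY_A = [o + w for o, w in zip(ORIGINAL, W_TRUE)]
COPY_B = [o + w for o, w in zip(ORIGINAL, [1, 1, -1, -1, 1, 1, -1, -1])]

if __name__ == "__main__":
    # One outlier wrecks the raw correlation; comparing signs recovers the match.
    print("r2, raw extraction:", round(r_squared(W_TRUE, W_EXTRACTED), 4))
    print("r2, signs only:    ", round(r_squared(W_TRUE, signs(W_EXTRACTED)), 4))
    print("after Eq. 3.6:     ", threshold(W_EXTRACTED, 0.5))
    # Two differently marked copies look alike; their residues do not.
    print("r2, copies:        ", round(r_squared(COPY_A, COPY_B), 4))
    print("r2, residues:      ", r_squared(residue(COPY_A, ORIGINAL), residue(COPY_B, ORIGINAL)))
    print("PSNR of copy A:    ", round(psnr(ORIGINAL, COPY_A), 2), "dB")
```

Note that $r^2$ discards the sign of the correlation, so a strongly negative match would score as highly as a positive one.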


Chapter 4

Issues Associated with Mutual Distrust

This chapter discusses the issue of transaction tracking under the mutual distrust scenario, with the use of watermarks and cryptography. We will give examples that support our reasons for delving into this issue. We will then elucidate the significance of finding solutions to the mutual distrust challenge. Following the benefits of our research in this field, we present the usual approach, which is to encrypt, decrypt, then watermark. We identify the weaknesses of this usual approach, and present our staining protocol – encrypt, watermark, and then decrypt – and outline how it solves the mutual distrust issue. We complete this chapter with a brief summary of the problems that we may encounter in implementing our protocol.


4.1 The problem with trusting too much...

A recent study, as well as various telltale signs in news articles and so forth, have shown that the majority of the problems of piracy are occurring before mass distribution. That is, the piracy is originating from within the group of trusted parties, such as review committees, processing companies, and even from the studios themselves (Lyman 2002, Glasner 2002, KillerMovies 2003, Becker 2003, Schwartz 2003, Byers et al. 2003). This seems to indicate that the research into watermarking and transaction tracing or fingerprinting should be focussing on piracy from within the entertainment industry. The idea we are trying to convey is that not even the owner of a document can be trusted. Hence, by using steganographic watermarking and encryption to track transactions between all parties possessing copies of a document, there is the possibility of ending piracy at the source.

4.2 Significance of Research

Video piracy has long been recognised by the video industry, but the advent of the DVD has meant an explosive growth in the video black market. In 2002, Business Software Alliance (BSA) estimated that DVD piracy had increased up to 40% globally in the year 2001 (MediaLine News 2002). In 2004, FACT reported pirated DVD seizures of about 2.4 million compared to 1.6 million the year before and just 337 thousand in 2002 (The Federation Against Copyright Theft (FACT) 2005b). Also in 2004, the MPAA conducted a study on the losses to the film industry and international economies due to piracy. In 2005, the MPAA presented the results of the 18-month and 22-country study, estimating the loss to the studios at USD$6.1 billion (Motion Picture Association of America 2005).

In addition, owing to the increase in piracy, many companies, most notably those that provide content protection, have significantly diminished in size or are no longer in business (Roush 2002, Butler 2003).

In response, the entertainment industries have been actively seeking out illegal copies and taking legal action, even against those that have not committed, but could potentially commit or assist in the committing of, a crime (Costello 2001, Dean 2003, Butler 2003, Motion Picture Association of America n.d.). Their targets have largely been end-users and consumers, and have extended even to researchers and scholars (Grossman 2001, Yu 2002, McCullagh 2003, von Lohmann 2003, Butler 2003). Consumers are rapidly losing faith in the entertainment industries. We can see the response of consumers to the entertainment industries’ actions against companies such as Napster. When Napster fell, many similar companies rose to take its place, such as Madster, KaZaA, AudioGalaxy and MusicCity (Yu 2002).

This is a troubling trend, and though the actions taken by the entertainment industries do seem to be working (Motion Picture Association of America n.d., The Federation Against Copyright Theft (FACT) 2005a, piracyisacrime.com 2005), the future implications are unknown. The entertainment industries need to develop different, more sustainable and effective strategies for reducing piracy.

The most direct option is to find and take legal action against the sources of illegal redistribution. As seen from previous chapters, the majority of research into copy protection has been targeted at post-mass-distribution piracy. However, the majority of the piracy is occurring pre-mass-distribution, from organisations such as multimedia processing businesses, review companies, advertising agencies, airlines, cinemas, TV networks, and even from the film studios themselves (Glasner 2002, KillerMovies 2003, Becker 2003, Lyman 2002, Schwartz 2003).

Compliant machines (see Appendix A) have not been enough of a protection (Boneh and Shaw 1996, Linnartz 1998, IBM Research 1999, Miller et al. 1999, King et al. 1999a, King et al. 1999b, Patrizio 1999, Ketola 1999, Stevenson 1999, Kesden 2000, Lawlor 2001, CNN 2003, Borland 2003) and will be better strengthened if supported by embedding watermarking systems. Only recently has research begun to focus on the root of the piracy problem of insiders and malicious owners (Zhang et al. 2006, Bloom and Polyzois 2004, Lei et al. 2004, Sheppard et al. 2004), but a sufficiently robust and elegant system is yet to be found.

4.3 Applications of Research Findings

Watermarks are typically used to identify the owner of a document. They can also be used to authenticate a document using fragile watermarks, and have even been embedded in vital sections of medical x-rays to prove the veracity of the x-ray (Osbourne 2005). However, a particularly interesting usage of watermarking from a legal point of view is in copy tracing (fingerprinting or transaction tracking), to determine the path a document takes from its source to third parties that are not legally entitled to receive the document.

Watermarking methods that track distribution are not only useful for copy tracing but for the management of distribution of commercially sensitive material. The entertainment industries are only recently beginning to utilise the Internet for mass distribution (Kontzer 2001, Olsen 2003, Regan 2006) and taking tentative steps into investing in movies that can be bought and downloaded off the internet as can be done currently with some songs, opening up new possibilities for distribution. All these new distribution directions will require copyright protection methods, especially now that piracy from within the industries has been established.

Transaction tracking research has been applied to protecting other commercial properties such as computer software, and has even been extended into music. It can allow the automatic monitoring and tracking of copyright documents, not only on the Internet but also in radio broadcasts. For example, a program could trawl the Internet for watermarked documents, thereby seeking out and identifying online copyright violations. Similarly, a program could listen for markers in broadcasted music.

This research will also have obvious military applications such as for document integrity and security. Documents have often been prematurely disclosed to the public, which could prove to be embarrassing to defence institutions and companies, or even a threat to national security. With the ability to uncover the culprit of the disclosure, these incidents are less likely to occur in future.

4.4 Trusted Owner Party Scenario

In typical transactions there are transfers of some document or data from the owner party A to receiving parties, B, C, D and so forth. Usually, A is considered trustworthy and the receiving parties are considered untrustworthy. In that case, A will insert a watermark into each document transmitted, such that the document sent to party B will contain a watermark identifying the copy as going to B, C will receive a copy watermarked to C, and so forth. Should a copy of the document surface in the possession of another, unauthorised party, A can detect the embedded watermark, thereby identifying which receiving party leaked the unauthorised copy.

However, the transmitted copies could be intercepted en route to the receiving parties, which will cause one of the receiving parties to be wrongly accused of betrayal. To prevent this, encryption is used to protect the passage of the document. Public-key encryption should be used to avoid the key-exchange problem, such that only the receiving party can decrypt, as shown in Figure 4.1 below.

[Figure: diagram with marked points 1, 2 and 3. A: embeds B’s identifying watermark; encrypts with B’s secret; Tx. B: Rx; decrypts with its secret; gets a copy with its identifying watermark.]

Figure 4.1. Trust-distrust copy transfer process.

However, it has been established in Chapter 4 that party A is capable of betrayal, thereby creating a mutual distrust environment where none of the parties can trust any other party. Examining the scenario depicted in Figure 4.1, an obvious weakness can be immediately identified. A cannot betray just before 2, before it has sent the copy, as it cannot decipher B’s encryption; at 2 after receiving, it is pointless for B to illegally distribute the copy since the document would be rendered meaningless by encryption; interception at 2 will similarly be pointless; and at point 3, B will not illegally distribute since the copy can be linked to B. This then leaves point 1. It is at this point, together with point 3, that the weakness in the scheme is found.

At points 1 and 3, assuming no information is lost in transition, the documents held by each party are identical. A sub-party within A could deliver its copy of the document to an enemy E to copy and illegally redistribute, protecting itself by implicating B. Conversely, if B was the insider, party B could falsely refute the charge of supplying E with a copy by pointing out that the same watermarked copy is also available through A. Since the charge of leaking can be repudiated by either party in a transaction, this system cannot be used in a court of law.


4.5 The Staining Approach

To avoid the above mutual-distrust problem, we present a protocol for entangling secrets rather than the sharing of secrets, through a process called staining. We require a system which ensures that B’s copy is unique, by altering B’s copy irreversibly after decryption. However, it is not in B’s interest to embed a receipt voluntarily, signifying that the copy has reached B. Such a mechanism must then be compulsory.

The staining protocol is as follows: instead of embedding the watermark before encryption, embedding should occur after encryption. This is shown in Figure 4.2. After decryption, B would possess a copy containing a distorted watermark, altered by the cryptographic process.

If we examine as before, we see that at point 2, including before transmission and after receiving, the document will be protected by the encryption process. At 3, B still cannot distribute as the copy can still be linked to it, but now at points 1 and 3, the same document is not available to both parties.

As can be seen, this staining protocol embeds a secret in B’s copy which contains elements from both parties, A and B. The stain can only be generated by B’s private decryption key, unknown to A who is only given B’s public key for encryption, together with A’s watermark, which is not known to B.

In the event of a copy being found in E’s possession, the watermark need only be detected. A has sufficient information to identify the presence of the stain through B’s public key and A’s watermark, but not enough information to frame B. If the watermark is undistorted or missing, A is the culprit. B can be implicated only if a distorted watermark is detected, which A cannot duplicate without knowing the decryption procedure, held secret by B. If A and B are in dispute, a third party could be given all secrets to verify the existence of the stain in the copy recovered from E.

4.5.1 Problems Anticipated with Staining

Watermarking and cryptography have always been heavily related. The same requirements on cryptography: secretiveness and impenetrability, are also imposed upon watermarks. Strangely enough, the two fields have never been fully integrated in the manner proposed. Perhaps for that reason the following problem arises.

[Figure: diagram with marked points 1, 2 and 3. A: encrypts with B’s secret; embeds B’s identifying watermark; Tx. B: Rx; decrypts with its secret; gets a copy with its identifying watermark, crypto-distorted.]

Figure 4.2. Mutual distrust copy transfer process.

Cryptography is a precise art, with a one-to-one mapping from the plain text to the cipher text. Such a mapping is achieved through the use of secret keys, one-way functions and problems that are algebraically hard to solve, such as the discrete logarithm problem.

Watermarking is comparatively malleable, as it is usually used in media highly prone to modification, that is, a certain amount of loss of information is expected. Whereas a watermark is made to survive tampering, a similar alteration would and should destroy a piece of cipher text.

Cryptosystems are made to be fragile. In the proposed scheme, however, a robust cryptosystem is required as it will be deliberately altered by the insertion of the watermark. This will require complementary watermarking and cryptographic systems.

However, the primary aim of this research is to demonstrate the feasibility of the proposed solution. As such, we will show how this process works using simple watermarking and cryptographic systems. We have chosen Cox et al.’s watermarking method as defined in § 3.1.2 as it is a simple but robust system. The choice of the cryptographic complement was a great deal more difficult. We have considered various types of public-key cryptosystems which have been outlined in § 3.2. The results from these will be in the following section.


Chapter 5

Experimental Results

In this chapter, we demonstrate how we address the problems of having untrustworthy parties in a transaction. We achieve this through experimentation, on greyscale still images, using a variety of cryptographic techniques combined with our chosen watermarking technique, the spread spectrum algorithm. In addition, we attack our systems to test their durability.

From these experiments, we show that it is possible to combine watermarking and cryptography in such a way – encrypting, watermarking, then decrypting – without destroying the cover work, and still be able to obtain a successful watermark match. In addition, the attacks will show that such systems are also robust to common signal processing and geometric attacks.


Figure 5.1. Lena image used in the testing of the implementations, courtesy of the Signal and Image Processing Institute at the University of Southern California.

5.1 Test Work

In this thesis, only greyscale still images have been considered. However, the processes can be extended for colour images, either by treating each colour plane separately or regarding all planes as a whole and altering them in the same way.

In the testing of the implementations, the images, Lena and Baboon, as shown in Figures 5.1 and 5.2, have been used. The size of both images is 512 × 512 pixels, but a scaled version, 256 × 256 pixels, was used if there were OUT OF MEMORY issues or the process took too long.

5.2 XOR Cryptosystem

We began with the simplest of cryptosystems, the XOR cryptosystem, which has not been detailed in § 3.2 as it is not a public key cryptosystem and is very simple to explain.

The XOR cryptosystem is a symmetric cryptosystem, which means that the method for decoding and encoding is the same. The XOR cryptosystem is a type of stream cipher. A key generates a pseudorandom encryption stream of the length required, in this case the stream is the same length as the image when laid as a vector and converted to bits, i.e. 512 × 512 = 262144 pixels long = 262144 × 8 = 2097152 bits long. The message is then encrypted by XOR-ing with the stream to produce a ciphertext.


NOTE: This figure is included on page 62 of the print copy of the thesis held in the University of Adelaide Library.


Figure 5.2. Baboon image used in the testing of the implementations, courtesy of the Signal and Image Processing Institute at the University of Southern California.

Table 5.1. Summary of XOR encryption algorithm

Setup:

1. Choose a key, k.

2. Use k to obtain a pseudorandom encryption stream, E.

3. Obtain message, M ∈ F2.

Encryption steps:

1. Compute C = M ⊗ E.

Decryption steps:

1. Compute message, M = C ⊗ E.

Decryption is achieved by again XOR-ing the ciphertext with the stream. The method is outlined in Table 5.1.

The point of this first experiment was to test using XOR encryption with Cox et al.’s spread spectrum watermarking method (§ 3.1.2), primarily because this is the simplest form of encryption, so as to gain a better understanding of combining encryption and watermarking. Hence this test will not be subjected to attacks as outlined in § 3.1.3.

The code for this implementation is in Appendix C.1. The algorithm is as in Table 5.2. For detection, the watermark was recovered by reversing the algorithm, and a simple correlation analysis was used to determine the match ratio. The correlations, for the images in Figure 5.3 are as follows:


NOTE: This figure is included on page 63 of the print copy of the thesis held in the University of Adelaide Library.


Table 5.2. Summary of XOR watermarking algorithm

A’s setup:

1. Obtain image, M, of size h × w uint8 values.

2. Obtain watermark image, W, of size h × w uint8.

3. Select strength factor, α.

B’s setup:

1. Pick a key, k.

2. Obtain from k an encryption binary stream, E, and corresponding decryption binary stream, D(= E), each of length h × w × 8.

3. Send E to A.

A’s encryption steps:

1. Turn M into a stream of h × w × 8 bits.

2. Compute C = M ⊗ E.

A’s watermarking steps:

1. Turn C into a matrix of h × w pixels.

2. Discrete cosine transform the encrypted image, C, i.e. V = dct(C).

3. Obtain V ′ = V(1 + αW).

4. Inverse discrete cosine transform V ′ into C′.

5. Send C′ to B.

B’s decryption steps:

1. Receive C′ and turn into a stream of h × w × 8 bits.

2. Compute stained image, M′ = C′ ⊗ D.

3. Turn M′ into a matrix of h × w pixels.

• correlation for the stained image, (d), and original image, (a), was 0.9999

• correlation for the recovered watermark and original watermark was 0.9318

• correlation for the encrypted image, (b), and original image, (a), was 0.0030

This experiment was set to learn about combining watermarking and cryptography. This showed us that though the encryption method is commutative, inserting the watermarking step in between will reduce any commutative process into a non-commutative process. This is a good step as it implies that the stain will always occur. The next step was to find a process that worked.
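The steps of Table 5.2, followed by sign-based detection, are run below on a small image as an added example that is not the thesis's Appendix C.1 code. The constructed 16 × 16 gradient image, the SHA-256 counter-mode keystream standing in for E, the bipolar watermark that leaves the DC coefficient alone and α = 0.1 are all assumptions. Because D = E for XOR, A could compute the stain itself, so this shows only the mechanics of encrypt, watermark, decrypt and detect.

```python
import hashlib
import math

N = 16        # side of the constructed test image (assumption; the thesis uses 512 x 512)
ALPHA = 0.1   # strength factor alpha (assumed value)

def keystream(key, n):
    """SHA-256 in counter mode, standing in for the pseudorandom stream E (= D)."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return list(out[:n])

def xor(pixels, stream):
    """Byte-wise XOR; identical to XOR-ing the h*w*8 bit streams of Table 5.2."""
    return [p ^ s for p, s in zip(pixels, stream)]

# Orthonormal DCT-II matrix, so dct2 and idct2 are inverses up to float error.
T = [[math.sqrt((1 if k == 0 else 2) / N) * math.cos(math.pi * (2 * n + 1) * k / (2 * N))
      for n in range(N)] for k in range(N)]
T_T = [list(col) for col in zip(*T)]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(N)) for j in range(N)] for i in range(N)]

def rows(flat):
    return [flat[i * N:(i + 1) * N] for i in range(N)]

def dct2(flat):
    return [c for row in matmul(matmul(T, rows(flat)), T_T) for c in row]

def idct2(flat):
    return [c for row in matmul(matmul(T_T, rows(flat)), T) for c in row]

def embed(pixels, w):
    """V' = V(1 + alpha*W) in the DCT domain, then back to clipped uint8 pixels."""
    marked = [v * (1 + ALPHA * wk) for v, wk in zip(dct2(pixels), w)]
    return [min(255, max(0, round(p))) for p in idct2(marked)]

def stain(image, stream, w):
    """Encrypt (A), watermark the ciphertext (A), decrypt (B). Returns (C', M')."""
    c_marked = embed(xor(image, stream), w)
    return c_marked, xor(c_marked, stream)

def sign_agreement(suspect, original, stream, w):
    """Reverse the algorithm on a suspect copy and compare watermark signs.
    Returns the fraction of AC coefficients whose recovered sign matches w."""
    v = dct2(xor(original, stream))
    v_s = dct2(xor(suspect, stream))
    hits = 0
    for vk, vsk, wk in list(zip(v, v_s, w))[1:]:      # skip the DC term
        est = (vsk / vk - 1) / ALPHA if vk else 0.0    # estimate of W_k
        hits += (1 if est > 0 else -1) == wk
    return hits / (len(w) - 1)

# Constructed inputs: a smooth gradient image and two bipolar watermarks (DC left alone).
IMAGE = [40 + 6 * i + 5 * j for i in range(N) for j in range(N)]
E = keystream(b"B-key", N * N)
W = [0] + [1 if b & 1 else -1 for b in keystream(b"A-mark", N * N - 1)]
W_OTHER = [0] + [1 if b & 1 else -1 for b in keystream(b"other", N * N - 1)]

C_MARKED, STAINED = stain(IMAGE, E, W)
# Order of Figure 4.1: watermark first, then encrypt and decrypt (XOR round-trips exactly).
PLAIN_MARKED = xor(xor(embed(IMAGE, W), E), E)

if __name__ == "__main__":
    print("stained == original:            ", STAINED == IMAGE)
    print("stained == watermark-first copy:", STAINED == PLAIN_MARKED)
    print("agreement, embedded mark:", sign_agreement(STAINED, IMAGE, E, W))
    print("agreement, other mark:   ", sign_agreement(STAINED, IMAGE, E, W_OTHER))
    print("agreement, unmarked copy:", sign_agreement(IMAGE, IMAGE, E, W))
```

Agreement near 1 indicates the embedded mark, while an unrelated mark or an unmarked copy sits near the 0.5 expected by chance.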


Table 5.3. Summary of matrix multiplication watermarking algorithm

A’s setup:

1. Obtain image, M, of size h × w uint8 values.

2. Obtain watermark, W, of length l binary bits, {−1, 1}.

3. Select strength factor, α.

B’s setup:

1. Pick a key, k.

2. Obtain from k an encryption matrix, E, of size n × n of uint8 values.

3. Obtain decryption matrix by finding the matrix inverse of E, D = inv(E).

4. Send E to A.

A’s encryption steps:

1. Divide M into blocks of n × n.

2. For each block, i, compute C_i = M_i × E, where × here means matrix multiplication.

A’s watermarking steps:

1. Discrete cosine transform the encrypted image, C, and sort into l largest values excepting the DC component(s).

2. Obtain C′j = Cj(1 + αWj), for j = 1 : l.

3. Inverse discrete cosine transform C′.

4. Send C′ to B.

B’s decryption steps:

1. Receive C′ and divide into n × n blocks.

2. Compute stained image, M′_i = C′_i × D, for each block, i.

5.3 Block-based Cryptosystem

From XOR encryption, we went on to a simple block-based, invertible-matrices, cryptosystem. We chose the encryption here to be an n × n matrix, E, of uint8 values, obtained by using a pseudorandom key, k. To encrypt, we simply matrix-multiplied the image in n × n blocks with the encryption matrix. To decrypt, the inverse of the encryption matrix, D, must exist. The decryption method is the same as for encryption, just a series of matrix multiplications. The code for this implementation is in Appendix C.2, and the summary of this cryptosystem is outlined in Table 5.3.


For this implementation, we varied n from 8 up to the whole image. For the watermarking step, we similarly varied the DCT block size from blocks of 8 up to DCTing the whole image. α was varied in such a way that the distortions caused by the watermark were at the very edge of visibility, giving a correlation of 0.9980 to 0.9981 between the final image and the original image. The results are shown in Table 5.4, Figure 5.4 and Figure 5.5.

Due to the properties of images, a small block of image, unless an edge occurs in that block, has almost the same intensity. Hence the encrypted image is dependent on the encryption matrix, producing the vertical lines seen in Figure 5.4 and Figure 5.5, instead of the expected blocky encrypted image.

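For example, if we have

$$C = M * E$$

where $M$ is the message, $E$ is the encryption matrix, and $*$ denotes matrix multiplication, then $C = (c_{ij})$ with

$$c_{ij} = \sum_{x=1}^{n} m_{ix} e_{xj}, \qquad C = \begin{pmatrix} m_{11}e_{11} + m_{12}e_{21} + \cdots + m_{1n}e_{n1} & m_{11}e_{12} + \cdots + m_{1n}e_{n2} & \cdots \\ m_{21}e_{11} + m_{22}e_{21} + \cdots + m_{2n}e_{n1} & m_{21}e_{12} + \cdots + m_{2n}e_{n2} & \cdots \\ \vdots & \vdots & \ddots \end{pmatrix}$$

and

$$c_{11} = m_{11}e_{11} + m_{12}e_{21} + \cdots + m_{1n}e_{n1}.$$

Therefore if $m_{11} \approx m_{12} \approx \cdots \approx m_{1n}$, then

$$c_{11} = m_{11}(e_{11} + e_{21} + \cdots + e_{n1}) = m_{11} \sum_{x=1}^{n} e_{x1}$$

and $c_{11}$ is dependent on the columns of the encryption matrix, producing the ribbed effect.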
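The ribbed effect derived above can be checked numerically. The following added example (not the thesis's Appendix C.2 code) encrypts a flat block, a nearly flat block and a block containing an edge. The 4 × 4 matrix E, the pixel values and the rib_ratio measure are constructed assumptions.

```python
# Constructed encryption matrix of uint8 values; the thesis derives E from a key k
# and uses n >= 8. Invertibility of E is not needed for this demonstration.
E = [[12, 200, 45, 90],
     [77, 3, 160, 31],
     [150, 64, 9, 220],
     [5, 111, 98, 17]]

def encrypt_block(m, e):
    """C_i = M_i x E as a plain integer matrix product (no uint8 wrap-around)."""
    n = len(e)
    return [[sum(m[i][x] * e[x][j] for x in range(n)) for j in range(n)] for i in range(n)]

def encrypt_image(img, e):
    """Encrypt an h x w image in n x n blocks; h and w must be multiples of n."""
    n = len(e)
    out = [[0] * len(img[0]) for _ in img]
    for r in range(0, len(img), n):
        for c in range(0, len(img[0]), n):
            block = [row[c:c + n] for row in img[r:r + n]]
            for i, crow in enumerate(encrypt_block(block, e)):
                out[r + i][c:c + n] = crow
    return out

def column_sums(e):
    """The sums over x of e_xj that multiply a flat block's intensity."""
    return [sum(col) for col in zip(*e)]

def block(img, index, n=4):
    """The index-th n x n block of the first block row."""
    return [row[index * n:(index + 1) * n] for row in img[:n]]

def rib_ratio(cipher_block):
    """Largest spread within a column divided by the spread between column means.
    Near 0 means vertical stripes: every row of the block is almost the same."""
    cols = list(zip(*cipher_block))
    within = max(max(c) - min(c) for c in cols)
    means = [sum(c) / len(c) for c in cols]
    return within / (max(means) - min(means))

# Constructed plaintext blocks: flat, nearly flat, and one with a horizontal edge.
FLAT = [[100] * 4 for _ in range(4)]
NEAR = [[100, 101, 100, 102],
        [101, 100, 102, 100],
        [100, 102, 101, 100],
        [102, 100, 100, 101]]
EDGE = [[30] * 4, [30] * 4, [220] * 4, [220] * 4]
IMAGE = [FLAT[i] + NEAR[i] + EDGE[i] for i in range(4)]

CIPHER = encrypt_image(IMAGE, E)

if __name__ == "__main__":
    print("column sums of E:", column_sums(E))
    for name, idx in (("flat", 0), ("near-flat", 1), ("edge", 2)):
        print(name, "first row:", block(CIPHER, idx)[0],
              "rib ratio:", round(rib_ratio(block(CIPHER, idx)), 4))
```

The flat block encrypts to four identical rows equal to 100 times the column sums of E, so a smooth region of the plaintext remains visible in the ciphertext as vertical stripes.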

From the results, we observe that the same encryption and watermarking block sizes produce the best results. The reason for this lies in the edges. Watermarking blocks not of the same size as encryption cause more edges to be within an encryption block, and therefore there will be a disparity between pixels along the edge, producing more distortion. Also, encryption block sizes any bigger than 8 × 8 give a better encrypted image, as can be seen in Figure 5.4. However, the greater the size of the matrix, the greater the number of altered pixels due to watermarking, and hence the greater the distortion after decryption by matrix multiplication.

This means that due to these distortions caused by the properties of matrix multiplication, the watermark strength then needed to be increased, as shown in the results from Table 5.4, for the watermark to survive the process. For encryption and watermarking block sizes of 8 × 8, the largest α producing minimal distortions to the end image was 0.00043, giving a watermark correlation value of 0.8777 and decrypted image correlation value of 0.9981. At n = 16, α was increased to 0.01, producing a watermark correlation value of 0.8059 and decrypted image correlation value of 0.9981.

However, though increasing the watermark’s strength means that the survivability

of the watermark is increased, it also means that decryption will interfere more with

the watermark and vice-versa. At a certain point, the interference will be such that

the end image will be noticeably distorted and the watermark destroyed altogether.

This point occurred for n > 16, which would need α < 0.001 to prevent visible

distortions. However, the watermark at that point is then too weak and incoherent

to be recovered correctly. This ties in with earlier discussions regarding the trade-off

between visibility and capacity (§ 3.3.1).

To increase watermark detection, we implemented post-processing. In this instance,

after attempting to recover the watermark, an additional step was added: averag-

ing and rounding to ±1. The result after post-processing is labelled as WmCorr2 on

Table 5.4, while no post-processing is labelled WmCorr1. Since the original water-

mark only had values of -1 and 1, this additional post-processing would minimise

the distortions to the watermark caused by the decryption stage. As expected, this

produced better correlation values, reinforcing the use of pre- and post-processing

stages, especially when the watermark is weak and detection needs support.

Lastly, this is a symmetrical cryptosystem, where the decryption matrix can be inferred from the encryption matrix obtained through a key, which is not what we want. We can see that, though the residue that has been left is visible, it shows promise that adding a watermarking step after encryption still allows for a fairly good decryption. However, as can also be seen, the image after encryption is minimally distorted, so even if the cryptosystem was of a type we desired, it is clearly not a sufficiently strong cipher for image encryption.

Table 5.4. Correlation comparison for different encryption and watermarking block sizes for matrix multiplication watermarking scheme.

EnBlkSiz  WmBlkSiz  α         ImCorr  WmCorr1  WmCorr2
8         8         0.000430  0.9981   0.8777   0.9781
8         16        0.000300  0.9981   0.1243   0.7032
8         64        0.000300  0.9981   0.0032   0.0000
8         512       0.000400  0.9980  -0.0170  -0.0377
16        8         0.001300  0.9980   0.0550   0.0121
16        16        0.010000  0.9981   0.8059   0.8660
16        64        0.004100  0.9981   0.0029  -0.0064
16        512       0.005000  0.9981  -0.0515  -0.0411
64        8         0.000600  0.9980  -0.0337  -0.0345
64        16        0.000400  0.9981   0.0022  -0.0080
64        64        0.004900  0.9981   0.0240   0.0010
64        512       0.003900  0.9980  -0.0317  -0.0262
512       8         0.000043  0.9981   0.0007  -0.0072
512       16        0.000024  0.9981   0.0085   0.0183
512       64        0.000028  0.9981  -0.0379  -0.0260
512       512       0.001550  0.9980   0.0516   0.0149

5.4 RSA Cryptosystem

One of the simplest public-key cryptosystems is RSA. The steps with the watermark-

ing stage included are in Table 5.5, an extension of Table 3.2 from the RSA section,

§ 3.2.1. The code for this implementation is in Appendix C.3.

To recover or extract the watermark, one option was to encrypt the final image again, as decryption cancels encryption and vice-versa. The watermarking process could then be inverted to obtain the watermark. The problem with this method is that any little changes are further increased by the re-encryption step, due to the large exponentiation (power to e), which could end up substantially corrupting the watermark.

Table 5.5. Summary of RSA watermarking algorithm

Alice’s setup:

1. Obtain image, M, of size h × w uint8 values.

2. Obtain watermark, W, of length l binary bits, {−1, 1}.

3. Select strength factor, α.

Bob’s setup:

1. Choose 2 large prime numbers, p and q.

2. Compute n = pq and φ = (p − 1)(q − 1).

3. Find 1 < e < φ such that (e, φ) = 1.

4. Compute d such that ed ≡ 1 (mod φ).

5. Make public (n, e) and keep private (φ, d).

Alice’s encryption step:

1. Compute $C = M^e \pmod{n}$.

Alice’s watermarking steps:

1. Discrete cosine transform the encrypted image, C, and sort into l largest values except the DC component.

2. Obtain $C'_j = C_j(1 + \alpha W_j)$, for j = 1 : l.

3. Inverse discrete cosine transform C′.

4. Send C′ to B.

Bob’s decryption steps:

1. Receive altered ciphertext, C′.

2. Compute message, $M' = (C')^d \pmod{\varphi}$.

Alternatively, instead of extraction, the presence of the watermark can be detected.

Given the original image and the set of random watermarks (a set to which our wa-

termark belongs), embed the original image with the entire set, following the process

exactly, producing another set, this one of randomly watermarked images. Then our

document of interest can be compared to this output image set, matching the final

decrypted images produced. That is, we match M′s instead of W′s. In this way, the

watermark is not further corrupted by re-encryption.

The results are shown in Figure 5.6 and Figure 5.7. We can see that RSA is a much

stronger encryption than the block-based encryption system, as the original image

can barely be seen in the encrypted image.

Next, we began attacking the system to test its robustness. The attacks can only occur after decryption. If they occurred before decryption, the image would not be decrypted properly, or at least not without noticeable distortions. Since the integrity of the message, M, must be kept, any changes from attacks must be marginal.

The attacks applied to the final images are:

• forcing pixel values to unsigned 8-bit integers, i.e. truncating,

• JPEG conversion, to image quality 50%,

• cropping 1 pixel (out of 256 pixels) from each of the edges,

• cropping 50 pixels (out of 256 pixels) from each of the edges,

• adding Gaussian noise, with zero mean and standard variance 0.004,

• downsampling by 2, by decreasing the final image to half-size then enlarging

to full size,

• testing combination attacks of cropping 1 pixel from each of the edges and then

resizing the image to its original dimensions, and

• applying a second watermark, or double watermarking.

To compare the output images, the same attack was mimicked for the set of ran-

domly watermarked images for the geometric attacks, namely the cropping attacks,

the downsampling attack, and the geometric-combination attack. This is due to the

results from (Kutter 1998, Girod et al. 1999) and (Dugelay and Petitcolas 2000) show-

ing some common geometric attacks can be estimated.

The results are shown in Figure 5.8 through to Figure 5.15.

Figure 5.3. Results for XOR encryption and spread spectrum watermarking scheme with α = 0.012, (a) original image (Lena), (b) after encryption, (c) then watermarking, and finally (d) after decryption.

NOTE: This figure is included on page 71 of the print copy of the thesis held in the University of Adelaide Library.

Figure 5.4. Results for matrix multiplication watermarking scheme, with encryption block size 8, and DCT watermarking block size 8, α = 0.00043, (a) original image (Lena), (b) after encryption, (c) then watermarking, and finally (d) after decryption.

NOTE: This figure is included on page 72 of the print copy of the thesis held in the University of Adelaide Library.

Figure 5.5. Comparison for matrix multiplication watermarking scheme, with encrypted image at block sizes (a) 8, (b) 16, (c) 64, and (d) 512.

NOTE: This figure is included on page 73 of the print copy of the thesis held in the University of Adelaide Library.

Figure 5.6. Results of RSA encryption and DCT watermarking, α = 0.001, (a) original image (Lena), (b) after encryption, (c) then watermarking, and finally (d) after decryption.

NOTE: This figure is included on page 74 of the print copy of the thesis held in the University of Adelaide Library.

[Plot: "Correlation of 100 uniquely watermarked images to our watermarked image"; x-axis: Randomly Watermarked Images; y-axis: Correlation to our image.]

Figure 5.7. The correlation of the decrypted image to 100 randomly watermarked decrypted images.

[Figures 5.8 to 5.15, panels (c) and (d): plots titled "Correlation of 100 uniquely watermarked images to our watermarked image" (panel (d) adds ", after atk"); x-axis: Randomly Watermarked Images; y-axis: Correlation to our image.]

Figure 5.8. Results of RSA encryption and DCT watermarking, α = 0.001, after applying attack: forcing to 8-bits, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.

NOTE: These figures are included on page 76 of the print copy of the thesis held in the University of Adelaide Library.

Figure 5.9. Results of RSA encryption and DCT watermarking, α = 0.001, after applying attack: JPEG compressed by 50%, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.

NOTE: These figures are included on page 77 of the print copy of the thesis held in the University of Adelaide Library.

Figure 5.10. Results of RSA encryption and DCT watermarking, α = 0.001, after applying attack: cropping 1 pixel from edges, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.

NOTE: These figures are included on page 78 of the print copy of the thesis held in the University of Adelaide Library.

Figure 5.11. Results of RSA encryption and DCT watermarking, α = 0.001, after applying attack: cropping 50 pixels from edges, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.

NOTE: These figures are included on page 79 of the print copy of the thesis held in the University of Adelaide Library.

Figure 5.12. Results of RSA encryption and DCT watermarking, α = 0.001, after applying attack: adding Gaussian noise with zero mean and standard variance 0.004, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.

NOTE: These figures are included on page 80 of the print copy of the thesis held in the University of Adelaide Library.

Figure 5.13. Results of RSA encryption and DCT watermarking, α = 0.001, after applying attack: scaling by half and then doubling in size, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.

NOTE: These figures are included on page 81 of the print copy of the thesis held in the University of Adelaide Library.

Figure 5.14. Results of RSA encryption and DCT watermarking, α = 0.001, after applying attack: cropping 1 pixel from edges and resizing to original size, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.

NOTE: These figures are included on page 82 of the print copy of the thesis held in the University of Adelaide Library.

Figure 5.15. Results of RSA encryption and DCT watermarking, first watermark α = 0.0005, second watermark α = 0.0005, after applying attack: double watermarking, where (a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.

NOTE: These figures are included on page 83 of the print copy of the thesis held in the University of Adelaide Library.

As mentioned previously, if re-encrypting again after decryption, any little deviation

is further increased by the re-encryption step (power to e), thus potentially destroying

the underlying watermark. For this reason, the last attack, where another watermark

was inserted, was only possible by setting the strength of the first watermark smaller

than the second, and the combined watermarking strength less than or equal to the

strength of when only one watermark is inserted. This makes intuitive sense as there

is a maximum capacity measure for each image. Since the maximum capacity is

the total amount of information that can be inserted into an image without causing

distortion, the total capacity of the two embedded watermarks must be kept below

the maximum capacity.

Notice that the difference between the correlation to other randomly watermarked images and the correct matching watermarked image is very small, especially where the final image is visually indistinguishable from the original image, as in Figure 5.12. This small difference is caused by the fact that as the final image becomes closer and closer to being identical to the original image, the number of unique markers is reduced. Thus, to bring the differences to light, we applied post-processing, where we subtracted the original image from the final images, highlighting the differences and showing the residue, or the stain, from the watermarking algorithm. The results are in Figures 5.16 to 5.23. This, again, clearly supports the need for post-processing.
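The steps of Table 5.5, followed by detection through matching decrypted images with the original subtracted as in the post-processing described above, can be run end to end on a toy signal. This is an added example, not the thesis code from Appendix C.3: the key (p = 53, q = 61, e = 17), the 16-sample signal, α = 0.01, the 1-D DCT, the normalised correlation and every function name are assumptions, and decryption is taken modulo n as in standard RSA.

```python
"""Added illustration of Table 5.5 with detection by matching decrypted images."""
import math
import random

# Constructed toy key (assumption): far too small for real use, but inside the
# range of n that the thesis simulates.
P, Q = 53, 61
N = P * Q                      # public modulus n = 3233
PHI = (P - 1) * (Q - 1)        # phi = 3120
E = 17                         # public exponent, coprime to phi
D = pow(E, -1, PHI)            # private exponent (needs Python 3.8+)

# Constructed 16-sample "image" (uint8 values) and strength factor.
IMAGE = [0, 65, 12, 200, 37, 142, 90, 255, 18, 77, 163, 5, 231, 49, 110, 184]
ALPHA = 0.01                   # assumption: larger than the thesis's 0.001
WM_LEN = 8                     # l, the number of marked DCT coefficients


def dct(x):
    """Orthonormal 1-D DCT-II."""
    n = len(x)
    return [math.sqrt((1 if k == 0 else 2) / n)
            * sum(v * math.cos(math.pi * (2 * i + 1) * k / (2 * n))
                  for i, v in enumerate(x))
            for k in range(n)]


def idct(c):
    """Inverse of dct()."""
    n = len(c)
    return [sum(math.sqrt((1 if k == 0 else 2) / n) * ck
                * math.cos(math.pi * (2 * i + 1) * k / (2 * n))
                for k, ck in enumerate(c))
            for i in range(n)]


def encrypt(pixels):
    return [pow(m, E, N) for m in pixels]


def decrypt(cipher):
    return [pow(c, D, N) for c in cipher]


def embed(cipher, wm, alpha):
    """Alice's watermarking steps: DCT, scale the l largest non-DC terms, IDCT."""
    coeffs = dct(cipher)
    largest = sorted(range(1, len(coeffs)), key=lambda k: abs(coeffs[k]),
                     reverse=True)[:len(wm)]
    for k, w in zip(largest, wm):
        coeffs[k] *= 1 + alpha * w          # C'_j = C_j (1 + alpha W_j)
    # The ciphertext must be an integer in [0, n) before Bob exponentiates it.
    return [round(v) % N for v in idct(coeffs)]


def transaction(image, wm, alpha):
    """Encrypt, watermark the ciphertext, decrypt: returns Bob's M'."""
    return decrypt(embed(encrypt(image), wm, alpha))


def similarity(a, b):
    """Normalised correlation of two residues (0.0 if either is all zero)."""
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return sum(x * y for x, y in zip(a, b)) / (na * nb) if na and nb else 0.0


def detect(suspect, image, candidates, alpha):
    """Regenerate M' for every candidate watermark and match residues M' - M."""
    residue = [s - m for s, m in zip(suspect, image)]
    scores = []
    for wm in candidates:
        ref = transaction(image, wm, alpha)
        scores.append(similarity(residue, [r - m for r, m in zip(ref, image)]))
    return max(range(len(scores)), key=scores.__getitem__), scores


def make_candidates(count, length, seed):
    """Distinct random {-1, 1} watermarks (the set ours is drawn from)."""
    rng, found = random.Random(seed), []
    while len(found) < count:
        wm = [rng.choice((-1, 1)) for _ in range(length)]
        if wm not in found:
            found.append(wm)
    return found


CANDIDATES = make_candidates(20, WM_LEN, seed=2007)
TRUE_INDEX = 7                 # constructed: the watermark actually embedded

if __name__ == "__main__":
    suspect = transaction(IMAGE, CANDIDATES[TRUE_INDEX], ALPHA)
    changed = sum(1 for s, m in zip(suspect, IMAGE) if s != m)
    best, scores = detect(suspect, IMAGE, CANDIDATES, ALPHA)
    print("pixels changed by the watermark after decryption:", changed)
    print("best candidate:", best, "score: %.4f" % scores[best])
```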

[Figures 5.16 to 5.23: each is a plot titled "Correlation of 100 uniquely watermarked images to our attacked watermarked image, after atk, minus image"; x-axis: Randomly Watermarked Images; y-axis: Correlation to our attacked image.]

Figure 5.16. Results of RSA encryption and DCT watermarking, α = 0.001, correlation after applying attack: forcing to 8-bits, where the original image has been subtracted from the attacked image, before correlating.

Figure 5.17. Results of RSA encryption and DCT watermarking, α = 0.001, correlation after applying attack: JPEG compressed by 50%, where the original image has been subtracted from the attacked image, before correlating.

Figure 5.18. Results of RSA encryption and DCT watermarking, α = 0.001, correlation after applying attack: cropping 1 pixel from edges, where the original image has been subtracted from the attacked image, before correlating.

Figure 5.19. Results of RSA encryption and DCT watermarking, α = 0.001, correlation after applying attack: cropping 50 pixels from edges, where the original image has been subtracted from the attacked image, before correlating.

Figure 5.20. Results of RSA encryption and DCT watermarking, α = 0.001, correlation after applying attack: adding Gaussian noise with zero mean and standard variance 0.004, where the original image has been subtracted from the attacked image, before correlating.

Figure 5.21. Results of RSA encryption and DCT watermarking, α = 0.001, correlation after applying attack: scaling by half and then doubling in size, where the original image has been subtracted from the attacked image, before correlating.

Figure 5.22. Results of RSA encryption and DCT watermarking, α = 0.001, correlation after applying attack: cropping 1 pixel from edges and resizing to original size, where the original image has been subtracted from the attacked image, before correlating.

Figure 5.23. Results of RSA encryption and DCT watermarking, first watermark α = 0.0005, second watermark α = 0.0005, correlation after applying attack: double watermarking, where the original image has been subtracted from the attacked image, before correlating.

[Plot "All Alpha": PSNR (y-axis) versus n (x-axis), one series per Alpha from 0.000200 to 0.001000 in steps of 0.000025.]

Figure 5.24. Results of RSA encryption and DCT watermarking, capacity analysis, with α varying from 0.0002 to 0.001, and for a range of prime keys, n, versus peak signal-to-noise ratio (PSNR).

To have the decrypted result, i.e. M′, visually identical to the original message, the

changes caused by the embedded watermark must be small. For the security of RSA,

the prime numbers, p and q, should be very large, such that the encryption and de-

cryption keys generated, e and d, are in the order of 2048-bits.

To determine how tolerant this system is to the errors caused by the watermark, we

ran a series of simulations, producing the graphs seen in Figure 5.24 to Figure 5.29,

by varying the size of the prime keys, n(= p ∗ q), from 240 to 5832, versus the PSNR.

We repeated the simulation for a range of different watermarking strengths, α, from

0.0002 up to 0.001, as we observed that 0.001 gives a good final image and very good

watermark survivability for the experimental results shown previously, and 0.0002

gives the best final image with a reasonable watermark survivability.

From Figure 5.24, we noted that the lower curve of the PSNR remained the same for

all values of α, varying only with n. Through least-squares curve-fitting in MATLAB,

the shape of this curve was determined to be

$$1039.664585 - 476.661547\ln(n) + 91.585027\ln(n)^2 - 7.882351\ln(n)^3 + 0.254924\ln(n)^4.$$

[Plot "All Alpha -- Lower Curve": PSNR (y-axis) versus n (x-axis); series: Actual Data, PolyFit Log Est.]

Figure 5.25. Results of RSA encryption and DCT watermarking, capacity analysis, with α varying from 0.0002 to 0.001, and for a range of prime keys, n, versus peak signal-to-noise ratio (PSNR), lower-bound and best-fit.

The graph of the lower curve and its best-fit curve is displayed in Figure 5.25. We can

easily see that the best-fit curve follows the actual data closely.

We determined the point at which there is JND in the final image, which gives a

correlation of about 0.995, or a PSNR of approximately 122.62dB. By extrapolating

the graph in Figure 5.25, this gives an n of approximately 70. Therefore to always be

below the JND threshold, the product of the keys of the cryptosystem must be 70 or

less, which is a very small number.

We can also see from Figure 5.24 that there is an upper curve, dependent on both α

and n. The graph of the upper curve and its best-fit surface-curve is displayed in

Figure 5.26. The form of the best-fit curve is

$$129.788586 - 0.003164n + 484.033349\alpha - 9.643661n\alpha + 0.000000268741n^2 + \alpha^2 + 0.942221n^2\alpha^2.$$

[Surface plot: PSNR versus n and alpha (alpha axis scaled by 10^-4).]

Figure 5.26. Results of RSA encryption and DCT watermarking, capacity analysis, with α varying from 0.0002 to 0.001, versus a range of prime keys, n, versus peak signal-to-noise ratio (PSNR), upper-bound and surface-best-fit.

However, the upper curve is only of interest around the point it ceases to follow this

model. As mentioned above, the PSNR JND threshold is 122.62dB. This is displayed

as the horizontal green line in Figure 5.27 and Figure 5.28. The vertical green line

represents the point where there are no more images that are below the JND thresh-

old (or above the equivalent PSNR threshold). In Figure 5.27, for α = 0.0002 up to

α = 0.000275 we can see that there are no vertical green lines as no images lie above

the required PSNR. This means that for this system α must be chosen to be above

0.000275.

Figure 5.29 shows the percentage of the time that the image produced is below the

JND threshold, for all values shown in Figure 5.24. Averaging just below 14%, this

can be considered the failure-rate of the system. This means that under the worst-

case, the system must be run for a maximum of just below ten runs before a sufficient

image is produced.

Page 91

Page 116: University of Adelaide...Contents Contents iii Abstract vii Statement of Originality ix Acknowledgments xi Publications xiii List of Figures xv List of Tables xxiii Chapter 1. Introduction

5.4 RSA Cryptosystem

0 1000 2000 3000 4000 5000 6000105

110

115

120

125

130

n

PS

NR

alpha =0.0002

0 1000 2000 3000 4000 5000 6000105

110

115

120

125

130

n

PS

NR

alpha =0.000275

(a) (b)

0 1000 2000 3000 4000 5000 600090

100

110

120

130

140

150

n

PS

NR

alpha =0.0003

0 1000 2000 3000 4000 5000 600090

100

110

120

130

140

150

n

PS

NR

alpha =0.0005

(c) (d)

0 1000 2000 3000 4000 5000 600090

100

110

120

130

140

150

n

PS

NR

alpha =0.0006

0 1000 2000 3000 4000 5000 600090

100

110

120

130

140

150

n

PS

NR

alpha =0.0007

(e) (f)

Figure 5.27. Results of RSA encryption and DCT watermarking, capacity analysis: individual

upper-curve best-fits for α equal to (a) 0.0002, (b) 0.0003, (c) 0.0004, (d) 0.0005,

(e) 0.0006, and (f) 0.0007.

[Figure 5.28 plots: two panels of PSNR against n, titled alpha = 0.0008 and alpha = 0.001.]

Figure 5.28. Results of RSA encryption and DCT watermarking, capacity analysis: individual

upper-curve best-fits for α equal to (a) 0.0008, and (b) 0.001.

[Figure 5.29 plot: "Percentage of PSNR below JND"; x-axis: alpha (× 10−4); y-axis: Percentage (%).]

Figure 5.29. Results of RSA encryption and DCT watermarking, capacity analysis: upper-curve

percentage of PSNR below the JND threshold.


As we can see, using very large prime keys is not possible, as the smallest of devi-

ations altered M′ too much to make it look anything like M. Hence the security of

this system is seriously doubtful. It may be possible that the changes caused by the

watermark will prevent easy cryptanalysis of the system when attempting to find

the decryption key, but since this is a public encryption system, the (weak) encryp-

tion key is readily available and can be reverse-engineered for the decryption key. In

addition, this system’s failure-rate of around 14% is not the best.

Thus RSA in this instance is not sufficient for the purpose of protecting the image,

even though it can tolerate minor distortions.

5.5 Elliptic Curve Cryptosystem

Elliptic curve based cryptosystems have the useful properties of being asymmetric,

non-commutative, secure with shorter key lengths, and easily implementable. For

ECC, there was a choice of two implementable encryption systems. The first is an

ElGamal-type ECC and the second is the Menezes-Vanstone ECC, both detailed in

§ 3.2. The ElGamal-type ECC was a stepping stone to understanding the Menezes-Vanstone

ECC but was otherwise not used. The reason for this is that it is not implementable

without a function, f, that maps a point, P, to some value, v, i.e. P → v, such

that f(P) = v and has the property f(P1 + P2) = f([v1]P2) = f(P1) f(P2) = v1 ∗ v2.

Hence only the Menezes-Vanstone ECC is implemented in Appendix C.4 with the

algorithm outlined in Table 5.6.

The Menezes-Vanstone ECC unfortunately introduces a security weakness, which

will be discussed in detail later, but is still important in showing the algorithm’s

abilities in terms of robustness to attacks and detectability.

The results of the Menezes-Vanstone ECC watermarking system are shown in Fig-

ures 5.30 and 5.31.

Figure 5.30(a) is the original image and Figure 5.30(b) is the image after encryption.

As can be seen, encryption has altered the image considerably. It can be seen that

ECC is again a better encryption than previous encryption implementations, as the

encrypted image appears to be closer to random noise. This is exactly what is desired,

so that the attackers have minimal to no features from the original image to exploit.


Table 5.6. Summary of Menezes-Vanstone ECC watermarking algorithm

Bob’s setup:

1. Choose a large prime number, p.

2. Choose an elliptic curve, E.

3. Choose a point, P, on E.

4. Choose a secret key, kB < #E.

5. Compute point, Q = [kB]P.

6. Make public Ke = (P, Q, E, p) and keep private Kd = (kB).

Alice’s setup:

1. Obtain image, M, of size h × w uint8 values, arranged into pairs, (m1, m2).

2. Obtain watermark, W, of length l binary bits, {−1, 1}.

3. Select strength factor, α.

4. Select a secret key, kA, such that 0 < kA < #E, where #E is the number of points in E.

Alice’s encryption steps:

1. Get Bob’s public information, Ke = (P, Q, E, p).

2. Compute Y0 = [kA]P and (y1, y2) = [kA]Q.

3. Obtain the encrypted image, C = (c1, c2), where c1 = y1 · m1 (mod p), and c2 = y2 · m2 (mod p).

Alice’s watermarking steps:

1. Discrete cosine transform the encrypted image, C, and sort into l largest values except the DC component.

2. Obtain C′i,j = Ci,j(1 + αWj), for i = 1, 2 and j = 1 : l.

3. Inverse discrete cosine transform C′ = (C′1, C′2).

4. Send Y0 and C′ to B.

Bob’s decryption steps:

1. Receive altered ciphertext, C′ = (c′1, c′2), and cipherpoint, Y0.

2. Compute (y1, y2) = [kB]Y0.

3. Compute the message, M′ = (m′1, m′2), where m′1 = (y1)^(−1) · c′1 (mod p), and m′2 = (y2)^(−1) · c′2 (mod p).


Image 5.30(d) shows that despite the watermarking stage between the encryption

and decryption stages, the image is still visually similar to the original image. This

result further supports the use of the staining protocol.

For comparison, in Figure 5.31, the stained image was matched against a test set of

100 different watermarked images, using the correlation measure as the comparer.

The spike shown in Figure 5.31 indicates a match to the watermarked image at index

27, which is the correct result.

To test the robustness of the system to disruption, attacks were applied to the final

image.

The attacks applied to the final images are:

• forcing pixel values to unsigned 8-bit integers, i.e. truncating,

• JPEG conversion, to image quality 10%,

• cropping 1 pixel (out of 256 pixels) from each of the edges and replacing the

pixels with corresponding pixels from the original image,

• cropping 50 pixels (out of 256 pixels) from each of the edges and replacing the

pixels with corresponding pixels from the original image,

• adding Gaussian noise, with zero mean and typical standard variance 0.01,

• downsampling by 2, by decreasing the final image to half-size then enlarging

to full size,

• testing combination attacks of cropping 1 pixel from each of the edges and then

resizing the image to its original dimensions, and

• applying a second watermark, or double watermarking.

The results are displayed in Figure 5.32 through to Figure 5.39.

We also rotated the final image by 1 degree clockwise, using bilinear interpolation as

part of our set of attacks. The rotated image was then cropped to remove the black

edging, and resized to its original dimensions. A positive match was barely made.

This result is shown in Figure 5.40.


Figure 5.30. Results of Menezes-Vanstone EC encryption and DCT watermarking, α = 0.001, (a)

original image (Lena), (b) after encryption, (c) then watermarking, and finally (d)

after decryption.

NOTE: This figure is included on page 97 of the print copy of the thesis held in the University of Adelaide Library.

[Figure 5.31 plot: "Correlation to 100 different wms"; x-axis: Randomly Watermarked Images; y-axis: Correlation to our watermarked image.]

Figure 5.31. The correlation of the MVECC-encrypted and DCT-watermarked recovered water-

mark to 100 random watermarks.

[Figure 5.32 plots: (c) "Correlation to 100 different watermarked images, before attack" and (d) "Correlation to 100 different watermarked images, after attack"; x-axis: Randomly Watermarked Images.]

Figure 5.32. Results of MV-ECC encryption and DCT watermarking, watermark at α = 0.001,

correlation after applying attack: forcing to 8-bits, where (a) before attack, (b) after

attack, (c) correlation before attack, and (d) correlation after attack.

NOTE: These figures are included on page 99 of the print copy of the thesis held in the University of Adelaide Library.

[Figure 5.33 plots: (c) "Correlation to 100 different watermarked images, before attack" and (d) "Correlation to 100 different watermarked images, after attack"; x-axis: Randomly Watermarked Images; y-axis: Correlation to our watermarked image.]

Figure 5.33. Results of MV-ECC encryption and DCT watermarking, watermark at α = 0.001,

correlation after applying attack: JPEG compression to 10%, where (a) before attack,

(b) after attack, (c) correlation before attack, and (d) correlation after attack.

NOTE: These figures are included on page 100 of the print copy of the thesis held in the University of Adelaide Library.

[Figure 5.34 plots: (c) "Correlation to 100 different watermarked images, before attack" and (d) "Correlation to 100 different watermarked images, after attack"; x-axis: Randomly Watermarked Images; y-axis: Correlation to our watermarked image.]

Figure 5.34. Results of MV-ECC encryption and DCT watermarking, watermark at α = 0.001,

correlation after applying attack: cropping 1 pixel from the edges and replacing from

the original, where (a) before attack, (b) after attack, (c) correlation before attack,

and (d) correlation after attack.

NOTE: These figures are included on page 101 of the print copy of the thesis held in the University of Adelaide Library.

[Figure 5.35 plots: (c) "Correlation to 100 different watermarked images, before attack" and (d) "Correlation to 100 different watermarked images, after attack"; x-axis: Randomly Watermarked Images; y-axis: Correlation to our watermarked image.]

Figure 5.35. Results of MV-ECC encryption and DCT watermarking, watermark at α = 0.001,

correlation after applying attack: cropping 50 pixel from the edges and replacing

from the original, where (a) before attack, (b) after attack, (c) correlation before

attack, and (d) correlation after attack.

NOTE: These figures are included on page 102 of the print copy of the thesis held in the University of Adelaide Library.

[Figure 5.36 plots: (c) "Correlation to 100 different watermarked images, before attack" and (d) "Correlation to 100 different watermarked images, after attack"; x-axis: Randomly Watermarked Images; y-axis: Correlation to our watermarked image.]

Figure 5.36. Results of MV-ECC encryption and DCT watermarking, watermark at α = 0.001,

correlation after applying attack: adding Gaussian noise with zero mean and standard

variance 0.01, where (a) before attack, (b) after attack, (c) correlation before attack,

and (d) correlation after attack.

NOTE: These figures are included on page 103 of the print copy of the thesis held in the University of Adelaide Library.

[Figure 5.37 plots: (c) "Correlation to 100 different watermarked images, before attack" and (d) "Correlation to 100 different watermarked images, after attack"; x-axis: Randomly Watermarked Images; y-axis: Correlation to our watermarked image.]

Figure 5.37. Results of MV-ECC encryption and DCT watermarking, watermark at α = 0.001,

correlation after applying attack: scaling by half and then doubling the size, where

(a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation

after attack.

NOTE: These figures are included on page 104 of the print copy of the thesis held in the University of Adelaide Library.

[Figure 5.38 plots: (c) "Correlation to 100 different watermarked images, before attack" and (d) "Correlation to 100 different watermarked images, after attack"; x-axis: Randomly Watermarked Images; y-axis: Correlation to our watermarked image.]

Figure 5.38. Results of MV-ECC encryption and DCT watermarking, watermark at α = 0.001,

correlation after applying attack: cropping 1 pixel from edges and resizing to original

dimensions, where (a) before attack, (b) after attack, (c) correlation before attack,

and (d) correlation after attack.

NOTE: These figures are included on page 105 of the print copy of the thesis held in the University of Adelaide Library.

[Figure 5.39 plots: (c) "Correlation to 100 different watermarked images, before attack" and (d) "Correlation to 100 different watermarked images, after attack"; x-axis: Randomly Watermarked Images; y-axis: Correlation to our watermarked image.]

Figure 5.39. Results of MV-ECC encryption and DCT watermarking, first watermark α = 0.0005

at index 27, second watermark α = 0.001 at index 65, correlation after applying at-

tack: double watermarking, where (a) before attack, (b) after attack, (c) correlation

before attack, and (d) correlation after attack.

NOTE: These figures are included on page 106 of the print copy of the thesis held in the University of Adelaide Library.

[Figure 5.40 plots: (c) "Correlation to 100 different watermarked images, before attack" and (d) "Correlation to 100 different watermarked images, after attack, minus orig"; x-axis: Randomly Watermarked Images; y-axis: Correlation to our watermarked image.]

Figure 5.40. Results of MV-ECC encryption and DCT watermarking, α = 0.005, correlation after

applying attack: rotating 1◦ clockwise, cropping 3 pixels from edges, and resizing to

original size, where (a) before attack, (b) after attack, (c) correlation before attack,

and (d) correlation after attack.

NOTE: These figures are included on page 107 of the print copy of the thesis held in the University of Adelaide Library.

[Figure 5.41 plot: "Correlation to 100 different watermarked images, after attack, minus orig"; x-axis: Randomly Watermarked Images; y-axis: Correlation to our watermarked image.]

Figure 5.41. Results of MV-ECC encryption and DCT watermarking, α = 0.001, correlation after

applying attack: forcing to 8-bits, where the original image has been subtracted from

the attacked image, before correlating.

We have also tested the algorithm on the Baboon image with similar results. Bearing

in mind that we applied no pre- or post-processing to any of the images, and that

the watermark should theoretically render the data indecipherable, the watermark

comes through better than expected, standing out in most cases well above the clearly

random line.

Post-processing was then employed to see if the correlation results can be improved

upon. The results are in Figures 5.41 through to 5.49.

As can be seen, multiple attacks on the same system cause a lot of damage to the

underlying watermark. It is still possible to obtain a match, but the match is, as

expected, nowhere near as good as the singularly attacked images.

However, this system has an unfortunate weakness in that it does not prevent Alice

from reproducing the stain. Although the MV-ECC is an asymmetric cryptosystem in

that the keys of each party are protected, the message can be divined by both parties.

This is due to the realisation that Alice has all the information required to decrypt

the message, and hence is able to reproduce the stain that was previously believed to

only be possible by Bob.

Following the algorithm from Table 5.6, Steps 1 and 2 in Alice’s encryption stage give

Alice access to p, y1 and y2, which in turn allows Alice to compute (y1)^(−1) and (y2)^(−1).

After Step 3 of Alice’s watermarking stage, giving Alice c′1 and c′2, Alice is then able to

[Figure 5.42 plot: "Correlation to 100 different watermarked images, after attack, minus orig"; x-axis: Randomly Watermarked Images; y-axis: Correlation to our watermarked image.]

Figure 5.42. Results of MV-ECC encryption and DCT watermarking, α = 0.001, correlation af-

ter applying attack: JPEG compressed to 10%, where the original image has been

subtracted from the attacked image, before correlating.

[Figure 5.43 plot: "Correlation to 100 different watermarked images, after attack, minus orig"; x-axis: Randomly Watermarked Images; y-axis: Correlation to our watermarked image.]

Figure 5.43. Results of MV-ECC encryption and DCT watermarking, α = 0.001, correlation after

applying attack: cropping 1 pixel from edges and replacing from original, where the

original image has been subtracted from the attacked image, before correlating.

[Figure 5.44 plot: "Correlation to 100 different watermarked images, after attack, minus orig"; x-axis: Randomly Watermarked Images; y-axis: Correlation to our watermarked image.]

Figure 5.44. Results of MV-ECC encryption and DCT watermarking, α = 0.001, correlation after

applying attack: cropping 50 pixel from edges and replacing from original, where the

original image has been subtracted from the attacked image, before correlating.

[Figure 5.45 plot: "Correlation to 100 different watermarked images, after attack, minus orig"; x-axis: Randomly Watermarked Images; y-axis: Correlation to our watermarked image.]

Figure 5.45. Results of MV-ECC encryption and DCT watermarking, α = 0.001, correlation af-

ter applying attack: adding Gaussian noise with zero mean and standard variance

0.01, where the original image has been subtracted from the attacked image, before

correlating.

[Figure 5.46 plot: "Correlation to 100 different watermarked images, after attack, minus orig"; x-axis: Randomly Watermarked Images; y-axis: Correlation to our watermarked image.]

Figure 5.46. Results of MV-ECC encryption and DCT watermarking, α = 0.001, correlation after

applying attack: scaling by half and then doubling in size, where the original image

has been subtracted from the attacked image, before correlating.

[Figure 5.47 plot: "Correlation to 100 different watermarked images, after attack, minus orig"; x-axis: Randomly Watermarked Images; y-axis: Correlation to our watermarked image.]

Figure 5.47. Results of MV-ECC encryption and DCT watermarking, α = 0.001, correlation after

applying attack: cropping 1 pixel from edges and resizing to original size, where the

original image has been subtracted from the attacked image, before correlating.

[Figure 5.48 plot: "Correlation to 100 different watermarked images, after attack, minus orig"; x-axis: Randomly Watermarked Images; y-axis: Correlation to our watermarked image.]

Figure 5.48. Results of MV-ECC encryption and DCT watermarking, first watermark α = 0.0005,

second watermark α = 0.001, correlation after applying attack: double watermark-

ing, where the original image has been subtracted from the attacked image, before

correlating.

[Figure 5.49 plot: "Correlation to 100 different watermarked images, after attack, minus orig"; x-axis: Randomly Watermarked Images; y-axis: Correlation to our watermarked image.]

Figure 5.49. Results of MV-ECC encryption and DCT watermarking, α = 0.005, correlation after

applying attack: rotating 1◦ clockwise, cropping 3 pixels from edges, and resizing to

original size, where the original image has been subtracted from the attacked image,

before correlating.


obtain the stained message, M′ = (m′1, m′2), by computing m′i = (yi)^(−1) · c′i (mod p).

Given the stained message, Alice is able to implicate Bob, and Bob is able to refute

any accusations of illegal redistribution due to this weakness. More specifically, in

MV-ECC, the problem is that the ciphertext is a linear function of the message.
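The weakness described above, worked through as an added Python example (it is not the thesis' Appendix C.4 code): Alice encrypts as in Table 5.6, perturbs the ciphertext, and then recovers exactly the M′ that Bob decrypts. Assumptions: the secp256k1 parameters stand in for (p, E, P), the keys and pixel pairs are constructed, and an additive perturbation of the ciphertext stands in for the DCT watermarking step.

```python
"""Menezes-Vanstone EC encryption (Table 5.6): Alice reproduces Bob's stain."""

# Assumption: secp256k1 domain parameters stand in for the thesis' (p, E, P).
P_MOD = 2**256 - 2**32 - 977          # the large prime p
A, B = 0, 7                           # E: y^2 = x^3 + A*x + B over F_p
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # #E


def on_curve(point):
    x, y = point
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def ec_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                   # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, point):
    """[k]point by double-and-add."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def mask_from(k, point):
    """(y1, y2) = [k]point, rejecting keys and points that cannot be inverted."""
    if not 0 < k < ORDER:
        raise ValueError("key must satisfy 0 < k < #E")
    shared = ec_mul(k, point)
    if shared is None or shared[0] == 0 or shared[1] == 0:
        raise ValueError("mask has no inverse mod p; choose another key")
    return shared


def unmask(cipher, mask):
    inv1, inv2 = pow(mask[0], -1, P_MOD), pow(mask[1], -1, P_MOD)
    return [(inv1 * c1 % P_MOD, inv2 * c2 % P_MOD) for c1, c2 in cipher]


def alice_encrypt(pairs, k_a, q_pub):
    y0 = ec_mul(k_a, G)                       # Y0 = [kA]P
    y1, y2 = mask_from(k_a, q_pub)            # (y1, y2) = [kA]Q
    return y0, [(y1 * m1 % P_MOD, y2 * m2 % P_MOD) for m1, m2 in pairs]


def stand_in_watermark(cipher, bits, strength):
    # Assumption: a plain additive change replaces the DCT embedding; the
    # argument below holds for any altered ciphertext C'.
    return [((c1 + strength * w) % P_MOD, (c2 + strength * w) % P_MOD)
            for (c1, c2), w in zip(cipher, bits)]


def bob_decrypt(cipher, y0, k_b):
    return unmask(cipher, mask_from(k_b, y0))     # uses [kB]Y0


def alice_reproduce(cipher, k_a, q_pub):
    # Alice never learns kB, but [kA]Q = [kA][kB]P = [kB]Y0 is the same mask.
    return unmask(cipher, mask_from(k_a, q_pub))


def demo():
    k_b, k_a = 0xB0B5EC2E7, 0xA11CE5EC2E7         # constructed secret keys
    q_pub = ec_mul(k_b, G)                        # Bob publishes Q = [kB]P
    image = [(52, 55), (61, 66), (70, 61), (64, 73)]   # constructed pixel pairs
    bits = [1, -1, -1, 1]                         # constructed watermark W
    y0, cipher = alice_encrypt(image, k_a, q_pub)
    marked = stand_in_watermark(cipher, bits, 3)
    return {
        "image": image,
        "clean_roundtrip": bob_decrypt(cipher, y0, k_b),
        "bob_stained": bob_decrypt(marked, y0, k_b),
        "alice_stained": alice_reproduce(marked, k_a, q_pub),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Because both parties derive the same mask, possession of M′ does not distinguish Bob from Alice, which is the failure of the staining property described above.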

However, the RSA cryptosystem is a non-linear system. Though the key must be

much weaker to achieve a tolerable image reconstruction after decryption, the results

from Section 5.4 showed that it is possible to encrypt, watermark, then decrypt an

image and produce a stain with deterministic artefacts like a watermark. In addition,

we submitted the RSA system to the same variety of attacks as with MV-ECC and

demonstrated that the system could survive truncation, JPEG conversion, cropping,

noise addition, resizing, double watermarking, and a combination attack involving

cropping and resizing. We are still unsure

of how easy the system would be to break due to the low key-size requirement, but

as the key-size increases, the watermarking capacity decreases drastically, as shown

in Section 5.4.


Chapter 6

Summary

THIS chapter completes the dissertation with a discussion of is-

sues discovered throughout the research, in particular regard-

ing the precise nature of cryptographic systems, as well as addi-

tional requirements on cryptosystems and watermarking algorithms for

our staining protocol. This chapter also contains our conclusions based on

our findings, a summary of contributions to the field, and a descriptive

list of future directions for research.


6.1 Discussion of Problems

As we explored the feasibility of the staining protocol, we encountered several issues

that had to be addressed. Not the least among these was the incompatibility of the

majority of cryptosystems with watermarking methods.

6.1.1 The Exacting Nature of Cryptograms

Our initial approach was to regard the cryptographic and watermarking stages as

separate components. We sought to find cryptographic algorithms that can survive

the distortion caused by the watermark, since watermarks are more malleable than

cryptosystems. However, it became clear quite rapidly that such a distinction will

not be feasible, considering that the two stages are intertwined.

Though watermarking and cryptography share a common history and sometimes a

common basis as well (Yang et al. 2003), they are remarkably different in how each

can be manipulated. The difference is primarily in how errors are handled. Wa-

termarks are formed with the understanding that they will be altered, by attacks as

well as normal image processing operations, and are hence built to withstand errors.

Cryptograms are created to be fragile, and are hence destroyed on attack.

Another issue was key length. We found that the longer the key length, the more

likely the watermark will be destroyed. Further, the likelihood that decryption will

be unsuccessful increased with the key length. This was one of the reasons we chose

to implement the protocol with elliptic curves.

However, the elliptic curve cryptosystem implemented, the Menezes-Vanstone ECC,

was found to be seriously faulty in that Party A is able to reproduce the stain, thus

MV-ECC is no longer sufficient to solve our mutual distrust problem. MV-ECC does

however show that a complex encryption system can be utilised in such a way, to

encrypt, watermark and then decrypt, without destroying the watermark and still

produce a relatively visually identical output image to the stained image.

In addition, RSA is still too rigid a system to allow for our deliberately introduced

errors. However, there is a new field of cryptography known as image cryptography,

which was briefly discussed in Section 2.2.2. This field is not yet sufficiently developed

for our use; however, it has a clear application in our protocol as it is designed


to be error-tolerant. This means that our deliberately introduced errors (i.e. the wa-

termark) will result in deterministic staining artefacts, which can usefully be used in

transaction tracking.

In conclusion, we would like to make the following statements:

1. The Menezes-Vanstone Elliptic Curve Cryptosystem does not solve the specific

problem of mutual distrust in a transaction;

2. RSA demonstrated that the system is possible, when the correct conditions on

the encryption system are met;

3. Image cryptography is still in the developmental stages, but with the designed

tolerance for errors could one day easily meet our cryptographic requirements.

6.1.2 Cryptosystem and Watermark Requirements

From our analysis, we note several additional requirements on the choice of cryp-

tosystem. The cryptosystem needs to be asymmetric, to prevent A from easily re-

versing the encryption from the data given by B. Also, the cryptosystem needs to be

non-commutative with the chosen watermarking methods, so the crypto-process will

be assured of distorting the watermark. In addition, the algorithms will likely need

to be non-linear, to ensure that A is unable to reproduce the stain as with MV-ECC,

but not as strict as systems such as RSA, so that our deliberately introduced errors in

the form of A’s watermark will still be able to produce deterministic artefacts on the

decrypted image.

The method of identifying the stain would depend on the watermark embedding

method. The embedding method itself already has several well established require-

ments (Anderson et al. 1999, Wolfgang et al. 1999, Zhou 2000) which must be met.

These are:

• fidelity,

• robustness,

• detectability, and

• conclusiveness.


Two additional requirements for our particular methods are:

• additivity, and

• capacity/complexity

which were defined in Section 1.4. Specifically, the greater the number of watermarks that can be embedded and successfully detected, the more useful the protocol will be for multiple transactions, hence the capacity of the scheme must be greater than one. For use in large multimedia objects such as video and raw images, the complexity of the scheme must therefore be as low as possible. Also, we desire that the watermarks be as disparate as possible to limit their effects on one another and allow for better detection, hence the additivity requirement. It is clear that our greatest challenge still lies in finding compatible cryptosystems and watermarking methods.

We have considered asymmetric watermarks as an alternative to public-key encryption (Eggers et al. 2000, Hachez and Quisquater 2002), however the field is still in its infancy and is currently limited in its uses. The ideas are based on asymmetric cryptography, and the majority of methods are fragile and hence are more often used in signature schemes. Unfortunately, though there are many interesting systems (Choi et al. 2004, Kazakeviciute et al. 2005), none currently suit our purposes.

6.2 Conclusion

As we explored the feasibility of the staining protocol, we encountered several issues

that must be addressed. Not the least among these was the incompatibility of the

majority of cryptosystems with watermarking methods.

Our initial approach was to regard the cryptographic and watermarking stages as separate components, as we sought to find cryptographic algorithms that can survive the distortion caused by the watermark. This is due to watermarks being more malleable than cryptosystems. However, it is quite clear that such a distinction will not be feasible, considering that the two stages are intertwined.

We note several additional requirements on the choice of cryptosystem. The cryptosystem needs to be asymmetric and non-linear, to prevent A from easily reversing the encryption from the data given by B. Also, the cryptosystem needs to be non-commutative with the chosen watermarking methods, so the crypto-process will be assured of distorting the watermark.

In conclusion, this research was not intended to be the end-all of piracy, but to direct research considerations into other directions, mainly that of the mutual-distrust problem. In the end, the idea was not to stop piracy by making watermarks that are impossible to detect and harder to destroy, but to make piracy undesirable to those perpetrating it. This is not a permanent one-off solution but one that can be continually upgraded to keep up with advances in technology and attacker skills.

6.3 Summary of Contributions

In this thesis we have introduced a novel direction for research in dealing with document theft and redistribution of digital documents, commonly known as piracy. In particular, the focus of our staining protocol is on detecting and identifying insider sources of illegal distribution with non-repudiation.

Our contributions include:

• A new protocol that allows for non-repudiable transaction tracking.

The majority of protocols and techniques in the literature, detailed in Section 2.1, have been focused on trusted owners, however it was shown in Chapter 4 that this was not the case. Hence we concluded that a new protocol needed to be developed. We created our protocol by combining cryptography and watermarking in such a way that decryption imposes a stain upon the watermark. This stain ensures that neither party in a transaction can repudiate. For instance, if party B takes its decrypted copy and illegally provides the copy to an outside party, the watermark can be detected. In the standard watermarking scenario, which was shown in Section 4.4, this exact watermark would be present in A’s copy, and hence B can repudiate claims of piracy. However, in our protocol, the watermark has been stained by decryption, proving that the copy is irrefutably B’s. Alternatively, if A illegally redistributes, it cannot place the blame on B as the embedded watermark will not have the stain.

• Combining cryptography and watermarking for the first time where watermarking occurs before decryption.

Our protocol consists of three steps: first we encrypt the cover work, then we watermark the encrypted cover work, and finally we decrypt to obtain a cover work embedded with a stained watermark. There is little existing literature combining watermarking and cryptography, which has been detailed in Section 2.3. What little literature does exist has not considered the possibility of watermarking between the encryption and decryption steps. This is due to the fragile nature of cryptosystems, which are built to be destroyed upon corruption of the encrypted data. However, new encryption techniques, reviewed in Section 2.2, particularly those for image or video applications, have been built to withstand errors. Hence this allows this research to consider steganography and cryptography used in such a way as to complement each other, not by sharing secrets but by the entangling of secrets.

• Producing successful experimental results on the staining protocol.

In Chapter 5, we tested our protocol using a simple, yet robust, watermarking technique known as the spread spectrum watermarking method, discussed in Section 3.1.2. We combined the spread spectrum watermark with several well-known methods of encryption, specifically XOR encryption, block-based encryption, RSA, and elliptic curve cryptography, to test the viability of the protocol. Finally, we attacked the RSA and the Menezes-Vanstone Elliptic Curve cryptosystems with several typical common signal processing and geometric attacks such as resampling, JPEG compression, cropping, and rotation, as well as embedding a second watermark. Though none of the encryption methods were sufficient for our use, we did show that complex encryption systems such as RSA and MV-ECC can successfully withstand the aforementioned attacks, and derived additional requirements with respect to the cryptographic systems to be used.

One of the goals of this thesis was to present another approach to tackling the problem of piracy. It is our hope that with our contributions we have opened the eyes and minds of other researchers and provided another avenue of focus in the data protection field.


6.4 Future Research

As previously mentioned, one of the aims of this research was to investigate the feasibility of combining steganography and cryptography, such that decryption leaves a stain on the watermark. It was also to demonstrate another direction for research to tackle the increase in piracy and illegal copyright-violating activities.

From this point onwards, the research can branch off into several different directions.

Cryptography has always been a necessarily precise study. However, due to this

preciseness, its applications are limited to non-error-prone fields. Throughout the

research, a less exact encryption system was always sought. This can thus be one

direction in future: the search for an imperfect cryptosystem. A less than perfect

cryptosystem, where decryption does not entirely remove the encryption, but leaves

behind an echo or stain of its presence, would remove the need for the watermarking

step.

Such a system would be well insulated from casual attacks. For example, it would be

pointless to attack the encrypted object because then decryption would fail. At the

very least, the choices of attacks would be limited to attacks on typical cryptosystems

(see §3.2.5). This system would still need to be robust to normal operations that the

cover work would be expected to have applied, such as common signal processing

and geometric operations.

Another direction for future research is finding a complementary encryption and steganographic watermarking system. The two systems would be compatible such that they interfere minimally with each other, but still cause a stain to be placed upon the cover work. Encryption and watermarking have such similar roots, it seems unlikely that they should be unable to coexist in such a way.

An immediate continuation on the current research would be to extend the encryption side into image-specific cryptosystems and investigate the validity of their use instead of the generic cryptosystems used here. Work into this area was investigated in Section 2.2.

A further continuation of the research presented would be to extend the work into video cover works. The results of this study have been limited to still images due to time and computational power limitations, for video would take much longer and be computationally expensive to mark, test and process. However, the groundwork has been laid in Section 2.1, where many ideas from the literature on video (steganographic) watermarking were investigated, in Section 2.2, where video-specific encryption systems are listed, and in Section 3.1, where additional requirements for video watermarking were mentioned as well as an outline of expected video-specific attacks to look out for.

Once a properly working system, secure to all reasonable attacks and producing good

outputs under all reasonable circumstances, is found, suitable cryptanalysis will need

to be applied, as well as investigations into the statistical nature of this system, to

quantify properties such as capacity and complexity in terms of time.


Appendix A

Acronyms, Abbreviations and Glossary

APPENDIX A contains a summary of the acronyms and abbreviations used throughout the thesis, including also a glossary of technical terms.


A.1 Acronyms

2-D 2-Dimensional

APS Analog Protection System

BSA Business Software Alliance

CEMA Consumer Electronics Manufacturers Association

CGMS Copy Generation Management System

CPTWG Copy Protection Technical Working Group

CR Composite Residuosity

CSS Content Scramble System

CVES Chaotic Video Encryption Scheme

DCT discrete cosine transform

DC-DM distortion compensated dither modulation

DES Data Encryption Standard

DJ disc jockey

DM dither modulation

DVD digital versatile disc

DVD CCA DVD Copy Control Association

DWT discrete wavelet transform

EC elliptic curve

ECC elliptic curve cryptosystem

gcd greatest common divisor

GGD Generalised Gaussian distribution

IA-DCT Image-Adaptive Direct Cosine Transform

IDCT Inverse Discrete Cosine Transform

JPEG Joint Photographic Experts Group

LD Laplacian distribution

LSB least significant bit

MoRE Masters of Reverse Engineering

MPAA Motion Picture Association of America

MPEG Moving Picture Experts Group

MSE mean square error

MV-ECC Menezes-Vanstone elliptic curve cryptosystem

PKC public key cryptosystem

PSD Power Spectral Density

PSNR peak signal-to-noise ratio


RSA Rivest-Shamir-Adleman

SEA Schoof-Elkies-Atkin

SPIHT Set Partitioning in Hierarchical Trees

VCR videocassette recorder

VOP video object plane

A.2 Abbreviations

cryptosystem cryptographic system

XOR Exclusive-Or

et al. et alia (Latin for “and others”)

A.3 Glossary

compliant machines Compliant (recording) machines can be consumer devices such

as DVD burners. These compliant devices check for special instructions, for

example on a DVD, dictating whether a DVD can be copied with no limits,

copied once or never copied.


Appendix B

Paper-Pen Analyses

THIS appendix contains analyses of the cryptosystems investigated in Chapter 5.


B.1 XOR Watermarking Algorithm

The algorithm:

1. A’s setup:

(a) Obtain image, M, of size h × w uint8 values.

(b) Obtain watermark image, W, of size h × w uint8.

(c) Select strength factor, α.

2. B’s setup:

(a) Pick a key, k.

(b) Obtain from k an encryption binary stream, E, and corresponding decryption binary stream, D(= E), each of length h × w × 8.

(c) Send E to A.

3. A’s encryption steps:

(a) Turn M into a stream of h × w × 8 bits.

(b) Compute C = M ⊗ E.

4. A’s watermarking steps:

(a) Turn C into a matrix of h × w pixels.

(b) Discrete cosine transform the encrypted image, C, i.e. V = dct(C).

(c) Obtain V′ = V · (1 + αW).

(d) Inverse discrete cosine transform V′ into C′.

(e) Send C′ to B.

5. B’s decryption steps:

(a) Receive C′ and turn into a stream of h × w × 8 bits.

(b) Compute stained image, M′ = C′ ⊗ D.

(c) Turn M′ into a matrix of h × w pixels.

Step-by-step:

1. C = M ⊗ E.

2. V = dct(C).

3. V′ = V · (1 + αW) = dct(C) · (1 + αW).

4. C′ = idct(V′) = idct(dct(C) · (1 + αW)).

• Now, if idct(X · Y) = idct(X) · idct(Y), then

C′ = C · idct(1 + αW)
= M ⊗ E · idct(1 + αW).

• Else, C′ = idct(dct(C) · (1 + αW)).

5. M′ = C′ ⊗ D = idct(dct(C) · (1 + αW)) ⊗ D.

• Now, if idct(X · Y) = idct(X) · idct(Y), then

M′ = M ⊗ E ⊗ D · idct(1 + αW)
= M · idct(1 + αW).

• Else,

M′ = idct((1 + αW) · dct(C)) ⊗ D
= idct((1 + αW) · dct(M ⊗ E)) ⊗ D.

In the latter case, the best way to recover would then be to

(a) reverse the decryption:

C′′ = M′ ⊗ E
= (C′ ⊗ D) ⊗ E
= C′;

(b) then reverse the IDCT:

V′′ = dct(C′′)
= dct(idct(dct(C) · (1 + αW)))
= dct(C) · (1 + αW)
= V′;

(c) and finally reverse the watermarking algorithm:

W′ = ((V′′/dct(C)) − 1)/α
= W.

I.e. to get the recovered watermark, W′ = ((dct(M′ ⊗ E)/dct(M ⊗ E)) − 1)/α.

However, each time dct and idct are applied, the watermark is spread more and more among all the dct components (including the DC component). The best way to detect the watermark then is to either match spectrums when watermarking, or apply correlation matching to the output images.
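The B.1 pipeline and its recovery formula, W′ = ((dct(M′ ⊗ E)/dct(M ⊗ E)) − 1)/α, can be traced end to end on a short 1-D signal; the run also shows why XOR fails the asymmetry requirement, since D = E lets A compute B's stained copy itself. This Python sketch is an added illustration, not the thesis code from Appendix C: the cover signal, the toy key stream, the fixed watermark W, the orthogonal decoy and α = 0.05 are constructed assumptions.

```python
import math

N = 64                                   # length of the constructed 1-D "image row"
ALPHA = 0.05                             # watermark strength (assumed value)
W = [1, -1, 1, 1, -1, -1, 1, -1]         # constructed watermark, elements in {-1, +1}
DECOY = [1, 1, -1, 1, -1, 1, -1, -1]     # constructed watermark orthogonal to W


def dct(x):
    """Orthonormal DCT-II of a 1-D sequence (pure Python, O(n^2))."""
    n = len(x)
    return [
        math.sqrt((1 if k == 0 else 2) / n)
        * sum(x[i] * math.cos(math.pi * (2 * i + 1) * k / (2 * n)) for i in range(n))
        for k in range(n)
    ]


def idct(v):
    """Inverse of dct() (orthonormal DCT-III)."""
    n = len(v)
    return [
        sum(
            math.sqrt((1 if k == 0 else 2) / n)
            * v[k] * math.cos(math.pi * (2 * i + 1) * k / (2 * n))
            for k in range(n)
        )
        for i in range(n)
    ]


def keystream(seed, n):
    """Toy byte stream standing in for B's XOR stream E (an LCG, not secure)."""
    state, out = seed, []
    for _ in range(n):
        state = (1103515245 * state + 12345) % 2**31
        out.append((state >> 16) & 0xFF)
    return out


def similarity(a, b):
    """Normalised inner product, used here as the detection score."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / math.sqrt(sum(x * x for x in a) * sum(y * y for y in b))


def run_protocol():
    M = [int(128 + 100 * math.sin(i / 10)) for i in range(N)]   # constructed cover work
    E = keystream(27, N)                  # B's encryption stream, sent to A
    D = E                                 # B's decryption stream (D = E for XOR)

    C = [m ^ e for m, e in zip(M, E)]     # step 3: A encrypts

    V = dct(C)                            # step 4: A watermarks the ciphertext
    # Largest coefficients by value, DC component (k = 0) excluded.
    idx = sorted(range(1, N), key=lambda k: V[k], reverse=True)[:len(W)]
    V2 = list(V)
    for j, k in enumerate(idx):
        V2[k] = V[k] * (1 + ALPHA * W[j])
    # Rounding and clipping back to uint8 adds error beyond the watermark itself.
    C2 = [min(255, max(0, round(c))) for c in idct(V2)]

    M2 = [c ^ d for c, d in zip(C2, D)]   # step 5: B decrypts, obtaining the stained copy

    # Recovery: re-encrypt the stained copy, return to the DCT domain, undo the scaling.
    V3 = dct([m ^ e for m, e in zip(M2, E)])
    W_rec = [((V3[k] / V[k]) - 1) / ALPHA for k in idx]

    # A holds E and C', so with a symmetric stream A can rebuild B's copy exactly.
    a_copy = [c ^ e for c, e in zip(C2, E)]

    return {
        "score_true": similarity(W_rec, W),
        "score_decoy": similarity(W_rec, DECOY),
        "stained": M2 != M,
        "a_reproduces": a_copy == M2,
    }


if __name__ == "__main__":
    for name, value in run_protocol().items():
        print(name, value)
```

The score against W stays near 1 because the recovery works on the rounded C′ directly; the residual error comes from the uint8 rounding step, which is the same source of extra error the MATLAB listing notes at its `round(max(C2,0))` line.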

B.2 RSA Cryptosystem

The encryption algorithm:

1. Setup:

(a) Message, M.

(b) Two large primes, p and q (private).

(c) n = pq (public), φ = (p − 1)(q − 1) (private).

(d) e ∈ Zφ/{0} such that gcd(e, φ) = 1 (public).

(e) d such that ed = 1 (mod φ) (private).

2. Encrypting: C = M^e (mod n).

3. Decrypting:

M′ = C^d
= (M^e)^d
= M^1
= M (mod n).

However, we want to watermark between the encryption and decryption stages, using the DCT spread spectrum algorithm. The output image will also be attacked. The entire algorithm, including watermarking and attack stages, then becomes:

1. B’s setup:

(a) Pick two large primes, p and q.

(b) Set n = pq, and φ = (p − 1)(q − 1).

(c) Select e ∈ Zn/{0} such that gcd(e, φ) = 1.

(d) Find d such that ed = 1 (mod φ).

(e) Send (n, e) to A.

2. A’s setup:

(a) Obtain message matrix, M, size h × w.

(b) Pick watermarking strength, α.

(c) Pick random watermark vector, W, of N elements (N ≪ h × w).

3. A’s encryption steps: Compute C = M^e (mod n).

4. A’s watermarking steps:

(a) DCT the encrypted message, V = dct(C).

(b) Find the N largest elements of V, not including the DC element.

(c) Watermark according to the formula, V′i = Vi · (1 + αWi), on the N elements of V.

(d) IDCT to obtain the marked encrypted message, C′ = idct(V′).

5. B’s decryption steps: Compute M′ = (C′)^d (mod n).

6. E’s attack stage can only be applied after decryption, as an attack at any other time will produce a distorted output message. Since the integrity of M must be kept, any changes from attacks must be small, i.e. M′′ = δM′ = δM(W′)^d, where δ is the small change caused by attacks.

To recover the watermark, one option is to re-encrypt the output message (to reverse the decryption) and then reverse the watermarking process to obtain the watermark. That is, M′ = (idct(V′))^d.

• Now if idct(X · Y) = idct(X) · idct(Y), then

M′ = C^d · (idct(1 + αW))^d
= (M^e)^d · (idct(1 + αW))^d
= M · (idct(1 + αW))^d
= M · (W′)^d

where W′ = idct(1 + αW).

• Otherwise,

M′ = (idct(V · (1 + αW)))^d
= (idct(dct(C) · (1 + αW)))^d.

The difficulty in this reversal process is that any little deviation is further increased

by encryption (power to e), thus distorting the watermark, possibly beyond recovery.

This implies that we will be unable to add other watermarks, which is not useful.

Alternately, instead of extraction by the reversal process, presence of the watermark can be detected. For example, the output message can be compared with copies of the original image that have been embedded, identically to the one under investigation, with the known set of watermarks used. That way the watermark will not be further corrupted by re-encryption. Spectral comparison is another method of detecting or matching watermarks.

Another difficulty with this encryption-watermark combination comes from the large

values of exponentiation required for security. To ensure that the decrypted result,

i.e. M′, looks like the original message, W ′ must be as close to 1 as possible. The

difficulty here is that since p and q are large primes, this produces a large φ, which

in turn will likely produce a large d. This means that any small deviation of W ′ from

1 will likely push the output message, M′, from seeming anything like the original

message, M, and thus integrity is not maintained.

Therefore, from our algorithm, αW must be as close to zero as possible. Since the

elements of W are equally likely values of either -1 or 1, α will be the minimising

factor. However, if α is too small, there will be multiple W matches.
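The two RSA effects described above can be checked with toy parameters: a multiplicative change s to the ciphertext decrypts to M · s^d (mod n), a stain that only the holder of d can compute, while even a +1 additive change decrypts to a value unrelated to M. This is an added Python example, not code from the thesis; the primes 61 and 53, e = 17 and the 0..255 pixel range are constructed assumptions, far too small for real use.

```python
P, Q = 61, 53                      # toy primes (constructed)
N_MOD = P * Q                      # public modulus n = 3233
PHI = (P - 1) * (Q - 1)            # phi = 3120, private
E_PUB = 17                         # public exponent, gcd(e, phi) = 1
D_PRIV = pow(E_PUB, -1, PHI)       # private exponent d (Python 3.8+)
PIXELS = range(256)                # every uint8 pixel value, each smaller than n


def encrypt(m):
    """A's side: C = M^e mod n, using only B's public (n, e)."""
    return pow(m, E_PUB, N_MOD)


def decrypt(c):
    """B's side: M' = C^d mod n."""
    return pow(c, D_PRIV, N_MOD)


def multiplicative_stain(s):
    """A multiplies every ciphertext by s before B decrypts.

    Returns B's decrypted pixels and the stain factor s^d mod n. RSA is
    multiplicatively homomorphic, so each decrypted pixel is M * s^d mod n:
    a deterministic stain that A, who lacks d, cannot compute in advance.
    """
    stain = pow(s, D_PRIV, N_MOD)
    decrypted = [decrypt(encrypt(m) * s % N_MOD) for m in PIXELS]
    return decrypted, stain


def additive_errors(delta):
    """A adds delta to every ciphertext; returns |M' - M| for each pixel.

    Exponentiation by d spreads the deviation over the whole range 0..n-1,
    which is the loss of integrity the analysis describes.
    """
    return [abs(decrypt((encrypt(m) + delta) % N_MOD) - m) for m in PIXELS]


def median(values):
    ordered = sorted(values)
    return ordered[len(ordered) // 2]


if __name__ == "__main__":
    decrypted, stain = multiplicative_stain(3)
    print("stain factor s^d mod n:", stain)
    print("first stained pixels:", decrypted[:5])
    print("median |M' - M| after +1 on the ciphertext:", median(additive_errors(1)))
```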


B.3 Elliptic Curve Cryptography (ECC)

There are various implementations of public-key elliptic curve cryptography. One cryptosystem is the ElGamal-type elliptic curve cryptosystem. However, as mentioned in Subsection 3.2.4, there is great difficulty in finding the homomorphic function, f, that maps a point, P, to some value, v, in the desired finite field.

Another cryptographic system is the Menezes-Vanstone elliptic curve cryptosystem,

which does not require mapping from message to points. The Menezes-Vanstone

algorithm is as follows:

1. B’s setup:

(a) Choose a large prime, p.

(b) Choose an elliptic curve, E. (I.e. choose coefficients of the elliptic curve equation, which for prime fields is shortened to: y^2 = x^3 + a4·x + a6. Basically, choose a4 and a6 in Zp and Δ ≠ 0.)

(c) Choose a point, P, on the curve, E .

(d) Choose a secret key, kB < #E (where #E is the number of points in E , see

3.2.4).

(e) Compute Q = [kB]P.

(f) Send (P,Q,a4,p) to A.

(g) Keep secret kB.

2. A’s setup:

(a) Obtain message, M, of size h×w uint8 values, arranged into pairs, (m1, m2).

(b) Obtain watermark, W, of length N binary bits, {−1, 1}.

(c) Select strength factor, α.

(d) Choose a secret key, kA, such that 0 < kA < #E .

3. A’s encryption step,

(a) Get B’s public information, (P,Q,a4,p).

(b) Compute Y0 = [kA]P.

(c) Compute (y1, y2) = [kA]Q.


(d) Compute C = (c1, c2), where c1 = y1 · m1 (mod p) and c2 = y2 · m2 (mod p).

(e) Send (Y0, C).

4. A’s watermarking steps:

(a) Discrete cosine transform the encrypted image, C, and sort into N largest values except the DC component.

(b) Obtain C′i,j = Ci,j · (1 + αWj), for i = 1, 2 and j = 1 : N.

(c) Inverse discrete cosine transform C′ = (C′1, C′2).

(d) Send Y0 and C′ to B.

5. B’s decryption steps,

(a) Receive (Y0, C′).

(b) Compute (y1, y2) = [kB]Y0.

(c) Compute M′ = (m′1, m′2), where m′1 = (y1)^(−1) · c′1 (mod p) and m′2 = (y2)^(−1) · c′2 (mod p).

6. Then

m′i = (yi)^(−1) · c′i (mod p)
= (yi)^(−1) · idct(ci · (1 + αw)) (mod p)
= (yi)^(−1) · idct(dct(yi · mi) · (1 + αw)) (mod p)

for i = 1, 2.

• Now if idct(X · Y) = idct(X) · idct(Y), then

m′i = (yi)^(−1) · idct(dct(yi · mi) · (1 + αw)) (mod p)
= (yi)^(−1) · idct(dct(yi · mi)) · idct(1 + αw) (mod p)
= (yi)^(−1) · yi · mi · idct(1 + αw) (mod p)
= mi · idct(1 + αw).

• Else m′i = (yi)^(−1) · idct(dct(yi · mi) · (1 + αw)) (mod p).

The issue with this algorithm is that because p is very, very large, the coordinates of the points will be correspondingly large. Any small errors are multiplied by those large values. For the RSA watermarking scheme, if the errors are < 1, they are multiplied by themselves (exponentially) and hence remain small. However, in the Menezes-Vanstone watermarking case, though the errors are still less than 1 they are multiplied by large values and may cause considerable damage to the final message.

Again, the watermarking strength, α, will determine the extent of the distortion to

the final message caused by watermarking before decryption.

Note that the cryptosystem is acting like another transform domain.


Appendix C

Codes

THIS appendix contains the codes that produced the results

shown in Chapter 5. The codes and results are based on the

MATLAB software, version 7.0 (R14).


Note: The following codes were created based on the MATLAB software, version 7.0

(R14), and require the following toolboxes:

• images

C.1 XOR

This system uses XOR encryption (and decryption) and spread spectrum algorithm

for watermarking.

The slight difference with this code from the algorithm in Table 5.2 is that instead of

bitwise XOR-ing, MATLAB provides a function for integer XOR-ing, provided the

integer is unsigned.

Also, two methods of watermark recovery were attempted, based on the analyses

in Appendix B.1. The second watermark recovery method’s correlation is given in

Section 5.2.

clear all
close all
fig = 1;

%====================================================
% SETUP
%====================================================
% A's setup:
% 1. Obtain image, M, of size h X w uint8 values.
% 2. Obtain watermark image, W, of size h X w uint8.
% 3. Select strength factor, alpha.

% The image
M = imread('lena.tif');
M = rgb2gray(M); % originally RGB => conv to grey
M = double(M);
figure(fig), fig = fig + 1;
imshow(uint8(M)), title('Cover work')
[h,w] = size(M);

% Watermark vector to subtract from enc im
wk = 28; % watermark key
wl = 1000; % watermark length
rand('state',wk);
W = 2*randint(1,wl)-1; % watermark vector
alpha = 0.012; % tolerance/strength

% B's setup:
% 1. Pick a key, k.
% 2. Obtain from k an encryption binary stream, E, and corresponding
% decryption binary stream, D (= E), each of length h X w X 8.
% 3. Send E to A.

% Crypto vector to xor image with
ck = 27; % key into rand vector
rand('state',ck); % set rand gen state
cn = h*w*8; % length of E & D
E = randint(cn/8,1,255)+1; % same dimensions as M
E = reshape(E,h,w); % encryption vector
D = E; % decryption vector

%====================================================
% BEGIN IMPLEMENTATION
%====================================================
% A's encryption steps:
% 1. Turn M into a stream of h X w X 8 bits.
% 2. Compute C = M XOR E.

% 1. Remember, M is now represented by an 8 bit number.
% 2. Encrypt: XOR E with M.
C = bitxor(M,E);
figure(fig), fig = fig + 1;
imshow(uint8(C)), title('Encrypted cover work')

% A's watermarking steps:
% 1. Turn C into a matrix of h X w pixels.
% 2. Discrete cosine transform encrypted image, C, i.e. V = dct(C).
% 3. Obtain V' = V (1 + alpha W).
% 4. Inverse discrete cosine transform V' into C'.
% 5. Send C' to B.

% 3. Watermarking: Now watermark using spread spectrum algorithm.
dctC = dct2(C);
dctC = reshape(dctC,1,h*w);
[t,maxI] = sort(dctC,'descend');
clear t % t not in use
maxI = maxI(2:wl+1); % do not change DC cmpt
dctC2 = dctC;
dctC2(maxI) = dctC(maxI).*(1+alpha*W);
dctC2 = reshape(dctC2,h,w);
C2 = idct2(dctC2);
figure(fig), fig = fig + 1;
imshow(C2,[min(min(C2)) max(max(C2))])
title('Watermarked encrypted cover work')
ci_corr = corr2(C,C2) % close to 1 => high corr

% B's decryption steps:
% 1. Receive C' and turn into a stream of h X w X 8 bits.
% 2. Compute stained image, M' = C' XOR D.
% 3. Turn M' into a matrix of h X w pixels.

% 4. Decryption: Do opposite what did in encryption.
C2 = round(max(C2,0)); % bitxor only works on non-neg ints
% the line above will introduce more errors into the output image
M2 = bitxor(C2,D);
figure(fig), fig = fig + 1;
imshow(uint8(M2))
title('Decrypted watermarked encrypted cover work')
di_corr = corr2(M,M2) % close to 1 => high corr

% 5. Detection: By correlation analysis.
% try, assuming M2 = M idct(1 + alpha W)
idctW2 = M2 - M;
dctW2 = reshape(dct2(idctW2),1,h*w);
W2 = (dctW2(maxI)-1)/alpha;
wm_corr2 = corr2(W2,W) % close to 1 => high corr

% try, assuming W3 = ((dct(M2 XOR E)/dct(C)) - 1)/alpha
a = bitxor(floor(M2),E);
b = reshape(dct2(a),1,h*w);
W3 = ((b(maxI)./dctC(maxI))-1)/alpha;
wm_corr3 = corr2(W3,W) % close to 1 => high corr

C.2 Block-Based

This system uses block-based encryption (and decryption) and spread spectrum algorithm for watermarking. The encryption is done by matrix multiplication, and decryption uses the inverse of the encryption matrix for matrix multiplication.

clear all

close all

fig = 1;

% Set to 1 if dcting whole

whole = 0;

en blk siz = 8;

wm blk siz = 8;

%====================================================

% SETUP

%====================================================

% A’s setup:

% 1. Obtain image, M, of size h X w uint8 values.

% 2. Obtain watermark, W, of length l binary bits, -1,1.

% 3. Select strength factor, alpha.

M = imread(‘lena2.tif’);

M = rgb2gray(M); % originally rgb => conv to grey

M = double(M);

figure(fig), fig = fig + 1;

imshow(uint8(M)), title(’Cover work’)

[h1,w1] = size(M);

% Using random vector for watermarking

wk = 28; % key into rand vector

rand(‘state’,wk); % set rand generator state

wl = 1000; % length of wm

W = rand(1,wl)*2-1; % wm vector, vals < 1

alpha = 0.003; % strength of wm

Page 141

Page 166: University of Adelaide...Contents Contents iii Abstract vii Statement of Originality ix Acknowledgments xi Publications xiii List of Figures xv List of Tables xxiii Chapter 1. Introduction

C.2 Block-Based

% B’s setup:

% 1. Pick a key, k.

% 2. Obtain from k an encryption matrix, E, of size n X n of uint8

% values.

% 3. Obtain decryption matrix by finding the matrix inverse of E,

% D = inv(E).

% 4. Send E to A.

% Crypto matrices to mult image with, all values int

ck = 27; % key into rand vector

rand(‘state’,ck); % set rand gen state

E = randint(en blk siz,en blk siz,256);

% enc mat, same dims as M

D = inv(E); % dec mat, works coz sq

%====================================================

% BEGIN IMPLEMENTATION

%====================================================

% A’s encryption steps:

% 1. Divide M into blocks of n X n.

% 2. For each block, i, compute C i = M i X E, where X here means

% matrix multiplication.

% 1. Encrypting: MxE

for i = 1:en blk siz:h1,

for j = 1:en blk siz:w1;

a = M(i:i+en blk siz-1,j:j+en blk siz-1);

C(i:i+en blk siz-1,j:j+en blk siz-1) = a*E;

end

end

clear a i j;

figure(fig), fig = fig + 1;

imshow(C/max(max(C)))

title(‘Encrypted image (normalised)’)

% A’s watermarking steps:

% 1. Discrete cosine transform the encrypted image, C, and sort into

% l largest values excepting the DC component(s).

% 2. Obtain C_j' = C_j (1 + alpha W_j), for j=1:l.

% 3. Inverse discrete cosine transform C’.

% 4. Send C’ to B.

% 2. Embedding: dct(C).*(1 + alpha.*W)

if (whole),

dctC = dct2(C);

else,

for i = 1:wm_blk_siz:h1,

for j = 1:wm_blk_siz:w1,

a = dct2(C(i:i+wm_blk_siz-1,j:j+wm_blk_siz-1));

dctC(i:i+wm_blk_siz-1,j:j+wm_blk_siz-1) = a;

end

end

end

dctC = reshape(dctC,1,h1*w1);

[t,Ind] = sort(dctC,'descend'); % t is mat of sorted vals

% t is not used here

% Ind is index of sorted vals

% For whole, do from 2 onwards to leave DC value untouched.

% For blocks need to ignore every wm_blk_siz value.

if whole,

maxI = Ind(2:wl+1); % maxI is idx of wming set

else,

maxI = Ind(h1/wm_blk_siz+1:wl+h1/wm_blk_siz);

end

dctC2 = dctC;

for i = 1:wl,

dctC2(1,maxI(i)) = dctC(maxI(i)).*(1+alpha.*W(i));

end

dctC2 = reshape(dctC2,h1,w1);

if (whole),

C2 = idct2(dctC2);

else,

for i = 1:wm_blk_siz:h1,

for j = 1:wm_blk_siz:w1,

a = idct2(dctC2(i:i+wm_blk_siz-1,j:j+wm_blk_siz-1));

C2(i:i+wm_blk_siz-1,j:j+wm_blk_siz-1) = a;

end

end

end

clear a t Ind i dctC2;

figure(fig), fig = fig + 1;

imshow(C2/max(max(C2)))

title('Watermarked encrypted image (normalised)')

% Keep maxI, dctC for watermark recovery.

% B’s decryption steps:

% 1. Receive C’ and divide into n X n blocks.

% 2. Compute stained image, M_i' = C_i' X D, for each block, i.

% 3. Decrypting: C2xD

for i = 1:en_blk_siz:h1,

for j = 1:en_blk_siz:w1,

a = C2(i:i+en_blk_siz-1,j:j+en_blk_siz-1);

M2(i:i+en_blk_siz-1,j:j+en_blk_siz-1) = a*D;

end

end

clear a i j;

figure(fig), fig = fig + 1;

imshow(uint8(M2))

title('Decrypted watermarked encrypted image')

di_corr = corr2(M,M2)

% 4. Detection: By correlation analysis.

% - dct M2

% - recover watermark by extracting wl largest values

% - show recovered

% - do correlation analysis

% maxI, dctC2 kept for watermark recovery.

if (whole),

dctM2 = dct2(M2);

else,

M22 = double(uint8(M2)); % truncating to im vals

for i = 1:wm_blk_siz:h1,

for j = 1:wm_blk_siz:w1,

a = dct2(M22(i:i+wm_blk_siz-1,j:j+wm_blk_siz-1));

dctM2(i:i+wm_blk_siz-1,j:j+wm_blk_siz-1) = a;

end

end

end

a = reshape(dctC,1,h1*w1);

a = a(maxI);

b = reshape(dctM2,1,h1*w1);

b = b(maxI);

RW = ((b./a)-1)/alpha; % recovered wm

clear dctC2 temp maxI a b i j;

wm_corr = corr2(W,RW) % close to 1 => high corr

% Let’s try this:

% 1. Adding post-processing step for Detection

% to round recovered wm values to either 1 or -1

for i = 1:wl,

if RW(i) < mean(RW),

RW2(i) = -1;

else

RW2(i) = 1;

end

end

wm_corr2 = corr2(W,RW2) % close to 1 => high corr

C.3 RSA

The following code is the implementation for RSA cryptography with spread spectrum DCT Watermarking, as per the algorithm shown in Table 5.5.

In this implementation, given the original image and the set of 100 random watermarks, the original image is marked with those random watermarks and compared against the watermarked document of interest to determine which of the random watermarks have been embedded into the marked document of interest.

This implementation also applies several common attacks to the marked image, as listed below, to test the system's robustness.

Attacks applied were

• 1) forced to 8-bit;

• 2) JPEG encoding and compression;

• 3) cropping by 1 pixel from the edges up to 50 pixels from the edges (after which point the original image has lost a significant portion of its value);

• 4) insert Gaussian noise of variance 0.004 and mean 0;

• 4.1) insert speckle noise of variance 0.004 and mean 0;

• 5) scale by half (or downsample by 2) then rescale the image back to original dimensions;

• 6) crop and resize (combination attack) by 1 pixel from edges and half size respectively;

• 7) insert another watermark at 5α.

To compare the images, the same attack was mimicked for the 100 randomly watermarked images, save for attacks 1 (truncation), 2 (compression), 4 and 4.1 (noise), and 7 (mark again).

This implementation differs slightly from the images shown in § 5.4: for attack 3 (the cropping from 1 pixel to 50 pixels from the edges), only the 1 and 50 cropping results are shown, and attack 4.1 (speckle) has been left out as it is similar to Gaussian noise addition.

clear all, close all

fig = 1;

atk = 0; % which attack to apply

redo = 1; % to ensure output

% Alice’s setup:

% 1. Obtain image, M, of size h X w uint8 values.

% 2. Obtain watermark, W, of length l binary bits, -1,1.

% 3. Select strength factor, alpha.

% Message, i.e. small image

M = double(rgb2gray(imread('lena256x256.tif','tif')));

[h,w] = size(M);

figure(fig), fig = fig + 1;

imshow(uint8(M)), title('Original Image')

% Watermark info

ws = 100; % num of wms to compare

wl = 1000; % len of each wm

W = randint(ws,wl)*2-1; % ws watermarks, each of length wl

wn = randint(1,1,ws)+1; % the number of our watermark

a = 0.001; % watermarking strength

disp(sprintf('our watermark: %i',wn))

% Bob’s setup:

% 1. Choose 2 large prime numbers, p and q.

% 2. Compute n = pq and phi = (p-1)(q-1).

% 3. Find 1 < e < phi such that (e,phi) = 1.

% 4. Compute d such that ed = 1 (mod phi).

% 5. Make public (n,e) and keep private (phi,d).

while redo,

redo = 0;

fig = 2;

% 1. Crypto setup, know 255 smallest value.

not_done = 1;

while not_done,

% pick 2 prime numbers

q = randprime(15); % 15^2 is just < 255, so n > 255

p = randprime(q+1,2*q); % typical for q < p < 2q

% make sure p,q not too close or may use Fermat factorisation

while round(p/q) == 1,

q = randprime(15);

p = randprime(q+1,2*q);

end

n = p*q;

f = (p-1)*(q-1); % phi

e = randint(1,1,f-2) + 1; % the + 1 prevents e = 0

% make sure e and phi coprime

while (gcd(e,f) ~= 1), e = randint(1,1,f-1) + 1; end

[t,t2,d] = extdeuc(f,e);

d = mod(d,f);

if mod(e*d,f) == 1, not_done = 0; end

% also want d large, else can use Michael J. Wiener's 1990 attack

if d < n^(1/4)/3, not_done = 1; end

end

clear f not_done

% Alice’s encryption step:

% 1. Compute C = M^e (mod n).

% 2. Encrypt, c = m^e

C = powmod(M,e,n);

figure(fig), fig = fig + 1;

imshow(C,[min(min(C)) max(max(C))]),

title('Encrypted')

% Alice’s watermarking steps:

% 1. Discrete cosine transform the encrypted image, C, and sort into

% l largest values except the DC component.

% 2. Obtain C_j' = C_j (1 + alpha W_j), for j=1:l.

% 3. Inverse discrete cosine transform C’.

% 4. Send C’ to B.

% 3. Watermark, dct C, find 1000 largest values except DC.

DCTC = dct2(C);

[t,I] = sort(reshape(DCTC,1,h*w),'descend');

clear t

I = I(2:wl+1);

DCTC2 = DCTC;

% % 1) v’ = v + aw

% DCTC2(I) = DCTC2(I) + a.*W(wn,:);

% 2) v’ = v(1 + aw)

DCTC2(I) = DCTC2(I).*(1 + a.*W(wn,:));

% % 3) v' = ve^(aw)

% C2a(I) = C2a(I).*exp(a.*W(wn,:));

C2 = idct2(DCTC2);

figure(fig), fig = fig + 1;

imshow(C2,[min(min(C2)) max(max(C2))]), title('Watermarked')

C2 = round(C2);

% Bob’s decryption steps:

% 1. Receive altered ciphertext, C’.

% 2. Compute message, M' = C'^d (mod n).

% 4. Decrypt, m' = c^d = m^(ed) = m

M2 = powmod(C2,d,n);

if corr2(M2,M) < 0.7, redo = 1; end % output image not good enough, redo

figure(fig), fig = fig + 1;

imshow(uint8(M2)), title('Decrypted')

% 4a. Attack point

switch atk

% 1) Force to 8-bit

case 1,

M21 = max(0,min(255,M2));

figure(fig), fig = fig + 1; imshow(uint8(M21))

title('8-bit quantised'),

M3 = M21;

clear M21

% 2) JPEG encoding

case 2,

imwrite(uint8(M2),'imjpeg.jpg','jpg','Quality',20)

M22 = double(imread('imjpeg.jpg','jpg'));

figure(fig), fig = fig + 1; imshow(uint8(M22)),

title('Jpeged')

M3 = M22;

clear M22

% 3) crop it

case 3,

crop_amt = 50; % 1 up to 50 still good

M23 = imcrop(M2,[crop_amt crop_amt (h-1)-crop_amt*2 (w-1)-crop_amt*2]);

figure(fig), fig = fig + 1; imshow(uint8(M23)),

title('Cropped')

M3 = M23;

clear M23

% 4) noise it - gaussian

case 4,

M24 = double(imnoise(uint8(M2),'gaussian',0,0.004));

figure(fig), fig = fig + 1; imshow(uint8(M24)),

title('Noised - Gaussian (var 0.004)')

M3 = M24;

clear M24

% 4.1) noise it - speckle

case 41,

M241 = double(imnoise(uint8(M2),'speckle',0.004));

figure(fig), fig = fig + 1; imshow(uint8(M241)),

title('Noised - Speckle (var 0.004)')

M3 = M241;

clear M241

% 5) scaling

case 5,

M25 = imresize(M2,0.5);

figure(fig), fig = fig + 1; imshow(uint8(M25)),

title('Resized - Halved'),

M3 = imresize(M25,2); % resize to orig size

clear M25

% 6) crop and resize

case 6,

M26 = imcrop(M2,[1 1 (h-1)-2 (w-1)-2]);

figure(fig), fig = fig + 1; imshow(uint8(M26)),

title('Cropped')

% resize to same dimensions as original unwatermarked image

% took away 1x1 outer pixels out of 512x512. resize by 1.003921569

M3 = imresize(M26,h/size(M26,1));

figure(fig), fig = fig + 1; imshow(uint8(M3)),

title('Cropped 1 pixel from edges and Resized'),

if size(M3) ~= size(M),

error('Incorrect resizing...exiting program'),

end

clear M26

% 7) multiple watermarking

case 7,

% watermark setup:

wn7 = randint(1,1,ws)+1; % the index of second watermark

while wn7 == wn, wn7 = randint(1,1,ws)+1; end

% watermark:

DCTC7 = DCTC2;

[t7,I7] = sort(reshape(DCTC7,1,h*w),'descend');

clear t7

I7 = I7(2:wl+1);

DCTC27 = DCTC7;

DCTC27(I7) = DCTC27(I7).*(1 + a.*W(wn7,:));

C27 = idct2(DCTC27);

% decrypt:

M3 = powmod(round(C27),d,n);

figure(fig), fig = fig + 1; imshow(uint8(M3))

title('Doubly Watermarked'),

clear DCTC7 DCTC27 C27

if corr2(M3,M) < 0.8, redo = 1; end

otherwise,

M3 = M2;

end

% 5. Watermark recovery,

% mimic process with original and compare if results the same

for i=1:ws,

DCTCR = DCTC; % using encrypted image, coz

% steps before will be same

% watermark:

% % 1) v’ = v + aw

% DCTC2(I) = DCTC2(I) + a.*W(i,:);

% 2) v’ = v(1 + aw)

DCTCR(I) = DCTCR(I).*(1 + a.*W(i,:));

% % 3) v' = ve^(aw)

% C2a(I) = C2a(I).*exp(a.*W(i,:));

CR = idct2(DCTCR);

CR = round(CR);

% decrypt:

MR = powmod(CR,d,n);

% and match:

switch atk

case 3,

MR2 = imcrop(MR,[crop_amt crop_amt ...
(h-1)-crop_amt*2 (w-1)-crop_amt*2]);

MM = imcrop(M,[crop_amt crop_amt ...
(h-1)-crop_amt*2 (w-1)-crop_amt*2]);

case 5,

MR2 = imresize(MR,0.5);

MR2 = imresize(MR2,2);

MM = imresize(M,0.5);

MM = imresize(MM,2);

case 6,

MR2 = imcrop(MR,[1 1 (h-1)-2 (w-1)-2]);

MR2 = imresize(MR2,h/size(MR2,1));

MM = imcrop(M,[1 1 (h-1)-2 (w-1)-2]);

MM = imresize(MM,h/size(MM,1));

otherwise,

MM = M;

MR2 = MR;

end

R0(i) = corr2(M2,MR2); % before distortions

R1(i) = corr2(M3,MR2); % after distortions, with orig image

R2(i) = corr2(M3-MM,MR2-MM); % after distortions, minus orig image

if isnan(R0(i)) | isnan(R1(i)) | isnan(R2(i)),

redo = 1;

end

end

if atk == 7, disp(sprintf('second watermark: %i',wn7)), end

figure(fig), fig = fig + 1; stem(1:ws,R0)

title(strcat('Correlation of ',[' ' num2str(ws)],' uniquely watermarked images to our watermarked image'))

xlabel('Randomly Watermarked Images'), ylabel('Correlation to our image')

figure(fig), fig = fig + 1; stem(1:ws,R1)

title(strcat('Correlation of ',[' ' num2str(ws)],' uniquely watermarked images to our watermarked image, after atk'))

xlabel('Randomly Watermarked Images'), ylabel('Correlation to our image')

figure(fig), fig = fig + 1; stem(1:ws,R2)

title(strcat('Correlation of',[' ' num2str(ws)],' uniquely watermarked images to our attacked watermarked image, after atk, minus image'))

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our attacked image')

end % of redo while loop
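
The detection step of the listing above (re-mark the encrypted original with every candidate watermark, decrypt, and correlate against the document of interest), as an added Python example that is not part of the thesis code. The 16x16 image, the toy key (n = 323, e = 5, d = 173), the strength 0.05 and the 20 watermarks of length 40 are constructed values, chosen so that the mark survives rounding at this small size.

```python
import math
import random

N_MOD, E_PUB, D_PRIV = 323, 5, 173   # constructed toy key: 323 = 17*19, 5*173 = 1 (mod 288)
SIZE = 16                            # constructed 16x16 image instead of lena256x256.tif
ALPHA = 0.05                         # assumed strength, larger than the listing's 0.001

# Orthonormal DCT-II basis: T[k][i] = c_k * cos(pi*(2i+1)*k / (2*SIZE))
T = [[math.sqrt((1 if k == 0 else 2) / SIZE)
      * math.cos(math.pi * (2 * i + 1) * k / (2 * SIZE))
      for i in range(SIZE)] for k in range(SIZE)]


def matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]


def transpose(m):
    return [list(r) for r in zip(*m)]


def dct2(img):
    return matmul(matmul(T, img), transpose(T))


def idct2(coef):
    return matmul(matmul(transpose(T), coef), T)


def corr2(a, b):
    """Pearson correlation of two flattened images (what MATLAB corr2 computes)."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    sab = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    saa = sum((x - ma) ** 2 for x in a)
    sbb = sum((y - mb) ** 2 for y in b)
    return sab / math.sqrt(saa * sbb) if saa and sbb else 0.0


def mark_and_decrypt(cdct, idx, wm):
    """v' = v(1 + alpha*w) on the chosen coefficients, inverse DCT, round, RSA-decrypt."""
    coef = [row[:] for row in cdct]
    for j, i in enumerate(idx):
        coef[i // SIZE][i % SIZE] *= 1 + ALPHA * wm[j]
    return [pow(round(v), D_PRIV, N_MOD) for row in idct2(coef) for v in row]


def setup(num_wm=20, wm_len=40, seed=1):
    """Encrypt the constructed image pixel by pixel and pick the coefficients to mark."""
    rng = random.Random(seed)
    image = [[(13 * r + 7 * c + 9 * ((r * c) % 5)) % 256 for c in range(SIZE)]
             for r in range(SIZE)]
    cipher = [[pow(m, E_PUB, N_MOD) for m in row] for row in image]
    cdct = dct2(cipher)
    flat = [v for row in cdct for v in row]
    ranked = sorted(range(SIZE * SIZE), key=lambda i: flat[i], reverse=True)
    idx = ranked[1:wm_len + 1]       # skip the largest value (DC), as the listing does
    marks = [[rng.choice((-1, 1)) for _ in range(wm_len)] for _ in range(num_wm)]
    return cdct, idx, marks


def detect(suspect, cdct, idx, marks):
    """Mimic the marking for every candidate and return (best index, all correlations)."""
    scores = [corr2(suspect, mark_and_decrypt(cdct, idx, w)) for w in marks]
    return scores.index(max(scores)), scores


def run(wn=7):
    cdct, idx, marks = setup()
    m2 = mark_and_decrypt(cdct, idx, marks[wn])   # the document of interest
    clipped = [min(255, v) for v in m2]           # attack 1: forced to 8-bit
    return detect(m2, cdct, idx, marks)[0], detect(clipped, cdct, idx, marks)[0]


if __name__ == "__main__":
    print(run())
```

Only the candidate that was actually embedded reproduces the suspect image pixel for pixel, because every other candidate rounds to a different ciphertext and therefore decrypts to unrelated values.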

C.4 Menezes-Vanstone Elliptic Curve Cryptosystem

The implementation for the Menezes-Vanstone elliptic curve cryptosystem combined with spread spectrum DCT watermarking was code intensive, and hence each attack level has been separated for ease of testing. The algorithms for the implementations are outlined in § 5.6.

Unless specifically mentioned, the random watermarked set will not mimic the attack(s) applied on the watermarked document of interest.

C.4.1 Truncation

Force to 8-bit integers.

clear all

close all

fig = 1;

redo = 1;

%====================================================

% SETUP

%====================================================

% Image setup.

% Message, M = (m1,m2) (pairs of message values)

M = double(rgb2gray(imread('lena256x256.tif','tif')));

[h,w] = size(M);

figure(fig), fig = fig + 1; imshow(uint8(M)),

title('Original Image'),

while redo, % start of redo loop

M = reshape(M,h*w/2,2);

redo = 0;

fig = 2;

% Bob’s setup:

% 1. Choose a large prime number, p.

% 2. Choose an elliptic curve, E.

% 3. Choose a point, P, on E.

% 4. Choose a secret key, kB < #E.

% 5. Compute point, Q = [kB]P.

% 6. Make public Ke = (P,Q,E,p) and keep private Kd = (kB).

% Crypto setup.

% a) pick a prime number p, and an elliptic curve (i.e. pick

% a and b)

% b) pick a point P on E

% c) pick Bob’s secret, kb < #E (#E = number of points on E)

% d) compute Q = [kb]P

% if takes more than a 100 guesses, not gonna work with

% those values so begin again.

repeat = 1;

while repeat ~= 0,

% pick prime field

p = randprime(255);

% pick an elliptic curve, i.e. pick random a and b in p

not_done = 1;

while not_done,

a = randint(1,1,p);

b = randint(1,1,p-1)+1; % b cannot be 0

if mod(4*a^3+27*b^2,p) ~= 0, not_done = 0; end

end

% pick a point on the elliptic curve

not_done = 1;

while not_done & repeat < 100,

x = randint(1,1,p);

y = sqrt(x^3 + a*x + b);

if isint(y), not_done = 0;

else repeat = repeat + 1; end

end

if not_done, repeat = 1;

else repeat = 0; end

end

P = [x,y];

% find #E, i.e. the number of EC points

numpts = floor((sqrt(p)-1)^2); % Hasse's lower bound

% pick B’s private key < #E

kb = randint(1,1,numpts);

% compute by point addition

Q = P;

for i = 1:kb, Q = ptadd(Q,P,a,p); end

% keep private (kb)

% make public (P,Q,E,p)

clear x y b;

% Alice’s setup

% 1. Obtain image, M, of size h X w uint8 values, arranged

% into pairs, (M1, M2).

% 2. Obtain watermark, W, of length l binary bits, -1,1.

% 3. Select strength factor, alpha.

% 4. Select a secret key, kA, such that 0 < kA < #E,

% where #E is the number of points in E.

% Watermark info

ws = 100; % number of watermarks

wl = 10000; % length of each watermark

wn = 27; % our watermark indices

W = rand(wl,ws); % set of watermarks

W = randint(wl,ws)*2-1; % set of watermarks

alpha = 0.001; % wm scaling factor

%====================================================

% BEGIN IMPLEMENTATION

%====================================================

% Alice’s encryption steps:

% 1. Get Bob’s public information, Ke = (P,Q,E,p).

% 2. Compute y0 = [kA]P and (y1,y2) = [kA]Q.

% 3. Obtain the encrypted image, C = (C1, C2), where

% C1 = y1.M1 mod p, and C2 = y2.M2 mod p.

% 1. Encrypt: e(ka,M) = (y0,y1,y2)

% a) pick a random number ka, s.t. 0 < ka < #E

% b) compute y0 = [ka]P

% c) compute (c1,c2) = ka*beta

% d) compute y1 = c1*m1 mod p

% e) compute y2 = c2*m2 mod p

% pick A’s secret key, ka, s.t. 0 < ka < #E

ka = randint(1,1,numpts-1)+1;

% compute S = [ka]P = y0

S = P;

for i = 1:ka, S = ptadd(S,P,a,p); end

% compute T = [ka]Q = (c1,c2)

T = Q;

for i = 1:ka, T = ptadd(T,Q,a,p); end

% compute cipher text, C = (y1,y2)

clear C

for i = 1:h*w/2,

C(i,:) = mod(T.*M(i,:),p);

end

M = reshape(M,h,w);

% show

C = reshape(C,h,w);

figure(fig), fig = fig + 1;

imshow(C,[min(min(C)) max(max(C))]),

title('Encrypted Image'),

clear T ka i P Q

% Alice’s watermarking steps:

% 1. Discrete cosine transform the encrypted image, C, and sort into

% l largest values except the DC component.

% 2. Obtain C'_{i,j} = C_{i,j} (1 + alpha W_j), for i = 1,2 and j=1:l.

% 3. Inverse discrete cosine transform C' = (C1',C2').

% 4. Send y0 and C' to B.

% 2. Watermark, DCT C and find 1000 largest values,

% except DC.

DCTC = reshape(dct2(C),h*w,1);

[t,I] = sort(-DCTC);

clear t

I = I(2:wl+1);

DCTC2 = DCTC;

% v’ = v(1 + aw)

DCTC2(I) = DCTC2(I).*(1 + alpha.*W(:,wn));

DCTC2 = reshape(DCTC2,h,w);

C2 = idct2(DCTC2);

figure(fig), fig = fig + 1;

imshow(C2,[min(min(C2)) max(max(C2))]),

title('Watermarked Encrypted Image'),

% send B (S,C2)

clear DCTC2

% Bob’s decryption steps:

% 1. Receive altered ciphertext, C’ = (C1’,C2’), and cipherpoint, y0.

% 2. Compute (y1,y2) = [kB]y0.

% 3. Compute the message, M’ = (M1’,M2’), where

% M1' = (y1)^{-1}.C1' mod p, and M2' = (y2)^{-1}.C2' mod p.

% 3. Decrypt: d(y0,y1,y2) = (m1',m2')

% a) compute (c1,c2) = kb*y0

% b) compute m1' = y1*c1^{-1} mod p

% c) compute m2' = y2*c2^{-1} mod p

% find T = (c1,c2)

T = S;

for i = 1:kb, T = ptadd(T,S,a,p); end

% find Z = M’

[d0,d1,d2] = extdeuc(p,T(1));

D(1,1) = mod(d2,p);

[d0,d1,d2] = extdeuc(p,T(2));

D(1,2) = mod(d2,p);

clear M3

C2 = reshape(C2,h*w/2,2);

for i = 1:h*w/2,

M3(i,:) = mod(D.*C2(i,:),p);

end

M3 = reshape(M3,h,w);

if corr2(M3,M) < 0.95, redo = 1; end

figure(fig), fig = fig + 1; imshow(uint8(M3)),

title('Decrypted Watermarked Image Unpaired'),

end % end of redo loop

% 4. Attack point

% 1) Truncating to integer values.

M4 = M3;

M4 = double(uint8(M4));

figure(fig), fig = fig + 1;

imshow(uint8(reshape(M4,h,w))), title('Forced to 8 bits'),

% 5. Detect

% First, make test set of singularly-watermarked images

for i = 1:ws,

DCTC5(:,i) = DCTC;

% v’ = v(1 + aw)

DCTC5(I,i) = DCTC5(I,i).*(1 + alpha.*W(:,i));

IDCTC5(:,:,i) = idct2(reshape(DCTC5(:,i),h,w));

end

for j = 1:ws,

C5 = reshape(IDCTC5(:,:,j),h*w/2,2);

for i = 1:h*w/2,

M5(i,:,j) = mod(D.*C5(i,:),p);

end

end

M5 = reshape(M5,h,w,ws);

M5 = round(M5);

clear DCTC5 IDCTC5 C5

% Second, detection by correlation of watermarked images

% First bit: correlation before attack and no post-processing

for i = 1:ws,

wmcorr1(i) = corr2(M3,M5(:,:,i));

end

figure(fig), fig = fig + 1;

stem(wmcorr1),

title('Correlation to 100 different watermarked images, before attack')

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')

% Second bit: correlation after attack and no post-processing

for i = 1:ws,

wmcorr2(i) = corr2(M4,M5(:,:,i));

end

figure(fig), fig = fig + 1;

stem(wmcorr2),

title('Correlation to 100 different watermarked images, after attack')

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')

% Third bit: correlation after attack and remove original image

M = reshape(M,h,w);

M4 = M4 - M;

for i = 1:ws,

wmcorr3(i) = corr2(M4,M5(:,:,i)-M);

end

figure(fig), fig = fig + 1;

stem(wmcorr3),

title('Correlation to 100 different watermarked images, after attack, minus orig')

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')
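
The Menezes-Vanstone exchange that the comments in the listing above outline, with Alice's and Bob's sides run on constructed pixel pairs; this is an added Python example, not the thesis code. The prime 257, the curve y^2 = x^3 + x + 3, the maximal-order base point and the restriction of kB to values coprime to the point order are assumptions made for this toy.

```python
import math
import random

P = 257       # assumed field prime: the smallest prime above 255, so every pixel is a field element
A, B = 1, 3   # assumed toy curve y^2 = x^3 + A*x + B over F_P (4A^3 + 27B^2 != 0 mod P)
INF = None    # point at infinity


def add(p1, p2):
    """Affine point addition on the curve over F_P."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Scalar multiple [k]pt by double-and-add."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def order(pt):
    n, acc = 1, pt
    while acc is not INF:
        acc, n = add(acc, pt), n + 1
    return n


def base_point():
    """Brute-force the affine points with y != 0; return (point, order) of maximal order."""
    roots = {}
    for y in range(1, P):
        roots.setdefault(y * y % P, []).append(y)
    pts = [(x, y) for x in range(P) for y in roots.get((x ** 3 + A * x + B) % P, [])]
    return max(((pt, order(pt)) for pt in pts), key=lambda t: t[1])


def keygen(rng):
    """Bob: public (base, n, Q = [kb]base), private kb (kept coprime to n in this toy)."""
    base, n = base_point()
    kb = rng.choice([k for k in range(1, n) if math.gcd(k, n) == 1])
    return base, n, mul(kb, base), kb


def encrypt(pairs, base, n, Q, rng):
    """Alice: y0 = [ka]P, (c1, c2) = [ka]Q, then C1 = c1*M1 mod p and C2 = c2*M2 mod p."""
    while True:
        ka = rng.randrange(1, n)
        mask = mul(ka, Q)
        if mask is not INF and mask[0] and mask[1]:   # both masks must be invertible
            break
    c1, c2 = mask
    return mul(ka, base), [(c1 * m1 % P, c2 * m2 % P) for m1, m2 in pairs]


def decrypt(y0, cipher, kb):
    """Bob: recompute (c1, c2) = [kb]y0 and multiply each value by the inverse mask."""
    c1, c2 = mul(kb, y0)
    d1, d2 = pow(c1, -1, P), pow(c2, -1, P)
    return [(d1 * v1 % P, d2 * v2 % P) for v1, v2 in cipher]


def demo(seed=7):
    rng = random.Random(seed)
    base, n, Q, kb = keygen(rng)
    pixels = [(0, 255), (17, 200), (128, 64)]         # constructed pixel pairs (M1, M2)
    y0, cipher = encrypt(pixels, base, n, Q, rng)
    plain = decrypt(y0, cipher, kb)
    # A +1 change to one ciphertext value, as an embedded mark might cause after rounding.
    bumped = [((cipher[1][0] + 1) % P, cipher[1][1])]
    shift = (decrypt(y0, bumped, kb)[0][0] - pixels[1][0]) % P
    return pixels, cipher, plain, shift, mul(kb, y0)[0]


if __name__ == "__main__":
    print(demo())
```

A zero pixel encrypts to zero because the mask is multiplicative, and a change of 1 in a ciphertext value moves the decrypted pixel by the inverse of the mask modulo p rather than by 1.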

C.4.2 JPEG Compression

JPEG conversion and compression to quality 20%.

clear all

close all

fig = 1;

redo = 1;

%====================================================

% SETUP

%====================================================

% Image setup.

% Message, M = (m1,m2) (pairs of message values)

M = double(rgb2gray(imread('lena256x256.tif','tif')));

[h,w] = size(M);

figure(fig), fig = fig + 1; imshow(uint8(M)),

title('Original Image'),

while redo, % start of redo loop

M = reshape(M,h*w/2,2);

redo = 0;

fig = 2;

% Bob’s setup:

% 1. Choose a large prime number, p.

% 2. Choose an elliptic curve, E.

% 3. Choose a point, P, on E.

% 4. Choose a secret key, kB < #E.

% 5. Compute point, Q = [kB]P.

% 6. Make public Ke = (P,Q,E,p) and keep private Kd = (kB).

% Crypto setup.

% a) pick a prime number p, and an elliptic curve (i.e. pick

% a and b)

% b) pick a point P on E

% c) pick Bob’s secret, kb < #E (#E = number of points on E)

% d) compute Q = [kb]P

% if takes more than a 100 guesses, not gonna work with

% those values so begin again.

repeat = 1;

while repeat ~= 0,

% pick prime field

p = randprime(255);

% pick an elliptic curve, i.e. pick random a and b in p

not_done = 1;

while not_done,

a = randint(1,1,p);

b = randint(1,1,p-1)+1; % b cannot be 0

if mod(4*a^3+27*b^2,p) ~= 0, not_done = 0; end

end

% pick a point on the elliptic curve

not_done = 1;

while not_done & repeat < 100,

x = randint(1,1,p);

y = sqrt(x^3 + a*x + b);

if isint(y), not_done = 0;

else repeat = repeat + 1; end

end

if not_done, repeat = 1;

else repeat = 0; end

end

P = [x,y];

% find #E, i.e. the number of EC points

numpts = floor((sqrt(p)-1)^2); % Hasse's lower bound

% pick B’s private key < #E

kb = randint(1,1,numpts);

% compute by point addition

Q = P;

for i = 1:kb, Q = ptadd(Q,P,a,p); end

% keep private (kb)

% make public (P,Q,E,p)

clear x y b;

% Alice’s setup

% 1. Obtain image, M, of size h X w uint8 values, arranged

% into pairs, (M1, M2).

% 2. Obtain watermark, W, of length l binary bits, -1,1.

% 3. Select strength factor, alpha.

% 4. Select a secret key, kA, such that 0 < kA < #E,

% where #E is the number of points in E.

% Watermark info

ws = 100; % number of watermarks

wl = 10000; % length of each watermark

wn = 27; % our watermark indices

W = rand(wl,ws); % set of watermarks

W = randint(wl,ws)*2-1; % set of watermarks

alpha = 0.001; % wm scaling factor

%====================================================

% BEGIN IMPLEMENTATION

%====================================================

% Alice’s encryption steps:

% 1. Get Bob’s public information, Ke = (P,Q,E,p).

% 2. Compute y0 = [kA]P and (y1,y2) = [kA]Q.

% 3. Obtain the encrypted image, C = (C1, C2), where

% C1 = y1.M1 mod p, and C2 = y2.M2 mod p.

% 1. Encrypt: e(ka,M) = (y0,y1,y2)

% a) pick a random number ka, s.t. 0 < ka < #E

% b) compute y0 = [ka]P

% c) compute (c1,c2) = ka*beta

% d) compute y1 = c1*m1 mod p

% e) compute y2 = c2*m2 mod p

% pick A’s secret key, ka, s.t. 0 < ka < #E

ka = randint(1,1,numpts-1)+1;

% compute S = [ka]P = y0

S = P;

for i = 1:ka, S = ptadd(S,P,a,p); end

% compute T = [ka]Q = (c1,c2)

T = Q;

for i = 1:ka, T = ptadd(T,Q,a,p); end

% compute cipher text, C = (y1,y2)

clear C

for i = 1:h*w/2,

C(i,:) = mod(T.*M(i,:),p);

end

M = reshape(M,h,w);

% show

C = reshape(C,h,w);

figure(fig), fig = fig + 1;

imshow(C,[min(min(C)) max(max(C))]),

title('Encrypted Image'),

clear T ka i P Q;

% Alice’s watermarking steps:

% 1. Discrete cosine transform the encrypted image, C, and sort into

% l largest values except the DC component.

% 2. Obtain C'_{i,j} = C_{i,j} (1 + alpha W_j), for i = 1,2 and j=1:l.

% 3. Inverse discrete cosine transform C’ = (C1’,C2’).

% 4. Send y0 and C’ to B.

% 2. Watermark, DCT C and find 1000 largest values, except DC.

DCTC = reshape(dct2(C),h*w,1);

[t,I] = sort(-DCTC);

clear t

I = I(2:wl+1);

DCTC2 = DCTC;

% v’ = v(1 + aw)

DCTC2(I) = DCTC2(I).*(1 + alpha.*W(:,wn));

DCTC2 = reshape(DCTC2,h,w);

C2 = idct2(DCTC2);

figure(fig), fig = fig + 1;

imshow(C2,[min(min(C2)) max(max(C2))]),

title('Watermarked Encrypted Image'),

% send B (S,C2)

clear DCTC2

% Bob’s decryption steps:

% 1. Receive altered ciphertext, C’ = (C1’,C2’), and cipherpoint, y0.

% 2. Compute (y1,y2) = [kB]y0.

% 3. Compute the message, M’ = (M1’,M2’), where

% M1' = (y1)^{-1}.C1' mod p, and M2' = (y2)^{-1}.C2' mod p.

% 3. Decrypt: d(y0,y1,y2) = (m1',m2')

% a) compute (c1,c2) = kb*y0

% b) compute m1' = y1*c1^{-1} mod p

% c) compute m2' = y2*c2^{-1} mod p

% find T = (c1,c2)

T = S;

for i = 1:kb, T = ptadd(T,S,a,p); end

% find Z = M’

[d0,d1,d2] = extdeuc(p,T(1));

D(1,1) = mod(d2,p);

[d0,d1,d2] = extdeuc(p,T(2));

D(1,2) = mod(d2,p);

clear M3

C2 = reshape(C2,h*w/2,2);

for i = 1:h*w/2,

M3(i,:) = mod(D.*C2(i,:),p);

end

M3 = reshape(M3,h,w);

if corr2(M3,M) < 0.95, redo = 1; end

figure(fig), fig = fig + 1; imshow(uint8(M3)),

title('Decrypted Watermarked Image Unpaired'),

end % end of redo loop

% 4. Attack point

% 2) JPEG conversion

M4 = M3;

qual_amt = 10;

imwrite(uint8(M4),'atkmidstage_ecc1242.jpg','jpg', ...
'Quality',qual_amt);

M4 = double(imread('atkmidstage_ecc1242.jpg','jpg'));

figure(fig), fig = fig + 1;

imshow(uint8(M4)), title(['JPEG conversion (Q: ', ...
int2str(qual_amt),'%)']),

% 5. Detect

% First, make test set of singularly-watermarked images

for i = 1:ws,

DCTC5(:,i) = DCTC;

% v’ = v(1 + aw)

DCTC5(I,i) = DCTC5(I,i).*(1 + alpha.*W(:,i));

IDCTC5(:,:,i) = idct2(reshape(DCTC5(:,i),h,w));

end

for j = 1:ws,

C5 = reshape(IDCTC5(:,:,j),h*w/2,2);

for i = 1:h*w/2,

M5(i,:,j) = mod(D.*C5(i,:),p);

end

end

M5 = reshape(M5,h,w,ws);

M5 = round(M5);

clear DCTC5 IDCTC5 C5

% Second, detection by correlation of watermarked images

% First bit: correlation before attack and no post-processing

for i = 1:ws,

wmcorr1(i) = corr2(M3,M5(:,:,i));

end

figure(fig), fig = fig + 1;

stem(wmcorr1),

title('Correlation to 100 different watermarked images, before attack')

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')

% Second bit: correlation after attack and no post-processing

for i = 1:ws,

wmcorr2(i) = corr2(M4,M5(:,:,i));

end

figure(fig), fig = fig + 1;

stem(wmcorr2),

title('Correlation to 100 different watermarked images, after attack')

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')

% Third bit: correlation after attack and remove original image

M = reshape(M,h,w);

M4 = M4 - M;

for i = 1:ws,

wmcorr3(i) = corr2(M4,M5(:,:,i)-M);

end

figure(fig), fig = fig + 1;

stem(wmcorr3),

title('Correlation to 100 different watermarked images, after attack, minus orig')

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')

C.4.3 Cropping and Replacing

Cropping by 1 or 50 pixels from the edges and replacing cropped parts with original unmarked image.

clear all

close all

fig = 1;

redo = 1;

%====================================================

% SETUP

%====================================================

% Image setup.

% Message, M = (m1,m2) (pairs of message values)

M = double(rgb2gray(imread('lena256x256.tif','tif')));

[h,w] = size(M);

figure(fig), fig = fig + 1; imshow(uint8(M)),

title('Original Image'),

while redo, % start of redo loop

M = reshape(M,h*w/2,2);

redo = 0;

fig = 2;

% Bob’s setup:

% 1. Choose a large prime number, p.

% 2. Choose an elliptic curve, E.

% 3. Choose a point, P, on E.

% 4. Choose a secret key, kB < #E.

% 5. Compute point, Q = [kB]P.

% 6. Make public Ke = (P,Q,E,p) and keep private Kd = (kB).

% Crypto setup.

% a) pick a prime number p, and an elliptic curve (i.e. pick

% a and b)

% b) pick a point P on E

% c) pick Bob’s secret, kb < #E (#E = number of points on E)

% d) compute Q = [kb]P

% if takes more than a 100 guesses, not gonna work with

% those values so begin again.

repeat = 1;

while repeat ~= 0,

% pick prime field

p = randprime(255);

% pick an elliptic curve, i.e. pick random a and b in p

not_done = 1;

while not_done,

a = randint(1,1,p);

b = randint(1,1,p-1)+1; % b cannot be 0

if mod(4*a^3+27*b^2,p) ~= 0, not_done = 0; end

end

% pick a point on the elliptic curve

not_done = 1;

while not_done & repeat < 100,

x = randint(1,1,p);

y = sqrt(x^3 + a*x + b);

if isint(y), not_done = 0;

else repeat = repeat + 1; end

end

if not_done, repeat = 1;

else repeat = 0; end

end

P = [x,y];

% find #E, i.e. the number of EC points

numpts = floor((sqrt(p)-1)^2); % Hasse’s lower bound

% pick B’s private key < #E

kb = randint(1,1,numpts);

% compute by point addition

Q = P;

for i = 1:kb, Q = ptadd(Q,P,a,p); end

% keep private (kb)

% make public (P,Q,E,p)

clear x y b;

% Alice’s setup

% 1. Obtain image, M, of size h X w uint8 values, arranged

% into pairs, (M1, M2).

% 2. Obtain watermark, W, of length l binary bits, -1,1.

% 3. Select strength factor, alpha.

% 4. Select a secret key, kA, such that 0 < kA < #E,

% where #E is the number of points in E.

% Watermark info

ws = 100; % number of watermarks

wl = 10000; % length of each watermark

wn = 27; % our watermark indices

W = rand(wl,ws); % set of watermarks

W = randint(wl,ws)*2-1; % set of watermarks

alpha = 0.001; % wm scaling factor

%====================================================

% BEGIN IMPLEMENTATION

%====================================================

% Alice’s encryption steps:

% 1. Get Bob’s public information, Ke = (P,Q,E,p).

% 2. Compute y0 = [kA]P and (y1,y2) = [kA]Q.

% 3. Obtain the encrypted image, C = (C1, C2), where

% C1 = y1.M1 mod p, and C2 = y2.M2 mod p.

% 1. Encrypt: e(ka,M) = (y0,y1,y2)

% a) pick a random number ka, s.t. 0 < ka < #E

% b) compute y0 = [ka]P

% c) compute (c1,c2) = ka*beta

% d) compute y1 = c1*m1 mod p

% e) compute y2 = c2*m2 mod p

% pick A’s secret key, ka, s.t. 0 < ka < #E

ka = randint(1,1,numpts-1)+1;

% compute S = [ka]P = y0

S = P;

for i = 1:ka, S = ptadd(S,P,a,p); end

% compute T = [ka]Q = (c1,c2)

T = Q;

for i = 1:ka, T = ptadd(T,Q,a,p); end

% compute cipher text, C = (y1,y2)

clear C

for i = 1:h*w/2,

C(i,:) = mod(T.*M(i,:),p);

end

M = reshape(M,h,w);

% show

C = reshape(C,h,w);

figure(fig), fig = fig + 1;

imshow(C,[min(min(C)) max(max(C))]),

title('Encrypted Image'),

clear T ka i P Q;

% Alice’s watermarking steps:

% 1. Discrete cosine transform the encrypted image, C, and sort into

% l largest values except the DC component.

% 2. Obtain C_{i,j}’ = C_{i,j} (1 + alpha W_j), for i = 1,2 and j = 1:l.

% 3. Inverse discrete cosine transform C’ = (C1’,C2’).

% 4. Send y0 and C’ to B.

% 2. Watermark, DCT C and find 1000 largest values, except DC.

DCTC = reshape(dct2(C),h*w,1);

[t,I] = sort(-DCTC);

clear t

I = I(2:wl+1);

DCTC2 = DCTC;

% v’ = v(1 + aw)

DCTC2(I) = DCTC2(I).*(1 + alpha.*W(:,wn));

DCTC2 = reshape(DCTC2,h,w);

C2 = idct2(DCTC2);

figure(fig), fig = fig + 1;

imshow(C2,[min(min(C2)) max(max(C2))]),

title('Watermarked Encrypted Image'),

% send B (S,C2)

clear DCTC2

% Bob’s decryption steps:

% 1. Receive altered ciphertext, C’ = (C1’,C2’), and cipherpoint, y0.

% 2. Compute (y1,y2) = [kB]y0.

% 3. Compute the message, M’ = (M1’,M2’), where

% M1’ = (y1)^{-1}.C1’ mod p, and M2’ = (y2)^{-1}.C2’ mod p.

% 3. Decrypt: d(y0,y1,y2) = (m1’,m2’)

% a) compute (c1,c2) = kb*y0

% b) compute m1’ = y1*c1^{-1} mod p

% c) compute m2’ = y2*c2^{-1} mod p

% find T = (c1,c2)

T = S;

for i = 1:kb, T = ptadd(T,S,a,p); end

% find Z = M’

[d0,d1,d2] = extdeuc(p,T(1));

D(1,1) = mod(d2,p);

[d0,d1,d2] = extdeuc(p,T(2));

D(1,2) = mod(d2,p);

clear M3

C2 = reshape(C2,h*w/2,2);

for i = 1:h*w/2,

M3(i,:) = mod(D.*C2(i,:),p);

end

M3 = reshape(M3,h,w);

if corr2(M3,M) < 0.95, redo = 1; end

figure(fig), fig = fig + 1; imshow(uint8(M3)),

title('Decrypted Watermarked Image Unpaired'),

end % end of redo loop

% 4. Attack point

% 3) cropping and replacing

M4 = M3;

crop_amt = 1; % or 50

M4 = imcrop(M4,[crop_amt crop_amt (h-1)-crop_amt*2 (w-1)-crop_amt*2]);

% replace cropped with original unwatermarked image

temp = reshape(M,h,w);

temp(crop_amt:h-crop_amt-1,crop_amt:w-crop_amt-1) = M4;

M4 = temp; clear temp

figure(fig), fig = fig + 1;

imshow(uint8(M4)),

title(['Cropped ',int2str(crop_amt),...
' from edges (replaced with original)']),

% 5. Detect

% First, make test set of singularly-watermarked images

for i = 1:ws,

DCTC5(:,i) = DCTC;

% v’ = v(1 + aw)

DCTC5(I,i) = DCTC5(I,i).*(1 + alpha.*W(:,i));

IDCTC5(:,:,i) = idct2(reshape(DCTC5(:,i),h,w));

end

for j = 1:ws,

C5 = reshape(IDCTC5(:,:,j),h*w/2,2);

for i = 1:h*w/2,

M5(i,:,j) = mod(D.*C5(i,:),p);

end

end

M5 = reshape(M5,h,w,ws);

M5 = round(M5);

clear DCTC5 IDCTC5 C5

% Second, detection by correlation of watermarked images

% First bit: correlation before attack and no post-processing

for i = 1:ws,

wmcorr1(i) = corr2(M3,M5(:,:,i));

end

figure(fig), fig = fig + 1;

stem(wmcorr1),

title('Correlation to 100 different watermarked images, before attack')

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')

% Second bit: correlation after attack and no post-processing

for i = 1:ws,

wmcorr2(i) = corr2(M4,M5(:,:,i));

end

figure(fig), fig = fig + 1;

stem(wmcorr2),

title('Correlation to 100 different watermarked images, after attack')

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')

% Third bit: correlation after attack and remove original image

M = reshape(M,h,w);

M4 = M4 - M;

for i = 1:ws,

wmcorr3(i) = corr2(M4,M5(:,:,i)-M);

end

figure(fig), fig = fig + 1;

stem(wmcorr3),

title(['Correlation to 100 different watermarked images, after ', ...
'attack, minus orig'])

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')
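
The Menezes-Vanstone exchange that the listing's comments outline (Bob's setup, Alice's encryption, Bob's decryption), as an added Python example that is not part of the thesis code. It assumes a toy curve y^2 = x^3 + 2x + 2 over F_17 with base point (5, 1) of order 19 and constructed message values below 17; it goes beyond the listing by rejecting unusable shared points and by showing that an integer factor applied to the ciphertext carries through to the plaintext.

```python
# Added illustration, not the thesis code: Menezes-Vanstone on a toy curve.
# Assumed parameters (constructed for the example): y^2 = x^3 + 2x + 2 over
# F_17 with base point G = (5, 1), whose order is 19.
P_MOD, A, B = 17, 2, 2
G = (5, 1)
INF = None  # point at infinity


def on_curve(pt):
    """True if pt is the point at infinity or satisfies the curve equation."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def ec_add(p1, p2):
    """Add two affine points, with every operation reduced mod P_MOD."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # P + (-P), including doubling a point with y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication, returning exactly [k]pt."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def mask(k, pt):
    """Masking pair (c1, c2) = [k]pt; both coordinates must be invertible."""
    shared = ec_mul(k, pt)
    if shared is INF or 0 in shared:
        raise ValueError("shared point unusable: pick another secret")
    return shared


def encrypt(pub_q, ka, m):
    """Alice: y0 = [ka]G and (y1, y2) = (c1*m1, c2*m2) mod p, (c1, c2) = [ka]Q."""
    if not all(0 <= v < P_MOD for v in m):
        raise ValueError("message values must lie in 0..p-1")
    c1, c2 = mask(ka, pub_q)
    return ec_mul(ka, G), (c1 * m[0] % P_MOD, c2 * m[1] % P_MOD)


def decrypt(kb, y0, y):
    """Bob: (c1, c2) = [kb]y0, then m_i = y_i * c_i^{-1} mod p."""
    if y0 is INF or not on_curve(y0):
        raise ValueError("y0 is not a valid curve point")
    c1, c2 = mask(kb, y0)
    return (y[0] * pow(c1, -1, P_MOD) % P_MOD,
            y[1] * pow(c2, -1, P_MOD) % P_MOD)


def scale(y, s):
    """Multiply both ciphertext values by the integer s, mod p."""
    return tuple(v * s % P_MOD for v in y)


if __name__ == "__main__":
    kb = 3                           # Bob's private key (constructed)
    q = ec_mul(kb, G)                # Bob's public point Q = [kb]G
    y0, y = encrypt(q, 5, (12, 7))   # constructed message pair and secret ka = 5
    print("y0 =", y0, "ciphertext =", y)
    print("decrypted =", decrypt(kb, y0, y))
    print("decrypted after scaling by 3 =", decrypt(kb, y0, scale(y, 3)))
```

With Q = [3]G, the secret ka = 4 is rejected because [4]Q has x = 0, which would zero out the first value of every pair.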

C.4.4 Gaussian Noise Addition

Gaussian noise of zero mean and variance 0.01 is added to the output image. This is a much larger variance than that used with the RSA cryptosystem (C.3), as RSA could not handle larger variances.

clear all

close all, fig = 1;

redo = 1;

%====================================================

% SETUP

%====================================================

% Image setup.

% Message, M = (m1,m2) (pairs of message values)

M = double(rgb2gray(imread('lena256x256.tif','tif')));

[h,w] = size(M);

figure(fig), fig = fig + 1; imshow(uint8(M)),

title('Original Image'),

while redo, % start of redo loop

M = reshape(M,h*w/2,2);

redo = 0;

fig = 2;

% Bob’s setup:

% 1. Choose a large prime number, p.

% 2. Choose an elliptic curve, E.

% 3. Choose a point, P, on E.

% 4. Choose a secret key, kB < #E.

% 5. Compute point, Q = [kB]P.

% 6. Make public Ke = (P,Q,E,p) and keep private Kd = (kB).

% Crypto setup.

% a) pick a prime number p, and an elliptic curve (i.e. pick

% a and b)

% b) pick a point P on E

% c) pick Bob’s secret, kb < #E (#E = number of points on E)

% d) compute Q = [kb]P

% if takes more than a 100 guesses, not gonna work with

% those values so begin again.

repeat = 1;

while repeat ~= 0,

% pick prime field

p = randprime(255);

% pick an elliptic curve, i.e. pick random a and b in p

not_done = 1;

while not_done,

a = randint(1,1,p);

b = randint(1,1,p-1)+1; % b cannot be 0

if mod(4*a^3+27*b^2,p) ~= 0, not_done = 0; end

end

% pick a point on the elliptic curve

not_done = 1;

while not_done & repeat < 100,

x = randint(1,1,p);

y = sqrt(x^3 + a*x + b);

if isint(y), not_done = 0;

else repeat = repeat + 1; end

end

if not_done, repeat = 1;

else repeat = 0; end

end

P = [x,y];

% find #E, i.e. the number of EC points

numpts = floor((sqrt(p)-1)^2); % Hasse’s lower bound

% pick B’s private key < #E

kb = randint(1,1,numpts);

% compute by point addition

Q = P;

for i = 1:kb, Q = ptadd(Q,P,a,p); end

% keep private (kb)

% make public (P,Q,E,p)

clear x y b;

% Alice’s setup

% 1. Obtain image, M, of size h X w uint8 values, arranged

% into pairs, (M1, M2).

% 2. Obtain watermark, W, of length l binary bits, -1,1.

% 3. Select strength factor, alpha.

% 4. Select a secret key, kA, such that 0 < kA < #E,

% where #E is the number of points in E.

% Watermark info

ws = 100; % number of watermarks

wl = 10000; % length of each watermark

wn = 27; % our watermark indices

W = rand(wl,ws); % set of watermarks

W = randint(wl,ws)*2-1; % set of watermarks

alpha = 0.001; % wm scaling factor

%====================================================

% BEGIN IMPLEMENTATION

%====================================================

% Alice’s encryption steps:

% 1. Get Bob’s public information, Ke = (P,Q,E,p).

% 2. Compute y0 = [kA]P and (y1,y2) = [kA]Q.

% 3. Obtain the encrypted image, C = (C1, C2), where

% C1 = y1.M1 mod p, and C2 = y2.M2 mod p.

% 1. Encrypt: e(ka,M) = (y0,y1,y2)

% a) pick a random number ka, s.t. 0 < ka < #E

% b) compute y0 = [ka]P

% c) compute (c1,c2) = ka*beta

% d) compute y1 = c1*m1 mod p

% e) compute y2 = c2*m2 mod p

% pick A’s secret key, ka, s.t. 0 < ka < #E

ka = randint(1,1,numpts-1)+1;

% compute S = [ka]P = y0

S = P;

for i = 1:ka, S = ptadd(S,P,a,p); end

% compute T = [ka]Q = (c1,c2)

T = Q;

for i = 1:ka, T = ptadd(T,Q,a,p); end

% compute cipher text, C = (y1,y2)

clear C

for i = 1:h*w/2,

C(i,:) = mod(T.*M(i,:),p);

end

M = reshape(M,h,w);

% show

C = reshape(C,h,w);

figure(fig), fig = fig + 1;

imshow(C,[min(min(C)) max(max(C))]),

title('Encrypted Image'),

clear T ka i P Q;

% Alice’s watermarking steps:

% 1. Discrete cosine transform the encrypted image, C, and sort into

% l largest values except the DC component.

% 2. Obtain C_{i,j}’ = C_{i,j} (1 + alpha W_j), for i = 1,2 and j = 1:l.

% 3. Inverse discrete cosine transform C’ = (C1’,C2’).

% 4. Send y0 and C’ to B.

% 2. Watermark, DCT C and find 1000 largest values, except DC.

DCTC = reshape(dct2(C),h*w,1);

[t,I] = sort(-DCTC);

clear t

I = I(2:wl+1);

DCTC2 = DCTC;

% v’ = v(1 + aw)

DCTC2(I) = DCTC2(I).*(1 + alpha.*W(:,wn));

DCTC2 = reshape(DCTC2,h,w);

C2 = idct2(DCTC2);

figure(fig), fig = fig + 1;

imshow(C2,[min(min(C2)) max(max(C2))]),

title('Watermarked Encrypted Image'),

% send B (S,C2)

clear DCTC2

% Bob’s decryption steps:

% 1. Receive altered ciphertext, C’ = (C1’,C2’), and cipherpoint, y0.

% 2. Compute (y1,y2) = [kB]y0.

% 3. Compute the message, M’ = (M1’,M2’), where

% M1’ = (y1)^{-1}.C1’ mod p, and M2’ = (y2)^{-1}.C2’ mod p.

% 3. Decrypt: d(y0,y1,y2) = (m1’,m2’)

% a) compute (c1,c2) = kb*y0

% b) compute m1’ = y1*c1^{-1} mod p

% c) compute m2’ = y2*c2^{-1} mod p

% find T = (c1,c2)

T = S;

for i = 1:kb, T = ptadd(T,S,a,p); end

% find Z = M’

[d0,d1,d2] = extdeuc(p,T(1));

D(1,1) = mod(d2,p);

[d0,d1,d2] = extdeuc(p,T(2));

D(1,2) = mod(d2,p);

clear M3

C2 = reshape(C2,h*w/2,2);

for i = 1:h*w/2,

M3(i,:) = mod(D.*C2(i,:),p);

end

M3 = reshape(M3,h,w);

if corr2(M3,M) < 0.95, redo = 1; end

figure(fig), fig = fig + 1; imshow(uint8(M3)),

title('Decrypted Watermarked Image Unpaired'),

end % end of redo loop

% 4. Attack point

% 7) noise

M4 = double(imnoise(uint8(M3),'gaussian',0,0.01));

figure(fig), fig = fig + 1; imshow(uint8(M4)),

title('Noised - Gaussian (var 0.01)'),

% 5. Detect

% First, make test set of singularly-watermarked images

for i = 1:ws,

DCTC5(:,i) = DCTC;

% v’ = v(1 + aw)

DCTC5(I,i) = DCTC5(I,i).*(1 + alpha.*W(:,i));

IDCTC5(:,:,i) = idct2(reshape(DCTC5(:,i),h,w));

end

for j = 1:ws,

C5 = reshape(IDCTC5(:,:,j),h*w/2,2);

for i = 1:h*w/2,

M5(i,:,j) = mod(D.*C5(i,:),p);

end

end

M5 = reshape(M5,h,w,ws);

M5 = round(M5);

clear DCTC5 IDCTC5 C5

% Second, detection by correlation of watermarked images

% First bit: correlation before attack and no post-processing

for i = 1:ws,

wmcorr1(i) = corr2(M3,M5(:,:,i));

end

figure(fig), fig = fig + 1;

stem(wmcorr1),

title('Correlation to 100 different watermarked images, before attack')

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')

% Second bit: correlation after attack and no post-processing

for i = 1:ws,

wmcorr2(i) = corr2(M4,M5(:,:,i));

end

figure(fig), fig = fig + 1;

stem(wmcorr2),

title('Correlation to 100 different watermarked images, after attack')

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')

% Third bit: correlation after attack and remove original image

M = reshape(M,h,w);

M4 = M4 - M;

for i = 1:ws,

wmcorr3(i) = corr2(M4,M5(:,:,i)-M);

end

figure(fig), fig = fig + 1;

stem(wmcorr3),

title(['Correlation to 100 different watermarked images, after ', ...
'attack, minus orig'])

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')

C.4.5 Scaling and Rescaling

Scale by half (or downsample by 2), then rescale back to original dimensions.

clear all

close all, fig = 1;

redo = 1;

%====================================================

% SETUP

%====================================================

% Image setup.

% Message, M = (m1,m2) (pairs of message values)

M = double(rgb2gray(imread('lena256x256.tif','tif')));

[h,w] = size(M);

figure(fig), fig = fig + 1; imshow(uint8(M)),

title('Original Image'),

while redo, % start of redo loop

M = reshape(M,h*w/2,2);

redo = 0;

fig = 2;

% Bob’s setup:

% 1. Choose a large prime number, p.

% 2. Choose an elliptic curve, E.

% 3. Choose a point, P, on E.

% 4. Choose a secret key, kB < #E.

% 5. Compute point, Q = [kB]P.

% 6. Make public Ke = (P,Q,E,p) and keep private Kd = (kB).

% Crypto setup.

% a) pick a prime number p, and an elliptic curve (i.e. pick

% a and b)

% b) pick a point P on E

% c) pick Bob’s secret, kb < #E (#E = number of points on E)

% d) compute Q = [kb]P

% if takes more than a 100 guesses, not gonna work with

% those values so begin again.

repeat = 1;

while repeat ~= 0,

% pick prime field

p = randprime(255);

% pick an elliptic curve, i.e. pick random a and b in p

not_done = 1;

while not_done,

a = randint(1,1,p);

b = randint(1,1,p-1)+1; % b cannot be 0

if mod(4*a^3+27*b^2,p) ~= 0, not_done = 0; end

end

% pick a point on the elliptic curve

not_done = 1;

while not_done & repeat < 100,

x = randint(1,1,p);

y = sqrt(x^3 + a*x + b);

if isint(y), not_done = 0;

else repeat = repeat + 1; end

end

if not_done, repeat = 1;

else repeat = 0; end

end

P = [x,y];

% find #E, i.e. the number of EC points

numpts = floor((sqrt(p)-1)^2); % Hasse’s lower bound

% pick B’s private key < #E

kb = randint(1,1,numpts);

% compute by point addition

Q = P;

for i = 1:kb, Q = ptadd(Q,P,a,p); end

% keep private (kb)

% make public (P,Q,E,p)

clear x y b;

% Alice’s setup

% 1. Obtain image, M, of size h X w uint8 values, arranged

% into pairs, (M1, M2).

% 2. Obtain watermark, W, of length l binary bits, -1,1.

% 3. Select strength factor, alpha.

% 4. Select a secret key, kA, such that 0 < kA < #E,

% where #E is the number of points in E.

% Watermark info

ws = 100; % number of watermarks

wl = 10000; % length of each watermark

wn = 27; % our watermark indices

W = rand(wl,ws); % set of watermarks

W = randint(wl,ws)*2-1; % set of watermarks

alpha = 0.001; % wm scaling factor

%====================================================

% BEGIN IMPLEMENTATION

%====================================================

% Alice’s encryption steps:

% 1. Get Bob’s public information, Ke = (P,Q,E,p).

% 2. Compute y0 = [kA]P and (y1,y2) = [kA]Q.

% 3. Obtain the encrypted image, C = (C1, C2), where

% C1 = y1.M1 mod p, and C2 = y2.M2 mod p.

% 1. Encrypt: e(ka,M) = (y0,y1,y2)

% a) pick a random number ka, s.t. 0 < ka < #E

% b) compute y0 = [ka]P

% c) compute (c1,c2) = ka*beta

% d) compute y1 = c1*m1 mod p

% e) compute y2 = c2*m2 mod p

% pick A’s secret key, ka, s.t. 0 < ka < #E

ka = randint(1,1,numpts-1)+1;

% compute S = [ka]P = y0

S = P;

for i = 1:ka, S = ptadd(S,P,a,p); end

% compute T = [ka]Q = (c1,c2)

T = Q;

for i = 1:ka, T = ptadd(T,Q,a,p); end

% compute cipher text, C = (y1,y2)

clear C

for i = 1:h*w/2,

C(i,:) = mod(T.*M(i,:),p);

end

M = reshape(M,h,w);

% show

C = reshape(C,h,w);

figure(fig), fig = fig + 1;

imshow(C,[min(min(C)) max(max(C))]),

title('Encrypted Image'),

clear T ka i P Q;

% Alice’s watermarking steps:

% 1. Discrete cosine transform the encrypted image, C, and sort into

% l largest values except the DC component.

% 2. Obtain C_{i,j}’ = C_{i,j} (1 + alpha W_j), for i = 1,2 and j = 1:l.

% 3. Inverse discrete cosine transform C’ = (C1’,C2’).

% 4. Send y0 and C’ to B.

% 2. Watermark, DCT C and find 1000 largest values, except DC.

DCTC = reshape(dct2(C),h*w,1);

[t,I] = sort(-DCTC);

clear t

I = I(2:wl+1);

DCTC2 = DCTC;

% v’ = v(1 + aw)

DCTC2(I) = DCTC2(I).*(1 + alpha.*W(:,wn));

DCTC2 = reshape(DCTC2,h,w);

C2 = idct2(DCTC2);

figure(fig), fig = fig + 1;

imshow(C2,[min(min(C2)) max(max(C2))]),

title('Watermarked Encrypted Image'),

% send B (S,C2)

clear DCTC2

% Bob’s decryption steps:

% 1. Receive altered ciphertext, C’ = (C1’,C2’), and cipherpoint, y0.

% 2. Compute (y1,y2) = [kB]y0.

% 3. Compute the message, M’ = (M1’,M2’), where

% M1’ = (y1)^{-1}.C1’ mod p, and M2’ = (y2)^{-1}.C2’ mod p.

% 3. Decrypt: d(y0,y1,y2) = (m1’,m2’)

% a) compute (c1,c2) = kb*y0

% b) compute m1’ = y1*c1^{-1} mod p

% c) compute m2’ = y2*c2^{-1} mod p

% find T = (c1,c2)

T = S;

for i = 1:kb, T = ptadd(T,S,a,p); end

% find Z = M’

[d0,d1,d2] = extdeuc(p,T(1));

D(1,1) = mod(d2,p);

[d0,d1,d2] = extdeuc(p,T(2));

D(1,2) = mod(d2,p);

clear M3

C2 = reshape(C2,h*w/2,2);

for i = 1:h*w/2,

M3(i,:) = mod(D.*C2(i,:),p);

end

M3 = reshape(M3,h,w);

if corr2(M3,M) < 0.95, redo = 1; end

figure(fig), fig = fig + 1; imshow(uint8(M3)),

title('Decrypted Watermarked Image Unpaired'),

end % end of redo loop

% 4. Attack point

% 4) rescaling

M4 = M3;

M4 = imresize(imresize(M4,0.5),2);

figure(fig), fig = fig + 1;

imshow(uint8(M4)), title('Size halved then doubled'),

% 5. Detect

% First, make test set of singularly-watermarked images

for i = 1:ws,

DCTC5(:,i) = DCTC;

% v’ = v(1 + aw)

DCTC5(I,i) = DCTC5(I,i).*(1 + alpha.*W(:,i));

IDCTC5(:,:,i) = idct2(reshape(DCTC5(:,i),h,w));

end

for j = 1:ws,

C5 = reshape(IDCTC5(:,:,j),h*w/2,2);

for i = 1:h*w/2,

M5(i,:,j) = mod(D.*C5(i,:),p);

end

end

M5 = reshape(M5,h,w,ws);

M5 = round(M5);

clear DCTC5 IDCTC5 C5

% Second, detection by correlation of watermarked images

% First bit: correlation before attack and no post-processing

for i = 1:ws,

wmcorr1(i) = corr2(M3,M5(:,:,i));

end

figure(fig), fig = fig + 1;

stem(wmcorr1),

title('Correlation to 100 different watermarked images, before attack')

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')

% Second bit: correlation after attack and no post-processing

for i = 1:ws,

wmcorr2(i) = corr2(M4,M5(:,:,i));

end

figure(fig), fig = fig + 1;

stem(wmcorr2),

title('Correlation to 100 different watermarked images, after attack')

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')

% Third bit: correlation after attack and remove original image

M = reshape(M,h,w);

M4 = M4 - M;

for i = 1:ws,

wmcorr3(i) = corr2(M4,M5(:,:,i)-M);

end

figure(fig), fig = fig + 1;

stem(wmcorr3),

title(['Correlation to 100 different watermarked images, after ', ...
'attack, minus orig'])

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')

C.4.6 Combination Attacks: Rotate, Crop and Rescale

The output image is rotated 1 degree clockwise, cropped by 3 pixels, then rescaled

back to the original dimensions. Bilinear interpolation is used for the rotation and

rescaling functions. The attack is mimicked in the random watermarked set to obtain

a positive match.

clear all

close all, fig = 1;

redo = 1;

%====================================================

% SETUP

%====================================================

% Image setup.

% Message, M = (m1,m2) (pairs of message values)

M = double(rgb2gray(imread('lena256x256.tif','tif')));

[h,w] = size(M);

figure(fig), fig = fig + 1; imshow(uint8(M)),

title('Original Image'),

while redo, % start of redo loop

M = reshape(M,h*w/2,2);

redo = 0;

fig = 2;

% Bob’s setup:

% 1. Choose a large prime number, p.

% 2. Choose an elliptic curve, E.

% 3. Choose a point, P, on E.

% 4. Choose a secret key, kB < #E.

% 5. Compute point, Q = [kB]P.

% 6. Make public Ke = (P,Q,E,p) and keep private Kd = (kB).

% Crypto setup.

% a) pick a prime number p, and an elliptic curve (i.e. pick

% a and b)

% b) pick a point P on E

% c) pick Bob’s secret, kb < #E (#E = number of points on E)

% d) compute Q = [kb]P

% if takes more than a 100 guesses, not gonna work with

% those values so begin again.

repeat = 1;

while repeat ~= 0,

% pick prime field

p = randprime(255);

% pick an elliptic curve, i.e. pick random a and b in p

not_done = 1;

while not_done,

a = randint(1,1,p);

b = randint(1,1,p-1)+1; % b cannot be 0

if mod(4*a^3+27*b^2,p) ~= 0, not_done = 0; end

end

% pick a point on the elliptic curve

not_done = 1;

while not_done & repeat < 100,

x = randint(1,1,p);

y = sqrt(x^3 + a*x + b);

if isint(y), not_done = 0;

else repeat = repeat + 1; end

end

if not_done, repeat = 1;

else repeat = 0; end

end

P = [x,y];

% find #E, i.e. the number of EC points

numpts = floor((sqrt(p)-1)^2); % Hasse’s lower bound

% pick B’s private key < #E

kb = randint(1,1,numpts);

% compute by point addition

Q = P;

for i = 1:kb, Q = ptadd(Q,P,a,p); end

% keep private (kb)

% make public (P,Q,E,p)

clear x y b;

% Alice’s setup

% 1. Obtain image, M, of size h X w uint8 values, arranged

% into pairs, (M1, M2).

% 2. Obtain watermark, W, of length l binary bits, -1,1.

% 3. Select strength factor, alpha.

% 4. Select a secret key, kA, such that 0 < kA < #E,

% where #E is the number of points in E.

% Watermark info

ws = 100; % number of watermarks

wl = 10000; % length of each watermark

wn = 27; % our watermark indices

W = rand(wl,ws); % set of watermarks

W = randint(wl,ws)*2-1; % set of watermarks

alpha = 0.001; % wm scaling factor

%====================================================

% BEGIN IMPLEMENTATION

%====================================================

% Alice’s encryption steps:

% 1. Get Bob’s public information, Ke = (P,Q,E,p).

% 2. Compute y0 = [kA]P and (y1,y2) = [kA]Q.

% 3. Obtain the encrypted image, C = (C1, C2), where

% C1 = y1.M1 mod p, and C2 = y2.M2 mod p.

% 1. Encrypt: e(ka,M) = (y0,y1,y2)

% a) pick a random number ka, s.t. 0 < ka < #E

% b) compute y0 = [ka]P

% c) compute (c1,c2) = ka*beta

% d) compute y1 = c1*m1 mod p

% e) compute y2 = c2*m2 mod p

% pick A’s secret key, ka, s.t. 0 < ka < #E

ka = randint(1,1,numpts-1)+1;

% compute S = [ka]P = y0

S = P;

for i = 1:ka, S = ptadd(S,P,a,p); end

% compute T = [ka]Q = (c1,c2)

T = Q;

for i = 1:ka, T = ptadd(T,Q,a,p); end

% compute cipher text, C = (y1,y2)

clear C

for i = 1:h*w/2,

C(i,:) = mod(T.*M(i,:),p);

end

M = reshape(M,h,w);

% show

C = reshape(C,h,w);

figure(fig), fig = fig + 1;

imshow(C,[min(min(C)) max(max(C))]),

title('Encrypted Image'),

clear T ka i P Q;

% Alice’s watermarking steps:

% 1. Discrete cosine transform the encrypted image, C, and sort into

% l largest values except the DC component.

% 2. Obtain C_{i,j}’ = C_{i,j} (1 + alpha W_j), for i = 1,2 and j = 1:l.

% 3. Inverse discrete cosine transform C’ = (C1’,C2’).

% 4. Send y0 and C’ to B.

% 2. Watermark, DCT C and find 1000 largest values, except DC.

DCTC = reshape(dct2(C),h*w,1);

[t,I] = sort(-DCTC);

clear t

I = I(2:wl+1);

DCTC2 = DCTC;

% v’ = v(1 + aw)

DCTC2(I) = DCTC2(I).*(1 + alpha.*W(:,wn));

DCTC2 = reshape(DCTC2,h,w);

C2 = idct2(DCTC2);

figure(fig), fig = fig + 1;

imshow(C2,[min(min(C2)) max(max(C2))]),

title('Watermarked Encrypted Image'),

% send B (S,C2)

clear DCTC2

% Bob’s decryption steps:

% 1. Receive altered ciphertext, C’ = (C1’,C2’), and cipherpoint, y0.

% 2. Compute (y1,y2) = [kB]y0.

% 3. Compute the message, M’ = (M1’,M2’), where

% M1’ = (y1)^{-1}.C1’ mod p, and M2’ = (y2)^{-1}.C2’ mod p.

% 3. Decrypt: d(y0,y1,y2) = (m1’,m2’)

% a) compute (c1,c2) = kb*y0

% b) compute m1’ = y1*c1^{-1} mod p

% c) compute m2’ = y2*c2^{-1} mod p

% find T = (c1,c2)

T = S;

for i = 1:kb, T = ptadd(T,S,a,p); end

% find Z = M’

[d0,d1,d2] = extdeuc(p,T(1));

D(1,1) = mod(d2,p);

[d0,d1,d2] = extdeuc(p,T(2));

D(1,2) = mod(d2,p);

clear M3

C2 = reshape(C2,h*w/2,2);

for i = 1:h*w/2,

M3(i,:) = mod(D.*C2(i,:),p);

end

M3 = reshape(M3,h,w);

if corr2(M3,M) < 0.7, redo = 1; end

figure(fig), fig = fig + 1; imshow(uint8(M3)),

title('Decrypted Watermarked Image Unpaired'),

end % end of redo loop

% 4. Attack point

% 5) rotation, cropping and rescaling

M4 = M3;

rot_angle = -1;

crop_amt = 3;

int_meth = 'bilinear'; % interpolation method

M4 = imrotate(M4,rot_angle,int_meth,'crop');

M4 = imcrop(M4,[crop_amt crop_amt (h-1)-2*crop_amt (w-1)-2*crop_amt]);

M4 = imresize(M4,[h w],int_meth);

figure(fig), fig = fig + 1;

imshow(uint8(M4))

title('Rotated, bilinear interpolated, cropped, resized'),

% 5. Detect

% First, make test set of singularly-watermarked images

for i = 1:ws,

DCTC5(:,i) = DCTC;

% v’ = v(1 + aw)

DCTC5(I,i) = DCTC5(I,i).*(1 + alpha.*W(:,i));

IDCTC5(:,:,i) = idct2(reshape(DCTC5(:,i),h,w));

end

for j = 1:ws,

C5 = reshape(IDCTC5(:,:,j),h*w/2,2);

for i = 1:h*w/2,

M5(i,:,j) = mod(D.*C5(i,:),p);

end

end

M5 = reshape(M5,h,w,ws);

M5 = round(M5);

clear DCTC5 IDCTC5 C5

% Second, detection by correlation of watermarked images

% First bit: correlation before attack and no post-processing

for i = 1:ws,

wmcorr1(i) = corr2(M3,M5(:,:,i));

end

figure(fig), fig = fig + 1, stem(wmcorr1),

title('Correlation to 100 different watermarked images, before attack')

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')

% Second bit: correlation after attack and no post-processing

for i = 1:ws,

wmcorr2(i) = corr2(M4,M5(:,:,i));

end

figure(fig), fig = fig + 1, stem(wmcorr2),

title('Correlation to 100 different watermarked images, after attack')

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')

% Third bit: correlation after attack and remove original image

M = reshape(M,h,w);

M4 = M4 - M;

for i = 1:ws,

wmcorr3(i) = corr2(M4,M5(:,:,i)-M);

end

figure(fig), fig = fig + 1;

stem(wmcorr3),

title(['Correlation to 100 different watermarked images, after ', ...
'attack, minus orig'])

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')

% Fourth bit: correlation by copying attack, after attack and rem orig

M_end = imrotate(reshape(M,h,w),rot_angle,int_meth,'crop');

M4_end = M4 - M_end;

M5_end = imrotate(reshape(M5,h,w,ws),rot_angle,int_meth,'crop');

for i = 1:ws,

temp = imcrop(M5_end(:,:,i), ...
[crop_amt crop_amt (h-1)-2*crop_amt (w-1)-2*crop_amt]);

temp = imresize(temp,[h w],int_meth);

wmcorr4(i) = corr2(M4_end,temp-M_end);

end

figure(fig), fig = fig + 1; stem(wmcorr4)

title(['Correlation to 100 different watermarked images, after ', ...
'attack, minus orig, copy atk'])

xlabel('Randomly Watermarked Images')

ylabel('Correlation to our watermarked image')

clear temp

C.4.7 Combination Attacks: Crop and Rescale

The output image is cropped by 1 pixel from the edges, then rescaled back to the

original dimensions. Bilinear interpolation is used for rescaling.

clear all

close all

fig = 1;

redo = 1;

%====================================================

% SETUP

%====================================================

% Image setup.

% Message, M = (m1,m2) (pairs of message values)

M = double(rgb2gray(imread('lena256x256.tif','tif')));

[h,w] = size(M);

figure(fig), fig = fig + 1; imshow(uint8(M)),

title('Original Image'),

while redo, % start of redo loop

M = reshape(M,h*w/2,2);

redo = 0;

fig = 2;

% Bob’s setup:

% 1. Choose a large prime number, p.

% 2. Choose an elliptic curve, E.

% 3. Choose a point, P, on E.

% 4. Choose a secret key, kB < #E.

% 5. Compute point, Q = [kB]P.

% 6. Make public Ke = (P,Q,E,p) and keep private Kd = (kB).

% Crypto setup.

% a) pick a prime number p, and an elliptic curve (i.e. pick

% a and b)

% b) pick a point P on E

% c) pick Bob’s secret, kb < #E (#E = number of points on E)

% d) compute Q = [kb]P

% if takes more than a 100 guesses, not gonna work with

% those values so begin again.

repeat = 1;

while repeat ~= 0,

% pick prime field

p = randprime(255);

% pick an elliptic curve, i.e. pick random a and b in p

not_done = 1;

while not_done,

a = randint(1,1,p);

b = randint(1,1,p-1)+1; % b cannot be 0

if mod(4*a^3+27*b^2,p) ~= 0, not_done = 0; end

end

% pick a point on the elliptic curve

not_done = 1;

while not_done & repeat < 100,

x = randint(1,1,p);

y = sqrt(x^3 + a*x + b);

if isint(y), not_done = 0;

else repeat = repeat + 1; end

end

if not_done, repeat = 1;

else repeat = 0; end

end

P = [x,y];

% find #E, i.e. the number of EC points

numpts = floor((sqrt(p)-1)^2); % Hasse’s lower bound

% pick B’s private key < #E

kb = randint(1,1,numpts);

% compute by point addition

Q = P;

for i = 1:kb, Q = ptadd(Q,P,a,p); end

% keep private (kb)

% make public (P,Q,E,p)

clear x y b;

% Alice’s setup

% 1. Obtain image, M, of size h X w uint8 values, arranged

% into pairs, (M1, M2).

% 2. Obtain watermark, W, of length l binary bits, -1,1.

% 3. Select strength factor, alpha.

% 4. Select a secret key, kA, such that 0 < kA < #E,

% where #E is the number of points in E.

% Watermark info

ws = 100; % number of watermarks

wl = 10000; % length of each watermark

wn = 27; % our watermark indices

W = rand(wl,ws); % set of watermarks

W = randint(wl,ws)*2-1; % set of watermarks

alpha = 0.001; % wm scaling factor

%====================================================

% BEGIN IMPLEMENTATION

%====================================================

% Alice’s encryption steps:

% 1. Get Bob’s public information, Ke = (P,Q,E,p).

% 2. Compute y0 = [kA]P and (y1,y2) = [kA]Q.

% 3. Obtain the encrypted image, C = (C1, C2), where

% C1 = y1.M1 mod p, and C2 = y2.M2 mod p.

% 1. Encrypt: e(ka,M) = (y0,y1,y2)

% a) pick a random number ka, s.t. 0 < ka < #E

% b) compute y0 = [ka]P

% c) compute (c1,c2) = ka*beta

% d) compute y1 = c1*m1 mod p

% e) compute y2 = c2*m2 mod p

% pick A’s secret key, ka, s.t. 0 < ka < #E

ka = randint(1,1,numpts-1)+1;

% compute S = [ka]P = y0

S = P;

for i = 1:ka, S = ptadd(S,P,a,p); end

% compute T = [ka]Q = (c1,c2)

T = Q;

for i = 1:ka, T = ptadd(T,Q,a,p); end

% compute cipher text, C = (y1,y2)

clear C

for i = 1:h*w/2,

C(i,:) = mod(T.*M(i,:),p);

end

M = reshape(M,h,w);

% show

C = reshape(C,h,w);

figure(fig), fig = fig + 1;

imshow(C,[min(min(C)) max(max(C))]),

title('Encrypted Image'),

clear T ka i P Q;

% Alice’s watermarking steps:

% 1. Discrete cosine transform the encrypted image, C, and sort into

% l largest values except the DC component.

% 2. Obtain C i,j’ = C i,j (1 + alpha W j), for i = 1,2 and j=1:l.

% 3. Inverse discrete cosine transform C’ = (C1’,C2’).

% 4. Send y0 and C’ to B.

% 2. Watermark, DCT C and find the wl largest values, except DC.

DCTC = reshape(dct2(C),h*w,1);

[t,I] = sort(-DCTC);

clear t

I = I(2:wl+1);

DCTC2 = DCTC;

% v’ = v(1 + aw)

DCTC2(I) = DCTC2(I).*(1 + alpha.*W(:,wn));

DCTC2 = reshape(DCTC2,h,w);

C2 = idct2(DCTC2);

figure(fig), fig = fig + 1;

imshow(C2,[min(min(C2)) max(max(C2))]),

title('Watermarked Encrypted Image'),

% send B (S,C2)

clear DCTC2

% Bob’s decryption steps:

% 1. Receive altered ciphertext, C’ = (C1’,C2’), and cipherpoint, y0.

% 2. Compute (y1,y2) = [kB]y0.

% 3. Compute the message, M’ = (M1’,M2’), where

% M1’ = (y1)^{-1}.C1’ mod p, and M2’ = (y2)^{-1}.C2’ mod p.

% 3. Decrypt: d(y0,y1,y2) = (m1’,m2’)

% a) compute (c1,c2) = kb*y0

% b) compute m1’ = y1*c1^{-1} mod p

% c) compute m2’ = y2*c2^{-1} mod p

% find T = (c1,c2)

T = S;

for i = 1:kb, T = ptadd(T,S,a,p); end

% find Z = M’

[d0,d1,d2] = extdeuc(p,T(1));

D(1,1) = mod(d2,p);

[d0,d1,d2] = extdeuc(p,T(2));

D(1,2) = mod(d2,p);

clear M3

C2 = reshape(C2,h*w/2,2);

for i = 1:h*w/2,

M3(i,:) = mod(D.*C2(i,:),p);

end

M3 = reshape(M3,h,w);

if corr2(M3,M) < 0.95, redo = 1; end

figure(fig), fig = fig + 1; imshow(uint8(M3)),

title('Decrypted Watermarked Image Unpaired'),

end % end of redo loop

% 4. Attack point

% 6) crop and resize

M4 = M3;

crop_amt = 1;

int_meth = 'bilinear'; % interpolation method

M4 = imcrop(M4,[crop_amt crop_amt (h-1)-crop_amt*2 (w-1)-crop_amt*2]);

M4 = imresize(M4,[h w],int_meth);

figure(fig), fig = fig + 1;

imshow(uint8(M4)),

title('Crop 1 pixel and resize'),

% 5. Detect

% First, make test set of singularly-watermarked images

for i = 1:ws,

DCTC5(:,i) = DCTC;

% v’ = v(1 + aw)

DCTC5(I,i) = DCTC5(I,i).*(1 + alpha.*W(:,i));

IDCTC5(:,:,i) = idct2(reshape(DCTC5(:,i),h,w));

end

for j = 1:ws,

C5 = reshape(IDCTC5(:,:,j),h*w/2,2);

for i = 1:h*w/2,

M5(i,:,j) = mod(D.*C5(i,:),p);

end

end

M5 = reshape(M5,h,w,ws);

M5 = round(M5);

clear DCTC5 IDCTC5 C5

% Second, detection by correlation of watermarked images

% First bit: correlation before attack and no post-processing

for i = 1:ws,

wmcorr1(i) = corr2(M3,M5(:,:,i));

end

figure(fig), fig = fig + 1;

stem(wmcorr1),

title('Correlation to 100 different watermarked images, before attack')

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')

% Second bit: correlation after attack and no post-processing

for i = 1:ws,

wmcorr2(i) = corr2(M4,M5(:,:,i));

end

figure(fig), fig = fig + 1;

stem(wmcorr2),

title('Correlation to 100 different watermarked images, after attack')

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')

% Third bit: correlation after attack and remove original image

M = reshape(M,h,w);

M4 = M4 - M;

for i = 1:ws,

wmcorr3(i) = corr2(M4,M5(:,:,i)-M);

end

figure(fig), fig = fig + 1;

stem(wmcorr3),

title(['Correlation to 100 different watermarked images, after ', ...
'attack, minus orig'])

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')

C.4.8 Double Watermarking

Two watermarks are embedded, where the first watermark is at α = 0.0005 and the

second is at α = 0.001.

clear all

close all

fig = 1;

redo = 1;

%====================================================

% SETUP

%====================================================

% Image setup.

% Message, M = (m1,m2) (pairs of message values)

M = double(rgb2gray(imread('lena256x256.tif','tif')));

[h,w] = size(M);

figure(fig), fig = fig + 1; imshow(uint8(M)),

title('Original Image'),

while redo, % start of redo loop

M = reshape(M,h*w/2,2);

redo = 0;

fig = 2;

% Bob’s setup:

% 1. Choose a large prime number, p.

% 2. Choose an elliptic curve, E.

% 3. Choose a point, P, on E.

% 4. Choose a secret key, kB < #E.

% 5. Compute point, Q = [kB]P.

% 6. Make public Ke = (P,Q,E,p) and keep private Kd = (kB).

% Crypto setup.

% a) pick a prime number p, and an elliptic curve (i.e. pick

% a and b)

% b) pick a point P on E

% c) pick Bob’s secret, kb < #E (#E = number of points on E)

% d) compute Q = [kb]P

% if takes more than a 100 guesses, not gonna work with

% those values so begin again.

repeat = 1;

while repeat ~= 0,

% pick prime field

p = randprime(255);

% pick an elliptic curve, i.e. pick random a and b in p

not_done = 1;

while not_done,

a = randint(1,1,p);

b = randint(1,1,p-1)+1; % b cannot be 0

if mod(4*a^3+27*b^2,p) ~= 0, not_done = 0; end

end

% pick a point on the elliptic curve

not_done = 1;

while not_done & repeat < 100,

x = randint(1,1,p);

y = sqrt(x^3 + a*x + b);

if isint(y), not_done = 0;

else repeat = repeat + 1; end

end

if not_done, repeat = 1;

else repeat = 0; end

end

P = [x,y];

% find #E, i.e. the number of EC points

numpts = floor((sqrt(p)-1)^2); % Hasse’s lower bound

% pick B’s private key < #E

kb = randint(1,1,numpts);

% compute by point addition

Q = P;

for i = 1:kb, Q = ptadd(Q,P,a,p); end

% keep private (kb)

% make public (P,Q,E,p)

clear x y b;

% Alice’s setup

% 1. Obtain image, M, of size h X w uint8 values, arranged

% into pairs, (M1, M2).

% 2. Obtain watermark, W, of length l binary bits, -1,1.

% 3. Select strength factor, alpha.

% 4. Select a secret key, kA, such that 0 < kA < #E,

% where #E is the number of points in E.

% Watermark info

ws = 100; % number of watermarks

wl = 10000; % length of each watermark

wn = [27,65]; % our watermark indices

W = rand(wl,ws); % set of watermarks

W = randint(wl,ws)*2-1; % set of watermarks

alpha = 0.001; % wm scaling factor

%====================================================

% BEGIN IMPLEMENTATION

%====================================================

% Alice’s encryption steps:

% 1. Get Bob’s public information, Ke = (P,Q,E,p).

% 2. Compute y0 = [kA]P and (y1,y2) = [kA]Q.

% 3. Obtain the encrypted image, C = (C1, C2), where

% C1 = y1.M1 mod p, and C2 = y2.M2 mod p.

% 1. Encrypt: e(ka,M) = (y0,y1,y2)

% a) pick a random number ka, s.t. 0 < ka < #E

% b) compute y0 = [ka]P

% c) compute (c1,c2) = ka*beta

% d) compute y1 = c1*m1 mod p

% e) compute y2 = c2*m2 mod p

% pick A’s secret key, ka, s.t. 0 < ka < #E

ka = randint(1,1,numpts-1)+1;

% compute S = [ka]P = y0

S = P;

for i = 1:ka, S = ptadd(S,P,a,p); end

% compute T = [ka]Q = (c1,c2)

T = Q;

for i = 1:ka, T = ptadd(T,Q,a,p); end

% compute cipher text, C = (y1,y2)

clear C

for i = 1:h*w/2,

C(i,:) = mod(T.*M(i,:),p);

end

M = reshape(M,h,w);

% show

C = reshape(C,h,w);

figure(fig), fig = fig + 1;

imshow(C,[min(min(C)) max(max(C))]),

title('Encrypted Image'),

clear T ka i P Q;

% Alice’s watermarking steps:

% 1. Discrete cosine transform the encrypted image, C, and sort into

% l largest values except the DC component.

% 2. Obtain C i,j’ = C i,j (1 + alpha W j), for i = 1,2 and j=1:l.

% 3. Inverse discrete cosine transform C’ = (C1’,C2’).

% 4. Send y0 and C’ to B.

% 2. First watermark, DCT C and find the wl largest values, except DC.

DCTC = reshape(dct2(C),h*w,1);

[t,I] = sort(-DCTC);

clear t

I = I(2:wl+1);

DCTC2 = DCTC;

% v’ = v(1 + aw)

DCTC2(I) = DCTC2(I).*(1 + alpha.*W(:,wn(1)));

DCTC2 = reshape(DCTC2,h,w);

C2 = idct2(DCTC2);

figure(fig), fig = fig + 1;

imshow(C2,[min(min(C)) max(max(C))]),

title('Doubly Watermarked Encrypted Image'),

% send B (S,C2)

clear DCTC2

% Bob’s decryption steps:

% 1. Receive altered ciphertext, C’ = (C1’,C2’), and cipherpoint, y0.

% 2. Compute (y1,y2) = [kB]y0.

% 3. Compute the message, M’ = (M1’,M2’), where

% M1’ = (y1)^{-1}.C1’ mod p, and M2’ = (y2)^{-1}.C2’ mod p.

% 3. Decrypt: d(y0,y1,y2) = (m1’,m2’)

% a) compute (c1,c2) = kb*y0

% b) compute m1’ = y1*c1^{-1} mod p

% c) compute m2’ = y2*c2^{-1} mod p

% find T = (c1,c2)

T = S;

for i = 1:kb, T = ptadd(T,S,a,p); end

% find Z = M’

[d0,d1,d2] = extdeuc(p,T(1));

D(1,1) = mod(d2,p);

[d0,d1,d2] = extdeuc(p,T(2));

D(1,2) = mod(d2,p);

clear M3

C3 = reshape(C2,h*w/2,2);

for i = 1:h*w/2,

M3(i,:) = mod(D.*C3(i,:),p);

end

M3 = reshape(M3,h,w);

figure(fig), fig = fig + 1; imshow(uint8(M3)),

title('Decrypted Watermarked Image Unpaired'),

clear C3 i

% 4. Attack point

% 8) Double watermarking and Decryption

% The previous was just for show, now we do the real

% double watermarking, as if A is trying to bury its wm.

DCTC4 = reshape(DCTC,h*w,1);

for j = 1:2,

% v’ = v(1 + aw)

if j == 1,

DCTC4(I) = DCTC4(I).*(1 + (alpha/2).*W(:,wn(j)));

else

DCTC4(I) = DCTC4(I).*(1 + alpha.*W(:,wn(j)));

end

end

C4 = idct2(reshape(DCTC4,h,w));

C4 = reshape(C4,h*w/2,2);

clear M4

for i = 1:h*w/2,

M4(i,:) = mod(D.*C4(i,:),p);

end

M4 = reshape(M4,h,w);

if corr2(M4,M) < 0.95, redo = 1; end

figure(fig), fig = fig + 1; imshow(uint8(M4)),

title('Doubly Watermarked Image'),

clear DCTC4 C4 i j

end % end of redo loop

% 5. Detect

% First, make test set of singularly-watermarked images

for i = 1:ws,

DCTC5(:,i) = DCTC;

% v’ = v(1 + aw)

DCTC5(I,i) = DCTC5(I,i).*(1 + alpha.*W(:,i));

IDCTC5(:,:,i) = idct2(reshape(DCTC5(:,i),h,w));

end

for j = 1:ws,

C5 = reshape(IDCTC5(:,:,j),h*w/2,2);

for i = 1:h*w/2,

M5(i,:,j) = mod(D.*C5(i,:),p);

end

end

M5 = reshape(M5,h,w,ws);

clear DCTC5 IDCTC5 C5 i j D

% Second, detection by correlation of watermarked images

% First bit: correlation before attack and no post-processing

for i = 1:ws,

wmcorr1(i) = corr2(M3,M5(:,:,i));

end

figure(fig), fig = fig + 1;

stem(wmcorr1),

title('Correlation to 100 different watermarked images, before attack')

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')

% Second bit: correlation after attack and no post-processing

for i = 1:ws,

wmcorr2(i) = corr2(M4,M5(:,:,i));

end

figure(fig), fig = fig + 1;

stem(wmcorr2),

title('Correlation to 100 different watermarked images, after attack')

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')

% Third bit: correlation after attack and remove original image

M = reshape(M,h,w);

M4 = M4 - M;

for i = 1:ws,

wmcorr3(i) = corr2(M4,M5(:,:,i)-M);

end

figure(fig), fig = fig + 1;

stem(wmcorr3),

title(['Correlation to 100 different watermarked images, after ', ...
'attack, minus orig'])

xlabel('Randomly Watermarked Images'),

ylabel('Correlation to our watermarked image')

C.5 Extraneous

C.5.1 POWMOD

Also known as exponentiation by squaring.

% z = powmod(x,y,p)

% MATLAB’s mod can’t handle big numbers, so I made one that can.

% p is the value to mod by

% x & y are two values that are normally powered together

% before mod-ing

% e.g. z = mod(x^y,p)

% now z = powmod(x,y,p)

% Based on square-and-multiply algorithm.

% Created By: Angela Wong

% Created On: 26/6/2003

% Last Modified: 09/12/2004

function z = powmod(x,y,p)

z = 1;

while y ~= 0,

while (mod(y,2) == 0),

y = y./2;

x = mod(x.^2,p);

end

y = y - 1;

z = mod(z.*x,p);

end

C.5.2 RANDPRIME

%RANDPRIME Generate random prime numbers.

% Written by Angela Wong @ Centre for Internet Research, Uni of Adelaide.

% Last updated 26/11/03.

%

% RANDPRIME produces a random prime number using RANDSEED. This is the

% only time RANDPRIME uses RANDSEED.

%

% RANDPRIME(RMIN) returns a random prime number from the range

% [RMIN, 2^32-5].

%

% RANDPRIME(RMIN,RMAX) returns a random prime number from the range

% [RMIN, RMAX].

%

% RANDPRIME(RMIN,RMAX,Q) returns a random prime number from the range

% [RMIN, RMAX], with the condition Q. Q can be scalar or a vector.

% Entries for Q are as follows.

% Q Condition

% -------------------------

% 0 Returns q = 2p+1, where p is also a prime.

%

% This generator can generate any prime on the closed interval

% [3, 2^17-1].

%

% The state of this generator is the same as that of RANDSEED.

%

% See also RAND, RANDSEED, PRIMES, ISPRIMES.

function X = RANDPRIME(varargin)

% Basic function setup.

error(nargchk(0,3,nargin));

switch nargin

case 0,

X = randseed;

case 1,

C = primes(2^17-1);

D = C(find(C>=varargin{1}));

X = D(randint(1,1,[1 length(D)]));

case 2,

C = primes(2^17-1);

D = C(find(C>=varargin{1} & C<=varargin{2}));

X = D(randint(1,1,length(D))+1);

case 3,

C = primes(2^17-1);

D = C(find(C>=varargin{1} & C<=varargin{2}));

for i = 1:length(D)

if isprime((D(i)-1)/2)

B(i) = D(i);

else

B(i) = 0;

end

end

C = B(find(B ~= 0));

D = rand(length(C),1);

[B,I] = sort(D);

X = C(I(1));

end

C.5.3 EXTDEUC

% EXTDEUC Apply Extended Euclidean Algorithm

% Written by Angela Wong @ Centre for Internet Research, Uni of Adelaide.

% Last updated 31/08/04.

%

% [D,X,Y] = EXTDEUC(A,B) where A > B, and returns D, X, Y according to

% extended euclidean algorithm:

% D = GCD(A,B), and

% D = A X + B Y.

%

% See also GCD MOD.

function [d,x,y] = EXTDEUC(a,b)

c = a;

if a < b,

a = b; b = c;

end

if b == 0,

d = a;

x = 1;

y = 0;

else

x1 = 0;

x2 = 1;

y1 = 1;

y2 = 0;

while b > 0,

q = floor(a/b);

r = a - q*b;

x = x2 - q*x1;

y = y2 - q*y1;

a = b;

b = r;

x2 = x1;

x1 = x;

y2 = y1;

y1 = y;

end

% b is 0 here; MATLAB defines mod(v,0) = v, so these return a, x2 and y2.

d = mod(a,b);

x = mod(x2,b);

y = mod(y2,b);

end
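An added example, not part of the thesis code: the Menezes-Vanstone steps listed in the C.4 script comments (Bob's setup, Alice's encryption, Bob's decryption) in Python, with a modular square root for point finding, double-and-add, and an extended-Euclid inverse as in EXTDEUC. The curve y^2 = x^3 + 5 over F_263, the keys, the pixel pairs and all function names are constructed for illustration; `thesis_loop` assumes the thesis's `ptadd` (not shown in this section) also handles doubling.

```python
# Added example: Menezes-Vanstone masking on a small constructed curve.
P_MOD = 263      # prime > 255 with p % 4 == 3, so sqrt(v) = v^((p+1)/4)
A, B = 0, 5      # E: y^2 = x^3 + 5 over F_263 (constructed parameters)
INF = None       # point at infinity

def inv_mod(v):
    """Inverse of v mod p by the extended Euclidean algorithm (cf. EXTDEUC)."""
    v %= P_MOD
    if v == 0:
        raise ZeroDivisionError("0 has no inverse mod p")
    r0, r1, t0, t1 = P_MOD, v, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    return t0 % P_MOD

def pt_add(p1, p2):
    """Group law on E: handles infinity, inverse points and doubling."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv_mod(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def scalar_mult(k, pt):
    """[k]pt by double-and-add: O(log k) group operations."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = pt_add(acc, pt)
        pt = pt_add(pt, pt)
        k >>= 1
    return acc

def thesis_loop(k, pt):
    """The scripts' loop 'Q = P; for i = 1:k, Q = ptadd(Q,P,a,p); end'."""
    acc = pt
    for _ in range(k):
        acc = pt_add(acc, pt)
    return acc   # k additions on top of P: this is [k+1]pt

def affine_points():
    """One point per x whose right-hand side is a square mod p."""
    pts = []
    for x in range(P_MOD):
        v = (x ** 3 + A * x + B) % P_MOD
        y = pow(v, (P_MOD + 1) // 4, P_MOD)
        if y * y % P_MOD == v:
            pts.append((x, y))
    return pts

def point_order(pt):
    """Smallest n > 0 with [n]pt = infinity."""
    n, acc = 1, pt
    while acc is not INF:
        acc = pt_add(acc, pt)
        n += 1
    return n

def pick_ka(Q, n, start):
    """First ka >= start whose mask [ka]Q is finite with nonzero coordinates."""
    for ka in range(start, n):
        mask = scalar_mult(ka, Q)
        if mask is not INF and 0 not in mask:
            return ka
    raise ValueError("no usable ka in range")

def mv_encrypt(pairs, ka, P, Q):
    """Alice: y0 = [ka]P, (c1,c2) = [ka]Q, C = (c1*m1, c2*m2) mod p."""
    mask = scalar_mult(ka, Q)
    if mask is INF or 0 in mask:
        raise ValueError("mask not invertible, choose another ka")
    c1, c2 = mask
    return scalar_mult(ka, P), [(c1 * m1 % P_MOD, c2 * m2 % P_MOD) for m1, m2 in pairs]

def mv_decrypt(y0, cipher, kb):
    """Bob: (c1,c2) = [kb]y0, M = (C1*c1^-1, C2*c2^-1) mod p."""
    c1, c2 = scalar_mult(kb, y0)
    d1, d2 = inv_mod(c1), inv_mod(c2)
    return [(d1 * a % P_MOD, d2 * b % P_MOD) for a, b in cipher]

if __name__ == "__main__":
    G = max(affine_points(), key=point_order)   # base point of largest order
    n, kb = point_order(G), 101                 # kb: constructed private key
    Q = scalar_mult(kb, G)
    pixels = [(52, 55), (61, 66), (255, 0)]     # constructed 8-bit pixel pairs
    y0, C = mv_encrypt(pixels, pick_ka(Q, n, 37), G, Q)
    print("order of G:", n, "round trip ok:", mv_decrypt(y0, C, kb) == pixels)
    doubled = [(2 * a % P_MOD, 2 * b % P_MOD) for a, b in C]
    print("decrypt(2*C):", mv_decrypt(y0, doubled, kb))
```

Because the mask is multiplicative, a change applied to the ciphertext carries through decryption modulo p; values that wrap past p, as 2·255 does here, no longer resemble the original pixel.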

Page 208

Page 233: University of Adelaide...Contents Contents iii Abstract vii Statement of Originality ix Acknowledgments xi Publications xiii List of Figures xv List of Tables xxiii Chapter 1. Introduction

Bibliography

ANDERSON-R. J., KUHN-M. G., AND PETITCOLAS-F. A. (1998a). Attacks on Copyright Marking Sys-

tems, Second Workshop on Information Hiding, Vol. 1525 of Lecture Notes in Computer Science,

Portland, Oregon, USA, pp. 218–238.

ANDERSON-R. J., KUHN-M. G., AND PETITCOLAS-F. A. (1998b). Attacks on copyright marking sys-

tems, in D. Aucsmith. (ed.), Second International Workshop on Information Hiding, IH’98, Vol.

1525 of Lecture Notes in Computer Science, Springer-Verlag, Portland, Oregon, USA, pp. 218–

238.

ANDERSON-R. J., KUHN-M. G., AND PETITCOLAS-F. A. (1999). Information Hiding — A Survey, in

B. Macq. (ed.), Proceedings of the IEEE, Vol. 87(7), pp. 1062–1078. Special Issue on Identification

& Protection of Multimedia Information.

ARAKI-K., SATOH-T., AND MIURA-S. (1998). Overview of Elliptic Curve Cryptography, in H. Imai.,

and Y. Zheng. (eds.), Proceedings of the First International Workshop on Practice and Theory in

Public Key Cryptography: Public Key Cryptography, Vol. 1431 of Lecture Notes In Computer

Science, Springer–Verlag, pp. 29–49.

ATKIN-A. O. L. (1992). The number of points on an elliptic curve modulo a prime (ii), Draft.

AUSTRALIAN COMMONWEALTH GOVERNMENT. (1968). Copyright Act 1968, http://www.austlii.

edu.au/au/legis/cth/consol act/ca1968133/. Legislation.

AUSTRALIAN COMMONWEALTH GOVERNMENT. (1999). Electronic Transactions Act 1999, http://

www.austlii.edu.au/au/legis/cth/consol act/eta1999256/. Legislation.

AUSTRALIAN COMMONWEALTH GOVERNMENT. (2000). Copyright Amendment (Digital Agenda)

Act 2000, http://www.austlii.edu.au/au/legis/cth/num act/caaa2000n1102000321/. Leg-

islation.

AUSTRALIAN COMMONWEALTH GOVERNMENT. (2001). Cybercrime Act 2001, http://www.austlii.

edu.au/au/legis/cth/consol act/ca2001112/. Legislation.

BARNI-M., BARTOLINI-F., AND PIVA-A. (2001). Improved Wavelet-Based Watermarking Through

Pixel-Wise Masking, IEEE Transactions on Image Processing, 10(5), pp. 783–791.

BECKER-D. (2003). “hulk” pirate faces three years, http://zdnet.com.com/2102-1105 2-1021005.

html.

BENDER-W., GRUHL-D., MORIMOTO-N., AND LU-A. (1996). Techniques for Data Hiding, IBM Sys-

tems Journal, 35(3&4), pp. 313–336.

BLOOM-J., AND POLYZOIS-C. (2004). Watermarking to Track Motion Picture Theft, Proceedings of the

Thirty-Eighth Asilomar Conference on Signals, Systems, and Computers, Vol. 1, Pacific Grove,

CA, USA, pp. 363–367.

Page 209

Page 234: University of Adelaide...Contents Contents iii Abstract vii Statement of Originality ix Acknowledgments xi Publications xiii List of Figures xv List of Tables xxiii Chapter 1. Introduction

Bibliography

BLOOM-J., COX-I., AND MILLER-M. (2001a). Digital Watermarking, Morgan Kaufmann Publishers,

Inc., San Francisco, CA, USA.

BLOOM-J., MILLER-M., AND COX-I. (2001b). Digital Watermarking, Morgan Kaufmann Publishers,

Inc., San Francisco, CA, USA, chapter 1.

BONEH-D., AND SHAW-J. (1996). Collusion-Secure Fingerprinting for Digital Data, Unpublished.

BORLAND-J. (2003). Shift key breaks CD copy locks, http://news.com.com/Shift+key+breaks+CD+

copy+locks/2100-1025 3-5087875.html.

BRASSIL-J. T., LOW-S., MAXEMCHUK-N. F., AND O’GORMAN-L. (1995). Electronic Marking and

Identification Techniques to Discourage Document Copying, IEEE Journal on Selected Areas in

Communications, 13(4), pp. 1495–1504.

BURNETT-A., WINTERS-K., AND DOWLING-T. (2002). A java implementation of an elliptic curve

cryptosystem, Principles and Practice of Programming in Java 2002 (PPPJ‘02), Trinity College,

Dublin, Ireland, pp. 83–88.

BUTLER-R. W. (2003). Movie industry battles film piracy on many fronts, http://www.kansascity.

com/mld/kansascitystar/6141893.htm.

BYERS-S., CRANOR-L., CRONIN-E., KORMAN-D., AND MCDANIEL-P. (2003). Analysis of Security

Vulnerabilities in the Movie Production and Distribution Process, Proceedings of 2003 ACM

Workshop on Digital Rights Management (DRM 2003), Washinton DC, USA.

CARONNI-G. (1995). Assuring Ownership Rights for Digital Images, in H. H. Bruggemann., and

W. Gerhardt-Hackl. (eds.), Proceedings of Reliable IT Systems VIS’95, Vieweg Publishing Com-

pany, Germany.

CHANG-C.-C., HWANG-M.-S., AND CHEN-T.-S. (2001). A new encryption algorithm for image cryp-

tosystems, Journal of Systems and Software, 58(2), pp. 83–91.

CHENG-H., AND LI-X. (2000). Partial encryption of compressed images and videos, Proceedings of

the IEEE Transactions on Signal Processing, Vol. 48(8), pp. 2439–2451.

CHOI-H., LEE-K., AND KIM-T. (2004). Transformed-Key Asymmetric Watermarking System, IEEE

Signal Processing Letters, 11(2), pp. 251–254.

CHOUINARD-J.-Y., GEORGANAS-N., AND GEORGE-M. (1999). Digital Watermarking of Images and

Video using Direct Sequence Spread Spectrum Techniques, Proceedings of the 1999 IEEE Cana-

dian Conference on Electrical and Computer Engineering, Shaw Conference Center, Edmonton,

Alberta, Canada.

CNN (2003). Hollywood alters movies to foil camcorder pirates, http://www2.cnn.com/2003/TECH/

biztech/04/19/camcorder.piracy.ap.

COSTELLO-S. (2001). RIAA Silences Security Code Crackers, http://www.pcworld.com/resource/

printable/article/0,aid,48546,00.asp.

COUVEIGNES-J.-M. (1994). Quelques calculs en theorie des nombres, PhD thesis, Universite de Bor-

deaux I.

Page 210

Page 235: University of Adelaide...Contents Contents iii Abstract vii Statement of Originality ix Acknowledgments xi Publications xiii List of Figures xv List of Tables xxiii Chapter 1. Introduction

Bibliography

COX-I. J., KILIAN-J., LEIGHTON-T., AND SHAMOON-T. (1995). Secure Spread Spectrum Watermark-

ing for Multimedia, Technical Report 95–10, NEC Research Institute, Princeton, NJ, USA.

CROWCROFT-J., PERKINS-C., AND BROWN-I. (2000). A Method and Apparatus for Generating Multi-

ple Watermarked Copies of an Information Signal, Patent 00/56059.

DEAN-K. (2003). Court Hears DVD Copying Dispute, http://www.wired.com/news/digiwood/0,

1412,58845,00.html.

DEL REY-A. M. (2004). A Novel Cryptosystem for Binary Images, Studies in Informatics and Control.

DUGELAY-J.-L., AND PETITCOLAS-F. A. (2000). Possible counter-attacks against random geometric

distortions, in P. W. Wong., and E. J. Delp. (eds.), Proceedings of SPIE Conference on Electronic

Imaging: Security and Watermarking of Multimedia Contents II, Vol. 3971, San Jose, California,

USA.

EGGERS-J. J., AND GIROD-B. (2001). Quantization Effects on Digital Watermarks, Signal Processing,

81(2), pp. 239–263.

EGGERS-J. J., SU-J. K., AND GIROD-B. (2000). Asymmetric watermarking schemes, Sicherheit in

Netzen und Medienstr omen: Tagungsband des GI Workshops ”Sicherheit in Mediendaten”,

Springer Reihe: Informatik Aktuell, Berlin, Germany.

ELGAMAL-T. (1985). A Public Key Cryptosystem and a Signature Scheme Based on Discrete Loga-

rithms, IEEE Transactions on Information Theory, 31(4), pp. 469–472.

GAUDRY-P. (2000). An algorithm for solving the discrete log problem on hyperelliptic curves, Pro-

ceedings of the Advances in Cryptology (EUROCRYPT 2000) International Conference on the

Theory and Application of Cryptographic Techniques, 1807, pp. 19–34.

GAUDRY-P. (2004). Index calculus for abelian varieties and the elliptic curve discrete logarithm prob-

lem, Cryptology ePrint Archive: Report 2004/073.

GEORGE-M., CHOUINARD-J.-Y., AND GEORGANAS-N. (1999). Spread Spectrum Spatial and Spec-

tral Watermarking for Images and Video, Proceedings of the 1999 IEEE Canadian Workshop in

Information Theory (CWIT’99), Kingston, Ontario, Canada.

GIROD-B., AND HARTUNG-F. (1998). Watermarking of Uncompressed and Compressed Video, Euro-

pean Association for Signal Processing (EURASIP), 66(3), pp. 283–301.

GIROD-B., HARTUNG-F., AND SU-J. K. (1999). Spread Spectrum Watermarking: Malicious Attacks

and Counterattacks, Proceedings of SPIE, Vol. 3657, San Jose, CA, USA, pp. 147–158.

GLASNER-J. (2002). Harry Potter in Theaters, Online, http://www.wired.com/news/technology/0,

1294,56400,00.html.

GROSSMAN-W. M. (2001). To Protect and Self-Serve, http://www.sciam.com/article.cfm?

articleID=000B17E8-7A09-1C70-84A9809EC588EF21.

HACHEZ-G., AND QUISQUATER-J.-J. (2002). Which directions for asymmetric watermarking?, Pro-

ceedings of the 11th European Signal Processing Conference (EUSIPCO 2002), Vol. 1, Toulouse,

France, pp. 283–286.

Page 211

Page 236: University of Adelaide...Contents Contents iii Abstract vii Statement of Originality ix Acknowledgments xi Publications xiii List of Figures xv List of Tables xxiii Chapter 1. Introduction

Bibliography

HANKERSON-D., HERNANDEZ-J. L., AND MENEZES-A. (2000). Software Implementation of Ellip-

tic Curve Cryptography Over Binary Fields, Proceedings of the Second International Workshop

on Cryptographic Hardware and Embedded Systems, Vol. 1956 of Lecture Notes In Computer

Science, pp. 1–24.

HARTUNG-F. H., AND GIROD-B. (1997). Fast Public-Key Watermarking of Compressed Video, Pro-

ceedings of IEEE International Conference on Image Processing (ICIP’97), Vol. I, Santa Barbara,

CA, USA, pp. 528–531.

HEMBROOKE-E. F. (1961). Identification of sound and like signals, United States Patent, No. 3,004,104.

IBM RESEARCH. (1999). Galaxy Proposal for DVD Copy Protection, http://www.trl.ibm.com/

projects/RightsManagement/datahiding/dhvg2 e.htm.

KAZAKEVICIUTE-G., JANUSKEVICIUS-E., ROSENBAUM-R., AND SCHUMANN-H. (2005). Tamper-Proof Image Watermarking, Based on Existing Public Key Infrastructure, INFORMATICA, 16(1), pp. 75–92.

KESDEN-G. (2000). 15–412 Operating Systems: Design and Implementation, Lecture 33, http://www-2.cs.cmu.edu/~dst/DeCSS/Kesden/.

KETOLA. (1999). DeCSS causes a huge fuss, http://www.afterdawn.com/news/archive/363.cfm.

KILLERMOVIES. (2003). “Two Towers” Oscar DVDs Pirated In The UK, http://www.killermovies.com/l/lotrthetwotowers/articles/2718.html.

KIM-G., SHIN-D., AND SHIN-D. (2004). An Effective Adaptation of Encryption on MPEG-4 Video Streams for Digital Rights Management in an Ubiquitous Computing Environment, Embedded and Ubiquitous Computing, 3207, pp. 642–651.

KING-G., LAI-M., AND YANG-A. (1999a). CSS Demystified, http://cse.stanford.edu/class/cs201/projects-99-00/dmca-2k/css.html.

KING-G., LAI-M., AND YANG-A. (1999b). Macrovision Demystified, http://cse.stanford.edu/class/cs201/projects-99-00/dmca-2k/macrovision.html.

KONTZER-T. (2001). Hollywood Goes Internet, http://www.informationweek.com/story/IWK20011108S0015. InformationWeek.com.

KUTTER-M. (1998). Watermarking resisting to translation, rotation and scaling, in A. G. Tescher., B. Vasudev., V. M. Bove Jr.., and B. Derryberry. (eds.), Proceedings of the SPIE International Symposium on Voice, Video, and Data Communications, Conference on Multimedia Systems and Applications, Vol. 3528, The International Society for Optical Engineering, Boston, MA, USA, pp. 423–431.

LAM-K.-Y., LING-S., AND HUI-L. C.-K. (1996). Efficient Generation of Elliptic Curve Cryptosystems, in J.-Y. Cai., and C. K. Wong. (eds.), Proceedings of the Second Annual International Conference on Computing and Combinatorics, COCOON ’96, Vol. 1090 of Lecture Notes in Computer Science, Springer, Hong Kong, pp. 411–416.

LANGELAAR-G. C., VAN DER LUBBE-J. C. A., AND LAGENDIJK-R. L. (1997). Robust Labeling Methods for Copy Protection of Images, Proceedings of SPIE Conference on Storage and Retrieval for Image and Video Databases V, Vol. 3022, San Jose, CA, USA, pp. 298–309.

LAWLOR-D. (2001). New Coalition Developing DVD Watermark, http://www.cdmediaworld.com/hardware/cdrom/news/0105/dvd watermark.shtml.

LEI-C.-L., YU-P.-L., TSAI-P.-L., AND CHAN-M.-H. (2004). An Efficient and Anonymous Buyer-Seller Watermarking Protocol, IEEE Transactions on Image Processing, 13(12), pp. 1618–1626.

LIN-G.-S., CHANG-H. T., LIE-W.-N., AND CHUANG-C.-H. (2003). Public-key-based optical image cryptosystem based on data embedding techniques, SPIE Journal on Optical Engineering, 42(8), pp. 2331–2339.

LINNARTZ-J.-P. M. G. (1998). The “Ticket” Concept for Copy Control Based on Embedding Signalling, European Symposium on research in Computer Security (ESORICS) ’98, Vol. 1485 of Lecture Notes in Computer Science, Springer, Louvain-La-Neuve, pp. 257–274.

LI-S., AND ZHENG-X. (2002). Cryptanalysis of a chaotic image encryption method, Proceedings of 2002 IEEE International Symposium on Circuits and Systems (ISCAS 2002), Vol. II, Scottsdale, Arizona, USA, pp. 708–711.

LI-S., ZHENG-X., MOU-X., AND CAI-Y. (2002). Chaotic Encryption Scheme for Real-Time Digital Video, in N. Kehtarnavaz. (ed.), Proceedings of the SPIE Conference on Real-Time Imaging VI, Vol. 4666 of SPIE – The International Society for Optical Engineering, San Jose, California, USA, pp. 149–160.

LYMAN-J. (2002). Pirated Star Wars Movie Now Showing on Internet, http://www.newsfactor.com/perl/story/17714.html.

MATSUI-K., AND TANAKA-K. (1994). Video-Steganography: How to Secretly Embed a Signature in a Picture, Proceedings of IMA Intellectual Property, Vol. 1, pp. 187–206.

MCCULLAGH-D. (2003). States add stricter copyright laws, http://zdnet.com.com/2100-1104-994667.html.

MCKEE-J. (1999). Speeding Fermat’s factoring method, Mathematics of Computation, 68(228), pp. 1729–1737.

MEDIALINE NEWS. (2002). BSA: Global Piracy Rate Increases to 40 Percent, http://www.medialinenews.com/issues/2002/june/news0612 5.shtml.

MEEL-P. J. (1999). Spread Spectrum (SS) — An Introduction, http://www.sss-mag.com/pdf/Ss jme denayer intro print.pdf.

MEERWALD-P., AND UHL-A. (2001). A Survey of Wavelet-domain Watermarking Algorithms, in P. W. Wong., and E. J. Delp. (eds.), Proceedings of SPIE, Electronic Imaging, Security and Watermarking of Multimedia Contents III, Vol. 4314, SPIE, San Jose, CA, USA.

MILLER-M. L., COX-I. J., AND BLOOM-J. A. (1999). Watermarking in the Real World: An Application to DVD, Thirty-third Asilomar Conference on Signals, Systems, and Computers, Vol. 2, IEEE, Pacific Grove, CA, USA, pp. 1496–1502.

MILLER-V. S. (1985). Use of elliptic curves in cryptography, Advances in cryptology—CRYPTO 85, Vol. 218 of Lecture notes in computer sciences, Springer-Verlag New York, Inc., New York, NY, USA, pp. 417–426.

MOTION PICTURE ASSOCIATION OF AMERICA. (2005). Worldwide Study of Losses to the Film Industry & International Economies Due to Piracy; Pirate Profiles, http://www.mpaa.org/2006 05 03leksumm.pdf. Last Checked: December 14 2006.

MOTION PICTURE ASSOCIATION OF AMERICA. (n.d.). Legal Cases, http://www.mpaa.org/newsStand Legal.asp.

NATIONAL SECURITY AGENCY. (2005). Suite B, http://www.nsa.gov/ia/industry/crypto suite b.cfm.

OKEYA-K., AND SAKURAI-K. (2000). Power analysis breaks elliptic curve cryptosystems even secure against the timing attack, Progress in Cryptology-INDOCRYPT, 1977, pp. 178–190.

OLSEN-S. (2003). Lights go up on CinemaNow-MGM Deal, http://news.com.com/Lights+go+up+on+CinemaNow-MGM+deal/2100-1025 3-998800.html. CNET News.com.

OSBOURNE-D. (2005). Embedded Watermarking for Image Verification in Telemedicine, PhD thesis, Electrical and Electronic Engineering, University of Adelaide, Adelaide, SA, Australia. http://thesis.library.adelaide.edu.au/uploads/approved/adt-SUA20060222.094710/public/02whole.pdf.

PAILLIER-P. (1999). Public key cryptosystems based on composite degree residuosity classes, in J. Stern. (ed.), Proceedings of Advances in Cryptology – Eurocrypt’99, Vol. 1592 of Lecture Notes on Computer Science.

PATRIZIO-A. (1999). Why the DVD Hack Was a Cinch, http://www.wired.com/news/technology/0,1282,32263,00.html.

PETITCOLAS-F. A. P. (2000). Watermarking schemes evaluation, IEEE Signal Processing, 17(5), pp. 58–64.

PIRACYISACRIME.COM. (2005). The fight back against DVD piracy, http://www.piracyisacrime.com/press/pdfs/ipac 8pp brochure.pdf.

PITAS-I., AND KASKALIS-T. (1995). Applying Signatures on digital images, Proceedings of IEEE Workshop on Nonlinear Signal and Image Processing, Neos Marmaras, Halkidiki, Greece, pp. 460–463.

PIVA-A., BARTOLINI-F., AND BARNI-M. (2002). Managing Copyright in Open Networks, IEEE Internet Computing, 6(3), pp. 18–26.

QIAO-L., AND NAHRSTEDT-K. (1997a). A New Algorithm for MPEG Video Encryption, Proceedings of the First International Conference on Imaging Science, Systems, and Technology (CISST’97), Las Vegas, Nevada, USA.

QIAO-L., AND NAHRSTEDT-K. (1997b). Is MPEG Encryption by Using Random List Instead of Zigzag Order Secure?

RABIN-M. (1979). Digital Signatures and Public-Key Infrastructure as Intractable as Factorization, MIT Laboratory for Computer Science.

REGAN-K. (2006). Disney, iTunes Partnership Off to a Rousing Start, http://www.macnewsworld.com/story/53134.html.

RIVEST-R. L., SHAMIR-A., AND ADLEMAN-L. (1978). A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, 21(2), pp. 120–126.

ROSING-M. (1999). Implementing elliptic curve cryptography, Manning Publications Co., Greenwich, CT, USA.

ROUSH-W. (2002). The Death of Digital Rights Management?, http://www.technologyreview.com/articles/innovation10302.asp. Publicly accessed.

SCHOOF-R. (1985). Elliptic curves over finite fields and the computation of square roots mod p, Mathematics of Computation, 44(170), pp. 483–494.

SCHOOF-R. (1995). Counting points on elliptic curves over finite fields, Journal de Théorie des Nombres de Bordeaux 7, pp. 219–254.

SCHWARTZ-J. (2003). Hollywood Faces Online Piracy, but It Looks Like an Inside Job, http://www.nytimes.com/2003/09/15/technology/15MOVI.html?ex=1378958400&en=5ff2b9031c983a39&ei=5007&partner=USERLAND.

SHANKS-D. (1971). Class number, a theory of factorization and genera, Proceedings of the Symposium on Pure Mathematics, Vol. 20 of 1969 Institute on Number Theory, American Mathematical Society, Providence, RI, USA, pp. 415–440.

SHEPPARD-N. P., SAFAVI-NAINI-R., AND OGUNBONA-P. (2004). Secure Multimedia Authoring with Dishonest Collaborators, EURASIP Journal on Applied Signal Processing, 2004(14), pp. 2214–2223. doi:10.1155/S1110865704401085.

SHOUP-V. (1997). Lower bounds for discrete logarithms and related problems, Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques (Eurocrypt ’97), 1233, pp. 256–266.

SILVERMAN-J., AND TATE-J. (1992). Rational Points on Elliptic Curves, Springer-Verlag Inc., New York.

SMITH-J. R., AND COMISKEY-B. O. (1996). Modulation and Information Hiding in Images, Workshop on Information Hiding, Vol. 1174 of Lecture Notes in Computer Science, Springer-Verlag, Isaac Newton Institute, University of Cambridge, UK.

STEVENSON-F. A. (1999). Cryptanalysis of Contents Scrambling System, http://www.insecure.org/news/cryptanalysis of contents scrambling system.htm.

TANAKA-K., NAKAMURA-Y., AND MATSUI-K. (1990a). Embedding Secret Information into a Dithered Multi-level Image, Proceedings of 1990 IEEE Military Communications Conference, pp. 216–220.

TANAKA-K., NAKAMURA-Y., AND MATSUI-K. (1990b). New Integrated Coding Schemes for Computer-Aided Facsimile, International Conference on Systems Integration ICSI 1990, pp. 275–281.

THE FEDERATION AGAINST COPYRIGHT THEFT (FACT). (2005a). Media Centre/ Press Releases, http://www.fact-uk.org.uk/site/media centre/pressreleases.htm.

THE FEDERATION AGAINST COPYRIGHT THEFT (FACT). (2005b). Media Centre/ Statistics, http://www.fact-uk.org.uk/site/media centre/dvd seiz 0405.htm.

TORII-N., AND YOKOYAMA-K. (2000). Elliptic Curve Cryptosystem, Fujitsu Scientific & Technical Journal, 36(2), pp. 140–146.

TURNER-L. F. (1989). Digital Data Security System, Patent IPN WO 89/08915.

US COPYRIGHT OFFICE. (1998). Digital Millennium Copyright Act of 1998, http://www.copyright.gov/legislation/dmca.pdf. Legislation.

VAN SCHYNDEL-R. G., TIRKEL-A. Z., AND OSBORNE-C. F. (1994). A Digital Watermark, Proceedings of IEEE International Conference on Image Processing, Vol. 1, pp. 86–90.

VON LOHMANN-F. (2003). State “Super-DMCA” Legislation: MPAA’s Stealth Attack on Your Living Room, http://www.efg.org/IP/DMCA/states/200304 sdmca eff analysis.php.

WIENER-M. J. (1990). Cryptanalysis of Short RSA Secret Exponents, IEEE Transactions on Information Theory, 36(3), pp. 553–558.

WIENER-M. J., AND ZUCCHERATO-R. J. (1999). Faster Attacks on Elliptic Curve Cryptosystems, in S. Tavares., and H. Meijer. (eds.), Selected Areas in Cryptography: 5th Annual International Workshops (SAC’98), Vol. 1556 of Lecture Notes in Computer Science, Springer, Kingston, Ontario, CANADA, pp. 190–200.

WOLFGANG-R. B., PODILCHUK-C. I., AND DELP-E. J. (1999). Perceptual Watermarks for Digital Images and Video, in B. Macq. (ed.), Proceedings of the IEEE, Vol. 87(7), pp. 1108–1126. Special Issue on Identification & Protection of Multimedia Information.

XU-X., DEXTER-S. D., AND ESKICIOGLU-A. M. (2004). A hybrid scheme for encryption and watermarking, in E. J. Delp., and P. W. Wong. (eds.), Proceedings of the SPIE Conference on Security, Steganography, and Watermarking of Multimedia Contents, Vol. 5306, SPIE, San Jose, CA, USA, pp. 725–736.

YANG-J., LIU-Q., TAN-G., AND MING-H. (2003). Elliptic curve cryptographic watermark technique, in H. Lu., and T. Zhang. (eds.), Proceedings of SPIE, Vol. 5286 of Third International Symposium on Multispectral Image Processing and Pattern Recognition, Beijing, China, pp. 155–158.

YEN-J.-C., AND GOU-J.-I. (2000). A new chaotic key-based design for image encryption and decryption, Proceedings of the 2000 IEEE International Symposium on Circuits and Systems (ISCAS 2000), Vol. 4, Geneva, Switzerland, pp. 49–52.

YU-P. K. (2002). How The Motion Picture And Recording Industries Are Losing The Copyright War By Fighting Misdirected Battles, FindLaw’s Writ: Legal Commentary.

ZHANG-J., KOU-W., AND FAN-K. (2006). Secure buyer-seller watermarking protocol, IEE Proceedings on Information Security, Vol. 153(1), pp. 15–18.

ZHOU-Y. (2000). Copyright Protection of compressed Video Using DCT-based Watermarking Technology, citeseer.ist.psu.edu/401180.html.
