Cryptanalysis of Correlation-Based Watermarking Schemes

Download Report

Transcript Cryptanalysis of Correlation-Based Watermarking Schemes

Cryptanalysis of Correlation-Based
Watermarking Schemes Using Single
Watermarked Copy
Author: Tanmoy Kanti Das and Subhamoy Maitra
From IEEE SIGNAL PEOCESSING LETTERS,
April 2004
Presented by 詹益誌
6/8/2004
Outline
• Introduction
• How to Get Convinced That the Attack is
Successful.
• Exact Cryptoanalytic Attack.
• Experimental results.
• Conclusions
Introduction
• Most of the existing digital watermarking
techniques are based on correlation between
“some information stored in the watermarked
copy” and “related information retrieved from
attacked watermarked copy”.
• They show how to remove this correlation to
mount a cipher text-only cryptanalytic attack
on these watermarking schemes.
How to Get Convinced That the
Attack is Successful
• Theorem 1: consider two datasets v1,…,vt and
u1,…,ut that are uncorrelated.The mean
and standard deviation of the dataset
( xk (1  k )  xk (1   k )) / xk (1   k ), k  1,, t
are approximately
2
2



and

  2 
    / t k 1 t
2
k
How to Get Convinced That the
Attack is Successful
( xk (1  k )  xk (1   k )) / xk (1   k )
(  k  k )(1  k )
(  k  k )
• Corollary 1: consider two datasets v1,…,vt
and u1,…,ut selected at random from a
standard normal distribution.
The mean and standard deviation of the data
u1-v1,…,ut-vt are approximately  and 2
How to Get Convinced That the
Attack is Successful
• I d( i )  I d  s (i )
• Neither Id nor s(i) is known to the attacker,
but some knowledge about statistical
distribution of s(i) is known.
( j)
( j)
• Id  Id  s
(i )
( j)
(i , j )
• I d  I d  sd
sd(i , j ) [k ]  ( I d(i ) [k ]  I d( j ) [k ]) / I d( j ) [k ]
Exact Cryptoanalytic Attack
1. A single watermarked copy I(i) is available. Push
I(i) in a stack ST of image.
2. Take the topmost image from the stack ST and
consider it as I#.
3. The maximum t values of Id# are identified. DCT
polynomial are formed.
4. The coefficients of the DCT polynomial are
changed in a small range to create a population
of several DCT polynomials and respective
images are considered.
Exact Cryptoanalytic Attack
5.From the population, images are selected which
are visually indistinguishable from I(i).
Moreover, we analyze s(i,#) as mentioned above.
If the mean and standard deviation of s(I,#) is
close to 0.1 and 2 , respectively, then we select
Id# as an attacked one.
6.If required number of images are available, the
terminate; otherwise go to step 2.
Experimental results
• <image name, count of image, mean, std of
the data s(I,#), PSNR(w,a)>
• <Lena , 7200, 0.16, 0.69, 33.88>
• <Pentagon, 8400, 0.193, 1.71, 32.7>
• <Peppers , 6000, 0.081, 1.84, 31.93>
Experimental results
• <image name, PSNR(o,w), PSNR(o,a),
correlation, similarity factor>
• <Lena,
36.77, 33.02, 0.178, 1.08>
• <Pentagon, 42.3, 32.1, 0.169, 1.91>
• <Peppers, 36.94, 30.78, 0.181, 2.01>
Conclusions
• Support the theoretical concepts based on
statistical criteria.