Broken Arrows

This paper makes an account of the design and investigations done for the still image watermarking technique used in the 2nd edition of the BOWS challenge. This technique is named “broken arrows” for some reasons given later on, and abbreviated “BA.” This zero-bit algorithm is an implementation of a recent theoretical result by Merhav and Sabbag (2008) with precautions taken with respect to robustness, security, and imperceptibility. A new robustness criterion, based on the nearest border point of a cone, is proposed. The security constraint is taken into account by increasing the diversity of the watermark, sculpturing and randomizing the shape of the detection regions. The imperceptibility and robustness are also provided by adopting proportional embedding in the wavelet domain. The algorithm has been benchmarked using a database of 2000 images. For a probability of false alarm below and a PSNR of 43 dB, the overall robustness regarding various classical image processing seems a promising and strong basis for the challenge.

1.1. Motivations

The watermarking technique “broken arrows” has been designed especially for the break our watermarking scheme 2nd edition (BOWS-2) contest. From the lessons learnt during BOWS-1, we had in mind to design a pure zero-bit watermarking scheme (no message decoding), which spreads the presence of the mark all over the host image. The BOWS-2 challenge is divided into three episodes with different contexts. The first episode aims at benchmarking the robustness of the technique against common image processing tools (compression, denoising, filtering, etc.). Thus, “BA” must be efficient so that it strongly multiplexes the original content and the watermarking signal in a nonreversible way when the secret key is not known. Moreover, no robustness against geometrical attacks is needed because they yield low PSNR values unacceptable in the contest. The second episode is dedicated to oracle attacks. The technique must be sufficiently simple so that the software implementation of the detector runs very fast because we expect a huge number of trials during this second episode. Counterattacks should be included if possible in the design. The third episode focuses on threats when many contents watermarked with the same secret key are released. The contenders are expected to deduce some knowledge about the secret key in order to better hack the pictures. “BA” must not be trivially hacked. This is not an easy task especially since zero-bit watermarking tends to lack diversity.

This technique is inspired from four articles of different fields: information theory [1], signal processing and game theory [2], statistics [3], and image processing [4]. During the design, we relied on the following key ideas.

1. (i)

   We do not know how to zero-bit watermark an image. However, the recent work [1] shows that the optimum scheme for Gaussian vectors under certain restrictions among which is the low complexity of the detector exactly matching our requirement.

2. (ii)

   Multiplicative embedding (aka proportional embedding) offers many advantages: an embedding that is easy to implement and compliant with the human visual system [4], plus a good approximation of game theoretical optimum solution for spread spectrum schemes [2].

3. (iii)

   One of the most difficult things in zero-bit watermarking is to assess that the false alarm probability is lower than a given level. Yet, one exception is for detection regions shaped like hypercones where tractable numerical calculations exist [1, 3].

4. (iv)

   The wavelet domain is one of the best embedding domain even if the watermark signal has been created in another space, because it is compliant with the human visual system. There exists a fast wavelet transform based on the lifting scheme.

In a nutshell, the detection regions are represented by a set of slightly modified hypercones. The embedding is classically done by moving a feature vector of the host content deep inside this detection region to obtain a watermarked vector . The detection is performed by checking whether a feature vector extracted from a submitted image belongs or not to one of these hypercones (see Section 3).

1.2. Three General Constraints

Other subtleties of BA are motivated by the general constraints in image watermarking, for example, security, robustness, and distortion.

Distortion

The visual distortion has been taken into account by choosing the medium and high frequencies of the image thanks to the wavelet transform (see Section 2.2) and applying the proportional embedding (see Section 4). The PSNR of the watermarked images is controlled during the embedding, resorting to norm conservation property of some orthogonal transforms (see Section 2) and by taking into account the proportional embedding step (see Section 4.1).

Robustness

BA relies on two techniques in order to have a decent robustness. The first one is commonly known as informed embedding. Vector is generated in order to be as far as possible from the border of the detection region (see Section 3.1.2). Furthermore, proportional embedding in a transform domain enables to merge two signals sharing the same statistical structure. The host is almost decorrelated in this transform domain like the watermark signal, while the watermark signal amplitude is shaped as the one of the host. This helps to be robust against denoising attacks like Wiener filtering.

Security

The original content is projected successively onto lower-dimensional subspaces in order to ease the creation of the watermark signal (see Sections 2.2 and 2.3). However, the first projection is private and depends on the secret key. This prevents the pirate from tracing the contents in the successive subspaces, and it restricts his playground to a very high-dimensional space. The dimension is almost as big as the number of pixels in the image. The detection region is composed of several regions introducing some diversity in the embedding because the host contents are pushed towards many different regions (see Section 3.2). We hope that this diversity brings some gain in security level in the sense that the private projection will remain secret even if many watermarked contents are observed. Finally, at the detection side, the security is also strengthened by randomizing the decision of the detector when the signal is near the frontier (see Section 5.1) and by introducing notches in the detection region (see Section 5.2).

The embedding and the detection involve four nested spaces: the “pixel” space, the “wavelet” subspace, the “correlation” subspace, and (what we call) the “Miller, Cox & Bloom” plane (abbr. MCB plane). Index letters “X, Y, W ” denote, respectively, the representatives of the original content, the watermarked content, and the watermark signal to be embedded. We use the following terminology and notations to denote the representatives in the different domains:

1. (i)

   “image” in the pixel space of width and height : ,

2. (ii)

   “signal” in the wavelet subspace, which is a subset of : (due to the discrete nature of pixels values, this subspace and the following ones are not stricto sensu homomorphic to, or),

3. (iii)

   “vector” in the correlation space, which is a subset : ,

4. (iv)

   “coordinates” in the MCB plane, which is a subset : .

The diagram of the different processes necessary to obtain the different subspaces is depicted on Figure 1. The following subsections describe these subspaces and their specificities.

The different processes and entities involved in the BA embedding scheme. Each couple represents the name and size of the vector a.

Full size image

2.1. The Pixel Space

Images in this article are matrices of 8-bit luminance values. We can always consider that the watermark in the pixel space is the difference between the watermarked image and the original image: . This is not very useful, except that we impose a distortion constraint based on the PSNR, that is, a logarithmic scale of the mean square error between pixel values of images and :

(1)

where MSE is the mean square error: , with being the width and height of the image in pixels.

2.2. The Wavelet Subspace

As stated in the introduction, the wavelet transform is an excellent embedding domain because of its compliance to the human visual system.

We perform the 2D wavelet transform (Daubechies 9/7) on three levels of decomposition of the original image . This transform is very fast thanks to a very efficient lifted scheme implementation. We select the coefficients from all the bands except the low-frequency LL band. These wavelet coefficients are then stored into a signal (a column vector) . In our implementation, the image dimensions must be multiple of 8. This signal lies in , a space we call the wavelet subspace. The low-low frequency band coefficients are kept in memory, and they will be used in the inverse extraction process.

The embedding process in this domain is in charge of mixing the host and watermark signals in a nonreversible way. The result is the watermarked signal . We mean by nonreversible the fact that an attacker observing should not be able to split it back to the two private signals.

The MSE in the wavelet subspace is equal to the MSE in the spatial domain because this wavelet transform conserves the Euclidean norm. Hence, to enforce the distortion constraint, we must have

(2)

2.3. The Secret Subspace

We use secret binary antipodal carrier signals of size : . They are produced by a pseudorandom generator seeded by the secret key . Their norm equals one, they are independent and we assume that they are orthogonal since their cross correlations are negligible (their expectations are zero, and their standard deviations equal ) compared to their unitary norms when is big. The host signal is projected onto these carrier signals: . These correlations are stored into a vector . It means that represents the host signal in the secret subspace. We can write this projection with the matrix whose columns are the carrier signals: . The norm is conserved because the secret carriers are assumed to constitute a basis of the secret subspace: .

The secret subspace has several advantages. Its dimension is much lower than the wavelet subspace; the vectors in this space are easier to manipulate. It brings robustness against noise or, in other words, it increases the signal to noise power ratio at the detection side, because the noise is not coherently projected onto the secret subspace. Moreover, it boils down the strong nonstationarity of the wavelet coefficients: components of are almost independent and identically distributed as Gaussian random variables.

2.4. The Miller, Cox & Bloom Plane

The MCB plane is the most convenient space because it enables a clear representation of the location of the hosts, the watermarked contents, and the detection boundary. This eases the explanation of the embedding and the detection processes. It is an adaptive subspace of the secret subspace whose dimension is two. We mean by adaptive the fact that this subspace strongly depends on the host vector . Denote as a secret vector in the secret subspace, with unitary norm. A basis of the MCB plane is given by such that

(3)

Hence, the MCB plane is the plane containing and . As far as we know, [5] is the first paper proposing the idea that the watermark vector should belong to the plane containing the secret and the host, hence the name MCB plane.

The coordinates representing the host are with , and . Note that whereas is always positive, the sign of is not a priori fixed. However, we will define so that is indeed always positive (see (14)).

A useful property of the MCB plane is that the norm of the host vector is conserved. The denominator of can be written as

(4)

Hence,

(5)

so that . Now, the vector to be added in the secret subspace is indeed first generated in the MCB plane, such that . Then, .

As mentioned in the previous section, the embedding first needs to go from the spatial domain to the MCB plane. Then, it creates the watermark signal and finally maps it back to the spatial domain. We have seen how to go from one subspace to another. We now explain the definition of the watermark representatives for the three domains.

We do not know what is the optimal way to watermark an image. This is mainly due to the nonstationarity of this kind of host. However, as mentioned earlier, host vectors in the secret subspace can be modeled as random white Gaussian vectors. We know what is the optimal way (in some sense) to watermark a Gaussian white vector according to [1]. The embedder has to create a watermarked vector as , where is a secret vector and and are scalars to be determined. This shows that the watermarked vector belongs to the plane , that is, the MCB plane. However, contrary to [1], we prefer to look for the optimum watermarked coordinate in the basis of the MCB plane.

3.1. The MCB Plane

Knowing vector , we perform the projection from the secret subspace to MCB plane as defined in (3). The detection region is defined by a cone of angle and abscissa direction in the MCB plane such that is considered watermarked if

(6)

The absolute value in the detection formula implies that the detection region is indeed a two-sheet cone as advised by Merhav and Sabbag [1].

The goal of the embedding process in this domain is to bring the coordinates of the watermarked vector deep inside the cone. There are actually several methods: maximizing a robustness criterion [6, Section 5.1.3], maximizing the detection score [1], or maximizing the error exponent [7]. These strategies assume different models of attack noise (resp., the noise vector is orthogonal to the MCB plane, the noise vector is null, or the noise vector is white and Gaussian distributed). We propose our own strategy which, in contrast, does not assume any model of attack as it foresees the worst possible noise. A geometrical interpretation makes the link between our strategy and the one from [6, Section 5.1.3].

3.1.1. Maximum Robustness

This strategy is detailed in [6, Section 5.1.3]. Assume that . We look for an angle which pushes the watermarked coordinates deep inside the detection region. This operation is defined by

(7)

The radius is related to the embedding distortion constraint. We give its formula in Section 4.1.

Now, what does “deep inside the cone” mean? Cox et al. propose to maximize a robustness criterion defined by

(8)

Roughly speaking, represents the amount of noise energy to go outside the detection region provided that is inside [6, Section 5.1.3]. The maximum robustness strategy selects the angle maximizing the robustness: , where is a function of (7). This can be done via a dichotomy search or a Newton algorithm.

We would like to give a geometrical interpretation of this robustness criterion. Assume first that the attack noise is independent of the secret vector and of the host vector . Geometrically speaking, it means that this noise vector is orthogonal to the MCB plane, giving birth to an orthogonal subspace spanned by as depicted in Figure 2. A cut of the frontier of the detection region by the plane at the point shows a circle of radius . Figure 3 shows that the square norm of needs to be at least equal to which is indeed .

The hypercone and the MCB plane in the basis.

Full size image

The minimal norm attack vector , when it is orthogonal to and .

Full size image

3.1.2. A New Criterion Based on the Nearest Border Point Attack

The definition of the robustness explained above makes sense whenever the noise vector is orthogonal to the MCB plane. However, many attacks (filtering, compression, etc.) introduce a distortion which is indeed to be very dependent on the host vector. Hence, the previous assumption may not be realistic. We describe here a new embedding strategy maximizing the distance between the watermarked vector and the nearest border point on the detection region frontier. We first introduce it in an intuitive manner with geometrical arguments, and then we prove it with a Lagrange resolution which is indeed the best strategy.

Assume that the noise vector belongs to the MCB plane, then the shortest path to move outside the detection region is to push the watermarked vector orthogonal to the edge of the cone as shown in Figure 4. Hence, . It is very easy to show that this norm is lower than . The embedding strategy should look for the coordinates maximizing the score under the constraint that . In other words, we select the coordinates whose nearest border point attack needs the maximum noise energy. Intuitively, the embedder should push the host coordinates orthogonally to the edge of the cone so that . However, this intuition is wrong when the embedding circle intersects the axis of the cone because there is no point in having a negative which would decrease . This detail is illustrated in Figure 5.

The border point attack in the MCB plane.

Full size image

The two different embedding cases in the MCB plane.

Full size image

We now strengthen our rationale with a more rigorous approach. The noise vector can always be written as , where are its coordinates in the MCB plane (the one defined by the original vector ), and is the remaining component orthogonal to the MCB plane. Let us look for the nearest border point attack noise that is finding which point located on the cone minimizes the Euclidean distance to a point in the MCB plane and inside the cone. This question can be mathematically formulated by

(9)

A Lagrange resolution gives a point function of the coordinates of , and the minimum distance . Keep in mind that our real job is to place in the MCB plane coordinate at a distance from , while maximizing this minimal distance:

(10)

This second constrained optimization is also easily solved by a Lagrange resolution. The study is divided into two parts depending on the first Lagrange resolution:

Case 1.

If , the minimal distance equals which is positive since is inside the cone. The nearest border point belongs to the MCB plane (i.e., ) with coordinates .

The second Lagrange resolution gives the watermarked coordinates: . Yet, this solution is acceptable only if , that is, . The maximum of the minimum square distance is then . Vector instances are shown in Figure 5 with superscript .

Case 2.

If (i.e., is on the axis of the cone), then , and the nearest border points are located on a circle: , and .

The distortion constraint allows to place the watermarked coordinates on the axis of the cone only if , and then . We rediscover here the embedding proposed in [1, Theorem 2], where optimal parameters are given by [1, (33)]. This is the “erase” strategy where the embedder first erases the noncoherent projection of the host and then spends the remaining distortion budget to emits a signal in the direction of the secret vector . Vector instances are shown in Figure 5 with superscript .

The two cases are possible and compete if . A development of the two expressions of shows that, in this case, the first case gives the real maximum minimum distance. Denote . Our embedder amounts to place to maximize this criterion.

If , then

(11)

If , then

(12)

where is the the nearest border point attacked coordinate.

In conclusion, a geometrical interpretation of the robustness criterion given in [6, Section 5.1.3] gives us an idea of changing it for . This idea has been checked via a double Lagrange optimization. This new formula has links with the embedding strategy of [1] and also avoids the iterative search, as the optimal watermarked coordinates have now closed-form equation. The locus for the watermarked coordinates having the same robustness (aka contour of constant robustness) is the cone translated by the vector . This is quite a different constant robustness surface as the hyperbola (defined through (8)) gets very close to the border as the norm of the vector increases [5].

To go back to the wavelet subspace, we perform a double projection: firstly, we project in the secret subspace and secondly, we project this result in the wavelet subspace to produce the watermark signal in the wavelet domain . Due to the use of orthonormal column vectors in both (seeSection 2.3) and matrices, this operation is defined by

(13)

3.2. Increasing the Diversity of the Watermark Signal

Zero-bit watermarking is known to provide weak security levels due to its lack of diversity. The detection region, for the moment, is only composed of one two-nappe hypercone around the axis supported by . Analyzing several watermarked signals, an attacker might disclose the secret signal that parameterized the detection region, using clustering or principal component analysis tools [8–, 10].

For this security reason, we render the detection region more complex, defining it as the union of several two-nappe hypercones. In the secret subspace, we define a set of secret directions with secret unitary vectors: . With the host signal being represented by in this space, we look for the “nearest” secret direction from the host vector:

(14)

This secret vector is used for the embedding in the MCB plane. Chosen as is, projection is always positive. At the detection side, the same vector has a high probability to be selected since the embedding increases correlation .

We can predict two consequences. The first one is an advantage; we increase the probability of correct embedding. is chosen as the closest vector of from , whence, for a given embedding distortion, it is more likely to push a vector in its hypercone. This acceptance region split into several areas mimics the informed coding used in positive rate or zero rate watermarking scheme such as dirty paper trellis or quantized index modulation. The second one is a drawback; the angle of the cones decreases with the number of cones in order to maintain a probability of false alarm below a given significance level. Consequently, narrower hypercones yield a lower robustness, as less attack distortion is needed to go outside.

The following subsections investigate this issue from a theoretical and an experimental point of view.

3.3. Modeling the Host

In the wavelet subspace, one possible statistical model is to assume a Gaussian mixture. The wavelet coefficient is Gaussian distributed but with its own variance : . We will also pretend that they are conditionally independent given their variances, which is of course not exactly true [11]. In the secret subspace, the components of the host vector are Gaussian i.i.d. because the carrier signals are mutually independent, and the correlations are indeed linear combinations of Gaussian random variables: , with .

In the MCB plane, the statistical model is also very simple. Note first that and are not independent: . The first coordinate is defined as the maximum of absolute values of correlation with unitary vectors. Hence, its cdf is given by

(15)

where is the standard normal cdf. As becomes larger, the Fisher-Tippet theorem shows that converges to the Gumbel distribution with a variance decreasing to zero with a rate [12]. This allows us to roughly approximate by its expectation which converges to the median value:

(16)

where is the inverse normal cdf. By approximating also by , (5) shows the following ratio is approximately constant:

(17)

Hence, the locus of the host coordinates in the MCB plane focuses more and more with around a line passing by the origin and whose slope equals (17). Moreover, as mentioned above, the host coordinates get closer to the axis of the cone because the slope of the line is decreasing with (see Figure 6).

Distribution of the hosts (blue dots) and their watermarked coordinates (red dots) in their respective MCB plane., equivalent dB.

Full size image

3.4. Probability of False Alarm

The hypercone is one of the very few detection regions where the probability of false alarm can be easily calculated provided that the host vectors pdf is radially symmetric, that is, only depending of the norm of the vectors. This is the case in BA, we can thus use work [3]. The probability that falls inside a cone of angle is given by

(18)

where is the solid angle associated to angle in dimension . We just bound with a classical union bound:

(19)

As shown in Figure 6, the angle of the cone is moderately decreasing with .

3.5. Experimental Investigations

Figure 6 depicts the distributions of the coordinates of 5500 original images and their watermarked versions (PSNR of 45 dB) in their MCB plane for different numbers of cones while keeping the probability of false alarm below . The host model is represented by the green line on the left. The bigger the number of cones is the better the approximative model feats the experimental distribution. The effect of the proposed strategy to maximize the robustness is clearly visible. The points representing watermarked contents are either located on the axis or nearly distributed along the blue line on the right parallel to the line modeling the host coordinates. Host coordinates above the dotted blue line are just shifted by the vector .

Figure 7 represents the robustness criterion calculated for these 5500 real host coordinates against and enables to draw important remarks for constant embedding.

Computation of the robustness in function of for different images and different number of cones. Average robustness is represented by horizontal lines.

Full size image

1. (i)

   For images with a low magnitude of , the robustness decreases with the number of cones.

2. (ii)

   For images with a high magnitude of , the robustness increases according to the number of cones.

3. (iii)

   For a given number of cones, there is a range of , for example, a class of images, where the robustness is maximal.

4. (iv)

   The average robustness is monotonically increasing with the number of cones. It tends to saturate for . This is an extremely surprising experimental result because we expected to have an optimal number of cones like the optimum number of codewords in Costa's theory [13].

This subsection has investigated the watermark embedding and detection only in the MCB plane. This exactly simulates an additive spread spectrum embedding where the watermark signal defined in (13) is directly added to the wavelet coefficients: . This provides a tractable model in the MCB plane but it has many drawbacks, as we will see in the next section.

The additive embedding has two major drawbacks. First, it does not comply with some psychovisual basics. The power of the watermark signal is constant all over the image, whereas the human eye is more sensitive on homogeneous regions than on textured regions and edges. Experimentally, the watermark appears as noise over uniform areas. The only way to avoid this artefact is to increase the PSNR, but then the robustness becomes weak. A second drawback is that additive embedding does not respect the power-spectrum condition [14] which states that the spectrum of the watermark has to be locally proportional to the spectrum of the host in order to be robust against denoising attacks. The intuition is that it is extremely hard or almost impossible to filter out the watermark signal if it shares the same statistical property than the host. A proportional embedding in the wavelet domain solves this two issues. The proportional embedding consists in locally adapting a gain prior the mixing: . The local gain is indeed proportional to the absolute value of the host wavelet coefficient:

(20)

In other words, the signal is hidden in the content via a proportional embedding. Such an embedding in the wavelet domain provides a simple human visual system in the sense that it yields perceptually acceptable watermarked pictures for PSNR above 40 dB [4]. Moreover, this scheme has shown to be close to the optimal embedding strategy given by a game theory approach, but less computationally expensive [2]. However, some corrections are needed in the BA algorithm.

4.1. Corrections

4.1.1. Impact on Embedding Distortion

The following equation links the norms of and , assuming that is independent from :

(21)

with . Hence, with (2), we must set the norm of to

(22)

4.1.2. Equivalent Projection

A difficulty stems from the fact that the proportional embedding is not a linear process. Assume that the embedder calculates watermarked coordinates in the MCB plane, and it mixes the corresponding watermark signal in the wavelet subspace with the proportional embedding. When the detector projects the watermarked signal back to the MCB plane, it does not find the same watermarked representative . The watermarked signal is projected back onto the secret subspace in such that

(23)

We assume that the host wavelet coefficient is statistically independent of the th secret carriers samples in order to simplify this last expression in provided that :

(24)

with .

At the embedding side, we take into account this phenomenon right in the MCB plane. We model it by searching the best watermark coordinates with a vector , which reflects the coordinates of the vector after proportional embedding in the MCB plane. But, the coordinates to be projected back to the secret subspace is indeed .

These two corrections imply that even with a constant PSNR, the norm of is different from a host image to another:

(25)

In the MCB plane, the ratio is the only difference between the additive and the proportional embedding methods.

4.2. Experimental Investigations

We need to check that our model of proportional embedding in the MCB plane is actually working. Figure 8 shows ten couples of watermarked vectors in their own MCB plane. Each couple is composed of coordinate used at the embedding and coordinate retrieved at the detection side when no attack occurred. There is a small difference, and the reason stems from all the approximations previously made: carriers are not orthogonal (Section 2.3), the embedding distortion is not exact (21), and projections in the secret subspace are modeled (24). The quantization in the spatial domain, after the inverse wavelet transform, is less disturbing. An iterative algorithm has already been proposed to better control the location of the watermarked coordinates [15, Section 3], but we believe that this difference is a second-order effect, and we prefer to keep the embedding process as simple as possible.

Deviations between the desired coordinates at the embedding and the real coordinate retrieved at the detection. The coordinates are represented by circles as they appear in their own MCB plane, for 10 watermarked images.

Full size image

Other experimental works not described in this article showed us that bigger values of and are expected when is important, but there is almost no obvious statistical inference between and the norm of the host vector. The expectation of this ratio is around and , weakly increasing with . It has a strong variance around this expectation. The most important is that the ratio is always lower than 1. It means that embedding circle in the MCB plane is smaller with a proportional embedding than an additive embedding.

The final experimental work is a benchmark of four watermarking techniques. We used 2000 luminance images of size . These pictures represent natural and urban landscapes, people, or objects, taken with many different cameras from 2 to 5 millions of pixels.

The PSNR of the watermarked pictures is in average 42.7 dB. The visual distortion is invisible for almost all images. Figure 9 illustrates this with the reference image “Lena.” A careful inspection shows some light ringing effects around the left part of the hat. However, there exist pictures where the embedding produces unacceptable distortion as shown in Figure 10. We explain this as follows. The common factor of these images is that they are composed of uniform areas (e.g., the sky) or textures with very low dynamic (e.g., the trees), and they have very few strong contours (the street lamp and the statue of Figure 10). Then, for a given distortion budget, the proportional embedding does not spread the watermark energy all over the image because most wavelet coefficients are small, but it focuses the watermark energy on the very few strong wavelet coefficients. For the purpose of the challenge, we did not care of it but this drawback has to be improved for a real watermarking technique.

The reference image “Lena” watermarked at dB.

Full size image

One of the few images where the embedding provides a poor quality despite a PSNR of 42. 7 dB. Ringing effect is visible around the statue and the street lamp.

Full size image

Four watermarking techniques with different embedding strategies have been benchmarked:

1. (i)

   maximization of the robustness criterion defined by (8) with a proportional embedding,

2. (ii)

   maximization of the error exponent as detailed in [7] with a proportional embedding,

3. (iii)

   maximization of the new robustness criterion with a proportional embedding,

4. (iv)

   maximization of the new robustness criterion with an additive embedding.

We apply a set of 40 attacks mainly composed of combinations of JPEG and JPEG 2000 compressions at different quality factors, low-pass filtering, wavelet subband erasure, and a simple denoising algorithm. This latter consists in thresholding wavelet coefficients of 16 shifted versions of the image, afterward the inverse wavelet transforms are shifted back and averaged.

Figure 11 reports the impact of the 15 most significant attacks on the four techniques (the discarded attacks yield either lower PSNR or higher probabilities of detection). The probability of detecting the watermark (i.e., number of good detection divided by 2000) is plotted with respect to the average PSNR of the attacked images. Because these classical attacks produce almost the same average PSNR, the four points for a given attack are almost vertically aligned. Yet, the impact on the probability of detection is interesting; despite that the additive embedding allows bigger radius embedding circle in the MCB plane, this technique is the weakest. This stresses the fact that mixing signals with different statistical structures as for constant additive embedding is partly reversible. This is an Achilles' heel that even classical attacks take benefit of. Our embedding strategy gives average better results than the ones of Cox et al. (8) and of Comesaña et al. [7]. Yet, the improvement is really weak.

Probability of good detection versus average PSNR of attacked images for the four watermarking techniques: proportional embedding and new robustness criterion “,” additive embedding and new robustness criterion “+,” proportional embedding and Miller, Cox & Bloom robustness criterion “” [6, Section 5. 1.3], proportion embedding with Comesaña's strategy “” [7]. Selection of attacks: (1) denoise threshold 20, (2) denoise threshold 30, (3) JPEG , (4) JPEG2000 , (5) JPEG2000 , (6) JPEG2000 , (7) scale , (8) scale , (9) scale , (10) scale , (11) scale , (12) scale , (13) scale , (14) scale , (15) no attack.

Full size image

In the BOWS-2 contest, the broken arrows algorithm has to face attacks linked to security. The first one is the oracle attack whose goal is to disclose the shape of the detection region and/or to find nearest border point. The second one is based on information leakage, and the goal here is to try to estimate the secret subspace. We consequently decided to implement a counterattack in order to make these attacks (a bit) more complicated. The only solution we found to cope with information leakage attacks is to increase the diversity of the key by using several cones as explained previously in the paper (see Section 3.2). Initially, we also tried to increase the diversity of the key by using technique relying on perceptual hashing, but this technique was not mature enough to be implemented in the last final version of the algorithm. Regarding oracle attacks, we adopted three counterattacks presented below.

5.1. Randomized Boundary

An attacker having unlimited access to the detector as a black sealed box can lead oracle attacks. Many of them are based on the concept of sensitivity, where the attacker tries to disclose the tangent hyperplane locally around a point (called sensitive vector) on the border of the detection region. A counterattack formalized by [16] is to slightly randomize the detection region for each call. This counterattack is very similar to the one that consists in having a chaotic boundary as proposed in [17, 18], both want to prevent an easy gradient ascent algorithm by making the detection border more difficult to analyse.

We process very simply by picking up a random threshold uniformly distributed in the range has a corresponding probability of false alarm of (resp., ).

5.2. Snake Traps

The “snake” is a new kind of oracle attack invented by Craver and Yu [19]. It consists in a random walk or a diffusion process in a constrained area of the space, which is indeed the detection region. This approach is a very efficient way to explore the detection region and to estimate parameters of the watermark detector. An important fact is that the snake tends to grow along the detection region border.

Our counterattack is to shape the boundary of the detection region, trapping the snakes in small regions to stop their growth. We draw “teeth” in the MCB plane, in the following way:

1. (i)

   if , then detection is positive if ,

2. (ii)

   else the watermark is detected if , where is a random variable as explained above.

and set the periodicity and the width of the “teeth.” Note that the teeth are longer as the vector is far away from the origin. Depending on the step of the random walk, we hope to increase the probability of trapping a snake as it grows. The teeth slightly reduce the size of the acceptance region, hence, the probability of false alarm is even lower.

Snakes almost grow infinitely in a cone because this detection region is not bounded (in practice, the pixel luminance dynamic bounds it). Hence, the average direction of several independent snakes can disclose the axis of the cone. Yet, we deal with several cones, and more importantly, the cones are indeed not disjoint for the considered probability of false alarm; the angle is always bigger than in Figure 6 and around rad in the final implementation. The snakes will then be trapped in a subspace of dimension , where no average direction will emerge. This does not mean that snakes do no longer constitute a threat. A principal component analysis of several long snakes might disclose the secret subspace. We expect at least a strong increase of detection trials.

5.3. Camouflage of the Cone

The detection score is virtually independent of a value-metric scaling. This is a nice robustness feature, but very few detectors provide this advantage. Hence, this leaves clues [19]. We consequently decided to conceal the use of hypercones by truncating it; a content is deemed not watermarked if . Note that the value has to be small enough to guaranty that the nearest border point is not located on the truncated section of the cone.

These three countermeasures result in a detection region depicted in Figure 12.

Detection results in the MCB plane. Dark-grey points represent contents detected as watermarked, light-grey points as not watermarked. The angle of the cone has been chosen in order to magnify the shape of the border.

Full size image

5.4. Nasty Tricks

Concerning the challenge, we have the choice for the images proposed for the contest. We benchmark our watermarking technique over a set of 2000 images and against a bunch of common image processing attacks, in order to fine tune all the parameters, but also to investigate which images from this database were the most robust. These latter ones are used for the first episode of the challenge. In the same way, we made a light JPEG compression to let participants think that the embedding domain is the DCT domain!

The BA software was developed in C using the libit [20] library in order to get fast embedding and detection schemes. During the whole contest, the embedding distortion is set by a targeted PSNR of 43 dB. In practice, due to pseudo-orthogonal carriers and the different approximations made in Section 4.1, the real PSNR is in between 42.5 dB and 43 dB.

A four-level wavelet decomposition is performed via libit with its very efficient implementation of a lifting step factorization using a Daubechies 9/7 biorthogonal wavelet [21]. The coefficients in subbands form the vector .

The pseudorandom generator is the Mersenne Twister pseudorandom number generator [22] whose seed, that is, the secret key , is 128 bit long. The dimension of the secret subspace is . It is spanned by pseudo-orthogonal carriers on size . The Gram-Schmidt orthogonalization has been skipped because it is too much time-consuming. Antipodal carriers speed the correlation calculus because coefficients are accumulated in a sum which is in accordance with the sign of the corresponding carrier sample. We can also trade speed against memory; all the carriers' samples are not stored in memory but they are generated as the need arises.

The number of cones equals . There is no point in creating yet another set of secret directions for the axis of the cones. The secret subspace is already private via the secrecy of the antipodal carriers. Consequently, vector is just the th element of the canonical basis of the secret subspace. The angles and are chosen to obtain probabilities of false alarm lower than and , respectively. These two probabilities bound the probability of false alarm of the whole system.

During the detection process, we choose a truncating parameter equal to , a period equal to , and a width of the teeth equal to . The random parameter to choose angle is computed using time as a seed of the pseudorandom generator.

For a grey-scale image, the computational time for an embedding is of approximately 1.0 second for the embedding and 0.8 seconds for the detection on the BOWS-2 server (a 3-ghz Intel Xeon). Consequently, the BOWS-2 server, with 2 dual-core processors, has the possibility to detect around 350 000 images per day.

The source code of the BA embedding and detection schemes and the images used during the contest are available on http://bows2.gipsa-lab.inpg.fr.

The name “broken arrows” comes from the fact that the detection region is a set of cones shaped like heads of arrows, where the very end has been broken (see Section 5.3). Moreover, such a name suits perfectly the BOWS contest.

Designing a practical watermarking technique for a contest is a very challenging task. We would like to point out that a design is necessary done under constraints of time, man, and computer powers, with the sword of Damocles that a contender hacks the technique within the first hours of the challenge. Especially, the countermeasures presented in Section 5 have not been thoroughly tested due to lack of time. Consequently, a design is quite a different work than the writing of scientific paper. However, algorithms performing well in practice are often based on strong theoretical background. Not knowing the final results of the challenge by the time of writing, we humbly hope that lessons of scientific interest will be learnt.

The authors thank Guillaume Stehlin and Francois Cayre for their knowhow in code optimization. They also thank Hervé Jégou, Vivien Chappelier, and Francois Cayre, the authors of the libit, for providing them such a simple and efficient C library as well as the denoiser software. The quality of this article has been really improved thanks to the careful reviewing of Cléo Baras, Francois Cayre, and the anonymous reviewers of EURASIP JIS. The authors also thank the French national ANR projects Nebbiano (ANR-06-SETI-009) and Estivale (ANR-05-RIAM-1902) for funding the BOWS-2 server. Last but not least, special thanks to Maj. Deakins and Capt. Hale for having supported them during the running of the challenge.

Authors and Affiliations

1. Project-Team TEMICS, INRIA Rennes-Bretagne Atlantique Research Centre, 35042, Rennes Cedex, France

   Teddy Furon

2. Gipsa-Lab Grenoble, CNRS, 38031, Grenoble Cedex, France

   Patrick Bas

Corresponding author

Correspondence to Teddy Furon.

Open Access This article is distributed under the terms of the Creative Commons Attribution 2.0 International License (https://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Reprints and permissions