university of adelaide...contents contents iii abstract vii statement of originality ix...
TRANSCRIPT
Thesis:
Multimedia Transaction Tracking from
a Mutual Distrust Perspective.
by
Angela S. L. Wong
Thesis submitted for the degree of
Doctor of Philosophy
in
Electrical and Electronic Engineering
University of Adelaide
November 2007
c© 2007
Angela S. L. Wong
All Rights Reserved
Page ii
Contents
Contents iii
Abstract vii
Statement of Originality ix
Acknowledgments xi
Publications xiii
List of Figures xv
List of Tables xxiii
Chapter 1. Introduction 1
1.1 Outline of Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2.1 Watermarking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2.2 Cryptology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.3 Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.4 Background and Aim . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.5 Legal Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Chapter 2. A Review of the State of the Art 11
2.1 Watermarking Alone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.2 Cryptography Alone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.2.1 General Cryptosystems . . . . . . . . . . . . . . . . . . . . . . . 16
2.2.2 Image- and Video-Specific Cryptosystems . . . . . . . . . . . . . 17
2.3 Watermarking and Cryptography . . . . . . . . . . . . . . . . . . . . . . 20
2.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Page iii
Contents
Chapter 3. A Technical Background on Watermarking and Cryptography 23
3.1 Steganographic Watermarking . . . . . . . . . . . . . . . . . . . . . . . 24
3.1.1 Watermarking Categories . . . . . . . . . . . . . . . . . . . . . . 26
3.1.2 Spread Spectrum Watermarking . . . . . . . . . . . . . . . . . . 27
3.1.3 Attacks and Defenses . . . . . . . . . . . . . . . . . . . . . . . . 28
3.2 Public Key Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.2.1 RSA Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . 33
3.2.2 ElGamal Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . 34
3.2.3 Rabin Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.2.4 Elliptic Curve Cryptography . . . . . . . . . . . . . . . . . . . . 37
3.2.5 Attacks on Cryptosystems . . . . . . . . . . . . . . . . . . . . . . 46
3.3 Pre- and Post-processing . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.3.1 Trade-offs: Capacity and Invisibility . . . . . . . . . . . . . . . . 47
3.3.2 Power Spectral Density (PSD) . . . . . . . . . . . . . . . . . . . . 48
3.3.3 Choice of watermark . . . . . . . . . . . . . . . . . . . . . . . . . 48
3.3.4 Choosing document components to alter . . . . . . . . . . . . . 49
3.3.5 Watermark detection . . . . . . . . . . . . . . . . . . . . . . . . . 50
Chapter 4. Issues Associated with Mutual Distrust 53
4.1 The problem with trusting too much... . . . . . . . . . . . . . . . . . . . 54
4.2 Significance of Research . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
4.3 Applications of Research Findings . . . . . . . . . . . . . . . . . . . . . 55
4.4 Trusted Owner Party Scenario . . . . . . . . . . . . . . . . . . . . . . . . 56
4.5 The Staining Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
4.5.1 Problems Anticipated with Staining . . . . . . . . . . . . . . . . 58
Chapter 5. Experimental Results 61
5.1 Test Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
5.2 XOR Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
5.3 Block-based Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . 65
5.4 RSA Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
5.5 Elliptic Curve Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . 94
Page iv
Contents
Chapter 6. Summary 115
6.1 Discussion of Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
6.1.1 The Exacting Nature of Cryptograms . . . . . . . . . . . . . . . 116
6.1.2 Cryptosystem and Watermark Requirements . . . . . . . . . . . 117
6.2 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
6.3 Summary of Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . 119
6.4 Future Research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Appendix A. Acronyms, Abbreviations and Glossary 123
A.1 Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
A.2 Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
A.3 Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Appendix B. Paper-Pen Analyses 127
B.1 XOR Watermarking Algorithm . . . . . . . . . . . . . . . . . . . . . . . 128
B.2 RSA Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
B.3 Elliptic Curve Cryptography (ECC) . . . . . . . . . . . . . . . . . . . . . 133
Appendix C. Codes 137
C.1 XOR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
C.2 Block-Based . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
C.3 RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem . . . . . . . . . . . . . 153
C.4.1 Truncation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
C.4.2 JPEG Compression . . . . . . . . . . . . . . . . . . . . . . . . . . 159
C.4.3 Cropping and Replacing . . . . . . . . . . . . . . . . . . . . . . . 166
C.4.4 Gaussian Noise Addition . . . . . . . . . . . . . . . . . . . . . . 172
C.4.5 Scaling and Rescaling . . . . . . . . . . . . . . . . . . . . . . . . 179
C.4.6 Combination Attacks: Rotate, Crop and Rescale . . . . . . . . . 185
C.4.7 Combination Attacks: Crop and Rescale . . . . . . . . . . . . . . 192
C.4.8 Double Watermarking . . . . . . . . . . . . . . . . . . . . . . . . 198
Page v
Contents
C.5 Extraneous . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
C.5.1 POWMOD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
C.5.2 RANDPRIME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
C.5.3 EXTDEUC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Bibliography 209
Page vi
Abstract
In this thesis, we present a novel, elegant and simple method for secure transac-
tion authentication and non-repudiation for trading multimedia content. Multimedia
content can be video, images, text documents, music, or any form of digital signal,
however here we will focus particular on still images with application to video.
We will provide proof that not only can receiving parties within a transaction be
untrustworthy, but the owner, or members within an owning party, also cannot be
trusted. Known as the insider attack, this attack is particularly prevalent in multi-
media transactions. Thus the focus of the thesis is on the prevention of piracy, with
particular emphasis on the case where the owner of a document is assumed to be
capable of deceit, placing the system under the assumption of mutual distrust.
We will introduce a concept called staining, which will be used to achieve authentica-
tion and non-repudiation. Staining is composed of two key components: (1) public-
key cryptography; and (2) steganographic watermarking. The idea is to watermark
a multimedia document after encryption, thereby introducing a stain on the water-
mark. This stain is due to the non-commutative nature of the scheme, so that de-
cryption will be imperfect, leaving a residue of the cryptographic process upon the
watermark. Essentially, secrets from the owner (the watermark) and the receiver (the
cryptographic key) are entangled rather than shared, as in most schemes.
We then demonstrate our method using image content and will test several differ-
ent common cryptographic systems with a spread-spectrum type watermark. Wa-
termarking and cryptography are not usually combined in such a manner, due to
several issues such as the rigid nature of cryptography. Contrary to the expectation
that there will be severe distortions caused to the original document, we show that
such an entanglement is possible without destroying the document under protection.
We will then attack the most promising combination of systems by introducing geo-
metric distortions such as rotation and cropping, as well as compressing the marked
document, to demonstrate that such a method is robust to typical attacks.
Page vii
Page viii
Statement of Originality
This work contains no material that has been accepted for the award of any other
degree or diploma in any university or other tertiary institution and, to the best of
my knowledge and belief, contains no material previously published or written by
another person, except where due reference has been made in the text.
I give consent to this copy of my thesis being available in the University Library.
The author acknowledges that copyright of published works contained within this
thesis (as listed under Publications) resides with the copyright holder/s of those
works.
Signed Date
Page ix
Page x
Acknowledgments
I am grateful to my supervisors, Dr. Matthew Sorell and Dr. Robert Clarke, for teach-
ing me how to walk on water, and for their boundless patience and guidance over
the course of my PhD. They have given me an incredible opportunity to study these
fascinating fields of watermarking and cryptography, to which I could never express
my gratitude enough. I am especially thankful for the care and speed with which
they reviewed my original manuscript, considering Dr. Sorell has just had his second
child and Dr. Clarke is in semi-retirement.
I would also like to thank the School of Electrical and Electronic Engineering of the
University of Adelaide, including the lovely office ladies whom have made my post-
graduate life easier, for all the resources that have been made available to aid me
in my research. Furthermore, I would like to include in my acknowledgements all
the members of the Centre for Internet Research (CIR), past and present, for making
my postgraduate candidature an exceptional time in my life. Many of my colleagues
have become very good friends of mine, especially one very witty and brilliant miss,
who has been of great help over the years, and while I was writing this dissertation.
For all their love and encouragement, I would also like to acknowledge my friends
and family, and in addition for his faith, my closest friend, Andrew Morris, as well
as for his cheer: ”You can do it, Gigi!”, that has kept me going during some tough
times. Infinitely, I would like to thank God, for listening to my worries, and giving
me strength and clarity when I have needed them the most.
Finally, I would like to thank the anonymous reviewers, for taking the time to review
this manuscript. Their constructive and insightful comments have been of tremen-
dous value.
Page xi
Page xii
Publications
Wong, A. S. L., Sorell, M. & Clarke, R. (2004). Transaction Tracking for Multimedia Content from a
Mutual Distrust Perspective. International Symposium on Intelligent Multimedia, Video & Speech
Processing (ISIMP2004), The Hong Kong Polytechnic University, Hong Kong, October 20–22.
Wong, A. S. L., Sorell, M. & Clarke, R. (2005). Secure Mutual Distrust Transaction Tracking Using Cryp-
tographic Elements, Lecture Notes for Computer Science, No. 3710, 4th International Workshop on
Digital Watermarking (IWDW2005), Siena, Italy, September 13–15, pp. 459–469.
Wong, A. S. L., & Sorell, M., (2007). Trading Multimedia Content Using Entangled Secrets, in Chang-
Tsun Li (ed.), Multimedia Forensics and Security, Idea Group Inc. Pending Acceptance for Publica-
tion.
Page xiii
Page xiv
List of Figures
3.1 An example of fragile watermarking. . . . . . . . . . . . . . . . . . . . . 24
3.2 An example of robust watermarking. . . . . . . . . . . . . . . . . . . . . 25
3.3 The most general watermarking system. . . . . . . . . . . . . . . . . . . 25
3.4 Point addition of two unequal points in a real field. . . . . . . . . . . . 39
3.5 Point addition of a point and its reflection in a real field. . . . . . . . . 41
3.6 Point doubling in a real field. . . . . . . . . . . . . . . . . . . . . . . . . 42
4.1 Trust-distrust copy transfer process. . . . . . . . . . . . . . . . . . . . . 57
4.2 Mutual distrust copy transfer process. . . . . . . . . . . . . . . . . . . . 59
5.1 Lena image used in the testing of the implementations, curtesy of the
Signal and Image Processing Institute at the University of Southern
California. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
5.2 Baboon image used in the testing of the implementations, curtesy of
the Signal and Image Processing Institute at the University of Southern
California. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
5.3 Results for XOR encryption and spread spectrum watermarking scheme
with α = 0.012, (a) original image (Lena), (b) after encryption, (c) then
watermarking, and finally (d) after decryption. . . . . . . . . . . . . . . 71
5.4 Results for matrix multiplication watermarking scheme, with encryp-
tion block size 8, and DCT watermarking block size 8, α 0.00043, (a)
original image (Lena), (b) after encryption, (c) then watermarking, and
finally (d) after decryption. . . . . . . . . . . . . . . . . . . . . . . . . . 72
5.5 Comparison for matrix multiplication watermarking scheme, with en-
crypted image at block sizes (a) 8, (b) 16, (c) 64, and (d) 512. . . . . . . . 73
Page xv
List of Figures
5.6 Results of RSA encryption and DCT watermarking, α = 0.001, (a) orig-
inal image (Lena), (b) after encryption, (c) then watermarking, and fi-
nally (d) after decryption. . . . . . . . . . . . . . . . . . . . . . . . . . . 74
5.7 The correlation of the decrypted image to 100 randomly watermarked
decrypted images. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
5.8 Results of RSA encryption and DCT watermarking, α = 0.001,after ap-
plying attack: forcing to 8-bits, where (a) before attack, (b) after attack,
(c) correlation before attack, and (d) correlation after attack. . . . . . . 76
5.9 Results of RSA encryption and DCT watermarking, α = 0.001,after
applying attack: JPEG compressed by 50%, where (a) before attack, (b)
after attack, (c) correlation before attack, and (d) correlation after attack. 77
5.10 Results of RSA encryption and DCT watermarking, α = 0.001,after
applying attack: cropping 1 pixel from edges, where (a) before attack,
(b) after attack, (c) correlation before attack, and (d) correlation after
attack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
5.11 Results of RSA encryption and DCT watermarking, α = 0.001,after
applying attack: cropping 50 pixel from edges, where (a) before attack,
(b) after attack, (c) correlation before attack, and (d) correlation after
attack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
5.12 Results of RSA encryption and DCT watermarking, α = 0.001,after
applying attack: adding Gaussian noise with zero mean and standard
variance 0.004, where (a) before attack, (b) after attack, (c) correlation
before attack, and (d) correlation after attack. . . . . . . . . . . . . . . . 80
5.13 Results of RSA encryption and DCT watermarking, α = 0.001,after
applying attack: scaling by half and then doubling in size, where (a)
before attack, (b) after attack, (c) correlation before attack, and (d) cor-
relation after attack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
5.14 Results of RSA encryption and DCT watermarking, α = 0.001,after
applying attack: cropping 1 pixel from edges and resizing to original
size, where (a) before attack, (b) after attack, (c) correlation before at-
tack, and (d) correlation after attack. . . . . . . . . . . . . . . . . . . . . 82
Page xvi
List of Figures
5.15 Results of RSA encryption and DCT watermarking, first watermark
α = 0.0005, second watermark α = 0.0005, after applying attack: dou-
ble watermarking, where (a) before attack, (b) after attack, (c) correla-
tion before attack, and (d) correlation after attack. . . . . . . . . . . . . 83
5.16 Results of RSA encryption and DCT watermarking, α = 0.001, corre-
lation after applying attack: forcing to 8-bits, where the original image
has been subtracted from the attacked image, before correlating. . . . . 85
5.17 Results of RSA encryption and DCT watermarking, α = 0.001, cor-
relation after applying attack: JPEG compressed by 50%, where the
original image has been subtracted from the attacked image, before
correlating. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
5.18 Results of RSA encryption and DCT watermarking, α = 0.001, corre-
lation after applying attack: cropping 1 pixel from edges, where the
original image has been subtracted from the attacked image, before
correlating. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
5.19 Results of RSA encryption and DCT watermarking, α = 0.001, corre-
lation after applying attack: cropping 50 pixel from edges, where the
original image has been subtracted from the attacked image, before
correlating. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
5.20 Results of RSA encryption and DCT watermarking, α = 0.001, correla-
tion after applying attack: adding Gaussian noise with zero mean and
standard variance 0.004, where the original image has been subtracted
from the attacked image, before correlating. . . . . . . . . . . . . . . . . 87
5.21 Results of RSA encryption and DCT watermarking, α = 0.001, corre-
lation after applying attack: scaling by half and then doubling in size,
where the original image has been subtracted from the attacked image,
before correlating. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
5.22 Results of RSA encryption and DCT watermarking, α = 0.001, corre-
lation after applying attack: cropping 1 pixel from edges and resizing
to original size, where the original image has been subtracted from the
attacked image, before correlating. . . . . . . . . . . . . . . . . . . . . . 88
Page xvii
List of Figures
5.23 Results of RSA encryption and DCT watermarking, first watermark
α = 0.0005, second watermark α = 0.0005, correlation after applying
attack: double watermarking, where the original image has been sub-
tracted from the attacked image, before correlating. . . . . . . . . . . . 88
5.24 Results of RSA encryption and DCT watermarking, capacity analysis,
with α varying from 0.0002 to 0.001, and for a range of prime keys, n,
versus peak signal-to-noise ratio (PSNR). . . . . . . . . . . . . . . . . . 89
5.25 Results of RSA encryption and DCT watermarking, capacity analysis,
with α varying from 0.0002 to 0.001, and for a range of prime keys, n,
versus peak signal-to-noise ratio (PSNR), lower-bound and best-fit. . . 90
5.26 Results of RSA encryption and DCT watermarking, capacity analysis,
with α varying from 0.0002 to 0.001, versus a range of prime keys, n,
versus peak signal-to-noise ratio (PSNR), upper-bound and surface-
best-fit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
5.27 Results of RSA encryption and DCT watermarking, capacity analysis:
individual upper-curve best-fits for α equal to (a) 0.0002, (b) 0.0003, (c)
0.0004, (d) 0.0005, (e) 0.0006, and (f) 0.0007. . . . . . . . . . . . . . . . . 92
5.28 Results of RSA encryption and DCT watermarking, capacity analysis:
individual upper-curve best-fits for α equal to (a) 0.0008, and (b) 0.001. 93
5.29 Results of RSA encryption and DCT watermarking, capacity analysis:
upper-curve percentage of PSNR below the JND threshold. . . . . . . . 93
5.30 Results of Menezes-Vanstone EC encryption and DCT watermarking,
α = 0.001, (a) original image (Lena), (b) after encryption, (c) then wa-
termarking, and finally (d) after decryption. . . . . . . . . . . . . . . . . 97
5.31 The correlation of the MVECC-encrypted and DCT-watermarked re-
covered watermark to 100 random watermarks. . . . . . . . . . . . . . 98
5.32 Results of MV-ECC encryption and DCT watermarking, watermark at
α = 0.001, correlation after applying attack: forcing to 8-bits, where
(a) before attack, (b) after attack, (c) correlation before attack, and (d)
correlation after attack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
5.33 Results of MV-ECC encryption and DCT watermarking, watermark at
α = 0.001, correlation after applying attack: JPEG compression to 10%,
where (a) before attack, (b) after attack, (c) correlation before attack,
and (d) correlation after attack. . . . . . . . . . . . . . . . . . . . . . . . 100
Page xviii
List of Figures
5.34 Results of MV-ECC encryption and DCT watermarking, watermark at
α = 0.001, correlation after applying attack: cropping 1 pixel from the
edges and replacing from the original, where (a) before attack, (b) after
attack, (c) correlation before attack, and (d) correlation after attack. . . 101
5.35 Results of MV-ECC encryption and DCT watermarking, watermark at
α = 0.001, correlation after applying attack: cropping 50 pixel from the
edges and replacing from the original, where (a) before attack, (b) after
attack, (c) correlation before attack, and (d) correlation after attack. . . 102
5.36 Results of MV-ECC encryption and DCT watermarking, watermark at
α = 0.001, correlation after applying attack: adding Gaussian noise
with zero mean and standard variance 0.01, where (a) before attack,
(b) after attack, (c) correlation before attack, and (d) correlation after
attack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
5.37 Results of MV-ECC encryption and DCT watermarking, watermark at
α = 0.001, correlation after applying attack: scaling by half and then
doubling the size, where (a) before attack, (b) after attack, (c) correla-
tion before attack, and (d) correlation after attack. . . . . . . . . . . . . 104
5.38 Results of MV-ECC encryption and DCT watermarking, watermark at
α = 0.001, correlation after applying attack: cropping 1 pixel from
edges and resizing to original dimensions, where (a) before attack, (b)
after attack, (c) correlation before attack, and (d) correlation after attack. 105
5.39 Results of MV-ECC encryption and DCT watermarking, first water-
mark α = 0.0005 at index 27, second watermark α = 0.001 at index
65, correlation after applying attack: double watermarking, where (a)
before attack, (b) after attack, (c) correlation before attack, and (d) cor-
relation after attack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
5.40 Results of MV-ECC encryption and DCT watermarking, α = 0.005, cor-
relation after applying attack: rotating 1◦ clockwise, cropping 3 pixels
from edges, and resizing to original size, where (a) before attack, (b)
after attack, (c) correlation before attack, and (d) correlation after attack. 107
5.41 Results of MV-ECC encryption and DCT watermarking, α = 0.001,
correlation after applying attack: forcing to 8-bits, where the original
image has been subtracted from the attacked image, before correlating. 108
Page xix
List of Figures
5.42 Results of MV-ECC encryption and DCT watermarking, α = 0.001,
correlation after applying attack: JPEG compressed to 10%, where the
original image has been subtracted from the attacked image, before
correlating. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
5.43 Results of MV-ECC encryption and DCT watermarking, α = 0.001,
correlation after applying attack: cropping 1 pixel from edges and re-
placing from original, where the original image has been subtracted
from the attacked image, before correlating. . . . . . . . . . . . . . . . . 109
5.44 Results of MV-ECC encryption and DCT watermarking, α = 0.001,
correlation after applying attack: cropping 50 pixel from edges and
replacing from original, where the original image has been subtracted
from the attacked image, before correlating. . . . . . . . . . . . . . . . . 110
5.45 Results of MV-ECC encryption and DCT watermarking, α = 0.001, cor-
relation after applying attack: adding Gaussian noise with zero mean
and standard variance 0.01, where the original image has been sub-
tracted from the attacked image, before correlating. . . . . . . . . . . . 110
5.46 Results of MV-ECC encryption and DCT watermarking, α = 0.001,
correlation after applying attack: scaling by half and then doubling in
size, where the original image has been subtracted from the attacked
image, before correlating. . . . . . . . . . . . . . . . . . . . . . . . . . . 111
5.47 Results of MV-ECC encryption and DCT watermarking, α = 0.001,
correlation after applying attack: cropping 1 pixel from edges and re-
sizing to original size, where the original image has been subtracted
from the attacked image, before correlating. . . . . . . . . . . . . . . . . 111
5.48 Results of MV-ECC encryption and DCT watermarking, first water-
mark α = 0.0005, second watermark α = 0.001, correlation after apply-
ing attack: double watermarking, where the original image has been
subtracted from the attacked image, before correlating. . . . . . . . . . 112
5.49 Results of MV-ECC encryption and DCT watermarking, α = 0.005, cor-
relation after applying attack: rotating 1◦ clockwise, cropping 3 pixels
from edges, and resizing to original size, where the original image has
been subtracted from the attacked image, before correlating. . . . . . . 112
Page xx
List of Figures
Page xxi
Page xxii
List of Tables
3.1 Summary of Cox’s watermarking algorithm . . . . . . . . . . . . . . . . 28
3.2 Summary of RSA algorithm . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.3 Summary of ElGamal algorithm . . . . . . . . . . . . . . . . . . . . . . . 36
3.4 Summary of Rabin algorithm . . . . . . . . . . . . . . . . . . . . . . . . 37
3.5 Summary of ElGamal-type ECC encryption algorithm . . . . . . . . . . 44
3.6 Summary of Menezes-Vanstone ECC encryption algorithm . . . . . . . 45
5.1 Summary of XOR encryption algorithm . . . . . . . . . . . . . . . . . . 63
5.2 Summary of XOR watermarking algorithm . . . . . . . . . . . . . . . . 64
5.3 Summary of matrix multiplication watermarking algorithm . . . . . . 65
5.4 Correlation comparison for different encryption and watermarking block
sizes for matrix multiplication watermarking scheme. . . . . . . . . . . 68
5.5 Summary of RSA watermarking algorithm . . . . . . . . . . . . . . . . 69
5.6 Summary of Menezes-Vanstone ECC watermarking algorithm . . . . . 95
Page xxiii
Page xxiv
Chapter 1
Introduction
THIS chapter is an introduction and background into the re-
search discussed in this thesis. Before the digital age, when
video data was limited to being stored on videotapes, video
piracy was not an important issue as videotapes deteriorate in quality
with each copy. However, with the advance of video technology in the
digital age comes the ability to generate perfect copies of a video. This
has made video piracy very popular since illegal copies can be obtained
easily and are considerably less expensive than a legal copy. This has
resulted in a boom in video piracy. This problem has since grown un-
controllably and has become an increasing threat to the movie production
and pre-mass-distribution industries necessitating action. To that purpose
there has been extensive research into the area of digital copy protection,
watermarking and steganography.
Page 1
1.1 Outline of Thesis
1.1 Outline of Thesis
This chapter looks into the history of copy protection, as well as a brief statement of
some of the assumptions of this research. This is followed by some background into
what is currently occurring in digital rights management and a list of watermarking
criteria, plus the significance and aims of this research, ending in some legal notes.
The following chapter (2) will give a review on the state of copyright protection for
multimedia. This will constitute of watermarking, cryptography, and watermark-
ing and cryptography in combination. The chapter ends with a brief summary and
conclusion on the technologies discussed.
Chapter 3 outlines the technical background on which the work in this thesis is based.
These include the watermarking method which will be employed. In addition, sev-
eral cryptographic techniques will be discussed in detail.
Chapter 4 will definitively state the issues in digital rights management which this
thesis will be addressing, including its significance to today’s problems. This will
lead into a description of the new methodology and how it contributes to solving the
stated issues.
The implementations and results of the new methodology follows in the succeeding
chapter. The codes for the implementations are placed in Appendix C.
Finally, the conclusions that resulted from this research will be in Chapter 6. This
chapter will also discuss the problems discovered during the course of the research,
state the summary of contributions and suggest some possible directions for future
research.
1.2 History
1.2.1 Watermarking
Watermarking is the process of placing a piece of information upon a document,
which can be a physical object such as a piece of paper or a photograph. It can also
be placed upon signals such as electronic forms of music, a digital image or video.
The latter is known as digital watermarking. Watermarks contain information usually
pertaining to the document, such as the author of the document. A watermark can
also verify the authenticity of a document.
Page 2
Chapter 1 Introduction
Watermarking can be traced back to ancient China, when owners of precious objects,
such as artwork, would stamp their stylised name upon the item to identify owner-
ship. Watermarks also used to feature in the manufacturing of paper, as a means of
identifying the mill that produced the paper, as well as indicating the type, quality
and strength of the paper. Watermarking is still widely used today, especially in the
authentication of paper money.
The hidden form of placing information upon a document is known as steganogra-
phy. Steganography is derived from the Greek words steganos, meaning “covered”,
and graphia, meaning “writing” – “covered writing”. The document in this case is
usually known as the work or cover work.
Steganography can be traced back to ancient Greece as well as ancient China. In
ancient China, messages were written on silk, scrunched and hidden in a ball of wax,
then swallowed for transmission. In Greece, a message was tattooed upon the bare
scalp of a slave. The slave’s hair was allowed to grow back, hiding the message,
before he was sent to the message’s destination, where his hair was shaved off again
to reveal the message.
Steganography was employed during the Second World War, with the use of “spe-
cial inks”, rendered visible only under certain circumstances. Messages were even
shrunk into tiny circles and hidden in the superscript dot above the letters i and j in
an innocent document. Today, with the aid of computers, steganography is also used
to conceal messages within digital media.
Hiding information such as details about a cover work, for example the author of the
cover work, in digital media is known as digital steganographic watermarking. Digital
steganographic watermarking will be referred to henceforth as just watermarking.
1.2.2 Cryptology
While watermarking is concerned with hiding information regarding a message within
the message, cryptography is the art of hiding the message itself. Cryptanalysis is then
the art of un-hiding said message; cryptology is the general name encompassing both
areas. The process of enciphering the message is called encryption, and the corre-
sponding process of deciphering is referred to as decryption.
Cryptology naturally began in the field of linguistics, to hide spoken or written words,
its history spanning as long as that of watermarking. The oldest notable instance of
Page 3
1.3 Assumptions
the use of cryptography was by Julius Caesar, who used a simple substitution algo-
rithm, replacing a letter with another letter further down the alphabet, essentially
shifting the letter by a fixed amount. Hence these kinds of ciphers were known as the
shift ciphers.
During the Second World War, codebooks were employed as a means of encryption
and decryption. These codebooks were lookup tables consisting of a series of words
or phrases and the possible strings that could be used to represent them. Since a word
or phrase was selected to be equivalent to a unique, fixed-length block of letters, these
types of cryptosystems were known as block ciphers.
Later, cryptography moved from linguistics to the digital medium, especially for
faster and easier cryptanalysis, where a cryptanalyst can attempt to break the cryp-
tographic system or cryptosystem, with the greater processing abilities of a computer.
This meant longer key lengths and more cunning algorithms and protocols needed
to be devised to prevent easy cryptanalysis, and cryptosystems today are typically
made and broken with the aid of high-speed computers.
1.3 Assumptions
There are also certain assumptions associated with watermarking methods, in re-
gards to their survivability against attacks. A moderately skilled attacker with one or
two adequately powerful computers and a reasonable level of expertise in signal and
image processing should be anticipated. This attacker will also be willing to spend
up to a few days trying to remove or corrupt a watermark.
The most important assumption is that of attacks from a “person”, either an indi-
vidual or a company, involved in the transaction. This assumption is reasonable as
a study has shown 77% of piracy occurred through insider sellout, originating from
among pre-mass-distribution organizations (Byers et al. 2003). This person will pre-
sumably know the method used to embed the watermark into the cover work, the
form of the watermark, the embedding key(s), the detection method and the encryp-
tion method(s) used. These are generally known as insider attacks.
There are also more specific attacks. These attacks can be deliberate or non-deliberate.
For instance, the normal image processing techniques are usually non-deliberate, but
Page 4
Chapter 1 Introduction
because they might distort the watermark, these processing methods must be con-
sidered as attacks. The attacks can also be individually applied or in conjunction, but
only to the extent that the cover work is not compromised.
Types of expected attacks are as follows:
• Common signal processing: such as digital-to-analog and analog-to-digital con-
version, resampling, requantisation (including dithering and recompression),
and common signal enhancements to image contrast and colour;
• Common geometric distortions: such as rotation, translation, cropping and
scaling;
• Subterfuge attacks: such as collusion and forgery;
• Specialised attacks: such as the jitter attack and the mosaic attack; and
• Video-specific attacks: such as frame shuffling, frame insertion, frame removal
and inter-frame collusion.
These will be discussed in greater detail in §3.1.3.
1.4 Background and Aim
The earliest example of digital copy protection occurred in 1954, when a patent was
applied for by Emil Hembrooke of the Muzac Corporation, “Identification of sounds
and like signals” (Hembrooke 1961). The patent described a method of identifying
the owner of a piece of music by embedding an unnoticeable identification code into
the music, comparative to a watermark in paper. Since then, digital copyright pro-
tection has blossomed into an increasingly important area of research and interest.
In 1996, a group known as the DVD Copy Protection Technical Working Group
(CPTWG), formed by the Motion Picture Association of America (MPAA), the Con-
sumer Electronics Manufacturers Association (CEMA), and members of the com-
puter industry (Miller et al. 1999), began developing copy protection systems for
DVDs. They developed a systems known as the Copy Generation Management Sys-
tem (CGMS). This system was based on compliant recording machines, which can be
consumer devices such as DVD burners. These compliant devices check for special
Page 5
1.4 Background and Aim
instructions on a DVD, dictating whether a DVD can be copied with no limits, copied
once or never copied. Such a technique is known as copy control (Linnartz 1998, IBM
Research 1999). However, a non-compliant DVD player can be utilised to remove the
CGMS (Miller et al. 1999).
A method of implementing device control, developed by Macrovision, was the Analog
Protection System (APS). This system prevents DVDs from being recorded on VCRs.
However, there are also ways of circumventing this system as shown by (Miller et al.
1999) and (King et al. 1999b).
Another method of implementing device control, known as the Content Scramble
System (CSS), developed in 1997, was also created by the CPTWG. CSS is an encryp-
tion and decryption system for compliant DVD players. Compliant DVD players
possess certain keys, licensed by the DVD Copy Control Association (DVD CCA),
which allows them to decrypt the encrypted content on a DVD (Kesden 2000).
However, in 1999, an European group known as MoRE (Masters of Reverse Engi-
neering) created a program called DeCSS, which copies the contents of a DVD di-
rectly into a user’s hard drive. This was possible due to an error on the part of one
of the manufacturers, Xing Technology Corporation, in failing to properly encrypt
its decryption key. Not only was Xing Technology Corporation’s key exposed, but
because of the relationship between each of the CSS keys, some 170 keys belonging
to other manufacturers were uncovered through reverse engineering and trial and
error (Patrizio 1999, Ketola 1999). This effectively rendered CSS obsolete. Even if
this method of circumventing CSS had not been discovered, sooner or later the CSS
encryption would have been broken by cryptoanalysis (King et al. 1999a, Stevenson
1999, Kesden 2000).
Thus the industry was forced to recognise that once encryption is removed from a
digital document, that document is no longer protected, and that compliant machines
was not enough of a protection. To augment the use of compliant machines and en-
cryption systems, much of the copy protection focus has shifted to the development
of watermarking schemes that track and enable the prosecution of people that traffic
in illegal distribution.
Watermarking techniques and methods are highly dependent on their application
areas. Seven possible application areas as defined in (Bloom et al. 2001b) are:
1. Broadcast Monitoring
Page 6
Chapter 1 Introduction
2. Owner identification
3. Proof of Ownership
4. Transaction Tracking
5. Content Authentication
6. Copy Control, and
7. Device Control
The focus of our research will be to trace the source of illegal redistribution before
mass distribution. Thus the application area will be transaction tracking, also known
as copy tracing or fingerprinting.
Some of current transaction tracking research has sought to combine watermarking
methods with cryptography as an additional form of security, to prevent certain in-
sider as well as outsider attacks (Piva et al. 2002, Xu et al. 2004, Zhang et al. 2006).
Hence this dissertation will also attempt to incorporate a technical background of
currently used encryption as well as watermarking schemes in Chapter 3 . Our con-
tribution to this combination will be explained in Chapter 5.
The criteria that our watermarking method will attempt to meet are:
• Fidelity: Any watermark embedded using our method should not cause percep-
tible changes to the cover work under normal viewing conditions.
• Robustness: The watermarks should be able to survive known attacks (see §3.1.3).
They should not be removable or destroyable without serious degradation of
the cover work.
• Detectability: The watermarks should be detectable by our method only, so as
to remain hidden from attackers. It is also desirable that there be a negligible
probability of incorrect detection of a watermark in a cover work that does not
contain an embedded watermark.
• Conclusiveness: There should be no confusion as to the owner of a watermark.
• Additivity: Watermarks should be immutable by other watermarks placed in the
same cover work, whether embedded by the same method or using a different
method.
Page 7
1.5 Legal Issues
• Capacity/Complexity: The “size” of watermarks should not be such that only
a small number of watermarks can be embedded into any given cover work
without causing perceptible changes. However, embedding too short or too
simple a watermark would mean that the watermark will be less robust and
easier to lose. As the watermarks are intended to be embedded in video, the
embedding will occur in real-time, and hence should have low complexity.
There are various watermarking techniques that have been used to meet the above
criteria. In the past, watermarks have been embedded in the least significant com-
ponents of a cover work to meet the fidelity condition. However, it was discovered
that watermarks embedded in this manner were easily distorted or removed. As the
loss of the least significant components of a cover work do not affect the percepti-
ble quality to the human eyes or ears, these components are often discarded during
compression. This means the removal of the embedded watermark.
However, the alternative approach is to embed in the significant components. This
has the unfortunate effect of possibly becoming visible in the cover work if care is
not taken during embedding. Therefore, a careful balance must be achieved when
attempting to meet the above criteria.
We should also note that this research is not intended to define a permanent one-
off solution but one that can be continually upgraded to keep up with advances in
technology and attacker skills.
1.5 Legal Issues
As this application is intended for commercial use, there are many legal issues that
will need to be addressed. The Acts involved, with respect to Australian law, are as
follows:
• Copyright Act 1968 (Australian Commonwealth Government 1968)
• Electronic Transactions Act 1999 (Australian Commonwealth Government 1999)
• Copyright Amendment (Digital Agenda) Act 2000 (Australian Commonwealth
Government 2000)
• CyberCrime Act 2001 (Australian Commonwealth Government 2001)
Page 8
Chapter 1 Introduction
International law or agreement may also need to be recognised, such as the Free Trade
Agreement that has been arranged between Australia and the United States of Amer-
ica. This agreement means that US Intellectual Property Laws are enforceable in Aus-
tralia. This legislation includes:
• The Digital Millennium Copyright Act of 1998 (US Copyright Office 1998)
The legal issues are particularly relevant in this area of research as it deals with mu-
tual distrust, where neither company involved in a transaction can be trusted, and
both are capable to violating copyright. Mutual distrust will be explained in more
detail in Chapter 4. Research in this area must be legally sound to ensure that no
legal loopholes can prevent persecution. However, for the time being, since this re-
search is as yet a purely intellectual pursuit and non-commercially linked, these laws
are noted here but not addressed.
Page 9
Page 10
Chapter 2
A Review of the State ofthe Art
THOUGH both cryptography and watermarking deal with the
concealment of some secret, cryptography is about obscuring the
veracity of the content of a message but not the existence of the
message, while steganographic watermarking is about hiding the very
existence of the message. As a result, though both have the same roots,
they are very different in application and development. This chapter gives
a review of both these areas of security, as well as literature with a union
of these two areas.
Page 11
2.1 Watermarking Alone
2.1 Watermarking Alone
The idea of digital watermarking was introduced in 1954 by Emil Hembrooke’s patent,
but the field is still undergoing more of an evolution with the never-ending cycle of
more techniques coming in to attack watermarking schemes, and more schemes be-
ing created to prevent those attacks.
Turner (1989) produced a patent for digital audio watermarking which replaces the
least significant bits of random audio samples with bits from the watermark. This
idea can also be applicable for digital images and video (van Schyndel et al. 1994),
however, using the least significant bit of a content means that the watermark can
easily be destroyed or removed, for instance during signal processing with a simple
low-pass filter operation, and compression.
Tanaka et al. (1990a), Tanaka et al. (1990b), and Matsui and Tanaka (1994) looked into
adapting watermarks to the document’s representation. For example, they put forth
that whether an image was represented by dithering, linear predictive coding or run-
lengths (fax) should determine how a watermark will be encoded. However, it was
unclear whether some of these methods suggested will be robust to typical signal
processing.
Brassil et al. (1995) presented several watermarking system for text documents that
are being distributed electronically. These methods involved the indiscernible shift-
ing of lines, words or characters in a document according to some decision rule to
track a document, even after the document has undergone photocopying. However,
the authors noted that these methods can be defeated by randomly shifting lines,
words or characters slightly.
Caronni (1995) introduced the term tagging, where a tag is defined as “the sum of
hidden information introduced into an image”, similar to a watermark. They listed
a series of requirements for tags, then suggested methods of embedding a tag into
an image. These include the automatic or manual altering of picture elements, for
example, automatically detecting and shifting borders within the image, or manually
adding more leaves to a tree. They showed an experiment with altering the intensity
of the image in chosen rectangular blocks, with special considerations taken to hide
the rectangles in the natural noise of the image. However, though the tag is inde-
pendent of the image, this process will only work on selected images, as noted by the
author, not on images with a large number of homogenous regions or too many sharp
Page 12
Chapter 2 A Review of the State of the Art
edges. This process may also be susceptible to normal forms of image processing as
the tag is also an image. In addition, the process requires an explicitly trustworthy
image owner, which may not always be the case (Byers et al. 2003).
Cox et al. (1995) placed a watermark into the perceptually significant components
of a signal. This means that the watermark would be robust to typical signal dis-
tortions and attacks. To avoid degrading the image excessively, the watermark was
placed into the discrete cosine transform (DCT) components of the image using an
idea similar to spread spectrum communications, i.e. hiding a narrow-band signal
(the watermark) in a wide-band channel (the image). The length and strength of the
watermark was then adjustable depending on the requirements of the data. Placing
the watermark into the perceptually significant components of an image meant that
the hidden watermark would be difficult to uncover and remove, however if the wa-
termark is not carefully embedded, it may become visible to all, and hence distort the
image itself.
Bender et al. (1996) presented two different approaches to watermarking, (1) Patch-
work, a statistical approach, and (2) Texture Block Coding, a visual approach. The
first approach works by randomly choosing a pair of image points, A and B. Letting
a equal the brightness of point A, and similarly for B, then increase each ai and de-
crease each bi by the same amount δ, for the ith iteration of the procedure, repeating
n times such that the expected value of the sum of the difference of the pairs is 2δn.
They then suggested improvements such as taking groups of several points instead
of singular point to increase the robustness of the process. While this technique is re-
sistant to most non-geometric image processing, it assumes all brightness levels are
equally likely, which is not usually the case. The second approach hides data in the
continuous i random texture patterns of an image by copying a region from a random
texture pattern to an area which has similar texture. The identical areas can then be
detected by using autocorrelation of the image to recover the shape of the areas. In
this paper, the visual method requires that the region texture mappings be done man-
ually, but these could be automated. However, this method is limited to images with
lots of texture, and can be defeated with selective image processing, such as replacing
textured areas with a similar random texture pattern, which reduces the amount of
texture than can be autocorrelated.
Smith and Comiskey (1996) considered embedding watermarks from an information
theoretic point of view. Therefore the original image is viewed as the noise and the
Page 13
2.1 Watermarking Alone
watermark to be embedded as the signal, modelling the hiding capacity, perceptibil-
ity and robustness of a watermark using the image’s channel capacity, signal-to-noise
ratio (SNR), and jamming margin or processing gain. Several spread spectrum or
spread spectrum-like watermarking schemes were discussed, analysed from an in-
formation and communication theory perspective. A new hiding scheme was then
proposed, whose parameters are adjustable depending on whether capacity, imper-
ceptibility or robustness was the primary factor. In addition, a new technique called
predistortion was presented to increase resistance to known distortions that will be in-
troduced to the system. For example, if it is known that an image to be watermarked
will be later JPEG compressed, then the watermark should be JPEG compressed and
uncompressed as well. This process however assumes a Gaussian channel distribu-
tion, which may not be a sufficiently accurate model, and the watermark will not be
a function of the image, as they were assuming capacity as the primary factor.
Langelaar et al. (1997) introduced two watermarking methods, (1) an extension of an
existing spatial labeling technique, and (2) a method that discards high frequency
DCT coefficients as a way of embedding a label. The first method extends Pitas and
Kaskalis’ method (Pitas and Kaskalis 1995), which adds positive integer constant k
(the label embedding level) directly to the brightness level of half the pixels in an
image. In addition, Langelaar et al. divided the image into blocks and searched for
an optimal label-embedding level k for each block instead of using a fixed embed-
ding level, and k is determined using a lower quality JPEG compressed version of
each block. This was to give the method a larger label for greater robustness, espe-
cially against JPEG compression, and lower noticeability. However, this meant that
the method is more complex and not ideal for real-time implementation due to the
compression and recompression step, and the labeling itself. This method is also very
susceptible to geometric attacks such as cropping and shifting. The second method
avoids the partial recompression by removing the high frequency DCT coefficients
of particular DCT blocks. This method proved to be more robust to cropping and
shifting than the first method, and can be implemented in real-time as it embeds rel-
atively few labels, however this method is not as resistant to JPEG compression or
combinatory attacks such as JPEG compression followed by shifting.
Page 14
Chapter 2 A Review of the State of the Art
Hartung and Girod (1997) presented a public-key watermarking scheme for compres-
sed video as well as images, where decoding of the watermark is not made com-
pletely public. The watermark is embedded along the same principles as direct-
sequence spread spectrum communications, and is composed of the spread version
of a binary sequence, bi, a watermarking strength factor, α, and a binary pseudo-noise
sequence, pi. Decoding the watermark is then achieved by summing the filtered, wa-
termarked video frame multiplied by pi, yielding a correlation sum from which the
binary sequence can be extracted. They suggested that a public version that does
not allow the watermark to be fully decoded, and hence removable or corruptible,
is possible by only summing the filtered watermarked video frame multiplied by a
pseudo-noise sequence where only every n-th bit is from pi and the rest are arbi-
trary values with the same distribution. This yields a correlation sum that is 1/n the
fully decoded correlation sum. However, this process still assumes a trusted owner
scenario.
Crowcroft et al. (2000) presented a novel patent for multicasting watermarks as a
method of tracing copies of a document. The method basically takes an image and
subdivides it into very small portions. Each of these portions are uniquely water-
marked several times. These watermarked portions are then transmitted through a
part of devices, each of which randomly decides which copy of each portion is trans-
mitted, which are then assembled at the receiver end to produce a uniquely marked
image. In this manner, the path that the pieces of the image can be determined. How-
ever, this method depends on compliant devices, the security of which is difficult to
ensure.
2.2 Cryptography Alone
Cryptography is a field that has been around for as long as there has been a need
for secret communication. Encrypting a message can be as simple as replacing each
unique element of the message with a number, and then adding a constant value to
each number. This constant value is then considered to be the key for the system and
in this instance is used in both encrypting, by adding the key, and decrypting, by
subtracting the key. More difficult cryptosystems will be introduced in Section 3.2.
Page 15
2.2 Cryptography Alone
For this particular research, we are only interested in public-key cryptosystems, where
the encryption and decryption keys are not the same. A more concise definition of a
public-key cryptosystem is also given in Section 3.2.
2.2.1 General Cryptosystems
The following cryptosystems are general in that they can be used for almost any
input, with no consideration for the type of message being encrypted and decrypted.
In 1977, Rivest, Shamir and Adleman created RSA (Rivest et al. 1978), one of the most
famous public-key cryptosystems known. They described a method in which two
large prime numbers are combined and used together with modulo arithmetic to
build a system whose security is based on the difficulty of factorising large numbers.
However, there must be careful choice in the prime numbers or prime factorisation
algorithms such as in (McKee 1999) may be applied.
ElGamal (1985) presented a cryptosystem that is based upon modulo arithmetic and
relies on the difficulty of solving the discrete logarithm problem for security. ElGa-
mal algorithm is more often used for signature and authentication schemes. Shoup’s
(1997) paper looks into ways of solving the discrete logarithm problem.
The Rabin cryptosystem was developed by Michael Rabin (Rabin 1979). As with
Rivest, Shamir and Adleman’s algorithm, RSA, the security of the cryptosystem is
based on the difficulty of factorising large numbers. Breaking the Rabin cryptosystem
is provably as hard as integer factorisation. The disadvantage of this cryptosystem is
that an encrypted message must be correctly surmised from four possible outcomes.
Elliptic curves were first suggested for use in cryptography in 1985 (Miller 1985).
Elliptic curve cryptosystems (ECCs) have been found to be generally easier to im-
plement but just as hard to defeat as conventional cryptosystems (Lam et al. 1996,
Araki et al. 1998, Rosing 1999, Torii and Yokoyama 2000, Burnett et al. 2002). Due to
their shorter required key-lengths for security, ECCs have become increasingly inter-
esting for use (Hankerson et al. 2000, Yang et al. 2003) and have even been chosen
for inclusion in the NSA’s Suite B set of algorithms (National Security Agency 2005).
As with conventional cryptosystems, ECCs do have the weakness that if the curves
are not carefully chosen, the whole cryptosystem may become vulnerable to special
attacks (Wiener and Zuccherato 1999, Gaudry 2000, Gaudry 2004).
Page 16
Chapter 2 A Review of the State of the Art
The Pallier cryptosystem was created by Pascal Pallier in 1999 (Paillier 1999). The
security of the cryptosystem is based upon the Composite Residuosity (CR) assump-
tion, where computing the n-th residue of a message is believed to be computation-
ally difficult. The important aspect of the Pallier cryptosystem is its homomorphic
property with respect to addition. This allows plaintexts to be added and multiplied,
making it a more malleable cryptosystem. However, this homomorphic property also
causes the cryptosystem to be weaker than conventional cryptosystems such as RSA
against adaptive chosen-plaintext attacks.
2.2.2 Image- and Video-Specific Cryptosystems
There are many general classes of cryptosystems as seen in the previous section.
However, though these general cryptosystems can be used for almost any input, they
are either more suited to text documents or bear no consideration for the type of mes-
sage being encrypted and decrypted.
Image and video encryption presents a whole different range of issues that must be
dealt with. For example, there are usually more symbols required than with text.
English text has the usual 26 letters of the alphabet plus special characters, whereas
images can take any integer value within their representation, for instance 8-bit im-
ages can take values from 0 to 255, and colour images have 3 colour planes too. Video
not only has the representation and planes, but 3 different frames as well. Hence,
image and video data are usually much larger than text data. All this means that
encryption using the typical cryptographic schemes will take a great deal longer to
encrypt.
In addition, images and videos undergo many signal and geometric processing oper-
ations. Hence image- and video-specific cryptosystems are aimed at reduced compu-
tational complexity and permit for loss, for example when compression is used, and
for real-time processing. That is, the cryptosystems should not increase the size of a
compressed document too much, should be fast to implement for real-time applica-
tion, and yet still be secure.
Since compression is one of the most time-consuming processes in image and video
processing, combining compression and encryption will be faster than separating the
two processes. The following literature looks into image and video encryption and
decryption combined with compression.
Page 17
2.2 Cryptography Alone
Qiao and Nahrstedt (1997b) discussed problems associated with the symmetric, ran-
dom zigzag-permutation cryptosystem for MPEG video, to be used during the com-
pression stage. They showed that this method of encryption not only increased the
size of the compressed document noticeably but is insecure and unable to with-
stand the known-plaintext attack. They further suggested an algorithm in (Qiao and
Nahrstedt 1997a) that would work better as it is based on the statistical analysis of
MPEG video. However, both systems are symmetric, which limits their range of ap-
plications.
Cheng and Li (2000) suggested a partial encryption method combined with com-
pression that is faster than full encryption and yet is still secure, without reduc-
ing the compression rate. However, this algorithm, as noted by the authors, is not
suitable for JPEG and MPEG compression. Hence they suggested two methods of
compression that this method does work with: quadtree compression algorithm and
zerotree wavelet compression algorithms, i.e. Set Partitioning in Hierarchical Trees
(SPIHT) compression algorithm. They then experimented with their partial encryp-
tion method and the two types of compression methods which showed promising
results for both image and video data.
Chang et al. (2001) offered a secure encryption and decryption system for images
with reduced computational complexity. They discussed issues related with image
encryption and proposed a system based on DES and DES-like cryptosystems. This
system was then used with the vector quantisation compression technique. They
showed that it was robust to a number of cryptographic attacks and that it would
not be very computationally expensive. However, DES is a symmetric system, which
limits its range of applications and does not help with untrustworthy parties.
The system in (Li et al. 2002) is based on multiple, digital chaotic systems, and is
known as the Chaotic Video Encryption Scheme (CVES). CVES is independent of
any video compression algorithms, which makes it useable in many applications,
and it gives reliable security as well as fast encryption. However, under certain ini-
tial conditions there may be a many-to-one mapping which must be avoided for cor-
rect decryption. In addition, this system has not yet been tested and has only been
theoretically analysed, and seems complex to implement and time-consuming to run.
Li and Zheng (2002) looked into cryptanalysing a new chaotic key-based algorithm
for image encryption by (Yen and Gou 2000). They showed mathematically that this
system is not secure, even from a brute-force or exhaustive-search attack. They then
Page 18
Chapter 2 A Review of the State of the Art
discussed methods of improving the security of the system but concluded in the end
that this system cannot be improved to the point it will ever be secure.
Lin et al. (2003) proposed a public-key optical image encryption algorithm based
on data embedding techniques. Their systems employs what they called a double-
random-phase encoding in which an image is multiplied by a random-phase mask
in the spatial domain, and then another random-phase mask in the Fourier domain,
to encrypt the image. The keys used to generate the random-phase masks are then
asymmetrically encrypted and also embedded into the encrypted image. This en-
crypted image is then used as a secret channel to hide information within. The re-
sulting decrypted image sustains some distortion in the process, but is still viewable.
What is interesting is that the hidden information survives the process. Attacks to
destroy the hidden information result in too much degradation to the image channel.
Hence, this system may be employed as a method of combining steganographic wa-
termarking and cryptography, if we can reasonably assume that a watermark can be
the hidden information. However, even though this system is based on public-key
cryptography, only the encryption of the keys is asymmetric, whereas the image part
of the encryption, i.e. the process of masking the image into a covert channel, uses
symmetric encryption, which does not work in a mutually distrustful environment.
A system for encrypting binary images is proposed by del Rey (2004) through the
use of hybrid boolean cellular automata (CA), i.e. Wolfram CA, as pseudorandom
bit-generators. This cryptosystem is essentially an XOR stream cipher, which means
that the encryption procedure itself will be fast, and has perfect decryption. However,
it is a symmetric cryptosystem, which limits its field to that with trusted parties, and
is for use on binary images.
Kim et al. (2004) have created a system for MPEG-4 based videos. The major ad-
vantage of their system is that it adds as little as possible excess load on the video
streaming system. In the paper, the authors describe three methods for macroblock
encryption. The first works on the I-VOP (video object plane), the second on the
P-VOP, and the third method combines the previous two techniques for the best se-
curity with an additional overhead cost. The specialisation of this system for MPEG-4
video, however, limits it from use in other video types.
The partial encryption idea in Cheng and Li’s (2000) paper seems the most easy and
least complex system to implement. It is especially interesting as it can be used
Page 19
2.3 Watermarking and Cryptography
for wavelet compression and spread spectrum watermarking can be adapted to the
wavelet domain.
2.3 Watermarking and Cryptography
Watermarking and cryptography are often both used in the pursuit of document pro-
tection, but often they are considered separate entities, even when both are used in
the same system. More recent research has looked into the use of the two protec-
tion techniques in cooperation, thus allowing the two systems to complement one
another.
Piva et al. (2002) provide a protocol combining watermarking and an encryption sys-
tem for open networks such as the Internet. This protocol is designed to allow users
to verify that required watermarks have been embedded but are not removable by
other users. However, this protocol would only be useful in a legal transaction, and
for users who want legitimate copies of a document. The mind-set of most users
these days, particularly for video content, is wanting the most cost efficient solution,
regardless of legalities, and whatever watermarks are embedded.
In (Xu et al. 2004), a hybrid encryption and watermarking technique is introduced.
The basic idea is that for a multiple party (multicast) transaction, a secret is parti-
tioned between transacting parties, with a symmetric encryption system used for
security. However, secret sharing and symmetric cryptosystems require completely
trustworthy parties, which cannot be guaranteed.
Zhang et al. (2006) presented a full protocol for watermarking, including registration,
identification and arbitration, using a combination of typical watermarking tech-
niques and public-key cryptography, based on the idea of shared secrets. They used
two rounds of watermarking, with homomorphic encryption with respect to addi-
tion in the middle, to ensure a secure system. However, there are too many steps
required, which makes this system difficult for real-time applications and increases
the chance of a mistake collapsing the security of the system. In addition, this system
does prevent the owner of a document from being deceitful, but does not prevent the
buyer from removing their watermark upon receiving the decrypted marked image,
since the secrets are shared rather than entangled.
Page 20
Chapter 2 A Review of the State of the Art
2.4 Summary
Many of the above watermarking techniques are aimed at tracking or preventing
piracy after mass-distribution. In addition, all the above watermarking techniques
do not fully allow a system in which there is an invisible, traceable watermark that is
robust to attacks, safe in transmission, and addresses the issue of the originator of a
document being capable of deceit as well.
The system that best addresses the above issues is the clever protocol designed by
Zhang et al. (2006), mentioned above. However, even that has its limitations.
Therefore, we present a protocol for entangling secrets rather than the sharing of se-
crets, through a process we call staining. Staining uses basic watermarking and en-
cryption techniques to ensure a simplified and easy-to-use system, and will be fully
presented in the following chapter. For now, we present the technology and intro-
duce the knowledge required to follow various technical aspects of the research.
Page 21
Page 22
Chapter 3
A Technical Backgroundon Watermarking and
Cryptography
THISchapter expounds on the previous chapter by giving a tech-
nical background into both the areas of watermarking and cryp-
tography. Included are the background information required to
understand certain aspects of these two areas of security.
Page 23
3.1 Steganographic Watermarking
Figure 3.1. An example of fragile watermarking.
3.1 Steganographic Watermarking
In general, there are two types of watermarks: fragile and robust.
Fragile watermarks are mainly invisible, but can be visible, and are used as a signa-
ture or verification of authenticity. Any tampering with the cover message that the
watermark is embedded into will cause the watermark to be corrupted or destroyed,
hence showing that it has been altered. The black cat in the bottom right corner of
Figure 3.1 is an example of a fragile watermark.
Robust watermarks tend to be invisible to the eye, but can be visible, and are embed-
ded with the intention that they should survive major changes to the cover message.
The purpose of robust watermarks is to serve as a method of identifying the owner,
origin, or other pertinent information regarding the cover message. Figure 3.2 is a
very simple example of a robustly watermarked image and the watermark embed-
ded. In this case, the watermark has been embedded in the 4 LSBs of the image to
deliberately show the faint presence of the watermark. However, note that this par-
ticular watermarking scheme is weak against compression, and here is only used to
illustrate robust watermarking.
The general steps of a watermarking system, shown in Figure 3.3, are
Page 24
NOTE: This figure is included on page 24 of the print copy of the thesis held in the University of Adelaide Library.
Chapter 3 A Technical Background on Watermarking and Cryptography
Figure 3.2. An example of robust watermarking.
��
�
�
M
W
kw
M’
Figure 3.3. The most general watermarking system.
1. Select watermarking key, kw;
2. Select components of cover work, M, in which to hide the watermark, W. These
are usually determined by some watermarking algorithm;
3. Apply key on watermarking algorithm to obtain watermarked cover work, M′.
Steganographic watermarking is the art of concealing a secret message within an-
other innocuous cover message, also known as the cover work or host data. In this the-
sis, the term cover work is used. Steganographic watermarks are robust types of water-
marks. Henceforth, steganographic watermarking is referred to as just watermarking
(Bloom et al. 2001a).
Watermarking algorithms aim to hide the watermark within the perceptually signif-
icant portions of the cover work. Slightly different to cryptographic systems, which
require either that the encrypted message be revealed or the encryption system be
Page 25
NOTE: This figure is included on page 25 of the print copy of the thesis held in the University of Adelaide Library.
3.1 Steganographic Watermarking
unravelled, a watermarking algorithm is broken when an attacker detects that a wa-
termark has been inserted, and can alter or remove the watermark. A watermarking
algorithm is also considered broken even if a watermark cannot be removed but can
be reproduced in another document, casting doubt as to its authenticity in the orig-
inal document. Similarly for cryptography, Kirchhoff’s Principle must hold as well
for watermarking algorithms. That is, the security of a system should not rely on the
secrecy of the algorithm but on the secrecy of the key.
3.1.1 Watermarking Categories
Watermarking methods fall under three categories: non-blind (or private), semi-blind,
and blind (or public) systems. In non-blind systems, in addition to the marked copy,
the original or a copy of the original cover work and all secret keys are required to
extract an embedded watermark. This extracted watermark is then compared against
the original watermark. In semi-blind systems, the watermark and all secret keys
are needed to extract this watermark or detect whether this particular watermark is
present in a watermarked cover work. In blind systems, only the keys are required.
Blind watermark detection systemshave the advantage that they are more secure and
easier to use, since only the key is required for detection, and more importantly can
be placed in the public domain for use. However, there are difficult trade-off issues
between capacity and cover work interference. Put simply, there is only a certain
amount of information that can be embedded before the presence of the watermark
causes significant changes to the cover work. This is known as the maximum capacity
of a watermarking scheme. It will be discussed further in § 3.3.1.
Non-blind watermarking systemshave the advantage that there is full knowledge
of the watermark available for collaboration. However, such a system will have to
be kept essentially secret, which means it does not follow Kirchhoff’s Principle, and
hence its usability as well as its security is reduced.
The remaining option is then a semi-blind system, with a combination of blind and
non-blind properties.
Page 26
Chapter 3 A Technical Background on Watermarking and Cryptography
3.1.2 Spread Spectrum Watermarking
Spread spectrum watermarking is based on spread spectrum communication. The
idea is to spread a watermark over a transformed message or cover work. One fre-
quently used spread spectrum system was created by Cox et al., known as Cox’s
algorithm (Cox et al. 1995). In the algorithm, Cox et al. used discrete cosine transform
(DCT) to stretch the cover work. However, discrete wavelet transform (DWT) or any
stretching function will do as well.
Definition 3.1.1 2D Discrete Cosine Transform (DCT):
V(i, j) = c(i)c(j)n1−1
∑x=0
n2−1
∑y=0
M(x, y) cos[
πi2n1
(2x + 1)]
cos[
π j2n2
(2y + 1)]
(3.1)
where M is the amplitude at image coordinate (x, y), n1 and n2 are the dimensions of the
image, and c(k) =√
2/n with c(0) =√
1/n.
Definition 3.1.2 2D Inverse Discrete Cosine Transform (IDCT):
M(x, y) =n1−1
∑i=0
n2−1
∑j=0
c(i)c(j)V(i, j) cos[
πi2n1
(2x + 1)]
cos[
π j2n2
(2y + 1)]
(3.2)
where conversely V is the value of the DCT at coordinate (i, j), n1 and n2 are the dimensions
of the image, and c(k) =√
2/n with c(0) =√
1/n.
In Cox’s algorithm, a factor known as the strength of the watermark, α, is used to
adjust the amount of impact the watermark will have on the cover work. Ideally, α
should be adaptable rather than a single value used throughout as below. Embedding
is then achieved through one of the following three equations:
1. V′ = V + αW
2. V′ = V(1 + αW)
3. V′ = VeαW
where V is the transformed cover work and V′ is the corresponding transformed
cover work after watermarking. To detect the watermark, the process is reversed
given V′ and V (pg. 6 of (Cox et al. 1995)), and the watermark extracted for com-
parison to a set of watermarks. Hence Cox’s watermarking algorithm is a non-blind
system.
Page 27
3.1 Steganographic Watermarking
Table 3.1. Summary of Cox’s watermarking algorithm
Setup:
• Choose cover work, M, of size n1 x n2.
• Choose random watermark vector, W, of length 1000 ≤ l � n1n2.
• Choose appropriate watermark strength, α, so that watermark
remains hidden.
Insertion steps:
1. Discrete cosine transform (DCT) the cover work, V = dct(M).
2. Find the l largest dct values and embed the watermark,
e.g. for i = 1 to l, V ′max,i = idct(Vmax,i(1 + αWi)).
2. Insert altered l largest values back into V and perform inverse DCT,
M′ = idct(V ′).
Detection steps:
1. Extract watermark by reversing insertion process.
2. Compare statistically to set of watermarks for match. (See 3.3.5.)
3.1.3 Attacks and Defenses
This chapter details the attacks listed in Section 1.3, and also briefly describes how
past watermark designers have attempted to prevent and defend against these at-
tacks.
Common Signal Processing
Common signal processing procedures can be operations such as digital-to-analog
conversion, analog-to-digital conversion, resampling, requantisation and signal en-
hancements commonly applied to video.
It was found that a technique that uses the same principle as spread spectrum ra-
dio communication is robust to these operations (Cox et al. 1995). Spread spectrum
communication distributes a signal with a small bandwidth across a much larger
bandwidth, resulting in a stretched-out, white-noise-like signal. Hence the signal is
undetectable (Meel 1999).
For watermarking, the watermark is the signal with the smaller bandwidth. The
watermark is usually repeated several times throughout the video data, which is
analogous to the larger bandwidth. The watermark can be placed in either the spatial
Page 28
Chapter 3 A Technical Background on Watermarking and Cryptography
or the spectral domain of the cover work such as described in (Chouinard et al. 1999,
George et al. 1999). Particular to video, it can also be placed in the MPEG-2 bitstream
as described in (Girod and Hartung 1998).
Another common signal processing procedure is high frequency filtering. This pro-
cedure is commonly used to remove the perceptually insignificant components for
better compression. This means that any watermark must be embedded in the per-
ceptually significant components, but this may noticeably distort the cover work.
Hence, care must be taken in the embedding of the watermark.
Common Geometric Distortions
Common geometric distortions can be operations such as rotation, translation, crop-
ping and scaling. Malicious geometric distortions can be the simple moving of the
corners of an image by an insignificant amount. However, spread spectrum water-
marks, described in the previous section (§ 3.1.3), are again robust to these distortions.
Another technique used in watermarking is the use of reference symbols commonly
used in video motion compensation. Particular pixels are chosen as reference sym-
bols. After undergoing distortion, the reference symbols are re-located and the amount
of distortion can be calculated by comparison with the original picture, and compen-
sated for. This technique consumes a great deal of memory, however, and is not fea-
sible for large distortions, as incorrect reference-matching may occur. This method
also has limited use as it requires knowledge of the original picture. These types of
methods are known as non-blind methods.
In (Dugelay and Petitcolas 2000), the authors discuss a blind method known as resyn-
chronisation. Particular pixels in the watermark are preset to known values so that
they may be used as the reference points. However, this method means most of the
watermark will be set apart for resynchronisation, reducing the amount of useful in-
formation present in the watermark. This approach was deemed too computationally
expensive to be useful.
This led to a self-referencing technique (Kutter 1998), the idea of which was to re-
peat the watermark throughout a cover work, such that the copies of the watermark
overlapped by a fixed amount, thus making the watermark itself a calibration signal.
However, detecting the watermark can become computationally expensive.
Page 29
3.1 Steganographic Watermarking
Another technique, known as the block based (Girod et al. 1999, Dugelay and Petitcolas
2000) approach to watermark detection was also considered. This work considered
the idea that although geometric distortions can be quite severe when considering an
image as a whole, since the resulting image needed to be visually aesthetic, a small
section of the image cannot contain large geometric distortions. Hence the distor-
tion can be estimated, block by block, and compensated. However, this technique
becomes computationally expensive as the size of the blocks decrease.
Specialised Attacks
Two specialised attacks we will be discussing are the jitter attack and the mosaic attack.
Specialised attacks are not necessarily malicious operations. They can have innocu-
ous applications, but function in such a way as to have disastrous consequences upon
watermarked objects.
Jitter is a timing fluctuation in a signal (Anderson et al. 1998a). In audio, it can be
caused by tools used to change the length of musical tracks, such as those used nor-
mally by radio DJs. In digital images, this could be caused in the process of repairing
a damaged image by deleting or replicating pixels. These fluctuations are usually
imperceptible to the human ears and eyes, however, jitter attacks are particularly
effective against spread spectrum signals and watermarks. This is because spread
spectrum techniques require synchronisation with the chiprate that is used to spread
a signal. Due to the usefulness of spread spectrum techniques in their resilience to
amplitude distortions and noise additions, ways have been formed to compensate
for this weakness, as described in (Chouinard et al. 1999) and (George et al. 1999).
The mosaic attack is a process in which an image or video frame is taken and seg-
mented into, for example, six pieces (Anderson et al. 1998a). The picture can then be
reassembled and displayed as six different images placed in their correct order. The
watermark cannot then be detected as it has been broken. The image can be broken
into as many pieces as necessary to prevent the watermark from being detected. This
attack occurs more commonly with images than in videos as there are usually far too
many image frames to be broken and recombined with any ease or speed. There is
no known defense against this attack. It may be necessary to place the watermark in
every frame of a video, in different locations, but this has complications of its own,
as we will see in § 3.1.3.
Page 30
Chapter 3 A Technical Background on Watermarking and Cryptography
Subterfuge Attacks
Subterfuge attacks are malicious processes deliberately aimed at discovering and
hence destroying watermarks, as is the case with collusion, or with the intent of plac-
ing blame on another, as is the case with forgery.
In collusion, assume an attacker has many copies of a cover work. Each cover work
contains a different watermark, or a set of different watermarks, embedded. Collu-
sion occurs when the attacker is able to discover the watermarking method by com-
paring these copies.
There are two possible defenses against collusion. The first is to make each water-
marked copy uniquely different from every other so that an attacker cannot deter-
mine which components comprise the watermark (Boneh and Shaw 1996). The sec-
ond is to make each copy indistinguishable from another copy, such that an attacker
cannot discern the difference between any number of copies with different water-
marks. We will also be taking the original unmarked cover work into considera-
tion as another copy. Thus possessing the unmarked cover work should not indicate
whether another copy does or does not have a watermark present.
Forgery occurs when an attacker knows enough about the watermarking process to
plant someone else’s watermark onto an illegally distributed cover work. For in-
stance, an attacker may wish to incriminate a rival. A method of preventing this may
be to incorporate time-stamping into the process and having a neutral third party
keep a database on registered watermarks. Then if a watermark with an incorrect
time-stamp is discovered, the implicated person can be absolved.
There are issues with time-stamping, however, such as the issue of whose time to use.
If the time for the stamping came from the PC which was embedding the watermark,
the time can be tampered with. A way to prevent this could possibly be to place
the responsibility of embedding the watermark, including the time-stamping, on the
neutral third party. This may place more burden upon the third party than we desire.
Whichever method is employed, the end result is that it should be very difficult for
any of the watermarks to be forged, even with knowledge of the embedding key.
Video-Specific Attacks
Additional care needs to be taken when watermarking video images. Watermarking
video is significantly different from still images as they are subject to an additional
Page 31
3.2 Public Key Cryptography
range of special attacks. This is due to the characteristics of video such as the prop-
erty of inter-frames and intra-frames, which leads to attacks such as frame shuffling,
frame insertion, frame removal and inter-frame collusion.
Similar or identical watermarks cannot be embedded in successive frames because
the high correlation between the frames can lead to the detection and removal of
the watermarks. However, the watermarks also cannot be completely different, as
they can still be uncovered and erased by identifying the differences between similar
frames.
This trade-off between watermarking every frame differently versus similarly is ad-
dressed in (Wolfgang et al. 1999). The authors proposed two techniques particular
to video. One approach, called the Image-Adaptive Direct Cosine Transform (IA-DCT)
Technique for video, is to embed the watermark within the motion vectors of an MPEG
compressed bitstream. This may produce artifacts, but the authors also proposed a
method to remove these. The other approach is to take blocks of pixels. This method
is quite lengthy to explain and is better described in (Girod and Hartung 1998).
StirMark
StirMark is a benchmark for fair watermark evaluation. In 1997, Fabien Petitcolas,
Ross J. Anderson and Markus G. Kuhn created the first version of StirMark, allow-
ing for simple geometric distortion attacks on watermarking systems. In 1999, it was
released as a benchmarking tool for the quick evaluation of watermarking libraries
(Anderson et al. 1998b, Petitcolas 2000). The benchmark is freely available from Petit-
colas’ website http://www.petitcolas.net/fabien/watermarking/stirmark/.
3.2 Public Key Cryptography
Cryptography began, as did watermarking, in a situation where the sender and re-
ceiver are both explicitly trusted. Hence, both used the same keys for encryption as
well as decryption. However, an immediately obvious problem then arises. How
can the keys be shared? One party would select the key(s), but how do they tell the
other party what key(s) they have selected if they are unable to meet face to face?
This problem was known as the key exchange or distribution problem, which will not be
discussed in this thesis.
Page 32
Chapter 3 A Technical Background on Watermarking and Cryptography
This problem brought about much research until the idea of using separate keys for
encryption and decryption was realized. The encryption key(s) could be published to
the world in general, allowing anyone to encrypt a document for the holder of the se-
cret decryption key(s) to decipher. Such a system is known as a public key cryptosystem
(PKC). It is also known as an asymmetric cryptosystem, as the method for decryption
is different to that of encryption.
A cryptosystem is deemed broken when an attacker can uncover the encrypted mes-
sage without knowing the decryption key. As with watermarking, Kirchhoff’s prin-
ciple should hold for the security of any cryptosystem. During the course of this
project, we looked at several public key cryptography algorithms. These include
RSA, ElGamal, Rabin, elliptic curve-based cryptosystems, and matrix-based cryp-
tosystems such as McEliece.
3.2.1 RSA Cryptosystem
RSA encryption, created by Ron Rivest, Adi Shamir and Leonard Adleman, is based
on modulo arithmetic and relies on the difficulty of factorising large numbers (Rivest et al.
1978).
In RSA, to setup, Bob needs to pick two large prime numbers, p and q, that are not
too close in value (typically q < p < 2 ∗ q), or Fermat’s integer factorisation algo-
rithm can be used to break the system (McKee 1999). Bob must then find n = pq
and φ = (p − 1)(q − 1). Then Bob will need to find an integer e in Zφ/0, which is
coprime or relatively prime to φ, i.e. gcd(e, φ) = 1, and compute d such that ed ≡ 1
(mod φ). The encryption and decryption exponentiations, e and d, can be found
using the Extended Euclidean Algorithm, which finds the greatest common divisor
between two numbers a and b, denoted gcd(a, b) or (a, b), as well as x and y, such
that (a, b) = ax + by. The decryption exponentiation, d, must also be fairly large (e.g.
d > n1/4/3) or Wiener’s attack (Wiener 1990) could be used.
Theorem 3.2.1 (Extended Euclidean Algorithm) Let a and b be positive integers. Define
a[0] = a, a[1] = b,
q[i] =Floor(a[i − 1]/a[i]) for i > 0,
a[i] = a[i − 2] − a[i − 1]q[i − 1] for i > 1,
Page 33
3.2 Public Key Cryptography
Suppose that a[n] is the last nonzero a[i]. Define y[n] = 0 and y[n − 1] = 1. Then taking i
equal to the numbers from n − 2 down to 1 in that order, define
y[i − 1] = q[i]y[i] + y[i + 1].
Then
a[n] = (a, b) = (−1)ny[1]a + (−1)(n+1)y[0]b.
Bob’s public information is (n,e), and his private information is (φ,d). To encrypt,
Alice first obtains Bob’s public information. With the message element, m, she calcu-
lates
c = me (mod n),
and sends c to Bob. On receiving c, to decrypt Bob computes
m = cd (mod n).
The summary of the RSA cryptosystem is given in Table 3.2.
This works because cd = (me)d = med, and ed ≡ 1 (mod p− 1) and ed ≡ 1 (mod q−1) (this is derived from Fermat’s Little Theorem).
Theorem 3.2.2 (Fermat’s Little Theorem) Let p be a prime which does not divide the integer
a, then ap−1 ≡ 1 (mod p).
3.2.2 ElGamal Cryptosystem
The ElGamal algorithm was created by Taher ElGamal and is based on modulo arith-
metic, relying on the difficulty of solving the discrete logarithm problem for security
(ElGamal 1985). The ElGamal algorithm is also used for signature and authentication
schemes.
To setup, Bob picks a large prime number, p, and a random number, g ∈ Fp. Then
Bob picks another random number, kB ∈ Fp/0 and calculates y = gkB (mod p). He
makes public (y, g, p) and keeps private kB.
Page 34
Chapter 3 A Technical Background on Watermarking and Cryptography
Table 3.2. Summary of RSA algorithm
Bob’s setup:
1. Choose 2 large prime numbers, p and q.
2. Compute n = pq and φ = (p − 1)(q − 1).
3. Find 1 < e < φ such that (e, φ) = 1.
4. Compute d such that ed ≡ 1 (mod φ).
5. Make public (n, e) and keep private (φ, d).
Alice’s encryption steps:
1. Obtain message, m ∈ Fn.
2. Compute c = me (mod n).
3. Send c to Bob.
Bob’s decryption steps:
1. Receive ciphertext, c.
2. Compute message, m = cd (mod φ).
The summary of the ElGamal cryptosystem is given in Table 3.3.
Alice obtains Bob’s private information, and with the message, m, and a random
number, kA ∈ Fp, computes c1 = gkA (mod p) and c2 = m · ykA . She sends (c1, c2) to
Bob.
Bob decrypts by taking the received values and calculating m = c2/ckB1 (mod p).
This works because ckB1 = (gkA)kB = (gkB)kA = ykA . Then c2/ckB
1 = m · ykA /ykA = m.
3.2.3 Rabin Cryptosystem
The Rabin cryptosystem was developed by Michael Rabin (Rabin 1979), and like RSA,
the security of the algorithm is based on the difficulty of factorising large numbers.
Breaking the Rabin cryptosystem is provably as hard a integer factorisation, while
RSA is only believed to be as difficult. This cryptosystem has the disadvantage that a
message, m, encrypted to the ciphertext, c, has four possible answers and the answer,
which is only one of these values, must be correctly deduced.
To setup, Bob picks two large primes, p and q, such that they fulfill the requirement:
p ≡ q ≡ 3 (mod 4). This is so later decryption will be easier. Bob calculates n = pq,
which becomes the public key, and he keeps p and q secret.
Page 35
3.2 Public Key Cryptography
Table 3.3. Summary of ElGamal algorithm
Bob’s setup:
1. Choose a large prime number, p.
2. Choose a generator, g, in Fp, such that for all n, there
exists a k with n = gk (mod p)}.3. Choose an integer, kB, between 1 and p − 1 to be Bob’s
private key.
4. Compute y = gkB (mod p).
5. Make public (p, g, y) and keep private kB.
Alice’s encryption steps:
1. Obtain message, m ∈ Fp.
2. Choose an integer, kA ∈ Fp, such that gcd(kA, p) = 1.
3. Compute c1 = gkA (mod p) and c2 = m ykA (mod p).
4. Send ciphertext c = (c1, c2) to Bob.
Bob’s decryption steps:
1. Receive ciphertext, c = (c1, c2).
2. Compute message, m = c2/ckB1 (mod p).
Check:
c2/ckB1 (mod p) = m ykA((gkA)kB)−1 (mod p)
= m gkAkB(gkAkB)−1 (mod p)
= m.
To encrypt a message m, Alice computes c = m2 (mod n) and sends this to Bob.
Bob then calculates mp = c(p+1)/4 (mod p) and mq = c(q+1)/4 (mod q). Using the
Extended Euclidean Algorithm (Theorem 3.2.1), Bob also finds ap + bq = 1 (mod n).
Then Bob computes x = apmq + bqmp (mod n) and y = apmq − bqmp (mod n),
acquiring the four answers (m1, m2, m3, m4) = (x,−x (mod n), y,−y (mod n). Note
that sometimes there are two results instead of four, occurring when the message is
divisible by p or q.
The correct answer can be obtained with the introduction of redundancy in the mes-
sage, either by replication of the last 64-bits or more of the message, or by padding the
last 64-bits with zeros. Only one of the four answers will then have this redundancy.
The summary of the Rabin cryptosystem is given in Table 3.4.
Page 36
Chapter 3 A Technical Background on Watermarking and Cryptography
Table 3.4. Summary of Rabin algorithm
Bob’s setup:
1. Choose 2 large prime numbers, p and q, such that p ≡ q ≡ 3 (mod 4).
2. Find n = pq.
5. Make public n and keep private (p, q).
Alice’s encryption steps:
1. Obtain message, 0 < m < n.
2. Set redundancy by repeating last n-bits,
m′ = [m, m(length(m) − n + 1 . . . length(m))].
3. Compute c = m2 (mod n).
4. Send c to Bob.
Bob’s decryption steps:
1. Receive c.
2. Find a and b, such that ap + bq = 1 using Theorem 3.2.1.
3. Compute mp = c(p+1)/4 (mod p) and mq = c(q+1)/4 (mod q).
4. Compute x = apmq + bqmp (mod n) and y = apmq − bqmp (mod n).
5. Compute message possibles, M = [x,−x, y,−y] (mod n).
6. Find the real message by looking for the repeat in the last n-bits.
3.2.4 Elliptic Curve Cryptography
Elliptic curves (EC) have been studied for many years, but only relatively recently,
in 1985, have they been considered for use in cryptography. As of 2005, EC cryp-
tography became a recommended algorithm for the U.S. National Security Agency’s
Suite B set of algorithms for unclassified and most classified information (National
Security Agency 2005).
ECs form the basis of several public key cryptosystems. Two such cryptosystems
are the ElGamal-type elliptic curve cryptosystem and the Menezes-Vanstone elliptic
curve cryptosystem, which we will detail further in the subsection. To break these
cryptosystem, a problem called the elliptic curve discrete logarithm problem must be
solved. We will see later that this leads to shorter required key lengths for secu-
rity. This is advantageous as key lengths become increasingly long to compensate
Page 37
3.2 Public Key Cryptography
for advances in technology and mathematics, making the storing of keys a prob-
lem. However, implementation of the cryptosystem must then take into account at-
tacks, some of which rely on short keys (Schoof 1995, Araki et al. 1998, Wiener and
Zuccherato 1999, Gaudry 2000, Okeya and Sakurai 2000).
General cubic ECs of characteristic �= 2, 3 have the equation: y2 + a1xy + a3y = x3 +
a2x2 + a4x + a6. Then the set of points (x, y), together with a point at infinity, O,
form an elliptic curve, uniquely identifiable by the values of (a1, a2, a3, a4, a6). For
continuous ECs, these parameters can take any value. However, to be useful for
encryption, these will need to take discrete values from within a finite field, F =
GF(p), that is, ai ∈ F, for i = 1, . . . , 6.
Definition 3.2.1 E = {(x, y) ∈ F2|y2 + a1xy + a3y = x3 + a2x2 + a4x + a6} ∪ {O},
where F is the algebraic closure of a finite field F, and O is defined as P+O = O+P=P.
The discriminant of a curve is then given by:
Δ = −b22b8 − 8b3
4 − 27b26 + 9b2b4b6 (3.3)
whereb2 = a2
1 + 4a2
b4 = a1a3 + 2a4
b6 = a23 + 4a6
b8 = a21a6 + 4a2a6 − a1a3a4 + a2a2
3 − a24.
If the discriminant Δ �= 0, then the curve is non-singular.
The most important property of elliptic curves is the law:
+ : E × E → E .
Basically, the “addition” of two points on an elliptic curve results in another point on
the same elliptic curve.
Other properties of the addition on elliptic curves include:
• Commutative: P + Q = Q + P
• Associative: (P + Q) + R = P + (Q + R)
• Identity: P + O = O + P = P
• Inverse: P + (−P) = −P + P = O
Page 38
Chapter 3 A Technical Background on Watermarking and Cryptography
Figure 3.4. Point addition of two unequal points in a real field.
Point Addition
As mentioned above, two points on an EC can be “added” together resulting in a
third point on the same curve. Point addition works geometrically by picking two
points, P and Q, on a curve. Then a line is drawn through the two points, and if this
line intersects the curve again, this intersection point, -R, is the negative of the result
of “adding” P and Q. Figure 3.4 shows a diagrammatical example.
Algebraically, where P = (xP, yP), Q = (xQ, yQ), if xP �= xQ, that is P �= Q, and
R = P + Q = (xR,−yR), the slope of the line between P and Q is
s = yP−yQxP−xQ
, and
xR = s2 − xP − xQ,
yR = yP + s(xR − xP).
(3.4)
If xP = xQ, Q could be the reflection of P on the x-axes as in Figure 3.5, i.e. yP = −yQ
or Q = −P. Then the result of “addition” is a point at infinity, O.
Page 39
3.2 Public Key Cryptography
If xP = xQ but yP = yQ �= 0, so Q = P, then R = P + P = 2P = (xR,−yR) and
the process is called doubling the point. In this case, the result is found by drawing a
tangent to the curve at P. If the tangent intersects the curve, then the result is a distinct
point R, as in Figure 3.6.
Algebraically, the equations of the general form are
s = 3x2P+2a2xP+a4−a1yP
2yP+a1xP+a3,
xR = s2 + a1s − a2 − 2xP, and
yR = (s + a1)xR + a3 + −x3P+a4xP+2a6−a3yP2yP+a1xP+a3
,
where s here is now the slope of the tangent to the curve at P.
If char(F) = 2, 3 the above simplifies to
s = 3x2P+a42yP
,
xR = s2 − 2xP, and
yR = sxR + −x3P+a4xP+2a6
2yP.
Point Multiplication
Point multiplication results from adding the point to itself multiple times. That is,
k multiples︷ ︸︸ ︷P + P + P + . . . + P = [k]P.
Equation (3.4) still applies, but is repeated k times. The difficulty of reversing modulo
point multiplication, known as the elliptic curve discrete logarithm problem, forms
the basis of elliptic curve cryptography. Given the points [k]P and P, supposing that
k is large enough to prevent an easy exhaustive computation of [k]P for all possible
values of k, this problem is considered to be harder than normal discrete logarithm
problems, and much harder than the factorization problem as in RSA. Hence key
lengths in elliptic curve cryptosystems are considerably shorter.
Prime Fields
In cryptography, when working with finite prime fields, i.e. p is prime in the field
F = GF(p), the EC equation can be more suitably simplified to
y2 = x3 + ax + b (3.5)
Page 40
Chapter 3 A Technical Background on Watermarking and Cryptography
Figure 3.5. Point addition of a point and its reflection in a real field.
where a, b ∈ Fp. Then the discriminant can also be simplified, to
Δ = −16(4a3 + 27b2).
Addition in the field is then done modulo p.
Binary Field
Also in cryptography, elliptic curves may be defined over a binary field, GF(2n), i.e.
a field of characteristic 2. Then the EC equation is
y2 + xy = x3 + 1
or
y3 + xy = x3 + x2 + 1
Addition in the field will then obviously be modulo 2.
Page 41
3.2 Public Key Cryptography
Figure 3.6. Point doubling in a real field.
Counting Points
Each elliptic curve, E , in finite field, Fq, where q = p for some large prime p or
q = 2m for some large integer m, has an associated number of points on the curve, #Eor | E(Fq) |, also known as the order of the field, plus a point at infinity, O.
The number of points on an elliptic curve is needed to determine the range of values
cryptographic keys can take. It also determines the maximum number of times a
point can be doubled before it returns to its original position. In addition, it is also
the method by which cryptosystems based on elliptic curves can be broken, and as
such is important for cryptanalyst.
There are many ways to determine the bounds on the number of points, but an accu-
rate method for finding the number of points on a curve in a finite field is still under
research. Hence only computational methods for finding these bounds will be listed
plus a brief discussion on the methods.
Page 42
Chapter 3 A Technical Background on Watermarking and Cryptography
The methods are:
Schoof’s algorithm (Schoof 1985), is generally known to be the first study into #Eand paved the way for other techniques, runs in polynomial time but difficult
to implement;
Shanks’ Baby Step–Giant Step (Shanks 1971) is similar to Schoof’s algorithm, but
for extremely large primes, and is applicable for all finite cyclic fields;
Hasse’s theorem on elliptic curves (Silverman and Tate 1992) also known as the Hasse-
Weil Conjecture, gives that the number of points is close to the size of the finite
field;
Theorem 3.2.3 (Hasse’s theorem on elliptic curves) Let N be the number of points on
the elliptic curve E over a finite field with q elements, then
|N − (q + 1)| ≤ 2√
q
or put another way,
(√q − 1)2 ≤ N ≤ (√q + 1)2.
Schoof-Elkies-Atkin (SEA) algorithm (Atkin 1992), Atkin’s extension to Elkies’ al-
gorithm, which is itself an extension of Schoof’s, is a sort-and-match method
for large finite fields; and
Couveignes’s algorithm (Couveignes 1994) is a method for counting points for fields
of small characteristic.
ElGamal-type Elliptic Curve Cryptosystem
The ElGamal-type elliptic curve cryptosystem is based on the ElGamal cryptosystem
(ElGamal 1985). The ElGamal-type cryptosystems rely on the difficulty of solving
discrete logarithms. For example, given that
ax ≡ y mod n
find
x = loga y mod n.
Page 43
3.2 Public Key Cryptography
Table 3.5. Summary of ElGamal-type ECC encryption algorithm
Bob’s setup:
1. Choose a large number, n. (If using prime fields, n = large prime,
p. If using m-bit strings, n = 2m.)
2. Choose an elliptic curve, E , defined by a, b ∈ Fn.
3. Choose a point, P, on E .
4. Choose a secret key, kB < #E .
5. Compute point, Q = [kB]P.
6. Make public Ke = (n, E ,P,Q) and keep private Kd = (kB).
Alice’s setup:
1. Obtain message, M = [m1, m2], m1, m2 ∈ Zn.
2. Choose a secret key, kA, such that 0 < kA < #E , where #E is
the number of points in E .
Alice’s encryption steps:
1. Get Bob’s public information, Ke = (n, E ,P,Q).
2. Compute point, S = [kA]P.
3. Compute point, T = M + [kA]Q.
4. Send C = (S,T) to B.
Bob’s decryption steps:
1. Receive ciphertext, C =(S,T).
2. Compute M′ = T - [kB]S.
The algorithm for this cryptosystem is outlined on Table 3.5.
However, ElGamal-type ECC is not in use as the ElGamal cryptosystem causes the
ciphertext to be twice as long as the original plaintext, and is vulnerable to chosen
ciphertext attacks. Also, the message, M, must be a valid point on the curve for point
addition to be possible, as in step 3 of Alice’s encryption. Often, this is not the case,
so there must be a homomorphic function, f , that maps a point, P, to some value,
v in the desired finite field, i.e. P → v, such that f (P) = v and has the property
f (P1 + P2) = f ([v1]P2) = f (P1) f (P2) = v1 ∗ v2. However, there is some difficulty
in finding this function, f , which makes the algorithm difficult to implement where
such a function does not already exist. This brings us to the Menezes-Vanstone ellip-
tic curve cryptosystem.
Page 44
Chapter 3 A Technical Background on Watermarking and Cryptography
Table 3.6. Summary of Menezes-Vanstone ECC encryption algorithm
Bob’s setup:
1. Choose a large prime number, p.
2. Choose an elliptic curve, E .
3. Choose a point, P, on E .
4. Choose a secret key, kB < #E .
5. Compute point, Q = [kB]P.
6. Make public Ke = (P,Q,E , p) and keep private Kd = (kB).
Alice’s setup:
1. Obtain message, M, in Zn and arrange in pairs (M1, M2).
2. Select a secret key, kA, such that 0 < kA < #E , where #E is the
number of points in E .
Alice’s encryption steps:
1. Get Bob’s public information, Ke = (P,Q,E , p).
2. Compute points, Y0 = [kA]P and Y= (y1, y2) = [kA]Q.
3. Obtain the ciphertext, C = (C1, C2), where C1 = y1 · M1 (mod p),
and C2 = y2 · M2 (mod p).
4. Send point, Y0, and ciphertext, C, to B.
Bob’s decryption steps:
1. Receive ciphertext, C = (C1, C2), and cipherpoint, Y0.
2. Compute point, Y= (y1, y2) = [kB]Y0.
3. Compute the two parts of the message, M1 = (y1)−1 · C1 (mod p),
and M2 = (y2)−1 · C2 (mod p), to obtain M = (M1, M2).
Menezes-Vanstone Elliptic Curve Cryptosystem
The Menezes-Vanstone elliptic curve cryptosystem (MV-ECC) is a variant of the ElGamal-
type ECC. However, one important distinction is that MV-ECC does not need the
function, f . The MV-ECC works directly on the values of the plaintext. Elliptic curve
cryptosystems have the disadvantage of requiring key pairs. Key pairs would nor-
mally double the size of the encrypted document, but the Menezes-Vanstone cryp-
tosystem exploits this property, using it for pixel-masking (Araki et al. 1998).
The algorithm for the Menezes-Vanstone elliptic curve cryptosystem is outlined on
Table 3.6.
Page 45
3.2 Public Key Cryptography
3.2.5 Attacks on Cryptosystems
Attacks on cryptosystems can be divided into four main types of attacks:
Ciphertext-only attack. This is when the ciphertext of several messages, encrypted
using the same key, are known and the attacker tries to reverse-engineer the
key(s) and/or plaintext.
Known-plaintext attack. This is when the plaintext and corresponding ciphertext of
several messages are known, all encrypted with the same key, and the attacker
tries to reverse-engineer the (encryption) key.
Chosen-plaintext attack. This occurs when the attacker has access to the encryption
process, is able to encrypt the plaintext(s) of their choice, and hence can obtain
the ciphertext, trying to discover the (encryption) key.
Exhaustive-search attack. Also known as brute-force attack, this is when the at-
tacker knows the range of the key(s) and tests each possible key until the correct
plaintext results.
Sometimes attacks can be used together. For example, as exhaustive-search attacks
usually have a great number to keys to test, by combining this attack with any of the
other three attacks, it is possible to reduce the number of keys that must be investi-
gated.
Other attacks on cryptosystems include:
Man-in-the-middle attack. This attack is more important to cryptosystems that re-
quire communication such as during key-exchange for symmetric systems. If
the exchange in keys can be intercepted, the attacker can pretend to be ei-
ther end-parties and obtain information without alerting the end-parties to the
breach. This attack was the main reason digital signatures were developed.
Chosen-ciphertext attack. This occurs when an attacker has (temporary) access to
the decryption process and is able to decrypt ciphertexts of their choice, trying
to discover the (decryption) key.
Timing attack. This attack is when the execution time of the encryption/decryption
process is analysed in an attempt to figure out the structure of the process. An
Page 46
Chapter 3 A Technical Background on Watermarking and Cryptography
attacker sends particular queries to the process and times the speed taken to
process the query. This is a practical attack in that the attacker requires no math-
ematical knowledge, only technical knowledge in association with the hard-
ware and implementation of the process. This attack can therefore be used on
any system.
Some attacks are particular important to different cryptosystems. For instance, the
chosen-plaintext attack is a vital attack to test public-key cryptosystems against as
the attacker has easy access to the encryption process, since it is made public. Using
this type of attack, an attacker may be able to build up a look-up table of ciphertext
and their corresponding plaintext.
Man-in-the-middle attack is obviously more pertinent to symmetric systems.
3.3 Pre- and Post-processing
Applying pre- and post-processing is a necessity when it comes to watermark de-
tection. It not only increases the chances of detecting and matching the watermark,
but it becomes particularly important for watermark recovery when a document has
been substantially attacked.
3.3.1 Trade-offs: Capacity and Invisibility
In addition to the trade-off in the number of frames to watermark as different versus
similar in § 3.1.3, there are also difficult trade-off issues between capacity and cover
work interference briefly mentioned in 3.1.1. There is only a certain amount of infor-
mation that can be embedded into a cover work before the presence of the watermark
causes noticeable changes to the cover work. As mentioned, this certain amount of
information is known as the maximum capacity of a watermarking scheme.
The size of a watermark is directly related to the length of the watermark as well
as the watermarking strength, α. If an image can only allow a certain amount of
information to be added before becoming noticeably distorted, then increasing the
length of a watermark will mean that the strength of the watermark will need to
be reduced. The longer is a watermark for comparison, the greater the chances of
a successful match and the less likely the watermark will be detected. However,
Page 47
3.3 Pre- and Post-processing
reduce the strength too much and the watermark becomes less robust to attacks and
processing.
Length of the watermark
The length of the watermark is an important issue. As noted in Cox et al.(Cox et al.
1995), increasing the watermark length will allow the strength of the watermark to
be decreased, thereby decreasing detection by a third party. However, also noted was
that there is a limit to the usefulness of the number of watermark components embed-
ded, and hence the optimal watermark length is subsequently document-dependent.
3.3.2 Power Spectral Density (PSD)
A well known attack for watermarking is the Wiener attack. The Wiener attack is an
application of the Wiener filter, originally intended to remove noise. However, it can
also be used to remove an embedded watermark. In the Wiener attack, the Power
Spectral Density (PSD) of a watermarked document is used to determine the PSD of
the watermark. The estimated watermark is then subtracted from the watermarked
document to remove or corrupt the watermark and prevent detection.
The best way to prevent this attack is to scale the strength of the watermark such that
the PSD of the watermarked document is similar to that of the unmarked document.
3.3.3 Choice of watermark
There are three main choices of watermark distribution. These are the uniform distri-
bution, the binary or bipolar distribution, and the normal or Gaussian distribution.
All three choices typically have zero mean to reduce the impact on the document. In
addition, document DCT coefficient distributions fall into two categories: the Gener-
alised Gaussian distribution (GGD) and the Laplacian distribution (LD).
In (Eggers and Girod 2001), the combinations of document distributions and water-
mark distributions were investigated and it was found that under distortions due to
quantisation, i.e. for quantisation attacks, the Gaussian distributed watermark did
worst and the bipolar distribution fared the best for fine quantisation, and the oppo-
site is true for coarse quantisation. However, for small watermark-to-document ratio,
Page 48
Chapter 3 A Technical Background on Watermarking and Cryptography
which must occur so that the watermark does not cause a visible impact on the doc-
ument, the watermark distributions did not differ by much. Moreover, the authors
noted that the distribution of the document is more important, with GGD documents
and any watermark distribution faring better than its counterpart, LD.
Since the distribution of the document cannot be readily chosen, the overall conclu-
sion is that any watermark distribution will suffice, but for a more general system,
the uniformly distributed watermark is probably the best choice.
3.3.4 Choosing document components to alter
Early literature such as in (van Schyndel et al. 1994) directly altered the components
of an image by watermarking in the least significant bits (LSBs) of a pixel. This was
later found to be easily breakable since the least significant bits of a component are
the most affected during compression.
Nowadays, components tend to belong to a spread or stretched version of the doc-
ument or signal being marked, which were found to better survive attacks such as
compression and geometric image processing. A popular method of spreading a sig-
nal is via the DCT as in Cox et al’s algorithm, discussed in § 3.1.2. The DC component
of the DCT of a signal should not be touched as it contains significant information
required to reconstitute a signal. From the earlier LSB method of watermarking, we
also know there is no point in watermarking the smaller-valued components of the
DCT as they are also removed or reduced during compression. Therefore watermark-
ers tend to insert watermarks into the larger to semi-larger, or the middle detailing,
of the DCT.
A similar method, discrete wavelet transform (DWT) was also mentioned in Cox et
al’s paper as well as implemented in various other papers (Cox et al. 1995, Meerwald
and Uhl 2001, Barni et al. 2001, Kazakeviciute et al. 2005). DWT seems to be a good
choice as the decomposition automatically separates a signal into its gross detailing,
middle detail level, and finer details. Watermarks can them be placed into the middle
detail level, and even a smaller, less obtrusive watermark can be embedded into the
gross detailing.
Thus, when choosing components of a signal to alter, the best location is the middle
detail level, which is less affected by compression than the finer detail level, and
causes less distortion to the signal than embedding in the gross detailing.
Page 49
3.3 Pre- and Post-processing
3.3.5 Watermark detection
Throwing away values below a tolerance:
Cox noted that the average or expected value of W ′i can be greatly affected by a few
outlying values. He suggested some post-processing to the extracted watermark, W ′,may be appropriate, that is, comparison may be done by setting the magnitude of
values below a tolerance, tol, to zero,
W ′i ←
{W ′
i if |W ′i | > tol
0 Otherwise(3.6)
or by comparing the signs of the values rather than the actual values themselves. All
this is done to lower the expected value of W ′i .
2-D Correlation calculation:
The sum of squared values, SSxx, SSxy and SSyy of two arrays, x and y, of length n
about their respective means is given by
SSxx ≡ ∑(xi − x)2
= ∑ x2 − 2x ∑ x + ∑ x2
= ∑ x2 − 2nx2 + nx2 = ∑ x2 − nx2
SSyy ≡ ∑(yi − y)2
= ∑ y2 − 2y ∑ y + ∑ y2
= ∑ y2 − 2ny2 + ny2 = ∑ y2 − ny2
SSxy ≡ ∑(xi − x)(yi − y)
= ∑(xiyi − xyi − xiy + xy
= ∑ xy − nxy − nxy + nxy = ∑ xy − nxy
(3.7)
The square of the correlation coefficient, r2, is then
r2 ≡ SS2xy
SSxxSSyy=
(∑ xy − nx y)2
(∑ x2 − nx2)(∑ y2 − ny2)(3.8)
For 2-D correlation coefficient calculations, the above is applied to the rows, then
columns.
Mean Squared Error (MSE):
Mean squared error (MSE) is a useful method of estimating the amount of error a
signal has accumulated as it is transmitted through a noisy channel. The MSE of an
Page 50
Chapter 3 A Technical Background on Watermarking and Cryptography
estimator, θ, with respect to the estimated variable, θ, is generally defined as
MSE(θ) = E((θ, θ)2) (3.9)
For grayscale images, this is more readily defined as
MSE =1
mn
m−1
∑i=0
n−1
∑j=0
‖I(i, j) − K(i, j)‖2 (3.10)
where I is an m × n image, and K is its noisy counterpart.
Peak Signal-to-Noise Ratio (PSNR):
Peak signal-to-noise ratio (PSNR) is a typical measure of image or video quality, par-
ticularly after compression. PSNR is more easily defined by the MSE, i.e.
PSNR = 20 · log10
(MAXI√
MSE
)(3.11)
where MAXI is the maximum pixel value. For an 8-bit image, this value is 255 (=
2B − 1, where B is the maximum number of bits per pixel).
Removing similar features:
Sometimes the watermark embedded in a document may not be extractable. In fact,
this is a desirable property to prevent removal. In this case, it may be necessary to
compare the watermarked images themselves instead of just the watermarks. How-
ever, comparisons done in this way will have a high correlation since the water-
marked images must have no noticeable differences when compared to the original
image. The residues of the watermarked images should then be compared instead.
Once again, this is done to lower the expected value of W ′i , to prevent a few outlying
values from greatly affecting the final correlation value.
Page 51
Page 52
Chapter 4
Issues Associated withMutual Distrust
THIS chapter discusses the issue of transaction tracking under
the mutual distrust scenario, with the use of watermarks and
cryptography. We will give examples that support our reasons
for delving into this issue. We will then elucidate the significance of find-
ing solutions to the mutual distrust challenge. Following the benefits of
our research in this field, we present the usual approach, which is to en-
crypt, decrypt, then watermark. We identify the weaknesses of this usual
approach, and present our staining protocol – encrypt, watermark, and
then decrypt – and outline how it solves the mutual distrust issue. We
complete this chapter with a brief summary of the problems that we may
encounter in implementing our protocol.
Page 53
4.1 The problem with trusting too much...
4.1 The problem with trusting too much...
A recent study, as well as various telltale signs in news articles and so forth, have
shown that the majority of the problems of piracy are occurring before mass distri-
bution. That is, the piracy is originating from within the group of trusted parties,
such as review committees, processing companies, and even from the studios them-
selves (Lyman 2002, Glasner 2002, KillerMovies 2003, Becker 2003, Schwartz 2003, By-
ers et al. 2003). This seems to indicate that the research into watermarking and trans-
action tracing or fingerprinting should be focussing on piracy from within the enter-
tainment industry. The idea we are trying to convey is that not even the owner of a
document can be trusted. Hence, through the use of steganographic watermarking
and encryption, by tracking transactions between all parties possessing copies of a
document, this means the possibility of ending piracy at the source.
4.2 Significance of Research
Video piracy has long been recognised by the video industry, but the advent of the
DVD has meant an explosive growth in the video black market. In 2002, Business
Software Alliance (BSA) estimated that DVD piracy had increased up to 40% glob-
ally in the year 2001 (MediaLine News 2002). In 2004, FACT reported pirated DVD
seizures of about 2.4 million compared to 1.6 million the year before and just 337
thousand in 2002 (The Federation Against Copyright Theft (FACT) 2005b). Also in
2004, the MPAA conducted a study on the losses to the film industry and interna-
tional economies due to piracy. In 2005, the MPAA presented the results of the 18-
month and 22-country study, estimating the lost to the studios at USD$6.1 billion
(Motion Picture Association of America 2005).
In addition, owing to the increase in piracy, many companies, most notably those that
provide content protection, have significantly diminished in size or are no longer in
business (Roush 2002, Butler 2003).
In response, the entertainment industries have been actively seeking out illegal copies
and taking legal action, even against those that have not committed, but could po-
tentially commit or assist in the committing of, a crime (Costello 2001, Dean 2003,
Butler 2003, Motion Picture Association of America n.d.). Their targets have largely
been end-users and consumers, and have extended even to researchers and scholars
Page 54
Chapter 4 Issues Associated with Mutual Distrust
(Grossman 2001, Yu 2002, McCullagh 2003, von Lohmann 2003, Butler 2003). Con-
sumers are rapidly losing faith in the entertainment industries. We can see the re-
sponse of consumers to the entertainment industries’ actions against companies such
as Napster. When Napster fell, many similar companies rose to take its place, such
as Madster, KaZaA, AudioGalaxy and MusicCity (Yu 2002).
This is a troubling trend, and though the actions taken by the entertainment indus-
tries do seem to be working (Motion Picture Association of America n.d., The Fed-
eration Against Copyright Theft (FACT) 2005a, piracyisacrime.com 2005), the future
implications are unknown. The entertainment industries need to develop a different,
more sustainable and effective strategies to reducing piracy.
The most direct option is by finding and taking legal action against the sources of
illegal redistribution. As seen from previous chapters, the majority of research into
copy protection has been targetted at post-mass-distribution piracy. However, the
majority of the piracy is occurring pre-mass-distribution, from organisations such as
multimedia processing businesses, review companies, advertising agencies, airlines,
cinemas, TV networks, and even from the film studios themselves (Glasner 2002,
KillerMovies 2003, Becker 2003, Lyman 2002, Schwartz 2003).
Compliant machines (see Appendix A) have not been enough of a protection (Boneh
and Shaw 1996, Linnartz 1998, IBM Research 1999, Miller et al. 1999, King et al. 1999a,
King et al. 1999b, Patrizio 1999, Ketola 1999, Stevenson 1999, Kesden 2000, Lawlor
2001, CNN 2003, Borland 2003) and will be better strengthened if supported by em-
bedding watermarking systems. Only recently has research begun to focus on the
root of the piracy problem of insiders and malicious owners (Zhang et al. 2006, Bloom
and Polyzois 2004, Lei et al. 2004, Sheppard et al. 2004), but a sufficiently robust and
elegant system is yet to be found.
4.3 Applications of Research Findings
Watermarks are typically used to identify the owner of a document. They can also be
used to authenticate a piece of document using fragile watermarks, and have even
been embedded in vital sections of medical x-rays to prove the veracity of the x-ray
(Osbourne 2005). However, a particularly interesting usage of watermarking from
a legal point of view is in copy tracing (fingerprinting or transaction tracking), to
Page 55
4.4 Trusted Owner Party Scenario
determine the path a documents takes from its source to third parties that are not
legally entitled to receive the document.
Watermarking methods that track distribution are not only useful for copy tracing
but for the management of distribution of commercially sensitive material. The en-
tertainment industries are only recently beginning to utilise the Internet for mass
distribution (Kontzer 2001, Olsen 2003, Regan 2006) and taking tentative steps into
investing in movies that can be bought and downloaded off the internet as can be
done currently with some songs, opening up new possibilities for distribution. All
these new distribution directions will require copyright protection methods, espe-
cially now that piracy from within the industries has been established.
Transaction tracking research has been applied to protecting other commercial prop-
erties such as computer software, and has even been extended into music. It can
allow the automatic monitoring and tracking of copyright documents, not only on
the Internet but also in radio broadcasts. For example, a program could trawl the In-
ternet for watermarked documents, thereby seeking out and identifying online copy-
right violations. Similarly, a program could listen for markers in broadcasted music.
This research will also have obvious military applications such as for document in-
tegrity and security. Documents have often been prematurely disclosed to the public,
which could prove to be embarrassing to defence institutions and companies, or even
a threat to national security. With the ability to uncover the culprit of the disclosure,
these incidents are less likely to occur in future.
4.4 Trusted Owner Party Scenario
In typical transactions there are transfers of some document or data from the owner
party A to receiving parties, B, C, D and so forth. Usually, A is considered trust-
worthy and the receiving parties are considered untrustworthy. In that case, A will
insert a watermark into each document transmitted, such that the document sent to
party B will contain a watermark identifying the copy as going to B, C will receive a
copy watermarked to C, and so forth. Should a copy of the document surface in the
possession of another, unauthorised party, A can detect the embedded watermark,
thereby identifying which receiving party leaked the unauthorised copy.
However, the transmitted copies could be intercepted en route to the receiving par-
ties, which will cause one of the receiving parties to be wrongly accused of betrayal.
Page 56
Chapter 4 Issues Associated with Mutual Distrust
To prevent this, encryption is used to protect the passage of the document. Public-
key encryption should be used to avoid the key-exchange problem, such that only
the receiving party can decrypt, as shown in Figure 4.1 below.
����
����
����
�
�
�
�
�
�
�
�
1
2
3
A B
Embeds B’s
identifying
Watermark
Encrypts with
B’s Secret
Tx Rx
Decrypts with
its Secret
Gets a Copy with
its identifying
Watermark
Figure 4.1. Trust-distrust copy transfer process.
However, it has been established in Chapter 4 that party A is capable of betrayal,
thereby creating a mutual distrust environment where none of the parties can trust
any other party. Examining the scenario depicted in Figure 4.1, an obvious weakness
can be immediately identified. A cannot betray just before 2, before it has sent the
copy, as it cannot decipher B’s encryption; at 2 after receiving, it is pointless for B
to illegally distribute the copy since the document would be rendered meaningless
by encryption; interception at 2 will similarly be pointless; and at point 3, B will not
illegally distribute since the copy can be linked to B. This then leaves point 1. It is at
this point, together with point 3, that the weakness in the scheme is found.
At points 1 and 3, assuming no information is lost in transition, the documents held
by each party are identical. A sub-party within A could deliver its copy of the docu-
ment to an enemy E to copy and illegally redistribute, protecting itself by implicating
B. Conversely, if B was the insider, party B could falsely refute the charge of supply-
ing E with a copy by pointing out that the same watermarked copy is also available
through A. Since the charge of leaking can be repudiated by either party in a transac-
tion, this system cannot be used in a court of law.
Page 57
4.5 The Staining Approach
4.5 The Staining Approach
To avoid the above mutual-distrust problem, we present a protocol for entangling
secrets rather than the sharing of secrets, through a process called staining. We require
a system which ensures that B’s copy is unique, by altering B’s copy irreversibly
after decryption. However, it is not in B’s interest to embed a receipt voluntarily,
signifying that the copy has reached B. Such a mechanism must then be compulsory.
The staining protocol is as follows: instead of embedding the watermark before en-
cryption, embedding should occur after encryption. This is shown in Figure 4.2. After
decryption, B would possess a copy containing a distorted watermark, altered by the
cryptographic process.
If we examine as before, we see that at point 2, including before transmission and
after receiving, the document will be protected by the encryption process. At 3, B
still cannot distribute as the copy can still be linked to it, but now at points 1 and 3,
the same document is not available to both parties.
As can be seen, this staining protocol embeds a secret in B’s copy which contains el-
ements from both parties, A and B. The stain can only be generated by B’s private
decryption key, unknown to A who is only given B’s public key for encryption, to-
gether with A’s watermark, which is not known to B.
In the event of a copy being found in E’s possession, the watermark need only be
detected. A has sufficient information to identify the presence of the stain through
B’s public key and A’s watermark, but not enough information to frame B. If the
watermark is undistorted or missing, A is the culprit. B can be implicated only if
a distorted watermark is detected, which A cannot duplicate without knowing the
decryption procedure, held secret by B. If A and B are in dispute, a third party could
be given all secrets to verify the existence of the stain in the copy recovered from E.
4.5.1 Problems Anticipated with Staining
Watermarking and cryptography have always been heavily related. The same re-
quirements on cryptography: secretiveness and impenetrability, are also imposed
upon watermarks. Strangely enough, the two fields have never been fully integrated
in the manner proposed. Perhaps for that reason the following problem arises.
Page 58
Chapter 4 Issues Associated with Mutual Distrust
����
����
����
�
�
�
�
�
�
�
�
1
2
3
A B
Encrypts with
B’s Secret
Embeds B’sidentifying
Watermark
Tx Rx
Decrypts with
its Secret
Gets a Copy with its
identifying W/mark
crypto-distorted
Figure 4.2. Mutual distrust copy transfer process.
Cryptography is a precise art, with a one-to-one mapping from the plain text to the
cipher text. Such a mapping is achieved through the use of secret keys, one-way func-
tions and problems that are algebraically hard to solve, such as the discrete logarithm
problem.
Watermarking is comparatively malleable, as it is usually used in media highly prone
to modification, that is, a certain amount of loss of information is expected. Whereas
a watermark is made to survive tampering, a similar alteration would and should
destroy a piece of cipher text.
Cryptosystems are made to be fragile. In the proposed scheme, however, a robust
cryptosystem is required as it will be deliberately altered by the insertion of the wa-
termark. This will require complementary watermarking and cryptographic systems.
However, the primary aim of this research is to demonstrate the feasibility of the
proposed solution. As such, we will show how this process works using simple wa-
termarking and cryptographic systems. We have chosen Cox et al.’s watermarking
method as defined in 3.1.2 as it is a simple but robust system. The choice of the cryp-
tographic complement was a great deal more difficult. We have considered various
types of public-key cryptosystems which have been outlined in 3.2. The results from
these will be in the following section.
Page 59
Page 60
Chapter 5
Experimental Results
IN this chapter, we demonstrate how we address the problems of
having untrustworthy parties in a transaction. We achieve this
through experimentation, on greyscale still images, using a vari-
ety of cryptographic techniques combined with our chosen watermarking
technique, the spread spectrum algorithm. In addition, we attack our sys-
tems to test their durability.
From these experiments, we show that it is possible to combine water-
marking and cryptography in such a way – encrypting, watermarking,
then decrypting – without destroying the cover work, and still be able to
obtain a successful watermark match. In addition, the attacks will show
that such systems are also robust to common signal processing and geo-
metric attacks.
Page 61
5.1 Test Work
Figure 5.1. Lena image used in the testing of the implementations, curtesy of the Signal and
Image Processing Institute at the University of Southern California.
5.1 Test Work
In this thesis, only greyscale still images have been considered. However, the processes
can be extended for colour images, either by treating each colour plane separately or
regarding all planes as a whole and altering them in the same way.
In the testing of the implementations, the images, Lena and Baboon, as shown in
Figures 5.1 and 5.2, have been used. The size of both images is 512 × 512 pixels, but
a scaled version, 256 × 256 pixels, was used if there were OUT OF MEMORY issues or the
process took too long.
5.2 XOR Cryptosystem
We began with the simplest of cryptosystems, the XOR cryptosystem, which has not
been detailed in § 3.2 as it is not a public key cryptosystem and is very simple to
explain.
The XOR cryptosystem is a symmetric cryptosystem, which means that the method
for decoding and encoding is the same. The XOR cryptosystem is a type of stream
cipher. A key generates a pseudorandom encryption stream of the length required,
in this case the stream is the same length as the image when laid as a vector and con-
verted to bits, i.e. 512 × 512 = 262144 pixels long = 262144 × 8 = 2097152 bits long.
The message is then encrypted by XOR-ing with the stream to produce a ciphertext.
Page 62
NOTE: This figure is included on page 62 of the print copy of the thesis held in the University of Adelaide Library.
Chapter 5 Experimental Results
Figure 5.2. Baboon image used in the testing of the implementations, curtesy of the Signal and
Image Processing Institute at the University of Southern California.
Table 5.1. Summary of XOR encryption algorithm
Setup:
1. Choose a key, k.
2. Use k to obtain a pseudorandom encryption stream, E.
3. Obtain message, M ∈ F2.
Encryption steps:
1. Compute C = M⊗
E.
Decryption steps:
1. Compute message, M = C⊗
E.
Decryption is achieved by again XOR-ing the ciphertext with the stream. The method
is outlined in Table 5.1.
The point of this first experiment was to test using XOR encryption with Cox et al.’s
spread spectrum watermarking method 3.1.2, primarily because this is the simplest
form of encryption, so as to gain a better understanding of combining encryption and
watermarking. Hence this test will not be subjected to attacks as outlined in 3.1.3.
The code for this implementation is in Appendix C.1. The algorithm is as in Table 5.2.
For detection, the watermark was recovered by reversing the algorithm, and a simple
correlation analysis was used to determine the match ratio. The correlations, for the
images in Figure 5.3 are as follows:
Page 63
NOTE: This figure is included on page 63 of the print copy of the thesis held in the University of Adelaide Library.
5.2 XOR Cryptosystem
Table 5.2. Summary of XOR watermarking algorithm
A’s setup:
1. Obtain image, M, of size h × w uint8 values.
2. Obtain watermark image, W, of size h × w uint8.
3. Select strength factor, α.
B’s setup:
1. Pick a key, k.
2. Obtain from k an encryption binary stream, E, and corresponding
decryption binary stream, D(= E), each of length h × w × 8.
3. Send E to A.
A’s encryption steps:
1. Turn M into a stream of h × w × 8 bits.
2. Compute C = M⊗
E.
A’s watermarking steps:
1. Turn C into a matrix of h × w pixels.
2. Discrete cosine transform the encrypted image, C, i.e. V = dct(C).
3. Obtain V ′ = V(1 + αW).
4. Inverse discrete cosine transform V ′ into C′.
5. Send C′ to B.
B’s decryption steps:
1. Receive C′ and turn into a stream of h × w × 8 bits.
2. Compute stained image, M′ = C′ ⊗ D.
3. Turn M′ into a matrix of h × w pixels.
• correlation for the stained image, (d), and original image, (a), was 0.9999
• correlation for the recovered watermark and original watermark was 0.9318
• correlation for the encrypted image, (b), and original image, (a), was 0.0030
This experiment was set to learn about combining watermarking and cryptography.
This showed us that though the encryption method is commutative, inserting the
watermarking step in between will reduce any commutative process into a non-
commutative process. This is a good step as it implies that the stain will always
occur. Next step was to find a process that worked.
Page 64
Chapter 5 Experimental Results
Table 5.3. Summary of matrix multiplication watermarking algorithm
A’s setup:
1. Obtain image, M, of size h × w uint8 values.
2. Obtain watermark, W, of length l binary bits, {−1, 1}.3. Select strength factor, α.
B’s setup:
1. Pick a key, k.
2. Obtain from k an encryption matrix, E, of size n × n of uint8
values.
3. Obtain decryption matrix by finding the matrix inverse of E,
D = inv(E).
4. Send E to A.
A’s encryption steps:
1. Divide M into blocks of n × n.
2. For each block, i, compute Ci = Mi × E, where × here means
matrix multiplication.
A’s watermarking steps:
1. Discrete cosine transform the encrypted image, C, and sort into
l largest values excepting the DC component(s).
2. Obtain C′j = Cj(1 + αWj), for j = 1 : l.
3. Inverse discrete cosine transform C′.
4. Send C′ to B.
B’s decryption steps:
1. Receive C′ and divide into n × n blocks.
2. Compute stained image, M′i = C′
i × D, for each block, i.
5.3 Block-based Cryptosystem
From XOR encryption, we went on to a simple block-based, invertible-matrices, cryp-
tosystem. We chose the encryption here to be an n × n matrix, E, of uint8 values,
obtained by using a pseudorandom key, k. To encrypt, we simply matrix-multiplied
the image in n × n blocks with the encryption matrix. To decrypt, the inverse of the
encryption matrix, D, must exist. The decryption method is same as for encryption,
just a series of matrix multiplications. The code for this implementation is in Appen-
dix C.2, and the summary of this cryptosystem is outlined in Table 5.3
Page 65
5.3 Block-based Cryptosystem
For this implementation, we varied n from 8 up to the whole image. For the water-
marking step, we similarly varied the DCT block size from blocks of 8 up to DCTing
the whole image. α was varied in such a way that the distortions caused by the wa-
termark were at the very edge of visibility, giving a correlation of 0.9980 to 0.9981
between the final image and the original image. The results are shown in Table 5.4,
Figure 5.4 and Figure 5.5.
Due to the properties of images, a small block of image, unless an edge occurs in that
block, has almost the same intensity. Hence the encrypted image is dependent on
the encryption matrix, producing the vertical lines seen in Figure 5.4 and Figure 5.5,
instead of the expected blocky encrypted image.
For example, if we have
C = M ∗ E
where M is the message, E is the encryption matrix, and ∗ denotes matrix multipli-
cation, then
cij = ∑nx=1 mixexj
=
⎛⎜⎜⎝m11e11 + m12e21 + · · · + m1nen1 m11e12 + · · · + m1nen2 · · ·m21e11 + m22e21 + · · · + m1nen1 m21e12 + · · · + m2nen2 · · ·
...... . . .
⎞⎟⎟⎠and
c11 = m11e11 + m12e21 + · · · + m1nen1
.
Therefore if m11 ≈ m12 ≈ · · · ≈ m1n, then
c11 = m11(e11 + e21 + · · · + en1) =n
∑ ex1
and c11 is dependent on the columns of the encryption matrix, producing the ribbed
effect.
From the results, we observe that the same encryption and watermarking block sizes
produce the best results. The reason for this lies in the edges. Watermarking blocks
Page 66
Chapter 5 Experimental Results
not of the same size as encryption causes more edges to be within an encryption
block, and therefore there will be a disparity between pixels along the edge, produc-
ing more distortion. Also, encryption block sizes any bigger than 8 × 8 gives a better
encrypted image, as can be seen in Figure 5.4. However, the greater the size of the
matrix, the greater the number of altered pixels due to watermarking, and hence the
greater the distortion after decryption by matrix multiplication.
This means that due to these distortions caused by the properties of matrix multipli-
cation, the watermark strength then needed to be increased, as shown in the results
from Table 5.4, for the watermark to survive the process. For encryption and water-
marking block sizes of 8 × 8, the largest α producing minimal distortions to the end
image was 0.00043, giving a watermark correlation value of 0.8777 and decrypted
image correlation value of 0.9981. At n = 16, α was increased to 0.01, producing
a watermark correlation value of 0.8059 and decrypted image correlation value of
0.9981.
However, though increasing the watermark’s strength means that the survivability
of the watermark is increased, it also means that decryption will interfere more with
the watermark and vice-versa. At a certain point, the interference will be such that
the end image will be noticeably distorted and the watermark destroyed altogether.
This point occurred for n > 16, which would need α < 0.001 to prevent visible
distortions. However, the watermark at that point is then too weak and incoherent
to be recovered correctly. This ties in with earlier discussions regarding the trade-off
between visibility and capacity (§ 3.3.1).
To increase watermark detection, we implemented post-processing. In this instance,
after attempting to recover the watermark, an additional step was added: averag-
ing and rounding to ±1. The result after post-processing is labelled as WmCorr2 on
Table 5.4, while no post-processing is labelled WmCorr1. Since the original water-
mark only had values of -1 and 1, this additional post-processing would minimise
the distortions to the watermark caused by the decryption stage. As expected, this
produced better correlation values, reinforcing the use of pre- and post-processing
stages, especially when the watermark is weak and detection needs support.
Lastly, this is a symmetrical cryptosystem, where the decryption matrix can be in-
ferred from the encryption matrix obtained through a key, which is not what we want.
We can see that thought the residue that has been left is visible, it shows promise that
Page 67
5.4 RSA Cryptosystem
Table 5.4. Correlation comparison for different encryption and watermarking block sizes for matrix
multiplication watermarking scheme.
EnBlkSiz WmBlkSiz α ImCorr WmCorr1 WmCorr2
8 8 0.000430 0.9981 0.8777 0.9781
16 0.000300 0.9981 0.1243 0.7032
64 0.000300 0.9981 0.0032 0.0000
512 0.000400 0.9980 -0.0170 -0.0377
16 8 0.001300 0.9980 0.0550 0.0121
16 0.010000 0.9981 0.8059 0.8660
64 0.004100 0.9981 0.0029 -0.0064
512 0.005000 0.9981 -0.0515 -0.0411
64 8 0.000600 0.9980 -0.0337 -0.0345
16 0.000400 0.9981 0.0022 -0.0080
64 0.004900 0.9981 0.0240 0.0010
512 0.003900 0.9980 -0.0317 -0.0262
512 8 0.000043 0.9981 0.0007 -0.0072
16 0.000024 0.9981 0.0085 0.0183
64 0.000028 0.9981 -0.0379 -0.0260
512 0.001550 0.9980 0.0516 0.0149
adding a watermarking step after encryption still allows for a fairly good decryp-
tion. However, as can also be seen, the image after encryption is minimally distorted
so even if the cryptosystem was of a type we desired, it is clearly not sufficiently
strong enough a cipher for image encryption.
5.4 RSA Cryptosystem
One of the simplest public-key cryptosystems is RSA. The steps with the watermark-
ing stage included are in Table 5.5, an extension of Table 3.2 from the RSA section,
§ 3.2.1. The code for this implementation is in Appendix C.3.
To recover or extract the watermark, one option was to encrypt the final image again,
as decryption cancels encryption and vice-versa. The watermarking process could
then be inverted to obtain the watermark. The problem with this method is that any
Page 68
Chapter 5 Experimental Results
Table 5.5. Summary of RSA watermarking algorithm
Alice’s setup:
1. Obtain image, M, of size h × w uint8 values.
2. Obtain watermark, W, of length l binary bits, {−1, 1}.3. Select strength factor, α.
Bob’s setup:
1. Choose 2 large prime numbers, p and q.
2. Compute n = pq and φ = (p − 1)(q − 1).
3. Find 1 < e < φ such that (e, φ) = 1.
4. Compute d such that ed ≡ 1 (mod φ).
5. Make public (n, e) and keep private (φ, d).
Alice’s encryption step:
1. Compute C = Me (mod n).
Alice’s watermarking steps:
1. Discrete cosine transform the encrypted image, C, and sort into
l largest values except the DC component.
2. Obtain C′j = Cj(1 + αWj), for j = 1 : l.
3. Inverse discrete cosine transform C′.
4. Send C′ to B.
Bob’s decryption steps:
1. Receive altered ciphertext, C′.
2. Compute message, M′ = (C′)d (mod φ).
little changes are further increased by the re-encryption step, due to the large expo-
nentiation (power to e), which could end up substantially corrupting the watermark.
Alternatively, instead of extraction, the presence of the watermark can be detected.
Given the original image and the set of random watermarks (a set to which our wa-
termark belongs), embed the original image with the entire set, following the process
exactly, producing another set, this one of randomly watermarked images. Then our
document of interest can be compared to this output image set, matching the final
decrypted images produced. That is, we match M′s instead of W ′s. In this way, the
watermark is not further corrupted by re-encryption.
The results are shown in Figure 5.6 and Figure 5.7. We can see that RSA is a much
stronger encryption than the block-based encryption system, as the original image
can barely be seen in the encrypted image.
Page 69
5.4 RSA Cryptosystem
Next, we began attacking the system to test its robustness. The attacks can only oc-
cur after decryption. If it occurred before decryption, the image will not be decrypted
properly, or at least not without noticeable distortions. Since the integrity of the mes-
sage, M, must be kept, any changes from attacks must be marginal.
The attacks applied to the final images are:
• forcing pixel values to unsigned 8-bit integers, i.e. truncating,
• JPEG conversion, to image quality 50%,
• cropping 1 pixel (out of 256 pixels) from each of the edges,
• cropping 50 pixels (out of 256 pixels) from each of the edges,
• adding Gaussian noise, with zero mean and standard variance 0.004,
• downsampling by 2, by decreasing the final image to half-size then enlarging
to full size,
• testing combination attacks of cropping 1 pixel from each of the edges and then
resizing the image to its original dimensions, and
• applying a second watermark, or double watermarking.
To compare the output images, the same attack was mimicked for the set of ran-
domly watermarked images for the geometric attacks, namely the cropping attacks,
the downsampling attack, and the geometric-combination attack. This is due to the
results from (Kutter 1998, Girod et al. 1999) and (Dugelay and Petitcolas 2000) show-
ing some common geometric attacks can be estimated.
The results are shown in Figure 5.8 through to Figure 5.15.
Page 70
Chapter 5 Experimental Results
(a) (b)
(c) (d)
Figure 5.3. Results for XOR encryption and spread spectrum watermarking scheme with α =
0.012, (a) original image (Lena), (b) after encryption, (c) then watermarking, and
finally (d) after decryption.
Page 71
NOTE: This figure is included on page 71 of the print copy of the thesis held in the University of Adelaide Library.
NOTE: This figure is included on page 71 of the print copy of the thesis held in the University of Adelaide Library.
5.4 RSA Cryptosystem
(a) (b)
(c) (d)
Figure 5.4. Results for matrix multiplication watermarking scheme, with encryption block size 8,
and DCT watermarking block size 8, α 0.00043, (a) original image (Lena), (b) after
encryption, (c) then watermarking, and finally (d) after decryption.
Page 72
NOTE: This figure is included on page 72 of the print copy of the thesis held in the University of Adelaide Library.
NOTE: This figure is included on page 72 of the print copy of the thesis held in the University of Adelaide Library.
NOTE: This figure is included on page 72 of the print copy of the thesis held in the University of Adelaide Library.
NOTE: This figure is included on page 72 of the print copy of the thesis held in the University of Adelaide Library.
Chapter 5 Experimental Results
(a) (b)
(c) (d)
Figure 5.5. Comparison for matrix multiplication watermarking scheme, with encrypted image at
block sizes (a) 8, (b) 16, (c) 64, and (d) 512.
Page 73
NOTE: This figure is included on page 73 of the print copy of the thesis held in the University of Adelaide Library.
NOTE: This figure is included on page 73 of the print copy of the thesis held in the University of Adelaide Library.
5.4 RSA Cryptosystem
(a) (b)
(c) (d)
Figure 5.6. Results of RSA encryption and DCT watermarking, α = 0.001, (a) original image
(Lena), (b) after encryption, (c) then watermarking, and finally (d) after decryption.
Page 74
NOTE: This figure is included on page 74 of the print copy of the thesis held in the University of Adelaide Library.
NOTE: This figure is included on page 74 of the print copy of the thesis held in the University of Adelaide Library.
Chapter 5 Experimental Results
0 20 40 60 80 1000.985
0.99
0.995
1Correlation of 100 uniquely watermarked images to our watermarked image
Randomly Watermarked Images
Cor
rela
tion
to o
ur im
age
Figure 5.7. The correlation of the decrypted image to 100 randomly watermarked decrypted im-
ages.
Page 75
5.4 RSA Cryptosystem
(a) (b)
0 20 40 60 80 1000.99
0.991
0.992
0.993
0.994
0.995
0.996
0.997
0.998
0.999
1Correlation of 100 uniquely watermarked images to our watermarked image
Randomly Watermarked Images
Cor
rela
tion
to o
ur im
age
(c)
0 20 40 60 80 1000.99
0.991
0.992
0.993
0.994
0.995
0.996
0.997
0.998
0.999
1Correlation of 100 uniquely watermarked images to our watermarked image, after atk
Randomly Watermarked Images
Cor
rela
tion
to o
ur im
age
(d)
Figure 5.8. Results of RSA encryption and DCT watermarking, α = 0.001,after applying attack:
forcing to 8-bits, where (a) before attack, (b) after attack, (c) correlation before
attack, and (d) correlation after attack.
Page 76
NOTE: These figures are included on page 76 of the print copy of the thesis held in the University of Adelaide Library.
Chapter 5 Experimental Results
(a) (b)
0 20 40 60 80 1000.985
0.99
0.995
1Correlation of 100 uniquely watermarked images to our watermarked image
Randomly Watermarked Images
Cor
rela
tion
to o
ur im
age
(c)
0 20 40 60 80 1000.985
0.986
0.987
0.988
0.989
0.99
0.991
0.992Correlation of 100 uniquely watermarked images to our watermarked image, after atk
Randomly Watermarked Images
Cor
rela
tion
to o
ur im
age
(d)
Figure 5.9. Results of RSA encryption and DCT watermarking, α = 0.001,after applying attack:
JPEG compressed by 50%, where (a) before attack, (b) after attack, (c) correlation
before attack, and (d) correlation after attack.
Page 77
NOTE: These figures are included on page 77 of the print copy of the thesis held in the University of Adelaide Library.
5.4 RSA Cryptosystem
(a) (b)
0 20 40 60 80 1000.975
0.98
0.985
0.99
0.995
1Correlation of 100 uniquely watermarked images to our watermarked image
Randomly Watermarked Images
Cor
rela
tion
to o
ur im
age
(c)
0 20 40 60 80 1000.975
0.98
0.985
0.99
0.995
1Correlation of 100 uniquely watermarked images to our watermarked image, after atk
Randomly Watermarked Images
Cor
rela
tion
to o
ur im
age
(d)
Figure 5.10. Results of RSA encryption and DCT watermarking, α = 0.001,after applying attack:
cropping 1 pixel from edges, where (a) before attack, (b) after attack, (c) correlation
before attack, and (d) correlation after attack.
Page 78
NOTE: These figures are included on page 78 of the print copy of the thesis held in the University of Adelaide Library.
Chapter 5 Experimental Results
(a) (b)
0 20 40 60 80 1000.985
0.99
0.995
1Correlation of 100 uniquely watermarked images to our watermarked image
Randomly Watermarked Images
Cor
rela
tion
to o
ur im
age
(c)
0 20 40 60 80 1000.985
0.99
0.995
1Correlation of 100 uniquely watermarked images to our watermarked image, after atk
Randomly Watermarked Images
Cor
rela
tion
to o
ur im
age
(d)
Figure 5.11. Results of RSA encryption and DCT watermarking, α = 0.001,after applying attack:
cropping 50 pixel from edges, where (a) before attack, (b) after attack, (c) correlation
before attack, and (d) correlation after attack.
Page 79
NOTE: These figures are included on page 79 of the print copy of the thesis held in the University of Adelaide Library.
5.4 RSA Cryptosystem
(a) (b)
0 20 40 60 80 1000.998
0.9982
0.9984
0.9986
0.9988
0.999
0.9992
0.9994
0.9996
0.9998
1Correlation of 100 uniquely watermarked images to our watermarked image
Randomly Watermarked Images
Cor
rela
tion
to o
ur im
age
(c)
0 20 40 60 80 1000.9456
0.9458
0.946
0.9462
0.9464
0.9466
0.9468
Correlation of 100 uniquely watermarked images to our watermarked image, after atk
Randomly Watermarked Images
Cor
rela
tion
to o
ur im
age
(d)
Figure 5.12. Results of RSA encryption and DCT watermarking, α = 0.001,after applying attack:
adding Gaussian noise with zero mean and standard variance 0.004, where (a) before
attack, (b) after attack, (c) correlation before attack, and (d) correlation after attack.
Page 80
NOTE: These figures are included on page 80 of the print copy of the thesis held in the University of Adelaide Library.
Chapter 5 Experimental Results
(a) (b)
0 20 40 60 80 100
0.9999
0.9999
0.9999
0.9999
1
1
1
1
1
1Correlation of 100 uniquely watermarked images to our watermarked image
Randomly Watermarked Images
Cor
rela
tion
to o
ur im
age
(c)
0 20 40 60 80 100
0.9999
0.9999
0.9999
0.9999
1
1
1
1
1
1Correlation of 100 uniquely watermarked images to our watermarked image, after atk
Randomly Watermarked Images
Cor
rela
tion
to o
ur im
age
(d)
Figure 5.13. Results of RSA encryption and DCT watermarking, α = 0.001,after applying attack:
scaling by half and then doubling in size, where (a) before attack, (b) after attack,
(c) correlation before attack, and (d) correlation after attack.
Page 81
NOTE: These figures are included on page 81 of the print copy of the thesis held in the University of Adelaide Library.
5.4 RSA Cryptosystem
(a) (b)
0 20 40 60 80 1000.988
0.99
0.992
0.994
0.996
0.998
1Correlation of 100 uniquely watermarked images to our watermarked image
Randomly Watermarked Images
Cor
rela
tion
to o
ur im
age
(c)
0 20 40 60 80 1000.988
0.99
0.992
0.994
0.996
0.998
1Correlation of 100 uniquely watermarked images to our watermarked image, after atk
Randomly Watermarked Images
Cor
rela
tion
to o
ur im
age
(d)
Figure 5.14. Results of RSA encryption and DCT watermarking, α = 0.001,after applying attack:
cropping 1 pixel from edges and resizing to original size, where (a) before attack, (b)
after attack, (c) correlation before attack, and (d) correlation after attack.
Page 82
NOTE: These figures are included on page 82 of the print copy of the thesis held in the University of Adelaide Library.
Chapter 5 Experimental Results
(a) (b)
0 20 40 60 80 1001
1
1
1
1
1
1
1
1
1
1Correlation of 100 uniquely watermarked images to our watermarked image
Randomly Watermarked Images
Cor
rela
tion
to o
ur im
age
(c)
0 20 40 60 80 100
1
1
1
1
1
1
1
1
1
1Correlation of 100 uniquely watermarked images to our watermarked image, after atk
Randomly Watermarked Images
Cor
rela
tion
to o
ur im
age
(d)
Figure 5.15. Results of RSA encryption and DCT watermarking, first watermark α = 0.0005,
second watermark α = 0.0005, after applying attack: double watermarking, where
(a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation
after attack.
Page 83
NOTE: These figures are included on page 83 of the print copy of the thesis held in the University of Adelaide Library.
5.4 RSA Cryptosystem
As mentioned previously, if re-encrypting again after decryption, any little deviation
is further increased by the re-encryption step (power to e), thus potentially destroying
the underlying watermark. For this reason, the last attack, where another watermark
was inserted, was only possible by setting the strength of the first watermark smaller
than the second, and the combined watermarking strength less than or equal to the
strength of when only one watermark is inserted. This makes intuitive sense as there
is a maximum capacity measure for each image. Since the maximum capacity is
the total amount of information that can be inserted into an image without causing
distortion, the total capacity of the two embedded watermarks must be kept below
the maximum capacity.
Notice that the difference between the correlation to other randomly watermarked
images and the correct matching watermarked image is significantly small, espe-
cially where the final image is visually indistinguishable from the original image,
as in Figure 5.12. This small difference is caused by the fact that as the final image be-
comes closer and closer to being identical to the original image, the amount of unique
markers is reduced. Thus to bring out the differences into light, we applied post-
processing, where we subtracted the originally image from the final images, high-
lighting the differences and showing the residue, or the stain, from the watermarking
algorithm. The results are in Figures 5.16 to 5.23. This, again, clearly supports the
need for post-processing.
Page 84
Chapter 5 Experimental Results
0 10 20 30 40 50 60 70 80 90 100−0.2
0
0.2
0.4
0.6
0.8
1
1.2Correlation of 100 uniquely watermarked images to our attacked watermarked image, after atk, minus image
Randomly Watermarked Images
Cor
rela
tion
to o
ur a
ttack
ed im
age
Figure 5.16. Results of RSA encryption and DCT watermarking, α = 0.001, correlation after
applying attack: forcing to 8-bits, where the original image has been subtracted
from the attacked image, before correlating.
0 10 20 30 40 50 60 70 80 90 100−0.02
0
0.02
0.04
0.06
0.08
0.1Correlation of 100 uniquely watermarked images to our attacked watermarked image, after atk, minus image
Randomly Watermarked Images
Cor
rela
tion
to o
ur a
ttack
ed im
age
Figure 5.17. Results of RSA encryption and DCT watermarking, α = 0.001, correlation after
applying attack: JPEG compressed by 50%, where the original image has been sub-
tracted from the attacked image, before correlating.
Page 85
5.4 RSA Cryptosystem
0 10 20 30 40 50 60 70 80 90 100−0.2
0
0.2
0.4
0.6
0.8
1
1.2Correlation of 100 uniquely watermarked images to our attacked watermarked image, after atk, minus image
Randomly Watermarked Images
Cor
rela
tion
to o
ur a
ttack
ed im
age
Figure 5.18. Results of RSA encryption and DCT watermarking, α = 0.001, correlation after
applying attack: cropping 1 pixel from edges, where the original image has been
subtracted from the attacked image, before correlating.
0 10 20 30 40 50 60 70 80 90 100−0.2
0
0.2
0.4
0.6
0.8
1
1.2Correlation of 100 uniquely watermarked images to our attacked watermarked image, after atk, minus image
Randomly Watermarked Images
Cor
rela
tion
to o
ur a
ttack
ed im
age
Figure 5.19. Results of RSA encryption and DCT watermarking, α = 0.001, correlation after
applying attack: cropping 50 pixel from edges, where the original image has been
subtracted from the attacked image, before correlating.
Page 86
Chapter 5 Experimental Results
0 10 20 30 40 50 60 70 80 90 100−0.01
0
0.01
0.02
0.03
0.04
0.05
0.06Correlation of 100 uniquely watermarked images to our attacked watermarked image, after atk, minus image
Randomly Watermarked Images
Cor
rela
tion
to o
ur a
ttack
ed im
age
Figure 5.20. Results of RSA encryption and DCT watermarking, α = 0.001, correlation after ap-
plying attack: adding Gaussian noise with zero mean and standard variance 0.004,
where the original image has been subtracted from the attacked image, before cor-
relating.
0 10 20 30 40 50 60 70 80 90 100−0.2
0
0.2
0.4
0.6
0.8
1
1.2Correlation of 100 uniquely watermarked images to our attacked watermarked image, after atk, minus image
Randomly Watermarked Images
Cor
rela
tion
to o
ur a
ttack
ed im
age
Figure 5.21. Results of RSA encryption and DCT watermarking, α = 0.001, correlation after
applying attack: scaling by half and then doubling in size, where the original image
has been subtracted from the attacked image, before correlating.
Page 87
5.4 RSA Cryptosystem
0 10 20 30 40 50 60 70 80 90 100−0.2
0
0.2
0.4
0.6
0.8
1
1.2Correlation of 100 uniquely watermarked images to our attacked watermarked image, after atk, minus image
Randomly Watermarked Images
Cor
rela
tion
to o
ur a
ttack
ed im
age
Figure 5.22. Results of RSA encryption and DCT watermarking, α = 0.001, correlation after
applying attack: cropping 1 pixel from edges and resizing to original size, where the
original image has been subtracted from the attacked image, before correlating.
0 10 20 30 40 50 60 70 80 90 100−0.1
0
0.1
0.2
0.3
0.4
0.5
0.6Correlation of 100 uniquely watermarked images to our attacked watermarked image, after atk, minus image
Randomly Watermarked Images
Cor
rela
tion
to o
ur a
ttack
ed im
age
Figure 5.23. Results of RSA encryption and DCT watermarking, first watermark α = 0.0005,
second watermark α = 0.0005, correlation after applying attack: double watermark-
ing, where the original image has been subtracted from the attacked image, before
correlating.
Page 88
Chapter 5 Experimental Results
0 1000 2000 3000 4000 5000 600090
100
110
120
130
140
150
n
PS
NR
All Alpha
Alpha =0.000200Alpha =0.000225Alpha =0.000250Alpha =0.000275Alpha =0.000300Alpha =0.000325Alpha =0.000350Alpha =0.000375Alpha =0.000400Alpha =0.000425Alpha =0.000450Alpha =0.000475Alpha =0.000500Alpha =0.000525Alpha =0.000550Alpha =0.000575Alpha =0.000600Alpha =0.000625Alpha =0.000650Alpha =0.000675Alpha =0.000700Alpha =0.000725Alpha =0.000750Alpha =0.000775Alpha =0.000800Alpha =0.000825Alpha =0.000850Alpha =0.000875Alpha =0.000900Alpha =0.000925Alpha =0.000950Alpha =0.000975Alpha =0.001000
Figure 5.24. Results of RSA encryption and DCT watermarking, capacity analysis, with α varying
from 0.0002 to 0.001, and for a range of prime keys, n, versus peak signal-to-noise
ratio (PSNR).
To have the decrypted result, i.e. M′, visually identical to the original message, the
changes caused by the embedded watermark must be small. For the security of RSA,
the prime numbers, p and q, should be very large, such that the encryption and de-
cryption keys generated, e and d, are in the order of 2048-bits.
To determine how tolerant this system is to the errors caused by the watermark, we
ran a series of simulations, producing the graphs seen in Figure 5.24 to Figure 5.29,
by varying the size of the prime keys, n(= p ∗ q), from 240 to 5832, versus the PSNR.
We repeated the simulation for a range of different watermarking strength, α, from
0.0002 up to 0.001, as we observed that 0.001 gives a good final image and very good
watermark survivability for the experimental results shown previously, and 0.0002
gives the best final image with a reasonable watermark survivability.
From Figure 5.24, we noted that the lower curve of the PSNR remained the same for
all values of α, varying only with n. Through least-squares curve-fitting in MATLAB,
the shape of this curve was determined to be
1039.664585 − 476.661547 ln(n) + 91.585027 ln(n)2
−7.882351 ln(n)3 + 0.254924 ln(n)4.
Page 89
5.4 RSA Cryptosystem
0 1000 2000 3000 4000 5000 600094
96
98
100
102
104
106
108
110
112All Alpha −− Lower Curve
n
PS
NR
Actual DataPolyFit Log Est
Figure 5.25. Results of RSA encryption and DCT watermarking, capacity analysis, with α varying
from 0.0002 to 0.001, and for a range of prime keys, n, versus peak signal-to-noise
ratio (PSNR), lower-bound and best-fit.
The graph of the lower curve and its best-fit curve is displayed in Figure 5.25. We can
easily see that the best-fit curve follows the actual data closely.
We determined the point at which there is JND in the final image, which gives a
correlation of about 0.995, or a PSNR of approximately 122.62dB. By extrapolating
the graph in Figure 5.25, this gives a n of approximately 70. Therefore to always be
below the JND threshold, the product of the keys of the cryptosystem must be 70 or
less, which is a very small number.
We can also see from Figure 5.24 that there is an upper curve, dependent on both α
and n. The graph of the upper curve and its best-fit surface-curve is displayed in
Figure 5.26. The form of the best-fit curve is
129.788586 − 0.003164n + 484.033349α − 9.643661nα
+0.000000268741n2 + α2 + 0.942221n2α2.
Page 90
Chapter 5 Experimental Results
10002000
30004000
50006
24
68
10
x 10−4
90
100
110
120
130
nalpha
PS
NR
Figure 5.26. Results of RSA encryption and DCT watermarking, capacity analysis, with α varying
from 0.0002 to 0.001, versus a range of prime keys, n, versus peak signal-to-noise
ratio (PSNR), upper-bound and surface-best-fit.
However, the upper curve is only of interest around the point it ceases to follow this
model. As mentioned above, the PSNR JND threshold is 122.62dB. This is displayed
as the horizontal green line in Figure 5.27 and Figure 5.28. The vertical green line
represents the point where there are no more images that are below the JND thresh-
old (or above the equivalent PSNR threshold). In Figure 5.27, for α = 0.0002 up to
α = 0.000275 we can see that there are no vertical green lines as no images lie above
the required PSNR. This means that for this system α must be chosen to be above
0.000275.
Figure 5.29, shows the percentage of the time that the image produced is below the
JND threshold, for all values shown in Figure 5.24. Averaging just below 14%, this
can be considered the failure-rate of the system. This means that under the worst-
case, the system must be run for a maximum of just below ten runs before a sufficient
image is produced.
Page 91
5.4 RSA Cryptosystem
0 1000 2000 3000 4000 5000 6000105
110
115
120
125
130
n
PS
NR
alpha =0.0002
0 1000 2000 3000 4000 5000 6000105
110
115
120
125
130
n
PS
NR
alpha =0.000275
(a) (b)
0 1000 2000 3000 4000 5000 600090
100
110
120
130
140
150
n
PS
NR
alpha =0.0003
0 1000 2000 3000 4000 5000 600090
100
110
120
130
140
150
n
PS
NR
alpha =0.0005
(c) (d)
0 1000 2000 3000 4000 5000 600090
100
110
120
130
140
150
n
PS
NR
alpha =0.0006
0 1000 2000 3000 4000 5000 600090
100
110
120
130
140
150
n
PS
NR
alpha =0.0007
(e) (f)
Figure 5.27. Results of RSA encryption and DCT watermarking, capacity analysis: individual
upper-curve best-fits for α equal to (a) 0.0002, (b) 0.0003, (c) 0.0004, (d) 0.0005,
(e) 0.0006, and (f) 0.0007.
Page 92
Chapter 5 Experimental Results
0 1000 2000 3000 4000 5000 600090
100
110
120
130
140
150
n
PS
NR
alpha =0.0008
0 1000 2000 3000 4000 5000 600090
100
110
120
130
140
150
n
PS
NR
alpha =0.001
(a) (b)
Figure 5.28. Results of RSA encryption and DCT watermarking, capacity analysis: individual
upper-curve best-fits for α equal to (a) 0.0008, and (b) 0.001.
2 3 4 5 6 7 8 9 10
x 10−4
0
2
4
6
8
10
12
14
16
18Percentage of PSNR below JND
alpha
Per
cent
age
(%)
Figure 5.29. Results of RSA encryption and DCT watermarking, capacity analysis: upper-curve
percentage of PSNR below the JND threshold.
Page 93
5.5 Elliptic Curve Cryptosystem
As we can see, using very large prime keys is not possible, as the smallest of devi-
ations altered M′ too much to make it look anything like M. Hence the security of
this system is seriously doubtful. It may be possible that the changes caused by the
watermark will prevent easy cryptanalysis of the system when attempting to find
the decryption key, but since this is a public encryption system, the (weak) encryp-
tion key is readily available and can be reverse-engineered for the decryption key. In
addition, this system’s failure-rate of around 14% is not the best.
Thus RSA in this instance is not sufficient for the purpose of protecting the image,
even though it can tolerate minor distortions.
5.5 Elliptic Curve Cryptosystem
Elliptic curve based cryptosystems have the useful properties of being asymmetric,
non-commutative, secure with shorter key lengths, and easily implementable. For
ECC, there was a choice of two implementable encryption systems. The first is an
ElGamal-type ECC and the second is the Menezes-Vanstone ECC, both detailed in
§ 3.2. The ElGamal-type ECC was a stepping stone to understanding the Menezes-
Vanstone ECC but otherwise not used. The reason for this is that it is not imple-
mentable without a function, f ,that maps a point, P, to some value, v, i.e. P → v, such
that f (P) = v and has the property f (P1 + P2) = f ([v1]P2) = f (P1) f (P2) = v1 ∗ v2.
Hence only the Menezes-Vanstone ECC is implemented in Appendix C.4 with the
algorithm outlined on Table 5.6.
The Menezes-Vanstone ECC unfortunately introduces a security weakness, which
will be discussed in detail later, but is still important in showing the algorithm’s
abilities in terms of robustness to attacks and detectability.
The results of the Menezes-Vanstone ECC watermarking system are shown in Fig-
ures 5.30 and 5.31.
Figure 5.30(a) is the original image and Figure 5.30(b) is the image after encryption.
As can be seen, encryption has altered the image considerably. It can be seen that
ECC is again a better encryption than previous encryption implementations, as the
encrypted image appears to be closer to random noise. This is exactly what is desired,
so that the attackers have minimal to no features from the original image to exploit.
Page 94
Chapter 5 Experimental Results
Table 5.6. Summary of Menezes-Vanstone ECC watermarking algorithm
Bob’s setup:
1. Choose a large prime number, p.
2. Choose an elliptic curve, E .
3. Choose a point, P, on E .
4. Choose a secret key, kB < #E .
5. Compute point, Q = [kB]P.
6. Make public Ke = (P,Q,E , p) and keep private Kd = (kB).
Alice’s setup:
1. Obtain image, M, of size h × w uint8 values, arranged into pairs,
(m1, m2).
2. Obtain watermark, W, of length l binary bits, {−1, 1}.3. Select strength factor, α.
4. Select a secret key, kA, such that 0 < kA < #E ,
where #E is the number of points in E .
Alice’s encryption steps:
1. Get Bob’s public information, Ke = (P,Q,E , p).
2. Compute Y0 = [kA]P and (y1, y2) = [kA]Q.
3. Obtain the encrypted image, C = (c1, c2), where
c1 = y1 · m1 (mod p), and c2 = y2 · m2 (mod p).
Alice’s watermarking steps:
1. Discrete cosine transform the encrypted image, C, and sort into
l largest values except the DC component.
2. Obtain C′i,j = Ci,j(1 + αWj), for i = 1, 2 and j = 1 : l.
3. Inverse discrete cosine transform C′ = (C′1, C′
2).
4. Send Y0 and C′ to B.
Bob’s decryption steps:
1. Receive altered ciphertext, C′ = (c′1, c′2), and cipherpoint, Y0.
2. Compute (y1, y2) = [kB]Y0.
3. Compute the message, M′ = (m′1, m′
2), where
m′1 = (y1)−1 · c′1 (mod p), and m′
2 = (y2)−1 · c′2 (mod p).
Page 95
5.5 Elliptic Curve Cryptosystem
Image 5.30(d) shows that despite the watermarking stage between the encryption
and decryption stages, the image is still visually similar to the original image. This
result further supports the use of the staining protocol.
For comparison, in Figure 5.31, the stained image was matched against a test set of
100 different watermarked images, using the correlation measure as the comparer.
The spike shown in Figure 5.31 indicates a match to the watermarked image at index
27, which is the correct result.
To test the robustness of the system to disruption, attacks were applied to the final
image.
The attacks applied to the final images are:
• forcing pixel values to unsigned 8-bit integers, i.e. truncating,
• JPEG conversion, to image quality 10%,
• cropping 1 pixel (out of 256 pixels) from each of the edges and replacing the
pixels with corresponding pixels from the original image,
• cropping 50 pixels (out of 256 pixels) from each of the edges and replacing the
pixels with corresponding pixels from the original image,
• adding Gaussian noise, with zero mean and typical standard variance 0.01,
• downsampling by 2, by decreasing the final image to half-size then enlarging
to full size,
• testing combination attacks of cropping 1 pixel from each of the edges and then
resizing the image to its original dimensions, and
• applying a second watermark, or double watermarking.
The results are displayed in Figure 5.32 through to Figure 5.39.
We also rotated the final image by 1 degree clockwise, using bilinear interpolation as
part of our set of attacks. The rotated image was then cropped to remove the black
edging, and resized to its original dimensions. A positive match was barely made.
This result is shown in Figure 5.40.
Page 96
Chapter 5 Experimental Results
(a) (b)
(c) (d)
Figure 5.30. Results of Menezes-Vanstone EC encryption and DCT watermarking, α = 0.001, (a)
original image (Lena), (b) after encryption, (c) then watermarking, and finally (d)
after decryption.
Page 97
NOTE: This figure is included on page 97 of the print copy of the thesis held in the University of Adelaide Library.
NOTE: This figure is included on page 97 of the print copy of the thesis held in the University of Adelaide Library.
5.5 Elliptic Curve Cryptosystem
0 20 40 60 80 100−0.2
0
0.2
0.4
0.6
0.8
1
1.2Correlation to 100 different wms
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
Figure 5.31. The correlation of the MVECC-encrypted and DCT-watermarked recovered water-
mark to 100 random watermarks.
Page 98
Chapter 5 Experimental Results
(a) (b)
0 20 40 60 80 1000.999
0.9991
0.9992
0.9993
0.9994
0.9995
0.9996
0.9997
0.9998
0.9999
1Correlation to 100 different watermarked images, before attack
Randomly Watermarked Images
(c)
0 20 40 60 80 1000.999
0.9991
0.9992
0.9993
0.9994
0.9995
0.9996
0.9997
0.9998
0.9999
1Correlation to 100 different watermarked images, after attack
Randomly Watermarked Images
(d)
Figure 5.32. Results of MV-ECC encryption and DCT watermarking, watermark at α = 0.001,
correlation after applying attack: forcing to 8-bits, where (a) before attack, (b) after
attack, (c) correlation before attack, and (d) correlation after attack.
Page 99
NOTE: These figures are included on page 99 of the print copy of the thesis held in the University of Adelaide Library.
5.5 Elliptic Curve Cryptosystem
(a) (b)
0 20 40 60 80 100
0.99
0.992
0.994
0.996
0.998
1Correlation to 100 different watermarked images, before attack
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
(c)
0 20 40 60 80 1000.9705
0.971
0.9715
0.972
0.9725
0.973Correlation to 100 different watermarked images, after attack
Randomly Watermarked Images
(d)
Figure 5.33. Results of MV-ECC encryption and DCT watermarking, watermark at α = 0.001,
correlation after applying attack: JPEG compression to 10%, where (a) before attack,
(b) after attack, (c) correlation before attack, and (d) correlation after attack.
Page 100
NOTE: These figures are included on page 100 of the print copy of the thesis held in the University of Adelaide Library.
Chapter 5 Experimental Results
(a) (b)
0 20 40 60 80 1000.99
0.991
0.992
0.993
0.994
0.995
0.996
0.997
0.998
0.999
1Correlation to 100 different watermarked images, before attack
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
(c)
0 20 40 60 80 1000.99
0.991
0.992
0.993
0.994
0.995
0.996
0.997
0.998
0.999
1Correlation to 100 different watermarked images, after attack
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
(d)
Figure 5.34. Results of MV-ECC encryption and DCT watermarking, watermark at α = 0.001,
correlation after applying attack: cropping 1 pixel from the edges and replacing from
the original, where (a) before attack, (b) after attack, (c) correlation before attack,
and (d) correlation after attack.
Page 101
NOTE: These figures are included on page 101 of the print copy of the thesis held in the University of Adelaide Library.
5.5 Elliptic Curve Cryptosystem
(a) (b)
0 20 40 60 80 1000.98
0.982
0.984
0.986
0.988
0.99
0.992
0.994
0.996
0.998
1Correlation to 100 different watermarked images, before attack
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
(c)
0 20 40 60 80 1000.98
0.982
0.984
0.986
0.988
0.99
0.992
0.994
0.996
0.998
1Correlation to 100 different watermarked images, after attack
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
(d)
Figure 5.35. Results of MV-ECC encryption and DCT watermarking, watermark at α = 0.001,
correlation after applying attack: cropping 50 pixel from the edges and replacing
from the original, where (a) before attack, (b) after attack, (c) correlation before
attack, and (d) correlation after attack.
Page 102
NOTE: These figures are included on page 102 of the print copy of the thesis held in the University of Adelaide Library.
Chapter 5 Experimental Results
(a) (b)
0 20 40 60 80 1000.95
0.955
0.96
0.965
0.97
0.975
0.98
0.985
0.99
0.995
1Correlation to 100 different watermarked images, before attack
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
(c)
0 20 40 60 80 1000.85
0.855
0.86
0.865
0.87
0.875
0.88
0.885
0.89
0.895
0.9Correlation to 100 different watermarked images, after attack
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
(d)
Figure 5.36. Results of MV-ECC encryption and DCT watermarking, watermark at α = 0.001,
correlation after applying attack: adding Gaussian noise with zero mean and standard
variance 0.01, where (a) before attack, (b) after attack, (c) correlation before attack,
and (d) correlation after attack.
Page 103
NOTE: These figures are included on page 103 of the print copy of the thesis held in the University of Adelaide Library.
5.5 Elliptic Curve Cryptosystem
(a) (b)
0 20 40 60 80 1000.99
0.991
0.992
0.993
0.994
0.995
0.996
0.997
0.998
0.999
1Correlation to 100 different watermarked images, before attack
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
(c)
0 20 40 60 80 1000.95
0.951
0.952
0.953
0.954
0.955
0.956
0.957
0.958
0.959
Correlation to 100 different watermarked images, after attack
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
(d)
Figure 5.37. Results of MV-ECC encryption and DCT watermarking, watermark at α = 0.001,
correlation after applying attack: scaling by half and then doubling the size, where
(a) before attack, (b) after attack, (c) correlation before attack, and (d) correlation
after attack.
Page 104
NOTE: These figures are included on page 104 of the print copy of the thesis held in the University of Adelaide Library.
Chapter 5 Experimental Results
(a) (b)
0 20 40 60 80 1000.98
0.982
0.984
0.986
0.988
0.99
0.992
0.994
0.996
0.998
1Correlation to 100 different watermarked images, before attack
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
(c)
0 20 40 60 80 1000.9
0.902
0.904
0.906
0.908
0.91
0.912
0.914
0.916
0.918
0.92Correlation to 100 different watermarked images, after attack
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
(d)
Figure 5.38. Results of MV-ECC encryption and DCT watermarking, watermark at α = 0.001,
correlation after applying attack: cropping 1 pixel from edges and resizing to original
dimensions, where (a) before attack, (b) after attack, (c) correlation before attack,
and (d) correlation after attack.
Page 105
NOTE: These figures are included on page 105 of the print copy of the thesis held in the University of Adelaide Library.
5.5 Elliptic Curve Cryptosystem
(a) (b)
0 20 40 60 80 1000.99
0.991
0.992
0.993
0.994
0.995
0.996
0.997
0.998
0.999
1Correlation to 100 different watermarked images, before attack
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
(c)
0 20 40 60 80 1000.99
0.991
0.992
0.993
0.994
0.995
0.996
0.997
0.998
0.999
1Correlation to 100 different watermarked images, after attack
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
(d)
Figure 5.39. Results of MV-ECC encryption and DCT watermarking, first watermark α = 0.0005
at index 27, second watermark α = 0.001 at index 65, correlation after applying at-
tack: double watermarking, where (a) before attack, (b) after attack, (c) correlation
before attack, and (d) correlation after attack.
Page 106
NOTE: These figures are included on page 106 of the print copy of the thesis held in the University of Adelaide Library.
Chapter 5 Experimental Results
(a) (b)
0 20 40 60 80 1000.98
0.982
0.984
0.986
0.988
0.99
0.992
0.994
0.996
0.998
1Correlation to 100 different watermarked images, before attack
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
(c)
0 20 40 60 80 100−0.02
−0.015
−0.01
−0.005
0
0.005
0.01
0.015
0.02
0.025Correlation to 100 different watermarked images, after attack, minus orig
Randomly Watermarked Images
(d)
Figure 5.40. Results of MV-ECC encryption and DCT watermarking, α = 0.005, correlation after
applying attack: rotating 1◦ clockwise, cropping 3 pixels from edges, and resizing to
original size, where (a) before attack, (b) after attack, (c) correlation before attack,
and (d) correlation after attack.
Page 107
NOTE: These figures are included on page 107 of the print copy of the thesis held in the University of Adelaide Library.
5.5 Elliptic Curve Cryptosystem
0 20 40 60 80 100−0.2
0
0.2
0.4
0.6
0.8
1
1.2Correlation to 100 different watermarked images, after attack, minus orig
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
Figure 5.41. Results of MV-ECC encryption and DCT watermarking, α = 0.001, correlation after
applying attack: forcing to 8-bits, where the original image has been subtracted from
the attacked image, before correlating.
We have also tested the algorithm on the Baboon image with similar results. Bearing
in mind that we applied no pre- or post-processing to any of the images, and that
the watermark should theoretically render the data indecipherable, the watermark
comes through better than expected, standing out in most cases well above the clearly
random line.
Post-processing was then employed to see if the correlation results can be improved
upon. The results are in Figures 5.41 through to 5.49.
As can be seen, multiple attacks on the same system causes a lot of damage to the
underlying watermark. It is still possible to obtain a match, but the match is, as
expected, nowhere near as good as the singularly attacked images.
However, this system has an unfortunate weakness in that it does not prevent Alice
from reproducing the stain. Although the MV-ECC is an asymmetric cryptosystem in
that the keys of each party are protected, the message can be divined by both parties.
This is due to the realisation that Alice has all the information required to decrypt
the message, and hence is able to reproduce the stain that was previously believed to
only be possible by Bob.
Following the algorithm from Table 5.6, Step 1 and 2 in Alice’s encryption stage gives
Alice access to p, y1 and y2, which in turn allows Alice to compute (y1)−1 and (y2)−1.
After Step 3 of Alice’s watermarking stage, giving Alice c′1 and c′2, Alice is then able to
Page 108
Chapter 5 Experimental Results
0 20 40 60 80 100−0.02
−0.01
0
0.01
0.02
0.03
0.04
0.05
0.06
0.07Correlation to 100 different watermarked images, after attack, minus orig
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
Figure 5.42. Results of MV-ECC encryption and DCT watermarking, α = 0.001, correlation af-
ter applying attack: JPEG compressed to 10%, where the original image has been
subtracted from the attacked image, before correlating.
0 20 40 60 80 100−0.2
0
0.2
0.4
0.6
0.8
1
1.2Correlation to 100 different watermarked images, after attack, minus orig
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
Figure 5.43. Results of MV-ECC encryption and DCT watermarking, α = 0.001, correlation after
applying attack: cropping 1 pixel from edges and replacing from original, where the
original image has been subtracted from the attacked image, before correlating.
Page 109
5.5 Elliptic Curve Cryptosystem
0 20 40 60 80 100−0.1
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7Correlation to 100 different watermarked images, after attack, minus orig
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
Figure 5.44. Results of MV-ECC encryption and DCT watermarking, α = 0.001, correlation after
applying attack: cropping 50 pixel from edges and replacing from original, where the
original image has been subtracted from the attacked image, before correlating.
0 20 40 60 80 100−0.05
0
0.05
0.1
0.15
0.2
0.25
0.3Correlation to 100 different watermarked images, after attack, minus orig
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
Figure 5.45. Results of MV-ECC encryption and DCT watermarking, α = 0.001, correlation af-
ter applying attack: adding Gaussian noise with zero mean and standard variance
0.01, where the original image has been subtracted from the attacked image, before
correlating.
Page 110
Chapter 5 Experimental Results
0 20 40 60 80 100−0.02
−0.01
0
0.01
0.02
0.03
0.04
0.05Correlation to 100 different watermarked images, after attack, minus orig
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
Figure 5.46. Results of MV-ECC encryption and DCT watermarking, α = 0.001, correlation after
applying attack: scaling by half and then doubling in size, where the original image
has been subtracted from the attacked image, before correlating.
0 20 40 60 80 100−0.015
−0.01
−0.005
0
0.005
0.01
0.015
0.02
0.025Correlation to 100 different watermarked images, after attack, minus orig
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
Figure 5.47. Results of MV-ECC encryption and DCT watermarking, α = 0.001, correlation after
applying attack: cropping 1 pixel from edges and resizing to original size, where the
original image has been subtracted from the attacked image, before correlating.
Page 111
5.5 Elliptic Curve Cryptosystem
0 20 40 60 80 100−0.1
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9Correlation to 100 different watermarked images, after attack, minus orig
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
Figure 5.48. Results of MV-ECC encryption and DCT watermarking, first watermark α = 0.0005,
second watermark α = 0.001, correlation after applying attack: double watermark-
ing, where the original image has been subtracted from the attacked image, before
correlating.
0 20 40 60 80 100−0.02
−0.015
−0.01
−0.005
0
0.005
0.01
0.015
0.02
0.025Correlation to 100 different watermarked images, after attack, minus orig
Randomly Watermarked Images
Cor
rela
tion
to o
ur w
ater
mar
ked
imag
e
Figure 5.49. Results of MV-ECC encryption and DCT watermarking, α = 0.005, correlation after
applying attack: rotating 1◦ clockwise, cropping 3 pixels from edges, and resizing to
original size, where the original image has been subtracted from the attacked image,
before correlating.
Page 112
Chapter 5 Experimental Results
obtain the stained message, M′ = (m′1, m′
2), by computing m′i = (yi)−1 · c′i (mod p).
Given the stained message, Alice is able to implicate Bob, and Bob is able to refute
any accusations of illegal redistribution due to this weakness. More specifically, in
MV-ECC, the problem is that the ciphertext is a linear function of the message.
However, the RSA cryptosystem is a non-linear system. Though the key must be
much weaker to achieve a tolerable image reconstruction after decryption, the results
from Section 5.4 showed that it is possible to encrypt, watermark, then decrypt an
image and produce a stain with deterministic artefacts like a watermark. In addition,
we submitted the RSA system to the same variety of attacks as with MV-ECC and
demonstrated that the system could survive truncation, JPEG conversion, cropping,
noise addition, resizing, double watermarking, and a combination attack involving
cropping and resizing, which the RSA system was able to survive. We are still unsure
of how easy the system would be to break due to the low key-size requirement, but
as the key-size increases, the watermarking capacity decreases drastically, as shown
in Section 5.4.
Page 113
Page 114
Chapter 6
Summary
THIS chapter completes the dissertation with a discussion of is-
sues discovered throughout the research, in particular regard-
ing the precise nature of cryptographic systems, as well as addi-
tional requirements on cryptosystems and watermarking algorithms for
our staining protocol. This chapter also contains our conclusions based on
our findings, a summary of contributions to the field, and a descriptive
list of future directions for research.
Page 115
6.1 Discussion of Problems
6.1 Discussion of Problems
As we explored the feasibility of the staining protocol, we encountered several issues
that had to be addressed. Not the least among these was the incompatibility of the
majority of cryptosystems with watermarking methods.
6.1.1 The Exacting Nature of Cryptograms
Our initial approach was to regard the cryptographic and watermarking stages as
separate components. We sought to find cryptographic algorithms that can survive
the distortion caused by the watermark, since watermarks are more malleable than
cryptosystems. However, it became clear quite rapidly that such a distinction will
not be feasible, considering that the two stages are intertwined.
Though watermarking and cryptography share a common history and sometimes a
common basis as well (Yang et al. 2003), they are remarkably different in how each
can be manipulated. The difference is primarily in how errors are handled. Wa-
termarks are formed with the understanding that they will be altered, by attacks as
well as normal image processing operations, and are hence built to withstand errors.
Cryptograms are created to be fragile, and are hence destroyed on attack.
Another issue was key length. We found that the longer the key length, the more
likely the watermark will be destroyed. Further, the likelihood that decryption will
be unsuccessful increased with the key length. This was one of the reasons we chose
to implement the protocol with elliptic curves.
However, the elliptic curve cryptosystem implemented, the Menezes-Vanstone ECC,
was found to be seriously faulty in that Party A is able to reproduce the stain, thus
MV-ECC is no longer sufficient to solve our mutual distrust problem. MV-ECC does
however show that a complex encryption system can be utilised in such a way, to
encrypt, watermark and then decrypt, without destroying the watermark and still
produce a relatively visually identical output image to the stained image.
In addition, RSA is still too rigid a system to allow for our deliberately introduced
errors, however, there is a new field of cryptography known as image cryptography,
which was briefly discussed in Section 2.2.2. This field is not yet sufficiently devel-
oped for our use, however, it has a clear application in our protocol as it is designed
Page 116
Chapter 6 Summary
to be error-tolerant. This means that our deliberately introduced errors (i.e. the wa-
termark) will result in deterministic staining artefacts, which can usefully be used in
transaction tracking.
In conclusion, we would like to make the following statements:
1. The Menezes-Vanstone Elliptic Curve Cryptosystem does not solve the specific
problem of mutual distrust in a transaction;
2. RSA demonstrated that the system is possible, when the correct conditions on
the encryption system are met;
3. Image cryptography is still in the developmental stages, but with the designed
tolerance for errors could one day easily meet our cryptographic requirements.
6.1.2 Cryptosystem and Watermark Requirements
From our analysis, we note several additional requirements on the choice of cryp-
tosystem. The cryptosystem needs to be asymmetric, to prevent A from easily re-
versing the encryption from the data given by B. Also, the cryptosystem needs to be
non-commutative with the chosen watermarking methods, so the crypto-process will
be assured of distorting the watermark. In addition, the algorithms will likely need
to be non-linear, to ensure that A is unable to reproduce the stain as with MV-ECC,
but not as strict as systems such as RSA, so that our deliberately introduced errors in
the form of A’s watermark will still be able to produce deterministic artefacts on the
decrypted image.
The method of identifying the stain would depend on the watermark embedding
method. The embedding method itself already has several well established require-
ments (Anderson et al. 1999, Wolfgang et al. 1999, Zhou 2000) which must be met.
These are:
• fidelity,
• robustness,
• detectability, and
• conclusiveness.
Page 117
6.2 Conclusion
Two additional requirements for our particular methods are:
• additivity, and
• capacity/complexity
which were defined in Section 1.4. Specifically, the greater the number of watermarks
that can be embedded and successfully detected, the more useful the protocol will be
for multiple transactions, hence the capacity of the scheme must be greater than one.
For use in large multimedia objects such as video and raw images, the complexity of
the scheme must therefore be as low as possible. Also, we desire that the watermarks
be disparate as possibleto limit their effects on one another and allow for better de-
tection, hence the additivity requirement. It is clear that our greatest challenge still
lies in finding compatible cryptosystems and watermarking methods.
We have considered asymmetric watermarks as an alternative to public-key encryp-
tion (Eggers et al. 2000, Hachez and Quisquater 2002), however the field is still in
its infancy and is currently limited in its uses. The ideas are based on asymmet-
ric cryptography, and the majority of methods are fragile and hence are more often
used in signature schemes. Unfortunately, though there are many interesting systems
(Choi et al. 2004, Kazakeviciute et al. 2005), none currently suit our purposes.
6.2 Conclusion
As we explored the feasibility of the staining protocol, we encountered several issues
that must be addressed. Not the least among these was the incompatibility of the
majority of cryptosystems with watermarking methods.
Our initial approach was to regard the cryptographic and watermarking stages as
separate components, as we sought to find cryptographic algorithms that can sur-
vive the distortion caused by the watermark. This is due to watermarks being more
malleable than cryptosystems. However, it is quite clear that such a distinction will
not be feasible, considering that the two stages are intertwined.
We note several additional requirements on the choice of cryptosystem. The cryp-
tosystem needs to be asymmetric and non-linear, to prevent A from easily reversing
Page 118
Chapter 6 Summary
the encryption from the data given by B. Also, the cryptosystem needs to be non-
commutative with the chosen watermarking methods, so the crypto-process will be
assured of distorting the watermark.
In conclusion, this research was not intended to be the end-all of piracy, but to di-
rect research considerations into other directions, mainly that of the mutual-distrust
problem. In the end, the idea was not to stop piracy by making watermarks that are
impossible to detect and harder to destroy, but to make piracy undesirable to those
perpetrating it. This is not a permanent one-off solution but one that can be continu-
ally upgraded to keep up with advances in technology and attacker skills.
6.3 Summary of Contributions
In this thesis we have introduced a novel direction for research in dealing with doc-
ument theft and redistribution of digital documents, commonly known as piracy. In
particular, the focus of our staining protocol is on detecting and identifying insider
sources of illegal distribution with non-repudiation.
Our contributions include:
• A new protocol that allows for non-repudiable transaction tracking.
The majority of protocols and techniques in the literature, detailed in Section
2.1, have been focused on trusted owners, however it was shown in Chapter
4 that this was not the case. Hence we concluded that a new protocol needed
to be developed. We created our protocol by combining cryptography and wa-
termarking in such a way that decryption imposes a stain upon the watermark.
This stain ensures that neither party in a transaction can repudiate. For instance,
if party B takes its decrypted copy and illegally provides the copy to an outside
party, the watermark can be detected. In the standard watermarking scenario,
which was shown in Section 4.4, this exact watermark would be present in A’s
copy, and hence B can repudiate claims of piracy. However, in our protocol, the
watermark has been stained by decryption, proving that the copy is irrefutably
B’s. Alternatively, if A illegally redistributes, it cannot place the blame on B as
the embedded watermark will not have the stain.
• Combining cryptography and watermarking for the first time where watermarking oc-
curs before decryption.
Page 119
6.3 Summary of Contributions
Our protocol consists of three steps: first we encrypt the cover work, then we
watermark the encrypted cover work, and finally we decrypt to obtain a cover
work embedded with a stained watermark. There is little existing literature
combining watermarking and cryptography, which has been detailed in Sec-
tion 2.3. What little literature does exist has not considered the possibility of
watermarking between the encryption and decryption steps. This is due to the
fragile nature of cryptosystems, which are built to be destroyed upon corrup-
tion of the encrypted data. However, new encryption techniques, reviewed in
Section 2.2, particularly those for image or video applications, have been built
to withstand errors. Hence this allows this research to consider steganogra-
phy and cryptography used in such a way as to complement each other, not by
sharing secrets but by the entangling of secrets.
• Producing successful experimental results on the staining protocol.
In Chapter 5, we tested our protocol using a simple, yet robust, watermark-
ing technique known as the spread spectrum watermarking method, discussed
in Section 3.1.2. We combined the spread spectrum watermark with several
well-known methods of encryption, specifically XOR encryption, block-based
encryption, RSA, and elliptic curve cryptography, to test the viability of the pro-
tocol. Finally, we attacked the RSA and the Menezes-Vanstone Elliptic Curve
cryptosystems with several typical common signal processing and geometric
attacks such as resampling, JPEG compression, cropping, and rotation, as well
as embedding a second watermark. Though none of the encryption methods
were sufficient for our use, we did show that complex encryption systems such
as RSA and MV-ECC can successfully withstand the aforementioned attacks,
and derived additional requirements with respect to the cryptographic systems
to be used.
One of the goals of this thesis was to present another approach to tackling the prob-
lem of piracy. It is our hope that with our contributions we have opened the eyes
and minds of other researchers and provided another avenue of focus in the data
protection field.
Page 120
Chapter 6 Summary
6.4 Future Research
As previously mentioned, one of the aims of this research was to investigate the fea-
sibility of combining steganography and cryptography, such that decryption leaves
a stain on the watermark. It was also to demonstrate another direction for research to
tackle the increase in piracy and illegal copyright-violating activities.
From this point onwards, the research can branch off into several different directions.
Cryptography has always been a necessarily precise study. However, due to this
preciseness, its applications are limited to non-error-prone fields. Throughout the
research, a less exact encryption system was always sought. This can thus be one
direction in future: the search for an imperfect cryptosystem. A less than perfect
cryptosystem, where decryption does not entirely remove the encryption, but leaves
behind an echo or stain of its presence, would remove the need for the watermarking
step.
Such a system would be well insulated from casual attacks. For example, it would be
pointless to attack the encrypted object because then decryption would fail. At the
very least, the choices of attacks would be limited to attacks on typical cryptosystems
(see §3.2.5). This system would still need to be robust to normal operations that the
cover work would be expected to have applied, such as common signal processing
and geometric operations.
Another direction for future research is finding a complimentary encryption and
steganographic watermarking system. The two systems would be compatible such
that they interfere minimally with each other, but still cause a stain to be placed upon
the cover work. Encryption and watermarking have such similar roots, it seems un-
likely that they should be unable to coexist in such a way.
An immediate continuation on the current research would be to extend the encryp-
tion side into image-specific cryptosystems and investigating the validity of their use
instead of the generic cryptosystems used here. Work into this area was investigated
in Section 2.2.
A further continuation of the research presented would be to extend the work into
video cover works. The results of this study have been limited to still images due to
time and computational power limitations, for video would take much longer and
be computational expensive to mark, test and process. However, the groundworks
Page 121
6.4 Future Research
have been laid in Section 2.1, where many ideas from the literature on video (stegano-
graphic) watermarking were investigated, in Section 2.2, where video-specific en-
cryption systems are listed, and in Section 3.1, where additions requirements for
video watermarking were mentioned as well as an outline of expected video-specific
attacks to look out for.
Once a properly working system, secure to all reasonable attacks and producing good
outputs under all reasonable circumstances, is found, suitable cryptanalysis will need
to be applied, as well as investigations into the statistical nature of this system, to
quantify properties such as capacity and complexity in terms of time.
Page 122
Appendix A
Acronyms, Abbreviationsand Glossary
APPENDIX A contains a summary of the acronyms and ab-
breviations used throughout the thesis, including also a glos-
sary of technical terms.
Page 123
A.1 Acronyms
A.1 Acronyms
2-D 2-Dimensional
APS Analog Protection System
BSA Business Software Alliance
CEMA Consumer Electronics Manufacturers Association
CGMS Copy Generation Management System
CPTWG Copy Protection Technical Working Group
CR Composite Residuosity
CSS Content Scramble System
CVES Chaotic Video Encryption Scheme
DCT discrete cosine transform
DC-DM distortion compensated dither modulation
DES Data Encryption Standard
DJ disc jockey
DM dither modulation
DVD digital versatile disc
DVD CCA DVD Copy Control Association
DWT discrete wavelet transform
EC elliptic curve
ECC elliptic curve cryptosystem
gcd greatest common divisor
GGD Generalised Gaussian distribution
IA-DCT Image-Adaptive Direct Cosine Transform
IDCT Inverse Discrete Cosine Transform
JPEG Joint Photographic Experts Group
LD Laplacian distribution
LSB least significant bit
MoRE Masters of Reverse Engineering
MPAA Motion Picture Association of America
MPEG Moving Picture Experts Group
MSE mean square error
MV-ECC Menezes-Vanstone elliptic curve cryptosystem
PKC public key cryptosystem
PSD Power Spectral Density
PSNR peak signal-to-noise ratio
Page 124
Appendix A Acronyms, Abbreviations and Glossary
RSA Rivest-Shamir-Adleman
SEA Schoof-Elkies-Atkin
SPIHT Set Partitioning in Hierarchical Trees
VCR videocassette recorder
VOP video object plane
A.2 Abbreviations
cryptosystem cryptographic system
XOR Exclusive-Or
et al. et alia (Latin for “and others”)
A.3 Glossary
compliant machines Compliant (recording) machines can be consumer devices such
as DVD burners. These compliant devices check for special instructions, for
example on a DVD, dictating whether a DVD can be copied with no limits,
copied once or never copied.
Page 125
Page 126
Appendix B
Paper-Pen Analyses
THIS appendix contains analyses of the cryptosystems investi-
gated in Chapter 5.
Page 127
B.1 XOR Watermarking Algorithm
B.1 XOR Watermarking Algorithm
The algorithm:
1. A’s setup:
(a) Obtain image, M, of size h × w uint8 values.
(b) Obtain watermark image, W, of size h × w uint8.
(c) Select strength factor, α.
2. B’s setup:
(a) Pick a key, k.
(b) Obtain from k an encryption binary stream, E, and corresponding decryp-
tion binary stream, D(= E), each of length h × w × 8.
(c) Send E to A.
3. A’s encryption steps:
(a) Turn M into a stream of h × w × 8 bits.
(b) Compute C = M⊗
E.
4. A’s watermarking steps:
(a) Turn C into a matrix of h × w pixels.
(b) Discrete cosine transform the encrypted image, C, i.e. V = dct(C).
(c) Obtain V′ = V · (1 + αW).
(d) Inverse discrete cosine transform V′ into C′.
(e) Send C′ to B.
5. B’s decryption steps:
(a) Receive C′ and turn into a stream of h × w × 8 bits.
(b) Compute stained image, M′ = C′ ⊗ D.
(c) Turn M′ into a matrix of h × w pixels.
Step-by-step:
Page 128
Appendix B Paper-Pen Analyses
1. C = M⊗
E.
2. V = dct(C).
3. V′ = V · (1 + αW) = dct(C) · (1 + αW).
4. C′ = idct(V′) = idct(dct(C) · (1 + αW)).
• Now, if idct(X · Y) = idct(X) · idct(Y), then
C′ = C · idct(1 + αW)
= M⊗
E · idct(1 + αW).
• Else, C′ = idct(dct(C) · (1 + αW)).
5. M′ = C′ ⊗ D = idct(dct(C) · (1 + αW)).
• Now, if idct(X · Y) = idct(X) · idct(Y), then
M′ = M⊗
E⊗
D · idct(1 + αW)
= M · idct(1 + αW).
• Else,
M′ = idct((1 + αW) · dct(C))⊗
D
= idct((1 + αW) · dct(M⊗
E))⊗
D.
In the latter case, the best way to recover would then be to
(a) reverse the decryption:
C′′ = M′ ⊗ E
= (C′ ⊗ D)⊗
E
= C′;
(b) then reverse the IDCT:
V ′′ = dct(C′′)
= dct(idct(dct(C) · (1 + αW)))
= dct(C) · (1 + αW)
= V ′;
Page 129
B.2 RSA Cryptosystem
(c) and finally reverse the watermarking algorithm:
W ′ = ((V′′/dct(C)) − 1)/α
= W.
I.e. to get the recovered watermark, W ′ = ((dct(M′ ⊗ E)/dct(M⊗
E))− 1)/α.
However, each time dct and idct is applied, the watermark is spread more and more
among all the dct components (including the DC component). The best way to de-
tect the watermark then is to either match spectrums when watermarking, or apply
correlation matching to the output images.
B.2 RSA Cryptosystem
The encryption algorithm:
1. Setup:
(a) Message, M.
(b) Two large primes, p and q (private).
(c) n = pq (public), φ = (p − 1)(q − 1) (private).
(d) e ∈ Zφ/{0} such that gcd(e, φ) = 1 (public).
(e) d such that ed = 1(mod φ) (private).
2. Encrypting: C = Me(mod n).
3. Decrypting:
M′ = Ed
= (Me)d
= M1
= M(mod n).
However, we want to watermark between the encryption and decryption stages, us-
ing the DCT spread spectrum algorithm. The output image will also be attacked. The
entire algorithm, including watermarking and attack stages, then becomes:
Page 130
Appendix B Paper-Pen Analyses
1. B’s setup:
(a) Pick two large primes, p and q.
(b) Set n = pq, and φ = (p − 1)(q − 1).
(c) Select e ∈ Zn/{0} such that gcd(e, φ) = 1.
(d) Find d such that ed = 1(mod φ).
(e) Send (n,e) to A.
2. A’s setup:
(a) Obtain message matrix, M, size h × w.
(b) Pick watermarking strength, α.
(c) Pick random watermark vector, W, of N elements (N � h × w).
3. A’s encryption steps: Compute C = Me(mod n).
4. A’s watermarking steps:
(a) DCT the encrypted message, V = dct(C).
(b) Find the N largest elements of C′, not including the DC element.
(c) Watermark according to the formula, V ′i = Vi · (1 + αWi), on the N ele-
ments of C′.
(d) IDCT to obtain the marked encrypted message, C′ = idct(V′).
5. B’s decryption steps: Compute M′ = (C′)d(mod n).
6. E’s attack stage can only be applied after decryption, as any other time message
will produce a distorted output message. Since the integrity of M must be kept,
any changes from attacks must be small, i.e. M′′ = δM′ = δM(W ′)d, where δ is
the small change caused by attacks.
To recover the watermark, one option is to re-encrypt the output message (to reverse
the decryption) and then reverse the watermarking process to obtain the watermark.
That is, M′ = (idct(V′))d.
Page 131
B.2 RSA Cryptosystem
• Now if idct(X · Y) = idct(X) · idct(Y), then
M′ = Cd · (idct(1 + αW))d
= (Me)d · (idct(1 + αW))d
= M · (idct(1 + αW))d
= M · (W ′)d
where W ′ = dct(1 + αW).
• Otherwise,
M′ = (idct(V · (1 + αW)))d
= (idct(dct(C) · (1 + αW)))d.
The difficulty in this reversal process is that any little deviation is further increased
by encryption (power to e), thus distorting the watermark, possibly beyond recovery.
This implies that we will be unable to add other watermarks, which is not useful.
Alternately, instead of extraction by the reversal process, presence of the watermark
can be detected. For example, comparing the output message with the original im-
age that has been embedded, with the known set of watermarks used, identically to
the one under investigation. That way the watermark will not be further corrupted
by re-encryption. Spectral comparison is another method of detecting or matching
watermarks.
Another difficulty with this encryption-watermark combination comes from the large
values of exponentiation required for security. To ensure that the decrypted result,
i.e. M′, looks like the original message, W ′ must be as close to 1 as possible. The
difficulty here is that since p and q are large primes, this produces a large φ, which
in turn will likely produce a large d. This means that any small deviation of W ′ from
1 will likely push the output message, M′, from seeming anything like the original
message, M, and thus integrity is not maintained.
Therefore, from our algorithm, αW must be as close to zero as possible. Since the
elements of W are equally likely values of either -1 or 1, α will be the minimising
factor. However, if α is too small, there will be multiple W matches.
Page 132
Appendix B Paper-Pen Analyses
B.3 Elliptic Curve Cryptography (ECC)
There are various implements of public-key elliptic curve cryptography. One cryp-
tosystem is the ElGamal-type elliptic curve cryptosystem. However, as mentioned in
Subsection 3.2.4, there is great difficulty in finding the homomorphic function, f , that
maps a point, P, to some value, v in the desired finite field.
Another cryptographic system is the Menezes-Vanstone elliptic curve cryptosystem,
which does not require mapping from message to points. The Menezes-Vanstone
algorithm is as follows:
1. B’s setup:
(a) Choose a large prime, p.
(b) Choose an elliptic curve, E . (I.e. Choose coefficients of the elliptic curve
equation, which for prime fields is shortened to: y2 = x3 + a4x + a6. Basi-
cally, choose a4 and a6 in Zp and Δ �= 0.)
(c) Choose a point, P, on the curve, E .
(d) Choose a secret key, kB < #E (where #E is the number of points in E , see
3.2.4).
(e) Compute Q = [kB]P.
(f) Send (P,Q,a4,p) to A.
(g) Keep secret kB.
2. A’s setup:
(a) Obtain message, M, of size h×w uint8 values, arranged into pairs, (m1, m2).
(b) Obtain watermark, W, of length N binary bits, {−1, 1}.
(c) Select strength factor, α.
(d) Choose a secret key, kA, such that 0 < kA < #E .
3. A’s encryption step,
(a) Get B’s public information, (P,Q,a4,p).
(b) Compute Y0 = [kA]P.
(c) Compute (y1, y2) = [kA]Q.
Page 133
B.3 Elliptic Curve Cryptography (ECC)
(d) Compute C = (c1, c2), where c1 = y1 ·m1(mod p) and c2 = y2 ·m2(mod p).
(e) Send (Y0,C).
4. A’s watermarking steps:
(a) Discrete cosine transform the encrypted image, C, and sort into N largest
values except the DC component.
(b) Obtain C′i,j = Ci,j · (1 + αWj), for i = 1, 2 and j = 1 : N.
(c) Inverse discrete cosine transform C′ = (C′1, C′
2).
(d) Send Y0 and C′ to B.
5. B’s decryption steps,
(a) Receive (Y0,C′).
(b) Compute (y1, y2) = [kB]Y0.
(c) Compute M′ = (m′1, m′
2), where m′1 = (y1)−1 · c1(mod p) and m′
2 = (y2)−1 ·c2(mod p).
6. Then
m′i = (yi)−1 · c′i(mod p)
= (yi)−1 · idct(ci · (1 + αw))(mod p)
= (yi)−1 · idct(dct(yi · mi) · (1 + αw))(mod p)
for i = 1, 2.
• Now if idct(X · Y) = idct(X) · idct(Y), then
m′i = (yi)−1 · idct(dct(yi · mi) · (1 + αw))(mod p)
= (yi)−1 · idct(dct(yi · mi)) · idct(1 + αw)(mod p)
= (yi)−1 · yi · mi · idct(1 + αw)(mod p)
= mi · idct(1 + αw).
• Else m′i = (yi)−1 · idct(dct(yi · mi) · (1 + αw))(mod p).
The issue with this algorithm is that because p is very very large, the coordinates of
the points will be correspondingly large. Any small errors are multiplied by those
Page 134
Appendix B Paper-Pen Analyses
large values. For the RSA watermarking scheme, if the errors are < 1, they are
multiplied by themselves (exponentially) and hence remain small. However, in the
Menezes-Vanstone watermarking case, though the errors are still less than 1 they are
multiplied by large values and may cause considerable damage to the final message.
Again, the watermarking strength, α, will determine the extent of the distortion to
the final message caused by watermarking before decryption.
Note that the cryptosystem is acting like another transform domain.
Page 135
Page 136
Appendix C
Codes
THIS appendix contains the codes that produced the results
shown in Chapter 5. The codes and results are based on the
MATLAB software, version 7.0 (R14).
Page 137
C.1 XOR
Note: The following codes were created based on the MATLAB software, version 7.0
(R14), and require the following toolboxes:
• images
C.1 XOR
This system uses XOR encryption (and decryption) and spread spectrum algorithm
for watermarking.
The slight difference with this code from the algorithm in Table 5.2 is that instead of
bitwise XOR-ing, MATLAB provides a function for integer XOR-ing, provided the
integer is unsigned.
Also, two methods of watermark recovery were attempted, based on the analyses
in Appendix B.1. The second watermark recovery method’s correlation is given in
Section 5.2.
clear all
close all
fig = 1;
%====================================================
% SETUP
%====================================================
% A’s setup:
% 1. Obtain image, M, of size h X w uint8 values.
% 2. Obtain watermark image, W, of size h X w uint8.
% 3. Select strength factor, alpha.
% The image M = imread(‘lena.tif’);
M = rgb2gray(M); % originally RGB => conv to grey
M = double(M);
figure(fig), fig = fig + 1;
imshow(uint8(M)), title(‘Cover work’)
[h,w] = size(M);
% Watermark vector to subtract from enc im
wk = 28; % watermark key
wl = 1000; % watermark length
Page 138
Appendix C Codes
rand(‘state’,wk);
W = 2*randint(1,wl)-1; % watermark vector
alpha = 0.012; % tolerance/strength
% B’s setup:
% 1. Pick a key, k.
% 2. Obtain from k an encryption binary stream, E, and corresponding
% decryption binary stream, D (= E), each of length h X w X 8.
% 3. Send E to A.
% Crypto vector to xor image with
ck = 27; % key into rand vector
rand(‘state’,ck); % set rand gen state
cn = h*w*8; % length of E & D
E = randint(cn/8,1,255)+1; % same dimensions as M
E = reshape(E,h,w); % encryption vector
D = E; % decryption vector
%====================================================
% BEGIN IMPLEMENTATION
%====================================================
% A’s encryption steps:
% 1. Turn M into a stream of h X w X 8 bits.
% 2. Compute C = M XOR E.
% 1. Remember, M is now represented by an 8 bit number.
% 2. Encrypt: XOR E with M.
C = bitxor(M,E);
figure(fig), fig = fig + 1;
imshow(uint8(C)), title(‘Encrypted cover work’)
% A’s watermarking steps:
% 1. Turn C into a matrix of h X w pixels.
% 2. Discrete cosine transform encrypted image, C, i.e. V = dct(C).
% 3. Obtain V’ = V (1 + alpha W).
% 4. Inverse discrete cosine transform V’ into C’.
% 5. Send C’ to B.
Page 139
C.1 XOR
% 3. Watermarking: Now watermark using spread spectrum algorithm.
dctC = dct2(C);
dctC = reshape(dctC,1,h*w);
[t,maxI] = sort(dctC,‘descend’);
clear t % t not in use
maxI = maxI(2:wl+1); % do not change DC cmpt
dctC2 = dctC;
dctC2(maxI) = dctC(maxI).*(1+alpha*W);
dctC2 = reshape(dctC2,h,w);
C2 = idct2(dctC2);
figure(fig), fig = fig + 1;
imshow(C2,[min(min(C2)) max(max(C2))])
title(‘Watermarked encrypted cover work’)
ci corr = corr2(C,C2) % close to 1 => high corr
% B’s decryption steps:
% 1. Receive C’ and turn into a stream of h X w X 8 bits.
% 2. Compute stained image, M’ = C’ XOR D.
% 3. Turn M’ into a matrix of h X w pixels.
% 4. Decryption: Do opposite what did in encryption.
C2 = round(max(C2,0)); % bitxor only works on non-neg ints
% the line above will introduce more errors into the output image
M2 = bitxor(C2,D);
figure(fig), fig = fig + 1;
imshow(uint8(M2))
title(‘Decrypted watermarked encrypted cover work’)
di corr = corr2(M,M2) % close to 1 => high corr
% 5. Detection: By correlation analysis.
% try, assuming M2 = M idct(1 + alpha W)
idctW2 = M2 - M;
dctW2 = reshape(dct2(idctW2),1,h*w);
W2 = (dctW2(maxI)-1)/alpha;
wm corr2 = corr2(W2,W) % close to 1 => high corr
% try, assuming W3 = ((dct(M2 XOR E)/dct(C)) - 1)/alpha
a = bitxor(floor(M2),E);
b = reshape(dct2(a),1,h*w);
W3 = ((b(maxI)./dctC(maxI))-1)/alpha;
Page 140
Appendix C Codes
wm corr3 = corr2(W3,W) % close to 1 => high corr
C.2 Block-Based
This system uses block-based encryption (and decryption) and spread spectrum al-
gorithm for watermarking. The encryption is done by matrix multiplication, and
decryption used the inverse of the encryption matrix for matrix multiplication.
clear all
close all
fig = 1;
% Set to 1 if dcting whole
whole = 0;
en blk siz = 8;
wm blk siz = 8;
%====================================================
% SETUP
%====================================================
% A’s setup:
% 1. Obtain image, M, of size h X w uint8 values.
% 2. Obtain watermark, W, of length l binary bits, -1,1.
% 3. Select strength factor, alpha.
M = imread(‘lena2.tif’);
M = rgb2gray(M); % originally rgb => conv to grey
M = double(M);
figure(fig), fig = fig + 1;
imshow(uint8(M)), title(’Cover work’)
[h1,w1] = size(M);
% Using random vector for watermarking
wk = 28; % key into rand vector
rand(‘state’,wk); % set rand generator state
wl = 1000; % length of wm
W = rand(1,wl)*2-1; % wm vector, vals < 1
alpha = 0.003; % strength of wm
Page 141
C.2 Block-Based
% B’s setup:
% 1. Pick a key, k.
% 2. Obtain from k an encryption matrix, E, of size n X n of uint8
% values.
% 3. Obtain decryption matrix by finding the matrix inverse of E,
% D = inv(E).
% 4. Send E to A.
% Crypto matrices to mult image with, all values int
ck = 27; % key into rand vector
rand(‘state’,ck); % set rand gen state
E = randint(en blk siz,en blk siz,256);
% enc mat, same dims as M
D = inv(E); % dec mat, works coz sq
%====================================================
% BEGIN IMPLEMENTATION
%====================================================
% A’s encryption steps:
% 1. Divide M into blocks of n X n.
% 2. For each block, i, compute C i = M i X E, where X here means
% matrix multiplication.
% 1. Encrypting: MxE
for i = 1:en blk siz:h1,
for j = 1:en blk siz:w1;
a = M(i:i+en blk siz-1,j:j+en blk siz-1);
C(i:i+en blk siz-1,j:j+en blk siz-1) = a*E;
end
end
clear a i j;
figure(fig), fig = fig + 1;
imshow(C/max(max(C)))
title(‘Encrypted image (normalised)’)
% A’s watermarking steps:
% 1. Discrete cosine transform the encrypted image, C, and sort into
% l largest values excepting the DC component(s).
% 2. Obtain C j’ = C j (1 + alpha W j), for j=1:l.
% 3. Inverse discrete cosine transform C’.
Page 142
Appendix C Codes
% 4. Send C’ to B.
% 2. Embedding: dct(C).*(1 + alpha.*W)
if (whole),
dctC = dct2(C);
else,
for i = 1:wm blk siz:h1,
for j = 1:wm blk siz:w1,
a = dct2(C(i:i+wm blk siz-1,j:j+wm blk siz-1));
dctC(i:i+wm blk siz-1,j:j+wm blk siz-1) = a;
end
end
end
dctC = reshape(dctC,1,h1*w1);
[t,Ind] = sort(dctC,‘descend’); % t is mat of sorted vals
% t is not used here
% Ind is index of sorted vals
% For whole, do from 2 onwards to leave DC value untouched.
% For blocks need to ignore every wm blk siz value.
if whole,
maxI = Ind(2:wl+1); % maxI is idx of wming set
else,
maxI = Ind(h1/wm blk siz+1:wl+h1/wm blk siz);
end
dctC2 = dctC;
for i = 1:wl,
dctC2(1,maxI(i)) = dctC(maxI(i)).*(1+alpha.*W(i));
end
dctC2 = reshape(dctC2,h1,w1);
if (whole),
C2 = idct2(dctC2);
else,
for i = 1:wm blk siz:h1,
for j = 1:wm blk siz:w1,
a = idct2(dctC2(i:i+wm blk siz-1,j:j+wm blk siz-1));
C2(i:i+wm blk siz-1,j:j+wm blk siz-1) = a;
end
end
end
clear a t Ind i dctC2;
figure(fig), fig = fig + 1;
Page 143
C.2 Block-Based
imshow(C2/max(max(C2)))
title(‘Watermarked encrypted image (normalised)’)
% Keep maxI, dctC for watermark recovery.
% B’s decryption steps:
% 1. Receive C’ and divide into n X n blocks.
% 2. Compute stained image, M i’ = C i’ X D, for each block, i.
% 3. Decrypting: C2xD
for i = 1:en blk siz:h1,
for j = 1:en blk siz:w1,
a = C2(i:i+en blk siz-1,j:j+en blk siz-1);
M2(i:i+en blk siz-1,j:j+en blk siz-1) = a*D;
end
end
clear a i j;
figure(fig), fig = fig + 1;
imshow(uint8(M2))
title(‘Decrypted watermarked encrypted image’)
di corr = corr2(M,M2)
% 4. Detection: By correlation analysis.
% - dct M2
% - recover watermark by extracting wl largest values
% - show recovered
% - do correlation analysis
% maxI, dctC2 kept for watermark recovery.
if (whole),
dctM2 = dct2(M2);
else,
M22 = double(uint8(M2)); % truncating to im vals
for i = 1:wm blk siz:h1,
for j = 1:wm blk siz:w1,
a = dct2(M22(i:i+wm blk siz-1,j:j+wm blk siz-1));
dctM2(i:i+wm blk siz-1,j:j+wm blk siz-1) = a;
end
end
end
a = reshape(dctC,1,h1*w1);
a = a(maxI);
Page 144
Appendix C Codes
b = reshape(dctM2,1,h1*w1);
b = b(maxI);
RW = ((b./a)-1)/alpha; % recovered wm
clear dctC2 temp maxI a b i j;
wm corr = corr2(W,RW) % close to 1 => high corr
% Let’s try this:
% 1. Adding post-processing step for Detection
% to round recovered wm values to either 1 or -1
for i = 1:wl,
if RW(i) < mean(RW),
RW2(i) = -1;
else
RW2(i) = 1;
end
end
wm corr2 = corr2(W,RW2) % close to 1 => high corr
C.3 RSA
The following code is the implementation for RSA cryptography with spread spec-
trum DCT Watermarking, as per the algorithm shown in Table 5.5.
In this implementation, given the original image and the set of 100 random water-
marks, the original image is marked with those random watermarks and compared
against the watermarked document of interest to determine which of the random
watermarks have been embedded into the marked document of interest.
This implementation also applies several common attacks to the marked image, as
listed below, to test the system’s robustness.
Attacks applied were
• 1) forced to 8-bit;
• 2) JPEG encoding and compression;
• 3) cropping by 1 pixel from the edges up to 50 pixels from the edges (after which
point the original image has lost a significant portion of its value);
Page 145
C.3 RSA
• 4) insert Gaussian noise of variance 0.004 and mean 0;
• 4.1) insert speckle noise of variance 0.004 and mean 0;
• 5) scale by half (or downsample by 2) then rescale the image back to original
dimensions;
• 6) crop and resize (combination attack) by 1 pixel from edges and half size re-
spectively;
• 7) insert another watermark at 5α.
To compare the images, the same attack was mimicked for the 100 randomly water-
marked images, save for attacks 1 (truncation), 2 (compression), 4 and 4.1 (noise), and
7 (mark again).
The slight difference with this implementation from the images shown in § 5.4 is that
of attack 3 (the cropping from 1 pixel to 50 pixels from the edges), only the 1 and 50
cropping results are shown, and attack 4.1 (speckle) has been left out as it is similar
to Gaussian noise addition.
clear all, close all
fig = 1;
atk = 0; % which attack to apply
redo = 1; % to ensure output
% Alice’s setup:
% 1. Obtain image, M, of size h X w uint8 values.
% 2. Obtain watermark, W, of length l binary bits, -1,1.
% 3. Select strength factor, alpha.
% Message, i.e. small image
M = double(rgb2gray(imread(‘lena256x256.tif’,‘tif’)));
[h,w] = size(M);
figure(fig), fig = fig + 1;
imshow(uint8(M)), title(‘Original Image’)
% Watermark info
ws = 100; % num of wms to compare
wl = 1000; % len of each wm
W = randint(ws,wl)*2-1; % 1000 watermarks.
Page 146
Appendix C Codes
wn = randint(1,1,ws)+1; % the number of our watermark
a = 0.001; % watermarking strength
disp(sprintf(‘our watermark: %i’,wn))
% Bob’s setup:
% 1. Choose 2 large prime numbers, p and q.
% 2. Compute n = pq and phi = (p-1)(q-1).
% 3. Find 1 < e < phi such that (e,phi) = 1.
% 4. Compute d such that ed ~1 (mod phi).
% 5. Make public (n,e) and keep private (phi,d).
while redo,
redo = 0;
fig = 2;
% 1. Crypto setup, know 255 smallest value.
not done = 1;
while not done,
% pick 2 prime numbers
q = randprime(15); % 15ˆ2 is just < 255, so n > 255
p = randprime(q+1,2*q); % typical for q < p < 2q
% make sure p,q not too close or may use Fermat factorisation
while round(p/q) == 1,
q = randprime(15);
p = randprime(q+1,2*q);
end
n = p*q;
f = (p-1)*(q-1); % phi
e = randint(1,1,f-2) + 1; % the + 1 prevents e = 0
% make sure e and phi coprime
while (gcd(e,f) ~= 1), e = randint(1,1,f-1) + 1; end
[t,t2,d] = extdeuc(f,e);
d = mod(d,f);
if mod(e*d,f) == 1, not done = 0; end
% also want d large, else can use Michael J. Wiener’s 1990 attack
if d < nˆ(1/4)/3, not done = 1; end
end clear f not done
% Alice’s encryption step:
Page 147
C.3 RSA
% 1. Compute C = Mˆe (mod n).
% 2. Encrypt, c = mˆeC = powmod(M,e,n);
figure(fig), fig = fig + 1;
imshow(C,[min(min(C)) max(max(C))]),
title(‘Encrypted’)
% Alice’s watermarking steps:
% 1. Discrete cosine transform the encrypted image, C, and sort into
% l largest values except the DC component.
% 2. Obtain C j’ = C j (1 + alpha W j), for j=1:l.
% 3. Inverse discrete cosine transform C’.
% 4. Send C’ to B.
% 3. Watermark, dct C, find 1000 largest values except DC.
DCTC = dct2(C);
[t,I] = sort(reshape(DCTC,1,h*w),‘descend’);
clear t
I = I(2:wl+1);
DCTC2 = DCTC;
% % 1) v’ = v + aw
% DCTC2(I) = DCTC2(I) + a.*W(wn,:);
% 2) v’ = v(1 + aw)
DCTC2(I) = DCTC2(I).*(1 + a.*W(wn,:));
% % 3) v’ = veˆ(aw)% C2a(I) = C2a(I).*exp(a.*W(wn,:));
C2 = idct2(DCTC2);
figure(fig), fig = fig + 1;
imshow(C2,[min(min(C2)) max(max(C2))]), title(‘Watermarked’)
C2 = round(C2);
% Bob’s decryption steps:
% 1. Receive altered ciphertext, C’.
% 2. Compute message, M’ = C’ˆd (mod phi).
% 4. Decrypt, m’ = cˆd = mˆ(ed) = m
M2 = powmod(C2,d,n);
if corr2(M2,M) < 0.7, redo = 1; end % out im not good enou, redo
figure(fig), fig = fig + 1;
Page 148
Appendix C Codes
imshow(uint8(M2)), title(‘Decrypted’)
% 4a. Attack point
switch atk
% 1) Force to 8-bit
case 1,
M21 = max(0,min(255,M2));
figure(fig), fig = fig + 1; imshow(uint8(M21))
title(‘8-bit quantised’),
M3 = M21;
clear M21
% 2) JPEG encoding
case 2,
imwrite(uint8(M2),‘imjpeg.jpg’,‘jpg’,‘Quality’,20)
M22 = double(imread(‘imjpeg.jpg’,‘jpg’));
figure(fig), fig = fig + 1; imshow(uint8(M22)),
title(‘Jpeged’)
M3 = M22;
clear M22
% 3) crop it
case 3,crop amt = 50; % 1 up to 50 still good
M23 = imcrop(M2,[crop amt crop amt (h-1)-crop amt*2 (w-1)-crop amt*2]);
figure(fig), fig = fig + 1; imshow(uint8(M23)),
title(‘Cropped’)
M3 = M23;
clear M23
% 4) noise it - gaussian
case 4,
M24 = double(imnoise(uint8(M2),’gaussian’,0,0.004));
figure(fig), fig = fig + 1; imshow(uint8(M24)),
title(‘Noised - Gaussian (var 0.004)’)
M3 = M24;
clear M24
% 4.1) noise it - speckle
case 41,
M241 = double(imnoise(uint8(M2),‘speckle’,0.004));
figure(fig), fig = fig + 1; imshow(uint8(M241)),
Page 149
C.3 RSA
title(‘Noised - Speckle (var 0.004)’)
M3 = M241;
clear M241
% 5) scaling
case 5,
M25 = imresize(M2,0.5);
figure(fig), fig = fig + 1; imshow(uint8(M25)),
title(‘Resized - Halved’),
M3 = imresize(M25,2); % resize to orig size
clear M25
% 6) crop and resize
case 6,
M26 = imcrop(M2,[1 1 (h-1)-2 (w-1)-2]);
figure(fig), fig = fig + 1; imshow(uint8(M26)),
title(‘Cropped’)
% resize to same dimensions as original unwatermarked image
% took away 1x1 outer pixels out of 512x512. resize by 1.003921569
M3 = imresize(M26,h/size(M26,1));
figure(fig), fig = fig + 1; imshow(uint8(M3)),
title(‘Cropped 1 pixel from edges and Resized’),
if size(M3) ~= size(M),
error(‘Incorrect resizing...exiting program’),
end
clear M26
% 7) multiple watermarking
case 7,
% watermark setup:
wn7 = randint(1,1,ws)+1; % the index of second watermark
while wn7 == wn, wn7 = randint(1,1,ws); end
% watermark:
DCTC7 = DCTC2;
[t7,I7] = sort(reshape(DCTC7,1,h*w),‘descend’);
clear t7
I7 = I7(2:wl+1);
DCTC27 = DCTC7;
DCTC27(I7) = DCTC27(I7).*(1 + a.*W(wn7,:));
C27 = idct2(DCTC27);
% decrypt:
Page 150
Appendix C Codes
M3 = powmod(round(C27),d,n);
figure(fig), fig = fig + 1; imshow(uint8(M3))
title(‘Doubly Watermarked’),
clear DCTC7 DCTC27 C27
if corr2(M3,M) < 0.8, redo = 1; end
otherwise,
M3 = M2;
end
% 5. Watermark recovery,
% mimic process with original and compare if results the same
for i=1:ws,
DCTCR = DCTC; % using encrypted image, coz
% steps before will be same
% watermark:
% % 1) v’ = v + aw
% DCTC2(I) = DCTC2(I) + a.*W(i,:);
% 2) v’ = v(1 + aw)
DCTCR(I) = DCTCR(I).*(1 + a.*W(i,:));
% % 3) v’ = veˆ(aw)% C2a(I) = C2a(I).*exp(a.*W(i,:));
CR = idct2(DCTCR);
CR = round(CR);
% decrypt:
MR = powmod(CR,d,n);
% and match:
switch atk
case 3,
MR2 = imcrop(MR,[crop amt crop amt ...
(h-1)-crop amt*2 (w-1)-crop amt*2]);
MM = imcrop(M,[crop amt crop amt ...
(h-1)-crop amt*2 (w-1)-crop amt*2]);
case 5,
MR2 = imresize(MR,0.5);
MR2 = imresize(MR2,2);
MM = imresize(M,0.5);
MM = imresize(MM,2);
case 6,
MR2 = imcrop(MR,[1 1 (h-1)-2 (w-1)-2]);
MR2 = imresize(MR2,h/size(MR2,1));
MM = imcrop(M,[1 1 (h-1)-2 (w-1)-2]);
Page 151
C.3 RSA
MM = imresize(MM,h/size(MM,1));
otherwise,
MM = M;
MR2 = MR;
end
R0(i) = corr2(M2,MR2); % before distortions
R1(i) = corr2(M3,MR2); % after distortions, with orig image
R2(i) = corr2(M3-MM,MR2-MM); % after distortions, minus orig image
if isnan(R0(i)) | isnan(R1(i)) | isnan(R2(i)),
redo = 1;
end
end
if atk == 7, disp(sprintf(‘second watermark: %i’,wn7)), end
figure(fig), fig = fig + 1; stem(1:ws,R0)
title(strcat(‘Correlation of ’,[‘ ’ num2str(ws)],‘ uniquely ...
watermarked images to our watermarked image’))
xlabel(‘Randomly Watermarked Images’), ylabel(‘Correlation to our image’)
figure(fig), fig = fig + 1; stem(1:ws,R1)
title(strcat(‘Correlation of ’,[‘ ’ num2str(ws)],‘ uniquely ...
watermarked images to our watermarked image, after atk’))
xlabel(‘Randomly Watermarked Images’), ylabel(‘Correlation to our image’)
figure(fig), fig = fig + 1; stem(1:ws,R2)
title(strcat(‘Correlation of’,[‘ ’ num2str(ws)],‘ uniquely ...
watermarked images to our attacked watermarked image, ...
after atk, minus image’))
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our attacked image’)
end % of redo while loop
Page 152
Appendix C Codes
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
The implementation for the Menezes-Vanstone elliptic curve cryptosystem combined
with spread spectrum DCT watermarking was code intensive, and hence each attack
level has been separated for ease of testing. The algorithm for the implementations
are outlined in § 5.6.
Unless specifically mentioned, the random watermarked set will not mimic the at-
tack(s) applied on the watermarked document of interest.
C.4.1 Truncation
Force to 8-bit integers.
clear all
close all fig = 1;
redo = 1;
%====================================================
% SETUP
%====================================================
% Image setup.
% Message, M = (m1,m2) (pairs of message values)
M = double(rgb2gray(imread(‘lena256x256.tif’,‘tif’)));
[h,w] = size(M);
figure(fig), fig = fig + 1; imshow(uint8(M)),
title(‘Original Image’),
while redo, % start of redo loop
M = reshape(M,h*w/2,2);
redo = 0;
fig = 2;
% Bob’s setup:
% 1. Choose a large prime number, p.
% 2. Choose an elliptic curve, E.
% 3. Choose a point, P, on E.
% 4. Choose a secret key, kB < #E.
% 5. Compute point, Q = [kB]P.
Page 153
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
% 6. Make public Ke = (P,Q,E,p) and keep private Kd = (kB).
% Crypto setup.
% a) pick a prime number p, and an elliptic curve (i.e. pick
% a and b)
% b) pick a point P on E
% c) pick Bob’s secret, kb < #E (#E = number of points on E)
% d) compute Q = [kb]P
% if takes more than a 100 guesses, not gonna work with
% those values so begin again.
repeat = 1;
while repeat = 0,
% pick prime field
p = randprime(255);
% pick an elliptic curve, i.e. pick random a and b in p
not done = 1;
while not done,
a = randint(1,1,p);
b = randint(1,1,p-1)+1; % b cannot be 0
if mod(4*aˆ3+27*bˆ2,p) ~= 0, not done = 0; end
end
% pick a point on the elliptic curve
not done = 1;
while not done & repeat < 100,
x = randint(1,1,p);
y = sqrt(xˆ3 + a*x + b);
if isint(y), not done = 0; end
else repeat = repeat + 1; end
end
if not done, repeat = 1;
else repeat = 0; end
end
P = [x,y];
% find #E, i.e. the number of EC points
numpts = floor((sqrt(p)-1)ˆ2); % Hasse’s lower bound
% pick B’s private key < #E
kb = randint(1,1,numpts);
Page 154
Appendix C Codes
% compute by point addition
Q = P;
for i = 1:kb, Q = ptadd(Q,P,a,p); end
% keep private (kb)
% make public (P,Q,E,p)
clear x y b;
% Alice’s setup
% 1. Obtain image, M, of size h X w uint8 values, arranged
% into pairs, (M1, M2).
% 2. Obtain watermark, W, of length l binary bits, -1,1.
% 3. Select strength factor, alpha.
% 4. Select a secret key, kA, such that 0 < kA < #E,
% where #E is the number of points in E.
% Watermark info
ws = 100; % number of watermarks
wl = 10000; % length of each watermark
wn = 27; % our watermark indices
W = rand(wl,ws); % set of watermarks
W = randint(wl,ws)*2-1; % set of watermarks
alpha = 0.001; % wm scaling factor
%====================================================
% BEGIN IMPLEMENTATION
%====================================================
% Alice’s encryption steps:
% 1. Get Bob’s public information, Ke = (P,Q,E,p).
% 2. Compute y0 = [kA]P and (y1,y2) = [kA]Q.
% 3. Obtain the encrypted image, C = (C1, C2), where
% C1 = y1.M1 mod p, and C2 = y2.M2 mod p.
% 1. Encrypt: e(ka,M) = (y0,y1,y2)
% a) pick a random number ka, s.t. 0 < ka < #E
% b) compute y0 = [ka]P
% c) compute (c1,c2) = ka*beta
% d) compute y1 = c1*m1 mod p
% e) compute y2 = c2*m2 mod p
Page 155
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
% pick A’s secret key, ka, s.t. 0 < ka < #E
ka = randint(1,1,numpts-1)+1;
% compute S = [ka]P = y0
S = P;
for i = 1:ka, S = ptadd(S,P,a,p); end
% compute T = [ka]Q = (c1,c2)
T = Q;
for i = 1:ka, T = ptadd(T,Q,a,p); end
% compute cipher text, C = (y1,y2)
clear C
for i = 1:h*w/2,
C(i,:) = mod(T.*M(i,:),p);
end
M = reshape(M,h,w);
% show
C = reshape(C,h,w);
figure(fig), fig = fig + 1;
imshow(C,[min(min(C)) max(max(C))]),
title(‘Encrypted Image’),
clear T ka i P Q
% Alice’s watermarking steps:
% 1. Discrete cosine transform the encrypted image, C, and sort into
% l largest values except the DC component.
% 2. Obtain C’ {i,j} = C {i,j} (1 + alpha W j), for i = 1,2 and j=1:l.
% 3. Inverse discrete cosine transform C’ = (C1’,C2’).
% 4. Send y0 and C’ to B.
% 2. Watermark, DCT C and find 1000 largest values,
% except DC.
DCTC = reshape(dct2(temp),h*w,1);
[t,I] = sort(-DCTC);
clear t
I = I(2:wl+1);
DCTC2 = DCTC;
Page 156
Appendix C Codes
% v’ = v(1 + aw)
DCTC2(I) = DCTC2(I).*(1 + alpha.*W(:,wn));
DCTC2 = reshape(DCTC2,h,w);
C2 = idct2(DCTC2);
figure(fig), fig = fig + 1;
imshow(C2,[min(min(C2)) max(max(C2))]),
title(‘Watermarked Encrypted Image’),
% send B (S,C2)
clear DCTC2
% Bob’s decryption steps:
% 1. Receive altered ciphertext, C’ = (C1’,C2’), and cipherpoint, y0.
% 2. Compute (y1,y2) = [kB]y0.
% 3. Compute the message, M’ = (M1’,M2’), where
% M1’ = (y1)ˆ{-1}.C1’ mod p, and M2’ = (y2)ˆ{-1}.C2’ mod p.
% 3. Decrypt: d(y0,y1,y2) = (m1’,m2’)
% a) compute (c1,c2) = kb*y0
% b) compute m1’ = y1*c1ˆ{-1} mod p
% c) compute m2’ = y2*c2ˆ{-1} mod p
% find T = (c1,c2)
T = S;
for i = 1:kb, T = ptadd(T,S,a,p); end
% find Z = M’
[d0,d1,d2] = extdeuc(p,T(1));
D(1,1) = mod(d2,p);
[d0,d1,d2] = extdeuc(p,T(2));
D(1,2) = mod(d2,p);
clear M3 C2 = reshape(C2,h*w/2,2);
for i = 1:h*w/2,
M3(i,:) = mod(D.*C2(i,:),p);
end
M3 = reshape(M3,h,w);
if corr2(M3,M) < 0.95, redo = 1; end
figure(fig), fig = fig + 1; imshow(uint8(M3)),
title(‘Decrypted Watermarked Image Unpaired’),
Page 157
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
end % end of redo loop
% 4. Attack point
% 1) Truncating to integer values.
M4 = M3;
M4 = double(uint8(M4));
figure(fig), fig = fig + 1;
imshow(uint8(reshape(M4,h,w))), title(‘Forced to 8 bits’),
% 5. Detect
% First, make test set of singularly-watermarked images
for i = 1:ws,
DCTC5(:,i) = DCTC;
% v’ = v(1 + aw)
DCTC5(I,i) = DCTC5(I,i).*(1 + alpha.*W(:,i));
IDCTC5(:,:,i) = idct2(reshape(DCTC5(:,i),h,w));
end
for j = 1:ws,
C5 = reshape(IDCTC5(:,:,j),h*w/2,2);
for i = 1:h*w/2,
M5(i,:,j) = mod(D.*C5(i,:),p);
end
end
M5 = reshape(M5,h,w,ws);
M5 = round(M5);
clear DCTC5 IDCTC5 C5
% Second, detection by correlation of watermarked images
% First bit: correlation before attack and no post-processing
for i = 1:ws,
wmcorr1(i) = corr2(M3,M5(:,:,i));
end
figure(fig), fig = fig + 1;
stem(wmcorr1),
title(‘Correlation to 100 different watermarked images, before attack’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
Page 158
Appendix C Codes
% Second bit: correlation after attack and no post-processing
for i = 1:ws,
wmcorr2(i) = corr2(M4,M5(:,:,i));
end
figure(fig), fig = fig + 1;
stem(wmcorr2),
title(‘Correlation to 100 different watermarked images, after attack’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
% Third bit: correlation after attack and remove original image
M = reshape(M,h,w);
M4 = M4 - M;
for i = 1:ws,
wmcorr3(i) = corr2(M4,M5(:,:,i)-M);
end
figure(fig), fig = fig + 1;
stem(wmcorr3),
title(‘Correlation to 100 different watermarked images, after ...
attack, minus orig’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
C.4.2 JPEG Compression
JPEG conversion and compression to quality 20%.
clear all
close all
fig = 1;
redo = 1;
%====================================================
% SETUP
%====================================================
% Image setup.
% Message, M = (m1,m2) (pairs of message values)
M = double(rgb2gray(imread(‘lena256x256.tif’,‘tif’)));
[h,w] = size(M);
Page 159
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
figure(fig), fig = fig + 1; imshow(uint8(M)),
title(‘Original Image’),
while redo, % start of redo loop
M = reshape(M,h*w/2,2);
redo = 0;
fig = 2;
% Bob’s setup:
% 1. Choose a large prime number, p.
% 2. Choose an elliptic curve, E.
% 3. Choose a point, P, on E.
% 4. Choose a secret key, kB < #E.
% 5. Compute point, Q = [kB]P.
% 6. Make public Ke = (P,Q,E,p) and keep private Kd = (kB).
% Crypto setup.
% a) pick a prime number p, and an elliptic curve (i.e. pick
% a and b)
% b) pick a point P on E
% c) pick Bob’s secret, kb < #E (#E = number of points on E)
% d) compute Q = [kb]P
% if takes more than a 100 guesses, not gonna work with
% those values so begin again.
repeat = 1;
while repeat = 0,
% pick prime field
p = randprime(255);
% pick an elliptic curve, i.e. pick random a and b in p
not done = 1;
while not done,
a = randint(1,1,p);
b = randint(1,1,p-1)+1; % b cannot be 0
if mod(4*aˆ3+27*bˆ2,p) ~= 0, not done = 0; end
end % pick a point on the elliptic curve
not done = 1;
while not done & repeat < 100,
x = randint(1,1,p);
y = sqrt(xˆ3 + a*x + b);
Page 160
Appendix C Codes
if isint(y), not done = 0; end
else repeat = repeat + 1; end
end
if not done, repeat = 1;
else repeat = 0; end
end
P = [x,y];
% find #E, i.e. the number of EC points
numpts = floor((sqrt(p)-1)ˆ2); % Hasse’s lower bound
% pick B’s private key < #E
kb = randint(1,1,numpts);
% compute by point addition
Q = P;
for i = 1:kb, Q = ptadd(Q,P,a,p); end
% keep private (kb)
% make public (P,Q,E,p)
clear x y b;
% Alice’s setup
% 1. Obtain image, M, of size h X w uint8 values, arranged
% into pairs, (M1, M2).
% 2. Obtain watermark, W, of length l binary bits, -1,1.
% 3. Select strength factor, alpha.
% 4. Select a secret key, kA, such that 0 < kA < #E,
% where #E is the number of points in E.
% Watermark info
ws = 100; % number of watermarks
wl = 10000; % length of each watermark
wn = 27; % our watermark indices
W = rand(wl,ws); % set of watermarks
W = randint(wl,ws)*2-1; % set of watermarks
alpha = 0.001; % wm scaling factor
Page 161
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
%====================================================
% BEGIN IMPLEMENTATION
%====================================================
% Alice’s encryption steps:
% 1. Get Bob’s public information, Ke = (P,Q,E,p).
% 2. Compute y0 = [kA]P and (y1,y2) = [kA]Q.
% 3. Obtain the encrypted image, C = (C1, C2), where
% C1 = y1.M1 mod p, and C2 = y2.M2 mod p.
% 1. Encrypt: e(ka,M) = (y0,y1,y2)
% a) pick a random number ka, s.t. 0 < ka < #E
% b) compute y0 = [ka]P
% c) compute (c1,c2) = ka*beta
% d) compute y1 = c1*m1 mod p
% e) compute y2 = c2*m2 mod p
% pick A’s secret key, ka, s.t. 0 < ka < #E
ka = randint(1,1,numpts-1)+1;
% compute S = [ka]P = y0
S = P;
for i = 1:ka, S = ptadd(S,P,a,p); end
% compute T = [ka]Q = (c1,c2)
T = Q;
for i = 1:ka, T = ptadd(T,Q,a,p); end
% compute cipher text, C = (y1,y2)
clear C
for i = 1:h*w/2,
C(i,:) = mod(T.*M(i,:),p);
end
M = reshape(M,h,w);
% show
C = reshape(C,h,w);
figure(fig), fig = fig + 1;
imshow(C,[min(min(C)) max(max(C))]),
title(‘Encrypted Image’),
clear T ka i P Q;
Page 162
Appendix C Codes
% Alice’s watermarking steps:
% 1. Discrete cosine transform the encrypted image, C, and sort into
% l largest values except the DC component.
% 2. Obtain C i,j’ = C i,j (1 + alpha W j), for i = 1,2 and j=1:l.
% 3. Inverse discrete cosine transform C’ = (C1’,C2’).
% 4. Send y0 and C’ to B.
% 2. Watermark, DCT C and find 1000 largest values, except DC.
DCTC = reshape(dct2(C),h*w,1);
[t,I] = sort(-DCTC);
clear t
I = I(2:wl+1);
DCTC2 = DCTC;
% v’ = v(1 + aw)
DCTC2(I) = DCTC2(I).*(1 + alpha.*W(:,wn));
DCTC2 = reshape(DCTC2,h,w);
C2 = idct2(DCTC2);
figure(fig), fig = fig + 1;
imshow(C2,[min(min(C2)) max(max(C2))]),
title(‘Watermarked Encrypted Image’),
% send B (S,C2)
clear DCTC2
% Bob’s decryption steps:
% 1. Receive altered ciphertext, C’ = (C1’,C2’), and cipherpoint, y0.
% 2. Compute (y1,y2) = [kB]y0.
% 3. Compute the message, M’ = (M1’,M2’), where
% M1’ = (y1)ˆ{-1}.C1’ mod p, and M2’ = (y2)ˆ{-1}.C2’ mod p.
% 3. Decrypt: d(y0,y1,y2) = (m1’,m2’)
% a) compute (c1,c2) = kb*y0
% b) compute m1’ = y1*c1ˆ{-1} mod p
% c) compute m2’ = y2*c2ˆ{-1} mod p
% find T = (c1,c2)
T = S;
for i = 1:kb, T = ptadd(T,S,a,p); end
Page 163
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
% find Z = M’
[d0,d1,d2] = extdeuc(p,T(1));
D(1,1) = mod(d2,p);
[d0,d1,d2] = extdeuc(p,T(2));
D(1,2) = mod(d2,p);
clear M3 C2 = reshape(C2,h*w/2,2);
for i = 1:h*w/2,
M3(i,:) = mod(D.*C2(i,:),p);
end
M3 = reshape(M3,h,w);
if corr2(M3,M) < 0.95, redo = 1; end
figure(fig), fig = fig + 1; imshow(uint8(M3)),
title(‘Decrypted Watermarked Image Unpaired’),
end % end of redo loop
% 4. Attack point
% 2) JPEG conversion
M4 = M3;
qual amt = 10;
imwrite(uint8(M4),‘atkmidstage ecc1242.jpg’,‘jpg’, ...
‘Quality’,qual amt);
M4 = double(imread(‘atkmidstage ecc1242.jpg’,‘jpg’));
figure(fig), fig = fig + 1;
imshow(uint8(M4)), title([‘JPEG conversion (Q: ’, ...
int2str(qual amt),‘%)’]),
% 5. Detect
% First, make test set of singularly-watermarked images
for i = 1:ws,
DCTC5(:,i) = DCTC;
% v’ = v(1 + aw)
DCTC5(I,i) = DCTC5(I,i).*(1 + alpha.*W(:,i));
IDCTC5(:,:,i) = idct2(reshape(DCTC5(:,i),h,w));
end
for j = 1:ws,
C5 = reshape(IDCTC5(:,:,j),h*w/2,2);
for i = 1:h*w/2,
Page 164
Appendix C Codes
M5(i,:,j) = mod(D.*C5(i,:),p);
end
end
M5 = reshape(M5,h,w,ws);
M5 = round(M5);
clear DCTC5 IDCTC5 C5
% Second, detection by correlation of watermarked images
% First bit: correlation before attack and no post-processing
for i = 1:ws,
wmcorr1(i) = corr2(M3,M5(:,:,i));
end
figure(fig), fig = fig + 1;
stem(wmcorr1),
title(‘Correlation to 100 different watermarked images, before attack’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
% Second bit: correlation after attack and no post-processing
for i = 1:ws,
wmcorr2(i) = corr2(M4,M5(:,:,i));
end
figure(fig), fig = fig + 1;
stem(wmcorr2),
title(‘Correlation to 100 different watermarked images, after attack’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
% Third bit: correlation after attack and remove original image
M = reshape(M,h,w);
M4 = M4 - M;
for i = 1:ws,
wmcorr3(i) = corr2(M4,M5(:,:,i)-M);
end
figure(fig), fig = fig + 1;
stem(wmcorr3),
title(‘Correlation to 100 different watermarked images, after ...
attack, minus orig’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
Page 165
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
C.4.3 Cropping and Replacing
Cropping by 1 or 50 pixels from the edges and replacing cropped parts with original
unmarked image.
clear all
close all fig = 1;
redo = 1;
%====================================================
% SETUP
%====================================================
% Image setup.
% Message, M = (m1,m2) (pairs of message values)
M = double(rgb2gray(imread(‘lena256x256.tif’,‘tif’)));
[h,w] = size(M);
figure(fig), fig = fig + 1; imshow(uint8(M)),
title(‘Original Image’),
while redo, % start of redo loop
M = reshape(M,h*w/2,2);
redo = 0;
fig = 2;
% Bob’s setup:
% 1. Choose a large prime number, p.
% 2. Choose an elliptic curve, E.
% 3. Choose a point, P, on E.
% 4. Choose a secret key, kB < #E.
% 5. Compute point, Q = [kB]P.
% 6. Make public Ke = (P,Q,E,p) and keep private Kd = (kB).
% Crypto setup.
% a) pick a prime number p, and an elliptic curve (i.e. pick
% a and b)
% b) pick a point P on E
% c) pick Bob’s secret, kb < #E (#E = number of points on E)
Page 166
Appendix C Codes
% d) compute Q = [kb]P
% if takes more than a 100 guesses, not gonna work with
% those values so begin again.
repeat = 1;
while repeat = 0,
% pick prime field
p = randprime(255);
% pick an elliptic curve, i.e. pick random a and b in p
not done = 1;
while not done,
a = randint(1,1,p);
b = randint(1,1,p-1)+1; % b cannot be 0
if mod(4*aˆ3+27*bˆ2,p) ~= 0, not done = 0; end
end
% pick a point on the elliptic curve
not done = 1;
while not done & repeat < 100,
x = randint(1,1,p);
y = sqrt(xˆ3 + a*x + b);
if isint(y), not done = 0; end
else repeat = repeat + 1; end
end
if not done, repeat = 1;
else repeat = 0; end
end
P = [x,y];
% find #E, i.e. the number of EC points
numpts = floor((sqrt(p)-1)ˆ2); % Hasse’s lower bound
% pick B’s private key < #E
kb = randint(1,1,numpts);
% compute by point addition
Q = P;
for i = 1:kb, Q = ptadd(Q,P,a,p); end
% keep private (kb)
% make public (P,Q,E,p)
Page 167
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
clear x y b;
% Alice’s setup
% 1. Obtain image, M, of size h X w uint8 values, arranged
% into pairs, (M1, M2).
% 2. Obtain watermark, W, of length l binary bits, -1,1.
% 3. Select strength factor, alpha.
% 4. Select a secret key, kA, such that 0 < kA < #E,
% where #E is the number of points in E.
% Watermark info
ws = 100; % number of watermarks
wl = 10000; % length of each watermark
wn = 27; % our watermark indices
W = rand(wl,ws); % set of watermarks
W = randint(wl,ws)*2-1; % set of watermarks
alpha = 0.001; % wm scaling factor
%====================================================
% BEGIN IMPLEMENTATION
%====================================================
% Alice’s encryption steps:
% 1. Get Bob’s public information, Ke = (P,Q,E,p).
% 2. Compute y0 = [kA]P and (y1,y2) = [kA]Q.
% 3. Obtain the encrypted image, C = (C1, C2), where
% C1 = y1.M1 mod p, and C2 = y2.M2 mod p.
% 1. Encrypt: e(ka,M) = (y0,y1,y2)
% a) pick a random number ka, s.t. 0 < ka < #E
% b) compute y0 = [ka]P
% c) compute (c1,c2) = ka*beta
% d) compute y1 = c1*m1 mod p
% e) compute y2 = c2*m2 mod p
% pick A’s secret key, ka, s.t. 0 < ka < #E
ka = randint(1,1,numpts-1)+1;
% compute S = [ka]P = y0
S = P;
for i = 1:ka, S = ptadd(S,P,a,p); end
Page 168
Appendix C Codes
% compute T = [ka]Q = (c1,c2)
T = Q;
for i = 1:ka, T = ptadd(T,Q,a,p); end
% compute cipher text, C = (y1,y2)
clear C
for i = 1:h*w/2,
C(i,:) = mod(T.*M(i,:),p);
end
M = reshape(M,h,w);
% show
C = reshape(C,h,w);
figure(fig), fig = fig + 1;
imshow(C,[min(min(C)) max(max(C))]),
title(‘Encrypted Image’),
clear T ka i P Q;
% Alice’s watermarking steps:
% 1. Discrete cosine transform the encrypted image, C, and sort into
% l largest values except the DC component.
% 2. Obtain C i,j’ = C i,j (1 + alpha W j), for i = 1,2 and j=1:l.
% 3. Inverse discrete cosine transform C’ = (C1’,C2’).
% 4. Send y0 and C’ to B.
% 2. Watermark, DCT C and find 1000 largest values, except DC.
DCTC = reshape(dct2(C),h*w,1);
[t,I] = sort(-DCTC);
clear t
I = I(2:wl+1);
DCTC2 = DCTC;
% v’ = v(1 + aw)
DCTC2(I) = DCTC2(I).*(1 + alpha.*W(:,wn));
DCTC2 = reshape(DCTC2,h,w);
C2 = idct2(DCTC2);
figure(fig), fig = fig + 1;
imshow(C2,[min(min(C2)) max(max(C2))]),
title(‘Watermarked Encrypted Image’),
Page 169
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
% send B (S,C2)
clear DCTC2
% Bob’s decryption steps:
% 1. Receive altered ciphertext, C’ = (C1’,C2’), and cipherpoint, y0.
% 2. Compute (y1,y2) = [kB]y0.
% 3. Compute the message, M’ = (M1’,M2’), where
% M1’ = (y1)ˆ{-1}.C1’ mod p, and M2’ = (y2)ˆ{-1}.C2’ mod p.
% 3. Decrypt: d(y0,y1,y2) = (m1’,m2’)
% a) compute (c1,c2) = kb*y0
% b) compute m1’ = y1*c1ˆ{-1} mod p
% c) compute m2’ = y2*c2ˆ{-1} mod p
% find T = (c1,c2)
T = S;
for i = 1:kb, T = ptadd(T,S,a,p); end
% find Z = M’
[d0,d1,d2] = extdeuc(p,T(1));
D(1,1) = mod(d2,p);
[d0,d1,d2] = extdeuc(p,T(2));
D(1,2) = mod(d2,p);
clear M3 C2 = reshape(C2,h*w/2,2);
for i = 1:h*w/2,
M3(i,:) = mod(D.*C2(i,:),p);
end
M3 = reshape(M3,h,w);
if corr2(M3,M) < 0.95, redo = 1; end
figure(fig), fig = fig + 1; imshow(uint8(M3)),
title(‘Decrypted Watermarked Image Unpaired’),
end % end of redo loop
% 4. Attack point
% 3) cropping and replacing
M4 = M3;
crop amt = 1; % or 50
M4 = imcrop(M4,[crop amt crop amt (h-1)-crop amt*2 (w-1)-crop amt*2]);
Page 170
Appendix C Codes
% replace cropped with original unwatermarked image
temp = reshape(M,h,w);
temp(crop amt:h-crop amt-1,crop amt:w-crop amt-1) = M4;
M4 = temp; clear temp
figure(fig), fig = fig + 1;
imshow(uint8(M4)),
title([‘Cropped ’,int2str(crop amt),...
‘ from edges (replaced with original)’]),
% 5. Detect
% First, make test set of singularly-watermarked images
for i = 1:ws,
DCTC5(:,i) = DCTC;
% v’ = v(1 + aw)
DCTC5(I,i) = DCTC5(I,i).*(1 + alpha.*W(:,i));
IDCTC5(:,:,i) = idct2(reshape(DCTC5(:,i),h,w));
end
for j = 1:ws,
C5 = reshape(IDCTC5(:,:,j),h*w/2,2);
for i = 1:h*w/2,
M5(i,:,j) = mod(D.*C5(i,:),p);
end
end
M5 = reshape(M5,h,w,ws);
M5 = round(M5);
clear DCTC5 IDCTC5 C5
% Second, detection by correlation of watermarked images
% First bit: correlation before attack and no post-processing
for i = 1:ws,
wmcorr1(i) = corr2(M3,M5(:,:,i));
end
figure(fig), fig = fig + 1;
stem(wmcorr1),
title(‘Correlation to 100 different watermarked images, before attack’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
% Second bit: correlation after attack and no post-processing
Page 171
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
for i = 1:ws,
wmcorr2(i) = corr2(M4,M5(:,:,i));
end
figure(fig), fig = fig + 1;
stem(wmcorr2),
title(‘Correlation to 100 different watermarked images, after attack’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
% Third bit: correlation after attack and remove original image
M = reshape(M,h,w);
M4 = M4 - M;
for i = 1:ws,
wmcorr3(i) = corr2(M4,M5(:,:,i)-M);
end
figure(fig), fig = fig + 1;
stem(wmcorr3),
title(‘Correlation to 100 different watermarked images, after ...
attack, minus orig’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
C.4.4 Gaussian Noise Addition
Gaussian noise is added to the output image, or zero mean and variance 0.01. This is
a much larger variance used than that with the RSA cryptosystem C.3, as RSA could
not handle larger variances.
clear all
close all fig = 1;
redo = 1;
%====================================================
% SETUP
%====================================================
% Image setup.
% Message, M = (m1,m2) (pairs of message values)
M = double(rgb2gray(imread(‘lena256x256.tif’,‘tif’)));
[h,w] = size(M);
Page 172
Appendix C Codes
figure(fig), fig = fig + 1; imshow(uint8(M)),
title(‘Original Image’),
while redo, % start of redo loop
M = reshape(M,h*w/2,2);
redo = 0;
fig = 2;
% Bob’s setup:
% 1. Choose a large prime number, p.
% 2. Choose an elliptic curve, E.
% 3. Choose a point, P, on E.
% 4. Choose a secret key, kB < #E.
% 5. Compute point, Q = [kB]P.
% 6. Make public Ke = (P,Q,E,p) and keep private Kd = (kB).
% Crypto setup.
% a) pick a prime number p, and an elliptic curve (i.e. pick
% a and b)
% b) pick a point P on E
% c) pick Bob’s secret, kb < #E (#E = number of points on E)
% d) compute Q = [kb]P
% if takes more than a 100 guesses, not gonna work with
% those values so begin again.
repeat = 1;
while repeat = 0,
% pick prime field
p = randprime(255);
% pick an elliptic curve, i.e. pick random a and b in p
not done = 1;
while not done,
a = randint(1,1,p);
b = randint(1,1,p-1)+1; % b cannot be 0
if mod(4*aˆ3+27*bˆ2,p) ~= 0, not done = 0; end
end
% pick a point on the elliptic curve
not done = 1;
while not done & repeat < 100,
x = randint(1,1,p);
Page 173
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
y = sqrt(xˆ3 + a*x + b);
if isint(y), not done = 0; end
else repeat = repeat + 1; end
end
if not done, repeat = 1;
else repeat = 0; end
end
P = [x,y];
% find #E, i.e. the number of EC points
numpts = floor((sqrt(p)-1)ˆ2); % Hasse’s lower bound
% pick B’s private key < #E
kb = randint(1,1,numpts);
% compute by point addition
Q = P;
for i = 1:kb, Q = ptadd(Q,P,a,p); end
% keep private (kb)
% make public (P,Q,E,p)
clear x y b;
% Alice’s setup
% 1. Obtain image, M, of size h X w uint8 values, arranged
% into pairs, (M1, M2).
% 2. Obtain watermark, W, of length l binary bits, -1,1.
% 3. Select strength factor, alpha.
% 4. Select a secret key, kA, such that 0 < kA < #E,
% where #E is the number of points in E.
% Watermark info
ws = 100; % number of watermarks
wl = 10000; % length of each watermark
wn = 27; % our watermark indices
W = rand(wl,ws); % set of watermarks
W = randint(wl,ws)*2-1; % set of watermarks
alpha = 0.001; % wm scaling factor
Page 174
Appendix C Codes
%====================================================
% BEGIN IMPLEMENTATION
%====================================================
% Alice’s encryption steps:
% 1. Get Bob’s public information, Ke = (P,Q,E,p).
% 2. Compute y0 = [kA]P and (y1,y2) = [kA]Q.
% 3. Obtain the encrypted image, C = (C1, C2), where
% C1 = y1.M1 mod p, and C2 = y2.M2 mod p.
% 1. Encrypt: e(ka,M) = (y0,y1,y2)
% a) pick a random number ka, s.t. 0 < ka < #E
% b) compute y0 = [ka]P
% c) compute (c1,c2) = ka*beta
% d) compute y1 = c1*m1 mod p
% e) compute y2 = c2*m2 mod p
% pick A’s secret key, ka, s.t. 0 < ka < #E
ka = randint(1,1,numpts-1)+1;
% compute S = [ka]P = y0
S = P;
for i = 1:ka, S = ptadd(S,P,a,p); end
% compute T = [ka]Q = (c1,c2)
T = Q;
for i = 1:ka, T = ptadd(T,Q,a,p); end
% compute cipher text, C = (y1,y2)
clear C
for i = 1:h*w/2,
C(i,:) = mod(T.*M(i,:),p);
end
M = reshape(M,h,w);
% show
C = reshape(C,h,w);
figure(fig), fig = fig + 1;
imshow(C,[min(min(C)) max(max(C))]),
title(‘Encrypted Image’),
clear T ka i P Q;
Page 175
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
% Alice’s watermarking steps:
% 1. Discrete cosine transform the encrypted image, C, and sort into
% l largest values except the DC component.
% 2. Obtain C i,j’ = C i,j (1 + alpha W j), for i = 1,2 and j=1:l.
% 3. Inverse discrete cosine transform C’ = (C1’,C2’).
% 4. Send y0 and C’ to B.
% 2. Watermark, DCT C and find 1000 largest values, except DC.
DCTC = reshape(dct2(C),h*w,1);
[t,I] = sort(-DCTC);
clear t
I = I(2:wl+1);
DCTC2 = DCTC;
% v’ = v(1 + aw)
DCTC2(I) = DCTC2(I).*(1 + alpha.*W(:,wn));
DCTC2 = reshape(DCTC2,h,w);
C2 = idct2(DCTC2);
figure(fig), fig = fig + 1;
imshow(C2,[min(min(C2)) max(max(C2))]),
title(‘Watermarked Encrypted Image’),
% send B (S,C2)
clear DCTC2
% Bob’s decryption steps:
% 1. Receive altered ciphertext, C’ = (C1’,C2’), and cipherpoint, y0.
% 2. Compute (y1,y2) = [kB]y0.
% 3. Compute the message, M’ = (M1’,M2’), where
% M1’ = (y1)ˆ{-1}.C1’ mod p, and M2’ = (y2)ˆ{-1}.C2’ mod p.
% 3. Decrypt: d(y0,y1,y2) = (m1’,m2’)
% a) compute (c1,c2) = kb*y0
% b) compute m1’ = y1*c1ˆ{-1} mod p
% c) compute m2’ = y2*c2ˆ{-1} mod p
% find T = (c1,c2)
T = S;
for i = 1:kb, T = ptadd(T,S,a,p); end
Page 176
Appendix C Codes
% find Z = M’
[d0,d1,d2] = extdeuc(p,T(1));
D(1,1) = mod(d2,p);
[d0,d1,d2] = extdeuc(p,T(2));
D(1,2) = mod(d2,p);
clear M3 C2 = reshape(C2,h*w/2,2);
for i = 1:h*w/2,
M3(i,:) = mod(D.*C2(i,:),p);
end
M3 = reshape(M3,h,w);
if corr2(M3,M) < 0.95, redo = 1; end
figure(fig), fig = fig + 1; imshow(uint8(M3)),
title(‘Decrypted Watermarked Image Unpaired’),
end % end of redo loop
% 4. Attack point
% 7) noise
M4 = double(imnoise(uint8(M3),‘gaussian’,0,0.01));
figure(fig), fig = fig + 1; imshow(uint8(M4)),
title(Noised - Gaussian (var 0.01)),
% 5. Detect
% First, make test set of singularly-watermarked images
for i = 1:ws,
DCTC5(:,i) = DCTC;
% v’ = v(1 + aw)
DCTC5(I,i) = DCTC5(I,i).*(1 + alpha.*W(:,i));
IDCTC5(:,:,i) = idct2(reshape(DCTC5(:,i),h,w));
end
for j = 1:ws,
C5 = reshape(IDCTC5(:,:,j),h*w/2,2);
for i = 1:h*w/2,
M5(i,:,j) = mod(D.*C5(i,:),p);
end
end
M5 = reshape(M5,h,w,ws);
Page 177
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
M5 = round(M5);
clear DCTC5 IDCTC5 C5
% Second, detection by correlation of watermarked images
% First bit: correlation before attack and no post-processing
for i = 1:ws,
wmcorr1(i) = corr2(M3,M5(:,:,i));
end
figure(fig), fig = fig + 1;
stem(wmcorr1),
title(‘Correlation to 100 different watermarked images, before attack’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
% Second bit: correlation after attack and no post-processing
for i = 1:ws,
wmcorr2(i) = corr2(M4,M5(:,:,i));
end
figure(fig), fig = fig + 1;
stem(wmcorr2),
title(‘Correlation to 100 different watermarked images, after attack’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
% Third bit: correlation after attack and remove original image
M = reshape(M,h,w);
M4 = M4 - M;
for i = 1:ws,
wmcorr3(i) = corr2(M4,M5(:,:,i)-M);
end
figure(fig), fig = fig + 1;
stem(wmcorr3),
title(‘Correlation to 100 different watermarked images, after ...
attack, minus orig’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
Page 178
Appendix C Codes
C.4.5 Scaling and Rescaling
Scale by half (or downsample by 2), then rescale back to original dimensions.
clear all
close all fig = 1;
redo = 1;
%====================================================
% SETUP
%====================================================
% Image setup.
% Message, M = (m1,m2) (pairs of message values)
M = double(rgb2gray(imread(‘lena256x256.tif’,‘tif’)));
[h,w] = size(M);
figure(fig), fig = fig + 1; imshow(uint8(M)),
title(‘Original Image’),
while redo, % start of redo loop
M = reshape(M,h*w/2,2);
redo = 0;
fig = 2;
% Bob’s setup:
% 1. Choose a large prime number, p.
% 2. Choose an elliptic curve, E.
% 3. Choose a point, P, on E.
% 4. Choose a secret key, kB < #E.
% 5. Compute point, Q = [kB]P.
% 6. Make public Ke = (P,Q,E,p) and keep private Kd = (kB).
% Crypto setup.
% a) pick a prime number p, and an elliptic curve (i.e. pick
% a and b)
% b) pick a point P on E
% c) pick Bob’s secret, kb < #E (#E = number of points on E)
% d) compute Q = [kb]P
% if takes more than a 100 guesses, not gonna work with
% those values so begin again.
repeat = 1;
Page 179
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
while repeat = 0,
% pick prime field
p = randprime(255);
% pick an elliptic curve, i.e. pick random a and b in p
not done = 1;
while not done,
a = randint(1,1,p);
b = randint(1,1,p-1)+1; % b cannot be 0
if mod(4*aˆ3+27*bˆ2,p) ~= 0, not done = 0; end
end
% pick a point on the elliptic curve
not done = 1;
while not done & repeat < 100,
x = randint(1,1,p);
y = sqrt(xˆ3 + a*x + b);
if isint(y), not done = 0; end
else repeat = repeat + 1; end
end
if not done, repeat = 1;
else repeat = 0; end
end
P = [x,y];
% find #E, i.e. the number of EC points
numpts = floor((sqrt(p)-1)ˆ2); % Hasse’s lower bound
% pick B’s private key < #E
kb = randint(1,1,numpts);
% compute by point addition
Q = P;
for i = 1:kb, Q = ptadd(Q,P,a,p); end
% keep private (kb)
% make public (P,Q,E,p)
clear x y b;
% Alice’s setup
% 1. Obtain image, M, of size h X w uint8 values, arranged
% into pairs, (M1, M2).
Page 180
Appendix C Codes
% 2. Obtain watermark, W, of length l binary bits, -1,1.
% 3. Select strength factor, alpha.
% 4. Select a secret key, kA, such that 0 < kA < #E,
% where #E is the number of points in E.
% Watermark info
ws = 100; % number of watermarks
wl = 10000; % length of each watermark
wn = 27; % our watermark indices
W = rand(wl,ws); % set of watermarks
W = randint(wl,ws)*2-1; % set of watermarks
alpha = 0.001; % wm scaling factor
%====================================================
% BEGIN IMPLEMENTATION
%====================================================
% Alice’s encryption steps:
% 1. Get Bob’s public information, Ke = (P,Q,E,p).
% 2. Compute y0 = [kA]P and (y1,y2) = [kA]Q.
% 3. Obtain the encrypted image, C = (C1, C2), where
% C1 = y1.M1 mod p, and C2 = y2.M2 mod p.
% 1. Encrypt: e(ka,M) = (y0,y1,y2)
% a) pick a random number ka, s.t. 0 < ka < #E
% b) compute y0 = [ka]P
% c) compute (c1,c2) = ka*beta
% d) compute y1 = c1*m1 mod p
% e) compute y2 = c2*m2 mod p
% pick A’s secret key, ka, s.t. 0 < ka < #E
ka = randint(1,1,numpts-1)+1;
% compute S = [ka]P = y0
S = P;
for i = 1:ka, S = ptadd(S,P,a,p); end
% compute T = [ka]Q = (c1,c2)
T = Q;
for i = 1:ka, T = ptadd(T,Q,a,p); end
Page 181
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
% compute cipher text, C = (y1,y2)
clear C
for i = 1:h*w/2,
C(i,:) = mod(T.*M(i,:),p);
end
M = reshape(M,h,w);
% show
C = reshape(C,h,w);
figure(fig), fig = fig + 1;
imshow(C,[min(min(C)) max(max(C))]),
title(‘Encrypted Image’),
clear T ka i P Q;
% Alice’s watermarking steps:
% 1. Discrete cosine transform the encrypted image, C, and sort into
% l largest values except the DC component.
% 2. Obtain C i,j’ = C i,j (1 + alpha W j), for i = 1,2 and j=1:l.
% 3. Inverse discrete cosine transform C’ = (C1’,C2’).
% 4. Send y0 and C’ to B.
% 2. Watermark, DCT C and find 1000 largest values, except DC.
DCTC = reshape(dct2(C),h*w,1);
[t,I] = sort(-DCTC);
clear t
I = I(2:wl+1);
DCTC2 = DCTC;
% v’ = v(1 + aw)
DCTC2(I) = DCTC2(I).*(1 + alpha.*W(:,wn));
DCTC2 = reshape(DCTC2,h,w);
C2 = idct2(DCTC2);
figure(fig), fig = fig + 1;
imshow(C2,[min(min(C2)) max(max(C2))]),
title(‘Watermarked Encrypted Image’),
% send B (S,C2)
clear DCTC2
% Bob’s decryption steps:
Page 182
Appendix C Codes
% 1. Receive altered ciphertext, C’ = (C1’,C2’), and cipherpoint, y0.
% 2. Compute (y1,y2) = [kB]y0.
% 3. Compute the message, M’ = (M1’,M2’), where
% M1’ = (y1)ˆ{-1}.C1’ mod p, and M2’ = (y2)ˆ{-1}.C2’ mod p.
% 3. Decrypt: d(y0,y1,y2) = (m1’,m2’)
% a) compute (c1,c2) = kb*y0
% b) compute m1’ = y1*c1ˆ{-1} mod p
% c) compute m2’ = y2*c2ˆ{-1} mod p
% find T = (c1,c2)
T = S;
for i = 1:kb, T = ptadd(T,S,a,p); end
% find Z = M’
[d0,d1,d2] = extdeuc(p,T(1));
D(1,1) = mod(d2,p);
[d0,d1,d2] = extdeuc(p,T(2));
D(1,2) = mod(d2,p);
clear M3 C2 = reshape(C2,h*w/2,2);
for i = 1:h*w/2,
M3(i,:) = mod(D.*C2(i,:),p);
end
M3 = reshape(M3,h,w);
if corr2(M3,M) < 0.95, redo = 1; end
figure(fig), fig = fig + 1; imshow(uint8(M3)),
title(‘Decrypted Watermarked Image Unpaired’),
end % end of redo loop
% 4. Attack point
% 4) rescaling
M4 = M3;
M4 = imresize(imresize(M4,0.5),2);
figure(fig), fig = fig + 1;
imshow(uint8(M4)), title(‘Size halved then doubled’),
% 5. Detect
% First, make test set of singularly-watermarked images
Page 183
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
for i = 1:ws,
DCTC5(:,i) = DCTC;
% v’ = v(1 + aw)
DCTC5(I,i) = DCTC5(I,i).*(1 + alpha.*W(:,i));
IDCTC5(:,:,i) = idct2(reshape(DCTC5(:,i),h,w));
end
for j = 1:ws,
C5 = reshape(IDCTC5(:,:,j),h*w/2,2);
for i = 1:h*w/2,
M5(i,:,j) = mod(D.*C5(i,:),p);
end
end
M5 = reshape(M5,h,w,ws);
M5 = round(M5);
clear DCTC5 IDCTC5 C5
% Second, detection by correlation of watermarked images
% First bit: correlation before attack and no post-processing
for i = 1:ws,
wmcorr1(i) = corr2(M3,M5(:,:,i));
end
figure(fig), fig = fig + 1;
stem(wmcorr1),
title(‘Correlation to 100 different watermarked images, before attack’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
% Second bit: correlation after attack and no post-processing
for i = 1:ws,
wmcorr2(i) = corr2(M4,M5(:,:,i));
end
figure(fig), fig = fig + 1;
stem(wmcorr2),
title(‘Correlation to 100 different watermarked images, after attack’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
% Third bit: correlation after attack and remove original image
M = reshape(M,h,w);
Page 184
Appendix C Codes
M4 = M4 - M;
for i = 1:ws,
wmcorr3(i) = corr2(M4,M5(:,:,i)-M);
end
figure(fig), fig = fig + 1;
stem(wmcorr3),
title(‘Correlation to 100 different watermarked images, after ...
attack, minus orig’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
C.4.6 Combination Attacks: Rotate, Crop and Rescale
The output image is rotated 1 degree clockwise, cropped by 3 pixels, then rescaled
back to the original dimensions. Bilinear interpolation is used for the rotation and
rescaling functions. The attack is mimicked in the random watermarked set to obtain
a positive match.
clear all
close all fig = 1;
redo = 1;
%====================================================
% SETUP
%====================================================
% Image setup.
% Message, M = (m1,m2) (pairs of message values)
M = double(rgb2gray(imread(‘lena256x256.tif’,‘tif’)));
[h,w] = size(M);
figure(fig), fig = fig + 1; imshow(uint8(M)),
title(‘Original Image’),
while redo, % start of redo loop
M = reshape(M,h*w/2,2);
redo = 0;
fig = 2;
% Bob’s setup:
Page 185
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
% 1. Choose a large prime number, p.
% 2. Choose an elliptic curve, E.
% 3. Choose a point, P, on E.
% 4. Choose a secret key, kB < #E.
% 5. Compute point, Q = [kB]P.
% 6. Make public Ke = (P,Q,E,p) and keep private Kd = (kB).
% Crypto setup.
% a) pick a prime number p, and an elliptic curve (i.e. pick
% a and b)
% b) pick a point P on E
% c) pick Bob’s secret, kb < #E (#E = number of points on E)
% d) compute Q = [kb]P
% if takes more than a 100 guesses, not gonna work with
% those values so begin again.
repeat = 1;
while repeat = 0,
% pick prime field
p = randprime(255);
% pick an elliptic curve, i.e. pick random a and b in p
not done = 1;
while not done,
a = randint(1,1,p);
b = randint(1,1,p-1)+1; % b cannot be 0
if mod(4*aˆ3+27*bˆ2,p) ~= 0, not done = 0; end
end
% pick a point on the elliptic curve
not done = 1;
while not done & repeat < 100,
x = randint(1,1,p);
y = sqrt(xˆ3 + a*x + b);
if isint(y), not done = 0; end
else repeat = repeat + 1; end
end
if not done, repeat = 1;
else repeat = 0; end
end
P = [x,y];
Page 186
Appendix C Codes
% find #E, i.e. the number of EC points
numpts = floor((sqrt(p)-1)ˆ2); % Hasse’s lower bound
% pick B’s private key < #E
kb = randint(1,1,numpts);
% compute by point addition
Q = P;
for i = 1:kb, Q = ptadd(Q,P,a,p); end
% keep private (kb)
% make public (P,Q,E,p)
clear x y b;
% Alice’s setup
% 1. Obtain image, M, of size h X w uint8 values, arranged
% into pairs, (M1, M2).
% 2. Obtain watermark, W, of length l binary bits, -1,1.
% 3. Select strength factor, alpha.
% 4. Select a secret key, kA, such that 0 < kA < #E,
% where #E is the number of points in E.
% Watermark info
ws = 100; % number of watermarks
wl = 10000; % length of each watermark
wn = 27; % our watermark indices
W = rand(wl,ws); % set of watermarks
W = randint(wl,ws)*2-1; % set of watermarks
alpha = 0.001; % wm scaling factor
%====================================================
% BEGIN IMPLEMENTATION
%====================================================
% Alice’s encryption steps:
% 1. Get Bob’s public information, Ke = (P,Q,E,p).
% 2. Compute y0 = [kA]P and (y1,y2) = [kA]Q.
% 3. Obtain the encrypted image, C = (C1, C2), where
% C1 = y1.M1 mod p, and C2 = y2.M2 mod p.
% 1. Encrypt: e(ka,M) = (y0,y1,y2)
Page 187
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
% a) pick a random number ka, s.t. 0 < ka < #E
% b) compute y0 = [ka]P
% c) compute (c1,c2) = ka*beta
% d) compute y1 = c1*m1 mod p
% e) compute y2 = c2*m2 mod p
% pick A’s secret key, ka, s.t. 0 < ka < #E
ka = randint(1,1,numpts-1)+1;
% compute S = [ka]P = y0
S = P;
for i = 1:ka, S = ptadd(S,P,a,p); end
% compute T = [ka]Q = (c1,c2)
T = Q;
for i = 1:ka, T = ptadd(T,Q,a,p); end
% compute cipher text, C = (y1,y2)
clear C
for i = 1:h*w/2,
C(i,:) = mod(T.*M(i,:),p);
end
M = reshape(M,h,w);
% show
C = reshape(C,h,w);
figure(fig), fig = fig + 1;
imshow(C,[min(min(C)) max(max(C))]),
title(‘Encrypted Image’),
clear T ka i P Q;
% Alice’s watermarking steps:
% 1. Discrete cosine transform the encrypted image, C, and sort into
% l largest values except the DC component.
% 2. Obtain C i,j’ = C i,j (1 + alpha W j), for i = 1,2 and j=1:l.
% 3. Inverse discrete cosine transform C’ = (C1’,C2’).
% 4. Send y0 and C’ to B.
% 2. Watermark, DCT C and find 1000 largest values, except DC.
DCTC = reshape(dct2(C),h*w,1);
Page 188
Appendix C Codes
[t,I] = sort(-DCTC);
clear t
I = I(2:wl+1);
DCTC2 = DCTC;
% v’ = v(1 + aw)
DCTC2(I) = DCTC2(I).*(1 + alpha.*W(:,wn));
DCTC2 = reshape(DCTC2,h,w);
C2 = idct2(DCTC2);
figure(fig), fig = fig + 1;
imshow(C2,[min(min(C2)) max(max(C2))]),
title(‘Watermarked Encrypted Image’),
% send B (S,C2)
clear DCTC2
% Bob’s decryption steps:
% 1. Receive altered ciphertext, C’ = (C1’,C2’), and cipherpoint, y0.
% 2. Compute (y1,y2) = [kB]y0.
% 3. Compute the message, M’ = (M1’,M2’), where
% M1’ = (y1)ˆ{-1}.C1’ mod p, and M2’ = (y2)ˆ{-1}.C2’ mod p.
% 3. Decrypt: d(y0,y1,y2) = (m1’,m2’)
% a) compute (c1,c2) = kb*y0
% b) compute m1’ = y1*c1ˆ{-1} mod p
% c) compute m2’ = y2*c2ˆ{-1} mod p
% find T = (c1,c2)
T = S;
for i = 1:kb, T = ptadd(T,S,a,p); end
% find Z = M’
[d0,d1,d2] = extdeuc(p,T(1));
D(1,1) = mod(d2,p);
[d0,d1,d2] = extdeuc(p,T(2));
D(1,2) = mod(d2,p);
clear M3 C2 = reshape(C2,h*w/2,2);
for i = 1:h*w/2,
M3(i,:) = mod(D.*C2(i,:),p);
end
M3 = reshape(M3,h,w);
Page 189
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
if corr2(M3,M) < 0.7, redo = 1; end
figure(fig), fig = fig + 1; imshow(uint8(M3)),
title(‘Decrypted Watermarked Image Unpaired’),
end % end of redo loop
% 4. Attack point
% 5) rotation, cropping and rescaling
M4 = M3;
rot angle = -1;
crop amt = 3;
int meth = ‘bilinear’; % interpolation method
M4 = imrotate(M4,rot angle,int meth,‘crop’);
M4 = imcrop(M4,[crop amt crop amt (h-1)-2*crop amt (w-1)-2*crop amt]);
M4 = imresize(M4,[h w],int meth);
figure(fig), fig = fig + 1;
imshow(uint8(M4))
title(‘Rotated, bilinear interpolated, cropped, resized’),
% 5. Detect
% First, make test set of singularly-watermarked images
for i = 1:ws,
DCTC5(:,i) = DCTC;
% v’ = v(1 + aw)
DCTC5(I,i) = DCTC5(I,i).*(1 + alpha.*W(:,i));
IDCTC5(:,:,i) = idct2(reshape(DCTC5(:,i),h,w));
end
for j = 1:ws,
C5 = reshape(IDCTC5(:,:,j),h*w/2,2);
for i = 1:h*w/2,
M5(i,:,j) = mod(D.*C5(i,:),p);
end
end
M5 = reshape(M5,h,w,ws);
M5 = round(M5);
clear DCTC5 IDCTC5 C5
% Second, detection by correlation of watermarked images
Page 190
Appendix C Codes
% First bit: correlation before attack and no post-processing
for i = 1:ws,
wmcorr1(i) = corr2(M3,M5(:,:,i));
end
figure(fig), fig = fig + 1, stem(wmcorr1),
title(‘Correlation to 100 different watermarked images, before attack’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
% Second bit: correlation after attack and no post-processing
for i = 1:ws,
wmcorr2(i) = corr2(M4,M5(:,:,i));
end
figure(fig), fig = fig + 1, stem(wmcorr2),
title(‘Correlation to 100 different watermarked images, after attack’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
% Third bit: correlation after attack and remove original image
M = reshape(M,h,w);
M4 = M4 - M;
for i = 1:ws,
wmcorr3(i) = corr2(M4,M5(:,:,i)-M);
end
figure(fig), fig = fig + 1;
stem(wmcorr3),
title(‘Correlation to 100 different watermarked images, after ...
attack, minus orig’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
% Fourth bit: correlation by copying attack, after attack and rem orig
M end = imrotate(reshape(M,h,w),rot angle,int meth,‘crop’);
M4 end = M4 - M end;
M5 end = imrotate(reshape(M5,h,w,ws),rot angle,int meth,‘crop’);
for i = 1:ws,
temp = imcrop(M5 end(:,:,i), ...
[crop amt crop amt (h-1)-2*crop amt (w-1)-2*crop amt]);
temp = imresize(temp,[h w],int meth);
wmcorr4(i) = corr2(M4 end,temp-M end);
end
Page 191
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
figure(fig), fig = fig + 1; stem(wmcorr4)
title(‘Correlation to 100 different watermarked images, after ...
attack, minus orig, copy atk’)
xlabel(’Randomly Watermarked Images’)
ylabel(’Correlation to our watermarked image’)
clear temp
C.4.7 Combination Attacks: Crop and Rescale
The output image is cropped by 1 pixel from the edges, then rescaled back to the
original dimensions. Bilinear interpolation is used for rescaling.
clear all
close all fig = 1;
redo = 1;
%====================================================
% SETUP
%====================================================
% Image setup.
% Message, M = (m1,m2) (pairs of message values)
M = double(rgb2gray(imread(‘lena256x256.tif’,‘tif’)));
[h,w] = size(M);
figure(fig), fig = fig + 1; imshow(uint8(M)),
title(‘Original Image’),
while redo, % start of redo loop
M = reshape(M,h*w/2,2);
redo = 0;
fig = 2;
% Bob’s setup:
% 1. Choose a large prime number, p.
% 2. Choose an elliptic curve, E.
% 3. Choose a point, P, on E.
% 4. Choose a secret key, kB < #E.
% 5. Compute point, Q = [kB]P.
% 6. Make public Ke = (P,Q,E,p) and keep private Kd = (kB).
Page 192
Appendix C Codes
% Crypto setup.
% a) pick a prime number p, and an elliptic curve (i.e. pick
% a and b)
% b) pick a point P on E
% c) pick Bob’s secret, kb < #E (#E = number of points on E)
% d) compute Q = [kb]P
% if takes more than a 100 guesses, not gonna work with
% those values so begin again.
repeat = 1;
while repeat = 0,
% pick prime field
p = randprime(255);
% pick an elliptic curve, i.e. pick random a and b in p
not done = 1;
while not done,
a = randint(1,1,p);
b = randint(1,1,p-1)+1; % b cannot be 0
if mod(4*aˆ3+27*bˆ2,p) ~= 0, not done = 0; end
end
% pick a point on the elliptic curve
not done = 1;
while not done & repeat < 100,
x = randint(1,1,p);
y = sqrt(xˆ3 + a*x + b);
if isint(y), not done = 0; end
else repeat = repeat + 1; end
end
if not done, repeat = 1;
else repeat = 0; end
end
P = [x,y];
% find #E, i.e. the number of EC points
numpts = floor((sqrt(p)-1)ˆ2); % Hasse’s lower bound
% pick B’s private key < #E
kb = randint(1,1,numpts);
Page 193
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
% compute by point addition
Q = P;
for i = 1:kb, Q = ptadd(Q,P,a,p); end
% keep private (kb)
% make public (P,Q,E,p)
clear x y b;
% Alice’s setup
% 1. Obtain image, M, of size h X w uint8 values, arranged
% into pairs, (M1, M2).
% 2. Obtain watermark, W, of length l binary bits, -1,1.
% 3. Select strength factor, alpha.
% 4. Select a secret key, kA, such that 0 < kA < #E,
% where #E is the number of points in E.
% Watermark info
ws = 100; % number of watermarks
wl = 10000; % length of each watermark
wn = 27; % our watermark indices
W = rand(wl,ws); % set of watermarks
W = randint(wl,ws)*2-1; % set of watermarks
alpha = 0.001; % wm scaling factor
%====================================================
% BEGIN IMPLEMENTATION
%====================================================
% Alice’s encryption steps:
% 1. Get Bob’s public information, Ke = (P,Q,E,p).
% 2. Compute y0 = [kA]P and (y1,y2) = [kA]Q.
% 3. Obtain the encrypted image, C = (C1, C2), where
% C1 = y1.M1 mod p, and C2 = y2.M2 mod p.
% 1. Encrypt: e(ka,M) = (y0,y1,y2)
% a) pick a random number ka, s.t. 0 < ka < #E
% b) compute y0 = [ka]P
% c) compute (c1,c2) = ka*beta
% d) compute y1 = c1*m1 mod p
% e) compute y2 = c2*m2 mod p
Page 194
Appendix C Codes
% pick A’s secret key, ka, s.t. 0 < ka < #E
ka = randint(1,1,numpts-1)+1;
% compute S = [ka]P = y0
S = P;
for i = 1:ka, S = ptadd(S,P,a,p); end
% compute T = [ka]Q = (c1,c2)
T = Q;
for i = 1:ka, T = ptadd(T,Q,a,p); end
% compute cipher text, C = (y1,y2)
clear C
for i = 1:h*w/2,
C(i,:) = mod(T.*M(i,:),p);
end
M = reshape(M,h,w);
% show
C = reshape(C,h,w);
figure(fig), fig = fig + 1;
imshow(C,[min(min(C)) max(max(C))]),
title(‘Encrypted Image’),
clear T ka i P Q;
% Alice’s watermarking steps:
% 1. Discrete cosine transform the encrypted image, C, and sort into
% l largest values except the DC component.
% 2. Obtain C i,j’ = C i,j (1 + alpha W j), for i = 1,2 and j=1:l.
% 3. Inverse discrete cosine transform C’ = (C1’,C2’).
% 4. Send y0 and C’ to B.
% 2. Watermark, DCT C and find 1000 largest values, except DC.
DCTC = reshape(dct2(C),h*w,1);
[t,I] = sort(-DCTC);
clear t
I = I(2:wl+1);
DCTC2 = DCTC;
% v’ = v(1 + aw)
DCTC2(I) = DCTC2(I).*(1 + alpha.*W(:,wn));
Page 195
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
DCTC2 = reshape(DCTC2,h,w);
C2 = idct2(DCTC2);
figure(fig), fig = fig + 1;
imshow(C2,[min(min(C2)) max(max(C2))]),
title(‘Watermarked Encrypted Image’),
% send B (S,C2)
clear DCTC2
% Bob’s decryption steps:
% 1. Receive altered ciphertext, C’ = (C1’,C2’), and cipherpoint, y0.
% 2. Compute (y1,y2) = [kB]y0.
% 3. Compute the message, M’ = (M1’,M2’), where
% M1’ = (y1)ˆ{-1}.C1’ mod p, and M2’ = (y2)ˆ{-1}.C2’ mod p.
% 3. Decrypt: d(y0,y1,y2) = (m1’,m2’)
% a) compute (c1,c2) = kb*y0
% b) compute m1’ = y1*c1ˆ{-1} mod p
% c) compute m2’ = y2*c2ˆ{-1} mod p
% find T = (c1,c2)
T = S;
for i = 1:kb, T = ptadd(T,S,a,p); end
% find Z = M’
[d0,d1,d2] = extdeuc(p,T(1));
D(1,1) = mod(d2,p);
[d0,d1,d2] = extdeuc(p,T(2));
D(1,2) = mod(d2,p);
clear M3 C2 = reshape(C2,h*w/2,2);
for i = 1:h*w/2,
M3(i,:) = mod(D.*C2(i,:),p);
end
M3 = reshape(M3,h,w);
if corr2(M3,M) < 0.95, redo = 1; end
figure(fig), fig = fig + 1; imshow(uint8(M3)),
title(‘Decrypted Watermarked Image Unpaired’),
end % end of redo loop
Page 196
Appendix C Codes
% 4. Attack point
% 6) crop and resize
M4 = M3;
crop amt = 1;
int meth = ‘bilinear’; % interpolation method
M4 = imcrop(M4,[crop amt crop amt (h-1)-crop amt*2 (w-1)-crop amt*2]);
M4 = imresize(M4,[h w],int meth);
figure(fig), fig = fig + 1;
imshow(uint8(M4)),
title(Crop 1 pixel and resize),
% 5. Detect
% First, make test set of singularly-watermarked images
for i = 1:ws,
DCTC5(:,i) = DCTC;
% v’ = v(1 + aw)
DCTC5(I,i) = DCTC5(I,i).*(1 + alpha.*W(:,i));
IDCTC5(:,:,i) = idct2(reshape(DCTC5(:,i),h,w));
end
for j = 1:ws,
C5 = reshape(IDCTC5(:,:,j),h*w/2,2);
for i = 1:h*w/2,
M5(i,:,j) = mod(D.*C5(i,:),p);
end
end
M5 = reshape(M5,h,w,ws);
M5 = round(M5);
clear DCTC5 IDCTC5 C5
% Second, detection by correlation of watermarked images
% First bit: correlation before attack and no post-processing
for i = 1:ws,
wmcorr1(i) = corr2(M3,M5(:,:,i));
end
figure(fig), fig = fig + 1;
stem(wmcorr1),
title(‘Correlation to 100 different watermarked images, before attack’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
Page 197
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
% Second bit: correlation after attack and no post-processing
for i = 1:ws,
wmcorr2(i) = corr2(M4,M5(:,:,i));
end
figure(fig), fig = fig + 1;
stem(wmcorr2),
title(‘Correlation to 100 different watermarked images, after attack’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
% Third bit: correlation after attack and remove original image
M = reshape(M,h,w);
M4 = M4 - M;
for i = 1:ws,
wmcorr3(i) = corr2(M4,M5(:,:,i)-M);
end
figure(fig), fig = fig + 1;
stem(wmcorr3),
title(‘Correlation to 100 different watermarked images, after ...
attack, minus orig’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
C.4.8 Double Watermarking
Two watermarks are embed, where the first watermark is at α = 0.0005 and the
second is at α = 0.001.
clear all
close all
fig = 1;
redo = 1;
%====================================================
% SETUP
%====================================================
% Image setup.
% Message, M = (m1,m2) (pairs of message values)
Page 198
Appendix C Codes
M = double(rgb2gray(imread(‘lena256x256.tif’,‘tif’)));
[h,w] = size(M);
figure(fig), fig = fig + 1; imshow(uint8(M)),
title(‘Original Image’),
while redo, % start of redo loop
M = reshape(M,h*w/2,2);
redo = 0;
fig = 2;
% Bob’s setup:
% 1. Choose a large prime number, p.
% 2. Choose an elliptic curve, E.
% 3. Choose a point, P, on E.
% 4. Choose a secret key, kB < #E.
% 5. Compute point, Q = [kB]P.
% 6. Make public Ke = (P,Q,E,p) and keep private Kd = (kB).
% Crypto setup.
% a) pick a prime number p, and an elliptic curve (i.e. pick
% a and b)
% b) pick a point P on E
% c) pick Bob’s secret, kb < #E (#E = number of points on E)
% d) compute Q = [kb]P
% if takes more than a 100 guesses, not gonna work with
% those values so begin again.
repeat = 1;
while repeat = 0,
% pick prime field
p = randprime(255);
% pick an elliptic curve, i.e. pick random a and b in p
not done = 1;
while not done,
a = randint(1,1,p);
b = randint(1,1,p-1)+1; % b cannot be 0
if mod(4*aˆ3+27*bˆ2,p) ~= 0, not done = 0; end
end
% pick a point on the elliptic curve
not done = 1;
Page 199
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
while not done & repeat < 100,
x = randint(1,1,p);
y = sqrt(xˆ3 + a*x + b);
if isint(y), not done = 0; end
else repeat = repeat + 1; end
end
if not done, repeat = 1;
else repeat = 0; end
end
P = [x,y];
% find #E, i.e. the number of EC points
numpts = floor((sqrt(p)-1)ˆ2); % Hasse’s lower bound
% pick B’s private key < #E
kb = randint(1,1,numpts);
% compute by point addition
Q = P;
for i = 1:kb, Q = ptadd(Q,P,a,p); end
% keep private (kb)
% make public (P,Q,E,p)
clear x y b;
% Alice’s setup
% 1. Obtain image, M, of size h X w uint8 values, arranged
% into pairs, (M1, M2).
% 2. Obtain watermark, W, of length l binary bits, -1,1.
% 3. Select strength factor, alpha.
% 4. Select a secret key, kA, such that 0 < kA < #E,
% where #E is the number of points in E.
% Watermark info
ws = 100; % number of watermarks
wl = 10000; % length of each watermark
wn = [27,65]; % our watermark indices
W = rand(wl,ws); % set of watermarks
W = randint(wl,ws)*2-1; % set of watermarks
alpha = 0.001; % wm scaling factor
Page 200
Appendix C Codes
%====================================================
% BEGIN IMPLEMENTATION
%====================================================
% Alice’s encryption steps:
% 1. Get Bob’s public information, Ke = (P,Q,E,p).
% 2. Compute y0 = [kA]P and (y1,y2) = [kA]Q.
% 3. Obtain the encrypted image, C = (C1, C2), where
% C1 = y1.M1 mod p, and C2 = y2.M2 mod p.
% 1. Encrypt: e(ka,M) = (y0,y1,y2)
% a) pick a random number ka, s.t. 0 < ka < #E
% b) compute y0 = [ka]P
% c) compute (c1,c2) = ka*beta
% d) compute y1 = c1*m1 mod p
% e) compute y2 = c2*m2 mod p
% pick A’s secret key, ka, s.t. 0 < ka < #E
ka = randint(1,1,numpts-1)+1;
% compute S = [ka]P = y0
S = P;
for i = 1:ka, S = ptadd(S,P,a,p); end
% compute T = [ka]Q = (c1,c2)
T = Q;
for i = 1:ka, T = ptadd(T,Q,a,p); end
% compute cipher text, C = (y1,y2)
clear C
for i = 1:h*w/2,
C(i,:) = mod(T.*M(i,:),p);
end
M = reshape(M,h,w);
% show
C = reshape(C,h,w);
figure(fig), fig = fig + 1;
imshow(C,[min(min(C)) max(max(C))]),
title(‘Encrypted Image’),
clear T ka i P Q;
Page 201
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
% Alice’s watermarking steps:
% 1. Discrete cosine transform the encrypted image, C, and sort into
% l largest values except the DC component.
% 2. Obtain C i,j’ = C i,j (1 + alpha W j), for i = 1,2 and j=1:l.
% 3. Inverse discrete cosine transform C’ = (C1’,C2’).
% 4. Send y0 and C’ to B.
% 2. First watermark, DCT C and find 1000 largest values, except DC.
DCTC = reshape(dct2(C),h*w,1);
[t,I] = sort(-DCTC);
clear t
I = I(2:wl+1);
DCTC2 = DCTC;
% v’ = v(1 + aw)
DCTC2(I) = DCTC2(I).*(1 + alpha.*W(:,wn(1)));
DCTC2 = reshape(DCTC2,h,w);
C2 = idct2(DCTC2);
figure(fig), fig = fig + 1;
imshow(C2,[min(min(C)) max(max(C))]),
title(‘Doubly Watermarked Encrypted Image’),
% send B (S,C2)
clear DCTC2
% Bob’s decryption steps:
% 1. Receive altered ciphertext, C’ = (C1’,C2’), and cipherpoint, y0.
% 2. Compute (y1,y2) = [kB]y0.
% 3. Compute the message, M’ = (M1’,M2’), where
% M1’ = (y1)ˆ{-1}.C1’ mod p, and M2’ = (y2)ˆ{-1}.C2’ mod p.
% 3. Decrypt: d(y0,y1,y2) = (m1’,m2’)
% a) compute (c1,c2) = kb*y0
% b) compute m1’ = y1*c1ˆ{-1} mod p
% c) compute m2’ = y2*c2ˆ{-1} mod p
% find T = (c1,c2)
T = S;
for i = 1:kb, T = ptadd(T,S,a,p); end
Page 202
Appendix C Codes
% find Z = M’
[d0,d1,d2] = extdeuc(p,T(1));
D(1,1) = mod(d2,p);
[d0,d1,d2] = extdeuc(p,T(2));
D(1,2) = mod(d2,p);
clear M3 C3 = reshape(C2,h*w/2,2);
for i = 1:h*w/2,
M3(i,:) = mod(D.*C3(i,:),p);
end
M3 = reshape(M3,h,w);
figure(fig), fig = fig + 1; imshow(uint8(M3)),
title(‘Decrypted Watermarked Image Unpaired’),
clear C3 i
% 4. Attack point
% 8) Double watermarking and Decryption
% The previous was just for show, now we do the real
% double watermarking, as if A is trying to bury it’s wm.
DCTC4 = reshape(DCTC,h*w,1);
for j = 1:2,
% v’ = v(1 + aw)
if j == 1,
DCTC4(I) = DCTC4(I).*(1 + (alpha/2).*W(:,wn(j)));
else
DCTC4(I) = DCTC4(I).*(1 + alpha.*W(:,wn(j)));
end
end
C4 = idct2(reshape(DCTC4,h,w));
C4 = reshape(C4,h*w/2,2);
clear M4
for i = 1:h*w/2,
M4(i,:) = mod(D.*C4(i,:),p);
end
M4 = reshape(M4,h,w);
if corr2(M4,M) < 0.95, redo = 1; end
figure(fig), fig = fig + 1; imshow(uint8(M4)),
title(‘Doubly Watermarked Image’),
Page 203
C.4 Menezes-Vanstone Elliptic Curve Cryptosystem
clear DCTC4 C4 i j
end % end of redo loop
% 5. Detect
% First, make test set of singularly-watermarked images
for i = 1:ws,
DCTC5(:,i) = DCTC;
% v’ = v(1 + aw)
DCTC5(I,i) = DCTC5(I,i).*(1 + alpha.*W(:,i));
IDCTC5(:,:,i) = idct2(reshape(DCTC5(:,i),h,w));
end
for j = 1:ws,
C5 = reshape(IDCTC5(:,:,j),h*w/2,2);
for i = 1:h*w/2,
M5(i,:,j) = mod(D.*C5(i,:),p);
end
end
M5 = reshape(M5,h,w,ws);
clear DCTC5 IDCTC5 C5 i j D
% Second, detection by correlation of watermarked images
% First bit: correlation before attack and no post-processing
for i = 1:ws,
wmcorr1(i) = corr2(M3,M5(:,:,i));
end
figure(fig), fig = fig + 1;
stem(wmcorr1),
title(‘Correlation to 100 different watermarked images, before attack’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
% Second bit: correlation after attack and no post-processing
for i = 1:ws,
wmcorr2(i) = corr2(M4,M5(:,:,i));
end
figure(fig), fig = fig + 1;
stem(wmcorr2),
Page 204
Appendix C Codes
title(‘Correlation to 100 different watermarked images, after attack’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
% Third bit: correlation after attack and remove original image
M = reshape(M,h,w);
M4 = M4 - M;
for i = 1:ws,
wmcorr3(i) = corr2(M4,M5(:,:,i)-M);
end
figure(fig), fig = fig + 1;
stem(wmcorr3),
title(‘Correlation to 100 different watermarked images, after ...
attack, minus orig’)
xlabel(‘Randomly Watermarked Images’),
ylabel(‘Correlation to our watermarked image’)
C.5 Extraneous
C.5.1 POWMOD
Also know as exponentiation by squaring.
% z = powmod(x,y,p)
% MATLAB’s mod can’t handle big numbers, so I made one that can.
% p is the value to mod by
% x & y are two values that are normally powered together
% before mod-ing
% e.g. z = mod(xˆy,p)% now z = powmod(x,y,p)
% Based on square-and-multiply algorithm.
% Created By: Angela Wong
% Created On: 26/6/2003
% Last Modified: 09/12/2004
function [z,t] = powmod(x,y,p)
z = 1;
while y ~= 0,
Page 205
C.5 Extraneous
while (mod(y,2) == 0),
y = y./2;
x = mod(x.ˆ2,p);end
y = y - 1;
z = mod(z.*x,p);
end
C.5.2 RANDPRIME
%RANDPRIME Generate random prime numbers.
% Written by Angela Wong @ Centre for Internet Research, Uni of Adelaide.
% Last updated 26/11/03.
%
% RANDPRIME produces a random prime number using RANDSEED. This is the
% only time RANDPRIME uses RANDSEED.
%
% RANDPRIME(RMIN) returns a random prime number from the range
% [RMIN, 2ˆ32-5].%
% RANDPRIME(RMIN,RMAX) returns a random prime number from the range
% [RMIN, RMAX].
%
% RANDPRIME(RMIN,RMAX,Q) returns a random prime number from the range
% [RMIN, RMAX], with the condition Q. Q can be scalar or a vector.
% Entries for Q are as follows.
% Q Condition
% -------------------------
% 0 Returns q = 2p-1, where p is also a prime.
%
% This generator can generate any prime on the closed interval
% [3, 2ˆ17-1].%
% The state of this generator is the same as that of RANDSEED.
%
% See also RAND, RANDSEED, PRIMES, ISPRIMES.
function X = RANDPRIME(varargin)
% Basic function setup.
error(nargchk(0,3,nargin));
Page 206
Appendix C Codes
switch nargin
case 0,
X = randseed;
case 1,
C = primes(2ˆ17-1);D = C(find(C>=varargin1));
X = D(randint(1,1,[1 length(D)]));
case 2,
C = primes(2ˆ17-1);D = C(find(C>=varargin1 & C<=varargin2));
X = D(randint(1,1,length(D))+1);
case 3,
C = primes(2ˆ17-1);D = C(find(C>=varargin1 & C<=varargin2));
for i = 1:length(D)
if isprime((D(i)-1)/2)
B(i) = D(i);
else
B(i) = 0;
end
end
C = B(find(B =0));
D = rand(length(C),1);
[B,I] = sort(D);
X = C(I(1));
end
C.5.3 EXTDEUC
% EXTDEUC Apply Extended Euclidean Algorithm
% Written by Angela Wong @ Centre for Internet Research, Uni of Adelaide.
% Last updated 31/08/04.
%
% [D,X,Y] = EXTDEUC(A,B) where A > B, and returns D, X, Y according to
% extended euclidean algorithm:
% D = GCD(A,B), and
% D = A X + B Y.
%
% See also GCD MOD.
Page 207
C.5 Extraneous
function [d,x,y] = EXTDEUC(a,b)
c = a;
if a < b,
a = b; b = c;
end
if b == 0,
d = a;
x = 1;
y = 0;
else
x1 = 0;
x2 = 1;
y1 = 1;
y2 = 0;
while b > 0,
q = floor(a/b);
r = a - q*b;
x = x2 - q*x1;
y = y2 - q*y1;
a = b;
b = r;
x2 = x1;
x1 = x;
y2 = y1;
y1 = y;
end
d = mod(a,b);
x = mod(x2,b);
y = mod(y2,b);
end
Page 208
Bibliography
ANDERSON-R. J., KUHN-M. G., AND PETITCOLAS-F. A. (1998a). Attacks on Copyright Marking Sys-
tems, Second Workshop on Information Hiding, Vol. 1525 of Lecture Notes in Computer Science,
Portland, Oregon, USA, pp. 218–238.
ANDERSON-R. J., KUHN-M. G., AND PETITCOLAS-F. A. (1998b). Attacks on copyright marking sys-
tems, in D. Aucsmith. (ed.), Second International Workshop on Information Hiding, IH’98, Vol.
1525 of Lecture Notes in Computer Science, Springer-Verlag, Portland, Oregon, USA, pp. 218–
238.
ANDERSON-R. J., KUHN-M. G., AND PETITCOLAS-F. A. (1999). Information Hiding — A Survey, in
B. Macq. (ed.), Proceedings of the IEEE, Vol. 87(7), pp. 1062–1078. Special Issue on Identification
& Protection of Multimedia Information.
ARAKI-K., SATOH-T., AND MIURA-S. (1998). Overview of Elliptic Curve Cryptography, in H. Imai.,
and Y. Zheng. (eds.), Proceedings of the First International Workshop on Practice and Theory in
Public Key Cryptography: Public Key Cryptography, Vol. 1431 of Lecture Notes In Computer
Science, Springer–Verlag, pp. 29–49.
ATKIN-A. O. L. (1992). The number of points on an elliptic curve modulo a prime (ii), Draft.
AUSTRALIAN COMMONWEALTH GOVERNMENT. (1968). Copyright Act 1968, http://www.austlii.
edu.au/au/legis/cth/consol act/ca1968133/. Legislation.
AUSTRALIAN COMMONWEALTH GOVERNMENT. (1999). Electronic Transactions Act 1999, http://
www.austlii.edu.au/au/legis/cth/consol act/eta1999256/. Legislation.
AUSTRALIAN COMMONWEALTH GOVERNMENT. (2000). Copyright Amendment (Digital Agenda)
Act 2000, http://www.austlii.edu.au/au/legis/cth/num act/caaa2000n1102000321/. Leg-
islation.
AUSTRALIAN COMMONWEALTH GOVERNMENT. (2001). Cybercrime Act 2001, http://www.austlii.
edu.au/au/legis/cth/consol act/ca2001112/. Legislation.
BARNI-M., BARTOLINI-F., AND PIVA-A. (2001). Improved Wavelet-Based Watermarking Through
Pixel-Wise Masking, IEEE Transactions on Image Processing, 10(5), pp. 783–791.
BECKER-D. (2003). “hulk” pirate faces three years, http://zdnet.com.com/2102-1105 2-1021005.
html.
BENDER-W., GRUHL-D., MORIMOTO-N., AND LU-A. (1996). Techniques for Data Hiding, IBM Sys-
tems Journal, 35(3&4), pp. 313–336.
BLOOM-J., AND POLYZOIS-C. (2004). Watermarking to Track Motion Picture Theft, Proceedings of the
Thirty-Eighth Asilomar Conference on Signals, Systems, and Computers, Vol. 1, Pacific Grove,
CA, USA, pp. 363–367.
Page 209
Bibliography
BLOOM-J., COX-I., AND MILLER-M. (2001a). Digital Watermarking, Morgan Kaufmann Publishers,
Inc., San Francisco, CA, USA.
BLOOM-J., MILLER-M., AND COX-I. (2001b). Digital Watermarking, Morgan Kaufmann Publishers,
Inc., San Francisco, CA, USA, chapter 1.
BONEH-D., AND SHAW-J. (1996). Collusion-Secure Fingerprinting for Digital Data, Unpublished.
BORLAND-J. (2003). Shift key breaks CD copy locks, http://news.com.com/Shift+key+breaks+CD+
copy+locks/2100-1025 3-5087875.html.
BRASSIL-J. T., LOW-S., MAXEMCHUK-N. F., AND O’GORMAN-L. (1995). Electronic Marking and
Identification Techniques to Discourage Document Copying, IEEE Journal on Selected Areas in
Communications, 13(4), pp. 1495–1504.
BURNETT-A., WINTERS-K., AND DOWLING-T. (2002). A java implementation of an elliptic curve
cryptosystem, Principles and Practice of Programming in Java 2002 (PPPJ‘02), Trinity College,
Dublin, Ireland, pp. 83–88.
BUTLER-R. W. (2003). Movie industry battles film piracy on many fronts, http://www.kansascity.
com/mld/kansascitystar/6141893.htm.
BYERS-S., CRANOR-L., CRONIN-E., KORMAN-D., AND MCDANIEL-P. (2003). Analysis of Security
Vulnerabilities in the Movie Production and Distribution Process, Proceedings of 2003 ACM
Workshop on Digital Rights Management (DRM 2003), Washinton DC, USA.
CARONNI-G. (1995). Assuring Ownership Rights for Digital Images, in H. H. Bruggemann., and
W. Gerhardt-Hackl. (eds.), Proceedings of Reliable IT Systems VIS’95, Vieweg Publishing Com-
pany, Germany.
CHANG-C.-C., HWANG-M.-S., AND CHEN-T.-S. (2001). A new encryption algorithm for image cryp-
tosystems, Journal of Systems and Software, 58(2), pp. 83–91.
CHENG-H., AND LI-X. (2000). Partial encryption of compressed images and videos, Proceedings of
the IEEE Transactions on Signal Processing, Vol. 48(8), pp. 2439–2451.
CHOI-H., LEE-K., AND KIM-T. (2004). Transformed-Key Asymmetric Watermarking System, IEEE
Signal Processing Letters, 11(2), pp. 251–254.
CHOUINARD-J.-Y., GEORGANAS-N., AND GEORGE-M. (1999). Digital Watermarking of Images and
Video using Direct Sequence Spread Spectrum Techniques, Proceedings of the 1999 IEEE Cana-
dian Conference on Electrical and Computer Engineering, Shaw Conference Center, Edmonton,
Alberta, Canada.
CNN (2003). Hollywood alters movies to foil camcorder pirates, http://www2.cnn.com/2003/TECH/
biztech/04/19/camcorder.piracy.ap.
COSTELLO-S. (2001). RIAA Silences Security Code Crackers, http://www.pcworld.com/resource/
printable/article/0,aid,48546,00.asp.
COUVEIGNES-J.-M. (1994). Quelques calculs en theorie des nombres, PhD thesis, Universite de Bor-
deaux I.
Page 210
Bibliography
COX-I. J., KILIAN-J., LEIGHTON-T., AND SHAMOON-T. (1995). Secure Spread Spectrum Watermark-
ing for Multimedia, Technical Report 95–10, NEC Research Institute, Princeton, NJ, USA.
CROWCROFT-J., PERKINS-C., AND BROWN-I. (2000). A Method and Apparatus for Generating Multi-
ple Watermarked Copies of an Information Signal, Patent 00/56059.
DEAN-K. (2003). Court Hears DVD Copying Dispute, http://www.wired.com/news/digiwood/0,
1412,58845,00.html.
DEL REY-A. M. (2004). A Novel Cryptosystem for Binary Images, Studies in Informatics and Control.
DUGELAY-J.-L., AND PETITCOLAS-F. A. (2000). Possible counter-attacks against random geometric
distortions, in P. W. Wong., and E. J. Delp. (eds.), Proceedings of SPIE Conference on Electronic
Imaging: Security and Watermarking of Multimedia Contents II, Vol. 3971, San Jose, California,
USA.
EGGERS-J. J., AND GIROD-B. (2001). Quantization Effects on Digital Watermarks, Signal Processing,
81(2), pp. 239–263.
EGGERS-J. J., SU-J. K., AND GIROD-B. (2000). Asymmetric watermarking schemes, Sicherheit in
Netzen und Medienstr omen: Tagungsband des GI Workshops ”Sicherheit in Mediendaten”,
Springer Reihe: Informatik Aktuell, Berlin, Germany.
ELGAMAL-T. (1985). A Public Key Cryptosystem and a Signature Scheme Based on Discrete Loga-
rithms, IEEE Transactions on Information Theory, 31(4), pp. 469–472.
GAUDRY-P. (2000). An algorithm for solving the discrete log problem on hyperelliptic curves, Pro-
ceedings of the Advances in Cryptology (EUROCRYPT 2000) International Conference on the
Theory and Application of Cryptographic Techniques, 1807, pp. 19–34.
GAUDRY-P. (2004). Index calculus for abelian varieties and the elliptic curve discrete logarithm prob-
lem, Cryptology ePrint Archive: Report 2004/073.
GEORGE-M., CHOUINARD-J.-Y., AND GEORGANAS-N. (1999). Spread Spectrum Spatial and Spec-
tral Watermarking for Images and Video, Proceedings of the 1999 IEEE Canadian Workshop in
Information Theory (CWIT’99), Kingston, Ontario, Canada.
GIROD-B., AND HARTUNG-F. (1998). Watermarking of Uncompressed and Compressed Video, Euro-
pean Association for Signal Processing (EURASIP), 66(3), pp. 283–301.
GIROD-B., HARTUNG-F., AND SU-J. K. (1999). Spread Spectrum Watermarking: Malicious Attacks
and Counterattacks, Proceedings of SPIE, Vol. 3657, San Jose, CA, USA, pp. 147–158.
GLASNER-J. (2002). Harry Potter in Theaters, Online, http://www.wired.com/news/technology/0,
1294,56400,00.html.
GROSSMAN-W. M. (2001). To Protect and Self-Serve, http://www.sciam.com/article.cfm?
articleID=000B17E8-7A09-1C70-84A9809EC588EF21.
HACHEZ-G., AND QUISQUATER-J.-J. (2002). Which directions for asymmetric watermarking?, Pro-
ceedings of the 11th European Signal Processing Conference (EUSIPCO 2002), Vol. 1, Toulouse,
France, pp. 283–286.
Page 211
Bibliography
HANKERSON-D., HERNANDEZ-J. L., AND MENEZES-A. (2000). Software Implementation of Ellip-
tic Curve Cryptography Over Binary Fields, Proceedings of the Second International Workshop
on Cryptographic Hardware and Embedded Systems, Vol. 1956 of Lecture Notes In Computer
Science, pp. 1–24.
HARTUNG-F. H., AND GIROD-B. (1997). Fast Public-Key Watermarking of Compressed Video, Pro-
ceedings of IEEE International Conference on Image Processing (ICIP’97), Vol. I, Santa Barbara,
CA, USA, pp. 528–531.
HEMBROOKE-E. F. (1961). Identification of sound and like signals, United States Patent, No. 3,004,104.
IBM RESEARCH. (1999). Galaxy Proposal for DVD Copy Protection, http://www.trl.ibm.com/
projects/RightsManagement/datahiding/dhvg2 e.htm.
KAZAKEVICIUTE-G., JANUSKEVICIUS-E., ROSENBAUM-R., AND SCHUMANN-H. (2005). Tamper-
Proof Image Watermarking, Based on Existing Public Key Infrastructure, INFORMATICA, 16(1),
pp. 75–92.
KESDEN-G. (2000). 15–412 Operating Systems: Design and Implementation, Lecture 33, http:
//www-2.cs.cmu.edu/∼dst/DeCSS/Kesden/.
KETOLA. (1999). DeCSS causes a huge fuss, http://www.afterdawn.com/news/archive/363.cfm.
KILLERMOVIES. (2003). “Two Towers” Oscar DVDs Pirated In The UK, http://www.killermovies.
com/l/lotrthetwotowers/articles/2718.html.
KIM-G., SHIN-D., AND SHIN-D. (2004). An Effective Adaptation of Encryption on MPEG-4 Video
Streams for Digital Rights Management in an Ubiquitous Computing Environment, Embedded
and Ubiquitous Computing, 3207, pp. 642–651.
KING-G., LAI-M., AND YANG-A. (1999a). CSS Demystified, http://cse.stanford.edu/class/
cs201/projects-99-00/dmca-2k/css.html.
KING-G., LAI-M., AND YANG-A. (1999b). Macrovision Demystified, http://cse.stanford.edu/
class/cs201/projects-99-00/dmca-2k/macrovision.html.
KONTZER-T. (2001). Hollywood Goes Internet, http://www.informationweek.com/story/
IWK20011108S0015. InformationWeek.com.
KUTTER-M. (1998). Watermarking resisting to translation, rotation and scaling, in A. G. Tescher.,
B. Vasudev., V. M. Bove Jr.., and B. Derryberry. (eds.), Proceedings of the SPIE International Sym-
posium on Voice, Video, and Data Communications, Conference on Multimedia Systems and
Applications, Vol. 3528, The International Society for Optical Engineering, Boston, MA, USA,
pp. 423–431.
LAM-K.-Y., LING-S., AND HUI-L. C.-K. (1996). Efficient Generation of Elliptic Curve Cryptosystems,
in J.-Y. Cai., and C. K. Wong. (eds.), Proceedings of the Second Annual International Conference
on Computing and Combinatorics, COCOON ’96, Vol. 1090 of Lecture Notes in Computer Sci-
ence, Springer, Hong Kong, pp. 411–416.
Page 212
Bibliography
LANGELAAR-G. C., VAN DER LUBBE-J. C. A., AND LAGENDIJK-R. L. (1997). Robust Labeling Meth-
ods for Copy Protection of Images, Proceedings of SPIE Conference on Storage and Retrieval for
Image and Video Databases V, Vol. 3022, San Jose, CA, USA, pp. 298–309.
LAWLOR-D. (2001). New Coalition Developing DVD Watermark, http://www.cdmediaworld.com/
hardware/cdrom/news/0105/dvd watermark.shtml.
LEI-C.-L., YU-P.-L., TSAI-P.-L., AND CHAN-M.-H. (2004). An Efficient and Anonymous Buyer-Seller
Watermarking Protocol, IEEE Transactions on Image Processing, 13(12), pp. 1618–1626.
LIN-G.-S., CHANG-H. T., LIE-W.-N., AND CHUANG-C.-H. (2003). Public-key-based optical image
cryptosystem based on data embedding techniques, SPIE Journal on Optical Engineering, 42(8),
pp. 2331–2339.
LINNARTZ-J.-P. M. G. (1998). The “Ticket” Concept for Copy Control Based on Embedding Signalling,
European Symposium on research in Computer Security (ESORICS) ’98, Vol. 1485 of Lecture
Notes in Computer Science, Springer, Louvain-La-Neuve, pp. 257–274.
LI-S., AND ZHENG-X. (2002). Cryptanalysis of a chaotic image encryption method, Proceedings of
2002 IEEE International Symposium on Circuits and Systems (ISCAS 2002), Vol. II, Scottsdale,
Arizona, USA, pp. 708–711.
LI-S., ZHENG-X., MOU-X., AND CAI-Y. (2002). Chaotic Encryption Scheme for Real-Time Digital
Video, in N. Kehtarnavaz. (ed.), Proceedings of the SPIE Conference on Real-Time Imaging VI,
Vol. 4666 of SPIE – The International Society for Optical Engineering, San Jose, California, USA,
pp. 149–160.
LYMAN-J. (2002). Pirated Star Wars Movie Now Showing on Internet, http://www.newsfactor.com/
perl/story/17714.html.
MATSUI-K., AND TANAKA-K. (1994). Video-Steganography: How to Secretly Embed a Signature in a
Picture, Proceedings of IMA Intellectual Property, Vol. 1, pp. 187–206.
MCCULLAGH-D. (2003). States add stricter copyright laws, http://zdnet.com.com/
2100-1104-994667.html.
MCKEE-J. (1999). Speeding Fermat’s factoring method, Mathematics of Computation, 68(228),
pp. 1729–1737.
MEDIALINE NEWS. (2002). BSA: Global Piracy Rate Increases to 40 Percent, http://www.
medialinenews.com/issues/2002/june/news0612 5.shtml.
MEEL-P. J. (1999). Spread Spectrum (SS) — An Introduction, http://www.sss-mag.com/pdf/Ss jme
denayer intro print.pdf.
MEERWALD-P., AND UHL-A. (2001). A Survey of Wavelet-domain Watermarking Algorithms, in P. W.
Wong., and E. J. Delp. (eds.), Proceedings of SPIE, Electronic Imaging, Security and Watermark-
ing of Multimedia Contents III, Vol. 4314, SPIE, San Jose, CA, USA.
MILLER-M. L., COX-I. J., AND BLOOM-J. A. (1999). Watermarking in the Real World: An Application
to DVD, Thirty-third Asilomar Conference on Signals, Systems, and Computers, Vol. 2, IEEE,
Pacific Grove, CA, USA, pp. 1496–1502.
Page 213
Bibliography
MILLER-V. S. (1985). Use of elliptic curves in cryptography, Advances in cryptology—CRYPTO 85,
Vol. 218 of Lecture notes in computer sciences, Springer-Verlag New York, Inc., New York, NY,
USA, pp. 417–426.
MOTION PICTURE ASSOCIATION OF AMERICA. (2005). Worldwide Study of Losses to the Film
Industry & International Economies Due to Piracy; Pirate Profiles, http://www.mpaa.org/
2006 05 03leksumm.pdf. Last Checked: December 14 2006.
MOTION PICTURE ASSOCIATION OF AMERICA. (n.d.). Legal Cases, http://www.mpaa.org/
newsStand Legal.asp.
NATIONAL SECURITY AGENCY. (2005). Suite B, http://www.nsa.gov/ia/industry/crypto suite b.
cfm.
OKEYA-K., AND SAKURAI-K. (2000). Power analysis breaks elliptic curve cryptosystems even secure
against the timing attack, Progress in Cryptology-INDOCRYPT, 1977, pp. 178–190.
OLSEN-S. (2003). Lights go up on CinemaNow-MGM Deal, http://news.com.com/Lights+go+up+
on+CinemaNow-MGM+deal/2100-1025 3-998800.html. CNET News.com.
OSBOURNE-D. (2005). Embedded Watermarking for Image Verification in Telemedicine,
PhD thesis, Electrical and Electronic Engineering, University of Adelaide, Adelaide, SA,
Australia. http://thesis.library.adelaide.edu.au/uploads/approved/adt-SUA20060222.
094710/public/02whole.pdf.
PAILLIER-P. (1999). Public key cryptosystems based on composite degree residuosity classes, in
J. Stern. (ed.), Proceedings of Advances in Cryptology – Eurocrypt’99, Vol. 1592 of Lecture Notes
on Computer Science.
PATRIZIO-A. (1999). Why the DVD Hack Was a Cinch, http://www.wired.com/news/technology/0,
1282,32263,00.html.
PETITCOLAS-F. A. P. (2000). Watermarking schemes evaluation, IEEE Signal Processing, 17(5), pp. 58–
64.
PIRACYISACRIME.COM. (2005). The fight back against DVD piracy, http://www.piracyisacrime.
com/press/pdfs/ipac 8pp brochure.pdf.
PITAS-I., AND KASKALIS-T. (1995). Applying Signatures on digital images, Proceedings of IEEE Work-
shop on Nonlinear Signal and Image Processing, Neos Marmaras, Halkidiki, Greece, pp. 460–463.
PIVA-A., BARTOLINI-F., AND BARNI-M. (2002). Managing Copyright in Open Networks, IEEE Inter-
net Computing, 6(3), pp. 18–26.
QIAO-L., AND NAHRSTEDT-K. (1997a). A New Algorithm for MPEG Video Encryption, Proceedings
of the First International Conference on Imaging Science, Systems, and Technology (CISST’97),
Las Vegas, Nevada, USA.
QIAO-L., AND NAHRSTEDT-K. (1997b). Is MPEG Encryption by Using Random List Instead of Zigzag
Order Secure?
Page 214
Bibliography
RABIN-M. (1979). Digital Signatures and Public-Key Infrastructure as Intractable as Factorization,
MIT Laboratory for Computer Science.
REGAN-K. (2006). Disney, iTunes Partnership Off to a Rousing Start, http://www.macnewsworld.com/
story/53134.html.
RIVEST-R. L., SHAMIR-A., AND ADLEMAN-L. (1978). A method for obtaining digital signatures and
public-key cryptosystems, Communications of the ACM, 21(2), pp. 120–126.
ROSING-M. (1999). Implementing elliptic curve cryptography, Manning Publications Co., Greenwich,
CT, USA.
ROUSH-W. (2002). The Death of Digital Rights Management?, http://www.technologyreview.com/
articles/innovation10302.asp. Publicly accessed.
SCHOOF-R. (1985). Elliptic curves over finite fields and the computation of square roots mod p, Math-
ematics of Computation, 44(170), pp. 483–494.
SCHOOF-R. (1995). Counting points on elliptic curves over finite fields, Journal de Theorie des Nom-
bres de Bourdeaux 7, pp. 219–254.
SCHWARTZ-J. (2003). Hollywood Faces Online Piracy, but It Looks Like an Inside Job,
http://www.nytimes.com/2003/09/15/technology/15MOVI.html?ex=1378958400&en=
5ff2b9031c983a39&ei=5007&partner=USERLAND.
SHANKS-D. (1971). Class number, a theory of factorization and genera, Proceedings of the Sympo-
sium on Pure Mathematics, Vol. 20 of 1969 Institute on Number Theory, American Mathematics
Society, Providence, RI, USA, pp. 415–440.
SHEPPARD-N. P., SAFAVI-NAINI-R., AND OGUNBONA-P. (2004). Secure Multimedia Authoring with
Dishonest Collaborators, EURASIP Journal on Applied Signal Processing, 2004(14), pp. 2214–
2223. doi:10.1155/S1110865704401085.
SHOUP-V. (1997). Lower bounds for discrete logarithms and related problems, Proceedings of the In-
ternational Conference on the Theory and Application of Cryptographic Techniques (Eurocrypt
’97), 1233, pp. 256–266.
SILVERMAN-J., AND TATE-J. (1992). Rational Points on Elliptic Curves, Springer-Verlag Inc., New
York.
SMITH-J. R., AND COMISKEY-B. O. (1996). Modulation and Information Hiding in Images, Workshop
on Information Hiding, Vol. 1174 of Lecture Notes in Computer Science, Springer-Verlag, Isaac
Newton Institute, University of Cambridge, UK.
STEVENSON-F. A. (1999). Cryptanalysis of Contents Scrambling System, http://www.insecure.org/
news/cryptanalysis of contents scrambling system.htm.
TANAKA-K., NAKAMURA-Y., AND MATSUI-K. (1990a). Embedding Secret Information into a
Dithered Multi-level Image, Proceedings of 1990 IEEE Military Communications Conference,
pp. 216–220.
Page 215
Bibliography
TANAKA-K., NAKAMURA-Y., AND MATSUI-K. (1990b). New Integrated Coding Schemes for
Computer-Aided Facsimile, International Conference on Systems Integration ICSI 1990, pp. 275–
281.
THE FEDERATION AGAINST COPYRIGHT THEFT (FACT). (2005a). Media Centre/ Press Releases,
http://www.fact-uk.org.uk/site/media centre/pressreleases.htm.
THE FEDERATION AGAINST COPYRIGHT THEFT (FACT). (2005b). Media Centre/ Statistics, http:
//www.fact-uk.org.uk/site/media centre/dvd seiz 0405.htm.
TORII-N., AND YOKOYAMA-K. (2000). Elliptic Curve Cryptosystem, Fujitsu Scientific & Technical
Journal, 36(2), pp. 140–146.
TURNER-L. F. (1989). Digital Data Security System, Patent IPN WO 89/08915.
US COPYRIGHT OFFICE. (1998). Digital Millenium Copyright Act of 1998, http://www.copyright.
gov/legislation/dmca.pdf. Legislation.
VAN SCHYNDEL-R. G., TIRKEL-A. Z., AND OSBORNE-C. F. (1994). A Digital Watermark, Proceedings
of IEEE International Conference on Image Processing, Vol. 1, pp. 86–90.
VON LOHMANN-F. (2003). State “Super-DMCA” Legislation: MPAA’s Stealth Attack on Your Living
Room, http://www.efg.org/IP/DMCA/states/200304 sdmca eff analysis.php.
WIENER-M. J. (1990). Cryptanalysis of Short RSA Secret Exponents, IEEE Transactions on Information
Theory, 36(3), pp. 553–558.
WIENER-M. J., AND ZUCCHERATO-R. J. (1999). Faster Attacks on Elliptic Curve Cryptosystems, in
S. Tavares., and H. Meijer. (eds.), Selected Areas in Cryptography: 5th Annual International
Workshops (SAC’98), Vol. 1556 of Lecture Notes in Computer Science, Springer, Kingston, On-
tario, CANADA, pp. 190–200.
WOLFGANG-R. B., PODILCHUK-C. I., AND DELP-E. J. (1999). Perceptual Watermarks for Digital
Images and Video, in B. Macq. (ed.), Proceedings of the IEEE, Vol. 87(7), pp. 1108–1126. Special
Issue on Identification & Protection of Multimedia Information.
XU-X., DEXTER-S. D., AND ESKICIOGLU-A. M. (2004). A hybrid scheme for encryption and water-
marking, in E. J. Delp., and P. W. Wong. (eds.), Proceedings of the SPIE Conference on Security,
Steganography, and Watermarking of Multimedia Contents, Vol. 5306, SPIE, San Jose, CA, USA,
pp. 725–736.
YANG-J., LIU-Q., TAN-G., AND MING-H. (2003). Elliptic curve cryptographic watermark technique,
in H. Lu., and T. Zhang. (eds.), Proceedings of SPIE, Vol. 5286 of Third International Symposium
on Multispectral Image Processing and Pattern Recognition, Beijing, China, pp. 155–158.
YEN-J.-C., AND GOU-J.-I. (2000). A new chaotic key-based design for image encryption and decryp-
tion, Proceedings of the 2000 IEEE International Symposium on Circuits and Systems (ISCAS
2000), Vol. 4, Geneva, Switzerland, pp. 49–52.
YU-P. K. (2002). How The Motion Picture And Recording Industries Are Losing The Copyright War
By Fighting Misdirected Battles, FindLaw’s Writ: Legal Commentary.
Page 216
Appendix C Bibliography
ZHANG-J., KOU-W., AND FAN-K. (2006). Secure buyer-seller watermarking protocol, IEE Proceedings
on Information Security, Vol. 153(1), pp. 15–18.
ZHOU-Y. (2000). Copyright Protection of compressed Video Using DCT-based Watermarking Tech-
nology, citeseer.ist.psu.edu/401180.html.
Page 217