Digital image watermarking: its formal model, fundamental properties and possible attacks

Watermark generation, G(·)

This function generates a suitable watermark according to the watermarking objectives in an application. In a simple data-hiding application, a watermark can be the embedding-data (e.g., message, m, other image data, j) itself (along with any side information). In an advanced application, a watermark may require to have certain properties (depending upon the watermarking objectives). For example, in a copyright protection application, a watermark may need to be ‘robust’ against certain processing techniques and/or attacks. (We will discuss the ‘robustness’ property in detail in section 4.5). Failure to consider those properties may result in technical flaws and security vulnerabilities. Although watermark generation is mainly constrained by the required properties, it starts with necessary inputs and their properties. For an image application, the generation function, G(·), can take image data, i, and message, m and/or other image data, j as input, and outputs a watermark, w.

Watermark embedding, E(·)

As the data-hiding component, watermark embedding function considers where and how to embed the watermark satisfying various requirements of the cover objects (here, digital images). For example, ‘perceptual similarity’ requirements (that control which pixels can be modified to what extent) of medical images may limit the embedding region [17]. (We will discuss the ‘perceptual similarity’ property in detail in section 4.1.) There are different domains (e.g., spatial, transform) for embedding, which are computed directly from an input image. Embedding types may also be different (e.g., invisible, invertible or reversible, blind, etc. - will be discussed in section 4). Irrespective of the embedding region, domain and type, however, an embedding function E(·) can take a watermark, w and the original image data, i as input to output the watermarked image data, ī.

Watermark detection D(·)

This function helps make an objective decision (e.g., to declare whether the content is authentic) and/or initiate further actions (e.g., to extract the embedded data, to engage and retain users of the watermarked objects). In different application scenarios, the additional tasks may vary and depend on the binary decision (i.e, pass or fail). The basic idea is that D(·) extracts the embedded watermark and regenerates another version of the watermark, from the inputs. If the regenerated version matches the extracted version, a pass signal is returned. (The pass signal is considered to pass the parameters such as the valid watermark, the estimated image data, etc. to its dependent module that performs the additional tasks, which will be shown later in Figure 2.) Otherwise, a failure is output. The main constraints for this function thus can be the minimum error probabilities (e.g., false negative/positive rates) and computation time. Like the functions, G(·) and E(·), the internal design of D(·) can also vary, but it generally takes watermarked image data, ī, original image data, i and a watermark, w to yield either an estimated image data, ĩ, message $\tilde{m}$ and other image data, $\tilde{j}$, or a failure, ⊥.

It is worth noting here that we consider the original (unwatermarked) version of an image as the input image for the watermarking functions. In most cases, original images are used for watermarking. However, there may be cases where a (valid) watermarked version of an image can be used as an input image. For example, to update/re-embed a watermark in an existing watermarked image, one may need to use the present (or any earlier) watermarked version, rather than using the original image. It depends upon the application scenario which version of images are to be used (and how any restrictions on using them should be dealt with). However, this variation (in input image versions) can be studied as a special case of the proposed model, where the model may accept either an original image or its existing watermarked versions as an input. Therefore, we consider the fundamental scenario for the proposed model, where an (original) image is watermarked for the first time.

The construction of the above basic model is suitable for realizing a basic watermarking scenario, but it may not be sufficient to capture the recent watermarking advances. Although study of a complete watermarking model is still lacking, many advances are evident [18–22] in the present watermarking context. For example, the concepts of using keys and deploying cryptographic techniques are prominent in addressing different levels of security in various application scenarios such as content/owner authentication and copy control. Such developments help obtain the combined benefits from the fusion of data hiding and cryptographic techniques.

Definition 4.1(Perceptual similarity).

Any two images, i₁ and i₂, are said to be (d,t)perceptually similar, if d _j (i₁,i₂)≤t _j for all similarity measures d _j ∈ d≡{d₁,d₂,⋯,d _n } and thresholds t _j ∈ t≡{t₁,t₂,⋯,t _n }.

Various measures are used to quantify the requirements for the perceptual similarity. For example, correlation quality (CQ), signal to noise ratio (SNR), peak or weighted SNR (PSNR or WPSNR), mean square error (MSE), structural similarity index (SSIM), mean or weighted SSIM (MSSIM or WSSIM), normalized cross-correlation (NCC), etc. However, no globally agreed and effective measures for visual quality currently exist [24]. In addition, not all the measures give the similar estimation. Therefore, we define perceptual similarity by defining a similarity measure, which is a set of n-suitable measures that help quantify the perceptual distance between two images. Now, we define two images to be perceptually similar (or imperceptible) for an acceptable value returned by all suitable measures defined for similarity.

As an example to use the above definition, we may consider two measures (i.e., n=2): PSNR and MSSIM, for the similarity measure, d such that d₁=PSNR and d₂=MSSIM. The given thresholds are t₁=60 (dB) and t₂=0.995. Two images i₁ and i₂ are said to be perceptually similar if both d₁(i₁,i₂)≥60 and d₂(i₁,i₂)≥0.995 are satisfied.

Definition 4.2(Visibility).

A watermarking scheme is called visible or perceptible, if E(·) embeds a given watermark, w, into an image, i, such that the w appears at least noticeably in ī. That is, |E _e (i,w)−i|=α w for all i, w. Here, α is weight factor that controls the degree of visibility.

A watermarking scheme is called invisible or imperceptible, if E(·) embeds w into i such that the ī is perceptually similar to the original image, i. That is E _e (i,w)≈i for all i, w.

Although the visibility and perceptual similarity properties share some perceptual aspects of a watermarked image, they need not be confused with each other. As stated in Definition 4.1, the perceptual similarity property determines if an original image and its watermarked version remain ‘perceptually’ the same. On the other hand, Definition 4.2 states that a visible watermark appears on a watermarked image with a predefined degree of visibility, α, and thus strictly speaking for the visible watermarking, the watermarked image is not perceptually similar to the original image. Perceptual similarity property is thus studied for the invisible watermarking schemes

An invisible watermarking scheme usually differs from a visible watermarking scheme, not only in the visibility factor, but also in their embedding processes. Invisible embedding of a watermark aims at keeping the perceptual difference (resulting from the embedding distortion) at a ‘minimum’ level such that the watermarked and original images remain perceptually the same. Their perceptual similarity is verified by quantifying the perceptual difference using similarity measures. The commonly used similarity measures do not indicate any subjective quality degradation, rather they quantify the overall perceptual difference either by their local (e.g., block-wise or kernel-based) or global (e.g., whole image based) operations. As a result, the defined perceptual similarity does not directly indicate whether a watermarking scheme is visible or invisible. However, for an invisible watermarking scheme, the quantified perceptual difference between an original image and its watermarked version would naturally be much lower than that for a visible watermarking scheme.

In short, an invisible scheme may be considered a variant of visible watermarking with a ‘negligible’ (i.e., approaching zero) α, and having an additional (and even more strict) perceptual similarity requirement. Visible watermarking is present in a few applications such as video broadcasting. However, recent research is mainly focussed on invisible watermarking with a high perceptual similarity in various image applications [25–41].

Definition 4.3(Blindness).

We note here that strictly speaking, the detection function D(·) and the extraction function X(·) must have all three inputs: ī, i, and w. However, for instances of blind and semi-blind watermarking, some inputs (e.g., i and w) are not used in D(·) and X(·), and thus, they can be optionally omitted.

It can also be noted that the blindness property, as defined in Definition 4.3 in terms of the watermark detection and extraction functions, can also be considered for the watermark generation function. A non-blind (ie, an original image dependent) G can be helpful in resisting copy attacks (that aims at counterfeiting the D(·) for any invalid modifications, or invalid watermarked images; see section 5.1.6 for the definition of copy attack). The blindness for D is also important, where availability of the original image, watermark or other side information at D(·) can thwart watermarking objectives. Blind and non-blind watermarking schemes are sometimes confused with private and public watermarking, respectively. However, we insist on defining a watermarking scheme to be private and public in terms of their keys (as defined in section 3.2) to avoid any confusion.

Definition 4.4(Invertibility)

A watermarking scheme is invertible ( or reversible or lossless) if the inverse of E is computationally feasible to compute and is used in D to estimate an exact original image, i, from the respective watermarked image, ī. Otherwise, the scheme is called non-invertible watermarking scheme.

From the above definition, if E _e (i,w)=ī, then for an invertible watermarking scheme, $E_e^{-1}$ the detection must exist and satisfy $E_e^{-1}\left(ī\right)=\left(i,w\right)$. Therefore, such watermarking schemes can be either blind or a semi-blind (according to Definition 4.3). Since, in image applications, an invertible watermarking scheme is mainly designed to reverse the effect of embedding on the original image, the embedding function is only considered to define invertibility of the scheme. However, the concept of an invertible function can also be extended for X, if an invertible G(·) is computationally feasible.

Definition 4.5(Processed image).

A processed image is an image that is not essentially perceptually similar to its original, but a certain amount of distortion, δ is incurred by a processing technique, p ∈ P. That is, if any image, $l\in \mathbb{I}$ is processed by p then, for the processed image, p(l) the following is true: p(l)=l+δ. Here, P is the set of applicable processing techniques for an application such that $P\subset \mathbb{P}$, where is the space of processing techniques.

It is worth noting that, in our earlier work [2, 61], we aimed at avoiding any confusion between the robustness and security properties and considered that a processed image is not perceptually similar to its unprocessed version. That consideration was based on the assumption that only an adversary may want to process a valid watermarked image to achieve the perceptual similarity requirements. However, that assumption is not always valid in practice. For example, a watermarked image can be processed such as by lossless compression and file-format conversion, with the required perceptual similarity property (not only maliciously, but also intentionally as a system requirement). We, therefore, revise our earlier consideration for Definition 4.5 such that a processed image is not necessarily perceptually similar to its unprocessed version. We believe that this revision does not conflict with our earlier intention to avoid the confusion between robustness and security properties

With the Definition 4.5, now we may wish to define the detection condition for the robustness property. Suppose a processing technique, p ∈ P, causes distortion to a watermarked image, ī. As defined in our proposed model, D _d (·) accepts with the property $D_d\left(p\left(ī\right),i,w\right)=\left(ĩ,\tilde{w}\right)\cup \perp$ for all p(ī),i,w|p(ī) ∈ Ī. Here, the pass that returns with $\left(ĩ,\tilde{w}\right)$ and the failure, ⊥ can be used to define two potential variants, robust and fragile respectively, of watermarking schemes for different P. Another variant, semi-fragile watermarking scheme can also be defined considering a suitable subset of P. Thus, we define the robustness property in Definition 4.6 considering detection ability at three different levels

Definition 4.6(Robustness).

A watermarking scheme is defined for the following levels of robustness:

  Robust. A watermarking scheme is called robust if $D_d\left(p\left(ī\right),i,w\right)=\left(ĩ,\tilde{w}\right)$ for all p ∈ P.

  Fragile. A watermarking scheme is called fragile if D _d (p(ī),i,w)=⊥ for all p ∈ P.

Semi-fragile. A watermarking scheme is called semi-fragile if $D_d\left(p\left(ī\right),i,w\right)=\left(ĩ,\tilde{w}\right)$ for all p ∈ P₁ and D _d (p(ī),i,w) = ⊥ for all p ∈ (P∖P₁), where P₁⊂P.

As stated in Definition 4.6, a successful detection (i.e., D _d (·)≠⊥) is the basic criterion for a watermarking scheme to be robust to p ∈ P. However, there is no absolute robustness for watermarking, since taking all known/available processing techniques into consideration (for robustness) is not realistic. It is therefore reasonable to identify only the set of applicable processing techniques for the robustness requirements in an application (like knowing the set of potential adversaries for the security requirements in an application, see section 4.8 below). As Definition 4.6 suggests, we also stress that one must have an explicit consideration on P for design and evaluation of a watermarking scheme in a particular application scenario.

When we consider P (the set of applicable processing techniques), we may notice that different processing techniques (e.g., compression, de-noising) have different parameters (e.g., compression ratio, down sampling rate, type and rank of filter). These parameter settings give different strengths to a processing technique. Therefore, it is worth noting that considering a technique, p, means that p is defined with its all required parameter settings. The technique with other settings thus remains outside of P.

Definition 4.7(Embedding capacity).

Watermarking embedding capacity for an image, i is the maximum size of any watermark, w=G _g (i,m,j) for all m and j, to be embedded in i, such that E _e (i,w)≈i, $D_d\left(E_e\left(i,w\right),i,w\right)=\left(ĩ,\tilde{w}\right)$, and there exists $\tilde{m},\tilde{j}|\tilde{j}\approx j$ such that $X_x\left(E_e\left(i,w\right),i,\tilde{w}\right)=\left(\tilde{m},\tilde{j}\right)$.

Definition 4.7 suggests that to know the capacity of a watermarking scheme for an image, one needs to know how many bits can be embedded in the image with achieving the perceptual similarity and error probability (e.g., successful detection) requirements. This capacity estimation method may vary with the type of watermarking schemes. Although several attempts have already been made [64–70] to know the capacity bound as mentioned above, developing a general method for capacity estimation of each type of watermarking schemes could still be interesting. This may also help solve other capacity-related problems like the capacity control [50]

In image applications, embedding capacity is usually expressed as a ratio, bit-per-pixel (bpp). According to Definition 4.7, if the watermarking embedding capacity is n-bit, and the size of watermark is m-bit (i.e., w={1,0} ^m ), then the necessary condition for an invisible watermarking scheme is m<n. This condition suggests that there can be a hidden assumption of recursive embedding in developing an invisible scheme - if the required capacity is not achievable in first run of E(·), the remaining bits can be re-embedded recursively. That assumption may severely affect the performance of a watermarking scheme in practice, and thus needs to be explicitly stated, if applicable.

Definition 4.8(False positive and false negative)

A watermarking detection in a normal condition is said to be a false positive if D _d (i,w)≠⊥ for some i. Conversely, a watermarking detection is a false negative if D _d (ī,i,w)=⊥ for some ī. Here, the normal condition allows the scheme to run with all of its valid inputs, outputs and functions.

Irrespective of application scenarios, ideally, a zero FNR and FPR represents a reliable detection. Particularly, a watermarking scheme can be of no use if a scheme is unable to detect a valid watermark in normal condition of operation. Achieving a zero FNR and FPR in practice, however, may not be realistic for many reasons like communication errors. So, it is reasonable here to define a highly accurate detection for an application scenario in terms of a very low probability (e.g., in the order of 10⁻⁶) of detection failure.

However, error probability may be confused with other watermarking properties. Other properties (e.g., security, robustness, perceptual similarity) may also deal with errors, which can be of different types; for example, bit-errors (often termed as distortion) in a valid watermarked/unwatermarked image, which can be incurred maliciously, unintentionally, or as a system requirement, may also cause a detection failure. Further, we note that the function E(·) itself utilize the error signal, e.g., exploiting the redundant bit planes of an image, for embedding. This embedding error can be considered as a system requirement and thus can be addressed in terms of perceptual similarity requirement. Specifically, while error probability measures can be used to determine the system error rate for the reliability of a watermarking scheme, the other perceptual errors (ie, distortion) can be studied in terms of the security, robustness and perceptual similarity properties.

Definition 4.9(Security)

A watermarking scheme is called –secure if the scheme retains the security against the attack ( ie, if it is ‘hard’ to succeed with the set of adversary actions mounted by the attack ).

An application-specific analytical approach is often considered to study watermarking security [3, 16, 74–80]. In a broad sense, this practice suggests that the security property can be studied for two main types of watermarking schemes: robust and fragile. However, instead of focusing on a specific type of watermarking schemes, in this paper (section 5), we are more interested in studying the general scenarios of a set of possible attacks in an abstract level for image applications. The main idea is to demonstrate how an adversary of different capabilities may win with different conditions. We call this a win condition. Knowing the inputs, outputs and the win conditions would eventually help visualize the possible attacks in an application. (With that visualization, conducting an application-specific security analysis can be easier and more efficient). Here, we consider that identifying the set of attacks in a specific application and defining them in the model are the first steps to defining the watermarking security.

5.1.1 Elimination attack

In an elimination attack, an adversary tries to output an image that is perceptually similar to the watermarked image, but will never be detected as containing the watermark. Thus, the attacked watermarked image cannot be considered to contain a watermark at all. It is important to consider that eliminating the watermark does not necessarily mean reconstructing (or inverting) the watermarked image [42]. Rather, the adversary may output a new image that is perceptually similar to the watermarked image.

5.1.2 Collusion attack

In a collusion attack, an adversary obtains several copies of a watermarked image, each with a different (or same) watermark to obtain a close approximation of the watermarked image and thereby produces a copy with no watermark.

5.1.3 Masking attack

Masking of a watermark means that the attacked watermarked image can still have the watermark, which is, however, undetectable by existing detectors. More sophisticated detectors might be able to detect it.

Let an adversary have a watermarked image, ī=E _e (i,w₀), where w₀ ∈ W. Here, the adversary aims to output i _a ∈ Ī such that i _a ≈ī. The adversary wins if D _d (i _a ,i,w₀)=⊥ but there exists w≠w₀ such that D _d (i _a ,i,w)≠⊥, as defined in Definition 5.3.

5.1.4 Distortion attack

In some masking attacks, an adversary applies some processing techniques uniformly over the watermarked image or some part of it, in order to degrade the watermark, so that the embedded watermark becomes undetectable or unreadable. This subclass of masking attack has special merit in image processing and is referred to as distortion attack. De-noising attacks and synchronization attacks are two common attacks in this category.

Given a watermarked image, ī=E _e (i,w₀), an adversary applies a processing technique, q ∈ Q uniformly over the whole ī, or selected object/region of ī, and outputs q(ī). According to Definition 5.4, the adversary wins if D _d (q(ī),i,w₀)=⊥ but there exists w≠w₀ such that D _d (q(ī),i,w)≠⊥. Q is the set of applicable processing techniques such that $Q\subset \mathbb{P}$.

5.1.5 Forgery attack

In a forgery attack, an adversary outputs an invalid watermarked image in the form of unauthorized embedding. An adversary with the ability to perform unauthorized embedding can be presumed able to cause the detector to falsely authenticate an invalid watermarked image.

Given access to E _e (·), an adversary chooses a new unwatermarked image, i _a ∈ I and a new watermark, w _a ∈ W to output the watermarked image, $\overline{i_a}\in Ī$. As in Definition 5.5, the adversary wins with the output $\left(\overline{i_a},i_a\right)$ if there exists w _a ∈ W such that $D_d\left(\overline{i_a},i_a,w_a\right)\ne \perp$, and also, possibly, there exists $\widetilde{w_a}\in \tilde{W}$ such that $X_x\left(\overline{i_a},i_a,\widetilde{w_a}\right)\ne \perp$

5.1.6 Copy attack

In a copy attack, an adversary outputs an invalid watermarked image as in a forgery attack. However, the adversary copies a watermark from one valid watermarked image into another to falsely authenticate an invalid watermarked image. In principle, an adversary initially tries to estimate the unwatermarked image from its watermarked version and then estimates the original watermark from the estimated unwatermarked image and the original watermarked image. Finally, the estimated watermark is embedded to a new unwatermarked image to get a forged watermarked copy.

Suppose an adversary is given a valid watermarked image, $ī=E_e\left(i,w_0\right)$ and the access to E _e (·). The adversary obtains the estimated original watermark, $\widetilde{w_0}$, and chooses an unwatermarked image, i _a to output a new watermarked image, $\overline{i_a}=E_e\left(i_a,\widetilde{w_0}\right)$. Finally, as given in Definition 5.6, the adversary wins with output $\left(\overline{i_a},i_a\right)$ if there exists $\widetilde{w_0}\in W$ such that $D_d\left(\overline{i_a},i_a,\widetilde{w_0}\right)\ne \perp$. Also possibly, there exists $\widetilde{\stackrel{~}{w_0}}\in \tilde{W}$ such that $X_x\left(\overline{i_a},i_a,\widetilde{\stackrel{~}{w_0}}\right)\ne \perp$, where $\widetilde{\stackrel{~}{w_0}}$ is the estimate of $\widetilde{w_0}$

5.1.7 Ambiguity attack

In a successful ambiguity attack, an adversary outputs a forgery, where a valid watermarked image is forged (i.e., illegally watermarked) with a chosen watermark. The output forgery later can be verified as valid for the chosen (not for the originally embedded) watermark. Therefore, unlike a copy or forgery attack, it has a direct impact on the scheme.

Suppose a valid watermarked image, ī and access to E _e (·) are given to an adversary. An ambiguity attack outputs a new watermarked image, $\overline{i_a}=E_e\left(ī,w_a\right)$ and the adversary wins if there exists w _a ∈ W such that $D_d\left(\overline{i_a},ī,w_a\right)\ne \perp$ (Definition 5.7). Also possibly, there exists $\left(\widetilde{w_a}\right)\in \tilde{W}$ such that $X_x\left(\overline{i_a},ī,\widetilde{w_a}\right)\ne \perp$. Similar to forgery attack, a stronger adversary may have access to G _g (·) to obtain w _a =G _g (i,m,j)|i=ī

5.1.8 Scrambling attack

The objective of an adversary in applying a scrambling attack is similar to that of masking attack (i.e., to falsify the detection of a valid watermarked image). However, in this attack, the samples of a watermarked image are scrambled prior to being presenting to the detector and subsequently descrambled. The type of scrambling can be a simple sample permutation or a more sophisticated pseudo-random scrambling [42]. A well-known scrambling attack is the mosaic attack, in which an image is broken into many small rectangular patches, each too small for reliable watermark detection. These image segments are then displayed in a table such that the segment edges are adjacent. The resulting table of small images is perceptually identical to the image prior to subdivision.

Definition 5.9(Passive attacks).

Level 1. (Detection only). An adversary only detects the presence of valid watermark, w ∈ W in a watermarked image, ī ∈ Ī.

Level 2. (Incisive detection). An adversary distinguishes the watermark, w ∈ W from that of other watermarked image( s), $\bar{l}\in Ī|\bar{l}\ne ī$.

Level 3. (Comprehensive detection). An adversary obtains information at least partially (e.g., the message, m ∈ M and other image data, j ∈ J, etc.) that the valid watermark, w ∈ W carries, without modifying the watermarked image, ī ∈ Ī.