Security analysis of a self-embedding fragile image watermark scheme
Xinhui Gong, Feng Yu, Xiaohong Zhao, Shihong Wang

TL;DR
This paper critically analyzes a self-embedding fragile image watermark scheme, revealing its vulnerabilities to collage and multiple stego-image attacks, and provides a detailed security assessment based on permutation complexity.
Contribution
It identifies security flaws in the scheme, especially its block independence and key generation process, and quantifies the difficulty of key recovery through permutation analysis.
Findings
Scheme is vulnerable to collage attack.
Authentication bits are not key-dependent.
Permutation complexity for key recovery is factorial in block size.
Abstract
Recently, a self-embedding fragile watermark scheme based on reference-bits interleaving and adaptive selection of embedding mode was proposed. Reference bits are derived from the scrambled MSB bits of a cover image, and then are combined with authentication bits to form the watermark bits for LSB embedding. We find this algorithm has a feature of block independence of embedding watermark such that it is vulnerable to a collage attack. In addition, because the generation of authentication bits via hash function operations is not related to secret keys, we analyze this algorithm by a multiple stego-image attack. We find that the cost of obtaining all the permutation relations of watermark bits of each block (i.e., equivalent permutation keys) is about for the embedding mode , where MSB layers of a cover image are used for generating reference bits…
| Block size | Mode | Test number | Test time(s) |
|---|---|---|---|
| (6,2) | 2 | ||
| (6,3) | 6 | ||
| (6,2) | 40320 | ||
| (6,3) | |||
| (6,2) | |||
| (6,3) |
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAdvanced Steganography and Watermarking Techniques · Digital Media Forensic Detection · Chaos-based Image/Signal Encryption
∎
11institutetext: Shihong Wang 22institutetext: School of Science, Beijing University of Posts and Telecommunications, Beijing 100876, China
Tel.: 0086-10-62282452
Fax: 0086-10-62282452
22email: [email protected]
Security analysis of a self-embedding fragile image watermark scheme
Xinhui Gong
Feng Yu
Xiaohong Zhao
Shihong Wang
(Received: date / Accepted: date)
Abstract
Recently, a self-embedding fragile watermark scheme based on reference-bits interleaving and adaptive selection of embedding mode was proposed. Reference bits are derived from the scrambled MSB bits of a cover image, and then are combined with authentication bits to form the watermark bits for LSB embedding. We find this algorithm has a feature of block independence of embedding watermark such that it is vulnerable to a collage attack. In addition, because the generation of authentication bits via hash function operations is not related to secret keys, we analyze this algorithm by a multiple stego-image attack. We find that the cost of obtaining all the permutation relations of watermark bits of each block (i.e., equivalent permutation keys) is about for the embedding mode , where MSB layers of a cover image are used for generating reference bits and LSB layers for embedding watermark, and is the size of image block. The simulation results and the statistical results demonstrate our analysis is effective.
Keywords:
Fragile watermark Collage attack Multiple stego-image attack Image authentication Security analysis
1 Introduction
With the development in science and technology, digital images are easily processed and widely used Birajdar2013Digital ; Petitcolas1999Information ; Li2011A ; Ping2016Chaos . To ensure the integrity of digital images, image authentication techniques based on fragile watermark have been studied Lin2005A ; Ping1998A . Haouzia et al. Haouzia2008Methods discussed the general requirements of an authentication system, such as its security, the sensitivity of watermark, the accuracy of tampering localization. We consider security the most important one. Any authentication system must protect the authentication data against any falsification attempts.
There are multiple image authentication schemes based on fragile watermark proposed by scholarsLiu2007An ; Lazarov2016A ; Qin2017Fragile ; Zhang2007Statistical ; Zhang2017FragileA ; Zhang2009Fast ; Zhang2017Fragile . However, some of them only pursue the accuracy of tampering detection and the quality of recovered image. There still exist the security problems, which are vulnerable to counterfeiting attack. Yeung and Mintzer Yeung1997An proposed a fragile watermark scheme where fragile watermark is generated via a lookup table. The table map the value of pixels to 0 or 1 bit controlled by the secret keys. However, there is a security risk that the mapping relations are not related to the image content. Holliman and Memon proposed a vector quantization (VQ) attack to break this schemeHolliman2000Counterfeiting . Chang et al. Chang2006A proposed a watermark algorithm based on hash functions. The authentication bits are generated via a cryptographic hash function, and then inserted into the lowest significant bit (LSB) of the center pixel in a corresponding block. However, Phan Phan2008Tampering proposed an effective method to break this scheme. Lin et al.Lin2005A proposed a hierarchical watermark method, where the feature of each block of the image is embedded into another block. This scheme uses both reference bits and authentication bits to detect tampered area. However, Chang et al. Chang2008Four proposed a four-scanning attack to find the block-mapping sequence, and furthermore to counterfeit authenticated images successfully. A scheme with high data hiding capability and fidelity preservation was proposed by Lin et al. Lin2011Protecting . However Li et al. Li2016Attack proposed an analysis method to counterfeit authenticated images. Rawat and Raman Rawat2011A proposed a scheme based on chaotic map and Teng et al. Teng2013Cryptanalysis found this scheme cannot resist a content-only attack. Without knowing the secret key, an attacker first stores the LSBs of the watermarked image. Then he or she alters the pixels and replace their LSBs stored before. The main reason is that the authentication data is irrelevant to the cover image.
Qin et al. Qin2016Self proposed a self-embedding fragile watermark scheme based on reference-data interleaving and adaptive selection of embedding mode. The choice of embedding mode is related with watermarked image quality, estimated tampering rate, and recovered image quality. The authors claimed that the proposed scheme can achieve good visual quality of recovered images under different tampering rates. To improve the sensitivity of authentication data in the scheme, hash function operations are utilized to generate authentication data. Though this scheme is flexible and has good ability in recovering tampered image, we find it vulnerable to a collage attack. The scheme has a fatal defect that the authentication bits of each block only embed into the corresponding block. This feature is called block independence. This weakness makes this scheme not resist the collage attack. Besides, the generation of authentication bits via hash function operations is not controlled by secret keys and the authentication bits embed in the fixed positions that are not related with the cover image. Therefore, based on the two characteristic above, if an attacker obtains embedding positions of watermark, he or she can forge any authenticated images.
The remaining parts of the paper are organized as follows. Section 2 describes the conditions of security analysis of fragile watermark. In Section 3, we introduce Qin et al.’s scheme briefly. In Section 4 we analyze the security of Qin et al.’s scheme by using the collage attack and multiple stego-image attack. Conclusion of this paper is given in Section 5.
2 Conditions of security analysis of fragile watermark
Besides VQ attack Holliman2000Counterfeiting and collage attack Fridrich2002Cryptanalysis etc, there also exist general tampering attacks, such as copy-paste attacks, deletion attacks, text insertion attacks etc Sreenivas2017Fragile . Considering analysis conditions, the attack methods can be classified into the following types Fridrich2002Security .
Stego-image attacks. The attacker has only one authenticated image. The aim is to modify the image such that it is undetected or obtain some secret information of the scheme.
Multiple stego-image attacks. The attacker has multiple authenticated images. The aim is to modify or forge one image such that it is undetected, or to obtain some secret information of the scheme.
Verification device attacks. The attacker has access to the verification device, i.e., the attacker can verify the authenticity of any image. In this condition, the attacker is interested in making undetected changes or obtaining some secret information of the scheme.
Cover-image attacks. The attacker has multiple pairs of original-authenticated images. Again, the attacker is interested in making undetected changes or obtaining some secret information of the scheme.
Chosen cover-image attacks. The attacker has access to the authentication device and can submit her or his images for authentication. The aim is to obtain some information about the secret authentication key.
3 Brief description of Qin et al.’s scheme
First, we describe Qin et al.’s scheme briefly. This scheme is a self-embedding image authentication scheme. In the original scheme, MSB (the most significant bit) layers of a cover image are used for the generation of reference bits, and the reference bits and the MSB layers are further used for the generation of authentication bits ( is the minimum of two values and , where LSB layers are used for embedding). The authentication and reference bits are embedded in LSB layers of the cover image. There exist two working modes: overlapping-free embedding () and overlapping embedding (). The choices of and are related to many factors, such as watermarked image quality, estimated tampering rate, and recovered image quality.
3.1 Watermark embedding
In this scheme, the embedding and detecting of watermark are based on image block. For a block size of , bits are embedded in LSB layers of each block, containing authentication bits and reference bits. The generation of reference and authentication bits, and the watermark embedding procedure are shown below.
Step 1. Image grouping. Divide a cover image of size into blocks, where . For simplicity, and are assumed to be the multiples of .
Step 2. Permutation. Collect MSB layers of the cover image, and permute the bits with a secret key to form a set C.
Step 3. Generate reference bits. Divide C into subsets noted as , , … , . Each subset contains bits. Each subset is transformed by the following expression
[TABLE]
where is a pseudo-random binary matrix of size produced from a secret key. After the transformation above, there are bits named the reference bits, furthermore, the value of should satisfy the expression
[TABLE]
Step 4. Generate authentication bits. For each block, feed bits of the MSB layers and corresponding reference bits into a hash function and generate authentication bits.
Step 5. Embed watermark. Permute the watermark bits of each block with a secret key (containing authentication bits and reference bits) and use them to replace the LSB layers of each block.
3.2 Tampering detection
In this scheme, a receiver not only verifies the integrity of suspicious watermarked image , but also has ability to recover tampering area. Here we only describe the tampering detection procedure.
For each block of , first extract the bits of its LSB layers consisting of authentication bits and reference bits. There are two modes of tampering detection:
(1) Overlapping-free embedding: Feed the MSB bits of each block and the reference bits into a hash function and output authentication bits. If the recalculated bits differ from the extracted , this block is judged as a tampered block. Otherwise, it is marked as an intact block.
(2) Overlapping embedding: Feed the MSB bits of each block and the reference bits into a hash function and output authentication bits. Similar to overlapping-free embedding mode, if the recalculated bits differ from the extracted , this block is judged as a tampered block. Otherwise, it is an intact one.
4 Security analysis of Qin et al.’s scheme and simulation results
4.1 A collage attack
One defect of this scheme is that the authentication bits generated by one block are embedded into the same block. This means that each block verification with unchanged secret keys is independent. This defect leads to be vulnerable to attack of a collage of images. The collage attack is effective for overlapping-free embedding mode and overlapping embedding mode. The details of the collage attack are shown as follows.
Attack aim: The aim of this attack is to forge a new image produced from authenticated images.
Attack Conditions: A forger has multiple authenticated images with the same embedding mode and the unchanged secret key, although she or he does’t know the key.
Step 1. For an authenticated image , a forger first marks the block according to the block size and selects an area to be tampered. And this area must be an integral multiple of a block, named .
Step 2. Given another authenticated image , which has the same authentication mode as the image . Same as , the authenticated image is blocked through and the area of is selected.
Step 3. Replace the area of with the area of , and finish a forged image .
Step 4. Verification operation. Because the tampered area is an integral multiple of the size of a block and the verification procedure is block independent, the tampered image , as an intact image, can pass tampering detection and cannot be found that it has been tampered.
To verify our analysis above, we give three examples by using the collage attack. The simulation results are shown in Fig.1 (top, middle and bottom panels). The size of all the images is and the size of a block is . Figures 1(a1-d1) are four authenticated images with the same embedding mode , i.e., . We take a quarter of each image and construct a collage image shown in Fig.1(e1). The collage image (e1) can successfully pass the tampering detection process, and the detection result is shown in Fig.1(f1). In Figs. 1(a2-e2), the embedding mode is and the other conditions are the same as Figs. 1(a1-e1). The collage image (e2) also passes tampering detection, and the detection result is shown in Fig.1(f2). The two examples above show that the embedding mode does not affect the collage attack.
In Fig.1, the four images of (a3-d3) are the same as those of a1-d1, but chosen parts of the four images a3-d3 for making a new image e3 are slightly different from those of a1-d1. We select a rectangular part of each image, from pixel (1,1) to pixel (251,251) in a3, from pixel (1,252) to pixel (252,512) in b3, from pixel (252,1) to pixel (512,251) in c3, and from pixel (252,252) to pixel (512,512) in d3. Since the block size is , the edge blocks of the merged image e3 are combinations of pixels of two images or four images, which are inconsistent with the original blocks. Therefore it cannot pass tampering detection. The results of tampering detection (f3) validate the analysis above. Through the result of f3, we adjust the edge of the collage image, once edge blocks match the original blocks of images, the collage image can pass tampering detection.
4.2 Multiple stego-image attack
The aim of this attack is to obtain the equivalent permutation relation of the watermark bits in each block. Once the attacker acquires these permutation relations of image blocks, she or he can forge authenticated images such that they pass tampering detection. In embedding procedure, there are two weakness that are able to cause security problems shown as follows.
Weakness 1: For each block, bits of its MSB layers and its corresponding reference bits are fed into a hash function to generate authentication bits. In this operation, we find that there is no secret key participating. In other words, anyone can implement this operation.
Weakness 2: After generating authentication bits for each block, we need permute the reference bits and authentication bits through a secret key and then embed bits in the LSB layers of each block. Assume that the permutation key is unchanged for each block. For watermark bits, the maximal permutation numbers are . Therefore, if an attacker obtains the permutation relation of watermark bits for each block, she or he is able to forge any authenticated images. For example, for an image of mode with block, 8 watermark bits are embedd into 2 LSB of the 4 pixels. As Fig.2 shown, the maximal permutation numbers of 8 watermark bits are . Thus, an attacker tries times at most that he/she can obtains the permutation relation of watermark bits for each block.
Attack aim: The aim of this attack is to obtain the equivalent permutation key (i.e., permutation relation) of watermark bits in each block.
Attack Conditions: An attacker has two authenticated images with mode .
Step 1. Given an authenticated image with mode , we first analyze its 1st block. We extract the watermark bits and separates them into two parts, reference bits and authentication bits. The bits have different permutation relations and the permutation number is expressed by the form
[TABLE]
Step 2. Choose one of all permutation relations and calculate its authentication bits . Feed bits of its MSB layers and the reference bits into a hash function and generate authentication bits .
Step 3. Compare and . If , the assumed permutation is wrong, otherwise it may be right. Furthermore, we take another authenticated image to verify this permutation relation.
Step 4. Parallel processing all blocks. We execute the parallel process of blocks of the authenticated image from steps 2 to 3. To acquire the correct permutation of watermark bits, we need test about times, which is not related to the image size. Table 1 lists the test number of analysis for different block sizes and embedding modes. From Table 1 we can observe that the security of Qin et al.’s scheme increases with increase of block size of the image and embedding layer of the watermark, but the security is low for small block size.
We measure the time for obtaining all the permutation relation of , shown in Table 1. The experiments are implemented on a personal computer with a 3.60 GHz Intel i7 processor, 8.00 GB memory, and Windows 10 operating system. Implementation software is Matlab R2015a. For the block size , the time of mode (6.2) is about while the time of mode (6.3) is . The time ratio of mode (6,3) to mode (6,2) is theoretically 11880, but is actually , this is because the program about mode (6,3) requires large storage space. For the block size and mode , the maximum test number is up to . Therefore, the larger the block size, the more test number and time the multiple stego-image attack needs to be tried.
5 Conclusion
Qin et al. proposed a general image self-embedding watermark scheme for tampering recovery. But we find that, due to the block independence of watermark embedding, we can forge a new authenticated image from authenticated images via the collage attack. The simulation results verify our theoretical analysis. Furthermore, we analyze the security of Qin et al.’s scheme by using multiple stego-image attack. Because the generation of authentication bits isn’t related to a secret key, once an attacker acquires the permutation relations of watermark bits of all blocks, she or he can forge any authenticated images. The cost of acquiring all the permutation relations is about , where LSB layers are used for embedding watermark, and is the size of image block. Enhancing the security of fragile watermarking algorithms has been a challenge and we hope our analysis method will promote the research of fragile watermarking to some extent.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] Gajanan K. Birajdar and Vijay H. Mankar. Digital image forgery detection using passive techniques: A survey. Digital Investigation , 10(3):226–245, 2013.
- 2[2] F. A. P. Petitcolas, R. J. Anderson, and M. G. Kuhn. Information hiding-a survey. Proceedings of the IEEE , 87(7):1062–1078, 1999.
- 3[3] Shujun Li, Chengqing Li, Guanrong Chen, Nikolaos G. Bourbakis, and Kwok Tung Lo. A general quantitative cryptanalysis of permutation-only multimedia ciphers against plaintext attacks . 2011.
- 4[4] Zhen Ping, Zhao Geng, Lequan Min, and Jin Xin. Chaos-based image encryption scheme combining dna coding and entropy. Multimedia Tools & \& Applications , 75(11):6303–6319, 2016.
- 5[5] Phen Lan Lin, Chung Kai Hsieh, and Po Whei Huang. A hierarchical digital watermarking method for image tamper detection and recovery. Pattern Recognition , 38(12):2519–2529, 2005.
- 6[6] Wah Wong Ping. A watermark for image integrity and ownership verification. In Pics 1998: Is & \& t’s 1998 Image Processing, Image Quality, Image Capture, Systems Conference, Portland, Oregon, Usa, May , pages 374–379, 1998.
- 7[7] Adil Haouzia and Rita Noumeir. Methods for image authentication: a survey . Kluwer Academic Publishers, 2008.
- 8[8] Shao Hui Liu, Hong Xun Yao, Wen Gao, and Yong Liang Liu. An image fragile watermark scheme based on chaotic image pattern and pixel-pairs. Applied Mathematics & \& Computation , 185(2):869–882, 2007.
