Digital Image Watermarking

ELE 488 final project, fall 2011, Princeton University

Ali JavadiAbhari

Introduction:
Recent years have seen the rapid growth of digital media, and their proliferation,
especially images. This makes protecting multimedia information become more and more
important and a lot of copyright owners are concerned about protecting any illegal
duplication of their data or work. Some serious work needs to be done in order to
maintain the availability of multimedia information but, in the meantime, the industry
must come up with ways to protect intellectual property of creators, distributors or simple
owners of such data. This is an interesting challenge and this is probably why so much
attention has been drawn toward the development of digital images protection schemes.
Of the many approaches possible to protect visual data, digital watermarking is probably
the one that has received most interest. The idea of robust watermarking of images is to
embed information data within the image with an insensible form for human visual
system but in a way that protects from attacks such as common image processing
operations. The goal is to produce an image that looks exactly the same to a human eye
but still allows its positive identification in comparison with the owner's key if necessary.
Some of the applications of watermarking are broadcast monitoring, copy protection, data
authentication and data hiding. Some of the properties of different watermarks, which we
will discuss more, are visibility, robustness, security and capacity.
In this work, I have evaluated three general techniques for watermarking. They are the
Yeung-Mintzer, Cox and Fridrich techniques, named after their respective proposers. To
be consistent, all three techniques have been designed for grayscale images. They come
from three papers proposed in the 1990s, and each offers a different method for the
protection of images through watermarking. The philosophy of each technique is
somewhat different from the others, and together they represent a broad spectrum of
reasons behind watermarking and its uses.
In the rest of this paper, the three techniques are explained in more detail, and some
experiments done with each of them are shown. Finally, a comparison is made between
these three techniques in terms of what each has to offer, their general performance, and
many other aspects. In the end, as a contribution of the paper, I detect a flaw in the most
recent technique (Fridrich), and offer a way to eliminate it.

Yeung-Mintzer Algorithm:
A simple approach referred to as the Yeung-Mintzer scheme, which enables single pixel
authentication, is shown in Figure 1 for grayscale images. The watermarked image Iw is
generated by disturbing the original image I to enforce the relationship L(i, j) = f (Iw(i, j)),
where L is a secret logo and f is a secret binary function. A simple way to generate the
binary function f is to flip a coin for each possible pixel value. Illustrative pixel and logo
values are also shown in the figure. Error diffusion is employed to reduce perceptual
artifacts from the disturbance. Tampered pixels are found by examining visually or
against the original logo the resulting binary image obtained by applying f to the
challenged image. This scheme can be easily extended to color images and other
multimedia signals.
This approach can locate a tampered pixel but only half of modified pixels on average
can be detected since each pixel is individually mapped to a binary value. The schemes
security depends critically on the secrecy of the underlying logo. Once the logo is known
or its structure is exploited, the search space for the secret mapping function f is
dramatically reduced. Even if the logo is not exploited, if the same logo and mapping
function f are reused in watermarking images, only two watermarked grayscale images
are needed on average to recover 90% of f by simply solving the equations of f at all
pixels. Once f is known, the secret logo can be readily derived. Making the mapping
function dependent on pixel positions and a unique image index or on processed neighbor
pixels can dramatically enhance the security.
This method is vulnerable, since the attacker can easily estimate the watermark and then
the modification can be done so that the watermark remains intact. This arises from the
watermark being from an image that presents itself even in degraded images. Thus, the
purpose of this method is not to protect the watermark, but rather provide a platform for
easily detecting where even slight changes have occurred in an image. Its good since it
provides security at the granularity of individual pixels.
In our implementation, the function f is produced using a lookup table (LUT). The idea is
to use the lookup table to find out what pixel value should replace a current pixel if we
want to embed a 1 or 0 inside it (since the insertion logo is a binary image). Then we can
have the lookup table dictate to us what binary value has been embedded inside each
pixel during logo extraction.
A few notes are worthwhile:
1- The lookup table used at the time of watermarking is also needed during the
dewatermarking phase. In fact, this is the only information that needs to be conveyed
between the encoder and decoder. The original image is not needed.
2- The run of each 0 or 1 stream in the LUT should be limited, since this would guarantee
the watermark image is not much different from the original, and hence undetectable with
naked eye. However, the table in general is generated randomly. In our implementation
this limited run is 5.
These are the .m files written for this method:

Yeung_Mintzer.m: produces the watermarked image

Yeung_Mintzer_Dewatermark.m: extracts watermark based on LUT
limit_run.m: limits run of ones and zeros in LUT string to desired value
searchLUT: find which number approximates the current pixel according to LUT
Below is an example of this method:

It shows how much the effect of the method is negligible, since it modifies each pixel by
at most 5 levels out of 256 levels, and on average only half the pixels are modified.
If the dewatermark is applied to the unmodified image, the logo is extracted perfectly:

However only slight modifications to the watermarked image severely affect the

embedded logo. Here we only darken the image by 10 levels on each pixel:

You see that the changes are almost invisible, but the watermark is completely destroyed:

This shows how fragile the watermark is.

The advantage of this method is that it shows exactly where modifications have occurred,
in case the image is locally tampered. For example, a square is cropped out of the image
as follows:

This granularity of tamper detection is often useful.

Cox Algorithm:
To have a more resilient watermark, we use the method in Cox et al [1997] where the
watermark insertion and extraction is done in the transform (DCT) domain. Specifically,
the DCT of the image is computed, then the K most significant coefficients are selected
and a series of K randomly generated numbers (! ) is inserted inside them using:
!! = ! . 1 + ! 1
is chosen so that it satisfies our level of desired effect on the values of the coefficients.

At the same time watermark security is kept high because (1) the watermarks are
composed of pseudorandom numbers with no obvious structure, (2) the watermarks are
embedded in multiple frequency components with spatial impact over the entire 2-D
image (so their location is not obvious) and (3) attacks against them tend to degrade the
image as well (i.e. the images most important frequency components must be altered to
affect the watermarks).
Gamma () shows how much the image has been tampered with. It is just a measure to let
us know the extent of manipulation, and cannot show where the tampering has taken
place (unlike Yeung-Mintzer) and obviously cannot provide the correct form.
These are the .m files written for this method:
Cox.m: produces the watermarked image based on the alpha and K
Cox-Dewatermark.m: for extracting random numbers and comparing with originals
find_maxes.m: returns K largest elements of a matrix along with their index
Noting a few points is worthwhile:
1- This method is quite robust compared to the previous one, and can resist a certain
number of modifications done to the image and still report the image as being not
so much forged. This means that the random numbers that are embedded inside
DCT coefficients are not changed very easily.
2- The information that needs to be communicated between the encoder and decoder
in this case is the string of largest coefficients, their index, the string of random
numbers embedded inside them, and alpha. This is considerably more.
Below some experiments are shown, all carried out on Lennas image, just to show the
amount by which is reduced each time. Note that without any tampering, = 0.9996.

a) 2-D median filtering: a nonlinear operation often used in image processing to reduce
"salt and pepper" noise. A median filter is more effective than convolution when the goal

is to simultaneously reduce noise and preserve edges.

Igray_wmkd_tampered = medfilt2 (Igray_wmkd)

= 0.8748
b) Lighting: Add 30 intensity levels (out of 256) to all pixels.
Igray_wmkd_tampered(:,:) = Igray_wmkd(:,:) + 30;

= 0.8589
c) Salt & pepper noise: This adds on-off noise to the image with a certain density.
Igray_wmkd_tampered = imnoise ( Igray_wmkd, 'salt & pepper', 0.02 );

 = 0.5786
d) Rotate: Rotating has a very large effect on gamma, as can be seen below, where we
only rotate clockwise by 0.05 degrees but gamma becomes nearly zero.
Igray_wmkd_tampered = imrotate(Igray_wmkd,-0.05);

= 0.0113

Fridrich Algorithm (Self-Embedding):

This algorithm was proposed in 1999 by Fridrich et al, and is based on taking information
from the image and hiding it inside itself, called self-embedding. According to this
method, the image is divided into 8x8 blocks and a DCT is performed on each block. The

first 11 coefficients are encoded in such a way that they produce a 64-bit string of
information, approximately enough to estimate that block. 64 bits can then be fitted
inside the LSBs of another 8x8 block. The blocks that contain each others information
are chosen with a vector. The vector must be chosen such that it can properly separate
linked blocks; generally a vector with length 0.3 of the image in each direction is
appropriate.
These are the .m files written for this method:
Fridrich.m: code for self-embedding
Fridrich_Test.m: overall code for recovery, given an input image
Fridrich_Recover.m: implements the recovery process on an int8 format image
Fridrich_Reconstruct.m: reconstructs image based on hidden info only
Find_Dest_Src.m: returns previous or next block in linked chain of encodings
Extract_Code.m: get code hidden in LSBs of this block
Reconstruct_Source.m: based on the extracted code of its destination
Generate_Code.m: generate 64-bit code for this block to be embedded
LSBzero.m: make blocks LSBs zero prior to code generation
Dec2bin2.m: convert decimal to binary of desired length
Bin2dec2.m: convert binary to decimal
Noting a few points is worthwhile:
1- Unlike previous methods, this method has the capability to recover some lost
parts of the image. This incredible ability is demonstrated below.
2- The only information that needs to be communicated between the encoder and
decoder in this method is the encryption vector, which we have implemented as
horizontal and a vertical component.
3- The recovered parts of the image approximate the original with a quality less than
the 50% jpg. Since the untampered parts are borrowed from the original image,
visually only the tampered parts seem a bit low quality, which are usually quite
small.
4- This method works best for local and small changes. If a change is too large, it is
quite possible that it modifies both the source and destination blocks, which
makes the source virtually unrecoverable.
Below are two examples of seemingly undetectable forgery and the ability of the
algorithm to recover them. In these examples, the vector is 0.4 of the image size in
horizontal and 0.1 of the image size in vertical direction:
Example 1: Forged car brand and number plate

Number of altered blocks = 81.

Example 2: Obscured face

Number of altered blocks = 360.

This last example shows a clear flaw in the algorithm. It arises from the recovery
procedure in which according to the paper, if block 1 is inconsistent with block 2 and also
block 2 is inconsistent with block 3 then block 2 is tampered and needs to be
reconstructed. This is incorrect since block 2 can be perfectly fine and blocks 1 and 3 are
the tampered ones. This is rare but possible, as can be seen in the example above. To
solve this I propose that block 0 also be checked for inconsistency with block 1. Below is
my result, which shows this correction using Fridrich_Recover_Mine.

Comparisons:
Finally I present a comparison between the different methods, in various aspects:

Yeung-Mintzer

Cox

Fridrich

Philosophy

Detect any change, at the

level of individual pixels

Be more robust; determine

weather change is strong
enough or not

Detect local
tampering, and also
correct it

Visibility
(qualitative transparency)

Invisible

Invisible

Invisible

Effect on original image *

(quantitative transparency)

0.1619 %

1.4694 %

0.1117 %

Robustness

Very Fragile

Very robust

Robust to local
modifications

Information needed for

decoding

LUT

K largest coefficients, their

indices, the random
numbers and alpha

Encoding vector

Recoverable

No

No

Yes

*Based on Lenna. Measuring average difference between pixels by summing differences, and dividing by image size
times pixel range (256)

Below, I do a lengthy comparison of the different methods using standard benchmark

transformations. This is to show how much each watermark is affected by the
transportations. They are:

Cropping out a rectangle (replacing by white color)

Lowpass filtering (2D median filtering)
Illuminating (by 30 grayscale levels)
Adding noise (salt and pepper noise)
Rotating (10 degrees clockwise)

*Cropping out a rectangle:

(Yeung-Mintzer)

 = 0.2065

(Cox)

Count = 59 (Fridrich)
*Lowpass filtering:

(Yeung-Mintzer)

= 0.8856

(Cox)

Count = 2500
*Illuminating:

(Fridrich)

(Yeung-Mintzer)

= 0.4870

(Cox)

Count = 2500
*Adding Noise:

(Yeung-Mintzer)

= 0.5690

(Cox)

(Fridrich)

Count = 2178

(Fridrich)

*Rotating:

(Yeung-Mintzer)

= 0.0170

(Cox)

Could not perform Fridrich algorithm because of out-of-bound access.

The following table summarizes these effects:
Yeung-Mintzer
(recovered logo)

Cox
()

Fridrich
(recovered image)

Crop

Shows crop location

0.2065
(unacceptable)

Recovered

Filter

Edges ruined

0.8856
(acceptable)

Destroyed

Illuminate

Destroyed

0.4870
(acceptable)

Partial destruction

Noise

Noisy

0.5690
(acceptable)

Partial destruction

Rotate

Same rotation

0.0170
(unacceptable)

References:

M. Yeung and F. Mintzer. Invisible Watermarking for Image Verification. Journal

of Electronic Imaging, pp. 576-591, 1998.

I. Cox, J. Kilian, T. Leighton, T. Shamoon. Secure Spread Spectrum

Watermarking for Multimedia, IEEE Transaction on Image Processing, vol.6,
no.12, pp.1673-1687, 1997.

J. Fridrich, M. Goljan, Protection of Digital Images Using Self-Embedding,

Symposium on Content Security and Data Hiding in Digital Media, NJ, USA,
May 14, 1999.
R. C. Gonzalez and R.E. Woods, Digital Image Processing 4th Edition, Prentice
Hall, New Jersey, 2009.
B.B. Zhu, M.D. Swanson and A.H. Tewfik. When seeing isnt believing. IEEE
Signal Processing Magazine, pp. 4049, 2004.