Information Theoretical Analysis of
Digital Watermarking
Multimedia Security
Definitions:
X : the output of a source with alphabet X
W : a message in a discrete alphabet W={1,2,…,M}
Assumption :
X is a discrete alphabet, follows a discrete distribution Px
S  0,1 : a rv. which indicates whether X will be watermarked.
The variable S is introduced in the model only to provide the
possibility of expressing mathematically the existence or nonexistence of a watermark in a simple way.
2
K : a secret key defined on a discrete alphabet k.
f1
S=1 : X  Y (watermarked version)
f1 : x  w  k  y (The output of the
watermarking function f1 )
f0
X


Y (non-watermarked version)
S=0 :
f0 : x  y
The output of the watermarking function f1 depends
on the value of K, a secret key which uniquely
identifies the copyright owner.
3
S
X
W
X̂
k
Y
fs
K
g
PZ Y
Z
ψ
Ŵ
q
Ŝ
General model of a watermarking system
4
The watermarked version Y then passes
through a noisy channel and is transformed
into Z  y . This channel models both
unintentional distortions suffered by Y and
attacks aimed at deleting or corrupting the
watermark information.
In both cases we assume that the secret key is
not known, so the noisy channel can be defined
by the distribution PZ Y z y which is
independent of K.
 
5

Finally, Z is processed to obtain a point x  X which
will be used by the recipient instead of X.
There are two tests that can serve to verify the
ownership of Z :
the watermark detection test q : y  k  0,1
the watermark decoding test  : y  k  w

the detection test is used to obtain an estimate s of S
(to decide whether Z has been watermarked using k)

the decoding test is used to obtain an estimate w of
W.
6
Imperceptibility :

Let d : x  x   be a perceptually significant
distortion. A watermarking system must
guarantee that the functions f 0 , f1 and g
introduce imperceptible alternations with
respect to X.
Ed x, g  f 0 x   D0
Ed x, g  f1 x, w, k   D1
With expectations taken wrt. X, W, K,
(Mean Distortion Consraints)
7
or
d x, g  f 0 x   D0 , x  X
d x, g  f1 x, w, k   D1 , x  X , w W , k  K
(Maximum constraints)
8
Hiding Information
The performance of the watermark
decoding process is measured by the
probability of error, defined as :

Pe Pr  w  W 
  Pk k Pr    z , k   w k 
k
9
For each value of K, the space y is
partitioned into decision regions D1,..., DM
where M  W is the no. of possible hidden
messages.
Decoding errors are due to the uncertainty
about the source output X from which the
watermarked version was obtained.
10
Detecting the Watermark
For each value of k, the watermark
detection test can be mathematically
defined as a binary hypothesis test in
which we have to decide if Z was
generated by the distribution of f 0 x  or
the distribution of f1 x, w, k  , where X ~ Px x 
and W is modeled as a random variable.
11
Let  k Z  y qz, k   1 be the critical region
for the watermark detection test performed

with k, i.e. the set of point in y where s  1 is
decided for that key.
The watermark detection test is completely
defined by the sets  k , k  K 
12
The performance of the watermark detection
test is measured by the probabilities of false
alarm PF  and detection PD  , defined as :

PF Pr s  1 s  0   Pk k Pr Z   k s  0
k

PD Pr s  1 s  1   Pk k Pr Z   k s  1, k 
k
13
Suppose there is no distortion during
distribution, so Z=Y optimizing the
performance of the watermark detection
test in terms of PF and PD is in a way
equivalent to maximizing the KullbackLaibler distance between distributions :
PY s  1, k and PY s  0
The maximum achievable distance is
limited by the perceptual distortion
constraint and entropy of the source.
14
The probability of collision between keys K1 and K 2 :

the probability of deciding s  1 in the watermark
detection test for certain key K1 when Z has been
watermarked using a different key K 2 .
In the context of copyright protection, this
probability should be constrained below a
maximum allowed value for all pairs ( K1, K 2 ) since
otherwise the author in possession of K1 could
claim authorship of information watermarked by
the author who owns K 2.
15
This constraint imposes a limit to the
cardinality of the key space since the
minimum achievable maximum probability of
collision between keys increase with the
number of keys for fixed PF and PD .
16
Attacks
In the following discussion we will
assume that the attacker has unlimited
computation power and that the
algorithm for watermarking, detection
and decoding are public.
The security of the watermarking
system relies exclusively on the secret
key K of the copyright owner.
17
The Elimination Attack
Alternate a watermarked source output
Y to obtain a negative result s  0 in the
watermark detection test for the secret
key used by the legitimate owner.
The alteration made by the attacker
should not be perceptible, since the
resulting output Z will be used as a
substitute for the watermarked source
output Y.
18
This constraint can be expressed in
mathematical form as an average distortion
constraint Ed Z , Y   DE or as a maximum
distortion constraint d Z , Y   DE , Z , Y , where
d(.,.) is a distortion function and DE is the
maximum distortion allowed by the attacker.
19
The Elimination Attack can be represented
by a game-theoretic model :
Given a certain watermarked source
output Y, the attacker will choose the
point Z  y , subject to the distortion
constraint, which maximizes his probability
of success.
20
Under a maximum distortion constraint, this
maximum probability of success for a given Y
can be expressed as
max
PE Y 
PK Y 1  qZ , K 

Z : d Z , Y   DE k
After averaging out over y, the average
probability of success in the elimination attack is
max
PE   PY 
PK Y 1  qZ , K 

Z : d Z , Y   DE k
Y
21
We can model the transformation made by the
attacker as a channel with conditioned pdf PZ Y .
Then the optimal elimination strategy can be seen
as a worst-case channel PZ Y in the sense that it
minimizes the PD for given critical regions  k  and
watermarking function f1 .
Note that the attacker is limited to those channels
which satisfy the average distortion constraint.
22
The minimum achievable PD is a non-increasing
function of DE .
The optimum watermarking strategy consists in
choosing the watermarking function f1 and the
critical regions  k  maximizing the minimum PD
achievable by the attacker through the choice of a
channel PZ Y .Hence, the design of the
watermarking system is a robust hypothesis testing
problem.
23
The Corruption Attack
The attacker is not interested in
eliminating the watermark, but increasing
the probability of error in the watermark
decoding process.
24
Cryptographic Security
The securing level of the system can be
measured by the uncertainty about the key
given a watermarked source output Y.
Using an information-theoretical
terminology, this uncertainty is the
conditioned entropy H K Y  , also called
equivocation.
25
Size of Key Space
A minimum cardinality of the key space K is a
necessary condition for specifying the
equivocation H K Y  .
Increasing the equivocation helps in increasing the
robustness against elimination attacks.
However, increasing the number of available keys
also increases the probability of collision among
keys.
Therefore, if we specify a maximum allowable
probability of collision, this constraint will impose a
limit on the maximum number of keys.
26
Summary
• Decoding of hidden information is affected by
uncertainty due to the source output (not available at
the receiver), distortion and attacks.
We can think that there is a channel between W and
Z which can be characterized by a certain capacity.
• Watermarking and watermark detection under a
constrained maximum probability of collision between
keys can be seen as an application of identification
via channels, with additional constraints derived from
the limited admissible perceptual distortion in the
watermarking process.
• The combination of watermark detection and data
hiding can be related to the theory of identification
plus transmission codes.
27