Signal Processing: Image Communication 21 (2006) 890–903 Joint near-lossless compression and watermarking of still images for authentication and tamper localization Roberto Caldelli a, , Francesco Filippini a , Mauro Barni b a Department of Electronics and Telecommunications, University of Florence, Via di Santa Marta, 3, 50139 Florence, Italy b Department of Information Engineering, University of Siena, Siena, Italy Received 3 August 2005; received in revised form 28 August 2006; accepted 30 August 2006 Abstract A system is presented to jointly achieve image watermarking and compression. The watermark is a fragile one being intended for authentication purposes. The watermarked and compressed images are fully compliant with the JPEG-LS standard, the only price to pay being a slight reduction of compression efficiency and an additional distortion that can be anyway tuned to grant a maximum preset error. Watermark detection is possible both in the compressed and in the pixel domain, thus increasing the flexibility and usability of the system. The system is expressly designed to be used in remote sensing and telemedicine applications, hence we designed it in such a way that the maximum compression and watermarking error can be strictly controlled (near-lossless compression and watermarking). Experimental results show the ability of the system to detect tampering and to limit the peak error between the original and the processed images. r 2006 Elsevier B.V. All rights reserved. Keywords: Image authentication; Near-lossless JPEG; Digital watermarking; Tamper localization; Remote sensing; Medical imagery 1. Introduction The demand for image authentication and for effective means to control image integrity has been steadily increasing in the last years. Such a demand is due to the ease with which digital images can be tampered with thus compromising their credibility as faithful pictures of the scene they represent. Several techniques have been developed in order to prevent or at least detect unwanted alteration of digital images. Among them, digital watermarking has gained more and more popularity due to its versatility and its potential to localize tampering and the possibility (at least theoretical) to distin- guish between different kinds of manipulations (usually split into allowed and not allowed manip- ulations). Two possible approaches can be distin- guished, one based on (semi) fragile watermarking and the other relying on robust watermarking. Authentication through fragile watermarking [15,5] is accomplished by inserting within the image a watermark that is readily altered or destroyed as soon as the host image undergoes any manipula- tions. The alteration or deletion of the watermark allows to discover that the image has been modified, whereas the correct recovery of the hidden informa- tion permits to prove the integrity of the image and, possibly, to establish its origin. Some techniques ARTICLE IN PRESS www.elsevier.com/locate/image 0923-5965/$ - see front matter r 2006 Elsevier B.V. All rights reserved. doi:10.1016/j.image.2006.08.006 Corresponding author. Tel.: +39 0554796380; fax: +39 055494569. E-mail address: [email protected]fi.it (R. Caldelli).
Transcript
ARTICLE IN PRESS
0923-5965/$ - se
doi:10.1016/j.im
�Correspondfax: +3905549
E-mail addr
Signal Processing: Image Communication 21 (2006) 890–903
www.elsevier.com/locate/image
Joint near-lossless compression and watermarking of still imagesfor authentication and tamper localization
Roberto Caldellia,�, Francesco Filippinia, Mauro Barnib
aDepartment of Electronics and Telecommunications, University of Florence, Via di Santa Marta, 3, 50139 Florence, ItalybDepartment of Information Engineering, University of Siena, Siena, Italy
Received 3 August 2005; received in revised form 28 August 2006; accepted 30 August 2006
Abstract
A system is presented to jointly achieve image watermarking and compression. The watermark is a fragile one being
intended for authentication purposes. The watermarked and compressed images are fully compliant with the JPEG-LS
standard, the only price to pay being a slight reduction of compression efficiency and an additional distortion that can be
anyway tuned to grant a maximum preset error. Watermark detection is possible both in the compressed and in the pixel
domain, thus increasing the flexibility and usability of the system. The system is expressly designed to be used in remote
sensing and telemedicine applications, hence we designed it in such a way that the maximum compression and
watermarking error can be strictly controlled (near-lossless compression and watermarking). Experimental results show the
ability of the system to detect tampering and to limit the peak error between the original and the processed images.
r 2006 Elsevier B.V. All rights reserved.
Keywords: Image authentication; Near-lossless JPEG; Digital watermarking; Tamper localization; Remote sensing; Medical imagery
1. Introduction
The demand for image authentication and foreffective means to control image integrity has beensteadily increasing in the last years. Such a demandis due to the ease with which digital images can betampered with thus compromising their credibilityas faithful pictures of the scene they represent.Several techniques have been developed in order toprevent or at least detect unwanted alteration ofdigital images. Among them, digital watermarkinghas gained more and more popularity due to its
e front matter r 2006 Elsevier B.V. All rights reserved
versatility and its potential to localize tamperingand the possibility (at least theoretical) to distin-guish between different kinds of manipulations(usually split into allowed and not allowed manip-ulations). Two possible approaches can be distin-guished, one based on (semi) fragile watermarkingand the other relying on robust watermarking.Authentication through fragile watermarking [15,5]is accomplished by inserting within the image awatermark that is readily altered or destroyed assoon as the host image undergoes any manipula-tions. The alteration or deletion of the watermarkallows to discover that the image has been modified,whereas the correct recovery of the hidden informa-tion permits to prove the integrity of the image and,possibly, to establish its origin. Some techniques
ARTICLE IN PRESSR. Caldelli et al. / Signal Processing: Image Communication 21 (2006) 890–903 891
permit also to localize the altered zones on a blockbasis [8,6]. Systems based on robust watermarking[4,11] assume that the watermark is not affected byimage manipulations. Specifically, a summary of theto-be-authenticated image is computed and em-bedded within the image itself (possibly togetherwith additional information about the origin of theimage). Subsequently, the hidden information isrecovered and compared with the actual content ofthe image: a mismatch reveals that the image hasbeen tampered with.
In this paper we focus on authentication andtamper localization through fragile watermarking.Specifically, our system is built by relying on ascheme originally developed by Wong [14] andsuccessively improved by Fridrich [5] with a betterlogo structure to prevent attacks. This method, thatin the sequel will be called, for sake of simplicity,Fridrich’s method, embeds the watermark in theleast significant bits (LSB) of the host image. Thechoice of Fridrich’s algorithm is justified by itssecurity features and its good localization capabil-ities (more details on this scheme are given inSection 2).
Together with the demand for integrity verifica-tion, the demand for image compression is everydaymore pressing. The great majority of the imagesexchanged in digital format are stored in acompressed format, with lossy compression beingdefinitely much more popular than lossless com-pression. Hence, a first crucial choice must be madeto decide whether to embed the watermark in theraw domain (i.e. before compression takes place) orin the compressed domain (e.g. by jointly codingand watermarking the image). In the context ofimage authentication through fragile watermarking,joint coding and watermarking is highly desirable,since otherwise the fragile nature of the watermarkwill identify image compression as an unwantedmanipulation hence failing to distinguish between(allowed) compression and (not allowed) tampering.On the other hand, tying the watermarking systemto a particular coding format limits the flexibility ofthe authentication scheme, since the watermark islikely not to survive lossless format changes, e.g.conversions from the coded and the raw format. Itis one of the goals of the system presented in thispaper to embed the watermark in the compresseddomain, while still allowing its recovery in the rawpixel domain.
Though lossy compression is by far the mostpopular coding strategy used today, in some
application scenarios the loss of informationaccompanying the compression process cannot betolerated or, at least, must be strictly controlled.This is the case of remote sensing and medicalapplications. In both cases the risk of discardinguseful information calls for the adoption of losslesscompression, however the large amount of dataacquired by sensors during earth observationmissions and the large volume of images producedby modern telemedicine applications [10,3] make theuse of efficient lossy coding algorithms unavoidable.In order to control the amount of information lostduring the compression process, a class of algo-rithms capable of strictly controlling the compres-sion loss have been devised and grouped under theterm near-lossless compression, whose main re-quirement is that of insuring that the maximumerror between the original and the compressedimage does not exceed a fixed threshold. In thesame line, the concept of near-lossless watermarkinghas been introduced recently to satisfy the strictrequirements set by the remote sensing scenario[2,1]. In this paper we propose a system that permitsto jointly compress and watermark the to-be-protected image in a near-lossless fashion; thusresulting particularly suited for remote sensing andmedical applications.
Specifically, Fridrich’s authentication algorithm[5] is modified so as to make it compliant with theJPEG-LS coding standard. The JPEG-LS [9,13] is alossless/near-lossless image coding scheme based ondifferential pulse code modulation (DPCM) [12]. Inthe near-lossless mode each pixel of the recon-structed image differs from the correspondingoriginal pixel by up to a preset (usually small)amount, called D in the following. By slightlymodifying the quantization process, our system isable to embed an LSB message similar to that usedby Fridrich directly in the compressed domain, thuskeeping complete compliance with the JPEG-LS. Atthe same time, the maximum amount of distortionintroduced by the watermark can be strictly con-trolled thus satisfying the near-lossless requirement.As already said, the watermark can be recoveredboth in the compressed and in the raw domain, thusincreasing the flexibility of the system and itspractical usability. Finally, the security features ofFridrich’s algorithm are retained together with itslocalizing properties (the localization accuracybeing reduced only slightly).
The rest of the paper is organized as follows. InSection 2, after a brief review of the JPEG-LS
ARTICLE IN PRESSR. Caldelli et al. / Signal Processing: Image Communication 21 (2006) 890–903892
standard, the proposed watermark embeddingalgorithm is described. In Section 3, watermarkdetection is considered. In Section 4, security issuesare discussed. Section 5 is devoted to the presenta-tion of experimental results. Finally, some conclu-sions are drawn in Section 6.
2. Encoding phase
As we already said, the main goal of the newwatermarking scheme is to grant robustness againstnear-lossless JPEG image compression, while main-taining the usual features of an authenticationtechnique. This aim is achieved by designing asystem which is based on the JPEG-LS codingstandard. In order to generate compressed data andsimultaneously authenticate them, a secure fragilewatermarking technique, that in our approach hasbeen individuated in the technique developedby Fridrich [5], has been integrated within theJPEG-LS.
2.1. JPEG-LS in brief
Before describing the proposed watermarkingalgorithm let us sketch the JPEG-LS standard.JPEG-LS is a typical example of coder based onspatial pixel prediction followed by quantization ofthe prediction error and entropy coding (specificallyGolomb–Rice coding is used). The aim of thespatial prediction is to decorrelate the pixel valuesproviding an approximately white sequence ofprediction errors. Prediction is performed accordingto a causal neighborhood (the image is scanned leftto right and top to bottom) as depicted in Fig. 1,where the brightness Ix of the current pixel ispredicted by relying on the pixels in position Ra;Rb
and Rc (the value of Rd is used only for contextmodelling, see below). In the sequel we will indicatethe predicted value of the pixel in position x by Px,the prediction error by E and the quantizedprediction error by QE . Pixel values are recon-structed by adding back the dequantized predictionerror QR to the predicted value Px. Note that due to
Fig. 1. A causal context for JPEG-LS prediction.
quantization the reconstructed pixel value
Rx ¼ PxþQR (1)
is different form the original value Ix, hence in orderto keep the decoder and encoder synchronized, theencoder calculates the predicted value Rx by relyingon the predicted values of the pixels in the causalneighborhood.
According to JPEG-LS terminology, prediction isformulated as an inductive inference problem some-times referred to as modelling. In particular, themodelling approach JPEG-LS relies on is based onthe notion of context, which is determined by the fourreconstructed samples Ra, Rb, Rc, Rd, belonging to aneighborhood of the current sample Ix (see Fig. 1).
Consequently, each sample value is conditionedto the context and also the probability distributionused to encode the samples is determined by thecontext. Though two different encoding modes areavailable in JPEG-LS, the watermarking methodproposed here considers only the so-called regular
mode. In the regular mode, the prediction procedureworks as follows. First of all, a test for the presenceof a horizontal or vertical edge is performed on thepixels belonging to the context, then the predictedvalue Px is computed according to
Px ¼
minðRa;RbÞ if RcXmaxðRa;RbÞ;
maxðRa;RbÞ if RcpminðRa;RbÞ;
Raþ Rb� Rc otherwise:
8><>: (2)
The predicted value Px is chosen by switching amongthree simple predictors: if a vertical edge on the leftof the current location is detected, the predictor tendsto pick Rb, if a horizontal edge above the currentlocation is detected the predictor tends to pick Ra,finally if no edge is detected the predictor tends topick the value ðRaþ Rb� RcÞ. At the end of thisphase, a fixed predicted value is found. Notice thatRd is not used in this phase, since it is employed inthe adaptive part of the predictor [13].
After this procedure, the prediction error E ¼
Ix� Px is computed and, in the near-lossless codingðD40Þ, the error is quantized (QE) according to thefollowing rule:
QE ¼E þ D2Dþ 1
� �, (3)
where D is the maximum guaranteed preset errorbetween the original and compressed images.
The proposed watermarking scheme works bymodifying the quantized prediction as shown in
ARTICLE IN PRESS
Fig. 2. Simplified block diagram of the proposed methodology.
Fig. 3. Watermark embedding diagram of Fridrich’s algorithm [5].
R. Caldelli et al. / Signal Processing: Image Communication 21 (2006) 890–903 893
Fig. 2. Note that in order to keep the encoder inpace with the decoder the reconstructed values usedby the predictor are obtained by adding back thewatermarked prediction errors.
2.2. Watermark generation
Let us first summarize how the watermark isgenerated in the secure fragile watermarking tech-nique developed by Fridrich [5] (a block diagram ofthis approach is given in Fig. 3). During watermarkembedding, the algorithm proceeds by dividing theimage into 8� 16 pixel blocks and by separatelymodifying the LSBs of each block. To do so, theseven most significant bits (MSBs) of the pixels inthe block are hashed by using a proper hashfunction. Then, a binary logo carrying informationabout the block position, image index and possiblyother information relevant to the image is con-structed, and is XORed with the hash. After that,the XORed result is encrypted using a secret-key-dependent encryption function, and inserted intothe LSBs of the same block.
In the watermark detection phase, the to-be-authenticated image is divided again into 8� 16blocks and for each block the following procedure isapplied. The seven MSBs of each pixel are extractedand hashed, while the LSBs are decrypted by usingthe secret key. In the end, the hashed MSBs and the
result of LSBs decryption are XORed to obtainback the logo. Block-wise image authentication isachieved through an automatic examination of thelogo. In this way, the watermarking scheme isrobust to authentication attacks, such as stego-image attack, multiple stego-image attack andHolliman–Memon attack [8,6] (see Section 4);furthermore, localization of image tamper isgranted.
By taking into account the JPEG-LS andFridrich’s algorithms, we developed a watermarkingsystem that allows a near-lossless compression ofthe image and, at the same time, permits to insert awatermark into the to-be-authenticated image. Todo so, the encoding procedure of the JPEG-LSalgorithm has been modified in order to integratethe watermarking system while maintaining com-pliance with the JPEG-LS standard.
2.3. Watermark embedding phase
After watermark generation, the quantized pre-diction errors are modified in order to insert thewatermark into the image and, finally, the correctedquantized prediction errors are Golomb–Rice codedand the compressed image obtained. More specifi-cally, we proceed as follows. Let us consider animage of DR �DC pixels, consisting of blocks eachof 8� 16 pixels (i.e. DR=8 stripes of blocks). For the
ARTICLE IN PRESS
Fig. 4. Stripe watermark embedding scheme.
2
R. Caldelli et al. / Signal Processing: Image Communication 21 (2006) 890–903894
first stripe S1, the reconstructed samples Rx arecomputed and stored to form a reconstructedsample stripe RS1, which is formed by DC=16blocks each of 8� 16 pixels. Then, each recon-structed sample block is processed by the water-marking system whose output is an 8� 16 binarymatrix (the authenticating message). When all thereconstructed sample blocks of the reconstructedstripe RS1 have been processed, an 8�DC binarystripe BS1 is created. At the end of this process, foreach sample in position ði; jÞ in the second stripe S2
of the image, the quantized prediction error iscalculated. Then, in order to insert the watermarkinto the image pixel in position ði; jÞ, the quantizedprediction error is modified by altering its LSBaccording to the corresponding bit of the authenti-cating message of the previous stripe.
In order to allow watermark recovery directly onthe reconstructed pixel values1 the parity of Rx hasto be checked before performing any modification.For sake of clarity, let us give an example and let ussuppose that Rx assumes an odd value and that a bit0 has to be inserted (if a bit 1 has to be embedded noaction is needed). To do this, the original QE isaugmented or decreased by one quantization levelto change its parity to obtain a QE1 ¼ QE � 1. Byapplying dequantization we obtain
QR1 ¼ QE1 � ð2Dþ 1Þ (4)
1Watermark recovery on the quantized prediction error is
straightforward.
and then
Rx1 ¼ PxþQR1. (5)
The choice of increasing or decreasing the quantizederror is made by choosing the option that minimizesmaximum error between the original and thecompressed and marked image. The quantizationstep (2Dþ 1) being an odd value, the modifiedparity is transferred to QR1 and consequently to Rx1
as required.Fig. 4 summarizes the steps of the authentication
procedure for the first stripe of pixels. First of all, itis possible to notice the Hashing&Encryption blockwhich performs the hash of the seven MSBs2 andthe LSBs encryption for each image block in orderto generate the binary stripe BS1. Consequently, theprediction error of the successive stripe is computed,quantized and modified. As said before, the goal ofthe block that compares the difference between Rx
and Ix is to choose the best modified predictionerror, which limits the MaxError between theoriginal and the authenticated image.
Through the above procedure, the authenticationinformation of a stripe is embedded into thereconstructed samples of the stripe below. Finally,the reconstructed value Rx is stored to form thesecond reconstructed sample stripe RS2, whereasGolomb–Rice coding of the modified quantized
We could also hash all the eight bits, however we have
considered only seven MSBs both to maintain coherence with
Fridrich’s algorithm and to hash only the bits belonging to the
original image content.
ARTICLE IN PRESS
Fig. 5. Watermark detection scheme: the scheme represents the block-wise procedure that is followed to check image authenticity.
R. Caldelli et al. / Signal Processing: Image Communication 21 (2006) 890–903 895
prediction error is performed. When all recon-structed samples Rx of the second stripe S2 havebeen computed and stored, RS2 has been con-structed. The result of this process is RS2 that hasbeen modified according to BS1. Generally, byfollowing this procedure each RSiþ1 is modified onthe basis of BSi and the watermarked–compressedimage is generated. It is important to note that, inthis system, the authentication binary matrix BSi isembedded into the subsequent reconstructed samplestripe RSiþ1. This approach has been adoptedbecause the JPEG-LS is based on a sequentialprocedure, whereas Fridrich’s algorithm worksblock-wise. In the JPEG-LS algorithm, for eachsample of the input image the correspondingreconstructed sample is found. If we desire towatermark this reconstructed value using Fridrich’salgorithm, the binary matrix must be calculatedpreviously; at the same time, this binary matrix canbe only computed if all the reconstructed samplesbelonging to the block are known. This requirementcontrasts with the sequential flow of the JPEG-LS.
As a final observation it is worth noticing againthat the watermarked image is fully compliant withthe JPEG-LS standard and hence can be decom-pressed by means of a standard decoder.
3The use of a couple of private/public keys can be imagined for
an application where authenticity verification is left to an end-
user, otherwise a unique secret key could be adopted.
3. Watermark detection
In order to describe the authentication process letus consider, as we did for the coding phase, a DR �
DC image. Watermark detection starts by dividingthe image into 8-row stripes each consisting of 8�16 pixel blocks, as in the embedding phase. Then,for each image stripe the following procedure is
applied. First of all, in order to verify the integrityof the first image stripe S1, the second stripe S2 isaccessed to extract the LSBs and to complete thewatermark detection (see Fig. 5). For each imageblock belonging to the first stripe S1, the verificationprocedure continues as in Fridrich’s algorithm. Theseven MSBs are extracted and then hashed. At thesame time, the LSBs of the corresponding imageblock in the second stripe S2 are extracted anddecrypted by using the public key corresponding tothe one used by the embedder.3 Finally, the hasheddata and the decrypted LSBs are XORed and theauthenticating logo is found. The informationcarried by the logo permits to verify the authenticityof each image block. A similar approach is followedfor the subsequent stripes. In general, by analyzingtwo consecutive stripes it is possible to check eachimage stripe and in the end to check if the image isauthentic as a whole or which parts (blocks) havebeen manipulated.
Note that authentication is carried out directly inthe non-compressed domain thus increasing theflexibility of the proposed scheme.
4. Security issues
Security issues play a central role in water-marking-based authentication. In fact, contentauthenticity can be compromised by an ad hocaction made by an attacker who wants to create afake document by resorting to all the information
ARTICLE IN PRESSR. Caldelli et al. / Signal Processing: Image Communication 21 (2006) 890–903896
and capabilities available to him. It is importantthat an authentication algorithm is robust not onlywhen a hacker has a unique image at his disposal(stego-image attack) but also when he can accessother supplementary knowledge; hereafter some ofthe main security attacks against watermarking-based authentication are listed:
�
Multiple stego-image attack: The counterfeiterhas many authenticated documents and hisaction aims at making changes in such a waythat the detector cannot reveal them or at gainingknowledge about the secret keys used bythe scheme. A particular application of thisattack is well known as the Holliman and Memon
attack [8].
� Verification device attack: The aim of the
counterfeiter is the same as before, but, in thiscase, he has access to the verification device andcan use it to check the integrity of any image helikes. On the basis of the answer he gets he canrearrange the applied modifications to achieve asuccessful result. The kind of output the hackerobtains, either a simple Yes/No or a binary mapcontaining authentic and tampered blocks, playsa key role in determining the potentialities of theattack.
� Cover-image attack: The counterfeiter has multi-
ple pairs of original and authenticated images;this can happen when one has access to theimage before authentication or when an estimateof the original can be performed. Againthe hacker aims at making changes in such away that the detector cannot reveal them or atgaining knowledge about the secret keys of thescheme.
� Chosen cover-image attack: The counterfeiter has
the authentication device at his disposal and cansubmit his images to the authentication process;this could lead him to violate the secrets of thesystem.
Since the technique presented in this paper is basedon the work by Fridrich [5], it inherits all themain security features of that algorithm. In parti-cular, due to the specific structure of the logo,robustness to all the previous security attacks,included the Holliman and Memon one, is granted(see [5] for a discussion about the security ofFridrich’s scheme).
5. Experimental results
In this section, some experimental results aregiven so to evaluate the performance of theauthentication algorithm.
5.1. Watermark distortion
In this subsection, image distortion due to thewatermark insertion is considered. Images belong-ing to remote sensing and biomedical scenarios areconsidered.
First of all, in Fig. 6 an example of original andauthenticated images ðD ¼ 2Þ is given, both for thecase of remote sensing (El Toro Airfield 512� 512)and for the case of medical imaging (RX-Chest
512� 512). In both circumstances authenticationdoes not introduce perceptual artifacts. To carry outa more objective analysis, the peak-signal-to-noise-ratio (PSNR) between the original image and thecompressed one with different values of the D factorhas been computed both in the case of near-losslessJPEG coding and in the case of joint authenticationand coding. These results are presented in thegraphs of Fig. 7 for El Toro Airfield image and inFig. 8 for RX-Chest. It can be noticed that, asexpected, there is a decrement (approximately6–7 dB for each level of D factor) in the value ofPSNR when the authentication information isembedded within the image. This worsening isabout the same for both the types of image and isalmost constant when the D factor increases. Ourprimary aim being that of designing a near-losslessscheme, where the maximum error can be strictlycontrolled, it is important to examine how thepeak error varies as a consequence of watermarkinsertion.
This effect is due to the fact that during thewatermark embedding phase, the quantized errorsare modified in order to accomplish image authen-tication. In particular, each quantized error ischanged to obtain a reconstructed sample whoseLSB is equal to that of the corresponding binarystripe. As a result of this process, the quantizedprediction error is varied by one quantization stepwhose value is ð2Dþ 1Þ. Because two possiblequantization levels exist, the one which determinesthe minimum distance between the reconstructedsample and the original pixel Ix is chosen. Thismeans that the two modifications (the one due tocoding and the one due to watermarking) do notadd each other, in such a way that the error is at
ARTICLE IN PRESS
Fig. 6. El Toro Airfield: (a) original image and (b) authenticated image ðD ¼ 2Þ. RX-Chest: (c) original image and (d) authenticated image
ðD ¼ 2Þ.
R. Caldelli et al. / Signal Processing: Image Communication 21 (2006) 890–903 897
most 2Dþ 1. However, this choice is not possible inthe case of pixel values that are near to 0 and 255due to overflow and underflow problems. In thiscase, the choice to augment or decrease thequantized prediction error is obliged and the errorcould be equal to Dþ ð2Dþ 1Þ.
In Figs. 9 and 10, the percentages of image pixelshaving a certain distortion error with respect to theoriginal image for two sample images when D hasbeen set to 1 and 2 are reported. It can be noticedthat in all cases about 50% of the image pixels havea distortion within the D and almost 80% of theimage pixels are at most one gray level beyond D.
5.2. Performance against attacks to authenticity
To examine the ability of the algorithm toascertain image authenticity and to detect local
modifications, near-lossless compressed and authen-ticated images have been tampered with and thenauthenticated.
In Fig. 11, three examples of counterfeited imagesare illustrated. Images in the left column have beenmodified by inserting some artifacts, in particular,in Fig. 11(a) an airplane originally belonging to theimage has been duplicated on the airfield, while inFig. 11(c) another airplane, a B-52 taken from adifferent picture, has been added. In Fig. 11(e) a‘‘false fracture’’ has been artificially induced on theright collarbone of the chest. In the correspondingright columns these alterations have been rightlydetected by the proposed technique, the imageblocks that the detector estimates to be altered arein black. The results demonstrate that the imageauthenticity is correctly verified, but the tamperlocalization accuracy is decreased with respect to
ARTICLE IN PRESS
PSNR - Remote sensing image
38.6235.70
33.54
28.80
42.9838.3240.01
42.1845.22
49.99
20
30
40
50
60
70
80
0 2 4
DELTA
PS
NR
(db
)
PSNR - with watermark
PSNR - without watermark
1 3 5
Fig. 7. El Toro Airfield. Graph of PSNR versus preset error D: continuous line JPEG-LS and dotted line JPEG-LS+WAT.
PSNR - Medical image
38.8635.95 33.75 31.98
43.1738.5640.20
42.2845.19
49.89
30
40
50
60
70
80
0 2
DELTA
PS
NR
(db
)
PSNR - with watermark
PSNR - without watermark
1 3 4 5
Fig. 8. RX-Chest. Graph of PSNR versus preset error D: continuous line JPEG-LS and dotted line JPEG-LS+WAT.
R. Caldelli et al. / Signal Processing: Image Communication 21 (2006) 890–903898
Fridrich’s original work, in particular now accuracyis half. In fact, because the embedding procedureinserts into an image block bi the binary map foundutilizing the pixels of its upper block, it is impossibleto distinguish if block modification has been appliedto block bi or to its upper neighbor. Both thesecircumstances lead to a non-authenticity detection.
5.3. Compression performance
Some tests, whose results are summarized inTable 1 for remote sensing and in Table 2 formedical images, have been carried out to establishthe variation of compression rate between theJPEG-LS standard and the new integrated system.For each value of D the size of the compressed and
marked/compressed images is given as a percentageof the original image. In the last column thedifference in bytes between the size of the authenti-cated image and the image resulting from plainJPEG-LS compression is given. Interestingly thisdifference is much lower than the size of theembedded watermark, hence testifying the efficiencyof the proposed embedding scheme.
Upon inspection of the tables, it can be seen theauthentication procedure leads to a slight decrementof the compression efficiency compared to thatachieved by the plain JPEG-LS algorithm. Thisresult is mainly due to the fact that in the water-marking embedding procedure the difference be-tween smooth and non-smooth regions cannot beexploited as usually done by switching between run
ARTICLE IN PRESS
Fig. 10. RX-Chest. Histogram of the percentage of image pixels having a certain distortion error (D ¼ 1 dark and D ¼ 2 bright). The
maximum error between the original image and authenticated one is ð3Dþ 1Þ, that is, 3 and 7, respectively.
Fig. 9. El Toro Airfield. Histogram of the percentage of image pixels having a certain distortion error (D ¼ 1 dark and D ¼ 2 bright). The
maximum error between the original image and authenticated one is ð3Dþ 1Þ, that is, 3 and 7, respectively.
R. Caldelli et al. / Signal Processing: Image Communication 21 (2006) 890–903 899
mode and regular mode in the JPEG-LS coding. Toconfirm this claim, it has been noted that thecompression rate decrease for highly texturedimages is less than that experienced in flat images,where the run mode allows to improve the compres-sion performance.
Finally, to provide a further point of view, therate–distortion trends obtained for the image El
Toro Airfield are pictured in Fig. 12 (a similarbehavior is registered for the image RX-Chest). Thisfigure basically synthesizes values coming from thegraphs in Fig. 7, regarding distortion in terms of
ARTICLE IN PRESS
Fig. 11. El Toro Airfield: authenticated image after manipulation and detection of tampered zones (dark blocks) in the authenticated
image, respectively: object replication (a) and (b), object insertion (c) and (d). RX-Chest: (e) authenticated image after manipulation. (f)
detection of tampered zones (dark blocks) in the authenticated image.
R. Caldelli et al. / Signal Processing: Image Communication 21 (2006) 890–903900
PSNR, and Table 1, concerning compression rate.In addition to the two cases of simple JPEG-LScompression (bold dashed line) and JPEG-LS+WAT (dashed line), it has been consideredanother situation in which a signature of the samesize of the watermark is attached to the header ofthe JPEG-LS image to convey an informativepayload as the watermark does (continuous line).The dimension of this signature will have to beequal to the binary matrix embedded in the image
with the proposed procedure (see Section 2.3). Aspointed out in Eq. (6), the signature size depends onthe dimension of the image itself (DR �DC):
Signaturesize ðbitsÞ ¼DR
8� 1
� ��
DC
16
� �� 128,
(6)
where the amount ðDR=8� 1Þ represents the num-ber of stripes contained in an image diminished by
ARTICLE IN PRESS
Table 1
El Toro Airfield: output data size (percentage) with respect to the
original size, obtained by JPEG-LS+WAT and JPEG-LS; byte
increment (right column)
El Toro Airfield pgm 512� 512 size: 262 159 bytes
D JPEG-LS + WAT JPEG-LS Increment
Data size (percentage) Data size (percentage) Bytes
0 62.92 62.92 0
1 44.87 43.67 3152
2 37.63 35.29 6127
3 33.38 29.96 8983
4 30.61 26.50 10806
5 28.84 23.99 12717
Table 2
RX-Chest: output data size (percentage) with respect to the
original size, obtained by JPEG-LS+WAT and JPEG-LS; byte
increment (right column)
RX-Chest pgm 512� 512 size: 262 159 bytes
D JPEG-LS + WAT JPEG-LS Increment
Data size (percentage) Data size (percentage) Bytes
0 42.19 42.19 0
1 29.73 24.91 12641
2 25.56 19.81 15065
3 24.10 17.41 17523
4 23.50 15.68 20507
5 23.22 14.19 23690
Fig. 12. El Toro Airfield: r
R. Caldelli et al. / Signal Processing: Image Communication 21 (2006) 890–903 901
one because the last binary stripe is not embeddedand DC=16 indicates the number of 8� 16 blocksper stripe. In this circumstance, the image El Toro
Airfield has DR ¼ DC ¼ 512 and, consequently, thesignature size is 258 048 bits (32 256 bytes).
It can be observed that the JPEG-LS+WATmethod permits to grant a performance slightlybetter than that of JPEG-LS+SIGNATURE asevidenced by the two lines of tendency; in particular,the first one allows to achieve a lower rate for adesired distortion not decreasing the PSNR under40 dB. Anyway what is important to further high-light is that the signature, attached to the header inthis manner, would not provide any real warrantyfor the authenticity of the image. In fact, beingseparated from the rest of the image, the signaturecould be, for instance, fraudulently deleted orsubstituted and nothing might be assessed in termsof image integrity; on the contrary, this is notpossible with the proposed methodology. Obviously,the JPEG-LS curve outperforms the other two, butdoes not insert any informative payload at all.
5.4. Further improvements
Looking at the distortions applied to the images,due to watermark embedding, it could be deemedthat the PSNR performance is not sufficient forspecific applications, such as radiographies or
ate–distortion trends.
ARTICLE IN PRESSR. Caldelli et al. / Signal Processing: Image Communication 21 (2006) 890–903902
military imagery. In this case a higher visual qualitycan be achieved at the expense of a minorlocalization accuracy. For example, instead ofhashing blocks of size 8� 16, we could use blocksof 16� 16, that is two stripes are processedtogether, and insert the authenticity map within athird stripe (see Fig. 13). This procedure, namedalternate watermarking, always permits to protectthe whole image but with reduced resolution. Byobserving Fig. 13, it can be seen that authenticityinformation of stripes number 1 and 2 is embeddedin stripe number 3, and then authenticity informa-tion of stripes number 3 and 4 is embedded in stripenumber 5 and so on. Doing so, it determines that,globally, one stripe is only JPEG-LS compressed(i.e. even stripes in dark color) and one is jointly
Fig. 13. Alternate watermark embedding procedure.
PSNR - Remot
38.62
42.98
45.22
49.99
40.77
45.21
20
30
40
50
60
70
80
0 2
DE
PS
NR
(db
)
1
Fig. 14. El Toro Airfield. Graph of PSNR versus preset error D: continalternate watermark.
JPEG-LS compressed and watermarked: this allowsto reduce PSNR distortion and improve visualquality. In Figs. 14 (El Toro Airfield) and 15 (RX-
Chest), the plots representing PSNR with respect toD are proposed again for the modified scheme,where an improvement of about 2 dB can beappreciated.
A similar trade-off between tamper localizationaccuracy and distortion can be achieved throughother solutions, e.g. by applying an XOR operationto two consecutive image blocks of size 8� 16 beforeusing Fridrich’s algorithm, thus reducing the authen-tication payload to be embedded. A further solutionmight foresee the adoption of concepts stemmingfrom parity/syndrome or matrix embedding [7].
6. Conclusions
The system we presented in this paper permits tojointly compress and watermark a still image toallow subsequent tamper localization. The systemwas designed to take into account the peculiaritiesof application scenarios requiring that the degrada-tion of the original image content is strictlycontrolled (near-lossless compression and water-marking). Particular care was paid to insure thesecurity of the system. While the proposed systemwas specifically designed and tested to work onremote sensing and telemedicine imagery, its use isnot limited to these scenarios. On the contrary,thanks to the compliance with the JPEG-LS codingstandard and the possibility of retrieving the water-mark even in the raw pixel domain, we believe that
e sensing image
35.7033.54
28.80
38.3240.0142.18
37.8235.66 33.91
4
LTA
PSNR - with watermark
PSNR - without watermark
PSNR - alternate watermark
3 5
uous line JPEG-LS, dotted line JPEG-LS+WAT and dashed line
ARTICLE IN PRESS
PSNR - Medical image
38.8635.95 33.75 31.98
43.1738.5640.20
42.2845.19
49.89
45.35
40.96
35.8834.13
38.04
30
40
50
60
70
80
0 2
DELTA
PS
NR
(db
)
PSNR - with watermarkPSNR - without watermark
PSNR alternate watermark
1 3 4 5
Fig. 15. RX-Chest. Graph of PSNR versus preset error D: continuous line JPEG-LS, dotted line JPEG-LS+WAT and dashed line
alternate watermark.
R. Caldelli et al. / Signal Processing: Image Communication 21 (2006) 890–903 903
our system can find application in a variety of real-life scenarios.
References
[1] M. Barni, F. Bartolini, V. Cappellini, E. Magli, G. Olmo,
Watermarking-based protection of remote sensing images:
requirements and possible solutions, in: Proceedings of SPIE
Conference on Mathematics of Data/Image Coding, Com-
pression, and Encryption IV, with Applications, S. Diego,
CA, July 29–August 3, 2001.
[2] M. Barni, F. Bartolini, V. Cappellini, E. Magli, G. Olmo,
Near-lossless digital watermarking for copyright protection
of remote sensing images, in: IEEE International Geoscience
and Remote Sensing Symposium, 2002, IGARSS’02, vol. 3,
24–28 June 2002, pp. 1447–1449.
[3] K. Chen, T.V. Ramabadran, Near-lossless compression of
medical images through entropy-coded DPCM, IEEE Trans.
Med. Imaging 13 (3) (September 1994) 538–548.
[4] J. Fridrich, Image watermarking for tamper detection, in:
Proceedings of the ICIP98, IEEE International Conference
on Image Processing, vol. II, Chicago, IL, October 1998, pp.
404–408.
[5] J. Fridrich, Security of fragile authentication watermarks
with localization, in: Security and Watermarking of Multi-
media Contents, Proceedings of the SPIE, vol. 4675, San
Jose, CA, January 2002, pp. 691–700.
[6] J. Fridrich, M. Goljan, N. Memon, Further attacks on
