A Detection-Theoretic and Computational Framework for Designing - PowerPoint PPT Presentation

A Detection-Theoretic and Computational Framework for Designing Geometrically Resilient Watermarking Systems Pierre Moulin University of Illinois at Urbana-Champaign www.ifp.uiuc.edu/ ˜ moulin/talks/wacha05-slides.pdf WaCha, Barcelona June 8, 2005 1

Outline • A communication model for geometric attacks – Role of Information Theory and Detection Theory – “Complexity” of geometric attacks • Example: Unitary Geometric Attack Channels • Invariant vs GLRT vs Pilot-based WM schemes 2

An Image Watermarking System Decoded message Picture taken by Alice on Picture taken by Alice on January 1, 2000. This message January 1, 2000. This message is going to be embedded forever is going to be embedded forever in this picture. I challenge you in this picture. I challenge you to remove the message without to remove the message without substantially altering the picture. substantially altering the picture. 11011000...01 binary representation secret key k Decoded binary 1001001101001110100...............101 Pirate message 1001001101001110100...............101 secret key k original image S watermarked image X Encoder Attack Decoder 3

Attacks on Images Original JPEG, QF=10 4 × 4 median filtering Gaussian filter ( σ = 3) Rotated by 10 degrees Random bending 4

A Communication Model for Geometric Attacks • Attacker maps watermarked X = ( X 1 , · · · , X n ) into degraded Y = ( Y 1 , · · · , Y n ) using stochastic mapping p ( y | x ). • Distortion function d ( x , y ) • Feasible mappings satisfy a distortion constraint E [ d ( X , Y )] ≤ D 2 in average: d ( X , Y ) ≤ D 2 or with probability one: • Would like “geometrically-inspired” d ( x , y ) 5

Attack Model and Distortion Function [MM’02] Memoryless Geometric Channel Attack x z y . A(z|x) T ( ) θ θ • Geometric (desynchronization) parameter θ ∈ Θ • T θ ( · ) smooth, invertible mapping � n • Additive distortion function d a ( x , z ) = 1 i =1 d a ( x i , z i ) n • Distortion function d ( x , y ) = min θ ∈ Θ d a ( x , T − 1 ( y )) θ invariant to geometric attacks in class { T θ , θ ∈ Θ } • Maximum distortion level D 2 for attacker 6

Information-Theoretic Setup Decoder Encoder Attack ^ M x y M y k y x g ( , ) f ( ,m, ) s p( | ) Message k n n s Host k Key • Communications with side information (Gel’fand-Pinsker 1980) • M uniformly distributed over message set M n – Coding problem: R � lim n →∞ 1 n log 2 |M n | > 0 – Detection problem: M n independent of n ⇒ R = 0 • Distortion levels D 1 and D 2 • Class of attacks: P n � { p Y | X } • Attacker knows f n , g n , selects ( A Z | X , θ ) ∼ p Y | X ∈ P n 7

Decoder Encoder Attack ^ M x y M y k g ( , ) y x Message f ( ,m, ) s k p( | ) n n s Host k Key • Minmax probability of error: P ∗ e ( n, M n , P n ) = inf sup P e ( f n , g n , p Y | X ) f n ,g n p Y | X ∈P n • Rate R is achievable if lim sup n →∞ P ∗ e ( n, M n , P n ) = 0 • Supremum of achievable rates is capacity C ( D 1 , D 2 ) • Error exponent n →∞ − 1 e ∗ ( R, D 1 , D 2 ) = lim inf n log P ∗ e ( n, M n , P n ) , 0 ≤ R ≤ C e ( n, M n , P n ) . = 2 − n e ∗ ( R,D 1 ,D 2 ) • Write P ∗ 8

• Can derive expression for C ( D 1 , D 2 ) for various classes of attacks involving additive distortion functions : – Memoryless attacks [MO’99] – Max-distortion attacks [CL’01, SM’03] • Can also derive upper and lower bounds on e ∗ ( R, D 1 , D 2 ) [SM’04] [MW’04] • What happens under geometric attacks? 9

Complexity of Geometric Attacks Memoryless Geometric Channel Attack x z y . A(z|x) T ( ) θ θ • Consider two cases: receiver knows θ or not • If receiver knows θ , it can “undo” geometric attacks • If receiver doesn’t know θ but Θ is compact, – there is no decrease in capacity ; C ( D 1 , D 2 ) is achieved using traditional decoder, aided by pilot. – there is not even a decrease in e ∗ r ( R, D 1 , D 2 ), i.e., there exists a universal decoder against such geometric attacks 10

Standard WM Codes and Their Limitations • Example: standard Quantization Index Modulation codes perform well against additive Gaussian attacks but are vulnerable to scaling attacks, delays, warping, etc. • The main culprit is the minimum-Euclidean-distance decoder 11

Unitary Geometric Attack Channels • Assume s , x , y ∈ R n and d a ( x , y ) = � x − y � 2 • T θ is a unitary matrix (geometric attack is linear and preserves signal energy) • Example: cyclic delay attack – Attacker performs bandlimited interpolation of x , applies cyclic delay θ ∈ [0 , n ], and resamples signal • Assume S ∼ N (0 , Σ) and T θ Σ T T θ is independent of θ ⇒ statistics of S are invariant under T θ 12

Example: M -ary Watermark Detection in iid Gaussian Noise • Code rate R = 0 • Additive spread-spectrum embedding rule x = s + w m • M ≤ n orthogonal watermarks w m ∈ R n , each with energy � w m � 2 = nD 1 • Watermark constellation C = { w m } ; transformed watermark constellation C θ = { T θ w m } • Total noise at receiver ∼ N (0 , σ 2 I n ) • Watermark to Noise ratio: WNR = D 1 /σ 2 √ • Minimum distance of C θ : d min = 2 nWNR , same for all θ 13

Coherent Case: Detector knows θ • Hypothesis test: H m : Y ∼ N ( T θ w m , σ 2 I n ) , m ∈ M • Optimal likelihood ratio test ( LRT ) is a correlator-detector: y T T θ w m m = argmax ˆ m ∈M • Error probability: P e ≤ M − 1 Q ( d min / 2) . = e − n W NR 4 2 • Computational complexity: no search, just |M| correlations ⇒ |M| ops/sample 14

Noncoherent Case: Detector doesn’t know θ • Hypothesis test: H m : Y ∼ N ( T θ w m , σ 2 I n ) , m ∈ M , θ ∈ Θ • Worst-case error probability max θ ∈ Θ P e ( f n , g n , θ ) • Can we do (nearly) as well as in the coherent case? • What kind of detector g n is (nearly) optimal? • What kind of watermark code f n should we use? 15

Taxonomy for Practical WM Schemes • Invariant WM schemes • Generalized Likelihood Ratio Test (GLRT) detectors • Pilot-aided detection 16

Invariant Watermarks • Invariant watermark: select embedding domain such that p ( y | θ, H m ) is independent of θ – θ is nonidentifiable • Detector has same performance as in coherent case (against memoryless attacks in invariant domain) • No increase in computational complexity • Possible loss of robustness against memoryless attacks in original image domain • And invariant domain does in general not exist! 17

Invariant Detection Tests • Construct good detection statistics whose distribution is independent of θ • Example: noncoherent detection of sinusoids ( M -ary FSK) subject to cyclic delay attacks: � w m ( i ) = 2 D 1 sin(2 πf m i ) , 0 ≤ i < n, f m = ( K + m ) /n 2 � i =0 y ( n ) e j 2 πf m i � � n − 1 • Detection statistics z m = m ∈ M , � � � � • Detection test: ˆ m = argmax m ∈M z m • Error probability P e ≤ ( M − 1) e − n W NR 4 • No loss in error exponent wrt coherent case 18

Generalized Likelihood Ratio Test (GLRT) • Step 1: Maximum-Likelihood Estimation: ˆ � p ( y | θ, H m ) θ m argmax θ = argmin � y − T θ w m � , m ∈ M θ • Step 2: Correlator Detector: y T T ˆ m = argmax ˆ θ m w m m ∈M • Asymptotic optimality of GLRT: θ ∈ R , still P e . = e − n W NR ! 4 • Computational complexity: mostly |M| full searches 19

Pilot-Aided Detection Pilot Information-Bearing Signals time • Pilot known to receiver, conveys info about channel law p Y | X • Up to n − 1 orthogonal WM’s w m , each with energy nD w • Assume pilot p ∈ R n is orthogonal to { w m } , has energy nD p . • Transmit watermarked signal x = s + w m + p • Embedding distortion = nD 1 = n ( D w + D p ) ⇒ D w < D 1 20

• Computational complexity: mostly one full search (match p to y ) • Reduces effective WNR by a factor of 1 − D p /D 1 and therefore decreases error exponent • Large estimation errors ˆ θ − θ also contribute to P e ⇒ optimal D p results from large-deviations analysis Detection vs computational-complexity tradeoff 21

More General Geometric Attacks • Generally, T θ is not unitary, not even linear y n {T w } 1 θ {T w } θ 2 . . . {T w } θ 3 • How can we generalize the previous WM design/detection approaches? 22

• Invariant WM’s : very hard if not impossible to construct • GLRT approach : – due to invertibility and smoothness of T θ ( · ), GLRT is asymptotically optimal as n → ∞ provided Θ is not “too complex” (e.g., Θ ∈ R d where d ≪ n ) – Proof is based on notion of competitive minimaxity [FM’02] • Pilot-based approach : capacity-achieving, but lower error exponents 23

Fast Search • Search for ˆ θ m = argmax θ ∈ Θ p ( y | θ, H m ) , m ∈ M • Computational cost of full search (for discrete Θ) ∼ n |M| | Θ | • Replace full search by partial search • Analogous to classical signal processing problems such as fast motion estimation in video, fast image registration, etc. 24

More General Watermarking Codes [M’03] • Gelfand-Pinsker setup . u G . θ 1 . . . . . G θ 1 u’ . u G G θ 0 u’ θ 0 • How to make it practical? 25