We consider the problem of embedding one signal (e.g., a digital watermark), within another "host" signal to form a third, "composite" signal. The embedding is designed to achieve efficient tradeoffs among the three conflicting goals of maximizing information-embedding rate, minimizing distortion between the host signal and composite signal, and maximizing the robustness of the embedding. We introduce new classes of embedding methods, termed quantization index modulation (QIM) and distortion-compensated QIM (DC-QIM), and develop convenient realizations in the form of what we refer to as dither modulation. Using deterministic models to evaluate digital watermarking methods, we show that QIM is "provably good" against arbitrary bounded and fully informed attacks, which arise in several copyright applications, and in particular, it achieves provably better rate distortion--robustness tradeoffs than currently popular spread-spectrum and low-bit(s) modulation methods. Furthermore, we show that for some important classes of probabilistic models, DC-QIM is optimal (capacity-achieving) and regular QIM is near-optimal. These include both additive white Gaussian noise (AWGN) channels, which may be good models for hybrid transmission applications such as digital audio broadcasting, and mean-square-error-constrained attack channels that model private-key watermarking applications.

Watermarking models a copyright protection mechanism where an original source sequence or "covertext" is modified before distribution to the public in order to embed some extra information. The embedding should be transparent (i.e., the modified data sequence or "stegotext" should be similar to the covertext) and robust (i.e., the extra information should be recoverable even if the stegotext is modified further, possibly by a malicious "attacker"). We compute the coding capacity of the watermarking game for a Gaussian covertext and squared-error distortions. Both the public version of the game (covertext known to neither attacker nor decoder) and the private version of the game (covertext unknown to attacker but known to decoder) are treated. While the capacity of the former cannot, of course, exceed the capacity of the latter, we show that the two are, in fact, identical. These capacities depend critically on whether the distortion constraints are required to be met in expectation or with probability one. In the former case the coding capacity is zero, whereas in the latter it coincides with the value of related zero-sum dynamic mutual informations games of complete and perfect information. # Parts of this work were presented at the 2000 Conference on Information Sciences and Systems (CISS '00), Princeton University, Princeton, NJ, March 15--17, 2000, and at the 2000 IEEE International Symposium on Information Theory (ISIT '00), Sorrento, Italy, June 25--30, 2000.

Research on information embedding and particularly information hiding techniques has received considerable attention within the last years due to its potential application in multimedia security. Digital watermarking, which is an information hiding technique where the embedded information is robust against malicious or accidental attacks, might offer new possibilities to enforce the copyrights of multimedia data. In this article, the specific case of information embedding into independent identically distributed (IID) data and attacks by additive white Gaussian noise (AWGN) is considered. The original data is not available to the decoder. For Gaussian data, Costa proposed already in 1983 a scheme that theoretically achieves the capacity of this communication scenario. However, Costa's scheme is not practical. Thus, several research groups have proposed suboptimal practical communication schemes based on Costa's idea. The goal of this artical is to give a complete performance analysis of the scalar Costa scheme (SCS) which is a suboptimal technique using scalar embedding and reception functions. Information theoretic bounds and simulation results with state-of-the-art coding techniques are compared. Further, reception after amplitude scaling attacks and the invertibility of SCS embedding are investigated. Keywords Information embedding, communication with side-information, blind digital watermarking, scalar Costa scheme I.

Abstract — Network based intruders seldom attack their victims directly from their own computer. Often, they stage their attacks through intermediate “stepping stones ” in order to conceal their identity and origin. To identify the source of the attack behind the stepping stone(s), it is necessary to correlate the incoming and outgoing flows or connections of a stepping stone. To resist attempts at correlation, the attacker may encrypt or otherwise manipulate the connection traffic. Timing based correlation approaches have been shown to be quite effective in correlating encrypted connections. However, timing based correlation approaches are subject to timing perturbations that may be deliberately introduced by the attacker at stepping stones. In this paper we propose a novel watermark-based correlation scheme that is designed specifically to be robust against timing

Digital fingerprinting is a technique for identifying users who might try to use multimedia content for unintended purposes, such as redistribution. These fingerprints are typically embedded into the content using watermarking techniques that are designed to be robust to a variety of attacks. A cost-e#ective attack against such digital fingerprints is collusion, where several di#erently marked copies of the same content are combined to disrupt the underlying fingerprints. In this paper, we investigate the problem of designing fingerprints that can withstand collusion and allow for the identification of colluders. We begin by introducing the collusion problem for additive embedding. We then study the e#ect that averaging collusion has upon orthogonal modulation. We introduce an e#cient detection algorithm for identifying the fingerprints associated with K colluders that requires log(n/K)) correlations for a group of n users. We next develop a fingerprinting scheme based upon code modulation that does not require as many basis signals as orthogonal modulation. We propose a new class of codes, called anti-collusion codes (ACC), which have the property that the composition of any subset of K or fewer codevectors is unique. Using this property, we can therefore identify groups of K or fewer colluders. We present a construction of binary-valued ACC under the logical AND operation that uses the theory of combinatorial designs and is suitable for both the on-o# keying and antipodal form of binary code modulation. In order to accommodate n users, our code construction requires only # n) orthogonal signals for a given number of colluders. We introduce four di#erent detection strategies that can be used with our ACC for identifying a suspect set of colluders. We demonstrate th...

A considerable amount of attention has been lately payed to a number of data hiding methods based in quantization, seeking to achieve in practice the results predicted by Costa for a channel with side information at the encoder. With the objective of filling a gap in the literature, this paper supplies a fair comparison between significant representatives of both this family of methods and the former spread-spectrum approaches that make use of near-optimal ML decoding; the comparison is based on measuring their probabilities of decoding error in the presence of channel distortions. Accurate analytical expressions and tight bounds for the probability of decoding error are given and validated by means of Monte Carlo simulations. For Dithered Modulation (DM) a novel technique that allows to obtain tighter bounds to the probability of error is presented. Within the new framework, the strong points and weaknesses of both methods are distinctly displayed. This comparative study allows us to propose a new technique named "Quantized Projection" (QP), which by adequately combining elements of those previous approaches, produces gains in performance.

Quantization index modulation (QIM) methods, a class of digital watermarking and information embedding methods, achievevery efficient trade-offs among the amount of embedded information (rate), the amount of embedding-induced distortion to the host signal, and the robustness to intentional and unintentional attacks. For example, we show that against independent additive Gaussian attacks, which are good models for at least some types of uninformed and unintentional attacks, QIM methods exist that achieve the best possible rate-distortion-robustness trade-offs (i.e., capacity) asymptotically at high rates and achieve performance within a few dB of capacity at all finite rates. Furthermore, low-complexity realizations of QIM methods, such as so-called dither modulation, have also been shown to achieve favorable rate-distortion-robustness trade-offs. We further develop preprocessing and postprocessing techniques that enable QIM to fully achieve capacity, not only against Gaussian attacks but also ag...

Using a theoretical approach based on random processes, signal processing, and information theory, we study the performance of digital watermarks subjected to an attack consisting of linear shift-invariant filtering and additive colored Gaussian noise. Watermarking is viewed as communication over a hostile channel, where the attack takes place. The attacker attempts to minimize the channel capacity under a constraint on the attack distortion (distortion of the attacked signal), and the owner attempts to maximize the capacity under a constraint on the embedding distortion (distortion of the watermarked signal). The distortion measure is frequency-weighted mean-squared error (MSE). In a conventional additive-noise channel, communication is most difficult when the noise is white and Gaussian, so we first investigate an effective white-noise attack based on this principle. We then consider the problem of resisting this attack and show that capacity is maximized when a power-spectrum condition (PSC) is fulfilled. The PSC states that the power spectrum of the watermark should be directly proportional to that of the original signal. However, unlike a conventional channel, the hostile attack channel adapts to the watermark, not vice versa. Hence, the effective white-noise attack is suboptimal. We derive the optimum attack, which minimizes the channel capacity for a given attack distortion. The attack can be roughly characterized by a rule-of-thumb: At low attack distortions, it adds noise, and at high attack distortions, it discards frequency components. Against the optimum attack, the PSC does not maximize capacity at all attack distortions. Also, there is no unique watermark power spectrum that maximizes capacity over the entire range of attack distortions. T...

To prevent image nanipulations and fraudulent use of modified images, the embedding of semi-fragile digital watermarks into image data has been proposed. The watermark should survive modifications introduced by random noise or compression, but should not be detectaisle from non-authentic regions of the image. The original image cannot be used by the watermark detector to verify the authenticity of the image. In this paper, we investigate the application of a recently developed quantization based watermarking scheme to image authentication. The watermarking technology called Scalar Costa Scheme (SCS), allows reliable blind water- mark detection from a sinall uumber of pixels, and thus enables the detection of local modifications to the image content.

Watermarking is a potential method for protection of ownership rights on digital audio, image and video data. Benchmarks are used to evaluate the performance of different watermarking algorithms. For image watermarking, the Stirmark package is the most popular benchmark, and the best current algorithms perform well against it. However, results obtained by the Stirmark benchmark have to be handled carefully since Stirmark does not properly model the watermarking process and consequently is limited in its potential for impairing sophisticated image watermarking schemes. In this context, the goal of this article is threefold. First, we give an overview of the current attacking methods. Second, we describe attacks exploiting knowledge about the statistics of the original data and the embedded watermark. We propose a stochastic formulation of estimation-based attacks. Such attacks consist of two main stages: a) watermark estimation; b) exploitation of the estimated watermark to trick watermark detection or create ownership ambiguity. The full strength of estimation-based attacks can be achieved by introducing additional noise, where the attacker tries to combine the estimated watermark and the additive noise to impair watermark communication as much as possible while fulfilling a quality constraint on the attacked data. With a sophisticated quality constraint it is also possible to exploit human perception, e.g., the human auditory system in case of audio watermarks and the human visual system (HVS) in case of image and video watermarks. Third, we discuss the current status of image watermarking benchmarks. We briefly present Fabien Petitcolas ' Stirmark benchmarking tool [1]. Next, we consider the benchmark proposed by the University of Geneva Vision Group that contains more deliberate attacks. Finally, we summerize the current work of the European Certimark project, whose goal is to accelerate efforts from a number of research groups and companies in order to produce an improved ensemble of benchmarking tools.