Project Number: IST-1999-10987
Project Title: CERTIMARK
Deliverable Type:
Deliverable Number: D 2.1
Contractual Date of Delivery: 31/10/2000
Actual Date of Delivery: 31/10/2000
Title of Deliverable: Watermarking applications and requirements for benchmarking
Work-Package contributing to the Deliverable: WP2
Nature of the Deliverable: RE
Author(s): SACD, INA, PHILIPS, TUD, TCC, NETIMAGE, UVIGO

Abstract: Enabling the comparison of watermarking techniques on a standardised benchmarking platform, and the evaluation of their performance with respect to watermarking applications, are key points in enlarging electronic commerce in digital images. As a first step in the design of this platform, this deliverable reviews the main applications of watermarking techniques on images and videos for the years to come, and then lists some technical parameters which act as measures of performance. These parameters will then be taken into account in future benchmarking metrics. To complete the synthetic description of foreseen watermarking applications, existing scenarios that actually resort to watermarking are presented, with detailed attention to their specific contexts and the technical requirements they raise.

Keyword List: Watermarking requirements, watermarking performances, IPR protection, fingerprints, content protection, authentication, identification, metadata, steganography, digital image broadcasting, digital image distribution

*Type: PU-public, LI-limited, RP-restricted
**Nature: PR-Prototype, RE-Report, SP-Specification, TO-Tool, OT-Other


1 Introduction
2 Classes of Watermarking Applications
    2.1 Proof of Ownership
    2.2 Broadcast or Distribution Monitoring
    2.3 Fingerprinting
    2.4 Integrity Checking
    2.5 Authentication and Identification
    2.6 Usage Control
        2.6.1 Copy Protection
        2.6.2 Printing & Viewing Access
    2.7 Information Side Channel
        2.7.1 Carrying Public Information
        2.7.2 Carrying Private Information
        2.7.3 Carrying Hidden Information: Steganography
3 Definition of Parameters
    3.1 Technical Features and Types of Watermarking Algorithms
    3.2 Payload Capacity
    3.3 Granularity
    3.4 Complexity
    3.5 Visual Quality
    3.6 Reliability in Detection
    3.7 Reliability in Extraction
    3.8 Robustness to synchronisation and removing attacks
    3.9 Key Capacity
    3.10 Cryptographic Strength
    3.11 Robustness to attacks: additional information
4 Scenarios of Interest to Certimark Partners
    4.1 Monitoring of Still Images on the Internet
        4.1.1 Context: actors and process, image formats and tools
        4.1.2 Aim of a still picture monitoring system
        4.1.3 Usage scenario
        4.1.4 User needs and priorities on parameters for this usage example
        4.1.5 Conclusion
    4.2 Television Programme Broadcast Monitoring
        4.2.1 Context: actors and process, video formats and tools
        4.2.2 Aim of a video monitoring system
        4.2.3 Usage scenario
        4.2.4 User needs and priorities on parameters for this usage example
        4.2.5 Conclusion
    4.3 Fingerprinting of movies in Digital Cinema
    4.4 Monitoring Usage of Still Images and Fingerprinting of the Customer
5 Conclusion
6 References


1 Introduction

Various watermarking schemes have been introduced over the past several years in order to improve the visual imperceptibility of watermarks in images and their robustness to attacks from users. But there is still no universally recognised procedure for comparing their performance using common and objective criteria with respect to existing (and future) applications. This remains an important impediment to the wide use of watermarks in electronic commerce.

The aim of the Certimark project is to define and develop a benchmark enabling such an objective comparison of the characteristics of watermarks. As a first step in this development, the D2.1 deliverable, which is devoted to user requirements and applications, aims at providing Certimark benchmarking activities with two main inputs:
- A list of key parameters that should be taken into account in Certimark benchmarking metrics and methodology, as they are considered important for user applications;
- Specific usage scenarios that are of interest to Certimark partners (direct users, INA and SACD, or other applications that are targeted by the industrial partners).

The list of important user parameters is a direct input to D2.2 (metrics), which defines how parameters should be measured. The D2.1 parameter list is derived from a survey of identified applications; the resulting broad application classes/markets are supposed to encompass known and future applications. The Certimark benchmarking methodology should be general enough to be adapted to all of them.

Beyond the methodology and metrics definition, Certimark will also test its benchmarking software on specific use cases in WP3/4. The usage scenarios described here in D2.1 are provided as interesting examples from users that can be exploited for that purpose. They describe precise applications, close to the business cases, with concrete parameter range requirements. The final choice of precise scenarios for benchmark tests within Certimark will then be defined in D3.1. It will take into account the scenarios proposed here by users, in combination with other considerations such as practical possibilities according to today's technology and Certimark partner expertise.

In order to achieve the two main deliverable objectives (list of important user parameters and usage scenarios), D2.1 is organised in the following main parts:
1. Broad classes/markets of watermarking applications: each description of one of those classes leads to the identification of the important user parameters concerned.
2. Definition of Parameters: the parameters identified in part 1 are defined in more detail.
3. More precise scenarios of interest to Certimark partners are then described as example inputs to benchmarking tests.
A conclusion then provides the link with D2.2 (Quantitative metrics and evaluation procedures) and D3.1 (Benchmark tool and detailed specifications); it also presents relevant synthetic comments on the scenarios.


The visual documents to be taken into consideration are Digital Still Images and Video Sequences. Note that audio content is not taken into consideration. The next chapter is structured according to a general classification of application fields, which are defined below:

• Proof of Ownership over an Image - “Robust” Watermarking: the detection of the mark with a private key, or the hidden message itself, helps in proving the ownership of a document.

• Monitoring of the Exploitation of Broadcast or Distributed Images: the notion of monitoring globally corresponds to tracing the distribution of some images on a given medium of distribution. So, it concerns the evaluation of the broadcast audience of a programme (also called people metering) in a legal context, as well as the tracking of piracy (illegal exploitation) of some creations on a distribution medium. Its aim, however, remains only the detection of the exploitation of images.

• Fingerprinting: in order to complete the tracing of image exploitation on a distribution medium, a different mark is inserted in each distributed copy of an image before delivery by its legal distributor. This identifies a transaction or a sold item.

• Document Integrity Checking - “Fragile” Watermarking: the mark makes it possible to detect possible changes in an image due to some attacks, and their locations. It is therefore expected to be partly alterable.

• Authentication and Identification of an Image: a user who receives an image may need to identify the source of a document, or the document itself, with a high degree of certainty, in order to validate this document for a specific use.

• Usage Control: the reception of some distributed images by some digital equipment in a distribution network may be controlled by using watermarks inserted in these images, and only enabled on equipment whose owner paid some access rights. A first example is provided by Copy Protection on DVD & CD-ROM for the Consumer Market: a mark is embedded in DVD video disks in order to prevent copying of DVDs, in co-operation with playback and recording device manufacturers.

• Information Side Channel: this is globally related to “conveying” side information. Regarding the carrying of public or private information, we generally think of information which is related to the image creation, and which is made available or not to any receiver (depending on its nature). In contrast, Steganography is concerned with secretly carrying information that has nothing to do with the “cover” image: this really constitutes a separate channel.

A few points have to be noted before the next chapters. First, in an IPR (Intellectual Property Rights) context, “users” means people, associations, or - globally speaking - juridical entities which may either sell audio-visual documents and services bound to these documents, or buy these products and services as customers. So this word may designate archive institutes as well as consumers who buy DVDs. Secondly, watermarks are initially embedded in digital documents, but a watermarked Image or Video may be alternately converted into an analogue or digital signal through its life, or transcoded.


Then, various media, which broadcast and store either analogue or digital documents, will have to be included in the application description, as they may have an influence on the watermarking processes: cinema, TV sets, TV channels through cable or satellite, Internet (Web sites, Web servers), closed networks for Video On Demand, photography, private video, Laser Disc, CD-ROM, DVD, etc.


2 Classes of Watermarking Applications

2.1 Proof of Ownership

Watermarks proving or contributing to the proof of ownership of images find their motivation in the context of a distributed scheme of Intellectual Property Rights (IPR) management. As a matter of fact, since early studies on IPR protection, two models have been set up for copyright management:
- Central management: each content provider registers his work with a TTP (Trusted Third Party, e.g. a copyright society). This TTP can be trusted when copyright problems occur: it then produces, before the courts, the proofs of ownership of people over their creations. The reliability of such proofs of ownership is bound to that of the copyright society.
- Distributed management, which can be considered as a liberal model: each content provider has to ensure the management of his intellectual property rights (on some creations) by himself. As every content provider cannot be directly trusted, he must produce a material proof of his copyrights. This is what one expects robust watermarks to be. This distributed model appears as a necessary solution to the copyright protection problem in some situations where registration is not possible.

Thus, considering the problem of IPR protection from the distributed point of view, it follows that a major requirement on such watermarks is a strong robustness to removing attacks, and non-invertibility, due to the foreseeable intentions of pirates.
However, it appears that perfect robustness to attacks, for watermarks embedded in images, doesn’t exist yet, and that even very robust watermarks will never be strict proofs as digital signatures may be in cryptography. This leads to a different point of view from the former one:
- Robust watermarks for copyright protection are then used as contributions to the proof of ownership, when combined with other elements; thus, they may potentially affect the progress of a trial;
- In the same context, they provide interesting information and indications in the investigation process, which is carried out to identify some attacked images.

Requirements
Requirements on watermarks for proof of ownership, or for contribution to such a proof, are listed below:
• Invisibility at high (studio) or consumer quality.
• A payload size, which could range from one bit to a length of 48 to 64 bits, for a complete identification of the right owner. As a matter of fact, part of this identification may be carried out by the watermark embedding key, since this key may be private and may either be shared by a group of right owners or belong only to the right owner. This reduces the required payload size and may set it down to one bit, in the second case.
• A very low probability of false alarm, since the watermark is supposed to be used in juridical disputes. From a general point of view, a high reliability of the detection process is also needed.


• Robustness to non-intentional attacks that are caused by processes inherent to image distribution and broadcasting: standard digital compression, format conversions, etc. Robustness to, or capability for, multiple watermarking (typically, standing up to 3 other embedded watermarks).
• Robustness to malicious removing attacks and attacks on the synchronisation of the watermark, and non-invertibility, against attacks that attempt to replace the mark by another.
• Robustness to cryptographic attacks; security against collision attacks.

2.2 Broadcast or Distribution Monitoring

The various business cases related to this theme take place in the context of wide distribution and are mainly directed towards one of the following objectives:
- people metering, or evaluation of broadcast audience on a broadcast network,
- tracking piracy over a medium of distribution – this is mainly concerned with the defence of property rights,
which call for similar requirements on watermarking techniques. As a matter of fact, in both cases, the fulfilment of these objectives is based on a monitoring system, which is placed at the receiver’s side and detects relevant images or videos to monitor. The requirements on embedded watermarks are then motivated by the structure of this monitoring system and its main features.

People Metering:
The general context of this application is the broadcasting of images or video on public networks (such as the Internet or TV networks on cable and satellite). A broadcaster or a right owner wants to evaluate the broadcast audience of his programme and benefits from information from customers. A solution for automatically achieving this monitoring is to embed a specific mark in images before broadcasting them, and to get this mark detected and extracted from the received images by the receiving equipment of any consumer (placed at the other end of the same network). The corresponding information is then sent back to a central entity: it usually identifies the broadcaster, the image and sometimes the time of broadcast or a global location of the receiving point in the broadcast network.

Tracking Piracy over a medium of distribution:
Content providers over broadcast channels are wary of any breach of contract, either because content is shown more often or on other channels than agreed upon (e.g. news clips by Reuters) or less than agreed upon (commercial verification). In many cases the channels over which such content is distributed are to some degree uncontrollable. The last resort for verifying the proper showing of content is verification in the field, that is, by having monitoring stations in every major region where verification is required. In order to reduce the complexity and security issues of such a monitoring station (having all the originals at a monitoring station is a bad idea, as are high-bandwidth pipes to central video servers with original content), content is stamped with an invisible marker that cannot easily be removed from the content after distribution. In other words, a robust watermark. In a typical broadcast verification scenario, the watermark carries an index into a large database where the associated broadcasting rights & permissions are stored. On a more abstract level, this application is very similar to the people metering application, where consumer TVs have been replaced by professional monitoring stations.

Common Requirements

In both cases, the following requirements are encountered:
• robustness to non-intentional attacks related to usual manipulations: MPEG compression, transcoding, analogue-to-digital and digital-to-analogue conversions, standard conversions (PAL – NTSC), change of geometry (Bloomberg),
• high probability of detection and high probability of correct extraction when the watermark is present, low false detection probability when not present,
• real-time extraction for reasonable complexity both for embedding and detection,
• blind extraction,
• invisibility (studio level),
• granularity about 1 second,
• payload between 64 and 72 bits.

Tracking piracy is related to IPR protection, and the kind of piracy a right owner fears is illegal broadcast or distribution of the images he owns, with potential usurpation of property by the pirate. One must then add the following robustness requirements on embedded watermarks:
• Robustness to over-watermarking and capability for multiple watermarking up to three other watermarks (from pirates or distributors);
• Robustness to any intentional attack that aims at breaking the synchronisation of the watermark or removing it.

2.3 Fingerprinting

When a distributor sells a copy of an image to a customer, he sometimes embeds in the delivered copy a watermark which identifies either this very transaction or the customer. This watermark is called a “fingerprint”.
Thus, in the domain of IPR protection, the information carried by a fingerprint completes the other embedded messages related to the identification of the right owners and of the image document itself. As a matter of fact, the main motivation for fingerprinting is to complete and extend the task of tracking pirate exploitation of broadcast images, which was described in the previous section: a monitoring system watches over a distribution medium and looks for copies of images whose distribution must be overseen. These images are watermarked with IPR information. Once such an image is found, the system exploits this IPR information to see whether the detected exploitation of the image concerned is legal or not. Whether or not the fingerprint is embedded in an image item as a mark separate from the other IPR information, the additional capability it brings to the former piracy tracking is the identification of the customer with whom piracy began.

Due to the information they contain, fingerprints cannot be embedded once in the original image to distribute, as right owner or image identifiers can. Instead, their embedding is necessarily made on each image copy that will be delivered, and it occurs before the final delivery of this item. In some technical contexts, this may induce strong complexity requirements on the embedding process. For instance, it is foreseen in digital cinema that fingerprints will be inserted at each showing of a movie by the projector itself. In television networks, fingerprinting may be achieved by set-top boxes on consumers’ equipment.

Requirements on fingerprints
From the above description of the context of use of fingerprints, it follows that they should first fulfil most of the requirements which are pointed out for IPR watermarks used in piracy tracking:
• Invisibility at studio and consumer qualities.
• Moderate payload size, which is imposed by a maximal number of customers for the embedder: it could range from 16 to 64 bits, in addition to other IPR information.
• Robustness to acceptable manipulations that are exerted on the watermarked image all along its distribution: compression, conversions of formats, A/D and D/A conversions, …
• Robustness to over-watermarking.
• Robustness to intentional removing attacks: for instance, robustness to geometric transforms is needed in digital cinema, due to pirates’ copying techniques.
• Cryptographic robustness, secure with respect to collision attacks.

But the fingerprint is separately embedded in an image, and its extraction occurs after this image has been detected as relevant by the monitoring system, thanks to other IPR watermarks. Thus, it may not have to satisfy the following requirements:
- Real-time or moderate complexity of the extraction process, depending on the business case.
- Blind extraction.

Finally, depending on the applications of fingerprinting and the features of their embedding processes, additional complexity requirements have to be mentioned (for instance, this is the case for digital cinema and video broadcasting on TV networks):
• Real-time or moderate complexity of the embedding process, depending on the business case.

2.4 Integrity Checking

Digital image manipulation software is now readily available on personal computers, and it is very easy both to tamper with any image and to make it available to others. Users are able to modify some features of the image or even the content of a scene (e.g. to move, delete or add objects). Consequently, ensuring digital image integrity becomes a major requirement for several applications, and watermarking algorithms are promising techniques for solving the problem of image integrity checking.
There are several levels of image integrity that can be defined. The highest (but the most restrictive) level means that no alteration of the original (more precisely the watermarked original) image is allowed, i.e. the received data has to be identical to the original. However, in real-life situations, images can be transformed, compressed, etc., without modifying their semantic content. Therefore, and depending on the application, several lower levels of image integrity may be considered, where the lowest one rejects only images which were subject to malicious manipulation changing the content of the original image. In this latter case, the term content authentication is used rather than image integrity checking.
According to the above-mentioned integrity levels, one can distinguish:

- Fragile watermarks. The watermark is altered by any change suffered by the image. In this case no robustness to attacks is required, but it must be very difficult to remove the watermark from the data and it must be invisible. However, there exist techniques (e.g. cryptography) which are possibly better adapted to this kind of application than watermarking algorithms.

- Semi-fragile (the mark is independent of the image) and semi-robust (the mark is image content dependent) watermarks. The watermark has to be resistant to certain attacks (especially non-malicious attacks like compression, conversion, etc.), but it is altered by undesired or malicious attacks (in particular when the content of an image was modified). The basic idea underlying these techniques is to insert a specific watermark so that any attempt to alter the content of an image will also alter the watermark itself. The integrity checking process therefore consists of locating watermark distortions in order to locate the regions of the image that have been tampered with. The major drawback of these approaches is that it is difficult to distinguish between malicious and non-malicious attacks.

- Robust watermarks. The watermark is resistant to different attacks, but it contains information about the image that makes it possible to detect possible content manipulation of the image. This information can be some image features (edges, colours, etc.), a signature of the image, a textual content description of the image, or simply an ID pointing to an address where either the certified original image or one (or several) of the above-mentioned pieces of information can be found. In the former case, an additional requirement for the watermarking algorithm is that the payload size of the watermark has to be large enough to contain the desired information. The latter case corresponds to the classical watermarking approach used for copyright protection.
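
The fragile class described above, shown as an added example that is not part of the CERTIMARK deliverable: a block-wise watermark that is checked blindly (no original image needed) and reports which blocks were altered. The 8x8 block size, the least-significant-bit embedding, HMAC-SHA-256 as the keyed code, the function names and the test image are all assumptions of this example.

```python
import hashlib
import hmac

BLOCK = 8  # block side in pixels (assumption): 8x8 pixels carry a 64-bit mark


def block_pixels(bx, by):
    """Coordinates (x, y) of the pixels of block (bx, by), in a fixed scan order."""
    return [(x, y)
            for y in range(by * BLOCK, (by + 1) * BLOCK)
            for x in range(bx * BLOCK, (bx + 1) * BLOCK)]


def blocks(img):
    """Index (bx, by) of every complete block; a partial border is not protected."""
    return [(bx, by)
            for by in range(len(img) // BLOCK)
            for bx in range(len(img[0]) // BLOCK)]


def block_mark(key, img, bx, by):
    """64 mark bits: keyed MAC over the block position and the 7 MSBs of each pixel.

    Binding the position means a marked block copied elsewhere no longer verifies.
    """
    msg = bytearray(bx.to_bytes(2, "big") + by.to_bytes(2, "big"))
    for x, y in block_pixels(bx, by):
        msg.append(img[y][x] & 0xFE)  # ignore the LSB, which will hold the mark
    digest = hmac.new(key, bytes(msg), hashlib.sha256).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(BLOCK * BLOCK)]


def embed(key, img):
    """Return a marked copy of an 8-bit grey-level image (list of rows)."""
    out = [row[:] for row in img]
    for bx, by in blocks(img):
        bits = block_mark(key, img, bx, by)
        for bit, (x, y) in zip(bits, block_pixels(bx, by)):
            out[y][x] = (img[y][x] & 0xFE) | bit
    return out


def verify(key, img):
    """Blind check: list of blocks (bx, by) whose embedded mark does not match."""
    tampered = []
    for bx, by in blocks(img):
        found = [img[y][x] & 1 for x, y in block_pixels(bx, by)]
        if found != block_mark(key, img, bx, by):
            tampered.append((bx, by))
    return tampered


def max_distortion(a, b):
    """Largest grey-level difference between two images of equal size."""
    return max(abs(p - q) for ra, rb in zip(a, b) for p, q in zip(ra, rb))


def sample_image(size=32):
    """Constructed test image: a deterministic grey-level pattern."""
    return [[(7 * x + 13 * y) % 256 for x in range(size)] for y in range(size)]


def demo():
    key = b"constructed-demo-key"
    marked = embed(key, sample_image())
    edited = [row[:] for row in marked]
    edited[20][10] ^= 0x10  # change one pixel of block (1, 2)
    return {
        "untouched": verify(key, marked),                 # no block flagged
        "edited": verify(key, edited),                    # only the altered block
        "distortion": max_distortion(sample_image(), marked),
    }


if __name__ == "__main__":
    print(demo())
```

Because the mark lives in the least significant bits, any re-encoding such as lossy compression flags every block, which is the behaviour the text assigns to fragile watermarks and the reason the semi-fragile class exists.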

Remark: There are alternative techniques to classical watermarking approaches which allow image integrity checking. They consist in using an external digital signature generated from significant image features that summarise the semantic content of the image, such as colour, shape or texture. The signature is encrypted and transmitted along with the image data. The integrity check is performed by decoding the signature and then comparing the decoded signature with the characteristics extracted from the image. However, in this case the question is how to guarantee the authenticity of the image/signature pair.

Key points that have to be taken into account when designing an image integrity checking system are:
- Determine whether an image has been tampered with or not;
- If necessary, locate malicious alterations made to the image;
- The authentication system must tolerate non-malicious manipulations, such as compression;
- Should the occasion arise, make it possible to restore altered regions (even partially).
Moreover, choosing such a system based on watermarking is synonymous with embedding integrity or content authentication data in the image, in an invisible way.

Requirements on Integrity checking:
Consequently, some requirements can be derived for authenticating watermarks, depending on the chosen class of integrity checking:
• Invisibility:
  - only at high (studio) quality, for fragile watermarks,
  - at any visual quality, for semi-fragile/robust and robust watermarks.
• Blindness: Integrity checking must be performed without the original image.
• The required payload size depends on the chosen solution for integrity checking:
  - In most cases, codes based on the digital content of the image and generated by applying a specific rule (hash codes, for instance), or pointers to pages of semantic data, only need about 48 or 64 bits.
  - Robust watermarks containing some kind of semantic description of the image generally need a longer payload (128 to 256 bits long, for instance?).
• Non-robustness or “sensitivity” to classes of attacks on the image may be expected from the content of the watermark: the message is expected to be altered by these attacks, to locate the damaged area of this image and, potentially, to help in its restoration. Then:
  - Fragile watermark contents should be sensitive to any manipulation or attack.
  - Semi-fragile/robust watermark contents should only be sensitive to malicious attacks.
• All classes of watermarks are expected to survive removing attacks, although their content may be altered. However, integral robustness to classes of attacks on the image may also be expected from the watermark itself:
  - Robustness of semi-fragile/robust watermarks to acceptable manipulations on the image that are most frequently exerted during its distribution or broadcasting.
  - Robust watermarks are expected to resist acceptable manipulations as well as malicious attacks.

2.5 Authentication and Identification

Authentication of the source of an image and Identification of the image itself seem very close applications, as authentication needs an identification of the source or producer. But their contexts of use are different. This is mainly true of the respective nature of the attacks that have to be faced and of the means of protection against these attacks. So each application will point out different requirements on watermarking techniques.

Identification of an ImageThe importance of defining a unique and universally acknowledged numbering for imagecreations, is clearly admitted for promoting electronic commerce, and leads to thestandardisation of identifiers. Standardised format for identifiers are required for themanagement of creations (sale, storage) and their corresponding property rights: thus,embedded identifiers are mainly and closely involved in IPR protection, and they providea link between creations and an environment which stores their related metadata (chain ofright holders, license conditions, …).Several standardised formats have been defined by ISO standardisation committees forthe identification of video sequences, still images, or only video objects. For example,MPEG-4 in its IPI Data Set should include an object identifier (ISAN, …) with astandardised length of 64 bits.

Requirements on Identification of an Image:

The role embedded image identifiers play in IPR management induces a strong requirement on persistence and resistance to modifications of an image and to intentional attack and removal. Nevertheless, it seems that no constraint is expressed on the complexity of the watermarking processes, above all for still images. Considering their main application, a few requirements can be expressed on watermarking techniques for identification:
• A payload size of 64 bits.
• Robustness to acceptable manipulation due to current use for broadcast purposes: JPEG/MPEG compression, transcoding, A/D conversions, printing & scanning.
• Robustness to intentional removal attacks such as: cropping, rotation, scaling, filtering, geometric non-linear attack. In fact, robustness to any attack which does not cause important visual degradations is required.
• Robustness to cryptographic attacks such as forgery that would be enabled by the fact the embedding private key is not secure enough.
• Invisibility at studio and consumer qualities.

Authentication

Authentication of a still image or a video is motivated by the recipient’s interest, and its principle is that a receiver must be able to reliably identify the source of the document. By source of a visual document we generally mean the equipment (camera) which originally captures the image. As a consequence, the authenticating watermark is generally an identifier of this equipment and, in most cases, is automatically embedded in the image right after its capture by the camera. Concerning video, this induces a constraint on the complexity of the embedding process. In other respects, authentication is meaningful only for images that remain little altered since they were originated.

From the recipient’s point of view, two distinct views can be held on authentication with regard to varying business cases, and they lead to different methods:
- Some applications of authentication do not fear malicious attacks much and are more tolerant of error rates in the extraction process, with regard to the issues involved. But they need a source identifier that survives the most usual processes bound to broadcasting or distribution (like compression). For this reason, the chosen solution for authentication is to embed one partly robust watermark containing the source identifier.
- Other business cases cannot admit any error in the identification of the source of an image, as its knowledge is of crucial importance. And it often appears that the only guarantee for preserving it with enough reliability is to keep the image as close as possible to its original state. In this context, authentication is associated with a control of integrity on the image through a “fragile” watermark (see section 2.4). The image is then preserved from any degradation and the fragile watermark will prove later that no alterations were made to this image.
- An intermediary case concerns embedding both a robust source identification and a “semi-fragile” or “semi-robust” watermark (see section 2.4). There, the source identifier is expected to survive the acceptable manipulations involved in broadcasting and distribution that are not detected by the semi-fragile/robust mark. The objective of this latter mark is then “content integrity” checking.

Requirements on Authentication:

The main requirements on the source identifier, common to both studied schemes, are:
• A payload size depending on the standardised format of this identifier: a size of 48 bits is suggested. Source identifiers used in authentication of images are related to capturing equipment for images and videos: camera or TV camera.
• Invisibility, unless at high or professional visual quality.
• For video, low complexity and real-time execution of the embedding process, because it is associated with the capture of the video by the capturing TV camera.

Considering the specific case of authentication coupled with fragile watermarking, only one additional requirement is relevant:
• Robustness to over-watermarking, as a fragile watermark is supposed to be inserted right after the current mark. But no other requirement on robustness is needed here, due to the presence of the fragile mark.

Authentication without control of integrity is used in a less protected context than authentication with fragile watermarking, and this must be taken into account with the following requirements:
• Invisibility at a large range of visual quality levels for the image: studio and consumer qualities.
• Robustness to expected attacks involved in the usual processing path: digital compression, transcoding, digital/analogue conversions and time degradations for archives.
• Robustness to cryptographic attacks such as forgery that would be enabled by the fact the embedding private key is not secure enough.

The reliability of the extraction process seems to be a requirement of secondary importance because of a potential tolerance of the recipient about authentication results.


2.6 Usage Control

2.6.1 Copy Protection

DVD-Video is a relatively new medium for the distribution of moving pictures. Video is digitally compressed in MPEG-2 format to fill a 4.7GB (12 cm) optical disk, which, depending on the final quality, allows for 2 hours of video playback. DVD-Video is expected to replace the classical VHS tapes as the main means for distributing video for personal use. From the start the movie industry has recognised the potential for high quality illegal copies as soon as recordable DVD enters the market. For this reason, all high value Hollywood content on DVD is protected by the Content Scrambling System (CSS). CSS is an encryption method that partially scrambles the MPEG bit-stream, and for which the decryption keys partly reside on disk (but are not freely accessible to the user) and in the playback devices (totally inaccessible to the user). The device decryption keys are only made available to playback device manufacturers who have signed a license contract, which in essence states that no video content is allowed out of the playback device, unless specifically allowed. In particular, digital outputs are prohibited unless an approved, authenticated and encrypted digital link is used. Analogue output links are much harder to protect, and initially only Macrovision was enforced. However, the CSS license contract specifically stipulates that if a watermarking technology is approved by the DVD-CCA, it will have to be implemented by the contractees.

The primary purpose of the DVD-Video watermark is to prevent content that has lived in an uncontrollable environment from re-entering the compliant world of DVD-CCA obeying devices. For that purpose a copy-bit is needed which is unremovably tied to the content. This copy-bit is to be implemented as a robust watermark. The set of requirements for this DVD-Video watermark is quite severe:

• The watermark may not perceptually degrade the content, measured at the uncompressed stage, directly after tele-cine. In practice this means that Hollywood’s golden eyes, in side-by-side comparisons, using diagonal sweeps and freeze-frame modes, may not perceive any difference between marked and unmarked content.

• The watermark may not degrade the quality of compressed content. In other words, the “noise of the watermark” may not deteriorate MPEG encoding performance.

• The watermark must have an extremely low false positive rate of less than 10E-12 per basic detection.

• The granularity of the watermark detection is 10 seconds, with a reliable payload of 8 bits.

• The watermark must be robust to all common processing, including MPEG compression down to 2Mb/sec, DAD conversions, standard conversions and geometric transformations. The latter is particularly important as almost every DVD player has zoom capabilities.


• The payload of the watermark is 8 bits, where two bits are used to indicate Copy-Free (CF), Copy-Never (CN), Copy-Once (CO) and Copy-No-More (CM). The copy protection system implemented by the watermark must allow the state to be changed from CO to CM (for example by remarking).

• The watermark detection procedure must be simple enough to detect in real time both in base-band and in MPEG bitstreams and within cheap consumer devices (for example in a DVD drive in a PC) without unnecessarily burdening the total costs of those devices. In particular this implies low gate counts, a low number of MIPS and limited memory requirements.

• The watermarking technology must be secure to the level that it can withstand easily available hacking tools, such as frame deletion/duplication, cropping and gray-scale conversions. The precise definition of easily available hacking tools is currently not known. The requirements with respect to professional hacks are not specified. Note that the mantra of the DVD-Video watermarking work group is “keeping honest people honest”.

• Watermark detection must be performed without the original (blind detection).

2.6.2 Printing & Viewing Access

Controlling access to restrict viewing and/or printing can be achieved using the presence of a watermark inside a document. However, it is clear that the action can only be "positive", that is authorising disclosure of the document, the default situation being no view, no print. A typical classification could be:
- No view, no print (default situation),
- View, no print,
- Print, no view (is this case possible?),
- View and print.

Process description

Documents are classified in categories, from top confidential (no print, no view) to totally open (authorised view and print). In this example, we therefore have four categories. One can imagine additional functions (export for other usage than print, limited definition usage, both in viewing and printing, ...), resulting in more categories. Users are also classified in categories, called profiles for instance, from general public to full allowance for accessing contents.

The watermark carries the level of confidentiality or restrictions of use for the document. The user software has an integrated monitoring system which delivers a document classification to the viewing module or to the printing module. Provided that the request for viewing or printing comes from an identified operator, the profile is compared to the level of confidentiality. If the profile matches the confidentiality, the document becomes viewable and/or printable. If not, it is not mentioned as available. In certain applications, the decision can be to signal the document and not to display it, or to ignore it totally.


Another way would be to give numbers to the classes of documents and to have a reference table in the system, in order to allow for content disclosure taking into account the user profile and the score of the comparison.

Note: the default situation is no view, no print. Only the comparison between the user profile and the document class can disclose the content.

Security requirements

• As the document is not available without a decision made after comparing the user profile and the document class, the watermark must be very robust, otherwise it will be interpreted as no view, no print, which is the default situation.

• An administrator of the system should have the right to display and print any content even if the watermark is not readable. Otherwise some content may be definitively lost.

• Conditions about the interference between the watermark and the content are similar to those stated above in the DVD specifications. In theory, any single viewable element of the bit-stream, intra frame or still picture, must carry enough secured watermark to be read and used to trigger the viewing or printing operation.

• About the exploitation of the watermark, the same conditions apply as for DVD, that is blind detection, and simple detection and extraction of the watermark. Near-real-time action may be required, in order to allow for concealing images from a sequence, or to avoid export including the very first images in a sequence. Additional tricks may be needed in this particular case.

• Note that watermark detection only (without correct extraction of the payload) can be used in the case of a single level of confidentiality, close to the DVD process which is a go/no-go.

• Specific software modules are however required for access control to watermarked content, as in theory the watermark is invisible. Indeed a viewer could just as well display the content, ignoring that there is a restriction. Additional encryption may therefore be needed.

• If the watermark uses a secret key, it should be conveyed to the end user through a secured link, as it must be present before the arrival of the protected content code-stream.
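The decision logic described in the process description and security requirements above can be written down as follows. This is an added example, not code from the deliverable or from any CERTIMARK partner; the profile names, the contents of the reference table, the document names and the function names are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rights:
    view: bool = False      # default situation: no view,
    print_: bool = False    # no print

NO_ACCESS = Rights()
FULL_ACCESS = Rights(view=True, print_=True)

# Reference table (constructed for this example): document class number
# carried by the watermark -> rights disclosed to each user profile.
# A profile that is missing from a row gets the default, NO_ACCESS.
REFERENCE_TABLE = {
    0: {},                                                        # no view, no print
    1: {"staff": Rights(view=True), "full": Rights(view=True)},   # view, no print
    2: {"full": Rights(print_=True)},                             # print, no view
    3: {"public": FULL_ACCESS, "staff": FULL_ACCESS,
        "full": FULL_ACCESS},                                     # view and print
}

@dataclass(frozen=True)
class Decision:
    rights: Rights
    listed: bool    # is the document mentioned as available to this user?
    reason: str

def decide(doc_class, profile, *, is_admin=False, signal_denied=False):
    """Decision of the monitoring module for one document.

    doc_class: class number extracted from the watermark, None if unreadable.
    profile:   profile of the identified operator, None if not identified.
    signal_denied: application choice, signal a refused document (True)
                   or ignore it totally (False).
    """
    def deny(reason):
        return Decision(NO_ACCESS, signal_denied, reason)

    if is_admin:
        # The administrator may display and print even an unreadable
        # document, so that content is not definitively lost.
        return Decision(FULL_ACCESS, True, "administrator override")
    if profile is None:
        return deny("operator not identified")
    if doc_class is None:
        # Unreadable watermark is interpreted as the default situation.
        return deny("watermark not readable")
    row = REFERENCE_TABLE.get(doc_class)
    if row is None:
        return deny("unknown document class")
    rights = row.get(profile, NO_ACCESS)
    if rights == NO_ACCESS:
        return deny("profile does not match document class")
    return Decision(rights, True, "profile matches document class")

def catalogue(documents, profile, **policy):
    """Return the (name, Decision) pairs that are mentioned to the user."""
    listing = []
    for name, doc_class in documents:
        decision = decide(doc_class, profile, **policy)
        if decision.listed:
            listing.append((name, decision))
    return listing

# Constructed sample: (document name, class read from its watermark).
SAMPLE_DOCUMENTS = [
    ("press-kit.jpg", 3),
    ("storyboard.tif", 1),
    ("master-proof.tif", 2),
    ("contract-scan.tif", 0),
    ("damaged-archive.jpg", None),   # watermark could not be extracted
]

if __name__ == "__main__":
    for who in ("public", "staff", "full"):
        print(who)
        for name, decision in catalogue(SAMPLE_DOCUMENTS, who, signal_denied=True):
            print("  ", name, decision.rights, "-", decision.reason)
```

The decision only binds software that asks for it: as the requirements above note, a viewer that ignores the watermark displays the content anyway, which is why additional encryption may be needed.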

2.7 Information Side Channel

This section is concerned with conveying some hidden information other than ownership information, through a (watermarked) cover image. Such hidden information may have a specific meaning or usefulness, according to the related application:
• Information which is to be made public and so must be available to any user receiving the watermarked image.
• Information which enables a specific use of the transmitted image, but which must be available only to authorised recipients.
• Confidential information carried in an image, but which isn’t concerned at all with the image and its content. In steganography, a hidden channel is embedded in the apparent one for secured transmission of information.

These three classes of applications of watermarking are presented in the following subsections.

2.7.1 Carrying Public Information

With regard to various business cases, the context of image distribution may require that some information on each distributed image be available to any potential receiver or customer who acquires this image. For instance, IPR protection on images is a relevant application of public information on documents. As a matter of fact, enabling any honest customer to know to whom royalties must be paid for the exploitation of a purchased image is viewed as a prerequisite to any action that could be undertaken against piracy: such a functionality is complementary to access control and tracking of pirate exploitation.

Therefore, a binary message containing either the required information or a pointer to an information page in a universal database should be closely tied to each delivered copy of an image, for immediate availability. And besides public extraction, this message should also be invisible like labels, and survive the most common manipulations of the image all along the distribution chain like robust watermarks. The solution to this problem resides in “Open Watermarking”.

Considering potential applications of open watermarking, its extraction process must be blind and public (which is a feature conflicting with robustness): potential extraction keys are also publicly available. Moreover, in most cases, the efficiency of open watermarking would be enhanced if the extraction algorithm itself could be standardised. In the example of IPR protection, open watermarking only concerns legal exploitation of images and doesn’t aim at surviving intentional attacks. One also requires that authorised actors (knowing the embedding key) be able to replace an open watermark in order to update its embedded message.

Requirements:

Requirements on Open Watermarking are different from those mentioned in the following sections, since no threat has to be faced here:
• Public extraction: using at most a public key in addition to the watermarked image (taking its blindness into account).
• Blind extraction.
• Invisibility at studio and consumer qualities.
• Payload size between 48 and 64 bits: due to considerations on the efficiency of such a watermarking system, the message is generally a pointer to an item in a universal database (metadata).
• Low or moderate complexity of the extraction process.
• Robustness to acceptable manipulations which frequently occur during the distribution of an image: JPEG/MPEG compression, transcoding, A/D conversions, printing and scanning (for still images), time degradation.


Considering the specific case of IPR protection, additional requirements must be added:
• Robustness to over-watermarking (up to three additional marks): open watermarking is complementary to other marks in the same image.
• (Weak) Invertibility of the first type: authorised actors can eventually replace the mark, to update its message.

2.7.2 Carrying Private Information

In related applications, the conveyed information generally enables a specific use of the watermarked image either in a technical or in a legal way, and its availability adds some value to the image from the customer’s point of view. So it should be extractable only by authorised customers and not by pirates. But the most important requirement could be that it survives unintentional attacks due to current use and remains fully extractable by legal recipients. In fact, the message itself is of the highest importance.

One can think of a classical example: information that assists playback of associated video and audio signals (e.g. video with the corresponding sound) which need to be synchronised. There, it technically enables a specific process on the watermarked signals. This synchronisation of both can be automatically made using watermarks: both signal sequences are segmented into scenes of fixed time duration, and identifiers are embedded in each segment; then correspondences are established between audio and video segments with similar identifiers. Alternatively, some marks are embedded in video segments in order to identify their corresponding audio segments, based on time information.

Requirements

There, the following requirements on the embedded mark seem to be of great importance:
• Invisibility, unless at high (studio) quality.
• Reliable detection and correct extraction by the legal recipient (when the mark is present and when no intentional attack was carried out).
• Robustness of the watermark to unintentional attacks, such as most of the usual processes on images (JPEG & MPEG compression, transcoding, digital to analogue conversions, editing) and time degradation.
• Robustness to a complete extraction by an attacker (whose aim is to read it).

The robustness of perfect extractability to degradations resulting from current legal use remains the main concern of a basic scenario that one would elaborate for performance tests on watermarks in relation to the formerly mentioned applications.

2.7.3 Carrying Hidden Information : Steganography

The use of watermarking as a hidden channel whose conveyed information is not related to the content of the cover image can be encountered in several applications where one has to face a problem of confidentiality. For instance, secure communications are required by military and intelligence agencies for military secrecy or state secrets, by banks and financial institutions for banking secrecy, and finally, by the medical sector for personal medical records. And, in these domains of activity, image steganography may look an attractive solution. Moreover, in such contexts, let us also recall that steganography and cryptography can be combined.

Several features commonly characterise the contexts of use of steganography:
- Transmissions of the watermarked images (“stego-images”) mainly occur on public and open networks such as the Internet or phone networks: this also implies that they are most frequently compressed with JPEG 2000 or MPEG standards.
- The processing path is generally simple: a message is first embedded in an image or a video by the sender, then the stego-image is compressed and sent to the receiver (who will uncompress the image bit stream and extract the mark).
- An attacker may spy on the line from sender to recipient, in order to detect and eventually alter the corresponding message. But it is also assumed that he can’t disturb this transmission, so that the sender masters the transmission channel.

As a matter of fact, in most cases, an attack on a steganographic system can be considered successful as soon as it correctly detects the presence of an embedded message.

Requirements

Then, the requirements on image steganographic systems seem to be of two kinds:
• Undetectability of the hidden message to attackers, i.e. visual imperceptibility and robustness to the detection of the message: the secrecy of the identities of the sender or of the receiver from attackers is a vital point.
• A long payload, as the embedded mark acts as a hidden channel, inserted in an apparent one which acts as a cover and carries digital images: here, the bit rate of such a channel is a relevant point.

Other requirements of importance could be:
- the error-free transmission of the message to the receiver (detection and correct extraction),
- the impossibility for an attacker to completely extract and read the message.

But, provided that the two former requirements are fulfilled in a satisfying way, solutions can be found to these problems, resorting for instance to error correcting codes and to cryptography.

Robustness to processes bound to broadcasting on public and open networks might be required. However, robustness to intentional attacks is not a problem, except if the attacker suspects you of communicating secretly.


3 Definition of Parameters

3.1 Technical Features and Types of Watermarking Algorithms

Given an image $I$, a watermark $W$ and a key $K$ used to embed $W$, the process of embedding $W$ in $I$ can be globally described as a function of the form $(I, W, K) \to I_w$, which is the watermarked image. We then suppose that this image $I_w$ is submitted to involuntary or intentional attacks, so that at the other end of the watermark transmission chain, the detection or extraction process is exerted on a degraded version $I'_w$ of $I_w$. Without loss of generality, we suppose that the embedding key $K$ is also the key $K$ used for detection / extraction.

Some features of watermarking processes are determined by the aims of a watermark, in a given application:
- Public vs. private watermarks: a public watermark should be detected or extracted by any receiver, so that this detection / extraction process doesn’t need any other element than $I'_w$, or the additional parameters needed are made public. But for such watermarks, a robustness requirement actually remains on the embedding process, which is not meant to become publicly available. Privacy of the watermarking process may be viewed as a constraint in the use of watermarks.
- Readable vs. detectable watermarks: the aim of some watermarks may be only their detection in the received degraded image $I'_w$ (the question being: “Is $W$ present in $I'_w$?”); such a detection operation requires the knowledge of $W$ at the receiver’s side, and the answer is of the form 0 or 1, i.e. “present” or “not present”. In contrast, watermark extraction is expected to detect and to provide the embedded mark $W$ as a result, with no bit error.
- Blind vs. non-blind watermarks: a non-blind extraction requires the original image $I$, in addition to the attacked watermarked image $I'_w$, in the embedding and extraction processes.

Necessary knowledge of the watermark or of the original image implies that mere watermark detection on one hand and non-blind watermark extraction on the other are “private” processes. However, higher levels of robustness against removal attacks can be obtained from non-blind watermarking.

Based on the former definitions, watermarking techniques can be characterised by the global form of their extraction processes and classified according to varying levels of non-blindness or privacy [KUT99]:
- Non-blind and private detection and extraction: this class of extraction/detection processes may be described as functions of the type:
  - Extraction: $(I'_w, I, K) \to W$.
  - Detection: $(I'_w, I, W, K) \to 0$ or $1$.
- Blind and private detection: this class of detection processes may be described as a function of the type: $(I'_w, W, K) \to 0$ or $1$.
- Half-public and blind extraction/detection: for this class of watermarking algorithms, the embedding or extraction key depends on the original image: $K = K(I)$. Then, extraction and detection processes may be described as functions of the type: $(I'_w, K(I)) \to W$ and $(I'_w, W, K(I)) \to 0$ or $1$.
- Public and blind extraction: this class of extraction process may be described as a function of the type: $(I'_w, K) \to W$, and has many applications.
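The classes above differ only in what the extractor or detector is given. As an added illustration (not code from the deliverable or from [KUT99]), the toy additive spread-spectrum scheme below implements embedding, non-blind extraction, blind detection of a known mark and blind extraction on a constructed one-dimensional "image". The scheme itself, the function names, the key values and the strength alpha are assumptions chosen for the example, and the half-public form with a key derived from the original image is not covered.

```python
import random

def chips(key, n):
    """Key-dependent pseudo-noise sequence p of n values in {+1, -1}."""
    rng = random.Random(key)
    return [1 if rng.getrandbits(1) else -1 for _ in range(n)]

def embed(image, bits, key, alpha=3.0):
    """(I, W, K) -> Iw: bit j is spread, with strength alpha, over segment j."""
    p = chips(key, len(image))
    seg = len(image) // len(bits)
    marked = list(image)
    for j, bit in enumerate(bits):
        sign = 1 if bit else -1
        for i in range(j * seg, (j + 1) * seg):
            marked[i] += alpha * sign * p[i]
    return marked

def _correlate(signal, key, n_bits):
    """Per-segment correlation of the signal with the key's sequence."""
    p = chips(key, len(signal))
    seg = len(signal) // n_bits
    return [sum(signal[i] * p[i] for i in range(j * seg, (j + 1) * seg)) / seg
            for j in range(n_bits)]

def _centre(signal):
    """Remove the mean grey level so that it does not bias the correlation."""
    mean = sum(signal) / len(signal)
    return [s - mean for s in signal]

def extract_nonblind(received, original, key, n_bits):
    """(I'w, I, K) -> W: subtracting I removes the host, only the
    degradation remains as noise on the correlation."""
    residue = [r - o for r, o in zip(received, original)]
    return [1 if c > 0 else 0 for c in _correlate(residue, key, n_bits)]

def extract_blind(received, key, n_bits):
    """(I'w, K) -> W: the unknown host itself acts as noise, so the same
    reliability needs a stronger mark or longer segments than non-blind."""
    return [1 if c > 0 else 0
            for c in _correlate(_centre(received), key, n_bits)]

def detect_blind(received, bits, key, alpha=3.0):
    """(I'w, W, K) -> 0 or 1: is this particular W present under key K?"""
    corr = _correlate(_centre(received), key, len(bits))
    stat = sum(c if b else -c for c, b in zip(corr, bits)) / len(bits)
    return 1 if stat > alpha / 2 else 0

def make_host(n=32768, seed=1):
    """Constructed low-contrast host: n grey levels around 128
    (kept as unclipped floats to keep the example short)."""
    rng = random.Random(seed)
    return [128 + rng.gauss(0, 20) for _ in range(n)]

def degrade(signal, sigma=10.0, seed=2):
    """Stand-in for a degrading process on Iw: additive Gaussian noise."""
    rng = random.Random(seed)
    return [s + rng.gauss(0, sigma) for s in signal]

if __name__ == "__main__":
    W = [1, 0, 1, 1, 0, 0, 1, 0]           # constructed 8-bit payload
    K = 0xC0FFEE                           # constructed key
    I = make_host()
    Iw_degraded = degrade(embed(I, W, K))
    print("non-blind extraction:", extract_nonblind(Iw_degraded, I, K, len(W)))
    print("blind extraction:    ", extract_blind(Iw_degraded, K, len(W)))
    print("blind detection, right key:", detect_blind(Iw_degraded, W, K))
    print("blind detection, wrong key:", detect_blind(Iw_degraded, W, 0xBAD))
    print("blind detection, unmarked: ", detect_blind(I, W, K))
```

Whether the blind extractor counts as public or private depends only on whether the key K it needs is published; the computation is the same.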

3.2 Payload Capacity

For a given watermarking technique, we mean by payload capacity the bit length of the embedded mark, taking no account of the potential redundancy provided by forward error correcting codes for channel coding.

A distinction has to be made with the notion of capacity of the “hidden channel”, which is also mentioned in this section. By hidden channel, we globally mean the following set of processes applied to a message which is embedded in a cover image: invisible embedding of the message, various attacks degrading the whole watermarked image and impacting on the pseudo-noise that contains the mark, and extraction of the mark from the degraded watermarked image.

The payload capacity is not meaningful by itself, but only in conjunction with two other parameters, granularity and bit error rate. As seen in other sections:
- granularity is the minimal size of the cover image or video sequence for the mark to be correctly extracted, with the watermarking technique used;
- bit error rate is the number of bit errors in the recovery of embedded marks, including non-detection events, with respect to the total lengths of watermarks.

Under the constraint of invisibility of the watermark, this set of three parameters actually defines a required channel capacity for the hidden channel provided by the current cover image and the watermarking technique used (from Shannon’s point of view): “an amount of bits embedded in a cover image/video of a given size, then conveyed to the recipient and extracted by him with a number of bit errors below the tolerated rate”.

This required capacity should be compared to the theoretical capacity of the hidden channel, tied to the statistics of the original image, although this theoretical value is generally not computable at the sender’s side, before embedding. Evidently, the payload size of embedded watermarks should stay below the “channel” capacity of their cover image with regard to potential manipulations to come, for the constraints on invisibility and bit error rate to be fulfilled. We can derive a few limits on payload capacity:
- at fixed granularity, under the constraint of invisibility: payload capacity and robustness are conflicting issues, as the tolerated bit error rate at extraction generally defines the robustness of a mark to encountered attacks.
- at fixed granularity and BER: payload capacity and invisibility are conflicting issues.

With regard to watermarking applications, a few numerical examples of payload sizes that cover images can generally support can be given. Applications involving only watermark detection at the receiver’s side may just require 1-bit marks. But for many other applications, one often needs payload sizes of at least 64 or 70 bits. In encountered business cases, one aims at embedding up to 4 watermarks in the same still image or video segment, corresponding to total amounts of about 300 to 400 bits. Those values should be compared with common ranges of values for the granularity and reliability parameters.

3.3 Granularity

Granularity of a watermark embedded in a cover image defines the size of the smallest cover signal in which the watermark was originally embedded and from which it could be extracted with a number of bit errors at extraction below the tolerated rate:
- In a still image, we think of the size of a region of embedding and extraction for the watermark.
- In a video sequence, we mean the size (in number of frames) or the duration (in seconds) of the actual segment of embedding. This parameter is sometimes called Minimum Watermark Segment.

Regions or segments in which watermarks are embedded are clearly not sliding or overlapping regions of the cover signal but fixed regions resulting from a partition of it (although some interleaving remains possible between them). When they are not known at the receiver’s side, watermark extraction must be performed in search windows that are guaranteed to contain at least one embedding region/segment.

Granularity has no meaning by itself, but only in conjunction with two other parameters: payload capacity and tolerated bit error rate, as seen for payload capacity. These three parameters define a required channel capacity on the hidden channel of the whole watermarking system. But, in this relation, granularity impacts on this capacity in a non-linear way, so that the corresponding requirement gets higher for small granularity thresholds. In parallel, a value of the bit rate emitted on the hidden channel can be derived from the granularity and payload size of an embedded watermark. This value grows when granularity thresholds are smaller. So, due to considerations on the capacity of the hidden channel, we see that (like payload capacity) granularity is limited by potential requirements on the visual quality of the watermarked image and robustness to removal attacks.

However, the issue with granularity may be robustness to some specific attacks that cut the original signal into smaller parts, namely the “mosaic” attack on still images (for example). Depending on the watermarking scheme used, their effect on embedded watermarks may be either to make mark extraction unfeasible by choosing a size of received cover images below the granularity threshold, or to break the synchronisation of the watermark.

3.4 Complexity

This parameter relates to the computational burden required to run a given watermarking algorithm. Strictly speaking, complexity should be defined as the number of operations needed to carry out such an algorithm. These operations may be stated generically or specifically: additions, divisions, multiplications, etc. According to the particular workload carried by each operation, additional characteristics specifying its implementation may be listed: fixed point, floating point, table look-up, etc. This makes it possible to properly weight their relevance in the final figure for complexity.

For different inputs having the same dimension, the complexity of the algorithm may or may not vary. Therefore, if we are unaware of the nature of the algorithm, a single measure of complexity will not suffice, and an additional estimator of variance computed over a given corpus of input data will be required.

In addition, a possible asymmetry in complexity between watermark encoding and decoding should be considered, as it might turn out to be necessary for certain algorithms.

Finally, it is important to distinguish complexity from execution speed (or time). Speed is just a skewed indirect method for estimating complexity, the skew being caused by the environment where the algorithm execution takes place. This fact limits the validity of predetermined thresholds, unless they are set for all possible environments. Also, cross-comparisons (those run on different machines) become difficult.

In spite of these problems, execution speed will sometimes be the only way to estimate complexity, namely when the algorithms are remotely executed or when their source code is private.

3.5 Visual Quality

A user who utilises a watermarking algorithm to embed an invisible watermark in his/her data (still image/video sequence) is concerned with two kinds of visual quality: the visual quality of the data after the embedding of the watermark, and the visual quality of the watermarked data after attacks have been performed on it. These will be called VQ1 and VQ2, respectively. The following block diagram further explains the meaning of these terms.

[Block diagram: I → Watermarking Algorithm → (I+WM) → Attacks → (I+WM)’, with two Visual Quality Assessment blocks whose outputs are VQ1 and VQ2]

Figure 1. Visual Quality Assessment


In the block diagram shown above, I is the original data, (I+WM) is the watermarked data and (I+WM)’ is the watermarked data after being attacked. The embedded watermark might no longer exist in (I+WM)’. Even if it does still exist, it might no longer be reliably detectable.

A user would obviously want VQ1 to be as high as possible, meaning that the degradation of the data due to the watermarking operation is negligible/imperceptible, simply because such degradation can lower its commercial value. On the other hand, the user will want VQ2 (when the watermark becomes unreadable) to be as low as possible, thus extending the range of protection by watermarking. If the attack makes the visual quality of the image too poor, it no longer has commercial value for pirates.

3.6 Reliability in Detection

Detection is the process that tries to decide the presence or absence of a watermark signal. In order to determine whether a (possibly host) signal S is watermarked or not, we can apply the following binary hypothesis test, given a certain key K:

$H_0$: The signal S does not contain a watermark generated with K.
$H_1$: The signal S contains a watermark generated with K.

Note that the test is only useful for a particular key, which is not necessarily the same as the one used for embedding the watermark (asymmetric keys). Also, no assumption is made on the key space size. With $D \in \{H_0, H_1\}$ being the decision, the performance of the test is measured through two values:

• Detection probability ($P_D$). Gives the probability of deciding $H_1$ when the signal under consideration is actually watermarked with a watermark generated with K:

$$P_D = \Pr\{D = H_1 \mid H_1\}$$

• False alarm probability ($P_F$). It is the probability of deciding $H_1$ when S does not contain any invisible watermark generated with K:

$$P_F = \Pr\{D = H_1 \mid H_0\}$$

Supposing that K is the only random variable, $P_F$ must be understood as the probability that, given a fixed signal and a random key, we get a positive result in the detection test. Also, $P_D$ is the probability that, given a fixed signal and a random key, after watermarking the signal with that key we get a positive result in the detection test.


3.7 Reliability in Extraction

When the hypothesis test yields a positive decision, the information message $M$ carried by the watermark hidden in the host signal is extracted (decoded). In some algorithms, both detection and extraction may be accomplished in the same step.

The secret key is also used for decoding the extracted message $\hat{M}$. Several approaches to this procedure may be used, and their performance is measured by the error rate or probability of error ($P_e$):

$$P_e = \Pr\{\hat{M} \neq M\}$$

Considering the probability of bit error between the binary information carried by $M$ and that carried by $\hat{M}$, we may also define the bit error rate (BER).

Note that, in general, $P_e \neq 0$ (and $P_F \neq 0$), mainly due to two facts:

1. The errors made when trying to restore the original host signal from its watermarked version (blind watermarking).

2. The intentional or unintentional manipulations that the watermarked signal may have suffered.

3.8 Robustness to synchronisation and removing attacks

Breaking the synchronisation of a watermark and removing it are the most commonly encountered threats, as they result from a large class of attacks on the watermarked image. They group together not only some malicious and strong attacks but also the large class of non-intentional attacks due to acceptable manipulations that often occur all along the distribution chain of the image. Thus, this subject is quite important.

Let us recall that in most cases, an attack on a watermarked image is not only defined by its algorithmic principle but also characterised by its “strength” or intensity, which acts as a moderating parameter.

So, considering a watermarking technique, the evaluation of its robustness to a specific attack on a set of test images will be done through an adapted test scenario: a mark is embedded in a test image using an embedding key, then the watermarked image is attacked and finally, one tries to extract the watermark from it, using the associated extraction key K. This evaluation of robustness will then take the following information into account:

• Testing conditions:
- choice of the tested image, and class of images to which it belongs;
- principle and (if necessary) intensity of this attack.

• Effects of this attack on the watermark extraction and on the quality of the attacked image:
- Detection or non-detection of the watermark with key K? And in case of detection, bit error rate (BER) on the mark extracted with key K?
- Is the visual quality of the resulting image still acceptable for users?

This watermarking technique is said to be “robust” in the present experiment if the watermark is correctly extracted with a tolerated amount of bit errors, or if the visual quality of the attacked image is no longer acceptable for users or consumers.

For a global evaluation of the robustness of the same watermarking technique on a set of test images, one would probably have to make the distinction between “classes” of attacks. These classes of attacks might be defined according to the “algorithmic strengths” of attacks: either how hard it is for the defender to face them, or how hard it is for the attacker to exert them. This would define various levels of watermarking robustness.

But here, we just distinguish two categories of attacks and thus two levels of watermarking robustness:
- some non-intentional attacks frequently occur during the broadcasting or distribution of images and define a minimum level of robustness required on almost all watermarks,
- while intentional attacks are not limited in strength.

The most famous attacks are grouped according to their global algorithmic features:

• Acceptable manipulations which are most frequently exerted on the watermarked image during its distribution (on a distribution medium):
- Digital compression with JPEG or MPEG standards
- Digital / Analogue and Analogue / Digital conversions
- Specific to still images: Printing and scanning
- Specific to video sequences: Transcoding and conversions of formats (on: sample rate, frame rate, progressive / interlaced formats, compression bit rate)
- Impact of bit errors/packet losses on the image bit-stream during transmissions on the Internet
- Over-watermarking, Multiple watermarking
- Time degradation due to storage on analogue media

• Synchronisation attacks which, whether due to image editing or to malicious purposes, intend to break the watermark synchronisation and to make it unextractable:
- Histogram modification, gamma correction,
- Strong sharpening, Noise addition,
- Deletion of lines and columns,
- Simple geometric transforms: Translation, rotation, scaling, shearing, cropping,
- Generalised geometric transforms (affine transforms),
- Random geometric transforms.

• Removing attacks which, whether due to image editing or to malicious purposes, intend to remove the watermark:
- Colour quantisation,
- Low-pass filtering, noise reduction,
- Statistical averaging and collusion (using different copies of a same image with different watermarks).
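The test scenario of this section (embed with a key, attack at a given strength, then record detection, BER and visual quality), together with Monte Carlo estimates of $P_D$ and $P_F$ as defined in sections 3.6 and 3.7, as an added example that is not part of the deliverable. The spread-spectrum scheme, the constructed 1-D "image", PSNR as the quality measure and every threshold and name are assumptions made for illustration.

```python
import math
import random

N, BITS = 4096, 8        # constructed signal length and payload size
CHIPS = N // BITS        # samples that carry each payload bit
ALPHA = 3.0              # embedding strength (assumed)
TAU = 0.1                # detection threshold on the normalised statistic (assumed)
MAX_BER = 0.0            # tolerated bit error rate, no error correction (assumed)
MIN_PSNR = 30.0          # below this the quality counts as unacceptable (assumed)
PAYLOAD = (1, 0, 1, 1, 0, 0, 1, 0)


def host_signal(seed=2000):
    """Constructed stand-in for a test image: N grey-level samples."""
    rng = random.Random(seed)
    return [rng.gauss(128.0, 10.0) for _ in range(N)]


def carrier(key):
    """Key-dependent +/-1 spreading sequence."""
    rng = random.Random(key)
    return [1.0 if rng.random() < 0.5 else -1.0 for _ in range(N)]


def embed(signal, key, bits=PAYLOAD):
    c = carrier(key)
    return [x + ALPHA * c[i] * (1.0 if bits[i // CHIPS] else -1.0)
            for i, x in enumerate(signal)]


def correlations(signal, key):
    """Blind per-bit correlation with the carrier, normalised by the signal spread."""
    c = carrier(key)
    mean = sum(signal) / N
    std = math.sqrt(sum((x - mean) ** 2 for x in signal) / N)
    return [sum(c[i] * (signal[i] - mean) for i in range(b * CHIPS, (b + 1) * CHIPS))
            / (CHIPS * std) for b in range(BITS)]


def detect(signal, key):
    """Decide H1 when the mean absolute correlation exceeds TAU, else H0."""
    return sum(abs(r) for r in correlations(signal, key)) / BITS > TAU


def extract(signal, key):
    return tuple(1 if r > 0 else 0 for r in correlations(signal, key))


def ber(sent, received):
    return sum(a != b for a, b in zip(sent, received)) / len(sent)


def psnr(reference, test):
    mse = sum((a - b) ** 2 for a, b in zip(reference, test)) / len(reference)
    return math.inf if mse == 0 else 10 * math.log10(255.0 ** 2 / mse)


def noise_attack(signal, strength, seed=7):
    """Noise addition; `strength` is the standard deviation of the added noise."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, strength) for x in signal]


def robustness_trial(strength, key=0xC0FFEE):
    """Embed, attack, then record detection, BER, quality and the verdict."""
    original = host_signal()
    attacked = noise_attack(embed(original, key), strength)
    detected = detect(attacked, key)
    error = ber(PAYLOAD, extract(attacked, key)) if detected else None
    quality_ok = psnr(original, attacked) >= MIN_PSNR
    # "Robust": mark extracted within the tolerated BER, or image no longer usable.
    robust = (detected and error <= MAX_BER) or not quality_ok
    return {"detected": detected, "ber": error,
            "quality_ok": quality_ok, "robust": robust}


def false_alarm_rate(trials=200, seed=11):
    """P_F estimate: fixed unmarked signal, random keys."""
    rng, signal = random.Random(seed), host_signal()
    return sum(detect(signal, rng.getrandbits(32)) for _ in range(trials)) / trials


def detection_rate(trials=200, seed=13):
    """P_D estimate: fixed signal, marked and tested with the same random key."""
    rng, signal = random.Random(seed), host_signal()
    keys = [rng.getrandbits(32) for _ in range(trials)]
    return sum(detect(embed(signal, k), k) for k in keys) / trials


if __name__ == "__main__":
    for s in (0, 5, 60):
        print(s, robustness_trial(s))
    print("P_F ~", false_alarm_rate(), " P_D ~", detection_rate())
```

With only 200 random keys the estimate of $P_F$ can resolve rates down to about 1/200; checking a requirement such as 1/10,000 needs correspondingly more trials.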

3.9 Key Capacity

The key capacity is the total number of keys that could potentially be used at embedding by a given watermarking technique. For instance, if the key of a watermark embedding technique is encoded as a binary word of a fixed bit-length N, then the corresponding key capacity is $2^N$.

By “key”, we only mean the integer number used for embedding a binary word in the cover image, not the key that could potentially be used to encrypt the embedded message itself. Without loss of generality, we shall suppose the same key is also used in the extraction process. At the receiver’s side, this key controls the process of detection and extraction of the watermark, whether it is encrypted or not.

In many watermarking schemes, it follows that only the knowledge of this key makes it possible to replace an embedded watermark by another without degrading the image visual quality. Thus, key security is mainly concerned with robustness to replacing attacks.

Moreover, according to Kerckhoffs’s principle, the security of a watermarking technique shouldn’t rely on the secrecy of its algorithm, but rather on that of the embedding key (for this technique). This shows the importance of its secrecy with regard to pirates’ attacks. Two threats are commonly feared:
- Illegal determination of the key by an exhaustive search on its generating set. There, the key capacity plays an active role in making such a search unfeasible.
- Collision attack, which occurs when similar noisy signals that are added to the original image and bear the mark are produced with different embedding keys. Then, a key other than the original one accidentally enables the removal of the mark or its replacement by a second mark (or its extraction).

The problem of the security of the embedding key, which is raised by risks of collision, can be solved in part by a very large key capacity, but should rather be handled beforehand in the design of the watermarking algorithm.

3.10 Cryptographic Strength

A watermark can be viewed either as a signal (usually noise-like) on top of (or rather under) a host signal or as a message (bits) securely and robustly hidden in a given host signal. In the latter case, the watermark is a communication channel, which, as such, has no natural notion of cryptographic strength. The cryptographic strength lies purely in the protocol being used on top of the communication channel. Of course, if the payload of the watermark channel is a small number of bits (say less than 8), then cryptography is of limited use, as the message space is then vulnerable to exhaustive search.


Viewing a watermark as a signal allows for different notions and opinions on the definition of cryptographic strength. One option is to refer to the undetectability of the watermark signal. If the watermark communication channel is undetectable, the communicated messages are consequently also secure. However, it is difficult to associate a cryptographic strength measure with the obscurity of the watermark channel. From a security standpoint, it is best to use a watermark signal which does not significantly change the statistics of the host signal. In practice many systems fail to meet this criterion, making them vulnerable to filtering attacks.

Another option is to refer to the size of the watermark key-space. If the keyspace is small, simple exhaustive search is sufficient to read the watermark bits. See also the previous section.

A third option is to refer to the amount of information that can be learned by operating a watermark embedder/detector pair. One type of vulnerability deals with discovering watermark keys by doing extensive plain-text type of attacks. Some theoretical papers on this topic are known in the literature, but there is certainly no consensus on how to measure this type of vulnerability. A second type of vulnerability has to do with the symmetric nature of most watermarking systems. For example, in a spread-spectrum type of watermarking system, the spreading sequence(s) needs to be available both at the encoder and decoder. Thus, the availability of a decoder is potentially a weak spot in watermark security, because encoding secrets can be learned from it. Showing the existence of a fundamentally asymmetric watermarking system is one of the holy grails of watermarking research. Again, it is difficult to associate a cryptographic notion or measure with this type of vulnerability.

3.11 Robustness to attacks : additional information

Concerning robustness requirements on watermarking techniques, we have to mention different features or qualities that could be expected in a watermarking algorithm.

(Weak) Invertibility of the first type has to be mentioned apart from other features. This feature is partly in conflict with robustness as we usually mean it. A right owner or authorised customers might sometimes need to replace a watermark embedded in a given image, in order to update the message it contains. For instance, such a need could be encountered with publicly available watermarks, and the related messages could concern successive owners or customers of this image.

Other requirements related to robustness would concern the ability to face some threats that a right owner could fear either from pirates or from processes tied to image distribution (broadcasting and DVD market):
- Breaking the synchronisation of the watermark.
- Removing, erasure of the mark.
- Forgery, i.e. replacing the mark by another.
- Copy attack, which succeeds in inserting the mark of a watermarked image into another image, without resorting to the associated embedding and extraction processes.
- Pirate detection or complete extraction of the watermark by a non-authorised receiver.

These requirements are briefly listed below, and their respective influences in facing the mentioned threats have to be recalled:
• Robustness to attacks on watermark synchronisation.
• Robustness to removing attacks.
• Cryptographic robustness (key capacity and cryptographic strength).
• Non invertibility or non quasi-invertibility.
• Fragileness, i.e. non-robustness or sensitivity to local alterations of a watermarked image.

Earlier sections were devoted to some of the mentioned robustness requirements: robustness to synchronisation and removing attacks, and cryptographic robustness (key capacity and cryptographic strength). Let us then briefly introduce some of the remaining requirements: non invertibility or non quasi-invertibility, and fragileness.

Non-Invertibility aims at facing forgery (i.e. replacing a watermark by another). We just recall its definition: considering a watermarking technique and a watermarked image $I_w$, then, for any watermark w’ of the size of w, and any embedding key K’, it shouldn’t be possible to build a fake “original image” $I_{fake}$ (in place of the true original image I) by “inverting” the process of embedding w’ with key K’, from image $I_w$.

$I_{fake}$ would be such that:
- it is perceptually very close to I, and of high visual quality,
- the watermarked image $I_{fake,w'}$ = Embed($I_{fake}$, K’, w’) is equal or perceptually very close to the watermarked image $I_w$,
- when subtracting image I from $I_{fake}$, the pirate is able to extract his watermark w’, making people think that his image was forged and pirated.

Non invertibility is not a measurable property or a performance parameter of watermarking algorithms, but rather appears as a technical feature which characterises the design of a watermarking system (like blindness for instance).

Fragileness to altering attacks makes it possible to face, in a non-robust way, some “tampering” threats whose achievement necessarily alters the host image, namely:
- breaking the synchronisation of other watermarks which were embedded in the same image before the “fragile” watermark, or removing them,
- replacing the same former watermarks by other marks, using their embedding keys again.

The host image in which the fragile mark is inserted may already contain other marks. The aim of fragileness is not to counter the corresponding attacks but only to detect that they were exerted on the received watermarked image and that they modified this image, compared to the original one. Moreover, it also aims at determining where these attacks occurred in the image. A fragile watermark is expected to behave as follows, with respect to various attacks:
- compared to the original message, the extracted message is modified by attacks of some selected classes: the knowledge of both messages ensures attack detection;
- however, the mark may also have to be robust and remain unchanged under other classes of attacks, since one desires not to take their effects on the host image into account (for instance, non-intentional attacks).

As a matter of fact, two goals may be assigned to a fragile watermark. First, one may need to detect any alteration of an image, through a consistent modification of the mark (fragile marks). On the other hand, semi-fragile/robust marks aim at detecting only the desired classes of malicious attacks mentioned above and bound to tampering (synchronisation, removing and replacing attacks on former watermarks), since they may potentially alter the semantic content of the image, without being modified by non-intentional attacks that are tied to image broadcasting or distribution.

For a semi-fragile/robust watermarking technique, the evaluation of its robustness to distribution processes or its fragileness to malicious attacks, on a set of test images, could be done through an adapted scenario. Modules exerting the relevant attacks would be involved in this scenario and followed by modules that evaluate the resulting (non-)robustness of the watermark. Besides robustness, fragileness to attacks could then be characterised as follows:
• non-detection of the watermark in the attacked image, or a significant bit error rate at extraction, with errors corresponding to the altered regions of the image,
or,
• visual quality of the attacked image being no longer acceptable for users or consumers.
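The detect-and-locate behaviour expected of a fragile mark in this section, as an added example that is not part of the deliverable. It swaps in a simple block-wise scheme (a keyed HMAC-SHA256 of each 8x8 block, written into that block's least significant bits); the image, the key and all function names are constructed for illustration, and the scheme is strictly fragile, so it also flags the non-intentional changes that a semi-fragile mark would tolerate.

```python
import hashlib
import hmac
import random

BLOCK = 8  # 8x8 blocks: 64 pixels, one authentication bit in each pixel's LSB


def constructed_image(width=32, height=32, seed=3):
    """Constructed 8-bit grey-level test image (not real data)."""
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(width)] for _ in range(height)]


def blocks(image):
    """Block coordinates; image sides are assumed to be multiples of BLOCK."""
    return [(bx, by) for by in range(len(image) // BLOCK)
            for bx in range(len(image[0]) // BLOCK)]


def pixels(bx, by):
    """(row, column) of the 64 pixels of block (bx, by), in raster order."""
    return [(by * BLOCK + i // BLOCK, bx * BLOCK + i % BLOCK)
            for i in range(BLOCK * BLOCK)]


def mark_bits(image, key, bx, by):
    """64 keyed MAC bits over the block position and the 7 upper bits of its pixels."""
    upper = bytes(image[y][x] & 0xFE for y, x in pixels(bx, by))
    # The position is part of the MAC input, so a mark is only valid in place.
    tag = hmac.new(key, bytes([bx, by]) + upper, hashlib.sha256).digest()
    return [(tag[i // 8] >> (7 - i % 8)) & 1 for i in range(BLOCK * BLOCK)]


def embed_fragile(image, key):
    """Return a copy whose LSB plane carries the per-block fragile mark."""
    marked = [row[:] for row in image]
    for bx, by in blocks(image):
        for (y, x), bit in zip(pixels(bx, by), mark_bits(image, key, bx, by)):
            marked[y][x] = (image[y][x] & 0xFE) | bit
    return marked


def altered_blocks(image, key):
    """Blocks whose extracted mark no longer matches their content."""
    return [(bx, by) for bx, by in blocks(image)
            if [image[y][x] & 1 for y, x in pixels(bx, by)]
            != mark_bits(image, key, bx, by)]


if __name__ == "__main__":
    key = b"constructed-demo-key"
    marked = embed_fragile(constructed_image(), key)
    print("untouched:", altered_blocks(marked, key))
    marked[20][10] ^= 0x10          # local alteration at row 20, column 10
    print("after alteration:", altered_blocks(marked, key))
```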


4 Scenarios of Interest to Certimark Partners

4.1 Monitoring of Still Images on the Internet

This section first describes the context of photograph sales: the actors that are involved and the global process, the image formats and tools in common use. It then details the expected usage of watermarking for monitoring purposes in that context. A usage scenario of watermarking can then be defined as an example. This scenario details an example of a technical chain that is used in the process; it leads to a list of user needs and priorities on the watermarking technology parameters. A benchmark process should then be able to take those key parameters into account; the certification of an algorithm for this usage means that its benchmark conforms to the parameter levels required for this scenario.

4.1.1 Context: actors and process, image formats and tools

The following main professional actors are involved in the business of photograph sales:

• The photographers themselves.
• Photograph agencies; they get the photographs and sell exploitation rights.
• Archivists such as INA; they provide access to old photograph holdings.
• Collective works management agencies such as SACD; they provide image deposit and promotion capabilities.
• Editors, in a broad meaning; they buy exploitation rights and make use of the photographs.

It is worth noticing that the editors do not “buy” the photographs in the process. They only buy the rights to use the photographs for a dedicated exploitation (for a book, a CD-ROM, an online site, etc.). The price of the exploitation rights depends on the scope of the usage (number of books printed, etc.).

At the end of the chain, photographs are exploited in a wide variety of ways by different “editors”:

• Classical editors put photographs and images in books for schools, encyclopaedias, dictionaries, etc.
• Press editors use them both in daily papers and magazines.
• Classical advertising agencies require photographs for integration in a final paper output.
• TV Producers may need still pictures in their programmes.
• New media editors integrate still pictures in CD/DVD-ROM and Web sites.
• Etc.

Both analogue and digital tools are still available options along the processing and delivery chain. At the source, the photographer can use analogue or digital cameras. The analogue camera produces a negative original, out of which positive copies can be shot. The analogue negative or a positive copy goes through a professional scanner in order to enter the digital processing chain. Considering the image formats, the 24x36 is widespread. Old 6”x6” formats can also be found in archives. The delivery of an analogue photograph copy achieves a high bitrate transfer at a low cost¹.

In the digital world, TIF and JPEG exchange formats are in common use in a professional environment. The delivery of a 2000x3000 compressed image is considered as sufficient for a double-page in a magazine. Such pictures weigh around 2 Mbytes (a 5-minute download with a 56 kbit/s modem and no other bottleneck on the network). When zooms, processing or bigger physical exploitation formats are required, higher quality formats can be needed. Conversely, “multimedia” web & CD-ROM exploitation can cope with 250x400 formats.

Digital image processing tools are now very widespread. Photoshop and its plug-ins are in common use in the Macintosh/Windows world. GIMP (Linux) starts to interest professional users. Those tools provide many features:

• Basic geometrical transforms: crops, zooms, objects selection and extraction, etc.
• Composition between different bitmap sources/layers.
• Composition with vector graphics.
• Colour correction.
• Various image processing filters.
• Transcoding between different formats, with different colour spaces, compression schemes and compression levels.

Specific tools for web image design also provide the same kind of capabilities; they are specific to lower resolutions and smaller colour spaces. They offer the capability to cut an image into several rectangular parts, so that they can be assembled back in a table on the screen. This operation aims at having different sub-areas in the composite picture, each of them providing a different hyperlink.

In any case, at the end of the chain, the final image can be:
• integrated in an electronic document (stills or videos on the web or in a CD/DVD-ROM);
• integrated in a video and broadcast on TV;
• printed on paper.

An analogue positive copy can be provided directly to photo-composition systems (e.g. book covers). Printing technologies in common use in a professional environment now include dye-sublimation systems, which deliver photographic-quality proofs.

¹ It is considered that a 24x36 photograph can be compared with a 3600x5400 pixels image (55 Mbytes at 24 bit/pixel without any compression).


4.1.2 Aim of a still picture monitoring system

It is well known that no protection means can prevent anybody from copying a photograph and exploiting it without paying rights, particularly when it is found in a digital form. This technical fact implies that more and more copies of pictures will be used without the right owners knowing it. In the scenario detailed below, one then considers the use of a monitoring system in order to automatically track the usage of photographs afterwards. The final aim is to have most people who exploit the image pay the fees.

For that purpose, the photograph has to be watermarked before it is released to “editors”. Ideally, the monitoring would have to be done on all exploitation means listed above (classical edition, daily press and magazines, paper ads, stills on TV, new on-line and off-line media). However, it seems already clear that this is a tough aim and that automatically monitoring TV broadcasts and web sites may be more economically viable than monitoring paper editions.

It is worth noticing that this use case insists on the automatic exploitation detection feature rather than on any proof concept. The monitoring aims at identifying an unknown exploitation. A possible contribution of the mark to a proof of ownership can be helpful although it is not the primary concern here. When an exploitation is detected, the proof that a company owns rights on an image can be given by other means today (paper contracts).

4.1.3 Usage scenario

This usage scenario defines a common processing chain for the image and the global process. Conclusions can then be drawn on the key parameters and robustness issues that can be benchmarked for that scenario. More globally, one can then identify questions that a watermarking technology certification procedure should answer for that particular application.

• Regular exploitation process

Exploitation rights on a photograph are sold to a press editor so that it can be included in a magazine. The photograph is provided as a digital 2 Mbytes 2000x3000 JPEG compressed picture (I1) to the editor, by a photograph agency or an archivist (INA). The photograph can also be found as a lower quality 250x400 JPEG file (I2) on an extranet available to professionals, for promotion purposes. This extranet is SACD’s deposit and promotion site or INA’s archivist site (WWW1).

The 2000x3000 digital copy (I1) is watermarked by the image provider before it is released to a magazine (M1) editor. (M1) pays the rights to the image provider. The payload makes it possible to identify a transaction number that points to the image provider’s database. The image provider’s secret key is used. The (I2) copy is watermarked with its standard ID number using the same secret key. Fingerprinting is of interest at this step too: ideally, the IP address of the web client is also watermarked “on the fly” in (I2).


The copy (I1) is zoomed (150%), cropped and used as a photograph for 50% of an A4 page in the magazine (M1). In the process, the file is compressed and uncompressed twice in JPEG format. The resulting paper copy in the final magazine is (I3).

In the edition process, a few high quality proofs (I4) are made with a colour dye-sublimation printer, in order to have a first look at the result. These copies are not scanned again at that time.

• Unexpected exploitation processes

Five years later, one of the (I4) proofs made with the dye-sublimation printer is found and used again for another magazine (M2) without any right payment. The paper copy is scanned with a professional scanner, the photograph colours are modified with Photoshop, and composition with vector graphics is performed. This leads to (I5) copies in the magazine (M2).

Five years later, a copy (I5) from the (M2) magazine is scanned and published on a professional web site (WWW2), as copy (I6), without any right payment. Its size is reduced to a 500x750 image beforehand with Photoshop.

Finally, copy (I2) is also used as it is in a web site (WWW3) without any right payment.

• Monitoring

A monitoring company paid by photograph providers and right owners looks for their watermarks on the web for all its customers’ secret keys. The usage of copies (I6, WWW2) and (I2, WWW3) is detected in that way. The web sites are contacted and informed that they have to pay rights. As they have little chance of winning a case in court, it is expected that they accept to pay the fee. If they do not accept to pay, the case goes to court. In any case, the source of the copy (I6) is investigated and the (I5) exploitation in the (M2) magazine is found too.

A direct monitoring of the papers can also be considered (that would mean that someone would have to turn magazine pages one by one before a camera). This can lead to the direct automatic identification of the usage (I5).

• Alternate worst-case scenarios

The scenario above is expected to highlight a common processing chain. Alternate worst-case scenarios can also be considered. They make the robustness issue more and more problematic:

• More standard compression with different implementations², non-standard compression.
• Standard filtering in the process (Photoshop filters), composition between different bitmaps.
• Over-watermarking.
• Integration in a video programme and corresponding TV broadcast monitoring.
• Restoration, wavelet denoising.
• Usage of active attacks with specific un-watermarking tools.

² This is important as compression standards only define the decoder; different encoder implementations lead to different processes.

4.1.4 User needs and priorities on parameters for this usage example

This section sums up the requirements/priorities on parameters that should be addressed by a benchmark process for this usage scenario. It is worth noticing that considering each parameter separately would be useless. All the parameters must be considered at the same time as they depend on each other (for example, considering invisibility with a different payload size, key requirement or robustness requirement does not have any meaning).

The scenario considers natural colour and black and white photographs. For this application, this is the preferred image source for invisibility and robustness tests.

This usage example takes place in a professional environment. Invisibility is a key requirement or the system will be rejected by professional users. A benchmark process should consider subjective invisibility tests with expert viewers or simulate them in an effective way. As watermarking impairments are expected to be different from common ones, an automatic quality evaluation system should be trained on those artefacts.

Invisibility of a watermark right after the watermarking process is a first issue. The impact of watermarking on the rest of the processes must also be studied: does the watermark increase compression artefacts at the end of the chain?

The basic scenario shows that robustness to a few basic processes must be considered as a priority:

• Crops, zooms and image size reduction down to a “web” size.
• Photoshop and other JPEG compression tools.
• Colour correction and colour space transforms.
• Analogue conversion (for example, sublimation printing + scanning).

As mentioned in the worst-case scenarios, other processes can take place and make the robustness more problematic (see above). It is worth noticing that the recourse to active attacks may not be limited to a few hackers: once an un-watermarking tool is released, anybody can use it as a push-button tool without any technical knowledge.

Considering payload size:
• For (I1), a 25 bit payload would allow nearly 1000 image sales per day for 100 years.
• For (I2), common standard identifiers require 64 bits. For fingerprinting, the length of the second watermark must encode an IP address.

Considering “cryptographic” requirements, a secret key is needed in order to increase the watermark robustness and so that an active pirate can never know whether he has removed a mark or not. More complex protections are not expected for this use case.


In this scenario, the false alarm and non-detection levels are not as critical as for other known applications:

• If only 50% of the watermarks are detected, and if this leads to an annual income that is more than the watermarking and monitoring system cost, the system is clearly still useful.

• A false alarm is more problematic, although it can happen from time to time. If false alarms are expected, maybe 1 per 100s of positive detections, then the user has to check that each image detected is actually his. This makes the process more complex and costly. Ideally, a better false alarm rate (1/10,000 positive detections or better) would be preferred although this is not the priority.

The complexity of the watermarking system for this usage example is expected to allow a software product that watermarks the original 2000x3000 image in less than 10 seconds (less than 1 second preferred) as it will be processed at the time of delivery. Software “on the fly” watermarking is expected for the low-resolution image (less than 1/10th second). The still picture economy cannot afford a hardware-based system.

From a user point of view, the monitoring part is of interest to a benchmark process too: a watermarking technology that cannot be detected effectively is useless and its benchmark has no meaning. A few main issues have to be considered:

• The monitoring algorithm complexity should allow the detection of the presence of a watermark in a very short time, probably less than 1/10th second; for web detection, the watermark detection process must be applied very fast on a very large set of pictures. When the presence of a watermark is detected, the extraction of the precise payload can be far slower.

• Moreover, as the monitoring system will probably be shared by different actors, it also must provide this performance level on several keys at the same time.

• The still picture economy cannot afford a hardware-based monitoring system.

• The software that browses the web extensively, looking for pictures on which the detection process will be performed, is probably a key bottleneck for the user global “non-detection rate”. A benchmarking system could measure its effectiveness.

Finally, it is worth noticing that some parameters of importance to this scenario cannot be objectively benchmarked, although they have an important impact on the usefulness of the system for a user. A benchmarking and certification process should either try to take them into account as much as possible (questionnaire to the technology providers?) or clearly state that the benchmark does not take them into account at all although they are of interest in a user investment decision.

One of those concerns is the cost of monitoring. A perfect watermarking technology is of no use if the monitoring is not economically accessible. Another such concern is the monitoring technology availability in the long term. In other words, how sure can a user be that a watermark can be monitored in the long term? The scenario considers that a piracy happens 2x5 years after the original file delivery. The monitoring must actually be possible for 10s of years: exploitation rights on works last 50 to 70 years after the death of the right owner; the monitoring should still be possible during that period. This kind of concern is of particular importance to archivists. The openness of the technology has a key impact on those considerations:

• Is the watermark technology a norm or a standard?
• Is it provided by several different companies?
• Is there a formal commitment to backwards compatibility of monitoring systems?
• What happens if the company decides not to provide the technology anymore?

4.1.5 Conclusion

This section has provided the following inputs:

• The context of still pictures sales;
• The objectives of the considered application;
• An example scenario, that takes into account a regular exploitation, unexpected exploitation and the monitoring process;
• User needs and priorities on parameters that are of importance to this scenario.

A benchmark process of interest to the still picture monitoring scenario should be able to take into account the parameters that have been detailed above. The certification of a watermarking algorithm for this precise usage example would imply that it satisfies the parameter levels that were listed above.


4.2 Television Programme Broadcast Monitoring

This section first describes the context of TV broadcast monitoring; it then details the expected usage of watermarking for this purpose. A usage scenario can then be provided as an example. It leads to user needs and priorities for this scenario.

Note: part of this scenario includes hardware watermarking processes, which are not expected to be taken directly into account by the Certimark project; this is still of interest as:

• in the future, it should be possible to make the same process in software;
• a software monitoring on a low bitrate version of the hardware-watermarked programme is considered in the scenario.

4.2.1 Context: actors and process, video formats and tools

The scenario will take place in the context of TV programme production and broadcast. The production of the TV programme concerned is supposed to take advantage of existing programme excerpts. Those existing excerpts are incorporated in the composite programme. For example, the TV programme may be a news programme with reference to past news stories.

Three main classes of actors are involved in the process of a composite programme TV production:

• Programme excerpt providers (producers/archivists)
• The composite programme producer
• The programme broadcaster

It is worth noticing that the programme producer does not “buy” the excerpts to be incorporated in his programme. One only buys the right to broadcast the excerpts on a specific TV network, for a specified number of times. The price of the exploitation rights depends on the scope of the broadcast (targeted audience).

The video format and tools in use depend on the position that is considered in the production and broadcast chain. At the production level, high-quality digital (and analogue) video is stored on professional VTRs such as Betacam SP, Digital Betacam, and professional DV VTRs. Digital DVE (Digital Video Effects) tools allow shifts, crops, image rotations, composition between different videos, still pictures, logos, etc. Colour correction systems are in common use. Specific restoration systems can be applied to archive programmes in order to remove artefacts due to tape ageing (amongst other impairment sources). At the production level, the digital formats commonly weigh from 20 up to 100 Mbit per second of video, depending on the application³.

³ For example, more compression can be used for news programmes, where image and sound quality is not the prime concern.


At the broadcast level, the use of compression results in a 3 to 6 Mbit/s video programme, depending on the image complexity. Within a broadcast stream that combines several channels, statistical multiplexing can also be performed; the compression levels are then adjusted in real time depending on the relative need of each channel. Filtering can be performed before the compression step as it improves the compression effectiveness.

If the video is exploited on a web site or in a CD-Rom, the video programme is compressed even further in streaming formats (RealVideo, QuickTime and Windows Media Player). On the server side, the file is encoded beforehand at different quality levels, and the best version is sent to the player, depending on the internet connection. Nowadays, common compression rates are based on the capabilities of modems at the user side; one usually provides a version for 28.8 kbit/s modems, one for 56 kbit/s modems and a “high-quality” version up to 200 kbit/s for T1/E1, cable modems and ADSL connections. The compression schemes are proprietary and new ones are proposed regularly. On the player side, the frame rate is adjusted when the connection is bad; the sound track is preserved as a priority.

4.2.2 Aim of a video monitoring system

As copying and broadcasting TV programmes and excerpts is easy, right owners need to know when and where their programmes and programme excerpts are broadcast. A video monitoring system aims at automatically detecting the usage of video programmes and excerpts. For that purpose, the video programme or excerpt has to be watermarked by the provider before it is released to a producer.

As for the still picture monitoring scenario, once a programme has been detected, a “proof of ownership” capability of the watermark can also be helpful, although it is not considered as a priority in most cases.

Ideally, all exploitation means should be monitored. The Web and TV broadcasts are expected to be more easily monitored automatically than off-line media.

4.2.3 Usage scenario

This usage scenario helps in defining a common production and broadcast chain that a composite TV programme goes through. This helps in defining the key parameters and robustness issues that can be benchmarked for that scenario; more globally, one can then identify questions that a watermarking technology should answer for that particular application.

Regular exploitation process

A broadcaster (B1) has a producer (P1) make a composite video programme (V1) for him. A producer (P2) or an archivist (A) provides an excerpt (E1) to (P1) so that he can incorporate it in his programme. The excerpt is provided to (P1) on a Digital Betacam tape. The excerpt can also be found as a 100 kbit/s QuickTime file (E2) on an extranet (WWW1). This extranet is provided by (P2) or (A); it is available to producers, for promotion purposes.


Exploitation rights on the excerpt are paid to the excerpt provider for 2 broadcasts on (B1) network. The excerpt is watermarked by the excerpt provider before its release, using his secret key. The watermark payload is the transaction number that points to the excerpt provider database. The QuickTime copy (E2) is also watermarked with its standard ID number. As in the still picture scenario, “on the fly” fingerprinting would ideally also be required.

In the production process, the excerpt (E1) goes through proprietary MJPEG compression and decompression on an AVID system at a low compression rate. A copy through an analogue Betacam SP tape is made. Colour correction is performed so that the excerpt overall colour is coherent with the rest of the programme. A DVE shifts the pictures by a few pixels and it performs vertical filtering on each frame. The final programme is broadcast using statistical multiplexing: the video bitrate varies in a 2 to 6 Mbit/s range. A logo is inserted before the broadcast.

Unexpected exploitation processes

The Digital Betacam copy (I1) is found again by (P1) five years later; no one remembers what it was used for and who has rights on it as the staff has changed. It is used in a new composite programme (V2), with the same production and broadcast chain as above. The broadcast occurs on channel (B2).

The programme (V2) is recorded on a VHS tape; it is digitised to an MPEG1 file (V3) using a standard acquisition board. (V3) is transcoded to a DivX⁴ file. CD-Roms with this file (V4) are distributed without any right payment.

The standard Media Cleaner Pro⁵ software is also used in order to encode (V3) as a RealVideo streaming file, with 56 kbit/s and 100 kbit/s versions. This file (V5) is provided on a web site (WWW2).

The QuickTime version of the excerpt (E2) that was provided on (WWW1) is also copied as copy (E3) and used on another web site (WWW3) as it is without any right payment.

Monitoring

A monitoring company paid by the excerpt providers and right owners looks for their watermarks on TV channels and on the web. The two legitimate broadcasts on (B1) and the unexpected broadcast on (B2) within programme (V2) are detected automatically. The broadcaster is contacted and informed that he has to pay rights on the excerpt. Thanks to the watermark payload, the identification of the excerpt can be done (it is also found that the copy concerned originally comes from the transaction with (B1)/(P1)).

The monitoring of the web should ideally detect (E2) and the excerpt within (V3). With the current status of watermarking technology, it is expected that the watermark in (V3) is not detected. In any case, once an automatic detection has occurred, the concerned web sites are contacted and informed they have to pay rights.

⁴ DivX is to video what MP3 is to audio (AVI-encapsulated MPEG4 video file).
⁵ http://www.terran.com/products/cleaner/


The automatic detection on off-line media (V4) can also be considered although its commercial viability would have to be studied.

Alternate worst-case scenarios

The scenario above is expected to highlight a very common processing chain. Alternate worst-case scenarios can also be considered; they would imply more complex processes and make the robustness issue more and more problematic:

• More standard compression with different encoders/decoders; proprietary compression steps.
• Filtering and restoration in the final production process. In particular, recursive filtering should average watermark artefacts over time.
• More complex digital video effects.
• Active attacks with specific tools.

4.2.4 User needs and priorities on parameters for this usage example

This section sums up the requirement priorities on parameters that should be addressed together by a benchmark process for this usage scenario (considering invisibility and robustness separately has no meaning).

The video programme monitoring application is close to the still picture monitoring application. Most comments in §4.1.4 are also valid here. In the following paragraphs, we only highlight the differences between the still picture and the video scenario.

First, the video quality for an exploitation on the internet is bad today, due to the bandwidth capacities available today. Internet video streams have a very low quality; as a consequence, the watermark invisibility requirement on this kind of stream is lower.

However, in the production and broadcast environment, the invisibility needs are very high or a watermarking system will be rejected by professionals. Standard subjective testing is a common need. The impact of the watermark on the quality/compression levels at the end of the chain is also considered as an important issue. The best usage of a satellite transponder is a key parameter in the broadcaster business plans; watermarking should not imply higher bitrates for broadcast in order to keep the same quality levels.

The robustness to the common processes listed in the scenario above is important (MPEG and MJPEG compression, DVEs, colour correction, analogue Betacam SP copy). The robustness of a watermark inserted at the production level to internet compression schemes and levels would be needed although it is not expected with current technology. Robustness of a dedicated watermark to internet compression is expected.

As mentioned in the worst-case scenarios, other processes can take place and make the robustness more problematic (see above). As mentioned in the still picture scenario, it is worth noticing again that in the software world, the recourse to active attacks may not be limited to a few hackers. Once un-watermarking software is released, anybody can use it as a push-button tool without any technical knowledge.

Considering complexity, contrary to the still picture business, the video business can afford a hardware-based solution.

The considerations from the still image scenario on the following points are still valid here:

• payload size,
• “cryptographic” requirements,
• false alarms and non-detection levels,
• monitoring benchmarking issues (except that a real-time detection is required instead of the 1/10th second figure, and a hardware monitoring solution can be afforded),
• “non-technical” parameters: cost of monitoring, monitoring capability in the long term (standardisation, licencing to several companies, backward compatibility commitment, etc.)

4.2.5 Conclusion

This section has provided the following inputs:

• The context of video programme/excerpts monitoring, the production of a composite programme;
• The objectives of the considered application;
• An example scenario, that takes into account a regular exploitation, unexpected exploitation and the monitoring process;
• User needs and priorities on parameters that are of importance to this scenario.

A benchmark process of interest to the video monitoring scenario should be able to take into account the parameters that have been detailed above. The certification of a watermarking algorithm for this precise usage example would imply that it satisfies the parameter levels that were listed above.


4.3 Fingerprinting of movies in Digital Cinema

The digital cinema scenario

Digital cinema is the on-line distribution of digital movies from content providers to movie theater servers, via satellite, optic fibers or other high-speed communication lines. This distribution is done world-wide to national distributors. National distributions are subject to national restrictions and exclusivity. Moreover, dubbing sometimes has to be done at that level.
Movie theaters receive content (movies) from national distributors. They store them and project the movie in one or more theaters under some contract conditions.
Piracy happens at two levels.
• The first one is obvious and consists in direct bit-to-bit copies done in the storage device. The pirated tapes are then sold on the black market. This kind of piracy could be partially solved by proper use of conditional access systems.
• The second one is also the responsibility of the movie theater owners. It consists in letting a spectator film the projected movie with a handycam at the back of the theater. This one is very harmful because the copied movie is severely degraded and the distortions applied to the image drastically impede watermark extraction.

Figure 1: movie distribution in digital cinema (production and post-production, world-wide distribution, national distribution, movie theaters; links by satellite or optic fibers)

Watermarking applications

There are essentially three possible entry points for watermarks in the chain.

• Pre-exhibition Identification Watermark
Pre-exhibition identification watermarks are applied during preparation of the distribution master. This type of watermark is used to identify and provide traceability of the program material during use of the distribution master. Such watermarks should be upgradeable. They may contain identification of the content as well as identification of the particular distribution master.

• Pre-exhibition Copy Control Watermark
Pre-exhibition copy control watermarks are also applied during preparation of the distribution master. This type of watermark is used to provide copy control of the program material on compliant consumer electronics equipment, and is not a component of Digital Cinema content protection. Such watermarks should be upgradeable, within the limitations of the detection apparatus. They should adhere to a standard or consensus so that copying devices can recognise the watermark and restrict or prevent copying.

• Exhibition Fingerprint
Exhibition fingerprints are applied during each exhibition. (These fingerprints do not exist in the distribution content.) Exhibition fingerprints identify the circumstances of the exhibition. The fingerprint should include identification of the content as well as the exhibition. The fingerprint should be upgradeable. To be effective, the means of application of the fingerprint should be resistant to attempts to disable it. This may require placing the implementation within a secure perimeter.

Figure 2: movie distribution inside a movie theater (storage devices, digital cinema video servers, projectors 1 to 4)

Exhibition fingerprint identification data may include:
• Unique identification of playback equipment
• Serial number
• Date stamp
• Time stamp
• Playback source identification
• Number of times the source has been played
• Cryptographic authentication information

This fingerprint should be resistant to the “handycam copy”. This means severe image distortions, such as scaling, cropping, affine transforms, but also non-linear geometrical transform due to optics.

Requirements for watermarking algorithm

An SMPTE study group (DC28.4 on Encryption and Conditional Access) has attempted to list the requirements for both watermarks and fingerprints.
First of all, perceptual aspects are very important and this study group recommends ITU-R Recommendation 500-7 “Methodology for the Subjective Assessment of the Quality of Television Pictures”, since the quality of watermarked movies must be perfect.
As far as robustness is concerned, the study group states that the watermarks must withstand the following situations:

Watermarks and fingerprints should be robust to common processing steps, including:
• D/A, A/D conversion
• Contrast adjustment
• Sharpening
• Colour and gamma correction
• Cropping
• Equalisation
• Compression

Watermarks and fingerprints should be robust to common attacks, including:

• Collusion between multiple attackers (multiple copy attacks)
• Additive/multiplicative noise
• Statistical averaging
• Transcoding
• Image distortion (rotation/zoom/pin-cushion)
• Sub-framing/over-framing by a certain percentage
• Time-scaling/re-framing
• Contrast/colour distortion
• Pixel sub-sampling (e.g. 1920x1080 to 720x525)

In the case of the fingerprint only, which is the most interesting in the context of this scenario, one must also add:
• the “handycam attack”: this means severe image distortions, such as scaling, cropping, affine transforms, but also non-linear geometrical transform due to optics;
• the real-time embedding (in projectors): the embedding must be real-time;
• non real-time extraction needed (this is a really good point for watermarks), the extraction time can sometimes be counted in hours or days;
• access to the original unwatermarked movie;
• the reliability must be as high as possible, 10⁻⁶ would be preferable.

Finally, the tables below list the possible formats before and after compression for digital cinema.

| Frame Size & Depth | One Frame | One Second | One Minute | One Hour | Two Hours | Gbits/sec |
|---|---|---|---|---|---|---|
| @1280x1024, 24bit pixels | 3,932,160 Bytes | 90 Mbytes | 5 Gbytes | 316 Gbytes | 0.618 Tbytes | 0.703 |
| @1280x1024, 30bit pixels | 4,915,200 Bytes | 113 Mbytes | 7 Gbytes | 396 Gbytes | 0.772 Tbytes | 0.879 |
| @1280x1024, 36bit pixels | 5,898,240 Bytes | 135 Mbytes | 8 Gbytes | 475 Gbytes | 0.927 Tbytes | 1.055 |
| @1920x1080, 24bit pixels | 6,220,800 Bytes | 142 Mbytes | 8 Gbytes | 501 Gbytes | 0.978 Tbytes | 1.112 |
| @1920x1080, 30bit pixels | 7,776,000 Bytes | 178 Mbytes | 10 Gbytes | 626 Gbytes | 1.222 Tbytes | 1.390 |
| @1920x1080, 36bit pixels | 9,331,200 Bytes | 214 Mbytes | 13 Gbytes | 751 Gbytes | 1.466 Tbytes | 1.669 |
| @3000x1500, 24bit pixels | 13,500,000 Bytes | 309 Mbytes | 18 Gbytes | 1,086 Gbytes | 2.122 Tbytes | 2.414 |
| @3000x1500, 30bit pixels | 16,875,000 Bytes | 386 Mbytes | 23 Gbytes | 1,358 Gbytes | 2.652 Tbytes | 3.017 |
| @3000x1500, 36bit pixels | 20,250,000 Bytes | 463 Mbytes | 27 Gbytes | 1,629 Gbytes | 3.183 Tbytes | 3.621 |
| @4000x2000, 24bit pixels | 24,000,000 Bytes | 549 Mbytes | 32 Gbytes | 1,931 Gbytes | 3.772 Tbytes | 4.292 |
| @4000x2000, 30bit pixels | 30,000,000 Bytes | 687 Mbytes | 40 Gbytes | 2,414 Gbytes | 4.715 Tbytes | 5.364 |
| @4000x2000, 36bit pixels | 36,000,000 Bytes | 824 Mbytes | 48 Gbytes | 2,897 Gbytes | 5.658 Tbytes | 6.437 |


Table 4–1. Compressed Movie Sizes

| Assumed bitrate | One Frame (24fps) | One Second | One Minute | One Hour | Two Hours |
|---|---|---|---|---|---|
| @20 Mbits/Sec | 104.17 Kbytes | 2.5 Mbytes | 150 Mbytes | 9.00 Gbytes | 18.00 Gbytes |
| @40 Mbits/Sec | 208.33 Kbytes | 5.0 Mbytes | 300 Mbytes | 18.00 Gbytes | 36.00 Gbytes |
| @45 Mbits/Sec | 234.38 Kbytes | 5.6 Mbytes | 338 Mbytes | 20.25 Gbytes | 40.50 Gbytes |
| @50 Mbits/Sec | 260.42 Kbytes | 6.3 Mbytes | 375 Mbytes | 22.50 Gbytes | 45.00 Gbytes |
| @60 Mbits/Sec | 312.50 Kbytes | 7.5 Mbytes | 450 Mbytes | 27.00 Gbytes | 54.00 Gbytes |
| @70 Mbits/Sec | 364.58 Kbytes | 8.8 Mbytes | 525 Mbytes | 31.50 Gbytes | 63.00 Gbytes |
| @80 Mbits/Sec | 416.67 Kbytes | 10.0 Mbytes | 600 Mbytes | 36.00 Gbytes | 72.00 Gbytes |
| @90 Mbits/Sec | 468.75 Kbytes | 11.3 Mbytes | 675 Mbytes | 40.50 Gbytes | 81.00 Gbytes |
| @100 Mbits/Sec | 520.83 Kbytes | 12.5 Mbytes | 750 Mbytes | 45.00 Gbytes | 90.00 Gbytes |


4.4 Monitoring Usage of Still Images and Fingerprinting of the Customer

The scenario

Data (e.g. images) is distributed over the Internet by making it downloadable from a server.
The rights of a copyright owner (content creator) can be protected by embedding a watermark which enables proof of ownership. Other applications may require additional information to be embedded (e.g. information providing a link to content provider or customer identities). If this multiple information has to be embedded in one single processing step, a trustworthy environment is necessary.

Especially in an untrustworthy environment, creators want their data to contain copyright related information. A typical example is the commercial distribution of data using an automatic delivering system. If the copyright owner cannot trust the security of the delivering system or the reliability of the people working with this system, the copyright owner wants all of his data to contain his copyright information. For example, a pirate might enter the system and distribute data, or people having access to the system might distribute data.

The scenario we are interested in is an automatic delivering system of images. A server is used for selling the image data to the customer. Each customer pays for an image, and information about the copyright owner and the customer is embedded in the delivered image.

The watermarking application

Because of the untrustworthy environment, two entry points for watermarking are suggested:

• Copyright Owner Identification Watermark:
This watermark is embedded into each data item (image) before it is stored on the server. So each image stored on the server contains copyright information about the copyright owner of the image. The watermark should be robust against attacks which try to remove it.

• Customer Identification Watermark:
This watermark is embedded before selling the image to the customer. This fingerprint identifies the customer who bought the image. The watermark should be robust against attacks which try to remove it.

Depending on the application, more entry points are also possible. For example, some applications might need a 'Content Provider Identification Watermark'. We suggest using a watermarking scheme which allows multiple non-interfering watermarks, for simplicity of usage.


The requirements for the watermarking algorithm

In addition to the possibility to embed multiple non-interfering watermarks, this scenario has the same requirements as those described in D 2.1 section 4.2 ("Monitoring Usage of Still Images on Internet"). The requirements for the watermarking algorithm can be grouped as suggested below:

• Embedding of multiple non-interfering watermarks
• Robustness against D/A and A/D conversion (printing and scanning)
• Robustness against image processing operations
• Robustness against image compression schemes
• Robustness against different types of intentional attacks
• Robustness against local or global geometric transformations

For professional use, only those types of operations are relevant where the resulting image quality remains usable according to the needs of the application.

Robustness against multiple watermarking is generally required, especially against intentional attacks. Adding an additional watermark to a previously watermarked image must not remove the original watermark(s). If the original watermark(s) is (are) removed, the image quality must degrade so that the image will be unusable according to the requirements of the application.

In contrast, embedding multiple non-interfering watermarks uses information about present watermarks to embed other watermarks without degenerating previous ones (e.g. using orthogonal signals for embedding the watermark).
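The non-interference property described above, as an added example that is not code from the CERTIMARK deliverable: a toy additive spread-spectrum scheme in which the customer-fingerprint carriers are made orthogonal to the owner-watermark carriers already in the image, compared with independently generated carriers. The keys, payload values, embedding strength and host coefficients are constructed assumptions, and the second embedder is assumed to be given the carriers of the watermark already present.

```python
import hashlib
import random

N = 4096      # host coefficients per image (constructed size)
ALPHA = 1.5   # embedding strength (assumed value)

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def raw_carrier(key, index):
    """Key-dependent pseudo-random +/-1 pattern carrying one payload bit."""
    seed = hashlib.sha256(key + index.to_bytes(2, "big")).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    return [1.0 if rng.getrandbits(1) else -1.0 for _ in range(N)]

def carriers(key, nbits, present=()):
    """One carrier per bit, made orthogonal (Gram-Schmidt) to the carriers of
    the watermarks already `present` and to each other."""
    basis = list(present)  # must itself be mutually orthogonal
    out = []
    for i in range(nbits):
        c = raw_carrier(key, i)
        for b in basis:
            k = dot(c, b) / dot(b, b)
            c = [x - k * y for x, y in zip(c, b)]
        basis.append(c)
        out.append(c)
    return out

def to_bits(value, nbits):
    return [(value >> i) & 1 for i in range(nbits)]

def embed(coeffs, cs, bits):
    """Add +ALPHA*carrier for a 1 bit and -ALPHA*carrier for a 0 bit."""
    marked = list(coeffs)
    for c, bit in zip(cs, bits):
        s = ALPHA if bit else -ALPHA
        marked = [m + s * x for m, x in zip(marked, c)]
    return marked

def stats(coeffs, cs):
    """Blind correlation detector: one normalised statistic per payload bit."""
    return [dot(coeffs, c) / dot(c, c) for c in cs]

def extract(coeffs, cs):
    return [1 if s > 0 else 0 for s in stats(coeffs, cs)]

def max_shift(before, after):
    return max(abs(a - b) for a, b in zip(before, after))

def demo():
    rng = random.Random(2000)
    # Constructed zero-mean host coefficients standing in for an image.
    host = [rng.gauss(0.0, 10.0) for _ in range(N)]
    owner_bits = to_bits(0xA5, 8)   # constructed owner identifier
    cust_bits = to_bits(0x3C, 8)    # constructed customer identifier

    # Entry point 1: owner watermark, embedded before storage on the server.
    owner_cs = carriers(b"owner-secret-key", 8)
    stored = embed(host, owner_cs, owner_bits)
    before = stats(stored, owner_cs)

    # Entry point 2a: customer fingerprint on carriers orthogonal to the owner's.
    cust_cs = carriers(b"server-secret-key", 8, present=owner_cs)
    sold = embed(stored, cust_cs, cust_bits)

    # Entry point 2b: same fingerprint on independent carriers (no knowledge
    # of the watermark already present).
    indep_cs = [raw_carrier(b"server-secret-key", i) for i in range(8)]
    sold_indep = embed(stored, indep_cs, cust_bits)

    return {
        "owner_after_sale": extract(sold, owner_cs),
        "customer": extract(sold, cust_cs),
        "shift_orthogonal": max_shift(before, stats(sold, owner_cs)),
        "shift_independent": max_shift(before, stats(sold_indep, owner_cs)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With orthogonal carriers the owner detector's statistics are unchanged by the second embedding up to rounding error, whereas independent carriers move them by an uncontrolled cross-correlation term that grows with each further watermark.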


5 Conclusion

This workpackage was the first step in the design of a benchmarking system for watermarking algorithms. As such, its associated deliverable D2.1 had to fulfil two objectives.

On the one hand, potential applications of watermarking techniques for the years to come had to be classified, taking into account similar contexts of use and the common requirements that they respectively placed on applied watermarking algorithms. The encountered applications, on the basis of which classes were defined, are globally related to the following activity domains of electronic commerce:
- Intellectual Property Rights protection,
- Monitoring and Tracking of Distribution,
- Information on the Past life of the Document, and
- Conveying Side Information on the Hidden Channel.
They were finally regrouped in seven classes of applications: Proof of Ownership, Broadcast Monitoring, Fingerprinting, Integrity Checking, Identification & Authentication, Usage Control, Information, Side Channel.

The descriptions of these classes of applications and of their main requirements remained generic and general because they are turned towards potentially applicable scenarios in the years to come. As a matter of fact, few scenarios among the mentioned ones are actually working till now. So, beside a global presentation of the watermarking domain, some existing business cases were presented in detail in a separate chapter, giving the opportunity to actual users of watermarking techniques to describe some specific contexts of use of watermarking techniques in a technical way. But, since it was not the scope of the D2.1 Deliverable to state the technical contexts that will serve for future benchmarking of watermarking techniques, we must be aware that the described business cases are not intended to provide such testing conditions right now, and will only give indications in the design of these benchmarking systems.

On the other hand, definitions had to be given to some parameters that characterise the performances of watermarking algorithms, and thus make it possible to quantify the requirements expressed in varying classes of applications of watermarking. Some technical features of watermarking algorithms like blindness may be required by some watermarking applications, so they had to be recalled first. Then, performance parameters were selected in order to define a benchmarking metric for watermarking: Payload Capacity, Granularity, Complexity, Visual Quality, Reliability in Detection, Reliability in Extraction, Robustness against attacks, Key Capacity, Cryptographic Strength.

As a matter of fact, the two objectives of WP2.1 are turned towards the following steps ofCertimark Project, namely the Workpackages WP2.2 and WP3.1:- The choice and the definitions of performances parameters on watermarking

algorithms will be essential for WP2.2, since the aim of WP2.2 is to design methodsfor effectively measuring these selected performance parameters.

- The classes of watermarking applications, in which most business cases concerned with watermarking can be regrouped, are of great interest for WP3.1, since its aim is the design of different benchmarking systems that will be adapted to specific applications.

6 References

[BAL00] “Contributions to the Benchmark Requirements and Implementation”, F. Balado and F. Perez-Gonzalez, July 2000, contribution to CERTIMARK Project.

[CRA98] “Resolving Rightful Ownership with Invisible Watermarking Techniques: Limitations, Attacks, and Implementations”, S. Craver, N. Memon, B.-L. Yeo, M. Minerva and M. Yeung, in IEEE Journal on Selected Areas in Communications, Vol. 16, No. 4, pp. 573-586, May 1998.

[DUM99] “Open watermark standardisation proposal”, F. Dumas, contribution to the EBU N/WTM Group, May 1999.

[I4062] “Watermarking Technology for Copyright Protection: General Requirements and Interoperability”, publication IMP / I4062 / A, May 1998, in IMPRIMATUR Project.

[KUT99] “A fair benchmark for image watermarking systems”, M. Kutter and F.A.P. Petitcolas, in Proceedings of SPIE: Security and Watermarking of Multimedia Contents, Volume 3657, pp. 226-239, San Jose, California, January 1999.

[LAG00] “Digital Watermark Benchmarking: Requirements and Implementation Issues”, R.L. Lagendijk and I. Setyawan, 2000, contribution to CERTIMARK Project.

[LEP00] “How to Bypass the Wassenaar Arrangement: A New Application for Watermarking”, F. Leprévost, R. Erard and T. Ebrahimi, in the 8th ACM International Multimedia Conference on Multimedia and Security, Los Angeles, California, September 2000.

[LIN99] “Issues for Authenticating MPEG Video”, C.-Y. Lin and S.-F. Chang, in Proceedings of SPIE: Security and Watermarking of Multimedia Contents, Volume 3657, pp. 54-65, San Jose, California, January 1999.

[MIN99] “If one watermark is good, are more better?”, F. Mintzer and G. Braudaway, International Conference on Acoustic, Speech and Signal Processing ICASSP 99, pp. 2067-2070, Phoenix, Arizona, March 1999.

[NWTM99] N/WTM 031, N/WTM Task Force Final Report, by EBU/UER, Geneva, October 1999.

[PER99] “A Tutorial on Digital Watermarking”, F. Pérez-Gonzalez and J. Hernandez, in Proceedings of the 33rd IEEE Annual Carnahan Conference on Security Technology, Madrid, October 1999.

[PER00] “Approaching the Capacity limit in Image Watermarking: A Perspective on Coding Techniques for Data Hiding Applications”, F. Perez-Gonzalez, J.R. Hernandez and F. Balado, to appear in Signal Processing, Elsevier, 2000.

[PET98] “Attacks on Copyrights Marking Systems”, F.A.P. Petitcolas, R.J. Anderson and M.G. Kuhn, in Second Workshop on Information Hiding, Volume 1525, pp. 218-238, Portland, Oregon, USA, April 1998.

[PET99] “Information Hiding - A Survey”, F.A.P. Petitcolas, R.J. Anderson, M.G. Kuhn, in Proceedings of the IEEE, special issue on protection of multimedia content, No 87 (7), pp. 1062-1078, July 1999.

[PIR99] “OCTALIS benchmarking: Comparison of four watermarking techniques”, L. Piron, M. Arnold, M. Kutter, W. Funk, J.-M. Boucqueau, F. Craven, in Proceedings of SPIE: Security and Watermarking of Multimedia Contents, Volume 3657, San Jose, California, January 1999.