DATA HIDING: STEGANOGRAPHY AND COPYRIGHT MARKING

Stefano Cacciaguerra & Stefano Ferretti Department of Computer Science, University of Bologna Mura A. Zamboni 7, 40127 Bologna, Italy Phone: +39 0547642826 - Fax : +39 0512094510 E-Mail: {scacciag, sferrett}@cs.unibo.it ABSTRACT Communicating in secure way is, in general, synonymous of encrypting the traffic, but this is not really true in practice. If a person wants to comunicate a secret to another one is better hiding the message in an innocuos object as a mp3, mpeg and a jpg. This paper presents an overview of information hiding in general, steganography and copyright marking in particular. Several techniques to hide information are presented, terminology and possible related attacks, with specific attention on steganographic and copyright schemes. 1. INTRODUCTION It is often thought that communications may be secured by encrypting the traffic, but this is not really true in practice. The history teaches that is better hiding messages rather than enciphering them, because it arouses less suspicion. This preference persists in many operational contexts till up this day: an encrypted e-mail message between an employee of a defence contractor and the embassy of a hostile power, for example, may have obvious implications. So the study of communications security includes not just encryption but also traffic security, whose essence lies in hiding information. Data information hiding is a multidisciplinary discipline that combines image and signal processing with cryptography, communication theory, coding theory, signal compression, and the theory of visual and audio perception. One of the more interesting subdiscipline of information hiding is steganography. Differently from cryptography that is about protecting the content of messages steganography is about concealing their existence [1], i.e. hiding information in other information. Classic examples include sending a message to a spy by marking certain letters in a newspaper using invisible link, or adding subperceptible echo in a song. In the study of communications security, cryptography techniques received more attention from the research community and from industry than information hiding, but recent years have seen a rapid growth of this discipline [2]. The reason of this growing interest is due to the availability of multimedia content in digital form. Digital representation of signals brings many advantages when compared to analog representation: Lossless recording and copying. Convenient distribution over networks. Easy editing and modification.

Easily searchable archival. Durable. Cheap.

Unfortunately, these advantages also present serious problems: Wide spread copyright violation. Illegal copying and distribution. Problematic authentication. Easy forging.

One possible approach to content security is the using of cryptographic techniques, but those encryption systems do not completely solve the problem of unauthorized copying. All encrypted content needs to be decrypted, before it can be used, but if encryption is removed, there is no way to prove the ownership or copyright of the content. Piracy of digital audio, video, pictures and books is already a common phenomenon on the Internet. So the main interest is concern over copyright that drives recent research into digital watermarks and fingerprints. A digital watermark [3 - 7] is hidden copyright messages added to the original digital data which can later be extracted or detected, while a fingerprint is hidden serial numbers one. The latter is useful to identify copyright violators, checking the serial number, and to officially accuse them. Another scenario to solve the copyright violation is proposed by the DVD consortium. Their proposal is for a copyright marking scheme to enforce serial copy management. The DVD players available to consumers would allow unlimited copying of home videos and TV programmes, but could not easily be abused for commercial piracy. In fact home videos would be unmarked, TV broadcasts marked copy once only, and commercial videos marked never copy [8, 9]. There are also other applications driving interest in the subject of information hiding (Figure 1): Military and intelligence agencies require unobtrusive communications. Even if the content is encrypted, the detection of a signal on a modern battlefield may lead the enemy to attack quickly the sender. In fact, military communications use particular techniques which make signals hard to detect or jam: spread spectrum modulation or meteor scatter transmission. Criminals also place great value on unobtrusive communications. They are interested to use prepaid mobile phones, mobile phones which have been modified to change their identity frequently, and hacked corporate switchboards through which calls can be rerouted. Polices and intelligence agencies are interested in understanding these technologies and their weaknesses, to detect and trace hidden messages. Recent attempts by some governments to limit online free speech and the civilian use of cryptography have spurred people concerned about liberties to develop techniques for anonymous communications on the net, including anonymous remailers and Web proxies. Schemes for digital elections and digital cash make use of anonymous communication techniques.

Marketeers use email forgery techniques to send out huge numbers of unsolicited messages while avoiding responses from angry users.

Another main difference from the cryptographic game is the ethical positions of the players. In the cryptographic game, the good guys wish to keep their communications private while the bad eavesdroppers want to listen in. Instead, in the hiding information game, the situation is much less clear. For example, legitimate users of the net may need anonymous communications to contact abuse helplines or vote privately in online elections [10], without providing general anonymous communication mechanisms that make easy attacks by people who maliciously overload the communication facilities. In another example, industry may need tools to hide copyright marks invisibly in media objects, without spies abusing these tools to pass on secrets hidden in unobtrusive data over public networks. The rest of this paper is organized as follows. In the second section, we will explain the terminology used for information hiding, including steganography, digital watermarking and fingerprinting. In the third section, we will describe a wide range of techniques that have been used in a number of applications, which we will try to juxtapose in such a way that the common features become evident. Then, we will describe a number of attacks against these techniques; and finally, we conclude this survey. Information Hiding

Covert Channels

Steganography

Anonymity

Copyright Marking

Linguistic Steganography

Technical Steganography

Robust Copyright Marking

Fragile Watermarking

Fingerprinting

Watermarking

Imperceptible Watermarking

Visible Watermarking

Fig. 1: A classification of information hiding techniques based on [11].

2. TERMINOLOGY: DEFINITIONS AND PROPERTIES 2.1 Definitions As we have already said previously, there is a growing interest, by research community and industry, in the fields of steganography and copyright marking. Now we want introduce the terminology which was agreed at the first international workshop on this subject [2, 11] (Figure 1). As already said, sometimes it is better hiding messages rather than enciphering them. In fact the main purpose of cryptography is to make message incomprehensible, so that people, who do not posses secret keys, cannot recover the message. Instead the data hiding uses binary files with certain degree of irrelevancy and redundancy to hide data. Digital books, images, videos, and audio tracks are ideal for this purpose. The general definitions of hiding data in other data can be described as follows. The embedded data is the message that a person wishes to send secretly. This message must be concealed in a normal message as a cover-text, or cover-image, or cover-audio, or in general a cover-object, producing the stego-object or the marked-object. In particular a stego-key is necessary to control the hiding process, to restrict detection and recovery of the embedded data to people who know it or some derived key value. The hidden data may have no relationship to or may provide important information about the cover-object, in which it is embedded. The first is the case of the research of secure communication, the second of copyright notice, authentication information, captions, date and time of creation, serial number of the digital camera that took the picture, information about image content and access to the image, etc. So in the first case we speak about steganography while in the second about copyright marking. The idea of steganography is using a covert communication between two parties whose existence is unknown to a possible attacker. The main attack consists in detecting the existence of this secret communication; this attack is always possible when two parties use only cryptographys techniques! In contrasting to steganography, copyright marking guarantees that embedded data can be reliably detected after the image has been modified (but not destroyed beyond recognition). For sake of completeness, it is important to clarify, that in same techniques of copyright marks, it may be possible that not invisible data are embedded to a digital object: visible digital watermarks [12]. Visible watermarks may be visual patterns, as a company logo or copyright sign, which overlay about digital images. However, invisible (or transparent) digital watermarks have wider applications. In the literature on digital marking, the stego-object is called the marked-object. We may qualify marks depending on the application (Figure 1). If the embedded data is modified too much, fragile watermarks are destroyed. This is useful if digital images are used as proof in a court. Instead it is not possible to remove robust marks without destroying the object at the same time. In fact the mark should be embedded in the most perceptually significant components of the object [13].

Besides it is possible to distinguish between two types of robust marks (Figure 1):

Fingerprints are the hidden serial numbers which enable the intellectual property owner to identify which customer broke his license agreement by supplying the property to third parties. Watermarks tell us who is the owner of the object.

The general scenario for hiding messages is shown in the Figure 2.

Secret Message

Secret Message

Carrier Digital Object

Embedding Algorithm

Trasmission Via Network

Detector Algorithm

StegoKey

StegoKey

Fig. 2: Model for of data hiding technique.

In each data hiding technique we have the embedding and the detector algorithm. The embedding algorithm hides secret message inside a cover-object. A stego-key protects the embedding process; in this way only who knows this one can access the hidden message. The detector algorithm is applied to a possibly stego-object or marked-object and returns the embedded data.
Mark(M) Mark(M) and/or Original Object (I)

Original Object (I)

Marking Algorithm

Marked Object (O)

Detector Algorithm

Mark or Confidence measure

Keyword (K)

Keyword (K)

Fig. 3: Generic robust copyright marking scheme. On the left side, embedded scheme, on the right side detector scheme. The mark M can be either a fingerprint or a watermark.

The model for steganography technique is not more complicated than that general one of Figure 2. Instead in the case of robust copyright marking, the model is the same, but there are several differentiations depending from the different types adopted systems. On the left side, the embedding process is able to build a marked object O, given an original object I, a mark M and a keyword K. The marked object is the result of I K M O. On the right side, we have the detector scheme. Its output is either the recovered mark M or some kind of confidence measure indicating how likely it is for a given mark at the input to be present in the original object O under inspection. The different types of robust copyright marking systems are defined by their inputs and outputs: Private marking systems require at least the original image. This type is subdivided two subtypes. o The first, extract the mark M from the probably distorted object O and use the original object as a hint to find where the mark could be in O. o The second [15 - 17] also require a copy of the embedded mark for extraction and comparison with that inside O (O I K M {0,1}). This scheme will be more accurate than the others since it conveys very little information and requires access to secret material [14]. Semi-private marking does not use the original object for detection but answers the same question (O K M {0,1}). The main uses of semi-private and private marking are to prove ownership in court and to control reproduction in applications such as DVD [18 - 24]. Public marking (or blind marking) requires neither the original I nor the embedded mark M. This system extracts the mark from the marked-object: O K M [25 - 29]. There is also asymmetric marking (or public key marking) which should have the property that any user can read the mark, without being able to remove it.

2.2 Properties Each data hiding technique must have certain properties that are dictated by the intended application. The most important properties of data hiding schemes are robustness, undetectability, invisibility, security, complexity, and capacity. We present definitions of those concepts below. Robustness Robustness determines the algorithm behavior towards data distortions introduced through standard and malicious data processing. The embedded information is said to be

robust if its presence can be reliably detected after the image has been modified but not destroyed beyond recognition. Examples of modification are linear and nonlinear filters (blurring, sharpening, median filtering), lossy compression, contrast adjustment, gamma correction, recoloring, resampling, scaling, rotation, small nonlinear deformations, noise adding, cropping, printing / copying / scanning, D/A and A/D conversion, pixel permutation in small neighborhood, color quantization (as in palette images), skipping rows / columns, adding rows / columns, frame swapping, frame averaging (temporal averaging), etc. Robustness does not include attacks on the embedding scheme that are based on the knowledge of the embedding algorithm or on the availability of the detector function. Undetectability Undetectability is typically required for secure covert communication. The embedded information is undetectable if the image with embedded data is consistent with a model of source from which images are drawn. For example, if a steganographic method uses the noise component of digital images to embed a secret message, it should do so while not making statistically significant changes to the noise in the carrier. The concept of undetectability is inherently tied to the statistical model of the cover-object source. If an attacker has a more detailed model of the source, he may be able to detect presence of a hidden message. This means that the attacker is not automatically able to read hidden message. The concept of undetectability is different from that one of invisibility. Invisibility Invisibility is based on properties of human visual system or human audio system. The embedding information should not introduce any perceptible artifacts, that is, if an average human subject is unable to distinguish between carriers that contain hidden information and those that do not. This problem can be solved by applying human perceptual modeling in embedding process. A commonly accepted experimental arrangement, the blind test, frequently used in psycho-visual experiments is based on randomly presenting a large number of carriers with and without hidden informations and asking subjects to identify which cover-objects contain hidden informations. Success ratio close to 50%, demonstrates that subjects cannot distinguish carriers with hidden information. The blind test is a test for visibility of artifacts caused by data embedding schemes. If the visibility of artifacts was tested by presenting both covers with or without embedding information, a concept of invisibility would result. Security The embedding algorithm is said to be secure if embedded information cannot be removed beyond reliable detection by targeted attacks based on a full knowledge of the embedding algorithm and detector (except the secret key), and the knowledge of at least one carrier with hidden message. Now we introduce the secure black-box public and the secure public detectors. Secure black-box public detector is a message detector implemented in a tamper-proof hardware. It is assumed that the box cannot be reverseengineered. The secret key used to read the hidden messages is wired-in the black-box and cannot be recovered. The availability of the black-box should not enable an attacker to recover the secret key or remove the hidden information from the carrier. Here also,

we assume that the attacker has a full knowledge of embedding algorithm and the inner workings of detection function. Of course, any embedding technique that has a secure black-box public detector must also be secure in the sense defined above. At present, it is not clear if a secure black-box public detector can be built at all. Recently, attacks on a general class of data embedding techniques that are based on linear correlators have been described [29 - 33]. Instead secure public detector is an even stronger concept for which all details of detector are publicly known. If such a detector is ever built, it would find several applications and could be implemented in software rather than tamper-proof hardware. It would enable building intelligent Internet browsers capable of filtering images containing certain marks, automatic display of copyright information with every image, etc. Special care would have to be taken to overcome so called mosaic attack [34]. So far, no secure public detectors exist. Conflicting Requirements The above requirements are mutually competitive and cannot be clearly optimized at the same time. If we want to hide a large message inside an image, it is not possible, at the same time, to reach absolute undetectability and large robustness. Thus, there must be a trade-off between undetectability and robustness. On the other hand, if robustness to large distortion is an issue, the message that can be reliably hidden cannot be too long. This observation is schematically depicted in the figure below.

Fig. 4: trade-off among undetectability, capacity and robustness.

3. STEGANOGRAFY AND COPYRIGHT MARKING TECHNIQUES Now we look at some of the techniques used to hide information. This section is divided in two subsections: the first illustrates the steganography techniques and the second the copyright marking ones.

3.1 Steganography Techniques The typical user of these techniques is a spy in a foreign country that wants to send messages abroad. He needs to use local communication channels in order to send messages. He should assume that the communication channel could be monitored. Sending encrypted messages would raise suspicion and could result in cutting the access to the communication infrastructure. Therefore the spy should be interested to hide presence of communication. The solution of this problem is using a clever steganographic protocol. The most important requirement is that the presence of hidden message be undetectable (Figure 4). This means that cover-object with and without secret messages should appear identical to all possible statistical tests that can be carried out. Therefore it becomes very important to know as much about the statistical properties of source from which cover-object are being drawn as possible. For example, if images are scanned photographs, there will be stronger correlation in horizontal direction than in perpendicular direction. Therefore the details of noise may be specific for each scanner and need to be considered if a reliable and secure steganographic protocol is wanted. On the other hand, if images are taken using a digital CCD camera, the noise will again have certain specific properties induced by CCD element and specific data readout. In either case, data hiding scheme must respect all known statistical properties of cover-object source and produce cover-object that cannot be distinguished from original one. Another important requirement is the capacity of communication channel. If one can embed one bit of information into one frame of a cover-object, without worrying much about noise models, the communication scheme would lead to low communication bandwidth. The challenge is to embed as much information as possible while staying compatible with image noise model. The last important requirement is that it must be possible to detect hidden message without original image. Sometimes it may be possible to agree on certain image database from which cover images are drawn (without repetition!) but this obviously limits the applicability of the technique. Now we illustrate main steganographic technique. 3.1.1 Analog of One-time-pad The analog of one-time-pad is also called absolutely secure steganographic technique and it is thought as the best solution for any steganographic challenge. Aura [35] proposed to embed a small message of the order of 8 bits or so, by repeated scanning of a cover image till a certain password-dependent message digest function returns the required 8-tuple of bits. The main advantage of this technique is the absolute secrecy equivalent to one time pad used in cryptography. The method guarantees the same error distribution and undetectability. The main disadvantage is this technique is time consuming, has very limited capacity, and is not applicable to image carriers for which we only have one copy. 3.1.2 LSB Encoding The simplest and the most common steganographic technique is the Least Significant Bit embedding (LSB). This technique provides to embed the data into the least significant

bits of pseudo-randomly chosen pixels or sound samples [36, 37]. In this way, the key for the pseudo-random sequence generator becomes the stego-key for the system and Kerckhoffis' principle is observed. Many implementation details need some care. For example, one might not wish to disturb a pixel in a large expanse of flat color, or lying on a sharp edge; for this reason, a prototype digital camera designed to enable spies to hide encrypted reports in snapshots used a pseudo-random sequence generator to select candidate pixels for embedding bits of cipher-text and then rejected those candidates where the local variance of luminosity was either too high or too low. Systems that involve bit-twiddling have a common vulnerability, that even very simple digital filtering operations will disturb the value of many of the least significant bits of a digital object. This leads us to consider ways in which bit alteration can be made robust against filtering. The solution is to consider filtering operations as the introduction of noise in the embedded data channel [38], and to use suitable coding techniques to exploit the residual bandwidth. The simplest is the repetition code-one simply embeds a bit enough times in the cover object that evidence of it will survive the filter. This is inefficient in coding theoretic terms but can be simple and robust in some applications. The next LSB technique provides to mask the changes to the least significant bit, using the noise commonly present in digital images. In this technique is important to study the noise model of the cover-object (see below). In the case of color images, there are more places for hiding messages because each pixel is a triple of red, green, and blue. The main disadvantage is that replacing two or more least significant bits of each pixel increases the capacity of scheme but at the same time the risk of making statistically detectable changes also increases. Therefore, it is important to study the security of each specific steganographic technique. In fact it is possible that even the simple least significant bit encoding may under certain circumstances introduce detectable changes. The study of Aura [35] suggests to change only a small fraction of carrier bits. For example, modify each hundredth pixel in the carrier by one gray level. Depending on the image noise, these changes may be compatible with any statistical model of the image. Before any secret message hiding technique can be claimed as secure, we need to carefully investigate the cover-images and their statistical properties. The noise component may not be uniform within the image but may depend on pixel position in image. Even if we modify only a small fraction of pixels in the image, we may introduce some suspicious noise into the overflowed patch. This problem with over/under flow can of course be avoided by a more careful choice of the cover-image, preprocessing the cover-one, or by instructing steganographic scheme to avoid over/underflowed areas and adapt it to the image content. It is probably impossible to get a complete model of the cover-image noise, and the search for the perfect steganographic method will probably never be complete, but anyway good hiding schemes must be based on some model of noise. If scanned images exhibit larger noise correlations in horizontal direction and smaller correlations in vertical direction, while the probability distribution for each pixel, which is neither overflowed nor underflowed, is Gaussian with certain standard deviation, then the carrier modifications must be consistent with this statistical evidence. It is certainly possible that somebody will, with great effort, create even more sophisticated noise model and detect the presence of messages, but only at the price of careful time-consuming and possible expensive investigation. It is rather unfortunate but

understandable, however, that most detailed technical information regarding noise in CCD arrays and scanners is proprietary and rarely published. 3.1.3 Spread Spectrum Systems Another way to hide information is spreading them into statistics of luminance of pixels, such as [39, 40]. Patchwork [39], for instance, uses a pseudorandom generator to select n pairs of pixels and slightly increases or decrease their luminosity contrast. Thus the contrast of this set is increased without any change in average luminosity of the image. With suitable parameters, Patchwork even survives compression using JPEG. However, it embeds only one bit of information. To embed more, one can first split the image into pieces and then apply the embedding to each of them [41, 42]. These statistical methods give a kind of primitive spread spectrum modulation. General spread spectrum systems encode data in the choice of a binary sequence that appears like noise to an outsider but which a legitimate receiver, furnished with an appropriate key, can recognize. Spread spectrum radio techniques have been developed for military applications because of their antijamming and low probability of intercept properties [43 - 45]. They allow the reception of radio signals that are over 100 times weaker than the atmospheric background noise. Tirkel et al. were the first to note that spread spectrum techniques could be applied to digital watermarking [46] and later a number of researchers have developed steganographic techniques based on spread spectrum ideas which take advantage of the large bandwidth of the cover medium by matching the narrow bandwidth of the embedded data to it (e.g., [47, 48]). 3.1.4 Echo Hiding A novel transform coding technique is echo hiding [49], which relies on the fact that we cannot perceive short echoes (of the order of a millisecond). It embeds data into a coveraudio signal by introducing two types of short echo with different delays to encode zeros and ones. These bits are encoded at locations separated by spaces of pseudorandom length. The cepstral transform [50] is used to manipulate the echo signals. Echo hiding leads naturally to the broader topic of information hiding techniques that exploit features of a particular application environment. One technology that is emerging from the military world is meteor burst communication, which uses the transient radio paths provided by ionized trails of meteors entering the atmosphere to send data packets between a mobile station and a base [51]. The transient nature of these paths makes it hard for an enemy to locate mobiles using radio direction finding, and so meteor burst is used in some military networks. 3.1.5 Steganographic Technique Based on PDF of the Noise To give an example how one can incorporate statistical evidence into the construction of a secret message hiding scheme is as follows. Let us assume that the noise component of pixels with gray levels within the range [L, H] can be modeled with a uniformly valid probability density, f, which is symmetric around zero. If the secret plain-text message {pi}Ni=1 is encrypted, the cipher-text {ci}Ni=1 should be a random sequence of ones and

zeros. By averaging several scanned versions of the carrier image (or using adaptive Wiener filter, wavelets, or other noise removing techniques), we obtain a zero noise image Z. Using a pseudo-random number generator, we can choose at random N pixels in Z with their gray levels in [L, H]. Then, we can modify the LSB of those pixels by the amount of (2bi -1) | i |, where i is a random variable with probability distribution f. The remainder of the pixels will be modified by i. The modifications should be consistent with the statistical model. To recover the hidden message, we need the seed for the pseudorandom number generator. By following the path of random pixels, we can read the encrypted message by comparing the image with its Wiener-filtered version. 3.1.6 Methods for palette-based images In general, more colors in a digital image, easier is to hide messages. The most difficult images from the point of view of data hiding are images with singular histogram or a small color depth. For example, palette-based images with small number of colors in the palette are in general very difficult to modify without introducing some statistically detectable changes. Unfortunately, a large portion of images on the Internet is available in palette-based formats, such as GIF, PNG, etc. A secure steganographic technique for embedding messages in palette-based images is currently not available. Some software routines that hide information in GIF images are available on the Internet [52]. However, the implementations are not supported by security proofs or any other evidence that hidden messages cannot be detected. Secure steganography for palette-based images remains an unsolved problem. Embedding Messages into the Palette The advantage of palette embedding is that it will probably be easier to design a secure method under some assumptions about the noise properties of the image source (a scanner, a CCD camera, etc.). The obvious disadvantage is that the capacity does not depend on the image and is limited by the palette size. Permuting the Palette Entries It has been suggested in the past that secure message hiding in palette-based images can be obtained by permuting the image palette rather than changing the colors in the image. While this method does not change the appearance of the image, which is certainly an advantage, its security is questionable because many image processing software products do order the palette according to luminance, or some other scalar factor. Also, displaying the image and resaving it may erase the information because the software routine may rewrite (and reorder) the palette. Another disadvantage is a rather limited capacity. LSB Encoding in the Palette A better approach may be to hide encrypted (random) messages in the least significant bits of the palette colors. One would need to guarantee that the perturbed palette is still consistent with the noise model of the original 24-bit image. This, however, could be established in each particular case by studying the sensitivity of the color quantization process to perturbations.

Embedding into the Image Data These methods have higher capacity, but it will be harder to prove security of such schemes. In order to prove security of an embedding scheme, we need to understand the details of algorithms for creating palette-based images. Virtually all algorithms consist of two steps: color quantization (also called vector quantization) and dithering. Color quantization selects the palette of the image by truncating all colors of the raw, 24-bit image to a finite number of colors (256 for GIF images, and 216 for Netscape version of GIFs, 2 for black and white images, etc.). Dithering is used for apparent increasing of color depth (trading spatial resolution for apparent color depth). It is based on the ability of the human visual system to integrate colors scattered in small neighborhood. The best results are obtained using dithering algorithms based on error diffusion. EZ Stego EZ Stego is a name of a computer program that embeds bits of information into GIF images. The method first sorts the palette so that neighboring entries have similar colors. Message embedding then proceeds with changing the LSB of the pointers to palette entries rather than changing the colors themselves. Since the palette is sorted according to the colors, typically invisible changes will be introduced using this algorithm. The code is available for download at [53]. So far, we discussed the case when the communication channel is error free (passive warden scenario). This is certainly the case for many computer transfer procedures, such as ftp protocol that already contain error correcting schemes. The situation complicates when there is noise in the communication channel. This noise could be a random noise with known statistical properties or a result of a deliberate effort to prevent steganography from being used (the active warden scenario). For example, the monitoring agency can actively perturb the messages while staying consistent with the noise model of the carrier image. It can be shown that in that case, the capacity of the steganographic channel decreases but stays above zero. 3.2 Copyright Marking Techniques Digital mark for copyright is a perceptually transparent pattern embedded in an image using an embedding algorithm and a secret key. The purpose of the mark is to supply some additional information about the image without visibly modifying the image. The process of embedding a mark depends on a secret key so that only those possessing the key can access the hidden informations. With the key, this information can be read and decoded using a detection algorithm. In this section an explanation of possible marking schemes is carried out. As majority of Copyright Marking techniques use Watermarking techniques, the terms digital mark and watermark are used as synonyms. A first classification can be based on schemes that need the original image for mark extraction (private). schemes that don't need the original image for watermark extraction (non private).

Typically, private schemes are more robust than others. The original image is usually subtracted from the suspected image before a detection algorithm is applied. On the other hand, the application of private schemes is severely limited by the requirement of having the original image available. Marking Techniques can also be divided into different categories based on their attributes. A common classification is the mark can be embedded directly in the spatial domain. The mark is embedded directly into pixels values, the mark can be embedded in the transform space using common transforms, such as FFT, DCT, wavelet transform or general key-dependent transform. The image is transformed prior to watermark embedding and the mark is hidden in the coefficients representing the image. The marked image is obtained using an inverse transformation.

As concern transform-based mechanisms, the watermark pattern itself can have its energy mostly concentrated in low or high frequencies depending on the technique. Lowfrequency watermarks interfere with the image and it is thus necessary to have the original image for mark extraction. On the other hand, the low-frequency character of the watermark does not increase the noise level of the image and increases the robustness with respect to image distortions that have lowpass character (filtering, nonlinear filtering such as median filter, lossy compression, etc.). Low-frequency watermarks also have fewer problems with synchronizing the mark detector with the image and are less sensitive to small geometric distortions. On the other hand, non-private schemes with low-frequency watermarks are more sensitive to modifications of the histogram, such as contrast/brightness adjustment, gamma correction, histogram equalization, and cropping. Digital marks inserted mostly into middle and high frequencies are typically less robust to low-pass filtering and small geometric deformations of the image, but are extremely robust with respect to noise adding, non-linear deformations of the gray scale, such as contrast/brightness adjustment, gamma correction, and histogram manipulations. The advantages and disadvantages of low and middle-to-high frequency marks are complementary. Another important attribute of digital marking is the computational complexity of the embedding and extracting procedures. In some applications, it is important that the embedding process be as fast and simple as possible (e.g., embedding serial numbers of digital cameras into images for the purpose of tamper detection) allowing the extraction to be more time consuming. In other applications, the speed of extraction is absolutely critical (e.g., extracting subtitles from movies). As already mentioned, watermarking techniques are involved in several scenarios. Copyright Protection In this scenario, the author of a digital image signs the image so that no one else can attribute the authorship of the image to himself. The signature cannot be appended to the image file, nor can it be visibly imprinted on the image because such signatures can be easily removed or replaced. Cryptographic digital signatures cannot be applied because images are to be viewed by others and, therefore, will be distributed in plain. A distinction can be made on the presence of a trusted third party:

Copyright protection without trusted third party: a private key can be used. The need for introducing a public-key watermarking scheme is obvious, since the product is to be made available to a quite large group of people, and, thus, watermark detection may not be centralized. Copyright protection with trusted third party: the trusted third party is responsible for performing detection on behalf of the content owner, provided that the owner has already registered his watermarked products to the third party. The detector has to answer the question who the registered user is. Private keys should be used because of the centralized control the third party offers. Again, in a case of copyright dispute, the trusted third party can resolve rightful ownership.

Fingerprinting This is the typical scenario in which the digital mark conveys identification information of the user instead of the owner. This information is inserted by the distributor and is different for each copy of the same product, thus characterizing each single transaction. The distributor is the one interested in tracing illegal copies. Either private key watermarks or public key watermarks can be used. Since the same copy may fall in the hands of different users in the distribution line, it is evident that the watermarking schemes should attain robustness to multiple watermarking, i.e. many embedded fingerprints. Broadcast monitoring This scenario involves, apart from the product owner and the user, a distributor, which in this case is the broadcaster. There can be two alternative aims for broadcast monitoring. The first one refers to piracy tracking, done by monitoring stations at the side of the receivers. Public keys should be used since the detection is not done by the content owner himself but by the monitoring stations. Use of the original is not feasible since the scenario concerns real time applications. Typical examples of this scenario are TV, Internet and radio providers sending out broadcasts that are monitored at various stations in order to decide if a digital medium is legally transmitted and by whom. Usually, the watermark contains just the index to the entry in a central database, which corresponds to a specific broadcaster and aids in its identification. The second alternative concerns people metering. In this case, the interested party is the broadcaster who wants to get information about his broadcasts ratings. This is accomplished again by monitoring stations that decode the watermark which contains information about the identification of the broadcaster and of the broadcast content, as well as the time of broadcast and sometimes the receivers location. The fact that the detection of the watermark is done by the monitoring stations forces the use of public keys. Robustness should be provided against intentional removal or presentation attacks inflicted by competing broadcasters that want to make the watermark unreadable and generate lower than expected rating levels. Authentication/Integrity checking This could be considered depending on which the interested party is. In the first case, the copyright owner wants to check whether the content has been altered. This is done using fragile or semi-fragile watermarks. Private keys should be used since detection is done by

the owner. A usual application is authentication for multimedia distributed by news agencies. The copyright holder wants to know if the agency has used their source in a misleading way. In the second case, the user is interested in verifying whether the product he has purchased is authentic or not. Since the embedding is done by the owner, whereas the detection is performed by the buyer, public keys should be employed for security. Either robust or fragile watermarks can be used, depending on whether the user simply wants to check authenticity, or wants to know what changes occurred in the content, respectively. Usage control The content provider is interested in constraining the level of control the end user may have on the purchased product. Special purpose devices at the users end are used for reading the content and detecting the watermark. These devices should be able to change the watermark bits that convey access permission information. Depending on the information carried by the watermark, the devices can allow or prohibit certain operations on the content. Since detection and decoding is done by remote equipment, public keys are employed. An example for this scenario is the use of devices with hardware watermark detectors/embedders for reading/writing, respectively, CDs and DVDs to enable detection/embedding of copy control information. Their control mechanisms prohibit illegal copying of the original discs [54]. Intelligent browsers, automatic copyright information After an image is downloaded but before it is displayed by a browser, it is checked for presence of watermarks. If certain watermarks are present, the image is not displayed and is automatically erased from computer memory. The screening could be adjusted according to the user that is logged on to the computer. Another application is display of copyright information with every image rendered by browsers, image manipulating software, such as PhotoShop or PaintShop, etc. In the following, several watermarking schemes are described. 3.2.1 Private Watermarking Schemes The NEC Scheme This technique, explained in [15], uses a pseudorandom Gaussian sequence N(0,1). For security reasons, the pseudo-random number generator should be seeded with a concatenation of authors ID and an image hash. The watermark is embedded by modulating discrete cosine coefficients with the largest magnitude, in order to achieve a high degree of robustness with respect to lossy compression and most common image processing techniques. The highest energy 1000 frequency coefficients vk are modulated according to the formula vk = vk (1 + hk ) where is the watermark strength and can be adjusted to achieve a reasonable compromise between the robustness of the watermark and its visibility. The watermarked

image is obtained by applying the inverse DCT to the coefficients vk. Watermark detection is done by subtracting the original image from a suspected image, calculating the DCT of the difference, and extracting the (possibly modified) watermark sequence. If no distortion of the watermarked image is present, the DCT coefficients of the difference are vkhk. By dividing this difference by vk, it results an estimate of the original watermark, that can be compared to the original watermark. Improvements have been designed like, for example in [16]. Perceptually invisible Watermarking This scheme uses models of the human visual system to design provably invisible watermarks. The authors utilize spatial and frequency masking phenomena to guarantee watermarks invisibility. An image is first divided into blocks of 88 pixels. Each block is DCT transformed and a frequency-masking model [55] is used to calculate maximal allowable changes Mij in each DCT frequency bin. An authors ID is concatenated with image digest and fed as a seed into a cryptographically strong Pseudo-Random Number Generator generating numbers uniformly distributed in [-1,1]. The obtained pseudo-noise sequence is then divided into 88 blocks and multiplied by the mask Mij for each block. The result is added to the matrix of DCT coefficients and each block is further transformed using an inverse DCT. To guarantee perceptual invisibility of the changes, the linearized spatial masking model of Girod [56] is used to provide feedback whether or not the changes are visible. If they are, the masking values Mij are multiplied by a factor less than one and the process is repeated till no visible changes are produced. The security of the scheme is in the secret authors ID that is used to produce the pseudonoise sequence that is modulated by the mask Mij. The detection proceeds by regenerating the pseudo-noise sequence and the masking matrices Mij from the original image. To evaluate the received signal R, one have to consider the difference between R and the original sequence S, obtaining R - S = W' + N, where N is the noise and W' is the potentially modified watermark. 3.2.2 Non-Private Watermarking Schemes Embedding in Wavelet Space There exist mechanisms [57, 58] that embed message bits into disjoint triplets of wavelet coefficients. The choice of the triplets is based on a pseudo-random number generator initialized with a secret key. The middle coefficient is adjusted so that its relative position with respect to the other two coefficients falls into intervals of length (cmax cmin)/(2Q), where cmax and cmin are the largest and the smallest wavelet coefficients for the triplet, and Q is a fixed integer that can be adjusted to obtain a good trade-off between robustness and watermark visibility. Embedding in general key-dependent spaces Digital marks can be embedded into the projections onto smooth orthogonal basis functions. These schemes are typically very robust and less sensitive to synchronization errors due to skipping of rows of pixels, and permuting of nearby pixels. However, if the watermark pattern is spanned by a relatively small number of publicly known functions, it may be possible to remove the watermark or disrupt it beyond reliable detection if a

portion of the watermark pattern (or the embedding key) can be guessed or is known [59]. Indeed, techniques based on general, key-dependent orthogonal basis functions may provide more security than techniques based on publicly known bases, such as discrete cosines. It is not necessary to generate a complete set of orthogonal basis functions since only a relatively small number of them are needed to span a watermark pattern. One can calculate projections of the original image onto a set of J orthogonal functions, and modify the projections so that some secret information is encoded. If we consider a set of orthogonal functions fi, i = 1,, J and a set of functions gi to complete the orthogonal system, the original image I can then be written as

I = ci f i + g
i =1

where g is a linear combination of functions gi. The watermarking process is realized by modifying the coefficients ci. So, the watermarked image can be expressed as

I w = ci' f i + g
i =1

Representing the suspected image in terms of the fi and gi, it's possible to evaluate it, on the basis of the related coefficients. Direct spread spectrum in the spatial domain All pixels in the image are divided into three disjoint sets A, B, and C with cardinalities |A| = |B|. The sets are generated from a pseudo-random number generator seeded with secret key. The gray levels of pixels in set A are increased by k gray levels and pixels in set B are decreased by k. The pixels in set C remain unchanged. The average DC term of the image is unchanged because the cardinalities of sets A and B are equal. The detection is based on the fact that the average gray level over two randomly chosen sets A and B are approximately equal, while the averages will be well separated (by k) if A = A and B = B. Patchwork This scheme is already introduced in the Steganography Techniques Section. It is a mechanism that can be used in both areas. Therefore, we have reported it on both sections putting emphasis on the specific related topics. In this scheme, pairs of pixels A and B with gray levels a and b are randomly chosen in the image. The expected value of the difference A B is zero. Repeating this procedure n times, it will obtained the quantity S

S = (ai bi )
i =1

The expected value of this sum is zero. It's possible to estimate the probability that the value of S will exceed a certain threshold. The watermarking algorithm starts with a secret key used to seed a Pseudo-Random Number Generator. The sequence of pseudorandom numbers is used to randomly select n pixel pairs. For each pair, the gray level of one the first pixel is increased by one, while the value of the second pixel is decreased by one. To test a watermarked image with a specific secret key on a certain confidence level, it's necessary to generate the pseudo-random sequence and to evaluate the sum S. The method can be improved by adjusting patches of pixels rather than single pixels. This will have the effect of shifting the energy of the watermark towards low frequencies thus making it more robust to JPEG compression and low-pass filtering. As with most spread spectrum methods, the watermark is very robust to nonlinear transformations of the gray scale. Frequency-based spread spectrum This method embeds a spread spectrum signal into the Fourier (or Cosine) coefficients of an image rather than directly into the image pixels. Frequency-based spread spectrum methods appear to be more robust than the spatial ones. This is especially true for lowpass filtering and JPEG compression. A nice feature of spread spectrum methods is that they easily accommodate insertion of more than one bit. In [60, 61], the watermark is inserted by adding a noise-like signal to the middle frequencies of its DCT, using a secret key as seed for the Pseudo-Random Number Generator. The DCT coefficients are converted to a vector and the middle 30% (Nm frequencies) is chosen for marking. The information carried by the watermark consists of M symbols. The detection of the message proceeds by first transforming the image using a DCT and extracting the middle Nm DCT coefficients. The secret key is used to generate M pseudo-random sequences. For each sequence, all the possible segments of length Nm are correlated with the middle Nm DCT coefficients. The largest value of the correlation determines the encoded symbol. This watermarking scheme exhibits very impressive robustness properties with respect to many image processing operations. Brightness/contrast adjustment, gamma correction, histogram operations, dithering, sharpening, noise adding, and high-pass filters leave the watermark almost untouched. The watermark is also fairly robust to lossy JPEG compression. Scale, rotation, shift invariant watermarking In [25] is described a variation of the Frequency-based spectrum technique to make the digital mark robust against arbitrary combination of rotation, shift, and change of scale. The idea is to use Fourier transform in log-polar coordinates. It is possible to show that scaling and rotation are transformed to shifts in the new coordinate system. The mechanism works as follows: 1. 2. 3. 4. Divide the image into adjacent blocks of 128128 pixels Take logarithm of the gray levels Compute the FFT for each block, obtain the magnitude and phase Modulate the magnitude of the middle band of frequencies by adding a spreadspectrum signal 5. Add a template to the same band by a second modulation

a. Apply log-polar map to the magnitude components b. Select a set of magnitude components that will be modulated. The pattern formed by the modulated components should have as small autocorrelation as possible c. Map the pattern back from log-polar space into the frequency space 6. Compute inverse FFT using the modulated magnitude components 7. Apply exponential function to the image (inverse of the Webers logarithm) Detection of the watermark: 1. 2. 3. 4. 5. Divide the image into adjacent blocks of 128128 pixels Take logarithm of the gray levels Compute the FFT for each block, obtain the magnitude and phase Transform the magnitude components are using log-polar map Perform a two-dimensional search to find the scaling and rotation parameters. This could be done by computing simple cross-correlation and locating a peak 6. Transform back the image using the found scaling and rotation parameters 7. Apply the detection algorithm to the middle band of Fourier magnitudes At present, this technique can survive the widest spectrum of geometrical transformations. Block-watermarking technique In [62, 63] is presented a technique that embeds a robust watermark into larger blocks. To prevent unauthorized removal or intentional distortion, the watermark depends on a secret key S, block number B, and on the content of the block. The content of each block is represented with M bits extracted from the block by projecting it on a set of random, smooth patterns and thresholding the result. This extraction process gives similar Mtuples for similar blocks. The spread spectrum signal for each block is generated by adding M pseudo-random sequences uniformly distributed in [-1,1]. Each sequence depends on the secret key, block number, and the bit extracted from the block. If k out of M bits are extracted incorrectly due to image distortion, the spread spectrum signal will still have large correlation with the image as long as k << M. The spread spectrum signal is rescaled, made DC-free, and added to the middle third of DCT coefficients for each block. The detection proceeds recovering M bits from each block, generating the spread spectrum signal, and correlating it with the middle third of DCT coefficients of that block. If watermarks are present in all blocks it will be possible to conclude that the image has not been tampered with in any significant manner. 4. ATTACKS To be effective, an embedded digital mark should be imperceptible, reliable and resistant to attacks. The mark must be strongly resistant to unauthorized detection, decoding and manipulation. It has to tolerate coding, compression, signal processing, filtering or any other technique. Any manipulation of a file can result in an attack on the embedded watermarks. Depending on the way the information will be used, some attacks are more

likely than others. In some cases the embedded data is simply said to be robust against common signal processing algorithms and geometric distortions when used on some standard object. Its possible to classify attacks on the basis of their effect on the digital mark and the way the digital mark is interpreted by the detector. In this way, four broad categories can be formed [64, 65]: Robustness attacks: This category includes attacks that aim at diminish or remove the embedded data without degrading the perceptual quality of the product. Presentation attacks: Instead of removing the embeded data, these attacks aim at manipulating the content in such a way that the detector cannot find it. Interpretation (protocol) attacks: In this case, the intention of the attacker is to devise a situation which prevents assertion of ownership and to render the digital embedded data unreliable. This can be done for example by producing a counterfeit original after subtracting a counterfeit mark from a marked image. The attacker can then claim that the marked image contains his own mark and also that he has the original product, thus creating an ownership deadlock [66]. Legal attacks: This category is quite different from the ones presented above, since it implies all the actions that can be taken in a law court in order to damage the credibility of watermarks as proofs of ownership/authenticity in case of disputes. In other words, it does not include manipulations of the watermarked product, but attempts to take advantage of the lack of legal foundation on watermarking as a proof of ownership (i.e. gaps in the legislation on copyright laws), and challenging the credibility of the owner.

The separation between these groups is not always very clear though; for instance, StirMark both diminishes the embedded data and distort the content to fool the detector. 4.1 Robustness Attacks These can be unintentional attacks that occur during common processing operations by the user/system (compression, filtering, resizing, printing, scanning, etc.), or malicious ones like noise addition to weaken the strength of the embedded data, or the collusion attack which tries to combine different marked versions of the same image to generate an average image that is very close to the original, thus reducing the embedded data strength or totally removing it. Most simple spread spectrum based techniques and some simple image stego software are subject to some kind of jitter attack [67]. Indeed, although spread spectrum signals are very robust to amplitude distortion and to noise addition, they do not survive timing errors: synchronization of the chip signal is very important and simple systems fail to recover this synchronization properly. An example for such a robustness attack could be the preparation of audio material to be transmitted at a radio station: the material will be normalised and compressed to fit the loudness level of the transmission. Equalization will be used to optimise the perceived quality. If a watermark is used to detect radio transmission of commercials, it has to be robust against all these attacks, or the detection will not be possible as it is destroyed. Another example is the Internet: if a company wants to embed data as copyright protection, the digital mark has

to be robust against all operations usually worked on the material. In this case the main attack will be lossy compression like mp3, sometimes at high compression rates. Its possible to build groups of attacks based on the way manipulation works. As the attacks in these groups work on the same principles, a weakness against one of the attacks makes it likely that the other attacks in the group will also destroy the embedded data. Optimization of the robustness of digital marking algorithms against one of the attacks in a group will also make it more robust against the others. The following groups of attacks can be identified: Dynamics These change the loudness profile of a signal. Filter Filters (high-pass, low-pass and equalizers) cut off or increase a selected part of the spectrum. Ambience The most common effects are reverb and delay. Conversion manipulations like sample size changes, digital-to-analogue (D/A) and analogue-to-digital (A/D) conversions, are examples that induce quantization noise and artefacts, as no conversion is perfect. Lossy compression Compression algorithms are used to reduce the amount of data. Examples are JPEG, MPEG, mp3, AAC, VQF and more. Lossy compression can obviously be a serious problem for data hiding. Noise Noise can be the result of most of the attacks described above. Most hardware components in an audio chain also induce noise into the signal. A very common attack also is to try to add noise to destroy the embedded data. Modulation Modulation effects like vibrato, chorus, amplitude modulation or flanging can be used as attacks to embedded data. Time stretch and pitch shift These either change the length of an audio event without changing its pitch or change the pitch without changing the length. They are used for fine tuning or fitting audio parts into time windows [68]. As such tools become widely available, attacks involving sound manipulation will become easy. Sample permutations This group consists of algorithms not used for audio manipulation in usual environments. Theses are specialised ways to attack data embedded in audio files. Examples are sample permutation, dropping samples and similar approaches.

StirMark It is easy to understand that, although most schemes could survive basic manipulations, they would not cope with combinations of them or with random geometric distortions. This motivated the design of StirMark [67]. This powerful attack has been designed by a research group (R. Andersson, F. Petitcolas, and M. Kuhn) at University of Cambridge. StirMark is a generic tool for basic robustness testing of image data hiding algorithms

and has been freely available since November 1997. The attack simulates image distortions that commonly occur when a picture is printed, photocopied, and rescanned. The image is slightly stretched, sheared, shifted, bent and rotated and compressed by an unnoticeable random amount. A small amount of noise is added to simulate quantization errors of A/D and D/A conversion. For low-frequency digital marks, small geometrical deformations can cause large differences in DCT coefficients. A transfer function that introduces a small and smoothly distributed error into all sample values is applied. This emulates the small nonlinear analogue/digital converter imperfections typically found in scanners and display devices. StirMark can perform a default series of tests which serve as a benchmark for image watermarking [69]. Attack on Echo Hiding Echo hiding encodes zeros and ones by adding echo signals distinguished by two different values for their delay and their relative amplitude to a cover audio signal. The delays are chosen between 0.5 and 2 ms, and the relative amplitude is around 0.8 [49]. According to its creators, decoding involves detecting the initial delay and the autocorrelation of the spectrum of the encoded signal is used for this purpose. However the same technique can be used for an attack. The obvious attack on this scheme is to detect the echo and then remove it by simply inverting the convolution formula; the problem is to detect the echo without knowledge of either the original object or the echo parameters. This is known as blind echo cancellation in the signal processing literature and is known to be a hard problem in general. Several methods to remove the echo have been investigated in literature [50, 70, 71]. Twin Peaks Attack In some cases the image to be marked has certain features that help a malicious attacker to gain information about the mark itself. An example of such features is where a picture, such as a cartoon, has only a small number of distinct colours, giving sharp peaks in the colour histogram. These are split by some marking algorithms. The twin peaks attack, suggested by Maes [73], takes advantage of this to recover and remove marks. In the case of grayscale images, a simple example of digital marking based on spread spectrum ideas is to add or subtract randomly a fixed value d to each pixel value. So each pixel's value has a 50% chance of being increased or decreased. 4.2 Presentation Attack The intention is essentially the same as in the Robustness category, but the techniques employed to achieve it are different. One example of such attacks is the mosaic attack in which the marked image is divided into parts and reassembled using proper HTML tags in order to fool web-based agents. Thus the embedded data cannot be detected in any of the individual image parts which the web crawler accesses. Other examples of such attacks are rotation, enlargement, and affine transformations in general. The mosaic attack This presentation attack possesses the property that it's possible to remove the marks from an image and still rendered, pixel for pixel, as the marked image by a standard

browser. This attack was motivated by an automatic system for copyright piracy detection: a special program (a crawler) that search through the Internet, download pictures, and look for illegal copies of images marked with a certain digital mark. The idea behind the mosaic attack is to simply break an image into small portions, and correctly assemble them on a web page so that a complete image without spaces is obtained. This is easily done because most browsers can paste images without any spaces in between them. Because images with dimensions smaller than a certain limit cannot be reliably marked, the crawler would not detect the embedded data in any mosaic piece. Another possibility is to wrap images into Java applets or Active X objects so that they would not be recognized as images to the crawler. Java applets can be used to display a picture inside the browser; the applet could descramble the picture in real time. Defeating such techniques would entail rendering the whole page, detecting pictures and checking whether they contain a mark. Another problem is that pirated pictures are typically sold via many small web services, from which the crawler would have to purchase them using a credit card before it could examine them. 4.3 Interpretation Attack The basic idea is that as many schemes provide no intrinsic way of detecting which of two digital marks was added first. Let us assume that Alice watermarks an image IA by adding the watermark WA to I: IA = I + WA. A Bob generates his watermark WB using his key and creates a fake original I = IA + WB. Since IA = I + WA = I + WB and since the marking method must be robust with respect to small changes, Bob can argue that Alices original I contains his watermark WB if he uses his forged original I for the detection. Of course, Alice can claim that her embedded data is contained in Bs original if she uses her I as the original image. This creates a deadlock and one cannot unambiguously decide who owns the image. In [74] is proposed the use of informationlosing marking schemes whose inverses cannot be approximated closely enough. In essence, in order to forge an original and a watermark, an attacker would have to solve the equation IA = I + W(I) for I, which may be computationally very difficult if W for example depends on image hash. Care needs to be taken, however, how the image hash is applied. In some circumstances, if multiple watermarked copies are available, an attack can still be mounted. Alternative prevention mechanisms could be time-stamping and notarization. 4.4 Other Generic Attacks The histogram attack This attack applies mostly to fix-depth digital marks that are applied to images with some singularities in the histogram. The histograms of some images after scanning exhibit regularly distributed peaks. If such an image is marked with a fixed depth embedded data [39, 40], the peaks will essentially double and one can correctly estimate a large portion of the mark pattern by simply counting the number of pixels occupying neighboring gray level bins. The attack can be easily thwarted if images are pre-processed before watermarking to get rid of the histogram peaks. Details of this attack can be found in [73].

Attack based on partial knowledge of the embedded data It is important that a partial knowledge of the embedded data should not enable a pirate to remove the entire data or disturb it beyond reliable detection. It might indeed be possible in certain cases to reconstruct the data pattern based on the assumption that the embedded data becomes partially known. This assumption is not that unreasonable as it may seem at first. For example, one can make a guess that certain portion of the original image had pixels of uniform brightness or of a uniform gradient, or an attacker may be able to foist a piece of his image into a collage created by somebody else. If this is the case, then the knowledge of a portion of the embedded data may give us additional constraints to disturb or eliminate the whole object. This is especially relevant for watermark patterns spanned by publicly known functions. In [59] an attack is described that can be applied to any non-adaptive robust watermarking technique, invertible or not, if some portion of the original unwatermarked image is known or can be guessed, and if the watermark is mostly spanned by some small number of Fourier modes. The attack attempts to find the coefficients of the lowest frequency DCT coefficients based on the known pixel values. A set of linear equations completed with a stabilizing functional makes the inversion possible. 5. CONCLUSION In this paper we gave an overview of information hiding in general and steganography and copyright marking in particular. Communicating in secure way is, in general, synonymous of encrypting the traffic, but this is not really true in practice. If a person wants to communicate a secret to another one is better hiding the message in an innocuous object as an mp3, mpeg and a jpg. In fact enciphering lets arouse more suspicion; so how can you suspect about something that you do not perceive? Therefore the study of communications security includes not just encryption but also traffic security, whose essence lies in hiding information. On the other hand with analogous techniques is possible to embed in the innocuous objects (mp3, mpeg and a jpg) a copyright mark. These techniques are very useful to prevent and to avoid problem of piracy. In the introduction we have explained why the hiding information discipline was born and who are interested to these ones. The growing interest, by different research communities, in the fields of steganography and copyright marking, has led to some confusion in the terminology. In the second section we have tried to introduce the terminology which is a summary of existing ones, with particular care at the first international workshop on the subject [2, 11] (Figure 1). Again in the third section we have looked at some of the techniques used to hide information. This section is divided in two subsections: the first illustrates the steganography techniques and the second the copyright marking ones. We then described a number of attacks on information hiding systems, which between them demolish most of the current contenders in the copyright marking business. Concluding we think that this survey may be very useful for someone that want to know the world of information hiding; in fact in this is possible here to find the references to the famous papers about this argument.

REFERENCES [1] The Oxford English dictionary: being a corrected re-issue Clarendon Press, Oxford, 933 [2] R. J. Anderson, ed., Information hiding: first international workshop, vol. 1174 of Lecture Notes in Computer Science, Isaac Newton Institute, Cambridge, England, May 1996, Springer-Verlag, Berlin, Germany, ISBN 3-540-61996-8 [3] M. Swanson, M. Kobayashi, and A. Tewfik, Multimedia Data Embedding and Watermarking Technologies, Proc. of IEEE, vol. 86, no. 6, June 1998, pp. 1064-1087. [4] C. Cox, J. Killian, T. Leighton, and T. Shamoon, Secure Spread Spectrum Communication for Multimedia, Technical report, N.E.C. Research Institute, 1995. [5] R.J. Anderson and F. Peticolas, On the Limit of Steganography, IEEE J. Select. Areas Comm., vol. 16, May 1998, pp. 474-481. [6] A. Shizaki, J. Tanimoto, M. Iwata, A Digital Image Watermarking Scheme Withstanding Malicious Attacks, IEICE Trans. Fundamentals, vol. E-83-A, no. 10, Oct. 2000, pp. 2015-2022. [7] F. Hartung and M. Kutter, Multimedia Watermarking Techniques, Proc .of IEEE, vol. 86, no. 6, June 1998, pp. 1079-1107. Pictures and Associated Audio for Digital Storage up to about 1.5 Mbits/s. [8] J.-P. M. G. Linnartz, The `ticket' concept for copy control based on embedded signalling. In Quisquater et al. [146], pp. 257-274, ISBN 3-540-65004-0. [9] M. L. Miller, I. J. Cox, and J. A. Bloom, Watermarking in the real world: An application to DVD. In Dittmann et al. [147], pp. 71-76. [10] J. C. Benaloh, Verifiable Secret-Ballot Elections. Ph.D. thesis, Yale University, New Haven, 1987, YALEU/DCS/TR-561. [11] B. Pfitzmann, Information hiding terminology. In Anderson [2], pp. 347-350, ISBN 3-540-61996-8, results of an informal plenary meeting and additional proposals. [12] G. W. Braudaway, K. A. Magerlein, and F. Mintzer, Protecting publicly-available images with a visible image watermark. In van Renesse [87], pp. 126-133, ISBN 0-1942033-6. [13] I. J. Cox and M. L. Miller, A review of watermarking and the importance of perceptual modeling. In Rogowitz and Pappas [142], ISBN 0-8194-2427-7. [14] G. Caronni, Assuring ownership rights for digital images. In H. Brauggermann and W. Gerhardt-Hackl, eds., Reliable IT Systems (VIS'95), pp. 251-263, Vieweg Publishing Company, Germany,1995. [15] I. J. Cox, J. Kilian, T. Leighton, and T. Shamoon, A secure, robust watermark for multimedia. In Anderson [5], pp. 183-206, ISBN 3-540-61996-8. [16] C. I. Podilchuk and W. Zeng, Digital image watermarking using visual models. In Rogowitz and Pappas [142], pp. 100-111, ISBN 0-8194-2427-7. [17] M. Barni, F. Bartolini, V. Cappellini, and A. Piva, A D.C.T.-domain system for robust image watermarking. Signal Processing, vol. 66, no. 3, pp. 357-372, May 1998, ISSN 0165-1684,European Association for Signal Processing (EURASIP). [18] D. Kundur and D. Hatzinakos, Digital watermarking using multiresolution wavelet decomposition. In International Conference on Acoustic, Speech and Signal Processing (ICASP), vol. 5, pp. 2969-2972, IEEE, Seattle, Washington, U.S.A., May 1998.

[19] G. Nicchiotti and E. Ottaviano, Non-invertible statistical wavelet watermarking. In 9th European Signal ProcessingConference (EUSIPCO'98), pp. 2289-2292, Island of Rhodes, Greece, 8-11 Sep. 1998, ISBN 960-7620-05-4. [20] N. Nikolaidis and I. Pitas, Robust image watermarking in the spatial domain. Signal Processing, vol. 66, no. 3, pp. 385-403, May 1998, ISSN 0165-1684, European Association for Signal Processing (EURASIP). [21] D. Tzovaras, N. Karagiannis, and M. G. Strintzis, Robust image watermarking in the subband or discrete cosine transform domain. In 9th European Signal Processing Conference (EUSIPCO'98), pp. 2285-2288, Island of Rhodes, Greece, 8-11 Sep. 1998, ISBN 960-7620-05-4. [22] R. G. van Schyndel, A. Z. Tirkel, and C. F. Osborne, A digital watermark. In International Conference on Image Processing, vol. 2, pp. 86-90, IEEE, Austin, Texas, U.S.A., 1994. [23] R. B. Wolfgang and E. J. Delp, A watermarking technique for digital imagery: further studies. In International Conference on Imaging, Systems, and Technology, pp. 279-287, IEEE, Las Vegas, Nevada, U.S.A., 30 Jun.-3 Jul. 1997. [24] F. Hartung and B. Girod, Watermarking of uncompressed and compressed video. Signal Processing, vol. 66, no. 3, pp. 283-301, May 1998, ISSN 0165-1684, European Association for Signal Processing (EURASIP). [25] A. Herrigel, J. J. K. fiO Ruanaidh, H. Petersen, S. Pereira, and T. Pun, Secure copyright protection techniques for digital images. In Aucsmith [148], pp. 169-190, ISBN 3-540-65386-4. [26] M. D. Swanson, B. Zu, and A. H. Tewfik, Robust data hiding for images. In 7th Digital Signal Processing Workshop (DSP 96), pp. 37-40, IEEE, Loen, Norway, Sep. 1996. [27] G. C. Langelaar, J. C. A. van der Lubbe, and R. L. Lagendijk, Robust labeling methods for copy protection of images. In Sethin and Jain [149], pp. 298-309, ISBN 08194-2433-1. [28] J. Zhao and E. Koch, Embedding robust labels into images for copyright protection. In International Congress on Intellectual Property Rights for Specialised Information, Knowledge and New Technologies, Vienna, Austria, Aug. 1995. [29] T. Kalker, Watermark Estimation Through Detector Observation, Philips Research Eindhoven, Netherland, preprint 1998. [30] T. Kalker, J. P. Linnartz, and M. van Dijk, Watermark estimation through detector analysis, Proc. of the ICIP, Chicago, Oct 1998. Submitted. [31] J. P. Linnartz and M. van Dijk, Analysis of the sensitivity attack against electronic watermarks in images, Proc. of the Workshop on Information Hiding, Portland, April 1998. Submitted. [32] J. P. M. G. Linnartz, A. C. C. Kalker, G. F. Depovere, and R. Beuker, A reliability model for detection of electronic watermarks in digital images, Proc. Benelux Symposium on Communication Theory, Enschede, pp. 202208, Oct 1997. [33] I. J. Cox and J.-P. M. G. Linnartz, Some general methods for tampering with watermarks, preprint, 1998. [34] F. A. P. Petitcolas, Weakness of existing watermarking schemes, http://www.cl.cam.ac.uk/~fapp2/watermarking/image watermarking/ , Oct 1997.

[35] T. Aura, Invisible communication, Proc. of the HUT Seminar on Network Security 95, Espoo,Finland, Nov 1995. Telecommunications Software and Multimedia Laboratory, Helsinki University of Technology. http://deadlock.hut.fi/ste/ste_html.html, ftp://saturn.hut.fi/pub/aaura/ ste1195.ps [36] S. Walton, Image authentication for a slippery new age. Dr. Dobb's journal of software tools, vol. 20, no. 4, pp. 18-26, Apr. 1995. [37] K. Matsui and K. Tanaka, Video-steganography: How to secretly embed a signature in a picture. Journal of the Interactive Multimedia Association Intellectual Property Project, vol. 1, no. 1, pp. 187-205, Jan. 1994. [38] J. R. Smith and B. O. Comiskey, Modulation and information hiding in images." In Anderson [5], pp. 207-226, ISBN 3-540-61996-8. [39] W. Bender, D. Gruhl, N. Morimoto, and A. Lu, Techniques for data hiding. I.B.M. Systems Journal , vol. 35, no. 3 & 4, pp. 313-336, 1996. [40] I. Pitas, A method for signature casting on digital images. In International Conference on Image Processing, vol. 3, pp. 215-218, Sep. 1996. [41] G. C. Langelaar, J. C. A. van der Lubbe, and J. Biemond, Copy protection for multimedia data based on labeling techniques. In 17th Symposium on Information Theory in the Benelux, Enschede, The Netherlands, May 1996. [42] G. C. Langelaar, J. C. A. van der Lubbe, and R. L. Lagendijk, Robust labeling methods for copy protection of images. In Sethin and Jain [149], pp. 298-309, ISBN 08194-2433-1. [43] R. C. Dixon, Spread spectrum systems with commercial applications. New York, New York, U.S.A.: John Wiley & Sons, Inc., 3rd edn., 1994, ISBN 0-471-59342-7. [44] R. A. Scholtz, The origins of spread spectrum communications. IEEE Transactions on Communications, vol. 30, no. 5, pp. 822-853, May 1982. [45] R. L. Pickholtz, D. L. Schilling, and L. B. Milstein, Theory of spread spectrum communications: A tutorial. IEEE Transactions on Communications, vol. 30, no. 5, pp. 855-884, May 1982. [46] A. Z. Tirkel, G. A. Rankin, R. M. van Schyndel, W. J. Ho, N. R. A. Mee, and C. F. Osborne, Electronic watermark. In Digital Image Computing, Technology and Applications (DICTA'93), pp. 666{673, Macquarie University, Sidney, 1993. [47] I. J. Cox, J. Kilian, T. Leighton, and T. Shamoon, Secure spread spectrum watermarking for images, audio and video. In International Conference on Image Processing (ICIP'96), pp. 243-246, IEEE, Lausanne, Switzerland, 16-19 Sep. 1996. [48] F. Hartung and B. Girod, Watermarking of MPEG-2 encoded video without decoding and re-encoding. In M. Freeman, P. Jardetzky, and H. M. Vin, eds., Multimedia Computing and Networking 1997, vol. 3020, pp. 264-273, The Society for Imaging Science and Technology (IS&T) and the International Society for Optical Engineering (SPIE), San Jose, California, U.S.A.: SPIE, Feb. 1997, ISBN 0-8194-2431-5. In Optical Security and Counterfeit Deterrence Techniques II [49] D. Gruhl, W. Bender, and A. Lu, Echo hiding. In Anderson [5], pp. 295{315, ISBN 3-540-61996-8. [50] B. P. Bogert, M. J. R. Healy, and J. W. Tukey, The quefrency alanysis of time series for echoes: Cepstrum, pseudo-autocovariance, cross-cepstrum and saphe cracking. In M. Rosenblatt, ed., Symposium on Time Series Analysis, pp. 209-243, New York, New York, U.S.A.: John Wiley & Sons, Inc., 1963.

[51] D. L. Schilling, ed., Meteor burst communications: theory and practice. Wiley series in telecommunications, New York, U.S.A.: Wiley, 1993. [52] R. Machado. Stego. http://www.fqa.com/romana/romanasoft/stego.html [53] http://www.stego.com/ [54] J. A. Bloom, I.J. Cox, T. Kalker, J.-P.M.G. Linnartz, M.L. Miller, C.B.S. Traw, "Copy protection for dvd video", Proceeding of the IEEE, vol.87, no. 7, pp. 1267-1276, 1999. [55] = G. E. Legge and J. M. Foley, Contrast Masking in Human Vision, J. Opt. Soc. Am., 70(12), pp. 14581471, 1980. [56] = B. Girod, The Information Theoretical Significance of Spatial and Temporal Masking in Video Signals, Proc. of the SPIE Human Vision, Visual Processing, and Digital Display, vol. 1077, pp. 178 187, 1989. [57] = D. Kundur and D. Hatzinakos, A robust digital image watermarking method using waveletbased fusion, to appear in Proc. Int. Conference in Image Processing, 1997. [58] = D. Kundur and D. Hatzinakos, Digital Watermarking Based on Multiresolution Wavelet Data Fusion, Proc. IEEE, Special Issue on Intelligent Signal Processing, under review, 43 pages, 1997. [59] = J. Fridrich, Robust digital watermarking based on key-dependent basis functions, The 2nd Information Hiding Workshop in Portland, Oregon, April 1517, 1998. [60] = J. J. K. Ruanaidh and T. Pun, Rotation, scale and translation invariant digital image watermarking, Proc. of the ICIP, vol. 1, pp. 536539, Santa Barbara, California, Oct 1997. [61] = A. Piva, M. Barni, F. Bartolini, V. Cappellini, DCT-based watermark recovering without resorting to the uncorrupted original image, preprint, 1997. [62] = J. Fridrich, Image Watermarking for Tamper Detection, Proc. ICIP 98, Chicago, Oct 1998. [63] = J. Fridrich, Methods for Detecting Changes in Digital Images, Proc. of The 6th IEEE International Workshop on Intelligent Signal Processing and Communication Systems (ISPACS'98), Melbourne, Australia, 4-6 November 1998. [64] S. Craver, M. Memon, B.-L. Yeo, M. Yeung, Resolving rightful ownership with invisible watermarking techniques: Limitations, attacks and implications, IEEE Journal of Selected Areas in Communications, vol. 16, no. 4, May 1998 [65] S. Craver, B.-L. Yeo, M. Yeung, Technical Trials and legal tribulations, Communications of the ACM, vol. 41, no. 7, July 1998 [66] S. Katzenbeisser, F.A.P. Petitcolas, Information Hiding Techniques for Steganography and Digital Watermarking, Aetech House, Boston London, 2000 [67] = F. A. P. Petitcolas, R. J. Anderson, and M. G. Kuhn, Attacks on copyright marking systems." In Aucsmith [148], pp. 218-238, ISBN 3-540-65386-4. [68] = K. N. Hamdy, A. H. Tew_k, T. Chen, and S. Takagi, Timescale modification of audio signals with combined harmonic and wavelet representations." In International Conference on Acoustics, Speech and Signal Processing (ICASSP'97), vol. 1, pp. 439442, IEEE, Munich, Germany: IEEE Press, Apr. 1997, Session on Hearing Aids and Computer Music.

[69] = M. Kutter and F. A. P. Petitcolas, A fair benchmark for image watermarking systems." In Wong and Delp [106], pp. 226-239, ISBN 0-8194-3128-1. [70] = A. V. Oppenheim and R. W. Schafer, Discrete-Time Signal Processing, chap. 12, pp. 768-834. Englewood Cli_s, New Jersey, U.S.A.: Prentice-Hall International, Inc., international edn., 1989, ISBN 0-13-216771-9. [71]= R. W. Schafer, Echo removal by discrete generalized linear filtering." Tech. Rep. 466, Massachusetts Institute of Technology, Feb. 1969. [72] = G. C. Langelaar, R. L. Lagendijk, and J. Biemond, Removing spatial spread spectrum watermarks by non-linear _ltering." In 9th European Signal Processing Conference (EUSIPCO'98), pp. 2281{2284, Island of Rhodes, Greece, 8-11 Sep. 1998, ISBN 960-7620-05-4. [73] = M. Maes, Twin peaks: The histogram attack on fixed depth image watermarks." In Aucsmith [148], pp. 290-305, ISBN 3-540-65386-4. [74] = S. Craver, N. Memon, B.-L. Yeo, and M. M. Yeung, Can invisible watermark resolve rightful ownerships?" In Sethin and Jain [149], pp. 310-321, ISBN 0-8194-24331.