In this chapter we introduce the main elements of a digital watermarking
system, by starting from data embedding until data recovery. We give a
description which is as general as possible, avoiding to focus on copyright
and data protection scenarios, so to encompass as many as possible data
hiding applications. In spite of this, readers must me aware that some
data hiding scenarios like steganography for covert communications are
not properly covered by our models.
We also give some fundamental definitions regarding the various actors
involved in the watermarking problem, or to better say, the watermarking
game, and some fundamental properties of the watermarking algorithms
which have a fundamental impact on the applicability of such algorithms
in practical application scenarios. For example, we pay great attention to
distinguish between different approaches to watermark recovery, since it
has been proven that, in many cases, it is the way the hidden information
is extracted from the host signal that determines whether a given algorithm
is suitable for a particular application or not.
Even if this book is mainly concerned with the signal processing level
of digital watermarking, in this first chapter (and part of chapter 2) we
briefly touch the protocol level of the system, i.e. we consider how digital
watermarking may be conveniently used, together with other complementary
technologies, such as cryptography, to solve some practical problems,
e.g. copyright protection, ownership verification, and data authentication.
1.1 Elements of a watermarking system
According to a widespread point of view, a watermarking system is much
like a communication system consisting of three main elements: a trans
Overall picture of a data hiding system. The watermark code b
represents the very input of the chain. Then, b is transformed in a watermark
signal w (optionally b = w), which is embedded into the host asset A, thus
producing the watermarked asset Av. Due to possible attacks, Aw is transformed
into A'w Finally the decoder/detector recovers the hidden information from A'w.
Note that embedding and watermark recovery may require the knowledge of a
secret key K, and that recovery may benefit from the knowledge of the original,
non-marked asset A.
mitter, a communication channel, and a receiver. To be more specific, the
embedding of the to-be-hidden information within the host signal plays the
role of data transmission; any processing applied to the host data after
information concealment, along with the interaction between the concealed
data and the host data itself, represents the transmission through a communication
channel; the recovery of the hidden information from the host
data acts the part of the receiver. By following the communication analogy,
any watermarking system assumes the form given in figure 1.1.
The information to be hidden within the host data represents the very
input of the system. Without loosing generality, we will assume that such
an information is given the form of a binary string
b = (1.1)
with bi taking values in {0,1}. We will refer to the string b as the watermark
code1 (not to be confused with the watermark signal which will be
introduced later on).
At the transmitter side, a data embedding module inserts the string b
1Some authors tend to distinguish between watermarking, fingerprinting and data
hiding in general, depending on the content and the role of the hidden information
within the application scenario. Thus, for example, the term watermarking is usually
reserved for copyright protection applications where the robustness of the hidden data
plays a central role. Apart from some examples, in this book we will not deal explicitly
with applications, thus we prefer to always use the term watermark code, regardless of
the semantic content of b. In the same way we will use the terms watermarking and
data hiding interchangeably, by paying attention to distinguish between them only when
we will enter the application level.
within a piece of data called host data or host signal2. The host signal
may be of any media type: an audio file, a still image, a piece of video
or a combination of the above3. To account for the varying nature of the
host signal we will refer to it as the host digital asset, or simply the host
asset, denoted by the symbol A. When the exact nature of A can not be
neglected, we will use a different symbol, namely / for still images and
video, and S for audio. The embedding module may accept a secret key
K as an additional input. Such a key, whose main goal is to introduce
some secrecy within the embedding step, is usually used to parameterize
the embedding process and make the recovery of the watermark impossible
for non-authorized users which do not have access to K.
The functionality's of the data embedding module can be further split
into three main tasks: (i) information coding; (ii) watermark embedding;
(iii) watermark concealment.
1.1.1 Information coding
In many watermarking systems, the information message b is not embedded
directly within the host signal. On the contrary, before insertion vector
b is transformed into a watermark signal w = {wi,w2 ... wn} which is
more suitable for embedding. In a way that closely resembles a digital
communication system, the watermark code b may be used to modulate
a much longer spread-spectrum sequence, it may be transformed into a
bipolar signal where zero's are mapped in +1 and one's in —1, or it may
be mapped into the relative position of two or more pseudo-random signals
in the case of position-encoded-watermarking. Eventually, b may be left
as it is, thus leading to a scheme in which the watermark code is directly
inserted within A. In this case the watermark signal w coincides with the
watermark code b.
Before transforming the watermark code into the watermark signal, b
may be channel-coded to increase robustness against possible attacks. As
a matter of fact, it turns out that channel coding greatly improves the
performance of any watermarking system.
1.1.2 Embedding
In watermark embedding, or watermark casting, an embedding function £
takes the host asset A, the watermark signal w, and, possibly, a key K,
2Sometimes the host signal is referred to as the cover signal.
3Though many of the concepts described in this book can be extended to systems in
which the host signal is a piece of text, we will not deal with such a case explicitly
and generates the watermarked asset
(1.2)
Note that the above equation still holds when the watermark code is embedded
directly within A, since in this case we simply have w = b. The definition
of £ usually goes through the selection of a set of asset features, called
host features, that are modified according to the watermark signal. By
letting the host features be denoted by F(A] = f/i = {/i, /2 • • • fm} e Fm4,
watermark embedding amounts to the definition of an insertion operator ©
which transforms 3-(A) into the set of watermarked features f ( A V f ) , i.e.:
= f(£(A, w, K)) = f(A) © w. (1.3)
In general m =£ n, that is the cardinality of the host feature set needs not
be equal to the watermark signal length.
Though equations (1.2) and (1.3) basically describe the same process,
namely watermark casting within A, they tend to view the embedding
problem from two different perspectives. According to (1.2), embedding is
more naturally achieved by operating on the host asset, i.e. £ modifies A so
that when the feature extraction function J- is applied to Aw, the desired
set of features fAw = { f w , i , fw,i • • • fw,m} is obtained.
Equation (1.3) tends to describe the watermarking process as a direct
modification of fU through the embedding operator ©. According to this
formulation, the watermark embedding process assumes the form shown
in figure 1.2. First the host feature set is extracted from A, then the
© operator is applied producing IAW, finally the extraction procedure is
inverted to obtain ^4W:
Avr = F-1(fAJ. (1.4)
The necessity of ensuring the invertibility of T~v may be relaxed by allowing
J-~1 to exploit the knowledge of A to obtain j4w, that is (weak
4We will use the symbology F(A) and f/i interchangeably depending on whether
we intend to focus on the extraction of host features from A or on the host features
themselves.invertibility):
(1.5)
As an example, let us consider a system in which the watermark is embedded
into the magnitude of the DFT coefficients of the host asset. The
feature extraction procedure is not strictly invertible, since it discards phase
information. Phase information, though, can be easily retrieved from the
original asset A, a possibility which is admitted by formulation (1.5) (see
figure 1.3 for a schematic description of the whole process).
It is worth noting, though, that neither strict, nor weak invertibility
of T is requested in general, since £ may always be defined as a function
operating directly in the asset domain (equation (1.2)).
A detailed discussion of the possible choices of £, J-(A) and © will be
given in chapter 4.
1.1.3 Concealment
The main concern of the embedding part of any data hiding system is to
make the hidden data imperceptible. This task can be achieved either implicitly,
by properly choosing the set of host features and the embedding
rule, or explicitly, by introducing a concealment step after watermark embedding.
To this aim, the properties of the human senses must be carefully
studied, since imperceptibility ultimately relies on the imperfections of such
senses. Thereby, still image and video watermarking will rely on the characteristics
of the Human Visual System (HVS), whereas audio watermarking
will exploit the properties of the Human Auditory System (HAS).
A detailed description of the main phenomena underlying the HVS.
1.1.4 Watermark impairments
After embedding, the marked asset A-*, enters the channel, i.e. it undergoes
a series of manipulations. Manipulations may explicitly aim at removing
the watermark from Aw, or may pursue a completely different goal, such
as data compression, asset enhancement or editing. We will denote the
output of the channel by the symbol A'w.
1.1.5 Recovery of the hidden information
The receiver part of the watermarking system may assume two different
forms. According to the scheme reported in figure 1.4a, the watermark
detector reads A'w and a watermark code b*, and decides whether A'^
contains b* or not. The detector may require that the secret key K used
to embed the watermark is known. In addition, the detector may perform
its task by comparing the watermarked asset A'^ with the original, nonmarked,
asset A, or it may not need to know A to take its decision. In the
latter case we say that the detector is blinf, whereas in the former case
the detector is said to be non-blind.
Alternatively, the receiver may work as in figure 1.4b. In this case the
watermark code b* is not known in advance, the aim of the receiver just
being that of extracting b* from A'^. As before, the extraction may require
that the original asset A and the secret key K are known.
The two different schemes given in figure 1.4 lead to a distinction between
algorithms embedding a mark that can be read and those inserting
a code that can only be detected. In the former case, the bits contained in
the watermark can be read without knowing them in advance (figure 1.4b).
In the latter case, one can only verify if a given code is present in the
document, i.e. the watermark can only be revealed if its content is known
5 Early works on watermarking used the term oblivious instead than blind.
in advance (figure 1.4a). We will refer to the extraction of a readable watermark
with the term watermark decoding, whereas the term watermark
detection will be used for the recovery of a detectable watermark.
The distinction between readable and detectable watermarking can be
further highlighted by considering the different form assumed by the decoding/
detection function T> characterizing the system. In blind, detectable
watermarking, the detector P is a three- argument function accepting as
input a digital asset A, a watermark code b, and a secret key K (the secret
key is an optional argument which may be present or not). As an output
T> decides whether A contains b or not, that is
. (1.6)
In the non-blind case, the original asset Aor is a further argument of D:
T>(A,Aor,b,K)= yes/no. (1.7)
In blind, readable watermarking, the decoder function takes as inputs a
digital asset A and, possibly, a keyword K , and gives as output the string
of bits b it reads from A:
V(A,K)=b, (1.8)
which obviously assumes the form
V(A,Aor,K) = b, (1.9)
for non-blind watermarking. Note that in readable watermarking, the decoding
process always results in a decoded bit stream, however, if the asset
is not marked, decoded bits are meaningless. Even with readable watermarking,
then, it may be advisable to investigate the possibility of assessing
whether an asset is watermarked or not.
Detectable watermarking is also known as 1-bit watermarking (or 0-
bit watermarking), since, given a watermark, the output of the detector is
just yes or no. As the 1-bit designation says, a drawback with detectable
watermarking is that the embedded code can convey only one bit of information.
Actually, this is not the case, since if one could look for all,
say N, possible watermarks, then the detection of one of such watermarks
would convey log^N information bits. Unfortunately, such an approach is
not computationally feasible, since the number of possible watermarks is
usually tremendously high.
1.2 Protocol considerations
Even if this book aims mainly at describing how to hide a piece of information
within a host asset and how to retrieve it reliably, it is interesting
to take a look at some protocol-level issues. In other words, once we know
how to hide a certain amount of data within a host signal, we still need
to investigate how the hidden data can be used in real applications such
as, for example, copyright protection or data authentication. Moreover, it
is instructive to analyze the requirements that protocol issues set on data
hiding technology and, viceversa, how technological limitations impact protocol
design.
The use of digital watermarking for copyright protection is a good example
to clarify the close interaction between data hiding and protocol-level
analysis. Suppose, for example, that watermarking has to be used to unambiguously
identify the owner of a multimedia document. One may simply
insert within the document a watermark code with the identity of the document
owner. Of course, the watermark must be as robust as possible,
otherwise an attacker could remove the watermark from the document and
replace it with a new watermark containing his/her name. However, more
subtle attacks can be thought of, thus calling for a more clever use of watermarking.
Suppose, for example, that instead of attempting to remove
the watermark with the true data owner, the attacker simply adds his/her
own watermark to the watermarked document. Even by assuming that the
new watermark does not erase the first one, the presence within the document
of two different watermarks makes it impossible to determine the
true document owner by simply reading the waterrnark(s) contained in it.
To be specific, let us assume that to protect a work of her (the asset
A), Alice adds to it a watermark with her identification code w_46,
thus producing a watermarked asset AVA = A + w^7, then she makes
A-WA publicly available. To confuse the ownership evidence provided by
the watermark, Bob takes the watermarked image and adds to it his own
watermark WB, producing the asset AWAWB = A + w^ + w#. It is now
impossible to decide whether AvlAVfB belongs to Bob or Alice since it contains
both Alice's and Bob's watermarks. To solve the ambiguity, Alice
and Bob could be asked to show if they are able to exhibit a copy of the
asset that contains their watermark but does not contain the watermark
of the other contender. Alice can easily satisfy the request, since she owns
the original asset without Bob's identification code, whereas this should
not be possible for Bob, given that the asset in his hands is a copy of the
asset with Alice's watermark. However, further precautions must be taken,
not to be susceptible to a more subtle attack known as the SWICO attack
(Single-Watermarked-Image-Counterfeit-Original)8. Suppose, in fact, that
6We assume, for simplicity, that w^ = b^
7The symbol + is used to indicate watermark casting since we assume, for simplicity,
that the watermark is simply added to the host image
8The attack described here is a simplified version of the true SWICO attack which
The SWICO attack, part (a). Bob subtracts his watermark WB from
the asset in his hands, maintaining that this is the true original asset. In this
way the public asset seems to contain Bob's watermark.
the watermarking technique used by Alice is not blind, i.e. to reveal the
presence of the watermark the detector needs to compare the watermarked
asset with the original one. For instance, we can assume that the watermark
is detected by subtracting the original asset from the watermarked
one. Alice can use the true original asset to show that Bob's asset contains
her watermark and that she possesses an asset copy, A^A containing WA
but not WB, in fact:
A^
- A = A + WA + WB - A = WA + ws, (1-10)
which proves that A-
- A = A + WA-^^ WA, (1.11)
B contains WA (as well as WB), and that AWA
contains WA but does not contain WBThe
problem is that Bob can do the same thing by building a fake
original asset Af to be used during the ownership verification procedure.
By referring to figures 1.5 and 1.6, it is sufficient that Bob subtracts his
watermark from j4Wj4, maintaining that the true original asset is Af =
AVJA ~ WB = A + WA — ws. In this way Bob can prove that he possesses
an asset, namely the public asset A-WA, that contains WB but does not
contain WA-
The SWICO attack, part (b). Bob subtracts his watermark WB from
the asset in his hands, maintaining that this is the true original asset. In this
way the original asset in Alice's hands seems to contain Bob's watermark.
As it can be seen, the plain addition of a non blind watermark to a piece
of work is not sufficient to prove ownership, even if the watermark can not
be removed without destroying the host work.
More details about the characteristics that a watermark must have in
order to be immune to the SWICO attack will be given below (section
1.2.7), here we only want to stress out that watermarking by itself is not
sufficient to prevent abuses unless a proper protection protocol is established.
In the same way, the exact properties a watermarking algorithm
must satisfy can not be denned exactly without considering the particular
application scenario the algorithm has to be used in.
Having said that an exact list of requirements of data hiding algorithms
can not be given without delving into application details, we now discuss
the main properties of data hiding algorithms from a protocol perspective.
In most cases, a brief analysis of such properties permits to decide whether
a given algorithm is suitable for a certain application or not, and can guide
the system designer in the choice of an algorithm rather than another.
1.2.1 Capacity of watermarking techniques
Although in general the watermarking capacity does not depend on the
particular algorithm used, but it is rather related to the characteristics of
the host signal, of the embedding distortion and of the attack strength (this
will be more evident in chapter 9), it makes also sense to speak about the
capacity of a given technique, as the amount of information bits that it
is able to, more or less reliably, convey. As it can be readily understood,
capacity is a fundamental property of any watermarking algorithm, which
very often determines whether a technique can be profitably used in a given
context or not. Once again, no requirements can be set without considering the application the technique has to serve in. Possible requirements
range from some hundreds of bits in security-oriented applications, where
robustness is a major concern, through several thousands of bits in applications
like captioning or labeling, where the possibility of embedding a
large number of bits is a primary need.
Generally speaking, capacity requirements always struggle against two
other important requirements, that is watermark imperceptibility and watermark
robustness (figure 1.7). As it will be clear from subsequent chapters,
a higher capacity is always obtained at the expense of either robustness
or imperceptibility (or both), it is thereby mandatory that a good trade-off
is found depending on the application at hand.
1.2.2 Multiple embedding
In some cases the possibility of inserting more than one watermark is requested.
Let us consider, for example, a copyright protection scheme, where
each protected piece of data contains two watermarks: one with the identity
of the author of the work and one indicating the name of the authorized
consumer. Of course, algorithms enabling multiple watermark embedding
must grant that all the watermarks are correctly read by the decoder. In
addition, the insertion of several watermarks should not deteriorate the
quality of the host data. In applications where watermark robustness is
required, the necessity of allowing the insertion of several watermarks also
derives from the observation that the insertion of a watermark should not
prevent the possibility of reading a preexisting watermark. If this was the
case, in fact, watermark insertion would represent an effective mean at
everyone's disposal to make a preexisting watermark unreadable without
perceptible distortion of the host signal, thus nullifying any attempt to
make the watermark robust.
Though necessary in many cases, the possibility of inserting more than
one watermark must be carefully considered by system designers, since
hidden within the protected piece of work (see the SWICO attack described
previously).
1.2.3 Robustness
Watermark robustness accounts for the capability of the hidden data to survive
host signal manipulation, including both non-malicious manipulations,
which do not explicitly aim at removing the watermark or at making it unreadable,
and malicious manipulations, which precisely aims at damaging
the hidden information.
Even if the exact level of robustness the hidden data must possess can
not be specified without considering a particular application, we can consider
four qualitative robustness levels encompassing most of the situations
encountered in practice:
• Secure watermarking', in this case, mainly dealing with copyright protection,
ownership verification or other security-oriented applications,
the watermark must survive both non-malicious and malicious manipulations.
In secure watermarking, the loss of the hidden data should
be obtainable only at the expense of a significant degradation of the
quality of the host signal. When considering malicious manipulations
it has to be assumed that attackers know the watermarking algorithm
and thereby they can conceive ad-hoc watermark removal strategies.
As to non-malicious manipulations, they include a huge variety of
digital and analog processing tools, including lossy compression, linear
and non-linear filtering, cropping, editing, scaling, D/A and A/D
conversion, analog duplication, noise addition, and many others that
apply only to a particular type of media. Thus, in the image case,
we must consider zooming and shrinking, rotation, contrast enhancement,
histogram manipulations, row/column removal or exchange; in
the case of video we must take into account frame removal, frame
exchange, temporal filtering, temporal resampling; finally, robustness
of an audio watermark may imply robustness against echo addition,
multirate processing, reverb, wow-and-flutter, time and pitch scaling.
It is, though, important to point out that even the most secure system
does not need to be perfect, on the contrary, it is only needed that a
high enough degree of security is reached. In other words, watermark
breaking does not need to be impossible (which probably will never
be the case), but only difficult enough.
• Robust watermarking: in this case it is required that the watermark
be resistant only against non-malicious manipulations. Of course,
robust watermarking is less demanding than secure watermarking.
Application fields of robust watermarking include all the situations
in which it is unlikely that someone purposely manipulates the host
data with the intention to remove the watermark. At the same time,
the application scenario is such that the, so to say, normal use of data
comprises several kinds of manipulations which must not damage the
hidden data. Even in copyright protection applications, the adoption
of robust watermarking instead than secure watermarking may be
allowed due to the use of a copyright protection protocol in which all
the involved actors are not interested in removing the watermark9.
• Semi-fragile watermarking: in some applications robustness is not a
major requirement, mainly because the host signal is not intended to
undergo any manipulations, but a very limited number of minor modifications
such as moderate lossy compression, or quality enhancement.
This is the case, for example, of data labelling for improved archival
retrieval, in which the hidden data is only needed to retrieve the host
data from an archive, and thereby it can be discarded once the data
has been correctly accessed. It is likely, though, that data is archived
in compressed format, and that the watermark is embedded prior to
compression. In this case, the watermark needs to be robust against
lossy coding. In general, we say that a watermark is semi-fragile if
it survives only a limited, well-specified, set of manipulations leaving
the quality of the host document virtually intact.
• Fragile watermarking: a watermark is said to be fragile, if the information
hidden within the host data is lost or irremediably altered
as soon as any modification is applied to the host signal. Such a
loss of information may be global, i.e. no part of the watermark can
be recovered, or local, i.e. only part of the watermark is damaged.
The main application of fragile watermarking is data authentication,
where watermark loss or alteration is taken as an evidence that data
has been tampered with, whereas the recovery of the information
contained within the data is used to demonstrate data origin10.
9 Just to give an example, consider a situation in which the ownership of a digital document
is demonstrated by verifying that the owner name is hidden within the document
by means of a given watermarking technique. Of course, the owner is not interested in
removing his/her name from the document. Here, the main concern of system designer
is not robustness, but to make it impossible that a fake watermark is built and inserted
within the document. At the same time, the hidden information must survive all the
kinds of non-malicious manipulations the rightful owner may want to apply to the host
document.
10Interesting variations of the previous paradigm, include the capability to localize
tampering, or to discriminate between malicious and innocuous manipulations, e.g. mod
Even without going into much details (which will be the goal of next
chapters), we can say that robustness against signal distortion is better
achieved if the watermark is placed in perceptually significant parts of the
signal. This is particularly evident if we consider the case of lossy compression
algorithms, which operate by discarding perceptually insignificant data
not to affect the quality of the compressed image, audio or video. Consequently,
watermarks hidden within perceptually insignificant data are likely
not to survive compression.
Achieving watermark robustness, and, to a major extent, watermark
security, is one of the main challenges watermarking researchers are facing
with, nevertheless its importance has sometimes been overestimated at the
expense of other very important issues such as watermark capacity and
protocol-level analysis.
1.2.4 Blind vs. non-blind recovery
A watermarking algorithm is said blind if it does not resort to the comparison
between the original non-marked asset and the marked one to recover
the watermark. Conversely, a watermarking algorithm is said non-blind if
it needs the original data to extract the information contained in the watermark.
Sometimes blind techniques are referred to as oblivious, or private
techniques. However, we prefer to use the term blind (or oblivious) for algorithms
that do not need the original data for detection and leave the term
private watermarking to express a different concept (see next subsection).
Early works in digital watermarking insisted that blind algorithms are
intrinsically less robust than non-blind ones, since the true data in which
the watermark is hidden is not known and must be treated as disturbing
noise. However, this is not completely true, since the host asset is known
by the encoder and thus it should not be treated as ordinary noise, which
is not known either by the encoder or by the decoder. Indeed, it can be
demonstrated (see chapter 9) that, at least in principle, and under some
particular hypotheses, blindness does not cause any loss of performance,
neither in terms of capacity nor robustness. At a more practical level,
blind algorithms are certainly less robust than non-blind ones, even if the
loss of performance is not as high as one may expect. For example, by
knowing the original, non-marked, non-corrupted asset some preprocessing
can be carried out to make watermark extraction easier, e.g. in the case
of image watermarking, rotation and magnification factors can be easily
estimated and compensated for if the non-marked image is known.
Very often, in real-world scenarios the availability of the original host
asset can not be warranted, thus making non-blind algorithms unsuitablefor many practical applications. Besides, as it is summarized below, this
kind of algorithms can not be used to prove rightful ownership, unless additional
constraints regarding the non-quasi-invertibility of the watermark
are satisfied.
In the rest of this book we will focus only on blind watermarking, being
confident that the extension of most of the concepts we will expose to the
non-blind case is trivial.
1.2.5 Private vs. public watermarking
A watermark is said private if only authorized users can recover it. In other
words, in private watermarking a mechanism is envisaged that makes it impossible
for unauthorized people to extract the information hidden within
the host signal. Sometimes by private watermarking, non-blind algorithms
are meant. Indeed, non-blind techniques are by themselves private, since
only authorized users (e.g. the document owner) can access the original
data needed to read the watermark. Here, we extend the concept of privateness
to techniques using any mechanism to deny the extraction of the
watermark to unauthorized personnel. For instance, privateness may be
achieved by assigning to each user a different secret key, whose knowledge
is necessary to extract the watermark from the host document. In contrast
to private watermarking, techniques allowing anyone to read the watermark
are referred to as public.
Due to Kerkhoff's principle that security can not be based on algorithm
ignorance, but rather on the choice of a secret key, it can be concluded that
private watermarking is likely to be significantly more robust than public
watermarking, in that, once the embedded code is known, it is much easier
for an attacker to remove it or to make it unreadable, e.g. by inverting
the encoding process or by encoding an inverse watermark. Note that the
use of cryptography does not help here, since once the embedded bits have
been read, they can be removed even if their meaning is not known because
they have been previously encrypted.
1.2.6 Readable vs. detectable watermarks
As stated in section 1.1 (see figure 1.4), an important distinction can be
made between data hiding schemes where the embedded code can be read,
and those in which the embedded information can only be detected. In the
former case (readable watermarking), the bits contained in the watermark
can be read without knowing them in advance, whereas in the latter case
(detectable watermarking), one can only verify if a given code is present
in the document. In other words, with detectable watermarking, the watermark
presence can only be revealed if the watermark content is known
in advance. Of course, detectable watermarking techniques are intrinsically
private, since it is impossible for an attacker to guess the content of
the watermark without knowing anything about it, this being especially
true if the information to be embedded in the data is encrypted prior to
watermark insertion.
The readable/detectable nature of the hidden data heavily affects the
way such data can be used in practical applications. Indeed readable watermarking
is by far more flexible than detectable watermarking, since the
a priori knowledge of the watermark content can not always be granted
from an application point of view, thus making the usage of this kind of
algorithms in practical scenarios more cumbersome. On the contrary, a detectable
watermark is intrinsically more robust than a- readable one, both
because it conveys a smaller payload and because of its inherently private
nature. As an example, let us consider a situation in which one wants to
know the owner of a piece of work downloaded somewhere in Internet. Suppose
that the owner identification code has been hidden within the work
itself. If a detectable scheme was used, there would be no mean to read
the owner name, since the user does not know in advance which watermark
he has to look for. On the contrary, this would be possible if readable
watermarking was used.
Note that given a readable watermarking scheme, the construction of
detectable scheme is straightforward; it only needs to add a module that
compares the retrieved information b against the to-be-searched code b*
(figure 1.8). As it will be shown in chapter 3, several methods also exist to
build a readable watermarking scheme by starting from a detectable one.
1.2.7 Invertibility and quasi-invertibility
The concept of watermark invertibility arises when analyzing at a deeper
level the SWICO attack described previously. At the heart of the attack
there is the possibility of reverse engineering the watermarking process,
i.e. the possibility of building a fake original asset and a fake watermark
such that the insertion of the fake watermark within the fake original asset
No comments:
Post a Comment