1 Introduction

Information assurance has attracted worldwide attention as a major and challenging multimedia security problem [3, 18, 22, 38, 39, 48]. Recently, we have witnessed a tremendous growth in multimedia (e.g., image, video, audio, etc.) applications, which is dramatically changing our life and continually impacting our research, business and economy. This growth, however, is also raising serious security concerns at the same time. An immediate threat, posed by the ready availability of sophisticated multimedia processing tools, is the diminishing trustworthiness of multimedia information. As a result, digital watermarking has been proposed as an enabling data-hiding technology leading to developing many self- authentication watermarking (SAW) schemes [4, 8, 14, 25, 27, 30, 41, 42, 45, 46].

The SAW schemes, as a general form of multimedia authentication tool, authenticate the semantic content of multimedia information such as images and videos using self-embedded watermark(s), with localisation and recovery of any possible alteration. There are different flavours in their construction (e.g., content authentication, self-embedding, self-recovery schemes) and application areas (e.g., image and video). In this paper, however, we mainly focus on the SAW schemes that are based on the block-wise dependent fragile watermarking principle and their applications to digital images. Although we develop and present the general model for these schemes in Section 3, the basic idea is that an input image is divided into non-overlapping blocks, and a watermark for each block is embedded into its mapped block. A mapping transform is used to generate the block-mapping sequence for a given set of block indexes. In the detection process, any possible alteration in an image is detected by comparing the embedded watermark(s) with the regenerated watermark(s). For a match, a detector authenticates the input image, otherwise it marks the image as tampered and attempts to localise and recover the tampered blocks.

Despite the continuing interest in developing new SAW schemes, disregard for their security analysis seems to impair their potential for the multimedia applications. One reason behind this disregard perhaps is the wrong consideration of active attacks [33, 35]. SAW schemes are usually based on the fragile watermarking, where active attacks that directly alter image contents are usually ignored. It is considered by the fragile watermarking property that the watermarks would be invalid for minimum possible changes in a watermarked image, and thus those attacks can be detected. This consideration, however, leaves an opportunity for the attackers to counterfeit a detector, by keeping the embedded watermarks valid for the alterations. We call those active attacks counterfeiting attacks. Consequences of those attacks, though can be unarguably severe, have not been properly realised yet. As a result, the security level of many SAW schemes remains undetermined.

The primary contributions presented in this article are three new counterfeiting attack models and an extended SAW model to facilitate the systematic development and formal security analysis of the SAW schemes. We start with reviewing the weaknesses and existing counterfeiting attacks (Section 2) and develop a general SAW model (Section 3). In developing the identified attack models, we then show how several adversary actions may apply and win in different levels of counterfeiting instances by exploiting the weaknesses of SAW schemes (Section 4). These attack models generalize all possible counterfeiting instances in three main security levels (Section 5). We present examples and experimental results to validate the practicality of the identified attacks and thereby to demonstrate how a SAW scheme may violate a systematic definition of security (Section 6). To avoid the weaknesses and counteract the identified attacks, we further outline a set of requirements and discuss some general guidelines for the SAW schemes. This finally leads us to developing an extended SAW model (Section 7). We also discuss a few open challenges in the development and formal analysis of SAW schemes based on the proposed SAW model (Section 8).

2 Review of counterfeiting weaknesses and attacks

In this section, we review weaknesses of the SAW schemes and relevant counterfeiting attacks. A SAW scheme may also have some performance issues like “inefficient” localisation and “poor quality” restoration. For example, tampering of one image block may lead to its mapped block to be marked as tampered (in addition to the real tampered block). Additionally, limited embedding capacity may often result in poor quality restoration of the tampered image blocks. However, in this paper, we are more interested in some of the schemes’ general weaknesses that can be exploited for counterfeiting attacks.

2.1 Counterfeiting weaknesses

The SAW schemes are promising for image content authentication and integrity verification with possible localisation and recovery of tampered image blocks. Without rigorous security analysis, their present development aims at improving localization-accuracy and restoration-quality. Consequently, they seem to have a number of weaknesses, which we now discuss.

Weak block-mapping transform

SAW schemes usually employ a block-mapping sequence to obtain block-wise dependence property. This property helps avoid vector quantisation (VQ) weaknesses, which will be discussed below in Section 2.2. For the block-mapping sequence generation, although a non-linear transform is recently studied in [20]; a common approach is to use a linear transform such as using fixed offset [12], 1D-transformation [8, 24, 27, 46], or 2D-transformation [28]. The block-mapping weakness of a linear block-mapping transform mainly stems from choosing a key from a key-space of the range of block indexes. For example, for an image of size 512 × 512 and a block of size 4×4, the range of the block indexes is [1,16384] (i.e., \([1, \frac {512}{4}\times \frac {512}{4}]\)). Such an “incongruously” small key space speeds up the process of block-mapping sequence recovery to only a fraction of a second (considering a typical key search time for the key-space using a Brute-force attack [36]).

Lack of collision resistance

SAW schemes generally consider that any alteration in a valid watermarked image makes the embedded watermark invalid, as mentioned in Section 1. However, a detector can be deceived, if the embedded watermark remains valid for any possible alteration. Various local features (e.g., average intensity, transform or quantisation coefficients) of an image are used for the authentication watermark generation. Although these features facilitate the recovery process, they posses no or little “collision resistance”. Footnote 1 Such SAW schemes therefore may no longer be reliable and in a more strict sense, seem to violate the systematic definition of security.

2.2 Counterfeiting attacks

Security aspects of the SAW schemes have attracted very limited attention in research. A few works [5, 15, 19, 21] have studied some counterfeiting possibilities for earlier schemes as follows.

The vector quantisation attack [21] (or VQ attack) and collage attack [15] are the initial counterfeiting attacks studied on some SAW schemes that embed watermarks into the host images in a block-wise independent fashion. Holliman and Memon [21] showed that there exists equivalence classes for each block containing a similar watermark for a given key, and thus the block is susceptible to the VQ attack. The collage attack is based on the same principle but assumes that an attacker has only a set of (large number) valid images watermarked with the same key and watermark. Thus an attacker replaces a set of valid image blocks with a set of collage blocks (i.e., a set of chosen blocks from the equivalence class) and wishes to validate those collage blocks for the key and original watermarks. Although the equivalence class principle is the key idea of the VQ and collage attacks, the principle is considered inapplicable, if the watermarks are block-wise dependent, and thus those attacks become invalid [5, 19]. (We will show, however, in Section 4.3 that the equivalence class principle can also be partially extended to the block-wise dependent watermarks).

Therefore, to avoid the VQ and collage attacks, SAW schemes are later designed to have the block-wise dependence; however, counterfeiting weaknesses in those schemes have also been reported. He et al. [19] showed the possibility of unauthorised recovery of the mapping sequence and secret key by using verification device attack and exhaustive key search, respectively. Subsequently, Chang et al. [5] proposed a four-scanning attack to obtain the secret mapping sequence. In a verification device attack, the attacker tampers with the embedded watermark of a block, and observes corresponding location of the mapped block as detected tampered. Consequently, the corresponding mapped image block is marked as tampered and the attacker comes to know which block it is mapped to, for a given block. The attacker thus continues verification for a set of input blocks of a valid watermarked image to recover their mapping sequence. In an exhaustive key search, an attacker tries all possible keys to find the correct mapping sequence, for which the regenerated watermark of each block will match with its original watermark embedded in the respective mapped block. In a four-scanning attack, like the exhaustive key search, an attacker applies an exhaustive search, but not for the secret key; rather the attacker aims to recover the mapping sequence.

In addition to those secret recovery attacks, some particular counterfeiting scenarios have also been studied. He et al. [19] illustrated a counterfeiting scenario called synchronous attack, where with the knowledge of the secret mapping sequence, an attacker modifies the chosen block(s) of a valid watermarked image keeping their original watermark(s) valid for the modification. Similarly, Chang et al. [5] presented a counterfeiting scenario called constant-average attack, which first modifies a block and then adjusts the pixels of the block such that their average intensity matches that of the original block.

In summary, the above studies [5, 19] mainly aimed at the unauthorised recovery of secret parameters (i.e., key or mapping sequence) exploiting the weaknesses of some SAW schemes. However, neither the weaknesses themselves nor the recovery of secret parameters demonstrate their practical consequences in an application. Although, those studies also illustrated particular counterfeiting instances, there can be many other counterfeiting possibilities for their studied schemes [11, 27, 47] and other similar schemes as well. Therefore, to generalise all possible counterfeiting instances at three levels of modification of a valid watermarked image, we studied three new counterfeiting attacks, developed their models, and defined their win conditions. We presented our early results for those attacks in [34].

In this paper, we extend our previous work [34] by developing a SAW model. We present three counterfeiting attacks valid for the SAW model and later extended the model to avoid the counterfeiting weaknesses. We also substantially revise our previous work with further technical details and clarification. Particularly, we demonstrate the counterfeiting consequences for the SAW schemes with new experimental results in different image applications. A set of requirements for the SAW schemes is determined, which was not studied and presented in the literature, as we will argue in Section 7. Our conjecture is, this gap in the literature is the main source of many protocol weaknesses and security problems of the SAW schemes including what we will discuss in this paper. Because, if the requirements are not properly considered for an application scenario, a scheme may be able to achieve the intended goals, but it can be still vulnerable to the attacks (as will be demonstrated in Section 6). Finally, considering those requirements, we extend the SAW model to resist the counterfeiting attacks.

3 Developing a general SAW model

In this section, we develop and describe a general model for the SAW schemes, which are based on the the block-wise dependent fragile watermarking principle (as mentioned in Section 1). The developed model, illustrated in Model 1, thus simplifies the realisation of a case of SAW schemes, which our identified attacks are valid for. For the model, we adopt necessary notations from the formal model of digital watermarking in [31, 32, 35].

We define a SAW scheme with three basic functions: watermark generation, G(⋅), watermark embedding, E(⋅), and watermark detection, D(⋅). The generation function generates the watermark: w = G(i)={0,1}+. The embedding function embeds the watermark, w in an input image, i with a secret key, k, and thus outputs a watermarked image, \(\bar {i}\) such that \(E_{k}\left (i,w\right )=\bar {i}\). The detection function, on the other hand, verifies \(\bar {i}\) with the detection key, k such that \(D_{k}\left (\bar {i}\right )\neq \bot \), where ‘ ⊥’ denotes a failure. D(⋅) also performs a few additional tasks (e.g., tampering localisation and recovery as showed in Step 3 and 7 in Model 1).

figure d

A SAW scheme operates on image blocks. The scheme divides a given input image, i into non-overlapping blocks, {B n } and sub-blocks, \(\left \{ {B_{n}^{l}} \right \}\) such that \(i = \left \{ B_{n} \right \} = \left \{{B_{n}^{l}} \right \}\).Similarly, \(w = \left \{ w_{n} \right \} = \left \{ {w_{n}^{l}} \right \}\), and \(\bar {i} = \left \{\bar {B}_{n} \right \} = \left \{ \bar {B}_{n}^{l} \right \}\). Here, l and n denote the indexes of the sub-blocks and blocks respectively. For example, l∈{1,…,4} and n∈{1,2,…, N b } are the indexes of the 4 × 4 sub-block and 8 × 8 image block, where \(N_{b} = \left (\frac {M}{8}\times \frac {N}{8}\right ) \) and M × N is the image size. Note here that not all SAW schemes operate on the sub-blocks, where l = 1 and an image is thus simply a set of image blocks, i.e., i = {B n } or \(\bar {i} = \left \{ \bar {B}_{n} \right \}\).

In embedding, a mapping function, M a p(⋅) is used to achieve the block-wise dependence. This function generates a mapping sequence and rearranges its input blocks according to the generated mapping sequence such that i.e., \(\{{w_{q}^{l}}\} \leftarrow Map\left (\{{w_{n}^{l}}\}, k\right )\) or \(\{{B_{q}^{l}}\} \leftarrow Map\left (\{{B_{n}^{l}}\}, k\right )\). For generating a mapping sequence, different mapping transform can be used in M a p(⋅), as discussed in Section 2.1. However, for the considered case of SAW schemes, the mapping sequence, {q} is generated for the block indexes, {n}, using the secret key, k, such that q = [(k × n)m o d N b ]+1 for all n, where k is a prime number and usually chosen from the range of [2, N b ]. Finally, block-wise dependence is achieved by embedding the mapped blocks’ watermarks into the input image blocks, i.e., \(E:\left \{ {B_{n}^{l}} \right \} \times \left \{ {w_{q}^{l}} \right \} \rightarrow \left \{ \bar {B}_{n}^{l} \right \}\) .

To verify \(\bar {i}\), D(⋅) regenerates watermarks and extracts their original version from \(\bar {i}\) such that \(G:\left \{ \bar {B}_{n}^{l} \right \} \rightarrow \left \{ wne{w_{n}^{l}} \right \}\), and \(E^{-1}\left (\{\bar {B}_{n}^{l}\}, \,Map(\cdot ), k\right )\rightarrow \left \{ \tilde {w}_{n}^{l}\right \}\), for all l and n. Here, \(\left \{ wne{w_{n}^{l}} \right \} = wnew\) and \(\left \{ \tilde {w}_{n}^{l} \right \} = \tilde {w}\) denote the regenerated and extracted versions of w. Ideally, \(wnew = \tilde {w}= w\), but assuming a few possible bit errors in \(\tilde {w}\) (usually addressed by some error correction code) and possible adversary actions leading to a different wnew, they are differently denoted. The extraction function, E −1(⋅) is the inverse of E such that E −1(⋅) extracts the bits (considering them as watermark bits) from the same embedding locations in \(\bar {i}\). As shown in Model 1, D(⋅) then block-wise authenticates \(\bar {i}\) using V e r i f y(⋅) as follows: for all l and n,

$$ \mathit{Verify}\left( \bar{B}_{n}^{l}, \tilde{w}_{n}^{l}, {\mathit{wne}{w_{n}^{l}}}\right)= \left\{\begin{array}{ll} \bar{B}_{n}^{l}, &\text{for}~\tilde{w}_{n}^{l} = {\mathit{wne}{w_{n}^{l}}} \\ \bar{\bar{B}}_{n}^{l}, &\text{otherwise} \end{array}\right. $$
(1)

Any tampered blocks \(\left \{\bar {\bar {B}}_{n_{1}}^{l}\right \}\), where {n 1}⊆{n}, are then recovered using the recovery function, R e c o v e r(⋅) such that \(\{\tilde {B}_{n_{1}}^{l}\} \leftarrow Recover\left (\{\bar {\bar {B}}_{n_{1}}^{l}\}, \{\tilde {w}_{n_{1}}^{l}\}\right )\). If no tampered blocks are found, D(⋅) returns a pass, ⊤ indicating the input image is authentic. Otherwise, the tampering localized and recovered images, \(\bar {\bar {i}}=\{\bar {\bar {B}}_{n_{1}}^{l}\} \cap \{\bar {B}_{n-n_{1}}^{l}\}\) and \(\tilde {i}=\{\tilde {B}_{n_{1}}^{l}\} \cap \{\bar {B}_{n-n_{1}}^{l}\}\) are output, respectively.

Therefore, in SAW schemes, D(⋅) performs verification in two phases: authentication, and tampering localization and recovery. For the security analysis, however, we only consider here the authentication phase, where an attacker is particularly interested to break in. For an authentic and un-tampered watermarked image, \(\bar {i}\), thus there exists a match between \(\left \{ \tilde {w}_{n}^{l} \right \}\) and \(\left \{ wne{w_{n}^{l}} \right \}\) such that \(D_{k}:\left \{ \bar {B}_{n}^{l} \right \}\neq \bot \) or simply \(D_{k}\left (\bar {i} \right ) \neq \bot \). With satisfying this property of D(⋅), we will show in the following sections, how an attacker may modify \(\bar {i}\) in different counterfeiting scenarios.

4 New counterfeiting attacks

In a general counterfeiting scenario, a valid watermarked image is maliciously manipulated to get undetectably verified. Consider an attacker outputs an attacked image, \(\bar {i}_{a}\) (which is a maliciously modified version of a valid watermarked image, \(\bar {i}=E_{k}\left \{i, w\right \}\)) and wishes to verify \(\bar {i}_{a}\) as authentic. We note here that, \(\bar {i}_{a}\) and \(\bar {i}\) may or may not be “perceptually similar” to each other depending on the intended use of \(\bar {i}_{a}\). (Perceptual similarity is a watermarking property that defines the minimum distances or dissimilarities between the perceptual content of two images. For more precise definition, see ref. [31, 35].) Additionally, \(\bar {i}_{a}\) may have either an original or new watermark, w or w a , respectively. As a detector authenticates \(\bar {i}\) with \(D_{k}\left (\bar {i} \right ) \neq \bot \), we can also define a general win condition (irrespective of the attacker’s capability) to determine a successful counterfeiting attack.

Definition 1 (Win condition)

An attacker outputs an attacked image, \(\bar {i}_{a}\) for a SAW scheme, and wins with \(D_{k}\left (\bar {i}_{a} \right ) \neq \bot \).

An attacker’s capability and intention, however, play an important role in counterfeiting attacks. Attackers of different capabilities (e.g., to choose input image(s) with/without watermark(s), to access to component functions or to know the secret parameters of a scheme) and intentions (e.g., what the attacked image is to be used for) may output an attacked image in different ways to satisfy the win condition. In practice, it is reasonable in attack modelling to assume the expected capabilities of an attacker. While a strong attacker may have access to all watermarking functions and can choose a watermark or a set of watermarked images, a weak attacker may only work on a single (or more) watermarked image(s) and with any disclosed secret information.

Depending upon the capability and intention, an attacker may recover the secret parameters (i.e., key or mapping sequence) using different methods: exhaustive key search [19], verification device attack [19], or a four-scanning attack [5] as discussed in Section 2.2. We propose here another effective approach, G e t m a p(⋅) for the mapping sequence recovery by combining the four-scanning attack with the verification device attack. In the G e t m a p(⋅), the exhaustive search principle of four-scanning attack is used to generate initial mapping sequence, and then the verification device attack principle is used to correct the sequence. The main difference between the G e t m a p(⋅) and those above mentioned methods is that G e t m a p(⋅) can operate on a set of watermarked images (watermarked with the same key), instead of only one watermarked image for mapping sequence recovery.

Moreover, the output obtained from G e t m a p(⋅) can be exploited in different ways to modify a (valid) watermarked image and to satisfy the win condition. To demonstrate this, we propose three new counterfeiting attacks; namely, Counterfeiting Attack 1, Counterfeiting Attack 2, and Counterfeiting Attack 3. We discus the G e t m a p(⋅) and the identified attacks, and develop their models below. (As discussed in [31, 32, 35], we use XY to denote that two images X and Y are perceptually similar, and X?Y to denote that they are not perceptually similar).

4.1 The getmap function

The block mapping sequence of a SAW scheme can be recovered without authorisation (i.e., without knowing the secret key). To this, G e t m a p(⋅) is developed, which outputs a complete (or partial) set of mapped block indexes using G(⋅) and the inverse of the modified embedding function, E m b e d(⋅). The watermark is generated using G(⋅) such that \(G(\cdot ):\left \{\bar {B}_{u}^{l} \right \} \rightarrow \left \{wne{w_{u}^{l}}\right \}\), where wnew is the regenerated version of the w. Here, {u}⊆{n} is the set of indexes of the selected blocks \(\left \{{B_{u}^{l}}\right \}\) that the attacker wants to modify. Further, E m b e d −1(⋅) is used to extract the original watermarks, w embedded in the blocks \(\left \{\bar {B}_{u}^{l}\right \}\) such that \(Embed^{-1}:\left \{\bar {B}_{u}^{l}\right \} \rightarrow \left \{\tilde {w}_{u}^{l}\right \}\), where \(\tilde {w}\) is the extracted version of the w. It is worth noting here that, unlike E k (⋅), E m b e d(⋅) embeds the watermark(s) directly into the block(s) without the secret mapping sequence (and thus without the key) such that \(Embed:\left \{{B_{u}^{l}}\right \} \times \left \{{w_{u}^{l}}\right \}\rightarrow \left \{\bar {B}_{u}^{l}\right \}\). So, the extracted watermark(s) using E m b e d −1(⋅) remains in the order as they were embedded, which suggests that the match between two versions of block-wise watermarks, \(\left \{wne{w_{u}^{l}}\right \}\) and \(\left \{\tilde {w}_{u}^{l}\right \}\) may lead to the secret mapping sequence. G e t m a p(⋅) also attempts to correct any ambiguous pairs (i.e., an index pair is ambiguous to another pair, when they have a common mapped block index). This is illustrated in Model 2.

figure e

We show G e t m a p(⋅) here as one of a few possible options to recover the mapping sequence. As a distinctive feature, G e t m a p(⋅) allows an attacker to use a set of watermarked images to obtain an unambiguous mapping sequence. In Model 2, the basic G e t m a p(⋅) model is shown to operate on a single watermarked image, \(\bar {i}\). However, note that it can also operate on a set of V–valid watermarked images, \(\left \{\bar {i}_{v}:\bar {i}_{v}=E_{k}\left (i_{v},w_{v}\right )\right \}\) for all v∈{1,⋯ , V}. In other words, when an attacker has a set of images watermarked using the same embedding key, G e t m a p(⋅) can operate on the images \(\left \{\bar {i}_{v}\right \}\) to get the mapped indexes of the selected image blocks more efficiently. Once the key or mapping sequence is known, there is an open opportunity for an attacker to output successful attacked images with not only malicious, but also “meaningful” modifications. (A “meaningful” modification roughly means that the modification has visual semantic in the application context).

4.2 Counterfeiting attack 1

An attacker, without any specific use of the attacked image in mind, may wish to modify a watermarked image simply with manipulating the pixel locations. The image pixels can be rearranged such that original watermarks remain valid for the new orientation of original pixels. An attacker modifies neither any pixels nor their watermarks to output such an attacked image. However, the attacked image may be perceptually different from the input (valid watermarked) image for the new orientation of original pixels. The adversary actions in this scenario form our Counterfeiting Attack 1. Two cases can be studied here.

Entire block swap

In this case, an attacker is interested in all image blocks and swaps all of them with their mapped blocks. Thus, the pixels of an image (or image blocks) remain the same as the watermarked image but with different orientation (i.e., their original blockindexes are now their mapped indexes, and vice versa). We call this swap of all image blocks as entire block swap.

Selected block swap

In this case, an attacker is interested in a particular set of image block(s) rather than all the blocks in an image. Here, an attacker chooses a set of blocks to swap, which requires correction of the orientation of swapped blocks’ watermarks to remain valid [34]. We call this selected block swap.

Model 3 illustrates the general steps of the Counterfeiting Attack 1. For an entire block swap, the attacker simply interchanges all the blocks, \(\left \{\bar {B}_{u}^{l}\right \}|_{u=n}\) with their respective mapped blocks, \(\left \{\bar {B}_{uu}^{l}\right \}|_{uu=q}\) (see Step 7 and 8 of the model). On the other hand, Steps 3–5 describe a selected block swap. Here, as mentioned above, watermarks embedded in \(\left \{\bar {B}_{u}^{l}\right \}\) —the selected blocks, \(\left \{\bar {B}_{uu}^{l}\right \}\)—the mapped blocks of \(\left \{\bar {B}_{u}^{l}\right \}\), and \(\left \{\bar {B}_{uux}^{l}\right \}\) —the mapped blocks of \(\left \{\bar {B}_{uu}^{l}\right \}\) need watermark correction along with the interchange between \(\left \{\bar {B}_{u}^{l}\right \}\) and \(\left \{\bar {B}_{uu}^{l}\right \}\). Finally, in both cases, an attacker outputs an attacked image, \(\bar {i}_{a}\). In this attack scenario, an attacker can also shuffle all the pixels in a selected block to introduce a more “meaningful” modification with \(\bar {i}_{a}\), keeping respective watermarks’ locations unchanged. Considering the inputs of the model 3, the Counterfeiting Attack 1 represents a “weak” counterfeiting attack. Here, the attacker’s capability may only include a set of watermarked images and access to the embedding function.

figure f

4.3 Counterfeiting attack 2

In a more sophisticated counterfeiting scenario, an attacker may wish to modify some (or all) watermarked image blocks for a more meaningful outcome. Here, a set of selected blocks may either be modified directly or be replaced with another set of chosen blocks. Unlike Counterfeiting Attack 1, where no pixels and watermarks were modified (but their locations), in this counterfeiting scenario, the original watermarks remain unchanged and valid for the replaced blocks. This is defined as our Counterfeiting Attack 2 and illustrated in Model 4.

figure g

An attacker first outputs a set of blocks perceptually similar to the set of chosen blocks. These output blocks must have the same watermark as the selected (original) blocks to remain valid. The output blocks then replace the selected blocks in the watermarked image. We define the construction of the perceptually similar blocks as a function S i m(⋅), which outputs a set of blocks, \(\left \{{A_{u}^{l}}\right \}\) for the set of chosen blocks, \(\left \{{C_{u}^{l}}\right \}\) such that \(Sim:\left \{{C_{u}^{l}}\right \}\times \left \{\bar {B}_{u}^{l}\right \} \rightarrow \left \{{A_{u}^{l}}\right \} \cup \left \{\bot \right \}\), where \(\left \{{A_{u}^{l}}\right \} \approx \left \{{C_{u}^{l}}\right \} \approx \left \{\bar {B}_{u}^{l}\right \}\), and \(\left \{{w_{u}^{l}}\right \} \leftarrow G:\left \{{A_{u}^{l}}\right \}\). Here, ⊥ is a failure and \(\left \{\bar {B}_{u}^{l}\right \}\) are the selected blocks to be replaced with the blocks \(\left \{\bar {A}_{u}^{l}\right \}\). As shown in Model 4, once S i m(⋅) outputs \(\left \{{A_{u}^{l}}\right \}\), an attacker extracts the watermarks embedded in the selected blocks, and embed that extracted watermarks in \(\left \{{A_{u}^{l}}\right \}\). Finally, the watermarked blocks, \(\left \{\bar {A}_{u}^{l}\right \}\) replace the selected blocks, \(\left \{\bar {B}_{u}^{l}\right \}\) to output an attacked image, \(\bar {i}_{a}\) as shown in the attack model.

A successful Counterfeiting Attack 2, therefore, mainly depends on the success of the function S i m(⋅). With the output of S i m(⋅), the attacker may output an attacked image that satisfies the win condition. With this additional requirement of S i m(⋅), this attack presents a “stronger” notion of counterfeiting attack than the Counterfeiting Attack 1. A simple S i m(⋅), for example, can replace the pixels in a selected input block with their average intensity or pixel value (leaving their LSBs— least significant bits intact that carry watermark bits). For the output (modified) blocks, the watermarks remain valid as the modification in the output blocks does not affect the watermark. We have used this simple construction of S i m(⋅) for Counterfeiting Attack 2 implementation and will discuss it in Section 6. We note here that the principle of keeping average intensity of a block unchanged for a modified block is the main idea of a constant-average attack [5].

However, the constant-average attack differs from the above example of S i m(⋅) construction, where all pixels of a modified block will have the average intensity value of the block. In constant-average attack, the pixels of a modified block are usually different but their average intensity remains the same as that of the original block, as mentioned in Section 2.2. In other words, an attacker attempts to adjust the pixels of an already modified block further so that their average intensity equals that of the original block. Thus, the constant-average attack representing a case of our Counterfeiting Attack 2, employs a S i m(⋅) different from the one we used in this paper.

Moreover, S i m(⋅) generally extends the equivalence class principle (of the VQ attack [21]) for the block-wise dependent watermarking schemes, as pointed out in Section 2.2. Once the G e t m a p(⋅) (or any other secret recovery method) outputs the mapping sequence (or key), the block-wise dependence property is actually lost. Consequently, S i m(⋅) outputs a block from an equivalence class, which will give the same watermark as the original block and valid for the secret key (used for the original watermarked image). However, unlike the VQ equivalence principle, S i m(⋅) has an additional requirement of perceptual similarity and thus has to output a block perceptually similar to the chosen input blocks. It is worth noting here that, with a very strict perceptual similarity requirement, S i m(⋅) may not work effectively, and may output a failure.

4.4 Counterfeiting attack 3

As a notion of a more stronger attacker, we illustrate another counterfeiting scenario that introduces the highest level of modification into a watermarked image. Unlike the other counterfeiting scenarios discussed above, here an attacker can choose new blocks and generate their watermarks to output an attacked image. This means that this attacker’s capability include the access to the watermark generation and embedding functions. We call this counterfeiting scenario Counterfeiting Attack 3. The severity of this attack is that an attacker with the access to all watermarking functions can make a more meaningful modifications than the above counterfeiting attacks.

The general steps of the Counterfeiting Attack 3 model are shown in the Model 5. An attacker starts with choosing a set of new blocks, \(\left \{{C_{u}^{l}}\right \}\) and extracting the embedded watermarks, \(\left \{{w_{u}^{l}}\right \}\) from the selected blocks, \(\left \{{B_{u}^{l}}\right \}\). Having access to the watermark generation and embedding functions, an attacker may embed the extracted watermark in the chosen blocks. The chosen blocks’ watermarks, \(\left \{w_{ua}^{l}\right \} \) are also generated and required to be embedded in the selected blocks’ mapped blocks, \(\left \{B_{uu}^{l}\right \} \). Finally, the chosen blocks replace the selected blocks to output an attacked image.

figure h

5 Practicality of the identified attacks

We have developed and presented the counterfeiting attack models in last section. To demonstrate their practicality, we now discuss how the identified attacks can be mounted on the SAW schemes. Although the attack models theoretically apply to the schemes that follow the general SAW model presented in Section 3, two typical SAW schemes [8, 46] are studied here that capture the medical and other image applications. The Zain and Fauzischeme (or ZF scheme) [46] is a variant of the prominent Lin et al. scheme [27], and later applied in a potential medical imaging environment [26]. The Edupuganti, Shih, and Chang scheme (or ESC scheme) [8] is recently proposed for tampering localisation and recovery of digital images. Below, we briefly review those schemes and discuss the implementation of the identified attacks.

5.1 The ZF and ESC schemes

The ZF Scheme [46] operates on 8 × 8 non-overlapping blocks and their 4×4 sub-blocks of an image of size M × N. In order to get the mapping sequence for the image block indexes, an 1D linear transformation is used. This transform uses a secret key, which is a prime number chosen from the range of 1 to the total number of the blocks, which limits the key-space to \(\left [2,\left (\frac {M}{8}\times \frac {N}{8}\right )\right ]\). ZF scheme avoids the VQ weaknesses and has good localisation ability. For higher recovery rate of tampered pixels and their better restoration quality, this scheme considers average intensity of individual sub-blocks as their recovery watermarks. However, in addition to the common weakness of the small key-space, ZF scheme uses the watermarks generated from local image properties, which have not been justified for image authentication and integrity verification.

On the other hand, the ESC scheme [8] operates on 2 × 2 non-overlapping blocks of an image of size M × M, where M is a multiple of 2. A lookup table is generated containing the mapped indexes of the image block from the set of block indexes, {1,⋯ , N} by using a secret key, where \(N = \left \{\frac {M}{2}\times \frac {M}{2}\right \}\). The secret key is chosen as a prime number from the range of the block indexes, [2, N−1]. Similar to ZF scheme, a liner transform is used in the ESC scheme to obtain an initial mapping sequence. But, this mapping sequence is modified in ESC scheme using a “block-shift” operation to construct the final lookup table. The dual watermarking principle, 5-bit image block feature, and use of CRC-2 and lookup table make the ESC scheme attractive. However, the ESC scheme suffers from various weaknesses that may cause security problems in a target application. Like ZF scheme, this scheme has a small key-space (of [2, N−1]). Further, use of feature bits, lookup table and CRC-2 is not justified for any expected security problems.

5.2 Implementation of the identified attacks

Our identified counterfeiting attacks are accomplished in two parts: secret recovery and forgery. In the first part, an attacker tries to recover the secret parameters (e.g., key, mapping sequence). The general steps of this part are already shown in G e t m a p(⋅) model (Model 2) and discussed in Section 4.1. We note that the computation of this part may vary depending on the design of the target SAW scheme.

We implement the G e t m a p(⋅) to demonstrate the relative computation time for an attacker to obtain the mapping sequence of both the ZF and ESC schemes. However, in order to implement our attacks on ZF and ESC schemes, we assume that the attacker has the secret keys. Since the key space of both schemes is too small, it is not difficult to obtain the key at all, even for an attacker having limited computational power. For example, for a typical image of size 512 × 512, the maximum key size of the ZF and ESC schemes are 13-bit and 15-bit respectively. Theoretically, compared with cryptographic keys, these key lengths do not provide any protection [16].

In the second part, an attacker has to output a forgery using the secret key or mapping sequence obtained in the first part. The output is valid for the embedded watermark (to satisfy the win condition), and is different from any previous outputs of the SAW scheme. In other words, an attacker outputs a new watermarked image (with new pixels or watermarks, or both), which remains valid for a given key. Here, an attacker of different capabilities (discussed in the beginning of Section 4) may output forgeries in different levels: change of pixel locations only, change of original pixels only, and change of original pixels and watermarks, as shown in Table 1. Attacker’s capabilities are generally classified here to indicate their relative notions of strength. We implement the identified attacks that individually represent different levels of counterfeiting scenarios (see Table 1).

Table 1 Counterfeiting attack levels
Full size table

Therefore, the identified attacks address the counterfeiting scenarios at three levels of modifications, and we argue that any counterfeiting scenarios (i.e., any possible ways of modifying a valid watermarked image) can be described from one of these three levels. In other words, our identified counterfeiting attacks capture all possible counterfeiting scenarios at the three levels. In fact, an attacker may have different ways to modify a watermarked image at a particular counterfeiting level. However, we implement a few of them to demonstrate the practicality and consequences of modifying a valid watermarked image at each counterfeiting level. All necessary simulation and implementation were carried out using MATLAB (R2012a-7.14.0.739) and an Intel Core i5 3.2GHz CPU.

6 Experimental results

In this section, we present our experimental results to validate the effectiveness and to demonstrate possible consequences of the identified counterfeiting attacks. Several experiments were conducted with a set of medical and other images. We analyse the computation time for the effectiveness, and present a set of attacked images for illustrating the possible consequences, of the identified attacks on the ESC scheme [8] and ZF scheme [46]. (The reason for choosing those schemes are discussed in Section 5).

The G e t m a p(⋅) computation time, illustrated in Fig. 1, is obtained for the increasing number of image blocks up to the image size of 512 × 512. As expected, finding the mapping sequence for the ZF scheme is computationally less expensive than the ESC scheme. Further, the average attack computation time of both schemes (shown in Fig. 1) for yielding attacked images for the identified attacks are obtained. To output an attacked image with any level of modifications, it took less than a minute for an input image of size 512 × 512. We note that these computation times are relative, and depend not only on the computing power of the operating machine, but also on the image and block sizes, number of blocks to modify, underlying design of the schemes, etc. Here, we used a total of 113 (medical and other) images of size 512 × 512, and varied their sizes to observe the influence of varying image size on the computation time (Fig. 1).

Fig. 1
figure 1

Average computation time for the images (size up to 512 × 512)

Full size image

A set of examples of the attacked images from our experimental results are shown in Figs. 3 and 4 for the ESC and ZF schemes, respectively. The set of corresponding original watermarked images are shown in Fig. 2. The modified regions (unless the entire image is modified) of the attacked images are indicated by a (red) dotted-ellipse. All the attacked images in complete block swap of Counterfeiting Attack 1 are completely distorted as illustrated in Figs. 3 and 4 (from top, first rows). Although these images may have no practical implication, they are verified as authentic and un-tampered by the detector.

Fig. 2
figure 2

Original set of watermarked images: (ac) ESC scheme and (df) ZF scheme. (Original test images for (ac) and (df) are downloaded from: [6] and [2], respectively)

Full size image
Fig. 3
figure 3

Attacks on the ESC scheme watermarked images: (a) cameraman, (b) house and (c) jet-plane. From top, 1st row: Counterfeiting Attack 1 (entire blocks); 2nd row: Counterfeiting Attack 1 (selected blocks); 3rd row: Counterfeiting Attack 2; and 4th row Counterfeiting Attack 3

Full size image
Fig. 4
figure 4

Attacks on the ZF scheme watermarked images: (a) abdomen, (b) colon and (c) retina. From top, 1st row: Counterfeiting Attack 1 (entire blocks); 2nd row: Counterfeiting Attack 1 (selected blocks); 3rd row: Counterfeiting Attack 2; and 4th row Counterfeiting Attack 3

Full size image

As expected, the attacked images in selected block swap, shown in Figs. 3 and 4 (from top, second rows), are not completely distorted. Unlike the ZF scheme, ESC scheme embeds two copies of a watermark (for each block) into two halves of the input images. As a result, it is evident in Fig. 3 (from top, second row) that the selected block swap has symmetric visual artefacts in the two halves of the output attacked images. Since for the selected block swap, we arbitrarily chose a set of block indexes, the output images had no or little practical significance. However, satisfying the win condition with these attacked images suggests that an attacker may succeed with modifying a valid watermarked image having more significant implications. For example, location of a tumour in a Head MRI may be moved in another region of interest, using the selected block swap.

Unlike the Counterfeiting Attack 1, the attacked images (shown in Figs. 3 and 4, from top, third rows) for Counterfeiting Attack 2, are almost similar to the original watermarked images (in Fig. 2). This is because that the function S i m(⋅) is designed here to compute a new block using the average intensity of the selected block pixels as described in Section 4.3. Although this example represents a particular case in this counterfeiting level like constant-average attack, there can be many other ways to design S i m(⋅). Further, instead of entire blocks manipulation, an attacker may also consider a selected block scenario for this attack, requiring an additional watermark correction process as mentioned for Counterfeiting Attack 1 in Section 4.2.

Furthermore, the attacked images shown in Figs. 3 and 4 (from top, fourth rows) for the Counterfeiting Attack 3 illustrate how an attacker outputs a successful forgery with the highest level of modification. An attacker may select a set of arbitrary blocks of a valid watermarked image to replace with a set of chosen blocks. Win with such a modification leads an attacker to making a complete practical sense for an attacked image in many possible ways, which demonstrates the severity of this attack.

Attacked images of identified attacks, although are perceptually different from the original watermarked images, are not clear for all cases in Figs. 3 and 4 (as shrunk to fit in the page size). Therefore, to observe the difference between the attacked images and respective original watermarked images, we present their PSNR and MSSIM values in Table 2. However, we stress here that the modifications in attacked images are random, and depend on attacker’s objectives. So the performance of the attacks and pattern of consequences cannot be determined from the qualitative measures (e.g., PSNR or MSSIM).

Table 2 Perceptual differences between output and input images of the identified attacks
Full size table

Both the ZF and ESC schemes accept all the attacked images (including the images in Figs. 3 and 4) as authentic, where clearly they are not. The implications of the attacked images can be more severe if the attacks are applied in a more meaningful way. However, the presented examples in this paper reasonably show that Counterfeiting-Attack 1, -Attack 2, and -Attack 3 render the schemes invalid for their intended purpose. They also suggest that there would be similar consequences for other SAW schemes based on similar watermarking principle.

7 Countermeasure

Many SAW schemes (including the ZF and ESC schemes) irrespective of their technical differences, do not consider the required properties of the watermarks explicitly. This also means that the requirements for a SAW scheme either have not been completely studied yet or are not well understood, which is possibly the main source of several security problems as discussed in Section 2.2. Addressing this, we outline here a set of general requirements for SAW schemes below. We also discuss some guidelines to meet the requirements using existing authentication tools. We particularly illustrate, with extending the SAW Model presented in Section 3, how some of the tools can be employed to achieve the requirements and thus to avoid the counterfeiting weaknesses.

7.1 General requirements for the SAW schemes

General requirements of image (and other multimedia) authentication are well known [3, 17, 18, 38]. However, a SAW scheme, in general, has additional requirements from the typical image authentication, which we call here SAW requirements. We attempt to determine a set of requirements for the SAW schemes in view of the standard authentication tools (e.g., message authentication code, digital signature, etc.) and existing image authentication schemes. The general SAW requirements thus can be: (i) authenticity, (ii) integrity, (iii) unforgeability, (iv) non-repudiation (v) localisation accuracy, (vi) recovery quality, (vii) perceptual similarity, (viii) embedding capacity, (ix) efficiency, and (x) reliability. These requirements are discussed below. It is worth noting that, for simplicity, we do not formulate these requirements explicitly.

Authenticity

The presence of a valid watermark in a watermarked image implies that the content is deliberately watermarked by the embedder. It is important for a SAW scheme to establish the image content is genuine and was watermarked by an embedder possessing the proper embedding (and/or generation) key (used in watermark embedding and/or generation).

Integrity

A valid watermark also ensures the image content is not undetectably modified in an unauthorised way. This further requires the following properties for the watermark:

Fragile :

A valid watermark embedded in an image is required to be invalid for any smallest changes in the image.

Block-wise collision resistance :

For a given image block, it is hard to find another image block, which will have the same watermark. (This is a notion of weak collision resistance; however a strong collision resistance can be considered as discussed in Section 2.1).

Unforgeability

A valid watermark can only be generated and embedded by a valid generator and embedder (i.e., possessing the proper generation and/or embedding key(s)), respectively. In other words, it is to be computationally “hard” to forge a valid watermark. Here, a watermark may require the following properties: block-wise dependence and block-wise collision resistance. Block-wise dependence can be of two types:

Intra-block dependence :

An image block is to be used as an input for its watermark generation. This is required to be copy attack resistant (where an attacker directly copies a valid watermark to illicitly embed that in a chosen image which is later verified as authentic for the given key).

Inter-block dependence :

Image blocks are to be mutually watermark dependent (i.e., watermark of one block is embedded into its mapped block) for the VQ attack resistance.

Non-repudiation

A watermarked image must be verifiable to resolve a dispute arising either from a deceitful entity trying to repudiate the watermarked image or from a fraudulent claimant.

Localisation accuracy

In case of a tampered image, the localisation of the tampered pixels must come with an optimum accuracy considering computational cost and time.

Recovery quality

In case of a tampered image, the localised image pixels must be recovered with an “acceptable” image quality. The notion of “acceptable” image quality may vary with the applications.

Perceptual similarity

A watermarked image must be perceptually similar, which ensures an “acceptable” level of distortion in the image, and thus the image remains usable for its intended application.

Embedding capacity

A SAW scheme must have the required capacity to accommodate the payload (i.e., the watermark plus any side information). This requirement however may conflict with the restoration quality and perceptual similarity requirements, and thus a necessary trade-off is to be made.

Efficiency

A SAW scheme must be computationally efficient to generate, embed and detect (with optimum tampering localisation accuracy and recovery quality) a watermark for a given image. Although the computational effort depends upon the size of input image, the “work” should not grow rapidly with the image size.

Reliability

A SAW scheme must be reliable to perform objectively (i.e., to attain the above specified requirements) under given conditions and over a specified period of time.

7.2 How can the SAW requirements be met?

Meeting the above mentioned SAW requirements is a challenging task, which naturally poses a fundamental question: can the conventional authentication tools meet the SAW requirements? Addressing this question, we discuss some general principles of using conventional tools as building blocks in SAW schemes. We outline their capabilities and limitations to meet the requirements for the following objectives of a SAW scheme: (i) content authentication, and (ii) tampering localisation and recovery. This is discussed below and summarised in Table 3.

Table 3 Attainment of SAW Requirements
Full size table

Using Encryption

Encryption is a cryptographic tool generally used to preserve confidentiality of information. Therefore, a direct use of encryption may not help meet the SAW requirements. Encryption of a “suitable” image feature (either by a shared or public key) may help achieve the requirements of integrity, authenticity, etc. to a certain extent [4, 43]. (The suitability of an image feature may depend on several factors; namely, feature length in bits, its computation and uniqueness for image blocks, etc.) For a SAW scheme, the encrypted image-block-features can be used for tampering localisation and recovery. Thereby, some SAW requirements such as integrity, authentication, localization accuracy, etc., can be attained, whereas meeting unforgeability, efficiency, etc., can still be challenging.

Using Message Authentication Code (MAC)

A MAC (or a keyed hash function) is a cryptographic tool that generates and later verifies an authentication code (or checksum) using a symmetric (or shared) key [36]. For the SAW schemes, block-wise integrity and authentication can be achieved by computing the MAC for each given block (or its unique features) and embedding it into a mapped block. This will help achieve the security level of the used MAC scheme. However, similar to using encryption, the computation time and payload size may grow with the increasing size of the input image and its block, resulting in an efficient SAW scheme. Using MAC also seems incapable of tampering recovery.

Using Digital Signature (DS)

DS is another cryptographic tool widely used today, which offers many security services [36]; for example, integrity, authenticity, non-repudiation, unforgeability, etc. Similar to MAC, DS can be block-wise used for the SAW schemes. Such a use of DS can offer tampering localisation, although it still lacks tampering recovery capability. Besides, as DS is usually slower than MAC [36], it can be more computationally expensive for the block-wise embedding principle. It also requires trusted certificates that may incur an additional cost.

Using Perceptual Hash Function (PHF)

PHF (also known as visual or robust (image) hashing) is a keyed and content-based hash function that uses image features robust to content-preserving manipulation (e.g., file-format conversion, compression, etc.) and fragile to content-modifying manipulation (e.g., change of objects, background, etc.) [10]. Similar to MAC, it can be used for image integrity and authentication. But, for some special requirements such as access to search a large database of pre-computed hashes, PHF can be more computationally expensive than the other tools. Presumably, the security levels of PHF are also not well known as the cryptographic tools, and thus using PHF without any security proof can be vulnerable in a SAW scenario. Its tampering recovery capability is also unknown.

Using Perceptual Digital Signature (PDS)

PDS (also known as visual or content-based digital signature) uses the content-preserving-manipulation-invariant features (like PHF) and public key schemes [7]. PDS has potential to provide several security services like DS, considering the PDS’s security levels are known for the application. Generally speaking the performance of a PDS mainly depends upon the image features and their extraction processes. However, for the block-wise embedding principle, PDS is probably faster than PHF as PDS usually does not require any database access and learning process like PHF. Similar to PHF, tampering recovery capability of PDS is also not known.

Whither are the Above Conventional Tools Leading?

It is obvious that the above tools distinguish their two different notion of security services: strict and selective. Cryptographic tools like MAC and DS are intended to serve the strict security services, where a single bit change can be detected. Whereas, the multimedia content-based tools like PHF and PDS are robust to content-preserving manipulation like compression, file-format conversion, etc., and thus provide the selective security services. However, since defining the notion of selective security, in general, is more than challenging for different applications, the use of cryptographic tools in SAW schemes can be relatively secure, efficient, and straight-forward. The above considerations and their summary in Table 3 lead us to a conclusion that any individual tool is not sufficient for the attainment of SAW requirements, and thus to considering their combined use.

7.3 An extended SAW model

We extend the construction of the SAW model developed in Section 3. This extended model incorporates the novel approach of employing conventional authentication tools. Use of those tools are not new for image (or other multimedia) authentication, for example, in [1, 4, 7, 9, 13, 17, 18, 29, 40, 43, 44], where authenticity and integrity verification of the visual semantics of multimedia information is mainly addressed. However, as mentioned above, the SAW schemes as a general form of multimedia authentication, also have an additional tampering localisation and recovery objective. Combined use of some of those conventional authentication tools thus seem to be a better option. To this, we consider two different image features, global and local. The global feature is computed over the whole image and the local feature is computed block-wise. Those features are used for content authentication, and tampering localisation and recovery objectives, respectively.

For simplicity, we partitioned the SAW objectives into two classes: (i) primary (i.e., content authentication) and (ii) secondary (i.e., tampering localisation and recovery). We consider the tampering localization and recovery as the secondary objective, since it logically comes after the content authentication (i.e., once the image integrity is found compromised). For the primary objective, a suitable signature scheme can be used for the global feature. Whereas, for the secondary objective, a private key encryption scheme can be used for the local features. The choice of the private key encryption here is made based on the following facts: (i) it is simpler and faster than the public key encryption, and (ii) using digital signature (for the content authentication), which uses public key, would complement any security need that the used private key encryption does not provide. With this setting, we extend the SAW model, where authenticity and integrity of a watermarked image can be verified publicly (using a public key) and if found tampered, tampering can be localized and recovered using a private key. Before presenting the proposed SAW model, we discuss its component functions below.

Key generation function, KeyGen(⋅)

On the given security parameter τ, K e y G e n(⋅) generates a set of keys: {(K S , K P ), K R }. The pair of public and private keys, K S and K P , are used for the signature scheme to sign and to verify the signature, respectively. A private key, K R is used for both the encryption scheme (which is symmetric and thus shares the same key for encryption and decryption) and mapping function, M a p(⋅).

Feature extraction function, Feature(⋅)

This function takes any (watermarked or un-watermarked) image and outputs its global and local features, f pri and f sec, used for primary and secondary objectives, respectively. Note that f pri is computed over the whole input image and f sec is computed block-wise, i.e., \(f^{sec}= \left \{f^{sec}_{n}\right \}\), where an input image i is divided into total N b non-overlapping blocks such that i = {B n } and n ∈ {1, 2, ⋯, N b }.

Signature scheme (Sign(⋅), SigVerify(⋅), K S , K P )

The signing function S i g n(⋅) outputs a signature, w pri on the primary feature, f pri and private signing key, K S . This signature is embedded as a watermark and extracted in detection to be verified using S i g V e r i f y(⋅) and its public key, K P . Thus the signature scheme can serve the primary objective. Recall that the V e r i f y(⋅) in the general SAW model (Section 3) simultaneously verify the image blocks’ authenticity, tampering localization and recovery. However, for security reasons and more logical construction, as those tasks have been separated in terms of primary and secondary objectives, the S i g V e r i f y(⋅) is used here to only declare the whole image’s authenticity and integrity. If this verification fails, tampering localization and recovery is attempted.

Encryption scheme (Encrypt(⋅), Decrypt(⋅), K R )

The local feature f sec is block-wise encrypted using encryption function E n c r y p t(⋅) and its private key K R . The encrypted features are block-wise embedded as another watermark for the secondary objective. If an image fails the signature verification, the regenerated watermark, \(\{w^{newsec}_{n}\}\) of the tampered image are compared with the extracted watermark \(\{\tilde {w}^{sec}_{n}\}\). For a mismatch, a block \(\bar {B}_{n}\) is marked as a tampered block \(\bar {\bar {B}}_{n}\), which is recovered by the recovery function, R e c o v e r(⋅).

Recovery function, Recover(⋅)

This is a component function of the detection, D(⋅), which outputs the recovered block, \(\tilde {B}_{n}\) for a given tampered block, \(\bar {\bar {B}}_{n}\), using the extracted and decrypted local feature of the block, \(\tilde {f}^{sec}_{n_{1}}\).

Embedding functions, Epri(⋅) and Esec(⋅)

In embedding, E(⋅), two separate embedding functions, namely E p r i(⋅) and E s e c(⋅), are used for embedding the separate watermarks, w pri and w sec respectively. Unlike E p r i(⋅) that embeds w pri over the whole image, E s e c(⋅) is used to block-wise embed w sec using M a p(⋅) and its key K R . Both embedding functions operate on input images without interfering with each other (e.g., embedding regions are different), and cannot distinguish whether the input images are watermarked or not. To extract the embedded watermarks, their respective inverse functions, E p r i −1(⋅) and E s e c −1(⋅) are used. As discussed in Section 3, the notion of being inverse of the embedding function lies in the fact that these inverse embedding functions extract the bits considering them as the watermark bits.

Mapping function, Map(⋅)

A mapping function, M a p(⋅) is used in block-wise embedding of the encrypted local features. As mentioned in Section 3, for the general SAW model, M a p(⋅) uses a linear mapping transform (i.e., q = [(k × n)m o d N b ]+1 for all n). However, we stress here that a pseudo-random-number-generator based mapping transform can be used to avoid the discussed mapping weakness (Section 2.1).

Model 6 presents the construction of our SAW model based on the above principle and functions. The use of signature and encryption schemes are shown there to achieve the primary and secondary objectives, respectively. Using a signature scheme, the authenticity and integrity of a watermarked image is publicly verifiable (with K P ). Additionally, for a tampered image, tampering can be localised and recovered privately (with K R ) as a secondary objective if required (e.g., for digital forensic processing). We note here that the above extended model, although aimed at capturing all the necessary construction details of a SAW scheme, is not completely general. There are always ways to include additional options depending on the application scenarios, which will be briefly outlined in the following section.

figure i

8 Future challenges

The desirable notion of security of the SAW schemes may vary and depends on the application scenario. Because even if the system (or non-security) requirements (e.g., perceptual similarity, embedding capacity, etc.) remain the same in different applications, the required security goal and attackers’ capabilities may significantly vary. Until we know which scheme is the best for a particular application, developing the new schemes may be left detached from their practical use despite their validation for a partial set of requirements. Although we have studied the case of SAW schemes, our study has revealed some fundamental challenges for the broad range of SAW schemes. These challenges, given below, should essentially be addressed in future research.

Development of a scheme based on the extended SAW model

This requires further study on: (i) the local and global feature extraction processes; (ii) the required properties of the features for different objectives; (iii) user key management; and (iv) overall security and performance analysis of the scheme, for an application. Choice of the suitable mapping transform, and the embedding, signature, and encryption schemes should also be clearly justified for the application.

Formal treatment of SAW schemes as a watermarking primitive

This includes formally defining a SAW scheme and its requirements, analysis of the existing state-of-the-art constructions, developing attack models for broad application scenarios, etc. This will help generate a methodological knowledge to identify the similarities or differences among the variants of SAW scheme such as the self-embedding and self-recovery schemes. As a result, knowing the strength and weakness of a scheme, determining its security level, and thereby choosing an appropriate scheme for an application would be easier and systematic.

Development of quantitative measure for SAW requirements

In addition to the above challenges, another question may naturally arise; can we quantify how well a SAW scheme meets the requirements? Since not all applications will have the similar (level) requirements, it can be a further challenge to determine/develop such measures that help verify the attainment of those requirements, for the SAW schemes. Note that, to assess the performance of robust watermarking schemes that are mainly used for copyright protection and fingerprinting, a number of benchmarks (e.g., StirMark [37], Fair benchmark [23], etc.) have been proposed. However, due to having different properties and application requirements, SAW schemes require further development in this area.

9 Conclusions

We have developed a SAW model for the block-based fragile watermarking schemes. We then identified three counterfeiting attacks, developed their models and validated them for the SAW model. We observed that neither the weaknesses of a SAW scheme nor their exploiting in the secret recovery demonstrate how they can affect a target application. In fact, there can be many counterfeiting instances for the SAW schemes in different application scenarios. It is more than difficult (and may not be necessary too) to individually consider every possible counterfeiting instance for developing a SAW scheme. Our identified attacks individually represent the counterfeiting instances in three levels of modifications of a valid watermarked image: (i) change of pixel locations only, (ii) change of original pixels only, and (iii) change of original pixels and watermarks. We, therefore, have argued that the identified attacks generalise all possible counterfeiting instances in those three levels of modification. Experimental results have successfully demonstrated their practical consequences and showed how a SAW scheme can violate the systematic definition of security.

In order to resist the counterfeiting attacks, we have extended the SAW model. Since the model is based on the block-based fragile embedding principle, the state-of-the-art fragile watermarking technique can be used in a block-wise fashion. We have partitioned the objectives of the SAW schemes into primary (i.e., content authentication) and secondary (i.e., tampering localisation and recovery). We have then determined a set of general requirements and presented guidelines for their attainment using conventional authentication tools as building blocks of SAW schemes. We observed that none of the conventional tools can individually help to completely achieve the SAW requirements. These efforts have led us to a logical extension of the SAW model that employs the digital signature and encryption for attaining the primary and secondary objectives, respectively.

Additionally, our study has revealed some fundamental challenges in systematic development and formal analysis of the SAW schemes; namely: (i) development of a scheme based on the extended SAW model, (ii) formal treatment of SAW schemes as a watermarking primitive, and (iii) development of quantitative measure for SAW requirements. We have particularly stressed on formalising the concept of the SAW schemes to systematically determine their security levels.

As a final remark, the presented contributions can be useful in the development and security analysis of SAW schemes. The identified attack models can be used as a means to systematically examine the security levels of similar schemes. Additionally, the extended SAW model with an appropriate consideration of the identified requirements may lead to developing more secure variants of SAW scheme. As this study has demonstrated, failure to consider the security levels and requirements can render a SAW scheme vulnerable for its intended application. In other words, identifying the security levels and the properties of a SAW scheme can help not only to justify the merit of the scheme, but to also show any potential security holes for similar schemes.