Article
Reference
Attacks on Digital Watermarks : Classification, Estimation-based
Attacks and Benchmarks
VOLOSHYNOVSKYY, Svyatoslav, et al.
Abstract
Watermarking is a potential method for protection of ownership rights on digital audio, image
and video data. Benchmarks are used to evaluate the performance of different watermarking
algorithms. For image watermarking, the Stirmark package is the most popular benchmark,
and the best current algorithms perform well against it. However, results obtained by the
Stirmark benchmark have to be handled carefully since Stirmark does not properly model the
watermarking process and consequently is limited in its potential for impairing sophisticated
image watermarking schemes. In this context, the goal of this article is threefold. First, we give
an overview of the current attacking methods. Second, we describe attacks exploiting
knowledge about the statistics of the original data and the embedded watermark. We propose
a stochastic formulation of estimation-based attacks. Such attacks consist of two main stages:
a) watermark estimation; b) exploitation of the estimated watermark to trick watermark
detection or create ownership ambiguity. The full strength of estimation-based attacks can be
achieved by introducing additional noise, [...]
VOLOSHYNOVSKYY, Svyatoslav, et al. Attacks on Digital Watermarks : Classification,
Estimation-based Attacks and Benchmarks. IEEE communications magazine, 2001, vol. 39,
no. 8, p. 118-127
DOI : 10.1109/35.940053
Available at:
http://archive-ouverte.unige.ch/unige:47520
Disclaimer: layout of this document may differ from the published version.
1 / 1
IEEE Communications Magazine • August 2001
2
Attacks on Digital Watermarks:
Classification, Estimation-Based
Attacks, and Benchmarks
0163-6804/01/$10.00 © 2001 IEEE
ABSTRACT
Watermarking is a potential method for pro-
tection of ownership rights on digital audio,
image, and video data. Benchmarks are used to
evaluate the performance of different water-
marking algorithms. For image watermarking,
the Stirmark package is the most popular bench-
mark, and the best current algorithms perform
well against it. However, results obtained by the
Stirmark benchmark have to be handled careful-
ly since Stirmark does not properly model the
watermarking process and consequently is limit-
ed in its potential for impairing sophisticated
image watermarking schemes. In this context,
the goal of this article is threefold. First, we give
an overview of the current attacking methods.
Second, we describe attacks exploiting knowl-
edge about the statistics of the original data and
the embedded watermark. We propose a stochas-
tic formulation of estimation-based attacks. Such
attacks consist of two main stages:
• Watermark estimation
• Exploitation of the estimated watermark to
trick watermark detection or create owner-
ship ambiguity
The full strength of estimation-based attacks can
be achieved by introducing additional noise,
where the attacker tries to combine the estimat-
ed watermark and the additive noise to impair
watermark communication as much as possible
while fulfilling a quality constraint on the
attacked data. With a sophisticated quality con-
straint it is also possible to exploit human per-
ception: the human auditory system in case of
audio watermarks and the human visual system
in case of image and video watermarks. Third,
we discuss the current status of image water-
marking benchmarks. We briefly present Fabien
Petitcolas’ Stirmark benchmarking tool [1]. Next,
we consider the benchmark proposed by the
University of Geneva Vision Group that con-
tains more deliberate attacks. Finally, we sum-
marize the current work of the European
Certimark project, whose goal is to accelerate
efforts from a number of research groups and
companies in order to produce an improved
ensemble of benchmarking tools.
INTRODUCTION
Digital watermarking is a communication
method in which information
b is embedded
directly and imperceptibly into digital data
x
(e.g., image, video, or audio signals), also called
original data or host data, to form watermarked
data
y. Loosely analogous to watermarks in arti-
cle documents, the embedded information is
bound to the watermarked data wherever it
goes. The embedded information should still be
decodable from the watermarked data, even if
the watermarked data is processed, copied, or
redistributed. Potential applications of digital
watermarking include copyright protection, dis-
tribution tracing, authentication, and conditional
access control. Thus, the information
b could be
a user-ID, a serial number for a certain copy of
a document, or authentication information.
We will concentrate our analysis on the copy-
right protection of still images, an urgent prob-
lem for modern e-commerce. Obviously, the
attacks introduced in the article can be applied
to audio and video watermarking algorithms
with the safety of generality and technical modi-
fications depending on the physics of the consid-
ered media.
The watermark can be regarded as an addi-
tive signal
w, which contains the encoded and
Sviatolsav Voloshynovskiy, Shelby Pereira, and Thierry Pun, University of Geneva
Joachim J. Eggers and Jonathan K. Su, University of Erlangen-Nuremberg
DIGITAL WATERMARKING FOR Copyright, IEEE, 2001. Permission to
COPYRIGHT PROTECTION: reprint/republish must be
A C
OMMUNICATIONS PERSPECTIVE obtained from the IEEE.
IEEE Communications Magazine • August 2001
3
modulated watermark message b under con-
straints on the introduced perceptible distortions
given by a mask
M so that
y = x + w(M).
Note that
w need not be independent from
the original data
x. The simplest approach to
achieve a perceptually indistinguishable water-
marked and original signal is to keep the power
of the watermark signal very low. Using sophisti-
cated psycho-acoustic or psycho-visual models,
more appropriate masks
M can be applied to
enhance the robustness of the watermarking
scheme. Commonly used embedding techniques
can be classified into
additive [2], multiplicative
[2], and quantization-based schemes [3, 4]. In
additive schemes, there are usually very weak
dependencies between
w and x (e.g., introduced
by choosing
w dependent on a data-dependent
perceptual mask
M). In multiplicative schemes,
samples of the original data are multiplied by an
independent signal
v so that w = xv – x. Here, w
and x are of course dependent on each other.
Strong local dependencies between the realiza-
tions of
w and x exist in quantization-based
watermarking schemes. However, these depen-
dencies are such that statistically
x and w appear
(almost) independent.
The term
watermark itself is not always well-
defined in the literature. To be precise, we have
to distinguish between the watermark signal
w,
which is the actual signal added to the original
data, and the watermark message or information
b that is conveyed by the watermark signal. Usu-
ally the meaning is clear from context. Coding
schemes can be used to achieve reliable water-
mark communication. In some cases only one bit
need to be communicated (on-off signaling),
while in other cases a sequence of
M-ary water-
mark symbols is transmitted.
In most watermarking applications, the
marked data is likely to be processed in some
way before it reaches the watermark receiver.
The processing could be lossy compression, sig-
nal enhancement, or digital-to-analog (D/A) and
analog-to-digital (A/D) conversion. An embed-
ded watermark may unintentionally or inadver-
tently be impaired by such processing. Other
types of processing may be applied with the
explicit goal of hindering watermark reception.
In watermarking terminology, an
attack is any
processing that may impair detection of the
watermark or communication of the information
conveyed by the watermark. The processed
watermarked data is then called
attacked data.
An important aspect of any watermarking
scheme is its robustness against attacks. The notion
of robustness is intuitively clear: A watermark is
robust if it cannot be impaired without also render-
ing the attacked data useless. Watermark impair-
ment can be measured by criteria such as miss
probability, probability of bit error, or channel
capacity. For multimedia, the usefulness of the
attacked data can be gauged by considering its per-
ceptual quality or distortion. Hence, robustness can
be evaluated by simultaneously considering water-
mark impairment and the distortion of the attacked
data. An attack succeeds in defeating a watermark-
ing scheme if it impairs the watermark beyond
acceptable limits while maintaining the perceptual
quality of the attacked data.
Since the complete theoretical analysis of the
watermarking algorithm performance with
respect to different attacks is rather complicated,
the developers of watermarking algorithms refer
to the results of experimental testing performed
in the scope of some benchmark. The bench-
mark combines the possible attacks into a com-
mon framework and weights the resulted
performances depending on the possible applica-
tion of the watermarking technology.
This article discusses several state-of-the-art
attacks that deliberately attempt to impair the
watermark without excessively distorting the
attacked data. Where possible, we take a general
point of view to highlight attack principles that can
be applied in many different circumstances. When
it comes to practical examples, we usually refer to
image watermarking since the background of the
authors is strongest in this application area.
First, we briefly summarize state-of-the-art
watermarking attacks and coarsely categorize
them. Next, we discuss a relatively new direction:
attacks based on watermark estimation. Combin-
ing the estimated watermark with additional
noise in an optimized way can significantly
improve the strength of attacks. Finally, three
different approaches for benchmarking image
watermarking schemes are presented.
STATE-OF-THE-ART
WATERMARKING ATTACKS
One categorization of the wide class of existing
attacks contains four classes of attacks: removal
attacks, geometric attacks, cryptographic attacks,
and protocol attacks. Here, we describe coarsely
these four attack types and present some examples.
More detailed descriptions can be found in [5, 6].
REMOVAL ATTACKS
Removal attacks aim at the complete removal of
the watermark information from the water-
marked data without cracking the security of the
watermarking algorithm (e.g., without the key
used for watermark embedding). That is, no pro-
cessing, even prohibitively complex, can recover
the watermark information from the attacked
data. This category includes denoising, quantiza-
tion (e.g., for compression), remodulation, and
collusion attacks. Not all of these methods always
come close to their goal of complete watermark
removal, but they may nevertheless damage the
watermark information significantly.
Sophisticated removal attacks try to optimize
operations like denoising or quantization to
impair the embedded watermark as much as
possible while keeping the quality of the attacked
document high enough. Usually, statistical mod-
els for the watermark and the original data are
exploited within the optimization process.
Collusion attacks are applicable when many
copies of a given data set, each signed with a key or
different watermark, can be obtained by an attacker
or a group of attackers. In such a case, a successful
attack can be achieved by averaging all copies or
taking only small parts from each different copy.
Recent results show that a small number of differ-
ent copies (e.g., about 10) in the hands of one
attacker can lead to successful watermark removal.
In most
watermarking
applications,
the marked data
is likely to be
processed in
some way before
it reaches the
watermark
receiver. The
processing could
be lossy
compression,
signal
enhancement, or
D/A and A/D
conversion.
IEEE Communications Magazine • August 2001
4
GEOMETRIC ATTACKS
In contrast to removal attacks, geometric attacks
do not actually remove the embedded water-
mark itself, but intend to distort the watermark
detector synchronization with the embedded
information. The detector could recover the
embedded watermark information when perfect
synchronization is regained. However, the com-
plexity of the required synchronization process
might be too great to be practical.
For image watermarking, the best known
benchmarking tools, Unzign and Stirmark [1],
integrate a variety of geometric attacks. Unzign
introduces local pixel jittering and is very effi-
cient in attacking spatial domain watermarking
schemes. Stirmark introduces both global and
local geometric distortions. We give a few more
details about these attacks later in this article.
However, most recent watermarking methods
survive these attacks due to the use of special
synchronization techniques. Robustness to global
geometric distortions often relies on the use of
either a transform-invariant domain (Fourier-
Melline) or an additional template, or specially
designed periodic watermarks whose autocovari-
ance function (ACF) allows estimation of the
geometric distortions. However, as discussed
below, the attacker can design dedicated attacks
exploiting knowledge of the synchronization
scheme.
Robustness to global affine transformations is
more or less a solved issue. However, resistance
to the local random alterations integrated in
Stirmark still remains an open problem for most
commercial watermarking tools. The so-called
random bending attack in Stirmark exploits the
fact that the human visual system (HVS) is not
sensitive to local shifts and affine modifications.
Therefore, pixels are locally shifted, scaled, and
rotated without significant visual distortion.
However, it is worth noting that some recent
methods are able to resist this attack.
CRYPTOGRAPHIC ATTACKS
Cryptographic attacks aim at cracking the securi-
ty methods in watermarking schemes and thus
finding a way to remove the embedded water-
mark information or to embed misleading water-
marks. One such technique is brute-force search
for the embedded secret information. Another
attack in this category is the so-called Oracle
attack, which can be used to create a non-water-
marked signal when a watermark detector device
is available. Practically, application of these
attacks is restricted due to their high computa-
tional complexity.
PROTOCOL ATTACKS
Protocol attacks aim at attacking the entire con-
cept of the watermarking application. One type of
protocol attack is based on the concept of
invert-
ible watermarks
[7]. The idea behind inversion is
that the attacker subtracts his own watermark
from the watermarked data and claims to be the
owner of the watermarked data. This can create
ambiguity with respect to the true ownership of
the data. It has been shown that for copyright
protection applications, watermarks need to be
noninvertible. The requirement of noninvertibility
of the watermarking technology implies that it
should not be possible to extract a watermark
from a non-watermarked document. A solution to
this problem might be to make watermarks signal-
dependent by using one-way functions.
Another protocol attack is the
copy attack. In
this case, the goal is not to destroy the water-
mark or impair its detection, but to estimate a
watermark from watermarked data and copy it
to some other data, called
target data [8]. The
estimated watermark is adapted to the local fea-
tures of the target data to satisfy its impercepti-
bility. The copy attack is applicable when a valid
watermark in the target data can be produced
with neither algorithmic knowledge of the water-
marking technology nor knowledge of the water-
marking key. Again, signal-dependent
watermarks might be resistant to the copy attack.
ESTIMATION-BASED ATTACKS
Here, we consider attacks that take into account
the knowledge of watermarking technology and
exploit statistics of the original data and water-
mark signal [5, 9–12]. In addition, we emphasize
that for the design of attacks against watermark-
ing schemes, the distortion of the attacked docu-
ment and the success of watermark impairment
has to be considered. Within the scope of these
attacks, we present the concept of
estimation-
based attacks
. This concept is based on the
assumption that the original data or the water-
mark can be estimated — at least partially —
from the watermarked data using some prior
knowledge of the signals’ statistics. Note that esti-
mation does not require any knowledge of the
key used for watermark embedding. Furthermore,
knowledge of the embedding rule is not required,
but the attack can be more successful with it.
Depending on the final purpose of the attack,
the attacker can obtain an estimate of the origi-
nal data or of the watermark based on some
stochastic criteria such as maximum likelihood
(ML), maximum a posteriori probability (MAP),
or minimum mean square error (MMSE). We
do not focus here on the particularities of the
above estimation but rather concentrate on dif-
ferent ways to exploit the obtained estimates to
impair the embedded watermark. Depending on
the way the estimate is used, we can classify esti-
mation-based attacks as removal, protocol, or
desynchronization attacks.
■ Figure 1. A perceptual remodulation attack.
Marked
data
Attacked
data
Watermark
estimation
Additional
noise
Scaling factor
gamma
+
–
Mask
estimation
IEEE Communications Magazine • August 2001
5
ESTIMATE OF THE ORIGINAL DATA
Considering the watermark as noise in the water-
marked data, the attacker can try to estimate the
original unwatermarked data. This attack results
in the design of an optimal denoising scheme.
Taking into account the results of recent investi-
gation that established the strong connection
between denoising and compression for filtering
of additive noise from the images, this means in
the case of image watermarks that the attacker
can easily apply the most recent advanced coders
based on wavelet decompositions to remove the
watermark. Keeping in mind the design of such
coders in terms of an optimal rate-distortion
trade-off, the attacker can obtain a considerable
gain in resolving the compromise between dis-
tortions introduced by the attack and success in
removal of the watermark. Note that in both
denoising and optimized compression, both the
perceptual and objective quality of the attacked
image can be improved significantly. We classify
both denoising and optimized compression as
removal attacks.
REMODULATION ATTACKS
Remodulation attacks aim at modification of the
watermark using modulation opposite to that
used for watermark embedding. Assuming the
estimated watermark is correlated with the actu-
al watermark, meaning a good estimate could be
obtained, the estimated watermark can be sub-
tracted from the watermarked data. Subtracting
a very inaccurate estimate of the watermark
might decrease the document quality without
affecting the watermark too much. On the other
hand, correlation-based detection can be defeat-
ed by subtracting an amplified version of the
estimated watermark. For this reason, we intro-
duced a gain factor
g ≥ 1, which gives us the
possibility to trade off the distortion of the
attacked document vs. the success of the attack.
There are four basic variations of the remod-
ulation attack. First, when
g = 1, the attack
yields the MMSE/MAP estimate of the original
and reduces to the denoising attack. Second, for
g > 1, the quality of the attacked document
might be reduced, but correlation-based detec-
tion might be defeated more successfully. The
attack can even drive the correlation to zero so
that the detector incorrectly decides that the
watermark is not present in the attacked data.
Third, when using a more sophisticated dis-
tortion measure than simple MSE, a better com-
promise between success of the attack and
introduced distortion can be obtained by weight-
ing the remodulated watermark by a perceptual
mask. Fourth, the attacker can not only subtract
the weighted, estimated watermark, but also add
outliers to obtain a non-Gaussian noise distribu-
tion, which decreases the performance of corre-
lation-based detection. Moreover, exploiting
features of the human perceptual system, the
attacker can efficiently embed a large amount of
outliers in perceptually less significant parts of
the data. For image data, this approach has been
demonstrated to be successful in [9]. We refer to
this attack as
perceptual remodulation (Fig. 1).
COPY ATTACK
The estimated watermark can be exploited to
implement a copy attack, as already described. Of
course, the copied watermark has to be adapted
to the target data to keep the quality of the false-
ly watermarked target data high enough. There
are many practical ways to adapt the watermark
to the target data based on perceptual models.
For images, contrast sensitivity and texture mask-
ing phenomena of the HVS can be exploited. The
estimation-based copy attack is most successful
when the same perceptual model is used as in the
original watermarking algorithm.
Note that the copy attack in its described ver-
sion is mainly applicable to additive watermark-
ing schemes. In the case of quantization-based
watermarking schemes, even a perfectly estimat-
ed watermark signal
w cannot be copied since it
is highly unlikely that the copied signal
w is a
valid watermark in the target signal (Fig. 2).
SYNCHRONIZATION REMOVAL
Watermark estimation can also be very efficient-
ly applied to attack synchronization mechanisms.
The basic idea of
synchronization removal is to
detect synchronization patterns, remove them,
and then apply desynchronization techniques,
such as global affine transformation in the case
of image watermarking.
Here, we concentrate on synchronization
methods for image watermarking based on a
template in the magnitude image spectrum or on
the ACF of periodic watermarks. In both cases,
peaks are generated in the Fourier domain [5,
9]. It is obvious that such peaks can easily be
detected. Once the peaks have been detected,
the next step of the attack is to interpolate the
spectrum of the watermarked image or previous-
ly attacked image in the locations of spatial fre-
quencies determined by a local peak detector.
The generalized block diagram of this attack is
shown in Figure 3, where
¡ and ¡
–1
denote
direct and inverse Fourier transforms, respec-
tively, |.| is the magnitude, and
arg is the phase.
COUNTERMEASURES AGAINST
ESTIMATION-BASED ATTACKS
To resist estimation-based attacks, the embedder
aims at making the watermark difficult to esti-
mate. This approach has been investigated for
two different scenarios.
■ Figure 2. A copy attack.
Watermark
estimation
Scaling factor
gamma
Attacked
data
Marked
data
Mask
estimation
Target
data
+
+