Information Sciences 179 (2009) 3866–3884
A new data hiding scheme for binary image authentication with small image distortion
Younho Lee (a), Heeyoul Kim (b,*), Yongsu Park (c)
(a) Department of Information and Communication Engineering, Yeungnam University, Republic of Korea
(b) Department of Computer Science, Kyonggi University, Republic of Korea
(c) College of Information and Communications, Hanyang University, Republic of Korea
Article info
Article history: Received 19 June 2008. Received in revised form 30 June 2009. Accepted 19 July 2009.
Keywords: Security; Information hiding; Image authentication; Digital watermarking; Authentication codes
Abstract
A new data hiding scheme for binary image authentication that has a small distortion of the cover image is proposed in this paper. Using a data-embedding algorithm that is based on Hamming codes, the proposed scheme embeds authentication information into the cover image by flipping only a small number of pixels. A special type of pixel is selected and flipped by a new algorithm to minimize visual distortion. This new algorithm is based on ELSSM (Edge Line Segment Similarity Measure). Because the bit order of the authentication information to be embedded is randomly shuffled, the information can only be extracted by the designated receiver who has the symmetric key. To demonstrate the feasibility of the proposed scheme, we employ two kinds of measurement metrics: miss detection rates for the degree of security, and PSNR (Peak Signal-to-Noise Ratio) and ELSSM for the degree of image distortion. Using these metrics, we analyze the proposed scheme and the previous schemes. The analysis reveals that the proposed scheme requires less image distortion than the previous schemes whilst achieving the same level of miss detection rate. Experimental results demonstrate that the proposed scheme is more resilient against recent steganalysis attacks than the previous schemes.
© 2009 Elsevier Inc. All rights reserved.
* Corresponding author.
doi:10.1016/j.ins.2009.07.014
1. Introduction
Generally, data hiding techniques are used to embed specified/secret data into digital cover content to produce stego-content with the least amount of distortion. Data hiding can be classified as digital watermarking and steganography. Digital watermarking aims to embed copyright information or authentication information into cover content for digital rights management or content authentication [3,11,14–17,26,20,27,30]. The main objective of steganography, by contrast, is to make it difficult for anyone except the designated receiver to detect the existence of a secret message hidden in stego-content. This can be useful in military applications [2,12,29].
Digital watermarking can be further classified into two methods: robust watermarking ensures the existence of embedded copyright information in spite of various content-distortion attacks, whereas fragile watermarking (a.k.a. content authentication) is designed to detect modification even when the stego-content is changed only slightly. Here, we focus on fragile watermarking.
Many methods have been suggested for color images or gray-scale images in data hiding for image contents [3,11,13,21,20,25–27]. However, data hiding for binary images has only recently become a focus in spite of its wide range of applications, such as fax images and hand-written signatures. Designing a secure data hiding scheme for binary images
is more difficult than that for color images or gray-scale images. Pixels in binary images have a value of either 0 (black) or 1 (white) only, so flipping even a small number of pixels can cause a large amount of visual distortion.
Over the past years, some data hiding schemes for binary image authentication have been suggested [14–17,28,32,33]. Unfortunately, the miss detection rate (see footnote 1) is more than $2^{-20}$ in some of the schemes [28,32]. This is inappropriate for practical applications, since the authenticity and integrity of the cover image cannot be guaranteed. The other schemes [14–16,33] require a large number of pixels to be flipped to embed authentication information. Flipping a large number of pixels produces low-quality images. Such images are vulnerable to data hiding detection techniques that are based on recognizing the frequently occurring patterns in the data-hidden images [6,7].
In this paper, we propose a new data hiding scheme for binary images. The miss detection rate of the proposed scheme is at most $2^{-80}$. The proposed scheme requires less image distortion than the previous schemes.
The proposed scheme employs a data embedding technique based on Hamming codes (H-EMBED) [29,10] to minimize the number of flipped pixels per bit of the cover image. If H-EMBED is used, a relatively large amount of data can be embedded by flipping only a small number of pixels. However, if an adversary extracts the Hamming code values from the stego-image, he can modify some part of the stego-image such that the same authentication information is extracted from the modified image [19]. To prevent this type of attack, the proposed scheme shuffles the bit order of the authentication information when it is embedded. This makes it hard for the malicious party to find the bit order of the Hamming code.
A new algorithm that is based on ELSSM (Edge Line Segment Similarity Measure) [5] is designed to select 'flippable pixels' to reduce visual distortion of the cover image.
H-EMBED is applied to only these selected flippable pixels.
The authentication information employed for the proposed scheme is a message authentication code (MAC) [8]. It guarantees that the miss detection rate of the proposed scheme is at most $2^{-80}$ [9].
We demonstrate the feasibility of the proposed scheme by conducting three types of analysis. First, the miss detection rates of the proposed scheme and the previous schemes are analyzed. Second, we compare the proposed scheme with Yang et al.'s scheme, which is known to have the least image distortion among the earlier schemes [5]. To quantify the amount of image distortion, we analyze the schemes using two metrics: Peak Signal-to-Noise Ratio (PSNR) and Edge Line Segment Similarity Measure (ELSSM) [5]. Finally, we provide evidence based on experimental results that the proposed scheme is resilient against two recent steganalysis attacks [6,7].
The remainder of this paper is organized as follows. In Section 2, the related work is given. The proposed scheme is explained in Section 3. Section 4 analyzes the performance of various schemes. Section 5 concludes the paper.
2. Related work
This section deals with work related to the proposed scheme. There has been much research on binary image authentication to date [14–17,28,32,33].
In Tzeng et al.'s scheme [28], a cover image is divided into a number of blocks. Then, the scheme embeds codewords into the blocks. To embed a codeword, one of the codeholders is selected such that the smallest number of pixel flips is required for embedding, where codeholders represent pixel positions in which the codewords are embedded. The image verifier verifies the stego-image by checking that each block has at least one of the codewords.
In 2004, Kim et al. suggested a scheme where the positions of the pixels into which authentication information is embedded are open to the public [15].
Since cryptographic primitives such as MAC or digital signature are embedded, the scheme achieves a high level of miss detection rate. However, it pseudo-randomly selects the positions of pixels into which the cryptographic primitives are embedded. This makes the stego-image relatively highly distorted visually.
A number of new approaches have been proposed to minimize visual distortion. Wu et al. introduced a flippability criterion to select pixels such that the visual distortion is minimized even when they are flipped by embedding messages [32]. Yang et al. and Kim et al. proposed new schemes with flippability criteria different from Wu et al.'s [33,16,17]. Unlike Wu et al.'s approach, in their approaches image verifiers know the positions of the pixels where the authentication information is embedded. Due to this property, their schemes are able to employ cryptographic primitives as image authentication information. However, their schemes require 0.5 pixel flipping on average to embed a bit of authentication information, a high pixel-flipping rate according to [10].
Our research objective is, first, to reduce the high pixel-flipping rate caused by embedding authentication information, and second, to use new flippability criteria and a new method to minimize visual distortion.
3. Proposed scheme
In Section 3.1, we introduce a conceptual scenario for binary image authentication. Then, we define notation in Section 3.2. In Section 3.3 we give an overview of the proposed scheme. In Section 3.4, we explain subroutines employed by the proposed scheme, followed by the details of the proposed scheme in Section 3.5. Finally, the proposed flippability criteria are explained in Section 3.6.
Footnote 1: The miss detection rate is the probability that the modified image (made by an adversary), which is different from the legitimate stego-image in which authentication information is embedded, can pass the image verification test.
3.1. Scenario
The scenario of binary image authentication is depicted in Fig. 1. There are three actors in this scenario: Alice, who embeds hidden messages in cover images to make stego-images and sends them to Bob; Bob, who extracts hidden messages from the stego-images after receiving them from Alice and verifies the validity of the extracted messages; and Warden, who checks if the images that are transferred from Alice to Bob have hidden messages and sometimes executes subtle modification of the images to break their authenticity and integrity.
Before running the scenario, we assume that a symmetric key $K \in \{0,1\}^{*}$ is shared between Alice and Bob. In the data embedding process, Alice first makes a hidden message, i.e. authentication information, using K and some cryptographic algorithm such as MAC [8]. To embed the hidden message, Alice uses a data embedding algorithm with K to generate a stego-image. The stego-image is sent to Warden.
Warden executes two procedures: (i) Warden uses statistical analysis to check if the received image has a hidden message. If Warden finds statistical anomalies in the received image compared to the usual images where there is no hidden message, he does not pass the image to Bob. (ii) Sometimes, Warden tries to deliberately modify the image, such that the modified one can pass Bob's stego-image verification test. If the stego-image passes the check procedure of (i), and the procedure (ii) is finished, it is sent to Bob.
After receiving the stego-image, Bob runs a stego-image verification algorithm. If Bob successfully verifies the stego-image, he accepts it. If not, he regards the stego-image as modified by Warden and discards it.
Warden may detect the existence of a hidden message in the stego-image, or he may modify the stego-image so that the modified stego-image passes Bob's verification test. Informally, we say that the binary image authentication algorithm is secure if Warden cannot achieve either outcome.
The following metrics are used to measure the degree of the resiliency against Warden's attacks:
Miss detection rate is the probability that the modified stego-image (by Warden) passes the stego-image verification algorithm. This should be very low to be resilient against Warden's stego-image modification attack.
Degree of image distortion denotes how much the stego-image is distorted from the original cover image by embedding the hidden message. It is closely related to the resiliency against Warden's statistical analysis attack, because Warden can detect the statistical anomalies in the stego-image with increasing ease as the degree of image distortion becomes larger. One should consider the difference in pixel values, as well as the degree of visual distortion in terms of the Human Visual System (HVS), to measure the degree of image distortion accurately.
Section 4.2.1 deals with quantifying the image distortion. We introduce recent stego-image detection techniques using the statistical anomalies of stego-images in Section 4.2.2.
3.2. Notations
This subsection explains the notation used to describe the proposed scheme and the subroutines employed by the proposed scheme. The following notation will be used throughout this paper:
Fig. 1. Scenario of binary image authentication.
$K \in \{0,1\}^{*}$: the shared key between the data embedder, e.g., Alice in Fig. 1, and the image verifier, e.g., Bob in Fig. 1.
$height$, $width$: the height and width of the cover image.
$Z_n$: $\{0, 1, \ldots, n-1\}$.
$I \in \{0,1\}^{width \times height}$: the cover image.
$p_i \in Z_{width} \times Z_{height}$, $s_i \in \{0,1\}$: $p_i = (x, y)$ denotes the position of the ith flippable pixel, and $s_i$ denotes the value of the ith flippable pixel.
$t_I$: the number of flippable pixels in image I.
$I(p_i)$: the variable that corresponds to the value of the pixel whose position is $p_i$ in image I. Changing this variable affects the corresponding pixel value at $p_i$ in I.
$|A|$: the bit length of A, where A is any object that can be represented as a bit string.
$\|$: concatenation operation.
$\overline{\,\cdot\,}$: bitwise-NOT operation.
$r$: authentication information to be embedded into the cover image.
$k$: the size of the hidden message to be embedded ($k \le t_I$).
$S \in \{0,1\}^{width \times height}$: the stego-image.
$M$: the message to be embedded into the cover image using the Hamming-code-based data embedding algorithm (see Appendix B for more details). In the proposed scheme, it is r or a chunk of r, depending on the number of flippable pixels in the cover image and k.
3.3. Overview of the proposed scheme
Our scheme is comprised of four algorithms: authentication information generation algorithm (AuthGen), data embedding algorithm (Embed), data extraction algorithm (Ext), and authentication information verification algorithm (AuthVer).
Assume that there exist a sender, a receiver, and an adversary (e.g., in Fig. 1, Alice, Bob, Warden, respectively). Given the cover image I and the shared symmetric key K as inputs, first, the sender runs AuthGen() with K and I to create authentication information by using MAC (Message Authentication Codes) [8]. He/she uses the Embed() algorithm to embed this information. This embeds the authentication information in I (K is also used to shuffle the flipped bits) to produce the stego-image S. The Embed() algorithm consists of three subroutines: FindFlip() to find flippable pixels in the cover image I, RandPerm() to shuffle the flippable pixels, and H-Embed() to embed the authentication information into only some part of the flippable pixels (using Hamming codes).
When the receiver receives the stego-image S, he/she runs the Ext() algorithm to extract authentication information in the image. Ext() consists of three subroutines: FindFlip() to find flippable pixels in the stego-image, RandPerm() to shuffle the flippable pixels, and H-Ext() to extract the embedded authentication information. Then, the receiver runs the AuthVer() algorithm to verify both authenticity and integrity of the stego-image with the extracted authentication information. AuthVer() runs AuthGen() to generate authentication information using MAC. Then, it compares the generated authentication information to the extracted one. If they are identical, the stego-image is authenticated (see Fig. 1).
3.4. Employed subroutines
The following algorithms act as subroutines for the proposed scheme.
$\mathrm{FindFlip}(I): \{0,1\}^{width \times height} \rightarrow ((Z_{height} \times Z_{width}) \times \{0,1\})^{t_I}$. This algorithm finds flippable pixels in image I and returns their sequence of positions and pixel values, i.e., $(p_1, s_1), \ldots, (p_{t_I}, s_{t_I})$ where $p_i = (x_i, y_i)$ and $s_i = 0$ or $1$. Although this algorithm can be implemented by using Yang et al.'s method [33] or Kim et al.'s method [14], we devise a new scheme to find more flippable pixels than [33]. This is explained in Section 3.6.
$\mathrm{RandPerm}(((p_1, s_1), \ldots, (p_{t_I}, s_{t_I})), K): ((Z_{height} \times Z_{width}) \times \{0,1\})^{t_I} \times \{0,1\}^{*} \rightarrow ((Z_{height} \times Z_{width}) \times \{0,1\})^{t_I}$. This shuffles the sequence of (position, pixel value) pairs using a pseudo-random permutation algorithm [1,23,24] with symmetric key K. This algorithm can be implemented with standard symmetric key encryption algorithms.
$\mathrm{MACGen}(I, K): \{0,1\}^{width \times height} \times \{0,1\}^{*} \rightarrow \{0,1\}^{k}$. This is a MAC generation algorithm that gets I as a message and K as a symmetric key. Various secure MAC algorithms, such as HMAC and VMAC [8,18], can be used.
$\mathrm{H\text{-}Embed}(I, M): \{0,1\}^{width \times height} \times \{0,1\}^{\lfloor \log_2(width \times height + 1) \rfloor} \rightarrow \{0,1\}^{width \times height}$. This is the data embedding algorithm based on the Hamming code. Given a c-bit cover image, it can embed a message of at most $\lfloor \log_2(c+1) \rfloor$ bits into the cover image by flipping only one pixel in the cover image. Refer to Appendix B for more information about this algorithm.
$\mathrm{H\text{-}Ext}(S): \{0,1\}^{width \times height} \rightarrow \{0,1\}^{\lfloor \log_2(width \times height + 1) \rfloor}$. This is the data extraction algorithm based on the Hamming code. Given a stego-image S, which is c bits long, it extracts a hidden message of at most $\lfloor \log_2(c+1) \rfloor$ bits from S. The description of this algorithm is detailed in Appendix B.
3.5. Proposed algorithms
In this subsection, the algorithms in the proposed scheme are explained. They are the authentication information generation algorithm (AuthGen), data embedding algorithm (Embed), data extraction algorithm (Ext), and authentication information verification algorithm (AuthVer).
3.5.1. AuthGen
Given the cover image and a shared symmetric key as inputs, AuthGen generates authentication information. It first finds the flippable pixels in the cover image and sets them to zero. This means they are cleared to be black pixels. Then, it computes the MAC of the cleared cover image and returns the MAC. Algorithm 1 describes AuthGen in detail.
Algorithm 1. Authentication information generation algorithm (AuthGen)
Require: Image $I \in \{0,1\}^{width \times height}$, symmetric key $K \in \{0,1\}^{*}$
1: $(p_1, s_1), (p_2, s_2), \ldots, (p_{t_I}, s_{t_I}) \leftarrow \mathrm{FindFlip}(I)$. // Find flippable pixels ($p_i = (x_i, y_i)$, $s_i = 0$ or $1$).
2: $I(p_1) \leftarrow 0, \ldots, I(p_{t_I}) \leftarrow 0$. // Clear the found flippable pixels in I.
3: $r \leftarrow \mathrm{MACGen}(I, K)$. // Generate authentication information using K.
4: return $r$. // Return the authentication information.
3.5.2. Embed
The Embed algorithm is characterized by the following techniques. Note that authentication information should be embedded into only the flippable pixels. To do this, Embed shuffles the positions of the flippable pixels by using the pseudo-random permutation based on the symmetric key. Authentication information is embedded into the shuffled positions, where the number of flipped pixels is minimized using H-Embed.
We now describe why we combine H-Embed and this shuffling technique, rather than just employ H-Embed as a data embedding algorithm. Employing H-Embed alone incurs a problem where anyone can find/forge other stego-images that have the same hidden message as the original stego-image. More specifically, recall that in H-Embed, $\lfloor \log_2(c+1) \rfloor$ bits of a message can be embedded into a c-bit cover image by flipping at most one pixel from the cover image. However, due to the property of the Hamming code, for a given c-bit stego-image S, anyone can find another $2^{c - \lfloor \log_2(c+1) \rfloor}$ c-bit images in which the same message is embedded as in S. In the sense of conventional data hiding, which aims to transfer a secret message without degrading the visual quality of the cover image, this property does not cause a serious problem, even if just H-Embed is used for the data embedding algorithm. However, if the authenticity and integrity preservation problems are of concern, this is serious because it allows the adversary (Warden) to replace the original stego-image with another fake image that has the same hidden message as the original: the stego-image verifier cannot discover the replacement.
A block-wise approach is employed in the proposed scheme to increase the embedding capacity. All flippable pixels are divided into n F-BLOCKs, $FB_1, FB_2, \ldots, FB_n$, each of which has the same bit length ($= t_I / n$). Then authentication information is also divided into n chunks. Finally, each chunk is embedded into each $FB_i$.
This is a trade-off between capacity and image distortion: the number of embedded bits increases as n, the number of F-BLOCKs, increases. However, larger n increases the number of flipped pixels, since it is necessary to flip at most one pixel in each $FB_i$. The Embed algorithm is described in Algorithm 2 in detail.
Algorithm 2. Description of Embed
Require: Image $I \in \{0,1\}^{width \times height}$, symmetric key $K \in \{0,1\}^{*}$, auth. information $r \in \{0,1\}^{k}$.
1: $(p_1, s_1), \ldots, (p_{t_I}, s_{t_I}) \leftarrow \mathrm{FindFlip}(I)$. // Find flippable pixels ($p_i = (x_i, y_i)$, $s_i = 0/1$).
2: $(p'_1, s'_1), \ldots, (p'_{t_I}, s'_{t_I}) \leftarrow \mathrm{RandPerm}(((p_1, s_1), \ldots, (p_{t_I}, s_{t_I})), K)$. // Shuffle the flippable pixels.
3: Find n such that $k \le n \lfloor \log_2(\lfloor t_I/n \rfloor + 1) \rfloor$. If there is no n satisfying the equation, exit the procedure because the bit length of r is too big to be embedded into I.
4: Divide $s'_1 \| s'_2 \| \cdots \| s'_{t_I}$ into n chunks of $\lfloor t_I/n \rfloor$ bits, $FB_1, \ldots, FB_n$, where $FB_j = s'_{(j-1)\lfloor t_I/n \rfloor + 1} \| \cdots \| s'_{j \lfloor t_I/n \rfloor}$ $(1 \le j \le n)$.
5: Divide r into a number of $\lfloor \log_2(\lfloor t_I/n \rfloor + 1) \rfloor$-bit chunks. Let the number of chunks be $n'$ $(\le n)$ and the chunks be $m_1, \ldots, m_{n'}$.
6: For $i = 1, \ldots, n'$, execute $RB_i \leftarrow \mathrm{H\text{-}Embed}(FB_i, m_i)$. // $RB_1, \ldots, RB_{n'}$: modified flippable pixels where r is embedded.
7: For $i = 1, \ldots, n'$, find the position $f_i$ $(\in \{1, 2, \ldots, \lfloor t_I/n \rfloor\})$ at which the pixel value in $FB_i$ is different from that in $RB_i$. If there is no difference between $FB_i$ and $RB_i$, set $f_i \leftarrow 0$.
8: for $i = 1$ to $n'$ do // for each $FB_i$
9: if $f_i \ne 0$ then
10: $I(p'_{(i-1)\lfloor t_I/n \rfloor + f_i}) \leftarrow \overline{s'_{(i-1)\lfloor t_I/n \rfloor + f_i}}$ // Flip the pixel value at position $f_i$ on $FB_i$ in I
11: end if
12: end for
13: $S \leftarrow I$
14: return $S$ // Return the stego-image.
3.5.3. Ext
The Ext algorithm is the reverse procedure of Embed. First it divides the received stego-image into a number of F-BLOCKs, considering the bit length of the authentication information to be received. Then, it extracts the authentication information from the F-BLOCKs after finding the F-BLOCKs using the pseudo-random permutation of flippable pixels with a shared symmetric key. Note that the positions of flippable pixels should be the same in both the cover image and its corresponding stego-image. In Section 3.6, we describe a new algorithm to uncover them. Algorithm 3 explains the Ext algorithm.
Algorithm 3. Description of Ext
Require: $S \in \{0,1\}^{width \times height}$; $K \in \{0,1\}^{*}$; k: length of r.
1: $(p_1, s_1), \ldots, (p_{t_I}, s_{t_I}) \leftarrow \mathrm{FindFlip}(S)$.
2: $(p'_1, s'_1), \ldots, (p'_{t_I}, s'_{t_I}) \leftarrow \mathrm{RandPerm}(((p_1, s_1), \ldots, (p_{t_I}, s_{t_I})), K)$.
3: Find n such that $k \le n \lfloor \log_2(\lfloor t_I/n \rfloor + 1) \rfloor$. If there is no n satisfying the equation, exit the procedure because the bit length of r is too big.
4: Divide $s'_1 \| s'_2 \| \cdots \| s'_{t_I}$ into n chunks of $\lfloor t_I/n \rfloor$ bits, $RB_1, \ldots, RB_n$, where $RB_j = s'_{(j-1)\lfloor t_I/n \rfloor + 1} \| \cdots \| s'_{j \lfloor t_I/n \rfloor}$ $(1 \le j \le n)$.
5: For $i = 1, \ldots, n$, execute $m_i \leftarrow \mathrm{H\text{-}Ext}(RB_i)$.
6: $r \leftarrow$ most significant k bits of $m_1 \| \cdots \| m_n$.
7: return $r$.
3.5.4. AuthVer
This algorithm verifies both the authenticity and integrity of the stego-image with the authentication information extracted by the Ext algorithm. If the flippable pixels in the stego-image are cleared, this cleared stego-image is the same as the cleared cover image, i.e. the result of clearing all the flippable pixels in the cover image. On this basis, if the stego-image is not forged, the MAC of the cleared stego-image is the same as that of the cleared cover image under the same symmetric key.
The AuthVer algorithm computes the MAC of the cleared stego-image with a shared symmetric key, and checks if the generated MAC is the same as the authentication information, which is the MAC of the cleared cover image. If both MACs are the same, AuthVer returns 1: that is, the stego-image is authenticated. Otherwise it returns 0. Algorithm 4 explains AuthVer.
Algorithm 4. Description of AuthVer
Require: $S \in \{0,1\}^{width \times height}$; $K \in \{0,1\}^{*}$, and $r \in \{0,1\}^{k}$. // r: extracted auth. information.
1: $(p_1, s_1), (p_2, s_2), \ldots, (p_{t_I}, s_{t_I}) \leftarrow \mathrm{FindFlip}(S)$. // Find flippable pixels.
2: $S(p_1) \leftarrow 0, \ldots, S(p_{t_I}) \leftarrow 0$. // Clear the flippable pixels.
3: $r' \leftarrow \mathrm{MACGen}(S, K)$. // Generate authentication information.
4: if $r = r'$ then
5: return 1.
6: end if
7: return 0.
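The four algorithms of Section 3.5 wired together, as an added Python example that is not the authors' code. Assumptions: FindFlip is replaced by a fixed list of flippable positions (the ELSSM criteria are not reproduced), RandPerm is a sort by HMAC-SHA-256 tag, H-Embed/H-Ext are the standard Hamming syndrome embedding, the smallest valid n is chosen, and the cover image, positions and key are constructed sample data.

```python
import hashlib
import hmac
import random

MAC_BITS = 224  # k: the page's comparison uses a 224-bit HMAC-SHA tag


def auth_gen(image, flip_pos, key):
    """AuthGen: clear every flippable pixel, then MAC the cleared image."""
    cleared = list(image)
    for p in flip_pos:
        cleared[p] = 0
    tag = hmac.new(key, bytes(cleared), hashlib.sha224).digest()
    return [(byte >> (7 - i)) & 1 for byte in tag for i in range(8)]


def rand_perm(flip_pos, key):
    """RandPerm stand-in (assumption): order positions by a keyed PRF tag."""
    def prf(p):
        return hmac.new(key, b"perm" + p.to_bytes(4, "big"), hashlib.sha256).digest()
    return sorted(flip_pos, key=prf)


def choose_n(k, t):
    """Smallest n with k <= n * floor(log2(floor(t/n) + 1)) (Embed step 3)."""
    for n in range(1, t + 1):
        bits = (t // n + 1).bit_length() - 1
        if n * bits >= k:
            return n, t // n, bits
    raise ValueError("authentication information does not fit")


def syndrome(image, block, bits):
    """H-Ext on one F-BLOCK: XOR of the 1-based indices of the set pixels."""
    s = 0
    for idx in range(1, 2 ** bits):
        if image[block[idx - 1]]:
            s ^= idx
    return s


def embed(image, flip_pos, key, r):
    """Embed: write r into the shuffled F-BLOCKs, at most one flip per block."""
    order = rand_perm(flip_pos, key)
    n, size, bits = choose_n(len(r), len(order))
    stego = list(image)
    for i in range(0, len(r), bits):
        chunk = (r[i:i + bits] + [0] * bits)[:bits]   # zero-pad the last chunk
        m = int("".join(map(str, chunk)), 2)
        j = i // bits
        block = order[j * size:(j + 1) * size]
        d = syndrome(stego, block, bits) ^ m          # H-Embed: pixel to flip
        if d:
            stego[block[d - 1]] ^= 1
    return stego


def extract(stego, flip_pos, key, k=MAC_BITS):
    """Ext: read every F-BLOCK's syndrome and keep the first k bits."""
    order = rand_perm(flip_pos, key)
    n, size, bits = choose_n(k, len(order))
    out = []
    for j in range(n):
        s = syndrome(stego, order[j * size:(j + 1) * size], bits)
        out += [(s >> (bits - 1 - b)) & 1 for b in range(bits)]
    return out[:k]


def auth_ver(stego, flip_pos, key):
    """AuthVer: extracted tag must equal the MAC of the cleared stego-image."""
    r = extract(stego, flip_pos, key)
    return hmac.compare_digest(bytes(r), bytes(auth_gen(stego, flip_pos, key)))


def tamper(image, p):
    """Return a copy of image with pixel p flipped."""
    out = list(image)
    out[p] ^= 1
    return out


# Constructed sample data: a random 64x64 binary image, 600 positions that the
# (not reproduced) FindFlip is assumed to return for both cover and stego-image.
rng = random.Random(2009)
COVER = [rng.randint(0, 1) for _ in range(64 * 64)]
FLIPPABLE = sorted(rng.sample(range(64 * 64), 600))
KEY = b"constructed-demo-key"
STEGO = embed(COVER, FLIPPABLE, KEY, auth_gen(COVER, FLIPPABLE, KEY))
CHANGED = [p for p in range(len(COVER)) if COVER[p] != STEGO[p]]

if __name__ == "__main__":
    print("pixels flipped:", len(CHANGED))
    print("stego verifies:", auth_ver(STEGO, FLIPPABLE, KEY))
    print("after flipping pixel", CHANGED[0], ":",
          auth_ver(tamper(STEGO, CHANGED[0]), FLIPPABLE, KEY))
```
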
3.6. New efficient algorithm for finding flippable pixels
In this subsection, we describe a new algorithm to find flippable pixels. The algorithm should meet the following two requirements. First, it should be able to carefully choose the flippable pixels, such that the visual distortion caused by flipping (some of) these pixels is minimized, and second, the algorithm should be able to find the identical pixels in both the original cover image and the stego-image.
To the best of our knowledge, Yang et al.'s method [33] and Kim et al.'s algorithm [14] meet these two requirements. We enhance Yang et al.'s method by using ELSSM (Edge Line Segment Similarity Measure) [5] to minimize visual distortion.
In Yang et al.'s method, the image I is processed by $3 \times 3$ or $4 \times 4$ blocks, or larger (blocks can be either disjoint or interlaced [33]). Each pixel in a block can be a boundary pixel or an internal pixel (e.g., in a $4 \times 4$ block, the center four pixels are internal and the 12 others are boundary). For all internal pixels in each block, this scheme finds flippable pixels that meet the above two requirements (by using d 2 and p 4 condition [33]).
This scheme uses flippability criteria to minimize visual distortion. This provides a means to check if significant visual distortion is caused by flipping the center pixel in each of the $3 \times 3$ sub-blocks in the block (see Fig. A.1 in Appendix A). To meet the second requirement, this scheme checks d 2 and p 4 conditions [33] for all internal pixels in the block. If these pixels pass these conditions, they can be considered as flippable. This scheme guarantees that if the sender finds a sequence of the flippable pixels that meet d 2 and p 4 conditions, then, although some of the pixels are flipped, the receiver can correctly recover the same sequence of the flippable pixels in the stego-image.
[Figure 2: 3×3 flipping patterns, each drawn with black pixels, white pixels and a marked center pixel and labelled a(b), where a is the ELSS distortion of the pattern and b is the number of cases in the pattern (256 cases overall, because the center pixel is not considered); * excludes the reversion case, where all of the pixels except the center pixel are flipped. The patterns are grouped as: the cases that the proposed scheme uses; all the cases where the line is not broken and there is no salt pixel; all the cases where ELSS ≤ 3.]
Fig. 2. Flippability criteria in the proposed method.
First, we enhance Yang et al.'s scheme by increasing the block size infinitely. Recall that in each block, boundary pixels cannot be flippable, so if the block size is increased, there is a possibility that the number of flippable pixels can be increased. However, as shown in [33] and Fig. 4 in Section 4.2, experimental results show that the blockless method does not significantly increase the number of flippable pixels and adopting a $4 \times 4$ block is optimal in most cases.
Hence, we use flippability criteria that differ from Yang et al.'s method. Our criteria are based on ELSSM [5]. Let us consider the problem of flipping the center pixel in a $3 \times 3$ sub-block. Since the sub-block consists of nine pixels and the center pixel is regarded as a "don't care" pixel, there are $2^8 = 256$ cases. For each case, we calculated ELSS [5] to represent the degree of visual distortion (by flipping the center pixel). Then, we select the cases where ELSS is less than or equal to 3 (see Fig. 2). Among them, we further carefully select seven patterns where flipping does not break the line or produce a salty (isolated) pixel. Using these seven patterns we conducted various experiments, which show that if we include the 7th pattern, the number of flippable pixels is reduced. Hence, we exclude this pattern and use only six patterns (Fig. 2). The rationale why the seven patterns are selected is detailed in Appendix D.
4. Performance analysis
The performance comparison between the proposed scheme and the previous schemes is carried out in this section. We analyze the miss detection rate and the amount of distortion of the stego-images, defined in Section 3.1. We formulate the number of flipped pixels in terms of the bit length of the cover image and the bit length of the authentication information embedded. PSNR and ELSSM are employed to quantify the degree of visual distortion.
4.1. Analysis of miss detection rates and the number of flipped pixels
In this subsection, the miss detection rate and the number of flipped pixels of the proposed scheme are first analyzed. Then, the comparative results between the proposed and the previous schemes are shown.
4.1.1. Analysis of the proposed scheme
In the proposed scheme, at most one pixel is flipped per F-BLOCK, and the number of F-BLOCKs is determined based on the bit length of the embedded data. If the embedded data is k bits long, and the number of flippable pixels is $t_I$, the relation between k, $t_I$, and the number of F-BLOCKs n is defined by the equation $k = n \lfloor \log_2(\lfloor t_I/n \rfloor + 1) \rfloor$. In this case, the probability of flipping a pixel in an F-BLOCK is $1 - (1/2)^{\lfloor \log_2(\lfloor t_I/n \rfloor + 1) \rfloor}$: each F-BLOCK is mapped to a chunk of the embedded data that is $\lfloor \log_2(\lfloor t_I/n \rfloor + 1) \rfloor$ bits long, and $1/2^{\lfloor \log_2(\lfloor t_I/n \rfloor + 1) \rfloor}$ is the probability that an F-BLOCK is mapped to the data chunk as it is, i.e. the probability that a pixel of an F-BLOCK should be flipped to embed the data chunk is $1 - 1/2^{\lfloor \log_2(\lfloor t_I/n \rfloor + 1) \rfloor}$ (see footnote 2). Therefore, the number of flipped pixels in the stego-image is $n (1 - (1/2)^{\lfloor \log_2(\lfloor t_I/n \rfloor + 1) \rfloor})$ on average.
Footnote 2: Note that flipping only one pixel in an F-BLOCK is enough to have the F-BLOCK be mapped to the intended data chunk.
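The flip-count formula of Section 4.1.1 evaluated for a 224-bit MAC, as an added Python example that is not part of the paper. It assumes the smallest n satisfying step 3 of Algorithm 2 is chosen, uses the 1.7% flippable-pixel ratio and the 0.5 flips per bit of the earlier schemes quoted on this page, and the square cover sizes are constructed.

```python
def choose_blocks(k, t):
    """Smallest n with k <= n * floor(log2(floor(t/n) + 1)).

    Returns (n, bits_per_block), or None when k bits cannot be embedded
    into t flippable pixels for any n (Algorithm 2 then exits).
    """
    for n in range(1, t + 1):
        bits = (t // n + 1).bit_length() - 1   # floor(log2(floor(t/n) + 1))
        if n * bits >= k:
            return n, bits
    return None


def expected_flips(k, t):
    """Average flipped pixels: n * (1 - (1/2)^bits), one F-BLOCK at a time."""
    found = choose_blocks(k, t)
    if found is None:
        return None
    n, bits = found
    return n * (1 - 0.5 ** bits)


def flip_table(k=224, sides=(256, 512, 1024), per_mille=17):
    """Rows of (side, t_I, n, expected flips, flips at 0.5 per embedded bit).

    per_mille=17 is the 1.7% flippable-pixel ratio reported on the page;
    the image sides are constructed sample sizes.
    """
    rows = []
    for side in sides:
        t = side * side * per_mille // 1000
        found = choose_blocks(k, t)
        if found is None:
            continue                            # MAC does not fit this cover
        rows.append((side, t, found[0], expected_flips(k, t), 0.5 * k))
    return rows


if __name__ == "__main__":
    for side, t, n, flips, baseline in flip_table():
        print(f"{side}x{side}: t_I={t} n={n} "
              f"expected flips={flips:.2f} (0.5 flips/bit: {baseline:.0f})")
```
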
Table 1. Performance comparison (n: number of F-blocks. h: bit length of watermark (MAC or visually recognizable one). y: It depends on used MAC algorithm, e.g., C $2^{-112}$ for the 224-bit HMAC-SHA. x: m: number of blocks, q: number of codeholders, k: size of each codeholder, c: bit length of the cover image. U: Due to the parity attack [13]).
Schemes
Wu et al. [32]
Miss detection rate
Distortion
Tzeng et al. [28]
1=h q P P k x m ki¼1 i ðAi Ai1 Þ Al ¼ 1 2k kj¼lþ1 j
h=2 h i 1 ðð2k 1Þ=2k Þq (in [28])
Kim [14] and Yang et al. [33]
Cy
Proposed scheme
Cy
h=2 n 1 1=2blog2 ðbc=ncþ1Þc
U
The miss detection rate of the proposed scheme is derived as follows. For a modified stego-image to pass the image verification test, the adversary should generate a new MAC, which corresponds to the modified stego-image, and should embed it. Thus, if the modified pixels are not flippable, the probability that the modified stego-image passes the test is the same as that of being successful in cryptographically forging the original MAC in the stego-image. If the malicious party modifies the flippable pixels in the stego-image, the modified stego-image cannot pass the verification test because there is a one-to-one relation between the stego-image and its MAC value. That is, given a secret key, the only MAC value to make the stego-image pass the test is the original one. Therefore, the probability that the modified stego-image can pass the verification test is at most the probability that a MAC can be cryptographically forged. This is extremely small and depends on the bit length of the MAC, k in the proposed scheme [9].
4.1.2. Comparative results on miss detection rates and distortion
Table 1 shows the number of flipped pixels and miss detection rates of the proposed and the previous schemes based on the bit length of the cover image and that of the embedded authentication information. This table shows that Wu et al.'s scheme [32] has a relatively high miss detection rate (see footnote 3). Table 1 also implies that the proposed scheme needs to flip a smaller number of pixels than Yang et al.'s and Kim et al.'s schemes [14,33].
Fig. 3 shows the number of flipped pixels required in each of the schemes according to the bit length of the cover images, where a 224-bit MAC is used as authentication information. We adjusted the parameters used for each of the schemes so they have the same miss detection rate (see footnote 4). We assume that 1.7% of pixels are flippable in common binary images (obtained from our experiments). Fig. 3 implies that the proposed scheme is better than Tzeng et al.'s, Kim et al.'s, and Yang et al.'s schemes in terms of the number of flipped pixels. The number of flipped pixels decreases in the proposed scheme as the size of the cover image becomes bigger.
4.2. Comparison of Yang et al.'s flippability algorithm and the proposed algorithm to find flippable pixels
In this subsection, we compare Yang et al.'s method [33] and our algorithm in terms of the number of flippable pixels. Fig. 4 shows the experimental results on various images. As described in Section 3.6, in Yang et al.'s scheme the blockless method does not significantly increase the number of flippable pixels. However, using our new flippability criteria, described in Section 3.6, the number of flippable pixels is significantly increased in most cases.
4.2.1. Visual distortion assessment
We assess the visual distortion of the proposed scheme by comparing the proposed scheme to previous schemes. Since previous work indicates that Yang et al.'s scheme is the best scheme in terms of visual distortion [5], we only compare the proposed scheme with Yang et al.'s scheme by measuring PSNR and ELSSM in the case where various lengths of MACs are embedded into various types of cover images in both of the schemes.
PSNR is a well-known method to assess the visual distortion of digital images [4,5,7,22]. It is defined as follows:
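$$\mathrm{PSNR\,(dB)} = 10\log_{10}\frac{P^{2}\times \mathit{width}\times \mathit{height}}{\sum_{x=0}^{\mathit{width}-1}\sum_{y=0}^{\mathit{height}-1}\bigl(g(x,y)-f(x,y)\bigr)^{2}}, \qquad (1)$$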
where $f(x,y)$ is the pixel value located at $(x,y)$ in the cover image, $g(x,y)$ is that in the stego-image, and $P$ denotes the maximum peak-to-peak signal difference: since a pixel value can be only either 0 or 1, $P = 1$ in binary images. $\mathit{width}$ and $\mathit{height}$ denote the width and height of the images, respectively.

To the best of our knowledge, ELSSM [5] is the most accurate method to measure visual distortion amongst the recent work such as DRDM (Distance Reciprocal Distortion Measure) [22] and CSCM (Change in Smoothness and Connectivity Measure) [4]. In ELSSM, the cover image is divided into a number of segments. A segment consists of a number of black pixels.

3 According to our analysis, Wu et al.’s scheme requires additional techniques to achieve an appropriate level of the miss detection rate in spite of its advantage of requiring only a small amount of visual distortion in the data embedding process; we therefore omitted Wu et al.’s scheme in Fig. 3.

4 Because Tzeng et al.’s scheme does not embed arbitrary authentication information, we make Tzeng et al.’s scheme have the same miss detection rate $= 2^{-112}$ by adjusting the other parameters for fair comparison.
[Figure 3: plot of distortion (the number of flipped pixels) against the size of cover image (in bits); curves: Yang et al and Kim's schemes [31],[5], Tzeng et al's scheme [25], the proposed scheme.]
Fig. 3. Distortion comparison for different host image sizes (the miss detection rate: $2^{-112}$, the number of flippable pixels: 1.7% of the host image size).
[Figure 4: bar chart of the number of available flippable pixels for Yang (4x4 interlaced block), Yang (no block) and the proposed scheme; cover images: Clinton's (288*48), Hunter (120*150), Photo (640*337), Chinese (327*101), Japanese (342*178), English (389*214), Text (256*256), Korean (217*177).]
Fig. 4. Comparison results on the number of flippable pixels.
Each of these pixels is connected with at least one of the other pixels in the segment; then the stego-image is also divided into a number of segments. Next, each of the segments in the stego-image is mapped to each of those in the cover image with respect to their location. After the mappings are finished, the change of borderlines (footnote 5) between the segments in the stego-image and their corresponding segments in the cover image is measured. The degree of the change is quantified by the assessment criteria that reflect the visual effect caused by the change. Fig. 5 shows the positions of flipped pixels in English 1 image and Hunter image [32] in the case where the MAC is embedded with the proposed scheme and Yang et al.’s scheme. Fig. 5 shows that fewer pixels are flipped in the stego-images of the proposed scheme than in those of Yang et al.’s scheme.

5 Borderline means the black pixels that are connected with at least one white pixel.
[Figure 5 panels: (a) Chinese (327 * 101) cover image; (b) The proposed scheme; (c) Yang et al.’s scheme with no block; (d) Yang et al.’s scheme with 4 * 4 interlaced block; (e) Hunter (120 * 150) cover image; (f) The proposed scheme; (g) Yang et al.’s scheme with no block; (h) Yang et al.’s scheme with 4 * 4 interlaced block. Annotations in the figure: the proposed scheme (136 pixels are flipped); Yang et al.’s scheme with no block (265 pixels are flipped); Yang et al.’s scheme with 4x4 interlaced block (252 pixels are flipped).]
Fig. 5. Distortion (shown in black) comparison, where the 224-bit HMAC (with SHA-224) is used.
We carried out the experiments with five text images and three picture images. The specifications of the images are shown in Fig. 8, where we calculated PSNR and ELSSM of the images after embedding various sized authentication information.
[Figure 6: six panels, Korean (217 * 177), Text (256 * 256), Chinese (327 * 101), English (389 * 214), Japanese (342 * 178) and Photo (640 * 347); y-axis: PSNR (dB); x-axis: the amount of data embedded (in bits); curves: Yang (4*4), Yang (blockless), Proposed.]
Fig. 6. Comparison of PSNR for various types of images.
Figs. 6 and 7 show the amount of visual distortion with respect to PSNR and ELSSM where various sizes of authentication information are embedded into diverse types of cover images using the proposed scheme and Yang et al.’s scheme. Fig. 8 depicts the cover images used in the analysis. Generally, the less visual distortion occurs on the stego-image, the bigger the PSNR value of the stego-image. Conversely, the ELSSM value is in proportion to the amount of visual distortion. From Figs. 6 and 7, it is shown that the proposed scheme produces smaller visual distortion than the previous works when embedding the same amount of authentication information into the cover image.

[Figure 7: six panels, Text (256 * 256), Korean (217 * 177), Chinese (327 * 101), English (389 * 214), Japanese (342 * 178) and Photo (640 * 347); y-axis: ELSSM; x-axis: the amount of data embedded (in bits); curves: yang (4*4), yang (blockless), proposed; annotation: "Exceeding available capacity".]
Fig. 7. Comparison of ELSSM for various types of images.

4.2.2. Resiliency against recent steganalysis attacks

Recently, two steganalysis attacks have been proposed against data hiding for binary images [6,7]. The first one aims to detect secret messages hidden in the stego-image. The basis of the attack is that secret messages are hidden in the L-blocks with high probability, because this causes less visual distortion than the other types of blocks [6]. The L-block is shown in Fig. 9. In the attack, a target image, which is suspected of having a hidden message, is divided into a number of segments (footnote 6). Then, the segments are divided into a number of groups based on their similarity. Next, each group selects a representative segment, whose pixel values are the rounded-off averages of those of all the segments in the group. Finally, each of the segments in the same group is compared to the representative with respect to the center pixel value of the L-blocks in them, as follows.

6 A segment consists of the black pixels connected to one another.

Let $G_1$ be a group and its representative segment be $s_r$. If the member segments of $G_1$ are $s_1, \ldots, s_k$, then $E_{G_1}$, $E_{G_1}^{(e_1)}$, and $E_{G_1}^{(e_2)}$ are defined as follows. $E_{G_1} = \{(x,y) \mid \forall i \in [1,k],\ s_i(x,y) \neq s_r(x,y) \wedge (x,y) \text{ is the L-block center}\}$, where $s(x,y)$ is the pixel value at position $(x,y)$ in segment $s$. $E_{G_1}^{(e_1)} = \{(x,y) \mid (x,y) \in E_{G_1} \wedge (x,y) \text{ is adjacent to center of L-block}\}$. $E_{G_1}^{(e_2)} = \{(x,y) \mid (x,y) \in E_{G_1} \setminus E_{G_1}^{(e_1)}\}$. After calculating $E_{G_1}$, $E_{G_1}^{(e_1)}$, and $E_{G_1}^{(e_2)}$, the representative values of $G_1$, $n_1^{(G_1)} = |E_{G_1}^{(e_1)}| / |E_{G_1}|$ and $n_2^{(G_1)} = |E_{G_1}^{(e_2)}| / |E_{G_1}|$, are computed. These steps are executed for all the groups in the stego-image. After the execution, let the average values of the $n_1^{(G_i)}$s and $n_2^{(G_i)}$s be $n_1$ and $n_2$, respectively, where $G_i$ is a group in the target stego-image. Then, the representative value of the target stego-image, $k$, is computed using the following equation:
$$k = |n_1 - n_2|. \qquad (2)$$
Cheng et al. [6] show that if some hidden message is embedded into the target stego-image, then $k$ of the target stego-image is greater than 0.04.
[Figure 8 panels: (a) Text (256 * 256); (b) English (389 * 214); (c) Chinese (327 * 101); (d) Japanese (342 * 178); (e) Korean (217 * 177); (f) Photo (640 * 337); (g) Clinton’s signature (288 * 48); (h) Hunter (120 * 150).]
Fig. 8. Various types of cover images used in the experiments.
Fig. 9. An L-block. 16 types of L-blocks exist by complementing, mirroring, and rotating. The pixel that includes 'A' is at the center of the L-block.
Based on the criteria in [6], we check if the $k$ values of the stego-images generated with the proposed scheme are less than 0.04. Since the method of [6] mainly targets binary text images, we apply this analysis to all the binary text images and just one picture image. The result is shown in Fig. 10. From this analysis, it is concluded that the proposed scheme is resilient to the attack of [6]. In addition, the 6th graph in Fig. 10 shows that the steganalysis does not work for picture images, as the authors of [6] claim in their paper. Regardless of the scheme used, the $k$ value of the "photo" image is very close to zero.

Fig. 10. Resiliency against the steganalysis attack in [6]. If $k > 0.04$, adversary detects the existence of a hidden message in the stego-image.

The main target of the second attack is binary cartoon images [7]. In the attack, the corresponding cover image is recovered from the candidate stego-image based on the predefined rules. After the recovery, it measures the degree of visual distortion in the stego-image with the recovered cover image based on well-known measurement metrics such as PSNR and ELSSM. If the difference of the metrics between the candidate stego-image and the recovered cover image is beyond the appropriate level, the attack algorithm concludes the candidate stego-image has a hidden message. This type of attack does not work for the proposed scheme, because the proposed scheme is intended to generate a stego-image whose PSNR and ELSSM are very close to those of the original cover image. Moreover, the recovery algorithm of the attack cannot generate the exact original cover image. Thus, the difference of PSNR (and ELSSM) between the recovered cover image and the stego-image is less than that between the original cover image and the stego-image. For this reason, the proposed scheme is resilient to the attack in [7].

4.3. Capacity limitation

This subsection deals with the issue of the maximum amount of data to be embedded. The proposed scheme has a limited amount of embeddable data. This is the number of available flippable pixels in the host image. If the bit length of data is greater than this, the data cannot be embedded using the proposed scheme. However, the main objective of data hiding is that data can be embedded into the host content, whilst minimizing the degradation of its visual quality by data embedding. Thus, the foremost requirement should be that the content modification by data embedding should not, to a great extent, degrade visual quality. Available capacity is inevitably limited due to this constraint.

We tried to maximize the number of bits that can be embedded. The experimental results, in Figs. 6 and 7 of Section 4.2.2, show our scheme has higher available capacity than Yang et al.’s scheme when the same amount of image distortion is allowed in both cases. Moreover, the proposed scheme is superior to Yang et al.’s scheme in terms of the maximum amount of embeddable data. This depends on the number of flippable pixels in most of the recent data hiding schemes for binary images [16,14,33] that consider minimizing the visual distortion using data embedding. Fig. 4 shows that, in most cases, the number of flippable pixels in the proposed scheme is more than that in Yang et al.’s approach for the same host image. In terms of image authentication, the proposed scheme supports a way to embed a sufficient amount of data in the sense that the required number of bits to embed cryptographically secure information is just 64 [18]. As in Figs. 4 and 8, the proposed scheme supports around 100-bits capacity, even though the host image is just a hand-written signature of very small size.

5. Conclusion

In this paper, we proposed a new binary image authentication scheme with small image distortion preserving a very low level of miss detection rates. We showed that the proposed scheme flips fewer pixels and causes less visual distortion than the previous schemes in terms of PSNR and ELSSM criteria. We devised new flippability criteria based on ELSSM where experimental results show that our criteria find more flippable pixels than Yang et al.’s criteria. Moreover, experimental results show that the proposed scheme is more resilient against some known steganalysis attacks.

Acknowledgements

The authors would like to thank the editor-in-chief and anonymous reviewers for helpful comments and suggestions that improved the quality and readability of the paper. This work was supported by the Korea Research Foundation Grant funded by the Korean Government (MOEHRD) (KRF:2007-357-D00243).

Appendix A. Yang et al.’s pixel flippability criteria

Yang et al.’s flippability criteria are detailed in this section. To formalize the criteria, it is assumed that $p_c$ is the value of the target pixel whose flippability is being judged and $p_c$’s eight adjacent pixels are denoted as $w_1, w_2, \ldots, w_8$. The positions of the adjacent pixels related to the target pixel are depicted in Fig. A.1a. $N_{vw}$, $N_{vb}$, $N_{ir}$, and $N_C$ values are computed by the following equations to judge the flippability of $p_c$. In the equations, 0 and 1 represent white and black pixel, respectively, – denotes the bitwise-NOT operator, and is bitwise-AND operator.
Nv w ¼
X
pc wk w2kþ1 w2k1 ; Nv b ¼
k¼1;3
Nir ¼
4 X
X
pc wk wkþ4 ;
ðA:1Þ
k¼1;3
pc w2k w2kþ1 w2k1
ðw1 ¼ w9 Þ;
ðA:2Þ
k¼1
NC ¼
4 X
pc w2k w2kþ1 w2kþ2 w2kþ3 w2kþ4
ðwt ¼ wtmod8 Þ:
ðA:3Þ
k¼1
After computing $N_{vw}$, $N_{vb}$, $N_{ir}$, and $N_C$ values, these values are computed once more, setting $p_c \leftarrow \overline{p_c}$. If all of the values are the same in both cases, then the target pixel is flippable. Otherwise, it is not. Fig. A.1b shows the meaning of $N_{vb}$, $N_{vw}$, $N_{ir}$, and $N_C$ in terms of pixel connectivity.

[Figure A.1 (a), positions of the target pixel and its neighbours:
w6  w7  w8
w5  pc  w1
w4  w3  w2]
(a) The description of target pixel and its eight adjacent pixels
(b) The cases where the center pixel is not flippable ( : Don’t care pixel): 1) Flipping center pixel changes row or column connectivity ($N_{vb}$, $N_{vw}$). 2) There is a black corner pixel whose neighbors are white ($N_{ir}$). 3) Flipping center pixel changes the existence of sharp corner ($N_C$).
Fig. A.1. Yang et al.’s flippability criteria [33].

Appendix B. Data embedding method based on Hamming codes (H-Embed/H-Ext)

The Hamming code based data embedding algorithm, which is also called the matrix embedding algorithm [10,29], is a data embedding method using the Hamming code. With this algorithm, for a $c$-bit cover image, a $\lfloor \log_2(c+1) \rfloor$-bit message can be embedded with at most one-bit flipping. The descriptions of the data embedding (H-Embed) and extraction (H-Ext) algorithms are given in Algorithm 5.

Algorithm 5. Hamming-code-based data embedding (H-Embed)/extraction (H-Ext) algorithms.

/* H-Embed algorithm */
Require: $I \in \{0,1\}^c$; $r \in \{0,1\}^{\lfloor \log_2(c+1) \rfloor}$.
1: Regard $I$ as a Hamming codeword. {Assume Hamming codeword $I$ consists of $(c - \lfloor \log_2(c+1) \rfloor)$-bit data $d$ and $\lfloor \log_2(c+1) \rfloor$-bit parity $p$.}
2: From $d$, calculate a new Hamming codeword $I_{ham} \in \{0,1\}^c$ where $I_{ham}$ consists of data bits $d$ and parity bits $p_{ham}$.
3: if $(p \oplus p_{ham} \neq m)$ then
4:   $I(p \oplus p_{ham} \oplus m) \leftarrow \overline{I(p \oplus p_{ham} \oplus m)}$. {Flip the bit of the $(p \oplus p_{ham} \oplus m)$th position in $I$. ($\oplus$: bitwise XOR operation)}
5: end if
6: $S \leftarrow I$.
7: return $S$.

/* H-Ext algorithm */
Require: $S \in \{0,1\}^c$.
1: Regard $S$ as a Hamming codeword. {Assume $S$ consists of $(d', p')$, where $d'$ is data bits, and $p'$ is parity bits.}
2: From $d'$, calculate a new Hamming codeword $I'_{ham} \in \{0,1\}^c$ where $I'_{ham}$ consists of $(d', p'_{ham})$.
3: $m \leftarrow p' \oplus p'_{ham}$.
4: return $m$.
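The embedding property stated in Appendix B can be exercised with the following added example, which is not code from the paper. It assumes the usual syndrome form of matrix embedding (parity-check matrix whose j-th column is the binary expansion of position j) rather than the paper's data/parity split, and the helper names and the block-wise wrapper are illustrative.

```python
"""Matrix embedding with a binary Hamming code (syndrome form, added example)."""
import random


def capacity_bits(c):
    """floor(log2(c + 1)): message bits a c-bit cover carries with <= 1 flip."""
    return (c + 1).bit_length() - 1


def syndrome(bits, r):
    """XOR of the 1-based positions (1 .. 2^r - 1) that hold a 1 bit.

    Equals H * bits^T for the Hamming parity-check matrix H whose j-th
    column is the binary expansion of j. Bits beyond 2^r - 1 are ignored.
    """
    s = 0
    for pos in range(1, 1 << r):
        if bits[pos - 1]:
            s ^= pos
    return s


def h_embed(cover, message):
    """Return a stego block whose syndrome equals `message` (an r-bit int)."""
    r = capacity_bits(len(cover))
    if r == 0 or not 0 <= message < (1 << r):
        raise ValueError("message does not fit this cover block")
    stego = list(cover)
    flip_at = syndrome(stego, r) ^ message   # 0 means the block already matches
    if flip_at:
        stego[flip_at - 1] ^= 1              # the single flipped pixel
    return stego


def h_ext(stego):
    """Recover the embedded r-bit message from a stego block."""
    return syndrome(stego, capacity_bits(len(stego)))


def embed_string(cover, msg_bits, block_len):
    """Embed a bit string block by block, r bits per block_len-bit block."""
    r = capacity_bits(block_len)
    if len(msg_bits) % r:
        raise ValueError("message length must be a multiple of r")
    n_blocks = len(msg_bits) // r
    if n_blocks * block_len > len(cover):
        raise ValueError("cover too small")
    stego = list(cover)
    for b in range(n_blocks):
        m = int("".join(map(str, msg_bits[b * r:(b + 1) * r])), 2)
        lo = b * block_len
        stego[lo:lo + block_len] = h_embed(stego[lo:lo + block_len], m)
    return stego


def extract_string(stego, n_bits, block_len):
    """Inverse of embed_string: read r bits from each block."""
    r = capacity_bits(block_len)
    out = []
    for b in range(n_bits // r):
        m = h_ext(stego[b * block_len:(b + 1) * block_len])
        out.extend(int(ch) for ch in format(m, "0{}b".format(r)))
    return out


def demo():
    """Constructed input: 224 message bits into 32 blocks of 127 cover bits."""
    rng = random.Random(0)
    cover = [rng.randint(0, 1) for _ in range(32 * 127)]
    msg = [rng.randint(0, 1) for _ in range(224)]
    stego = embed_string(cover, msg, 127)
    flips = sum(a != b for a, b in zip(cover, stego))
    return flips, extract_string(stego, 224, 127) == msg


if __name__ == "__main__":
    print(demo())
```

With 127-bit blocks a 224-bit string costs at most 32 flips, one per block, which is the source of the low flip counts discussed in Section 4.1.2.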
Appendix C. Analysis of the previous schemes

This section analyzes the previous schemes in terms of miss detection rates and number of flipped pixels for data embedding.

C.1. Tzeng et al.’s approach [28]

Tzeng et al.’s scheme is analyzed based on the following assumption. Let the bit length of the codeword be $k$ and there exist $q$ codeholders. It is assumed that $c$ is the bit length of the cover image, and the cover image is divided into $n$ blocks, for fair comparison with the proposed scheme. In Tzeng et al.’s scheme, authentication codes $a_1, a_2, \ldots, a_n$ are generated with a shared symmetric key $K$, and they are embedded into $n$ blocks, respectively. If authentication codes are uniformly selected in $\{0,1\}^k$, $k \cdot n$ is the sum of bit lengths of the authentication codes.

The number of flipped pixels per block is derived as follows. Without loss of generality, assume that $t_1, \ldots, t_q$ are $k$-bit codewords that $q$ codeholders select in the $i$th block so as to embed $a_i$. In this case, the number of flipped pixels in the $i$th block is the minimum number of bit differences between $a_i$ and $t_1, t_2, \ldots, t_q$. Since $t_1, t_2, \ldots, t_q$ are uniformly chosen, the random variable representing the number of bit differences between each of $t_1, t_2, \ldots, t_q$ and $a_i$ forms the binomial distribution. On this basis, the expectation of the random variable representing the minimum difference between $a_i$ and $t_1, \ldots, t_q$ is the average number of flipped pixels in each block, derived as follows:
ðThe average number of flipped pixels in a blockÞ ¼ !q ! k k 1 X Ai ¼ 1 : 2k j¼iþ1 j
k X i¼0
i Ai
k1 X
!! Aj
j¼0
Since the above number of pixels are flipped per each block, the overall number of bit flipping in the $c$-bit cover image is scaled to factor $n$. A block passes the verification test if the block has at least one of $q$ codewords in terms of miss detection rates. Considering $q - 1$ candidate codewords, other than the originally embedded codeword per each block, the following miss detection rate is derived:

$$(\text{The miss detection rate}) = \sum_{i=1}^{q} \binom{q}{i} (-1)^{i+1}\, 2^{-ik}.$$
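The trade-off analysed in C.1 can be checked numerically with the added example below, which is not code from the paper. It computes the expected flips per block directly from the stated assumption (the minimum Hamming distance to $q$ uniformly chosen $k$-bit codewords) instead of transcribing the paper's expression, and evaluates the miss detection sum exactly; function names are illustrative.

```python
"""Exact per-block distortion and miss detection for the C.1 model (added example)."""
from fractions import Fraction
from math import comb


def min_distance_cdf(k, q, i):
    """P(min Hamming distance from a_i to q uniform k-bit codewords <= i)."""
    # Probability that one uniform codeword differs in MORE than i bits.
    tail = Fraction(sum(comb(k, j) for j in range(i + 1, k + 1)), 2 ** k)
    # All q independent codewords are farther than i with probability tail^q.
    return 1 - tail ** q


def expected_flips_per_block(k, q):
    """E[min distance] = sum_i i * P(min distance == i)."""
    total = Fraction(0)
    prev = Fraction(0)
    for i in range(k + 1):
        cur = min_distance_cdf(k, q, i)
        total += i * (cur - prev)
        prev = cur
    return total


def miss_detection_rate(k, q):
    """Inclusion-exclusion sum over i = 1..q of C(q,i) (-1)^(i+1) 2^(-ik)."""
    return sum(Fraction(comb(q, i) * (-1) ** (i + 1), 2 ** (i * k))
               for i in range(1, q + 1))


def tradeoff(k, q_values):
    """(q, expected flips per block, miss detection rate) for each q."""
    return [(q, expected_flips_per_block(k, q), miss_detection_rate(k, q))
            for q in q_values]


if __name__ == "__main__":
    # Constructed parameters: 8-bit codewords, growing number of codeholders.
    for q, flips, miss in tradeoff(8, [1, 2, 4, 8, 16]):
        print(q, float(flips), float(miss))
```

More codeholders reduce the expected flips per block but raise the per-block miss detection rate, which is why the comparison in Fig. 3 fixes the miss detection rate before comparing distortion.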
C.2. Wu et al.’s approach [32]

Wu et al. introduced the concept of flippable pixels. Unlike previous approaches, Wu et al. considered the visual distortion caused by pixel flipping. They concentrated on the reliability of hidden message transmission, and increasing the transmission capacity [32,31]. Thus, for an application requiring reliable hidden message transmission, Wu et al.’s scheme is very useful. Unfortunately, in terms of image authentication to preserve authenticity and integrity of the cover image, strong reliability of message transmission may have a negative effect, because the reliability of their approach makes it possible to recover a hidden message correctly even though a part of the stego-image is modified. For example, their first approach employing EvenOdd embedding is vulnerable to parity attack [14]. Due to this attack, if $h$-bit is embedded into the cover image, the miss detection rate is $1/h$.
C.3. Kim et al.’s approach [15,16,14]

In Kim et al.’s first approach [15,16], a public pseudo random generator is employed to select the positions of pixels into which the message is embedded. The selected pixels are cleared to be zero to use the digital signature (DS) or MAC for the cover image. Then, the DS or MAC for the cleared cover image is generated. Finally, the generated DS or MAC is embedded into the cleared pixels. The average number of flipped pixels depends on the DS or MAC algorithm employed, i.e. the half of the bit length of DS or MAC. The miss detection rate of this approach relies on the security of the employed DS or MAC algorithm. Table C.1 shows the bit security of several well-known algorithms. These are given by FIPS 140-2 [9]. From the nature of bit security, it can be derived that Kim et al.’s scheme with a DS or MAC algorithm whose bit security is $s$-bit has a $2^{-s}$ miss detection rate.

The second approach of Kim et al. aims to decrease the visual distortion [14]. The second approach has the same performance as the first one in terms of the number of flipped pixels and miss detection rate. However, the second approach causes much less visual distortion in terms of HVS.
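The clear, MAC and embed steps of the first approach described in C.3 are shown below as an added example, not code from the paper or from Kim et al. It assumes HMAC-SHA-224 as the MAC, one byte per pixel as the serialisation, and Python's seeded `random.Random` as the public generator; the key, seed and cover image are constructed.

```python
"""Authentication watermark in the style of C.3: clear, MAC, embed (added example)."""
import hashlib
import hmac
import random

MAC_BITS = 224  # HMAC-SHA-224 output length in bits


def select_positions(n_pixels, public_seed):
    """Public PRNG picks MAC_BITS distinct pixel indices (the seed is not secret)."""
    return random.Random(public_seed).sample(range(n_pixels), MAC_BITS)


def mac_bits(key, pixels):
    """HMAC-SHA-224 over the pixel list (one byte per pixel), as a list of bits."""
    digest = hmac.new(key, bytes(pixels), hashlib.sha224).digest()
    return [(byte >> shift) & 1 for byte in digest for shift in range(7, -1, -1)]


def clear_positions(pixels, positions):
    """Copy of the image with the embedding positions set to zero."""
    cleared = list(pixels)
    for p in positions:
        cleared[p] = 0
    return cleared


def embed(cover, key, public_seed):
    """Return (stego image, number of pixels that differ from the cover)."""
    positions = select_positions(len(cover), public_seed)
    stego = clear_positions(cover, positions)
    tag = mac_bits(key, stego)           # MAC of the cleared image
    for p, bit in zip(positions, tag):
        stego[p] = bit                   # MAC bits replace the cleared pixels
    flipped = sum(a != b for a, b in zip(cover, stego))
    return stego, flipped


def verify(stego, key, public_seed):
    """Recompute the MAC of the cleared image and compare with the embedded bits."""
    positions = select_positions(len(stego), public_seed)
    expected = mac_bits(key, clear_positions(stego, positions))
    found = [stego[p] for p in positions]
    return hmac.compare_digest(bytes(expected), bytes(found))


def demo():
    """Constructed 120 * 150 random binary image, key and seed."""
    rng = random.Random(2009)
    cover = [rng.randint(0, 1) for _ in range(120 * 150)]
    key = b"constructed-demo-key"
    stego, flipped = embed(cover, key, public_seed=7)
    used = set(select_positions(len(stego), 7))
    outside = next(i for i in range(len(stego)) if i not in used)
    inside = next(iter(used))
    tampered_outside = list(stego)
    tampered_outside[outside] ^= 1       # change image content
    tampered_inside = list(stego)
    tampered_inside[inside] ^= 1         # change an embedded MAC bit
    return (flipped,
            verify(stego, key, 7),
            verify(tampered_outside, key, 7),
            verify(tampered_inside, key, 7),
            verify(stego, b"another-key", 7))


if __name__ == "__main__":
    print(demo())
```

On a random cover the flip count lands near 112, half the MAC length, matching the average stated in C.3; a single changed pixel anywhere makes verification fail.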
C.4. Lee et al.’s approach [19]

Lee et al.’s scheme does not consider the degradation of visual quality by flipping pixels. The metric to measure image distortion is different to that in this paper. In [19], the amount of visual distortion is measured by the number of pixels flipped to embed authentication information. Conversely, the proposed scheme in this paper considers the visual distortion, suggesting a flippability criterion that gives a means to determine if the chosen pixel causes much image distortion. For this reason, the visual effect caused by embedding authentication information is much more severe in the scheme of [19] than in the proposed scheme.

As mentioned in Section 4.2, among the recent schemes, Yang et al.’s scheme causes the least visual distortion [33]. Thus, we just compared the proposed scheme to Yang et al.’s scheme in terms of visual distortion. The proposed scheme can employ a cryptographically secure object that provides an appropriately low miss detection rate with regard to the false negative rate (i.e. miss detection rate), as shown in Table C.1. Therefore, both schemes support a sufficiently low miss detection rate.
C.5. Yang et al.’s approach [33]

Yang et al.’s approach is analogous to Kim et al.’s second approach. The difference is that Yang et al.’s approach considers the visual distortion effect more. Yang et al. suggested new flippability criteria and showed that they cause little visual distortion. Based on some recent research dealing with the visual effect caused by message embedding, Yang et al.’s flippability criteria cause less visual distortion than any other prior approach [5].
Table C.1 Bit security of the cryptographic algorithms in FIPS 140-2 [9].

| Bit security | Symmetric encryption algorithms | Required bit lengths for public key algorithms: DSA/DH | RSA | ECC |
|---|---|---|---|---|
| 80 | N/A | 1024 | 1024 | 160 |
| 112 | 3DES | 2048 | 2048 | 224 |
| 128 | AES-128 | 3072 | 3072 | 256 |
| 192 | AES-192 | 7680 | 7680 | 384 |
| 256 | AES-256 | 15360 | 15360 | 512 |
Fig. D.1. Comparing the proposed scheme to the case of choosing all the patterns in ELSS < 3 as flippable pixels with respect to the number of available flippable pixels.
Appendix D. On the selection of the flippability criterion

This section shows why the proposed flippability criteria have been adopted. We first justify why we exclude the cases of the pixel patterns of three by three blocks whose ELSS values are greater than three. These patterns of ELSS > 3 definitely have salt pixels or break the existing line if the center pixel of the patterns is flipped. According to Yang et al.’s work and Cheng et al.’s work [5,33], these patterns should be excluded, because flipping the center pixels in these patterns causes much more visual distortion than others. As in Fig. 2, some patterns whose ELSS equals three are included in one of the two cases. However, we exclude all of these cases too. Hence, we decided to exclude all the patterns of ELSS > 3.

Now let us discuss the case of selecting just the patterns of ELSS < 3 as flippable pixels. If the scheme just employs the patterns whose ELSS is less than 3, the stego-image would have higher visual quality than that of the proposed scheme. However, since the number of such pixels is very small, it reduces the available capacity of the host image significantly if only these patterns are employed for data embedding. We analyze the number of available flippable pixels in each host image, where the proposed scheme is set to choose the pixels whose ELSS is less than three, and where the proposed flippability criteria are employed. The result of analysis (in Fig. D.1) shows that regardless of the host image used, the number of available pixels is about halved if we just choose all the patterns of ELSS < 3 as flippable pixels instead of the method in the proposed scheme.

References

[1] S. Akl, H. Meijer, A fast pseudo random permutation generator with applications for cryptology, in: Proc. Advances in Cryptology: CRYPTO, LNCS, vol. 196, 1985, pp. 269–275.
[2] C. Cachin, An information-theoretic model for steganography, Information and Computation 192 (1) (2004) 41–56.
[3] Chin-Chen Chang, Wen-Chuan Wu, Yi-Hui Chen, Joint coding and embedding techniques for multimedia images, Information Sciences 178 (18) (2008) 3543–3556.
[4] J. Cheng, A.C. Kot, Objective distortion measure for binary images, in: Proc. IEEE TENCON, 2004, pp. 355–358.
[5] J. Cheng, A.C. Kot, Objective distortion measure for binary text image based on edge line segment similarity, IEEE Transactions on Image Processing 16 (6) (2007) 1691–1695.
[6] J. Cheng, A.C. Kot, J. Liu, H. Cao, Detection of data hiding in binary text image, in: Proc. IEEE International Conference on Image Processing (ICIP), vol. 3, 2005, pp. 73–76.
[7] J. Cheng, A.C. Kot, S. Rahardja, Steganalysis of binary cartoon image using distortion measure, in: Proc. IEEE International Conference on Acoustics, Speech, and Signal Processing (ICASSP), vol. 2, 2007, pp. 261–264.
[8] D. Eastlake, T. Hansen, US Secure Hash Algorithms (SHA and HMAC-SHA), IETF RFC 4634, 2006.
[9] FIPS 140-2, Security requirements for cryptographic modules: compromising the security of the key establishment method, NIST.
[10] J. Fridrich, D. Soukal, Matrix embedding for large payloads, IEEE Transactions on Information Forensics and Security 6 (4) (2004) 528–538.
[11] H. Guo, Y. Li, S. Jajodia, Chaining watermarks for detecting malicious modifications to streaming data, Information Sciences 177 (1) (2007) 281–298.
[12] N. Hopper, J. Langford, L. von Ahn, Provably secure steganography, in: Proc. Advances in Cryptology: CRYPTO, LNCS, vol. 2442, 2002, pp. 77–92.
[13] S. Hsieh, J. Jian, I. Tsai, B. Huang, A color image watermarking scheme based on secret sharing and wavelet transform, in: Proc. IEEE International Conference on Systems, Man and Cybernetics, 2007, pp. 2143–2148.
[14] H. Kim, A new public-key authentication watermarking for binary document images resistant to parity checks, in: Proc. IEEE International Conferences on Image Processing (ICIP), vol. 2, 2005, pp. 1074–1077.
[15] H. Kim, A. Afif, Secure authentication watermarking for binary images, in: Proc. Brazilian Symposium on Computer Graphics and Image Processing, 2003, pp. 199–206.
[16] H. Kim, A. Afif, A secure authentication watermarking for halftone and binary images, International Journal of Imaging Systems and Technology 14 (4) (2004) 147–152.
[17] H. Kim, R. Queiroz, Alteration-locating authentication watermarking for binary images, in: Proc. International Workshop on Digital Watermarking (IWDW), LNCS, vol. 3304, 2005, pp. 125–136.
[18] T. Krovetz, Message authentication on 64-bit architectures, in: Proc. Selected Areas in Cryptography, LNCS, vol. 4356, 2007, pp. 327–341.
[19] Y. Lee, J. Hur, H. Kim, Y. Park, H. Yoon, A new binary image authentication scheme with small distortion and low false negative rates, IEICE Transactions on Communications E90-B (11) (2007) 3259–3261.
[20] X. Li, J. Wang, A steganographic method based upon JPEG and particle swarm optimization algorithm, Information Sciences 177 (15) (2007) 3099–3109.
[21] H. Liu, Z. Zhang, J. Huang, X. Huang, Y. Shi, A high capacity distortion-free data hiding algorithm for palette image, in: Proc. International Symposium on Circuits and Systems (ISCAS), vol. 2, 2003, pp. 916–919.
[22] H. Lu, A.C. Kot, Y. Shi, Distance-reciprocal distortion measure for binary document images, IEEE Signal Processing Letters 11 (2) (2004) 228–231.
[23] M. Luby, C. Rackoff, How to construct pseudorandom permutations from pseudorandom functions, SIAM Journal on Computing 17 (2) (1988) 373–386.
[24] S. Myers, Efficient-amplification of the security of weak pseudo-random function generators, in: Proc. Advances in Cryptology: EUROCRYPT, LNCS, vol. 2045, 2001, pp. 358–372.
[25] G. Pan, Z. Wu, Y. Pan, A data hiding method for few-color images, in: Proc. IEEE International Conference on Acoustics, Speech, and Signal Processing (ICASSP), vol. 4, 2002, pp. 3469–3472.
[26] C. Rey, R. Duglay, A survey of watermarking algorithms for image authentication, EURASIP Journal on Applied Signal Processing 2002 (6) (2002) 613–621.
[27] H. Tsai, D. Sun, Color image watermark extraction based on support vector machines, Information Sciences 177 (2) (2007) 550–569.
[28] C. Tzeng, W. Tsai, A new approach to authentication of binary images for multimedia communication with distortion reduction and security enhancement, IEEE Communications Letters 7 (9) (2003) 443–445.
[29] A. Westfeld, High capacity despite better steganalysis (F5-A steganographic algorithm), in: Proc. Information Hiding, 4th International Workshop, LNCS, vol. 2137, 2001, pp. 289–302.
[30] F. Wang, K. Yen, L. Jain, J. Pan, Multiuser-based shadow watermark extraction system, Information Sciences 177 (12) (2007) 2522–2532.
[31] M. Wu, J. Fridrich, M. Goljan, H. Gu, Handling uneven embedding capacity in binary images: a revisit, in: Proc. SPIE, Security, steganography, and watermarking of multimedia contents, vol. 5681, 2005, pp. 194–205.
[32] M. Wu, B. Liu, Data hiding in binary images for authentication and annotation, IEEE Transactions on Multimedia 6 (4) (2004) 528–538.
[33] H. Yang, A.C. Kot, Pattern-based data hiding for binary image authentication by connectivity-preserving, IEEE Transactions on Multimedia 9 (3) (2007) 475–486.