Teddy Furon - Academia.edu
Papers by Teddy Furon
EURASIP journal on information security, Nov 17, 2020
This paper investigates the visual quality of adversarial examples. Recent papers propose to smooth the perturbations to get rid of high-frequency artifacts. In this work, smoothing has a different meaning as it perceptually shapes the perturbation according to the visual content of the image to be attacked. The perturbation becomes locally smooth on the flat areas of the input image, but it may be noisy on its textured areas and sharp across its edges. This operation relies on Laplacian smoothing, well known in graph signal processing, which we integrate into the attack pipeline. We benchmark several attacks with and without smoothing under a white-box scenario and evaluate their transferability. Despite the additional constraint of smoothness, our attack has the same probability of success at lower distortion.
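The Laplacian smoothing step described in this abstract can be sketched as follows. This is a minimal 1-D illustration under assumptions of ours, not the paper's implementation: the path graph, the Gaussian weight function and the parameters `lam` and `sigma` are illustrative choices. The perturbation is filtered by solving (I + lam * L) x = p, where L is a graph Laplacian whose edge weights shrink across image edges, so the result is smooth on flat areas but may stay sharp at edges.

```python
import numpy as np

def laplacian_smooth(perturbation, image, lam=1.0, sigma=0.1):
    """Smooth a perturbation guided by the content of a 1-D image.

    Neighbouring pixels with similar intensities get large graph
    weights, so the smoothed perturbation is flat where the image is
    flat but can stay sharp across its edges.  Solves
    (I + lam * L) x = perturbation, L being the weighted Laplacian.
    """
    n = image.shape[0]
    # Edge weights between adjacent pixels; small across image edges.
    diff = np.diff(image)
    w = np.exp(-(diff ** 2) / (2 * sigma ** 2))
    # Graph Laplacian L = D - W of the weighted path graph.
    L = np.zeros((n, n))
    for i in range(n - 1):
        L[i, i] += w[i]
        L[i + 1, i + 1] += w[i]
        L[i, i + 1] -= w[i]
        L[i + 1, i] -= w[i]
    # (I + lam * L) is symmetric positive definite, hence invertible.
    return np.linalg.solve(np.eye(n) + lam * L, perturbation)
```

On a constant image every weight equals one and the filter behaves like a plain low-pass; across a strong intensity edge the weight collapses and the two sides are smoothed almost independently.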
Lecture Notes in Computer Science, 2013
Whereas the embedding distortion, the payload and the robustness of digital watermarking schemes are well understood, the notion of security is still not completely well defined. The approach proposed in the last five years is too theoretical and solely considers the embedding process, which is only half of the watermarking scheme. This paper proposes a new measurement of watermarking security, called the effective key length, which captures the difficulty for the adversary to get access to the watermarking channel. This new methodology is applied to the Distortion-Compensated Dither Modulation Quantization Index Modulation (DC-DM QIM) watermarking scheme, where the dither vector plays the role of the secret key. This paper presents theoretical and practical computations of the effective key length. It shows that this scheme is not secure as soon as the adversary gets observations in the Known Message Attack context.
Springer eBooks, 2005
Most watermarking techniques are based on Wide Spread Spectrum (WSS). The security of such schemes is studied here by adopting a cryptanalytic point of view. The security is proportional to the difficulty the opponent has in recovering the secret parameters, which are, in a WSS watermarking scheme, the private carriers. Both theoretical and practical points of view are investigated when several pieces of content are watermarked with the same secret key. The opponent's difficulty is measured by the amount of data necessary to estimate the private carriers accurately, and also by the complexity of the estimation algorithms. In practice, Blind Source Separation algorithms greatly help the opponent exploit the information leakage to disclose the secret carriers. The article ends with experiments comparing blind attacks to these new hacks. The main goal of the article is to warn watermarkers that embedding hidden messages with the same secret key may be a dangerous security flaw.
Proceedings of SPIE, Mar 21, 2005
This second part focuses on the estimation of secret parameters of some practical watermarking techniques. The first part revealed some theoretical bounds on the information leakage about secret keys from observations. However, as usual in information theory, nothing was said about the practical algorithms that pirates use in real-life applications. Whereas Part One deals with the number of observations necessary to disclose secret keys (see the definitions of security levels), this part focuses on the complexity or the computing power of practical estimators. Again, we are inspired here by the work of Shannon: in his famous article [15], he already made a clear distinction between the unicity distance and the workload of the opponent's algorithm. Our experimental work also illustrates how Blind Source Separation (especially Independent Component Analysis) algorithms help the opponent exploit this information leakage to disclose the secret carriers in the spread spectrum case. Simulations assess the security levels theoretically derived in Part One.
IEEE Transactions on Information Forensics and Security, Aug 1, 2012
The class of joint decoder in fingerprinting codes is of utmost importance in theoretical papers to establish the concept of fingerprint capacity. However, no implementation supporting a large user base is known to date. This paper presents an iterative decoder which is the first attempt toward practical large-scale joint decoding. The discriminative feature of the scores benefits on one hand from the side-information of previously found users, and on the other hand, from recently introduced universal linear decoders for compound channels. Neither the code construction nor the decoder makes assumptions about the collusion size and strategy, provided it is a memoryless and fair attack. The extension to incorporate soft outputs from the watermarking layer is straightforward. An extensive experimental work benchmarks the very good performance and offers a clear comparison with previous state-of-the-art decoders.
HAL (Le Centre pour la Communication Scientifique Directe), Jan 17, 2010
This paper considers the security aspect of the robust zero-bit watermarking technique 'Broken Arrows' (BA) [1], which was invented and tested for the international challenge BOWS-2. The results of the first episode of the challenge showed that BA is very robust. Last year, we proposed an enhancement called AWC [2], which further strengthens the robustness against the worst attack disclosed during the challenge. However, in the second and third episodes of the challenge, when the pirate observes plenty of watermarked pictures with the same secret key, some security flaws were discovered. They clearly prevent the use of BA in multimedia fingerprinting applications, as suggested in [3]. Our contributions focus on finding counterattacks. We carefully investigate BA and its variant AWC, and take two recently published security attacks [4] as the potential threats. Based on this, we propose three countermeasures: benefiting from the improved embedding technique AWC; regulating the system parameters to lighten the watermarking embedding footprint; and extending the zero-bit watermarking to multi-bit to further increase the security level. With this design, experimental results show that these security attacks no longer work, and the security level is further increased.
Entropy, Feb 8, 2020
Image watermarking is usually decomposed into three steps: (i) a feature vector is extracted from an image; (ii) it is modified to embed the watermark; (iii) it is projected back into the image space while avoiding the creation of visual artefacts. The feature extraction is usually based on a classical image representation given by the Discrete Wavelet Transform or the Discrete Cosine Transform, for instance. These transformations require very accurate synchronisation between the embedding and the detection, and usually rely on various registration mechanisms for that purpose. This paper investigates a new family of transformations based on Deep Neural Networks trained with supervision for a classification task. The motivation comes from the Computer Vision literature, which has demonstrated the robustness of these features against light geometric distortions. Also, the adversarial sample literature provides means to implement the inverse transform needed in the third step mentioned above. As far as zero-bit watermarking is concerned, this paper shows that this approach is feasible as it yields a good quality of the watermarked images and an intrinsic robustness. We also test more advanced tools from Computer Vision, such as aggregation schemes with weak geometry and retraining with a dataset augmented with classical image processing attacks.
HAL (Le Centre pour la Communication Scientifique Directe), Aug 27, 2012
HAL is a multidisciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.
arXiv (Cornell University), Dec 17, 2021
We revisit watermarking techniques based on pre-trained deep networks, in the light of self-supervised approaches. We present a way to embed both marks and binary messages into their latent spaces, leveraging data augmentation at marking time. Our method can operate at any resolution and creates watermarks robust to a broad range of transformations (rotations, crops, JPEG, contrast, etc.). It significantly outperforms the previous zero-bit methods, and its performance on multi-bit watermarking is on par with state-of-the-art encoder-decoder architectures trained end-to-end for watermarking. The code is available at github.com/facebookresearch/ssl_watermarking
The paper proposes a new approach for evaluating the security levels of digital watermarking schemes, which is more in line with the formulation proposed in cryptography. We first exhibit the class of equivalent decoding keys: these are the keys allowing a reliable decoding of contents watermarked with the secret key. Then, we evaluate the probability that the adversary picks an equivalent key. The smaller this probability, the larger the effective key length. This concept is illustrated on two main families of watermarking schemes: DC-QIM (Distortion-Compensated Quantization Index Modulation) and SS (Spread Spectrum). The robustness-security trade-off is again verified and gives some counter-intuitive results: for instance, the security of SS is a decreasing function of the length of the secret vector at a fixed Document-to-Watermark power ratio. Additionally, under the Known Message Attack, the practical key length of the watermarking scheme rapidly decreases to 0 bits per symbol.
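The equivalent-key probability described in this abstract can be illustrated with a small Monte Carlo experiment. This is a sketch under simplifying assumptions of ours, not the paper's exact computation: the secret key is a unit spread-spectrum carrier, and a fixed normalized-correlation threshold stands in for "reliable decoding".

```python
import numpy as np

def effective_key_length(dim, cos_thresh, trials=200_000, seed=0):
    """Monte Carlo sketch of the effective-key-length idea.

    A randomly drawn unit vector v is treated as 'equivalent' to the
    secret carrier u when its normalized correlation with u exceeds
    cos_thresh, i.e. it would decode watermarked contents reliably.
    The effective key length is -log2 of the probability of drawing
    such a key.  Threshold and dimension are illustrative only.
    """
    rng = np.random.default_rng(seed)
    u = np.zeros(dim)
    u[0] = 1.0  # by rotational symmetry, any unit carrier will do
    v = rng.normal(size=(trials, dim))
    v /= np.linalg.norm(v, axis=1, keepdims=True)
    p_equiv = np.mean(np.abs(v @ u) > cos_thresh)
    return -np.log2(p_equiv) if p_equiv > 0 else np.inf
```

Tightening the correlation threshold shrinks the set of equivalent keys, so the estimated key length grows, which mirrors the robustness-security trade-off discussed in the abstract.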
IEEE Transactions on Information Forensics and Security, Jun 1, 2007
In the watermark detection scenario, also known as zero-bit watermarking, a watermark carrying no hidden message is inserted in a piece of content. The watermark detector checks for the presence of this particular weak signal in received contents. The article looks at this problem from a classical detection theory point of view, but with side information enabled at the embedding side. This means that the watermark signal is a function of the host content. Our study is twofold. The first step is to design the best embedding function for a given detection function, and the best detection function for a given embedding function. This yields two conditions, which are mixed into one 'fundamental' partial differential equation. It appears that many famous watermarking schemes are indeed solutions to this 'fundamental' equation. This study thus gives birth to a constructive framework unifying solutions so far perceived as very different.
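A classic instance of the zero-bit schemes discussed in this abstract is detection by normalized correlation, whose acceptance region is a double hypercone around a secret carrier. The sketch below illustrates that scheme only; the carrier-direction embedding, the strength `dist` and the threshold `tau` are our own simplistic choices, not the article's construction.

```python
import numpy as np

def detect(x, u, tau):
    """Zero-bit hypercone detector: is the normalized correlation
    between the extracted vector x and unit carrier u above tau?"""
    return abs(x @ u) / (np.linalg.norm(x) + 1e-12) > tau

def embed(host, u, dist):
    """Side-informed embedding sketch: push the host towards the
    nearer nappe of the detection cone along the carrier direction."""
    sign = 1.0 if host @ u >= 0 else -1.0
    return host + sign * dist * u
```

For a random host the correlation with a fixed carrier is tiny (of order 1/sqrt(dim)), so the detector stays silent; after embedding, the host sits inside the cone and is detected.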
Signal Processing, Oct 1, 2003
The analysis of the security of watermarking algorithms has received increasing attention since it was recognized that the sole investigation of robustness issues is not enough to properly address the challenges set by practical applications. Such a security analysis, though, is still in its infancy, up to a point that a general agreement has not yet been reached even on the most fundamental problems. The purpose of this paper is to provide a general security framework encompassing most of the problems encountered in real-world applications. By considering the amount of information the attacker has about the watermarking algorithm, we introduce the notion of fair and unfair attacks, so as to ease the classification of different systems and attacks. Though we recognize that many important differences exist between watermarking and cryptographic security, a large part of our work is inspired by the Diffie-Hellman paradigm, which is widely used in cryptography. For each class of systems, great care is taken to describe both the attacker's and the watermarker's points of view, presenting the challenges raised by each system to these different actors. Finally, we try to outline some research directions which, in our view, deserve further analysis.
Statistics and Computing, Apr 5, 2011
This paper discusses a novel strategy for simulating rare events and an associated Monte Carlo estimation of tail probabilities. Our method uses a system of interacting particles and exploits a Feynman-Kac representation of that system to analyze their fluctuations. Our precise analysis of the variance of a standard multilevel splitting algorithm reveals an opportunity for improvement. This leads to a novel method that relies on adaptive levels and produces estimates with optimal variance. The motivation for this theoretical work comes from problems occurring in watermarking and fingerprinting of digital contents, which represents a new field of applications of rare event simulation techniques. Some numerical results show the performance of our technique for these practical applications.
HAL (Le Centre pour la Communication Scientifique Directe), May 15, 2012
Whereas the embedding distortion, the payload and the robustness of digital watermarking schemes are well understood, the notion of security is still not completely well defined. The approach proposed in the last five years is too theoretical and solely considers the embedding process, which is only half of the watermarking scheme. This paper proposes a new measurement of watermarking security, called the effective key length, which captures the difficulty for the adversary to get access to the watermarking channel. This new methodology is applied to the Distortion-Compensated Dither Modulation Quantization Index Modulation (DC-DM QIM) watermarking scheme, where the dither vector plays the role of the secret key. This paper presents theoretical and practical computations of the effective key length. It shows that this scheme is not secure as soon as the adversary gets observations in the Known Message Attack context.
In the watermark detection scenario, also known as zero-bit watermarking, a watermark carrying no hidden message is inserted in content. The watermark detector checks for the presence of this particular weak signal in content. The article looks at this problem from a classical detection theory point of view, but with side information enabled at the embedding side: the watermark signal is a function of the host content. Our study is twofold. The first issue is to design the best embedding function for a given detection function (a Neyman-Pearson detector structure is assumed). The second issue is to find the best detection function for a given embedding function. This yields two conditions, which are mixed into one 'fundamental' partial differential equation. Solutions of this fundamental equation are heavily dependent on the probability distribution function of the host signals. This conference paper is an extract of [7], where we only look at white Gaussian hosts. This gives birth to polynomial solutions, namely Hermite polynomials, whose extension is the JANIS watermarking scheme, invented heuristically some years ago.
Traitement Du Signal, Apr 28, 2010
Theme: Communication and coding - encryption and watermarking (tracing of marked documents). Problem addressed: identify the dishonest users who took part in creating a pirated copy of a digital document. Originality: use of an iterative algorithm and of new functions for the accusation part of the Tardos code. Results: improvement of the accusation phase, which makes it possible to reduce the code length.

1 Context. This article deals with fingerprinting, also known as traitor tracing or transactional watermarking. The problem is the following: a distributor of digital data (images, audio, video, ...) distributes copies of a piece of content to n users. Some of these users are dishonest, also called colluders, and mix their copies to create a pirated copy that is redistributed illegally. We want to recover their identities by analysing the pirated copy. To this end, a robust watermarking technique is combined with an anti-collusion code, the part studied here.

2 Tardos codes. In 2003, G. Tardos presented a family of very efficient probabilistic fingerprinting codes [2]. Their main interest lies in their reduced length and in the ease of generating the codewords. B. Skoric et al. proposed a symmetric decoding of these codes, as well as a version for q-ary alphabets [3]. These articles use accusation functions that are the same for all types of attacks. In 2008, Furon et al. [1] showed that these functions are indeed the best ones to use in a general context, but that they can be optimised when the colluders' strategy is known. Let us first recall what Tardos codes are for a binary alphabet [3]. Let n be the number of users and m the length of the code. Let X be the matrix containing all the codewords, and X_j = (X_j1, X_j2, ..., X_jm) the codeword of user j. One draws m values p_i in [0, 1], independent and identically distributed according to a pdf f(p).
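The construction recalled above, together with the symmetric accusation of Skoric et al. [3], can be sketched as follows. The biases are drawn here from the arcsine density used by the symmetric construction, clipped as a crude stand-in for the cutoff of the original code; the clipping value and all sizes are illustrative assumptions.

```python
import numpy as np

def tardos_code(n_users, m, t=0.01, seed=0):
    """Draw a binary probabilistic fingerprinting code.

    Column biases p_i follow the arcsine density
    f(p) = 1 / (pi * sqrt(p * (1 - p))), sampled as sin^2 of a uniform
    angle and clipped to [t, 1-t] (a crude stand-in for the cutoff of
    the original construction).  User j gets X_ji ~ Bernoulli(p_i).
    """
    rng = np.random.default_rng(seed)
    p = np.clip(np.sin(rng.uniform(0.0, np.pi / 2, size=m)) ** 2, t, 1 - t)
    X = (rng.uniform(size=(n_users, m)) < p).astype(int)
    return X, p

def symmetric_scores(X, y, p):
    """Symmetric accusation scores against the pirated sequence y."""
    q = np.where(y == 1, p, 1 - p)       # probability of agreeing with y
    match = np.sqrt((1 - q) / q)         # reward when X_ji == y_i
    mismatch = -np.sqrt(q / (1 - q))     # penalty otherwise
    return np.where(X == y, match, mismatch).sum(axis=1)
```

An innocent user's expected score is zero with variance m, whereas a colluder's grows linearly in m, so with a majority-vote collusion of a few users the colluders' scores typically dominate all innocent scores once m reaches a couple of thousand.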
arXiv (Cornell University), Apr 29, 2011
The class of joint decoder of probabilistic fingerprinting codes is of utmost importance in theoretical papers to establish the concept of fingerprint capacity [1]-[3]. However, no implementation supporting a large user base is known to date. This article presents an iterative decoder which is, as far as we are aware, the first practical attempt towards joint decoding. The discriminative feature of the scores benefits on one hand from the side-information of previously accused users, and on the other hand, from recently introduced universal linear decoders for compound channels [4]. Neither the code construction nor the decoder makes precise assumptions about the collusion (size or strategy). The extension to incorporate soft outputs from the watermarking layer is straightforward. An extensive experimental work benchmarks the very good performance and offers a clear comparison with previous state-of-the-art decoders.
arXiv (Cornell University), Feb 16, 2012
Whereas the embedding distortion, the payload and the robustness of digital watermarking schemes are well understood, the notion of security is still not completely well defined. The approach proposed in the last five years is too theoretical and solely considers the embedding process, which is half of the watermarking scheme. This paper proposes a new measurement of watermarking security, called the effective key length, which captures the difficulty for the adversary to get access to the watermarking channel. This new methodology is applied to additive spread spectrum schemes where theoretical and practical computations of the effective key length are proposed. It shows that these schemes are not secure as soon as the adversary gets observations in the Known Message Attack context.
HAL (Le Centre pour la Communication Scientifique Directe), Dec 3, 2012
This paper proposes a new fingerprinting decoder based on the Markov Chain Monte Carlo (MCMC) method. A Gibbs sampler generates groups of users according to the posterior probability that these users could have forged the sequence extracted from the pirated content. The marginal probability that a given user belongs to the collusion is then estimated by a Monte Carlo method. The users with the largest empirical marginal probabilities are accused. This MCMC method can decode any type of fingerprinting code. The paper is in the spirit of the 'Learn and Match' decoding strategy: it assumes that the collusion attack belongs to a family of models. The Expectation-Maximization algorithm estimates the parameters of the collusion model from the extracted sequence. This part of the algorithm is described for the binary Tardos code and with the exploitation of the soft outputs of the watermarking decoder. The experimental part considers some extreme setups where the fingerprinting code lengths are very small. It reveals that the weak link of our approach is the estimation part. This is a clear warning for the 'Learn and Match' decoding strategy.
EURASIP journal on information security, Nov 17, 2020
This paper investigates the visual quality of the adversarial examples. Recent papers propose to ... more This paper investigates the visual quality of the adversarial examples. Recent papers propose to smooth the perturbations to get rid of high frequency artifacts. In this work, smoothing has a different meaning as it perceptually shapes the perturbation according to the visual content of the image to be attacked. The perturbation becomes locally smooth on the flat areas of the input image, but it may be noisy on its textured areas and sharp across its edges. This operation relies on Laplacian smoothing, well-known in graph signal processing, which we integrate in the attack pipeline. We benchmark several attacks with and without smoothing under a white box scenario and evaluate their transferability. Despite the additional constraint of smoothness, our attack has the same probability of success at lower distortion.
Lecture Notes in Computer Science, 2013
Whereas the embedding distortion, the payload and the robustness of digital watermarking schemes ... more Whereas the embedding distortion, the payload and the robustness of digital watermarking schemes are well understood, the notion of security is still not completely well defined. The approach proposed in the last five years is too theoretical and solely considers the embedding process, which is half of the watermarking scheme. This paper proposes a new measurement of watermarking security, called the effective key length, which captures the difficulty for the adversary to get access to the watermarking channel. This new methodology is applied to the Distortion Compensated Dither Modulation Quantized Index Modulation (DC-DM QIM) watermarking scheme where the dither vector plays the role of the secret key. This paper presents theoretical and practical computations of the effective key length. It shows that this scheme is not secure as soon as the adversary gets observations in the Known Message Attack context.
Springer eBooks, 2005
Most of watermarking techniques are based on Wide Spread Spectrum (WSS). Security of such schemes... more Most of watermarking techniques are based on Wide Spread Spectrum (WSS). Security of such schemes is studied here in adopting a cryptanalysis point of view. The security is proportional to the difficulty the opponent has to recover the secret parameters, which are, in WSS watermarking scheme, the private carriers. Both theoretical and practical points of view are investigated when several pieces of content are watermarked with the same secret key. The opponent's difficulty is measured by the amount of data necessary to estimate accurately the private carriers, and also by the complexity of the estimation algorithms. Actually, Blind Source Separation algorithms really help the opponent exploiting the information leakage to disclose the secret carriers. The article ends with experiments comparing blind attacks to these new hacks. The main goal of the article is to warn watermarkers that embedding hidden messages with the same secret key might is a dangerous security flaws.
Proceedings of SPIE, Mar 21, 2005
This second part focuses on estimation of secret parameters of some practical watermarking techni... more This second part focuses on estimation of secret parameters of some practical watermarking techniques. The first part reveals some theoretical bounds of information leakage about secret keys from observations. However, as usual in information theory, nothing has been said about practical algorithms which pirates use in real life application. Whereas Part One deals with the necessary number of observations to disclose secret keys (see definitions of security levels), this part focuses on the complexity or the computing power of practical estimators. Again, we are inspired here by the work of Shannon as in his famous article [15], he has already made a clear cut between the unicity distance and the work of opponents' algorithm. Our experimental work also illustrates how Blind Source Separation (especially Independent Component Analysis) algorithms help the opponent exploiting this information leakage to disclose the secret carriers in the spread spectrum case. Simulations assess the security levels theoretically derived in Part One.
IEEE Transactions on Information Forensics and Security, Aug 1, 2012
The class of joint decoder in fingerprinting codes is of utmost importance in theoretical papers ... more The class of joint decoder in fingerprinting codes is of utmost importance in theoretical papers to establish the concept of fingerprint capacity. However, no implementation supporting a large user base is known to date. This paper presents an iterative decoder which is the first attempt toward practical large-scale joint decoding. The discriminative feature of the scores benefits on one hand from the side-information of previously found users, and on the other hand, from recently introduced universal linear decoders for compound channels. Neither the code construction nor the decoder makes assumptions about the collusion size and strategy, provided it is a memoryless and fair attack. The extension to incorporate soft outputs from the watermarking layer is straightforward. An extensive experimental work benchmarks the very good performance and offers a clear comparison with previous state-of-the-art decoders.
HAL (Le Centre pour la Communication Scientifique Directe), Jan 17, 2010
This paper considers the security aspect of the robust zero-bit watermarking technique 'Broken Ar... more This paper considers the security aspect of the robust zero-bit watermarking technique 'Broken Arrows'(BA), 1 which was invented and tested for the international challenge BOWS-2. The results of the first episode of the challenge showed that BA is very robust. Last year, we proposed an enhancement so-called AWC, 2 which further strengthens the robustness against the worst attack disclosed during the challenge. However, in the second and third episodes of the challenge, when the pirate observes plenty of watermarked pictures with the same secret key, some security flaws have been discovered. They clearly prevent the use of BA in multimedia fingerprinting application, as suggested in. 3 Our contributions focus on finding some counterattacks. We carefully investigate BA and its variant AWC, and take two recently published security attacks 4 as the potential threats. Based on this, we propose three countermeasures: benefiting from the improved embedding technique AWC; regulating the system parameters to lighten the watermarking embedding footprint; and extending the zero bit watermarking to multi-bits for further increase the security level. With this design, experimental results show that these security attacks do not work any more, and the security level is further increased.
Entropy, Feb 8, 2020
Image watermarking is usually decomposed into three steps: (i) a feature vector is extracted from... more Image watermarking is usually decomposed into three steps: (i) a feature vector is extracted from an image; (ii) it is modified to embed the watermark; (iii) and it is projected back into the image space while avoiding the creation of visual artefacts. This feature extraction is usually based on a classical image representation given by the Discrete Wavelet Transform or the Discrete Cosine Transform for instance. These transformations require very accurate synchronisation between the embedding and the detection and usually rely on various registration mechanisms for that purpose. This paper investigates a new family of transformation based on Deep Neural Networks trained with supervision for a classification task. Motivations come from the Computer Vision literature, which has demonstrated the robustness of these features against light geometric distortions. Also, adversarial sample literature provides means to implement the inverse transform needed in the third step above mentioned. As far as zero-bit watermarking is concerned, this paper shows that this approach is feasible as it yields a good quality of the watermarked images and an intrinsic robustness. We also tests more advanced tools from Computer Vision such as aggregation schemes with weak geometry and retraining with a dataset augmented with classical image processing attacks.
HAL (Le Centre pour la Communication Scientifique Directe), Aug 27, 2012
HAL is a multidisciplinary open access archive for the deposit and dissemination of scientific re... more HAL is a multidisciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. L'archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d'enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.
arXiv (Cornell University), Dec 17, 2021
We revisit watermarking techniques based on pre-trained deep networks, in the light of self-super... more We revisit watermarking techniques based on pre-trained deep networks, in the light of self-supervised approaches. We present a way to embed both marks and binary messages into their latent spaces, leveraging data augmentation at marking time. Our method can operate at any resolution and creates watermarks robust to a broad range of transformations (rotations, crops, JPEG, contrast, etc). It significantly outperforms the previous zero-bit methods, and its performance on multi-bit watermarking is on par with state-of-the-art encoder-decoder architectures trained end-to-end for watermarking. The code is available at github.com/facebookresearch/ssl_watermarking
The paper proposes a new approach for evaluating the security levels of digital watermarking schemes, which is more in line with the formulation proposed in cryptography. We first exhibit the class of equivalent decoding keys. These are the keys allowing a reliable decoding of contents watermarked with the secret key. Then, we evaluate the probability that the adversary picks an equivalent key. The smaller this probability, the longer the key. This concept is illustrated on two main families of watermarking schemes: DC-QIM (Distortion Compensation Quantization Index Modulation) and SS (Spread Spectrum). The robustness-security trade-off is again verified and yields some counter-intuitive results: for instance, the security of SS is a decreasing function of the length of the secret vector at a fixed Document to Watermark power ratio. Additionally, under the Known Message Attack, the practical key length of the watermarking scheme rapidly decreases to 0 bits per symbol.
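To illustrate the idea, here is a toy Monte Carlo estimate of an effective key length for an additive spread-spectrum detector, where a trial key counts as "equivalent" when its normalised correlation with the secret carrier exceeds a detection threshold. The dimension and threshold below are hypothetical, and this is a sketch of the concept, not the paper's exact computation for DC-QIM or SS:

```python
import math
import random

def effective_key_length(dim, threshold, n_trials=20000, seed=0):
    """Monte Carlo sketch of an effective key length: -log2 of the
    probability that a randomly drawn key is 'equivalent' to the secret
    one, i.e. correlates with it above the detection threshold."""
    rng = random.Random(seed)
    # secret carrier: a random direction on the unit sphere of R^dim
    secret = [rng.gauss(0.0, 1.0) for _ in range(dim)]
    norm = math.sqrt(sum(s * s for s in secret))
    secret = [s / norm for s in secret]
    hits = 0
    for _ in range(n_trials):
        trial = [rng.gauss(0.0, 1.0) for _ in range(dim)]
        tnorm = math.sqrt(sum(t * t for t in trial))
        corr = sum(s * t for s, t in zip(secret, trial)) / tnorm
        if corr > threshold:  # this trial key opens the watermarking channel
            hits += 1
    return -math.log2(hits / n_trials) if hits else float("inf")
```

Note how the key length shrinks as the dimension decreases or the threshold is relaxed: the rarer an equivalent key, the more bits of security the scheme effectively offers.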
IEEE Transactions on Information Forensics and Security, Jun 1, 2007
In the watermark detection scenario, also known as zero-bit watermarking, a watermark, carrying no hidden message, is inserted in a piece of content. The watermark detector checks for the presence of this particular weak signal in received contents. The article looks at this problem from a classical detection theory point of view, but with side information enabled at the embedding side. This means that the watermark signal is a function of the host content. Our study is twofold. The first step is to design the best embedding function for a given detection function, and the best detection function for a given embedding function. This yields two conditions, which are mixed into one 'fundamental' partial differential equation. It appears that many famous watermarking schemes are indeed solutions to this 'fundamental' equation. This study thus gives birth to a constructive framework unifying solutions so far perceived as very different.
Signal Processing, Oct 1, 2003
The analysis of the security of watermarking algorithms has received increasing attention since it has been recognized that the sole investigation of robustness issues is not enough to properly address the challenges set by practical applications. Such a security analysis, though, is still in its infancy, up to a point that a general agreement has not yet been reached even on the most fundamental problems. The purpose of this paper is to provide a general security framework encompassing most of the problems encountered in real-world applications. By considering the amount of information the attacker has about the watermarking algorithm, we introduce the notion of fair and unfair attacks, so as to ease the classification of different systems and attacks. Though we recognize that many important differences exist between watermarking and cryptographic security, a large part of our work is inspired by the Diffie-Hellman paradigm, which is widely used in cryptography. For each class of systems, great care is taken to describe both the attacker's and the watermarker's point of view, presenting the challenges raised by each system to these different actors. Finally, we outline some research directions which, according to us, deserve further analysis.
Statistics and Computing, Apr 5, 2011
This paper discusses a novel strategy for simulating rare events and an associated Monte Carlo estimation of tail probabilities. Our method uses a system of interacting particles and exploits a Feynman-Kac representation of that system to analyze their fluctuations. Our precise analysis of the variance of a standard multilevel splitting algorithm reveals an opportunity for improvement. This leads to a novel method that relies on adaptive levels and produces estimates with optimal variance. The motivation for this theoretical work comes from problems occurring in watermarking and fingerprinting of digital contents, which represents a new field of applications of rare event simulation techniques. Some numerical results show the performance of our technique for these practical applications.
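The splitting idea can be sketched in a few lines. The toy below estimates the Gaussian tail probability P(X > 3) with adaptive levels: kill the lowest fraction of particles, clone survivors, and rejuvenate the clones with Metropolis moves targeting the conditioned law. All parameters are illustrative, and this is a plain sketch of adaptive multilevel splitting, not the paper's Feynman-Kac analysis:

```python
import math
import random

def ams_tail_prob(level, n_particles=1000, kill_frac=0.1,
                  mcmc_steps=20, sigma=0.5, seed=0):
    """Adaptive multilevel splitting estimate of P(X > level), X ~ N(0,1)."""
    rng = random.Random(seed)
    xs = [rng.gauss(0.0, 1.0) for _ in range(n_particles)]
    k = max(1, int(kill_frac * n_particles))
    prob = 1.0
    while True:
        xs.sort()
        current = xs[k - 1]          # adaptive level: k-th smallest score
        if current >= level:
            break
        survivors = xs[k:]
        prob *= len(survivors) / n_particles
        # regenerate the killed particles: clone a survivor, then apply
        # Metropolis moves targeting N(0,1) conditioned on X > current
        newborn = []
        for _ in range(k):
            x = rng.choice(survivors)
            for _ in range(mcmc_steps):
                prop = x + rng.gauss(0.0, sigma)
                if prop > current and rng.random() < math.exp((x * x - prop * prop) / 2.0):
                    x = prop
            newborn.append(x)
        xs = survivors + newborn
    return prob * sum(1 for x in xs if x >= level) / n_particles
```

A crude Monte Carlo estimate of P(X > 3) ≈ 1.35e-3 would need millions of samples for the same accuracy; the splitting scheme reaches the rare set by multiplying the modest conditional probabilities of each intermediate level.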
HAL (Le Centre pour la Communication Scientifique Directe), May 15, 2012
Whereas the embedding distortion, the payload and the robustness of digital watermarking schemes are well understood, the notion of security is still not completely well defined. The approach proposed in the last five years is too theoretical and solely considers the embedding process, which is half of the watermarking scheme. This paper proposes a new measurement of watermarking security, called the effective key length, which captures the difficulty for the adversary to get access to the watermarking channel. This new methodology is applied to the Distortion Compensated Dither Modulation Quantized Index Modulation (DC-DM QIM) watermarking scheme where the dither vector plays the role of the secret key. This paper presents theoretical and practical computations of the effective key length. It shows that this scheme is not secure as soon as the adversary gets observations in the Known Message Attack context.
In the watermark detection scenario, also known as zero-bit watermarking, a watermark, carrying no hidden message, is inserted in content. The watermark detector checks for the presence of this particular weak signal in content. The article looks at this problem from a classical detection theory point of view, but with side information enabled at the embedding side: the watermark signal is a function of the host content. Our study is twofold. The first issue is to design the best embedding function for a given detection function (a Neyman-Pearson detector structure is assumed). The second issue is to find the best detection function for a given embedding function. This yields two conditions, which are mixed into one 'fundamental' partial differential equation. Solutions of this fundamental equation depend heavily on the probability distribution function of the host signals. This conference paper is an extract of [7], where we only look at white Gaussian hosts. This gives birth to polynomial solutions, namely the Hermite polynomials, whose extension is the JANIS watermarking scheme, invented heuristically some years ago.
Traitement Du Signal, Apr 28, 2010
Theme: communication and coding; encryption and watermarking (tracing of marked documents). Problem addressed: identifying the dishonest users who took part in creating a pirated copy of a digital document. Originality: use of an iterative algorithm and of new functions for the accusation part of the Tardos code. Results: an improved accusation phase, which makes it possible to shorten the code. 1 Context. This article deals with fingerprinting, also referred to as traitor tracing or transactional watermarking. The problem is the following: a distributor of digital data (images, audio, video, ...) hands out copies of a piece of content to n users. A few of these users are dishonest, also called colluders, and mix their copies to forge a pirated copy which is redistributed illegally. The goal is to identify them by analysing the pirated copy. To this end, a robust watermarking technique is combined with an anti-collusion code, the part studied here. 2 Tardos codes. In 2003, G. Tardos introduced a family of very efficient probabilistic fingerprinting codes [2]. Their main interest lies in their short length and in the ease of codeword generation. B. Skoric et al. proposed a symmetric decoding of these codes, as well as a version for q-ary alphabets [3]. These articles use accusation functions that are identical for all types of attacks. In 2008, Furon et al. [1] showed that these functions are indeed the best ones in a general setting, but that they can be optimised when the colluders' strategy is known. Let us first recall what Tardos codes are for a binary alphabet [3]. Let n be the number of users and m the code length.
Let X be the matrix containing all the codewords. Denote by X_j = (X_{j1}, X_{j2}, ..., X_{jm}) the codeword of user j. Draw m values p_i ∈ [0, 1] independently and identically distributed according to the pdf f(p) = 1/(π√(p(1-p))).
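Assuming f(p) is the arcsine density used in the symmetric version of the code, the construction and accusation recalled above can be sketched as follows. Parameters are illustrative, and the hard clipping of p stands in for the cutoff used by practical Tardos codes:

```python
import math
import random

def tardos_code(n_users, m, seed=0, cutoff=0.01):
    """Binary Tardos code: biases p_i drawn from the arcsine density
    f(p) = 1/(pi*sqrt(p(1-p))), then X_ji ~ Bernoulli(p_i)."""
    rng = random.Random(seed)
    # inverse-CDF sampling: if u ~ U(0,1), then sin(pi*u/2)^2 has the arcsine law;
    # clipping to [cutoff, 1-cutoff] is a crude stand-in for the Tardos cutoff
    p = [min(max(math.sin(math.pi * rng.random() / 2.0) ** 2, cutoff), 1.0 - cutoff)
         for _ in range(m)]
    X = [[1 if rng.random() < p[i] else 0 for i in range(m)]
         for _ in range(n_users)]
    return X, p

def symmetric_score(y, x, p):
    """Symmetric accusation score (Skoric et al.) of one codeword x
    against the sequence y decoded from the pirated copy."""
    score = 0.0
    for yi, xi, pi in zip(y, x, p):
        g = math.sqrt((1 - pi) / pi) if xi == 1 else -math.sqrt(pi / (1 - pi))
        score += g if yi == 1 else -g
    return score
```

With a majority-vote collusion of a few users, the colluders' scores concentrate well above the innocent ones, which is exactly what the accusation threshold exploits.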
arXiv (Cornell University), Apr 29, 2011
The class of joint decoders of probabilistic fingerprinting codes is of utmost importance in theoretical papers to establish the concept of fingerprint capacity [1]-[3]. However, no implementation supporting a large user base is known to date. This article presents an iterative decoder which is, to the best of our knowledge, the first practical attempt towards joint decoding. The discriminative power of the scores benefits, on the one hand, from the side information of previously accused users and, on the other hand, from recently introduced universal linear decoders for compound channels [4]. Neither the code construction nor the decoder makes precise assumptions about the collusion (size or strategy). The extension to incorporate soft outputs from the watermarking layer is straightforward. Extensive experimental work demonstrates the very good performance and offers a clear comparison with previous state-of-the-art decoders.
arXiv (Cornell University), Feb 16, 2012
Whereas the embedding distortion, the payload and the robustness of digital watermarking schemes are well understood, the notion of security is still not completely well defined. The approach proposed in the last five years is too theoretical and solely considers the embedding process, which is half of the watermarking scheme. This paper proposes a new measurement of watermarking security, called the effective key length, which captures the difficulty for the adversary to get access to the watermarking channel. This new methodology is applied to additive spread spectrum schemes where theoretical and practical computations of the effective key length are proposed. It shows that these schemes are not secure as soon as the adversary gets observations in the Known Message Attack context.
HAL (Le Centre pour la Communication Scientifique Directe), Dec 3, 2012
This paper proposes a new fingerprinting decoder based on the Markov Chain Monte Carlo (MCMC) method. A Gibbs sampler generates groups of users according to the posterior probability that these users could have forged the sequence extracted from the pirated content. The marginal probability that a given user belongs to the collusion is then estimated by a Monte Carlo method. The users with the largest empirical marginal probabilities are accused. This MCMC method can decode any type of fingerprinting code. This paper is in the spirit of the 'Learn and Match' decoding strategy: it assumes that the collusion attack belongs to a family of models. The Expectation-Maximization algorithm estimates the parameters of the collusion model from the extracted sequence. This part of the algorithm is described for the binary Tardos code and with the exploitation of the soft outputs of the watermarking decoder. The experiments consider some extreme setups where the fingerprinting code lengths are very small. They reveal that the weak link of our approach is the estimation part. This is a clear warning to the 'Learn and Match' decoding strategy.