- Research Article
- Open Access

# Broken Arrows

- Teddy Furon
^{1}Email author and - Patrick Bas
^{2}

**2008**:597040

https://doi.org/10.1155/2008/597040

© T. Furon and P. Bas. 2008

**Received:**11 December 2007**Accepted:**21 August 2008**Published:**8 September 2008

## Abstract

This paper makes an account of the design and investigations done for the still image watermarking technique used in the 2nd edition of the BOWS challenge. This technique is named “broken arrows” for some reasons given later on, and abbreviated “BA.” This zero-bit algorithm is an implementation of a recent theoretical result by Merhav and Sabbag (2008) with precautions taken with respect to robustness, security, and imperceptibility. A new robustness criterion, based on the nearest border point of a cone, is proposed. The security constraint is taken into account by increasing the diversity of the watermark, sculpturing and randomizing the shape of the detection regions. The imperceptibility and robustness are also provided by adopting proportional embedding in the wavelet domain. The algorithm has been benchmarked using a database of 2000 images. For a probability of false alarm below and a PSNR of 43 dB, the overall robustness regarding various classical image processing seems a promising and strong basis for the challenge.

## Keywords

- Watermark Image
- Watermark Scheme
- Detection Region
- Watermark Signal
- Attack Noise

## 1. “Broken Arrows” in a Nutshell

### 1.1. Motivations

The watermarking technique “broken arrows” has been designed especially for the break our watermarking scheme 2nd edition (BOWS-2) contest. From the lessons learnt during BOWS-1, we had in mind to design a pure zero-bit watermarking scheme (no message decoding), which spreads the presence of the mark all over the host image. The BOWS-2 challenge is divided into three episodes with different contexts. The first episode aims at benchmarking the robustness of the technique against common image processing tools (compression, denoising, filtering, etc.). Thus, “BA” must be efficient so that it strongly multiplexes the original content and the watermarking signal in a nonreversible way when the secret key is not known. Moreover, no robustness against geometrical attacks is needed because they yield low PSNR values unacceptable in the contest. The second episode is dedicated to oracle attacks. The technique must be sufficiently simple so that the software implementation of the detector runs very fast because we expect a huge number of trials during this second episode. Counterattacks should be included if possible in the design. The third episode focuses on threats when many contents watermarked with the same secret key are released. The contenders are expected to deduce some knowledge about the secret key in order to better hack the pictures. “BA” must not be trivially hacked. This is not an easy task especially since zero-bit watermarking tends to lack diversity.

- (i)
We do not know how to zero-bit watermark an image. However, the recent work [1] shows that the optimum scheme for Gaussian vectors under certain restrictions among which is the low complexity of the detector exactly matching our requirement.

- (ii)
Multiplicative embedding (aka proportional embedding) offers many advantages: an embedding that is easy to implement and compliant with the human visual system [4], plus a good approximation of game theoretical optimum solution for spread spectrum schemes [2].

- (iii)
One of the most difficult things in zero-bit watermarking is to assess that the false alarm probability is lower than a given level. Yet, one exception is for detection regions shaped like hypercones where tractable numerical calculations exist [1, 3].

- (iv)
The wavelet domain is one of the best embedding domain even if the watermark signal has been created in another space, because it is compliant with the human visual system. There exists a fast wavelet transform based on the lifting scheme.

In a nutshell, the detection regions are represented by a set of slightly modified hypercones. The embedding is classically done by moving a feature vector of the host content deep inside this detection region to obtain a watermarked vector . The detection is performed by checking whether a feature vector extracted from a submitted image belongs or not to one of these hypercones (see Section 3).

### 1.2. Three General Constraints

Other subtleties of BA are motivated by the general constraints in image watermarking, for example, security, robustness, and distortion.

Distortion

The visual distortion has been taken into account by choosing the medium and high frequencies of the image thanks to the wavelet transform (see Section 2.2) and applying the proportional embedding (see Section 4). The PSNR of the watermarked images is controlled during the embedding, resorting to norm conservation property of some orthogonal transforms (see Section 2) and by taking into account the proportional embedding step (see Section 4.1).

Robustness

BA relies on two techniques in order to have a decent robustness. The first one is commonly known as informed embedding. Vector is generated in order to be as far as possible from the border of the detection region (see Section 3.1.2). Furthermore, proportional embedding in a transform domain enables to merge two signals sharing the same statistical structure. The host is almost decorrelated in this transform domain like the watermark signal, while the watermark signal amplitude is shaped as the one of the host. This helps to be robust against denoising attacks like Wiener filtering.

Security

The original content is projected successively onto lower-dimensional subspaces in order to ease the creation of the watermark signal (see Sections 2.2 and 2.3). However, the first projection is private and depends on the secret key. This prevents the pirate from tracing the contents in the successive subspaces, and it restricts his playground to a very high-dimensional space. The dimension is almost as big as the number of pixels in the image. The detection region is composed of several regions introducing some diversity in the embedding because the host contents are pushed towards many different regions (see Section 3.2). We hope that this diversity brings some gain in security level in the sense that the private projection will remain secret even if many watermarked contents are observed. Finally, at the detection side, the security is also strengthened by randomizing the decision of the detector when the signal is near the frontier (see Section 5.1) and by introducing notches in the detection region (see Section 5.2).

## 2. Four Nested Spaces

*X*,

*Y*,

*W*” denote, respectively, the representatives of the original content, the watermarked content, and the watermark signal to be embedded. We use the following terminology and notations to denote the representatives in the different domains:

- (i)
“image” in the pixel space of width and height : ,

- (ii)
“signal” in the wavelet subspace, which is a subset of : (due to the discrete nature of pixels values, this subspace and the following ones are not stricto sensu homomorphic to , or ),

- (iii)
“vector” in the correlation space, which is a subset : ,

- (iv)
“coordinates” in the MCB plane, which is a subset : .

### 2.1. The Pixel Space

where MSE is the mean square error: , with being the width and height of the image in pixels.

### 2.2. The Wavelet Subspace

As stated in the introduction, the wavelet transform is an excellent embedding domain because of its compliance to the human visual system.

We perform the 2D wavelet transform (Daubechies 9/7) on three levels of decomposition of the original image . This transform is very fast thanks to a very efficient lifted scheme implementation. We select the coefficients from all the bands except the low-frequency LL band. These wavelet coefficients are then stored into a signal (a column vector) . In our implementation, the image dimensions must be multiple of 8. This signal lies in , a space we call the wavelet subspace. The low-low frequency band coefficients are kept in memory, and they will be used in the inverse extraction process.

The embedding process in this domain is in charge of mixing the host and watermark signals in a nonreversible way. The result is the watermarked signal . We mean by nonreversible the fact that an attacker observing should not be able to split it back to the two private signals.

### 2.3. The Secret Subspace

We use secret binary antipodal carrier signals of size : . They are produced by a pseudorandom generator seeded by the secret key . Their norm equals one, they are independent and we assume that they are orthogonal since their cross correlations are negligible (their expectations are zero, and their standard deviations equal ) compared to their unitary norms when is big. The host signal is projected onto these carrier signals: . These correlations are stored into a vector . It means that represents the host signal in the secret subspace. We can write this projection with the matrix whose columns are the carrier signals: . The norm is conserved because the secret carriers are assumed to constitute a basis of the secret subspace: .

The secret subspace has several advantages. Its dimension is much lower than the wavelet subspace; the vectors in this space are easier to manipulate. It brings robustness against noise or, in other words, it increases the signal to noise power ratio at the detection side, because the noise is not coherently projected onto the secret subspace. Moreover, it boils down the strong nonstationarity of the wavelet coefficients: components of are almost independent and identically distributed as Gaussian random variables.

### 2.4. The Miller, Cox & Bloom Plane

Hence, the MCB plane is the plane containing and . As far as we know, [5] is the first paper proposing the idea that the watermark vector should belong to the plane containing the secret and the host, hence the name MCB plane.

The coordinates representing the host are with , and . Note that whereas is always positive, the sign of is not a priori fixed. However, we will define so that is indeed always positive (see (14)).

so that . Now, the vector to be added in the secret subspace is indeed first generated in the MCB plane, such that . Then, .

## 3. Embedding and Detection

As mentioned in the previous section, the embedding first needs to go from the spatial domain to the MCB plane. Then, it creates the watermark signal and finally maps it back to the spatial domain. We have seen how to go from one subspace to another. We now explain the definition of the watermark representatives for the three domains.

We do not know what is the optimal way to watermark an image. This is mainly due to the nonstationarity of this kind of host. However, as mentioned earlier, host vectors in the secret subspace can be modeled as random white Gaussian vectors. We know what is the optimal way (in some sense) to watermark a Gaussian white vector according to [1]. The embedder has to create a watermarked vector as , where is a secret vector and and are scalars to be determined. This shows that the watermarked vector belongs to the plane , that is, the MCB plane. However, contrary to [1], we prefer to look for the optimum watermarked coordinate in the basis of the MCB plane.

### 3.1. The MCB Plane

The absolute value in the detection formula implies that the detection region is indeed a two-sheet cone as advised by Merhav and Sabbag [1].

The goal of the embedding process in this domain is to bring the coordinates of the watermarked vector deep inside the cone. There are actually several methods: maximizing a robustness criterion [6, Section 5.1.3], maximizing the detection score [1], or maximizing the error exponent [7]. These strategies assume different models of attack noise (resp., the noise vector is orthogonal to the MCB plane, the noise vector is null, or the noise vector is white and Gaussian distributed). We propose our own strategy which, in contrast, does not assume any model of attack as it foresees the worst possible noise. A geometrical interpretation makes the link between our strategy and the one from [6, Section 5.1.3].

#### 3.1.1. Maximum Robustness

The radius is related to the embedding distortion constraint. We give its formula in Section 4.1.

Roughly speaking, represents the amount of noise energy to go outside the detection region provided that is inside [6, Section 5.1.3]. The maximum robustness strategy selects the angle maximizing the robustness: , where is a function of (7). This can be done via a dichotomy search or a Newton algorithm.

#### 3.1.2. A New Criterion Based on the Nearest Border Point Attack

The definition of the robustness explained above makes sense whenever the noise vector is orthogonal to the MCB plane. However, many attacks (filtering, compression, etc.) introduce a distortion which is indeed to be very dependent on the host vector. Hence, the previous assumption may not be realistic. We describe here a new embedding strategy maximizing the distance between the watermarked vector and the nearest border point on the detection region frontier. We first introduce it in an intuitive manner with geometrical arguments, and then we prove it with a Lagrange resolution which is indeed the best strategy.

This second constrained optimization is also easily solved by a Lagrange resolution. The study is divided into two parts depending on the first Lagrange resolution:

Case 1.

If , the minimal distance equals which is positive since is inside the cone. The nearest border point belongs to the MCB plane (i.e., ) with coordinates .

The second Lagrange resolution gives the watermarked coordinates: . Yet, this solution is acceptable only if , that is, . The maximum of the minimum square distance is then . Vector instances are shown in Figure 5 with superscript .

Case 2.

If (i.e., is on the axis of the cone), then , and the nearest border points are located on a circle: , and .

The distortion constraint allows to place the watermarked coordinates on the axis of the cone only if , and then . We rediscover here the embedding proposed in [1, Theorem 2], where optimal parameters are given by [1, (33)]. This is the “erase” strategy where the embedder first erases the noncoherent projection of the host and then spends the remaining distortion budget to emits a signal in the direction of the secret vector . Vector instances are shown in Figure 5 with superscript .

The two cases are possible and compete if . A development of the two expressions of shows that, in this case, the first case gives the real maximum minimum distance. Denote . Our embedder amounts to place to maximize this criterion.

where is the the nearest border point attacked coordinate.

In conclusion, a geometrical interpretation of the robustness criterion given in [6, Section 5.1.3] gives us an idea of changing it for . This idea has been checked via a double Lagrange optimization. This new formula has links with the embedding strategy of [1] and also avoids the iterative search, as the optimal watermarked coordinates have now closed-form equation. The locus for the watermarked coordinates having the same robustness (aka contour of constant robustness) is the cone translated by the vector . This is quite a different constant robustness surface as the hyperbola (defined through (8)) gets very close to the border as the norm of the vector increases [5].

### 3.2. Increasing the Diversity of the Watermark Signal

Zero-bit watermarking is known to provide weak security levels due to its lack of diversity. The detection region, for the moment, is only composed of one two-nappe hypercone around the axis supported by . Analyzing several watermarked signals, an attacker might disclose the secret signal that parameterized the detection region, using clustering or principal component analysis tools [8â€“, 10].

This secret vector is used for the embedding in the MCB plane. Chosen as is, projection is always positive. At the detection side, the same vector has a high probability to be selected since the embedding increases correlation .

We can predict two consequences. The first one is an advantage; we increase the probability of correct embedding. is chosen as the closest vector of from , whence, for a given embedding distortion, it is more likely to push a vector in its hypercone. This acceptance region split into several areas mimics the informed coding used in positive rate or zero rate watermarking scheme such as dirty paper trellis or quantized index modulation. The second one is a drawback; the angle of the cones decreases with the number of cones in order to maintain a probability of false alarm below a given significance level. Consequently, narrower hypercones yield a lower robustness, as less attack distortion is needed to go outside.

The following subsections investigate this issue from a theoretical and an experimental point of view.

### 3.3. Modeling the Host

In the wavelet subspace, one possible statistical model is to assume a Gaussian mixture. The wavelet coefficient is Gaussian distributed but with its own variance : . We will also pretend that they are conditionally independent given their variances, which is of course not exactly true [11]. In the secret subspace, the components of the host vector are Gaussian i.i.d. because the carrier signals are mutually independent, and the correlations are indeed linear combinations of Gaussian random variables: , with .

### 3.4. Probability of False Alarm

As shown in Figure 6, the angle of the cone is moderately decreasing with .

### 3.5. Experimental Investigations

Figure 6 depicts the distributions of the coordinates of 5500 original images and their watermarked versions (PSNR of 45 dB) in their MCB plane for different numbers of cones while keeping the probability of false alarm below . The host model is represented by the green line on the left. The bigger the number of cones is the better the approximative model feats the experimental distribution. The effect of the proposed strategy to maximize the robustness is clearly visible. The points representing watermarked contents are either located on the axis or nearly distributed along the blue line on the right parallel to the line modeling the host coordinates. Host coordinates above the dotted blue line are just shifted by the vector .

- (i)
For images with a low magnitude of , the robustness decreases with the number of cones.

- (ii)
For images with a high magnitude of , the robustness increases according to the number of cones.

- (iii)
For a given number of cones, there is a range of , for example, a class of images, where the robustness is maximal.

- (iv)
The average robustness is monotonically increasing with the number of cones. It tends to saturate for . This is an extremely surprising experimental result because we expected to have an optimal number of cones like the optimum number of codewords in Costa's theory [13].

This subsection has investigated the watermark embedding and detection only in the MCB plane. This exactly simulates an additive spread spectrum embedding where the watermark signal defined in (13) is directly added to the wavelet coefficients: . This provides a tractable model in the MCB plane but it has many drawbacks, as we will see in the next section.

## 4. Proportional Embedding

In other words, the signal is hidden in the content via a proportional embedding. Such an embedding in the wavelet domain provides a simple human visual system in the sense that it yields perceptually acceptable watermarked pictures for PSNR above 40 dB [4]. Moreover, this scheme has shown to be close to the optimal embedding strategy given by a game theory approach, but less computationally expensive [2]. However, some corrections are needed in the BA algorithm.

### 4.1. Corrections

#### 4.1.1. Impact on Embedding Distortion

#### 4.1.2. Equivalent Projection

with .

At the embedding side, we take into account this phenomenon right in the MCB plane. We model it by searching the best watermark coordinates with a vector , which reflects the coordinates of the vector after proportional embedding in the MCB plane. But, the coordinates to be projected back to the secret subspace is indeed .

In the MCB plane, the ratio is the only difference between the additive and the proportional embedding methods.

### 4.2. Experimental Investigations

Other experimental works not described in this article showed us that bigger values of and are expected when is important, but there is almost no obvious statistical inference between and the norm of the host vector. The expectation of this ratio is around and , weakly increasing with . It has a strong variance around this expectation. The most important is that the ratio is always lower than 1. It means that embedding circle in the MCB plane is smaller with a proportional embedding than an additive embedding.

The final experimental work is a benchmark of four watermarking techniques. We used 2000 luminance images of size . These pictures represent natural and urban landscapes, people, or objects, taken with many different cameras from 2 to 5 millions of pixels.

Four watermarking techniques with different embedding strategies have been benchmarked:

- (i)
maximization of the robustness criterion defined by (8) with a proportional embedding,

- (ii)
maximization of the error exponent as detailed in [7] with a proportional embedding,

- (iii)
maximization of the new robustness criterion with a proportional embedding,

- (iv)
maximization of the new robustness criterion with an additive embedding.

We apply a set of 40 attacks mainly composed of combinations of JPEG and JPEG 2000 compressions at different quality factors, low-pass filtering, wavelet subband erasure, and a simple denoising algorithm. This latter consists in thresholding wavelet coefficients of 16 shifted versions of the image, afterward the inverse wavelet transforms are shifted back and averaged.

## 5. Counterattacks

In the BOWS-2 contest, the broken arrows algorithm has to face attacks linked to security. The first one is the oracle attack whose goal is to disclose the shape of the detection region and/or to find nearest border point. The second one is based on information leakage, and the goal here is to try to estimate the secret subspace. We consequently decided to implement a counterattack in order to make these attacks (a bit) more complicated. The only solution we found to cope with information leakage attacks is to increase the diversity of the key by using several cones as explained previously in the paper (see Section 3.2). Initially, we also tried to increase the diversity of the key by using technique relying on perceptual hashing, but this technique was not mature enough to be implemented in the last final version of the algorithm. Regarding oracle attacks, we adopted three counterattacks presented below.

### 5.1. Randomized Boundary

An attacker having unlimited access to the detector as a black sealed box can lead oracle attacks. Many of them are based on the concept of sensitivity, where the attacker tries to disclose the tangent hyperplane locally around a point (called sensitive vector) on the border of the detection region. A counterattack formalized by [16] is to slightly randomize the detection region for each call. This counterattack is very similar to the one that consists in having a chaotic boundary as proposed in [17, 18], both want to prevent an easy gradient ascent algorithm by making the detection border more difficult to analyse.

We process very simply by picking up a random threshold uniformly distributed in the range has a corresponding probability of false alarm of (resp., ).

### 5.2. Snake Traps

The “snake” is a new kind of oracle attack invented by Craver and Yu [19]. It consists in a random walk or a diffusion process in a constrained area of the space, which is indeed the detection region. This approach is a very efficient way to explore the detection region and to estimate parameters of the watermark detector. An important fact is that the snake tends to grow along the detection region border.

Our counterattack is to shape the boundary of the detection region, trapping the snakes in small regions to stop their growth. We draw “teeth” in the MCB plane, in the following way:

- (i)
if , then detection is positive if ,

- (ii)
else the watermark is detected if , where is a random variable as explained above.

and set the periodicity and the width of the “teeth.” Note that the teeth are longer as the vector is far away from the origin. Depending on the step of the random walk, we hope to increase the probability of trapping a snake as it grows. The teeth slightly reduce the size of the acceptance region, hence, the probability of false alarm is even lower.

Snakes almost grow infinitely in a cone because this detection region is not bounded (in practice, the pixel luminance dynamic bounds it). Hence, the average direction of several independent snakes can disclose the axis of the cone. Yet, we deal with several cones, and more importantly, the cones are indeed not disjoint for the considered probability of false alarm; the angle is always bigger than in Figure 6 and around rad in the final implementation. The snakes will then be trapped in a subspace of dimension , where no average direction will emerge. This does not mean that snakes do no longer constitute a threat. A principal component analysis of several long snakes might disclose the secret subspace. We expect at least a strong increase of detection trials.

### 5.3. Camouflage of the Cone

The detection score is virtually independent of a value-metric scaling. This is a nice robustness feature, but very few detectors provide this advantage. Hence, this leaves clues [19]. We consequently decided to conceal the use of hypercones by truncating it; a content is deemed not watermarked if . Note that the value has to be small enough to guaranty that the nearest border point is not located on the truncated section of the cone.

### 5.4. Nasty Tricks

Concerning the challenge, we have the choice for the images proposed for the contest. We benchmark our watermarking technique over a set of 2000 images and against a bunch of common image processing attacks, in order to fine tune all the parameters, but also to investigate which images from this database were the most robust. These latter ones are used for the first episode of the challenge. In the same way, we made a light JPEG compression to let participants think that the embedding domain is the DCT domain!

## 6. Software Implementation

The BA software was developed in C using the libit [20] library in order to get fast embedding and detection schemes. During the whole contest, the embedding distortion is set by a targeted PSNR of 43 dB. In practice, due to pseudo-orthogonal carriers and the different approximations made in Section 4.1, the real PSNR is in between 42.5 dB and 43 dB.

A four-level wavelet decomposition is performed via libit with its very efficient implementation of a lifting step factorization using a Daubechies 9/7 biorthogonal wavelet [21]. The coefficients in subbands form the vector .

The pseudorandom generator is the Mersenne Twister pseudorandom number generator [22] whose seed, that is, the secret key , is 128 bit long. The dimension of the secret subspace is . It is spanned by pseudo-orthogonal carriers on size . The Gram-Schmidt orthogonalization has been skipped because it is too much time-consuming. Antipodal carriers speed the correlation calculus because coefficients are accumulated in a sum which is in accordance with the sign of the corresponding carrier sample. We can also trade speed against memory; all the carriers' samples are not stored in memory but they are generated as the need arises.

The number of cones equals . There is no point in creating yet another set of secret directions for the axis of the cones. The secret subspace is already private via the secrecy of the antipodal carriers. Consequently, vector is just the th element of the canonical basis of the secret subspace. The angles and are chosen to obtain probabilities of false alarm lower than and , respectively. These two probabilities bound the probability of false alarm of the whole system.

During the detection process, we choose a truncating parameter equal to , a period equal to , and a width of the teeth equal to . The random parameter to choose angle is computed using time as a seed of the pseudorandom generator.

For a grey-scale image, the computational time for an embedding is of approximately 1.0 second for the embedding and 0.8 seconds for the detection on the BOWS-2 server (a 3-ghz Intel Xeon). Consequently, the BOWS-2 server, with 2 dual-core processors, has the possibility to detect around 350 000 images per day.

The source code of the BA embedding and detection schemes and the images used during the contest are available on http://bows2.gipsa-lab.inpg.fr.

## 7. Conclusion

The name “broken arrows” comes from the fact that the detection region is a set of cones shaped like heads of arrows, where the very end has been broken (see Section 5.3). Moreover, such a name suits perfectly the BOWS contest.

Designing a practical watermarking technique for a contest is a very challenging task. We would like to point out that a design is necessary done under constraints of time, man, and computer powers, with the sword of Damocles that a contender hacks the technique within the first hours of the challenge. Especially, the countermeasures presented in Section 5 have not been thoroughly tested due to lack of time. Consequently, a design is quite a different work than the writing of scientific paper. However, algorithms performing well in practice are often based on strong theoretical background. Not knowing the final results of the challenge by the time of writing, we humbly hope that lessons of scientific interest will be learnt.

## Declarations

### Acknowledgments

The authors thank Guillaume Stehlin and Francois Cayre for their knowhow in code optimization. They also thank HervÃ© JÃ©gou, Vivien Chappelier, and Francois Cayre, the authors of the libit, for providing them such a simple and efficient C library as well as the denoiser software. The quality of this article has been really improved thanks to the careful reviewing of ClÃ©o Baras, Francois Cayre, and the anonymous reviewers of EURASIP JIS. The authors also thank the French national ANR projects Nebbiano (ANR-06-SETI-009) and Estivale (ANR-05-RIAM-1902) for funding the BOWS-2 server. Last but not least, special thanks to Maj. Deakins and Capt. Hale for having supported them during the running of the challenge.

## Authors’ Affiliations

## References

- Merhav N, Sabbag E:
**Optimal watermark embedding and detection strategies under limited detection resources.***IEEE Transactions on Information Theory*2008,**54**(1):255-274.MATHMathSciNetView ArticleGoogle Scholar - Pateux S, Guelvouit GL:
**Practical watermarking scheme based on wide spread spectrum and game theory.***Signal Processing: Image Communication*2003,**18**(4):283-296. 10.1016/S0923-5965(02)00145-5Google Scholar - Miller M, Bloom J:
**Computing the probability of false watermark detection.**In*Proceedings of the 3rd International Workshop on Information Hiding (IH '99), September 1999, Dresden, Germany, Lecture Notes in Computer Science*.*Volume 1768*. Edited by: Pfitzmann A. Springer; 146-158.Google Scholar - Bartolini F, Barni M, Cappellini V, Piva A:
**Mask building for perceptually hiding frequency embedded watermarks.***Proceedings of IEEE International Conference on Image Processing (ICIP '98), October 1998, Chicago, Ill, USA***1:**450-454.Google Scholar - Miller ML, Cox IJ, Bloom JA:
**Informed embedding: exploiting image and detector information during watermark insertion.***Proceedings of the IEEE International Conference on Image Processing (ICIP '00), September 2000, Vancouver, Canada***3:**1-4.Google Scholar - Cox I, Miller M, Bloom J:
*Digital Watermarking*. Morgan Kaufmann, San Francisco, Calif, USA; 2001.Google Scholar - ComesaÃ±a P, Merhav N, Barni M:
**Asymptotically optimum embedding strategy for one-bit watermarking under Gaussian attacks.***Security, Forensics, Steganography, and Watermarking of Multimedia Contents, January 2008, San Jose, Calif, USA, Proceedings of SPIE***6819:**1-12.Google Scholar - DoÃ«rr G, Dugelay J-L:
**Danger of low-dimensional watermarking subspaces.***Proceedings of IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP '04), May 2004, Montreal, Canada***3:**93-96.Google Scholar - Cayre F, Fontaine C, Furon T:
**Watermarking security: theory and practice.***IEEE Transactions on Signal Processing*2005,**53**(10):3976-3987.MathSciNetView ArticleGoogle Scholar - Bas P, DoÃ«rr G:
**Practical security analysis of dirty paper trellis watermarking.**In*Proceedings of the 9th International Workshop on Information Hiding (IH '07), June 2007, Saint Malo, France, Lecture Notes in Computer Science*Edited by: Furon T, Cayre F, DoÃ«rr G, Bas P.**4567:**174-188.Google Scholar - Liu J, Moulin P:
**Information-theoretic analysis of interscale and intrascale dependencies between image wavelet coefficients.***IEEE Transactions on Image Processing*2001,**10**(11):1647-1658. 10.1109/83.967393MATHMathSciNetView ArticleGoogle Scholar - Wikipedia : Fisher-tippett distributionâ€”wikipedia, the free encyclopedia. August 2008Google Scholar
- Costa MHM:
**Writing on dirty paper.***IEEE Transactions on Information Theory*1983,**29**(3):439-441. 10.1109/TIT.1983.1056659MATHView ArticleGoogle Scholar - Su JK, Eggers JJ, Girod B:
**Analysis of digital watermarks subjected to optimum linear filtering and additive noise.***Signal Processing*2001,**81**(6):1141-1175. 10.1016/S0165-1684(01)00038-XMATHView ArticleGoogle Scholar - Guelvouit GL, Pateux S:
**Wide spread spectrum watermarking with side information and interference cancellation.**In*Security and Watermarking of Multimedia Contents V, January 2003 , Santa Clara, Calif, USA, Proceedings of SPIE*Edited by: Wong PW, Delp E.**5020:**278-289.View ArticleGoogle Scholar - El Choubassi M, Moulin P:
**On the fundamental tradeoff between watermark detection performance and robustness against sensitivity analysis attacks.**In*Security, Steganography, and Watermarking of Multimedia Contents VIII, January 2006, San Jose, Calif, USA, Proceedings of SPIE*Edited by: Delp EJ, Wong PW.**6072:**1-12.Google Scholar - Linnartz J-PMG, van Dijk M:
**Analysis of the sensitivity attack against electronic watermarks in images.**In*Proceedings of the 2nd International Workshop on Information Hiding (IH '98), April 1998, Portland, Ore, USA, Lecture Notes in Computer Science*.*Volume 1525*. Edited by: Aucsmith D. Springer; 258-272.Google Scholar - Mansour M, Tewfik A:
**Secure detection of public watermarks with fractal decision boundaries.***Proceedings of the 11th European Signal Processing Conference (EUSIPCO '02), September 2002, Toulouse, France*Google Scholar - Craver S, Yu J:
**Reverse-engineering a detector with false alarms.**In*Security, Steganography, and Watermarking of Multimedia Contents IX, January 2007, San Jose, Calif, USA, Proceedings of SPIE*Edited by: Delp EJ, Wong PW.**6505:**1-10.Google Scholar - JÃ©gou H, Chappelier V, Cayre F:
**libit: Information theory and signal processing library.**http://libit.sourceforge.net - Daubechies I, Sweldens W:
**Factoring wavelet transforms into lifting steps.***Journal of Fourier Analysis and Applications*1998,**4**(3):247-269. 10.1007/BF02476026MATHMathSciNetView ArticleGoogle Scholar - Matsumoto M, Nishimura T:
**Mersenne twister: a 623-dimensionally equidistributed uniform pseudo-random number generator.***ACM Transactions on Modeling and Computer Simulation*1998,**8**(1):3-30. 10.1145/272991.272995MATHView ArticleGoogle Scholar

## Copyright

This article is published under license to BioMed Central Ltd. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.