a secure and robust hash-based scheme for image authentication
TRANSCRIPT
ARTICLE IN PRESS
Contents lists available at ScienceDirect
Signal Processing
Signal Processing 90 (2010) 1456–1470
0165-16
doi:10.1
� Cor
E-m
journal homepage: www.elsevier.com/locate/sigpro
A secure and robust hash-based scheme for image authentication
Fawad Ahmed a, M.Y. Siyal a,�, Vali Uddin Abbas b
a School of Electrical and Electronic Engineering, Nanyang Technological University, Singaporeb Department of Electronic and Power Engineering, Pakistan Navy Engineering College, National University of Sciences and Technology, Pakistan
a r t i c l e i n f o
Article history:
Received 1 November 2008
Received in revised form
7 May 2009
Accepted 21 May 2009Available online 6 June 2009
Keywords:
Randomized pixel modulation
Robustness
Tamper detection
Image security
Quantization
Hash collision
Wavelet transform
84/$ - see front matter & 2009 Elsevier B.V. A
016/j.sigpro.2009.05.024
responding author.
ail address: [email protected] (M.Y. Siyal).
a b s t r a c t
To authenticate an image using a hash function is a challenging task since several core
issues like tamper detection, security and robustness needs to be addressed. In this
paper, we propose a hash-based image authentication scheme that simultaneously
attempts to address these core issues. Unlike most of the existing schemes that use
secret key in the feature extraction stage, we use secret key to randomly modulate
image pixels to create a transformed feature space. The key-dependent transformed
feature space is then used to calculate the image hash. To reduce the size of the hash, a
4-bit quantization scheme is also proposed. The experimental results reported in this
paper reveals that the proposed scheme offers good robustness against JPEG
compression, low-pass and high-pass filtering. Besides being robust, the proposed
hashing scheme can detect minute tampering with localization of the tampered area.
These results along with the receiver operating curve (ROC) and security analysis
presented in this work makes the proposed technique a candidate for practical digital
image signature systems where the transmitted or stored image might undergo JPEG
compression, low-pass or high-pass filtering.
& 2009 Elsevier B.V. All rights reserved.
1. Introduction
With tremendous growth in the field of multimediatechnology and the availability of powerful image proces-sing software, it has now become easy to tamper digitalimages [1]. This possesses a serious issue, especially, if adigital image is to be used as evidence in a court of law.Hence, there should be some mechanism to prove theauthenticity of the image in question. Cryptographicdigital signatures [2] can be used to authenticate a digitalimage as proposed in [3]. The main drawback of thistechnique is that even a single bit change in the image dueto some content preserving operation like compression orfiltering will completely change the hash value. Multi-media image authentication, therefore, requires techni-ques which should be some what resilient to contentpreserving manipulations and at the same time be fragileenough to detect malicious manipulations.
ll rights reserved.
Several image authentication schemes have beenproposed in recent years. These schemes can be broadlyclassified into two types: watermark-based and hash-based. Watermarking techniques embed an imperceptiblesignal into a cover work to form a watermarked image. Atthe receiver’s end, the extracted watermark from thewatermarked image is used for authenticating purpose[4,5]. In contrast to watermark-based techniques, hash-based (or digital signature-based) techniques use aperceptual hash function (PHF) to extract a set of featuresfrom the image to form a compact representation that canbe used for authentication [6].
1.1. Merits and important requirements of an image hash
function used for authentication
One main disadvantage of a PHF-based scheme forimage authentication is that the hash is an extra overheadthat needs to be transmitted or stored besides the image.However, hash-based schemes have many useful advan-
ARTICLE IN PRESS
F. Ahmed et al. / Signal Processing 90 (2010) 1456–1470 1457
tages as compared to watermarked-based authenticationschemes, for example:
�
There is no distortion introduced in the image. � The size of the authentication watermark is limited bythe image embedding capacity. This is not the casewith image hash as it is a separate entity.
� It is not necessary that the image hash is transmittedalong with the image. It can even be transmitted beforeor after the image in question is transmitted. Similarlythe image and its respective hash can be stored at twodifferent physical locations.
Following are some important requirements that areexpected from a PHF used to authenticate an image[7–12].
�
Robustness against non-malicious manipulations, forexample, lossy compression, low-pass/high-pass filter-ing, minor contrast enhancement, etc. � The PHF should be highly sensitive to malicioustampering and should be able to detect the locationof tampering.
� The PHF should be key dependent. Without knowledgeof the correct key, it should be extremely difficult togenerate the correct hash.
� A key-based PHF should satisfy the property ofmodified weak collision [7]. According to this property,given an image, I, and its corresponding robust hash,HðIÞ, it should not be feasible to find another image, P
such that HðIÞ ¼ HðPÞ when I is significantly differentfrom P.
� The PHF should possess a high level of security againstcounterfeit attacks or attacks that are meant to fool theauthentication system.
� By looking at the hash values, it should be extremelydifficult for an attacker to guess the contents of theimage or reverse engineer the secret key that was usedto calculate the hash.
1.2. Review of some hash-based image authentication
schemes
In recent years, a number of researchers have proposedmany interesting and novel ideas to formulate image hashfunctions for the purpose of image authentication. In 1993,Friedman [3] introduced the idea of a Trustworthy Digital
Camera to authenticate digital images using cryptographichash functions and public key cryptography. For this schemeto work, it is necessary that the signature verifier shouldreceive exactly the same image that was used whilecalculating the signature inside the camera. This limitationmotivated researchers to devise content-based hash functionsthat are robust to non-malicious manipulations and fragile tomalicious manipulations. One of the early works in designingcontent-based hash function for image authentication wascarried out by Schneider and Chang [13] using intensityhistogram approach. There are two serious limitations with
this method. First, an image or a specific block can bemanipulated in such a way that its intensity histogramremains same or within the distortion bound. The secondproblem is the storage requirement as the histograms shouldbe stored in an encrypted form, otherwise, given theknowledge of the block size, an attacker can easily create aforged image without even requiring the genuine image.
Xie et al. [14] used mean of an image block to constructshort binary representation of an image which they call asApproximate Image Message Authentication Codes (AI-MAC). However, since the AIMAC only uses the MSB of theblock’s mean value to generate the hash, therefore, it isquite easy to manipulate an image block in such a waythat the visual appearance of the block is changed but theblock is still authenticated. A some what similar signaturescheme having a compact hash is proposed by Lou and Liu[15]. Queluz [16] proposed a signature scheme that usesmoments and edges of an image. Moments may be goodfrom the global perspective; however, local tamperingdoes not have much effect on the moment. Secondly, it ispossible to modify an image such that its moment doesnot change. Edge-based features capture more informa-tion of the image semantic as compared to moments.However, using edges as a feature vector has several issueslike the length of the hash, robustness of the edges againstnon-malicious manipulations, for example, JPEG compres-sion, etc.
Bhattacharjee and Kutter [17] proposed the use of scaleinteraction model in the wavelet domain to extractvisually salient image feature points which are used forauthentication. The location of these points is used toform the hash of the image. Although their scheme candetect the position of malicious manipulations, however,there are some errors in detecting the exact location ofthese positions due to wrap-around effect of the wavelettransform. Venkatesan et al. [18] construct robust imagehash for the purpose of image indexing by waveletdecomposition of an image and then random tiling eachsub-band into small rectangles. For each rectangle, somestatistical measure such as mean or variance is calculatedand quantized using a random quantizer. This scheme ismeant to compare the image as a whole. It is not clearhow effectively tampering within an image can besuccessfully detected. Lefebvre et al. [19] used theinvariance properties of the radon transform to constructthe image hash. A set of random vectors is first obtainedby projecting the luminance plane of the input image indifferent angular directions. To achieve robustness againstaverage luminance changes, the angular increment be-tween two successive projections are is instead of directlyusing the projections. To reduce the size of the signature,the covariance matrix of the radon vectors is estimated.The digital signature is formed by selecting the eigenvec-tor that corresponds to the largest two eigenvalues. Thescheme is not very robust for an image that has a highfrequency texture.
Lu and Liao [8] have proposed an image authenticationscheme that uses the parent–child pairs located at themultiple scales in the wavelet domain to obtain an imagehash. Their scheme is based on the observation that themagnitude difference between a parent node and its four
ARTICLE IN PRESS
F. Ahmed et al. / Signal Processing 90 (2010) 1456–14701458
child nodes at consecutive scales in the wavelet domainmostly remains preserved for content preserving manip-ulations like JPEG compression and blurring. However, formalicious manipulations, this relationship changes whichenables to detect tampering. A draw back of this scheme isthat the signature obtained does not depend on any secretkey and can be extracted/verified by anyone who has theknowledge of the algorithm. Secondly, since no secret keyis used, therefore for a single image, only one uniquesignature can be generated. Lin and Chang [9] haveproposed a block-based image authentication techniquethat relies on the invariant relationship between any twoselected DCT coefficients which are at the same position oftwo different 8� 8 image blocks. This scheme has veryhigh robustness to JPEG compression and can detect andlocalize tampering. Secret keys are used to select theblocks and the DCT coefficients. Radhakrishnan andMemon [10] and Uehara and Safavi-Naini [11] have shownattacks to find the secret key used to generate hash in [9].Similarly, Sun and Chang [12] have also proposed a block-based JPEG compression tolerant DCT-based authentica-tion scheme. This scheme, however, uses only three DCTAC coefficients for every 8� 8 image block along with theDC coefficients. Later in this paper we show a securityloop hole present in [9,12] that needs to be taken care ofwhile designing block-based DCT hashing schemes forimage authentication.
To cater for geometric distortion, many novelschemes have been proposed. For example, Monga andBrian [20] have proposed a hash-based image authentica-tion scheme that generates hash using importantfeature points extracted from an image. This scheme hasgood robustness properties, especially for geometricdistortions like scaling, rotation, cropping, etc. However,we observe that significant feature points are not presentin all perceptual units of an image. Hence, it is not clear ifthis scheme can detect tampering in small perceptualunits, especially change of gray-level shades in lowtexture areas of an image. Monga and Mihcak [21] proposethe use of non-negative matrix factorization for imagehashing. An image is treated as a matrix and hashing isconsidered as a randomized dimensionality reduction thatretains the essence of the original image matrixwhile preventing intentional attacks of guessing andforgery. This scheme is robust to JPEG compression,rotation, cropping and resizing. Motivated by the workof Monga and Mihcak [21], Lv and Wang have recentlyproposed a fast Johnson–Lindenstrauss transform forimage hashing [22]. Swaminathan et al. [23] proposedan image hashing scheme resilient to geometricand filtering operations by using the properties of discretepolar Fourier transform. Lu and Hsu [24] have pro-posed geometric distortion-invariant image hashingscheme by extracting robust meshes from an image.The normalized meshes are then used for generating thehash in the DCT domain. The proposed scheme hasgood robustness to several types of geometric distortions.This idea is further extended in the watermarking domain[25] in which hash-dependent watermarks are generatedusing meshes that are extracted from the image to bewatermarked.
Interestingly, Deng et al. [26–28] uses affine covariantregions for watermark embedding. For example, in [26] anaffine covariant point detector is used to extract featurepoints for the constructions of affine covariant ellipticalregions. These regions are then normalized into circlewith specific rotation to align with the dominant gradientorientation of the corresponding feature points. Theproposed scheme has good robustness to many commonimage processing operations, especially geometric distor-tions, like cropping, scale invariance and rotation. Theideas proposed in [25,26] can be further investigated tocome up with hashing schemes that besides being robustto lossy compression and image filtering, offer goodresilience properties for geometric distortions.
1.3. Paper organization
The remaining paper is organized as follows. In Section2, we explain the proposed hash generation and imageauthentication algorithms. In Section 3, we propose a 4-bit quantization scheme that significantly decreases thesize of the hash. In Section 4, several experimental resultsare presented that show the receiver operating curve(ROC), tamper detection and robustness capability of theproposed scheme. Section 5 presents the security analysisof the proposed scheme. Section 6 finally concludes thispaper with future directions.
2. Proposed algorithm for image authentication
Our aim is to develop an image authentication systemusing PHF that encompasses the three core componentsi.e. security, tamper detection and robustness. To meetthese requirements, a wavelet-based hashing scheme isproposed in this section. We had presented some initialwork on this technique in [29,30]. The wavelet transformis used due to its good time–frequency localizationproperty. We have experimentally observed that the useof LL, LH and HL wavelet coefficients gives good robustnessfor non-malicious distortions like JPEG compression withhigh compression ratios, low-pass and high-pass filtering.In addition, for some malicious tampering in an imagearea, there is a significant change in these coefficients. Toaddress the security issue, pixels in the spatial domain arerandomly modulated using a secret key before taking thewavelet transform. In this paper, we call this technique asrandomized pixel modulation (RPM). The RPM randomlymodulates each pixel of the input image using a secret keyto obtain the RPM-transformed image. The RPM-trans-formed image is a random pattern which is a function ofthe input image pixel values and the secret key.
Most of the PHF-based image authentication techni-ques, like the ones proposed in [9,12] use the secret key inthe feature extraction stage to enforce security. In such astrategy, the attacker knows the feature space that is usedto generate the hash, but without the knowledge of thesecret key cannot actually pinpoint the exact subset of thefeatures that are used to generate the hash. Dependingupon the type of underlying algorithm used to generatethe hash, this strategy has a security loop hole that is
ARTICLE IN PRESS
F. Ahmed et al. / Signal Processing 90 (2010) 1456–1470 1459
discussed in Section 5 of this paper. To prevent an attackerfrom knowing the feature space, we apply the secret keybefore the feature extraction stage using the RPMtechnique. No matter what type of features are used, theyall depend upon the values of image pixels. Generallyspeaking, changing pixel values in a random fashion canpossibly make the feature space random. Therefore, if anattacker replaces an image block with a visually differentimage block, without knowledge of the secret key, he/shecannot predict how the replaced block would contributetowards forming the feature space. There are manyinteresting properties of RPM related to system’s securityand tamper detection capabilities that are discussed inlater sections of this paper. The proposed image authenti-cation system consists of hash generation module andimage verification module. There are two secret keys, K1
and K2 used by the system. These keys are shared by boththe modules. To distinguish between the parameters ofsender and receiver, we shall use a bar over parametersthat relate to the receiver. Details of our proposedtechnique are presented in the following sections.
2.1. Hash generation module
The block diagram of the hash generation module isshown in Fig. 1. Following are the various steps involved inthe hash generation process:
1.
Let the input image be represented by I of dimensionN � N pixels. The image I is partitioned into non-overlapping blocks, each of dimension J � J pixels. Thisgives a total of N2=J2 blocks. Each block is representedby Bi, where i ¼ 0; . . . ;N2=J2� 1. In our proposedscheme, each block is divided into 16� 16 pixels, i.e.J ¼ 16 [31]. Choosing a block size of 8� 8 pixels mayincrease the accuracy, however, it would also increasethe hash size. After doing experiments on a number ofdifferent images, we have found that a block size of16� 16 pixels gives a good-trade-off between thetamper detection capability and size of the block.
2.
Let Biðx; yÞ represent the gray value of a pixel at spatiallocation ðx; yÞ in the block Bi . Let K1 be the secret keythat is shared between the sender and the receiver(verifier). Since J ¼ 16, each block consists of 256pixels. Pixels of each block are modulated usingpermutation sequence that has 256 elements. Thepermutation sequences are obtained using the RC4algorithm [32] that is initialized using the secret keyK1. The RC4 is a well-studied algorithm in cryptogra-phy that produces sequences having repetition cycle of10100. Let the permutation sequence of each block beFig. 1. Hash generation
represented by SiðmÞ, where i is the block index and m
is the index of a specific element in Si.
3. To make the image hash key-dependent, pixels of eachblock Bi are RPM-transformed using the permutationsequence Si to get a new image that we call as theRPM-transformed image, IRPM . Each pixel, Biðx; yÞ
� ofIRPM is calculated as follows:
Biðx; yÞ�¼ ½Biðx; yÞ þ a� SiðmÞ�
for 0 � x; y � J � 1 and 0 � m � J2� 1. (1)
The parameter SiðmÞ can have any value between 1 and256. Due to the random property of RC4, even similarlooking blocks are mapped to different hash values.This point is illustrated in Section 5.
4.
The IRPM image is wavelet transformed such that eachsub-band coefficient approximately represents a 16�16 area in IRPM . For example, if I has dimension of256� 256 pixels, then IRPM will also have the samedimension. The 4th level wavelet decomposition ofIRPM would yield LL; LH;HL and HH sub-bands ofdimension 16� 16 such that each coefficient in thesub-band exactly represents a 16� 16 area in IRPM . Wehave chosen 16� 16 area as it gives good precision ofdetecting tampering with reasonable hash size. Due totime–frequency localization property of the wavelettransform, each sub-band coefficient relates to itscorresponding spatial area in IRPM . Thus tampering ina specific image area of I would effect the same area inIRPM according to Eq. (1) thus only perturbing thecorresponding wavelet coefficient in the sub-bandsobtained from IRPM . This helps to detect tamperingwith localization.5.
Let the position of a wavelet coefficient in the sub-bands be indexed by p and q, where 0 � p; q � Z. Leteach coefficient in the respective sub-band be repre-sented by LLðp; qÞ, LHðp; qÞ, HLðp; qÞ and HHðp; qÞ. Theintermediate hash of I is calculated by the followingtwo equations:HI1ðp; qÞ ¼ LLðp; qÞ þ LHðp; qÞ, (2)
HI2ðp; qÞ ¼ LLðp; qÞ þ HLðp; qÞ for all 0 � p; q � Z. (3)
6.
The final hash of I is obtained by permuting the entriesof HI1and HI2with the secret key, K2. The permuted
matrices are represented by HI1and HI2
, respectively.
7. The sender also determines the threshold, t. Theproper selection of t is very important as it definesthe boundary between non-malicious distortion andmalicious tampering. The strategy to select the para-meter t is described in Section 4.
module.
ARTICLE IN PRESS
Fig. 2. Image verification module.
F. Ahmed et al. / Signal Processing 90 (2010) 1456–14701460
2.2. Image verification module
The image verification module shown in Fig. 2 is usedto authenticate the received image, I w.r.t. its hash. Theactual image I may be transmitted through an insecurechannel. Therefore I may undergo non-malicious opera-tion like JPEG compression, etc. or malicious tampering.The hash of I that shall be used to authenticate its receivedversion I and other system parameters N, K1, K2, a and J
are transmitted securely. Following are the steps involvedin the image verification process:
1.
Using the secret key K1, the received image I of N � Npixels is passed through the same steps as mentionedin Section 2.1 to get the intensity transformed version,IRPM .
2.
The intermediate hash of I is calculated using theformula outlined by Eqs. (2) and (3). Let the inter-mediate hash of I be represented by HI1and HI2.
3.
Using the secret key K2, inverse permutation is appliedto the received hash HI1and HI2to get the matrices of
intermediate hash HI1and HI2
, respectively.
4. Difference matrices D1 and D2 are calculated asfollows:
D1ðp; qÞ ¼ jHI1ðp; qÞ � HI1
ðp; qÞj, (4)
D2ðp; qÞ ¼ jHI2ðp; qÞ � HI2
ðp; qÞj for all 0 � p; q � Z.
(5)
5.
An error matrix Eðp;qÞ is calculated that contains themaximum value of D1 or D2.Eðp;qÞ ¼maxðD1ðp; qÞ;D2ðp; qÞÞ for all 0 � p; q � Z.
(6)
6.
Each entry of the matrix E is compared with thethreshold, t. If any entry is greater than t, then thecorresponding spatial area in I shall be considered astampered and the image I will not be positivelyauthenticated.
3. Quantization scheme for hash size reduction
In this Section, we propose a quantization method toreduce the size of the hash. Interestingly, the proposedmethod not only reduces the size of the hash, but it alsoenhances the security of the system. When quantization isused, the hash permutation module shown in Fig. 1 and itscorresponding inverse permutation module shown in Fig.2 are not required. Therefore, the secret key K2 is notrequired. The block diagrams of hash generation andimage verification system with quantization moduleadded are shown in Figs. 3 and 4, respectively.
In the hash generation phase, the input to thequantization module are the intermediate hash matricesHI1
and HI2of dimension Z � Z. These two matrices are
scanned row-wise to form vectors, VHI1and VHI2
, respec-tively. The two vectors VHI1
and VHI2are then concate-
nated to form a vector, VH ¼ ½VHI1VHI2�. Let the
intermediate hash coefficients in VH be represented byck, where 0 � k � 2Z2
� 1.The output of the quantization module consists of two
parts. The first part is the 160-bit hash of the input image I
obtained using the cryptographic hash function, SHA1 [2].The second part consists of a perturbation vector, Ok, thatis generated as part of the quantization process. Thedimension of VH and Ok is same and each entry in Okrequires four bits and corresponds to the entry at the sameposition in VH . The information contained in Ok is used toadjust the intermediate hash coefficients ck in the vectorVH during image verification stage before performingquantization. This adjustment ensures that if the driftbetween ck and ck due to non-malicious operation is lessthan or equal to the defined threshold t, then ckcoefficients would quantize to the same value that wascalculated in the hash generation phase. To positivelyauthenticate an image, it is necessary that all the
ARTICLE IN PRESS
Fig. 3. Hash generation module with quantization.
Fig. 4. Image verification module with quantization.
F. Ahmed et al. / Signal Processing 90 (2010) 1456–1470 1461
coefficients ck and ck fall in the same quantizationinterval in the hash generation and image verificationphase.
3.1. Quantization procedure
The details of the quantization process are nowpresented. The sender calculates the quantization inter-vals for each ck in the vector VH. All the quantizationintervals are then concatenated and hashed using thecryptographic hash function SHA1 [2] that gives a 160-bithash. For each ck, a 4-bit value called perturbationinformation is calculated and recorded in Ok. As describedabove, the perturbation information is used at thereceiver’s end to adjust the value of ck coefficients in VH
before performing quantization. The quantization proce-dure is described with the help of Fig. 5. Let Qk represent aquantization interval, where k represents the index to aspecific intermediate hash coefficient in VH . Let t be themaximum allowable difference between ck and ck valuesdue to non-malicious operation. Each quantization inter-val is then equal to t. The quantization interval for ck iscalculated by dividing ck by t and rounding the result
using the floor operator.
Qk ¼ckt
� �. (7)
Let HSHA1ð�Þ represent the cryptographic hash functionusing the SHA1 algorithm [2] and k represents theconcatenation operator. The sender calculates the hash,HI , of the image I using the following equation:
HI ¼ HSHA1ðQ0kQ1kQ2k; . . . ; kQkÞ. (8)
Let the 4-bit perturbation information for a quantiza-tion interval Qk be represented by two 2-bit variables r1kand r2k. Due to non-malicious operation, it is quitepossible that hash coefficients drift from their originalvalues such that one or more quantization intervals aredifferent from their original counterpart. According to Eq.(8), to positively authenticate an image, it is necessarythat Qk ¼ Qk 8k. Therefore, before the receiver calculatesQk, 8k ck is adjusted such that Qk ¼ Qk if jck �ckj � t.
For a specific ck, its corresponding recorded values r1kand r2k are used by the receiver to adjust ck beforecalculating Qk. The parameters r1k and r2k enable thereceiver to decide whether shifting in ck is required ornot. Further, if shifting is required, whether the shiftingshould be in the positive or the negative direction.
;
;
ARTICLE IN PRESS
� 2� 4� 5� 6�3�
2 3 4 510
0 1 2 3 0 1
0.25� 1.50� 2.75� �κ
�1κ�2κ
Qκ
Fig. 5. Illustration of quantization procedure.
F. Ahmed et al. / Signal Processing 90 (2010) 1456–14701462
For a quantization interval Qk, the sender calculatesr1k as follows:
r1k ¼ Qk mod 4. (9)
As shown in Fig. 5, each quantization interval is dividedinto four equal parts. To show how the two bits of r2k arerecorded, consider the interval between t and 2t, i.e.Qk ¼ 1. The two bits of the parameter r2k are recorded asfollows:
r2k ¼
0 : t � cko1:25t;1 : 1:25t � cko1:50t;2 : 1:50t � cko1:75t;3 : 1:75t � cko2:0t:
8>>>><>>>>:
(10)
The receiver will adjust ck coefficients to cater for non-malicious operation to get the adjusted coefficient, c�k. Let& and j represent logical AND and OR operators,respectively. Let sk be a parameter that enables thereceiver to know if ck has drifted one quantizationinterval in either direction. In case if any ck coefficientis drifted more than one quantization interval, then it willbe considered as a drift due to malicious tampering, henceno adjustment in ck will be done. This implies QkaQk.This is the reason a single quantization interval is equal tot. The receiver calculates sk as follows:
sk ¼0 : r1k ¼ ðr1k � 1Þmod 4;
1 : r1k ¼ ðr1k þ 1Þmod 4;
2 : otherwise:
8><>: (11)
Before calculating Qk, the receiver will adjust ckaccording to the following rule:
c�k ¼
ck þ t : ðsk ¼ 0Þ & ðr2k ¼ 0Þ;
ck þ t : ðsk ¼ 0Þ & ðr2k ¼ 1Þ &
ðr2k ¼ 1jr1k ¼ 2jr1k ¼ 3Þ;
ck þ t : ðsk ¼ 0Þ & ðr2k ¼ 2Þ & ðr2k ¼ 2jr1k ¼ 3Þ
ck þ t : ðsk ¼ 0Þ & ðr2k ¼ 3Þ & ðr2k ¼ 3Þ;
ck � t : ðsk ¼ 1Þ & ðr2k ¼ 0Þ & ðr2k ¼ 0Þ;
ck � t : ðsk ¼ 1Þ & ðr2k ¼ 1Þ & ðr2k ¼ 0jr2k ¼ 1Þ
ck � t : ðsk ¼ 1Þ & ðr2k ¼ 2Þ &
ðr2k ¼ 0jr2k ¼ 1jr2k ¼ 2Þ;
ck � t; ðsk ¼ 1Þ & ðr2k ¼ 3Þ;
ck otherwise:
8>>>>>>>>>>>>>>>>>>>>>>>><>>>>>>>>>>>>>>>>>>>>>>>>:
(12)
After obtaining c�k coefficients, the receiver calculatesthe quantization intervals and the image hash:
Qk ¼c�kt
$ %, (13)
HI ¼ HSHA1ðQ0kQ1kQ2k; . . . ; kQkÞ. (14)
The received image I will be positively authenticated if
HI ¼ HI. (15)
Since the final hash is calculated using the cryptographichash function, therefore, if tampering in any 16� 16 imagearea is such that its corresponding jck � ckj4t thenQkaQk which implies HI and HI will be completely different.
3.2. Hash size reduction due to quantization
It is to be noted that without quantization, the hash ofthe image consists of coefficients in the matrices HI1
andHI2
. As discussed later in Section 4.4, after performingexperiments on a number of different images, we haveobserved that each hash coefficient takes 14 bits of storage.For an image of size 256� 256 pixels, the total entries in HI1
and HI2will be 2� 16� 16. With each entry taking 14 bits,
the size of the hash will be 896 bytes. With quantization,the information contained in Ok requires 2� 162
� 4 bits ofstorage, plus additional 160 bits for the hash. Therefore, thereceiver requires 276 bytes of information to perform theauthentication. By using the quantization process, theoverhead is 3.24 times less thus saving the bandwidth orstorage space. As stated above, an additional benefit ofquantization is that it also enhances the security of thesystem. This point is discussed in Section 5.
3.3. Non-malicious and malicious operation
In this section, the quantization procedure is furtherelaborated. Let the system threshold t ¼ 10. In Section3.3.1, an example of non-malicious operation is presented.In Section 3.3.2, the detection condition of malicioustampering is given along with examples.
3.3.1. Non-malicious operation
Consider the case of a non-malicious operation.Assume the value of a hash coefficient ck ¼ 46, fallingin Qk ¼ 4. Then r1k ¼ 4 mod 4 ¼ 0 and r2k ¼ 2. Nowsuppose at the receiver, due to a non-malicious operation,
ARTICLE IN PRESS
F. Ahmed et al. / Signal Processing 90 (2010) 1456–1470 1463
the same coefficient, is drifted from 46 to 38, thus fallingin Qk ¼ 3 instead of Qk ¼ 4. If no adjustment is made,then HIaHI , hence I will not be positively authenticated.To make adjustment in ck, the receiver calculates r1k, r2kand sk using Eqs. (9)–(11), respectively, yielding r1k ¼ 3,r2k ¼ 3 and sk ¼ 0. Using Eq. (12), the receiver will adjustck such that c�k ¼ ck þ 10 ¼ 48. Using Eq. (13),Qk ¼ 4 ¼ Qk. It is easy to check that for any k, as longas jck � c�kj � t, Qk ¼ Qk thus HI ¼ HI .
3.3.2. Malicious tampering and its detection condition
Let us consider the case of malicious tampering, i.e.jck � c�kj4t, where t ¼ 10. Assume the same condition atthe sender’s side, i.e. ck ¼ 46, which implies r1k ¼ 0 andr2k ¼ 2. At the receiver’s side, let ck ¼ 35, i.e.jck � ckj410. In this case, r1k ¼ 3, r2k ¼ 2 and sk ¼ 0,therefore, c�k ¼ ck þ 10 ¼ 45. This implies Qk ¼ Qk de-spite the fact that jck � ckj4t.This is a contradictionfrom the fact that QkaQk if jck �ckj4t. The reason forthis discrepancy is the resolution of the quantizationinterval. Since each interval is divided into four equalparts, therefore r2k will not change if the drift incko0:25t. However, it is guaranteed that QkaQk ifjck � ckj 1:25t.
Let us take another example in which for the same driftof 11 in ck, tampering will be detected. At the sender’sside, let ck ¼ 40, this implies Qk ¼ 4, r1k ¼ 0 and r2k ¼ 0.At the receiver’s side, let ck ¼ 29 which implies,r1k ¼ 2aðr1k � 1Þmod 4, r2k ¼ 3 and sk ¼ 2. There willbe no change in ck which implies c�k ¼ ck. ThereforeQk ¼ 2aQk. Therefore HIaHI .
To generalize this discussion; using quantization,tampering will be detected if jck �ckj4tk, wheret � tk � 1:25t. Let x be the distance between any twodivisions of a quantization interval, where 0 � x � 0:25t:
xk ¼ckt
� �mod 0:25
� �t. (16)
Depending upon the position of ck in a quantizationinterval, the value of tk at which tampering will bedetected is given by the following equation:
tk ¼ tþ xk. (17)
For every ck, tk will be different. It will be inefficientthat the sender transmits all the tk to the receiver. Hence incase of quantization, for any k if jck � ckj 1:25t, HIaHI .
3.4. Condition for detection of tampered blocks
If tampering is detected in I, then HIaHI whichindicates that I is not authentic. The quantization algo-rithm, however, cannot detect the location of tampering inI. Interestingly, the perturbation information stored in Okcan be used by the receiver to detect the location oftampering provided r�1kar1k, where r�1k ¼ c�k mod 4.Once the index k is determined, the correspondinglocation in I can be determined.
4. Experimental results and discussion
An image hashing scheme should be robust againstnon-malicious manipulations like JPEG compression,
low-pass/high-pass filtering, contrast enhancement, etc.and simultaneously be sensitive enough to detect mal-icious manipulations. In addition, the entire hashingscheme should fulfill a number of security requirements.The degree of robustness is a trade-off with respect to theamount of fragility required to detect malicious manip-ulations and the level of security that is desired. In thissection, we present several experimental results todemonstrate the robustness and tamper detection cap-ability of the proposed scheme. The parameter a in Eq. (1)is used for enforcing security by generating a hash thatdepends not only on the image pixels but also on thesecret key. Increasing the value of a though increases therandomness in the hash, also increases the size of thewavelet coefficients that forms the hash. For example, incase of the Cameraman image, if a is kept at 0.5, thenmaxðHI1
ðp; qÞ;HI2ðp; qÞÞ ¼ 4039 and around 74 percent
blocks of the Cameraman image are detected as tamperedfor incorrect keys. However, if a is kept at 1.5, thenmaxðHI1
ðp; qÞ;HI2ðp; qÞÞ ¼ 6278 and around 97 percent
blocks of the Cameraman image are detected as tamperedfor incorrect keys. After doing experiments on a number ofimages, the value of a ¼ 1:5 has been found to give goodrandomness in the hash along with a reasonable hash size.
4.1. System’s robustness and discussion on threshold
selection
The threshold t draws the boundary between robust-ness, tamper detection capability and security of theauthentication system. In our proposed scheme, increas-ing t will increase system’s robustness while decreasingtamper detection capability and security. The proposedscheme offers good robustness against JPEG compression,low-pass and high-pass filtering. It is important to notethat robustness characteristics vary from image to image.To explore this fact, we formed a database of 1000different images; each image having a size of 256� 256pixels. Fig. 6a shows the response of the authenticationsystem due to JPEG compression. The JPEG quality factor,QF, was kept at 20. The parameter maxðEðp;qÞÞ wascalculated using Eq. (6). The value of maxðEðp; qÞÞ variesbetween 33 and 78. Similarly, Fig. 6b and c show theresponse of the system when the receiver gets low-passand high-pass filtered version of the transmitted image,respectively. The average value of maxðEðp;qÞÞ for JPEGcompression, low-pass and high-pass filtering is 42, 28and 23, respectively. In view of these results, we proposethat defining a global threshold for all images will notprove efficient. For example, in case of Image No. 200, themaxðEðp; qÞÞ value due to JPEG compression is 39. Usingthis set of data, if a global threshold strategy is adoptedthat caters for JPEG compression, then for any image,tampering will only be detected if maxðEðp;qÞÞ478 (theresponse of Image No. 645 for JPEG compression). In sucha case, for Image No. 200, tampering that results inmaxðEðp; qÞÞo79 will not be detected despite the fact thatmaxðEðp; qÞÞ for this image is 39. Keeping in view this fact,we propose that when the sender is sending an image I toa receiver, the sender also estimates the desired threshold
ARTICLE IN PRESS
0 200 400 600 800 10000
50
100
150
Images
max
(E(p
,q))
0 200 400 600 800 10000
50
100
150
Images
max
(E(p
,q))
0 200 400 600 800 10000
50
100
150
Images
max
(E(p
,q))
Fig. 6. System robustness to JPEG compression, low-pass and high-pass filtering: (a) Effect of JPEG compression. (b) Effect of low-pass filtering. (c) Effect
of high-pass filtering.
F. Ahmed et al. / Signal Processing 90 (2010) 1456–14701464
that the receiver shall be bound to use. This implies thatthe sender is also putting a constraint on the amount ofrobustness that can be tolerated. The threshold parametercan be included in the digital signature so that a thirdparty can also correctly authenticate I.
Bounding the receiver by the sender to use a specificthreshold makes sense because the sender has the actualimage that needs to be authenticated at the receiver’s end.For a specific image, the sender can have some estimateabout the authentication system response to differentthresholds. The sender can then select a specific thresholdthat gives a reasonable trade-off between robustness,tamper detection and security.
Consider the Baboon image shown in Fig. 7a. In Fig. 7b, aslightly tampered version of the Baboon image is shown inwhich the right eye ball has been replaced with the left eyeball. The value of maxðEðp;qÞÞ for this tampering is 60. Todetect such a minute tampering, to60. Fig. 8 shows themaxðEðp; qÞÞ for the Baboon image by varying JPEG QF from100 to 1. If such a minute tampering is to be detected, thenthe Baboon image should not be compressed below JPEGQF ¼ 12 (at JPEG QF ¼ 12;maxðEðp; qÞÞ ¼ 56, whereas atJPEG QF ¼ 11;maxðEðp; qÞÞ ¼ 73) while being transmittedfrom the sender to the receiver. From this discussion wewould simply like to emphasize the point that in robustimage hashing, the selection of threshold is quite a complexissue, as the sender does not know in advance what may bethe magnitude of malicious and non-malicious distortion
in the image while it is in transit. However, with theempirical analysis shown above, one has some idea aboutrobustness versus tamper detection capability of thesystem. As a future research direction, algorithms basedon artificial intelligence or other techniques can be devisedthat can ask the user to specify important image areas thatneed more protection and the type of non-maliciousoperation that the image may undergo during transmis-sion. Based on this data, the algorithm can give someoptimum threshold that the sender can bound the receiverto use while authenticating the received image.
4.2. Detection of tampering
In this section, we present some further experimentalresults to show the proposed system sensitivity towardsdetecting tampering. For the purpose of illustration weused the Cameraman image for which the value ofmaxðEðp; qÞÞ for JPEG QF between 100 and 20, low-passand high-pass filtering is 48. Suppose our robustnessrequirement is to bypass any distortion in the receivedimage if it has undergone JPEG compression up to QF of20. Let us choose the system’s threshold as 50 and analyzethe sensitivity of the system to detect malicious tamper-ing. Tampering can be either low contrast or high contrast.High contrast tampering is easy to detect as compared tolow contrast tampering. Fig. 9a shows the original
ARTICLE IN PRESS
Fig. 7. Minute tampering that may go undetected at small threshold: (a) Original Baboon image. (b) Tampered Baboon image. Tampering is shown inside
the circle.
0 20 40 60 80 1000
50
100
150
200
250
JPEG Quality Factor
max
(E(p
,q))
Fig. 8. Change in maxðEðp; qÞÞ as the receiver receives compressed
version of the Baboon image with varying JPEG QF.
F. Ahmed et al. / Signal Processing 90 (2010) 1456–1470 1465
Cameraman image while Fig. 9b shows its tamperedversion with tampered areas marked inside a circle. Thefirst tampering is with the lens which is a high contrasttampering. In the second tampering, the roof of the smallbuilding is tampered. This tampering is low contrast ascompared to the first one. Fig. 9c shows the detectionresult in which both the tampered areas were successfullydetected. The interesting thing to note is that for the lenstampering, Eðp; qÞ ¼ 330, while for the building tampering,Eðp; qÞ ¼ 98. The former is a high contrast tampering ascompared to the latter. Both these value are quite high ascompared to the system’s threshold. This result revealsthat the proposed system can detect minute tampering athigh compression ratio.
4.3. The receiver operating curve
The receiver operating curve is a plot of the probabilityof false positive PFP versus the probability of false negative
PFN as the system threshold is varied. In context to ourauthentication system, the two probabilities are definedas follows:
PFP ¼Number of tampered blocks detected as genuine
Total number of tampered blocks,
(18)
PFN ¼Number of genuine blocks detected as tampered
Total number of genuine blocks.
(19)
To estimate PFP , we conducted an experiment using theCameraman image (Fig. 9a) and the Baboon image (Fig. 7a).The Cameraman image is considered as the genuine imagewhose hash is compared with the hash of the Baboonimage. The hash comparison is done by comparing eachblock of the Cameraman image with all blocks of theBaboon image and identifying those blocks for whichEðp; qÞot. For each t, the total number of comparisons are65 536. A tampered block shall be considered as genuine ifthe respective Eðp; qÞ for the block is less than t. The PFP isthen calculated using Eq. (18). By looking at the Baboonimage, it is easy to judge that nearly all the blocks of theBaboon image are visually different from the blocks of theCameraman image. Due to this reason, we consider theBaboon image as a tamper test case w.r.t. the Cameramanimage. The false negative probability PFN is estimated bychoosing JPEG compression as the non-malicious opera-tion. The Circusman image is used that gives the worstrobustness response to JPEG compression. The genuinehash is first calculated using the Circusman’s image whichis then compared with the hash of the same image JPEGcompressed at QF ¼ 20. Each block of the Circusman’simage is compared with the corresponding block of itscompressed version. The comparison though genuine shallbe considered as tampered if for any block Eðp; qÞ4t. Theprobability PFN is calculated using Eq. (19) using the samevalues of thresholds that were used to calculate PFP . Whileestimating the ROC, the parameter t was varied from 0 to150. The result of this experiment is presented in Fig. 10.Even at low values of PFN , the proposed system gives a
ARTICLE IN PRESS
Fig. 9. Tamper detection capability of the proposed scheme: (a) Original Cameraman image. (b) Tampered Cameraman image. Tampering is shown inside
the circle. (c) Result of tamper detection.
0 0.005 0.01 0.015 0.020
0.01
0.02
0.03
0.04
0.05
0.06
0.07
0.08
0.09
0.1
False Positive Probability
Fals
e N
egat
ive
Pro
babi
lity
Fig. 10. The receiver operating curve.
0 100 200 300 400 500 600 700 800 90010000
1000
2000
3000
4000
5000
6000
7000
8000
9000
10000
Images
Max
imum
val
ue o
f wav
elet
coe
ffici
ent
for e
ach
imag
e
Fig. 11. The maximum value of wavelet coefficient for each image in the
database.
F. Ahmed et al. / Signal Processing 90 (2010) 1456–14701466
reasonably low PFP. This is basically a trade-off betweenrobustness, tamper detection capability and security of theauthentication system. For example, if PFP is kept at 0.01,then the corresponding PFN is 0.005. These results are quiteencouraging when compared to the results in the literature,for example [20,6].
4.4. Hash size
The size of the hash depends upon the size of theimage. Fig. 11 shows the maximum value of the waveletcoefficient for each image in our database of 1000 images.The block size used was 16� 16 pixels. The maximum
ARTICLE IN PRESS
F. Ahmed et al. / Signal Processing 90 (2010) 1456–1470 1467
value of the wavelet coefficient is 7549 that requires 13bits of storage. Let us allocate 14 bits of storage for eachwavelet coefficient so that its maximum value can span upto 16 384. In this case, the size of hash for a 256� 256image will be 896 bytes.
5. Security analysis
In this section we analyze the security of our proposedscheme. To enforce security, two secret keys K1 and K2 areused in the hash generation and verification stages. Thepurpose of K1 is to change the gray levels of all the pixelswithin a specific image block by the random pixelmodulation given by Eq. (1). For each image block, thistransformation is random and unique. The basic ideabehind the proposed RPM technique is to make theintermediate hash dependent on the input image andthe secret key K1. Due to small size of an image block, abrute force attack can be launched to estimate K1. Tothwart this possibility, the second secret key K2 is used torandomly permute the intermediate hash coefficients. Bylooking at the permuted hash coefficients, an attacker willnot be able to relate a hash coefficient to its respectiveimage block. This shall prevent the attacker from launch-ing a brute force attack to estimate K1. In case ifquantization is used, the secret key K2 is not required.This point is discussed in Section 5.4. In the following sub-sections, we discuss the impact of the proposed rando-mized pixel modulation on the security of the proposedscheme. Further, the effect of the secret key K1 on thesecurity of the system and the probability of hash collisionis also discussed.
5.1. Randomized pixel modulation and its impact on
system’s security
Most of the image hashing techniques proposed in theliterature, for example [9,12] use the secret key to selectthe subset of the feature space to generate the image hash.This strategy enables the attacker to know the featurespace, however, the attacker is not aware which featuresare selected from the feature space. Depending on thetype of underlying hashing algorithm, this strategy canhave security loop holes. For example, the DCT schemeproposed by Sun and Chang [12] forms the hash features
Fig. 12. For smooth texture blocks, most of the DCT AC coefficients are zero: (a) A
8� 8 block shown in Fig. 12a.
by dividing an image into 8� 8 non-overlapping blocks.From each block, the DCT DC coefficient and three DCT ACcoefficients are selected. The selection of the AC coeffi-cients is done using a secret key. To illustrate the securityweakness in this scheme, consider the 8� 8 block markedin the background of the Cameraman image shown in Fig.12a. Fig. 12b shows the DCT coefficients of this block. Sincethe block belongs to image background with smoothtexture, hence most of the DCT AC coefficients are zero. Insuch a scenario, the impact of the secret key that is used torandomly select the DCT AC coefficient is significantlyreduced. The same is true for the scheme proposed by Linand Chang [9]. Generally speaking, any hashing schemethat has weak secrecy in the feature selection stage canhave such security issues.
In this paper we adopt a different approach. Instead ofusing the secret key to randomly select features, we usethe secret key to transform the feature space using theRPM transformation given by Eq. (1). Through thistransformation, each image pixel is changed into a newvalue which depends upon the original pixel value and thesecret key K1. Fig. 13a shows how an RPM-transformedCameraman image looks like. It is to be noted that theRPM-transformed image is used at run-time by thealgorithm to calculate the hash and is not transmitted tothe receiver. Fig. 13b shows the RPM-transformed DCTcoefficients of the same block that was shown in Fig. 12b.In Fig. 12b most of the DCT coefficients were zero becauseof the smooth texture of the block. However, due torandomized pixel modulation, random key-dependentDCT coefficients are obtained. Hence even for image areasthat have very low entropy, the proposed RPM techniqueincreases the entropy of the feature space as in this caseby generating DCT coefficients that are random. Increasingthe entropy of the feature space increases the security ofthe hash that is generated using the feature space. Thesame applies for the LL; LH and HL wavelet coefficientsthat are used in this paper to generate hash of an image. Inthe next section, we show the sensitivity of the secret keyon the randomness of the wavelet coefficients.
5.2. Effect of secret key on the hash
In this section, we discuss the effect of secret key K1 onthe intermediate hash values. The change in the secret keyshould significantly change the hash. To verify this fact,
n 8� 8 block marked on the Cameraman image. (b) DCT coefficient of the
ARTICLE IN PRESS
Fig. 13. The proposed RPM technique increases the entropy of the feature space: (a) RPM-transformed Cameraman image. (b) DCT coefficient after the
8� 8 block shown in Fig. 12a is RPM-transformed.
0 200 400 600 800 10000
50
100
150
200
250
300
1000 random keys
Num
ber o
f blo
cks
iden
tifie
das
mal
icou
s
0 200 400 600 800 10000
50
100
150
200
250
300
1000 random keys
max
(E(p
,q))
of e
ach
bloc
k
Fig. 14. Effect of the change of secret key K1 on the intermediate hash. (a) Number of blocks identified as malicious from a total of 256 blocks. (b)
Magnitude of error between the hashes.
0.005
0.01
0.015
0.02
0.025
0.03
0.035
0.04
0.045
0.05
Pro
babi
lity
of h
ash
colli
sion
F. Ahmed et al. / Signal Processing 90 (2010) 1456–14701468
hash of the Cameraman image was generated and thencompared with 1000 hashes of the same image generatedwith 1000 randomly generated keys. The system thresholdwas kept at 48, which means that the receiver will toleratethe incoming image even if it is JPEG compressed with aQF of 20. Fig. 14a shows the result of this experiment. Onthe average, 96 percent of image blocks for a different keyare detected as malicious. Fig. 14b shows the maxðEðp; qÞÞfor each random key. The average value of maxðEðp; qÞÞtaken over all the 1000 random keys is 240 which is fivetimes higher than the threshold value of 48. Hence theseresults show that the proposed RPM-technique is verysensitive to a change in the secret key.
0 200 400 600 800 10000
Images
Fig. 15. Probability of collision of hash values.
5.3. Probability of hash collision
Probability of hash collision means that if an attackerreplaces any block of a genuine image with any arbitraryblock, what is the probability that the arbitrary block willget positively authenticated. To carry out this test, weused the Cameraman image and compared its hash withhashes of 1000 different images in our database. For eachcomparison, hash coefficient of every single block of theCameraman image was compared with hash coefficientsof all the blocks of the target image. A collision occurs iffor any block of the Cameraman and the target image,Eðp; qÞot. Since all the images used are of size 256� 256pixels with block size of 16� 16 pixels, therefore, for eachtarget image, total block comparisons are 65 536. The
probability of collision for a single block is calculated bydividing the total number of collisions with the totalcomparisons. The threshold used was 48, i.e. the systemcan withstand high compression ratios. Fig. 15 shows theprobability of collision if any block of the Cameramanimage is replaced by any block of the target image. Theaverage probability of collision for a single block is 0.0052.The probability of collision per block is not low as we findin cryptographic hash functions. It should be noted that an
ARTICLE IN PRESS
F. Ahmed et al. / Signal Processing 90 (2010) 1456–1470 1469
image hash function is required to bypass non-maliciousoperations like compression, etc., which is not the casewith cryptographic hash functions. Interestingly, thechance of success of an attacker to randomly replace allblocks of an image with visually different blocks such thatall the replaced blocks get positively authenticated isextremely low. If average probability of collision for asingle block is taken as 0.0052, then the probability thatall the replaced blocks get positively authenticated is0:0052N , where N in our case is 256. This result explainsthe importance of the secret key in an image authentica-tion system. If secret key is not used, the attacker knowsthe hash coefficient. Therefore, it is easy for an attacker tofind collision in the hash values. The attacker will besuccessful even if the hash is sent encrypted because thehashing algorithm is public. However, with the proposedRPM-transformation, by simply looking at the image, anattacker cannot estimate the wavelet coefficients withoutknowledge of the secret key. Furthermore, in our scheme,even if the final permuted hash is exposed, it is notfeasible for an attacker to estimate the secret keys K1 andK2. This is possible because a permuted hash value doesnot give any clue to its respective image block. Hence K2
cannot be estimated. This implies that the secret key K1
cannot be estimated. If more robustness is required, thesystem threshold has to be increased. This, however, shallincrease the probability of collision. Depending upon thetype of application, a trade-off is required betweenrobustness and security of the authentication system.
5.4. Quantization and system’s security
When quantization is used, the intermediate hashcoefficients are quantized and the quantization intervalsare hashed using the cryptographic hash function. With-out the knowledge of K1, an attacker cannot guess thequantization intervals. To launch a brute force attack, theattacker has to search the key space such that all thequantization intervals are correctly found. This is theadvantage of using the cryptographic hash function. Forexample, if the attacker is close to the finding the key andthe quantization interval differs say by even a unit value,still the hashed output will be entirely different. Hencethe attacker has no idea whether he/she is even close tothe actual key or not. Further, the perturbation vector doesnot leak any information regarding the quantizationinterval as observed from Eqs. (9) and (10).
6. Conclusion
In this paper, we have proposed a novel hashingscheme that simultaneously tackles robustness, securityand tamper detection issues. Instead of using secret key torandomly select the image features, we have proposed arandomized pixel modulation method that makes theentire feature space random. The proposed RPM method isvery sensitive to change in the key and can effectivelydetect tampering. In addition, the proposed scheme isrobust to JPEG compression, low-pass and high-passfiltering that are content preserving operations. We have
also proposed a quantization scheme that significantlyreduces the size of the hash. The information used by thequantization algorithm at the receiver’s end does not leakinformation required to estimate the hash or the secretkey. The system is very sensitive to a change in the secretkey. If the final permuted hash is exposed, it is not feasiblefor an attacker to estimate the secret keys K1 and K2. Inaddition, the permuted hash values do not give any clue totheir respective image blocks. Since the image hash isformed by taking into account the LL sub-band waveletcoefficients, the proposed system is not robust to otherparameters like change in brightness, contrast enhance-ment, etc. This is a performance trade-off as practically itis very difficult to come up with a PHF that is robust to allnon-malicious manipulations and still has a high level ofsecurity and tamper detection capability. Discarding theLL sub-band coefficients in the hash for example will helpto improve the system’s robustness to contrast enhance-ment, however, the system may then fail to detecttampering that involves a smooth change in the grayvalues. This is the reason we have also used the LL
coefficients.
References
[1] W. Li, Y. Yuan, N. Yu, Passive detection of doctored JPEG image viablock artifact grid extraction, Signal Processing, 89 (2009) 1821-1829.
[2] B. Schneier, Applied Cryptography, Wiley, USA, 1996.[3] G.L. Friedman, The trustworthy digital camera: restoring credibility
to the photographic image, IEEE Transactions on ConsumerElectronics 39 (4) (1993) 905–910.
[4] P.W. Wong, N. Memon, Secret and public key image watermarkingschemes for image authentication and ownership verification, IEEETransactions on Image Processing 10 (10) (2001) 1593–1601.
[5] X. Zhang, S. Wang, Fragile watermarking scheme using a hierarch-ical mechanism, Signal Processing 89 (2009) 675–679.
[6] A. Swaminathan, Y. Mao, M. Wu, Robust and secure image hashing,IEEE Transactions on Information Forensics and Security 1 (2)(2006) 215–230.
[7] R. Radhakrishnan, Z. Xiong, N. Memon, On the security of the visualhash function, in: E.J. Delp III, P.W. Wong (Eds.), Security andWatermarking of Multimedia Contents V, SPIE, vol. 5020, 2003, pp.644–652.
[8] C.S. Lu, H.-Y.M. Liao, Structural digital signature for imageauthentication: an incidental distortion resistant scheme, IEEETransactions on Multimedia 5 (2) (2003) 161–173.
[9] C.Y. Lin, S.-F. Chang, A robust image authentication methoddistinguishing JPEG compression from malicious manipulation,IEEE Transactions on Circuits and Systems for Video Technology11 (2) (2001) 53–168.
[10] R. Radhakrishnan, N. Memon, On the security of the digest functionin the SARI image authentication system, IEEE Transactions onCircuits and Systems for Video Technology 12 (11) (2002)1030–1033.
[11] T. Uehara, R. Safavi-Naini, On (In) security of a robust imageauthentication method, in: Y.-C. Chen, et al. (Eds.), Lecture Notes inComputer Science, vol. 2532, Springer, Berlin, 2002, pp. 1025–1032.
[12] Q. Sun, S.-F. Chang, A robust and secure media signature scheme forJPEG images, Journal of VLSI Signal Processing 41 (2005) 305–317.
[13] M. Schneider, S.F. Chang, A content based digital signature for imageauthentication, in: International Conference on Image Processing,Lausanne, Switzerland, 16–19 September 1996, pp. 227–230.
[14] L. Xie, G.R. Arce, R.F. Graverman, Approximate message authentica-tion codes, IEEE Transactions on Multimedia 3 (2) (2001) 242–252.
[15] D.-C. Lou, J.-L. Liu, Fault resilient and compression tolerantsignature for image authentication, IEEE Transactions on ConsumerElectronics 46 (1) (2000) 31–39.
[16] M.P. Queluz, Content-based integrity protection of digital images,in: P.W. Wong, E.J. Delp (Eds.), Security and Watermarking ofMultimedia Contents, vol. 3657, 1999, pp. 85–93.
ARTICLE IN PRESS
F. Ahmed et al. / Signal Processing 90 (2010) 1456–14701470
[17] S. Bhattacharjee, M. Kutter, Compression tolerant image authenti-cation, in: Proceedings of the International Conference on ImageProcessing, Chicago, USA, 4–7 October, 1998, pp. 435–438.
[18] R. Venkatesan, S.-M. Koon, M.H. Jakubowski, P. Moulin, Robustimage hashing, in: International Conference on Image Processing,Vancouver, Canada, 10–13 September 2000, pp. 664–666.
[19] F. Lefebvre, J. Czyz, B. Macq, A robust soft hash algorithm for digitalimage signature, in: International Conference on Image Processing,Barcelona, Spain, 14–18 September 2003, pp. 495–498.
[20] V. Monga, B.L. Evans, Perceptual image hashing via feature points:performance evaluation and tradeoffs, IEEE Transactions on ImageProcessing 15 (11) (2006) 3453–3466.
[21] V. Monga, M.K. Mihcak, Robust and secure image hashing via non-negative matrix factorizations, IEEE Transactions InformationForensics and Security 2 (3) (2007) 376–390.
[22] X. Lv, Z.J. Wang, Fast Johnson–Lindenstrauss transform for Robustand secure image hashing, in: 10th IEEE Workshop on Multimediaand Signal Processing, Cairns, Queensland, Australia, 8–10 October2008, pp. 725–729.
[23] A. Swaminathan, Y.M. Mao, M. Wu, Image hashing resilient togeometric and filtering operations, in: IEEE 6th Workshop onMultimedia Signal Processing, Siena, Italy, 29 September–1 October2004, pp. 355–358.
[24] C.-S. Lu, C.-Y. Hsu, Geometric distortion-resilient image hashingscheme and its applications on copy detection and authentication,Multimedia Systems 11 (2) (2005) 159–173.
[25] C.-S. Lu, S.-W. Sun, C.-Y. Hsu, P.-C. Chang, Media hash-dependentimage watermarking resilient against both geometric attacks and
estimation attacks based on false positive-oriented detection, IEEETransactions on Multimedia 8 (4) (2006) 668–685.
[26] C. Deng, X. Gao, D. Tao, X. Li, Geometrically invariant watermarkingusing affine covariant regions, in: International Conference onImage Processing, San Diego, USA, 12–15 October 2008, pp.413–416.
[27] C. Deng, X. Gao, X. Li, D. Tao, Invariant image watermarking basedon local feature regions, in: International Conference on Cyber-worlds, Hanzhou, China, 22–24 September 2008, pp. 6–10.
[28] C. Deng, X. Gao, D. Tao, X. Li, Digital watermarking in image affineco-variant regions, in: Sixth International Conference on MachineLearning and Cybernetics, Hong Kong, 19–22 August 2007, pp.2125–2130.
[29] F. Ahmed, M.Y. Siyal, A secure and robust wavelet-based hashingscheme for image authentication, in: Advances in MultimediaModeling, Lecture Notes in Computer Science, vol. 4352, Springer,Berlin, 2007, pp. 51–62.
[30] F. Ahmed, M.Y. Siyal, Image authentication using soft hashingtechnique, in: Proceedings of the 26th International Conference onInformation, Communication and Signal Processing, Singapore,10–14 December 2007, pp. 1–5.
[31] B. Coskun, N. Memon, Confusion/diffusion capabilities of somerobust hash functions, in: Proceedings of the 40th AnnualConference on Information Sciences and Systems, Princeton, NJ,22–24 March 2006, pp. 1188–1193.
[32] W. Stallings, Cryptography and Network Security: Principlesand Practices, Pearson Education Inc., 2006, pp. 191–194(Chapter 6).