The invention relates to a method and device for embedding a watermark in a data signal, and in particular to embedding a watermark in the signal using look-up tables. Moreover, the invention relates to methods and devices for detecting a watermark in a data signal, as well as to computer readable code for implementing the methods of the invention.
Digital watermarking has proven an effective deterrent against illegal distribution of copyrighted material in digital form, for instance over computer networks, via electronic content distribution (ECD) applications or via hand-to-hand public distribution.
Forensic tracking watermarks are embedded in multimedia content to trace distributed copies of the content. Embedding watermarks in multimedia content is a complex operation in terms of computer power. Large-scale deployment of forensic tracking watermarks requires an efficient, scalable system of embedding watermarks and distributing the watermarked contents. Client-side embedding solves the scalability problem, since the server's processing load is distributed to the clients. Moreover, instead of sending distinct watermarked copies with point-to-point connections, a common unmarked copy can be broadcast—or multicast, cached at intermediate nodes, etc.
In the article “Chameleon—a new kind of stream cipher” by R. J. Anderson and C. Manifavas published in FSE'97: Proc. of the 4th Int. Workshop on Fast Software Encryption, Springer-Verlag 1997, pp. 107-113; a method is disclosed where a pseudo-random number generator operated in output-feedback mode is used to generate a keystream, a plaintext is enciphered by a process where four words selected from the keystream are EXOR-ed together and subsequently EXOR-ed with the plaintext.
The inventors of the present invention have appreciated that an improved means of handling watermarking of digital content is of benefit, and have in consequence devised the present invention. The inventors have had the insight that the method of the prior art deals with bit modifications of the data stream in the form of exclusive-or operations, and is thereby fragile to removal of the watermark. The present invention seeks to provide an improved means for copyright protection, and preferably, the invention alleviates, mitigates or eliminates one or more disadvantages of the prior art, singly or in any combination.
According to a first aspect of the present invention there is provided, a method for embedding a spread spectrum watermark in a data signal, the method comprising:
receiving an encrypted data signal, the data signal being encrypted by modifying the data signal in accordance with one or more entries of an encryption table; receiving a decryption table, the decryption table being a modified version of the encryption table; and
decrypting the data signal in accordance with entries of the decryption table thereby embedding a watermark in the data signal.
The method according to the invention embeds a spread spectrum watermark. The encrypted, watermarked or generally modified bits are spread or distributed over multiple bits. It is more robust than the prior art watermark, and can better be detected. The method includes a first step where the unmarked data signal is modified in accordance with one or more entries of an encryption table, and a second step where the encrypted signal is decrypted and watermarked in a single process. The decryption is based on a decryption table being a modified version of the encryption table. The modification is preferably obtained by applying, e.g. adding or multiplying, a watermark table to the encryption table. The encryption table may be randomly generated.
The data signal may be a signal of, or a signal containing or including, audio, video, images, multimedia software, multidimensional graphical models, software structures, etc. singly or any combination.
The data signal may be represented by a series of symbols, where a symbol of the data signal is to be understood as any representation of the data signal, such as segments of the bit stream, a base-band signal, a DCT coefficient of the signal in the transform domain, etc. In an example, the present invention may be applied to each pixel value or a subset of pixel values in an image or video sequence; in this case the symbols of the signal may be the pixel values. In another example, the present invention may be applied to transform coefficients of the data signal; in this case the symbols of the signal may be the transform coefficients. For example, for audio signals the coefficients may be coefficients representing the amplitude, pitch or the like of the signal. The coefficients may also be coefficients of a specific encoding of the signal, such as MDCT coefficients, linear prediction coefficients, Fourier coefficients, etc.
The invention according to the first aspect is particularly but not exclusively advantageous for a number of reasons. Spread spectrum watermarking is typically resistant to tampering, degradation and common signal processing operations, contrary to watermarking by means of bit-modifications, where at least some types of modifications may be removed by setting the modified bits to random values and thereby removing the watermark. Moreover, in order to be able to detect the embedded watermark in accordance with the present invention, the original unmarked data signal is not required. Only the watermark, typically in the form of a watermark table, and the corresponding entries of the decryption table may be needed. Moreover, the watermark may be embedded in accordance with a perceptual mask, dictating the strength of the watermark at specific locations in the signal.
The optional feature as defined in claim 2 is advantageous since the size of the input key may be considerably smaller than the size of the encryption, decryption or watermark table. For example compared to a method using one-time pads (OTP), the key size is significantly reduced.
The optional features as defined in claim 3 describe an advantageous implementation of the method where the data signal is encrypted at a first computing system, such as a secure system, and wherein the data signal is decrypted and the watermark embedded at a second computing system, the second system not necessarily being a secure system. The decryption table may be generated at the first computing system or accessed by the first computing system, e.g. at another computing system communicatively connected to the first computing system.
Claim 4 describes advantageous embodiments of embedding a watermark. It is an advantage of the present invention, that a watermark may be embedded both additively and multiplicatively in the signal.
The optional feature as defined in claim 5 is advantageous since by basing the watermark table on a modified version of a reference watermark table a payload may be inserted.
In an embodiment a series of decryption tables are generated based on a series of watermark tables, the series of watermark tables may be modified versions of a reference watermark table. The modified version may be obtained by circularly shifting the reference watermark table, the shift representing a payload.
According to a second aspect of the present invention there is provided a method of detecting a watermark in a data signal, the method comprising:
receiving a data signal possibly including a spread spectrum watermark, the possible watermark being embedded in accordance with entries of a decryption table;
generating a sequence of indices corresponding to the entries of a watermark table, and constructing the watermark therefrom;
detecting the presence of the watermark in the data signal.
The method according to the second aspect of the invention is provided in accordance with detecting a watermark embedded by the method of the first aspect of the invention.
The detection of the watermark may be obtained from a correlation of the data signal with the watermark. Optionally, an estimated watermark may be derived from the data signal, and the presence of the watermark may be detected in the estimated watermark. The watermark to be detected may be generated from a watermark table and the sequence of entries.
According to a third aspect of the present invention there is provided a method of detecting a watermark in a data signal, the method comprising:
receiving a data signal possibly including a spread spectrum watermark, the possible watermark being embedded in accordance with entries of a decryption table;
generating a sequence of indices corresponding to the entries of the decryption table;
accumulating segments of the data signal in an accumulation table at positions corresponding to the sequence of indices, thereby generating an accumulation table of the data signal;
detecting the presence of the watermark in the accumulation table.
The method according to the third aspect of the invention is provided in accordance with detecting a watermark embedded by the method of the first aspect of the invention.
The method according to the third aspect of the invention is advantageous, since the accumulation table may be much shorter than the signal, thereby providing a faster detection process. In a situation where a large number of possible watermarks is to be searched in a given data signal, it is important that the detection process is fast.
The detection of the watermark may be obtained from a correlation of the accumulation table with the watermark table. Optionally, an estimated watermark may be derived from the data signal, and the presence of the watermark may be detected in the estimated watermark. The accumulation table may be constructed from the estimated watermark.
In an embodiment a series of decryption tables are generated based on a series of watermark tables, the series of watermark tables being modified versions of a reference watermark table. The modified version may be obtained by circularly shifting the reference watermark table. The detection of the watermark may be obtained by a correlation of the accumulation table with the series of watermark tables, or from a correlation of the accumulation table with the reference table.
In a fourth aspect of the invention is provided a watermark embedder for embedding a spread spectrum watermark in a data signal.
In fifth and sixth aspects of the invention are watermark detectors for detecting the presence of a watermark possibly being embedded in a data signal.
In seventh, eighth and ninth aspects of the invention are provided computer readable code for implementing the methods of the first, second and third aspects.
In general the various aspects of the invention may be combined and coupled in any way possible within the scope of the invention. These and other aspects, features and/or advantages of the invention will be apparent from and elucidated with reference to the embodiments described hereinafter.
Embodiments of the invention will be described, by way of example only, with reference to the drawings, in which
The embedding process is conducted in two steps or parts, in a first part the signal is encrypted, this part is typically performed at the server 15, and in the second part, the signal is decrypted and the watermark is embedded, this part is typically performed at the client device 16.
The input of the encryption process comprises inputting an input key 5 into a secure index generator 1, the secure index generator being operable to generate a unique series of indices from the input key. Each index of the index generator points to an entry in a look-up table 6. The look-up table is received by, accessed by or generated at the server by means of a table unit 2. The data is encrypted at an encryption unit 3 by modifying the data signal in accordance with the entries of the encryption table. The encrypted signal 9 is then distributed to a user. The encrypted signal 9 is received or accessed at a signal unit 18 for receiving the encrypted data signal. The user device, i.e. the client device, also receives or accesses the input key 5. Given the input key, the secure index generator 1 is capable of generating the same series of indices as used for encrypting the data signal. Moreover, the client device receives or accesses a decryption table 8 at an encryption table unit 12, the decryption table being a watermarked version of the encryption table. The encrypted signal is decrypted at an embedding unit 13 by modifying the encrypted data signal in accordance with the corresponding entries of the decryption table. Because the decryption table is a watermarked version of the encryption table, the decrypted signal 14 is a watermarked version of the original input signal. The input key and the decryption table are distributed to the client via a secure communication channel, either separately or collectively. The input key and the decryption table are normally sent separately from the encrypted data signal. The signal may be distributed via a computer network, via an electronic content distribution (ECD) application, via a record carrier, such as a recordable or ROM optical record carrier or semiconductor or magnetic based carrier, etc.
A user of the signal may then render or playback the signal on a device adapted for reading the data signal, such as on a CD-player, a DVD-player, a computer, a portable playback device, a game console, etc.
The process of the present invention thus renders it possible to embed and distribute watermarked content in a secure, efficient and scalable manner. Handling of unmarked and unencrypted data may be done at a trusted site, e.g. by a trusted server device 15. Unmarked, but encrypted data is distributed to a potentially untrusted client 16, which locally performs the decryption and the watermarking of the data signal in a process where neither the unmarked content nor the watermark signal is exposed to the client. The user only gains access to the input key and the decryption table.
The watermarking is based on an index generator 22 and an encryption table 23. The index generator 22 may be a secure pseudo-random number generator, such as a stream-cipher operating in output-feedback mode (OFB). A stream-cipher in OFB-mode is capable of generating a series of indices 24, 25 from a short term input key 21. The size of the input key may be 64 or 128 bits. The encryption look-up table (LUT) 23 is a long-term table, or key, comprising a large number of entries. The encryption LUT is also referred to as E. The LUT size may be in the range between 128 KB to 128 MB. A size of 1 MB may be a typical size, the specific size of the LUT may be determined in a trade-off between security and size.
In the illustrated embodiment, the process is exemplified with integer entries of the look-up table and an integer value representation of the data signal, however it is to be understood that the process is not limited to this. The data signal is represented as a series of symbols. The symbol of the data signal is to be understood as any representation of the data signal, such as segments of the bit stream or the DCT coefficient, Cn, of the signal in the transform domain, here represented by integer values.
The look-up table 23 may be randomly generated at the server. In
A number of pointers or indexes 24, 25 are generated for each symbol of the data signal, here exemplified by two, however, any number such as 3, 4, 5, 10 or even more pointers may be applied.
The LUT entries indexed by each pointer are extracted 28, 29 and added together 200, e.g. E(t2n)=−127 and E(t2n+1)=+14 are extracted and added resulting in an encryption key for the given symbol of the data signal, here the integer number −113 as denoted by 205. The encryption key 205 is subsequently combined (added) 202 with the symbol of the data signal, here exemplified with the number +128 as denoted by 206, resulting in an encrypted data symbol 203, in this case being +15 as denoted by 207. In terms of transform domain coefficient, a modified, i.e. encrypted coefficient may be expressed as:
$C'_n = C_n + E(t_{2n}) + E(t_{2n+1})$.
From the LUT E, the server constructs the long-term decryption table 33 Dk. The decryption table being user-specific, k referring to a user-specific index, e.g.: Dk=−(E+Wk). The user may be a specific end user, a group of end-users, or the like. The user-specific watermark is referred to as Wk. The entries of Wk may be random variables with a variance much less than E. The watermark is also in the form of a LUT typically of the same size as E. By indexing the decryption table (i.e. the watermark table) forensic tracking is possible, since a given watermark may be linked to the intended user.
The decryption and watermarking is performed at the client side 16, by generating indices and modifying the data with the LUT corresponding to these indices.
As in connection with the encryption, indices are generated by an index generator 22 (stream-cipher operating in the OFB-mode). The short term input key 21 is used for generating the corresponding sequence or series of pointers 34,35 tn, as in connection with the encryption of the data.
The watermarking of the encryption table slightly alters entries of the table. In this embodiment where Dk=−(E+Wk), the entry denoted 36 has been altered by subtracting 3 giving a new entry of +130, whereas the entry denoted 37 has not been altered, since the entry in the watermark table is zero, instead the entry denoted 31 has been altered. The corresponding watermark LUT 53 is illustrated in
As in connection with the encryption, the decryption LUT entries of each pointer are extracted 38, 39 and added together 300, e.g. E(t2n)=+130 and E(t2n+1)=−14 are extracted and added resulting in a decryption key, here the integer number +116 as denoted by 306. The decryption key is subsequently combined 302 with the symbol of the encrypted data signal, here exemplified with the number +15 as denoted by 207 (the resulting encrypted symbol of
$C_{W,n} = C'_n + D(t_{2n}) + D(t_{2n+1})$.
The data signal 47 possibly including a watermark is received at a signal unit 41, and optionally the watermark is estimated at an estimator unit 46 from the received data signal. The watermark estimation may e.g. be the application of a high-pass filter which may enhance the watermark signal, other types of watermark estimation method may be used. Detection of the watermark may, however, also be conducted on the data signal in the received form.
The input key 21 used for generating the sequence of entries for the watermark possibly in the data signal is input into the secure index generator 22, the relevant entries of a watermark LUT 45 are extracted at a table unit 42, and the watermark is generated therefrom. Subsequently the presence 48 of the generated watermark is detected at a detector unit 43 in the signal by comparing the data signal or estimated watermark with the watermark deduced from the watermark LUT.
As in connection with the encryption and decryption, indices 54, 55 are generated by an index generator 21, 22 (a stream-cipher operating in the OFB-mode). The indices are used together with the watermark LUT 53 to reconstruct the watermark sequence.
The watermark LUT is the difference LUT between the encryption and the decryption LUT. In the given example all but a few of the entries are zero, however more entries, most entries or even all entries may include finite (typically small) values. The LUT entries of each pointer are extracted 58, 59 and added together 500 to construct the watermark value, e.g. Wk(t2n)=−3 as denoted by 56 and Wk(t2n+1)=0 as denoted by 57 are extracted 58, 59 and added 500 resulting in the watermark value, here the integer number −3 as denoted by 506. From the investigated data signal 501, the watermark is optionally estimated 502 (e.g. by means of a high-pass transform of the data signal) and the estimated watermark value is correlated 503 with the watermark values deduced from the watermark LUT 53. The correlation result is compared to a threshold value 504 so as to determine 505 whether or not the investigated (or suspected) data did in fact contain the watermark in question.
The data signal 67 possibly including a watermark is received at a signal unit 64 and optionally the watermark is estimated from the received data signal at an estimator unit 66. The input key 21 and the index generator 22 are used for generating and extracting the relevant entries as before. However, in the present embodiment, the segments, or symbols, of the data signal corresponding to the sequence of indices are accumulated in an accumulation LUT by an accumulation unit 63. The watermark 62 is detected by a detector unit 61 in the signal by correlating the accumulation LUT with the watermark LUT. Thus, in this embodiment the received data signal is rearranged in an accumulation table so that the relevant segments of the data signal are arranged in accordance with the entries generated by the secure index generator 22.
As in connection with the encryption and decryption, indices are generated by an index generator 22 and the input key 21. The data is received 71 and the watermark is optionally estimated 72 therefrom. The symbol of the data signal is extracted, here exemplified by the integer −2 as denoted by 706. The symbols of the data signal are accumulated 73 in an accumulation table 74 in accordance with the series of indices as generated by the index generator. The accumulation table is initially empty. In the situation that the entries of the symbol of the data signal correspond to t2n and t2n+1, the symbol is inserted into the accumulation table 74 at these positions 75, 76. Once the entire accumulation table has been constructed, the accumulation table is correlated 77 with the watermark LUT 53 of the watermark. The correlation result is compared to a threshold value 78 so as to determine 79 whether or not the data signal did in fact contain the watermark in question.
In connection with the Figures the embodiments applying additive watermarking have been illustrated. The present invention may however also be applied in connection with multiplicative watermarking. In this case, addition and subtraction are replaced by multiplication and division.
In embodiments of the present invention different watermarks can be embedded into the same data signal by using different decryption tables on the encrypted signal. In that case, the decryption tables may be based on corresponding, but different, watermark tables. Moreover, these watermark tables may be derived from a common reference table. In one embodiment, the watermark tables are generated by circularly shifting the reference table. In that case, the detection process may be performed by a computation of the correlation between the accumulation table and all different watermark tables, such a correlation computation may in accordance with the present invention be performed in an efficient manner. The efficient computation involves correlating the accumulation table with the reference table. This process may be performed in the frequency domain by determining a correlation vector, C, as:
C=IFFT(FFT(AccumulationTable)*Conj(FFT(ReferenceTable))),
where FFT(.) refers to the fast Fourier transform, IFFT(.) to the inverse fast Fourier transform, and Conj(.) to the conjugate of a complex signal. The resulting correlation vector C corresponds to the correlation values for all possible shifts of the reference table. As a result, correlations with all different watermark tables, which are shifted versions of the reference table, can be performed in a single step, saving processing time as opposed to correlating each watermark table individually with the accumulation table.
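The embedding, accumulation-table detection and circular-shift payload search described above, as an added Python example that is not code from the patent. The table length, signal length, input key, threshold and the SHA-256 counter construction standing in for the OFB stream cipher are assumptions; the shift search is a direct circular correlation, which yields the same vector C as the IFFT/FFT expression.

```python
import hashlib
import random

L_TABLE = 512        # constructed table length; the page suggests far larger tables
N_SYMBOLS = 50_000   # constructed host signal length (two indices per symbol)

def indices(key, count):
    """Stand-in index generator (assumption): SHA-256 over key||counter,
    four bytes per index. The page uses a stream cipher in OFB mode."""
    out, ctr = [], 0
    while len(out) < count:
        block = hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        out += [int.from_bytes(block[i:i + 4], "big") % L_TABLE
                for i in range(0, 32, 4)]
        ctr += 1
    return out[:count]

def shifted(ref, k):
    """Watermark table W_k: the reference table circularly shifted by payload k."""
    return [ref[(i - k) % L_TABLE] for i in range(L_TABLE)]

def apply_table(signal, table, t):
    """Add table[t_2n] + table[t_2n+1] to symbol n. With table=E this is the
    server's encryption; with table=D_k it is the client's decrypt-and-mark."""
    return [c + table[t[2 * n]] + table[t[2 * n + 1]]
            for n, c in enumerate(signal)]

def accumulate(signal, t):
    """Accumulation table A plus hit counts H; the positions depend only on
    the key, so one pass over the signal serves every candidate table."""
    A, H = [0] * L_TABLE, [0] * L_TABLE
    for n, c in enumerate(signal):
        for i in (t[2 * n], t[2 * n + 1]):
            A[i] += c
            H[i] += 1
    return A, H

def detect(signal, ref, t, threshold=0.5):
    """Correlate A with every circular shift of the reference table.
    With D_k = -(E + W_k) the embedded term is -(W_k[t_2n] + W_k[t_2n+1]),
    hence the minus sign. Returns (payload or None, best normalised score)."""
    A, H = accumulate(signal, t)
    best_shift, best_score = None, float("-inf")
    for s in range(L_TABLE):
        W = shifted(ref, s)
        corr = -sum(a * w for a, w in zip(A, W))
        energy = sum(h * w * w for h, w in zip(H, W))  # expected peak height
        if energy and corr / energy > best_score:
            best_shift, best_score = s, corr / energy
    return (best_shift if best_score > threshold else None), best_score

def demo(payload=137):
    # random.Random is used only to make the constructed sample reproducible.
    rng = random.Random(2007)
    E = [rng.randint(-2**15, 2**15) for _ in range(L_TABLE)]   # encryption LUT
    ref = [rng.randint(-3, 3) for _ in range(L_TABLE)]         # reference watermark
    host = [rng.randint(-64, 64) for _ in range(N_SYMBOLS)]    # unmarked symbols
    t = indices(b"constructed-input-key", 2 * N_SYMBOLS)
    Wk = shifted(ref, payload)
    Dk = [-(e + w) for e, w in zip(E, Wk)]       # D_k = -(E + W_k)
    cipher = apply_table(host, E, t)             # server: encrypt
    marked = apply_table(cipher, Dk, t)          # client: decrypt and embed
    return host, marked, Wk, ref, t

if __name__ == "__main__":
    host, marked, Wk, ref, t = demo()
    print("marked copy  :", detect(marked, ref, t))
    print("unmarked copy:", detect(host, ref, t))
```

The detector never touches the unmarked host or the encryption table: it needs only the input key and the reference watermark table, and the recovered shift identifies which decryption table produced the copy.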
In other embodiments it may be necessary to correlate the data signal with the series of watermarks, and possibly it may even be necessary to correlate the data signal with a number of reference watermarks, each reference watermark being represented by a series of watermark samples. In the Figures only the situation of a single instance of a watermark possibly being, or being based on, a reference watermark is illustrated; it is however to be understood that the illustrated embodiments may be generalized to embed and detect watermarks based on a reference watermark.
In preferred embodiments of the invention, the watermarking method and apparatus also comprise perceptual masking. Perceptual masking refers to local and/or global adjustments to the watermark strength in accordance with the human audio-visual perception. Exploiting the human perception characteristics renders it possible to embed a stronger watermark signal to the digital content, thus improving the robustness against malicious attacks, without any adverse effects on the perceptual quality of the watermarked digital object. The process of perceptual masking typically involves applying a perceptual mask filter h(.) to the watermark w. The mask is preferably computed from the digital content in advance of the actual watermark embedding process. If such advance computing is not possible or feasible, a generic mask filter may be used.
In the watermarking method according to the invention, the mask filter h(.) cannot be applied to the watermark wk, because the watermark as such is not accessible. Instead, the filter h(.) is applied to the encryption key (i.e. the sequence of entries of encryption table 23 as added by adder 200 in
Using the notation E(t) for the encryption key, the encrypted digital object, e(x), can be written as:
e(x)=x+h(E(t))
The decryption key Dk(t) differs from E(t) by the client-specific watermark wk:
$D_k(t) = E(t) - w_k$
The watermarked signal is obtained by decryption of e(x) using Dk(t):
$x_w = e(x) - h(D_k(t))$
Using the required linear property of the perceptual mask filter, this yields:
$x_w = (x + h(E(t))) - (h(E(t)) - h(w_k)) = x + h(w_k)$
In summary, the invention relates to embedding a spread spectrum watermark in a data signal as well as to detection of the embedded watermark. A data signal is encrypted or received in the form of an encrypted data signal, the signal being encrypted by modifying it in accordance with one or more entries of a look-up-table in which an encryption table is stored. The encryption is carried out by a first computing device such as a server device. The watermark is actually embedded while decrypting the signal. This takes place in a second computing device, possibly in a client device, in a similar manner. The client device employs a decryption table, which is a modified (i.e. watermarked) version of the encryption table. The decryption table may be generated by the server and securely communicated to the client. The data signal is decrypted in accordance with entries of a look-up-table. The look-up-tables in server and client are addressed by the same sequence of pointers generated by respective index generators. The mismatch between encryption table and decryption table causes the decrypted signal to have an embedded watermark.
The invention can be implemented in any suitable form including hardware, software, firmware or any combination of these. The invention or some features of the invention can be implemented as computer software running on one or more data processors and/or digital signal processors. The elements and components of an embodiment of the invention may be physically, functionally and logically implemented in any suitable way. Indeed, the functionality may be implemented in a single unit, in a plurality of units or as part of other functional units. As such, the invention may be implemented in a single unit, or may be physically and functionally distributed between different units and processors.
Although the present invention has been described in connection with the specified embodiments, it is not intended to be limited to the specific form set forth herein. Rather, the scope of the present invention is limited only by the accompanying claims. In the claims, the term “comprising” does not exclude the presence of other elements or steps. Additionally, although individual features may be included in different claims, these may possibly be advantageously combined, and the inclusion in different claims does not imply that a combination of features is not feasible and/or advantageous. In addition, singular references do not exclude a plurality. Thus, references to “a”, “an”, “first”, “second” etc. do not preclude a plurality. Furthermore, reference signs in the claims shall not be construed as limiting the scope.
| Number | Date | Country | Kind |
|---|---|---|---|
| 06112166.1 | Apr 2006 | EP | regional |

| Filing Document | Filing Date | Country | Kind | 371c Date |
|---|---|---|---|---|
| PCT/IB2007/051107 | 3/29/2007 | WO | 00 | 10/1/2008 |