Robust Signature-Based Copyright Protection Scheme Using the Most Significant Gray-Scale Bits of the Image

The most significant bit (MSB) plane of an image is the least likely to be changed by most signal processing operations. This paper presents a novel multibit logo-based signature, using the most significant gray-scale bits, which is then used to develop an extremely simple but robust copyright protection scheme, where images along with their signatures are sent to a trusted third party when a dispute arises. Different ways of processing the MSB-plane before calculating the robust signature have been developed. This paper then presents an innovative classifier-based technique to test the robustness and uniqueness of any signature-based scheme. A new MSB-based attack, which would defeat our scheme most, has also been proposed. Experimental results have clearly demonstrated the superiority of the proposed scheme, showing the high robustness of different MSB-based signatures over the existing signature-based schemes.


Introduction
For the last few years, we have been using electronic commerce that includes online and offline distribution of multimedia data like images, audios, and videos. However, digital multimedia files can be easily manipulated using commercial graphics tools. Duplicating digital files has become as simple as clicking a button. Since maintaining an exact or manipulated duplicate of any digital data is easier than before, the enforcement of copyright protection has become more imperative than ever. Although copyright laws are being applied against abusers in order to ensure secure electronic commerce, the current problems with copyright protection obstruct the rapid evolution of computer and communication networks. As a result, the enhancement and further development of digital copyright protection is central to the development of future communication networks [1]. There may be three types of solutions to the copyright protection problem: cryptographic tools, digital watermarking techniques, and digital signature-based techniques.
Cryptographic tools [2] can be used to encrypt a multimedia file using some secret key. The encrypted file is no longer perceptually understandable and can be distributed to the users. Only the appropriate user that holds the secret key can decrypt and use this file. Such a technique, while suitable for text documents, is not suitable for multimedia data for the following two reasons. First, multimedia file size is much larger than that of text. Therefore, encrypting or decrypting a multimedia file is highly time consuming. Second, the encrypted media file is not useful in the public domain, for example, on the Internet, because the encrypted file is not perceptually understandable and, if the encrypted information is decrypted once, the information is no longer protected. However, the multimedia file provides an opportunity that the text document does not. That is, while no distortion is allowed in the signed text, some distortions are allowed in the signed multimedia file as long as it is perceptually similar to the original file.
Digital watermarking techniques take the opportunity of the abovementioned property of the media file. They embed a watermark such as logos, seals, or sequence numbers, into the original image. The embedded watermark should survive against both malicious and nonmalicious attacks depending on the applications. Later, the embedded information is extracted from or detected in the watermarked image in order to verify the ownership [3-11].
Any watermarking technique should satisfy a number of essential properties [1, 5, 6]. However, many of the existing techniques do not satisfy some of the properties and, therefore, may not be applicable to build a proper copyright protection system [1, 8, 9]. They always distort the original image, which might not be acceptable in some applications like medical imagery, law enforcement, and astrophysics research [7]. The amount of distortion increases with the embedding strength, although a higher strength increases the chance of survival of the watermark under different signal processing attacks. Some attacks like geometric distortions, collusion, and copy (averaging) attacks still challenge the robustness property. The watermark can also be removed using denoising [9]. Multiple watermarking (buyer's and seller's watermarks) in a single media is also problematic, since a previously embedded watermark cannot be guaranteed to survive after the embedding of the next watermark. Public verification of watermarking is another unsolved problem.
Digital signature-based copyright protection schemes [1, 12-15] combine the advantages of both digital watermarking and cryptographic solutions. This technique, in general, calculates a digital signature using a logo and the extracted features from the original image (see Figure 1). The signature may then be protected using cryptography and certified by a trusted third party (TTP). Later, the signature is used to retrieve the logo from the test image. The retrieved logo is compared with the original logo using some similarity measurement function and a decision is made based on a threshold.
The reason for using a logo as a watermark [16] or to calculate a signature [1, 12-15] is that it is a true representative of a company, an owner, or a customer. In the verification phase, in addition to a "yes" or "no" answer based on the threshold, logo-based copyright protection schemes also allow perceptual recognition of the logo. Watermarking techniques embedding logos [16] mainly embed small binary logos and are unable to use large multibit (e.g., gray-scale) logos due to limited embedding capacity. However, large multibit logos are more practical and offer greater security than small binary logos. In contrast, signature-based schemes may calculate a signature using any type (e.g., binary, gray-scale) and size of logos. There are also other signature-based schemes [17, 18], which do not use logos.
There are many advantages of signature-based schemes over watermarking techniques. They cause no visual quality degradation to images as they do not embed any information. They offer cryptographic security and can sign logos of any size. They resolve multiple ownership claims by adding a timestamp to the signature. They can use both buyer and seller logos while calculating the signature, thus providing practical usefulness of the copyright protection system in the network world. They can use any multibit logos that offer greater opportunity to survive than binary logos. In addition, they allow public verification when the signature is generated using public key cryptographic infrastructure.
Katzenbeisser [19] argued that watermarking alone is not sufficient to resolve rightful ownership of digital data; therefore, a protocol relying on the existing cryptographic tools is necessary. Macq et al. [20] mentioned that watermarking along with registration authorities and transaction certifications are essential for digital right management of Internet distributed images. The signature-based schemes along with cryptographic tools can be considered as complementary to the watermarking techniques to design a proper digital right management system.
In this paper, we propose a computationally inexpensive signature-based gray-scale image copyright protection scheme intuitively using the most significant bit (MSB) plane (MSB-based scheme), which is least likely to be changed by any image processing operation. The MSB-plane of an image can be chosen in different ways before calculating the signature using the bit-planes of the logo: (i) directly choosing the MSB-plane at a region-of-interest (ROI), (ii) choosing the MSB-planes of textured blocks, (iii) choosing the MSBs of DC coefficients of the MSB-plane, and (iv) choosing the MSB-plane after t-scale wavelet decomposition. Besides being image size invariant, the proposed scheme can be used with any n-bit logo. In order to prove the robustness and the uniqueness of this scheme, we also present a novel idea of finding a classifier to separate logo retrieval instances of attacked images with the original signature against all other possible alternatives. To avoid any bias, we further propose a new MSB-based attack, which would defeat our scheme most. We then present a comprehensive TTP management policy that uses classifier-based thresholds in order to minimize false alarms. Experimental results not only reveal very high logo retrieval rate and visual quality of the retrieved logos by the proposed scheme against those by the existing schemes [12, 13] that also use multibit logos but also show the weakness of the latter as they fail to produce any classifier as discussed above. Note that the proposed signature-based scheme along with some preliminary results was published in [21].
The rest of the paper is organized as follows: Section 2 presents the previous signature-based schemes using logos; Section 3 describes why we have chosen MSB bit-plane for the proposed scheme; Section 4 presents the proposed scheme; Section 5 presents the experimental results and then compares the proposed scheme with the existing schemes; finally Section 6 concludes the paper with future research directions.

Previous Works
Lee and Chen [13] calculated the signature of an image with a gray-scale logo using vector quantization (VQ) on the coarse scale of the image obtained by a t-scale wavelet transform. The scheme is publicly verifiable and robust to a wide variety of attacks. However, it is weak to high lossy compression and geometric distortions. the original image size is small as demanded by the WWW. Chen et al. [1] later extended this idea for binary logos by replacing VQ with a polarity table. However, uniqueness of the signature, where it should verify the corresponding image only, may not be guaranteed with binary logos.
Chang et al. [14] calculated a signature with a gray-scale logo using torus automorphism functions. To survive cropping attacks, the idea of using a rectangular region-of-interest (ROI) in the image was introduced in [12]. This technique can be used for cartoon graphics and survives repainting. Nevertheless, it still cannot survive high lossy compression and geometric distortions. It also cannot calculate a signature if the type of the logo and the image is different, for example, binary logo and gray-scale image.
The scheme in [15] used a visual secret sharing technique to calculate a signature using binary logos. It offers cryptographic security and allows generating a meaningful share. It also allows multiple owners to share the same image. However, robustness depends on the sorting algorithm; that is, if the image is modified moderately, the sorting algorithm may result in a different share. Consequently, it cannot survive high JPEG compression and small geometric distortions.
All the above existing schemes have very high time complexity. The time complexity increases with the image size, due to the use of VQ encoding [13], torus automorphism [12, 14], permutation [1], or visual cryptography [15]. Some of the above schemes [1, 13] incorporate a digital signature including a timestamp with the published image, allowing public verification. Nonetheless, they increase the file size and the risk of losing copyright if the signature is removed from the header accidentally or intentionally.

Why the Most Significant Bit?
The MSBs are least likely to be changed by any image processing operation, for example, JPEG compression, filtering, and so forth. However, watermarking techniques cannot embed the watermark in the MSB-plane of an image, because changes to MSBs introduce more noticeable distortions. In the following experiments, we observed that the robustness of the MSB-based digital signature would be very high.
We conducted experiments on a large database of 1032 images [22], including the benchmark ones [23]. In each case, we measured the MSB similarity rate, which means the percentage of MSBs that remain unchanged under the attack. Figure 2(a) shows that on average more than 91% of the gray-scale MSBs remained the same even when JPEG quality was set at the minimum, while more than 88% of the MSBs remained unchanged if the image is rotated by no more than ±5°. We further observed that under median filter, histogram equalization, salt and pepper noise, and Gaussian noise attacks on average more than 97%, 80%, 97%, and 90% of MSBs, respectively, remained unchanged, as shown in Table 1. In addition, we also tested the MSB similarity rate in the following four cases: (i) the MSB-plane at an ROI, (ii) the MSB-planes of textured blocks, (iii) the MSBs of DC coefficients of the MSB-plane, and (iv) the MSB-plane after 4-scale wavelet decomposition. Table 1 shows that histogram equalization and rotation attacks changed more MSBs than filtering and noising attacks. In StirMark attacks [24] like small random distortions, the first three cases kept more than 80% of MSBs unchanged and the 4-level wavelet decomposition case is the most sensitive to these attacks. We will discuss how the MSBs were extracted in these four cases in Section 4.1.
[Figure caption fragment: ... [27] is d = 30.2 and cluster 1 and cluster 2 are positive and negative clusters, respectively, by K-means clustering algorithm [28]. Attack numbers 0-9 are referred using Table 3.]
[Figure caption fragment: ... [27] is d = 31.5 and cluster 1 and cluster 2 are positive and negative clusters, respectively, by K-means clustering algorithm [28]. Attack numbers 0-9 are referred using Table 3.]
In order to avoid any bias, we now propose a new attack, namely, the MSB attack, where for a given target image quality, in peak-signal-to-noise ratio (PSNR), the maximum number of gray-scale MSBs are changed. We sort the pixels in an array in the ascending order according to their differences with the mid-gray value. Then, the MSB of the pixel with the lowest difference is flipped first and the entry for that pixel in the sorted list is taken out. This operation is continued until a certain PSNR is obtained. Figure 2(b) shows that on average more than 80% of the MSBs, with no more than 10% standard deviation, remained unchanged at 30 dB target PSNR, below which the visual quality of the image is unacceptable to the human eyes [13].
Advances in Multimedia
[Figure caption fragment: Note that the distance between support vectors by SVM [27] is d = 31.3 and cluster 1 and cluster 2 are positive and negative clusters, respectively, by K-means clustering algorithm [28]. Attack numbers 0-9 are referred using Table 3.]
[Figure caption fragment: Note that the distance between support vectors by SVM [27] is d = 25.1 and cluster 1 and cluster 2 are positive and negative clusters, respectively, by K-means clustering algorithm [28]. Attack numbers 0-9 are referred using Table 3.]

Figure 10: SVM classification and K-means clustering results by the existing TROI-based scheme [12]. Note that the distance between support vectors by SVM [27] is d = 5.1 and cluster 1 and cluster 2 are positive and negative clusters, respectively, by K-means clustering algorithm [28]. Attack numbers 0-9 are referred using Table 3.
[Figure caption fragment: ... [13]. Note that the distance between support vectors by SVM [27] is D = 9.2 and cluster 1 and cluster 2 are positive and negative clusters, respectively, by K-means clustering algorithm [28]. Attack numbers 0-9 are referred using Table 3.]
same at 35 dB target PSNR, and among these cases 4-level DWT decomposition left most of the MSBs unchanged.
From Figure 2 and Table 1, it is observed that even when the images are distorted to a limit where the PSNR becomes as low as 15 dB to 30 dB, the majority of the MSBs still remain the same. This is because in signal processing attacks (JPEG, filtering, etc.), image pixels do not change their locations and thus the majority of the MSBs do not change. On the other hand, in geometric attacks (rotation, scaling, etc.) image pixels change their locations and thus the MSB similarity rate drops even for a small change in rotation angle. In the case of high geometric distortions, it is possible to estimate the transformation parameters first [25] and then to reverse the transformation before using the MSBs for signature calculation.

Proposed Scheme
The proposed MSB-based scheme first selects a set of MSBs from the image and then calculates the digital signature of an image for a logo. The signature is certified by the TTP. When a dispute arises between two images of two parties, both parties send their certified signatures and images along with their corresponding parameters to the TTP to judge.

Selecting the MSBs.
The MSBs can be selected in different ways. In this section, we discuss four of them.
Consider an n-bit gray-scale image $I = \{i_b(x, y)\}$ of size $w_I \times h_I$ pixels where $1 \le x \le w_I$, $1 \le y \le h_I$, and $1 \le b \le n$. Similarly, consider an n-bit gray-scale logo $L = \{l_b(x, y)\}$ of size $w_L \times h_L$. Depending on the different ways of pre-processing the MSB-plane of the image, the MSB-based scheme may be named as different approaches.
(i) UROI. The MSB-plane at an ROI of the image is chosen directly. Notice that an ROI can be user defined and can be located using reference points, for example, corners [26].
(ii) TBLK. The MSB-planes of textured blocks at the ROI are chosen. We select 8 × 8 textured blocks from the image using the technique presented in [7]. The MSB-planes of the selected textured blocks are accumulated as a single MSB-plane, where textured blocks are first taken row-wise and then column-wise.
(iii) DCTMSB. We can choose the MSBs of DC coefficients of the MSB-plane. We divide the MSB-plane into 8 × 8 blocks before taking DCT. Then we take the MSB of DCT coefficients in original space order (without sorting them).
(iv) t-DWT. The MSB-plane of $LL_t$ after t-scale wavelet decomposition of the original image is chosen.

Signature Calculation.
Let $M_I = \{m_j\}$, where $1 \le j \le z$, be the collective set of MSBs selected from $I$ using one of the above approaches. Without any loss of generality, it is assumed that
The signature $S_I$ of $I$ for $L$ with $M_I$ is thus calculated as
If the generality assumption in (1) cannot be met, the $m_j$'s could be reused iteratively once exhausted. Moreover, any color image can be signed using its gray-scale equivalent with even a colored logo after stripping it into three gray-scale channels. Once the signature is calculated, the owner sends the following message, in the form of a triplet, to the TTP using public key cryptography:
where $E_{T,PUB}$ and $E_{O,PRV}$ are the public and private key encryptions of the TTP and the owner, respectively, and $A_I$ contains information about the MSB selection approach. On receiving the above message from the owner $O$ at time $TS$, the message is first decrypted to receive the signature triplet as follows:
[I, S_I,
where $D_{O,PUB}$ and $D_{T,PRV}$ are the public and private key decryptions of the owner and the TTP, respectively. The TTP verifies $S_I$ for $I$ using $A_I$, appends timestamp $TS$, and sends back the following message to the owner:
where $E_{O,PUB}$ and $E_{T,PRV}$ are the public and private key encryptions of the owner and the TTP, respectively. The owner decrypts the above message with his private key as
where $D_{O,PRV}$ is the private key decryption of the owner. We name $S^c_I$ as the certified signature for the image $I$.

Signature Verification.
When a dispute arises for two images $I_i$ and $I_j$ between two persons $P_1$ and $P_2$, they send the following messages claiming the ownership to the TTP:
where $E_{P_1,PRV}$ and $E_{P_2,PRV}$ are the private key encryptions of $P_1$ and $P_2$, respectively. The TTP decrypts the above messages as
where $D_{P_1,PUB}$ and $D_{P_2,PUB}$ are the public key decryptions of $P_1$ and $P_2$, respectively. The TTP then decrypts the certified signatures $S^c_{I_i}$ and $S^c_{I_j}$ with its public key; this ensures the certificates have been issued by the TTP and the timestamps have not been changed after their generation:
The TTP recalculates the signatures $S_{I_i}$ and $S_{I_j}$ and compares them with the existing ones. This check ensures that encrypted signatures $S^c_{I_i}$ and $S^c_{I_j}$ have been generated for images $I_i$ and $I_j$, respectively.

Finding Disputable Images.
Let $L = S^{-1}(I, S_I, A_I)$ denote the logo retrieval operation using the inverse process in (2) (see Figure 1(b)). The TTP has to confirm whether images $I_i$ and $I_j$ are disputable before taking a final decision based on the timestamps $TS_i$ and $TS_j$. Two images are disputable if they are the same image or one is an attacked version of another. To do that the TTP executes the following two test cases:
where the logo retrieved from $I_i$ using signature and feature of $I_j$ is compared against the logo of $P_2$, and vice versa.
If the logo retrieval rate (LRR), which is the percentage of unchanged bits, and the PSNR (with respect to original logos $L_1$ and $L_2$) of the above two test cases $TC_1$ and $TC_2$ are above certain identification thresholds $(Th_{LRR}, Th_{PSNR})$, then the images are considered as disputable.

Verification.
If $I_i$ and $I_j$ are proved to be disputable, then the TTP compares timestamps $TS_i$ and $TS_j$. The image is authenticated for $P_1$ if $TS_i < TS_j$ or for $P_2$ if $TS_j < TS_i$.
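The disputable-image test and timestamp decision described above, as an added example that is not code from the paper. It assumes the UROI selection over the whole image and that the signature combines each logo bit with an MSB by XOR (the signature equation itself is not reproduced on this page); the images, logos, timestamps and thresholds are constructed values, and the encryption and TTP certification steps are left out.

```python
import math

def msb_plane(pixels):
    """UROI-style selection: the MSB of every 8-bit pixel, in scan order."""
    return [p >> 7 for p in pixels]

def logo_to_bits(logo, n=8):
    """Bit-planes of an n-bit logo, most significant plane first."""
    return [(v >> (n - 1 - plane)) & 1 for plane in range(n) for v in logo]

def bits_to_logo(bits, size, n=8):
    """Inverse of logo_to_bits for a logo of `size` pixels."""
    logo = [0] * size
    for k, bit in enumerate(bits):
        plane, idx = divmod(k, size)
        logo[idx] |= bit << (n - 1 - plane)
    return logo

def sign(image, logo, n=8):
    """ASSUMPTION: signature bit = logo bit XOR selected MSB. MSBs are reused
    cyclically if the logo has more bits than the image has MSBs."""
    m = msb_plane(image)
    return [bit ^ m[j % len(m)] for j, bit in enumerate(logo_to_bits(logo, n))]

def retrieve(image, signature, n=8):
    """Logo retrieval S^-1: XOR the signature with the test image's MSBs."""
    m = msb_plane(image)
    bits = [s ^ m[j % len(m)] for j, s in enumerate(signature)]
    return bits_to_logo(bits, len(signature) // n, n)

def lrr(a, b, n=8):
    """Logo retrieval rate: percentage of logo bits that are unchanged."""
    wrong = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return 100.0 * (n * len(a) - wrong) / (n * len(a))

def psnr(a, b, peak=255):
    """PSNR in dB of logo a with respect to logo b."""
    mse = sum((x - y) ** 2 for x, y in zip(a, b)) / len(a)
    return math.inf if mse == 0 else 10 * math.log10(peak ** 2 / mse)

def disputable(claim_i, claim_j, th_lrr, th_psnr):
    """Both cross-retrieval test cases must exceed both thresholds."""
    # Reference logos come from each party's own image and signature.
    logo_1 = retrieve(claim_i["image"], claim_i["signature"])
    logo_2 = retrieve(claim_j["image"], claim_j["signature"])
    tc1 = retrieve(claim_i["image"], claim_j["signature"])  # against logo of P2
    tc2 = retrieve(claim_j["image"], claim_i["signature"])  # against logo of P1
    return all(lrr(got, ref) > th_lrr and psnr(got, ref) > th_psnr
               for got, ref in ((tc1, logo_2), (tc2, logo_1)))

def resolve_dispute(claim_i, claim_j, th_lrr, th_psnr):
    """Return 'P1' or 'P2' (earlier timestamp wins), or None when the images
    are not disputable or the timestamps do not order the claims."""
    if not disputable(claim_i, claim_j, th_lrr, th_psnr):
        return None
    if claim_i["ts"] == claim_j["ts"]:
        return None
    return "P1" if claim_i["ts"] < claim_j["ts"] else "P2"

def make_claim(image, logo, ts):
    return {"image": image, "signature": sign(image, logo), "ts": ts}

# Constructed data: 32 x 32 images and 8 x 8 8-bit logos (not real pictures).
IMAGE = [(37 * k) % 256 for k in range(32 * 32)]
ATTACKED = [min(255, p + 4) for p in IMAGE]        # brightness shift, clipped
UNRELATED = [k % 256 for k in range(32 * 32)]      # a different image
LOGO_1 = [(29 * k + 3) % 256 for k in range(64)]
LOGO_2 = [(53 * k + 200) % 256 for k in range(64)]
TH_LRR, TH_PSNR = 90.0, 20.0                       # constructed thresholds

OWNER = make_claim(IMAGE, LOGO_1, ts=100)
PIRATE = make_claim(ATTACKED, LOGO_2, ts=200)      # signs an attacked copy later
STRANGER = make_claim(UNRELATED, LOGO_2, ts=50)    # earlier, but another image

if __name__ == "__main__":
    print("LRR from attacked copy:",
          lrr(retrieve(ATTACKED, OWNER["signature"]), LOGO_1))
    print("owner vs pirate  :", resolve_dispute(OWNER, PIRATE, TH_LRR, TH_PSNR))
    print("owner vs stranger:", resolve_dispute(OWNER, STRANGER, TH_LRR, TH_PSNR))
```

Under the XOR assumption every changed MSB turns into exactly one wrong logo bit, so the LRR of a retrieved logo equals the MSB similarity rate over the MSBs the signature used. An earlier timestamp alone decides nothing: the stranger's claim is rejected at the disputability test.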

Estimating Identification Thresholds.
To avoid the risk of error due to arbitrary selection of identification thresholds $(Th_{LRR}, Th_{PSNR})$, we propose the following innovative classifier-based threshold estimation technique, which can also be used to test the robustness and uniqueness of any signature-based scheme. The lower the value of $(Th_{LRR}, Th_{PSNR})$, the less robust the scheme is. Let $TD = \{[I_i, S_{I_i}, A_{I_i}]\}$ be a large image training database and let $B_i = \{I_i(j)\}$ be a set of attacked images from $I_i$ for all $i$. Let
$$TC_{a,b,c,d,j} = \left[ S^{-1}\big(I_a(j), S_{I_b}, A_{I_c}\big) \;\middle|\; S^{-1}\big(I_d, S_{I_d}, A_{I_d}\big) \right] \qquad (11)$$
be a test case where the logo retrieved from the $j$th attacked image of $I_a$ using the signature of $I_b$ and the feature of $I_c$ is compared against the logo used to sign $I_d$, $1 \le a, b, c, d \le |TD|$, and $1 \le j \le |B_a|$. Let the positive ($C^+$) and negative ($C^-$) classes be defined as
$$C^+ = \{\forall a, \forall j : TC_{a,a,a,a,j}\}, \qquad C^- = \{\forall a, \forall b, \forall c, \forall d, \forall j : TC_{a,b,c,d,j}\} - C^+. \qquad (12)$$
Note that the LRR and PSNR of all the test cases in $C^+$ should ideally be significantly higher than those in $C^-$. Any efficient classifier can now be used to separate the positive and negative classes based on the LRR and PSNR of all the test cases and the values of $(Th_{LRR}, Th_{PSNR})$ can then be estimated synergistically from this classifier.

Robustness and Uniqueness Tests.
The identification thresholds $(Th_{LRR}, Th_{PSNR})$ defined in the previous section are useful for determining the robustness and uniqueness properties of a scheme. A scheme is not robust to a particular attack if the logo retrieved from the corresponding attacked image offers low PSNR and LRR with respect to $(Th_{LRR}, Th_{PSNR})$. In that case, the corresponding (PSNR, LRR) entry in $C^+$ causes a false negative alarm by the classifier. We need to consider all the test cases of $C^+$, as defined by (12), in robustness tests. On the other hand, a scheme fails the uniqueness test for a particular attack if the signature calculated from image $I_d$ verifies the corresponding attacked version of a different image $I_a$. In that case, the corresponding (PSNR, LRR) entry in $C^-$, as defined by (12), is high with respect to $(Th_{LRR}, Th_{PSNR})$ and causes a false-positive alarm by the classifier. Therefore, we need to consider only the following test cases of the class $C^-$ in uniqueness tests:

Performance Study
We implemented the proposed MSB-based scheme and existing TROI-based [12] and VQ-based [13] schemes with MATLAB 7 and tested their robustness using all the watermarking benchmark images in [23] with different logos against many attacks including those in StirMark 4.0 [24]. However, as we found almost the same performance for each pair of a benchmark image and a logo, only results obtained using "Lena" and "Elaine" images signed by Monash and NUS logos, respectively (shown in Figure 3), are presented. Where necessary, the attacked images were resized to original. In fact, a corner matching technique can be used to undo the geometric transformations before verifying the copyright information [26]. We used the following two metrics to evaluate the performance: (i) PSNR determines the visual quality of the attacked media or retrieved logo with respect to its original copy; (ii) LRR determines the percentage of bits that are correctly retrieved from the given image using the given signature.
In Section 5.1, we present the different types of attacks we considered in our experiments. Section 5.2 presents the detailed classifier setup for the different signature-based schemes. Section 5.3 presents the experimental results and discussions. Finally, Section 5.4 provides a detailed discussion of the overall performance of different signature-based schemes.

Attacks.
All the attacks we tested to prove the efficacy of the proposed schemes are in Table 2. Below, we describe some attacks that require detailed discussion. If not mentioned, the attack was done using MATLAB 7.

BPM Attack.
In the blind pattern matching (BPM) attack, we divided the Lena image into 4 × 4 nonoverlapping blocks. For each block, the most similar 4 × 4 block was found from the Elaine image at 25 dB. The block with PSNR greater than or equal to 25 dB was considered as a similar one. A total of 15736 blocks were replaced when the attacked image PSNR became 22.94 dB. In the same way, when we attacked the Elaine image using the Lena image, we replaced a total of 16371 blocks and the attacked image PSNR was 21.99 dB.

Print-Copy-Scan.
We printed each image using a 1200 dpi laser printer. The printed image was then photocopied and scanned using a 300 dpi and 8-bit gray-scale scanner. Finally, it was resized to 512 × 512. The PSNR of Lena image after print-copy-scan attack was 11.63 dB and that of Elaine image was 19.56 dB.

MSB Attack.
We attacked each image by flipping its MSB-plane. Maximum MSBs were changed at a particular PSNR. First, we found the absolute difference of each pixel to flip its MSB. Second, we sorted the absolute differences in the ascending order. Finally, we flipped the MSB of the pixel with the lowest absolute difference first. We continued flipping until the PSNR decreased beyond a particular value. Since this attack changes the maximum number of MSBs for a given target PSNR, the proposed MSB-based scheme should suffer the most. However, we observed that most images cannot be degraded to less than 20 dB even if all of their MSBs were flipped. After the MSB attack at 30 dB the MSB similarity rate for Lena image was 73% and for Elaine image was 70%.
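The MSB attack described here and in the section on why the MSB is used, written as a robustness-test routine that reports the MSB similarity rate a signature would face at a given target PSNR. This is an added example, not the authors' MATLAB code; it assumes that flipping an MSB moves the pixel just across the 127/128 boundary (the smallest change that flips the bit, which is what sorting by distance to mid-gray suggests), and the test image is constructed.

```python
import math

def flip_cost(p):
    """Smallest gray-level change that flips the MSB of an 8-bit pixel.
    ASSUMPTION: a flipped pixel is moved just across the 127/128 boundary."""
    return p - 127 if p >= 128 else 128 - p

def psnr_from_sse(sse, n, peak=255):
    """PSNR in dB from a sum of squared errors over n pixels."""
    return math.inf if sse == 0 else 10 * math.log10(peak * peak * n / sse)

def msb_attack(pixels, target_psnr):
    """Flip as many MSBs as possible while the PSNR stays >= target_psnr.
    Returns (attacked_pixels, achieved_psnr)."""
    n = len(pixels)
    # Pixels closest to mid-gray are the cheapest to flip, so they go first.
    order = sorted(range(n), key=lambda i: flip_cost(pixels[i]))
    attacked, sse = list(pixels), 0
    for i in order:
        cost = flip_cost(pixels[i])
        if psnr_from_sse(sse + cost * cost, n) < target_psnr:
            break  # every remaining pixel costs at least as much
        attacked[i] = 127 if pixels[i] >= 128 else 128
        sse += cost * cost
    return attacked, psnr_from_sse(sse, n)

def msb_similarity(original, attacked):
    """MSB similarity rate: percentage of pixels whose MSB is unchanged."""
    same = sum((a >> 7) == (b >> 7) for a, b in zip(original, attacked))
    return 100.0 * same / len(original)

def similarity_curve(pixels, targets):
    """MSB similarity rate after the attack, for each target PSNR in dB."""
    return {t: msb_similarity(pixels, msb_attack(pixels, t)[0]) for t in targets}

# Constructed 64 x 64 test image with a uniform gray-level histogram.
IMAGE = [(37 * k) % 256 for k in range(64 * 64)]

if __name__ == "__main__":
    for target, rate in similarity_curve(IMAGE, (40, 35, 30, 25, 20)).items():
        print(f"target {target} dB -> {rate:.2f}% of MSBs unchanged")
```

A uniform histogram puts many pixels near mid-gray, so this constructed image loses MSBs quickly; images with few mid-gray pixels keep a higher similarity rate at the same target PSNR.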

unZign Attack.
The image was divided into 8 × 8 blocks. A pixel was selected randomly from each block and was either deleted or repeated randomly. All blocks were then put back in their original positions. The PSNR of Lena image after unZign attack was 29.08 dB and that of Elaine image was 29.79 dB.

Self-Similarities.
This attack was done by StirMark 4.0 in RGB space of the image. The image was then converted to its gray-scale equivalent. The PSNR of Lena image after this attack was 26.04 dB and that of Elaine image was 25.48 dB.

Classifiers.
In order to design classifiers for the different approaches, that is, UROI, TBLK, DCTMSB, and t-DWT, of the proposed MSB-based and existing TROI-based [12] and VQ-based [13] schemes, we used 10 different types of attacked images as shown in Table 3. We assigned numbers to the attacks for later references. The image Lena was signed using Monash logo and the image Elaine was signed with NUS logo. Then, different attacked images of Lena and Elaine were sent after signing with different logos with different or same $A_I$ for verification. For UROI approach and TROI-based scheme, $A_I$ indicates the same or different ROIs; while for t-DWT approach and VQ-based scheme, $A_I$ indicates the same or different decomposition levels; and for TBLK approach, $A_I$ indicates the same or a different set of textured blocks. We had a total of 8 different types of data points with two pairs of images and logos (Lena-Monash and Elaine-NUS). Therefore, a maximum of 160 logo retrieval instances (20 in $C^+$ and 140 in $C^-$) were used while designing each classifier. However, in the case of DCTMSB approach, there were a total of 80 instances (20 in $C^+$ and 60 in $C^-$), since for the same type and size (8-bit, 64 × 64) of logo, the image was divided into blocks of the same size (4 × 2) before taking DCT, assuming the image size (512 × 512) also remained the same. On the other hand, for VQ-based scheme, there were a total of 120 instances (20 in $C^+$ and 100 in $C^-$), since with different decomposition levels t, logo retrieval operation was not possible from a smaller codebook (due to larger t) using the indices set containing higher indices values, while it was possible from a bigger codebook (due to smaller t) using the indices set containing lower indices values. We used support vector machines (SVMs) with linear kernel [27] and K-means clustering [28] separately for classification. Results by both SVM classification and K-means clustering are useful for the determination of the robustness and the uniqueness properties of the proposed and existing schemes. SVM results, especially, made it possible to find the values for identification thresholds $(Th_{LRR}, Th_{PSNR})$, defined in Section 4.3. The higher the accuracy of the classification and the larger the distance d between the support vectors of the SVM for a scheme, the more robust the scheme is (i.e., the two classes are well separated).
Table 4: Attacked images along with their corresponding retrieved logos using Lena image and Monash logo by different approaches of the proposed MSB-based scheme and existing TROI-based [12] and VQ-based [13]
In the robustness test, the distance from a data point in $C^+$ (corresponding to an attack) to the SVM decision hyperplane is used to decide different levels of robustness (high, medium, low, and no). For example, if the data point is correctly classified and resides outside the nearest support vector (i.e., far away from the decision plane), then the robustness against the corresponding attack is high. If the data point is correctly classified but stays in the space between the nearest support vector and the decision plane, then the robustness against the corresponding attack is medium (when close to the support vector) or low (when close to the decision plane). If the data point is on the other side of the hyperplane (misclassified), then the copyright scheme is not robust to the corresponding attack. In the uniqueness test, if a data point in $C^-$ (corresponding to an attack) is incorrectly classified then the scheme does not possess the uniqueness property under this attack.

Experimental Results.
We will present the experimental results in two parts. In Section 5.3.1, we present the robustness of the proposed and existing schemes in terms of PSNR and LRR under different attacks. In Section 5.3.2, we present the classifiers from which we can evaluate overall robustness and uniqueness of the respective signature-based schemes.

Robustness Results.
In this section, we first present and discuss robustness results of the proposed and existing schemes under different attacks.We then detail the results for two attacks-JPEG which is the most common unintentional attack and newly proposed MSB attack which would defeat our scheme the most.Table 2 shows the logo retrieval results using Lena image and Monash logo by different approaches of the MSB-based scheme and existing TROI-based [12] and VQ-based [13] schemes.Table 4 shows the attacked images along with their corresponding retrieved logos using Lena image and Monash logo.Table 5 and Table 6 present the same, respectively, using Elaine image and NUS logo.
We observed that all the approaches of the proposed scheme performed almost the same, except the t-DWT approach, which was sensitive to geometric distortions. In contrast, both the TROI-based and VQ-based schemes were very sensitive to geometric attacks, and the former did not survive high JPEG lossy compression (quality less than 10). In most of the cases the PSNR, and in all the cases the LRR, of the retrieved logos by the proposed scheme were higher than those by the TROI-based scheme. In the remaining few cases, the PSNR of the retrieved logos by the proposed scheme was lower. In most of the cases, the LRR by the MSB-based scheme was higher than that by the VQ-based scheme, while in many cases the PSNR by the latter was higher due to its VQ coding. However, this is in no way an indication of the superiority of the existing schemes for these kinds of attacks, because the logo quality degrades severely during the torus-mapping and VQ coding, as shown in Figures 3(e)-3(h), and as a consequence the PSNR and LRR remained almost unchanged irrespective of logos.

Table 7 presents the MSB-attacked images along with their corresponding retrieved logos using Lena image and Monash logo by the proposed MSB-based scheme and existing TROI-based [12] and VQ-based [13] schemes. Table 8 presents the same using Elaine image and NUS logo. Among the approaches of the proposed scheme, the DWT-based approach showed the highest resistance against the MSB attack. The proposed scheme survived down to PSNR 30 dB of the attacked image. Lee and Chen [13] argued that the visual quality of the image is unacceptable to the human eyes if the PSNR is less than 30 dB. Moreover, we observed that the proposed scheme performed better as the PSNR of the MSB-attacked image increased, while for the existing schemes the PSNR and LRR of the retrieved logos remained almost unchanged irrespective of the PSNR of the attacked images. However, since the distortion in an image is more noticeable in the mid-gray region and sensitivity changes parabolically as the gray value fluctuates on both sides of the mid-gray level [7], as a precaution against the MSB attack, we suggest excluding mid-gray pixels during signature calculation.

Table 6: Attacked images along with their corresponding retrieved logos using Elaine image and NUS logo by different approaches of the proposed MSB-based scheme and existing TROI-based [12] and VQ-based [13] schemes.
Figure 4(a) plots the LRR and Figure 4(b) plots the PSNR of the retrieved logos using Lena image and Monash logo against different JPEG quality factors. Figure 5(a) and Figure 5(b) plot the same using Elaine image and NUS logo. We found that the t-DWT approach performed the best among different approaches of the MSB-based scheme and existing TROI-based and VQ-based schemes. Both the LRR and PSNR increased with the increase of JPEG quality factor for the proposed scheme, while for the existing schemes they remained almost the same. While the proposed scheme always offered higher LRR, it outperformed the existing schemes in terms of the PSNR when the JPEG quality factor was greater than 70. This result is consistent with the observation made in the motivation.

Classification Results (Robustness and Uniqueness).
In this section, we present and discuss classification results of the proposed and existing schemes. We can infer the overall robustness and uniqueness of each scheme from the respective classifier.
Figures 6, 7, 8, 9, 10, and 11 present classification results using SVM with linear kernel [27] and K-means clustering [28] separating the positive and negative classes of test cases, defined in Section 4.3, for the MSB-based scheme and existing TROI-based [12] and VQ-based [13] schemes. Though we conducted the experiments with all entries in C−, for clarity we show C−, as defined in (13), instead of C− in Figure 6 to Figure 11. Table 9 shows the classification results obtained by SVM and K-means. If for a scheme a data point in C+ corresponding to an attack is misclassified by a classifier, then the scheme is decided not to be robust under that attack. Similarly, if for a scheme a data point in C− corresponding to an attack is misclassified by a classifier, then the scheme is decided not to be unique under that attack.

While the classes could be distinctively separated (no misclassification) with a large distance d between the support vectors for UROI (d = 30.2), TBLK (d = 31.4), and DCTMSB (d = 31.4) approaches of the proposed scheme; the SVM classifier for t-DWT approach resulted in 5% positive misclassification with a large d = 25.0 and the classifiers for the TROI-based (d = 10.0) and VQ-based (d = 9.2) schemes resulted in 20% and 30% positive misclassifications, respectively. We found no miss by K-means clustering for UROI, TBLK, and DCTMSB approaches, while for t-DWT approach and TROI- and VQ-based schemes, we found 35% positive, 26% negative, and 30% positive miss, respectively. Logo quality degradation due to torus-mapping and VQ coding constitutes this problem for the existing schemes. Note that the absence of misclassification and the large separation between positive and negative classes for UROI, TBLK, and DCTMSB approaches of the MSB-based scheme are so significant that a simple PSNR-only (vertical) or LRR-only (horizontal) linear classifier can be used as well. Considering the classification and clustering results and the distance from the SVM decision hyperplane to a corresponding entry of a particular attack, we made the decisions for the robustness and uniqueness tests. From Table 9, we see that UROI and DCTMSB approaches are highly robust and TBLK approach is moderately robust; while TROI-based scheme failed both robustness and uniqueness tests, and t-DWT approach and VQ-based scheme failed robustness test. We found that TBLK and t-DWT approaches are highly sensitive to geometric attacks.

Table 10 presents comparisons among the different approaches of the proposed MSB-based scheme and the existing TROI-based [12] and VQ-based [13] schemes. The existing signature-based schemes that can sign images with multibit logos are not robust against geometric attacks, and neither a linear nor a polynomial kernel of the SVM can classify them correctly. Among the approaches of the proposed MSB-based scheme, t-DWT approach is the best against the proposed MSB attack and JPEG.

this approach fails to be correctly classified due to its weakness against geometric attacks. On the other hand, classifiers designed by the UROI, TBLK, and DCTMSB approaches are excellent in the sense that they offer no misclassification and a simple PSNR-only or LRR-only classifier can be used.

Figure 1: Signature-based scheme using logo: (a) signature calculation and (b) logo retrieval operation and verification.

Figure 5: (a) Logo retrieval rate and (b) PSNR using Elaine image and NUS logo by different approaches of the proposed MSB-based scheme and existing TROI-based [12] and VQ-based [13] schemes under different JPEG quality factors.

Figure 6: SVM classification and K-means clustering results by the UROI approach of the proposed MSB-based scheme. Note that the distance between support vectors by SVM [27] is d = 30.2, and cluster 1 and cluster 2 are positive and negative clusters, respectively, by K-means clustering algorithm [28]. Attack numbers 0-9 refer to Table 3.

Figure 7: SVM classification and K-means clustering results by the TBLK approach of the proposed MSB-based scheme. Note that the distance between support vectors by SVM [27] is d = 31.5, and cluster 1 and cluster 2 are positive and negative clusters, respectively, by K-means clustering algorithm [28]. Attack numbers 0-9 refer to Table 3.

Figure 8: SVM classification and K-means clustering results by the DCTMSB approach of the proposed MSB-based scheme. Note that the distance between support vectors by SVM [27] is d = 31.3, and cluster 1 and cluster 2 are positive and negative clusters, respectively, by K-means clustering algorithm [28]. Attack numbers 0-9 refer to Table 3.

Figure 9: SVM classification and K-means clustering results by the t-DWT (t = 4) approach of the proposed MSB-based scheme. Note that the distance between support vectors by SVM [27] is d = 25.1, and cluster 1 and cluster 2 are positive and negative clusters, respectively, by K-means clustering algorithm [28]. Attack numbers 0-9 refer to Table 3.

Figure 11: SVM classification and K-means clustering results by the existing VQ-based scheme [13]. Note that the distance between support vectors by SVM [27] is d = 9.2, and cluster 1 and cluster 2 are positive and negative clusters, respectively, by K-means clustering algorithm [28]. Attack numbers 0-9 refer to Table 3.

Table 9: Results and decisions for different approaches of the proposed MSB-based scheme and existing TROI-based [12] and VQ-based [13] schemes by the support vector machines (SVM) [27] and K-means clustering algorithm [28].
Table 9 column headings: Size of training set; Distance; Number of miss (%) by SVM and by K-means; To individual attacks (robustness: h = high, m = moderate, l = low, and n = no robustness; and f = uniqueness fail).

It cannot calculate signature if the type of the logo and the image is different, for example, binary logo and gray-scale image. The size of the coarse image reduces exponentially as t increases. Compounded with the approximation due to VQ, this can potentially lead to a very poor quality of the retrieved logo, especially when extraction

Table 1 also shows that in above four cases, on the average 85% MSB remained the

Table 1: Most significant bit (MSB) similarity rate under different attacks.

Table 2: Experimental results (PSNR in dB and LRR in %) by different approaches of the proposed MSB-based scheme and existing TROI-based [12] and VQ-based [13] schemes against various attacks using Lena image and Monash logo.

Table 3: Attacks considered while designing the classifier.

Table 5: Experimental results (PSNR in dB and LRR in %) by different approaches of the proposed MSB-based scheme and existing TROI-based [12] and VQ-based [13] schemes against various attacks using Elaine image and NUS logo.
applications; (iii) robust to almost all kinds of attacks; (iv) the comprehensive TTP management policy ensures secure e-commerce.