Hologram authentication based on a secure watermarking algorithm using cellular automata Wen-Jyi Hwang,1 Hao-Tang Chan,1 and Chau-Jern Cheng2,* 1

Department of Computer Science and Information Engineering, National Taiwan Normal University, No. 88, Sec. 4, Tingzhou Rd., Taipei 117, Taiwan 2

Institute of Electro-Optical Science and Technology, National Taiwan Normal University, No. 88, Sec. 4, Tingzhou Rd., Taipei 117, Taiwan *Corresponding author: [email protected] Received 18 April 2014; revised 25 June 2014; accepted 26 June 2014; posted 26 June 2014 (Doc. ID 210472); published 30 July 2014

A secure watermarking algorithm for hologram authentication is presented in this paper. The algorithm exploits the noise-like feature of holograms to randomly embed a watermark in the domain of the discrete cosine transform with marginal degradation in transparency. The pseudo random number (PRN) generators based on a cellular automata algorithm with asymmetrical and nonlocal connections are used for the random hiding. Each client has its own unique PRN generators for enhancing the watermark security. In the proposed algorithm, watermarks are also randomly generated to eliminate the requirements of prestoring watermarks in the clients and servers. An authentication scheme is then proposed for the algorithm with random watermark generation and hiding. © 2014 Optical Society of America OCIS codes: (200.3050) Information processing; (100.4998) Pattern recognition, optical security and encryption; (100.2000) Digital image processing. http://dx.doi.org/10.1364/AO.53.000G64

1. Introduction

Content authentication [1,2] is gaining importance for multimedia data due to the widespread popularity of the Internet for data distribution. A common approach to content authentication is based on the watermarking techniques where a fragile pattern, easily corrupted by malicious tampering and attacks, is embedded in host media [3]. The integrity test will be failed if the extracted watermark from the host media is found to be destroyed. These types of techniques are termed fragile watermark techniques, as opposed to robust watermarking methods, which are used mainly for copyright protection [4–8]. In addition to detecting malicious manipulations, content authentication has advantages of reducing 1559-128X/14/270G64-10$15.00/0 © 2014 Optical Society of America G64

APPLIED OPTICS / Vol. 53, No. 27 / 20 September 2014

the computation burden for image reconstruction and processing of some types of media data such as digital holograms. With rapid advances of digital holography technologies [9], holograms have been found to be effective in various applications [10–12] for three-dimensional (3D) rendering. As compared with two-dimensional (2D) images, digital holograms require additional diffraction computation [13] and phase unwrapping operations [14] before rendering. These operations have high computational complexities. With the employment of content authentication, efforts are made only for the holograms with proved integrity. An issue for implementing the content authentication for holograms is that the host media for many fragile watermarking algorithms [15–17] are the 2D images stored in the JPEG format. These watermarking algorithms are based on the discrete cosine transform (DCT). A drawback of the JPEG-based

techniques is that a watermark is usually hidden in the high frequency coefficients to achieve minimum visual degradation. A security breach may be possible when the locations of coefficients containing watermark information are known. The interception of the hidden watermark would result in counterfeiting attacks. Although holograms are used as host media for fragile watermarking in [18], the watermark is stored in a fixed location in the DCT domain. The watermarking system would then still be prone to security breach for attackers with a prior knowledge of the algorithm. As compared with other host media such as 2D images, the holograms tend to be noise-like due to a wide range of spatial frequencies superimposed in the interference patterns produced by object beam and reference beam for CCD recording. The noiselike features may enhance the flexibility for the selection of DCT coefficients for watermarking. That is, the watermark hiding in different coefficients may introduce similar visual degradation in the spatial domain for noisy patterns. However, this feature is not fully exploited by existing fragile watermarking algorithms for the improvement of security for content authentication. The goal of this paper is to present a novel secure watermarking algorithm for hologram authentication. In the proposed algorithm, the watermark is embedded in DCT coefficients randomly selected by a pseudo random number (PRN) generator. Because the watermark is not hidden in a small set of known locations, the difficulty for counterfeiting attacks based on intercepting or forging watermarks is increased. Due to the noise-like feature of holograms, the perceivable degradation in transparency is unlikely for the PRN-based selections of coefficients for watermark hiding. Therefore, the proposed algorithm is well-suited for holograms by exploiting the noise-like feature to enhance the security for watermarking at the expense of marginal loss in transparency. The PRN generator considered in this paper is based on cellular automata (CA) [19–21]. In addition to providing high-quality random numbers, the CA has low computational complexities and is effective for hardware implementation. Moreover, the CA algorithm with asymmetrical and nonlocal connections [19] is flexible and allows the construction of a large number of independent PRN generators. In this way, different clients need not share the same PRN generator. Unique random sequence generation for each client is beneficial for enhancing the security of the proposed system. The proposed algorithm can be further extended by randomly generated watermarks using CA. Therefore, it is not necessary to prestore watermarks in clients and servers. A client may randomly generate a watermark using a PRN generator and store the watermark in the locations randomly determined by another PRN generator. In addition to the watermark, the initial seed values and the identifiers of

both the PRN generators are also embedded in the holograms. The server is able to extract two watermarks: one is hidden in the DCT coefficients, and the other is from the PRN generator. A marked hologram will pass the integrity test when a match is observed between both watermarks. If a marked hologram fails the authentication, the locations of mismatches also indicate the positions where malicious manipulations may occur. The remaining parts of this paper are organized as follows. Section 2 studies the CA-based PRN generators in detail. The proposed secure watermarking algorithm is then presented in Section 3. The experimental results of the proposed algorithm are included in Section 4. Finally, Section 5 contains some concluding remarks of this study. 2. CA for PRN Generation

A CA-based PRN generator consists of an array of identical cells operating in parallel. Let A be the number of cells in the array. Figure 1 shows the basic architecture of each cell i, i
0; …; A − 1, consisting of only one table, one memory unit, and one output [19]. The memory unit of cell i stores the output of the current generation of that cell. Based on the inputs to cell i, the table of that cell is used to determine the output of the next generation. Let K be the number of inputs to each cell. All the cells operate concurrently in each generation. Let ym
fyi m; i
0; …; A − 1g

(1)

be the output of the PRN in the generation m, where yi m is the output of cell i. As shown in Fig. 1, yi m is actually the value held by the memory unit in the cell i in generation m. The collection of the outputs in the initial generation, y0
fyi 0; i
0; …; A − 1g, is termed the initial seed of the PRN generator. The initial seed can be used as a key for watermark extraction. Let xi;j m, j
0; …; K − 1, be the inputs.

Fig. 1. Basic architecture of cell i in the CA-based PRN generator. 20 September 2014 / Vol. 53, No. 27 / APPLIED OPTICS

G65

In the PRN generator, the values of the K inputs are obtained from the outputs of K cells in the array. Let d
fdj ; j
0; …; K − 1g be a set of integers with different values (i.e., di ≠ dj when i ≠ j). In addition, the value of each integer is in the range from 0 to A − 1 (i.e., 0 ≤ dj ≤ A − 1). Let q
i  dj 

mod A:

(2)

The jth input to cell i obtains its value from the output of cell q. That is, xi;j m
yq m:

(3)

Therefore, the set d specifies the connection of each cell to other cells. Because 0 ≤ dj ≤ A − 1, each cell can be connected to any cell in the array; the connection is nonlocal. In addition, di ≠ dj when i ≠ j; the connection is nonsymmetric. Given the inputs xi;j m, j
0; …; K − 1, the table in cell i is then used to find the output yi m  1. Let T be the table in the cell. It then follows that yi m  1
Txi;0 m; …; xi;j m; …; xi;K−1 m:

(4)

All the inputs xi;j m, j
0; …; K − 1, take binary values. Therefore, there are 2K entries in the table. The output of the table also takes binary values. The table of all the A cells in the PRN generator are the same. In cell i, the memory unit will update its value to yi m  1 in generation m  1. Table 1 shows an example of the table for K
4. Figure 2 Table 1.

xi;0 m xi;1 m xi;2 m xi;3 m yi m  1

Example of CA Table T for K
4 with 2K
16 Entries

0 0 0 0 0

1 0 0 0 1

0 1 0 0 1

1 1 0 0 1

0 0 1 0 0

1 0 1 0 0

0 1 1 0 1

1 1 1 0 0

0 0 0 1 1

1 0 0 1 1

0 1 0 1 0

1 1 0 1 1

0 0 1 1 1

1 0 1 1 0

0 1 1 1 0

1 1 1 1 0

shows a PRN generator with A
64, K
4, and d
f0; 63; 2; 1g. Given a table T, there are A!∕K! PRN generators, each with a different connection d. All these PRN generators form a group. It can be easily shown that K K there are 22 tables. Therefore, there are 22 groups, each has A!∕K! generators. Given an A and a K, the K total number of PRN generators is then 22 A!∕K!. For K
4 and A
64, there are 9.9936 × 1011 ≈ 1012 PRN generators. Therefore, an advantage of a nonlocal and nonsymmetric CA array is that a large number of PRN generators can be derived by selecting different tables and connections. This is beneficial for enhancing the security of the proposed watermarking system because different clients or holograms don’t have to share the same PRN generator. In addition to the initial seed, the identifier of the PRN generator can also be used as another key for watermark extraction. 3. CA-Based Secure Watermarking A. Watermark Embedding

The proposed watermarking algorithm embeds a watermark in the DCT domain. The location of the DCT coefficients for watermark hiding are determined randomly by the CA-based PRN generators discussed in the previous section. After the embedding process, the marked holograms are transformed back to the spatial domain for subsequent storage and/or delivery. Let H be a host hologram with dimension 2N × 2N . Let W be the watermark to be embedded in H. The dimension of W is 2n × 2n , where n ≤ N. The watermark is assumed to be binary. That is, each pixel in W has only 1 bit. Before embedding W, the host hologram H is first separated into nonoverlapping equal size blocks U i;j , 0 ≤ i, j ≤ 2n − 1, where the size of each block is 2k × 2k, and k
N − n. Let wi;j be the i; jth element of W. In the proposed algorithm, wi;j is embedded in the DCT domain of U i;j.

Fig. 2. CA-based PRN generator with A
64, K
4, and d
f0; 63; 2; 1g. G66

APPLIED OPTICS / Vol. 53, No. 27 / 20 September 2014

The watermark W is separated into two parts: W 1 and W 2 . When wi;j ∈ W 1 , wi;j is embedded in a fixed DCT coefficient of U i;j. In the proposed algorithm, the initial seed of two CA-based PRN generators and their corresponding identifiers are included in W 1 as a part of the watermark W. Let yi 0 and idi be the initial seed and the identifier of the PRN generator i, i
1; 2 used in the algorithm. All the pixels in W 2 are produced by the PRN generator 1 with initial seed y1 0. The selection of DCT coefficients of U i;j for embedding a pixel wi;j ∈ W 2 is based on the PRN generator 2 with initial seed y2 0. For the sake of simplicity, we omit the subscript i, j from wi;j and U i;j in the remaining part of this paper. Assume w is the mth pixel of W 2 based on the raster scan order. In the proposed algorithm, w
f 1 y1 m;

(5)

where y1 m is the output of PRN generator 1 in the generation m, and f 1 is a function which maps the L-bit y1 m into 1-bit w. An example of f 1 is a simple exclusive OR operation on all the elements of y1 m. Figure 3 shows an example of the generation of the watermark W. In this example, W 1 is the first two columns of W. The remaining part of W is W 2. The blocks in H are also separated into two categories: blocks for hiding W 1 and blocks for hiding W 2. Procedures for embedding W 1 and W 2 are similar. Their only difference is the selection of DCT coefficients. For hiding W 2, DCT coefficients are selected randomly using PRN generator 2. However, the DCT coefficients containing pixels in W 1 are fixed and known to servers. The embedding procedure

for W 1 can then be viewed as a simplified version of that for W 2. It then suffices to discuss only the embedding procedure for W 2 in this subsection. Let V be the set of DCT coefficients of U. Because U is a 2k × 2k block, V contains 2k × 2k coefficients. Let vr be the rth element of V in the zigzag order. It is necessary to use 2k bits to specify an r. Let c be the selected DCT coefficient for embedding w. Suppose r
f 2 y2 m;

(6)

where y2 m is the output of PRN generator 2 in the generation m, and f 2 is a function which maps the L-bit y2 m into a 2k-bit r. Assume L > 2k. A simple example of f 2 is then to extract 2k bits from y2 m to form r. We then use vr as the selected DCT coefficient c for the watermark embedding of pixels in W 2 . After watermark W 2 is generated, and the location for hiding each pixel in W 2 is determined, the next step is then embed each w ∈ W 2 to its corresponding c using the quantizer proposed in [18]. In the quantizer, a real axis is separated into nonoverlapping equal-size intervals with length L. The range of interval i is iL; i  1L with center Ii located at Ii
iL 

L ; 2

(7)

where i is the index of the interval. The quantization proceeds by first inspecting the value of w. When w
0, c is mapped to the closest interval with even index. Otherwise, c is mapped the closest interval with odd index. Let p be the index of the interval c is currently located, which can be computed by c p
⌊ ⌋: L

(8)

Based on w and p, let p be the index of the closest interval to c. Table 2 summarizes the computation. After p is found, the new value of c, denoted by c , is then obtained by c
Ip :

(9)

The set V with the new c is then transformed back to the spatial domain using inverse DCT. The resulting block can be viewed as a marked version of U. Note that each pixel of the block may be a real number. Therefore, it is necessary to perform rounding-off Table 2.

Fig. 3. Example of the generation of the watermark W. The first two columns of W are W 1 . The remaining part of W is W 2 .

Quantization Procedure for Determining p 

w

p

1 1 1 0 0 0

odd even even even odd odd

Ip c < Ip c ≥ Ip c < Ip c ≥ Ip

p p ←p p ←p − 1 p ←p  1 p ←p p ←p − 1 p ←p  1

20 September 2014 / Vol. 53, No. 27 / APPLIED OPTICS

G67

Fig. 4. Proposed watermark embedding process with block size 4 × 4 (i.e., k
2).

operations so that the marked block can be stored ¯ be the marked U after in finite precision. Let U rounding-off operations. Let b be the number of bits ¯ The b can be prespecified. The used to represent U. collections of all the finite-precision marked blocks ¯ Figure 4 form the marked hologram, denoted by H. summarizes the watermark embedding operations. B.

Watermark Extraction

The goal of watermark extraction is to recover two watermarks R1 and R2 from a marked hologram ¯ The authentication will be successful when these H. two watermarks are identical. Both R1 and R2 contain W 1 and W 2 . In addition, they have a common approach to retrieve W 1 . However, the W 2 in R1 and R2 are obtained by different methods. The extraction of W 1 is based on the fact that all the pixels in W 1 are embedded in the DCT domain with a fixed position. Suppose V¯ is the set of the ¯ containing a DCT coefficients of a marked block U pixel in W 1 . The server is able to recover W 1 by first extracting c¯ , the DCT coefficient containing w, ¯ After that, we repeat the quantization procfrom V. ess for finding the index of the interval p¯ by Eq. (8). That is, c¯ p¯
⌊ ⌋: L

(10)

When p¯ is even, the corresponding extracted water¯ is 1. After all the mark pixel w is 0. Otherwise, w blocks containing a pixel of W 1 are examined, the extraction of W 1 is then completed. Information of PRN generator identifiers id1, id2 and their initial seeds y1 0, y2 0 is then available. G68

APPLIED OPTICS / Vol. 53, No. 27 / 20 September 2014

The retrieval of W 2 in R1 is straightforward. Based on the identifier id1 extracted from W 1 , the PRN generator 1 is identified in the server. The W 2 in R1 is obtained by directly using the PRN generator 1 with the initial seed y1 0, which can also be obtained from W 1 . The procedure for regenerating the m th pixel in W 2 is based on Eq. (5) in this approach. Figure 5 depicts the extraction process for the recovery of W 1 and W 2 in R1 , and W 1 in R2 . To recover W 2 in R2 , it is necessary to identify the PRN generator 2 from id2 extracted from W 1 . The PRN generator 2, together with the initial seed y2 0, is able to provide the location of DCT coefficients hiding pixels in W 2 . Suppose V¯ is the DCT of the mth marked block containing a pixel in W 2 ; ¯ where r is given then c¯ is the r th coefficient in V, by Eq. (6). After c¯ is found, the computation of w for W 2 is identical to that for w in W 1 . The W 2 in R2 is recovered after all the marking blocks containing W 2 are visited. This procedure is also summarized in Fig. 6. In the proposed algorithm, the selection of interval length L and precision level b has impact on the performance. In fact, a smaller L value can reduce the distortion caused by hiding watermark. In addition, a smaller number of bits b for representing each pixel ¯ is able to lower the size for storing watermarked of U hologram. The L and b, however, cannot be prespecified independently. This is because rounding-off errors due to finite precision representation of each ¯ may lead to corruption in the embedded pixel in H watermark. Rounding-off errors are dependent on quantization interval length L and precision level b. To ensure that the extracted watermark is identical to the original watermark when there are

Fig. 5. Proposed watermark extraction process for constructing W 1 and W 2 in R1 , and W 1 in R2 .

no tampering attacks or delivery errors, c¯ should satisfy j¯c − c j