Cryptanalysis of a Hamming Code and Logistic-Map based Pixel-Level Active Forgery Detection Scheme

In this paper, we analyze the security of a fragile watermarking scheme for tamper detection in images recently proposed by S. Prasad et al. The chaotic functions are used in the scheme to exploit its pseudo-random behavior and its sensibility to initial condition and control parameter, but despite that, security flaws have been spotted and cryptanalysis of the scheme is conducted. Experimental results shows that the scheme could not withstand the attack and watermarked images were manipulated without triggering any alarm in the extraction scheme. In this paper, two different approaches of attacks are demonstrated and conducted to break the scheme. This work falls into the context of improving the quality of the designed cryptographic schemes taking into account several cryptanalysis techniques. Keywords—Cryptanalysis; watermarking; tamper detection; attack; chaotic functions; forgery localization


I. INTRODUCTION
Nowadays we are living in the era of technology, and with a huge leap of internet technology the advancement is going faster and faster thanks to the easy and fast exchange of information, this makes led to the emergence of powerful software and hardware. Powerful devices with huge computational capacity became available at reasonable prices.
The amount of data exchanged via the internet is huge, multimedia contents represent a big percentage of these files, and with the presence of powerful and easy to use software the manipulation of these files became easier. With more than 300 million images uploaded every single day, the protection of these images became a necessity since it can be used to spread fake news, create problems between individuals or even nations, and now digital images could be presented as evidence in courtrooms. for these reasons, the scientific community is facing the challenge to present efficient solutions to control the integrity of these images.
Robust watermarking schemes are typically designed for copyright protection [20], [21], [22]. The owner should be able to extract and verify an embedded watermark even from a falsified image, on the other hand, Fragile and semi-fragile watermarking schemes are designed to control the integrity of the cover image [23], [24], [25], [26], [27], [28], [29], [30], [31], [32], [18], [19], any unauthorized modification on the watermarked image should affect the embedded watermark and therefore detected by the legitimate receiver. The legitimate receiver is typically whoever possesses the secret key(s) to extract the watermark, and despite that the schemes are protected by secret key(s), successful attacks on these schemes has been conducted and the watermarks has been removed without possession of the key(s) [33], [34], [35], [36], [37]. The work presented by the cryptanalysts helped improving the quality of the future proposed security schemes. In this context w analyze the security of a recently proposed fragile watermarking scheme by S. Prasad et al [1], security flaws have been spotted in the scheme and two different types of attacks are performed and we were able to modify the image without being detected by the detection scheme, finally, an improvement of the scheme is proposed to cover the security problems.
The rest of the paper is organized as follows: In Section 2 we present a description of the scheme under study, Section 3 two types of attack are demonstrated and results are presented, finally, the paper is concluded in Section 4.

II. THE SCHEME UNDER STUDY
The scheme in [1] proposes a fragile watermarking scheme for tamper detection in digital images. The scheme is based on (7,4) hamming code and logistic map: for each pixel the 4 most significant bits (MSBs) are selected and (7,4) hamming code is used to generate 3-bits authentication code that is then further processed using the logistic map and embedded into the LSBs of the pixel in question. In this section we present a brief description of the scheme under study.

A. Authentication Watermark Generation and Embedding
Given a cover image I with size (M ×N ) the steps leading to the generation and the embedding of the watermark are as follows: Step 1: The logistic map is used to generate a pseudo- The Logistic map is defined by equation 1.The values generated by the equations are in [0,1], α 0 represents the initial condition provided by the user, and β is the control parameter of the function, where β ∈ [0, 4].
The initial condition α 0 and the control parameter β are considered as secret keys of scheme.
Step 2: At this point we have a pseudo-random sequence α = α i (i = 1 : M N ), with the same size of the image, each value from the sequence α will be associated to a pixel, where i represent the index of the pixel in processing. The pseudo-random sequence is then converted to be in the range from 0 to 7 using the equations 2, 3 and 4.
Step 3: The i th pixel in the cover image I is selected, converted to binary then its 4 MSBs are selected to compute its hamming code c = (c 7 , c 6 , c 5 , c 4 , c 3 , c 2 , c 1 ). The watermark is considered the 3 LSBs of the calculated hamming code: W = (c 3 , c 2 , c 1 ) Step 4: The computed watermark is converted into an integer to obtain T .
Step 5: Starting from the secret value K i a list R is created: Step 6: The value of the watermark T is Searched within the list R and its position in R is saved as "j".
Step 7: Calculate z = mod (P i , 8). Where P i is the pixel in processing.
Step 9: The watermarked pixel is represented by the j th element in the list P R.
Step 10: The rest of the cover image is processed by applying the steps 3 to 9 to obtain the watermarked image W I.
A flowchart of the embedding schemes is shown in Fig. 1.

B. Extraction and Tamper Detection
Given a received watermarked image W I. The steps leading to the extraction of the watermark in order to locate any possible tampering in the image are described as follows: Step 1: Generate the same pseudo-random sequence α using the logistic map defined in equation 1 with the parameters α 0 and β as secret keys keys.
is the size of the image W I.
Step 2: The pseudo-random sequence α is then converted to be in the range from 0 to 7 using the equations 2, 3 and 4. The list K with the same size as the image and each element represents the secret value that will be used to generate the list R for each pixel.
Step 3: The i th pixel P W i in the received image W I is selected, then converted to binary then its 4 MSBs are selected to compute its hamming code c = (c 7 , c 6 , c 5 , c 4 , c 3 , c 2 , c 1 ). The 3-bits authentication code watermark is the 3 LSBs of the calculated hamming code c: W = (c 3 , c 2 , c 1 ) Step 4: The list R is generated starting from the elements of the list K: for the i th pixel the element K i is used to calculate the list R: Step 5: Compute z = mod (P W i , 8) + 1 which represents the index of the extracted watermark E AC in the list R.
Step 6: The comparison between the extracted watermark E AC and the calculated one W will reveal if the pixel in question has been tampered with: each pixel where E AC = W is considered falsified, therefore its position in the received image is set to zero which represent the black color.
A flowchart of the extraction and tamper detection schemes is shown in Fig. 2. III. CRYPTANALYSIS OF THE SCHEME

A. Offline Attack
In general, an attacker's goal is is either to guess or recover the value of the secret key(s) or something equivalent to the key(s) in order to recover the plaintext without knowledge of the secret key and that is due to kerckhoff's principle that states www.ijacsa.thesai.org that everything about the cryptosystem is public knowledge except for the keys.
In other words, the only thing secret about a cryptosystem is the secret key(s), everything else should be known and the job of a cryptographer is to design a cryptosystem that stands against any type of attack taking into consideration Kerckhoff's law [38].
The scheme under study [1] is a fragile watermarking system for tamper detection in digital images, after a successful cryptanalysis we should be able to manipulate the watermarked images without being detected by the extraction scheme. To achieve that goal, the keys or the equivalent of the keys are needed.
In the scheme in [1] the keys are the initial condition α 0 and the control parameter β of the logistic map.
The keys (α 0 , beta) are used to generate a pseudo-random sequence α with the same size of the image then the sequence is quantified to be in the range of [0,7] to obtain the sequence K ad each element K i in K is assigned to the pixel i in the image and the sequence R is constructed : One of the main features of the chaotic maps is the high sensibility to initial conditions and control parameter, which make the attempt of any prediction or guess to their values starting from the pattern of the function nearly impossible, beside the pattern of the function is not available, but we know that it has been used to construct the lists K and R.
Since that the main keys are very hard to find our goal is to reveal alternative keys which are the lists R for each pixel we attempt to modify, and the list K if needed in any other attack intercepted from the same source.
In this section we will demonstrate how to reveal the list R for each pixel and as a result we will be able to construct the list K for the image: Given an intercepted watermarked image "WI" with size M × N , the steps leading to the revelation of the lists R and K are as follows: Step 1: The i th pixel P W i in the intercepted watermarked image W I is selected, then converted to binary then its 4 MSBs are selected to compute its hamming code c = (c 7 , c 6 , c 5 , c 4 , c 3 , c 2 , c 1 ). The 3-bits authentication code watermark is the 3 LSBs of the calculated hamming code c: W = (c 3 , c 2 , c 1 ) It should be noted that i represents the index of the pixel in the image : i = 1 : M * N .
Step 2: Compute z = mod (P W i , 8) which represents the index of the watermark W in the list R.
Step 3: Starting from the z th position, the list R could be reconstructed using equation 7.
It should be noted that the authors in [1] used z = mod (P W i , 8) + 1 based on the indexation starts from 1 not 0, in our attack we dealt with the lists from 0 to 7 indexation.
Step 4: The first element in the list R represents the value K i in the pseudo random-sequence K. Once all pixels of the intercepted image are processed the pseudo-random sequence K is revealed.
Step 5: The i th pixel could now be modified and the watermark is substituted with the new one with the possession of the list R.
With the possession of the equivalent keys (The lists R and K), the watermarked image could now be manipulated and the watermark is replaced without being detected by the extraction scheme. Next we present two examples how to calculate the list R for a given pixel and find the corresponding value K i . a) Example 1:: In the first example the value of the pixel P i = 165 and K i = 3.
First the watermark embedding process: 1) The list R is constructed using equation 5 The image is then intercepted during transmission, next we demonstrate how the list R is calculated along with the value K i . 1) P W i = 167 is the value of the ith pixel in the intercepted watermarked image "WI" P W i is then converted to binary and the hamming code is calculated for its 4 MSBs to obtain T . 4) The first element in the list R represents the value K i where i is the index of the pixel in question :

5)
The i th pixel could now be modified and the watermark substituted with the possession of the list R.
b) Example 2:: In the second example the value of the pixel P i = 99 and K i = 5.
First the watermark embedding process: 1) The list R is constructed using equation 5 The image is then intercepted during transmission, next we demonstrate how the list R is calculated along with the value K i . 1) P W i = 102 is the value of the i th pixel in the intercepted watermarked image "WI" P W i is then converted to binary and the hamming code is calculated for its 4 MSBs to obtain T .

B. Online Attack
The second approach to attack the scheme under study is to use one of the online attacks. Online attacks could be summarized in three main approaches [39]: 1) KPA Known plaintext attack : In this scenario the cryptanalyst has one or several plain-text and their corresponding cipher-text. the cryptanalyst then tries to conclude the key or an equivalent key from the analysis of these pairs. 2) CPA Chosen plain-text attack: As in the case of KPA the cryptanalyst possesses pairs of plain-text and their corresponding ciphers only in this scenario, the attacker has access to the encryption machinery and can chose the plain-texts to be encrypted. 3) CCA Chosen cipher-text attack : In this scenario the attacker has access to the decryption machinery and can chose cipher-texts to get the corresponding plain-texts. Based on the study of these plain/ciphertexts the cryptanalyst tries to conclude the key or an equivalent of the key.
These scenarios represent the most common techniques in cryptanalysis. any security system should be tested to avoid vulnerability against these attacks.
Using KPA or CPA, only a single pair of original image and its corresponding watermarked image is needed to break the system and reveal the secret keys (The list R for each pixel and the list K for the image): Let "OI" be the original image and "WI" its corresponding watermarked image with size M × N , and OP i , W P i are the pixels of "OI" and "WI" respectively, where i represents the index of the pixel, the secret lists R and K could be calculated as follows: (8) 5) The first element in the list R represents the secret value K i . Once all pixel are processed the list K will be revealed.
With the revelation of the secret list K the image could be manipulated and the watermark is successfully replaced without being detected by the extraction scheme.   3 shows the results of the attack. Multiples images were used in the experiments, we were able to calculate the keys used in the embedding process, as a result, the watermarks were successfully removed in order to manipulate the images, then using the calculated keys, new watermark are embedded into the falsified images in order to prevent any alarms in the extraction process.
The experiments shows that the extraction scheme failed to detect the falsifications which proves the weakness of the proposed scheme.

IV. CONCLUSION
In this paper, a cryptanalysis of a recently proposed watermarking scheme is conducted, two types of attacks were conducted successfully. As a result, the watermarked images could be falsified without triggering any alarm in the extraction process. This proves that even if very complicated steps were used in the design of a cryptographic scheme, that doesn't mean that the scheme is secure, several cryptalysis techniques could be used to attack these scheme, and these cryptanalysis techniques should be taken into consideration when designing a cryptographic scheme. As future work, an improvement of the attacked scheme could be proposed to cover the flaws and problems demonstrated in this paper.