http://ieeexplore.ieee.org TOC Alert for Publication# 10206 2009 November 23 4 4 C1 C4 46 4 4 C2 C2 35 4 4 757 757 25 Multiparty multilevel digital rights management (DRM) architecture involving several levels of distributors in between an owner and a consumer has been suggested as an alternative business model to the traditional two-party (buyer-seller) DRM architecture for digital content delivery. In the two-party DRM architecture, cryptographic techniques are used for secure delivery of the content, and watermarking techniques are used for protecting the rights of the seller and the buyer. The cryptographic protocols used in the two-party case for secure content delivery can be directly applied to the multiparty multilevel case. However, the watermarking protocols used in the two-party case may not directly carry over to the multiparty multilevel case, as it needs to address the simultaneous security concerns of multiple parties such as the owner, multiple levels of distributors, and consumers. Towards this, in this paper, we propose a joint digital watermarking scheme using Chinese remainder theorem for the multiparty multilevel DRM architecture. In the proposed scheme, watermark information is jointly created by all the parties involved; then a watermark signal is generated out of it and embedded into the content. This scheme takes care of the security concerns of all parties involved. Further, in the event of finding an illegal copy of the content, the violator(s) can be traced back. ]]> 4 4 758 767 1843 The rate of a fingerprinting code is defined as $R= {({1}/{N})} log _{2} M$ , where $N$ is the code length and $M$ the number of users. Capacity is the supremum of achievable rates for a given class of collusion attacks. Most fingerprinting codes in current literature are algebraic constructions with high minimum distance. These codes have low rate (relative to capacity) and thus long fingerprints for a given number of users and colluders. However, short fingerprints are valuable in media fingerprinting due to the limited number of robust features available for embedding. This paper proposes a framework to build high-rate fingerprinting codes operating near the fundamental capacity limit by concatenating short, random, and statistically independent subcodes. A practical implementation based on the turbo code construction is presented. Each subcode is decoded by a list Viterbi decoding algorithm, which outputs a list of suspect users. These lists are then processed using a matched filter, which extracts the most suspect user and declares him or her guilty. We provide examples of codes that are short, accommodate millions of users, and withstand (with an error probability of the order of 1%) dozens of colluders against the averaging or interleaving attack followed by additive white Gaussian noise. Our fingerprinting codes operate reliably at rates within 30% to 50% of capacity, which are substantially higher than any other existing code. The decoding complexity is linear in $N$, or, equivalently, in $log M$. ]]> 4 4 768 780 517 In 2007, Kim proposed a secure compression code called the Secure Arithmetic Code (SAC). The code was claimed to be secure against chosen plaintext attacks. However, we find that the SAC is not as secure as the authors have claimed. In this paper, we show the code is prone to two attacks. The first attack completely breaks the code using an adaptive chosen plaintext attack with a polynomial number of queries. The second attack is a ciphertext-only attack, which removes a part of the output permutation. ]]> 4 4 781 789 2157 In this paper, we propose a novel scheme called a self-verifying visual secret sharing scheme, which can be applied to both grayscale and color images. This scheme uses two halftone images. The first, considered to be the host image, is created by directly applying a halftoning technique to the original secret image. The other, regarded as the logo, is generated from the host image by exploiting the interpolation and error diffusion techniques. Because the set of shadows and the reconstructed secret image are generated by simple Boolean operations, no computational complexity and no pixel expansion occur in our scheme. Experimental results confirm that each shadow generated by our scheme is a noise-like image and eight times smaller than the secret image. Moreover, the peak signal-to-noise ratio value of the reconstructed secret image is larger than 33 dB. Based on the extracted halftone logo, the proposed scheme provides an effective solution for verifying the reliability of the set of collected shadows as well as the reconstructed secret image. Furthermore, the reconstructed secret image can be established completely if and only if $k$ out of $n$ valid shadows have been collected. To achieve our objectives, four techniques were adopted: error diffusion, image clustering, interpolation, and inverse halftoning-based edge detection. ]]> 4 4 790 801 2101 Orientation field (OF) estimation is a crucial preprocessing step in fingerprint image processing. In this paper, we present a novel method for OF estimation that uses traced ridge and valley lines. This approach provides robustness against disturbances caused, e.g., by scars, contamination, moisture, or dryness of the finger. It considers pieces of flow information from a larger region and makes good use of fingerprint inherent properties like continuity of ridge flow perpendicular to the flow. The performance of the line-sensor method is compared with the gradients-based method and a multiscale directional operator. Its robustness is tested in experiments with simulated scar noise which is drawn on top of good quality fingerprint images from the FVC2000 and FVC2002 databases. Finally, the effectiveness of the line-sensor-based approach is demonstrated on 60 naturally poor quality fingerprint images from the FVC2004 database. All orientations marked by a human expert are made available at the journal's and the authors' website for comparative tests. ]]> 4 4 802 811 2256 Iris recognition is one of the most accurate biometric methods in use today. However, the iris recognition algorithms are currently implemented on general purpose sequential processing systems, such as generic central processing units (CPUs). In this work, we present a more direct and parallel processing alternative using field-programmable gate arrays (FPGAs), offering an opportunity to increase speed and potentially alter the form factor of the resulting system. Within the means of this project, the most time-consuming operations of a modern iris recognition algorithm are deconstructed and directly parallelized. In particular, portions of iris segmentation, template creation, and template matching are parallelized on an FPGA-based system, with a demonstrated speedup of 9.6, 324, and 19 times, respectively, when compared to a state-of-the-art CPU-based version. Furthermore, the parallel algorithm on our FPGA also greatly outperforms our calculated theoretical best Intel CPU design. Finally, on a state-of-the-art FPGA, we conclude that a full implementation of a very fast iris recognition algorithm is more than feasible, providing a potential small form-factor solution. ]]> 4 4 812 823 1363 The richness and apparent stability of the iris texture make it a robust biometric trait for personal authentication. The performance of an automated iris recognition system is affected by the accuracy of the segmentation process used to localize the iris structure. Most segmentation models in the literature assume that the pupillary, limbic, and eyelid boundaries are circular or elliptical in shape. Hence, they focus on determining model parameters that best fit these hypotheses. However, it is difficult to segment iris images acquired under nonideal conditions using such conic models. In this paper, we describe a novel iris segmentation scheme employing geodesic active contours (GACs) to extract the iris from the surrounding structures. Since active contours can 1) assume any shape and 2) segment multiple objects simultaneously, they mitigate some of the concerns associated with traditional iris segmentation models. The proposed scheme elicits the iris texture in an iterative fashion and is guided by both local and global properties of the image. The matching accuracy of an iris recognition system is observed to improve upon application of the proposed segmentation algorithm. Experimental results on the CASIA v3.0 and WVU nonideal iris databases indicate the efficacy of the proposed technique. ]]> 4 4 824 836 3872 We take advantage of the temporal continuity in an iris video to improve matching performance using signal-level fusion. From multiple frames of a frontal iris video, we create a single average image. For comparison, we reimplement three score-level fusion methods (Ma , Krichen , and Schmid ). We find that our signal-level fusion of $N$ images performs better than Ma's or Krichen's score-level fusion methods of $N$ Hamming distance scores. Our signal-level fusion performs comparably to Schmid's log-likelihood method of score-level fusion, and our method achieves this performance using less computation time. We compare our signal fusion method with another new method: a multigallery, multiprobe method involving score-level fusion of $N^2$ Hamming distances. The multigallery, multiprobe score fusion has slightly better recognition performance, while the signal fusion has significant advantages in memory and computation requirements. No published prior work has shown any advantage of the use of video over still images in iris biometrics. ]]> 4 4 837 848 2359 Automatically verifying the identity of a person by means of biometrics (e.g., face and fingerprint) is an important application in our day-to-day activities such as accessing banking services and security control in airports. To increase the system reliability, several biometric devices are often used. Such a combined system is known as a multimodal biometric system. This paper reports a benchmarking study carried out within the framework of the BioSecure DS2 (Access Control) evaluation campaign organized by the University of Surrey, involving face, fingerprint, and iris biometrics for person authentication, targeting the application of physical access control in a medium-size establishment with some 500 persons. While multimodal biometrics is a well-investigated subject in the literature, there exists no benchmark for a fusion algorithm comparison. Working towards this goal, we designed two sets of experiments: quality-dependent and cost-sensitive evaluation. The quality-dependent evaluation aims at assessing how well fusion algorithms can perform under changing quality of raw biometric images principally due to change of devices. The cost-sensitive evaluation, on the other hand, investigates how well a fusion algorithm can perform given restricted computation and in the presence of software and hardware failures, resulting in errors such as failure-to-acquire and failure-to-match. Since multiple capturing devices are available, a fusion algorithm should be able to handle this nonideal but nevertheless realistic scenario. In both evaluations, each fusion algorithm is provided with scores from each biometric comparison subsystem as well as the quality measures of both the template and the query data. The response to the call of the evaluation campaign proved very encouraging, with the submission of 22 fusion systems. To the best of our knowledge, this campaign is the first attempt to benchmark quality-based multimodal fusion algorithms. In the presence of ch- anging image quality which may be due to a change of acquisition devices and/or device capturing configurations, we observe that the top performing fusion algorithms are those that exploit automatically derived quality measurements. Our evaluation also suggests that while using all the available biometric sensors can definitely increase the fusion performance, this comes at the expense of increased cost in terms of acquisition time, computation time, the physical cost of hardware, and its maintenance cost. As demonstrated in our experiments, a promising solution which minimizes the composite cost is sequential fusion, where a fusion algorithm sequentially uses match scores until a desired confidence is reached, or until all the match scores are exhausted, before outputting the final combined score. ]]> 4 4 849 866 1962 Single biometric cryptosystems were developed to obtain win-win scenarios for security and privacy. They are seriously threatened by spoof attacks, in which a forged biometric copy or artificially recreated biometric data of a legitimate user may be used to spoof a system. Meanwhile, feature alignment and quantization greatly degrade the accuracy of single biometric cryptosystems. In this paper, by trying to bind multiple biometrics to cryptography, a cryptosystem named multibiometric cryptosystem (MBC), is demonstrated from the theoretical point of view. First, an MBC with two fusion levels: fusion at the biometric level, and fusion at the cryptographic level, is formally defined. Then four models, namely biometric fusion model, MN-split model, nonsplit model, and package model, adopted at those two levels for fusion are presented. Shannon entropy analysis shows that even if the biometric ciphertexts and some biometric traits are disclosed, the new constructions still can achieve consistently data security and biometric privacy. In addition, the achievable accuracy is analyzed in terms of false acceptance rate/false rejection rate at each model. Finally, a comparison on the relative advantages and disadvantages of the proposed models is discussed. ]]> 4 4 867 882 996 Online feedback-based rating systems are gaining popularity. Dealing with unfair ratings in such systems has been recognized as an important but difficult problem. This problem is challenging especially when the number of regular ratings is relatively small and unfair ratings can contribute to a significant portion of the overall ratings. Furthermore, the lack of unfair rating data from real human users is another obstacle toward realistic evaluation of defense mechanisms. In this paper, we propose a set of statistical methods to jointly detect collaborative unfair ratings in product-rating type online rating systems. Based on detection, a framework of trust-assisted rating aggregation system is developed. Furthermore, we collect unfair rating data from real human users through a rating challenge. The proposed system is evaluated through simulations as well as experiments using real attack data. Compared with existing schemes, the proposed system can significantly reduce negative impact from unfair ratings. ]]> 4 4 883 898 2277 In this paper, we propose a novel accurate detection framework of demosaicing regularity from different source images. The proposed framework first reversely classifies the demosaiced samples into several categories and then estimates the underlying demosaicing formulas for each category based on partial second-order derivative correlation models, which detect both the intrachannel and the cross-channel demosaicing correlation. An expectation-maximization reverse classification scheme is used to iteratively resolve the ambiguous demosaicing axes in order to best reveal the implicit grouping adopted by the underlying demosaicing algorithm. Comparison results based on syntactic images show that our proposed formulation significantly improves the accuracy of the regenerated demosaiced samples from the sensor samples for a large number of diversified demosaicing algorithms. By running sequential forward feature selection, our reduced feature sets used in conjunction with the probabilistic support vector machine classifier achieve superior performance in identifying 16 demosaicing algorithms in the presence of common camera postdemosaicing processing. When applied to real applications, including camera model and RAW-tool identification, our selected features achieve nearly perfect classification performances based on large sets of cropped image blocks. ]]> 4 4 899 910 1300 In multimedia social networks, there exists complicated dynamics among users who share and exchange multimedia content. Using multimedia fingerprinting as an example, this paper investigates the human behavior dynamics in the multimedia social networks with side information. Side information is the information other than the colluded multimedia content that can help increase the probability of detection. We study the impact of side information in multimedia fingerprinting and show that the statistical means of the detection statistics can help the fingerprint detector significantly improve the collusion resistance. We then investigate how to probe the side information and model the dynamics between the fingerprint detector and the colluders as a two-stage extensive game with perfect information. We model the colluder-detector behavior dynamics as a two-stage game and find the equilibrium of the colluder-detector game using backward induction and show that the min-max solution is a Nash equilibrium, which gives no incentive for everyone in the multimedia fingerprint social network to deviate. This paper demonstrates that the proposed side information can significantly help improve the system performance to almost the same as the optimal correlation-based detector. Such result opens up a new scope in the research of fingerprinting system that given any fingerprint code, leveraging side information can improve the collusion resistance. Also, we provide the solutions to how to reach optimal collusion strategy and the corresponding detection, thus lead to a better protection of the multimedia content. ]]> 4 4 911 927 1522 How to measure the security of image hashing is still an open issue in the field of image authentication. Some works have been conducted on the security measure of image hashing. One of the most important works is the randomness measure proposed by Swaminathan , which uses differential entropy as a metric to evaluate the security of randomized image features and has been applied mainly in the security analysis of the feature extraction stage of image hashing. It is meaningful to measure the randomness of the image features over the secret-key set for the security of image hashing because the image features extracted by image hashing should be generated randomly and difficult to guess. However, as is well known, differential entropy is not invariant to scaling; thus it might not be enough to evaluate the security of randomized image features. In this paper, we show the fact that if the image features of an image hash function are scaled by a constant that is large than one, then the tradeoff between the robustness and the fragility of the image hash function will not change at all, but the security indicated by the randomness measure will increase. The above-mentioned fact seems to contradict the following. First, the security of image hashing, which conflicts with robustness and fragility, cannot increase freely. Secondly, a deterministic operation, such as deterministic scaling, does not change the security of image hashing in terms of the difficulty of guessing the secret key or randomized image features. Therefore, the randomness measure should be modified to be invariant to scaling at least. ]]> 4 4 928 932 396 A three-factor authentication scheme combines biometrics with passwords and smart cards to provide high-security remote authentication. Most existing schemes, however, rely on smart cards to verify biometric characteristics. The advantage of this approach is that the user's biometric data is not shared with remote server. But the disadvantage is that the remote server must trust the smart card to perform proper authentication which leads to various vulnerabilities. To achieve truly secure three-factor authentication, a method must keep the user's biometrics secret while still allowing the server to perform its own authentication. Our method achieves this. The proposed scheme fully preserves the privacy of the biometric data of every user, that is, the scheme does not reveal the biometric data to anyone else, including the remote servers. We demonstrate the completeness of the proposed scheme through the GNY (Gong, Needham, and Yahalom) logic. Furthermore, the security of our proposed scheme is proven through Bellare and Rogaway's model. As a further benefit, we point out that our method reduces the computation cost for the smart card. ]]> 4 4 933 945 538 Mobile ad hoc networks (MANETs) have many well-known applications in military settings as well as in emergency and rescue operations. However, a lack of infrastructure and centralized control make MANETs inherently insecure, and therefore specialized security services are needed for their deployment. Self-certification is an essential and fundamental security service in MANETs. It is needed to securely cope with dynamic membership and topology, and to bootstrap other important security primitives and services (such as secure routing and group key management) without the assistance of any centralized trusted authority. An ideal protocol must involve minimal interaction among the MANET nodes, since connectivity can be unstable. Also, since MANETs are often composed of weak or resource-limited devices, a self-certification protocol must be efficient in terms of computation and communication. In this paper, we propose a power-aware and fully noninteractive self-certification protocol based on bivariate polynomial secret sharing and a noninteractive threshold signature scheme. In contrast with prior work, our techniques do not require any interaction and do not involve any costly reliable broadcast communication among MANET nodes. We thoroughly analyze our proposal and show that it compares favorably to previous mechanisms. ]]> 4 4 946 955 588 This paper addresses privacy leakage in biometric secrecy systems. Four settings are investigated. The first one is the standard Ahlswede–CsiszÁr secret-generation setting in which two terminals observe two correlated sequences. They form a common secret by interchanging a public message. This message should only contain a negligible amount of information about the secret, but here, in addition, we require it to leak as little information as possible about the biometric data. For this first case, the fundamental tradeoff between secret-key and privacy-leakage rates is determined. Also for the second setting, in which the secret is not generated but independently chosen, the fundamental secret-key versus privacy-leakage rate balance is found. Settings three and four focus on zero-leakage systems. Here the public message should only contain a negligible amount of information on both the secret and the biometric sequence. To achieve this, a private key is needed, which can only be observed by the terminals. For both the generated-secret and the chosen-secret model, the regions of achievable secret-key versus private-key rate pairs are determined. For all four settings, the fundamental balance is determined for both unconditional and conditional privacy leakage. ]]> 4 4 956 973 820 In November 2008, we audited contests in Santa Cruz and Marin counties, California. The audits were risk-limiting: they had a prespecified minimum chance of requiring a full hand count if the outcomes were wrong. We developed a new technique for these audits, the trinomial bound. Batches of ballots are selected for audit using probabilities proportional to the amount of error each batch can conceal. Votes in the sample batches are counted by hand. Totals for each batch are compared to the semiofficial results. The “taint” in each sample batch is computed by dividing the largest relative overstatement of any margin by the largest possible relative overstatement of any margin. The observed taints are binned into three groups: less than or equal to zero, between zero and a threshold $d$ , and larger than $d$ . The number of batches in the three bins have a joint trinomial distribution. An upper confidence bound for the overstatement of the margin in the election as a whole is constructed by inverting tests for trinomial category probabilities and projecting the resulting set. If that confidence bound is sufficiently small, the hypothesis that the outcome is wrong is rejected, and the audit stops. If not, there is a full hand count. We conducted the audits with a risk limit of 25%, ensuring at least a 75% chance of a full manual count if the outcomes were wrong. The trinomial confidence bound confirmed the results without a full count, even though the Santa Cruz audit found some errors. The trinomial bound gave better results than the Stringer bound, which is commonly used to analyze financial audit samples drawn with probability proportional to error bounds. ]]> 4 4 974 981 242 In this paper, a novel multimedia identification system based on quantum hashing is considered. Many traditional systems are based on binary hash which is obtained by encoding intermediate hash extracted from multimedia content. In the system considered, the intermediate hash values extracted from a query are encoded into quantum hash values by incorporating uncertainty in the binary hash values. For this, the intermediate hash difference between the query and its true-underlying content is considered as a random process. Then, the uncertainty is represented by the probability density estimate of the intermediate hash difference. The quantum hashing system is evaluated using both audio and video databases, and with marginal increment in computational cost, the quantum hashing system is shown to be more robust against various distortions than the binary hashing system using the same intermediate hash values. ]]> 4 4 982 994 824 A novel binary audio fingerprint obtained by filtering and then quantizing the spectral centroids is proposed. A feature selection algorithm, coined pairwise boosting (PB), is used to determine the filters and quantizers by casting the fingerprinting problem of identifying a query audio clip into a binary classification problem. The PB algorithm selects the filters and quantizers which lead to accurate classification of matching and nonmatching audio pairs: a matching pair is an audio pair that should be classified as being identical, and a nonmatching pair is a pair that should be classified as being different. By iteratively reducing the classification error of both matching and nonmatching pairs, the PB algorithm improves both the robustness and discriminating ability. In our experiments, the proposed fingerprint outperformed previously reported binary fingerprints in terms of robustness and discriminating ability. In the experiment, we compared the performances of a number of distance measures. ]]> 4 4 995 1004 1534 Postelection audits of a random sample of batches of ballots against a trustworthy audit trail can limit the risk of certifying an incorrect electoral outcome to $alpha$ , guaranteeing that—if the apparent outcome is wrong—the chance of a full hand count of the audit trail is at least $1-alpha$. Risk-limiting audits can be built as sequential tests that audit more batches until either 1) there is strong evidence that the outcome is correct, given the errors found, or 2) there has been a complete hand count. The $P$ -value of the hypothesis that the outcome is wrong is the largest chance, for all scenarios in which the outcome is wrong, that overstatements of the margins between winners and losers would be “no larger” than they were observed to be. Different definitions of “larger” give different $P$ -values. A small $P$ -value is strong evidence that the outcome is correct. This paper gives simple approaches to calculating a conservative $P$-value for several ways of summarizing overstatements and several ways of drawing the sample of batches to audit, emphasizing sampling with probability proportional to a bound $u_{p}$ on the error in the $p$th audit batch (PPEB sampling). A $P$-value based on Markov's inequality applied to a martingale constructed from the data seems the most efficient among the methods discu- ssed; there are plans to use it to audit contests in two California counties in November 2009. ]]> 4 4 1005 1014 355 4 4 1015 1021 47 4 4 1022 1022 21 4 4 1023 1024 46 4 4 1025 1032 104 4 4 C3 C3 32