Secret dither estimation in lattice-quantization data hiding: a set-membership approach

Luis Pérez-Freire, Fernando Pérez-González and Pedro Comesaña

Signal Theory and Communications Dept., University of Vigo, 36310 Vigo, Spain

ABSTRACT

In this paper, security of lattice-quantization data hiding is considered from a cryptanalytic point of view. Security in this family of methods is implemented by means of a pseudorandom dither signal which randomizes the codebook, preventing unauthorized embedding and/or decoding. However, the theoretical analysis shows that the observation of several watermarked signals can provide sufficient information for an attacker willing to estimate the dither signal, quantifying information leakages in different scenarios. The practical algorithms proposed in this paper show that such information leakage may be successfully exploited with manageable complexity, providing accurate estimates of the dither using a small number of observations. The aim of this work is to highlight the security weaknesses of lattice data hiding schemes whose security relies only on secret dithering.

Keywords: Lattice data hiding, DC-DM, security, residual entropy, set-membership estimation

1. INTRODUCTION

Recently, there have been some attempts at addressing the concept of watermarking security [1, 2] from a cryptanalytic point of view, where all the information about watermarking schemes is public, and security relies only on the use of secret keys that parameterize the embedding and/or decoding processes. In additive spread-spectrum methods, for instance, security usually depends on the secrecy of the pseudorandom sequence which is added to the host signal. Theoretical studies [1, 2] have shown that, for these methods, some information about the secret key leaks from the observation of watermarked signals, so an attacker can take advantage of this information leakage to obtain an estimate of that pseudorandom sequence.
Thereafter, the attacker may use his knowledge about the secret key to devise smart attacks to defeat the watermarking scheme.

In this paper we consider the security of lattice-quantization data hiding schemes for which security relies only on the secret dither signal that randomizes the codebook [3, 4]. In our set-up, the attacker is able to gather a collection of $N_o$ watermarked signals along with additional information in some instances. Depending on the degree of additional information, three different scenarios are considered, following the nomenclature introduced in [1]: a) Known Message Attack (KMA), where the attacker knows the messages embedded in each watermarked signal; b) Constant Message Attack (CMA), where all watermarked signals are assumed to convey the same message; and c) Watermarked Only Attack (WOA), where no additional information is available. Although all these scenarios are addressed from theoretical and practical points of view, the main focus is put on the KMA scenario because of its central role in the analysis of the other cases, showing the relationship between them.

This work was partially funded by Xunta de Galicia under projects PGIDT04 TIC322013PR and PGIDT04 PXIC32202PM; MEC project DIPSTICK, reference TEC2004-02551/TCM; FIS project IM3, reference G03/185; and the European Commission through the IST Programme under Contract IST-2002-507932 ECRYPT.

ECRYPT disclaimer: The information in this paper is provided as is, and no guarantee or warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability.

Further author information: (Send correspondence to F.P.G.)
L.P.F.: E-mail: lpfreire@gts.tsc.uvigo.es
F.P.G.: E-mail: fperez@gts.tsc.uvigo.es
P.C.: E-mail: pcomesan@gts.tsc.uvigo.es
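To make the leakage claimed for the KMA scenario concrete, the following added example (not code from the paper) simulates a scalar, one-dimensional case and measures how the set of dither values consistent with the observations shrinks as $N_o$ grows. The embedding function, binary messages with coset shift m*Delta/2, alpha > 0.5, the Gaussian host and the absence of channel noise are all assumptions made for this illustration.

```python
import random

def centered_mod(v, delta):
    """Reduce v modulo delta into [-delta/2, delta/2)."""
    return (v + delta / 2) % delta - delta / 2

def embed(x, m, t, delta, alpha):
    """Assumed scalar DC-DM: move host x a fraction alpha of the way to the
    nearest point of the dithered coset delta*Z + m*delta/2 + t."""
    shift = m * delta / 2 + t
    q = delta * round((x - shift) / delta) + shift
    return x + alpha * (q - x)

def feasible_interval(ys, ms, delta, alpha):
    """Set-membership bound under KMA: an interval (lo, hi) that contains the
    dither t modulo delta. Each y lies within r of a coset point, so each
    observation confines t to a window of width 2r; the windows are
    intersected. Needs alpha > 0.5 so the modulo reduction is unambiguous."""
    r = (1 - alpha) * delta / 2
    v = [y - m * delta / 2 for y, m in zip(ys, ms)]    # remove known message
    w = [centered_mod(vi - v[0], delta) for vi in v]   # offsets from 1st obs
    return v[0] + max(w) - r, v[0] + min(w) + r

def leakage_demo(n_obs, delta=1.0, alpha=0.7, seed=1):
    """Return (width of feasible interval, |error| of its midpoint)
    for n_obs constructed observations with a random secret dither."""
    rng = random.Random(seed)
    t = rng.uniform(-delta / 2, delta / 2)             # secret dither
    ys, ms = [], []
    for _ in range(n_obs):
        x = rng.gauss(0, 10 * delta)                   # constructed host
        m = rng.randrange(2)                           # known message bit
        ys.append(embed(x, m, t, delta, alpha))
        ms.append(m)
    lo, hi = feasible_interval(ys, ms, delta, alpha)
    return hi - lo, abs(centered_mod(t - (lo + hi) / 2, delta))

if __name__ == "__main__":
    for n in (1, 5, 20, 200):
        width, err = leakage_demo(n)
        print(f"N_o={n:4d}  feasible width={width:.4f}  midpoint error={err:.4f}")
```

The width starts at (1 - alpha)*Delta for a single observation and can only decrease, which is the residual uncertainty a designer should weigh when the dither is the only secret.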