1: \documentclass[journal]{IEEEtran}
2: \usepackage{epsfig,latexsym,graphics,psfrag,cite}
3: \usepackage[mathcal]{euscript} % redefine \mathcal to be \EuScript;
4: % \CMcal{} is old \mathcal
5:
6: \def\ps@first{%
7: \def\@oddhead{\hfil{\small \status}\hfil}%
8: \def\@evenhead{\hfil{\small \status}\hfil}}
9:
10:
11: %% Convenient definitions and macros.
12: \usepackage{amssymb,amsmath,amsfonts,oldgerm,euscript}
13:
14: \newtheorem{lemma}{Lemma}
15: \newtheorem{theorem}{Theorem}
16: \newtheorem{definition}{Definition}
17:
18:
19: \newcommand{\real}{\sf R}
20: \newcommand{\integers}{\sf N}
21:
22: % macros to represent a full sequence such as X_1^n
23: \newcommand{\ful}[1]{#1_1^n}
24: \newcommand{\fulh}[1]{\hat{#1}_1^n}
25: \newcommand{\fulhh}[1]{\check{#1}_1^n}
26: \newcommand{\fulb}[1]{\{#1_i\}_{i=1}^n}
27:
28: \newcommand{\thrmref}[1]{Theorem~\mbox{\ref{#1}}}
29: \newcommand{\lemref}[1]{Lemma~\mbox{\ref{#1}}}
30: \newcommand{\propref}[1]{Proposition~\mbox{\ref{#1}}}
31: \newcommand{\figref}[1]{Figure~\mbox{\ref{#1}}}
32: \newcommand{\secref}[1]{Section~\mbox{\ref{#1}}}
33: \newcommand{\chapref}[1]{Chapter~\mbox{\ref{#1}}}
34: \newcommand{\appref}[1]{Appendix~\mbox{\ref{#1}}}
35: \newcommand{\myeqref}[1]{Eqn.~(\mbox{\ref{#1}})}
36: % This command produces the symbol for strongly jointly typical set.
37: % For example \styp{e}{n} produces A_e^{*(n)}.
38: \newcommand{\styp}[2]{A_{#1}^{*(#2)}}
39:
40: \newcommand{\dthrm}{$\spadesuit$}
41:
42: \newcommand{\fancy}[1]{{\ensuremath{\mathcal{#1}}}}
43: \newcommand{\script}[1]{\begin{mathcal}#1\end{mathcal}}
44: \newcommand{\abs}[1]{\left|#1\right|}
45: \newcommand{\innerProd}[2]{\prec #1 \mid #2 \succ}
46: \newcommand{\norm}[1]{\parallel #1 \parallel}
47: \newcommand{\defeq}{\stackrel{\Delta}{=}}
48:
49: \def\argmax{\mathop{\rm arg\,max}}
50: \def\argmin{\mathop{\rm arg\,min}}
51: \def\sgn{{\rm sgn}}
52:
53: \newcommand{\qed}{\rule[0.1ex]{1.4ex}{1.6ex}}
54:
55: \renewcommand{\ful}[1]{#1^n}
56: \newcommand{\comp}{\mathrm{c}}
57:
58: % notation for the source capital and lowercase
59: \newcommand{\nSrc}{S}
60: \newcommand{\nsrc}{s}
61:
62: % notation for channel input capital and lowercase
63: \newcommand{\nChIn}{X}
64: \newcommand{\nchin}{x}
65:
66: % notation for auxiallary variable
67: \newcommand{\nAux}{U}
68: \newcommand{\naux}{u}
69:
70: % notation for auxiallary variable 1 capital and lowercase
71: \newcommand{\nAuxDeg}{U}
72: \newcommand{\nauxdeg}{u}
73:
74: % notation for auxiallary variable 2 capital and lowercase
75: \newcommand{\nAuxRef}{T}
76: \newcommand{\nauxref}{t}
77:
78: % notation for first channel output capital and lowercase
79: \newcommand{\nChOut}{Y}
80: \newcommand{\nchout}{y}
81:
82: % notation for undegraded channel output capital and lowercase
83: \newcommand{\nChOutRef}{\nChOut_{\mathrm{f}}}
84: \newcommand{\nchoutref}{\nchout_{\mathrm{f}}}
85:
86: % notation for degraded channel output capital and lowercase
87: \newcommand{\nChOutDeg}{\nChOut_{\mathrm{c}}}
88: \newcommand{\nchoutdeg}{\nchout_{\mathrm{c}}}
89:
90:
91: %{\frakfamily S}
92: %${\frakfamily S}$
93: %${\EuFrak{S}}$
94: %$\frak{S}$
95: %$\EuScript{S}$
96: %$\cal{S}$
97: %$4 + \textgoth{S}_P$
98: %$4 + \textfrak{S}_P$
99: %$4 + \textswab{S}_P$
100:
101: % traditional security event
102: \newcommand{\ptsec}{\mathcal{E}_T}
103: % strong security event
104: \newcommand{\strongSecDeg}{\mathcal{E}_{S_1}}
105: \newcommand{\strongSecRef}{\mathcal{E}_{S_2}}
106: \newcommand{\authsucc}{\mathcal{E}_S}
107: \newcommand{\authfail}{\mathcal{E}_U}
108:
109:
110: % note if the following are changed you
111: % need to change the encoding and decoding example figures
112: \newcommand{\fqnt}{F} % quantize
113: \newcommand{\fsetz}{G} % set some bits to 0
114: \newcommand{\fasg}{Q} % embed signature bits
115: \newcommand{\frec}{P} % reconstruct
116: \newcommand{\dtag}{\tau} % tag for digital signature
117:
118: % source alphabet
119: \newcommand{\srcAlph}{\mathcal{S}}
120:
121: % auxiallary variable alphabet
122: \newcommand{\auxAlph}{\mathcal{U}}
123:
124: % channel input alphabet
125: \newcommand{\chinAlph}{\mathcal{X}}
126:
127: % digital signature key generation algorithm
128: \newcommand{\keygen}{\mathcal{K}}
129:
130: % digital signature signing algorithm
131: \newcommand{\dsign}{\EuScript{S}}
132:
133: % digital signature verifying algorithm
134: \newcommand{\dver}{\EuScript{V}}
135:
136:
137: % symbol for distortion
138: \newcommand{\Dist}{D}
139: \newcommand{\Diste}{D_{\mathrm{e}}}
140: \newcommand{\Distr}{D_{\mathrm{r}}}
141: \newcommand{\Distei}{D_{\mathrm{e},i}}
142: \newcommand{\Distri}{D_{\mathrm{r},i}}
143: \newcommand{\Distrc}{D_{\mathrm{r}}^{\mathrm{c}}}
144: \newcommand{\Distrf}{D_{\mathrm{r}}^{\mathrm{f}}}
145: \newcommand{\diste}{d_{\mathrm{e}}}
146: \newcommand{\distr}{d_{\mathrm{r}}}
147: \newcommand{\distrc}{d_{\mathrm{r}}}
148: \newcommand{\distrf}{d_{\mathrm{r}}}
149:
150: % symbol for decoding failure
151: \newcommand{\dfail}{\varnothing}
152:
153: % \newcommand{\encScheme}{\mathcal{G}}
154: \newcommand{\encoder}{\Upsilon_n}
155: % \newcommand{\Xenc}{\Upsilon}
156: \newcommand{\secKey}{\theta}
157: \newcommand{\pubKey}{\secKey_p}
158: \newcommand{\privKey}{\secKey_s}
159:
160: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
161: %
162: % decoder stuff
163: %
164:
165: \newcommand{\decoder}{\Phi_n}
166: % full decoding function indexed by n
167: \newcommand{\xdecn}[1]{\Phi_{n}\left(#1\right)}
168: % full decoding function
169: \newcommand{\xdec}[1]{\Phi\left(#1\right)}
170: % full decoding function indexed by i
171: \newcommand{\xdeci}[1]{\Phi_{i}\left(#1\right)}
172: % first part of decoder which estimates Y
173: \newcommand{\xdecY}[1]{\Phi_A\left(#1\right)}
174: % second part of decoder which estimates X given Y
175: \newcommand{\xdecE}[1]{\Phi_B(#1)}
176:
177: %% degraded decoder stuff
178:
179: \newcommand{\refsedec}[2]{g_{\mathrm{f}}\left(#1,#2\right)}
180: \newcommand{\degsedec}[1]{g_{\mathrm{c}}\left(#1\right)}
181: % full decoding function indexed by n
182: \newcommand{\degxdecn}[1]{\Psi_{n}\left(#1\right)}
183: % full decoding function
184: \newcommand{\degxdec}[1]{\Psi\left(#1\right)}
185: % full decoding function indexed by i
186: \newcommand{\degxdeci}[1]{\Psi_{i}\left(#1\right)}
187:
188: % encoding failure events
189: \newcommand{\encSNotTyp}{\mathcal{E}_\mathrm{st}}
190: \newcommand{\encFail}{\mathcal{E}_\mathrm{et}}
191: \newcommand{\encChFail}{\mathcal{E}_\mathrm{ct}}
192: \newcommand{\decFail}{\mathcal{E}_\mathrm{dt}}
193: \newcommand{\edfail}{\mathcal{E}_\mathrm{tf}}
194: \newcommand{\noedfail}{\edfail^\comp}
195:
196: \newcommand{\encDegFail}{\mathcal{E}_2}
197: \newcommand{\encRefFail}{\mathcal{E}_3}
198:
199: \iffalse
200: dv = distortion violation
201: sa = successful attack
202: tf = typicality failure
203: st = source typicality failure
204: et = encoder typicality failure
205: ct = channel typicality failure
206: dt = decoder typicality failure
207: \fi
208:
209:
210: % excess distortion error events
211: % \newcommand{\exdist}[1]{\mathcal{E}_{\dist_{#1}}}
212: \newcommand{\exdiste}{\mathcal{E}_{\Diste}}
213: \newcommand{\exdistr}{\mathcal{E}_{\Distr}}
214: \newcommand{\Edv}{\mathcal{E}_\mathrm{dv}}
215:
216: % undetected error event
217: \newcommand{\undetErr}{\mathcal{E}_\mathrm{sa}}
218: \newcommand{\undetErrDeg}{\mathcal{E}_{\mathrm{sa}_1}}
219: \newcommand{\undetErrRef}{\mathcal{E}_{\mathrm{sa}_2}}
220:
221: % overall error event
222: % \newcommand{\overallErr}{\mathcal{E}}
223:
224: % probability of decoding error
225: \newcommand{\pesterr}{P_e^{(n)}}
226:
227: % codebooks, codewords, admissable codewords and rates
228: \newcommand{\reconSet}{\mathcal{R}}
229: \newcommand{\cbook}{\mathcal{C}}
230: \newcommand{\cbookdeg}{\mathcal{C}_{\mathrm{c}}} % degraded codebook
231: \newcommand{\cbookref}{\mathcal{C}_{\mathrm{f}}} % refinement codebook
232: \newcommand{\codeword}[1]{c_{#1}}
233: \newcommand{\admissOC}{\mathcal{A}_1}
234: \newcommand{\admissTC}[1]{\mathcal{A}_{\codeword{#1}}}
235: \newcommand{\admissC}{\mathcal{A}}
236: \newcommand{\cbkR}{R}
237: \newcommand{\cbkRdeg}{R_{\mathrm{c}}}
238: \newcommand{\cbkRref}{R_{\mathrm{f}}}
239: \newcommand{\cdeg}{c_{\mathrm{c}}}
240: \newcommand{\cdegh}{\hat{c}_{\mathrm{c}}}
241: \newcommand{\cref}{c_{\mathrm{f}}}
242: \newcommand{\crefh}{\hat{c}_{\mathrm{f}}}
243:
244: % snr and dnr
245: \newcommand{\snr}{\mathrm{SNR}}
246: \newcommand{\dnr}{\mathrm{DNR}}
247: \newcommand{\ldnr}{\mathrm{LDNR}}
248: %
249:
250: % set up shading macros for pictures
251: \newcommand{\sizedquantregion}[3]{
252: \texture{ff888888 88ffffff ff22a222 a2ffffff ff888888 88ffffff ff2a2a2a 2affffff
253: ff888888 88ffffff ffa222a2 22ffffff ff888888 88ffffff ff2a2a2a 2affffff
254: ff888888 88ffffff ff22a222 a2ffffff ff888888 88ffffff ff2a2a2a 2affffff
255: ff888888 88ffffff ffa222a2 22ffffff ff888888 88ffffff ff2a2a2a 2affffff }
256: \put(#1,#2){\shade\ellipse{#3}{15}}
257: \texture{cccccccc 0 0 0 cccccccc 0 0 0
258: cccccccc 0 0 0 cccccccc 0 0 0
259: cccccccc 0 0 0 cccccccc 0 0 0
260: cccccccc 0 0 0 cccccccc 0 0 0}
261: }
262:
263:
264: \newcommand{\smallquantregion}[2]{
265: \texture{ff888888 88ffffff ff22a222 a2ffffff ff888888 88ffffff ff2a2a2a 2affffff
266: ff888888 88ffffff ffa222a2 22ffffff ff888888 88ffffff ff2a2a2a 2affffff
267: ff888888 88ffffff ff22a222 a2ffffff ff888888 88ffffff ff2a2a2a 2affffff
268: ff888888 88ffffff ffa222a2 22ffffff ff888888 88ffffff ff2a2a2a 2affffff }
269: \put(#1,#2){\shade\ellipse{40}{20}}
270: \texture{cccccccc 0 0 0 cccccccc 0 0 0
271: cccccccc 0 0 0 cccccccc 0 0 0
272: cccccccc 0 0 0 cccccccc 0 0 0
273: cccccccc 0 0 0 cccccccc 0 0 0}
274: }
275:
276: \newcommand{\bigquantregion}[2]{
277: \texture{11000000 00333333 33000000 00333333 33000000 00333333
278: 33000000 00333333 33000000 00333333 33000000 00333333 33000000
279: 00333333 33000000 00333333 33000000 00333333 33000000 00333333
280: 33000000 00333333 33000000 00333333 33000000 00333333 33000000
281: 00333333 33000000 00333333 33000000 00333333 }
282: \put(#1,#2){\shade\ellipse{220}{15}}
283: \texture{cccccccc 0 0 0 cccccccc 0 0 0
284: cccccccc 0 0 0 cccccccc 0 0 0
285: cccccccc 0 0 0 cccccccc 0 0 0
286: cccccccc 0 0 0 cccccccc 0 0 0}
287: }
288:
289: %
290: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
291:
292: \newcommand{\card}[1]{\left|#1\right|}
293: \newtheorem{prop}{Proposition}
294:
295: \DeclareMathOperator{\semiB}{semi-Bernoulli}
296:
297: % channel output alphabet
298: \newcommand{\choutAlph}{\mathcal{Y}}
299:
300: % scalar estimation/decoding function
301: \newcommand{\sedec}[1]{g(#1)}
302: \newcommand{\sedeci}[2]{g_{#1}(#2)}
303: \newcommand{\fulsedec}[1]{\ful{g}(#1)}
304: % scalar encoding function?
305: \newcommand{\senc}[1]{f(#1)}
306: \newcommand{\fulsenc}[1]{\ful{f}(#1)}
307:
308: \newcommand{\reals}{\mathbb{R}}
309: \newcommand{\complexes}{\mathbb{C}}
310: \renewcommand{\integers}{\mathbb{Z}}
311: \newcommand{\naturals}{\mathbb{N}}
312:
313: % notation for insecure channel output capital and lowercase
314: \newcommand{\nIChOut}{Y}
315: \newcommand{\nichout}{y}
316:
317: % notation for insecure channel output (non-degraded) capital and lowercase
318: \newcommand{\nIChOutND}{Y_2}
319: \newcommand{\nichoutnd}{y_2}
320:
321: % notation for insecure channel output (non-degraded) capital and lowercase
322: \newcommand{\nIChOutD}{Y_1}
323: \newcommand{\nichoutd}{y_1}
324:
325: % max of d_i
326: \newcommand{\dmax}[1]{\bar{d}_{#1}}
327:
328: %
329: \newcommand{\genrv}{T}
330:
331: \newcommand{\nCode}{C}
332: \newcommand{\ncode}{c}
333:
334: \newcommand{\nSrch}{\hat{\nSrc}}
335: \newcommand{\nSrct}{\tilde{\nSrc}}
336: \newcommand{\nsrch}{\hat{\nsrc}}
337:
338: % \newcommand{\nSrcc}{\check{\nSrc}}
339: % \newcommand{\nsrcc}{\check{\nsrc}}
340:
341: \newtheorem{claim}{Claim}
342:
343: \newcommand{\crossProb}{p}
344:
345: \def\cA{{\EuScript A}}
346: \def\cY{{\EuScript Y}}
347: \def\cW{{\EuScript W}}
348: \def\cU{{\EuScript U}}
349: \def\cX{{\EuScript X}}
350: \def\cS{{\EuScript S}}
351: \def\cV{{\EuScript V}}
352: \def\cE{{\EuScript E}}
353: \def\cC{{\EuScript C}}
354: \def\cN{{\EuScript N}}
355: \def\cL{{\EuScript L}}
356: \def\cP{{\EuScript P}}
357:
358: \begin{document}
359:
360: \title{Authentication with Distortion Criteria}
361: %
362: \author{Emin~Martinian,~\IEEEmembership{Member,~IEEE,} Gregory~W.~Wornell,~\IEEEmembership{Fellow,~IEEE} and~Brian~Chen~\IEEEmembership{Member,~IEEE}%
363: \thanks{Manuscript received May 2002; revised January 2004 and
364: February 2005. This work has been supported in part by the National
365: Science Foundation under Grant No.~CCR-0073520 and through a National
366: Science Foundation Graduate Fellowship, Microsoft Research,
367: Hewlett-Packard through the MIT/HP Alliance, and Texas Instruments
368: through the Leadership Universities Program. This work was presented
369: in part at ISIT-2001, Washington, DC.}%
370: \thanks{The authors are affiliated with the Department of Electrical
371: Engineering and Computer Science, Massachusetts Institute of
372: Technology, Cambridge, MA 02139. (E-mail: \{emin,gww,bchen\}@mit.edu).}}
373:
374: \markboth{IEEE Trans.\ Inform.\ Theory,~Vol.~X, No.~XX,~~2005}{Martinian\MakeLowercase{\textit{et al.}}:
375: Authentication with Distortion Criteria}
376:
377: % \pubid{0000--0000/00\$00.00~\copyright~2005 IEEE}
378:
379: \maketitle
380:
381: % intentional or incidental, benign or malicious
382: % degrade, enhance, transform, modify, perturb
383:
384: \begin{abstract}
385: In a variety of applications, there is a need to authenticate content
386: that has experienced legitimate editing in addition to potential
387: tampering attacks. We develop one formulation of this problem based
388: on a strict notion of security, and characterize and interpret the
389: associated information-theoretic performance limits. The results can
390: be viewed as a natural generalization of classical approaches to
391: traditional authentication. Additional insights into the structure of
392: such systems and their behavior are obtained by further specializing
393: the results to Bernoulli and Gaussian cases. The associated systems
394: are shown to be substantially better in terms of performance and/or
395: security than commonly advocated approaches based on data hiding and
396: digital watermarking. Finally, the formulation is extended to obtain
397: efficient layered authentication system constructions.
398: \end{abstract}
399:
400: \begin{keywords}
401: coding with side information, data hiding, digital signatures,
402: digital watermarking, information embedding, joint source-channel
403: coding, multimedia security, robust hashing, tamper-proofing,
404: transaction-tracking
405: \end{keywords}
406:
407: %\setcounter{section}{0}
408:
409: \section{Introduction}
410:
411: \PARstart{I}{n} traditional authentication problems, the goal is to
412: determine whether some content being examined is an exact replica of
413: what was created by the author. Digital signature techniques
414: \cite{diffie_hellman} are a natural tool for addressing such problems.
415: In such formulations, the focus on exactness avoids consideration of
416: semantic issues. However, in many emerging applications, semantic
417: issues are an integral aspect of the problem, and cannot be treated
418: separably. As contemporary examples, the content of interest may be
419: an audio or video waveform, or an image, and before being presented to
420: a decoder the waveform may experience any of a variety of possible
421: perturbations, including, for example, degradation due to noise or
422: compression; transformation by filtering, resampling, or transcoding;
423: or editing to annotate, enhance, or otherwise modify the waveform.
424: Moreover, such perturbations may be intentional or unintentional,
425: benign or malicious, and semantically significant or not. Methods for
426: reliable authentication from such perturbed data are important as
427: well.
428:
429: The spectrum of applications where such authentication capabilities
430: will be important is enormous, ranging from drivers' licenses,
431: passports, and other government-issued photo identication; to news
432: photographs and interview tapes; to state-issued currency and other
433: monetary instruments; to legal evidence in the form of audio and video
434: recordings in court cases. Indeed, the rapidly increasing ease with
435: which such content can be digitally manipulated in sophisticated ways
436: using inexpensive systems, whether for legitimate or fraudulent
437: purposes, is of considerable concern in these applications.
438:
439: Arising out of such concerns, a variety of technologies have been
440: introduced to facilitate authentication in such settings. Examples
441: include various physical watermarking technologies --- such as
442: hologram imprinting in images --- as well as more recent digital
443: decendents. See, e.g., \cite{pak99} for some of the rich history in
444: this area going back several hundred years. However, regardless of
445: the implementation, all involve the process of marking or altering the
446: content in some way, which can be viewed as a form of encoding.
447:
448: A rather generic problem that encompasses essentially all the
449: applications of interest is that of transaction-tracking in a content
450: migration scenario. In this scenario, there are essentially three
451: types of participants involved in the migration of a particular piece
452: of content. There is the original author or creator of the content,
453: who delivers an encoding of it.\footnote{There are no inherent
454: restrictions on what can constitute ``content'' in this generic
455: problem. Typical examples include video, audio, imagery, text, and
456: various kinds data.} There is the editor who makes modifications to
457: this encoded content, and publishes the result.\footnote{The motives
458: and behavior of the editor naturally depend on the particular
459: application and situation. At one extreme the editor
460: might just perform some benign resampling or other transcoding, or, at
461: the other extreme, might attempt to create a forgery from the content.
462: In the latter case, the editor would be considered an attacker.} And
463: there is the reader or end-user for whom the published work is
464: intended. The reader wants to be able to determine 1) whether
465: published work being examined was derived from content originally
466: generated by the author, and 2) how it was modified by the editor. At
467: the same time, the editor wants the author's encoding to be
468: (semantically) close to the original content, so that the
469: modifications can take the semantics into account as necessary.
470:
471: In the recent literature, researchers have proposed a variety of
472: approaches to such problems based on elements of digital watermarking,
473: cryptography, and content classification; see, e.g., \cite{fridrich,
474: rey_2000, wolfgang_1996, friedman, kundur, wong, wu_liu, queluz,
475: bat_kut, md00, eggers_2001, yeung_1997, schneider_1996, Lin_2001,
476: Me_2001, Lu_2001} and the references therein. Ultimately, the methods
477: developed to date implicitly or explicitly attempt to balance the
478: competing goals of robustness to benign perturbations, security
479: against tampering attacks, and encoding distortion.
480:
481: Within this literature, there are two basic types of approaches. In
482: the first, the authentication mechanism is based on embedding what is
483: referred to as a ``fragile'' watermark known to both encoder and
484: decoder into the content of interest. At the decoder, a watermark is
485: extracted and compared to the known watermark inserted by the encoder.
486: The difference between the extracted watermark and the known watermark
487: is then interpreted as a measure of authenticity. Examples of this
488: basic approach include \cite{kundur, yeung_1997, wolfgang_1996,
489: eggers_2001}.
490:
491: The second type of approach is based on a ``robust'' watermarking
492: strategy, whereby the important features of the content are extracted,
493: compressed and embedded back into the content by the encoder. The
494: decoder attempts to extract the watermark from the content it obtains
495: and authenticates by comparing the features encoded in the watermark
496: to the features in the content itself. This strategy is sometimes
497: termed ``self-embedding.'' Examples of this basic approach include
498: \cite{rey_2000, bat_kut, schneider_1996}.
499:
500: Despite the growing number of proposed systems, many basic questions
501: remain about 1) how to best model the problem and what we mean by
502: authentication, 2) what the associated fundamental performance limits
503: are, and 3) what system structures can and cannot approach those
504: limits. More generally, there are basic questions about the degree to
505: which the authentication, digital watermarking, and data hiding
506: problems are related or not.
507:
508: While information-theoretic treatments of authentication problems are
509: just emerging, there has been a growing literature in the information
510: theory community on digital watermarking and data hiding problems, and
511: more generally problems of coding with side information, much of which
512: builds on the foundation of \cite{gelfand_1980, costa_83, heg83}; see,
513: e.g., \cite{mos98, cw00b, cl00, mos00, chen_wornell_2001, moulin2003,
514: sm01, cohen_2002, swanson, memon, cox, cpr99, pcr03, seg00,
515: rjb_bc_gw_preprint, bcw01, Merhav_2000, cc01, esz00, zse02,
516: Sutivong_2002} and the references therein. Collectively, this work
517: provides a useful context within which to examine the topic of
518: authentication.
519:
520: Our contribution in this paper is to propose one possible formulation
521: for the general problem of authentication with a semantic model, and
522: examine its implications. In particular, using distortion criteria to
523: capture semantic aspects of the problem, we assess performance limits
524: in terms of the inherent trade-offs between security, robustness, and
525: distortion, and in turn develop the structure of systems that make
526: these trade-offs efficiently. As we will show, these systems have
527: important distinguishing characteristics from those proposed to date.
528: We also see that under this model, the general authentication problem
529: is substantially different from familiar formulations of the digital
530: watermarking and data hiding problems, and has a correspondingly
531: different solution.
532:
533: A detailed outline of the paper is as follows. We begin by briefly
534: defining our notation and terminology in \secref{sec:notation}. Next
535: in \secref{sec:informal_problem}, we develop a system model and
536: problem formulation, quantifying a notion of authentication. In
537: \secref{sec:codethms}, we characterize the performance limits of such
538: systems via our main coding theorem. \secref{sec:proofs} contains
539: both the associated achievability proof, which identifies the
540: structure of good systems, and a converse. In
541: \secref{sec:binary_hamming} the results are applied to the case of
542: binary content with Hamming distortion measures, and in
543: \secref{sec:gaussian} to Gaussian content with quadratic distortion
544: measures. \secref{sec:discussion} then analyzes other classes of
545: authentication techniques in the context of our framework, and shows
546: that they are inherently either less efficient or less secure that the
547: systems developed here. Next, \secref{sec:layered} generalizes the
548: results of the paper to include layered systems that support multiple
549: levels of authentication. Finally, \secref{sec:conc} contains some
550: concluding remarks.
551:
552: \section{Notation and Terminology}
553: \label{sec:notation}
554:
555: We use standard information theory notation (e.g., as found in
556: \cite{cover}). Specifically, $E[A]$ denotes expectation of the random
557: variable $A$, $H(A)$, and $I(B;C)$ denote entropy and mutual
558: information, and $A \leftrightarrow B \leftrightarrow C$ denotes the
559: Markov condition that random variables $A$ and $C$ are independent
560: given $B$. We use the notation $v_i^j$ to denote the sequence
561: $\{v_i,v_{i+1},\dots,v_j\}$, and define $\ful{v}=v_1^n$. Alphabets
562: are denoted by uppercase calligraphic letters, e.g., $\srcAlph$,
563: $\chinAlph$. We use $\card{\cdot}$ to denote the cardinality of a set
564: or alphabet.
565:
566: Since the applications are quite varied, we keep our terminology
567: rather generic. The content of interest, as well as its various
568: encodings and recontructions, will be generically referred to as
569: ``signals,'' regardless of whether they refer to video, audio,
570: imagery, text, data, or any other kind of content. The original
571: content we will also sometimes simply refer to as the ``source.''
572: Moreover, we will generally associate any manipulations of the encoded
573: content with the ``editor,'' regardless of whether any human is
574: involved. However, as an exception, we will often use the term
575: ``attacker'' in lieu of ``editor'' for cases where the manipulations
576: are specifically of a malicious nature.
577:
578: \section{System Model and Problem Formulation}
579: \label{sec:informal_problem}
580:
581: Our system model for the transaction-tracking scenario is as depicted
582: in Fig.~\ref{fig:channel}. To simplify the exposition, we model the
583: original content as an independent and identically distributed
584: (i.i.d.)\footnote{Our results do not depend critically on the i.i.d.\
585: property, which is chosen for convenience. In fact, the i.i.d.\ model
586: is sometimes pessimistic; better performance can often be obtained by
587: taking advantage of correlation present in the source or channel. We
588: believe that qualitatively similar results would be obtained in more
589: general settings (e.g., using techniques from \cite{Verdu_1994,
590: Steinberg_1996}).} sequence $\nSrc_1, \nSrc_2, \ldots, \nSrc_n$. In
591: practice $\ful{\nSrc}$ could correspond to sample values or signal
592: representations in some suitable basis.
593:
594: \begin{figure*}[tbp]
595: \centering
596: \psfrag{S}{\huge$\ful{\nSrc}$}
597: \psfrag{X}{\huge$\ful{\nChIn}$}
598: \psfrag{Y}{\huge$\ful{\nChOut}$}
599: \psfrag{Sh}{\huge$\ful{\nSrch}$ or $\dfail$}
600: \includegraphics[angle=0,width=5in]{figs/channel.eps}
601: \caption{Authentication system model. The source $\ful{\nSrc}$ is
602: encoded by the content creator into $\ful{\nChIn}$, incurring some
603: distortion. The channel models the actions of the editor, i.e., all
604: processing experienced by the encoded content before it is made
605: available to the end-user. The decoder, controlled by the end-user,
606: produces from the channel output $\ful{\nChOut}$ either an authentic
607: reconstruction $\ful{\nSrch}$ of the source to within some fidelity,
608: or indicates that authentication is not possible using the special
609: symbol $\dfail$.
610: \label{fig:channel}}
611: \end{figure*}
612:
613: The encoder takes as input the block of $n$ source samples
614: $\ful{\nSrc}$, producing an output $\ful{\nChIn}$ that is suitably
615: close to $\ful{\nSrc}$ with respect to some distortion measure. The
616: encoder is under the control of the content creator. The encoded
617: signal then passes through a channel, which models the actions of the
618: generic ``editor'', and encompasses all processing experienced by the
619: encoded signal before it is made available to the end-user as
620: $\ful{\nChOut}$. This processing would include all effects ranging
621: from routine handling to malicious tampering. The decoder, which is
622: controlled by the end-user, either produces, to within some fidelity
623: as quantified by a suitable distortion measure, a reconstruction
624: $\ful{\nSrch}$ of the source that is guaranteed to be free from the
625: effects of any modifications by the editor, or declares that it is not
626: possible to produce such a reconstruction. We term such
627: reconstructions ``authentic.''
628:
629: Our approach to the associated channel modeling issues in the
630: formulation of Fig.~\ref{fig:channel} has some novel features, and
631: thus warrants special discussion. Indeed, as we now discuss, our
632: approach to such modeling is not to \emph{anticipate} the possible
633: behaviors of the editor, but to effectively \emph{constrain} them. In
634: particular, we avoid choosing a model that tries to characterize the
635: range of processing the editor might undertake. If we did, the
636: security properties of the resulting system would end up being
637: sensitive to any modeling errors, i.e., to any behavior of the editor
638: that is inconsistent with the model.
639:
640: Instead, the focus is on choosing a model that defines the range of
641: processing the editor can undertake and have such edits accepted by
642: the end-user. We refer to this as our ``reference channel model.''
643: Specifically, we effectively design the system such the decoder will
644: successfully authenticate the modified content if and only if the
645: edits are consistent with the reference channel model. Thus, the
646: editor is free to edit the content in any way (and we make no attempt
647: to model the range of behavior), but the subset of behaviors for which
648: the system will authenticate is strictly controlled via the reference
649: channel construct. Ultimately, since the end-user will not accept
650: content that cannot be authenticated, the editor will constrain its
651: behavior according to the reference channel.
652:
653: From this perspective, the reference channel model is a system design
654: parameter, and thus is known a priori to encoders, decoders, and
655: editors. To simplify our analysis, we will restrict our attention to
656: memoryless probabilistic reference channel models. In this case, the
657: model is characterized by a simple conditional distribution
658: $p(\nChOut|\nChIn)$.
659:
660: As our main result, in Section~\ref{sec:codethms} we characterize when
661: authentication systems with the above-described behavior are possible,
662: and when they are not. Specifically, let $\Diste$ denote the encoding
663: distortion, i.e., the distortion experienced in the absence of a
664: channel, and let $\Distr$ denote the distortion in the reconstruction
665: produced by the decoder when the signal can be authenticated, i.e.,
666: when the channel transformations are consistent with the chosen
667: reference distribution $p(\nchout|\nchin)$. Then we determine which
668: distortion pairs $(\Diste,\Distr)$ are asymptotically achievable.
669:
670: We emphasize that the distortion pair $(\Diste,\Distr)$ corresponds
671: precisely to the performance characteristics of direct interest in the
672: system for the transaction-tracking scenario. Indeed, a small
673: $\Diste$ means the editor is given work with a faithful version of the
674: original content. Moreover, a small $\Distr$ means that the end-user
675: is able to accurately estimate the editor's modifications by comparing
676: the decoder input to the authentic reconstruction.
677:
678: \subsection{Defining ``Authenticity''}
679:
680: To develop our main results, we first need to quantify the concept of
681: an ``authentic reconstruction.'' Recall that our intuitive notion of
682: an authentic reconstruction is one that is free from the effects of
683: the edits when the reference channel is in effect. Formally, this is
684: naturally expressed as follows.
685: \begin{definition} \label{def:authrec}
686: A reconstruction $\ful{\nSrch}$ produced by the decoder from the
687: output $\ful{\nChOut}$ of the reference channel is said to be
688: authentic if it satisfies the Markov condition below:
689: \begin{equation}
690: \ful{\nSrch} \leftrightarrow \{ \ful{\nSrc}, \ful{\nChIn} \}
691: \leftrightarrow \ful{\nChOut}
692: \label{eq:estmarkov}
693: \end{equation}
694: \end{definition}
695: Note that as special cases, this definition would include systems in
696: which, for example, $\ful{\nSrch}$ is a deterministic or randomized
697: function of $\ful{\nSrc}$. More generally, this definition means that
698: the authentic reconstructions are effectively defined by the encoder
699: in such systems. This will have implications later in the system
700: design.
701:
702: \iffalse
703: Of course, the decoder may fail to successfully decode $\ful{\nSrch}$
704: from the channel output $\ful{\nChOut}$. To avoid confusing security
705: and decoding error, however, our security requirement is defined in
706: the case that decoding succeeds and we deal with the probability of
707: decoding error separately. The advantage of this approach is that if
708: an authentication system produces a reconstruction satisfying
709: \eqref{eq:estmarkov}, then a user can be completely confident that he
710: will be unaffected by any actions of a malicious adversary.\footnote{
711: A disadvantage is that this definition may be unnecessarily strict; a
712: different definition may capture a satisfactory notion of
713: authentication with fewer limits on system design. We defer further
714: comments on other notions of authenticity to Sections
715: \ref{sec:fragile} and \ref{sec:conc}.}
716: \fi
717:
718: \subsection{An Example Distortion Region}
719: \label{sec:exdr}
720:
721: Before developing our main result, we illustrate with an example the
722: kinds of results that will be obtained. This example corresponds to a
723: problem involving a symmetric Bernoulli source, Hamming distortion
724: measures, and a (memoryless) binary symmetric reference channel with
725: crossover probability $p$.
726:
727: Under this example scenario, the editor is allowed to flip a fraction
728: $p$ of the binary source samples, and the end-user must (almost
729: certainly) be able to generate an authentic reconstruction from such a
730: perturbation. If the edits are generated from a different
731: distribution, such as a binary symmetric channel with a cross-over
732: probability greater than $p$, then the decoder must (almost certainly)
733: declare an authentication failure.
734:
735: The corresponding achievable distortion region is depicted in
736: Fig.~\ref{fig:ham_reg}. Several points on the frontier are worth
737: discussing. First, note that the upper left point on the frontier,
738: i.e., $(\Diste,\Distr) = (0,1/2)$, reflects that if no encoding
739: distortion is allowed, then authentic reconstructions are not
740: possible, since the maximum possible distortion is incurred. At the
741: other extreme, the lower right point of the frontier, i.e.,
742: $(\Diste,\Distr) = (1/2,p)$, corresponds to a system in which the
743: source is first source coded to distortion $p$, afterwhich the
744: resulting bits are digitally signed and channel coded for the BSC.
745:
746: \begin{figure}[tbp]
747: \centering
748: \psfrag{&2}{\huge$\Diste$}
749: \psfrag{&1}{\huge$\Distr$}
750: \psfrag{&3}{\LARGE$p$}
751: \psfrag{&4}{\LARGE$\frac{1}{2}$}
752: \psfrag{&5}{\LARGE$p$}
753: \psfrag{&6}{\LARGE$\frac{1}{2}$}
754: %\includegraphics[angle=0,width=4in]{figs/discex.eps}
755: \includegraphics[angle=0,width=3.5in]{figs/ham_reg.eps}
756: \caption{The shaded area depicts the achievable distortion region for
757: a symmetric Bernoulli source used in conjunction with a binary
758: symmetric reference channel of crossover probability $p$. Distortions
759: are with respect to the Hamming measure. The case $p=0$ corresponds
760: to traditional digital signatures. If authentication was not
761: required, the point $(\Diste = 0, \Distr = p)$ could be achieved.
762: \label{fig:ham_reg}}
763: \end{figure}
764:
765: While no amount of encoding distortion can reduce the reconstruction
766: distortion below $p$, the point $(\Diste,\Distr) = (p,p)$ on the
767: frontier establishes that a reconstruction distortion of $p$ is
768: actually achievable with much less encoding distortion than the lower
769: right point suggests. In fact, because the required encoding
770: distortion is only $p$, the decoder can be viewed as completely
771: eliminating the effects of the reference channel when it is in effect:
772: the minimum achievable reconstruction distortion $\Distr$ is the same
773: as the distortion $\Diste$ at the output of the encoder.
774:
775: The more general structure of the frontier is also worth observing.
776: In particular, $\Distr$ is a decreasing function of $\Diste$ along the
777: frontier. This reflects that the objectives of small $\Diste$ (which
778: the editor wants) and a small $\Distr$ (which the end-user wants) are
779: conflicting and a fundamental tradeoff is involved for any given
780: reference channel. In fact, as we will see in the sequel, this
781: behavior is not specific to this example, but a more general feature
782: of our authentication problem formulation.\footnote{This should not be
783: surprising, since such tradeoffs frequently arise in joint
784: source-channel coding problems with uncertain channels; see, e.g.,
785: \cite{Mittal_2002, Reznic_2002, Shamai_1998}.}
786:
787: Finally, observe that the achievable region decreases monotonically
788: with $p$, the severity of edits allowed. Thus, if one has particular
789: target encoding and reconstruction distortions, then this effectively
790: limits how much editing can be tolerated. As the extreme point, the
791: case $p=0$ in which no editing is allowed corresponds to the
792: traditional scenario for digital signatures. In this case, as the
793: figure reflects, authentication is achievable without incurring any
794: encoding distortion nor reconstruction distortion. It is worth noting
795: that the nature of the interplay between the severity of the reference
796: channel and the achievable distortion region is not specific to this
797: example, but arises more generally with this formulation of the
798: authentication problem.
799:
800: \section{Characterization of Solution: Coding Theorems}
801: \label{sec:codethms}
802:
803: An instance of the authentication problem consists of the seven-tuple
804: \begin{equation}
805: \left\{ \srcAlph, p(\nsrc), \chinAlph, \choutAlph, p(\nchout|\nchin),
806: \diste(\cdot,\cdot), \distr(\cdot,\cdot) \right\}.
807: \label{eq:authprob}
808: \end{equation}
809: We use $\srcAlph$ to denote the source alphabet---which is finite unless
810: otherwise indicated---and $p(\nsrc)$ is its (i.i.d.) distribution. The
811: channel input and output alphabets are $\chinAlph$ and $\choutAlph$
812: and $p(\nchout|\nchin)$ is the (memoryless) reference channel law.
813: Finally, $\diste(\cdot,\cdot)$ and $\distr(\cdot,\cdot)$ are the
814: encoding and reconstruction distortion measures.
815:
816: A solution to this problem (i.e., an authentication scheme) consists
817: of an algorithm that returns an encoding function $\encoder$, a
818: decoding function $\decoder$, and a secret key $\secKey$. The secret
819: key is shared only between the encoder and decoder; all other
820: information is known to all parties including editors. (For the
821: interested reader, straightforward adaptations of our solutions to
822: public-key implementations are summarized in the Appendix. However,
823: we otherwise restrict our attention to private-key schemes in the
824: paper to focus the exposition.)
825:
826: The secret key $\secKey$ is a $k$-bit sequence with $k$ sufficiently
827: large. The encoder is a mapping from the source sequence and the
828: secret key to codewords, i.e.,
829: \begin{equation*}
830: \encoder(\ful{\nSrc},\secKey):\quad\srcAlph^n
831: \times \{0,1\}^k \mapsto \chinAlph^n.
832: \end{equation*}
833:
834: The decoder is a mapping from the channel output and the secret key to
835: either an authentic source reconstruction $\ful{\nSrch}$ (i.e., one
836: satisfying \eqref{eq:estmarkov}) or the special symbol $\dfail$ that
837: indicates such a reconstruction
838: is not possible; whence,
839: \begin{equation*}
840: \xdecn{\ful{\nIChOut},\secKey}:\quad \choutAlph^n \times
841: \{0,1\}^k \mapsto \srcAlph^n \cup \{\dfail\}.
842: \end{equation*}
843: Notice that since an authentic reconstruction must satisfy
844: \eqref{eq:estmarkov}, and since the decoder must satisfy the Markov
845: condition $\{\ful{\nSrc},\ful{\nChIn}\} \leftrightarrow \ful{\nChOut}
846: \leftrightarrow \xdecn{\ful{\nChOut},\secKey}$, we have that
847: $\ful{\nSrch} \leftrightarrow \{\ful{\nSrc},\ful{\nChIn}\}
848: \leftrightarrow \xdecn{\ful{\nChOut},\secKey}$ forms a Markov chain
849: only \emph{when successful decoding occurs}. Thus, the
850: authentic reconstruction $\ful{\nSrch}$ should be defined as a
851: quantity that the decoder attempts to deduce since defining
852: $\ful{\nSrch} = \xdecn{\ful{\nChOut,\secKey}}$ will generally not
853: satisfy \eqref{eq:estmarkov}.
854:
855: Henceforth, except when there is risk of confusion, we omit both the
856: subscript $n$ and the secret key argument from the encoding and
857: decoding function notation, letting the dependence be implicit.
858: Moreover, when the encoder and/or decoder are randomized functions,
859: then all probabilities are taken over these randomizations as well as
860: the source and channel law.
861:
862: The relevant distortions are the encoding and decoding
863: distortion computed as the sum of the respective (bounded) single
864: letter distortion functions $\diste$ and $\distr$, i.e.,
865: \begin{equation*}
866: \frac{1}{n} \sum_{i=1}^n \diste(\nSrc_i,\nChIn_i)\qquad\text{and}\qquad
867: \frac{1}{n} \sum_{i=1}^n \distr(\nSrc_i,\xdeci{\ful{\nChOut}}).
868: \end{equation*}
869: Evidently,
870: \begin{align}
871: \diste &:\quad \srcAlph\times\chinAlph \mapsto \reals^+ \\
872: \distr &:\quad \srcAlph\times\srcAlph \mapsto \reals^+.
873: \end{align}
874:
875: The system can fail in one of three ways. The first two failure modes
876: correspond to either the encoder introducing excessive encoding
877: distortion, or the decoder failing to produce an authentic
878: reconstruction with acceptable distortion when the reference channel
879: is in effect. Accordingly, we define the overall distortion violation
880: error event to be
881: \begin{equation}
882: \Edv = \exdiste \cup \exdistr
883: \label{eq:Edv-def}
884: \end{equation}
885: where, for any $\epsilon>0$,
886: \begin{align}
887: \exdiste
888: &= \left\{\frac{1}{n}\sum_{i=1}^n \diste(\nSrc_i,\nChIn_i)
889: > \Diste +\epsilon \right\} \label{eq:d1def}\\
890: \exdistr
891: &= \bigg\{\xdecn{\ful{\nChOut}} = \dfail \bigg\} \notag\\
892: & \ \ \ \ \cup \left\{ \frac{1}{n}\sum_{i=1}^n
893: \distr(\nSrc_i,\xdeci{\ful{\nChOut}})
894: > \Distr + \epsilon \right\} \notag\\
895: & \ \ \ \ \cap \bigg\{\xdecn{\ful{\nChOut}} \neq \dfail \bigg\}.
896: \label{eq:d2def}
897: \end{align}
898:
899: In the remaining failure mode, the system fails to produce the desired
900: authentic reconstruction $\ful{\nSrch}$ from the channel output and
901: instead of declaring that authentication is not possible produces an
902: incorrect estimate. Specifically, we define the successful attack
903: event according to
904: \begin{equation}
905: \undetErr =
906: \{ \xdec{\ful{\nIChOut}} \neq \dfail \} \cap
907: \{ \xdec{\ful{\nIChOut}} \neq \nSrch^n \}.
908: \label{eq:undetErr-def}
909: \end{equation}
910:
911:
912: % \overallErr = \undetErr \cup \Edv.
913:
914:
915: \begin{definition}
916: \label{def:adr}
917: The achievable distortion region for the problem \eqref{eq:authprob}
918: is the closure of the set of pairs $(\Diste,\Distr)$ such that there
919: exists a sequence of authentication systems, indexed by $n$, where for
920: every $\epsilon > 0$ and as $n\rightarrow\infty$,
921: $\Pr[\undetErr]\rightarrow0$ regardless of the channel law in effect,
922: $\Pr[\exdiste]\rightarrow0$, and $\Pr[\exdistr]\rightarrow0$
923: when the reference channel is in effect, with $\undetErr$, $\exdiste$,
924: and $\exdistr$ as defined in \eqref{eq:undetErr-def},
925: \eqref{eq:d1def}, and \eqref{eq:d2def}.
926: \end{definition}
927:
928: For such systems, we have the following coding theorem:
929: \begin{theorem}
930: \label{th:main}
931: The distortion pair $(\Diste,\Distr)$ lies in the achievable
932: distortion region for the problem \eqref{eq:authprob} if and only if
933: there exist functions $\senc{\cdot,\cdot}$, $\sedec{\cdot}$ and
934: a distribution $p(\nchout,\nchin,\naux,\nsrc) =
935: p(\nsrc)p(\naux|\nsrc)p(\nchin|\naux,\nsrc)p(\nchout|\nchin)$ with
936: $\nChIn$ deterministic
937: (i.e. $p(\nchin|\naux,\nsrc)=1_{\nchin=\senc{\nsrc,\naux}}$)
938: such that
939: \begin{subequations}
940: \label{eq:thm}
941: \begin{align}
942: I(\nAux;\nChOut) - I(\nSrc;\nAux) &\geq 0 \label{eq:thm:a} \\
943: E[\diste(\nSrc,\senc{\nAux,\nSrc})] &\leq \Diste \label{eq:thm:b} \\
944: E[\distr(\nSrc,\sedec{\nAux})] &\leq \Distr. \label{eq:thm:c}
945: \end{align}
946: The alphabet $\auxAlph$ of the auxiliary random variable $\nAux$
947: requires cardinality $\card{\auxAlph}
948: \le (\card{\srcAlph} + \card{\chinAlph} +
949: 3)\cdot\card{\srcAlph}\cdot\card{\chinAlph}$.\footnote{\textnormal{If
950: instead $f(\nAux,\nSrc)$ is allowed to be a non-deterministic mapping,
951: then it is sufficient to consider distributions where the auxiliary
952: random variable has the smaller alphabet $\card{\auxAlph} \le
953: \card{\srcAlph} + \card{\chinAlph} + 3$.}}
954: \end{subequations}
955: \end{theorem}
956:
957: Essentially, the auxiliary random variable $\nAux$ represents an
958: embedded description of the source that can be authenticated, $\nChIn$
959: represents the encoding of the source $\nSrc$, and $\sedec{\nAux}$ in
960: \eqref{eq:thm:c} represents the authentic reconstruction. The usual
961: condition that the channel output is determined from the channel input
962: (i.e., the encoder does not know what the channel output will be until
963: after the channel input is fixed) is captured by the requirement that
964: the full joint distribution $p(\nchout,\nchin,\naux,\nsrc)$ factors as
965: shown above. The requirement \eqref{eq:estmarkov} that the authentic
966: reconstruction does not depend directly on the editors manipulations
967: --- i.e., the realization of the reference channel --- is captured by
968: the fact that $\sedec{\cdot}$ depends only on $\nAux$ and not on
969: $\nChOut$. Without the authentication requirement, the set of
970: achievable distortion pairs can be enlarged by allowing the
971: reconstruction to depend on the channel output, i.e.\ $\sedec{\nAux}$
972: in \eqref{eq:thm:c} can be replaced by $\sedec{\nAux,\nChOut}$. Thus,
973: as we shall see in Sections~\ref{sec:binary_hamming} and
974: \ref{sec:gaussian}, security comes at a price in this problem.
975:
976: Theorem~\ref{th:main} has some interesting features. First, it is
977: worth noting that since the problem formulation is inherently
978: ``analog,'' dealing only with waveforms, we might expect the best
979: solutions to the problem to be analog in nature. However, what the
980: theorem suggests, and what its proof confirms, is that digital
981: solutions are in fact sufficient to achieve optimality. In
982: particular, as we will see, source and channel coding based on
983: discrete codebooks are key ingredients of the achievability argument.
984: In some sense, this is the consequence of the inherently discrete
985: functionality we have required of the decoder with our formulation.
986:
987: As a second remark, note that Theorem~\ref{th:main} can be contrasted
988: with its information embedding counterpart, which as generalized from
989: \cite{gelfand_1980} in \cite{rjb_bc_gw_preprint}, states that a pair
990: $(R,\Diste)$, where $R$ is the embedding rate, is achievable if and
991: only if there exists a function $\senc{\cdot,\cdot}$ and a
992: distribution $p(\nchout,\nchin,\naux,\nsrc) =
993: p(\nsrc)p(\naux|\nsrc)p(\nchin|\nsrc,\naux)p(\nchout|\nchin)$ with
994: $\nChIn$ deterministic
995: (i.e. $p(\nchin|\naux,\nsrc)=1_{\nchin=\senc{\nsrc,\naux}}$) such that
996: \begin{subequations}
997: \label{eq:ie-thm}
998: \begin{align}
999: I(\nAux;\nChOut) - I(\nSrc;\nAux) &\geq R \label{eq:ie:a} \\
1000: E[\diste(\nSrc,\senc{\nAux,\nSrc})] &\leq \Diste. \label{eq:ie:b}
1001: \end{align}
1002: Thus we see that the authentication problem is substantially
1003: different from the information embedding problem.
1004: \end{subequations}
1005:
1006: Before developing the proofs of Theorem~\ref{th:main}, to develop
1007: intuition we describe the general system structure, and its
1008: specialization to the Gaussian-quadratic case.
1009:
1010: \subsection{General System Structure}
1011: \label{sec:geometric_view}
1012:
1013: As developed in detail in \secref{sec:proofs}, an optimal
1014: authentication system can be constructed by choosing a codebook
1015: $\cbook$ with codewords appropriately distributed over the space of
1016: possible source outcomes. The elements of a randomly chosen subset of
1017: these codewords $\admissC \subset \cbook$ are marked as admissible and
1018: the knowledge of $\admissC$ is a secret shared between the encoder and
1019: decoder, and kept from editors.
1020:
1021: The encoder maps (quantizes) the source $\ful{\nSrc}$ to the nearest
1022: admissible codeword $\ful{\nAux}$ and then generates the channel input
1023: $\ful{\nChIn}$ from $\ful{\nAux}$. The decoder maps the signal it
1024: obtains to the nearest codeword $\ful{\nCode}\in\cbook$. If
1025: $\ful{\nCode}\in\admissC$, i.e., $\ful{\nCode}$ is an admissible
1026: codeword, the decoder produces the reconstruction $\ful{\nSrch}$ from
1027: $\ful{\nCode}$. If $\ful{\nCode}\not\in\admissC$, i.e.,
1028: $\ful{\nCode}$ is not admissible, the decoder declares that an
1029: authentic reconstruction is not possible.
1030:
1031: Observe that the $\admissC$ must have the following three
1032: characteristics. First, to avoid a successful attack the number of
1033: admissible codewords must be appropriately small. Indeed, since
1034: attackers do not know $\admissC$, if an attacker's tampering causes
1035: the decoder to decode to any codeword other than $\ful{\nAux}$ then
1036: the probability that the decoder is fooled by the tampering and does
1037: not declare a decoding failure is bounded by
1038: $\card{\admissC}/\card{\cbook}$. Second, to avoid an encoding
1039: distortion violation, the set of admissible codewords should be dense
1040: enough to allow the encoder to find an appropriate $\ful{\nChIn}$ near
1041: $\ful{\nSrc}$. Third, to avoid a reconstruction distortion violation,
1042: the decoder should be able to distinguish the possible encoded signals
1043: at the output of the reference channel. Thus the codewords should be
1044: sufficiently separated that they can be resolved at the output of the
1045: reference channel.
1046:
1047: \subsubsection{Geometry for Gaussian-Quadratic Example}
1048: \label{sec:sphere_packing}
1049:
1050: We illustrate the system geometry in the case of a white Gaussian
1051: source, quadratic distortion measure, and an additive white Gaussian
1052: noise reference channel, in the high signal-to-noise ratio (SNR)
1053: regime. We let $\sigma_{\nSrc}^2$ and $\sigma_N^2$ denote the source
1054: and channel variances, respectively. For this example, we can
1055: construct $\cbook$ by packing codewords into the space of possible
1056: source vectors such that no codeword is closer than some distance
1057: $r\sqrt{n}$ to any other, i.e., packing spheres of radius $r\sqrt{n}$
1058: into a sphere of radius $\sigma_{\nSrc}\sqrt{n}$ where the center of
1059: the spheres correspond to codewords. Next, a fraction $2^{-n\gamma}$
1060: of the codewords in $\cbook$ are chosen at random and marked as
1061: admissible to form $\admissC$. It suffices to let $\gamma=1/\sqrt{n}$
1062: and $r^2=\sigma_N^2+\epsilon$ for some $\epsilon>0$ that is
1063: arbitrarily small. This construction is illustrated in
1064: Fig.~\ref{fig:sphere_packing}.
1065:
1066: \begin{figure*}[tbp]
1067: \centering
1068: \epsfbox{figs/sphere_packing.eps}
1069: \caption{Codebook construction for the Gaussian-quadratic scenario.
1070: The large sphere represents the space of possible source vectors and
1071: the small spheres representing the noise are centered on codewords.
1072: When the small spheres do not overlap, the codewords can be resolved at
1073: the output of the reference channel. The shaded spheres represent the
1074: admissible codewords---a secret known only to the encoder and decoder.
1075: \label{fig:sphere_packing}}
1076: \end{figure*}
1077:
1078: \iffalse
1079: Since the source lies inside a source sphere of
1080: radius $\sigma_{\nSrc} \sqrt{n}$ with high probability, the number of
1081: admissible codewords in this sphere is
1082: \begin{equation*}
1083: \frac{\card{\admissC}}{\card{\cbook}} \cdot
1084: \left(\frac{\sigma_{\nSrc}}{r}\right)^n = 2^{-n\gamma}
1085: \left(\frac{r}{\sigma_{\nSrc}}\right)^n,
1086: \end{equation*}
1087: which is negligibly small for large $n$.
1088: \fi
1089:
1090: The encoder maps the source $\ful{\nSrc}$ to a nearby admissible
1091: codeword $\ful{\nAux}$, which it chooses as the encoding
1092: $\ful{\nChIn}$. Since the number of admissible codewords in a sphere
1093: of radius $d$ centered on $\ful{\nSrc}$ is roughly
1094: \begin{equation*}
1095: \frac{\card{\admissC}}{\card{\cbook}} \cdot \left(\frac{d}{r}\right)^n,
1096: \end{equation*}
1097: on average there exists at least one codeword within distance $d$ of
1098: the source provided $d \geq r 2^{\gamma}$. Thus, the average
1099: encoding distortion is roughly $r^2 2^{2\gamma}$, which approaches
1100: $\sigma_N^2+\epsilon$ as $n\rightarrow\infty$.
1101:
1102: The authentic reconstruction is $\ful{\nSrch} = \ful{\nAux}$. Thus,
1103: when the decoder correctly identifies $\ful{\nAux}$, the
1104: reconstruction distortion is the same as the encoding distortion. And
1105: when the reference channel is in effect, the decoder does indeed
1106: correctly identify $\ful{\nAux}$. This follows from the fact that
1107: with high probability, the reference channel noise creates a
1108: perturbation within a noise sphere of radius $\sigma_N \sqrt{n}$ about
1109: the encoding $\ful{\nChIn}$, and the noise spheres do not
1110: intersect since $r>\sigma_N$.
1111:
1112: Furthermore, when the reference channel is not in effect and an
1113: attacker tampers with the signal such that the nearest codeword
1114: $\nCode$ is different from that chosen by the encoder $\ful{\nAux}$,
1115: then the probability that $\nCode$ was marked as admissible in the
1116: codebook construction phase is
1117: \begin{equation*}
1118: \Pr[\nCode \in \admissC| \nCode \neq \ful{\nAux}] =
1119: \frac{\card{\admissC}}{\card{\cbook}} = 2^{-n\gamma},
1120: \end{equation*}
1121: which goes to zero as $n\rightarrow\infty$. The decoder generates
1122: $\dfail$ if it decodes to a non-admissible codeword, so the
1123: probability of a nonauthentic reconstruction is vanishingly small.
1124:
1125: Thus the distortions $\Diste=\Distr=\sigma_N^2$ can be approached with
1126: an arbitrarily small probability of successful attack. See
1127: \cite{mthesis, martinian_2001} for insights into the
1128: practical implementation of this class of systems including those
1129: designed based on a public key instead of a secret key.
1130:
1131: \section{Proofs}
1132: \label{sec:proofs}
1133:
1134: \subsection{Forward Part: Sufficiency}
1135: \label{sec:forw-part:-suff}
1136:
1137: Here we show that if there exist distributions and functions
1138: satisfying \eqref{eq:thm}, then for every $\epsilon >0 $ there exists
1139: a sequence of authentication system with distortion at most
1140: $(\Diste+\epsilon,\Distr+\epsilon)$. Since the achievable distortion region
1141: is a closed set this implies that $(\Diste,\Distr)$ lies in the
1142: achievable distortion region.
1143:
1144: We prove this forward part of \thrmref{th:main} by showing the
1145: existence of a random code with the desired properties.
1146:
1147: \subsubsection{Codebook Generation}
1148:
1149: We begin by choosing some $\gamma>0$ such that
1150: \begin{equation}
1151: I(\nChOut;\nAux) - I(\nAux;\nSrc) > 3\gamma.
1152: \label{eq:gammadef}
1153: \end{equation}
1154: where $\gamma$ decays to zero more slowly than $1/n$, i.e.,
1155: \begin{equation}
1156: \text{$\gamma\rightarrow0$ and $n\gamma\rightarrow\infty$ as
1157: $n\rightarrow\infty$}.
1158: \label{eq:gamma-props}
1159: \end{equation}
1160: Given the choice of $\gamma$, the encoder chooses a random
1161: codebook $\cbook$ of rate
1162: \begin{equation}
1163: \cbkR = I(\nSrc;\nAux) + 2\gamma.
1164: \label{eq:Rdef}
1165: \end{equation}
1166: Each codeword in $\cbook$ is a
1167: sequence of $2^{n\cbkR}$ i.i.d.\ random variables selected according
1168: to the distribution $p(\naux) = \sum_{\nsrc \in \srcAlph}\,
1169: p(\naux | \nsrc ) p( \nsrc )$.
1170: Then, for each realized codebook $\cbook$ the encoder randomly marks
1171: $2^{n(\cbkR-\gamma)}$ of the codewords in $\cbook$ as
1172: admissible and the others as forbidden. We denote this new codebook of
1173: admissible codewords as $\admissC$, which has effective rate
1174: \begin{equation}
1175: \cbkR' = \cbkR - \gamma = I(\nSrc;\nAux) + \gamma,
1176: \label{eq:Rpdef}
1177: \end{equation}
1178: where the last equality follows from substituting \eqref{eq:Rdef}.
1179: The knowledge of which codewords are forbidden is the secret key and
1180: is revealed only to the decoder. The codebook $\cbook$ is publicly
1181: revealed.
1182:
1183: \subsubsection{Encoding and Decoding}
1184:
1185: The encoder first tries to find an admissible codeword $\ful{\naux}
1186: \in \admissC$ that is $\delta$-strongly jointly typical with its
1187: source sequence $\ful{\nSrc}$ according to $p(\naux|\nsrc)$. If the
1188: codeword $\ful{\naux} \in \admissC$ is found to be typical, the
1189: encoder output is produced by mapping the pair
1190: $(\ful{\nsrc},\ful{\naux})$ into $\ful{\nchin}$ via
1191: $\nchin=f(\nsrc,\naux)$. If no jointly typical admissible codeword
1192: exists, the encoder expects the system to fail, and thus selects an
1193: arbitrary codeword.
1194:
1195: The decoder attempts to produce the authentic reconstruction
1196: $\ful{\nsrch} = \fulsedec{\ful{\naux}}$ where
1197: \begin{equation}
1198: \fulsedec{\ful{\naux}} =
1199: (\sedec{\naux_1}, \sedec{\naux_2}, \dots,
1200: \sedec{\naux_n}).
1201: \end{equation}
1202: The decoder $\xdec{\cdot}$ tries to deduce $\ful{\nsrch}$
1203: by searching for a unique admissible codeword
1204: $\ful{\hat{\naux}} \in \admissC$ that is $\delta$-strongly jointly
1205: typical with the obtained sequence $\ful{\nChOut}$. If such a
1206: codeword is found the reconstruction produced is
1207: $\fulsedec{\ful{\hat{\naux}}}$. If no such unique
1208: codeword is found, the
1209: decoder produces the output symbol $\dfail$.
1210:
1211: \subsubsection{System Failure Probabilities}
1212:
1213: We begin by analyzing the system failure probabilities.
1214:
1215: \paragraph{Probability of Successful Attack.}
1216:
1217: Suppose the attacker causes the codeword obtained by the decoder to be
1218: jointly typical with a unique codeword $\ful{c}\in\cbook$. Since the
1219: attacker has no knowledge of which codewords are admissible, the
1220: probability that codeword $\ful{c}$ was chosen as admissible in the
1221: codebook construction phase is
1222: \begin{equation*}
1223: \Pr[\ful{c} \in \admissC]
1224: = \frac{\left|\admissC\right|}{\left|\cbook\right|} =
1225: \frac{2^{n\cbkR'}}{2^{n\cbkR}} = 2^{-n\gamma}.
1226: \end{equation*}
1227: where we have used \eqref{eq:Rpdef} and \eqref{eq:Rdef}. Therefore,
1228: \begin{equation*}
1229: \Pr[\undetErr] \leq \Pr[\xdec{\ful{\nIChOut}} \neq
1230: \dfail \mid \xdec{\ful{\nIChOut}} \neq \ful{\nSrch}] = 2^{-n\gamma}.
1231: \end{equation*}
1232: which goes to zero according to \eqref{eq:gamma-props}. Note that
1233: this argument applies regardless of the method used by the attacker
1234: since without access to the secret key its actions are statistically
1235: independent of which codewords are admissible.
1236:
1237: \paragraph{Probability of Distortion Violation.}
1238:
1239: The distortion violation events $\exdiste$ and $\exdistr$ defined in
1240: \eqref{eq:d1def} and \eqref{eq:d2def} can arise due to any of the
1241: following typicality failure events:
1242: \begin{itemize}
1243: \item $\encSNotTyp$: The source is not typical.
1244: \item $\encFail$: The encoder fails to find an admissible codeword
1245: that is jointly typical with its input.
1246: \item $\encChFail$: The channel fails to produce an output jointly
1247: typical with its input when the reference channel law is in effect.
1248: \item $\decFail$: The decoder fails to find a codeword jointly typical
1249: with its input when the reference channel law is in effect.
1250: \end{itemize}
1251:
1252: A distortion violation event can also occur if there is no typicality
1253: failure but the distortion is still too high. Letting
1254: \begin{equation}
1255: \edfail = \encSNotTyp \cup \encFail \cup \encChFail \cup \decFail
1256: \label{eq:edfail}
1257: \end{equation}
1258: denote the typicality failure event, we have then that the probability
1259: of a distortion violation can be expressed as
1260: \begin{multline}
1261: \Pr[\Edv]
1262: = \Pr[\Edv \mid \edfail]\cdot\Pr[\edfail]
1263: + \Pr[\Edv \mid \noedfail]\cdot\Pr[\noedfail] \\
1264: \leq \Pr[\Edv \mid \noedfail] + \Pr[\edfail] \\
1265: = \Pr\left[\Edv \mid \noedfail \right]
1266: + \Pr[\encSNotTyp]
1267: + \Pr[\encFail\mid\encSNotTyp^\comp]\\
1268: +\Pr[\encChFail\mid\encSNotTyp^\comp,\encFail^\comp]
1269: +\Pr[\decFail\mid\encSNotTyp^\comp,\encFail^\comp,\encChFail^\comp].
1270: \label{eq:enc_error}
1271: \end{multline}
1272:
1273: First, according to well-known properties of typical sequences
1274: \cite{cover}, by choosing $n$ large enough we can make
1275: \begin{align}
1276: \Pr[\encSNotTyp]
1277: &\leq \epsilon/4 \label{eq:prob_encsnottyp} \\
1278: \Pr[\encChFail \mid \encSNotTyp^\comp,\encFail^\comp]
1279: &\leq \epsilon/4. \label{eq:prob_encchfail}
1280: \end{align}
1281:
1282: Second, provided that the source is typical, the probability that the
1283: encoder fails to find a sequence $\ful{\naux}\in\admissC$ jointly
1284: typical with the source follows from \eqref{eq:Rpdef} as
1285: \begin{equation}
1286: \Pr[\encFail\mid\encSNotTyp^\comp] \leq 2^{-n[R' - I(\nSrc;\nAux)]} =
1287: 2^{-n\gamma}
1288: \label{eq:degfail}
1289: \end{equation}
1290: from standard joint typicality arguments.
1291:
1292: Third,
1293: \begin{equation}
1294: \Pr[\decFail \mid \encSNotTyp^\comp,\encFail^\comp,\encChFail^\comp]
1295: \leq 2^{-n\gamma} + \epsilon/4.
1296: \label{eq:decfail}
1297: \end{equation}
1298: Indeed, using standard joint typicality results, the probability that
1299: the sequence $\ful{\nChOut}$ presented to the decoder is not
1300: $\delta$-strongly jointly typical with the correct codeword
1301: $\ful{\nAux}$ selected by the encoder can be made smaller than
1302: $\epsilon/4$ for $n$ large enough, and the probability of it being
1303: strongly jointly typical with any other admissible codeword is, using
1304: \eqref{eq:gammadef} with \eqref{eq:Rdef}, at most
1305: \begin{equation*}
1306: 2^{-n[I(\nAux;\nChOut)-\cbkR]} \le 2^{-n\gamma}.
1307: \end{equation*}
1308:
1309: Fourth,
1310: \begin{equation}
1311: \Pr\left[\Edv \mid \noedfail \right] = 0.
1312: \label{eq:prob_bad_system}
1313: \end{equation}
1314: Indeed, provided there are no typicality failures, the pair
1315: $(\ful{\nSrc},\ful{\nChOut})$ must be strongly jointly typical, so by
1316: the standard properties of strong joint typicality,
1317: \begin{align*}
1318: \frac{1}{n} \sum_{i=1}^n \diste(\nSrc_i,\nChIn_i)
1319: &\leq E[\diste(\nSrc,\nChIn)] + \delta \cdot \dmax{1}\\
1320: \frac{1}{n} \sum_{i=1}^n \distr(\nSrc_i,\sedeci{i}{\nAux_i})
1321: &\leq E[\distr(\nSrc,\sedec{\nAux})] + \delta \cdot \dmax{2},
1322: \end{align*}
1323: where $\dmax{1}$ and $\dmax{2}$ are bounds defined via
1324: \begin{align}
1325: \dmax{1} &= \sup_{(\nsrc,\nchin)\in\srcAlph\times\chinAlph}
1326: \diste(\nsrc,\nchin) \label{eq:dmax1-def}\\
1327: \dmax{2} &= \sup_{(\nsrc,\nsrch)\in\srcAlph\times\srcAlph}
1328: \distr(\nsrc,\nsrch). \label{eq:dmax2-def}
1329: \end{align}
1330: Thus, choosing $\delta$ such that
1331: \begin{equation*}
1332: \delta < \max \left(\frac{\epsilon}{\dmax{1}},
1333: \frac{\epsilon}{\dmax{2}} \right)
1334: \end{equation*}
1335: and making $n$ large enough we obtain \eqref{eq:prob_bad_system}.
1336:
1337: Finally, using \eqref{eq:prob_encsnottyp}, \eqref{eq:prob_encchfail},
1338: \eqref{eq:degfail}, \eqref{eq:decfail}, and \eqref{eq:prob_bad_system}
1339: in \eqref{eq:enc_error} we obtain
1340: \begin{equation}
1341: \label{eq:exdist_err}
1342: \Pr[\Edv] \leq 3 \epsilon/4 + 2 \cdot 2^{-n\gamma}
1343: \end{equation}
1344: which can be made less than $\epsilon$ for $n$ large enough.
1345: Thus $\Pr[\exdiste]\rightarrow0$ and, when the reference channel is in
1346: effect, $\Pr[\exdistr]\rightarrow0$.
1347:
1348: \noindent\qed
1349:
1350: \subsection{Converse Part: Necessity}
1351: \label{sec:converse_part}
1352:
1353: Here we show that if there exists an
1354: authentication system where the pair
1355: $(\Diste,\Distr)$ is in the achievable distortion
1356: region, then there exists a distribution $p(\naux|\nsrc)$ and
1357: functions $\sedec{\cdot}$, $\senc{\cdot,\cdot}$ satisfying
1358: \eqref{eq:thm}. In order to apply previously developed tools, it is
1359: convenient to define the rate-function
1360: \begin{multline}
1361: \label{eq:def-rate-func}
1362: R^*(\Diste,\Distr) \defeq\\
1363: \sup_{\textnormal{\parbox{1.75in}{\begin{center}
1364: $p(\nAux|\nSrc),f:\auxAlph\times\srcAlph\mapsto\chinAlph,g:\auxAlph\mapsto\srcAlph$\\
1365: \mbox{$: E[\diste(\nSrc,\senc{\nAux,\nSrc})]\leq\Diste,
1366: E[\distr(\nSrc,\sedec{\nAux})]\leq\Distr$}\end{center}}}}
1367: I(\nAux;\nChOut) - I(\nSrc;\nAux).
1368: \end{multline}
1369: Note that $R^*(\Diste,\Distr) \geq 0$ if and
1370: only if the conditions in \eqref{eq:thm} are satisfied. Thus our
1371: strategy is to assume that the sequence of
1372: encoding and decoding functions discussed in \secref{sec:codethms}
1373: exist with $\lim_{n\rightarrow\infty}\Pr[\undetErr]=0$,
1374: $\lim_{n\rightarrow\infty}\Pr[\exdiste]=0$, and---when the reference
1375: channel is in effect---$\lim_{n\rightarrow\infty}\Pr[\exdistr]=0$.
1376: We then show that these functions imply that $R^*(\Diste,\Distr) \geq
1377: 0$ and hence \eqref{eq:thm} is satisfied.
1378:
1379: To begin we note that it suffices to choose $\sedec{\cdot}$ to be the
1380: minimum distortion estimator of $\nSrc$ given $\nAux$. Next,
1381: by using techniques from \cite{gelfand_1980} or
1382: by directly applying \cite[Lemma 2]{rjb_bc_gw_preprint} it is possible to
1383: prove that allowing $\nChIn$ to be non-deterministic has no advantage,
1384: i.e.,
1385: \begin{multline}
1386: \label{eq:det-good-enough}
1387: R^*(\Diste,\Distr) \geq\\
1388: \sup_{\textnormal{\parbox{1.75in}{\begin{center}
1389: $p(\nAux|\nSrc),p(\nChIn|\nAux,\nSrc):$\\
1390: \mbox{$E[\diste(\nSrc,\nChIn)]\leq\Diste,
1391: E[\distr(\nSrc,\sedec{\nAux})]\leq\Distr$}\end{center}}}}
1392: I(\nAux;\nChOut) - I(\nSrc;\nAux).
1393: \end{multline}
1394: Arguments similar to those in \cite{gelfand_1980} and
1395: \cite[Lemma 1]{rjb_bc_gw_preprint} show that $R^*(\Diste,\Distr)$ is
1396: monotonically non-decreasing and concave in $(\Diste,\Distr)$. These
1397: properties will later allow us to make use of the following lemma,
1398: whose proof follows readily from that of Lemma~4 in \cite{gelfand_1980}:
1399: \begin{lemma}
1400: \label{gelfand_lemma}
1401: For arbitrary random variables $V,A_1,A_2,\dots,A_n$ and a sequence of
1402: i.i.d.\ random variables $\nSrc_1,\nSrc_2,\dots,\nSrc_n$,
1403: \begin{multline}
1404: \sum_{i=1}^n
1405: \left[ I(V,A_1^{i-1},S_{i+1}^n;A_i)-I(V,A_1^{i-1},S_{i+1}^n;S_i)
1406: \right] \\
1407: \geq I(V;\ful{A}) - I(V;\ful{S}).
1408: \end{multline}
1409: \end{lemma}
1410:
1411: As demonstrated by the following Lemma, a suitable $\nAux_i$ is
1412: \begin{equation}
1413: \nAux_i = (\ful{\nSrch},\nChOut_{1}^{i-1},\nSrc_{i+1}^n).
1414: \label{eq:def_nauxdeg}
1415: \end{equation}
1416: \begin{lemma}
1417: \label{lem:umarkov}
1418: The choice of $\nAux_i$ in \eqref{eq:def_nauxdeg} satisfies the
1419: Markov relationship
1420: \begin{equation}
1421: \nChOut_i \leftrightarrow (\nSrc_i, \nChIn_i) \leftrightarrow \nAux_i.
1422: \label{eq:umarkov}
1423: \end{equation}
1424: \end{lemma}
1425: \begin{proof}
1426: It suffices to note that
1427: \begin{align}
1428: p(\nchout_i|\nchin_i,\nsrc_i)
1429: &= p(\nchout_i|\nchin_i)
1430: = \frac{p(\nchout_1^i|\ful{\nchin})}{p(\nchout_1^{i-1}|\ful{\nchin})}
1431: = \frac{p(\nchout_1^i|\ful{\nchin},\ful{\nsrc})}
1432: {p(\nchout_1^{i-1}| \ful{\nchin},\ful{\nsrc})}
1433: \label{eq:from_memless_ch:a} \\
1434: &= \frac{p(\nchout_1^i|\ful{\nchin},\ful{\nsrch} ,\ful{\nsrc})}
1435: {p(\nchout_1^{i-1}|\ful{\nchin},\ful{\nsrch},\ful{\nsrc})}
1436: = p(\nchout_i|\ful{\nchin},\ful{\nsrc},\ful{\nsrch},\nchout_1^{i-1})
1437: \label{eq:from_other_m_cond}
1438: \end{align}
1439: where the equalities in \eqref{eq:from_memless_ch:a} follow from the
1440: memoryless channel model, and the first equality in
1441: \eqref{eq:from_other_m_cond} follows from the fact that the system
1442: generates authentic reconstructions so \eqref{eq:estmarkov} holds.
1443: Thus, \eqref{eq:from_other_m_cond} implies the Markov relationship
1444: \begin{equation}
1445: \nChOut_i \leftrightarrow (\nChIn_i,\nSrc_i) \leftrightarrow
1446: (\nChIn_1^i,\nChIn_{i+1}^n,\nSrc_1^i,\nSrc_{i+1}^n,\nChOut_1^{i-1},\ful{\nSrch}),
1447: \label{eq:markov:almost}
1448: \end{equation}
1449: which by deleting selected terms from the right hand side yields
1450: \eqref{eq:umarkov}.
1451: \end{proof}
1452:
1453: Next, we combine these results to prove the converse part of
1454: \thrmref{th:main} except for the cardinality bound on $\auxAlph$ which
1455: is derived immediately thereafter.
1456: \begin{lemma}
1457: \label{lem:deg_prod_space}
1458: If a sequence of encoding and decoding
1459: functions $\encoder(\cdot)$ and
1460: $\xdecn{\cdot}$ exist such that the decoder can generate authentic
1461: reconstructions achieving the distortion pair $(\Diste,\Distr)$ when the
1462: reference channel is in effect then
1463: \begin{equation}
1464: R^*(\Diste,\Distr) \geq 0.
1465: \label{eq:deg_prod_space}
1466: \end{equation}
1467: \end{lemma}
1468: \begin{proof}
1469: Define $\Distei$ and $\Distri$ as the component-wise distortions
1470: between $\nSrc_i$ and $\nChIn_i$ and between $\nSrc_i$ and
1471: $\nSrch_i$. We have the following chain of inequalities:
1472: \begin{align}
1473: R^*(\Diste,\Distr) &= R^*\left(\frac{1}{n}\sum_{i=1}^n \Distei,
1474: \frac{1}{n}\sum_{i=1}^n \Distri\right)\\
1475: %
1476: \label{eq:rstar-conc}
1477: &\geq \frac{1}{n} \sum_{i=1}^n R^*(\Distei,\Distri)\\
1478: %
1479: \label{eq:rstar-bigger}
1480: &\geq \frac{1}{n}
1481: \sum_{i=1}^n[I(\nAux_i;\nChOut_i)-I(\nAux_i;\nSrc_i)] \\
1482: %
1483: \label{eq:use-gf-lemma}
1484: &\geq \frac{1}{n} \left[
1485: I(\ful{\nSrch};\ful{\nChOut})-I(\ful{\nSrch};\ful{\nSrc}) \right]\\
1486: %
1487: &=\frac{1}{n} \left[
1488: H(\ful{\nSrch}|\ful{\nSrc})-H(\ful{\nSrch}|\ful{\nChOut}) \right] \\
1489: %
1490: &\geq -\frac{1}{n} H(\ful{\nSrch}|\ful{\nChOut})\\
1491: %
1492: \label{eq:fin-apply-fano}
1493: &\geq -\frac{1}{n} - \Pr[\xdecn{\ful{\nChOut}}\neq\ful{\nSrch}]
1494: \log\card{\srcAlph}.
1495: \end{align}
1496:
1497: The concavity of $R^*(\Diste,\Distr)$ yields \eqref{eq:rstar-conc}.
1498: To obtain \eqref{eq:rstar-bigger}, we combine \lemref{lem:umarkov}
1499: with \eqref{eq:det-good-enough}. Next, to obtain
1500: \eqref{eq:use-gf-lemma}, let $V = \ful{\nSrch}$ and $A_i=\nChOut_i$ to
1501: apply \lemref{gelfand_lemma} with $\nAux_i$ chosen according to
1502: \eqref{eq:def_nauxdeg}. Fano's inequality yields
1503: \eqref{eq:fin-apply-fano}.
1504:
1505: Finally, using (in order) Bayes' law,
1506: \eqref{eq:undetErr-def}, and \eqref{eq:d2def}, we obtain
1507: \begin{align}
1508: \Pr[\xdecn{\ful{\nChOut}}&\neq\ful{\nSrch}] = \Pr[\undetErr] \notag\\
1509: & \hspace{-40pt} + \Pr[\{\xdecn{\ful{\nChOut}}\neq\ful{\nSrch}\} \cap
1510: \{\xdecn{\ful{\nChOut}}=\dfail\}]\\
1511: %
1512: &\leq \Pr[\undetErr] +
1513: \Pr[\{\xdecn{\ful{\nChOut}}=\dfail\}]\\
1514: %
1515: &\leq \Pr[\undetErr] + \Pr[\exdistr].
1516: \label{eq:key_fano_term}
1517: \end{align}
1518: Therefore exploiting that the system generates an authentic
1519: reconstruction ($\lim_{n\rightarrow\infty}\Pr[\undetErr] = 0$) of the
1520: right distortion ($\lim_{n\rightarrow\infty}\Pr[\exdistr] = 0$) and
1521: that the alphabet of $\nSrc$ is finite, we have that
1522: \eqref{eq:fin-apply-fano} and \eqref{eq:key_fano_term} imply
1523: \eqref{eq:deg_prod_space}.
1524: \end{proof}
1525:
1526: The following proposition bounds the cardinality of $\auxAlph$.
1527: \begin{prop}
1528: \label{prop:card}
1529: Any point in the achievable distortion region defined by
1530: \eqref{eq:thm} can be attained with $\nAuxDeg$ distributed over an
1531: alphabet $\auxAlph$ of cardinality at most $(\card{\srcAlph} +
1532: \card{\chinAlph} + 3)\cdot\card{\srcAlph}\cdot\card{\chinAlph}$ with
1533: $p(\nchin|\naux,\nsrc)$ singular or over an
1534: alphabet $\auxAlph$ of cardinality at most $\card{\srcAlph} +
1535: \card{\chinAlph} + 3$ if $p(\nchin|\naux,\nsrc)$ is not required to be
1536: singular.
1537: \end{prop}
1538:
1539: \begin{proof}
1540: This can be proved using standard tools from convex set theory.
1541: Essentially, we define a convex set of continuous functions
1542: $f_j({\mathbf p})$ where ${\mathbf p}$ represents a distribution of
1543: the form $\Pr(\nSrc=\nsrc,\nChIn=\nchin|\nAux=\naux)$ and the
1544: $f_j(\cdot)$ functions capture the features of the distributions
1545: relevant to \eqref{eq:thm}. According to Carath\'{e}odory's Theorem
1546: \cite[Theorem 14.3.4]{cover}, \cite{it:wyner_1975}, there exist
1547: $j_{\max}$ +1 distributions ${\mathbf p}_1$ through ${\mathbf
1548: p}_{\textnormal{$j_{\max}$ +1}}$ such that any vector of function values,
1549: $(f_1({\mathbf p'}), f_2({\mathbf p'}), \dots,
1550: f_{\textnormal{$j_{\max}$}}({\mathbf p'}))$, achieved by some
1551: distribution ${\mathbf p'}$ can be achieved with a convex combination of
1552: the ${\mathbf p}_i$ distributions. Since each distribution
1553: corresponds to a particular choice for $\nAux$, at most $j_{\max}$ + 1
1554: possible values are required for $\nAux$. Specifically, the desired
1555: cardinality bound for our problem can be proved by making the
1556: following syntactical modifications to the argument in \cite[bottom
1557: left of p.~634]{it:ahlswede_1976}:
1558:
1559: \begin{enumerate}
1560:
1561: \item Replace $\Pr(X = x \mid U = u)$ with $\Pr(\nSrc = \nsrc,\nChIn =
1562: \nchin \mid \nAux = \naux)$ which is represented by the notation
1563: $\mathbf{p}$.
1564:
1565: \item Choose
1566: \begin{equation}
1567: f_j(\mathbf{p}) =
1568: \sum_{\nchin} \Pr(\nSrc = j,\nChIn = \nchin \mid \nAux = \naux)
1569: \end{equation}
1570: for $j \in \{1,2,\dots,n\}$ where $n = \card{\srcAlph}$.
1571:
1572: \item Choose
1573: \begin{multline}
1574: f_{n+1}(\mathbf{p}) =\\ \sum_{\nsrc} \sum_{\nchin}
1575: \diste(\nchin,\nsrc) \,
1576: \Pr(\nSrc = \nsrc,\nChIn = \nchin \mid \nAux = \naux).
1577: \end{multline}
1578:
1579: \item Choose
1580: \begin{multline}
1581: f_{n+2}(\mathbf{p}) =\\ \sum_{\nsrc} \sum_{\nchin}
1582: \distr(\sedec{\naux},\nsrc)\,
1583: \Pr(\nSrc = \nsrc, \nChIn = \nchin \mid \nAux = \naux).
1584: \end{multline}
1585:
1586: \item Choose
1587: \begin{multline}
1588: f_{n+3}(\mathbf{p}) = \sum_{\nsrc} \left[\sum_{\nchin}
1589: \Pr(\nSrc = \nsrc,\nChIn = \nchin \mid \nAux = \naux)
1590: \cdot\right.\\
1591: \left.\ \ \log \left(\sum_{\nchin}
1592: \Pr(\nSrc = \nsrc,\nChIn = \nchin \mid \nAux = \naux) \right)\right].
1593: \end{multline}
1594:
1595:
1596: \item Let
1597: \begin{multline*}
1598: m(s,u,x,y) = \\\Pr(\nChOut=\nchout \mid \nChIn=\nchin)
1599: \Pr(\nSrc = \nsrc,\nChIn = \nchin \mid \nAux = \naux)
1600: \end{multline*}
1601: and choose
1602: \begin{multline}
1603: f_{n+4}(\mathbf{p}) = \sum_{\nchout} \left[
1604: \left(\sum_{\nchin}\sum_{\nsrc} m(s,u,x,y)\right) \right.\cdot\\
1605: \left. \left(\sum_{\nchin}\sum_{\nsrc} \log m(s,u,x,y) \right)\right].
1606: \end{multline}
1607:
1608: \item Choose
1609: \begin{equation}
1610: f_{n+5+j}(\mathbf{p}) = \sum_{\nsrc} \Pr(\nSrc = \nsrc,\nChIn =
1611: j \mid \nAux = \naux)
1612: \end{equation}
1613: for $j \in \{1,2, \dots,\card{\chinAlph}\}$.
1614:
1615:
1616:
1617: \end{enumerate}
1618:
1619: Since the $f_j(\mathbf{p})$ determine $\Pr[\nSrc = \nsrc]$ (and
1620: therefore $H(\nSrc)$ as well), $\Diste$, $\Distr$,
1621: $H(\nSrc|\nAuxDeg)$, $H(\nChOut|\nAuxDeg)$, and $\Pr[\nChIn = \nchin]$
1622: (and therefore $\Pr[\nChOut=\nchout]$ and $H(\nChOut)$ also), they can
1623: be used to identify all points in the distortion region. According to
1624: \cite[Lemma 3]{it:ahlswede_1976}, for every point in this region
1625: obtained over the alphabet $\auxAlph$ there exists a $U^*$ from
1626: alphabet $\auxAlph^*$ with cardinality $\card{\auxAlph^*}$ at most one
1627: greater than the dimension of the space spanned by the vectors $f_i$.
1628: The $f_i$ corresponding to $\Pr[\nSrc=\nsrc]$ and $\Pr[\nChIn=\nchin]$
1629: contribute $\card{\srcAlph}-1$ and $\card{\chinAlph}-1$ dimensions
1630: while the other $f_i$ contribute four more dimensions. Thus it
1631: suffices to choose $\card{\auxAlph^*} \leq \card{\chinAlph} +
1632: \card{\srcAlph} + 3$. Note that this cardinality bound applies to the
1633: general case where $\nChIn$ is not necessarily a deterministic
1634: function of $\nSrc$ and $\nAux^*$.
1635:
1636: By directly applying \cite[Lemma 2]{rjb_bc_gw_preprint} to each pair
1637: $(\naux^*,\nsrc)$ in $\auxAlph^*\times\srcAlph$, we can split each $\naux^*$
1638: into $\card{\chinAlph}$ new symbols $\naux^{**}$ such that the mapping
1639: from $(\naux^{**},\nsrc)$ to $\nchin$ is deterministic. The new
1640: auxiliary random variable $\nAux^{**}$ takes values over the alphabet
1641: $\auxAlph^{**}$ where
1642: \begin{equation}
1643: \card{\auxAlph^{**}} = \card{\auxAlph^*}\cdot\card{\srcAlph}\cdot\card{\chinAlph}
1644: = (\card{\chinAlph} + \card{\srcAlph} +
1645: 3)\cdot\card{\srcAlph}\cdot\card{\chinAlph}.
1646: \end{equation}
1647: Furthermore, this process does not change the distortion or violate
1648: the mutual information constraint. Thus a deterministic mapping from
1649: the source and auxiliary random variable to the channel input can be
1650: found with no loss of optimality provided a potentially larger alphabet is
1651: allowed for the auxiliary random variable.
1652: \end{proof}
1653:
1654: We next apply Theorem~\ref{th:main} to two example scenarios of
1655: interest---one discrete and one continuous.
1656:
1657: \section{Example: the Binary-Hamming Scenario}
1658: \label{sec:binary_hamming}
1659:
1660: In some applications of authentication, the content of interest is
1661: inherently discrete. For example, we might be interested in
1662: authenticating a passage of text, some of whose characters may have
1663: been altered in a benign manner through errors in optical character
1664: recognition process or error-prone human transcription during
1665: scanning. Or the alterations might be by the hand of human editor
1666: whose job it is to correct, refine, or otherwise enhance the
1667: exposition in preparation for its publication in a paper, journal,
1668: magazine, or book. Or the alternations may be the result of an
1669: attacker deliberately tampering with the text for the purpose of
1670: distorting its meaning and affecting how it will be interpreted.
1671:
1672: As perhaps the simplest model representative of such discrete
1673: problems, we now consider a symmetric binary source with a binary
1674: symmetric reference channel. Specifically, we model the source as an
1675: i.i.d.\ sequence where each $\nSrc_i$ is a Bernoulli($1/2$) random
1676: variable\footnote{We adopt the convention that all Bernoulli random
1677: variables take values in the set $\{0,1\}$.} and the reference channel
1678: output is $\nChOut_i = \nChIn_i \oplus N_i$, where $\oplus$ denotes
1679: modulo-$2$ addition and where $\ful{N}$ is an i.i.d.\ sequence of
1680: Bernoulli($\crossProb$) random variables. Finally, we adopt the
1681: Hamming distortion measure:
1682: \begin{equation*}
1683: d(a,b) =
1684: \begin{cases}
1685: 0, & \text{ if $a = b$}\\
1686: 1, & \text{ otherwise }.
1687: \end{cases}
1688: \end{equation*}
1689:
1690: For this problem, a suitable auxiliary random variable is
1691: \begin{equation}
1692: \nAuxDeg = \left\{ \nSrc \oplus (A \cdot \genrv) \oplus
1693: [(1-A) \cdot V]\right\} + 2 \cdot (1-A),
1694: \label{eq:bin_dist_def:u}
1695: \end{equation}
1696: where $A$, $\genrv$, and $V$ are Bernoulli $\alpha$, $\tau$, and $\nu$
1697: random variables, respectively, and are independent of each other and
1698: $\nSrc$ and $N$. Without loss of generality, the parameters
1699: $\tau$ and $\nu$ are restricted to the range $(0,1/2)$. Note that
1700: $\auxAlph=\{0, 1, 2, 3\}$.
1701:
1702: The encoder function $\nChIn=f(\nSrc,\nAux)$ is, in turn, given by
1703: \begin{equation}
1704: \nChIn = \begin{cases}
1705: \nAuxDeg, & \text{if $\nAuxDeg \in \{0, 1\}$} \\
1706: \nSrc, & \text{if $\nAuxDeg \in \{2, 3\}$},
1707: \end{cases}
1708: \label{eq:bin_dist_def:x}
1709: \end{equation}
1710: from which it is straightforward to verify via
1711: \eqref{eq:bin_dist_def:u} that the encoding distortion is
1712: \begin{equation}
1713: \Diste = \alpha\tau.
1714: \label{eq:Diste-bh}
1715: \end{equation}
1716:
1717: The corresponding decoder function $\nSrch=g(\nAux)$ takes the
1718: form
1719: \begin{equation}
1720: \nSrch = \nAux \bmod 2,
1721: \end{equation}
1722: from which it is straightforward to verify via
1723: \eqref{eq:bin_dist_def:u} that the reconstruction distortion is
1724: \begin{equation}
1725: \Distr = \alpha\tau + (1-\alpha)\nu.
1726: \label{eq:Distr-bh}
1727: \end{equation}
1728:
1729: In addition, $I(\nAuxDeg;\nSrc)$ takes the form
1730: \begin{align}
1731: I(\nAuxDeg;\nSrc) &= H(\nSrc) - H(\nSrc|\nAuxDeg)\notag\\
1732: &= H(\nSrc) - H(\nSrc,A|\nAuxDeg) + H(A|\nAuxDeg,\nSrc)\notag\\
1733: &= H(\nSrc) - H(\nSrc|\nAuxDeg,A) - H(A|\nAuxDeg) + H(A|\nAuxDeg,\nSrc)\notag\\
1734: &= 1 - \alpha\cdot h(\tau) - (1-\alpha)\cdot h(\nu),
1735: \label{eq:ius-val}
1736: \end{align}
1737: where the second and third equalities follow from the entropy chain
1738: rule, where the last two terms on the third line are zero
1739: because knowing $\nAuxDeg$ determines $A$, and where the last equality
1740: follows from \eqref{eq:bin_dist_def:u}, with $h(\cdot)$ denoting the
1741: binary entropy function, i.e., $h(q)=-q\log q - (1-q)\log(1-q)$ for
1742: $0\le q\le 1$. Similarly, $I(\nAux;\nChOut)$ takes the form
1743: \begin{align}
1744: I(\nAuxDeg;\nChOut) &= H(\nChOut) - H(\nChOut|\nAuxDeg)\notag\\
1745: &= H(\nChOut) - H(\nChOut,A|\nAuxDeg) + H(A|\nAuxDeg,\nChOut)\notag\\
1746: &= H(\nChOut) - H(\nChOut|\nAuxDeg,A) - H(A|\nAuxDeg) + H(A|\nAuxDeg,\nChOut)\\
1747: &= 1 - \alpha\, h(\crossProb) - (1-\alpha)
1748: h\left(\crossProb(1- \nu) + (1-\crossProb)\nu\right).
1749: \label{eq:iuy-val}
1750: \end{align}
1751: For a fixed $\crossProb$, varying the parameters $\alpha$, $\nu$,
1752: and $\tau$ such that \eqref{eq:iuy-val} is at least as big as
1753: \eqref{eq:ius-val} as required by \eqref{eq:thm:a} generates the
1754: achievable distortion region shown in Fig.~\ref{fig:ham_bin_reg}.
1755: Note from \eqref{eq:iuy-val}, \eqref{eq:ius-val}, \eqref{eq:Diste-bh}
1756: and \eqref{eq:Distr-bh} that the boundary point $\Diste = \Distr =
1757: \crossProb$, in particular, is obtained by the parameter values
1758: $\alpha=1$ and $\tau=\crossProb$ (with any choice of $\nu$).
1759: Numerical optimization over all $p(\nauxdeg|\nsrc)$ and all (not
1760: necessarily singular) $p(\nchin|\nsrc,\naux)$ with the alphabet size
1761: $\card{\auxAlph} =
1762: 7$ chosen in accordance with Proposition~\ref{prop:card} confirms that
1763: Fig.~\ref{fig:ham_bin_reg} captures all achievable distortion pairs.
1764:
1765: \begin{figure}[tbp]
1766: \centering
1767: \psfrag{TITLE}{}
1768: \psfrag{D1}{\LARGE$\Diste$}
1769: \psfrag{D2}{\LARGE$\Distr$}
1770: \includegraphics[angle=0,width=3.0in]{figs/ham_bin_reg.eps}
1771: \caption{The solid curve represents the frontier of the achievable
1772: distortion region for a binary symmetric source and a binary symmetric
1773: reference channel with cross-over probability $\crossProb=0.2$. This
1774: plot reflects the system behavior when the reference channel is in
1775: effect. The dashed line represents the boundary of the larger
1776: distortion region achievable when authentication is not required.
1777: \label{fig:ham_bin_reg}}
1778: \end{figure}
1779:
1780: For comparison, we can also develop the achievable distortion region
1781: when authentication is not required. In this setting the goal is to
1782: provide a representation of the source which allows a decoder to
1783: obtain a good reconstruction from the reference channel output while
1784: keeping the encoding distortion small. Although in general hybrid
1785: analog-digital coding schemes can be used \cite{rjb_bc_gw_preprint},
1786: optimality can also be achieved without any coding in the
1787: binary-Hamming case and thus all points in the region $\Diste\geq0$
1788: and $\Distr\geq\crossProb$ are achievable, as also shown in
1789: Fig.~\ref{fig:ham_bin_reg}. Thus we see that the requirement that
1790: reconstructions be authentic strictly decreases the achievable
1791: distortion region as shown in Fig~\ref{fig:ham_bin_reg}.
1792:
1793: \section{Example: the Gaussian-Quadratic Scenario}
1794: \label{sec:gaussian}
1795:
1796: In some other applications of authentication, the content of interest
1797: is inherently continuous. Examples involve sources such as imagery,
1798: video, or audio. In addition to tampering attacks, such content may
1799: encounter degradations as a result of routine handling that includes
1800: compression, transcoding, resampling, printing, and scanning, as well
1801: as perturbations from editing to enhance the content.
1802:
1803: As perhaps the simplest model representative of such continuous
1804: problems, we consider a white Gaussian source with a white Gaussian
1805: reference channel. Specifically, we model the source as an i.i.d.\
1806: Gaussian sequence where each $\nSrc_i$ has mean zero and variance
1807: $\sigma_{\nSrc}^2$, and the independent reference channel noise as an
1808: i.i.d.\ sequence whose $i$\/th element $N_i$ has mean zero and
1809: variance $\sigma_N^2$. Furthermore, we adopt the quadratic distortion
1810: measure $d(a,b) = (a-b)^2$.
1811:
1812: While our proofs in Section~\ref{sec:proofs} exploited that our
1813: signals were drawn from finite alphabets and that all distortion
1814: measures were bounded to simplify our development, the results can be
1815: generalized to continuous-alphabet sources with unbounded distortion
1816: measures using standard methods. In the sequel, we assume without
1817: proof that the coding theorems hold for Gaussian sources with
1818: quadratic distortion. Since it appears difficult to obtain a
1819: closed-form expression for the optimal distribution for
1820: $\nAuxDeg$,\footnote{An analysis using calculus of variations
1821: suggests that the optimal distribution is not even Gaussian.} we
1822: instead develop good inner and outer bounds on the boundary of the
1823: achievable distortion region.
1824:
1825: \subsection{Unachievable Distortions: Inner Bounds}
1826: \label{sec:gaussian:unachievable}
1827:
1828: To derive an inner bound, we ignore the requirement that
1829: reconstructions be authentic, i.e., satisfy \eqref{eq:estmarkov}, and
1830: study the distortions possible in this case.
1831:
1832: For a given constraint on the power $P$ input to the reference
1833: channel, it is well-known that the minimum possible source
1834: reconstruction distortion $\Distr$ achievable from the output of the
1835: channel can be achieved without either source or channel coding in
1836: this Gaussian scenario, and the resulting distortion is
1837: \begin{equation}
1838: \Distr = \frac{\sigma_N^2 \sigma_{\nSrc}^2}{\sigma_N^2 + P}.
1839: \label{eq:d2:tx}
1840: \end{equation}
1841: Moreover, for a scheme with encoding distortion $\Diste$, the
1842: Cauchy-Schwarz inequality implies that $P$ is
1843: bounded according to
1844: \begin{multline}
1845: P = E[\nChIn^2] = E[(\nChIn-\nSrc + \nSrc)^2]
1846: = E[(\nChIn-\nSrc)^2] + E[\nSrc^2]\\
1847: + 2E[(\nChIn-\nSrc)\nSrc]
1848: \leq \Diste + \sigma_{\nSrc}^2 + 2\sqrt{\Diste\sigma_{\nSrc}^2},
1849: \label{eq:max_nchout_var}
1850: \end{multline}
1851: where equality holds if and only if $\nChIn = \left(1 +
1852: \sqrt{\Diste/\sigma_{\nSrc}^2}\right)\nSrc$. Thus, substituting
1853: \eqref{eq:max_nchout_var} into \eqref{eq:d2:tx} yields the inner bound
1854: \begin{equation}
1855: \Distr = \frac{\sigma_N^2 \sigma_{\nSrc}^2}{\sigma_N^2 +
1856: \left(\sqrt{\Diste} + \sigma_{\nSrc}\right)^2}.
1857: \label{eq:d2:lb}
1858: \end{equation}
1859:
1860: \subsection{Achievable Distortions: Outer Bounds}
1861: \label{sec:gaussian:ach_dist}
1862:
1863: To derive outer bounds we will consider codebooks where
1864: $(\nSrc,\nAux,\nChIn)$ are jointly Gaussian. Since it is sufficient
1865: to consider $\nChIn$ to be a deterministic function of $\nAux$ and
1866: $\nSrc$, the innovations form
1867: \begin{subequations}
1868: \label{eq:gauss_innov_form}
1869: \begin{align}
1870: \genrv &\sim N(0,\sigma_{\genrv}^2), \ \ E[\genrv\nSrc] = 0\\
1871: \nAux &= a \nSrc + c \genrv\\
1872: \nChIn &= b \nAux + d \genrv
1873: \end{align}
1874: \end{subequations}
1875: conveniently captures the desired relationships.\footnote{It can be
1876: shown that choosing either $a=1$ or $c=1$ incurs no loss of
1877: generality.} We examine two regimes: a low $\Diste$ regime in which
1878: we restrict our attention to the parameterization $(a,b,c,d) =
1879: (1,1,1/\alpha,1)$, and a high $\Diste$ regime in which we restrict our
1880: attention to the parameterization $(a,b,c,d) = (1,\beta,1,0)$. As
1881: we will see, time-sharing between these parameterizations yields
1882: almost the entire achievable distortion region for Gaussian codebooks.
1883:
1884: \subsubsection*{Low $\Diste$ Regime}
1885:
1886: We obtain an encoding that is asymptotically good at low
1887: $\Diste$ by using a distribution with structure similar to that used
1888: to achieve capacity in the related problem of information embedding
1889: \cite{costa_83}. In the language of \cite{chen_wornell_2001}, the
1890: encoding process involves distortion-compensation. In particular, the
1891: source is amplified by a factor $1/\alpha$, quantized to the nearest
1892: codeword, attenuated by $\alpha$, and then a fraction of the resulting
1893: quantization error is added back to produce the final encoding, i.e.,
1894: \begin{equation}
1895: \ful{\nChIn} = \alpha Q[\ful{\nSrc}/\alpha] + (1-\alpha) ( \ful{\nSrc}
1896: - \alpha Q[\ful{\nSrc}/\alpha])
1897: \end{equation}
1898: where $Q[\cdot]$ denotes the quantizer function.
1899:
1900: With this encoding structure, it is convenient to make the assignment
1901: $\ful{\nAux} = \alpha Q[\ful{\nSrc}/\alpha]$, so that we may write
1902: \begin{align}
1903: \nAux &= \nSrc + \genrv/\alpha \label{eq:dc-aux}\\
1904: \nChIn &= \nAux + (1-\alpha)(\nSrc-\nAux) = \nSrc + \genrv \label{eq:dc-chin}
1905: \end{align}
1906: where $\genrv$ is a Gaussian random variable with mean zero and
1907: variance $\sigma_{\genrv}^2$ independent of both the source $\nSrc$
1908: and the reference channel noise $N$.
1909:
1910: We choose $\sedec{\cdot}$ to be the minimum mean-square estimate of
1911: $\nSrc$ given $\nAux$. Thus the resulting distortions are, via
1912: \eqref{eq:dc-aux} and \eqref{eq:dc-chin},
1913: \begin{equation}
1914: \Diste = E[(\nChIn-\nSrc)^2]
1915: = E[(\nSrc + \genrv - \nSrc)^2]
1916: = \sigma_{\genrv}^2
1917: \label{eq:d1:bnd}
1918: \end{equation}
1919: and, in turn,
1920: \begin{align}
1921: \Distr &= E[\nSrc^2]\left(1 -
1922: \frac{E[\nSrc\nAux]^2}{E[\nSrc^2]E[\nAux^2]}\right)\notag\\
1923: %
1924: &= \frac{\sigma_{\nSrc}^2
1925: (\sigma_{\genrv}^2+\alpha^2\sigma_{\nSrc}^2 ) -
1926: \alpha^2\sigma_{\nSrc}^4}{\sigma_{\genrv}^2+\alpha^2\sigma_{\nSrc}^2
1927: }\notag\\
1928: %
1929: &= \frac{\sigma_{\nSrc}^2
1930: \Diste}{\Diste+\alpha^2\sigma_{\nSrc}^2}.
1931: \label{eq:d2:bnd}
1932: \end{align}
1933:
1934: To show that distortions \eqref{eq:d1:bnd} and \eqref{eq:d2:bnd} are
1935: achievable requires proving that \eqref{eq:thm:a} holds. In
1936: \cite{costa_83}, the associated difference of mutual informations is
1937: computed (using slightly different notation) as
1938: \begin{multline}
1939: I(\nAux;\nChOut)-I(\nSrc;\nAux) =\\
1940: \frac{1}{2}\log\frac{\sigma_{\genrv}^2(\sigma_{\genrv}^2 +
1941: \sigma_{\nSrc}^2 +
1942: \sigma_N^2)}{\sigma_{\genrv}^2\sigma_{\nSrc}^2(1-\alpha)^2 +
1943: \sigma_N^2(\sigma_{\genrv}^2 + \alpha^2\sigma_{\nSrc}^2)}
1944: \end{multline}
1945: which implies that to keep the difference of mutual informations
1946: nonnegative we need
1947: \begin{equation}
1948: \sigma_{\genrv}^2(\sigma_{\genrv}^2 +
1949: \sigma_{\nSrc}^2 +
1950: \sigma_N^2) \geq \sigma_{\genrv}^2\sigma_{\nSrc}^2(1-\alpha)^2 +
1951: \sigma_N^2(\sigma_{\genrv}^2 + \alpha^2\sigma_{\nSrc}^2).
1952: \end{equation}
1953: Collecting terms in powers of $\alpha$ yields
1954: \begin{equation}
1955: \alpha^2(\sigma_{\genrv}^2\sigma_{\nSrc}^2 +
1956: \sigma_{N}^2\sigma_{\nSrc}^2) - 2\alpha
1957: \sigma_{\genrv}^2\sigma_{\nSrc}^2 - \sigma_{\genrv}^4
1958: = (\alpha-r_+)(\alpha-r_-) \le 0
1959: \label{eq:r12-poly}
1960: \end{equation}
1961: where
1962: \begin{align}
1963: r_+ &= \frac{1 +
1964: \sqrt{1 + \sigma_{\genrv}^2/\sigma_{\nSrc}^2 +
1965: \sigma_{N}^2/\sigma_{\nSrc}^2}}{1 +
1966: \sigma_{N}^2/\sigma_{\genrv}^2} \ge 0 \label{eq:rp-def}\\
1967: r_- &= \frac{1 -
1968: \sqrt{1 + \sigma_{\genrv}^2/\sigma_{\nSrc}^2 +
1969: \sigma_{N}^2/\sigma_{\nSrc}^2}}{1 +
1970: \sigma_{N}^2/\sigma_{\genrv}^2} \le 0. \label{eq:rm-def}
1971: \end{align}
1972: Therefore to satisfy the mutual information constraint we need
1973: $r_- \leq \alpha \leq r_+$.
1974:
1975: To minimize the distortions, \eqref{eq:d2:bnd} and \eqref{eq:d1:bnd}
1976: imply we want $|\alpha|$ as large as possible subject to the
1977: constraint \eqref{eq:r12-poly}. Thus we choose $\alpha = r_+$, from which
1978: we see that
1979: \begin{equation}
1980: \frac{\alpha_{\mathrm{auth}}}{\alpha_{\mathrm{ie}}}
1981: =\left(1+\sqrt{1+\frac{\sigma_{\genrv}^2+\sigma_N^2}{\sigma_{\nSrc}^2}}\right),
1982: \end{equation}
1983: where
1984: $\alpha_{\mathrm{ie}}=\sigma_{\genrv}^2/(\sigma_{\genrv}^2+\sigma_N^2)$
1985: is the corresponding information embedding scaling parameter
1986: determined by Costa \cite{costa_83}. Evidently, the scaling parameter
1987: for the authentication problem is at least twice the scaling for
1988: information embedding and
1989: significantly larger when either the
1990: SNR $\sigma_{\nSrc}^2/\sigma_N^2$ or signal-to-(encoding)-distortion
1991: ratio (SDR) $\sigma_{\nSrc}^2/\sigma_{\genrv}^2$ is small.
1992:
1993: \subsubsection*{High $\Diste$ Regime}
1994:
1995: An encoder that essentially amplifies the quantization of the
1996: source to overcome the reference channel noise is asymptotically good
1997: at high $\Diste$. A system with this structure corresponds to
1998: choosing the encoder random variables according to
1999: \begin{align}
2000: \nAuxDeg &= \nSrc + \genrv\\
2001: \nChIn &= \beta \nAuxDeg.
2002: \end{align}
2003: In turn, choosing as $\sedec{\cdot}$ the minimum mean-square
2004: error estimator of $\nSrc$ given $\nAuxDeg$ yields the distortions
2005: \begin{align}
2006: \Diste &= (1-\beta)^2\sigma_{\nSrc}^2 + \beta^2\sigma_{\genrv}^2
2007: \label{eq:d1_high_d1}\\
2008: \Distr &=
2009: \frac{\sigma_{\nSrc}^2\sigma_{\genrv}^2}{\sigma_{\nSrc}^2 + \sigma_{\genrv}^2}.
2010: \label{eq:d2_high_d1}
2011: \end{align}
2012:
2013: It remains only to determine $\beta$. Since
2014: \begin{equation}
2015: I(\nAuxDeg;\nSrc) =
2016: \frac{1}{2}\log\frac{\sigma_{\nSrc}^2+\sigma_{\genrv}^2}{\sigma_{\genrv}^2}
2017: \end{equation}
2018: and
2019: \begin{equation}
2020: I(\nAuxDeg;\nChOut) =
2021: \frac{1}{2}\log\frac{\beta^2 (\sigma_{\nSrc}^2 + \sigma_{\genrv}^2) +
2022: \sigma_N^2}{\sigma_N^2},
2023: \end{equation}
2024: the mutual information constraint \eqref{eq:thm:a} implies that
2025: \begin{equation}
2026: \beta \geq
2027: \sqrt{\frac{\sigma_{\nSrc}^2\sigma_N^2}{\sigma_{\genrv}^2(\sigma_{\nSrc}^2
2028: + \sigma_{\genrv}^2)}}.
2029: \label{eq:beta_def}
2030: \end{equation}
2031:
2032: \subsection{Comparing and Interpreting the Bounds}
2033:
2034: Using \eqref{eq:d2:bnd} with $\alpha$ given by \eqref{eq:rp-def} and
2035: varying $\sigma_{\genrv}^2$ yields one outer bound. Using
2036: \eqref{eq:d1_high_d1} and \eqref{eq:d2_high_d1} with
2037: \eqref{eq:beta_def} and again varying $\sigma_{\genrv}^2$ yields the
2038: other outer bound. The lower convex envelope of this pair of outer
2039: bounds is depicted in Fig.~\ref{fig:str_reg} at different SNRs. To
2040: see that the first and second outer bounds are asymptotically the best
2041: achievable for low and high $\Diste$, respectively, we superimpose on
2042: these figures the best Gaussian codebook performance, as obtained by
2043: numerically optimizing the parameters in \eqref{eq:gauss_innov_form}.
2044:
2045: \begin{figure*}[tbp]
2046: \centering
2047: \psfrag{D1AX}{\LARGE\hspace{-30pt}\raisebox{-.05in}{$\Diste/\sigma_N^2$ (in dB)}}
2048: \psfrag{D2AX}{\LARGE\hspace{-30pt}\raisebox{.1in}{$\Distr/\sigma_N^2$ (in dB)}}
2049: \includegraphics[angle=0,width=5.5in]{figs/str_reg_4plots.eps}
2050: \caption{Bounds on the achievable distortion region for the
2051: Gaussian-quadratic problem. The lowest solid curve is the inner bound
2052: corresponding to the boundary of the achievable region when
2053: reconstructions need not be authentic. The numerically obtained upper
2054: solid curve is the outer bound resulting from the use of Gaussian
2055: codebooks. The dashed curve corresponds to the lower convex envelope
2056: of the simple low and high $\Diste$ analytic outer bounds derived in
2057: the text. \label{fig:str_reg}}
2058: \end{figure*}
2059:
2060: By using \eqref{eq:d2:lb},
2061: \eqref{eq:d2:bnd}, and \eqref{eq:d2_high_d1}, it is possible to show
2062: that for any fixed $\Diste \ge \sigma_N^2$ the inner and outer bounds
2063: converge asymptotically in SNR in the sense that
2064: \[
2065: \lim_{\textnormal{SNR}\rightarrow\infty}
2066: \frac{D_{r,\textnormal{outer}}}{D_{r,\textnormal{inner}}} = 1
2067: \]
2068: where $D_{r,\textnormal{inner}}$ and $D_{r,\textnormal{outer}}$
2069: represent the inner and outer bounds corresponding to the fixed value
2070: of $\Diste$. Thus, in this high SNR regime, Gaussian codebooks are
2071: optimal, and \eqref{eq:d2:lb} accurately characterizes their
2072: performance as reflected in Fig.~\ref{fig:str_reg}.
2073:
2074: The figure also indicates (and it is possible to prove) that for any
2075: fixed SNR, the inner and outer bounds converge asymptotically in
2076: $\Diste$ in the sense that
2077: \[
2078: \lim_{\Diste\rightarrow\infty}
2079: \frac{D_{r,\textnormal{outer}}(\Diste)}{D_{r,\textnormal{inner}}(\Diste)} = 1
2080: \]
2081: where $D_{r,\textnormal{inner}}(\Diste)$ and
2082: $D_{r,\textnormal{outer}}(\Diste)$ represent the inner and outer
2083: bounds as a function of the encoding distortion $\Diste$. Evidently
2084: in this high encoding distortion regime, $\Distr/\sigma_N^2$ can be
2085: made arbitrarily small by using Gaussian codebooks and making
2086: $\Diste/\sigma_N^2$ sufficiently large. While this implies that, in
2087: principle, there is no fundamental limit to how small we can make
2088: $\Distr$ by increasing $\Diste$ through amplification of the source,
2089: in practice secondary effects not included in the model such as
2090: saturation or clipping will provide an effective limit.
2091:
2092: Finally, note that the cost of providing authentication is readily
2093: apparent since the inner bound from \eqref{eq:d2:lb} represents the
2094: distortions achievable when the reconstruction need not be authentic.
2095: Since for a fixed SNR, the bounds converge asymptotically for large
2096: $D_e$, and for a fixed $D_e \geq \sigma_N^2$ the bounds converge
2097: asymptotically for large SNR, we conclude that the price of
2098: authentication is negligible in these regimes. However, for low
2099: $\Diste$ regimes of operation, requiring authenticity strictly reduces
2100: the achievable distortion region. This behavior is analogous to that
2101: observed in the binary-Hamming case.
2102:
2103: \section{Comparing Authentication Architectures}
2104: \label{sec:discussion}
2105:
2106: The most commonly studied architectures for authentication are robust
2107: watermarking (i.e., self-embedding) and fragile watermarking. In the
2108: sequel we compare these architectures to that developed in this paper.
2109:
2110: \subsection{Authentication Systems Based on Robust Watermarking}
2111: \label{sec:robust}
2112:
2113: The robust watermarking approach to encoding for authentication (see,
2114: e.g., \cite{schneider_1996, queluz, bat_kut, rey_2000, Lin_2001})
2115: takes the form of a quantize-and-embed strategy. The basic steps of
2116: the encoding are as follows. First, the source $\ful{S}$ is quantized
2117: to a representation in terms of bits using a source coding
2118: (compression) algorithm. Second the bits are protected using a
2119: cryptographic technique such as a digital signature or hash function.
2120: Finally, the protected bits are embedded into the original source
2121: using an information embedding (digital watermarking) algorithm. At
2122: the decoder, the embedded bits are extracted. If their authenticity
2123: is verified via the appropriate cryptographic technique, a
2124: reconstruction of the source is produced from the bits. Otherwise,
2125: the decoder declares that an authentic reconstruction is not possible.
2126:
2127: It is straightforward to develop the information-theoretic limits of
2128: such approaches, and to compare the results to the optimum systems
2129: developed in the preceding sections. In particular, if we use optimum
2130: source coding and information embedding in the quantize-and-embed
2131: approach, it follows that, in contrast to Theorem~\ref{th:main}, the
2132: distortion pair $(\Diste,\Distr)$ lies in the achievable distortion
2133: region for a quantize-and-embed structured solution to the problem
2134: \eqref{eq:authprob} if and only if there exists distributions
2135: $p(\nsrch|\nsrc)$ and $p(\naux|\nsrc)$, and a function
2136: $\senc{\cdot,\cdot}$, such that
2137: \begin{subequations}
2138: \label{eq:qe}
2139: \begin{align}
2140: I(\nAux;\nChOut) - I(\nSrc;\nAux) &\geq I(\nSrc;\nSrch) \label{eq:qe:a} \\
2141: E[\diste(\nSrc,\senc{\nAux,\nSrc})] &\leq \Diste \label{eq:qe:b} \\
2142: E[\distr(\nSrc,\nSrch)] &\leq \Distr. \label{eq:qe:c}
2143: \end{align}
2144: These results follow from the characterization of the rate-distortion
2145: function of a source \cite{cover} and the capacity of information
2146: embedding systems with distortion constraints as developed in
2147: \cite{rjb_bc_gw_preprint} as an extension of \cite{gelfand_1980}.
2148: \end{subequations}
2149:
2150: Comparing \eqref{eq:qe} to \eqref{eq:thm} with $\nSrch=g(\nAux)$ we
2151: see that quantize-and-embed systems are unnecessarily constrained,
2152: which translates to a loss of efficiency relative to the optimum joint
2153: source--channel--authentication coding system constructions of
2154: \secref{sec:proofs}. This performance penalty can be quite severe in
2155: the typical regimes of interest, as we now illustrate. In particular,
2156: we quantify this behavior in the two example scenarios considered
2157: earlier: the binary-Hamming and Gaussian-quadratic cases.
2158:
2159:
2160: \subsubsection{Example: Binary-Hamming Case}
2161:
2162: In this scenario, the rate-distortion function is \cite{cover}
2163: \begin{equation}
2164: R(\Distr) = 1 - h(\Distr),
2165: \label{eq:rd-bh}
2166: \end{equation}
2167: while the information embedding capacity is (see
2168: \cite{rjb_bc_gw_preprint}) the upper concave envelope of the function
2169: \begin{equation}
2170: g_p(\Diste) =
2171: \begin{cases}
2172: 0, & \text{if $0\leq d<p$,} \\
2173: h(\Diste)-h(p), & \text{if $p\leq \Diste\leq1/2$,}
2174: \end{cases}
2175: \label{eq:g-ie}
2176: \end{equation}
2177: i.e.,
2178: \begin{equation}
2179: C(\Diste) =
2180: \begin{cases}
2181: \displaystyle
2182: \frac{g_p(\Dist_p)}{\Dist_p}\Diste, & \text{if $0\leq \Diste\leq \Dist_p$,} \\
2183: g_p(\Diste), & \text{if $\Dist_p< \Diste \leq 1/2$,}
2184: \end{cases}
2185: \label{eq:ie-bh}
2186: \end{equation}
2187: where $\Dist_p=1-2^{-h(p)}$. Equating $R$ in \eqref{eq:rd-bh} to $C$
2188: in \eqref{eq:ie-bh}, we obtain a relation between $\Distr$ and
2189: $\Diste$. This curve is depicted in Fig.~\ref{fig:h_comp} for
2190: different reference channel parameters. As this figure reflects, the
2191: optimum quantize-and-embed system performance lies strictly inside the
2192: achievable region for the binary-Hamming scenario developed in
2193: \secref{sec:binary_hamming}, with the performance gap largest for the
2194: cleanest reference channels. Moreover, since as we saw in
2195: Section~\ref{sec:exdr} clean reference channels correspond to ensuring
2196: small encoding and reconstruction distortions, this means that
2197: quantize-and-embed systems suffer the largest losses precisely in the
2198: regime one would typically want to operate in.
2199:
2200: \begin{figure*}[tbp]
2201: \centering
2202: \psfrag{D1}{\Large$\Diste$}
2203: \psfrag{D2}{\Large$\Distr$}
2204: \psfrag{TT1}{$\crossProb=0.05$}
2205: \psfrag{TT2}{$\crossProb=0.10$}
2206: \psfrag{TT3}{$\crossProb=0.15$}
2207: \psfrag{TT4}{$\crossProb=0.20$}
2208: \includegraphics[angle=0]{figs/h_comp_wmark_4plots.eps}
2209: \caption{Performance loss of quantize-and-embed systems for the
2210: Binary-Hamming scenario with various reference channel crossover
2211: probabilities $p$. The solid curve depicts the boundary of the
2212: achievable regions for the optimum system; the dashed curve depicts
2213: that of the best quantize-and-embed system. \label{fig:h_comp}}
2214: \end{figure*}
2215:
2216: \subsubsection{Example: Gaussian-Quadratic Case}
2217:
2218: In this scenario, the rate-distortion function is \cite{cover}
2219: \begin{equation}
2220: R(\Distr) =
2221: \begin{cases} \frac{1}{2} \log\frac{\sigma_{\nSrc}^2}{\Distr},
2222: & 0 \le \Distr \le \sigma_{\nSrc}^2 \\
2223: 0, & \Distr > \sigma_{\nSrc}^2,
2224: \end{cases}
2225: \label{eq:rd-gq}
2226: \end{equation}
2227: while the information embedding capacity is \cite{costa_83}
2228: \begin{equation}
2229: C(\Diste) = \frac{1}{2}\log\left(1 + \frac{\Diste}{\sigma_N^2}\right).
2230: \label{eq:ie-gq}
2231: \end{equation}
2232: Again, equating $R$ in \eqref{eq:rd-gq} to $C$ in \eqref{eq:ie-gq}, we
2233: obtain the following relation between $\Distr$ and $\Diste$ for all
2234: $\Diste > 0$:
2235: \begin{equation}
2236: \Distr =\frac{\sigma_{\nSrc}^2}{(1 + \Diste/\sigma_N^2)}.
2237: \label{eq:qe-gq}
2238: \end{equation}
2239: This curve is depicted in Fig.~\ref{fig:g_comp} for different
2240: reference channel SNRs. This figure reflects that the optimum
2241: quantize-and-embed system performance lies strictly inside the
2242: achievable region for the Gaussian-quadratic scenario developed in
2243: \secref{sec:gaussian}. Likewise, the performance gap is largest for
2244: the highest SNR reference channels. Indeed, comparing the inner bound
2245: \eqref{eq:d2:lb} on the performance of the optimum system with that of
2246: quantize-and-embed, i.e., \eqref{eq:qe-gq}, we see that while
2247: quantize-and-embed incurs no loss at low SNR:
2248: \begin{equation}
2249: \frac{\Distr^{\mathrm{qe}}}{\Distr} \rightarrow 1 \quad\text{as}\quad
2250: \frac{\sigma_{\nSrc}^2}{\sigma_N^2} \rightarrow 0,
2251: \end{equation}
2252: at high SNR the loss is as much as $\mathrm{SNR}/2$ for
2253: $\Diste\ge\sigma_N^2$:
2254: \begin{equation}
2255: \frac{\sigma_N^2}{\sigma_{\nSrc}^2}
2256: \frac{\Distr^{\mathrm{qe}}}{\Distr} \rightarrow
2257: \frac{1}{1+\Diste/\sigma_N^2} \le \frac{1}{2} \quad\text{as}\quad
2258: \frac{\sigma_{\nSrc}^2}{\sigma_N^2} \rightarrow \infty,
2259: \end{equation}
2260: where we have used $\Distr^{\mathrm{qe}}$ to denote the
2261: quantize-and-embed reconstruction distortion \eqref{eq:qe-gq}.
2262:
2263: Hence, as in the binary-Hamming case, we see again that
2264: quantize-and-embed systems suffer the largest losses in the regime
2265: where one is most interested in operating --- that where the editor is
2266: allowed to make only perturbations small enough that the corresponding
2267: encoding and reconstruction distortions are small.\footnote{It should
2268: be emphasized that while one could argue that the quadratic distortion
2269: measure is a poor measure of semantic proximity in many applications,
2270: such reasoning confuses two separate issues. We show here that
2271: quantize-and-embed systems are quite poor when the quadratic measure
2272: corresponds \emph{exactly} to the semantics of interest. For problems
2273: where it is a poor match, one can expect systems based on more
2274: accurate measures to exhibit the same qualitative behavior --- that
2275: quantize-and-embed systems will be least attractive in regimes where
2276: the source encodings and reconstructions are constrained to be
2277: semantically close to the original source.}
2278:
2279: \begin{figure*}[hbt]
2280: \centering
2281: \psfrag{-10DBSNR}{\Large\hspace{.5in} -10 dB SNR}
2282: \psfrag{0DBSNR}{\Large\hspace{.5in} 0 dB SNR}
2283: \psfrag{10DBSNR}{\Large\hspace{.5in} 10 dB SNR}
2284: \psfrag{30DBSNR}{\Large\hspace{.5in} 30 dB SNR}
2285: \psfrag{DAX1}{\Large\hspace{-30pt}\raisebox{-.05in}{$\Diste/\sigma_N^2$ (in dB)}}
2286: \psfrag{DAX2}{\Large\hspace{-30pt}\raisebox{.1in}{$\Distr/\sigma_N^2$ (in dB)}}
2287: \includegraphics[angle=0]{figs/g_comp_wmark_4plots.eps}
2288: \caption{Performance loss of quantize-and-embed systems for the
2289: Gaussian-quadratic scenario at various reference channel SNRs. The
2290: solid curve depicts the asymptotic outer bound of the
2291: achievable regions for the optimum system; the dashed curve depicts
2292: that of the best quantize-and-embed system. \label{fig:g_comp}}
2293: \end{figure*}
2294:
2295:
2296: \iffalse
2297: Recently, more sophisticated quantize-and-embed strategies
2298: generalizing the traditional robust watermarking approach have started
2299: to appear \cite{sun_2002}. Such schemes do not directly embed the
2300: compressed source signal, but rather embed parity check bits from an
2301: error correcting code computed from the original signal. The decoder
2302: essentially treats the its signal as side information and
2303: combines it with the extracted parity check bits to provide an
2304: authentic reconstruction.
2305: \fi
2306:
2307: \subsection{Authentication Systems Based on Fragile Watermarking}
2308: \label{sec:fragile}
2309:
2310: A fundamentally different approach to the authentication problems of
2311: this paper is based on constraining the semantic severity of the
2312: modifications the editor is allowed to make. In particular, given a
2313: distortion measure that captures the semantic impact of edits to the
2314: content, the decoder will declare the edited content authentic if and
2315: only if the distortion is below some predetermined threshold. We
2316: refer to these as authentication systems based on semantic
2317: thresholding.
2318:
2319: It is important to appreciate that the manner in which the editor is
2320: constrained in systems based on semantic thresholding is qualitatively
2321: quite different from the way the editor is constrained in the systems
2322: developed in this paper. In particular, in our formulation, the
2323: editor is contrained according to a reference channel model that can
2324: be freely chosen --- independently of any semantic model.
2325:
2326: While in this section we are primarily interested in discussing the
2327: properties of such systems, we first briefly describe how such
2328: systems can be designed. We begin by noting that role of the encoder
2329: in such systems is to mark the original content so as to enable the
2330: eventual decoder to estimate the distortion between the edited content
2331: and that original content, despite not having direct access to the
2332: latter.
2333:
2334: One approach to such a problem would be to use the self-embedding idea
2335: discussed in \secref{sec:robust}. In particular, a compressed version
2336: of the original content would be embedded into that content so that it
2337: could be reliably extracted from the edited content by the decoder and
2338: used in the distortion calculation. In practice, such self-embedding
2339: can be somewhat resource inefficient, much as it was in the context of
2340: \secref{sec:robust}. Instead, an approach based on so-called fragile
2341: watermarking is more typically proposed, which allows the decoder to
2342: measure the distortion without explicitly being given an estimate of
2343: the original content. With this approach, distortion in the known
2344: watermark that results from editing the content are used to infer the
2345: severity of distortion in the content itself.
2346:
2347: Typical implementations of the fragile watermarking approach to
2348: encoding for authentication (see, e.g., \cite{kundur, yeung_1997,
2349: wolfgang_1996, eggers_2001}) take the following form. A watermark
2350: message $M$ known only to the encoder and decoder (and kept secret
2351: from the editor) is embedded into the source signal by the encoder.
2352: The editor's processing of the encoded content indirectly perturbs the
2353: watermark. A decoder extracts this perturbed watermark $\hat{M}$,
2354: measures the size of the perturbation (e.g., by computing the
2355: distortion between $\hat{M}$ and $M$ with respect to some suitable
2356: measure), then uses the result to assess the (semantic) severity of
2357: the editing the content has undergone. If the severity is below some
2358: predetermined threshold, the decoder declares the signal to be
2359: authentic.
2360:
2361: A detailed information-theoretic characterization of authentication
2362: systems based on semantic thresholding is beyond the scope of this
2363: paper. However, in the sequel we emphasize some important qualitative
2364: differences in the security characteristics between such schemes and
2365: those developed in this paper. In particular, as we now develop,
2366: there is a fundamental vulnerability in semantic thresholding schemes
2367: that results from their inherent sensitivity to mismatch in the chosen
2368: semantic model.
2369:
2370: To see this, consider a mismatch scenario in which the authentication
2371: system is designed with an incorrect semantic model (distortion
2372: measure). If the system is based on semantic thresholding, then an
2373: attacker who recognizes the mismatch can exploit this knowledge to
2374: make an edit that is semantically significant, but which the system
2375: will deem as semantically insignificant due to the model error, and
2376: thus accept as authentic. Thus, for such systems, a mismatch can lead
2377: to a security failure.
2378:
2379: By contrast, for the authentication systems developed in this paper,
2380: designing the system based on the incorrect semantic model reduces the
2381: efficiency of the system, but does not impact its security. In
2382: particular, use of the incorrect semantic model leads to encodings
2383: and/or authentic reconstructions with unnecessarily high distortions
2384: (with respect to the correct model). However, attackers cannot
2385: exploit this to circumvent the security mechanism, since they are
2386: constrained by the reference channel, which is independent of the
2387: semantic model.
2388:
2389: From such arguments, one might conclude that systems based on semantic
2390: thresholding might be preferable so long as care is taken to develop
2391: accurate semantic models. However, such a viewpoint fails to
2392: recognize that in practice some degree of mismatch is inevitable ---
2393: the high complexity of accurate semantic models makes them inherently
2394: difficult to learn. Thus, in a practical sense, authentication
2395: systems based on semantic thresholding are intrinsically less secure
2396: than those developed in this paper.
2397:
2398: \section{Layered Authentication: Broadcast Reference Channels}
2399: \label{sec:layered}
2400:
2401: For many applications, one might be interested in an authentication
2402: system with the property that an authentic reconstruction is always
2403: produced, but that its quality degrades gracefully with the
2404: extensiveness of the editing the content has undergone. In this
2405: section we show that discretized versions of such behavior are
2406: possible, and can be built as a natural extension of the formulation
2407: of this paper.
2408:
2409: To develop this idea, we begin by observing that the systems developed
2410: thus far in the paper represent a first-order approximation to such
2411: behavior. In particular, for edits consistent with the reference
2412: channel model, an authentic reconstruction of fixed quality is
2413: produced. When the editing is not consistent with the reference
2414: channel, the only possible authentic reconstruction is the minimal
2415: quality one one obtained from the \emph{a priori} distribution for the
2416: content, since the edited version must be ignored altogether. In this
2417: section, we show that by creating a hierarchy of reference channels
2418: corresponding to increasing amounts of editing, one can create
2419: multiple authentication reconstructions. In this way, a graceful
2420: degradation characteristic can be obtained to any desired granularity.
2421:
2422: Such systems can be viewed as layered authentication systems, and
2423: arise naturally out of the use of broadcast reference channel models.
2424: With such systems there is a fixed encoding of the source that incurs
2425: some distortion. Then, from edited content that is consistent with
2426: any of the constituent reference channels in the broadcast model, the
2427: decoder produces an authentic reconstruction of some corresponding
2428: fidelity. Otherwise, the decoder declares that an authentic
2429: reconstruction is not possible.
2430:
2431: For the purpose of illustration, we focus on the two-user memoryless
2432: degraded broadcast channel \cite{cover} as our reference channel.
2433: This corresponds to a two-layer authentication system. For
2434: convenience, we refer to the strong channel as the ``mild-edit'' one,
2435: and the weak channel, which is a degraded version of the strong one,
2436: as the ``harsh-edit'' one. Edits consistent with the mild-edit branch
2437: of the reference channel will allow higher quality authentic
2438: reconstructions, which we will call ``fine,'' while edits consistent
2439: with the harsh-edit branch will allow lower quality authentic
2440: reconstructions, which we will call ``coarse''. For edits
2441: inconsistent with either branch, the only authentic reconstruction
2442: will be one that ignores the edited data, which will be of lowest
2443: quality.
2444:
2445: In this scenario, for any prescribed level of encoding distortion
2446: $\Diste$, there is a fundamental trade-off between the achievable
2447: distortions $\Distrf$ and $\Distrc$ of the corresponding fine and
2448: coarse authentic reconstructions, respectively. Of course
2449: $\Distrc\ge\Distrf$ will always be satisfied. However, as we will see,
2450: achieving smaller values of $\Distrc$ in general requires accepting
2451: larger values of $\Distrf$ and vice-versa. Using the ideas of this
2452: paper, one can explore the fundamental nature of such trade-offs.
2453:
2454: \subsection{Achievable Distortion Regions}
2455:
2456: The scenario of interest is depicted in
2457: Fig.~\ref{fig:broadcast_prob_mod}. As a natural generalization of its
2458: definition in the single-layer context \eqref{eq:authprob}, an
2459: instance of the layered authentication problem consists of the eight-tuple
2460: \begin{equation}
2461: \left\{ \srcAlph, p(\nsrc), \chinAlph, \choutAlph,
2462: p(\nchoutdeg|\nchoutref), p(\nchoutref|\nchin),
2463: \diste(\cdot,\cdot), \distr(\cdot,\cdot) \right\},
2464: \label{eq:layauthprob}
2465: \end{equation}
2466: where, since our reference channel is a degraded broadcast channel,
2467: the reference channel law takes the form
2468: \begin{equation}
2469: \label{eq:deg_cond}
2470: p(\ful{\nchoutdeg},\ful{\nchoutref}|\ful{\nchin}) =
2471: p(\ful{\nchoutdeg}|\ful{\nchoutref})\,p(\ful{\nchoutref}|\ful{\nchin}).
2472: \end{equation}
2473:
2474: \begin{figure*}[tbp]
2475: \centering
2476: \psfrag{X}{$\ful{\nSrc}$}
2477: \psfrag{Y}{$\ful{\nChIn}$}
2478: \psfrag{A}{$\ful{\nChOutDeg}$}
2479: \psfrag{B}{$\ful{\nChOutRef}$}
2480: \psfrag{C}{$\ful{\nSrch_{\mathrm{c}}}$}
2481: \psfrag{D}{$\ful{\nSrch_{\mathrm{f}}}$}
2482: \includegraphics[angle=0,width=6in]{figs/broadcast_prob_mod.eps}
2483: \caption{Two-layer authentication system operation when the reference
2484: channel is in effect. From the outputs $\nChOutRef$ and $\nChOutDeg$
2485: of the degraded broadcast reference channel, corresponding to mild and
2486: harsh editing, the respective fine and coarse authentic
2487: reconstructions $\ful{\nSrch_{\mathrm{f}}}$ and
2488: $\ful{\nSrch_{\mathrm{c}}}$ are produced. The common encoding
2489: obtained from the source $\ful{\nSrc}$ is $\ful{\nChIn}$.
2490: \label{fig:broadcast_prob_mod}}
2491: \end{figure*}
2492:
2493: Let $\ful{\nSrch_{\mathrm{c}}}$ denote the (coarse) authentic
2494: reconstruction obtained when decoder input is consistent with the
2495: harsh-edit output of the reference channel, and let
2496: $\ful{\nSrch_{\mathrm{f}}}$ denote the (fine) authentic reconstruction
2497: obtained when decoder input is consistent with the mild-edit output of
2498: the reference channel. In turn, the corresponding two reconstruction
2499: distortions are defined according to
2500: \begin{subequations}
2501: \begin{align}
2502: \Distrc &= \frac{1}{n} \sum_{i=1}^n
2503: \distrc(\ful{\nSrc},\ful{\nSrch_{\mathrm{c}}})\\
2504: %
2505: \Distrf &= \frac{1}{n} \sum_{i=1}^n
2506: \distrf(\ful{\nSrc},\ful{\nSrch_{\mathrm{f}}}).
2507: \end{align}
2508: \label{eq:distr-lay}
2509: \end{subequations}
2510:
2511: The following theorem develops trade-offs between the encoding
2512: distortion $\Diste$, and the two reconstruction distortions
2513: \eqref{eq:distr-lay} that are achievable.
2514: \begin{theorem}
2515: \label{thm:layered}
2516: The distortion triple $(\Diste, \Distrc, \Distrf)$ lies in the
2517: achievable distortion region for the layered authentication problem
2518: \eqref{eq:layauthprob} if there exist distributions
2519: $p(\nauxdeg,\nauxref|\nsrc)$ and $p(\nchin|\nauxdeg,\nauxref,\nsrc)$,
2520: and functions $\degsedec{\cdot}$ and $\refsedec{\cdot}{\cdot}$ such
2521: that
2522: \begin{subequations}
2523: \label{eq:layered:thm}
2524: \begin{align}
2525: I(\nAuxDeg;\nChOutDeg) - I(\nSrc;\nAuxDeg) &\geq 0 \label{eq:layered:a}\\
2526: I(\nAuxRef;\nChOutRef|\nAuxDeg) - I(\nSrc;\nAuxRef|\nAuxDeg) &\geq 0
2527: \label{eq:layered:b} \\
2528: E[\diste(\nSrc,\nChIn)] &\leq \Diste \label{eq:layered:c}\\
2529: E[\distrc(\nSrc,\degsedec{\nAuxDeg})] &\leq \Distrc. \label{eq:layered:d}\\
2530: E[\distrf(\nSrc,\refsedec{\nAuxDeg}{\nAuxRef})] &\leq
2531: \Distrf. \label{eq:layered:e}
2532: \end{align}
2533: \end{subequations}
2534: \end{theorem}
2535: In this theorem, the achievable distortion region is defined in a
2536: manner that is the natural generalization of that for single-layer
2537: systems as given in Definition~\ref{def:adr}.
2538:
2539: In the interests of brevity and since it closely parallels that for
2540: the single-layer case, we avoid a formal derivation of this result.
2541: Instead, we sketch the key ideas of the construction. We also leave
2542: determining the degree to which the distortion region can be further
2543: extended via more elaborate coding for future work.
2544:
2545: \begin{proof}[Sketch of Proof:]
2546:
2547: First a codebook $\cbookdeg$ is created for the harsh-edit layer at
2548: rate $\cbkRdeg = I(\nAuxDeg;\nSrc) + 2\gamma$ where only
2549: $2^{n(\cbkRdeg+\gamma)}$ codewords are marked as admissible as in
2550: \thrmref{th:main}. Then for each codeword $\cdeg \in \cbookdeg$ an
2551: additional random codebook $\cbookref(\cdeg)$ of rate $\cbkRref =
2552: I(\nAuxRef;\nSrc|\nAuxDeg) + 2\gamma$ is created according to the
2553: marginal distribution $p(\nauxref|\nauxdeg)$ where only $2^{n(\cbkRref
2554: + \gamma)}$ codewords are marked as admissible.
2555:
2556: The encoder first searches $\cbookdeg$ for an admissible codeword $\cdeg$
2557: jointly typical with the source and then searches $\cbookref(\cdeg)$ for a
2558: refinement $\cref$ that is jointly typical with the source. The pair
2559: $(\cdeg,\cref)$ is then mapped into the channel according to
2560: $p(\nchin|\nauxdeg,\nauxref,\nsrc)$. By standard arguments the
2561: encoding will succeed with high probability provided that $\cbkRdeg >
2562: I(\nAuxDeg;\nSrc)$ and $\cbkRref > I(\nAuxRef;\nSrc|\nAuxDeg)$.
2563:
2564: When the channel output is consistent with either output of the
2565: reference channel, the decoder locates an admissible codeword $\cdegh
2566: \in \cbookdeg$ jointly typical with the signal. If the
2567: signal is consistent with the harsh-edit output of the reference
2568: channel, in particular, the decoder then produces the coarse authentic
2569: reconstruction $\ful{\nSrch}_{\mathrm{c}} = \degsedec{\cdegh}$.
2570: However, if the signal is consistent with the mild-edit output of
2571: the reference channel, the decoder then proceeds to locate an
2572: admissible $\crefh \in \cbookref(\cdegh)$ and produces the fine
2573: authentic reconstruction $\ful{\nSrch}_{\mathrm{f}} =
2574: \refsedec{\cdegh}{\crefh}$.
2575:
2576: By arguments similar to those used in the single-layer case (i.e.,
2577: proof of \thrmref{th:main}), this strategy achieves vanishingly small
2578: probabilities of successful attack, and when the reference channel is
2579: in effect meets the distortion targets provided that $\cbkRdeg <
2580: I(\nAuxDeg;\nChOutDeg)$ and $\cbkRref <
2581: I(\nAuxRef;\nChOutRef|\nAuxDeg)$.
2582:
2583: \end{proof}
2584:
2585: \subsection{Example: Gaussian-Quadratic Case}
2586:
2587: The Gaussian-quadratic case corresponds to the mild- and harsh-edit
2588: outputs of the reference channel taking the forms $\nChOutRef = \nChIn
2589: + N$ and $\nChOutDeg = \nChOutRef + V$, respectively, where $N$ and
2590: $V$ are Gaussian random variables independent of each other, as well
2591: as $\nSrc$ and $\nChIn$.
2592:
2593: For this case, a natural approach to the layered authentication system
2594: design has the structure depicted in Fig.~\ref{fig:sigspacelay}, which
2595: generalizes that of the single-layer systems developed in
2596: Section~\ref{sec:gaussian}. The encoder determines the codeword
2597: $\ful{\nAuxRef}$ nearest the source $\ful{\nSrc}$, then perturbs
2598: $\ful{\nAuxRef}$ so as to reduce the encoding distortion, producing
2599: the encoding $\ful{\nChIn}$. If the channel output stays within the
2600: darkly shaded sphere centered about $\ful{\nAuxRef}$, e.g., producing
2601: $\ful{\nChOutRef}$ as shown, the decoder produces a fine-grain
2602: authentic reconstruction from $\ful{\nAuxRef}$. If the channel output
2603: is outside the darkly shaded sphere, but inside the encompassing
2604: lightly shaded sphere centered about $\ful{\nAuxDeg}$, e.g., producing
2605: $\ful{\nChOutDeg}$ as shown, the decoder produces a coarse-grain
2606: authentic reconstruction from $\ful{\nAuxDeg}$. If the channel output
2607: is outside any shaded region, e.g., producing $\ful{Z}$, the decoder
2608: indicates that an authentic reconstruction is not possible.
2609:
2610: \begin{figure*}[tbp]
2611: \centering
2612: \psfrag{Sn}{\large$\ful{\nSrc}$}
2613: \psfrag{Xn}{\large$\ful{\nChIn}$}
2614: \psfrag{Un}{\large$\ful{\nAuxDeg}$}
2615: \psfrag{Tn}{\large$\ful{\nAuxRef}$}
2616: \psfrag{Wna}{\large$\ful{\nChOutRef}$}
2617: \psfrag{Wnb}{\large$\ful{\nChOutDeg}$}
2618: \psfrag{Wnc}{\large$\ful{Z}$}
2619: \includegraphics[angle=0,width=5in]{figs/sigspacelay.eps}
2620: \caption{Illustration of the nested codebook geometry associated with
2621: a two-layer authentication system for the Gaussian-quadratic scenario.
2622: The centers of large and small shaded spheres correspond to admissible
2623: coarse and fine authentic reconstructions, respectively.
2624: \label{fig:sigspacelay}}
2625: \end{figure*}
2626:
2627: An achievable distortion region for this layered authentication
2628: scenario is obtained from Theorem~\ref{thm:layered} with the
2629: auxiliary random variables chosen according to
2630: \begin{align}
2631: \nAuxDeg &= \nSrc + A/\alpha\\
2632: \nAuxRef &= \nSrc + B/\beta\\
2633: \nChIn &= \nSrc + A + B.
2634: \end{align}
2635: where $A$ and $B$ are Gaussian random variables independent of
2636: $\nSrc$. Choosing $\degsedec{\cdot}$ and $\refsedec{\cdot}{\cdot}$ to
2637: be the minimum mean-square error estimates of $\nSrc$ from $\nAuxDeg$
2638: and $(\nAuxDeg,\nAuxRef)$, respectively, yields
2639: \begin{align}
2640: \Diste &= \sigma_A^2 + \sigma_B^2\\
2641: \Distrc &= \sigma_{\nSrc}^2\left(1 -
2642: \frac{E[\nSrc\nAuxDeg]^2}{E[\nSrc^2]E[\nAuxDeg^2]}\right) =
2643: \frac{\sigma_{\nSrc}^2\sigma_A^2}{\sigma_A^2 + \alpha^2
2644: \sigma_{\nSrc}^2}\\
2645: \Distrf &= \sigma_{\nSrc}^2 - \Lambda_{\nSrc,[\nAuxDeg \nAuxRef]}
2646: \Lambda_{[\nAuxDeg \nAuxRef]}^{-1} \Lambda_{[\nAuxDeg \nAuxRef],
2647: \nSrc} \notag\\
2648: & =
2649: \frac{\sigma_{\nSrc}^2\sigma_A^2\sigma_B^2}{\beta^2 \sigma_{\nSrc}^2
2650: \sigma_A^2 + \sigma_A^2\sigma_B^2 + \alpha^2\sigma_{\nSrc}^2\sigma_B^2},
2651: \end{align}
2652: where $\Lambda$ with a single subscript denotes the covariance of its
2653: argument, and $\Lambda$ with a subscript pair denotes the
2654: cross-covariance between its arguments.
2655:
2656: To produce $\ful{\nSrch_{\mathrm{c}}}$, a decoder essentially views
2657: $B$ as additive channel noise. Therefore, we can immediately apply
2658: the arguments from \secref{sec:gaussian:ach_dist} to obtain
2659: \begin{multline}
2660: I(\nAux;\nChOutDeg)-I(\nSrc;\nAux) =\\
2661: \frac{1}{2}\log\frac{\sigma_{A}^2(\sigma_{A}^2 +
2662: \sigma_{\nSrc}^2 +
2663: \sigma_N^2+\sigma_V^2+\sigma_B^2)}{\sigma_{A}^2\sigma_{\nSrc}^2(1-\alpha)^2 +
2664: (\sigma_N^2+\sigma_V^2+\sigma_B^2)(\sigma_{A}^2 +
2665: \alpha^2\sigma_{\nSrc}^2)}.
2666: \end{multline}
2667: From this we can solve for $\alpha$ as in the single-layer case of
2668: \secref{sec:gaussian:ach_dist} by simply replacing $\sigma_{\genrv}^2$
2669: and $\sigma_{N}^2$ with $\sigma_{A}^2$ and $\sigma_N^2 + \sigma_V^2 +
2670: \sigma_B^2$, respectively, in \eqref{eq:rp-def}.
2671:
2672: Finally, since
2673: \begin{multline}
2674: I(\nSrc;\nAuxRef|\nAuxDeg) - I(\nAuxRef;\nChOutRef|\nAuxDeg)
2675: =
2676: H(\nAuxRef|\nAuxDeg,\nChOutRef) - H(\nAuxRef|\nAuxDeg,\nSrc) \\
2677: =H(\nAuxRef,\nAuxDeg,\nChOutRef)-H(\nAuxDeg,\nChOutRef)\\ -
2678: H(\nAuxRef,\nAuxDeg,\nSrc)+ H(\nAuxDeg,\nSrc).
2679: \end{multline}
2680: we see that \eqref{eq:layered:b} implies
2681: \begin{equation}
2682: \frac{\det(\Lambda_{[\nAuxRef \nAuxDeg
2683: \nChOutRef]})}{\det(\Lambda_{[\nAuxDeg \nChOutRef]})} \leq
2684: \frac{\det(\Lambda_{[\nAuxRef \nAuxDeg \nSrc]})}{\det(\Lambda_{[\nAuxDeg \nSrc]})}.
2685: \label{eq:det_cond}
2686: \end{equation}
2687: By varying $\sigma_A^2$, $\sigma_B^2$, and $\beta$ such that
2688: \eqref{eq:det_cond} is satisfied we can trace out the volume of an
2689: achievable distortion region. Fig.~\ref{fig:layered_g_plots} shows
2690: slices of this three dimensional region by plotting the fine and
2691: coarse reconstruction distortions $\Distrf$ and $\Distrc$ for various
2692: values of the encoding distortion $\Diste$. Note that it follows from
2693: our single-layer inner bounds that for a particular choice of encoding
2694: distortion $\Diste$, the achievable trade-offs between $\Distrc$ and
2695: $\Distrf$ are contained within the region
2696: \begin{align}
2697: \Distrc &\ge \frac{\sigma_\nSrc^2 (\sigma_N^2+\sigma_V^2)}{\sigma_N^2
2698: + \sigma_V^2 +
2699: \left(\sqrt{\Diste} + \sigma_\nSrc\right)^2} \label{eq:Distrc-bd}\\
2700: \Distrf &\ge \frac{\sigma_\nSrc^2\sigma_N^2}{\sigma_N^2 + \left(\sqrt{\Diste} + \sigma_\nSrc\right)^2},\label{eq:Distrf-bd}
2701: \end{align}
2702: where obviously the lower bound of \eqref{eq:Distrf-bd} is smaller than
2703: that of \eqref{eq:Distrc-bd}.
2704:
2705: \begin{figure*}[tbp]
2706: \centering
2707: \psfrag{D2AXLABEL}{\raisebox{-.05in}{\Large$\Distrc/\sigma_N^2$ (in dB)}}
2708: \psfrag{D3AXLABEL}{\raisebox{-.025in}{\Large$\Distrf/\sigma_N^2$ (in dB)}}
2709: \includegraphics[angle=0,width=6in]{figs/layered_g_plots.eps}
2710: \caption{Achievable fine and coarse quality reconstruction distortion
2711: pairs $(\Distrf,\Distrc)$ in a layered authentication system for the
2712: Gaussian-quadratic case with $\sigma_{\nSrc}^2/\sigma_N^2 = 30$ dB,
2713: $\sigma_V^2/\sigma_N^2 = 10$ dB, and $\sigma_N^2 = 1$. From left to
2714: right, the curves are the boundaries of achievable distortion regions
2715: corresponding to encoding distortions of $\Diste/\sigma_N^2 = 10, 5, 0,
2716: -5, -10$ dB. The dashed curve corresponds to time-sharing between two
2717: operating points on the $\Diste/\sigma_N^2=0$ dB
2718: curve. \label{fig:layered_g_plots}}
2719: \end{figure*}
2720:
2721: A simple alternative to the layering system for such authentication
2722: problems is time-sharing, whereby some fraction of time the encoder
2723: uses a codebook appropriate for the harsh-edit reference channel, and for
2724: the remaining time uses a codebook appropriate for the mild-edit reference
2725: channel. When the harsh-edit reference channel is in effect, the decoder
2726: produces the coarse authentic reconstruction for the fraction of time
2727: the corresponding codebook is in effect and produces zero the rest of
2728: the time. When the mild-edit reference channel is in effect, the decoder
2729: produces the fine authentic reconstruction during the fraction of time
2730: the corresponding codebook is in effect, and produces the coarse
2731: reconstruction for the remaining time (since the broadcast channel is
2732: a degraded one). However, as Fig.~\ref{fig:layered_g_plots}
2733: also illustrates, this approach is in general quite
2734: inefficient: the use of such time-sharing results in a substantially
2735: smaller achievable region.
2736:
2737:
2738: \section{Concluding Remarks}
2739: \label{sec:conc}
2740:
2741: This paper develops one meaningful formulation for authentication
2742: problems in which the content may undergo a variety of types of
2743: legitimate editing prior to authentication. As part of this
2744: formulation, we adopt a particular formal notion of security in such
2745: settings. For such a formulation, and with the simplest classes of
2746: models, we establish that secure authentication systems can be
2747: constructed, and subsquently analyze their fundamental performance
2748: limits. From these models, we further develop how such systems offer
2749: significant advantages over other proposed solutions.
2750:
2751: Many opportunities for further research remain. For example,
2752: extensions of the main results to richer content, semantic, and edit
2753: models may provide additional insights into the behavior of such
2754: sysems. It would also be useful to understand the degree to which
2755: robust and/or universal solutions exist for the problem; such
2756: approaches seek to avoid requiring accurate prior model knowledge
2757: during system design.
2758:
2759: There are additional opportunities to further refine the analysis even
2760: for the existing models. For example, characterizing the manner in
2761: which asymptotic limits are approached --- for example via error
2762: exponents --- would provide useful engineering insights. Likewise,
2763: further analyzing public-key formulations, in which edits are more
2764: generally subject to computational constraints, could also be
2765: revealing. From this persective, the Appendix represents but a
2766: starting point.
2767:
2768: More generally, identifying and relating other meaningful notions of
2769: security for such problems would be particularly useful in putting the
2770: results of this paper in perspective. For example, a broader unifying
2771: framework for characterizing and comparing different notions of
2772: security could provide a mechanism for selecting a formulation best
2773: matched to the social needs and/or engineering constraints at hand.
2774:
2775: Finally, there are many interesting questions about how to best
2776: approach the development of practical authentication systems based on
2777: these ideas. These include questions of customized code design and
2778: implementation, but also architectural issues concerning the degree to
2779: these systems can be built from interconnections of existing and often
2780: standardized components --- i.e., existing compression systems,
2781: error-control codes, and public-key cryptographic tools.
2782:
2783: \appendix[A Public-Key Adaptation of the Private-Key Authentication
2784: System Model]
2785:
2786: To simplify the analysis we have focussed on private key systems where
2787: the encoder and decoder share a secret key $\secKey$, which is kept
2788: hidden from editors. In most practical applications, however, it is
2789: more convenient to use public key systems where a public key $\pubKey$
2790: is known to all parties (including editors) while a signing key,
2791: $\privKey$, is known only to the encoder. The advantage of public key
2792: systems is that while only the encoder possessing $\privKey$ can
2793: encode, anyone possessing $\pubKey$ can decode and verify a properly
2794: encoded signal. In this section, we briefly describe how a secret key
2795: authentication system can be combined with a generic digital signature
2796: scheme to yield a public key system. Some additional aspects of such
2797: an implementation are discussed in, e.g., \cite{martinian_2001,
2798: mthesis}.
2799:
2800: A digital signature scheme consists of a signing function $\dtag =
2801: \dsign(m,\privKey)$ and verifying function $\dver(m,\dtag,\pubKey)$.
2802: Specifically, the signing function maps an arbitrary length message
2803: $m$ to a $\gamma$ bit tag $\dtag$ using the signing key $\privKey$.
2804: The verifying function returns true (with high probability) when given
2805: a message, public key, and tag generated using the signing function
2806: with the corresponding signing key. Furthermore, it is
2807: computationally infeasible to produce a tag accepted by the verifier
2808: without using the signing key. Many such digital signature schemes
2809: have been described in the cryptography literature where $\tau$
2810: requires a number of bits that is sub-linear in $n$ or even finite.
2811:
2812: \textit{Modified Encoder:}
2813:
2814: \begin{enumerate}
2815:
2816: \item The public key of the digital signature scheme is published, and
2817: there is no secret key (equivalently, the secret key in the
2818: our original formulation is simply published).
2819:
2820: \item The encoder uses the original authentication system to map the
2821: source $\ful{\nSrc}$ to $\ful{\tilde{\nChIn}}=\encoder(\ful{\nSrc})$.
2822:
2823: \item For a system like the one described in
2824: \secref{sec:forw-part:-suff}, there are a finite number of possible
2825: values for the authentic reconstruction $\ful{\nSrch}$ and the
2826: authentic reconstruction is a deterministic function of
2827: $\ful{\nSrc}$. Thus each reconstruction can be assigned a bitwise
2828: representation $\codeword{ }(\ful{\nSrch})$, from which the encoder
2829: computes the digital signature tag $\dtag = \dsign(\codeword{
2830: }(\ful{\nSrch}),\privKey)$ using the digital signature algorithm.
2831:
2832: \item Finally the signature $\dtag$ is embedded into
2833: $\ful{\tilde{\nChIn}}$, producing $\ful{\nChIn}$, using an
2834: information embedding (data hiding) algorithm. The chosen algorithm
2835: can be quite crude since $\dtag$ only requires a sub-linear number
2836: of bits. The algorithm parameters are chosen to that the embedding
2837: incurs asymptotically negligible additional distortion to the overall
2838: encoding process.
2839:
2840: \end{enumerate}
2841:
2842: \textit{Modified Decoder:}
2843:
2844: \begin{enumerate}
2845:
2846: \item The decoder extracts from $\ful{\nChOut}$ an estimate
2847: $\hat{\dtag}$ of the embedded signature $\dtag$. Since the size of
2848: $\dtag$ is sub-linear, the embedding algorithm parameters can be
2849: further chosen so that $\hat{\dtag} = \dtag$ with arbitrarily high
2850: probability when the reference channel is in effect.
2851:
2852: \item Next, the decoder uses the original authentication system to
2853: produce $\ful{\nSrct}=\xdecn{\ful{\nChOut}}$, and then, in turn, its
2854: bitwise representation $\codeword{ }(\ful{\nSrct})$.
2855:
2856: \item The decoder checks whether the digital signature verifying
2857: algorithm $\dver(\codeword{ }(\ful{\nSrct}),\hat{\tau},\pubKey)$
2858: accepts the $\ful{\nSrct}$ as valid.
2859:
2860: \item If so, then the decoder produces the authentic reconstruction
2861: $\ful{\nSrch}=\ful{\nSrct}$. Otherwise, the decoder produces the
2862: special symbol $\dfail$, declaring that it is unable to
2863: authenticate.
2864:
2865: \end{enumerate}
2866:
2867: With this construction, we see that the security of such a system is
2868: determined by the security of the underlying public-key digital
2869: signature scheme used. Specifically, the only way an attacker can
2870: defeat the system is to find a matching $\ful{\nSrch}$ and $\dtag$
2871: accepted by the digital signature verifying algorithm. All other
2872: performance aspects of the system are effectively unchanged.
2873:
2874: \section*{Acknowledgment}
2875:
2876: The authors are grateful to Prof.~Ram Zamir for many helpful
2877: suggestions including improvements to the proof of the converse part
2878: of \thrmref{th:main}. The authors would also like to thank the
2879: reviewers and associate editor for their careful reading of the
2880: manuscript and suggestions for improvement.
2881:
2882:
2883: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
2884: %
2885: % Set up some stuff in bibliography
2886:
2887:
2888: % \bibliographystyle{IEEEtran}
2889: % \bibliography{IEEEabrv,paper,gww}
2890:
2891: \begin{thebibliography}{10}
2892: \providecommand{\url}[1]{#1}
2893: \csname url@rmstyle\endcsname
2894: \providecommand{\newblock}{\relax}
2895: \providecommand{\bibinfo}[2]{#2}
2896: \providecommand\BIBentrySTDinterwordspacing{\spaceskip=0pt\relax}
2897: \providecommand\BIBentryALTinterwordstretchfactor{4}
2898: \providecommand\BIBentryALTinterwordspacing{\spaceskip=\fontdimen2\font plus
2899: \BIBentryALTinterwordstretchfactor\fontdimen3\font minus
2900: \fontdimen4\font\relax}
2901: \providecommand\BIBforeignlanguage[2]{{%
2902: \expandafter\ifx\csname l@#1\endcsname\relax
2903: \typeout{** WARNING: IEEEtran.bst: No hyphenation pattern has been}%
2904: \typeout{** loaded for the language `#1'. Using the pattern for}%
2905: \typeout{** the default language instead.}%
2906: \else
2907: \language=\csname l@#1\endcsname
2908: \fi
2909: #2}}
2910:
2911: \bibitem{diffie_hellman}
2912: W.~Diffie and M.~E. Hellman, ``New directions in cryptography,'' \emph{IEEE
2913: Trans.\ Inform.\ Theory}, vol.~67, pp. 644--654, Nov. 1976.
2914:
2915: \bibitem{pak99}
2916: F.~A.~P. Petitcolas, R.~J. Anderson, and M.~G. Kuhn, ``Information hiding --- a
2917: survey,'' \emph{Proc.\ IEEE}, vol.~87, no.~7, pp. 1062--1078, July 1999.
2918:
2919: \bibitem{fridrich}
2920: J.~Fridrich, ``Methods for tamper detection in digital images,'' \emph{Proc.\
2921: Multimedia and Security Workshop at ACM Multimedia}, 1999.
2922:
2923: \bibitem{rey_2000}
2924: C.~Rey and J.-L. Dugelay, ``Blind detection of malicious alterations on still
2925: images using robust watermarks,'' in \emph{IEE Seminar Secure Images and
2926: Image Authentication}, 2000, pp. 7/1--7/6.
2927:
2928: \bibitem{wolfgang_1996}
2929: R.~B. Wolfgang and E.~J. Delp, ``A watermark for digital images,'' in
2930: \emph{Proc.\ Int.\ Conf.\ Image Processing (ICIP)}, vol.~3, 1996, pp.
2931: 219--222.
2932:
2933: \bibitem{friedman}
2934: G.~L. Friedman, ``The trustworthy digital camera: Restoring credibility to the
2935: photographic image,'' \emph{IEEE Trans.\ Consumer Electronics}, vol.~39, pp.
2936: 905--910, Nov. 1993.
2937:
2938: \bibitem{kundur}
2939: D.~Kundur and D.~Hatzinakos, ``Digital watermarking for telltale tamper
2940: proofing and authentication,'' in \emph{Proc.\ IEEE}, vol.~87, July 1999, pp.
2941: 1167--1180.
2942:
2943: \bibitem{wong}
2944: P.~W. Wong, ``A public key watermark for image verification and
2945: authentication,'' in \emph{Proc.\ Int. Conf. Image Processing (ICIP)},
2946: vol.~1, 1998, pp. 445--459.
2947:
2948: \bibitem{wu_liu}
2949: M.~Wu and B.~Liu, ``Watermarking for image authentication,'' in \emph{Proc.\
2950: Int.\ Conf.\ Image Processing (ICIP)}, vol.~2, 1998, pp. 437--441.
2951:
2952: \bibitem{queluz}
2953: M.~P. Queluz, ``Towards robust, content based techniques for image
2954: authentication,'' in \emph{Proc. Workshop Multimedia Signal Processing
2955: (MMSP)}, 1998, pp. 297--302.
2956:
2957: \bibitem{bat_kut}
2958: S.~Bhattacharjee and M.~Kutter, ``Compression tolerant image authentication,''
2959: in \emph{Proc.\ Int.\ Conf.\ Image Processing (ICIP)}, vol.~1, 1998, pp.
2960: 435--439.
2961:
2962: \bibitem{md00}
2963: B.~Macq and J.-L. Dugelay, ``Watermarking technologies for authentication and
2964: protection of images,'' \emph{Ann. Telecomm.}, vol.~55, no. 3--4, pp.
2965: 92--100, Mar.-Apr. 2000.
2966:
2967: \bibitem{eggers_2001}
2968: J.~J. Eggers and B.~Girod, ``Blind watermarking applied to image
2969: authentication,'' in \emph{Proc.\ Int.\ Conf.\ Acoustics, Speech, Signal
2970: Processing (ICASSP)}, Salt Lake City, Utah, May 2001.
2971:
2972: \bibitem{yeung_1997}
2973: M.~M. Yeung and F.~Mintzer, ``An invisible watermarking technique for image
2974: verification,'' in \emph{Proc.\ Int.\ Conf.\ Image Processing (ICIP)},
2975: vol.~2, 1997, pp. 680--683.
2976:
2977: \bibitem{schneider_1996}
2978: M.~Schneider and S.~Chang, ``A robust content based digital signature for image
2979: authentication,'' in \emph{Proc.\ Int.\ Conf.\ Image Processing (ICIP)},
2980: vol.~3, 1996, pp. 227--230.
2981:
2982: \bibitem{Lin_2001}
2983: C.-Y. Lin and S.-F. Chang, ``A robust image authentication method
2984: distinguishing {JPEG} compression from malicious manipulation,'' \emph{IEEE
2985: Trans.\ Circuits Syst.\ Video Technol.}, vol.~11, no.~2, pp. 153--168, Feb.
2986: 2001.
2987:
2988: \bibitem{Me_2001}
2989: L.~Me and G.~R. Arce, ``A class of authentication digital watermarks for secure
2990: multimedia communication,'' \emph{IEEE Trans.\ Image Processing}, vol.~10,
2991: no.~11, pp. 1754--1764, Nov. 2001.
2992:
2993: \bibitem{Lu_2001}
2994: C.-S. Lu and H.~Liao, ``Multipurpose watermarking for image authentication and
2995: protection,'' in \emph{IEEE Trans.\ Image Processing}, vol.~10, 2001, pp.
2996: 1579--1592.
2997:
2998: \bibitem{gelfand_1980}
2999: S.~I. Gel'Fand and M.~S. Pinsker, ``Coding for channel with random paramters,''
3000: \emph{Prob.\ Contr.\ Inform.\ Theory}, vol.~9, no.~1, pp. 19--31, 1980.
3001:
3002: \bibitem{costa_83}
3003: M.~H.~M. Costa, ``Writing on dirty paper,'' \emph{IEEE Trans.\ Inform.\
3004: Theory}, vol. IT-29, no.~3, pp. 439--441, May 1983.
3005:
3006: \bibitem{heg83}
3007: C.~Heegard and A.~A. El~Gamal, ``On the capacity of computer memory with
3008: defects,'' \emph{IEEE Trans.\ Inform.\ Theory}, vol.~29, pp. 731--739, Sept.
3009: 1983.
3010:
3011: \bibitem{mos98}
3012: J.~A. O'Sullivan, P.~Moulin, and J.~M. Ettinger, ``Information-theoretic
3013: analysis of steganography,'' in \emph{Proc.\ Int.\ Symp.\ Inform.\ Theory},
3014: Cambridge, MA, Aug. 1998, p. 297.
3015:
3016: \bibitem{cw00b}
3017: B.~Chen and G.~W. Wornell, ``Quantization index modulation: A class of provably
3018: good methods for digital watermarking and information embedding,'' in
3019: \emph{Proc.\ Int.\ Symp.\ Inform.\ Theory}, Sorrento, Italy, June 2000.
3020:
3021: \bibitem{cl00}
3022: A.~Cohen and A.~Lapidoth, ``On the {G}aussian watermarking game,'' in
3023: \emph{IEEE Int. Symp. Inform. Theory}, June 2000, p.~48.
3024:
3025: \bibitem{mos00}
3026: P.~Moulin and J.~O'Sullivan, ``Information-theoretic analysis of information
3027: hiding,'' in \emph{IEEE Int. Symp. Inform. Theory}, June 2000, p.~19.
3028:
3029: \bibitem{chen_wornell_2001}
3030: B.~Chen and G.~W. Wornell, ``Quantization index modulation: a class of provably
3031: good methods for digital watermarking and information embedding,'' \emph{IEEE
3032: Trans.\ Inform.\ Theory}, vol.~47, no.~4, pp. 1423--1443, May 2001.
3033:
3034: \bibitem{moulin2003}
3035: P.~Moulin and J.~A. O'Sullivan, ``Information-theoretic analysis of information
3036: hiding,'' \emph{IEEE Trans.\ Inform.\ Theory}, vol.~49, no.~3, pp. 563--593,
3037: Mar. 2003.
3038:
3039: \bibitem{sm01}
3040: Y.~Steinberg and N.~Merhav, ``Identification in the presence of side
3041: information with application to watermarking,'' \emph{IEEE Trans.\ Inform.\
3042: Theory}, vol.~47, no.~4, pp. 1410--1422, May 2001.
3043:
3044: \bibitem{cohen_2002}
3045: A.~Cohen and A.~Lapidoth, ``The {G}aussian watermarking game,'' \emph{IEEE
3046: Trans.\ Inform.\ Theory}, vol.~48, no.~6, pp. 1639--1667, June 2002.
3047:
3048: \bibitem{swanson}
3049: M.~D. Swanson, M.~Kobayashi, and A.~H. Tewfik, ``Multimedia data-embedding and
3050: watermarking technologies,'' in \emph{Proc.\ IEEE}, vol.~86, June 1998, pp.
3051: 1064--1087.
3052:
3053: \bibitem{memon}
3054: N.~Memon and P.~W. Wong, ``Protecting digital media content,'' \emph{Commun.
3055: ACM}, vol.~41, no.~7, pp. 35--42, July 1998.
3056:
3057: \bibitem{cox}
3058: I.~J. Cox and J.-P. M.~G. Linnartz, ``Some general methods for tampering with
3059: watermarks,'' \emph{IEEE J.\ Select.\ Areas Commun.}, vol.~16, no.~4, pp.
3060: 587--593, May 1998.
3061:
3062: \bibitem{cpr99}
3063: J.~Chou, S.~S. Pradhan, and K.~Ramchandran, ``On the duality between
3064: distributed source coding and data hiding,'' in \emph{Proc. Asilomar Conf.
3065: Signals, Systems, Computers}, Pacific Grove, CA, 1999.
3066:
3067: \bibitem{pcr03}
3068: S.~S. Pradhan, J.~Chou, and K.~Ramchandran, ``Duality between source and
3069: channel coding and its extension to the side information case,'' \emph{IEEE
3070: Trans.\ Inform.\ Theory}, vol.~49, no.~5, pp. 1181--1203, May 2003.
3071:
3072: \bibitem{seg00}
3073: J.~K. Su, J.~J. Eggers, and B.~Girod, ``Illustration of the duality between
3074: channel coding and rate distoriton with side information,'' in \emph{Proc.
3075: Asilomar Conf. Signals, Systems, Computers}, Pacific Grove, CA, Nov. 2000.
3076:
3077: \bibitem{rjb_bc_gw_preprint}
3078: R.~J. Barron, B.~Chen, and G.~W. Wornell, ``The duality between information
3079: embedding and source coding with side information and some applications,''
3080: \emph{IEEE Trans.\ Inform.\ Theory}, vol.~49, no.~5, pp. 1159--1180, May
3081: 2003.
3082:
3083: \bibitem{bcw01}
3084: R.~J. Barron, B.~C. Chen, and G.~W. Wornell, ``The duality between information
3085: embedding and source coding with side information and some applications,'' in
3086: \emph{Proc.\ Int.\ Symp.\ Inform.\ Theory}, Washington, DC, June 2001.
3087:
3088: \bibitem{Merhav_2000}
3089: N.~Merhav, ``On random coding error exponents of watermarking systems,''
3090: \emph{IEEE Trans.\ Inform.\ Theory}, vol.~46, no.~2, pp. 420--430, Mar. 2000.
3091:
3092: \bibitem{cc01}
3093: M.~Chiang and T.~M. Cover, ``Unified duality of channel capacity and rate
3094: distortion with state information,'' in \emph{Proc.\ Int.\ Symp.\ Inform.\
3095: Theory}, Washington, DC, June 2001.
3096:
3097: \bibitem{esz00}
3098: U.~Erez, S.~Shamai, and R.~Zamir, ``Capacity and lattice-strategies for
3099: cancelling known interference,'' in \emph{Proc.\ Int.\ Symp.\ Inform.\ Theory
3100: \& Appl.}, Honolulu, HI, Nov. 2000, pp. 681--684.
3101:
3102: \bibitem{zse02}
3103: R.~Zamir, S.~Shamai, and U.~Erez, ``Nested linear/lattice codes for structured
3104: multiterminal binning,'' \emph{IEEE Trans.\ Inform.\ Theory}, June 2002, to
3105: appear.
3106:
3107: \bibitem{Sutivong_2002}
3108: A.~Sutivong, T.~Cover, M.~Chiang, and Y.-H. Kim, ``Rate vs. distortion
3109: trade-off for channels with state information,'' in \emph{Proc. International
3110: Symposium on Information Theory}, July 2002, p. 226.
3111:
3112: \bibitem{cover}
3113: T.~M. Cover and J.~A. Thomas, \emph{Elements of Information Theory}.\hskip 1em
3114: plus 0.5em minus 0.4em\relax John Wiley and Sons, Inc., 1991.
3115:
3116: \bibitem{Verdu_1994}
3117: S.~Verdu and T.~S. Han, ``A general formula for channel capacity,'' \emph{IEEE
3118: Trans.\ Inform.\ Theory}, vol.~40, no.~4, pp. 1147--1157, Jul. 1994.
3119:
3120: \bibitem{Steinberg_1996}
3121: Y.~Steinberg and S.~Verdu, ``Simulation of random processes and rate-distortion
3122: theory,'' \emph{IEEE Trans.\ Inform.\ Theory}, vol.~42, no.~1, pp. 63--86,
3123: Jan. 1996.
3124:
3125: \bibitem{Mittal_2002}
3126: U.~Mittal and N.~Phamdo, ``Hybrid digital-analog ({HDA}) joint source-channel
3127: codes for broadcasting and robust communications,'' \emph{IEEE Trans.\
3128: Inform.\ Theory}, vol.~48, no.~5, pp. 1082--1102, May 2002.
3129:
3130: \bibitem{Reznic_2002}
3131: Z.~Reznic, R.~Zamir, and M.~Feder, ``Joint source-channel coding of a
3132: {G}aussian mixture source over the gaussian broadcast channel,'' \emph{IEEE
3133: Trans.\ Inform.\ Theory}, vol.~48, no.~3, pp. 776--781, Mar. 2002.
3134:
3135: \bibitem{Shamai_1998}
3136: S.~Shamai, S.~Verdu, and R.~Zamir, ``Systematic lossy source/channel coding,''
3137: \emph{IEEE Trans.\ Inform.\ Theory}, vol.~44, no.~2, pp. 564--579, Mar. 1998.
3138:
3139: \bibitem{mthesis}
3140: E.~Martinian, ``Authenticating multimedia in the presence of noise,'' Master's
3141: thesis, Massachusetts Institute of Technology, Cambridge, MA, 2000.
3142:
3143: \bibitem{martinian_2001}
3144: E.~Martinian, B.~Chen, and G.~W. Wornell, ``Information theoretic approach to
3145: the authentication of multimedia,'' in \emph{Proc.\ SPIE: Security and
3146: Watermarking of Multimedia Contents III (part of Electronic Imaging 2001)},
3147: 2001.
3148:
3149: \bibitem{it:wyner_1975}
3150: A.~D. Wyner and J.~Ziv, ``The rate-distortion function for source coding with
3151: side information at the decoder,'' \emph{IEEE Trans.\ Inform.\ Theory}, vol.
3152: IT-22, no.~1, pp. 1--10, Jan. 1976.
3153:
3154: \bibitem{it:ahlswede_1976}
3155: R.~Ahlswede and J.~K{\"{o}}rner, ``Source coding with side information and a
3156: converse for degraded broadcast channels,'' \emph{IEEE Trans.\ Inform.\
3157: Theory}, vol. IT-21, no.~6, pp. 629--637, Nov. 1976.
3158:
3159: \end{thebibliography}
3160:
3161: \begin{biographynophoto}{Emin Martinian}
3162:
3163: (S'00-M'05) completed his undergraduate degree
3164: in electrical engineering and computer science at the University of
3165: California at, Berkeley in 1997. After a year and a half at the
3166: startup OPC Technologies, he joined the doctoral program at MIT in
3167: 1998, receiving the masters degree in 2000, and the doctoral degree
3168: in 2004. His masters research was in the area of multimedia
3169: authentication, and his doctoral thesis was in the area of dynamic
3170: information and constraints in source and channel coding.
3171:
3172: Since completing his doctorate, he has been working on problems of
3173: video processing, distribution, and compression at Mitsubishi
3174: Electric Research Laboratories in Cambridge, MA. His broader
3175: research interests include digital communications, signal
3176: processing, information theory, belief propagation, and
3177: cryptography. While at MIT he held an NSF Graduate Fellowship, and
3178: received the Capocelli Award of the 2004 Data Compression Conference
3179: for the best student-authored paper.
3180:
3181: \end{biographynophoto}
3182:
3183: \begin{biographynophoto}{Gregory W. Wornell}
3184:
3185: (S'83-M'91-SM'00-F'04) received the
3186: B.A.Sc.\ degree from the University of British Columbia, Canada, and
3187: the S.M. and Ph.D. degrees from the Massachusetts Institute of
3188: Technology, all in electrical engineering and computer science, in
3189: 1985, 1987 and 1991, respectively.
3190:
3191: Since 1991 he has been on the faculty at MIT, where he is Professor
3192: of Electrical Engineering and Computer Science, co-director of the
3193: Center for Wireless Networking, and Chair of Graduate Area I
3194: (Systems, Communication, Control, and Signal Processing) within the
3195: department's doctoral program. He has held visiting appointments at
3196: the former AT\&T Bell Laboratories, Murray Hill, NJ, the University
3197: of California, Berkeley, CA, and Hewlett-Packard Laboratories, Palo
3198: Alto, CA.
3199:
3200: His research interests and publications span the areas of signal
3201: processing, digital communication, and information theory, and
3202: include algorithms and architectures for wireless and sensor
3203: networks, broadband systems, and multimedia environments. He has
3204: been involved in the Signal Processing and Information Theory
3205: societies of the IEEE in a variety of capacities, and maintains a
3206: number of close industrial relationships and activities. He has won
3207: a number of awards for both his research and teaching.
3208:
3209: \end{biographynophoto}
3210:
3211: \begin{biographynophoto}{Brian Chen}
3212:
3213: is a quantitative researcher at the hedge fund Fort Hill
3214: Capital Management. He is an alumnus of the Digital Signal
3215: Processing Group at the Massachusetts Institute of Technology, where
3216: he received a Ph.D. in Electrical Engineering and Computer Science.
3217: His areas of expertise include estimation, prediction, and other
3218: signal processing algorithms, which can be used in such diverse
3219: applications as financial modeling, multimedia, and communications.
3220: His Ph.D. thesis explored topics in information hiding and digital
3221: watermarking. Some of the techniques described in this thesis were
3222: exploited by Chinook Communications, a company that he co-founded,
3223: to alleviate last-mile bandwidth congestion problems in broadband
3224: networks.
3225:
3226: \end{biographynophoto}
3227:
3228:
3229: \end{document}
3230:
3231:
3232:
3233: