Abstract

In this paper, we describe some weaknesses of public-key blockwise fragile authentication watermarkings and the means to make them secure. Wong's (1998) original algorithm is not secure against a mere block cut-and-paste or the well-known birthday attack. To make it secure, some schemes have been proposed to make the signature of each block depend on the contents of its neighboring blocks. We attempt to maximize the change localization resolution using only one dependency per block with a scheme we call hash block chaining version 1 (HBC1). We then show that HBC1, as well as any neighbor-dependent scheme, are susceptible to another forgery technique that we have named a transplantation attack. We also show a new kind of birthday attack that can be effectively mounted against HBC1. To thwart these attacks, we propose using a nondeterministic digital signature together with a signature dependent scheme (HBC2). Finally, we discuss the advantages of using discrete logarithm signatures instead of RSA for watermarking.