RST Resilient Watermarking Scheme Based on DWT-SVD and Scale-Invariant Feature Transform

Abstract: Currently, most digital image watermarking schemes are affected by geometric attacks like rotation, scaling, and translation (RST). In the watermark embedding process, a robust watermarking scheme is proposed against RST attacks. In this paper, three-level discrete wavelet transform (DWT) is applied to the original image. The three-level low frequency sub-band is decomposed by the singular value decomposition (SVD), and its singular values matrix is extracted for watermarking embedding. Before the watermarking extraction, the keypoints are selected by scale-invariant feature transform (SIFT) in the original image and attacked image. By matching the keypoints in two images, the RST attacks can be precisely corrected and the better performance can be obtained. The experimental results show that the proposed scheme achieves good performance of imperceptibility and robustness against common image processing and malicious attacks, especially geometric attacks.


Introduction
With the tremendous growth in information industry recently, as one of the most essential methods to convey the information from one side to the other, digital images can be easily tampered, which can consequently result in security problems with copyright issues.Thus, the scheme for the authenticity and integrity of image protection becomes essential and meaningful.To solve this problem, digital signatures [1,2] and digital image watermarking [3] are proposed.Because digital signatures can only estimate whether images are tampered but cannot locate the tampered region, the watermarking technique, an effective method to solve the copyright problem of image content, is proposed.According to different characters, watermarking can be classified into three categories: (i) robust watermarking used for copyright protection, which can resist all kinds of attacks; (ii) fragile watermarking, which is sensitive to attacks including malicious tampering and common processing; and (iii) semi-fragile watermarking used to distinguish malicious tampering from non-malicious modification, which is a combination of advantages of robust and fragile watermarking.In addition, both fragile watermarking methods and semi-fragile watermarking methods can be applied in image tamper, location, and recovery.
From the perspective of the working domain where the watermark is embedded, this effective technique can be divided into spatial domain and transform domain [4].The spatial domain methods modify the pixel value of the digital image directly to embed the watermark information.The advantages of spatial watermarking method are easy implementation and low computational complexity.However, this kind of method is fragile to the common image processing operation and other attacks.In contrast, the watermark information is embedded into the host image by modifying transform coefficients of the original image in the transform domain methods.Compared with spatial of fields such as object recognition, image indexing, segmentation, registration, and data hiding [21].In recent years, SIFT is applied extensively in watermarking.Lee et al. [22] proposed a novel image watermarking scheme using local invariant features, as well as embedding the watermark into the patches in circle shapes generated by SIFT.To deal with the synchronization errors, Luo et al. [23] proposed an adaptive watermarking scheme based on DFT and SIFT.In this method, DFT is performed on the sub-image selected from the host image for watermark embedding.In [24], Lyu et al. proposed image watermarking scheme based on SIFT and DWT, where they applied the DWT on the selected SIFT areas.Thorat and Jadhav [25] proposed an anti-geometrical attacks watermarking scheme based on IWT and SIFT.This scheme applied SIFT on the red components of the image, extracted the feature points and performed IWT on the blue and green components to extract low-frequency coefficients for watermark embedding.Pham et al. [26] proposed a robust watermarking scheme based on SIFT and DCT, embedding the watermark into the selected feature region after DCT.In [27], Zhang and Tang proposed a watermarking algorithm based on SVD and SIFT to solve the synchronization problem.The SIFT is used for watermarking resynchronization.The embedding of watermark is done using SVD technique, and SIFT algorithm is used to find feature points, which is further used for watermarking detection.Besides that, for geometric invariance of the watermarking schemes, the moments transform domain has attracted the watermarking community as an alternative transform domain to embed the watermark recently.In [28], Yuan and Pun introduced a geometric invariant watermarking based on SIFT and Zernike moments, where SIFT is applied to obtain the circular region as well as the Zernike moment performed on binary regions, and magnitudes of local Zernike moments altered for watermark embedding.In [29], Wang et al. proposed a geometrically invariant watermarking scheme using radial harmonic Fourier moments to embed the watermark into their magnitudes by quantization.Tsougenis et al. [30] made great efforts to analyze advantages and disadvantages of watermarking methods based on moment theory, and achieved comparative study on performance of moment-based watermarking scheme.Due to the efficiency of SIFT for image matching and image features, it is becoming an innovative option for the image watermarking method in recent years.The basic theory of the SIFT will be illustrated later in Section 2.
In this paper, a new robust watermarking scheme based on SVD, DWT, and SIFT is proposed.Firstly, the host image is performed by DWT for three times, and the LL 3 sub-band is selected for SVD operation.Then, the watermark is embedded into the three-level LL 3 sub-band.The SIFT keypoints, also known as feature points, are saved as keys for correcting the RST attacks.In the extraction process, the capability of attack resistance can be attained owing to the SIFT feature matching.Experimental results show that, with the excellent imperceptibility, the proposed scheme is resilient to both common image processing and various attacks, e.g., Gaussian noise, salt and pepper noise, RST, cropping, etc.
The rest of this paper is organized as follows.In Section 2, we present the SIFT algorithm.Section 3 addresses the concrete watermark embedding and extraction procedures.Section 4 gives experimental evaluation of robustness and imperceptibility compared with previous schemes, and demonstrates the advantage of the proposed scheme.Conclusions and the future works are given finally in Section 5.

SIFT Algorithm
Lowe [20] proposed to extract the local scale-invariant feature keypoints of descriptors, and use these descriptors for the matching of two related images.Generating steps of SIFT feature descriptor are described, which contains four parts in total.

Scale-Space Peak Selection
The basic theory of the scale-space approach [31] is to introduce a scale parameter in the visual information processing model and obtain visual processing information on different scales by continuously changing scale parameters.Then, the information is integrated to explore essential characteristics of the image.For achieving the scale transformation, Gaussian convolution kernel [32] is the only linear kernel applied.The scale-space kernel f out can be defined as Equation (1): where K n is the kernel, f in is the input signal, and * represents the convolutional calculation.
The scale-space S(x, y, σ) of the image I(x, y) is shown as Equation (2): where G(x, y, σ) is the scale variable Gaussian function, (x, y) is the spatial coordinates, and σ is the scale-space factor, which decides the smoothness of the image.The large value of σ represents smoother image overview features of large scales, and the small value of σ describes the abundant image detailed features of small scales.
To detect stable points in scale-space effectively, Lowe [20] proposed the difference of Gaussian (DOG) scale-space presented as Equation (3): where I(x, y) is the input image and k is the multiple between two neighboring scale-spaces.
With the help of DOG scale-space image, all extreme points can be detected as keypoints in the candidate points.

Keypoints Location
The next step is to locate keypoints, aiming at orientating the location of keypoints precisely.In this way, a large number of extreme points are obtained.However, not all the extreme points are keypoints, and there should be a method to eliminate some points.There are two steps for point elimination: rough picking and fine picking.Rough picking is mainly to pick those candidate keypoints with low contrast and marginalized candidate keypoints.Due to fact that the DOG operator has a strong response for image edges, fine picking is adopted in the way of edge response to further eliminate the keypoints.Thus, the procedure of keypoint location has been completed.

Direction Matching
The next step is the keypoint orientation assignment, and the purpose is to achieve the SIFT features of rotation invariance.For scaling smoothed image I L , which means that the image I L has been performed by keypoint elimination, we compute the central derivative of I L at every keypoints.Further scale and orientation at every keypoint (x, y) can be calculated by Equation (4): where θ(x, y) is the direction of the gradient and g(x, y) is the gradient modulus value.After obtaining the gradient direction and amplitude, the gradient direction of the keypoints can be determined by a gradient direction histogram.The maximum/peak value of the histogram represents the direction of gradient at the neighbor of this keypoint.The peak value of histogram is set as the main direction of this keypoint, and when there is another peak with the value of the main peak's 80%, this direction is expected to be recorded as the auxiliary direction of this keypoint to improve the robustness.The direction matching has been completed with the location, orientation, and scale.

Keypoint Description
The keypoint description is to find the local image descriptor of the keypoints.Lowe [20] chose the gradient direction histograms to describe the keypoints.The specific procedures of keypoint description can be concluded with three steps: Step 1 The scale and orientation are computed in the 16 × 16 neighbor of keypoints.
Step 2 The 16 × 16 neighborhood is divided into 4 × 4 blocks.Thus, there are 16 blocks in the neighbor of every keypoint as well as eight orientations in the central point of every 4 × 4 block.
Step 3 128 orientations can be obtained as the keypoint feature in the vector with size of 1 × 128.
To simplify the analysis, suppose the 8 × 8 neighbor of the keypoint is divided into 4 × 4 blocks, and there will be four sub-blocks.The diagram of keypoints directions are shown in Figure 1.
Algorithms 2017, 10, 41 5 of 21 Step 1 The scale and orientation are computed in the 16 × 16 neighbor of keypoints.
Step 2 The 16 × 16 neighborhood is divided into 4 × 4 blocks.Thus, there are 16 blocks in the neighbor of every keypoint as well as eight orientations in the central point of every 4 × 4 block.
Step 3 128 orientations can be obtained as the keypoint feature in the vector with size of 1 × 128.To simplify the analysis, suppose the 8 × 8 neighbor of the keypoint is divided into 4 × 4 blocks, and there will be four sub-blocks.The diagram of keypoints directions are shown in Figure 1.So far, all of the steps of the SIFT algorithm are completed.In this paper, SIFT is applied to correct the RST attacks to obtain better robustness of the watermarked image.

Watermark Embedding Process
The flow diagram of the watermark embedding process is shown in Figure 2.  The concrete steps are described as follows: Step 1 The original image I is transformed with DWT three times, and each level of DWT is performed sequentially on the original image, LL1, and LL2.Finally, LL3 is obtained for the SVD transform in Step 3. Due to the fact that the LL sub-band has sufficient information, the capacity of watermark embedding is large in the LL sub-band, which can ensure the good imperceptibility of the proposed method.So far, all of the steps of the SIFT algorithm are completed.In this paper, SIFT is applied to correct the RST attacks to obtain better robustness of the watermarked image.

Watermark Embedding Process
The flow diagram of the watermark embedding process is shown in Figure 2.
Algorithms 2017, 10, 41 5 of 21 Step 1 The scale and orientation are computed in the 16 × 16 neighbor of keypoints.
Step 2 The 16 × 16 neighborhood is divided into 4 × 4 blocks.Thus, there are 16 blocks in the neighbor of every keypoint as well as eight orientations in the central point of every 4 × 4 block.
Step 3 128 orientations can be obtained as the keypoint feature in the vector with size of 1 × 128.To simplify the analysis, suppose the 8 × 8 neighbor of the keypoint is divided into 4 × 4 blocks, and there will be four sub-blocks.The diagram of keypoints directions are shown in Figure 1.So far, all of the steps of the SIFT algorithm are completed.In this paper, SIFT is applied to correct the RST attacks to obtain better robustness of the watermarked image.

Watermark Embedding Process
The flow diagram of the watermark embedding process is shown in Figure 2.  The concrete steps are described as follows: Step 1 The original image I is transformed with DWT three times, and each level of DWT is performed sequentially on the original image, LL1, and LL2.Finally, LL3 is obtained for the SVD transform in Step 3. Due to the fact that the LL sub-band has sufficient information, the capacity of watermark embedding is large in the LL sub-band, which can ensure the good imperceptibility of the proposed method.The concrete steps are described as follows: Step 1 The original image I is transformed with DWT three times, and each level of DWT is performed sequentially on the original image, LL 1 , and LL 2 .Finally, LL 3 is obtained for the SVD transform in Step 3. Due to the fact that the LL sub-band has sufficient information, the capacity of watermark embedding is large in the LL sub-band, which can ensure the good imperceptibility of the proposed method.
Step 2 The watermark information is encrypted with the Arnold transform, and the scrambling time is saved as key T.
Step 3 According to Equations ( 5) and ( 6), SVD is performed on the LL 3 sub-band to get three matrices: both U and V are orthogonal matrices, and S is the diagonal matrix of singular values.After that, singular values of the LL 3 sub-band are altered: where α is the scaling factor, determining the performance of the watermarking scheme in robustness and imperceptibility, and W a is the watermark encrypted with Arnold transform.
Step 4 Owing to the fact that the watermark for embedding is an image matrix, S w is not a diagonal matrix after Equation ( 6), which can result in distortion in inverse SVD transform.Thus, SVD is performed on the S w again to obtain the watermarked diagonal matrix, which is illustrated by: Step 5 The watermarked sub-band I LL 3w is generated by S ww , U, and V, as shown in Equation ( 8): Step 6 According to the concrete process in Step 1, three-level inverse DWT (IDWT) is performed with other sub-bands to generate the watermarked image I w .
Step 7 After Step 6, SIFT is performed on the watermarked image I w , and feature points are extracted.Meanwhile, descriptors of the watermarked image are recorded as keys P for the feature matching in the extraction process.To be more concrete, the coordinates, scales, and orientations of the feature points in the watermarked image are obtained, which are used for RST attack correction.
In the end, the watermark embedding process is finished.

Watermark Extraction Process
The extraction process can be implemented without the original image but feature keys, which can be regarded as the semi-blind watermark scheme.The flow diagram of the watermark extraction process is shown in Figure 3.
Algorithms 2017, 10, 41 6 of 21 Step 2 The watermark information is encrypted with the Arnold transform, and the scrambling time is saved as key T .
Step 3 According to Equations ( 5) and ( 6), SVD is performed on the LL3 sub-band to get three matrices: both U and V are orthogonal matrices, and S is the diagonal matrix of singular values.After that, singular values of the LL3 sub-band are altered: where α is the scaling factor, determining the performance of the watermarking scheme in robustness and imperceptibility, and a W is the watermark encrypted with Arnold transform.
Step 4 Owing to the fact that the watermark for embedding is an image matrix, w S is not a diagonal matrix after Equation ( 6), which can result in distortion in inverse SVD transform.Thus, SVD is performed on the w S again to obtain the watermarked diagonal matrix, which is illustrated by: Step 5 The watermarked sub-band is generated by ww S , U , and V , as shown in Equation ( 8): Step 6 According to the concrete process in Step 1, three-level inverse DWT (IDWT) is performed with other sub-bands to generate the watermarked image w I .
Step 7 After Step 6, SIFT is performed on the watermarked image w I , and feature points are extracted.Meanwhile, descriptors of the watermarked image are recorded as keys P for the feature matching in the extraction process.To be more concrete, the coordinates, scales, and orientations of the feature points in the watermarked image are obtained, which are used for RST attack correction.
In the end, the watermark embedding process is finished.

Watermark Extraction Process
The extracting process can be implemented without the original image but feature keys, which can be regarded as the semi-blind watermark scheme.The flow diagram of the watermark extraction process is shown in Figure 3.The concrete steps are demonstrated as follows:

Watermark Extraction
Step 1 The attacked image I a is performed with SIFT, and the feature points P a in the attacked image can be obtained accordingly.
Step 2 In the embedding process, the feature points in watermarked image are recorded as keys P.
In this step, keys P should be stored in a matrix and transmitted along with the watermarked image for feature matching with the feature points P a .
As can be seen in Figure 4, two sets of feature points in two images are selected as matching keypoints, and lines are drawn between two keypoints in two images separately.
Step 3 After the feature matching process finished, RST attacks can be corrected with the angle, coordinates, and scales, which is illustrated concretely in Section 3.3.Then, the RST corrected image I c is obtained for watermark extraction.
Step 4 Three-level DWT is performed on the corrected image I c , and then LL 3 , LH 3 , HL 3 , and HH 3 bands are obtained.Similar to the embedding process, the LL 3 sub-band I * LL 3w is selected for the SVD transform in the next step.
Step 5 SVD is performed on the corrected sub-band using Equation ( 9), and S ww * is recorded for the next step.
Step 6 S * w is retrieved back by Equation ( 10): Step 7 The extracted watermark is generated for the LL 3 sub-band, which is shown in Equation ( 11): Step 8 The extracted watermark is decrypted by the Arnold transform with key T recorded in the embedding process.
Algorithms 2017, 10, 41 7 of 21 The concrete steps are demonstrated as follows: Step 1 The attacked image a I is performed with SIFT, and the feature points a P in the attacked image can be obtained accordingly.
Step 2 In the embedding process, the feature points in watermarked image are recorded as keys P .In this step, as shown in Figure 4, keys P should be stored in a matrix and transmitted along with the watermarked image for feature matching with the feature points a P .
As can be seen in Figure 4, two sets of feature points in two images are selected as matching keypoints, and lines are drawn between two keypoints in two images separately.
Step 3 After the feature matching process finished, the RST attacks can be corrected with the angle, coordinates, and scales, which are illustrated concretely in Section 3.3.Then, the RST corrected image c I is obtained for watermark extraction. Step Step 6 S is retrieved back by Equation ( 10): Step 7 The extracted watermark is generated for the LL3 sub-band, which is shown in Equation ( 11): Step 8 The extracted watermark is decrypted by the Arnold transform with key T recorded in the embedding process.So far, the watermark extraction process is finished.

RST Attack Correction Based on SIFT
As demonstrated in Sections 3.1 and 3.2, after that, the SIFT feature of the image is extracted, and horizontal coordinates, vertical coordinates, scales, orientation factors, as well as the descriptors of keypoints can be obtained.Descriptors of feature keypoints P saved in the embedding process and descriptors of feature points a P are matched, and M pairs of matching points can be obtained for the following correction.So far, the watermark extraction process is finished.

RST Attack Correction Based on SIFT
As demonstrated in Sections 3.1 and 3.2, after that, the SIFT feature of the image is extracted, and horizontal coordinates, vertical coordinates, scales, orientation factors, as well as the descriptors of Algorithms 2017, 10, 41 8 of 21 keypoints can be obtained.Descriptors key of feature keypoints P saved in the embedding process and descriptors key of feature points P a are matched, and M pairs of matching points can be obtained for the following correction.

Rotation Attack Correction
The image is rotated by a certain degree, resulting in information destruction and loss.The match between rotated image and watermarked image is shown in Figure 5.The image is rotated by a certain degree, resulting in information destruction and loss.The match between rotated image and watermarked image is shown in Figure 5.The two keypoints of watermarked image are set as w i and w j separately, and two keypoints of rotated image are set as r i and r j .According to the basic mathematics, the vector can be obtained by the calculation on coordinates between two points.Thus, the vector in the watermarked image and rotated image can be set as w w i j  and r r i j  , respectively.For the correction, the rotation angle of the kth matching point is recorded as k φ .So far, the corrected angle of rotation can be given in Equation ( 12): where m is the number of valid matching points.Equation (12) means that any two pairs of matching points are picked out to calculate the rotation angle, and then the average value of the angles' sum is calculated.In this context, the corrected angle c β is obtained.Thus, the attacked image at the receiving end should be rotated by the angle of c β for the rotation correction.

Scaling Attack Correction
Scaling attack is a type of tampering method that can change the size of one image, which can result in the image distortion.The match between scaled image and watermarked image is shown in Figure 6.The two keypoints of watermarked image are set as i w and j w separately, and two keypoints of rotated image are set as i r and j r .According to the basic mathematics, the vector can be obtained by the calculation on coordinates between two points.Thus, the vector in the watermarked image and rotated image can be set as → i w j w and → i r j r , respectively.For the correction, the rotation angle of the kth matching point is recorded as φ k .So far, the corrected angle of rotation can be given in Equation (12): where m is the number of valid matching points.Equation ( 12) means that any two pairs of matching points are picked out to calculate the rotation angle, and then the average value of the angles' sum is calculated.In this context, the corrected angle β c is obtained.Thus, the attacked image at the receiving end should be rotated by the angle of β c for the rotation correction.

Scaling Attack Correction
Scaling attack is a type of tampering method that can change the size of one image, which can result in the image distortion.The match between scaled image and watermarked image is shown in Figure 6.
Owing to the SIFT characteristics, the scaling coefficient is equal to the size relationship between scaled image and watermarked image.Thus, the scaling coefficient can be extracted from M pairs of matching points.s w k and s s k are the kth scale values of the matching points in watermarked image and scaled image, respectively.The corrected scaling coefficient γ is shown as Equation ( 13): Apparently, γ is the mean of ratios between s w k and s s k .After obtaining the corrected scaling coefficient, the received image should be scaled with the parameter γ to achieve the rotation complementary.

 
where m is the number of valid matching points.Equation ( 12) means that any two pairs of matching points are picked out to calculate the rotation angle, and then the average value of the angles' sum is calculated.In this context, the corrected angle c β is obtained.Thus, the attacked image at the receiving end should be rotated by the angle of c β for the rotation correction.

Scaling Attack Correction
Scaling attack is a type of tampering method that can change the size of one image, which can result in the image distortion.The match between scaled image and watermarked image is shown in Figure 6.

Translation Attack Correction
The definition of the translation attack is that all points of one image are moved towards the same linear direction for the same distance.The translation attack cannot change the shape and size of the attacked image, but result in image information destruction.The match between horizontally translated image (128 pixels) and watermarked image is shown in Figure 7. Owing to the SIFT characteristics, the scaling coefficient is equal to the size relationship between scaled image and watermarked image.Thus, the scaling coefficient can be extracted from M pairs of matching points.Apparently, γ is the mean of ratios between w k s and s k s .After obtaining the corrected scaling coefficient, the received image should be scaled with the parameter γ to achieve the rotation complementary.

Translation Attack Correction
The definition of the translation attack is that all points of one image are moved towards the same linear direction for the same distance.The translation attack cannot change the shape and size of the attacked image, but result in image information destruction.The match between horizontally translated image (128 pixels) and watermarked image is shown in Figure 7. Translation correction is implemented with the help of matching points' coordinates.Similar to scaling attack correction, the coordinates of the watermarked image and translated image are set as w w ( , ) x y and t t ( , ) x y , and the size of the image is N N × .The corrected horizontal and vertical coordinates, c x and c y , can be calculated by Equation ( 14): After that, c x and c y are used to correct the attacked image on the horizontal and vertical location of coordinates in the inverse direction to achieve the translation correction.The correction of RST attacks are demonstrated, respectively, as above all.

Experimental Results and Analysis
In this section, performances in watermark robustness and imperceptibility of the proposed method are given and analyzed.This scheme is tested on the image with size of 512 × 512, and the watermark applied in this scheme is a binary image with size of 64 × 64.The scheme is tested on Translation correction is implemented with the help of matching points' coordinates.Similar to scaling attack correction, coordinates of the watermarked image and translated image are set as (x w , y w ) and (x t , y t ), and the size of the image is N × N. The corrected horizontal and vertical coordinates, x c and y c , can be calculated by Equation ( 14): After that, x c and y c are used to correct the attacked image on the horizontal and vertical location of coordinates in the inverse direction to achieve the translation correction.
The corrections of RST attacks are demonstrated, respectively, as above all.

Experimental Results and Analysis
In this section, performances in watermark robustness and imperceptibility of the proposed method are given and analyzed.This scheme is tested on the image with size of 512 × 512, and the watermark applied in this scheme is a binary image with size of 64 × 64.The scheme is tested on MATLAB R2014a with an Intel (R) Core (TM), Santa Clara, TX, USA, i3-2100 3.10 GHz CPU, 6 GB memory computer.
The proposed scheme is performed on a number of standard images, which are shown in Figure 8.
Algorithms 2017, 10, 41 10 of 21 The proposed scheme is performed on a number of standard images, which are shown in Figure 8.The Lena and Barbara images are selected for representative in this scheme.Compared with the Lena image, the Barbara image has more texture information.Similarly, considering symmetry and asymmetry of watermarks, the English character and logo images of Shandong University, China, set as 1 w and 2 w , are applied in this scheme for representation.In addition, the character watermark is embedded into the host image of Lena, and the image logo watermark is embedded into the image of Barbara.

Evaluation of Imperceptibility
After the watermark embedding, compared with the original image, the quality of the watermarked image will be reduced.Peak signal-to-noise ratio (PSNR) is the quality evaluation index adopted in most watermarking schemes to evaluate the imperceptibility performance of the The Lena and Barbara images are selected for representative in this scheme.Compared with the Lena image, the Barbara image has more texture information.Similarly, considering symmetry and asymmetry of watermarks, the English character and logo images of Shandong University, China, set as w 1 and w 2 , are applied in this scheme for representation.In addition, the character watermark is embedded into the host image Lena, and the logo image watermark is embedded into the host image Barbara.

Evaluation of Imperceptibility
After the watermark embedding, compared with the original image, the quality of the watermarked image will be reduced.Peak signal-to-noise ratio (PSNR) is the quality evaluation index adopted in most watermarking schemes to evaluate the imperceptibility performance of the algorithm.As for an image with size of N × N, the PSNR is defined as Equation ( 15): where I(i, j) and I w (i, j) are the pixel values on the coordinates of row i and column j in the host image and the watermarked image separately.Structural similarity index (SSIM) overcomes the disadvantage of PSNR, becoming a useful index of the similarity detection, which is defined as Equation ( 16): where µ I and µ I w denote the mean of original image I and watermarked or restored image I w , respectively.Furthermore, σ I and σ I w are the variance of image I and I w separately, while σ I I w is the covariance between I and I w .C 1 , C 2 , and C 3 are positive parameters.The value of SSIM ranges from 0 to 1.When SSIM is equal to 1, I and I w are exactly the same.Figure 9 shows the good perceptual transparency of the watermarked image compared with the original image.After SIFT is performed on Lena and Barbara images, 1233 keypoints and 1590 keypoints are extracted in these two watermarked images, respectively.
where ( , ) I i j and w ( , ) I i j are the pixel values on the coordinates of row i and column j in the host image and the watermarked image separately.Structural similarity index (SSIM) overcomes the disadvantage of PSNR, becoming a useful index of the similarity detection, which is defined as Equation ( 16):  (f) watermarked Barbara.

Evaluation of Robustness
The normalized correlation (NC) is applied to calculate the similarity of two images and further evaluate the robustness of the watermarking scheme, which is defined as Equation ( 17):

Evaluation of Robustness
The normalized correlation (NC) is applied to calculate the similarity of two images and further evaluate the robustness of the watermarking scheme, which is defined as Equation ( 17): where W o is the original watermark and W e is the extracted watermark.The size of the watermark is n × n.
The watermark is embedded into host images with different scaling factors, as shown in Figure 10.To resolve the trade-off between the robustness and invisibility of watermarking, the scaling factor is set as 0.5.
where o W is the original watermark and e W is the extracted watermark.The size of the watermark is n n × .
The watermark is embedded into host images with different scaling factors, as shown in Figure 10.To resolve the trade-off between the robustness and invisibility of watermarking, the scaling factor is set as 0.5.Table 1 gives the results of test images in number of keypoints and NC value (host images are tested with watermark 1).Table 1 gives the results of test images in number of keypoints and NC value (host images are tested with watermark 1).(2) Salt and pepper noise (0.01 and 0.05).(2) Salt and pepper noise (0.01 and 0.05).(3) Gaussian noise ((0, 0.01) and (0, 0.05)).

RST Attacks
In Figures 16-18, the watermarked image and extracted watermark of the proposed scheme are shown under RST attacks with different parameters.For rotation, there are five cases of parameters simulated in the scheme, which contain 2°, 5°, 10°, 30°, and 45°.In the scaling attacks, four different scales are performed to change the size of watermarked images, i.e., 0.25, 0.5, 0.9, and 1.2.In the perspective of translation attacks, the translation of watermarked image is performed in the horizontal and vertical directions for 128 pixels, respectively.

RST Attacks
In Figures 16-18, watermarked images and extracted watermarks of the proposed scheme are shown under RST attacks with different parameters.For rotation, there are five cases of parameters simulated in the scheme, which contain 2 • , 5 • , 10 • , 30 • , and 45 • .In the scaling attacks, four different scales are performed to change the size of watermarked images, i.e., 0.25, 0.5, 0.9, and 1.2.In the perspective of translation attacks, the translation of watermarked image is performed in horizontal and vertical directions for 128 pixels, respectively.

RST Attacks
In Figures 16-18, the watermarked image and extracted watermark of the proposed scheme are shown under RST attacks with different parameters.For rotation, there are five cases of parameters simulated in the scheme, which contain 2°, 5°, 10°, 30°, and 45°.In the scaling attacks, four different scales are performed to change the size of watermarked images, i.e., 0.25, 0.5, 0.9, and 1.2.In the perspective of translation attacks, the translation of watermarked image is performed in the horizontal and vertical directions for 128 pixels, respectively.
(1) Rotation.(2) Scaling.watermark image is embedded into the singular values in the three-level DWT domain.With the help of the SIFT, RST attacks on the host image can be corrected to promote the robustness.Experimental results show that the proposed scheme is able to resist different attacks, including common image processing and malicious attacks.Notably, compared with the previous scheme, the proposed scheme achieves better imperceptibility and robustness against RST attacks.For future work, the novel watermarking scheme applied to color images should be researched.

Figure 2 .
Figure 2. Flow diagram of the watermark embedding process.

Figure 2 .
Figure 2. Flow diagram of the watermark embedding process.

Figure 2 .
Figure 2. Flow diagram of the watermark embedding process.

Figure 3 .
Figure 3. Flow diagram of the watermark extraction process.

Figure 3 .
Figure 3. Flow diagram of the watermark extraction process.
w k s and s k s are the th k scale values of the matching points in watermarked image and scaled image, respectively.The corrected scaling coefficient γ is shown as Equation (13):

μ
denote the mean of original image I and watermarked or restored image w I , respectively.Furthermore, I σ and w I σ are the variance of image I and w I separately, while w II σ is the covariance between I and w I . 1 C , 2 C , and 3 C are positive parameters.The value of SSIM ranges from 0 to 1.When SSIM is equal to 1, I and w I are exactly the same.

Figure 9 Figure 9 .
Figure9shows the good perceptual transparency of the watermarked image compared with the original image.After SIFT is performed on Lena and Barbara images, 1233 keypoints and 1590 keypoints are extracted in these two watermarked images, respectively.

Figure 10 .
Figure 10.Structural similarity index (SSIM) and normalized correlation (NC) values of the proposed method with different quantization steps.

Figure 10 .
Figure 10.Structural similarity index (SSIM) and normalized correlation (NC) values of the proposed method with different quantization steps.

4. 2 . 1 .
Common AttacksIn, the extracting results under different image attacks are given, such as JPEG 100, salt and pepper noise with densities of 0.01 and 0.05, Gaussian noise with mean 0, and variances of 0.01 and 0.05, center cropping on the 256 × 256 region, and median filter (3 × 3).
In Figures11-15, the extracting results under different image attacks are given, such as JPEG 100, salt and pepper noise with densities of 0.01 and 0.05, Gaussian noise with mean 0, and variances of 0.01 and 0.05, center cropping on the 256 × 256 region, and median filter (3 × 3).

Figure 12 .
Figure 12.Watermarked images and extracted watermarks under salt and pepper noise: (a) watermarked Lena under salt and pepper noise (0.01); (b) extracted watermark 1 w ;
In Figures11-15, the extracting results under different image attacks are given, such as JPEG 100, salt and pepper noise with densities of 0.01 and 0.05, Gaussian noise with mean 0, and variances of 0.01 and 0.05, center cropping on the 256 × 256 region, and median filter (3 × 3).
4Three-level DWT is performed on the corrected image c I , and then LL3, LH3, HL3, and HH3 bands are obtained.Similar to the embedding process, the LL3 sub-band

Table 1 .
Experimental results on test images.

Table 1 .
Experimental results on test images.