Collusion Attack Resilient 3D Mesh Watermarking Based on Anti-Collusion Fingerprint Code

Collusion attack is one of the techniques used for unauthorized removal of embedded marks. However, no existing algorithm applies an averaging-resilient fingerprint code to 3D mesh watermarking. In this paper, we propose a collusion resilient 3D mesh watermark based on mesh spectral analysis and the anti-collusion fingerprint code. We present two fingerprint schemes by exploiting the theoretically proven anti-collusion codes: the group-divisible partially balanced incomplete block design, and Tardos's fingerprint code. The proposed extraction scheme not only met the requirement for an anti-collusion code but also provided sufficient payload length for the fingerprint code. To minimize the detection error, we also modeled the response of the detector and herein present optimized thresholds for our method. Based on the experiments with public benchmarks, the proposed method outperformed conventional robust mesh watermarking against collusion attack, and provided robustness to the combination of a small amount of added noise and collusion attack.


Introduction
Digital watermarking is the process of hiding digital information in a noise-tolerant signal such as multimedia data. The watermark can be used to determine authorship when a copyright dispute occurs, and can be used as a fingerprint to track a distribution path when a prototype held by only a few people is leaked. Digital watermarking technology has been applied to various kinds of multimedia content, such as 3D mesh watermarking [1] and 2D and 3D video watermarking [2,3]. Collusion attack is one of the main techniques used for unauthorized removal of embedded marks [4]. Attackers can exploit different versions of the fingerprinted content to estimate the original content. Moreover, a simple averaging of several differently protected copies can be used to disable detection of the embedded pattern. To cope with collusion attacks, two categories of countermeasures have been researched. The first works by pre-warping at the signal-processing level, so that each copy of the multimedia content is varied in a slightly different way [5,6]. However, when the method fails to protect against collusion attack, it cannot provide information useful for tracking the attackers. The second category is based on the averaging-resilient fingerprint, which theoretically guarantees robustness against several attackers [4,7–10]. In contrast to pre-warping-based methods, the anti-collusion-based techniques work passively by providing explicit clues for tracking the attackers.
Recently, the demand for 3D mesh watermarking has increased due to the emergence of low-cost 3D printers. On the other hand, copyright issues will inevitably occur with the expansion of 3D model sharing platforms such as Thingiverse, Pinshape, and Sketchfab. In spite of various watermarking methods [1,11–13], mesh watermarking techniques resilient to collusion attack were rarely considered [6,14]. Uccheddu et al. [6] proposed anti-collusion watermarking for 3D meshes by pre-warping, which changes the vertex ordering and the associated faces. However, no algorithm applies the averaging-resilient fingerprint code to 3D mesh watermarking. This paper is an extension of our previous work [15], which proposed a mesh watermarking algorithm based on a mesh Laplacian matrix [16] with group-divisible partially balanced incomplete block design (GD-PBIBD). In this extension, we used two anti-collusion fingerprint code systems: one based on the GD-PBIBD [9], and another based on Tardos's fingerprint code [17]. The codes were converted into unsigned random patterns to prevent the attenuation of the embedded signal by collusion attack. By modeling the detector response of the proposed method, we theoretically determined a threshold to minimize the detection error. As a result of our tests, we experimentally demonstrate that the proposed method does not lose recipient information during collusion attack.
The rest of this paper is organized as follows. Section 2 is a brief introduction of the necessary background knowledge, and Section 3 explains the details of the proposed method. To demonstrate the performance of the proposed scheme, we tested our method with mesh benchmark sets, and report the results in Section 4. In Section 5, the conclusions are presented.

Model for Collusion Attack
In this section, we illustrate the frequent types of collusion attack. Collusion attack is a type of unauthorized fingerprint removal in which an adversary obtains several copies of a content marked with different fingerprints [4]. The adversary combines the fingerprinted copies of the content to attenuate the power of the fingerprint of each copy. The most frequent type of collusion attack is linear collusion. The simplest example of this type of attack is averaging the copies. Figure 1 illustrates the process of linear collusion. Alice's original content $x$ is distributed with fingerprints $w_1$ to $w_n$. Suppose Bob obtained the marked copies $y_1$ to $y_n$. Bob mixes those copies by averaging, adds noise $z$, and acquires the attacked content $y$. Because the power of each fingerprint is reduced in $y$, the attacked content $y$ becomes similar to the original work $x$. Therefore, Bob may claim that the content $y$ is his original content. As the number of copies increases, the power of each fingerprint becomes weaker, and it becomes harder to establish the original ownership.
If the marking algorithm spreads the fingerprint throughout the entire content, cut-and-paste has a similar effect to the averaging attack. For algorithms such as spread-spectrum embedding in a transform domain, mixing parts of the copies by cut-and-paste also reduces the power of each fingerprint. For example, suppose Bob takes $1/n$ parts equally from each copy $w_k$, and pastes them into a new copy $y$. If the fingerprints are embedded in a transform domain such as the frequency domain, the power of each fingerprint will be attenuated. Another type of collusion attack is non-linear collusion. The concept of this type of attack is taking the maximum, minimum, or median, rather than the average, of the observed copies.

Related Work
Two categories of countermeasure techniques were previously researched to cope with collusion attacks. The first technique works by pre-warping at the signal-processing level, so that each copy of the multimedia content is varied in a slightly different way [5,6]. The pre-warping process is effective against collusion attack, because a simple averaging attack degrades the quality of the protected content. Colluders must then resort to more complex attacks that bring about the registration of the original contents prior to the attack itself [5]. However, some doubts exist about the real effectiveness of these techniques, given that registering the pre-warped contents does not appear to be an impossible task [6]. Moreover, when the method fails to protect against collusion attack, it cannot provide information useful for tracking the attackers. The second category of countermeasures is based on the averaging-resilient fingerprint, which theoretically guarantees robustness against several attackers [4,7–10]. In contrast to pre-warping-based methods, the anti-collusion-based techniques work passively by providing explicit clues for tracking the attackers. Boneh et al. [4] first defined the collusion attack for digital data, and they analyzed the characteristics of a collusion-attack resilient code. Based on combinatorial theory, Stinson et al. [7] proposed a code system for an anti-collusion fingerprint code. Kang et al. [9] proposed a constructive algorithm for an anti-collusion fingerprint code, called group-divisible partially balanced incomplete block design (GD-PBIBD), based on group-divisible designs. Tardos proposed a randomized fingerprinting code that is provably secure against collusion attack [17] and achieves state-of-the-art performance. The papers listed in this paragraph only proposed a code system; they did not suggest any practical system or experimental results for multimedia data.
For fingerprinting systems based on the anti-collusion code, Trappe et al. [8] proposed an image fingerprinting system using balanced incomplete block design (BIBD). For video fingerprinting, Kang et al. [18] introduced a practical fingerprint scheme that adopted the anti-collusion fingerprint, which was called group-divisible partially balanced incomplete block design (GD-PBIBD). Maity et al. [19] proposed a collusion resilient optimized image watermarking scheme using genetic algorithms and multiband wavelets. Kuribayashi [20] suggested a simplified maximum a posteriori detector for binary fingerprinting code.
Recently, the demand for 3D mesh watermarking has increased due to the emergence of low-cost 3D printers and 3D model sharing platforms such as Thingiverse, Pinshape, and Sketchfab. In spite of various watermarking methods [1,11–13,21,22], mesh watermarking techniques resilient to collusion attack were rarely considered [6,14]. Uccheddu et al. [6] proposed anti-collusion watermarking for 3D meshes by pre-warping, which changes the vertex ordering and the associated faces. However, no algorithm applies the averaging-resilient fingerprint code to 3D mesh watermarking. As we found in the previous literature, most of the watermarking schemes based on anti-collusion codes were intended to protect image and video data. To the best of our knowledge, anti-collusion code-based 3D mesh watermarking has not been reported yet.

Proposed Method
The main assumption for designing the anti-collusion fingerprint codes is that the averaging attack on the anti-collusion code has the same effect as a bitwise AND operation at every bit position. Therefore, the embedded bit information has to be zero after the averaging attack when the bits from the colluded works differ. However, conventional robust mesh watermarking methods such as [11–13,23,24] did not consider this aspect. Moreover, an anti-collusion fingerprint code requires a relatively large payload in many cases, so the existing mesh watermarking methods are not suitable for carrying anti-collusion fingerprint codes (see Table 1). In contrast to the existing robust mesh watermarking, our proposed method has sufficient capacity to carry the anti-collusion fingerprint code. We will evaluate them in the experimental results section later. Unlike the image and video watermarking described in [8,18], each vertex of a 3D mesh model is non-uniformly sampled, so the spatial structure of the mesh is not suitable for utilizing fingerprint codes. Alternatively, we can divide the mesh into disjoint bands in the frequency domain and embed a watermark in them. To perform the frequency analysis, we use a technique called mesh spectral analysis [25] that can be considered a principal component analysis of the shape. We now describe each step of watermark embedding and detection in detail.

Watermark Embedding Algorithm
The spectrum of a 3D mesh is computed from the connectivity and vertex coordinates of the mesh. Eigenvalue decomposition of a mesh Laplacian matrix is required to produce the spectral coefficients. For the Laplacian matrix, we employed the mesh Laplacian matrix proposed by Bollobás [16], referred to as the Kirchhoff matrix. The Kirchhoff matrix $K$ is defined as follows: where $D$ is a diagonal matrix whose elements are the degrees of the vertices, and $A$ is the adjacency matrix of the mesh, whose elements $a_{i,j}$ are equal to '1' if vertices $i$ and $j$ are adjacent, and '0' otherwise. A mesh $M$ with $m$ vertices produces a Kirchhoff matrix $K$ of size $m \times m$, and its eigenvalue decomposition may be described as follows: where $\Lambda$ is a diagonal matrix composed of the $m$ eigenvalues $\lambda_i$ in ascending order, and $U$ is a unitary matrix composed of the $m$-dimensional normalized eigenvectors. The Laplacian eigenvector basis is used to perform an orthogonal decomposition of a function. The spectra of the mesh are obtained by projecting the vertex vector onto the Laplacian basis, as indicated in the following equation.
where $c = (c_1, c_2, \ldots, c_m)^T$ is the vector of spectral coefficients of the input mesh, and $x$ is a vector of the vertices of the mesh. We generate a watermark pattern using a 'group-divisible partially balanced incomplete block design' (GD-PBIBD) [26]. Using a generator proposed by Kang et al. [9], the generated code set is defined as an $N \times R$ binary matrix $N$ in which a column represents a unique fingerprint code for each user, and where $N$ is the length of each fingerprint code. The generated fingerprint code set $N$ for $R = s^{2(p-1)}$ recipients can protect the cover work from $n$ attackers ($n = s - 1$). Detailed information can be found in [26].
For the $u$-th recipient, we obtain the $u$-th column vector $y_u$ from the generated fingerprint code set $N$. Each binary value '0' or '1' from $y_u$ is encoded into one of two symbol vectors $s_0$, $s_1$ of the same length $L$, and we obtain a watermark sequence $w$ of length $N \cdot L$. We use a zero-valued vector for the symbol vector $s_0$. For the symbol vector $s_1$, we use a pseudo-random sequence with positive values generated by a watermark key. We embed the generated pattern $w$ by changing the amplitude of the spectral coefficient vector $c$. First, we determine a frequency band for watermark embedding by selecting a start index $i_0$ of the coefficient vector. The watermarking process is computed using the following equation: where $1 \le i \le (N \cdot L)$, and $\alpha$ is the strength of the watermark ($\alpha > 0$). Here, $c_i$ and $w_i$ denote the $i$-th index of $c$ and $w$, respectively. The watermarked mesh is obtained by combining the Laplacian basis $U$ with the coefficient vector $c$ as in the following equation.
where x is a vector of the reconstructed vertices for the watermarked mesh model.

Detection of the Embedded Watermark
We designed the proposed collusion-resilient watermarking based on informed-detection watermarking that requires a reference mesh. For the watermark extraction, we first obtained the spectral coefficient vectors $c^* = (c^*_1, c^*_2, \ldots, c^*_n)^T$ and $c$ from the suspicious mesh $M^*$ and the reference mesh $M$, using the method described in the embedding section. Then, we calculated the residuals vector $r^*$ by subtracting $c^*$ from $c$.
where $1 \le j \le N$, $s_1$ is the symbol vector used in the embedding step, and $n$ is the number of attackers that can be covered by the code set $N$. Here, $\tau_w$ is a threshold to minimize the false-positive rate ($< 10^{-5}$) that was determined by experiment without any collusion attack. Because the embedded signal could be attenuated by $1/n$ (in the worst case), $\tau_w$ must be adjusted by the maximum number of attackers to avoid false-negative errors. The function term $\mathrm{corr}(r, s)$ denotes the normalized correlation calculated as in the following equation: where the bar above a symbol denotes the mean value. When the sum of correlation values is smaller than $\tau_w / n$, we reject the suspicious model as a watermarked model whether the extracted code is attacked or not.

Colluder Accusation
To detect bit information '1', the detector response $\psi$ was derived using the embedding signal of Equation (4), where $1 \le i \le n_c$, and $c^*_j$ is the vector corresponding to $s^*_j$. Based on $\psi$, we reconstruct the fingerprint $y^*$ based on the embedding equation as follows: where $y^*_j$ denotes the $j$-th index of $y$, and $\tau_b$ is a threshold to minimize the error rate (discussed in Section 3.3).
When we suspect that the extracted fingerprint has been attacked, we examine the extracted fingerprint $y^*$ using the code set $N$. The averaging attack on the binary sequences can be considered the logical AND of the fingerprint codes [8]. Using the GD-PBIBD code, we can find the pirates by comparing the bit positions of the result sequence whose value is '1' with all columns in the code set $N$. Therefore, we designed an examination process: where $v^*$ is a vector in which each index corresponds to a recipient. By normalizing and applying a floor function to each value of $v^*$, we obtain vector v as follows: Using the vector v, we decided whether the extracted code $w^*$ was attacked or not. If |v| = 1 then $w^*$ was not attacked by pirates. In contrast, if |v| > 1 then $|y^*|$ indicates the number of attackers, and the values from v provide explicit clues for tracking the attackers.
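The extraction and accusation steps above can be traced end to end on a small code. The following is an added example, not the authors' MATLAB implementation: it works directly on a constructed coefficient vector (no mesh), assumes additive embedding and a projection detector, uses an assumed threshold of 0.9, and replaces the GD-PBIBD code with a 7-user code built from the (7,3,1) BIBD, which resists two colluders.

```python
import random

# Constructed toy AND-type code: the (7,3,1) BIBD built from the cyclic
# difference set {0, 1, 3} mod 7. It stands in for the paper's GD-PBIBD code
# and resists 2 colluders (the paper's code resists 8).
USERS = BITS = 7
BLOCKS = [{u % 7, (u + 1) % 7, (u + 3) % 7} for u in range(USERS)]
# Bit j of user u is 0 inside the user's block and 1 elsewhere.
CODE = [[0 if j in BLOCKS[u] else 1 for j in range(BITS)] for u in range(USERS)]

L = 64        # chips per code bit (assumed)
ALPHA = 0.05  # embedding strength, the value used in the paper's experiments
TAU_B = 0.9   # bit threshold (assumed; the paper derives its own tau_b)


def make_s1(key):
    """Unsigned (strictly positive) pseudo-random symbol for bit '1'."""
    rng = random.Random(key)
    return [rng.uniform(0.5, 1.5) for _ in range(L)]


def embed(c, user, s1):
    """Assumed additive embedding c_i + alpha * w_i; bit '0' adds the zero vector."""
    out = list(c)
    for j, bit in enumerate(CODE[user]):
        if bit:
            for t in range(L):
                out[j * L + t] += ALPHA * s1[t]
    return out


def average_attack(copies, sigma=0.0, seed=1):
    """Linear collusion: average the copies, then add Gaussian noise z."""
    rng = random.Random(seed)
    k = len(copies)
    return [sum(col) / k + rng.gauss(0.0, sigma) for col in zip(*copies)]


def extract_bits(c_suspect, c_ref, s1):
    """Informed detection: project each residual band onto s1 and threshold."""
    energy = ALPHA * sum(v * v for v in s1)
    bits = []
    for j in range(BITS):
        band = range(j * L, (j + 1) * L)
        psi = sum((c_suspect[i] - c_ref[i]) * s1[i - j * L] for i in band) / energy
        bits.append(1 if psi > TAU_B else 0)  # psi ~ (colluders with bit 1) / k
    return bits


def trace(bits):
    """v* = y*^T N, normalised by |y*| and floored: a 1 marks a suspect."""
    weight = sum(bits)
    if weight == 0:
        return []  # nothing survived, so there is no basis for an accusation
    v_star = [sum(b * CODE[u][j] for j, b in enumerate(bits)) for u in range(USERS)]
    return [u for u in range(USERS) if v_star[u] // weight == 1]


def run(colluders, sigma=0.0):
    rng = random.Random(42)
    c_ref = [rng.uniform(-1.0, 1.0) for _ in range(BITS * L)]  # constructed spectrum
    s1 = make_s1(key=7)
    copies = [embed(c_ref, u, s1) for u in colluders]
    attacked = average_attack(copies, sigma)
    return trace(extract_bits(attacked, c_ref, s1))


if __name__ == "__main__":
    print(run([3]), run([1, 4]), run([0, 6], sigma=0.001), run([0, 1, 2]))
```

With three colluders the toy code's two-colluder bound is exceeded and `trace` also returns an innocent user, which is why the code set has to be generated for the largest coalition the distributor expects.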

Detector Response Modeling and Error Minimization
To reflect the statistical characteristics of the actual noise and interference, the threshold $\tau_b$ has to be controlled to minimize the bit error ratio. In this section, we model the distribution of the responses from the extracted bit, and determine $\tau_b$ by analyzing the proposed model. The averaging attack on the anti-collusion code has the same effect as a bitwise AND operation at every bit position. Therefore, bit information '1' survives the averaging only when no '0' exists at the same bit position of the attackers' codes. The probability of '1' from the code set $N$ is $\frac{n-1}{n}$ [26], where $n$ denotes the number of attackers covered by $N$. After the collusion with $n$ attackers, the expected value of bit information '1' can be modeled as a binomial distribution as where $k$ is the number of '1' bits in the same position of the attackers' codes.
To reflect the statistical characteristics of the actual noise and interference, the detector response $\psi$ was modeled as a mixture of Gaussian distributions. Similar to Equation (13), the embedded signal from Equation (4) is attenuated by the number of attackers ($n$). Therefore, the distribution of the attenuated signal of bit '1' can be modeled as where $f(x \mid \mu, \sigma^2)$ denotes the probability density function of the Gaussian distribution, and $\sigma$ is determined by the watermark-to-noise ratio (WNR) $\sigma = \|\alpha\|^2 / \sigma_d^2$, where $\sigma_d^2$ is the strength of the additive noise. Figure 2 shows simulated plots of $E(n)$ and $\Psi(x \mid n, \sigma)$, where $n = 8$ and $\sigma = 0.1$.
To verify the proposed model in Equation (14), we measured the detector response from 1000 sample models with the same parameters ($n = 8$, $\sigma = 0.1$). As a result of the tests, Figure 3a shows a histogram of the measured responses that has a structure very similar to that of the proposed model (Figure 2b). Using the model $\Psi$, we determine the threshold $\tau_b$ by minimizing the code extraction error as follows: where $e_1$ and $e_2$ are the false positive error and the false negative error, respectively. Each error probability was derived from $\Psi$ as follows, From now on, we focus on the mathematical derivation, in order to provide the threshold value $\tau_b$ illustrated in Figure 3b. From Equation (15), $\tau_b$ is the value of $t$ at which the derivative of $e_1 + e_2$ with respect to $t$ is zero.
Substitute $\alpha_k$ for $\binom{n}{k} \frac{1}{n^k} \left(1 - \frac{1}{n}\right)^{n-k}$, for $k = 1$ to $n$.
Substitute $x$ for $e^{\frac{t}{n\sigma^2}}$ and $\beta_k$ for $\alpha_k e^{-\frac{k^2}{2n^2\sigma^2}}$, for $k = 1$ to $n$.
Therefore, the value $\tau_b$ that minimizes $e_1 + e_2$ can be derived by solving the following polynomial of degree $n$.
Finally, we can get $\tau_b$ by using the solution of Equation (24):

$$\tau_b = n \cdot \sigma^2 \cdot \ln(x) \qquad (25)$$

Figure 3b shows $\tau_b$ values for various $\sigma$ and $n$ by solving Equation (15). For instance, $\tau_b = 0.9378$ for the test environment $n = 8$, $\sigma = 0.1$ is presented as a red line in Figure 3a.

Tardos's Fingerprint Code
Among the various fingerprint codes against collusion attack, the Tardos code [17] achieves state-of-the-art performance. Tardos proposed a randomized fingerprinting code, based on Boneh and Shaw's scheme [4], that is provably secure against collusion attack. Compared with conventional methods, this code reduced the length of the code to the square of its length. Following Tardos [17], we provide the formal definition of the fingerprint code below.
A fingerprint code of length $m$ for $n$ users over the alphabet $\Sigma$ is a distribution over the pairs $(X, \sigma)$, where $X$ is an $n \times m$ matrix over $\Sigma$ and $\sigma$ is an algorithm that takes a string $y \in \Sigma^m$ (the pirated copy) as input, and produces a subset $\sigma(y) \subseteq [n] := \{1, 2, \cdots, n\}$ (the set of accused users). For $\varnothing \neq C \subseteq [n]$, a $C$-strategy is an algorithm $\rho$ that takes the submatrix of $X$ formed by the rows with indices in $C$ as input, produces a string $y = \rho \in \Sigma^m$ as output, and satisfies the marking condition that, for all positions $1 \le i \le m$, if all the values $X_{ij}$ for $j \in C$ agree with some letter $s \in \Sigma$ then $y_i = s$. We say that a fingerprint code is -secure against coalitions of size $c$, if for any $C \subseteq [n]$ of size $|C| \le c$ and for any $C$-strategy $\rho$, the error probability, is at most . Tardos's fingerprint code is an $n \times m$ binary matrix, where $n$ denotes the number of users and $m$ denotes the length of the fingerprint codes. The number of users $n$, the size of the collusion $c$, and the error bound are the key parameters that decide the size of the fingerprint code matrix.

Extended Mesh Fingerprinting Scheme Using Tardos's Code
Tardos's fingerprint code is applied directly to the embedding equation, Equation (4), in the same way as the GD-PBIBD code. In addition, the detection of the embedded watermark described in Section 3.2.1 can also be used with this fingerprint code. Then, the embedded bit information $y^*$ is extracted using Equations (9) and (10).
In contrast with the embedding and code extraction process, the accusation process described in Section 3.2.2 has to be modified. First, we examine the extracted fingerprint $y^*$ as follows. Assuming that the number of users is $n$ and the length of the fingerprint code is $m$, Tardos defined the $n \times m$ matrix $U$, whose entries are defined as follows: where the $p_i$ values come from the probability array used in the fingerprint code generation step, and $X_{ji}$ is an element of the fingerprint code matrix. Let the algorithm accuse user $j$ on the extracted fingerprint where Z = 20c log(1.0/ ) as a threshold parameter. As described in [17], both false positive and false negative errors are controlled by the error bound . When the error bound is lowered to make the fingerprint system more robust, the length of the fingerprint code increases dramatically. Therefore, because of the limited number of spectral coefficients (<3000) from the cover mesh model, the usage of Tardos's code is relatively limited (e.g., the generated code with = 0.2, c = 6 has length 4024).
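The code generation and accusation steps can be run on a constructed code set as follows. This is an added example, not the authors' implementation: the bias distribution and the score matrix $U$ are taken from Tardos's paper [17], the threshold is the $Z$ given above with a natural logarithm, the length rule is an assumption chosen because it reproduces the two code lengths reported in the experiments, `eps` names the error bound, and the colluders are modelled by a bitwise AND, the effect the paper attributes to averaging.

```python
import math
import random


def code_length(eps, c):
    """Assumed length rule: floor(100 * c^2 * ln(1/eps))."""
    return int(100 * c * c * math.log(1.0 / eps))


def threshold(eps, c):
    """Accusation threshold Z = 20 * c * ln(1/eps)."""
    return 20 * c * math.log(1.0 / eps)


def generate(n_users, eps, c, seed):
    """Return the n x m code matrix X and the probability array p (Tardos [17])."""
    rng = random.Random(seed)
    m = code_length(eps, c)
    t_prime = math.asin(math.sqrt(1.0 / (300 * c)))  # cutoff: sin^2(t') = 1/(300c)
    p = [math.sin(rng.uniform(t_prime, math.pi / 2 - t_prime)) ** 2 for _ in range(m)]
    X = [[1 if rng.random() < p[i] else 0 for i in range(m)] for _ in range(n_users)]
    return X, p


def and_collusion(X, colluders):
    """Averaged unsigned marks after thresholding: '1' survives only if all agree.

    The output satisfies the marking condition: positions where every colluder
    holds the same letter keep that letter.
    """
    m = len(X[0])
    return [int(all(X[j][i] for j in colluders)) for i in range(m)]


def scores(X, p, y):
    """S_j = sum_i y_i * U_ji, with U_ji = sqrt((1-p_i)/p_i) if X_ji = 1
    and -sqrt(p_i/(1-p_i)) otherwise."""
    out = []
    for row in X:
        s = 0.0
        for x, pi, yi in zip(row, p, y):
            if yi:
                s += math.sqrt((1 - pi) / pi) if x else -math.sqrt(pi / (1 - pi))
        out.append(s)
    return out


def accuse(X, p, y, eps, c):
    z = threshold(eps, c)
    return [j for j, s in enumerate(scores(X, p, y)) if s > z]


def demo(colluders=(2, 5, 7), n_users=100, eps=0.1, c=3, seed=2024):
    X, p = generate(n_users, eps, c, seed)   # constructed code set
    y = and_collusion(X, colluders)          # extracted fingerprint y*
    return accuse(X, p, y, eps, c)


if __name__ == "__main__":
    print(code_length(0.1, 3), code_length(0.3, 4), demo())
```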

Experimental Results
To assess the proposed scheme, we tested its robustness against collusion attacks. Experiments were carried out on six triangular mesh models from the 3D mesh watermarking benchmark project [27]: Bunny, Rabbit, Venus, Horse, Cow, and Ramesses. We used the fingerprint code set constructed by [9] with parameters (72, 81, 9, 8, 0, 1), which could protect the model against n = 8 attackers. The watermarking algorithm was implemented in MATLAB 2012b using the mesh toolbox [28]. The geometric distortion was measured using maximum root mean square error (MRMS) [29]. Figure 4b shows the watermark with MRMS = 0.02% (α = 0.05), and no visual difference can be perceived between Figure 4a,b. In addition, we embedded the watermark with a high strength factor (α = 0.5) to show the visual shape of the watermark (MRMS = 2%). The embedded watermark appears as noise strongly represented on certain areas of the model's surface. In addition, Figure 5 illustrates the distortion maps, which represent the HSV maps of the geometric objective distortions between the original and the watermarked meshes based on the Hausdorff distance [29].

Robustness Test for Collusion Attack
The experiments were divided into two test environments: (1) a collusion attack test with a variety of compared methods; and (2) a robustness test with collusion and noise addition attacks. To compare our method against the performance of conventional schemes, we used the following robust watermarking methods: Ohbuchi et al. [11], and Cho et al. [12]. Similar to our method, the method of Ohbuchi et al. [11] is based on the mesh spectral decomposition. The method of Cho et al. [12] embeds a watermark pattern by modifying the statistical features of the vertex norm. Anti-collusion codes were adopted not only in our method but also in the compared methods [11,12]. In the experiments, we generated 81 watermarked models by embedding a fingerprint code for each recipient of the models. Then collusion attacks were performed 100 times using a set of randomly selected watermarked models for each iteration. For the collusion attack in our tests, we averaged a set of selected models and obtained one attacked model. We also conducted experiments by varying the number of selected models k (1 ≤ k ≤ 8). Robustness against collusion attack was evaluated by the number of times that tracing all attackers was successful. Figure 6 shows the experimental results of collusion attack for the proposed method, Ohbuchi et al. [11], and Cho et al. [12]. In this figure, Cho-mean and Cho-var indicate the first and the second method of Cho et al., respectively. The proposed method perfectly found attackers for every attack when the number of attackers was 1-7, and it also performed well when the number of attackers was '8'. Because the GD-PBIBD codes in the test were generated with n = 8, which could protect the model against (n ≤ 8) attackers, the results decrease drastically when n > 8. In contrast, Cho-mean and Ohbuchi et al. did not trace attackers for all attacks when the number of attackers was two or more. Cho-var also did not work when the number of attackers was three or more.
The results showed that the proposed scheme was much more robust against collusion attack than the conventional schemes. Figure 7 shows robustness to the combination of noise addition and collusion attack. We added Gaussian noise N(0, σ) to the averaged model, where σ = 0.1, 0.01, 0.001, or 0.0001, and traced the attackers using the proposed detector. The performance of the proposed method for the noise strength σ < 0.001 was as good as the result for σ = 0, and the results in cases with σ = 0.001 were also acceptable. On the other hand, in the experiments with strong noise (σ ≥ 0.01), the accuracy of our method decreased. Therefore, the result shows that the proposed method was robust to the combination of a small amount of added noise and collusion attack.

Experimental Results of Tardos's Code-Based Scheme
For the experiments with Tardos's fingerprint code, we used two parameter sets to generate the fingerprint code matrix: parameter set 1 ( = 0.1, c = 3, length = 2072), parameter set 2 ( = 0.3, c = 4, length = 1926). In addition, we generated 100 watermarked models by embedding a fingerprint code for each recipient of the models. Then collusion attacks were performed 100 times using a set of randomly selected watermarked models for each iteration. For the collusion attack in our tests, we averaged a set of selected models and obtained one attacked model. We also conducted experiments by varying the number of selected models k (1 ≤ k ≤ c). Robustness against collusion attack was evaluated by the number of times that tracing all attackers was successful. Figure 8 shows robustness to the combination of noise addition and collusion attack. We added Gaussian noise N(0, σ) to the averaged model, where σ = 0.01, 0.001, or 0.0001, and traced the attackers using the proposed detector. The performance of the proposed method for the noise strength σ < 0.001 was acceptable compared to the results without noise attack. On the other hand, in the experiments with strong noise (σ ≥ 0.01), the accuracy of our method decreased. Therefore, the result similarly shows that the proposed method was robust to the combination of a small amount of added noise and collusion attack. Compared to the GD-PBIBD-based scheme, Tardos's code-based scheme requires more bit capacity to carry the fingerprint code. This aspect results in a reduction in the ratio between imperceptibility and robustness for the fingerprinting scheme. Although Tardos's fingerprint code outperforms the other anti-collusion codes in many applications, it does not work well in some cases of mesh fingerprinting, such as a high number of accused users and environments in which noise can be added.

Discussion and Conclusions
The main contribution of our work is a collusion resilient watermark based on the anti-collusion fingerprint code. In contrast to the existing robust mesh watermarking, our proposed method has sufficient capacity to carry the anti-collusion fingerprint code. To minimize the detection error, we also modeled the response of the detector and presented optimized thresholds for our method. Based on experiments with a public benchmark, the proposed method outperformed the conventional robust mesh watermarking in all cases.
Nowadays, the demand for 3D mesh watermarking has increased due to the emergence of low-cost 3D printers. On the other hand, copyright issues will inevitably occur with the expansion of 3D model sharing platforms such as Thingiverse, Pinshape, and Sketchfab. In spite of various watermarking methods, mesh watermarking techniques resilient to collusion attack were rarely considered. Therefore, we believe that the proposed method can give advantages to our industry as well as the academic society.