JP2003510925A - Authentication of digital data products using signatures and watermarks - Google Patents

Abstract

(57) [Summary] A method is provided for authenticating a digital data work that can confirm the integrity or certainty of the digital data work. This method determines the unique signature for an immutable work, and in some way reverses this signature and embeds it into the immutable work to some extent so that the work actually modifies itself. And to suggest.

Description

Detailed Description of the Invention

[0001]

TECHNICAL FIELD OF THE INVENTION

The invention relates in particular to a method for authenticating a digital data product in order to make it easy to detect unauthorized changes to the product.

[0002]

[Prior art]

Systems based on digital data are becoming common and absolutely necessary. The concentration of these individual components brought about by digital data, digital data communications, digital audio, digital cameras, and the Internet between computers has created the context of the prior art for this invention.

There are many applications for techniques that allow easy detection of unauthorized changes to digital images and digital audio. For example, it is now very easy to tamper with a digital photo using image manipulation software, making it doubtful about the authenticity of the digital photo. This has very serious implications, for example using digital photo evidence in criminal proceedings. Therefore,
It would be advantageous to be able to assert that the integrity of a given digital photograph can be guaranteed.

Similarly, it has become common to archive (store) documents such as legal contracts and financial instruments by performing image processing and storing them in a non-erasable digital medium such as WORM. . There is an urgent need for tampering with these digital recordings. There are similar problems associated with digital audio and video. For example, where recorded digital audio data is generally used as evidence to ascertain the existence of a dictation agreement and its commitment, verifying the integrity of the recording is particularly useful.

[0005]

[Problems to be Solved by the Invention]

In the areas of data communication and digital audio, various techniques have been established to ensure data integrity. For example, using error correction technology that relies on checksums. However, these techniques require that a digital signal generated by a device such as a CD player is an accurate transmission, and that C
It is designed to guarantee replay from the source, such as data stored in D. This differs from being able to detect whether a duplicate made from the original CD is a perfect rendition of the original CD without having to access the original CD.

The present invention was devised to solve this problem (whether the integrity of the digital data work is compromised). Therefore, the present invention does not modify the small units of data in order to provide the digital data with information specific to an accurate understanding of the digital data itself, but instead tamper with the digital work. It is intended to make tampering and tampering easy to detect.

Digital signatures are a widely used technique for verifying the integrity of digital information, especially for verifying the integrity of digital information transmitted between remote locations. Currently, it is possible to include a simple signature in the header of a data file of a digital data product. The header typically includes a checksum based on the content of the data file so that any content tampering will always result in a checksum mismatch. Mismatches can be easily detected and tampering can be detected. However, it is relatively easy to remove the checksum in the header, in which case data integrity cannot be established.

Thus, the conventional signature-based method for verifying the integrity of a digital file is as follows. A person wishing to authenticate a digital file computes the signature by applying an appropriate algorithm to the data values in the file.
This signature is then added to the end of the original file or written to another file. Signing is for anyone who wants to verify the use and authenticity of a file,
Sent with the file. The processing of the verification part is performed by the recipient of the file. The recipient must have knowledge of the key that controls the algorithm used to calculate the signature and that algorithm. Using these tools, signatures are calculated on the received files. The value of the signature sent is then compared with the signature calculated this time. Whatever the method, if the compared values are the same, it indicates that the file sent is exactly the same as the original file.

As explained in EP-A-0402210, another possibility is to write the signature to a secure hardware device. EP-A-0402210
Verifies the integrity of the message by examining the unique signature that can be obtained from part of the message and comparing it to the signature obtained from the original message, stored in a secure location. Explaining that.

Reference is also made to EP-A-96920963.4. EP-A-96920
963.4 establishes the authenticity of a digital data product by modifying the digital data product according to a special algorithm so that some or all of the components of the digital data product have measurable characteristics. The method to do is clarified. The measurable characteristics are those that are changed when the digital data product is tampered with. Changes in this feature can be detected by the detection process.

Reference may also be made to US5613004. US5613004 describes embedding an invisible watermark message in an image. The hash of the message is also embedded, and you can find out if the message has been tampered with. Therefore, the signature is a message embedded in it, although not the work itself.

[0012]

[Means for Solving the Problems]

The present invention adopts the following configuration in order to solve the above points. <Structure> The method for authenticating a digital data product according to the present invention includes a step of calculating a signature for a digital data product that has not been modified in the original and an unauthorized modification to the product. Altering the digital data product that has not been tampered with in its original, based on the signature, to produce a modified product such that the work is measurably modified. .

<Operation> Therefore, the essence of the invention is to obtain a product that has not been tampered with, by calculating a unique signature or hash for the product that has not been tampered with, and actually changing the product itself. , By embedding a unique signature in some way, to establish the integrity and authenticity of the digital data work. This is in contrast to traditional methods of simply adding a signature as a header, or adding something to a data production. It is also different from embedding a message and a hash of the message in order to guarantee the integrity of the message.

According to the present invention, EP-A-969 is used to actually falsify a digital data product.
Although it is based on the concept of 20963.4, EP-A-969209
Since 63.4 does not reveal the concept of tampering with a digital data product by embedding a unique signature obtained from the data product itself in the digital data product, the present invention exceeds that.

The signature is usually embedded in the digital work itself so that the use of the original file is not affected by the signature calculation. In fact, the user is unlikely to notice the presence of embedded information.

The method of the present invention has two important implications. First, the place and method in which the signature is embedded in the original data product enables more advanced encryption, which may enable a higher level of security than conventional methods. Second, the data part in which the signature is encoded must be processed by a specially designed algorithm. This algorithm makes its data portion available to the entire signature in such a way that what is applied to the signature is unaffected by the signature encoding process applied to the digital image.

In each case of an image file compressed in JPEG format and an audio file compressed in MP3 format, encoding a signature on data requires an extra step so as not to deteriorate the quality of the data product. Needed, but the better method applies equally to both of these files.

One of the possible implementations of the method is that the signature is calculated using only a part of the digital data file and the calculated signature is embedded in this selected part. For example, a document may be scanned into digital form and a particularly important document area (eg, a check or a handwritten signature of a contract) may be selected. For each of these important areas, a signature is calculated and embedded in the data. in this way,
Tampering with these selected areas can be detected. On the other hand, it can be proved that the unselected parts are not changed.

In the case of a JPEG file, it is a different case. In this case, having a signature based on the whole file including the header would be important in some sense. However, when a signature is embedded, it is necessary to embed the signature in a specific part of the data (see below), because some part of the data contains important information in such a way that any tampering makes the information meaningless. .

Similar to MPEG files, signatures are based only on the data portion or on the entire file including the header, but the embedding must be performed only on the data value.

The nature of the signature depends on the requirements under consideration. The signature calculation algorithm, known as the "hash function", has been studied for a long time and has a widely used and reliable version. Another algorithm, called SHA-1, was invented in 1994 and has a high security level. This type of signature is a digest of highly compressed digital data. 64 megabytes of information
It may be mapped to a bit signature. Obviously, there could be many images that map to any one signature, but with a good hashing algorithm,
It is virtually impossible to find an image or audio file that contains the same signature calculated from the original data. The method contemplated in embodiments of the invention would make an algorithm such as SHA-1 ideal when the tampering (but small) of the original data is calculated (as described in this specification). , Authentication "type A" method).

The present invention also addresses allowing files to be tampered with on a small scale but still accepted (“type B”). There are two common cases where Type B processing can be useful. First, the file is compressed, but it is almost impossible to perceive tampering with the reproduced image or audio. The second case is when the image file is hard-copied and therefore has to be screened and equivalently processed, but still of sufficient quality to be accepted as an authentic version of the original. is there. For these two cases, this specification describes how signatures should be used to ensure integrity and to measure how much change has occurred.

In the latter case of type B, signatures require properties that are explicitly avoided in SHA-1 type algorithms. A small change in the image is a property that produces a small change in the signature. The reason is that an operation using SHA-1 (such as compression) may produce a signature value that is completely different from the value corresponding to the original. In the type B method described in this specification, signature variations are treated as a measure of the deterioration that has occurred.

The latter type of signature has the drawback of being more likely to generate two images with the same signature, but with careful selection of the function, this risk can be acceptably small.

“Approximate” signatures for Type B applications typically use a set of orthogonal functions to develop the description of the image. These functions are key dependent so that they do not develop a general method for making known changes to a signature. Alternatively, the person tampering with the file may compute the signature by randomly sampling pixels from the data, choosing pixels such that all sampling points are unavoidable.

In one embodiment, the original digital data work is modified not only by the signature, but also by the externally generated code. The code may also form part of a copyright management system.

In another aspect of the present invention, a method of detecting any tampering with a digital data product, to which the authentication method of the present invention has been applied, the step of reading a signature embedded in the modified product. And comparing the calculated signature with the embedded signature read from the modified work, and the embedded signature does not match the calculated signature, or If not, determining that the modified work has been tampered with is provided. This confirms or rejects the authenticity of the digital data work.

Yet another aspect of the invention is to provide a digital data product to which the authentication method included in the invention is applied. A computer program that authenticates a digital data work using the authentication method, a computer program that detects any changes to the digital data work to which the authentication method is applied, and finally, the computer program It is a digital medium recorded in.

[0029]

DETAILED DESCRIPTION OF THE INVENTION

Hereinafter, the present invention will be described with reference to FIG. First, the embedding of a signature will be described. In a preferred embodiment of the implementation of the present invention, the embedding of the signature in the original data is (i) the file format of the original data is not changed, (ii) any modification of the file data is made into an image or sound clip. Sometimes it's done so small that it's unrecognizable. The nature of this embedding depends on whether type A or type B is considered. Type A authentication (as described above) is designed to detect all changes, even if small, but with Type B authentication, the embedded signature must survive operations that are less important and not illegal. It may not be necessary in some cases.

Referring now to the Type A method, some spatial domain (as opposed to frequency domain) modification of the data work must occur in the actual authentication process, but embeds the signature. Because of this, the number of data locations that are changed must always be kept to a minimum. To further increase the security of the process, the location of these data is chosen by a process that relies on user-specific cryptographic keys. There are many selection methods available. The random number generator is a simple method. Another method used in the previous fingerprint application (EP-A-96904936.0) is a permutation-based selection method.

Embedding a signature in a JPEG file requires a great deal of data differentiation. J
In the PEG format, some of the information is encoded in the form of variable length coding, or "Huffman" code, in which frequently occurring values are encoded with codes that are shorter than rarely occurring values. The problem with this type of code is that it cannot be modified to include information without making the code unreadable. For this reason, signature embedding in JPEG files must be performed on the part of the file that simply gives the magnitude of the data values after the Discrete Cosine Transform (DCT).

These changes affect the quality of the information to a lesser extent. The perceptibility of these changes is minimized by selecting from a region with multiple DCT coefficients (non-zero). The actual choice is governed by the encoding key, which provides a higher level of security. These areas are areas that correspond to portions of the image that have many changes, and areas that may be tampered with with little impact on image quality, rather than flat areas. For JPEG data, the signature is for only part of the data or a subset of the data (subdivision)
Can be calculated for a complete file, including headers.

However, in each case the constraints on the embedding scheme described above have to be applied. For uncompressed files, the image is divided into subsets. For JPEG files, the subset is "restart marker"
Is executed by inserting. The hash value is calculated using all the data that describes the given subset, regardless of the interpretation of the image. In one embodiment, the hash value includes a Huffman table and a quantization table that are an integral part of the header.

In the case of MPEG files, another complexity comes into play. In this case, the data following the header is saved frame by frame, but for compression there is a reference frame which is placed at regular intervals and which encodes the intermediate frame in a more economical way. One way to process a signature is to compute the signature on all frames, but with a technique similar to that used in JPEG files, which limits embedding to reference frames only.

MP3 files such as JPEG files (defined in ISO / IEC11172-3) have a compression format with a variable length code. Again, like the JPEG file, it is essential to change the values in such a way that there is no risk to the overall structure of the file and the interpretation of the file, even with minor degradation in audio quality.

As in the previous case, the MP3 file is split into subsets, a hash value is calculated for each subset part and then embedded back into that subset part. For MP3, the data is divided into fixed length subset parts as part of the compression algorithm. The reason is that audio data is analyzed in the frequency domain to take into account psychological audio effects in order to remove data that produces sounds masked by louder sounds on adjacent frequencies. The data is then represented as frequency domain amplitudes, complicated by the inclusion of scaling factors.

Two embodiments are illustrated here. In the first embodiment, the hash value is M
It is embedded in the "magnification" specified in the P3 specifications. Since each frame of MP3 data has several scale factors, an appropriate scale factor is chosen for the correction to perceptually minimize the effect. In the second embodiment, the hash value is “pref
It is embedded by changing "lag" (see MP3 specifications). This is an amount that occurs less sparsely than the scaling factor, but can still be changed without compromising audio quality.

In type B authentication, the embedded signature may have to go through a less important operation, as mentioned above. In this case, the signature will be embedded in the form of an invisible fingerprint or watermark (EP-A-96904936.0).
See). The essence of watermarking is that many data values are affected, but only a very small amount is changed. So, for example, if such a file were compressed, the embedded signature would still be readable from the watermark, and the signature itself calculated from the data in the file would have approximately equal values. Let's do it.

The basic feature of the authentication method described here is that tampering is detected when data is cut, copied or pasted from an authenticated file. The method of authentication is as detailed in this patent, where a hash value is obtained to describe the set of data, which hash value depends on a user-specific key. The hash value is then added to the file or embedded back into the file as in the present proposal. In some cases, the hash value describes a complete file, and therefore, if tampering is detected in the file, there is no way to identify where the tampering occurred.

In some cases, the file may be split into subsets and a hash value may be determined for each subset part. In such a case, when tampering occurs, it is possible not only to detect it but also to locate the tampering position in each subset part.

The above scenario may expose two weaknesses. The first weakness is
Cuts and pastes may go undetected, and a second weakness is file cuts may go undetected. This is best explained by example.

Suppose authentication is used to protect a set of scanned checks. Authentication divides the image into convenient subset parts, computes a hash value for each subset part, and embeds the hash value back into the file. The method of embedding the hash value may depend on the software's user-specific key, which is used to select where the hash value is embedded. The entire set of checks may be authenticated with the same key.

When one area of the subset portion is a portion indicating the remittance amount of a check, a hash function is used for this area, and in the sense that the same embedding location is selected for embedding the hash value, each check Is treated in exactly the same way. If this check critical area is copied from one check to another, the hash value will match the data and the presence of forgery will not be detected.

The second problem relates to clipping, but it is a serious problem for images and audio clips. Images used in the courtroom would have a completely different interpretation if some parts were clipped (eg, the criminal scene was removed from the person who was present). The meaning of an audio clip would be different if the preliminary and definitive phrases were omitted. Again, the patent as described verifies the authenticity of a particular file, assuming that it is a complete subset of the original, even if it is omitted. It is possible.

There are several embodiments of the present invention that solve the above problems. In one embodiment, the hash value calculated for the subset portion of the image or audio clip has a value that indicates the location of the subset portion in the file. For example, if the image is divided into rectangles, the distance from the edge of the original file to each side of the rectangle is included in the hash value. Then, if cropping of the image occurs, the distance to the edge is tampered with and the hash value is forged.

In another embodiment, the hash value or subset portion depends on the value of the adjacent subset portion. The number of values can be chosen according to the size of the area where tampering may be detected and also based on the probability of false values producing the same hash value. In this case, if it is assumed that the area is cut and pasted, an illegal value for the peripheral area changes the hash value, and forgery can be detected.

Next, with respect to the details of the type A authentication, detection of a small level change will be described. This description assumes that there is a set D of digital values {di}. Each user has a key K, which is used to select a small subset D _e compared to D. The signature is embedded in this D _e . Therefore, _{D = D u + D e ......} (1) as a set of values that do not change the D _u. Thus, a 128 bit signature can be embedded in a 1 megabyte file.

Algorithm A maps a set of values onto one value S, which is the signature of the data. At its simplest, this is to add each pixel value multiplied by the x and y coordinates and ignore the overflow if the value exceeds 128 bits. Alternatively, for an audio file, the amplitude value is multiplied by the position in the file and the value is accumulated in the same manner as the image file.

The values in D _e , as well as the values in the unaltered collection D _u , must be used to compute the signature. This prevents tampering with the group D _e not being detected. The problem is that the value of D _e seen by the verifier may be different from the value seen by the detector because it has been modified during the signature embedding process. To address this issue, it is necessary to use the modified value from D _e for the signature calculation, which was modified in such a way that the modifications required by the embedding process would not affect the signature calculation (example below). See).

In mathematical terms, the mapping M and the coding algorithm C are arranged as follows. M maps the value of D _e to a new set D _{e, m} . M (D _e ) = D _{e, m} (2) The signature for the data set D is calculated. This signature uses the value of D _u , which is part of the data and has not been modified along with the modified value D _e of the embedding set. S = A (D _u + D _{e, m} ) ... (2A)

Since this signature has been calculated, it needs to be embedded in D _e by the encoding algorithm C. A very simple way is to represent S as a binary string,
Embedding the value of S by changing the value of D _e to an even number to display "0" and changing it to an odd number to display "1". Therefore, the value of S is encoded by the algorithm C into the value D _e . C (S, D _e ) = D _{e, c} (3) The mapping M has the required property M (D _e, ) = M (C (S, D _{e, m} )) (4) There must be. That is, what the constituents of the collection D _e give to the signature must not be tampered with by changing the value implemented to include the encoded signature.

The data integrity confirmation work includes (i) calculating D _e from the key K, (ii) mapping D _e to D _{e, m} , and (iii) S = A (D _e + C (S, D _{e, m} )) ... (5), (iv) C (S, D _{e, m} ) derives the embedded signature, and (v) the derived signature. , (Iii) S in some cases.

Next, security will be described. It takes the form of encryption and there are four areas where additional security can be added. 1. A method of mapping the key K to a selection algorithm that gathers D _e to embed the signature. 2. Selection of hash algorithm A for computing the signature. Selection of Encoding Algorithm C for Mapping a Set of Values of D _{e to} a New Set of Values Part of the security method is involved in access control to the software that signs. The signature will be added to a few secure locations and the detection program is expected to be widely distributed.

And for most applications, a fairly simple level of encryption will suffice to prevent the most sophisticated attacks, not just attacks. However, if the detectors are distributed, it is possible to reverse engineer the algorithm. The detector must in all cases be equipped with an algorithm that selects algorithms A and C, as well as D _e .

Mapping keys to location choices will also be described. The key can be of virtually any length, depending on the level of security required. The calculated signature can be converted into a binary string of any length, with the requirement that the number of places chosen to embed the string must equal its length.

One method of selecting the appropriate location is EP-A-9690 in the name of the Applicant.
4936.0 (the text of which is incorporated by reference to this specification). This method relies on internal permutations to generate a set of permutations that identify a collection of locations in the file. These locations are then used to embed the encoded signature. The values at these selected locations are
It is mapped to new values in the Type M algorithm above, and these modified values are used in the signature calculation.

The calculation of the signature (the above algorithm “A”) will be described. Many hash algorithms with acceptable security levels are available. For example, the SHA-1 algorithm is used by PGP in its application. Any such algorithm can be used to generate an embedded signature. However, security is not completely preserved by hashes, so simpler hashing algorithms or algorithms with special properties may be used and even more secure signatures are possible.

Next, the encoding of the signature (“C” and “M” above) will be described. The easiest way to encode the signature S is probably to take a binary string and
The coding C so that the "bits" correspond to odd values and the "0" bits correspond to even values.
Would be used to embed a binary string in a specified location. This type of encoding ensures that no data needs to be changed by multiple units. This, together with the fact that the number of places where changes are needed is very small, ensures that changes are minimal and invisible.

The mapping M for this special coding algorithm can be a “divide by 2 while giving the result as the nearest integer” as long as the odd and even coding is done by subtraction rather than addition. . This is best explained by example.

If the original value is 25 and is treated as an even number, the adjusted value should be 24 instead of 26, based on 25/2 = 24/2, ignoring the fractional part. That is, M (D _e, ) = M (C (S, D _{e, m} )) (7), and if D _e = 25, then C (D _e ) = 24, M (C ( D _e )) = 12 …… (
8) M (D _e ) = M (25) = 12 (9) There are some more sophisticated encoding algorithms that can provide higher security.

For example, as described above, assuming that there is a constraint in the encoding algorithm that the values must not be changed by multiple units, the encoding algorithm again divides the data value into pairs, The interpretation of each element of the pair may vary depending on the rules in use. Here, an example will be described again.

Assume that each element of the dataset is a value in the range 0 to 7. It is also assumed that there are four places for embedding the signature 1001. Assume the original values that were in these places are 4, 6, 3, 5. To embed signature 1001 using the method described above, these values are changed to odd, even, even, and odd, respectively. Therefore 4,6,3,5 is mapped to 3,6,2,5. The value used to calculate the signature is half of each of the above values. That is,
These take the values 2,3,1,2, which is true for both the original and the modified set. Thus, in the above system, data values are mapped to encoded values as follows: (2-0 is interpreted as "2 is mapped to 0") 0-0, 1-1-1, 2-0, 3-1, 1, 4-0, 5-1, 1, 6-0, 7-1 ... (10) However, it is also possible to pair the numbers exactly the same in different ways. For example, 0 to 0, 1 to 1, 2 to 1, 3 to 0, 4 to 1, 5 to 0, 6 to 0, 7-1 ... (11)

Then, when it is desired to embed 1001 in the data values that were originally 4, 6, 3, and 5, the following measures are taken. The value 4 corresponds to the value 1 in (11) and therefore does not need to be changed. The value 6 corresponds to the value 0 in (11). Therefore, the value 3 does not need to be changed. The value 3 corresponds to the value 0 in (11). Since it corresponds to, there is no need to change. The value 5 corresponds to the value 0 in (11), so it must be changed to 4 corresponding to 1 in (11). Note that since M (5) = 2 and M (4) = 2, the values used in the signature calculation are unchanged.

In general discussion of the above, if the range of data values is 0 to (n−1), then these values are grouped in pairs. One element of each pair is made to correspond to the value one and the other corresponds to the value zero. The choice of which corresponds to one and which corresponds to zero may be determined by a key or signature based algorithm.

From a security perspective, the best method is to select an algorithm by signature. For example, if the signature is represented by a binary string, then whenever a 1 occurs, the pair of numbers is assigned in order 01, whereas when a 0 occurs, the pair of numbers is ordered. It will be allocated at 10. Adding some encryption to security can be used in mapping the signature to the encrypted value.

A higher level security can be provided by the following method.
The signature S is calculated as described above. This key is then encrypted with the private key of the asymmetric cryptographic algorithm to generate a new signature S _e . The RSA method has an appropriate algorithm. S _e is embedded in the data by the encoding algorithm C.

The detection software only has a public key. The detection process includes the process of calculating the signature S by the method described above and the process of reading the encoded embedded signature S _e . The public key is also used to decode S _e when comparable to the value of S.

Next, with respect to the details of the type B authentication, detection of a change due to legitimate processing (ignoring a small change) will be described. If at least partially handwritten documents (checks and financial documents) are scanned as grayscale images, then such documents can be authenticated with an approximate hash function. Therefore, if stored in compressed form, it is possible to check if there have been any significant changes to the image. (OCR is likely to be used, assuming that all documents are created with the keyboard.) If the above document were printed, an approximate hash function could indicate the presence or absence of major changes. .

If the image had to be authenticated at the point of delivery before compression, this could be represented by an approximate hash function. Since this hash function is only slightly changed by compression or printing, it is possible to maintain the confidence level for the change.

Next, the approximation algorithm will be described. The approximation algorithm works similar to the Type A method in that a hash value for the entire image is calculated and then embedded back into the document. However, in the approximation algorithm, the LSB may not be embedded in a simple structure because the LSB may be changed by a small level change that the algorithm needs to handle. This embedding resembles a watermark for medical images, where sensitivity is important, rather than a very light watermark shape, where every pixel is subtly altered. Another method of embedding the hash value is to encrypt and store the hash value in the database.

An essential feature of the approximate hash function is that it corresponds to the geometric properties of the image. This means that small changes in the image cause small changes in the calculated signature, especially in the case of JPEG files and printed files, the signature corresponds to only small changes. The general strength of hash algorithms is that small changes in data values produce completely different hash values. This provides security and makes it difficult to generate a second document that has the same hash value as the existing document.

The approximation algorithm must protect its security in other ways.
One way is to apply asymmetric cryptography to the hash value before it is written as a watermark. The security is high if the security protocol is such that the decoder only needs the public key to verify integrity and the private key is in the hands of a trusted party.

The hash algorithm is applied to files that are not subject to changes in orientation or aspect ratio because the files remain completely in the electronic domain, or to files that are hard copied and rescanned. It requires slightly different characteristics. These two cases are described below.

The electronic file will be described. The hash algorithm is essentially a geometric image descriptor with high accuracy. The simplest descriptor available corresponds to the concept of center of mass and drive axis 1
The second moment and the second moment. An additional set of descriptors must be added to limit the image manipulations performed without detection. The use of moments derived from orthogonal functions may give a set of such descriptors.

A method of protecting security while using a simple moment calculation is to divide an image into a plurality of different sets selected by a user key, and further obtain a linear moment from each set. is there. If linear moments were sought without any other protection, it would be much easier for the user to tamper without changing the center of mass of the image. However, if the moments are derived from a randomly selected subset of images, then there is no possibility of such tampering.

The plurality of sets described above are selected so that a group of pixels having a size that is meaningful to the corresponding document belongs to one set. Thus, for a document, the sets consist of groups of pixels that are approximately the size of the printed character.

Further, the hard copy file will be described. In the case of a hardcopy file, the first and second moments of the whole image are used to determine the magnification and orientation. The description below is evaluated by using these moments as one coordinate system. A set of orthogonal functions will give a more detailed explanation, or, as mentioned above, the simple moments for the selected subset will be used. The accompanying flow chart (Figure 1) summarizes the main parts of the above process.

[Brief description of drawings]

[Figure 1]   4 is a process flow diagram of a method according to the present invention.

─────────────────────────────────────────────────── ─── Continued Front Page (51) Int.Cl. ⁷ Identification Code FI Theme Coat (Reference) G10L 19/00 G10L 9/00 E H04N 1/387 9/18 M

Claims (22)

[Claims] 1. A method for authenticating a digital data product in order to easily detect an unauthorized change to the digital data product, wherein the original digital data product is unchanged. Embedding a signature in the original, unaltered digital data product to generate a modified product such that any unauthorized changes to the product make a measurable change to the product. Modifying the original, unaltered digital data work based on the signature. 2. The method of claim 1, wherein only a portion of the digital data work is used in the calculation and the calculated signature is embedded in the portion. 3. The method of claim 2, wherein the digital data work is an image and the portion of the image for which the signature is calculated and the signature is embedded contains the most important information. 4. The method according to claim 1, wherein the signature is calculated using the entire digital data file and the calculated signature is embedded in all but the part with the important information that should not be changed. 5. The method of claim 1, wherein the signature is used to measure the amount of acceptable change that has occurred in the digital data work. 6. The method of claim 5, wherein the signature has the property that small changes in the data work produce small changes in the signature so that changes in the signature can be used as a measure of degradation that has occurred. 7. A signature is calculated for a person attempting to modify a file by randomly extracting pixels from a work of image data, choosing the pixels such that it is difficult to avoid all sampling points. The method according to claim 1. 8. The method of claim 1, wherein the original digital data work is modified with a signature and an externally generated code. 9. The method of claim 8, wherein the externally generated code may form part of a copyright management system. 10. The method of claim 1, wherein distribution of signatures within a digital data work is selected by an encryption process. 11. The method of claim 10, wherein the encryption process is a permutation method. 12. The method of claim 1, wherein the data product is an MPEG audio file and the signature value is calculated on every frame, but the embedding is limited to the reference frame. 13. The method of claim 1, wherein the data product is a JPEG image file and the embedding of the signature is performed in a portion of the file that provides a magnitude of the data value after the discrete cosine transform. 14. The method of claim 1, wherein the data work undergoes a small acceptable operation in which the signature is embedded in the form of an invisible watermark. 15. The embedded signature can nevertheless be derived from the watermark,
And a small acceptable operation will affect a large number of data values of the watermark, so that the signature calculated from the data in the file will have a value approximately equal to the embedded signature, but a very small amount. The method according to claim 14. 16. Using a hashing algorithm chosen such that it is virtually impossible to find some image or audio files that produce the same signature calculated from the original digital data production. The method of claim 1, wherein the watermark is derived. 17. A method for detecting a change in a digital data product to which the authentication method according to any one of claims 1 to 16 is applied, comprising a step of reading a signature embedded in the modified product, and a modified product. For the work, the steps of calculating the signature, comparing the embedded signature read from the work with the calculated signature, and the embedded signature does not match or does not correspond to the calculated signature, Determining that the modified work has been tampered with. 18. A method for confirming the integrity of a digital data product to which the authentication method according to any one of claims 1 to 16 is applied, the method comprising: (a) reading a signature embedded in the modified product; (B) calculating a signature for the modified product, (c) comparing the embedded signature read from the product with the calculated signature, and (d) calculating the embedded signature. Verifying the integrity of the modified work, if it matches or corresponds to the provided signature. 19. A digital data product to which the authentication method according to any one of claims 1 to 16 is applied. 20. A computer program operable to authenticate a digital data work using the method of any of claims 1-16. 21. A computer program operable using the method of claim 17 to detect a change to a digital data work to which the authentication method of claims 1 to 16 has been applied. 22. A digital medium prerecorded with a computer program according to either claim 20 or claim 21.