An AMBTC Authentication Scheme With Recoverability Using Matrix Encoding and Side Match

This paper presents an authentication scheme with recoverability based on Absolute moment block truncation coding (AMBTC). Previous works do not take into account characteristics of the AMBTC compressed codes. Therefore, the qualities of marked and recovered images are not satisfactory. In this paper, we generate the recovery codes according to block similarities. The recovery codes are scrambled and stored in the bitmaps of smooth blocks using Matrix encoding. The bits in the bitmap are flipped to obtain a set of authentication codes. The code that causes the least error is embedded into the quantization values using the adaptive pixel pair matching technique (APPM). For those complex blocks, the authentication codes are generated from the bitmaps, and are embedded into the quantization values. After authenticating, the tampered blocks are recovered by untampered ones with the same cluster information. Some blocks that cannot be recovered in the previous stage are recovered by using the Side match technique. The experimental results show that our method provides better image quality and recoverability than prior works.


I. INTRODUCTION
Digital images are one of the most popular media on the Internet. However, with the advancement of retouching software and computing performance of computers, images are susceptible to tampering during the transmission process, causing the authenticity of images to be questioned. Therefore, authenticating the integrity of images becomes a very important issue. The objective of our work is to propose an efficient authentication method to detect image tampering with the capability to recover the tampered parts.
Image authentication can be divided into two major types depending on the detection method. The first type uses the statistical properties to detect the image authenticity [1]- [3]. Because the image itself has some natural statistical features, they will be changed if the image is tampered with. Methods of this type use the change of such features to detect whether The associate editor coordinating the review of this manuscript and approving it for publication was Abdullah Iliyasu . the image has been tampered with. These methods do not require to alter pixels of images and thus no damage to the image quality. However, their detection results are less accurate and they are not possible to repair tampered regions.
The second type is termed as the watermarking method, which protects the image by embedding authentication data into pixels. Methods of this type can be categorized into robust, fragile and semi-fragile watermarking. Robust watermarking should be capable of resisting intentional or unintentional image editing, so it is often used for copyright protection [4], [5]. Semi-fragile watermarking is not sensitive to minor image modifications (e.g., JPEG compression), but is sensitive to malicious tampering [6]. In contrast, fragile watermarking is sensitive to any tampering [7]- [25], which protects the image to the largest extent. For the fragile watermarking method, since the embedded authentication code is fragile, tampering with the image will also destroy the authentication code. This will cause the extracted code to be different from the original embedded one. Therefore, it is possible to determine whether the image has been tampered with or not. This technique requires embedding the authentication code into the image, and the quality of the image will be degraded inevitably. Nevertheless, it has a better detection effect and some of methods [9]- [12] can also recover the tampered regions roughly.
Fragile watermarking methods can be divided into two categories according to their domain of application: spatial domain [7]- [11] and compressed domain [12]- [25]. Spatial domain techniques embed authentication codes into pixel values by data embedding techniques [26]- [30]. Because spatial domain images provide a larger amount of redundancy, they have a higher payload and can be embedded with a larger amount of information. Therefore, many spatial domain image authentication techniques also provide a recovery capability [10], [11] to repair the tampered regions. However, most of images on the Internet are transmitted in their compressed format. Therefore, image authentication techniques in the compressed domain have attracted a lot of research, such as those for JPEG [13]- [14], VQ [15] and AMBTC [16]- [25]. The AMBTC compression method is proposed by Lema and Mitchell [32], which compresses a block of images into two quantization values and a bitmap. Since AMBTC requires less computation yet provides relatively acceptable image quality, some studies [16]- [25] have started to develop AMBTC-based image authentication techniques in recent years.
Li et al. [18] propose an AMBTC image authentication method in which they use a reference table to fill authentication codes into the bitmaps. The length of authentication codes can be adjusted so that a balance between image quality and detection accuracy can be achieved. Lin et al. [19] propose a hybrid AMBTC image authentication method by dividing the image into smooth and complex blocks, and use them to generate authentication codes. Different techniques are applied to embed authentication codes into bitmap or quantization values respectively to improve the image quality. Chen and Chang [20] improve the security of [18] so that the bitmaps of [18] can be protected without loss of image quality. In Hong et al.'s method [21], the most significant bit (MSB) of quantization values is adjusted to obtain different authentication codes, and embed them into the least significant bit (LSB) of quantization values. The distortions of the image block are evaluated, and the code that causes the least distortion will be selected and embedded in the LSB. Su et al.'s method [23] uses Matrix encoding [31] technique to embed the authentication codes into bitmaps. Instead of flipping a bit in bitmap, their method embeds the position of to-be-flipped bit into the quantization values and yields a good image quality. Chen et al. [22] propose an AMBTC image authentication technique based on the Turtle shell reference table. In their method, authentication codes are embedded into the quantization values using an iterative method to provide high image quality and detectability.
Although the above mentioned methods [18]- [23] achieve the purpose of tampering detection, they are unable to recover the tampered regions. This is because authentication methods with recovery capabilities require additional space to embed the recovery codes, which is a challenge task for compressed images that have limited embedding space. Hu et al. [24] first propose a recoverable AMBTC image authentication technique. They use two quantization values to carry the authentication codes, and use bitmaps of smooth blocks to embed the recovery codes. An adjustment mechanism is applied to reduce the embedding error caused by the authentication code embedment. The recovery code of a block is the average value of pixels in the block. Multiple copies of the recovery code are embedded to reduce the number of unrecoverable blocks. Based on [24], Hong et al. [25] propose a recoverable AMBTC image authentication technique. Unlike [24], Hong et al. use the cluster information of the image blocks as the recovery codes. The recovery codes are embedded into the bitmap of smooth blocks, while the authentication codes are embedded in the LSB of the quantized values using MSB perturbation. The detected tampered blocks are restored with the average of the same group of untampered blocks.
Although the image quality of [25] is higher than that of [24], the recovery code of [25] is embedded using a method similar to the LSB replacement. Therefore, the increase in image quality is limited. Furthermore, the methods of [24] and [25] do not effectively use the neighboring blocks to recover a tampered one that could not be repaired in the primary recovery. Therefore, some tampered blocks cannot be recovered or recovered blocks have a less natural appearance.
In this paper, the proposed method embeds recovery codes into bitmaps using Matrix encoding. To embed 6-bit recovery code, only two out of 14 bits in the bitmap are required to be modified. By flipping bits in the bitmap, the authentication code that causes the least distortion is embedded into quantization values using the APPM. After authenticating, most tampered blocks can be detected and recovered. The Side match technique is then applied to find the most suitable blocks to recover those unrecoverable ones at the primary recovery stage. The experiments show that not only the marked image quality is higher, but also the visual effect of recovered regions is better than prior works.
The rest of the paper is organized as follows. Section II introduces the AMBTC compression, Matrix encoding and APPM embedding methods. Section III introduces the proposed method in this paper, while Sections IV and V present the experimental results and conclusions, respectively.

II. RELATED WORKS
In this section, we introduce three related techniques, including AMBTC compression, Matrix encoding, and APPM embedding methods. We will use the Matrix encoding and APPM methods to embed the recovery codes and authentication codes into the bitmaps and quantization values respectively. VOLUME  . Averaging the pixels in O i with values less than or equal to m i , we obtain the lower quantization value a i . The upper quantization value b i is obtained by averaging the pixels with values greater than m i . To obtain a bitmap, we first prepare an empty bitmap B i = {B i,j } n×n−1 j=0 , and visit each pixel in O i in raster scanning order. If O i,j ≤ m i , then B i,j = 0. Otherwise, B i,j = 1. All blocks are processed in the same way and finally we can get the AMBTC compressed When decompressing, prepare a matrix I of the same size as O, and partition I into N blocks of size n × n, i.e., To embed msg into c v , we first calculate (H * c T v ) ⊕ msg T , where T , ⊕ and * represent the transpose, exclusive-or, and mouldo-2 operators, respectively. Let the calculated result be ρ of 1×k−bit and (ρ) 10

C. ADAPTIVE PIXEL PAIR MATCHING
The APPM embedding method [29] uses two pixels to embed a digit of base λ using a reference table R λ of size 256 × 256, which is equivalent to embed log 2 λ−bit message. The value of reference table R λ at position (a, b) can be generated by the following equation: where c λ is a constant. When λ = 4, 16, 64 and 256, c λ are 2, 6, 14 and 60, respectively. To embed a digit d i of base λ into a pixel pair (a i , b i ), we first find a location ( is then used to replace (a i , b i ), as shown in Fig. 1 Fig. 1 and (30,26) is the closest to (30,27), the value of (30, 27) is modified to (â i ,b i ) = (30, 26) after embedding the message d i = 12. The embedded digit d i = 12 can be extracted by querying the value at R 16 (30,26).

III. THE PROPOSED METHOD
In the past two related works, Hu et al.'s method [24] uses random numbers to generate the authentication code, which results in some intentional tampering cannot be detected. Furthermore, the embedding technique used in Hu et al.'s method is not effective in reducing the damage to the pixel values, and thus the quality of the marked image is relatively low. In addition, their method uses the average value of the image blocks as the recovery code to repair the tampered blocks, which also results in a mosaic-like effect on the recovered regions. Hong et al. [25] improve the shortcomings of [24], so that the quality of marked and recovered images is higher than [24] and the malicious tampering can be detected. However, their method uses LSB substitution for embedding the authentication codes and perturbs the MSB value to find the minimum distortion. Besides, it has been shown in [29] that the error caused by the LSB-like embedding method is larger than that of the APPM. Meanwhile, when embedding the recovery code, Hong et al.'s method adopts an approach by directly replacing the bitmap with the recovery code, resulting in a larger distortion of the marked images. Finally, for those un-recoverable blocks, Hong et al.'s method only uses information of the surrounding blocks to restore them, which will make the recovery of edge or complex blocks ineffective.
In this paper, we propose an AMBTC compression authentication scheme that can approximately recover tampered images with a tampering rate of less than 20%. In our method, the AMBTC image is divided into blocks of size 4 × 4. Then these blocks are classified into 64 groups according to their similarity using k-means algorithm [33]. Then an index table is used to record these groupings, and each index value in the table is a number between 0 and 63. These numbers are scrambled and then embedded into the bitmap of the smooth blocks using Matrix encoding. After embedding, the two bits that do not participate in Matrix encoding are flipped. A set of authentication codes is generated by hashing the flipped bitmaps, and the one that causes the minimum distortion is embedded using APPM into quantization values of the smooth block. Because the distortion caused by APPM is even smaller than that of the LSB-like embedment, our method can achieve a better image quality.
For complex blocks, since modifying the bitmaps will cause a larger distortion, the bitmaps are not employed to embed the recovery codes. However, they are used to generate the authentication codes, which are then embedded in the quantization values using APPM. After detection, the tampered blocks are known by comparing the regenerated authentication codes with the ones that extracted from the quantization values. The tampered blocks are recovery by averaging those untampered blocks with the same cluster. In some cases, the original cluster information of tampered blocks may be lost. If this happens, the Side match technique is used to estimate the cluster index of these blocks. The detailed description of the proposed method is discussed in the following subsections.

A. GENERATION OF THE RECOVERY CODES
In our method, we use the cluster information of image blocks as their recovery codes. There is a lower chance that image blocks belonging to the same group will be tampered with at the same time when recovering tampered blocks. Therefore, we can use the average of blocks that have not been tampered with and belong to the same group to recover the tampered ones. Let I O be the original image, and after AMBTC compression, we have the compression codes i=0 . By decompressing the AMBTC code, we will obtain a decompressed image I . Let I i be the decompressed block after decompressing the i−th code j=0 . By employing k-means algorithm [33] to cluster , which is utilized as the recovery codes.
To perform the k-means algorithm, we randomly select 64 blocks from u=0 . By comparing the distances between I i and {C u } 63 u=0 , I i is categorized to group k if I i has the nearest distance to C k for 0 ≤ k ≤ 63 and 0 ≤ i ≤ N . Then, blocks of the same group are averaged to generate an updated codebook u=0 . This process is repeated several times and the final codebook C f can be obtained. Finally, I i is coded by ϕ i if I i has the shortest distance to C ϕ i . Note that ϕ i stands for the image block I i which is classified into the ϕ i −th group, and 0 ≤ ϕ i ≤ 63. In the next section, we will use the Matrix encoding technique to embed {ϕ i } N −1 i=0 into the bitmaps of smooth blocks.

B. EMBEDMENT OF AUTHENTICATION AND RECOVERY CODES
The recovery code of a block must be stored in another block to prevent the loss of recovery information due to tampering. This can be done by using a scramble function to randomly assign a block to carry another blocks' recovery information. Using the key κ S , the scramble function n = s(i) can obtain the next embedding position n of the current position i, where s(i) = s(j) if i = j and s(i) = i. When repairing a block, we need to know where the recovery code of the block is hidden. The previous position p of i can also be obtained using the inverse-scramble function p = s −1 (i). Therefore, we have i = s −1 (n) and i = s(p). We illustrate the scramble function n = s(i) and inverse-scramble function p = s −1 (i) in Fig. 2.
Since recovery code of a block is embedded in the bitmap of a smooth block, we must distinguish whether a block is smooth or complex. Let T 0 be a pre-defined threshold. if b i − a i ≤ T 0 , then the block I i is considered as a smooth block, otherwise it is a complex one. If I s(i) is a smooth block, VOLUME 9, 2021 the cluster information ϕ i of block I i will be embedded into the bitmap B s(i) of block I s(i) . Similarly, if I i is a smooth block, then the cluster information ϕ s −1 (i) will be embedded into bitmap B i . Assume that I i is a smooth block, and we will use B i to embed ϕ p , where p = s −1 (i). Firstly, the bitmap B i of block I i is divided into two areas, the first 14 bits are in the embedding area. In this area, we will use Matrix encoding to embed 6-bit recovery code. The other two bits are located in the flipping area, and we will use the bit-flipping technique (BFT) to minimize embedding distortion. We divide the bits j=0 in the embedding area into {B i,j } 6 j=0 and {B i,j } 13 j=7 , and convert ϕ p into its binary representation (ϕ p ) 2 of 6 bits. We use (ϕ 0 p ) 2 and (ϕ 1 p ) 2 to represent the first and last 3 bits of (ϕ p ) 2 , respectively. The Matrix encoding is then applied to embed (ϕ 0 p ) 2 and (ϕ 1 j=0 and {B i,j } 13 j=7 , respectively. In our method, the authentication code of smooth block I i is generated by hashing the bitmap of I i and the location information i. Therefore, modifying the value of the two bits j=14 in the flipping area will generate different authentication codes. Embedding these codes into a i and b i using the APPM method will also result in different distortions. Therefore, the BFT flips two bits {B i,j } 15 j=14 in the flipping area into four different combinations (00 2 , 01 2 , 10 2 , and 11 2 ) and j=14 and the block location i are hashed using MD5 [34], and fold the hashed result into α−bit authentication code using the XOR operation, where the symbol || is the concatenation operator. The APPM is then applied to embed the authentication code ac i into a i and b i .
with the smallest distortion as the marked AMBTC code. The process of finding the minimum distortion mentioned above can be described as an optimization problem: Subject to: The fold(x, α) in Eq. (7) represents a function that folds a bitstream x into α bits, and the appm() and ambtc() functions denote the APPM and the AMBTC techniques, respectively. By solving the above equations, we can obtain a set of optimal solutionsâ i ,b i andB i such that the corresponding decompressed block has the minimum distortion.
When b i − a i > T 0 , I i is a complex block. The bitmap of a complex block does not carry a recovery code, thus the bitmap keeps unaltered. Hash B i and location information i using MD5, and fold the hashed result to α−bit authentication code ac i . The APPM method is then applied to embed ac i into a i and b i to obtainâ i andb i by ensuring b i −â i > T 0 .
The AMBTC code of the complex block after embedment is denoted as {â i ,b i ,B i }, whereB i = B i . Image blocks are processed using the aforementioned method based on the block smoothness, and the final marked AMBTC code i=0 can be obtained. Followings are the list of algorithms of our embedding method: Step 1: Partition the original image I O into N blocks of size 4 × 4.
Step 2: Generate the AMBTC codes i=0 of I O , and subsequently we obtain the AMBTC decompressed image I = {I i } N −1 i=0 , as described in Section II.A.
Step 3: Use the k-means algorithm to generate cluster infor- , as described in Section III.A.
Step 4: Use key κ S to scramble Step 5: If b i − a i ≤ T 0 , use the Matrix encoding to embed recovery codes ϕ p into {B i,j } 6 j=0 and {B i,j } 13 j=7 , then we obtain {B i,j } 6 j=0 and {B i,j } 13 j=7 . If b i − a i > T 0 , we keep B i unaltered.
Step 6: Generate authentication codes and embed them into a i and b i using the APPM, as described in Section III.B. Step 7: Repeat Steps 5-6 until all blocks are processed, and we obtain the marked AMBTC codes . The following is an example to illustrate how to embed authentication and recovery codes for smooth and complex blocks. Let I 0 be an AMBTC image block with the code j=14 , four flipped cases 00 2 , 01 2 , 10 2 and 11 2 are obtained. Then, we utilize the marked bitmaps 0010010||1000000||00, 0010010||1000000|| 01, 0010010||1000000||10, and 0010010||1000000||11 to generate four sets of authentication codes using Eq. (7).
Suppose the generated authentication codes with these four cases are 0110 2 , 1001 2 , 0010 2 and 1101 2 . These four generated codes are to be embedded into quantization values using APPM, and the one that causes the least distortion will be selected as the final authentication code. To embed 0110 2 = 6, because R 16 (24, 26) = 6 and (24, 26) has the shortest distance to (23, 26) (see Fig. 1(b)), we obtain a 0 = 24 andb 0 = 26. Other authentication codes can be embedded in the same way, and finally we obtain four sets of different quantization values and subsequently four decompressed blocks are obtained. Assuming that the MSE of the decompressed block with I 0 is minimal when the code 0110 2 is embedded. Therefore, we choose {B 0,j } 15 j=14 = 00 2 (B 0 is shown in Fig. 3 (b)), and the marked AMBTC codes are {â 0 ,b 0 ,B 0 } = {24, 26, 0010 0101 0000 0000}, as shown in Fig. 3 (c). The process of embedding the authentication and recovery codes can be found in Fig. 3 (d).

C. IMAGE AUTHENTICATION
To detect whether the marked AMBTC code {â i ,b i ,B i } has been tampered with, we first recalculate the α−bit authentication codeâc i = flod(md5(i,B i ), α), and use the APPM to extract the embedded authentication codeêac i fromâ i andb i . Ifêac i =âc i , it means that AMBTC code {â i ,b i ,B i } has not been tampered with. Otherwise, the code has been tampered with. All AMBTC codes i=0 are processed in the same way, and eventually we can detect which blocks have been tampered with. The above detection process is termed as the primary detection. In our method, a secondary detection is also utilized to refine the detection result. In general, most of the tampered regions are clustered. Hence, in the secondary detection, if an un-tampered block is surrounded by two or more tampered ones, the block is more likely to have been tampered with. Therefore, the block will be re-judged to be tampered.

After authenticating the marked AMBTC codes {â
i=0 , we can tell which blocks have been tampered with or not. Because we will use the cluster information to recover tampered ones, we must first extract the cluster information embedded in untampered blocks.
Let {â u ,b u ,B u } N u −1 u=0 be all untampered AMBTC codes and are the decompressed blocks of these codes, where N u is the total number of untampered blocks. The cluster information ϕ p of blockÎ p is stored in bitmapB u , where p = s −1 (u). Extract {B u,j } 6 j=0 and {B u,j } 13 j=7 fromB u and decode them using Matrix encoding, we obtain (ϕ 0 p ) 2 and (ϕ 1 p ) 2 , respectively. Convert (ϕ 0 p ) 2 ||(ϕ 1 p ) 2 to its decimal representation, we obtain the cluster information ϕ p embedded inB u , which is the cluster information of blockÎ p .
We continue with the above example to illustrate the recovery code extraction process. Assuming that the authentication codeêac 0 extracted from {â 0 ,b 0 ,B 0 } is the same as the regenerated oneâc 0 , it means that block I 0 has not been tampered with. In this case, extract {B 0,j } 6 j=0 = 0010010 2 and {B 0,j } 13 j=7 = 1000000 2 fromB 0 , and apply Matrix encoding to decode them, we obtain (ϕ 0 p ) 2 = 101 2 and (ϕ 1 p ) 2 = 001 2 . Convert (ϕ 0 p ) 2 || (ϕ 1 p ) 2 into its decimal representation, we know that the cluster information embedded inB 0 is 41. By applying the inverse-scramble function, we obtain p = 39 and the cluster information ϕ 39 = 41 of block I 39 is known. Finally, since I 1 is a complex block, no recovery codes are embedded and need not to be extracted. The process of extracting the recovery code from an untampered smooth one is shown in Fig. 4.
. Because blocks with the same cluster information are more similar to each other, we can average those blocks that have not been tampered with and have the same cluster information. Therefore, we obtain 64 blocks {Ī r } 63 r=0 of size 4 × 4, whereĪ r represents the average of all blocks with cluster information r.
To recover the tampered blockÎ t , we know that the cluster information ϕ t ofÎ t is embedded in bitmapB s(t) using key κ S . Extract {B s(t),j } 6 j=0 and {B s(t),j } 13 j=7 fromB s(t) , then use Matrix encoding to decode them and obtain (ϕ 0 s(t) ) 2 and (ϕ 1 s(t) ) 2 , respectively. Convert (ϕ 0 s(t) ) 2 ||(ϕ 1 s(t) ) 2 to decimal representation, the cluster information ϕ t ofÎ t is obtained, and finally the tampered blockÎ t is recovered byĪ ϕ t . By this way, most of the tampered blocks can be recovered using the same process.
However, some blocks in {Ī r } 63 r=0 cannot be generated due to the loss of cluster information. Fortunately, unrecoverable blocks are often sparsely distributed in the tampered regions. Therefore, we can use the Side match technique to estimate the unrecoverable blocks with their surrounding ones that have been recovered previously. LetÎ τ be the block need to be recovered by using the Side match technique, andÎ N ,Î W , I S , andÎ E are the north, west, south, and east blocks ofÎ τ , respectively, as shown in Fig. 5.
For most of natural images, the difference between of adjacent pixel values is small. Therefore, the border pixels inÎ τ can be estimated byÎ τ,0 = (Î N , 12   r=0 with the least difference is selected to recover the unrecoverable blockÎ τ . Finally, we obtain the recovery image . Followings are the list of our decoding and recovery algorithms: Step 1: i=0 and compute the authentication code of {â i ,b i ,B i } using the equationâc i = fold(md5(i,B i ), α).
Step 2: Extractêac i fromâ i andb i using the APPM, and compareêac i withâc i . If they are the same, Otherwise, it is judged to have been tampered with.
Step 3: Repeat Steps 1-2 until all blocks are processed, and re-scan the image blocks. If an untampered block surrounds by two or more tampered blocks, then the block is re-judged as a tampered one. After performing this step, we obtain un-tampered AMBTC codes Step 4: Use the inverse-scramble function p = s −1 (u) to obtain the cluster information ofÎ p stored in B u . Then, extract {B u,j } 6 j=0 and {B u,j } 13 j=7 fromB u and obtain (ϕ 0 p ) 2 and (ϕ 1 p ) 2 using Matrix encoding. Finally, convert (ϕ 0 p ) || (ϕ 1 p ) into its decimal representation and obtain the cluster information ϕ p of blockÎ p .
Step 5: Repeat Step 4 until all {â u ,b u ,B u } N u −1 i=0 are processed, and we obtain the cluster information . Then, average the blocks with the same cluster information and obtain {Ī r } 63 r=0 .
Step 7: Repeat Step 6 until all tampered blocks are visited and processed.
Step 8: For those blocks that cannot recovered in Steps 6-7, we perform the secondary recovery using the Side match technique, as described in Section III.D. Finally, the recovered image I R can be obtained.

IV. EXPERIMENTAL RESULTS
In this section, we will conduct several experiments to demonstrate the effectiveness of the proposed method. In our experiments, ten grayscale images of size 512 × 512 are used as test images. Among them, Lena, Baboon, House, Stream, Tiffany, Splash, Airplane, and Boat are obtained from the USC-SIPI image database [35]. The Building and Cloud are natural images obtained from a modern digital camera. These images are shown in Fig. 7. In our experiments, a block size of 4 × 4 is used. The size of the image has a small impact on the detectability of our method, but the detectability will be significantly influenced by the block size. For each block embedded with equal-length authentication codes, the larger blocks yield rougher results, while the smaller ones yield more accurate results.
We use the peak signal-to-noise ratio PSNR to measure the quality of the marked images. Higher PSNR means that the marked images are closer to the original ones. The metric PSNR used in this paper is defined as: PSNR = 10 log 10 255 2 where x i and x i are the pixel values of the AMBTC compressed images and the marked images, respectively.

A. IMAGE QUALITY EVALUATION OF THE PROPOSED METHOD
In this section, we examine the image quality at different thresholds with and without using the BFT, as described in Section III.B. The comparison results are shown in Table 1, where 'w/BFT' and 'w/o BFT' denote with and without applying the BFT, respectively. In this experiment, the quantization values of both smooth and complex blocks are VOLUME 9, 2021 FIGURE 6. The secondary recovery procedures using the side match technique. embedded with 4-bit authentication codes, while the bitmaps of smooth blocks are embedded with 6-bit recovery codes. As can be observed from Table 1, the image quality decreases with increasing T 0 . This is because a larger T 0 represents a larger number bitmaps of image blocks being used to embed the recovery codes, and thus it causes a larger image distortion. For example, when T 0 = 5, the Lena image has an embedding capacity of 93,406 bits, while the embedding capacity reaches 152,260 bits when T 0 = 30. In addition, we can also observe that the use of BFT has a significant improvement on the image quality when the threshold value is small. However, with the increase of T 0 , the improvement of image quality by BFT is not significant. We take the House image as an example. When T 0 = 5, the use of BFT improves 46.65−46.07 = 0.58 dB than without using BFT, while when T 0 = 30, only 36.55 − 36.50 = 0.05 dB is improved. This is because the larger the threshold, the greater the difference between the upper and lower quantization values. In real applications, the selection of the threshold mainly depends on the actual needs. If the quality of the marked image is more desirable than the recovery capability, we can choose a smaller threshold; otherwise, a larger threshold is selected.
However, not every smooth image block can reduce the embedding error using the BFT. The reason is that flipping bits using the BFT operation also causes some errors. Fig. 8 shows the distribution of reduced or unaltered errors when applying the BFT. In this figure, black and white blocks are spread over the image. The black blocks indicate that the use of the BFT reduces embedding distortions, while the white ones indicate that the technique is not effective. When T 0 = 5, an equal number of white and black blocks can be found; while when T 0 = 10, there are significantly fewer black blocks than white ones. The experimental results are consistent with the analysis given above.

B. DETECTABILITY AND RECOVERABILITY OF THE PROPOSED METHOD
In order to evaluate the detection and recovery performance of the proposed method, this experiment performs on ten test images with different tampering. The tampering rates of the images are 10.01%, 7.97%, 6.62%, 10.42%, 9.30%, 9.22%, 8.83%, 5.21%, 8.12% and 10.56%, respectively, and the tampered images can be seen in Figs. 9 (a)-(j). In the experiments of this section, we set T 0 = 20 to achieve a balance between the detectability and recoverability. The lengths of the authentication and recovery codes are set to 4 and 6 bits, respectively. Figure 10 shows the secondary detection results of the ten tampered images. At the first detection, the probability of a hash collision is 1/2 4 = 0.0625 since 4 bits of authentication code are embedded. As a result, about 6.25% of tampering per image goes undetected. In secondary detection, if a tampered block is within the tampered region, it has a higher probability of being redetected as a tampered one than if it is at the edge of the tampered region. Therefore, the more the tampered regions is clustered, the better the final detection result will be. For example, images with less clustered tampered regions, such as Stream, have a detection rate of only 94.50 %. However, for the Lena, Tiffany and Splash images, the tampered regions are clustered, and they all achieve a detection result of more than 99%. As can be seen from Fig. 10, the tampered regions can be detected with a good result using our method regardless of whether they are clustered or not.
To further present the detection performance of the proposed method, Table 2 shows the true positive rate (TPR), false negative rate (FNR), true negative rate (TNR) and false positive rate (FPR) of Tiffany images at T 0 = 20. TPR is the rate of recognizing tampered blocks as tampered, while FNR is the rate of recognizing tampered blocks as untampered. TNR is the rate of recognizing untampered blocks as untampered, and FPR is the rate of recognizing untampered blocks as tampered. In the experiment, the length of authentication code is set to 4. Theoretically, the hash collision rate is 1/2 4 = 0.0625. From the table, we can see that the TPR of the first detection is 93.23%, which is well matched with the theoretical value. Since FNR = 100% − TPR, the FNR is also consistent with the theoretical value. In the primary detection, the value of TNR is 100% and FPR is 0%. This is  because the primary detection does not misidentify untampered blocks as tampered. However, after the secondary detection, some untampered blocks are misclassified as tampered, and the TNR is reduced to 99.97%. Nevertheless, the TPR is increased to 99.21%, and the FNR is reduced to 0.79%, revealing the effectiveness of the secondary detection. Although the experiment is based on the Tiffany image, other images show very similar results. Therefore, the test results for the other images are not shown in Table 2. Figure 11 shows the secondary recovery results for the ten tampered images. Note that the PSNRs shown in the figure only measures the quality of recovered regions (not the whole image), making it easier to compare the recovery effect. As can be seen from the figure, the quality of the recovered image is related to the smoothness of the original image and the size of tampered regions. For example, Lena and Stream have roughly the same tampering rate. However, since Lena is smoother than Stream, the quality of recovery is higher for Lena than Stream. This is because with the same threshold, a smooth image will have more blocks for  embedding the recovery code and thus a better recoverability can be achieved. In fact, the primary recovery rates of the ten images are 77.26%, 33.88%, 53.69%, 34.31%, 77.61%, 83.45%, 72.13%, 67.41%, 65.41%, and 65.55%, respectively. Although the recovery rates of some images in the first phase are somewhat unsatisfactory due to the limited space for embedding the recovery codes, the recovery results in the second phase are very impressive, as shown in Fig. 11. The experimental results reveal that our method can roughly recover the tampered area with a tampering rate of less than 20%.

C. PERFORMANCE COMPARISONS WITH OTHER WORKS
In this section, we compare the proposed method with other works in terms of image quality, detectability, and recoverability. For a fair comparison, each method will embed a 4-bit authentication code with a 6-bit recovery code. Table 3 shows comparisons of the marked image qualities of [24], [25] and the proposed method under different thresholds. The last row of the table represents the quality average of the ten test images.
From Table 3, it can be observed that the quality of the marked images obtained by the proposed method is the highest when the same number of bits are embedded. This is because the APPM method is more effective in embedding data than other related ones. The methods of [24] and [25] embed the recovery code by using LSB-like substitution, while the proposed method uses Matrix encoding to embed the recovery codes. Since the use of Matrix encoding reduces the modification of bitmaps, it effectively reduces the damage  to bitmaps. When T 0 = 30, the average marked image quality obtained by the proposed method is 37.77−36.16 = 1.61 dB higher than that of [25] and 37.77 − 30.64 = 7.13 dB higher than that of [24].
To compare the detection and recovery performance with different methods, we add a daisy to Lena's hat, as shown in Fig. 12 (a), whereas the region of tampering is shown in Fig. 12 (b). Figure 13 shows the comparisons of detection and recovery results of [24], [25], and the proposed method. From the secondary detection results (See Figs. 13 (a), (d) and (g)), it can be seen that the proposed method and other works can achieve a good detection performance of more than 99%. However, compared to [24], the proposed method and [25] have better primary recovery results, as seen in Figs. 13 (b), (e) and (h). This is because [24] embeds the average value of each block directly into the bitmap of smooth block. If the bitmap used to store the average value of a block is damaged, the block will not be recovered in the primary recovery process. Reference [25] and the proposed method both use the cluster information to embed the recovery code. If the bitmap used to embed the recovery code of a block is tampered with,  the block can be recovered with blocks of the same group. Figs. 13 (i), (f) and (c) are the secondary recovery results of [24], [25] and the proposed method, respectively. From Fig. 13 (i), it is observed that the block recovered by [24] has an apparent mosaic-like pattern, which is due to the fact that all pixels in a tampered block are recovered by an identical average value. Compared with the secondary recovery result of [25] (Fig. 13 (f)), the proposed method uses the Side match technique to more effectively utilize the pixels at the block borders, and obtains better recovery results. Note that the secondary recovery qualities obtained by [24], [25] and the proposed method are 22.09, 24.71 and 24.93 dB, respectively, and the proposed method also has the best visual quality. Table 4 shows the comparisons of the proposed method with other works in various aspects, where AC and RC denote the abbreviations of authentication code and recovery code, respectively. Reference [24] uses the parity of bits in bitmap to generate the authentication code, causing failure in detecting special tampering, such as two bits in bitmaps are flipped simultaneously. However, since [25] and our method hash the bitmap to generate authentication code, the aforementioned tampering can be successfully detected. In addition, recovered images of [24] will exhibit mosaic-like patterns as their method uses a mean value to repair a tampered block. Both [25] and our method do not have this phenomenon because the tampered block is recovered by a similar one. Besides, both [24] and [25] use LSB substitution to embed the recovery codes, while our method utilizes the Matrix encoding to effectively reduce the embedding error. Moreover, [24], [25] and our method utilize different approaches to embed the authentication codes. As can be seen from the experiments, the APPM used in our method achieves the highest image quality. Finally, the Side match technique is utilized to recover tampered blocks in the proposed method, which has the best recovery performance than [24] and [25]. Therefore, our method is better than the other works in terms of detectability and recoverability.

V. CONCLUSION
In this paper, we propose an image authentication method with recovery capability based on the AMBTC compressed images. The proposed method employs Matrix encoding to embed the recovery code into the bitmap of a smooth block. Therefore, only two out fourteen bits are required to be modified at most for embedding a 6-bit recovery code, which reduces the image distortion in a great extent. Besides, our method generates the authentication code by flipping bits in the bitmap, and selecting the code that causes the least embedding error. Finally, the authentication code is embedded in the quantization values using APPM. The experimental results show that the quality of the marked and the recovered images obtained by our method are better than prior works.
However, there are some limitations to our approach. Since each block of AMBTC is represented by only two quantization values and one bitmap, the quality of AMBTC decompressed image is not high. Therefore, our approach is not suitable to be applied to mark cards, certificates, cheques, and handwritten images. Nevertheless, this paper still uses common test images obtained from the USC-SIPI image database and two natural images obtained from a digital camera to demonstrate the effectiveness of our method. Future developments can be implemented by improving the quality of compressed images for use in a wider range of applications. Besides, when the tampering rate is higher than 20%, some blocks located in the tampered area may not be successfully recovered in our method. Therefore, in the future work, we will improve the recoverability of our method so that the tampering can be recovered with a higher tampering rate.