A Novel Zero-Watermarking Scheme Based on Variable Parameter Chaotic Mapping in NSPD-DCT Domain

In this paper, a novel image zero-watermarking scheme against rotation attacks is proposed based on nonsubsampled pyramid decomposition (NSPD) and discrete cosine transform (DCT). It utilizes the intrinsic characteristics of NSPD and DCT to extract the robust feature of an image as the original zero-watermark. To increase the security of the proposed scheme, a variable parameter chaotic mapping (VPCM) is designed for the processes of watermark encryption and robust feature extraction. Firstly, the host gray-scale image is decomposed by NSPD, and the low-frequency sub-band image is divided into non-overlapping blocks. After the blocks are transformed by DCT, the signs of the first AC coefficients from all the blocks are used to construct a binary feature image. Then an exclusive-or operation is performed between the binary feature image and the encrypted watermark image to obtain the verification zero-watermark image. Furthermore, a method against arbitrary rotation attacks is employed to improve the robustness of the scheme against geometric attacks. The experimental results demonstrate that the proposed scheme is highly robust against various image processing attacks such as filtering, JPEG compression, scaling, translation, rotation and Checkmark attacks.


I. INTRODUCTION
With the rapid development of computer technology and the Internet, digital media such as image, audio and video can be tampered with and distributed more easily than ever before. Therefore, the protection of multimedia content is currently a serious issue. Digital watermarking has been proposed as a potential solution to address this problem. It embeds some special secret information into host data and the information can be retrieved to identify the ownership of these data when necessary [1]-[4]. Digital watermarking has been widely used in many applications, including copyright protection, authentication, transaction tracking, and broadcast monitoring [5], [6]. The characteristics of an effective watermarking scheme include imperceptibility, robustness, security, and embedding capacity [7]-[10]. Imperceptibility means that the original host data and watermarked data cannot be differentiated by the human visual system [8]. Robustness refers to the ability of the watermarking scheme to extract the embedded watermark under various attacks [9]. Security ensures that the watermarking scheme is difficult to crack, and it depends mainly on the secret keys used in the process of watermark extraction [10]. Embedding capacity denotes the number of watermark bits.
The associate editor coordinating the review of this manuscript and approving it for publication was SK Hafizul Islam.
Depending on the various properties, the watermarking algorithms can be categorized in various ways [8]. According to the required information of original data in the process of watermark extraction, watermarking schemes are categorized into blind, non-blind and semi-blind algorithms [11]. Blind algorithms do not require the original data when extracting the watermark, while non-blind watermarking algorithms require the complete information of original data. On the other hand, semi-blind watermarking algorithms only require the partial information of the original data to detect the watermark. According to their applications and purposes, watermarking algorithms can be categorized into fragile and robust watermarking algorithms [12]. Fragile algorithms [13] are used for image authentication and tamper detection, while robust watermarking algorithms are used for copyright protection. According to the domain in which the watermark will be embedded, watermarking algorithms can be categorized into spatial domain algorithms and transform domain algorithms [11]. In spatial domain algorithms [14]-[16], watermarks are usually embedded into the host images by modifying their pixels directly. In transform domain watermarking algorithms, one or more transforms are applied to the host images, then the watermarks are embedded by modifying the transformed coefficients in the frequency domain. Spatial domain algorithms usually have lower computational complexity than the transform domain watermarking algorithms. However, due to the limitations of watermarking in the spatial domain involving visualization and robustness [17], most image watermarking algorithms use transforms such as the Cosine transform [18]-[22], Fourier transform [23], [24], Wavelet transform [25], [26], Contourlet transform [27], [28], and Shearlet transform [29]-[31].
VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
In the above-mentioned traditional watermarking algorithms, whether the original watermarks are embedded in the spatial domain or transform domain, the host images are distorted to some extent. Therefore, there is inevitably a contradiction between imperceptibility and robustness of the watermark. The traditional watermarking methods are usually limited for medical images [32]- [34] and remote-sensing images [35] which require low distortion and high resolution. In this case, the zero-watermarking was firstly proposed by Wen et al. [36], which has attracted wide attention of researchers in recent years. Zero-watermarking extracts the intrinsic features of original data without modifying the data. Hence it can address the contradiction between imperceptibility and robustness of the traditional watermarking methods.
Several zero-watermarking algorithms have been proposed in the past 15 years. In [36], Wen et al. constructed a zero-watermark by computing high-order cumulants. Their method is robust to common image processing attacks and slight scaling rotation, but it is fragile to large-scale rotations and requires a lot of time to compute the high-order cumulants. Ye [37] proposed a zero-watermarking algorithm based on singular value decomposition (SVD) and discrete cosine transform (DCT). In their algorithm, the host image is firstly divided into non-overlapping blocks. Then, the zero-watermark sequence is derived by comparing the numerical relationship between the direct current (DC) coefficients of two adjacent blocks after SVD and DCT are performed on every block. The algorithm introduced a new idea of zero-watermarking by combining matrix decomposition and traditional transforms, but the attacks used in the experiments were very slight. Based on [36] and [37], Zhang et al. [38] presented three improved zero-watermarking schemes named DC-RE, CU-SVD and CU-SVD-RE. These schemes are more robust than the algorithms in [36] and [37], but the security of these schemes needs to be improved. Rani and Raman [39] also extracted the robust features of an image as the zero-watermark based on DCT and SVD. The scheme divided the host image into overlapping blocks of size 8 × 8 and performed DCT and SVD on every block. The zero-watermark is obtained by comparing the relationship between the two largest singular values, which are selected randomly using four pseudo-random number sequences. The robustness and security of the algorithm are acceptable for the protection of images to some extent. However, dividing the host image into overlapping blocks generates a large number of image blocks, which increases the computational complexity of the algorithm. Ta Minhn Thanh et al. [40] extracted the robust feature as the master share from the host image by combining the QR decomposition and one-dimensional (1D) DCT. In their scheme, the host images are RGB images, and two zero-watermarking construction schemes were proposed utilizing the luminance Y-components of the host images. The Y-component is also divided into non-overlapping blocks, and the master share is generated by comparing the DC coefficients of two adjacent blocks after all the blocks have undergone QR decomposition and 1D-DCT.
Lin et al. [41] proposed a spatial domain zero-watermarking scheme based on generalized Arnold transform (GAT) and spread spectrum and despreading (SSD) techniques. In their method, the GAT is used to scramble the original watermark for security. Then, a binary feature matrix is obtained from the original host image in quantitative embedding rules. Finally, the zero-watermark is generated by performing an exclusive-or operation between the scrambled watermark and the feature matrix. Considering that better robustness of watermarking can be achieved in the transform domain, some multi-scale transforms such as Contourlet [42] and Shearlet [43], [44], regarded as extensions of the wavelet transform, have been applied to zero-watermarking. In [42], a robust zero-watermarking algorithm was proposed based on contourlet transform (CT) and DCT for medical images, and a Logistic Map is used to encrypt the original watermark to ensure its security. The experimental results show that the method is effective against common and slight geometric attacks. Nonsubsampled shearlet transform (NSST) is a new and very important multi-scale and multi-direction analysis tool that can provide nearly optimal approximation properties for image representation [45]. Han et al. [43] proposed a zero-watermarking method based on NSST and LU decomposition. In their method, after the host image is decomposed by NSST, a random sub-image of the low-frequency sub-band image is divided into non-overlapping blocks. Then, every block undergoes LU decomposition to obtain the matrix U. The final zero-watermark is generated by comparing the numerical relationship between the sum of the first row elements from every matrix U and the mean of all the sums. In [44], a robust zero-watermarking scheme was proposed that employed multi-resolution and multi-scale representation characteristics of NSST to analyze the direction features of the host image. In the algorithm, a sub-band image is firstly selected as the embedding position by calculating the direction feature information intensity. Then, the sub-band image is divided into non-overlapping blocks. The zero-watermark is constructed by comparing the 2-norms of every block with a threshold.
Although the above-mentioned zero-watermarking algorithms can resist conventional image processing operations, they are almost all fragile to geometrical distortions such as rotation and translation attacks. Gao and Jiang [46] developed a zero-watermarking algorithm against geometric attacks based on the Bessel-Fourier moment. In their algorithm, the image normalization is applied to the host image. Then, the magnitudes of the Bessel-Fourier moments of the normalized image are computed to construct a binary feature image. The final verification image is generated by performing an exclusive-or operation between the binary feature image and the original watermark image. Wang et al. [47] introduced a zero-watermarking algorithm against geometric attacks based on polar complex exponential transform (PCET) and logistic mapping (LM). Their algorithm computes the PCET of the original gray-scale image and randomly selects PCET coefficients based on LM. Then, the magnitudes of the PCET are computed to construct the binary feature image. The above-mentioned zero-watermarking methods are summarized in Table 1.
In this paper, we propose a robust zero-watermarking scheme based on NSPD-DCT and VPCM. Our experimental results demonstrate that the proposed algorithm can effectively resist the conventional image processing operations and several geometrical distortions. The contributions of this paper are the following:
(1) A novel invariant feature of an image is found by combining the shift-invariant characteristic of NSPD and the robustness of the signs of some DCT coefficients against various attacks.
(2) In order to improve the security of the proposed scheme, a VPCM system is designed for two processes: watermark encryption and robust feature extraction.
(3) To get better robustness of watermarking against geometrical attacks, a simple method for estimating the rotation angles of images is utilized by computing the normalized cross-correlation (NC) between the scaled down host image and the scaled down image to be detected.
The rest of this paper is organized as follows. Section II presents the preliminaries of the Arnold transform, DCT, and NSPD. This section also briefly describes VPCM. Section III explains the proposed zero-watermarking scheme. In this section, the zero-watermark generation and extraction are illustrated in different subsections. Section IV provides the results and discussions. Finally, Section V presents the conclusions drawn from this work.

A. ARNOLD TRANSFORM
Arnold transform is an image scrambling method also regarded as a two-dimensional (2D) chaotic mapping [19]. In many watermarking schemes, Arnold transform is applied to the watermark image to expand the robustness of the proposed algorithm and provide extra security for the embedded watermark [8]. The positions of different pixels in an image can be changed after the image undergoes the Arnold transform. The 2D Arnold transform is defined as: where $(x, y)$ are the location coordinates of the original image pixels, $x, y \in \{0, 1, 2, \ldots, P - 1\}$, $(x', y')$ are the location coordinates of the scrambled image pixels, and $P$ is the size of the watermark. When all of the pixels of the image are transformed, the scrambled image is obtained. Arnold scrambling is periodic. Considering that $T$ is the transform period, the image can return to the original state after $T$ iterations [48]. The number of iterations for image scrambling and $T$ can be regarded as the private keys. Without the keys, the original image cannot be restored. In our method, the Arnold transform is also used to scramble the original watermark image.

B. DISCRETE COSINE TRANSFORM
Discrete cosine transform has been used in various fields of image and signal processing, including image coding and watermarking. The DCT transforms an image from the spatial domain into the frequency domain [21], [49]. DCT has an excellent energy compactness property, which is why it is used in the JPEG compression technique to separate and remove the insignificant high frequency components in images [50]. The forward 2D-DCT formula is defined as: (2) where $x, y, u, v = 0, 1, 2, \ldots, N - 1$, and The inverse 2D-DCT formula is described as where $f(x, y)$ is the gray value of a pixel, and $F(u, v)$ is the DCT coefficient. After this transformation, an image consists of one DC coefficient and multiple alternating current (AC) coefficients. The DC and AC coefficients are arranged in the Zigzag scanning order, as shown in Fig. 1. The DC coefficient located at the top-left corner of the coefficient matrix is a large positive number. It represents most of the energy of the image. Except for the DC coefficient, all the other coefficients are the AC coefficients. The AC coefficients represent the characteristics of different frequency bands, including low, middle and high frequency bands. Moreover, the AC coefficients are either positive or negative numbers, and their amplitudes are less than the DC coefficient [22], [51].

C. NONSUBSAMPLED PYRAMID DECOMPOSITION
Nonsubsampled pyramid decomposition was proposed by Cunha et al. when they designed the nonsubsampled contourlet transform (NSCT) [52]. The nonsubsampled pyramid (NSP) is achieved by replacing the Laplacian pyramid with two-channel nonsubsampled 2D filter banks as shown in Fig. 2(a). The decomposition filters $H_0(z)$, $H_1(z)$ and the composition filters $G_0(z)$, $G_1(z)$ satisfy the Bezout identity $H_0(z)G_0(z) + H_1(z)G_1(z) = 1$. This identity ensures that the NSP filter banks satisfy the perfect reconstruction condition, where $H_0(z)$ is a low-pass filter and $H_1(z)$ is a high-pass filter [53]. The frequency expansion of NSPD is conceptually similar to the one-dimensional nonsubsampled wavelet transform (NSWT) computed with the à trous algorithm. It has $J + 1$ redundancy, where $J$ denotes the number of decomposition stages [52]. The sketch map of NSPD and the relevant frequency division with $J = 3$ stages are shown in Fig. 2(b) and (c) respectively. The ideal pass-band support of the low-pass filter at the $j$-th stage is the region $[-\pi/2^j, \pi/2^j]^2$. Accordingly, the ideal support of the equivalent high-pass filter which is the complement of the low-pass filter is the region [52]. By contrast, the 2D à trous algorithm has $3J + 1$ redundancy. Besides having nice multi-resolution characteristics, NSPD overcomes the lack of shift invariance in the traditional DWT and has less redundancy than NSWT [54]. Fig. 3 shows an example for NSPD of the Man image at $J = 4$. In Fig. 3, (a) is an original image, (b) is a low-pass image, and (c)-(e) are the band-pass images from coarse to fine stages.

D. VARIABLE PARAMETER CHAOTIC MAPPING
Chaotic mappings are widely used in most watermarking schemes to encrypt the original watermark. In this section, we propose a variable parameter chaotic mapping denoted by VPCM based on two typical chaotic systems: logistic mapping and piecewise linear chaotic mapping (PWLCM). The LM widely used in many watermarking algorithms [10], [47], [55] is defined as: where $\mu \in [0, 4]$ is the control parameter, and $x_n$ is the chaos sequence of the map. Furthermore, because PWLCM has properties including uniform distribution, good ergodicity, confusion, and diffusion, it is also utilized for encrypting the watermarks [56]-[58]. PWLCM can be described as: where $x_n \in (0, 1)$ and the control parameter $p \in (0, 0.5)$.
To enhance the robustness and security of the proposed scheme, we replace the control parameter $p$ of the above PWLCM system with a variable parameter $p_n$. $p_n$ depends on the random sequence $x_n$ generated by the LM. To satisfy $p_n \in (0, 0.5)$, we set $p_n$ to one third of $x_n$. The proposed VPCM system can be presented as follows: The parameter $\mu$ and the initial state values of VPCM are regarded as private keys. In our watermarking scheme, we utilize the VPCM system to generate two random sequences to be used for watermark image encryption and robust feature extraction.

III. PROPOSED ZERO-WATERMARKING SCHEME BASED ON NSPD-DCT AND VPCM
In this section, we introduce a new robust feature extraction method for images. We performed experiments to show that the extracted feature of an image is highly robust to some image processing attacks. Finally, we explain the proposed zero-watermarking scheme based on NSPD-DCT and VPCM in detail. The zero-watermarking scheme mainly includes two procedures: zero-watermark generation and zero-watermark extraction [47]. A zero-watermark is usually generated from the important feature of an image [46]. In our scheme, after the host image undergoes NSPD and DCT, the signs of the first AC coefficients from the DCT blocks are used to construct the zero-watermark. Since zero-watermarking does not need inverse transformation, the process of zero-watermark extraction is similar to that of zero-watermark generation. Furthermore, in order to improve the performance of the proposed scheme against rotation attacks, we introduce a method of image rotation correction which is applied before the zero-watermark extraction.

A. ROBUST FEATURE EXTRACTION IN NSPD-DCT DOMAIN
Li et al. proposed a zero-watermarking algorithm for protecting medical images in the DCT domain [59]. In their algorithm, they pointed out that the signs of some DCT coefficients remain unchanged against some strong geometric attacks. Their method applies DCT to the host image, then the sign sequence of the low-frequency coefficients is extracted as the feature vector to construct the zero-watermark. The method has been extended to the DWT-DCT hybrid domain in [60]. However, the embedding capacities of watermarks in [59], [60] were limited. Drawing inspiration from the methods in [59], [60], we here extract a robust feature vector based on NSPD and DCT. To describe our method in detail, we performed several experiments as follows. Suppose the original test Man image shown in Fig. 3(a) is denoted by $H$. We firstly performed the NSPD with $J = 5$ stages on $H$ to obtain the low-frequency sub-band image $H_L$. Then $H_L$ was divided into non-overlapping blocks of size 8 × 8, and every block was transformed by DCT.  In these experiments, we tested the robustness of eight AC coefficients from each selected block. According to the Zigzag scanning order, the positions of the eight AC coefficients are (1, 2), (2, 1), (3, 1), (2, 2), (1, 3), (1, 4), (2, 3) and (3, 2). The host Man image was distorted via seven image processing attacks: (a) Gaussian noise (0.1), (b) Speckle noise (0.2), (c) Median filtering (7 × 7), (d) JPEG compression (5%), (e) Scaling (1/8), (f) Translation (turn down by 5 pixels), (g) Rotation (2°). Table 2 shows the DCT coefficients of $D_1$ for the Man image under the above-mentioned different attacks. The coefficients shown in bold in Table 2     and the DCT coefficients of $D_1$ are changed greatly, but their signs almost did not change.
Moreover, we extracted the signs of the AC coefficients at the same positions for the eight selected blocks to construct a sign sequence of 8 bits, such as 10101111, where 1 represents a positive or zero coefficient, and 0 represents a negative coefficient. Eight sign sequences can be obtained according to the eight different positions of the selected AC coefficients in every block. Tables 3 to 6 show the sign sequences of the Man image and the number of changed signs after different attacks. The elements of the sign sequences shown in bold also denote that the signs of the coefficients have changed after the test image was subjected to some attacks. As seen in Tables 3 to 6, the signs of the selected AC coefficients are robust to the above attacks. We can utilize the polarities of the signs to construct the binary feature vector as the original zero-watermark. In our watermarking scheme, we used the sign of the first AC coefficient at (1, 2) of every block to construct the original zero-watermark because it was the most robust to the various attacks among all the selected coefficients in our experiments. Furthermore, if every block of size 8 × 8 can generate at least one bit of zero-watermark, the embedding capacity of the watermark will be increased compared with the methods in [59], [60].  Fig. 5 and described as follows.
Step 1: Original watermark image scrambling. The original watermark $W$ is scrambled by the Arnold transform to obtain $W_1$ with the private keys $k_1$ and $T$,
Step 2: Watermark encryption. A random sequence $Y_1 = \{y_n \mid n = 1, 2, \ldots, M^2 + L_1\}$ is generated by the VPCM system. Then, a new sequence $P_1 = \{y_n \mid n = L_1 + 1, L_1 + 2, \ldots, M^2 + L_1\}$ is defined. $P_1$ is converted into a binary image denoted by $G_1$. Then an exclusive-or operation is performed between $G_1$ and $W_1$ to obtain the encrypted watermark $W_2$,
Step 3: Robust feature extraction. NSPD is performed on the original host image $I$. Then, the low-frequency sub-band image $I_L$ is divided into non-overlapping blocks of size $n_1 \times n_1$. Every block is decomposed by 2D-DCT, and the first AC coefficients in the order of Zigzag scanning for all blocks are selected to construct the 1D feature vector $U(k)$.
Step 4: Zero-watermark vector construction. As in Step 2, the random sequences $Y_2 = \{z_n \mid n = 1, 2, \ldots, M^2 + L_2\}$ and $P_2 = \{z_n \mid n = L_2 + 1, L_2 + 2, \ldots, M^2 + L_2\}$ are generated. Then, the elements of $P_2$ are arranged in ascending order using the equation $[P_3, S] = \mathrm{sort}(P_2)$ to obtain a new sequence $P_3$ and the index location vector $S$. The zero-watermark vector $V(k)$ is constructed by judging whether every element of $U(k)$ is larger than 0 or not as the order of $S$,
Step 5: Generation of the verification zero-watermark image. $V(k)$ is reshaped into a binary image denoted by $Q$. Then, an exclusive-or operation is performed between the encrypted watermark $W_2$ and $Q$ to generate the verification zero-watermark image W ,

C. ZERO-WATERMARK EXTRACTION
The procedure of zero-watermark extraction consists of two processes: image rotation correction and final zero-watermark extraction. After abundant experiments, we found that significant differences can exist among the NC values, which are used to assess the similarities between an image and its rotated images with different angles. In addition, when the original image and its rotated images are scaled down to a smaller size simultaneously, the differences among the above NC values are not reduced. So this experimental conclusion can be utilized to estimate the angle of the rotated image. Based on the conclusion, the method of image rotation correction proposed in our previous work [61] is used again in this scheme. The block diagram of the zero-watermark extraction process is shown in Fig. 6. Suppose $I_1$ is the image to be verified, which may have undergone some attacks. The detailed steps of zero-watermark extraction are described as follows.
Step 1: Image rotation detection and correction.
(a) To decide whether $I_1$ has undergone rotation attacks or not, the means of four blocks of size $b_1 \times b_1$, which are located in the four corners of $I_1$, are calculated. If $I_1$ has undergone rotation attacks, the processes from (b) to (e) are performed. Otherwise, Step 2 is performed immediately.
(b) In order to reduce the computational cost, $I$ and $I_1$ of size $N \times N$ are scaled down into two new images $A$ and $A_1$ of size $b_2 \times b_2$ respectively.
(c) $A$ is rotated by $10m$ degrees sequentially, where $m$ is a positive integer from 1 to 36. The NC value (described in Section 4) is calculated between every rotated $A$ and $A_1$ for each $m$. The number $m_1$ corresponds to the largest NC value.
(d) $A$ is rotated by $10m_1 + e$ degrees sequentially, where $e$ is a positive integer from 1 to 10. The NC value is calculated between every rotated $A$ and $A_1$ in turn again for each $e$.
(e) $I_1$ is rotated by the angle corresponding to the largest NC value in (d) in the opposite direction to obtain the corrected image $I_2$.
Step 2: Robust vector extraction. NSPD is performed on the image $I_2$. Note that $I_2$ is the same as $I_1$ if $I_1$ has not undergone rotation attacks. The low-frequency sub-band image $I_{2L}$ is divided into non-overlapping blocks of size $n_1 \times n_1$, and the 1D feature vector U (k) is constructed by the process of zero-watermark generation.
Step 3: Zero-watermark vector construction. The random sequence $P_3$ and its index location vector $S$ are generated by the same secret keys. Then, the zero-watermark vector V (k) is obtained as follows:
Step 4: Final watermark image extraction. V (k) is reshaped into a binary image Q , and the chaotic binary image $G_1$ is also generated by the saved private keys. Then, an exclusive-or operation and the inverse Arnold transform are performed to extract the final watermark $W^*$ by
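The VPCM of Section II-D and the generation and extraction steps above, as an added Python example (not the authors' code), showing that the correct keys recover the watermark exactly while a 10^-10 change in µ leaves about half of the bits wrong. It assumes the standard PWLCM and Arnold cat-map forms and a 0.5 threshold for binarizing the chaotic sequence, and it applies the block DCT directly to the image in place of the NSPD low-frequency sub-band. The host, the watermark, k_1 = 5 and every key value except µ = 3.89999 are constructed for the demonstration.

```python
import math
import random

def pwlcm(y, p):
    """Standard piecewise linear chaotic map (assumed form), p in (0, 0.5)."""
    if y >= 0.5:                       # the map is symmetric about 0.5
        y = 1.0 - y
    return y / p if y < p else (y - p) / (0.5 - p)

def vpcm(count, mu, x0, y0, skip):
    """VPCM: a logistic map x_n drives the PWLCM parameter p_n = x_n / 3."""
    x, y, out = x0, y0, []
    for n in range(skip + count):
        x = mu * x * (1.0 - x)         # logistic map
        y = pwlcm(y, x / 3.0)          # p_n stays inside (0, 0.5)
        if n >= skip:                  # discard the first L values
            out.append(y)
    return out

def arnold(img, iters, inverse=False):
    """Scramble a P x P image with the classic Arnold cat map, or undo it."""
    size = len(img)
    for _ in range(iters):
        out = [[0] * size for _ in range(size)]
        for x in range(size):
            for y in range(size):
                sx, sy = (x + y) % size, (x + 2 * y) % size
                if inverse:
                    out[x][y] = img[sx][sy]
                else:
                    out[sx][sy] = img[x][y]
        img = out
    return img

def first_ac_signs(image, block):
    """Sign bit of DCT coefficient (1, 2) for every block, in row-major order."""
    basis = [math.cos((2 * c + 1) * math.pi / (2 * block)) for c in range(block)]
    bits = []
    for r0 in range(0, len(image), block):
        for c0 in range(0, len(image[0]), block):
            coeff = sum(image[r0 + r][c0 + c] * basis[c]
                        for r in range(block) for c in range(block))
            bits.append(1 if coeff >= 0 else 0)   # 1: positive or zero
    return bits

def chaotic_mask(size, key1):
    """G_1: VPCM sequence thresholded at 0.5 (the threshold is an assumption)."""
    return [1 if v >= 0.5 else 0 for v in vpcm(size * size, *key1)]

def feature_bits(image, size, block, key2):
    """Q: sign bits read in the order S obtained by sorting a second sequence."""
    signs = first_ac_signs(image, block)
    p2 = vpcm(size * size, *key2)
    order = sorted(range(len(p2)), key=p2.__getitem__)   # index vector S
    return [signs[i] for i in order]

def generate(host, watermark, block, k1, key1, key2):
    """Generation Steps 1-5: verification image = Arnold(W) xor G_1 xor Q."""
    size = len(watermark)
    w1 = [b for row in arnold(watermark, k1) for b in row]
    g1 = chaotic_mask(size, key1)
    q = feature_bits(host, size, block, key2)
    return [a ^ b ^ c for a, b, c in zip(w1, g1, q)]

def extract(image, verification, block, k1, key1, key2):
    """Extraction Steps 2-4 (no rotation correction): undo both xors, unscramble."""
    size = math.isqrt(len(verification))
    g1 = chaotic_mask(size, key1)
    q = feature_bits(image, size, block, key2)
    w1 = [a ^ b ^ c for a, b, c in zip(verification, g1, q)]
    rows = [w1[i * size:(i + 1) * size] for i in range(size)]
    return arnold(rows, k1, inverse=True)

def ber(a, b):
    """Bit error rate between two equally sized binary images."""
    pairs = [(p, q) for ra, rb in zip(a, b) for p, q in zip(ra, rb)]
    return sum(p != q for p, q in pairs) / len(pairs)

# Constructed demo data: 128 x 128 pseudo-random host, 16 x 16 checker watermark.
rng = random.Random(2020)
HOST = [[rng.randrange(256) for _ in range(128)] for _ in range(128)]
MARK = [[(r // 4 + c // 4) % 2 for c in range(16)] for r in range(16)]
KEY1 = (3.89999, 0.3141, 0.2718, 500)   # (mu, x0, y0, L1); all but mu constructed
KEY2 = (3.95, 0.6180, 0.5772, 700)      # (mu, x0, y0, L2); constructed

def demo():
    """Return (BER with the right keys, BER with mu_1 off by 1e-10)."""
    ver = generate(HOST, MARK, 8, 5, KEY1, KEY2)
    good = extract(HOST, ver, 8, 5, KEY1, KEY2)
    near = (KEY1[0] + 1e-10,) + KEY1[1:]
    bad = extract(HOST, ver, 8, 5, near, KEY2)
    return ber(MARK, good), ber(MARK, bad)

if __name__ == "__main__":
    print(demo())
```

The second sequence is only used through its sort order, so a wrong value in KEY2 has the same effect as a wrong KEY1: the feature bits are read in an unrelated order and the recovered image carries no usable trace of the watermark.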

IV. EXPERIMENTAL RESULTS
To verify the validity and feasibility of the proposed scheme, we performed a series of experiments in this section. Eight well-known images of size 512 × 512 from the image database of USC-SIPI [62] were taken as the host images, i.e., Man, Tiffany, Elain, Lena, Goldhill, Boat, Bridge and Peppers, as shown in Fig. 7. Four binary watermark images with different sizes were used as the original watermark images, as shown in Fig. 8. The host images were decomposed by NSPD with $J = 5$ stages and 'maxflat' filter. The low-frequency sub-band image of size 512 × 512 was divided into non-overlapping blocks according to the size of watermark. For the Arnold transform, the scrambling time $k_1$ was 12 and $T = 24$. The initial state values and control parameters of the VPCM system for the two random sequences were respectively assigned as $\mu_1 = 3.89999$, where $I$ and $I'$ represent the host and the attacked images of size $N \times N$, respectively.
The NC and BER were used to evaluate the robustness of the proposed scheme. They are respectively defined as [3], [47]: where $W$ and $W^*$ represent the original and the extracted watermarks of size $M \times M$, respectively. $B$ is the sum of inaccurate bits.

A. UNIQUENESS VERIFICATION OF ZERO-WATERMARKS
In this subsection, we discuss the uniqueness verification of zero-watermarks similar to the method used in [37]. The zero-watermark constructed from an image should only be relevant to this image. In other words, the zero-watermarks constructed from different images should be different so that the zero-watermark constructed from an image can uniquely identify this image [43]. The similarity between two different zero-watermark binary images constructed from different images is shown in Table 7. Table 7 shows that the maximum NC value of two different images is 0.5701, which is far less than 1. Therefore, the zero-watermark constructed from an image can be effectively distinguished from the zero-watermarks constructed from other different images.
To further verify the uniqueness of the zero-watermark constructed from an image in the proposed scheme, we produced 1200 random binary sequences from a uniform distribution and reshaped them into 2D images. Then, we calculated their respective NC values with the zero-watermark binary image constructed from the Man image. The results are shown in Fig. 9, where the 600th sequence corresponds to the zero-watermark of the Man image. Fig. 9 shows that all the NC values fluctuate around 0.5 in an extremely small range except the right zero-watermark of the Man image. Hence, it can be concluded that the zero-watermark constructed from an image in our proposed method cannot be generated randomly and the image can be identified uniquely.

B. ROBUSTNESS TESTS OF THE PROPOSED SCHEME
In this subsection, we present the experimental results for the robustness test of the proposed scheme under various attacks. The watermark image 1 was firstly used in this part. Several conventional image processing operations (adding noise, filtering, and JPEG compression) and the geometrical distortions (scaling, cropping, and rotation) were performed on the original host images. The robustness of the proposed scheme under the above-mentioned attacks was evaluated as follows.

1) ADDITION OF NOISE
Gaussian noise, Salt and Peppers noise are usually used to test the robustness of watermarking algorithms. For the Gaussian noise, we varied the amount of noise with respect to its variance while fixing its mean. For the Salt and Peppers noise, we degraded the quality by changing the noise densities. Table 8 shows the results of adding the Gaussian white noise with a mean of 0 and variances of 0.01 to 0.2 to the host images in terms of PSNR and NC values. Meanwhile, Table 9 shows the results of adding the Salt and Peppers noise with densities of 0.01 to 0.2 to the host images. As can be seen in the Tables, even though the test images are degraded greatly by the two types of noise with various noise variances or densities, the high NC values can be obtained. This means that the proposed scheme is robust against noise attacks.

3) JPEG COMPRESSION
Any effective watermarking algorithm should be robust against compression attacks. We test our watermarking algorithm against JPEG compression, which is one of the most widely used common compression attacks. JPEG compression attacks with different quality factors of 1%, 5%, 10%, 20% and 40% were applied to the host images. The results in terms of PSNR and NC are summarized in Table 12. Table 12 shows that even though the quality factor is 1%, high NC values can be achieved. Therefore, the proposed scheme is highly robust against the JPEG compression attacks because the low-frequency components of the host images are used to construct the zero-watermarks.

4) CROPPING ATTACKS
To test the robustness against cropping attacks, the host images were cropped with different cropping windows. We used cropping window sizes of 64×64, 128×128, 64 × 512, and 128 × 512, and the cropping windows were black. The results in terms of PSNR and NC values are shown in Table 13. As seen in Table 13, even though the cropping window size is 128 × 512, all the NC values are larger than 0.88 for the different test images. This verifies that the proposed scheme is robust against cropping attacks.

5) SCALING ATTACKS
For scaling attacks, we resized the original images by multiplying by a scaling factor, and then scaled back the images to their original sizes. If the scaling factor is less than 1, the images are scaled down, otherwise they are scaled up.     Table 14, it can be demonstrated that the proposed watermarking scheme shows strong resistance to the scaling attacks.

6) TRANSLATION ATTACKS
For translation attacks, we translated the host images from left to right by 1, 2, 3, 4 and 5 pixels in turn before performing watermark extraction. The experimental results are shown in Table 15. As seen in Table 15, the NC values of the extracted zero-watermarks for translation attacks are not larger than those for other attacks, such as the addition of noise, filtering, and JPEG compression, but the minimum NC value is larger than 0.91. This means that the proposed scheme can effectively resist translation attacks.

7) ROTATION ATTACKS
The host images were also tested against the geometric attack of rotation. The images were rotated by 5°, 10°, 20°, 40° and 90° respectively before performing watermark detection. The results in terms of PSNR and NC values are shown in Table 16. Table 16 shows that the proposed scheme can successfully resist rotation attacks. Furthermore, the proposed scheme performs best against rotation attacks when the rotation angle is 90°. In fact, the same result can be obtained if the rotation angle is 180° or 270° because of the proposed method of image rotation correction. Since the proposed scheme can resist rotation, scaling, and translation (RST) attacks, it can be considered an RST-invariant watermarking algorithm. From the experimental results shown in Tables 8 to 16, we can conclude that the proposed scheme is highly robust against conventional image processing operations and some geometrical distortions.
To further demonstrate the robustness of the proposed scheme, more robustness experiments were completed. In this part, the sixteen attacks shown in Table 17 were selected, and Lena was used as the host image. The attacked Lena images after these sixteen attacks are shown in Fig. 10. The PSNR values of the attacked Lena images and the NC/BER values of the watermarks extracted from them are also shown in Table 17. The PSNR values indicate that the host images are badly distorted under the different attacks. The NC and BER values of the extracted watermarks show that the extracted watermarks are very similar to the original watermark, except for the cropping attacks with large areas. These data generally illustrate that the proposed scheme is robust to different attacks for multiple watermarks of different sizes. For watermark image 1 of size 64 × 64, watermark image 3 of size 64 × 64 and watermark image 4 of size 128 × 128, the watermarks extracted from the corresponding attacked Lena images are shown in Fig. 11 to Fig. 13.
In any case, it can be observed from Fig. 10 to Fig. 13 that even though the host images are seriously degraded by the different attacks, the corresponding extracted watermarks with different contents and sizes are basically clear enough. This demonstrates that the proposed scheme exhibits excellent performance against the attacks mentioned in Table 17. Table 18 shows the robustness test results of the proposed scheme against the standard benchmark software Checkmark [64]. In Table 18, twenty kinds of attacks in Checkmark, most of which are not mentioned in Table 17, are selected to test the proposed scheme, and the PSNR, NC and BER values for the different attacks are shown. For these attacks, the NC and BER values are acceptable except for the rotation scale, shearing and warp attacks, but the minimum NC value is 0.8807 while the maximum BER value is 0.1758. As can be seen from Table 18, the proposed scheme is robust to Checkmark attacks to some extent.

C. COMPARISON WITH OTHER ZERO-WATERMARKING ALGORITHMS
To evaluate the robustness of the proposed scheme in comparison with other methods, we compared the results of our scheme with the three methods in [38], [40], [42]. We firstly embedded the 64 × 64 watermark image 2, shown in    Fig. 7 was used as the test image at this time. Table 19 shows the watermarks extracted from attacked Peppers images using the proposed scheme and the three methods in [38], [40], [42], which shows that the proposed scheme is more robust than the other three methods. Because of the strong attack parameters used in the comparison experiments, some of the watermarks extracted by the other three methods in Table 19 are not clear enough. For watermark image 2 of size 32 × 32, watermark image 3 of size 64 × 64 and watermark image 4 of size 128 × 128, the same host image and the attacks mentioned in Table 19 are used to test the robustness of the different methods. Fig. 14 to Fig. 16 compare the results in terms of the average BER values of the different extracted watermarks for the eight test images shown in Fig. 7. As can be seen from Fig. 14 to Fig. 16, the proposed scheme generally outperforms the other three watermarking methods in [38], [40], [42] for the above attacks. This advantage is especially obvious when the watermark is large, for instance, watermark image 4 used in Fig. 16.

D. STATISTICAL ANALYSIS
In this section, a statistical analysis is performed between the proposed scheme and each of the methods in [38], [40], [42]. As in [65], the Wilcoxon signed ranks test with a significance level of 0.05 is used to assess the statistical significance of the difference between the proposed scheme and each of the methods in [38], [40], [42]. The robustness tests of the compared algorithms against the attacks are shown in Tables 20 to 28. In Tables 20 to 28, the average PSNR/NC values under the different attacks are calculated over all eight test images shown in Fig. 7. Furthermore, in order to satisfy the requirement on the number of statistical samples, the number of attacks of each type in Tables 20 to 28 is increased from 5 to 7 compared with Tables 8 to 16. IBM SPSS Statistics 26 was used to perform the statistical calculations. The null hypothesis $H_0$ states that there is no significant difference between the proposed scheme and each of the methods in [38], [40], [42]. In contrast, the alternative hypothesis $H_1$ states that a significant difference exists between the proposed scheme and each of the methods in [38], [40], [42]. With a 95% confidence level, $H_0$ is rejected if $\alpha \le 0.05$, and $H_0$ cannot be rejected if $\alpha > 0.05$. When $H_0$ is rejected ($\alpha \le 0.05$), the final decision depends on whether the sum of the negative ranks $w^{-}$ is smaller than or equal to the critical value for the Wilcoxon signed rank test. If the sum of the negative ranks is smaller than or equal to the critical value (i.e., $w^{-} \le w^{*}_{\alpha}$), the proposed scheme is more robust than the compared method in [38], [40], [42]. Otherwise, the proposed scheme cannot be clearly recognized as the better one [65].
The results of this statistical analysis are shown in Table 29. As can be seen from Table 29, the proposed scheme generally outperforms each of the methods in [38], [40], [42] except for Median filtering and Cropping attacks. For Median filtering, the proposed scheme is better than each of the methods in [38], [40], [42] when the window sizes are 3 × 3, 4 × 4, 5 × 5, 6 × 6 and 7 × 7. However, good average NC values are not obtained when the window sizes are 9 × 9 and 11 × 11, because of three images: Elain, Goldhill, and Bridge. Moreover, each of the methods in [38], [40] is superior to the proposed scheme against Cropping attacks, but the superiority is not very significant. Finally, it is not difficult to see from Tables 20 to 29 that the proposed scheme is more robust than the methods in [38], [40], [42].
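The decision rule described in this section, worked through in Python as an added example (it is not the authors' SPSS procedure or data). The paired NC values are constructed, and the two-sided form of the test is an assumption, since the text does not say which tail or table was used.

```python
from itertools import product

def signed_ranks(proposed, other):
    """Signed ranks of d = proposed - other; zero differences dropped, ties averaged."""
    d = [round(a - b, 10) for a, b in zip(proposed, other)]
    d = [x for x in d if x != 0]
    order = sorted(range(len(d)), key=lambda i: abs(d[i]))
    ranks = [0.0] * len(d)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and abs(d[order[j + 1]]) == abs(d[order[i]]):
            j += 1
        for k in range(i, j + 1):          # tied |d| values share the mean rank
            ranks[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return [r if x > 0 else -r for r, x in zip(ranks, d)]

def wilcoxon(proposed, other, alpha=0.05):
    sr = signed_ranks(proposed, other)
    w_minus = sum(-r for r in sr if r < 0)
    w_plus = sum(r for r in sr if r > 0)
    mags = [abs(r) for r in sr]
    # Exact null distribution: under H0 every sign pattern is equally likely.
    null = [sum(m for m, s in zip(mags, signs) if s)
            for signs in product((0, 1), repeat=len(mags))]

    def cdf(w):
        return sum(v <= w for v in null) / len(null)

    p = min(1.0, 2 * cdf(min(w_minus, w_plus)))   # two-sided test (assumption)
    below = [w for w in set(null) if cdf(w) <= alpha / 2]
    w_crit = max(below) if below else None        # critical value w*_alpha
    better = p <= alpha and w_crit is not None and w_minus <= w_crit
    return {"w_minus": w_minus, "w_plus": w_plus, "p": p,
            "w_crit": w_crit, "proposed_better": better}

# Constructed average NC values for seven attack strengths (not from Tables 20 to 28).
PROPOSED = [0.9985, 0.9971, 0.9950, 0.9932, 0.9901, 0.9874, 0.9820]
OTHER = [0.9980, 0.9952, 0.9911, 0.9860, 0.9795, 0.9702, 0.9835]

if __name__ == "__main__":
    print(wilcoxon(PROPOSED, OTHER))
```

With seven pairs the exact test can reject at the 0.05 level only when the negative-rank sum is at most 2, so a single sizeable loss among the seven attack strengths is enough to leave the comparison undecided.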

E. SECURITY ANALYSIS
The security of a watermarking scheme mainly depends on the encryption algorithms used in the watermarking scheme. In this paper, the secret keys from the Arnold transform and the two random sequences produced by the VPCM system together ensure the high security of the proposed scheme. Even though the algorithm of zero-watermark generation is open, the right zero-watermark image will not be extracted in the process of watermark detection if any one of the secret keys is incorrect. Due to the limited length of this paper, we only analyse how the secret key $\mu_1$ affects the security of the proposed scheme in this subsection. From the previous experiments, we know that the correct $\mu_1$ is 3.89999. To test the security of the scheme, we designed the experiments as follows. Assuming that all the secret keys in the process of watermark extraction are correct except $\mu_1$, which is variable, we varied $\mu_1$ from 3.89950 to 3.90049 with 0.00001 steps to extract 100 zero-watermarks. The 100 NC values were calculated between the 100 extracted zero-watermarks and the original zero-watermark generated with the correct $\mu_1$ for different images. The experimental results are shown in Fig. 17. Fig. 17 shows that the NC value is 1 when $\mu_1$ is correct. However, the NC value is just about 0.5 when $\mu_1$ is incorrect, which means that the watermark is extracted unsuccessfully. It is important to note that finding out the correct $\mu_1$ randomly is very difficult. Therefore, all the secret keys perfectly ensure the security of the proposed scheme, and it is impossible to extract the correct zero-watermark without all the correct secret keys.
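As an added illustration of the key-sensitivity experiment above (not code from the paper), the following Python sketch sweeps the same 100 values of $\mu_1$ against a stand-in keystream generator. The generator (a logistic map whose parameter is driven by a PWLCM), the coupling constant, the values of x0, y0 and p, the random feature and watermark bits, and NC taken as the fraction of matching bits are all assumptions; the paper's VPCM and Arnold scrambling are not reproduced.

```python
import random

def pwlcm(y, p):
    """One step of the piecewise linear chaotic map on [0, 1]."""
    if y >= 0.5:
        y = 1.0 - y
    return y / p if y < p else (y - p) / (0.5 - p)

def keystream(mu1, n, x0=0.37, y0=0.61, p=0.23, burn_in=200):
    """Bits from a logistic map whose parameter is driven by a PWLCM.

    Stand-in for the paper's VPCM: the coupling mu_n = mu1 + 0.09 * y_n and
    the values x0, y0, p are assumptions made for this sketch.
    """
    x, y, bits = x0, y0, []
    for i in range(burn_in + n):
        y = pwlcm(y, p)
        x = (mu1 + 0.09 * y) * x * (1.0 - x)
        if i >= burn_in:                      # discard the transient
            bits.append(1 if x > 0.5 else 0)
    return bits

def nc(a, b):
    """Fraction of agreeing bits (assumed definition of NC for binary images)."""
    return sum(u == v for u, v in zip(a, b)) / len(a)

def sweep(true_mu=3.89999, n=64 * 64):
    """Extract with 100 candidate keys and score each result against the truth."""
    rng = random.Random(2020)                 # constructed sample data
    feature = [rng.getrandbits(1) for _ in range(n)]
    watermark = [rng.getrandbits(1) for _ in range(n)]
    ks = keystream(true_mu, n)
    # verification zero-watermark = feature XOR encrypted watermark
    zero_wm = [f ^ w ^ k for f, w, k in zip(feature, watermark, ks)]
    results = []
    for i in range(100):                      # 3.89950 .. 3.90049, step 0.00001
        mu = (389950 + i) / 100000
        guess = keystream(mu, n)
        recovered = [z ^ f ^ k for z, f, k in zip(zero_wm, feature, guess)]
        results.append((mu, nc(recovered, watermark)))
    return results

if __name__ == "__main__":
    for mu, score in sweep():
        print(f"{mu:.5f}  NC={score:.4f}")
```

The sweep shows sensitivity to $\mu_1$ at a step of 0.00001 only; it does not by itself measure the size of the key space.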

F. COMPUTATION TIME
The average computation times of the zero-watermark generation and extraction for the eight test images mentioned in Fig. 7 are shown in Table 30. The computer used for our experiments had a 3.20 GHz processor, 4 GB of RAM, and a 32-bit Microsoft Windows 7 operating system. The experiments were completed in MATLAB 2014. Table 30 illustrates that the computation times of the zero-watermark generation and extraction in the proposed scheme are acceptable.

V. CONCLUSION
In the proposed scheme for the copyright protection of digital images, NSPD and DCT were used to extract the robust feature of a host image as the original zero-watermark. Several experiments were performed to demonstrate that the signs of some AC coefficients of an image in the NSPD-DCT domain hardly change under various attacks. To enhance the security of the proposed scheme, we combined PWLCM with LM to generate the VPCM system used for the watermark encryption and the robust feature vector extraction. Furthermore, an image rotation correction procedure was used before zero-watermark detection to improve the robustness of the scheme against rotation attacks. The experimental results have demonstrated that the NSPD-DCT based zero-watermarking scheme is highly robust to common image processing operations, several geometric attacks and some Checkmark attacks, and that it performs better than some existing algorithms. In the future, we will further improve the robustness of the proposed zero-watermarking scheme against combined attacks and extend this scheme to video watermarking.
PENG ZHANG received the B.S. degree in electronic information science and technology from the Zhengzhou University of Light Industry, Henan, China, in 2018. He is currently pursuing the master's degree with the College of Electronic Information and Automation, Civil Aviation University of China, Tianjin. His research interests include image processing and information hiding.
YUJIN ZHANG (Member, IEEE) received the Ph.D. degree in communication and information system from Shanghai Jiao Tong University, Shanghai, China, in 2014. Since 2015, he has been with the School of Electronic and Electrical Engineering, Shanghai University of Engineering Science. His research interests include multimedia forensics, signal processing, artificial intelligence, and pattern recognition.
VOLUME 8, 2020