The prediction-error expansion (PEE) was first proposed by Thodi and Rodriguez [21] . The mechanism of PEE-based embedding and extraction can be briefly described as follows:

Let x be the intensity of a pixel in a gray-scale image, and $\hat{x}$ its predicted value. For embedding a watermark bit i, the prediction-error $e=x-\hat{x}$ is expanded by shifting left its binary format so as to create a vacant LSB into which i is inserted. The expanded prediction-error $e_w$ and the watermark value $x_w$ are given by

$e_w=2e+i$ (1)

$x_w=\hat{x}+e_w=x+e+i$ (2)

For watermark decoding, first, the prediction-error $e_w=x_w-\hat{x}$ is computed from the watermark image. Then, the embedded bit i is extracted from the LSB

position of $e_w$. Next, the original prediction-error is obtained by $e=\lfloor \frac{e_w}{2}\rfloor$. Finally, the original pixel value is restored as follows:

$x=x_w-e-i$ (3)

For example, assume $x=223$, $a=208$, $b=213$ et $c=213$. Then, the prediction error is given by: $e=223-208=15$. Let $i=1$ be the embedding watermark bit. The expanded prediction error and the watermarked pixel values can be computed as follows: $e_w=2\ast 15+1=31$ and $x_w=208+31=239$. At detection phase, the concealed bit and the original prediction error are given by:

$i=\text{LSB}\left(e_w\right)=1$ and $e=\lfloor \frac{31}{2}\rfloor =15$. Lastly, the original pixel value can be restored as follows: $x=239-15-1=223$.

In this work, we assume that the original pixel x is the two least significant digits (LSDs) of any numerical attributes to be selected for watermarking, and its predicted intensity $\hat{x}$ is the relevant tuple primary key hash value, which is known at both embedding and detection phases.

The main goal of our solution is to construct a reversible semi-fragile watermark in such a way that, besides detecting malicious modifications, it could allow some legal updates. A fragile watermark is usually constructed from attribute using one-way hash functions such as MD5 or SHA. It is the property of one-way hash functions that any minor change to the input will randomize the output. Since, different attributes might have different degrees of sensitivity to legitimate modification, we can obtain a database semi-fragile watermarking if we can categorize attributes according to their importance in the database, and define some criteria for their inclusion in the hash calculation.

Let $R\left(P_k,A_0,A_1,\cdots ,A_{\gamma -1}\right)$ be the database relation to watermark. $A_0,A_1,\cdots ,A_{\gamma -1}$ are all numeric attributes, and $P_k$ is the primary key. The design of our reversible semi-fragile scheme is as follows:

Step 1. Attribute classification: Based on the sensitivity to benign updates, we define three classes of attributes, namely Sensitive attributes (S), Semi-Sensitive attributes (SS) and Non-Sensitive attributes (NS), such that $S\cup SS\cup NS=R$ and $S\cap SS\cap NS=\varnothing$. Class S contains attributes that do not need to be updated once they are recorded. Examples of such attributes include primary key, social security numbers (SSN), age, blood group, account number, etc. SS attributes are those that can be legitimately modified within certain boundaries, i.e., up to a predefined level of distortion. For example, we can allow to update all parts of a phone number except the country code. If 00227******** is a phone number, then 00227 represents the country code and * denotes the updatable part. NS is the category of attributes that can be freely modified.

Step 2. Legal update constraints for SS attributes: In order to allow legal modification of SS attributes, we need to define the degree of distortion that could be tolerated. For this purpose, we divide each SS attribute into two parts: a “rough portion” (SSR) and a “flat portion” (SSF). The rough portion is the non-updateable part of the attribute. Any modification made to it should be detected as tampering. The flat portion of the attribute can be legitimately altered. For numeric attributes, it could be defined in terms of the number of least significant digits (LSDs) or least significant bits (LSBs) available for modification. Since different attributes may tolerate different levels of distortion, we define ${\epsilon }_k$ LSDs as legal alteration bandwidth for each attribute $A_k$ of SS class.

Step 3. Attribute Sorting: In a database relation, the order of attributes is normally not important. However, for ensuring the synchronization between the embedded and the extracted watermarks, this order should be the same at both embedding and detection phases. To satisfy this requirement, we define a recoverable secret “initial” order of attributes as follows. First, a name hash value is computed for each attribute using a secret key only known to the owner. Then, the attributes are virtually sorted in ascending order of their name hash values. Since attribute names, usually, do not change in a database relation, it is clear that the secret order can be efficiently recovered at watermark detection. As a result, attribute sorting operation will not be considered as an attack.

For tamper localization, our strategy consists in virtually splitting the database relation into g secret groups, in which a watermark is embedded independently. The grouping technique is presented in Algorithm 1 . The relation R is securely partitioned based on the primary key hash values of tuples. Using the property that secure hash functions generate uniformly distributed message digests, our partitioning method will create groups of roughly equal size. Notice that the sorting operation is also virtual. It is necessary to enforce some correlation between tuples.

Usually, the more important an attribute is, the less it may be legally modified after watermark insertion. For this reason, in other to ensure reversibility, we choose to embed the semi-fragile watermark by expanding the prediction-error of the two LSDs of sensitive attributes. Since the distortions caused by this process are minor and not permanent, the data usefulness will not be compromised. The watermark embedding process in a given group, depicted in Algorithm 2 , is explained as follows. First, a watermark is generated from the hash values of tuples as shown in Algorithm 3 . Note that, NS attributes and SSF data are excluded in the hash calculation. Afterwards, the prediction-error of the selected sensitive attribute is expanded with the corresponding watermark bit. Finally, the new value of the two LSDs is combined with the corresponding most significant digits (MSD) to update the value of the watermarked attribute.

The watermarked data may be exposed to attacks intending to modify the database content. An attack will succeed, if the pirate could maliciously modify S or SSR data, without disturbing the watermark. For watermark synchronization, it is important to restore the original order of attributes. In addition, as in the embedding stage, the relation is virtually divided into secret groups ( Algorithm 1 ). For tamper detection, each group is authenticated independently. Algorithm 4 outlines the steps involved in the detection process. First, a watermark W* is extracted from the suspicious group as shown by lines 1 through 6. Then, the original attribute value is restored. Lastly, the integrity of the group is verified by comparing the generated watermark W with the extracted one as described from line 11 through 14. The detection process is fully blind because it does not require the knowledge of the original database relation.

There are three single modifications: alter an attribute value, insert a tuple, delete a tuple. Assume that the attacker modifies a single value in the database. If the modification is made to a sensitive attribute or the rough part of a semi-sensitive attribute, the relevant group hash value will be randomized. Since the embedded watermark W is extracted from group hash, the watermark will also be randomized. After the modification, each bit of the embedded watermark W has equal probability to match the corresponding bit in the extracted watermark W*. Therefore, the error rate for detecting this attack is given by

$P_e=\frac{1}{2^v}$ (4)

where v is the watermark size, which is determined by the number of tuples in the group.

Now, suppose that the pirate inserts a tuple into the protected relation. Due to our grouping technique, the newly inserted tuple will fall into a single group, thus increasing the associated watermark size v. Therefore, the failure rate in detecting this tampering is formulated as

$P_e=\frac{1}{2^{v+1}}$ (5)

Similarly, the deletion of a single tuple will reduce the affected group size. Consequently, the relevant watermark will be randomized. Since there are $v-1$ bits remaining in the watermark, we obtain

$P_e=\frac{1}{2^{v-1}}$ (6)

Figure 1 shows the probability of error for the three single modification attacks using various watermark sizes. We can easily see that, in all cases, the failure rate is very low, and it decreases exponentially when the watermark length increases.

This category of attacks includes multiple values alteration, multiple tuples insertion, and multiple tuples deletion.

Consider the scenario where multiple attribute values are maliciously modified. Assume that $k\left(1\le k\le g\right)$ groups are affected. Since the probability that our

scheme fails to detect a single value change in any group is $\frac{1}{2^v}$, the overall probability that the modification does not affect any group watermark is obtained by

$P_e=\frac{1}{2^{vk}}$ (7)

Now, let $n\left(n\ge 2\right)$, be the number of inserted records. After grouping, each new tuple has equal probability to be assigned to any group. Assume that

$k\left(k\le g\right)$ groups are affected. When $n>k$, an average of $\frac{n}{k}$ tuples are added to each group. Thus, the failure rate for any group is $\frac{1}{2^{v+\frac{n}{k}}}$. Therefore, the probability that all embedded watermarks remain unchanged after the attack is given by

$P_e={\left(\frac{1}{2^{v+\frac{n}{k}}}\right)}^k=\frac{1}{2^{vk+n}}$ (8)

As for multiple tuples insertion, the deletion of $n\left(n\ge 2\right)$ tuples could affect several groups. In this case, if $k\left(k\le g\right)$ groups are changed, we have

$P_e=\frac{1}{2^{vk-n}}$ (9)

The failure probabilities for massive attacks are all monotonic decreasing with the watermark size v and the number of relevant watermarks k. This is illustrated in Figure 2 using different watermark sizes. For simplicity, we set $k=5$ and $n=20$. Here again, we can see the error rates are extremely low.

On the basis of the theoretical results, the proposed scheme is efficient enough to detect and localize traditional attacks.

Two different experiments were performed for this attack: 1) alteration of sensitive data, and 2) alteration of non-sensitive data. For each experiment, we randomly modified 10% to 90% of the values with varying watermark sizes.

In the first case, we only modified values from sensitive attributes (S) and rough portion of semi-sensitive attributes (SSR). The results are displayed in Figure 3 . We observe that:

In the second case, only non-sensitive values (NS) and flat part of semi-sensitive attributes (SSF) were altered. The results are shown in Figure 4 . We observe that, no matter what are the alteration rate and the watermark size v, the detection rate is 0%. This is obvious, because the performed modifications are legitimate. Therefore, this result confirms the semi-fragileness of our scheme.

Figure 5 shows the results for multiple tuples deletion. We performed the experiments with varying deletion rates and watermark sizes. For small groups, we can observe that:

To simulate this attack, we randomly and repeatedly inserted fake tuples into the watermarked groups. As a result, because of the fragileness of our scheme regarding illegal change, all relevant hash values and watermarks are randomized. As shown in Figure 6 , we observe that the proposed method can fully detect tampered groups for different values of v.

In Table 2 , we present a comparison of our scheme with three most relevant recent works. We consider the following features: embedding channel (i.e., data type), data updateability (i.e. legitimate modification), innocent attacks (i.e. tuple/attribute sorting), tamper detection, and reversibility (i.e. data recovery). We can easily see that, at the difference of other techniques, our scheme can allow data updateability, while enabling data restoration and tamper detection.