*7.1. Security Considerations*

The security of the method was based on the secrecy of the KLT basis. Thus, this set of orthonormal vectors constituted the secret key. This basis may be derived from any sample of vectors belonging to a vector space of the right dimension: in our case, the EU was composed of 28 bytes; thus, the vector space should be of dimension 28.

For example, considering a grayscale image and building vectors from pixel values taken in raster scan order allowed the computation of a covariance matrix from which to derive an orthonormal basis (as shown in Section 3): if the image were kept secret, so would be the KLT basis and consequently the embedding space of the watermark bit string. This prevented an attacker from creating forged vertices embedding a correct watermark given that she/he would not know the kernel basis of the transform.

If the length of the watermark stored in each EU were *m* bits (i.e., the payload was *m* bpv), then the probability that a forged vertex would not be detected as such would be 1/2*m*. Nonetheless, as previously said, if the modification were in the higher part of the vertex data, then all the polygons sharing that vertex would detect the modification: given that for each polygon, the probability to fail detection would be 1/2*m*, if the forged vertex were shared amongst *k* polygons, then the probability that the tampering went undetected by all polygons would be 1/2*mk*.

#### **8. Conclusions**

The proposed method performed an integrity protection of 3D models in a more secure embedding space of the watermark while reducing the distortion induced to the model. It applied a small modification to some attributes of the vertices of the model (in the current implementation, vertices' coordinates, but it could be extended to other vertex features). The error introduced w.r.t. the original attribute values was in the order of 4.3 <sup>×</sup> <sup>10</sup>−<sup>7</sup> (average MAE for the models analyzed in Table 3) and was not noticeable from the rendered model (as subjectively judged from a sample of 10 observers).

The security of the whole process lied in the secrecy of the KLT basis, which, in turn, was based on the secrecy of the vectors used to compute it. Public parameters of the algorithm were the cryptographic hash function, the payload *m* (in bpv), the orders of the *m* KLT coefficients, and the embedding position *p*.

As future work, we plan to extend the algorithm to protect other vertex attributes, like *uv* coordinates and normals.

**Author Contributions:** Conceptualization: M.B., D.C. and M.G.; Methodology: M.B. and D.C.; Software: M.B.; Data Curation: P.P.;writing—original draft preparation, M.B., D.C., M.G. and P.P.; writing—review, M.B., D.C., M.G. and P.P. All authors have read and agreed to the published version of the manuscript.

**Funding:** This research received no external funding.

**Conflicts of Interest:** The authors declare no conflict of interest.
