Buyer-Seller Watermarking (BSW) Protocols

1
Buyer-Seller Watermarking (BSW) Protocols

• Geong Sen Poh
• 31 Oct 2006

2
Outline

• Introduction
• Motivation
• Development of BSW
• Goals, Methodology and Assumptions
• Protocols
• Memon-Wong Protocol (MW)
• Lei et al. Protocol (Lei)
• Zhang et al. Protocol (Zhang)
• Analysis of Zhang et al. Protocol
• Summary

3
Motivation
Seller
Buyer

songs, movies etc.
Distributes copies

• How can the seller identifies buyers that
  illegally distributed songs, movies etc.?
• The seller can embeds unique watermarks

4
Motivation

• BUT
• The seller is the entity that generates and
  embeds the watermark into a digital work
• If illegal copies are found and a buyer is
  identified through the embedded watermark, the
  buyer can claim that he/she is framed by the
  seller since the seller can embed the buyers
  watermark into any digital work.
• SO
• Buyer-Seller Watermarking Protocol

5
Development of BSW
1998
IEEE
MW
2004
IEEE
2003
ICISC
Lei
Ju
2003
2004
ACNS
ACNS
2006
IEE
Choi Attack I
Goi Attack I
Zhang
2005
IWDW
2005
EUC
Choi II
Goi Attack II
6
Goals

• No Framing
• An honest buyer should not be falsely accused by
  a malicious seller or other buyers
• No Repudiation
• The buyer accused of reselling an unauthorised
  copy should not be able to claim that the copy
  was created by the seller or a security breach of
  the sellers system
• Traceability
• A buyer who has illegally distributed digital
  works can be traced
• Collusion Tolerance
• An attacker should not be able to find, generate,
  or delete the fingerprint by comparing the marked
  copies, even if they have access to a large
  number of copies
• Anonymity
• A buyer should be able to buy anonymously
• Unlinkability
• Given two marked digital works, no one can decide
  whether or not they were bought by the same buyer

B. M. Goi, R. C.-W. Phan, Y. Yang, F. Bao, R. H.
Deng and M. U. Siddiqi, Cryptanalysis of Two
Anonymous Buyer-Seller Watermarking Protocols and
an Improvement for True Anonymity, ACNS 2004,
LNCS 3089, pp. 369-382, 2004
7
Methodology

• Interactive Protocol
• Registration
• Buy and Sell
• Identification and Arbitration
• Seller does not know the watermark
• Buyer does not know the embedded watermark

8
Principals Involved

• Buyer (B)
• Seller (S)
• Certificate Authority (CA)
• Fully trusted
• Issues certificates to WCA, A, B, and S
• Watermark Certificate Authority (WCA)
• Fully trusted
• Issues and certifies buyers watermark
• Arbiter (A)
• Fully trusted
• Resolves dispute between B and S

9
Assumptions

• Each of the principals involved (e.g. buyer and
  seller) has a CA certified public and private key
  pair, (PKi, SKi) for i the identity of the
  principal
• The public-key encryption algorithm is
  homomorphic

10
Homomorphic Encryption

• E(x) E(y) E(x y)
• E(x) ? E(y) E(x ? y)
• Example RSA
• Paillier homomorphic encryption (in Zhang
  Protocol)
• E(x) ? E(y) E(x y)

If the public key is n,e then E(x1) ? E(x2)
x1ex2e mod n (x1x2)e mod n E(x1 ? x2)
11
MW Protocol
Registration, Buy and Sell
WCA

• Generate WB

S
B
O O WS s(EPKB(WB)) EPKB(s(WB)) EPKB(O)
EPKB(s(WB)) EPKB(O s(WB))
DSKB(EPKB(O s(WB))) O s(WB)
B Buyer S Seller WCA Watermark Certificate
Authority O Original Work O Marked Work Wk
ks Watermark
s Random permutation of degree n Embedding
algorithm Ek(.) Encrypt with ks public
key Signk(.) Sign with ks private key
12
MW Protocol
Identification and Arbitration
On discovering an illegal copy of O, say Y, S
can determine B by detecting s(WB) embedded using
a watermark detection algorithm and search the
buyer details from his database.
A
S
B
B Buyer S Seller A Arbiter WCA Watermark
Certificate Authority O Original Work O, O
Marked Work Y Illegal copy Wk ks Watermark
s Random permutation of degree n Embedding
algorithm Ek(.) Encrypt with ks public
key Signk(.) Sign with ks private key
13
Issue with MW

• MW Protocol achieved
• No Framing
• No repudiation
• Traceability
• But
• No anonymity,
• No unlinkability for the buyers

14
Lei Protocol
Registration
CA
B

• Generate certCA(pkB)

• Generate (skB,pkB)

ARG An agreement between the buyer and the
seller Embedding algorithm Ek(.)
Homomorphic encrypt with ks public key Dk(.)
Homomorphic decrypt with ks private key Signk(.)
Sign with ks private key (skB,pkB), (sk, pk)
Buyer generated random key pair
B Buyer S Seller O Original Work O, O
Marked Work Wk ks Watermark
15
Lei Protocol
Buy and Sell
WCA

• Generate WB
• SWCA SignWCA(WB)

S
B

• O O WS

• Generate (sk,pk) for this transaction
• s Signsk(ARG)
• Generate CertpkB(pk)

• Epk(O) Epk(WB) Epk(O WB)

Dsk(Epk(O s(WB))) O s(WB)
ARG An agreement between the buyer and the
seller Embedding algorithm Ek(.)
Homomorphic encrypt with ks public key Dk(.)
Homomorphic decrypt with ks private key Signk(.)
Sign with ks private key (skB,pkB), (sk, pk)
Buyer generated random key pair
B Buyer S Seller WCA Watermark Certificate
Authority O Original Work O, O Marked
Work Wk ks Watermark
16
Lei Protocol

• The B Identity

Y11 (sk11, pk11)
X1 (sk1, pk1)
Y1m (sk1m, pk1m)
Y21 (sk21, pk21)
X2 (sk2, pk2)
Y2k (sk2k, pk2k)
B
Yn1 (skn1, pkn1)
Xn (skn, pkn)
Ynt (sknt, pknt)
17
Lei Protocol
Identification and Arbitration
On discovering an illegal copy of O, say Y, S
carries out the following steps
A
WCA

• W Det(Y)
• W WB ?

S
ARG An agreement between the buyer and the
seller Embedding algorithm Det(. , .)
Detection algorithm Ek(.) Homomorphic encrypt
with ks public key Dk(.) Homomorphic decrypt
with ks private key Signk(.) Sign with ks
private key (skB,pkB), (sk, pk) Buyer
generated random key pair
S Seller A Arbiter WCA Watermark
Certificate Authority O Original Work O, O
Marked Work Y Illegal Copy Wk ks Watermark
18
Zhang Protocol

• Similar to Lei Protocol except that there is no
  WCA
• No need WCA to generate and certify watermark
• S generates his part of the watermark
• B generates his part of the watermark
• The final watermark embedded in the digital work
  is the combination of S and Bs watermarks

19
Zhang Protocol
Registration
CA
B

• Generate certCA(pkB)

• Generate (skB,pkB)

ARG An agreement between the buyer and the
seller SECi Secret string of i Embedding
algorithm Ek(.) Homomorphic encrypt with ks
public key Dk(.) Homomorphic decrypt with ks
private key Signk(.) Sign with ks private
key (skB,pkB), (sk, pk) Buyer generated
random key pair
B Buyer CA Certificate Authority O Original
Work O, O Marked Work Of Illegal Copy Wk
ks Watermark
20
Zhang Protocol
Buy and Sell
S
B

• O O WS
• Epk(WB) Epk(SECS)(Epk(SECB)
• Epk(SECS SECB)
• Epk(O) Epk(WB) Epk(O WB)

• Generate (sk,pk) for this transaction
• Generate a secret SECB
• e Epk(SECB)
• s Signsk(Epk(SECB), ARG)
• Generate CertpkB(pk)

Dsk(Epk(O WB)) O WB
ARG An agreement between the buyer and the
seller SECi Secret string of i Embedding
algorithm Ek(.) Homomorphic encrypt with ks
public key Dk(.) Homomorphic decrypt with ks
private key Signk(.) Sign with ks private
key (skB,pkB), (sk, pk) Buyer generated
random key pair
B Buyer S Seller O Original Work O, O
Marked Work Of Illegal Copy Wk ks Watermark
21
Zhang Protocol
Identification and Arbitration
A
CA

• Compute WB SECS SECB
• W Det(Y)
• W WB ?

S
B

• Found Y

• Dsk(Epk(SECB)) SECB

ARG An agreement between the buyer and the
seller SECi Secret string of i Embedding
algorithm Det(. , .) Detection algorithm Ek(.)
Homomorphic encrypt with ks public key Dk(.)
Homomorphic decrypt with ks private key Signk(.)
Sign with ks private key (skB,pkB), (sk, pk)
Buyer generated random key pair
B Buyer S Seller A Arbiter CA Certificate
Authority O Original Work O Marked Work Y
Illegal Copy Wk ks Watermark
22
Analysis of Zhang et al. Protocols

• Issues
• Buyer can remove his part of the watermark easily
  since
• O WB O SECS SECB and
• Buyer knows SECB, to remove
• O SECS SECB SECB

23
Summary

• The motivation of BSW
• The proposals to date
• MW, Lei and Zhang
• The issues
• No formal security model, protocols designed in
  ad hoc manner
• Current focus
• To continue analyse other proposals (Ju, Choi,
  Goi), with issues when parties collude with each
  others (Seller colludes with WCA etc.)

24
Thank You