1 A Buyer-Seller Watermarking Protocol IEEE Trans. On Image Processing, Vol.10,No.4, pp. 643-649, April 2001 Multimedia Security.

Presentation transcript:

1 A Buyer-Seller Watermarking Protocol. IEEE Trans. on Image Processing, Vol. 10, No. 4, pp. 643-649, April 2001. Multimedia Security

2 Invisible Watermark. Copy Deterrence: If unauthorized copies of the data are found, the origin of the copy can be determined by retrieving the unique watermark corresponding to each buyer. → Fingerprinting. Copy Protection: Every time a copy is made the watermark can be modified by the hardware and after a point the hardware would not create further copies of the data. → DVD

3 Problems of the Traditional Fingerprinting Techniques. [Diagram: the seller embeds the buyers' watermarks (fingerprints) into the products to obtain the watermarked products.] Since the watermark is inserted solely by the seller, a buyer whose watermark has been found in unauthorized copies can claim that the unauthorized copy was created by the seller!

4 This could be done by a malicious seller who may be interested in framing the buyer. It could be possible when the seller is not the original owner but a reselling agent who could potentially benefit from making unauthorized copies. Even if the seller was not malicious, an unauthorized copy containing the buyer's fingerprint could have originated from a security breach in the seller's system and not from the buyer.

5 The Owner-Customer Watermarking Protocol. A customer supplies the owner with an encrypted version of a predetermined and fixed bit-sequence. Upon receiving this, the owner embeds the encrypted sequence into the image using an invisible watermark algorithm. This watermarked copy is then transmitted to the buyer. Since only the buyer knows the decryption key, he can prove to a third party the legitimate ownership of the copy in his possession.

6 However, the protocol does not solve the problem of Irrevocably Binding (a binding that cannot be changed) the customer to the specific copy sold to him and holding him responsible for any unauthorized copies of the same found in the market.

7 This is because the owner knows the exact copy in each buyer's possession, and the buyer can claim that an unauthorized copy was created by the seller or caused by a security breach in the seller's system.

8 What kind of protocol will work better? The seller does not get to know the exact watermarked copy that the buyer receives. → The seller cannot create copies of the original content containing the buyer's watermark.

9 In case the seller finds an unauthorized copy, she can identify the buyer from whom this unauthorized copy has originated and furthermore also prove this fact to a third party by means of a “Dispute Resolution (settling of a dispute) protocol”. The dispute resolution protocol is a three-party protocol and requires the buyer to participate in order to prove his innocence in case the seller accuses him of making unauthorized copies.

10 Common/Mutual Agreement If a buyer refuses to participate then this would be taken as an admission of guilt on the part of the buyer.

11 Image X → a vector of features, and Watermark W → a vector of watermark elements with n ≧ m. Assume “Linear Watermarking Techniques” is adopted, that is, the watermark insertion step can be represented as:

12 watermarked image original image watermark information being embedded insertion operation where

13 We assume the existence of a “Public Key Cryptosystem” that is “Privacy Homomorphism” with respect to the binary operator ⊕. By privacy homomorphism w.r.t. ⊕ we mean it has the property that for every a and b in the message space. where, is the encryption function and k is the public (encryption) key. RSA public key cryptosystem is a privacy homomorphism w.r.t. multiplication.

14 The Buyer-Seller Watermarking Protocol. There are 4 subprotocols in the buyer-seller watermarking protocol: the Watermark Generation Protocol (Bob and the watermark certification authority C); the Watermark Insertion Protocol (Alice and Bob); the Copyright Violator Identification Protocol (Alice); the Dispute Resolution Protocol (Alice, Bob and the Judge).

15 Alice: the agent selling the content. Bob: the buyer. Alice and Bob have public keys and private keys, respectively, all of which have been registered with an appropriate certification authority.

16 There is a trusted watermark certification authority, C, who generates random watermarks in the required manner and issues them to any user upon request. The watermark certification authority is memoryless and does not maliciously or otherwise keep track of the different watermarks issued to different users.

17 The Watermark Generation Protocol. Bob sends to C: certification of Bob’s identity, Bob’s public key, and a request for a valid watermark. C: after establishing Bob’s credentials, generates a random but valid watermark W and sends to Bob “ ”, the watermark encrypted with Bob’s public key, along with a digital signature that certifies the validity of the watermark.

18 By we mean That is, each of the individual elements of the watermark W is encrypted as a separate message but with the same key.

19 [Diagram: the Watermark Generation Protocol between Bob and C; the only surviving message label is "ID".]

20 The Watermark Insertion Protocol. This is a two-party protocol between Alice and Bob which proceeds as follows. (1) Bob sends to Alice the encrypted watermark,, along with the signature of the certification authority C. Alice verifies in order to be sure that is indeed a valid watermark generated by C.

21 (2) Let X denote the image that Bob wishes to purchase from Alice. Alice generates a unique watermark for this transaction, V, which she inserts into the image X to get the watermarked image. In this step, Alice is free to use any watermarking scheme of her choosing, public or private, spatial domain or transform domain, linear or nonlinear.

22 The sole purpose of the watermark V is to enable Alice to identify the specific user an illegal copy has potentially arisen from. That is, V is not the watermark that Alice will use to prove that Bob has made illegal copies of an image.

23 (3) Alice then generates a random permutation σ of degree m which she uses to permute the elements of the encrypted watermark received from Bob. That is, Alice computes The above is true as is of the form and “Permuting first and Encrypting later” gives us the same result as “Encrypting first and permuting later”.

24 (4) Alice inserts the “permuted watermark” obtained above as a second watermark into the already watermarked image. Since the watermark received from Bob is encrypted with Bob’s public key, Alice inserts this second watermark in the encrypted domain also using which is known to her. Inserting a watermark in the encrypted domain is possible as we assume that the public-key cryptosystem being used is a “Privacy Homomorphism” with respect to ⊕.

25 Alice computes, Alice then transmits to Bob.

26 (5) Alice stores ID of Bob, and σ in Table X. Table X is a table of records maintained by Alice for image X containing one entry for each copy of X that she sells.

27 The table contains the identity of the buyer, the unique watermark V known only to her that corresponds to the particular buyer, the encrypted watermark which she received from the buyer along with the certification authority's signature attesting the validity of the watermark, and finally the permutation σ that she used to permute the encrypted watermark before inserting it into the copy which was sold to the buyer.

28 (6) Bob decrypts the data he received from Alice to obtain a watermarked image. That is Bob computes where is the private decryption key corresponding to the public encryption key and D(.) is the decryption function.

29 Now Bob has a watermarked copy of X that Alice cannot reproduce since she does not know the corresponding private key. Also, since Bob does not know σ he cannot remove σ(w) from even though he knows W. Neither can he remove V which is also unknown to him.

30 The Copyright Violator Identification Protocol. On discovering an unauthorized copy of X, say Y, Alice can determine the buyer from whom this copy has originated by detecting the unique watermark that she inserted for each buyer. This is done by means of a watermark extraction function Ex which takes Y, and depending on the watermarking technique, X as inputs.

31 Let U denote the watermark that is returned by the watermark extraction function Ex(X,Y). Using this extracted watermark U Alice then locates the buyer in Table X to whom Y was sold. The exact mechanism for locating the buyer in Table X depends on the watermarking technique used.

32 For robust watermarks, this would generally be accomplished by “Correlating” U with every watermark V in Table X and selecting the one with the highest correlation beyond a confidence threshold. Once this V is located in Table X, Alice reads the Buyer ID field to obtain the identification of the buyer from whom this copy has originated. If U cannot be matched to any watermark V in Table X, then the protocol returns failure.

33 The Dispute Resolution Protocol In case Bob denies that an unauthorized copy Y has originated from his version of the image, Alice can reveal σ and and to the judge. The judge first verifies He would then ask Bob for his “Private Key” using which he can compute W and check for the presence of σ(w) in Y.

34 Actually, Bob need not reveal his private key, as this is undesirable. He could just reveal (w) to the judge by decrypting. The judge could then verify W by encrypting it with Bob’s public key and checking if it equals to After verifying W, the judge can then run the watermark extraction algorithm on Y and check if σ(w) is indeed present in Y. If σ(w) is found in Y, Bob is found guilty; otherwise Bob is innocent.

35 Note that the dispute resolution protocol is a “three-party” protocol. Bob has to take part in the protocol by revealing W to the judge! Constraints of this protocol: (1) The cryptosystem must be a privacy homomorphism w.r.t. ⊕. (2) The certification authority is trustworthy (not malicious). (3) The buyer must participate in the dispute resolution protocol.

36 An Example Construction. Watermarking: Spread-Spectrum technique. Cryptosystem: RSA public-key system. real numbers drawn from a zero-mean, variance-1 Gaussian distribution; this set of real numbers is embedded into the m largest DCT AC coefficients of an image. That is, where α is a small constant.

37 A 2-D IDCT is then taken, yielding the watermarked image. To determine if a given image Y contains the watermark W, the decoder extracts from Y by taking the largest m DCT AC coefficients of Y and subtracting their value from, that is, The confidence measure on the presence of the watermark W in Y is taken to be the correlation between W and T.

38 The adopted RSA public key system operates in, where n is a product of two very large primes p and q. A message x is then encrypted as where a is the public encryption key and the corresponding decryption function is where b is the private decryption key.

39 For a practical implementation, the samples would be truncated to some fixed precision, say 64 bits. They would then be used to generate the watermark, which is encrypted element by element with Bob’s public key. This encrypted watermark vector along with its signature is transmitted to Bob who may keep a copy of it before transmitting it to Alice.

40 Alice then inserts her own watermark V into the original image X to get. V could be based on any watermarking technique of her choice. She then permutes the elements of and embeds them into the m largest AC coefficients by computing

41 Since the RSA cryptosystem has the property that, the watermark W gets embedded into the image in the encrypted domain. Here again, each DCT coefficient can be represented with some fixed precision, say 64 bits. In order for Bob to be able to recover xy, we have to select the modulus n of RSA to be large enough such that xy < n. (i.e. n should be at least 128 bits)

42 Alice transmits this encrypted and doubly watermarked image to Bob who can decrypt and then compute an IDCT to get his unique watermarked copy. Since Alice has permuted the elements of W, Bob cannot remove W from his copy although he is the only party (aside from the watermark certification authority which we assumed is memoryless) that knows W. Also Alice can only compute an “encrypted version” of Bob's unique copy, which is useless as she cannot decrypt and distribute it to falsely frame Bob.
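The example construction of slides 36 to 42, together with the judge's check from the Dispute Resolution Protocol, as an added Python example (not code from the paper or the slides). Assumptions: a toy RSA key built from two Mersenne primes, watermark elements encoded as fixed-point factors (1 + αw_i)·2^16 with α = 0.1, positive integer coefficients, exact matching in place of correlation, and C's signature check left out.

```python
import random

# Constructed toy RSA key for Bob from two Mersenne primes; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # Bob's private exponent (Python 3.8+)

SCALE = 2**16   # fixed-point scale for watermark factors (assumption)
ALPHA = 0.1     # embedding strength (assumption)


def enc(m):
    """Textbook RSA under Bob's public key; enc(x) * enc(y) mod N == enc(x * y)."""
    return pow(m, E, N)


def dec(c):
    return pow(c, D, N)


def ca_generate(m, rng):
    """C: draw W from N(0,1), encode each element as an integer factor, encrypt each separately."""
    w = [rng.gauss(0, 1) for _ in range(m)]
    factors = [round((1 + ALPHA * wi) * SCALE) for wi in w]
    return factors, [enc(f) for f in factors]


def alice_insert(coeffs, enc_w, rng):
    """Alice: permute E(W) with a secret sigma, then multiply it into E(X') element by element."""
    sigma = list(range(len(enc_w)))
    rng.shuffle(sigma)
    permuted = [enc_w[j] for j in sigma]
    cipher = [enc(x) * c % N for x, c in zip(coeffs, permuted)]
    return sigma, cipher


def bob_decrypt(cipher):
    """Bob: recover x_i * factor_sigma(i); valid only while every product stays below N."""
    return [dec(c) for c in cipher]


def judge(enc_w_on_file, revealed, sigma, coeffs, y):
    """Judge: re-encrypt the W that Bob reveals, compare it with E(W) from Alice's table,
    then look for sigma(W) in Y (exact match here; a real detector would correlate)."""
    if [enc(f) for f in revealed] != enc_w_on_file:
        return "revealed W does not match certified E(W)"
    expected = [x * revealed[j] for x, j in zip(coeffs, sigma)]
    return "sigma(W) found in Y" if expected == y else "sigma(W) not found in Y"


def run_protocol(seed=2001):
    rng = random.Random(seed)
    # Constructed stand-ins for the m largest DCT AC coefficients of X' (X with V inserted).
    coeffs = [5120, 4875, 4410, 3990, 3655, 3120, 2980, 2415]
    factors, enc_w = ca_generate(len(coeffs), rng)
    sigma, cipher = alice_insert(coeffs, enc_w, rng)
    y = bob_decrypt(cipher)
    forged = [factors[0] + 1] + factors[1:]   # Bob reveals some other T instead of W
    clean = [x * SCALE for x in coeffs]       # a copy that carries no sigma(W)
    return {
        "bob_copy_ok": y == [x * factors[j] for x, j in zip(coeffs, sigma)],
        "honest": judge(enc_w, factors, sigma, coeffs, y),
        "forged": judge(enc_w, forged, sigma, coeffs, y),
        "clean": judge(enc_w, factors, sigma, coeffs, clean),
    }


if __name__ == "__main__":
    for name, result in run_protocol().items():
        print(name, "->", result)
```

The judge's re-encryption check works because this encryption is deterministic, which is the same property behind the per-element precision requirement raised in the discussion of the Watermark Generation Protocol.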

43 Discussion – Attacks, Weaknesses, and Countermeasures. The security of the proposed protocol relies critically on the security of the underlying watermarking and encryption techniques used in the specific construction. RSA: secure if properly used. Watermarking: the ability to withstand attacks is still under question. → The proposed protocol is secure only as much as the underlying watermarking techniques are secure and robust.

44 The protocol with “Malicious Participants”. A. Watermark Generation Protocol. If the encryption and digital signature techniques used are secure, and the underlying public key infrastructure (PKI) enables the watermark certification authority to reliably verify Bob’s identity, then there is no way Bob could change or substitute the watermark. Furthermore, inclusion of a time stamp along with information about the transaction would prevent Bob from replacing the watermark with an older one he may have obtained previously from the watermark certification authority.

45 Since the different watermark elements are being encrypted individually, the “precision” with which the watermark is being represented can have “significant” impact on the security of the encryption. For example, if each watermark element has 32 bits of precision then Alice (the seller) can exhaustively try all possible watermark elements and completely determine W. Hence each element in W must at least have 64 bits of precision (preferably 128) to make such brute force attacks infeasible.

46 B. Watermark Insertion Protocol Alice inserts a watermark V which she can later use to determine the source of an illegal copy. – it is against her own interest not to perform this step in the right manner. Alice inserts σ(w) into. – it is against her interest not to perform this step in the proper manner.

47 For example, Alice could use a watermark obtained from another user in a prior transaction. This serves no purpose as it would result in a severely corrupted image when Bob decrypts the encrypted watermarked image with his own key. This is because the watermark and image would have been encrypted with different keys.

48 Alice could also use a watermark obtained from Bob, but from a prior transaction. This could be revealed during the dispute resolution protocol and as a result Alice will no longer be able to prove to an adjudicator (judge) that Bob has made illegal copies. This is against her interest. Also, since the watermark W sent to her by Bob is encrypted, she has no way of gleaning (collecting) any information about it as long as the underlying encryption scheme is secure.

49 C. Copyright Violator Identification At this point Alice could try and find another watermark inserted into the copy of another buyer, say Trevor, that is declared present in the image by the watermark detection function. – a false positive. In this case, Alice could conceivably hold Trevor responsible for the illegal copy.

50 Since the different watermarks inserted into different copies of the content have been generated randomly by the watermark certification authority, they are uncorrelated and it is highly unlikely that Alice would detect a false positive in the relatively small number of instances which she has at her disposal (available for her to use) to try. This is especially difficult as she has no knowledge about the watermark inserted in Trevor’s copy and has seen it only in the encrypted form.

51 If Alice obtains a copy of the image sold to Bob, that is I+V+σ(w), she can compute W as she knows I, V, and σ. However, this really is of no use to her as, now that she has a copy of the image sold to Bob, she can in any case make as many copies of it as she wants, whether she knows W or not.

52 Removing σ(w) also is of no use as she already knows I+V. Nor can she embed W in another image with malicious intent as W is bound to the specific transaction between Alice and Bob by the signed message she received from the watermark authority which she has to produce in case of dispute resolution.

53 D. Dispute Resolution Protocol Can Alice fabricate evidence? The answer is no. As she does not know W she is unable to do this. Bob on the other hand can refuse to cooperate, but as mentioned before, this would be taken as an admission of guilt.

54 For example, when the Judge asks Bob for W, Bob can send some random watermark T instead. However, Alice has presented the Judge with a signed and encrypted copy of W and this would not match with. If the watermark certification authority is to be trusted, Bob would be considered the culprit (offender).

55 E. Watermark Certification Authority The most undesirable feature of the proposed protocol is the requirement of a watermark certification authority C who generates valid watermarks upon request, and sends them along with a time-stamp and a digital signature. Given the current structure of the proposed protocol, the watermark W needs to originate from a third party.

56 Otherwise, Bob could generate a maliciously designed watermark that would be approximately “invariant to permutation” and send this to Alice. Since Alice only sees the encrypted watermark she is unable to tell the difference between a valid watermark and an invalid watermark. A simple way of avoiding this problem is to originate the watermark from an independent and trusted third party.

57 Placing complete trust in a single source is still undesirable. For example, if Alice and C collude (conspire) then they can frame Bob. Similarly if Bob and C collude then they can cheat Alice. However, C by itself cannot cheat as it knows only W and not σ, just as Bob. Nevertheless, the requirement of a trusted watermark certification authority can indeed be reduced by using some sophisticated tools from cryptography, like “oblivious transfers and blind signatures”.

58 Another undesirable consequence is that, because the watermark is generated by the watermark certification authority, it may not be possible for the seller to “shape” the watermark to the given image in order to make it perceptually imperceptible. This will restrict the “strength” of the watermark signal, which in turn affects the robustness of the underlying watermarking technique.