Birthday Attack on Efficient and Anonymous Buyer-Seller Watermarking Protocol BY Qurat-ul-Ain M. Mahboob Yasin COMSATS Institute of Information Technology, Islamabad

Presentation Scheme What is a Digital Watermark Use of the digital watermarks Watermarking Protocols: Qiao and K. Nahrstedt watermarking Protocol Memon and Wong watermarking Protocol Lie et all watermarking protocol Birthday Paradox Birthday Attack on Efficient and Anonymous Buyer- Seller Watermarking Protocol Proposed Solution Conclusion

What are Digital Watermarks? Copyright marks embedded into digital content to prove legal ownership of an intellectual property The embedding is performed with the help of a key and recovery of the embedded mark will reveal the actual owner of the digital contents

Customers’ Right Problem A B O Digital Content X’ with W Digital Content X’ with W Cant tell who is has legally bought the product. Its impossible to pinpoint who is behind pirating the contents if illegal copies are found X W X’ +

Protecting rightful ownership and customer’s rights The buyer sends the encrypted data to the seller. The seller generates a unique watermark based on the encrypted data received and inserts it into the digital content Seller sends X‘ to the buyer. The buyer can prove his possession of the watermarked copy. E KB (Bits) X’ BuyerSeller [L Qiao and K. Nahrstedt, Sept 98]

What if The Seller is Malicious As the seller has the exact watermarked copy which is sold to the buyer, an illegal copy cannot prove a buyer guilty of pirating the copy after analyzing the embedded watermark. [N. Memon and P. W. Wong, Apr ]

How Memon & Wong Solved the Problem There is a third trusted party, to generate watermarks, called WCA. Seller need not to know the watermark. The seller inserts the watermark in encrypted domain. So seller has no access to the final water marked copy which the buyer gets

Privacy Homomorphic Encryption function Epk is privacy homomorphic if following equation holds Epk (a  b)= Epk (a)  Epk (b)  a & b

Memon and Wong Watermarking Protocol ID B, P B E PB (W), S WCA (E PB (W)) E PB (X``) BuyerWCA Seller

Unbinding Problem Unable to bind a watermark to particular digital contents or transaction. [C.L. Lei, P.L. YU, P.L Tsai and M.H Chan, Dec 2004 ]

Example: A buys digital contents X’’ containing watermark Wx. Now if X’ is illegally distributed by A, the seller can extract the watermark from the pirated copy and insert it to the other expensive product Y to get Y’’ and can prove that Y’ is being pirated to be compensated more. Secondly seller can ignore the watermark and insert the previously used watermark by the same buyer in some previous transaction to prove piracy of both digital contents if the buyer illegally distribute one.

Efficient and Anonymous Buyer-Seller Watermarking Protocol Buyer can remain anonymous by getting several anonymous certificate from a CA. Buyer has to generate new public private key for each transaction to solve the unbinding problem.

Continued… Cert CA (p B ), Cert pB (pk*), ARG, Spk*(ARG) Cert pB (pk*), ARG, Spk*(ARG), X` E pk* (W), pk WCA (W), Sign WCA (E pk* (W),pk*, S pk* (ARG)) E pk* (X``) The Seller The Watermark Certification Authority WCA The Buyer [C.L. Lei, P.L. YU, P.L Tsai and M.H Chan, Dec 2004 ]

Problems with EASBW Protocol Buyer’s anonymity allows a malicious buyer to collect digital content time and again and abort the transaction saying he cannot decrypt the contents provided. Seller sends the watermark copy X’ to WCA. With X’ in hand WCA can generate X’’. Seller is maintaining a huge database having unique public key for each transaction.

Birthday Paradox What is the minimum value of k such that the probability is nearly 50% that at least 2 people in a group of k people have the same birthday

Example: In a group of 23 people, though the probability that birthday a member A shares his birthday with another group member is 23/365, but the probability is more than 50% that at least two of them will have the same birthday.

Birthday Attack on the EABSW protocol The security of EASBW requires that for each transaction buyer must generate new public private key pair. The final watermarked copy is encrypted using the key generated for a specific transaction.

Continued… Suppose a seller has a million entries for different buyers and the seller generates a million entries for different private public key of n bits in size. For the probability of success in matching to be 50%, the database size should be √n that is much less than n as expected from a key size of n bits The probability of a success increases if elliptic curve cryptography is used

What if The Attack is successful Cert pB (pk*), ARG, Spk*(ARG), X E pk* (W), pk WCA (W), S WCA (E pk* (W),pk*, S pk* (ARG)) The SellerThe Watermark Certification Authority WCA

Arbitration Process Seller generate X’’ by inserting W after decrypting Epk*(W). In arbitration process the seller has all the evidence to prove an innocent buyer guilty of pirating the digital contents.

Proposed Solution Watermarking Certification Authority should not be memory less WCA should maintain a database of public keys used in each transaction. Before generating watermark WCA must ensure pk* is not used in any transaction. Seller must only give specification to WCA not the Watermarked copy X’ to prevent WCA of pirating digital contents

Conclusions The watermark certification authority should maintain a database of all public keys against which it has issued watermarks. We propose that the seller may only tell the characteristics of the original digital contents. If anonymity is given to the buyer then there should be a mechanism to avoid malicious buyer to cancel the transaction.

Questions?