Crypto Final Presentation B 林敬倫 B 李佳蓉 B 王姵瑾 B 周振平

Watermarking Maps: Hiding Information in Structured Data Sanjeev Khanna Francis Zane Accepted by SODA2000

1.Introduction What ’ s Watermarking? Where one embeds hidden info into the data which encodes ownership and copyright. Applied to: Image, Video, Audio, etc. Owner: compiles accurate map data Provider: provide end-user access.

Map Watermarking Problem Schemes: Which allow the owner to distribute and identify many different copies( marked copy ) New nodes or edges are not allowed. Change small length are not allowed. Each marked copy must involve only a slight distortion.

Suspect! An owner should be able to accurately determine the unique provider from that copy using only public accessible info. The owner access the provider ’ s data as an end-user.

Goal Maximize the number of copies the owner can distribute under these constraints. If the owner encounter a suspect copy. Then he has complete access to the data for this copy which he can determine the guilty party.

2.Preliminaries How to distortion measured? What type of information does the provider give in response to queries? Is the provider free to answer as he chooses in order to evade detection?

Mesaures of Distortion Additive distortion of d Multiplicative distortion of d With respect to a graph G Additive and multiplicative distortion for a path P. G ’ is a d-distortion of G if it has distortion d with respect to G.

Queries and Responses Edge Queries Gives the owner complete access to the copy of the provider. Distance Queries Route Queries Only a path. Might be using by a cheating provider.

Adversarial vs. Nonadversarial A provider add additional distortion to evade detection No-adversarial: If provider answers all queries correctly Otherwise it ’ s adversarial No effective scheme against large distortion or has fairly accurate knowledge.

Marking Schemes M is marking algorithm Map each r to a copy of the map G r Such that G r is a d-distortion of G. D is detection algorithm ( detector ) Answers to its queries to recover the provider r

3. Overview of Results

Nonadversarial Edge and Distance THEOREM 3.1. For the nonadversarial edge model, there are marking schemes that encode Ω(m 1/2-ε ) bits with additive distortion and Ω(m) bits with multiplicative distortion. For the nonadversarial distance model,there are marking schemes that encode Ω(n 1/2-ε ) bits with additive distortion and Ω(n) bits with multiplicative distortion. In each case, the additive distortion is O(1/ε) while the multiplicative distortion is (1 + o(1)).

Adversarial Edge and Distance Models  THEOREM 3.2. For the adversarial edge model, there is a marking scheme that encodes Ω(m 1/2-ε ) bits while for the adversarial distance model, there is a marking scheme that encodes Ω(n 1/2-ε ) bits.

Nonadversarial Route Models In route models, problem becomes significantly more complex. Ask the graph to satisfy some “ good property ” Tradeoff between requirement of the graph and the bits we can encode

Nonadversarial Route Models THEOREM 3.3. For the nonadversarial route model, there is a marking scheme that encodes Ω(m 1/2-ε ) bits with small multiplicative distortion when the underlying graph is 2-edge connected and its length function is nearly- uniform.

4. Nonadversarial Case

Edge Model: Additive Distortion Goal: generate many distinct graphs while introducing only small distortion Let P  P(G) be a shortest path in G with the largest number of edges, and let L denote the number of edges on P. Let u0, ul,..., uL be the nodes along the path P.

Edge Model: Additive Distortion We discuss two cases: L  L 0 L  L 0 （ L 0 will be defined later) With L  L 0 : With our marking scheme, For any pair x, y of nodes, | d G’ (x, y) - d G’ (x, y) | < 2.

Edge Model: Additive Distortion With L  L 0 By results from the two cases, THEOREM 4.1. There is a marking scheme that encodes Ω (m 1/2-ε ) bits of information with only an additive distortion of  1/ ε  for any 0 < ε < 1/2.

Edge Model: Multiplicative Distortion THEOREM 4.2. There is a marking scheme that gives 0 (m) bits of information with only a (1 + o(1)) multiplicative distortion.

Distance Model: Additive Distortion Again, discuss two cases L  L 0, L  L 0 With L  L 0, For any pair x,y of nodes, | d G’ (x,y) – d G’ (x,y) |  3 With L  L 0, Let V'  V be obtained by randomly picking each node with probability p = 1/(L o n 2 ε ). Then V' is an ε -good node marking set of size Ω(pn) with probability at least 1/3

Distance Model: Additive Distortion THEOREM 4.3. There is a marking scheme that gives O(n 1/2-ε ) bits of information with only an additive distortion of  1/ ε  for any 0 < ε < 1/2.

5. Adversarial Case

Adversarial Case Model and Assumptions Assumption 1 (Bounded Distortion Assumption) : For all (u, v) E V × V, |A(u, v) - d G (u, v)| <= d', where d' is an absolute constant.

DEFINITION 5.1. W  V × V is low-bias with respect to S  {0, +1, - 1} E if for all (u, v) Ε W, | Δ(u,v)| <= 1 & for all z E {0, + l, - 1}, Pr[Δ(u, v) = z] <= ½ δ E S Adversarial Case

DEFINITION 5.2. S  {0, + 1, - 1} E is (γ, ρ)-unpredictable if for any W  V X V, such that W is low-bias with respect to S and |W| = ω(1), any strategy A Gδ available to the adversary satisfies Pr [ Σ [ A Gδ (u,v)= Δ(u,v) > (1/2 + γ )|W| ] < p δ E S (u,v) E W

Adversarial Case Assumption 2 (Limited Knowledge Assumption) : For any S  {0, + 1, - 1} E such that |S| = ω(1), S is (γ, ρ)-unpredictable.

Framework Marking Algorithm: For each provider r, we chose a random vector B r E {+1,-1} L. From this vector, we obtain a vector D such that D(i) = a 2 if B'(i) = +1 and D(i) = a l, otherwise. Now use D to construct δ r as guaranteed by the framework conditions and output the graph G δ, with length function l δr, = l + δ r.

Framework Detection Algorithm: Given access to a suspect map, we compute an implied L-dimensional vector Z, defined by Z(i) = A(u i, v i ). Let X(i) = d G (u i, v i ) and define a mid = (a 1 +a 2 )/2, a diff = (a 2 – a l )/2 For each provider r, we then compute a similarity measure sim (B r, Z) = 1/ a diff B r (Z - ( X + a mid 1)) Choosing a threshold parameter t = 0.1, if sim(B r, Z) >= tL, then we say that the provider r is responsible for the suspect copy.

Analysis False Positives 物枉 Show that the probability that an individual suspect provider generates a false positive is small, even for an adversary with access to the original map. False Negatives 物縱 Show that the probability of a false negative(a guilty party evading detection) is also low.

False Positives Y(i) = X(i) + a mid + a diff B(i) Assume for all i, |Z(i) - X(i)| <= d'. Using Chernoff bounds, we can show that PROPOSITION 5.1. Given any valid Z, Pr[sim (B r, Z) > tL] <= e -q^2t^2L/2 when B is generated randomly independent of Z and q = a diff /(d' + a mid ). COROLLARY 5.1 If L = Ω(logK), then the probability of a false positive error by the detector is o(1).

False Negatives PROPOSITION 5.2. If sim (B, Z) < tL, then B ( Z - Y) < - a diff (1 - t)L. PROPOSITION 5.3. Let 0 = L/2 + cL/4(d' + 1) with probability at that 1 – e – Ω(L).

False Negatives LEMMA 5.1 If γ = e -o(L), then the probability of a false negative by the detector is at most 2p. Proof by contradiction!

Analysis THEOREM 5.1. Given a scheme consistent with the framework, γ = e -o(L), O(L) bits can be encoded such that the probability of error by the detector is at most max{2p, o(1)}.

Distance Model