Presentation is loading. Please wait.

Presentation is loading. Please wait.

Buyer-Seller Watermarking (BSW) Protocols Geong Sen Poh 31 Oct 2006.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Buyer-Seller Watermarking (BSW) Protocols Geong Sen Poh 31 Oct 2006."— Presentation transcript:

1 Buyer-Seller Watermarking (BSW) Protocols Geong Sen Poh 31 Oct 2006

2 2 Outline Introduction  Motivation  Development of BSW  Goals, Methodology and Assumptions Protocols  Memon-Wong Protocol (MW)  Lei et al. Protocol (Lei)  Zhang et al. Protocol (Zhang) Analysis of Zhang et al. Protocol Summary

3 3 Motivation How can the seller identifies buyers that illegally distributed songs, movies etc.?  The seller can embeds unique watermarks… songs, movies etc. £££££ Seller Buyer Distributes copies

4 4 Motivation BUT… The seller is the entity that generates and embeds the watermark into a digital work If illegal copies are found and a buyer is identified through the embedded watermark, the buyer can claim that he/she is framed by the seller since the seller can embed the buyer’s watermark into any digital work. SO… Buyer-Seller Watermarking Protocol

5 5 Development of BSW MW Choi Attack I Goi Attack I Choi II Goi Attack II Lei Zhang 1998 2003 2004 2005 2004 2006 IWDW ACNS IEEE EUC IEEE IEE Ju 2003ICISC

6 6 Goals No Framing  An honest buyer should not be falsely accused by a malicious seller or other buyers No Repudiation  The buyer accused of reselling an unauthorised copy should not be able to claim that the copy was created by the seller or a security breach of the seller’s system Traceability  A buyer who has illegally distributed digital works can be traced Collusion Tolerance  An attacker should not be able to find, generate, or delete the fingerprint by comparing the marked copies, even if they have access to a large number of copies Anonymity  A buyer should be able to buy anonymously Unlinkability  Given two marked digital works, no one can decide whether or not they were bought by the same buyer B. M. Goi, R. C.-W. Phan, Y. Yang, F. Bao, R. H. Deng and M. U. Siddiqi, Cryptanalysis of Two Anonymous Buyer-Seller Watermarking Protocols and an Improvement for True Anonymity, ACNS 2004, LNCS 3089, pp. 369-382, 2004

7 7 Methodology Interactive Protocol  Registration  Buy and Sell  Identification and Arbitration Seller does not know the watermark Buyer does not know the embedded watermark

8 8 Principals Involved Buyer (B) Seller (S) Certificate Authority (CA)  Fully trusted  Issues certificates to WCA, A, B, and S Watermark Certificate Authority (WCA)  Fully trusted  Issues and certifies buyer’s watermark Arbiter (A)  Fully trusted  Resolves dispute between B and S

9 9 Assumptions Each of the principals involved (e.g. buyer and seller) has a CA certified public and private key pair, (PK i, SK i ) for i the identity of the principal The public-key encryption algorithm is homomorphic

10 10 Homomorphic Encryption E(x) + E(y) = E(x + y) E(x)  E(y) = E(x  y) Example: RSA Paillier homomorphic encryption (in Zhang Protocol): E(x)  E(y) = E(x + y) If the public key is: n,e then: E(x 1 )  E(x 2 ) = x 1 e x 2 e mod n = (x 1 x 2 ) e mod n = E(x 1  x 2 )

11 11 MW Protocol WCA SB O’ = O * W S σ(E PKB (W B )) = E PKB (σ(W B )) E PKB (O’) * E PKB (σ(W B )) = E PKB (O’ * σ(W B )) Request watermark E PKB (W B ), Sign WCA (E PKB (W B )) B = Buyer S = Seller WCA = Watermark Certificate Authority O = Original Work O’ = Marked Work W k = k’s Watermark E PKB (W B ), Sign WCA (E PKB (W B )) σ = Random permutation of degree n * = Embedding algorithm E k (.) = Encrypt with k’s public key Sign k (.) = Sign with k’s private key E PKB (O’ * σ(W B )) D SKB (E PKB (O’ * σ(W B ))) = O’ * σ(W B ) Generate W B Registration, Buy and Sell S does not know the watermark B does not know the embedded watermark

12 12 MW Protocol A SB Request private key Private key σ, E PKB (W B ), Sign WCA (E PKB (W B )), Y B = Buyer S = Seller A = Arbiter WCA = Watermark Certificate Authority O = Original Work O’, O” = Marked Work Y = Illegal copy W k = k’s Watermark σ = Random permutation of degree n * = Embedding algorithm E k (.) = Encrypt with k’s public key Sign k (.) = Sign with k’s private key On discovering an illegal copy of O’, say Y, S can determine B by detecting σ(W B ) embedded using a watermark detection algorithm and search the buyer details from his database. Identification and Arbitration

13 13 Issue with MW MW Protocol achieved:  No Framing  No repudiation  Traceability But…  No anonymity,  No unlinkability for the buyers

14 14 Lei Protocol CAB pk B Cert CA (pk B ) Generate (sk B,pk B ) Generate cert CA (pk B ) B = Buyer S = Seller O = Original Work O’, O” = Marked Work W k = k’s Watermark ARG = An agreement between the buyer and the seller * = Embedding algorithm E k (.) = Homomorphic encrypt with k’s public key D k (.) = Homomorphic decrypt with k’s private key Sign k (.) = Sign with k’s private key (sk B,pk B ), (sk’, pk’) = Buyer generated random key pair Registration Anonymous key pair

15 15 Lei Protocol WCA SB Generate (sk ’,pk ’ ) for this transaction s = Sign sk’ (ARG) Generate Cert pkB (pk’) B = Buyer S = Seller WCA = Watermark Certificate Authority O = Original Work O’, O” = Marked Work W k = k’s Watermark ARG = An agreement between the buyer and the seller * = Embedding algorithm E k (.) = Homomorphic encrypt with k’s public key D k (.) = Homomorphic decrypt with k’s private key Sign k (.) = Sign with k’s private key (sk B,pk B ), (sk’, pk’) = Buyer generated random key pair Cert CA (pk B ), Cert pkB (pk’), ARG, s O’ = O * W S E pk’ (O’ * W B ) E pk’ (O’) * E pk’ (W B ) = E pk’ (O’ * W B ) Cert pkB (pk’), ARG, s, O’ E pk’ (W B ), E WCA (W B ), S WCA, pk’, s Generate W B S WCA = Sign WCA (W B ) D sk’ (E pk’ (O’ * σ(W B ))) = O’ * σ(W B ) Buy and Sell Unlinkable key pair S & B do not know the watermark

16 16 Lei Protocol The B Identity B X 1 (sk 1, pk 1 ) Y 11 (sk 11, pk 11 ) X 2 (sk 2, pk 2 ) X n (sk n, pk n ) Y 1m (sk 1m, pk 1m ) Y 21 (sk 21, pk 21 ) Y 2k (sk 2k, pk 2k ) Y n1 (sk n1, pk n1 ) Y nt (sk nt, pk nt ) Linkable, to X 1 Unlinkable, S knows is from X 1 S knows is from X 2 S does not know X 1 links to X 2 S does not know X 1,X 2,…,X n link to B

17 17 Lei Protocol Identification and Arbitration S = Seller A = Arbiter WCA = Watermark Certificate Authority O = Original Work O’, O” = Marked Work Y = Illegal Copy W k = k’s Watermark ARG = An agreement between the buyer and the seller * = Embedding algorithm Det(.,.) = Detection algorithm E k (.) = Homomorphic encrypt with k’s public key D k (.) = Homomorphic decrypt with k’s private key Sign k (.) = Sign with k’s private key (sk B,pk B ), (sk’, pk’) = Buyer generated random key pair A S WCA E WCA (W B ) WBWB O’, Y, Cert CA (pk B ), Cert pkB (pk’), ARG, s, E pk’ (W B ), E WCA (W B ), S WCA W’ = Det(Y) W’ = W B ? On discovering an illegal copy of O’, say Y, S carries out the following steps:

18 18 Zhang Protocol Similar to Lei Protocol except that there is no WCA No need WCA to generate and certify watermark:  S generates his part of the watermark  B generates his part of the watermark  The final watermark embedded in the digital work is the combination of S and B’s watermarks

19 19 Zhang Protocol CAB pk B Cert CA (pk B ) Generate (sk B,pk B ) Generate cert CA (pk B ) B = Buyer CA = Certificate Authority O = Original Work O’, O” = Marked Work O f = Illegal Copy W k = k’s Watermark ARG = An agreement between the buyer and the seller SEC i = Secret string of i * = Embedding algorithm E k (.) = Homomorphic encrypt with k’s public key D k (.) = Homomorphic decrypt with k’s private key Sign k (.) = Sign with k’s private key (sk B,pk B ), (sk’, pk’) = Buyer generated random key pair Registration

20 20 Zhang Protocol SB Generate (sk ’,pk ’ ) for this transaction Generate a secret SEC B e = E pk’ (SEC B ) s = Sign sk’ (E pk’ (SEC B ), ARG) Generate Cert pkB (pk’) B = Buyer S = Seller O = Original Work O’, O” = Marked Work O f = Illegal Copy W k = k’s Watermark ARG = An agreement between the buyer and the seller SEC i = Secret string of i * = Embedding algorithm E k (.) = Homomorphic encrypt with k’s public key D k (.) = Homomorphic decrypt with k’s private key Sign k (.) = Sign with k’s private key (sk B,pk B ), (sk’, pk’) = Buyer generated random key pair Cert CA (pk B ), Cert pkB (pk’), ARG, e, s O’ = O * W S E pk’ (W B ) = E pk’ (SEC S )(E pk’ (SEC B ) = E pk’ (SEC S + SEC B ) E pk’ (O’) * E pk’ (W B ) = E pk’ (O’ + W B ) E pk’ (O’ * W B ) D sk’ (E pk’ (O’ + W B )) = O’ + W B Buy and Sell

21 21 Zhang Protocol B = Buyer S = Seller A = Arbiter CA = Certificate Authority O = Original Work O’ = Marked Work Y = Illegal Copy W k = k’s Watermark ARG = An agreement between the buyer and the seller SEC i = Secret string of i * = Embedding algorithm Det(.,.) = Detection algorithm E k (.) = Homomorphic encrypt with k’s public key D k (.) = Homomorphic decrypt with k’s private key Sign k (.) = Sign with k’s private key (sk B,pk B ), (sk’, pk’) = Buyer generated random key pair A S CA Cert CA (pk B ), Cert pkB (pk’), e SEC B O’, Y, Cert CA (pk B ), Cert pkB (pk’), ARG, e, s, SEC S Found Y Compute W B = SEC S + SEC B W’ = Det(Y) W’ = W B ? B e = E pk’ (SEC B ) SEC B D sk’ (E pk’ (SEC B )) = SEC B Identification and Arbitration

22 22 Analysis of Zhang et al. Protocols Issues  Buyer can remove his part of the watermark easily since… O’ + W B = O’ + SEC S + SEC B and Buyer knows SEC B, to remove… O’ + SEC S + SEC B – SEC B

23 23 Summary The motivation of BSW The proposals to date  MW, Lei and Zhang The issues  No formal security model, protocols designed in ad hoc manner Current focus  To continue analyse other proposals (Ju, Choi, Goi), with issues when parties collude with each others (Seller colludes with WCA etc.)

24 Thank You

Download ppt "Buyer-Seller Watermarking (BSW) Protocols Geong Sen Poh 31 Oct 2006."

Similar presentations

1 An Asymmetric Fingerprinting Scheme based on Tardos Codes Ana Charpentier INRIA Rennes Caroline Fontaine CNRS Télécom Bretagne Teddy Furon INRIA Rennes.

1 An Asymmetric Fingerprinting Scheme based on Tardos Codes Ana Charpentier INRIA Rennes Caroline Fontaine CNRS Télécom Bretagne Teddy Furon INRIA Rennes.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Optionally Identifiable Private Handshakes Yanjiang Yang.

Optionally Identifiable Private Handshakes Yanjiang Yang.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.

IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.
Pretty Good Privacy (PGP). How PGP works PGP uses both public-key cryptography and symmetric key cryptography, and includes a system which binds the public.

Pretty Good Privacy (PGP). How PGP works PGP uses both public-key cryptography and symmetric key cryptography, and includes a system which binds the public.
Anonymous Fingerprinting Paper by: Birgit Pfitzmann, and Michael Waidner Presentation by: James Campbell.

Anonymous Fingerprinting Paper by: Birgit Pfitzmann, and Michael Waidner Presentation by: James Campbell.
1 A Buyer-Seller Watermarking Protocol IEEE Trans. On Image Processing, Vol.10,No.4, pp. 643-649, April 2001 Multimedia Security.

1 A Buyer-Seller Watermarking Protocol IEEE Trans. On Image Processing, Vol.10,No.4, pp , April 2001 Multimedia Security.
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.
ICWS 2003 Implementing Watermark Token in WS-Security for Digital Contents Distribution Presenter: Patrick Hung Co-authors:

ICWS 2003 Implementing Watermark Token in WS-Security for Digital Contents Distribution Presenter: Patrick Hung Co-authors:
1 Key Management in Mobile Ad Hoc Networks Presented by Edith Ngai Spring 2003.

1 Key Management in Mobile Ad Hoc Networks Presented by Edith Ngai Spring 2003.

Similar presentations

Ads by Google