1 / 23

Buyer-Seller Watermarking (BSW) Protocols

Geong Sen Poh 31 Oct 2006. Buyer-Seller Watermarking (BSW) Protocols. Outline. Introduction Motivation Development of BSW Goals, Methodology and Assumptions Protocols Memon-Wong Protocol (MW) Lei et al. Protocol (Lei) Zhang et al. Protocol (Zhang) Analysis of Zhang et al. Protocol

holleb
Download Presentation

Buyer-Seller Watermarking (BSW) Protocols

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Geong Sen Poh 31 Oct 2006 Buyer-Seller Watermarking (BSW) Protocols

  2. Outline • Introduction • Motivation • Development of BSW • Goals, Methodology and Assumptions • Protocols • Memon-Wong Protocol (MW) • Lei et al. Protocol (Lei) • Zhang et al. Protocol (Zhang) • Analysis of Zhang et al. Protocol • Summary

  3. Motivation Seller Buyer • How can the seller identifies buyers that illegally distributed songs, movies etc.? • The seller can embeds unique watermarks… £££££ £££££ songs, movies etc. Distributes copies

  4. Motivation • BUT… • The seller is the entity that generates and embeds the watermark into a digital work • If illegal copies are found and a buyer is identified through the embedded watermark, the buyer can claim that he/she is framed by the seller since the seller can embed the buyer’s watermark into any digital work. • SO… • Buyer-Seller Watermarking Protocol

  5. Development of BSW 1998 IEEE MW 2003 ICISC 2004 IEEE Ju Lei 2004 ACNS 2003 ACNS 2006 IEE Goi Attack I Choi Attack I Zhang 2005 IWDW 2005 EUC Choi II Goi Attack II

  6. Goals • No Framing • An honest buyer should not be falsely accused by a malicious seller or other buyers • No Repudiation • The buyer accused of reselling an unauthorised copy should not be able to claim that the copy was created by the seller or a security breach of the seller’s system • Traceability • A buyer who has illegally distributed digital works can be traced • Collusion Tolerance • An attacker should not be able to find, generate, or delete the fingerprint by comparing the marked copies, even if they have access to a large number of copies • Anonymity • A buyer should be able to buy anonymously • Unlinkability • Given two marked digital works, no one can decide whether or not they were bought by the same buyer B. M. Goi, R. C.-W. Phan, Y. Yang, F. Bao, R. H. Deng and M. U. Siddiqi, Cryptanalysis of Two Anonymous Buyer-Seller Watermarking Protocols and an Improvement for True Anonymity, ACNS 2004, LNCS 3089, pp. 369-382, 2004

  7. Methodology • Interactive Protocol • Registration • Buy and Sell • Identification and Arbitration • Seller does not know the watermark • Buyer does not know the embedded watermark

  8. Principals Involved • Buyer (B) • Seller (S) • Certificate Authority (CA) • Fully trusted • Issues certificates to WCA, A, B, and S • Watermark Certificate Authority (WCA) • Fully trusted • Issues and certifies buyer’s watermark • Arbiter (A) • Fully trusted • Resolves dispute between B and S

  9. Assumptions • Each of the principals involved (e.g. buyer and seller) has a CA certified public and private key pair, (PKi, SKi) for i the identity of the principal • The public-key encryption algorithm is homomorphic

  10. Homomorphic Encryption • E(x) + E(y) = E(x + y) • E(x)  E(y) = E(x  y) • Example: RSA • Paillier homomorphic encryption (in Zhang Protocol): • E(x)  E(y) = E(x + y) • If the public key is: n,e then: • E(x1)  E(x2) • = x1ex2e mod n • = (x1x2)e mod n • = E(x1  x2)

  11. Request watermark EPKB(WB), SignWCA(EPKB(WB)) S does not know the watermark EPKB(WB), SignWCA(EPKB(WB)) EPKB(O’ * σ(WB)) B does not know the embedded watermark MW Protocol Registration, Buy and Sell WCA • Generate WB S B O’ = O * WS σ(EPKB(WB)) = EPKB(σ(WB)) EPKB(O’) * EPKB(σ(WB)) = EPKB(O’ * σ(WB)) DSKB(EPKB(O’ * σ(WB))) = O’ * σ(WB) B = Buyer S = Seller WCA = Watermark Certificate Authority O = Original Work O’ = Marked Work Wk = k’s Watermark σ = Random permutation of degree n * = Embedding algorithm Ek(.) = Encrypt with k’s public key Signk(.) = Sign with k’s private key

  12. σ, EPKB(WB), SignWCA(EPKB(WB)), Y Request private key Private key MW Protocol Identification and Arbitration On discovering an illegal copy of O’, say Y, S can determine B by detecting σ(WB)embedded using a watermark detection algorithm and search the buyer details from his database. A S B B = Buyer S = Seller A = Arbiter WCA = Watermark Certificate Authority O = Original Work O’, O” = Marked Work Y = Illegal copy Wk = k’s Watermark σ = Random permutation of degree n * = Embedding algorithm Ek(.) = Encrypt with k’s public key Signk(.) = Sign with k’s private key

  13. Issue with MW • MW Protocol achieved: • No Framing • No repudiation • Traceability • But… • No anonymity, • No unlinkability for the buyers

  14. pkB CertCA(pkB) Anonymous key pair Lei Protocol Registration CA B • Generate certCA(pkB) • Generate (skB,pkB) ARG = An agreement between the buyer and the seller * = Embedding algorithm Ek(.) = Homomorphic encrypt with k’s public key Dk(.) = Homomorphic decrypt with k’s private key Signk(.) = Sign with k’s private key (skB,pkB), (sk’, pk’) = Buyer generated random key pair B = Buyer S = Seller O = Original Work O’, O” = Marked Work Wk = k’s Watermark

  15. CertpkB(pk’), ARG, s, O’ S & B do not know the watermark Epk’(WB), EWCA(WB), SWCA, pk’, s Unlinkable key pair CertCA(pkB), CertpkB(pk’), ARG, s Epk’(O’ * WB) Lei Protocol Buy and Sell WCA • Generate WB • SWCA= SignWCA(WB) S B • O’ = O * WS • Generate (sk’,pk’) for this transaction • s = Signsk’(ARG) • Generate CertpkB(pk’) • Epk’(O’) * Epk’(WB) = Epk’(O’ * WB) Dsk’(Epk’(O’ * σ(WB))) = O’ * σ(WB) ARG = An agreement between the buyer and the seller * = Embedding algorithm Ek(.) = Homomorphic encrypt with k’s public key Dk(.) = Homomorphic decrypt with k’s private key Signk(.) = Sign with k’s private key (skB,pkB), (sk’, pk’) = Buyer generated random key pair B = Buyer S = Seller WCA = Watermark Certificate Authority O = Original Work O’, O” = Marked Work Wk = k’s Watermark

  16. WB EWCA(WB) O’, Y, CertCA(pkB), CertpkB(pk’), ARG, s, Epk’(WB), EWCA(WB), SWCA Lei Protocol Identification and Arbitration On discovering an illegal copy of O’, say Y, S carries out the following steps: A WCA • W’ = Det(Y) • W’ = WB ? S ARG = An agreement between the buyer and the seller * = Embedding algorithm Det(. , .) = Detection algorithm Ek(.) = Homomorphic encrypt with k’s public key Dk(.) = Homomorphic decrypt with k’s private key Signk(.) = Sign with k’s private key (skB,pkB), (sk’, pk’) = Buyer generated random key pair S = Seller A = Arbiter WCA = Watermark Certificate Authority O = Original Work O’, O” = Marked Work Y = Illegal Copy Wk = k’s Watermark

  17. Zhang Protocol • Similar to Lei Protocol except that there is no WCA • No need WCA to generate and certify watermark: • S generates his part of the watermark • B generates his part of the watermark • The final watermark embedded in the digital work is the combination of S and B’s watermarks

  18. pkB CertCA(pkB) Zhang Protocol Registration CA B • Generate certCA(pkB) • Generate (skB,pkB) ARG = An agreement between the buyer and the seller SECi = Secret string of i * = Embedding algorithm Ek(.) = Homomorphic encrypt with k’s public key Dk(.) = Homomorphic decrypt with k’s private key Signk(.) = Sign with k’s private key (skB,pkB), (sk’, pk’) = Buyer generated random key pair B = Buyer CA = Certificate Authority O = Original Work O’, O” = Marked Work Of = Illegal Copy Wk = k’s Watermark

  19. CertCA(pkB), CertpkB(pk’), ARG, e, s Epk’(O’ * WB) Zhang Protocol Buy and Sell S B • O’ = O * WS • Epk’(WB) = Epk’(SECS)(Epk’(SECB) • = Epk’(SECS + SECB) • Epk’(O’) * Epk’(WB) = Epk’(O’ + WB) • Generate (sk’,pk’) for this transaction • Generate a secret SECB • e = Epk’(SECB) • s = Signsk’(Epk’(SECB), ARG) • Generate CertpkB(pk’) Dsk’(Epk’(O’ + WB)) = O’ + WB ARG = An agreement between the buyer and the seller SECi = Secret string of i * = Embedding algorithm Ek(.) = Homomorphic encrypt with k’s public key Dk(.) = Homomorphic decrypt with k’s private key Signk(.) = Sign with k’s private key (skB,pkB), (sk’, pk’) = Buyer generated random key pair B = Buyer S = Seller O = Original Work O’, O” = Marked Work Of = Illegal Copy Wk = k’s Watermark

  20. CertCA(pkB), CertpkB(pk’), e SECB O’, Y, CertCA(pkB), CertpkB(pk’), ARG, e, s, SECS SECB e = Epk’(SECB) Zhang Protocol Identification and Arbitration A CA • Compute WB = SECS + SECB • W’ = Det(Y) • W’ = WB ? S B • Found Y • Dsk’(Epk’(SECB)) = SECB ARG = An agreement between the buyer and the seller SECi = Secret string of i * = Embedding algorithm Det(. , .) = Detection algorithm Ek(.) = Homomorphic encrypt with k’s public key Dk(.) = Homomorphic decrypt with k’s private key Signk(.) = Sign with k’s private key (skB,pkB), (sk’, pk’) = Buyer generated random key pair B = Buyer S = Seller A = Arbiter CA = Certificate Authority O = Original Work O’ = Marked Work Y = Illegal Copy Wk = k’s Watermark

  21. Analysis of Zhang et al. Protocols • Issues • Buyer can remove his part of the watermark easily since… • O’ + WB = O’ + SECS + SECB and • Buyer knows SECB, to remove… • O’ + SECS + SECB – SECB

  22. Summary • The motivation of BSW • The proposals to date • MW, Lei and Zhang • The issues • No formal security model, protocols designed in ad hoc manner • Current focus • To continue analyse other proposals (Ju, Choi, Goi), with issues when parties collude with each others (Seller colludes with WCA etc.)

  23. Thank You

More Related