230 likes | 419 Views
Geong Sen Poh 31 Oct 2006. Buyer-Seller Watermarking (BSW) Protocols. Outline. Introduction Motivation Development of BSW Goals, Methodology and Assumptions Protocols Memon-Wong Protocol (MW) Lei et al. Protocol (Lei) Zhang et al. Protocol (Zhang) Analysis of Zhang et al. Protocol
E N D
Geong Sen Poh 31 Oct 2006 Buyer-Seller Watermarking (BSW) Protocols
Outline • Introduction • Motivation • Development of BSW • Goals, Methodology and Assumptions • Protocols • Memon-Wong Protocol (MW) • Lei et al. Protocol (Lei) • Zhang et al. Protocol (Zhang) • Analysis of Zhang et al. Protocol • Summary
Motivation Seller Buyer • How can the seller identifies buyers that illegally distributed songs, movies etc.? • The seller can embeds unique watermarks… £££££ £££££ songs, movies etc. Distributes copies
Motivation • BUT… • The seller is the entity that generates and embeds the watermark into a digital work • If illegal copies are found and a buyer is identified through the embedded watermark, the buyer can claim that he/she is framed by the seller since the seller can embed the buyer’s watermark into any digital work. • SO… • Buyer-Seller Watermarking Protocol
Development of BSW 1998 IEEE MW 2003 ICISC 2004 IEEE Ju Lei 2004 ACNS 2003 ACNS 2006 IEE Goi Attack I Choi Attack I Zhang 2005 IWDW 2005 EUC Choi II Goi Attack II
Goals • No Framing • An honest buyer should not be falsely accused by a malicious seller or other buyers • No Repudiation • The buyer accused of reselling an unauthorised copy should not be able to claim that the copy was created by the seller or a security breach of the seller’s system • Traceability • A buyer who has illegally distributed digital works can be traced • Collusion Tolerance • An attacker should not be able to find, generate, or delete the fingerprint by comparing the marked copies, even if they have access to a large number of copies • Anonymity • A buyer should be able to buy anonymously • Unlinkability • Given two marked digital works, no one can decide whether or not they were bought by the same buyer B. M. Goi, R. C.-W. Phan, Y. Yang, F. Bao, R. H. Deng and M. U. Siddiqi, Cryptanalysis of Two Anonymous Buyer-Seller Watermarking Protocols and an Improvement for True Anonymity, ACNS 2004, LNCS 3089, pp. 369-382, 2004
Methodology • Interactive Protocol • Registration • Buy and Sell • Identification and Arbitration • Seller does not know the watermark • Buyer does not know the embedded watermark
Principals Involved • Buyer (B) • Seller (S) • Certificate Authority (CA) • Fully trusted • Issues certificates to WCA, A, B, and S • Watermark Certificate Authority (WCA) • Fully trusted • Issues and certifies buyer’s watermark • Arbiter (A) • Fully trusted • Resolves dispute between B and S
Assumptions • Each of the principals involved (e.g. buyer and seller) has a CA certified public and private key pair, (PKi, SKi) for i the identity of the principal • The public-key encryption algorithm is homomorphic
Homomorphic Encryption • E(x) + E(y) = E(x + y) • E(x) E(y) = E(x y) • Example: RSA • Paillier homomorphic encryption (in Zhang Protocol): • E(x) E(y) = E(x + y) • If the public key is: n,e then: • E(x1) E(x2) • = x1ex2e mod n • = (x1x2)e mod n • = E(x1 x2)
Request watermark EPKB(WB), SignWCA(EPKB(WB)) S does not know the watermark EPKB(WB), SignWCA(EPKB(WB)) EPKB(O’ * σ(WB)) B does not know the embedded watermark MW Protocol Registration, Buy and Sell WCA • Generate WB S B O’ = O * WS σ(EPKB(WB)) = EPKB(σ(WB)) EPKB(O’) * EPKB(σ(WB)) = EPKB(O’ * σ(WB)) DSKB(EPKB(O’ * σ(WB))) = O’ * σ(WB) B = Buyer S = Seller WCA = Watermark Certificate Authority O = Original Work O’ = Marked Work Wk = k’s Watermark σ = Random permutation of degree n * = Embedding algorithm Ek(.) = Encrypt with k’s public key Signk(.) = Sign with k’s private key
σ, EPKB(WB), SignWCA(EPKB(WB)), Y Request private key Private key MW Protocol Identification and Arbitration On discovering an illegal copy of O’, say Y, S can determine B by detecting σ(WB)embedded using a watermark detection algorithm and search the buyer details from his database. A S B B = Buyer S = Seller A = Arbiter WCA = Watermark Certificate Authority O = Original Work O’, O” = Marked Work Y = Illegal copy Wk = k’s Watermark σ = Random permutation of degree n * = Embedding algorithm Ek(.) = Encrypt with k’s public key Signk(.) = Sign with k’s private key
Issue with MW • MW Protocol achieved: • No Framing • No repudiation • Traceability • But… • No anonymity, • No unlinkability for the buyers
pkB CertCA(pkB) Anonymous key pair Lei Protocol Registration CA B • Generate certCA(pkB) • Generate (skB,pkB) ARG = An agreement between the buyer and the seller * = Embedding algorithm Ek(.) = Homomorphic encrypt with k’s public key Dk(.) = Homomorphic decrypt with k’s private key Signk(.) = Sign with k’s private key (skB,pkB), (sk’, pk’) = Buyer generated random key pair B = Buyer S = Seller O = Original Work O’, O” = Marked Work Wk = k’s Watermark
CertpkB(pk’), ARG, s, O’ S & B do not know the watermark Epk’(WB), EWCA(WB), SWCA, pk’, s Unlinkable key pair CertCA(pkB), CertpkB(pk’), ARG, s Epk’(O’ * WB) Lei Protocol Buy and Sell WCA • Generate WB • SWCA= SignWCA(WB) S B • O’ = O * WS • Generate (sk’,pk’) for this transaction • s = Signsk’(ARG) • Generate CertpkB(pk’) • Epk’(O’) * Epk’(WB) = Epk’(O’ * WB) Dsk’(Epk’(O’ * σ(WB))) = O’ * σ(WB) ARG = An agreement between the buyer and the seller * = Embedding algorithm Ek(.) = Homomorphic encrypt with k’s public key Dk(.) = Homomorphic decrypt with k’s private key Signk(.) = Sign with k’s private key (skB,pkB), (sk’, pk’) = Buyer generated random key pair B = Buyer S = Seller WCA = Watermark Certificate Authority O = Original Work O’, O” = Marked Work Wk = k’s Watermark
WB EWCA(WB) O’, Y, CertCA(pkB), CertpkB(pk’), ARG, s, Epk’(WB), EWCA(WB), SWCA Lei Protocol Identification and Arbitration On discovering an illegal copy of O’, say Y, S carries out the following steps: A WCA • W’ = Det(Y) • W’ = WB ? S ARG = An agreement between the buyer and the seller * = Embedding algorithm Det(. , .) = Detection algorithm Ek(.) = Homomorphic encrypt with k’s public key Dk(.) = Homomorphic decrypt with k’s private key Signk(.) = Sign with k’s private key (skB,pkB), (sk’, pk’) = Buyer generated random key pair S = Seller A = Arbiter WCA = Watermark Certificate Authority O = Original Work O’, O” = Marked Work Y = Illegal Copy Wk = k’s Watermark
Zhang Protocol • Similar to Lei Protocol except that there is no WCA • No need WCA to generate and certify watermark: • S generates his part of the watermark • B generates his part of the watermark • The final watermark embedded in the digital work is the combination of S and B’s watermarks
pkB CertCA(pkB) Zhang Protocol Registration CA B • Generate certCA(pkB) • Generate (skB,pkB) ARG = An agreement between the buyer and the seller SECi = Secret string of i * = Embedding algorithm Ek(.) = Homomorphic encrypt with k’s public key Dk(.) = Homomorphic decrypt with k’s private key Signk(.) = Sign with k’s private key (skB,pkB), (sk’, pk’) = Buyer generated random key pair B = Buyer CA = Certificate Authority O = Original Work O’, O” = Marked Work Of = Illegal Copy Wk = k’s Watermark
CertCA(pkB), CertpkB(pk’), ARG, e, s Epk’(O’ * WB) Zhang Protocol Buy and Sell S B • O’ = O * WS • Epk’(WB) = Epk’(SECS)(Epk’(SECB) • = Epk’(SECS + SECB) • Epk’(O’) * Epk’(WB) = Epk’(O’ + WB) • Generate (sk’,pk’) for this transaction • Generate a secret SECB • e = Epk’(SECB) • s = Signsk’(Epk’(SECB), ARG) • Generate CertpkB(pk’) Dsk’(Epk’(O’ + WB)) = O’ + WB ARG = An agreement between the buyer and the seller SECi = Secret string of i * = Embedding algorithm Ek(.) = Homomorphic encrypt with k’s public key Dk(.) = Homomorphic decrypt with k’s private key Signk(.) = Sign with k’s private key (skB,pkB), (sk’, pk’) = Buyer generated random key pair B = Buyer S = Seller O = Original Work O’, O” = Marked Work Of = Illegal Copy Wk = k’s Watermark
CertCA(pkB), CertpkB(pk’), e SECB O’, Y, CertCA(pkB), CertpkB(pk’), ARG, e, s, SECS SECB e = Epk’(SECB) Zhang Protocol Identification and Arbitration A CA • Compute WB = SECS + SECB • W’ = Det(Y) • W’ = WB ? S B • Found Y • Dsk’(Epk’(SECB)) = SECB ARG = An agreement between the buyer and the seller SECi = Secret string of i * = Embedding algorithm Det(. , .) = Detection algorithm Ek(.) = Homomorphic encrypt with k’s public key Dk(.) = Homomorphic decrypt with k’s private key Signk(.) = Sign with k’s private key (skB,pkB), (sk’, pk’) = Buyer generated random key pair B = Buyer S = Seller A = Arbiter CA = Certificate Authority O = Original Work O’ = Marked Work Y = Illegal Copy Wk = k’s Watermark
Analysis of Zhang et al. Protocols • Issues • Buyer can remove his part of the watermark easily since… • O’ + WB = O’ + SECS + SECB and • Buyer knows SECB, to remove… • O’ + SECS + SECB – SECB
Summary • The motivation of BSW • The proposals to date • MW, Lei and Zhang • The issues • No formal security model, protocols designed in ad hoc manner • Current focus • To continue analyse other proposals (Ju, Choi, Goi), with issues when parties collude with each others (Seller colludes with WCA etc.)