Proceedings of the 37th Annual Hawaii International Conference on System Sciences, 2004

Abstract

Analysis by Forrester research revealed that 18% of global exports will flow online in 2004 and that the volume of e-commerce will surpass $400 billion. Digital rights protection is a major issue in the e-commerce of multimedia contents. Watermarking technology has been proposed as a promising enabling technology for the rights protection of multimedia digital contents. A unique watermark is embedded in each piece of multimedia contents before it is distributed to a customer. When unauthorized copies of a piece of contents are found, the customer who owns the contents can be readily identified by means of the embedded watermark. However, the unauthorized copies may also come from the content provider itself. It is therefore a challenging problem to determine whether an unauthorized copy is distributed by an unethical customer or by an unethical content provider. In this paper, we propose a watermarking protocol to address the problem using cryptographic technologies. Our protocol employs a commutative encryption algorithm to protect the privacy of watermarks. Information is doubly locked by two encryption keys kept separately by a customer and a content provider. In the protocol, a customer only gets a piece of watermarked multimedia contents in a transaction and the content provider has no idea how the watermark is formed. This facilitates the authority to determine the unethical party in case of unauthorized distribution of digital contents. We also discuss a couple of common attacks and show that our protocol can defend successfully against them.

1.   Introduction

The Moving Pictures Experts Group audio layer 3 (MP3) [15] compression format has gained popularity for distributing digital music over the Internet. The MP3 format allows raw digital music to be compressed down to one-tenth or more in size, while still keeping reasonably high fidelity. Furthermore, with peer-to-peer applications like Napster [17], KaZaA [11], and Morpheus [16], digital contents can be distributed over the Internet without control. This promotes unauthorized acts like unauthorized copying and distributing of digital contents. It was estimated that the music industry suffered an annual business loss of five billion dollars [6]. This makes major music companies hesitant to sell music in digital formats over the Internet. In order to reinforce protection and access control to digital contents, digital rights management (DRM) systems were introduced [13]. DRM systems support a security infrastructure for the distribution of tailor-made protected digital contents with digital rights to individual customers.

Analysis by Forrester research [7] revealed that 18% of global exports will flow online in 2004 and that the volume of e-commerce will surpass $400 billion. As a significant portion of the trades is expected to deal with multimedia contents, digital rights protection becomes an eminent issue in e-commerce. Digital watermarking has been proposed as a promising technique employed by various DRM systems to achieve rights management. It supports rights information, such as the owner's identity, transaction dates and serial numbers, to be embedded as unperceivable signals into digital contents. For example, watermarking techniques for audios are based on the imperfection of the human auditory system. Since human ears are insensitive to small level changes and low-amplitude echoes, watermark signals embedding rights information can be encoded at the frequency domain by making small spectral magnitude changes [12]. Furthermore, there exist robust watermarking techniques that can resist tampering and allow watermark signals to be later detected and extracted. These watermark signals recover the rights information originally embedded in a piece of digital contents. Origins of pirate copies can thus be traced, therefore deterring unauthorized distribution or copying of digital contents.

Figure 1: The Processes for (a) Watermark Insertion and (b) Watermark Detection

We distinguish the roles of customers and content providers in the modeling of watermarking infrastructures for digital rights management. Based on this model, a novel watermarking protocol is proposed to address a common problem in Internet trading where customers and content providers may not have mutual trusts.

The remainder of this paper is organized as follows. Section 2 overviews the watermarking infrastructure and related work in watermarking protocol. Section 3 proposes a watermarking protocol based on a commutative encryption scheme. Section 4 presents a security analysis of the protocol. Section 5 discusses the applicability and issues in deploying the protocol. Finally, we conclude at Section 6.

2.   Background and related work

In this section, we present the basic principle of watermarking schemes and the advantages of our watermarking protocols, by comparing related works.

2.1 Principle of Watermarking Schemes

Watermarking schemes refer to the use of signal processing techniques to process watermarking signals in a piece of digital contents. Existing watermarking schemes generally involve two stages: watermark insertion and watermark detection, as shown in figure 1.

Suppose we have a digital content X, a watermark W, and a permutation function σ. A piece of watermarked contents X' can be generated where $X' = I(X, W, \sigma)$.

Let us explain the principle of the insertion scheme based on a popular secure spread-spectrum watermarking technique proposed by Cox et al. (1997). In the spread-spectrum technique, we assume the content X to be a vector of “features” $X = \{x_1, x_2, \ldots, x_n\}$ and the watermark signal to be a vector of “watermark elements” $W = \{w_1, w_2, \ldots, w_m\}$ with $n \geq m$. The permutation function σ is a bijection that shuffles the watermark elements before inserting them into the content X. As such, the shuffled watermark is a vector $\sigma(W) = \{w'_1, w'_2, \ldots, w'_m\}$ where $w'_i = \sigma(w_j)$ with $i, j \leq m$. The permutation function protects the secrecy of the watermark to be inserted into the content X. Shuffled watermark elements are then inserted into the m most significant components of content X by means of an insertion operation $\oplus$ such that X' in the insertion algorithm I is given by:

$$X \oplus \sigma(W) = \{x_1 \oplus w'_1,\ x_2 \oplus w'_2,\ \ldots,\ x_n \oplus w'_m\} \tag{1}$$

Corresponding to the watermark insertion function I, there is a watermark detection function D, which returns a confidence measure of the existence of a watermark W in a piece of contents X'. A watermarking technique is referred to as non-blind watermarking when its detection function D requires the knowledge of the original contents X, i.e.,

$$D(X, X', W, \sigma) = \begin{cases} \text{true} & \text{if } W \text{ exists in } X' \\ \text{false} & \text{if } W \text{ does not exist in } X' \end{cases}$$

If D does not require the original content X, the scheme is called oblivious watermarking [10]. There are two main scenarios where watermarking techniques are used for rightful ownerships. In the first scenario, the content provider of a piece of digital content inserts a unique watermark into the content. If a copy of the content is later found, the content provider can prove its ownership by detecting its unique watermark from the contents. In the second scenario, because content providers can insert different watermarks into the sold content to identify each of their customers, the origin of that copy can be traced if a pirated copy is found.

2.2 Watermarking Infrastructure

We identify three distinguished roles in a watermarking infrastructure for digital rights management, viz., Customer, Content provider and Public authority (or Trusted Third Party) as shown in Figure 2. Customers are the end users of digital contents. Each copy of digital contents is individually watermarked to identify its customer. Content providers are sellers of digital contents; they own the rights of digital contents. They employ their own, possibly proprietary, watermarking techniques to embed watermarks into digital contents before selling them to customers.

Figure 2: Overview of a Watermarking Infrastructure for Digital Rights Protection

Public authorities are trusted third parties to resolve watermark disputes between customers and content providers. Based on the evidence submitted by a content provider, a public authority will decide whether an allegation against a customer is justified. Studies have been made to examine the issues in digital rights management under different variations of these three roles in a watermarking infrastructure [19],[21],[9],[8],[14],[4],[13].

2.3 Watermarking Protocols

Watermarking protocols govern the process of exchanging watermarks and watermarked digital contents in a watermarking infrastructure. A watermarking protocol generally comprises three major processes: watermark generation, watermark insertion, and dispute resolution. The watermark generation process concerns the creation of a legitimate watermark that can identify a customer. The watermark insertion process concerns the insertion of watermarks to digital contents and the distribution of watermarked contents reliably to customers. The dispute resolution concerns the resolution of digital rights upon the detection of suspected copies. In connection to these three major processes, latest researches on watermarking protocol generally address the six issues as tabulated in Table 1. Regarding the issues (b) to (f), different work makes different assumptions on the degree of trusts.

Table 1: Research Issues of Watermarking Protocols

There are few technical research issues in the protection of watermark secrecy in the process of watermark generation. As such, most existing work does not address issue (a). This issue is addressed similarly in [14] and [4] by having customers present a valid public key when requesting a legitimate watermark from a Watermark Certification Authority. That public key must be recognized by a trusted Public Key Infrastructure (PKI) Certification Authority. Issue (b) is addressed by almost all proposed watermarking protocols in the way that customers are not trusted to provide a legitimate watermark. To resolve this issue, most protocols make content providers responsible for the watermark generation.

Several studies have been made to address the problem that content providers may not be trusted in the process of watermark insertion, i.e., the issue (c) in Table 1. Qiao and Nahrstedt [19] suggested two ways to tackle the problem. One is to introduce a trusted third party (TTP). The content provider first sends the original content to the TTP; the content is encrypted with a symmetric key system. Then the watermark is generated at the TTP and inserted into the original content. Finally, the watermarked content is delivered to the customer through a secured channel between the TTP and the customer. Another alternative is to use cryptographic protocols between content providers and customers. The content provider uses the customer's unique identification certificate (a random bit sequence) to generate the watermark. This identification certificate is generated by the customer using the standard DES (Data Encryption Standard) algorithm [21] and contains an encrypted copy of the seed information privately agreed between the customer and the content provider. The encryption key of the identification certificate is known only to the customer. This protocol prevents content providers from generating identification certificates without customers' involvement. However, it still relies on the honesty of the content providers not to abuse the identification certificates and not to disseminate them to other parties. Another watermarking protocol is proposed by Jun et al. [9] for digital contents rights protection. Like the approach by Qiao and Nahrstedt [19], it assumes a trusted third party called monitoring service provider (MSP) to keep all the inserted watermarks.

Regarding the dispute resolution phase, most watermarking protocols require contents and sensitive information to be revealed to a third party, commonly referred to as a public authority, for verification. If the public authority cannot be trusted, problems will arise as a watermark can be removed easily when it is known. To address the issue (f) in Table 1, Gopalakrishnan et al. [8] suggested a protocol that does not need to reveal watermarks to a public authority in the dispute resolution phase. However, this scheme has a disadvantage: the verification procedure can be expensive and complicated.

Amongst existing watermarking protocols that we are aware of, the ones proposed by Memon [14] and Cheung [4] offer the highest protection to customers in the sense that they restrict a piece of watermarked content to be used only by its customer. The protocols address the issue (c) where unethical content providers can frame customers. For instance, a content provider might reproduce a copy of watermarked contents that were purchased by a customer, distribute it illegally, and subsequently sue the customer for compensation. Their protocols make use of encrypted watermarks acquired from a trusted watermarking certification authority.

However, two problems remain unsolved. Firstly, the quality of watermarked digital contents cannot be verified at the content provider site because the content provider can only access an encrypted version of a customer's watermark in the watermark certificate. Secondly, watermarked digital contents cannot be subject to lossy compression in their distribution. These problems are addressed with the use of a commutative encrypted watermarking protocol proposed in this paper. Our watermarking protocol is designed to address the following issues in trust.

  1. The privacy of customers' watermarks should be maintained because these watermarks identify customers.
  2. Customers cannot be trusted to release their genuine watermark or not to distribute unauthorized copies. In addition, customers cannot be trusted to reveal their watermarks used in ‘suspected’ unauthorized copies during the process of watermark dispute resolution.
  3. Content providers cannot be trusted not to abuse the watermark provided by customers. The genuineness of evidence submitted by content providers during the process of watermark dispute resolution must be verifiable.
  4. To facilitate scalability, public authorities (or trusted third parties) are only involved in dispute resolution.

3.   Protocol Description

In this section, we propose a new protocol aiming to protect the privacy of the watermark in the e-commerce of digital contents over the Internet. It allows the customer to obtain a watermarked copy of digital contents without revealing the watermarked copy to the content provider.

3.1 An Illustrative Example

The protocol involves three generic parties, i.e., a customer, a content provider and a public authority. The underlying idea of our protocol is simple and can be demonstrated with the following illustrative example. We assume that each customer owns at least two legitimate watermarks identifying the customer. After paying the content provider, the customer provides both of his watermarks to the content provider, and the latter generates two different watermarked digital contents $M^{(1)}$ and $M^{(2)}$ based on these two different watermarks. Assume that each of these watermarked contents is composed of 32 frames, and that the two watermarks are embedded into each and every individual frame. The customer then obtains a complete copy of watermarked digital contents by picking, at his own will, the first frame of the complete copy from either $M^{(1)}$ or $M^{(2)}$, the second frame of the complete copy from either $M^{(1)}$ or $M^{(2)}$, and so on. Consequently, this complete copy of watermarked digital contents is associated with a watermark pattern $\{k_1, k_2, \ldots, k_{32}\}$, such that $k_i = 0$ if the frame i is picked from $M^{(1)}$ and $k_i = 1$ if the frame i is picked from $M^{(2)}$. Cryptographic technologies are employed in our protocol to ensure that the customer can only obtain one complete digital contents embedded with the customer's two watermarks in a particular watermark pattern, and that the watermark pattern is not revealed to the content provider. In other words, the content provider has no idea what the watermark pattern of the contents is that the customer obtains after a transaction. Thus, the privacy of the watermark pattern is protected. A detailed description of the protocol will be given in section 3.3.

3.2 Commutative Encryption Algorithms

We employ in the proposed protocol a special class of encryption algorithms that have the property of being commutative. One instance of such encryption algorithms is that proposed in [3]. An encryption algorithm CE is commutative if it satisfies the following property: for any two keys $k_1$ and $k_2$ and any message $m$,

$$CE(k_1, CE(k_2, m)) = CE(k_2, CE(k_1, m)) \tag{2}$$

The decryption of a cipher message $c = CE(k, m)$ is denoted $m = CE^{-1}(k, c)$. It should be noted that if a message is encrypted by two different keys $k_1$ and $k_2$, then it can be recovered by decrypting the cipher message using $k_1$, followed by decrypting using $k_2$. The original message can also be recovered by decrypting the cipher message using $k_2$, followed by decrypting using $k_1$.

3.3 Message Flows in the Protocol

Here, let us explain the protocol as a sequence of messages among the involved parties.

On receiving the buying request of a digital contents M and the due payment from the customer, the content provider generates two identical copies of M (denoted as $M^{(1)}$ and $M^{(2)}$), and splits each copy into ζ frames, i.e.,

$$M^{(i)} = \{m^{(i,1)}, m^{(i,2)}, \ldots, m^{(i,\zeta)}\}, \quad i \in \{1, 2\} \tag{3}$$

Let the customer's two watermarks be $W_A^{(1)}$ and $W_A^{(2)}$. The content provider then embeds $W_A^{(1)}$ into each of the ζ frames of $M^{(1)}$ and $W_A^{(2)}$ into each of the ζ frames of $M^{(2)}$, effectively producing two pieces of watermarked contents $M_A^{(1)}$ and $M_A^{(2)}$, respectively. That is:

$M_A^{(i)} = \{m_A^{(i,1)}, m_A^{(i,2)}, \ldots, m_A^{(i,\zeta)}\}$, where

$$m_A^{(i,j)} = m^{(i,j)} \oplus W_A^{(i)}, \quad i \in \{1, 2\},\ j \in \{1, 2, \ldots, \zeta\} \tag{4}$$

The content provider then arbitrarily selects a secret key S and uses a commutative cryptosystem CE to encrypt the 2ζ frames $m_A^{(i,j)}$ and generates two encrypted digital contents vectors $C_1$ and $C_2$ as follows:

$$\begin{cases} C_1 = (c^{(1,1)}, c^{(1,2)}, \ldots, c^{(1,\zeta)}), & \text{where } c^{(1,j)} = CE(S, m_A^{(1,j)}) \\ C_2 = (c^{(2,1)}, c^{(2,2)}, \ldots, c^{(2,\zeta)}), & \text{where } c^{(2,j)} = CE(S, m_A^{(2,j)}) \end{cases} \tag{5}$$

The content provider sends $C_1$ and $C_2$ to the customer A. When the customer A receives $C_1$ and $C_2$, it constructs a new encrypted vector $C = (c_1, c_2, \ldots, c_\zeta)$ by arbitrarily choosing $c_i$ from either $c^{(1,i)}$ or $c^{(2,i)}$ as follows. A first arbitrarily chooses a ζ-bit integer $K_A$, which is denoted as a bit pattern $\{k_1, k_2, \ldots, k_\zeta\}$ where $k_j \in \{0, 1\}$, and constructs $C = (c_1, c_2, \ldots, c_\zeta)$ by:

$$c_j = \begin{cases} c^{(1,j)} & \text{if } k_j = 0 \\ c^{(2,j)} & \text{if } k_j = 1 \end{cases} \tag{6}$$

After generating C, A arbitrarily chooses a secret key R and uses the commutative cryptosystem CE to encrypt C to get an encrypted vector $D = \{d_1, d_2, \ldots, d_\zeta\}$, where

$$d_i = CE(R, c_i) = CE(R, CE(S, m_A^{(k_i+1,\,i)})) = CE(S, CE(R, m_A^{(k_i+1,\,i)})) \tag{7}$$

Then the customer A sends the encrypted vector D to the content provider, who decrypts vector D with S and gets the vector U,

$$U = \{u_1, u_2, \ldots, u_\zeta\}, \quad \text{where } u_i = CE^{-1}(S, d_i) \tag{8}$$

It should be noted that:

$$\begin{aligned} u_i &= CE^{-1}(S, d_i) = CE^{-1}(S, CE(R, c_i)) = CE^{-1}(S, CE(R, CE(S, m_A^{(k_i+1,\,i)}))) \\ &= CE^{-1}(S, CE(S, CE(R, m_A^{(k_i+1,\,i)}))) = CE(R, m_A^{(k_i+1,\,i)}) \end{aligned}$$

After the decryption, the content provider sends U to A. Note that the content provider does not know from which of $M_A^{(1)}$ and $M_A^{(2)}$ the customer A chooses each frame, as the vector D is encrypted by the customer A with a key R unknown to the content provider.

The customer A now obtains from U all ζ frames of watermarked contents $m_A^{(i)}$ by decrypting each $u_i$ in vector U with the key R, i.e., $m_A^{(k_i+1,\,i)} = CE^{-1}(R, u_i) = CE^{-1}(R, CE(R, m_A^{(k_i+1,\,i)}))$. As a result, the customer A gets a complete piece of watermarked contents $M_A$ by assembling these frames in sequence, i.e., $M_A = \{m_A^{(k_1+1,\,1)}, m_A^{(k_2+1,\,2)}, \ldots, m_A^{(k_\zeta+1,\,\zeta)}\}$.

In order to generate evidence for resolving possible piracy disputes in the future, the customer A should send an encapsulated data $B_A = E_{Authority}(K_A, H(M_A))$ to the content provider for record purposes, where $K_A$ is the ζ-bit integer chosen by the customer A to compute C, $H(M_A)$ is a secure hash function value on $M_A$, and $E_{Authority}$ is an encryption function using the public key of the public authority. The content provider keeps $B_A$ and returns a self-signed copy of $B_A$ to A as a receipt. The content provider keeps records of all transactions in his database, where each transaction is summarized as a five-tuple $\langle TN, ID_A, W_A^{(1)}, W_A^{(2)}, B_A \rangle$, where TN is the transaction number (we assume that this number can refer to which digital contents M is sold in this transaction), $ID_A$ is the identity information of the customer, and $W_A^{(1)}$ and $W_A^{(2)}$ are the two watermarks. If suspected unauthorized distribution of $M_A$ is detected, the content provider should reconstruct $M_A^{(1)}$ and $M_A^{(2)}$ with $W_A^{(1)}$ and $W_A^{(2)}$, and then submit $M_A^{(1)}$ and $M_A^{(2)}$ with the transaction record to the public authority, who will determine who is guilty by decrypting and checking the data $B_A$. We will discuss this issue in detail later. A block diagram depicting the above protocol is shown in Figure 3.

Figure 3: The interactive protocol between CP and customer

4.   Security Analysis

In this section, we present a security analysis of our protocol by considering several possible attacks on the system. We also explain how our protocol defends against those attacks.

4.1 Attacks from CP

Let us first consider attacks originating from a CP.

Theorem 1

The CP can never know the form information of the watermark in $M_A$, even if he tries to perform incorrectly.

Lemma 1

It is impossible for the CP to figure out which $c^{(i,j)}$, $i \in \{1, 2\}$ and $j \in \{1, 2, \ldots, \zeta\}$, the customer A selects.

From the description in section 3, we can see that the only available information for the CP from the customer A is $D = \{d_1, d_2, \ldots, d_{32}\}$, where $d_i = CE(R, c_i)$. To trace the origin of $c_i$ (i.e., to find out whether $c_i$ is $c^{(1,i)}$ or $c^{(2,i)}$), the CP has to calculate $c_i$ from $d_i$ without knowing R, which is the secret key held privately by the customer A. Such computation, however, is as hard as breaking the encryption algorithm CE, which is generally agreed to be computationally intractable. Therefore, the privacy of the watermark in $M_A$ is protected. Note that the value of R is randomly chosen by the customer A in each transaction. There is no relation between the values of R across transactions.

Lemma 2

The CP cannot cheat the customer by generating two completely identical pieces of watermarked contents $M_A^{(i)}$ without being detected.

Another possible attack from the CP is to generate two pieces of identical watermarked contents instead of two different ones so that he can easily trace the origin of $c_i$. Such cheating of the CP, however, will be detected by the customer A or the public authority in our protocol. To cheat, the CP has the following two methods.

  1. The CP encrypts the two identical copies of $M_A^{(i)}$ using the same key S to get $C_1 = (c^{(1,1)}, c^{(1,2)}, \ldots, c^{(1,\zeta)})$ and $C_2 = (c^{(2,1)}, c^{(2,2)}, \ldots, c^{(2,\zeta)})$, which are sent to A. In such a case, however, A can easily notice the cheating behavior of the CP, since $c^{(1,i)}$ equals $c^{(2,i)}$ for each $i \in \{1, 2, \ldots, \zeta\}$;
  2. The CP encrypts the two identical copies of $M_A^{(i)}$ using two different keys $S_1$ and $S_2$, and thus $C_1 = (c^{(1,1)}, c^{(1,2)}, \ldots, c^{(1,\zeta)})$ and $C_2 = (c^{(2,1)}, c^{(2,2)}, \ldots, c^{(2,\zeta)})$ are different. In such a case, A is not aware of the cheating when receiving $C_1$ and $C_2$, and then performs the protocol normally as described in section 3. However, the CP has trouble when performing the decryption on D encrypted by A. That is, the CP does not know which key ($S_1$ or $S_2$) should be used for the decryption of $d_i$, since he does not know whether $d_i$ corresponds to $c^{(1,i)}$ or $c^{(2,i)}$. It is hard for the CP to choose the right key for decryption on all ζ frames (the probability of success is $1/2^\zeta$). Clearly, decryption of $d_i$ by the CP with a wrong key will lead to an invalid $M_A$ finally obtained by A. Such cheating of the CP will then be detected when A requests the public authority to check all data in the protocol. Assuming that the CP needs to be authenticated before participating in a trade, he cannot deny what he has generated since he has signed $C_1$, $C_2$ and U for non-repudiation.

From the above theorem, we have shown that our protocol successfully defends against the attacks from the CP, which ensures that the CP cannot frame a customer for pirating successfully.
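The message flow of section 3.3 and the two cheating cases of Lemma 2, as an added example that is not code from the paper. It assumes CE is modular exponentiation (the form $c_i = m_i^S \bmod p$ that the proof of Theorem 2 refers to), uses a toy-sized prime, and replaces real watermark embedding with constructed labelled frames; signatures and $B_A$ are left out, and all function names are hypothetical.

```python
import secrets
from math import gcd

# Toy-sized prime modulus (2**127 - 1), picked for readability. It is an
# assumption of this example, not a parameter taken from the paper.
P = 2**127 - 1
ZETA = 32  # number of frames, as in the illustrative example


def keygen():
    """Random exponent that is invertible mod P-1, so CE^-1 exists."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if gcd(k, P - 1) == 1:
            return k


def ce(k, m):
    """CE(k, m) = m^k mod P. Commutative: (m^a)^b = (m^b)^a."""
    return pow(m, k, P)


def ce_inv(k, c):
    """CE^-1(k, c): raise c to the inverse exponent k^-1 mod (P-1)."""
    return pow(c, pow(k, -1, P - 1), P)


def watermarked_copy(i):
    """Constructed stand-in for M_A^(i): frame j labelled with watermark i."""
    return [int.from_bytes(f"frame-{j:02d}|W{i}".encode(), "big")
            for j in range(ZETA)]


def provider_encrypt(S1, S2, MA1, MA2):
    """Eq. (5). An honest provider uses one key, S1 == S2 == S."""
    return [ce(S1, m) for m in MA1], [ce(S2, m) for m in MA2]


def customer_select(R, K, C1, C2):
    """Eqs. (6)-(7): take c_j from C1 or C2 by bit k_j, then lock with R."""
    if any(a == b for a, b in zip(C1, C2)):
        # Lemma 2, case 1: identical copies under one key are visible here.
        raise ValueError("C1 and C2 contain an identical frame")
    return [ce(R, (C1, C2)[k][j]) for j, k in enumerate(K)]


def provider_unlock(S, D):
    """Eq. (8): strip S. What remains is still locked with R."""
    return [ce_inv(S, d) for d in D]


def customer_recover(R, U):
    """Final step: strip R to obtain the chosen watermarked frames."""
    return [ce_inv(R, u) for u in U]


def run_transaction(S1, S2, identical_copies=False):
    """One protocol run. Returns (K, frames received by A, MA1, MA2)."""
    MA1 = watermarked_copy(1)
    MA2 = MA1 if identical_copies else watermarked_copy(2)
    R = keygen()
    K = [secrets.randbelow(2) for _ in range(ZETA)]
    C1, C2 = provider_encrypt(S1, S2, MA1, MA2)
    D = customer_select(R, K, C1, C2)
    # The provider cannot see k_j in D, so a two-key cheater has to guess
    # which key to strip from each d_j; this run models the guess "always S1".
    U = provider_unlock(S1, D)
    return K, customer_recover(R, U), MA1, MA2


if __name__ == "__main__":
    S = keygen()
    K, got, MA1, MA2 = run_transaction(S, S)
    print("honest run ok:", got == [(MA1, MA2)[k][j] for j, k in enumerate(K)])
```

With two keys and identical copies, every frame the customer picked from $C_2$ decodes to an invalid value, which is the failure Lemma 2 relies on for detection.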

4.2 Attacks from Customer

In the following, let us discuss several possible attacks from the customer and explain how these can be defended in our protocol.

Theorem 2

The customer A can obtain only one piece of valid watermarked contents $M_A$ in one execution of the protocol.

One possible attack from a customer A is to obtain two or more valid $M_A$ (say, $M_A$ and $M_A'$) so that A can make unauthorized distribution of $M_A$ without being accused. However, acquisition of two or more valid $M_A$ is impossible. Firstly, it is unlikely that the CP performs the decryption operation on more than one vector D sent by A. Therefore, A cannot get two different $M_A$ by sending two D to the CP. Actually, the situation of the customer A can be considered as follows.

Suppose A has already retrieved ζ frames $m_A^{(i)}$, $m_A^{(i)} \in \{m_A^{(1,i)}, m_A^{(2,i)}\}$ for $i \in \{1, 2, \ldots, \zeta\}$. Now, A tries to recover extra $m_A^{(i,j)}$, $i \in \{1, 2\}$, $j \in \{1, 2, \ldots, \zeta\}$, without the decryption help from the CP. The problem is equivalent to this:

Having $c_1, m_1, c_2, m_2, \ldots, c_\zeta, m_\zeta$ such that $c_1 = CE(S, m_1)$, $c_2 = CE(S, m_2)$, $\ldots$, $c_\zeta = CE(S, m_\zeta)$, A then tries to find $m_i$ such that $c_i = CE(S, m_i)$ for the unknown S.

There are two possible solutions to the problem. The first one is to find S through $c_i = m_i^S \bmod p$ for $i = 1, 2, \ldots, 32$. However, such computation is also equivalent to breaking the encryption algorithm CE. As we have mentioned in Lemma 1, such breaking is difficult.

The second one is to calculate $c_i$ from $c_1, c_2, \ldots, c_{32}$ through some arithmetic operations. Such an attack is also infeasible if we employ a carefully designed CE.

Theorem 3

The customer A cannot cheat our system by encapsulating a false $K_A$ in the $B_A$ sent to the CP.

As described in section 3, the customer randomly generates a ζ-bit integer $K_A$ for choosing frames from vectors $C_1$ and $C_2$, and finally obtains the corresponding watermarked contents $M_A$. Suppose the customer A puts a false $K_A'$, instead of $K_A$, in $B_A$ to generate a $B_A' = E_{Authority}(K_A', H(M_A))$, which is sent to the CP to record. Although the CP cannot notice A's trick since $B_A'$ is encrypted with the public key of the public authority, such cheating by A will be detected by the authority when unauthorized copies of $M_A$ are found. That is, when receiving an accusation request from the CP, the authority decrypts $B_A'$ for checking. From $K_A'$, the authority can recover a piece of watermarked contents, denoted by $M_A'$. Clearly, $M_A' \neq M_A$ since $K_A' \neq K_A$. However, A is also judged to be guilty because the hash value of the recovered $M_A'$ does not equal $H(M_A)$, which is extracted from $B_A'$.

With Theorem 2 and Theorem 3, we show that our protocol is secure against the attacks from the customer as well, which means that a customer making unauthorized distribution will always be successfully identified.

5.   Discussions

Here, let us discuss some issues regarding the applicability of the commutative encrypted watermarking protocol.

5.1 Authentication

We skipped authentication details when presenting our protocol in the sections above. Actually, authentication is necessary in some situations; say, before making payment, the customer should authenticate the identity of the CP. Similarly, the CP will only do the decryption operation for a customer who has made the corresponding payment. There are many ways to do authentication, such as public key solutions, secret key solutions, password based solutions and so on. In our protocol, we assume that both the CP and the customer possess a private/public key pair and a corresponding certificate issued by a trusted Certification Authority (CA) prior to the transaction. Thus, the public key solution for authentication is applicable in our protocol. Note that there is a trusted public authority (PA) in our scheme who resolves the disputes of unauthorized distribution between customers and the CP, and the CA can also take the role of the PA here.

5.2 Non-repudiation

It is possible that the customer or the CP is dishonest sometimes during the transaction (say, the CP makes a false decryption in step 3, after receiving the payment from the customer). When a dispute occurs between the customer and the CP in a transaction, they may need the public authority to judge who is cheating. The solution is to require that the customer sign D and the CP sign $C_1$, $C_2$ and U. While processing the dispute, the public authority may request the cooperation of either the CP or the customer to check D and U. Non-repudiation is also necessary in step 5 and step 6. That is, both the customer and the CP should sign $B_A$ as the non-repudiation evidence, such that the customer cannot deny having generated $B_A$ and the CP cannot deny having received $B_A$.

5.3 Fair exchange

If the customer follows the protocol faithfully, the CP gets the payment and the customer gets one watermarked digital contents without revealing the formed information of the watermark to the CP. However, either the CP or the customer may stop the protocol unexpectedly. For example, after getting the payment the CP may stop the protocol and refuse to send the contents to the customer, or the customer may break the protocol after getting U (with the further step of decryption, the customer can get the watermarked contents), without sending a $B_A$ to the CP as evidence. To solve this problem, the financial cryptography protocol named fair exchange may be applied, which achieves strong fairness between the two parties in a transaction. For more details on fair exchange, please refer to [1],[2].

5.4 Unauthorized distribution

When unauthorized copies of a piece of watermarked contents, denoted by $M_A'$, are detected, the CP may accuse the customer A of pirating behavior by submitting some evidence to the public authority. As we addressed in section 3.3, the CP maintains a record list $L: \{TN, ID_A, WM_A^{(i)}, i \in \{1, 2\}, B_A\}$ of each transaction. From the record list L, the CP can recover $M_A^{(i)}$, $i \in \{1, 2\}$, as in equation (4), and then submits $M_A^{(i)}$ and $B_A$ to the public authority for verification. By decrypting $B_A$ with his private key, the authority gets $K_A$ and $H(M_A)$. From $M_A^{(i)}$, $i \in \{1, 2\}$, and $K_A$, the authority can assemble the watermarked contents $M_A$ obtained by customer A in the transaction, as in equation (6). By verifying whether $M_A' = M_A$, the authority may determine who is guilty. That is, if $M_A' = M_A$ then A must be guilty of pirating; if $M_A' \neq M_A$ then the CP made the unauthorized distribution himself. Note that, after recovering $M_A$ using $K_A$, the authority also checks whether $H(M_A)$ equals the hash value in $B_A$; if not, then A is also proven guilty even if $M_A' \neq M_A$. In this way, the customer A cannot make unauthorized distribution without being accused by encapsulating a false $K_A$ in the $B_A$ sent to the CP.
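The authority's decision procedure described above, as an added example that is not code from the paper. It assumes $B_A$ has already been decrypted by the authority into its two fields, uses SHA-256 as the hash H, and uses constructed labelled frames in place of real watermarked contents; the function names and the record layout are hypothetical.

```python
import hashlib

ZETA = 32  # frames per content, as in the paper's example


def copy_with_watermark(i):
    """Constructed stand-in for M_A^(i): frame j carrying watermark i."""
    return [f"frame-{j:02d}|W{i}".encode() for j in range(ZETA)]


def H(frames):
    """Hash of an assembled content (SHA-256 is this example's choice)."""
    h = hashlib.sha256()
    for f in frames:
        h.update(len(f).to_bytes(4, "big") + f)  # length-prefix each frame
    return h.hexdigest()


def assemble(K, MA1, MA2):
    """Eq. (6) on plaintext frames: bit k_j picks frame j of copy 1 or 2."""
    return [(MA1, MA2)[k][j] for j, k in enumerate(K)]


def make_record(K_claimed, M_A):
    """Plaintext of B_A = (K_A, H(M_A)), as seen after the authority decrypts."""
    return {"K_A": list(K_claimed), "hash": H(M_A)}


def adjudicate(MA1, MA2, record, found_copy):
    """Return (guilty party, reason), following the checks of section 5.4."""
    rebuilt = assemble(record["K_A"], MA1, MA2)
    if H(rebuilt) != record["hash"]:
        # The customer encapsulated a K_A that does not match the content
        # it hashed (the case covered by Theorem 3).
        return "customer", "K_A in B_A does not reproduce the hashed content"
    if rebuilt == found_copy:
        return "customer", "found copy carries the customer's pattern"
    return "provider", "found copy does not carry the customer's pattern"


def scenarios():
    """Run the three cases on constructed data and return the verdicts."""
    MA1, MA2 = copy_with_watermark(1), copy_with_watermark(2)
    K = [(j * 7 + 3) % 2 for j in range(ZETA)]       # constructed pattern
    M_A = assemble(K, MA1, MA2)                      # what the customer holds
    honest = make_record(K, M_A)

    # 1. The customer's own copy is found in circulation.
    leaked = adjudicate(MA1, MA2, honest, M_A)

    # 2. The provider, not knowing K, circulates a copy with a guessed pattern.
    K_guess = K[:]
    K_guess[0] ^= 1
    framed = adjudicate(MA1, MA2, honest, assemble(K_guess, MA1, MA2))

    # 3. The customer recorded a false pattern in B_A and then leaked M_A.
    lying = make_record(K_guess, M_A)
    false_k = adjudicate(MA1, MA2, lying, M_A)
    return leaked, framed, false_k
```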

5.5 Relative Merits

We identify a couple of merits in the application of the proposed protocol to the e-commerce of digital contents.

  1. The CP can never know the form of the watermark in $M_A$ no matter how maliciously the CP performs. As presented in section 3.3, the customer A chooses ζ encrypted watermarked frames one by one from either $C_1$ or $C_2$ in a random manner and then constructs a new vector D. Since D is encrypted by A with a randomly selected secret key R before being sent to the CP, the CP has no idea which frames are selected. Therefore, the privacy of the watermark of A is perfectly protected.
  2. The customer can get only one piece of watermarked digital contents in one execution of the protocol. This feature makes the protocol meaningful. That is, if there is an unauthorized distribution of the contents $M_A$, we can easily determine who is guilty since the customer possesses only one piece of valid watermarked contents.
  3. The CP should maintain a database for all transactions. If a record list of a transaction is too large for storage, then the protocol is not practical for a real Internet-based e-commerce system. In our protocol, however, a record list only includes $\{TN, ID_A, WM_A^{(i)}, i \in \{1, 2\}, B_A\}$, where $B_A$ is the encryption result of a ζ-bit integer and a secure hash function value of the contents $H(M_A)$, instead of the encryption of $M_A$ itself. (A one-way hash function [18], denoted as H, operates on an arbitrary-length message m and returns a fixed-length hash value h, where $h = H(m)$. Usually, the hash value h is only 128 or 160 bits long, and the encryption result on h is no more than 1024 bits in most popular public key encryption algorithms, say, RSA.) Table 2 gives the estimated size of a transaction record for a piece of digital contents partitioned into ζ (ζ=32 here) frames and using two 1024 bit watermarks. As such, the proposed protocol is economic with respect to storage requirements.
    Table 2: Length of a transaction record for a digital content partitioned into 32 frames and using 1024 bit watermarks

  4. Judging who is guilty of an unauthorized distribution is mechanical in the proposed protocol, which makes the protocol more efficient. The public authority can reach a judgment with only one decryption step on BA, which is submitted by the CP. Furthermore, our protocol does not require the customer to keep anything (say, a key) as evidence to prove his innocence in a dispute over unauthorized distribution. In fact, the customer does not even need to cooperate with the judge, and the CP cannot frame the customer by submitting a fake BA, since BA must carry the signature of customer A.
  5. The protocol is reliable. The CP and the customer randomly choose secret keys S and R, respectively, for every transaction. Therefore, it is impossible for an attacker to obtain the other party's secret key used in the current transaction even if he knows the keys used in previous transactions.

6.   Conclusion

In this paper, we have proposed a practical protocol for protecting the privacy of watermarks in transactions of digital contents. In our protocol, the form of the particular watermark embedded in the digital contents in a transaction is determined jointly by the content provider and the customer. Therefore, the content provider alone can never figure out the watermarked digital contents possessed by the customer. In this case, it is mechanical for the public authority to judge who is guilty when there is an allegation of unauthorized distribution. With a security analysis, we have shown that our protocol is secure against any possible attacks from either the content provider or the customer. Besides this security feature, our protocol is economical with respect to storage requirements.

Note that the computation of CE(k,m) and CE⁻¹(k,c) could be expensive in our protocol when a transaction involves a large amount of digital contents. One possible solution is to use a symmetric key cryptosystem (say, DES or AES) to encrypt each frame, while only the key is encrypted with the CE algorithm. Such a solution would improve the efficiency of our protocol. We are developing a symmetric key encryption algorithm with the commutative property.

Footnotes

  • 1 A mechanism of acquiring such watermarks can be found in [4].
  • 2 Note that there are two different watermarks embedded into the frames of two contents separately.
  • 3 Usually, a watermark WA should include the identity information or authenticated information of A. Note here, the two watermarks WA(1) and WA(2) should be different.
  • 4 The CP also submits the original MA1, MA2, BA and an unauthorized copy of MA to the public authority.
  • 5 The customer A also can accuse the CP of framing, since the CP possesses the original MA(i) as well.
  • 6 Although the CP knows the two watermarked contents MA(i), i={1,2}, each of which is split into ζ frames, he has no idea which frames A eventually chose to construct MA. It is easy to calculate that there are in total 2^ζ possible combinations in which those frames can be assembled into full watermarked contents. Even though it is theoretically possible (with probability only 1/2^ζ) for the CP to frame A successfully, we believe it is impossible for the CP to frame customer A successfully in practice.
  • 7 A one-way hash function [18], denoted as H, operates on an arbitrary-length message m and returns a fixed-length hash value h, where h=H(m). Usually, the hash value h is only 128 or 160 bits long, and the encryption result on h is no more than 1024 bits in most popular public key encryption algorithms, say, RSA.

References


  • [1] Asokan, N., Shoup, V. and Waidner, M. (1997), “Optimistic Protocols for fair exchange,” T. Matsumoto editor, in 4th ACM Conference on Computer and Communications Security, pp. 8–17, Zurich, Switzerland, ACM Press.
  • [2] Asokan, N., Shoup, V. and Waidner, M. (1998), “Optimistic fair exchange of digital signatures,” in Advances in Cryptology-EUROCRYPT'98, Vol. 1403 of LNCS, pp. 591–606, Springer-Verlag.
  • [3] Bao, Feng and Deng, Robert H. (2001), “Privacy Protection for Transactions of Digital Contents,” ICICS'01, pp. 202–213, LNCS, Springer-Verlag.
  • [4] Cheung, S.C. and Curreem, H. (2002), “Buyer-Reseller Watermarking Protocol for MP3 Music,” in Proceedings of the 26th Annual International Computer and Applications Conference (COMPSAC 2002), Oxford, August 2002, pp. 105–110.
  • [5] Cox, I.J., Kilian, J., Leighton, F.T., and Shamoon, T. (1997), “Secure Spread Spectrum Watermarking for Multimedia,” IEEE Transactions on Image Processing, vol. 6, pp. 1673–1687.
  • [6] eBiz (2001). Windows Media Security Issues - White Paper [On-line]. Published on July, 2001. Available: http://www.ebizis.com/techcenter/media.html
  • [7] Forrester Research, “Sizing Global Online Exports,” Available: http://forrester.com (November, 2000).
  • [8] Gopalakrishnan, K., Memon, N. D. and Vora, P. (2001), “Protocols for Watermark Verification,” IEEE Multimedia (8:4), pp. 66–70.
  • [9] Jun, J.M., Lee, B.M., Kim, K.K. and Won, D.H. (2000), “Digital watermarking and practical distribution protocol for digital contents copyright protection,” in Proceedings of the WISA'2000, Seoul, Korea, pp. 251–264.
  • [10] Katzenbeisser, S. and Petitcolas, Fabien A.P. (2000), Information hiding techniques for steganography and digital watermarking, Artech House.
  • [11] KaZaA (2002). Available: http://www.kazaa.com
  • [12] Kirovski, D. and Malvar, H. (2001), “Robust Spread-Spectrum Audio Watermarking,” in Proceedings of IEEE International Conference on Acoustics, Speech, and Signal Processing (3), Salt Lake City, UT, pp. 1345–1348.
  • [13] Kwok, James S.H., Wong, S.C. Cheung, K.C., Tsang, K.F., Cheung and Tam, K.Y. (2003), “Integration of Digital Rights Management into Internet Open Trading Protocol (IOTP),” Decision Support Systems, vol. 34, 2002, pp. 413–425.
  • [14] Memon, N. and Wong, P. W. (2001), “A Buyer-Seller Watermarking Protocol,” IEEE Transactions on Image Processing (10:4), pp. 643–649.
  • [15] MPEG (2002). Available: http://mpeg.telecomitalialab.com/
  • [16] Morpheus (2002). Available: http://www.musiccity.com
  • [17] Napster (2001). Available: http://www.napster.com
  • [18] Preneel, B., Govaerts, R. and Vandewalle, J. (1993), “Information authentication: Hash functions and digital signatures,” Computer Security and Industrial Cryptography: State of the Art and Evolution (LNCS741), pp. 87–131, Springer-Verlag.
  • [19] Qiao, L. and Nahrstedt, K. (1998), “Watermarking schemes and protocols for protecting rightful ownership and customer's rights,” Journal of Visual Communication and Image Representation (9:3), pp. 194–210.
  • [20] Rivest, R., Shamir, A. and Adleman, L. (1978), “A method for obtaining digital structures and public-key cryptosystem,” Communication of ACM, 21(2), Feb 1978.
  • [21] Stallings, W. (1999), Cryptography and Network Security, Principles and Practice, Prentice Hall.

