
920 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 5, NO. 4, DECEMBER 2010

A Provably Secure Anonymous Buyer–Seller Watermarking Protocol

Alfredo Rial, Mina Deng, Tiziano Bianchi, Member, IEEE, Alessandro Piva, Senior Member, IEEE, and Bart Preneel, Member, IEEE

Abstract—Buyer–seller watermarking (BSW) protocols allow copyright protection of digital content. The protocol is anonymous when the identity of buyers is not revealed if they do not release pirated copies. Existing BSW protocols are not provided with a formal analysis of their security properties. We employ the ideal-world/real-world paradigm to propose a formal security definition for copyright protection protocols, and we analyze an anonymous BSW protocol and prove that it fulfills our definition. Additionally, we implement the protocol and measure its efficiency.

Index Terms—Buyer–seller watermarking (BSW) protocol, ideal-world/real-world paradigm.

I. INTRODUCTION

The rapid proliferation of computer networks facilitates the efficient distribution of multimedia content. However, it also eases the reproduction and the distribution of illegal copies. Therefore, the development of techniques that allow the protection of intellectual property rights in digital form is necessary. Moreover, privacy protection for both customers and content providers is an important concern.

Encryption and digital watermarking are recognized as promising techniques for copyright protection. Encryption prevents unauthorized access to digital content. The limitation is that, once the content is decrypted, it does not prevent illegal replications by an authorized user. Digital watermarking [1], [2] is a technique that allows some information to be embedded into a digital content. As an application of watermarking, fingerprinting can be used to identify the content and to associate it to a customer. The fingerprint can be either an intrinsic feature of the content or some external information embedded into the content. At the algorithmic level, watermarking is the function that embeds this information, while fingerprinting refers to the complete protocol between seller and buyer.

Previous work. Fingerprinting schemes have been proposed to identify different kinds of digital content, such as documents [3], [4], images or videos [5]–[7], or computer programs [8]. A first improvement of fingerprinting techniques was the design of collusion-resistant schemes [9], [10], [6], i.e., schemes that tolerate a collusion of buyers up to a certain size by preventing colluding buyers, that compare their different copies, from creating a copy that cannot be traced back to one of the colluders.

Manuscript received April 01, 2010; revised August 03, 2010; accepted August 03, 2010. Date of publication September 02, 2010; date of current version November 17, 2010. This work was supported in part by the Italian Research Project (PRIN 2007): “Privacy aware processing of encrypted signals for treating sensitive information” and by the IAP Programme P6/26 BCRYPT of the Belgian State (Belgian Science Policy). The work of A. Rial was supported by the Research Foundation—Flanders (FWO). The associate editor coordinating the review of this manuscript and approving it for publication was Prof. Nasir Memon.

A. Rial, M. Deng, and B. Preneel are with IBBT and the COSIC Group of Departement Elektrotechniek (ESAT), Katholieke Universiteit Leuven, B-3001 Leuven, Belgium (e-mail: [email protected]).

T. Bianchi and A. Piva are with the Dipartimento di Elettronica e Telecomunicazioni, Università di Firenze, I-50139 Firenze, Italy (e-mail: [email protected]).

Digital Object Identifier 10.1109/TIFS.2010.2072830

Traditional watermarking-based fingerprinting schemes assume that content providers are trustworthy, in that they would never distribute content illegally and always perform the watermark embedding honestly. However, in practice, such assumptions are not fully established. This problem was first identified by Qian and Nahrstedt as the customer’s rights problem [11], where the watermark is generated and embedded solely by the content provider (or the seller). A customer (or a buyer) whose watermark has been found in unauthorized copies can claim that the pirated copy was created by the seller. This could be done, for instance, by a malicious seller who may be interested in framing the buyer. It could also be possible when the seller is not the original owner but a reselling agent who could potentially benefit from making unauthorized copies. Finally, even if the seller was not malicious, an unauthorized copy containing the buyer’s fingerprint could have originated from a security breach in the seller’s system but not from the buyer [11].

The owner–customer watermarking protocol proposed by Qian and Nahrstedt [11] tries to solve this problem such that the customer provides the owner with an encrypted predetermined bit-string, and the owner embeds the encrypted value using an invisible watermarking technique. Upon receiving the watermarked content delivered from the owner, the customer is able to prove to a third party the legitimate ownership of the copy in the customer’s possession, since only the buyer knows the decryption key. The drawback of this protocol is that it does not solve the problem of irrevocably binding the customer to the specific copy sold to him, and holding the customer responsible for any unauthorized copies of the same found in the market. This is due to the problem of traditional symmetric fingerprinting schemes, where both buyer and seller know the copy that the buyer gets. In symmetric schemes, a malicious seller can release a pirated copy in order to frame an honest buyer, and a guilty buyer can repudiate the accusation of copyright infringements by invoking the possibility of being framed by the seller or caused by a security breach in the seller’s system. As a consequence, the watermark tracing mechanism is discredited.

It is against this background that asymmetric schemes [12]–[14] were introduced, where only the buyer obtains the exact watermarked content, and hence the buyer cannot claim that a pirated copy was originated from the seller. In the asymmetric fingerprinting protocol proposed by Pfitzmann and Schunter [12], the buyer chooses a secret and sends a commitment to the secret to the seller. Then buyer and seller execute a protocol at the end of which the buyer obtains a watermarked content with the buyer’s secret, while the seller does not get any information. Therefore, when the seller is able to provide the secret chosen by the buyer, it must be the case that he found a pirated copy, and thus the buyer is found guilty.

1556-6013/$26.00 © 2010 IEEE

In the aforementioned symmetric and asymmetric schemes, the buyer needs to be authenticated by the seller at each purchase. To protect buyers’ privacy, Pfitzmann and Waidner [13] introduced anonymous asymmetric schemes, where buyers remain anonymous as long as they do not release pirated copies. Buyers are required to register at a registration entity prior to any purchase and, if the seller finds a pirated copy, he can query this registration entity to revoke buyers’ anonymity. The first anonymous asymmetric schemes [15] require interaction with the buyer in case of dispute to find out whether the buyer was guilty or not. Pfitzmann and Sadeghi [16] and Camenisch [17] proposed schemes that allow direct nonrepudiation, where the seller, upon finding a pirated copy, possesses enough information to convince a third party of the buyer’s culpability.

Combining encryption with digital watermarking, a buyer–seller watermarking (BSW) protocol is in fact an asymmetric fingerprinting protocol where the fingerprint is embedded by means of watermarking in the encrypted domain. The basic idea is that each buyer obtains a slightly different copy of the digital content offered by the seller. Such a difference, the watermark (or fingerprint), does not harm the perceptual quality of the digital content and cannot be easily removed by the buyer. Thanks to the latter property, when a malicious buyer redistributes a pirated copy, the seller can associate the pirated copy to its buyer by its embedded watermark. On the other hand, a malicious seller cannot frame an honest buyer because the buyer’s watermark and the delivered watermarked content are unknown to the seller.

Since the introduction of the concept by Memon and Wong [18], a number of BSW protocols have been proposed [19]–[23]. However, none of these proposals provides a formal security definition of the concept of BSW protocol, and therefore, none of them proves that the proposed protocol satisfies the required security properties.

Our contribution. The main contribution of our work is a formal security analysis of BSW protocols. We employ the ideal-world/real-world paradigm [24] to define security of anonymous BSW protocols. With respect to classical asymmetric fingerprinting schemes, which define each security property separately, this definition leads to the construction of protocols that are secure under composition. Our definition is general in the sense that it captures the security properties required for any copyright protection protocol that provides buyers with anonymity. Additionally, we define security for blind and readable watermarking schemes, and analyze the properties that watermarking schemes should provide for the construction of secure BSW protocols.

We describe a slightly modified version of the BSW protocol proposed in [23], and we prove that this protocol fulfills our security definition. This protocol uses a blind and readable watermarking scheme and a homomorphic encryption scheme, a group signature scheme and several zero-knowledge proofs of knowledge as main cryptographic building blocks. We prove the security of the protocol when instantiated with any secure watermarking schemes and with any secure building blocks. In Part II of this paper [25], we provide efficient implementations of the proposed BSW protocol, instantiate the protocol with secure building blocks, and measure its efficiency.

Outline of the paper. In Section II, we propose security definitions for blind and readable watermarking schemes and for anonymous BSW protocols. We recall the definition and the properties of the employed cryptographic building blocks in Section III, and we describe our BSW protocol in Section IV. In Section V, we analyze the security of our protocol, in Section VI we discuss its efficiency, and we conclude in Section VII.

II. DEFINITIONS

A. Blind Watermarking

A blind and readable watermarking scheme [2] consists of a setup algorithm , a watermark embedding algorithm , and finally a watermark detection algorithm . outputs a secret watermarking key , and a description of an original content space and of a watermark space . , on input , original content , and watermark , outputs watermarked content . The algorithm can be computed in the encrypted domain, where both and the result are encrypted with a public key of a public key encryption scheme. The algorithm outputs the watermark embedded in .

A secure watermarking scheme should be robust and collusion resistant. Let be a distortion metric that quantifies the distortion suffered by a watermarked content when it underwent signal processing operations such as compression, filtering, noise addition, desynchronization, cropping, insertions, mosaicing, and collage. Under a distortion metric and a given distortion bound , given output by and output by , a scheme is -robust if an adversary outputs a distorted content such that outputs and with negligible probability .

The collusion resistance property requires that a collusion of up to parties cannot manipulate or remove the watermark from a watermarked content by comparing or composing their differently watermarked copies. In other words, it requires that under a distortion metric and a given distortion bound , a scheme is -secure against coalitions of size , if all the p.p.t. adversaries win the game defined below with probability less than . We formalize this property as follows.

Definition 1 (Collusion Resistant Watermarking): The collusion resistance property is defined through the following game between a challenger and an adversary .

• Challenge. runs to get , picks random original content , and, for to , picks random watermark and runs . sends to .

• Response. outputs watermarked content .

wins if there exists such that and outputs a watermark such that, for to , . A blind watermarking scheme is collusion resistant if all p.p.t. adversaries win the game above with negligible probability.

Current practical watermarking schemes do not provide collusion-resistance against any p.p.t. adversary. In Section V, we assume that the watermarking scheme used to instantiate the protocol fulfills this definition, and thus we conclude that our protocol is secure against any p.p.t. adversary. When the protocol is instantiated with a given watermarking scheme, the security offered against malicious buyers is lowered to the security offered by the watermarking scheme. In the security analysis of our protocol (Section V), Claim 2 is not fulfilled if the watermarking scheme is not collusion resistant.

B. Anonymous BSW Protocol

We define security following the ideal-world/real-world paradigm [24]. In the real world, a set of parties interact according to the protocol description in the presence of a real adversary , while in the ideal world dummy parties interact with an ideal functionality that carries out the desired task in the presence of an ideal adversary . A protocol is secure if there exists no environment that can distinguish whether it is interacting with adversary and parties running protocol or with the ideal process for carrying out the desired task, where ideal adversary and dummy parties interact with an ideal functionality . More formally, we say that protocol emulates the ideal process when, for any adversary , there exists a simulator such that for all environments , the ensembles IDEAL and REAL are computationally indistinguishable. We refer to [24] for a description of how these ensembles are constructed. In the ideal-world/real-world paradigm [24], every protocol instance has a session identifier that distinguishes it from other protocol instances. For the sake of ease of notation, we omit session identifiers in the description of our ideal functionalities and in the description of our protocol.

We define an ideal functionality that models the behavior and desirable properties of any copyright protection protocol in which buyers are provided with anonymity. We consider a setting with five parties: a seller that sells protected digital contents ; a set of buyers that purchases protected digital contents from ; a registration authority where buyers must register before purchasing; a judge that decides whether a buyer is guilty of releasing pirated copies; a deanonymization authority that revokes the anonymity of a buyer when requested by . is parameterized with a set of parties that contains the aforementioned entities. models the properties that a copyright protection protocol should fulfill under three assumptions. First, the judge is never corrupted by the ideal adversary . Second, parties can be corrupted statically, i.e., the ideal adversary decides at the beginning of the protocol execution the set of parties it wishes to corrupt and cannot modify this set throughout the execution. Finally, assumes that uncorrupted buyers never release pirated copies.

Under those assumptions, requires that, when the seller is uncorrupted, buyers receive unique protected content at each purchase. This unique protected content, when released as a pirated copy, can be traced back to a single transaction. (In the case of a BSW protocol, unique protected content is computed by embedding a different watermark at each purchase phase.)

also requires that, if the deanonymization authority is uncorrupted, an uncorrupted seller is always able to get the identity of corrupted buyers that release pirated copies. To trace protected copies, maintains a transaction table with entries of the form , where is a protected copy, is the buyer that purchased the copy, and is a bit that equals 0 if the copy was released by a malicious .

When the seller is corrupted, does not require buyers to receive the unique protected content . Instead, they receive a copy chosen by . However, requires that is not able to frame uncorrupted buyers, who by assumption do not release pirated copies. Additionally, it requires that released pirated copies are traced back to corrupted buyers that collude with .

Below we describe formally . In Section V, we prove that our BSW protocol realizes functionality . This means that our protocol fulfills the aforementioned properties.

Functionality

Parameterized with a set of parties , works as follows, where means the registration or deanonymization process succeeded and means a content is not a pirated copy:

• Upon receiving (register) from buyer , checks that . Then it sends register to . If is corrupted, receives a bit regresp from the ideal adversary , else it sets . sends regresp to and, if , includes in its registration table .

• Upon receiving request from buyer , where identifies the item, checks that . sends buyrequest to , who returns original content reqresp . computes unique protected content from . If is corrupted, receives reqresp from and sets to . sends reqresp to and stores , where , in a transaction table .

• Upon receiving release from , sets to 0 in the entry of . If no such entry exists, stores in .

• Upon receiving detect from , if in the entry or such entry does not exist, sends detresp to and . If , sends detect to . If is corrupted, receives a bit deanonym from , else sets . If , sends detresp to and , and otherwise it sends detresp to and .
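To make the bookkeeping of the four interfaces above concrete, here is an added Python model of the functionality; it is not code from the paper. It keeps the registration table, the transaction table of (protected copy, buyer, bit) entries and a static set of corrupted parties, and consults a callback in place of the ideal adversary whenever a corrupted authority or seller must answer. Where the page's symbols are missing the code makes labelled choices: a serial number stands in for the unique protected content, and a released copy that matches no transaction is recorded with no buyer. The text's assumption that uncorrupted buyers never release pirated copies is enforced as a check, which is exactly what makes framing an honest buyer impossible in the model. All names, the `scenario` run and its party set are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Callback standing in for the ideal adversary: (query name, context) -> answer.
# The default adversary is cooperative and always answers 1 (constructed for the example).
Adversary = Callable[[str, dict], object]


@dataclass
class IdealCopyrightFunctionality:
    """State-machine model of the ideal functionality described in the text."""
    parties: Set[str]
    originals: Dict[str, str]                       # item id -> original content (the seller's input)
    corrupted: Set[str] = field(default_factory=set)  # statically corrupted parties
    adversary: Adversary = lambda query, ctx: 1
    seller: str = "S"
    ra: str = "RA"                                  # registration authority
    da: str = "DA"                                  # deanonymization authority
    judge: str = "J"
    registered: Set[str] = field(default_factory=set)             # registration table
    transactions: Dict[str, List] = field(default_factory=dict)  # protected copy -> [buyer, bit]
    serial: int = 0

    def register(self, buyer: str) -> int:
        """(register) from a buyer: RA answers 1 unless it is corrupted, then the adversary decides."""
        if buyer not in self.parties:
            raise ValueError(f"{buyer} is not in the party set")
        regresp = self.adversary("regresp", {"buyer": buyer}) if self.ra in self.corrupted else 1
        if regresp == 1:
            self.registered.add(buyer)
        return regresp

    def request(self, buyer: str, item: str) -> str:
        """(request) from a registered buyer: hand out protected content and record the transaction."""
        if buyer not in self.registered:
            raise PermissionError(f"{buyer} is not registered")
        original = self.originals[item]                  # the seller returns the original content
        self.serial += 1
        protected = f"{original}#copy{self.serial}"      # unique per purchase (stands in for a fresh watermark)
        if self.seller in self.corrupted:                # a corrupted seller chooses what the buyer receives
            protected = self.adversary("reqresp", {"buyer": buyer, "item": item, "unique": protected})
        self.transactions[protected] = [buyer, 1]        # bit 1: not (yet) released as a pirated copy
        return protected

    def release(self, protected: str) -> None:
        """(release) from the adversary: mark the copy as pirated."""
        entry = self.transactions.get(protected)
        if entry is None:
            # The page's stored entry for an unknown copy is not legible; we record it with no buyer.
            self.transactions[protected] = [None, 0]
            return
        if entry[0] not in self.corrupted:
            # Modeling assumption from the text: uncorrupted buyers never release pirated copies.
            raise AssertionError("model assumption violated: honest buyer releasing a copy")
        entry[1] = 0

    def detect(self, protected: str) -> Tuple[str, Optional[str]]:
        """(detect) from the seller: the verdict sent to S and J, with the buyer if DA cooperates."""
        entry = self.transactions.get(protected)
        if entry is None or entry[1] == 1:
            return ("not_pirated", None)
        deanonym = self.adversary("deanonym", {"protected": protected}) if self.da in self.corrupted else 1
        return ("pirated", entry[0] if deanonym == 1 else None)


def scenario(corrupted=frozenset(), adversary: Adversary = lambda query, ctx: 1):
    """Constructed run: two buyers purchase the same item, the corrupted buyer B2 leaks its copy,
    and the seller runs detect on both copies. Returns the two verdicts."""
    f = IdealCopyrightFunctionality(
        parties={"S", "RA", "DA", "J", "B1", "B2"},
        originals={"song": "ORIGINAL"},
        corrupted=set(corrupted) | {"B2"},
        adversary=adversary,
    )
    f.register("B1")
    f.register("B2")
    copy1 = f.request("B1", "song")
    copy2 = f.request("B2", "song")
    f.release(copy2)
    return f.detect(copy1), f.detect(copy2)


if __name__ == "__main__":
    print(scenario())
    print(scenario(corrupted={"DA"}, adversary=lambda q, ctx: 0 if q == "deanonym" else 1))
```

The second run in the `__main__` block shows the dependence on the deanonymization authority that the text states: the copy is still recognised as pirated, but a corrupted DA can withhold the buyer's identity, so the seller and judge learn only the verdict.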

In Section V, we prove that our BSW protocol realizes functionality in the -hybrid model, where parties register their public keys at a trusted registration entity and obtain from it a common reference string. Do not confuse this entity with the registration entity . Below we depict the ideal functionality . is parameterized with a distribution and a set of participants , which is restricted to contain the registration authority , the deanonymization authority , the buyers , the seller , and the judge . can be implemented with a public key infrastructure.

Functionality

Parameterized with a set of parties and a distribution , works as follows, where (crs) is a request of the common reference string, is the common reference string, and is the registered value such as ’s public key:

• On input (crs) from party , if it aborts. Otherwise, if there is no value recorded, it picks and records . It sends to .

• Upon receiving register from party , it records the value .

• Upon receiving retrieve from party , if is recorded then return retrieve to . Otherwise send retrieve to .

III. PRELIMINARIES

A function is negligible if, for every integer , there exists an integer such that for all , .

A. Group Signature Schemes

Group signature schemes [26] enable a group of users, each having her own private key, to sign messages on behalf of the group. The scheme is called dynamic if it allows adding members to the group with time. In the following, we recall the description of dynamic group signature schemes in [27].

The scenario consists of four kinds of parties: a trusted party for system setup, an authority called the issuer , an authority called the opener , and users that may become group members. The communication between and takes place over private and authenticated channels.

The scheme consists of the algorithms , , , , , , , and . outputs an issuer key , an opening key , and a group public key on input a security parameter . outputs a user key pair on input a security parameter . and are interactive algorithms run by and , respectively. receives as inputs and receives as inputs. outputs a private signing key and outputs registration information to be stored in a registration table . outputs a signature of a message on input a secret key . , on input a signature , a message , and a group public key , outputs a bit if is correct and otherwise. , on input the group public key , the registration table , an opening key , a message , and a signature , outputs a pair , where identifies the user that computed ( if no group member produced the signature) and is a publicly verifiable proof that computed . , on input a group public key , an integer , a public key , a message , a signature , and a proof , outputs if is a valid proof that produced and otherwise.

A dynamic group signature scheme must provide the properties of anonymity, traceability, and nonframeability. Anonymity requires that an adversary , unable to corrupt , cannot distinguish which of two signers of his choice signed a message of his choice. Traceability requires that , unable to corrupt and (albeit able to compromise ), cannot compute a signature for which either an honest cannot identify the user that produced it or cannot compute a proof that a user produced it. Nonframeability requires that cannot produce a proof that an honest user computed a valid signature unless the user indeed computed the signature. We refer to [27] for formal definitions. Our construction in Section IV can be instantiated with any secure group signature scheme.

B. Homomorphic Encryption

A public key encryption scheme consists of the algorithms , , and . outputs a public key and a secret key . outputs a ciphertext on input a public key and a message . outputs the message on input the ciphertext and the secret key . Roughly speaking, indistinguishability under chosen plaintext attack [28] (IND-CPA) guarantees that an adversary does not get any knowledge about from .

We employ a public key homomorphic encryption scheme that supports two operations. An operation that, on input two ciphertexts and that encrypt messages and , outputs a ciphertext that encrypts the addition of the messages, and an operation that, on input a message and a ciphertext , outputs a ciphertext that encrypts the multiplication of the messages and . The public key homomorphic encryption scheme proposed by Paillier [29], and its generalization by Damgård and Jurik [30], supports these operations, and therefore, can be used to instantiate the encryption scheme employed in Section IV.

In our construction in Section IV, we need a function that, on input a bit and an encryption of a bit , computes the encryption , where denotes the exclusive or operation. This function can be computed as follows. If , output . If , output .

C. Zero-Knowledge Proofs of Knowledge

A zero-knowledge proof of knowledge [31] is a two-party protocol between a prover and a verifier. The prover proves to the verifier knowledge of some secret input that fulfills some statement without disclosing this input to the verifier. The protocol should fulfill two properties. First, it should be a proof of knowledge, i.e., a prover without the knowledge of the secret input convinces the verifier with negligible probability. More technically, there exists a knowledge extractor that extracts the secret input from a successful prover with all but negligible probability. Second, it should be zero-knowledge, i.e., the verifier does not learn any information about the secret input. More technically, for all possible verifiers there exists a simulator that, without knowledge of the secret input, yields a transcript that cannot be distinguished from the interaction with a real prover.

To express a zero-knowledge proof of knowledge, we follow the notation introduced by Camenisch and Stadler [32]. For example, denotes a “zero-knowledge proof of knowledge of secret input such that ”. Letters in the parenthesis, in this example , denote the secret input, while and the function are also known to the verifier. We employ a proof of knowledge , i.e., a proof that is a correct encryption under of the secret key related with public key , so that a party in possession of the secret key related with can recover from . The verifiable encryption schemes proposed by Camenisch et al. [33] and by Poupard and Stern [34] can be employed to instantiate the encryption scheme used in our construction in Section IV.

We also use a proof of knowledge of the statement , i.e., a proof that the value encrypted in ciphertext under public key is a bit. Such a proof is described in [30].

IV. CONSTRUCTION

A. Intuition Behind Our Construction

Our buyer–seller watermarking protocol BSW is based mainly on two cryptographic primitives: group signatures and homomorphic encryption. Group signatures allow buyers to sign the purchase messages they send to the seller on behalf of the group of buyers. Thanks to that, the seller can verify the signature without knowing the buyer’s identity, and thus purchases are anonymous. When a pirated copy is found and traced back to a particular purchase, the corresponding signature can be opened to learn the identity of the buyer that released the pirated copy. We note that, although in the description of our construction all the buyers belong to the same group, in practical implementations there can be several groups.

Homomorphic encryption allows buyer and seller to jointly compute an encryption of the watermark to be embedded in the original content, in such a way that none of the parties knows . (The encryption of the watermark is embedded by computing algorithm in the encrypted domain.) This is an essential property. On the one hand, since the seller does not learn , later on a malicious seller cannot produce pirated copies that embed in order to frame an honest buyer. On the other hand, a malicious buyer can neither remove nor release pirated copies and claim that the seller produced them.

The protocol consists of four phases: setup, registration, purchase, and arbitration. In the setup phase, a trusted registration entity releases the group public key , gives the issuer secret key to the registration authority and the opening secret key to the deanonymization authority . acts as the issuer of the group signature scheme, and as the opener. Additionally, buyers register their public keys at the trusted registration entity. Finally, the judge also registers a public key .

In the registration phase, buyers query and obtain a private signing key of the group signature scheme. obtains registration information .

In the purchase phase, a buyer requests item and obtains from seller watermarked content , in such a way that none of the parties knows the watermark . ( does not learn either.) equals , where and are chosen by the seller, while is chosen by the buyer. is used by to relate a pirated copy with the transaction in which the pirated copy was sold. and are random values of sufficient length.

First, generates a key pair of the homomorphic encryption scheme, picks random , and encrypts it bitwise with . also encrypts with the public key of the judge and obtains a ciphertext . sets a request message that includes , the bitwise encryption of , , and . Finally, computes a group signature on her request message , sends it to and proves in zero-knowledge that the request is correctly computed.

picks unique random and random , and by using the homomorphic property of the encryption scheme, is able to compute a bitwise encryption of under . embeds in the original content by running the watermark embedding algorithm in the encrypted domain and sends the result to . decrypts the result to obtain watermarked content . stores an entry indexed by with information about the transaction in a transactions table.

In the arbitration phase, when receives a pirated copy, runs the watermark detection algorithm to obtain the watermark . uses to relate the pirated copy to a transaction and sends the table entry and to . uses his secret key to obtain the buyer’s secret key , uses to obtain from the bitwise encryption, and sets . checks if . If it is the case, it sends to , which returns the identity of the malicious buyer that released the pirated copy.

The trusted registration entity can be implemented with a conventional public key infrastructure, and the registration authority and deanonymization authority can be implemented with the issuer and opener of any dynamic group signature scheme, respectively. The judge represents the entity in charge of determining if a buyer is guilty of releasing pirated copies. Since in practical settings there can be several entities in charge of this task, we propose to employ a unique trusted entity in possession of the secret key corresponding to public key . (Such a trusted entity could even be the trusted registration entity, but a conventional PKI does not offer such a service.) Every judge queries this entity to decrypt a ciphertext encrypted with .

In the description of our construction, we employ a single watermarking key . If, in order for the watermarking scheme to be collusion resistant, a different watermarking key should be associated to each of the original contents, our construction can be modified to watermark each content with a different key.

B. Construction

In the following, and stand for the algorithms for key generation, encryption, and decryption of the public key encryption schemes used by and , respectively. They are described in Section III.

In the setup phase depicted in Fig. 1, the trusted registration functionality runs the setup algorithm of the group signature scheme, stores the group public key , and sends the issuer’s secret key to and the opening secret key to . Every party can obtain by sending (crs) to . Additionally, each buyer runs to obtain a user key pair and registers at . The judge runs his key generation algorithm in order to generate a key pair and registers at . Every party can retrieve public keys of other parties by querying .

Fig. 1. Setup phase of the BSW protocol: 1) group key generation; 2) buyer key generation; 3) judge key generation; 4) the seller sets up the watermarking scheme and obtains the secret watermarking key.

Fig. 2. Registration protocol performed between the buyer and the registration authority.

Fig. 3. Watermark generation and embedding protocol performed between the seller and the buyer.

Finally, the seller executes the watermarking setup algorithm to obtain the secret watermarking key . encrypts and sends to .

After the setup phase, our protocol consists of three phases: registration, purchase, and arbitration. We begin with a high-level description of our construction. Details on the algorithms can be found below.

Protocol BSW

• Registration. The registration phase is depicted in Fig. 2. When is activated with (register), and execute and , respectively. inputs and inputs . obtains a private signing key and outputs regresp , while obtains registration information to be stored in the registration table .

• Purchase. The purchase phase is presented in Fig. 3. When is activated with request and is activated with reqresp , and run the interactive algorithms and , respectively. inputs the group public key , her private signing key , , and the public key of . inputs , the secret watermarking key , and the original content . obtains transaction information and stores it in the table entry Tab , where Tab is a table that stores information of all the transactions. outputs watermarked content reqresp .

• Arbitration. The identification and arbitration protocol is depicted in Fig. 4. When is activated with detect , runs Tab to obtain the table entry that corresponds to and sends to . runs to obtain a bit and a deanonymization message . If , sends to and outputs detresp . Otherwise sends to , which runs ( is obtained from ) and returns and a proof that deanonymization was done correctly. runs to check the validity of the proof . If the output is , sends to and outputs detresp . Otherwise sends to and outputs detresp .

• . Run to obtain a key pair . Run to get an encryption of . Pick a random string and, for to , run to encrypt bitwise . Set a message and run to compute a signature . (If does not belong to the message space of the group signature scheme, use a collision-resistant hash function to compute a hash that belongs to the message space and sign .) Send to . As the prover, engage with in the following interactive zero-knowledge proofs of knowledge: a proof that are correctly set up and that is an encryption of under ; for to , a proof that each encrypts a bit. Upon receiving , decrypt and output .


Fig. 4. Copyright violator identification and arbitration protocol performed among the seller, the judge, and the deanonymization authority.

• . Receive message . Parse as . Run and abort if the output is 0. As the verifier, engage in the execution of the interactive proofs and, for to , , and abort if any of them is not correct. Pick random and, for to , compute . Pick random unique and, for to , encrypt . Set the watermark to be embedded as , and let its bitwise encryption be . Perform the watermark embedding operation in the encrypted domain to obtain an encrypted watermarked content . Send and output transaction information .

• Tab . Execute the watermark detection algorithm to obtain the watermark , parse the table entry , compute and output .

• . Parse as and as . Run and abort if the output is 0. Decrypt to obtain . For to , decrypt to obtain . Check whether . If it is the case, output and . Otherwise output and .

• . Parse as . Run to obtain an identity and a proof . Output .

• . Parse as . Run to obtain a bit . Output .
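The purchase and arbitration steps above, together with the exclusive-or function of Section III, as an added Python model (example code, not the authors' implementation): the buyer encrypts its random string bitwise under a fresh Paillier key, the seller computes the bitwise encryption of the watermark homomorphically without learning it, and the judge recomputes the watermark from the table entry and compares it with the detected one. The tiny Paillier demo primes, the layout w = rho || (beta XOR sigma) and the direct hand-over of the buyer's secret key to the judge are assumptions of the example; the group signature, the zero-knowledge proofs and the encrypted-domain embedding are left out.

```python
"""Bitwise homomorphic watermark generation and judge-side check of the BSW
purchase and arbitration phases (added example, not the paper's code). Assumed
for this example: tiny Paillier demo primes, the layout w = rho || (beta XOR
sigma), and the buyer's secret key handed to the judge in the clear."""
import math
import secrets


def keygen(p, q):
    """Paillier key pair with g = n + 1: pk = (n, n^2), sk = (lambda, mu).
    Demo primes only; Section VI measures 1024-3072-bit keys."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return (n, n * n), (lam, pow(lam, -1, n))


def enc(pk, m):
    """E(m) = (1 + n)^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, n2 = pk
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (pow(1 + n, m, n2) * pow(r, n, n2)) % n2


def dec(pk, sk, c):
    """Paillier decryption: L(c^lambda mod n^2) * mu mod n, L(x) = (x - 1) / n."""
    n, n2 = pk
    lam, mu = sk
    return ((pow(c, lam, n2) - 1) // n * mu) % n


def enc_xor_bit(pk, b, enc_c):
    """Section III function: from plaintext bit b and E(c), c a bit, output a
    fresh E(b XOR c). b = 0: E(0) * E(c) = E(c); b = 1: E(1) * E(c)^-1 =
    E(1 - c), using the additive homomorphism. The caller never learns c."""
    n2 = pk[1]
    if b == 0:
        return (enc(pk, 0) * enc_c) % n2
    return (enc(pk, 1) * pow(enc_c, -1, n2)) % n2


def int_to_bits(x, width):
    """Little-endian list of the `width` low bits of x."""
    return [(x >> i) & 1 for i in range(width)]


def buyer_request(p, q, m):
    """Buyer side: fresh key pair, random m-bit beta and its bitwise encryption
    (group signature and ZK proofs omitted). Returns (pk, sk, beta, enc_beta)."""
    pk, sk = keygen(p, q)
    beta = [secrets.randbits(1) for _ in range(m)]
    return pk, sk, beta, [enc(pk, b) for b in beta]


def seller_generate(pk, enc_beta, k, table):
    """Seller side: unique k-bit rho, random sigma and the bitwise encryption
    of w = rho || (beta XOR sigma), computed homomorphically so the seller
    never learns beta, hence never learns w. Entry stored in `table` by rho."""
    sigma = [secrets.randbits(1) for _ in range(len(enc_beta))]
    rho = secrets.randbits(k)
    while rho in table:  # rho must be unique per transaction
        rho = secrets.randbits(k)
    enc_w = [enc(pk, bit) for bit in int_to_bits(rho, k)]
    enc_w += [enc_xor_bit(pk, s, c) for s, c in zip(sigma, enc_beta)]
    table[rho] = {"pk": pk, "rho": rho, "k": k, "sigma": sigma, "enc_beta": enc_beta}
    return rho, enc_w


def detect_stand_in(pk, sk, enc_w):
    """Stands in for encrypted-domain embedding, the buyer's decryption of the
    content and the seller's later detection: the bits a detector would recover
    from a copy of this transaction. (A real buyer only sees the content.)"""
    return [dec(pk, sk, c) for c in enc_w]


def judge_arbitrate(entry, detected_w, buyer_sk):
    """Judge side: recover beta from the bitwise encryption with the buyer's
    secret key, rebuild w' = rho || (beta XOR sigma) and compare it with the
    detected watermark. True means the entry's buyer released the copy."""
    pk, sigma = entry["pk"], entry["sigma"]
    beta = [dec(pk, buyer_sk, c) for c in entry["enc_beta"]]
    if any(b not in (0, 1) for b in beta):
        return False  # honest requests prove that each E(beta_i) encrypts a bit
    w_prime = int_to_bits(entry["rho"], entry["k"])
    w_prime += [b ^ s for b, s in zip(beta, sigma)]
    return w_prime == detected_w


if __name__ == "__main__":
    table = {}
    pk, sk, beta, enc_beta = buyer_request(10007, 10009, m=16)  # demo primes
    rho, enc_w = seller_generate(pk, enc_beta, k=8, table=table)
    w = detect_stand_in(pk, sk, enc_w)
    print("guilty:", judge_arbitrate(table[rho], w, sk))
    w[-1] ^= 1  # a copy carrying a different watermark does not match
    print("guilty after a bit flip:", judge_arbitrate(table[rho], w, sk))
```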

V. SECURITY ANALYSIS

Theorem 1: This BSW scheme securely realizes .

In order to prove this theorem, we need to build a simulator that invokes a copy of adversary and interacts with and environment in such a way that ensembles IDEAL and REAL are computationally indistinguishable.

We analyze formally the security of our scheme when the seller and a subset of buyers are corrupted, and when (a subset of) buyers are corrupted. We also describe briefly the security guarantees that our scheme provides when the registration authority and the deanonymization authority are corrupted.

A. Security Analysis When Seller Is Corrupted

Claim 1: When the seller and a subset of the buyers are corrupted, the distribution ensembles IDEAL and REAL are computationally indistinguishable under the zero-knowledge property of the proofs of knowledge, the IND-CPA security of encryption schemes and , and the traceability, nonframeability, and anonymity properties of the group signature scheme.

Proof: We show by means of a series of hybrid games that the environment cannot distinguish between the real execution ensemble REAL and the simulated ensemble IDEAL with nonnegligible probability. We denote by the probability that distinguishes between the ensemble of and that of the real execution.

• : This game corresponds to the execution of the real-world protocol with a subset of honest buyers and honest , , and . Thus .

• : This game proceeds as , except that aborts if the received message-signature pair is correct according to algorithm but cannot be successfully opened through algorithm . The probability that aborts is bounded by the following lemma:

Lemma 1: Under the traceability property of the group signature scheme, .

Proof: We construct an algorithm that, if there exists an adversary that makes abort with nonnegligible probability , breaks the traceability property of the group signature scheme with nonnegligible probability . The traceability property is formally defined in [27] as a game between a challenger and an adversary. First, gives to the adversary and access to several oracles (we refer to [27] for the description of the oracles). Eventually, adversary submits a message-signature pair , and wins the game if outputs 1 and if outputs a pair such that either or outputs 0.

Algorithm operates as follows. First, receives from and sends to when queried with (crs). For each honest buyer , invokes oracle and later on oracle to obtain the secret key and the private signing key . Each time wants to register a public key of a corrupted buyer , invokes the corruption oracle . When sends a request to register a corrupted buyer , invokes oracle . simulates purchase requests by honest buyers following algorithm . Each time sends an arbitration message , runs to obtain and . If either or outputs 0, sends to break the traceability property.

• : This game proceeds as , except that aborts if, in the arbitration phase, sends a message-signature pair that algorithm opens successfully to an uncorrupted buyer’s identity and buyer did not send a signature on to . The probability that distinguishes between and is bounded by the following lemma:

Lemma 2: Under the nonframeability of the group signature scheme, .

Proof: We construct an algorithm that, if there exists an adversary that makes abort with nonnegligible probability , breaks the nonframeability property of the group signature scheme with nonnegligible probability . The nonframeability property is formally defined in [27] as a game between a challenger and an adversary. First, gives to the adversary and access to several oracles (we refer to [27] for the description of the oracles). Eventually, adversary submits a message-signature pair and a proof , and wins the game if outputs 1, if belongs to an honest user and if outputs 1.

Algorithm operates as follows. First, receives from and sends to when queried with (crs). Each time wishes to register a public key of a corrupted buyer , invokes oracle . Each time wishes to register a corrupted buyer, runs with . For every honest buyer , invokes oracle and stores the output. For each purchase request made by an honest buyer for item , computes a request message following algorithm , obtains a signature by invoking oracle , and sends to . Each time sends an arbitration message , runs to get and . If belongs to an honest buyer, did not receive before a signature by on , and outputs 1, then sends to to break the nonframeability property.

• : This game proceeds as , except that the proofs and are replaced by simulated proofs. Under the assumption that the proof system is zero-knowledge, .

• : This game proceeds as , except that the ciphertext is replaced by a ciphertext that encrypts a random message. At this point, the proof of knowledge is a simulated proof of a false statement. The probability that distinguishes between and is bounded by the following lemma:

Lemma 3: Under the IND-CPA security of the encryption scheme that consists of algorithms , .

Proof: We construct an algorithm that, given an environment that distinguishes and with nonnegligible probability, breaks the IND-CPA security of the encryption scheme with nonnegligible probability. Chosen plaintext security is formally defined through a game between a challenger and an adversary [28]. First, provides the adversary with a public key . The adversary sends two messages and . flips a coin and sends to the adversary. Finally, the adversary sends his guess and wins if is nonnegligible.

Let be the number of purchase requests. We consider a sequence of hybrid games, where, in game- , ciphertext is replaced by the encryption of a random message in the first purchase requests, while the remaining requests remain unchanged. Clearly, game-0 corresponds to and game- corresponds to . If distinguishes and with nonnegligible probability , there must be an index such that distinguishes game- from game- with nonnegligible probability .

Our algorithm operates as follows. First, receives the public key from . computes by running and sends to when queried with (crs). registers adversarial buyers as usual. computes . For to , it computes purchase requests following algorithm , except that is replaced by the encryption of a random value and by a simulated proof. For to , purchase requests are computed following algorithm . For , picks random and submits to . flips a coin and returns , and uses to compute the request. outputs a bit , which is forwarded by to .

• : This game proceeds as , except that aborts upon receiving an arbitration request , where was previously sent to and was the buyer’s watermark associated with the request . The probability that distinguishes between and is bounded by the following lemma:

Lemma 4: Under the IND-CPA security of the encryption scheme that consists of algorithms , .

Proof: Let be the number of purchase requests. We construct an algorithm that, given an adversary that makes abort with nonnegligible probability, breaks the chosen plaintext security of the encryption scheme with nonnegligible probability .

Algorithm operates as follows. First, receives the public key from . computes by running and sends to when queried with (crs). registers adversarial buyers as usual. For the first purchase request made by an honest buyer for item , picks random and, for to , encrypts bitwise using . To encrypt the last bit, sends to and receives back a ciphertext , which is used to complete the bitwise encryption of the buyer’s watermark . The rest of the request message is computed following algorithm , except that the encryption is replaced by the encryption of a random value and the proofs and are replaced by simulated proofs. (Note that knows neither nor the bit encrypted in .) The remaining requests are computed following algorithm .

sends an arbitration message that makes abort. If this arbitration message does not correspond to the first request, fails. Otherwise, if the last bit of is 0, sends to , and otherwise to .

• : This game proceeds as , except that all the group signatures of purchase requests are replaced by group signatures computed by using the same private signing key of a unique buyer. The probability that distinguishes between and is bounded by the following lemma:

Lemma 5: Under the anonymity property of the group signature scheme, .

Proof: We note that, at this point, we have already proven that is not able to frame honest buyers, who by assumption do not release pirated copies. Therefore, the identity of an honest buyer will never be revealed in the arbitration protocol, and so the change we make on the identity of the buyer that computes purchase requests cannot be detected there. We only have to prove that this change is indistinguishable at the purchase phase.

The anonymity property of dynamic group signatures is formally defined in [27] and it consists of a game between a challenger and an adversary. First, the challenger gives the adversary and access to several oracles. Then the adversary gives the challenger a message and two identities and . flips a coin and sends to adversary a group signature . wins if he guesses with nonnegligible probability.

We employ a sequence of hybrid games. Let game-0 denote the game in which all the group signatures remain unmodified, and game- denote the game in which all of them have been replaced. Clearly, game-0 corresponds to and game- corresponds to . If there is an environment that distinguishes and with nonnegligible probability , then there exists an index such that distinguishes game- and game- with nonnegligible probability . Given such , we construct an algorithm that breaks the anonymity property of the group signature scheme with nonnegligible probability . Our algorithm receives from . invokes oracle to register the new honest user employed to simulate purchase requests. follows algorithm to compute the request message . Then sends , where is the identity of the original buyer that sends the request, as its challenge. flips a coin , returns a signature of , and sends to . If , the distribution corresponds to game- , and, if , to game- . outputs a bit , which is forwarded by to challenger as its guess.

performs all the changes described in , and forwards and receives messages from as described in our simulation below.

• Setup. When sends a request (crs) to obtain , runs to obtain the group public key , the issuer’s secret key , and the opening secret key . sends to . When sends a request retrieve , runs in order to generate a key pair and sends retrieve to .

• Registration. Upon receiving a registration request from , executes the interactive algorithm on input . If the execution ends successfully, stores in and sends (register) to on behalf of . knows the identity of the corrupted buyer because the communication channel is authenticated.

• Purchase. Upon receiving buyrequest from , if this is the first request runs to obtain a user key pair and algorithms and on input and , respectively, to obtain a private signing key . This key is used to simulate all the requests. follows the interactive algorithm with all the changes described until to compute a request for item and receive watermarked content . stores the request along with in the request table and sends reqresp to .

• Release. Upon receiving a pirated copy from , sends release to and stores in a table of released copies.

• Arbitration. When sends , parses as , verifies , and checks if encrypts . If it is not the case, sends detect to , receives detresp , and forwards detresp to . Otherwise runs and obtains an identifier and a proof . ( aborts if fulfills any of the conditions described in the sequence of games.) Then proceeds as follows:

— If corresponds to an adversarial buyer, chooses any of the pirated copies and sends detect to . returns detresp , which is forwarded to .

— If corresponds to the buyer used by to simulate purchases, sends detect to . (Note that we assume that honest buyers never release pirated copies.) returns detresp , which is forwarded to .

The distribution produced in is identical to that of our simulation. By summation we have that .

B. Security Analysis When Buyers Are Corrupted

Claim 2: When only (a subset of) the buyers are corrupted, the distribution ensembles IDEAL and REAL are computationally indistinguishable under the traceability and nonframeability properties of the group signature scheme and the collusion resistance of the watermarking scheme.

Proof: We show by means of a series of hybrid games that the environment cannot distinguish between the real execution ensemble REAL and the simulated ensemble IDEAL with nonnegligible probability.

• : This game corresponds to the execution of the real-world protocol with honest , , , and . Therefore, .

• : This game proceeds as , except that aborts if the received message-signature pair is correct but cannot be opened through algorithm . The probability that aborts is bounded by the following lemma:


Lemma 6: Under the traceability property of the group signature scheme, .

The proof of this lemma follows the proof of traceability given in Section V-A.

• : This game proceeds as , except that aborts if the received message-signature pair is opened correctly to an uncorrupted buyer’s identity . The probability that aborts is bounded by the following lemma:

Lemma 7: Under the nonframeability property of the group signature scheme, .

The proof of this lemma follows the proof of nonframeability given in Section V-A.

• : This game operates as , except that the string that is used to compute the watermark embedding is replaced by a random string. Since the strings and are picked at random by the honest seller, is a random string that leaks no information on . Therefore, .

• : This game operates as , except that aborts if releases a watermarked content whose watermark does not equal that of any of the watermarked contents previously received by . The probability that aborts is bounded by the following lemma:

Lemma 8: Under the assumption that the watermarking scheme is collusion resistant, .

We construct an algorithm that, given an adversary that makes abort with nonnegligible probability, breaks the collusion-resistant property of the watermarking scheme with nonnegligible probability. interacts with the challenger of the collusion resistant game described in Definition 1. First, receives the challenge from . computes by running and sends to when queried with (crs). registers adversarial buyers as usual. When receiving a purchase request for item , replies by encrypting a not previously used with . (We assume that item 1 is requested no more than times.) For other purchases, replies as usual. Eventually, releases a pirated copy whose watermark does not equal any of the watermarks embedded in . forwards to .

performs all the changes described in , and forwards and receives messages from as described in our simulation below.

• Setup. When sends a request (crs) to obtain , runs to obtain the group public key , the issuer’s secret key and the opening secret key . sends to . When sends a request register to register the public key of buyer , stores . When sends a request retrieve , runs in order to generate a key pair and sends retrieve to .

• Registration. Upon receiving a registration request from , behaves as in Section V-A.

• Purchase. Upon receiving from , checks whether is correct. As verifier, executes the proofs and, for to , , and ignores the request if any of them fails. runs , parses as , and sends request to on behalf of . returns reqresp . computes and sends to .

• Release. Upon receiving a pirated copy from , sends release to .

The distribution produced in is identical to that of our simulation. By summation, we have that .

TABLE I. LEVELS OF TRUST IN AUTHORITIES FOR EACH SECURITY PROPERTY

C. Security Analysis When Other Parties Are Corrupted

We do not formally analyze the security of our scheme in these cases since in practical application scenarios the registration authority and the deanonymization authority are trusted. We note that the security of our scheme relies on the security of the group signature scheme. In our scheme, acts as the issuer of the group signature scheme, and acts as the opener. Bellare et al. [27] analyze the security of the group signature scheme when the adversary corrupts the issuer and the opener. In Table I, they describe the maximum level of corruption that the scheme tolerates so that anonymity, traceability, and nonframeability still hold. (Partial corruption means that the secret key of a party is revealed to the adversary, but the adversary cannot influence the behavior of that party.) Interestingly, nonframeability holds even when the issuer and the opener are fully corrupted. Therefore, our scheme protects honest buyers from being falsely accused when , , and are corrupted. We recall that we assume that the judge is always uncorrupted.

VI. IMPLEMENTATION

The efficiency of the proposed solution is verified by running a practical implementation of the BSW protocol on a network of general purpose personal computers. The implementation consists of a set of four programs, each implementing a different entity of the protocol. The seller , the buyer , and the judge are implemented as separate programs. The functionalities of the registration authority and the deanonymization authority are implemented in a single program. All tested programs have been implemented in C using the GNU Multi-Precision (GMP) library [35] and the NTL library [36] and communicate with each other via TCP, using the standard socket library provided by the Linux operating system. As to encrypted domain watermark embedding, the proposed solution is based on the efficient composite embedding strategy presented in [23], using a quantization scale factor . Such a strategy permits an encrypted domain implementation of several watermarking algorithms, achieving a robustness very close to that of the corresponding plaintext implementations. For details on the above implementation, the reader is referred to [23].


TABLE II. EXECUTION TIMES (IN SECONDS) IN THE WATERMARK GENERATION AND EMBEDDING PROTOCOL VERSUS THE NUMBER OF BITS OF PAILLIER’S KEY

TABLE III. EXCHANGED KBYTES IN THE WATERMARK GENERATION AND EMBEDDING PROTOCOL VERSUS THE NUMBER OF BITS OF PAILLIER’S KEY

The buyer and the judge have been tested on an Intel(R) Core(TM)2 Quad CPU at 2.40 GHz, used as a single processor. The seller has been tested on an AMD Athlon 64 at 2.40 GHz. The registration/deanonymization authority has been tested on an Intel(R) Centrino(TM) at 1.7 GHz. The machines were connected by a 100-Mb/s LAN. We tested two different image sizes, 512 × 512 and 1024 × 1024, and two different watermark lengths, and . In order to investigate the effects of security parameters on the complexity, since the number of group signature operations is negligible with respect to the number of Paillier’s encryptions, we only change the encryption security parameters. Three different security levels for Paillier’s cryptosystem were considered, using keys with 1024, 2048, and 3072 bits, whereas the group signature scheme used 2048-bit keys.

For each entity, we measured the exchanged bytes and the actual computation time. The most computationally expensive protocol was the Watermark Generation and Embedding Protocol. The execution time of the Identification and Arbitration Protocol was always less than 2% of the execution time of the Watermark Generation and Embedding Protocol, whereas for the Registration Protocol, the overall execution time was always below 500 ms, so its complexity is negligible with respect to the other phases. The execution times and the total amount of data exchanged in the Watermark Generation and Embedding Protocol are given in Tables II and III, respectively.

The implementation results show that the execution time of the protocol on a 512 × 512 image is within 1 min when using the lower security level, whereas it grows to about 9 min when using the higher security level. The overall complexity is dominated by the computation time of the seller, which is about four times higher than the computation time of the buyer. The communication complexity is dominated by the encryption of the image; however, thanks to the composite representation, it is almost insensitive to the security level. Considering the foreseeable evolution of the computational and network capacity of modern systems, the results suggest that the proposed technique can be successfully used in practical applications in the near future.

VII. CONCLUSION AND FUTURE WORK

We have proposed a security definition for copyright protection protocols in the ideal-world/real-world paradigm. Furthermore, we have analyzed the security of an anonymous BSW protocol and proven that it fulfills our definition. Particularly, we have shown that the protocol is secure against any p.p.t. adversary when instantiated with a watermarking scheme, an encryption scheme, a group signature scheme, and zero-knowledge proofs of knowledge that provide security against any p.p.t. adversary. Unlike the other building blocks, no watermarking scheme has been proven to offer this security level, and thus the actual security of the protocol against malicious buyers is lowered to the security offered by the watermarking scheme.

Further research needs to be conducted to adapt or extend our definition to protocols that offer additional properties. For example, one desirable property for e-commerce protocols is transaction fairness [37], and thus defining and designing privacy-preserving fair BSW protocols is an interesting goal.

REFERENCES

[1] I. J. Cox, M. L. Miller, and J. A. Bloom, Digital Watermarking: Principles & Practice, ser. The Morgan Kaufmann Series in Multimedia Information and Systems. San Mateo, CA: Morgan Kaufmann, 2001.

[2] M. Barni and F. Bartolini, Watermarking Systems Engineering: Enabling Digital Assets Security and Other Applications, 1st ed. Boca Raton, FL: CRC Press, Feb. 2004.

[3] J. Brassil, S. H. Low, N. F. Maxemchuk, and L. O'Gorman, "Electronic marking and identification techniques to discourage document copying," IEEE J. Sel. Areas Commun., vol. 13, no. 8, pp. 1495–1504, Oct. 1995.

[4] D. Boneh and J. Shaw, "Collusion-secure fingerprinting for digital data," LNCS, vol. 963, pp. 452–465, 1995.

[5] Z. J. Wang, M. Wu, H. V. Zhao, W. Trappe, and K. J. R. Liu, "Anti-collusion forensics of multimedia fingerprinting using orthogonal modulation," IEEE Trans. Image Process., vol. 14, no. 6, pp. 804–821, Jun. 2005.

[6] W. Trappe, M. Wu, Z. J. Wang, and K. J. R. Liu, "Anti-collusion fingerprinting for multimedia," IEEE Trans. Signal Process., vol. 51, no. 4, pp. 1069–1087, Apr. 2003.

[7] K. J. R. Liu, W. Trappe, Z. J. Wang, M. Wu, and H. Zhao, Multimedia Fingerprinting Forensics for Traitor Tracing, ser. EURASIP Book Series on Signal Processing and Communications. New York: Hindawi Publishing Co., 2005.

[8] D. Grover, "The protection of computer software: Its technology and applications," in The British Computer Society Monographs in Informatics. Cambridge, U.K.: Cambridge Univ. Press, 1992.

[9] G. R. Blakley, C. Meadows, and G. B. Purdy, "Fingerprinting long forgiving messages," in CRYPTO, ser. Lecture Notes in Computer Science, H. C. Williams, Ed. New York: Springer, 1985, vol. 218, pp. 180–189.

[10] D. Boneh and J. Shaw, "Collusion-secure fingerprinting for digital data (extended abstract)," in CRYPTO, ser. Lecture Notes in Computer Science, D. Coppersmith, Ed. New York: Springer, 1995, vol. 963, pp. 452–465.

[11] L. Qian and K. Nahrstedt, "Watermarking schemes and protocols for protecting rightful ownership and customer's rights," J. Vis. Commun. Image Represent., vol. 9, no. 3, pp. 194–210, Sep. 1998.

[12] B. Pfitzmann and M. Schunter, "Asymmetric fingerprinting," in Adv. in Cryptology—EUROCRYPT '96, LNCS 1070, 1996, pp. 84–95.

[13] B. Pfitzmann and M. Waidner, "Anonymous fingerprinting," in Adv. in Cryptology—EUROCRYPT '97, 1997, pp. 88–102.

[14] I. Biehl and B. Meyer, "Protocols for collusion-secure asymmetric fingerprinting," in Proc. 14th STACS, LNCS 1200, 1997, pp. 213–222.

[15] A. Adelsbach, B. Pfitzmann, and A.-R. Sadeghi, "Proving ownership of digital content," in Information Hiding, ser. Lecture Notes in Computer Science, A. Pfitzmann, Ed. New York: Springer, 1999, vol. 1768, pp. 117–133.

[16] B. Pfitzmann and A.-R. Sadeghi, "Anonymous fingerprinting with direct non-repudiation," in ASIACRYPT, ser. Lecture Notes in Computer Science, T. Okamoto, Ed. New York: Springer, 2000, vol. 1976, pp. 401–414.


[17] J. Camenisch, "Efficient anonymous fingerprinting with group signatures," in ASIACRYPT, ser. Lecture Notes in Computer Science, T. Okamoto, Ed. New York: Springer, 2000, vol. 1976, pp. 415–428.

[18] N. D. Memon and P. W. Wong, "A buyer-seller watermarking protocol," IEEE Trans. Image Process., vol. 10, no. 4, pp. 643–649, Apr. 2001.

[19] H.-S. Ju, H.-J. Kim, D.-H. Lee, and J.-I. Lim, "An anonymous buyer-seller watermarking protocol with anonymity control," Inf. Security Cryptology, pp. 421–432, Nov. 2002.

[20] C.-L. Lei, P.-L. Yu, P.-L. Tsai, and M.-H. Chan, "An efficient and anonymous buyer-seller watermarking protocol," IEEE Trans. Image Process., vol. 13, no. 12, pp. 1618–1626, Dec. 2004.

[21] J. Zhang, W. Kou, and K. Fan, "Secure buyer-seller watermarking protocol," Proc. Inst. Elect. Eng. Information Security, vol. 153, no. 1, pp. 15–18, Mar. 2006.

[22] S. Katzenbeisser, A. Lemma, M. U. Celik, M. van der Veen, and M. Maas, "A buyer-seller watermarking protocol based on secure embedding," IEEE Trans. Inf. Forensics Security, vol. 3, no. 4, pp. 783–786, Dec. 2008.

[23] M. Deng, T. Bianchi, A. Piva, and B. Preneel, "An efficient buyer-seller watermarking protocol based on composite signal representation," in Proc. 11th ACM Workshop on Multimedia and Security, Princeton, NJ, 2009, pp. 9–18.

[24] R. Canetti, "Universally composable security: A new paradigm for cryptographic protocols," in Proc. 42nd IEEE Symp. Foundations of Computer Science, 2001, pp. 136–145.

[25] M. Deng, T. Bianchi, A. Piva, A. Rial, and B. Preneel, "Anonymous buyer–seller watermarking protocols—Part II: Efficient implementations," IEEE Trans. Inf. Forensics Security, submitted for publication.

[26] D. Chaum and E. van Heyst, “Group signatures,” in EUROCRYPT,1991, pp. 257–265.

[27] M. Bellare, H. Shi, and C. Zhang, "Foundations of group signatures: The case of dynamic groups," in CT-RSA, ser. Lecture Notes in Computer Science, A. Menezes, Ed. New York: Springer, 2005, vol. 3376, pp. 136–153.

[28] S. Goldwasser and S. Micali, "Probabilistic encryption," J. Comput. Syst. Sci., vol. 28, no. 2, pp. 270–299, 1984.

[29] P. Paillier, "Public-key cryptosystems based on composite degree residuosity classes," in EUROCRYPT, 1999, pp. 223–238.

[30] I. Damgård and M. Jurik, "A generalisation, a simplification and some applications of Paillier's probabilistic public-key system," in Public Key Cryptography, ser. Lecture Notes in Computer Science, K. Kim, Ed. New York: Springer, 2001, vol. 1992, pp. 119–136.

[31] M. Bellare and O. Goldreich, "On defining proofs of knowledge," in CRYPTO '92, E. F. Brickell, Ed., 1992, vol. 740, pp. 390–420, Springer-Verlag.

[32] J. Camenisch and M. Stadler, "Proof systems for general statements about discrete logarithms," Institute for Theoretical Computer Science, ETH Zürich, Tech. Rep. TR 260, Mar. 1997.

[33] J. Camenisch and V. Shoup, "Practical verifiable encryption and decryption of discrete logarithms," in CRYPTO, ser. Lecture Notes in Computer Science, D. Boneh, Ed. New York: Springer, 2003, vol. 2729, pp. 126–144.

[34] G. Poupard and J. Stern, "Fair encryption of RSA keys," in EUROCRYPT, 2000, pp. 172–189.

[35] GNU Multiple Precision Arithmetic Library [Online]. Available: http://gmplib.org/

[36] NTL: A Library for Doing Number Theory [Online]. Available: http://www.shoup.net/ntl/

[37] S. Kremer, "Formal analysis of optimistic fair exchange protocols," Ph.D. dissertation, Université Libre de Bruxelles, Brussels, Belgium, 2004.

[38] T. Okamoto, Ed., Advances in Cryptology—ASIACRYPT 2000, Proc. 6th Int. Conf. Theory and Application of Cryptology and Information Security, Kyoto, Japan, Dec. 3–7, 2000, ser. Lecture Notes in Computer Science, vol. 1976. Springer.

Alfredo Rial received the Master's degree in telecommunication engineering from the Universidade de Vigo, Spain, in 2008. Currently he is working toward the Ph.D. degree at Katholieke Universiteit Leuven, Belgium, under the supervision of Prof. B. Preneel.

His research interests include public key cryptography, cryptographic protocol design, and privacy.

Mina Deng received the M.Sc. degree in electrical engineering and the Ph.D. degree in engineering (cryptography) from the Katholieke Universiteit Leuven, Belgium, in 2004 and 2010, respectively.

She is currently a researcher at the Computer Security and Industrial Cryptography (COSIC) Research Laboratory, Department of Electrical Engineering, Katholieke Universiteit Leuven, Belgium. She also works as a scientific researcher for the Interdisciplinary Institute for BroadBand Technology (IBBT), Belgium. Her research interests include applied cryptography, content protection, security and privacy, and identity management.

Tiziano Bianchi (S'03–M'05) was born in Prato, Italy, in 1976. He received the M.Sc. degree (Laurea) in electronic engineering and the Ph.D. degree in information and telecommunication engineering from the University of Florence, Italy, in 2001 and 2005, respectively.

Since March 2005, he has been with the Department of Electronics and Telecommunications, University of Florence, as a Research Assistant. His research interests have involved processing of SAR images, signal processing in communications, multicarrier modulation techniques, and ultra-wideband systems. Current research topics include multimedia security technologies and signal processing in the encrypted domain.

Alessandro Piva (M'04–SM'10) received the Ph.D. degree in computer science and telecommunications engineering from the University of Florence in 1999.

From 2002 to 2004, he was a Research Scientist at the National Inter-University Consortium for Telecommunications. He is at present Assistant Professor at the University of Florence, Firenze, Italy. His current research interests are the technologies for multimedia content security, and image processing techniques for the Cultural Heritage field. He is coauthor of more than 100 papers published in international journals and conference proceedings.

Dr. Piva holds three Italian patents and an international one regarding watermarking. He serves as Associate Editor of the IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, of the EURASIP Journal on Information Security, and of the LNCS Transactions on Data Hiding and Multimedia Security.

Bart Preneel (S'85–M'87) received the M.S. degree in electrical engineering and the Ph.D. degree in applied sciences (cryptology) from the Katholieke Universiteit Leuven, Belgium, in 1987 and 1993, respectively.

He is currently Full Professor with the Katholieke Universiteit Leuven, Leuven, Belgium. He was Visiting Professor at five universities in Europe and was a Research Fellow with the University of California at Berkeley. He has authored and coauthored more than 300 reviewed scientific publications and is the inventor of three patents. His main research interests are cryptography and information security.

Prof. Preneel is President of the International Association for Cryptologic Research (IACR) and of the Leuven Security Excellence Consortium (L-SEC vzw.), an association of 60 companies and research institutions in the area of e-security.