buyer-seller watermarking (bsw) protocols
DESCRIPTION
Geong Sen Poh 31 Oct 2006. Buyer-Seller Watermarking (BSW) Protocols. Outline. Introduction Motivation Development of BSW Goals, Methodology and Assumptions Protocols Memon-Wong Protocol (MW) Lei et al. Protocol (Lei) Zhang et al. Protocol (Zhang) Analysis of Zhang et al. Protocol - PowerPoint PPT PresentationTRANSCRIPT
Buyer-Seller Watermarking (BSW) Protocols
Geong Sen Poh
31 Oct 2006
2
Outline
Introduction Motivation Development of BSW Goals, Methodology and Assumptions
Protocols Memon-Wong Protocol (MW) Lei et al. Protocol (Lei) Zhang et al. Protocol (Zhang)
Analysis of Zhang et al. Protocol Summary
3
Motivation
How can the seller identifies buyers that illegally distributed songs, movies etc.? The seller can embeds unique watermarks…
songs, movies etc.
£££££ £££££
Seller
Buyer
Distributes copies
4
Motivation BUT…
The seller is the entity that generates and embeds the watermark into a digital work
If illegal copies are found and a buyer is identified through the embedded watermark, the buyer can claim that he/she is framed by the seller since the seller can embed the buyer’s watermark into any digital work.
SO…
Buyer-Seller Watermarking Protocol
5
Development of BSW
MW
Choi Attack I Goi Attack I
Choi II Goi Attack II
Lei
Zhang
1998
2003 2004
2005 2005
2004
2006
IWDW
ACNS ACNS
IEEE
EUC
IEEE
IEE
Ju
2003 ICISC
6
Goals No Framing
An honest buyer should not be falsely accused by a malicious seller or other buyers
No Repudiation The buyer accused of reselling an unauthorised copy should not be
able to claim that the copy was created by the seller or a security breach of the seller’s system
Traceability A buyer who has illegally distributed digital works can be traced
Collusion Tolerance An attacker should not be able to find, generate, or delete the
fingerprint by comparing the marked copies, even if they have access to a large number of copies
Anonymity A buyer should be able to buy anonymously
Unlinkability Given two marked digital works, no one can decide whether or not
they were bought by the same buyer
B. M. Goi, R. C.-W. Phan, Y. Yang, F. Bao, R. H. Deng and M. U. Siddiqi, Cryptanalysis of Two Anonymous Buyer-Seller Watermarking Protocols and an Improvement for True Anonymity, ACNS 2004, LNCS 3089, pp. 369-382, 2004
7
Methodology
Interactive Protocol Registration Buy and Sell Identification and Arbitration
Seller does not know the watermarkBuyer does not know the embedded
watermark
8
Principals Involved
Buyer (B)Seller (S)Certificate Authority (CA)
Fully trusted Issues certificates to WCA, A, B, and S
Watermark Certificate Authority (WCA) Fully trusted Issues and certifies buyer’s watermark
Arbiter (A) Fully trusted Resolves dispute between B and S
9
Assumptions
Each of the principals involved (e.g. buyer and seller) has a CA certified public and private key pair, (PKi, SKi) for i the identity of the principal
The public-key encryption algorithm is homomorphic
10
Homomorphic Encryption
E(x) + E(y) = E(x + y) E(x) E(y) = E(x y) Example: RSA
Paillier homomorphic encryption (in Zhang Protocol):E(x) E(y) = E(x + y)If the public key is: n,e then:
E(x1) E(x2) = x1
ex2e mod n
= (x1x2)e mod n= E(x1 x2)
11
MW Protocol
WCA
S B
O’ = O * WS
σ(EPKB(WB)) = EPKB(σ(WB))EPKB(O’) * EPKB(σ(WB)) = EPKB(O’ * σ(WB))
Request watermark
EPKB (W
B ), SignW
CA (EPKB (W
B ))
B = BuyerS = SellerWCA = Watermark Certificate AuthorityO = Original WorkO’ = Marked WorkWk = k’s Watermark
EPKB(WB), SignWCA(EPKB(WB))
σ = Random permutation of degree n* = Embedding algorithmEk(.) = Encrypt with k’s public keySignk(.) = Sign with k’s private key
EPKB(O’ * σ(WB))
DSKB(EPKB(O’ * σ(WB))) = O’ * σ(WB)
• Generate WB
Registration, Buy and Sell
S does not know the watermark
B does not know the embedded watermark
12
MW Protocol
A
S B
Request private key
Private key
σ, EPKB
(WB),
Sign WCA(E PKB
(WB)),
Y
B = BuyerS = SellerA = ArbiterWCA = Watermark Certificate AuthorityO = Original WorkO’, O” = Marked WorkY = Illegal copyWk = k’s Watermark
σ = Random permutation of degree n* = Embedding algorithmEk(.) = Encrypt with k’s public keySignk(.) = Sign with k’s private key
On discovering an illegal copy of O’, say Y, S can determine B by detecting σ(WB)
embedded using a watermark detection algorithm and search the buyer details from his database.
Identification and Arbitration
13
Issue with MW
MW Protocol achieved: No Framing No repudiation Traceability
But… No anonymity, No unlinkability for the buyers
14
Lei Protocol
CA BpkB
CertCA(pkB)
• Generate (skB,pkB)• Generate certCA(pkB)
B = BuyerS = SellerO = Original WorkO’, O” = Marked WorkWk = k’s Watermark
ARG = An agreement between the buyer and the seller* = Embedding algorithmEk(.) = Homomorphic encrypt with k’s public keyDk(.) = Homomorphic decrypt with k’s private keySignk(.) = Sign with k’s private key(skB,pkB), (sk’, pk’) = Buyer generated random key pair
Registration
Anonymous key pair
15
Lei Protocol
WCA
S B
• Generate (sk’,pk’) for this transaction• s = Signsk’(ARG)• Generate CertpkB(pk’)
B = BuyerS = SellerWCA = Watermark Certificate AuthorityO = Original WorkO’, O” = Marked WorkWk = k’s Watermark
ARG = An agreement between the buyer and the seller* = Embedding algorithmEk(.) = Homomorphic encrypt with k’s public keyDk(.) = Homomorphic decrypt with k’s private keySignk(.) = Sign with k’s private key(skB,pkB), (sk’, pk’) = Buyer generated random key pair
CertCA(pkB), CertpkB(pk’), ARG, s
• O’ = O * WS
Epk’(O’ * WB)
• Epk’(O’) * Epk’(WB) = Epk’(O’ * WB)
Cert pkB(pk’), A
RG, s, O’
E pk’(WB), E WCA
(W B), S WCA
, pk’, s
• Generate WB
• SWCA= SignWCA(WB)
Dsk’(Epk’(O’ * σ(WB))) = O’ * σ(WB)
Buy and Sell
Unlinkable key pair
S & B do not know the watermark
17
Lei ProtocolIdentification and Arbitration
S = SellerA = ArbiterWCA = Watermark Certificate AuthorityO = Original WorkO’, O” = Marked WorkY = Illegal CopyWk = k’s Watermark
ARG = An agreement between the buyer and the seller* = Embedding algorithmDet(. , .) = Detection algorithmEk(.) = Homomorphic encrypt with k’s public keyDk(.) = Homomorphic decrypt with k’s private keySignk(.) = Sign with k’s private key(skB,pkB), (sk’, pk’) = Buyer generated random key pair
A
S
WCAEWCA(WB)
WB
O’, Y, C
ert CA(pk B
), Cert pkB
(pk’), ARG, s,
E pk’(WB), E WCA
(W B), S WCA
• W’ = Det(Y)• W’ = WB ?
On discovering an illegal copy of O’, say Y, S carries out the following steps:
18
Zhang Protocol
Similar to Lei Protocol except that there is no WCA No need WCA to generate and certify watermark:
S generates his part of the watermark B generates his part of the watermark The final watermark embedded in the digital work is the
combination of S and B’s watermarks
19
Zhang Protocol
CA BpkB
CertCA(pkB)
• Generate (skB,pkB)• Generate certCA(pkB)
B = BuyerCA = Certificate AuthorityO = Original WorkO’, O” = Marked WorkOf = Illegal CopyWk = k’s Watermark
ARG = An agreement between the buyer and the sellerSECi = Secret string of i* = Embedding algorithmEk(.) = Homomorphic encrypt with k’s public keyDk(.) = Homomorphic decrypt with k’s private keySignk(.) = Sign with k’s private key(skB,pkB), (sk’, pk’) = Buyer generated random key pair
Registration
20
Zhang Protocol
S B
• Generate (sk’,pk’) for this transaction• Generate a secret SECB
• e = Epk’(SECB)• s = Signsk’(Epk’(SECB), ARG)• Generate CertpkB(pk’)
B = BuyerS = SellerO = Original WorkO’, O” = Marked WorkOf = Illegal CopyWk = k’s Watermark
ARG = An agreement between the buyer and the sellerSECi = Secret string of i* = Embedding algorithmEk(.) = Homomorphic encrypt with k’s public keyDk(.) = Homomorphic decrypt with k’s private keySignk(.) = Sign with k’s private key(skB,pkB), (sk’, pk’) = Buyer generated random key pair
CertCA(pkB), CertpkB(pk’), ARG, e, s
• O’ = O * WS
• Epk’(WB) = Epk’(SECS)(Epk’(SECB) = Epk’(SECS + SECB)• Epk’(O’) * Epk’(WB) = Epk’(O’ + WB)
Epk’(O’ * WB)
Dsk’(Epk’(O’ + WB)) = O’ + WB
Buy and Sell
21
Zhang Protocol
B = BuyerS = SellerA = ArbiterCA = Certificate AuthorityO = Original WorkO’ = Marked WorkY = Illegal CopyWk = k’s Watermark
ARG = An agreement between the buyer and the sellerSECi = Secret string of i* = Embedding algorithmDet(. , .) = Detection algorithmEk(.) = Homomorphic encrypt with k’s public keyDk(.) = Homomorphic decrypt with k’s private keySignk(.) = Sign with k’s private key(skB,pkB), (sk’, pk’) = Buyer generated random key pair
A
S
CACertCA(pkB), CertpkB(pk’), e
SECB
O’, Y, C
ert CA(pk B
), Cert pkB
(pk’), ARG, e, s,
SEC S
• Found Y
• Compute WB = SECS + SECB
• W’ = Det(Y)• W’ = WB ?
B
e =
Epk’ (S
EC
B )
SE
CB
• Dsk’(Epk’(SECB)) = SECB
Identification and Arbitration
22
Analysis of Zhang et al. Protocols
Issues Buyer can remove his part of the watermark
easily since… O’ + WB = O’ + SECS + SECB and Buyer knows SECB, to remove… O’ + SECS + SECB – SECB
23
Summary
The motivation of BSW The proposals to date
MW, Lei and Zhang The issues
No formal security model, protocols designed in ad hoc manner
Current focus To continue analyse other proposals (Ju, Choi,
Goi), with issues when parties collude with each others (Seller colludes with WCA etc.)
Thank You