The Computer Journal Advance Access published March 13, 2014 © The British Computer Society 2014. All rights reserved. For Permissions, please email:
[email protected] doi:10.1093/comjnl/bxu015
Watermarking Protocols: Problems, Challenges and a Possible Solution
Franco Frattolillo∗
Department of Engineering, University of Sannio, Benevento, Italy
∗Corresponding author: [email protected]
Keywords: watermarking protocols; digital watermarking; digital copyright
Received 30 May 2012; revised 4 February 2014
Handling editor: Fionn Murtagh
1. INTRODUCTION
In recent years, the growth of networked multimedia systems promoted by content digitalization has widely increased the possibilities to reproduce and distribute information. Digitalization allows for copying without loss of quality at a very low cost, whereas the Internet facilitates the access to and the distribution of information. Therefore, the ease with which unauthorized copies of digital content can be made, together with the wide spreading of file-sharing services enabled by peer-to-peer software platforms, has caused the problem of copyright protection of multimedia data. Moreover, the growing concern about the protection of digital copyright is posing relevant challenges and motivates the development of technological solutions geared to preventing economic losses due to piracy for web content providers (CPs). Digital watermarking [1] is emerging as one of the most appropriate techniques that aims at implementing copyright protection of digital content distributed on the Internet. It consists in inserting a proprietary mark, called ‘watermark’, in the content distributed on the web, which may be easily retrieved by the owner to verify ownership or authenticity. As a signature, the watermark can be also used as a ‘fingerprint’ to identify content consumers, since each distributed copy of content can be individually marked with the fingerprint of the
consumer [2, 3]. Thus, each authorized copy of content carries a unique watermark which links the copy to the consumer who receives it. Therefore, if the watermarking algorithm proves to be robust against intentional attacks and signal processing modifications, such as lossy compression or filtering, and shows good anticollusion properties [2–5], upon discovery of an unauthorized copy of a multimedia file (e.g. on a peer-to-peer network), it should be possible to trace the originator of the copy, since the watermark present in it can reveal the identity of the consumer who originally bought the copied content. However, digital watermarking needs to be used in combination with appropriate web protocols able to manage the whole process of content protection and web-based distribution, in order to protect digital copyright and privacy rights for the seller and the buyer before, during and after the purchase activities taking place in e-commerce transactions. These protocols, called ‘watermarking protocols’, define appropriate infrastructures which support digital rights management processes for digital content in e-commerce transactions, and provide mechanisms for tracking down improper use of digital content that is owned and then distributed by CPs [6, 7]. Over the last decade, a variety of relevant watermarking protocols have been proposed in the literature [7–19], all allowing CPs to embed in distributed content both the providers’
Section D: Security in Computer Systems and Networks The Computer Journal, 2014
Downloaded from http://comjnl.oxfordjournals.org/ by guest on March 14, 2014
Digital watermarking is recognized as an innovative technique developed to deal with the problem of copyright protection of digital content distributed on the Internet. Such a technique can address the problem of asserting authorship but cannot directly solve the problem of determining accountability when piracy occurs. Therefore, it is necessary to implement watermarking protocols to determine whether a user illegally possesses content distributed by content providers as well as to protect the entire digital asset of the web-based distribution and of the associated rights. In this paper, the author reviews and discusses merits and limitations of relevant proposals existing in the literature in the field of watermarking protocols, identifies open issues and challenges, and presents a novel watermarking protocol able both to solve specific documented problems and to meet the requirements of robustness, security, modularity and flexibility needed in the current models of web-based content distribution.
2. RELATED WORK
One of the first and relevant examples of watermarking protocols proposed in the literature is the ‘buyer–seller’ protocol presented in [8]. This protocol, as many others [7, 9, 11–19], tries first to solve the piracy tracing problem. This means that the protocol has to enable a CP to determine whether a user illegally possesses a digital content as well as who has appropriately purchased a content and then illegally shared it via, for example, peer-to-peer network applications. Furthermore, the protocol should also make it possible to collect undeniable proof against the malicious accusation of a CP or the repudiation from an illegal distributor [3, 7]. To achieve these goals, the protocol employs, for the first time, a solution based on a public-key infrastructure (PKI) and on three main entities: the seller, the buyer and the WCA. The basic idea consists in preventing the seller from direct access to the final watermarked copy, in order to specifically solve the customer’s right problem. This problem arises if the protocol does not prevent a malicious CP from fabricating piracy to frame an innocent buyer. In fact, a CP could make and distribute a copy of a digital content purchased by a buyer and then accuse the buyer of illegal
distribution [9]. To avoid such a situation, the buyer initially requests a valid watermark from the WCA. The WCA generates the watermark, encrypts it with the buyer’s public key and sends it back to the buyer after having digitally signed it. In particular, the applied encryption function is assumed to be ‘privacy-homomorphic’ [9] with respect to the watermarking scheme adopted by the protocol. As a result, the buyer can forward the encrypted and signed watermark to the seller, who can manipulate and insert it into the content to be protected in the encrypted domain. This means that the encrypted watermark can be directly inserted into the content encrypted with the buyer’s public key. Finally, the buyer receives the watermarked content encrypted with his/her public key, and decrypts it with his/her private key, thus obtaining a correctly watermarked copy of the purchased content. Although the protocol proposed in [8] is characterized by a number of innovative ideas, it is affected by some problems. First, the protocol restricts itself to the use of ‘linear’ watermarking schemes [10], and this entails a limited flexibility in practice. Moreover, the protocol is affected by the dispute resolution problem, since it requires the participation of the suspected buyer in the phase of dispute resolution, when the protocol tries to identify the ‘traitor’, i.e. the buyer who distributed illegal replicas. In fact, a protocol should enable a CP to make appropriate adjudications without involving the suspected buyer, since, in actuality, such a buyer is very unlikely to cooperate. Furthermore, a protocol should not be based on the disposition of presuming the guilt of an uncooperative buyer, because, in the general practice of law, it is the responsibility of the accuser to prove the guilt of the defendant, not the reverse.
Finally, it is not reasonable for a protocol to depend on the cooperation between the buyer and the CP, because this could enable a malicious CP to easily harass an innocent buyer by repeatedly requiring cooperation [9]. The protocol proposed in [8] also suffers from the unbinding problem, since it allows a dishonest CP to frame an innocent buyer by transplanting the buyer’s watermark into a copy of higher-priced digital content which the buyer never bought. Thus, the CP might accuse the buyer of illegal distribution as well as obtain a compensatory payment [9]. To solve the problems reported above, a more advanced protocol has been proposed in [9]. The protocol employs a PKI to attain important achievements, such as to address, for the first time, the anonymity problem. In fact, the protocol implements the correct authentication of buyers without exposing their identities during the purchase web transactions. Thus, the protection of the buyers’ privacy against CPs during the purchase transactions is guaranteed, and CPs cannot collect sensitive data about buyers, which could be then resold to other parties or used to do criminal actions [7, 9]. Furthermore, the protocol solves the dispute resolution problem, and can exploit trusted WCAs in order both to carry out watermark insertions and to ensure a correct copyright protection process. However, the protocol allows only buyers provided with digital certificates
information to preserve the copyright and the customers’ information to identify copyright violators. These protocols are mainly based on three web entities: the buyer, the CP or seller, and the watermark certification authority (WCA), which is usually assumed to be a trusted entity responsible for monitoring and guaranteeing the whole protection and distribution process. From the analysis of these proposals it is possible to derive that most of them are not suited to be integrated into the models of business and content distribution currently adopted on the Internet [7]. In this paper, a new watermarking protocol is proposed. The protocol overcomes the limitations and drawbacks affecting existing solutions, and solves the problems caused by the contradiction between the content protection requirements, such as the CPs’ desire for copyright protection and traceability of copyright violators, versus web users’ interests, such as anonymity, transaction unlinkability, and simplicity of the actions by which digital content can be bought. In addition, the protocol has been designed according to a flexible and modular scheme, which makes it possible to adopt different watermark embedding algorithms, such as the ‘asymmetric’ [7, 9] and ‘secure’ ones [15, 20–22]. The paper is organized as follows. Section 2 discusses some of the most relevant watermarking protocols existing in the literature and identifies the main problems affecting them. Section 3 describes the main design challenges posed by the protocols examined in the previous section. Section 4 describes the proposed protocol in detail. Section 5 analyses the protocol and discusses its main achievements. In Section 6, a brief conclusion is available.
Furthermore, the absence of the WCA is compensated by the introduction of an ‘Arbitrator’, that is an entity behaving as a TTP or a WCA, and this re-proposes the conspiracy problem. Another solution to the problems caused by the presence of a WCA in a watermarking protocol is presented in [12], in which the WCA is ‘off-line’. In fact, WCA is no longer a web entity, but becomes a tamper-resistant hardware device integrated into the seller’s computer system for generating watermarks and digital signatures. Thus, it is possible to simplify the scheme of the web transactions needed to protect content. However, this makes it necessary to design and implement a device whose embedded information and programs cannot be stolen or modified. Furthermore, the protocol is affected by the ambiguity problem since it cannot avoid a double watermark insertion. The problems affecting the solution described in [12] are solved by the watermarking protocol proposed in [19]. This protocol follows the approach presented in [12], which avoids the on-line participation of a TTP. This party has to be contacted by the buyer in advance in order to run the watermark generation protocol. Then, once the watermarks sent to the buyer have been generated, the TTP acting as a WCA can be off-line during the purchase transaction, thus reducing the overhead due to its participation in each transaction between buyer and seller. However, such an approach forces the seller to implement the watermark insertion as well as perform complex security actions (i.e. simplicity problem). Moreover, the dispute resolution phase requires the buyer’s participation, thus giving rise to the dispute resolution problem. A first innovative evolution of the watermarking protocol described in [9] is presented in [14], which proposes a scheme that solves both the customer’s right problem and the unbinding problem without requiring a double watermark insertion.
Furthermore, the protocol allows the buyer to anonymously verify whether the purchased digital content is original, thus solving a new problem specifically identified by the author and called the buyer’s anonymous verification problem. In fact, in [9], the buyer sends his/her public key to the WCA through the seller in order to enable the generation of a valid watermark. This can reveal the buyer’s identity to the seller, thus enabling the buyer to claim that unauthorized copies of the purchased content might have fraudulently originated from the seller. Therefore, the protocol proposed in [14] is based on watermarks originated from anonymous buyer’s encrypted randomly generated keys, the seller’s public key and the product identification numbers generated by the WCA. This enables buyers to check the originality of the purchased digital content by verifying the embedded watermarks. Although the buyer’s anonymous verification problem could be considered as a questionable problem, the main weak point of the solution proposed in [14] consists in the simplicity and dispute resolution problems that affect the protocol. In fact, the buyer has the burden of both checking the originality of the content and participating in the ‘dispute resolution protocol’.
issued by certification authorities (CAs) to purchase digital content distributed by CPs. As a consequence, the protocol is affected by the multiple negotiation problem, since it does not support multiple interaction schemes, also called ‘negotiation mechanisms’, by which a buyer can participate in the web transactions needed to purchase a digital content distributed by a CP. To this end, it is worth noting that each negotiation mechanism defines the method adopted by the watermarking protocol to identify the buyer. Therefore, a watermarking protocol should supply more than one negotiation mechanism so as to give buyers real purchase options. Finally, the protocol proposed in [9] is characterized by two further problems named the role problem and the ambiguity problem. The role problem is caused by the adopted interaction scheme, which requires that buyers can participate in purchase transactions only if they can autonomously perform complex security actions, such as the management of the digital signature of the exchanged messages. In fact, while it is reasonable to assume that a trusted third party (TTP) or a CP can perform such actions, it appears to be questionable to make the same assumptions for the buyer, who is usually unable to watermark a digital content or generate valid watermarks and fingerprinting codes. The ambiguity problem is caused by the double watermark insertion performed by the distinct entities involved in the watermarking protocol, such as CP and WCA. In fact, multiple watermark insertions could confuse the copyright information embedded in a digital content or impair the final quality of the protected content, thus reducing its commercial value. In fact, it is well known that, when applied independently, the second watermark could confuse or discredit the authority of the first watermark, thus acting as an actual ‘ambiguity attack’ [23, 24]. 
The protocol proposed in [9] exploits a WCA to guarantee fairness to both the seller and buyer in the web-based content distribution. However, the introduction of a WCA could decrease the security level of the protocol, since it could give rise to the conspiracy problem [18, 25]. In particular, this problem arises when a dishonest CP or a malicious buyer collude with an untrustworthy third party to fabricate piracy. In fact, a CP could attempt to cause the same effects of the unbinding problem or the customer’s right problem, whereas the buyer could confound the tracing of piracy by obtaining the removal of the watermark from the purchased content. To this end, the protocol proposed in [11] does not need the assistance of a TTP, but it only involves buyer and seller. The basic idea is to generate a watermark composed of two secrets independently produced by the buyer and the seller. This prevents both buyer and seller from knowing the exact embedded watermark, which can thus neither be removed from the protected content by the buyer nor be generated by the seller to fabricate piracy. However, the proposed approach is affected by the ambiguity problem and the dispute resolution problem, since the protocol needs a double watermark insertion and the participation of the buyer in the dispute resolution phase.
two-party protocol between a ‘prover’ and a ‘verifier’, which allows the prover to prove to the verifier knowledge of some secret input that fulfills some statement without disclosing this input to the verifier. Although the protocol presented in [18] is characterized by some innovative ideas that make it collusion-resistant, the proposed solution can be considered as impractical in the web context, since it is affected by a number of relevant problems, such as the role and multiple negotiation problems. In fact, buyers are required to perform complex security actions, such as encryption and watermark generation, and can purchase content only if they are able to participate in group signature transaction schemes, without having further alternatives.
3. CHALLENGES
The considerations reported in Section 2 show that watermarking protocols have evolved over the last years according to well-defined trends that have posed specific challenges.
3.1. Negotiation mechanisms
Digital certificates issued by CAs are widely used to identify buyers in current watermarking protocols. They are used in an anonymous form when buyers want to keep their identities unexposed during purchase web transactions. This implies that a buyer, who is not provided with a digital certificate, is not allowed to participate in such protocols. However, digital certificates are widely used for e-commerce transactions by buyers residing within specific areas, such as Western Europe, the USA and Japan, but their spread within many other geographical areas with high population densities is still a slow and difficult process. Such a situation ends up limiting the sale possibilities of CPs on the Internet. On the contrary, buyers should not be forced to adhere to a unique and rigid identification method when they want to buy digital content, but they should be able to choose among different and usable identification methods, thus being able to accept the right trade-off between some of their goals, such as simplicity and anonymity [7, 29–32]. To this end, it is worth noting that e-commerce transactions usually require buyers to be provided with credit cards. Therefore, credit cards can also be used in watermarking protocols to identify buyers in place of digital certificates, since they are always associated with real identities and, although they can be cloned, if not invalidated, they can be exploited to pay for the purchased content. This very much resembles what common web users do when shopping on the Internet, and just cannot be any simpler. In addition, such a use can also be exploited to deter buyers from illegally sharing their legitimately purchased content. To this end, if the watermark embedded in a content is derived from the buyer’s name and from his/her credit card’s number in the form of a fingerprinting code, the watermark itself could become
Another evolution of the protocol described in [9] is proposed in [16]. It solves many of the problems reported above without requiring a double watermark insertion. However, the protocol is affected by the simplicity problem, since the buyer has to generate complex enciphered messages and to compute hash functions. Moreover, the protocol is also affected by a number of transaction problems, since it does not address the event of ‘non-payment’ by the buyer even after the receipt of the protected content and the event of ‘non-forwarding’ of the content by the seller even after the receipt of money. The problems affecting the protocol presented in [16] are solved by the solution proposed in [17], which follows the typical approach originated by [9]. In particular, the protocol solves the major, common problems documented in the literature, does not require the buyer to have any knowledge of cryptography and watermarking, avoids the double watermark insertion and is not limited to linear watermarking schemes. However, the seller has to generate the watermark that is to be used to identify the guilty user, and this implies that the seller is skilled in the field of digital copyright protection (i.e. simplicity problem). In the real world, sellers prefer to invest their resources in business affairs rather than in security-oriented technologies [7]. A novel approach different from those reported above is presented in [15]. Such an approach is based on a ‘secure’ watermark embedding algorithm implemented by using symmetric ciphers and ‘partial encryption’. In fact, the algorithm additively distorts selected transform coefficients of a content with a noise sequence, which has to be then partially removed by the buyer, thus leaving only the watermark [21, 26].
The main aim is to achieve a high level of efficiency in applying the watermark protection, since the adopted enciphering scheme only involves computations of modular additions, whereas the other schemes based on homomorphic encryption require computations of modular exponentiations, which are much more expensive than modular additions. However, the proposed solution is mainly affected by the simplicity problem, since the buyer has to take charge of removing the added noise and of performing complex security actions, such as the generation of an encrypted random session key. An interesting watermarking protocol is described in [18]. The protocol is based on three cryptographic building blocks: group signature [27], homomorphic encryption [9] and zero-knowledge proof of knowledge [28]. The first block allows buyers to sign the purchase messages they send to the seller on behalf of the group of buyers. This enables the seller to verify the signature without knowing the buyers’ identity, thus implementing anonymous purchases. However, when a pirated copy is found and traced back to a particular purchase, the corresponding signature can be opened to know the identity of the buyer who released the pirated copy. The second block allows the buyer and the seller to jointly compute an encryption of the watermark to be embedded in the original content in such a way that none of the parties knows it. The third block is a
representative of confidential data directly linked to the buyer. Therefore, if the buyer shares a content thus marked, he/she ends up indirectly spreading data that could be fraudulently used by Internet ‘pirates’. As a consequence, the more buyers share their watermarked content, the more they could be cheated.
3.2. Single watermark insertion
3.3. Modular and flexible implementation
Watermarking protocols define the interaction scheme that has to regulate the process of web-based content distribution so as to prevent or deter web users from violating copyright law. They are assumed as the basis to correctly design the web software platforms employed by CPs to distribute their protected content. Such platforms are often designed as ‘service-oriented architectures’ [35] structured as federations of coordinated web entities that play distinct roles and dynamically interact
within trusted environments [36, 37]. They enable distinct web entities to dynamically and securely apply watermarking procedures on the basis of the content to be protected, according to an ‘on-the-fly’ protection scheme typical of purchase web transactions [38, 39]. However, a watermarking protocol strongly tied to a particular buyer registration phase or to a specific watermarking technique ends up being characterized by a monolithic scheme that does not make the protocol suited to be implemented by modern web software platforms used by CPs. For instance, as reported in Section 2, most of the modern anonymous buyer–seller watermarking protocols are based on ‘asymmetric’ protection schemes, where watermarks are embedded into content directly in the encrypted domain. Such protocols employ encryption functions assumed to be ‘privacy-homomorphic’ [9] with respect to the adopted watermarking schemes, so as to incorporate cryptography with digital watermarking. However, novel and efficient approaches, based on ‘secure’ watermark embedding algorithms implemented by using symmetric ciphers and ‘partial encryption’ [15, 20–22], are considered as very promising. Therefore, a watermarking protocol that aims at being suited for the web context has to be characterized by a modular and flexible structure. This means that the protocol can be arranged in distinct phases that can be isolated and based on a core that can be replaced without invalidating the protocol. As a consequence, such a protocol can adopt different protection schemes, such as, for instance, the ‘asymmetric’ or the ‘secure’ one, without affecting its security or needing impractical modifications, but requiring minor revisions at most.
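The ‘asymmetric’ embedding in the encrypted domain described above, as an added example that is not code from the paper or from the cited protocols. It assumes Paillier as the privacy-homomorphic cipher and an additive watermark on integer coefficients; the function names, the toy key size and the sample coefficients are constructed for illustration.

```python
"""Toy model of 'asymmetric' watermark embedding in the encrypted domain."""
import math
import secrets

# --- Paillier cryptosystem (additively homomorphic); toy key size only -----
def keygen(p=2**31 - 1, q=2**61 - 1):
    # Two Mersenne primes keep the demo fast; real keys need a >= 2048-bit n.
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                                # valid for g = n + 1
    return n, (n, lam, mu)                              # (public, private)

def encrypt(n, m):
    """E(m) = (1 + m*n) * r^n mod n^2; m may be negative (stored mod n)."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + (m % n) * n) * pow(r, n, n2) % n2

def decrypt(sk, c):
    n, lam, mu = sk
    m = (pow(c, lam, n * n) - 1) // n * mu % n
    return m - n if m > n // 2 else m                   # map back to signed

# --- Protocol roles (assumed, simplified) ----------------------------------
def wca_issue_watermark(buyer_pk, length, strength=3):
    """WCA: draw a +/-strength sequence and release it only encrypted under
    the buyer's public key (the WCA's signature on it is omitted here)."""
    w = [strength * (1 if secrets.randbits(1) else -1) for _ in range(length)]
    return w, [encrypt(buyer_pk, wi) for wi in w]

def seller_embed(buyer_pk, content, enc_watermark):
    """Seller: E(x_i) * E(w_i) mod n^2 = E(x_i + w_i). The seller handles
    only ciphertexts of w and of the marked copy, never their plaintexts."""
    n2 = buyer_pk * buyer_pk
    return [encrypt(buyer_pk, x) * ew % n2
            for x, ew in zip(content, enc_watermark)]

def buyer_decrypt(buyer_sk, enc_copy):
    """Buyer: decrypting yields the marked copy x + w."""
    return [decrypt(buyer_sk, c) for c in enc_copy]

def detect(original, suspect, w):
    """Tracing: correlate (suspect - original) with a candidate watermark.
    An unmodified marked copy gives 1.0 for the watermark embedded in it."""
    diff = [s - o for s, o in zip(suspect, original)]
    return sum(d * wi for d, wi in zip(diff, w)) / sum(wi * wi for wi in w)

if __name__ == "__main__":
    pk, sk = keygen()
    coeffs = [120, -45, 7, 0, -300, 88, 15, -9]   # constructed sample content
    w, enc_w = wca_issue_watermark(pk, len(coeffs))
    marked = buyer_decrypt(sk, seller_embed(pk, coeffs, enc_w))
    print("marked copy :", marked)
    print("correlation :", detect(coeffs, marked, w))
```

Each ciphertext operation here is a modular exponentiation, which is the cost the ‘secure’ embedding approach is said to avoid.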
3.4. Buyer participation
As reported above, watermarking protocols are the basis of web software platforms used by CPs to distribute their protected content. Therefore, such platforms should enable buyers to easily participate in the purchase transactions. However, in most of the current watermarking protocols proposed in the literature, buyers have to directly take part in strategic phases of the protocols and perform actions more complex than just obtaining digital certificates issued by CAs, or establishing secure sockets layer (SSL)/transport layer security (TLS) connections, or downloading and executing mobile code fragments, such as ActiveX controls or Java bytecode. For instance, they have to generate one-time anonymous public and private key pairs based on specific security parameters, or participate in group signature schemes, or generate valid watermarks, or digitally sign or encrypt messages [18, 25, 40, 41]. In fact, such actions cannot be automatically carried out by the web browsers that buyers commonly use to purchase digital content distributed on the Internet. As a consequence, many watermarking protocols are impractical or unsuited for the web context, and novel approaches, based on a simplified buyer participation, are needed.
Double watermark insertion is often strategic to solve the unbinding problem [9]. However, a digital content, when coded in a compressed format, has a limited capacity of including hidden information without suffering either a deterioration in its perceptual quality or a weakness in the information hiding scheme [23, 24]. On the contrary, a single watermark insertion can result in being secure and robust [22, 33], and enables the insertion of long fingerprinting codes particularly useful to exploit ‘anti-collusion’ techniques [2, 3, 5, 34]. However, a protection scheme based on a single watermark insertion often needs further mechanisms to securely link content, buyer, seller and transaction. A possible solution to this problem can be derived from the experiences conducted in the field of commercial software, which are commonly based on the use of ‘licenses’. More precisely, the watermarks used to protect content can be employed as license numbers to be saved into encrypted digital certificates associated to the corresponding protected content together with further information about buyers, sellers, transactions and other data generated by running the protocol. Such certificates can be then employed as licenses released to buyers, who cannot directly access them, but can use them to prove the legitimate possession of content. To this end, it is worth noting that the effectiveness of a watermarking protocol strictly depends on the security and robustness of the adopted watermark insertion scheme. In fact, if the inserted watermark cannot be correctly extracted as a consequence of attacks or manipulations, the whole protection scheme implemented by a watermarking protocol fails whether the insertion scheme is based on a single watermark or not. 
On the contrary, if watermarks can be extracted with low bit error rates and can also code redundant information about content, buyer, seller and transaction, a single watermark insertion becomes sufficient, in conjunction with other mechanisms like that based on licenses.
3.5. TTPs and collusion
Watermarking protocols usually employ TTPs, acting as WCAs, Arbitrators or Judges, to guarantee security of their transaction schemes. To this end, some authors claim that, in the real world, third parties have to be considered as ‘untrusted’, since they could collude with the other parties involved in the protocols, thus impairing security. Therefore, protocols should be designed so as not to employ such parties or, at most, to strongly limit the role played by them [18, 25]. However, such a design approach presents two crucial aspects that have to be considered:
As a consequence, if TTPs cannot be completely eliminated from watermarking protocols, it is better to carefully exploit them in order to simplify protocols rather than to generate problems that make the protocols only useless exercises.
4. PROPOSED WATERMARKING PROTOCOL
The protocol described in this section is an improved version of the original solution presented in [7], and differs from it in a number of aspects, the most important of which is concerned with the protection core, which has been re-designed so as to make the protocol flexible, modular and able to adopt different watermark embedding schemes. The protocol is mainly based on three web entities: the buyer (B), the content provider or seller (CP), and the WCA, which is assumed to be an ‘online’ trusted authority that does not carry out colluding actions [42–44]. A fourth, optional, entity is represented by the service provider (SP), which is a web entity specialized in supplying trusted watermarking services. It employs specific and advanced web-oriented technologies [45] to guarantee a high level of reliability and security to its services. Its role consists in enabling WCAs to be relieved of the task of directly watermarking digital content and to provide web users with an effective and on-the-fly protection service [46]. Therefore, each WCA is directly responsible for the behaviour of their chosen SP. In fact, such an approach is justified by current trends in e-commerce transactions, which are characterized by business operators who need more and more service providers to implement new services based on advanced technologies that are not part of their original business core.
TABLE 1. The main characteristics of the proposed protocol.
Fundamentals
  Parties involved: B, CP, WCA, SP
  Trust assumptions: WCA is fully trusted
  Security properties: problems reported in Section 2 are solved
Environment
  Computing resources: all the entities have sufficient resources
  Secure communication support: required
  Public key support: required
  TTPs: online WCA
  Building blocks: Public key infrastructure; Blind watermarking scheme; Homomorphic encryption scheme; Digital encryption and signature schemes
Formally, the main characteristics of the proposed protocol are summarized in Table 1 in terms of ‘fundamentals’ and ‘environment’, according to the framework presented in [43, 44] and purposely developed to describe watermarking protocols. In particular, ‘fundamentals’ aim at providing a clear view on the main objectives of the proposed protocol, and consist of the parties involved, the trust assumptions and the security properties of the protocol. ‘Environment’ aims at identifying the elements that are exploited for constructing the proposed protocol, and consists of computing resources, trust infrastructures and building blocks. The proposed watermarking protocol comprises two subprotocols: the protection protocol and the identification and arbitration protocol. 4.1.
Protection protocol
The protection protocol consists of three main phases: negotiation, protection and delivery. 4.1.1. Negotiation The negotiation phase, whose scheme is shown in Table 2, groups the transactions that enable B to be linked to the chosen content. In this phase, the protocol, according to what was reported in Section 3, provides multiple negotiation mechanisms. In particular, a first mechanism is based on the use of anonymous digital certificates [9], the second is based on the use of personal digital certificates and the third is based on the use of credit cards. In fact, the last two mechanisms enable B to be identified. However, they are implemented according to the concept of ‘multilateral security’ applied to web transactions [31, 32], and this enables B to keep his/her identity anonymous during the transactions with CPs. In fact,
Section D: Security in Computer Systems and Networks The Computer Journal, 2014
Downloaded from http://comjnl.oxfordjournals.org/ by guest on March 14, 2014
(1) despite their base assumption about third parties, the protocols that follow the approach reported above need al least one TTP to guarantee correctness and security in all the phases of their transaction schemes; this demonstrates that TTPs cannot be completely eliminated from watermarking protocols; (2) the untrusted behaviour of third parties assumed by the protocols results in protection schemes that force buyers to perform complex security actions to participate in purchase transactions; this makes such protocols impractical and unsuited for the web context.
Fundamentals Parties involved Trust assumptions Security properties
B’s identity is revealed solely to WCA, which is the TTP involved in the protocol.
The negotiation phase starts when B visits the CP’s web site and, after having chosen a content X, negotiates with CP to set up a common agreement $AGR_X$. During this phase, B has free access to the CP’s web site and may keep his/her identity unexposed. The function of $AGR_X$ is twofold. It represents: (1) a ‘use license’ that refers to X and states the rights and obligations of B and CP; (2) a ‘purchase order’ placed by B. $AGR_X$ is sent by B to CP in the message $m_1$ to manifest the will of buying X. In particular, this first message and all the other messages exchanged among the web entities involved in the watermarking protocol are assumed to be transferred over secure and anonymous communication channels.
Upon receiving $AGR_X$, CP generates $TID_{CP}$, which is the transaction identifier, and $TS_{CP}$, which is the timestamp used to make the freshness of the exchanged token assessable. CP also generates the signature $Sgn_{CP} = Sign_{pk_{CP}}(AGR_X, TID_{CP}, TS_{CP})$ by using its public key $pk_{CP}$, and a list of WCAs, denoted by $List(WCA)$, which can be contacted by B to continue the purchase transaction. To this end, all the WCAs included in the list have to be trusted and reported in publicly available registries so that B can carry out a check on them. In fact, WCAs are similar to common digital CAs known in the literature. Then CP sends the signature and the list to B in the message $m_2$.
Then B receives $m_2$ and chooses a WCA from $List(WCA)$ to continue the transaction; B generates the message $m_3$ and sends it to the chosen WCA in order to manifest the will of buying X from CP and to require WCA to apply a digital protection according to what is stated in $AGR_X$. Therefore, $m_3$ includes:
(1) CP, which is the reference to the content provider CP that sells X;
(2) $AGR_X$, which is the document referring to X mentioned above;
(3) $Sgn_{CP}$, which is a security token that links the purchase transaction to the content and the seller;
(4) $B_{id}$, which includes the information by which B chooses to be identified in the protection protocol.
TABLE 2. The negotiation phase.
B: visits the CP’s web site and chooses the content X
B → CP: $m_1 = \{AGR_X\}$
CP: $Sgn_{CP} = Sign_{pk_{CP}}(AGR_X, TID_{CP}, TS_{CP})$; $List(WCA)$
CP → B: $m_2 = \{Sgn_{CP}, List(WCA)\}$
B → WCA: $m_3 = \{CP, AGR_X, Sgn_{CP}, B_{id}\}$
WCA: verifies $m_3$
In particular, according to the negotiation mechanisms provided by the protocol, $B_{id}$ can be represented as a pair of information, named ‘personal’ information and ‘payment’ information, as reported in Table 3. The former can be derived from the anonymous or personal digital certificate or from personal data reported on B’s credit card. The latter can be derived from the anonymous pre-paid card or from B’s credit card.
TABLE 3. Information contained in $B_{id}$ depending on the negotiation mechanisms.
Negotiation mechanism | $B_{id}$: personal information | $B_{id}$: payment information
Anonymous | Anonymous digital certificate | Anonymous pre-paid card
Personal | Personal digital certificate | Anonymous pre-paid card
Personal | Personal digital certificate | Credit card
Based on credit card | Identity on credit card | Credit card
After receiving $m_3$, WCA verifies data contained in $B_{id}$. If B has chosen the ‘anonymous’ identification method, WCA verifies the anonymous digital certificate and the data associated to the pre-paid card presented by B. If B has presented a personal digital certificate and/or his/her credit card, WCA verifies these data. Therefore, if the data sent in $m_3$ are incorrect or the payment card turns out to be invalidated or B cannot pay X, the transaction is aborted. Otherwise, the protection phase can start.
4.1.2. Protection
Message $m_3$ involves WCA in the protection protocol. The protection can be applied according to two different schemes: the well-known ‘asymmetric’ watermark embedding scheme [7, 9] and the ‘secure’ watermark embedding scheme [15, 20–22].
In the ‘asymmetric’ scheme, which is shown in Table 4, WCA generates the message $m_4$, which is composed of two main parts: the former includes information needed to protect X, whereas the latter contains information needed to mark the protection transaction. As for the former, WCA adopts the watermark generation technique that was originally proposed in [7] as an application of the security techniques reported in [47, 48]. Such a technique was then adopted in [19] and is based on the generation of n fingerprinting binary codes denoted as $W_i$:
$$W_i = W_{B_{id}} + R_i, \quad i = 1 \cdots n,$$
where a base code $W_{B_{id}}$ is concatenated with $R_i$, which is a value selected at random from the range
$$]\omega \cdot n \cdot i,\ \omega \cdot n \cdot (i+1)[$$
with $\omega$ being a multiplicative factor. In fact, the basic idea about the generation of $W_i$ can be summarized as follows: if n is large enough, CP cannot reasonably guess which randomly generated watermark will be chosen by WCA to protect X, and this, as shown in Section 5, is a precondition of the proposed watermarking protocol [7, 19, 47, 48].
$W_{B_{id}}$ can be obtained by concatenating five distinct binary strings. A first string can be derived from the ‘personal’ information sent by B in $B_{id}$, such as his/her anonymous or personal digital certificate or credit card. A second string can be derived from the ‘payment’ information sent by B in $B_{id}$ and based on data reported on a pre-paid or credit card. A third string can be obtained as an anti-collusion code [2, 3, 34], whereas a fourth string can be a redundant code used to address the problem of bit errors resulting from the watermark extraction process. A fifth string can be a transaction identifier. $R_i$ has to be a long binary code (more than 512 bit), and this means that also $\omega$ has to be large enough. In fact, $W_i$, $i = 1 \cdots n$, can also be built as long and fully random binary codes [19], since both the choices, the one described above and the random one, can be made without impairing protocol security.
As for the latter, WCA generates the signature $Sgn_{WCA} = Sign_{pk_{WCA}}(B_{id}, CP, AGR_X, TID_{WCA}, TS_{WCA})$ by using its public key, denoted as $pk_{WCA}$. In more detail, $TID_{WCA}$ is the code used by WCA to identify the current transaction, whereas $TS_{WCA}$ is the timestamp needed to make the freshness of the exchanged token assessable. $Sgn_{WCA}$, like $Sgn_{CP}$, is used as a security token that links the purchase transaction to X, B, CP and WCA.
Then, WCA creates the message $m_4$ by including $AGR_X$, $Sgn_{CP}$, $Sgn_{WCA}$, and the generated watermarks, and sends it to CP. CP verifies its signature $Sgn_{CP}$ returned in the message $m_4$ and aborts the transaction if the data turn out to be invalid.
Then CP, according to what is reported in [49], generates a public and private key pair $(pk_{CP}^{X}, sk_{CP}^{X})$ to be used only in the current transaction, and employs the public key to encrypt the received watermarks by using a cryptosystem that is ‘privacy homomorphic’ [9, 10] with respect to the subsequent watermark insertion, thus generating the tokens $E_{pk_{CP}^{X}}(W_1) \cdots E_{pk_{CP}^{X}}(W_n)$. Furthermore, CP encrypts X by employing the same cryptosystem, thus generating the content $E_{pk_{CP}^{X}}(X)$ that has to be watermarked. Then, CP sends $AGR_X$, the enciphered content and watermarks, together with the signature $Sgn_{WCA}$, to WCA in the message $m_5$.
WCA verifies its signature $Sgn_{WCA}$ returned in the message $m_5$ and aborts the transaction if the data turn out to be invalid. Then, it chooses one of the n enciphered watermarks, denoted as $E_{pk_{CP}^{X}}(W_{chs})$, with $chs \in [1, n]$, and sends it, together with $E_{pk_{CP}^{X}}(X)$, in the message $m_6$ to an SP selected from a list of accredited web entities.
After receiving $m_6$, SP can directly watermark $E_{pk_{CP}^{X}}(X)$, since, as reported above, the encryption function applied by CP is ‘privacy homomorphic’ with respect to the watermark insertion operation. Then, SP can return the encrypted and watermarked content $E_{pk_{CP}^{X}}(X)$ to WCA in the message $m_7$, which closes the protection phase.
TABLE 4. The protection phase (‘asymmetric’ embedding scheme).
WCA: $W_1, W_2 \cdots W_n$; $Sgn_{WCA} = Sign_{pk_{WCA}}(B_{id}, CP, AGR_X, TID_{WCA}, TS_{WCA})$
WCA → CP: $m_4 = \{W_1, W_2 \cdots W_n, AGR_X, Sgn_{CP}, Sgn_{WCA}\}$
CP: $E_{pk_{CP}^{X}}(W_1) \cdots E_{pk_{CP}^{X}}(W_n)$; $E_{pk_{CP}^{X}}(X)$
CP → WCA: $m_5 = \{E_{pk_{CP}^{X}}(W_1) \cdots E_{pk_{CP}^{X}}(W_n), AGR_X, E_{pk_{CP}^{X}}(X), Sgn_{WCA}\}$
WCA: $E_{pk_{CP}^{X}}(W_{chs}) \in \{E_{pk_{CP}^{X}}(W_1) \cdots E_{pk_{CP}^{X}}(W_n)\}$
WCA → SP: $m_6 = \{E_{pk_{CP}^{X}}(W_{chs}), E_{pk_{CP}^{X}}(X)\}$
SP: $E_{pk_{CP}^{X}}(X)$
SP → WCA: $m_7 = \{E_{pk_{CP}^{X}}(X)\}$
In fact, it is possible to think of a variant of the scheme described above. Such a variant, shown in Table 5, differs from the scheme reported in Table 4 in the watermark generation. More in detail, WCA can generate the base watermark $W_{B_{id}}$ according to what is reported above, and send it to CP in the message $m_4$ together with $AGR_X$, $Sgn_{CP}$ and $Sgn_{WCA}$. CP receives $m_4$ and encrypts $W_{B_{id}}$, thus generating $E_{pk_{CP}^{X}}(W_{B_{id}})$. Then, CP can send $E_{pk_{CP}^{X}}(W_{B_{id}})$ to WCA in the message $m_5$ together with $AGR_X$, the enciphered content $E_{pk_{CP}^{X}}(X)$ and the signature $Sgn_{WCA}$. After receiving $E_{pk_{CP}^{X}}(W_{B_{id}})$ in the message $m_5$, WCA can generate a random permutation function $\sigma$ to permute the elements of $E_{pk_{CP}^{X}}(W_{B_{id}})$ [8].
The function $\sigma$ applied to the encrypted watermark $E_{pk_{CP}^{X}}(W_{B_{id}})$ results in the following expression:
$$\sigma(E_{pk_{CP}^{X}}(W_{B_{id}})) = E_{pk_{CP}^{X}}(\sigma(W_{B_{id}}))$$
since the function E is a block-wise encryption function and the watermarking scheme can be considered as based on permutation tolerant or linear watermarks [18]. This means that
if a watermark W can be represented as a bit block concatenation denoted as $(w_1, w_2 \cdots w_l)$, then
$$E_{pk_{CP}^{X}}(w_1, w_2 \cdots w_l) = (E_{pk_{CP}^{X}}(w_1), E_{pk_{CP}^{X}}(w_2) \cdots E_{pk_{CP}^{X}}(w_l)).$$
As a consequence, the encrypted and permuted watermark $\sigma(E_{pk_{CP}^{X}}(W_{B_{id}}))$ can be assumed as the watermark $E_{pk_{CP}^{X}}(W_{chs})$ that WCA sends to SP to protect X:
$$E_{pk_{CP}^{X}}(W_{chs}) = \sigma(E_{pk_{CP}^{X}}(W_{B_{id}})) = E_{pk_{CP}^{X}}(\sigma(W_{B_{id}})).$$
In fact, the random choice of a watermark in the set
$$W_i = W_{B_{id}} + R_i, \quad i = 1 \cdots n$$
can be considered as equivalent to the random permutation $\sigma(W_{B_{id}})$. This consideration can also be applied to the encryption domain, since the random choice of an encrypted watermark in the set
$$E_{pk_{CP}^{X}}(W_1), E_{pk_{CP}^{X}}(W_2) \cdots E_{pk_{CP}^{X}}(W_n)$$
can be considered as equivalent to the random permutation $\sigma(E_{pk_{CP}^{X}}(W_{B_{id}}))$.
Once $E_{pk_{CP}^{X}}(W_{chs})$ has been built, WCA can send it to SP in the message $m_6$ together with $E_{pk_{CP}^{X}}(X)$. SP can then watermark $E_{pk_{CP}^{X}}(X)$ and return the protected content to WCA in the message $m_7$.
TABLE 5. The protection phase (variant of the ‘asymmetric’ embedding scheme).
WCA: $W_{B_{id}}$; $Sgn_{WCA} = Sign_{pk_{WCA}}(B_{id}, CP, AGR_X, TID_{WCA}, TS_{WCA})$
WCA → CP: $m_4 = \{W_{B_{id}}, AGR_X, Sgn_{CP}, Sgn_{WCA}\}$
CP: $E_{pk_{CP}^{X}}(W_{B_{id}})$; $E_{pk_{CP}^{X}}(X)$
CP → WCA: $m_5 = \{E_{pk_{CP}^{X}}(W_{B_{id}}), AGR_X, E_{pk_{CP}^{X}}(X), Sgn_{WCA}\}$
WCA: $E_{pk_{CP}^{X}}(W_{chs}) = \sigma(E_{pk_{CP}^{X}}(W_{B_{id}}))$
WCA → SP: $m_6 = \{E_{pk_{CP}^{X}}(W_{chs}), E_{pk_{CP}^{X}}(X)\}$
SP: $E_{pk_{CP}^{X}}(X)$
SP → WCA: $m_7 = \{E_{pk_{CP}^{X}}(X)\}$
4.1.3. Delivery
The delivery phase, shown in Table 6, starts with WCA, which forwards the protected content $E_{pk_{CP}^{X}}(X)$ to B in the message $m_8$. After receiving $E_{pk_{CP}^{X}}(X)$, B returns an acknowledgement to WCA, which notifies this event to CP with the message $m_9$. In particular, $m_9$ contains IDX, which is a serial number that shall be used by CP to refer to the data associated to the current transaction. IDX is generated by WCA by applying a specific function on $W_{chs}$. This function is derived from the so-called ‘key derivation functions’ [50] and is denoted by $KDF_{WCA}$. Therefore, $IDX = KDF_{WCA}(W_{chs})$. Furthermore, $m_9$ contains $TID_{WCA}$ and $TS_{WCA}$, which have to be stored by CP as information useful for running the ‘identification and arbitration protocol’.
TABLE 6. The delivery phase.
WCA → B: $m_8 = \{E_{pk_{CP}^{X}}(X)\}$
B → WCA: ack
WCA: $IDX = KDF_{WCA}(W_{chs})$
WCA → CP: $m_9 = \{IDX, TID_{WCA}, TS_{WCA}\}$
CP → B: $m_{10} = \{sk_{CP}^{X}\}$
B: $\bar{X} = D_{sk_{CP}^{X}}(E_{pk_{CP}^{X}}(X))$
B → WCA: ack on $\bar{X}$
WCA: payment
WCA → CP: $m_{11} = \{Cert(B, CP, X)\}$
WCA → B: $m_{11} = \{Cert(B, CP, X)\}$
CP: saves a new entry in its databases
The correct receipt of $m_9$ assures CP that B has received the encrypted content $E_{pk_{CP}^{X}}(X)$ and that his/her payment card can be charged. As a consequence, CP can send B the private key $sk_{CP}^{X}$ corresponding to the public key $pk_{CP}^{X}$ purposely used to encrypt X. After receiving the private key $sk_{CP}^{X}$ in the message $m_{10}$, B can decrypt $E_{pk_{CP}^{X}}(X)$, thus generating the final version of the watermarked copy of X, denoted by $\bar{X}$. In fact, the privacy homomorphic cryptosystem used by CP and WCA results in the following equalities:
$$E_{pk_{CP}^{X}}(X) = E_{pk_{CP}^{X}}(\bar{X}), \qquad \bar{X} = D_{sk_{CP}^{X}}(E_{pk_{CP}^{X}}(X)),$$
where the operator $D_{sk}$ denotes the decryption function corresponding to the encryption function $E_{pk}$.
Once $\bar{X}$ is generated, B notifies the availability of the purchased content to WCA, which can charge B’s payment card. Then, WCA can generate the token
$$Cert(B, CP, X) = E_{pk_{WCA}}(AGR_X, B_{id}, CP \ldots Sign_{CP}, Sgn_{WCA}, IDX, W_{chs}),$$
which represents the digital purchase certificate to be sent to B and CP in the message $m_{11}$. $Cert(B, CP, X)$ contains enciphered data, and this prevents both B and CP from maliciously modifying it. After receiving the purchase certificate, CP has to store a new entry in its databases, whose search key is IDX and whose corresponding contents are $AGR_X$, $TID_{CP}$, $TS_{CP}$, $TID_{WCA}$, $TS_{WCA}$ and $Cert(B, CP, X)$. In fact, such information is needed to prove that B is the legitimate owner of the content X sold by CP through a transaction guaranteed by WCA.
4.1.4. Secure embedding scheme
As reported in Section 4.1.2, the protection can be also applied according to a ‘secure’ watermark embedding scheme, such as, for example, the watermarking scheme presented in [21]. In this case, as shown in Table 7, after the negotiation phase depicted in Table 2, WCA can generate a personalized watermark for B, denoted as $W_B$, which is a look-up table (LUT) whose t elements follow a Gaussian distribution $N(0, \sigma_w)$. Then, WCA can send CP the message $m_4$, which includes $AGR_X$, $Sgn_{CP}$ and $Sgn_{WCA}$, thus starting the protection phase.
CP generates a long-term and content-dependent master encryption LUT $E_X$ of size t, whose entries are random variables following a Gaussian distribution $N(0, \sigma_e)$, with $\sigma_e > \sigma_w$. The LUT $E_X$ is used to encrypt a number of copies of X distributed on the Internet by means of a content dependent key $sec_{CP}^{X}$ specifically generated by CP to protect such copies [21]. Then, CP encrypts X by adding r entries of the LUT $E_X$, randomly selected according to the key $sec_{CP}^{X}$, to each of the elements of X, thus generating $E_{sec_{CP}^{X}}(X)$. Then, CP sends the LUT $E_X$, the enciphered content $E_{sec_{CP}^{X}}(X)$, $AGR_X$, and the signature $Sgn_{WCA}$ to WCA in the message $m_5$.
WCA generates a personalized decryption LUT $D_{(X,B)}$ by combining component-wise the master encryption LUT $E_X$ and the watermark LUT $W_B$:
$$D_{(X,B)}[j] = -E_X[j] + W_B[j], \quad j = 0 \cdots t-1$$
and this operation closes the protection phase.
The delivery phase, shown in Table 8, starts with WCA that sends the enciphered content $E_{sec_{CP}^{X}}(X)$ to B together with the personalized decryption LUT $D_{(X,B)}$ in the message $m_6$.
TABLE 7. The protection phase (‘secure’ embedding scheme).
WCA: $W_B$; $Sgn_{WCA} = Sign_{pk_{WCA}}(B_{id}, CP, AGR_X, TID_{WCA}, TS_{WCA})$
WCA → CP: $m_4 = \{AGR_X, Sgn_{CP}, Sgn_{WCA}\}$
CP: $E_X$; $sec_{CP}^{X}$; $E_{sec_{CP}^{X}}(X)$
CP → WCA: $m_5 = \{E_{sec_{CP}^{X}}(X), E_X, AGR_X, Sgn_{WCA}\}$
WCA: $D_{(X,B)}[j] = -E_X[j] + W_B[j]$, $j = 0 \cdots t-1$
TABLE 8. The delivery phase (‘secure’ embedding scheme).
WCA → B: $m_6 = \{E_{sec_{CP}^{X}}(X), D_{(X,B)}\}$
B → WCA: ack
WCA: $IDX = KDFsc_{WCA}(W_B)$; $E_{pk_{WCA}}(W_B)$
WCA → CP: $m_7 = \{IDX, E_{pk_{WCA}}(W_B), TID_{WCA}, TS_{WCA}\}$
CP: stores $E_{pk_{WCA}}(W_B)$ in $WMEset_{(E_X, sec_{CP}^{X})}$
CP → B: $m_8 = \{sec_{CP}^{X}\}$
B: $\bar{X}$
B → WCA: ack on $\bar{X}$
WCA: payment
WCA → CP: $m_9 = \{Cert(B, CP, X)\}$
WCA → B: $m_9 = \{Cert(B, CP, X)\}$
CP: saves a new entry in its databases
TABLE 9. The identification and arbitration protocol (‘asymmetric’ embedding scheme).
CP: finds X
CP → WCA: $m_1 = \{X\}$
WCA: selects an SP
WCA → SP: $m_2 = \{X\}$
SP: from X extracts $W_{chs}$
SP → WCA: $m_3 = \{W_{chs}\}$
WCA: $IDX = KDF_{WCA}(W_{chs})$
WCA → CP: $m_4 = \{IDX\}$
CP: searches its databases for a possible match on IDX; if a match is found then
CP → WCA: $m_5 = \{Cert(B, CP, X), TID_{CP}, TS_{CP}, TID_{WCA}, TS_{WCA}, AGR_X\}$
WCA: adjudicates
After receiving the message $m_6$, B returns an acknowledgement to WCA, which notifies this event to CP with the message $m_7$. $m_7$ contains IDX, which is a serial number that shall be used by CP to refer to the data associated to the current transaction. IDX is generated by WCA by applying a specific function on the watermark LUT $W_B$. This function is derived from the ‘key derivation functions’ [50] and is denoted by $KDFsc_{WCA}$. Therefore, $IDX = KDFsc_{WCA}(W_B)$. Furthermore, $m_7$ contains $TID_{WCA}$ and $TS_{WCA}$, which have to be stored by CP as information useful for running the ‘identification and arbitration protocol’. To this end, WCA has also to encrypt the watermark LUT $W_B$ with its public key $pk_{WCA}$, thus generating $E_{pk_{WCA}}(W_B)$, and include it in $m_7$.
The correct receipt of $m_7$ assures CP that B has received the encrypted content $E_{sec_{CP}^{X}}(X)$, the personalized decryption LUT $D_{(X,B)}$, and that his/her payment card can be charged. As a consequence, CP can send B the content-dependent key
$sec_{CP}^{X}$, used to encrypt X, in the message $m_8$. However, in order to enable a correct execution of the ‘identification and arbitration protocol’, CP has also to build and maintain in its databases the link between the encryption LUT $E_X$, the key $sec_{CP}^{X}$ and the set of all the watermark LUTs $W_B$ used to compute the personalized decryption LUTs $D_{(X,B)}$, which have made it possible to watermark the copies of X sold to different buyers. In particular, this set, denoted by $WMEset_{(E_X, sec_{CP}^{X})}$, contains the watermark LUTs $W_B$ encrypted with the public key of WCA. Therefore, CP stores $E_{pk_{WCA}}(W_B)$, received in the message $m_7$, in $WMEset_{(E_X, sec_{CP}^{X})}$.
After receiving $sec_{CP}^{X}$ in the message $m_8$, B can perform the joint decryption and watermarking of X. This operation consists in adding r entries of the LUT $D_{(X,B)}$, randomly selected according to the key $sec_{CP}^{X}$, to each of the elements of $E_{sec_{CP}^{X}}(X)$. In fact, it makes it possible to decrypt $E_{sec_{CP}^{X}}(X)$ and, at the same time, to leave the watermarking component in it, thus generating $\bar{X}$.
Once $\bar{X}$ has been generated, B notifies the availability of the purchased content to WCA, which can charge B’s payment card. Then, WCA can generate the token
$$Cert(B, CP, X) = E_{pk_{WCA}}(AGR_X, B_{id}, CP \ldots Sign_{CP}, Sgn_{WCA}, IDX, W_B, D_{(X,B)}),$$
which represents the digital purchase certificate sent to B and CP in the message $m_9$ to close the phase. After receiving the purchase certificate, CP has to store a new entry in its databases, whose search key is IDX and whose corresponding contents are $AGR_X$, $TID_{CP}$, $TS_{CP}$, $TID_{WCA}$, $TS_{WCA}$ and $Cert(B, CP, X)$. Such information is needed to prove that B is the legitimate owner of the content X sold by CP through a transaction guaranteed by WCA.
4.2. Identification and arbitration protocol
This protocol is conducted whenever a pirated copy X of a protected digital content is found in the market. The main aim is to determine the identity of the responsible distributor, who was the legitimate buyer in some earlier transaction, with undeniable evidence. The protocol can follow two variants depending on the protection scheme used to embed the watermark in X.
If the ‘asymmetric’ watermark embedding scheme has been used to protect X (see Tables 4 and 5), CP can start the protocol by sending X to WCA in the message $m_1$ (see Table 9). WCA retrieves the list of the SPs that can be involved in the watermark extraction process and selects an SP. Then, WCA sends X to the selected SP in the message $m_2$. SP extracts the watermark from X, denoted as $W_{chs}$, and sends it to WCA in the message $m_3$. WCA receives $W_{chs}$ and applies the function $KDF_{WCA}$ to it in order to generate the search index IDX, which is sent to CP in $m_4$. CP accesses its databases and uses IDX to search them for a match. When a possible match is found [9], CP retrieves the corresponding purchase certificate
$$Cert(B, CP, X) = E_{pk_{WCA}}(AGR_X, B_{id}, CP \ldots Sign_{CP}, Sgn_{WCA}, IDX, W_{chs})$$
and all other plaintext information stored with it represented by $AGR_X$, $TID_{CP}$, $TS_{CP}$, $TID_{WCA}$ and $TS_{WCA}$. Then, CP requires the buyer identification by sending the certificate and the retrieved information to WCA in the message $m_5$. WCA decrypts the purchase certificate and compares the data contained in it with the plaintext information received from CP in the message $m_5$. If all data turn out to be correct, the identity of the buyer is revealed, and WCA can adjudicate him/her to be a traitor, thus closing the case. Otherwise, the protocol ends without exposing any identity.
TABLE 10. The identification and arbitration protocol (‘secure’ embedding scheme).
CP: finds X and retrieves $WMEset_{(E_X, sec_{CP}^{X})}$ and $sec_{CP}^{X}$
CP → WCA: $m_1 = \{X, WMEset_{(E_X, sec_{CP}^{X})}, sec_{CP}^{X}\}$
WCA: decrypts all the elements in $WMEset_{(E_X, sec_{CP}^{X})}$;
WCA: correlates all the sequences derived from the LUTs $W_B$ in $WMEset_{(E_X, sec_{CP}^{X})}$ with $W_{est}$;
WCA: if a match is found then $IDX = KDFsc_{WCA}(W_B)$
WCA → CP: $m_2 = \{IDX\}$
CP: searches its databases for a possible match on IDX; if a match is found then
CP → WCA: $m_3 = \{Cert(B, CP, X), TID_{CP}, TS_{CP}, TID_{WCA}, TS_{WCA}, AGR_X\}$
WCA: adjudicates
If X has been protected by applying the ‘secure’ watermark embedding scheme (see Table 10), CP can start the ‘identification and arbitration protocol’ by retrieving from its databases the key $sec_{CP}^{X}$ and all the watermarks stored in $WMEset_{(E_X, sec_{CP}^{X})}$, which were used to protect a number of copies of X. Then, CP sends X, $WMEset_{(E_X, sec_{CP}^{X})}$, and $sec_{CP}^{X}$ to WCA in the message $m_1$.
WCA receives $m_1$ and decrypts the elements contained in $WMEset_{(E_X, sec_{CP}^{X})}$ by applying its private key $sk_{WCA}$, thus obtaining all the watermark LUTs $W_B$ used to protect the copies of X distributed on the Internet. Then, WCA has to compute the watermark sequences derived by applying the key $sec_{CP}^{X}$ to the LUTs $W_B$ and correlate them with an estimated watermark $W_{est}$ obtained from X. The correlation values are compared with a purposely chosen threshold to decide if one of the generated watermark sequences is present in X. In fact, according to what is reported in [21], the correlation process has to be repeated for all the LUTs $W_B$ contained in $WMEset_{(E_X, sec_{CP}^{X})}$ until a possible match is found. However, more efficient watermark
extraction processes can be considered [21, 22], even though they are beyond the scope of the paper. If a match is found, the corresponding watermark LUT $W_B$ is used to compute $IDX = KDFsc_{WCA}(W_B)$, which is then sent by WCA to CP in the message $m_2$. CP accesses its databases and uses IDX to search them for a match [9]. When a possible match is found, CP retrieves the purchase certificate
$$Cert(B, CP, X) = E_{pk_{WCA}}(AGR_X, B_{id}, CP \ldots Sign_{CP}, Sgn_{WCA}, IDX, W_B, D_{(X,B)})$$
and all other plaintext information stored with it represented by $AGR_X$, $TID_{CP}$, $TS_{CP}$, $TID_{WCA}$ and $TS_{WCA}$. Then, CP requires the buyer identification by sending the certificate and the retrieved information to WCA in the message $m_3$. WCA decrypts the purchase certificate and compares the data contained in it with the plaintext information received from CP in the message $m_3$. If all data turn out to be correct, the identity of the buyer is revealed, and WCA can adjudicate him/her to be a traitor, thus closing the case. Otherwise, the protocol ends without exposing any identity.
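The ‘secure’ embedding path of Section 4.1.4 and the correlation step of Table 10 can be exercised numerically. The following Python sketch is an added example, not code from the paper or from [21]; it walks through LUT encryption by CP, joint decryption and watermarking by B, and identification by WCA. Assumptions: content is a list of floats, the key sec_CP^X seeds a PRNG that selects the r LUT entries, the found copy itself serves as the estimate W_est, SHA-256 stands in for KDFsc_WCA, the watermark set is held in clear (encryption under pk_WCA is omitted), and all sizes, names and the threshold are constructed for the demonstration.

```python
import hashlib
import math
import random
import struct

T, R = 1024, 4                   # LUT size t; entries added per content element r
SIGMA_E, SIGMA_W = 100.0, 1.0    # sigma_e > sigma_w, as the scheme requires


def gaussian_lut(rng, sigma):
    return [rng.gauss(0.0, sigma) for _ in range(T)]


def lut_sequence(lut, sec_key, length):
    """Per content element, the sum of r LUT entries selected by the key."""
    sel = random.Random(sec_key)
    return [sum(lut[sel.randrange(T)] for _ in range(R)) for _ in range(length)]


def add_lut(signal, lut, sec_key):
    """CP calls this with E_X (encryption); B calls it with D_(X,B)."""
    seq = lut_sequence(lut, sec_key, len(signal))
    return [s + v for s, v in zip(signal, seq)]


def decryption_lut(e_x, w_b):
    """D_(X,B)[j] = -E_X[j] + W_B[j], computed by WCA."""
    return [-e + w for e, w in zip(e_x, w_b)]


def kdf_sc(w_b):
    """Stand-in for KDFsc_WCA (assumption): SHA-256 over the LUT entries."""
    return hashlib.sha256(struct.pack(f"{T}d", *w_b)).hexdigest()


def correlation(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    num = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    den = math.sqrt(sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b))
    return num / den


def identify(found_copy, wme_set, sec_key, threshold=0.2):
    """WCA side of Table 10: test every stored W_B, return IDX or None."""
    for w_b in wme_set:
        seq = lut_sequence(w_b, sec_key, len(found_copy))
        if correlation(found_copy, seq) > threshold:
            return kdf_sc(w_b)
    return None


def add_noise(signal, sigma, seed):
    """Mild degradation of a leaked copy (constructed test condition)."""
    rng = random.Random(seed)
    return [v + rng.gauss(0.0, sigma) for v in signal]


def build_demo(seed=2014, buyers=("B1", "B2", "B3"), length=8192):
    rng = random.Random(seed)
    sec_key = "sec-CP-X-demo"                             # constructed key
    x = [rng.gauss(0.0, 5.0) for _ in range(length)]      # constructed content
    e_x = gaussian_lut(rng, SIGMA_E)
    enc_x = add_lut(x, e_x, sec_key)                      # CP: E_sec(X)
    wme_set, cp_db, copies = [], {}, {}
    for buyer in buyers:
        w_b = gaussian_lut(rng, SIGMA_W)                  # WCA: personal W_B
        d_xb = decryption_lut(e_x, w_b)
        copies[buyer] = add_lut(enc_x, d_xb, sec_key)     # B: decrypt and mark
        wme_set.append(w_b)
        cp_db[kdf_sc(w_b)] = buyer                        # CP entry keyed by IDX
    return {"x": x, "sec_key": sec_key, "copies": copies,
            "wme_set": wme_set, "cp_db": cp_db}
```

The buyer never sees X without a mark: adding the entries of D_(X,B) cancels the E_X contribution and leaves only the W_B contribution, which is what the correlation detector later picks up.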
5. DISCUSSION
This section analyses the main characteristics and achievements of the proposed protocol, which are summarized in Table 11 in terms of solved problems. In particular, the analysis has been conducted without resorting to formal methods, such as those documented in [18, 51] and in [43, 44, 52, 53], in order to make the described arguments easy and readable.
TABLE 11. Comparison among watermarking protocols. Solved problems (rows): Piracy tracing, Customer’s right, Unbinding, Anonymity, Dispute resolution, Conspiracy, Ambiguity, Multiple negotiation, Role. Watermarking protocols (columns): [8], [9], [11], [12], [19], [14], [16], [17], [15], [18], this.
The main ideas at the basis of the proposed protocol and that make it immune from the most common attacks and vulnerabilities known in the literature [18, 25, 44, 52, 53] are the following:
(1) All messages exchanged among the web entities involved in the proposed watermarking protocol are transferred over secure and anonymous communication channels implemented through SSL/TLS connections, which are widely supported by web browsers and guarantee a high security level, as demonstrated by the world of e-commerce transactions, which is mainly based on such security technologies. Furthermore, transaction identifiers, timestamps and digital signatures are exploited according to literature to prevent possible transaction attacks, such as ‘replay’ and ‘man in the middle’ attacks, and to enable the web entities involved in the protocol to control the ongoing transactions. In fact, the freshness and possible mismatch of the exchanged tokens can be always monitored and checked at each step of the protocol. This makes the information that can be learned by the web entities involved in interleaving runs of the protocol useless to compromise security, since the information learned from a run of the protocol cannot be exploited in a different and overlapping run of the protocol. Therefore, only if all the exchanged tokens and phases of the protocol result in being correct, the delivery of $\bar{X}$ and the payment process can take place.
(2) All the phases of the proposed watermarking protocol are controlled and directly managed by WCA, that is a fully trusted party. This is a key choice in the protocol design since it prevents B and CP from implementing direct colluding actions. Furthermore, B is not involved in the protection phase of the protocol, and this prevents him/her from attacking it. In fact, a dishonest B can only affect the negotiation or delivery phases. However, in both the cases, the possible effects on the security of the protocol are null, since they can be trivially detected by the fully trusted WCA. On the contrary, B can check the list of the WCAs proposed by CP in the negotiation phase and choose the one he/she considers the best by referring to the
More precisely, each content X sold by CP is protected by the insertion of a personalized, perceptually invisible watermark, which is also stored in a purchase certificate that is delivered to B and CP in order to prove the legitimate possession of ¯ The certificate is generated by WCA and the protected X. contains coherent information digitally signed and encrypted by WCA. Therefore, nobody can autonomously generate a valid digital purchase certificate, or only access or coherently modify a certificate generated by WCA. To this end, it is worth noting that the watermark stored by WCA in the certificate associated to the content X¯ is autonomously generated by WCA, together with further n − 1 watermarks that have to be all sent to CP as plaintext. This is necessary because all the watermarks, together with X, have to be encrypted by CP by using the same key, in order to enable the watermark insertion directly in the encrypted domain. Thus, the proposed protocol guarantees that only CP can get access to the unprotected content X. However, this procedure enables CP to know all the watermarks among which WCA chooses the one to be used to protect X. Therefore, it is statistically hard for CP, in the case of n and ω sufficiently high, to guess the watermark chosen by WCA to protect X; nevertheless CP can try to fool WCA and B by replacing the watermarks sent by WCA with others purposely generated or reusing watermarks taken from previous correct transactions. On the other hand, WCA cannot establish if the watermarks encrypted and returned by CP have been fraudulently changed. However, CP cannot generate valid purchase certificates containing reused or purposely generated watermarks, and coherent data on the content description and the buyer’s identity. In fact, purchase certificates bind the watermark Wchs , autonomously selected by WCA, to the buyer’s identity, CP, the purchased content and the web
transaction by which the content is bought. In addition, as reported above, they are released by WCA in an enciphered and signed form. As a consequence, CP can obtain a content $\bar{X}$ protected with a known and arbitrary watermark $W_{arbitrary}$ by cheating WCA. However, CP cannot obtain the generation of a valid purchase certificate containing $W_{arbitrary}$ and associated to $\bar{X}$. Therefore, running the ‘identification and arbitration protocol’ on a content protected by a watermark fraudulently provided by CP makes it impossible to adjudicate anybody to be a traitor, and this just ends up damaging CP, which, by cheating WCA, promotes the release of content that cannot be correctly tied to any buyer. Thus, the ‘piracy tracing problem’ is solved.

In order to exemplify what is reported above, let $W_{k_i}$, with $i = 1 \cdots n$, denote the watermarks generated by WCA and then encrypted by CP, according to what is mentioned in Section 4.1.2. Let us suppose that CP discards the watermarks $W_{k_i}$ received from WCA and generates new watermarks $W_{h_i}$, with $i = 1 \cdots n$, in an attempt to cheat WCA. Then, CP encrypts the watermarks $W_{h_i}$, thus generating $E_{pk_{CP}^{X}}(W_{h_i})$, with $i = 1 \cdots n$. These watermarks are sent to WCA, which cannot establish whether the encrypted data returned by CP are the encrypted versions of the watermarks $W_{k_i}$ or the encrypted versions of the watermarks $W_{h_i}$. Therefore, once a value $chs \in [1, n]$ has been chosen, the watermark $W_{h_{chs}}$ will be used to protect X, whereas the watermark $W_{k_{chs}}$ will be stored in the purchase certificate associated to the watermarked $\bar{X}$. However, since watermarks that are used to protect content are always and autonomously generated by WCA, there is no way to force WCA to generate a certificate containing $W_{h_{chs}}$, in place of $W_{k_{chs}}$, to protect X.
As a consequence, the protection process ends with the content $\bar{X}$ watermarked with $W_{h_{chs}}$, whereas the certificate Cert(B, CP, X) released to B contains $W_{k_{chs}}$ and is pointed to by $ID_{X_k} = KDF_{WCA}(W_{k_{chs}})$. Let the ‘identification and arbitration protocol’ be run on $\bar{X}$. The extracted watermark will be $W_{h_{chs}}$, whereas the function $KDF_{WCA}$ applied to the watermark $W_{h_{chs}}$ will generate the value $ID_{X_h}$. As a consequence, since no purchase certificate including $W_{h_{chs}}$ and $ID_{X_h}$ can be exhibited by CP, nobody can be considered a traitor.

The protection core based on purchase certificates makes the proposed protocol usable, modular, flexible and secure without needing a double watermark insertion, thus solving the ‘ambiguity problem’. In fact, the protocol is usable, since web users can purchase digital content distributed by CPs without having to be provided with digital certificates issued by CAs, and this solves the ‘multiple negotiation problem’. Moreover, a suspected buyer is not required to cooperate in the ‘identification and arbitration protocol’, since WCA, CP and SP can make appropriate adjudications autonomously and collaboratively. This solves the ‘dispute resolution problem’. In addition, CPs are not required to watermark their distributed digital content, and the role of B is limited to three main actions: the first consists in choosing X; the second consists in sending out the purchase order; the third
publicly available registers of trusted WCAs. This enables B to recognize possible dishonest behaviours of CP.

(3) Once a pirated copy of $\bar{X}$ is found in the market, nobody can be considered a traitor if there does not exist a valid purchase certificate that can be correctly associated to $\bar{X}$ and from which the identity of the traitor can be derived. This also means that the watermark extracted from $\bar{X}$ and the watermark stored in the associated purchase certificate have to match. To this end, it is worth noting that the purchase certificate is autonomously generated by WCA. Therefore, the watermark embedded into $\bar{X}$ is chosen by WCA and inserted into the purchase certificate independently of all the attacks that can be conducted by CP. As a consequence, if CP tries to force the insertion of an arbitrary watermark into $\bar{X}$, it can only obtain a mismatch between the watermark inserted into $\bar{X}$ and the associated purchase certificate generated by WCA, thus nullifying the protocol protection against its own interests.
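The mismatch described in point (3), and in the walk-through where CP swaps WCA's watermarks for its own, can be traced step by step in code. The Python code below is an added example, not code from the paper: it assumes $KDF_{WCA}$ is HMAC-SHA256 under a key only WCA holds, uses a second HMAC in place of WCA's digital signature, and leaves out the encrypted-domain embedding, keeping only the watermark and certificate bookkeeping; all function names and identifiers are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Assumptions (not from the paper): KDF_WCA is modelled as HMAC-SHA256 under a
# key only WCA holds, and a second HMAC stands in for WCA's digital signature.
KDF_KEY = secrets.token_bytes(32)
SIGN_KEY = secrets.token_bytes(32)
OMEGA = 16  # watermark length in bytes (constructed value)


def kdf_wca(watermark: bytes) -> str:
    """ID_X = KDF_WCA(W): the index under which a certificate is filed."""
    return hmac.new(KDF_KEY, watermark, hashlib.sha256).hexdigest()


def _sign(body: dict) -> str:
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SIGN_KEY, payload, hashlib.sha256).hexdigest()


def run_transaction(store, buyer, cp, content_id, tx_id, n=8, cp_cheats=False):
    """Protection phase, reduced to the watermark bookkeeping.

    Returns the watermark that actually ends up embedded in the sold copy.
    """
    w_k = [secrets.token_bytes(OMEGA) for _ in range(n)]  # generated by WCA
    # CP returns n encrypted watermarks and WCA cannot see inside them. This
    # list holds the plaintexts hidden in CP's ciphertexts: WCA's own values
    # for an honest CP, freshly generated ones (W_h) for a cheating CP.
    w_returned = [secrets.token_bytes(OMEGA) for _ in range(n)] if cp_cheats else w_k
    chs = secrets.randbelow(n)  # chosen by WCA alone
    # The certificate always carries WCA's own W_k[chs], never CP's value.
    body = {"buyer": buyer, "cp": cp, "content": content_id, "tx": tx_id,
            "watermark": w_k[chs].hex()}
    store[kdf_wca(w_k[chs])] = {"body": body, "sig": _sign(body)}
    return w_returned[chs]


def arbitrate(store, extracted: bytes, content_id: str):
    """Identification and arbitration: return the buyer bound to a pirated
    copy, or None when no valid, matching certificate can be exhibited."""
    cert = store.get(kdf_wca(extracted))
    if cert is None:
        return None  # KDF_WCA(W_h) points at no certificate
    body = cert["body"]
    if not hmac.compare_digest(cert["sig"], _sign(body)):
        return None  # certificate was altered or not issued by WCA
    if bytes.fromhex(body["watermark"]) != extracted or body["content"] != content_id:
        return None  # watermark or content does not match the certificate
    return body["buyer"]


def demo():
    store = {}
    honest = run_transaction(store, "buyer-1", "cp-1", "content-A", "tx-001")
    forged = run_transaction(store, "buyer-2", "cp-1", "content-A", "tx-002",
                             cp_cheats=True)
    return arbitrate(store, honest, "content-A"), arbitrate(store, forged, "content-A")


if __name__ == "__main__":
    print(demo())
```

In the cheating run a certificate is still issued, but it is filed under $KDF_{WCA}$ of WCA's own watermark, so the watermark extracted from the sold copy resolves to nothing and no buyer is named.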
watermark, or the applied protection turned out to be ineffective. In fact, the first situation can be avoided by WCA, which can compare $E_{pk_{CP}^{X}}(X)$ and $E_{pk_{CP}^{X}}(\bar{X})$, thus aborting the protocol if the two contents turn out to be equal. In the second case, SP would end up generating a content protected by a watermark that cannot be stored in the purchase certificate associated to the content, thus creating the same situation described above, which makes it impossible to adjudicate anybody to be a traitor if a copy of such a content is found in the market. Finally, in the third case, an inadequately protected copy of X would end up being delivered to B. However, it is worth noting that SP is directly chosen by WCA as a trusted web service provider, and its business possibilities mainly depend on its capability to effectively protect digital content on behalf of CPs. Therefore, if a content distributed by CP and not adequately protected by SP were found in the market, WCA could break its relations with SP and damage SP’s reputation, thus strongly limiting the business possibilities of SP.

The protocol also enables WCA, if it is able, to directly apply the watermark protection without resorting to SPs. However, the possibility of resorting to SPs is mainly tied to the need for WCA to supply an effective protection service, which can be more easily implemented by adopting advanced and high-performance software architectures that exploit SPs [46].

The proposed protocol guarantees that the management of confidential data on buyers is compatible with the concept of ‘multilateral security’ [31, 32]. In fact, the creation and management of such data are often unavoidable during web transactions, particularly when they are indispensable for correctly providing or charging for a service. However, the protocol preserves the ownership of such data, thus preventing any misuse.
In particular, according to what is reported in Table 3, the protocol guarantees that B’s identity can be known only by WCA, which is a trusted web entity, and only if B decides to participate in the protocol by presenting his/her personal certificate or credit card. In the other cases, anonymity is preserved. In fact, the protocol enables B to accept the right trade-off between opposite goals, such as simplicity and anonymity. Thus, the ‘anonymity problem’ is solved.

Finally, the proposed protocol assumes that CPs store all information generated by the protocol, such as the digital purchase certificates. This can be considered reasonable, since CPs are very likely to already have the databases needed to manage their web activities.
6. CONCLUSION
In this paper, a usable, modular, flexible and secure watermarking protocol has been presented. The protocol has been developed taking into account previous experiences documented in the literature. Such experiences have made it possible to identify problems and challenges that have then
consists in downloading the purchased content and decrypting it, thus obtaining the protected content. These actions could require B to download and execute mobile code fragments in order to manage the web transactions and the decryption of $E_{pk_{CP}^{X}}(\bar{X})$. However, this is not a problem for buyers provided with the commonly used web browsers. On the contrary, this resembles what common users do when shopping on the Internet, and could hardly be any simpler. This solves the ‘role problem’.

The protocol is also modular and flexible, since it is arranged in three well-defined phases and, differently from other solutions proposed in the literature, can exploit different watermark embedding schemes, such as the ‘asymmetric’ and ‘secure’ ones, without needing impractical or substantial changes, or ‘zero-knowledge proof’ techniques [6, 10].

The protocol is secure, since it achieves the following goals. First, it is useless to fool WCA and B by altering the watermarks generated by WCA, because, as reported above, this causes content to be protected with incorrect watermarks, thus making it impossible to adjudicate anybody to be a traitor. This definitively solves the ‘unbinding problem’. Furthermore, X is never released by CP in an unprotected form. Therefore, CP can always keep control of its original content and is never forced to release it. Moreover, B is the sole entity that receives the content $\bar{X}$ protected with a personalized watermark. Therefore, no other entity involved in the protocol can distribute illegal replicas of $\bar{X}$, and if copies of $\bar{X}$ are found in the market, they can only originally come from B. This solves the ‘customer’s right problem’. In addition, B cannot cheat CP, since he/she plays a marginal role in the proposed protocol. More precisely, he/she only participates in the negotiation and delivery phases, and this prevents him/her from influencing the protection process.
Furthermore, B can neither know which watermarking algorithm has been used to protect X nor calculate the binary code representing the watermark, because this code is not always the same for a given buyer, as reported in Section 4.1.2. Finally, X is never released in a partially protected form, as happens in other watermarking protocols proposed in the literature, such as [9] or [18]. In such protocols, WCA receives a copy of X originally watermarked by CP but not bound to any buyer. As a result, WCA could illegally distribute copies of such a partially protected content without running the risk of being adjudicated to be a traitor, since it can claim that the illegal replicas were created and directly distributed by CP. In fact, this is a relevant problem that has not been addressed until now. Thus, the ‘conspiracy problem’ is solved. The protocol enables CPs to take advantage of SPs. In particular, the content to be protected is sent from WCA to SP in an encrypted form, and so SP can neither access content nor know which CP is the owner of the content. Therefore, SPs cannot collude with CPs since there is never a direct contact between them. However, problems could arise if an SP did not watermark a received content, or attempted to reuse a
guided the design of the proposed protocol so as to devise a solution suited to the web context. To this end, the major achievements that characterize the protocol can be summarized as follows:
Therefore, the proposed protocol can solve the problems and meet the challenges reported in the previous sections. It adopts a design approach based on the use of digital purchase certificates, which makes the protocol actually implementable in the web context, whereas most of the relevant watermarking protocols proposed in the literature still result in being impractical or unsuited for such a context.
REFERENCES
[1] Cox, I., Bloom, J. and Miller, M. (2001) Digital Watermarking: Principles & Practice. Morgan Kaufmann, Burlington, MA, USA.
[2] Trappe, W., Wu, M., Wang, Z.J. and Liu, K.J.R. (2003) Anticollusion fingerprinting for multimedia. IEEE Trans. Signal Process., 41, 1069–1087.
[3] Liu, K.J.R., Trappe, W., Wang, Z.J., Wu, M. and Zhao, H. (2005) Multimedia Fingerprinting Forensics for Traitor Tracing. Hindawi Publishing Corporation, New York, NY, USA.
[4] Boneh, D. and Shaw, J. (1998) Collusion-secure fingerprinting for digital data. IEEE Trans. Inf. Theory, 44, 1897–1905.
[5] Wu, M., Trappe, W., Wang, Z.J. and Liu, K.J.R. (2004) Collusion-resistant fingerprinting for multimedia. IEEE Signal Process. Mag., 21, 15–27.
[6] Gopalakrishnan, K., Memon, N. and Vora, P.L. (2001) Protocols for watermark verification. IEEE Multimedia, 8, 66–70.
[7] Frattolillo, F. (2007) Watermarking protocol for web context. IEEE Trans. Inf. Forensics Sec., 2, 350–363.
[8] Memon, N. and Wong, P.W. (2001) A buyer–seller watermarking protocol. IEEE Trans. Image Process., 10, 643–649.
[9] Lei, C.L., Yu, P.L., Tsai, P.L. and Chan, M.H. (2004) An efficient and anonymous buyer–seller watermarking protocol. IEEE Trans. Image Process., 13, 1618–1626.
[10] Kuribayashi, M. and Tanaka, H. (2005) Fingerprinting protocol for images based on additive homomorphic property. IEEE Trans. Image Process., 14, 2129–2139.
[11] Zhang, J., Kou, W. and Fan, K. (2006) Secure buyer–seller watermarking protocol. IEE Proc. Inf. Secur., 153, 15–18.
[12] Fan, C.I., Chen, M.T. and Sun, W.Z. (2007) Buyer–Seller Watermarking Protocols with Off-Line Trusted Parties. Proc. IEEE Int. Conf. on Multimedia and Ubiquitous Engineering, Seoul, South Korea, April 26–28, pp. 1035–1040. IEEE Computer Society, Washington, DC, USA.
[13] Ibrahim, I.M., El-Din, S.H.N. and Hegazy, A.F.A. (2007) An Effective and Secure Buyer–Seller Watermarking Protocol. Proc. 3rd Int. Symp. on Information Assurance and Security, Manchester, UK, August 29–31, pp. 21–28. IEEE Computer Society, Washington, DC, USA.
[14] Das, V.V. (2008) Buyer–Seller Watermarking Protocol for an Anonymous Network Transaction. Proc. 1st Int. Conf. on Emerging Trends in Engineering and Technology, Nagpur, Maharashtra, India, July 16–18, pp. 807–812. IEEE Computer Society, Washington, DC, USA.
[15] Katzenbeisser, S., Lemma, A., Celik, M.U., van der Veen, M. and Maas, M. (2008) A buyer–seller watermarking protocol based on secure embedding. IEEE Trans. Inf. Forensics Sec., 3, 783–786.
[16] Laxmi, V., Khan, M.N., Sarath, S. and Gaur, M.S. (2009) Buyer Seller Watermarking Protocol for Digital Rights Management. Proc. 2nd Int. Conf. on Security of Information and Networks, Famagusta, North Cyprus, October 6–10, pp. 298–301. ACM, New York, NY, USA.
[17] Hu, D. and Li, Q. (2009) A Secure and Practical Buyer–Seller Watermarking Protocol. Proc. Int. Conf. on Multimedia Information Networking and Security, Wuhan, China, November 18–20, pp. 105–108. IEEE Computer Society, Washington, DC, USA.
[18] Rial, A., Deng, M., Bianchi, T., Piva, A. and Preneel, B. (2010) A provably secure anonymous buyer–seller watermarking protocol. IEEE Trans. Inf. Forensics Sec., 5, 920–931.
[19] Hu, Y. and Zhang, J. (2009) A secure and efficient buyer–seller watermarking protocol. J. Multimedia, 4, 161–168.
[20] Poh, G.S. and Martin, K.M. (2009) An Efficient Buyer–Seller Watermarking Protocol Based on Chameleon Encryption. In Kim, H.J., Katzenbeisser, S. and Ho, A.T.S. (eds), Proc. 7th Int. Workshop on Digital Watermarking, Busan, Korea, November 10–12, Lecture Notes in Computer Science 5450, pp. 433–447. Springer, Berlin, Germany.
[21] Celik, M., Lemma, A., Katzenbeisser, S. and van der Veen, M. (2008) Lookup table based secure client-side embedding for spread-spectrum watermarks. IEEE Trans. Inf. Forensics Sec., 3, 475–487.
[22] Piva, A., Bianchi, T. and De Rosa, A. (2010) Secure client-side ST-DM watermark embedding. IEEE Trans. Inf. Forensics Sec., 5, 13–26.
[23] Hartung, F., Su, J.K. and Girod, B. (1999) Spread Spectrum Watermarking: Malicious Attacks and Counterattacks. In Delp,
(1) CP is the sole entity that gets access to the unprotected content X;
(2) B is the sole entity that is allowed to get access to the final watermarked content $\bar{X}$;
(3) WCA does not receive copies of X originally watermarked by CP but not bound to any buyer;
(4) WCAs can take advantage of SPs, whereas CPs cannot collude with them since there is never contact between them;
(5) content protection can be implemented without requiring a double watermark insertion;
(6) buyer participation in the protocol is simple, similar to that required by the most common e-commerce transactions, and supported by multiple negotiation mechanisms;
(7) content protection can be applied flexibly, according to both ‘asymmetric’ and ‘secure’ watermark embedding schemes;
(8) confidential data are managed by a unique trusted web entity, that is WCA;
(9) roles of the web entities involved in the protocol are limited and well-defined.
E.J. and Wong, P.W. (eds), Security and Watermarking of Multimedia Contents, San Jose, CA, USA, April 9, Proceeding of SPIE 3657, pp. 147–158. SPIE, Bellingham, WA, USA.
[24] Katzenbeisser, S. and Veith, H. (2002) Securing Symmetric Watermarking Schemes Against Protocol Attacks. In Delp, E.J. and Wong, P.W. (eds), Security and Watermarking of Multimedia Contents IV, San Jose, CA, USA, April 29, Proceeding of SPIE 4675, pp. 260–268. SPIE, Bellingham, WA, USA.
[25] Deng, M. and Preneel, B. (2008) Attacks on Two Buyer–Seller Watermarking Protocols and An Improvement for Revocable Anonymity. Proc. IEEE Int. Symp. on Electronic Commerce and Security, Guangzhou, China, August 3–5, pp. 923–929. IEEE Computer Society, Washington, DC, USA.
[26] Lemma, A.N., Katzenbeisser, S., Celik, M.U. and v.d. Veen, M. (2006) Secure Watermark Embedding Through Partial Encryption. In Shi, Y.-Q. and Jeon, B. (eds), Proc. 5th Int. Workshop on Digital Watermarking, Springer, November 8–10, Lecture Notes in Computer Science 4283, pp. 433–445. Springer, Berlin, Germany.
[27] Bellare, M., Shi, H. and Zhang, C. (2005) Foundations of Group Signatures: The Case of Dynamic Groups. In Menezes, A. (ed.), CT-RSA, San Francisco, CA, USA, February 14–18, Lecture Notes in Computer Science 3376, pp. 136–153. Springer, Berlin, Germany.
[28] Bellare, M. and Goldreich, O. (1992) On Defining Proofs of Knowledge. In Brickell, E.F. (ed.), Proc. 12th Annual Int. Cryptology Conf., Santa Barbara, CA, USA, August 16–20, Lecture Notes in Computer Science 740, pp. 390–420. Springer, Berlin, Germany.
[29] Frattolillo, F. and D’Onofrio, S. (2006) A Web Oriented and Interactive Buyer–Seller Watermarking Protocol. In Delp, E.J. and Wong, P.W. (eds), Security, Steganography, and Watermarking of Multimedia Contents VIII, San Jose, CA, USA, January, Proceeding of SPIE 6072, pp. 718–726. SPIE.
[30] Campidoglio, M., Frattolillo, F. and Landolfi, F. (2009) The Copyright Protection Problem: Challenges and Suggestions. Proc. 4th Int. Conf. on Internet and Web Applications and Services, Venice, Italy, May 24–28, pp. 522–526. IEEE Computer Society, Washington, DC, USA.
[31] Rannenberg, K., Royer, D. and Deuker, A. (2009) The Future of Identity in the Information Society—Challenges and Opportunities. Springer, Berlin, Germany.
[32] Rannenberg, K. (2000) Multilateral Security. A Concept and Examples for Balanced Security. Proc. 9th ACM Workshop on New Security Paradigms, Cork, Ireland, September 18–21, pp. 151–162. ACM, New York, NY, USA.
[33] Chen, B. and Wornell, G. (2001) Quantization index modulation: a class of provably good methods for digital watermarking and information embedding. IEEE Trans. Inf. Theory, 47, 1423–1443.
[34] Zhao, H.V. and Liu, K.J.R. (2006) Traitor-within-traitor behavior forensics: strategy and risk minimization. IEEE Trans. Inf. Forensics Sec., 1, 440–456.
[35] Hostetler, G. and Hasznos, S. (2009) Web Service and SOA Technologies. Practicing Safe Techs, Denver, CO, USA.
[36] Frattolillo, F. and Landolfi, F. (2008) Designing a DRM System. Proc. 4th Int. Conf. on Information Assurance and Security, Naples, Italy, September 8–10, pp. 221–226. IEEE Computer Society, Washington, DC, USA.
[37] Frattolillo, F., Landolfi, F. and Marulli, F. (2009) A Novel Approach to DRM Systems. Proc. 12th IEEE Int. Conf. on Computational Science and Engineering, Vancouver, Canada, August 29–31, pp. 492–497. IEEE Computer Society, Washington, DC, USA.
[38] Frattolillo, F. and D’Onofrio, S. (2005) Applying Web Oriented Technologies to Implement an Adaptive Spread Spectrum Watermarking Procedure and a Flexible DRM Platform. In Montague, P. and Safavi-Naini, R. (eds), Proc. 3rd Australasian Information Security Workshop, Newcastle, Australia, 2 February, Conferences in Research and Practice in Information Technology 44, pp. 159–167. Australian Computer Society, Sydney, Australia.
[39] Frattolillo, F. and D’Onofrio, S. (2005) An Effective and Dynamically Extensible DRM Web Platform. In Yang, L.T., Rana, O.F., Di Martino, B. and Dongarra, J. (eds), Proc. of the Int. Conf. on High Performance Computing and Communications, Sorrento, Italy, September, Lecture Notes in Computer Science 3726, pp. 411–418. Springer.
[40] Deng, M. and Preneel, B. (2008) On Secure and Anonymous Buyer–Seller Watermarking Protocol. Proc. 3rd Int. Conf. on Internet and Web Applications and Services, Athens, Greece, June 8–13, pp. 524–529. IEEE Computer Society, Washington, DC, USA.
[41] Deng, M., Bianchi, T., Piva, A. and Preneel, B. (2009) An Efficient Buyer–Seller Watermarking Protocol Based on Composite Signal Representation. Proc. 11th ACM Workshop on Multimedia and Security, Princeton, NJ, USA, 7–8 September, pp. 9–18. ACM, New York, NY, USA.
[42] Qiao, L. and Nahrstedt, K. (1998) Watermarking schemes and protocols for protecting rightful ownership and customer’s rights. J. Visual Commun. Image Represent., 9, 194–210.
[43] Poh, G.S. and Martin, K.M. (2009) Classification Framework for Fair Content Tracing Protocols. In Ho, A.T.S., Shi, Y.Q., Kim, H.J. and Barni, M. (eds), Proc. 8th Int. Workshop on Digital Watermarking, Guildford, UK, August 24–26, Lecture Notes in Computer Science 5703, pp. 252–267. Springer, Berlin, Germany.
[44] Poh, G.S. (2009) Design and Analysis of Fair Content Tracing Protocols. Ph.D. Thesis, Department of Mathematics, Royal Holloway, University of London Egham, Surrey, England.
[45] Weerawarana, S., Curbera, F., Leymann, F., Storey, T. and Ferguson, D.F. (2005) Web Services Platform Architecture: SOAP, WSDL, WS-Policy, WS-Addressing, WS-BPEL, WS-Reliable Messaging, and More. Prentice Hall, Upper Saddle River, NJ, USA.
[46] Frattolillo, F. and Landolfi, F. (2010) A Cluster Grids Based Platform for Digital Copyright Protection. Proc. 12th IEEE Int. Symp. on Web Systems Evolution, Timisoara, Romania, September 17–18, pp. 83–87. IEEE Computer Society, Washington, DC, USA.
[47] Zwierko, A. and Kotulski, Z. (2005) A New Protocol for Group Authentication Providing Partial Anonymity. Proc. 1st Conf. on Next Generation Internet Networks-Traffic Engineering, Rome, Italy, April 18, pp. 356–363. IEEE Computer Society, Washington, DC, USA.
[48] Zwierko, A. and Kotulski, Z. (2007) A light-weight e-voting system with distributed trust. Electron. Notes Theor. Comput. Sci., 168, 109–126.
[49] Williams, D.M., Treharne, H. and Ho, A.T.S. (2010) On the Importance of One-Time Key Pairs in Buyer–Seller Watermarking Protocols. Proc. Int. Conf. on Security and Cryptography, Athens, Greece, 26–28 July, pp. 441–446. IEEE Computer Society, Washington, DC, USA.
[50] McGrew, D. and Weis, B. (2010) Key Derivation Functions and Their Uses. Technical Report. Internet Engineering Task Force, Fremont, CA, USA.
[51] Canetti, R. (2006) Security and composition of cryptographic protocols: A tutorial. Cryptology ePrint Archive, Report 2006/465.
[52] Williams, D.M., Treharne, H., Ho, A.T.S. and Culnane, C. (2008) Using a Formal Analysis Technique to Identify an Unbinding Attack on a Buyer–Seller Watermarking Protocol. Proc. 10th ACM workshop on Multimedia and Security, Oxford, UK, September 22–23, pp. 205–214. ACM, New York, NY, USA.
[53] Williams, D.M., Treharne, H., Ho, A.T.S. and Waller, A. (2008) Formal Analysis of Two Buyer–Seller Watermarking Protocols. In Kim, H.J., Katzenbeisser, S. and Ho, A.T.S. (eds), Proc. 7th Int. Workshop on Digital Watermarking, Busan, Korea, November 10–12, Lecture Notes in Computer Science 5450, pp. 278–292. Springer, Berlin, Germany.