Birthday Attack on Efficient and Anonymous Buyer-Seller Watermarking Protocol BY Qurat-ul-Ain M. Mahboob Yasin COMSATS Institute of Information Technology, Islamabad
Dec 21, 2015
Birthday Attack on Efficient and Anonymous Buyer-Seller Watermarking Protocol
BYQurat-ul-Ain
M. Mahboob YasinCOMSATS Institute of Information
Technology, Islamabad
Presentation Scheme What is a Digital Watermark
Use of the digital watermarks Watermarking Protocols:
Qiao and K. Nahrstedt watermarking Protocol Memon and Wong watermarking Protocol Lie et all watermarking protocol
Birthday Paradox Birthday Attack on Efficient and Anonymous
Buyer-Seller Watermarking Protocol Proposed Solution Conclusion
What are Digital Watermarks?
Copyright marks embedded into digital content to prove legal ownership of an intellectual property
The embedding is performed with the help of a key and recovery of the embedded mark will reveal the actual owner of the digital contents
Customers’ Right ProblemA
B
O
Digital Content
X’ with W
Digital Content
X’ with W
Cant tell who is has legally bought the product.
Its impossible to pinpoint who is behind pirating the contents if illegal copies are found
X
W
X’ +
Protecting rightful ownership and customer’s rights
The buyer sends the encrypted data to the seller.
The seller generates a unique watermark based on the encrypted data received and inserts it into the digital content
Seller sends X‘ to the buyer.
The buyer can prove his possession of the watermarked copy.
EKB(Bits)
X’
BuyerSeller
[L Qiao and K. Nahrstedt, Sept 98]
What if The Seller is Malicious
As the seller has the exact watermarked copy which is sold to the buyer, an illegal copy cannot prove a buyer guilty of pirating the copy after analyzing the embedded watermark.
[N. Memon and P. W. Wong, Apr. 2001.]
How Memon & Wong Solved the Problem
There is a third trusted party, to generate watermarks, called WCA. Seller need not to know the watermark.
The seller inserts the watermark in encrypted domain. So seller has no access to the final water marked copy which the buyer gets
Privacy Homomorphic
Encryption function Epk is privacy homomorphic if following equation holds Epk (a b)= Epk (a) Epk (b) a & b
Memon and Wong Watermarking Protocol
IDB, PB
EPB(W), SWCA (EPB (W))
EPB (W), SWCA(EPB (W))
EPB (X``)
BuyerWCA Seller
Unbinding Problem
Unable to bind a watermark to particular digital contents or transaction.
[C.L. Lei, P.L. YU, P.L Tsai and M.H Chan, Dec 2004 ]
Example: A buys digital contents X’’ containing
watermark Wx. Now if X’ is illegally distributed by A, the seller can extract the watermark from the pirated copy and insert it to the other expensive product Y to get Y’’ and can prove that Y’ is being pirated to be compensated more.
Secondly seller can ignore the watermark and insert the previously used watermark by the same buyer in some previous transaction to prove piracy of both digital contents if the buyer illegally distribute one.
Efficient and Anonymous Buyer-Seller Watermarking Protocol Buyer can remain anonymous by
getting several anonymous certificate from a CA.
Buyer has to generate new public private key for each transaction to solve the unbinding problem.
Continued…
CertCA(pB), CertpB(pk*), ARG, Spk*(ARG)
CertpB(pk*), ARG, Spk*(ARG), X`
Epk*(W), pkWCA(W), SignWCA(Epk*(W),pk*,
Spk*(ARG))
Epk*(X``)
The Seller The Watermark Certification Authority WCA
The Buyer
[C.L. Lei, P.L. YU, P.L Tsai and M.H Chan, Dec 2004 ]
Problems with EASBW Protocol Buyer’s anonymity allows a malicious
buyer to collect digital content time and again and abort the transaction saying he cannot decrypt the contents provided.
Seller sends the watermark copy X’ to WCA. With X’ in hand WCA can generate X’’.
Seller is maintaining a huge database having unique public key for each transaction.
Birthday Paradox
What is the minimum value of k such that the probability is nearly 50% that at least 2 people in a group of k people have the same birthday
Example:
In a group of 23 people, though the probability that birthday a member A shares his birthday with another group member is 23/365, but the probability is more than 50% that at least two of them will have the same birthday.
Birthday Attack on the EABSW protocol
The security of EASBW requires that for each transaction buyer must generate new public private key pair.
The final watermarked copy is encrypted using the key generated for a specific transaction.
Continued…
Suppose a seller has a million entries for different buyers and the seller generates a million entries for different private public key of n bits in size. For the probability of success in matching to be 50%, the database size should be √n that is much less than n as expected from a key size of n bits
The probability of a success increases if elliptic curve cryptography is used
What if The Attack is successful
CertpB(pk*), ARG, Spk*(ARG), X
Epk*(W), pkWCA(W), SWCA(Epk*(W),pk*, Spk*(ARG))
The Seller The Watermark Certification Authority WCA
Arbitration Process
Seller generate X’’ by inserting W after decrypting Epk*(W).
In arbitration process the seller has all the evidence to prove an innocent buyer guilty of pirating the digital contents.
Proposed Solution Watermarking Certification Authority
should not be memory less WCA should maintain a database of public
keys used in each transaction. Before generating watermark WCA must
ensure pk* is not used in any transaction. Seller must only give specification to
WCA not the Watermarked copy X’ to prevent WCA of pirating digital contents
Conclusions The watermark certification authority
should maintain a database of all public keys against which it has issued watermarks.
We propose that the seller may only tell the characteristics of the original digital contents.
If anonymity is given to the buyer then there should be a mechanism to avoid malicious buyer to cancel the transaction.