Attacks on Two Buyer-Seller Watermarking Protocols and an Improvement for Revocable Anonymity

Buyer-seller watermarking protocols combine digital watermarking with cryptography in order to protect the copyrights and privacy rights of the seller and the buyer before, during, and after trading activities in e-commerce. In this paper, we present attacks on two recently proposed buyer-seller watermarking protocols, and prove that these protocols are not able to provide security for both the buyer and the seller simultaneously. Further, we point out that neither protocol functions properly when employing homomorphic probabilistic cryptosystems. We also show that the buyer's anonymity and/or transaction unlinkability is not achieved in these protocols. We propose an improved secure and anonymous buyer-seller protocol, which is secure and fair for both the seller and the buyer. In contrast to earlier work, our scheme is able to provide all the security properties that a secure buyer-seller watermarking protocol is expected to hold.

As a consequence, it is possible for a malicious seller to frame an innocent buyer, or for an accused buyer to repudiate the guilt. This customer's rights problem in symmetric schemes was first pointed out in (Qiao & Nahrstedt, 1998), and the problem can be solved by asymmetric schemes (Pfitzmann & Schunter, 1996), (Pfitzmann & Waidner, 1997), (Biehl & Meyer, 1997), where only the buyer obtains the exact watermarked or fingerprinted copy, and hence the buyer cannot claim that a pirated copy originated from the seller. When a pirated copy is found, the seller is able to obtain a means to identify and prove the copyright violation to a trusted third party. Moreover, in order to provide the buyer's anonymity, anonymous schemes (Pfitzmann & Sadeghi, 1999, 2000) further make use of a registration service to eliminate the need to expose the buyer's identity to the seller.

A buyer-seller watermarking protocol is one that combines encryption, digital watermarking, and other techniques to ensure rights protection for both the buyer and the seller in e-commerce. A complete and sound buyer-seller watermarking protocol is expected to solve the following problems.

1. The piracy tracing problem: once a pirated copy is found, the seller should be able to trace and identify the copyright violator.
2. The customer's rights problem: when a watermark is inserted solely by the seller, the seller may benefit from framing attacks against an innocent buyer, or disputes remain unsettled. On the other hand, a buyer accused of distributing an unauthorized copy may claim that the copy originated from the seller or that there was a security breach in the seller's system.
3. The unbinding problem: upon discovering a pirated copy, the seller can fabricate piracy by transplanting the buyer's watermark into another digital content. Therefore, it is necessary to bind a chosen watermark to a specific transaction.
4. The anonymity problem: the identity of a buyer should remain unexposed during transactions unless he is proven to be guilty.
5. The conspiracy problem: malicious parties may collude with each other and mount attacks to frame an innocent buyer or to confound the tracing by removing the watermark from the digital content.
6. The dispute problem: the arbitrator should be able to resolve disputes without the buyer revealing his identity or private key.

Accordingly, a buyer-seller watermarking protocol should provide the following security properties as its strategic design principles.

1. Traceability: a copyright violator should be traceable and identifiable.
2. Non-framing: nobody can accuse an honest buyer.
3. Non-repudiation: a guilty buyer cannot deny his responsibility for a copyright violation caused by him.
4. Dispute resolution: the copyright violator should be identified and adjudicated without him revealing his private information, e.g. private keys or watermark.
5. Conspiracy resistance: no colluding parties should be able to frame an innocent buyer or to confound the tracing by removing the watermark from the digital content.
6. Anonymity: a buyer's identity is undisclosed until he is judged to be guilty.
7. Unlinkability: nobody can determine whether different watermarked contents were purchased by the same buyer or not.

Analysis of the Existing Work
The literature is rich in relevant buyer-seller watermarking protocols. Qiao and Nahrstedt (Qiao & Nahrstedt, 1998) first pointed out the customer's rights problem in watermarking protocols for piracy tracing. However, their scheme is symmetric and doesn't guarantee the buyer's security. The first known asymmetric buyer-seller watermarking protocol was introduced by Memon and Wong (Memon & Wong, 2001), and it was improved by Ju et al. (Ju et al., 2002). Since the first introduction of the concept, several alternative design solutions have been proposed. Due to the space limit, instead of a full security analysis, we summarize the analysis and point out the shortcomings of each previous protocol (Choi et al., 2003), (Goi et al., 2004), (Lei et al., 2004), (Zhang et al., 2006), (Shao, 2007), and (Ibrahim et al., 2007). Apart from the piracy tracing problem and the customer's rights problem, which are solved in the early schemes, the existing solutions to the other problems are either impractical or incomplete, as depicted in Table 1.

Table 1. Comparison of some existing buyer-seller watermarking protocols with our protocol.

1. The piracy tracing problem. All of these protocols are able to resolve the piracy tracing problem, and provide a mechanism for the seller to trace and recover the identity of a guilty buyer.
2. The customer's rights problem. All these protocols can solve the customer's rights problem, since the protocols are designed to be asymmetric, i.e., the seller knows neither the exact value of the buyer's watermark nor the final watermarked digital content that the buyer gets. Therefore, a buyer accused of an illegal replication or distribution cannot claim that the copy originated from the seller or from a security breach in the seller's system.
3. The unbinding problem. Lei et al. (Lei et al., 2004) addressed the unbinding problem in (Memon & Wong, 2001), (Ju et al., 2002), (Choi et al., 2003), (Goi et al., 2004) and provided a mechanism to bind a specific transaction of a digital content to a specific buyer, such that a malicious seller cannot transplant the watermark embedded in a digital content into another, higher-priced content. A similar design principle is applied in (Zhang et al., 2006) and (Shao, 2007).
4. The conspiracy problem. Choi et al. (Choi et al., 2003) pointed out the conspiracy problem of (Memon & Wong, 2001), (Ju et al., 2002), where a malicious seller can collude with an untrustworthy third party to fabricate piracy and frame an innocent buyer. Goi et al. (Goi et al., 2004) found that the conspiracy problem couldn't be solved through the commutative cryptosystems of (Choi et al., 2003), further pointed out that the schemes of (Memon & Wong, 2001), (Ju et al., 2002), (Choi et al., 2003) are vulnerable to conspiracy attacks, and showed that the protocol's security shouldn't rely on any third party. Zhang et al. (Zhang et al., 2006) apply the idea of (Goi et al., 2004) and ensure that the buyer's watermark is generated by the buyer, instead of by a watermark certificate authority (WCA). According to our analysis, we conclude that the protocols of (Lei et al., 2004), (Shao, 2007), and (Ibrahim et al., 2007) cannot resist the conspiracy attack in which a malicious seller colludes with a third party so that the seller discovers the buyer's watermark.
5. The anonymity problem. Memon and Wong's protocol (Memon & Wong, 2001) requires the seller to know the buyer's identity to carry out a transaction. The protocols of (Ju et al., 2002), (Choi et al., 2003) improve on (Memon & Wong, 2001) by applying an anonymous key pair in each transaction. However, both protocols require the WCA to know the buyer's identity, which means that the buyer's anonymity is not preserved against conspiracy attacks. In (Goi et al., 2004), the buyer is required to request a signature from the certification authority (CA) of the public key infrastructure (PKI) to generate a watermark. However, (Goi et al., 2004) cannot solve the anonymity problem efficiently, since before each transaction the buyer has to contact the CA for a new signature. (Lei et al., 2004), (Zhang et al., 2006), (Shao, 2007) apply anonymous certificates, i.e., digital certificates without the real identities of the applicants. Unfortunately, transaction unlinkability is not provided: during all transactions the anonymous certificate stays the same, unless the buyer contacts the CA before each transaction for a new certificate, which is impractical for real-life applications.
6. The dispute problem. Zhang et al. (Zhang et al., 2006) presented a scheme, derived from (Lei et al., 2004), where no trusted third party (TTP) is required in the watermark generation phase and the conspiracy problem is solved. Unfortunately, we find a dispute resolution problem in (Zhang et al., 2006): in order to resolve disputes the buyer is required to cooperate and reveal his secret key or his secret watermark to the judge or to the CA, which is unrealistic in real-life applications. Similarly, the schemes of (Memon & Wong, 2001), (Choi et al., 2003), (Goi et al., 2004) all require the accused but possibly innocent buyer to disclose his identity or private key. Moreover, these protocols don't operate properly if the underlying cryptosystem is probabilistic, because the data encrypted by the judge or the CA may not be equal to the data provided by the seller. In (Ju et al., 2002), the buyer creates a key escrow cipher to escrow his anonymous private key at the judge. The problem is that the buyer's secrecy would not be protected against conspiracy attacks if the judge were malicious. In (Lei et al., 2004), the judge requests the buyer's watermark from the WCA, and hence the security depends on the trustworthiness of the WCA.

Our Approach
From the above analysis, we see that none of the existing protocols fulfils the design requirements. The contribution of this paper is twofold. First, we analyze the security of and present attacks on the protocols by Lei et al. (Lei et al., 2004) and Ibrahim et al. (Ibrahim et al., 2007), and prove that neither of them is able to provide security for the buyer and/or the seller as claimed. Further, both protocols require deterministic cryptosystems. Unfortunately, all efficient privacy homomorphic cryptosystems are probabilistic (Fontaine & Galand, 2007), and both protocols require a privacy homomorphism for watermark insertion in the encrypted domain. In this regard, we can prove that neither protocol is able to work properly as designed. Next, we point out that neither the buyer's anonymity nor transaction unlinkability is provided by these two protocols. Second, we propose an anonymous buyer-seller watermarking protocol, which is secure and fair for both the seller and the buyer. Our protocol employs privacy homomorphic cryptosystems to protect the buyer's secret watermark, and group signature schemes to provide revocable anonymity of the buyer. The proposed protocol is an improvement of the earlier work (Deng & Preneel, 2008), (Zhang et al., 2006). The rest of the paper is organized as follows. The security of the protocol by Lei

Attacks on the Protocol of Lei et al.
In the protocol of (Lei et al., 2004), the players are the seller Alice A, the buyer Bob B, the certificate authority CA, the watermark certificate authority WCA, and the arbitrator J. The protocol comprises three phases, namely the registration protocol, the watermark generation and insertion protocol, and the identification and arbitration protocol. We provide an overview of the protocol in Fig. 1, Fig. 2 to Alice. After Alice obtains $W$, she knows all the information $X$, $V$, $W$ necessary to reproduce the watermarked content $X'$ for Bob. Lei et al. assume that the WCA will not reveal Bob's information to Alice. However, the assumption is unrealistic. Because there is no technical enforcement preventing the WCA from revealing private information to Alice, the conspiracy attack is effective. Once Alice gets Bob's watermark, all important features of the protocol end up compromised. First, piracy traceability is not achieved, since either the buyer or the seller might be the traitor. Second, non-framing fails, even though the unbinding problem is solved in the protocol: Alice is able to frame an innocent Bob by reproducing and redistributing the watermarked content $X'$. Third, non-repudiation fails, even though B doesn't know $W$ and cannot remove $W$ from $X'$: a malicious Bob can deny his guilt by claiming that the pirated copy was created by Alice or by a security breach in Alice's computing system. In fact, this attack weakens the security for both the buyer and the seller.

Attack on the Seller's Security
Collusion of the buyer and the WCA. Besides the conspiracy attack explained above, a malicious buyer and the untrustworthy WCA can also collude. In this case, the WCA informs Bob of the actual value of $W$ directly, so that it is possible for Bob to remove his watermark from the watermarked digital content. Therefore, non-repudiation doesn't hold, and the protocol fails to provide security for the seller.

Failure for Probabilistic Cryptosystems
In the arbitration and identification protocol, the WCA is required by the arbitrator J to decrypt ( ) verification won't work using probabilistic cryptosystems. As explained in Sec. , the buyer-seller watermarking protocol requires watermark insertion to be performed in the encrypted domain, which is achieved by employing privacy homomorphic cryptosystems. However, all efficient privacy homomorphic cryptosystems are probabilistic (Fontaine & Galand, 2007). As a result, the protocol fails to function properly as claimed.

Failure for Unlinkability
In the protocol, Bob first obtains an anonymous certificate $Cert_{CA}(pk_B)$ from the CA, i.e., a digital certificate without the real identity of the applicant, in order to provide the buyer's anonymity. As Lei et al. claimed, $Cert_{CA}(pk_B)$ stays the same, unless the buyer contacts the CA before each transaction to acquire a new certificate, which is impractical for real-life applications.

Attacks on the Protocol of Ibrahim et al.
The players involved in the protocol (Ibrahim et al., 2007) are the seller A, the buyer B, the certificate authority CA, and the arbitrator J. The protocol comprises two phases, namely the watermark generation and insertion protocol and the identification and arbitration protocol. The watermark generation and insertion protocol is reviewed in Fig. 4.

Attack on the Seller's Security
In the protocol, Bob generates his secret watermark $W$, and $W$ is approved by the CA. The watermarked content $X'$ is computed from $X$, $V$ and $W$, where $V$ is Alice's watermark. Since Bob knows $W$, it is possible for Bob to remove his watermark $W$ from the watermarked content $X'$. Hence, the protocol fails to provide non-repudiation and traitor traceability. Ibrahim et al. assume that it is impossible for Bob to remove $W$ from $X'$, because Bob has access neither to the original content $X$ nor to the watermark embedding algorithm. Unfortunately, the assumption is unrealistic: it is defeated by employing a blind watermarking scheme (Kutter & Petitcolas, 1999), (Eggers et al., 2000), where the original content is not required to remove the watermark. Moreover, there is no technical enforcement to ensure that Bob cannot learn the watermarking algorithm employed in the protocol. In fact, according to Kerckhoffs' principle in cryptography, "a cryptosystem should be secure even if everything about the system, except the key, is public knowledge." "The system must not require secrecy and can be stolen by the enemy without causing trouble" (Kerckhoffs, 1883). Therefore, the attack is effective and non-repudiation fails. The protocol provides neither the basic requirement of traitor traceability nor the seller's security.

Failure for Probabilistic Cryptosystems
In the watermark generation and insertion protocol, after Alice receives the encrypted value (´( ))

Homomorphic cryptosystems can be classified into two groups, namely those whose security relies on the "decisional composite residuosity assumption" (DCRA), and those of the ElGamal class based on the "decisional Diffie-Hellman assumption" (DDH). The strongest security level a privacy homomorphism can reach is IND-CPA, not IND-CCA2. The state of the art of privacy homomorphic cryptosystems is presented in (Fontaine & Galand, 2007). For instance, the deterministic RSA cryptosystem (Rivest et al., 1978) and the ElGamal cryptosystem (ElGamal, 1985) are multiplicative privacy homomorphisms. In contrast to deterministic RSA, ElGamal is IND-CPA. The Goldwasser-Micali cryptosystem (Goldwasser & Micali, 1982), the Paillier cryptosystem (Paillier, 1999), and its generalization, the Damgård-Jurik cryptosystem (Damgård & Jurik, 2001), are additive privacy homomorphisms.

Group Signature
Group signatures (Chaum & van Heyst, 1991), (Camenisch & Stadler, 1997) enable group members, each with their own private signature key, to produce signatures on behalf of the group. Group signature schemes can be either for static groups, where the identities of the group members are fixed in the group setup phase, or for dynamic groups, where the membership can change over time. Dynamic schemes have the advantage that, instead of assigning a high level of trust to a single group manager, the group manager is split into an issuer, who issues private signature keys to the group members, and an opener, who opens signatures. This provides more security with a lower level of trust. The security properties of static and dynamic group signature schemes are formalized in (Bellare et al., 2003, 2005) as follows:
1) Anonymity allows group members to create signatures anonymously, such that it is hard for an adversary not in possession of the group manager's opening key to recover the identity of the signer.
2) Traceability permits the signer's anonymity to be revoked by the group manager in case of misuse, and ensures that no colluding group members can create unverifiable signatures, or signatures that can't be traced back to some member of the coalition.
3) Non-frameability requires that no adversary can produce a signature in the name of a user unless the latter indeed produced it.

Verifiable Encryption
Verifiable encryption schemes enable the encrypter to prove that the plaintext satisfies certain application-dependent properties without compromising secrecy. They can be employed in numerous applications including escrow schemes (Young & Yung, 1998), (Poupard & Stern, 2000), group signature and identity escrow schemes (Ateniese et al., 2000), (Kilian & Petrank, 1998), and digital payment with revocable anonymity (Frankel et al., 1996), (Camenisch et al., 1996). Specific schemes are proposed in (Camenisch & Shoup, 2003) for both discrete-log based and factoring based settings. In our proposed scheme, verifiable encryption is used for key escrow, such that the buyer can prove to the seller that the plaintext is valid without revealing any private information, and hence the buyer's privacy is preserved.

Model of Anonymous Buyer-Seller Watermarking Protocols
be the cover data, be the set of all watermarked copies of $X_0$, and $k$ be a security parameter given as a common input to all algorithms. An anonymous buyer-seller watermarking protocol involves four parties: a seller Alice A who is the copyright holder, a buyer Bob B, a certificate authority CA that functions as a group manager, and a judge J who adjudicates lawsuits against copyright infringement. The protocol consists of the following three subprotocols, Reg, WK and Arb. The CA's output is the identity id of a guilty buyer together with a proof. J verifies the proof and returns to A either id, or an empty string in case of failure.
Note that the registration protocol Reg is performed once, in the setup phase, by the CA for each new buyer. The watermarking protocol WK is executed multiple times for multiple transactions between the buyer and the seller. The arbitration protocol Arb is executed for dispute resolution.

Proposed Protocol
The proposed buyer-seller watermarking protocol involves four players: the seller Alice, the buyer Bob, the trustworthy CA that functions as a group manager, and an arbitrator. The protocol consists of three phases. First, Bob registers at the CA before the purchase in the registration protocol. Second, Bob only needs to contact Alice during transactions in the watermark generation and insertion protocol. Third, in case Alice finds a pirated copy, the identification and arbitration protocol enables her to identify the copyright violator with the help of the judge and the CA. The following assumptions must hold in the protocol; otherwise, the security properties cannot be guaranteed. We assume a public key infrastructure PKI is well deployed, such that each entity has a PKI certificate issued by the CA. The CA is assumed to be trustworthy, because the PKI should be secure. For consistency, we assume that the digital content is a still image, although the protocol can be applied to other multimedia formats such as audio or video. Note that the security of the protocol depends on the security of the underlying watermarking and cryptographic building blocks. Hence, the watermarking scheme employed should be collusion resistant. In particular, nobody is able to detect and delete the embedded watermark from a content without knowing the watermark. Our scheme employs the privacy homomorphism of the Paillier cryptosystem (Paillier, 1999) and Cox et al.'s robust collusion resistant watermarking scheme (Cox et al., 1997). Camenisch et al.'s verifiable encryption scheme (Camenisch & Shoup, 2003) is employed for the key escrow of the buyer's private key at the CA, such that the buyer can prove to the seller that the plaintext is valid without revealing the secret. We choose to employ the dynamic group signature proposed by Bellare et al. (Bellare et al., 2005) as an example.

Registration Protocol
The registration protocol, performed between the buyer Bob and the CA, is depicted in Fig. 5.
1) In the group key generation phase, the CA generates a tuple $(gpk, gmsk)$. The group public key $gpk$ consists of a public encryption key $pk_e$, a certificate verification key $pk_s$, and some security parameters. The manager secret key $gmsk$ is the decryption key $sk_e$ corresponding to $pk_e$. The certificate creation key is $sk_s$, corresponding to $pk_s$.

Watermark Generation and Embedding Protocol
The watermark generation and insertion protocol, as depicted in Fig. 6, can be executed multiple times for multiple transactions between the seller Alice and the buyer Bob. In order to uniquely bind a particular transaction to the item of interest $X$, Alice and Bob first negotiate a purchase agreement ARG on the transaction specifications.
2) Alice verifies Bob's signature and verifiable proof, as well as Bob's group signature on his anonymous public key. Similarly, Alice generates two unique watermarks $V$ and $W_A$ for each transaction. The first round of watermark insertion is then performed. Note that the sole purpose of $V$ is to serve as a key for searching the sales record in case Alice finds a pirated copy of her products (Memon & Wong, 2001), (Lei et al., 2004).
3) Alice computes the composite watermark $W$ in the encrypted domain by employing privacy homomorphism. Bob then obtains the watermarked content $X'$ from Alice.
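The two "Failure for Probabilistic Cryptosystems" sections above and step 3) here turn on the same property of the Paillier cryptosystem: encrypting one value twice yields two different ciphertexts, yet ciphertexts can still be combined additively. The following Python is an added example, not code from this paper or from any of the cited protocols. It uses a toy-sized Paillier key built from two constructed small primes (not a secure parameter set) and constructed watermark and cover coefficients. It shows that a verifier who re-encrypts a claimed plaintext and compares ciphertexts, which is the kind of check the attacked protocols depend on, fails under Paillier, that decrypting and comparing plaintexts works, and how Alice can form E(W_B + W_A) and then E(X + W) from Bob's E(W_B) without ever learning W_B.

```python
import math
import random

# Constructed toy primes: small enough to read, far too small to be secure.
DEMO_P = 1009
DEMO_Q = 1013


def paillier_keygen(p=DEMO_P, q=DEMO_Q):
    """Return ((n, g), (lam, mu)) for the common Paillier variant with g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lambda = lcm(p-1, q-1)
    g = n + 1
    mu = pow(lam, -1, n)   # with g = n+1, L(g^lam mod n^2) = lam mod n, so mu = lam^-1 mod n
    return (n, g), (lam, mu)


def paillier_encrypt(pk, m, rng=random):
    """E(m) = g^m * r^n mod n^2 with a fresh random r: the scheme is probabilistic."""
    n, g = pk
    n2 = n * n
    while True:
        r = rng.randrange(1, n)
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m % n, n2) * pow(r, n, n2)) % n2


def paillier_decrypt(pk, sk, c):
    """D(c) = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, _ = pk
    lam, mu = sk
    n2 = n * n
    u = pow(c, lam, n2)
    return ((u - 1) // n * mu) % n


def homomorphic_add(pk, c1, c2):
    """E(m1) * E(m2) mod n^2 = E(m1 + m2): the additive privacy homomorphism."""
    n, _ = pk
    return (c1 * c2) % (n * n)


def verify_by_reencryption(pk, claimed_plaintext, ciphertext, rng=random):
    """Deterministic-style check: re-encrypt the claimed value and compare ciphertexts.
    Under a probabilistic scheme the fresh randomness makes this fail almost always."""
    return paillier_encrypt(pk, claimed_plaintext, rng) == ciphertext


def verify_by_decryption(pk, sk, claimed_plaintext, ciphertext):
    """Check that works for probabilistic schemes: the key holder decrypts, then compares plaintexts."""
    return paillier_decrypt(pk, sk, ciphertext) == claimed_plaintext


def composite_watermark_encrypted(pk, enc_w_b, w_a, rng=random):
    """Alice combines Bob's encrypted watermark E(W_B) with her own W_A, coefficient by
    coefficient, and obtains E(W_B + W_A) without learning W_B."""
    return [homomorphic_add(pk, c_b, paillier_encrypt(pk, a, rng)) for c_b, a in zip(enc_w_b, w_a)]


def embed_encrypted(pk, x, enc_w, rng=random):
    """Additive embedding in the encrypted domain: E(x_i) * E(w_i) = E(x_i + w_i)."""
    return [homomorphic_add(pk, paillier_encrypt(pk, xi, rng), c_w) for xi, c_w in zip(x, enc_w)]


def demo(seed=1):
    """Run one transaction with constructed values and report the two verification outcomes."""
    rng = random.Random(seed)
    pk, sk = paillier_keygen()        # Bob's one-time key pair (constructed toy key)
    w_b = [3, 5, 7]                   # Bob's secret watermark coefficients (constructed)
    w_a = [1, 2, 3]                   # Alice's per-transaction watermark (constructed)
    x = [100, 200, 300]               # cover coefficients held only by Alice (constructed)
    enc_w_b = [paillier_encrypt(pk, v, rng) for v in w_b]          # Bob sends E(W_B)
    enc_w = composite_watermark_encrypted(pk, enc_w_b, w_a, rng)   # Alice: E(W_B + W_A)
    enc_marked = embed_encrypted(pk, x, enc_w, rng)                # Alice: E(X + W)
    x_marked = [paillier_decrypt(pk, sk, c) for c in enc_marked]   # only Bob can decrypt
    return {
        "x_marked": x_marked,                                      # [104, 207, 310]
        "reencryption_check": verify_by_reencryption(pk, w_b[0], enc_w_b[0], rng),
        "decryption_check": verify_by_decryption(pk, sk, w_b[0], enc_w_b[0]),
    }


if __name__ == "__main__":
    print(demo())
```

The re-encryption check fails because a different $r$ is drawn each time, which is exactly why a judge or CA that re-encrypts data and compares it with the seller's ciphertext cannot reach a verdict under a probabilistic homomorphic scheme; the decryption-based check is the form the proposed protocol's arbitration uses, with the CA recovering the buyer's key from escrow.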

Identification and Arbitration Protocol
The identification and arbitration protocol is executed among the seller Alice A, a judge J, and the CA, as depicted in Fig. 7.
1) In case Alice finds a pirated copy $Y$ of $X$, she extracts the watermark $U$ from $Y$, and searches the sales record by correlating $U$ with every $V$ in $Table_A$. Then she provides J with all relevant information together with the intermediate watermarked content.
2) If the signature provided by Alice is verified, J accepts the case and forwards the seller's key escrow cipher to the CA to recover the private key of the buyer.
from the buyer and the seller. If they match with a high correlation, the suspected buyer is proven to be guilty. Otherwise, the buyer is innocent. Note that up to this point the buyer's identity is unexposed.
5) To recover the buyer's identity, J orders the CA to open the buyer's group signature with the group manager's secret key $gmsk$.
6) Upon receiving the recovered identity B and a claim proof, J verifies the CA's claim.
7) If verified, J closes the case and announces that the buyer with identity B is guilty.
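Step 1) of the identification protocol (correlating the extracted watermark U with every V in Table_A) and the judge's "high correlation" match are illustrated by the following Python, which is an added example rather than the paper's own procedure. It models the multiplicative spread-spectrum embedding and the similarity test of Cox et al. (1997) on a constructed vector of cover coefficients; the detection threshold, the noise the pirate applies, and the transaction identifiers are assumptions, and the encryption of W that the real protocol performs is left out so that only the correlation step is shown.

```python
import math
import random

ALPHA = 0.1       # embedding strength (assumed)
THRESHOLD = 6.0   # detection threshold for sim(); assumed value in the range Cox et al. suggest


def generate_watermark(length, rng):
    """Gaussian watermark sequence, one sample per marked coefficient."""
    return [rng.gauss(0.0, 1.0) for _ in range(length)]


def embed(x, w, alpha=ALPHA):
    """Multiplicative embedding x_i * (1 + alpha * w_i) on the coefficients chosen for marking."""
    return [xi * (1.0 + alpha * wi) for xi, wi in zip(x, w)]


def extract(x, y, alpha=ALPHA):
    """Non-blind extraction: the seller keeps the original coefficients x."""
    return [(yi - xi) / (alpha * xi) for xi, yi in zip(x, y)]


def similarity(u, v):
    """Cox et al. similarity measure: (u . v) / sqrt(v . v)."""
    dot = sum(ui * vi for ui, vi in zip(u, v))
    return dot / math.sqrt(sum(vi * vi for vi in v))


def search_sales_record(u, sales_table, threshold=THRESHOLD):
    """Return (transaction id, score) for the record whose V correlates best with U above
    the threshold, or None when no record matches: this is the seller's Table_A search."""
    best = None
    for tx_id, record in sales_table.items():
        score = similarity(u, record["V"])
        if score >= threshold and (best is None or score > best[1]):
            best = (tx_id, score)
    return best


def judge_compare(u, w, threshold=THRESHOLD):
    """The judge's check: does the buyer-specific watermark W correlate highly with U?"""
    return similarity(u, w) >= threshold


def demo(seed=7, n=1024):
    """Three constructed transactions; the copy sold in tx-0001 is redistributed with mild noise."""
    rng = random.Random(seed)
    x = [rng.uniform(50.0, 200.0) for _ in range(n)]   # constructed cover coefficients
    sales_table = {}
    copies = {}
    for i in range(3):
        tx_id = "tx-%04d" % i                           # constructed transaction id
        v = generate_watermark(n, rng)                  # Alice's search key V
        w = generate_watermark(n, rng)                  # composite watermark W for this buyer
        sales_table[tx_id] = {"V": v, "W": w}
        copies[tx_id] = embed(embed(x, v), w)           # X' carries both V and W
    # Pirated copy Y: tx-0001's content after 2% multiplicative noise (constructed attack noise).
    pirated = [yi * (1.0 + rng.gauss(0.0, 0.02)) for yi in copies["tx-0001"]]
    u = extract(x, pirated)                             # U extracted from Y
    hit = search_sales_record(u, sales_table)           # step 1: correlate U with every V
    guilty = hit is not None and judge_compare(u, sales_table[hit[0]]["W"])
    innocent_flagged = judge_compare(u, sales_table["tx-0002"]["W"])  # an unrelated buyer's W
    return {
        "identified": hit[0] if hit else None,          # "tx-0001"
        "guilty": guilty,                               # True
        "innocent_flagged": innocent_flagged,           # False
    }


if __name__ == "__main__":
    print(demo())
```

With $n$ marked coefficients the similarity of $U$ with the correct $V$ grows like $\sqrt{n}$ while the similarity with an unrelated watermark stays of order one, so a fixed threshold separates the two; the judge's step reuses the same test against the buyer's $W$, which is what lets an innocent buyer with a different $W$ be cleared.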

Security Analysis
In this section, we analyze the security properties of the proposed scheme. The soundness and completeness of the protocol rely on the security and robustness of the underlying cryptographic and watermarking primitives. (Bellare et al., 2005), it is computationally infeasible for an adversary not in possession of the opener's opening key $ok$ to recover the identity of the signer from its signature. Note that the CA is trustworthy; otherwise the group signature scheme would not be secure. In case of disputes, Alice collects the transaction information and sends , has bought the product $X$, but it doesn't disclose the identity of Bob. Only when Bob is adjudicated to be guilty can the judge send a legal order for the CA to recover Bob's identity. Therefore, Bob's anonymity is not revoked by the CA until he is adjudicated to be guilty.
7. Unlinkability. Unlinkability is provided in the proposed protocol because of the unlinkability property of the underlying group signature and Bob's one-time key pair $(pk_B^*, sk_B^*)$. Given the list of sales information, no one can relate two transactions as coming from the same buyer.
8. Mutual authentication. Man-in-the-middle attacks on the protocol are infeasible. First, the PKI is well deployed to ensure mutual authentication between entities, which is the basic requirement of a secure protocol. Second, all messages are transferred over a secure communication channel, such that eavesdropping is infeasible.

Conclusion
In this paper, we present attacks on two buyer-seller watermarking protocols proposed by Lei et al. (Lei et al., 2004) and Ibrahim et al. (Ibrahim et al., 2007), and prove that neither of these protocols is able to provide security for the buyer or the seller as claimed. Further, we point out that neither protocol works properly when employing homomorphic probabilistic cryptosystems. We also address the anonymity and unlinkability problems in these protocols. We propose an improved protocol, which is secure and fair for both the seller and the buyer. Our protocol employs privacy homomorphic cryptosystems and group signature schemes in order to protect the secrets of the buyer and the seller, and to preserve revocable anonymity of the buyer. Compared with earlier work, our scheme is able to provide all the required security properties of a secure and anonymous buyer-seller watermarking protocol, namely non-framing, non-repudiation, traceability, mutual authentication, dispute resolution, anonymity and unlinkability.

Acknowledgment
The work reported here has been funded in part by the European Community's Sixth Framework Programme under grant number 034238, SPEED project - Signal Processing in the Encrypted Domain. The work reported reflects only the authors' views; the European Community is not liable for any use that may be made of the information contained herein. This work was also supported in part by the Concerted Research Action (GOA) AMBioRICS 2005/11 of the Flemish Government, and by the IAP Programme P6/26 BCRYPT of the Belgian State (Belgian Science Policy).
Bart Preneel received a Master's Degree in electrical engineering and the Doctorate in applied sciences (cryptology) from the Katholieke Universiteit Leuven (Belgium) in 1987 and 1993 respectively. He is currently full professor at the Katholieke Universiteit Leuven. He was visiting professor at five universities in Europe and was a research fellow at the University of California at Berkeley. He has authored and co-authored more than 200 reviewed scientific publications and is the inventor of two patents. His main research interests are cryptography and information security.
Prof. Preneel is president of the IACR (International Association for Cryptologic Research) and of L-SEC vzw. (Leuven Security Excellence Consortium), an association of 60 companies and research institutions in the area of e-security. He is a member of the Editorial Board of the Journal of Cryptology, the IEEE Transactions on Forensics and Information Security, and the International Journal of Information and Computer Security. He has participated in more than 20 research projects sponsored by the European Commission, for four of these as project manager. He has been program chair of ten international conferences (including Eurocrypt 2000, SAC 2005 and ISC 2006) and has been an invited speaker at more than 30 conferences. In 2003, he received the European Information Security Award in the area of academic research, and he received an honorary Certified Information Security Manager (CISM) designation from the Information Systems Audit and Control Association (ISACA).