A Buyer-Seller Watermarking Protocol - CiteSeerX

16 downloads 11410 Views 156KB Size Report
Digital watermarks have recently been proposed for the purposes of copy protec- ..... certification authorities signature to ensure the validity of the encrypted ...
A Buyer-Seller Watermarking Protocol Nasir Memon∗ Polytechnic University

Ping Wah Wong Apalo.com

Abstract Digital watermarks have recently been proposed for the purposes of copy protection and copy deterrence for multimedia content. In copy deterrence, a content owner (seller) inserts a unique watermark into a copy of the content before it is sold to a buyer. If the buyer sells unauthorized copies of the watermarked content, then these copies can be traced to the unlawful reseller (original buyer) using a watermark detection algorithm. One problem with such an approach is that the original buyer whose watermark has been found on unauthorized copies can claim that the unauthorized copy was created or caused (for example, by a security breach) by the original seller. In this paper we propose an interactive buyer-seller protocol for invisible watermarking in which the seller does not get to know the exact watermarked copy that the buyer receives. Hence the seller cannot create copies of the original content containing the buyer’s watermark. In cases where the seller finds an unauthorized copy, the seller can identify the buyer from a watermark in the unauthorized copy, and furthermore the seller can prove this fact to a third party using a dispute resolution protocol. This prevents the buyer from claiming that an unauthorized copy may have originated from the seller.



N. Memon was partially supported by NSF Grant NCR-9996145.

1

1

Introduction

Recent years have seen a rapid growth in the availability of multimedia content in digital form. Given the ease by which content in digital form can be duplicated there has been an increasing interest in developing copy protection or copy deterrence mechanisms. Digital watermarks represent one particular approach that have been proposed for solving these problems [14, 22]. A watermark is a secret key dependent signal added to digital data (namely audio, video or an image) which can later be extracted or detected to make an assertion about the data. In general, the watermark could be visible or invisible1 . A visible watermark typically contains a conspicuously visible message or a company logo indicating the ownership of the image. On the other hand, invisibly watermarked content appears perceptually identical to the original. The existence of an invisible watermark can only be determined using an appropriate watermark extraction or detection algorithm. In this paper we restrict our attention to invisible watermarks. For some excellent and recent reviews on invisible watermarking techniques the reader is referred to [5, 10, 21] Invisible watermarks can potentially be used for both copy protection and copy deterrence applications. For an example of a copy protection application, consider a closed system where the multimedia content needs special hardware for copying and/or viewing. An invisible watermark can be inserted into this content indicating the number of copies, if any, that will be permitted by the hardware. Every time a copy is made the watermark can be modified by the hardware and after a point the hardware would not create further copies of the data. An example of such a system is being standardized for the second generation Digital Video Disc (DVD) [1, 13]. Copy deterrence, on the other hand, is achieved by a mechanism that can trace unauthorized copies to the original owner of the content. For example, in applications where multimedia content is electronically distributed over a network, the content owner can em1

In a strict sense this terminology is incorrect when watermarking other forms of multimedia data such as sound clips. We say “visible” and “invisible” when in a wider sense we mean “perceptible” and “imperceptible” respectively.

2

bed a distinct watermark, (a fingerprint), in each copy of the data that is distributed. If, at a later point in time, unauthorized copies of the data are found, then the origin of the copy can be determined by retrieving the unique watermark corresponding to each buyer. This discourages unauthorized duplication and distribution. For such a scheme to work, the watermark clearly needs to be invulnerable against deliberate attempts to forge, remove or invalidate. One problem, first identified in [17], with traditional watermarking based fingerprinting techniques is that the watermark is inserted solely by the seller. A buyer whose watermark has been found in unauthorized copies can claim that the unauthorized copy was created by the seller! This could be done for example, by a malicious seller who may be interested in framing the buyer. It could also be possible when the seller is not the original owner but a reselling agent who could potentially benefit from making unauthorized copies [17]. Finally, even if the seller was not malicious, an unauthorized copy containing the buyers fingerprint could have originated from a security breach in the sellers system and not from the buyer. In order to deal with this problem, Qian and Nahrstedt [17] propose a owner-customer watermarking protocol. In this scheme, a customer supplies the owner with an encrypted version of a pre-determined and fixed bit-sequence. Upon receiving this, the owner embeds the encrypted sequence into the image using an invisible watermarking algorithm. This watermarked copy is then transmitted to the buyer. Since only the buyer knows the decryption key, he can prove to a third party the legitimate ownership of the copy in his possession. However, the protocol does not solve the problem of irrevocably binding the customer the specific copy sold to him and holding him responsible for any unauthorized copies of the same found in the market. This is because, as with traditional fingerprinting, the owner knows the exact copy in each buyers possession and the buyer can claim as mentioned above that an unauthorized copy was created by the seller or caused by a security breach in the sellers system. In this paper we propose an interactive buyer-seller protocol for invisible watermarking

3

in which the seller does not get to know the exact watermarked copy that the buyer receives. Hence the seller cannot create copies of the original content containing the buyers watermark. However, in case the seller finds an unauthorized copy, she can identify the buyer from whom this unauthorized copy has originated and furthermore also prove this fact to a third party by means of dispute resolution protocol. Hence, the buyer cannot claim that an unauthorized copy may have originated from the seller. The watermark embedding protocol is based on public key cryptography and has little overhead in terms of the total data communicated between the buyer and the seller. The dispute resolution protocol is a 3-party protocol and requires the buyer to participate in order to prove his innocence in case the seller accuses him of making unauthorized copies. If a buyer refuses to participate then this would be taken as an admission of guilt on the part of the buyer. The rest of this paper is organized as follows: in the next section we first give a general description of our protocol which is followed by an explicit construction in section 3. In section four we discuss possible attacks. In section five we conclude and discuss future avenues of research.

2

The Buyer-Seller Watermarking Protocol

Before we describe the watermarking protocol in detail, we first establish some notation, introduce some terminology, and state certain assumptions. For ease of exposition we assume that the content being sold is a still image, though in general the protocol is also applicable to audio and video data. We view an image X to be a vector of “features” X = {x1 , x2 , . . . , xn } and the watermark as a vector of “watermark elements” W = {w1 , w2 , . . . , wm } with n ≥ m. We restrict our attention to linear watermarking techniques where the watermarking insertion step can be represented as: X0 = X ⊕ W

4

(1)

where X 0 is the watermarked image, X is the original image, W is the watermark information being embedded, and ⊕ is the insertion operation. By X ⊕ W we mean X ⊕ W = {x1 ⊕ w1 , . . . , xm ⊕ wm , xm+1 , . . . , xn }.

(2)

We assume the existence of a public key cryptosystem that is a privacy homomorphism with respect to the binary operator ⊕. By privacy homomorphism with respect to ⊕ we mean it has the property that EK (a ⊕ b) = EK (a) ⊕ EK (b)

(3)

for every a and b in the message space. Here EK (·) is the encryption function and K is the public (encryption) key. For example, the well known RSA public key cryptosystem [18] is a privacy homomorphism with respect to multiplication [20]. A public key encryption function that is a privacy homomorphism with respect to addition is given in [3]. The Buyer-Seller watermarking protocol that we present in this section has four subprotocols as shown in Figure 1: Watermark generation protocol, Watermark insertion protocol, Copyright violation detection protocol and Dispute resolution protocol. In our presentation of the protocol we assume that Alice is the agent selling the content and Bob is the buyer. We assume that Alice and Bob have public keys KA and KB respectively, and the corresponding private keys KA0 and KB0 , all of which have been registered with appropriate certification authorities. Finally, we assume there is a trusted watermark certification authority who generates random watermarks in the required manner and issues them to any user upon request. For clarity of exposition, we first describe our buyer-seller watermarking protocol assuming the watermark certification authority is memoryless and does not maliciously or otherwise keep track of the different watermarks issued to different users. Later, we discuss how this assumption can be weakened. We now describe the four sub-protocols in general terms.

5

2.1

Watermark generation protocol

Bob sends a certification of his identity and his public key to the trusted watermark certification authority C and requests a valid watermark. The watermark certification authority, after establishing Bob’s credentials, generates a random but valid watermark W and sends to Bob EKB (W ), the watermark encrypted with Bob’s public key, along with a digital signature SignC (EKB (W )) that certifies the validity of the watermark. Note that by EKB (W ) we mean EKB (W ) = EKB ({w1 , w2 , . . . , wn }) = {EKB (w1 ), EKB (w2 ), EKB (wn )}.

(4)

That is, each of the individual elements of the watermark W are encrypted as separate messages but with the same key.

2.2

Watermark insertion protocol

This is a 2-party protocol between Alice and Bob which proceeds as follows: 1. Bob sends to Alice the encrypted watermark, EKB (W ), along with the signature SignC (EKB (W )) of the certification authority C. Alice verifies SignC (EKB (W )) in order to be assured that EKB (W ) is indeed a valid watermark generated by C. 2. Let X denote the image that Bob wishes to purchase from Alice. Alice generates a unique watermark for this transaction, V , which she inserts into the image X to get the watermarked image X 0 . Note that in this step Alice is free to use any watermarking scheme of her choosing, public or private, spatial domain or transform domain, linear or non-linear. The sole purpose of the watermark V is to enable Alice to identify the specific user an illegal copy has potentially arisen from. That is, V is not the watermark the Alice will use to prove that Bob has made illegal copies of an image. 3. Alice then generates a random permutation σ of degree m which she uses to permute the elements of the encrypted watermark EKB (W ) received from Bob. In other words, Alice computes σ(EKB (W )) = EKB (σ(W )). 6

(5)

The above is true as EKB (W ) is of the form {EKB (w1 ), EKB (w2 ), EKB (wn )} and permuting first and encrypting later gives you the same result as encrypting first and permuting later. 4. Alice inserts the permuted watermark obtained above as a second watermark into the already watermarked image X 0 . Since the watermark received from Bob is encrypted with Bob’s public key KB , Alice inserts this second watermark in the encrypted domain also using KB which is known to her. Inserting a watermark in the encrypted domain is possible as we assume that the public-key cryptosystem being used is a privacy homomorphism with respect to ⊕, the operation that inserts a watermark in the image. That is, Alice computes ˆ = EK (X 0 ) ⊕ EK (σ(W )) = EK (X 0 ⊕ σ(W )). EKB (X) B B B

(6)

ˆ to Bob. Alice then transmits EKB (X) 5. Alice stores ID of Bob, EKB (W ), V, SignC (EKB (W )) and σ in TableX . TableX is a table of records maintained by Alice for image X containing one entry for each copy of X that she sells. The table contains the identity of the buyer, the unique watermark V known only to her that corresponds to the particular buyer, the encrypted watermark EKB (W ) which she received from the buyer along with the certificate authorities signature SignC (EKB (W )) attesting the validity of the watermark, and finally the permutation σ that she used to permute the encrypted watermark before inserting into the copy which was sold to the buyer. ˆ That 6. Bob decrypts the data he receives from Alice to obtain a watermarked image X. is Bob computes ˆ =X ˆ = X 0 ⊕ σ(W ) DKB0 (EKB (X))

(7)

where KB0 is the private decryption key corresponding to the public encryption key ˆ of X KB and D(·) is the decryption function. Now Bob has a watermarked copy X 7

that Alice cannot reproduce since she does not know the corresponding private key ˆ even though he KB0 . Also, since Bob does not know σ he cannot remove σ(W ) from X knows W . Neither can he remove V which is also unknown to him.

2.3

Copyright violater identification protocol

On discovering an unauthorized copy of X, say Y , Alice can determine the buyer from whom this copy has originated by detecting the unique watermark that she inserted for each buyer. This is done by means of a watermark extraction function D which takes Y , and depending on the watermarking technique, X as inputs. Let U denote the watermark that is returned by the watermark extraction function D(X, Y ). Using this extracted watermark U Alice then locates the buyer in TableX to whom Y was sold. The exact mechanism for locating the buyer in TableX depends on the watermarking technique used. For robust watermarks this would generally be accomplished by correlating U with every watermark V in TableX and selecting the one with the highest correlation beyond a confidence threshold. Once this V is located in TableX , Alice reads the Buyer ID field to obtain the identification of the buyer from whom this copy has originated. If U cannot be matched to any watermark V in TableX , then the protocol returns failure.

2.4

Dispute resolution protocol

In case Bob denies that an unauthorized copy Y has originated from his version of the image, Alice can reveal σ and EKB (W ) and SignC (EKB (W )) to the judge. The judge first verifies SignC (EKB (W )). He would then ask Bob for his private key DB using which he can compute W and check for the presence of σ(W ) in Y . Actually, Bob need not reveal his private key, as this is undesirable. He could just reveal (W ) to the judge by decrypting EKB (W ). The judge could then verify W by encrypting it with Bob’s public key and checking if it equals to EKB (W ). After verifying W , the judge can then run the watermark extraction algorithm on Y and check if σ(W ) is indeed present in Y . If σ(W ) is found in Y , Bob is found guilty otherwise 8

Bob is innocent. Note that the dispute resolution protocol is a 3-party protocol. Bob has to take part in the protocol by revealing W to the judge.

3

An example construction

In the previous section we gave a general description of the buyer-seller watermarking protocol where we assumed the existence of appropriate watermarking and encryption techniques such that the watermark could be inserted in the encrypted domain. In this section we give a specific construction which uses a spread-spectrum watermarking techniques proposed by Cox et al [4] along with the RSA cryptosystem [18]. Cox et al [4] embed a set of independent real numbers W = {w1 , w2 , . . . wm } drawn from a zero mean, variance 1, Gaussian distribution into the m largest DCT AC coefficients of an image. Results reported using the largest 1000 AC coefficients show the technique to be remarkably robust against various image processing operations, and also after printing and re-scanning. Specifically, they take the 2-dimensional DCT of an image X and the watermark W is inserted into the largest m AC coefficients {x1 , x2 , . . . , xm } by a suitable insertion formula to yield modified coefficients {x01 , x02 , . . . , x0m }. For example, the insertion formula used could be x0i = xi (1 + αwi ) where α is a small constant. An inverse 2D DCT is then taken, yielding the watermarked image X 0 . To determine if a given image Y contains the watermark W , the decoder extracts T = {t1 , t2 , · · · tm } from Y by taking the largest m DCT AC coefficients of Y and subtracting their value from xi . That is, t i = xi − y i .

(8)

The confidence measure on the presence of the watermark W in Y is taken to be the correlation between W and T . Watermark detection can also be done without using the original image in the process [24], but then the robustness of the technique is diminished.

9

The above watermarking technique can be used along with the well known RSA public key system to provide a specific construction of the general buyer-seller protocol described in the previous section. The RSA crytosystem operates in Zn where n is a product of two very large primes p and q. A message x is then encrypted as y = Ea (x) = xa mod n

(9)

where a is the public encryption key and the corresponding decryption function is x = Db (y) = y b mod n

(10)

where b is the private decryption key. In the context of the proposed buyer-seller watermarking protocol, the watermark generation step consists of the watermark certification authority constructing a watermark W for Bob by using M randomly chosen samples from a zero mean, variance 1, Gaussian distribution.

For a practical implementation, the samples would be truncated to

some fixed precision, say 64 bits. They would then be used to generate the watermark W = {(1 + α · w1 ), . . . , (1 + α · wm )} and encrypting them, element by element, with Bob’s public key. This encrypted watermark vector EB (W ) along with its signature is transmitted to Bob who may keep a copy of it before transmitting it along to Alice. Alice can verify the certification authorities signature to ensure the validity of the encrypted watermark vector she has received. Alice then inserts her own watermark V into the original image X to get X 0 . As we mentioned before, V could be based on any watermarking technique of her choice. She then permutes the elements of EB (W ) and embeds them into the N largest AC coefficients by computing ˆ = EB (X 0 ) · σ(EB (W )) = EB (X 0 ) · (EB (σW )) = EB (X 0 · σW ). X

(11)

Since the RSA cryptosystem has the property that E(x) · E(y) = E(xy) the watermark W gets embedded into the image in the encrypted domain. Here again, each DCT coefficient can be represented with some fixed precision, say 64 bits. In order for Bob to be able to 10

recover xy we have to select the modulus n of RSA to be large enough such that xy < n. Hence if W and X have 64 bit precision then n should be at least 128 bits. But this is not a problem in practice, n is usually 512 or 1024 bits. Alice transmits this encrypted and doubly watermarked image to Bob who can decrypt and then compute an inverse DCT to get his unique watermarked copy. It is easy to see that since Alice has permuted the elements of W , Bob cannot remove W from his copy although he is the only party (aside from the watermark certification authority which we assumed is memoryless) that knows W . Also, Alice can only compute an encrypted version of Bobs unique copy which is useless as she cannot decrypt and distribute to falsely frame Bob. In the case of a dispute Alice takes the evidence listed in the previous section to the judge who can determine whether an unauthorized copy belongs to Bob. Although we have presented in this section an example implementation that uses a spreadspectrum watermarking technique and the RSA cryptosystem, similar examples can be constructed using other techniques. The above framework, for example, also holds for any additive technique (in the spatial or transform domain) and an appropriate public key cryptographic system that is a privacy homomorphism with respect to the addition operation. In a conference paper [15], the authors used the El-Gamal cryptosystem [20] and a spatial domain amplitude modulation watermarking technique [11] to provide another implementation. It was subsequently brought to our notice that the El-Gamal cryptosystem is not a privacy homomorphism with respect to addition [8]. However, there exist other public key encryption systems that are privacy homomorphisms with respect to addition [3] and can be used instead. We omit a detailed description of such an implementation as it would provide no new insight to the basic framework presented in the previous section.

11

4

Discussion - Attacks, Weaknesses and Countermeasures

The security of proposed protocol relies critically on the security of the underlying watermarking and encryption techniques used in the specific construction. The encryption technique we have used, the RSA cryptosystem is a mature and well studied technique that is believed to be secure if properly used [20]. Watermarking techniques, on the other hand, are a relatively new phenomenon and their ability to withstand attacks is still under question [7, 16]. However, there are many robust watermarking techniques that have been developed in the past few years. See, for example, [4, 9, 23, 25]. Among them, the Cox. et. al. scheme used in the previous section is one of the best known and has been shown to be remarkably robust against common image processing attacks and even several cycles of analog to digital conversions. The robustness of the scheme critically relies on the availability of the original image which can be used to undo operations like scaling, cropping, rotations etc. prior to watermark detection. Hence the protocol we propose is secure only as much as the underlying watermarking techniques are secure and robust. Nevertheless, it should be noted that our protocol does not critically make use of the properties of any one particular watermarking technique. As long as the watermark is linear (in the transform or spatial domain), it can be used in conjunction with an appropriate cryptosystem which is a privacy homomorphism with respect to the insertion operation. Hence, if a better watermarking technique is discovered, it could be readily used in the proposed protocol. Note that the proposed protocol does not require the watermarking technique to be either public or private. Either type of technique can be used. However, private watermarking techniques typically are much more robust than their public counterparts as the original image can be used to undo many image processing operations like scaling, cropping and rotation[2, 12]. Hence, it is expected that the watermark W would be inserted using a private technique. Having said that, let us examine the protocol itself and different ways in which a malicious 12

participant or observer may attempt to circumvent it. We do this by examining each of the four sub-protocols individually.

4.1

Watermark generation protocol

Here, Bob requests and obtains an encrypted and signed watermark from a trusted watermark certification authority. If the encryption and digital signature techniques used are secure, and the underlying Public Key Infrastructure (PKI) enables the watermark certification authority to reliably verify Bob’s identity then there is no way Bob could change or substitute the watermark. Furthermore, inclusion of a time stamp along with information about the transaction would prevent Bob from replacing the watermark with an older one he may have obtained previously from the watermark certification authority. It should also be noted that since the different watermark elements are being encrypted individually, the precision with which the watermark is being represented can have significant impact on the security of the encryption. For example if each watermark element has 32 bits of precision then Alice (the seller) can exhaustively try all 232 possible watermark elements and completely determine W . Hence each element in W must at least have 64 bits of precision (preferably 128) to make such brute force attacks infeasible.

4.2

Watermark insertion protocol

Here, Alice first inserts a watermark V which she can later use to determine the source of an illegal copy. Clearly, it is against her own interest not to perform this step in the right manner as she will not be able to identify the source of an illegal copy. In the second step, she inserts σ(WB ) into X 0 . Again, it is against her interest not to perform this step in the proper manner. For instance, she could insert another watermark in X 0 instead of σ(WB ). Specifically, she could use a watermark obtained from another user obtained from a prior transaction. This serves no purpose as it would result in a severely corrupted image when Bob decrypts the encrypted watermarked image with his own key. This is because the watermark and the image would have been encrypted with different keys. Alice could also 13

use a watermark obtained from Bob, but from a prior transaction. This, however, would be revealed during the dispute resolution protocol and as a result Alice will no longer be able to prove to an adjudicator that Bob has made illegal copies. This is against her interest. Also, since the watermark W sent to her by Bob is encrypted, she has no way of gleaning any information about it as long as the underlying encryption scheme is secure.

4.3

Copyright violator identification

This protocol is run by Alice to check the identity of the buyer from whom an unauthorized copy has originated. At this point she could try and find another watermark inserted into the copy of another buyer, say Trevor, that is declared present in the image by the watermark detection function. That is, a false positive. In this case Alice could conceivably hold Trevor responsible for the illegal copy. However, since the different watermarks inserted into different copies of the content have been generated randomly by the watermark certification authority, they are uncorrelated and it is highly unlikely that Alice would detect a false positive in the relatively small number of instances which she has at her disposal to try. This is especially difficult as she has no knowledge about the watermark inserted in Trevor’s copy and has seen it only in the encrypted form. Another interesting issue is the fact that if Alice obtains a copy of the image sold to Bob, that is I + V + σ(W ), she can compute W as she knows I, V and , σ. However, this really is of no use to her as now that she has a copy of the image sold to Bob she can in any case make as many copies of it as she wants, whether she knows W or not. Removing σ(W ) also is of no use as she already knows I + V . Nor can she embed W in another image with malicious intent as W is bound to the specific transaction between Alice and Bob by the signed message she receives from the watermarking authority which she has to produce in case of dispute resolution.

14

4.4

Dispute resolution protocol

Here Alice takes evidence to the Judge that incriminates Bob for copyright violation. So the question arises, can Alice fabricate evidence? The answer is no. As she does not know W she is unable to do this. Bob on the other hand can refuse to co-operate, but as we said before, this would be taken as an admission of guilt. For example, when the Judge asks Bob for W , Bob can send some random watermark T instead. However, Alice has presented the Judge with a signed and encrypted copy of W and this would not match with EB (T ). If the watermark certification authority is to be trusted Bob would be considered the culprit.

4.5

Watermark certification authority

Perhaps the most undesirable feature of the proposed protocol is the requirement of a watermark certification authority C who generates valid watermarks upon request, and sends them along with a time-stamp and a digital signature. However, given the current structure of the proposed protocol, the watermark W needs to originate from a third party. Otherwise, Bob could generate a maliciously designed watermark that would be approximately invariant to permutation and send this to Alice. Since Alice only sees the encrypted watermark she is unable to tell the difference between a valid watermark and an invalid watermark. A simple way of avoiding this problem is to originate the watermark from an independent and trusted third party. The practice of using a trusted third party is actually quite common in cryptographic protocols where keys are often obtained from trusted key distribution centers. However, placing complete trust in a single source is still undesirable. For example, if Alice and C collude then they can frame Bob. Similarly if Bob and C collude then they can cheat Alice. However, C by itself cannot cheat as it knows only W and not σ, just as Bob. Nevertheless, the requirement of a trusted watermark certification authority can indeed be reduced by using some sophisticated tools from cryptography, like oblivious transfers and blind signatures. Discussion of these mechanisms would take us far out of the scope of the current paper and would take away from the simplicity of the proposed technique. 15

Another undesirable consequence of the fact that the watermark is generated by the watermark certification authority is that it is not possible to “shape” the watermark to the given image in order to make it perceptually imperceptible. This inherently restricts the “strength” of the watermark signal which in turn effects the robustness of the underlying watermarking technique. However, a technique like the NEC scheme already shapes the watermark to a limited extent by embedding it only in, say, the first 1000 AC coefficients of the image.

5

Conclusions

In this paper we have presented a interactive buyer-seller protocol for invisible watermarking in which the seller does not get to know the exact watermarked copy that the buyer receives. Hence the seller cannot create copies of the original content containing the buyers watermark. However, in case the seller finds an unauthorized copy, she can identify the buyer from whom this unauthorized copy has originated and furthermore also prove this fact to a third party by means of dispute resolution protocol. Hence, the buyer cannot claim that an unauthorized copy may have originated from the seller. The watermark embedding protocol is based on public key cryptography and has little overhead in terms of the total data communicated between the buyer and the seller. Furthermore, the protocol we have presented is quite general and can be used with different watermarking techniques and appropriate public key encryption techniques.

References [1] J. Bloom et. al., “Copy protection for DVD video,” IEEE Proceedings, vol. 87, No. 7, pp 1267-1276, July 1999. [2] G. W. Braudaway, F. C. Mintzer, “Automatic recovery of invisible image watermarks from geometrically distorted images,” Security and Watermarking of Multimedia Contents II, SPIE Proceedings, 3971-06, February 2000. 16

[3] Josh D. Cohen and Michael J. Fischer. “A robust and verifiable cryptographically secure election scheme (extended abstract)”. In 26th Annual Symposium on Foundations of Computer Science, pages 372-382, Portland, Oregon, 21-23 October 1985. IEEE. [4] I. J. Cox, J. Kilian, T. Leighton, and T. Shamoon, “Secure spread spectrum watermarking for multimedia,” IEEE Transactions on Image Processing, vol. 6, no. 12, pp. 1673–1687, 1997. [5] I. J. Cox and M. L. Miller. A review of watermarking and the importance of perceptual modeling. In Proceedings, SPIE Human Vision and Electronic Imaging II, volume SPIE Vol. 3016, February 1997. [6] I. J. Cox and J.-P. M. G. Linnartz, “Some general methods for tampering with watermarks,” in IEEE Journal on Selected Areas in Communications 16, no. 4, pp. 587–593, May 1998. [7] S. Craver, B. L. Yeo and M. Yeung, “Technical trials and legal tribulations,” Commun. ACM, 4, no. 7, pp. 44-54, July 1998. [8] K. Gopalakrishnan. Private communication. [9] F. Hartung and B. Girod. “Digital watermarking of uncompressed and compressed video,” Signal Processing, vol. 66, no. 3, pp. 283-301, May 1998. [10] F. Hartung and M. Kutter, “Multimedia Watermarking Techniques,” IEEE Proceedings, vol. 87, No. 7, pp 1079-1107, July 1999. [11] J. R. Hernandez, F. Perez-Gonzalez, J. M. Rodriguez and G. Nieto, Performance Analysis of a 2-D Multipulse Amplitude Modulation Scheme for Data Hiding and Watermarking of Still Images. IEEE Journal on Selected Areas of Communication, 16:4, 510-524, May 1998.

17

[12] Neil F.Johnson, Zoran Duric and Sushil Jajodia, “ Recovery of Watermarks from Distorted Images,” Proceedings of the Third Information Hiding Workshop, - Dresden, Germany - October 1999. [13] T. Kalker, “Digital Video Watermarking for DVD Copy Protection,” In proceedings,Multimedia Archival and Storage, Photonics East, Boston, Sept. 1999. [14] N. Memon and P. W. Wong, “Protecting digital media content,” Communications of the ACM, 4, no. 7, pp. 11-24, July 1998. [15] N. Memon and P. W. Wong, “ A Buyer-Seller Watermarking Protocol Based on Amplitude Modulation and the El Gamal Public Key Crypto System,” Image and Multimedia Security, Electonic Imaging, Photonics West, SPIE Proceedings, San Jose, Jan 1999. [16] F. Petitcolas, R. Anderson and M. Kuhn. “Attacks on copyright marking systems”. In Information Hiding, @nd International Workshop, Lecture Notes in COmputer Science, Vol 1525, D. Aucsmith Ed., Berlin, Germany, Springer-Verlag, pp 218-238, 1998. [17] L. Qian and K. Nahrstedt, “Watermarking Schemes and Protocols for Protecting Rightfuk Ownership and Customer’s Rights,” Jounal of Visual Commun. and Image Rep., 9, no. 3, pp. 194-210, Sept. 98. [18] R. Rivest, A. Shamir and l. Adelman, “A method for obtaining digital signatures and public key cryptosystems,” Communications of the ACM, 21, pp. 120-126, 1978. [19] J. R. Smith and B. O. Comiskey. Modulation and Information Hiding in Images. In Proceedings of Internaitonal Waorkshop on Information Hiding, Cambridge, UK, May 1996 pp 39-48. [20] D. Stinson, Cryptography: Theory and Practice, CRC Press, 1995. [21] M. Swanson, M. Kobayashi, and A. Tewfik, “Multimedia Data Embedding and Watermarking Technologies,” IEEE Proceedings, vol. 86, No. 6, pp 1064-1087, June 1998. 18

[22] G. Voyatzis and I. Pitas, “The use of watermarks in the protection of digital multimedia products,” IEEE Proceedings, vol. 87, No. 7, pp 1197-1207, July 1999. [23] R. Wolfgang, C. Podilchuk and E. Delp, “Perceptual watermarks for digital images and video ,” IEEE Proceedings, vol. 87, No. 7, pp 1108-1126, July 1999. [24] W. Zeng and B. Liu, ”A statistical watermark detection technique without using original images for resolving rightful ownerships of digital images,” IEEE Trans. Image Processing, vol. 8, no. 11, pp. 1534-1548, Nov. 1999 [25] J. Zhao and E. Koch, “Embedding Robust Labels into images for Copyright Protection,” Intellectual Property Rights and New Technologies, Proceedings of the KnowRight’95 Conference 1995, pp. 242–51.

19

Bob

Alice

Alice

Watermark Generation Protocol

Watermark Insertion Protocol

Watermark Certification Authority

Bob

Copyright Violator Identification Protocol

Judge Alice

Dispute Resolution Protocol

Bob

Figure 1: The Four sub-protocols that comprise the Buyer-Seller Watermarking Protocol

Captions Figure 1: The Four sub-protocols that comprise the Buyer-Seller Watermarking Protocol

Nasir Memon received his M. S. and Ph.D. from the University of Nebraska in 1989 and 1992 respectively. He was an Assistant Professor of Computer Science at Arkansas State University from Aug 1992 to July 1994 and at Northern Illinois University from 1994 to 1998. He is currently an Associate Professor in the Computer Science department at Polytechnic University, New York. He was a visiting Faculty at HP Labs Palo-Alto from August 1997 to July 1998 and From June to August 1999. Prof. Memon’s research interests include Data Compression, Data Encryption, Image Processing, Multimedia Content Protection and Multimedia Communication and Computing. He has published more than 100 articles in journals and conference proceedings and holds two patents in image compression. He was actively involved in the formation of a new international standard on lossless image compression, called JPEG-LS. He has been the principal investigator on funded research projects from HP, Intel, Panasonic, Mitsubishi and Sun Microsystems. In 1996 he received an NSF CAREER award for research in lossless image compression. He has organized and chaired many sessions in international conferences and is currently an associate editor for the IEEE Transactions on Image processing. Ping Wah Wong Ping Wah Wong received the B.Sc.(Eng.) degree from the University of Hong Kong in 1977, the M.S.E.E. degree from the University of Michigan-Dearborn in 1985, and the Ph.D. degree from Stanford University in 1989. From 1977 to 1981, he was with Coronet Industries Limited, Hong Kong where he designed radio frequency circuits and digital tuning systems. From 1981 to 1983, he worked on an automatic train control system at Mass Transit Railways Corporation, Hong Kong. From 1989 to 1992, he was an Assistant Professor at the Department of Electrical and Computer Engineering, Clarkson University, Potsdam NY. From 1992 to 1999, he was been with Hewlett-Packard Company, first with HP Laboratories where he was Project Manager in Halftoning and Image Processing, and then Manager with Internet Imaging Operation of HP responsible for imaging server/client software. He co-founded IDzap LLC in 1999

that provides anonymous web services. He co-founded Apalo.com in 2000 to provide digital photo services in Hong Kong. His interests are in digital signal processing, data security, compression, and communications. Dr. Wong was an Associate Editor for IEEE Transactions on Image Processing from 1995 to 1997. He is now an Associate Editor for Journal on Electronic Imaging. He has been a co-chair of the Conference on Security and Watermarking of Multimedia Contents at the SPIE/IS&T Symposium on Electronic Imaging since 1999. He is a Senior Member of IEEE.