A Provably Secure Anonymous Buyer–Seller Watermarking Protocol


IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 5, NO. 4, DECEMBER 2010

A Provably Secure Anonymous Buyer–Seller Watermarking Protocol

Alfredo Rial, Mina Deng, Tiziano Bianchi, Member, IEEE, Alessandro Piva, Senior Member, IEEE, and Bart Preneel, Member, IEEE

Abstract—Buyer–seller watermarking (BSW) protocols allow copyright protection of digital content. The protocol is anonymous when the identity of buyers is not revealed if they do not release pirated copies. Existing BSW protocols are not provided with a formal analysis of their security properties. We employ the ideal-world/real-world paradigm to propose a formal security definition for copyright protection protocols, and we analyze an anonymous BSW protocol and prove that it fulfills our definition. Additionally, we implement the protocol and measure its efficiency.

Index Terms—Buyer–seller watermarking (BSW) protocol, ideal-world/real-world paradigm.

I. INTRODUCTION

THE rapid proliferation of computer networks facilitates the efficient distribution of multimedia content. However, it also eases the reproduction and the distribution of illegal copies. Therefore, the development of techniques that allow the protection of intellectual property rights in digital form is necessary. Moreover, privacy protection for both customers and content providers is an important concern. Encryption and digital watermarking are recognized as promising techniques for copyright protection. Encryption prevents unauthorized access to digital content. The limitation is that, once the content is decrypted, it does not prevent illegal replications by an authorized user. Digital watermarking [1], [2] is a technique that allows some information to be embedded into a digital content. As an application of watermarking, fingerprinting can be used to identify the content and to associate it to a customer. The fingerprint can be either an intrinsic feature of the content or some external information embedded into the content. At the algorithmic level, watermarking is the function that embeds this information, while fingerprinting refers to the complete protocol between seller and buyer.

Previous work. Fingerprinting schemes have been proposed to identify different kinds of digital content, such as documents [3], [4], images or videos [5]–[7], or computer programs [8]. A first improvement of fingerprinting techniques was the design of collusion-resistant schemes [9], [10], [6], i.e., schemes that tolerate a collusion of buyers up to a certain size by preventing colluding buyers, who compare their different copies, from creating a copy that cannot be traced back to one of the colluders. Traditional watermarking-based fingerprinting schemes assume that content providers are trustworthy, i.e., that they would never distribute content illegally and always perform the watermark embedding honestly. However, in practice, such assumptions are not fully established. This problem was first identified by Qian and Nahrstedt as the customer’s rights problem [11], where the watermark is generated and embedded solely by the content provider (or the seller). A customer (or a buyer) whose watermark has been found in unauthorized copies can claim that the pirated copy was created by the seller. This could be done, for instance, by a malicious seller who may be interested in framing the buyer. It could also be possible when the seller is not the original owner but a reselling agent who could potentially benefit from making unauthorized copies. Finally, even if the seller was not malicious, an unauthorized copy containing the buyer’s fingerprint could have originated from a security breach in the seller’s system and not from the buyer [11]. The owner–customer watermarking protocol proposed by Qian and Nahrstedt [11] tries to solve this problem as follows: the customer provides the owner with an encrypted predetermined bit-string, and the owner embeds the encrypted value using an invisible watermarking technique. Upon receiving the watermarked content delivered from the owner, the customer is able to prove to a third party the legitimate ownership of the copy in the customer’s possession, since only the buyer knows the decryption key.

Manuscript received April 01, 2010; revised August 03, 2010; accepted August 03, 2010. Date of publication September 02, 2010; date of current version November 17, 2010. This work was supported in part by the Italian Research Project (PRIN 2007): “Privacy aware processing of encrypted signals for treating sensitive information” and by the IAP Programme P6/26 BCRYPT of the Belgian State (Belgian Science Policy). The work of A. Rial was supported by the Research Foundation—Flanders (FWO). The associate editor coordinating the review of this manuscript and approving it for publication was Prof. Nasir Memon. A. Rial, M. Deng, and B. Preneel are with IBBT and the COSIC Group of Departement Elektrotechniek (ESAT), Katholieke Universiteit Leuven, B-3001 Leuven, Belgium (e-mail: [email protected]). T. Bianchi and A. Piva are with the Dipartimento di Elettronica e Telecomunicazioni, Università di Firenze, I-50139 Firenze, Italy (e-mail: [email protected]). Digital Object Identifier 10.1109/TIFS.2010.2072830
1556-6013/$26.00 © 2010 IEEE

The drawback of this protocol is that it does not solve the problem of irrevocably binding the customer to the specific copy sold to him, and holding the customer responsible for any unauthorized copies of the same found in the market. This is due to the problem of traditional symmetric fingerprinting schemes, where both buyer and seller know the copy that the buyer gets. In symmetric schemes, a malicious seller can release a pirated copy in order to frame an honest buyer, and a guilty buyer can repudiate the accusation of copyright infringement by invoking the possibility of being framed by the seller or of a security breach in the seller’s system. As a consequence, the watermark tracing mechanism is discredited. It is against this background that asymmetric schemes [12]–[14] were introduced, where only the buyer obtains the exact watermarked content, and hence the buyer cannot claim that a pirated copy originated from the seller. In the asymmetric fingerprinting protocol proposed by Pfitzmann and Schunter [12], the buyer chooses a secret and sends a commitment to the secret to the seller. Then buyer and seller execute a protocol at the end of which the buyer obtains a watermarked content with the buyer’s secret, while the seller does not get any information. Therefore, when the seller is able to provide the secret chosen by the buyer, it must be the case that he found a pirated copy, and thus the buyer is found guilty. In the aforementioned symmetric and asymmetric schemes, the buyer needs to be authenticated by the seller at each purchase. To protect buyers’ privacy, Pfitzmann and Waidner [13] introduced anonymous asymmetric schemes, where buyers remain anonymous as long as they do not release pirated copies. Buyers are required to register at a registration entity prior to any purchase and, if the seller finds a pirated copy, he can query this registration entity to revoke buyers’ anonymity. The first anonymous asymmetric schemes [15] require interaction with the buyer in case of dispute to find out whether the buyer was guilty or not. Pfitzmann and Sadeghi [16] and Camenisch [17] proposed schemes that allow direct nonrepudiation, where the seller, upon finding a pirated copy, possesses enough information to convince a third party of the buyer’s culpability. Combining encryption with digital watermarking, a buyer–seller watermarking (BSW) protocol is in fact an asymmetric fingerprinting protocol where the fingerprint is embedded by means of watermarking in the encrypted domain. The basic idea is that each buyer obtains a slightly different copy of the digital content offered by the seller. Such a difference, the watermark (or fingerprint), does not harm the perceptual quality of the digital content and cannot be easily removed by the buyer. Thanks to the latter property, when a malicious buyer redistributes a pirated copy, the seller can associate the pirated copy to its buyer by its embedded watermark.
On the other hand, a malicious seller cannot frame an honest buyer because the buyer’s watermark and the delivered watermarked content are unknown to the seller. Since the introduction of the concept by Memon and Wong [18], a number of BSW protocols have been proposed [19]–[23]. However, none of these proposals provides a formal security definition of the concept of BSW protocol, and therefore, none of them proves that the proposed protocol satisfies the required security properties.

Our contribution. The main contribution of our work is a formal security analysis of BSW protocols. We employ the ideal-world/real-world paradigm [24] to define security of anonymous BSW protocols. With respect to classical asymmetric fingerprinting schemes, which define each security property separately, this definition leads to the construction of protocols that are secure under composition. Our definition is general in the sense that it captures the security properties required for any copyright protection protocol that provides buyers with anonymity. Additionally, we define security for blind and readable watermarking schemes, and analyze the properties that watermarking schemes should provide for the construction of secure BSW protocols. We describe a slightly modified version of the BSW protocol proposed in [23], and we prove that this protocol fulfills our security definition. This protocol uses a blind and readable watermarking scheme and a homomorphic encryption scheme, a group signature scheme and several zero-knowledge proofs of knowledge as main cryptographic building blocks. We prove the security of the protocol when instantiated with any secure watermarking scheme and with any secure building blocks. In Part II of this paper [25], we provide efficient implementations of the proposed BSW protocol, instantiate the protocol with secure building blocks, and measure its efficiency.

Outline of the paper. In Section II, we propose security definitions for blind and readable watermarking schemes and for anonymous BSW protocols. We recall the definition and the properties of the employed cryptographic building blocks in Section III, and we describe our BSW protocol in Section IV. In Section V, we analyze the security of our protocol, in Section VI we discuss its efficiency, and we conclude in Section VII.

II. DEFINITIONS

A. Blind Watermarking

A blind and readable watermarking scheme [2] consists of a setup algorithm , a watermark embedding algorithm , and finally a watermark detection algorithm . outputs a secret watermarking key , and a description of an original content space and of a watermark space . , on input , original content , and watermark , outputs watermarked content . The algorithm can be computed in the encrypted domain, where both and the result are encrypted with a public key of a public key encryption scheme. The algorithm outputs the watermark embedded in . A secure watermarking scheme should be robust and collusion resistant. Let be a distortion metric that quantifies the distortion suffered by a watermarked content when it underwent signal processing operations such as compression, filtering, noise addition, desynchronization, cropping, insertions, mosaicing, and collage. Under a distortion metric and a given distortion bound , given output by and output by , a scheme is -robust if an adversary outputs a distorted content such that and outputs with negligible probability .
The collusion resistance property requires that a collusion of up to parties cannot manipulate or remove the watermark from a watermarked content by comparing or composing their differently watermarked copies. In other words, it requires that, under a distortion metric and a given distortion bound , a scheme is -secure against coalitions of size if all p.p.t. adversaries win the game defined below with probability less than . We formalize this property as follows.

Definition 1 (Collusion Resistant Watermarking): The collusion resistance property is defined through the following game between a challenger and an adversary .
• Challenge. runs to get , picks random original content and, for to , picks random watermark and runs . sends to .
• Response. outputs watermarked content .


wins if there exists such that and outputs a watermark such that, for to , . A blind watermarking scheme is collusion resistant if all p.p.t. adversaries win the game above with negligible probability.

Current practical watermarking schemes do not provide collusion resistance against any p.p.t. adversary. In Section V, we assume that the watermarking scheme used to instantiate the protocol fulfills this definition, and thus we conclude that our protocol is secure against any p.p.t. adversary. When the protocol is instantiated with a given watermarking scheme, the security offered against malicious buyers is lowered to the security offered by the watermarking scheme. In the security analysis of our protocol (Section V), Claim 2 is not fulfilled if the watermarking scheme is not collusion resistant.

B. Anonymous BSW Protocol

We define security following the ideal-world/real-world paradigm [24]. In the real world, a set of parties interact according to the protocol description in the presence of a real adversary , while in the ideal world dummy parties interact with an ideal functionality that carries out the desired task in the presence of an ideal adversary . A protocol is secure if there exists no environment that can distinguish whether it is interacting with adversary and parties running protocol or with the ideal process for carrying out the desired task, where ideal adversary and dummy parties interact with an ideal functionality . More formally, we say that protocol emulates the ideal process when, for any adversary , there exists a simulator such that for all environments , the ensembles IDEAL and REAL are computationally indistinguishable. We refer to [24] for a description of how these ensembles are constructed. In the ideal-world/real-world paradigm [24], every protocol instance has a session identifier that distinguishes it from other protocol instances. For the sake of ease of notation, we omit session identifiers in the description of our ideal functionalities and in the description of our protocol.

We define an ideal functionality that models the behavior and desirable properties of any copyright protection protocol in which buyers are provided with anonymity. We consider a setting with five parties: a seller that sells protected digital contents ; a set of buyers that purchases protected digital contents from ; a registration authority where buyers must register before purchasing; a judge that decides whether a buyer is guilty of releasing pirated copies; a deanonymization authority that revokes the anonymity of a buyer when requested by . is parameterized with a set of parties that contains the aforementioned entities. models the properties that a copyright protection protocol should fulfill under three assumptions. First, the judge is never corrupted by the ideal adversary . Second, parties can be corrupted statically, i.e., the ideal adversary decides at the beginning of the protocol execution the set of parties it wishes to corrupt and cannot modify this set throughout the execution. Finally, assumes that uncorrupted buyers never release pirated copies. Under those assumptions, requires that, when the seller is uncorrupted, buyers receive unique protected content at each purchase. This unique protected content, when released as a pirated copy, can be traced back to a single transaction. (In the case of a BSW protocol, unique protected content is computed by embedding a different watermark at each purchase phase.) also requires that, if the deanonymization authority is uncorrupted, an uncorrupted seller is always able to get the identity of corrupted buyers that release pirated copies. To trace protected copies, maintains a transaction table with entries of the form , where is a protected copy, is the buyer that purchased the copy, and is a bit that equals 0 if the copy was released by a malicious . When the seller is corrupted, does not require buyers to receive the unique protected content . Instead, they receive a copy chosen by . However, requires that is not able to frame uncorrupted buyers, who by assumption do not release pirated copies. Additionally, it requires that released pirated copies are traced back to corrupted buyers that collude with . Below we describe formally . In Section V, we prove that our BSW protocol realizes functionality . This means that our protocol fulfills the aforementioned properties.

Functionality
Parameterized with a set of parties , works as follows, where means the registration or deanonymization process succeeded and means a content is not a pirated copy:
• Upon receiving (register) from buyer , checks that . Then it sends register to . If is corrupted, receives a bit regresp from the ideal adversary , else it sets regresp to and, if , includes in its registration table .
• Upon receiving request from buyer , where identifies the item, checks that . sends buyrequest to , who returns original content . computes unique protected content reqresp from . If is corrupted, receives reqresp from and sets to . sends reqresp to and stores , where , in a transaction table .
• Upon receiving release from , sets to 0 in the entry of . If no such entry exists, stores in .
• Upon receiving detect from , if in the entry or such entry does not exist, sends detresp to and . If , sends detect to . If is corrupted, receives a bit deanonym from , else sets . If , sends detresp to and , and otherwise it sends detresp to and .

In Section V, we prove that our BSW protocol realizes functionality in the -hybrid model, where parties register their public keys at a trusted registration entity and obtain from it a common reference string. Do not confuse this entity with the registration entity . Below we depict the ideal functionality . is parameterized with a distribution and a set of participants , which is restricted to contain the registration authority , the deanonymization authority , the buyers , the seller , and the judge . can be implemented with a public key infrastructure.

Functionality
Parameterized with a set of parties and a distribution , works as follows, where (crs) is a request of the common reference string, is the common reference string, and is the registered value such as ’s public key:
• On input (crs) from party , if it aborts. Otherwise, if there is no value recorded, it picks and records . It sends to .
• Upon receiving register from party , it records the value .
• Upon receiving retrieve from party , if is recorded then return retrieve to . Otherwise send retrieve to .

III. PRELIMINARIES

A function is negligible if, for every integer , there exists an integer such that for all , .

A. Group Signature Schemes

Group signature schemes [26] enable a group of users, each having her own private key, to sign messages on behalf of the group. The scheme is called dynamic if it allows adding members to the group with time. In the following, we recall the description of dynamic group signature schemes in [27]. The scenario consists of four kinds of parties: a trusted party for system setup, an authority called the issuer , an authority called the opener , and users that may become group members. The communication between and takes place over private and authenticated channels. The scheme consists of the algorithms , , , , , , , and . outputs an issuer key , an opening key , and a group public key on input a security parameter . outputs a user key pair on input a security parameter . and are interactive algorithms run by and , respectively. receives as inputs and receives as inputs. outputs a private signing key and outputs registration information to be stored in a registration table . outputs a signature of a message on input a secret key . , on input a signature , a message , and a group public key , outputs a bit if is correct and otherwise. , on input the group public key , the registration table , an opening key , a message , and a signature , outputs a pair , where identifies the user that computed ( if no group member produced the signature), and is a publicly verifiable proof that computed . , on input a group public key , an integer , a public key , a message , a signature , and a proof , outputs if is a valid proof that produced and otherwise. A dynamic group signature scheme must provide the properties of anonymity, traceability, and nonframeability. Anonymity requires that an adversary , unable to corrupt , cannot distinguish which of two signers of his choice signed a message of his choice. Traceability requires that , unable to corrupt and (albeit able to compromise ), cannot compute a signature for which either an honest cannot identify the user that produced it or cannot compute a proof that a user produced it. Nonframeability requires that cannot produce a proof that an honest user computed a valid signature unless the user indeed computed the signature. We refer to [27] for formal definitions. Our construction in Section IV can be instantiated with any secure group signature scheme.

B. Homomorphic Encryption

A public key encryption scheme consists of the algorithms , , and . outputs a public key and a secret key . outputs a ciphertext on input a public key and a message . outputs the message on input the ciphertext and the secret key . Roughly speaking, indistinguishability under chosen plaintext attack [28] (IND-CPA) guarantees that an adversary does not get any knowledge about from . We employ a public key homomorphic encryption scheme that supports two operations. An operation that, on input two ciphertexts and that encrypt messages and , outputs a ciphertext that encrypts the addition of the messages, and an operation that, on input a message and a ciphertext , outputs a ciphertext that encrypts the multiplication of the messages and . The public key homomorphic encryption scheme proposed by Paillier [29], and its generalization by Damgård and Jurik [30], supports these operations, and therefore, can be used to instantiate the encryption scheme employed in Section IV. In our construction in Section IV, we need a function that, on input a bit and an encryption of a bit , computes the encryption , where denotes the exclusive or operation. This function can be computed as follows. If , output . If , output .

C. Zero-Knowledge Proofs of Knowledge

A zero-knowledge proof of knowledge [31] is a two-party protocol between a prover and a verifier.
The prover proves to the verifier knowledge of some secret input that fulfills some statement without disclosing this input to the verifier. The protocol should fulfill two properties. First, it should be a proof of knowledge, i.e., a prover without the knowledge of the secret input convinces the verifier with negligible probability. More technically, there exists a knowledge extractor that extracts the secret input from a successful prover with all but negligible probability. Second, it should be zero-knowledge, i.e., the verifier does not learn any information about the secret input. More technically, for all possible verifiers there exists a simulator that, without knowledge of the secret input, yields a transcript that cannot be distinguished from the interaction with a real prover. To express a zero-knowledge proof of knowledge, we follow the notation introduced by Camenisch and Stadler [32]. For example, denotes a “zero-knowledge proof of knowledge of secret input such that ”. Letters in the parenthesis, in this example , denote the secret input, while and the function are also known to the verifier. We employ a proof of knowledge , i.e., a proof that is a correct encryption under of the secret key related with public key , so that a party in possession of the secret key related with can recover from . The verifiable encryption schemes proposed by Camenisch et al. [33] and by Poupard and Stern [34] can be employed to instantiate the encryption scheme used in our construction in Section IV. We also use a proof of knowledge of the statement , i.e., a proof that the value encrypted in ciphertext under public key is a bit. Such a proof is described in [30].

IV. CONSTRUCTION

A. Intuition Behind Our Construction

Our buyer–seller watermarking protocol BSW is based mainly on two cryptographic primitives: group signatures and homomorphic encryption. Group signatures allow buyers to sign the purchase messages they send to the seller on behalf of the group of buyers. Thanks to that, the seller can verify the signature without knowing the buyer’s identity, and thus purchases are anonymous. When a pirated copy is found and traced back to a particular purchase, the corresponding signature can be opened to learn the identity of the buyer that released the pirated copy. We note that, although in the description of our construction all the buyers belong to the same group, in practical implementations there can be several groups. Homomorphic encryption allows buyer and seller to jointly compute an encryption of the watermark to be embedded in the original content, in such a way that none of the parties knows . (The encryption of the watermark is embedded by computing algorithm in the encrypted domain.) This is an essential property. On the one hand, since the seller does not learn , later on a malicious seller cannot produce pirated copies that embed in order to frame an honest buyer.
On the other hand, a malicious buyer can neither remove nor release pirated copies and claim that the seller produced them. The protocol consists of four phases: setup, registration, purchase, and arbitration. In the setup phase, a trusted registration entity releases the group public key , gives the issuer secret key to the registration authority and the opening secret key to the deanonymization authority . acts as the issuer of the group signature scheme, and as the opener. Additionally, buyers register their public keys at the trusted registration entity. Finally, the judge also registers a public key . In the registration phase, buyers query and obtain a private signing key of the group signature scheme. obtains registration information . In the purchase phase, a buyer requests item and obtains from seller watermarked content , in such a way that none of the parties knows the watermark . ( does not learn either.) equals , where and are chosen by the seller, while is chosen by the buyer. is used by to relate a pirated copy with the transaction in which the pirated copy was sold. and are random values of enough length. First, generates a key pair of the homomorphic encryption scheme, picks random , and encrypts it bitwise with . also encrypts with the public key of the judge and obtains a ciphertext . sets a request message that includes , , and the bitwise encryption of . Finally, computes a group signature on her request message , sends it to and proves in zero-knowledge that the request is correctly computed. picks unique random and random , and by using the homomorphic property of the encryption scheme, is able to compute a bitwise encryption of under . embeds in the original content by running the watermark embedding algorithm in the encrypted domain and sends the result to . decrypts the result to obtain watermarked content . stores an entry indexed by with information about the transaction in a transactions table. In the arbitration phase, when receives a pirated copy, runs the watermark detection algorithm to obtain the watermark . uses to relate the pirated copy to a transaction and sends the table entry and to . uses his secret key to obtain the buyer’s secret key , uses to obtain from the bitwise encryption, and sets . checks if . If it is the case, it sends to , which returns the identity of the malicious buyer that released the pirated copy. The trusted registration entity can be implemented with a conventional public key infrastructure, and the registration authority and deanonymization authority can be implemented with the issuer and opener of any dynamic group signature scheme, respectively. The judge represents the entity in charge of determining if a buyer is guilty of releasing pirated copies. Since in practical settings there can be several entities in charge of this task, we propose to employ a unique trusted entity in possession of the secret key corresponding to public key . (Such a trusted entity could even be the trusted registration entity, but conventional PKI do not offer such a service.) Every judge queries this entity to decrypt a ciphertext encrypted with . In the description of our construction, we employ a single watermarking key . If, in order for the watermarking scheme to be collusion resistant, a different watermarking key should be associated to each of the original contents, our construction can be modified to watermark each content with a different key.

B. Construction

In the following, , and stand for the algorithms for key generation, encryption, and decryption of the public key encryption schemes used by and , respectively. They are described in Section III. In the setup phase depicted in Fig. 1, the trusted registration functionality runs the setup algorithm of the group signature scheme, stores the group public key , and sends the issuer’s secret key to and the opening secret key to . Every party can obtain by sending (crs) to . Additionally, each buyer runs to obtain a user key pair and registers at . The judge runs


Fig. 1. Setup phase of the BSW protocol: 1) group key generation; 2) B key generation; 3) J key generation; 4) S sets up the watermarking scheme and obtains secret watermarking key.

Fig. 2. Registration protocol performed between the buyer B and the registration authority R.

Fig. 3. Watermark generation and embedding protocol performed between the seller S and the buyer B .

his key generation algorithm in order to generate a key pair and registers at . Every party can retrieve public keys of other parties by querying . Finally, the seller executes the watermarking setup algorithm to obtain secret watermarking key . encrypts and sends to . After the setup phase, our protocol consists of three phases: registration, purchase, and arbitration. We begin with a high level description of our construction. Details on the algorithms can be found below.

Protocol BSW
• Registration. The registration phase is depicted in Fig. 2. When is activated with (register), and execute and , respectively. inputs and inputs . obtains a private signing key and outputs regresp , while obtains registration information to be stored in the registration table .
• Purchase. The purchase phase is presented in Fig. 3. When is activated with request and is activated with reqresp , and run the interactive algorithms and , respectively. inputs the group public key , her private signing key , , and the public key of . inputs , the secret watermarking key , and the original content . obtains transaction information and stores it in the table entry Tab, where Tab is a table that stores information of all the transactions. outputs watermarked content reqresp .
• Arbitration. The identification and arbitration protocol is depicted in Fig. 4. When is activated with detect , runs Tab to obtain the table entry that corresponds to and sends to . runs to obtain a bit and a deanonymization message . If , sends to and outputs detresp . Otherwise sends to , which runs ( is obtained from ) and returns and a proof that deanonymization was done correctly. runs to check the validity of the proof . If the output is , sends to and outputs detresp . Otherwise sends to and outputs detresp .



. Run to obtain a key pair . Run to get an encryption of . Pick a random string and, for to , run to encrypt bitwise. Set a message and run to compute a signature . (If does not belong to the message space of the group signature scheme, use a collision-resistant hash function to compute a hash that belongs to the message space and sign .) Send to . As the prover, engage with in the following interactive zero-knowledge proofs of knowledge: a proof that are correctly setup and that is an encryption of under ; for to , a proof that each encrypts a bit. Upon receiving , decrypt and output .


Fig. 4. Copyright violator identification and arbitration protocol performed among the seller S , the judge J , and the deanonymization authority D .



. Receive message as . Run and abort if the output is 0. As the verifier, engage in the execution of the interactive proofs and, for to , , and abort if any of them is not correct. Pick random and, for to , compute . Pick random unique and, for to , encrypt . Set the watermark to be embedded as , and let its bitwise encryption be . Perform the watermark embedding operation in the encrypted domain to obtain an encrypted watermarked content . Send and output transaction information Tab .
. Execute the watermark detection algorithm to obtain the watermark , parse the table entry , compute and output .
. Parse as and as . Run and abort if the output is 0. Decrypt to obtain . For to , decrypt to obtain . Check whether . If it is the case, output and . Otherwise output and .
. Parse as . Run to obtain an identity and a proof . Output .
. Parse as . Run to obtain a bit . Output .
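The following is an added, runnable illustration of the purchase and arbitration steps described above (the buyer's bitwise encryption of her watermark, the seller's transformation of it with a random string she keeps in Tab, embedding in the encrypted domain, detection, and the judge's check); it is example code written for this page, not the authors' implementation. It uses a minimal Paillier cryptosystem and a simplified additive embedding in place of the composite-representation embedding of [23]; group signatures, the verifiable encryption of B's secret key to J, and the zero-knowledge proofs are left out, and the judge is simply handed B's decryption key to stand in for the escrowed key J would decrypt. The names `seller_mask`, `embed_encrypted`, `judge_check`, the constant `ALPHA`, the toy key size and the sample content are assumptions made for the example.

```python
# Added example, not from the paper: toy run of the encrypted-domain watermark
# construction (Paillier, bitwise watermark, XOR mask by the seller, tracing).
import secrets

ALPHA = 4  # embedding strength (assumed for this example)


def _is_probable_prime(n, rounds=40):
    """Miller-Rabin test; sufficient for toy-sized primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c


class Paillier:
    """Paillier with g = n + 1. B generates it; S and J only need the public n.
    256-bit modulus is a toy size, far too small for real use."""

    def __init__(self, bits=256):
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        self.n, self.n2 = p * q, (p * q) ** 2
        self.lam = (p - 1) * (q - 1)          # secret
        self.mu = pow(self.lam, -1, self.n)   # secret

    def encrypt(self, m):
        r = secrets.randbelow(self.n - 1) + 1
        return pow(self.n + 1, m % self.n, self.n2) * pow(r, self.n, self.n2) % self.n2

    def decrypt(self, c):
        return (pow(c, self.lam, self.n2) - 1) // self.n * self.mu % self.n

    def add(self, c1, c2):      # E(a) * E(b) = E(a + b)
        return c1 * c2 % self.n2

    def scale(self, c, k):      # E(a) ^ k = E(k * a)
        return pow(c, k % self.n, self.n2)


def seller_mask(pk, enc_bits, mask):
    """S: from E(w_i) and a plaintext mask bit s_i build a fresh E(w_i XOR s_i).
    w XOR 0 = w (re-randomised), w XOR 1 = 1 - w; S never learns w_i."""
    return [pk.add(c, pk.encrypt(0)) if s == 0 else pk.add(pk.encrypt(1), pk.scale(c, -1))
            for c, s in zip(enc_bits, mask)]


def embed_encrypted(pk, content, enc_wm):
    """S: additive embedding on ciphertexts, y_j = x_j + ALPHA*(2*w_i - 1), where
    sample j carries bit i = j mod l. Simplified stand-in for the scheme of [23]."""
    l = len(enc_wm)
    return [pk.add(pk.encrypt(x - ALPHA), pk.scale(enc_wm[j % l], 2 * ALPHA))
            for j, x in enumerate(content)]


def buyer_decrypt(sk, enc_content):
    """B: decrypt the personalised copy, mapping residues back to signed samples."""
    vals = [sk.decrypt(c) for c in enc_content]
    return [v - sk.n if v > sk.n // 2 else v for v in vals]


def detect(original, suspect, l):
    """S: non-blind detector; the sign of the summed per-slot difference gives the bit."""
    return [1 if sum(suspect[j] - original[j] for j in range(i, len(original), l)) > 0 else 0
            for i in range(l)]


def judge_check(sk, enc_bits, mask, detected):
    """J: with the escrowed key, decrypt B's bit ciphertexts, confirm each is a bit,
    and confirm that XOR-ing with S's stored mask gives the watermark S detected."""
    w = [sk.decrypt(c) for c in enc_bits]
    if any(b not in (0, 1) for b in w):
        return False
    return [wi ^ si for wi, si in zip(w, mask)] == detected


def run_protocol(content, buyer_bits, mask, tamper=0):
    """One purchase followed by tracing; returns (traced buyer bits, judge verdict)."""
    key = Paillier()                                     # B's key pair
    enc_bits = [key.encrypt(b) for b in buyer_bits]      # B -> S (plus ZK proofs in the paper)
    masked = seller_mask(key, enc_bits, mask)            # S keeps mask in Tab
    y = buyer_decrypt(key, embed_encrypted(key, content, masked))   # S -> B, B decrypts
    pirated = [v + secrets.randbelow(2 * tamper + 1) - tamper for v in y]  # constructed noise
    found = detect(content, pirated, len(buyer_bits))   # S extracts w XOR s
    traced = [f ^ s for f, s in zip(found, mask)]        # S recovers B's watermark
    return traced, judge_check(key, enc_bits, mask, found)
```

With eight samples per watermark bit and `ALPHA = 4`, per-sample noise of ±1 cannot flip a detected bit, so `run_protocol(list(range(64)), bits, mask, tamper=1)` returns the buyer's bits and a positive verdict; the judge rejects a claimed watermark that does not match the decrypted bits, and rejects ciphertexts that do not encrypt a bit, which is what the zero-knowledge proofs of the real protocol prevent the buyer from submitting in the first place.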










V. SECURITY ANALYSIS
Theorem 1: This BSW scheme securely realizes .
In order to prove this theorem, we need to build a simulator that invokes a copy of adversary and interacts with environment and in such a way that ensembles IDEAL and REAL are computationally indistinguishable. We analyze formally the security of our scheme when the seller and a subset of buyers are corrupted, and when (a subset of) buyers are corrupted. We also describe briefly the security guarantees that our scheme provides when the registration authority and the deanonymization authority are corrupted.

A. Security Analysis When Seller Is Corrupted
Claim 1: When the seller and a subset of the buyers are corrupted, the distribution ensembles IDEAL and REAL are computationally indistinguishable under the zero-knowledge property of the proofs of knowledge, the IND-CPA security of encryption schemes and , and the traceability, nonframeability, and anonymity properties of the group signature scheme.
Proof: We show by means of a series of hybrid games that the environment cannot distinguish between the real execution ensemble REAL and the simulated ensemble IDEAL with nonnegligible probability. We denote by the probability that distinguishes between the ensemble of and that of the real execution.
• : This game corresponds to the execution of the real-world protocol with a subset of honest buyers and honest , , and . Thus .
• : This game proceeds as , except that aborts if the received message-signature pair is correct according to algorithm but cannot be successfully opened through algorithm . The probability that aborts is bounded by the following lemma:
Lemma 1: Under the traceability property of the group signature scheme, .
Proof: We construct an algorithm that, if there exists an adversary that makes abort with nonnegligible probability , breaks the traceability property of the group signature scheme with nonnegligible probability . The traceability property is formally defined in [27] as a game between a challenger and an adversary. First, gives to the adversary and access to several oracles (we refer to [27] for the description of the oracles). Eventually, adversary submits a message-signature pair , and wins the game if outputs 1 and if either outputs 0 or outputs a pair such that outputs 0.
Algorithm operates as follows. First, receives from and sends to when queried with (crs). For each honest buyer , invokes oracle to obtain the secret key and later on oracle to obtain the private signing key . Each time wants to register a public key of a corrupted buyer , invokes the corruption oracle . When sends a request to register a corrupted buyer , invokes oracle .

RIAL et al.: PROVABLY SECURE ANONYMOUS BUYER–SELLER WATERMARKING PROTOCOL

simulates purchase requests by honest buyers following algorithm . Each time sends an arbitration message , runs to obtain and . If either or outputs 0, sends to break the traceability property.
• : This game proceeds as , except that aborts if, in the arbitration phase, sends a message-signature pair that algorithm opens successfully to an uncorrupted buyer's identity and buyer did not send a signature on to . The probability that distinguishes between and is bounded by the following lemma:
Lemma 2: Under the nonframeability of the group signature scheme, .
Proof: We construct an algorithm that, if there exists an adversary that makes abort with nonnegligible probability , breaks the nonframeability property of the group signature scheme with nonnegligible probability . The nonframeability property is formally defined in [27] as a game between a challenger and an adversary. First, gives to the adversary and access to several oracles (we refer to [27] for the description of the oracles). Eventually, adversary submits a message-signature pair and a proof , and wins the game if outputs 1, if belongs to an honest user and if outputs 1.
Algorithm operates as follows. First, receives from and sends to when queried with (crs). Each time wishes to register a public key of a corrupted buyer , invokes oracle . Each time wishes to register a corrupted buyer, runs with . For every honest buyer , invokes oracle and stores the output. For each purchase request made by an honest buyer for item , computes a request message following algorithm , obtains a signature by invoking oracle , and sends to . Each time sends an arbitration message , runs to get and . If belongs to an honest buyer, did not receive before a signature by on , and outputs 1, then sends to to break the nonframeability property.
• : This game proceeds as , except that the proofs and are replaced by simulated proofs. Under the assumption that the proof system is zero-knowledge, .
• : This game proceeds as , except that the ciphertext is replaced by a ciphertext that encrypts a random message. At this point, the proof of knowledge is a simulated proof of a false statement. The probability that distinguishes between and is bounded by the following lemma:
Lemma 3: Under the IND-CPA security of the encryption scheme that consists of algorithms , .


Proof: We construct an algorithm that, given an environment that distinguishes and with nonnegligible probability, breaks the IND-CPA security of the encryption scheme with nonnegligible probability. Chosen plaintext security is formally defined through a game between a challenger and an adversary [28]. First, provides the adversary with a public key . The adversary sends two messages and . flips a coin and sends to the adversary. Finally, the adversary sends his guess and wins if is nonnegligible.
Let be the number of purchase requests. We consider a sequence of hybrid games, where, in game- , ciphertext is replaced by the encryption of a random message in the first purchase requests, while the remaining requests remain unchanged. Clearly, game-0 corresponds to and game- corresponds to . If distinguishes and with nonnegligible probability , there must be an index such that distinguishes game- from game- with nonnegligible probability .
Our algorithm operates as follows. First, receives the public key from . computes by running and sends to when queried with (crs). registers adversarial buyers as usual. computes . For to , it computes purchase requests following algorithm , except that is replaced by the encryption of a random value and by a simulated proof. For to , purchase requests are computed following algorithm . For , picks random and submits and to . flips a coin and returns , and uses to compute the request. outputs a bit , which is forwarded by to .
• : This game proceeds as , except that aborts upon receiving an arbitration request , where was previously sent to and was the buyer's watermark associated with the request . The probability that distinguishes between and is bounded by the following lemma:
Lemma 4: Under the IND-CPA security of the encryption scheme that consists of algorithms , .
Proof: Let be the number of purchase requests. We construct an algorithm that, given an adversary that makes abort with nonnegligible probability, breaks the chosen plaintext security of the encryption scheme with nonnegligible probability .
Algorithm operates as follows. First, receives the public key from . computes by running and sends to when queried with (crs). registers adversarial buyers as usual. For the first purchase request made by an honest buyer for item , picks random and, for to , encrypts bitwise using . To encrypt the last bit, sends to and receives back a ciphertext , which is used to complete the bitwise encryption of the buyer's watermark . The rest of the request message is computed following algorithm , except that the encryption is replaced by the encryption of a random value and the proofs and are replaced by simulated proofs. (Note that


knows neither nor the bit encrypted in .) The remaining requests are computed following algorithm . sends an arbitration message that makes abort. If this arbitration message does not correspond to the first request, fails. Otherwise, if the last bit of is 0, sends to , and otherwise to .
• : This game proceeds as , except that all the group signatures of purchase requests are replaced by group signatures computed by using the same private signing key of a unique buyer. The probability that distinguishes between and is bounded by the following lemma:
Lemma 5: Under the anonymity property of the group signature scheme, .
Proof: We note that, at this point, we have already proven that is not able to frame honest buyers, who by assumption do not release pirated copies. Therefore, the identity of an honest buyer will never be revealed at the arbitration protocol, and so the change we make on the identity of the buyer that computes purchase requests cannot be detected there. We only have to prove that this change is indistinguishable at the purchase phase.
The anonymity property of dynamic group signatures is formally defined in [27] and it consists of a game between a challenger and an adversary. First, the challenger gives the adversary and access to several oracles. Then the adversary gives the challenger a message and two identities and . flips a coin and sends to adversary a group signature . wins if he guesses with nonnegligible probability.
We employ a sequence of hybrid games. Let game-0 denote the game in which all the group signatures remain unmodified, and game- denote the game in which all of them have been replaced. Clearly, game-0 corresponds to and game- corresponds to . If there is an environment that distinguishes and with nonnegligible probability , then there exists an index such that distinguishes game- and game- with nonnegligible probability . Given such , we construct an algorithm that breaks the anonymity property of the group signature scheme with nonnegligible probability .
Our algorithm receives from . invokes oracle to register the new honest user employed to simulate purchase requests. follows algorithm to compute the request message . Then sends , where is the identity of the original buyer that sends the request, as its challenge. flips a coin , returns a signature of , and sends to . If , the distribution corresponds to game- , and, if , to game- . outputs a bit , which is forwarded by to challenger as its guess.
performs all the changes described in , and forwards and receives messages from as described in our simulation below.
• Setup. When sends a request (crs), runs to obtain the group public key , the issuer's secret key , and the opening secret key . sends to . When sends a request retrieve , runs in order to generate a key pair and sends retrieve to .

• Registration. Upon receiving a registration request from , executes the interactive algorithm on input . If the execution ends successfully, stores in and sends (register) to on behalf of . knows the identity of the corrupted buyer because the communication channel is authenticated.
• Purchase. Upon receiving buyrequest from , if this is the first request, runs to obtain a user key pair and algorithms and on input and , respectively, to obtain a private signing key . This key is used to simulate all the requests. follows the interactive algorithm to compute a request for item with all the changes described until and receives watermarked content . stores the request along with in the request table and sends reqresp to .
• Release. Upon receiving a pirated copy from , sends release to and stores in a table of released copies.
• Arbitration. When sends , parses as , verifies , and checks if encrypts . If it is not the case, sends detect to , receives detresp , and forwards detresp to . Otherwise runs and obtains an identifier and a proof . ( aborts if fulfills any of the conditions described in the sequence of games.) Then proceeds as follows:
— If corresponds to an adversarial buyer, chooses any of the pirated copies and sends detect to . returns detresp , which is forwarded to .
— If corresponds to the buyer used by to simulate purchases, sends detect to . (Note that we assume that honest buyers never release pirated copies.) returns detresp , which is forwarded to .
The distribution produced in is identical to that of our simulation. By summation we have that .
B. Security Analysis When Buyers Are Corrupted
Claim 2: When only (a subset of) the buyers are corrupted, the distribution ensembles IDEAL and REAL are computationally indistinguishable under the traceability and nonframeability properties of the group signature scheme and the collusion resistance of the watermarking scheme.
Proof: We show by means of a series of hybrid games that the environment cannot distinguish between the real execution ensemble REAL and the simulated ensemble IDEAL with nonnegligible probability.
• : This game corresponds to the execution of the real-world protocol with honest , , , and . Therefore, .
• : This game proceeds as , except that aborts if the received message-signature pair is correct but cannot be opened through algorithm . The probability that aborts is bounded by the following lemma:


Lemma 6: Under the traceability property of the group signature scheme, . The proof of this lemma follows the proof of traceability given in Section V-A.
• : This game proceeds as , except that aborts if the received message-signature pair is opened correctly to an uncorrupted buyer's identity . The probability that aborts is bounded by the following lemma:
Lemma 7: Under the nonframeability property of the group signature scheme, . The proof of this lemma follows the proof of nonframeability given in Section V-A.
• : This game operates as , except that the string that is used to compute the watermark embedding is replaced by a random string. Since the strings are picked at random by the honest seller, is a random string that leaks no information on . Therefore, .
• : This game operates as , except that aborts if releases a watermarked content whose watermark does not equal that of any of the watermarked contents previously received by . The probability that aborts is bounded by the following lemma:
Lemma 8: Under the assumption that the watermarking scheme is collusion resistant, .
We construct an algorithm that, given an adversary that makes abort with nonnegligible probability, breaks the collusion-resistant property of the watermarking scheme with nonnegligible probability. interacts with the challenger of the collusion resistant game described in Definition 1. First, receives the challenge from . computes by running and sends to when queried with (crs). registers adversarial buyers as usual. When receiving a purchase request for item , replies by encrypting a not previously used . (We assume that item 1 is requested no more than times.) For other purchases, replies as usual. Eventually, releases a pirated copy whose watermark does not equal any of the watermarks embedded in . forwards to .
performs all the changes described in , and forwards and receives messages from as described in our simulation below.
• Setup. When sends a request (crs), runs to obtain the group public key , the issuer's secret key and the opening secret key . sends to . When sends a request register to register the public key of buyer , stores . When sends a request retrieve , runs in order to generate a key pair and sends retrieve to .
• Registration. Upon receiving a registration request from , behaves as in Section V-A.
• Purchase. Upon receiving from , checks whether is correct. As verifier, executes the proofs and, for to , ,


TABLE I LEVELS OF TRUST IN AUTHORITIES FOR EACH SECURITY PROPERTY

and ignores the request if any of them fails. runs , parses as , and sends request to on behalf of . returns reqresp . computes and sends to .
• Release. Upon receiving a pirated copy from , sends release to .
The distribution produced in is identical to that of our simulation. By summation, we have that .
C. Security Analysis When Other Parties Are Corrupted
We do not formally analyze the security of our scheme in these cases since in practical application scenarios the registration authority and the deanonymization authority are trusted. We note that the security of our scheme relies on the security of the group signature scheme. In our scheme, acts as the issuer of the group signature scheme, and acts as the opener. Bellare et al. [27] analyze the security of the group signature scheme when the adversary corrupts the issuer and the opener. In Table I, they describe the maximum level of corruption that the scheme tolerates so that anonymity, traceability, and nonframeability still hold. (Partial corruption means that the secret key of a party is revealed to the adversary, but the adversary cannot influence the behavior of that party.) Interestingly, nonframeability holds even when the issuer and the opener are fully corrupted. Therefore, our scheme protects honest buyers from being falsely accused when , , and are corrupted. We recall that we assume that the judge is always uncorrupted.
VI. IMPLEMENTATION
The efficiency of the proposed solution is verified by running a practical implementation of the BSW protocol on a network of general purpose personal computers. The implementation consists of a set of four programs, each implementing a different entity of the protocol. The seller , the buyer , and the judge are implemented as separate programs. The functionalities of the registration authority and the deanonymization authority are implemented in a single program. All tested programs have been implemented in C using the GNU Multi-Precision (GMP) library [35] and the NTL library [36] and communicate with each other via TCP, using the standard socket library provided by the Linux operating system. As to encrypted domain watermark embedding, the proposed solution is based on the efficient composite embedding strategy presented in [23], using a quantization scale factor . Such a strategy permits an encrypted domain implementation of several watermarking algorithms, achieving a robustness very close to that of the corresponding plaintext implementations. For details on the above implementation, the reader is referred to [23].


TABLE II EXECUTION TIMES (IN SECONDS) IN THE WATERMARK GENERATION AND EMBEDDING PROTOCOL VERSUS THE NUMBER OF BITS OF PAILLIER’S KEY

TABLE III EXCHANGED KBYTES IN THE WATERMARK GENERATION AND EMBEDDING PROTOCOL VERSUS THE NUMBER OF BITS OF PAILLIER’S KEY

The buyer and the judge have been tested on an Intel(R) Core(TM)2 Quad CPU at 2.40 GHz, used as a single processor. The seller has been tested on an AMD Athlon 64 at 2.40 GHz. The registration/deanonymization authority has been tested on an Intel(R) Centrino(TM) at 1.7 GHz. The machines were connected by a 100-Mb/s LAN. We tested two different image sizes, 512 × 512 and 1024 × 1024, and two different watermark lengths, and . In order to investigate the effects of security parameters on the complexity, since the number of group signature operations is negligible with respect to the number of Paillier's encryptions, we only change the encryption security parameters. Three different security levels for Paillier's cryptosystem were considered, using keys with 1024, 2048, and 3072 bits, whereas the group signature scheme used 2048-bit keys. For each entity, we measured the exchanged bytes and the actual computation time. The most computationally expensive protocol was the Watermark Generation and Embedding Protocol. The execution time of the Identification and Arbitration Protocol was always less than 2% of the execution time of the Watermark Generation and Embedding Protocol, whereas for the Registration Protocol, the overall execution time was always below 500 ms, so its complexity is negligible with respect to the other phases. The execution times and the total amount of data exchanged in the Watermark Generation and Embedding Protocol are given in Tables II and III, respectively. The implementation results show that the execution time of the protocol on a 512 × 512 image is within 1 min when using the lower security level, whereas it grows to about 9 min when using the higher security level. The overall complexity is dominated by the computation time of the seller, which is about four times higher than the computation time of the buyer. The communication complexity is dominated by the encryption of the image; however, thanks to the composite representation, it is almost insensitive to the security level. Considering the foreseeable evolution of the computational and network capacity of modern systems, the results suggest that the proposed technique can be successfully used in practical applications in the near future.

VII. CONCLUSION AND FUTURE WORK
We have proposed a security definition for copyright protection protocols in the ideal-world/real-world paradigm. Furthermore, we have analyzed the security of an anonymous BSW protocol and proven that it fulfills our definition. Particularly, we have shown that the protocol is secure against any p.p.t. adversary when instantiated with a watermarking scheme, an encryption scheme, a group signature scheme, and zero-knowledge proofs of knowledge that provide security against any p.p.t. adversary. Unlike the other building blocks, no watermarking scheme has been proven to offer this security level, and thus the actual security of the protocol against malicious buyers is lowered to the security offered by the watermarking scheme. Further research needs to be conducted to adapt or extend our definition to protocols that offer additional properties. For example, one desirable property for e-commerce protocols is transaction fairness [37], and thus defining and designing privacy-preserving fair BSW protocols is an interesting goal.

REFERENCES

[1] I. Cox, M. Miller, J. Bloom, and M. Miller, Digital Watermarking: Principles & Practice, ser. The Morgan Kaufmann Series in Multimedia Information and Systems. San Mateo, CA: Morgan Kaufmann, 2001.
[2] M. Barni and F. Bartolini, Watermarking Systems Engineering: Enabling Digital Assets Security and Other Applications, 1st ed. Boca Raton, FL: CRC Press, Feb. 2004.
[3] J. Brassil, S. H. Low, N. F. Maxemchuk, and L. O'Gorman, "Electronic marking and identification techniques to discourage document copying," IEEE J. Sel. Areas Commun., vol. 13, no. 8, pp. 1495–1504, Oct. 1995.
[4] D. Boneh and J. Shaw, "Collusion-secure fingerprinting for digital data," LNCS, vol. 963, pp. 452–465, 1995.
[5] Z. J. Wang, M. Wu, H. V. Zhao, W. Trappe, and K. J. R. Liu, "Anti-collusion forensics of multimedia fingerprinting using orthogonal modulation," IEEE Trans. Image Process., vol. 14, no. 6, pp. 804–821, Jun. 2005.
[6] W. Trappe, M. Wu, Z. J. Wang, and K. J. R. Liu, "Anti-collusion fingerprinting for multimedia," IEEE Trans. Image Process., vol. 51, no. 4, pp. 1069–1087, Apr. 2003.
[7] K. Liu, W. Trappe, Z. Wang, M. Wu, and H. Zhao, Multimedia Fingerprinting Forensics for Traitor Tracing, ser. EURASIP Book Series on Signal Processing and Communications. New York: Hindawi Publishing Co., 2005.
[8] D. Grover, "The protection of computer software: Its technology and applications," in The British Computer Society Monographs in Informatics. Cambridge, U.K.: Cambridge Univ. Press, 1992.
[9] G. R. Blakley, C. Meadows, and G. B. Purdy, "Fingerprinting long forgiving messages," in CRYPTO, ser. Lecture Notes in Computer Science, H. C. Williams, Ed. New York: Springer, 1985, vol. 218, pp. 180–189.
[10] D. Boneh and J. Shaw, "Collusion-secure fingerprinting for digital data (extended abstract)," in CRYPTO, ser. Lecture Notes in Computer Science, D. Coppersmith, Ed. New York: Springer, 1995, vol. 963, pp. 452–465.
[11] L. Qian and K. Nahrstedt, "Watermarking schemes and protocols for protecting rightful ownership and customer's rights," J. Vis. Commun. Image Represent., vol. 9, no. 3, pp. 194–210, Sep. 1998.
[12] B. Pfitzmann and M. Schunter, "Asymmetric fingerprinting," in Adv. in Cryptology—EUROCRYPT'96, LNCS 1070, 1996, pp. 84–95.
[13] B. Pfitzmann and M. Waidner, "Anonymous fingerprinting," in Adv. in Cryptology—EUROCRYPT'97, 1997, pp. 88–102.
[14] I. Biehl and B. Meyer, "Protocols for collusion-secure asymmetric fingerprinting," in Proc. 14th STACS, LNCS 1200, 1997, pp. 213–222.
[15] A. Adelsbach, B. Pfitzmann, and A.-R. Sadeghi, "Proving ownership of digital content," in Information Hiding, ser. Lecture Notes in Computer Science, A. Pfitzmann, Ed. New York: Springer, 1999, vol. 1768, pp. 117–133.
[16] B. Pfitzmann and A.-R. Sadeghi, "Anonymous fingerprinting with direct non-repudiation," in ASIACRYPT, ser. Lecture Notes in Computer Science, T. Okamoto, Ed. New York: Springer, 2000, vol. 1976, pp. 401–414.


[17] J. Camenisch, "Efficient anonymous fingerprinting with group signatures," in ASIACRYPT, ser. Lecture Notes in Computer Science, T. Okamoto, Ed. New York: Springer, 2000, vol. 1976, pp. 415–428.
[18] N. D. Memon and P. W. Wong, "A buyer-seller watermarking protocol," IEEE Trans. Image Process., vol. 10, no. 4, pp. 643–649, Apr. 2001.
[19] H.-S. Ju, H.-J. Kim, D.-H. Lee, and J.-I. Lim, "An anonymous buyer-seller watermarking protocol with anonymity control," Inf. Security Cryptology, pp. 421–432, Nov. 2002.
[20] C.-L. Lei, P.-L. Yu, P.-L. Tsai, and M.-H. Chan, "An efficient and anonymous buyer-seller watermarking protocol," IEEE Trans. Image Process., vol. 13, no. 12, pp. 1618–1626, Dec. 2004.
[21] J. Zhang, W. Kou, and K. Fan, "Secure buyer-seller watermarking protocol," Proc. Inst. Elect. Eng. Information Security, vol. 153, no. 1, pp. 15–18, Mar. 2006.
[22] S. Katzenbeisser, A. Lemma, M. U. Celik, M. van der Veen, and M. Maas, "A buyer-seller watermarking protocol based on secure embedding," IEEE Trans. Inf. Forensics Security, vol. 3, no. 4, pp. 783–786, Dec. 2008.
[23] M. Deng, T. Bianchi, A. Piva, and B. Preneel, "An efficient buyer-seller watermarking protocol based on composite signal representation," in Proc. 11th ACM Workshop on Multimedia and Security, Princeton, NJ, 2009, pp. 9–18, ACM.
[24] R. Canetti, "Universally composable security: A new paradigm for cryptographic protocols," in Proc. 42nd IEEE Symp. Foundations of Computer Science, 2001, pp. 136–145.
[25] M. Deng, T. Bianchi, A. Piva, A. Rial, and B. Preneel, "Anonymous buyer–seller watermarking protocols—Part II: Efficient implementations," IEEE Trans. Inf. Forensics Security, submitted for publication.
[26] D. Chaum and E. van Heyst, "Group signatures," in EUROCRYPT, 1991, pp. 257–265.
[27] M. Bellare, H. Shi, and C. Zhang, "Foundations of group signatures: The case of dynamic groups," in CT-RSA, ser. Lecture Notes in Computer Science, A. Menezes, Ed. New York: Springer, 2005, vol. 3376, pp. 136–153.
[28] S. Goldwasser and S. Micali, "Probabilistic encryption," J. Comput. Syst. Sci., vol. 28, no. 2, pp. 270–299, 1984.
[29] P. Paillier, "Public-key cryptosystems based on composite degree residuosity classes," in EUROCRYPT, 1999, pp. 223–238.
[30] I. Damgård and M. Jurik, "A generalisation, a simplification and some applications of Paillier's probabilistic public-key system," in Public Key Cryptography, ser. Lecture Notes in Computer Science, K. Kim, Ed. New York: Springer, 2001, vol. 1992, pp. 119–136.
[31] M. Bellare and O. Goldreich, "On defining proofs of knowledge," in CRYPTO'92, E. F. Brickell, Ed., 1992, vol. 740, pp. 390–420, Springer-Verlag.
[32] J. Camenisch and M. Stadler, "Proof systems for general statements about discrete logarithms," Institute for Theoretical Computer Science, ETH, Zürich, Tech. Rep. TR 260, Mar. 1997.
[33] J. Camenisch and V. Shoup, "Practical verifiable encryption and decryption of discrete logarithms," in CRYPTO, ser. Lecture Notes in Computer Science, D. Boneh, Ed. New York: Springer, 2003, vol. 2729, pp. 126–144.
[34] G. Poupard and J. Stern, "Fair encryption of RSA keys," in EUROCRYPT, 2000, pp. 172–189.
[35] GNU Multiple Precision Arithmetic Library [Online]. Available: http://gmplib.org/
[36] NTL: A Library for Doing Number Theory [Online]. Available: http://www.shoup.net/ntl/
[37] S. Kremer, "Formal analysis of optimistic fair exchange protocols," Ph.D. dissertation, Université Libre de Bruxelles, Brussels, Belgium, 2004.
[38] T. Okamoto, Ed., Proc. 6th Int. Conf. Theory and Application of Cryptology and Information Security, Advances in Cryptology (ASIACRYPT 2000), Kyoto, Japan, Dec. 3–7, 2000, vol. 1976, Springer, ser. Lecture Notes in Computer Science.

Alfredo Rial received the Master's degree in telecommunication engineering from the Universidade de Vigo, Spain, in 2008. Currently he is working toward the Ph.D. degree at Katholieke Universiteit Leuven, Belgium, under the supervision of Prof. B. Preneel. His research interests include public key cryptography, cryptographic protocol design, and privacy.


Mina Deng received the M.Sc. degree in electrical engineering and the Ph.D. degree in engineering (cryptography) from the Katholieke Universiteit Leuven, Belgium, in 2004 and 2010, respectively. She is currently a researcher at the Computer Security and Industrial Cryptography (COSIC) Research Laboratory, Department of Electrical Engineering, Katholieke Universiteit Leuven, Belgium. She also works as a scientific researcher for the Interdisciplinary Institute for BroadBand Technology (IBBT) Belgium. Her research interests include applied cryptography, content protection, security and privacy, and identity management.

Tiziano Bianchi (S'03–M'05) was born in Prato, Italy, in 1976. He received the M.Sc. degree (Laurea) in electronic engineering and the Ph.D. degree in information and telecommunication engineering from the University of Florence, Italy, in 2001 and 2005, respectively. Since March 2005, he has been with the Department of Electronics and Telecommunications, University of Florence, as a Research Assistant. His research interests have involved processing of SAR images, signal processing in communications, multicarrier modulation techniques, and ultra-wideband systems. Current research topics include multimedia security technologies and signal processing in the encrypted domain.

Alessandro Piva (M'04–SM'10) received the Ph.D. degree in computer science and telecommunications engineering from the University of Florence in 1999. From 2002 to 2004, he was a Research Scientist at the National Inter-University Consortium for Telecommunications. He is at present Assistant Professor at the University of Florence, Firenze, Italy. His current research interests are the technologies for multimedia content security, and image processing techniques for the Cultural Heritage field. He is coauthor of more than 100 papers published in international journals and conference proceedings. Dr. Piva holds three Italian patents and an international one regarding watermarking. He serves as Associate Editor of the IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, of the EURASIP Journal on Information Security, and of the LNCS Transactions on Data Hiding and Multimedia Security.

Bart Preneel (S’85–M’87) received the M.S. degree in electrical engineering and the Ph.D. degree in applied sciences (cryptology) from the Katholieke Universiteit Leuven, Belgium, in 1987 and 1993, respectively. He is currently Full Professor with the Katholieke Universiteit Leuven, Leuven, Belgium. He was Visiting Professor at five universities in Europe and was a Research Fellow with the University of California at Berkeley. He has authored and coauthored more than 300 reviewed scientific publications and is the inventor of three patents. His main research interests are cryptography and information security. Prof. Preneel is President of the International Association for Cryptologic Research (IACR) and of the Leuven Security Excellence Consortium (L-SEC vzw.), an association of 60 companies and research institutions in the area of e-security.