A Lightweight Buyer-Seller Watermarking Protocol

The buyer-seller watermarking protocol enables a seller to successfully identify a traitor from a pirated copy, while preventing the seller from framing an innocent buyer. Based on finite field theory and the homomorphic property of public key cryptosystems such as RSA, several buyer-seller watermarking protocols (N. Memon and P. W. Wong (2001) and C.-L. Lei et al. (2004)) have been proposed previously. However, those protocols require not only large computational power but also substantial network bandwidth. In this paper, we introduce a new buyer-seller protocol that overcomes those weaknesses by managing the watermarks. Compared with the earlier protocols, ours is n times faster in terms of computation, where n is the number of watermark elements, while incurring only O(1/lN) times communication overhead given the finite field parameter lN. In addition, the quality of the watermarked image generated with our method is better, using the same watermark strength.


INTRODUCTION
The rapid development of computer networks and increased use of multimedia data via the Internet have resulted in fast and convenient exchange of digital information. With the ease of editing and perfect reproduction, the protection of ownership of digital audio, image and video materials has become an important concern. Copyright marking [1] is a relatively new technique for hiding information in multimedia content with the aim of tracing any traitor who redistributes the content illegally. Its application is broad, for instance, copyright protection [2][3][4].
In general, a watermarking scheme for traitor tracing (a traitor is a legitimate buyer who subsequently distributes his copy illegally) involves three steps: first, an owner embeds into a cover image a watermark that identifies the buyer. Secondly, if a suspicious image is found, the owner will detect the watermark in the image. Once the watermark of a specific buyer is identified, the owner will take the case to a court. Finally, the authority will independently detect the watermark again in the image in question. If the watermark is really found, the traitor is confirmed. A number of watermarking protocols have been proposed in [5][6][7][8][9] to track down the distributors of illegal replicas.
However, the accusation against the charged distributor, who was the buyer in some earlier transaction, could be objectionable because the seller also has access to the watermarked copies and, hence, is able to release such a replica on his own to frame the distributor.
To solve the customer's right problem [10] in the arbitration phase, Memon and Wong [11] proposed an interactive buyer-seller protocol (hereafter referred to as MW protocol) for invisible watermarking. In the protocol, the seller does not know the watermark of the buyer, so the seller cannot create copies of the protected content containing the buyer's watermark. After the seller finds an unauthorized copy, the seller can identify the buyer from a watermark in the unauthorized copy, and furthermore the seller can prove this fact to a third party using a dispute resolution protocol. This prevents the buyer from claiming that the unauthorized copy may have originated from the seller himself. Memon and Wong proposed two embodiments in [11,12] based on RSA [13] and ElGamal [14] cryptosystems, respectively.
As explained in [15], Memon's protocol has a weakness in that the seller can frame a buyer with a higher-value image; this is known as the unbinding problem in [15]. To rectify the problem, Lei et al. proposed another buyer-seller protocol (called LYTC protocol hereinafter), which inserts a second watermark into the cover image. The second watermark is generated by a watermark certification authority (WCA) and sent to the buyer securely. As further observed in [15, page 1620], "the protocol (note: [11]) restricts itself to the use of linear watermarking schemes and, hence, provides limited flexibility in practice." However, Lei et al. did not propose any nonlinear method that would have allowed them to replace the asymmetric cipher in their protocol with a much cheaper symmetric cipher. Zhang et al. [16] enhanced the previous buyer-seller schemes with the same computational complexity so as to defeat a malicious arbitrator. Recently, Zhao et al. [17] follow the footprint of the MW scheme. It is not clear whether it is possible to design a nonlinear scheme because the popular/standard asymmetric cryptosystems are in finite fields. For example, other buyer-seller schemes such as [18] also employ an asymmetric cipher. Hence the cover image has to be separated and encrypted independently in the previous schemes.
Advances in Multimedia
Neither MW nor LYTC is efficient in terms of computation cost and communication overhead, because a lot of asymmetric cipher operations are performed. As the buyer-seller protocol may be employed in an online application, for example a paid Internet image gallery, response time is important to user retention. In particular, the buyer may be using a mobile device that has only limited computing power, battery life, and/or communication bandwidth. Therefore, to be feasible in practice, an alternative light-weight buyer-seller protocol is needed.
Kuribayashi and Tanaka [19] proposed an anonymous fingerprinting that improves the enciphering rate with interactive Zero-knowledge proof. But it is computationally intensive and bandwidth inefficient.
In our proposed protocol, the seller asks a WCA to generate two independent watermarks W and W, where W is used for identifying the buyer at the WCA side. Let V = W + β W where β is a predefined parameter to ensure frame-proof. V is for the seller securely while W is for the buyer securely. To be able to identify the buyer with V at the seller side, the seller embeds V into the cover image to produce a watermarked image. The buyer obtains the watermarked image which she watermarks again with (β W); this effectively reverses out β W and leaves the final copy that is watermarked with W. The identification step is the same as that in [5]. While the proposed protocol may look similar to multiwatermarking schemes (e.g., [20,21]) at first sight, our scheme is really different from them in nature. Specifically, the watermarks in multiwatermarking are independent and all the watermarked images are of high quality. In contrast, the watermarks V and W in our scheme are dependent, and only the final watermarked copy derived by the buyer is of high quality since one watermark alleviates the effect of the other.
The remainder of this paper is as follows. Section 2 elaborates on our protocol. Section 3 analyzes the protocol in terms of frame deterrence, performance comparison, and so forth. Section 4 describes experiment results. Finally, Section 5 concludes the paper.

THE PROPOSED BUYER-SELLER PROTOCOL
Denote the original image as X = {x 1 , x 2 , . . . , x n } and the watermarks for identifying a buyer as W = {w 1 , w 2 , . . . , w n } and W = { w 1 , w 2 , . . . , w n }, where n is the number of image elements (e.g., DCT coefficients) to be manipulated. Our protocol is a light-weight buyer-seller watermarking scheme that focuses on managing the watermarks. We do not design a new embedding method, but simply employ a state-of-the-art scheme for embedding the watermarks. In particular, the robust watermarking method Add-embedding in [5] is used for illustrating our proposed solution where α is the watermark strength relating to watermark robustness and invisibility. Y = {y 1 , y 2 , . . . , y n } is the watermarked image.

Trust model
In our protocol, the trust model is the same as that in MW and LYTC. There are three participants: seller, buyer, and WCA. The seller may attempt to frame an innocent buyer with an image that is embedded with the buyer's watermark (customer's right problem), or frame a traitor with a higher-value image (unbinding problem: when a pirated copy is found and the illegal distributor is identified, a higher-value image enables the seller to seek much higher compensation from the illegal distributor). The buyer may attempt to disseminate her legal copy without being identified (traitor tracing problem). In addition, the WCA, who is a trusted third party, is assumed to manage the watermarks secretly in the process of watermark generation, storage, delivery, and arbitration. We also assume that the watermarks are independent and normalized. That is to say, for any pair of watermarks W 1 and W 2 , For simplicity, for the rest of this paper we assume that all the communication messages are authentic and that the cover signal is an image.

Watermarking protocol
In the watermarking process, the original image is doubly watermarked with the watermarks generated from a WCA. Figure 1 summarizes the message flows in the watermarking process.
(1) Acting on information such as advertisement or the seller's website, the buyer B decides to purchase an image. She thus sends a request for the image.
(2) The seller S generates a fingerprint h S from the features of the original image X (e.g., [22]). He then forwards the request of the buyer along with h S to a WCA.
(3) The WCA generates two independent watermark sequences W and W based on h S and buyer's description. Let V = W + β W, where β > 1 is a predefined parameter that controls the quality of the watermarked image at the seller side. The WCA sends the ciphertext E B (αβ W) to the buyer, and E S (V) to the seller respectively. (In order to speed up encryption/decryption, a hybrid algorithm [23] is used to produce E S (V): WCA generates a random session key K, then encrypts K with the seller's public key, and encrypts the watermark V with the session key K. A similar process is applied to produce E B ( W).)
(4) The seller decrypts E S (V) to extract V. Next he inserts V into the cover image X to produce his watermarked copy The seller sends Y 1 and h S to the buyer.
(5) The buyer decrypts E B (αβ W) with her private key to obtain αβ W, then she generates her watermarked copy Afterwards, the buyer will reconstruct the fingerprint h B of Y 2 . Due to the invisibility property of watermarking, the original image is only manipulated slightly. Hence, h S should match the fingerprint h B at a very high probability. Thus, if h S ≠ h B , the buyer rejects the watermarked image Y 2 and complains to the WCA.
Figure 1: Our proposed watermarking protocol. Y 1 is the seller's copy, and Y 2 is the buyer's copy. E B (·) is a hybrid encryption [23] with the public key of buyer. h S is the fingerprint of the original image, and it is signed by the seller (the signature is not shown here).

Identification protocol
Whenever the seller finds a suspicious copy Y = Y 2 + αD, where D is a distortion due to whatever reasons, he tests the copy with the buyer's message V based on the method in [5]. Specifically, he checks whether for some predefined threshold η S , where is a small number. Thus, the seller will accuse the buyer if γ S > η S . If there is more than one potential traitor, the seller may target the one with the largest γ S .

Dispute resolving protocol
In case the buyer denies that an unauthorized copy originated from her version of the image, the seller asks the WCA (for simplicity, we assume that the WCA is also the arbitrator.) to resolve the dispute. Since the WCA calculates the correlation value with W instead of V according to (4), smaller noise is involved in WCA's detection. Hence the WCA's decision is final: where is small since D and W are independent.

ANALYSIS OF THE PROPOSED PROTOCOL
In this section, we analyze the proposed protocol with regard to customer's right, traitor tracing, and performance.

Parameter selection
The present scheme has to select some parameters, especially α and β. α is used to control the quality of the watermarked image generated by the buyer, and β is used to prevent the seller from framing the buyer. For the sake of security, both α and β are unknown to the buyer. Based on (8) in Section 3.2, β = 10 is enough since the interference noise can reduce the quality of the watermarked image by 20 dB. The other parameters for threshold values (e.g., η S for seller's detection and η W for arbitrator's detection) can be decided based on the security requirement.

Frame-resilience
Since the seller knows the image Y 1 which is watermarked with both W and W, an accused buyer may argue that she has been framed by the seller. Fortunately, the watermarked image Y 1 that the seller possesses is of low quality due to the large amount of noise α(W + β W), so it is not worth protecting the watermarked image Y 1 at all. To demonstrate the fidelity of the watermarking, let us measure the distortion mean squared error (MSE) σ 1 and σ 2 of the watermarked images Y 1 and Y 2 : Therefore, the difference Δ PSNR in peak signal-to-noise ratio (PSNR) [24] between Y 1 and Y 2 is $\Delta_{\mathrm{PSNR}} = 10\log_{10}\frac{\alpha^{2}(1+\beta^{2})}{M} - 10\log_{10}\frac{\alpha^{2}}{M} = 10\log_{10}(1+\beta^{2})$, where M is the number of pixels in the image. To achieve high robustness, Cox's watermarking method in (1) is performed in the frequency domain; thus, (5) and (6) are calculated in the frequency domain. However, PSNR is defined in the spatial domain. We are still able to calculate the difference in PSNR with (7) though, because the MSE in the spatial domain is equal to that in the frequency domain. According to (8), the quality of the watermarked image Y 1 is much lower than that of Y 2 . Therefore, the buyer is willing to execute the second embedding so as to reduce the embedding noise. Since Y 1 is of very low quality, the seller has no reason to frame a buyer with such a poor-quality image.

Detecting malicious buyer
The identification protocol in Section 2.3 can detect a traitor if she follows the protocol faithfully. However, a malicious buyer may attempt to defeat the protocol by exploiting knowledge of the watermarked image Y 1 and her watermark W. For instance, the buyer selects a random sequence Z over a distribution with mean 1, and generates a new watermark αβ W which is close to αβ W: Then, she calculates If the seller finds an illegal Y 2 , he will check it with (3) as Clearly, the correlation value γ S is a random variable which depends on variable Z. Since αβ is unknown to the buyer, z i should be selected by the buyer in a small interval [1−ε, 1+ε]. Therefore, the expected value of γ S is In contrast, the expected correlation value γ S of an innocent buyer with watermark pair (W , W ) is Thus, a traitor can be identified at a high probability, while an innocent buyer has a very low probability of being accused wrongly.

Performance comparison
In this subsection, we compare our protocol with the earlier protocols in [11,15], in terms of computation cost and communication overhead. Here, Mul-RSA denotes the protocols in [11,15]. Table 1 gives the comparative performance among the protocols. In the table, the first row indicates the quality degradation of the final watermarked image Y 2 with reference to the original image X. Clearly, our method (in (6)) produces watermarked images of better quality than that achievable by [11] or [15], with the same parameter α.
In the previous schemes [11,15], each element is processed independently, thus the computation cost and overhead increase linearly with the number n of the manipulated elements. In contrast, our protocol which employs the hybrid scheme [23] has only one asymmetric operation at the seller/buyer, and two asymmetric operations at the WCA. Correspondingly, the communication overhead is almost constant. As a result, our scheme is much more efficient in terms of computation cost (rows 3-5) and communication overhead (rows 6-7). Roughly, the earlier schemes are n times slower while generating l N /l X times more network traffic.
To illustrate the performance differences, we use typical parameter settings l X = 64, l N = 1024, l W = 32, and n = 10000. Since symmetric cipher (e.g., AES/RC4) is much faster (over 1000 times) than asymmetric cipher (e.g., RSA-1024), we can ignore the computation time of symmetric encryption/decryption. According to the experiment in [25] with Pentium IV 2.1 GHz processor running Windows XP, T e = 0.18 milliseconds, T d = 4.77 milliseconds, T sk ≈ 100T d = 477 milliseconds. As shown in Table 2, the protocols of [11,15] are almost 360 times slower than our scheme at the seller, and 10000 times slower at the buyer. The latter differentiation is particularly critical for buyers that use portable devices with limited computing and communication resources. We should also clarify that the proposed protocol has the disadvantage that the WCA (or seller) has to record all the watermarks W (or V, resp.) associated with each transaction, whereas in [15] only the seller records the watermarks, and the WCA is memoryless.
Y. Wu and H. Pang

EXPERIMENTAL RESULTS
In the following experiments, we set α = 20, β = 10, and the size of the test images to 200 × 200. The normalized watermarks W and W are of length n = 1000. For each 8 × 8 DCT block, 16 coefficients are selected for embedding. Thus, each watermark is embedded with the repetition r = ((200 × 200)/(8 × 8)) × 16/n = 10 to achieve robustness in detection.
As our protocol aims to protect customer's right, it employs Cox's embedding method [5] twice and hence produces the watermarked images Y 1 and Y 2 . The entire watermarking process includes the following steps. (1) The WCA produces watermarks W and W. (2) The seller performs DCT on the original image X, embedding V = W + β W into X in the DCT domain, IDCT, and round IDCT output into integer interval [0, 255] to produce Y 1 . (3) The buyer executes DCT on Y 1 , embedding β W into Y 1 in DCT domain, IDCT, and round IDCT output to produce Y 2 .
The following experiment results indicate that our protocol has little side effect on the underlying embedding method in terms of robustness and invisibility.

Detecting "honest" traitor
To verify the detection method in Section 2.3, assume 400 watermark pairs (W, W) are generated by the WCA, and assigned to 400 buyers. We generate a watermarked image Y 2 with the watermarks of the 200th buyer according to (3). The seller then calculates the correlation values γ S with (3). Figure 2 illustrates the correlation values at the seller. It shows clearly that the 200th buyer is the traitor. Similarly, Figure 3 shows the detection result of the WCA with (4). The WCA confirms that the 200th buyer is indeed the traitor.

Detecting malicious buyer
As mentioned in Section 3.3, a malicious buyer may use (10) instead of (3) to create a pirated copy. Assume that the buyer selects z i uniformly from (0.9, 1.1) with mean 1. Since the watermark W is close to W, her watermarked image will be of good quality. If such a pirated copy is found, the seller calculates the correlation value γ S based on (3). Figure 4 illustrates the detection results by the seller for the traitor and innocent users. Similarly, Figure 5 is the detection result γ W from WCA according to (4). As with "honest" traitors, the malicious buyer will be identified by the seller and WCA according to Figures 4 and 5. Therefore, the traitor is accused correctly while other buyers are not framed despite the traitor modifying the watermarking method. This experiment result is in concert with our analysis in (12) and (13).

Comparing PSNR of watermarked image
To demonstrate the different quality of the watermarked images, we now test a group of images. Figure 6 shows the PSNRs of the watermarked images, and Figure 7 shows a portion of the watermarked images Y 1   the PSNR of Y 1 is 16 dB lower than that of Y 2 (due to integer transform, the experimental Δ PSNR is smaller than that in (8)). This confirms that it is pointless for the seller to frame the buyer with Y 1 .
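The following Python code is an added example, not code from the paper: it replays the watermarking, identification and dispute steps on a constructed coefficient vector, for an honest traitor and for the malicious buyer with z i drawn from (0.9, 1.1), and returns every buyer's correlation value at the seller and at the WCA together with the PSNR gap between Y 1 and Y 2 . The embedding and detection equations are not reproduced on this page, so the additive form Y 1 = X + αV, unit-norm Gaussian watermarks and the non-blind correlation statistic are assumptions, as are all function names and the name `w_t` for the second watermark; n = 10000 is taken from the performance comparison.

```python
import math
import random

ALPHA, BETA = 20.0, 10.0   # alpha and beta from the page's experiments
N = 10000                  # n from the page's performance comparison

def unit_mark(rng, n=N):
    """Gaussian sequence scaled to unit norm (assumed reading of 'normalized')."""
    w = [rng.gauss(0.0, 1.0) for _ in range(n)]
    norm = math.sqrt(sum(v * v for v in w))
    return [v / norm for v in w]

def wca_issue(rng):
    """WCA: W (kept for arbitration), V for the seller, alpha*beta*w_t for the buyer."""
    w, w_t = unit_mark(rng), unit_mark(rng)
    v = [a + BETA * b for a, b in zip(w, w_t)]
    return w, v, [ALPHA * BETA * b for b in w_t]

def seller_embed(x, v):
    """Seller's copy Y1 = X + alpha*V (assumed additive embedding)."""
    return [xi + ALPHA * vi for xi, vi in zip(x, v)]

def buyer_finish(y1, to_buyer, z=None):
    """Buyer's copy Y2 = Y1 - z*(alpha*beta*w_t); z=None is the honest buyer."""
    z = z or [1.0] * len(y1)
    return [yi - zi * ti for yi, zi, ti in zip(y1, z, to_buyer)]

def correlate(suspect, x, mark):
    """Assumed non-blind statistic: <(suspect - X)/alpha, mark>."""
    return sum((s - xi) / ALPHA * m for s, xi, m in zip(suspect, x, mark))

def mse(y, x):
    return sum((a - b) ** 2 for a, b in zip(y, x)) / len(x)

def run(buyers=20, traitor=7, malicious=False, seed=1):
    """Return (gamma_S per buyer, gamma_W per buyer, PSNR gap in dB)."""
    rng = random.Random(seed)
    x = [rng.uniform(0.0, 255.0) for _ in range(N)]   # constructed cover coefficients
    issued = [wca_issue(rng) for _ in range(buyers)]
    _, v, to_buyer = issued[traitor]
    y1 = seller_embed(x, v)
    z = [rng.uniform(0.9, 1.1) for _ in range(N)] if malicious else None
    y2 = buyer_finish(y1, to_buyer, z)                # the copy that later leaks
    gamma_s = [correlate(y2, x, rec[1]) for rec in issued]   # seller tests each V
    gamma_w = [correlate(y2, x, rec[0]) for rec in issued]   # WCA tests each W
    delta_psnr = 10 * math.log10(mse(y1, x) / mse(y2, x))
    return gamma_s, gamma_w, delta_psnr

if __name__ == "__main__":
    for mal in (False, True):
        gs, gw, d = run(malicious=mal)
        print(mal, gs.index(max(gs)), gw.index(max(gw)), round(d, 2))
```

In this model the seller's statistic carries a cross term between the two watermarks scaled by β, so it is noisier than the WCA's, which matches the remark in the dispute resolving protocol that smaller noise is involved in the WCA's detection.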

CONCLUSION
Since the buyer-seller protocols in [11,15] employed the homomorphic property of public key cryptosystem to encrypt each image element (i.e., DCT coefficient), they incur large computation costs and increase the size of the intermediate (encrypted) images (i.e., the first watermarked image). To overcome these shortcomings, we propose a watermark management solution that preserves the functionality in [11,15], but is much more efficient in terms of computation cost and communication overhead. Another advantage is that watermarked images generated by our solution have significantly higher quality than that achievable by [11] or [15].