A Buyer-Seller Digital Watermarking Protocol without Third Party Authorization

. For protecting copyright of digital work, a kind of digital work commerce protocol is proposed based on RSA public key system. Digital fingerprint information that embedded in digital work can only be generated by the cooperation of the publisher and the user. The publisher cannot obtain this digital work, but the publisher can judge whether the fingerprint information exists in illegal copied digital work. This protocol can be utilized to trace and accuse the illegal piracy. Meanwhile, it can also protect legal user from framed by publishers. The digital fingerprint identification procedure that dispenses with participation of the third party can effectively avoid forgery in the procedure, which makes the scheme more convenient and safer than the scheme that needs the third party.


Introduction
The convenience of digital work duplication provides an easy way for pirates.As a result, digital watermarking and fingerprint technologies are widely used to protect multi-media digital works without decline of the quality of those works and awareness of the fingerprint.The digital watermarking is mainly used in identifying ownership, while the digital fingerprint is used in buyer identification.The latter method usually uses fingerprint as the only mark of buyer's identity.Publishers add this mark in the sold copy of digital work, by which they can trace the source of illegal copy when piratical duplication is found, and then pursue legal obligation of illegal duplication.In early period, digital fingerprint schemes only concerning with symmetric fingerprint plan, the emphasis of which is fingerprint coding research in preventing collusion attack of buyers.Researchers have developed many works on the field of withstanding the collusion attack [1][2][3][4][5].
Another problem that digital fingerprint facing with is that the symmetric scheme cannot determine the source of the illegal duplication after the piracy is detected.Does this piratical work is duplicated by a user, or it is duplicated by the publisher and then impute to other people?To solve this problem, scholars proposed a concept named asymmetric fingerprint and many kinds of buyerseller protocol that base on the asymmetric fingerprint [6][7][8].In this asymmetric fingerprint method, the digital work containing fingerprint requires users to firstly decipher the work with private key.The publisher has no way to obtain digital work containing fingerprint that can be directly used.By doing so, legal user can be effectively protected from malicious accusation of the publisher.At present, most of asymmetric schemes require the publisher offers evidence to an authoritative and credible third party when he accuses a user's illegal duplication.The third party, like certificate authority and copyright center [9][10][11], should apply valid authentication.However, if the third party colludes with the user, the user can get rid of the accusation, and can even obtain original digital content and then further infringe equity of the publisher.On the other side, if the third party colludes with the publisher, the publisher can frame up any legal user.The literature [12] proposed a kind of asymmetric fingerprint method without requiring the third party.But this method has low efficiency on discovering forgery in the fingerprint identification procedure, and it also requires the user to process many data.On the basis of the literature [12], this paper proposes a kind of buyerseller protocol that does not need authoritative third party to access information.This protocol can be used in piracy tracing and accusation, it can prevent that the publisher frames the user, and can also effectively avert user's forgery during the identification procedure.In addition, this protocol has significantly decreased calculation quantity compared with [12].

Asymmetric Fingerprint Scheme Based on RSA Public Key System
The RSA cryptographic algorithm is a widely used asymmetric cryptographic algorithm with highly security.The algorithm use keys to encrypt and decrypt, where the encryption key (k d , n)is public, as it is called the public key, and the decryption key (k e ,n)is safeguarded by the user, which is correspondingly called private key.The encryption and decryption procedures are: In the RSA encryption algorithm, n is the product of two big prime numbers.The security of the algorithm is mainly decided by the difficulty of disintegrating n.Hence it is normally required to guarantee that n is longer than 512 bits to ensure the security.
The asymmetric fingerprint scheme in [12] is a kind of buyer-seller protocol that based on RSA asymmetric encryption system.The sold products within this protocol contain digital fingerprints that used in tracing products and accusing illegal duplicator, respectively.The seller embeds the fingerprint in the production for product tracing before it is sold, and then the seller and the buyer generate the fingerprint using for illegal duplicator accusation together.The process to generate this copyright watermarking that embedded in digital product is as follows: Step 1: When a user request to purchase a multi-media digital product, the publisher will firstly embed a tracing digital fingerprint DT in the original product to generate a product X for sale.Each product for sale has different tracing fingerprint.This fingerprint is only used to trace illegal duplication instead of serve as evidence in accusing the illegal duplicator.
Step 2: The user choose a digital fingerprint DF independently, here DF is a vector that its value is uniformly near 1.That is, every element of DF is uniformly valued in (1-ε,1+ε), ε is a trivial positive number.It means that , where L is the sample amount (or coefficient amount in transformation field) of the digital work X.The user will keep the secrecy of DF, and use 256 bits to denote every element in DF, and then use the public key to encrypt elements individually: ( After obtained encrypted chosen fingerprint ' DF , send this ciphered vector ' DF to the publisher.
Step 3: After received ' DF , the publisher scrambles the sequence of elements in ' DF and obtains The scrambling method ψ needs to be maintained secretly.The publisher use 256 bits to represent every element in X' as well, and encrypt every number of user's public key (k d ，n).Then multiply it with corresponding location of * DF and then get vector X*, that is: The publisher sends the vector X* as an encrypted product to the user.
Step 4: The user utilizes the private key (ke，n)to decrypt X* and then gains a digital product with tracing fingerprint.Because the length of X and DF are both 256 bits, the length of their product will not overpass 512 bits.Hence there is: Advanced Engineering Forum Vols.6-7 From Eq.6, if only the value of each element in vector DF is close to 1, Y will close to X'.In other words, it will not affect the application of the multi-media digital work X', and it will not damage the tracing fingerprint DT which is embedded in the work neither.During this process, the publisher cannot get the production since the publisher does not know the private key of the user.On the other hand, the user can not erase the fingerprint DF as the user does not know the scrambling method ψ and consequently cannot obtain ψ(DF).After the processes mentioned above, the user can get digital production with fingerprint embedded in.If the user only paid for use right rather than transfer right, the user is forbidden to copy this digital product.When a user who didn't pay for use right owns a protected digital product, the user that illegally duplicated the version he/she purchased can be confirmed according to the fingerprint DT embedded in the illegal duplication.However, DT cannot serve as evidence in accusation, and then an authorized third party is needed in that case.The publisher and the user provide the scrambling method ψ and DF to the third party respectively.The third party will decide whether DF is contained in the illegal duplication.If the third party provides the scrambling method ψ to the user, the user can erase the fingerprint.On the other hand, if the third party gives DF to the publisher, the publisher can generate Y and then frame up legal user.Consequently, both the publisher and the user hope to maintain the secrecy of their information in the fingerprint identification procedure.

Improved Asymmetric Fingerprint Scheme
Considering the defect of the mentioned scheme, a kind of asymmetric fingerprint scheme that does not need the authorized third party is proposed.The core idea is that collectively generate a batch of test signals by both the publisher and the user, only one of which contains the fingerprint DF.If the illegal duplication engendered by the user indeed, the publisher can obtain an approximate DF by compare it with the original content, and then the test signal that contains DF can be determined.No matter whether the judgment of the publisher is correct or not, the user does not need to reveal DF, while the publisher does not have to betray the scrambling method ψ.The entire process can be executed without the participation of the third party.If this procedure is applied in the court, the judicial officer, act as a bystander, can judge whether there is violation and record the final identification result.
According to the scheme proposed above, when the publisher discover an illegal duplication Y', as long as the duplication Y' is basically identical with Y, the publisher can determine from which user the duplication is generated through the pre-embedded fingerprint DT.Because of: The publisher can also obtain a fingerprint that approximate to the other fingerprint DF, which is generated by the user, from the illegal duplication.That is to say the publisher can indicate DF from multiple vectors, whose elements are uniformly valued from (1-ε,1+ε).In that situation, only if DF uniformly valued in (1-ε,1+ε), the publisher can accuse the user for the infringement without requiring user to offer DF and revealing scrambling method ψ.
The generative process of digital product with fingerprint is as follows: Step 1: Similar with the Step 1 in the previous part, that is: the publisher embeds a tracing fingerprint DF in the original digital work and gain the version X'.This fingerprint does not serve as evidence for illegal duplicator accusing neither.
Step 2: The user generates 2×L secret vectors DF 2 that every element of them are uniformly valued in (1-ε,1+ε).Then cipher DF 2 in accordance with formula (3) and get '   2 DF , and then deliver ' 2 DF to the publisher.The publisher will randomly choose half of ' 2 DF and request the user to decipher it.If the deciphered data comply with uniform distribution in (1-ε,1+ε) indeed, the rest of ' 2 DF will be considered as real accusing fingerprint DF'.The user is demanded to sign the DF', otherwise the user is believed have violated rule.Hence the publisher could refuse to sell the corresponding multi-media digital work to the user.Information Technology for Manufacturing Systems III Step 3: The publisher obtains DF* by scrambling DF', and then uses 256 bits to represent each element in X', and then encrypts each number with the public key (k d ，n)of the user, at last, multiplies it with the corresponding location of * DF and gains vector X*.
Step 4: The publisher ciphers X' with user's public key and multiplies it with ' DF , which has scrambled in terms of formula (4).Then send the production that contains tracing fingerprint and accusing fingerprint to the user.The user can obtain a digital production X* by decrypt the production.
When illegal duplication appears, the publisher can determine the illegal duplicated user according to the pre-embedded fingerprint DT.Then the publisher can accuse the suspected infringing user and launch the fingerprint identification process.The steps of the process are as follow: Step 1: The user generates (2K-1)×L random data S that are uniformly distributed in (1-ε,1+ε), that is: , where L has the same meaning as previous, K is a integer denoting the entire number of fingerprints, only one of which is the real fingerprint.The bigger the K is, the less the possible for the publisher to frame up the user is, but the calculation quantity is bigger as well.Then the user individually represents every element of S by 256 bits and encrypts it with the public key, and then obtain S'.That is: After that, calculates Hash value SH of each element in S':

Where
)) ( ( . Then transmit SH to the publisher.
Step 2: The publisher receives and records SH, and then randomly pick L elements from SH to construct vector SH K , while the rest elements are randomly divided into 2K-1 vectors that marked by SH j , . The publisher will inform the grouping situation to the user.Step 3: According to the grouping situation of the publisher, the user generates (2K-1) random vectors from the random data yield in Step 1 with the same grouping method.By doing so, a random vector group ST is obtained: where st i are vectors with L dimensions, and every element of it is obtained from S, while no overlap exists.
Step 4: The user utilizes ST and DF to generate (K-1) test signals containing fake fingerprint and a test signal containing real fingerprint DF.
Then scramble the order of those K test signals (not scrambling the inner elements in those signals).After that, convey those signals to the publisher and require the publisher to indicate which signal contains the real fingerprint DF.
If the publisher has obtained DF from the illegal duplication, the number of interrelations between DF and every test signals can be worked out.Since every element of DF are uniformly distributed in (1-ε,1+ε), if the test signal does not contain the real fingerprint, the interrelated coefficient will close to 0. On the other side, if the test signal does contain the real fingerprint DF, the interrelated coefficient will bigger than 0. Hence the publisher can indicate that the test signal corresponding to the maximum interrelated coefficient contains fingerprint DF.The publisher cannot estimate DF, in case that the publisher frames up the user.The probability of pointing out the correct test signal is only 1/K, and it is easy to see that when K is big enough, this probability will approximate to 0.
Advanced Engineering Forum Vols.6-7 Step 5: The user discloses the former (2K-2) random vectors of the (2K-1) random vectors that generated in Step 3, and the encryption value ' ( If any of those three conditions is false, the user is believed infringing in the fingerprint identification.If the user indeed duplicated the digital production and the user didn't infringe in the identification process, then the user cannot disavowal the correctness of the fingerprint identification that pointed out by the publisher.Meanwhile, because st 2k-1 is steal private, the publisher cannot calculate DF from t k , which guarantees the security of DF and eliminates the possibility of the publisher framing up the user.Otherwise, if the publisher frames a user and executes fingerprint identification, even if the attempt fails, the publisher can obtain test signal DF that contains real fingerprint.This will much benefit the publisher for later defamation.
From procedures above, it is clear that if the illegal digital production is certainly duplicated by the user, the publisher can indicate the test signal that contains the real fingerprint; if the publisher calumniates legal user, then the success probability is only 1/K.In the fingerprint identification process, the publisher and the user respectively maintain the scrambling method and the fingerprint DF secret.

Performance Analysis
In the scheme proposed in this paper and [12], there exists one important premise, that is: both the fingerprint and the random data offered by the user that adopted in fingerprint identification must uniformly distributed in (1-ε,1+ε).If the random data that provided by the user in identification process severely diverges from (1-ε,1+ε), then the identification result will be severely affected.This will result the user escaping from the accusation.However, in the identification process, one cannot command the user announces all of the random data, because the publisher can deduce the fingerprint of the user and this may result the possibility that the publisher framing up the user.To solve this problem, in the identification process of literature [12], the publisher requires the user announces part of the data to verify whether the user's generated data satisfy the uniform distribution requirement.This requirement can investigate that whether the user tricked in the identification.Nevertheless, if the user due illegally duplicated the digital production, the user may yield some data that severely diverge from (1-ε,1+ε) to counterfeit data that truly uniformly distributed in (1-ε,1+ε).As mentioned formerly, one cannot demand the user to announce all of the random data, the possibility that the user successfully fakes still exists.Here assume that m is the number of random data that generated by the user, r is the number of random data that the user is required to announce, and then the probability for the user to successfully fakes in the identification process is: On purpose of prevent the cheat, the user should reveal those random data as much as possible.On the other side, to avoid the publisher frames the user, m must achieve a certain magnitude, which cause r becomes huge.
The probability for the publisher successfully denigrating the user is: When the digital work is a digital image of 512×512, on purpose of satisfying information hiding imperceptibility, ε must smaller than 0.055, while K must no smaller than 100.It can be seen that the amount of data that require the user to generate and process is quite large.Therefore only part of data is requested to reveal in [12].Assume that 1/3 of the whole data is commanded to announce, the rest 2/3 of data is used for identification, according to Eq. 13, the probability for a user to successfully counterfeit in the identification is 0.667.So the literature cannot avoid this counterfeit effectively.
In this paper, the probability for a user to successfully counterfeit in the identification is: It shows that 1 2 P P << , the capability of preventing counterfeit of the algorithm proposed in this paper is better than that of [12].This algorithm can effectively find user's counterfeit activity in the identification process, and all of random data that generated by the user can be used in the identification.Moreover, the literature [12] needs an additional part of data to judge whether the user has counterfeited.If the user reveals 1/3 data, then the random data that needs user to process is 1/3 more than that in this algorithm.Hence this algorithm can significantly reduce the amount of work for users.

Conclusions
A kind of asymmetric fingerprint scheme that free from the authorized third party is proposed in this paper.The published digital production has two fingerprints embedded in, the fingerprint for tracing and the fingerprint for accusing piracy.When the publisher accuses a user for illegally duplicated a protected digital production, the publisher can indicate the exact user that executed the piracy, and can also verify the credibility of the identification to the judge without participation of any authorized third party.During the entire procedure, the publisher and the user can maintain their information secret.This will not cause potential threat, and can effectively avoid the user's counterfeit in the identification process.A new idea is provided in this paper for equitable electronic transaction and digital fingerprint.It has theoretical and practical sense in intellectual property rights protection and other fields.

6 :
The publisher verifies whether the following three conditions are true: (1) Whether the disclosed (2K-2) random vectors are uniformly distributed in(1-ε,1+ε).belongs to S (by judging whether the HASH value of each element of vector