Page 1: A Buyer-Seller Watermarking Protocolisis.poly.edu/memon/pdf/2001_A_Buyer-Seller_Watermarking_Protoc… · A Buyer-Seller Watermarking Protocol Nasir Memon⁄ Polytechnic University

A Buyer-Seller Watermarking Protocol

Nasir Memon∗
Polytechnic University

Ping Wah Wong
Apalo.com

Abstract

Digital watermarks have recently been proposed for the purposes of copy protection and copy deterrence for multimedia content. In copy deterrence, a content owner (seller) inserts a unique watermark into a copy of the content before it is sold to a buyer. If the buyer sells unauthorized copies of the watermarked content, then these copies can be traced to the unlawful reseller (original buyer) using a watermark detection algorithm. One problem with such an approach is that the original buyer whose watermark has been found on unauthorized copies can claim that the unauthorized copy was created or caused (for example, by a security breach) by the original seller. In this paper we propose an interactive buyer-seller protocol for invisible watermarking in which the seller does not get to know the exact watermarked copy that the buyer receives. Hence the seller cannot create copies of the original content containing the buyer’s watermark. In cases where the seller finds an unauthorized copy, the seller can identify the buyer from a watermark in the unauthorized copy, and furthermore the seller can prove this fact to a third party using a dispute resolution protocol. This prevents the buyer from claiming that an unauthorized copy may have originated from the seller.

∗N. Memon was partially supported by NSF Grant NCR-9996145.


1 Introduction

Recent years have seen a rapid growth in the availability of multimedia content in digital form. Given the ease with which content in digital form can be duplicated, there has been an increasing interest in developing copy protection or copy deterrence mechanisms. Digital watermarks represent one particular approach that has been proposed for solving these problems [14, 22]. A watermark is a secret-key-dependent signal added to digital data (namely audio, video or an image) which can later be extracted or detected to make an assertion about the data. In general, the watermark could be visible or invisible¹. A visible watermark typically contains a conspicuously visible message or a company logo indicating the ownership of the image. On the other hand, invisibly watermarked content appears perceptually identical to the original. The existence of an invisible watermark can only be determined using an appropriate watermark extraction or detection algorithm. In this paper we restrict our attention to invisible watermarks. For some excellent and recent reviews on invisible watermarking techniques the reader is referred to [5, 10, 21].

Invisible watermarks can potentially be used for both copy protection and copy deterrence applications. For an example of a copy protection application, consider a closed system where the multimedia content needs special hardware for copying and/or viewing. An invisible watermark can be inserted into this content indicating the number of copies, if any, that will be permitted by the hardware. Every time a copy is made the watermark can be modified by the hardware and after a point the hardware would not create further copies of the data. An example of such a system is being standardized for the second generation Digital Video Disc (DVD) [1, 13].

Copy deterrence, on the other hand, is achieved by a mechanism that can trace unauthorized copies to the original owner of the content. For example, in applications where multimedia content is electronically distributed over a network, the content owner can embed a distinct watermark (a fingerprint) in each copy of the data that is distributed. If, at a later point in time, unauthorized copies of the data are found, then the origin of the copy can be determined by retrieving the unique watermark corresponding to each buyer. This discourages unauthorized duplication and distribution. For such a scheme to work, the watermark clearly needs to be invulnerable against deliberate attempts to forge, remove or invalidate it.

¹ In a strict sense this terminology is incorrect when watermarking other forms of multimedia data such as sound clips. We say “visible” and “invisible” when in a wider sense we mean “perceptible” and “imperceptible” respectively.

One problem, first identified in [17], with traditional watermarking-based fingerprinting techniques is that the watermark is inserted solely by the seller. A buyer whose watermark has been found in unauthorized copies can claim that the unauthorized copy was created by the seller! This could be done, for example, by a malicious seller who may be interested in framing the buyer. It could also be possible when the seller is not the original owner but a reselling agent who could potentially benefit from making unauthorized copies [17]. Finally, even if the seller was not malicious, an unauthorized copy containing the buyer's fingerprint could have originated from a security breach in the seller's system and not from the buyer.

In order to deal with this problem, Qian and Nahrstedt [17] propose an owner-customer watermarking protocol. In this scheme, a customer supplies the owner with an encrypted version of a pre-determined and fixed bit-sequence. Upon receiving this, the owner embeds the encrypted sequence into the image using an invisible watermarking algorithm. This watermarked copy is then transmitted to the buyer. Since only the buyer knows the decryption key, he can prove to a third party the legitimate ownership of the copy in his possession. However, the protocol does not solve the problem of irrevocably binding the customer to the specific copy sold to him and holding him responsible for any unauthorized copies of the same found in the market. This is because, as with traditional fingerprinting, the owner knows the exact copy in each buyer's possession and the buyer can claim, as mentioned above, that an unauthorized copy was created by the seller or caused by a security breach in the seller's system.

In this paper we propose an interactive buyer-seller protocol for invisible watermarking in which the seller does not get to know the exact watermarked copy that the buyer receives. Hence the seller cannot create copies of the original content containing the buyer's watermark. However, in case the seller finds an unauthorized copy, she can identify the buyer from whom this unauthorized copy has originated and furthermore also prove this fact to a third party by means of a dispute resolution protocol. Hence, the buyer cannot claim that an unauthorized copy may have originated from the seller. The watermark embedding protocol is based on public key cryptography and has little overhead in terms of the total data communicated between the buyer and the seller. The dispute resolution protocol is a 3-party protocol and requires the buyer to participate in order to prove his innocence in case the seller accuses him of making unauthorized copies. If a buyer refuses to participate then this would be taken as an admission of guilt on the part of the buyer.

The rest of this paper is organized as follows: in the next section we first give a general description of our protocol which is followed by an explicit construction in section 3. In section four we discuss possible attacks. In section five we conclude and discuss future avenues of research.

2 The Buyer-Seller Watermarking Protocol

Before we describe the watermarking protocol in detail, we first establish some notation, introduce some terminology, and state certain assumptions. For ease of exposition we assume that the content being sold is a still image, though in general the protocol is also applicable to audio and video data. We view an image X to be a vector of “features” $X = \{x_1, x_2, \ldots, x_n\}$ and the watermark as a vector of “watermark elements” $W = \{w_1, w_2, \ldots, w_m\}$ with $n \geq m$. We restrict our attention to linear watermarking techniques where the watermarking insertion step can be represented as:

$$X' = X \oplus W \tag{1}$$

where $X'$ is the watermarked image, X is the original image, W is the watermark information being embedded, and ⊕ is the insertion operation. By $X \oplus W$ we mean

$$X \oplus W = \{x_1 \oplus w_1, \ldots, x_m \oplus w_m, x_{m+1}, \ldots, x_n\}. \tag{2}$$

We assume the existence of a public key cryptosystem that is a privacy homomorphism with respect to the binary operator ⊕. By privacy homomorphism with respect to ⊕ we mean it has the property that

$$E_K(a \oplus b) = E_K(a) \oplus E_K(b) \tag{3}$$

for every a and b in the message space. Here $E_K(\cdot)$ is the encryption function and K is the public (encryption) key. For example, the well known RSA public key cryptosystem [18] is a privacy homomorphism with respect to multiplication [20]. A public key encryption function that is a privacy homomorphism with respect to addition is given in [3].

The Buyer-Seller watermarking protocol that we present in this section has four sub-protocols as shown in Figure 1: Watermark generation protocol, Watermark insertion protocol, Copyright violation detection protocol and Dispute resolution protocol. In our presentation of the protocol we assume that Alice is the agent selling the content and Bob is the buyer. We assume that Alice and Bob have public keys $K_A$ and $K_B$ respectively, and the corresponding private keys $K'_A$ and $K'_B$, all of which have been registered with appropriate certification authorities.

Finally, we assume there is a trusted watermark certification authority who generates random watermarks in the required manner and issues them to any user upon request. For clarity of exposition, we first describe our buyer-seller watermarking protocol assuming the watermark certification authority is memoryless and does not maliciously or otherwise keep track of the different watermarks issued to different users. Later, we discuss how this assumption can be weakened. We now describe the four sub-protocols in general terms.

2.1 Watermark generation protocol

Bob sends a certification of his identity and his public key to the trusted watermark certification authority C and requests a valid watermark. The watermark certification authority, after establishing Bob’s credentials, generates a random but valid watermark W and sends to Bob $E_{K_B}(W)$, the watermark encrypted with Bob’s public key, along with a digital signature $\mathrm{Sign}_C(E_{K_B}(W))$ that certifies the validity of the watermark. Note that by $E_{K_B}(W)$ we mean

$$E_{K_B}(W) = E_{K_B}(\{w_1, w_2, \ldots, w_n\}) = \{E_{K_B}(w_1), E_{K_B}(w_2), \ldots, E_{K_B}(w_n)\}. \tag{4}$$

That is, each of the individual elements of the watermark W is encrypted as a separate message but with the same key.

2.2 Watermark insertion protocol

This is a 2-party protocol between Alice and Bob which proceeds as follows:

1. Bob sends to Alice the encrypted watermark, $E_{K_B}(W)$, along with the signature $\mathrm{Sign}_C(E_{K_B}(W))$ of the certification authority C. Alice verifies $\mathrm{Sign}_C(E_{K_B}(W))$ in order to be assured that $E_{K_B}(W)$ is indeed a valid watermark generated by C.

2. Let X denote the image that Bob wishes to purchase from Alice. Alice generates a unique watermark for this transaction, V, which she inserts into the image X to get the watermarked image $X'$. Note that in this step Alice is free to use any watermarking scheme of her choosing, public or private, spatial domain or transform domain, linear or non-linear. The sole purpose of the watermark V is to enable Alice to identify the specific user an illegal copy has potentially arisen from. That is, V is not the watermark that Alice will use to prove that Bob has made illegal copies of an image.

3. Alice then generates a random permutation σ of degree m which she uses to permute the elements of the encrypted watermark $E_{K_B}(W)$ received from Bob. In other words, Alice computes

   $$\sigma(E_{K_B}(W)) = E_{K_B}(\sigma(W)). \tag{5}$$

   The above is true as $E_{K_B}(W)$ is of the form $\{E_{K_B}(w_1), E_{K_B}(w_2), \ldots, E_{K_B}(w_n)\}$ and permuting first and encrypting later gives you the same result as encrypting first and permuting later.

4. Alice inserts the permuted watermark obtained above as a second watermark into the already watermarked image $X'$. Since the watermark received from Bob is encrypted with Bob’s public key $K_B$, Alice inserts this second watermark in the encrypted domain, also using $K_B$, which is known to her. Inserting a watermark in the encrypted domain is possible as we assume that the public-key cryptosystem being used is a privacy homomorphism with respect to ⊕, the operation that inserts a watermark in the image. That is, Alice computes

   $$E_{K_B}(\hat{X}) = E_{K_B}(X') \oplus E_{K_B}(\sigma(W)) = E_{K_B}(X' \oplus \sigma(W)). \tag{6}$$

   Alice then transmits $E_{K_B}(\hat{X})$ to Bob.

5. Alice stores the ID of Bob, $E_{K_B}(W)$, V, $\mathrm{Sign}_C(E_{K_B}(W))$ and σ in $\mathrm{Table}_X$. $\mathrm{Table}_X$ is a table of records maintained by Alice for image X containing one entry for each copy of X that she sells. The table contains the identity of the buyer, the unique watermark V known only to her that corresponds to the particular buyer, the encrypted watermark $E_{K_B}(W)$ which she received from the buyer along with the certificate authority's signature $\mathrm{Sign}_C(E_{K_B}(W))$ attesting the validity of the watermark, and finally the permutation σ that she used to permute the encrypted watermark before inserting it into the copy which was sold to the buyer.

6. Bob decrypts the data he receives from Alice to obtain a watermarked image $\hat{X}$. That is, Bob computes

   $$D_{K'_B}(E_{K_B}(\hat{X})) = \hat{X} = X' \oplus \sigma(W) \tag{7}$$

   where $K'_B$ is the private decryption key corresponding to the public encryption key $K_B$ and $D(\cdot)$ is the decryption function. Now Bob has a watermarked copy $\hat{X}$ of X that Alice cannot reproduce since she does not know the corresponding private key $K'_B$. Also, since Bob does not know σ he cannot remove σ(W) from $\hat{X}$ even though he knows W. Neither can he remove V, which is also unknown to him.

2.3 Copyright violator identification protocol

On discovering an unauthorized copy of X, say Y, Alice can determine the buyer from whom this copy has originated by detecting the unique watermark that she inserted for each buyer. This is done by means of a watermark extraction function D which takes Y and, depending on the watermarking technique, X as inputs. Let U denote the watermark that is returned by the watermark extraction function D(X, Y). Using this extracted watermark U, Alice then locates the buyer in $\mathrm{Table}_X$ to whom Y was sold. The exact mechanism for locating the buyer in $\mathrm{Table}_X$ depends on the watermarking technique used. For robust watermarks this would generally be accomplished by correlating U with every watermark V in $\mathrm{Table}_X$ and selecting the one with the highest correlation beyond a confidence threshold. Once this V is located in $\mathrm{Table}_X$, Alice reads the Buyer ID field to obtain the identification of the buyer from whom this copy has originated. If U cannot be matched to any watermark V in $\mathrm{Table}_X$, then the protocol returns failure.

2.4 Dispute resolution protocol

In case Bob denies that an unauthorized copy Y has originated from his version of the image, Alice can reveal σ, $E_{K_B}(W)$ and $\mathrm{Sign}_C(E_{K_B}(W))$ to the judge. The judge first verifies $\mathrm{Sign}_C(E_{K_B}(W))$. He would then ask Bob for his private key $D_B$, using which he can compute W and check for the presence of σ(W) in Y. Actually, Bob need not reveal his private key, as this is undesirable. He could just reveal W to the judge by decrypting $E_{K_B}(W)$. The judge could then verify W by encrypting it with Bob’s public key and checking whether it equals $E_{K_B}(W)$.

After verifying W, the judge can then run the watermark extraction algorithm on Y and check if σ(W) is indeed present in Y. If σ(W) is found in Y, Bob is found guilty; otherwise Bob is innocent. Note that the dispute resolution protocol is a 3-party protocol. Bob has to take part in the protocol by revealing W to the judge.

3 An example construction

In the previous section we gave a general description of the buyer-seller watermarking protocol where we assumed the existence of appropriate watermarking and encryption techniques such that the watermark could be inserted in the encrypted domain. In this section we give a specific construction which uses a spread-spectrum watermarking technique proposed by Cox et al. [4] along with the RSA cryptosystem [18].

Cox et al. [4] embed a set of independent real numbers $W = \{w_1, w_2, \ldots, w_m\}$ drawn from a zero mean, variance 1, Gaussian distribution into the m largest DCT AC coefficients of an image. Results reported using the largest 1000 AC coefficients show the technique to be remarkably robust against various image processing operations, and also after printing and re-scanning. Specifically, they take the 2-dimensional DCT of an image X and the watermark W is inserted into the largest m AC coefficients $\{x_1, x_2, \ldots, x_m\}$ by a suitable insertion formula to yield modified coefficients $\{x'_1, x'_2, \ldots, x'_m\}$. For example, the insertion formula used could be

$$x'_i = x_i(1 + \alpha w_i)$$

where α is a small constant. An inverse 2D DCT is then taken, yielding the watermarked image $X'$. To determine if a given image Y contains the watermark W, the decoder extracts $T = \{t_1, t_2, \ldots, t_m\}$ from Y by taking the largest m DCT AC coefficients of Y and subtracting their value from $x_i$. That is,

$$t_i = x_i - y_i. \tag{8}$$

The confidence measure on the presence of the watermark W in Y is taken to be the correlation between W and T. Watermark detection can also be done without using the original image in the process [24], but then the robustness of the technique is diminished.

The above watermarking technique can be used along with the well known RSA public key system to provide a specific construction of the general buyer-seller protocol described in the previous section. The RSA cryptosystem operates in $Z_n$ where n is a product of two very large primes p and q. A message x is then encrypted as

$$y = E_a(x) = x^a \bmod n \tag{9}$$

where a is the public encryption key and the corresponding decryption function is

$$x = D_b(y) = y^b \bmod n \tag{10}$$

where b is the private decryption key.

In the context of the proposed buyer-seller watermarking protocol, the watermark generation step consists of the watermark certification authority constructing a watermark W for Bob by using M randomly chosen samples from a zero mean, variance 1, Gaussian distribution. For a practical implementation, the samples would be truncated to some fixed precision, say 64 bits. They would then be used to generate the watermark $W = \{(1 + \alpha \cdot w_1), \ldots, (1 + \alpha \cdot w_m)\}$, which is encrypted, element by element, with Bob’s public key. This encrypted watermark vector $E_B(W)$ along with its signature is transmitted to Bob, who may keep a copy of it before transmitting it along to Alice. Alice can verify the certification authority's signature to ensure the validity of the encrypted watermark vector she has received. Alice then inserts her own watermark V into the original image X to get $X'$. As we mentioned before, V could be based on any watermarking technique of her choice. She then permutes the elements of $E_B(W)$ and embeds them into the N largest AC coefficients by computing

$$\hat{X} = E_B(X') \cdot \sigma(E_B(W)) = E_B(X') \cdot (E_B(\sigma W)) = E_B(X' \cdot \sigma W). \tag{11}$$

Since the RSA cryptosystem has the property that $E(x) \cdot E(y) = E(xy)$, the watermark W gets embedded into the image in the encrypted domain. Here again, each DCT coefficient can be represented with some fixed precision, say 64 bits. In order for Bob to be able to recover xy we have to select the modulus n of RSA to be large enough such that xy < n. Hence if W and X have 64 bit precision then n should be at least 128 bits. But this is not a problem in practice, as n is usually 512 or 1024 bits. Alice transmits this encrypted and doubly watermarked image to Bob, who can decrypt and then compute an inverse DCT to get his unique watermarked copy.

It is easy to see that since Alice has permuted the elements of W, Bob cannot remove W from his copy although he is the only party (aside from the watermark certification authority, which we assumed is memoryless) that knows W. Also, Alice can only compute an encrypted version of Bob's unique copy, which is useless as she cannot decrypt and distribute it to falsely frame Bob. In the case of a dispute Alice takes the evidence listed in the previous section to the judge, who can determine whether an unauthorized copy belongs to Bob.
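The construction above, run end to end on toy numbers. This is an added example, not code from the paper: the key sizes, `ALPHA`, the fixed-point `SCALE`, the constructed coefficient list standing in for $X'$ (Alice's V is assumed to be embedded already), and the ratio-based extraction used by the judge in place of the difference in equation (8) are all assumptions made for illustration.

```python
import hashlib
import random
from math import gcd

ALPHA = 0.1        # embedding strength alpha (assumed value)
SCALE = 1 << 16    # fixed-point scale for 1 + alpha*w (toy precision)

def keygen(p, q, e=65537):
    """Textbook RSA from two primes; returns (n, e, d)."""
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return p * q, e, pow(e, -1, phi)

# Constructed toy keys built from Mersenne primes; not secure sizes.
BOB = keygen(2**61 - 1, 2**89 - 1)      # Bob's key pair (n, e, d)
CA = keygen(2**107 - 1, 2**127 - 1)     # certification authority C

def digest(values, n):
    data = ",".join(map(str, values)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def ca_issue(m, bob_pub, seed):
    """Watermark generation: C returns E_B(W) and Sign_C(E_B(W))."""
    n, e = bob_pub
    rng = random.Random(seed)
    w = [rng.gauss(0, 1) for _ in range(m)]
    u = [round((1 + ALPHA * wi) * SCALE) for wi in w]    # elements 1 + alpha*w_i
    enc_w = [pow(ui, e, n) for ui in u]                  # encrypted element by element
    return enc_w, pow(digest(enc_w, CA[0]), CA[2], CA[0])

def ca_verify(enc_w, sig):
    return pow(sig, CA[1], CA[0]) == digest(enc_w, CA[0])

def alice_insert(x_prime, enc_w, sig, bob_pub, seed):
    """Watermark insertion: verify the signature, permute, embed under E_B."""
    n, e = bob_pub
    if not ca_verify(enc_w, sig):
        raise ValueError("watermark not certified by C")
    sigma = list(range(len(enc_w)))
    random.Random(seed).shuffle(sigma)
    enc_perm = [enc_w[j] for j in sigma]                 # sigma(E_B(W)) = E_B(sigma(W))
    enc_img = [pow(x, e, n) * c % n for x, c in zip(x_prime, enc_perm)]  # eq. (11)
    return enc_img, sigma                                # sigma goes into Table_X

def bob_decrypt(values, bob_key):
    n, _, d = bob_key
    return [pow(c, d, n) for c in values]

def correlation(a, b):
    dot = sum(p * q for p, q in zip(a, b))
    norm = (sum(p * p for p in a) * sum(q * q for q in b)) ** 0.5
    return dot / norm if norm else 0.0

def judge(y, x_prime, sigma, enc_w, sig, revealed_w, bob_pub, threshold=0.9):
    """Dispute resolution: check signature, check Bob's W, look for sigma(W) in Y."""
    n, e = bob_pub
    if not ca_verify(enc_w, sig):
        return "evidence rejected"
    if [pow(u, e, n) for u in revealed_w] != enc_w:
        return "revealed W does not match E_B(W)"
    expected = [revealed_w[j] / SCALE - 1 for j in sigma]        # alpha * sigma(W)
    extracted = [yi / xi - 1 for yi, xi in zip(y, x_prime)]
    return "guilty" if correlation(expected, extracted) >= threshold else "innocent"

def run_demo(m=64):
    bob_pub = BOB[:2]
    x_prime = [1000 + 37 * i for i in range(m)]   # constructed coefficients of X'
    enc_w, sig = ca_issue(m, bob_pub, seed=1)
    enc_img, sigma = alice_insert(x_prime, enc_w, sig, bob_pub, seed=2)
    x_hat = [v / SCALE for v in bob_decrypt(enc_img, BOB)]       # Bob's copy, eq. (7)
    w_bob = bob_decrypt(enc_w, BOB)                              # Bob reveals W, not his key
    leaked = judge(x_hat, x_prime, sigma, enc_w, sig, w_bob, bob_pub)
    clean = judge(x_prime, x_prime, sigma, enc_w, sig, w_bob, bob_pub)
    bogus = judge(x_hat, x_prime, sigma, enc_w, sig, [u + 1 for u in w_bob], bob_pub)
    return leaked, clean, bogus

if __name__ == "__main__":
    print(run_demo())
```

Alice only ever handles `enc_w` and `enc_img`; the plaintext copy `x_hat` exists only after Bob applies his private exponent.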

Although we have presented in this section an example implementation that uses a spread-spectrum watermarking technique and the RSA cryptosystem, similar examples can be constructed using other techniques. The above framework, for example, also holds for any additive technique (in the spatial or transform domain) and an appropriate public key cryptographic system that is a privacy homomorphism with respect to the addition operation. In a conference paper [15], the authors used the El-Gamal cryptosystem [20] and a spatial domain amplitude modulation watermarking technique [11] to provide another implementation. It was subsequently brought to our notice that the El-Gamal cryptosystem is not a privacy homomorphism with respect to addition [8]. However, there exist other public key encryption systems that are privacy homomorphisms with respect to addition [3] and can be used instead. We omit a detailed description of such an implementation as it would provide no new insight to the basic framework presented in the previous section.

4 Discussion - Attacks, Weaknesses and Countermeasures

The security of the proposed protocol relies critically on the security of the underlying watermarking and encryption techniques used in the specific construction. The encryption technique we have used, the RSA cryptosystem, is a mature and well studied technique that is believed to be secure if properly used [20].

Watermarking techniques, on the other hand, are a relatively new phenomenon and their ability to withstand attacks is still under question [7, 16]. However, there are many robust watermarking techniques that have been developed in the past few years. See, for example, [4, 9, 23, 25]. Among them, the Cox et al. scheme used in the previous section is one of the best known and has been shown to be remarkably robust against common image processing attacks and even several cycles of analog to digital conversions. The robustness of the scheme critically relies on the availability of the original image, which can be used to undo operations like scaling, cropping, rotations etc. prior to watermark detection.

Hence the protocol we propose is secure only as much as the underlying watermarking techniques are secure and robust. Nevertheless, it should be noted that our protocol does not critically make use of the properties of any one particular watermarking technique. As long as the watermark is linear (in the transform or spatial domain), it can be used in conjunction with an appropriate cryptosystem which is a privacy homomorphism with respect to the insertion operation. Hence, if a better watermarking technique is discovered, it could be readily used in the proposed protocol. Note that the proposed protocol does not require the watermarking technique to be either public or private. Either type of technique can be used. However, private watermarking techniques typically are much more robust than their public counterparts as the original image can be used to undo many image processing operations like scaling, cropping and rotation [2, 12]. Hence, it is expected that the watermark W would be inserted using a private technique.

Having said that, let us examine the protocol itself and different ways in which a malicious participant or observer may attempt to circumvent it. We do this by examining each of the four sub-protocols individually.

4.1 Watermark generation protocol

Here, Bob requests and obtains an encrypted and signed watermark from a trusted watermark certification authority. If the encryption and digital signature techniques used are secure, and the underlying Public Key Infrastructure (PKI) enables the watermark certification authority to reliably verify Bob’s identity, then there is no way Bob could change or substitute the watermark. Furthermore, inclusion of a time stamp along with information about the transaction would prevent Bob from replacing the watermark with an older one he may have obtained previously from the watermark certification authority.

It should also be noted that since the different watermark elements are being encrypted individually, the precision with which the watermark is being represented can have significant impact on the security of the encryption. For example, if each watermark element has 32 bits of precision then Alice (the seller) can exhaustively try all $2^{32}$ possible watermark elements and completely determine W. Hence each element in W must at least have 64 bits of precision (preferably 128) to make such brute force attacks infeasible.
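Why element precision bounds the secrecy of W under element-wise deterministic encryption, shown as a check on constructed data. This is an added example, not the paper's code: the toy modulus, the 12-bit demonstration size and the function names are assumptions.

```python
import random

# Constructed toy RSA public key for Bob (Mersenne primes; not a secure size).
N = (2**61 - 1) * (2**89 - 1)
E = 65537

def encrypt_elements(w):
    """Element-wise textbook RSA as in equation (4); the same input always
    produces the same ciphertext."""
    return [pow(wi, E, N) for wi in w]

def recover_by_enumeration(enc_w, bits):
    """Compare each ciphertext with the encryption of every value that fits
    in `bits` bits. Elements outside that range come back as None."""
    table = {pow(v, E, N): v for v in range(1 << bits)}
    return [table.get(c) for c in enc_w]

def candidates_per_element(bits):
    """Size of the table a holder of the public key would have to build."""
    return 1 << bits

rng = random.Random(0)
W12 = [rng.randrange(1 << 12) for _ in range(8)]            # constructed 12-bit elements
W64 = [rng.randrange(1 << 63, 1 << 64) for _ in range(8)]   # constructed 64-bit elements

if __name__ == "__main__":
    print(recover_by_enumeration(encrypt_elements(W12), 12) == W12)   # fully recovered
    print(recover_by_enumeration(encrypt_elements(W64), 12))          # nothing recovered
    print(candidates_per_element(32), candidates_per_element(64))
```

The table has $2^{\text{bits}}$ entries per watermark, so the recommendation of 64 or 128 bits per element is what keeps this comparison out of reach.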

4.2 Watermark insertion protocol

Here, Alice first inserts a watermark V which she can later use to determine the source of an illegal copy. Clearly, it is against her own interest not to perform this step in the right manner, as she will not be able to identify the source of an illegal copy. In the second step, she inserts $\sigma(W_B)$ into $X'$. Again, it is against her interest not to perform this step in the proper manner. For instance, she could insert another watermark in $X'$ instead of $\sigma(W_B)$. Specifically, she could use a watermark obtained from another user in a prior transaction. This serves no purpose as it would result in a severely corrupted image when Bob decrypts the encrypted watermarked image with his own key. This is because the watermark and the image would have been encrypted with different keys. Alice could also use a watermark obtained from Bob, but from a prior transaction. This, however, would be revealed during the dispute resolution protocol and as a result Alice will no longer be able to prove to an adjudicator that Bob has made illegal copies. This is against her interest. Also, since the watermark W sent to her by Bob is encrypted, she has no way of gleaning any information about it as long as the underlying encryption scheme is secure.

4.3 Copyright violator identification

This protocol is run by Alice to check the identity of the buyer from whom an unauthorized copy has originated. At this point she could try and find another watermark inserted into the copy of another buyer, say Trevor, that is declared present in the image by the watermark detection function. That is, a false positive. In this case Alice could conceivably hold Trevor responsible for the illegal copy. However, since the different watermarks inserted into different copies of the content have been generated randomly by the watermark certification authority, they are uncorrelated and it is highly unlikely that Alice would detect a false positive in the relatively small number of instances which she has at her disposal to try. This is especially difficult as she has no knowledge about the watermark inserted in Trevor’s copy and has seen it only in the encrypted form.

Another interesting issue is the fact that if Alice obtains a copy of the image sold to Bob, that is I + V + σ(W), she can compute W as she knows I, V and σ. However, this really is of no use to her, as now that she has a copy of the image sold to Bob she can in any case make as many copies of it as she wants, whether she knows W or not. Removing σ(W) also is of no use as she already knows I + V. Nor can she embed W in another image with malicious intent, as W is bound to the specific transaction between Alice and Bob by the signed message she receives from the watermarking authority, which she has to produce in case of dispute resolution.

4.4 Dispute resolution protocol

Here Alice takes evidence to the Judge that incriminates Bob for copyright violation. So the question arises, can Alice fabricate evidence? The answer is no. As she does not know W she is unable to do this. Bob on the other hand can refuse to co-operate, but as we said before, this would be taken as an admission of guilt. For example, when the Judge asks Bob for W, Bob can send some random watermark T instead. However, Alice has presented the Judge with a signed and encrypted copy of W and this would not match with E_B(T). If the watermark certification authority is to be trusted Bob would be considered the culprit.
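The matching step described above can be sketched as follows. This is an added example, not code from the paper: it assumes deterministic textbook RSA for E_B and a hash-then-RSA signature for the authority C, uses constructed toy keys and watermark values, omits the time-stamp, and the names `enc_bob`, `ca_issue` and `judge` are hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def keypair(p, q):
    """Toy textbook-RSA key from two primes: returns (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed toy keys built from Mersenne primes: unpadded and far too
# small for real use, chosen only so the example runs offline.
N_B, D_B = keypair(2**31 - 1, 2**61 - 1)      # Bob
N_C, D_C = keypair(2**89 - 1, 2**107 - 1)     # certification authority C

def enc_bob(w):
    """E_B(W): deterministic element-wise encryption under Bob's public key."""
    return [pow(x, E, N_B) for x in w]

def digest(cipher):
    """Hash of the encrypted watermark, reduced into C's signing domain."""
    h = hashlib.sha256(",".join(map(str, cipher)).encode()).digest()
    return int.from_bytes(h, "big") % N_C

def ca_issue(w):
    """C hands out E_B(W) together with its signature on that ciphertext."""
    cipher = enc_bob(w)
    return cipher, pow(digest(cipher), D_C, N_C)

def judge(cipher, sig, revealed):
    """Check Alice's evidence first, then the watermark Bob reveals."""
    if pow(sig, E, N_C) != digest(cipher):
        return "evidence rejected: bad CA signature"
    if enc_bob(revealed) != cipher:
        return "revealed watermark does not match signed E_B(W)"
    return "revealed watermark matches signed E_B(W)"

W = [17, 4, 250, 93, 8]     # constructed watermark issued by C
T = [3, 141, 59, 26, 5]     # constructed substitute Bob sends instead of W

if __name__ == "__main__":
    c, s = ca_issue(W)
    print(judge(c, s, W))              # honest reveal
    print(judge(c, s, T))              # Bob substitutes T
    print(judge(enc_bob(T), s, T))     # Alice swaps in a ciphertext C never signed
```

Because the encryption is deterministic, anyone holding Bob's public key can recompute E_B of the revealed value and compare it with the signed ciphertext without ever learning Bob's private key.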

4.5 Watermark certification authority

Perhaps the most undesirable feature of the proposed protocol is the requirement of a watermark certification authority C who generates valid watermarks upon request, and sends them along with a time-stamp and a digital signature. However, given the current structure of the proposed protocol, the watermark W needs to originate from a third party. Otherwise, Bob could generate a maliciously designed watermark that would be approximately invariant to permutation and send this to Alice. Since Alice only sees the encrypted watermark she is unable to tell the difference between a valid watermark and an invalid watermark. A simple way of avoiding this problem is to originate the watermark from an independent and trusted third party. The practice of using a trusted third party is actually quite common in cryptographic protocols where keys are often obtained from trusted key distribution centers. However, placing complete trust in a single source is still undesirable. For example, if Alice and C collude then they can frame Bob. Similarly if Bob and C collude then they can cheat Alice. However, C by itself cannot cheat as it knows only W and not σ, just as Bob. Nevertheless, the requirement of a trusted watermark certification authority can indeed be reduced by using some sophisticated tools from cryptography, like oblivious transfers and blind signatures. Discussion of these mechanisms would take us far out of the scope of the current paper and would take away from the simplicity of the proposed technique.
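The reason W must be random and externally generated can be seen numerically. The following is an added illustration, not code from the paper: it assumes a simple linear-correlation detector statistic and additive embedding of σ(W), with constructed watermark vectors, and the function names are hypothetical.

```python
import random

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def permute(w, sigma):
    """sigma(W): element i of the result is W[sigma[i]]."""
    return [w[j] for j in sigma]

def surviving_mark(w, sigma):
    """Fraction of the detector statistic left after the buyer's best guess.

    The buyer knows W but not sigma, so the only estimate of the embedded
    mark sigma(W) available to him is W itself. He subtracts it, and the
    seller then correlates what remains with sigma(W).
    """
    mark = permute(w, sigma)
    residual = [m - g for m, g in zip(mark, w)]
    return dot(residual, mark) / dot(mark, mark)

rng = random.Random(2001)          # fixed seed so the run is repeatable
N = 1000                           # constructed watermark length
SIGMA = rng.sample(range(N), N)    # the seller's secret permutation

# Random mark, as the certification authority would issue (constructed).
W_CA = [rng.gauss(0, 1) for _ in range(N)]
# Near-constant mark a buyer could pick if allowed to choose W (constructed).
W_BUYER = [1.0 + rng.gauss(0, 0.05) for _ in range(N)]

def demo():
    """Return the surviving fraction for the random and the near-constant mark."""
    return surviving_mark(W_CA, SIGMA), surviving_mark(W_BUYER, SIGMA)

if __name__ == "__main__":
    random_case, invariant_case = demo()
    print(f"random W from C:       {random_case:.3f} of the statistic survives")
    print(f"near-constant W:       {invariant_case:.3f} of the statistic survives")
```

With a random W the permutation hides the embedded mark from the buyer, while a near-constant W is almost unchanged by any permutation, so the secrecy of σ protects nothing.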

Another undesirable consequence of the fact that the watermark is generated by the watermark certification authority is that it is not possible to “shape” the watermark to the given image in order to make it perceptually imperceptible. This inherently restricts the “strength” of the watermark signal, which in turn affects the robustness of the underlying watermarking technique. However, a technique like the NEC scheme already shapes the watermark to a limited extent by embedding it only in, say, the first 1000 AC coefficients of the image.

5 Conclusions

In this paper we have presented an interactive buyer-seller protocol for invisible watermarking in which the seller does not get to know the exact watermarked copy that the buyer receives. Hence the seller cannot create copies of the original content containing the buyer’s watermark. However, in case the seller finds an unauthorized copy, she can identify the buyer from whom this unauthorized copy has originated and furthermore also prove this fact to a third party by means of a dispute resolution protocol. Hence, the buyer cannot claim that an unauthorized copy may have originated from the seller. The watermark embedding protocol is based on public key cryptography and has little overhead in terms of the total data communicated between the buyer and the seller. Furthermore, the protocol we have presented is quite general and can be used with different watermarking techniques and appropriate public key encryption techniques.


Figure 1: The four sub-protocols that comprise the Buyer-Seller Watermarking Protocol. [Diagram labels: Watermark Generation Protocol, Watermark Insertion Protocol, Copyright Violator Identification Protocol, Dispute Resolution Protocol; parties shown: Alice, Bob, Judge, Watermark Certification Authority.]

Nasir Memon received his M.S. and Ph.D. from the University of Nebraska in 1989 and 1992 respectively. He was an Assistant Professor of Computer Science at Arkansas State University from Aug 1992 to July 1994 and at Northern Illinois University from 1994 to 1998. He is currently an Associate Professor in the Computer Science department at Polytechnic University, New York. He was a visiting Faculty at HP Labs Palo Alto from August 1997 to July 1998 and from June to August 1999. Prof. Memon’s research interests include Data Compression, Data Encryption, Image Processing, Multimedia Content Protection and Multimedia Communication and Computing. He has published more than 100 articles in journals and conference proceedings and holds two patents in image compression. He was actively involved in the formation of a new international standard on lossless image compression, called JPEG-LS. He has been the principal investigator on funded research projects from HP, Intel, Panasonic, Mitsubishi and Sun Microsystems. In 1996 he received an NSF CAREER award for research in lossless image compression. He has organized and chaired many sessions in international conferences and is currently an associate editor for the IEEE Transactions on Image Processing.

Ping Wah Wong received the B.Sc.(Eng.) degree from the University of Hong Kong in 1977, the M.S.E.E. degree from the University of Michigan-Dearborn in 1985, and the Ph.D. degree from Stanford University in 1989.

From 1977 to 1981, he was with Coronet Industries Limited, Hong Kong, where he designed radio frequency circuits and digital tuning systems. From 1981 to 1983, he worked on an automatic train control system at Mass Transit Railways Corporation, Hong Kong. From 1989 to 1992, he was an Assistant Professor at the Department of Electrical and Computer Engineering, Clarkson University, Potsdam NY. From 1992 to 1999, he was with Hewlett-Packard Company, first with HP Laboratories where he was Project Manager in Halftoning and Image Processing, and then Manager with Internet Imaging Operation of HP responsible for imaging server/client software. He co-founded IDzap LLC in 1999, which provides anonymous web services. He co-founded Apalo.com in 2000 to provide digital photo services in Hong Kong. His interests are in digital signal processing, data security, compression, and communications.

Dr. Wong was an Associate Editor for IEEE Transactions on Image Processing from 1995 to 1997. He is now an Associate Editor for Journal on Electronic Imaging. He has been a co-chair of the Conference on Security and Watermarking of Multimedia Contents at the SPIE/IS&T Symposium on Electronic Imaging since 1999. He is a Senior Member of IEEE.