Open AccessArticle

A Watermarking Protocol Based on Blockchain

Franco Frattolillo

Department of Engineering, University of Sannio, Corso Garibaldi 107, 82100 Benevento, Italy

Appl. Sci. 2020, 10(21), 7746; https://doi.org/10.3390/app10217746

Submission received: 27 September 2020 / Revised: 28 October 2020 / Accepted: 30 October 2020 / Published: 2 November 2020

(This article belongs to the Special Issue Data Hiding and Its Applications: Digital Watermarking and Steganography)

Download

Browse Figure

Versions Notes

Abstract

Digital watermarking can be used to implement mechanisms aimed at protecting the copyright of digital content distributed on the Internet. Such mechanisms support copyright identification and content tracking by enabling content providers to embed perceptually invisible watermarks into the distributed copies of content. They are employed in conjunction with watermarking protocols, which define the schemes of the web transactions by which buyers can securely purchase protected digital content distributed by content providers. In this regard, the “buyer friendly” and “mediated” watermarking protocols can ensure both a correct content protection and an easy participation of buyers in the transactions by which to purchase the distributed content. They represent a valid alternative to the classic “buyer and seller” watermarking protocols documented in the literature. However, their protection schemes could be further improved and simplified. This paper presents a new watermarking protocol able to combine the “buyer friendly” and “mediated” design approach with the blockchain technology. The result is a secure protocol that can support a limited and balanced participation of both buyers and content providers in the purchase transactions of protected digital content. Moreover, the protocol can avoid the direct involvement of trusted third parties in the purchase transactions. This can reduce the actual risk that buyers or sellers can violate the protocol by illicitly interacting with trusted third parties. In fact, such peculiarities make the proposed protocol suited for the current web context.

Keywords:

watermarking protocols; digital copyright protection; blockchain

1. Introduction

Social networks and user-generated content platforms have turned common web users into actual producers of multimedia digital content. Such content can be easily duplicated without reducing their perceptual quality. They can be also maliciously modified and/or re-distributed, thus damaging the reputation of their legitimate owners, or revealing their private information, or causing economic loss. In addition, current mechanisms implemented to protect the copyright of multimedia digital content cannot adequately meet the protection requirements needed to solve piracy problems on the Internet.

One of the technologies proposed to protect the users’ copyrights on their multimedia digital content is “digital watermarking” [1,2] used in conjunction with “watermarking protocols” [3,4,5].

Digital watermarking makes it possible to insert hidden information, such as, for example, a “fingerprint” [6,7,8], within any copy of content that has to be protected. Such information, called a “watermark”, can be used to identify the user who possesses the content, and makes the copy of the content unique and personalized.

However, to combat the unauthorized sharing of multimedia digital content on the Internet, it is necessary to distribute the watermarked content according to specific interaction schemes defined by watermarking protocols. Thus, whenever a copy of watermarked content is found in a suspicious location, such as in file repositories shared by peer-to-peer applications, the embedded watermark can be used as a proof of ownership to establish who has initially obtained the copy and then illegally shared it on the Internet.

The most relevant watermarking protocols documented in the literature enable the implementation of mechanisms for copyright protection based on content tracking by fingerprinting [3,4,5,8,9]. They mainly involve two parties: the “buyer” and the “seller”. The former wishes to get content from a web content provider, whereas the latter wishes to release it in a digitally protected form obtained by inserting a watermark. In particular, the early experiences also involve specific trusted third parties (TTPs), called “watermark certification authorities” (WCAs), whose main function is to guarantee the correct execution of the protocols [4,10,11,12,13,14,15]. However, the introduction of WCAs can reduce the security level of the protocols, since TTPs can give rise to potential collusive behaviors with buyers or sellers [2,16]. As a consequence, a number of watermarking protocols are based on “simplified” interaction schemes that do not exploit WCAs [17,18,19,20,21]. Such approaches appear to be more secure, but they turn out to be impracticable in the current web context, since they are characterized by interaction schemes that force buyers to perform complex security actions to complete content purchase transactions [22].

The watermarking protocols described in [22,23,24] attempt to overcome the drawbacks affecting previous solutions existing in the literature by proposing a new “buyer friendly” and “mediated” design approach. Such an approach reintroduces the TTP, but its role is carefully limited to a restricted part of the protocol, so as to enable a simplified participation of buyers in the content purchase transactions without reducing the security level of the protocol.

Although such experiences represent a good balance between security and easy participation of buyers in the protocol, further efforts are needed to simplify the interaction schemes of such watermarking protocols, so as to make them best suited to the current web context that does not like the presence of TTPs. In this regard, it is worth noting that blockchain technology has begun to be employed in the area of digital copyright protection [25,26,27,28,29]. In fact, blockchain belongs to the category of distributed ledger technologies that enable commercial or network transaction data to be recorded in cryptographic chained blocks by employing several security technologies, such as cryptographic hash, digital signature, and distributed consensus mechanism. When they are appended to a chain, blocks are timestamped and linked in a way that makes them resilient to modifications. Therefore, they are considered to be trusted for transactions among web entities, and can be verified in a decentralized way by exploiting multiple web nodes to form a consensus on whether a transaction is valid or not. In addition, blockchain supports the so-called “smart contracts”, which represent a way to automatically execute the terms of an agreement reached between distinct web entities. More precisely, a smart contract encapsulates a number of preset rules in the form of code, and sets corresponding trigger events under specific conditions: when the conditions are met, the terms of the agreement are automatically executed without control from a central authority [26,27,28,29,30,31].

This paper presents a new watermarking protocol based on blockchain technology. The protocol is built on the experiences previously conducted with the protocols documented in [22,23,24], and follows the buyer friendly and mediated design approach. The main aim is to simplify the interaction scheme of the protocol by exploiting the blockchain technology, which makes it possible to better control the involvement of the TTP in the protocol. In fact, such an involvement has been further restricted in order to reduce the possibility of collusive actions from the TTP, making the developed protocol more secure and suited to the current web context.

The paper is organized as follows. Section 2 reports on related work. Section 3 introduces the main challenges faced in developing the proposed protocol. Section 4 reports the basics of the proposed protocol, whereas Section 5 describes the protocol in detail. Section 6 analyzes the proposed protocol. Section 7 focuses on the main implementation aspects of the watermarking protocol. The final remarks are in Section 8.

2. Related Work

Most of the watermarking protocols documented in the literature do not exploit blockchain technology, but they are based on the well-known “buyer and seller” protection schemes and their variants characterized by the absence of TTPs. They are widely described and discussed in [5,22,23,24]. Some of them also inspire the so-called DRM (digital rights management) systems, which are complex web platforms that adopt specific technologies and interaction schemes to enable the copyright protection of digital content on the Internet [32,33]. More precisely, DRM systems do not actually define watermarking protocols, but they still implement mechanisms by which to prevent the unauthorized use of protected digital content without payment. To achieve such a goal, DRM systems use technologies based on encryption and key management [34]. However, such technologies cannot inhibit legitimate users from illegally sharing their purchased content on the Internet.

To overcome the drawbacks reported above, a number of DRM systems implement protection schemes based on “trusted computing”. They prevent the sharing of illegal keys and protected content by enabling the access to such content on the basis of the web users’ biometric features [35,36]. In fact, such systems appear to be very promising, but they lack flexibility, since they need particular hardware, such as “trusted platform modules” (TPMs) or fingerprint recognizers, and cannot defend against specific attacks, such as screen recording or I/O monitoring.

The blockchain technology, in conjunction with digital watermarking, is employed in a number of DRM systems to provide some copyright management services, such as to keep track of possible and required content modifications, copyright transfers or other transaction trails related to the managed digital content [37,38,39]. In particular, digital watermarking is mainly used to provide content tracking by fingerprinting. However, such DRM systems do not implement protection schemes able to address the peculiar problems that affect watermarking protocols, such as the “customer’s right problem” or the “unbinding problem” [4,11,22]. As a consequence, once content is downloaded and tampered, there is no legal way to prove the ownership of the content and to trace who should be responsible for copyright infringement. In fact, such considerations motivate the design of innovative watermarking protocols able to exploit the blockchain technology to overcome the limitations described above.

3. Main Challenges

One of the main challenges in designing watermarking protocols consists of accurately defining the role played by TTPs in the purchase transactions, since TTPs could collude with the other parties involved in the protocols [17,20,40] so as to impair them. In this regard, the best solution would be to totally eliminate TTPs from protocols. However, such a solution is not always possible, since protocols often need TTPs to validate specific data, or some phases of the protocol, or, for example, the plug-ins that have to be downloaded and installed in the buyers’ web browsers to complete the purchase transactions [22,23]. Furthermore, when TTPs play a limited role in the protocols, buyers end up being forced to perform complex security actions to complete the purchase transactions, and this makes the protocols impractical for the web context [17,18,19,20,21,40,41,42,43,44].

The watermarking protocols presented in [22,23,24] do not completely eliminate the TTP, but they carefully exploit it without assigning it a central role in order to simplify the buyer participation in the protocols. In particular, the TTP participates only in the initial phase of the protocols and restricts its role to the generation of a number of tokens needed to unambiguously bind the chosen content to the buyer, the seller and the ongoing purchase transaction.

Although the role of the TTP is rather restricted in the protocols described in [22,23,24], it has to be further limited if the main goal is to develop an innovative watermarking protocol suited for the current web context. In this regard, blockchain technology represents a challenge to achieve such a goal. In fact, it can be exploited in the proposed protocol with the aim of securely tracking the purchase transactions in a public ledger that can be updated by automatically executing smart contracts without resorting to the control of a TTP [26,27,28,29]. Thus, the TTP involved in the proposed protocol can act as a simple and trusted web distributor of secure tokens needed to complete the purchase transactions of protected digital content. In fact, it is not a WCA, even though it has to behave as a TTP in the sense of a common certification authority (CA) [45,46,47].

The adoption of blockchain technology to strongly restrict the role of TTP makes it necessary to accurately design and code the smart contract that controls the execution of the proposed watermarking protocol and validates each purchase transaction. In fact, this represents a relevant practical challenge well documented in the literature, since the code that implements the contract, once it has been released, can no longer be modified or updated. Therefore, if the code of the contract is incorrect or gives rise to a problem during use, it ends up impairing the entire protocol [48].

4. Basics of the Protocol

The proposed watermarking protocol is based on a limited set of well-known security facilities: public key infrastructure (PKI), homomorphic cryptosystem [49], encrypted and signed tokens [4,5,22], and blind and readable watermarking scheme [1]. Furthermore, it exploits the public key and secure communication support implemented by the SSL/TLS protocol for all the messages exchanged among the web entities involved in the protocol [46].

In more detail, if a piece of content and a watermark can be described according to a block-wise representation in the form of

X = {x_{1}, x_{2}, \dots x_{l}}

and

W = {w_{1}, w_{2}, \dots w_{l}}

respectively, the watermark insertion adopted by the proposed protocol, denoted as ⊕, results in the following expression:

X \oplus W = {x_{1} \oplus w_{1}, x_{2} \oplus w_{2}, \dots x_{l} \oplus w_{l}} = \bar{X}

since such an insertion is assumed to be based on linear watermarks [1,10,17,50]. Furthermore, if

X = {x_{1}, x_{2} \dots x_{l}}

is a digital content, its encryption by means of the function

E

results in the following expression:

E_{p k} (X) = E_{p k} (x_{1}, x_{2} \dots x_{l}) = (E_{p k} (x_{1}), E_{p k} (x_{2}) \dots E_{p k} (x_{l}))

since

E

is assumed to be a block-wise function [10,50].

Finally, the encryption function

E

is assumed to be “homomorphic” with respect to the watermark insertion. This means that any linear watermark can be embedded directly into the encrypted domain according to the following expression [10,50]:

E_{p k} (X \oplus W) = E_{p k} (X) \oplus E_{p k} (W) = E_{p k} (\bar{X})

In fact, a cryptosystem

E

is homomorphic with respect to an operation ⊙ if

E_{p k} (m_{1} ⊙ m_{2}) = E_{p k} (m_{1}) ⊙ E_{p k} (m_{2})

for any two plain messages

m_{1}

and

m_{2}

[49]. As a consequence, homomorphic encryption makes it possible to perform operations by directly working on encrypted data.

5. Watermarking Protocol

The proposed watermarking protocol is an enhancement of the buyer friendly and mediated protocols presented in [22,23,24]. It has been designed and developed according to what is reported in Section 3. Therefore, it exploits the blockchain technology to avoid the participation of a TTP in the core of the protection phase so as to simplify and secure the basic interaction scheme characterizing the protocols described in [22,23,24]. The result is an innovative watermarking protocol in which the blockchain is employed to lock in a public ledger the main tokens characterizing purchase transactions. In fact, such tokens are collected and controlled by executing a specific smart contract: if they turn out to be correct, the ongoing purchase transaction is automatically validated and completed without the direct intervention of a TTP.

Even though the proposed protocol can run without a centralized control, it still needs a TTP acting as a trusted web distributor of security tokens, such as one-time public and private key pairs and encrypted “nonces” [51], needed to complete the purchase transactions of protected digital content according to the original buyer friendly and mediated approach [22]. Moreover, the proposed protocol needs a further TTP, called “judge”. It does not participate in the phase of the protocol that applies the protection to the digital content distributed on the Internet. It only participates in the subsequent “identification and arbitration phase” needed to determine the identity of an illegal distributor of a copy of a protected digital content [22,23,24]. In fact, the TTP and the judge could even coincide, but conventional certification authorities do not usually implement the service performed by the judge [17,22].

More precisely, the proposed watermarking protocol is characterized by a protection scheme in which: (1) the seller or content provider

CP

releases content in an encrypted and watermarked form; (2) the buyer

B

can obtain the protected content by simply decrypting it; (3) the purchase transaction of a protected digital content occurring between the buyer and the content provider is validated by automatically executing a smart contract within a blockchain

BC

, which takes charge of controlling all the tokens generated by the transaction; (4) buyer and content provider take part in transactions that employ security tokens guaranteed by a “registration authority”

RA

[22,23,24]; (5) a judge

J

guarantees the dispute resolution protocol and determines if a buyer is guilty of having released pirated copies [22,23,24].

The protocol consists of two subprotocols: the protection protocol and the identification and arbitration protocol. The meanings of the symbols used to describe the protocol are reported in Table 1.

5.1. Protection Protocol

The protocol, whose scheme is reported in Table 2, starts when

B

visits the

CP

’s web site, chooses the content X, and sends the purchase request to

CP

in the message

m_{1}

Upon receiving the purchase request,

CP

contacts

RA

, by sending the message

m_{2}

, in order to obtain the security tokens to complete the purchase transaction. In fact,

RA

is a TTP that publishes a list of pairs, each including a public key

p k_{RA}^{X}

and an encrypted token

E_{p k_{RA}^{X}} (N)

. In particular,

p k_{RA}^{X}

corresponds to the secret key

s k_{RA}^{X}

. They represent a one-time key pair that can be used only in the current transaction [52]. N is a “nonce” represented by a binary string. It is encrypted by employing the public key

p k_{RA}^{X}

and a cryptosystem that is “privacy homomorphic” [49] with respect to the subsequent watermark insertion. In fact, the resulting token

E_{p k_{RA}^{X}} (N)

will be then used to generate the watermark to be inserted into the content X.

The chosen pair

(p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))

is returned by

RA

in the message

m_{3}

together with the signature

S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))

Upon receiving

m_{3}

CP

can confirm the purchase request made by

B

. In fact,

CP

generates two tokens,

X_{d}

and

T_{X}

. The former is a string that identifies the requested content X. It includes the name of the content and further data that can unambiguously describe it. The latter is a timestamp that is referred to the ongoing transaction. Then,

CP

generates the signature

S_{CP} (X_{d}, T_{X}, p k_{RA}^{X}, S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N)))

and sends the message

m_{4}

B

, which includes

X_{d}

T_{X}

p k_{RA}^{X}

S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))

, and

S_{CP} (X_{d}, T_{X}, p k_{RA}^{X}, S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N)))

After having confirmed the purchase request,

CP

can apply the protection to X. Therefore,

CP

generates its part of watermark, denoted by

W_{CP}

, which is a fingerprinting binary code obtained as an anti-collusion code [6,7,16] concatenated with an error correcting code used to address the problems of bit errors that can arise during the watermark verification process. Then,

CP

encrypts

W_{CP}

and X using the public key

p k_{RA}^{X}

and the same homomorphic cryptosystem used by

RA

to encrypt N, thus generating

E_{p k_{RA}^{X}} (W_{CP})

and

E_{p k_{RA}^{X}} (X)

Then, according to the basics reported in Section 4,

CP

concatenates

E_{p k_{RA}^{X}} (W_{CP})

and

E_{p k_{RA}^{X}} (N)

to generate the encrypted watermark

E_{p k_{RA}^{X}} (W)

according the following expression:

E_{p k_{RA}^{X}} (W) = E_{p k_{RA}^{X}} (W_{CP}) ∥ E_{p k_{RA}^{X}} (N) = E_{p k_{RA}^{X}} (W_{CP} ∥ N)

(1)

Moreover,

CP

can embed the encrypted watermark

E_{p k_{RA}^{X}} (W)

directly into the encrypted content

E_{p k_{RA}^{X}} (X)

according to the following expression:

\bar{E_{p k_{RA}^{X}} (X)} = E_{p k_{RA}^{X}} (\bar{X}) = E_{p k_{RA}^{X}} (X \oplus W) = E_{p k_{RA}^{X}} (X) \oplus E_{p k_{RA}^{X}} (W)

(2)

since encryption is homomorphic with respect to watermark insertion [10,49,50]. The encrypted and watermarked content

\bar{E_{p k_{RA}^{X}} (X)}

can be thus sent by

CP

B

in the message

m_{5}

At this point,

CP

and

B

can activate the smart contract in the blockchain

BC

by sending the messages

m_{6}

and

m_{7}

, respectively.

In particular, the message

m_{6}

is sent by

CP

BC

, and contains

X_{d}

T_{X}

p k_{RA}^{X}

E_{p k_{RA}^{X}} (N)

S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))

, and the signature

S_{CP} (X_{d}, T_{X}, p k_{RA}^{X}, E_{p k_{RA}^{X}} (N), S_{R A} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N)))

The message

m_{7}

is sent by

B

BC

, and includes

X_{d}

T_{X}

p k_{RA}^{X}

, and

S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))

. In addition,

B

also sends

B_{i d}

and

B_{a d}

BC

in the message

m_{7}

: the former is a token that unambiguously identifies

B

, whereas the latter represents his/her destination address. In particular,

$B_{i d}$ is generated depending on the specific “negotiation mechanism” chosen by $B$ among those ones supported by $BC$ [4,5]. In this regard, in the proposed protocol $BC$ is assumed to provide multiple negotiation mechanisms, which enable $B$ to be identified, for example, using an anonymous digital certificate or a personal digital certificate or a credit card [4,5]. In fact, the last two mechanisms enable $B$ to be directly identified. However, they are assumed to be implemented according to the concept of “multilateral security” applied to web transactions [53,54].
$B_{a d}$ is the $B$ ’s shipping address that will enable him/her to receive the secret key $s k_{RA}^{X}$ corresponding to the public key $p k_{RA}^{X}$ .

When the messages

m_{6}

and

m_{7}

are received by

BC

, the code associated to a specific smart contract is automatically executed. The code of the contract mainly compares the tokens, verifies the signatures contained in the two received messages, and checks whether the tokens

p k_{RA}^{X}

and

E_{p k_{RA}^{X}} (N)

, generated by

RA

, have been already used in a previous purchase transaction or not. In fact, this means to check whether

p k_{RA}^{X}

and

E_{p k_{RA}^{X}} (N)

have been already published in a node of the blockchain or not. If all data turn out to be correct, match, and the tokens generated by

RA

have not been used in previous transactions, the code enables the generation of a new node in

BC

, which makes some of the tokens identifying the ongoing transactions, such as

X_{d}

T_{X}

p k_{RA}^{X}

E_{p k_{RA}^{X}} (N)

S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))

, and

S_{CP} (X_{d}, T_{X}, p k_{RA}^{X}, E_{p k_{RA}^{X}} (N), S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N)))

, public. Moreover, the execution of the smart contract within

BC

takes also charge of implementing the payment phase. It ends by sending two messages,

m_{8}

and

m_{9}

, to

RA

and

CP

, respectively.

The message

m_{8}

includes

B_{a d}

and

p k_{RA}^{X}

, and enables

RA

to send the secret key

s k_{RA}^{X}

B

in the message

m_{10}

B

can thus decrypt

\bar{E_{p k_{RA}^{X}} (X)}

and obtain the final protected content according to the following equalities:

\bar{E_{p k_{RA}^{X}} (X)} = E_{p k_{RA}^{X}} (\bar{X}), \bar{X} = D_{s k_{RA}^{X}} (\bar{E_{p k_{RA}^{X}} (X)})

(3)

The message

m_{9}

contains the security token

E_{p k_{RA}} (B_{i d}, p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))

. It is stored by

CP

in a new entry in its databases, whose search key is the watermark

W_{CP}

. The entry also includes the following tokens:

X_{d}

T_{X}

p k_{RA}^{X}

E_{p k_{RA}^{X}} (N)

, and

S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))

. Such tokens are needed to prove that

B

is the legitimate owner of the protected content

\bar{X}

sold by

CP

through a transaction registered by a node published in the blockchain

BC

5.2. Identification and Arbitration Protocol

The protocol is run by

CP

to identify the responsible distributor of a pirated copy of

\bar{X}

, who was the legitimate copyright owner of

\bar{X}

, with undeniable evidence [4,5].

As shown in Table 3, the first step of the protocol consists of extracting the watermark

W^{'}

from the pirated copy of

\bar{X}

, denoted as

X^{'}

. After the extraction of

W^{'} = W_{CP}^{'} ∥ N^{'}

CP

can access its databases and use

W_{CP}^{'}

to search them for a match. If a possible match is found [11],

CP

can retrieve the tokens saved during the purchase transaction of

\bar{X}

, which are

X_{d}

T_{X}

p k_{RA}^{X}

E_{p k_{RA}^{X}} (N)

S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))

, and

E_{p k_{RA}} (B_{i d}, p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))

. Then,

CP

can send the tokens, together with

W^{'}

, to

J

in the message

m_{1}

J

receives

m_{1}

and verifies the signature

S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))

. Then, it searches the blockchain

BC

for a node using

p k_{RA}^{X}

and

E_{p k_{RA}^{X}} (N)

as search keys. If a node is found,

J

can access the tokens published by the node, which are reported in Table 2, and compare them with those one received by

CP

. If all the tokens match,

J

can send

p k_{RA}^{X}

E_{p k_{RA}^{X}} (N)

, and

E_{p k_{RA}} (B_{i d}, p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))

RA

in the message

m_{2}

RA

decrypts

E_{p k_{RA}} (B_{i d}, p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))

and verifies the received tokens. If all data are correct,

RA

decrypts

E_{p k_{RA}^{X}} (N)

and sends

B_{i d}

and N to

J

in the message

m_{3}

Upon receiving

m_{3}

J

compares

N^{'}

and N. If

N^{'} = N

, the identity of the buyer

B_{i d}

is revealed, and

J

can adjudicate him/her to be a traitor, thus closing the case. Otherwise, the protocol ends without exposing any identity.

6. Protocol Analysis

In the conducted analysis, the ideal behavior of the proposed watermarking protocol can be modeled as follows: a content provider

CP

sells the digital content X to a buyer

B

;

B

obtains the protected digital content

\bar{X}

from

CP

; a blockchain

BC

is a ledger that publishes the tokens that identify each purchase transaction of digital content distributed on the web; a registration authority

RA

generates some specific data that have to be used by

CP

to protect X; a judge

J

decides whether

B

is guilty of releasing pirated copies.

The ideal behavior is modeled under the following assumptions:

$J$ and $RA$ cannot be corrupted.
$CP$ and $B$ can be only corrupted “statically”, i.e., the set of the corrupt entities is decided at the beginning of the protocol execution and cannot be modified throughout the execution [55].
$BC$ is assumed to be characterized by an “honest-but-curious” behavior [55]. As a consequence, $BC$ is obliged to follow the rules of the protocol, even though it can try its best to get information from the executed actions. This means that $BC$ cannot collude with $B$ or $CP$ , and this is a reasonable assumption, since $BC$ is assumed to limit its action to automatically executing a smart contract whose code is approved and accepted in advance and cannot be modified during the life of the blockchain [26,27,28,29,30].
Uncorrupt buyers and content providers are assumed to never release pirated copies.

The assumptions reported above ensure that, if

CP

and

B

are uncorrupt,

B

receives a unique and personalised protected content

\bar{X}

during the purchase transaction. Therefore, if a pirated copy of

\bar{X}

is found on the web, it can be always traced back to

B

and to the purchase transaction. On the contrary, if

CP

is corrupt,

B

receives a protected content

\bar{X}

that cannot be correctly tied to any buyer. As a consequence, nobody can be adjudicated to be a traitor, and the corruption of

CP

ends up being useless and pernicious just for

CP

. Likewise, if

B

is corrupt,

CP

can abort the purchase transaction without releasing any content.

6.1. Assumptions

The proposed protocol assumes that the watermark insertion technique employed to protect a digital content is robust against the most common and nonmalevolent manipulations, and survives the most relevant and intentional attacks, such as signal processing based attacks, geometric attacks, or collusion attacks [6,7,56,57,58,59,60]. In fact, such an assumption is realistic since there is a vast literature on watermark insertion techniques that documents the existence of increasingly robust and secure watermarking algorithms [1,20,21,61,62,63,64,65] together with a promising and increasing research activity in the development of new techniques and algorithms.

The protocol also assumes that the digital encryption applied within the context of a PKI is characterized by indistinguishability under chosen plaintext attack (IND-CPA). As a consequence, an adversary cannot get any knowledge about a plaintext message m from the corresponding ciphertext c.

Finally, the protocol assumes that the adopted cryptosystem is privacy homomorphic with respect to watermark insertion according to what is specified in Section 4 [49].

6.2. Analysis

The security analysis follows the scheme adopted in [22,23,24], and examines the behavior of the proposed watermarking protocol when corrupt entities make their strongest attacks [46,47,66,67]. Therefore, the analysis is restricted to two main attacks, which represent the two worst cases for security: (1) when

CP

is corrupt and tries to cheat

B

; (2) when

B

is corrupt and attempts to cheat

CP

. In both cases, according to what is reported in Section 3 and Section 5, the analysis is conducted by assuming the presence of an honest-but-curious

BC

[55,68] and of a TTP

RA

6.2.1. $CP$ is Corrupt

Consider the execution of the proposed protocol when a corrupt party

{CP}^{c}

and an honest

B

are involved.

B

chooses the content X and communicates the wish to buy it to

{CP}^{c}

{CP}^{c}

interacts with

RA

and obtains

p k_{RA}^{X}

and

E_{p k_{RA}^{X}} (N)

. During this preliminary phase, no corrupting actions may occur.

Lemma 1

(Basic Lemma). Under the basic assumptions reported in Section 6.1, if

{CP}^{c}

tries to embed a corrupt watermark

W^{c}

into X in order to accuse an innocent buyer of illegal content distribution, such a corruption is disclosed by running the identification and arbitration protocol.

Proof.

Since the watermark W is composed of N and

W_{CP}

(see Expression (1)),

{CP}^{c}

can embed a corrupt watermark into X only if it can corrupt the part N of W. Therefore, consider the case in which

{CP}^{c}

wants to embed a corrupt

N^{c}

into the content X purchased by

B

. To achieve such a goal,

{CP}^{c}

has to be able to:

1.: embedd the watermark $W^{c} = W_{CP} | | N^{c}$ into the content X directly in the encrypted domain, according to the Expressions (1) and (2);
2.: obtain the generation of a node in the blockchain $BC$ , which occurs only if $BC$ can certify consistency between the security tokens sent in the messages $m_{6}$ and $m_{7}$ by ${CP}^{c}$ and $B$ respectively (see Table 2).

The former condition is needed because

B

obtains the final and protected version of the purchased content

\bar{X}

by decrypting the content

\bar{E_{p k_{RA}^{X}} (X)}

with the secret key received by

RA

in the message

m_{10}

(see Table 2), according to the Expression (3). This also means that, if

{CP}^{c}

wants to use a corrupt key

p k_{RA}^{X^{c}}

to encrypt the nonce

N^{c}

, it has also to control the corresponding secret key sent by

RA

B

in the message

m_{10}

, which has to necessarily become

s k_{RA}^{X^{c}}

The latter condition implies that

{CP}^{c}

can obtain or generate a valid and verifiable signature

S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N^{c}))

on the corrupt token

E_{p k_{RA}^{X}} (N^{c})

. Furthermore, if

{CP}^{c}

decides to also employ a corrupt key

p k_{RA}^{X^{c}}

to encrypt

N^{c}

, then the corrupt signature to obtain or generate becomes

S_{RA} (p k_{RA}^{X^{c}}, E_{p k_{RA}^{X^{c}}} (N^{c}))

In this regard, it is worth noting that, under the assumptions reported in Section 6.1,

{CP}^{c}

cannot generate a valid signature

S_{RA} (\dots)

on corrupt tokens. This means that

{CP}^{c}

cannot choose an arbitrary nonce

N^{c}

or key pair (

p k_{RA}^{X^{c}}

s k_{RA}^{X^{c}}

) to conduct a purchase transaction, but it could only attempt to reuse tokens generated by

RA

in previous purchase transactions. However, the following considerations have to be taken into account:

1.: When a key pair ( $p k_{RA}^{X}$ , $s k_{RA}^{X}$ ) and an encrypted nonce $E_{p k_{RA}^{X}} (N)$ are employed in a valid purchase transaction, they are included and published in a node of $BC$ , and can no longer be re-used, as reported in Section 5.1.
2.: Once the public key $p k_{RA}^{X}$ has been chosen and sent to $B$ in the message $m_{4}$ , it can no longer be corrupted by ${CP}^{c}$ , since it has to correspond to the secret key $s k_{RA}^{X}$ released by $RA$ in the message $m_{10}$ . Therefore, if ${CP}^{c}$ encrypts the watermark to be inserted into X using the corrupt key $p k_{RA}^{X^{c}}$ , it ends up generating the content $\bar{E_{p k_{RA}^{X^{c}}} (X))}$ . However, $B$ will employ the secret key $s k_{RA}^{X}$ to decrypt the received content $\bar{E_{p k_{RA}^{X^{c}}} (X))}$ according to the Expression (3), thus generating a protected content containing an unknown and unpredictable watermark. In fact, this just damages ${CP}^{c}$ , which ends up releasing a piece of content including a watermark that cannot be linked to any buyer.
3.: If ${CP}^{c}$ receives the key $p k_{RA}^{X}$ from $RA$ in the message $m_{3}$ and forwards the corrupt key $p k_{RA}^{X^{c}}$ to $B$ in the message $m_{4}$ , the key exchange is always disclosed by $BC$ unless ${CP}^{c}$ generates a valid signature $S_{RA} (p k_{RA}^{X^{c}}, \dots)$ , which, as reported above, is impossible. This is because $BC$ compares the tokens received in the messages $m_{6}$ and $m_{7}$ , and generates a new node in the blockchain only if the tokens turn out to be consistent.
4.: For the same reason reported at the previous point, if ${CP}^{c}$ receives the encrypted nonce $E_{p k_{RA}^{X}} (N)$ from $RA$ in the message $m_{3}$ and forwards the corrupt nonce $E_{p k_{RA}^{X}} (N^{c})$ to $BC$ in the message $m_{6}$ , the nonce exchange is always disclosed by $BC$ unless ${CP}^{c}$ generates a valid signature $S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N^{c}))$ , which, as reported above, is impossible.

Therefore, suppose that

B

starts a purchase transaction and that

{CP}^{c}

receives the message

m_{3}

containing

p k_{RA}^{X}

E_{p k_{RA}^{X}} (N)

, and

S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))

(see Table 2). Suppose also that

{CP}^{c}

inserts a corrupt watermark

W^{c} = W_{CP} | | N^{c}

into the content X, thus creating the protected copy

{\bar{X}}^{c}

, and suppose that

{\bar{X}}^{c}

is found in the market.

{CP}^{c}

starts the identification and arbitration protocol by extracting the watermark

W^{c}

from

{\bar{X}}^{c}

and by sending to

J

all the tokens existing in its databases and associated to

W^{c}

, according to what is reported in Section 5.2.

Suppose that

{CP}^{c}

wants to cheat

J

in order to accuse a buyer of illegal content distribution. To achieve such a goal,

{CP}^{c}

has to send, among the others, the following corrupt tokens

p k_{RA}^{X}

E_{p k_{RA}^{X}} (N^{c})

S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N^{c}))

E_{p k_{RA}} (B_{i d}, p k_{RA}^{X}, E_{p k_{RA}^{X}} (N^{c}))

J

(see Table 3), which have to be all coherent with

N^{c}

. However, according to what is reported above and under the assumptions of Section 6.1, the following constraints have to be considered:

${CP}^{c}$ cannot generate a valid signature $S_{RA} (\dots)$ on arbitrary security tokens;
the security tokens that can be employed in a valid purchase transaction have to be among those ones generated by $RA$ ;
${CP}^{c}$ cannot reuse security tokens employed in previous purchase transactions and already published in the nodes of $BC$ ;

As a consequence, if

{CP}^{c}

attempts to accuse an innocent buyer of illegal content distribution by generating corrupt tokens coherent with the corrupt watermark

W^{c} = W_{CP} | | N^{c}

embedded into the content

X^{c}

found in the market, the attempt ends up being revealed by the execution of the identification and arbitration protocol, and this prevents the protocol from adjudicating anybody to be a traitor. ☐

Lemma 2.

Under the assumptions reported in Section 6.1, if

{CP}^{c}

tries to alter the tokens that are managed during the protection phase in order to accuse an innocent buyer of illegal content distribution, such a corruption is disclosed by the identification and arbitration protocol.

Proof.

The basic lemma proves that the security tokens, such as

p k_{RA}^{X}

E_{p k_{RA}^{X}} (N)

, and

S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))

, generated by

RA

and associated to a valid purchase transaction registered by a node of

BC

, cannot be coherently corrupted by

{CP}^{c}

to insert an arbitrary watermark into the content purchased by

B

without such a corruption being disclosed by running the identification and arbitration protocol. More precisely, the impossibility of corrupting the security tokens has been proved be the basic lemma independently of the corruption of the watermark to be inserted into X. In fact, the proof is mainly based on the general incapacity of

{CP}^{c}

to alter or regenerate or reuse the tokens generated by

RA

for a given purchase transaction [22,23,24]. Therefore, the attempts of

{CP}^{c}

to alter the tokens generated by

RA

can be always disclosed by running the identification and arbitration protocol, since such tokens either have been generated and employed during previous, valid purchase transactions by

RA

or are directly generated by

{CP}^{c}

and so they cannot be registered in a node of

BC

. ☐

The lemmas reported above prove that

{CP}^{c}

cannot frame an innocent buyer, because every attempt to corrupt the security tokens that have to be registered in the nodes of

BC

is disclosed by the identification and arbitration protocol, and this prevents the watermarking protocol from adjudicating anybody to be a traitor.

6.2.2. $B$ is Corrupt

Consider the execution of the proposed protocol when the involved parties are a corrupt buyer

B^{c}

and an honest

CP

Suppose that

B^{c}

contacts

CP

in order to buy the content X.

B^{c}

receives the confirmation message

m_{4}

from

CP

, which contains the following tokens:

X_{d}

T_{X}

p k_{RA}^{X}

S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))

S_{CP} (X_{d}, T_{X}, p k_{RA}^{X}, S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N)))

(see Table 2).

Lemma 3

(Basic Lemma). Under the basic assumptions reported in Section 6.1, if

B^{c}

tries to complete the purchase transaction by employing a corrupt content identifier

X_{d}^{c}

in order to impair the piracy tracing mechanism implemented by

CP

, such a corruption is disclosed and the purchase transaction is aborted.

Proof.

Suppose that

B^{c}

wants to use a corrupt identifier

X_{d}^{c}

to conduct the purchase transaction. Under the assumptions reported in Section 6.1, such a goal can be achieved only if

B^{c}

can obtain the generation of a node in the blockchain

BC

which contains

X_{d}^{c}

. This occurs only when

BC

can certify consistency between the security tokens sent by

CP

and

B^{c}

in the messages

m_{6}

and

m_{7}

respectively (see Table 2). This also means that, if

B^{c}

wishes to include the corrupt identifier

X_{d}^{c}

in the message

m_{7}

, the buyer must ensure that the corresponding signature

S_{CP} (X_{d}, \dots)

is included in the message

m_{6}

. However, it is worth noting that, under the assumptions reported in Section 6.1:

1.: $B^{c}$ cannot autonomously generate a valid and verifiable signature $S_{CP} (\dots)$ on corrupt tokens.
2.: $X_{d}$ is generated by $CP$ to unambiguously identify the content X requested by the buyer. Therefore, $CP$ uniquely accepts the content identifiers that it has generated during the initial phase of the protection protocol. No other identifiers can be accepted.
3.: $X_{d}$ is always sent by $CP$ to $BC$ in the message $m_{6}$ , together with the corresponding signature $S_{CP} (\dots)$ . Therefore, if the content identifiers included in the messages $m_{6}$ and $m_{7}$ do not coincide or do not match with the signature $S_{CP} (\dots)$ , $BC$ does not complete the purchase transaction.

As a consequence,

B^{c}

cannot employ arbitrary content identifiers in the protection protocol, but he/she can, at the most, exploit pairs (

X_{d}

S_{CP} (X_{d}, \dots)

) generated by

CP

in other previous, incomplete purchase transactions. In fact, such pairs must not be already included in nodes of the blockchain.

Suppose that

B^{c}

can get two distinct content identifiers

Y_{d}

and

Z_{d}

, together with the corresponding signatures

S_{CP} (Y_{d}, \dots)

and

S_{CP} (Z_{d}, \dots)

, from

CP

. The two identifiers refer to the content Y and Z distributed by

CP

Suppose that

B^{c}

starts a transaction with

CP

to purchase X.

B^{c}

receives

X_{d}

and

S_{CP} (X_{d}, \dots)

from

CP

in the message

m_{4}

. This also means that

BC

will receive

X_{d}

and

S_{CP} (X_{d}, \dots)

from

CP

in the subsequent message

m_{6}

, and this will prevent

B^{c}

from using any other pair of content identifier and signature in the message

m_{7}

. In fact, if this happens,

BC

can always disclose the mismatch between the tokens included in the message

m_{6}

and those ones included in the message

m_{7}

, according to what is reported above. As a consequence, every attempt of

B^{c}

to conduct a purchase transaction by employing corrupt content identifiers causes the purchase transaction to abort. ☐

Lemma 4.

Under the assumptions reported in Section 6.1, if

B^{c}

tries to corrupt the tokens needed to run the protection protocol in order to impair the piracy tracing mechanism implemented by the watermarking protocol, such a corruption is directly disclosed by

BC

and the purchase transaction is aborted.

Proof.

This lemma is an extension of the basic lemma, which has proved that

B^{c}

cannot deceive

BC

by proposing arbitrary content identifiers or identifiers that are incoherent with the corresponding signatures. The trivial reason is that

BC

accepts the tokens sent by

B^{c}

in the message

m_{7}

only if they are consistent with those ones sent by

CP

in the message

m_{6}

. Therefore, every attempt of

B^{c}

to corrupt the tokens generated by

CP

during a purchase transaction causes the protection protocol to abort without releasing any protected content. ☐

The lemmas reported above prove that the corrupt entity

B^{c}

cannot cheat

CP

in order to release a piece of content not tied to any buyer, because every attempt to corrupt the tokens managed by the protection protocol is always disclosed by

BC

, which can thus abort the purchase transaction.

7. Implementation

The first prototype implementation of the proposed protocol is mainly based on the experiences documented in [22,24]. It consists of two parts.

The former comprises the same set of C++ separate programs that implement

B

CP

RA

, and

J

in [22,24]. The programs run on Linux operating system and communicate via TCP implemented by standard socket library. They implement the encryption/decryption and watermark insertion algorithms by exploiting the NTL library and the GNU Multi Precision Arithmetic library. In particular, watermark insertion is based on the “Quantization Index Modulation” algorithm [61] extended to the homomorphic cryptosystem proposed by Paillier [69] according to the main ideas reported in [9,63]. It follows the indications reported in [42], which successfully address a number of problems that tend to make watermark insertion directly into the encrypted domain inefficient. In this regard, in order to reduce both the number of encryptions and the operations performed on encrypted values, watermark insertion is carried out in the encrypted domain by exploiting the specific technique of the “composite signal representation” described in [42], also called “efficient composite embedding” [50].

The latter implements the blockchain

BC

according to the Figure 1. In particular, the blockchain can be classified as “public”, with a fully decentralized architecture, and based on the classic “proof of work” consensus algorithm [27]. Furthermore, the nodes of the blockchain are implemented in Ethereum [70], whereas the smart contract employed by the proposed protocol is written in Solidity [71].

The performance of the proposed prototype implementation mainly depends on both the basic operations characterizing watermarking protocols and the overhead induced by the blockchain management. In fact, the former are the classic encryption/decryption and watermark insertion operations. Their performances are omitted because, as reported above, they are well documented by the results published in [22,24]. On the contrary, the latter depends on a number of factors, such as, for example, the Ethereum node implementation, the adopted consensus algorithm, and the number of nodes averagely involved in the blockchain, which are essentially independent of proposed watermarking protocol [28,29]. In this regard, it is worth noting that an Ethereum, public and decentralized blockchain, based on the “proof of work” consensus algorithm, is characterized by undoubted advantages, such as decentralization, lack of trusted third parties, and immutability [27,28,29], but it is also affected by low performance and efficiency levels caused by the time needed for propagating, processing, and validating the purchase transactions [72]. In fact, the higher the number of nodes participating in the blockchain is, the more limiting power consumption and block generation rate become. However, the main goals of the proposed protocols are to achieve high levels of robustness and security without reducing simplicity of the protection scheme. After all, it is not wrong to think that the proposed watermarking protocol will be able to take advantage of the next generation blockchains, which promise to achieve higher performance and efficiency levels, particularly in terms of power consumption, due the development of new consensus algorithms. Nevertheless, such performance aspects have not been investigated because they are out of the scope of this paper.

8. Conclusions

The main goal in developing the proposed protocol has been to simplify the basic interaction scheme that characterizes the previous protocols that adopt a “buyer friendly” and “mediated” design approach without compromising on their relevant achievements [22,23,24]. The solution has been found in the smart contracts to be exploited within the blockchain technology. In fact, a smart contract has been employed to simply validate the security tokens generated during purchase transactions and then published as immutable purchase information in the blocks maintained by the blockchain [27,28,29,31]. It has made it possible to avoid the direct involvement of a TTP in the protection scheme without forcing buyers to carry out complex actions to participate in the purchase transactions. In this way, the interaction scheme turns out to be simple while, at the same time, it strongly reduces the possibility of collusion actions among the parties participating in the protocol, thus making the protocol secure and suited to the current web context.

The proposed protocol also confirms the security achievements characterizing the previous similar protocols [22,23,24]: (1)

CP

keeps control on the content that it distributes on the Internet, since it never releases them in unprotected forms; (2)

B

is the only entity that gets access to the final watermarked content

\bar{X}

, and this makes it possible to trace back pirated copies of

\bar{X}

B

; (3) X is never released in a partially protected form, thus solving the specific problem arisen in the watermarking protocol proposed in [11] and discussed in [22,23]; (4) a suspected buyer is not required to cooperate in the “identification and arbitration protocol” to make appropriate adjudications.

Finally, it is worth noting that the adoption of blockchain technology represents a relevant step in the direction of secure and simplified buyer friendly and mediated watermarking protocols. Moreover, the performance achieved by the prototype implementation of the proposed protocol is overall good, even though it is penalised by the adopted consensus algorithm. However, this cannot be considered an actual problem, since next generations of blockchains will be able to implement improved algorithms and to provide better and better performances [73,74].

Funding

This research received no external funding.

Acknowledgments

The author wishes to thank Domenico Di Pietro for his good advice.

Conflicts of Interest

The author declares no conflict of interest.

References

Cox, I.; Miller, M.; Bloom, J.; Fridrich, J.; Kalker, T. Digital Watermarking and Steganography; Morgan Kaufmann: Burlington, MA, USA, 2007. [Google Scholar]
Barni, M.; Bartolini, F. Data Hiding for Fighting Piracy. IEEE Signal Process. Mag. 2004, 21, 28–39. [Google Scholar] [CrossRef]
Gopalakrishnan, K.; Memon, N.; Vora, P.L. Protocols for watermark verification. IEEE Multimed. 2001, 8, 66–70. [Google Scholar] [CrossRef] [Green Version]
Frattolillo, F. Watermarking protocol for web context. IEEE Trans. Inf. Forensics Secur. 2007, 2, 350–363. [Google Scholar] [CrossRef]
Frattolillo, F. Watermarking Protocols: Problems, Challenges and a Possible Solution. Comput. J. 2015, 58, 944–960. [Google Scholar] [CrossRef]
Trappe, W.; Wu, M.; Wang, Z.J.; Liu, K.J.R. Anti-collusion fingerprinting for multimedia. IEEE Trans. Signal Process. 2003, 41, 1069–1087. [Google Scholar] [CrossRef] [Green Version]
Liu, K.J.R.; Trappe, W.; Wang, Z.J.; Wu, M.; Zhao, H. Multimedia Fingerprinting Forensics for Traitor Tracing; Hindawi Publishing Corporation: New York, NY, USA, 2005. [Google Scholar]
Pehlivanoglu, S. An Asymmetric Fingerprinting Code for Collusion-resistant Buyer-seller Watermarking. In Proceedings of the 1st ACM Workshop on Information Hiding and Multimedia Security, Montpellier, France, 17–19 June 2013; ACM: New York, NY, USA, 2013; pp. 35–44. [Google Scholar]
Kuribayashy, M.; Tanaka, H. Fingerprinting Protocol for Images Based on Additive Homomorphic Property. IEEE Trans. Image Process. 2005, 14, 2129–2139. [Google Scholar] [CrossRef] [PubMed] [Green Version]
Memon, N.; Wong, P.W. A buyer-seller watermarking protocol. IEEE Trans. Image Process. 2001, 10, 643–649. [Google Scholar] [CrossRef]
Lei, C.L.; Yu, P.L.; Tsai, P.L.; Chan, M.H. An Efficient and Anonymous Buyer-Seller Watermarking Protocol. IEEE Trans. Image Process. 2004, 13, 1618–1626. [Google Scholar] [CrossRef] [PubMed] [Green Version]
Fan, C.I.; Chen, M.T.; Sun, W.Z. Buyer-Seller Watermarking Protocols with Off-line Trusted Parties. In Proceedings of the IEEE Int. Conf. on Multimedia and Ubiquitous Engineering, Seul, Korea, 26–28 April 2007; IEEE Computer Society: Washington, DC, USA, 2007; pp. 1035–1040. [Google Scholar]
Das, V.V. Buyer-Seller Watermarking Protocol for an Anonymous Network Transaction. In Proceedings of the 1st Int. Conf. on Emerging Trends in Engineering and Technology, Nagpur, India, 16–18 July 2008; IEEE Computer Society: Washington, DC, USA, 2008; pp. 807–812. [Google Scholar]
Laxmi, V.; Khan, M.N.; Kumar, S.S.; Gaur, M.S. Buyer seller watermarking protocol for digital rights management. In Proceedings of the 2nd Int. Conf. on Security of information and networks, Famagusta, North Cyprus, 6–10 October 2009; ACM: New York, NY, USA, 2009; pp. 298–301. [Google Scholar]
Hu, D.; Li, Q. A secure and practical buyer-seller watermarking protocol. In Proceedings of the Int. Conf. on Multimedia Information Networking and Security, Hubei, China, 18–20 November 2009; IEEE Computer Society: Washington, DC, USA, 2009; pp. 105–108. [Google Scholar]
Zhao, H.V.; Liu, K.J.R. Traitor-within-Traitor Behavior Forensics: Strategy and Risk Minimization. IEEE Trans. Inf. Forensics Secur. 2006, 1, 440–456. [Google Scholar] [CrossRef] [Green Version]
Rial, A.; Deng, M.; Bianchi, T.; Piva, A.; Preneel, B. A Provably Secure Anonymous Buyer–Seller Watermarking Protocol. IEEE Trans. Inf. Forensics Secur. 2010, 5, 920–931. [Google Scholar] [CrossRef] [Green Version]
Rial, A.; Balasch, J.; Preneel, B. A Privacy-Preserving Buyer–Seller Watermarking Protocol Based on Priced Oblivious Transfer. IEEE Trans. Inf. Forensics Secur. 2011, 6, 202–212. [Google Scholar] [CrossRef] [Green Version]
Xu, Z.; Li, L.; Gao, H. Bandwidth Efficient Buyer-seller Watermarking Protocol. Int. J. Inf. Comput. Secur. 2012, 5, 1–10. [Google Scholar] [CrossRef]
Bianchi, T.; Piva, A. TTP-free asymmetric fingerprinting based on client side embedding. IEEE Trans. Inf. Forensics Secur. 2014, 9, 1557–1568. [Google Scholar] [CrossRef] [Green Version]
Bianchi, T.; Piva, A.; Shullani, D. Anticollusion solutions for asymmetric fingerprinting protocols based on client side embedding. Eurasip J. Inf. Secur. 2015, 2015. [Google Scholar] [CrossRef] [Green Version]
Frattolillo, F. A Buyer–Friendly and Mediated Watermarking Protocol for Web Context. ACM Trans. Web. 2016, 10, 1–8. [Google Scholar] [CrossRef]
Frattolillo, F. Watermarking protocols: An excursus to motivate a new approach. Int. J. Inf. Secur. 2018, 17, 587–601. [Google Scholar] [CrossRef]
Frattolillo, F. A multiparty watermarking protocol for cloud environments. J. Inf. Secur. Appl. 2019, 47, 246–257. [Google Scholar] [CrossRef]
Tapscott, D.; Tapscott, A. Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World; Portfolio-Penguin: New York, NY, USA, 2016. [Google Scholar]
Mougayar, W. The Business Blockchain: Promise, Practice, and Application of the Next Internet Technology; Wiley: Hoboken, NJ, USA, 2016. [Google Scholar]
Zheng, Z.; Xie, S.; Dai, H.N.; Chen, X.; Wang, H. Blockchain challenges and opportunities: A survey. Int. J. Web Grid Serv. 2018, 14, 352–375. [Google Scholar] [CrossRef]
Casino, F.; Dasaklis, T.K.; Patsakis, C. A systematic literature review of blockchain-based applications: Current status, classification and open issues. Telemat. Inform. 2019, 36, 55–81. [Google Scholar] [CrossRef]
Aggarwal, S.; Chaudhary, R.; Aujla, G.S.; Kumar, N.; Choo, K.K.R.; Zomaya, A.Y. Blockchain for smart communities: Applications, challenges and opportunities. J. Netw. Comput. Appl. 2019, 144, 13–48. [Google Scholar] [CrossRef]
Tresise, A.; Goldenfein, J.; Hunter, D. What Blockchain Can and Can’t Do for Copyright. Aust. Intellect. Prop. J. 2018, 28, 144–157. [Google Scholar]
Macrinici, D.; Cartofeanu, C.; Gao, S. Smart contract applications within blockchain technology: A systematic mapping study. Telemat. Inform. 2018, 35, 2337–2354. [Google Scholar] [CrossRef]
Ku, W.; Chi, C.H. Survey on the Technological Aspects of Digital Rights Management. In Proceedings of the 7th Int. Information Security Conference, Lecture Notes in Computer Science, Palo Alto, CA, USA, 27–29 September 2004; Zhang, K., Zheng, Y., Eds.; Springer: Berlin, Germany, 2004; Volume 3225, pp. 391–403. [Google Scholar]
Zhang, Z.; Pei, Q.; Ma, J.; Yang, L. Security and Trust in Digital Rights Management: A Survey. Int. J. Netw. Secur. 2009, 9, 247–263. [Google Scholar]
Abdalla, H.; Hu, X.; Wahaballa, A.; Abdalla, A.; Ramadan, M.; Zhiguang, Q. Integrating the Functional Encryption and Proxy Re-cryptography to Secure DRM Scheme. Int. J. Netw. Secur. 2017, 19, 27–38. [Google Scholar]
Barbareschi, M.; Cilardo, A.; Mazzeo, A. A partial FPGA bitstream encryption enabling hardware DRM in mobile environment. In Proceedings of the ACM Int. Conf. on Computing Frontiers, Como, Italy, 16–18 May 2016; ACM: New York, NY, USA, 2016; pp. 443–448. [Google Scholar]
Lee, C.C.; Li, C.T.; Chen, Z.W.; Lai, Y.M.; Shieh, J.C. An improved E-DRM scheme for mobile environments. J. Inf. Secur. Appl. 2018, 39, 19–30. [Google Scholar] [CrossRef]
Bhowmik, D.; Feng, T. The multimedia blockchain: A distributed and tamper-proof media transaction framework. In Proceedings of the 22nd Int. Conf. on Digital Signal Processing, London, UK, 23–25 August 2017; IEEE Computer Society: Washington, DC, USA, 2017; pp. 1–5. [Google Scholar]
Meng, Z.; Morizumi, T.; Miyata, S.; Kinoshita, H. Design Scheme of Copyright Management System Based on Digital Watermarking and Blockchain. In Proceedings of the IEEE 42nd Annual Computer Software and Applications Conference, Tokyo, Japan, 23–27 July 2018; IEEE Computer Society: Washington, DC, USA, 2018; pp. 359–364. [Google Scholar]
Zhaofeng, M.; Weihua, H.; Hongmin, G. A new blockchain-based trusted DRM scheme for built-in content protection. Eurasip J. Image Video Process. 2018, 2018, 91. [Google Scholar] [CrossRef]
Deng, M.; Preneel, B. Attacks On Two Buyer-Seller Watermarking Protocols and An Improvement for Revocable Anonymity. In Proceedings of the IEEE Int. Symp. on Electronic Commerce and Security, Guangzhou, China, 3–5 August 2008; IEEE Computer Society: Washington, DC, USA, 2008; pp. 923–929. [Google Scholar]
Deng, M.; Preneel, B. On secure and anonymous buyer-seller watermarking protocol. In Proceedings of the 3rd Int. Conf. on Internet and Web Applications and Services, Athens, Greece, 8–13 June 2008; IEEE Computer Society: Washington, DC, USA, 2008; pp. 524–529. [Google Scholar]
Deng, M.; Bianchi, T.; Piva, A.; Preneel, B. An efficient buyer-seller watermarking protocol based on composite signal representation. In Proceedings of the 11th ACM Workshop on Multimedia and Security, Princeton, NJ, USA, 7–8 September 2009; ACM: New York, NY, USA, 2009; pp. 9–18. [Google Scholar]
Wen, Q.; Wang, Y. Improvement of the Digital Watermarking Protocol based on the Zero-Watermark Method. In Proceedings of the 3rd Annual Summit and Conf. of Asia Pacific Signal and Information Processing Association, Xi’an, China, 18–21 October 2011; APSIPA Publisher: Xi’an, China, 2011. [Google Scholar]
Terelius, B. Towards transferable watermarks in buyer-seller watermarking protocols. In Proceedings of the IEEE Int. Work. on Information Forensics and Security, Guangzhou, China, 18–21 November 2013; IEEE Computer Society: Washington, DC, USA, 2013; pp. 197–202. [Google Scholar]
Qiao, L.; Nahrstedt, K. Watermarking schemes and protocols for protecting rightful ownership and customer’s rights. J. Vis. Commun. Image Represent. 1998, 9, 194–210. [Google Scholar] [CrossRef] [Green Version]
Poh, G.S.; Martin, K.M. Classification Framework for Fair Content Tracing Protocols. In Proceedings of the 8th Int. Workshop on Digital Watermarking, Guildford, UK, 24–26 August 2009; Ho, A.T.S., Shi, Y.Q., Kim, H.J., Barni, M., Eds.; Lecture Notes in Computer Science. Springer: Berlin, Germany, 2009; Volume 5703, pp. 252–267. [Google Scholar]
Poh, G.S. Design and Analysis of Fair Content Tracing Protocols. Ph.D. Thesis, Department of Mathematics Royal Holloway, University of London, Egham, Surrey, UK, 2009. [Google Scholar]
Cong, L.W.; He, Z. Blockchain Disruption and Smart Contracts. Rev. Financ. Stud. 2019, 32, 1754–1797. [Google Scholar] [CrossRef]
Fontaine, C.; Galand, F. A Survey of Homomorphic Encryption for Nonspecialists. Eurasip J. Inf. Secur. 2007, 2007. [Google Scholar] [CrossRef] [Green Version]
Bianchi, T.; Piva, A. Secure Watermarking for Multimedia Content Protection: A Review of its Benefits and Open Issues. IEEE Signal Process. Mag. 2013, 30, 87–96. [Google Scholar] [CrossRef]
Ellison, C.; Frantz, B.; Lampson, B.; Rivest, R.; Thomas, B.; Ylonen, T. SPKI Certificate Theory; RFC 2693; RFC Editor: Marina del Rey, CA, USA, 1999. [Google Scholar]
Williams, D.M.; Treharne, H.; Ho, A.T.S. On the Importance of One-time Key Pairs in Buyer-seller Watermarking Protocols. In Proceedings of the Int. Conf. on Security and Cryptography, Athens, Greece, 26–28 July 2010; IEEE Computer Society: Washington, DC, USA, 2010; pp. 441–446. [Google Scholar]
Rannenberg, K. Multilateral Security. In A Concept and Examples for Balanced Security. In Proceedings of the 9th ACM Workshop on New Security Paradigms, Ballycotton, County Cork, Ireland, 18–21 February 2001; ACM: New York, NY, USA, 2001; pp. 151–162. [Google Scholar]
Rannenberg, K.; Royer, D.; Deuker, A. The Future of Identity in the Information Society—Challenges and Opportunities; Springer: Berlin, Germany, 2009. [Google Scholar]
Canetti, R. Security and Composition of Cryptographic Protocols: A Tutorial. ACM SIGACT News. 2006, 37, 67–92. [Google Scholar] [CrossRef]
Hartung, F.; Su, J.K.; Girod, B. Spread Spectrum Watermarking: Malicious Attacks and Counterattacks. In Proceedings of the SPIE Security and Watermarking of Multimedia Contents, San Jose, CA, USA, 23–27 January 1999; Delp, E.J., Wong, P.W., Eds.; SPIE: Bellingham, WA, USA, 1999; Volume 3657, pp. 147–158. [Google Scholar]
Katzenbeisser, S.; Veith, H. Securing Symmetric Watermarking Schemes Against Protocol Attacks. In Proceedings of the SPIE Security and Watermarking of Multimedia Contents IV, San Jose, CA, USA, 19 January 2002; Delp, E.J., Wong, P.W., Eds.; SPIE: Bellingham, WA, USA, 2002; Volume 4675, pp. 260–268. [Google Scholar]
Petitcolas, F.A.P. Watermarking schemes evaluation. IEEE Signal Process. Mag. 2000, 17, 58–64. [Google Scholar] [CrossRef]
Petitcolas, F.A.P.; Steinebach, M.; Raynal, F.; Dittmann, J.; Fontaine, C.; Fates, N. A public automated web-based evaluation service for watermarking schemes: StirMark Benchmark. In Proceedings of the SPIE Electronic Imaging 2001, Security and Watermarking of Multimedia Contents, San Jose, CA, USA, 22–25 January 2001; Wong, P.W., Delp, E.J., Eds.; SPIE: Bellingham, WA, USA, 2001; Volume 4314, pp. 575–584. [Google Scholar]
Barni, M.; Bartolini, F. Watermarking Systems Engineering: Enabling Digital Assets Security and Other Applications; CRC Press: Boca Raton, FL, USA, 2004. [Google Scholar]
Chen, B.; Wornell, G. Quantization index modulation: A class of provably good methods for digital watermarking and information embedding. IEEE Trans. Inf. Theory 2001, 47, 1423–1443. [Google Scholar] [CrossRef] [Green Version]
Malvar, H.S.; Florêncio, D.A.F. Improved Spread Spectrum: A New Modulation Technique for Robust Watermarking. IEEE Trans. Signal Process. 2003, 51, 898–905. [Google Scholar] [CrossRef] [Green Version]
Prins, J.P.; Erkin, Z.; Lagendijk, R.L. Anonymous fingerprinting with robust QIM watermarking techniques. Eurasip J. Inf. Secur. 2007, 2007. [Google Scholar] [CrossRef] [Green Version]
Zebbiche, K.; Khelifi, F.; Loukhaoukha, K. Robust additive watermarking in the DTCWT domain based on perceptual masking. Multimed. Tools Appl. 2018, 77, 21281–21304. [Google Scholar] [CrossRef] [Green Version]
Begum, M.; Uddin, M.S. Analysis of Digital Image Watermarking Techniques through Hybrid Methods. Adv. Multimed. 2020, 2020. [Google Scholar] [CrossRef]
Bellare, M.; Rogaway, P. The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs. In Proceedings of the 25th Int. Cryptology Conference, Saint Petersburg, Russia, 28 May–1 June 2006; Vaudenay, S., Ed.; Lecture Notes in Computer Science. Springer: Berlin, Germany, 2006; Volume 4004, pp. 409–426. [Google Scholar]
Williams, D.M.; Treharne, H.; Ho, A.T.S.; Waller, A. Formal Analysis of Two Buyer-Seller Watermarking Protocols. In Proceedings of the 7th Int. Workshop on Digital Watermarking, Lecture Notes in Computer Science, Busan, Korea, 10–12 November 2008; Kim, H.J., Katzenbeisser, S., Ho, A.T.S., Eds.; Springer: Berlin, Germany, 2008; Volume 5450, pp. 278–292. [Google Scholar]
Canetti, R. Universally Composable Security: A New Paradigm for Cryptographic Protocols. In Proceedings of the 42nd IEEE Int. Symp. on Foundations of Computer Science, Newport Beach, CA, USA, 8–11 October 2001; IEEE Computer Society: Washington, DC, USA, 2001; pp. 136–145. [Google Scholar]
Paillier, P. Public-key Cryptosystems Based on Composite Degree Residuosity Classes. In Proceedings of the Eurocrypt ‘99, Lecture Notes in Computer Science, Prague, Czech Republic, 2–6 May 1999; Springer: Berlin, Germany, 1999; Volume 1592, pp. 223–238. [Google Scholar]
Ethereum. Available online: https://ethereum.org (accessed on 1 November 2020).
Solidity. Available online: https://solidity.readthedocs.io (accessed on 1 November 2020).
Bamakan, S.M.H.; Motavali, A.; Bondarti, A.B. A survey of blockchain consensus algorithms performance evaluation criteria. Expert Syst. Appl. 2020, 154, 113385. [Google Scholar] [CrossRef]
Fernandez-Carames, T.M.; Fraga-Lamas, P. A Review on the Application of Blockchain to the Next Generation of Cybersecure Industry 4.0 Smart Factories. IEEE Access 2019, 7, 45201–45218. [Google Scholar] [CrossRef]
Palacios, R.C.; Gordon, M.S.; Aranda, D.A. A critical review on blockchain assessment initiatives: A technology evolution viewpoint. J. Softw. Evol. Process. 2020, 2020. [Google Scholar] [CrossRef]

Figure 1. The blockchain within the proposed watermarking protocol.

Table 1. Meanings of the symbols used to describe the proposed protocol.

Symbol	Meaning
$B$	buyer
$CP$	content provider or seller
$RA$	registration authority
$BC$	blockchain
$J$	judge
X	digital content purchased by $B$
$X_{d}$	information used by $CP$ to unambiguously identify X
$T_{X}$	timestamp referred to the transaction by which $B$ buys X
$B_{i d}$	information used to identify $B$
$B_{a d}$	destination address provides by $B$
N	nonce used to mark the watermarking transaction
W	watermark
$W_{E n t .}$	part of the watermark W generated by the entity $E n t .$
$\bar{X}$	watermarked X
$p k_{E n t .}$	public key of the entity $E n t .$
$s k_{E n t .}$	secret key of the entity $E n t .$
$p k_{E n t .}^{X}$	one time public key generated by the entity $E n t .$ in the transaction to watermark X
$s k_{E n t .}^{X}$	one time secret key generated by the entity $E n t .$ in the transaction to watermark X
$E_{k e y} (\dots)$	token encrypted using the key $k e y$ and a public key cryptosystem
$S_{k e y} (\dots)$	token digitally signed using the secret key $k e y$ and the SHA-1 secure hash algorithm
$E_{k e y} (\dots)$	token encrypted using the key $k e y$ and a cryptosystem that is privacy homomorphic with respect to the watermark insertion
$D_{k e y} (\dots)$	decryption function corresponding to the encryption function $E_{k e y} (\dots)$

Table 2. Protection protocol.

$B$	:	visits the $CP$ ’s web site and chooses the content X
$B \to CP$	:	$m_{1} = {$ request for $X}$
$CP \to RA$	:	$m_{2} =$ {request for security tokens}
$RA \to CP$	:	$m_{3} = {p k_{RA}^{X}, E_{p k_{RA}^{X}} (N), S_{R A} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))}$
$CP \to B$	:	$m_{4} = {X_{d}, T_{X}, p k_{RA}^{X}, S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N)),$
		$S_{CP} (X_{d}, T_{X}, p k_{RA}^{X}, S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N)))}$
$CP$	:	generates $W_{CP}, E_{p k_{RA}^{X}} (W_{CP}), E_{p k_{RA}^{X}} (X)$
$CP$	:	generates $E_{p k_{RA}^{X}} (W) = E_{p k_{RA}^{X}} (W_{CP}) ∥ E_{p k_{RA}^{X}} (N)$
$CP$	:	generates $\bar{E_{p k_{RA}^{X}} (X)} = E_{p k_{RA}^{X}} (X) \oplus E_{p k_{RA}^{X}} (W)$
$CP \to B$	:	$m_{5} = {\bar{E_{p k_{RA}^{X}} (X)}}$
$CP \to BC$	:	$m_{6} = {X_{d}, T_{X}, p k_{RA}^{X}, E_{p k_{RA}^{X}} (N), S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N)),$
		$S_{CP} (X_{d}, T_{X}, p k_{RA}^{X}, E_{p k_{RA}^{X}} (N), S_{R A} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N)))}$
$B \to BC$	:	$m_{7} = {X_{d}, T_{X}, p k_{RA}^{X}, S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N)), B_{i d}, B_{a d}}$
$BC$	:	activates the smart contract
$BC$	:	compares the tokens and verifies the signatures included in $m_{6}$ and $m_{7}$
$BC$	:	generates a node in the blockchain by which to publish $X_{d}$ , $T_{X}$ ,
		$p k_{RA}^{X}$ , $E_{p k_{RA}^{X}} (N)$ , $S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))$ ,
		$S_{CP} (X_{d}, T_{X}, p k_{RA}^{X}, E_{p k_{RA}^{X}} (N), S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N)))$
$BC$	:	implements the payment phase
$BC \to RA$	:	$m_{8} = {B_{a d}, p k_{RA}^{X}}$
$BC$	:	$E_{p k_{RA}} (B_{i d}, p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))$
$BC \to CP$	:	$m_{9} = {E_{p k_{RA}} (B_{i d}, p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))}$
$CP$	:	saves a new entry in its databases composed of $X_{d}$ , $T_{X}$ , $p k_{RA}^{X}$ , $E_{p k_{RA}^{X}} (N)$ ,
		$S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))$ , and $E_{p k_{RA}} (B_{i d}, p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))$
		whose search key is $W_{CP}$
$RA \to B$	:	$m_{10} = {s k_{RA}^{X}}$
$B$	:	$\bar{X} = D_{s k_{RA}^{X}} (\bar{E_{p k_{RA}^{X}} (X)})$

Table 3. Identification and arbitration protocol.

$CP$	:	finds $X^{'}$ in the market and extracts $W^{'} = W_{CP}^{'} ∥ N^{'}$
$CP$	:	searches its databases for a possible match on $W_{CP}^{'}$
$CP \to J$	:	$m_{1} = {W^{'}, X_{d}, T_{X}, p k_{RA}^{X}, E_{p k_{RA}^{X}} (N), S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N)),$
		$E_{p k_{RA}} (B_{i d}, p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))}$
$J$	:	searches $BC$ for a node including $p k_{RA}^{X}$ and $E_{p k_{RA}^{X}} (N)$
$J$	:	retrieves the tokens published in the node of $BC$ , which are $X_{d}$ , $T_{X}$ , $p k_{RA}^{X}$ ,
		$E_{p k_{RA}^{X}} (N)$ , $S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))$ ,
		$S_{CP} (X_{d}, T_{X}, p k_{RA}^{X}, E_{p k_{RA}^{X}} (N), S_{RA} (p k_{RA}^{X}, E_{p k_{RA}^{X}} (N)))$
$J$	:	verifies if the tokens retrieved from $BC$ match those ones received from $CP$
$J \to RA$	:	$m_{2} = {p k_{RA}^{X}, E_{p k_{RA}^{X}} (N), E_{p k_{RA}} (B_{i d}, p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))}$
$RA$	:	decrypts $E_{p k_{RA}} (B_{i d}, p k_{RA}^{X}, E_{p k_{RA}^{X}} (N))$
$RA \to J$	:	$m_{3} = {B_{i d}, N}$
$J$	:	compares $N^{'}$ with N and adjudicates

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

© 2020 by the author. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

Share and Cite

MDPI and ACS Style

Frattolillo, F. A Watermarking Protocol Based on Blockchain. Appl. Sci. 2020, 10, 7746. https://doi.org/10.3390/app10217746

AMA Style

Frattolillo F. A Watermarking Protocol Based on Blockchain. Applied Sciences. 2020; 10(21):7746. https://doi.org/10.3390/app10217746

Chicago/Turabian Style

Frattolillo, Franco. 2020. "A Watermarking Protocol Based on Blockchain" Applied Sciences 10, no. 21: 7746. https://doi.org/10.3390/app10217746

APA Style

Frattolillo, F. (2020). A Watermarking Protocol Based on Blockchain. Applied Sciences, 10(21), 7746. https://doi.org/10.3390/app10217746

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Menu

A Watermarking Protocol Based on Blockchain

Abstract

1. Introduction

2. Related Work

3. Main Challenges

4. Basics of the Protocol

5. Watermarking Protocol

5.1. Protection Protocol

5.2. Identification and Arbitration Protocol

6. Protocol Analysis

6.1. Assumptions

6.2. Analysis

6.2.1. $CP$ is Corrupt

6.2.2. $B$ is Corrupt

7. Implementation

8. Conclusions

Funding

Acknowledgments

Conflicts of Interest

References

Share and Cite

Article Metrics

Article Access Statistics

Further Information

Guidelines

MDPI Initiatives

Follow MDPI

Article Menu

A Watermarking Protocol Based on Blockchain

Abstract

1. Introduction

2. Related Work

3. Main Challenges

4. Basics of the Protocol

5. Watermarking Protocol

5.1. Protection Protocol

5.2. Identification and Arbitration Protocol

6. Protocol Analysis

6.1. Assumptions

6.2. Analysis

6.2.1. CP is Corrupt

6.2.2. B is Corrupt

7. Implementation

8. Conclusions

Funding

Acknowledgments

Conflicts of Interest

References

Share and Cite

Article Metrics

Article Access Statistics

Further Information

Guidelines

MDPI Initiatives

Follow MDPI

6.2.1. $CP$ is Corrupt

6.2.2. $B$ is Corrupt