Definition of Protocols for Secure Anonymous Purchase

Borja Richart (1), Ramon Martí (1), Jaime Delgado (1), Abdul H. Sadka (2), Peter Sweeney (2)
(1) Universitat Pompeu Fabra (UPF)
(2) CCSR, University of Surrey (UniS)

Abstract

Digital watermarking is the art of hiding information in digital content such as images, audio clips and videos. We can take advantage of this technique by adding author information as well as buyer information to a digital purchase. In this paper we propose a protocol for secure anonymous digital purchase that deters buyers from illegally redistributing digital content, and that allows merchants to obtain a proof of treachery against dishonest buyers.

1. Introduction

This paper describes the idea of asymmetric schemes applied to secure anonymous digital purchases. The work has been divided into three research parts:
− Buyer's registration: design of a protocol that guarantees the anonymity of buyers in any digital purchase. Moreover, it will help to unmask fraudulent buyers (they will lose their anonymity).
− Digital purchase: proposal of an architecture between buyers, merchants and a trusted third party (also known as the asymmetric server) who will carry out the watermarking process.
− Unmasking the dishonest buyers: if merchants find an illicit copy of content they have sold, they will have a proof of treachery with which to denounce the buyer. This is the aim of that protocol; inverse watermarking techniques will be used to recover the buyer identity.

2. Motivation

Nowadays we live with a great variety of audiovisual content in digital format. The digital format has many advantages over the analog format, such as the ease of producing perfect digital copies. That is the reason why some providers are reluctant to offer their services on-line: they want to avoid illegal copies and free distribution of copyrighted data. Different methods have been used throughout history to guarantee intellectual property and privacy, for example the signature of the artist on a painting, the mark of a ring on sealing wax, or the ISBN number in a book. However, the digital world introduces a different kind of problem. One can very easily modify and copy any kind of file. The drawback of this technological improvement is the illicit distribution of copies, at very low cost and without any deterioration of quality. This is why more sophisticated methods are needed to ensure protection. A great deal of attention is currently paid to approaches aiming at protecting authors' and creators' rights, and a lot of research work has been invested into the design of methods that technically support the copyright protection of digital data. One class of such methods consists of techniques called fingerprinting schemes; the other class is called watermarking schemes. Watermarking is clearly one of the reasonable alternatives for solving problems such as violation of ownership and illegal distribution of copies. It enables the owner of a digital asset to embed some information in the digital content and to extract it later. Moreover, it enables a merchant to trace the buyer from an illegally redistributed copy. It is on that point that we focus our research.

3. Background and State of the Art

3.1. Digital Purchase (e-commerce)

E-commerce provides an additional method for buying or selling. In traditional sales, the buyer and/or the salesman are the active parties. In one case, the buyer initiates the purchase by either going to the store to buy or calling on the phone and making an order. In the other case, the salesman goes to the home or place of business to make the sale, or calls on the phone to make the sale. A third method combines action from both parties: the business sales department mails a catalogue or other material, and the customer then makes a purchase from the catalogue. The above methods apply to business-to-person as well as to business-to-business sales. On-line commerce adds a new method, similar to a mail order catalogue. The business sales department posts a Web site with an on-line catalogue. The buyer then selects items from the on-line catalogue and makes the purchase, either on-line or by phone or mail order. Although the buyer is actually using an on-line catalogue, the metaphor of browsing a store with a shopping cart is often used in e-commerce. This allows the customer to put items in the shopping cart to be held until checkout, when the purchase is finally made. [1]

3.1.1. Elements of interaction

Several elements interact in an e-commerce digital purchase:
− The digital item or content is the data to be retrieved and watched or listened to.
− The buyer of the digital item, or customer. He/she must be able to watch the content he/she has paid for, and owns a decoder in order to carry out this task. The buyer should be able to store the digital item, but digital copies should be prevented from illegal distribution. Some services are targeted to a small audience, while others are targeted to thousands, even millions of people.
− The merchant is the business offering the multimedia content. The merchant receives payments from the buyers. On the other hand, the merchant can collect statistical data from his/her customers in order to improve the services.
− The catalogue browsing and selection is the data exchanged when the buyer searches and selects the digital item to buy.
− The electronic payment is a token the buyer gives to the merchant to get the digital item. There are several e-payment methods. Some e-payment systems, such as electronic coins, provide the same level of security as conventional cash payments.
− The carrier network is the entity over which goods travel from merchants to customers, and payments return from customers to merchants. Some multimedia e-commerce platforms use private networks, while others use open ones like the Internet. [2]

Figure 1. E-commerce scheme

3.1.2. Merchant requirements

Just as in traditional commerce, especially mail order, there are certain elements required to perform on-line business, as in [1]. Merchants must:
− Promote the merchant Web site presence.
− Have an on-line catalogue or store.
− Have the capability to receive payments. The item purchase can be complex, but it must be made as simple as possible for customers:
  1. The customer must give certain personal information, usually name, address and e-mail.
  2. A mutually acceptable payment method must be chosen, and payment or billing information must be gathered.
  3. The merchant must process the customer's payment information.
  4. Finally, the customer must receive confirmation of the sale.
− Be able to deliver the item.
− Provide after-the-sale support.

3.1.3. Anonymity

Maintaining user anonymity is desirable in a great number of electronic commerce applications. For example, if you vote electronically, you probably do not want anyone to know the candidate for whom you voted; or if you use electronic cash to purchase a product, you may not want your identity to be known, since this information could be used to trace your spending patterns and maybe to spam you with junk mail. Although the interest of financial operators in providing anonymity is not clear, anonymity in e-commerce systems is clearly attractive for buyers. Purchasing digital items (especially in open networks) reveals information about the buyer's shopping behavior. Such buyer profiles are very appealing for commercial misuse. Thus it is desirable for buyers to be able to purchase digital items anonymously and to remain anonymous as long as they do not distribute the digital content illegally. To solve this problem, anonymous asymmetric fingerprinting (watermarking) schemes were first proposed by Pfitzmann and Waidner [3] [4]. The basic idea is that buyers do not have to identify themselves for the purchase, but if necessary the merchant can trace any traitors. The schemes are asymmetric so that honest buyers stay anonymous. Since then, several other anonymous asymmetric fingerprinting schemes have been proposed.

3.2. Copyright Protection

Preventing unlawful copying requires some hardware enforcement, copying licenses or some cryptographic software routines, but hackers usually break these techniques in a relatively short time. The DVD anti-copy technique was broken some years ago, so anyone can make a digital copy simply by using a freeware application downloaded from a public website. On the other hand, Microsoft Media Player's Digital Rights Management has recently been reported to be broken. Thus, copy detection techniques appear as the main solution for protecting the copyright of content in electronic format. The idea here is to track who made illegal copies rather than to prevent the action. Fingerprinting techniques use a watermarking system in order to embed a mark that identifies the buyer who has bought a certain copy of the content. The alterations that mark embedding applies to the content must be imperceptible; this means that the quality of the content should not decrease after watermarking. Moreover, watermarking techniques must be robust to content manipulation: for example, a mark must be recoverable from a JPEG picture even if it has been rotated after marking [5]. Several robust watermarking techniques have been proposed for pictures, more than for music or videos.

3.3. Watermarking

Traditional watermarking techniques used in real currency involve changing the density of the paper to create a mark that cannot be duplicated or erased without destroying the note itself. Digital watermarking takes a similar track by changing the image, film or music in the spatial or frequency domain in a way that only computers can detect. More than that, the coded information remains with the picture regardless of whether the image is printed, packaged, transmitted across the Internet or, in some cases, compressed. In other words, a digital watermark is some information which is added to digital content and can later be discovered or extracted to claim rights on this content [6].

Figure 2. Watermarking process

Figure 2 shows a traditional watermarking process. First of all, the watermark is embedded into the original signal (any kind of file); there are many techniques to do it, such as spectral watermarks or spatial watermarks. Then the product can be distributed, and if it is necessary to know the author's rights or other embedded information, it can be read by inverting the watermarking process and recovering that information. According to Pfitzmann in [3], a good transaction watermarking system should at least fulfill the following requirements:
− Data must be tolerant to errors: on the one hand, the marks must not decrease the usefulness of the copy to the buyer. On the other hand, the buyer should not be able to derive from the redundancy of the data where the marks are.
− Collusion tolerance: even if dishonest buyers have up to a certain number of copies, they should not be able to find all marks by comparing the copies. In particular, the watermarks must have a common intersection; in other words, a given number of copies should have marks that cannot be found by comparing the copies.
− Tolerance to additional errors: if a dishonest buyer adds some noise to the copy, the watermark should still be recognizable, unless there is so much noise that the copy as such is useless. In other words, the watermark should tolerate a greater level of noise than the data. In addition, it should survive lossy data compression.

3.3.1. Watermarking Techniques

Although in principle digital watermarks may be embedded in any digital medium, by far most published research on watermarking deals with graphic images and text. Robust image watermarking commonly takes two forms: spatial domain and frequency domain. The spatial domain watermarking technique slightly modifies the pixels in one of two randomly selected subsets of an image. Modification might include flipping the low-order bit of each pixel representation. It is easy to see how this would have little perceptible effect on the image when viewed with the common 24-bit color gamuts used today in monitors of generic home/office computers. Of course, this will work well only if the image is not subject to any human or "noisy" modification, but it does seem to hold up well under lossy image compression and selected filtering techniques. Spatial watermarking can also be applied using color separation, so that the watermark only appears in one of the color bands. This renders the watermark sufficiently subtle that it is imperceptible for all intents and purposes. However, the watermark appears immediately when the colors are separated for printing. This renders the document useless to the printer unless the watermark can be removed from the color band. This approach is used commercially to let journalists inspect digital pictures from a stock-photo house before buying un-watermarked versions. Watermarking can also be applied in the transform domain, using transforms such as the fast Fourier, discrete cosine and wavelet transforms. In the case of frequency transforms, the values of chosen frequencies can be altered from the original. Since high frequencies will be lost by compression or scaling, the watermark signal is applied to lower frequencies or, better yet, applied adaptively to frequencies that contain important information of the original picture (feature-based schemes). Since watermarks applied in the frequency domain will be dispersed over the entirety of the spatial image upon inverse transformation, this method is not as susceptible to defeat by cropping as the spatial technique. However, there is more of a trade-off between invisibility and decodability, since the watermark is in effect applied indiscriminately across the spatial image. Other transform domain techniques have their own particular characteristics with respect to the litmus test above. Watermarking can be applied to text images as well. Three proposed methods are text-line coding, word-space coding and character encoding. For text-line coding, the text lines of a document page are shifted imperceptibly up or down. For a 40-line text page, for instance, this yields 2^40 possible code words. For word-space coding, the spacing between words in a line of justified text is altered. Of course, the watermark can be defeated by retyping the text. [7][8]

4. Secure Anonymous Purchase Protocol Proposal

In this paper we are proposing a Secure Anonymous Purchase Protocol for copy detection. The idea is not to prevent copying, but to track whether copying has taken place. Watermarking is the main technique for hiding copyright information in content such as images, music and film; the information being hidden or embedded is called the watermark. We take advantage of that technique using specific information: we embed a serial number or nickname identifying the buyer, which is what we call transaction watermarking. The scheme can deter people from illegally redistributing digital content by making it possible for the merchant to identify the original buyer of the redistributed copy, usually referred to as the traitor or dishonest buyer.

4.1. Symmetric vs. Asymmetric

In general, transaction watermarking schemes are classified into two different classes, called symmetric transaction watermarking schemes and asymmetric transaction watermarking schemes. In symmetric watermarking, the mark is embedded into the content by the merchant, who later sells the marked copy to the buyer. So, both the merchant and the buyer know the marked copy. The main problem of such schemes is that a dishonest merchant can redistribute a copy recently sold and accuse the buyer of illegal redistribution. On the other hand, this argument can be used by a dishonest buyer, who can claim it was the merchant who redistributed his/her copy. Thus, we have a security hole in the system and cannot decide who is actually dishonest. While in symmetric schemes the merchant watermarks the data item, in asymmetric schemes this is achieved through an interactive protocol between the buyer and the merchant where the buyer also embeds his own secret (nickname). At the end of the protocol only the buyer knows the watermarked data item. The advantage of the asymmetric schemes over the symmetric ones is that the merchant can obtain a proof of treachery to convince any honest third party. [9]

4.2. Protocol Description

The Secure Anonymous Purchase Protocol we are proposing is split into three parts:
1. Buyer's registration, with the Buyer and Anonymous Server entities.
2. Dealing process, with the Buyer and Merchant entities.
3. Transaction watermarking, with the Buyer, Merchant and Asymmetric Server (trusted third parties) entities.

4.2.1. Buyer's Registration

Buyers must be registered in the Anonymous Server. The information about buyers will be saved in the Anonymous Server database. The server must have a process to generate private codes or random nicknames to deliver to the buyers. In that communication we can encrypt the messages by using a public key system, in order to make the system safer.

Figure 3. Registration process

As we can see in Figure 3, the buyer registration protocol has three steps:
1. Buyers send the request and also their public key.
2. The Anonymous Server saves the buyer information in the database and executes the nickname generation process.
3. Finally, the Anonymous Server sends the generated nickname to the buyer. The Anonymous Server should send it through a digital envelope using the buyer's public key.

4.2.2. Dealing Process

Merchants usually have a license server in order to manage the digital purchase. The buyer places an order at the Merchant's web site, paying with a card. The Merchant routes the transaction authorization request through a payment processor to the appropriate card system. The issuing bank returns an authorization to the card association, or a rejection if the transaction is not authorized, so the merchant can re-request or cancel. The card system contacts the issuing bank (buyer's bank) to request transaction authorization. The issuing bank approves the transfer of money to the acquiring bank (merchant's account). Finally, buyers receive what they have bought from the Asymmetric Server. [10]

4.2.3. Transaction Watermarking

To arrive at this point we need the merchant and the buyer to agree in the dealing process (see 1 and 2 in Figure 4). Once they have agreed and accepted the business, the Asymmetric Server takes the leading role. The Asymmetric Server receives the digital item from the merchant (see 3a in Figure 4) and the buyer's nickname from the buyer (see 3b in Figure 4). With that information the Asymmetric Server is ready to carry out the transaction watermarking process (see 4 in Figure 4). The algorithm inputs are the buyer's code and the file; it then starts the embedding process, which should fulfill requirements such as imperceptibility, robustness and capacity. Finally, the algorithm returns the watermarked item as its output. Once the digital item has been watermarked with no problems, the Asymmetric Server sends the watermarked item to the buyer (see 5 in Figure 4). We have to be careful and avoid security holes, i.e. by sending all kinds of data (requests, items, nicknames...) encrypted.

Figure 4. Asymmetric protocol

4.3. Unmasking Protocol

In case a merchant finds an illegally redistributed copy of the digital item, the dishonest buyer can be discovered and prosecuted or denounced. Nowadays many P2P programs (eMule [11], DC++ [12], torrent...) exist where merchants can find illegal copies very easily. In order to unmask the dishonest buyers we propose another protocol to help in this direction. Firstly, merchants send the illegal copy they have found to the Asymmetric Server. They should identify themselves as merchants and should have the transaction receipt, to prevent dishonest merchants and make the protocol safer. Then, the Asymmetric Server extracts the watermark to obtain the buyer's nickname and sends it to the Anonymous Server. The Anonymous Server looks up its database to check the buyer identity. In addition, the Anonymous Server sends the buyer information to the merchant, who will be able to prosecute the dishonest buyer with irrefutable proofs (thanks to the trusted third parties). As can be seen in Figure 5, when merchants find an illegal copy and want to denounce the buyer, they have to follow 6 steps:
1. The Merchant sends the illegal copy to the Asymmetric Server.
2. The Asymmetric Server obtains the embedded information.
3. The Asymmetric Server sends the embedded information (nickname) to the Anonymous Server.
4. The Anonymous Server checks the nickname and gets the real buyer identity (maybe the buyer is introduced into the Anonymous Server black list).
5. The Anonymous Server sends the buyer's data to the Merchant.
6. The Merchant may prosecute the buyer.
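As an added illustration (not code from the paper), the following stdlib-only Python models the three parties of Sections 4.2 and 4.3 with a spatial-domain low-order-bit mark as described in Section 3.3.1: registration hands out a random nickname, the transaction embeds it in the item and issues the merchant a receipt, and unmasking refuses any request that does not carry a valid receipt for the sale the suspect copy belongs to. The class and method names, the HMAC receipt and the constructed pixel data are assumptions of this example; public-key envelopes and payment are not modelled.

```python
# Added example (not the paper's code): stdlib-only simulation of the parties of
# Sections 4.2-4.3.  Anonymous Server = nickname registry; Asymmetric Server =
# transaction watermarking and unmasking; the Merchant is the caller holding a
# receipt.  The item is a constructed list of 8-bit grey pixels marked with a
# spatial-domain LSB watermark (Section 3.3.1); the receipt is an HMAC issued by
# the Asymmetric Server.  Public-key envelopes and payment are not modelled, and
# every name below is an assumption made for this example.
import hmac
import secrets

class AnonymousServer:
    """Figure 3: registers buyers and maps random nicknames back to identities."""
    def __init__(self):
        self._by_nick = {}      # nickname -> (identity, public key)
        self.blacklist = set()

    def register(self, identity, pubkey):
        # Steps 1-3: store the buyer, hand back a fresh unguessable nickname.
        nick = "nick-" + secrets.token_hex(8)
        self._by_nick[nick] = (identity, pubkey)   # pubkey would seal the reply
        return nick

    def unmask(self, nick):
        # Figure 5, steps 4-5: resolve the nickname and blacklist the buyer.
        identity, _ = self._by_nick[nick]
        self.blacklist.add(identity)
        return identity

def lsb_embed(pixels, payload):
    """Store len(payload) and payload in the low-order bit of successive pixels."""
    framed = bytes([len(payload)]) + payload
    bits = [(b >> i) & 1 for b in framed for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("item too small for the mark")
    marked = list(pixels)
    for i, bit in enumerate(bits):
        marked[i] = (marked[i] & 0xFE) | bit    # each pixel changes by at most 1
    return marked

def lsb_extract(pixels):
    """Inverse of lsb_embed: read the length byte, then that many payload bytes."""
    def byte_at(start):
        return sum((pixels[start + k] & 1) << (7 - k) for k in range(8))
    return bytes(byte_at(8 + 8 * n) for n in range(byte_at(0)))

class AsymmetricServer:
    """Figure 4: trusted third party that marks items and unmasks on valid receipt."""
    def __init__(self, anon):
        self.anon = anon
        self._key = secrets.token_bytes(32)     # MAC key for transaction receipts
        self._tx = {}                           # txid -> (merchant, nickname)

    def _receipt(self, merchant, txid):
        return hmac.new(self._key, f"{merchant}:{txid}".encode(), "sha256").hexdigest()

    def transaction(self, merchant, item, nick):
        # Steps 3-5: item from the merchant, nickname from the buyer, marked copy out.
        txid = secrets.token_hex(4)
        self._tx[txid] = (merchant, nick)
        return lsb_embed(item, nick.encode()), txid, self._receipt(merchant, txid)

    def unmask(self, merchant, txid, receipt, suspect):
        # Figure 5, steps 1-3: only a merchant holding the receipt for this sale
        # may ask; the nickname read from the copy must match that sale.
        if not hmac.compare_digest(receipt, self._receipt(merchant, txid)):
            raise PermissionError("invalid transaction receipt")
        nick = lsb_extract(suspect).decode("ascii", errors="replace")
        if self._tx.get(txid) != (merchant, nick):
            raise PermissionError("copy does not belong to this transaction")
        return self.anon.unmask(nick)
```

Calling `register`, `transaction` and `unmask` in that order on a 512-pixel list reproduces the purchase of Figure 4 and the unmasking of Figure 5; a forged receipt, or a receipt for another merchant, is rejected before any nickname is resolved.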

Figure 5. Unmasking protocol

5. Conclusions

In this paper we propose secure anonymous purchase protocols to discourage buyers from illegally redistributing the digital data they have purchased. These schemes enable merchants to identify the original buyer of the data. Anonymous watermarking schemes allow buyers to purchase their watermarked digital goods anonymously; only upon illegal redistribution can anonymity be revoked. That aim is fulfilled. There is much research in both the watermarking and the fingerprinting fields, mostly theoretical. Using a trusted third party is not uncommon in e-commerce and cryptographic protocols, and it is a price worth paying if it can turn asymmetric watermarking into a practical alternative. One must be very careful in the choice of the auditing authority that manages the Asymmetric Server and the Anonymous Server: they must be absolutely trusted. Large multimedia producers or large certification authorities (CAs) could play that role.

6. Future work

Three main areas are foreseen for future work:
− Study the tolerance of the secure anonymous purchase protocols under real-life scenarios, and integrate these protocols in e-commerce.
− Study the security of the secure anonymous purchase protocols, focusing on the behavior of buyers and merchants.
− Study efficient watermarking techniques in order to make purchases faster for customers.

7. Acknowledgment

The work presented was developed within VISNET, a European Network of Excellence (http://www.visnetnoe.org), funded under the European Commission IST FP6 programme.

8. References

[1] Digital purchase. http://www.school-for-champions.com/ecommerce/basics.htm
[2] A. Martinez Balleste, "Real-Time Pay-per-View of Protected Multimedia Content", 2004.
[3] B. Pfitzmann and M. Schunter, "Asymmetric fingerprinting", Advances in Cryptology, EUROCRYPT 1996.
[4] B. Pfitzmann and M. Waidner, "Anonymous fingerprinting", Advances in Cryptology, EUROCRYPT 1997.
[5] A. Martinez-Balleste, F. Sebe, J. Domingo-Ferrer and M. Soriano, "Practical Asymmetric Fingerprinting with a TTP".
[6] C. Garcia and R. Cano, "Digital Rights Management", Master's thesis in Image Coding, 2003.
[7] H. Berghel, "Watermarking Cyberspace", Communications of the ACM, November 1997.
[8] H. Berghel, "Digital Watermarking Makes Its Mark", Communications of the ACM, 1998.
[9] M. Kim, J. Kim and K. Kim, "Anonymous Fingerprinting as Secure as the Bilinear Diffie-Hellman Assumption", IRIS.
[10] E-cash. http://www.ecash.com/
[11] eMule. http://www.emule-project.net
[12] DC++. http://dcplusplus.sourceforge.net/