- Research Article
- Open Access
- Published:

# On the Implementation of Spread Spectrum Fingerprinting in Asymmetric Cryptographic Protocol

*EURASIP Journal on Information Security*
**volume 2010**, Article number: 694797 (2010)

## Abstract

Digital fingerprinting of multimedia contents involves the generation of a fingerprint, the embedding operation, and the realization of traceability from redistributed contents. Considering a buyer's right, the asymmetric property in the transaction between a buyer and a seller must be achieved using a cryptographic protocol. In the conventional schemes, the implementation of a watermarking algorithm into the cryptographic protocol is not deeply discussed. In this paper, we propose the method for implementing the spread spectrum watermarking technique in the fingerprinting protocol based on the homomorphic encryption scheme. We first develop a rounding operation which converts real values into integer and its compensation, and then explore the tradeoff between the robustness and communication overhead. Experimental results show that our system can simulate Cox's spread spectrum watermarking method into asymmetric fingerprinting protocol.

## 1. Introduction

Due to the recent advances in broad-band network and multimedia technologies, the distribution and sharing of digital multimedia contents are increasing. It also helps a malicious party to duplicate and redistribute the contents, hence the protection of the ownership is strongly required. Encryption of the content cannot solve the problem because it must be ultimately decrypted at legitimate users who are the potential traitors in the future. Therefore, additional protection mechanisms are needed to discourage unauthorized redistribution. One of the mechanisms is the fingerprinting of multimedia which enables a seller to trace illegal users by embedding identification information into the content prior to distribution [1].

The research on fingerprinting techniques is classified into two studies: collusion resistant fingerprinting systems and cryptographic protocol. Since each user purchases a content containing his own fingerprint, each content is slightly different. If users collect some of them, they try to find the difference and delete/change the embedded information. In order to tolerate such an attack, designing collusion resistant fingerprint codes [2, 3] and orthogonal fingerprinting schemes like the spread spectrum watermarking technique [4] had been proposed. In a cryptographic protocol, the goal is to achieve the asymmetric property between a buyer and a seller such that only the buyer can obtain a uniquely watermarked content because of the threat of dispute. If both of the parties know the content, the buyer may redistribute a pirated copy but later repudiate it by insisting that the copy come from the seller.

In [5–9], the asymmetric protocol is performed by exploiting the homomorphic property of the public-key cryptosystem that enables a seller to obtain the ciphertext of watermarked content by operating an encrypted fingerprint with an encrypted content. Since the ciphertext is computed using a buyer's encryption key, only the buyer can decrypt it; hence, only he can obtain the watermarked content. It is also desirable for the fingerprinting protocol to solve the unbinding problem such that the relation between fingerprint information and a specific transaction performed by a buyer and a seller [10]. On the other hand, Pfitzmann and Sadeghi [5, 6] introduced the digital cash scheme to a fingerprinting protocol, and Camenisch [7] used group signature schemes for the solution of the unbinding problem. In both schemes, bit commitment schemes are exploited at the embedding protocol using zero-knowledge proof because the protocol is performed only by a buyer and seller. For the realization of two-party protocol, their scheme sacrifices the selection of embedding information, namely a fingerprint. In their protocol, a fingerprint is a randomly selected integer by a buyer, and each bit of the fingerprint is committed to a seller for the security reason. In such a case, the encoding of the fingerprint by a collusion secure code [2, 3, 11] is difficult because the seller cannot check that the committed data is the codeword, and the exploitation of the spread spectrum watermarking technique is also difficult. In addition, the protocol of the zero-knowledge proof consumes much communicational resources for the transaction. These characteristics greatly degrade the practicality of the fingerprinting protocol.

The fingerprinting protocol in [10] introduced a trusted authority who generates a robust fingerprint when valid items of a certain transaction between a buyer and a seller are transmitted from the seller. Furthermore, the enciphering rate of the two-party protocol applied in the conventional schemes [6, 7] must be less than for the security of commitment schemes. If the data size of a content is 1 MB, the amount of communication data is more than 1 GB, which is extremely inefficient. In [9], the enciphering rate is drastically improved using a public-key cryptosystem with an additive homomorphism. Although the homomorphic property is effective for constructing asymmetric fingerprinting, there are still problems in its implementation.

In this paper, we propose the method for implementing the spread spectrum watermarking technique by carefully designing parameters for rounding operation. The preliminary version of this paper was presented in EUSIPCO2008 [12]. If frequency components of digital contents are used for the embedding of fingerprint information, they must be quantized in order to truncate real value to integer. Then, the precision of the frequency components should be considered in order not to degrade a watermarked image. When the spread spectrum watermarking technique in [4] is applied, the precision of the representing watermark signal is sensitive for the implementation. By scaling up the parameters by multiplying a constant factor, the precision is increased in our scheme. Then, the tradeoff between the scaling factor and the amount of data to be transmitted must be considered. In addition, for the characteristic of the fingerprinting protocol, frequency components and the watermark signal must be separately encrypted after quantization. In such a case, the consistency of the precision is a sensitive issue. Since an embedding operation is performed by addition of frequency components and a spread spectrum sequence, the additive homomorphic property of public-key cryptosystems [13, 14] can be directly exploited for the embedding. Then, the separate rounding operation causes interference terms in a deciphered data at a buyer side. Without loss of secrecy of an original content, the interference term is removed after decryption. The performance of our proposed method is evaluated by comparing it with the conventional scheme [4], which confirms the similar identification capability of illegal buyers.

## 2. Related Works

### 2.1. Asymmetric Property

If both a buyer and a seller obtain a watermarked content in a fingerprinting protocol, the seller cannot prove the illegal distribution by the buyer to a third party, even if the buyer's fingerprint is extracted. This is because the seller may distribute it himself in order to frame an innocent buyer. Hence, it is desirable that only a buyer is able to obtain his own fingerprinted content in the protocol. Such a protocol is called asymmetric fingerprinting protocol which concept was presented by Pfitzmann and Schunter [15]. In order to achieve such an asymmetric property, the homomorphic property of public-key cryptosystems is introduced in the fingerprinting protocols [8, 9, 16].

Let be a ciphertext of a message . The homomorphic property satisfies the following equation:

where and is one of the operations, *addition, multiplication, XOR,* and so forth, which is related to the applied cryptosystem and the embedding algorithm (Most public-key cryptosystems select multiplication for ). If is regarded as a digital content and as a fingerprint, the fingerprint can be embedded in the content without decryption by multiplying those ciphertexts. Since they are calculated using a buyer's public encryption-key, the watermarked content is decrypted only by the buyer, hence the asymmetric property is satisfied. The embedding operation based on the homomorphic property is basically performed for each element of fingerprint information which will be composed of bit-sequence or spread spectrum sequence, hence each element is separately embedded in its corresponding position. Thus, is not the entire content, but one of the components like the frequency elements to be fingerprinted by a watermarking technique. When the vector representation of is given by , the ciphertext is also represented as . As a consequence, the detail of (1) is given by

Memon and Wong [8] apply multiplicative property of RSA scheme [17] to embed the fingerprint, and Pfitzmann and Sadeghi [5, 6] exploit bit commitment schemes based on the quadratic residues [18]. Kuribayashi and Tanaka [9] apply the additive homomorphic property of public-key cryptosystem such as Okamoto Uchiyama encryption scheme [13] and Paillier cryptosystem [14].

In watermarking techniques [1] for digital images, it is advisable to embed information in the frequency components for both the robustness and perceptual quality. However, as the frequency components are generally represented by real value, there is a difficult problem to apply cryptographic techniques directly because they are based on the algebraic property of integers. Many schemes [8, 10] ignored the implementation of watermarking algorithm into the asymmetric fingerprinting protocols, instead they merely showed the validity of the cryptographic protocols which ensure the asymmetric property and the anonymity of buyers.

Considering the adaption of watermarking techniques for cryptographic fingerprinting protocol, a quantization method is useful as a fingerprint that can be embedded when the coefficients are quantized. In [9], the quantization index modulation based watermarking technique (QIM) [19] is applied for the embedding procedure because it rounds the values of frequency components in integers. Prins et al. [20] adapted three kinds of dithering modulations, which can improve the robustness of the QIM method, to the fingerprinting scheme, and implemented the method using a sufficiently large scaling factor. However, the enciphering rate is neglected. We assume that the bit-length of the message space is and that of each watermarked frequency components is . Generally, is much larger than . In order to exploit the message space effectively, dozens of watermarked frequency components are packed in one message in [9], hence, the enciphering rate is almost equivalent to that of an applied cryptosystem by suitably designing the message space of a ciphertext. It is remarkable that a negative number must be avoided because it is represented by much longer bit-sequence under the finite field of applied cryptosystem, which affects the other packed ones.

Although the capacity of embeddable information is large, considering the robustness against collusion attacks the spread spectrum watermarking technique is superior to QIM and its variants. In [8], the adaption of Cox's spread spectrum watermarking scheme [4] is discussed. Regretfully, there is a problem in the implementation because the rounding-off operation is not deeply considered for the spread spectrum watermarking algorithm.

### 2.2. Collusion Resilience

It is important to generate fingerprints that can identify colluders. In a fingerprinting scheme, each fingerprinted copy is slightly different, hence, malicious users will collect some copies with respective watermark in order to remove/alter the watermark. A number of works on designing fingerprints that are resistant against the collusion attack have been proposed. Many of them can be categorized into two approaches. One is to exploit the Spread Spectrum (SS) technique [4, 21, 22], and the other approach is to devise an exclusive code, known as collusion-secure code [2, 3, 11], which has traceability of colluders.

In the former approach, spread spectrum sequences which follow a normal distribution are assigned to users as fingerprints. The origin of the spread spectrum watermarking scheme is Cox's method [4] that embeds the sequence into frequency components of digital image and detects it using a correlator. Since normally distributed values allow the theoretical and statistical analysis of the method, modeling of a variety of attacks have been studied. Studies in [21] have shown that a number of nonlinear collusions such as interleaving attack can be well approximated by averaging collusion plus additive noise. So far, many variants of the spread spectrum watermarking scheme are based on the Cox's method.

Since the QIM watermarking technique [9] and its variants [20] are aiming at the extraction of a watermark bit-sequence, the latter approach is suitable to implement. The practicality of the latter approach is, however, restricted because of the long code length. In [23], the capability of QIM for the latter approach has been explored. The results show that one variant, which is called the spread transform dither modulation (STDM), retains an advantage under the blind detection. Under the non-blind detection, which is a reasonable assumption in a fingerprinting system, there is still a performance gap with the spread spectrum method. Moreover, in [24], the traceability is further improved by combining a spread spectrum embedding like Cox's method. Hereafter, we focus on the implementation of Cox's method in a fingerprinting protocol.

Let be a watermark signal composed of elements and each of them is embedded into selected DCT coefficient based on the following equation:

where is a normal distribution with mean 0 and variance 1, and is an embedding strength. At the detector side, we determine which SS sequence is present in a test image by evaluating the similarity of sequences. From the suspicious copy, a sequence is detected by calculating the difference from the original image, and its similarity with is obtained as follows:

If the value exceeds a threshold, the embedded sequence is regarded as . When an original image is available, the above similarity measurement is valid because the main interference term, which is the frequency components of the original image, can be completely removed at the detection. However, under the blind detection, the removal of the interference term becomes a serious problem for an optimum detection. There are some related works [25, 26] concerning to the problem. Since our scope is to implement the spread spectrum method on the encrypted domain in the asymmetric protocol, the detail of the related works is omitted in this paper. Furthermore, in a fingerprinting, it is assumed that an original image is available at the detection because the operation is performed by the author or his agent. Hence, at the detection, DCT coefficients of a test image are subtracted from those of the original image, and then the correlations with every candidates of watermark signal are computed. Thus, non-blind and informed watermarking scheme can be applied.

A simple, yet effective collusion attack is to average some variants of copy because when copies are averaged, the similarity value calculated by (4) results in shrinking by a factor of , which will be roughly [4]. Even in this case, we can detect the embedded watermark and identify colluders by using an appropriately designed threshold.

### 2.3. Unbinding Problem

In the elementary fingerprinting protocol [8] involving a trusted authority, fingerprint information to be embedded is not well considered, which is merely related to user's information such as name, address, phone number, e-mail address, and so forth. When a seller finds an illegal copy and detects the corresponding buyer by extracting the fingerprint, he will go to court with the collected proofs. A malicious seller, however, frames the detected buyer by embedding the obtained fingerprint into other contents which are more expensive than the detected one that he really sold to the buyer. Therefore, once a seller obtains a fingerprint, it is possible for him to transplant it into another more expensive contents so that he can get compensated more.

In [10], a fingerprint is binded with a common agreement () by producing the signature of a trusted watermark certification authority (WCA), and the transaction of digital contents is uniquely associated with a log file. For anonymity of buyers, a digital certification authority (CA) is introduced in the fingerprinting protocol. A buyer B first randomly selects a key pair , where and are the public and secret keys of public-key cryptosystem, respectively. He sends , which is a pseudonym associated with B, to CA in order to get an anonymous certificate . When B makes an order to a seller S, he checks the validity of . Then S asks WCA to generate a unique watermark W for the current transaction between B and S. The protocol between the buyer B and seller S is summarized below (the detail is referred to [10]).

(1)B selects one-time key pair and generates its certificate using the public key . After making a common agreement , B calculates a digital signature using the one-time public key . B sends , , , , , and to S.

(2)If the validity of the received items is verified, S generates a watermark and embeds it into contents . The watermarked one is denoted by . The watermark is reference information to retrieve this sale record from illegally distributed copy; hence it could be omitted if the seller wants to avoid the degradation of quality. Then, S send , , , and to WCA.

(3)Upon receiving the items, WCA verifies the validity of the certificate and signature, and reject the transaction if any of them is invalid. Otherwise, using it generates an unique and robust watermark as fingerprint information which is specific to this transaction. Then, it computes , , and , and sends them back to S.

(4)When S receives the response, the embedding operation in encrypted domain is performed by computing

where implies the embedding operation based on the homomorphic property. Then, S delivers to B.

(5)After decrypting the received , B obtains the watermarked content ,

where is an enciphering function using a public key . The flow of the transaction is summarized in Figure 1.

## 3. Implementation for Watermarking Algorithm

In this section, we show how to implement the spread spectrum watermarking technique [4] in the fingerprinting protocol based on the homomorphic property of public-key cryptosystem. Hereafter, for simplicity, the embedding of the reference information is omitted in the protocol, and we assume that an original image is composed of pixels and is represented by the DCT selected coefficients and the remaining ones .

### 3.1. Embedding

The embedding operation in (3) can be easily performed using the additive homomorphic property of public-key cryptosystems such as the Okamoto-Uchiyama encryption scheme [13] and the Paillier cryptosystem [14]. Remember that (3) is composed of two operations; multiplication and addition for and , respectively. Since the multiplication is realized by the iteration of addition, the embedding operation is represented by the multiplication and exponentiation as follows:

The above operation can be directly applied for the operation in (5). Here, it is noticed that a watermark signal and DCT coefficients are generally represented by real values and they must be rounded to integers before the encryption. If such parameters are directly rounded to the nearest integers, it may result in the loss of information. Hence, they should be scaled before rounding-off. In addition, negative numbers should be avoided considering the property of a cryptosystem as mentioned in Section 2.1 Hence, a rounding operation that maps real value into positive integer is required.

At first, we show the operation concerning to a watermark signal . Since the ciphertext of is computed by a watermark certification authority WCA, the enciphering operation is performed previously sent to a seller S. A constant positive integer value is added to each element of watermark signal to make the value positive. Then, it is scaled by a factor of in order to keep the degree of precision, and it is quantized to . Such operations are formalized by the following one equation:

where outputs the nearest integer from a real value , and is the quantization error of . After the operation, WCA encrypts using a public key , and the ciphertexts , and are sent to S. It is noted that corresponds to in Figure 1, and the corresponding ciphertext of is also sent to S.

Next, S performs the rounding operation to DCT coefficients as follows. A positive integer value is added to each DCT coefficient, and then scaled by . By quantizing it, the rounded DCT coefficient is obtained:

where is the quantization error of . For the control of rounding operation of each DCT coefficient, the watermark strength is modified to ;

where is the quantization error of . Using the above items, S embeds into for based on the additive homomorphic property of public cryptosystem as follows:

Since the plain value of the ciphertext is

The scaling factor and the adjustment factor are necessary to calculate the actual watermarked DCT coefficients . The reason why is rounded to an integer is explained in Section 3.4 Therefore, these two parameters and are sent to B as well as . It is noticed that the remaining DCT coefficients should be sent to B. In order to keep the secrecy of the embedding position, they must be encrypted before delivery. Without loss of generality, the rounding operation for those coefficients are given by

and the ciphertexts are sent with to B. Namely, the ciphertexts of a watermarked image , which is corresponding to in Figure 1, is composed of those ones.

### 3.2. Decryption and Post-Processing

After the decryption of the received ciphertexts , B divides the results by a factor of , and then subtracts as the post-processing operation. It is noticed that the adjustment factor contains a rounding error , so it is rewritten by

At the embedding position, the ciphertexts are and the post-processing operation outputs the watermarked coefficients as follows:

where is a deciphering function using a secret key and is the total rounding error represented by

At the other position, the ciphertexts are and B obtains after the postprocessing operation:

It is remarkable that the embedding position is kept secret from B, the classification of the above operations is difficult.

### 3.3. Amount of Quantization Error

If an original image is available at the detection, the embedded watermark signal is extracted by calculating the differences of pirated copy's DCT coefficients from the original ones. The extracted signal must contain the quantization error caused by the rounding operation at embedding, and it is represented by

The amount of quantization error depends on the parameters , , , and :

It is noted that the values of the quantization errors , , and is uniformly distributed within the range [0.5, 0.5). So, if the scaling parameter is small, the term remains as a dominant factor in , and the quantization error is almost uniformly distributed in the range.

The energy of the quantization error in a watermarked copy is

Suppose that each watermarked copy contains a quantization error with energy and colluders average their copies. As the value of each copy's becomes , the energy becomes . The averaged copy contains the sum of such attenuated quantization error, hence the total energy of the quantization error in the averaged copy is estimated to be . With the increase of , the energy of the quantization error is to be dropped to of its original value.

### 3.4. Consideration

In Cox's method, a watermark is selected from Gaussian distribution . From the statistical property, when a parameter is given, the error probability that is less than 0 is obtained as follows:

where stands for the complementary error function. In other words, if the error probability is fixed, we can calculate the smallest integer . For example, when , the error probability is . Under a certain probability, when is less than 0, such a value is rounded to 0 in order to avoid the underflow. Considering the amount of the quantization error in (18), it is desirable to select as small as possible.

In (3), the watermarked coefficient is composed of two terms; and . Since is encrypted at the center WCA prior to the embedding operation at S, and are rounded separately. Considering the post-processing at B, the scaling factors , , and the compensation factor should be constant. Here, we assume that a constant value is uniformly added to real values which are and to make it positive. Then, B must subtract the interference term related to both and , which requires additional communication costs. If the adjustment factor is varied with respect to , the amount of information to be sent to B from S becomes very large. In order to avoid it, we set a constant value by controlling the value . Even if and is known and is fixed, to obtain is still informationally difficult because of two unknown parameters and for a given one equation . As a consequence, the secrecy of the original DCT coefficients is assured. If the value of is sufficiently large, that of the parameter is also large and hence the value of is positive.

### 3.5. Concatenation

Notice that if the values of scaling factors are are increased, the proposed scheme can simulate the original Cox method more precisely. From the viewpoint of enciphering rate, however, these factors should be small. Referring to [9], the bit-length of a watermarked coefficient , which is represented by a constant bit-length , is much smaller than that of message space in cryptosystems such as the Okamoto-Uchiyama encryption scheme [13] and the Paillier cryptosystem [14], and some of are packed in one message :

where denotes a concatenation and is the number of packed coefficients which is dependent on and . Such a packing operation is easily performed by computing the th power of :

The appropriate size of and are explored by implementing them on a computer and evaluating the simulated performance. It is worth mentioning that the enciphering rate of the Paillier cryptosystem approaches asymptotically 1 using the extension of the cryptosystem [27] and then more data can be packed in one ciphertext. Although the works in [28, 29] can encode rational numbers by a limited precision, they are not suitable for the packing operation.

## 4. Experimental Results

We have implemented our algorithm presented in Sect.3 and compared the performance with the original spread spectrum watermarking technique [4]. Since the basic algorithm of our scheme is Cox's scheme with a limited precision, we evaluate the degradation of an image by PSNR and the detected correlation values because it directly reflects the amount of changes between our fingerprinted image and the original fingerprinted one. If the results are similar, we regard that the performance of our simulated scheme is not degraded from that of the original one. In our simulation, a standard gray-scaled image "lenna" of pixels is used, and the constant values are set and ( is calculated by (13)). Even if and are added, the values of and might be negative. In such a case, the values are simply rounded to 0. In the following simulation, the number of simulation is times, and the results are the averaged values.

A quantization error is caused by the rounding operation after orthogonal transformation which converts the frequency domain into the spatial domain as well as the rounding operation at the embedding of signal. For the evaluation of the quantization error shown in (18), the differences of watermarked images are calculated with respect to the scaling parameters and , and the probability density function (p.d.f.) is depicted in Figure 2 when and changing the scaling parameters and . Figure 2(a) shows the quantization error by fixing one scaling parameter . We can see that the shape of the p.d.f. is sharpened centering on zero with the increase of . It is because of the decrease of the first term in (18). Figure 2(b) shows the quantization error by fixing the other scaling factor . It confirms that the value of the quantization error is almost uniformly distributed when is small because the first term is not changed and it distributes uniformly in the range . It is also noticed that the other terms in (18) is attenuated by the increase of . Figure 2(c) confirms that the variance of the quantization error is decreased when both and are increased. Since the performance of Cox's scheme depends on the parameters and , the comparison of the p.d.f. is shown in Figure 3 using different values. We can see that the variance of the p.d.f. becomes large when is increased and is decreased. It is because the magnitude of selected DCT coefficients becomes small when is increased, hence, the value of the corresponding quantization error becomes large. It is remarked that the embedded signal energy as a watermark becomes smaller when is decreased. In the following simulation, we use the parameters and for the evaluation.

It is important to evaluate the quantization error when a collusion attack is performed. Considering the studies in [21], we perform the averaging as the collusion attack. The changes in the quantization error are depicted in Figure 4 using several combination of and . We can see that there is a big changes of p.d.f. when from Figure 4(b). It is because the first term in (18) follows Gaussian distribution considering the statistical property if is sufficiently large.

For the comparison of the image quality, the degradation of watermarked images and averaged copies is shown in Figure 5. We can see that the PSNR of our method is approaching to the original one according to the increase of scaling parameters and , and the degradation of the PSNR is mainly dependent on . It is because the first term in (18) becomes small with the increase of . From the results, we can say that our watermarked images are very close to the original ones if and .

For the evaluation of correlation values, we embed a watermark signal using the original Cox's scheme and our scheme. The comparison of correlation values for the watermark images is shown in Figure 6(a), where that of the original scheme is 31.680 depicted by black line on the top of the graph. The correlation values of averaged copies are also shown in Figures 6(b) and 6(c), where the original values are 14.134 and 9.954, respectively. We can see that the performance is asymptotically reaching the original value according to the increase of the scaling factors and . Different from the results of PSNR, the correlation values becomes very close to the original value if and . This means that the quantization error degrades the correlation value much more than the value of PSNR. The results indicate that the correlation value is more sensitive to the noise injected to a watermarked image. The degradation of the correlation values is also compared by changing the number of colluders, which results are shown in Figure 7. From the results, we can say that the correlation values of our scheme using are almost coincident with the original values.

The error (false-positive) probability is an important factor to evaluate the performance of fingerprinting scheme, and the probability is dependent on the design of the threshold for a correlation value to determine guilty. If our method uses the same design of the threshold as the original one, the changes of the probability can be evaluated by the distribution of non-colluders' correlation values. Using watermark signals assigned for non-colluders, the correlation values are calculated. The mean and variance of the correlation values and the maximum values are shown Table 1. From the results, we can say that the distribution of our method is very similar to that of original one. It is remarkable that the maximum value of our method is slightly smaller than that of original one. This means that the error probability of our method is slightly improved.

From the above results, the degradation of performance from the original scheme is very slight, and it does not affect the robustness against attacks. It is noted that the scaling factors and is closely related to the degradation of performance. It is better to increase the value of these parameters, for example and , but we have to consider the communication costs because the bit-length to represent the watermarked DCT coefficient is increased according to the size of and , which degrades the coding rate of such information. For other images, "aerial", "baboon", "barbala", "f16", "girl", and "peppers", the similar results are derived with the above parameters as shown in Tables 2 and 3. The attenuation of PSNR value from the original one is at most , that of the correlation value is at most , and under the averaging collusion the attenuation is less than . As a consequence, recommended parameters are and from our simulation results. It is expected that other kinds of spread spectrum watermarking schemes will be simulated with the similar precision, and the implementation is our future work.

When we use the above recommended parameters, the value of can be represented by 20 bits (the range must be within [0, ] if and ). For the security reason, the bit-length of a composite for the modulus of the Paillier cryptosystem should be no less than 1024 bits. When , an 1024-bit message is encrypted to an 2048-bit ciphertext. Under the above condition, the number of watermarked DCT coefficients in one ciphertext is at most . Since the number of DCT coefficients are , the number of ciphertexts is 1286 and the total size of the ciphertexts is about 2.5 MB, which is about 40 times larger than the original file size 66 KB. In the case that the packing is not performed, the total size is more than 128 MB. Therefore, the proposed method efficiently implements the Cox's spread spectrum watermarking scheme in the asymmetric fingerprinting protocol.

## 5. Conclusion

In this paper, we discuss about the implementation of the fingerprinting protocol based on the additive homomorphic property of public-key cryptosystems. The effects of rounding operation which maps a real value into a positive integer are formulated, and an auxiliary operation to obtain a watermarked content is presented. From our simulation results, the identification capability of our algorithm is quite similar to the Cox's algorithm, hence we can simulate the scheme on the cryptographic protocol with a limited precision.

## References

- 1.
Katzenbeisser S, Petitcolas FAP:

*Information Hiding Techniques for Steganography and Digital Water-Marking*. Artech House, Boston, Mass, USA; 2000. - 2.
Boneh D, Shaw J: Collusion-secure fingerprinting for digital data.

*IEEE Transactions on Information Theory*1998, 44(5):1897-1905. 10.1109/18.705568 - 3.
Trappe W, Wu M, Wang ZJ, Liu KJR: Anti-collusion fingerprinting for multimedia.

*IEEE Transactions on Signal Processing*2003, 51(4):1069-1087. 10.1109/TSP.2003.809378 - 4.
Cox IJ, Kilian J, Leighton FT, Shamoon T: Secure spread spectrum watermarking for multimedia.

*IEEE Transactions on Image Processing*1997, 6(12):1673-1687. 10.1109/83.650120 - 5.
Pfitzmann B, Sadeghi A: Coin-based anonymous fingerprinting. In

*Proceedings of the Advances in Cryptology (EURO-CRYPT '99), 1999, Lecture Notes in Computer Science*.*Volume 1592*. Springer; 150-164. - 6.
Pfitzmann B, Sadeghi A: Anonymous fingerprinting with direct non-repudiation. In

*Proceedings of the Advances in Cryptology (ASIACRYPT '00), 2000, Lecture Notes in Computer Science*.*Volume 1976*. Springer; 401-414. - 7.
Camenisch J: Efficient anonymous fingerprinting with group signatures. In

*Proceedings of the Advances in Cryptology (ASIACRYPT '00), 2000, Lecture Notes in Computer Science*.*Volume 1976*. Springer; 415-428. - 8.
Memon N, Wong PW: A buyer-seller watermarking protocol.

*IEEE Transactions on Image Processing*2001, 10(4):643-649. 10.1109/83.913598 - 9.
Kuribayashi M, Tanaka H: Fingerprinting protocol for images based on additive homomorphic property.

*IEEE Transactions on Image Processing*2005, 14(12):2129-2139. - 10.
Lei C-L, Yu P-L, Tsai P-L, Chan M-H: An efficient and anonymous buyer-seller watermarking protocol.

*IEEE Transactions on Image Processing*2004, 13(12):1618-1626. 10.1109/TIP.2004.837553 - 11.
Zhu Y, Feng D, Zou W: Collusion secure convolutional spread spectrum fingerprinting. In

*Proceedings of the 4th International Workshop on Digital Watermarking (IWDW '05), 2005, Lecture Notes in Computer Science*.*Volume 3710*. Springer; 67-83. - 12.
Kuribayashi M, Morii M: On the implementation of asymmetric fingerprinting protocol.

*Proceedings of the European Signal Processing Conference (EUSIPCO '08), 2008*SS7-1 - 13.
Okamoto T, Uchiyama S: A new public-key cryptosystem as secure as factoring. In

*Proceedings of the Advances in Crypgology (EUROCRYPT '98), 1998, Lecture Notes in Computer Science*.*Volume 1403*. Springer; 308-318. - 14.
Paillier P: Public-key cryptosystems based on composite degree residuosity classes. In

*Proceedings of the Advances in Crypgology (EUROCRYPT '99), 1999, Lecture Notes in Computer Science*.*Volume 1592*. Springer; 223-238. - 15.
Pfitzmann B, Schunter M: Asymmetric fingerprinting. In

*Proceedings of the Advances in Crypgology (EUROCRYPT '96), 1996, Lecture Notes in Computer Science*.*Volume 1070*. Springer; 84-95. - 16.
Pfitzmann B, Waidner M: Anonymous fingerprinting. In

*Proceedings of the Advances in Crypgology (EUROCRYPT '97), 1997, Lecture Notes in Computer Science*.*Volume 1070*. Springer; 88-102. - 17.
Rivest RL, Shamir A, Adleman L: A method for obtaining digital signatures and public key cryptosystems.

*Communications of the ACM*1978, 21(2):120-126. 10.1145/359340.359342 - 18.
Brassard G, Chaum D, Crépeau C: Minimum disclosure proofs of knowledge.

*Journal of Computer and System Sciences*1988, 37(2):156-189. 10.1016/0022-0000(88)90005-0 - 19.
Chen B, Wornell GW: Quantization index modulation: a class of provably good methods for digital watermarking and information embedding.

*IEEE Transactions on Information Theory*2001, 47(4):1423-1443. 10.1109/18.923725 - 20.
Prins JP, Erkin Z, Lagendijk RL: Anonymous fingerprinting with robust QIM watermarking techniques.

*EURASIP Journal on Information Security*2007, 2007:-13. - 21.
Zhao HV, Wu M, Wang ZJ, Liu KJR: Forensic analysis of nonlinear collusion attacks for multimedia fingerprinting.

*IEEE Transactions on Image Processing*2005, 14(5):646-661. - 22.
Wang ZJ, Wu M, Zhao HV, Trappe W, Liu KJR: Anti-collusion forensics of multimedia fingerprinting using orthogonal modulation.

*IEEE Transactions on Image Processing*2005, 14(6):804-821. - 23.
Swaminathan A, He S, Wu M: Exploring QIM based anti-collusion fingerprinting for multimedia.

*Security, Steganography, and Watermarking of Multimedia Contents VIII, 2006, San Jose, Calif, USA, Proceedings of SPIE*6072, article 60721T: - 24.
Yacobi Y: Improved boneh-shaw content fingerprinting. In

*Proceedings of Topics in Cryptology (CT-RSA '01), 2001, Lecture Notes in Computer Science*.*Volume 2020*. Springer; 378-391. - 25.
Cheng Q, Huang TS: Robust optimum detection of transform domain multiplicative watermarks.

*IEEE Transactions on Signal Processing*2003, 51(4):906-924. 10.1109/TSP.2003.809374 - 26.
Barni M, Bartolini F, de Rosa A, Piva A: Optimum decoding and detection of multiplicative watermarks.

*IEEE Transactions on Signal Processing*2003, 51(4):1118-1123. 10.1109/TSP.2003.809371 - 27.
Damgård I, Jurik M: A generalisation, a simplification and some applications of paillier's probabilistic public-key system. In

*Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptography (PKC '01), 2001, Lecture Notes in Computer Science*.*Volume 1992*. Springer; 119-136. - 28.
Fouque PA, Stern J, Wackers GJ: Cryptocomputing with rationals. In

*Proceedings of the Financial Cryptography, 2003, Lecture Notes in Computer Science*.*Volume 2357*. Springer; 136-146. - 29.
Orlandi C, Piva A, Barni M: Oblivious neural network computing via homomorphic encryption.

*EURASIP Journal on Information Security*2007, 2007:-11.

## Acknowledgment

This research was partially supported by the Ministry of Education, Culture, Sports Science and Technology, Grant-in-Aid for Young Scientists (B) (21760291), 2009.

## Author information

## Rights and permissions

**Open Access** This article is distributed under the terms of the Creative Commons Attribution 2.0 International License (https://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

## About this article

#### Received

#### Accepted

#### Published

#### DOI

### Keywords

- Watermark Image
- Quantization Error
- Spread Spectrum
- Cryptographic Protocol
- Commitment Scheme