A) Homomorphic encryption

Let m ₁ and m ₂ be plaintexts. A homomorphic enciphering function E() satisfies the following property:

(1)$$E(m_1)\cdot E(m_2) = E(f(m_1,m_2)),$$

where f() is an arithmetic operation such as addition, multiplication, exclusive-or and, so on. For instance, it is multiplication in the RSA cryptosystem [Reference Rivest, Shamir and Adleman9]. Among some homomorphic encryption schemes, the additive homomorphism of Paillier's cryptosystem has attracted many researchers. It allows us to perform the following two operations in an encrypted domain.

(2)$$ E(m_1)\cdot E(m_2) = E(m_1+m_2) $$

(3)$$ E(m_1)^{m_2} = E(m_1\cdot m_2). $$

The Paillier cryptosystem [Reference Paillier10] encrypts a plaintext m to obtain a ciphertext C by mapping ℤ_n to ${\open Z}^{\ast}_{N^2}$, where N is a composite of two large primes similar to the RSA cryptosystem.

• • Key generation

  According to a security parameter, two large primes P and Q are selected, and its product N = PQ is calculated. The Carmichael's function is used to calculate λ = lcm(P − 1, Q − 1). A generator g is selected from ${\open Z}^{\ast }_{N^2}$. The public key is (N,  g) and the secret key is λ.

• • Encryption

  A ciphertext C is calculated from a plaintext m by using a random number r ∈ ℤ_N as follows:

  (4)$$ C = E(m, r) = g^m r^N \bmod N^2 $$

• • Decryption

  If C < N ², then the plaintext can be calculated as follows:

  (5)$$ D(C) = \displaystyle{{L(C^\lambda \bmod N^2)}\over{L(g^\lambda \bmod N^2)}} \bmod N, $$
  where L(x) = (x − 1)/N.

For the security reason, the size of N should be more than 1024 bits to assure that the factoring the composite is sufficiently difficult in a realistic computational resources. In a RSA cryptosystem, it is recommended to use 2048 bit modulus, and hence, the ciphertext size of Paillier cryptosystem is 4096 bits in such a case though the plaintext size is 2048 bits.

B) Cryptographic protocol

In [Reference Pfitzmann and Sadeghi11–Reference Kuribayashi and Tanaka15], the asymmetric property is realized by using the homomorphic property of public-key cryptosystems. It enables a seller to embed fingerprint in multimedia content in an encrypted domain. The fingerprinting system composed of protocols such as initialization protocol, purchase protocol, and tracing protocol.

Lei et al. [Reference Lei, Yu, Tsai and Chan2] considered the unbinding problem such that the relation between fingerprint information and a specific transaction performed by a buyer and a seller cannot be retrieved. On the other hand, Pfitzmann et al. [Reference Pfitzmann and Sadeghi11,Reference Pfitzmann and Sadeghi12] introduced the digital cash scheme to a fingerprinting protocol, and Camenisch [Reference Camenisch13] used group signature schemes for the solution of the unbinding problem.

The protocols in [Reference Lei, Yu, Tsai and Chan2] introduced a trusted authority who generates a robust fingerprint when valid items of a certain transaction between a buyer and a seller are transmitted from the seller. In [Reference Kuribayashi and Tanaka15,Reference Deng, Bianchi, Piva and Preneel16], the enciphering rate is improved using a public-key cryptosystem with an additive homomorphism [Reference Paillier10] by packing several bits in one ciphertext.

Although the homomorphic property is effective for constructing the asymmetric purchase protocol, the protocol incurs heavy computational costs. The efficiency of the transaction between a seller and buyer must be considered for a real-time distribution over the network. Although complicated cryptographic protocols are required to assure a sufficiently high security level, the computational cost must be reasonably small. In [Reference Kuribayashi and Tanaka17], the asymmetric property is satisfied by managing the decryption keys issued to users, which enables us to use a symmetric cryptosystem like advanced encryption standard (AES). In [Reference Ferrer and Megías18], a P2P protocol for distributed multicast of fingerprinted content is proposed by combining cryptographic primitives and robust watermarking. The protocol is improved by introducing an idea of recombination mechanism in a P2P-based distribution scenario in [Reference Megías and Ferrer19]. Its tracing algorithm is simplified into a simple and efficient database search in [Reference Megías20]. By using a discretized bias-based fingerprinting code [Reference Nuida4] in [Reference Megías and Qureshi21], the tracing protocol is developed in an encrypted domain, protecting the privacy of all users except for illegal users.

C) Fingerprinting code

A fingerprinting code has been investigated to solve the problem of collusion attacks such that a coalition of users called colluders compares the differences among their copies and tries to modify/delete the embedded fingerprint. Boneh and Shaw [Reference Boneh and Shaw22] presented the first construction of a fingerprinting code under a well-known marking assumption. The marking assumption enforces colluders to produce a pirated codeword so that they cannot change the symbols of codeword at the positions where all of their symbols are identical.

Among some fingerprinting codes, Tardos [Reference Tardos3] proposed a bias-based code which code length is theoretically minimum order. Let N _u be the number of users in a system and ℓ be the code length. The code length ℓ can be determined both by the number of users N _u in a system and maximum number c _max of colluders assumed at the setting of code. A binary codeword of j-th user is denoted by X _j,i ∈ {0,  1}, (1 ≤ j ≤ N _u,  1 ≤ i ≤ ℓ), where X _j,i is generated from an independently and identically distributed random number with a probability p _i such that $\Pr [X_{j,i}=1]=p_i$ and $\Pr [X_{j,i}=0]=1-p_i$. This probability p _i in the Tardos code follows a probability distribution ${\cal P}$ over an open unit interval (0,  1), which is called bias distribution. Due to the use of such a bias, it is called bias-based fingerprinting code.

Suppose that a pirated codeword y _i, (1 ≤ i ≤ ℓ) is produced by colluders with a certain collusion strategy. The tracing algorithm of Tardos code calculates a similarity of codeword extracted from a pirated copy with candidates. The similarity is calculated by the correlation score S _j which is the sum of each piece S _j,i for each element y _i of codeword with length ℓ.

(6)$$ S_j = \sum_{i=1}^{\ell}S_{j,i} = \sum_{i=1}^{\ell}y_iU_{j,i}, $$

where

(7)$$U_{j,i} = \left\{ {\matrix{ {-\sqrt {\displaystyle{{p_i} \over {1-p_i}}} } \hfill & {{\rm if}\; X_{j,i} = 0} \hfill \cr {\sqrt {\displaystyle{{1-p_i} \over {p_i}}} } \hfill & {{\rm if}\; X_{j,i} = 1} \hfill \cr } } \right..$$

If a correlation score of a codeword assigned to a user exceeds a certain threshold Z, the user is detected as guilty.

The original tracing algorithm only uses a half of information from a pirated copy because the value of the score S _j,i becomes zero when y _i = 0. In order to utilize the whole information, $\breve {\rm S}$korić et al. [Reference Škorić, Katzenbeisser and Celik6] proposed a symmetric version of the scoring function.

(8)$$ S^{sym}_{j,i} = (2y_i-1)U_{j,i}. $$

D) Problem in tracing protocol

In the above conventional systems, when a pirated copy is discovered, a seller first extracts the fingerprinting codeword, and then requests a trusted center to identify colluders. The center calculates correlation scores for all users registered in a system, and identifies colluders whose score exceeds a threshold. As such an operation at the center requires heavy computational resources, we consider a load dispersion at the tracing protocol. However, the secrecy of parameters in a fingerprinting code must be considered in the protocol. Once users' codewords X _j,i are leaked to a malicious seller, innocent users may be accused from fake content distributed by the seller because he can produce a specific fingerprinted version of content by his choice. On the contrary, without X _j,i the score $S^{sym}_j$ cannot be calculated. In a similar reason, the bias probability p _i is also important parameter in the tracing protocol.

A) Delegated authority

A delegated server generates a public key and secret key pair of the Paillier cryptosystem, and registers the public key at a public key infrastructure (PKI). In order to ensure its independency, the trusted center does not know the secret key.

The trusted center allows the server to check a correlation score whether it exceeds a threshold which is determined by the center. The server is blind to the setting of fingerprinting code except for the threshold and the number c _max. The server's task is to decrypt a ciphertext received from a seller, and return a binary decision.

The role of server is regarded as a decryption oracle which receives a ciphertext and returns the decryption result. As discussed in cryptographic community, the number of queries to the server should be limited for a security reason. The more queries a seller requests, the more information about X _j,i and p _i he obtains. As there are many users, the seller requests multiple ciphertexts simultaneously to find suspicious users whose score $S^{sym}_j$ exceeds the threshold Z. In order to manage the information leakage, three restrictions are introduced into the check at the server.

One is the number of ciphertexts at each request which must be equal to the number of users in a system. Due to the limitation of traceability in a fingerprinting code, the number of suspicious users must be less than c _max. If the number of the scores exceeding the threshold is more than c _max, the server rejects the request. This is the second restriction. The third one is the statistical distribution of scores. It is known that the scores of innocent users follows Gaussian distribution with zero means [Reference Škorić, Vladimirova, Celik and Talstra23,Reference Furon, Guyader and Cérou24]. Except for a few scores of colluders, the scores observed after the decryption of requested ciphertexts must follow the distribution. Hence, a server checks the soundness of the request by the above three restrictions.

B) Initialization

There are four parties in the system, trusted center, delegated server, seller, and buyer(user). The procedure is illustrated in Fig. 1.

Fig. 1. Illustration of initialization phase. After the initialization, a trusted center need not to participate in a tracing protocol.

A trusted center selects a security parameter to generate parameters such as c _max and p _i, (1 ≤ i ≤ ℓ) of a fingerprinting code, and issues a codeword $\vec {\bi X}_j$ to j-th user whose ID information is id _j. Then, the weighting parameters U _j,i are calculated for the codeword $\vec {\bi X}_j$.

The trusted center gets the public key of a delegated server. Remember that a plaintext in the Paillier cryptosystem is an element in an integer finite field ℤ_N. In order to encrypt U _j,i, (1 ≤ i ≤ ℓ), the center first multiplies a scaling parameter α to scale up its small number, and then, rounds the value into a nearest integer using a round function round().

(9)$$\tilde{U}_{j,i} = {\rm round}(\alpha U_{j,i})$$

Finally, the center encrypts $\tilde {U}_{j,i}$ by using a random number r _j,i.

In the conventional studies [Reference Tardos3,Reference Škorić, Katzenbeisser and Celik25], the weighting parameters U _j,i are stored as a two-dimensional array, and one of two values is selected according to X _j,i ∈ {0,  1}. On the other hand, we make one ciphertext $E(\tilde {U}_{j,i},\, r_{j,i})$ from i-th element of codeword X _j,i for 1 ≤ i ≤ ℓ. Hence, ℓ ciphertexts $E(\vec {\bi U}_j,\, \vec {\bi r}_j)$ are generated for each user.

(10)$$ E(\vec{\bi U}_j, \vec{\bi r}_j)=\big(E(\tilde{U}_{j,1}, r_{j,1}), \ldots , E(\tilde{U}_{j,\ell}, r_{j,\ell})\big). $$

The trusted center sends a list of ciphertexts $E(\vec {\bi U}_j,\, \vec {\bi r}_j)$ and the corresponding ID information $\vec {\bi id}=(id_1,\, \ldots ,\, id_{N_u})$ to a seller. When the number of users is N _u, the total number of ciphertexts is N _uℓ, which is transmitted to the seller from the center.

A threshold $\tilde {Z}$ is calculated from $\tilde {U}_{j,i}$ by using the probabilistic algorithm [Reference Cérou, Furon and Guyader7] which can estimate very low probability of error. The trusted center informs N _u, c _max and $\tilde {Z}$ to the server.

C) Tracing protocol

After the above setup, a certain secure fingerprinting protocol is executed between a seller and each user. Then, each user obtains a fingerprinted copy containing his codeword $\vec {\bi X}_j$. Suppose that a coalition of malicious users produce a pirated copy, and the seller finds the copy at somewhere.

First, the seller tries to extract a codeword from the pirated copy. Let $\vec {\bi y}=(y_1,\, \ldots ,\, y_{\ell })$, y _i ∈ {0,  1} be the codeword. Then, a scaled correlation score $\tilde {S}^{sym}_j$ for each user is calculated in an encrypted domain under the modulus N ² using an encrypted weighting parameters $E(\vec {\bi U}_j,\, \vec {\bi r}_j)$ for 1 ≤ j ≤ N _u:

(11)$$\matrix{ {\prod\limits_{i = 1}^\ell E {({\tilde{U}}_{j,i},r_{j,i})}^{2y_i-1}} \hfill & { = E\left( {\sum\limits_{i = 1}^\ell {(2y_i-1)} {\tilde{U}}_{j,i},r_{j,i}^{\prime} } \right)} \hfill \cr {} \hfill & { = E\left( {\tilde{S}_j^{sym} ,r_j^{\prime} } \right),} \hfill \cr } $$

where $r^\prime _{j,i} = r^{2y_i-1}_{j,i} \bmod N$ and $r^\prime _j=\sum r^\prime _{j,i} \bmod N$. It is noted that $\tilde {S}^{sym}_j \approx \alpha S^{sym}_j$ if α is sufficiently large from equation (9).

The seller sends the ciphertexts $E(\tilde {S}^{sym}_j,\, r^\prime _j)$, (1 ≤ j ≤ N _u) to the server. The server decrypts the ciphertexts and checks the scores. If the number of the scores satisfying the condition $\tilde {S}^{sym}_j > \tilde {Z}$ is more than c _max, the server rejects the request. Otherwise, the indices of the scores satisfying the condition are sent to the seller. Namely, the server calculates the following indices $\vec {\bi I}$:

(12)$$ \vec{\bi I}=(I_1, \ldots , I_{N_u}), $$

where

(13)$$I_j = \left\{ {\matrix{ 1 \hfill & {\tilde{S}_j^{sym} > \tilde{Z}} \hfill \cr 0 \hfill & {{\rm otherwise}} \hfill \cr } } \right.,$$

and $\vert \vec {\bi I} \vert \le c_{max}$. Finally, the statistical distribution of $\tilde {S}^{sym}_j$ is measured whether it follows Gaussian. According to the indices $\vec {\bi I}$, the seller can identify the illegal users as the results. It is noted that the number of requests to a delegated server is limited. It is because of the security reason explained at next section. The above protocol is illustrated in Fig. 2.

Fig. 2. Illustration of tracing protocol.

After the protocol, the seller can claim the illegal action of identified users to a judge by showing the items used in the protocol.

If an anonymous fingerprinting protocol is employed, it is necessary to check the pseudonyms at the center for the identification.

A) Between trusted center and seller

As shown in equation (7), the weighting parameters U _j,i are dependent on the each element X _j,i of codeword $\vec {\bi X}_j$ and the bias probability p _i. If a seller gets the weighting parameters, these parameters can be analyzed by comparing i-th elements U _j,i among N _u users for 1 ≤ i ≤ ℓ. In the proposed method, the weighting parameters are encrypted so as to keep X _j,i and p _i secret.

Because of the random number used at the encryption, two ciphertexts E(m,  r ₁) and E(m,  r ₂) are indistinguishable for any 0 ≤ m < N and r ₁ ≠ r ₂. Hence, among N _u users, i-th weighting parameter U _j,i has two candidates $-\sqrt {p_i/(1-p_i)}$ and $\sqrt {(1-p_i)/p_i}$ as shown in equation (7), a seller cannot distinguish them from the observation of their ciphertexts $E(\vec {\bi U}_j,\, \vec {\bi r}_j)$, (1 ≤ j ≤ N _u). It means that no information about the elements of codewords $\vec {\bi X}_j$ as well as $\vec {\bi p}$ from the ciphertexts. Therefore, the seller gets no information about users from the ciphertexts transmitted from a trusted center.

B) Between seller and delegated server

When a malicious seller makes a request with dummy ciphertexts, a delegated server can reject the request in the following reasons.

If the number of ciphertexts is not N _u, the request is immediately judged invalid. Hence, a seller must send N _u ciphertexts that must be the ciphertexts of correlation scores. In case of dummy ciphertexts, the server will be able to find an illegal action of seller by checking the decrypted values. It is sufficient for the server to analyze the statistical distribution of the scores whether it follows Gaussian. In addition, when the number of values exceeding the threshold $\tilde {Z}$ is more than c _max, the ciphertexts are regarded as guilty.

If a malicious seller makes a dummy ciphertext $E(\tilde {U}_{j,i})^\gamma $ by using a certain large integer γ. Then, the decrypted value becomes $\gamma \tilde {U}_{j,i} > \tilde {Z}$ with a probability $\Pr [X_{j,i}=1]=p_i$. Since a seller does not know the parameters p _i, $\tilde {U}_{j,i}$, and $\tilde {Z}$, it is difficult to control the number of values exceeding the threshold $\tilde {Z}$. If the seller can make a request many times, the control might be possible. However, the number of request is limited in the proposed method, and hence, it is difficult.

A) Accuracy

In the proposed method, we use a scaling parameter α to ensure the precision of weighting parameters U _j,i. The degradation of traceability is measured under the following conditions. We use a Nuida code [Reference Nuida4] with c _max = 8 and ℓ = 1024. The number of users is N _u = 10 000 and the threshold is calculated by the rare event simulator [Reference Cérou, Furon and Guyader7] with a false-positive probability set to be 10⁻⁸. The tracing protocol is run for 1000 times, and the average number of colluders detected from a pirated copy are calculated in the simulation. Table 2 shows the number of detected colluders for some typical collusion strategies when the number of colluders is 4, where “original” is the case that no rounding operation is performed to U _j,i. By changing the number of colluders, the traceability is measured for the majority voting strategy, which result is shown in Fig. 3. As the results in case of α ≤ 1000 are very close to the results of the original, their results are omitted in the figure. Because of the probabilistic setting of threshold $\tilde {Z}$ by the rare event simulator, the values in the tables are slightly fluctuated, especially in case of α = 10 in Table 2. Nevertheless, it can be said from these results that α ≥ 1000 is sufficient to assure the traceability.

Fig. 3. Comparison of traceability against majority voting strategy.

Table 2. Number of detected colluders when four colluders produce a pirated copy.

B) Computational costs

At the tracing protocol, a seller calculates a correlation score in an encrypted domain by executing the modular multiplication (MM) and modular exponentiation (ME). The number of MM and ME is ℓ times for each score. Hence, the computational cost is linearly increased with the number of users N _u.

We implemented the protocol and measured the time consumption under the following computer environment. The CPU is AMD Ryzen 7 2700X and the RAM memory is 32 GBytes. We use the GNU C compiler and GNU multiple precision (GMP) library at a X86-64 CentOS 7.5 linux. Table 3 shows the amount of time consumption both at the seller and delegated server.

Table 3. Time consumption [sec.] when majority voting is performed.

The computational costs for calculating correlation scores in an encrypted domain is10 times larger than the costs for decryption. If y _i = 1, no operation is performed at the calculation of $E(\tilde {U}_{j,i},\, r_{j,i})^{2y_i-1}$ in equation (11). Otherwise, the multiplicative inverse $E(\tilde {U}_{j,i},\, r_{j,i})^{-1}$ is calculated. The computational cost for such an operation is much less than the costs for the ME at the decryption.

It is noted that the time consumption is dependent on the number of users N _u and the code length ℓ, which is O(N _uℓ). At the setup of fingerprinting system, N _u and c _max must be assumed to derive its corresponding ℓ as well as the time consumption.

Although the computational costs are increased in total in the proposed system, our main objective is to reduce the burden at a trusted center. If the center manages several systems, it is desirable to reduce the burden as small as possible. Once the center setups the environment of fingerprinting system, no further work is required, which is the main advantage. Therefore, a seller is responsible for the identification of colluders when a pirated copy is found. In this sense, a delegated server supports the seller to reduce the computational burden without getting useful information about innocent users as well as colluders.

C) Communication costs

When a ciphertext size is 4096 bits and the length of codeword is ℓ = 1024, the bit-length of $E(\vec {\bi U}_j,\, \vec {\bi r}_j)$ is 0.5 MBytes (=4 194 304 bits). As mentioned in Section 3.2, the total size is linearly increased with the number of users N _u. In case of N _u = 1000, the amount of data transmitted from a trusted center to a seller is 500 MBytes.

The size of all codewords is N _uℓ bits because each element X _j,i is binary. Because of the encryption, the size becomes 4096 times bigger than the original one. In order to suppress the increase, an alternative method is to assign an index. A trusted center generates 2ⁿ ciphertexts for i-th weight; $n_{p_i,0}$ ciphertexts $E(-\sqrt {p_i/(1-p_i)},\, r_{t, i})$, $(1\le t\le n_{p_i,0})$ and $n_{p_i,1}$ ciphertexts $E(\sqrt {(1-p_i)/p_i},\, r_{t, i})$, $(1\le t\le n_{p_i,1})$, where $2^n=n_{p_i,0}+n_{p_i,1}$ and $n_{p_i,1}= {\rm round}(2^np_i)$. Then, the total number of ciphertexts is 2ⁿℓ, whose size is 2ⁿ⁻¹ MBytes. In addition to these ciphertexts, the center generates a list of obfuscated codewords