
International Journal of Innovative Computing, Information and Control, ICIC International ©2011, ISSN 1349-4198, Volume 7, Number 8, August 2011, pp. 4653–4667

EFFICIENT FAIR CONTENT EXCHANGE WITH ROBUST WATERMARK OWNERSHIP

Wen-Shenq Juang1, Chun-I Fan2,∗ and Ming-Te Chen2

1 Department of Information Management, National Kaohsiung First University of Science and Technology
No. 2, Jhuoyue Road, Nanzih, Kaohsiung 811
[email protected]

2 Department of Computer Science and Engineering, National Sun Yat-sen University
No. 70, Lienhai Road, Kaohsiung 80424, Taiwan
∗ Corresponding author: [email protected]; [email protected]

Received April 2010; revised August 2010

Abstract. In recent years, the Internet has become a major medium for conveying digital content. Users can purchase or exchange digital content via the Internet. Because of the security problems of the Internet, mutual authentication between users must be ensured before digital content is exchanged. In addition, how to exchange digital content fairly via the Internet is another major problem, since users may not be honest. In some proposed methods, a copyright owner can use a digital watermark to claim the ownership of her/his digital content by showing her/his personal digital watermark to other users. Building on digital watermarks, several buyer-seller watermarking schemes have been proposed to protect the ownership of digital content. In these schemes, a buyer who wants to purchase digital content runs the watermarking protocol to obtain the desired content. However, when a user attempts to exchange her/his digital content with others, none of these schemes offers the content exchange function efficiently and fairly. In this paper, we propose a fair content exchange scheme that solves all of the above problems. With our scheme, users can exchange their digital content efficiently, securely and fairly.
Keywords: Digital content exchange, Digital watermark, Fair exchange, Mutual authentication

1. Introduction. To date, digital watermarking has become one of the best-known methods for data hiding. In digital watermarking, the watermark embedder chooses a specific digital string (or symbol) and embeds it imperceptibly into the purchased digital content. We call this specific digital string (or symbol) the digital watermark. The digital watermark can be used to claim the ownership of some digital content and to trace illegal distribution back to the copyright violators.

To provide a good digital watermarking scheme, some research has focused on watermark design. To date, many schemes have been proposed for reversible watermarking [11, 14, 19, 20, 22, 28, 33, 37]. In these schemes, the watermark recovery information is embedded into the host image and the resolution of the final host image is not affected. Other schemes [5, 6, 35, 39] focus on protecting the embedded watermark and detecting tampered areas. In reversible watermarking schemes, the embedded watermark can be used to detect whether the transferred digital content was modified by attackers. It can also guarantee the integrity of the digital content and ensure that the original content can be recovered even if the transferred content was modified by attackers. In addition, a reversible watermark can recover the digital content without the help of the original content information. Therefore, the reversible watermark approach can also be used for digital content protection in e-commerce transactions.

With the growth of e-commerce on the Internet, users can not only purchase or sell digital content on the Internet but also exchange their digital content via the Internet. When users purchase digital content from shops on the Internet, their personal watermarks are embedded into the content with the help of the shops or of a watermark certificate authority (WCA for short). Users can then use their watermarks to claim personal ownership.

To provide a secure and efficient method to sell or buy digital content on the Internet, several buyer-seller watermarking schemes have been proposed [7, 15, 18, 27, 29, 40, 42, 43, 44]. With these schemes, a user can claim ownership of her/his digital content by showing the related signatures on the embedded watermark, and can also prevent framing by a malicious seller. Although these schemes provide ownership protection or solve the conspiracy problem, none of them is suitable for providing fair content exchange and ownership transfer. If a user decides to exchange her/his digital content using any of the above buyer-seller watermarking schemes, she/he must first communicate with the WCA and ask the WCA to extract her/his current watermark. Then the WCA has to embed the new watermark into the exchanged digital content for the user. At the same time, the shop also has to update the transaction records held by the WCA. This simple approach is inefficient for all parties when the number of users is large. Moreover, if a user simply hands her/his digital content to others directly, the content may be illegally distributed by malicious users. In addition, because the Internet is not secure, mutual authentication between users must be ensured before the digital content exchange protocol is performed, and the exchange protocol must guarantee fairness between the users.

To solve all of the above problems, we propose a novel fair content exchange scheme. With our scheme, users can securely exchange their original digital content in the content exchange phase without the WCA's help. Hence, we can efficiently perform secure ownership transfer and deliver the digital content fairly to each party.

2. Related Works. Digital watermarking has attracted much attention in the past ten years. Most of the proposed digital watermarking schemes focus on watermark design and ownership protection. Based on these watermarking schemes, several buyer-seller watermarking schemes have been proposed [7, 15, 18, 27, 29, 40, 42, 43, 44]. In most of them, the seller (or the WCA) embeds the buyer's digital watermark into the digital content, and the buyer can claim her/his ownership by showing the corresponding signature on the embedded watermark. However, although a user can purchase digital content via the above schemes, she/he cannot efficiently and fairly exchange her/his digital content with them. Nor do the above buyer-seller watermarking schemes offer ownership transfer to users.

In [40], a buyer can anonymously purchase digital content from a seller, and the seller can trace the malicious distributor when a pirated copy is found. Nevertheless, the method has no formal security analysis, and the buyer cannot verify the originality of the purchased digital content without the embedded watermark. Moreover, it excludes the digital content exchange property. In [29], the proposed method solves the conspiracy problem and protects the buyer's privacy by applying a group signature. However, using a group signature to protect the buyer's privacy is inefficient, and each buyer has to register with the group manager before running the watermarking protocol. Furthermore, it does not provide the fair content exchange property.

In [18], the proposed scheme solves the conspiracy problem with the help of a trusted certification authority (CA). The CA generates the corresponding signature on the watermark chosen by the buyer. However, it offers neither the buyer's anonymity with respect to the seller nor the fair content exchange function.

In [42], the proposed scheme provides pirated copy tracing, protection of the customer's rights, a solution to the binding problem, buyer anonymity, and a solution to the dispute problem. However, each buyer has to apply for a large number of watermarks from the WCA before performing the watermarking protocol. Moreover, if a buyer does not change her/his public key in the next transaction, the seller can link the related transaction records through the same public key. Thus, the buyer is not completely anonymous to the seller after running the watermarking protocol. Furthermore, this scheme does not support the digital content exchange function.

In [27], the proposed scheme satisfies the five properties of [42]. However, the scheme requires an additional trusted party, the notary authority, which guarantees the buyer's privacy protection. Each buyer has to apply for an anonymous certificate from the notary authority before running the watermarking protocol. If a pirated copy is found, the notary authority cooperates with the CA to find out the real identity of the distributor. This scheme does not offer the fair content exchange function either.

In [43], the proposed approach provides the same properties as [42] by assuming a memoryless on-line TTP in the watermarking protocol. The memoryless on-line TTP is involved only when the arbiter asks for the buyer's real identity. The authors consider that a memoryless on-line TTP (e.g., the WCA) does not have to store each buyer's watermark information in the watermark generation stage. The WCA does not have to participate in each transaction between the buyer and the seller and engages only in the dispute resolution stage. Nevertheless, each buyer still has to request a large number of watermarks before performing the watermarking protocol. This is inefficient for the buyers, and the same problems as in [42] remain. Their scheme does not include the fair content exchange function either.

In [44], the goal was not watermark ownership protection; the authors focused on the implementation of the watermarking technique and on experiments. Their method can efficiently trace the malicious distributor and detects the traitor with higher probability. In [15], the proposed method focuses on the multiple rights of multiple users in some special application environments and adopts a general secret-sharing method to solve the joint ownership problem. Nevertheless, this method does not offer the fair content exchange function either.

In [7], Lei et al. proposed a method to solve the binding problem, in which a malicious seller extracts the buyer's watermark, embeds it into a higher-priced digital content, and fabricates this copy to gain more profit in the market. To solve the binding problem, they bind the description of the digital content to the buyer's digital watermark. However, their scheme also cannot deal with the fair content exchange problem.

None of the schemes [7, 15, 18, 27, 29, 40, 42, 43, 44] provides the fair content exchange function efficiently, and some of them still suffer from the problems described above. If a user applies these schemes to exchange digital content with other users directly, these problems remain. Also, most of the above schemes use privacy homomorphic encryption for the watermark embedding operation. Privacy homomorphic encryption requires many modular exponentiations and is inefficient for buyers exchanging their content. Hence, we propose our novel fair digital content exchange scheme, which provides the ownership transfer property efficiently and offers many extra nice properties.

3. Security Assumptions. First, we introduce the security assumptions as follows.

1. Decision Diffie-Hellman Assumption. Let G ∈ E and assume G ≠ O (the point at infinity). We say that the Decision Diffie-Hellman assumption holds if, for any probabilistic polynomial-time adversary A, the advantage of A on input (G, aG, bG, cG) ∈ E, for random numbers a, b, c ∈ Z_q^*, in deciding whether c = ab (mod q) is negligible.

2. Elliptic Curve Computational Decision Diffie-Hellman Assumption [26]. Let G ∈ E and assume G ≠ O. We say that the Elliptic Curve computational Decision Diffie-Hellman assumption holds if, for any probabilistic polynomial-time Turing machine A, the success probability Succ^{ECDDHP}_{G,E(F_q)}(A) of A in distinguishing the distributions (G, R, S, Q) and (G, R, S, T) is negligible, that is,

$$
\mathrm{Succ}^{\mathrm{ECDDHP}}_{G,E(\mathbb{F}_q)}(A) = \Pr\left[
\begin{array}{l}
r, s, t \xleftarrow{R} [1, \ldots, q-1];\; R \leftarrow rG;\; S \leftarrow sG;\; Q \leftarrow rsG;\; T \leftarrow tG;\\
b \xleftarrow{R} \{0, 1\};\; (b = 0\ ?\ U \leftarrow T : U \leftarrow Q)
\end{array}
\;:\; A(q, G, R, S, U) = b \right] < \frac{1}{2} + \varepsilon
$$

where ε is the advantage of A and the probability is taken over the coin tosses of A and the random choices of r, s and t.

4. The Proposed Scheme. In this section, we propose our fair digital content exchange scheme. Our scheme is efficient and ensures fair transactions between users. It has many nice properties, including fair ownership transfer, authentication and key agreement, no WCA participation, low computation cost, and the option of using either a robust or a reversible watermark. Our scheme consists of four phases: the setup phase, the authentication and key agreement phase, the content exchange phase and the recovery phase. The notations used are defined as follows.

• p: a prime number;
• F_p: a finite field over the large prime p;
• E_p(a, b): the elliptic curve y^2 = x^3 + ax + b (mod p) of prime order q over F_p, where a, b ∈ F_p and 4a^3 + 27b^2 ≠ 0 (mod p);
• q: the prime order of E_p(a, b);
• G: a base point of prime order q on E_p(a, b);
• A: the user Alice;
• B: the user Bob;
• TS: the trusted server;
• x_i: the private key of party i, where 0 ≤ x_i ≤ q − 1 and i ∈ {A, B, TS};
• X_{A,TS}: a temporary symmetric key shared between A and TS;
• Y_{B,TS}: a temporary symmetric key shared between B and TS;
• m_i: the original digital content of party i without any watermark embedded, where i ∈ {A, B};
• M_i: the watermarked object of party i after the watermark embedding operation of a reversible or robust watermarking method, where i ∈ {A, B};
• P_i: the public key P_i = x_i G of party i, where i ∈ {A, B, TS};
• W_i: the watermark of party i used in the exchange and embedding operations, where i ∈ {A, B};
• ssk_{i,j}: the session key used in each transaction, where i, j ∈ {A, B, TS};
• tpk_{i,j}: the temporary key used in each transaction, where i, j ∈ {A, B, TS};
• h(·), H(·): two secure one-way hash functions;
• Agr_i: the digital content exchange agreement of party i, where i ∈ {A, B};
• E_{T_{i,j}}(·): symmetric encryption under the shared key T_{i,j}, where T_{i,j} ∈ {X_{A,TS}, Y_{B,TS}} and i, j ∈ {A, B, TS};
• D_{T_{i,j}}(·): symmetric decryption under the shared key T_{i,j}, where T_{i,j} ∈ {X_{A,TS}, Y_{B,TS}} and i, j ∈ {A, B, TS};
• ⊕: the exclusive-or operation used for watermark encryption;
• ⊗: the watermark embedding operation under the ⊕ operation.

4.1. The setup phase. In this phase, the system publishes {E_p(a, b), G} and generates the system parameters λ [8]. A and B prepare their exchange information, including the exchange objects and the exchange agreements Agr_A and Agr_B, at the same time; they also publish their exchange agreements on the Internet. Each party i ∈ {A, B, TS} selects x_i ∈_R Z_q^* as her/his secret key and computes P_i = x_i G as the corresponding public key. After generating these key pairs, they register their public keys with the CA and obtain their certificates cert_i, where i ∈ {A, B, TS}.

4.2. The authentication and key agreement phase. If A and B decide to exchange their digital content with each other, they proceed as follows. Each party authenticates with TS and generates the necessary parameters in the following steps.

1. A computes the shared key X_{A,TS} = h(P_A || P_TS) ⊕ h(x_A ∗ P_TS) using her secret key x_A. Let e = (Agr_A, R_1, H(ID_A || R_1 || Agr_A)) be the exchange information of A, where R_1 = r_1 ∗ G and r_1 ∈_R Z_q^*. A prepares {cert_A, ID_A, N_A, E_{X_{A,TS}}(e)} with a nonce N_A and forwards it to TS.

2. At the same time, B computes Y_{B,TS} = h(P_B || P_TS) ⊕ h(x_B ∗ P_TS) using his secret key x_B. B generates his exchange information ϕ = (Agr_B, R_2, H(ID_B || R_2 || Agr_B)), where R_2 = r_2 ∗ G and r_2 ∈_R Z_q^*. B forwards {cert_B, ID_B, N_B, E_{Y_{B,TS}}(ϕ)} with a nonce N_B to TS.

3. After TS has received this information from A and B, TS performs the following steps.

   3.1. Derive the temporary shared keys X_{A,TS} = h(P_A || P_TS) ⊕ h(x_TS ∗ P_A) and Y_{B,TS} = h(P_B || P_TS) ⊕ h(x_TS ∗ P_B) using its secret key x_TS. (Since x_TS ∗ P_A = x_A x_TS G = x_A ∗ P_TS, these are the same keys as computed in Steps 1 and 2.)

   3.2. Decrypt D_{X_{A,TS}}(E_{X_{A,TS}}(Agr_A, R_1, H(ID_A || R_1 || Agr_A))) = (Agr_A, R_1, H(ID_A || R_1 || Agr_A)).

   3.3. Decrypt D_{Y_{B,TS}}(E_{Y_{B,TS}}(Agr_B, R_2, H(ID_B || R_2 || Agr_B))) = (Agr_B, R_2, H(ID_B || R_2 || Agr_B)).

   3.4. Check H(ID_A || R_1 || Agr_A) and H(ID_B || R_2 || Agr_B) by recomputing them from (Agr_A, R_1, ID_A) and (Agr_B, R_2, ID_B). If they are valid, TS derives the temporary keys tpk_{A,TS} = h(r'_1 ∗ R_1 || x_TS ∗ P_A) and tpk_{B,TS} = h(r'_2 ∗ R_2 || x_TS ∗ P_B), where r'_1, r'_2 ∈_R Z_q^*. Otherwise, TS aborts this transaction with A and B.

   3.5. TS forwards the ciphertext {E_{tpk_{A,TS}}(h(R'_1 || R_2 || r'_1 ∗ R_1)), N_A + 1, N_{TS1}, R'_1, R_2} to A and {E_{tpk_{B,TS}}(h(R'_2 || R_1 || r'_2 ∗ R_2)), N_B + 1, N_{TS2}, R'_2, R_1} to B, with the nonces N_{TS1}, N_{TS2} and the two random points R'_1 = r'_1 ∗ G and R'_2 = r'_2 ∗ G. In this way TS also delivers R_2 to A and R_1 to B.

   3.6. After A and B receive their ciphertexts, each of them derives the temporary key (A computes tpk_{A,TS} = h(r_1 ∗ R'_1 || x_A ∗ P_TS), since r_1 ∗ R'_1 = r'_1 ∗ R_1; B proceeds likewise), decrypts, and checks the result. If it is valid, A and B return the responses H(N_{TS1} + 1 || h(r_1 ∗ R'_1 || x_A ∗ P_TS)) and H(N_{TS2} + 1 || h(r_2 ∗ R'_2 || x_B ∗ P_TS)) to TS, respectively. In addition, they prepare their exchange contents in order to ask TS for the corresponding signatures. A encrypts her exchange content as E_{X_{A,TS}}(α, H(α || Agr_A)), where α = m_A ⊕ h(r_1 ∗ R'_1). At the same time, B computes his exchange content E_{Y_{B,TS}}(ε, H(ε || Agr_B)), where ε = m_B ⊕ h(r_2 ∗ R'_2).

   3.7. When TS receives E_{X_{A,TS}}(α, H(α || Agr_A)) and E_{Y_{B,TS}}(ε, H(ε || Agr_B)) from A and B, it decrypts the two ciphertexts and checks whether Agr_A and Agr_B are valid. If so, it decrypts α and ε to obtain m_A and m_B using the keys h(r'_1 ∗ R_1) = h(r_1 ∗ R'_1) and h(r'_2 ∗ R_2) = h(r_2 ∗ R'_2).

   3.8. Then TS computes the signatures S_{A1} and S_{B1} on A's and B's exchange objects as follows.

      3.8.1. TS computes the two encrypted contents C_α = (m_A ⊕ k_2) ∗ h(r_2 ∗ R'_2) and C_ξ = (m_B ⊕ k_1) ∗ h(r_1 ∗ R'_1) for A and B, where k_1, k_2 ∈_R Z_q^*.

      3.8.2. It computes the new watermarks W'_A = H(ID_A || ID_B || Agr_A || Agr_B || W_A || r_3 || x_TS) and W'_B = H(ID_A || ID_B || Agr_A || Agr_B || W_B || r_4 || x_TS) for A and B, where r_3, r_4 ∈_R Z_q^*.

      3.8.3. It generates the hash values s_2 = H(W'_A ⊕ k_1) and s_1 = H(h(C_α) || H(W'_B ⊕ k_2) || s_2) for A. On the other hand, it produces t_2 = H(W'_B ⊕ k_2) and t_1 = H(h(C_ξ) || H(W'_A ⊕ k_1) || t_2) for B.

      3.8.4. Finally, TS computes the signatures S_{A1} = r'_3 + s_1 x_TS mod q and S_{B1} = r'_4 + t_1 x_TS mod q for A and B, respectively, where r'_3, r'_4 ∈_R Z_q^*.

   3.9. TS forwards the ciphertexts δ = E_{X_{A,TS}}(s_1, s_2, S_{A1}, R'_3, H(W'_B ⊕ k_2), W'_A ⊕ k_1, C_α) and ξ = E_{Y_{B,TS}}(t_1, t_2, S_{B1}, R'_4, H(W'_A ⊕ k_1), W'_B ⊕ k_2, C_ξ) to A and B, respectively, where R'_3 = r'_3 ∗ G and R'_4 = r'_4 ∗ G.

4. After receiving ξ from TS, B decrypts it with the shared key Y_{B,TS} and checks whether the tuple (t_1, t_2, S_{B1}, R'_4, H(W'_A ⊕ k_1), W'_B ⊕ k_2, C_ξ) is valid. Upon receiving δ, A decrypts it and checks whether (s_1, s_2, S_{A1}, R'_3, H(W'_B ⊕ k_2), W'_A ⊕ k_1, C_α) is valid. If so, A keeps this information in her database and computes the session key ssk_{A,B} = h(r_1 ∗ R_2 || x_A ∗ P_B).

5. After A and B have received the corresponding signatures from TS, they finish the authentication and key agreement phase with TS and derive the same session key ssk_{A,B} = h(r_1 ∗ R_2 || x_A ∗ P_B) = h(r_2 ∗ R_1 || x_B ∗ P_A).
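The key relations of this phase, as an added worked example that is not code from the paper: the user-side and TS-side derivations of X_{A,TS} agree, the two forms of ssk_{A,B} agree, and the TS signature S_{A1} = r'_3 + s_1 x_TS mod q verifies as S_{A1} ∗ G = R'_3 + s_1 ∗ P_TS (the check B performs in Step 2 of Section 4.3). The paper leaves E_p(a, b), G, h(·) and H(·) as parameters; the choices made here are assumptions: the curve is secp256k1, h(·) and H(·) are SHA-256 with different domain prefixes, points are hashed as x || y, and the s_1 input is a constructed stand-in digest rather than the real (h(C_α), H(W'_B ⊕ k_2), s_2) tuple.

```python
"""Added example (not the paper's code): the key-agreement relations of Section
4.2 over secp256k1. The paper leaves E_p(a,b), G, h and H as parameters; the
curve, the SHA-256 instantiations of h/H and the x||y point encoding used here
are assumptions."""
import hashlib
import secrets

# secp256k1 domain parameters (assumed curve): y^2 = x^3 + 7 over F_P, base point G of prime order Q.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A_COEF = 0
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def ec_add(p1, p2):
    """Affine point addition on E_p(a, b); handles the identity and doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                       # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt (not constant time; demo only)."""
    acc = INF
    for bit in bin(k % Q)[2:]:
        acc = ec_add(acc, acc)
        if bit == "1":
            acc = ec_add(acc, pt)
    return acc

def enc(pt):
    """Point encoding used inside the hashes: x || y, 32 bytes each (assumption)."""
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def h(*parts):  # h(.): SHA-256 over the concatenation, domain-tagged (assumption)
    return hashlib.sha256(b"h|" + b"".join(parts)).digest()

def H(*parts):  # H(.): a second, independently tagged SHA-256 (assumption)
    return hashlib.sha256(b"H|" + b"".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keygen():
    """Random scalar in Z_q^* and its point; used for long-term (x_i, P_i) and ephemeral (r_i, R_i)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, ec_mul(x, G)

def shared_key_user(x_i, P_i, P_ts):
    """X_{i,TS} as the user computes it: h(P_i||P_TS) xor h(x_i * P_TS)."""
    return xor(h(enc(P_i), enc(P_ts)), h(enc(ec_mul(x_i, P_ts))))

def shared_key_ts(x_ts, P_ts, P_i):
    """The same key as TS computes it in Step 3.1: h(P_i||P_TS) xor h(x_TS * P_i)."""
    return xor(h(enc(P_i), enc(P_ts)), h(enc(ec_mul(x_ts, P_i))))

def session_key(r_own, R_peer, x_own, P_peer):
    """ssk_{A,B} = h(r_1 * R_2 || x_A * P_B), which B computes as h(r_2 * R_1 || x_B * P_A)."""
    return h(enc(ec_mul(r_own, R_peer)), enc(ec_mul(x_own, P_peer)))

def ts_sign(x_ts, s1):
    """Step 3.8.4: S_{A1} = r'_3 + s_1 * x_TS mod q; returns (S_{A1}, R'_3 = r'_3 * G)."""
    r3, R3 = keygen()
    return (r3 + (int.from_bytes(s1, "big") % Q) * x_ts) % Q, R3

def ts_verify(P_ts, s1, S, R3):
    """Step 2 of Section 4.3: accept iff S_{A1} * G == R'_3 + s_1 * P_TS."""
    s = int.from_bytes(s1, "big") % Q
    return ec_mul(S, G) == ec_add(R3, ec_mul(s, P_ts))

def run_phase():
    """Run the relations once with fresh keys; returns (X agrees, ssk agrees, sig accepted, forged sig accepted)."""
    xA, PA = keygen()
    xB, PB = keygen()
    xTS, PTS = keygen()
    r1, R1 = keygen()                    # A's ephemeral r_1, R_1 = r_1 * G
    r2, R2 = keygen()                    # B's ephemeral r_2, R_2 = r_2 * G
    same_X = shared_key_user(xA, PA, PTS) == shared_key_ts(xTS, PTS, PA)
    same_ssk = session_key(r1, R2, xA, PB) == session_key(r2, R1, xB, PA)
    s1 = H(b"stand-in for h(C_alpha) || H(W'_B xor k_2) || s_2")   # constructed input
    S, R3 = ts_sign(xTS, s1)
    accepted = ts_verify(PTS, s1, S, R3)
    forged = ts_verify(PTS, H(b"a different s_1"), S, R3)          # must be rejected
    return same_X, same_ssk, accepted, forged
```

run_phase() returns (True, True, True, False): both derivations of X_{A,TS} match because x_A ∗ P_TS and x_TS ∗ P_A are the same point, the session key matches for the same reason applied to (r_1, R_2) and (r_2, R_1), and a signature over a different s_1 is rejected. Two practitioner notes: the double-and-add above leaks the scalar through timing and exists only to make the algebra visible, and the verification binds s_1 to TS's key only; it is B's recomputation of s_1 from (h(C_α), H(W'_B ⊕ k_2), s_2) in Section 4.3 that ties the signature to the actual encrypted content.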

4.3. The content exchange phase. After authenticating with TS, A performs thecontent exchange with B.

1. First, A takes the encrypted digital content C_α = (m_A ⊕ k_2) ∗ h(r_2 ∗ R'_2) received from TS and computes the hash value c = H(P_A, P_B, Agr_A, Agr_B, S_{A1}, s_1, s_2). Then A performs the signing operation to generate the signature S_{A3} = r_a + x_A ∗ c mod q, where r_a ∈_R Z_q^* and R_a = r_a ∗ G. Let U = {s_1, s_2, S_{A1}, h(C_α), c, S_{A3}, R_a, R'_3, H(W'_B ⊕ k_2)} be the signature on the exchanged digital content α. Finally, A forwards the encrypted signature E_{ssk_{A,B}}(U, P_A, ID_A) to B.

2. Upon receiving E_{ssk_{A,B}}(U, P_A, ID_A) from A, B decrypts it with the session key ssk_{A,B} = h(r_2 ∗ R_1 || x_B ∗ P_A). Then B checks U and c as follows. First, B recomputes the two hash values s_1 = H(h(C_α) || H(W'_B ⊕ k_2) || s_2) and c = H(P_A, P_B, Agr_A, Agr_B, S_{A1}, s_1, s_2), using the W'_B ⊕ k_2 he received in ξ. Then he verifies the signatures S_{A1} ∗ G = R'_3 + P_TS ∗ s_1 and S_{A3} ∗ G = R_a + P_A ∗ c on s_1 and c, respectively. If S_{A3} and S_{A1} are valid, he prepares the encrypted digital content C_ξ and the signature (S_{B1}, t_1, t_2, H(W'_A ⊕ k_1), R'_4). B forwards the ciphertext E_{ssk_{A,B}}(S_{B1}, t_1, t_2, C_ξ, H(W'_A ⊕ k_1), R'_4) to A under the session key ssk_{A,B}.

3. After receiving the ciphertext from B, A decrypts E_{ssk_{A,B}}(S_{B1}, t_1, t_2, C_ξ, H(W'_A ⊕ k_1), R'_4) and checks whether its contents are valid (in particular, S_{B1} ∗ G = R'_4 + P_TS ∗ t_1 with t_1 = H(h(C_ξ) || H(W'_A ⊕ k_1) || t_2)). If so, A decrypts C_ξ using h(r_1 ∗ R'_1)^{-1} and performs her watermark embedding operation on the decrypted content m_B ⊕ k_1. She inputs the encrypted watermark W'_A ⊕ k_1 and B's encrypted digital content m_B ⊕ k_1 into her watermark embedding algorithm, which outputs the final result M'_A = m_B ⊗ W'_A, generated by the watermarking operation ⊗ under the partial encryption ⊕ [36]. The watermarking technique adopted under the partial encryption can be either a robust or a reversible watermarking method, depending on the protocol design.

4. After the watermark embedding operation, A forwards E_{ssk_{A,B}}(C_α) to B. If B does not receive or cannot decrypt E_{ssk_{A,B}}(C_α), he can carry out the recovery phase and ask TS to perform the dispute resolution on this exchange transaction between A and him.

4.4. The recovery phase. In the content exchange phase, if A does not forward her exchange object C_α to B, B can ask TS to perform the recovery phase. First, B forwards the exchange information E_{Y_{B,TS}}(U, P_A, ID_A), together with the signature of A, to TS. On receiving it from B, TS decrypts it and checks whether it is valid. If not, TS terminates this phase. Otherwise, it computes m_A ⊕ k_2 and E_{Y_{B,TS}}(m_A ⊕ k_2) and sends the ciphertext to B. On receiving E_{Y_{B,TS}}(m_A ⊕ k_2) from TS, B decrypts it and then inputs m_A ⊕ k_2 and W'_B ⊕ k_2 into his watermarking algorithm under the embedding operation ⊗, which outputs the final result M'_B = m_A ⊗ W'_B.
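The embedding step of Section 4.3 (Step 3) and the recovery step above both feed two masked values, (m ⊕ k, W' ⊕ k), into the embedder and expect the unmasked watermarked content m ⊗ W' out. The following is an added worked example, not the paper's code and not the construction of [36]: it instantiates ⊗ as exclusive-or of a watermark pattern confined to the least significant bit of each sample, which is one embedder for which the mask k cancels exactly; that choice, the expansion of the fixed-size digest W'_i into a content-length pattern with SHAKE-256, and the sample byte content, watermark digest and mask are all assumptions constructed for the example.

```python
"""Added example (not the paper's code): the embedding operation (x) under the
exclusive-or mask (+) from Sections 4.3 and 4.4. Instantiating (x) as XOR of a
watermark pattern confined to bit 0 of each sample is an ASSUMPTION about the
embedder; the paper only names the property (via [36]) and does not fix it."""
import hashlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def expand_watermark(wm_digest: bytes, length: int) -> bytes:
    """Stretch the fixed-size digest W'_i to a content-length pattern that only
    touches the least significant bit of each sample (assumed expansion; it
    keeps the mark imperceptible and lets (x) be a plain XOR)."""
    stream = hashlib.shake_256(wm_digest).digest(length)
    return bytes(b & 0x01 for b in stream)

def embed(content: bytes, pattern: bytes) -> bytes:
    """(x): m (x) W = m (+) W with W restricted to the LSB plane."""
    return xor(content, pattern)

def embed_under_mask(masked_content: bytes, masked_pattern: bytes) -> bytes:
    """What the embedding party computes from the two masked inputs it holds,
    e.g. A in Step 3 of 4.3 from (m_B (+) k_1, W'_A (+) k_1) or B in 4.4 from
    (m_A (+) k_2, W'_B (+) k_2). Because XOR is associative and commutative the
    mask cancels: (m (+) k) (+) (W (+) k) = m (+) W = m (x) W, so the embedder
    never sees m or W in the clear, yet the output carries no mask."""
    return embed(masked_content, masked_pattern)

def extract(marked: bytes, original: bytes) -> bytes:
    """Informed extraction by whoever still holds the original (the previous
    owner or TS): recovers the LSB pattern for comparison with the registered W'_i."""
    return xor(marked, original)

def max_sample_change(a: bytes, b: bytes) -> int:
    """Largest per-sample distortion; 1 means only the LSB plane was touched."""
    return max(abs(x - y) for x, y in zip(a, b))

# Constructed sample data standing in for m_B, W'_A and k_1 (not from the paper).
SAMPLE_M_B = bytes(range(256)) * 4                                  # 1024 "samples"
SAMPLE_W_A = hashlib.sha256(b"W'_A sample digest").digest()        # plays H(ID_A||...||x_TS)
SAMPLE_K1 = hashlib.shake_256(b"k_1 one-time mask").digest(len(SAMPLE_M_B))

def run_demo(m: bytes = SAMPLE_M_B, w: bytes = SAMPLE_W_A, k: bytes = SAMPLE_K1) -> dict:
    """Return the three checks a reader would want for this step."""
    pattern = expand_watermark(w, len(m))
    marked_direct = embed(m, pattern)                               # reference: m (x) W'
    marked_via_mask = embed_under_mask(xor(m, k), xor(pattern, k))  # what A or B computes
    return {
        "mask_cancels": marked_via_mask == marked_direct,
        "lsb_only": max_sample_change(marked_direct, m) <= 1,
        "pattern_recovered": extract(marked_direct, m) == pattern,
    }
```

run_demo() returns all three checks as True: the party doing the embedding works only on masked inputs, the mask drops out of the result, and the holder of the original can read the pattern back for dispute resolution. The caveat a practitioner should keep in mind is that an LSB-plane XOR embedder is fragile, since lossy re-encoding of the samples destroys the mark; the paper accordingly lets the protocol designer substitute a robust embedder as long as it keeps the property that embedding commutes with the ⊕ mask.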

5. Security Analysis. We describe the security analysis of our proposed scheme in thefollowing.

5.1. Authentication. In the authentication phase, A and B both perform a challenge-response authentication with TS. If an attacker attempts to replay one of the nonces, the replayed nonce is detected by one of the parties in this phase. Moreover, an attacker cannot decrypt E_{X_{A,TS}}(e) (or E_{Y_{B,TS}}(ϕ)) without X_{A,TS} (or Y_{B,TS}) with non-negligible probability. Our scheme also offers forward security: an attacker cannot derive the session key ssk_{A,B} without r_1 and r_2, even if TS's private key has been compromised. If an attacker could do so, this would contradict our assumption. We give a formal security proof of this property in the appendix.

5.2. Key agreement. In this phase, A and B compute the session key ssk_{A,B} from r_1 and r_2. An attacker who holds neither r_1 nor r_2 cannot compute ssk_{A,B}, and cannot guess the session key correctly with non-negligible probability in polynomial time. Hence, the authentication and key agreement phase of our proposed scheme is secure.

5.3. Fair exchange. After the authentication and key agreement phase, A and B have sent their exchange contents to TS for fair exchange. In this phase, if a dispute arises, B (or A) can ask TS to resolve it. Many schemes [1], [34] have been proposed to deal with such fair transaction problems, and they can be applied directly within our scheme.

5.4. Content exchange. We assume that the watermark embedding function ⊗ under the partial encryption ⊕ is a secure function, as discussed in [36]. In this phase, after exchanging their digital contents, A and B each perform their own watermark embedding algorithm ⊗ under the partial encryption ⊕ and obtain the final watermarked contents. The scheme of [44] detects the malicious distributor efficiently and with higher detection probability; it can also be applied directly within our scheme to provide a secure watermark embedding function.


6. Performance and Functionality Comparisons. We assume that p is 1024 bits and q is 160 bits long for security reasons [32]. Let H be the computation time of one hash operation, Exp the time of one modular exponentiation with a 1024-bit modulus, M the time of one modular multiplication with a 1024-bit modulus, E the time of one modular encryption with a 1024-bit modulus, D the time of one modular decryption with a 1024-bit modulus, S the time of one modular signature operation with a 1024-bit modulus, ECA the time of one addition of two elliptic curve points and ECM the time of one scalar multiplication of an elliptic curve point [2, 23, 30]. We further assume that in the schemes [7, 18, 27, 29, 40, 42, 43] the encryption/decryption and signature operations cost the same as E, D and S above, and let SymEnc and SymDec denote symmetric encryption and symmetric decryption, respectively. An elliptic curve over a 163-bit field is assumed to offer the same security level as a 1024-bit public key cryptosystem such as RSA or Diffie-Hellman [23]. We assume Exp ≅ 8.24ECM for the implementation on a 200 MHz StrongARM processor reported in [23], and the relationships Exp ≅ 240M, Exp ≅ 600H ≅ 600SymEnc ≅ 600SymDec, Exp ≅ 3.2ECP and ECA ≅ 5M from [3, 4, 9, 13, 24, 38, 45].

In [40], the scheme has no security analysis. The computation cost of its watermarking protocol is about 1440M + 1W, where W is the computation time of the watermark embedding operation. Their scheme does not provide the fair content exchange property either. In [29], the proposed scheme does not provide the buyer's watermark verification function for the judge, so the judge cannot accuse the suspected buyer even if she/he is guilty. The computation cost of its watermarking protocol is about 1200M + 2W, and it does not offer the fair content exchange property. In [18], the scheme provides neither the buyer's privacy protection nor the content exchange property. The computation cost of its watermarking protocol is about 2160M + 1W, which is higher than that of our proposed scheme. In [42], the buyer's anonymity cannot be protected and the computation cost is about (n + 7) ∗ 240M + 2W, where n is the number of watermarks. In [27], the proposed scheme cannot provide the content exchange property and the cost is about 1440M + 2W. In [7], the computation cost is about 1440M + 2W. In [43], the cost is about (n + 7) ∗ 240M + 2W. However, these two schemes [7, 43] do not provide the content exchange property. Table 1 and Table 2 show the performance and functionality comparisons among our proposed scheme and the related schemes.

Table 1. Efficiency comparisons among our scheme and related schemes

Scheme | Authentication and Key Agreement Phase | Content Exchange Phase | Total Costs | Approximation
Ours   | 7ECM+19H+16Sym+8⊕+6M | 3H+4ECM+2ECA+4Sym+2W | 11ECM+2ECA+22H+20Sym+8⊕+6M+2W | 347M+8⊕+2W
[18]   | 9Exp+1W | N/A | 9Exp+1W | 2160M+1W
[27]   | 6Exp+2W | N/A | 6Exp+2W | 1440M+2W
[29]   | 2S+3E+1W | N/A | 2S+3E+1W | 1200M+2W
[40]   | 3E+2D+2S+1W | N/A | 3E+2D+2S+1W | 1440M+1W
[42]   | (n+3)∗E+3S+1D+2W | N/A | (n+3)∗E+3S+1D+2W | (n+7)∗240M+2W
[43]   | (n+3)∗E+3S+1D+2W | N/A | (n+3)∗E+3S+1D+2W | (n+7)∗240M+2W
[7]    | 2E+3S+1D+2W | N/A | 2E+3S+1D+2W | 1440M+2W

M: Modular Multiplication Operation; Exp: Exponential Operation
E: Modular Encryption Operation; D: Modular Decryption Operation
S: Modular Signature Operation; H: Hash Operation
W: Watermark Embedding Operation ⊗; Sym: Symmetric Encryption/Decryption
ECM: Scalar Multiplication of an Elliptic Curve Point; n: The Number of Watermarks, n ≥ 1
ECA: Addition of Two Elliptic Curve Points
⊕: The Exclusive-or Operation; N/A: Not Available

Table 2. Capability comparisons among our scheme and related schemes

Scheme | P1  | P2  | P3  | P4   | P5       | P6
Ours   | Yes | Yes | Yes | Low  | Optional | Yes
[18]   | No  | No  | No  | High | Robust   | No
[27]   | No  | No  | No  | High | Robust   | No
[29]   | No  | No  | No  | High | Robust   | No
[40]   | No  | No  | No  | High | Robust   | No
[42]   | No  | No  | No  | High | Robust   | No
[43]   | No  | No  | No  | High | Robust   | No
[7]    | No  | No  | No  | High | Robust   | No
[44]   | No  | No  | No  | N/A  | Robust   | No
[15]   | No  | No  | No  | N/A  | Robust   | No

Yes: Satisfied; No: Not satisfied
P1: Ownership Transfer
P2: Authentication and Key Agreement
P3: Without Watermark Certificate Authority
P4: Computation Cost (Low: < 500M / Medium: 500M to 1000M / High: > 1000M / N/A: Not Available)
P5: Adopted Watermark (Robust/Fragile/Optional)
P6: Fair Content Exchange

7. Conclusions. In this paper, we have proposed a lightweight authentication method combined with ownership transfer to provide fair and efficient digital content exchange. In our scheme, users can authenticate the other party via the Internet and exchange their digital content fairly. Our scheme offers an efficient approach to fair content exchange and also provides many extra nice properties.

Acknowledgment. This work was supported in part by the National Science Council ofTaiwan under the Grant NSC 99-2628-E-327-003 and NSC 99-2219-E-110-001.

REFERENCES

[1] A. Alaraj and M. Munro, An efficient e-commerce fair exchange protocol that encourages customerand merchant to be honest, Proc. of the 27th Int. Conf. on Computer Safety, Reliability, and Security,vol.5219, pp.193-206, 2008.

[2] A. Jurisic and A. J. Menezes, Elliptic Curves and Cryptography, Cambridge University Press, Cam-bridge, 1997.

[3] A. Ramachandran, Z. Zhou and D. Huang, Computing cryptographic algorithms in portable andembedded devices, Proc. of IEEE International Conference on Portable Information Devices, pp.1-7,2007.

[4] B. Schneier, Applied Cryptography, 2nd Edition, John Wiley and Sons Press, 1996.[5] C.-C. Chang, Y.-H. Chen and D. Kieu, A watermarking technique using synonym substitution for

integrity protection of XML documents, ICIC Express Letters, vol.4, no.1, pp.89-94, 2010.[6] C.-H. Lin, Multi-purpose digital watermarking method–integrating robust, fragile and semi-fragile

watermarking, International Journal of Innovative Computing, Information and Control, vol.6, no.7,pp.3023-3036, 2010.

[7] C. L. Lei, P. L. Yu, P. L. Tsai and M. H. Chan, An efficient and anonymous buyer-seller watermarkingprotocol, IEEE Trans. Image Processing, vol.13, no.12, pp.1618-1626, 2004.

4662 W.-S. JUANG, C.-I FAN AND M.-T. CHEN

[8] D. Hankerson, A. Menezes and S. Vanstone, Guide to Elliptic Curve Cryptography, 2nd Edition, Springer-Verlag, New York, 2004.

[9] D. Hankerson, A. Menezes and M. Scott, Software implementation of pairings, Identity-Based Cryptography, Cryptology and Information Security Series, vol.2, 2008.

[10] D. Pointcheval and J. Stern, Security arguments for digital signatures and blind signatures, J. Crypto., vol.13, pp.361-396, 2000.

[11] D. Xiao and F. Y. Shih, A reversible image authentication scheme based on chaotic fragile watermark, International Journal of Innovative Computing, Information and Control, vol.6, no.10, pp.4731-4742, 2010.

[12] G. Arora, M. Hanneghan and M. Merabti, P2P commercial digital content exchange, J. Electronic Commerce Research and Applications, vol.4, no.3, pp.250-263, 2005.

[13] G. Bertoni, L. Breveglieri, L. Chen, P. Fragneto, K. Harrison and G. Pelosi, A pairing SW implementation for smart-cards, Journal of Systems and Software, vol.81, no.7, pp.1240-1247, 2008.

[14] H. L. Jin, M. Fujiyoshi and H. Kiya, Lossless data hiding in the spatial domain for high quality images, IEICE Trans. Fundamentals, vol.E90-A, no.4, pp.771-777, 2007.

[15] H. T. Poon, A. Miri and J. Zhao, An improved watermarking technique for multi-user, multi-right environments, Multimedia Tools and Applications, vol.42, no.2, pp.161-181, 2009.

[16] IEEE P1363, Standard Specifications for Public-key Cryptography, Draft Version D22, 2005.

[17] I. K. Jeong, O. Kwan and D. H. Lee, A Diffie-Hellman key exchange protocol without random oracles, Proc. of the 5th Int. Conf. Cryptology and Network Security, LNCS, vol.4301, pp.37-54, 2006.

[18] I. M. Ibrahim and S. H. N. El-Din, An effective and secure buyer-seller watermarking protocol, Proc. of the 3rd Int. Symp. on Information Assurance and Security, pp.21-28, 2007.

[19] I. Usman, A. Khan, A. Ali and T. S. Choi, Reversible watermarking based on intelligent coefficient selection and integer wavelet transform, International Journal of Innovative Computing, Information and Control, vol.5, no.12(A), pp.4675-4682, 2009.

[20] J. Fridrich, M. Goljan and R. Du, Lossless data embedding-new paradigm in digital watermarking, EURASIP J. Applied Signal Process, vol.2002, no.2, pp.185-196, 2002.

[21] J. Liu, R. Sun, W. Ma, Y. Li and X. Wang, Fair exchange signature schemes, Proc. of the 22nd Int. Conf. on Advanced Information Networking and Applications-Workshops, pp.422-427, 2008.

[22] J. Tian, Reversible data embedding using a difference expansion, IEEE Trans. Circuits Syst. Video Techno., vol.13, no.8, pp.890-896, 2003.

[23] K. Lauter, The advantages of elliptic curve cryptography for wireless security, IEEE Wireless Communications, vol.11, no.1, pp.62-67, 2004.

[24] K. Takashima, Scaling security of elliptic curves with fast pairing using efficient endomorphisms, IEICE Trans. Fundamentals, vol.E90-A, no.1, pp.152-159, 2007.

[25] M. Abdalla, M. Bellare and P. Rogaway, The oracle Diffie-Hellman assumption and an analysis of DHIES, Proc. of the Cryptographer's Track at RSA Conf., LNCS, vol.2020, pp.143-158, 2001.

[26] M. A. Strangio, Efficient Diffie-Hellman two-party key agreement protocols based on elliptic curves, Proc. of ACM Symp. on Applied Computing, pp.324-331, 2005.

[27] M. H. Shao, A privacy-preserving buyer-seller watermarking protocol with semi-trust third party, Proc. of the 4th Int. Conf. Trust, Privacy and Security in Digital Business, LNCS, vol.4657, pp.44-53, 2007.

[28] M. U. Celik, G. Sharma, A. M. Tekalp and E. Saber, Lossless generalized-LSB data embedding, IEEE Trans. Image Process, vol.14, no.2, pp.253-266, 2005.

[29] M. Deng and B. Preneel, On secure and anonymous buyer-seller watermarking protocol, Proc. of the 3rd Int. Conf. on Internet and Web Applications and Services, pp.524-529, 2008.

[30] N. Koblitz, A. Menezes and S. Vanstone, The state of elliptic curve cryptography, Designs, Codes and Cryptography, vol.19, pp.173-193, 2000.

[31] N. Hopper, D. Molnar and D. Wagner, From weak to strong watermarking, Proc. of Theory of Cryptography Conf., LNCS, vol.4392, pp.362-382, 2007.

[32] NIST FIPS PUB 186-2, Digital Signature Standard, National Institute of Standards and Technology, U. S. Department of Commerce, 2001.

[33] Q. Gu and T. Gao, A novel reversible watermarking algorithm based on wavelet lifting scheme, ICIC Express Letters, vol.3, no.3(A), pp.397-402, 2009.

[34] Q. Huang, G. Yang, D. S. Wong and W. Susilo, Ambiguous optimistic fair exchange, Proc. of the 14th Int. Conf. on Theory and Application of Cryptology and Information Security, LNCS, vol.5350, pp.74-89, 2008.


[35] S. D. Lin and Y.-H. Huang, An integrated watermarking technique with tamper detection and recovery, International Journal of Innovative Computing, Information and Control, vol.5, no.11(B), pp.4309-4316, 2009.

[36] S. Katzenbeisser, A. Lemma, M. U. Celik, M. van der Veen and M. Maas, A buyer-seller watermarking protocol based on secure embedding, IEEE Trans. on Forensics and Security, vol.3, no.4, pp.783-786, 2008.

[37] S. Han, M. Fujiyoshi and H. Kiya, An efficient reversible image authentication method, IEICE Trans. Fundamentals, vol.E91-A, pp.1907-1914, 2008.

[38] S. Hohenberger, Advances in Signatures, Encryption, and E-Cash from Bilinear Groups, Ph.D. Thesis, Massachusetts Institute of Technology, 2006.

[39] T.-Y. Chen, V. Istanda, T.-H. Chen, D.-J. Wang and Y.-L. Lin, H.264 video authentication based on semi-fragile watermarking, International Journal of Innovative Computing, Information and Control, vol.6, no.3(B), pp.1411-1420, 2010.

[40] V. V. Das, Buyer-seller watermarking protocol for an anonymous network transaction, Proc. of the 1st Int. Conf. on Emerging Trends in Engineering and Technology, pp.807-812, 2008.

[41] W. Diffie and M. Hellman, New directions in cryptography, IEEE Trans. on Information Theory, vol.22, no.6, pp.644-654, 1976.

[42] Y. Hu, A watermarking protocol for privacy tracing, Proc. of Int. Symp. on Electronic Commerce and Security, pp.882-885, 2008.

[43] Y. Hu and J. Zhang, A secure and efficient buyer-seller watermarking protocol, Journal of Multimedia, vol.3, no.4, pp.161-168, 2009.

[44] Y. Wu and H. Pang, A light weight buyer-seller watermarking protocol, Advances in Multimedia, vol.4, pp.1-7, 2008.

[45] Z. Li, J. Higgins and M. Clement, Performance of finite field arithmetic in an elliptic curve cryptosystem, Proc. of the 9th IEEE Int. Symp. on Modeling, Analysis, and Simulation of Computer and Telecommunications Systems, pp.249-256, 2001.

Appendix A. Security Analysis.

We define the security of the proposed protocol. Assume that each party's identity is denoted as $p_i$ and each $p_i$ holds a pair of private/public keys, where $1 \le i \le I$ and $I$ denotes the set of the identities of the parties who can participate in our proposed protocol.

The key agreement protocol of our fair content exchange scheme provides mutual authentication between users and TS and establishes a session key for content exchange. We assume that the session identifier of the instance $\Pi_i^k$, denoted $sid_i^k$, identifies the $k$-th session and differs from the identifiers of all other sessions in the key agreement phase, where $k \in N$ and $N$ is the set of positive integers. In the following, we model the capabilities of an adversary. The adversary can control all communication in the key agreement protocol by accessing oracles. Let "Exp" be an "experiment", that is, the game in which the adversary asks queries to the oracles and the oracles answer the adversary. The following are the query types that an adversary can issue in the protocol.

1. A query $Send(i, k, M)$ is used to send a message $M$ to the instance $\Pi_i^k$, where $i \in I$ and $k \in N$. When $\Pi_i^k$ receives $M$, it responds with the result prescribed by the key agreement protocol.
2. A query $Reveal(i, k)$ (or $Reveal(j, k')$) is used to expose the session key of $\Pi_i^k$ (or $\Pi_j^{k'}$) to the adversary, where $j \in I$ and $k' \in N$.
3. A query $Corrupt(i)$ is used to expose the private key of the player $p_i$.
4. A query $Test(i, k)$ is used to define the advantage of an adversary. When an adversary $A$ asks a Test query to an instance $\Pi_i^k$, a coin $b$ is flipped by the simulator. If $b = 1$, the simulator returns the real session key $sk_i^k$. Otherwise, it returns a random string chosen uniformly from $\{0, 1\}^*$. The adversary is only allowed to make a Test query to a "fresh" instance.


Definition A.1. Partner. First, we define the partner function. We assume that there exists an instance $\Pi_i^k$ of the player $p_i$ in the $k$-th session. Let the partner of this instance be the player $p_j$ ($\ne p_i$) who believes that it is interacting in the $k'$-th session, where $i, j \in I$ and $k, k' \in N$. We say that two instances $\Pi_i^k$ and $\Pi_j^{k'}$ are partnered if the following statements are true:

1. $sid_i^k = sid_j^{k'}$.
2. $p_j$ is the partner of $\Pi_i^k$.
3. $p_i$ is the partner of $\Pi_j^{k'}$.

Definition A.2. Freshness. An instance $\Pi_i^k$ is "fresh" if the following conditions are true at the end of the experiment described above:

1. $Reveal(i, k)$ has not been queried on $\Pi_i^k$.
2. If there exists a $\Pi_j^{k'}$ partnered with $\Pi_i^k$, then $Reveal(j, k')$ has not been queried on $\Pi_j^{k'}$.
3. The partner of $\Pi_i^k$ is not an insider attacker generated by the adversary.
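To make the bookkeeping behind Definitions A.1 and A.2 concrete, the following Python model is an added example (it is not code from the paper). It records the Reveal and Corrupt queries an adversary has made, decides partnering from the session identifier and the two instances' partner beliefs, and evaluates the three freshness conditions. The class and function names (Instance, Experiment, partnered, is_fresh) and the scenario in demo() are this example's own assumptions.

```python
# Added example (not from the paper): a Python model of instances, partnering
# (Definition A.1) and freshness (Definition A.2). Names are this example's own.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Instance:
    """Instance Pi_i^k: player p_i running its k-th session."""
    player: str               # p_i
    session: int              # k
    sid: bytes                # sid_i^k, the session identifier
    partner: Optional[str]    # the player this instance believes it is talking to


@dataclass
class Experiment:
    """State of the oracle queries issued so far in one experiment."""
    instances: Dict[Tuple[str, int], Instance] = field(default_factory=dict)
    revealed: Set[Tuple[str, int]] = field(default_factory=set)   # Reveal(i, k) queries
    corrupted: Set[str] = field(default_factory=set)              # Corrupt(i) queries
    adversary_players: Set[str] = field(default_factory=set)      # insiders the adversary created

    def add(self, inst: Instance) -> None:
        self.instances[(inst.player, inst.session)] = inst

    def reveal(self, player: str, session: int) -> str:
        """Reveal(i, k): hands the session key to the adversary and records the query."""
        self.revealed.add((player, session))
        return f"ssk-{player}-{session}"   # placeholder for the real session key

    def corrupt(self, player: str) -> None:
        """Corrupt(i): exposes the long-term private key; note it does not affect freshness."""
        self.corrupted.add(player)


def partnered(a: Instance, b: Instance) -> bool:
    """Definition A.1: distinct players, equal sid, and each names the other as partner."""
    return (a.player != b.player and a.sid == b.sid
            and a.partner == b.player and b.partner == a.player)


def partner_of(exp: Experiment, inst: Instance) -> Optional[Instance]:
    """The instance partnered with inst, if one exists in the experiment."""
    for other in exp.instances.values():
        if partnered(inst, other):
            return other
    return None


def is_fresh(exp: Experiment, inst: Instance) -> bool:
    """Definition A.2: no Reveal on inst, none on its partner, partner not an insider."""
    if (inst.player, inst.session) in exp.revealed:          # condition 1
        return False
    other = partner_of(exp, inst)
    if other is not None and (other.player, other.session) in exp.revealed:   # condition 2
        return False
    if inst.partner in exp.adversary_players:                # condition 3
        return False
    return True


def demo() -> Tuple[bool, bool, bool]:
    """Constructed scenario. Returns (A's session 3 fresh at the start,
    still fresh after Reveal(B, 3) on its partner, fresh when the partner is an insider)."""
    exp = Experiment()
    sid = b"constructed-sid-3"
    a3 = Instance("A", 3, sid, partner="B")
    b3 = Instance("B", 3, sid, partner="A")
    exp.add(a3)
    exp.add(b3)
    exp.corrupt("A")                 # Corrupt alone leaves the instance fresh (forward security)
    fresh_initially = is_fresh(exp, a3)
    exp.reveal("B", 3)               # Reveal(j, k') on the partner removes freshness
    fresh_after_reveal = is_fresh(exp, a3)

    exp2 = Experiment()
    exp2.adversary_players.add("M")  # an insider registered by the adversary
    a4 = Instance("A", 4, b"constructed-sid-4", partner="M")
    exp2.add(a4)
    fresh_with_insider = is_fresh(exp2, a4)
    return fresh_initially, fresh_after_reveal, fresh_with_insider
```

The Test query of the experiment may only be issued on instances for which is_fresh() holds; the demo shows that corrupting a party's long-term key does not by itself remove freshness, which is exactly the gap that Definition A.3 (forward security) is meant to cover.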

Definition A.3. Forward Security (FS). Our fair content exchange protocol is forward secure if $A$ cannot compromise past session information even after $Corrupt(i)$ (or $Corrupt(j)$) has been queried.

Definition A.4. Ind-cpa Secure. In our scheme, we assume that our symmetric encryption/decryption algorithm is $SE = (E_{T_{i,j}}, D_{T_{i,j}})$, where $T_{i,j} \in \{X_{i,j}, Y_{i,j}\}$ and $i, j \in \{A, B, TS\}$, and that $q_m$ and $q_e$ are the number of messages and the number of encryption queries, respectively. The attacker $A$ can ask the encryption query on its chosen message pair $(M_0, M_1)$. We assume that the encryption oracle is $E_{T_{i,j}}(\cdot, \theta)$ with the security parameter $\theta$ and that it takes $M_b$ as input, where $b \in \{0, 1\}$. If $b = 1$, then $C \leftarrow E_{T_{i,j}}(M_b, \theta)$. Otherwise, $C \leftarrow E_{T_{i,j}}(M_{1-b}, \theta)$, and $C$ is returned. We consider the following experiment.

$\mathrm{Exp}^{Ind\text{-}cpa\text{-}b}_{A,SE}(\theta)$:
    $T_{i,j} \in \{X_{i,j}, Y_{i,j}\}$, $\{M_0, M_1\} \leftarrow A^{E_{T_{i,j}}(\cdot,\theta)}$
    $b \in \{0, 1\}$, $C \leftarrow E_{T_{i,j}}(M_b, \theta)$
    $b' \leftarrow A^{E_{T_{i,j}}(\cdot,\theta)}(C, M_0, M_1)$
    Return $b'$.

The advantage function of an adversary $A$ against $SE$ in the ind-cpa sense is defined as

$\mathrm{Adv}^{Ind\text{-}cpa}_{SE,A}(\theta) = \left| \Pr[\mathrm{Exp}^{Ind\text{-}cpa\text{-}1}_{SE,A}(\theta) = 1] - \Pr[\mathrm{Exp}^{Ind\text{-}cpa\text{-}0}_{SE,A}(\theta) = 1] \right| < \varepsilon'.$

Let $G$ be defined as above and assume $SE = (E_{T_{i,j}}, D_{T_{i,j}})$, where $T_{i,j} \in \{X_{i,j}, Y_{i,j}\}$ and $i, j \in \{A, B, TS\}$. Our proposed scheme is indistinguishable under the chosen plaintext attack if every probabilistic polynomial time adversary $A$ has only negligible advantage in breaking the ind-cpa experiment:

$\mathrm{Adv}^{Ind\text{-}cpa}_{SE,A}(\theta) = \left| \Pr[\mathrm{Exp}^{Ind\text{-}cpa\text{-}1}_{SE,A}(\theta) = 1] - \Pr[\mathrm{Exp}^{Ind\text{-}cpa\text{-}0}_{SE,A}(\theta) = 1] \right| < \varepsilon'.$
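The experiment of Definition A.4 can be run literally. The Python harness below is an added example, not code from the paper: it implements $\mathrm{Exp}^{Ind\text{-}cpa\text{-}b}_{A,SE}(\theta)$ with the adversary's encryption oracle, then estimates $|\Pr[\mathrm{Exp}^1 = 1] - \Pr[\mathrm{Exp}^0 = 1]|$ for two constructed toy instantiations of $SE$: a deterministic stream cipher (no nonce) and the same cipher with a fresh nonce per call. The paper's $SE$ is abstract; the two schemes, the keystream construction and the adversary ReplayAdversary are this example's own assumptions.

```python
# Added example (not from the paper): the Ind-cpa experiment of Definition A.4 as a
# runnable harness. The toy schemes and the adversary are constructed for this example.
import hashlib
import hmac
import secrets
from typing import Callable, Tuple

Oracle = Callable[[bytes], bytes]   # E_T(., theta): the adversary's encryption oracle


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF-based keystream of n bytes."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_deterministic(key: bytes, msg: bytes) -> bytes:
    """Weak SE: no nonce, so equal plaintexts always give equal ciphertexts."""
    return xor(msg, keystream(key, b"", len(msg)))


def encrypt_randomized(key: bytes, msg: bytes) -> bytes:
    """Stronger SE: a fresh 128-bit nonce per call, prepended to the ciphertext."""
    nonce = secrets.token_bytes(16)
    return nonce + xor(msg, keystream(key, nonce, len(msg)))


class ReplayAdversary:
    """A: picks two equal-length messages, then re-encrypts M1 and compares with C."""

    def choose(self, oracle: Oracle) -> Tuple[bytes, bytes]:
        # Equal length, as the Ind-cpa game requires (constructed sample messages).
        return b"pay 10 EUR to B", b"pay 99 EUR to B"

    def guess(self, oracle: Oracle, c: bytes, m0: bytes, m1: bytes) -> int:
        # Works only against a deterministic oracle; with a fresh nonce the
        # second encryption of M1 never equals C.
        return 1 if oracle(m1) == c else 0


def experiment(encrypt, adversary, b: int) -> int:
    """Exp^{Ind-cpa-b}_{A,SE}: the simulator picks the key, C = E(M_b), A outputs b'."""
    key = secrets.token_bytes(32)
    oracle: Oracle = lambda m: encrypt(key, m)
    m0, m1 = adversary.choose(oracle)
    c = oracle(m1 if b == 1 else m0)
    return adversary.guess(oracle, c, m0, m1)


def advantage(encrypt, adversary, trials: int = 64) -> float:
    """|Pr[Exp^1 = 1] - Pr[Exp^0 = 1]|, estimated over `trials` runs of each experiment."""
    p1 = sum(experiment(encrypt, adversary, 1) for _ in range(trials)) / trials
    p0 = sum(experiment(encrypt, adversary, 0) for _ in range(trials)) / trials
    return abs(p1 - p0)
```

Against the deterministic scheme the replay adversary wins every run of $\mathrm{Exp}^1$ and loses every run of $\mathrm{Exp}^0$, so the estimated advantage is 1; against the nonce-based scheme its guess is always 0 and the advantage vanishes. This is the property the proofs below rely on when they replace a real ciphertext by one of $M_{1-b}$ without the attacker noticing.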

Theorem A.1. Assume $SE$ is an Ind-cpa secure encryption scheme and $G$ satisfies the DDHP and ECDDHP assumptions. Our proposed Efficient Fair Robust Watermark Exchange scheme (EFRWES for short) is a forward-secure ownership exchange scheme. In other words, if $SE$ is $(t', \varepsilon')$ ind-cpa secure and $G$ is $(t, \varepsilon, q_s)$ secure with respect to the DDHP and ECDDHP assumptions, then

$\mathrm{Adv}^{FS}_{EFRWES}(\theta, t) \le \left(I^2 q_s\, \mathrm{Adv}^{Ind\text{-}cpa}_{SE}(\theta, t') + 1\right) + 2 I^2 q_s\, \mathrm{Adv}^{ECDDHP}_{H,G}(\theta, t) + \left((I q_s)^2\, \mathrm{Adv}^{DDHP}_{H,G}(\theta, t) + 1\right),$


where $t$ is the maximum total experiment time including the adversary's execution time, $I$ is an upper bound on the number of parties, and $q_s$ is an upper bound on the number of instances initiated in the experiment.

Proof: First, we consider an adversary $A$ attacking EFRWES in the sense of forward security. We take the security analysis in [17] as our reference. Let $Dis$ be the event that there exists at least one ciphertext that can be distinguished by the attacker in EFRWES. We can derive that

$\Pr_A[b = b'] \le \Pr_A[Dis] + \Pr_A[b = b' \wedge \overline{Dis}],$

where $b$ and $b'$ are the coin flips chosen by the simulator and the attacker, respectively. Before the main proof, we give three lemmas that complete it.

Lemma A.1. We claim that there is no attacker $A$ that can distinguish the ciphertext with non-negligible probability; that is,

$\Pr_A[Dis] \le I^2 q_s\, \mathrm{Adv}^{ECDDHP}_{H,G}(\theta, t) + \frac{1}{2}\left(I^2 q_s\, \mathrm{Adv}^{Ind\text{-}cpa}_{SE}(\theta, t') + 1\right)$

in the polynomial time bounds $t$ and $t'$ under the ECDDHP assumption and the Ind-cpa definition, respectively.

In the following, we define several games $Game_{i,j,l}$, where $\Pi_i^l$ is the instance of $p_i$, $\Pi_j^l$ is the instance of $p_j$ and $l$ denotes the $l$-th session, with $0 \le i, j \le I - 1$ and $0 \le l \le q_s$. Each $Game_{i,j,l}$ is simulated as an execution of our protocol. In this sequence of games, $Game_{0,0,0}$ is the first game. The only difference between $Game_{i,j,l}$ and $Game_{i,j',l}$, where $j < j'$, is that the session key $ssk_{i,j'} \leftarrow \{0, 1\}^*$ is replaced by a random value generated by a random oracle; the other parameters of $Game_{i,j',l}$ are unchanged from $Game_{i,j,l}$. We further consider two games $Game_{i',j',l'}$ and $Game_{i^*,j^*,l^*}$ in the $l'$-th and $l^*$-th sessions of this game sequence. We write the probability that the attacker can distinguish, split on whether the partner of $\Pi_{i^*}^{l^*}$ is $p_j$, as the following equation:

$\Pr[Dis] = \Pr[Dis \mid \Pi_{i^*}^{l^*}\text{'s partner is } p_j] + \Pr[Dis \mid \Pi_{i^*}^{l^*}\text{'s partner is not } p_j].$

We consider these two adjacent games and assume that they are the same game. If $\Pr[Dis]$ differs non-negligibly, then $\Pr[Dis \mid \Pi_{i^*}^{l^*}\text{'s partner is } p_j]$ also differs non-negligibly. First, let $D$ be the simulator, which is given the tuple $(G, p, q, R, S, T, Q)$ in the experiment of the ECDDHP assumption. We write $Game_{i^*,j^*,0}$ and $Game_{i^*,j^*,1}$ as $Game_0$ and $Game_1$ for short, respectively. The following two lemmas are used to prove Lemma A.1.

Lemma A.2. We claim that there is no attacker $A$ that can distinguish the ciphertext with non-negligible probability; that is,

$\Pr[Dis \mid Game_0] - \Pr[Dis \mid Game_1] \le I^2 q_s\, \mathrm{Adv}^{ECDDHP}_{H,G}(\theta, t)$

in $Game_0$ and $Game_1$ under the ECDDHP assumption.

Proof: First, we construct the simulator $D$, which is given the tuple $(G, p, q, R, S, Q)$. $D$ chooses $x_i \in [1, \ldots, q - 1]$ and computes the key pair $(x_i, P_i = x_i G)$ for each party $p_i$. After preparing the key pairs of all parties, $D$ prepares the watermarked objects $\alpha$ and $\varepsilon$ to be exchanged by $\Pi_{i^*}$ and $\Pi_{j^*}$, respectively. The attacker $A$ is then allowed to ask the following queries.

1. $Send(i, l, M)$ query: On receiving this query with $M$, if $P_i$ is communicating with $\Pi_j^l$, where $i \ne i^*$ and $j \ne j^*$, then $D$ computes the shared key $X_{i,TS} = h(P_i \| P_{TS}) \oplus h(x_{TS} \cdot P_i)$ or the shared key $Y_{j,TS} = h(P_j \| P_{TS}) \oplus h(x_{TS} \cdot P_j)$ for $p_i$ and $p_j$. If $i = i^*$ or $j = j^*$, $D$ computes the shared key $X_{i^*,TS} = h(P_{i^*} \| P_{TS}) \oplus h(x_{TS} \cdot R)$ and the shared key $Y_{j^*,TS} = h(P_{j^*} \| P_{TS}) \oplus h(x_{TS} \cdot S)$ for $p_{i^*}$ and $p_{j^*}$, respectively. Then


$D$ computes $E_{T_{i,j}}(M)$, where $T_{i,j} \in \{X_{i,j}, Y_{i,j}\}$ and $i, j \in \{A, B, TS\}$. The result is returned to $A$.
2. $Corrupt(i)$ query: It returns $x_i$ to $A$.
3. $Reveal$ query: In the Reveal query, if $i \ne i^*$ or $j \ne j^*$, then $D$ computes the session key $ssk_{i,j} = h(r_1 \cdot R_2 \| x_i \cdot P_j)$ with two random numbers $r_1, r_2 \in Z_q^*$, $R_1 = r_1 G$ and $R_2 = r_2 G$, for the instances $\Pi_i^l$ and $\Pi_j^l$. If $i = i^*$ and $j = j^*$, then $D$ sets $R_1 = R$ and $R_2 = S$ and delays $ssk_{i,j}$ to be answered in the Test query. Finally, it returns the session key $ssk_{i,j}$ to the attacker $A$.
4. $Test$ query: In the Test query, if $i = i^*$ and $P_i$ is communicating with $\Pi_j^l$, where $j = j^*$, then $D$ tosses a coin $b$ to choose $Game_b$. If $b = 0$, it computes $ssk_{i,j} = h(Q \| x_i \cdot P_j)$. Otherwise, it computes $ssk_{i,j} \leftarrow \{0, 1\}^*$ from the random oracle in $Game_1$.

If the attacker can distinguish the two games $Game_0$ and $Game_1$ with non-negligible probability $\mathrm{Adv}^{ECDDHP}_{H,G}(\theta, t)$, then we can use it to break the ECDDHP assumption:

$\begin{aligned}
\mathrm{Adv}^{ECDDHP}_{H,G}(\theta, t) &\ge \Pr[A(G, g, q, R = rG, S = sG, Q = rsG) = 1] - \Pr[A(G, g, q, R = rG, S = sG, Q = tG) = 1] \\
&= \Pr[Game_0 \mid \text{partner is } j^*] - \Pr[Game_1 \mid \text{partner is } j^*] \\
&= \frac{1}{I^2 q_s} \cdot \left(\Pr[Game_0 \wedge \text{partner is } j^*] - \Pr[Game_1 \wedge \text{partner is } j^*]\right) \\
&= \frac{1}{I^2 q_s} \cdot \left(\Pr[Dis \text{ in } Game_0] - \Pr[Dis \text{ in } Game_1]\right).
\end{aligned}$

Then, we can derive the probability as follows:

$\Pr[Dis \mid Game_0] - \Pr[Dis \mid Game_1] \le I^2 q_s\, \mathrm{Adv}^{ECDDHP}_{H,G}(\theta, t).$
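The step that makes the simulator $D$ of Lemma A.2 work is the embedding of the challenge tuple into the session key: with $R_1 = R = rG$, $R_2 = S = sG$ and the $Game_0$ key $h(Q \| x_i \cdot P_j)$, the simulated key equals the real protocol key $h(r_1 \cdot R_2 \| x_i \cdot P_j)$ exactly when $Q = rsG$, and is unrelated to it when $Q = tG$. The same embedding recurs in the proof of Lemma A.4 with $(aG, bG, cG)$. The Python below is an added example, not the paper's code, that checks this algebra. It assumes a constructed toy group (the order-$q$ subgroup of $Z_p^*$ with $p = 1019$, $q = 509$, generator $g = 4$) in place of the paper's elliptic-curve group $G$, with the paper's $r \cdot G$ written as $g^r \bmod p$, and SHA-256 in place of $h$; the parameters are far too small for any real use and exist only to make the equalities checkable.

```python
# Added example (not from the paper): the key-embedding step of simulator D in the
# proof of Lemma A.2, over a constructed toy group that stands in for G.
import hashlib
from typing import Tuple

P = 1019        # constructed: safe prime, p = 2q + 1
Q_ORDER = 509   # constructed: prime order q of the subgroup
G = 4           # constructed: generator of the order-q subgroup (a quadratic residue mod p)


def mul(k: int, X: int) -> int:
    """Scalar multiplication k*X in the paper's additive notation (X^k mod p here)."""
    return pow(X, k % Q_ORDER, P)


def h(*parts: int) -> bytes:
    """h(a || b): SHA-256 over the fixed-width encodings of the group elements."""
    data = b"".join(x.to_bytes(2, "big") for x in parts)
    return hashlib.sha256(data).digest()


def session_key_party_i(r1: int, R2: int, x_i: int, P_j: int) -> bytes:
    """Real protocol at p_i: ssk_{i,j} = h(r1*R2 || x_i*P_j)."""
    return h(mul(r1, R2), mul(x_i, P_j))


def session_key_party_j(r2: int, R1: int, x_j: int, P_i: int) -> bytes:
    """Real protocol at p_j: r2*R1 = r1*r2*G and x_j*P_i = x_i*x_j*G, so the same key."""
    return h(mul(r2, R1), mul(x_j, P_i))


def simulator_game0_key(Q: int, x_i: int, P_j: int) -> bytes:
    """D in Game_0, with R1 = R and R2 = S taken from the challenge: key = h(Q || x_i*P_j)."""
    return h(Q, mul(x_i, P_j))


def ddh_tuple(r: int, s: int, t: int, real: bool) -> Tuple[int, int, int]:
    """ECDDHP challenge (R = r*G, S = s*G, Q): Q = rs*G if real, otherwise Q = t*G."""
    R, S = mul(r, G), mul(s, G)
    Q = mul(r * s, G) if real else mul(t, G)
    return R, S, Q


def run(x_i: int, x_j: int, r: int, s: int, t: int) -> Tuple[bool, bool, bool]:
    """Returns (both parties derive the same key,
                Game_0 key equals the real key for a real tuple,
                Game_0 key equals the real key for a random tuple)."""
    P_i, P_j = mul(x_i, G), mul(x_j, G)          # long-term public keys P = x*G
    R, S, Q_real = ddh_tuple(r, s, t, real=True)
    _, _, Q_rand = ddh_tuple(r, s, t, real=False)
    k_i = session_key_party_i(r, S, x_i, P_j)    # p_i used r1 = r and received R2 = S
    k_j = session_key_party_j(s, R, x_j, P_i)    # p_j used r2 = s and received R1 = R
    return (k_i == k_j,
            simulator_game0_key(Q_real, x_i, P_j) == k_i,
            simulator_game0_key(Q_rand, x_i, P_j) == k_i)
```

Because the simulation is perfect when the tuple is real and the key is independent of the transcript when it is random, any attacker that tells $Game_0$ from $Game_1$ with noticeable probability decides the tuple, which is the inequality chain above with the $1/(I^2 q_s)$ loss for guessing $i^*$, $j^*$ and the session.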

Lemma A.3. We claim that there is no attacker $A$ that can distinguish the ciphertext with non-negligible probability; that is,

$\Pr[Dis \text{ in } Game_1] \le \frac{1}{2}\left(I^2 q_s\, \mathrm{Adv}^{Ind\text{-}cpa}_{SE,A}(\theta, t') + 1\right)$

in the polynomial time $t'$ under the Ind-cpa security definition.

Proof: If $\Pr[Dis]$ is non-negligible in $Game_1$, we can construct a distinguisher $D$ which breaks the indistinguishability of the underlying symmetric encryption scheme $SE$ and an attacker $F$ which breaks the encryption of our proposed scheme. In the following game, $D$ simulates an encryption oracle $E_{T_{i,j}}(\cdot, \theta)$ and generates the ciphertext $C$ on the plaintexts $(M_0, M_1)$ chosen by the attacker $A$ in the selected instance $\Pi_{i^*}^k$, where the partner of $\Pi_{i^*}^k$ is $p_{j^*}$.

1. First, $F$ chooses a random $x_i \in_R Z_q^*$ and sets $P_i = x_i G$, where $1 \le i \le I$. $F$ also selects $i^*, j^* \leftarrow [1, \ldots, I - 1]$ and $l^* \leftarrow [1, \ldots, q_s]$.
2. For each encryption query from $F$, $D$ answers it as in $Game_1$ of Lemma A.2. If $\Pi_{i^*}^{l^*}$'s partner is $p_{j^*}$, $D$ generates $C$ by using the oracle $E_{T_{i^*,j^*}}(M_b, \theta)$ with the coin flip $b$. Otherwise, it produces $C$ from $E_{T_{i^*,j^*}}(M_{1-b}, \theta)$. Then it returns the ciphertext $C$ to $F$.
3. If the event $Dis$ happens with respect to $\Pi_{i^*}^{l^*}$, where the partner of $\Pi_{i^*}^{l^*}$ is $p_{j^*}$, $F$ outputs the guessed bit $b'$. Otherwise, $F$ aborts.

If $F$ selects $i^*, j^*, l^*$ and $D$ does not fail in the simulation process with a correct guess, i.e., $b = b'$, then the following equation holds:


$\begin{aligned}
\mathrm{Adv}^{Ind\text{-}cpa}_{SE,A}(\theta, t') &\ge \frac{1}{I^2 q_s}\left(\Pr[\mathrm{Exp}^{Ind\text{-}cpa\text{-}1}_{SE,A}(\theta) = 1] - \Pr[\mathrm{Exp}^{Ind\text{-}cpa\text{-}0}_{SE,A}(\theta) = 1]\right) \\
&= \frac{1}{I^2 q_s}\left(\Pr[\mathrm{Exp}^{Ind\text{-}cpa\text{-}1}_{SE,A}(\theta) = 1] - \left(1 - \Pr[\mathrm{Exp}^{Ind\text{-}cpa\text{-}1}_{SE,A}(\theta) = 1]\right)\right) \\
&= \frac{1}{I^2 q_s}\left(2\Pr[\mathrm{Exp}^{Ind\text{-}cpa\text{-}1}_{SE,A}(\theta) = 1] - 1\right).
\end{aligned}$

Lemma A.4. We claim that there is no attacker $A$ that can guess the ciphertext correctly with non-negligible probability; that is,

$\Pr[b = b' \wedge \overline{Dis}] \le \frac{1}{2}\left((I q_s)^2\, \mathrm{Adv}^{DDHP}_A(\theta, t) + 1\right)$

in the polynomial time $t$ under the DDHP assumption.

Proof: We construct the simulator $D$, which simulates the environment of $A$ and uses $A$'s ability to break the DDHP assumption.

1. $D$ is given the security parameters $(G, g, q, aG, bG, cG)$ and begins by choosing the key pairs for all parties normally, except for $P_{i^*}$ and $P_{j^*}$. $D$ also selects $i^*, j^* \leftarrow [1, \ldots, I - 1]$ and $t_1, t_2 \leftarrow [1, \ldots, q_s]$. Let $i^*$ and $j^*$ be the instances of $A$ and $B$, respectively.
2. For each query of $A$, $D$ answers it as follows:
   (a) First, $D$ uses $(G, g, q, aG, bG, cG)$ as its security parameters. $D$ also prepares the nonces $N_{i^*}$ and $N_{j^*}$ in the $t_1$-th and $t_2$-th sessions, respectively.
   (b) $Corrupt(i)$ query: It returns $x_i$ to $A$.
   (c) $Reveal$ query: In the Reveal query, if $i \ne i^*$ or $j \ne j^*$, then $D$ computes the session key $ssk_{i,j} = h(r_1 \cdot R_2 \| x_i \cdot P_j)$ with two random numbers $r_1, r_2 \in Z_q^*$, $R_1 = r_1 G$ and $R_2 = r_2 G$, for the instances $\Pi_i^{t_1}$ and $\Pi_j^{t_2}$. If $i = i^*$, $j = j^*$ and $t_1 = t_2 = l$, then $D$ sets $R_1 = aG$ and $R_2 = bG$ and delays $ssk_{i,j}$ to be answered in the Test query. Then, it returns the session key $ssk_{i,j}$ to the attacker $A$.
   (d) $Test$ query: In the Test query, if $i = i^*$ and $j = j^*$, then $D$ tosses a coin $b$ to answer the session key. If $b = 0$, it computes $ssk_{i,j} = h(U \| x_i \cdot P_j)$, where $U = cG$. Otherwise, it computes $ssk_{i,j} \leftarrow \{0, 1\}^*$ from the random oracle.

If $D$ answers the Test query for $\Pi_{i^*}^{t_1}$ and $\Pi_{j^*}^{t_2}$ by using $(G, g, q, aG, bG, cG)$ and $A$ does not fail in guessing $b'$, then $A$ answers the session key depending on its coin flip $b'$. We have

$\begin{aligned}
\mathrm{Adv}^{DDHP}_A(\theta, t) &= \Pr[D(G, g, q, aG, bG, cG) = 1 \mid c = ab] - \Pr[D(G, g, q, aG, bG, cG) = 1 \mid c = t,\ t \in Z_q^*] \\
&\ge \frac{1}{(I q_s)^2}\left(\Pr[A(\cdot) = 1 \mid ssk_{i^*,j^*} \text{ is real in the Test query}] - \Pr[A(\cdot) = 1 \mid ssk_{i^*,j^*} \text{ is random in the Test query}]\right) \\
&= \frac{1}{(I q_s)^2}\left(2\Pr_A[b = b' \wedge \overline{Dis}] - 1\right).
\end{aligned}$

After summarizing the above four lemmas, we conclude that

$\mathrm{Adv}^{FS}_{EFRWES}(\theta, t) \le \left(I^2 q_s\, \mathrm{Adv}^{Ind\text{-}cpa}_{SE}(\theta, t') + 1\right) + 2 I^2 q_s\, \mathrm{Adv}^{ECDDHP}_{H,G}(\theta, t) + \left((I q_s)^2\, \mathrm{Adv}^{DDHP}_{H,G}(\theta, t) + 1\right).$

