DIGITAL WATERMARKING APPARATUS, DIGITAL WATERMARK EXTRACTION APPARATUS, DIGITAL WATERMARKING METHOD, DIGITAL WATERMARK EXTRACTION METHOD AND PROGRAM

Information

  • Patent Application
  • 20230041340
  • Publication Number
    20230041340
  • Date Filed
    December 25, 2019
  • Date Published
    February 09, 2023
Abstract
An electronic watermark embedding apparatus according to an embodiment is an electronic watermark embedding apparatus capable of embedding an electronic watermark into a decoding circuit of secret-key encryption, and includes an embedding unit configured to generate the decoding circuit. The decoding circuit is embedded with the electronic watermark by being input with a common parameter generated in a setup of the secret-key encryption, a secret key of the secret-key encryption, and the electronic watermark, and is capable of decoding an encrypted text encrypted using the secret-key encryption.
Description
TECHNICAL FIELD

The present invention relates to an electronic watermark embedding apparatus, an electronic watermark extraction apparatus, an electronic watermark embedding method, an electronic watermark extraction method, and a program.


BACKGROUND ART

Electronic watermarks are widely used in techniques for ensuring authenticity by embedding information on a proprietor or a creator into contents such as images and music. In addition, as an extension of electronic watermarks, research is also being conducted on a technique called “program electronic watermark”, in which any information is unremovably embedded in a program while the operation of the program remains unchanged.


There are electronic watermarks for cryptographic functions as a type of the program electronic watermark, and many electronic watermarks have been proposed for pseudo-random functions (for example, NPLs 1 to 4). With the use of these pseudo-random functions, it is possible to realize secret-key encryption allowing an electronic watermark to be embedded in a decoding circuit.


CITATION LIST
Non Patent Literature

NPL 1: Aloni Cohen, Justin Holmgren, Ryo Nishimaki, Vinod Vaikuntanathan, and Daniel Wichs. Watermarking cryptographic capabilities. In Daniel Wichs and Yishay Mansour, editors, 48th ACM STOC, pages 1115-1127. ACM Press, June 2016.


NPL 2: Sam Kim and David J. Wu. Watermarking cryptographic functionalities from standard lattice assumptions. In Jonathan Katz and Hovav Shacham, editors, CRYPTO 2017, Part I, volume 10401 of LNCS, pages 503-536. Springer, Heidelberg, August 2017.


NPL 3: Willy Quach, Daniel Wichs, and Giorgos Zirdelis. Watermarking PRFs under standard assumptions: Public marking and security with extraction queries. In Amos Beimel and Stefan Dziembowski, editors, TCC 2018, Part II, volume 11240 of LNCS, pages 669-698. Springer, Heidelberg, November 2018.


NPL 4: Sam Kim and David J. Wu. Watermarking PRFs from lattices: Stronger security via extractable PRFs. In Alexandra Boldyreva and Daniele Micciancio, editors, CRYPTO 2019, Part III, volume 11694 of LNCS, pages 335-366. Springer, Heidelberg, August 2019.


SUMMARY OF THE INVENTION
Technical Problem

However, for example, in the techniques proposed in NPLs 1 to 4, when an electronic watermark is embedded or an electronic watermark is extracted, it is necessary to use confidential information (for example, an embedded key and an extraction key) generated when the electronic watermark system is set up. Thus, for example, a user other than a system administrator with the confidential information cannot embed or extract the electronic watermark.


An embodiment of the present invention has been made in view of the above-described circumstances, and an object thereof is to realize secret-key encryption allowing any user to embed an electronic watermark.


Means for Solving the Problem

To achieve the above object, an electronic watermark embedding apparatus according to an embodiment is an electronic watermark embedding apparatus capable of embedding an electronic watermark into a decoding circuit of secret-key encryption. The electronic watermark embedding apparatus includes an embedding unit configured to generate the decoding circuit. The decoding circuit is embedded with the electronic watermark by being input with a common parameter generated in a setup of the secret-key encryption, a secret key of the secret-key encryption, and the electronic watermark, and is capable of decoding an encrypted text encrypted using the secret-key encryption.


Effects of the Invention

It is possible to realize secret-key encryption allowing any user to embed an electronic watermark.





BRIEF DESCRIPTION OF DRAWINGS


FIG. 1 is a diagram illustrating an example of an entire configuration of an electronic watermark embeddable encryption system according to the present embodiment.

FIG. 2 is a diagram illustrating an example of a processing flow executed by the electronic watermark embeddable encryption system according to the present embodiment.



FIG. 3 is a diagram illustrating an example of a hardware configuration of a computer.





DESCRIPTION OF EMBODIMENTS

Hereinafter, an embodiment of the present disclosure will be described. In the present embodiment, an electronic watermark embeddable encryption system 1 for realizing secret-key encryption allowing any user to embed an electronic watermark into a decoding circuit, will be described. Here, the user is a person, a program, or the like other than a system administrator of the electronic watermark embeddable encryption system 1. On the other hand, the system administrator is a person, a program, or the like to set up the electronic watermark embeddable encryption system 1.


Note that embedding an electronic watermark may be referred to as, for example, “insertion of an electronic watermark” and the like. Similarly, extracting an electronic watermark may be referred to as, for example, “detection of an electronic watermark”, and the like.


Preparation

Firstly, several notations, concepts, and the like are prepared prior to describing secret-key encryption allowing for embedding an electronic watermark.


Notations









[Math. 1]

$x \xleftarrow{r} X$

represents a uniform random selection of an element x from a finite set X. This will be hereinafter described as “x<-rX” as used herein.


y<-A (x; r) represents an algorithm A outputting y for an input x and a random number r, and is written simply as “y<-A (x)” if the random number used by A does not need to be expressed explicitly. Furthermore,

[Math. 2]

$[\ell]$

represents a set of integers:

[Math. 3]

$\{1, \ldots, \ell\}$

λ represents a security parameter. If a function f(λ) converges to 0 faster than 1/λ^c for all constants c > 0, then f is negligible. f(λ)=negl (λ) is used to represent that a certain function f is negligible. Also, probabilistic polynomial time is abbreviated as PPT.


Decisional Diffie-Hellman Assumption

The decisional Diffie-Hellman assumption, which is used as a basis for the security of the electronic watermark embeddable secret-key encryption, is defined as below.


G is a cyclic group of order p and g is a generator of G. At this time, for all PPT algorithms A,

[Math. 4]

$\left| \Pr[A(G, p, g, g^x, g^y, g^{xy}) = 1] - \Pr[A(G, p, g, g^x, g^y, g^z) = 1] \right| = \mathrm{negl}(\lambda)$

holds. Here, x, y, z are selected randomly from Zp*. Note that Zp* is a set obtained by removing a zero element from Zp=Z/pZ, where Zp is a residue system of Z modulo a prime number p.


Secret Key Encryption


Secret-key encryption (hereinafter also abbreviated as “SKE”) is configured by four PPT algorithms (Setup, KG, Enc, and Dec). The setup algorithm Setup is input with a security parameter 1^λ and outputs a common parameter pp. The key generation algorithm KG is input with the common parameter pp and outputs a key sk. The encryption algorithm Enc is input with the key sk and a plaintext:


[Math 5]





m∈custom-character


and outputs an encrypted text ct, where


[Math. 6]






custom-character


a plaintext space. The decoding algorithm Dec is input with the key sk and the encrypted text ct and outputs a plaintext:


[Math. 7]





{tilde over (m)} ∈{⊥}∪custom-character.


The secret-key encryption requires that as a correctness, for all of


[Math. 8]





m∈custom-character


pp<-Setup (1^λ), and sk<-KG (pp), Dec (sk, Enc (sk, m))=m holds.


Indistinguishability for Chosen Plaintext Attack (IND-CPA Security)

Here, SKE denotes the secret-key encryption. An IND-CPA game performed by a challenger and an attacker A is defined by the following (1-1) to (1-3).

(1-1) The challenger generates a random bit b<-r{0, 1}. The challenger then generates pp<-Setup (1^λ) and sk<-KG (pp) and sends the common parameter pp to the attacker A.

(1-2) The attacker A can repeatedly issue the following encryption query. The attacker A sends


[Math. 9]





(m0,m1)∈custom-character2


as the encryption query to the challenger. For the encryption query, the challenger generates ct<-Enc (sk, m_b) and returns an encrypted text ct to the attacker A.


(1-3) The attacker A outputs b′∈{0,1}.


At this time, if, for all PPT attackers A,


[Math. 10]





$\mathrm{Adv}^{\mathrm{indcpa}}_{\mathrm{SKE},A}(\lambda) = \left| \Pr[b = b'] - \tfrac{1}{2} \right| = \mathrm{negl}(\lambda)$


holds, then SKE is considered IND-CPA secure.


Theoretical Configuration of Electronic Watermark Embeddable Secret Key Encryption


Next, a theoretical configuration of the electronic watermark embeddable secret-key encryption (watermarkable SKE, hereinafter also abbreviated as “WME”) will be described. Note that the electronic watermark will be simply referred to as “watermark” below.


Definition of WME


WME is configured by six PPT algorithms (Setup, KG, Enc, Dec, Mark, and Ext). Hereinafter,


[Math. 11]






custom-character


are considered a watermark space, an encrypted text space, and a plaintext space of the WME, respectively.

    • (Setup, KG, Enc, and Dec) configure secret key encryption.
    • Mark (pp, sk, M)->D: the common parameter pp, a secret key sk, and the watermark:


[Math. 12]M∈custom-character


are input and a decoding circuit D embedded with the watermark is output.

    • Ext (pp, C)->M: the common parameter pp and the circuit:


[Math. 13]





C:custom-charactercustom-character∪{⊥}


are input, and


[Math. 14]





M∈custom-character


or a symbol “unmarked” representing that the watermark is not embedded is output. Note that more precisely, C represents a description as a circuit (electronic circuit).


The WME satisfies the following extraction correctness and functional conservation.


Extraction correctness: for all of


[Math. 15]





M∈custom-character


pp<-Setup (1^λ), sk<-KG (pp), and D<-Mark (pp, sk, M), Ext (pp, D)=M holds.


Functional conservation: for all of


[Math. 16]





M∈custom-character


pp<-Setup (1^λ), sk<-KG (pp), and D<-Mark (pp, sk, M), D (Enc (sk, m))=m holds.


Note that the above extraction correctness intuitively ensures that it is possible to correctly extract, by Ext, a watermark embedded by Mark. Also, the above functional conservation ensures that it is possible to correctly decode the encrypted text generated using the Enc by the decoding circuit embedded with the watermark.


ε-Unremovability


The electronic watermark embeddable secret-key encryption needs to satisfy ε-unremovability defined below.


Here, the WME is the electronic watermark embeddable secret-key encryption. A removal game performed by the challenger and the attacker A is defined by the following (2-1) to (2-4).


[Math. 17]






custom-character
enc


will be employed below for a random number space of the algorithm Enc.


(2-1) The challenger generates pp<-Setup (1^λ) and sk<-KG (pp) and sends a common parameter pp to the attacker A.

(2-2) The attacker A can repeatedly issue the following encryption query. The attacker A sends


[Math. 18]





m∈custom-character


as the encryption query to the challenger. For the encryption query, the challenger generates ct <-Enc (sk, m) and returns an encrypted text ct to the attacker A.


(2-3) The attacker A sends


[Math. 19]





M∈custom-character


to the challenger. The challenger generates D<-Mark (pp, sk, M) and returns the decoding circuit D to the attacker A.


(2-4) The attacker A outputs a circuit:


[Math. 20]





C:custom-charactercustom-character∪{⊥}


The challenger outputs Ext (pp, C) as an output of the game. Note that more precisely, C represents a description as a circuit (electronic circuit).


It is required that the circuit C output by the attacker A in the above game satisfies the following condition:


[Math. 21]





Pr[C(Enc(sk, m; r))=m]≥ε


(that is, the circuit C is acceptable). Here, the above probability depends upon


[Math. 22]





mcustom-character,rcustom-characterenc,


which is a selection. At this time, for all the PPT attackers A, if the following:


[Math. 23]





Acustom-character(λ)=Pr[Ext(pp, C)≠M]=negl(λ)


is true, it is said that the WME satisfies the ε-unremovability.


Specific Configuration of WME according to Present Embodiment

Four parameters:

[Math. 24]

$\rho, \epsilon, \omega, \ell$

are each set to ρ=1/poly1(λ), ε=1/2+ρ, ω=λ/ρ^2, and

[Math. 25]

$\ell = \mathrm{poly}_2(\lambda).$

Here, poly1 and poly2 each represent a polynomial.


At this time, in the present embodiment, an electronic watermark embeddable secret-key encryption WME=(Setup, KG, Enc, Dec, Mark, Ext) with the watermark space:


[Math. 26]






custom-character


is configured as follows.


Setup (1^λ): A cyclic group G of an order p and a generator g of the cyclic group G are generated, and a common parameter pp:=(G, p, g) is output.


KG (pp): Firstly, for all

[Math. 27]

$i \in [\ell+1]$

αi<-rZp* is generated, and

[Math. 28]

$g_i \leftarrow g^{\alpha_i}$

is established. Also, x<-rZp is generated. Further, the secret key:

[Math. 29]

$sk := (g_1, \ldots, g_{\ell+1}, x, \alpha_1, \ldots, \alpha_{\ell+1})$

is output.


Enc (sk, m): Firstly, sk is parsed as follows:


[Math. 30]





$(g_1, \ldots, g_{\ell+1}, x, \alpha_1, \ldots, \alpha_{\ell+1}) \leftarrow sk.$


Further, r<-rZp is generated. Subsequently, an encrypted text:


[Math. 31]





ct:=(g1r, . . . ,custom-character,m·custom-character)


is output.


Dec (sk, ct): Firstly, sk and ct are parsed as follows:


[Math. 32]





$(g_1, \ldots, g_{\ell+1}, x, \alpha_1, \ldots, \alpha_{\ell+1}) \leftarrow sk, \quad (c_1, \ldots, c_{\ell+1}, d) \leftarrow ct.$


Further, a decoding result: custom-character


[Math. 33]





custom-character


is output.


Mark (pp, sk, M): Firstly, pp is parsed into (G, p, g)<-pp, and sk and M are parsed as follows:

[Math. 34]

$(g_1, \ldots, g_{\ell+1}, x, \alpha_1, \ldots, \alpha_{\ell+1}) \leftarrow sk, \quad M = (M_1, \ldots, M_\ell)$

[Math. 35]

$\alpha_{\ell+1} \cdot x = \alpha_{\ell+1} \cdot \tilde{x} + \sum_{i \in [\ell]} \alpha_i M_i \bmod p$

Next,

[Math. 36]

$\tilde{x}$

satisfying the [Math. 35] is calculated. A symbol with “~” above x is hereinafter represented as “˜x” as used herein.

Thereafter, a decoding circuit D [M, ˜x] having the following description is output. Note that the decoding circuit D [M, ˜x] is a description in which the encrypted text ct is input and a decoding result is output (a description as an electronic circuit).


Description of Decoding Circuit D [M, ˜x]


The values stored in the decoding circuit D (that is, the hard-coded values) are

[Math. 37]

$M = (M_1, \ldots, M_\ell) \in \{0,1\}^{\ell}, \quad \tilde{x} \in \mathbb{Z}_p$

At this time, the decoding circuit D [M, ˜x] parses the input encrypted text ct as follows:

[Math. 38]

$(c_1, \ldots, c_{\ell+1}, d) \leftarrow ct,$

and outputs a decoding result:

[Math. 39]

$d \cdot c_{\ell+1}^{\tilde{x}} \cdot \prod_{i \in [\ell]} c_i^{M_i}$







Ext (pp, C): Firstly, pp is parsed into (G, p, g)<-pp. Next,

[Math. 40]

$\ell+1$ random generators $\hat{g}_1, \ldots, \hat{g}_{\ell+1}$

are generated, and

[Math. 41]

$\hat{h} \leftarrow \mathrm{Findpk}(\hat{g}_1, \ldots, \hat{g}_{\ell+1}, C)$

is executed. A symbol with “∧” above h is hereinafter represented as “∧h” as used herein. Here, Findpk is a circuit that outputs either ∧h or ⊥ (more precisely, a description as an electronic circuit). If Findpk outputs ⊥, then Ext outputs unmarked and the execution ends immediately.


Note that the description of the circuit Findpk will be described in detail later.


Subsequently, for all

[Math. 42]

$i \in [\ell]$

[Math. 43]

$M_i \leftarrow \mathrm{Findmk}_i(\hat{g}_1, \ldots, \hat{g}_{\ell+1}, \hat{h}, C)$

is executed. Here, Findmki is a circuit that outputs either Mi or ⊥ (more precisely, a description as an electronic circuit). If Findmki outputs ⊥, then Ext outputs unmarked and the execution ends immediately. Note that the description of the circuit Findmki will be described in detail later.

Subsequently, the watermark:

[Math. 44]

$(M_1, \ldots, M_\ell)$

is output.


Descriptions of Circuit Findpk


For all j∈[ω], mj<-rG and rj<-rZp* are generated, and

[Math. 45]

$y_j \leftarrow C(\hat{g}_1^{r_j}, \ldots, \hat{g}_{\ell+1}^{r_j}, m_j), \quad \hat{h}_j \leftarrow (y_j \cdot m_j^{-1})^{1/r_j}$

are calculated.

Then, among the ω values {∧hj}j∈[ω], if there is a value ∧h appearing ω/2 times or more, the ∧h is output, and if there is no such value, ⊥ is output.


Descriptions of Circuit Findmki


For all k∈[ω], mk<-rG and rk<-rZp* are generated, and

[Math. 46]

$y_k \leftarrow C(\hat{g}_1^{r_k}, \ldots, \hat{g}_{i-1}^{r_k}, \hat{g}_i^{r_k+1}, \hat{g}_{i+1}^{r_k}, \ldots, \hat{g}_{\ell+1}^{r_k}, m_k), \quad z_k \leftarrow y_k \cdot (m_k \cdot \hat{h}^{r_k})^{-1}$

are calculated.

Next, among the ω values {zk}k∈[ω], a value z appearing ω/2 times or more is sought. If there is no such value, ⊥ is output.

Then, in the case where there is a value z appearing ω/2 times or more, if the value z=1, 0 is output, if the value z=∧gi, 1 is output, and otherwise, ⊥ is output.


As described above, the WME=(Setup, KG, Enc, Dec, Mark, Ext) according to the present embodiment is configured. The WME thus configured is IND-CPA secure under the decisional Diffie-Hellman assumption. Under the decisional Diffie-Hellman assumption, ε-unremovability is also satisfied. Note that ε is ε=1/2+ρ as set above.
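The following toy run of the construction is an added example, not code from the patent. Its assumptions: the 2039/1019 group is a constructed toy group; the decoding circuit output is read as d·c_{ℓ+1}^{˜x}·Π c_i^{M_i}; and the last ciphertext component is taken to be m·g_{ℓ+1}^{−rx}, chosen so that this circuit returns m, because the Enc and Dec formulas are not legible on this page.

```python
"""Toy run of the WME construction: KG, Enc, Mark, Ext (illustration only)."""
import secrets
from collections import Counter

# Constructed toy group: the order-p subgroup of Z_P^*, with P = 2p + 1.
P, p, g = 2039, 1019, 4
ELL, OMEGA = 8, 16            # watermark length l and sample count omega


def rand_exp():               # uniform element of Zp*
    return 1 + secrets.randbelow(p - 1)


def rand_msg():               # uniform element of G
    return pow(g, secrets.randbelow(p), P)


def inv(a):                   # inverse modulo P
    return pow(a, -1, P)


def kg():
    alphas = [rand_exp() for _ in range(ELL + 1)]
    return [pow(g, a, P) for a in alphas], secrets.randbelow(p), alphas


def enc(sk, m):
    # ASSUMPTION: d = m * g_{l+1}^{-r x}, so that D below returns m.
    gs, x, _ = sk
    r = secrets.randbelow(p)
    cs = [pow(gi, r, P) for gi in gs]
    return cs, m * inv(pow(cs[ELL], x, P)) % P


def mark(sk, M):
    _, x, alphas = sk
    # Solve a_{l+1} x = a_{l+1} x~ + sum_i a_i M_i (mod p) for x~.
    s = sum(a * b for a, b in zip(alphas[:ELL], M)) % p
    x_t = (x - s * pow(alphas[ELL], -1, p)) % p

    def D(ct):                # hard-codes only M and x~
        cs, d = ct
        out = d * pow(cs[ELL], x_t, P) % P
        for ci, Mi in zip(cs, M):     # c_i^{M_i} with M_i in {0, 1}
            if Mi:
                out = out * ci % P
        return out
    return D


def majority(values):
    value, count = Counter(values).most_common(1)[0]
    return value if 2 * count >= OMEGA else None


def query(C, ghat, bump=None):
    """Feed C a ciphertext-shaped input; component `bump` gets exponent r+1."""
    m, r = rand_msg(), rand_exp()
    cs = [pow(gh, r + (j == bump), P) for j, gh in enumerate(ghat)]
    y = C((cs, m))
    return (y % P if isinstance(y, int) else 0), m, r


def find_pk(ghat, C):
    hs = []
    for _ in range(OMEGA):
        y, m, r = query(C, ghat)
        hs.append(pow(y * inv(m) % P, pow(r, -1, p), P) if y else None)
    return majority(hs)


def find_mk(i, ghat, h, C):
    zs = []
    for _ in range(OMEGA):
        y, m, r = query(C, ghat, bump=i)
        zs.append(y * inv(m * pow(h, r, P) % P) % P if y else None)
    z = majority(zs)          # equals ghat_i^{M_i} for an honestly marked D
    return 0 if z == 1 else 1 if z == ghat[i] else None


def ext(C):
    ghat = [pow(g, rand_exp(), P) for _ in range(ELL + 1)]
    h = find_pk(ghat, C)
    if h is None:
        return "unmarked"
    bits = [find_mk(i, ghat, h, C) for i in range(ELL)]
    return "unmarked" if None in bits else bits


def demo():
    sk = kg()
    M = [1, 0, 1, 1, 0, 0, 1, 0]      # constructed watermark
    D = mark(sk, M)
    m = rand_msg()
    # (functional conservation, extraction correctness, constant circuit)
    return D(enc(sk, m)) == m, ext(D), ext(lambda ct: 1)


if __name__ == "__main__":
    print(demo())
```

Ext never touches sk or the α values: it only queries the circuit on inputs built from fresh generators, which is what lets any user run it.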


Entire Configuration


Next, an entire configuration of the electronic watermark embeddable encryption system 1 according to the present embodiment will be described with reference to FIG. 1. FIG. 1 is a diagram illustrating an example of the entire configuration of the electronic watermark embeddable encryption system 1 according to the present embodiment.


As illustrated in FIG. 1, the electronic watermark embeddable encryption system 1 according to the present embodiment includes a setup apparatus 10, a key generation apparatus 20, an encryption apparatus 30, a decryption apparatus 40, a watermark embedding apparatus 50, and a watermark extraction apparatus 60. These apparatuses are communicatively connected through any communication network 70 such as the Internet, for example. Note that, for example, the setup apparatus 10 is utilized by a system administrator, and the encryption apparatus 30, the decryption apparatus 40, the watermark embedding apparatus 50, and the watermark extraction apparatus 60 are utilized by a user. The key generation apparatus 20 may be utilized by the system administrator or may be utilized by the user.


The setup apparatus 10 is a computer or a computer system configured to set up a system. The setup apparatus 10 includes a setup processing unit 101 and a storage unit 102.


The setup processing unit 101 executes the setup algorithm Setup, and generates and outputs the common parameter pp. The storage unit 102 stores information necessary for the execution of the setup algorithm Setup, output results thereof, and the like.


The key generation apparatus 20 is a computer or a computer system configured to generate the secret key sk. The key generation apparatus 20 includes a key generation processing unit 201 and a storage unit 202.


The key generation processing unit 201 executes the key generation algorithm KG and outputs the secret key sk. The storage unit 202 stores information necessary for the execution of the key generation algorithm KG, output results thereof, and the like.


The encryption apparatus 30 is a computer or a computer system configured to generate an encrypted text ct obtained by encrypting a plaintext m. The encryption apparatus 30 includes an encryption processing unit 301 and a storage unit 302.


The encryption processing unit 301 executes the encryption algorithm Enc and outputs the encrypted text ct. The storage unit 302 stores information necessary for the execution of the encryption algorithm Enc, output results thereof, and the like.


The decryption apparatus 40 is a computer or a computer system configured to decode the encrypted text ct. The decryption apparatus 40 includes a decryption processing unit 401 and a storage unit 402.


The decryption processing unit 401 executes the decoding algorithm Dec and outputs the plaintext m or ⊥ indicating a decoding failure. The storage unit 402 stores information necessary for the execution of the decoding algorithm Dec, output results thereof, and the like.


The watermark embedding apparatus 50 is a computer or a computer system configured to embed a watermark into the decoding circuit. The watermark embedding apparatus 50 includes an embedding processing unit 501 and a storage unit 502.


The embedding processing unit 501 executes the watermark embedding algorithm Mark, and outputs the decoding circuit D embedded with a watermark M. The storage unit 502 stores information necessary for the execution of the watermark embedding algorithm Mark, output results thereof, and the like.


The watermark extraction apparatus 60 is a computer or a computer system configured to extract the watermark from the decoding circuit. The watermark extraction apparatus 60 includes an extraction processing unit 601 and a storage unit 602.


The extraction processing unit 601 executes the watermark extraction algorithm Ext, and outputs the watermark M from the decoding circuit embedded with the watermark. The storage unit 602 stores information necessary for the execution of the watermark extraction algorithm Ext, the output result thereof, and the like.


Note that the configuration of the electronic watermark embeddable encryption system 1 illustrated in FIG. 1 is an example, and other configurations may be employed. For example, the setup apparatus 10 and the key generation apparatus 20 may be configured as one apparatus, the key generation apparatus 20 and the encryption apparatus 30 may be configured as one apparatus, the encryption apparatus 30 and the watermark embedding apparatus 50 may be configured as one apparatus and the decryption apparatus 40 and the watermark extraction apparatus 60 may be configured as one apparatus.


Processing Flow Executed by Electronic Watermark Embeddable Encryption System 1

Next, a processing flow executed by the electronic watermark embeddable encryption system 1 according to the present embodiment will be described with reference to FIG. 2. FIG. 2 is a diagram illustrating an example of a processing flow executed by the electronic watermark embeddable encryption system 1 according to the present embodiment.


Firstly, the setup processing unit 101 of the setup apparatus 10 executes the setup algorithm Setup (1^λ) to generate and output a common parameter pp (step S101).


Next, the setup processing unit 101 of the setup apparatus 10 transmits the common parameter pp to the key generation apparatus 20, the watermark embedding apparatus 50, and the watermark extraction apparatus 60 (step S102 to step S104).


Next, the key generation processing unit 201 of the key generation apparatus 20 executes the key generation algorithm KG (pp) to generate and output a secret key sk (step S201).


Next, the key generation processing unit 201 of the key generation apparatus 20 transmits the secret key sk to the encryption apparatus 30, the decryption apparatus 40, and the watermark embedding apparatus 50 (step S202 to step S204). Note that in this case, the key generation processing unit 201 transmits the secret key sk through a secure communication method.


Subsequently, if an encryption function is utilized by the user, step S301 to step S303 are executed. That is, in this case, the encryption processing unit 301 of the encryption apparatus 30 executes the encryption algorithm Enc (sk, m) and outputs an encrypted text ct (step S301). Next, the encryption processing unit 301 of the encryption apparatus 30 transmits the encrypted text ct to the decryption apparatus 40 (step S302). Next, in receiving the encrypted text ct, the decryption processing unit 401 of the decryption apparatus 40 executes the decoding algorithm Dec (sk, ct) to decode the encrypted text ct (step S303).


On the other hand, if an electronic watermark function is utilized by the user, step S401 to step S403 are executed. That is, in this case, the embedding processing unit 501 of the watermark embedding apparatus 50 executes the watermark embedding algorithm Mark (pp, sk, M) and outputs a decoding circuit D embedded with a watermark M (step S401). Next, the embedding processing unit 501 of the watermark embedding apparatus 50 transmits the decoding circuit D to the watermark extraction apparatus 60 (step S402). Next, in receiving the decoding circuit D, the extraction processing unit 601 of the watermark extraction apparatus 60 executes the watermark extraction algorithm Ext (pp, D) to extract the watermark M from the decoding circuit D (step S403).


As described above, the electronic watermark embeddable encryption system 1 according to the present embodiment is capable of realizing the secret-key encryption allowing an electronic watermark to be embedded into the decoding circuit. Moreover, in the electronic watermark embeddable encryption system 1 according to the present embodiment, in both cases of embedding a watermark into the decoding circuit and extracting a watermark from the decoding circuit, it is possible to embed and extract the watermark without using the information possibly owned only by the system administrator. Thus, the electronic watermark embeddable encryption system 1 according to the present embodiment allows any user to embed and extract a watermark, and can be applied to a larger number of applications.


Hardware Configuration


Finally, a hardware configuration of the setup apparatus 10, the key generation apparatus 20, the encryption apparatus 30, the decryption apparatus 40, the watermark embedding apparatus 50, and the watermark extraction apparatus 60 included in the electronic watermark embeddable encryption system 1 according to the present embodiment will be described. The setup apparatus 10, the key generation apparatus 20, the encryption apparatus 30, the decryption apparatus 40, the watermark embedding apparatus 50, and the watermark extraction apparatus 60 may be realized by a hardware configuration of a computer 900 illustrated in FIG. 3, for example. FIG. 3 is a diagram illustrating an example of the hardware configuration of the computer 900.


The computer 900 illustrated in FIG. 3 includes an input device 901, a display device 902, an external I/F 903, a communication I/F 904, a processor 905, and a memory device 906.


Each of the hardware devices is communicatively connected via a bus 907.


The input device 901 is a keyboard, a mouse, or a touch panel, for example. The display device 902 is, for example, a display. Note that the computer 900 does not necessarily include at least one of the input device 901 and the display device 902.


The external I/F 903 is an interface with an external device. The external device includes a recording medium 903a and the like. The computer 900 is capable of reading from and writing to the recording medium 903a via the external I/F 903. The recording medium 903a may store, for example, one or more programs for realizing the setup processing unit 101 or the key generation processing unit 201, the encryption processing unit 301, the decryption processing unit 401, the embedding processing unit 501, and the extraction processing unit 601.


Examples of the recording medium 903a include a compact disc (CD), a digital versatile disc (DVD), a secure digital memory card (SD memory card), and a universal serial bus (USB) memory card.


The communication I/F 904 is an interface for connection with the communication network 70. The one or more programs for realizing the setup processing unit 101 or the key generation processing unit 201, the encryption processing unit 301, the decryption processing unit 401, the embedding processing unit 501, and the extraction processing unit 601 may be acquired (downloaded) from a predetermined server apparatus and the like via the communication I/F 904.


The processor 905 is, for example, any of various calculation devices such as a central processing unit (CPU) or a graphics processing unit (GPU). The setup processing unit 101 is realized by processing that one or more programs stored in the memory device 906 of the setup apparatus 10 cause the processor 905 of the setup apparatus 10 to execute. Similarly, the key generation processing unit 201 is realized by processing that one or more programs stored in the memory device 906 of the key generation apparatus 20 cause the processor 905 of the key generation apparatus 20 to execute. The encryption processing unit 301 is realized by processing that one or more programs stored in the memory device 906 of the encryption apparatus 30 cause the processor 905 of the encryption apparatus 30 to execute. The decryption processing unit 401 is realized by processing that one or more programs stored in the memory device 906 of the decryption apparatus 40 cause the processor 905 of the decryption apparatus 40 to execute. The embedding processing unit 501 is realized by processing that one or more programs stored in the memory device 906 of the watermark embedding apparatus 50 cause the processor 905 of the watermark embedding apparatus 50 to execute. The extraction processing unit 601 is realized by processing that one or more programs stored in the memory device 906 of the watermark extraction apparatus 60 cause the processor 905 of the watermark extraction apparatus 60 to execute.


The memory device 906 is, for example, any storage device such as a hard disk drive (HDD), a solid state drive (SSD), a random access memory (RAM), a read only memory (ROM), or a flash memory. The storage unit 102 may be realized using, for example, the memory device 906 of the setup apparatus 10. Similarly, the storage unit 202 may be realized using, for example, the memory device 906 of the key generation apparatus 20. The storage unit 302 may be realized using, for example, the memory device 906 of the encryption apparatus 30. The storage unit 402 may be realized using, for example, the memory device 906 of the decryption apparatus 40. The storage unit 502 may be realized using the memory device 906 of the watermark embedding apparatus 50. The storage unit 602 may be realized using the memory device 906 of the watermark extraction apparatus 60.


The setup apparatus 10, the key generation apparatus 20, the encryption apparatus 30, the decryption apparatus 40, the watermark embedding apparatus 50, and the watermark extraction apparatus 60 included in the electronic watermark embeddable encryption system 1 according to the present embodiment can realize the above-described processing by the hardware configuration of the computer 900 illustrated in FIG. 3. Note that the hardware configuration of the computer 900 illustrated in FIG. 3 is an example, and other hardware configurations may be employed. For example, the computer 900 may include a plurality of processors 905, and may include a plurality of memory devices 906.


The present invention is not limited to the above-described embodiment disclosed specifically, and various modifications or changes, combinations with known techniques, and the like can be made without departing from description of the claims.


REFERENCE SIGNS LIST




  • 1 Electronic watermark embeddable encryption system
  • 10 Setup apparatus
  • 20 Key generation apparatus
  • 30 Encryption apparatus
  • 40 Decryption apparatus
  • 50 Watermark embedding apparatus
  • 60 Watermark extraction apparatus
  • 70 Communication network
  • 101 Setup processing unit
  • 102 Storage unit
  • 201 Key generation processing unit
  • 202 Storage unit
  • 301 Encryption processing unit
  • 302 Storage unit
  • 401 Decryption processing unit
  • 402 Storage unit
  • 501 Embedding processing unit
  • 502 Storage unit
  • 601 Extraction processing unit
  • 602 Storage unit


Claims
  • 1. An electronic watermark embedding apparatus capable of embedding an electronic watermark into a decoding circuit of secret-key encryption, the apparatus comprising a processor configured to execute a method comprising: receiving input including a common parameter generated in a setup of the secret-key encryption, a secret key of the secret-key encryption, and the electronic watermark; and generating, based on the input, the decoding circuit embedded with the electronic watermark, the decoding circuit being capable of decoding an encrypted text encrypted using the secret-key encryption.
  • 2. The electronic watermark embedding apparatus according to claim 1, wherein the common parameter includes a cyclic group G of an order p and a generator g of the cyclic group G, the secret key includes an element x uniformly and randomly selected from a residue system modulo the p and a plurality of elements a uniformly and randomly selected from a set obtained by removing a zero element from the residue system modulo the p, and the generating further comprises generating the decoding circuit hard-coded with a value calculated using the electronic watermark, the element x, the plurality of elements a, and the p, and the electronic watermark.
  • 3. An electronic watermark extraction apparatus capable of extracting an electronic watermark embedded in a decoding circuit of secret-key encryption, comprising a processor configured to execute a method comprising: receiving input including a combination of a common parameter generated by a setup of the secret-key encryption and the decoding circuit: and extracting, based on the input, the electronic watermark embedded in the decoding circuit, the decoding circuit being capable of decoding an encrypted text encrypted using the secret-key encryption.
  • 4. The electronic watermark extraction apparatus according to claim 3, wherein the common parameter includes a cyclic group G of an order p, and the extraction further comprises: randomly generating a plurality of generators of the cyclic group G, performs a calculation by a predetermined first circuit by being input with the plurality of generated generators and the decoding circuit, and performs a calculation by a predetermined second circuit by being input with the plurality of generated generators and the decoding circuit to extract, as the electronic watermark, an output of the second circuit.
  • 5. The electronic watermark extraction apparatus according to claim 4, wherein the first circuit calculates a plurality of values h from a value y obtained by decoding, by the decoding circuit, first information including an element m uniformly and randomly selected from the cyclic group G, an element r uniformly and randomly selected from a set obtained by removing a zero element from a residue system modulo the p, and the plurality of generators, the element m, and the element r, and outputs a value h appearing a predetermined number of times or more from among the plurality of calculated values h, the second circuit calculates a plurality of values z from a value y′ obtained by decoding, by the decoding circuit, second information including an element m uniformly and randomly selected from the cyclic group G, an element r uniformly and randomly selected from a set obtained by removing a zero element from a residue system modulo the p, and the plurality of generators, the element m, and the element h, and outputs a value corresponding to a value z appearing a predetermined number of times or more from among the plurality of calculated values z, and the extracting further comprises using a value output from the second circuit, as information included in the electronic watermark to extract the electronic watermark.
  • 6. A computer implemented method, comprising: receiving input including a common parameter generated in a setup of secret-key encryption, a secret key of the secret-key encryption, and an electronic watermark; and generating, based on the input, a decoding circuit embedded with an electronic watermark, the decoding circuit being capable of decoding an encrypted text encrypted using the secret-key encryption.
  • 7-8. (canceled)
  • 9. The electronic watermark embedding apparatus according to claim 1, wherein the encrypted text is based on music data.
  • 10. The electronic watermark embedding apparatus according to claim 1, wherein the setup of the secret-key encryption is associated with an administrative user, and wherein the decoding circuit is associated with a non-administrative user.
  • 11. The electronic watermark extraction apparatus according to claim 3, wherein the encrypted text is based on music data.
  • 12. The electronic watermark extraction apparatus according to claim 3, wherein the setup of the secret-key encryption is associated with an administrative user, and wherein the decoding circuit is associated with a non-administrative user.
  • 13. The computer implemented method according to claim 6, wherein the common parameter includes a cyclic group G of an order p and a generator g of the cyclic group G, the secret key includes an element x uniformly and randomly selected from a residue system modulo the p and a plurality of elements a uniformly and randomly selected from a set obtained by removing a zero element from the residue system modulo the p, and the generating further comprises generating the decoding circuit hard-coded with a value calculated using the electronic watermark, the element x, the plurality of elements a, and the p, and the electronic watermark.
  • 14. The computer implemented method according to claim 13, further comprising: extracting the electronic watermark embedded in the decoding circuit by being input with the common parameter generated in the setup of the secret-key encryption and the decoding circuit.
  • 15. The computer implemented method according to claim 6, wherein the encrypted text is based on music data.
  • 16. The computer implemented method according to claim 6, wherein the setup of the secret-key encryption is associated with an administrative user, and wherein the decoding circuit is associated with a non-administrative user.
  • 17. The computer implemented method according to claim 14, further comprising: randomly generating a plurality of generators of the cyclic group G, performs a calculation by a predetermined first circuit by being input with the plurality of generated generators and the decoding circuit, and performs a calculation by a predetermined second circuit by being input with the plurality of generated generators and the decoding circuit to extract, as the electronic watermark, an output of the second circuit.
  • 18. The computer implemented method according to claim 17, wherein the first circuit calculates a plurality of values h from a value y obtained by decoding, by the decoding circuit, first information including an element m uniformly and randomly selected from the cyclic group G, an element r uniformly and randomly selected from a set obtained by removing a zero element from a residue system modulo the p, and the plurality of generators, the element m, and the element r, and outputs a value h appearing a predetermined number of times or more from among the plurality of calculated values h, the second circuit calculates a plurality of values z from a value y′ obtained by decoding, by the decoding circuit, second information including an element m uniformly and randomly selected from the cyclic group G, an element r uniformly and randomly selected from a set obtained by removing a zero element from a residue system modulo the p, and the plurality of generators, the element m, and the element h, and outputs a value corresponding to a value z appearing a predetermined number of times or more from among the plurality of calculated values z, and the extracting further comprises using a value output from the second circuit, as information included in the electronic watermark to extract the electronic watermark.
PCT Information
Filing Document Filing Date Country Kind
PCT/JP2019/050987 12/25/2019 WO