A Watermarking Protocol Based on Blockchain

: Digital watermarking can be used to implement mechanisms aimed at protecting the copyright of digital content distributed on the Internet. Such mechanisms support copyright identification and content tracking by enabling content providers to embed perceptually invisible watermarks into the distributed copies of content. They are employed in conjunction with watermarking protocols, which deﬁne the schemes of the web transactions by which buyers can securely purchase protected digital content distributed by content providers. In this regard, the “buyer friendly” and “mediated” watermarking protocols can ensure both a correct content protection and an easy participation of buyers in the transactions by which to purchase the distributed content. They represent a valid alternative to the classic “buyer and seller” watermarking protocols documented in the literature. However, their protection schemes could be further improved and simpliﬁed. This paper presents a new watermarking protocol able to combine the “buyer friendly” and “mediated” design approach with the blockchain technology. The result is a secure protocol that can support a limited and balanced participation of both buyers and content providers in the purchase transactions of protected digital content. Moreover, the protocol can avoid the direct involvement of trusted third parties in the purchase transactions. This can reduce the actual risk that buyers or sellers can violate the protocol by illicitly interacting with trusted third parties. In fact, such peculiarities make the proposed protocol suited for the current web context.


Introduction
Social networks and user-generated content platforms have turned common web users into actual producers of multimedia digital content. Such content can be easily duplicated without reducing their perceptual quality. They can be also maliciously modified and/or re-distributed, thus damaging the reputation of their legitimate owners, or revealing their private information, or causing economic loss. In addition, current mechanisms implemented to protect the copyright of multimedia digital content cannot adequately meet the protection requirements needed to solve piracy problems on the Internet.
One of the technologies proposed to protect the users' copyrights on their multimedia digital content is "digital watermarking" [1,2] used in conjunction with "watermarking protocols" [3][4][5].
Digital watermarking makes it possible to insert hidden information, such as, for example, a "fingerprint" [6][7][8], within any copy of content that has to be protected. Such information, called a "watermark", can be used to identify the user who possesses the content, and makes the copy of the content unique and personalized.
However, to combat the unauthorized sharing of multimedia digital content on the Internet, it is necessary to distribute the watermarked content according to specific interaction schemes defined by watermarking protocols. Thus, whenever a copy of watermarked content is found in a suspicious location, such as in file repositories shared by peer-to-peer applications, the embedded watermark can be used as a proof of ownership to establish who has initially obtained the copy and then illegally shared it on the Internet.
The most relevant watermarking protocols documented in the literature enable the implementation of mechanisms for copyright protection based on content tracking by fingerprinting [3][4][5]8,9]. They mainly involve two parties: the "buyer" and the "seller". The former wishes to get content from a web content provider, whereas the latter wishes to release it in a digitally protected form obtained by inserting a watermark. In particular, the early experiences also involve specific trusted third parties (TTPs), called "watermark certification authorities" (WCAs), whose main function is to guarantee the correct execution of the protocols [4,[10][11][12][13][14][15]. However, the introduction of WCAs can reduce the security level of the protocols, since TTPs can give rise to potential collusive behaviors with buyers or sellers [2,16]. As a consequence, a number of watermarking protocols are based on "simplified" interaction schemes that do not exploit WCAs [17][18][19][20][21]. Such approaches appear to be more secure, but they turn out to be impracticable in the current web context, since they are characterized by interaction schemes that force buyers to perform complex security actions to complete content purchase transactions [22].
The watermarking protocols described in [22][23][24] attempt to overcome the drawbacks affecting previous solutions existing in the literature by proposing a new "buyer friendly" and "mediated" design approach. Such an approach reintroduces the TTP, but its role is carefully limited to a restricted part of the protocol, so as to enable a simplified participation of buyers in the content purchase transactions without reducing the security level of the protocol.
Although such experiences represent a good balance between security and easy participation of buyers in the protocol, further efforts are needed to simplify the interaction schemes of such watermarking protocols, so as to make them best suited to the current web context that does not like the presence of TTPs. In this regard, it is worth noting that blockchain technology has begun to be employed in the area of digital copyright protection [25][26][27][28][29]. In fact, blockchain belongs to the category of distributed ledger technologies that enable commercial or network transaction data to be recorded in cryptographic chained blocks by employing several security technologies, such as cryptographic hash, digital signature, and distributed consensus mechanism. When they are appended to a chain, blocks are timestamped and linked in a way that makes them resilient to modifications. Therefore, they are considered to be trusted for transactions among web entities, and can be verified in a decentralized way by exploiting multiple web nodes to form a consensus on whether a transaction is valid or not. In addition, blockchain supports the so-called "smart contracts", which represent a way to automatically execute the terms of an agreement reached between distinct web entities. More precisely, a smart contract encapsulates a number of preset rules in the form of code, and sets corresponding trigger events under specific conditions: when the conditions are met, the terms of the agreement are automatically executed without control from a central authority [26][27][28][29][30][31].
This paper presents a new watermarking protocol based on blockchain technology. The protocol is built on the experiences previously conducted with the protocols documented in [22][23][24], and follows the buyer friendly and mediated design approach. The main aim is to simplify the interaction scheme of the protocol by exploiting the blockchain technology, which makes it possible to better control the involvement of the TTP in the protocol. In fact, such an involvement has been further restricted in order to reduce the possibility of collusive actions from the TTP, making the developed protocol more secure and suited to the current web context. The paper is organized as follows. Section 2 reports on related work. Section 3 introduces the main challenges faced in developing the proposed protocol. Section 4 reports the basics of the proposed protocol, whereas Section 5 describes the protocol in detail. Section 6 analyzes the proposed protocol. Section 7 focuses on the main implementation aspects of the watermarking protocol. The final remarks are in Section 8.

Related Work
Most of the watermarking protocols documented in the literature do not exploit blockchain technology, but they are based on the well-known "buyer and seller" protection schemes and their variants characterized by the absence of TTPs. They are widely described and discussed in [5,[22][23][24]. Some of them also inspire the so-called DRM (digital rights management) systems, which are complex web platforms that adopt specific technologies and interaction schemes to enable the copyright protection of digital content on the Internet [32,33]. More precisely, DRM systems do not actually define watermarking protocols, but they still implement mechanisms by which to prevent the unauthorized use of protected digital content without payment. To achieve such a goal, DRM systems use technologies based on encryption and key management [34]. However, such technologies cannot inhibit legitimate users from illegally sharing their purchased content on the Internet.
To overcome the drawbacks reported above, a number of DRM systems implement protection schemes based on "trusted computing". They prevent the sharing of illegal keys and protected content by enabling the access to such content on the basis of the web users' biometric features [35,36]. In fact, such systems appear to be very promising, but they lack flexibility, since they need particular hardware, such as "trusted platform modules" (TPMs) or fingerprint recognizers, and cannot defend against specific attacks, such as screen recording or I/O monitoring.
The blockchain technology, in conjunction with digital watermarking, is employed in a number of DRM systems to provide some copyright management services, such as to keep track of possible and required content modifications, copyright transfers or other transaction trails related to the managed digital content [37][38][39]. In particular, digital watermarking is mainly used to provide content tracking by fingerprinting. However, such DRM systems do not implement protection schemes able to address the peculiar problems that affect watermarking protocols, such as the "customer's right problem" or the "unbinding problem" [4,11,22]. As a consequence, once content is downloaded and tampered, there is no legal way to prove the ownership of the content and to trace who should be responsible for copyright infringement. In fact, such considerations motivate the design of innovative watermarking protocols able to exploit the blockchain technology to overcome the limitations described above.

Main Challenges
One of the main challenges in designing watermarking protocols consists of accurately defining the role played by TTPs in the purchase transactions, since TTPs could collude with the other parties involved in the protocols [17,20,40] so as to impair them. In this regard, the best solution would be to totally eliminate TTPs from protocols. However, such a solution is not always possible, since protocols often need TTPs to validate specific data, or some phases of the protocol, or, for example, the plug-ins that have to be downloaded and installed in the buyers' web browsers to complete the purchase transactions [22,23]. Furthermore, when TTPs play a limited role in the protocols, buyers end up being forced to perform complex security actions to complete the purchase transactions, and this makes the protocols impractical for the web context [17][18][19][20][21][40][41][42][43][44].
The watermarking protocols presented in [22][23][24] do not completely eliminate the TTP, but they carefully exploit it without assigning it a central role in order to simplify the buyer participation in the protocols. In particular, the TTP participates only in the initial phase of the protocols and restricts its role to the generation of a number of tokens needed to unambiguously bind the chosen content to the buyer, the seller and the ongoing purchase transaction.
Although the role of the TTP is rather restricted in the protocols described in [22][23][24], it has to be further limited if the main goal is to develop an innovative watermarking protocol suited for the current web context. In this regard, blockchain technology represents a challenge to achieve such a goal. In fact, it can be exploited in the proposed protocol with the aim of securely tracking the purchase transactions in a public ledger that can be updated by automatically executing smart contracts without resorting to the control of a TTP [26][27][28][29]. Thus, the TTP involved in the proposed protocol can act as a simple and trusted web distributor of secure tokens needed to complete the purchase transactions of protected digital content. In fact, it is not a WCA, even though it has to behave as a TTP in the sense of a common certification authority (CA) [45][46][47].
The adoption of blockchain technology to strongly restrict the role of TTP makes it necessary to accurately design and code the smart contract that controls the execution of the proposed watermarking protocol and validates each purchase transaction. In fact, this represents a relevant practical challenge well documented in the literature, since the code that implements the contract, once it has been released, can no longer be modified or updated. Therefore, if the code of the contract is incorrect or gives rise to a problem during use, it ends up impairing the entire protocol [48].

Basics of the Protocol
The proposed watermarking protocol is based on a limited set of well-known security facilities: public key infrastructure (PKI), homomorphic cryptosystem [49], encrypted and signed tokens [4,5,22], and blind and readable watermarking scheme [1]. Furthermore, it exploits the public key and secure communication support implemented by the SSL/TLS protocol for all the messages exchanged among the web entities involved in the protocol [46].
In more detail, if a piece of content and a watermark can be described according to a block-wise representation in the form of X = {x 1 , x 2 , . . . x l } and W = {w 1 , w 2 , . . . w l } respectively, the watermark insertion adopted by the proposed protocol, denoted as ⊕, results in the following expression: since such an insertion is assumed to be based on linear watermarks [1,10,17,50]. Furthermore, if X = {x 1 , x 2 . . . x l } is a digital content, its encryption by means of the function E results in the following expression: since E is assumed to be a block-wise function [10,50].
Finally, the encryption function E is assumed to be "homomorphic" with respect to the watermark insertion. This means that any linear watermark can be embedded directly into the encrypted domain according to the following expression [10,50]: In fact, a cryptosystem E is homomorphic with respect to an operation if E pk (m 1 m 2 ) = E pk (m 1 ) E pk (m 2 ) for any two plain messages m 1 and m 2 [49]. As a consequence, homomorphic encryption makes it possible to perform operations by directly working on encrypted data.

Watermarking Protocol
The proposed watermarking protocol is an enhancement of the buyer friendly and mediated protocols presented in [22][23][24]. It has been designed and developed according to what is reported in Section 3. Therefore, it exploits the blockchain technology to avoid the participation of a TTP in the core of the protection phase so as to simplify and secure the basic interaction scheme characterizing the protocols described in [22][23][24]. The result is an innovative watermarking protocol in which the blockchain is employed to lock in a public ledger the main tokens characterizing purchase transactions. In fact, such tokens are collected and controlled by executing a specific smart contract: if they turn out to be correct, the ongoing purchase transaction is automatically validated and completed without the direct intervention of a TTP.
Even though the proposed protocol can run without a centralized control, it still needs a TTP acting as a trusted web distributor of security tokens, such as one-time public and private key pairs and encrypted "nonces" [51], needed to complete the purchase transactions of protected digital content according to the original buyer friendly and mediated approach [22]. Moreover, the proposed protocol needs a further TTP, called "judge". It does not participate in the phase of the protocol that applies the protection to the digital content distributed on the Internet. It only participates in the subsequent "identification and arbitration phase" needed to determine the identity of an illegal distributor of a copy of a protected digital content [22][23][24]. In fact, the TTP and the judge could even coincide, but conventional certification authorities do not usually implement the service performed by the judge [17,22].
More precisely, the proposed watermarking protocol is characterized by a protection scheme in which: (1) the seller or content provider CP releases content in an encrypted and watermarked form; (2) the buyer B can obtain the protected content by simply decrypting it; (3) the purchase transaction of a protected digital content occurring between the buyer and the content provider is validated by automatically executing a smart contract within a blockchain BC, which takes charge of controlling all the tokens generated by the transaction; (4) buyer and content provider take part in transactions that employ security tokens guaranteed by a "registration authority" RA [22][23][24]; (5) a judge J guarantees the dispute resolution protocol and determines if a buyer is guilty of having released pirated copies [22][23][24].
The protocol consists of two subprotocols: the protection protocol and the identification and arbitration protocol. The meanings of the symbols used to describe the protocol are reported in Table 1. one time public key generated by the entity Ent. in the transaction to watermark X sk X Ent.
one time secret key generated by the entity Ent. in the transaction to watermark X E key (. . .) token encrypted using the key key and a public key cryptosystem S key (. . .) token digitally signed using the secret key key and the SHA-1 secure hash algorithm E key (. . .) token encrypted using the key key and a cryptosystem that is privacy homomorphic with respect to the watermark insertion D key (. . .) decryption function corresponding to the encryption function E key (. . .)

Protection Protocol
The protocol, whose scheme is reported in Table 2, starts when B visits the CP's web site, chooses the content X, and sends the purchase request to CP in the message m 1 .

B
: visits the CP's web site and chooses the content X B → CP : : activates the smart contract BC : compares the tokens and verifies the signatures included in m 6 and m 7

BC
: generates a node in the blockchain by which to publish X d , T X , : saves a new entry in its databases composed of X d , T X , pk X RA , E pk X RA (N), Upon receiving the purchase request, CP contacts RA, by sending the message m 2 , in order to obtain the security tokens to complete the purchase transaction. In fact, RA is a TTP that publishes a list of pairs, each including a public key pk X RA and an encrypted token E pk X RA (N). In particular, pk X RA corresponds to the secret key sk X RA . They represent a one-time key pair that can be used only in the current transaction [52]. N is a "nonce" represented by a binary string. It is encrypted by employing the public key pk X RA and a cryptosystem that is "privacy homomorphic" [49] with respect to the subsequent watermark insertion. In fact, the resulting token E pk X RA (N) will be then used to generate the watermark to be inserted into the content X.
The chosen pair (pk X RA , E pk X RA (N)) is returned by RA in the message m 3 together with the signature S RA (pk X RA , E pk X RA (N)). Upon receiving m 3 , CP can confirm the purchase request made by B. In fact, CP generates two tokens, X d and T X . The former is a string that identifies the requested content X. It includes the name of the content and further data that can unambiguously describe it. The latter is a timestamp that is referred to the ongoing transaction. Then, CP generates the signature S CP (X d , T X , pk X RA , S RA (pk X RA , E pk X RA (N))) and sends the message m 4 to B, which includes X d , T X , pk X RA , S RA (pk X RA , E pk X RA (N)), and S CP (X d , T X , pk X RA , S RA (pk X RA , E pk X RA (N))). After having confirmed the purchase request, CP can apply the protection to X. Therefore, CP generates its part of watermark, denoted by W CP , which is a fingerprinting binary code obtained as an anti-collusion code [6,7,16] concatenated with an error correcting code used to address the problems of bit errors that can arise during the watermark verification process. Then, CP encrypts W CP and X using the public key pk X RA and the same homomorphic cryptosystem used by RA to encrypt N, thus generating E pk X RA (W CP ) and E pk X RA (X). Then, according to the basics reported in Section 4, CP concatenates E pk X RA (W CP ) and E pk X RA (N) to generate the encrypted watermark E pk X RA (W) according the following expression: Moreover, CP can embed the encrypted watermark E pk X RA (W) directly into the encrypted content E pk X RA (X) according to the following expression: since encryption is homomorphic with respect to watermark insertion [10,49,50]. The encrypted and watermarked content E pk X RA (X) can be thus sent by CP to B in the message m 5 . At this point, CP and B can activate the smart contract in the blockchain BC by sending the messages m 6 and m 7 , respectively.
In particular, the message m 6 is sent by CP to BC, and contains X d , T X , pk X RA , E pk X RA (N), S RA (pk X RA , E pk X RA (N)), and the signature S CP (X d , T X , pk X RA , E pk X RA (N), S RA (pk X RA , E pk X RA (N))).
The message m 7 is sent by B to BC, and includes X d , T X , pk X RA , and S RA (pk X RA , E pk X RA (N)). In addition, B also sends B id and B ad to BC in the message m 7 : the former is a token that unambiguously identifies B, whereas the latter represents his/her destination address. In particular, • B id is generated depending on the specific "negotiation mechanism" chosen by B among those ones supported by BC [4,5]. In this regard, in the proposed protocol BC is assumed to provide multiple negotiation mechanisms, which enable B to be identified, for example, using an anonymous digital certificate or a personal digital certificate or a credit card [4,5]. In fact, the last two mechanisms enable B to be directly identified. However, they are assumed to be implemented according to the concept of "multilateral security" applied to web transactions [53,54]. • B ad is the B's shipping address that will enable him/her to receive the secret key sk X RA corresponding to the public key pk X RA .
When the messages m 6 and m 7 are received by BC, the code associated to a specific smart contract is automatically executed. The code of the contract mainly compares the tokens, verifies the signatures contained in the two received messages, and checks whether the tokens pk X RA and E pk X RA (N), generated by RA, have been already used in a previous purchase transaction or not.
In fact, this means to check whether pk X RA and E pk X RA (N) have been already published in a node of the blockchain or not. If all data turn out to be correct, match, and the tokens generated by RA have not been used in previous transactions, the code enables the generation of a new node in BC, which makes some of the tokens identifying the ongoing transactions, such as X d , T X , pk X RA , E pk X RA (N), S RA (pk X RA , E pk X RA (N)), and S CP (X d , T X , pk X RA , E pk X RA (N), S RA (pk X RA , E pk X RA (N))), public. Moreover, the execution of the smart contract within BC takes also charge of implementing the payment phase. It ends by sending two messages, m 8 and m 9 , to RA and CP, respectively.
The message m 8 includes B ad and pk X RA , and enables RA to send the secret key sk X RA to B in the message m 10 . B can thus decrypt E pk X RA (X) and obtain the final protected content according to the following equalities: The message m 9 contains the security token E pk RA (B id , pk X RA , E pk X RA (N)). It is stored by CP in a new entry in its databases, whose search key is the watermark W CP . The entry also includes the following tokens: X d , T X , pk X RA , E pk X RA (N), and S RA (pk X RA , E pk X RA (N)). Such tokens are needed to prove that B is the legitimate owner of the protected contentX sold by CP through a transaction registered by a node published in the blockchain BC.

Identification and Arbitration Protocol
The protocol is run by CP to identify the responsible distributor of a pirated copy ofX, who was the legitimate copyright owner ofX, with undeniable evidence [4,5].
As shown in Table 3, the first step of the protocol consists of extracting the watermark W from the pirated copy ofX, denoted as X . After the extraction of W = W CP N , CP can access its databases and use W CP to search them for a match. If a possible match is found [11], CP can retrieve the tokens saved during the purchase transaction ofX, which are X d , T X , pk X RA , E pk X RA (N), S RA (pk X RA , E pk X RA (N)), and E pk RA (B id , pk X RA , E pk X RA (N)). Then, CP can send the tokens, together with W , to J in the message m 1 . Table 3. Identification and arbitration protocol.

CP
: finds X in the market and extracts W = W CP N CP : searches its databases for a possible match on W CP CP → J : m 1 = {W , X d , T X , pk X RA , E pk X RA (N), S RA (pk X RA , E pk X RA (N)), E pk RA (B id , pk X RA , E pk X RA (N))} J : searches BC for a node including pk X RA and E pk X RA (N) J : retrieves the tokens published in the node of BC, which are X d , T X , pk X RA , E pk X RA (N), S RA (pk X RA , E pk X RA (N)), S CP (X d , T X , pk X RA , E pk X RA (N), S RA (pk X RA , E pk X RA (N))) J : verifies if the tokens retrieved from BC match those ones received from CP J → RA : m 2 = {pk X RA , E pk X RA (N), E pk RA (B id , pk X RA , E pk X RA (N))}

RA
: decrypts E pk RA (B id , pk X RA , E pk X RA (N)) RA → J : m 3 = {B id , N} J : compares N with N and adjudicates J receives m 1 and verifies the signature S RA (pk X RA , E pk X RA (N)). Then, it searches the blockchain BC for a node using pk X RA and E pk X RA (N) as search keys. If a node is found, J can access the tokens published by the node, which are reported in Table 2, and compare them with those one received by CP. If all the tokens match, J can send pk X RA , E pk X RA (N), and E pk RA (B id , pk X RA , E pk X RA (N)) to RA in the message m 2 .
RA decrypts E pk RA (B id , pk X RA , E pk X RA (N)) and verifies the received tokens. If all data are correct, RA decrypts E pk X RA (N) and sends B id and N to J in the message m 3 . Upon receiving m 3 , J compares N and N. If N = N, the identity of the buyer B id is revealed, and J can adjudicate him/her to be a traitor, thus closing the case. Otherwise, the protocol ends without exposing any identity.

Protocol Analysis
In the conducted analysis, the ideal behavior of the proposed watermarking protocol can be modeled as follows: a content provider CP sells the digital content X to a buyer B; B obtains the protected digital contentX from CP; a blockchain BC is a ledger that publishes the tokens that identify each purchase transaction of digital content distributed on the web; a registration authority RA generates some specific data that have to be used by CP to protect X; a judge J decides whether B is guilty of releasing pirated copies.
The ideal behavior is modeled under the following assumptions: • J and RA cannot be corrupted. • CP and B can be only corrupted "statically", i.e., the set of the corrupt entities is decided at the beginning of the protocol execution and cannot be modified throughout the execution [55]. • BC is assumed to be characterized by an "honest-but-curious" behavior [55]. As a consequence, BC is obliged to follow the rules of the protocol, even though it can try its best to get information from the executed actions. This means that BC cannot collude with B or CP, and this is a reasonable assumption, since BC is assumed to limit its action to automatically executing a smart contract whose code is approved and accepted in advance and cannot be modified during the life of the blockchain [26][27][28][29][30].

•
Uncorrupt buyers and content providers are assumed to never release pirated copies.
The assumptions reported above ensure that, if CP and B are uncorrupt, B receives a unique and personalised protected contentX during the purchase transaction. Therefore, if a pirated copy ofX is found on the web, it can be always traced back to B and to the purchase transaction. On the contrary, if CP is corrupt, B receives a protected contentX that cannot be correctly tied to any buyer. As a consequence, nobody can be adjudicated to be a traitor, and the corruption of CP ends up being useless and pernicious just for CP. Likewise, if B is corrupt, CP can abort the purchase transaction without releasing any content.

Assumptions
The proposed protocol assumes that the watermark insertion technique employed to protect a digital content is robust against the most common and nonmalevolent manipulations, and survives the most relevant and intentional attacks, such as signal processing based attacks, geometric attacks, or collusion attacks [6,7,[56][57][58][59][60]. In fact, such an assumption is realistic since there is a vast literature on watermark insertion techniques that documents the existence of increasingly robust and secure watermarking algorithms [1,20,21,[61][62][63][64][65] together with a promising and increasing research activity in the development of new techniques and algorithms.
The protocol also assumes that the digital encryption applied within the context of a PKI is characterized by indistinguishability under chosen plaintext attack (IND-CPA). As a consequence, an adversary cannot get any knowledge about a plaintext message m from the corresponding ciphertext c.
Finally, the protocol assumes that the adopted cryptosystem is privacy homomorphic with respect to watermark insertion according to what is specified in Section 4 [49].

Analysis
The security analysis follows the scheme adopted in [22][23][24], and examines the behavior of the proposed watermarking protocol when corrupt entities make their strongest attacks [46,47,66,67]. Therefore, the analysis is restricted to two main attacks, which represent the two worst cases for security: (1) when CP is corrupt and tries to cheat B; (2) when B is corrupt and attempts to cheat CP. In both cases, according to what is reported in Sections 3 and 5, the analysis is conducted by assuming the presence of an honest-but-curious BC [55,68] and of a TTP RA.

CP is Corrupt
Consider the execution of the proposed protocol when a corrupt party CP c and an honest B are involved.
B chooses the content X and communicates the wish to buy it to CP c . CP c interacts with RA and obtains pk X RA and E pk X RA (N). During this preliminary phase, no corrupting actions may occur.

Lemma 1 (Basic Lemma).
Under the basic assumptions reported in Section 6.1, if CP c tries to embed a corrupt watermark W c into X in order to accuse an innocent buyer of illegal content distribution, such a corruption is disclosed by running the identification and arbitration protocol.
Proof. Since the watermark W is composed of N and W CP (see Expression (1)) , CP c can embed a corrupt watermark into X only if it can corrupt the part N of W. Therefore, consider the case in which CP c wants to embed a corrupt N c into the content X purchased by B. To achieve such a goal, CP c has to be able to: 1. embedd the watermark W c = W CP ||N c into the content X directly in the encrypted domain, according to the Expressions (1) and (2); 2.
obtain the generation of a node in the blockchain BC, which occurs only if BC can certify consistency between the security tokens sent in the messages m 6 and m 7 by CP c and B respectively (see Table 2).
The former condition is needed because B obtains the final and protected version of the purchased contentX by decrypting the content E pk X RA (X) with the secret key received by RA in the message m 10 (see Table 2), according to the Expression (3). This also means that, if CP c wants to use a corrupt key pk X c RA to encrypt the nonce N c , it has also to control the corresponding secret key sent by RA to B in the message m 10 , which has to necessarily become sk X c RA . The latter condition implies that CP c can obtain or generate a valid and verifiable signature S RA (pk X RA , E pk X RA (N c )) on the corrupt token E pk X RA (N c ). Furthermore, if CP c decides to also employ a corrupt key pk X c RA to encrypt N c , then the corrupt signature to obtain or generate becomes S RA (pk X c RA , E pk X c RA (N c )).
In this regard, it is worth noting that, under the assumptions reported in Section 6.1, CP c cannot generate a valid signature S RA (. . .) on corrupt tokens. This means that CP c cannot choose an arbitrary nonce N c or key pair (pk X c RA ,sk X c RA ) to conduct a purchase transaction, but it could only attempt to reuse tokens generated by RA in previous purchase transactions. However, the following considerations have to be taken into account:

1.
When a key pair (pk X RA ,sk X RA ) and an encrypted nonce E pk X RA (N) are employed in a valid purchase transaction, they are included and published in a node of BC, and can no longer be re-used, as reported in Section 5.1.

2.
Once the public key pk X RA has been chosen and sent to B in the message m 4 , it can no longer be corrupted by CP c , since it has to correspond to the secret key sk X RA released by RA in the message m 10 . Therefore, if CP c encrypts the watermark to be inserted into X using the corrupt key pk X c RA , it ends up generating the content E pk X c RA (X)). However, B will employ the secret key sk X RA to decrypt the received content E pk X c RA (X)) according to the Expression (3), thus generating a protected content containing an unknown and unpredictable watermark. In fact, this just damages CP c , which ends up releasing a piece of content including a watermark that cannot be linked to any buyer.

3.
If CP c receives the key pk X RA from RA in the message m 3 and forwards the corrupt key pk X c RA to B in the message m 4 , the key exchange is always disclosed by BC unless CP c generates a valid signature S RA (pk X c RA , . . .), which, as reported above, is impossible. This is because BC compares the tokens received in the messages m 6 and m 7 , and generates a new node in the blockchain only if the tokens turn out to be consistent.

4.
For the same reason reported at the previous point, if CP c receives the encrypted nonce E pk X RA (N) from RA in the message m 3 and forwards the corrupt nonce E pk X RA (N c ) to BC in the message m 6 , the nonce exchange is always disclosed by BC unless CP c generates a valid signature S RA (pk X RA , E pk X RA (N c )), which, as reported above, is impossible.
Therefore, suppose that B starts a purchase transaction and that CP c receives the message m 3 containing pk X RA , E pk X RA (N), and S RA (pk X RA , E pk X RA (N)) (see Table 2). Suppose also that CP c inserts a corrupt watermark W c = W CP ||N c into the content X, thus creating the protected copyX c , and suppose thatX c is found in the market. CP c starts the identification and arbitration protocol by extracting the watermark W c fromX c and by sending to J all the tokens existing in its databases and associated to W c , according to what is reported in Section 5.2. Suppose that CP c wants to cheat J in order to accuse a buyer of illegal content distribution. To achieve such a goal, CP c has to send, among the others, the following corrupt tokens pk X RA , E pk X RA (N c ), S RA (pk X RA , E pk X RA (N c )), E pk RA (B id , pk X RA , E pk X RA (N c )) to J (see Table 3), which have to be all coherent with N c . However, according to what is reported above and under the assumptions of Section 6.1, the following constraints have to be considered: • CP c cannot generate a valid signature S RA (. . .) on arbitrary security tokens; • the security tokens that can be employed in a valid purchase transaction have to be among those ones generated by RA; • CP c cannot reuse security tokens employed in previous purchase transactions and already published in the nodes of BC; As a consequence, if CP c attempts to accuse an innocent buyer of illegal content distribution by generating corrupt tokens coherent with the corrupt watermark W c = W CP ||N c embedded into the content X c found in the market, the attempt ends up being revealed by the execution of the identification and arbitration protocol, and this prevents the protocol from adjudicating anybody to be a traitor.

Lemma 2.
Under the assumptions reported in Section 6.1, if CP c tries to alter the tokens that are managed during the protection phase in order to accuse an innocent buyer of illegal content distribution, such a corruption is disclosed by the identification and arbitration protocol.
Proof. The basic lemma proves that the security tokens, such as pk X RA , E pk X RA (N), and S RA (pk X RA , E pk X RA (N)), generated by RA and associated to a valid purchase transaction registered by a node of BC, cannot be coherently corrupted by CP c to insert an arbitrary watermark into the content purchased by B without such a corruption being disclosed by running the identification and arbitration protocol. More precisely, the impossibility of corrupting the security tokens has been proved be the basic lemma independently of the corruption of the watermark to be inserted into X. In fact, the proof is mainly based on the general incapacity of CP c to alter or regenerate or reuse the tokens generated by RA for a given purchase transaction [22][23][24]. Therefore, the attempts of CP c to alter the tokens generated by RA can be always disclosed by running the identification and arbitration protocol, since such tokens either have been generated and employed during previous, valid purchase transactions by RA or are directly generated by CP c and so they cannot be registered in a node of BC.
The lemmas reported above prove that CP c cannot frame an innocent buyer, because every attempt to corrupt the security tokens that have to be registered in the nodes of BC is disclosed by the identification and arbitration protocol, and this prevents the watermarking protocol from adjudicating anybody to be a traitor.

B is Corrupt
Consider the execution of the proposed protocol when the involved parties are a corrupt buyer B c and an honest CP.
Suppose that B c contacts CP in order to buy the content X. B c receives the confirmation message m 4 from CP, which contains the following tokens: X d , T X , pk X RA , S RA (pk X RA , E pk X the tokens generated by CP during a purchase transaction causes the protection protocol to abort without releasing any protected content.
The lemmas reported above prove that the corrupt entity B c cannot cheat CP in order to release a piece of content not tied to any buyer, because every attempt to corrupt the tokens managed by the protection protocol is always disclosed by BC, which can thus abort the purchase transaction.

Implementation
The first prototype implementation of the proposed protocol is mainly based on the experiences documented in [22,24]. It consists of two parts.
The former comprises the same set of C++ separate programs that implement B, CP, RA, and J in [22,24]. The programs run on Linux operating system and communicate via TCP implemented by standard socket library. They implement the encryption/decryption and watermark insertion algorithms by exploiting the NTL library and the GNU Multi Precision Arithmetic library. In particular, watermark insertion is based on the "Quantization Index Modulation" algorithm [61] extended to the homomorphic cryptosystem proposed by Paillier [69] according to the main ideas reported in [9,63]. It follows the indications reported in [42], which successfully address a number of problems that tend to make watermark insertion directly into the encrypted domain inefficient. In this regard, in order to reduce both the number of encryptions and the operations performed on encrypted values, watermark insertion is carried out in the encrypted domain by exploiting the specific technique of the "composite signal representation" described in [42], also called "efficient composite embedding" [50].
The latter implements the blockchain BC according to the Figure 1. In particular, the blockchain can be classified as "public", with a fully decentralized architecture, and based on the classic "proof of work" consensus algorithm [27]. Furthermore, the nodes of the blockchain are implemented in Ethereum [70], whereas the smart contract employed by the proposed protocol is written in Solidity [71]. The performance of the proposed prototype implementation mainly depends on both the basic operations characterizing watermarking protocols and the overhead induced by the blockchain management. In fact, the former are the classic encryption/decryption and watermark insertion operations. Their performances are omitted because, as reported above, they are well documented by the results published in [22,24]. On the contrary, the latter depends on a number of factors, such as, for example, the Ethereum node implementation, the adopted consensus algorithm, and the number of nodes averagely involved in the blockchain, which are essentially independent of proposed watermarking protocol [28,29]. In this regard, it is worth noting that an Ethereum, public and decentralized blockchain, based on the "proof of work" consensus algorithm, is characterized by undoubted advantages, such as decentralization, lack of trusted third parties, and immutability [27][28][29], but it is also affected by low performance and efficiency levels caused by the time needed for propagating, processing, and validating the purchase transactions [72]. In fact, the higher the number of nodes participating in the blockchain is, the more limiting power consumption and block generation rate become. However, the main goals of the proposed protocols are to achieve high levels of robustness and security without reducing simplicity of the protection scheme. After all, it is not wrong to think that the proposed watermarking protocol will be able to take advantage of the next generation blockchains, which promise to achieve higher performance and efficiency levels, particularly in terms of power consumption, due the development of new consensus algorithms. Nevertheless, such performance aspects have not been investigated because they are out of the scope of this paper.

Conclusions
The main goal in developing the proposed protocol has been to simplify the basic interaction scheme that characterizes the previous protocols that adopt a "buyer friendly" and "mediated" design approach without compromising on their relevant achievements [22][23][24]. The solution has been found in the smart contracts to be exploited within the blockchain technology. In fact, a smart contract has been employed to simply validate the security tokens generated during purchase transactions and then published as immutable purchase information in the blocks maintained by the blockchain [27][28][29]31]. It has made it possible to avoid the direct involvement of a TTP in the protection scheme without forcing buyers to carry out complex actions to participate in the purchase transactions. In this way, the interaction scheme turns out to be simple while, at the same time, it strongly reduces the possibility of collusion actions among the parties participating in the protocol, thus making the protocol secure and suited to the current web context.
The proposed protocol also confirms the security achievements characterizing the previous similar protocols [22][23][24]: (1) CP keeps control on the content that it distributes on the Internet, since it never releases them in unprotected forms; (2) B is the only entity that gets access to the final watermarked contentX, and this makes it possible to trace back pirated copies ofX to B; (3) X is never released in a partially protected form, thus solving the specific problem arisen in the watermarking protocol proposed in [11] and discussed in [22,23]; (4) a suspected buyer is not required to cooperate in the "identification and arbitration protocol" to make appropriate adjudications.
Finally, it is worth noting that the adoption of blockchain technology represents a relevant step in the direction of secure and simplified buyer friendly and mediated watermarking protocols. Moreover, the performance achieved by the prototype implementation of the proposed protocol is overall good, even though it is penalised by the adopted consensus algorithm. However, this cannot be considered an actual problem, since next generations of blockchains will be able to implement improved algorithms and to provide better and better performances [73,74].
Funding: This research received no external funding.