Joe Kilian

Secure spread spectrum watermarking for multimedia

This paper presents a secure (tamper-resistant) algorithm for watermarking images, and a methodology for digital watermarking that may be generalized to audio, video, and multimedia data. We advocate that a watermark should be constructed as an independent and identically distributed (i.i.d.) Gaussian random vector that is imperceptibly inserted in a spread-spectrum-like fashion into the perceptually most significant spectral components of the data. We argue that insertion of a watermark under this regime makes the watermark robust to signal processing operations (such as lossy compression, filtering, digital-analog and analog-digital conversion, requantization, etc.), and common geometric transformations (such as cropping, scaling, translation, and rotation) provided that the original image is available and that it can be successfully registered against the transformed watermarked image. In these cases, the watermark detector unambiguously identifies the owner. Further, the use of Gaussian noise, ensures strong resilience to multiple-document, or collusional, attacks. Experimental results are provided to support these claims, along with an exposition of pending open problems.

Founding crytpography on oblivious transfer

Suppose your netmail is being erratically censored by Captain Yossarian. Whenever you send a message, he censors each bit of the message with probability 1/2, replacing each censored bit by some reserved character. Well versed in such concepts as redundancy, this is no real problem to you. The question is, can it actually be turned around and used to your advantage? We answer this question strongly in the affirmative. We show that this protocol, more commonly known as oblivious transfer, can be used to simulate a more sophisticated protocol, known as oblivious circuit evaluation([Y]). We also show that with such a communication channel, one can have completely noninteractive zero-knowledge proofs of statements in NP. These results do not use any complexity-theoretic assumptions. We can show that they have applications to a variety of models in which oblivious transfer can be done.

The Security of the Cipher Block Chaining Message Authentication Code

Let F be some block cipher (eg., DES) with block length l. The cipher block chaining message authentication code (CBC MAC) specifies that an m-block message x=x1?xm be authenticated among parties who share a secret key a for the block cipher by tagging x with a prefix of ym, where y0=0l and yi=Fa(mi?yi?1) for i=1, 2, ?, m. This method is a pervasively used international and U.S. standard. We provide its first formal justification, showing the following general lemma: cipher block chaining a pseudorandom function yields a pseudorandom function. Underlying our results is a technical lemma of independent interest, bounding the success probability of a computationally unbounded adversary in distinguishing between a random ml-bit to l-bit function and the CBC MAC of a random l-bit to l-bit function.

A Secure, Robust Watermark for Multimedia

We describe a digital watermarking method for use in audio, image, video and multimedia data. We argue that a watermark must be placed in perceptually significant components of a signal if it is to be robust to common signal distortions and malicious attack. However, it is well known that modification of these components can lead to perceptual degradation of the signal. To avoid this, we propose to insert a watermark into the spectral components of the data using techniques analogous to spread sprectrum communications, hiding a narrow band signal in a wideband channel that is the data. The watermark is difficult for an attacker to remove, even when several individuals conspire together with independently watermarked copies of the data. It is also robust to common signal and geometric distortions such as digital-to-analog and analog-to-digital conversion, resampling, and requantization, including dithering and recompression and rotation, translation, cropping and scaling. The same digital watermarking algorithm can be applied to all three media under consideration with only minor modifications, making it especially appropriate for multimedia products. Retrieval of the watermark unambiguously identifies the owner, and the watermark can be constructed to make counterfeiting almost impossible. Experimental results are presented to support these claims.

Zero Knowledge and the Chromatic Number

We present a new technique, inspired by zero-knowledge proof systems, for proving lower bounds on approximating the chromatic number of a graph. To illustrate this technique we present simple reductions frommax-3-coloringandmax-3-sat, showing that it is hard to approximate the chromatic number within?(N?) for some?>0. We then apply our technique in conjunction with the probabilistically checkable proofs of Hastad and show that it is hard to approximate the chromatic number to within?(N1??) for any?>0, assuming NP?ZPP. Here, ZPP denotes the class of languages decidable by a random expected polynomial-time algorithm that makes no errors. Our result matches (up to low order terms) the known gap for approximating the size of the largest independent set. PreviousO(N?) gaps for approximating the chromatic number (such as those by Lund and Yannakakis, and by Furer) did not match the gap for independent set nor extend beyond?(N1/2??).

Multi-prover interactive proofs: how to remove intractability assumptions

Quite complex cryptographic machinery has been developed based on the assumption that one-way functions exist, yet we know of only a few possible such candidates. It is important at this time to find alternative foundations to the design of secure cryptography. We introduce a new model of generalized interactive proofs as a step in this direction. We prove that all NP languages have perfect zero-knowledge proof-systems in this model, without making any intractability assumptions. The generalized interactive-proof model consists of two computationally unbounded and untrusted provers, rather than one, who jointly agree on a strategy to convince the verifier of the truth of an assertion and then engage in a polynomial number of message exchanges with the verifier in their attempt to do so. To believe the validity of the assertion, the verifier must make sure that the two provers can not communicate with each other during the course of the proof process. Thus, the complexity assumptions made in previous work, have been traded for a physical separation between the two provers. We call this new model the multi-prover interactive-proof model, and examine its properties and applicability to cryptography.

The Security of Cipher Block Chaining

The Cipher Block Chaining - Message Authentication Code (CBC MAC) specifies that a, message x = x1 ... xm be authenticated among parties who share a secret key a by tagging x with a prefix of fa(m)(x) def = fa(fa(... fa(fa(x1)?x2)?...?xm-1)?xm), where f is some underlying block cipher (eg. f = DES). This method is a pervasively used international and U.S. standard. We provide its first formal justification, showing the following general lemma: that cipher block chaining a pseudorandom function gives a pseudorandom function. Underlying our results is a technical lemma of independent interest, bounding the success probability of a computationally unbounded adversary in distinguishing between a random ml-bit to l-bit function and the CBC MAC of a random l-bit to l-bit function.

Extending Oblivious Transfers Efficiently

We consider the problem of extending oblivious transfers: Given a small number of oblivious transfers “for free,” can one implement a large number of oblivious transfers? Beaver has shown how to extend oblivious transfers given a one-way function. However, this protocol is inefficient in practice, in part due to its non-black-box use of the underlying one-way function.

A note on efficient zero-knowledge proofs and arguments (extended abstract)

In this note, we present new zero-knowledge interactive proofs and arguments for languages in <italic>NP</italic>. To show that <italic>x ε L</italic>, with an error probability of at most 2<supscrpt>-<italic>k</italic></supscrpt>, our zero-knowledge proof system requires <italic>O</italic>(|<italic>x</italic>|<supscrpt><italic>c</italic><subscrpt>1</subscrpt></supscrpt>)+<italic>O</italic>(lg<supscrpt><italic>c</italic><subscrpt>2</subscrpt></supscrpt>|<italic>x</italic>|)<italic>k</italic> ideal bit commitments, where <italic>c</italic><subscrpt>1</subscrpt> and <italic>c</italic><subscrpt>2</subscrpt> depend only on <italic>L</italic>. This construction is the first in the ideal bit commitment model that achieves large values of <italic>k</italic> more efficiently than by running <italic>k</italic> independent iterations of the base interactive proof system. Under suitable complexity assumptions, we exhibit zero knowledge arguments that require <italic>O</italic>(lg<supscrpt>c</supscrpt>|<italic>x</italic>|<italic>kl</italic> bits of communication, where <italic>c</italic> depends only on <italic>L</italic>, and <italic>l</italic> is the security parameter for the prover. This is the first construction in which the total amount of communication can be less than that needed to transmit the <italic>NP</italic> witness. Our protocols are based on efficiently checkable proofs for <italic>NP</italic>[4].

Achieving oblivious transfer using weakened security assumptions

The authors present some general techniques for establishing the cryptographic strength of a wide variety of games. As case studies, they analyze some weakened versions of the standard forms of oblivious transfer. They also consider variants of oblivious transfer that are motivated by coding theory and physics. Among their results, they show that a noisy telephone line is in fact a very sophisticated cryptographic device. They also present an application to quantum cryptography.<<ETX>>