Databases Reference
In-Depth Information
non-watermarked data) is
B
(
;
ηϑ,
0
.
5). The false hit is monotonic de-
creasing with both watermark insertion parameter
ϑ
and detection parameter
τ
. On the one hand, the larger the insertion parameter
ϑ
, the more MSBs are
included in the watermark and the smaller the false hit. On the other hand,
the false hit can be decreased by increasing the detection parameter
τ
,which
is the least fraction of watermark bits required for ownership assertion.
Since both the watermark key and the watermark are public in our scheme,
an attacker can pinpoint the MSBs of the watermarked values. A simple attack
would be to flip some of those MSBs so that the watermark detection will
detect no match. In the presence of this attack, the false miss rate is 1 if
no less than
ϑη
τηϑ
watermarked MSBs are flipped, the false miss rate
is 0 otherwise. To achieve the best robustness, one may choose
ϑ
=
ν
and
τ
−
τϑη
0
.
5. (However, this would increase the false hit rate.) In this extreme case,
approximately 50% of the data values would have to be intolerably modified
so as to defeat the watermark detection.
While watermark detection can be performed by anyone who has access
to the public watermark key, the ownership is proven by further checking the
corresponding watermark certificate. A watermark certificate
C
of relation
R
is a tuple
≈
ID,
K
,
HASH
(
W
)
,HASH
(
R
),
T,
DB-CA,
Sig
, where
ID
is the
identity of the owner of
R
,
is the owner's watermark key,
W
is the public
watermark,
T
is the validity information, DB-CA is the trusted authority who
signs the certificate by generating a signature
Sig
. The validity information
is a triple
T
=
K
indicating the original time
T
origin
when
the DB relation is first certified, the starting time
T
start
, and the ending time
T
end
of this certificate in the current binding. When the DB relation is certified
for the first time,
T
origin
should be the same as
T
start
. Compared with the
identity certificate or attribute certificate, the watermark certificate not only
has a validity period defined by
T
start
and
T
end
, but also contains the original
time
T
origin
.
The original time
T
origin
can be used to thwart additive attacks. We as-
sume that the owner of the data will not make the data available to potential
attackers unless the data is watermarked and a valid watermark certificate is
obtained. Even if an attacker manages to obtain a valid watermark certificate
with
T
origin
for pirated data, one always has
T
origin
<T
origin
by which the
legitimate ownership can be proven in the case of an ownership dispute. The
attacker's valid certificate should be ocially revoked after dispute resolution.
In certain cases such as identity change, ownership change, validity pe-
riod change, DB-CA compromise, and database update, an existing certificate
needs to be renewed, updated, or revoked. In these cases, the original time
T
origin
must be kept unchanged in the renewed or updated certificates. To
ensure that a watermark certificate is valid in proving the ownership, the re-
vocation information of watermark certificates must be checked in an effective
and ecient manner (e.g., using certificate revocation status [18]).
T
origin
,T
start
,T
end
