6.2.1. CP is Corrupt

Consider the execution of the proposed protocol when a corrupt party $\mathrm{CP}^c$ and an honest B are involved.

B chooses the content $X$ and communicates the wish to buy it to $\mathrm{CP}^c$. $\mathrm{CP}^c$ interacts with RA and obtains $pk^X_{\mathrm{RA}}$ and $\mathrm{E}_{pk^X_{\mathrm{RA}}}(N)$. During this preliminary phase, no corrupting actions may occur.

**Lemma 1** (Basic Lemma)**.** *Under the basic assumptions reported in Section 6.1, if* $\mathrm{CP}^c$ *tries to embed a corrupt watermark* $W^c$ *into* $X$ *in order to accuse an innocent buyer of illegal content distribution, such a corruption is disclosed by running the identification and arbitration protocol.*

**Proof.** Since the watermark $W$ is composed of $N$ and $W_{\mathrm{CP}}$ (see Expression (1)), $\mathrm{CP}^c$ can embed a corrupt watermark into $X$ only if it can corrupt the part $N$ of $W$. Therefore, consider the case in which $\mathrm{CP}^c$ wants to embed a corrupt $N^c$ into the content $X$ purchased by B. To achieve such a goal, $\mathrm{CP}^c$ has to be able to:


The former condition is needed because B obtains the final and protected version of the purchased content $\bar{X}$ by decrypting the content $\mathrm{E}_{pk^X_{\mathrm{RA}}}(X)$ with the secret key received from RA in the message $m_{10}$ (see Table 2), according to Expression (3). This also means that, if $\mathrm{CP}^c$ wants to use a corrupt key $pk^{X^c}_{\mathrm{RA}}$ to encrypt the nonce $N^c$, it also has to control the corresponding secret key sent by RA to B in the message $m_{10}$, which necessarily has to become $sk^{X^c}_{\mathrm{RA}}$.

The latter condition implies that $\mathrm{CP}^c$ can obtain or generate a valid and verifiable signature $\mathrm{S}_{\mathrm{RA}}(pk^X_{\mathrm{RA}}, \mathrm{E}_{pk^X_{\mathrm{RA}}}(N^c))$ on the corrupt token $\mathrm{E}_{pk^X_{\mathrm{RA}}}(N^c)$. Furthermore, if $\mathrm{CP}^c$ decides to also employ a corrupt key $pk^{X^c}_{\mathrm{RA}}$ to encrypt $N^c$, then the corrupt signature to obtain or generate becomes $\mathrm{S}_{\mathrm{RA}}(pk^{X^c}_{\mathrm{RA}}, \mathrm{E}_{pk^{X^c}_{\mathrm{RA}}}(N^c))$.

In this regard, it is worth noting that, under the assumptions reported in Section 6.1, $\mathrm{CP}^c$ cannot generate a valid signature $\mathrm{S}_{\mathrm{RA}}(\ldots)$ on corrupt tokens. This means that $\mathrm{CP}^c$ cannot choose an arbitrary nonce $N^c$ or key pair $(pk^{X^c}_{\mathrm{RA}}, sk^{X^c}_{\mathrm{RA}})$ to conduct a purchase transaction, but it could only attempt to reuse tokens generated by RA in previous purchase transactions. However, the following considerations have to be taken into account:


the tokens received in the messages $m_6$ and $m_7$, and generates a new node in the blockchain only if the tokens turn out to be consistent.

4. For the same reason reported at the previous point, if $\mathrm{CP}^c$ receives the encrypted nonce $\mathrm{E}_{pk^X_{\mathrm{RA}}}(N)$ from RA in the message $m_3$ and forwards the corrupt nonce $\mathrm{E}_{pk^X_{\mathrm{RA}}}(N^c)$ to BC in the message $m_6$, the nonce exchange is always disclosed by BC unless $\mathrm{CP}^c$ generates a valid signature $\mathrm{S}_{\mathrm{RA}}(pk^X_{\mathrm{RA}}, \mathrm{E}_{pk^X_{\mathrm{RA}}}(N^c))$, which, as reported above, is impossible.

Therefore, suppose that B starts a purchase transaction and that $\mathrm{CP}^c$ receives the message $m_3$ containing $pk^X_{\mathrm{RA}}$, $\mathrm{E}_{pk^X_{\mathrm{RA}}}(N)$, and $\mathrm{S}_{\mathrm{RA}}(pk^X_{\mathrm{RA}}, \mathrm{E}_{pk^X_{\mathrm{RA}}}(N))$ (see Table 2). Suppose also that $\mathrm{CP}^c$ inserts a corrupt watermark $W^c = W_{\mathrm{CP}} \| N^c$ into the content $X$, thus creating the protected copy $\bar{X}^c$, and suppose that $\bar{X}^c$ is found in the market. $\mathrm{CP}^c$ starts the identification and arbitration protocol by extracting the watermark $W^c$ from $\bar{X}^c$ and by sending to J all the tokens existing in its databases and associated with $W^c$, according to what is reported in Section 5.2.

Suppose that $\mathrm{CP}^c$ wants to cheat J in order to accuse a buyer of illegal content distribution. To achieve such a goal, $\mathrm{CP}^c$ has to send to J, among others, the following corrupt tokens: $pk^X_{\mathrm{RA}}$, $\mathrm{E}_{pk^X_{\mathrm{RA}}}(N^c)$, $\mathrm{S}_{\mathrm{RA}}(pk^X_{\mathrm{RA}}, \mathrm{E}_{pk^X_{\mathrm{RA}}}(N^c))$, and $\mathrm{E}_{pk_{\mathrm{RA}}}(B_{id}, pk^X_{\mathrm{RA}}, \mathrm{E}_{pk^X_{\mathrm{RA}}}(N^c))$ (see Table 3), which all have to be coherent with $N^c$. However, according to what is reported above and under the assumptions of Section 6.1, the following constraints have to be considered:


As a consequence, if $\mathrm{CP}^c$ attempts to accuse an innocent buyer of illegal content distribution by generating corrupt tokens coherent with the corrupt watermark $W^c = W_{\mathrm{CP}} \| N^c$ embedded into the content $X^c$ found in the market, the attempt ends up being revealed by the execution of the identification and arbitration protocol, and this prevents the protocol from adjudicating anybody to be a traitor.

**Lemma 2.** *Under the assumptions reported in Section 6.1, if* $\mathrm{CP}^c$ *tries to alter the tokens that are managed during the protection phase in order to accuse an innocent buyer of illegal content distribution, such a corruption is disclosed by the identification and arbitration protocol.*

**Proof.** The basic lemma proves that the security tokens, such as $pk^X_{\mathrm{RA}}$, $\mathrm{E}_{pk^X_{\mathrm{RA}}}(N)$, and $\mathrm{S}_{\mathrm{RA}}(pk^X_{\mathrm{RA}}, \mathrm{E}_{pk^X_{\mathrm{RA}}}(N))$, generated by RA and associated with a valid purchase transaction registered by a node of BC, cannot be coherently corrupted by $\mathrm{CP}^c$ to insert an arbitrary watermark into the content purchased by B without such a corruption being disclosed by running the identification and arbitration protocol. More precisely, the impossibility of corrupting the security tokens has been proved by the basic lemma independently of the corruption of the watermark to be inserted into $X$. In fact, the proof is mainly based on the general incapacity of $\mathrm{CP}^c$ to alter, regenerate, or reuse the tokens generated by RA for a given purchase transaction [22–24]. Therefore, the attempts of $\mathrm{CP}^c$ to alter the tokens generated by RA can always be disclosed by running the identification and arbitration protocol, since such tokens either have been generated and employed during previous, valid purchase transactions by RA or are directly generated by $\mathrm{CP}^c$ and so they cannot be registered in a node of BC.

The lemmas reported above prove that $\mathrm{CP}^c$ cannot frame an innocent buyer, because every attempt to corrupt the security tokens that have to be registered in the nodes of BC is disclosed by the identification and arbitration protocol, and this prevents the watermarking protocol from adjudicating anybody to be a traitor.
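The BC-side check that the proof of the basic lemma relies on can be sketched as follows; this is an added Python example, not code from the paper. Assumptions: a toy textbook-RSA key stands in for RA's signature scheme, the messages $m_6$ (from CP) and $m_7$ (assumed to reach BC from a party other than CP) are each modelled as a tuple `(pk_x, enc_nonce, sig)`, and all token byte strings are constructed placeholders.

```python
import hashlib

# Toy textbook-RSA key standing in for RA's signing key (constructed from two
# Mersenne primes; far too small for real use, illustration only).
_P, _Q, RA_E = 2**61 - 1, 2**89 - 1, 65537
RA_N = _P * _Q
_RA_D = pow(RA_E, -1, (_P - 1) * (_Q - 1))  # private exponent, known to RA only

def _digest(pk_x: bytes, enc_nonce: bytes) -> int:
    # Length-prefix both fields so the signed pair cannot be re-split.
    data = b"".join(len(f).to_bytes(4, "big") + f for f in (pk_x, enc_nonce))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % RA_N

def ra_sign(pk_x: bytes, enc_nonce: bytes) -> int:
    """S_RA(pk_x, E(N)): only RA holds _RA_D."""
    return pow(_digest(pk_x, enc_nonce), _RA_D, RA_N)

def ra_verify(pk_x: bytes, enc_nonce: bytes, sig: int) -> bool:
    return 0 <= sig < RA_N and pow(sig, RA_E, RA_N) == _digest(pk_x, enc_nonce)

def bc_register(ledger: list, m6: tuple, m7: tuple) -> str:
    """BC's check: append a node only for RA-signed, mutually consistent tokens.
    Assumed layout of m6 (from CP) and m7 (not from CP): (pk_x, enc_nonce, sig)."""
    for name, msg in (("m6", m6), ("m7", m7)):
        if not ra_verify(*msg):
            return f"rejected: S_RA invalid in {name}"
    if m6 != m7:
        return "rejected: m6 and m7 inconsistent"
    ledger.append(m6)
    return "registered"

def demo() -> dict:
    # Constructed sample tokens; the byte strings are opaque placeholders.
    pk, enc_n, enc_nc = b"pk_X_RA", b"E(N)", b"E(N^c)"
    good = (pk, enc_n, ra_sign(pk, enc_n))
    old_pk, old_enc = b"pk_X_RA-old", b"E(N-old)"
    old = (old_pk, old_enc, ra_sign(old_pk, old_enc))  # earlier transaction
    ledger: list = []
    return {
        "honest": bc_register(ledger, good, good),
        # CP swaps the nonce but can only attach RA's signature over E(N).
        "swapped_nonce": bc_register(ledger, (pk, enc_nc, good[2]), good),
        # CP replays a fully valid triple from a previous purchase.
        "reused_tokens": bc_register(ledger, old, good),
        "nodes": len(ledger),
    }
```

Only the honest run adds a node: the swapped nonce fails signature verification, and the replayed triple verifies but does not match the tokens of the current transaction.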
