Future Generation Computer Systems 89 (2018) 746–764

Contents lists available at ScienceDirect

Future Generation Computer Systems

journal homepage: www.elsevier.com/locate/fgcs

Blockchain for digital rights management

Zhaofeng Ma a,b, *, Ming Jiang c , Hongmin Gao a,b , Zhen Wang a,b
a
School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China
b
Information Security Center, Beijing University of Posts and Telecommunications, Beijing 100876, China
c
The Third Research Institute of China Electronics Technology Group Corporation, 100015, Beijing, China

highlights

• We proposed a new trusted model DRMChain for digital rights management based on blockchain.
• The DRMChain builds up an external flexible storage and internal blocks creation architecture.
• The DRMChain provides a DRM-protected scheme supporting for identity and privacy protection.
• The DRMChain innovates a violation tracing approach with conditional identity management.

article info a b s t r a c t
Article history: Online digital content service becomes more and more easily, however, free consumption and excessive
Received 25 January 2018 spreading without rights protection will hurt the content providers’ benefits and causes business loss,
Received in revised form 10 July 2018 another problem is once the content provider supply illegal or politically sensitive content such as
Accepted 14 July 2018
terroristic opinion or multimedia content, it will cause serious social problem such as fright or social
Available online 23 July 2018
crisis. To solve this problem, in this paper we proposed a blockchain-based scheme for digital rights
management(named DRMChain), which supports the right content serves the right users in a right
Keywords:
Digital rights management way, the DRMChain can provide trusted and high-level credible content protection and conditional
Blockchain traceability of violation content service. In the proposed DRMChain, we use two isolated blockchain
Content protection application interfaces (BAI) to respectively store plain and cipher summary information of original and
Privacy protection DRM-protected digital content, and considering large capacity of digital content such as image, audio
Conditional tracing or video, we proposed external flexible storage of plain/cipher digital content and creates hashID of the
Violation checkout content itself and links with the blockchain. In DRMChain scheme, we named the BAI plain interface as
BAIP for summary metadata storage of original content, and the BAI cipher interface as BAIC for DRM-
protected content service. In the DRMChain scheme we proposed efficient and secure authentication,
privacy protection and multi-signature-based conditional traceability approaches, and thus the DRM
license, usage control and constrain information can be easily retrieved form the blockchain, and customs
can query all the consumption transaction lists of free or paid consumption history to prevent baleful
fee-deduction. Analysis and performance evaluation manifest the DRMChain scheme provides a reliable,
secure, efficient and tamper-resistance digital content service and DRM practice.
© 2018 Elsevier B.V. All rights reserved.

1. Introduction solutions to prevent the data being stolen or being illegally used,
and together should enhance the usage control of content access.
Digital content consumption is now becoming popular, more In fact, digital rights management [5–9] is an important technol-
and more people often visit and watch videos or images resource
ogy for content protection of rights holder’s profits or business
through web browser or mobile App-based software. However
illegal content usage (such as illegal download and spread the stakeholder [1–3,6,9], upon which many institutes and researchers
right-reserved content) may do harm to content providers, or paid much attention and do more research work on DRM [1–5,10–
hurt the right-holder’s business stakeholder [1–4], upon the value- 20], however, current DRM technologies such Windows DRM,
added content or business data, it is necessary to use technique
Silverlight, RealNetworks, Flash AIR, Apple HLS DRM focused on
content encryption and license management, however it is obvi-
* Corresponding author at: School of Cyberspace Security, Beijing University of
Posts and Telecommunications, Beijing 100876, China.
ously lack of original content management violation checking and
E-mail address: mzf@bupt.edu.cn (Z. Ma). tracing of the one who should responsible for the violation [12–16].

https://doi.org/10.1016/j.future.2018.07.029
0167-739X/© 2018 Elsevier B.V. All rights reserved.
 Z. Ma et al. / Future Generation Computer Systems 89 (2018) 746–764 747

Upon the above problems, new DRM architecture should re- 2. DRM requirement and suitability
quire efficient and reliable technologies that can provide cred-
itable, tamper-resistant and high-level secure and flexible support- 2.1. DRM security requirement
ing [1–6]. Fortunately, blockchain is a decentralized, reliable and
secure computing paradigm in P2P network environment [21–24],
which provides distributed ledger technology (DLT) that store the In traditional case, DRM only considers how to protect the con-
completed blocks in chronological order with tamper-resistance tent from being illegally used such as consumed the content with-
and security, it allows participants to keep track of digital transac- out licensing or payment, however once the content is encrypted,
tions without central recordkeeping, Each node holds a copy of the it gets difficult to audit the content especially when the content
blockchain downloaded automatically, the record’s authenticity include illegal, sexual or bloodcurdling material. In this paper,
can be verified by the entire community using the blockchain we proposed new paradigm of the DRM for content protection in
instead of a single centralized system [25–28]. Blockchain can be an open and credible platform for DRM services such as provide
applied for IT asset management and supply chain management, content consumption, licensing purchase rather than in a private
trademarks copyrights protection, credit certificate proof [29– website. The new security and requirements include: (1) content
40]. The most famous and successful practice and applications of verifiability and tamper-resistance, (2) identity management and
blockchain are Bitcoin [21,22], Ethereum [23], Hyperledger [24] privacy protection of content provider, (3) Content protection, (4)
et al. Usage control, (5) Licensing, (6) Violation tracking.
As for recent research on blockchain [21–40], Wright A. sum-
marized decentralized blockchain technology and in the future
creation of the Internet, which has the potential to decentralize 2.1.1. Content verifiability and tamper-resistance
data management [34]. Zyskind G. proposed decentralizing pri- Before the content is uploaded the open and credible content
vacy protection method which used blockchain to protect personal platform, the content platform requires that the content source
data [35]. Kosba A. E. [36] studied blockchain model of cryptog- is verifiable and content is auditable and can find who should
raphy and privacy-preserving using smart contracts, in which a responsible for the content once the content is viewed as illegal
decentralized smart contract system that does not store financial that is the content is verifiable for auditing. Once the content is
transactions in the clear on the blockchain, thus retaining transac- uploaded in the open platform it should be stored as evidence and
tional privacy from the public’s view. Ao Lei [37] et al. proposed a should be tamper-resistant.
framework for providing secure key management within the het-
erogeneous network. The security managers (SMs) play a key role
2.1.2. Identity management and privacy protection
in the framework by capturing the vehicle departure information,
A good DRM scheme should have the attributes that can ensure
encapsulating block to transport keys and then executing rekey-
ing to vehicles within the same security domain. M Vukolić [38] the user’s privacy, and meanwhile can identify the user when
studied scalable blockchain fabric which compared the consensus he/she uploads or spreads illegal, ethical or political-related con-
Proof-of-Work vs. BFT Replication, and also discuss recent propos- tent. And together it is important to prevent the internal adminis-
als to overcoming these scalability limits and outline key outstand- trator from leaking users’ identity data or privacy.
ing open problems in the quest for the ‘‘ultimate’’ blockchain fab-
ric(s). Ali Dorri et al. [39] studied blockChain from cryptocurrencies
2.1.3. Content protection
to smart contracts, and then propose a blockchain-based architec-
Before the content provides service to public, it is necessary
ture to protect the privacy of the users and to increase the security
to protect the content from being freely used or spread, content
of the vehicular ecosystem. Remo Manuel Frey et al. [40] focused
encryption [1–4] is used to prevent the media being freely used,
on the effect of a blockchain-supported, privacy-preserving system
and watermarking [10–15] is usually adopted for content right
on disclosure of personal data from a psychological perspective.
tracing or confirmation.
To solve the security and reliability of the digital rights man-
agement, in this paper we proposed a blockchain-based scheme for
digital rights management (named DRMChain), which supports the 2.1.4. Usage control
right content serves the right users in a right way, the DRMChain Once the content is protected by encryption or watermarking
can provide trusted and high-level credible content protection approach, it should include abundant usage control rules such as
and conditional traceability of violation content service. In the constraints and conditions for content consumption.
proposed DRMChain, we use two isolated blockchain application
interfaces (BAI) to respectively store plain and cipher summary
information of original and DRM-protected digital content, and 2.1.5. DRM licensing
considering large capacity of digital content such as image, audio or When public users consume the protected content, he/she first
video, we proposed external flexible storage of plain/cipher digital buy or get its license for usage such as reading, listening, or playing
content and creates hashID of the content itself and links with the the content. The license declares the basic rights such as usage
blockchain, in which the DRMChain has the following advantages times, period, domain, rental, translation or compilation, or water-
and novelty: mark that defined the ownership of the content.
(1) We proposed a new trusted model DRMChain for digital
rights management based on blockchain.
(2) The DRMChain builds up an external flexible storage and 2.1.6. Violation tracking
internal blocks creation architecture. During the consumption, when the content is considered in-
(3) The DRMChain provides a DRM-protected scheme support- cluding illegal ownership violation or the content including sen-
ing for identity and privacy protection. sitive information or opinion or illegal data, thus the platform ad-
(4) The DRMChain innovates a violation tracing approach with ministrator then can track who should responsible for the content
conditional identity management. and trace the identity of the content provider.
748 Z. Ma et al. / Future Generation Computer Systems 89 (2018) 746–764

Table 1
Comparison of different blockchains.
Item Public blockchain Consortium blockchain Private blockchain

Topology

User range All public peer can join in the public Node Only Authorized Organization or team can Only authorized private peer such as an
join in the Consortium P2P Blockchain enterprise or organization can access the
Network. network.
Node rights All public peer has the equal rights such as All the operation such as write, read and The access and behavior is only open the
read, write, execute. query must obey the access control policy. private node.
Attribution The public peer can access the blockchain The consortium blockchain can support Private rights and high security, but limited
anonymously and the data and info are real identity and behavior and data usage value.
public to all auditing (AML/KYC).
Trans rate (times/s) 7–15 1000 More than 1000

2.2. Blockchain suitability for DRM application interfaces (BAI) to respectively store plain and cipher
summary information of original and DRM-protected digital con-
As for the blockchain classification [27–35], there are public tent, and considering large capacity of digital content such as
blockchain, consortium blockchain and private blockchain. The image, audio or video, we proposed external flexible storage of
comparison of each blockchain is listed in Table 1. Upon the digital plain/cipher digital content and creates hashID of the content itself
rights management requirement, considering the large capacity and links with the blockchain. In DRMChain scheme, we named
of multimedia content storage such as image, audio or video, the the BAI plain interface as BAIP for summary metadata storage of
suitable framework of the blockchain is ‘‘building up blocks in original content, and the BAI cipher interface as BAIC for DRM-
internal blockchain platform, but storing the content itself in ex- protected content service. In the DRMChain scheme we proposed
ternal database’’. The DRMChain scheme proposed efficient and se- efficient and secure authentication, privacy protection and multi-
cure authentication, privacy protection and multi-signature-based signature-based conditional traceability approaches, and thus the
conditional traceability approaches, and thus the DRM license, DRM license, usage control and constrain information can be easily
usage control and constrain information can be easily retrieved retrieved form the blockchain, and customs can query all the
form the blockchain, and customs can query all the consumption consumption transaction lists of free or paid consumption history
transaction lists of free or paid consumption history. to prevent baleful fee-deduction. We implemented the DRMChain
Upon the digital rights management requirement, the platform for digital right management in the based on Ethereum
blockchain should only be used for authorized or multipart admin- and IPFS P2P storage, performance evaluations manifest the DRM-
istrator to manage the content in a credible and tamper-resistant Chain is reliable, secure, efficient and tamper-resistance with high-
mode, which can provide trusted content violation traceability, level credibility, in which the authorization users can upload their
in which the reading, writing or auditing operation must obey right-reserved digital content, but once the content is suspected il-
the access control policy. Thus according to the above analysis in legal or rights infringement, the DRMChain can trace and checkout
this paper we select consortium blockchain for the digital rights the violation content and provider user, the DRMChain provides a
management, which is used to store the original content source for reliable and tamper-resistant DRM practice and can apply in many
tamper-resistant evidence and violation tracing, then the content fields. Analysis and performance evaluation manifest the DRM-
itself, the content ownership, rights holder, content obligation, Chain scheme provides a reliable, secure, efficient and tamper-
constraints, obligation and security requirements can be included resistance digital content service and DRM practice.
in the consortium blockchain for detailed and authorization oper-
ation. 3.2. The DRMChain trusted model

3. DRMChain: blockchain-based scheme for digital rights man- 3.2.1. The DRMChain external IPFS storage
agement In the DRMChain scheme, before the content is provided for
business consumption, the content provides original metadata
3.1. The proposed DRMChain scheme plaintext data, and stores the metadata in blockchain p2p network,
which is strictly limited for access or data obtain, which will be
In this paper we proposed a blockchain-based scheme for digital the original content as raw data for DRM processing and original
rights management (named DRMChain), which supports the right evidence for possible auditing and checking. The most important
digital rights-protected content serves the right users in a right advantage of the proposed scheme is to adopt blockchain for
way, the RightChain can provide trusted and high-level credible sensitive and tamper-resistant data storage, once the data was
content protection and conditional traceability of violation content storage into the blockchain it will permanently be stored in the
service. In the proposed DRMChain, we use two isolated blockchain P2P network and cannot modified or delete, which can provide
 Z. Ma et al. / Future Generation Computer Systems 89 (2018) 746–764 749

Fig. 1. The DRMChain trusted model.

strong and high level reliability and security. Even some blockchain 3.3.2. Content protection processing for DRM service
nodes deliberately announced or the nodes truly corrupted, the To ensure the security and availability of the data encryption
other nodes can provide strong and trusted service for evidences and authentication of scheme, we proposed efficient key agree-
and business-related service. While the large amount data can be ment protocol for secure communication between client users and
stored in external IPFS, and the DRMChain platform can provide blockchain nodes in DRMChain, and develop a mater/slavery key
trusted and tamper-resistance transaction data confirmation with management for content encryption. Before providing content ser-
unique block number and transactionID, by which user can query vice for consumption, the DRMChain scheme encrypts the content,
the transaction data by block number, block hash, transaction and then provides policy configuration, license management, and
hash in the blockchain platform, and by the IPFS hashID user usage control for independent users. Then public customers can
can query content summary, creationRecord, ContentRight, and get the ciphered content and achieves the DRM services from the
identity information in external IPFS, The DRMChain trusted model DRMChain platform for business benefits.
is described as Fig. 1.
3.3.3. Violation tracing
3.2.2. The DRMChain blockchain platform Once the content provider supplies illegal or politically sen-
For the constraint of the amount of multimedia content, it is not sitive content such as terroristic opinion or multimedia content,
the DRMChain will trace the content source and check the original
suitable for store full multimedia content in the blockchain plat-
content, and identifies the real identity and deals with the content,
form in the DRMChain scheme, the original plain content is hashed
and give corresponding punishment according to the violation
and stored in the DRMChain external IPFS p2p network, which
level, such as delete the DRM service content, or forbidden the
can retrieve all the original information of the digital content,
content provider from upload content again, or close the content
and the DRM-protected information is stored information in the
provider’s account for service.
DRMChain external IPFS network, which can provide DRM service
and security management, both of the original plain content and
4. Security infrastructure of DRMChain
DRM-protected content are respectively related by the content
hashID, and linked with the hashID, the content summary can be 4.1. The elliptic curve cryptosystems [41–43]
stored in the blockchain for permanent, reliable and secure data
service. An elliptic curve E defined over Fq is a set of points P = (xp , yp )
where xp and yp are elements of Fq that satisfy a certain equation,
3.3. The DRMChain external ipfs DRM if q = p is an odd prime and p >3, then a and b shall satisfy
4a3 + 27b2 ̸ = 0(mod p), and every point P = (xp , yp ) on E (other
3.3.1. DRMChain identity and privacy management than the point 2) shall satisfy the equation in Fp : yp 2 = xp 3 + axp + b.
To protect the core privilege and rights of content provider, and For further background of the case that q = 2m and other details
for possible violation in future usage and service, the DRMChain on elliptic curves, see [41–43].
scheme require effective and verifiable identity authentication, Supposing that GF(p) is a finite field with characters p ̸ = 2,3,
and collect basic and critical information of content provider. In for a, b ∈ GF(P) where 4a3 + 27b2 ̸ = 0 (mod p). Elliptic Curve
another side, because the scheme collects content provider’s iden- E(a,b) (GF(p)) in GF(p) is defined as the point set (x,y) ∈ GF(p) ×
tity information, in the proposed DRMChain, we proposed an entire GF(p) that satisfies the equation y2 = x3 + ax + b, where the
and secure approach to protect user’s privacy. infinite point O is included in E(a,b) (GF(p)). All points in GF(p) is an
750 Z. Ma et al. / Future Generation Computer Systems 89 (2018) 746–764

Abelian group, where the identical element is O. Supposing P and Compressed base point G:
Q are points in E(a,b) (GF(p)), if P = O, then −P = O, P + (−P) = O;
G = 02 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB
denote P = (x1 , y1 ), Q(x2 , Y2 ), then −P = (x1 , y1 ), and P +(−P) = O,
if Q ̸ = −P, P + Q = (x3 , y3 ), where P + Q = (x3 , y3 ) 2DCE28D9 59F2815B 16F81798

x 3 = u2 − x 1 − x 2 (1) Non-compressed base point G:

y3 = u(x1 − x3 ) − y1 (2) G = 04 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB
⎧y − y
2 1 2DCE28D9 59F2815B 16F81798 483ADA77 26A3C465
⎪
⎨ P ̸= Q
x2 − x1 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F
u= 2 (3)
⎩ 3x1 + a P = Q
⎪ FB10D4B8
2y1
The order of G:

4.2. Elliptic curve parameter n = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6

AF48A03B BFD25E8C D0364141
Elliptic curve domain parameters over Fp consists of the follow-
Co-factor:
ing parameters:
(1) A field size q = p that defines the underlying finite field Fq , h = 01
where p > 3 should be a prime.
(2) If the elliptic curve was randomly generated, a bit string
4.5. Blockchain consensus mechanism
SEED with length at least 160 bits is needed (this is the Optional
parameters).
The main consensus mechanisms include proof of work (PoW),
(3) Two field parameters a and b in Fq which is used to define
proof of stack (PoS), distributed POS (DPoS) and practical Byzan-
the equation of the elliptic curve E:
tine Fault Tolerance (PBFT), other consensus mechanisms include
Paxos, Raft, and Ripple, which can satisfy different applications of
y2 = x3 + ax + b (4)
blockchain scenes.
(4) A point G = (xG , yG ) of prime order on E, where G ̸ = 0 is a
must condition. 5. Blockchain-based DRM data management
(5) The order n of the point G, should be satisfied n > 2160 and
√
n > 4 q; In the DRMChain scheme, the original DRM metadata include
(6) The cofactor h = #E (Fq )/n is an optional parameter. 3 kinds of core information, Content Metadata; CreationRecord
For convenience, Elliptic curve domain parameters over Fp can metadata; TransforRight metadata. et al., in which the DRM meta-
be written as: data describes basic and core content description, ownership,
rights, license, obligation and constraints. The early metadata is
PECC = (q, FR, a, b, G, n, h) (5) expressed as XrML, but later, the XrML is viewed as low efficient
way in implementation with SAX or DOM parsers. To improve the
efficiency and universality, in our proposed DRMChain scheme,
4.3. Content symmetric encryption we using JSON format as interface to store the DRM metadata, in
which the DRMChain scheme can build up the blocks in time-order
In the DRMChain scheme, the content protection we use sym- with tamper-resistance and security, by which once the providers
metric encryption AES algorithm for content encryption, and adopt or issuers published illegal or improper content such as political,
hash algorithm SHA1 for digest algorithm, and ECDSA for digital religious or ethical. In DRMChain we can easily trace who should
signature [41–47]. The Keccak-256 hash function (as per the win- responsible for the violation.
ning entry to the SHA-3 contest) is denoted KEC (and generally When the DRM-related data is verified and confirmed in the
referred to as plain Keccak). blockchain, then the DRMChain block data structure and transac-
tion are created as Fig. 2, in which the blockchain header includes
4.4. Algorithms in blockchain difficulty, extraData, gasLimit, gasUsed, hash, number, timestamp,
transactions, transactionsRoot and uncles, the users can query the
blockchain by hash, number, timestamp, transactions, transaction-
As for the blockchain itself [21–25], the platform is based on
sRoot to get all the information of the blockchain data. Once the
double SHA256, SHA3, RIPEMD160 and ECC-based public cryp-
block data is created, each transaction status in p2p-based network
tosystem ECDSA. Especially the public address of most blockchain
is transferred from one state to another, the DRMChain transaction
is based on BASE58. The ECC algorithm in blockchain system uses
status transfer is detailed in Fig. 3, in which each transaction can be
secp256k1 elliptic curve which is different to the ECDSA parame-
created a unique transactionID, in which the transaction data itself
ters. The Secp256k1 elliptic curve is defined by the 6 parameters D
can be plain or cipher-mode according to the service requirement.
= (p,a,b,G,n,h) where
In the DRMChain scheme, before the content is provided for
P = 2256 − 232 − 29 − 28 − 27 − 26− − 24−1 business consumption for benefits, the content provider should
store original plaintext content in the blockchain p2p network,
= FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
which is strictly limited for access, write, or data obtain, and will
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFC2F be the original content as raw data for DRM processing and original
A = 00000000 00000000 00000000 00000000 evidence for possible auditing and checking of violation.
00000000 00000000 00000000 00000000 The blockchain will permanently stores the DRM data in the
P2P network and cannot allow it be modified or deleted in a
b = 00000000 00000000 00000000 00000000 tamper-resistance mode, which can provide strong and high level
00000000 00000000 00000000 00000007 reliability and security. Even some blockchain nodes deliberately
 Z. Ma et al. / Future Generation Computer Systems 89 (2018) 746–764 751

Fig. 4. The DRM metadata structure of DRMChain.

Fig. 2. The DRMChain data structure.

based on Ellipse Curve Cryptosystem (ECC), which wed define the
protocol as SEKEC, in which during the client and server sides start
up the interaction, we adopt a session management mechanism
rather than the cookies mechanism in the negotiation procedure. In
fact, the cookies can be forbidden by different users’ client security
policy, once the cookie is forbidden, the OAKLEY protocol does
not work again. Comparing with the cookie approach, the session
mechanism is built up on the server side and can provide a flexible
and reliable management of interaction between client and server,
which can manage and keep the state and session status for current
and future interaction for convenient and efficient communication
and interaction.

5.1.1. SEKEC key agreement security foundation

The SEKEC key exchange protocol depends on 4 components of
the key determination protocol:
Fig. 3. The DRMChain transaction status transfer.
(a) Application-level user/client password authentication;
(b) Session mechanism based statue management between ini-
tiator and responder.
(c) Abel group based ECC half-key exchange with perfect for-
announced or the nodes truly corrupted, the most other nodes ward security.
can provide strong and trusted service for evidences. The DRM (d) Public key cryptosystem for identity hiding.
metadata structure is defined as bellows which is easy to convert
to JSON format. The DRMChain metadata [1–4,13] is described in
5.1.2. The SEKEC key agreement symbol definition
Fig. 4.
To comparing with the original OAKLEY protocol, we still in-
herit the symbol in OAKLEY protocol. The symbols in SEKEC key
5.1. DRMChain communication key agreement protocol
exchange protocol are listed in Table 2.
In the DRMChain scheme, we should ensure the communication
security that prevents the communication is hijacked by attackers. 5.1.3. The SEKEC key agreement in DRMChain
In fact, the Diffie–Hellman key exchange algorithm [48] provides Similar to the OAKLEY protocol, the SEKEC protocol will base on
a mechanism which allows two parties to agree on a shared value OAKLEY aggressive example with hidden identities. The following
without requiring encryption. However, it cannot resistant replay procedure indicates how SEKEC protocol two parties can com-
attack, man-in-the-middle attack and et al. [49], to improve the plete a key exchange without using digital signatures. Public key
security of Diffie–Hellman key exchange algorithm, The OAKLEY cryptography hides the identities during authentication. The group
protocol [50] is used to establish a shared key with an assigned exponentials are exchanged and authenticated, but the implied
identifier and associated authenticated identities for the two par- keying material (abG is not needed during the exchange).
ties, in which two authenticated parties can agree on secure and se- In the DRMChain scheme, we uses the multiplicative group of
cret keying material, both Diffie–Hellman key exchange algorithm integers modulo p, where p is prime, and g is a primitive root mod-
and the OAKLEY protocol are based on Discrete logarithm problem ulo p. These two values are chosen should ensure that the shared
(DLP), in current computing environment, based on the two proto- secret can take on any value from 1 to p-1. Alice and Bob agree on
col we proposed a more secure and efficient key exchange protocol a finite cyclic group G of order n and a generating element g in G,
752 Z. Ma et al. / Future Generation Computer Systems 89 (2018) 746–764

Table 2
The symbols in SEKEC key exchange protocol.
No. Field Expression
1 SESN-I originator session.
2 SESN-R Responder session.
3 MSGTYPE For key exchange, will be ISA_KE&AUTH_REQ or ISA_KE&AUTH_REP;
for new group definitions, will be ISA_NEW_GROUP_REQ or
ISA_NEW_GROUP_REP
4 GRP The name of the Diffie–Hellman group used for the exchange
5 aG, bG G representing group generator in ECC cryptosystem
6 EHAO EHAS Encryption, hash, authentication functions, offered and selected,
respectively
7 IDP An indicator as to whether or not encryption with abG follows (perfect
forward secrecy for ID’s)
8 ID(I) The identity for the Initiator
9 ID(R) The identity for the Responder
10 Ni Nonce supplied by the Initiator
11 Nr Nonce supplied by the Responder

And together randomly creates a Nonce NA , then organizes the

core data as (omits MSGTYPE, GRP, EHAO, EHAS, NIDP data):

MA = SIDA , UIDA , UIDB , NA , QA (8)

The use client signs the message MA as follows:
Client user A signs the message as follows:
A randomly selects kA computes:
kA G = (xA , yA ) (9)
rA = xA mod n (10)
eA = h(MA ) (11)
That is:

eA = h(SIDA , UIDA , UIDB , NA , QA ) (12)

Then user A computes:
sA = rA kA + eA dA mod n (13)
( )
K = H SK |Ua|Ub|Kgrp |SnID (14)
Then the client user A sends the message and its signature to server
B:
Fig. 5. The SEKEC protocol interaction procedure.
A → B : MA = SIDA , UIDA , UIDB , NA , QA , SigA (15)
Step 4: Once the server B receives the message MA from A, and
where the group G is written multiplicatively. The SEKEC protocol
then verifies the signature SigA as follows:
procedure is as Fig. 5.
Especially, for the symbol is described as in the OAKLEY proto- eA = h(SIDA , UIDA , UIDB , NA , (xQA , yQA )) (16)
col, to simplify the SEKEC in a clear mode, we omit some symbol
u = r A s, v = r A e
−1 −1
(17)
such as MSGTYPE, GRP, EHAO, EHAS, NIDP, and focus on the core
interaction steps and algorithms. X = uG − v Q = (x1 , y1 ) (18)
Step 1: the DRMChain client submits its username and pass- r1 = x1 mod n (19)
word and tries to login the system whether it can match the user
information and pass the verification or not: If r1 = rA is true, it manifests the signature of A is valid.
After verifies the message MA , the server B randomly selects an
bAuth = Auth(UID = UID ∥ H(psw d) = H(psw d ))
′ ′
integer b(1< b< p−1), and computes:
If bAuth = true, it manifests the current user is valid.
QB = bG = (xQB , yQB ) (20)
Step 2: the DRMChain client user requests DRMChain Node to
build up the key exchange in a session mode, The DRMChain Node And together randomly creates a Nonce NB , then organizes the
then creates a session for the current client user in the server core data as (as the above steps, here we also omit MSGTYPE, GRP,
side (instead of OAKLEY protocol in the client side), and keeps the EHAO, EHAS, NIDP data):
session in a whole transaction status, the session information is
described as follows: MB = SIDA , SIDB , UIDA , UIDB , NA , NB , QA , QB (21)
SESS − I , SESS − R, CreateTime, LifeTime,
{ }
SESS = (6) The server B signs the message MB as follows:
AccessTime, MaxActiv eInter v al The server B randomly selects kB computes:

Step 3: After creates the session, the client randomly selects a kB G = (xB , yB ) (22)
integer a(1< x< p−1), and then computes: rB = xB mod n (23)
QA = aG = (xQA , yQA ) (7) eB = h(MB ) (24)
 Z. Ma et al. / Future Generation Computer Systems 89 (2018) 746–764 753

That is:

eB = h(SIDA , SIDB , UIDA , UIDB , NA , NB , QA , QB ) (25)

Then the server B computes:
sB = rB kB + eB dB mod n (26)
SigB = (rB , sB ) (27)
Then the server B sends the message and its signature to client A:
B→A:
MB = SIDA , SIDB , UIDA , UIDB , (28)
NA , NB , QB , SigB
Step 5: When user client A receives the message from B, then
organizes the core data as:

MA = SIDA , SIDB , UIDA , UIDB , NA , NB , QA (29)

And signs the message MA using the private key used in step 3 Fig. 6. The DRMChain identity and privacy protection model.
as follows:
A→B:
MA = SIDA , SIDB , UIDA , UIDB , (30) scheme, we proposed encryption approach of identity informa-
NA , NB , QA , QB , SigA tion to prevent user’s privacy from being leakage including from
And client user A signs the message as follows: internal management member, such as internal administrators or
auditors.
kA G = (xA , yA ) (31) To securely manage the user’s sensitive privacy data, and to-
rA = xA mod n (32) gether for the later possible auditing behavior in case of user’s data
was deliberately modified or misused, the system can indepen-
eA = h(SIDA , SIDB , UIDA , UIDB , NA , NB , QA , QB ) (33)
dently recover and open the sensitive data for auditing and tracing.
sA = rA kA + eA dA mod n (34)
5.2.2. DRMChain multipart determined identity privacy protection
( )
K = H SK |Ua|Ub|Kgrp |SnID (35)
In the DRMChain scheme, we proposed a multiple-part deter-
When server B receives the message MA , then verifies the vali- mined privacy protection approach, in which the privacy data was
dation, if the signature is true. Then the key negotiation procedure encrypted by 3-parts-controlled symmetric key. In the DRMChain
finished. scheme, the 3 parts are:
Step 6: then user A and server B key exchange is deduced as (A) blockchain manage node.
follows: (B) blockchain audit node.
KAB = bQA = baG = abG = aQB = KBA (36) (C) the blockchain client user.
The DRMChain multipart determined identity protection pro-
KAB = (xKAB , yKAB ) (37) cedure is described as follows:
We define the keyID as: Step 1: The DRMChain platform manager selects a special sym-
bol as its blockchain identity, and defines another use case identity
KEYID = SIDA |SIDB (38) CaseID (such as different application platform), and computed the
Hash as its unique bcID, the bcID is defined as:
And then the key negotiated as follows:
bcID = Hash (BlockChainID, CaseID) (40)
K = H(SIDA |SIDB |UIDA |UIDB |NA |NB |xKAB |yKAB ) (39)
Step 2: The manage node control the administration control
According to the above negotiation the system then builds up word bcAdminCW, where the administration key KA is determined
the communication encryption key K. as follows:

5.2. DRMChain traceable identity management and privacy protec- KA = Hash(bcID ⊕ bcAd min CW ) (41)
tion
Step 3: The DRMChain audit node keeps the auditing control
word bcAuditCW, where the auditing key KD is determined as
5.2.1. DRMChain identity composition and management
follows:
In the DRMChain scheme, to identify the validation content
provider, we proposed an enhanced and traceable authentication KD = Hash(bcID ⊕ bcAuditCW ) (42)
and privacy management approach, in which the DRMChain man-
ager node can trace and confirm the real legal identity, the basic Step 4: The DRMChain client user controls his/her UID as his/her
identity includes: unique userID (UUID), user identity, network control word (here because the UID is determined and as con-
identity (IP), device identity (MAC), location information, social stant which will not allow change, whereas its password is often
network system (SNS) account (WeChat ID, Facebook ID, et al.) changed, thus here we adopt UID as the user control word).
other identity include mobile phone number or email account. The
KU = Hash(bcID ⊕ UID) (43)
DRMChain identity and privacy protection model is described in
Fig. 6. Step 5: The DRMChain super-administrator then creates the
In the DRMChain scheme, to protect the user’s identity informa- privacy data encryption key KAU as follows:
tion from being misused or arbitrarily spreading, the user’s identity
is strictly limited for usage without authorization. In the DRMChain KAU = Hash (KA ⊕ KU ) (44)
754 Z. Ma et al. / Future Generation Computer Systems 89 (2018) 746–764

Table 3
Development environment parameters.
OS Ubuntu16.0 4.2 X64 Server Hardware 8 GB RAM 500 GB disk
RAM 16 GB CPU Intel i7-8550U
Blockchain Ethereum Develop solc
Tool node-v6.9.4
React, Java
truffle testrpc
External DB js-ipfs 0.27.0 Nodes amount 12
Digital signature ECDSA AES 128-CTR
Key agreement SEKEC Privacy protection Multi-signature
based on ECDSA
DRM protection HTTP living stream, DRM server Nginx
DRM tool FFmpeg File extension M3U8, ts

Step 6: the DRMChain super-administrator encrypts the key by Step 2: the DRMChain encryption engine then packets the Li-
his/her public key Kpub: cense L and its signature into the cipher content:

CKD = EKpub (KD ) (45) DRMData = EKAU (C |L|Sig(L)) (56)

And the super-administrator signs the CkD . The signature pro- Step 3: when received the encryption data from the client user,
cedure is described as follows: the DRMChain node decrypts the cipher data as follows:
The DRMChain administrator randomly selects k computes:
b Result = Veri(Sig(L)) (57)
kG = (x, y) (46)
r = x mod n (47) Step 4: if bResult = True, then the DRMChain CryptoEngine
decrypts the cipher payload for memory content play:
e = h(KAU ) (48)
C = EKADU (M1 |M2 | . . . Mn ) (58)
and computes:
M = DKADU (EKADU (M1 |M2 | . . . Mn )) (59)
s = rk + ed mod n (49)
In the above section, the Mi (1 < i ≤ n) is the payload of con-
sig = (r , s) (50)
tent, which may be different data unit defined according to its data
Then (r, s) is the signature of KD . structure(such as MPEG-2, WMV, FLV, H.265, JPG et al.) network
Step 7: the DRMChain super-administrator stores the KD infor- protocol (such as RTP, RTSP, MMS, HTTP living streaming et al.),
mation and its signature as following: the encryption and decryption focus on the effective payload.

KDBKD = Store(CKD , sig(CKD )) (51) 5.3.2. Watermark embedding algorithm

Step 8: the user’s identity information then is encrypted as We select the M × N binary image as watermark W. W =
follows: {W (i, j)|0 ≤ i < M , 0 ≤ j < N }, and W (i, j) ∈ {0, 1}. For
security, we scramble the watermark and then scan the image into
C ′ Identity = EKAU (NetID, PhyID, LocID, SocialID, CommID) (52) one dimensional signal, namely W = {W }i , i = 1, 2, . . . , C ; C =
M × N , wi = 0 or 1.
Step 9: the DRMChain audit node then computes:
And we also select the P × Q image as host image.
CIdentity = EKD (C ′ Identity ) (53) The whole image is divided into 8 × 8 blocks, named Xi , xi (m, n)
Is the pixel value of (m, n) of Xi . After zig-zag the DCT
Step 10: the DRMChain securely stores the user’s identity infor- coefficients, the whole sequence is recorded as Ci (j), (j =
mation in a secure mode: 0, 1, 2, . . . , 63). i is the sequence number corresponding to the ith
block of the image. We select a continuum of values to embed
IdentityDB = Store UUID, CIdentity
( )
(54)
watermark, as
Ci (k − 2), Ci (k − 1), Ci (k), Ci (k + 1), Ci (k + 2), k = 2, 3, . . . , 61
5.3. DRMChain DRM processing for consumption The specific methods are as follows:
if wi = 0, then
5.3.1. Content encryption for usage control we can get
When the Data is stored in the DRMChain system, then ac- k+2
cording to the DRM policy, the DRM engine starts processing the 1 ∑
Ci (k)′ = Ci (l) − Qi (60)
content into a content-protected mode, such as content encryp- 5
l=k−2
tion, or content watermarking. In the proposed DRMChain scheme,
we adopt encryption approach for content protection from being else if wi = 1, then
illegal used. In the DRMChain, as for the content encryption effi- we can get
ciency, we adopt AES algorithm to encrypt the content itself, thus k+2
unauthorized user cannot access the protected content. 1 ∑
Ci (k)′ = Ci (l) + Qi (61)
Step 1: The DRMChain CryptoEngine in the blockchain side then 5
l=k−2
encrypts the content payload data as follows:
Di (k)′ is the modified coefficient, Qi is the factor for controlling
C = EKAU (M1 |M2 | . . . Mn ) (55) the watermark strength. Qi is defined as follows:
When creates the secure communication channel, the system Qi = aδi (62)
can work in a dynamic security mode, the sensitive data can be
transfer in the secure channel. where δi is the average energy value of block image i, a is constant.
 Z. Ma et al. / Future Generation Computer Systems 89 (2018) 746–764 755

For decreasing the quantization influence, the analysis of quan- 5.4. DRMChain multi-signature-based violation tracing
titative condition process is created to control the strength of
watermark. Once some content was considered as violation, then the DRM-
Analysis of the quantitative condition is as follow: Chain platform manager startups the investigation who should be
responsible for the content. To avoid arbitrary decision or judge,
when wi = 0, based on the study and research work [33–38], in the DRMChain
k+2
Ci (k)′
( ) ( )
1 ∑ Ci (l) scheme we proposed a multi-signature-based evaluation decision
while R · Q (k) ≥ R · Q (l) − q,
Q (k) 5 Q (l) (MSED) mechanism for multi-parts evaluation rather than one
l=k−2
k+2 unique judge.
1 ∑ (a) DRMChain Violation Evaluation Task Release: DRMChain
do Qi = Qi + 1, Ci (k)′ = Ci (l) − Qi ,
5 Manager Node responsible for the content violation task releasing,
l=k−2
(63) initializes, collects and verifies the multi-signature.
when wi = 1,
k+2 (b) DRMChain Peer Evaluation: respectively signs the blank
Ci (k)′
( ) ( )
1 ∑ Ci (l) evaluation decision table (BEDT) if and only if t-out-of –n parts sign
while R · Q (k) ≤ R · Q (l) + q,
Q (k) 5 Q (l) the BEDT as definite decision results, the DRMChain then accepts
l=k−2
k+2 the decision results as final evaluation result.
1 ∑
do Qi = Qi + 1, Ci (k)′ = Ci (l) + Qi , (c) DRMChain Conditional Violation Tracing: once t-out-of-n
5 decision results give the definite violation evaluation result, then
l=k−2
the DRMChain manager node starts up the tracing procedure for
Q (k) means the QP from the quantization table corresponds to user’s identity who to responsible the violation.
C (k). q is the controlling factor of analysis quantitative condition.
Qi increases with the increasing of q. R(·) indicates rounding down.
5.4.1. DRMChain violation evaluation task release
As JPEG compression may affect the tamper detecting water-
Once the content is considered as violation, the DRMChain
mark, the semi-fragile watermark should tolerate some common manager node sends each peer node pi the abstract of violation
image processing operations, such as JPEG compression. In order description (AVD), and a blank evaluation decision (BED) to be
to avoid affecting the robustness of copyright identification water- signed for the evaluation. The DRMChain manager node public
mark, the watermarks for tamper detecting are embedded in DC the common parameter p, g ZP , and H(.), and sends each node pi
coefficients using quantitative method. The Specific methods are signature timestamp T and require each node pi signs the message
as follows: in the specified time T0 , when pi receives the message, then deals
Cj (0) + 0.5step with the signature.
Cj (0)′ = R( ) × 2step + step/2 (64)
2step
5.4.2. DRMChain broadcast multi-signature
Cj (0) is the DC coefficient in 8 × 8 block image, Cj (0)′ is the Let m be the blank evaluation decision table (BEDT) as message
modified coefficient, R(·) indicates rounding down. step describes to be signed, here we suppose there are n members Ui (1 < i < n)
the quantization steps, j = 1, 2, . . . , P × Q. which can sign the message, to finish the blind multi-signature, for
each signature member Ui, he randomly selects a secret number
5.3.3. Watermark extracting algorithm di(di ∈ Zn) as his private key, and computes Qi = diG as his public
key. X(.) means the function that gets the X coordinate.
(1) Responsibility watermark extracting algorithm
(1) DRMChain broadcast multi-signature
During the embedding process, we obtain the same continuum
Step 1: each signature member Ui (1 < i < n) selects an integer
of values for watermark extraction:
ki, 1 ≤ ki ≤ n − 1, and computes:
Ci (k − 2), Ci (k − 1), Ci (k), Ci (k + 1), Ci (k + 2),
Ri = k i G (68)
k = 2, 3, . . . , 61 (65)
and sends the result Ri to signature collector.
Extracting method is as follow: Step 2: the signature collector computes:
k+2 n
1 ∑ ∑
if Ci (k) > Ci (l) R= Ri (69)
5 (66)
l=k−2 i=1
wi = 1, r = Rx mod n (70)
else wi = 0,
If (r, n) = 1, then send the result r to each signature member
where wi is the ith watermark bit. At last, anti-scramble the infor- Ui(i = 1,2,. . . ,n) and the message holder, otherwise, go to step1 to
mation to get the watermark extracted. reconstruct the signature.
(2) Tamper detecting algorithm Step 3: the message holder U randomly select an integerα ∈ Zq∗ ,
After dividing the watermarked JPEG image into 8 × 8 blocks, computes:
DCT each block. The specific tamper detect methods are as follows: n
∑
Ci (0) Q = Qi (71)
if mod(R( ), 2) == 0 no tamper
step (67) i=1

else tamper The message computes β = Qx

Ci (0) is the DC coefficient in 8 × 8 block image, R(·) indicates round- Step 4: the message holder computes:
ing down, step describes the quantization steps, i = 1, 2, . . . , P × Q.
e = H(α · m + β · (H(m, T )) mod n) (72)
If the block is tampered, location it with marks, such as black
block image. and sends e to each signature Ui (i = 1, 2, . . . , n).
756 Z. Ma et al. / Future Generation Computer Systems 89 (2018) 746–764

Step 5: each signature member Ui (i = 1, 2, . . . , n) computes: Step 6: and then constructs and recover the violation informa-
tion as follows:
si = ki e + rdi mod n (73)
Vinfo = {DCID, UID, NetID, PhyID,
Gi = si G (74) (84)
LocID, SocialID, CommID}
n
∑
S= si G (75)
i=1 6. Security analysis of DRMChain scheme
s = Sx (76)
6.1. Security analysis of SEKEC protocol
and sends the si to the message holder. Then (m, (r, s)) is the multi-
signature of the message m. 6.1.1. Message integrity of the 3 core procedure
(2) DRMChain multi-signature verification In fact, we during the 3 turns in the SEKEC protocol, we use
The signature collector can verify the signature by verifying the ECDSA as the signature algorithm for message signature. And the
equation as follows: verification can bed as follows (i = A, B):

rQ = sG − eR (77) X = ui G − v i Q
= ri−1 si G − ri−1 ei di G
If the above result is true, then the multi-signature is valid,
= ri−1 (ri ki + ei di )G − ri−1 ei dA G (85)
otherwise the signature is false.
= ki G + ri−1 ei di G − ri−1 ei di G
n
∑ = ki G
sG − eR = (ki e + rdi )G mod n − eR
i=1 Then Xi ′ = (xi ′ , yi ′ )modnri ′ = xi ′ modn there must exist ri ′ = ri .
n n
∑ ∑
= eki G + r di G − eR 6.1.2. Replay attack analysis
i=1 i=1 In the SEKEC protocol, in each step, we use Nonce number as
n n
∑ ∑ the fresh timestamp each step
=e ki G + r di G − eR
(78) A→B:
i=1 i=1 (86)
∑n
∑n MA = SIDA , UIDA , UIDB , NA , SigA
=e Ri + r Qi − eR B→A:
(87)
i=1
n
i=1 MB = SIDA , SIDB , UIDA , UIDB , NA , NB , xQB , yQB , SigB
∑
=r Qi If the attacker can forge a Nonce, and send the message and
i=1 Nonce to the receiver, however he can NOT pass the signature
= rQ verification, then the message’s freshness is ensured, thus the
SEKEC protocol is replay attack resistant.
5.4.3. DRMChain multipart-determined identity tracing
Once the content provider is found t content violation, then 6.1.3. Middle-man attack analysis
the arbitrator dynamically computes the privacy key and then Similar to replay attack analysis, although the message is not
decrypts and recovery the identity information and trace the con- encrypted in all the communication procedure, however because
tent provider accurately identity to deal with the content, which the final message send to the receiver is signed, once the message is
may give punishment decision. The DRMChain identity tracing replaced, it will NOT pass the validation in the signature validation
procedure is described as follows: stage.
Step 1: the DRMChain manage node computes the amount of
evaluation results from auditing nodes, if and only if more than t A → B : MA = SIDA , UIDA , UIDB , NA , SigA (88)
auditing nodes give the agreement decision as violation result, the Upon the message MA , if the middle-man tries to substitute the
computing procedure is described a follows: message MA :
n
MA = SIDA , UIDA , UIDB , NA , XA
∑
C = ci (ri ) > t0 (79) (89)
i=1
However, the session mechanism assures only valid session
1, ri = agreement
{
Where ci (ri ) = (80) user can access the conversation which creates by the server side
0, ri = disagreement and keep the conversation in a reasonable time interval that de-
Step 2: if the C > t0 then the DRMChain manage node finds the fined by MaxActiveInterval, which satisfies the following condi-
relationship R between the DCID and UID, and queries by the UID tion:
and return the identity cipher as follows:
CurrentTime − CreateTime < MaxActiv eTime (90)
R = DCID, UID, Cidentity
{ }
(81) Then the attacker cannot tamper the SIDA , or SIDB . The attacker
can only attack and substitute UIDA , UIDB , or NA.
Step 3: the DRMChain node then decrypts the cipher as follows:
Step 4: the DRMChain audit node then computes:
6.1.4. The session security
C ′ Identity = DKD (CIdentity ) (82) In the proposed SEKEC protocol, when the client user commu-
nicates with the server, the server creates session for the client,
Step 5: the DRMChain manage node decrypts the identity of UID and save the session for client access, and check the validation and
as follows: according to the following
IIdentity = DKAU (EKAU (NetID, PhyID, LocID, SocialID, CommID))
(83) CurrentTime − CreateTime < MaxActiv eTime
= NetID, PhyID, LocID, SocialID, CommID (91)
 Z. Ma et al. / Future Generation Computer Systems 89 (2018) 746–764 757

Table 4 Table 5
The genesis block configuration parameters. The blockchain information created from genesis block.

The session can save time and provide a controllable mode

without possible tamper by the client user, and can provide a
secure and efficient conversation between individual users from
client and server side; especially it provides a memory mode for
historical access records for existing and historical access user.

6.2. Privacy security and efficiency analysis

6.2.1. Multi-parts determined security analysis

Once the DRMChain content is doubt to be violation, whether
it is truly violated or not, the DRMChain provides multi-signature
decision mechanism [51–56]. The security and efficiency is based
on the following:
When the content is doubt violation, the DRMChain auditing
node will evaluates the content itself by checking the original the sole internal manager cannot recover the content provider’s
content, if and only if more than t auditing nodes give the agree- identity information for the DRMChain multiparts determined
ment decision as violation result, and the evaluation results will be multi-signature mechanism can prevent misuse or unauthorized
signed by more than t auditing nodes, that is: operation of sensitive data.
n
∑
C = ci (ri ) > t0 (92) 7. Implementation and evaluation of DRMChain scheme
i=1
7.1. Implementation & evaluation of DRMChain
In fact, the signature cannot cheat the manager node if one au-
diting node wants to cheat the manage node and provide the false
signature then the above equation will not pass the verification. Based on the DRMChain architecture, we developed and imple-
mented the DRMChain system as a blockchain application platform
6.2.2. Privacy protection and recovery for digital rights management. In the DRMChain system, we build
In the DRMChain scheme the identity privacy information of up the DRMChain platform based on Ethereum, and the js-ipfs
content provider is encrypted, once he/she is doubt as violation, 0.27.0 P2P network for external data storage, and the development
the identity information is decrypted and recovered by DCID. tools Solc, Node-v6.9.4, React, Java, truffle and Testrpc are used for
application development, the watermark-based and encryption-
R := DCID, UID, Cidentity
{ }
(93) based DRMChain was completely implemented, and the devel-
opment environment is listed in Table 3, and the main GUI of
and the identity information is related by DCID with UID as follows:
DRMChain is described as in Figs. 7 and 8.
We deployed 3 private Ethereum Nodes in Aliyun could plat-
Vinfo = {DCID, UID, NetID, PhyID, form that support for DRMChain management, which include
(94)
LocID, SocialID, CommID} nodes for BAIP for summary metadata storage of original content,
Thus In the proposed DRMChain the privacy security and effi- and the BAIC for DRM-protected content service, such as content
ciency is ensured, because the content provider’s identity is en- watermark, encryption, license, violation tracing. The DRMChain
crypted and stored in cipher mode, without authorization, even runtime environment is described as Table 3.
758 Z. Ma et al. / Future Generation Computer Systems 89 (2018) 746–764

Table 6
Instance of IPFS information in DRMChain.
Key Value
Ethereum contract address 0xb752ffa78d7634c0901df669d3f1fabab5057a76
ImageHash in IPFS QmYANV86z9hKRkb5GJcCG9X5tnE3kVWqw8hLnmNVkjJa1K
ImageHash in DRMChain QmYANV86z9hKRkb5GJcCG9X5tnE3kVWqw8hLnmNVkjJa1K
BlockHash in DRMChain 0xe0010353e960e50dcad4d1ca5f30b56fdf749212157402c722
e25b5385c1ab96

Fig. 7. DRMChain encryption-based license management in blockchain and IPFS information.

Fig. 8. DRMChain watermark-based rights information in blockchain and IPFS.

7.2. Experiments of DRMChain scheme instance information Of IPFS and DRMChain Instance information
of the DRMChain platform we have implemented for digital rights
An instance of image type content in DRMChain includes 3
management are listed as Tables 6 and 7, and 8 listed the water-
parts information: IPFS network, Blockchain platform, and digital
rights management platform. The genesis block configuration and mark rights information extracted from Lenna. The DRMChain is
its blockchain information are listed in Tables 4 and 5. And the suitable for ‘‘building up blocks in internal blockchain platform, but
 Z. Ma et al. / Future Generation Computer Systems 89 (2018) 746–764 759

Table 7
Instance of block information in DRMChain.

Fig. 9. Watermark embedding and extracting in DRMChain.

7.3. Experiments and analysis of watermark

7.3.1. Experiments of watermark algorithm

Various experiments are carried out to assess the performance
of the proposed scheme. PSNR (peak signal-to-noise ratio), is used
in this paper to analyze the visual quality of the watermarked
image Ŵ in comparison with the original image W . PSNR is defined
as:
2552
PSNR = 10 log10 ( )dB (95)
MSE
Table 8 where MSE is the mean squared error between the original image
Instance of rights information in DRMchain. W and the watermarked image Ŵ , given by
Key Value M −1 N −1
1 ∑∑
Platform DRMChain MSE = [W (i, j) − Ŵ (i, j)]2 (96)
Institute bupt.edu.cn MN
i=0 j=0
Author Ma Zhaofeng
Timestamp 2018-01-16 09:25:44 In this experiment, ‘Lenna’ image of size 512 × 512 is used.
A binary logo image of size 64 × 64 is used as watermark. Fig. 9
shows the host image, binary watermark and the corresponding
storing the content itself in external database’’ as described in our watermarked image. The PSNR value of watermarked image is
proposed trusted model. 38.96 dB.
We evaluated the DRMChain platform for content storage digi-
7.3.2. Attacks and evaluation of DRMchain watermark
tal rights management of video content protection based on HTTP
To evaluate the robustness and security of the scheme, we
living stream which can support iOS, Android, Windows appli-
considered 4 kinds of attacks including: (1) copy and paste attack;
cation with a wide range of user adaption, and the DRM server (2) insert a circle attack; (3) insert a picture; (4) color inverse
we used Nginx and the digital video and audio encode/decode attack.
tools we used FFmpeg 3.3 for the content processing. In which the In the experiments (see Fig. 10) we firstly attack the exported
media protection is based on Media Stream Segmenter, Media File image that had been embedded watermark, and then test whether
we can extract the watermark, and can trace where the attack
Segmenter, Media Stream Validator, Variant Playlist Creator, and
occurred. In the experiment, we gave the detailed experiments
Metadata Tag Generator. And the content is encrypted by AES-128, according to the 4 attacks: (1) copy and paste attack; (2) insert a
and the crypto-middleware we used OpenSSL [45]. Evaluations of circle attack; (3) insert a picture; (4) color inverse attack, where
the DRMChain are described as follows. NC = 0.9884, 0.9939, 0.9934, 0.9394.
760 Z. Ma et al. / Future Generation Computer Systems 89 (2018) 746–764

Fig. 11. Insert picture attack, NC = 0.9942.

Fig. 10. Copy and paste attack, NC = 0.9666.

Upon the implemented DRMChain platform we evaluated the

efficiency comparison of SEKEC and OAKLEY, efficiency compar-
ison of plain and cipher video playing, and efficiency of multi-
signature and its average signature, in which the video codec we
used H.264 video with profile Baseline and level: 2.1, and the codec
is avc1. The performance simulations and evaluations results of
DRMChain are described from Figs. 9–13. Fig. 9 described water-
mark embedding and extracting in DRMChain without attacks,
and Figs. 10–13 is the serial watermark attacks experiments of
DRMChain. While Fig. 14 is the efficiency comparison of SEKEC and
OAKLEY protocols, Fig. 15 is the efficiency comparison of plain and
cipher video playing, and Fig. 16 is the efficiency of multi-signature
and Its average signature, upon which the detailed evaluation and
analysis of the DRMchain scheme is described in Section 7.4.

7.4. Evaluation of the DRMchain scheme

7.4.1. Availability of DRMchain scheme

The DRMChain Scheme provides a flexible DRM approach that
enables user-controlled encryption but administrator and auditor
can decrypt and audit the content once the released content is
suspected violation or illegal usage, in the scheme, we proposed
3 parts control model trusted and creditable content encryption,
secure key management, multi-signature for violation appraisal. Fig. 12. Insert a circle attack, NC = 0.9951.

7.4.2. Extendibility of DRMchain scheme

We implemented the DRMChain platform for digital right man- 7.4.3. Security of DRMChain scheme
agement based on Ethereum blockchain platform. Large amounts In DRMChain we used DCT-based watermark algorithm for
of experiments manifest the DRMChain is reliable, secure, efficient image content rights protection and ownership confirmation. The
and tamper-resistance with high-level credibility, in which the algorithm is proposed and evaluated as efficient and secure for
authorization users can upload their right-reserved digital content, variant attacks in our another paper. And as for the video DRM
but once the content is suspected illegal or rights infringement, protection, we used Http Living Streaming DRM for video content
the DRMChain can trace and checkout the violation content and encryption and licensing service for playing times, exporting con-
provider user, the DRMChain provides an extendible, reliable and trol, which is efficient and secure without memory cache and leak-
tamper-resistant DRM practice and can apply in real scene for age in real application. In the proposed DRMChain the user’s iden-
content protection. tity management and privacy protection, multi-signature-based
 Z. Ma et al. / Future Generation Computer Systems 89 (2018) 746–764 761

Fig. 15. Efficiency comparison of plain and cipher video playing.

Fig. 13. Color reverse attack, NC = 0.9433.

Fig. 16. Efficiency of multi-signature and its average signature.

the proposed SEKEC key agreement is efficient than the OAKLEY

protocol, and the average time consumed in multi-signature is in
the range of 3.21–3.35 ∗ 10−2 ms, and average delay of ciphered
video content is 17.42%, and the efficiency is high and can satisfied
the speed of real-time application in blockchain platform.

7.5. Performance comparison with related work

Fig. 14. The efficiency comparison of SEKEC and OAKLEY.
Among the DRM research, the typical DRM scheme include [6–
9], which proposed detailed and practical DRM solutions, although
the work was based on mobile environments, the whole proce-
conditional traceability approaches, and thus the DRM license, dures and communications were still suitable for pervasive DRM
usage control and constraint are ensured, which provided a new protection. Thus we can compare the schemes with our proposed
paradigm for the digital rights management for content consump- DRMChain scheme. in 2008, Chen [17] proposed a secure and
tion and protection. traceable E-DRM system based on mobile device, in which the
scheme applied symmetrical cryptosystem, asymmetrical cryp-
7.4.4. Efficiency of DRMChain scheme tosystem, digital signature and one-way hash function mecha-
Upon the proposed DRMChain, external data storage in IPFS nisms for persistent content protection, integrity, authentication,
and blockchain internal block creation are evaluated in which we track usage of DRM work, changeable access right, however the
can find the common string, image, audio and video are easily in that time, the computing ability is limited by the mobile phone
and efficiently stored in IPFS network and blockchain nodes, the hardware, the scheme was not so efficient for multimedia content
time consumed from string and video are all in acceptable range protection, and the efficiency is low. In 2010, CC Chang [18] found
in DRMChain (in which the average time consumed in Ethereum that Chen’s scheme is insecure because the symmetric key can
is nearly about 12 s, and the other time consumed is mainly be easily computed by an attacker. In addition, tampering with
network traffic). And as for key agreement efficiency, plain/cipher the user’s password cannot be discovered by the mobile user.
video bitrate, and multi-signature efficiency are evaluated by large Moreover, there are some redundant computations for user au-
amounts experiments for performance evaluation, and we can see thentication in Chen’s scheme, then proposed a new scheme, in CC
762 Z. Ma et al. / Future Generation Computer Systems 89 (2018) 746–764

Table 9
DRMChain scheme comparison with related work [17–20].
No. Scheme Usage control Dynamic key Phase Client user side/P2P Server(s) side/P2P Total computation
agreement computation cost computation cost cost
1 Chen [17] N/A No • Package – Tsym + 5Tpub (8|F (·)| + 6)Th +
• Registration – – 2Tsym + 7Tpub
• Authorization (5|F (·)| + 3)Th + Tsym (3|F (·)| + 3)Th + 2Tpub
2 Chang et al. [18] No No • Package – Tsym + 5Tpub (6|F (·)| + 4)Th
• Registration – – +2Tsym + 7Tpub
• Authorization (3|F (·)| + 2)Th + Tsym (3|F (·)| + 2)Th + 2Tpub
3 Chang et al. [19] No No • Package – 2Th 14Th + 2Tsym + 6Tpub
• Registration – 8Th
• Authorization 4Th + Tsym Tsym + 2Tpub
4 A. K. Das et al. [20] Yes No • Package – Tsym + 2Tpub 2Tfe + 16Th + 4Tsym +
• Registration Tfe + 3Th Th + Tsym 2Tpub
• Authorization Tfe + 7Th + Tsym 5Th + Tsym
DRMChain video content Yes Yes • Package – Tipfs + Tsym 4Th + 4Tpub + 2Tipfs +
5
• Registration Th + Tpub Th + Tpub 2T sym + Tblk
• Authorization Th + Tpub + Tipfs + Tsym Th + Tpub + Tblk
DRMChain image content Yes Yes • Package – Tipfs + TDCT 4Th + 4Tpub + 2Tipfs +
• Registration Th + Tpub Th + Tpub 2T DCT + Tblk
• Authorization Th + Tpub + Tipfs + TDCT Th + Tpub + Tblk

Chang’s scheme, the symmetric key was protected by a one-way 8. Conclusion

hash function so it cannot be directly computed by an attacker. In
addition, tampering with the transmitted message can be detected Digital rights management is a traditional topic in network
by the mobile users in the proposed scheme. Besides, the proposed environment, in this paper we proposed a new paradigm based
scheme has no redundant computation for user authentication. on blockchain for digital rights management, which supports the
Therefore, the proposed scheme is more efficient and reliable right digital rights-protected content serves the right users in a
than Chen’s scheme. Later in 2013, CC Chang [19] proposed an right way (thus we named DRMChain), the DRMchain can pro-
improved secure and efficient E-DRM mechanism based on a one- vide trusted and high-level credible content protection and con-
way hash function and exclusive or, which declared to overcome ditional traceability of violation content service. In the proposed
the weaknesses in the scheme of Chang et al., and also can reduces DRMChain, we use two isolated blockchain application interfaces
computation costs. However, In 2015, A. K. Das identified that (BAI) to respectively store plain and cipher summary information
Chang’s scheme did not resist the insider attack and password- of original and DRM-protected digital content, and considering
guessing attack [20]. In addition, Chang et al.’s scheme has some large capacity of digital content such as image, audio or video,
design flaws in the authorization phase, based on the analysis of we proposed external flexible storage of plain/cipher digital con-
Chang’s scheme, A. K. Das proposed scheme supports the autho- tent and creates hashID of the content itself and links with the
rized content key distribution and satisfies the desirable security blockchain. In DRMChain scheme, we named the BAI plain inter-
attributes. Additionally, Das’ scheme offered low communication face as BAIP for summary metadata storage of original content,
and computation overheads and user’s anonymity as well. and the BAI cipher interface as BAIC for DRM-protected content
The common attribute of the above schemes are centralized service. In the DRMChain scheme we proposed efficient and se-
DRM solution, and provide fairly good security and performance of cure authentication, privacy protection and multi-signature-based
enterprise DRM solutions, however a most serious problems of the conditional traceability approaches, and thus the DRM license,
centralized DRM is once the DRM authorization server collapsed, usage control and constraint information can be easily retrieved
the DRM system will not work again for large amount client users’ form the blockchain, and customs can query all the consumption
request and cannot provide license and content services. While transaction lists of free or paid consumption history to prevent
our proposed DRMChain scheme not only provided secure DRM baleful fee-deduction. Analysis and performance evaluation man-
services such as authorization and license in P2P mode which ifest the DRMChain scheme provides a reliable, secure, efficient
can overcome the above risk, but can provide blockchain-based and tamper-resistance digital content service and DRM practice.
rights proof and confirmation for each content, which can prevent In future, we will enhance the work that support Ethereum-based
coin for digital rights management and trade that support the new
content being violated or misused. And moreover, our proposed
promising vision: The right content serves the right users in a right
DRMChain scheme’s total computation cost 4Th + 4Tpub + 2Tipfs +
way for the right value.
2T sym + Tblk (video), 4Th + 4Tpub + 2Tipfs + 2T DCT + Tblk (image) are
lower than the schemes [17–20], the detailed comparison with the
Acknowledgments
related scheme are listed as Table 9.
Let Th , Tpub , Tsym , TDCT and Tblk denote the time complex-
This work was supported by the National Natural Science Foun-
ity for computation of a one-way hash function H(.), a pub-
dation of China under Grant No. 61272519, No. 61472258 the
lic key encryption/decryption/digital signature, a symmetric
Research Funds of Blockchain Joint Lab between BUPT and BCT,
encryption/decryption, a watermark algorithm DCT transfer and a
China.
block creation respectively. From the comparison of variant DRM
schemes with our proposed DRMChain scheme, we can see our
References
proposed DRMChain supports usage control such as playing times,
usage domain control, and our scheme is available for dynamic [1] A. Foroughi, M. Albin, S. Gillard, Digital rights management: A delicate balance
key agreement, which is efficient and secure and extendible for between protection and accessibility, Inform. Sci. 28 (5) (2002) 389–395.
video and image content protection especially in P2P network [2] D. Kundur, K. Karthik, Video fingerprinting and encryption principles for digital
environment. rights management, Proc. IEEE 92 (6) (2004) 918–932.
 Z. Ma et al. / Future Generation Computer Systems 89 (2018) 746–764 763

[3] D. Lindsay, S. Ricketson, Copyright, privacy, and digital rights management [37] A. Lei, H. Cruickshank, Y. Cao, P. Asuquo, C.P.A. Ogah, Z. Sun, Blockchain-
(DRM), in: New Dimensions in Privacy Law: International and Comparative based dynamic key management for heterogeneous intelligent transportation
Perspectives, Cambridge Univ. Press, New York, NY, USA, 2006, pp. 121–153 systems, IEEE Internet Things J. 4 (6) (2017) 1832–1843.
Eds. [38] M. Vukolić, The quest for scalable Blockchain Fabric: Proof-of-Work vs. BFT
[4] P. Koster, W. Jonker, Digital Rights Management, Vol. 25, Springer Berlin replication, in: International Workshop on Open Problems in Network Secu-
Heidelberg, 2007, pp. 225–235 No. 1. rity, 2015, pp. 112–125.
[5] C.H. Huang, S.C. Chuang, Y.L. Huang, J.L. Wu, Unseen visible watermarking: a [39] A. Dorri, M. Steger, S.S. Kanhere, R. Jurdak, BlockChain: A distributed solution to
novel methodology for auxiliary information delivery via visual contents, IEEE automotive security and privacy, IEEE Commun. Mag. 55 (12) (2017) 119–125.
Trans. Inf. Forensics Secur. 4 (2) (2009) 193–206. [40] R.M. Frey, P. Buhler, A. Gerdes, T. Hardjono, K.L. Fuchs, A. Ilic, The effect of a
[6] Alessandro Basso, Davide Cavagnino, et al., Blind watermarking of color images blockchain-supported, privacy-preserving system on disclosure of personal
using Karhunen–Loève transform keying, Comput. J. 54 (7) (2011) 1076–1090. data, in: IEEE 16th International Symposium on Network Computing and
[7] Deepayan Bhowmik, Charith Abhayaratne, Quality scalability aware water- Applications, NCA, 2017, pp. 1–5.
marking for visual content, IEEE Trans. Image Process. 25 (11) (2016) 5158– [41] E. Rescorla, Diffie-Hellman Key Agreement Method, Network Working Group,
5172. RFC2631.
[8] Javier Franco-Contreras, Gouenou Coatrieux, Robust watermarking of rela- [42] N. Kaur, R. Nagpal, Authenticated Diffie-Hellman key exchange algorithm, Int.
tional databases with ontology-guided distortion control, IEEE Trans. Inf. J. Comput. Sci. Inf. Technol. 5 (4) (2014) 5404–5408.
Forensics Secur. 10 (9) (2015) 1939–1952. [43] H. Orman, the OAKLEY Key Determination Protocol, Network Working, Group
[9] Uhl Andreas, Andreas Pommer, Image and Video Encryption, Springer Press, Request for Comments:2412.
2005. [44] G. Ateniese, M. Steiner, G. Tsudikc, New multiparty authentication services and
[10] Lini Abraham, Neenu Daniel, Secure image encryption algorithms: A review, key agreement protocols, IEEE J. Commun. 18 (4) (2000) 628–639.
Int. J. Sci. Technol. 2 (4) (2013) 186–189. [45] O. Goldreich, Secure multi-party computation, Manuscript. Preliminary ver-
[11] N.K. Pareek, V. Patidar, K.K. Sud, Image encryption using chaotic logistic map, sion, 1998.
Image Vis. Comput. 24 (9) (2006) 926–934. [46] A. Boldyreva, Threshold signatures, multisignaturesand blind signatures based
[12] S.J. Shyu, Image encryption by random grids, Pattern Recognit. 40 (3) (2007) on the gap-diffiehellman-group signature scheme, in: Public Key
1014–1031. Cryptography—PKC 2003, Springer, 2002, pp. 31–46.
[13] R. Lukac, K.N. Plataniotis, Bit-level based secret sharing for image encryption, [47] S.S.M. Chow, L.C.K. Hui, S.M. Yiu, K.P. Chow, Forward-secure multisignature
Pattern Recognit. 38 (5) (2005) 767–772. and blind signature schemes, Appl. Math. Comput. 168 (2) (2005) 895–908.
[14] Chang’e Dong, Color image encryption using one-time keys and coupled [48] C. Claude, J. Stanisław, K. Jihye, T. Gene, Secure acknowledgment aggregation
chaotic systems, Signal Process., Image Commun. 29 (5) (2014) 628–640. and multisignatures with limited robustness, Comput. Netw. 50 (10) (2006)
[15] Osama Ahmed Khashan, Abdullah Mohd Zin, An efficient adaptive of transpar- 1639–1652.
ent spatial digital image encryption, Procedia Technol. 11 (1) (2013) 288–297. [49] T.S. Wu, C.L. Hsu, ID-based multi-signatures with distinguished signing au-
[16] Ferdinando Di Martino, Salvatore Sessa, Fragile watermarking tamper detec- thorities for sequential and broadcasting architectures, Appl. Math. Comput.
tion with images compressed by fuzzy transform, Inform. Sci. 195 (13) (2012) 131 (2) (2002) 349–356.
62–90. [50] N. Koblitz, Elliptic curve cryptosystems, Math. Comp. 48 (177) (1987) 203–209.
[17] C.L. Chen, A secure and traceable E-DRM system based on mobile device, [51] V.S. Miller, Use of elliptic curve in cryptography, in: Advances in Cryptology-
Expert Syst. Appl. 35 (3) (2008) 878–886. CRYPTO’85, in: Lecture Notes in Computer Science, vol. 218, 1986, pp. 417–
[18] C.C. Chang, J.H. Yang, D.W. Wang, An efficient and reliable E-DRM scheme for 426.
mobile environments, Expert Syst. Appl. 37 (9) (2008) 6176–6181. [52] D. Johnson, A. Menezes, S. Vanstone, The elliptic curve digital signature algo-
[19] C.C. Chang, S.C. Chang, J.H. Yang, A practical secure and efficient enterprise rithm (ECDSA), Int. J. Inf. Secur. 1 (1) (2001) 36–63.
digital rights management mechanism, Secur. Commun. Netw. 6 (8) (2013) [53] B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in
972–984. C, second ed., John Wiley & Sons, Inc, 1995.
[20] A.K. Das, D. Mishra, S. Mukhopadhyay, An anonymous and secure biometric- [54] OpenSSL. URL https://www.openssl.org.
based enterprise digital rights management system, Secur. Commun. Netw. [55] ANSI X9.62. Public Key Cryptography for the Finacial Service Industry: The
8 (18) (2016) 3383–3404. Elliptic Curve Digital Signature Algorithm (ECDSA).1999.
[21] S. Nakamoto, Bitcoin: A peer-to-peer electronic cash system, 2008. URL https: [56] IEEE P1363. Standard Specifications for Public-Key Cryptography. IEEE. Stan-
//bitcoin.org/bitcoin.pdf. dard.P1363, 2000.
[22] The Bitcoin Project. URL https://bitcoin.org.
[23] The Ethereum Project. URL https://www.ethereum.org.
[24] The Hyperledger Project. URL http://www.hyperledger.org.
[25] M.B. Taylor, The evolution of bitcoin hardware, Computer 50 (9) (2017) 58–66. Zhaofeng Ma, Ph.D. Degree, IEEE Member, CCF member.
[26] S. Bag, S. Ruj, K. Sakurai, Bitcoin block withholding attack: Analysis and He engages in science research and education work in
mitigation, IEEE Trans. Inf. Forensics Secur. 12 (8) (2017) 1967–1978. School of Cyberspace Security, Beijing University of Posts
[27] F. Tschorsch, B. Scheuermann, Bitcoin and beyond: A technical survey on and Telecommunications, Beijing, China. He is now the
director of Blockchain Joint Lab between BUPT–BCT. He
decentralized digital currencies, IEEE Commun. Surv. Tutor. 18 (3) (2016)
received his Ph.D. degree from Xi’an Jiaotong University
2084–2123.
in 2004. He did his post-doctor research work in Tsinghua
[28] Matevž Pustišek, Andrej Kos, Approaches to front-end IoT application develop-
University during 2005–2007. Since 2007, he built up the
ment for the Ethereum Blockchain, Procedia Comput. Sci. 129 (2018) 410–419. research group and engaged in science research work in
[29] K. O’Hara, Smart contracts - dumb idea, IEEE Internet Comput. 21 (2) (2017) Beijing University of Posts and Telecommunications, His
97–101. research interests include blockchain, mobile Internet in-
[30] K. Alabi, Digital blockchain networks appear to be following metcalfe’s law, novation and security, digital rights management. He finished or presided over 12
Electron. Commer. Res. Appl. 24 (2017). research projects and built up 4 security-related Joint Labs (including BUPT–BCT
[31] E. Androulaki, A. Barger, V. Bortnikov, et al., Hyperledger Fabric: A Distributed Blockchain Joint Lab). He is now engaging in blockchain research and development
Operating System for Permissioned Blockchains, 2018. work based on the popular blockchain platforms including Bitcoin, Ethereum and
[32] V. Dhillon, D. Metcalf, M. Hooper, The Hyperledger Project, 2017. Hyperledger, and as the director, he guided and finished the 5 blockchain projects
[33] L. Luu, V. Narayanan, C. Zheng, K. Baweja, S. Gilbert, P. Saxena, A secure in BUPT–BCT Joint Lab. (Email: mzf@bupt.edu.cn).
sharing protocol for open blockchains, in: Proceedings of the 2016 ACM SIGSAC
Conference on Computer and Communications Security, 2016, pp. 17–30.
Ming Jiang received the Ph.D. degree from Beijing Uni-
[34] A. Wright, P.D. Filippi, Decentralized Blockchain Technology and the Rise of
versity of Posts and Telecommunications in 2012. He is
Lex Cryptographia, Social Science Electronic Publishing, 2015.
now an associate researcher in intelligent audio and video
[35] G. Zyskind, O. Nathan, A. Pentland, Decentralizing privacy: Using blockchain to
department and takes part in technological innovation in
protect personal data, in: IEEE symposium on Security and Privacy, 2015, pp.
the Third Research Institute of China Electronics Technol-
180–184. ogy Group Corporation. His research interests include dig-
[36] A.E. Kosba, A.J. Miller, E. Shi, Z. Wen, C. Papamanthou, Hawk: The Blockchain ital watermarking, digital rights management. He finished
model of cryptography and privacy-preserving smart contracts, in: IEEE sym- more than 10 research projects of digital watermarking.
posium on security and privacy, 2016, pp. 839–858. (Email: jiangandming@aliyun.com).
764 Z. Ma et al. / Future Generation Computer Systems 89 (2018) 746–764

Hong ming Gao is a Ph.D. candidate in School of Cyber Zheng Wang is a Ph.D. candidate in School of Cyber Secu-
Security, Beijing University of Posts and Telecommunica- rity, Beijing University of Posts and Telecommunications.
tions. His research interests include blockchain, applied His research interests include blockchain, mobile Internet
cryptography and digital rights management. He finished security and digital rights management. He participated
the Blockchain platform of BUPT–BCT Joint Lab. (Email: and finished the Blockchain platform of BUPT–BCT Joint
gaohm@bupt.edu.cn). LAB, and mobile internet security projects of BUPT. (Email:
wangzhen@bupt.edu.cn).