the secure embedding scheme (see Section II), it is hard to generate a watermarked version of c which has a low correlation with k0. An estimation attack usually yields a watermarked object that still correlates well with k0; a judge will reject the accusation on such an object, as it can only originate from a malicious seller (k0 is only available to the seller).

• Finally, can attempt to cheat in step 6 by submitting to the customer a wrongly encrypted watermark $E_K(n \| w \oplus k)$. However, this is detected by the client in step 7 by checking the integrity of the transaction number contained therein.

IV. CONCLUSION

In this correspondence, we proposed a buyer–seller protocol that utilizes the concepts of secure watermark embedding. In contrast to the known solutions, which use homomorphic public-key encryption on the content and impose impractical constraints on computational resources and transmission bandwidth, our protocol is efficient due to the use of recent secure embedding algorithms.