On a Traitor Tracing Scheme from ACISP 2003

Dongvu Tonien
dong@uow.edu.au

Abstract. At the ACISP 2003 conference, Narayanan, Rangan and Kim proposed a secret-key traitor tracing scheme for pay TV systems. In this note, we point out a flaw in their scheme.

1 The Narayanan-Rangan-Kim scheme

Let $m$ be the number of services (data providers), $n$ be the number of users, $t$ be the collusion threshold, and S be the tolerance bound on accusing innocent users as traitors. Let $e$ denote the Euler constant. The following describes the main algorithms in the Narayanan-Rangan-Kim pay TV scheme.

Algorithm Setup: with security parameter $\ell$, the setup algorithm does the following.
- Choose two large primes $p$, $q$ and set $N = pq$ such that $N$ has $\ell$ bits;
- Choose a random number $R$ such that $R\phi(N) + 1$ has a divisor $d$ of roughly $\ell$ bits;
- Choose $2\ell$-bit numbers $d_1, d_2, d_3$ which are divisible by $d$ and $\gcd(d_1, d_3) = d$;
- Choose random numbers $d_4, d_5, \ldots, d_{t+4} \in \{1, 2, \ldots, \phi(N)\}$;
- Run the constraint generation algorithm: Generate et logs constraints divided into h = e logs groups. A constraint $\gamma = (\mu_0, \mu_1, \mu_2, \ldots, \mu_t, P)$ represents the equation $\sum_{i=0}^{t} \mu_i x_i \equiv 0 \pmod{P}$, where $P$ is a prime. Each constraint group contains $t$ constraints of the same prime;
- For each $j = 1, \ldots, n$, generate a vector $x = (x_0, x_1, \ldots, x_t) = (e_{4,j}, e_{5,j}, \ldots, e_{t+4,j})$ as follows: select each of the constraints with probability 1 — x is constructed so that it satisfies all the selected constraints.

Algorithm Add User: if a user $U_j$ ($1 \le j \le n$) joins the system, do the following.
1. Select a random even number $e_{1,j}$;
2. Retrieve the vector $(e_{4,j}, e_{5,j}, \ldots, e_{t+4,j})$ from the Setup algorithm;
3. Choose $e_{2,j}$ and $e_{3,j}$ so that $\sum_{k=1}^{t+4} e_{k,j} d_k = R\phi(N) + 1$;
4. Give user $U_j$ the following $(t+4)$-tuple $(e_{1,j}, e_{2,j}, e_{3,j}, e_{4,j}, e_{5,j}, \ldots, e_{t+4,j})$ as his/her secret decryption key.

Algorithm AddStream: if a data provider (or stream) $S_i$ joins the system, do the following.
- Give the $t + 4$ secret numbers $d_1, d_2, \ldots, d_{t+4}$ to $S_i$;
- Choose a random $g_i$ of high order modulo $N$;
- Give $S_i$ the value $g_i$ as its secret encryption key.

Algorithm Subscribe: if a user $U_j$ subscribes to a stream $S_i$, do the following.
- Set the subscribe matrix entry Subsc[i, j] = 1;
- Give user $U_j$ the value $g_i^{e_{1,j}}$.

Algorithm Unsubscribe: if a user $U_j$ unsubscribes from a stream $S_i$, do the following.
- Set the subscribe matrix entry Subsc[i, j] = 0;
- Reset the value $g_i$ of the stream $S_i$ to a new value new $g_i$;
- Re-subscribe all users who are currently subscribed to $S_i$ (that is, give each user $U_k$ that subscribes to $S_i$ the new value new $g_i^{e_{1,k}}$).

Algorithm Broadcast: if a stream $S_i$ wants to broadcast a program $M$, then $S_i$ uses its secret encryption key $g_i$ to do the following.
- Choose a random number $z$ coprime to $\phi(N)$;
- Calculate and broadcast the following ciphertext:

$$(z, C_1, C_2, C_3, \ldots, C_{t+4}) = (z, M^{d_1} g_i^{z}, M^{d_2}, M^{d_3}, \ldots, M^{d_{t+4}}).$$

Algorithm Decryption: if user $U_j$ subscribes to stream $S_i$, then $U_j$ can use its secret encryption key $(e_{1,j}, e_{2,j}, \ldots, e_{t+4,j})$ and the value $g_i^{e_{1,j}}$ to decrypt a ciphertext $(z, C_1, C_2, C_3, \ldots, C_{t+4})$ broadcast by $S_i$ as follows:

$$M = \frac{C_1^{e_{1,j}} C_2^{e_{2,j}} C_3^{e_{3,j}} \cdots C_{t+4}^{e_{t+4,j}}}{(g_i^{e_{1,j}})^{z}}.$$

2 A Flaw

The flaw is in the algorithm Add User. In step 3 of this algorithm, two numbers $e_{2,j}$, $e_{3,j}$ must be chosen so that

$$e_{1,j} d_1 + e_{2,j} d_2 + e_{3,j} d_3 + e_{4,j} d_4 + e_{5,j} d_5 + \cdots + e_{t+4,j} d_{t+4} = R\phi(N) + 1.$$

Since $d_1$, $d_2$ and $d_3$ are all divisible by $d$, the necessary condition for this equation to be solvable for $e_{2,j}$, $e_{3,j}$ is

$$\Delta_j = e_{4,j} d_4 + e_{5,j} d_5 + \cdots + e_{t+4,j} d_{t+4} - (R\phi(N) + 1) \equiv 0 \pmod{d}.$$

Therefore, we have $n$ equations on the $t + 1$ numbers $d_4, d_5, \ldots, d_{t+4}$ as follows:

$$\begin{aligned}
\Delta_1 &= e_{4,1} d_4 + e_{5,1} d_5 + \cdots + e_{t+4,1} d_{t+4} - (R\phi(N) + 1) \equiv 0 \pmod{d} \\
\Delta_2 &= e_{4,2} d_4 + e_{5,2} d_5 + \cdots + e_{t+4,2} d_{t+4} - (R\phi(N) + 1) \equiv 0 \pmod{d} \\
&\;\;\vdots \\
\Delta_n &= e_{4,n} d_4 + e_{5,n} d_5 + \cdots + e_{t+4,n} d_{t+4} - (R\phi(N) + 1) \equiv 0 \pmod{d}
\end{aligned}$$

Since $n$ is much larger than $t$, this is unlikely to be satisfied. Note that in the algorithm Setup, the $t + 1$ numbers $d_4, d_5, \ldots, d_{t+4}$ are chosen randomly and independently of the generation of the $n$ vectors $(e_{4,1}, \ldots, e_{t+4,1}), (e_{4,2}, \ldots, e_{t+4,2}), \ldots, (e_{4,n}, \ldots, e_{t+4,n})$.

Since the flaw is in a crucial component of the system, the Add User algorithm, the pay TV scheme proposed by Narayanan, Rangan and Kim is unusable.

References

[1] A. Narayanan, C.P. Rangan and K. Kim, Practical Pay TV Schemes, ACISP'03, LNCS 2727 (2003), pp. 192-203.
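The solvability condition from Section 2 can be checked numerically. The following is an added example, not code from the note or from the Narayanan-Rangan-Kim paper: it runs step 3 of Add User on toy parameters and reports how many users can actually be issued a key. The parameter values, the function names, and the use of uniformly random vectors in place of the constraint-generated ones are assumptions made for illustration.

```python
import random

# Toy Setup parameters (constructed; far too small for real use).
P, Q, R = 23, 29, 3
PHI = (P - 1) * (Q - 1)              # phi(N) = 616
TARGET = R * PHI + 1                 # R*phi(N) + 1 = 1849 = 43 * 43
D = 43                               # divisor d of R*phi(N) + 1
D1, D2, D3 = 4 * D, 9 * D, 25 * D    # multiples of d, pairwise gcd equal to d

def ext_gcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = ext_gcd(b, a % b)
    return g, y, x - (a // b) * y

def delta(e_tail, d_tail):
    """Delta_j = e_4 d_4 + ... + e_{t+4} d_{t+4} - (R*phi(N) + 1)."""
    return sum(e * dk for e, dk in zip(e_tail, d_tail)) - TARGET

def solve_e2_e3(e1, e_tail, d_tail):
    """Step 3 of Add User: integers (e2, e3) completing the key, or None."""
    rhs = -delta(e_tail, d_tail) - e1 * D1   # must equal e2*D2 + e3*D3
    g, x, y = ext_gcd(D2, D3)
    if rhs % g != 0:
        return None                          # no integer solution exists
    return x * (rhs // g), y * (rhs // g)

def simulate(n=2000, t=3, seed=1):
    """Run Add User for n users; return ([(Delta_j mod d, solution)], d_tail)."""
    rng = random.Random(seed)
    d_tail = [rng.randint(1, PHI) for _ in range(t + 1)]   # d_4 .. d_{t+4}
    results = []
    for _ in range(n):
        e1 = 2 * rng.randint(1, PHI // 2)                  # random even e_1
        # Assumption: a random vector stands in for the constraint-derived one.
        e_tail = [rng.randint(1, PHI) for _ in range(t + 1)]
        sol = solve_e2_e3(e1, e_tail, d_tail)
        results.append((delta(e_tail, d_tail) % D, sol))
    return results, d_tail

if __name__ == "__main__":
    results, _ = simulate()
    ok = sum(1 for _, sol in results if sol is not None)
    print(f"{ok} of {len(results)} users can be issued a key")
```

With these toy values a solution exists exactly when $\Delta_j \equiv 0 \pmod{d}$, so only about one user in $d$ receives a key; for a $d$ of roughly $\ell$ bits that fraction is negligible.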