Traitor Tracing Vijay Ramachandran CS 655: E-commerce Foundations October 10, 2000

The Situation Mass distribution or broadcast of content Limited set of authorized users Threat of unauthorized users Source

The Problems Cleartext leak Key leak Broadcast on a pirate network

The Goal Trace the source of piracy (the traitor) Prevent it and those relying on it from further access to the content Supply legal evidence of the traitor’s identity and take legal measures Do not harm or inconvenience legitimate users

The Idea Encrypt or modify the content in a different way for each authorized user (a variant) Figure out which variant the leaked or pirated content is Prosecute the traitor who received that variant

Obvious Solutions Have Obvious Problems Comparison of variants can reveal watermark Translation to cleartext creates leak opportunity Too much storage / transmission overhead ··· ··· ··· ···

Important Papers Chor, Fiat, Naor ’94 (key leak) Fiat & Tassa ’99 (cleartext rebroadcast) Boneh & Shaw ’95 (watermarking)

CFN ’94, Basic Idea Divide content into blocks and encrypt each block Create a set of keys that can be used to decrypt each block Map each user to a set of keys for each block (personal key) Personal key Decryption key Content Encrypted content

CFN ’94, Properties Content replication is “minimal” Pirate decoder capture reveals the keys it uses Users require keys for each block Traitors can be identified based on map from users to personal keys

CFN ’94, Issues Analysis is probabilistic –Chance of false incrimination is negligible, not zero Requires an upper bound on the size of a colluding group of traitors –This bound, and the number of users, should be set initially –Can guarantee finding one traitor

CFN ’94 Schemes Open scheme: algorithm is public but keys are secret Closed scheme: algorithm and keys are secret User/decryption scheme: part of algorithm that deals with distribution to authorized users Tracing algorithm: invoked when a pirate decoder is captured

An Open Scheme Choose l hash functions {h i } : {1, …, n}  S i = {s i1, …, s i 2k 2 } where |S i |= 2k 2. These are keys for block i. Each user u gets a personal key {h 1 (u), h 2 (u), …, h l (u)}. Let the decryption key d be the XOR of l keys d 1, …, d l. Encrypt each d i with each key in S i.

An Open Scheme Each user has one key from each S i so they can decrypt each d i and get d. k traitors can choose one key from each S i to form F for the decoder. When F is captured, for each i, mark all the users in the set h i -1 (f i ) where f i  S i  F. Most marks = traitor.

A Secret Scheme Mostly same as the open scheme Assign each user a secret “name” Choose random hash functions {h i } that map from names to sets S i, but |S i | = 4k, not 2k 2. The hash functions are secret. The user still receives l keys.

Probability of False Incrimination Scheme can make mistakes Open scheme: O(k 2 log n) keys (l), requiring O(k 4 log n) encryptions. Secret scheme: O(k log(n/p)) keys, requiring O(k 2 log (n/p)) encryptions. p is a secret scheme parameter – (1-p) is the success probability for p of the sets of k colluding traitors

Fiat & Tassa ’99, Overview Attacks problem of a pirate network Considers difference between: –Dynamic watermarking problem: can see pirate network and get continual feedback about leaks to adjust next broadcast –Static watermarking problem: content is marked only once; tracing is done one piracy is found

Dynamic Watermarking Watermarking: produce different variants of the content for each user (in CFN ’94, the keys are the “watermark” portion) Detect which variant is leaked onto the pirate network Change variants to isolate the traitor and disconnect them during transmission

An Efficient Dynamic Scheme Start with I = {all users}, P = {I}. Repeat: –For each S  P, transmit a different variant. –From the pirate network, determine which variant was leaked. –If the variant was sent to I then split I in half, into L i and R i. Add these to P and set I empty.

An Efficient Dynamic Scheme If the variant was sent to some L i (or R i, but then switch L and R): –Add the users in R i to I –If L i is a singleton, we have a traitor! Disconnect the user immediately. –Otherwise split L i into two new halves L j and R j.

Performance Analysis p is the number of traitors we want to be able to capture The number of variants needed is at most 2p+1 The amount of time needed to disconnect the p traitors is at most p log n + p

Dynamic Scheme Issues We may still need to start with some bound on the number of traitors p, but this can be altered (unlike the static or CFN ’94 case) Limited by bandwidth, since variants of all the content must be sent multiple times

Watermarking Assumptions Similarity: All the variants must carry the same content without distortion, as far as the users can tell What happens if not? Robustness: With some set of variants, it is impossible to create some untraceable variant

The Static Case Before distribution, variants of the content are watermarked Determine the traitor by matching their variant to the pirate copy Use probabilistic algorithm – do deterministic algorithms use exponential resources?

Lower Bounds The pirate controls p traitors. There is a deterministic algorithm with the number of variants p + 1, but any algorithm using fewer variants cannot be deterministic. In the static case, there is a minimum number of blocks needed to capture a traitor with probability 1 – .

Open Problems Proofs for CFN traitor tracing are not constructive Deterministic watermarking algorithm of size p+1 with convergence time polynomial in p Probabilistic dynamic algorithms Must deterministic static schemes be exponential? Practical issues (CD-ROM copying, etc.)