Traitor Tracing Papers Benny Chor, Amos Fiat and Moni Naor, Tracing Traitors (1994) Moni Naor and Benny Pinkas, Threshold Traitor Tracing (1998) Presented.

Slides:



Advertisements
Similar presentations
Relations, Functions, and Matrices Mathematical Structures for Computer Science Chapter 4 Copyright © 2006 W.H. Freeman & Co.MSCS SlidesThe Mighty Mod.
Advertisements

Tests of Hypotheses Based on a Single Sample
Computer Security Set of slides 4 Dr Alexei Vernitski.
Visual Cryptography Moni Naor Adi Shamir Presented By:
Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format
An Approximate Truthful Mechanism for Combinatorial Auctions An Internet Mathematics paper by Aaron Archer, Christos Papadimitriou, Kunal Talwar and Éva.
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
Bounds on Code Length Theorem: Let l ∗ 1, l ∗ 2,..., l ∗ m be optimal codeword lengths for a source distribution p and a D-ary alphabet, and let L ∗ be.
Section 3.8: More Modular Arithmetic and Public-Key Cryptography
Traitor Tracing Vijay Ramachandran CS 655: E-commerce Foundations October 10, 2000.
Broadcast Encryption and Traitor Tracing Jin Kim.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
1.  The set N = {1,2,3,4,……..} is known as natural numbers or the set of positive integers  The natural numbers are used mainly for :  counting  ordering.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Apr 30, 2002Mårten Trolin1 Previous lecture – passwords Passwords for authentication –Storing hashed passwords –Use of salt Passwords for key generation.
Introduction to Modern Cryptography, Lecture ?, 2005 Broadcast Encryption, Traitor Tracing, Watermarking.
Mar 25, 2003Mårten Trolin1 Previous lecture – smart-cards Card-terminal authentication Card-issuer authentication.
Ref. Cryptography: theory and practice Douglas R. Stinson
Establishment of Conference Keys in Heterogeneous Networks Wade Trappe, Yuke Wang, K. J. Ray Liu ICC IEEE International Conference.
Tirgul 8 Universal Hashing Remarks on Programming Exercise 1 Solution to question 2 in theoretical homework 2.
Efficient fault-tolerant scheme based on the RSA system Author: N.-Y. Lee and W.-L. Tsai IEE Proceedings Presented by 詹益誌 2004/03/02.
Intro To Encryption Exercise 1. Monoalphabetic Ciphers Examples:  Caesar Cipher  At Bash  PigPen (Will be demonstrated)  …
August 6, 2003 Security Systems for Distributed Models in Ptolemy II Rakesh Reddy Carnegie Mellon University Motivation.
Copyright © Cengage Learning. All rights reserved.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.
Control Charts for Attributes
Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
8. Data Integrity Techniques
Tonga Institute of Higher Education Design and Analysis of Algorithms IT 254 Lecture 9: Cryptography.
The RSA Algorithm Rocky K. C. Chang, March
1 AN EFFICIENT METHOD FOR FACTORING RABIN SCHEME SATTAR J ABOUD 1, 2 MAMOUN S. AL RABABAA and MOHAMMAD A AL-FAYOUMI 1 1 Middle East University for Graduate.
Chapter 6 The Normal Probability Distribution
CS548 Advanced Information Security Presented by Gowun Jeong Mar. 9, 2010.
Fingerprinting & Broadcast Encryption for Content Protection.
Anti-collusion fingerprinting for Multimedia W. Trappe, M. Wu, J. Wang and K.J. R. Liu, IEEE Tran. Signal Processing, Vol. 51, No. 4, April 2003.
Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Broadcast Encryption Amos Fiat & Moni Naor Presented.
Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Collusion-Resistant Group Key Management Using Attribute-
Foundations of Cryptography Lecture 6 Lecturer: Moni Naor.
Section 4.4: The RSA Cryptosystem Practice HW Handwritten and Maple Exercises p at end of class notes.
Chapter 16 Security Introduction to CS 1 st Semester, 2012 Sanghyun Park.
Cryptography Lecture 2 Stefan Dziembowski
CSCI 172/283 Fall 2010 Hash Functions, HMACs, and Digital Signatures.
A secure re-keying scheme Introduction Background Re-keying scheme User revocation User join Conclusion.
Error Control Code. Widely used in many areas, like communications, DVD, data storage… In communications, because of noise, you can never be sure that.
Network Security – Special Topic on Skype Security.
Alternative Wide Block Encryption For Discussion Only.
Lecture 2: Introduction to Cryptography
Packet-Marking Scheme for DDoS Attack Prevention
CRYPTOGRAPHY. WHAT IS PUBLIC-KEY ENCRYPTION? Encryption is the key to information security The main idea- by using only public information, a sender can.
22C:19 Discrete Structures Integers and Modular Arithmetic Fall 2014 Sukumar Ghosh.
NEW DIRECTIONS IN CRYPTOGRAPHY Made Harta Dwijaksara, Yi Jae Park.
Secure Computation Lecture Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.
1 Traitor Tracing. 2 Outline  Introduction  State of the art  Traceability scheme  Frameproof code  c-secure code  Combinatorial properties  Tracing.
Computer Science Revocation and Tracing Schemes for Stateless Receivers Dalit Naor, Moni Naor, Jeff Lotspiech Presented by Attila Altay Yavuz CSC 774 In-Class.
Network Security. Three tools Hash Function Block Cipher Public Key / Private Key.
The inference and accuracy We learned how to estimate the probability that the percentage of some subjects in the sample would be in a given interval by.
1 The RSA Algorithm Rocky K. C. Chang February 23, 2007.
Cryptography services Lecturer: Dr. Peter Soreanu Students: Raed Awad Ahmad Abdalhalim
© 2010 Pearson Prentice Hall. All rights reserved Chapter Hypothesis Tests Regarding a Parameter 10.
Visual Cryptography Given By: Moni Naor Adi Shamir Presented By: Anil Vishnoi (2005H103017)
1 Introduction to Quantum Information Processing CS 467 / CS 667 Phys 467 / Phys 767 C&O 481 / C&O 681 Richard Cleve DC 3524 Course.
Trigonometric Identities
Functions Defined on General Sets
Broadcast Encryption Amos Fiat & Moni Naor Advances in Cryptography - CRYPTO ’93 Proceeding, LNCS, Vol. 773, 1994, pp Multimedia Security.
Presentation transcript:

Traitor Tracing Papers Benny Chor, Amos Fiat and Moni Naor, Tracing Traitors (1994) Moni Naor and Benny Pinkas, Threshold Traitor Tracing (1998) Presented By: Anukool Lakhina, Keren Pinkas and Scott Savarese

How this Presentation is Organized  First, we motivate and introduce the General Traitor Tracing problem that we want to solve.  Next, we introduce two methods to solve this problem.  We then analyze the efficiency of each method.  We conclude with a concrete example.

Motivation We want to trace the source of leaks when sensitive or proprietary data is made available to a large set of parties.

Typical Scenario We are Cablevision. We only want to broadcast to legal subscribers (all of which have a special decrypting key). Suppose Professor Itkis is a subscriber who with other subscribers designs a device which will allow people to view our broadcasts without paying. The Goal: After confiscating this device, how do we figure out who supplied the keys which decrypt our broadcasts. This is the basic idea of Traitor Tracing.

Basic Definitions  Data Provider: Cablevision (Us).  Traitor (Pirate): Professor Itkis and his friends.  Content: Our encrypted broadcasts.  Pirate Decoder: Device used by the pirates to decrypt our encrypted broadcasts.

Basic Assumptions  Two types of pirate decoders: –1) Created by obtaining keys from legitimate users. –2) Created by breaking the underlying encryption.  We assume that our encryption scheme is difficult to break. So, we only care about Type 1.  We only want to find the traitor who contributed the largest number of keys.

Addressing the Problem  Two methods: –1) k-Resilient Traitor Tracing (Fully Resilient Traitor Tracing) –2) Threshold Traitor Tracing  k-Resilient Traitor Tracing Scheme catches anyone who can illegally decrypt our encrypted broadcast.  Threshold Traitor Tracing Scheme catches anyone who can illegally decrypt more than a specified fraction of our encrypted broadcast.

Efficiency Parameters We measure the efficiency of these solutions in terms of the following parameters:  (a) Memory and Computation requirements for the user.  (b) Memory and Computation requirements for the Data Provider  (c) Data Redundancy Overhead – How much more data do we need to broadcast in order to be trace traitors.

k-Resilient Traitor Tracing (Fully Resilient Traitor Tracing)

k-Resilient Tracing  A scheme is k-resilient if it can correctly identify a traitor and not an innocent user even if k traitors combine and collude.  We are only able to catch the traitor who submits the most keys to the pirate decoder.

How Data is Broadcasted  Broadcast is broken up into pieces  Each piece contains two parts: the enabling block and the cipher block. Message =  Cipher Block is created using a secret key or one time pad obtained by decrypting the information in the enabling block.

One Level Open Scheme The simplest  Maps n users into a set of 2k 2 encryption keys  Users Keys, P(u) = O(k 2 log n)  Enabling Block = O(k 4 log n )

Initialization  We create l first-level hash functions.  Each h i maps a particular user, u into one of 2k 2 sets.  Thus the personal key for a user contains l keys

Distribution of Secret  The cipher block is encrypted with either a one time pad or secret key s.  Key s is broken into l pieces such that s = s 1 XOR s 2 XOR … s i … XOR s l  Each s i is encrypted with each of the 2k 2 keys.

Decryption of Cipher Block  Each user has a key for each row i in the enabling block.  They are able to decrypt s i and thus are able to obtain s  With s they obtain the information in the cipher block

Creation of a Pirate Decoder  At most k people get together.  For each i from 1 to l, the create a set of keys F.  Without keys for each of the l rows they are unable to decrypt the cipher block.  With all l keys they are able to decrypt every secret they receive.

Detection of Traitors  Using black box techniques the set of keys F is determined.  For each row i we perform h -1 (f i ). This gives us a set of users that map to that key. We mark each user.  After obtaining the list of users for all l keys, the user seen the most is the traitor.

Proof  Each traitor in coalition gives at most l/k keys.  For each row i the coalition has at most k keys. The probability that a particular user’s key is one of the k keys is 1/2k.  Must create l such that the number of an innocent user’s keys that are exposed is less than l/k.

Results  We determine l to be 4k 2 log n  Thus, the number of keys a user has is 4k 2 log n  The enabling block consists of 8k 4 log n

Secret One-Level Scheme  Keeps the hash mapping secret  Lower costs then the one-level open scheme by a factor of k.  Simpler construction  Introduces a probability p which is the probability that pirates will create a device that is untraceable.

Secret scheme (contd.)  Same as one-level open scheme exact that instead of 2k 2 groups there are only4k.  The number of keys that a user has is (4/3)k log (n/p)  The number of keys in the enabling block is (16/3)k 2 log (n/p)

Threshold Traitor Tracing

 Suppose Cablevision divides a program into 1 minute segments. An illegal decoder which can decrypt 90% of these segments will fail to decode one minute out of ten minutes. Will you pay for such a decoder?  So, for many applications, a decoder which can decrypt with a low success probability is useless.  So the real threat are decoders which can decrypt, say, 99% of all the segments. Threshold Traitor Tracing only concerns with these decoders.  We want to be able to catch a true traitor with probability 1-p. (So ideally, we want p to be very very small.)

How do we distribute the Content  We generate a meta-key which contains a base set A of random keys and we assign l keys to each user.  These l keys form the user’s Personal Key. (Two users cannot have exactly the same set of keys.)  A program is always broadcasted in segments. Each segment consists of two parts: an enabling block and a cipher block. Message =  Cipher Block is the encrypted program segment, using some secret key s.  Enabling Block allows authorized users to obtain the secret key, s.

A One-Level q-Threshold Scheme  Specify our threshold by q. (That is, we want to catch all decoders that can decode q of the broadcast segments.)  Let n be the number of legal subscribers.  Let k be the number of traitors.

We address the following about One- Level Threshold Traitor Tracing  Initialization  Distribution of Secret  Decryption Procedure  Parameters Involved  Tracing Procedure  Analysis

1) Initialization:  We have a set of l hash functions {h 1, h 2, …,h l } which are chosen at random.  Each hash function maps a particular user, u into one of a 4k random keys.  So, user u receives l keys: {h 1 (u), h 2 (u), …, h l (u)}.  All this can be represented very nicely in a l x 4k matrix A.

2) Distribution of Secret  Let s be the secret key to be distributed. We (The Data Provider) divide the secret key, into t shares, where t is random, and 0 < t <= l.  We ensure that s = s 0 xor s 1 xor … xor s t  Each s i is encrypted using each of the 4k keys of the corresponding row in matrix A. (continued…)

Distribution of Secret (contd.)  Let w be a fraction such that q <= w < 1.  The scheme divides the secret into t shares and ensures that a decoder which contain keys from a fraction of at least w of the l rows would be able to decrypt the secret with probability greater than q.

3) Decryption  Each authorized user has one key from every row and is therefore always able to decrypt every s i and compute s.

4) Parameters  Memory Required per user is m=l keys.  Amount of work that each user performs to reveal a key is O(t).  Data Redundancy Overhead is r=4kt.

5) Tracing  We are only concerned with decoders that have keys from wl rows. (Since only these decoders can decrypt with probability q).  Suppose we have the set of keys F that a pirate decoder uses to crack our encrypted broadcast. Suppose F contains at least one key from each of the wl rows of Matrix A. Denote these rows by r 1, r 2,…, r wl and denote the key common to F and row r i as f r i. Since we know the hash function, h r i we can compute its inverse and determine the users of that key.  The user with the largest number of marks is our traitor.

6) Analysis of One-Level Threshold  There are k traitors.  On average, each traitor contributes wl/k keys to F.  How do we know that an innocent user say, Alice, is not identified as a traitor?  The probability that f r i equals the key mapped to Alice is 1/4k. So, the probability that at least wl/k of the keys of Alice are in F is at most 2^-3wl/4k. We choose an l such that the probability of this happening is very very small.

Results!  Recall q is our threshold value. k is the number of traitors. n is the number of users. 1-p is the probability of catching a true traitor. We have the following:  Personal Key, l, consists of (4k/3w) * log(n/p) keys.  Data Redundancy Overhead, 4kt, is: 4k* log(1/q) / log (1/w) keys.  Number of decryptions, that each user must perform is log(1/q) / log (1/w) decryptions. (So if w=q, number of decryptions needed is 1.)

Two Level k-Resilient Traitor Tracing (Fully Resilient TraitorTracing)

Two Level Open Scheme  Much more complicated than a one-level scheme.  More efficient by a factor of k.  User has 2k 2 log 2 k log n keys.  4k 3 log 4 k log n keys in the enabling block.

Two Level Threshold Traitor Tracing

Two Level Threshold Scheme  Two-Level Threshold Schemes are constructed from One-Level Threshold Schemes by using many One-Level Schemes and applying a hash function to map users to schemes  Advantages: Shorter key length than one-level  Disadvantages: Higher Data Redundancy than one-level.  In one-level, q is predefined. Two-level threshold schemes allow us to have q as a function of other parameters.

Results

Some Numbers:  Suppose: –number of users, n = 10 6 –number of traitors, k = 1000 –Our threshold, q = 0.75 q = 0.95 –Probability of finding the true traitor is 1-p (where p=10 -3 )  We have the following results 

Results Personal Key Data Redun.Decryption Operations Fully Resilient Open One-Level 80,000, x ,000,000 Fully Resilient Secret One-Level 40,000160,000,00040,000 Fully Resilient Secret Two Level 49621,270, Threshold One-Level (q = o.75) 53,0004,0001 Threshold Two-Level (q = 0.75) 3801,290,00013 Threshold One-Level (q = 0.95) 42,000 4,0001

Conclusions:  For many applications, there is no need to have a fully resilient tracing scheme.  Threshold Tracing Schemes are more efficient.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.