Efficient Fingerprinting to Protect Digital Content Josh Benaloh Gideon Yuval Microsoft Research FingerMark Andrew Rosen Microsoft Studios
Fingerprinting of Content If protected content is somehow released from a playback device, it may be desirable to have a method to enable identification of the device from which the content was released.
Fingerprinting by the Device A simple approach to fingerprinting is have have each playback device insert a unique identifying signal into its output stream. Drawbacks … A compromised player can bypass this step. Deployed fingerprinting schemes are difficult to update.
Differential Decryption It would be nice if it were possible to give different keys to each playback device such that the content is slightly different when decrypted with distinct keys.
Differential Decryption Encrypted Content Decrypted Content Decrypted Content Key 2 Key 1
Differential Decryption A simple observation is that differential decryption is possible to achieve (although usually impractical) by creating two separate and slightly different copies of the original content.
Differential Decryption Encrypted Content Decrypted Content Decrypted Content Key 2 Key 1
Differential Decryption Encrypted Content Decrypted Content Decrypted Content Key 2 Key 1 Encrypted Content
Differential Decryption The efficiency and utility of differential decryption can be greatly enhanced by dividing content into clips and separately encrypting two slightly different versions of each clip.
Differential Decryption Encrypted Clip 1AEncrypted Clip 1B Encrypted Clip 2AEncrypted Clip 2B Encrypted Clip 3AEncrypted Clip 3B Encrypted Clip 4AEncrypted Clip 4B
Differential Decryption Encrypted Clip 1AEncrypted Clip 1B Encrypted Clip 2AEncrypted Clip 2B Encrypted Clip 3AEncrypted Clip 3B Encrypted Clip 4AEncrypted Clip 4B Key 1A Key 2A Key 3A Key 4A Key 1B Key 2B Key 3B Key 4B
Differential Decryption Clear Clip 1AClear Clip 1B Clear Clip 2AClear Clip 2B Clear Clip 3AClear Clip 3B Clear Clip 4AClear Clip 4B Key 1A Key 2A Key 3A Key 4A Key 1B Key 2B Key 3B Key 4B
Differential Decryption If each playback device is given exactly one of the two decryption keys for each clip, the output generated by that device will form a pattern that can be regarded as a fingerprint of the device.
Differential Decryption Clear Clip 1AEncrypted Clip 1B Encrypted Clip 2AClear Clip 2B Clear Clip 3AEncrypted Clip 3B Clear Clip 4AEncrypted Clip 4B Key 1A Key 3A Key 4A Key 2B
Differential Decryption Encrypted Clip 1AClear Clip 1B Clear Clip 2AEncrypted Clip 2B Clear Clip 3AEncrypted Clip 3B Encrypted Clip 4AClear Clip 4B Key 2A Key 3A Key 1B Key 4B
Differential Decryption The content need not be doubled! It is not necessary to divide the entire content into clips!!! It is only necessary to place these parallel clips into a small portion of the content.
Differential Decryption Even if the keys are removed from a playback device, content decrypted with its keys will retain its fingerprint. The fingerprint is dependent only upon the decryption keys used – not the hardware that held them.
Differential Decryption Any method (such as watermarking) can be used to distinguish the two versions of each clip. The differentiation scheme is dynamic and need not be fixed by the playback device.
Are More Keys a Problem? The number of content keys that must be transmitted to a playback device seems to grow with the number of clips.
More Keys are not a Problem As many keys as desired can be packed into the space of a single key. Either of two crypto tricks can be used. 1.Broadcast Encryption 2.A new application of a technique invented by Chick and Tavares
Broadcast vs. Narrowcast The method can be illustrated by showing a grid of participants against clips. Each participant is entitled to the keys for the clips shown in orange.
Broadcast vs. Narrowcast Recipients Clips
Broadcast vs. Narrowcast Recipients Clips
Broadcast Using Broadcast Encryption, for each clip, the set of participants entitled to that clip is determined, and a single encryption of that clips key is produced that enables those (and only those) participants to derive that clips key.
Broadcast Recipients Clips
Broadcast Encryption One encryption per clip key. Time to encrypt/decrypt each clip key is proportional to number of copies of content distributed. Collusion can allow recipients access to keys to which they are not entitled.
Narrowcast Using the technique of Chick and Tavares, for each participant, the set of clips to which that participant is entitled is determined, and a single value is produced that allows the participant to derive those (and only those) clip keys.
Narrowcast Recipients Clips
Narrowcast Recipients Clips
Narrowcast One encryption per recipient. Time to encrypt/decrypt each clip key is proportional to the number of clip keys. Collusion does not provide access to additional clip keys. Amortization and other efficiencies can significantly reduce encrypt/decrypt times.
Narrowcast Some details of the mathematics behind the narrowcast method are presented in the following slides.
Narrowcast Clip 1A Clip 1B Clip 2A Clip 2B Clip 3A Clip 3B Clip 4A Clip 4B
Small Prime Assignment Clip 1A Clip 1B Clip 2A Clip 2B Clip 3A Clip 3B Clip 4A Clip 4B Prime 1A Prime 2A Prime 3A Prime 4A Prime 1B Prime 2B Prime 3B Prime 4B
Clip Key Encryption Select a large composite integer N. Let y in Z N *. Compute each clip key as y 1/p mod N where p is the small prime associated with the clip.
Clip Key Encryption Select a large composite integer N. Randomly select an integer x in Z N *. Let P = (all small clip primes). Let y = x P mod N. Compute clip key k = Hash(y 1/p mod N) where p is the small prime associated with the clip.
Clip Key Distribution For a given recipient, define ρ to be the product of all small clip primes associated with clips to which that recipient is not entitled. Give that recipient the amalgamated key value x ρ mod N.
Clip Key Decryption To obtain a single clip key, a recipient can take amalgamated clip key x ρ mod N. and raise it to the power of all appropriate small primes except the small prime p associated with the desired clip.
Security of other Keys Shamirs Root Independence Lemma (1980) shows that given y 1/p mod N and y 1/q mod N, finding y 1/r mod N is as hard as computing arbitrary roots modulo N (RSA assumption) unless r|(pq).
Amortization A set of m keys can be decrypted using time m log m beyond the time to decrypt a single key. After an initial step linear in the number of keys, each of m subsequent keys can be delivered in log m time.
Amortized Decryption 1,8 1,4 1,2 1,12,2 3,4 3,34,4 5,8 5,6 5,56,6 7,8 7,78,8
Amortized Decryption 1,8 1,4 1,2 1,12,2 3,4 3,34,4 5,8 5,6 5,56,6 7,8 7,78,8 x
Amortized Decryption 1,8 1,4 1,2 1,12,2 3,4 3,34,4 5,8 5,6 5,56,6 7,8 7,78,8 x xp5p6p7p8xp5p6p7p8
Amortized Decryption 1,8 1,4 1,2 1,12,2 3,4 3,34,4 5,8 5,6 5,56,6 7,8 7,78,8 x xp5p6p7p8xp5p6p7p8 xp1p2p5p6p7p8xp1p2p5p6p7p8
Amortized Decryption 1,8 1,4 1,2 1,12,2 3,4 3,34,4 5,8 5,6 5,56,6 7,8 7,78,8 x xp5p6p7p8xp5p6p7p8 xp1p2p5p6p7p8xp1p2p5p6p7p8 xp1p2p4p5p6p7p8xp1p2p4p5p6p7p8
Amortized Decryption 1,8 1,4 1,2 1,12,2 3,4 3,34,4 5,8 5,6 5,56,6 7,8 7,78,8 m leaves
Amortized Decryption 1,8 1,4 1,2 1,12,2 3,4 3,34,4 5,8 5,6 5,56,6 7,8 7,78,8 m leaves log m levels
Amortized Decryption 1,8 1,4 1,2 1,12,2 3,4 3,34,4 5,8 5,6 5,56,6 7,8 7,78,8 m leaves log m levels m small prime exponentiations per level
Conclusions Flexible fingerprinting methods are an important tool in content protection. Large amounts of keying material may be required for such fingerprinting. The methods described minimize the bandwidth requirements for these schemes.