Traitor Tracing

Presentation transcript:

1 Traitor Tracing

2 Outline
- Introduction
- State of the art
  - Traceability scheme
  - Frameproof code
  - c-secure code
  - Combinatorial properties
  - Tracing algorithm
  - Some useful properties
- Rephrase
  - Encoding scheme
  - Decoding scheme
  - Watermarking scheme
- Conclusions

3 Introduction
- Fingerprinting
  - Embed a unique key for each user to identify the person who acquired a particular copy
  - Each user has his own decryption key to recover the content
- Collusion attack
  - A group of malicious users (traitors) can collude by combining their keys to create a new pirate key (pirate decoder)
- Traitor tracing
  - A traitor tracing algorithm is used to trace at least one of the colluders

4 State of the art
- Traceability scheme
- Frameproof code
- c-secure code
- Combinatorial properties
- Tracing algorithm
- Some useful properties

5 State of the art - Traceability schemes
- “Tracing Traitors”, B. Chor, A. Fiat, M. Naor, and B. Pinkas, 1994 (1998, 2000).
- Traceability schemes (traitor tracing schemes)
- A traitor tracing scheme consists of three components:

6 State of the art - Traceability schemes (continue)
- fully (p,k)-resilient tracing scheme
  Let T be a coalition of at most k users. Let A be an adversary that has a subset F of the keys of the users in T, and that is able to decrypt the content sent in the tracing traitors scheme, in time t and with probability greater than q’. The scheme is called fully (p,k)-resilient if it satisfies the security assumption: one of the following two statements holds.
  - Given F, the data supplier is able to trace with probability at least 1-p at least one of the users in T.
  - There exists an adversary A’ which uses A as a black box and whose input is only an enabling block and a cipher block of the tracing traitors scheme. A’ can reveal the content that is encrypted in the cipher block in time which is linear in the length of its input and in t, and with probability at least q’’=q’.

7 State of the art – Traceability schemes (continue)
- fully k-resilient tracing scheme
  A scheme is called fully k-resilient if it satisfies definition 1.2 and it further holds that p=0.
- q-threshold (p,k)-resilient tracing scheme
  A scheme is called q-threshold (p,k)-resilient if it satisfies definition 1.2 with q’’=q’-q.

8 State of the art – Frameproof codes
- Frameproof codes
  - “Collusion-secure fingerprinting for digital data”, Dan Boneh and James Shaw, 1995 (1998)
  - A fingerprint is a collection of marks
  - A fingerprint can be thought of as a word of length L over an alphabet Σ of size s
  - A distributor is the sole supplier of fingerprinted objects
  - A user is the registered owner of a fingerprinted object
  - The process of fingerprinting an object involves assigning a unique codeword over $\Sigma^L$ to each user

9 State of the art – Frameproof codes (continue)
- (l,n)-code and codebook
- undetectable positions

10 State of the art – Frameproof codes (continue)  feasible set e.g. A: B: B:

11 State of the art – Frameproof codes (continue)
- Marking Assumption: any coalition of c users is only capable of creating an object whose fingerprint lies in the feasible set of the coalition
- c-frameproof

12 State of the art – Frameproof codes (continue)
- Construction of c-frameproof codes (for binary alphabet)
  -  0 is a (n,n)-code which is n-frameproof
  - The length of  0 is linear in the number of users and is therefore impractical
  - Use  0 to construct shorter codes

13 State of the art – Frameproof codes (continue)
- A set C of N words of length L over an alphabet of p letters is said to be an $(L,N,D)_p$-ECC if the Hamming distance between every pair of words in C is at least D.
- The idea of the construction of n-frameproof code is to compose the code  0 (n) with an error-correcting code.
- Let  ={w (1),…,w (p) } be an (l,p)-code and let C be an $(L,N,D)_p$-ECC. We denote the composition of  and C by  ’.

14 State of the art – Frameproof codes (continue)
- Let  be a c-frameproof (l,p)-code and C be an (L,N,D)-ECC. Let  ’ be the composition of  and C. Then  ’ is a c-frameproof code, provided $D > L(1 - 1/c)$.

15 State of the art – Frameproof codes (continue)
- For any positive integers p,n let $L = 8p \log N$. Then there exists a $(L,N,D)_{2p}$-ECC where $D > L(1 - 1/p)$.
- For any integers n,c>0 let $l = 16c^2 \log n$. Then there exists an (l,n)-code which is c-frameproof.

16 State of the art – c-secure code  totally c-secure code  

17 State of the art – c-secure code (continue)
- For c≥2 and n≥3 there are no totally c-secure (l,n)-codes
  → Unfortunately, when c>1, totally c-secure codes do not exist.
  → There is a way out of this trap: use randomness.

18 State of the art – c-secure code (continue)
- c-secure with  -error
  The tracing algorithm A on input x outputs a member of the coalition C that generated the word x with high probability.

19 State of the art – c-secure code (continue)
- Construction of collusion-secure codes
  - Construct an (l,n)-code which is n-secure with  -error for any  >0 <Theorem 2.3> <Algorithm 2.1>
    → length of this code is $n^{O(1)}$
    → too large to be practical
  - Use the code to construct c-secure codes with  -error for n users whose length is $\log^{O(1)}(n)$ when c=O(log n). <Theorem 2.4> <Algorithm 2.2>

20 State of the art – c-secure code (continue)
- A lower bound
  Let  be an (l,n) fingerprinting scheme over a binary alphabet. Suppose  is c-secure with  - error. Then the code length is at least l ≥1/2(c-3)log(1/  c).

21 State of the art – Combinatorial properties
- “Combinatorial properties and constructions of traceability schemes and frameproof codes”, D. R. Stinson, R. Wei, 1997 (2001)
- Investigate combinatorial properties and constructions of two recent topics of cryptographic interest:
  - frameproof codes
  - traceability scheme

22 State of the art – Combinatorial properties (continue)
- c-FPC(v,b)
- c-TS(k,b,v)

23 State of the art – Combinatorial properties (continue)  

24 State of the art – Combinatorial properties (continue)  

25 State of the art – Combinatorial properties (continue)
- If there exists a c-TS(k,b,v), then there exists a c-FPC(v,b).

26 State of the art – Combinatorial properties (continue)
- Constructions using t-designs
  - t-(v,k,λ) design
  - BIBDs are 2-(v,k,λ) designs
  - E.g. 2-(9,3,1) design:
    {0,1,6}, {0,2,5}, {0,3,4}, {1,2,4}, {3,5,6}, {1,5,7},
    {5,4,8}, {4,6,7}, {6,2,8}, {2,3,7}, {3,1,8}, {0,7,8}
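
An added example (not from the slides or from the cited papers): a brute-force check of the frameproof property for the (n,n)-code of one-hot words from the construction slide, and for the incidence vectors of the twelve 2-(9,3,1) design blocks listed above. The slides do not spell out the feasible set, so the code assumes the Boneh-Shaw definition for binary marks (positions where all colluders agree are fixed, all others are free) and ignores the unreadable mark; treating each block as one codeword, and all function names, are assumptions of this example.

```python
from itertools import combinations

def feasible(word, coalition):
    """True if `word` is in the feasible set of `coalition` (binary marks)."""
    for pos, bit in enumerate(word):
        seen = {w[pos] for w in coalition}
        # Undetectable position: all colluders hold the same mark there, so
        # under the marking assumption the pirate copy must carry it too.
        if len(seen) == 1 and bit not in seen:
            return False
    return True

def framing_witness(code, c):
    """Return (coalition, framed_word) if some coalition of size <= c can
    produce another user's codeword, else None."""
    for size in range(1, c + 1):
        for coalition in combinations(code, size):
            for word in code:
                if word not in coalition and feasible(word, coalition):
                    return coalition, word
    return None

def is_frameproof(code, c):
    return framing_witness(code, c) is None

def one_hot_code(n):
    """The (n,n)-code of all n-bit words with exactly one 1."""
    return ["".join("1" if i == j else "0" for j in range(n)) for i in range(n)]

# The twelve blocks of the 2-(9,3,1) design, copied from the slide.
BLOCKS = [{0, 1, 6}, {0, 2, 5}, {0, 3, 4}, {1, 2, 4}, {3, 5, 6}, {1, 5, 7},
          {5, 4, 8}, {4, 6, 7}, {6, 2, 8}, {2, 3, 7}, {3, 1, 8}, {0, 7, 8}]

def is_design(blocks, t, v, k, lam):
    """Check the t-(v,k,lam) property: every block has k points and every
    t-subset of the v points lies in exactly lam blocks."""
    if any(len(b) != k for b in blocks):
        return False
    return all(sum(set(s) <= b for b in blocks) == lam
               for s in combinations(range(v), t))

def incidence_code(blocks, v):
    """One codeword per block: bit p is 1 iff point p is in the block."""
    return ["".join("1" if p in b else "0" for p in range(v)) for b in blocks]

if __name__ == "__main__":
    print(is_frameproof(one_hot_code(3), 3))
    print(feasible("110", ["100", "010"]))  # feasible, but nobody's codeword
    code = incidence_code(BLOCKS, 9)
    print(is_design(BLOCKS, 2, 9, 3, 1))
    print(is_frameproof(code, 2), is_frameproof(code, 3))
    print(framing_witness(code, 3))
```

The design-derived code serves 12 users with 9 bits where the one-hot code would need 12, but it is only 2-frameproof: the witness returned for c=3 is a concrete coalition of three users whose feasible set contains a fourth user's codeword.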

27 State of the art – Combinatorial properties (continue)  

28 State of the art – Tracing algorithms
- Scenario
  - The center broadcasts the encrypted content to users
  - One encryption key and multiple distinct decryption keys
  - One cannot compute a new decryption key from a given set of keys

29 State of the art – Tracing algorithms (continue)
- Static tracing
  - Used upon confiscation of a pirate decoder, to determine the identity of a traitor
  - Such a scheme would be ineffective if the pirate were simply to rebroadcast the original content
  - Use watermarking methods to allow the broadcaster to generate different versions of the original content
  - Use the watermarks found in the pirate copy to trace its supporting traitors
  - Drawback: requires one copy of content for each user and so requires very high bandwidth

30 State of the art – Tracing algorithms (continue)
- Dynamic tracing (Fiat & Tassa, 2001)
  - The content is divided into consecutive segments
  - Embed one of the q marks in each segment, hence creating q versions of the segment (watermarking method)
  - In each interval, the user group is divided into q subsets and each subset receives one version of the segment
  - The subsets are varied in each interval using the rebroadcasted content
  - Trace all colluders with lower bandwidth
  - Drawback:
    - Vulnerable to a delayed rebroadcast attack
    - High real-time computation for regrouping the users and allocating marks to subsets

31 State of the art – Tracing algorithms (continue)
- Sequential tracing (Reihaneh, 2003)
  - The channel feedback is only used for tracing and not for allocation of marks to users
  - The mark allocation table is predefined and there is no need for real-time computation to determine the mark allocation of the next interval
  - The need for real-time computation will be minimized
  - Protects against the delayed rebroadcast attack
  - The traitors are identified sequentially

32 State of the art – Some useful properties
- “Application of list decoding to tracing traitors”, A. Silverberg, J. Staddon, 2001
- c-TA (traceability)
- c-IPP (identifiable parent property)

33 State of the art – Some useful properties (continue)  Every c-TA code is a c-IPP code.

34 State of the art – Some useful properties (continue)    A sequential TA code is a c-TA code, Reihaneh, 2003

35 State of the art – Some useful properties (continue)  

36 Rephrase - Encoding scheme
- Find c-TA code
  - ECC (with $D_{\min}$ > xxx, small codelength L and large codeword number N)
    - BCH code: $L = q^m - 1$, e.g. GF($2^4$): (15,11,3), (15,5,7)
    - Reed-Solomon: $L = q - 1$, $D = L - k + 1$, $N = q^k$, e.g. GF(256): (255,239) -> (204,188)
    - Algebraic geometry codes
  - BIBD: given a constant k, $L = v = O(n^{1/2})$
  - …
- Find key-assignment policy

37 Rephrase - Decoding (tracing) scheme
- ECC decoding
  - Minimum distance decoding
  - Syndrome decoding
  - Viterbi algorithm
  - List decoding
- Tree-structured tracing (Liu, 2003)
- Tracing algorithms for broadcast environment

38 Rephrase - Watermarking scheme
- Message mapping
  - Direct message coding
  - Multi-symbol message coding
    - Time and space division multiplexing
    - Frequency division multiplexing
    - Code division multiplexing

39 Conclusion

40 State of the art –  0
-  0: the (n,n)-code containing all n-bit binary words with exactly one 1
- e.g.  0 (3)={100,010,001}

41 State of the art – Lemma 2.1

42 State of the art – Theorem 2.1
- By lemma 2.2 we know that there exists a $(L, n, L(1-1/c))_{2c}$-ECC for $L = 8c \log n$. Combining this with the code  0 (2c) and lemma 2.1 we get a c-frameproof code for n users whose length is $2cL = 16c^2 \log n$.

43 State of the art – Theorem 2.2

44 State of the art – Theorem 2.3  For n≥3 and  >0 let d=2n 2 log(2n/  ). The fingerprinting scheme  0 (n,d) is n-secure with  -error.

45 State of the art – Algorithm 2.1

46 State of the art – Theorem 2.4
- Given integers N, c, and  >0 set n=2c, L= 2c log(2N/  ), and d=2n 2 log(4nL/  ). Then,  ’(L,N,n,d) is a code which is c-secure with  -error. The code contains N words and has length l=O(Ldn)=O(c 4 log(N/  ) log(1/  ))

47 State of the art – Algorithm 2.2