
On a Traitor Tracing Scheme from ACISP 2003

Dongvu Tonien
dong@uow.edu.au

Abstract

At the ACISP 2003 conference, Narayanan, Rangan and Kim proposed a secret-key traitor tracing scheme used for pay TV systems. In this note, we point out a flaw in their scheme.

1 The Narayanan-Rangan-Kim scheme

Let $m$ be the number of services (data providers), $n$ be the number of users, $t$ be the collusion threshold, and $\delta$ be the tolerance bound on accusing innocent users as traitors. Let $e$ denote the Euler constant. The following describes the main algorithms in the Narayanan-Rangan-Kim pay TV scheme.

Algorithm Setup: with security parameter $\ell$, the setup algorithm does the following.

1. Choose two large primes $p$, $q$ and set $N = pq$ such that $N$ has $\ell$ bits;
2. Choose a random number $R$ such that $R\phi(N) + 1$ has a divisor $d$ of roughly $\ell$ bits;
3. Choose $2\ell$-bit numbers $d_1, d_2, d_3$ which are divisible by $d$ and $\gcd(d_2, d_3) = d$;
4. Choose random numbers $d_4, d_5, \ldots, d_{t+4} \in \{1, 2, \ldots, \phi(N)\}$;
5. Run the constraint generation algorithm:
   - Generate $et \log \delta$ constraints divided into $h = e \log \delta$ groups. A constraint $\gamma(\mu_0, \mu_1, \mu_2, \ldots, \mu_t, P)$ represents the equation $\sum_{i=0}^{t} \mu_i x_i = 0 \pmod{P}$ where $P$ is a prime. Each constraint group contains $t$ constraints of the same prime;
   - For each $j = 1, \ldots, n$, generate a vector $x = (x_0, x_1, \ldots, x_t) = (e_{4,j}, e_{5,j}, \ldots, e_{t+4,j})$ as follows: select each of the constraints with probability 1 − x is constructed so that it satisfies all the selected constraints.

Algorithm Add User: if a user $U_j$ ($1 \le j \le n$) joins the system, do the following.

1. Select a random even number $e_{1,j}$;
2. Retrieve vector $(e_{4,j}, e_{5,j}, \ldots, e_{t+4,j})$ from the Setup algorithm;
3. Choose $e_{2,j}$ and $e_{3,j}$ so that $\sum_{i=1}^{t+4} e_{i,j} d_i = R\phi(N) + 1$;
4. Give user $U_j$ the following $(t+4)$-tuple $(e_{1,j}, e_{2,j}, e_{3,j}, e_{4,j}, e_{5,j}, \ldots, e_{t+4,j})$ as his/her secret decryption key.

Algorithm AddStream: if a data provider (or stream) $S_i$ joins the system, do the following.

1. Give $t + 4$ secret numbers $d_1, d_2, \ldots, d_{t+4}$ to $S_i$;
2. Choose a random $g_i \in$ of high order modulo $N$;
3. Give $S_i$ the value $g_i$ as its secret encryption key.

Algorithm Subscribe: if a user $U_j$ subscribes to a stream $S_i$, do the following.

1. Set the subscribe matrix entry $Subsc[i, j] = 1$;
2. Give user $U_j$ the value $g_i^{e_{1,j}}$.

Algorithm Unsubscribe: if a user $U_j$ unsubscribes from a stream $S_i$, do the following.

1. Set the subscribe matrix entry $Subsc[i, j] = 0$;
2. Reset the value $g_i$ of the stream $S_i$ to a new value new $g_i$;
3. Re-subscribe all users who are currently subscribing to $S_i$ (that is, give each user $U_k$ that subscribes to $S_i$ the new value new $g_i^{e_{1,k}}$).

Algorithm Broadcast: if a stream $S_i$ wants to broadcast a program $M$, then $S_i$ uses its secret encryption key $g_i$ to do the following.

1. Choose a random number $z$ coprime to $\phi(N)$;
2. Calculate and broadcast the following ciphertext

$$(z, C_1, C_2, C_3, \ldots, C_{t+4}) = (z,\ M^{d_1} g_i^{z},\ M^{d_2},\ M^{d_3},\ \ldots,\ M^{d_{t+4}}).$$

Algorithm Decryption: if user $U_j$ subscribes to stream $S_i$, then $U_j$ can use its secret encryption key $(e_{1,j}, e_{2,j}, \ldots, e_{t+4,j})$ and the value $g_i^{e_{1,j}}$ to decrypt a ciphertext $(z, C_1, C_2, C_3, \ldots, C_{t+4})$ broadcast by $S_i$ as follows

$$M = \frac{C_1^{e_{1,j}}\, C_2^{e_{2,j}}\, C_3^{e_{3,j}} \cdots C_{t+4}^{e_{t+4,j}}}{\left(g_i^{e_{1,j}}\right)^{z}}.$$

2 A Flaw

This flaw is in the algorithm Add User. In step 3 of this algorithm, two numbers $e_{2,j}$, $e_{3,j}$ must be chosen so that

$$e_{1,j} d_1 + e_{2,j} d_2 + e_{3,j} d_3 + e_{4,j} d_4 + e_{5,j} d_5 + \cdots + e_{t+4,j} d_{t+4} = R\phi(N) + 1.$$

Since $d_1$, $d_2$ and $d_3$ are all divisible by $d$, the necessary condition for this equation to be solvable for $e_{2,j}$, $e_{3,j}$ is

$$\Delta_j = e_{4,j} d_4 + e_{5,j} d_5 + \cdots + e_{t+4,j} d_{t+4} - (R\phi(N) + 1) = 0 \pmod{d}.$$

Therefore, we have $n$ equations on $t + 1$ numbers $d_4, d_5, \ldots, d_{t+4}$ as follows

$$\begin{aligned}
\Delta_1 &= e_{4,1} d_4 + e_{5,1} d_5 + \cdots + e_{t+4,1} d_{t+4} - (R\phi(N) + 1) = 0 \pmod{d} \\
\Delta_2 &= e_{4,2} d_4 + e_{5,2} d_5 + \cdots + e_{t+4,2} d_{t+4} - (R\phi(N) + 1) = 0 \pmod{d} \\
&\ \ \vdots \\
\Delta_n &= e_{4,n} d_4 + e_{5,n} d_5 + \cdots + e_{t+4,n} d_{t+4} - (R\phi(N) + 1) = 0 \pmod{d}
\end{aligned}$$

Since $n$ is much larger than $t$, this is unlikely to be satisfied. Note that in the algorithm Setup, the $t + 1$ numbers $d_4, d_5, \ldots, d_{t+4}$ are randomly chosen independently of the generation of the $n$ vectors $(e_{4,1}, \ldots, e_{t+4,1}), (e_{4,2}, \ldots, e_{t+4,2}), \ldots, (e_{4,n}, \ldots, e_{t+4,n})$.

Since the flaw is in a crucial component, the Add User algorithm of the system, the pay TV scheme proposed by Narayanan, Rangan and Kim is unusable.

References

[1] A. Narayanan, C.P. Rangan and K. Kim, Practical Pay TV Schemes, ACISP'03, LNCS (2003), pp
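The solvability condition from Section 2 can be checked numerically. The Python sketch below is an added example, not code from this note or from the Narayanan-Rangan-Kim paper; it assumes constructed toy parameters ($p$, $q$, $d$ and the multipliers for $d_1, d_2, d_3$), derives $R$ from $d$ instead of searching for a divisor, and uses independent random vectors in place of the constraint-generated ones.

```python
import random

def egcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def delta(e_tail, d_tail, target):
    """Delta_j = e_{4,j} d_4 + ... + e_{t+4,j} d_{t+4} - (R*phi(N) + 1)."""
    return sum(e * d for e, d in zip(e_tail, d_tail)) - target

def add_user(e1, e_tail, d1, d2, d3, d_tail, target):
    """Add User step 3: integers (e2, e3) completing the key, or None."""
    rhs = -delta(e_tail, d_tail, target) - e1 * d1   # must equal e2*d2 + e3*d3
    g, x, y = egcd(d2, d3)
    if rhs % g:
        return None                                  # no integer solution exists
    return x * (rhs // g), y * (rhs // g)

def simulate(n=500, t=3, seed=1):
    """Count users for whom Add User succeeds when d_4.. and e_{4,j}.. are independent."""
    rng = random.Random(seed)
    p, q, d = 1009, 1013, 101                        # constructed toy parameters
    phi = (p - 1) * (q - 1)
    R = (-pow(phi, -1, d)) % d                       # assumption: pick R so d | R*phi + 1
    target = R * phi + 1
    d1, d2, d3 = 4 * d, 9 * d, 7 * d                 # multiples of d, gcd(d2, d3) = d
    d_tail = [rng.randrange(1, phi + 1) for _ in range(t + 1)]
    ok = 0
    for _ in range(n):
        e1 = 2 * rng.randrange(1, phi)               # random even e_{1,j}
        e_tail = [rng.randrange(1, phi) for _ in range(t + 1)]
        sol = add_user(e1, e_tail, d1, d2, d3, d_tail, target)
        # Key issuance succeeds exactly when Delta_j = 0 (mod d).
        assert (sol is not None) == (delta(e_tail, d_tail, target) % d == 0)
        ok += sol is not None
    return ok, n

if __name__ == "__main__":
    print("users with a valid key: %d of %d" % simulate())
```

With these parameters roughly one user in $d$ receives a key, which is the failure the note describes: the $n$ congruences cannot be expected to hold simultaneously.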

