Presentation is loading. Please wait.

Presentation is loading. Please wait.

Traitor Tracing Vijay Ramachandran CS 655: E-commerce Foundations October 10, 2000.

Published byMarlene Reed Modified over 9 years ago

Similar presentations

Presentation on theme: "Traitor Tracing Vijay Ramachandran CS 655: E-commerce Foundations October 10, 2000."— Presentation transcript:

1 Traitor Tracing Vijay Ramachandran CS 655: E-commerce Foundations October 10, 2000

2 The Situation Mass distribution or broadcast of content Limited set of authorized users Threat of unauthorized users Source

3 The Problems Cleartext leak Key leak Broadcast on a pirate network

4 The Goal Trace the source of piracy (the traitor) Prevent it and those relying on it from further access to the content Supply legal evidence of the traitor’s identity and take legal measures Do not harm or inconvenience legitimate users

5 The Idea Encrypt or modify the content in a different way for each authorized user (a variant) Figure out which variant the leaked or pirated content is Prosecute the traitor who received that variant

6 Obvious Solutions Have Obvious Problems Comparison of variants can reveal watermark Translation to cleartext creates leak opportunity Too much storage / transmission overhead ···0010010101 10011··· ···0010001001 10011···

7 Important Papers Chor, Fiat, Naor ’94 (key leak) Fiat & Tassa ’99 (cleartext rebroadcast) Boneh & Shaw ’95 (watermarking)

8 CFN ’94, Basic Idea Divide content into blocks and encrypt each block Create a set of keys that can be used to decrypt each block Map each user to a set of keys for each block (personal key) Personal key Decryption key Content Encrypted content

9 CFN ’94, Properties Content replication is “minimal” Pirate decoder capture reveals the keys it uses Users require keys for each block Traitors can be identified based on map from users to personal keys

10 CFN ’94, Issues Analysis is probabilistic –Chance of false incrimination is negligible, not zero Requires an upper bound on the size of a colluding group of traitors –This bound, and the number of users, should be set initially –Can guarantee finding one traitor

11 CFN ’94 Schemes Open scheme: algorithm is public but keys are secret Closed scheme: algorithm and keys are secret User/decryption scheme: part of algorithm that deals with distribution to authorized users Tracing algorithm: invoked when a pirate decoder is captured

12 An Open Scheme Choose l hash functions {h i } : {1, …, n}  S i = {s i1, …, s i 2k 2 } where |S i |= 2k 2. These are keys for block i. Each user u gets a personal key {h 1 (u), h 2 (u), …, h l (u)}. Let the decryption key d be the XOR of l keys d 1, …, d l. Encrypt each d i with each key in S i.

13 An Open Scheme Each user has one key from each S i so they can decrypt each d i and get d. k traitors can choose one key from each S i to form F for the decoder. When F is captured, for each i, mark all the users in the set h i -1 (f i ) where f i  S i  F. Most marks = traitor.

14 A Secret Scheme Mostly same as the open scheme Assign each user a secret “name” Choose random hash functions {h i } that map from names to sets S i, but |S i | = 4k, not 2k 2. The hash functions are secret. The user still receives l keys.

15 Probability of False Incrimination Scheme can make mistakes Open scheme: O(k 2 log n) keys (l), requiring O(k 4 log n) encryptions. Secret scheme: O(k log(n/p)) keys, requiring O(k 2 log (n/p)) encryptions. p is a secret scheme parameter – (1-p) is the success probability for p of the sets of k colluding traitors

16 Fiat & Tassa ’99, Overview Attacks problem of a pirate network Considers difference between: –Dynamic watermarking problem: can see pirate network and get continual feedback about leaks to adjust next broadcast –Static watermarking problem: content is marked only once; tracing is done one piracy is found

17 Dynamic Watermarking Watermarking: produce different variants of the content for each user (in CFN ’94, the keys are the “watermark” portion) Detect which variant is leaked onto the pirate network Change variants to isolate the traitor and disconnect them during transmission

18 An Efficient Dynamic Scheme Start with I = {all users}, P = {I}. Repeat: –For each S  P, transmit a different variant. –From the pirate network, determine which variant was leaked. –If the variant was sent to I then split I in half, into L i and R i. Add these to P and set I empty.

19 An Efficient Dynamic Scheme If the variant was sent to some L i (or R i, but then switch L and R): –Add the users in R i to I –If L i is a singleton, we have a traitor! Disconnect the user immediately. –Otherwise split L i into two new halves L j and R j.

20 Performance Analysis p is the number of traitors we want to be able to capture The number of variants needed is at most 2p+1 The amount of time needed to disconnect the p traitors is at most p log n + p

21 Dynamic Scheme Issues We may still need to start with some bound on the number of traitors p, but this can be altered (unlike the static or CFN ’94 case) Limited by bandwidth, since variants of all the content must be sent multiple times

22 Watermarking Assumptions Similarity: All the variants must carry the same content without distortion, as far as the users can tell What happens if not? Robustness: With some set of variants, it is impossible to create some untraceable variant

23 The Static Case Before distribution, variants of the content are watermarked Determine the traitor by matching their variant to the pirate copy Use probabilistic algorithm – do deterministic algorithms use exponential resources?

24 Lower Bounds The pirate controls p traitors. There is a deterministic algorithm with the number of variants p + 1, but any algorithm using fewer variants cannot be deterministic. In the static case, there is a minimum number of blocks needed to capture a traitor with probability 1 – .

25 Open Problems Proofs for CFN traitor tracing are not constructive Deterministic watermarking algorithm of size p+1 with convergence time polynomial in p Probabilistic dynamic algorithms Must deterministic static schemes be exponential? Practical issues (CD-ROM copying, etc.)

Download ppt "Traitor Tracing Vijay Ramachandran CS 655: E-commerce Foundations October 10, 2000."

Similar presentations

Ulams Game and Universal Communications Using Feedback Ofer Shayevitz June 2006.

Ulams Game and Universal Communications Using Feedback Ofer Shayevitz June 2006.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Channel Allocation Protocols. Dynamic Channel Allocation Parameters Station Model. –N independent stations, each acting as a Poisson Process for the purpose.

Channel Allocation Protocols. Dynamic Channel Allocation Parameters Station Model. –N independent stations, each acting as a Poisson Process for the purpose.
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
Segmented Hash: An Efficient Hash Table Implementation for High Performance Networking Subsystems Sailesh Kumar Patrick Crowley.

Segmented Hash: An Efficient Hash Table Implementation for High Performance Networking Subsystems Sailesh Kumar Patrick Crowley.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)

Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
Traitor Tracing Papers Benny Chor, Amos Fiat and Moni Naor, Tracing Traitors (1994) Moni Naor and Benny Pinkas, Threshold Traitor Tracing (1998) Presented.

Traitor Tracing Papers Benny Chor, Amos Fiat and Moni Naor, Tracing Traitors (1994) Moni Naor and Benny Pinkas, Threshold Traitor Tracing (1998) Presented.
Broadcast Encryption and Traitor Tracing 2001. 12. 2001507 Jin Kim.

Broadcast Encryption and Traitor Tracing Jin Kim.
Fingerprinting and Broadcast Encryption Multimedia Security.

Fingerprinting and Broadcast Encryption Multimedia Security.
Common approach 1. Define space: assign random ID (160-bit) to each node and key 2. Define a metric topology in this space,  that is, the space of keys.

Common approach 1. Define space: assign random ID (160-bit) to each node and key 2. Define a metric topology in this space,  that is, the space of keys.
Roberto Di Pietro, Luigi V. Mancini and Alessandro Mei.

Roberto Di Pietro, Luigi V. Mancini and Alessandro Mei.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Homework #4 Solutions Brian A. LaMacchia Portions © 2002-2006, Brian A. LaMacchia. This material is provided without.

Homework #4 Solutions Brian A. LaMacchia Portions © , Brian A. LaMacchia. This material is provided without.
Content Protection for Recordable Media Florian Pestoni IBM Almaden Research Center.

Content Protection for Recordable Media Florian Pestoni IBM Almaden Research Center.
Introduction to Modern Cryptography, Lecture ?, 2005 Broadcast Encryption, Traitor Tracing, Watermarking.

Introduction to Modern Cryptography, Lecture ?, 2005 Broadcast Encryption, Traitor Tracing, Watermarking.
ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.

On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.
PRIAM: PRivate Information Access Management on Outsourced Storage Service Providers Mark Shaneck Karthikeyan Mahadevan Jeff Yongdae Kim.

PRIAM: PRivate Information Access Management on Outsourced Storage Service Providers Mark Shaneck Karthikeyan Mahadevan Jeff Yongdae Kim.

Similar presentations

Ads by Google