Traitor Tracing Vijay Ramachandran CS 655: E-commerce Foundations October 10, 2000
Traitor Tracing
Vijay Ramachandran
CS 655: E-commerce Foundations
October 10, 2000
The Situation
• Mass distribution or broadcast of content
• Limited set of authorized users
• Threat of unauthorized users
Source
The Problems
• Cleartext leak
• Key leak
• Broadcast on a pirate network
The Goal
• Trace the source of piracy (the traitor)
• Prevent it and those relying on it from further access to the content
• Supply legal evidence of the traitor’s identity and take legal measures
• Do not harm or inconvenience legitimate users
The Idea
• Encrypt or modify the content in a different way for each authorized user (a variant)
• Figure out which variant the leaked or pirated content is
• Prosecute the traitor who received that variant
Obvious Solutions Have Obvious Problems
• Comparison of variants can reveal watermark
• Translation to cleartext creates leak opportunity
• Too much storage / transmission overhead
···001001010110011···
···001000100110011···
Important Papers
Chor, Fiat, Naor ’94
(key leak)
Fiat & Tassa ’99(cleartext rebroadcast)
Boneh & Shaw ’95(watermarking)
CFN ’94, Basic Idea
• Divide content into blocks and encrypt each block
• Create a set of keys that can be used to decrypt each block
• Map each user to a set of keys for each block (personal key) Personal
key
Decryptionkey
Content
Encrypted content
CFN ’94, Properties
• Content replication is “minimal”
• Pirate decoder capture reveals the keys it uses
• Users require keys for each block
• Traitors can be identified based on map from users to personal keys
CFN ’94, Issues
• Analysis is probabilistic– Chance of false incrimination is negligible, not
zero
• Requires an upper bound on the size of a colluding group of traitors– This bound, and the number of users, should be
set initially– Can guarantee finding one traitor
CFN ’94 Schemes
• Open scheme: algorithm is public but keys are secret
• Closed scheme: algorithm and keys are secret
• User/decryption scheme: part of algorithm that deals with distribution to authorized users
• Tracing algorithm: invoked when a pirate decoder is captured
An Open Scheme
• Choose l hash functions {hi} : {1, …, n} Si = {si1, …, si 2k
2} where |Si|= 2k2. These are keys for block i.
• Each user u gets a personal key{h1(u), h2(u), …, hl(u)}.
• Let the decryption key d be the XOR of l keys d1, …, dl. Encrypt each di with each key in Si.
An Open Scheme
• Each user has one key from each Si so they can decrypt each di and get d.
• k traitors can choose one key from each Si to form F for the decoder.
• When F is captured, for each i, mark all the users in the set hi
-1(fi) wherefi Si F. Most marks = traitor.
A Secret Scheme
• Mostly same as the open scheme
• Assign each user a secret “name”
• Choose random hash functions {hi} that map from names to sets Si, but|Si| = 4k, not 2k2. The hash functions are secret.
• The user still receives l keys.
Probability of False Incrimination
• Scheme can make mistakes• Open scheme: O(k2 log n) keys (l),
requiring O(k4 log n) encryptions.• Secret scheme: O(k log(n/p)) keys,
requiring O(k2 log (n/p)) encryptions.• p is a secret scheme parameter – (1-p) is the
success probability for p of the sets of k colluding traitors
Fiat & Tassa ’99, Overview
• Attacks problem of a pirate network• Considers difference between:
– Dynamic watermarking problem:can see pirate network and get continual feedback about leaks to adjust next broadcast
– Static watermarking problem:content is marked only once; tracing is done one piracy is found
Dynamic Watermarking
• Watermarking: produce different variants of the content for each user(in CFN ’94, the keys are the “watermark” portion)
• Detect which variant is leaked onto the pirate network
• Change variants to isolate the traitor and disconnect them during transmission
An EfficientDynamic Scheme
• Start with I = {all users}, P = {I}.• Repeat:
– For each S P, transmit a different variant.– From the pirate network, determine which
variant was leaked.– If the variant was sent to I then split I in half,
into Li and Ri. Add these to P and set I empty.
An EfficientDynamic Scheme
• If the variant was sent to some Li (or Ri, but then switch L and R):– Add the users in Ri to I
– If Li is a singleton, we have a traitor! Disconnect the user immediately.
– Otherwise split Li into two new halvesLj and Rj.
Performance Analysis
• p is the number of traitors we want to be able to capture
• The number of variants needed is at most 2p+1
• The amount of time needed to disconnect the p traitors is at mostp log n + p
Dynamic Scheme Issues
• We may still need to start with some bound on the number of traitors p, but this can be altered (unlike the static or CFN ’94 case)
• Limited by bandwidth, since variants of all the content must be sent multiple times
Watermarking Assumptions
• Similarity: All the variants must carry the same content without distortion, as far as the users can tell
• What happens if not?
• Robustness: With some set of variants, it is impossible to create some untraceable variant
The Static Case
• Before distribution, variants of the content are watermarked
• Determine the traitor by matching their variant to the pirate copy
• Use probabilistic algorithm – do deterministic algorithms use exponential resources?
Lower Bounds
• The pirate controls p traitors. There is a deterministic algorithm with the number of variants p + 1, but any algorithm using fewer variants cannot be deterministic.
• In the static case, there is a minimum number of blocks needed to capture a traitor with probability 1 – .
Open Problems
• Proofs for CFN traitor tracing are not constructive• Deterministic watermarking algorithm of size p+1
with convergence time polynomial in p• Probabilistic dynamic algorithms• Must deterministic static schemes be exponential?• Practical issues (CD-ROM copying, etc.)