Traitor Tracing

Vijay Ramachandran

CS 655: E-commerce Foundations

October 10, 2000

The Situation

• Mass distribution or broadcast of content

• Limited set of authorized users

• Threat of unauthorized users

Source

The Problems

• Cleartext leak

• Key leak

• Broadcast on a pirate network

The Goal

• Trace the source of piracy (the traitor)

• Prevent it and those relying on it from further access to the content

• Supply legal evidence of the traitor’s identity and take legal measures

• Do not harm or inconvenience legitimate users

The Idea

• Encrypt or modify the content in a different way for each authorized user (a variant)

• Figure out which variant the leaked or pirated content is

• Prosecute the traitor who received that variant

Obvious Solutions Have Obvious Problems

• Comparison of variants can reveal watermark

• Translation to cleartext creates leak opportunity

• Too much storage / transmission overhead

···001001010110011···

···001000100110011···

Important Papers

Chor, Fiat, Naor ’94

(key leak)

Fiat & Tassa ’99(cleartext rebroadcast)

Boneh & Shaw ’95(watermarking)

CFN ’94, Basic Idea

• Divide content into blocks and encrypt each block

• Create a set of keys that can be used to decrypt each block

• Map each user to a set of keys for each block (personal key) Personal

key

Decryptionkey

Content

Encrypted content

CFN ’94, Properties

• Content replication is “minimal”

• Pirate decoder capture reveals the keys it uses

• Users require keys for each block

• Traitors can be identified based on map from users to personal keys

CFN ’94, Issues

• Analysis is probabilistic– Chance of false incrimination is negligible, not

zero

• Requires an upper bound on the size of a colluding group of traitors– This bound, and the number of users, should be

set initially– Can guarantee finding one traitor

CFN ’94 Schemes

• Open scheme: algorithm is public but keys are secret

• Closed scheme: algorithm and keys are secret

• User/decryption scheme: part of algorithm that deals with distribution to authorized users

• Tracing algorithm: invoked when a pirate decoder is captured

An Open Scheme

• Choose l hash functions {hi} : {1, …, n} Si = {si1, …, si 2k

2} where |Si|= 2k2. These are keys for block i.

• Each user u gets a personal key{h1(u), h2(u), …, hl(u)}.

• Let the decryption key d be the XOR of l keys d1, …, dl. Encrypt each di with each key in Si.

An Open Scheme

• Each user has one key from each Si so they can decrypt each di and get d.

• k traitors can choose one key from each Si to form F for the decoder.

• When F is captured, for each i, mark all the users in the set hi

-1(fi) wherefi Si F. Most marks = traitor.

A Secret Scheme

• Mostly same as the open scheme

• Assign each user a secret “name”

• Choose random hash functions {hi} that map from names to sets Si, but|Si| = 4k, not 2k2. The hash functions are secret.

• The user still receives l keys.

Probability of False Incrimination

• Scheme can make mistakes• Open scheme: O(k2 log n) keys (l),

requiring O(k4 log n) encryptions.• Secret scheme: O(k log(n/p)) keys,

requiring O(k2 log (n/p)) encryptions.• p is a secret scheme parameter – (1-p) is the

success probability for p of the sets of k colluding traitors

Fiat & Tassa ’99, Overview

• Attacks problem of a pirate network• Considers difference between:

– Dynamic watermarking problem:can see pirate network and get continual feedback about leaks to adjust next broadcast

– Static watermarking problem:content is marked only once; tracing is done one piracy is found

Dynamic Watermarking

• Watermarking: produce different variants of the content for each user(in CFN ’94, the keys are the “watermark” portion)

• Detect which variant is leaked onto the pirate network

• Change variants to isolate the traitor and disconnect them during transmission

An EfficientDynamic Scheme

• Start with I = {all users}, P = {I}.• Repeat:

– For each S P, transmit a different variant.– From the pirate network, determine which

variant was leaked.– If the variant was sent to I then split I in half,

into Li and Ri. Add these to P and set I empty.

An EfficientDynamic Scheme

• If the variant was sent to some Li (or Ri, but then switch L and R):– Add the users in Ri to I

– If Li is a singleton, we have a traitor! Disconnect the user immediately.

– Otherwise split Li into two new halvesLj and Rj.

Performance Analysis

• p is the number of traitors we want to be able to capture

• The number of variants needed is at most 2p+1

• The amount of time needed to disconnect the p traitors is at mostp log n + p

Dynamic Scheme Issues

• We may still need to start with some bound on the number of traitors p, but this can be altered (unlike the static or CFN ’94 case)

• Limited by bandwidth, since variants of all the content must be sent multiple times

Watermarking Assumptions

• Similarity: All the variants must carry the same content without distortion, as far as the users can tell

• What happens if not?

• Robustness: With some set of variants, it is impossible to create some untraceable variant

The Static Case

• Before distribution, variants of the content are watermarked

• Determine the traitor by matching their variant to the pirate copy

• Use probabilistic algorithm – do deterministic algorithms use exponential resources?

Lower Bounds

• The pirate controls p traitors. There is a deterministic algorithm with the number of variants p + 1, but any algorithm using fewer variants cannot be deterministic.

• In the static case, there is a minimum number of blocks needed to capture a traitor with probability 1 – .

Open Problems

• Proofs for CFN traitor tracing are not constructive• Deterministic watermarking algorithm of size p+1

with convergence time polynomial in p• Probabilistic dynamic algorithms• Must deterministic static schemes be exponential?• Practical issues (CD-ROM copying, etc.)