- 72 Views
- Uploaded on
- Presentation posted in: General

Traitor Tracing

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Traitor Tracing

Papers

Benny Chor, Amos Fiat and Moni Naor, Tracing Traitors (1994)

Moni Naor and Benny Pinkas, Threshold Traitor Tracing (1998)

Presented By: Anukool Lakhina, Keren Pinkas and Scott Savarese

- First, we motivate and introduce the General Traitor Tracing problem that we want to solve.
- Next, we introduce two methods to solve this problem.
- We then analyze the efficiency of each method.
- We conclude with a concrete example.

We want to trace the source of leaks when sensitive or proprietary data is made available to a large set of parties.

- We are Cablevision. We only want to broadcast to legal subscribers (all of which have a special decrypting key).
- Suppose Professor Itkis is a subscriber who with other subscribers designs a device which will allow people to view our broadcasts without paying.
- The Goal: After confiscating this device, how do we figure out who supplied the keys which decrypt our broadcasts.
- This is the basic idea of Traitor Tracing.

- Data Provider: Cablevision (Us).
- Traitor (Pirate): Professor Itkis and his friends.
- Content: Our encrypted broadcasts.
- Pirate Decoder: Device used by the pirates to decrypt our encrypted broadcasts.

- Two types of pirate decoders:
- 1) Created by obtaining keys from legitimate users.
- 2) Created by breaking the underlying encryption.

- We assume that our encryption scheme is difficult to break. So, we only care about Type 1.
- We only want to find the traitor who contributed the largest number of keys.

- Two methods:
- 1) k-Resilient Traitor Tracing (Fully Resilient Traitor Tracing)
- 2) Threshold Traitor Tracing

- k-Resilient Traitor TracingScheme catches anyone who can illegally decrypt our encrypted broadcast.
- Threshold Traitor Tracing Scheme catches anyone who can illegally decrypt more than a specified fraction of our encrypted broadcast.

We measure the efficiency of these solutions in terms of the following parameters:

- (a) Memory and Computation requirements for the user.
- (b) Memory and Computation requirements for the Data Provider
- (c) Data Redundancy Overhead – How much more data do we need to broadcast in order to be trace traitors.

k-Resilient Traitor Tracing(Fully Resilient Traitor Tracing)

- A scheme is k-resilient if it can correctly identify a traitor and not an innocent user even if k traitors combine and collude.
- We are only able to catch the traitor who submits the most keys to the pirate decoder.

- Broadcast is broken up into pieces
- Each piece contains two parts: the enabling block and the cipher block.
Message = <Enabling Block, Cipher Block>

- Cipher Block is created using a secret key or one time pad obtained by decrypting the information in the enabling block.

- Maps n users into a set of 2k2encryption keys
- Users Keys, P(u) = O(k2log n)
- Enabling Block = O(k4 log n )

- We create l first-level hash functions <h1,h2,…hl>.
- Each hi maps a particular user, u into one of 2k2 sets.
- Thus the personal key for a user contains l keys <h1(u), h2(u), … hl(u)>

- The cipher block is encrypted with either a one time pad or secret key s.
- Key s is broken into l pieces such that
s = s1 XOR s2 XOR … si … XOR sl

- Each siis encrypted with each of the 2k2keys.

- Each user has a key for each row i in the enabling block.
- They are able to decrypt si and thus are able to obtain s
- With s they obtain the information in the cipher block

- At most k people get together.
- For each i from 1 to l, the create a set of keys F.
- Without keys for each of the l rows they are unable to decrypt the cipher block.
- With all l keys they are able to decrypt every secret they receive.

- Using black box techniques the set of keys F is determined.
- For each row i we perform h-1(fi). This gives us a set of users that map to that key. We mark each user.
- After obtaining the list of users for all l keys, the user seen the most is the traitor.

- Each traitor in coalition gives at most l/k keys.
- For each row i the coalition has at most k keys. The probability that a particular user’s key is one of the k keys is 1/2k.
- Must create l such that the number of an innocent user’s keys that are exposed is less than l/k.

- We determine l to be 4k2log n
- Thus, the number of keys a user has is
4k2log n

- The enabling block consists of 8k4 log n

- Keeps the hash mapping secret
- Lower costs then the one-level open scheme by a factor of k.
- Simpler construction
- Introduces a probability p which is the probability that pirates will create a device that is untraceable.

- Same as one-level open scheme exact that instead of 2k2 groups there are only4k.
- The number of keys that a user has is
(4/3)k log (n/p)

- The number of keys in the enabling block is
(16/3)k2 log (n/p)

Threshold Traitor Tracing

- Suppose Cablevision divides a program into 1 minute segments. An illegal decoder which can decrypt 90% of these segments will fail to decode one minute out of ten minutes. Will you pay for such a decoder?
- So, for many applications, a decoder which can decrypt with a low success probability is useless.
- So the real threat are decoders which can decrypt, say, 99% of all the segments. Threshold Traitor Tracing only concerns with these decoders.
- We want to be able to catch a true traitor with probability 1-p. (So ideally, we want p to be very very small.)

- We generate a meta-key which contains a base set A of random keys and we assign l keys to each user.
- These l keys form the user’s Personal Key. (Two users cannot have exactly the same set of keys.)
- A program is always broadcasted in segments. Each segment consists of two parts: an enabling block and a cipher block.
Message = <enabling block, cipher block>

- Cipher Block is the encrypted program segment, using some secret key s.
- Enabling Block allows authorized users to obtain the secret key, s.

- Specify our threshold by q. (That is, we want to catch all decoders that can decode q of the broadcast segments.)
- Let n be the number of legal subscribers.
- Let k be the number of traitors.

- Initialization
- Distribution of Secret
- Decryption Procedure
- Parameters Involved
- Tracing Procedure
- Analysis

- We have a set of l hash functions {h1, h2, … ,hl} which are chosen at random.
- Each hash functionmaps a particular user, u into one of a 4k random keys.
- So, user u receives l keys: {h1(u), h2(u), … , hl(u)}.
- All this can be represented very nicely in a l x 4k matrix A.

- Let s be the secret key to be distributed. We (The Data Provider) divide the secret key, into t shares, where t is random, and 0 < t <= l.
- We ensure that s = s0xor s1 xor … xor st
- Eachsi is encrypted using each of the 4k keys of the corresponding row in matrix A.
(continued…)

- Let w be a fraction such that q <= w < 1.
- The scheme divides the secret into t shares and ensures that a decoder which contain keys from a fraction of at least w of the l rows would be able to decrypt the secret with probability greater than q.

- Each authorized user has one key from every row and is therefore always able to decrypt every siand compute s.

- Memory Required per user is m=l keys.
- Amount of work that each user performs to reveal a key is O(t).
- Data Redundancy Overhead is r=4kt.

- We are only concerned with decoders that have keys from wl rows. (Since only these decoders can decrypt with probability q).
- Suppose we have the set of keys F that a pirate decoder uses to crack our encrypted broadcast. Suppose F contains at least one key from each of the wl rows of Matrix A. Denote these rows by r1, r2,…, rwlanddenote the key common to F and row rias fri. Since we know the hash function, hri we can compute its inverse and determine the users of that key .
- The user with the largest number of marks is our traitor.

- There are k traitors.
- On average, each traitor contributes wl/k keys to F.
- How do we know that an innocent user say, Alice, is not identified as a traitor?
- The probability that friequals the key mapped to Alice is 1/4k. So, the probability that at least wl/k of the keys of Alice are in F is at most 2^-3wl/4k. We choose an l such that the probability of this happening is very very small.

- Recall q is our threshold value. k is the number of traitors. n is the number of users. 1-p is the probability of catching a true traitor. We have the following:
- Personal Key, l, consists of (4k/3w) * log(n/p) keys.
- Data Redundancy Overhead, 4kt, is:
4k* log(1/q) / log (1/w) keys.

- Number of decryptions, that each user must performis log(1/q) / log (1/w) decryptions. (So if w=q, number of decryptions needed is 1.)

Two Level k-Resilient Traitor Tracing(Fully Resilient TraitorTracing)

- Much more complicated than a one-level scheme.
- More efficient by a factor of k.
- User has 2k2log2k log n keys.
- 4k3log4k log n keys in the enabling block.

Two Level Threshold Traitor Tracing

- Two-Level Threshold Schemes are constructed from One-Level Threshold Schemes by using many One-Level Schemes and applying a hash function to map users to schemes
- Advantages: Shorter key length than one-level
- Disadvantages: Higher Data Redundancy than one-level.
- In one-level, q is predefined. Two-level threshold schemes allow us to have q as a function of other parameters.

Results

- Suppose:
- number of users, n = 106
- number of traitors, k = 1000
- Our threshold,
- q = 0.75
- q = 0.95

- Probability of finding the true traitor is 1-p (where p=10-3)

- We have the following results

- For many applications, there is no need to have a fully resilient tracing scheme.
- Threshold Tracing Schemes are more efficient.