Traitor tracing
This presentation is the property of its rightful owner.
Sponsored Links
1 / 42

Traitor Tracing PowerPoint PPT Presentation


  • 68 Views
  • Uploaded on
  • Presentation posted in: General

Traitor Tracing. Papers Benny Chor, Amos Fiat and Moni Naor, Tracing Traitors (1994) Moni Naor and Benny Pinkas, Threshold Traitor Tracing (1998) Presented By: Anukool Lakhina, Keren Pinkas and Scott Savarese. How this Presentation is Organized.

Download Presentation

Traitor Tracing

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Traitor tracing

Traitor Tracing

Papers

Benny Chor, Amos Fiat and Moni Naor, Tracing Traitors (1994)

Moni Naor and Benny Pinkas, Threshold Traitor Tracing (1998)

Presented By: Anukool Lakhina, Keren Pinkas and Scott Savarese


How this presentation is organized

How this Presentation is Organized

  • First, we motivate and introduce the General Traitor Tracing problem that we want to solve.

  • Next, we introduce two methods to solve this problem.

  • We then analyze the efficiency of each method.

  • We conclude with a concrete example.


Motivation

Motivation

We want to trace the source of leaks when sensitive or proprietary data is made available to a large set of parties.


Typical scenario

Typical Scenario

  • We are Cablevision. We only want to broadcast to legal subscribers (all of which have a special decrypting key).

  • Suppose Professor Itkis is a subscriber who with other subscribers designs a device which will allow people to view our broadcasts without paying.

  • The Goal: After confiscating this device, how do we figure out who supplied the keys which decrypt our broadcasts.

  • This is the basic idea of Traitor Tracing.


Basic definitions

Basic Definitions

  • Data Provider: Cablevision (Us).

  • Traitor (Pirate): Professor Itkis and his friends. 

  • Content: Our encrypted broadcasts.

  • Pirate Decoder: Device used by the pirates to decrypt our encrypted broadcasts.


Basic assumptions

Basic Assumptions

  • Two types of pirate decoders:

    • 1) Created by obtaining keys from legitimate users.

    • 2) Created by breaking the underlying encryption.

  • We assume that our encryption scheme is difficult to break. So, we only care about Type 1.

  • We only want to find the traitor who contributed the largest number of keys.


Addressing the problem

Addressing the Problem

  • Two methods:

    • 1) k-Resilient Traitor Tracing (Fully Resilient Traitor Tracing)

    • 2) Threshold Traitor Tracing

  • k-Resilient Traitor TracingScheme catches anyone who can illegally decrypt our encrypted broadcast.

  • Threshold Traitor Tracing Scheme catches anyone who can illegally decrypt more than a specified fraction of our encrypted broadcast.


Efficiency parameters

Efficiency Parameters

We measure the efficiency of these solutions in terms of the following parameters:

  • (a) Memory and Computation requirements for the user.

  • (b) Memory and Computation requirements for the Data Provider

  • (c) Data Redundancy Overhead – How much more data do we need to broadcast in order to be trace traitors.


K resilient traitor tracing fully resilient traitor tracing

k-Resilient Traitor Tracing(Fully Resilient Traitor Tracing)


K resilient tracing

k-Resilient Tracing

  • A scheme is k-resilient if it can correctly identify a traitor and not an innocent user even if k traitors combine and collude.

  • We are only able to catch the traitor who submits the most keys to the pirate decoder.


How data is broadcasted

How Data is Broadcasted

  • Broadcast is broken up into pieces

  • Each piece contains two parts: the enabling block and the cipher block.

    Message = <Enabling Block, Cipher Block>

  • Cipher Block is created using a secret key or one time pad obtained by decrypting the information in the enabling block.


One level open scheme the simplest

One Level Open SchemeThe simplest

  • Maps n users into a set of 2k2encryption keys

  • Users Keys, P(u) = O(k2log n)

  • Enabling Block = O(k4 log n )


Initialization

Initialization

  • We create l first-level hash functions <h1,h2,…hl>.

  • Each hi maps a particular user, u into one of 2k2 sets.

  • Thus the personal key for a user contains l keys <h1(u), h2(u), … hl(u)>


Distribution of secret

Distribution of Secret

  • The cipher block is encrypted with either a one time pad or secret key s.

  • Key s is broken into l pieces such that

    s = s1 XOR s2 XOR … si … XOR sl

  • Each siis encrypted with each of the 2k2keys.


Decryption of cipher block

Decryption of Cipher Block

  • Each user has a key for each row i in the enabling block.

  • They are able to decrypt si and thus are able to obtain s

  • With s they obtain the information in the cipher block


Creation of a pirate decoder

Creation of a Pirate Decoder

  • At most k people get together.

  • For each i from 1 to l, the create a set of keys F.

  • Without keys for each of the l rows they are unable to decrypt the cipher block.

  • With all l keys they are able to decrypt every secret they receive.


Detection of traitors

Detection of Traitors

  • Using black box techniques the set of keys F is determined.

  • For each row i we perform h-1(fi). This gives us a set of users that map to that key. We mark each user.

  • After obtaining the list of users for all l keys, the user seen the most is the traitor.


Proof

Proof

  • Each traitor in coalition gives at most l/k keys.

  • For each row i the coalition has at most k keys. The probability that a particular user’s key is one of the k keys is 1/2k.

  • Must create l such that the number of an innocent user’s keys that are exposed is less than l/k.


Results

Results

  • We determine l to be 4k2log n

  • Thus, the number of keys a user has is

    4k2log n

  • The enabling block consists of 8k4 log n


Secret one level scheme

Secret One-Level Scheme

  • Keeps the hash mapping secret

  • Lower costs then the one-level open scheme by a factor of k.

  • Simpler construction

  • Introduces a probability p which is the probability that pirates will create a device that is untraceable.


Secret scheme contd

Secret scheme (contd.)

  • Same as one-level open scheme exact that instead of 2k2 groups there are only4k.

  • The number of keys that a user has is

    (4/3)k log (n/p)

  • The number of keys in the enabling block is

    (16/3)k2 log (n/p)


Threshold traitor tracing

Threshold Traitor Tracing


Threshold traitor tracing1

Threshold Traitor Tracing

  • Suppose Cablevision divides a program into 1 minute segments. An illegal decoder which can decrypt 90% of these segments will fail to decode one minute out of ten minutes. Will you pay for such a decoder?

  • So, for many applications, a decoder which can decrypt with a low success probability is useless.

  • So the real threat are decoders which can decrypt, say, 99% of all the segments. Threshold Traitor Tracing only concerns with these decoders.

  • We want to be able to catch a true traitor with probability 1-p. (So ideally, we want p to be very very small.)


How do we distribute the content

How do we distribute the Content

  • We generate a meta-key which contains a base set A of random keys and we assign l keys to each user.

  • These l keys form the user’s Personal Key. (Two users cannot have exactly the same set of keys.)

  • A program is always broadcasted in segments. Each segment consists of two parts: an enabling block and a cipher block.

    Message = <enabling block, cipher block>

  • Cipher Block is the encrypted program segment, using some secret key s.

  • Enabling Block allows authorized users to obtain the secret key, s.


A one level q threshold scheme

A One-Level q-Threshold Scheme

  • Specify our threshold by q. (That is, we want to catch all decoders that can decode q of the broadcast segments.)

  • Let n be the number of legal subscribers.

  • Let k be the number of traitors.


We address the following about one level threshold traitor tracing

We address the following about One-Level Threshold Traitor Tracing

  • Initialization

  • Distribution of Secret

  • Decryption Procedure

  • Parameters Involved

  • Tracing Procedure

  • Analysis


1 initialization

1) Initialization:

  • We have a set of l hash functions {h1, h2, … ,hl} which are chosen at random.

  • Each hash functionmaps a particular user, u into one of a 4k random keys.

  • So, user u receives l keys: {h1(u), h2(u), … , hl(u)}.

  • All this can be represented very nicely in a l x 4k matrix A.


2 distribution of secret

2) Distribution of Secret

  • Let s be the secret key to be distributed. We (The Data Provider) divide the secret key, into t shares, where t is random, and 0 < t <= l.

  • We ensure that s = s0xor s1 xor … xor st

  • Eachsi is encrypted using each of the 4k keys of the corresponding row in matrix A.

    (continued…)


Distribution of secret contd

Distribution of Secret (contd.)

  • Let w be a fraction such that q <= w < 1.

  • The scheme divides the secret into t shares and ensures that a decoder which contain keys from a fraction of at least w of the l rows would be able to decrypt the secret with probability greater than q.


3 decryption

3) Decryption

  • Each authorized user has one key from every row and is therefore always able to decrypt every siand compute s.


4 parameters

4) Parameters

  • Memory Required per user is m=l keys.

  • Amount of work that each user performs to reveal a key is O(t).

  • Data Redundancy Overhead is r=4kt.


5 tracing

5) Tracing

  • We are only concerned with decoders that have keys from wl rows. (Since only these decoders can decrypt with probability q).

  • Suppose we have the set of keys F that a pirate decoder uses to crack our encrypted broadcast. Suppose F contains at least one key from each of the wl rows of Matrix A. Denote these rows by r1, r2,…, rwlanddenote the key common to F and row rias fri. Since we know the hash function, hri we can compute its inverse and determine the users of that key .

  • The user with the largest number of marks is our traitor.


6 analysis of one level threshold

6) Analysis of One-Level Threshold

  • There are k traitors.

  • On average, each traitor contributes wl/k keys to F.

  • How do we know that an innocent user say, Alice, is not identified as a traitor?

  • The probability that friequals the key mapped to Alice is 1/4k. So, the probability that at least wl/k of the keys of Alice are in F is at most 2^-3wl/4k. We choose an l such that the probability of this happening is very very small.


Results1

Results!

  • Recall q is our threshold value. k is the number of traitors. n is the number of users. 1-p is the probability of catching a true traitor. We have the following:

  • Personal Key, l, consists of (4k/3w) * log(n/p) keys.

  • Data Redundancy Overhead, 4kt, is:

    4k* log(1/q) / log (1/w) keys.

  • Number of decryptions, that each user must performis log(1/q) / log (1/w) decryptions. (So if w=q, number of decryptions needed is 1.)


Two level k resilient traitor tracing fully resilient traitortracing

Two Level k-Resilient Traitor Tracing(Fully Resilient TraitorTracing)


Two level open scheme

Two Level Open Scheme

  • Much more complicated than a one-level scheme.

  • More efficient by a factor of k.

  • User has 2k2log2k log n keys.

  • 4k3log4k log n keys in the enabling block.


Two level threshold traitor tracing

Two Level Threshold Traitor Tracing


Two level threshold scheme

Two Level Threshold Scheme

  • Two-Level Threshold Schemes are constructed from One-Level Threshold Schemes by using many One-Level Schemes and applying a hash function to map users to schemes

  • Advantages: Shorter key length than one-level

  • Disadvantages: Higher Data Redundancy than one-level.

  • In one-level, q is predefined. Two-level threshold schemes allow us to have q as a function of other parameters.


Results2

Results


Some numbers

Some Numbers:

  • Suppose:

    • number of users, n = 106

    • number of traitors, k = 1000

    • Our threshold,

      • q = 0.75

      • q = 0.95

    • Probability of finding the true traitor is 1-p (where p=10-3)

  • We have the following results 


Results3

Results


Conclusions

Conclusions:

  • For many applications, there is no need to have a fully resilient tracing scheme.

  • Threshold Tracing Schemes are more efficient.


  • Login