traitor tracing
Download
Skip this Video
Download Presentation
Traitor Tracing

Loading in 2 Seconds...

play fullscreen
1 / 42

Traitor Tracing - PowerPoint PPT Presentation


  • 101 Views
  • Uploaded on

Traitor Tracing . Papers Benny Chor, Amos Fiat and Moni Naor, Tracing Traitors (1994) Moni Naor and Benny Pinkas, Threshold Traitor Tracing (1998) Presented By: Anukool Lakhina, Keren Pinkas and Scott Savarese. How this Presentation is Organized.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Traitor Tracing ' - taima


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
traitor tracing

Traitor Tracing

Papers

Benny Chor, Amos Fiat and Moni Naor, Tracing Traitors (1994)

Moni Naor and Benny Pinkas, Threshold Traitor Tracing (1998)

Presented By: Anukool Lakhina, Keren Pinkas and Scott Savarese

how this presentation is organized
How this Presentation is Organized
  • First, we motivate and introduce the General Traitor Tracing problem that we want to solve.
  • Next, we introduce two methods to solve this problem.
  • We then analyze the efficiency of each method.
  • We conclude with a concrete example.
motivation
Motivation

We want to trace the source of leaks when sensitive or proprietary data is made available to a large set of parties.

typical scenario
Typical Scenario
  • We are Cablevision. We only want to broadcast to legal subscribers (all of which have a special decrypting key).
  • Suppose Professor Itkis is a subscriber who with other subscribers designs a device which will allow people to view our broadcasts without paying.
  • The Goal: After confiscating this device, how do we figure out who supplied the keys which decrypt our broadcasts.
  • This is the basic idea of Traitor Tracing.
basic definitions
Basic Definitions
  • Data Provider: Cablevision (Us).
  • Traitor (Pirate): Professor Itkis and his friends. 
  • Content: Our encrypted broadcasts.
  • Pirate Decoder: Device used by the pirates to decrypt our encrypted broadcasts.
basic assumptions
Basic Assumptions
  • Two types of pirate decoders:
    • 1) Created by obtaining keys from legitimate users.
    • 2) Created by breaking the underlying encryption.
  • We assume that our encryption scheme is difficult to break. So, we only care about Type 1.
  • We only want to find the traitor who contributed the largest number of keys.
addressing the problem
Addressing the Problem
  • Two methods:
    • 1) k-Resilient Traitor Tracing (Fully Resilient Traitor Tracing)
    • 2) Threshold Traitor Tracing
  • k-Resilient Traitor TracingScheme catches anyone who can illegally decrypt our encrypted broadcast.
  • Threshold Traitor Tracing Scheme catches anyone who can illegally decrypt more than a specified fraction of our encrypted broadcast.
efficiency parameters
Efficiency Parameters

We measure the efficiency of these solutions in terms of the following parameters:

  • (a) Memory and Computation requirements for the user.
  • (b) Memory and Computation requirements for the Data Provider
  • (c) Data Redundancy Overhead – How much more data do we need to broadcast in order to be trace traitors.
k resilient tracing
k-Resilient Tracing
  • A scheme is k-resilient if it can correctly identify a traitor and not an innocent user even if k traitors combine and collude.
  • We are only able to catch the traitor who submits the most keys to the pirate decoder.
how data is broadcasted
How Data is Broadcasted
  • Broadcast is broken up into pieces
  • Each piece contains two parts: the enabling block and the cipher block.

Message = <Enabling Block, Cipher Block>

  • Cipher Block is created using a secret key or one time pad obtained by decrypting the information in the enabling block.
one level open scheme the simplest
One Level Open SchemeThe simplest
  • Maps n users into a set of 2k2encryption keys
  • Users Keys, P(u) = O(k2log n)
  • Enabling Block = O(k4 log n )
initialization
Initialization
  • We create l first-level hash functions <h1,h2,…hl>.
  • Each hi maps a particular user, u into one of 2k2 sets.
  • Thus the personal key for a user contains l keys <h1(u), h2(u), … hl(u)>
distribution of secret
Distribution of Secret
  • The cipher block is encrypted with either a one time pad or secret key s.
  • Key s is broken into l pieces such that

s = s1 XOR s2 XOR … si … XOR sl

  • Each siis encrypted with each of the 2k2keys.
decryption of cipher block
Decryption of Cipher Block
  • Each user has a key for each row i in the enabling block.
  • They are able to decrypt si and thus are able to obtain s
  • With s they obtain the information in the cipher block
creation of a pirate decoder
Creation of a Pirate Decoder
  • At most k people get together.
  • For each i from 1 to l, the create a set of keys F.
  • Without keys for each of the l rows they are unable to decrypt the cipher block.
  • With all l keys they are able to decrypt every secret they receive.
detection of traitors
Detection of Traitors
  • Using black box techniques the set of keys F is determined.
  • For each row i we perform h-1(fi). This gives us a set of users that map to that key. We mark each user.
  • After obtaining the list of users for all l keys, the user seen the most is the traitor.
proof
Proof
  • Each traitor in coalition gives at most l/k keys.
  • For each row i the coalition has at most k keys. The probability that a particular user’s key is one of the k keys is 1/2k.
  • Must create l such that the number of an innocent user’s keys that are exposed is less than l/k.
results
Results
  • We determine l to be 4k2log n
  • Thus, the number of keys a user has is

4k2log n

  • The enabling block consists of 8k4 log n
secret one level scheme
Secret One-Level Scheme
  • Keeps the hash mapping secret
  • Lower costs then the one-level open scheme by a factor of k.
  • Simpler construction
  • Introduces a probability p which is the probability that pirates will create a device that is untraceable.
secret scheme contd
Secret scheme (contd.)
  • Same as one-level open scheme exact that instead of 2k2 groups there are only4k.
  • The number of keys that a user has is

(4/3)k log (n/p)

  • The number of keys in the enabling block is

(16/3)k2 log (n/p)

threshold traitor tracing1
Threshold Traitor Tracing
  • Suppose Cablevision divides a program into 1 minute segments. An illegal decoder which can decrypt 90% of these segments will fail to decode one minute out of ten minutes. Will you pay for such a decoder?
  • So, for many applications, a decoder which can decrypt with a low success probability is useless.
  • So the real threat are decoders which can decrypt, say, 99% of all the segments. Threshold Traitor Tracing only concerns with these decoders.
  • We want to be able to catch a true traitor with probability 1-p. (So ideally, we want p to be very very small.)
how do we distribute the content
How do we distribute the Content
  • We generate a meta-key which contains a base set A of random keys and we assign l keys to each user.
  • These l keys form the user’s Personal Key. (Two users cannot have exactly the same set of keys.)
  • A program is always broadcasted in segments. Each segment consists of two parts: an enabling block and a cipher block.

Message = <enabling block, cipher block>

  • Cipher Block is the encrypted program segment, using some secret key s.
  • Enabling Block allows authorized users to obtain the secret key, s.
a one level q threshold scheme
A One-Level q-Threshold Scheme
  • Specify our threshold by q. (That is, we want to catch all decoders that can decode q of the broadcast segments.)
  • Let n be the number of legal subscribers.
  • Let k be the number of traitors.
we address the following about one level threshold traitor tracing
We address the following about One-Level Threshold Traitor Tracing
  • Initialization
  • Distribution of Secret
  • Decryption Procedure
  • Parameters Involved
  • Tracing Procedure
  • Analysis
1 initialization
1) Initialization:
  • We have a set of l hash functions {h1, h2, … ,hl} which are chosen at random.
  • Each hash functionmaps a particular user, u into one of a 4k random keys.
  • So, user u receives l keys: {h1(u), h2(u), … , hl(u)}.
  • All this can be represented very nicely in a l x 4k matrix A.
2 distribution of secret
2) Distribution of Secret
  • Let s be the secret key to be distributed. We (The Data Provider) divide the secret key, into t shares, where t is random, and 0 < t <= l.
  • We ensure that s = s0xor s1 xor … xor st
  • Eachsi is encrypted using each of the 4k keys of the corresponding row in matrix A.

(continued…)

distribution of secret contd
Distribution of Secret (contd.)
  • Let w be a fraction such that q <= w < 1.
  • The scheme divides the secret into t shares and ensures that a decoder which contain keys from a fraction of at least w of the l rows would be able to decrypt the secret with probability greater than q.
3 decryption
3) Decryption
  • Each authorized user has one key from every row and is therefore always able to decrypt every siand compute s.
4 parameters
4) Parameters
  • Memory Required per user is m=l keys.
  • Amount of work that each user performs to reveal a key is O(t).
  • Data Redundancy Overhead is r=4kt.
5 tracing
5) Tracing
  • We are only concerned with decoders that have keys from wl rows. (Since only these decoders can decrypt with probability q).
  • Suppose we have the set of keys F that a pirate decoder uses to crack our encrypted broadcast. Suppose F contains at least one key from each of the wl rows of Matrix A. Denote these rows by r1, r2,…, rwlanddenote the key common to F and row rias fri. Since we know the hash function, hri we can compute its inverse and determine the users of that key .
  • The user with the largest number of marks is our traitor.
6 analysis of one level threshold
6) Analysis of One-Level Threshold
  • There are k traitors.
  • On average, each traitor contributes wl/k keys to F.
  • How do we know that an innocent user say, Alice, is not identified as a traitor?
  • The probability that friequals the key mapped to Alice is 1/4k. So, the probability that at least wl/k of the keys of Alice are in F is at most 2^-3wl/4k. We choose an l such that the probability of this happening is very very small.
results1
Results!
  • Recall q is our threshold value. k is the number of traitors. n is the number of users. 1-p is the probability of catching a true traitor. We have the following:
  • Personal Key, l, consists of (4k/3w) * log(n/p) keys.
  • Data Redundancy Overhead, 4kt, is:

4k* log(1/q) / log (1/w) keys.

  • Number of decryptions, that each user must performis log(1/q) / log (1/w) decryptions. (So if w=q, number of decryptions needed is 1.)
two level open scheme
Two Level Open Scheme
  • Much more complicated than a one-level scheme.
  • More efficient by a factor of k.
  • User has 2k2log2k log n keys.
  • 4k3log4k log n keys in the enabling block.
two level threshold scheme
Two Level Threshold Scheme
  • Two-Level Threshold Schemes are constructed from One-Level Threshold Schemes by using many One-Level Schemes and applying a hash function to map users to schemes
  • Advantages: Shorter key length than one-level
  • Disadvantages: Higher Data Redundancy than one-level.
  • In one-level, q is predefined. Two-level threshold schemes allow us to have q as a function of other parameters.
some numbers
Some Numbers:
  • Suppose:
    • number of users, n = 106
    • number of traitors, k = 1000
    • Our threshold,
      • q = 0.75
      • q = 0.95
    • Probability of finding the true traitor is 1-p (where p=10-3)
  • We have the following results 
conclusions
Conclusions:
  • For many applications, there is no need to have a fully resilient tracing scheme.
  • Threshold Tracing Schemes are more efficient.
ad