Traitor tracing

Traitor Tracing


Benny Chor, Amos Fiat and Moni Naor, Tracing Traitors (1994)

Moni Naor and Benny Pinkas, Threshold Traitor Tracing (1998)

Presented By: Anukool Lakhina, Keren Pinkas and Scott Savarese

How this Presentation is Organized

  • First, we motivate and introduce the General Traitor Tracing problem that we want to solve.

  • Next, we introduce two methods to solve this problem.

  • We then analyze the efficiency of each method.

  • We conclude with a concrete example.


We want to trace the source of leaks when sensitive or proprietary data is made available to a large set of parties.

Typical Scenario

  • We are Cablevision. We only want to broadcast to legal subscribers (all of whom have a special decrypting key).

  • Suppose Professor Itkis is a subscriber who, with other subscribers, designs a device which will allow people to view our broadcasts without paying.

  • The Goal: After confiscating this device, how do we figure out who supplied the keys which decrypt our broadcasts?

  • This is the basic idea of Traitor Tracing.

Basic Definitions

  • Data Provider: Cablevision (Us).

  • Traitor (Pirate): Professor Itkis and his friends. 

  • Content: Our encrypted broadcasts.

  • Pirate Decoder: Device used by the pirates to decrypt our encrypted broadcasts.

Basic Assumptions

  • Two types of pirate decoders:

    • 1) Created by obtaining keys from legitimate users.

    • 2) Created by breaking the underlying encryption.

  • We assume that our encryption scheme is difficult to break. So, we only care about Type 1.

  • We only want to find the traitor who contributed the largest number of keys.

Addressing the Problem

  • Two methods:

    • 1) k-Resilient Traitor Tracing (Fully Resilient Traitor Tracing)

    • 2) Threshold Traitor Tracing

  • k-Resilient Traitor Tracing Scheme catches anyone who can illegally decrypt our encrypted broadcast.

  • Threshold Traitor Tracing Scheme catches anyone who can illegally decrypt more than a specified fraction of our encrypted broadcast.

Efficiency Parameters

We measure the efficiency of these solutions in terms of the following parameters:

  • (a) Memory and Computation requirements for the user.

  • (b) Memory and Computation requirements for the Data Provider.

  • (c) Data Redundancy Overhead – How much more data do we need to broadcast in order to be able to trace traitors.

k-Resilient Traitor Tracing (Fully Resilient Traitor Tracing)

k-Resilient Tracing

  • A scheme is k-resilient if it can correctly identify a traitor and not an innocent user even if k traitors combine and collude.

  • We are only able to catch the traitor who submits the most keys to the pirate decoder.

How Data is Broadcasted

  • Broadcast is broken up into pieces

  • Each piece contains two parts: the enabling block and the cipher block.

    Message = <Enabling Block, Cipher Block>

  • Cipher Block is created using a secret key or one time pad obtained by decrypting the information in the enabling block.

One Level Open Scheme: The simplest

  • Maps n users into a set of 2k^2 encryption keys

  • User's Keys, P(u) = O(k^2 log n)

  • Enabling Block = O(k^4 log n)


  • We create l first-level hash functions <h_1, h_2, …, h_l>.

  • Each h_i maps a particular user u into one of 2k^2 sets.

  • Thus the personal key for a user contains l keys <h_1(u), h_2(u), …, h_l(u)>

Distribution of Secret

  • The cipher block is encrypted with either a one time pad or secret key s.

  • Key s is broken into l pieces such that

    s = s_1 XOR s_2 XOR … s_i … XOR s_l

  • Each s_i is encrypted with each of the 2k^2 keys.

Decryption of Cipher Block

  • Each user has a key for each row i in the enabling block.

  • They are able to decrypt s_i and thus are able to obtain s

  • With s they obtain the information in the cipher block

Creation of a Pirate Decoder

  • At most k people get together.

  • For each i from 1 to l, they create a set of keys F.

  • Without keys for each of the l rows they are unable to decrypt the cipher block.

  • With all l keys they are able to decrypt every secret they receive.

Detection of Traitors

  • Using black box techniques the set of keys F is determined.

  • For each row i we perform h^-1(f_i). This gives us a set of users that map to that key. We mark each user.

  • After obtaining the list of users for all l keys, the user seen the most is the traitor.


  • Each traitor in the coalition gives at most l/k keys.

  • For each row i the coalition has at most k keys. The probability that a particular user’s key is one of the k keys is 1/(2k).

  • Must create l such that the number of an innocent user’s keys that are exposed is less than l/k.


  • We determine l to be 4k^2 log n

  • Thus, the number of keys a user has is

    4k^2 log n

  • The enabling block consists of 8k^4 log n

Secret One-Level Scheme

  • Keeps the hash mapping secret

  • Lower costs than the one-level open scheme by a factor of k.

  • Simpler construction

  • Introduces a probability p which is the probability that pirates will create a device that is untraceable.

Secret scheme (contd.)

  • Same as one-level open scheme except that instead of 2k^2 groups there are only 4k.

  • The number of keys that a user has is

    (4/3)k log (n/p)

  • The number of keys in the enabling block is

    (16/3)k^2 log (n/p)

Threshold Traitor Tracing

  • Suppose Cablevision divides a program into 1 minute segments. An illegal decoder which can decrypt 90% of these segments will fail to decode one minute out of ten minutes. Will you pay for such a decoder?

  • So, for many applications, a decoder which can decrypt with a low success probability is useless.

  • So the real threat is decoders which can decrypt, say, 99% of all the segments. Threshold Traitor Tracing is only concerned with these decoders.

  • We want to be able to catch a true traitor with probability 1-p. (So ideally, we want p to be very very small.)

How do we distribute the Content

  • We generate a meta-key which contains a base set A of random keys and we assign l keys to each user.

  • These l keys form the user’s Personal Key. (Two users cannot have exactly the same set of keys.)

  • A program is always broadcasted in segments. Each segment consists of two parts: an enabling block and a cipher block.

    Message = <enabling block, cipher block>

  • Cipher Block is the encrypted program segment, using some secret key s.

  • Enabling Block allows authorized users to obtain the secret key, s.

A One-Level q-Threshold Scheme

  • Specify our threshold by q. (That is, we want to catch all decoders that can decode a fraction q of the broadcast segments.)

  • Let n be the number of legal subscribers.

  • Let k be the number of traitors.

We address the following about One-Level Threshold Traitor Tracing

  • Initialization

  • Distribution of Secret

  • Decryption Procedure

  • Parameters Involved

  • Tracing Procedure

  • Analysis

1) Initialization

  • We have a set of l hash functions {h_1, h_2, …, h_l} which are chosen at random.

  • Each hash function maps a particular user u into one of 4k random keys.

  • So, user u receives l keys: {h_1(u), h_2(u), …, h_l(u)}.

  • All this can be represented very nicely in an l x 4k matrix A.

2) Distribution of Secret

  • Let s be the secret key to be distributed. We (The Data Provider) divide the secret key into t shares, where t is random, and 0 < t <= l.

  • We ensure that s = s_0 xor s_1 xor … xor s_t

  • Each s_i is encrypted using each of the 4k keys of the corresponding row in matrix A.


Distribution of Secret (contd.)

  • Let w be a fraction such that q <= w < 1.

  • The scheme divides the secret into t shares and ensures that a decoder which contains keys from a fraction of at least w of the l rows would be able to decrypt the secret with probability greater than q.

3) Decryption

  • Each authorized user has one key from every row and is therefore always able to decrypt every s_i and compute s.

4) Parameters

  • Memory Required per user is m=l keys.

  • Amount of work that each user performs to reveal a key is O(t).

  • Data Redundancy Overhead is r=4kt.

5) Tracing

  • We are only concerned with decoders that have keys from wl rows. (Since only these decoders can decrypt with probability q).

  • Suppose we have the set of keys F that a pirate decoder uses to crack our encrypted broadcast. Suppose F contains at least one key from each of the wl rows of Matrix A. Denote these rows by r_1, r_2, …, r_wl and denote the key common to F and row r_i as f_ri. Since we know the hash function h_ri, we can compute its inverse and determine the users of that key.

  • The user with the largest number of marks is our traitor.

6) Analysis of One-Level Threshold

  • There are k traitors.

  • On average, each traitor contributes wl/k keys to F.

  • How do we know that an innocent user say, Alice, is not identified as a traitor?

  • The probability that f_ri equals the key mapped to Alice is 1/(4k). So, the probability that at least wl/k of the keys of Alice are in F is at most 2^(-3wl/(4k)). We choose an l such that the probability of this happening is very very small.

Results!

  • Recall q is our threshold value. k is the number of traitors. n is the number of users. 1-p is the probability of catching a true traitor. We have the following:

  • Personal Key, l, consists of (4k/3w) * log(n/p) keys.

  • Data Redundancy Overhead, 4kt, is:

    4k* log(1/q) / log (1/w) keys.

  • Number of decryptions that each user must perform is log(1/q) / log (1/w) decryptions. (So if w=q, number of decryptions needed is 1.)

Two Level k-Resilient Traitor Tracing (Fully Resilient Traitor Tracing)

Two Level Open Scheme

  • Much more complicated than a one-level scheme.

  • More efficient by a factor of k.

  • User has 2k^2 log^2 k log n keys.

  • 4k^3 log^4 k log n keys in the enabling block.

Two Level Threshold Traitor Tracing

Two Level Threshold Scheme

  • Two-Level Threshold Schemes are constructed from One-Level Threshold Schemes by using many One-Level Schemes and applying a hash function to map users to schemes

  • Advantages: Shorter key length than one-level

  • Disadvantages: Higher Data Redundancy than one-level.

  • In one-level, q is predefined. Two-level threshold schemes allow us to have q as a function of other parameters.


Results

Some Numbers

  • Suppose:

    • number of users, n = 10^6

    • number of traitors, k = 1000

    • Our threshold,

      • q = 0.75

      • q = 0.95

    • Probability of finding the true traitor is 1-p (where p = 10^-3)

  • We have the following results 

Results

Conclusions

  • For many applications, there is no need to have a fully resilient tracing scheme.

  • Threshold Tracing Schemes are more efficient.