An Asymmetric Fingerprinting Scheme based on Tardos Codes
Ana Charpentier INRIA Rennes
Caroline Fontaine CNRS Télécom Bretagne
Teddy Furon INRIA Rennes
Ingemar Cox University College London
The story of this paper
IEEE WIFS’2010, London.
During the tutorial on Tardos Code, Ingemar asked
“You always assume that the Provider is trusted. Why?”
My Answers:
“i) !?!, …Hmm…
ii) Tardos code is not meant for asymmetric fingerprinting
iii) asymmetric fingerprinting is not practical ”
Introduction
TRADITIONAL ‘symmetric’ fingerprinting
• Huge improvements thanks to G. Tardos
• The length of codewords has been drastically reduced
• Industrial deployments are on their way
Requirements
• n: number of users
• c: size of the collusion
• $P_{fa}$: probability of accusing innocent users
• m: code length
$m = O\left[ c^2 \log( n / P_{fa} ) \right]$
[Figure: Provider and User, with a binary fingerprint sequence]
Introduction II
ASYMMETRIC fingerprinting
• Different Trust Model:
  – Content Provider is untrustworthy
  – May want to frame an innocent user.
• Dates back to 1996 [Pfitzmann&Schunter]
• 4 actors: User, Provider, Certification Authority, and the Judge
• 4 steps: Key generation, Fingerprinting, Identification and Dispute.
[Figure: Provider, User, Judge and CA; fingerprinted copy and pirated copy]
Tardos code construction
Initialization: generate secret bias vector p
• $p = (p_1, \ldots, p_m)$, $0 < p_i < 1$, $p_i \sim f(p)$ i.i.d.
Code: generate n x m binary matrix X
• Each row is a codeword $X_j = (X_{j1}, \ldots, X_{jm})$
• s.t. $\mathrm{Prob}[X_{ji} = 1] = p_i$

         i = 1   i = 2   i = 3   …   i = m
$p_i$    0.8     0.5     0.7     …   0.1
$X_1$    1       0       1       …   0
$X_2$    1       1       0       …   1
$X_3$    0       0       1       …   0
…
$X_n$    1       1       1       …   0
Tardos code accusation
When a pirated copy is found…
• Extract binary sequence $Y = (Y_1, \ldots, Y_m)$
• Y is a mixture of the colluders’ codewords
Accusation (Single decoder)
• Compute a score per user $S_j = G(Y, X_j, p)$
• Accuse
  – users whose scores are above threshold T
  – user with maximum score if above threshold T
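Added example (not part of the original slides): code construction and single-decoder accusation in Python. Assumptions not stated on the slides: f is Tardos' arcsine density with cutoff 1/(300c), G is the symmetric Tardos score, the pirated sequence is a per-position majority vote, and the sizes, seed and threshold T = 400 are constructed for the demonstration.

```python
import math
import random

def bias_vector(m, c, rng):
    """Secret p: p_i = sin^2(r), r uniform (arcsine density, cutoff 1/(300c))."""
    lo = math.asin(math.sqrt(1.0 / (300 * c)))
    return [math.sin(rng.uniform(lo, math.pi / 2 - lo)) ** 2 for _ in range(m)]

def codebook(n, p, rng):
    """n x m binary matrix X with Prob[X_ji = 1] = p_i."""
    return [[int(rng.random() < pi) for pi in p] for _ in range(n)]

def score(Y, Xj, p):
    """S_j = G(Y, X_j, p), here the symmetric Tardos score."""
    s = 0.0
    for y, x, pi in zip(Y, Xj, p):
        # Agreement on a rare symbol is rewarded most, disagreement is penalised.
        g = math.sqrt((1 - pi) / pi) if x else -math.sqrt(pi / (1 - pi))
        s += g if y else -g
    return s

def majority(X, colluders):
    """Pirated sequence Y: per-position majority vote over the colluders' codewords."""
    return [int(2 * sum(X[j][i] for j in colluders) > len(colluders))
            for i in range(len(X[0]))]

def accuse(Y, X, p, T):
    """Indices of the users whose score is above the threshold T."""
    return {j for j, Xj in enumerate(X) if score(Y, Xj, p) > T}

def demo(seed=1, n=100, m=4000, c=3, T=400.0):
    rng = random.Random(seed)
    p = bias_vector(m, c, rng)
    X = codebook(n, p, rng)
    colluders = [3, 17, 42]            # constructed collusion of size c
    Y = majority(X, colluders)
    return accuse(Y, X, p, T), colluders

if __name__ == "__main__":
    accused, colluders = demo()
    print("accused:", sorted(accused), "colluders:", colluders)
```

Innocent scores are centred on 0 with standard deviation about sqrt(m), while each colluder's score grows linearly in m, which is what lets a threshold separate them.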
Threats on Tardos code I
[Figure: the Provider generates p, generates X, watermarks and distributes to User #j; P2P]
Threats on Tardos code II
[Figure: the Content Provider generates p and X; the Trusted Tech. Provider watermarks and distributes; Users #a1, #a2, …, #aK form a collusion; User #j holds $X_j$]
K=3 accomplices frame innocent User #j
Threats on Tardos code III
[Figure: the Content Provider generates p and X; the Trusted Tech. Provider decodes the watermark of the pirated copy, giving Y]
How to frame innocent user #j during the score computation?
• Y and $X_j$ are fixed
• The provider is the only one knowing p
It is possible to tweak p into p’ s.t.
• Score $S_j = G(Y, X_j, p’) > T$
• p’ looks like it was drawn from f
Lessons learnt from the threats
• The Provider
  – Should not know the code X (or only a fraction)
  – Should not change secret p between code generation and score computation
• The User
  – Should know neither the secret p nor the fingerprint of any other user
  – Should have a codeword drawn from the distribution induced by p
  – Should not be able to modify his codeword
A protocol based on Oblivious Transfer
OT - 1:N “Pick a card, any card!”
[Figure: Alice, Bob and a deck of N cards]
OT based on commutative encryption
Commutative encryption
• $CE(k_B, CE(k_A, m)) = CE(k_A, CE(k_B, m))$
Oblivious transfer (Alice, Bob)
• $c_1 = E(k_1, m_1)$, $c_2 = E(k_2, m_2)$, …, $c_N = E(k_N, m_N)$
• $d_1 = CE(k_A, k_1)$, $d_2 = CE(k_A, k_2)$, …, $d_N = CE(k_A, k_N)$
• $u = CE(k_B, d_i)$
• $w = CE^{-1}(k_A, u)$
• $CE^{-1}(k_B, w) = k_i$
Protocol: generation of codewords – Phase 1
Initialization - Provider
• Generate and quantize over P-1 values: $p = (p_1, \ldots, p_m)$ with $p_i = l_i / P$
• For all index i, create a list of P objects: list $C_i$: $c_{1,i} = E(k_{1,i}, m_{1,i})$, …, $c_{P,i} = E(k_{P,i}, m_{P,i})$
• There are only 2 versions of the message
  – For $l_i$ objects: $m_{k,i} = 1 \,\|\, sk_{1,i} \,\|\, \mathrm{ref\_txt}_{1,i}$
  – For $P - l_i$ objects: $m_{k,i} = 0 \,\|\, sk_{0,i} \,\|\, \mathrm{ref\_txt}_{0,i}$
• Publish these m lists on a WORM (Write Once Read Many) repository
Protocol: generation of codewords – Phase 1
Code construction: User #j registers
Provider
• Randomly draw a permutation $\pi_j$ over [1, …, P]
• For all index i, create a list of P encrypted keys: list $D_{i,j}$: $d_1 = CE(k_A, \pi_j(1) \,\|\, k_{\pi_j(1),i})$, …, $d_P = CE(k_A, \pi_j(P) \,\|\, k_{\pi_j(P),i})$
• Send these m lists to user #j
User - Provider
• Run the OT protocol
• Permutation $\pi_j$ prevents collusion at code generation
  – “Don’t pick this item, I already know that it is a 0”
Protocol: generation of codewords – Phase 1
[Figure: the Provider, with $p = (p_1 = 0.8, p_2 = 0.5, \ldots, p_m = 0.1)$, and the lists $C_1, C_2, \ldots, C_m$ of 0 and 1 objects on the WORM; User #j obtains $X_j = (0, 0, \ldots, 1)$ and $sk_{0,1}, sk_{0,2}, \ldots, sk_{1,m}$]
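Added example (not part of the original slides): the 1-out-of-P oblivious transfer of the "OT based on commutative encryption" slide, run on one Phase 1 list $C_i$ so that User #j draws bit 1 with probability $l_i / P$ without the Provider learning the draw. Assumptions: CE is modular exponentiation modulo a Mersenne prime, E is a toy XOR cipher, $\pi_j(t) \,\|\, k$ is packed into one integer, and all function names are hypothetical.

```python
import hashlib
import secrets
from math import gcd

Q = 2**521 - 1   # constructed parameter: Mersenne prime modulus for the toy CE

def keygen():
    """Exponent coprime to Q-1, so that CE(k, .) can be inverted."""
    while True:
        k = secrets.randbelow(Q - 3) + 2
        if gcd(k, Q - 1) == 1:
            return k

def ce(k, x):
    """CE(k, x) = x^k mod Q; commutative since (x^a)^b = (x^b)^a."""
    return pow(x, k, Q)

def ce_inv(k, x):
    """CE^-1(k, x): exponentiate by k^-1 mod (Q-1)."""
    return pow(x, pow(k, -1, Q - 1), Q)

def E(k, m):
    """Toy cipher standing in for E: XOR with a SHA-256 pad (self-inverse, m <= 32 bytes)."""
    pad = hashlib.sha256(k.to_bytes(16, "big")).digest()
    return bytes(a ^ b for a, b in zip(m, pad))

def provider_setup(l_i, P):
    """List C_i: l_i objects carry bit 1, P - l_i carry bit 0 (published on the WORM)."""
    bits = [1] * l_i + [0] * (P - l_i)
    keys = [secrets.randbits(127) + 1 for _ in range(P)]      # k_{1,i} .. k_{P,i}
    return keys, [E(k, bytes([b]) + b"|sk|ref_txt") for k, b in zip(keys, bits)]

def provider_list_d(kA, keys):
    """List D_{i,j}: d_t = CE(kA, pi_j(t) || k_{pi_j(t),i}) under a fresh permutation pi_j."""
    pi = list(range(len(keys)))
    secrets.SystemRandom().shuffle(pi)
    return [ce(kA, (idx << 128) | keys[idx]) for idx in pi]

def user_draw_bit(l_i, P):
    """One 1-out-of-P transfer for index i; returns (codeword bit, key recovered correctly)."""
    keys, C = provider_setup(l_i, P)
    kA, kB = keygen(), keygen()               # provider's and user's CE keys
    D = provider_list_d(kA, keys)
    t = secrets.randbelow(P)                  # user's secret choice of position
    u = ce(kB, D[t])                          # user -> provider: blinded, hides t
    w = ce_inv(kA, u)                         # provider -> user: removes kA only
    opened = ce_inv(kB, w)                    # user recovers pi_j(t) || k
    idx, k = opened >> 128, opened & (2**128 - 1)
    return E(k, C[idx])[0], k == keys[idx]    # decrypt the WORM object, read the bit
```

The Provider only ever sees u, which is blinded by the user's key, and the user only ever opens one of the P keys.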
Protocol: generation of codewords – Phase 2
Provider needs a partial knowledge of the codewords
• Allow the identification of suspects
• Order User #j to reveal $m_h < m$ bits of codewords.
• So-called halfword [Pfitzmann&Schunter96]
$X_j = (0, 0, 1, 0, 1, \ldots, 0, 1)$
Colluders
• Should not know the location of the halfword bits
Solution
• Yet another Oblivious Transfer OT – $m_h$ : $m$
• Alice = User #j
• Bob = Provider
• Objects = keys used during Phase 1: $k_{B,i}$
• Provider gets $m_h$ elements of the lists $D_{i,j}$ chosen by #j (specific to User #j)
Protocol: generation of codewords – Phase 1
[Figure: the Provider, with $p = (p_1, \ldots, p_m)$, and the lists $C_1, C_2, \ldots, C_m$ of 0 and 1 objects on the WORM; User #j with $X_j = (0, 0, \ldots, 1)$ and $sk_{0,1}, sk_{0,2}, \ldots, sk_{1,m}$; $X_j = (?, 0, ?, \ldots, 1)$]
Accusation
The scouting agency finds a pirated copy.
The Technology Provider extracts sequence Y
The Provider
• Computes scores restricted to halfwords
• Sends a list of suspects with halfwords, secret p and Y
The Judge
• Verifies computation
• Asks Provider for the keys to decrypt C lists in the WORM → p
• Asks suspected users for the keys to decrypt the OT → $X_j$
• Computes scores over the non-halfword codeword
• Compares to threshold T
Conclusion
• First asymmetric protocol specific to Tardos fingerprinting code.
• Generation of code without CA … but with a WORM
• Code length
  – $m_h = O\left[ c^2 \log( n / P_{fs} ) \right]$, $P_{fs}$ = Prob of wrong suspicion
  – $m = O\left[ c^2 \log\left( n / (P_{fs} \cdot P_{fa})^{1/2} \right) \right]$
  – If $P_{fs} = P_{fa}$, the length is doubled
• List sizes: P > c, we recommend P = 100
• Misc.:
  – Discussion about security, efficiency and OT implementations
  – Application to Buyer-Seller with homomorphic encryption watermarking
Fingerprinting in the industry
The DNA approach
Watermarking each block in super high quality
[Figure: Content Provider and Technology Provider; each block watermarked in a 0 version and a 1 version]
Threats on Tardos code
[Figure: Provider, blocks in 0 and 1 versions, codeword $X_j$, User #j]