An Asymmetric Fingerprinting Scheme based on Tardos Codes


Ana Charpentier INRIA Rennes

Caroline Fontaine CNRS Télécom Bretagne

Teddy Furon INRIA Rennes

Ingemar Cox University College London


The story of this paper

IEEE WIFS’2010, London.

During the tutorial on Tardos Code, Ingemar asked

“You always assume that the Provider is trusted. Why?”

My Answers:

“i) !?!, …Hmm…

ii) Tardos code is not meant for asymmetric fingerprinting

iii) asymmetric fingerprinting is not practical ”


Introduction

TRADITIONAL ‘symmetric’ fingerprinting
• Huge improvements thanks to G. Tardos
• The length of codewords has been drastically reduced
• Industrial deployments are on their way

Requirements
• n: number of users
• c: size of the collusion
• $P_{fa}$: probability of accusing innocent users
• m: code length

$m = O\left[ c^2 \log( n / P_{fa} ) \right]$

[Diagram: Provider, User]


Introduction II

ASYMMETRIC fingerprinting
• Different Trust Model:
  – Content Provider is untrustworthy
  – May want to frame an innocent user.
• Dates back to 1996 [Pfitzmann&Schunter]
• 4 actors: User, Provider, Certification Authority, and the Judge
• 4 steps: Key generation, Fingerprinting, Identification and Dispute.

[Diagram: Provider, User, Judge, CA; pirated copy; fingerprinted copy]


Tardos code construction

Initialization: generate secret bias vector p
• $p = (p_1, \dots, p_m)$, $0 < p_i < 1$, $p_i \sim f(p)$ i.i.d.

Code: generate n x m binary matrix X
• Each row is a codeword $X_j = (X_{j1}, \dots, X_{jm})$
• s.t. $\mathrm{Prob}[X_{ji} = 1] = p_i$

p       $p_1 = 0.8$   $p_2 = 0.5$   $p_3 = 0.7$   …   $p_m = 0.1$
$X_1$   1             0             1             …   0
$X_2$   1             1             0             …   1
$X_3$   0             0             1             …   0
$X_n$   1             1             1             …   0


Tardos code accusation

When a pirated copy is found…
• Extract binary sequence $Y = (Y_1, \dots, Y_m)$
• Y is a mixture of the colluders’ codewords

Accusation (Single decoder)
• Compute a score per user $S_j = G(Y, X_j, p)$
• Accuse
  – users whose scores are above threshold T
  – user with maximum score if above threshold T


Threats on Tardos code I

Provider
• Generate p
• Generate X
• Watermark and distribute

[Diagram: Provider, User #j, P2P]


Threats on Tardos code II

Content Provider
• Generate p
• Generate X

Trusted Tech. Provider
• Watermark
• Distribute

[Diagram: Content Provider, Trusted Tech. Provider, User #j, Users #a1, #a2, …, #aK; Collusion; $X_j$]

K=3 accomplices frame innocent User #j


Threats on Tardos code III

Content Provider
• Generate p
• Generate X

Trusted Tech. Provider
• Decode Watermark

[Diagram: pirated copy, Y]

How to frame innocent user #j during the score computation?
• Y and $X_j$ are fixed
• The provider is the only one knowing p

It is possible to tweak p into p’ s.t.
• Score $S_j = G(Y, X_j, p') > T$
• p’ looks like drawn from f


Lessons learnt from the threats

• The provider
  • Should not know the code X (or only a fraction)
  • Should not change secret p between code generation and score computation

• The User
  • Should know neither the secret p nor the fingerprint of any other user
  • Should have a codeword drawn from the distribution induced by p
  • Should not be able to modify his codeword


A protocol based on Oblivious Transfer

OT - 1:N “Pick a card, any card!”

[Diagram: Alice, Bob, a deck of N cards]


OT based on commutative encryption

Commutative encryption
• $CE(k_B, CE(k_A, m)) = CE(k_A, CE(k_B, m))$

Oblivious transfer
• Alice: $c_1 = E(k_1, m_1)$, $c_2 = E(k_2, m_2)$, …, $c_N = E(k_N, m_N)$
• Alice: $d_1 = CE(k_A, k_1)$, $d_2 = CE(k_A, k_2)$, …, $d_N = CE(k_A, k_N)$
• Bob: $u = CE(k_B, d_i)$
• Alice: $w = CE^{-1}(k_A, u)$
• Bob: $CE^{-1}(k_B, w) = k_i$
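
The exchange on this slide, written out for both sides as an added example (not code from the slides or the paper). It assumes exponentiation modulo a public prime as the commutative cipher CE and a hash-keystream XOR as the symmetric cipher E; the function names, the modulus Q and its toy size are all choices made for this illustration.

```python
import hashlib, math, secrets

Q = 2**127 - 1   # public prime modulus (assumed, toy size)

def ce_keygen():
    """Pick an exponent coprime to Q-1 so that x -> x^k mod Q can be inverted."""
    while True:
        k = secrets.randbelow(Q - 3) + 2
        if math.gcd(k, Q - 1) == 1:
            return k

def ce(k, x):       # CE(k, x) = x^k mod Q, hence CE(a, CE(b, x)) = CE(b, CE(a, x))
    return pow(x, k, Q)

def ce_inv(k, x):   # CE^-1(k, x): raise to the inverse of k modulo Q-1
    return pow(x, pow(k, -1, Q - 1), Q)

def e(key, msg):
    """Stand-in for E: XOR with a SHAKE-256 keystream, which is its own inverse."""
    stream = hashlib.shake_256(key.to_bytes(16, "big")).digest(len(msg))
    return bytes(a ^ b for a, b in zip(msg, stream))

def alice_publish(messages):
    kA = ce_keygen()
    keys = [secrets.randbelow(Q - 2) + 2 for _ in messages]  # k_1 .. k_N
    c = [e(k, m) for k, m in zip(keys, messages)]            # c_i = E(k_i, m_i)
    d = [ce(kA, k) for k in keys]                            # d_i = CE(kA, k_i)
    return kA, c, d

def bob_blind(d, i):
    kB = ce_keygen()
    return kB, ce(kB, d[i])          # u = CE(kB, d_i); Alice never sees i

def alice_unwrap(kA, u):
    return ce_inv(kA, u)             # w = CE^-1(kA, u) = CE(kB, k_i)

def bob_open(kB, w, c, i):
    return e(ce_inv(kB, w), c[i])    # k_i = CE^-1(kB, w), then decrypt c_i

def run_ot(messages, choice):
    kA, c, d = alice_publish(messages)
    kB, u = bob_blind(d, choice)
    w = alice_unwrap(kA, u)
    return bob_open(kB, w, c, choice)
```

Bob ends up with exactly one key k_i and can open only c_i, while Alice handles only the blinded values u and w.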


Protocol: generation of codewords – Phase 1

Initialization - Provider

• Generate and quantize over P-1 values: $p = (p_1, \dots, p_m)$ with $p_i = l_i / P$

• For all index i, create a list of P objects:
  list $C_i$: $c_{1,i} = E(k_{1,i}, m_{1,i})$, …, $c_{P,i} = E(k_{P,i}, m_{P,i})$

• There are only 2 versions of the message
  – For $l_i$ objects: $m_{k,i} = 1 \,\|\, sk_{1,i} \,\|\, \mathrm{ref\_txt}_{1,i}$
  – For $P - l_i$ objects: $m_{k,i} = 0 \,\|\, sk_{0,i} \,\|\, \mathrm{ref\_txt}_{0,i}$

• Publish these m lists on a WORM (Write Once Read Many) repository


Protocol: generation of codewords – Phase 1

Code construction: User #j registers

Provider
• Randomly draw a permutation $\pi_j$ over [1, …, P]
• For all index i, create a list of P encrypted keys
  list $D_{i,j}$: $d_1 = CE(k_A, \pi_j(1) \,\|\, k_{\pi_j(1),i})$, …, $d_P = CE(k_A, \pi_j(P) \,\|\, k_{\pi_j(P),i})$
• Send these m lists to user #j

User - Provider
• Run the OT protocol
• Permutation $\pi_j$ prevents collusion at code generation
  – “Don’t pick this item, I already know that it is a 0”


Protocol: generation of codewords – Phase 1

[Diagram: Provider and User #j; list $C_1$, list $C_2$, …, list $C_m$ holding 0 and 1 objects on the WORM; $p = (p_1 = 0.8, p_2 = 0.5, \dots, p_m = 0.1)$; $X_j = (0, 0, \dots, 1)$ with $sk_{0,1}, sk_{0,2}, \dots, sk_{1,m}$]


Protocol: generation of codewords – Phase 2

Provider needs a partial knowledge of the codewords
• Allow the identification of suspects
• Order User #j to reveal $m_h < m$ bits of codewords.
• So-called halfword [Pfitzmann&Schunter96]

$X_j = (0, 0, 1, 0, 1, \dots, 0, 1)$

Colluders
• Should not know the location of the halfword bits

Solution
• Yet another Oblivious Transfer OT – $m_h$ : m
• Alice = User #j
• Bob = Provider
• Objects = keys used during Phase 1: $k_{B,i}$
• Provider gets $m_h$ elements of the lists $D_{i,j}$ chosen by #j (specific to User #j)


Protocol: generation of codewords – Phase 1

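[Diagram: Provider and User #j; list $C_1$, list $C_2$, …, list $C_m$ holding 0 and 1 objects on the WORM; $p = (p_1, \dots, p_m)$; User #j side: $X_j = (0, 0, \dots, 1)$ with $sk_{0,1}, sk_{0,2}, \dots, sk_{1,m}$; Provider side: $X_j = (?, 0, ?, \dots, 1)$]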


Accusation

The scouting agency finds a pirated copy.

The Technology Provider extracts sequence Y

The Provider
• Computes scores restricted to halfwords
• Sends a list of suspects with halfwords, secret p and Y

The judge
• Verifies computation
• Asks Provider for the keys to decrypt C lists in the WORM → p
• Asks suspected users for the keys to decrypt the OT → $X_j$
• Computes scores over the non-halfword codeword
• Compares to threshold T
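
A simulation of this two-stage accusation, together with the quantized code construction from the earlier slides, as an added example (not code from the slides or the paper). It simulates only the outcomes of the OT and WORM steps, and it assumes the arcsine density for f, the symmetric Tardos score for G, thresholds at five standard deviations of an innocent score, a majority-vote collusion and m_h = m/2; all function names are chosen for this illustration.

```python
import math, random

P = 100  # objects per list; the slides recommend P = 100

def quantized_bias(rng, m):
    """Counts l_i with p_i = l_i / P; p_i drawn from the arcsine density (assumed f)."""
    draws = (math.sin(rng.uniform(0, math.pi / 2)) ** 2 for _ in range(m))
    return [min(P - 1, max(1, round(p * P))) for p in draws]

def draw_codeword(rng, ls):
    """Phase 1 outcome: a uniform pick among P objects gives Prob[X_ji = 1] = l_i / P."""
    return [1 if rng.randrange(P) < l else 0 for l in ls]

def score(y, x, ls, positions):
    """Symmetric Tardos score (assumed G), summed over the given positions only."""
    s = 0.0
    for i in positions:
        q = ls[i] / P if y[i] == 1 else 1 - ls[i] / P  # chance an innocent bit equals y_i
        s += math.sqrt((1 - q) / q) if x[i] == y[i] else -math.sqrt(q / (1 - q))
    return s

def simulate(n=40, m=6000, mh=3000, colluders=(3, 11, 27), seed=1):
    rng = random.Random(seed)
    ls = quantized_bias(rng, m)
    X = [draw_codeword(rng, ls) for _ in range(n)]
    # Constructed pirated sequence: majority vote over the colluders' bits.
    y = [int(2 * sum(X[j][i] for j in colluders) > len(colluders)) for i in range(m)]
    # Phase 2: halfword positions differ per user and are known to the Provider only.
    half = [set(rng.sample(range(m), mh)) for _ in range(n)]
    # Provider: scores restricted to halfwords yield the list of suspects.
    t_half = 5 * math.sqrt(mh)  # assumed threshold, 5 sigma of an innocent score
    suspects = [j for j in range(n) if score(y, X[j], ls, half[j]) > t_half]
    # Judge: rescoring over the bits the Provider never saw.
    t_rest = 5 * math.sqrt(m - mh)
    rest = {j: [i for i in range(m) if i not in half[j]] for j in suspects}
    guilty = [j for j in suspects if score(y, X[j], ls, rest[j]) > t_rest]
    return suspects, guilty
```

Because the judge's score uses only positions outside the halfword, a Provider who knows just the halfword bits cannot predict or shape that second score.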


Conclusion

• First asymmetric protocol specific to Tardos fingerprinting code.
• Generation of code without CA … but with a WORM
• Code length
  • $m_h = O\left[ c^2 \log( n / P_{fs} ) \right]$, where $P_{fs}$ = Prob of wrong suspicion
  • $m = O\left[ c^2 \log\left( n / (P_{fs} \cdot P_{fa})^{1/2} \right) \right]$
  • If $P_{fs} = P_{fa}$, the length is doubled
• List sizes: P > c, we recommend P = 100
• Misc.:
  • Discussion about security, efficiency and OT implementations
  • Application to Buyer-Seller with homomorphic encryption watermarking


Fingerprinting in the industry

The DNA approach

Watermarking each block in super high quality

[Diagram: Content Provider, Technology Provider; two rows of blocks, 0 0 0 0 0 and 1 1 1 1 1]


Threats on Tardos code

[Diagram: Provider, User #j; two rows of blocks, 0 0 0 0 0 and 1 1 1 1 1; $X_j$]