Efficient Fingerprinting to Protect Digital Content Josh Benaloh Gideon Yuval Microsoft Research...

Efficient Fingerprinting toProtect Digital Content

Josh BenalohGideon Yuval

Microsoft Research

FingerMark

Andrew RosenMicrosoft Studios

Fingerprinting of Content

If protected content is somehow released from a playback device, it may be desirable to have a method to enable identification of the device from which the content was released.

Fingerprinting by the Device

A simple approach to fingerprinting is have have each playback device insert a “unique” identifying signal into its output stream.

Drawbacks …

• A compromised player can bypass this step.

• Deployed fingerprinting schemes are difficult to update.

Differential Decryption

It would be nice if it were possible to give different keys to each playback device such that the content is slightly different when decrypted with distinct keys.


EncryptedContent

DecryptedContent

Decrypted

Content

Key 2Key 1


A simple observation is that “differential decryption” is possible to achieve (although usually impractical) by creating two separate and slightly different copies of the original content.


EncryptedContent

DecryptedContent

Decrypted

Content

Key 2Key 1


EncryptedContent

DecryptedContent

Decrypted

Content

Key 2Key 1

Encrypted

Content


The efficiency and utility of differential decryption can be greatly enhanced by dividing content into “clips” and separately encrypting two slightly different versions of each clip.


Encrypted Clip 1A Encrypted Clip 1B









Key 1A

Key 2A

Key 3A

Key 4A

Key 1B

Key 2B

Key 3B

Key 4B


Clear Clip 1A Clear Clip 1B




Key 1A

Key 2A

Key 3A

Key 4A

Key 1B

Key 2B

Key 3B

Key 4B


If each playback device is given exactly one of the two decryption keys for each clip, the output generated by that device will form a pattern that can be regarded as a fingerprint of the device.


Clear Clip 1A Encrypted Clip 1B

Encrypted Clip 2A Clear Clip 2B



Key 1A

Key 3A

Key 4A

Key 2B






Key 2A

Key 3A

Key 1B

Key 4B


The content need not be doubled!

• It is not necessary to divide the entire content into clips!!!

• It is only necessary to place these parallel clips into a small portion of the content.


Even if the keys are removed from a playback device, content decrypted with its keys will retain its fingerprint.

The fingerprint is dependent only upon the decryption keys used – not the hardware that held them.


Any method (such as watermarking) can be used to distinguish the two versions of each clip.

The differentiation scheme is dynamic and need not be fixed by the playback device.

Are More Keys a Problem?

The number of content keys that must be transmitted to a playback device seems to grow with the number of clips.

More Keys are not a Problem

As many keys as desired can be packed into the space of a single key.

Either of two crypto tricks can be used.

1. Broadcast Encryption

2. A new application of a technique invented by Chick and Tavares

Broadcast vs. Narrowcast

The method can be illustrated by showing a grid of participants against clips. Each participant is entitled to the keys for the clips shown in orange.

Broadcast vs. Narrowcast

Recipients

Clips

Broadcast

Using Broadcast Encryption, for each clip, the set of participants entitled to that clip is determined, and a single encryption of that clip’s key is produced that enables those (and only those) participants to derive that clip’s key.

Broadcast

Recipients

Clips

Broadcast Encryption

• One encryption per clip key.

• Time to encrypt/decrypt each clip key is proportional to number of copies of content distributed.

• Collusion can allow recipients access to keys to which they are not entitled.

Narrowcast

Using the technique of Chick and Tavares, for each participant, the set of clips to which that participant is entitled is determined, and a single value is produced that allows the participant to derive those (and only those) clip keys.

Narrowcast

Recipients

Clips

Narrowcast

• One encryption per recipient.

• Time to encrypt/decrypt each clip key is proportional to the number of clip keys.

• Collusion does not provide access to additional clip keys.

• Amortization and other efficiencies can significantly reduce encrypt/decrypt times.

Narrowcast

Some details of the mathematics behind the narrowcast method are presented in the following slides.

Narrowcast

Clip 1A Clip 1B

Clip 2A Clip 2B

Clip 3A Clip 3B

Clip 4A Clip 4B

Small Prime Assignment

Clip 1A Clip 1B

Clip 2A Clip 2B

Clip 3A Clip 3B

Clip 4A Clip 4B

Prime 1A

Prime 2A

Prime 3A

Prime 4A

Prime 1B

Prime 2B

Prime 3B

Prime 4B

Clip Key Encryption

• Select a large composite integer N.

• Let y in ZN*.

• Compute each clip key as y1/p mod N where p is the small prime associated with the clip.

Clip Key Encryption

• Select a large composite integer N.

• Randomly select an integer x in ZN*.

• Let P = (all small clip primes).

• Let y = xP mod N.

• Compute clip key k = Hash(y1/p mod N) where p is the small prime associated with the clip.

Clip Key Distribution

• For a given recipient, define ρ to be the product of all small clip primes associated with clips to which that recipient is not entitled.

• Give that recipient the amalgamated key value xρ mod N.

Clip Key Decryption

To obtain a single clip key, a recipient can take amalgamated clip key xρ mod N. and raise it to the power of all appropriate small primes except the small prime p associated with the desired clip.

Security of other Keys

Shamir’s Root Independence Lemma (1980) shows that given y1/p mod N and y1/q mod N, finding y1/r mod N is as hard as computing arbitrary roots modulo N (RSA assumption) unless r|(pq).

Amortization

• A set of m keys can be decrypted using time m log m beyond the time to decrypt a single key.

• After an initial step linear in the number of keys, each of m subsequent keys can be delivered in log m time.

Amortized Decryption

1,8

1,4

1,2

1,1 2,2

3,4

3,3 4,4

5,8

5,6

5,5 6,6

7,8

7,7 8,8


1,8

1,4

1,2

1,1 2,2

3,4

3,3 4,4

5,8

5,6

5,5 6,6

7,8

7,7 8,8

x


1,8

1,4

1,2

1,1 2,2

3,4

3,3 4,4

5,8

5,6

5,5 6,6

7,8

7,7 8,8

x

xp5p6p7p8


1,8

1,4

1,2

1,1 2,2

3,4

3,3 4,4

5,8

5,6

5,5 6,6

7,8

7,7 8,8

x

xp5p6p7p8

xp1p2p5p6p7p8


1,8

1,4

1,2

1,1 2,2

3,4

3,3 4,4

5,8

5,6

5,5 6,6

7,8

7,7 8,8

x

xp5p6p7p8

xp1p2p5p6p7p8

xp1p2p4p5p6p7p8


1,8

1,4

1,2

1,1 2,2

3,4

3,3 4,4

5,8

5,6

5,5 6,6

7,8

7,7 8,8

m leaves


1,8

1,4

1,2

1,1 2,2

3,4

3,3 4,4

5,8

5,6

5,5 6,6

7,8

7,7 8,8

m leaves

log m levels


1,8

1,4

1,2

1,1 2,2

3,4

3,3 4,4

5,8

5,6

5,5 6,6

7,8

7,7 8,8

m leaves

log m levelsm small primeexponentiations per level

Conclusions

• Flexible fingerprinting methods are an important tool in content protection.

• Large amounts of keying material may be required for such fingerprinting.

• The methods described minimize the bandwidth requirements for these schemes.

Efficient Fingerprinting to Protect Digital Content Josh Benaloh Gideon Yuval Microsoft Research...

Documents

Transcript of Efficient Fingerprinting to Protect Digital Content Josh Benaloh Gideon Yuval Microsoft Research...