Traitor Tracing
description
Transcript of Traitor Tracing
![Page 1: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/1.jpg)
Traitor Tracing
Papers
Benny Chor, Amos Fiat and Moni Naor, Tracing Traitors (1994)
Moni Naor and Benny Pinkas, Threshold Traitor Tracing (1998)
Presented By: Anukool Lakhina, Keren Pinkas and Scott Savarese
![Page 2: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/2.jpg)
How this Presentation is Organized
First, we motivate and introduce the General Traitor Tracing problem that we want to solve.
Next, we introduce two methods to solve this problem.
We then analyze the efficiency of each method.
We conclude with a concrete example.
![Page 3: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/3.jpg)
Motivation
We want to trace the source of leaks when sensitive or proprietary data is made available to a large set of parties.
![Page 4: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/4.jpg)
Typical Scenario
• We are Cablevision. We only want to broadcast to legal subscribers (all of which have a special decrypting key).
• Suppose Professor Itkis is a subscriber who with other subscribers designs a device which will allow people to view our broadcasts without paying.
• The Goal: After confiscating this device, how do we figure out who supplied the keys which decrypt our broadcasts.
• This is the basic idea of Traitor Tracing.
![Page 5: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/5.jpg)
Basic Definitions
Data Provider: Cablevision (Us). Traitor (Pirate): Professor Itkis and his
friends. Content: Our encrypted broadcasts. Pirate Decoder: Device used by the pirates
to decrypt our encrypted broadcasts.
![Page 6: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/6.jpg)
Basic Assumptions
Two types of pirate decoders:– 1) Created by obtaining keys from legitimate users.
– 2) Created by breaking the underlying encryption.
We assume that our encryption scheme is difficult to break. So, we only care about Type 1.
We only want to find the traitor who contributed the largest number of keys.
![Page 7: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/7.jpg)
Addressing the Problem
Two methods:– 1) k-Resilient Traitor Tracing (Fully Resilient Traitor
Tracing)
– 2) Threshold Traitor Tracing
k-Resilient Traitor Tracing Scheme catches anyone who can illegally decrypt our encrypted broadcast.
Threshold Traitor Tracing Scheme catches anyone who can illegally decrypt more than a specified fraction of our encrypted broadcast.
![Page 8: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/8.jpg)
Efficiency Parameters
We measure the efficiency of these solutions in terms of the following parameters:
(a) Memory and Computation requirements for the user.
(b) Memory and Computation requirements for the Data Provider
(c) Data Redundancy Overhead – How much more data do we need to broadcast in order to be trace traitors.
![Page 9: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/9.jpg)
k-Resilient Traitor Tracing(Fully Resilient Traitor Tracing)
![Page 10: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/10.jpg)
k-Resilient Tracing
A scheme is k-resilient if it can correctly identify a traitor and not an innocent user even if k traitors combine and collude.
We are only able to catch the traitor who submits the most keys to the pirate decoder.
![Page 11: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/11.jpg)
How Data is Broadcasted
Broadcast is broken up into pieces Each piece contains two parts: the enabling
block and the cipher block.
Message = <Enabling Block, Cipher Block> Cipher Block is created using a secret key
or one time pad obtained by decrypting the information in the enabling block.
![Page 12: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/12.jpg)
One Level Open SchemeThe simplest Maps n users into a set of 2k2
encryption keys Users Keys, P(u) = O(k2log n) Enabling Block = O(k4 log n )
![Page 13: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/13.jpg)
Initialization
We create l first-level hash functions <h1,h2,…hl>.
Each hi maps a particular user, u into one of 2k2 sets.
Thus the personal key for a user contains l keys <h1(u), h2(u), … hl(u)>
![Page 14: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/14.jpg)
Distribution of Secret
The cipher block is encrypted with either a one time pad or secret key s.
Key s is broken into l pieces such that
s = s1 XOR s2 XOR … si … XOR sl
Each si is encrypted with each of the 2k2 keys.
![Page 15: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/15.jpg)
Decryption of Cipher Block
Each user has a key for each row i in the enabling block.
They are able to decrypt si and thus are able to obtain s
With s they obtain the information in the cipher block
![Page 16: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/16.jpg)
Creation of a Pirate Decoder
At most k people get together. For each i from 1 to l, the create a set of
keys F. Without keys for each of the l rows they are
unable to decrypt the cipher block. With all l keys they are able to decrypt
every secret they receive.
![Page 17: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/17.jpg)
Detection of Traitors
Using black box techniques the set of keys F is determined.
For each row i we perform h-1(fi). This gives us a set of users that map to that key. We mark each user.
After obtaining the list of users for all l keys, the user seen the most is the traitor.
![Page 18: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/18.jpg)
Proof
Each traitor in coalition gives at most l/k keys.
For each row i the coalition has at most k keys. The probability that a particular user’s key is one of the k keys is 1/2k.
Must create l such that the number of an innocent user’s keys that are exposed is less than l/k.
![Page 19: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/19.jpg)
Results
We determine l to be 4k2 log n Thus, the number of keys a user has is
4k2 log n The enabling block consists of 8k4 log n
![Page 20: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/20.jpg)
Secret One-Level Scheme
Keeps the hash mapping secret Lower costs then the one-level open scheme
by a factor of k. Simpler construction Introduces a probability p which is the
probability that pirates will create a device that is untraceable.
![Page 21: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/21.jpg)
Secret scheme (contd.)
Same as one-level open scheme exact that instead of 2k2 groups there are only4k.
The number of keys that a user has is
(4/3)k log (n/p) The number of keys in the enabling block is
(16/3)k2 log (n/p)
![Page 22: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/22.jpg)
Threshold Traitor Tracing
![Page 23: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/23.jpg)
Threshold Traitor Tracing Suppose Cablevision divides a program into 1 minute
segments. An illegal decoder which can decrypt 90% of these segments will fail to decode one minute out of ten minutes. Will you pay for such a decoder?
So, for many applications, a decoder which can decrypt with a low success probability is useless.
So the real threat are decoders which can decrypt, say, 99% of all the segments. Threshold Traitor Tracing only concerns with these decoders.
We want to be able to catch a true traitor with probability 1-p. (So ideally, we want p to be very very small.)
![Page 24: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/24.jpg)
How do we distribute the Content
We generate a meta-key which contains a base set A of random keys and we assign l keys to each user.
These l keys form the user’s Personal Key. (Two users cannot have exactly the same set of keys.)
A program is always broadcasted in segments. Each segment consists of two parts: an enabling block and a cipher block.
Message = <enabling block, cipher block> Cipher Block is the encrypted program segment, using
some secret key s. Enabling Block allows authorized users to obtain the
secret key, s.
![Page 25: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/25.jpg)
A One-Level q-Threshold Scheme Specify our threshold by q. (That is, we
want to catch all decoders that can decode q of the broadcast segments.)
Let n be the number of legal subscribers. Let k be the number of traitors.
![Page 26: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/26.jpg)
We address the following about One-
Level Threshold Traitor Tracing Initialization Distribution of Secret Decryption Procedure Parameters Involved Tracing Procedure Analysis
![Page 27: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/27.jpg)
1) Initialization:
We have a set of l hash functions {h1, h2, … ,hl} which are chosen at random.
Each hash function maps a particular user, u into one of a 4k random keys.
So, user u receives l keys: {h1(u), h2(u), … , hl(u)}.
All this can be represented very nicely in a l x 4k matrix A.
![Page 28: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/28.jpg)
2) Distribution of Secret Let s be the secret key to be distributed. We (The
Data Provider) divide the secret key, into t shares, where t is random, and 0 < t <= l.
We ensure that s = s0 xor s1 xor … xor st
Each si is encrypted using each of the 4k keys of the corresponding row in matrix A.
(continued…)
![Page 29: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/29.jpg)
Distribution of Secret (contd.)
Let w be a fraction such that q <= w < 1. The scheme divides the secret into t shares and
ensures that a decoder which contain keys from a fraction of at least w of the l rows would be able to decrypt the secret with probability greater than q.
![Page 30: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/30.jpg)
3) Decryption
Each authorized user has one key from every row and is therefore always able to decrypt every si and compute s.
![Page 31: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/31.jpg)
4) Parameters
Memory Required per user is m=l keys. Amount of work that each user performs to
reveal a key is O(t). Data Redundancy Overhead is r=4kt.
![Page 32: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/32.jpg)
5) Tracing We are only concerned with decoders that have keys from
wl rows. (Since only these decoders can decrypt with probability q).
Suppose we have the set of keys F that a pirate decoder uses to crack our encrypted broadcast. Suppose F contains at least one key from each of the wl rows of Matrix A. Denote these rows by r1, r2,…, rwl and denote the key common to F and row ri as fri. Since we know the hash function, hri we can compute its inverse and determine the users of that key .
The user with the largest number of marks is our traitor.
![Page 33: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/33.jpg)
6) Analysis of One-Level Threshold
There are k traitors. On average, each traitor contributes wl/k keys to
F. How do we know that an innocent user say, Alice,
is not identified as a traitor? The probability that fri equals the key mapped to
Alice is 1/4k. So, the probability that at least wl/k of the keys of Alice are in F is at most 2^-3wl/4k. We choose an l such that the probability of this happening is very very small.
![Page 34: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/34.jpg)
Results! Recall q is our threshold value. k is the number of traitors.
n is the number of users. 1-p is the probability of catching a true traitor. We have the following:
Personal Key, l, consists of (4k/3w) * log(n/p) keys. Data Redundancy Overhead, 4kt, is:
4k* log(1/q) / log (1/w) keys. Number of decryptions, that each user must perform is
log(1/q) / log (1/w) decryptions. (So if w=q, number of decryptions needed is 1.)
![Page 35: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/35.jpg)
Two Level k-Resilient Traitor Tracing
(Fully Resilient TraitorTracing)
![Page 36: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/36.jpg)
Two Level Open Scheme
Much more complicated than a one-level scheme.
More efficient by a factor of k. User has 2k2 log2 k log n keys. 4k3 log4 k log n keys in the enabling block.
![Page 37: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/37.jpg)
Two Level Threshold Traitor Tracing
![Page 38: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/38.jpg)
Two Level Threshold Scheme Two-Level Threshold Schemes are constructed
from One-Level Threshold Schemes by using many One-Level Schemes and applying a hash function to map users to schemes
Advantages: Shorter key length than one-level Disadvantages: Higher Data Redundancy than
one-level. In one-level, q is predefined. Two-level threshold
schemes allow us to have q as a function of other parameters.
![Page 39: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/39.jpg)
Results
![Page 40: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/40.jpg)
Some Numbers:
Suppose:– number of users, n = 106
– number of traitors, k = 1000– Our threshold,
• q = 0.75• q = 0.95
– Probability of finding the true traitor is 1-p (where p=10-3)
We have the following results
![Page 41: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/41.jpg)
ResultsPersonal
KeyData Redun. Decryption
Operations
Fully Resilient Open One-Level
80,000,000 1.6 x 1014 80,000,000
Fully Resilient Secret One-Level
40,000 160,000,000 40,000
Fully Resilient Secret Two Level
496 21,270,000 496
Threshold
One-Level (q = o.75)
53,000 4,000 1
Threshold
Two-Level (q = 0.75)
380 1,290,000 13
Threshold
One-Level (q = 0.95)
42,000 4,000 1
![Page 42: Traitor Tracing](https://reader035.fdocuments.us/reader035/viewer/2022062217/56814996550346895db6dadf/html5/thumbnails/42.jpg)
Conclusions:
For many applications, there is no need to have a fully resilient tracing scheme.
Threshold Tracing Schemes are more efficient.