Traitor Tracing Revisited: New Attackers, Stronger Security Model and New Construction

In Crypto 94, Chor, Fiat, and Naor first introduced the traitor tracing (TT) systems, which aim at helping content distributors identify pirates. Since its introduction, many traitor tracing schemes have been proposed. However, we observe until now almost all the traitor tracing systems using probabilistic public key (and secret key) encryption as the the content distribution algorithm, they do not consider this basic fact: the malicious encrypter can plant some trapdoor in the randomness of the ciphertexts and later he can use this trapdoor or the delegation of the trapdoor to construct decoding pirates, He can sell them to the black market and get his own benefits. At first sight, this new attack model is too strong to capture the real attack scenarios. But we think it is valuable at least for the following two reasons: (1) Note in many modern content distribution systems, there are at least existing three different roles: { the content provider, the content distributer and the content consumer. In this framework, the encrypter is not necessarily the content provider (or content owner). It can be a malicious employee in the content provider corporation, it can also be the malicious content distributer or its malicious employee}. In all these cases, the encrypter has its own benefits and has the potential intention to plant some trapdoor in the randomness for generating ciphertexts. (2) Also note in the related work, there is a conclusion that traitor tracing and differential privacy can have directly influence on each other, while differential privacy (DP) is at the heart of constructing modern privacy preserving systems. But if we consider this new insider attacker (the encrypter), at least some part arguments on the relationship between traitor tracing and differential privacy need more consideration. Therefore in this paper we carefully describe this new insider attacker and investigate thoroughly on its effect. Our main research results are the following: (1) We show that many existing public key traitor tracing systems with probabilistic encryption algorithm are failing to work correctly when facing this malicious encrypter.They are including the BSW, BW, GKSW, LCZ and BZ traitor tracing systems. Furthermore, we conclude that most of the existing traitor tracing systems using probabilistic encryption algorithm can not resist this attack. (2) When considering the insider attacker (the encrypter), if the traitor tracing schemes using probabilistic encryption algorithms, the conclusion on tight relationship between traitor tracing and differential privacy may need more consideration. (3) By employing the technique of hash function, we show how to design TT+ system which can resist this type of attack based on the existing traitor tracing system. Compared with the old traitor tracing system, our new proposal does not add much overhead and thus is practical too

Dynamic Traitor Tracing for Arbitrary Alphabets: Divide and Conquer

We give a generic divide-and-conquer approach for constructing collusion-resistant probabilistic dynamic traitor tracing schemes with larger alphabets from schemes with smaller alphabets. This construction offers a linear tradeoff between the alphabet size and the codelength. In particular, we show that applying our results to the binary dynamic Tardos scheme of Laarhoven et al. leads to schemes that are shorter by a factor equal to half the alphabet size. Asymptotically, these codelengths correspond, up to a constant factor, to the fingerprinting capacity for static probabilistic schemes. This gives a hierarchy of probabilistic dynamic traitor tracing schemes, and bridges the gap between the low bandwidth, high codelength scheme of Laarhoven et al. and the high bandwidth, low codelength scheme of Fiat and Tassa.Comment: 6 pages, 1 figur

Dynamic Tardos Traitor Tracing Schemes

We construct binary dynamic traitor tracing schemes, where the number of watermark bits needed to trace and disconnect any coalition of pirates is quadratic in the number of pirates, and logarithmic in the total number of users and the error probability. Our results improve upon results of Tassa, and our schemes have several other advantages, such as being able to generate all codewords in advance, a simple accusation method, and flexibility when the feedback from the pirate network is delayed.Comment: 13 pages, 5 figure

Efficient Probabilistic Group Testing Based on Traitor Tracing

Inspired by recent results from collusion-resistant traitor tracing, we provide a framework for constructing efficient probabilistic group testing schemes. In the traditional group testing model, our scheme asymptotically requires T ~ 2 K ln N tests to find (with high probability) the correct set of K defectives out of N items. The framework is also applied to several noisy group testing and threshold group testing models, often leading to improvements over previously known results, but we emphasize that this framework can be applied to other variants of the classical model as well, both in adaptive and in non-adaptive settings.Comment: 8 pages, 3 figures, 1 tabl

Dynamic Traitor Tracing Schemes, Revisited

We revisit recent results from the area of collusion-resistant traitor tracing, and show how they can be combined and improved to obtain more efficient dynamic traitor tracing schemes. In particular, we show how the dynamic Tardos scheme of Laarhoven et al. can be combined with the optimized score functions of Oosterwijk et al. to trace coalitions much faster. If the attack strategy is known, in many cases the order of the code length goes down from quadratic to linear in the number of colluders, while if the attack is not known, we show how the interleaving defense may be used to catch all colluders about twice as fast as in the dynamic Tardos scheme. Some of these results also apply to the static traitor tracing setting where the attack strategy is known in advance, and to group testing.Comment: 7 pages, 1 figure (6 subfigures), 1 tabl

Optimal sequential fingerprinting: Wald vs. Tardos

We study sequential collusion-resistant fingerprinting, where the fingerprinting code is generated in advance but accusations may be made between rounds, and show that in this setting both the dynamic Tardos scheme and schemes building upon Wald's sequential probability ratio test (SPRT) are asymptotically optimal. We further compare these two approaches to sequential fingerprinting, highlighting differences between the two schemes. Based on these differences, we argue that Wald's scheme should in general be preferred over the dynamic Tardos scheme, even though both schemes have their merits. As a side result, we derive an optimal sequential group testing method for the classical model, which can easily be generalized to different group testing models.Comment: 12 pages, 10 figure

Discrete Distributions in the Tardos Scheme, Revisited

The Tardos scheme is a well-known traitor tracing scheme to protect copyrighted content against collusion attacks. The original scheme contained some suboptimal design choices, such as the score function and the distribution function used for generating the biases. Skoric et al. previously showed that a symbol-symmetric score function leads to shorter codes, while Nuida et al. obtained the optimal distribution functions for arbitrary coalition sizes. Later, Nuida et al. showed that combining these results leads to even shorter codes when the coalition size is small. We extend their analysis to the case of large coalitions and prove that these optimal distributions converge to the arcsine distribution, thus showing that the arcsine distribution is asymptotically optimal in the symmetric Tardos scheme. We also present a new, practical alternative to the discrete distributions of Nuida et al. and give a comparison of the estimated lengths of the fingerprinting codes for each of these distributions.Comment: 5 pages, 2 figure

A Secure Traitor Tracing Scheme against Key Exposure

Copyright protection is a major issue in distributing digital content. On the other hand, improvements to usability are sought by content users. In this paper, we propose a secure {\it traitor tracing scheme against key exposure (TTaKE)} which contains the properties of both a traitor tracing scheme and a forward secure public key cryptosystem. Its structure fits current digital broadcasting systems and it may be useful in preventing traitors from making illegal decoders and in minimizing the damage from accidental key exposure. It can improve usability through these properties.Comment: 5 pages, IEEE International Symposium on Information Theory 2005 (ISIT 2005

Capacities and Capacity-Achieving Decoders for Various Fingerprinting Games

Combining an information-theoretic approach to fingerprinting with a more constructive, statistical approach, we derive new results on the fingerprinting capacities for various informed settings, as well as new log-likelihood decoders with provable code lengths that asymptotically match these capacities. The simple decoder built against the interleaving attack is further shown to achieve the simple capacity for unknown attacks, and is argued to be an improved version of the recently proposed decoder of Oosterwijk et al. With this new universal decoder, cut-offs on the bias distribution function can finally be dismissed. Besides the application of these results to fingerprinting, a direct consequence of our results to group testing is that (i) a simple decoder asymptotically requires a factor 1.44 more tests to find defectives than a joint decoder, and (ii) the simple decoder presented in this paper provably achieves this bound.Comment: 13 pages, 2 figure