Add to collection(s) Add to saved
  1. No category

An Asymmetric Fingerprinting Scheme based on Tardos Codes

advertisement 
1
An Asymmetric Fingerprinting Scheme
based on Tardos Codes
Ana Charpentier
INRIA Rennes
Caroline Fontaine
CNRS Télécom Bretagne
Teddy Furon
INRIA Rennes
Ingemar Cox
University College London
2
The story of this paper
IEEE WIFS’2010, London.
During the tutorial on Tardos Code, Ingemar asked
“You always assume that the Provider is trusted. Why?”
My Answers:
“i) !?!, …Hmm…
ii) Tardos code is not meant for asymmetric fingerprinting
iii) asymmetric fingerprinting is not practical ”
Introduction
TRADITIONAL ‘symmetric’ fingerprinting
•
•
•
Huge improvements thanks to G. Tardos
The length of codewords has been drastically reduced
Industrial deployments are on their ways
Requirements
•
•
•
•
n
c
Pfa
m
number of users
size of the collusion
probability of accusing innocent users
code length
m = O [ c2 . log( n / Pfa ) ]
€
Provider
0
1
0
User
…
1
0
4
Introduction II
ASYMMETRIC fingerprinting
•
•
•
•
Different Trust Model:
– Content Provider is untrustworthy
– May want to frame an innocent user.
Dates back to 1996 [Pfitzmann&Schunter]
4 actors: User, Provider, Certification Authority, and the Judge
4 steps: Key generation, Fingerprinting, Identification and Dispute.
CA
pirated
copy
Provider
User
Judge
fingerprinted
copy
Tardos code construction
Initialization:
•
p = (p1, …,pm)
Code:
•
•
generate secret bias vector p
0 < pi < 1
pi ~ f (p) i.i.d.
generate n x m binary matrix X
Each row is a codeword
s.t. Prob [ Xji = 1 ] = pi
Xj = ( Xj1, …, Xjm )
p
p1 = 0.8
p2 = 0.5
p3 = 0.7
…
pm = 0.1
X1
1
0
1
…
0
X2
1
1
0
…
1
X3
0
0
1
…
0
1
1
1
…
0
…
Xn
6
Tardos code accusation
When a pirated copy is found…
•
•
Extract binary sequence
Y = (Y1,…, Ym)
Y is a mixture of the colluders’ codewords
Accusation (Single decoder)
•
•
Compute a score per user
Sj = G (Y, Xj , p)
Accuse
– users whose scores are above threshold T
– user with maximum score if above threshold T
7
Threats on Tardos code I
Provider
0
1
0
…
1
0
0
1
0
…
1
0
User #j
Generate p
Generate X
Watermark and distribute
P2P
8
Threats on Tardos code II
Content
Provider
Trusted
Tech. Provider
Generate p
Generate X
Watermark
Distribute
Xj
0
1
0
… 1
0
User #j
0
1
0
… 1
0
User #a1
0
1
0
… 1
0
User #a2
...
0
K=3 accomplices frame
innocent User #j
1
0
… 1
0
User #aK
Collusion
9
Threats on Tardos code III
Content
Provider
Generate p
Generate X
Y
Trusted
Tech. Provider
0
1
0
… 1
0
Decode
Watermark
How to frame innocent user #j during the score computation?
• Y and Xj are fixed
• The provider is the only one knowing p
It is possible to tweak p into p’ s.t.
• Score Sj = G (Y, Xj , p’ ) > T
• p’ looks like drawn from f
pirated
copy
10
Lessons learnt from the threats
• The provider
•
•
Should not know the code X (or only a fraction)
Should not change secret p between code generation and score
computation
•The User
•
•
•
Should know neither the secret p nor the fingerprint of any other user
Should have a codeword drawn from the distribution induced by p
Should not be able to modify his codeword
11
A protocol based on Oblivious Transfer
OT - 1:N “Pick a card, any card!”
Alice
A deck of N cards
Bob
12
OT based on commutative encryption
Commutative encryption
•
CE( kB, CE( kA, m)) = CE( kA, CE( kB, m))
Oblivious transfer
Alice
Bob
…
c1 = E( k1, m1)
c2 = E( k2, m2)
d1 = CE( kA, k1)
d2 = CE( kA, k2) …
cN = E( kN, mN)
dN = CE( kA, kN)
u = CE( kB, di)
w = CE-1( kA, u)
CE-1( kB, w)= ki
13
Protocol: generation of codewords – Phase 1
Initialization - Provider
•
Generate and quantize over P-1 values: p = (p1, …,pm) with pi = li / P
•
For all index i, create a list of P objects:
list C i :
c1,i = E( k1,i, m1,i),
…,
c1,P = E( k1,P, m1,P)
•
There are only 2 versions of the message
– For li objects:
mk,i = 1 || sk1,i || ref_txt1,i
– For P-li objects:
mk,i = 0 || sk0,i || ref_txt0,i
•
Publish these m lists on a WORM (Write Once Read Many) repository
14
Protocol: generation of codewords – Phase 1
Code construction: User #j registers
Provider
•
•
Randomly draw a permutation πj over [1, …, P]
For all index i, create a list of P encrypted keys
list D i,j :
d1 = CE( kA, πj (1) || kπj (1),i ), …, dP = CE( kA, πj (P) || kπj (P),i )
•
Send these m lists to user #j
User - Provider
•
•
Run the OT protocol
Permutation πj prevents collusion at code generation
– “Don’t pick this item, I already know that it is a 0”
Protocol: generation of codewords – Phase 1
WORM
list C
1
list C
list C
…
2
Provider
m
User #j
p = (p1=0.8, p2=0.5,…,pm=0.1)
Xj = (0, 0, …,1)
sk0,1, sk0,2, …, sk1,m
0
0
0
…
0
0
1
1
1
…
1
1
16
Protocol: generation of codewords – Phase 2
Provider needs a partial knowledge of the codewords
•
•
•
Allow the identification of suspects
Order User #j to reveal mh < m bits of codewords.
So-called halfword [Pfitzmann&Schunter96]
Xj = ( 0, 0 , 1, 0, 1, …, 0, 1 )
Colluders
•
Should not know the location of the
bits
Solution
•
•
•
•
•
Yet another Oblivious Transfer OT – mh : m
Alice = User #j
Bob = Provider
Objects = keys used during Phase 1: kB,i
Provider gets mh elements of the lists D i,j chosen by #j (specific to User #j)
Protocol: generation of codewords – Phase 1
WORM
list C
1
list C
list C
…
2
Provider
m
User #j
p = (p1, …,pm)
Xj = (0, 0, …,1)
sk0,1, sk0,2, …, sk1,m
Xj = (?, 0, ?,…,1)
0
0
0
…
0
0
1
1
1
…
1
1
18
Accusation
The scouting agency finds a pirated copy.
The Technology Provider extracts sequence Y
The Provider
•
•
Compute scores restricted to halfwords
Send a list of suspects with halfwords, secret p and Y
The judge
•
•
•
•
•
Verifies computation
Ask Provider for the keys to decrypt C lists in the WORM
Ask suspected users for the keys to decrypt the OT
Compute scores over the non-halfword codeword
Compare to threshold T
p
Xj
19
Conclusion
• First asymmetric protocol specific to Tardos fingerprinting code.
• Generation of code without CA … but with a WORM
• Code length
•
•
•
mh = O[ c2 log (n/ Pfs) ]
Pfs = Prob of wrong suspicion
m = O[ c2 log ( n / (Pfs. Pfa)1/2 ) ]
If Pfs = Pfa , the length is doubled
• List sizes: P > c , we recommend P = 100
• Misc.:
•
•
Discussion about security, efficiency and OT implementations
Application to Buyer-Seller with homomorphic encryption watermarking
20
Fingerprinting in the industry
The DNA approach
Watermarking each block in super high quality
Content Provider
Technology Provider
…
0
0
0
…
0
0
1
1
1
…
1
1
21
Threats on Tardos code
Provider
0
0
0
1
1
1
…
User #j
0
0
1
1
0
Xj
1
0
…
1
0
Related documents
MS Word
MS Word
Cryptology and Coding Theory
Cryptology and Coding Theory
Homework #1 Due
Homework #1 Due
Introduction
Introduction
The QZ Algorithm for the Calculation of the Eigenvalues of a Real
The QZ Algorithm for the Calculation of the Eigenvalues of a Real
DNA Fingerprinting Lab Report (Formal Grade)
DNA Fingerprinting Lab Report (Formal Grade)
DCFS FOSTER CARE / ADOPTION
DCFS FOSTER CARE / ADOPTION
COS 423 - Princeton University
COS 423 - Princeton University
A Dual Version of Tardos's by
A Dual Version of Tardos's by
Download
advertisement