220 likes | 337 Views
An Asymmetric Fingerprinting Scheme based on Tardos Codes. Ana Charpentier INRIA Rennes Caroline Fontaine CNRS Télécom Bretagne Teddy Furon INRIA Rennes Ingemar Cox University College London. The story of this paper. IEEE WIFS’2010, London.
E N D
An Asymmetric Fingerprinting Scheme based on Tardos Codes Ana CharpentierINRIA Rennes Caroline Fontaine CNRS Télécom Bretagne Teddy FuronINRIA Rennes Ingemar Cox University College London
The story of this paper • IEEE WIFS’2010, London. • During the tutorial on Tardos Code, Ingemar asked • “You always assume that the Provider is trusted. Why?” • My Answers: • “i)!?!, …Hmm… • ii) Tardos code is not meant for asymmetric fingerprinting • iii) asymmetric fingerprinting is not practical ”
Introduction 1 1 … • TRADITIONAL ‘symmetric’ fingerprinting • Huge improvements thanks to G. Tardos • The length of codewords has been drastically reduced • Industrial deployments are on their ways • Requirements • n number of users • c size of the collusion • Pfa probability of accusing innocent users • m code length m = O [ c2 . log( n / Pfa)] 0 0 0 € Provider User
Introduction II • ASYMMETRIC fingerprinting • Different Trust Model: • Content Provider is untrustworthy • May want to frame an innocent user. • Dates back to 1996 [Pfitzmann&Schunter] • 4 actors: User, Provider, Certification Authority, and the Judge • 4 steps: Key generation, Fingerprinting, Identification and Dispute. CA pirated copy fingerprinted copy Provider User Judge
Tardos code construction • Initialization: generate secret bias vector p • p = (p1, …,pm) 0 < pi < 1 pi ~ f (p) i.i.d. • Code: generate nxm binary matrix X • Each row is a codeword Xj = ( Xj1, …, Xjm) • s.t. Prob [ Xji= 1 ] = pi
Tardos code accusation • When a pirated copy is found… • Extract binary sequence Y = (Y1,…, Ym) • Y is a mixture of the colluders’ codewords • Accusation (Single decoder) • Compute a score per user Sj = G (Y,Xj,p) • Accuse • users whose scores are above threshold T • user with maximum score if above threshold T
Threats on Tardos code I 1 1 1 1 … … 0 0 0 0 0 0 Provider User #j Generate p Generate X Watermark and distribute P2P
Threats on Tardos code II 1 1 1 1 1 1 1 1 … … … … 0 0 0 0 0 0 0 0 0 0 0 0 Content Provider Trusted Tech. Provider User #j Generate p Generate X Watermark Distribute User #a1 User #a2 Xj ... User #aK K=3 accomplices frame innocent User #j Collusion
Threats on Tardos code III 1 1 … 0 0 0 Y Content Provider Trusted Tech. Provider pirated copy Generate p Generate X Decode Watermark • How to frame innocent user #j during the score computation? • Y and Xj are fixed • The provider is the only one knowing p • It is possible to tweak p into p’s.t. • Score Sj = G (Y,Xj,p’ ) > T • p’ looks like drawn from f
Lessons learnt from the threats • The provider • Should not know the code X (or only a fraction) • Should not change secret p between code generation and score computation • The User • Should know neither the secret p nor the fingerprint of any other user • Should have a codeword drawn from the distribution induced by p • Should not be able to modify his codeword
A protocol based on Oblivious Transfer • OT - 1:N“Pick a card, any card!” Alice Bob A deck of N cards
OT based on commutative encryption • Commutative encryption • CE( kB, CE( kA, m)) = CE( kA, CE( kB, m)) Oblivious transfer Alice Bob c1 = E( k1, m1) c2 = E( k2, m2) … cN = E( kN, mN) d1 = CE( kA, k1) d2 = CE( kA, k2) … dN = CE( kA, kN) u = CE( kB, di) w = CE-1( kA, u) CE-1( kB, w)= ki
Protocol: generation of codewords – Phase 1 • Initialization - Provider • Generate and quantize over P-1 values: p = (p1, …,pm) with pi= li/ P • For all index i, create a list of P objects: listCi: c1,i = E( k1,i, m1,i), …, c1,P = E( k1,P, m1,P) • There are only 2 versions of the message • For li objects: mk,i= 1 || sk1,i || ref_txt1,i • For P-li objects: mk,i= 0 || sk0,i || ref_txt0,i • Publish these m lists on a WORM (Write Once Read Many) repository
Protocol: generation of codewords – Phase 1 • Code construction: User #j registers • Provider • Randomly draw a permutation πj over [1, …, P] • For all index i, create a list of P encrypted keys listDi,j : d1 = CE( kA, πj(1) || kπj(1),i), …, dP = CE( kA, πj(P) || kπj(P),i) • Send these m lists to user #j • User - Provider • Run the OT protocol • Permutation πj prevents collusion at code generation • “Don’t pick this item, I already know that it is a 0”
Protocol: generation of codewords – Phase 1 listC1 listC2 … listCm WORM Provider User #j p = (p1=0.8, p2=0.5,…,pm=0.1) Xj = (0, 0, …,1) sk0,1, sk0,2, …, sk1,m … 0 0 0 0 0 1 1 1 … 1 1
Protocol: generation of codewords – Phase 2 • Provider needs a partial knowledge of the codewords • Allow the identification of suspects • Order User #j to reveal mh < m bits of codewords. • So-called halfword[Pfitzmann&Schunter96] Xj = ( 0, 0 , 1, 0, 1, …, 0, 1 ) • Colluders • Should not know the location of the halfword bits • Solution • Yet another Oblivious Transfer OT – mh: m • Alice = User #j • Bob = Provider • Objects = keys used during Phase 1: kB,i • Provider gets mh elements of the listsDi,jchosen by #j(specific to User #j)
Protocol: generation of codewords – Phase 1 listC1 listC2 … listCm WORM Provider User #j p = (p1, …,pm) Xj = (?, 0, ?,…,1) Xj = (0, 0, …,1) sk0,1, sk0,2, …, sk1,m … 0 0 0 0 0 1 1 1 … 1 1
Accusation • The scouting agency finds a pirated copy. • The Technology Provider extracts sequence Y • The Provider • Compute scores restricted to halfwords • Send a list of suspects with halfwords, secret pand Y • The judge • Verifies computation • Ask Provider for the keys to decrypt Clistsin the WORM p • Ask suspected users for the keys to decrypt the OT Xj • Compute scores over the non-halfword codeword • Compare to threshold T
Conclusion • First asymmetric protocol specific to Tardos fingerprinting code. • Generation of code without CA … but with a WORM • Code length • mh = O[ c2 log (n/ Pfs) ] Pfs= Prob of wrong suspicion • m = O[ c2 log ( n/ (Pfs. Pfa)1/2) ] • If Pfs=Pfa,the length is doubled • List sizes: P > c , we recommend P = 100 • Misc.: • Discussion about security, efficiency and OT implementations • Application to Buyer-Seller with homomorphic encryption watermarking
Fingerprinting in the industry … … … • The DNA approach • Watermarking each block in super high quality 1 0 0 1 0 1 0 1 0 1 Content Provider Technology Provider
Threats on Tardos code 1 1 … … … 0 0 1 0 1 1 0 0 0 1 1 0 0 Provider User #j Xj