Cryptographic methods for collusionsecure fingerprinting of digital data

1
Cryptographic methods for collusion-secure
fingerprinting of digital data

• Ingrid Biehl and Bernd Meyer

2
Overview

• Definitions
• Fingerprinting Requirements
• Symmetric Fingerprinting
• Model
• Definition
• Construction
• Limitations
• The Future
• Questions

3
Definitions

• Fingerprinting scheme
• Marks
• Collusions
• Code
• Binary code
• Marking pattern
• c-secure

4
Fingerprinting Requirements

• Guarantee security of the merchants
• Secure against c-collusions
• Protection of innocent buyers

5
Symmetric Fingerprinting

• Model
• True c-secure does not exist
• Therefore, c-secure with e-error

6
Symmetric Fingerprinting

• Definition of a c-secure symmetric fingerprinting
  scheme
• A pair (G,A) where
• There are some constants s,t that G(R,r) is a
  function which maps two bit strings R ? 0,1s
  and r ? 0,1t to a codeword in SL
• For each fixed R the set G(R,r) r ? 0,1t is
  the codebook of G(R)
• A is the tracing algorithm that traces a
  dishonest buyer with probability at least 1-e

7
Symmetric Fingerprinting

• Explanation of Definition
• Each buyer gets a marking pattern mi, may learn
  the value of ri, which was used to compute mi.
• Only R needs to be kept secret
• Buyers know that they got marking patterns
  m1,,mk corresponding to some values r1,,rk but
  still dont know what R was used

8
Symmetric Fingerprinting

• Explanation of Definition
• The cheaters need to find some marking pattern x
  that cant be used to trace them
• They can determine the values of R which satisfy
  the condition miG(R,ri) for 1 i k but they
  cant identify the actual R.
• Merchant will find cheaters with probability 1-e

9
Construction of a symmetric fingerprinting scheme

• n-secure fingerprinting scheme (with d-error) for
  a small set of n buyers
• For n 3, d gt 0, let d2n2log(2n/ d)
• n3, d3/4, d2(32)log((23)/(3/4)) 54
• Identify the bit strings r ? 0,1log2n1 with
  numbers in 1,,n and the bit strings R ?
  0,1log2((dn)!) 1 with permutations pR of
  the set 1,,dn.
• r bit strings n3, 2 bits are required
  (00,01,10,11)
• R bit strings n3, d2, (nd)! 720, 10 bits
  are required (0000000000,,1111111111)
• Given a string ww1,,wdn ? 0,1dn let
  pR(w)wpR(1),, wpR(dn) be the bit string formed
  by permuting the bits in w according to pR
• Let er 0dr1d(n-1-r) and F(R,r) pR(er) for
  0rltn

10
Construction of a symmetric fingerprinting scheme

• Example
• For d3/4, n3 we have d(2(32)log(2(3)/(3/4))
  54
• The codebook is constructed by permuting the bits
  in the following strings according to R
  (er0dr1d(n-1-r))
• e0 111111, e0 0(540)154(3-1-0), so there
  are 108 1s
• e1 000111, e1 0(541)154(3-1-1), so there
  are 54 1s and 0s
• e2 000000 e2 0(542)154(3-1-2), so there
  are 108 0s

11
A scheme for a larger set of buyers

• Let L ? N, 0lte1
• Let G be a d-secure symmetric fingerprinting
  scheme with n codewords, d-error, codeword length
  ll(n,d,d), and tracing algorithm A.
• If dc, de/2L, Nn2c, and L4(c-1)log(4N/e),
  then there is a c-secure symmetric fingerprinting
  scheme G with e-error, N codewords, and codeword
  length lLl(n,d,d)

12
A scheme for a larger set of buyers

• One chooses independently random bit strings
  R1,,RL identically for all users and random bit
  strings r1,,rL individually for each user and
  sets the codeword for the buyer to
• G(R1,,RL,r1,rL) G(R1,r1)??G(RL,rL)
• G is called the low-level code of the
  fingerprinting scheme
• Security is based on the random strings (R)

13
Tracing a dishonest buyer

• The tracing algorithm A first traces each pair of
  L pieces to a codeword in G(Ri).
• The result is a sequence of codewords Ww1,,wl
• High probability of finding traitor with at least
  L/c low-level codewords
• Low probability (at most e) that W matches an
  innocent person with at least L/c low-level
  codewords

14
Most efficient symmetric fingerprinting scheme
known so far

• Given N, c is a natural number, Ngtcgt1, 0lte1, let
  n2c, L4(c-1)log(4N/e), and d2n2log(4nL/e)
• Then there is a c-secure (symmetric)
  fingerprinting scheme with e-error for N buyers
  with marking pattern length
• l Ldnkc4log(N/e)log(1/e) (for some small
  constant k which does not depend on N,e, and c)

15
Limitations

• If the merchant finds an illegally distributed
  version of the data he can never decide whether
  it got distributed by some buyer of by one of his
  employees
• For similar reasons the merchant has no means to
  prove to a third party that a buyer distributed
  the data illegally

16
The Future

• Asymmetric fingerprinting
• Built on the symmetric model
• Merchant and buyer interactively compute a
  fingerprinted version of the data
• The buyer sees the complete fingerprinted version
  of the data but does not know the places and form
  of the marks
• The merchant only gets enough information to
  identify a suspicious buyer of the data and to
  convince an arbiter in a protocol in which the
  buyer may be involved in case an illegal copy is
  found

17
The Future

• Anonymous fingerprinting
• Takes asymmetric fingerprinting a step further
• Normal asymmetric techniques allow the merchant
  to know the identity of each buyer, which is
  necessary to trace dishonest buyers
• To keep privacy, anonymous fingerprinting schemes
  allow the buying of fingerprinted digital data
  without revealing the identity of the buyer to
  the merchant
• If an illegally distributed version of the data
  is found, the merchant is able to find some
  information in its marking pattern which
  identifies at least one traitor

18
Questions?