Broadcast Encryption (PowerPoint presentation, 39 slides; provided by csBg)

Transcript and Presenter's Notes

1
Broadcast Encryption
  • The scenario: a center and a set of n users.
  • Messages must be broadcast in a secure manner so
    that only a subset of the users can decrypt them.
  • The privileged subset changes dynamically.
  • Typical scenario: pay-TV systems, where the access
    rights to each program have been purchased by a
    different subset of the subscribers.

2
Broadcast Encryption
  • The goal: to devise a scheme that allocates
    decryption keys to each user upon joining the
    system, so that afterwards any subset of the
    users can be addressed as the privileged subset.

3
Broadcast Encryption
  • The solution must be efficient in terms of
  • storage and computation at the user end, and
  • the length of the transmission.
  • Another requirement is resiliency against
    coalitions of non-privileged users: a scheme is
    k-resilient if no coalition of up to k users
    outside the privileged subset can decrypt.

4
Broadcast Encryption
  • The most interesting results of the Fiat-Naor
    paper:
  • A k-resilient scheme where the storage per user
    is O(k log k log n) keys and the transmission
    length is O(k^2 log^2 k log n).
  • Another scheme offers resiliency against a random
    coalition of k users except with probability p.
    Its storage is O(log k log(1/p)) keys per user
    and its transmission length is
    O(k log^2 k log(1/p)).

5
Revocation and Tracing Schemes for Stateless Receivers
  • The terms revocation schemes and broadcast
    encryption schemes refer to closely related
    problems:
  • In broadcast encryption schemes one thinks of how
    to control the access of subscribers to the
    viewing packages that they purchased.
  • In revocation schemes one aims at revoking
    decoders that were involved in piracy.

6
Revocation and Tracing Schemes for Stateless Receivers
  • There are two important parameters in this
    context:
  • r, the number of revoked users.
  • k, the upper bound on the size of the coalition
    that cooperates in order to break the system.
  • Broadcast encryption schemes depend on k only (r
    may be very large).
  • Revocation schemes depend on r only (and assume
    that k = r, i.e. all of the revoked users may
    collude).

7
Revocation and Tracing Schemes for Stateless Receivers
  • Stateless receivers: the receivers do not update
    their state from session to session, so every
    broadcast must be decryptable using only the keys
    issued at setup.
  • NNL introduce the Subset-Cover framework, which
    encapsulates a variety of broadcast encryption
    schemes.

8
Revocation and Tracing Schemes for Stateless Receivers
  • In the Subset-Cover framework one defines a
    collection of basic subsets of the users such that
    every subset of users is a union of basic subsets.
  • Each basic subset is assigned a key.
  • The keys that each user receives enable it to
    derive the key of every basic subset to which it
    belongs.
  • The privileged subset is expressed as a union of
    basic subsets, and the session key is encrypted
    separately under the key of each of them.

9
Revocation and Tracing Schemes for Stateless Receivers
  • They introduce two explicit schemes.
  • The first scheme (Complete Subtree) costs log n
    keys per user (storage) and r log n encryptions
    per message (message length).
  • The second scheme (Subset Difference) costs
    (log^2 n)/2 keys per user and 2r encryptions
    per message.
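The Complete Subtree method of slides 8 and 9, as an added example written for this page (it is not NNL's code). The users are the n = 2^h leaves of a complete binary tree, every tree node is a basic subset with its own key, and a user holds the log n + 1 keys on its root path. Revoking a set of leaves means covering the remaining leaves by the subtrees that hang off the Steiner tree of the revoked leaves; the session key is wrapped once per cover subset. The heap-style node numbering, the 16-byte keys and the XOR-with-HMAC "wrapping" are assumptions made to keep the example self-contained; a real system would use a proper key-wrap algorithm.

```python
import hashlib
import hmac
import os

# Added example for the Complete Subtree method of the Subset-Cover framework; written for this
# page, not NNL's code. Users are the n = 2^h leaves of a complete binary tree whose nodes are
# numbered heap-style (root = 1, children of v are 2v and 2v+1, leaves are n .. 2n-1). Every
# node holds an independent key and user u receives the h+1 keys on its leaf-to-root path.
# Key wrapping is a toy XOR-with-HMAC-pad construction used only to keep the example
# self-contained.

def make_tree_keys(n):
    """Center side: one random 16-byte key per tree node (the basic subsets' keys)."""
    assert n >= 2 and n & (n - 1) == 0, "n must be a power of two"
    return {v: os.urandom(16) for v in range(1, 2 * n)}

def user_keys(tree_keys, n, u):
    """Keys handed to user u (0 <= u < n): those on its root path, log2(n) + 1 in total."""
    path, v = {}, n + u
    while v >= 1:
        path[v] = tree_keys[v]
        v //= 2
    return path

def cover(n, revoked):
    """Tree nodes whose subtrees are exactly the non-revoked leaves.
    A node belongs to the cover iff its subtree contains no revoked leaf while its parent's
    does, i.e. it hangs off the Steiner tree spanned by the root and the revoked leaves.
    With nobody revoked the root alone covers everyone."""
    if not revoked:
        return [1]
    steiner = set()
    for u in revoked:
        v = n + u
        while v >= 1:
            steiner.add(v)
            v //= 2
    return sorted(c for v in steiner if v < n
                  for c in (2 * v, 2 * v + 1) if c not in steiner)

def wrap(key, nonce, value):
    """Toy key wrapping: XOR with an HMAC-SHA256 pad derived from (key, nonce); self-inverse."""
    pad = hmac.new(key, b"wrap" + nonce, hashlib.sha256).digest()[:len(value)]
    return bytes(a ^ b for a, b in zip(value, pad))

def broadcast(tree_keys, n, revoked, session_key):
    """Header: a nonce plus the session key wrapped once under each cover subset's key."""
    nonce = os.urandom(12)
    return nonce, [(v, wrap(tree_keys[v], nonce, session_key)) for v in cover(n, revoked)]

def decrypt_header(my_keys, header):
    """A receiver looks for a header entry whose subset it belongs to; a revoked receiver
    holds no cover key (every node on its path lies on the Steiner tree) and gets None."""
    nonce, entries = header
    for v, wrapped in entries:
        if v in my_keys:
            return wrap(my_keys[v], nonce, wrapped)
    return None

def demo(n=16, revoked=(3, 4, 13)):
    """Revoke three of sixteen users and let everybody try to decrypt the header."""
    tree_keys = make_tree_keys(n)
    session_key = os.urandom(16)
    header = broadcast(tree_keys, n, set(revoked), session_key)
    results = {u: decrypt_header(user_keys(tree_keys, n, u), header) for u in range(n)}
    return session_key, header, results

if __name__ == "__main__":
    sk, header, results = demo()
    print("cover subsets:", [v for v, _ in header[1]])
    print("users able to decrypt:", sorted(u for u, k in results.items() if k == sk))
```

For n = 16 and revoked users {3, 4, 13} the cover has 7 subsets, within the r log(n/r) bound of the Complete Subtree method; the Subset Difference method of the second scheme would need at most 2r - 1 = 5 at the price of (log^2 n)/2 keys per user.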

10
The LSD Broadcast Encryption Scheme
  • HS improve the Subset Difference method by
    introducing the Layered Subset Difference method.
  • Relying upon a simple observation, they are able
    to reduce the number of keys that each user gets
    from O(log^2 n) to O(log^(1+ε) n), for any ε > 0,
    while increasing the message length from 2r to 4r.

11
The LSD Broadcast Encryption Scheme
  • Another substantial improvement offered by HS:
  • They showed how to make the message length
    depend on the complexity of the privileged
    subset rather than on the size r of its
    complement.
  • The complexity of a subset of users is defined by
    representing the users as the leaves of a
    complete binary tree and then using the operators
    of inclusion and exclusion (of whole subtrees) in
    order to express the corresponding subset of the
    leaves.

12
Efficient Trace and Revoke Schemes
  • NP begin by introducing revocation schemes that
    are based on secret-sharing techniques.
  • Their methods may be implemented in the stateless
    scenario as well as in the modifiable (stateful)
    scenario.
  • They then show how to enhance the revocation
    scheme with traitor tracing capabilities.
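Secret-sharing based revocation in the style of NP's Diffie-Hellman variant, as an added example written for this page (it is not NP's code, and the exact message layout is this example's assumption). The center holds a random degree-r polynomial P over Z_q and gives user u the point (I_u, P(I_u)). To revoke r users it publishes g^s and the revoked users' points blinded by a fresh s, i.e. g^{s P(I_v)}; a non-revoked user adds its own blinded point and interpolates g^{s P(0)} in the exponent, while a revoked user is left with only r points of a degree-r polynomial. Because the shares are never exposed unblinded, the same personal key serves every session, which is what makes the scheme usable with stateless receivers. The 64-bit safe prime is a toy parameter chosen so the demo runs quickly.

```python
import random

# Added example of the secret-sharing based revocation that NP build on; written for this page
# and not NP's code. Assumed model: a degree-r polynomial P over Z_q; user u holds the share
# (I_u, P(I_u)); to revoke r users the center publishes g^s together with the r revoked users'
# shares "in the exponent", g^{s P(I_v)}, for a fresh random s. A non-revoked user adds its own
# point and interpolates g^{s P(0)} (the session key); a revoked user is left with only r points.
# Group parameters are toy-sized (64-bit safe prime) for speed; not a deployable key size.

def is_probable_prime(n, rounds=20, rng=random):
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(bits=64, rng=random):
    """Safe prime p = 2q + 1 and a generator g of the subgroup of prime order q."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng=rng) and is_probable_prime(2 * q + 1, rng=rng):
            return 2 * q + 1, q, 4      # 4 = 2^2 is a square, hence lies in the order-q subgroup

class Center:
    def __init__(self, r, p, q, g, rng=random):
        self.r, self.p, self.q, self.g, self.rng = r, p, q, g, rng
        self.coeffs = [rng.randrange(1, q) for _ in range(r + 1)]   # P(x); coeffs[0] = P(0)
        self.ids = {}

    def eval_poly(self, x):
        acc = 0
        for c in reversed(self.coeffs):                 # Horner's rule mod q
            acc = (acc * x + c) % self.q
        return acc

    def enroll(self, user):
        """Personal key of a user: a fresh point (I_u, P(I_u)) on the polynomial."""
        i = self.rng.randrange(1, self.q)
        while i in self.ids.values():
            i = self.rng.randrange(1, self.q)
        self.ids[user] = i
        return i, self.eval_poly(i)

    def broadcast(self, revoked):
        """Revocation message for up to r users; short lists are padded with dummy identities
        that nobody holds, so exactly r blinded points are always published."""
        assert len(revoked) <= self.r
        s = self.rng.randrange(1, self.q)
        xs = [self.ids[v] for v in revoked]
        while len(xs) < self.r:
            d = self.rng.randrange(1, self.q)
            if d not in self.ids.values() and d not in xs:
                xs.append(d)
        header = [(x, pow(self.g, s * self.eval_poly(x) % self.q, self.p)) for x in xs]
        session_key = pow(self.g, s * self.coeffs[0] % self.q, self.p)     # g^{s P(0)}
        return pow(self.g, s, self.p), header, session_key

def lagrange_at_zero(xs, q):
    """Coefficients lambda_i (mod q) with sum_i lambda_i * P(x_i) = P(0) for deg P < len(xs)."""
    lams = []
    for i, xi in enumerate(xs):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if j != i:
                num, den = num * xj % q, den * (xj - xi) % q
        lams.append(num * pow(den, -1, q) % q)
    return lams

def recover_key(share, gs, header, p, q):
    """Receiver side. Its own blinded point g^{s P(I_u)} = (g^s)^{P(I_u)} plus the r published
    points give r+1 points, enough to interpolate a degree-r polynomial in the exponent.
    A revoked user's own point is already among the published ones, so it gains nothing."""
    i_u, p_u = share
    points = dict(header)
    if i_u in points:
        return None
    points[i_u] = pow(gs, p_u, p)
    xs = list(points)
    key = 1
    for x, lam in zip(xs, lagrange_at_zero(xs, q)):
        key = key * pow(points[x], lam, p) % p
    return key

def demo(r=3, n_users=8, revoked=(1, 5), seed=7):
    rng = random.Random(seed)
    p, q, g = gen_group(64, rng)
    center = Center(r, p, q, g, rng)
    shares = {u: center.enroll(u) for u in range(n_users)}
    gs, header, session_key = center.broadcast(list(revoked))
    recovered = {u: recover_key(shares[u], gs, header, p, q) for u in range(n_users)}
    return session_key, recovered
```

The receiver's cost is dominated by computing the r+1 Lagrange coefficients and the r+1 exponentiations in `recover_key`; the KT improvement on the next slide replaces the Lagrange coefficients by Newton's divided differences (not implemented here) so that part of the work carries over from one revocation round to the next.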

13
Improved Efficiency for Revocation Schemes via
Newton Interpolation
  • KT improve on the techniques offered by NP by
    using Newton rather than Lagrange interpolation.
  • This offers the following advantages:
  • Shorter revocation messages (by a factor of
    almost 2).
  • A substantial reduction of the computational
    overhead at the user end.
  • A more efficient transition between revocation
    rounds.

14
Tracing Traitors
  • If only one person is told a secret and it next
    appears on the evening news, then the guilty
    party is evident. A more complex situation arises
    if the set of people that have access to the
    secret is large. The problem of determining guilt
    or innocence is (mathematically) insurmountable
    if all people get exactly the same data and one of
    them behaves treacherously and reveals the secret.

15
Tracing Traitors
  • Whenever data is to be available to some and
    unavailable to others, it is customary to use
    encryption in order to protect the data.
  • (In the context of pay-TV such systems are called
    Conditional Access systems.)
  • A traitor may decrypt the content and
    distribute the cleartext to pirates.

16
Tracing Traitors
  • However, in many contexts such piracy is
    ineffective or too risky.
  • CFN consider the scenario in which each of the
    legal users receives a decoder (a physical device
    or a computer program) with a different personal
    key for decrypting the ciphertext.
  • They devised traitor tracing schemes that, given
    an illegal but functioning decoder, are capable
    of identifying at least one of the personal keys
    that were used in creating that decoder.

17
Tracing Traitors
  • The schemes do not rely on any hardware security
    assumptions (namely, tamper-resistant devices).
  • The relevant cost parameters are:
  • Storage and computation at the user's end.
  • Storage and computation at the data supplier's
    end.
  • Communication overhead.
  • Another crucial parameter is resiliency: the
    maximal coalition size k against which tracing
    still succeeds.

18
Tracing Traitors
  • All schemes have the following general form:
  • The center generates a base set R of r keys.
  • Each user u is assigned a subset P(u) ⊆ R of m
    keys; P(u) is the personal key of u.
  • Each message is encrypted under a session key S.
  • An enabling block that accompanies each message
    contains encrypted values that allow a user to
    recover S by decrypting some of these values
    (with keys from P(u)) and then XORing them.

19
Tracing Traitors
  • Some of the users may collude and produce an
    illegal decoder that holds keys from the union of
    their personal keys.
  • The traitor tracing schemes are designed so that
    if such an illegal decoder is captured, at least
    one of the colluding traitors is identified
    (either with certainty, or with a small error
    probability).

20
Tracing Traitors
  • One of the deterministic schemes entails
  • m = 2k^2 log^2 k log n keys per user and
  • an enabling block of r = 4k^3 log^4 k log n key
    encryptions.
  • Another scheme is probabilistic (error
    probability p) and requires
  • m = 4k log(n/p) / 3 keys per user and
  • r = 16k^2 log(n/p) / 3 key encryptions.
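The general form of slides 18 and 19 (base set R, personal key sets P(u), XOR-shared session key in the enabling block, tracing by overlap with the captured decoder), as an added example written for this page in the spirit of CFN's one-level scheme. It is not CFN's code: the block structure (L blocks of B keys, one key per block per user), the toy block sizes in `demo`, the HMAC-based "encryption" and the assumption that the captured decoder's keys can be read out are all this example's choices, and the parameters are not the ones on the slide above.

```python
import hashlib
import hmac
import os
import random
from functools import reduce

# Added example of the general form on slides 18-19, in the spirit of CFN's "one-level" scheme;
# written for this page, not CFN's code. The base set R is L blocks of B keys. User u holds one
# randomly chosen key per block, so m = L. The session key S is split into L XOR shares and share i
# is encrypted under every key of block i, so any user (and any pirate decoder holding one key per
# block) recovers S. Tracing follows CFN's rule: accuse the user whose personal key set overlaps the
# captured decoder's key set the most. Block sizes are toy values for the demo, not CFN's
# parameters, and the decoder is assumed to be "open" (its keys can be read out).

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wrap(key, nonce, value):
    """Toy encryption: XOR with an HMAC-SHA256 pad derived from (key, nonce); self-inverse."""
    return xor(value, hmac.new(key, nonce, hashlib.sha256).digest()[:len(value)])

class Center:
    def __init__(self, n_users, L, B, rng):
        assert 2 <= L < 256
        self.L, self.B = L, B
        self.keys = [[os.urandom(16) for _ in range(B)] for _ in range(L)]             # base set R
        self.users = {u: [rng.randrange(B) for _ in range(L)] for u in range(n_users)}  # P(u) indices

    def personal_key(self, u):
        """P(u) as (block, index, key) triples."""
        return [(i, j, self.keys[i][j]) for i, j in enumerate(self.users[u])]

    def enabling_block(self, session_key):
        nonce = os.urandom(15)
        shares = [os.urandom(16) for _ in range(self.L - 1)]
        shares.append(reduce(xor, shares, session_key))          # XOR of all L shares == S
        block = [[wrap(k, nonce + bytes([i]), shares[i]) for k in self.keys[i]]
                 for i in range(self.L)]
        return nonce, block

def decrypt(key_set, enabling):
    """Decrypt one value per block with whichever key of that block the decoder holds, then XOR."""
    nonce, block = enabling
    return reduce(xor, [wrap(k, nonce + bytes([i]), block[i][j]) for i, j, k in key_set])

def pirate_decoder(center, traitors, rng):
    """Colluders pool their personal keys and pick, per block, one of the keys they jointly hold."""
    return [(i, *rng.choice([(center.users[t][i], center.keys[i][center.users[t][i]])
                             for t in traitors])) for i in range(center.L)]

def trace(center, decoder_keys):
    """Score every user by |P(u) ∩ F| for the decoder's key set F and accuse the maximum.
    Pigeonhole: some traitor supplied at least L/|coalition| of the decoder's keys, whereas an
    innocent user shares only about L/B keys with it by chance."""
    held = {(i, j) for i, j, _ in decoder_keys}
    scores = {u: sum((i, j) in held for i, j in enumerate(idx)) for u, idx in center.users.items()}
    return max(scores, key=scores.get), scores

def demo(n_users=50, k=3, L=40, traitors=(4, 17, 33), seed=1):
    rng = random.Random(seed)
    center = Center(n_users, L, 2 * k * k, rng)
    session_key = os.urandom(16)
    enabling = center.enabling_block(session_key)
    all_users_ok = all(decrypt(center.personal_key(u), enabling) == session_key
                       for u in range(n_users))
    decoder = pirate_decoder(center, list(traitors), rng)
    decoder_ok = decrypt(decoder, enabling) == session_key
    accused, scores = trace(center, decoder)
    return all_users_ok, decoder_ok, accused, scores
```

With L = 40 blocks and a coalition of 3, some traitor must have supplied at least 14 of the decoder's keys, while an innocent user matches a block-of-18 key with probability 1/18 and so scores about 2 on average; this gap between pigeonhole and chance is what the k-dependence of the CFN parameters buys.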

21
Dynamic Tracing Traitors
  • In a typical conditional access system there are
    several levels of keys:
  • The rapidly changing keys that encrypt the actual
    video and audio streams. Such keys (called
    Control Words) change every few seconds.
  • The slowly changing keys that encrypt the control
    words. Such keys are necessary in order to
    deliver the control words to all users before
    they become effective.
  • The fixed personal keys, which are used in order
    to communicate to all users the value of the
    slowly changing keys.

22
Dynamic Tracing Traitors
  • The scenario with which CFN dealt was the one in
    which the last level is attacked.
  • FT were concerned with the scenario in which the
    middle level is attacked: assume that capable
    traitors were able to tamper with their smartcards
    and read the slowly changing keys (important
    note: those keys are the same for all users!).
    They then publish those keys over the Internet.
    How can we trace the source of such piracy and
    stop it?

23
Dynamic Tracing Traitors
  • The suggested schemes implement a kind of
    hide-and-seek game:
  • Whenever such piracy is detected, the center
    starts using more than one key in the middle
    level, giving different keys to different
    subsets of the users.
  • Based on the feedback from the traitors'
    distribution network (which of the keys was
    leaked), the center decides on the allocation of
    keys in the next round.
  • The goal is to slowly close in on the subset of
    traitors until one of them incriminates himself
    by publishing a key that was given only to him
    (or, alternatively, to make them stop their
    activity).

24
Dynamic Tracing Traitors
  • The most efficient scheme reaches a
    multiplication factor of 2p+1 (the number of
    keys in use simultaneously), where p is the
    actual number of active traitors, and detects and
    disconnects all p traitors in p(log n + 1)
    rounds.
  • Another scheme uses the minimal multiplication
    factor of p+1. Alas, it converges in an
    unacceptable time of 2·3^p·p log n + p rounds.
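A simulation of the hide-and-seek game of slide 23, as an added example written for this page. It is deliberately the naive strategy, not FT's scheme: whenever a key leaks, the group holding it is re-keyed as two halves, and a leaked key held by a single user disconnects that user. The assumed model is that each round the pirate network republishes one middle-level key held by some still-connected traitor and the center sees which key it was. The round bound comes out as p(log n + 1), as on the slide above, but the number of keys in use at once is left unbounded; keeping that multiplication factor at 2p+1 (FT) or p+1 (FT, BPS) is exactly what the naive version does not do.

```python
import math
import random

# Added example simulating the hide-and-seek game of slides 23-24; written for this page. It is a
# deliberately naive split-on-leak strategy and NOT the FT scheme: the number of keys in use at
# once is left unbounded, which is exactly the "multiplication factor" FT (and later BPS) keep at
# 2p+1 or p+1. Assumed model: n = 2^h users, p active traitors, and in each round the pirate
# network republishes one middle-level key that some still-connected traitor holds; the center
# observes which key leaked (the "feedback" of slide 23) and re-keys accordingly.

def dynamic_trace(n, traitors, rng, max_rounds=100_000):
    """Returns (disconnected users, rounds used, max number of keys in use at once)."""
    assert n >= 2 and n & (n - 1) == 0, "n must be a power of two so halves stay exact"
    groups = {0: list(range(n))}          # key id -> users currently holding that key
    next_key, rounds, max_keys = 1, 0, 1
    disconnected, active = set(), set(traitors)
    while active and rounds < max_rounds:
        rounds += 1
        max_keys = max(max_keys, len(groups))
        leaker = rng.choice(sorted(active))                        # coalition leaks one key
        leaked = next(k for k, members in groups.items() if leaker in members)
        members = groups.pop(leaked)
        if len(members) == 1:                         # a singleton: it incriminated itself
            disconnected.add(members[0])
            active.discard(members[0])
            continue
        half = len(members) // 2                      # re-key the two halves separately
        for part in (members[:half], members[half:]):
            groups[next_key] = part
            next_key += 1
    return disconnected, rounds, max_keys

def rounds_bound(n, p):
    """Each round either halves the group of every traitor holding the leaked key or disconnects
    one traitor, so at most p * (log2 n + 1) rounds are needed."""
    return p * (int(math.log2(n)) + 1)

def demo(n=64, traitors=(5, 23, 42, 61), seed=3):
    return dynamic_trace(n, traitors, random.Random(seed))
```

The third return value is the multiplication factor this naive strategy actually reaches; comparing it with 2p+1 shows why FT's key-allocation rule, rather than the round count, is the hard part of the problem.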

25
Efficient Dynamic Tracing Traitors
  • BPS brilliantly improve the FT scheme of
    multiplicity p+1 and construct two schemes with
    that minimal multiplicity: one that converges in
    O(p^3 log n) rounds and one that converges in
    O(p^2 + p log n) rounds. The latter is even
    shown to be optimal.
  • We shall discuss here only the first scheme,
    which is already sufficiently complicated.

26
Low Bandwidth Dynamic Tracing Traitors
  • Even the minimal multiplication factor of p+1 may
    be too large, because
  • p may be well into the hundreds, and
  • the multiplication factor applies to the
    stream of so-called ECMs (Entitlement Control
    Messages), i.e., the encrypted messages that
    convey to the users the value of the rapidly
    changing keys, the control words. That stream is
    wide since those messages must be repeated
    frequently.

27
Low Bandwidth Dynamic Tracing Traitors
  • The suggested solution is a hybrid scheme that
    uses the basic 2p+1 deterministic scheme of FT
    on top of a fingerprinting scheme such as that of
    Boneh and Shaw.
  • This results in a scheme that uses a binary
    marking alphabet (namely, a multiplication factor
    of 2 rather than 2p+1). The convergence time,
    however, is much longer.
  • Another penalty is the inevitably probabilistic
    nature of the scheme (this disadvantage, however,
    is of much less concern).

28
An Efficient Public Key Traitor Tracing Scheme
  • BF design a public key encryption scheme where
    there is one public encryption key but many
    private decryption keys.
  • If a coalition of users colludes to create a new
    decryption key, the efficient tracing algorithm
    is capable of tracing the creators of that key.

29
An Efficient Public Key Traitor Tracing Scheme
  • Previous approaches were combinatorial and
    probabilistic, and could be either public-key or
    symmetric-key.
  • The BF approach is algebraic and deterministic.
    It is inherently public-key and much more
    efficient than public-key instantiations of
    previous combinatorial constructions.
  • It is based on Reed-Solomon codes and its
    security follows from the Decision Diffie-Hellman
    assumption.

30
Collusion-Secure Fingerprinting for Digital Data
  • This paper offers an innovative technique for
    embedding binary fingerprints in data of any sort
    for the sake of tracing traitors.
  • It is a purely combinatorial study: no assumption
    is made on the type of data, nor regarding the
    means by which the bits may be hidden in the
    data.

31
Collusion-Secure Fingerprinting for Digital Data
  • The cover story speaks of a film that is shot by
    two adjacent cameras. The picture that one camera
    sees is almost identical to, yet different from,
    what the other sees.
  • The two versions of the movie are cut into, say,
    m equal-length segments.
  • Each user is assigned a unique codeword from
    {0,1}^m. Then each user gets a unique copy of the
    movie, composed of a different selection of
    segments from either the first camera's output or
    the second's, as dictated by the bits of the
    codeword.

32
Collusion-Secure Fingerprinting for Digital Data
  • Assumptions:
  • The transition between one camera's output and
    the other's is imperceptible.
  • It is impossible to remove a bit-mark without
    removing the entire segment (and thus damaging
    the copy).
  • A coalition of traitors may combine their copies
    and create an illegal copy; in every segment where
    all their codewords agree, the pirate copy must
    carry that same bit (the marking assumption),
    while in segments where they differ it may carry
    either bit.

33
Collusion-Secure Fingerprinting for Digital Data
  • With those assumptions we have a purely
    combinatorial question. Given n users, a bound c
    on the size of the coalition of traitors, and an
    error probability ε, one needs to devise
  • a scheme for allocating codewords to the users,
    and
  • a tracing algorithm that, given a pirate copy,
    finds at least one of the traitors that created
    it with probability at least 1 - ε.

34
Collusion-Secure Fingerprinting for Digital Data
  • The crucial performance parameter here is the
    number of segments (the codeword length).
  • The best scheme of BS, which is based on one of
    the schemes of CFN, does the trick with
  • O(c^4 log(n/ε) log(1/ε)) segments.

35
Optimal Probabilistic Fingerprint Code
  • In a recent paper from STOC 2003, Tardos improves
    the BS code substantially. In his scheme the
    codeword length is reduced to only O(c^2 log(n/ε)).
  • This is even shown to be optimal, up to a
    constant factor.
  • In addition, it is shown that there is no
    advantage in working over larger constant-size
    alphabets, compared to the binary alphabet.
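The fingerprinting model of slides 31 to 33 together with Tardos' code from slide 35, as an added example written for this page (it is neither Boneh-Shaw's nor Tardos' code). A codeword selects, segment by segment, which camera's footage a user's copy contains; a coalition can only splice together segments it holds, so the pirate copy inherits every bit on which all colluders agree, and here it takes the majority bit where they differ. Codeword generation (arcsine-distributed per-position biases, independent bits) and the accusation score follow Tardos' construction with his constants, length m = 100 c^2 k, threshold Z = 20 c k and cutoff t = 1/(300 c), taking k = ln(n/ε) unrounded; the user count, coalition, error bound and random seed in `demo` are this example's choices.

```python
import math
import random

# Added example for slides 31-33 and 35; written for this page, not Boneh-Shaw's or Tardos' code.
# Each user's codeword decides, segment by segment, whether its copy uses camera A (bit 0) or
# camera B (bit 1). Under the marking assumption a coalition can only splice together segments it
# holds, so wherever all colluders share a bit the pirate copy inherits it; elsewhere the pirate
# chooses (here: majority vote). Codewords and the accusation rule follow Tardos' construction with
# his constants: length m = 100 c^2 k, threshold Z = 20 c k, cutoff t = 1/(300 c), k = ln(n/eps).

class TardosCode:
    def __init__(self, n, c, eps, rng):
        self.n, self.c = n, c
        k = math.log(n / eps)
        self.m = math.ceil(100 * c * c * k)
        self.Z = 20 * c * k
        t_ = math.asin(math.sqrt(1.0 / (300 * c)))
        # per-position bias p_i from the arcsine density, truncated to [t, 1 - t]
        self.p = [math.sin(t_ + rng.random() * (math.pi / 2 - 2 * t_)) ** 2 for _ in range(self.m)]
        # user j's codeword: bit i is 1 with probability p_i, independently of everything else
        self.code = [[1 if rng.random() < pi else 0 for pi in self.p] for _ in range(n)]

    def accuse(self, y):
        """Tardos scoring: positions with y_i = 1 add sqrt((1-p_i)/p_i) for a matching 1 and
        subtract sqrt(p_i/(1-p_i)) for a 0; users scoring above Z are accused."""
        accused = []
        for j in range(self.n):
            s = 0.0
            for yi, xi, pi in zip(y, self.code[j], self.p):
                if yi:
                    s += math.sqrt((1 - pi) / pi) if xi else -math.sqrt(pi / (1 - pi))
            if s > self.Z:
                accused.append(j)
        return accused

def assemble_copy(segments_a, segments_b, codeword):
    """Personalized copy of the movie: segment i comes from camera B iff bit i of the codeword is 1."""
    return [b if bit else a for a, b, bit in zip(segments_a, segments_b, codeword)]

def pirate_copy(code, colluders):
    """Coalition output under the marking assumption, choosing the majority bit where it can."""
    y = []
    for i in range(code.m):
        bits = [code.code[j][i] for j in colluders]
        y.append(1 if 2 * sum(bits) > len(bits) else 0)
    return y

def respects_marking(code, colluders, y):
    """Check that y agrees with the colluders wherever they all agree (the marking assumption)."""
    return all(y[i] in {code.code[j][i] for j in colluders} for i in range(code.m))

def demo(n=20, c=3, eps=0.1, colluders=(2, 9, 15), seed=2003):
    rng = random.Random(seed)
    code = TardosCode(n, c, eps, rng)
    y = pirate_copy(code, colluders)
    return code, y, code.accuse(y)
```

For n = 20, c = 3 and ε = 0.1 the code is 4769 segments long; an innocent user's score is a zero-mean sum of bounded terms whose standard deviation is at most sqrt(m), so the threshold Z sits several standard deviations above it, while the coalition's total score grows linearly in m whatever bits it picks in the positions where it has a choice.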

36
A Secure, Robust Watermark for Multimedia
  • CKLS describe a digital watermarking method for
    use in audio, images and video.
  • Watermarking such data is necessary in order to
    place an ownership identification in the data
    itself, or in order to personalize the data by
    placing in it a fingerprint that could later be
    used to trace the source of piracy.
  • Namely, the work of CKLS is orthogonal to that of
    BS and complements it: BS decide which bits to
    embed, CKLS how to embed a bit robustly.

37
A Secure, Robust Watermark for Multimedia
  • Such watermarks must satisfy two conditions:
  • They should be imperceptible.
  • They must be secure in the sense that an
    attacker, or even a coalition of attackers that
    combine their different copies, cannot remove
    the watermark without seriously damaging the
    quality of the copy.

38
A Secure, Robust Watermark for Multimedia
  • The suggested method inserts the watermark in the
    frequency domain.
  • The method offers several ways of inserting
    unique noise into the data that will later serve
    for identification.
  • Additionally, it is described how to extract the
    watermark from a given watermarked copy.

39
A Secure, Robust Watermark for Multimedia
  • Experiments show that the watermark does not
    degrade the quality of the image.
  • It is also shown that the watermark is robust in
    the sense that it survives common signal
    processing operations (D/A and A/D conversion,
    resampling, requantization, contrast enhancement,
    etc.), common geometric image operations
    (rotation, cropping and scaling) and coalition
    attacks.