Traitor Tracing Schemes Research Articles

Post-quantum identity-based traitor tracing

In the distribution of digital content, users may collude and utilize their secret keys to create pirate decoders which enable illegally users to receive the same service. As a useful countermeasure, the notion of identity-based traitor tracing (IBTT) scheme was introduced for the data owner to trace down pirates and simplify certificate management process. As far as we know, various IBTT schemes have been proposed in the literature and all of them are designed on classical hardness assumptions, which are believed to become broken in the coming post-quantum era. To address this issue, we propose the first post-quantum IBTT scheme in this work. The new IBTT scheme is proved to be secure in the quantum security model, assuming the quantum-resistant hardness of the underlying learning with errors problem. Notably, compared with other IBTT schemes, our construction has the minimal size increasing to make the underlying encryption scheme traitor tracing.

Ad Hoc Broadcast, Trace, and Revoke

Traitor tracing schemes [Chor–Fiat–Naor, Crypto ’94] help content distributors fight against piracy and are defined with the content distributor as a trusted authority having access to the secret keys of all users. While the traditional model caters well to its original motivation, its centralized nature makes it unsuitable for many scenarios. For usage among mutually untrusted parties, a notion of *ad hoc* traitor tracing (naturally with the capability of broadcast and revocation) is proposed and studied in this work. Such a scheme allows users in the system to generate their own public/secret key pairs, without trusting any other entity. To encrypt, a list of public keys is used to identify the set of recipients, and decryption is possible with a secret key for any of the public keys in the list. In addition, there is a tracing algorithm that given a list of recipients’ public keys and a pirate decoder capable of decrypting ciphertexts encrypted to them, identifies at least one recipient whose secret key must have been used to construct the said decoder. Two constructions are presented. The first is based on functional encryption for circuits (conceptually, obfuscation) and has constant-size ciphertext, yet its decryption time is linear in the number of recipients. The second is a generic transformation that reduces decryption time at the cost of increased ciphertext size. A matching lower bound on the trade-off between ciphertext size and decryption time is shown, indicating that the two constructions achieve all possible optimal trade-offs, i.e., they fully demonstrate the Pareto front of efficiency. The lower bound also applies to broadcast encryption (hence all mildly expressive attribute-based encryption schemes) and is of independent interest.

An Improved Encryption Scheme for Traitor Tracing from Lattice

This article first describes a paper by Ling, Phan, and Stehle at the CRYPTO 2014 which presented the first encryption scheme for traitor tracing from lattice, and the scheme is almost as efficient as the learning with errors (LWE) encryption. However, their scheme is not constructed on an efficient trapdoor, that is, the trapdoor generation and preimage sampling algorithms are rather complex and not suitable for practice. This article is considered to use the MP12 trapdoor to construct an improved traitor tracing scheme. First, by using batch execution method, this article proposes an improved extracting algorithm for the user's key. Then, this article combines that with multi-bit encryption system to construct an efficient one-to-many encryption scheme. Furthermore, it is presented that a novel projective sampling family has very small hidden constants. Finally, a comparative analysis shows that the parameters of the scheme such as lattice dimension, trapdoor size, and ciphertext expansion rate, etc., all decrease in some degree, and the computational cost is reduced.

Traitor Tracing Schemes: a Review

This paper provides a review on traitor tracing schemes that are developed to counter piracy strategies. The review starts with a formal definition of the traitor tracing schemes. The paper is then outlined based on two main strategies which may taken by digital content pirates. Mostly the pirates have strategy to make use leaked decryption key or leaked decrypted content. For each piracy strategy, we presents traitor tracing schemes that can be used to counter the piracy. We also analysis strength and weakness of each group of the schemes. At the end of this paper, we propose to combine some schemes for better protection.

How to Make Traitor Tracing Schemes Secure against a Content Comparison Attack in Actual Services

How to Make Traitor Tracing Schemes Secure against a Content Comparison Attack in Actual Services

Hardness of k-LWE and Applications in Traitor Tracing

We introduce the k- $$\mathrm {LWE}$$ problem, a Learning With Errors variant of the k-SIS problem. The Boneh-Freeman reduction from SIS to k-SIS suffers from an exponential loss in k. We improve and extend it to an LWE to k-LWE reduction with a polynomial loss in k, by relying on a new technique involving trapdoors for random integer kernel lattices. Based on this hardness result, we present the first algebraic construction of a traitor tracing scheme whose security relies on the worst-case hardness of standard lattice problems. The proposed $$\mathrm {LWE}$$ traitor tracing is almost as efficient as the $$\mathrm {LWE}$$ encryption. Further, it achieves public traceability, i.e., allows the authority to delegate the tracing capability to “untrusted” parties. To this aim, we introduce the notion of projective sampling family in which each sampling function is keyed and, with a projection of the key on a well chosen space, one can simulate the sampling function in a computationally indistinguishable way. The construction of a projective sampling family from k- $$\mathrm {LWE}$$ allows us to achieve public traceability, by publishing the projected keys of the users. We believe that the new lattice tools and the projective sampling family are quite general that they may have applications in other areas.

Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation

In this work, we show how to use indistinguishability obfuscation (iO) to build multiparty key exchange, efficient broadcast encryption, and efficient traitor tracing. Our schemes enjoy several interesting properties that have not been achievable before: Our multiparty non-interactive key exchange protocol does not require a trusted setup. Moreover, the size of the published value from each user is independent of the total number of users. Our broadcast encryption schemes support distributed setup, where users choose their own secret keys rather than be given secret keys by a trusted entity. The broadcast ciphertext size is independent of the number of users. Our traitor tracing system is fully collusion resistant with short ciphertexts, secret keys, and public key. Ciphertext size is logarithmic in the number of users and secret key size is independent of the number of users. Our public key size is polylogarithmic in the number of users. The recent functional encryption system of Garg, Gentry, Halevi, Raykova, Sahai, and Waters also leads to a traitor tracing scheme with similar ciphertext and secret key size, but the construction in this paper is simpler and more direct. These constructions resolve an open problem relating to differential privacy. Generalizing our traitor tracing system gives a private broadcast encryption scheme (where broadcast ciphertexts reveal minimal information about the recipient set) with optimal size ciphertext. Several of our proofs of security introduce new tools for proving security using indistinguishability obfuscation.

A Capacity-Achieving Simple Decoder for Bias-Based Traitor Tracing Schemes

We investigate alternative suspicion functions for bias-based traitor tracing schemes, and present a practical construction of a simple decoder that attains capacity in the limit of large coalition size c. We derive optimal suspicion functions in both the restricted-digit model and the combined-digit model. These functions depend on information that is usually not available to the tracer-the attack strategy or the tallies of the symbols received by the colluders. We discuss how such results can be used in realistic contexts. We study several combinations of coalition attack strategy versus suspicion function optimized against some attack (another attack or the same). In many of these combinations, the usual codelength scaling ℓ ∝ c <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">2</sup> changes to a lower power of c, e.g., c <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">3/2</sup> . We find that the interleaving strategy is an especially powerful attack. The suspicion function tailored against interleaving is the key ingredient of the capacity-achieving construction.

Fully Secure Codes Based Tracing and Revoking Scheme with Constant Ciphertext

In broadcast encryption system certain users may leak their decryption keys to build pirate decoders, so traitor tracing is quite necessary. There exist many codes based traitor tracing schemes. As pointed out by Billet and Phan in ICITS 2008, these schemes lack revocation ability. The ability of revocation can disable identified malicious users and users who fail to fulfill the payments, so that the broadcast encryption system can be more practical. Recently, Zhao and Li presented a construction of codes based tracing and revoking scheme which achieves user revocation as well as traitor tracing. However, their scheme is only secure against chosen plaintext attacks under selective-adversary model with random oracle. In this paper, we obtain a new construction of codes based tracing and revoking scheme which is proved secure against chosen ciphertext attacks under adaptive-adversary model without random oracle. Our idea is to insert codeword into Boneh and Hamburgs identity based broadcast encryption scheme to retain the ability of user revocation and use Boneh and Naors method to trace traitors. Our fully secure scheme is roughly as efficient as Zhao and Lis scheme while the security is enhanced.

Security analysis of two multi-oriented traitor tracing schemes

ZHANG Xue-jun et al.presented two multi-oriented traitor tracing schemes with full collusion resistance.They asserted that it was computationally infeasible for any number of users to get a different key by collusion.Here,these two schemes were cryptographically analyzed and a concrete collusion attack method was proposed based on simple linear combination which three or more traitors can build more than one valid decryption key.Further,these traitors cannot be identified by using black box tracing method.The result show that neither of the two traitor tracing schemes accomplish the full collusion resistance because of their intrinsic flaws.

Dynamic Tardos Traitor Tracing Schemes

We construct binary dynamic traitor tracing schemes, where the number of watermark bits needed to trace and disconnect any coalition of pirates is quadratic in the number of pirates, and logarithmic in the total number of users and the error probability. Our results improve upon results of Tassa, and our schemes have several other advantages, such as being able to generate all codewords in advance, a simple accusation method, and flexibility when the feedback from the pirate network is delayed.

Access control scheme with tracing for outsourced databases

To manage dynamic access control and deter pirate attacks on outsourced databases, a dynamic access control scheme with tracing is proposed. In our scheme, we introduce the traitor tracing idea into outsource databases, and employ a polynomial function and filter function as the basic means of constructing encryption and decryption procedures to reduce computation, communication, and storage overheads. Compared to previous access control schemes for outsourced databases, our scheme can not only protect sensitive data from leaking and perform scalable encryption at the server side without shipping the outsourced data back to the data owner when group membership is changed, but also provide trace-and-revoke features. When malicious users clone and sell their decryption keys for profit, our scheme can trace the decryption keys to the malicious users and revoke them. Furthermore, our scheme avoids massive message exchanges for establishing the decryption key between the data owner and the user. Compared to previously proposed publickey traitor tracing schemes, our scheme can simultaneously achieve full collusion resistance, full recoverability, full revocation, and black-box traceability. The proof of security and analysis of performance show that our scheme is secure and efficient.

Optimal symmetric Tardos traitor tracing schemes

For the Tardos traitor tracing scheme, we show that by combining the symbol-symmetric accusation function of Škorić et al. with the improved analysis of Blayer and Tassa we get further improvements. Our construction gives codes that are up to four times shorter than Blayer and Tassa’s, and up to two times shorter than the codes from Škorić et al. Asymptotically, we achieve the theoretical optimal codelength for Tardos’ distribution function and the symmetric score function. For large coalitions, our codelengths are asymptotically about 4.93% of Tardos’ original codelengths, which also improves upon results from Nuida et al.

Further analysis of pairing‐based traitor tracing schemes for broadcast encryption

ABSTRACTPairing‐based public key systems have recently received much attention because bilinear property contributes to the designs of many cryptographic schemes. In 2002, Mitsunari et al. proposed the first pairing‐based traitor tracing scheme with constant‐size ciphertexts and private keys. However, their scheme has been shown to be insecure for providing traitor tracing functionality. Recently, many researches still try to propose efficient pairing‐based traitor tracing schemes in terms of ciphertext and private key sizes. In this paper, we present a security claim for the design of pairing‐based traitor tracing schemes. For a pairing‐based traitor tracing scheme with constant‐size ciphertexts and private keys, if the decryption key is obtained by some pairing operations in pairing‐based public key systems, the scheme will suffer from a linear attack and cannot provide the traitor tracing functionality. Finally, we apply our security claim to attack a pairing‐based traitor tracing scheme proposed by Yang et al. to demonstrate our result. Our security claim can offer a notice and direction for designing pairing‐based traitor tracing schemes. Copyright © 2012 John Wiley &amp; Sons, Ltd.

개인키 업데이트가 가능한 공개키 기반 공모자 추적 암호 알고리즘

Traitor Tracing schemes are broadcast encryption systems where at least one of the traitors who were implicated in the construction of a pirate decoder can be traced. This traceability is required in various contents delivery system like satellite broadcast, DMB, pay-TV, DVD and so on. In this paper, we propose a public key traitor tracing scheme with key-update method. If the system manager can update a secret key which is stored in an authorized decode, it makes a pirate decoder useless by updating a secret key A pirate decoder which cannot update a secret key does not decrypt contents in next session or during tracing a traitor, this scheme has merits which will make a pirate decoder useless, therefore this scheme raises the security to a higher level.

Identifying Traitors Using the Koetter–Vardy Algorithm

This paper deals with the use of the Koetter-Vardy soft-decision decoding algorithm to perform identification of guilty users in traitor tracing and fingerprinting schemes. In these schemes, each user is assigned a copy of an object with an embedded codeword. Placing different codewords in different copies makes each copy unique and at the same time allows unique identification of each user. The weakness of these schemes comes in the form of a collusion attack, where a group of dishonest users get together and, by comparing their copies, they create a pirate copy that tries to hide their identities. The concern of the paper is restricted to traitor tracing and fingerprinting schemes based on Reed-Solomon codes. By using the Koetter-Vardy soft-decision decoding algorithm as the core part of the tracing process, three different settings are approached: tracing in traceability codes, tracing in identifiable parent property codes and tracing in binary concatenated fingerprinting codes. It is also discussed how by a careful setting of a reliability matrix all possibly identifiable users can be found.

An Improved Traitors Tracing Scheme Based on ELGamal

The flaw of traitor tracing schemes based on traditional ElGamal is that cannot resist convex combination attack. On this point this paper raises an improved ElGamal scheme, which shorten the length of the private key. The new scheme uses the users private key and the header h(s, r) to computer session keys. It is worth mentioning that the user's private key has relation with the header h(s, r), so the improved scheme has good revocability. The results show that the security of the improved scheme is enhanced in comparison with the traditional traitor tracing scheme.

Fully collusion-resistant traitor tracing scheme with shorter ciphertexts

A traitor tracing scheme allows a content distributor to detect at least one of the traitors whose secret key is used to create a pirate decoder. In building efficient traitor tracing schemes, reducing ciphertext size is a significant factor since the traitor tracing scheme must handle a larger number of users. In this paper, we present a fully collusion-resistant traitor tracing scheme where the ciphertext size is 2.8 times shorter and encryption time is 2.6 times faster, compared to the best cases of fully collusion-resistant schemes previously suggested. We can achieve these efficiency results without sacrificing other costs. Also, our scheme supports public tracing and black-box tracing. To achieve our goal, we use asymmetric bilinear maps in prime order groups, and we introduce a new cancellation technique that has the same effect as that in composite order groups.

Traceability codes

Traceability codes are combinatorial objects introduced by Chor, Fiat and Naor in 1994 to be used in traitor tracing schemes to protect digital content. A k-traceability code is used in a scheme to trace the origin of digital content under the assumption that no more than k users collude. It is well known that an error correcting code of high minimum distance is a traceability code. When does this ‘error correcting construction’ produce good traceability codes? The paper explores this question. Let ℓ be a fixed positive integer. When q is a sufficiently large prime power, a suitable Reed–Solomon code may be used to construct a 2-traceability code containing q ⌈ ℓ / 4 ⌉ codewords. The paper shows that this construction is close to best possible: there exists a constant c, depending only on ℓ, such that a q-ary 2-traceability code of length ℓ contains at most c q ⌈ ℓ / 4 ⌉ codewords. This answers a question of Kabatiansky from 2005. Barg and Kabatiansky (2004) asked whether there exist families of k-traceability codes of rate bounded away from zero when q and k are constants such that q ⩽ k 2 . These parameters are of interest since the error correcting construction cannot be used to construct k-traceability codes of constant rate for these parameters: suitable error correcting codes do not exist when q ⩽ k 2 because of the Plotkin bound. Kabatiansky (2004) answered Barg and Kabatiansky's question (positively) in the case when k = 2 . This result is generalised to the following: whenever k and q are fixed integers such that k ⩾ 2 and q ⩾ k 2 − ⌈ k / 2 ⌉ + 1 , or such that k = 2 and q = 3 , there exist infinite families of q-ary k-traceability codes of constant rate.

A Multi-Key Pirate Decoder Against Traitor Tracing Schemes

In this paper we introduce an architecture for a multi-key pirate decoder which employs decryption keys from multiple traitors. The decoder has built-in monitoring and self protection functionalities and is capable of defeating most multiple-round based traitor tracing schemes such as the schemes based on the black-box confirmation method. In particular, the proposed pirate decoder is customized to defeat the private key and the public key fully collusion resistant traitor tracing (FTT) schemes, respectively. We show how the decoder prolongs a trace process so that the tracer has to give up his effort. FTT schemes are designed to identify all the traitors. We show that decoder enables the FTT schemes to identify at most 1 traitors. Finally, assuming the decoder is embedded with several bytes of memory, we demonstrate how the decoder is able to frame innocent users at will.