fingerprinting and broadcast encryption multimedia security

Fingerprinting and Broadcast Encryption

Multimedia Security

2

Outline

• Introduction

• Collusion attack

• Traitor tracing for broadcast encryption

• Collusion-resilient fingerprinting

• Conclusions

3

Introduction

• Two types of fingerprinting– Type I: Embed fingerprints to contents

– Type II: Extract fingerprints from contents

…

…Embed

ExtractExtract

4

Introduction - Type I Fingerprinting

• What

– The process of assigning a unique key for each user' s content

• Why

– To identify the person who acquired a particular copy

– To prevent users from destroying the identification information

– To trace the traitors

• How– Watermarking the contents with the unique keys

5

Introduction - Type II Fingerprinting

• What– Extract unique and robust image descriptors from

contents

• Why– For the detection of replicas – For content-based image retrieval

• How– Select the features that best describe a given

content

6

Introduction

• Talk focus– Type I fingerprinting

• Some related terms– Collusion attack– Traitor tracing

7

Introduction

• Collusion attack– A coalition of traitors collude to destroy the identification

information and leak the content (keys)

1101110

Extraction

1001100 1101101 0001101 1001111….

Collusion attack

1101110

Pirate code

8

Introduction

• Traitor tracing– Find at least one of the colluders

{ , , ,…, }– Can not frame innocent users

{ ,…..}– Related researches:

From Broadcast Encryption to Fingerprinting

9

Collusion attack

• Broadcast encryption– e.g. u1: {k1,k3,k7} u2:{k3,k5,k7} pirate decoder box: {k1,k5,k7}

• Digital fingerprinting– Linear & non-linear collusion attacks

Copy-and-paste attack

10

Collusion attack

• Pd of the TN statistics under different attacks

– Z. J. Wang, M. Wu, H. Zhao, W. Trappe, & K. J. R. Liu, 2003

22/ ssyT

dsy

dT

N

11

Collusion attack

• Analyze the statistical features to improve the detection performance– H. V. Zhao, M. Wu, Z. J. Wang, & K. J. R. Liu, 2004

– e.g. Observe the histograms of sample means of extracted fingerprints under the average, minimum and randomized negative attacks, respectively

•

45 ,10000 ,912 KMW

12

Traitor tracing for broadcast encryption

• Broadcast encryption– Amos Fiat & Moni Naor, CRYPTO’93– Scenario of broadcast scheme

• A center and a set of users U• The center provides the users with prearranged keys

when they join the system• The center wishes to broadcast a message (e.g. a key)

to a dynamically changing privileged subset T in such a way that non-members cannot learn the message

– Goal• Securely transmit a message to all members of the

privileged subset

13


• Key management– How to assign and store the keys– How to save the key storage for both the server

and clients– A comprehensive survey

• A. Wool, 2000• A simple scheme

– The extended-header schemeSuppose that a program p belongs to t packages for t usersBroadcast ENCKp(p) to users Header: ID Key

1 Es1(Kp)

…. …

t Est(Kp)

14

• Resiliency– A broadcast scheme is called resilient to set

S if for every subset T (T∩S=Φ), no eavesdropper that has all secrets associated with members of S, can obtain knowledge of the secret common to T

– k-resilient• The scheme is resilient to any set S U of size k


T S kU

15

• The basic scheme– For every set BU, 0|B|k, define a key KB and give

KB to every user xU-B

– The common key to the privileged set T is the exclusive or of all keys KB, BU-T

– Every coalition S with less than k users will all be missing key KS and will therefore be unable to compute the common key for any privileged set T (T∩S=Φ)


B1

KB1

B2 Bj KBj

KB2

TS

16

• Tracing traitors– B. Chor, A. Fiat, M. Naor, & B. Pinkas,

CRYPTO’94 & 98– Confiscate a pirate decoder to determine

the identity of a traitor– Randomly assign the decryption keys to

users– Make the probability of exposing an

innocent user negligible


17


• A simple scheme– Keys

– l hash functions h1, h2, …, hl

hi: {1,…,n}{1,…,2k2}hi(u) the ith key for user u

…

…

… … … …

…

22,1 ka

22, kla

22,2 ka

2,1a

2,2a

2,la

1,1a

1,2a

1,la

l

2k2

18


– Personal key of user u

– 2k2l encrypted keys

– Decrypt si and compute secret s

},...,,{)( )(,)(,2)(,1 21 uhluhuh laaauP …

…

… … … …

…

22,1 ka

22, kla

22,2 ka

2,1a

2,2a

2,la

1,1a

1,2a

1,la

lssss ...21

)(),...,(),(

...

)(),...,(),(

22,1,1,

22,12,11,1 111

lalala

aaa

sEsEsE

sEsEsE

klll

kCipher block

s

Decrypt

Enabling block

19


• Tracing

{user 1, user 5}, {user 2, user 3, user 5}, {user5, user 6}, …,{user 2, user 7, user 9}, ….,{…}

user 1 x x

user 2 x

….

user 5 x x x x x

…

user n x x

},...}...{}{}{{

....

},...}...{}{}{{

},...}...{}{}{{

2

2

2

2,2,1,3,2,1,2,1,1,

2,22,21,23,22,21,22,21,21,22

2,12,11,13,12,11,12,11,11,11

kllllllllll

k

k

aaaaaaaaas

aaaaaaaaas

aaaaaaaaas

Faaa l },...,,{ 2,2,23,1

)2(),...,2(),3( Compute 112

11

lhhh

20

• Tracing algorithm– Static tracing– Dynamic tracing– Sequential tracing


21


• Static tracing– Confiscate a pirate decoder to determine the identity

of a traitor– Ineffective if the pirate were simply to rebroadcast the

original content– Use watermarking methods to allow the broadcaster

to generate different versions of the original content– Use the watermarks found in the pirate copy to trace

its supporting traitors– Drawback: requires one copy of content for each user

and so requires very high bandwidth

22


• Dynamic tracing (Fiat & Tassa, 2001)– The content is divided into consecutive segments– Embed one of the q marks in each segment

( q versions of the segment )• Need the watermarking scheme

– In each interval, the user group is divided into q subsets and each subset receives on version of the segment

– The subsets are varied in each interval using the rebroadcasted content

– Trace all colluders with lower bandwidth– Drawback:

• Vulnerable to a delayed rebroadcast attack• High real-time computation for regrouping the users and allocating

marks to subsets• Impractical in many scenarios

23


• Sequential tracing ( Reihaneh, 2003)– The channel feedback is only used for tracing

and not for allocation of marks to users– The mark allocation table is predefined and there

is no need for real-time computation to determine the mark allocation of the next interval

• The need for real-time computation will be minimized

• Protects against the delayed reboradcast attack

– The traitors are identified sequentially

24

Collusion-resilient fingerprinting

• Boneh-Shaw scheme– D. Boneh & J. Shaw, “Collusion-secure

fingerprinting for digital data”, CRYPTO’95– Watermarking the digital data (e.g. software,

documents, music, and videos) with fingerprints– Based on Marking Assumption– Too long (too many keys)

• B. Chor et al. claimed: “It is much less efficient than our schemes”

25


• Marking Assumption– Any coalition of c users is only capable of creating an

object whose fingerprint lies in the feasible set of the coalition

– Feasible set

( is the code, C is the collusion coalition, R is the set of undetectable positions, and w is the pirate code)

– e.g. A: 3 2 3 1 2 B: 1 2 2 1 2 F= ’2 ’ 1 2

);( CF

},|| s.t.{?}}({);( )( CuwwwCF Ru

Rl

26


• <Definition> c-Frame Proof Codes (c-FPC(l,n))

• <Definition>Totally c-secure code

).( a is say that We

.)( have we, such that

everyfor if, code frameproof- a called is code-)(A

l,nc-FPCΓ

CΓ CFcCΓC

cΓl,n

C cx

.)( then worda generates users

most at of coalition a if :condition following thesatisfying

algorithm tracinga exists thereif secure- totally is codeA

CxAx

c C

Ac

C cU x Ax UC

27


secure.-2 not toally is code thelemma,last by the

empty. is coalitions theofon intersecti theHowever,

}.{}{}{

coalitions threeallfor feasible is ordmajority w therify that readily vecan One

by )( ordmajority w thedefine

lyrespective , users toassigned codewordsdistinct threebe let

code-)(arbitrary an be let

codes. secure-2 totally no are e that thershow enough to isit Clearly,

323121

(3)(2)(2)

(3)(1)(2)(1)(1)

(3)(2)(1)

321(3)(2)(1)

Γ

,uu,,uu,,uu

M

wise. other ?,

w if w , w

w or ww if w, w

Mi

,w,wwMAJM

,u,uu,w,ww

l,n

iii

iiiii

Boneh & Shaw: “ There are no totally c-secure codes”each. users most at of ,... scolatiiton allfor

)(...)(... then code secure- totally a is If

1

11

cCC

CFCFCCc

r

rr Lemma

28


• n-secure code with -error 0(n,d): l=d(n-1)=O(n3log(n/ )) too long!

– e.g. 0(4,3) A: 111 111 111 111 111 111 B: 000 111 111 011 101 101 C: 000 000 111 000 001 101 D: 000 000 000 000 000 000

guilty" is user "output then 2

log22

)( if

.)(let :do 1 to2 allfor 3)

guilty" is user "output then )(if )2

guilty" is 1user "output then 0)( if 1)

. producedthat coalition theofsubset a find ,}10{Given

1

1

1B

snkk

xweight

xweightkn-s

ndx weight

xweight

x,x

s-

s

n-

B

B

B

l

Random permutation

29


• c-secure code with -error of log length ’(L,N,n,d)

– Compose 0(n,d) with an (L,N)-code Cx=((1) || (2) || … || (L)) (i)0 |0|=alphabet size of C

– l=O(c4log(N/ )log(1/ ))

guilty" is user "output

from derived is codeword user whose thebe Let 3)

y).arbitraritbroken are (tiesposition of

number most in the matches which word theFind 2)

. word theform Next, . and 1between number a is that

Note output.chosen thisbe toSet 1. algorithm of outputs

theof one choosey arbitraril 1component each for

. of components theofeach to1 algorithmApply 1)

. producedthat coalition theofmember a find ,}10{Given

1

u

Cwu

yCw

...yyyny

y

,...,Li

xL

x,x

Li

i

l

30


• Combinatorial designs– D. R. Stinson & R. Wei, “Combinatorial properties

and constructions of traceability schemes and frameproof codes”, 1997

– Give combinational descriptions of the following two objects in terms of set systems

• Traceability schemes for broadcast encryption• Frameproof codes for digital fingerprinting

31


– t-design (t-(v,k,))• 2-design : BIBD (Balanced incomplete block design)• (9,3,1)-BIBD

{0,1,6},{0,2,5},{0,3,4},{1,2,4},{3,5,6},{1,5,7},{5,4,8},{4,6,7},{6,2,8},{2,3,7},{3,1,8},{0,7,8}

• e.g. J. Dittmann, P. Schmitt, E. Saar and J. Ueberberg, “Combining Digital Watermarks and Collusion Secure Fingerprints for Digital Images”, 2000

2-detecting code

32


)1/()1( where

),),/()(,(design)1,,( Theorem

)1/()1( where

)),/()(,( design)1,,( Theorem

tkc

vkc-TSkvt

tkc

vc-FPCkvt

kt

vt

kt

vt

<Definition> c-Traceability Scheme (c-TS(l,n,q))

.k,n,lc-TS

ccC C

FCU

)(by denoted

isit and schemety traceabili- a called is scheme Then the . and by produced is

decoder pirate a whenever coalition theofmember a is user exposedany Suppose

C cU F

33


• <Theorem>

• <Theorem>

• It needs tricks to construct a suitable code

)20/)1(,(4 20mod5,1

)12/)1(,(3 12mod4,1

)6/)1(,(2 6mod3,1

vvvFPCv

vvvFPCv

vvvFPCv

)1,1,1( power prime 22 qqqqqTSqq

34


• Error correcting code (ECC) – Has systematic encoding and decoding

algorithms– Distance-based decoding criterion

• Resilient to attacks for multimedia data

Robust than the t-design codes

35


• <Definition> c-TA codes (c-traceability codes)

• <Theorem>

• Larger minimum distances imply higher tracing ability

i

ii

i

CCz

z,wIx,wICxCdescw

c CcC

allfor

)()(such that exists e then ther)( if

,most at size of coalitions allfor if codeTA - a is codeA

Ci cx w

z

code.TA - isThen ).11( distance

Hamming minimum having code-)(an is that Suppose2 cC /c-ld

l,nC

36


– e.g. 2-TA: (15,3,11)4-BCH (120,2,96)4-code

– It’s not easy to find practical ECCs with so large minimum distances

– Reed-Solomon code• (l,k,d)-RS over GF(qm) : d=l-k+1=qm-1-k+1=qm-k

– A code for sequential traitor tracing• R. Safavi-Naini & Y. Wang, 2003

)...)( ( ))(),...,(),((2

21

k

k

qqqs

q

ss xxxxxTrxTrxTrxTr

},...,,{,)( 21*

qkqGF

) (mod 1, such that and,,2 12/ sqtrrqstk rk

37


• Assign one of the q versions for each movie segment (q-ary code)– H. Jin, J. Lotspiech, & S. Nusser (IBM Almaden research),

2004

38


• Orthogonal signals– W. Trappe, M. Wu, Z. J. Wang, and K. J. R. Liu, “Anti-

collusion fingerprinting for multimedia”, 2003– Orthogonal fingerprint

• Orthogonal modulation wj=uj # of fingerprints=# of ortho. bases

• Modulate the code based on BIBD by noise-like signals

# of fingerprints>># of orthogonal bases

• (7,3,1)-BIBD{{0,1,3},{0,2,5},{0,4,6},{1,2,4},{1,5,6},{2,3,6},{3,4,5}}

B

iiijj ubw

1

39


• The bit-complement of the incidence matrix for a (7,3,1)-BIBD

• Modulate the codewords by 7 orthogonal bases

40


• If user 1 and user 2 are colluders

– Average attack: the pirate code is (w1+w2)/2

– The coefficient vector is (-1,0,0,0,1,0,1)– 1 occurs in the fifth and seventh location

uniquely identifies users 1 and 2 as colluders

• Experiments– (16,4,1)-BIBD– 20 users– c=3

41


– Tree-structured detection

22/ii UdU

TN ssyT

42


• Orthogonal signals– Z. J. Wang, M. Wu, H. Zhao, W. Trappe, and K. J. Liu, 2003~

– Gaussian signals (suitable for multimedia content)

– Performance is limited if the number of Gaussian signals is larger

43


• Joint fingerprint embedding and decryption based on coefficient set scrambling– D. Kundur & K. Karthik, 2004

44


Original, encrypted, and fingerprinted images

PSNR=22dB PSNR=34dB

45


• Make the colluded copy useless– U. Celik, G. Sharma, & A. M. Tekalp, “Collusion-

resilient fingerprinting by random pre-warping”, 2004– The host signal is warped randomly prior to

watermarking

46


47


• Fingerprint multicast in secure video streaming– H. V. Zhao & K. J. R. Liu, 2006– Tree-structure-based fingerprint scheme

48


• MPEG-2-based joint fingerprint design and distribution scheme for video on demand applications

The fingerprint embedding and distribution process at the server’s side

49

Possible future research

• Collusion-resilient fingerprint scheme– Robust against collusion attacks

• Fingerprint - Hard to be removed by collusion attacks• Content - Useless after being attacked

– Traceability code• Short l• Large n• Large c

– Tracing algorithm & detection strategy• High hit ratio• Low false alarm rate • Fast• Low computational overhead

50

Dynamic tracing

• q versions for every segment

fingerprinting and broadcast encryption multimedia security

Documents