Fingerprinting & Broadcast Encryption for Content Protection

Upload: kory-shaw

Post on 30-Dec-2015


TRANSCRIPT

Page 1: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Broadcast Encryption for Content Protection

Page 2: Fingerprinting & Broadcast Encryption for Content Protection

Outline

- Introduction
- Fingerprinting & Traitor Tracing
- Broadcast Encryption

Page 3: Fingerprinting & Broadcast Encryption for Content Protection

Introduction

- Fingerprinting
- Traitor tracing
- Broadcast encryption

Page 4: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing

- Marking assumption
- Traceability scheme
- Frameproof code
- c-secure code
- c-TA code & c-IPP code
- Combinatorial properties
- Fingerprinting methods
- Tracing algorithm

Page 5: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - Marking assumption

<Definition> undetectable positions

Let $\Gamma = \{w^{(1)}, \ldots, w^{(n)}\}$ be an $(l,n)$-code and $C$ be a coalition of users. For $i \in \{1, \ldots, l\}$ we say that position $i$ is undetectable for $C$ if the words assigned to users in $C$ match in their $i$-th position. Formally, suppose $C = \{u_1, \ldots, u_c\}$. Then position $i$ is undetectable if

$$w_i^{(u_1)} = w_i^{(u_2)} = \cdots = w_i^{(u_c)}.$$

<Definition> feasible set

Let $\Gamma = \{w^{(1)}, \ldots, w^{(n)}\}$ be an $(l,n)$-code and $C$ be a coalition of users. Let $R$ be the set of undetectable positions for $C$. Define the feasible set of $C$ as

$$F(C;\Gamma) = \{\, w \in (\Sigma \cup \{?\})^l \ \text{s.t.}\ w|_R = w^{(u)}|_R \,\}$$

for some user $u$ in $C$. Thus the feasible set contains all words which match the coalition's undetectable bits. Usually we omit the $\Gamma$ and denote $F(C;\Gamma)$ by $F(C)$.

Page 6: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - Marking assumption

e.g.
A: 3 2 3 1 2
B: 1 2 2 1 2
F(AB): 2 1 2 (the symbols at positions 2, 4 and 5, where A and B agree)

<Definition> Marking Assumption

Any coalition of c users is only capable of creating an object whose fingerprint lies in the feasible set of the coalition.

Page 7: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - Traceability scheme

<Definition> Traitor tracing schemes (B. Chor, A. Fiat, M. Naor, and B. Pinkas, 1994)

A traitor tracing scheme consists of three components:

1. A user initialization scheme, used by the data supplier to add new users. The data supplier has a meta-key $\alpha$ that defines a mapping $P: U \to \{0,1\}^s$, where $U$ is the set of possible users and $s$ is the number of bits in the personal key that each user gets.
2. An encryption scheme $E: \{0,1\}^* \to \{0,1\}^*$ used by the data supplier to encrypt messages and a decryption scheme $D: \{0,1\}^* \to \{0,1\}^*$ used by every user to decrypt those messages.
3. A traitor tracing algorithm, used upon confiscation of a pirate decoder, to determine the identity of a traitor.

Page 8: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - Frameproof codes

<Definition> c-Frameproof codes (James Shaw, 1995 (1998))

A code $\Gamma$ is $c$-frameproof if every set $W \subset \Gamma$, of size at most $c$, satisfies $F(W) \cap \Gamma = W$.
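The marking assumption and the frameproof condition above can be checked mechanically. The following is an added example, not code from the slides: it computes undetectable positions and feasible-set membership for the words A and B of the marking-assumption slide, then tests the condition F(W) ∩ Γ = W by brute force. `WEAK_CODE` is a constructed counter-example, and all function names are chosen here for illustration.

```python
from itertools import combinations


def undetectable_positions(coalition):
    """Indices where all words assigned to the coalition carry the same symbol."""
    return [i for i in range(len(coalition[0]))
            if len({word[i] for word in coalition}) == 1]


def in_feasible_set(word, coalition):
    """True if `word` agrees with the coalition on every undetectable position.

    Detectable positions are unconstrained: any symbol, or '?' for unreadable.
    """
    reference = coalition[0]
    return all(word[i] == reference[i]
               for i in undetectable_positions(coalition))


def framing_violations(code, c):
    """All (coalition, victim) pairs that break c-frameproofness.

    A violation is a coalition W with |W| <= c whose feasible set contains the
    codeword of a user outside W, so F(W) intersected with the code is not W.
    Codewords are assumed to be distinct.
    """
    violations = []
    for size in range(1, c + 1):
        for coalition in combinations(code, size):
            for word in code:
                if word not in coalition and in_feasible_set(word, coalition):
                    violations.append((coalition, word))
    return violations


def is_frameproof(code, c):
    return not framing_violations(code, c)


# Words A and B from the marking-assumption slide.
A, B = "32312", "12212"
# Code from the slides: all 4-bit vectors with a single 0 bit.
SINGLE_ZERO_CODE = ["1110", "1101", "1011", "0111"]
# Constructed counter-example: the first two users can produce the third word.
WEAK_CODE = ["110", "101", "111"]

if __name__ == "__main__":
    print("undetectable (0-based):", undetectable_positions([A, B]))
    print("single-zero code 3-frameproof:", is_frameproof(SINGLE_ZERO_CODE, 3))
    print("weak code violations:", framing_violations(WEAK_CODE, 2))
```

Positions are 0-based in the code, so the slide's positions 2, 4 and 5 appear as 1, 3 and 4.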

Page 9: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - c-secure codes

<Definition> totally c-secure code

A code $\Gamma$ is totally $c$-secure if there exists a tracing algorithm $A$ satisfying the following condition: if a coalition $C$ of at most $c$ users generates a word $x$ then $A(x) \in C$.

<Lemma>

If $\Gamma$ is a totally $c$-secure code then

$$C_1 \cap \cdots \cap C_r = \emptyset \ \Rightarrow\ F(C_1) \cap \cdots \cap F(C_r) = \emptyset$$

for all coalitions $C_1, \ldots, C_r$ of at most $c$ users each.

Page 10: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - c-TA code & c-IPP code

A. Silverberg, J. Staddon, 2001

<Definition> c-TA (traceability)

A code $C$ is a $c$-TA code if for all coalitions $C_i$ of size at most $c$, if $w \in \mathrm{desc}(C_i)$ then there exists $x \in C_i$ such that $I(x,w) > I(z,w)$ for all $z \in C \setminus C_i$.

<Definition> c-IPP (identifiable parent property)

A code $C$ is a $c$-IPP code if, for all $w \in \mathrm{desc}_c(C)$, the intersection of the coalitions $C_i$ of size at most $c$ such that $w \in \mathrm{desc}(C_i)$ is nonempty.

Page 11: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - c-TA code & c-IPP code

<Lemma> Every c-TA code is a c-IPP code.

<proof>

Suppose $C$ is a $c$-TA code.
If $w \in \mathrm{desc}_c(C)$, then $w \in \mathrm{desc}(C_i)$ where $C_i \subseteq C$ s.t. $|C_i| \le c$.
Let $y \in C_i$ s.t. $I(w,y) \ge I(w,x)$ for all $x \in C_i$.
Thus $I(w,y) > I(w,x)$ for any $x \notin C_i$ by the definition of a $c$-TA code.
We will show that, for any $C_j \subseteq C$ with $|C_j| \le c$ and $w \in \mathrm{desc}(C_j)$, $y \in C_j$.
In fact, if $y \notin C_j$, then $\exists z \in C_j$ s.t. $I(w,z) > I(w,y)$ by the definition of a $c$-TA code.

Page 12: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - Combinatorial properties

"Combinatorial properties and constructions of traceability schemes and frameproof codes", D. R. Stinson, R. Wei, 1997 (2001)

Investigate combinatorial properties and constructions of two recent topics of cryptographic interest:
- frameproof codes
- traceability scheme

Page 13: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - Combinatorial properties

<Definition> c-FPC(v,b)

A $(v,b)$-code $\Gamma$ is called a $c$-frameproof code if, for every $W \subseteq \Gamma$ such that $|W| \le c$, we have $F(W) \cap \Gamma = W$. We say that $\Gamma$ is a $c$-FPC$(v,b)$.

<Definition> c-TS(k,b,v)

If $|F \cap P(U)| \ge |F \cap P(V)|$ for all users $V \ne U$, then $U$ is defined to be an exposed user.
Suppose any exposed user $U$ is a member of the coalition $C$ whenever a pirate decoder $F$ is produced by $C$ and $|C| \le c$. Then the scheme is called a $c$-traceability scheme and it is denoted by $c$-TS$(k,b,v)$.
Traitor detection would be done by computing $|F \cap P(U)|$ for all users $U$.

Page 14: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - Combinatorial properties

<Theorem>

a $c$-FPC$(v,b)$ $\iff$ a set system $(X, \mathcal{B})$ such that $|X| = v$, $|\mathcal{B}| = b$ and for any subset of $d \le c$ blocks $B_1, B_2, \ldots, B_d \in \mathcal{B}$, there does not exist a block $B \in \mathcal{B} \setminus \{B_1, B_2, \ldots, B_d\}$ such that

$$\bigcap_{i=1}^{d} B_i \subseteq B \subseteq \bigcup_{i=1}^{d} B_i.$$

Page 15: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - Combinatorial properties

<Theorem>

a $c$-TS$(k,b,v)$ $\iff$ a set system $(X, \mathcal{B})$ such that $|X| = v$, $|\mathcal{B}| = b$ and $|B| = k$ for every $B \in \mathcal{B}$, with the property that for every choice of $d \le c$ blocks $B_1, B_2, \ldots, B_d \in \mathcal{B}$ and for any $k$-subset $F \subseteq \bigcup_{j=1}^{d} B_j$, there does not exist a block $B \in \mathcal{B} \setminus \{B_1, B_2, \ldots, B_d\}$ such that $|F \cap B_j| \le |F \cap B|$ for $1 \le j \le d$.

Page 16: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - Combinatorial properties

<Theorem> If there exists a c-TS(k,b,v), then there exists a c-FPC(v,b).

<proof>

Let $(X, \mathcal{B})$ be the set system corresponding to a $c$-TS$(k,b,v)$.
We prove that $(X, \mathcal{B})$ is a $c$-FPC$(v,b)$.
Suppose no; then there exist $d \le c$ blocks, $B_1, B_2, \ldots, B_d \in \mathcal{B}$, and a block $B \in \mathcal{B} \setminus \{B_1, B_2, \ldots, B_d\}$ such that $\bigcap_{i=1}^{d} B_i \subseteq B \subseteq \bigcup_{i=1}^{d} B_i$.
Then $|B \cap B_j| \le |B \cap B|$ for $1 \le j \le d$.

Page 17: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - Fingerprinting methods

- AND-resilient codes
  - Trivial AND-ACC $\Gamma_0$
  - AND-ACC (Trappe et al., 2003)
  - The fingerprinting scheme based on projective space (Dittmann, 2000)
- Selection-resilient codes
  - $\Gamma_0$ combined with $(L,N,D)_q$-ECC, $D > L(1-(1/c))$
  - $(L,N,D)_q$-ECC with $D \ge L(1-1/c^2)$ (Staddon, 2001)

Page 18: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - Tracing algorithms

Scenario
- The center broadcasts the encrypted content to users
- One encryption key and multiple distinct decryption keys
- One cannot compute a new decryption key from a given set of keys

Page 19: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - Tracing algorithms

Static tracing
- Used upon confiscation of a pirate decoder, to determine the identity of a traitor
- Such a scheme would be ineffective if the pirate were simply to rebroadcast the original content
- Use watermarking methods to allow the broadcaster to generate different versions of the original content
- Use the watermarks found in the pirate copy to trace its supporting traitors
- Drawback: requires one copy of content for each user and so requires very high bandwidth

Page 20: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - Tracing algorithms

Dynamic tracing (Fiat & Tassa, 2001)
- The content is divided into consecutive segments
- Embed one of the q marks in each segment, hence creating q versions of the segment (watermarking method)
- In each interval, the user group is divided into q subsets and each subset receives one version of the segment
- The subsets are varied in each interval using the rebroadcasted content
- Trace all colluders with lower bandwidth
- Drawback:
  - Vulnerable to a delayed rebroadcast attack
  - High real-time computation for regrouping the users and allocating marks to subsets

Page 21: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - Tracing algorithms

Sequential tracing (Reihaneh, 2003)
- The channel feedback is only used for tracing and not for allocation of marks to users
- The mark allocation table is predefined and there is no need for real-time computation to determine the mark allocation of the next interval
  - The need for real-time computation will be minimized
  - Protects against the delayed rebroadcast attack
- The traitors are identified sequentially

Page 22: Fingerprinting & Broadcast Encryption for Content Protection

Broadcast Encryption

- Key pre-distribution schemes
- Key management

Page 23: Fingerprinting & Broadcast Encryption for Content Protection

Broadcast Encryption - Key pre-distribution scheme

- In a key pre-distribution scheme, the trusted authority (TA) generates and distributes keys to each user
- The goal is to allow the TA to broadcast a secure message to a dynamically changing privileged subset of users in such a way that non-privileged users cannot learn the message, while minimizing key-management-related transmissions

Page 24: Fingerprinting & Broadcast Encryption for Content Protection

Broadcast Encryption - Key pre-distribution scheme

<Definition> $(\mathcal{P},\mathcal{F})$-KPS ($(\mathcal{P},\mathcal{F})$-Key Predistribution Scheme)

The scheme is a $(\mathcal{P},\mathcal{F})$-Key Predistribution Scheme if it satisfies:
- Each user $i$ in any privileged set $P \in \mathcal{P}$ can compute $k_P$
- No forbidden subset $F \in \mathcal{F}$ disjoint from any privileged subset $P$ has any information on $k_P$

Page 25: Fingerprinting & Broadcast Encryption for Content Protection

Broadcast Encryption - Key pre-distribution scheme

- Trivial KPS
- Shamir threshold KPS (Shamir, 1979)
- Blom KPS (1984)
- Fiat-Naor KPS (1993)

Page 26: Fingerprinting & Broadcast Encryption for Content Protection

Broadcast Encryption - Key pre-distribution scheme

<Definition> $(\mathcal{P},\mathcal{F})$-One-Time Broadcast Encryption Scheme

We say that the scheme is a $(\mathcal{P},\mathcal{F})$-One-Time Broadcast Encryption Scheme ($(\mathcal{P},\mathcal{F})$-OTBES) if it satisfies:

1. Without knowing the broadcast, no subset of users has any information about $m_P$, even given all the secret information $U_U$.
2. The message for a privileged user is uniquely determined by the single broadcast and the user's secret information.
3. After receiving the broadcast, no forbidden subset $F$ disjoint from $P$ has any information on $m_P$.

Page 27: Fingerprinting & Broadcast Encryption for Content Protection

Broadcast Encryption - Key pre-distribution scheme

- Beimel-Chor OTBES (1993)

Page 28: Fingerprinting & Broadcast Encryption for Content Protection

Broadcast Encryption - Key pre-distribution scheme

<Definition> $(\mathcal{P},\mathcal{F})$-Key Distribution Pattern (Mitchell & Piper, 1988)

$U$: a set of users
$\mathcal{B} = \{B_1, \ldots, B_\beta\}$: a set of subsets of $U$ called blocks

$(U, \mathcal{B})$ is a $(\mathcal{P},\mathcal{F})$-Key Distribution Pattern ($(\mathcal{P},\mathcal{F})$-KDP) if

$$\{B_j : P \subseteq B_j \text{ and } F \cap B_j = \emptyset\} \neq \emptyset \quad \forall P \in \mathcal{P} \text{ and } F \in \mathcal{F} \text{ s.t. } P \cap F = \emptyset.$$

Page 29: Fingerprinting & Broadcast Encryption for Content Protection

Broadcast Encryption - Key pre-distribution scheme

A KDP can be represented by an $n \times \beta$ incidence matrix $A = (a_{ij})$ which is defined as follows:

$$a_{ij} = \begin{cases} 1 & \text{if } i \in B_j \\ 0 & \text{otherwise.} \end{cases}$$

The KDP can be used to construct KPS.

Page 30: Fingerprinting & Broadcast Encryption for Content Protection

Broadcast Encryption - Key pre-distribution scheme

<Theorem> Suppose $(U, \mathcal{B})$ is a $(\mathcal{P},\mathcal{F})$-KDP, then there exists a $(\mathcal{P},\mathcal{F})$-KPS with information rate $1/\max\{r_i : 1 \le i \le n\}$, $r_i = |\{B_j : i \in B_j\}|$, and total information rate $1/\beta$.

The trivial KPS and Fiat-Naor KPS are both in fact KDPs:
- The trivial KPS is obtained by taking $\mathcal{B}$ to be all $t$-subsets of $U$
- The Fiat-Naor KPS is produced by taking $\mathcal{B}$ to be all subsets of $U$ of cardinality at least $n-w$

Page 31: Fingerprinting & Broadcast Encryption for Content Protection

Broadcast Encryption - Key pre-distribution scheme

- OA KDP (Stinson, 1997)
- PA KDP (Stinson, 1997)

Page 32: Fingerprinting & Broadcast Encryption for Content Protection

Broadcast Encryption - Key management

- The purpose of key management is to provide secure procedures for handling cryptographic keying material to be used in symmetric or asymmetric cryptographic mechanisms.
- The Open Systems Interconnection (OSI) Security Architecture defines key management as "the generation, storage, distribution, deletion, archiving and application of keys in accordance with a security policy".

Page 33: Fingerprinting & Broadcast Encryption for Content Protection

Broadcast Encryption - Key management

Access control schemes
- The bit-vector scheme
- The block-by-block scheme
- The extended-header scheme
- The VSPACE scheme
- The tree scheme

Page 34: Fingerprinting & Broadcast Encryption for Content Protection

Broadcast Encryption - Key management

The state update problem
- In many scenarios, content is encrypted using a group key which is known to a group of users
- When users leave or join the group, the group key must be changed
  - Prevent leaving members from decrypting content in the future
  - Prevent joining members from decrypting previous content (backward secrecy)
  - O(n) messages
- How to reduce the overhead of the key update messages?

Page 35: Fingerprinting & Broadcast Encryption for Content Protection

Broadcast Encryption - Key management

The LKH (Logical Key Hierarchy) Scheme

Page 36: Fingerprinting & Broadcast Encryption for Content Protection

Introduction - Fingerprinting

- Fingerprinting is the process of assigning a unique key to each user
- The purpose is to identify the person who acquired a particular copy
- Implementation
  - Embed a unique key inside the content for each user
  - Encrypt the content, and each user has his own decryption key to recover the content

Page 37: Fingerprinting & Broadcast Encryption for Content Protection

Introduction - Traitor Tracing

- Collusion attack
  - A group of malicious users (traitors) can collude by combining their keys to create a new pirate key (pirate decoder)
- A traitor tracing algorithm is used to trace at least one of the colluders or the group containing the colluders

Page 38: Fingerprinting & Broadcast Encryption for Content Protection

Introduction - Broadcast Encryption

- Broadcast encryption schemes enable a trusted authority to broadcast a message to the users in a network so that a certain specified subset of authorized users can decrypt it
- It involves the problems of the key pre-assignment, key management and even the traceability schemes

Page 39: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - Fingerprinting methods

- Consist of all n-bit binary vectors that have only a single 0 bit
- e.g. n=4: C={1110,1101,1011,0111}

Page 40: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - Fingerprinting methods

<Definition> $\Gamma_0$: the (n,n)-code containing all n-bit binary words with exactly one 1

e.g. $\Gamma_0(3)$ = {100,010,001}

Page 41: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - Fingerprinting methods

- Use BIBD to construct an AND-ACC
- <Theorem> Let (X, A) be a (v,k,1)-BIBD and M the corresponding incidence matrix. If the codevectors are assigned as the bit complement of the columns of M, then the resulting scheme is a (k-1)-resilient AND-ACC.
- e.g. (7,3,1)-BIBD

C =
1001011
0101101
0110011
0011110
1010101
1100110
1111000
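The theorem above can be exercised end to end. The following is an added example, not code from the slides: it builds a (7,3,1)-BIBD from the difference set {0,1,3} mod 7 (a standard construction chosen here, so its block order need not match the matrix on the slide), assigns each user the bit complement of a column of the incidence matrix, and traces coalitions from the AND of their codevectors. All function names are chosen for illustration.

```python
from itertools import combinations

V = 7
# Blocks {i, i+1, i+3} mod 7: a (7,3,1)-BIBD (constructed here, see lead-in).
BLOCKS = [frozenset({i % V, (i + 1) % V, (i + 3) % V}) for i in range(V)]


def is_bibd(blocks, v, k, lam):
    """Every block has k points and every pair of points lies in lam blocks."""
    if any(len(b) != k for b in blocks):
        return False
    return all(sum(1 for b in blocks if {p, q} <= b) == lam
               for p, q in combinations(range(v), 2))


def codevectors(blocks, v):
    """User j gets the bit complement of column j of the incidence matrix:
    0 at the points of block j, 1 everywhere else."""
    return [tuple(0 if p in b else 1 for p in range(v)) for b in blocks]


def collude(vectors):
    """Collusion modelled as the bitwise AND of the colluders' codevectors."""
    return tuple(min(bits) for bits in zip(*vectors))


def build_tracing_table(code, max_colluders):
    """Map every reachable AND mark to the coalitions that produce it."""
    table = {}
    for size in range(1, max_colluders + 1):
        for users in combinations(range(len(code)), size):
            mark = collude([code[u] for u in users])
            table.setdefault(mark, []).append(users)
    return table


def is_resilient(code, c):
    """c-resilient AND-ACC: each coalition of size <= c has a unique AND mark."""
    return all(len(users) == 1
               for users in build_tracing_table(code, c).values())


def trace(mark, table):
    """Return the coalition behind a mark, or None if unknown or ambiguous."""
    candidates = table.get(mark, [])
    return candidates[0] if len(candidates) == 1 else None


CODE = codevectors(BLOCKS, V)

if __name__ == "__main__":
    table = build_tracing_table(CODE, 2)
    pirate_mark = collude([CODE[2], CODE[5]])
    print("mark", pirate_mark, "traced to users", trace(pirate_mark, table))
    print("2-resilient:", is_resilient(CODE, 2))
    print("3-resilient:", is_resilient(CODE, 3))
```

With k = 3 the code is 2-resilient; three colluders already collide, because the three blocks through any one point cover all seven points and leave an all-zero mark.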

Page 42: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - Fingerprinting methods

- Constructions using t-designs
- <Definition> $t$-$(v,k,\lambda)$ design

  A $t$-$(v,k,\lambda)$ design is a set system $(X, \mathcal{B})$, where $|X| = v$, $|B| = k$ for every $B \in \mathcal{B}$, and every $t$-subset of $X$ occurs in exactly $\lambda$ blocks in $\mathcal{B}$.

- BIBDs are 2-$(v,k,\lambda)$ designs
- e.g. 2-(9,3,1) design

  {0,1,6},{0,2,5},{0,3,4},{1,2,4},{3,5,6},{1,5,7}
  {5,4,8},{4,6,7},{6,2,8},{2,3,7},{3,1,8},{0,7,8}

Page 43: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - Fingerprinting methods

- Use techniques from finite projective geometry to construct a d-detecting fingerprinting scheme
- e.g. PG(2,2), 2-detecting

Page 44: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - Fingerprinting methods

<Lemma>

Let $\Gamma$ be a $c$-frameproof $(l,p)$-code and $C$ be an $(L,N,D)_p$-ECC. Let $\Gamma'$ be the composition of $\Gamma$ and $C$. Then $\Gamma'$ is a $c$-frameproof code, provided $D > L(1-(1/c))$.

Page 45: Fingerprinting & Broadcast Encryption for Content Protection

Fingerprinting & Traitor Tracing - Fingerprinting methods

<Theorem>

Suppose that $C$ is an $(L,N,D)_q$-ECC having minimum Hamming distance $D > L(1 - 1/c^2)$. Then $C$ is a $c$-TA code.

Page 46: Fingerprinting & Broadcast Encryption for Content Protection

Broadcast Encryption - Key pre-distribution scheme

Trivial KPS 1
- Give every user $u_i \in U$ its own key and transmit an individually encrypted message $E_{u_j}(m)$ to every member $u_j \in P$
  → long transmission time

Trivial KPS 2
- For every $t$-subset $P \subseteq U$, the TA gives $k_P$ to every member of $P$
  → every user stores a huge number of keys

Page 47: Fingerprinting & Broadcast Encryption for Content Protection

Broadcast Encryption - Key pre-distribution scheme

Blom KPS, t = 2

1. The TA chooses $n$ distinct random numbers $s_i \in GF(q)$, and gives $s_i$ to user $i$ $(1 \le i \le n)$. These values do not need to be secret.
2. The TA constructs a random polynomial

   $$f(x,y) = \sum_{i=0}^{w} \sum_{j=0}^{w} a_{ij} x^i y^j$$

   having coefficients in $GF(q)$, s.t. $a_{ij} = a_{ji}$ for all $i,j$.
3. The TA computes the polynomial

   $$g_i(x) = f(x, s_i) = \sum_{j=0}^{w} b_{ij} x^j$$

4. The TA gives the $w+1$ values $b_{ij}$ to user $i$.

$$k_P = g_i(s_j) = g_j(s_i)$$

Page 48: Fingerprinting & Broadcast Encryption for Content Protection

Broadcast Encryption - Key pre-distribution scheme

Blom KPS

e.g. $t = 2$

$n = 3,\ q = 17,\ w = 1,\ s_1 = 12,\ s_2 = 7,\ s_3 = 1$

$f(x,y) = 8 + 7(x+y) + 2xy$

$g_1(x) = 7 + 14x,\quad g_2(x) = 6 + 4x,\quad g_3(x) = 15 + 9x$

$u_1(x) = (7,14),\quad u_2(x) = (6,4),\quad u_3(x) = (15,9)$

$k_{\{1,2\}} = 3,\quad k_{\{1,3\}} = 4,\quad k_{\{2,3\}} = 10$
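The Blom example above can be recomputed and its collusion threshold checked. The following is an added example, not code from the slides: it derives each user's polynomial and the pairwise keys from the slide's values, then enumerates every symmetric polynomial over GF(17) that is consistent with what a coalition holds. The brute-force search is written for w = 1 only, and the function names are chosen for illustration.

```python
from itertools import product

Q = 17                          # field GF(17), from the slide
PUBLIC = {1: 12, 2: 7, 3: 1}    # public values s_1, s_2, s_3 from the slide
A = [[8, 7], [7, 2]]            # a_ij of f(x,y) = 8 + 7(x+y) + 2xy


def user_poly(a, s, q):
    """Coefficients b_0..b_w of g(x) = f(x, s) = sum_i (sum_j a_ij s^j) x^i."""
    return [sum(a_ij * pow(s, j, q) for j, a_ij in enumerate(row)) % q
            for row in a]


def evaluate(poly, x, q):
    return sum(b * pow(x, i, q) for i, b in enumerate(poly)) % q


def pair_key(me, peer, a=A, public=PUBLIC, q=Q):
    """Key that user `me` derives for the pair {me, peer}: g_me(s_peer)."""
    return evaluate(user_poly(a, public[me], q), public[peer], q)


def consistent_polynomials(coalition, a=A, public=PUBLIC, q=Q):
    """Every symmetric f' (w = 1) that would have handed the coalition exactly
    the coefficient vectors its members hold. One result means f is exposed."""
    views = {u: user_poly(a, public[u], q) for u in coalition}
    found = []
    for a00, a01, a11 in product(range(q), repeat=3):
        cand = [[a00, a01], [a01, a11]]
        if all(user_poly(cand, public[u], q) == views[u] for u in coalition):
            found.append(cand)
    return found


def possible_keys(coalition, pair, a=A, public=PUBLIC, q=Q):
    """Values the key of `pair` could take, given only the coalition's view."""
    i, j = pair
    return sorted({evaluate(user_poly(cand, public[i], q), public[j], q)
                   for cand in consistent_polynomials(coalition, a, public, q)})


if __name__ == "__main__":
    for u in PUBLIC:
        print("g_%d coefficients:" % u, user_poly(A, PUBLIC[u], Q))
    print("k_{1,2} =", pair_key(1, 2), " k_{1,3} =", pair_key(1, 3),
          " k_{2,3} =", pair_key(2, 3))
    print("user 3 alone, candidates for k_{1,2}:", possible_keys([3], (1, 2)))
    print("users 2 and 3 together recover f:", consistent_polynomials([2, 3]))
```

A single outsider (w = 1) sees every element of GF(17) as an equally possible value of k_{1,2}, while w + 1 = 2 users pin down f uniquely.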

Page 49: Fingerprinting & Broadcast Encryption for Content Protection

Broadcast Encryption - Key pre-distribution scheme

Fiat-Naor KPS

For every subset $F \subseteq U$ with $|F| \le w$, the TA chooses a random value $s_F \in GF(q)$ and gives $s_F$ to every member of $U \setminus F$.

The key associated with a privileged set $P$ is defined to be

$$k_P = \sum_{\{F : F \cap P = \emptyset\}} s_F$$

Page 50: Fingerprinting & Broadcast Encryption for Content Protection

Broadcast Encryption - Key pre-distribution scheme

Fiat-Naor KPS

e.g.

$n = 3,\ q = 17,\ w = 1$

$s_\emptyset = 11,\quad s_{\{1\}} = 8,\quad s_{\{2\}} = 3,\quad s_{\{3\}} = 8$

$k_\emptyset = 13$

$k_{\{1\}} = 5,\quad k_{\{2\}} = 10,\quad k_{\{3\}} = 5$

$k_{\{1,2\}} = 2,\quad k_{\{1,3\}} = 14,\quad k_{\{2,3\}} = 2$

$k_{\{1,2,3\}} = 11$
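The Fiat-Naor example above, recomputed. The following is an added example, not code from the slides: it uses the slide's values of s_F, derives k_P both as the TA and from a single member's view, and reports which s_F a coalition of outsiders is missing. The function names are chosen for illustration.

```python
Q, W = 17, 1                    # field GF(17) and collusion bound w, from the slide
USERS = (1, 2, 3)
# s_F for every F with |F| <= w, values from the slide's example.
S = {frozenset(): 11, frozenset({1}): 8, frozenset({2}): 3, frozenset({3}): 8}


def user_view(user, s=S):
    """What the TA hands to `user`: s_F for every F that does not contain it."""
    return {F: value for F, value in s.items() if user not in F}


def required_sets(privileged, s=S):
    """The index sets F whose values enter k_P: those disjoint from P."""
    members = frozenset(privileged)
    return [F for F in s if not (F & members)]


def group_key(privileged, s=S, q=Q):
    """k_P as the TA computes it: the sum of s_F over all F disjoint from P."""
    return sum(s[F] for F in required_sets(privileged, s)) % q


def key_from_view(user, privileged, s=S, q=Q):
    """k_P computed from one user's own values, or None if one is missing."""
    view = user_view(user, s)
    needed = required_sets(privileged, s)
    if any(F not in view for F in needed):
        return None
    return sum(view[F] for F in needed) % q


def missing_for_coalition(coalition, privileged, s=S):
    """The s_F needed for k_P that no member of the coalition was given."""
    held = set()
    for user in coalition:
        held |= set(user_view(user, s))
    return [set(F) for F in required_sets(privileged, s) if F not in held]


if __name__ == "__main__":
    for P in [(1,), (2,), (3,), (1, 2), (1, 3), (2, 3), (1, 2, 3)]:
        print("k_%s = %d" % (set(P), group_key(P)))
    print("user 3 lacks, for k_{1,2}:", missing_for_coalition((3,), (1, 2)))
    print("users 1 and 2 lack, for k_{3}:", missing_for_coalition((1, 2), (3,)))
```

An outsider set F of size at most w always lacks s_F itself; a coalition larger than w (users 1 and 2 against P = {3}) lacks nothing.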

Page 51: Fingerprinting & Broadcast Encryption for Content Protection

Broadcast Encryption - Key pre-distribution scheme

Beimel-Chor OTBES

Suppose $t \equiv 0 \bmod l$, let $l = 2$.

1. A $(2,\ t+w-2)$ Blom scheme in $GF(q)$ is set up.
2. Suppose that the privileged set $P = \{i_1, \ldots, i_t\}$.
   The complete graph $K_t$ on vertex set $P$ and edge set $E$, can be partitioned into one-factors (perfect matchings).
   For $e = \{i,j\} \in E$ there is a unique one-factor containing it, and a unique key $k_e$ determined by the Blom scheme.
3. Suppose that the one-factors are named $F_1, \ldots, F_{t-1}$.

   $$b_P = (m_i + k_e : e \in F_i,\ 1 \le i \le t-1)$$

Page 52: Fingerprinting & Broadcast Encryption for Content Protection

Broadcast Encryption - Key pre-distribution scheme

Beimel-Chor OTBES

e.g.

$t = 4,\ P = \{i_1, \ldots, i_4\}$

$F_1 = \{\{i_1,i_2\},\{i_3,i_4\}\}$

$F_2 = \{\{i_1,i_3\},\{i_2,i_4\}\}$

$F_3 = \{\{i_1,i_4\},\{i_2,i_3\}\}$

$m_P = (m_1, m_2, m_3)$

$b_P = (m_1 + k_{\{i_1,i_2\}},\ m_1 + k_{\{i_3,i_4\}},\ m_2 + k_{\{i_1,i_3\}},\ m_2 + k_{\{i_2,i_4\}},\ m_3 + k_{\{i_1,i_4\}},\ m_3 + k_{\{i_2,i_3\}})$

Page 53: Fingerprinting & Broadcast Encryption for Content Protection

Broadcast Encryption - Key pre-distribution scheme

Secret Sharing Schemes

$X$: a set of $n$ users,
$\Gamma \subseteq 2^X$ is a set of subsets called authorized subsets.

In a secret sharing scheme, the TA has one secret value $k \in GF(q)$, called the key. The TA will distribute secret information to each user in $X$, in such a way that any authorized subset can compute $k$ from the shares they jointly hold, but no unauthorized subset has any information about $k$.

The secret information given to user $i$ will be denoted $u_i$ and is called the share of user $i$.

Page 54: Fingerprinting & Broadcast Encryption for Content Protection

Broadcast Encryption - Key pre-distribution scheme

Shamir threshold KPS

Let $q \ge n+1$ be a prime power.

1. The TA chooses $n$ distinct non-zero random numbers $x_i \in GF(q)$, and gives $x_i$ to user $i$ $(1 \le i \le n)$. These values do not need to be secret.
2. The TA constructs a random polynomial of degree at most $t-1$

   $$f(x) = \sum_{i=0}^{t-1} a_i x^i$$

   having coefficients in $GF(q)$. The key is the constant term $a_0$.
3. The TA computes the polynomial

   $$y_i = f(x_i)$$

   and gives $y_i$ to user $i$.

Page 55: Fingerprinting & Broadcast Encryption for Content Protection

55

Broadcast Encryption - Key pre-distribution scheme

Shamir threshold KPS, e.g.

Suppose we construct a scheme in $GF(17)$ and the public values are $x_i = i$, $1 \le i \le 5$.

Suppose that the TA chooses the polynomial $f(x) = 13 + 10x + 2x^2$, so the key is 13.

The shares that are distributed are

$y_1 = f(1) = 8,\; y_2 = f(2) = 7,\; y_3 = f(3) = 10,\; y_4 = f(4) = 0,\; y_5 = f(5) = 11$

Any 3 of the ordered pairs (1,8), (2,7), (3,10), (4,0), (5,11) can be used to reconstruct the polynomial.
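The Shamir example above, worked in code. This is an added example, not part of the original slides: it rebuilds the five shares in GF(17), recovers the key from any 3 of them by Lagrange interpolation, and shows that 2 shares leave every candidate key equally possible. All function names are hypothetical.

```python
from itertools import combinations

Q = 17                      # field size from the slide (prime, so GF(17) is the integers mod 17)
COEFFS = [13, 10, 2]        # f(x) = 13 + 10x + 2x^2; the key is the constant term a_0 = 13
T = len(COEFFS)             # threshold t = 3 (degree at most t - 1)
PUBLIC_X = [1, 2, 3, 4, 5]  # public values x_i = i for users 1..5

def f(x, coeffs=COEFFS, q=Q):
    """Evaluate the TA's polynomial at x with Horner's rule, mod q."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % q
    return acc

def make_shares(xs=PUBLIC_X):
    """Return the (x_i, y_i) pairs; the x values must be distinct and non-zero."""
    if len({x % Q for x in xs}) != len(xs) or any(x % Q == 0 for x in xs):
        raise ValueError("public values must be distinct and non-zero in GF(q)")
    return [(x, f(x)) for x in xs]

def interpolate(points, x0, q=Q):
    """Lagrange interpolation: value at x0 of the unique polynomial of degree
    < len(points) through the given points, all arithmetic mod q."""
    if len({x for x, _ in points}) != len(points):
        raise ValueError("duplicate x value among points")
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (x0 - xm) % q
                den = den * (xj - xm) % q
        total = (total + yj * num * pow(den, -1, q)) % q  # pow(d, -1, q) is the inverse mod q
    return total

def recover_key(shares):
    """Any t shares give the key as f(0)."""
    return interpolate(shares, 0)

def keys_consistent_with(shares, probe_x):
    """For t - 1 shares: map each candidate key k to the share a further user
    at probe_x would hold if k were the key (one valid polynomial per k)."""
    return {k: interpolate([(0, k)] + list(shares), probe_x) for k in range(Q)}

if __name__ == "__main__":
    shares = make_shares()
    print(shares)
    print({recover_key(c) for c in combinations(shares, T)})
    print(keys_consistent_with(shares[:2], 3))
```

With only users 1 and 2 pooling shares, each of the 17 candidate keys maps to a different possible share for user 3, so the two shares alone rule out nothing.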

Page 56: Fingerprinting & Broadcast Encryption for Content Protection

56

Broadcast Encryption - Key pre-distribution scheme

<Definition> Orthogonal Array

An orthogonal array $OA_\lambda(s, n, v)$ is a $\lambda v^s \times n$ array, $A = (a_{i,j})$, with entries from a $v$-set, say $Y$, s.t. for any $s$ columns of $A$, say $\gamma_1, \dots, \gamma_s$, and any entries $u_1, \dots, u_s \in Y$, there are exactly $\lambda$ rows of $A$ in which the entry $u_i$ occurs in column $\gamma_i$, for all $i$, $1 \le i \le s$.

Page 57: Fingerprinting & Broadcast Encryption for Content Protection

57

Broadcast Encryption - Key pre-distribution scheme

<Theorem> OA KDP

.)]([set key having

users,n ofset afor KPS-)( a exists Then there

.1)( s.t.power prime a is that Suppose

.)( define and ,12 and 11

thatSuppose 3. with an is thereSuppose

m

wt

wt

λ

qGF

t,s-t

λvv-zqq

λzv-zms-tv-z

s(s,n,v)OA

Page 58: Fingerprinting & Broadcast Encryption for Content Protection

58

Broadcast Encryption - Key pre-distribution scheme

<Definition> Perpendicular Arrays

A perpendicular array $PA_\lambda(s, n, v)$ is a $\lambda\binom{v}{s} \times n$ array, $A = (a_{i,j})$, with entries from a $v$-set, say $Y$, s.t. the following properties are satisfied:

1. each row of $A$ contains $n$ different elements of $Y$,

2. for any $s$-subset of $Y$, and for any $s$ columns of $A$, there are exactly $\lambda$ rows of $A$ in which the given $s$ elements occur in the given $s$ columns (in some order).

Page 59: Fingerprinting & Broadcast Encryption for Content Protection

59

Broadcast Encryption - Key pre-distribution scheme

<Theorem> PA KDP

.)]([set key having

users, ofset afor KDP-)( a exists Then there

.1)1(

,12 and 11 that Suppose

.213 with )( a is thereSuppose

0

λ

m

t

s

t

zv

ts

tvλs-t

i it

s

it

zv

i

ts

its

itvλ

i

qGF

nt,s-t

,qm

s-tv-z

)/(nss,n,vPA

Page 60: Fingerprinting & Broadcast Encryption for Content Protection

60

Broadcast Encryption - Key pre-distribution scheme

PA KPS, e.g.

We consider the $PA_1(3, 7, 8)$.

A is a $56 \times 7$ array with symbols from the set $S = \{\infty, 0, 1, 2, 3, 4, 5, 6\}$.

The array A is obtained by developing the following rows modulo 7:

134052

102364

306125

426501

031546

562043

245163

6543210

Page 61: Fingerprinting & Broadcast Encryption for Content Protection

61

Broadcast Encryption - Key pre-distribution scheme

PA KDP, e.g.

Suppose $Z = \{0, 1, 2, 3\}$. Then we can construct a (2,1)-KDP $(U, B)$ from $A$, where $U = \{1, 2, 3, 4, 5, 6, 7\}$, and the 56 blocks of $B$ are given below.

{5,6,7} {4,5,6} {3,4,5} {2,3,4} {1,2,3} {1,2,7} {1,6,7}

{1,3,5,6} {1,2,5,6} {1,2,6,7} {1,2,4,7} {1,4,7} {1,3,4} {1,3,5}

{2,3,6,7} {1,2,3,7} {1,2,3,5} {1,2,5} {2,4,5} {2,4,6} {2,4,6,7}

{1,2,3,4} {2,3,4,6} {2,3,6} {3,5,6} {3,5,7} {1,3,5,7} {1,3,4,7}

{3,4,5,7} {3,4,7} {4,6,7} {1,4,6} {1,2,4,6} {1,2,4,5} {2,3,4,5}

{1,4,5} {1,5,7} {2,5,7} {2,3,5,7} {2,3,5,6} {3,4,5,6} {1,4,5,6}

{1,2,6} {1,3,6} {1,3,4,6} {3,4,6,7} {4,5,6,7} {2,5,6,7} {2,5,6}

{2,4,7} {2,4,5,7} {1,4,5,7} {1,5,6,7} {1,3,6,7} {3,6,7} {2,3,7}
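A check of the (2,1)-KDP claim for the 56 blocks above, as an added example that is not part of the original slides. It assumes the usual (t,w)-KDP condition, which this section does not restate: for every set P of t users and every disjoint set F of w users, some block contains all of P and none of F. The block list is transcribed from the slide; the function names are hypothetical.

```python
from itertools import combinations

USERS = range(1, 8)  # U = {1,...,7}

# The 56 blocks listed on the slide, one string of user digits per block.
BLOCKS = [frozenset(map(int, b)) for b in """
567 456 345 234 123 127 167
1356 1256 1267 1247 147 134 135
2367 1237 1235 125 245 246 2467
1234 2346 236 356 357 1357 1347
3457 347 467 146 1246 1245 2345
145 157 257 2357 2356 3456 1456
126 136 1346 3467 4567 2567 256
247 2457 1457 1567 1367 367 237
""".split()]

def covering_blocks(privileged, forbidden, blocks=BLOCKS):
    """Blocks whose key every privileged user holds and no forbidden user holds."""
    p, f = set(privileged), set(forbidden)
    return [b for b in blocks if p <= b and not (f & b)]

def kdp_violations(t, w, users=USERS, blocks=BLOCKS):
    """All disjoint (P, F) with |P| = t and |F| = w that no block separates.
    An empty result means the block set is a (t, w)-KDP."""
    bad = []
    for p in combinations(users, t):
        rest = [u for u in users if u not in p]
        for f in combinations(rest, w):
            if not covering_blocks(p, f, blocks):
                bad.append((p, f))
    return bad

def keys_per_user(users=USERS, blocks=BLOCKS):
    """Number of block keys each user has to store."""
    return {u: sum(u in b for b in blocks) for u in users}

if __name__ == "__main__":
    print(len(BLOCKS), "blocks,", len(set(BLOCKS)), "distinct")
    print("violations of (2,1):", kdp_violations(2, 1))
    print("keys per user:", keys_per_user())
    print("blocks usable by {1,2} against user 3:", len(covering_blocks((1, 2), (3,))))
```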

Page 62: Fingerprinting & Broadcast Encryption for Content Protection

62

Broadcast Encryption - Key management

The bit-vector scheme

Popular access control scheme (analog European satellite TV system, Sky VideoCrypt systems, …)

All the programs are encrypted with the same key, which is stored in every set-top terminal (STT)

The STT decrypts a program p only if the p-th bit of the bit-vector is set, b[p] = 1.

Page 63: Fingerprinting & Broadcast Encryption for Content Protection

63

Broadcast Encryption - Key management

The block-by-block scheme

The programs are split into n disjoint blocks, and all the programs belonging to a block are encrypted using the same key

The STT stores the keys for each block that the user buys

Page 64: Fingerprinting & Broadcast Encryption for Content Protection

64

Broadcast Encryption - Key management

The extended-header scheme

Attach cryptographic header information to each program

Arrange the programs into predefined packages, and each package has a key

Need large headers to each program in order to achieve flexibility in packaging the programs

Page 65: Fingerprinting & Broadcast Encryption for Content Protection

65

Broadcast Encryption - Key management

The VSPACE scheme

Attach only the single n-bit cryptographic identifier (CID) to a program

The encryption key of a program is a function of its CID p: Key(p) = Mp

The columns of M are master keys, which are linearly independent vectors.