fingerprinting and broadcast encryption multimedia security
TRANSCRIPT
Fingerprinting and Broadcast Encryption
Multimedia Security
2
Outline
• Introduction
• Collusion attack
• Traitor tracing for broadcast encryption
• Collusion-resilient fingerprinting
• Conclusions
3
Introduction
• Two types of fingerprinting– Type I: Embed fingerprints to contents
– Type II: Extract fingerprints from contents
…
…Embed
ExtractExtract
4
Introduction - Type I Fingerprinting
• What
– The process of assigning a unique key for each user' s content
• Why
– To identify the person who acquired a particular copy
– To prevent users from destroying the identification information
– To trace the traitors
• How– Watermarking the contents with the unique keys
5
Introduction - Type II Fingerprinting
• What– Extract unique and robust image descriptors from
contents
• Why– For the detection of replicas – For content-based image retrieval
• How– Select the features that best describe a given
content
6
Introduction
• Talk focus– Type I fingerprinting
• Some related terms– Collusion attack– Traitor tracing
7
Introduction
• Collusion attack– A coalition of traitors collude to destroy the identification
information and leak the content (keys)
1101110
Extraction
1001100 1101101 0001101 1001111….
Collusion attack
1101110
Pirate code
8
Introduction
• Traitor tracing– Find at least one of the colluders
{ , , ,…, }– Can not frame innocent users
{ ,…..}– Related researches:
From Broadcast Encryption to Fingerprinting
9
Collusion attack
• Broadcast encryption– e.g. u1: {k1,k3,k7} u2:{k3,k5,k7} pirate decoder box: {k1,k5,k7}
• Digital fingerprinting– Linear & non-linear collusion attacks
Copy-and-paste attack
10
Collusion attack
• Pd of the TN statistics under different attacks
– Z. J. Wang, M. Wu, H. Zhao, W. Trappe, & K. J. R. Liu, 2003
22/ ssyT
dsy
dT
N
11
Collusion attack
• Analyze the statistical features to improve the detection performance– H. V. Zhao, M. Wu, Z. J. Wang, & K. J. R. Liu, 2004
– e.g. Observe the histograms of sample means of extracted fingerprints under the average, minimum and randomized negative attacks, respectively
•
45 ,10000 ,912 KMW
12
Traitor tracing for broadcast encryption
• Broadcast encryption– Amos Fiat & Moni Naor, CRYPTO’93– Scenario of broadcast scheme
• A center and a set of users U• The center provides the users with prearranged keys
when they join the system• The center wishes to broadcast a message (e.g. a key)
to a dynamically changing privileged subset T in such a way that non-members cannot learn the message
– Goal• Securely transmit a message to all members of the
privileged subset
13
Traitor tracing for broadcast encryption
• Key management– How to assign and store the keys– How to save the key storage for both the server
and clients– A comprehensive survey
• A. Wool, 2000• A simple scheme
– The extended-header schemeSuppose that a program p belongs to t packages for t usersBroadcast ENCKp(p) to users Header: ID Key
1 Es1(Kp)
…. …
t Est(Kp)
14
• Resiliency– A broadcast scheme is called resilient to set
S if for every subset T (T∩S=Φ), no eavesdropper that has all secrets associated with members of S, can obtain knowledge of the secret common to T
– k-resilient• The scheme is resilient to any set S U of size k
Traitor tracing for broadcast encryption
T S kU
15
• The basic scheme– For every set BU, 0|B|k, define a key KB and give
KB to every user xU-B
– The common key to the privileged set T is the exclusive or of all keys KB, BU-T
– Every coalition S with less than k users will all be missing key KS and will therefore be unable to compute the common key for any privileged set T (T∩S=Φ)
Traitor tracing for broadcast encryption
B1
KB1
B2 Bj KBj
KB2
TS
16
• Tracing traitors– B. Chor, A. Fiat, M. Naor, & B. Pinkas,
CRYPTO’94 & 98– Confiscate a pirate decoder to determine
the identity of a traitor– Randomly assign the decryption keys to
users– Make the probability of exposing an
innocent user negligible
Traitor tracing for broadcast encryption
17
Traitor tracing for broadcast encryption
• A simple scheme– Keys
– l hash functions h1, h2, …, hl
hi: {1,…,n}{1,…,2k2}hi(u) the ith key for user u
…
…
… … … …
…
22,1 ka
22, kla
22,2 ka
2,1a
2,2a
2,la
1,1a
1,2a
1,la
l
2k2
18
Traitor tracing for broadcast encryption
– Personal key of user u
– 2k2l encrypted keys
– Decrypt si and compute secret s
},...,,{)( )(,)(,2)(,1 21 uhluhuh laaauP …
…
… … … …
…
22,1 ka
22, kla
22,2 ka
2,1a
2,2a
2,la
1,1a
1,2a
1,la
lssss ...21
)(),...,(),(
...
)(),...,(),(
22,1,1,
22,12,11,1 111
lalala
aaa
sEsEsE
sEsEsE
klll
kCipher block
s
Decrypt
Enabling block
19
Traitor tracing for broadcast encryption
• Tracing
{user 1, user 5}, {user 2, user 3, user 5}, {user5, user 6}, …,{user 2, user 7, user 9}, ….,{…}
user 1 x x
user 2 x
….
user 5 x x x x x
…
user n x x
},...}...{}{}{{
....
},...}...{}{}{{
},...}...{}{}{{
2
2
2
2,2,1,3,2,1,2,1,1,
2,22,21,23,22,21,22,21,21,22
2,12,11,13,12,11,12,11,11,11
kllllllllll
k
k
aaaaaaaaas
aaaaaaaaas
aaaaaaaaas
Faaa l },...,,{ 2,2,23,1
)2(),...,2(),3( Compute 112
11
lhhh
20
• Tracing algorithm– Static tracing– Dynamic tracing– Sequential tracing
Traitor tracing for broadcast encryption
21
Traitor tracing for broadcast encryption
• Static tracing– Confiscate a pirate decoder to determine the identity
of a traitor– Ineffective if the pirate were simply to rebroadcast the
original content– Use watermarking methods to allow the broadcaster
to generate different versions of the original content– Use the watermarks found in the pirate copy to trace
its supporting traitors– Drawback: requires one copy of content for each user
and so requires very high bandwidth
22
Traitor tracing for broadcast encryption
• Dynamic tracing (Fiat & Tassa, 2001)– The content is divided into consecutive segments– Embed one of the q marks in each segment
( q versions of the segment )• Need the watermarking scheme
– In each interval, the user group is divided into q subsets and each subset receives on version of the segment
– The subsets are varied in each interval using the rebroadcasted content
– Trace all colluders with lower bandwidth– Drawback:
• Vulnerable to a delayed rebroadcast attack• High real-time computation for regrouping the users and allocating
marks to subsets• Impractical in many scenarios
23
Traitor tracing for broadcast encryption
• Sequential tracing ( Reihaneh, 2003)– The channel feedback is only used for tracing
and not for allocation of marks to users– The mark allocation table is predefined and there
is no need for real-time computation to determine the mark allocation of the next interval
• The need for real-time computation will be minimized
• Protects against the delayed reboradcast attack
– The traitors are identified sequentially
24
Collusion-resilient fingerprinting
• Boneh-Shaw scheme– D. Boneh & J. Shaw, “Collusion-secure
fingerprinting for digital data”, CRYPTO’95– Watermarking the digital data (e.g. software,
documents, music, and videos) with fingerprints– Based on Marking Assumption– Too long (too many keys)
• B. Chor et al. claimed: “It is much less efficient than our schemes”
25
Collusion-resilient fingerprinting
• Marking Assumption– Any coalition of c users is only capable of creating an
object whose fingerprint lies in the feasible set of the coalition
– Feasible set
( is the code, C is the collusion coalition, R is the set of undetectable positions, and w is the pirate code)
– e.g. A: 3 2 3 1 2 B: 1 2 2 1 2 F= ’2 ’ 1 2
);( CF
},|| s.t.{?}}({);( )( CuwwwCF Ru
Rl
26
Collusion-resilient fingerprinting
• <Definition> c-Frame Proof Codes (c-FPC(l,n))
• <Definition>Totally c-secure code
).( a is say that We
.)( have we, such that
everyfor if, code frameproof- a called is code-)(A
l,nc-FPCΓ
CΓ CFcCΓC
cΓl,n
C cx
.)( then worda generates users
most at of coalition a if :condition following thesatisfying
algorithm tracinga exists thereif secure- totally is codeA
CxAx
c C
Ac
C cU x Ax UC
27
Collusion-resilient fingerprinting
secure.-2 not toally is code thelemma,last by the
empty. is coalitions theofon intersecti theHowever,
}.{}{}{
coalitions threeallfor feasible is ordmajority w therify that readily vecan One
by )( ordmajority w thedefine
lyrespective , users toassigned codewordsdistinct threebe let
code-)(arbitrary an be let
codes. secure-2 totally no are e that thershow enough to isit Clearly,
323121
(3)(2)(2)
(3)(1)(2)(1)(1)
(3)(2)(1)
321(3)(2)(1)
Γ
,uu,,uu,,uu
M
wise. other ?,
w if w , w
w or ww if w, w
Mi
,w,wwMAJM
,u,uu,w,ww
l,n
iii
iiiii
Boneh & Shaw: “ There are no totally c-secure codes”each. users most at of ,... scolatiiton allfor
)(...)(... then code secure- totally a is If
1
11
cCC
CFCFCCc
r
rr Lemma
28
Collusion-resilient fingerprinting
• n-secure code with -error 0(n,d): l=d(n-1)=O(n3log(n/ )) too long!
– e.g. 0(4,3) A: 111 111 111 111 111 111 B: 000 111 111 011 101 101 C: 000 000 111 000 001 101 D: 000 000 000 000 000 000
guilty" is user "output then 2
log22
)( if
.)(let :do 1 to2 allfor 3)
guilty" is user "output then )(if )2
guilty" is 1user "output then 0)( if 1)
. producedthat coalition theofsubset a find ,}10{Given
1
1
1B
snkk
xweight
xweightkn-s
ndx weight
xweight
x,x
s-
s
n-
B
B
B
l
Random permutation
29
Collusion-resilient fingerprinting
• c-secure code with -error of log length ’(L,N,n,d)
– Compose 0(n,d) with an (L,N)-code Cx=((1) || (2) || … || (L)) (i)0 |0|=alphabet size of C
– l=O(c4log(N/ )log(1/ ))
guilty" is user "output
from derived is codeword user whose thebe Let 3)
y).arbitraritbroken are (tiesposition of
number most in the matches which word theFind 2)
. word theform Next, . and 1between number a is that
Note output.chosen thisbe toSet 1. algorithm of outputs
theof one choosey arbitraril 1component each for
. of components theofeach to1 algorithmApply 1)
. producedthat coalition theofmember a find ,}10{Given
1
u
Cwu
yCw
...yyyny
y
,...,Li
xL
x,x
Li
i
l
30
Collusion-resilient fingerprinting
• Combinatorial designs– D. R. Stinson & R. Wei, “Combinatorial properties
and constructions of traceability schemes and frameproof codes”, 1997
– Give combinational descriptions of the following two objects in terms of set systems
• Traceability schemes for broadcast encryption• Frameproof codes for digital fingerprinting
31
Collusion-resilient fingerprinting
– t-design (t-(v,k,))• 2-design : BIBD (Balanced incomplete block design)• (9,3,1)-BIBD
{0,1,6},{0,2,5},{0,3,4},{1,2,4},{3,5,6},{1,5,7},{5,4,8},{4,6,7},{6,2,8},{2,3,7},{3,1,8},{0,7,8}
• e.g. J. Dittmann, P. Schmitt, E. Saar and J. Ueberberg, “Combining Digital Watermarks and Collusion Secure Fingerprints for Digital Images”, 2000
2-detecting code
32
Collusion-resilient fingerprinting
)1/()1( where
),),/()(,(design)1,,( Theorem
)1/()1( where
)),/()(,( design)1,,( Theorem
tkc
vkc-TSkvt
tkc
vc-FPCkvt
kt
vt
kt
vt
<Definition> c-Traceability Scheme (c-TS(l,n,q))
.k,n,lc-TS
ccC C
FCU
)(by denoted
isit and schemety traceabili- a called is scheme Then the . and by produced is
decoder pirate a whenever coalition theofmember a is user exposedany Suppose
C cU F
33
Collusion-resilient fingerprinting
• <Theorem>
• <Theorem>
• It needs tricks to construct a suitable code
)20/)1(,(4 20mod5,1
)12/)1(,(3 12mod4,1
)6/)1(,(2 6mod3,1
vvvFPCv
vvvFPCv
vvvFPCv
)1,1,1( power prime 22 qqqqqTSqq
34
Collusion-resilient fingerprinting
• Error correcting code (ECC) – Has systematic encoding and decoding
algorithms– Distance-based decoding criterion
• Resilient to attacks for multimedia data
Robust than the t-design codes
35
Collusion-resilient fingerprinting
• <Definition> c-TA codes (c-traceability codes)
• <Theorem>
• Larger minimum distances imply higher tracing ability
i
ii
i
CCz
z,wIx,wICxCdescw
c CcC
allfor
)()(such that exists e then ther)( if
,most at size of coalitions allfor if codeTA - a is codeA
Ci cx w
z
code.TA - isThen ).11( distance
Hamming minimum having code-)(an is that Suppose2 cC /c-ld
l,nC
36
Collusion-resilient fingerprinting
– e.g. 2-TA: (15,3,11)4-BCH (120,2,96)4-code
– It’s not easy to find practical ECCs with so large minimum distances
– Reed-Solomon code• (l,k,d)-RS over GF(qm) : d=l-k+1=qm-1-k+1=qm-k
– A code for sequential traitor tracing• R. Safavi-Naini & Y. Wang, 2003
)...)( ( ))(),...,(),((2
21
k
k
qqqs
q
ss xxxxxTrxTrxTrxTr
},...,,{,)( 21*
qkqGF
) (mod 1, such that and,,2 12/ sqtrrqstk rk
37
Collusion-resilient fingerprinting
• Assign one of the q versions for each movie segment (q-ary code)– H. Jin, J. Lotspiech, & S. Nusser (IBM Almaden research),
2004
38
Collusion-resilient fingerprinting
• Orthogonal signals– W. Trappe, M. Wu, Z. J. Wang, and K. J. R. Liu, “Anti-
collusion fingerprinting for multimedia”, 2003– Orthogonal fingerprint
• Orthogonal modulation wj=uj # of fingerprints=# of ortho. bases
• Modulate the code based on BIBD by noise-like signals
# of fingerprints>># of orthogonal bases
• (7,3,1)-BIBD{{0,1,3},{0,2,5},{0,4,6},{1,2,4},{1,5,6},{2,3,6},{3,4,5}}
B
iiijj ubw
1
39
Collusion-resilient fingerprinting
• The bit-complement of the incidence matrix for a (7,3,1)-BIBD
• Modulate the codewords by 7 orthogonal bases
40
Collusion-resilient fingerprinting
• If user 1 and user 2 are colluders
– Average attack: the pirate code is (w1+w2)/2
– The coefficient vector is (-1,0,0,0,1,0,1)– 1 occurs in the fifth and seventh location
uniquely identifies users 1 and 2 as colluders
• Experiments– (16,4,1)-BIBD– 20 users– c=3
41
Collusion-resilient fingerprinting
– Tree-structured detection
22/ii UdU
TN ssyT
42
Collusion-resilient fingerprinting
• Orthogonal signals– Z. J. Wang, M. Wu, H. Zhao, W. Trappe, and K. J. Liu, 2003~
– Gaussian signals (suitable for multimedia content)
– Performance is limited if the number of Gaussian signals is larger
43
Collusion-resilient fingerprinting
• Joint fingerprint embedding and decryption based on coefficient set scrambling– D. Kundur & K. Karthik, 2004
44
Collusion-resilient fingerprinting
Original, encrypted, and fingerprinted images
PSNR=22dB PSNR=34dB
45
Collusion-resilient fingerprinting
• Make the colluded copy useless– U. Celik, G. Sharma, & A. M. Tekalp, “Collusion-
resilient fingerprinting by random pre-warping”, 2004– The host signal is warped randomly prior to
watermarking
46
Collusion-resilient fingerprinting
47
Collusion-resilient fingerprinting
• Fingerprint multicast in secure video streaming– H. V. Zhao & K. J. R. Liu, 2006– Tree-structure-based fingerprint scheme
48
Collusion-resilient fingerprinting
• MPEG-2-based joint fingerprint design and distribution scheme for video on demand applications
The fingerprint embedding and distribution process at the server’s side
49
Possible future research
• Collusion-resilient fingerprint scheme– Robust against collusion attacks
• Fingerprint - Hard to be removed by collusion attacks• Content - Useless after being attacked
– Traceability code• Short l• Large n• Large c
– Tracing algorithm & detection strategy• High hit ratio• Low false alarm rate • Fast• Low computational overhead
50
Dynamic tracing
• q versions for every segment