Anonymous Fingerprinting Paper by: Birgit Pfitzmann, and Michael Waidner Presentation by: James Campbell.


1 Anonymous Fingerprinting Paper by: Birgit Pfitzmann, and Michael Waidner Presentation by: James Campbell

2 Fingerprinting? Fingerprinting Schemes: Cryptologic means by which sellers of digital data can find traitors Traitors? –Buyers who illegally redistribute copyrighted digital data … similar to pirates …

3 Fingerprinting Schemes Fingerprinting –Symmetric –Asymmetric Traitor Tracing –Symmetric –Asymmetric

4 Symmetric Fingerprinting Each buyer gets a slightly different version When an illegal redistribution is found, vendor checks who bought that particular variant Problems: –Collusion –Proving Guilt

5 Collusion What if multiple traitors get together and compare their copies to find the variation? Collusion Tolerance: The ability of a scheme to avoid being compromised by conspiring traitors

6 Proving Guilt With Symmetric Fingerprinting The merchant cannot find anything in the redistributed copy that he could not have created by himself Other schemes we will see handle this problem

7 Asymmetric Fingerprinting Buyer inputs his own secret Merchant does not see the fingerprinted copy that the buyer receives If the copy is found, the merchant can extract the information Can prove guilt, since the merchant could not have produced the buyer’s secret

8 Traitor Tracing Analog to fingerprinting for cryptologic keys Introduced for broadcast encryption Used in cases where only the key to decrypt the information is sold –Each key is different, but all can decrypt the data Asymmetric forms exist which prove guilt

9 Trials 3-Party Trials: The accused buyer is needed for the merchant to prove guilt to an arbiter 2-Party Trials: The merchant can prove a traitor’s guilt to an arbiter without the traitor

10 Benefits of 2-Party Trials The traitor does not need to be found for their guilt to be proven –Unimportant … would need to be found anyway Traitor’s Memory – No worry of potential traitor forgetting password or dying Traitor’s Secret – No worry of potential traitor divulging secrets possibly used elsewhere

11 Marketplace Anonymity Electronic marketplaces try to offer the same privacy as (if not more than) real marketplaces –Anonymous networks, money, and exchanges exist All previous fingerprinting schemes destroy this privacy, since the buyer must somehow identify themselves

12 Anonymous Fingerprinting Each buyer must have a key pair for a digital signature scheme Each buyer must register for the fingerprinting scheme with their digital identity Registration is done at “Registration Centers” –Most likely the buyer’s bank Note: The registration center does not need to be trusted; the worst it can do is deny registration

13 Anonymous Fingerprinting Four types of parties involved: –Merchants –Buyers –Registration Centers –Arbiters Arbiters should be able to be anyone Registration Centers should not have to be trusted

14 Anonymous Fingerprinting 7 protocols make up the anonymous fingerprinting scheme: –Registration Center Key Distribution –Registration –Data Initialization –Fingerprinting –Identification –Enforced Identification –Trial Can output failed at any point

15 Registration Center Key Distribution Registration center creates key pair (part of a signature scheme) Public key distributed to all –Merchants –Arbiters –Buyers that are or may register at that center

16 Registration Registers the buyer with the registration center Inputs: –Buyer: Buyer’s digital identity –Center: Registration Center’s public key; Maximum number of purchases; Registration Center’s secret key Outputs: –Buyer: Registration record –Center: Registration record

17 Data Initialization Merchant prepares each data item for sale Inputs: –Merchant: The data item to be sold; Maximum number of copies to sell Output: –Merchant: Merchant’s initial data record

18 Fingerprinting Merchant and buyer fingerprint the data Inputs: –Merchant: Data item Initial data record from buyer’s Registration Center –Buyer: Registration record –Both: Text describing the purchase Outputs: –Merchant: Purchase record –Buyer: Fingerprinted data Purchase record Secretly

19 Identification Merchant learns who the original buyer is (may involve registration center) Inputs: –Merchant: A redistributed copy of some data item; An original copy of the same data item; All purchase records for that data item –Center: Registration records Outputs: –Merchant: Identity of original buyer The description of the sale The string: Proof

20 Enforced Identification If the registration center is needed, but does not cooperate, then an arbiter is brought in Outputs: –Merchant: (same as in identification) –Arbiter: either center_guilt or ok Center_guilt indicates that the arbiter noticed the center has been misbehaving

21 Trial Tests whether the accused buyer is guilty Involves: Merchant and Arbiter, or All Inputs: –Merchant: Identity of accused buyer Description of sale The string Proof –Center: Buyer’s registration record –Buyer: Current registration record Outputs: –Arbiter: guilty or not_guilty possibly center_guilty

22 Effectiveness Properties Correct Case: –If involved parties are honest: Registration and Data Initialization should not fail –If buyer, merchant and center are honest: Fingerprinting should succeed –Fingerprinted data should look sufficiently like original No Jamming by Registration Center: –The center cannot register a buyer such that later a transaction with a merchant will fail

23 Integrity Security for the Merchant: –If a traitor buys up to coll_size different copies of the same data item, and produces a similar copy: The merchant will still be able to identify the traitor –May get center_guilt if the center is cheating –Weaker version: only holds if the buyer’s registration center is honest

24 Integrity Protecting the merchant from making wrong accusations: –It should be infeasible for any number of traitors to create a copy of the data such that identification succeeds but trial fails Security for the Buyer: –No honest buyer should be able to be found guilty –Note: no weaker version should exist of this Security for Registration Centers: –Honest registration centers should never be deemed guilty by an honest arbiter

25 Anonymity Nobody should be able to know anything about the buyer’s behavior (without the center’s help) Implies that a merchant cannot unjustly accuse a person to determine if they were a buyer Assumes that the underlying communication channels are anonymous (e.g., using a mixnet)

26 Fingerprinting Issues Buyer must embed some information into the data: call it: emb The merchant must be able to validate emb The merchant must be able to extract emb (assumed to exist for the following) –In non-anonymous schemes, emb must be derived using information or interaction from the buyer

27 More Detail - Registration Buyer selects a “pseudonym” Buyer signs responsibility using normal identity Registration center gives buyer a certificate: Thus the registration center can link the buyer to the pseudonym

28 More Detail - Fingerprinting Buyer computes where text is the description of the sale Thus The buyer then hides emb in a commitment which is sent to the merchant Buyer uses zero-knowledge to prove the validity of the hidden signature

29 More Detail - Fingerprinting Alternate method: Rather than embedding emb as is … Buyer encrypts emb and commits the key, which is embedded, and the merchant holds onto emb

30 More Detail - Identification Merchant extracts emb and sends to the buyer’s registration center to get the buyer’s identity If the center refuses, the merchant shows proof_1 and cert_B to the arbiter to show that the center knows the identity of the traitor In Enforced Identification, either the center discloses the identity or is found guilty

31 More Detail - Identification In the alternate version: The merchant tries to decrypt all of the ciphertexts from the purchase records Rest follows as before

32 More Detail - Trial The arbiter checks the signature to ensure that the accused buyer claims responsibility for the pseudonym Then checks that sig is a valid signature of text

33 Provability of Security Theorem 1: If all the underlying primitives are secure, the construction framework yields a provably secure anonymous fingerprinting protocol. Paper claims the proof is straightforward …

34 Marking Schemes Way of hiding data within data, assumed to be used in fingerprinting schemes Individual bits are hidden in data items at random Each data item has two versions In initialization, the merchant selects l marks probabilistically and can then encode l bits Traitors can only find marks by comparing their copies

35 Marking Schemes If coll_size traitors produce a new redistribution, then at least l/coll_size marks will correspond to one of the traitor’s copies Error correction schemes can be used to fill in for any deleted marks

36 Symmetric Schemes Almost no collusion tolerance If there is no collusion, then can assume the traitor’s codeword still exists intact Thus the codeword can simply be extracted

37 Symmetric Collusion-Tolerant Schemes Merchant compares all possible codewords to the redistribution and looks for at least l/coll_size symbols in common Impractical to use for large quantities of data since the list of possible codewords would be rather large
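
The tracing rule from slides 35 and 37, as an added example that is not code from the paper or the presentation: colluders can only output, at each position, a symbol one of their own copies carries, so by the pigeonhole principle at least one traitor shares l/coll_size symbols with the redistributed word. The parameter values, buyer numbers and the two collusion strategies are constructed for illustration, and codewords are assumed to be random words over {1, …, q}.

```python
import random

L_MARKS, Q, COLL_SIZE = 60, 64, 3   # constructed values for l, q and coll_size

def issue_codewords(n_buyers, rng):
    """One random codeword of l symbols over {1..q} per buyer (one variant each)."""
    return {b: [rng.randint(1, Q) for _ in range(L_MARKS)] for b in range(n_buyers)}

def collude(codewords, traitors, pick):
    """Build the redistributed word: at every position the colluders can only
    emit a symbol that one of their own copies carries."""
    return [codewords[pick(i, traitors)][i] for i in range(L_MARKS)]

def trace(codewords, pirate, coll_size=COLL_SIZE):
    """Compare every issued codeword with the pirate word and accuse each buyer
    sharing at least l/coll_size symbols with it."""
    threshold = -(-len(pirate) // coll_size)            # ceil(l / coll_size)
    scores = {b: sum(x == y for x, y in zip(cw, pirate))
              for b, cw in codewords.items()}
    return {b for b, s in scores.items() if s >= threshold}, scores

def demo(seed=1):
    rng = random.Random(seed)
    codewords = issue_codewords(200, rng)
    traitors = [17, 58, 123]                            # hypothetical buyer numbers
    # Strategy 1: colluders take turns, each contributing exactly l/coll_size symbols.
    even = collude(codewords, traitors, lambda i, t: t[i % len(t)])
    # Strategy 2: a random colluder per position; some traitor still supplies >= l/coll_size.
    mixed = collude(codewords, traitors, lambda i, t: rng.choice(t))
    return traitors, trace(codewords, even), trace(codewords, mixed)

if __name__ == "__main__":
    traitors, (acc_even, _), (acc_mixed, scores) = demo()
    print("even split accuses:  ", sorted(acc_even))
    print("random split accuses:", sorted(acc_mixed))
    print("best innocent score: ",
          max(s for b, s in scores.items() if b not in traitors))
```

The scan in `trace` touches every issued codeword, which is the cost slide 37 calls impractical for large numbers of codewords.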

38 Asymmetric Schemes with 3-Party Trials Merchant cannot know entire codewords, so only knows half of each Merchant searches a list of partial codewords to find whom to accuse, who shows his part to the arbiter Arbiter looks for sufficient common symbols Cannot be used for anonymous scheme since merchant does not know whom to accuse

39 Asymmetric Collusion-Tolerant Fingerprinting with 2-Party Trials Encoding Idea: –Use a concatenated code with Outer code words of length l over {1, …, q} Inner code is a fixed binary code of length d(q-1) –l, d, q are parameters – must have a decoding procedure where each symbol in an altered redistribution must be a symbol from one colluding traitor (with high probability) –Probability of this not being the case is if

40 Embedding / Extracting Data Data Initialization: –Merchant chooses marks for the data items in the marking scheme –For each of the l positions of the outer code, the merchant randomly chooses a substitution which is a permutation of the alphabet {1, …, q}

41 Embedding / Extracting Data Embedding: –Merchant picks k_1 random bits for each symbol in the outer code –emb is encoded with EECC into l halfsymbols of k_2 bits each –Halfsymbols are combined and encoded –Thus giving an outer word of –Each symbol is then encoded with the inner code

42 Embedding / Extracting Data Extracting: –Each symbol of the outer code is identified by undoing the inner code, giving –Each symbol is decrypted using and is separated into halves of length k_1 and k_2 –Merchant then looks through purchase records for which has at least symbols in common with –Then tries to extract

43 The End Questions?

