An Asymmetric Fingerprinting Scheme based on Tardos Codes. Ana Charpentier (INRIA Rennes), Caroline Fontaine (CNRS, Télécom Bretagne), Teddy Furon (INRIA Rennes).

Presentation transcript:

1 An Asymmetric Fingerprinting Scheme based on Tardos Codes
Ana Charpentier, INRIA Rennes
Caroline Fontaine, CNRS, Télécom Bretagne
Teddy Furon, INRIA Rennes
Ingemar Cox, University College London

2 The story of this paper
IEEE WIFS’2010, London. During the tutorial on Tardos Code, Ingemar asked:
“You always assume that the Provider is trusted. Why?”
My answers:
“i) !?!, …Hmm…
ii) Tardos code is not meant for asymmetric fingerprinting
iii) asymmetric fingerprinting is not practical”

Introduction
TRADITIONAL ‘symmetric’ fingerprinting
Huge improvements thanks to G. Tardos
– The length of codewords has been drastically reduced
– Industrial deployments are on their way
Requirements
– n: number of users
– c: size of the collusion
– $P_{fa}$: probability of accusing innocent users
– m: code length, $m = O[c^2 \log(n / P_{fa})]$
[Diagram: Provider and User]

4 Introduction II
ASYMMETRIC fingerprinting
Different trust model:
– Content Provider is untrustworthy
– May want to frame an innocent user.
Dates back to 1996 [Pfitzmann&Schunter]
4 actors: User, Provider, Certification Authority, and the Judge
4 steps: Key generation, Fingerprinting, Identification and Dispute.
[Diagram: Provider, User, Judge, CA; fingerprinted copy; pirated copy]

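Tardos code construction
Initialization: generate secret bias vector p
– $p = (p_1, \dots, p_m)$, $0 < p_i < 1$
– $p_i \sim f(p)$ i.i.d.
Code: generate n x m binary matrix X
– Each row is a codeword $X_j = (X_{j1}, \dots, X_{jm})$ s.t. $\mathrm{Prob}[X_{ji} = 1] = p_i$

| p | $p_1 = 0.8$ | $p_2 = 0.5$ | $p_3 = 0.7$ | … | $p_m = 0.1$ |
|---|---|---|---|---|---|
| $X_1$ | 1 | 0 | 1 | … | 0 |
| $X_2$ | 1 | 1 | 0 | … | 1 |
| $X_3$ | 0 | 0 | 1 | … | 0 |
| … | | | | | |
| $X_n$ | 1 | 1 | 1 | … | 0 |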

6 Tardos code accusation
When a pirated copy is found…
– Extract binary sequence $Y = (Y_1, \dots, Y_m)$
– Y is a mixture of the colluders’ codewords
Accusation (Single decoder)
– Compute a score per user: $S_j = G(Y, X_j, p)$
– Accuse
  – users whose scores are above threshold T
  – user with maximum score if above threshold T
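The code construction and single-decoder accusation described above, as an added example that is not part of the original slides. The slides leave f and G unspecified, so this sketch assumes Tardos' arcsine density with a cutoff t for f and the symmetric score function for G; the parameters, the majority-vote collusion, the threshold T and all function names are constructed for illustration.

```python
import math
import random

def gen_bias(m, t, rng):
    # Assumed f: arcsine density on [t, 1-t], sampled as p = sin^2(r).
    lo = math.asin(math.sqrt(t))
    return [math.sin(rng.uniform(lo, math.pi / 2 - lo)) ** 2 for _ in range(m)]

def gen_code(n, p, rng):
    # n x m binary matrix X with Prob[X_ji = 1] = p_i.
    return [[1 if rng.random() < pi else 0 for pi in p] for _ in range(n)]

def collude_majority(rows):
    # Constructed collusion: majority vote per position. Where all
    # colluders hold the same symbol, Y carries that symbol.
    return [1 if 2 * sum(col) > len(rows) else 0 for col in zip(*rows)]

def score(y, x, p):
    # Assumed G (symmetric score): agreement with Y is rewarded,
    # disagreement penalised, weighted by how rare the symbol is under p_i.
    s = 0.0
    for yi, xi, pi in zip(y, x, p):
        w = math.sqrt((1 - pi) / pi) if xi == 1 else math.sqrt(pi / (1 - pi))
        s += w if xi == yi else -w
    return s

def accuse(y, X, p, T):
    # Accuse every user whose score is above threshold T.
    return [j for j, x in enumerate(X) if score(y, x, p) > T]

def demo(seed=1):
    rng = random.Random(seed)
    n, m, t, T = 20, 4000, 0.01, 400.0   # constructed parameters
    p = gen_bias(m, t, rng)
    X = gen_code(n, p, rng)
    colluders = [2, 7, 11]               # c = 3 users mix their codewords
    y = collude_majority([X[j] for j in colluders])
    return accuse(y, X, p, T), colluders

if __name__ == "__main__":
    print(demo())
```

Under these assumptions an innocent user's score has mean 0 and variance m, while each of the c colluders scores about 2m/(πc) on average, which is what lets a single threshold separate them.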

7 Threats on Tardos code I
[Diagram: Provider (generate p, generate X, watermark and distribute); User #j; P2P]

8 Threats on Tardos code II
[Diagram: Content Provider (generate p, generate X); Trusted Tech. Provider (watermark, distribute); User #j; Users #a_1, #a_2, …, #a_K; collusion; $X_j$]
K=3 accomplices frame innocent User #j

9 Threats on Tardos code III
[Diagram: Content Provider (generate p, generate X); Trusted Tech. Provider (decode watermark); pirated copy; Y]
How to frame innocent user #j during the score computation?
– Y and $X_j$ are fixed
– The provider is the only one knowing p
– It is possible to tweak p into p’ s.t. score $S_j = G(Y, X_j, p’) > T$
– p’ looks as if it were drawn from f

10 Lessons learnt from the threats
The Provider
– Should not know the code X (or only a fraction)
– Should not change secret p between code generation and score computation
The User
– Should know neither the secret p nor the fingerprint of any other user
– Should have a codeword drawn from the distribution induced by p
– Should not be able to modify his codeword

11 A protocol based on Oblivious Transfer
OT - 1:N
“Pick a card, any card!”
[Diagram: Alice, Bob, a deck of N cards]

12 OT based on commutative encryption
Commutative encryption: $CE(k_B, CE(k_A, m)) = CE(k_A, CE(k_B, m))$
[Diagram: oblivious transfer between Alice and Bob]
– $c_1 = E(k_1, m_1)$, $c_2 = E(k_2, m_2)$, …, $c_N = E(k_N, m_N)$
– $d_1 = CE(k_A, k_1)$, $d_2 = CE(k_A, k_2)$, …, $d_N = CE(k_A, k_N)$
– $u = CE(k_B, d_i)$
– $w = CE^{-1}(k_A, u)$
– $CE^{-1}(k_B, w) = k_i$

13 Protocol: generation of codewords – Phase 1
Initialization - Provider
– Generate and quantize over P-1 values: $p = (p_1, \dots, p_m)$ with $p_i = l_i / P$
– For each index i, create a list of P objects:
  list $C_i$: $c_{1,i} = E(k_{1,i}, m_{1,i})$, …, $c_{P,i} = E(k_{P,i}, m_{P,i})$
– There are only 2 versions of the message
  – For $l_i$ objects: $m_{k,i} = 1 \,\|\, sk_{1,i} \,\|\, ref\_txt_{1,i}$
  – For $P - l_i$ objects: $m_{k,i} = 0 \,\|\, sk_{0,i} \,\|\, ref\_txt_{0,i}$
– Publish these m lists on a WORM (Write Once Read Many) repository

14 Protocol: generation of codewords – Phase 1
Code construction: User #j registers
Provider
– Randomly draw a permutation $\pi_j$ over [1, …, P]
– For each index i, create a list of P encrypted keys:
  list $D_{i,j}$: $d_1 = CE(k_A, \pi_j(1) \,\|\, k_{\pi_j(1),i})$, …, $d_P = CE(k_A, \pi_j(P) \,\|\, k_{\pi_j(P),i})$
– Send these m lists to user #j
User - Provider
– Run the OT protocol
Permutation $\pi_j$ prevents collusion at code generation
– “Don’t pick this item, I already know that it is a 0”
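The OT slide and the Phase 1 codeword generation above, as an added example that is not part of the original slides. It assumes modular exponentiation as the commutative encryption CE and a toy XOR cipher as E (the slides name neither); the modulus, the key packing, the simplified message layout and all function names are constructed for illustration.

```python
import hashlib, math, secrets

Q = 2**127 - 1      # toy prime modulus (assumption; far too small for real use)
KEY_BITS = 96       # object keys are packed as index || key, which stays below Q

def keygen():
    """Exponent key; must be invertible mod Q-1 so that CE^-1 exists."""
    while True:
        k = secrets.randbelow(Q - 3) + 2
        if math.gcd(k, Q - 1) == 1:
            return k

def CE(k, x):       # CE(kB, CE(kA, x)) == CE(kA, CE(kB, x))
    return pow(x, k, Q)

def CE_inv(k, x):
    return pow(x, pow(k, -1, Q - 1), Q)

def E(key, msg):    # toy XOR cipher (assumption); E is its own inverse
    pad = hashlib.sha256(key.to_bytes(16, "big")).digest()
    return bytes(a ^ b for a, b in zip(msg, pad))

def build_list_C(l_i, P):
    """Provider: list C_i, l_i objects carry symbol 1 and P - l_i carry 0."""
    keys = [secrets.randbits(KEY_BITS) | 1 for _ in range(P)]
    msgs = [bytes([1 if k < l_i else 0]) + b"|ref_txt" for k in range(P)]
    return keys, [E(k, m) for k, m in zip(keys, msgs)]

def build_list_D(keys, kA):
    """Provider: permuted list D_ij, each entry CE(kA, pi(k) || k_pi(k))."""
    pi = list(range(len(keys)))
    secrets.SystemRandom().shuffle(pi)
    return [CE(kA, (idx << KEY_BITS) | keys[idx]) for idx in pi]

def user_draw_symbol(C, D, provider_unblind):
    """User: pick one entry of D obliviously, then open that object in C."""
    kB = keygen()
    u = CE(kB, D[secrets.randbelow(len(D))])  # u = CE(kB, d): choice is blinded
    w = provider_unblind(u)                   # w = CE^-1(kA, u), done by provider
    x = CE_inv(kB, w)                         # pi(k) || key of the chosen object
    idx, key = x >> KEY_BITS, x & (2**KEY_BITS - 1)
    return E(key, C[idx])[0]                  # first byte is the code symbol

def draw_codeword(l, P):
    """One user's codeword for quantized biases p_i = l[i] / P."""
    kA, X = keygen(), []
    for l_i in l:
        keys, C = build_list_C(l_i, P)
        D = build_list_D(keys, kA)
        X.append(user_draw_symbol(C, D, lambda u: CE_inv(kA, u)))
    return X
```

The provider only ever sees the blinded value u, so it learns neither which object was opened nor the resulting symbol, while the user draws a 1 with probability l_i / P without learning p_i.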

Protocol: generation of codewords – Phase 1
[Diagram: Provider; $p = (p_1 = 0.8, p_2 = 0.5, \dots, p_m = 0.1)$; WORM with list $C_1$, list $C_2$, …, list $C_m$; User #j; $X_j = (0, 0, \dots, 1)$; $sk_{0,1}, sk_{0,2}, \dots, sk_{1,m}$]

16 Protocol: generation of codewords – Phase 2

Protocol: generation of codewords – Phase 1
[Diagram: Provider; $p = (p_1, \dots, p_m)$; $X_j = (?, 0, ?, \dots, 1)$; WORM with list $C_1$, list $C_2$, …, list $C_m$; User #j; $X_j = (0, 0, \dots, 1)$; $sk_{0,1}, sk_{0,2}, \dots, sk_{1,m}$]

18 Accusation
The scouting agency finds a pirated copy.
The Technology Provider extracts sequence Y
The Provider
– Computes scores restricted to halfwords
– Sends a list of suspects with halfwords, secret p and Y
The Judge
– Verifies computation
– Asks Provider for the keys to decrypt C lists in the WORM (p)
– Asks suspected users for the keys to decrypt the OT ($X_j$)
– Computes scores over the non-halfword codeword
– Compares to threshold T

19 Conclusion
First asymmetric protocol specific to Tardos fingerprinting code.
Generation of code without CA … but with a WORM
Code length
– $m_h = O[c^2 \log(n / P_{fs})]$, where $P_{fs}$ = Prob of wrong suspicion
– $m = O[c^2 \log(n / (P_{fs} \cdot P_{fa})^{1/2})]$
– If $P_{fs} = P_{fa}$, the length is doubled
List sizes: P > c, we recommend P = 100
Misc.:
– Discussion about security, efficiency and OT implementations
– Application to Buyer-Seller with homomorphic encryption watermarking

20 Fingerprinting in the industry
The DNA approach
Watermarking each block in super high quality
[Diagram: Content Provider, Technology Provider]

21 Threats on Tardos code
[Diagram: Provider; $X_j$; User #j]