Anonymous Fingerprinting Paper by: Birgit Pfitzmann, and Michael Waidner Presentation by: James Campbell

Fingerprinting? Fingerprinting Schemes: Cryptologic means by which sellers of digital data can find traitors Traitors? –Buyers who illegally redistribute copyrighted digital data … similar to pirates …

Fingerprinting Schemes Fingerprinting –Symmetric –Asymmetric Traitor Tracing –Symmetric –Asymmetric

Symmetric Fingerprinting Each buyer gets a slightly different version When an illegal redistribution is found, vender checks who bought that particular variant Problems: –Collusion –Proving Guilt

Collusion What if multiple traitors get together and compare their copies to find the variation? Collusion Tolerance: The ability of a scheme to avoid being compromised by conspiring traitors

Proving Guilt With Symmetric Fingerprinting The merchant cannot find anything in the redistributed copy that he could not have created by himself Other schemes we will see handle this problem

Asymmetric Fingerprinting Buyer inputs his own secret Merchant does not see the fingerprinted copy that the buyer receives If the copy is found, the merchant can extract the information Can prove guilt, since the merchant could not have produced the buyer’s secret

Traitor Tracing Analog to fingerprinting for cryptologic keys Introduced for broadcast encryption Used in cases where only the key to decrypt the information is sold –Each key is different, but all can decrypt the data Asymmetric forms exist which prove guilt

Trials 3-Party Trials: The accused buyer is needed for the merchant to prove guilt to an arbiter 2-Party Trials: The merchant can prove a traitor’s guilt to an arbiter without the traitor

Benefits of 2-Party Trials The traitor does not need to be found for their guilt to be proven –Unimportant … would need to be found anyway Traitor’s Memory – No worry of potential traitor forgetting password or dieing Traitor’s Secret – No worry of potential traitor divulging secrets possibly used elsewhere

Marketplace Anonymity Electronic marketplaces try to offer the same privacy (if not more) than real marketplaces –Anonymous networks, money, and exchanges exist All previous fingerprinting schemes destroys this privacy, since the buyer must somehow identify themselves

Anonymous Fingerprinting Each buyer must have a key pair for a digital signature scheme Each buyer must register for the fingerprinting scheme with their digital identity Registration is done at “Registration Centers” –Most likely the buyer’s bank Note: The registration center does not need to be trusted, worst they can do is deny registration

Anonymous Fingerprinting Four types of parties involved: –Merchants –Buyers –Registration Centers –Arbiters Arbiters should be able to be anyone Registration Centers should not have to be trusted

Anonymous Fingerprinting 7 Protocols makeup the anonymous fingerprinting scheme: –Registration Center Key Distribution –Registration –Data Initialization –Fingerprinting –Identification –Enforced Identification –Trial Can output failed at any point

Registration Center Key Distribution Registration center creates key pair (part of a signature scheme) Public key distributed to all –Merchants –Arbiters –Buyers that are or may register at that center

Registration Registers the buyer with the registration center Inputs: –Buyer  Buyer’s digital identity –Center  Registration Center’s public key  Maximum number of purchases  Registration Center’s secret key Outputs: –Buyer  Registration record –Center  Registration record

Data Initialization Merchant prepares each data item for sale Inputs: –Merchant  The data item to be sold  Maximum number of copies to sell Output: –Merchant  Merchant’s initial data record

Fingerprinting Merchant and buyer fingerprint the data Inputs: –Merchant  Data item Initial data record from buyer’s Registration Center –Buyer  Registration record –Both  Text describing the purchase Outputs: –Merchant  Purchase record –Buyer  Fingerprinted data Purchase record Secretly

Identification Merchant obtains who the original buyer is (may involve registration center) Inputs: –Merchant  A redistributed copy of some data item  An original copy of the same data item  All purchase records for that data item –Center  registration records Outputs: –Merchant  Identity of original buyer The description of the sale The string: Proof

Enforced Identification If the registration center is needed, but does not cooperate, then an arbiter is brought in Outputs: –Merchant  (same as in identification) –Arbiter  either center_guilt or ok Center_guilt indicates that the arbiter noticed the center has been misbehaving

Trial Tests if the accused buyer is at guilt involves: Merchant and Arbiter, or All Inputs: –Merchant  Identity of accused buyer Description of sale The string Proof –Center  Buyer’s registration record –Buyer  Current registration record Outputs: –Arbiter  guilty or not_guilty possibly center_guilty

Effectiveness Properties Correct Case: –If involved parties are honest: Registration and Data Initialization should not fail –If buyer, merchant and center are honest: Fingerprinting should succeed –Fingerprinted data should look sufficiently like original No Jamming by Registration Center: –The center cannot register a buyer such that later a transaction with a merchant will fail

Integrity Security for the Merchant: –If a traitor buys up to coll_size different copies of the same data item, and produces a similar copy: The merchant will still be able to identify the traitor –May get center_guilt if the center is cheating –Weaker version: only holds if the buyer’s registration center is honest

Integrity Protecting the merchant from making wrong accusations: –It should be infeasible for any number of traitors to create a copy of the data such that identification succeeds but trial fails Security for the Buyer: –No honest buyer should be able to be found guilty –Note: no weaker version should exist of this Security for Registration Centers: –Honest registration centers should never be deemed guilty by an honest arbiter

Anonymity Nobody should be able to know anything about the buyer’s behavior (without the center’s help) Implies that a merchant cannot unjustly accuse a person to determine if they were a buyer Assumes that the underlying communication channels are anonymous (ex. Using a mixnet)

Fingerprinting Issues Buyer must embed some information into the data: call it: emb The merchant must be able to validate emb The merchant must be able to extract emb (assumed to exist for the following) –In non-anonymous schemes, emb must be derived using information or interaction from the buyer

More Detail - Registration Buyer selects a “pseudonym” Buyer signs responsibility using normal identity Registration center gives buyer a certificate: Thus the registration center can link the buyer to the pseudonym

More Detail - Fingerprinting Buyer computes where text is the description of the sale Thus The buyer then hides emb in a commitment which is sent to the merchant Buyer uses zero-knowledge to prove the validity of the hidden signature

More Detail - Fingerprinting Alternate method: Rather than embedding emb as is … Buyer encrypts emb and commits the key, which is embedded, and the merchant holds onto emb

More Detail - Identification Merchant extracts emb and sends to the buyer’s registration center to get the buyer’s identity If the center refuses, the merchant shows proof 1 and cert B to the arbiter to show that the center knows the identity of the traitor In enforced Identification, either the center discloses the identity or is found guilty

More Detail - Identification In the alternate version: The merchant tries to decrypt all of the ciphertexts from the purchase records Rest follows as before

More Detail - Trial The arbiter checks the signature to ensure that the accused buyer claims responsibility for the pseudonym Then checks that sig is a valid signature of text

Provability of Security Theorem 1: If all the underlying primitives are secure, the construction framework yields a provably secure anonymous fingerprinting protocol. Paper claims the proof is straightforward …

Marking Schemes Way of hiding data within data, assumed to be used in fingerprinting schemes Individual bits are hidden in data items at random Each data item has two versions In initialization, the merchant selects l marks probabilistically and can then encode l bits Traitors can only find marks by comparing their copies

Marking Schemes If coll_size traitors produce a new redistribution, then at least l /coll_size marks will correspond to one of the traitor’s copies Error correction schemes can be used to fill in for any deleted marks

Symmetric Schemes Almost no collusion tolerance If there is no collusion, then can assume the traitor’s codeword still exists intact Thus the codeword can simply be extracted

Symmetric Collusion-Tolerant Schemes Merchant compares all possible codewords to the redistribution and looks for at least l /coll_size symbols in common Impractical to use for large quantities of data since the list of possible codewords would be rather large

Asymmetric Schemes with 3-Party Trials Merchant cannot know entire codewords, so only knows half of each Merchant searches a list of partial codewords to find whom to accuse, who shows his part to the arbiter Arbiter looks for sufficient common symbols Cannot be used for anonymous scheme since merchant does not know whom to accuse

Asymmetric Collusion-Tolerant Fingerprinting with 2-Party Trials Encoding Idea: –Use a concatenated code with Outer code words of length l over {1, …, q} Inner code is a fixed binary code  of length d(q-1) –L,d,q parameters – must have a decoding procedure where each symbol in an altered redistribution must be a symbol from one colluding traitor (with high probability) –Probability of this not being the case is if

Embedding / Extracting Data Data Initialization: –Merchant chooses marks for the data items in the marking scheme –For each of the l positions of the outer code, the merchant randomly chooses a substitution which is a permutation of the alphabet {1, …, q}

Embedding / Extracting Data Embedding: –Merchant picks k 1 random bits for each symbol in the outer code –ebm is encoded with EECC into l halfsymbols of k 2 bits each –Halfsymbols are combined and encoded –Thus giving an outer word of –Each symbol is then encoded with the inner code

Embedding / Extracting Data Extracting: –Each symbol of the outer code is identified by undoing the inner code, giving –Each symbol is decrypted using and is separated into halves of length k 1 and k 2 –Merchant then looks through purchase records for which has at least symbols in common with –Then tries to extract

The End Questions?