Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 An Asymmetric Fingerprinting Scheme based on Tardos Codes Ana Charpentier INRIA Rennes Caroline Fontaine CNRS Télécom Bretagne Teddy Furon INRIA Rennes.

Published byBrendon Host Modified over 9 years ago

Similar presentations

Presentation on theme: "1 An Asymmetric Fingerprinting Scheme based on Tardos Codes Ana Charpentier INRIA Rennes Caroline Fontaine CNRS Télécom Bretagne Teddy Furon INRIA Rennes."— Presentation transcript:

1 1 An Asymmetric Fingerprinting Scheme based on Tardos Codes Ana Charpentier INRIA Rennes Caroline Fontaine CNRS Télécom Bretagne Teddy Furon INRIA Rennes Ingemar Cox University College London

2 2 The story of this paper IEEE WIFS’2010, London. During the tutorial on Tardos Code, Ingemar asked “You always assume that the Provider is trusted. Why?” My Answers: “i) !?!, …Hmm… ii) Tardos code is not meant for asymmetric fingerprinting iii) asymmetric fingerprinting is not practical ”

3 Introduction TRADITIONAL ‘symmetric’ fingerprinting Huge improvements thanks to G. Tardos The length of codewords has been drastically reduced Industrial deployments are on their ways Requirements n number of users c size of the collusion P fa probability of accusing innocent users m code length m = O [ c 2. log( n / P fa ) ] Provider User € … 0 0 0 0 0 0 1 1 1 1

4 4 Introduction II ASYMMETRIC fingerprinting Different Trust Model: –Content Provider is untrustworthy –May want to frame an innocent user. Dates back to 1996 [Pfitzmann&Schunter] 4 actors: User, Provider, Certification Authority, and the Judge 4 steps: Key generation, Fingerprinting, Identification and Dispute. Provider User Judge CA pirated copy pirated copy fingerprinted copy fingerprinted copy

5 Tardos code construction Initialization: generate secret bias vector p p = (p 1, …,p m )0 < p i < 1 p i ~ f (p) i.i.d. Code: generate n x m binary matrix X Each row is a codeword X j = ( X j1, …, X jm ) s.t. Prob [ X ji = 1 ] = p i pp 1 = 0.8p 2 = 0.5p 3 = 0.7…p m = 0.1 X1X1 101…0 X2X2 110…1 X3X3 001…0 … XnXn 111…0

6 6 Tardos code accusation When a pirated copy is found… Extract binary sequence Y = (Y 1,…, Y m ) Y is a mixture of the colluders’ codewords Accusation (Single decoder) Compute a score per userS j = G (Y, X j, p) Accuse –users whose scores are above threshold T –user with maximum score if above threshold T

7 7 Threats on Tardos code I Provider User #j … 0 0 0 0 0 0 1 1 1 1 Generate p Generate X Watermark and distribute P2P … 0 0 0 0 0 0 1 1 1 1

8 8 Threats on Tardos code II Content Provider Content Provider User #j … 0 0 0 0 0 0 1 1 1 1 Generate p Generate X Trusted Tech. Provider Trusted Tech. Provider Watermark Distribute User #a 1 User #a 2 User #a K … 0 0 0 0 0 0 1 1 1 1 … 0 0 0 0 0 0 1 1 1 1 … 0 0 0 0 0 0 1 1 1 1... Collusion XjXj K=3 accomplices frame innocent User #j

9 9 Threats on Tardos code III Content Provider Content Provider … 0 0 0 0 0 0 1 1 1 1 Generate p Generate X Trusted Tech. Provider Trusted Tech. Provider Decode Watermark pirated copy pirated copy Y How to frame innocent user #j during the score computation? Y and X j are fixed The provider is the only one knowing p It is possible to tweak p into p’ s.t. Score S j = G (Y, X j, p’ ) > T p’ looks like drawn from f

10 10 Lessons learnt from the threats The provider Should not know the code X (or only a fraction) Should not change secret p between code generation and score computation The User Should know neither the secret p nor the fingerprint of any other user Should have a codeword drawn from the distribution induced by p Should not be able to modify his codeword

11 11 A protocol based on Oblivious Transfer OT - 1:N “Pick a card, any card!” Alice Bob A deck of N cards

12 12 OT based on commutative encryption Commutative encryption CE( k B, CE( k A, m)) = CE( k A, CE( k B, m)) Alice Bob u = CE( k B, d i )w = CE -1 ( k A, u) CE -1 ( k B, w)= k i c 1 = E( k 1, m 1 )c 2 = E( k 2, m 2 )c N = E( k N, m N )… d 1 = CE( k A, k 1 )d 2 = CE( k A, k 2 )d N = CE( k A, k N )… Oblivious transfer

13 13 Protocol: generation of codewords – Phase 1 Initialization - Provider Generate and quantize over P-1 values: p = (p 1, …,p m ) with p i = l i / P For all index i, create a list of P objects: list C i : c 1,i = E( k 1,i, m 1,i ), …, c 1,P = E( k 1,P, m 1,P ) There are only 2 versions of the message –For l i objects: m k,i = 1 || sk 1,i || ref_txt 1,i –For P-l i objects: m k,i = 0 || sk 0,i || ref_txt 0,i Publish these m lists on a WORM (Write Once Read Many) repository

14 14 Protocol: generation of codewords – Phase 1 Code construction: User #j registers Provider Randomly draw a permutation π j over [1, …, P] For all index i, create a list of P encrypted keys list D i,j : d 1 = CE( k A, π j (1) || k πj (1),i ), …, d P = CE( k A, π j (P) || k πj (P),i ) Send these m lists to user #j User - Provider Run the OT protocol Permutation π j prevents collusion at code generation –“Don’t pick this item, I already know that it is a 0”

15 Protocol: generation of codewords – Phase 1 Provider User #j list C 1 list C 2 … list C m X j = (0, 0, …,1) sk 0,1, sk 0,2, …, sk 1,m … … 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 WORM p = (p 1 =0.8, p 2 =0.5,…,p m =0.1)

16 16 Protocol: generation of codewords – Phase 2

17 Protocol: generation of codewords – Phase 1 Provider User #j list C 1 list C 2 … list C m X j = (0, 0, …,1) sk 0,1, sk 0,2, …, sk 1,m … … 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 WORM p = (p 1, …,p m ) X j = (?, 0, ?,…,1)

18 18 Accusation The scouting agency finds a pirated copy. The Technology Provider extracts sequence Y The Provider Compute scores restricted to halfwords Send a list of suspects with halfwords, secret p and Y The judge Verifies computation Ask Provider for the keys to decrypt C lists in the WORM p Ask suspected users for the keys to decrypt the OT X j Compute scores over the non-halfword codeword Compare to threshold T

19 19 Conclusion First asymmetric protocol specific to Tardos fingerprinting code. Generation of code without CA … but with a WORM Code length m h = O[ c 2 log (n/ P fs ) ]P fs = Prob of wrong suspicion m = O[ c 2 log ( n / (P fs. P fa ) 1/2 ) ] If P fs = P fa, the length is doubled List sizes: P > c, we recommend P = 100 Misc.: Discussion about security, efficiency and OT implementations Application to Buyer-Seller with homomorphic encryption watermarking

20 20 Fingerprinting in the industry The DNA approach Watermarking each block in super high quality … Content Provider Technology Provider … … 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1

21 21 Threats on Tardos code Provider … 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 XjXj User #j … 0 0 0 0 0 0 1 1 1 1

Download ppt "1 An Asymmetric Fingerprinting Scheme based on Tardos Codes Ana Charpentier INRIA Rennes Caroline Fontaine CNRS Télécom Bretagne Teddy Furon INRIA Rennes."

Similar presentations

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
1 Cryptography: on the Hope for Privacy in a Digital World Omer Reingold VVeizmann and Harvard CRCS.

1 Cryptography: on the Hope for Privacy in a Digital World Omer Reingold VVeizmann and Harvard CRCS.
1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.

1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.
1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.

1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
Addition Facts 1 - 20.

Addition Facts
Cryptography encryption authentication digital signatures

Cryptography encryption authentication digital signatures
RSA.

RSA.
1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
1 Pretty Good Privacy (PGP) Security for Electronic Email.

1 Pretty Good Privacy (PGP) Security for Electronic .
Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.
Public Key Cryptosystem

Public Key Cryptosystem
Slide 1 Introduction to Quantum Cryptography Nick Papanikolaou

Slide 1 Introduction to Quantum Cryptography Nick Papanikolaou
Trusted Data Sharing over Untrusted Cloud Storage Provider Gansen Zhao, Chunming Rong, Jin Li, Feng Zhang, and Yong Tang Cloud Computing Technology and.

Trusted Data Sharing over Untrusted Cloud Storage Provider Gansen Zhao, Chunming Rong, Jin Li, Feng Zhang, and Yong Tang Cloud Computing Technology and.
Block Cipher Modes of Operation and Stream Ciphers

Block Cipher Modes of Operation and Stream Ciphers
The Racing Game of Knowledge Continue Questions – push on trees 1 2 3 4 5.

The Racing Game of Knowledge Continue Questions – push on trees
Capacity-Approaching Codes for Reversible Data Hiding Weiming Zhang, Biao Chen, and Nenghai Yu Department of Electrical Engineering & Information Science.

Capacity-Approaching Codes for Reversible Data Hiding Weiming Zhang, Biao Chen, and Nenghai Yu Department of Electrical Engineering & Information Science.

Similar presentations

Ads by Google