An Asymmetric Fingerprinting Scheme based on Tardos Codes

Post on 24-Feb-2016

DESCRIPTION

An Asymmetric Fingerprinting Scheme based on Tardos Codes. Ana Charpentier INRIA Rennes Caroline Fontaine CNRS Télécom Bretagne Teddy Furon INRIA Rennes Ingemar Cox University College London. The story of this paper. IEEE WIFS’2010, London. - PowerPoint PPT Presentation

TRANSCRIPT

An Asymmetric Fingerprinting Scheme based on Tardos Codes

Ana Charpentier INRIA Rennes

Caroline Fontaine CNRS Télécom Bretagne

Teddy Furon INRIA Rennes

Ingemar Cox University College London

The story of this paper

IEEE WIFS’2010, London.

During the tutorial on Tardos Code, Ingemar asked

“You always assume that the Provider is trusted. Why?”

My Answers:

“i) !?!, …Hmm…

ii) Tardos code is not meant for asymmetric fingerprinting

iii) asymmetric fingerprinting is not practical ”

Introduction

TRADITIONAL ‘symmetric’ fingerprinting
• Huge improvements thanks to G. Tardos
• The length of codewords has been drastically reduced
• Industrial deployments are on their way

Requirements
• n: number of users
• c: size of the collusion
• P_fa: probability of accusing innocent users
• m: code length

m = O( c^2 log( n / P_fa ) )

[Figure: Provider and User, with a binary fingerprint sequence]

Introduction II

ASYMMETRIC fingerprinting
• Different trust model:
  – Content Provider is untrustworthy
  – May want to frame an innocent user
• Dates back to 1996 [Pfitzmann&Schunter]
• 4 actors: User, Provider, Certification Authority, and the Judge
• 4 steps: Key generation, Fingerprinting, Identification and Dispute

[Figure: Provider, User, Judge and CA, with the fingerprinted copy and the pirated copy]

Tardos code construction

Initialization: generate secret bias vector p
• p = (p_1, …, p_m), 0 < p_i < 1, p_i ~ f(p) i.i.d.

Code: generate n x m binary matrix X
• Each row is a codeword X_j = (X_j1, …, X_jm)
• s.t. Prob[ X_ji = 1 ] = p_i

p     p_1 = 0.8   p_2 = 0.5   p_3 = 0.7   …   p_m = 0.1
X_1   1           0           1           …   0
X_2   1           1           0           …   1
X_3   0           0           1           …   0
X_n   1           1           1           …   0

Tardos code accusation

When a pirated copy is found…
• Extract binary sequence Y = (Y_1, …, Y_m)
• Y is a mixture of the colluders’ codewords

Accusation (single decoder)
• Compute a score per user S_j = G(Y, X_j, p)
• Accuse
  – users whose scores are above threshold T
  – user with maximum score if above threshold T
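
The code construction and the single-decoder accusation from the two slides above, as an added Python example (not taken from the slides or the paper). The slides leave f and G unspecified; this example assumes Tardos's arcsine density with cutoff t for f, the symmetric score function for G, a majority-vote collusion, and a threshold of six standard deviations of an innocent user's score.

```python
import math
import random

def gen_bias(m, rng, t=0.01):
    # Assumed f: Tardos's arcsine density restricted to [t, 1-t].
    lo = math.asin(math.sqrt(t))
    return [math.sin(rng.uniform(lo, math.pi / 2 - lo)) ** 2 for _ in range(m)]

def gen_code(n, p, rng):
    # n x m binary matrix X with Prob[X_ji = 1] = p_i.
    return [[int(rng.random() < pi) for pi in p] for _ in range(n)]

def majority_mix(X, colluders):
    # Constructed collusion: Y_i is the majority bit among the colluders,
    # so Y is a mixture of the colluders' codewords.
    k = len(colluders)
    return [int(2 * sum(X[j][i] for j in colluders) > k)
            for i in range(len(X[0]))]

def score(y, x, p):
    # Assumed G: symmetric Tardos score. For an innocent user each
    # position contributes mean 0 and variance 1.
    s = 0.0
    for yi, xi, pi in zip(y, x, p):
        g = math.sqrt((1 - pi) / pi) if xi else math.sqrt(pi / (1 - pi))
        s += g if xi == yi else -g
    return s

def accuse(X, y, p, T):
    # Accuse every user whose score is above threshold T.
    return [j for j, x in enumerate(X) if score(y, x, p) > T]

def demo(n=50, m=4000, colluders=(3, 17, 42), seed=1):
    rng = random.Random(seed)
    p = gen_bias(m, rng)
    X = gen_code(n, p, rng)
    y = majority_mix(X, colluders)
    T = 6 * math.sqrt(m)  # six standard deviations of an innocent score
    return accuse(X, y, p, T)

if __name__ == "__main__":
    print(demo())
```

The score of every user depends on p, which is why the later slides require that the Provider cannot change p between code generation and score computation.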

Threats on Tardos code I

[Figure: Provider (generate p, generate X, watermark and distribute), User #j, P2P]

Threats on Tardos code II

[Figure: Content Provider (generate p, generate X), Trusted Tech. Provider (watermark, distribute), User #j, Users #a1, #a2, …, #aK, Collusion, X_j]

K=3 accomplices frame innocent User #j

Threats on Tardos code III

[Figure: Content Provider (generate p, generate X), Trusted Tech. Provider (decode watermark), pirated copy, Y]

How to frame innocent user #j during the score computation?
• Y and X_j are fixed
• The provider is the only one knowing p

It is possible to tweak p into p’ s.t.
• Score S_j = G(Y, X_j, p’) > T
• p’ looks as if it were drawn from f

Lessons learnt from the threats

• The Provider
  – Should not know the code X (or only a fraction)
  – Should not change secret p between code generation and score computation
• The User
  – Should know neither the secret p nor the fingerprint of any other user
  – Should have a codeword drawn from the distribution induced by p
  – Should not be able to modify his codeword

A protocol based on Oblivious Transfer

OT - 1:N “Pick a card, any card!”

[Figure: Alice and Bob; a deck of N cards]

OT based on commutative encryption

Commutative encryption
• CE(k_B, CE(k_A, m)) = CE(k_A, CE(k_B, m))

Oblivious transfer
• Alice: c_1 = E(k_1, m_1), c_2 = E(k_2, m_2), …, c_N = E(k_N, m_N)
• Alice: d_1 = CE(k_A, k_1), d_2 = CE(k_A, k_2), …, d_N = CE(k_A, k_N)
• Bob: u = CE(k_B, d_i)
• Alice: w = CE^-1(k_A, u)
• Bob: CE^-1(k_B, w) = k_i

Protocol: generation of codewords – Phase 1

Initialization - Provider
• Generate and quantize over P-1 values: p = (p_1, …, p_m) with p_i = l_i / P
• For all index i, create a list of P objects: list C_i: c_1,i = E(k_1,i, m_1,i), …, c_P,i = E(k_P,i, m_P,i)
• There are only 2 versions of the message
  – For l_i objects: m_k,i = 1 || sk_1,i || ref_txt_1,i
  – For P-l_i objects: m_k,i = 0 || sk_0,i || ref_txt_0,i
• Publish these m lists on a WORM (Write Once Read Many) repository

Protocol: generation of codewords – Phase 1

Code construction: User #j registers

Provider
• Randomly draw a permutation π_j over [1, …, P]
• For all index i, create a list of P encrypted keys: list D_i,j: d_1 = CE(k_A, π_j(1) || k_πj(1),i), …, d_P = CE(k_A, π_j(P) || k_πj(P),i)
• Send these m lists to user #j

User - Provider
• Run the OT protocol
• Permutation π_j prevents collusion at code generation
  – “Don’t pick this item, I already know that it is a 0”
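
The 1:N oblivious transfer built from commutative encryption, run over a Phase 1 style list for a single index i, as an added Python example (not taken from the slides or the paper). The slides do not name CE or E; this example assumes modular exponentiation over a toy 127-bit prime for CE and a SHA-256 XOR pad for E, and the message strings and the shuffle standing in for π_j are constructed for illustration.

```python
import hashlib
import math
import secrets

Q = 2**127 - 1  # toy prime modulus (assumption); far too small for real use

def keygen():
    # A CE key is an exponent invertible modulo Q-1, so CE can be undone.
    while True:
        k = secrets.randbelow(Q - 3) + 2
        if math.gcd(k, Q - 1) == 1:
            return k

def ce(k, x):
    # CE(k, x) = x^k mod Q; exponents multiply, so key order is irrelevant.
    return pow(x, k, Q)

def ce_inv(k, y):
    return pow(y, pow(k, -1, Q - 1), Q)

def e(k, msg):
    # Stand-in for E: XOR with SHA-256(k); applying it twice decrypts.
    pad = hashlib.sha256(k.to_bytes(16, "big")).digest()
    return bytes(a ^ b for a, b in zip(msg, pad))

def phase1_deck(l, P):
    # Constructed list for one index i: l objects carry bit 1, P-l carry
    # bit 0. The shuffle stands in for the permutation pi_j.
    deck = [b"1|sk1|ref_txt1"] * l + [b"0|sk0|ref_txt0"] * (P - l)
    secrets.SystemRandom().shuffle(deck)
    return deck

def run_ot(messages, choice):
    kA, kB = keygen(), keygen()
    keys = [secrets.randbelow(Q - 2) + 2 for _ in messages]
    c = [e(k, m) for k, m in zip(keys, messages)]  # Alice: c_i = E(k_i, m_i)
    d = [ce(kA, k) for k in keys]                  # Alice: d_i = CE(kA, k_i)
    u = ce(kB, d[choice])     # Bob blinds the d_i he picked
    w = ce_inv(kA, u)         # Alice removes her layer without learning i
    k_i = ce_inv(kB, w)       # Bob removes his layer and holds k_i
    return e(k_i, c[choice])  # Bob decrypts only the object he picked

if __name__ == "__main__":
    deck = phase1_deck(8, 10)  # p_i = l_i / P = 0.8
    print(run_ot(deck, secrets.randbelow(10)))
```

Because l of the P objects carry bit 1 and the user cannot tell them apart, a uniform pick yields a codeword bit equal to 1 with probability l / P = p_i.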

Protocol: generation of codewords – Phase 1

[Figure: the Provider, with p = (p_1 = 0.8, p_2 = 0.5, …, p_m = 0.1); the WORM holding list C_1, list C_2, …, list C_m; User #j, with X_j = (0, 0, …, 1) and sk_0,1, sk_0,2, …, sk_1,m]

Protocol: generation of codewords – Phase 2

Provider needs a partial knowledge of the codewords
• Allow the identification of suspects
• Order User #j to reveal m_h < m bits of codewords
• So-called halfword [Pfitzmann&Schunter96]

X_j = (0, 0, 1, 0, 1, …, 0, 1)

Colluders
• Should not know the location of the halfword bits

Solution
• Yet another Oblivious Transfer OT – m_h : m
• Alice = User #j
• Bob = Provider
• Objects = keys used during Phase 1: k_B,i
• Provider gets m_h elements of the lists D_i,j chosen by #j (specific to User #j)

Protocol: generation of codewords – Phase 1

[Figure: the Provider, with p = (p_1, …, p_m) and X_j = (?, 0, ?, …, 1); the WORM holding list C_1, list C_2, …, list C_m; User #j, with X_j = (0, 0, …, 1) and sk_0,1, sk_0,2, …, sk_1,m]

Accusation

The scouting agency finds a pirated copy.

The Technology Provider extracts sequence Y

The Provider
• Computes scores restricted to halfwords
• Sends a list of suspects with halfwords, secret p and Y

The Judge
• Verifies computation
• Asks Provider for the keys to decrypt C lists in the WORM → p
• Asks suspected users for the keys to decrypt the OT → X_j
• Computes scores over the non-halfword codeword
• Compares to threshold T

Conclusion

• First asymmetric protocol specific to Tardos fingerprinting code
• Generation of code without CA … but with a WORM
• Code length
  – m_h = O( c^2 log( n / P_fs ) ), P_fs = Prob of wrong suspicion
  – m = O( c^2 log( n / (P_fs · P_fa)^(1/2) ) )
  – If P_fs = P_fa, the length is doubled
• List sizes: P > c, we recommend P = 100
• Misc.:
  – Discussion about security, efficiency and OT implementations
  – Application to Buyer-Seller with homomorphic encryption watermarking

Fingerprinting in the industry

The DNA approach

Watermarking each block in super high quality

[Figure: Content Provider and Technology Provider; rows of blocks marked 0 and 1]

Threats on Tardos code

[Figure: Provider, rows of blocks marked 0 and 1, X_j, User #j]