Threshold Traitor Tracing

Moni Naor and Benny Pinkas

Dept of Applied Mathematics and Science

Weizmann Institute of Science

Rehovot Israel

Abstract This work presents threshold tracing schemes Tracing schemes

trace the source of keys which are used in pirate deco ders for sensitive or

proprietary data such as payTV programs Previous tracing schemes

were designed to op erate against any deco der which decrypts with a non

negligible success probability We introduce threshold tracing schemes

which are only designed to trace the source of keys of deco ders which

decrypt with probability greater than some threshold q which is a pa

rameter These schemes present a dramatic reduction in the overhead

compared to the previous constructions of tracing schemes

We argue that in many applicati ons it is only required to protect against

pirate deco ders which have a decryption probability very close to for

example TV deco ders In such application s it is therefore very favorable

to use threshold tracing schemes

Introduction

We present very ecient tracing systems systems which allow data providers

to identify sources of leakage of their keys to illegitimate receivers Consider

for example a payTV provider which nds out that someone is selling pirate

deco ders which enable the deco ding of transmissions without paying the required

fees A tracing system enables the provider to identify which legitimate receivers

assisted in constructing the pirate deco ders

Tracing systems were rst presented by Chor Fiat and Naor They used

the following security requirement which in our view is to o stern for many

applications they required fullresiliency ie that the schemes should trace the

source of any deco der which deco des with a nonnegligible probability We claim

that for many very relevant applications a deco der with a success probability

which is nonnegligible but is not very close to is useless Assume for example

that a TV program is divided into one minute segments which are separately

encrypted A deco der which decrypts with probability is exp ected to fail in

the deco ding of one out of ten minutes Very few customers will b e willing to

pay for such a deco der

?

Research supp orted by BSF Grant Email naorwisdomweizmannacil

??

Supp orted by an Eshkol Fellowship from the Israeli Ministry of Science Email b ennypwisdomweizmannacil

We present threshold tracing schemes which dep end on a parameter q They

trace the source of keys of any deco der which deco des with success probability

not smaller than q but there is no guarantee for their success against deco ders

with success probability smaller than q The eciency of our threshold tracing

schemes is sup erior to that of the tracing schemes of see Section for a

numerical comparison for constructions of typical size We therefore claim that

applications which do not require fully resilient tracing should use threshold

tracing schemes

In order to use threshold tracing schemes the communicated content should

b e divided into blo cks which are indep endently encrypted A legitimate deco der

contains keys which enable it to decrypt every blo ck These keys identify that

deco der If a pirate deco der contains enough keys taken from the legitimate

deco ders of traitors to enable it to decrypt more than a q fraction of the blo cks

these keys are sucient to identify at least one of the traitors It is assumed that

a pirate deco der which decrypts less than a q fraction of the blo cks is not useful

and therefore it is not imp ortant to trace the source of its keys

In general it is always useful to recognize what is a success of the adversary

and design schemes which prevent such a success This pro cess may lead to very

ecient constructions with an overhead that is prop ortional to the severity of

the attack to which they are immune this is the case with the threshold

tracing schemes we present whose overhead is an inverse function of q Such

constructions can also serve to price the security by presenting the overhead

incurred by requiring a certain amount of security

Let us rst consider the scenario in which the schemes op erate A data

provider is distributing some content to legitimate receivers eg paying sub

scrib ers The content is typically distributed encrypted and each legitimate

receiver has a decryption key A traitor is a legitimate receiver who attempts

to enable unauthorized users to access the content A traitor can distribute a

copy of the cleartext of the content to other illegitimate receivers We do not

attempt to protect against such pirate distribution but claim that in many cases

the economy of scale makes such a distribution nonprotable or to o dangerous

Typical cases where this is true include

Payperview or subscription television broadcasts It is an exp ensive and a

risky business to start a pirate broadcast station A similar application is

the distribution of content over the using push technology

Online services or databases publicly accessible say on the Internet where

a charge may b e levied for access to all or certain records The pirate must

copy the entire information provided by the online service and maintain an

up dated copy This pro cess is nonecient and can b e easily detected

As piracy in these cases is a criminal commercial enterprise the riskb enet ratio

in distributing illegal copies of the content b ecomes unattractive A pirate can

sell illegal access to the content by providing its customers with much shorter data the decryption keys We therefore concentrate in this pap er in preventing

traitors from distributing their decryption keys to other users We construct

kqthreshold tracing schemes If an illegitimate user uses a pirate deco der

which was built using the keys of at most k legitimate users who are therefore

traitors and if the decoder can decrypt with probability at least q then our

schemes will identify with high probability at least one traitor given the pirate

deco der it cannot b e promised that the schemes identify more traitors since it

is p ossible that all the keys used in constructing the pirate deco der were taken

from a single traitor

We note that in fact our schemes have the very desirable prop erty that the

identity of the traitor can b e established by considering the pirate decryption

pro cess as a black box It suces to capture one pirate deco der and its b ehavior

will identify the traitor there is no need to break it op en or read any data

stored inside

The schemes can b e based on any symmetric system The security

parameter is the length of the key of that system We measure the eciency

of the solutions in terms of several p erformance parameters The memory and

communication parameters are measured in multiples of the size of the security

parameter The eciency parameters are

a The memory and computation requirements for an authorized user These

parameters are of sp ecial imp ortance if the user has limited computation

and storage capabilities as is the case with smartcards

b The memory and computation requirements for the data supplier These

parameters are typically less imp ortant since the data supplier can p erform

its computations oline and can use large storage space

c The data redundancy overhead ie the increase in data size that is needed

in order to enable the tracing This refers to the communication overhead in

broadcast or online systems or the additional wasted storage in CDROM

type systems

Our Results

Consider a tracing scheme for n users which should b e secure with probability

p against coalitions of up to k users

In practice to day it is often considered sucient to prevent piracy by supplyin g the

authorized parties with socalled secure hardware solutions smartcards and their

like that are designed to prevent interference and access to enclosed cryptographic

keys The assumptions ab out the security of these hardware mechanisms are not

always correct There are several metho ds that use hardware faults in the secure

hardware solutions in order to nd the keys that are enclosed inside Our

schemes obtain their claimed security without any secure hardware requirements

Should such devices b e used to store the keys they will undoubtedly make the

attack even more exp ensive but this is not a requirement

We use the term pirate deco der to represent the pirate decryption pro cess this may or may not b e a physical b ox and may simply b e some co de on a computer

Our schemes compare very well to the the b est tracing scheme of see

also table That scheme required each user to store a p ersonal key of length

O logp lognp This was also the running time required from the user

The communication overhead was O k logp lognp We remark that the

O notation hides considerable co ecients

For a threshold q our onelevel scheme has p ersonal keys of length

k

lognp and a communication overhead of only k The user is required to

q

p erform only a single decryption op eration

The length of the p ersonal keys of the simplest twolevel threshold scheme

k

is O logk p lognp and its communication overhead is O k log

q logk p

A user should p erform very few decryption op erations We remark that in this

case the co ecients of the O notation are very mo derate Table contains

a comparison for a reasonable size system in which all the parameters and

co ecients are plugged in

From now on we describ e the exact complexity of the schemes we present

We do not use an O notation but rather present all the constant co ecients

Content Distribution Schemes

The schemes which are used to distribute the content from the data provider

to the legitimate receivers are of the following general form The data supplier

generates a metakey which contains a base set A of random keys and assigns

subsets of these keys to users m keys p er user the parameters will b e sp ecied

later These m keys jointly form the users personal key Dierent p ersonal keys

may have a nonempty intersection We denote the p ersonal key for user u by

P u which is a subset of the base set A

A message in a traitor tracing message consists of pairs of the form henabling

block cipher blocki The cipher blo ck is the symmetric encryption of the actual

data say part of a video clip under some secret random key s Alternately it

could b e the exclusiveor of the message with s and we would get an information

theoretic secure version of the scheme although a very inecient one since as

with any onetimepad the size of the key should b e as long as the encrypted

data The enabling blo ck allows authorized users to obtain s The enabling

blo ck consists of encrypted values under some or all of the keys of the base set

A Every authorized user will b e able to compute s by decrypting the values for

which he has keys and then computing the actual key from these values For all

the schemes we present the computation on the user end is simply taking the

exclusiveor of values that the user is able to decrypt

A very simple scheme is to give each user a dierent key Then the enabling

blo ck includes an encryption of s with each of the users keys However the length

of the enabling blo ck is then linear in the number of legitimate users and might

b e to o large for many applications

Traitors may conspire and give an unauthorized user or users a subset of

their keys so that the unauthorized user will also b e able to compute the key

s from the values he has b een able to decrypt The goal of the system designer

is to assign keys to the users such that when a pirate deco der is captured it

would b e p ossible to detect at least one traitor sub ject to the limitation that

the number of traitors is at most k We remark that the overhead of b oth the

schemes of and of our threshold schemes dep ends on the parameter k Since

the overhead of our schemes is a considerably smaller function of k it is p ossible

to set this parameter to a higher value and protect against larger coalitions

Eliminating Piracy

Traitor tracing schemes help in three asp ects of piracy prevention they deter

users from co op erating with pirates they identify the pirates and enable to take

legal actions against them and they can b e used to disable active pirate users

The usage of traitor tracing schemes discourages users from helping pirates

and esp ecially from submitting their keys to b e used in pirate deco ders In par

ticular if the pro cess of a user obtaining a p ersonal key requires some sort of

registration and physical identication then it should b e hard for pirates to ob

tain a large number of p ersonal keys Consequently the tracing traitor scheme

can identify the source of keys which are used in pirate deco ders and this mere

fact should deter users from helping pirates

When a pirate deco der is found and a source of its keys is identied legal

activities should b e taken against this source Indeed as was p ointed by Ptz

mann in a corrupt data provider that wishes to incriminate an honest user

might construct a dummy pirate deco der containing this users keys reveal

it and claim that the user is a pirate Similar misb ehavior is p ossible though

with many current types of services and yet there is little evidence that service

providers have p erformed such illegal activities

The broadcast encryption schemes of Fiat and Naor deal very eciently

with disabling active pirate users ie preventing them from further decryption

These schemes allow one to broadcast messages to any dynamic subset of the user

set and are sp ecically suitable for payperview TV applications The schemes

require a single short transmission to disable all pirate deco ders if they were

manufactured via a collab orative eort of no more than k traitors Another

broadcast encryption scheme was suggested by Wallner et al and is secure

against any number of corrupt users It has b etter p erformance than if the

number of deletions is small In particular p ersonal keys are of length O log n

and there is no data redundancy in regular op eration

A combination of a traitor tracing scheme and a broadcast encryption scheme

is a very p owerful to ol When a traitor is traced the dynamic subset of users au

thorized to receive the broadcast should b e changed by simply excluding the

traced traitor This pro cedure should b e rep eated until the pirate b ox is ren

dered useless In it is describ ed how to combine a tracing traitor scheme

and a broadcast encryption scheme in order to achieve this capability Both the

data redundancy overhead and the key length of the resulting scheme are the

multiplication of the corresp onding overheads for the tracing and broadcast en

cryption schemes but used with the scheme of this do es not increase the total overhead to o much

Related Work

The work of Chor Fiat and Naor has introduced the concept of traitor

tracing and presented several tracing schemes We survey their results in section

A more complete and formal treatment of the problem is presented in which

is the full version of and of our pap er

Boneh and Shaw have suggested a scheme for marking dierent copies of

an electronic do cument by inserting a dierent ngerprint into each copy The

ngerprint is comp osed of a sequence of marks with each mark having one of two

values therefore the ngerprint corresp onds to a binary string The scheme is

based on a marking assumption which states that a coalition of users who each

have a copy with the same value for a certain mark cannot generate a copy with

a dierent value for that mark The scheme has the prop erty that using up to k

copies it is imp ossible to generate a new copy whose ngerprint do es not reveal

at least one of the k copies that were used It oers b etter security in the sense

that it enables to trace the leaked content itself and not just the key which

enables its decryption It can also b e used as a tracing traitors scheme but it

is much less ecient than the schemes of the number of keys that each user

should have is k times greater than in the most ecient scheme of

Another solution for protection is through self enforcement schemes

which were suggested by Dwork Lotspiech and Naor In these schemes the

content is encrypted and each legitimate user receives a dierent decryption key

which includes some sensitive information related to the user eg his credit card

number Users will b e reluctant to hand their keys to others since the keys con

tain this sensitive information The self enforcement schemes suggested in

use the same type of security as was used in Namely the system is se

cure against coalitions of less than k corrupt users and the systems complexity

dep ends on k

Ptzmann has suggested a tracing traitors metho d which yields a pro of

for the liability of the traced traitors In this scheme the issuing of keys from

the center to the users is p erformed by an interactive proto col At the end of

the proto col the center is not able to construct a pirate deco der that frames

a user but if a real pirate deco der is found the center is able to trace the source

of the keys the deco der contains However as this construction uses a relatively

complex primitive general secure multi party proto cols which is rather inef

cient eg it op erates on the circuit which evaluates the function its overall

complexity is high

Denitions

A traitor tracing scheme consists of three comp onents

A user initialization scheme used by the data supplier to add new users The

s

data supplier has a metakey that denes a mapping P U f g

See for instance for a metho d for inserting marks into a do cument

where U is the set of p ossible users and s is the number of bits in the p ersonal

key of each user When user u U joins he receives his p ersonal key P u

i i

In all of our constructions P u consists of a subset of m decryption keys

i

out of a larger set A of keys

 

An encryption scheme E f g f g used by the data supplier to

 

encrypt messages and a decryption scheme D f g f g used by

every user to decrypt those messages Let the p ersonal key of user u b e

i



P u then for any message M f g we have M D E M In our

i

schemes the messages are encrypted blo ck by blo ck where every encrypted

blo ck contains an enabling blo ck and a cipher blo ck The decryption pro cess

consists of a preliminary decryption of encrypted keys in the enabling blo ck

a pro cess which combines the results to obtain a common key and nally a

decryption of the cipher blo ck

A traitor tracing algorithm used up on conscation of a pirate deco der to

determine the identity of a traitor We do not assume that the contents of

a pirate deco der can b e viewed by the traitor tracing algorithm but rather

that the tracing algorithm can access it as a black b ox and test how if at

all it decrypts an input ciphertext We do assume however that the pirate

deco der can b e reset to its original state ie that there is no selfdestruction

mechanism when it detects a traitor tracing algorithm

The encryption of plaintext blo cks in our schemes results in a message which

consists of an enabling block and a cipher block The cipher blo ck contains the

plaintext blo ck encrypted by some encryption algorithm using some random block

key s which is unique to this blo ck The enabling blo ck contains of

shares of the blo ck key such that every legitimate user can use his p ersonal

key to decrypt enough shares to reconstruct the blo ck key An adversary who

wants to decrypt the message can either break the encryption scheme that was

used in the cipher blo ck without using any information from the enabling blo ck

or try to learn some information from the enabling blo ck that might help in

the decryption pro cess In this pap er we assume that it is hard to break the

underlying encryption scheme so we are only interested in preventing attacks of

the latter kind

Assume that an adversary has the co op eration of a coalition of at most k

legitimate users and uses their keys to construct a deco der We would like to

trace at least one of the coalition members Intuitively a scheme is called ful ly

resilient if it is p ossible to trace with high certainty at least one of the traitors

that help ed build a deco der which do es not break the underlying encryption

algorithms More accurately a system is fully resilient if for every pirate deco der

which runs in time t it either holds that it is p ossible to trace at least one of the

traitors which help ed its construction or that the deco der can break one of the

underlying encryption algorithms in time t

Fully resilient tracing schemes were suggested and constructed in There

are many applications for which the pirate deco der must decrypt with probability

close to like the TV broadcast example we presented in Section In such

scenarios we can concentrate on tracing the source of keys which were used to

build deco ders which decrypt with probability greater than some threshold A

scheme is called a q threshold scheme if for every deco der which do es not break

the underlying encryption algorithms and decrypts with probability greater than

q it is p ossible to trace at least one of the traitors that help ed building it

An obvious and preliminary requirement from the tracing traitors schemes

is that they supply secure encryption That is an adversary which has no infor

mation on the keys that are used should not b e able to decrypt the encrypted

content Intuitively our security denitions claim that if an adversary who

might have some of the keys is able to decrypt and escap e from b eing traced

then the scheme is insecure as an encryption scheme even against an adversary

who has no keys

Following we present an exact denition of fullyresilient and threshold trac

ing schemes

Denition Let T b e a coalition of at most k users Let A b e an adversary

who has a subset F of the values of the keys of the users in T and who is able

0

to decrypt in time t and with probability greater than q the content sent in the

tracing traitors scheme

The security assumption is that one of the following two statements holds

Given F the data supplier is able to trace with probability at least p at

least one of the users in T

0

There exists an adversary A which uses A as a black b ox and whose input

is only an enabling blo ck and a cipher blo ck of the tracing traitors scheme

0

A can reveal the content that is encrypted in the cipher blo ck in time which

00

is linear in the length of its input and in t and with probability at least q

00

q is dened in the next paragraph

The probability is taken over the random choices of the data supplier and

when appropriate over the random choices of the adversary or of the tracing

algorithm

The scheme is called fully p k resilient if the security assumption holds for

0 00

q q If the scheme further achieves p then it is called fully k resilient

The scheme is called q threshold p k resilient if the security assumption

0 00

holds for q q q

Since we assume the underlying encryption algorithms to b e secure we can

00 0

assume that the probability q with which an adversary A which knows noth

ing but the ciphertext can break the encryption is negligible Therefore in a

fully resilient scheme the data supplier can trace at least one traitor if it nds a

pirate deco der adversary A which decrypts with nonnegligible probability In

a threshold scheme the data supplier is able to do so if it nds a deco der which

decrypts with probability greater than q by a nonnegligible dierence but to

simplify the exp osition we often take the freedom to refer to threshold schemes

as secure against any pirate deco der which decrypts with probability greater

than q

FullyResilient Tracing Schemes

The fullyresilient tracing schemes of are based on applying hash functions

combined with any private key cryptosystems and do not require any public key

op erations Our threshold schemes will b e based on the same op erations The

hash functions are used to assign decryption keys from a base set of decryption

keys to authorized users The assignment guarantees that any combination of

keys taken from the p ersonal keys of any coalition of traitors has the following

prop erty If this combination enables decryption then it is far from the p ersonal

key of any inno cent nontraitor user For more information on hash functions

and their applications see

There are two types of traceability schemes dened in Open schemes

assume that the mapping is public and the indexes of the keys which are mapp ed

to any user are publicly known the only secret information is the content of the

keys Secret schemes are dened to op erate in cases where the mapping of keys is

secret and it is unknown which keys are used by every user The constructions of

secret schemes can b e more ecient than those of op en schemes and are therefore

recommended to b e used in practice The reason for the gain in eciency is that

traitors do not know which keys the other users received Therefore even if the

set of keys of a coalition of traitors includes a large part of the keys of an inno cent

user the traitors do not know which keys these are and cannot construct a pirate

deco der which incriminates a sp ecic user Our threshold tracing schemes are

secret schemes

Secret fullyresilient schemes were constructed for n users and at most k

traitors Two types of secret schemes were presented in

Secret fully p k resilient onelevel schemes required the p ersonal key of each

k lognp decryption keys and the enabling blo ck to user to consist of m

include k lognp key encryptions Each user should p erform k lognp

decryptions in order to reveal the broadcasted secret

Secret fully p k resilient twolevel schemes required the p ersonal key of each

user to consist of m b lognp decryption keys and the enabling blo ck

ln ek b

to include ek b lognp key encryptions where b

blnek b

b lognp decryptions in order to logp Each user should p erform

reveal the broadcasted secret Twolevel schemes are more ecient than one

level schemes if k logp

Threshold Tracing Schemes

Threshold tracing schemes are designed to trace the source of keys of any pirate

deco der whose advantage in decrypting the content compared to an adversary

who do es not have any of the keys is at least q

The complexity of q threshold schemes dep ends on q These schemes are more

ecient for larger values of q They are secret schemes in the sense that the set

of keys that each user receives is unknown to other users The design concept

of these schemes is as follows either the pirate decoder holds enough keys to

enable the tracing of at least one traitor or it does not contain enough keys to

ensure a decryption probability greater than q The security of tracing schemes is

reduced to the assumption that the encryption scheme that is used is secure and

therefore any adversary who do es not have the decryption keys cannot decrypt

with a nonnegligible success probability

The b enet of using threshold tracing schemes is a dramatic reduction in

the data redundancy overhead and in the number of op erations needed for de

cryption whereas the length of the p ersonal key is almost as short as in secret

fully resilient schemes We also present a threshold scheme which improves over

fullyresilient schemes in all complexity parameters Next we dene onelevel

and twolevel threshold tracing schemes The data redundancy overhead and

the p ersonal key length are parameterized and there is a tradeo b etween them

It is p ossible to set the parameter to a value which obtains the b est tradeo

b etween the two complexity measures for instance the last entry of Table

demonstrates a reasonable such tradeo

A OneLevel Threshold Scheme

The scheme uses a threshold parameter q against k traitors and for a total of n

users each with a unique identity u f ng

Initialization A set of hash functions h h h are chosen indep endently

at random Each hash function h maps f ng into a set of k random keys

i

A fa a a g The hash functions are kept secret User u receives

i i i ik

up on initialization the indices and values of keys fh u h u h ug

The keys can b e imagined as organized in a matrix of size k where each

user receives a single key from each row

Distributing a secret Let s b e the secret to b e distributed Let q w

and t b e two parameters which will b e dened later the scheme would

divide the secret into t shares and ensure that a deco der which contain keys

from fraction of at least w of the rows would b e able to decrypt the secret with

probability greater than q

t

The data provider chooses random values fs g sub ject to the constraint

i

i

t

s s and chooses t random rows r r For every i i t

i t

i

the data provider encrypts s under each of the k keys in row A

i r

i

and is Decryption Each authorized user has one key from every row A

r

i

therefore always able to decrypt every s and compute s

i

Parameters The memory required p er user is m keys The amount of

work that each user should p erform in order to reveal a key is O t The data

redundancy overhead used in distributing the key is r k t

The parameter t should b e set so that for t random rows it holds with prob

ability q that a pirate deco der which contains keys from less than a fraction w

of the rows do es not have a key from at least one of the t rows and therefore a

deco der which do es not have keys from a fraction w of the rows cannot decrypt

with probability b etter than q First observe that w q since otherwise the

probability is less than q even for t The probability of the deco der having

logq

t

keys from all t rows is at most w and therefore setting t log q

w

logw

suces to make the probability of correct decryption at most q For example

it is p ossible to set w q and t The broadcast center would only have to

broadcast the secret s encrypted by the keys of a single row which it chooses

randomly The data redundancy overhead is then only O k

Tracing We are only concerned with deco ders which include keys from at

least w rows Using the metho ds of it is p ossible to reveal the set of keys

F that a pirate deco der uses while treating the deco der as a black b ox Assume

wlog that F contains one key from each of w rows Denote these rows as

The b o dy that p erforms the as f r r and denote the key in F A

r w r

i i

and can therefore identify and mark traitor tracing knows the functions h

r

i

for every i The user with the largest number of marks is f the users in h

r

i r

i

exp osed as the traitor

Analysis Since there were at most k traitors it is obvious that one of them

contributed w k keys to F Consider the probability that an inno cent user say

are random user contributed w k keys to F Since the hash functions h

r

i

is random and indep endent of the mapping of the and secret the mapping h

r

i

equals the key mapp ed to user is k The probability that f traitors by h

r r

i i

An immediate application of the Cherno b ound shows that the probability that

w k

at least w k of the keys of user are in F is at most Cho osing an

w k

such that n p ensures a traitor is revealed with probability at least

k

lognp p The data provider should therefore set

w

For any practical purp ose the parameter q can b e set to b e a constant How

ever onelevel schemes are used in the next subsection as building blo cks for

twolevel schemes and there q should b e a function of other parameters The

results regarding onelevel threshold schemes are summed up in the following

theorem We rst state the results for a parameterized w As w increases the key

length decreases and the data redundancy overhead increases Then we state the

results for w q

Theorem There is a q threshold p k resilient scheme with a parameter

k

lognp keys w taking values in q in which a personal key consists of

w

logq

and the data redundancy overhead is of k keys A user should perform

logw

logq

decryptions in order to reveal the broadcasted secret

logw

k

lognp keys and the data redun When w q a personal key consists of

q

dancy overhead is of only k keys A user should only perform a single decryption

in order to decrypt the broadcasted secret

The scheme we presented displays a tremendous improvement in the data redun

dancy overhead but the length of the p ersonal key is a little larger than in the

k k

lognp compared to lognp in the onelevel fully resilient scheme it is

q

It is p ossible to prove as is done in that if a deco der has keys from less rows and

can decrypt with probabili ty b etter than the threshold then it can b e used to break the underlying encryption scheme

onelevel fully resilient scheme The next subsection presents twolevel thresh

old schemes which balance the two complexity parameters through a tradeo

b etween the key length and the data redundancy overhead

TwoLevel Threshold Schemes

Twolevel threshold schemes are constructed from onelevel threshold schemes

by using many onelevel schemes and applying a hash function to map users to

schemes We rst present a basic construction which displays a tradeo b etween

the p ersonal key lengths and the data redundancy overhead and which can

obtain shorter key length than the onelevel threshold scheme Then we change

the parameters of the construction to obtain schemes with an even shorter key

length in the price of increasing the data redundancy a little These schemes

p erform b etter than fullyresilient schemes in b oth the p ersonal key length and

the data redundancy overhead

The basic construction The construction uses a random mapping h from the

domain f ng to a range of size ek b It is required that for any xed set

of k traitors the probability that b or more traitors are mapp ed together by h is

less than p ie

b b b

b k ek b ek p

b

b ek b ek b

ek

satises the inequality Once such a mapping is Setting b log

p logp

chosen we continue by constructing threshold onelevel schemes for each set of

preimages h i for i ek b In the initialization phase each user u

receives his p ersonal key for the subscheme hu and the secret s is distributed

by each of the ek b subschemes

It is required that each subscheme has the following prop erty against b

traitors either the success probability of the traitors in decrypting the secret

q b

is greater by at mostq than the success probability of an adversary who

ek

do es not have any of the keys or the traitors can b e traced with probability at

least p If in no subscheme the traitors have an advantage greater than q

then the pirate deco der cannot decrypt with an advantage b etter than q

The initialization and secret distribution stages are straightforward The sub

schemes are built in the same way as the onelevel schemes of the previous sub

section As b efore w is a parameter that denes the minimal fraction of rows

such that with keys from less than w rows in a certain subscheme a deco der

cannot decrypt with probability b etter thanq If a pirate deco der decrypts with

probability greater than q it must contain keys from a w fraction of the rows in

one or more of the subschemes The tracing pro cess that was dened for the

onelevel scheme can then trace at least one of the traitors which contributed keys for this subscheme The following theorem therefore follows

Theorem There is a q threshold p k resilient scheme with the parameter

q b

ek

w taking values in where b log in which

ek p logp

b lognp basic keys The length of the personal key is m

w

ek

The data redundancy overhead is ek log basic encryptions

logw q b

logek q b

The receiver should perform decryptions in order to decrypt the

logw

secret

The key is longer than the key in the fully resilient secret twolevel scheme by

a factor of only w and the data redundancy overhead is substantially shorter

Comparing with the onelevel threshold scheme for the same value of the param

eter w the p ersonal key changes by a factor of bk and the data redundancy

overhead changes by a factor of e log ek b logq Therefore the key is

shorter and the data redundancy overhead is larger However the increase in the

data redundancy overhead is relatively mo derate if we denote the ratio b etween

the key length in this scheme and in the onelevel scheme as then the data

redundancy overhead increases by a factor of only e loge logq

q b

Note that the minimum value for w is q which is smaller than the

ek

minimum value for w in the onelevel scheme Setting w to this value yields the

minimum p ossible data redundancy overhead ek encryptions whereas the key

ek

lognp Both are longer than the values for the length is maximal m

q

onelevel scheme by a factor of exactly e

The twolevel scheme features a tradeo b etween the length of the p ersonal

key and the data redundancy overhead At one end of the curve there is a short

key but a longer data redundancy overhead and in the other end the key length

is maximal and the data redundancy overhead is minimal and b oth are equal

up to a constant factor to the p erformance of the onelevel threshold scheme

for minimal data redundancy overhead Note that as with the twolevel fully

resilient secret scheme the exp ected number of users that are mapp ed to each

subscheme is smaller than n by a factor of bek The subschemes can therefore

b e dened for a smaller set of users to achieve greater eciency

Shorter p ersonal keys The following variant of a threshold tracing scheme im

proves all the complexity parameters of the most ecient fullyresilient scheme

whereas the previous tracing scheme had a dramatic improvement in the data

redundancy and decryption overheads but increased the p ersonal key a lit

tle The decrease in the length of the p ersonal keys is enabled as follows

The same construction as b efore is used with ek b subschemes and it is

required that the probability that more than b users are mapp ed together is

at most p previously the values b and b were equal The p ersonal key

b lognp keys and the data redundancy overhead is of is comp osed of

w

b

ek

2

ek basic encryptions log

b logw q b

1 1

The values b b should satisfy the following inequality

b b b b

2 2 2 2

b ek b p ek b k

ek b ek b b b

Assume b b b The previous inequality is satised if b

q

logk p

The following theorem is therefore obtained

log logk p

Theorem For every there is a q threshold p k resilient scheme with

q

logk p

q b

the parameter w taking values in where b in

ek log logk p

which

b lognp basic keys The length of the personal key is m

w

ek

The data redundancy overhead is ek b log logw basic encryp

q b

tions

ek

logw decryptions in order to decrypt A receiver should perform log

q b

the secret

As increases the personal key length decreases and the data redundancy over

head increases The limits of these values as are

logk p

The limit of the length of the personal key is m lognp

w log logk p

basic keys

logk p

ek

log The limit of the data redundancy overhead is ek

log logk p q logw

basic encryptions

logek q

decryptions in order to decrypt the A receiver should perform

logw

secret

This scheme has the shortest p ersonal key among all the schemes we presented

The small p enalty for this is a data redundancy overhead which is longer than

in the other threshold twolevel scheme However the data redundancy is still

shorter than in the fully resilient schemes

An Example

Let us consider the following example in order to demonstrate the p erformance of

the dierent tracing schemes Supp ose that we would like to a traitor trac

ing scheme for up to one million authorized users so that for at most k

traitors the probability of false identication is at most We describ e in

Table the length of the p ersonal key of each user and the data redundancy

overhead b oth measured by the number of basic keys that they contain ie the

ratio b etween their size and the size of a key of the encryption scheme that is

used to encrypt the content The table also shows the number of decryption op

erations that should b e p erformed by the receiver We compare the p erformance

of threshold schemes to the p erformance of the b est fullyresilient scheme the

twolevel secret scheme describ ed in section The table refers to the section

in which each of the schemes is describ ed The rst result is for the most e

cient twolevel secret fully resilient scheme The other results are of threshold

schemes which were designed to trace only the source of keys of deco ders which

can decrypt with probability greater than This type of schemes allows for

Property Section Personal Data Decryption

Key Redun Operations

Secret twolevel b est fullyres

Threshold onelevel min

data redundancy

Threshold twolevel min

data redundancy w

Threshold twolevel

min key ! 1

Threshold tradeo

w

Table Examples of the complexity of dierent Tracing Traitors schemes

using n k p and q

a tradeo b etween the length of the p ersonal key and the data redundancy as

is demonstrated in the table

The secret twolevel scheme has a short key length but the data redundancy

overhead is large The threshold schemes feature a tradeo b etween the length of

the p ersonal key and the data redundancy overhead It is p ossible to make one

parameter very small by increasing the other parameter and it is also p ossible

to achieve very reasonable results for b oth measures as in the last entry The

scheme of Section is sup erior to the secret twolevel scheme in all the com

plexity parameters It should also b e noted that if we are only concerned with

deco ders which decrypt with probability close to it is p ossible to get more

ecient schemes by dening a scheme for q

Conclusions

We presented threshold tracing schemes which are considerably more ecient

than fullyresilient tracing schemes In many applications there is only need

for deco ders which decrypt with probability greater than some threshold and

these applications should use threshold tracing schemes to trace the source of

illegal deco ders The eciency of the threshold schemes as a function the size

of a corrupt coalition of users k allows for resiliency against rather large such

coalitions

We remark that in many dierent applications and scenarios other than

traitor tracing there is no need for security against adversaries which p erform

negligibly b etter than guessing the secret These applications call for threshold

security schemes similar to the schemes presented in this work These schemes

should dep end on a parameter q the threshold and only protect against adver

saries which achieve success greater than q

References

N Alon J Bruck J Naor M Naor and R Roth Construction of Asymptoti

cally Good LowRate ErrorCorrecting Codes through PseudoRandom Graphs IEEE

Transactions on Information Theory vol

N Alon and J Sp encer The Probabilistic Metho d Wiley

R Anderson and M Kuhn Tamper Resistance A Cautionary Note Usenix Elec

tronic Commerce Workshop Oakland

E Biham and A Shamir Dierential Fault Analysis of Secret Key Cryptosystems

Pro c Advances in Cryptology Crypto SpringrVerlag LNCS

D Boneh R A Demillo and R J Lipton On the Importance of Checking Compu

tations Pro c Advances in Cryptology Euro crypt

D Boneh and J Shaw Col lusionSecure Fingerprinting for Digital date Pro c Ad

vances in Cryptology Crypto

J L Carter and M N Wegman Universal Classes of Hash Functions Journal of

Computer and System Sciences

B Chor A Fiat and M Naor Tracing Traitors Pro c Advances in Cryptology

Crypto SpringrVerlag LNCS

B Chor A Fiat M Naor and B Pinkas Tracing Traitors manuscript

Cox I Kilian J Leighton T and Shamo on T A Secure Robust Watermark for

Multimedia Information Hiding Workshop Cambridge UK SpringerVerlag LNCS

C Dwork J Lotspiech and M Naor Digital Signets SelfEnforcing Protection of

Digital Information th Symp osium on the Theory of Computation

P ErdosP Frankl and Z F uredi Families of nite sets in which no set is covered

by the union of r others Israel J of math

A Fiat and M Naor Broadcast Encryption Pro c Advances in Cryptology Crypto

ML Fredman J Komlos and E Szemeredi Storing a Sparse Table with O

Worst Case Access Time Journal of the ACM Vol

K Mehlhorn Data Structures and Algorithms Sorting and Searching

SpringerVerlag

F J MacWilli ams and N J A Sloane The Theory of Error Correcting

Co des North Holland Amsterdam

B Ptzmann Trials of Traced Traitors Information Hiding Workshop Cambridge

UK SpringerVerlag LNCS

DM Wallner EJ Harder RC Agee Key Management for Multicast Issues and

Architectures internet draft draftwallnerkeyarchtxt Avaliable at

ftpietforginternetdraftsdraftwallnerkeyarchtxt

M N Wegman and J L Carter New Hash Functions and Their Use in Au

thentication and Set Equality Journal of Computer and System Sciences

A

This article was pro cessed using the L T X macro package with LLNCS style E