
Efficient Fingerprinting to Protect Digital Content

FingerMark: Efficient Fingerprinting to Protect Digital Content. Josh Benaloh and Gideon Yuval, Microsoft Research; Andrew Rosen, Microsoft Studios.


Presentation Transcript


  1. FingerMark: Efficient Fingerprinting to Protect Digital Content. Josh Benaloh, Gideon Yuval (Microsoft Research); Andrew Rosen (Microsoft Studios)

  2. Fingerprinting of Content If protected content is somehow released from a playback device, it may be desirable to have a method to enable identification of the device from which the content was released.

  3. Fingerprinting by the Device A simple approach to fingerprinting is to have each playback device insert a “unique” identifying signal into its output stream. Drawbacks:
     • A compromised player can bypass this step.
     • Deployed fingerprinting schemes are difficult to update.

  4. Differential Decryption It would be nice if it were possible to give different keys to each playback device such that the content is slightly different when decrypted with distinct keys.

  5. Differential Decryption [Diagram: Encrypted Content; Key 1 and Key 2 each yield Decrypted Content]

  6. Differential Decryption A simple observation is that “differential decryption” is possible to achieve (although usually impractical) by creating two separate and slightly different copies of the original content.

  7. Differential Decryption [Diagram: Encrypted Content; Key 1 and Key 2 each yield Decrypted Content]

  8. Differential Decryption [Diagram: two copies of Encrypted Content; Key 1 and Key 2 each yield Decrypted Content]

  9. Differential Decryption The efficiency and utility of differential decryption can be greatly enhanced by dividing content into “clips” and separately encrypting two slightly different versions of each clip.

  10. Differential Decryption

  11. Differential Decryption [Diagram: four clips, each with two keys: Key 1A/1B, Key 2A/2B, Key 3A/3B, Key 4A/4B]

  12. Differential Decryption [Diagram: four clips, each with two keys: Key 1A/1B, Key 2A/2B, Key 3A/3B, Key 4A/4B]

  13. Differential Decryption If each playback device is given exactly one of the two decryption keys for each clip, the output generated by that device will form a pattern that can be regarded as a fingerprint of the device.

  14. Differential Decryption [Diagram: Key 1A, Key 2B, Key 3A, Key 4A]

  15. Differential Decryption [Diagram: Key 1B, Key 2A, Key 3A, Key 4B]

  16. Differential Decryption The content need not be doubled!
     • It is not necessary to divide the entire content into clips!!!
     • It is only necessary to place these parallel clips into a small portion of the content.

  17. Differential Decryption Even if the keys are removed from a playback device, content decrypted with its keys will retain its fingerprint. The fingerprint is dependent only upon the decryption keys used – not the hardware that held them.

  18. Differential Decryption Any method (such as watermarking) can be used to distinguish the two versions of each clip. The differentiation scheme is dynamic and need not be fixed by the playback device.

  19. Are More Keys a Problem? The number of content keys that must be transmitted to a playback device seems to grow with the number of clips.

  20. More Keys are not a Problem As many keys as desired can be packed into the space of a single key. Either of two crypto tricks can be used.
     • Broadcast Encryption
     • A new application of a technique invented by Chick and Tavares

  21. Broadcast vs. Narrowcast The method can be illustrated by showing a grid of participants against clips. Each participant is entitled to the keys for the clips shown in orange.

  22. Broadcast vs. Narrowcast [Grid: Recipients against Clips]

  23. Broadcast vs. Narrowcast [Grid: Recipients against Clips]

  24. Broadcast Using Broadcast Encryption, for each clip, the set of participants entitled to that clip is determined, and a single encryption of that clip’s key is produced that enables those (and only those) participants to derive that clip’s key.

  25. Broadcast [Grid: Recipients against Clips]

  26. Broadcast Encryption
     • One encryption per clip key.
     • Time to encrypt/decrypt each clip key is proportional to number of copies of content distributed.
     • Collusion can allow recipients access to keys to which they are not entitled.

  27. Narrowcast Using the technique of Chick and Tavares, for each participant, the set of clips to which that participant is entitled is determined, and a single value is produced that allows the participant to derive those (and only those) clip keys.

  28. Narrowcast [Grid: Recipients against Clips]

  29. Narrowcast [Grid: Recipients against Clips]

  30. Narrowcast
     • One encryption per recipient.
     • Time to encrypt/decrypt each clip key is proportional to the number of clip keys.
     • Collusion does not provide access to additional clip keys.
     • Amortization and other efficiencies can significantly reduce encrypt/decrypt times.

  31. Narrowcast Some details of the mathematics behind the narrowcast method are presented in the following slides.

  32. Narrowcast

  33. Small Prime Assignment [Diagram: four clips, each with two small primes: Prime 1A/1B, Prime 2A/2B, Prime 3A/3B, Prime 4A/4B]

  34. Clip Key Encryption
     • Select a large composite integer $N$.
     • Let $y \in \mathbb{Z}_N^*$.
     • Compute each clip key as $y^{1/p} \bmod N$ where $p$ is the small prime associated with the clip.

  35. Clip Key Encryption
     • Select a large composite integer $N$.
     • Randomly select an integer $x \in \mathbb{Z}_N^*$.
     • Let $P = \prod(\text{all small clip primes})$.
     • Let $y = x^P \bmod N$.
     • Compute clip key $k = \mathrm{Hash}(y^{1/p} \bmod N)$ where $p$ is the small prime associated with the clip.

  36. Clip Key Distribution
     • For a given recipient, define $\rho$ to be the product of all small clip primes associated with clips to which that recipient is not entitled.
     • Give that recipient the amalgamated key value $x^{\rho} \bmod N$.

  37. Clip Key Decryption To obtain a single clip key, a recipient can take the amalgamated clip key $x^{\rho} \bmod N$ and raise it to the power of all appropriate small primes except the small prime $p$ associated with the desired clip.

  38. Security of other Keys Shamir’s Root Independence Lemma (1980) shows that given $y^{1/p} \bmod N$ and $y^{1/q} \bmod N$, finding $y^{1/r} \bmod N$ is as hard as computing arbitrary roots modulo $N$ (RSA assumption) unless $r \mid (pq)$.

  39. Amortization
     • A set of $m$ keys can be decrypted using time $m \log m$ beyond the time to decrypt a single key.
     • After an initial step linear in the number of keys, each of $m$ subsequent keys can be delivered in $\log m$ time.

  40. Amortized Decryption [Tree diagram: root 1,8; children 1,4 and 5,8; then 1,2, 3,4, 5,6, 7,8; leaves 1,1 through 8,8]

  41. Amortized Decryption [Same tree, annotated with $x$ at the root 1,8]

  42. Amortized Decryption [Same tree, annotated with $x$ at the root and $x^{p_5 p_6 p_7 p_8}$]

  43. Amortized Decryption [Same tree, annotated with $x$ at the root, $x^{p_5 p_6 p_7 p_8}$ and $x^{p_1 p_2 p_5 p_6 p_7 p_8}$]

  44. Amortized Decryption [Same tree, annotated with $x$ at the root, $x^{p_5 p_6 p_7 p_8}$, $x^{p_1 p_2 p_5 p_6 p_7 p_8}$ and $x^{p_1 p_2 p_4 p_5 p_6 p_7 p_8}$]

  45. Amortized Decryption [Same tree, labeled: $m$ leaves]

  46. Amortized Decryption [Same tree, labeled: $\log m$ levels, $m$ leaves]

  47. Amortized Decryption [Same tree, labeled: $m$ small prime exponentiations per level, $\log m$ levels, $m$ leaves]

  48. Conclusions
     • Flexible fingerprinting methods are an important tool in content protection.
     • Large amounts of keying material may be required for such fingerprinting.
     • The methods described minimize the bandwidth requirements for these schemes.
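
The narrowcast construction of slides 34 to 37 and the tree-based amortized decryption of slides 40 to 47, as an added example that is not part of the original presentation. The toy modulus, the value of x, the choice of SHA-256, the clip labels and all function names are assumptions made for illustration.

```python
import hashlib
from math import prod

# Constructed toy parameters (assumptions, not from the slides): a real N is a
# large composite whose factorization stays secret, and x is chosen at random.
N = (2**31 - 1) * (2**61 - 1)
X = pow(3, 65537, N)
SMALL_PRIMES = [101, 103, 107, 109, 113, 127, 131, 137]
CLIPS = [f"{i}{v}" for i in range(1, 5) for v in "AB"]   # 1A, 1B, ..., 4B
PRIME = dict(zip(CLIPS, SMALL_PRIMES))

def H(v):
    """Hash a residue mod N into a clip key (SHA-256 is an assumption)."""
    return hashlib.sha256(v.to_bytes(16, "big")).hexdigest()

def publisher_clip_key(clip):
    """k = Hash(y^(1/p) mod N); the publisher knows x, so y^(1/p) = x^(P/p)."""
    P = prod(SMALL_PRIMES)
    return H(pow(X, P // PRIME[clip], N))

def amalgamated_key(entitled):
    """x^rho mod N, rho = product of the primes of clips the recipient must not get."""
    rho = prod(PRIME[c] for c in CLIPS if c not in entitled)
    return pow(X, rho, N)

def derive_one(amalg, entitled, clip):
    """Recipient: raise to every entitled prime except the wanted clip's prime."""
    return H(pow(amalg, prod(PRIME[c] for c in entitled if c != clip), N))

def derive_all(amalg, entitled):
    """Amortized tree: each half gets the value raised to the other half's primes."""
    if len(entitled) == 1:
        return {entitled[0]: H(amalg)}
    mid = len(entitled) // 2
    left, right = entitled[:mid], entitled[mid:]
    keys = derive_all(pow(amalg, prod(PRIME[c] for c in right), N), left)
    keys.update(derive_all(pow(amalg, prod(PRIME[c] for c in left), N), right))
    return keys

def fingerprint(keys):
    """Recover a device's A/B pattern from which published clip keys it holds."""
    return "".join(c[1] for c in CLIPS if publisher_clip_key(c) in keys.values())

if __name__ == "__main__":
    device = ["1A", "2B", "3A", "4A"]          # the key set shown on slide 14
    keys = derive_all(amalgamated_key(device), device)
    print(fingerprint(keys))
```

The recipient never needs to extract roots: every derivation is a forward exponentiation of the single amalgamated value, which is why one value per recipient carries all of its clip keys.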
