Improving the Boneh-Franklin Traitor Tracing Scheme [chapter]

Pascal Junod, Alexandre Karlov, Arjen K. Lenstra
2009 Lecture Notes in Computer Science  
Traitor tracing schemes are cryptographically secure broadcast methods that allow identification of conspirators: if a pirate key is generated by k traitors out of a static set of ℓ legitimate users, then all traitors can be identified given the pirate key. In this paper we address three practicality and security issues of the Boneh-Franklin traitor-tracing scheme. In the first place, without changing the original scheme, we modify its tracing procedure in the non-black-box model such that it
more » ... lows identification of k traitors in timeÕ(k 2 ), as opposed to the original tracing complexityÕ(ℓ). This new tracing procedure works independently of the nature of the Reed-Solomon code used to watermark private keys. As a consequence, in applications with billions of users it takes just a few minutes on a common desktop computer to identify large collusions. Secondly, we exhibit the lack of practical value of list-decoding algorithms to identify more than k traitors. Finally, we show that 2k traitors can derive the keys of all legitimate users and we propose a fix to this security issue. Fiat and Naor introduced the concept of broadcast encryption in [17] . In their model 4 , there exists a set of ℓ authorized users and the broadcasting center can dynamically specify a privileged subset of authorized users that can decrypt selected ciphertexts (like high-value content, for instance). Later, Chor, Fiat, and Naor [12] introduced the concept of traitor-tracing to overcome decryption key piracy in broadcast encryption schemes. Their scheme (which was improved by Naor and Pinkas in [13, 33] ) is k-collusion resistant (or k-resilient) in the sense that at least one traitor can be identified with high probability given a pirate key generated by up to k traitors. Naor, Naor and Lotspiech presented more efficient broadcast encryption schemes [32] with tracing capabilities; it was however demonstrated by Kiayias and Pehlivanoglu [21] that the iterative nature of the tracing procedure allows a pirate to significantly leverage the compromise of a few keys. Although broadcast encryption and traitor-tracing are orthogonal problems in nature, and thus frequently studied separately, they are in practice indivisible: some trace-and-revoke schemes have been proposed accordingly [15, 16] , culminating in [9] . The latter scheme, though resistant to any collusion size, is geared towards small-scale systems and impractical for the systems of tens of millions of users that we are dealing with and that inspired this paper; this is mainly due to the O( √ ℓ) complexity of [9] in terms of key storage and bandwidth requirements. Additionally, the tracing costs are O(ℓ 2 ), which also severely limits its applicability. Kurosawa and Desmedt [24] proposed a public-key traitor tracing scheme, which was later broken by Stinson and Wei [40]. Boneh and Shaw [8] discussed collusion-resistant schemes for fingerprinting digital data based on error-correcting codes. Boneh and Franklin [5] proposed a new public-key traitor-tracing scheme also based on error-correcting codes, more precisely on Reed-Solomon codes. Actually, the traitor-tracing problem can be interpreted as an application of watermarking to secret keys that are distributed among users. The Boneh-Franklin non-black-box traitor tracing scheme is k-collusion resistant and deterministic in the sense that all of the traitors are identified with probability 1 if at most k of them collude to derive new pirate keys. The fastest claimed running time of the non-black-box tracing algorithm is O(ℓ log ℓ log log ℓ) while the best known black-box tracing method has an exponential complexity O( ℓ k k 2 ). Kurosawa and Yoshida [25] have generalized the Kurosawa-Desmedt and Boneh-Franklin schemes. The technique used by Boneh and Franklin to watermark private keys has since been re-used by Kiayias and Yung [23] to design an asymmetric 5 public-key traitor tracing scheme; other examples of Reed-Solomon codes use include schemes designed by Dodis et al. [15, 16]. Recently, Boneh et al. [7] have presented a fully-collusion resistant traitor tracing scheme which has private keys of constant size and ciphertexts of size O( √ ℓ ) . Finally, the low efficiency of tracing procedures in traitor tracing schemes has been addressed by Silverberg et al. in [37, 38] . The authors present several schemes based on algebraic codes which enable traitors to be traced in time polynomial in k 2 log ℓ. Recently, Billet and Phan [2] and Boneh and Naor [6] have independently proposed traitor-tracing schemes with constant size ciphertexts and having a black-box tracing complexity of O(t 2 ℓ log ℓ) and O(t 4 log ℓ), respectively.
doi:10.1007/978-3-642-00468-1_6 fatcat:adnhpwi2nbejvoder6k2okqkdy