EFFICIENT TRAITOR TRACING FOR CONTENT PROTECTION
Hongxia Jin
IBM Almaden Research Center
San Jose, CA, U.S.A.
Keywords: Traitor tracing, Content protection, Anti-piracy, Broadcast encryption.
Abstract: In this paper we study the traitor tracing problem in the context of content protection. Traitor tracing is
a forensic technology that attempts to detect the users who have involved in the pirate attacks when pirate
evidences are recovered. There are different types of pirate attacks and each requires a different traitor tracing
mechanism. We studied different types of attacks, surveyed various traitor tracing schemes and analyzed
spectrum of traceabilities of different schemes using two representative schemes. We shall present some
observations on the designs and their impact on the efficiency of the schemes. We shall also present various
future directions that can lead to simpler and more efficient traitor tracing schemes for various pirate attacks.
1 INTRODUCTION
The goal of a content protection system for copy-
righted materials is to make sure the materials are
only accessible to user who are authorized to ac-
cess. Of course pirated attackers want to circum-
vent all the protections and get access to the con-
tent illegally. Broadcast encryption and traitor trac-
ing are two primary technologies used in a content
protection system. In a broadcast encryption (Fiat
and Naor, 1993) based content protection system,
each user (also called decoders, devices) is assigned
a unique set of secret keys (called device keys). Of-
tentimes the content is encrypted by a randomly cho-
sen session key (sometimes termed as “media key”)
once and only once. When a broadcast encryption
scheme is used for content protection, it uses a re-
vocation structure (termed as “Media Key Block”)
that contains the session key encrypted by and only
by privileged users’ secret device keys. MKB is dis-
tributed together with the encrypted content. During
playback, all privileged users can use their secret de-
vice keys to decrypt the structure although differently
but can obtain the same valid session key to access
the content; while all other excluding users can only
decrypt the structure to garbage strings. There can
exist different types of pirate attacks in this broadcast
encryption based content protection system.
1. Pirates disclose secret device keys by building a
clone pirate decoder.
2. Pirates disclose content encrypting key.
3. Pirates disclose (redistribute) decrypted content.
When the pirate evidences are found, traitor trac-
ing is a forensic technology that can defend against
piracy. The source devices (users) that involved in
piracy are called traitors.
In the first pirate attack, attackers compromise
several legitimate devices (decoders) and extract the
secret device keys from the compromised devices to
build a clone device which can be used to decrypt
and access the encrypted content. In second and third
type of attack, the attackers decrypt the MKB to get
the valid media key. They can choose to re-broadcast
the decrypted content or the media key. Because the
decrypted content and media key are same for every
user, this type of attack help attackers hide their iden-
tities, thus sometimes called anonymous attack.
In current state-of-art and state-of-practice, differ-
ent types of traitor tracing schemes have been de-
signed for different types of pirate attacks and dif-
ferent principles are used in the design in order to
achieve efficiency. We believe a more systematic
studying on those existing schemes are needed in or-
der to understand the pros and cons of each type of
design principles. This type of study can help shed
insights on new design principles that can help de-
sign simpler, more practical and efficient traitor trac-
ing schemes in future. This is what this paper is about.
In rest of the paper, in Section 2 we will give
more background details on existing traitor trac-
ing schemes. We believe designing traitor tracing
schemes follow some general steps. In Section 3 we
will use those general design steps to categorize ex-
270
Jin H. (2009).
EFFICIENT TRAITOR TRACING FOR CONTENT PROTECTION.
In Proceedings of the International Conference on Security and Cryptography, pages 270-273
DOI: 10.5220/0002235002700273
Copyright
c
SciTePress
isting tracing schemes and analyze its pros and cons
of those schemes. Based on our analysis, in Section 4
we will present new research directions that can im-
prove the efficiency, practicality and simplicity of the
traitor tracing scheme design.
2 TRACING SCHEMES FOR
PIRATE DEVICE ATTACK AND
ANONYMOUS ATTACK
There exist many broadcast encryption and traitor
tracing schemes (Naor et al., 2001; Fiat and Naor,
1993; Boneh et al., 2006) targeting on the “pirate de-
coder attack”. For pirate device attack, forensic test-
ing materials, including forensic MKBs, are fed into
the clone. When constructing a forensic MKB at fron-
tier F , one intentionally enables certain keys by using
them to encrypt a valid media key and disables certain
keys (not necessary traitorous) by encrypting a ran-
dom bit string instead of the media key. Based on the
keys inside the clone, the clone may or may not de-
crypt/play the content. Observing a series of response
from the clone, the tracing procedure can identify a
compromised key in current frontier. The tracing al-
gorithm starts from an initial frontier F and proceeds
by repeatedly using the subset tracing procedure to
identify a compromised key k F , removing it, and
adding to F k
1
and k
2
such that we can replace k with
k
1
and k
2
and still cover the same set of devices. This
process is reiterated until the detected compromised
key is at the lowest level or the clone box is unable to
play the MKB associated with F .
The traceability is defined to be the number of
testings needed to detect traitors. The state-of-art and
practice is the tree-based NNL scheme in (Naor et al.,
2001). Each node in the tree is associated with a key.
Each device is associated with a leaf node of the tree.
Each device is assigned a set of keys based on the
path from the leaf to the tree root. The NNL tracing
takes O(T
3
logT) number of tests to detect traitors in
a coalition of size T.
Schemes in (H. Jin and Nusser, 2004; J. N. Stad-
don and Wei, 2001) are designed to defend against
anonymousattack. In these schemes, content is differ-
ently watermarked and encrypted for different users.
Readers refer to (H. Jin and Nusser, 2004) for effi-
ciently prepare different versions. What is relevant
in this paper is that every device has only one key to
decrypt one version for each content.
The current state-of-art and practice traitor tracing
scheme for anonymous attack is the JL scheme shown
in (H. Jin, 2007) and deployed in AACS (AACS,
2006). In this scheme, each device is assigned a set of
tracing keys from a large matrix. The columns corre-
spond to the movie content in the sequence; the rows
correspond to different versions for each movie. For
example, the matrix might be 255 by 256. In a se-
quence of 255 movies, each movie has 256 movie ver-
sions. Each device is assigned exactly one key from
each column, 255 in totals. Each key is one of the
256 versions. The assignment is based on an error
correcting code, making any two devices as far apart
as possible to enhance its collusion resistance.
In the process of forensic analysis and traitor de-
tection, JL scheme employs a very different philos-
ophy. All other schemes focused on detecting one
traitor each time they incriminate the user who can
explain most of the recovered forensic evidences. On
contrast, JL traitor detection algorithm focused on
finding the entire coalition that can explain ALL re-
covered forensic evidences. With this detection phi-
losophy, JL scheme can detect traitors with much
fewer number of forensic evidences. In fact they
achieved a super-linear traceability. For details read-
ers are referred to (Jin et al., 2008).
JL scheme also allows revocation of a set of com-
promised tracing keys and supports multi-time trac-
ing when new attacks arise. Without needing to up-
date the tracing keys that are burned into devices dur-
ing manufacture time, the JL scheme employs a TKB
(Tracing Key Block) mechanism to revoke tracing
keys. It is similar to MKB but the JL scheme has more
than one correct K, (called variant data in AACS), one
for each version of the content. However, as shown in
(H. Jin, 2007), the traceability degrades with revoca-
tions with TKB. That puts a limit on the revocation
capability of the scheme. Indeed it has a finite revo-
cation capability and traceability degrades with revo-
cations.
3 DESIGNING A TRAITOR
TRACING SCHEME
Traditionally a traitor tracing scheme consists of two
basic steps. First, assign different keys/content ver-
sions to devices. Second, based on the recovered pi-
rated content/keys, trace to the traitors. As we have
seen, the spectrum of the traceability ranges from
O(T) to O(T
3
).
While NNL traceability does not change after re-
vocation, JL scheme indicates the traceability is pos-
sible to degrade. In other words in the lifetime of
a traitor tracing system, one must also consider the
continuous traceability after revocations. In light of
that, the design of a complete traitor tracing system
EFFICIENT TRAITOR TRACING FOR CONTENT PROTECTION
271
should consist of the following three steps instead of
two steps.
1. Assignment step: Assign versions of the con-
tent/key to currently known innocent devices
2. Forensic Analysis step: Based on the recovered
forensic evidences, trace to the traitors
3. Revocation step: loop to step 1 but exclude the
currently discovered traitors.
The newly added step 3 brings in differentrequire-
ments on the design. For the assignment task, now
one must consider new assignment after revocations.
For the second task, now one must consider traceabil-
ity after revocation, and the overall traceability over
the lifetime of the tracing system. We have stud-
ied carefully the NNL tracing and JL tracing scheme
and compare their differences on the design principles
when carrying out the above two tasks. Our studies
reveal fruitful insights on how to design a more effi-
cient traitor tracing system in the future.
3.1 Assignment: Tree vs. Matrix
Even though they were designed for two different at-
tacks, we believe there are other underlying reasons
why the tree-based NNL scheme has traceability of
O(T
3
) while the matrix-based JL scheme achieves su-
perlinear O(T) traceability.
As one can imagine, in a tree-based system, any
two devices may share many keys. For example,
any two neighboring devices share all the keys ex-
cept their leaf keys. During traitor detection process,
it takes many forensic testings in order to distinguish
two neighboring subsets (or devices). On contrast, in
a matrix-based system like JL scheme, any two de-
vices may share much fewer keys. For example, sup-
pose a Reed-Solomon code < n, k, d > is used to as-
sign the keys to devices, any two devices have at least
d different keys where d is the Hamming distance of
the Reed-Solomon code and d is made as big as pos-
sible. In this type of design, any two devices are as-
signed maximally apart. This contributes to the supe-
rior traceability achieved in JL scheme. As a design
principle, it seems an efficient tracing scheme needs
to assign the keys to devices in a way that makes any
two devices share as few key as possible.
3.2 Detection: Dynamic vs. Static
From traitor detection process point of view, it is easy
to see that NNL tracing process is dynamic in na-
ture while JL scheme is static in nature. In NNL
tracing, when it identifies the traitorous subset at the
current level, tracing moves down to the next lower
level. New forensic MKBs will be constructed based
on the new partition at the new level. This process is
repeated until it reaches the leaf level and an actual
traitor can be identified. As one can see, the tracing
reacts to the previous testing results.
On contrast, the matrix-based JL scheme is static.
In the matrix, each column corresponds to a movie
content. Different columns clump different devices
together. The tracing agency recovers a sequence of
pirated evidences from different columns, each pro-
viding to license agency some forensic information.
It is not required to react to the previous forensic re-
sults. As a result, MKBs can be produced way ahead
of time. All those MKBs are guaranteed to provide
forensic information. This provides some advantage
for operation in real world.
As to traitor detection at each step, NNL tracing
attempts to find one suspect subset and further split
into two smaller subsets. On contrast, JL scheme em-
ploys a detection algorithm which tries to detect a
coalition of suspects all together. As shown in (Jin
et al., 2008), it is a much more efficient detection ap-
proach than detecting traitors one by one.
3.3 Continuous Traceability and
Revocation Capacity
In a matrix-based tracing system, when there are revo-
cations, a licensing agency producing a multi-column
key block must spread the variant keys across all the
columns. For example, in a 256 X 255 matrix, sup-
pose the licensing agency has 256 variant keys (q =
256) that has to spread across 4 columns. So it would
encrypt only 64 unique movie variant keys in the 255
un-compromised key cells in the first column. In
other words, more than one cell (4 in this example)
would encrypt the same variant key. In effect, this re-
duces the original q; the effective q is q/c, where c is
the number of columns. In this example, the effective
q is reduced from 256 to 64. As shown in (H. Jin and
Nusser, 2004), in reality the extra bandwidth restrict
the number of variants. Here that number is reduced
even more by revocation. And our example has been
the minimal case; the situation gets much worse as re-
vocation continues over the life of the system and the
number of columns in the key blocks gets larger and
larger.
However, if the licensing agency can react to re-
sults from previously recovered movies, some of the
inefficiencies of multi-column key blocks can be re-
moved. For example, suppose the tracing agency has
recovered a pirated key (or content version) corre-
sponding to one media key variant and has deduced
that attackers have at least one tracing key in a four-
SECRYPT 2009 - International Conference on Security and Cryptography
272
key-cell clump that were assigned that variant. Then,
in a subsequent key block, those four keys could
each encrypt a unique media key variant. Of course,
this would mean other clumps would have to become
larger in that key block, but the attackers have a lim-
ited number of keys and eventually they will have to
identify an individual key. So, if the licensing agency
can react, the q/c problem, while not completely elim-
inated, can be greatly reduced.
As shown in (H. Jin, 2007), in order to re-
lieve the traceability degradation problem, even the
static matrix-based system would require at least two
phases to be effective under a reasonable amount of
revocation. On the other hand, for a same size MKB,
a tree-based system can use many more subsets in
the MKB. In other words, it can go down to a much
deeper level of the tree to speed up the tracing. With
the above observations, we realize, given revocation
which is a fact of life in the real world, it is no longer
clear that matrix-based systems provide better life-
long traceabilities.
4 FUTURE RESEARCH
DIRECTIONS AND
CONCLUSIONS
We know revocation-efficient tree-based NNL
scheme is not efficient on tracing while tracing
efficient matrix-based JL scheme is not efficient
on revocation. As shown above, faster tracing
requires any two devices be maximally apart, i.e.,
sharing minimal number of keys. In this way it is
easier to distinguish devices. On contrast, efficient
revocation (i.e., small MKB) requires any key to be
shared by many devices, so that one encryption in
MKB enables many devices. However, our analysis
above also reveals when taking into consideration
of revocation over lifetime of a trace-revoke system,
the matrix-based system traceability is not necessary
better than the tree-based system over its lifetime.
Our analysis and observations have led us to be-
lieve that a future simpler and more efficient trace-
revoke system design will need to combine the advan-
tage of the tree-based and matrix-based systems. For
example, adding some dynamics into the static tracing
in a matrix-based system can greatly reduce the q/c
problem, and thus improve revocation capability and
alleviate the traceability degradation problem. On the
other hand, we also believe it is possible to add some
statics into the mostly dynamic tree-based system to
improve its traceability. For example, when the trac-
ing reaches to any level of the tree, multiple MKBs at
the same level in the tree can be produced ahead of
time and each could provide forensic information. It
seems in either tree-based or matrix-based system, a
semi-static-dynamic tracing can achieve better trace-
ability but still balance off the degradation problem.
To further improve tree-based system NNL trac-
ing, at any level identifying a coalition of traitorous
subsets can make it much more efficient. When going
to next level, it provides an option to further split not
only one suspect subset, but rather multiple suspect
subsets.
In this paper, we have studied and compared dif-
ferent traitor tracing schemes that have followed dif-
ferent design principles. With our comparison and
analysis, we propose future research directions that
can lead to simpler and more efficient traitor tracing
schemes. As future work, we are interested in defin-
ing new traitor tracing model that takes advantage of
our observations and that can lead to series of more
efficient traitor tracing schemes.
REFERENCES
AACS (2006). Advanced access content system.
http://www.aacsla.com.
Boneh, D., Sahai, A., and Waters, B. (2006). Fully collu-
sion resistant traitor tracing with short ciphertexts and
private keys. In EuroCrypto 2006, Lecture Notes in
computer science, volume 4004, pages 573–592.
Fiat, A. and Naor, M. (1993). Broadcast encryption. In
Crypto 1993, Lecture Notes in computer science, vol-
ume 773, pages 480–491.
H. Jin, J. L. (2007). Renewable traitor tracing: A trace-
revoke-trace system for anonymous attack. In ES-
ORICS 2007, pages 563–577.
H. Jin, J. L. and Nusser, S. (2004). Traitor tracing for pre-
recorded and recordabe media. In ACM workshop on
Digital Rights Management, pages 83–90.
J. N. Staddon, D. S. and Wei, R. (2001). Combinato-
rial properties of frameproof and traceability codes.
In IEEE Transactions on Information Theory, vol-
ume 47, pages 1042–1049.
Jin, H., Lotspiech, J., and Megiddo, N. (2008). Efficient
coalition detection for traitor tracing. In IFIP Sec
2008, pages 365–380.
Naor, D., Naor, M., and Lotspiech, J. B. (2001). Revoca-
tion and tracing schemes for stateless receivers. In
CRYPTO ’01, Lecture Notes in Computer Science,
pages 41–62.
EFFICIENT TRAITOR TRACING FOR CONTENT PROTECTION
273