Copyrighting Public-key Functions and Applications to Black-box Traitor Tracing

Copyrighting a function is the process of embedding hard-to-remove marks in the function’s implementation while retaining its original functionality. Here we consider the above problem in the context of public-key encryption and we parallel the process of copyrighting a function to the process of designing traitor tracing schemes. We derive two copyrighted public-key encryption functions for the 2-key setting, solving an open question left by earlier work with respect to copyrighting discrete-logarithm based functions. We then follow a modular design approach and show how to elevate the 2-key case to the multi-user setting, employing collusion secure codes. Our methodology provides a general framework for constructing public-key traitor tracing schemes that has the interesting property that the transmission rate remains constant if the plaintext size can be calibrated to reach an appropriate minimal length. Achieving a constant rate, i.e., constant expansion in the size of ciphertexts and keys, is an important open problem in the area of traitor tracing schemes. Our design shows how one can solve it for settings that accommodate the required plaintext calibration (e.g., when a bulk of symmetric cipher keys can be encrypted in one message). Our constructions support “black-box traitor tracing”, the setting where the tracer only accesses the decryption box in input/output queries/responses. For the first time here we provide a modeling of black-box traitor tracing that takes into account adversarially chosen plaintext distributions, a security notion we call semantic black-box traceability. In order to facilitate the design of schemes with semantic black-box traceability we introduce as part of our modular design approach a simpler notion called semantic user separability and we show that this notion implies semantic black-box traceability.
In the multi-user setting our constructions also demonstrate how one can derive public-key traitor tracing by reducing the required “marking assumption” of collusion-secure codes to cryptographic hardness assumptions.

∗ Computer Science and Engineering Dept., University of Connecticut, Storrs, CT, USA, aggelos@cse.uconn.edu. Research partly supported by NSF CAREER Award CNS-0447808.

† RSA Laboratories, Bedford, MA, USA and Computer Science Dept., Columbia University, NY, USA, moti@cs.columbia.edu
