Pirate Evolution: How to Make the Most of Your Traitor Keys

We introduce a novel attack concept against trace and revoke schemes called pirate evolution. In this setting, the attacker, called an evolving pirate, is handed a number of traitor keys and produces a number of generations of pirate decoders that are successively disabled by the trace and revoke system. A trace and revoke scheme is susceptible to pirate evolution when the number of decoders that the evolving pirate produces exceeds the number of traitor keys that were in his possession. Pirate evolution can threaten trace and revoke schemes even in cases where both the revocation and traceability properties are ideally satisfied: this is because pirate evolution may enable an attacker to "magnify" an initial key-leakage incident and exploit the traitor keys available to him to produce a great number of pirate boxes that will take a long time to disable. Even moderately successful pirate evolution affects the economics of deployment for a trace and revoke system, and thus it is important that it is quantified prior to deployment. In this work, we formalize the concept of pirate evolution and we demonstrate the susceptibility of the trace and revoke schemes of Naor, Naor and Lotspiech (NNL) from Crypto 2001 to an evolving pirate that can produce up to t · log N generations of pirate decoders given an initial set of t traitor keys. This is particularly important in the context of AACS, the new standard for high definition DVDs (HD-DVD and Blu-ray) that employ the subset difference method of NNL: for example, using our attack strategy, a pirate can potentially produce more than 300 pirate decoder generations by using only 10 traitor keys, i.e., key-leakage incidents in AACS can be substantially magnified.
