Traitor tracing refers to a class of encryption schemes that can be used to deter key-leakage. They apply to a setting that involves many receivers, each one receiving a fingerprinted decryption key. If a set of malicious receivers (also known as traitors) constructs an illicit decoder then a tracing mechanism enables an authority to identify at least one of the traitors. The very first traitor tracing scheme that has sublinear ciphertext size and is capable of tracing unambiguously illicit decoders that may shut-down (or employ some sort of self-defensive mechanism that would be adverse to tracing) was proposed in AsiaCrypt 2004 by Matsushita and Imai.
In this work we demonstrate that this scheme is susceptible to an attack by an illicit decoder that not only evades tracing but results with high likelihood in the incrimination of an innocent user. Our attack is based on the fact that an illicit decoder can decompose a ciphertext to a set of components that can be submitted to a statistical test which distinguishes between tracing and regular system operation. The statistical distance between the two distributions converges to 1 as the number of traitors grows with an exponential rate in the number of traitors. After demonstrating our attack we also present a way to repair the construction as long as the traitors are not spaced too far apart in the user population. In particular we devise a transmission mechanism that eliminates the discrepancies between the tracing operation and the regular operation in the system and works against illicit decoders that are correct with sufficiently high probability.
[1]
Moni Naor,et al.
Threshold Traitor Tracing
,
1998,
CRYPTO.
[2]
Aggelos Kiayias,et al.
Self Protecting Pirates and Black-Box Traitor Tracing
,
2001,
CRYPTO.
[3]
Adi Shamir,et al.
The LSD Broadcast Encryption Scheme
,
2002,
CRYPTO.
[4]
Moni Naor,et al.
Revocation and Tracing Schemes for Stateless Receivers
,
2001,
CRYPTO.
[5]
Satoshi Obana,et al.
Bounds and Combinatorial Structure of Multi-Receiver-Codes
,
2001,
Des. Codes Cryptogr..
[6]
Matthew K. Franklin,et al.
An Efficient Public Key Traitor Tracing Scheme
,
1999,
CRYPTO.
[7]
Aggelos Kiayias,et al.
On Crafty Pirates and Foxy Tracers
,
2001,
Digital Rights Management Workshop.
[8]
Yvo Desmedt,et al.
Optimum Traitor Tracing and Asymmetric Schemes
,
1998,
EUROCRYPT.
[9]
Hideki Imai,et al.
A Public-Key Black-Box Traitor Tracing Scheme with Sublinear Ciphertext Size Against Self-Defensive Pirates
,
2004,
ASIACRYPT.
[10]
Hideki Imai,et al.
Hierarchical Key Assignment for Black-Box Tracing with Efficient Ciphertext Size
,
2006,
ICICS.
[11]
Amos Fiat,et al.
Tracing traitors
,
2000,
IEEE Trans. Inf. Theory.
[12]
David Pointcheval,et al.
Public Traceability in Traitor Tracing Schemes
,
2005,
EUROCRYPT.
[13]
Satoshi Obana,et al.
Bounds and Combinatorial Structure of (k,n) Multi-Receiver A-Codes
,
2001
.
[14]
MoonShik Lee,et al.
Breaking Two k-Resilient Traitor Tracing Schemes with Sublinear Ciphertext Size
,
2009,
ACNS.