On Cryptographic Techniques for Digital Rights Management

With more and more content being produced, distributed, and ultimately rendered and consumed in digital form, devising effective Content Protection mechanisms and building satisfactory Digital Rights Management (DRM) systems have become top priorities for the Publishing and Entertainment Industries. To help tackle this challenge, several cryptographic primitives and constructions have been proposed, including mechanisms to securely distribute data over a unidirectional insecure channel (Broadcast Encryption), schemes in which leakage of cryptographic keys can be traced back to the leaker (Traitor Tracing), and techniques to combine revocation and tracing capabilities (Trace-and-Revoke schemes). In this thesis, we present several original constructions of the above primitives, which improve upon existing DRM-enabling cryptographic primitives along two directions: (1) widening their scope of applicability, e.g., by considering models that take into account usability issues typical of the DRM setting; and (2) strengthening their security guarantees to the levels that are standard, for example, for standalone encryption. Our results along the first line of work include the following: (1) An efficient public-key broadcast encryption scheme, which allows mutually mistrusting content providers to leverage a common delivery infrastructure, and can cope with low-end, stateless receivers; (2) A traitor tracing scheme with optimal transmission rate, in which encryption does not cause a blow-up in the size of the content, thus allowing for optimal utilization of the broadcast channel; (3) A public-key tracing and revoking scheme that can deal with both server-side and client-side scalability issues, while preserving traceability.
As for the second direction, our contribution can be divided as follows: (1) A forward-secure public-key broadcast encryption scheme, in which the unauthorized access resulting from cracking a user-key is constrained to a minimal time frame which is delimited, in the future, by the revocation mechanism, and in the past, by forward secrecy; (2) A precise formalization of the notion of adaptive chosen-ciphertext security for public-key broadcast encryption schemes, along with a modular and efficient construction. Overall, the cryptographic tools developed in this thesis provide more flexibility and more security than existing solutions, and thus offer a better match for the challenges of the DRM setting.
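As an added illustration (not a construction from the thesis), the following Python simulation shows the compromise window described for the forward-secure scheme: a toy symmetric broadcast scheme with one-way key evolution per period and a revocation list, in which a user key leaked at period 2 and revoked at period 4 recovers only the session keys of periods 2 and 3. The names `Center`, `evolve`, `wrap` and `recoverable_periods` are assumptions of this example; the thesis's actual scheme is public-key and is not reproduced here.

```python
import hashlib
import hmac
import os

def evolve(key: bytes) -> bytes:
    """One-way key update K_{t+1} = H(K_t); the holder erases K_t afterwards."""
    return hashlib.sha256(b"period-evolve" + key).digest()

def wrap(user_key: bytes, period: int, session_key: bytes) -> bytes:
    """XOR a 32-byte session key with an HMAC keystream bound to (user key, period)."""
    pad = hmac.new(user_key, period.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(session_key, pad))

class Center:  # toy center: one key per user, evolved every period, plus a revocation list
    def __init__(self, users):
        self.period = 0
        self.keys = {u: os.urandom(32) for u in users}  # period-0 user keys (constructed)
        self.revoked = set()

    def advance(self):
        self.period += 1
        self.keys = {u: evolve(k) for u, k in self.keys.items()}

    def broadcast(self, session_key: bytes) -> dict:
        # header: a wrapped copy of the session key for every non-revoked user
        return {u: wrap(k, self.period, session_key)
                for u, k in self.keys.items() if u not in self.revoked}

def recoverable_periods(n_periods=6, leak_at=2, revoke_at=4):
    """Leak alice's key at `leak_at`, revoke her at `revoke_at`; return the
    periods whose session keys the leaked key can still recover."""
    center = Center(["alice", "bob"])
    transcript, stolen = [], None
    for t in range(n_periods):
        if t == leak_at:
            stolen = center.keys["alice"]          # attacker copies K_t
        if t == revoke_at:
            center.revoked.add("alice")
        sk = os.urandom(32)
        transcript.append((t, sk, center.broadcast(sk)))
        center.advance()
    recovered = []
    for t, sk, header in transcript:
        key = stolen
        for _ in range(max(0, t - leak_at)):     # can evolve forward, never back
            key = evolve(key)
        # earlier periods fail (wrong key); revoked periods carry no copy at all
        if "alice" in header and wrap(key, t, header["alice"]) == sk:
            recovered.append(t)
    return recovered
```

The window is bounded in the past by the one-way evolution (periods before the leak stay unreadable) and in the future by revocation (no wrapped copy is issued once the user is revoked).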
