Synonyms

Tracing traitors

Related Concepts

Broadcast Encryption; Fingerprinting; Watermarking

Definition

Traitor tracing is a method for providing personal decryption keys to users, such that (1) there is a single encryption key corresponding to all the decryption keys, and (2) any possible decryption key, even one that was generated by a coalition of corrupt users (traitors), identifies personal keys that were used to generate it.

Background

Tracing the source of illegitimate keys is important if these keys enable access to sensitive data. The data can be encrypted to keep its confidentiality but at some point it must be revealed in the clear to the parties that are allowed to use it. These parties must therefore have corresponding decryption keys. In some scenarios corrupt parties (traitors), which have legitimate access to decryption keys, wish to further distribute the decrypted data to other users. In many cases it is ineffective for the traitors to leak the decrypted data itself, since due to economies of scale the distribution of this data in a timely manner is much more expensive for them than to a legitimate distributor. This argument seems to hold in cases such as the distribution of encrypted pay-TV programs, access to online databases, or distribution of content in encrypted high-capacity media such as HD DVDs. An alternative and cheaper approach for the traitors is to further distribute the decryption keys that enable the decryption of the encrypted content. (These decryption keys are typically secured in tamper-resistant software or hardware, for example in a smartcard, but such security measures are often broken by dedicated hackers, for example by using reverse engineering or differential power analysis.) The decryption keys are much shorter than the encrypted data itself, and therefore it is easier to distribute them.

The concept of traitor tracing was introduced by Chor et al. in [6]. The purpose of traitor tracing is that given an illegitimate key, for example one found in a pirate decoding device, it would be possible to trace traitors whose keys were used to generate this key. Note that a coalition of several traitors might collude to generate an illegitimate key by mixing information from the different personal keys of the coalition members, and this tactic might make tracing harder.

Traitor tracing is different from fingerprinting or watermarking, whose goal is to trace illegitimate copies of the content itself. Those methods have better functionality than tracing, since they enable authorized parties to trace the source of content even after its decryption. On the down side, their overhead is much higher (especially that of fingerprinting), and their security guarantees are weaker as they depend on the assumption that it is possible to insert different marking information into different copies of the same data (e.g., for the purpose of watermarking). Traitor tracing also provides different functionality than broadcast encryption. Tracing enables the identification of the source of a piracy problem, that is, the parties whose keys are used to enable illegal usage of content. Broadcast encryption can then be used to take measures against the piracy by preventing further usage of these keys.

Theory

If different parties receive the same decryption key then it would be impossible to tell which of them leaked it. Each party must therefore receive a personal key, different from the key of any other party. A simple solution achieving this property is to provide each party with an independent personal key, encrypt each data block using a random key, and then separately encrypt this key using each of the different personal keys. The problem with this approach is that its overhead is linear in the number of users, that is, given N users the system needs to distribute N additional encrypted messages. Since N might be large (in the millions), the overhead is undesirable.

Tracing schemes are usually designed to be secure against coalitions that contain a limited number of traitors. Let us denote by k an upper bound on the size of a coalition of traitors. Following is a description of the basic tracing scheme suggested by Chor, Fiat, and Naor in [6], which is secure against coalitions of up to k parties. (In addition, [6] contains more efficient schemes. See also [7] for a more detailed discussion.)

  • Initialization: The system uses a table of \(\ell\) rows and \(2{k}^{2}\) columns. Each table entry contains an independent key. Each user is mapped to a random location in every row. The user’s personal key contains the keys of the entries to which the user is mapped, a total of \(\ell\) keys.

  • Encryption: The data is encrypted using a random key S. Then random shares \({S}_{1},\ldots,{S}_{\ell}\) are generated, subject to the constraint that \({S}_{1} \oplus \cdots \oplus {S}_{\ell} = S\). Each share \({S}_{i}\), for \(1 \leq i \leq \ell\), is independently encrypted using every key in row i, giving a total of \(2\ell{k}^{2}\) encryptions for all the shares.

  • Decryption: Each user has a key from every row i, enabling it to decrypt the share \({S}_{i}\). The user can then compute \(S = {S}_{1} \oplus \cdots \oplus {S}_{\ell}\), and decrypt the data.

  • Tracing: The tracing procedure is given a pirate decoder that was generated by a coalition of at most k traitors. This decoder must contain a key from every row. Assume, without loss of generality, that it contains one key from every row. Then at least one traitor contributed \(\ell/k\) or more of the keys in the decoder. On the other hand, the personal set of keys of each other user is expected to intersect with only \(\ell/(2{k}^{2})\) keys of the decoder. The tracing algorithm therefore identifies the user whose personal set of keys has the largest intersection with the set of keys of the pirate decoder, and declares it to be a traitor. Setting the number of rows to be \(\ell = {k}^{2}\log N\) ensures that this user is a traitor with high probability.

Two major measures of the overhead of a tracing system are the size of the personal key of each user (\({k}^{2}\log N\) keys in the scheme described above), and the total communication overhead (\(2{k}^{4}\log N\) encryptions in this example). The overhead can be substantially improved using more advanced techniques, such as mapping users into smaller subsets and running a different tracing scheme for every subset.

A further significant improvement in the overhead is achieved using threshold tracing [9]. The difference between this method and basic tracing schemes is that the latter can trace the source of keys of any pirate decryption device that can decrypt content with non-negligible probability, whereas threshold tracing is only effective against pirate devices that succeed in the decryption with probability greater than a given threshold t (e.g., t = 90%). The use of threshold tracing is quite appealing, however, since decryption devices that cannot decrypt a substantial fraction of the content are not very attractive, and threshold tracing is considerably more efficient than basic traitor tracing.

The tracing operation is based on examining a pirate decryption device. Conceptually, it is simpler to imagine that it is possible to apply reverse engineering to the device, find out exactly which keys it is using, and trace their source. In practice, however, the reverse engineering operation might be quite complex, and it is preferable to perform black-box tracing, which is based on the functionality of the decryption device, rather than on obtaining its keys. Specifically, the tracing procedure operates by sending specially crafted encrypted messages to the decoder and examining how it decrypts them. The tracing schemes in [6, 7, 9] support black-box tracing.

Many tracing schemes are based on combinatorial constructions, and there is considerable research on designing codes supporting tracing (see, e.g., [11]). There are also several “trace and revoke” schemes that support both tracing and broadcast encryption, enabling both the identification of traitors and the disabling of their keys (see, e.g., [10]).

Public-Key Traitor Tracing

The tracing methods of [6] and their like are based on combinatorial or probabilistic constructions, and can be used for either symmetric-key or public-key encryption. Boneh and Franklin [1] introduced an efficient public-key only tracing scheme that is based on an algebraic (number theoretic) construction. The security of this system is based on the decisional Diffie–Hellman assumption. Its overhead is linear in k, and does not depend on the number of users N. Furthermore, tracing is deterministic, and ensures that all parties who contributed their keys to the pirate devices are traced. On the downside, the system does not support full black-box tracing, except for some specific cases.

The system operates by using a fixed base of 2k field elements. Each user receives a private personal key, which is a solution to the discrete log problem of representing a known value relative to the base. The result shows that any useful pirate key must be a convex combination of private keys. However, the private personal keys are derived from a Reed–Solomon code in such a way that any 2k keys are linearly independent. Therefore, any convex combination of at most k of them can be efficiently traced to the keys that were used to generate it.

Advanced Schemes

Compared to encryption schemes with no tracing capabilities, traitor tracing schemes increase the sizes of the ciphertext and of the encryption and decryption keys. Kiayias and Yung [8] introduced a public-key traitor tracing scheme that has a constant transmission rate, namely, a scheme in which the lengths of the ciphertext, of the encryption key, and of the decryption keys, are only increased by a constant factor. The scheme additionally achieves efficient black-box traitor tracing. On the down side, when the parameters are set to achieve full collusion resistance (namely, k = N), the ciphertext size is linear in the number of users N. Subsequent work [5] reduced the transmission rate to be asymptotically close to 1, by using a tracing scheme based on bilinear maps. That scheme also had the additional desired property of “public traceability,” meaning that tracing can be done without using any private key. Therefore, the center can delegate the tracing task to parties which are not sufficiently trusted to know the private key.

A fully collusion-resistant tracing system with constant size private keys and sublinear size ciphertexts was introduced in [3]. That system, based on bilinear maps in groups of composite order, has private keys of length O(1), and a ciphertext and public key of length \(O\left (\sqrt{N}\right )\). A trace and revoke scheme that supports broadcast encryption, traitor tracing, and revocation was shown in [4], based on similar assumptions as those used in [3]. The lengths of the ciphertext, the private decryption keys, and the encryption keys of that scheme are all \(O\left (\sqrt{N}\right )\). The system also supports the public traceability property, as well as security against adaptive adversaries. A newer scheme presented in [2] reduces the length of the ciphertext, and brings it to be a constant that depends only on a statistical security parameter λ, related to fingerprinting codes used in the construction of the system. The length of the ciphertext is therefore independent of the number of parties N or of the bound k on the number of colluders. The down side is that the length of the private keys is quadratic in the collusion bound, and is equal to \(({k}^{2}{\lambda }^{2}\log N)\).