Scribd
Upload
206 views33 pages

Adaptive Traitor Tracing With Bayesian Networks (Slides)

The document describes techniques for adaptive traitor tracing using Bayesian networks. It discusses using forensic tests to identify compromised keys in a stateless clone box by observing whether it can play encrypted content. A key assumption is that the clone box strategy is to play each test with a fixed probability based on the keys it possesses. The document proposes building a Bayesian network model to represent the keys in the clone box and select informative tests to iteratively update beliefs and identify compromised keys. It acknowledges computational bottlenecks in exact inference and proposes approximations by partitioning the key space and storing joint distributions in tables.

Uploaded by

philip zigoris
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
206 views33 pages

Adaptive Traitor Tracing With Bayesian Networks (Slides)

The document describes techniques for adaptive traitor tracing using Bayesian networks. It discusses using forensic tests to identify compromised keys in a stateless clone box by observing whether it can play encrypted content. A key assumption is that the clone box strategy is to play each test with a fixed probability based on the keys it possesses. The document proposes building a Bayesian network model to represent the keys in the clone box and select informative tests to iteratively update beliefs and identify compromised keys. It acknowledges computational bottlenecks in exact inference and proposes approximations by partitioning the key space and storing joint distributions in tables.

Uploaded by

philip zigoris
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 33

Adaptive Traitor Tracing with

Bayesian Networks

Philip Zigoris Hongxia Jin


University of California IBM Almaden Research
Santa Cruz, Ca San Jose, Ca
Broadcast Encryption
100101001011101
101101101100011
011010110100011

subscriber

non-subscriber
A Brief History of DRM
(wrt DVDs)
• 1996 - DVD format first available, just in
time for Christmas
• 1999 - 16 year old reveals first device
key
• Within weeks, all device keys exposed

DVD distribution is no longer secure


Next Generation: AACS

• Access, at the level of individual


players, is revocable
• Method for finding compromised keys
(traitor tracing)
AACS Broadcast Encryption

K1:4

K1:2 K3:4 Keys

K1:1 K2:2 K3:3 K4:4

1 2 3 4 Players
AACS Broadcast Encryption

K1:4 media
K1:2 K3:4 (Not to scale)
K1:1 K2:2 K3:3 K4:4
E(media,M) E(M, K1:4)

1 2 3 4
Media Key Block (MKB)

If the player has a key in the


MKB, it can decrypt media key
and then decrypt the media.
AACS Broadcast Encryption

K1:4 Suppose someone extracts


K1:2 K3:4 and publishes keys from
player 3
K1:1 K2:2 K3:3 K4:4
We can no longer use K1:4
1 2 3 4 to encode media key.
AACS Broadcast Encryption

K1:4 media
K1:2 K3:4

K1:1 K2:2 K3:3 K4:4


E(media,M) E(M, K1:2) E(M, K4:4)

1 2 3 4

Since player 3 cannot decrypt


media key, it is effectively disabled
Traitor Tracing
• Key assumption: box is stateless
• Use forensic tests to reveal information
about which keys a clone box contains
• Goal: Confidently identify the
compromised keys.
• Simplified goal: Identify at least one of
the compromised keys
Forensic Tests
• Keys can be disabled in an MKB by
encrypting random bit strings instead of
media key

E(media,M) E(R, K1:2) E(M, K4:4)

Now, if the clone box only has K1:2, then it


will be unable to recover media.
Forensic Tests (example)

K1 K2 K3 K4 PLAY K1 OR K2 OR K3 OR K4

K1 OR K2
K1 K2 K3 K4 PLAY

K1 K2 K3 K4 !PLAY K2 OR K3 OR K4

K1 K2 K3 K4 PLAY K1
Clone Box Strategy
•If a box contains an enabled and
disabled key then it has the option to play
or not play
•Stateless ⇒ Plays each test T with a
fixed probability
If two tests play with a different probability, then
the clone box must contain one of the keys on
which they differ (w.r.t. disabling)
NNL Tracing

K1 K2 K3 K4 K5 K6 Pr(play)=1.0

K1 K2 K3 K4 K5 K6 Pr(play)=0.6

K1 K2 K3 K4 K5 K6 Pr(play)=0.1

K1 K2 K3 K4 K5 K6 Pr(play)=0.1
NNL Tracing

• Binary search
• Difficult step is estimating Pr(play)
• Motivates (optimal?) adversarial
strategy: choose a key at random and
try to use it to play media (uniform
choice strategy)
So a solution exists?

Not quite… under reasonable


circumstances this could take
tens of years
Our Basic Approach

• Strategy ~ Pr(clone plays | keys it contains)


– Uniform choice: # enabled keys in clone
# keys in clond

• Build explicit model about which keys


clone box contains
• Select most informative test at each
step
The Cast

• C: set of keys in clone box


• F: the frontier, the complete set of keys
• T: a test
• K: a key or set of keys
Generic Algorithm

• Loop
– For all keys Ki in frontier,
# Try to diagnose a compromised key
• Return Ki if Pr(K i Î C) > 1- e
– Select test T
– Submit to clone box, get response t∈{0,1}
# update beliefs
– Pr(K1,K ,K n ) ¬ Pr(K1,K ,K n | T = t)
Bayesian Net: Naïve
Approach

T1 T2 T3
1
Pr(T1 ) =
2
1
Pr(T2 ) =
2
Pr(T3 ) = 1 K1 K2 K3 K4 K5 K6

F
Computational Bottlenecks
1. Inference is exponential in frontier
size.
Test Selection
• In previous example, we learn nothing with
test T2
• Quantify uncertainty about clone box with
entropy and then choose test that maximizes
mutual information.
H(K | T ) = - å Pr(K'| T )log(Pr(K'| T ))
K'Í F

I(K;T | T ) = H(K | T ) - H(K | T,T )


T = argmaxT I(K;T | T )
*
Computational Bottlenecks

• Inference is exponential in frontier


size.
• Calculating entropy is exponential in
frontier size.
• Number of possible tests is
exponential in the frontier size.
Inference
• Many approximate methods exist: belief
propagation, variational inference, mini-
buckets
• Somewhat unique requirements:
– Marginal probabilities needed for diagnosis
must be exact
– Joint distribution needed for test selection
can be approximate
Key Observation

The probability of a test playing only


depends on the number of enabled and
disabled keys in the clone box.
Partitioning Frontier

E1 D1 E2 D2

K1 K2 K3 K4 K5 K6
F1 F2

Partitions are independent, given count nodes


Approximating Joint
Distribution

i
Pr(F) » Õ Pr(F )
i
Calculating Marginal
Probabilities
• Store joint distribution for each partition as a
table
• Update table after each test….

Pr(F i | T) = Pr(T | F i )Pr(F i ) /Pr(T)


Pr(T | F ) = Pr(F )å Pr(T |å E = e,å D = d)
i i j j

e,d j j
Space/Time Complexity

Stored tables exp(|Fi|) O(|F|)


Intermediate tables O(|F|2)
Running time exp(|Fi|)O(|F|)+ O(|F|2)
Experiment: NNL Comparison
Experiment: Partition Size
Experiment: Watermarking
Take Aways

• Exploited sufficient statistics in problem


specification
• Marginal probabilities remain exact
• Mutual information is a good measure
for test selection, but maybe not the
right one
Thanks!

You might also like