Results 1  10
of
31
Revocation and Tracing Schemes for Stateless Receivers
, 2001
"... Abstract. We deal with the problem of a center sending a message to a group of users such that some subset of the users is considered revoked and should not be able to obtain the content of the message. We concentrate on the stateless receiver case, where the users do not (necessarily) update their ..."
Abstract

Cited by 173 (4 self)
 Add to MetaCart
Abstract. We deal with the problem of a center sending a message to a group of users such that some subset of the users is considered revoked and should not be able to obtain the content of the message. We concentrate on the stateless receiver case, where the users do not (necessarily) update their state from session to session. We present a framework called the SubsetCover framework, which abstracts a variety of revocation schemes including some previously known ones. We provide sufficient conditions that guarantees the security of a revocation algorithm in this class. We describe two explicit SubsetCover revocation algorithms; these algorithms are very flexible and work for any number of revoked users. The schemes require storage at the receiver of log N and 1 2 log2 N keys respectively (N is the total number of users), and in order to revoke r users the required message lengths are of r log N and 2r keys respectively. We also provide a general traitor tracing mechanism that can be integrated with any SubsetCover revocation scheme that satisfies a “bifurcation property”. This mechanism does not need an a priori bound on the number of traitors and does not expand the message length by much compared to the revocation of the same set of traitors. The main improvements of these methods over previously suggested methods, when adopted to the stateless scenario, are: (1) reducing the message length to O(r) regardless of the coalition size while maintaining a single decryption at the user’s end (2) provide a seamless integration between the revocation and tracing so that the tracing mechanisms does not require any change to the revocation algorithm.
Tracing Traitors
, 1994
"... We give cryptographic schemes that help trace the source of leaks when sensitive or proprietary data is made available to a large set of parties. A very relevant application is in the context of pay television, where only paying customers should be able to view certain programs. In this application ..."
Abstract

Cited by 146 (10 self)
 Add to MetaCart
We give cryptographic schemes that help trace the source of leaks when sensitive or proprietary data is made available to a large set of parties. A very relevant application is in the context of pay television, where only paying customers should be able to view certain programs. In this application the programs are normally encrypted and then the sensitive data is the decryption keys that are given to paying customers. If a pirate decoder is found it is desirable to reveal the source of its decryption keys. We describe fully resilient schemes which can be used against any decoder which decrypts with nonnegligible probability. Since there is typically little demand for decoders which decrypt only a small fraction of the transmissions (even if it is nonnegligible), we further introduce threshold tracing schemes which can only be used against decoders which succeed in decryption with probability greater than some threshold. Threshold schemes are considerably more efficient than fully resilient schemes.
Optimal Probabilistic Fingerprint Codes
 In 35th ACM STOC
, 2003
"... We construct binary codes for fingerprinting. Our codes for n users that are #secure against c pirates have length O(c log(n/#)). This improves the codes proposed by Boneh and Shaw [3] whose length is approximately the square of this length. Our codes use the full power of randomization. Thi ..."
Abstract

Cited by 65 (1 self)
 Add to MetaCart
We construct binary codes for fingerprinting. Our codes for n users that are #secure against c pirates have length O(c log(n/#)). This improves the codes proposed by Boneh and Shaw [3] whose length is approximately the square of this length. Our codes use the full power of randomization. This improvement carries over to works using the BonehShaw code as a primitive, e.g. to the dynamic traitor tracing scheme of Tassa [16].
Combinatorial Properties of Frameproof and Traceability Codes
 IEEE Transactions on Information Theory
, 2000
"... In order to protect copyrighted material, codes may be embedded in the content or codes may be associated with the keys used to recover the content. Codes can oer protection by providing some form of traceability for pirated data. Several researchers have studied dierent notions of traceability a ..."
Abstract

Cited by 55 (10 self)
 Add to MetaCart
In order to protect copyrighted material, codes may be embedded in the content or codes may be associated with the keys used to recover the content. Codes can oer protection by providing some form of traceability for pirated data. Several researchers have studied dierent notions of traceability and related concepts in recent years. \Strong" versions of traceability allow at least one member of a coalition that constructs a \pirate decoder" to be traced. Weaker versions of this concept ensure that no coalition can \frame" a disjoint user or group of users. All these concepts can be formulated as codes having certain combinatorial properties. In this paper, we study the relationships between the various notions, and we discuss equivalent formulations using structures such as perfect hash families. We use methods from combinatorics and coding theory to provide bounds (necessary conditions) and constructions (sucient conditions) for the objects of interest. 1 Introduction In...
Fully collusion resistant traitor tracing with short ciphertexts and private keys
 In EUROCRYPT
, 2006
"... We construct a fully collusion resistant tracing traitors system with sublinear size ciphertexts and constant size private keys. More precisely, let N be the total number of users. Our system generates ciphertexts of size O ( √ N) and private keys of size O(1). We first introduce a simpler primitiv ..."
Abstract

Cited by 48 (9 self)
 Add to MetaCart
We construct a fully collusion resistant tracing traitors system with sublinear size ciphertexts and constant size private keys. More precisely, let N be the total number of users. Our system generates ciphertexts of size O ( √ N) and private keys of size O(1). We first introduce a simpler primitive we call private linear broadcast encryption (PLBE) and show that any PLBE gives a tracing traitors system with the same parameters. We then show how to build a PLBE system with O ( √ N) size ciphertexts. Our system uses bilinear maps in groups of composite order. 1
The complexity of online memory checking
 In Proceedings of the 46th Annual IEEE Symposium on Foundations of Computer Science
, 2005
"... We consider the problem of storing a large file on a remote and unreliable server. To verify that the file has not been corrupted, a user could store a small private (randomized) “fingerprint” on his own computer. This is the setting for the wellstudied authentication problem in cryptography, and t ..."
Abstract

Cited by 33 (3 self)
 Add to MetaCart
We consider the problem of storing a large file on a remote and unreliable server. To verify that the file has not been corrupted, a user could store a small private (randomized) “fingerprint” on his own computer. This is the setting for the wellstudied authentication problem in cryptography, and the required fingerprint size is well understood. We study the problem of sublinear authentication: suppose the user would like to encode and store the file in a way that allows him to verify that it has not been corrupted, but without reading the entire file. If the user only wants to read q bits of the file, how large does the size s of the private fingerprint need to be? We define this problem formally, and show a tight lower bound on the relationship between s and q when the adversary is not computationally bounded, namely: s × q = Ω(n), where n is the file size. This is an easier case of the online memory checking problem, introduced by Blum et al. in 1991, and hence the same (tight) lower bound applies also to that problem. It was previously shown that when the adversary is computationally bounded, under the assumption that oneway functions exist, it is possible to construct much better online memory checkers. T he same is also true for sublinear authentication schemes. We show that the existence of oneway functions is also a necessary condition: even slightly breaking the s × q = Ω(n) lower bound in a computational setting implies the existence of oneway functions. 1
Efficient tracing of failed nodes in sensor networks
 In Proceedings of the First ACM International Workshop on Wireless Sensor Networks and Applications
, 2002
"... This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author’s copyrig ..."
Abstract

Cited by 33 (0 self)
 Add to MetaCart
This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author’s copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder. Copyright c○2002 by the Association for Computing Machinery, Inc. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior
Efficient Dynamic Traitor Tracing
 Proc. of the 11th ACMSIAM Symp. on Discrete Algorithms (SODA
, 2000
"... Abstract. The notion of traitor tracing was introduced by Chor, Fiat, and Naor [Tracing Traitors, Lecture Notes in Comput. Sci. 839, 1994, pp. 257–270] in order to combat piracy scenarios. Recently, Fiat and Tassa [Tracing Traitors, Lecture Notes in Comput. Sci. 1666, 1999, pp. 354–371] proposed a d ..."
Abstract

Cited by 18 (0 self)
 Add to MetaCart
Abstract. The notion of traitor tracing was introduced by Chor, Fiat, and Naor [Tracing Traitors, Lecture Notes in Comput. Sci. 839, 1994, pp. 257–270] in order to combat piracy scenarios. Recently, Fiat and Tassa [Tracing Traitors, Lecture Notes in Comput. Sci. 1666, 1999, pp. 354–371] proposed a dynamic traitor tracing scenario, in which the algorithm adapts dynamically according to the responses of the pirate. Let n be the number of users and p the number of traitors. Our main result is an algorithm which locates p traitors, even if p is unknown, using a watermarking alphabet of size p + 1 and an optimal number of Θ(p 2 + p log n) rounds. This improves the exponential number of rounds achieved by Fiat and Tassa in this case. We also present two algorithms that use a larger alphabet: for an alphabet of size p + c +1, c ≥ 1, an algorithm that uses O(p 2 /c + p log n) rounds; for an alphabet of size pc + 1, an algorithm that uses O(p log c n) rounds. Our final result is a lower bound of Ω(p 2 /c + p log c+1 n) rounds for any algorithm that uses an alphabet of size p + c, assuming that p is not known in advance.
A Dual Watermarking and Fingerprinting System
 ACM Multimedia
, 2002
"... We present a new dual watermarkingfingerprinting (WM/FP) system, where initially all copies of a protected object are identically watermarked using a secret key, but individual detection keys are distinct. By knowing a detection key, an adversary cannot recreate the original content from the waterm ..."
Abstract

Cited by 16 (5 self)
 Add to MetaCart
We present a new dual watermarkingfingerprinting (WM/FP) system, where initially all copies of a protected object are identically watermarked using a secret key, but individual detection keys are distinct. By knowing a detection key, an adversary cannot recreate the original content from the watermarked content. However, knowledge of any one detection key is sufficient for modifying the object so that a detector using that key would fail to detect the marks. Detectors using other detection keys would not be fooled, and such a modified object necessarily contains enough information about the broken detector key – the fingerprint. Our dual WM/FP system limits the scope of possible attacks, when compared to classic fingerprinting systems. Under optimal attacks, the size of the collusion necessary to remove the marks without leaving a detectable fingerprint is superlinear in object size, whereas classic fingerprinting has a lower bound on collusion resistance that is approximately fourth root in object size. By using our scheme one can achieve collusion resistance of up to 100,000 users for a two hour highdefinition video.
Sequential Traitor Tracing
 in “Advances in Cryptology – CRYPTO 2000”, Lecture Notes in Computer Science 1880
, 2000
"... Abstract. Traceability schemes allow detection of at least one traitor when a group of colluders attempt to construct a pirate decoder and gain illegal access to digital content.Fiat and Tassa proposed dynamic traitor tracing schemes that can detect all traitors if they attempt to rebroadcast the co ..."
Abstract

Cited by 16 (0 self)
 Add to MetaCart
Abstract. Traceability schemes allow detection of at least one traitor when a group of colluders attempt to construct a pirate decoder and gain illegal access to digital content.Fiat and Tassa proposed dynamic traitor tracing schemes that can detect all traitors if they attempt to rebroadcast the content after it is decrypted.In their scheme the content is broken into segments and marked so that a rebroadcasted segment can be linked to a particular subgroup of users.Mark allocation for a segment is determined when the rebroadcast from the previous segment is observed.They showed that by careful design of the mark allocation scheme it is possible to detect all traitors. We consider the same scenario as Fiat and Tassa and propose a new type of traceability scheme, called sequential traitor tracing, that can efficiently detect all traitors and does not require any realtime computation.That is, the marking allocation is predetermined and is independent of the rebroadcasted segment.This is very attractive as it allows segments to be shortened and hence the overall convergence time reduced.We analyse the scheme and give two general constructions one based on a special type of function family, and the other on error correcting codes.We obtain the convergence time of these schemes and show that the scheme based on error correcting codes has a convergence time which is the same as the best known result for dynamic schemes. 1