Abstract. We deal with the problem of a center sending a message to a group of users such that some subset of the users is considered revoked and should not be able to obtain the content of the message. We concentrate on the stateless receiver case, where the users do not (necessarily) update their state from session to session. We present a framework called the Subset-Cover framework, which abstracts a variety of revocation schemes including some previously known ones. We provide sufficient conditions that guarantees the security of a revocation algorithm in this class. We describe two explicit Subset-Cover revocation algorithms; these algorithms are very flexible and work for any number of revoked users. The schemes require storage at the receiver of log N and 1 2 log2 N keys respectively (N is the total number of users), and in order to revoke r users the required message lengths are of r log N and 2r keys respectively. We also provide a general traitor tracing mechanism that can be integrated with any Subset-Cover revocation scheme that satisfies a “bifurcation property”. This mechanism does not need an a priori bound on the number of traitors and does not expand the message length by much compared to the revocation of the same set of traitors. The main improvements of these methods over previously suggested methods, when adopted to the stateless scenario, are: (1) reducing the message length to O(r) regardless of the coalition size while maintaining a single decryption at the user’s end (2) provide a seamless integration between the revocation and tracing so that the tracing mechanisms does not require any change to the revocation algorithm.

We give cryptographic schemes that help trace the source of leaks when sensitive or proprietary data is made available to a large set of parties. A very relevant application is in the context of pay television, where only paying customers should be able to view certain programs. In this application the programs are normally encrypted and then the sensitive data is the decryption keys that are given to paying customers. If a pirate decoder is found it is desirable to reveal the source of its decryption keys. We describe fully resilient schemes which can be used against any decoder which decrypts with non-negligible probability. Since there is typically little demand for decoders which decrypt only a small fraction of the transmissions (even if it is non-negligible), we further introduce threshold tracing schemes which can only be used against decoders which succeed in decryption with probability greater than some threshold. Threshold schemes are considerably more efficient than fully resilient schemes.

In order to protect copyrighted material, codes may be embedded in the content or codes may be associated with the keys used to recover the content. Codes can oer protection by providing some form of traceability for pirated data. Several researchers have studied dierent notions of traceability and related concepts in recent years. \Strong" versions of traceability allow at least one member of a coalition that constructs a \pirate decoder" to be traced. Weaker versions of this concept ensure that no coalition can \frame" a disjoint user or group of users. All these concepts can be formulated as codes having certain combinatorial properties. In this paper, we study the relationships between the various notions, and we discuss equivalent formulations using structures such as perfect hash families. We use methods from combinatorics and coding theory to provide bounds (necessary conditions) and constructions (sucient conditions) for the objects of interest. 1 Introduction In...

We construct binary codes for fingerprinting. Our codes for n users that are #-secure against c pirates have length O(c log(n/#)). This improves the codes proposed by Boneh and Shaw [3] whose length is approximately the square of this length. Our codes use the full power of randomization. This improvement carries over to works using the BonehShaw code as a primitive, e.g. to the dynamic traitor tracing scheme of Tassa [16].

We construct a fully collusion resistant tracing traitors system with sublinear size ciphertexts and constant size private keys. More precisely, let N be the total number of users. Our system generates ciphertexts of size O( # N) and private keys of size O(1). We first introduce a simpler primitive we call private linear broadcast encryption (PLBE) and show that any PLBE gives a tracing traitors system with the same parameters. We then show how to build a PLBE system with O( # N) size ciphertexts. Our system uses bilinear maps in groups of composite order.

This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author’s copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder. Copyright c○2002 by the Association for Computing Machinery, Inc. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior

We consider the problem of storing a large file on a remote and unreliable server. To verify that the file has not been corrupted, a user could store a small private (randomized) “fingerprint” on his own computer. This is the setting for the well-studied authentication problem in cryptography, and the required fingerprint size is well understood. We study the problem of sub-linear authentication: suppose the user would like to encode and store the file in a way that allows him to verify that it has not been corrupted, but without reading the entire file. If the user only wants to read q bits of the file, how large does the size s of the private fingerprint need to be? We define this problem formally, and show a tight lower bound on the relationship between s and q when the adversary is not computationally bounded, namely: s × q = Ω(n), where n is the file size. This is an easier case of the online memory checking problem, introduced by Blum et al. in 1991, and hence the same (tight) lower bound applies also to that problem. It was previously shown that when the adversary is computationally bounded, under the assumption that one-way functions exist, it is possible to construct much better online memory checkers. T he same is also true for sub-linear authentication schemes. We show that the existence of one-way functions is also a necessary condition: even slightly breaking the s × q = Ω(n) lower bound in a computational setting implies the existence of one-way functions. 1

Abstract. The notion of traitor tracing was introduced by Chor, Fiat, and Naor [Tracing Traitors, Lecture Notes in Comput. Sci. 839, 1994, pp. 257–270] in order to combat piracy scenarios. Recently, Fiat and Tassa [Tracing Traitors, Lecture Notes in Comput. Sci. 1666, 1999, pp. 354–371] proposed a dynamic traitor tracing scenario, in which the algorithm adapts dynamically according to the responses of the pirate. Let n be the number of users and p the number of traitors. Our main result is an algorithm which locates p traitors, even if p is unknown, using a watermarking alphabet of size p + 1 and an optimal number of Θ(p 2 + p log n) rounds. This improves the exponential number of rounds achieved by Fiat and Tassa in this case. We also present two algorithms that use a larger alphabet: for an alphabet of size p + c +1, c ≥ 1, an algorithm that uses O(p 2 /c + p log n) rounds; for an alphabet of size pc + 1, an algorithm that uses O(p log c n) rounds. Our final result is a lower bound of Ω(p 2 /c + p log c+1 n) rounds for any algorithm that uses an alphabet of size p + c, assuming that p is not known in advance.

Abstract. Traceability schemes allow detection of at least one traitor when a group of colluders attempt to construct a pirate decoder and gain illegal access to digital content.Fiat and Tassa proposed dynamic traitor tracing schemes that can detect all traitors if they attempt to rebroadcast the content after it is decrypted.In their scheme the content is broken into segments and marked so that a re-broadcasted segment can be linked to a particular subgroup of users.Mark allocation for a segment is determined when the re-broadcast from the previous segment is observed.They showed that by careful design of the mark allocation scheme it is possible to detect all traitors. We consider the same scenario as Fiat and Tassa and propose a new type of traceability scheme, called sequential traitor tracing, that can efficiently detect all traitors and does not require any real-time computation.That is, the marking allocation is pre-determined and is independent of the re-broadcasted segment.This is very attractive as it allows segments to be shortened and hence the overall convergence time reduced.We analyse the scheme and give two general constructions one based on a special type of function family, and the other on error correcting codes.We obtain the convergence time of these schemes and show that the scheme based on error correcting codes has a convergence time which is the same as the best known result for dynamic schemes. 1

We present a new dual watermarking-fingerprinting (WM/FP) system, where initially all copies of a protected object are identically watermarked using a secret key, but individual detection keys are distinct. By knowing a detection key, an adversary cannot recreate the original content from the watermarked content. However, knowledge of any one detection key is sufficient for modifying the object so that a detector using that key would fail to detect the marks. Detectors using other detection keys would not be fooled, and such a modified object necessarily contains enough information about the broken detector key – the fingerprint. Our dual WM/FP system limits the scope of possible attacks, when compared to classic fingerprinting systems. Under optimal attacks, the size of the collusion necessary to remove the marks without leaving a detectable fingerprint is superlinear in object size, whereas classic fingerprinting has a lower bound on collusion resistance that is approximately fourth root in object size. By using our scheme one can achieve collusion resistance of up to 100,000 users for a two hour high-definition video.