adaptive traitor tracing with bayesian networks (slides)

8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)

1/33

Adaptive Traitor Tracing with

Bayesian Networks

Philip ZigorisUniversity of California

Santa Cruz, Ca

Hongxia JinIBM Almaden Research

San Jose, Ca


2/33

Broadcast Encryption

100101001011101

101101101100011

011010110100011

subscriber

non-subscriber


3/33

A Brief History of DRM

(wrt DVDs) 1996 - DVD format first available, just in

time for Christmas

1999 - 16 year old reveals first device

key

Within weeks, all device keys exposed

DVD distribution is no longer secure


4/33

Next Generation: AACS

Access, at the level of individual

players, is revocable Method for finding compromised keys

(traitor tracing)


5/33

AACS Broadcast Encryption

K1:4

K1:2 K3:4

K1:1 K2:2 K3:3 K4:4

1 2 3 4

Keys

Players


6/33


K1:4

K1:2 K3:4

K1:1 K2:2 K3:3 K4:4

1 2 3 4

media

E(media,M) E(M, K1:4)

(Not to scale)

If the player has a key in the

MKB, it can decrypt media key

and then decrypt the media.

Media Key Block (MKB)


7/33


K1:4

K1:2 K3:4

K1:1 K2:2 K3:3 K4:4

1 2 3 4

Suppose someone extracts

and publishes keys fromplayer 3

We can no longer use K1:4

to encode media key.


8/33


K1:4

K1:2 K3:4

K1:1 K2:2 K3:3 K4:4

1 2 3 4

media

E(media,M) E(M, K1:2) E(M, K4:4)

Since player 3 cannot decrypt

media key, it is effectively disabled


9/33

Traitor Tracing

Key assumption: box is stateless

Use forensic tests to reveal information

about which keys a clone box contains

Goal: Confidently identify the

compromised keys.

Simplified goal: Identify at least one of

the compromised keys


10/33

Forensic Tests

Keys can be disabled in an MKB by

encrypting random bit strings instead of

media key

E(media,M) E(R, K1:2) E(M, K4:4)

Now, if the clone box only has K1:2, then it

will be unable to recover media.


11/33

Forensic Tests (example)

K1 K2 K3 K4

K1 K2 K3 K4

PLAY

PLAY

K1 K2 K3 K4 !PLAY

K1 K2 K3 K4 PLAY

K1 OR K2 OR K3 OR K4

K1 OR K2

K2 OR K3 OR K4

K1


12/33

Clone Box Strategy

If a box contains an enabled and

disabled key then it has the option to play

or not playStateless Plays each test T with a

fixed probability

If two tests play with a different probability, then

the clone box must contain one of the keys on

which they differ (w.r.t. disabling)


13/33

K3

NNL Tracing

K1 K2

K1 K2 K4 K5 K6

K1 K3 K4 K5 K6

K1 K2 K3 K4 K5 K6

K3 K4 K5 K6

K2

Pr(play)=1.0

Pr(play)=0.6

Pr(play)=0.1

Pr(play)=0.1


14/33


15/33

So a solution exists?

Not quite under reasonablecircumstances this could take

tens of years


16/33

Our Basic Approach

Strategy ~ Pr(clone plays | keys it contains)

Uniform choice:

Build explicit model about which keys

clone box contains Select most informative test at each

step

# enabled keys in clone

# keys in clond


17/33

The Cast

C: set of keys in clone box

F: the frontier, the complete set of keys

T: a test

K: a key or set of keys


18/33

Generic Algorithm

Loop

For all keys Ki

in frontier,

# Try to diagnose a compromised key

Return Kiif

Select test T

Submit to clone box, get response t{0,1}

# update beliefs

Pr(Ki C) >1- e

Pr(K1,K ,Kn ) Pr(K1,K ,Kn |T= t)


19/33

F

Bayesian Net: Nave

Approach

K1 K2 K3 K4 K5 K6

T1 T2 T3

Pr(T1) = 12

Pr(T2 ) =1

2Pr(T3 ) =1


20/33

Computational Bottlenecks

1. Inference is exponential in frontier

size.


22/33

Computational Bottlenecks

Inference is exponential in frontier

size. Calculating entropy is exponential in

frontier size.

Number of possible tests isexponential in the frontier size.


23/33

Inference

Many approximate methods exist: belief

propagation, variational inference, mini-

buckets Somewhat unique requirements:

Marginal probabilities needed for diagnosis

must be exact Joint distribution needed for test selection

can be approximate


24/33

Key Observation

The probability of a test playing only

depends on the number of enabled and

disabled keys in the clone box.


25/33

F2F1

Partitioning Frontier

K1 K2 K3 K4 K5 K6

T

E1 E2 D2D1

Partitions are independent, given count nodes


26/33

Approximating Joint

Distribution

Pr(F) Pr(Fi)

i


27/33

Calculating Marginal

Probabilities Store joint distribution for each partition as a

table

Update table after each test.

Pr(Fi |T) = Pr(T| Fi)Pr(Fi)/Pr(T)

Pr(T| Fi) = Pr(Fi) Pr(T|

e,d E

j= e,

j D

j= d)

j


28/33

Space/Time Complexity

exp(|Fi|)O(|F|)+ O(|F|2)Running time

O(|F|2)Intermediate tablesexp(|F

i

|) O(|F|)Stored tables


29/33

Experiment: NNL Comparison


30/33

Experiment: Partition Size


31/33

Experiment: Watermarking


32/33

Take Aways

Exploited sufficient statistics in problem

specification

Marginal probabilities remain exact

Mutual information is a good measure

for test selection, but maybe not the

rightone


33/33

Thanks!

adaptive traitor tracing with bayesian networks (slides)

Documents