-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
1/33
Adaptive Traitor Tracing with
Bayesian Networks
Philip ZigorisUniversity of California
Santa Cruz, Ca
Hongxia JinIBM Almaden Research
San Jose, Ca
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
2/33
Broadcast Encryption
100101001011101
101101101100011
011010110100011
subscriber
non-subscriber
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
3/33
A Brief History of DRM
(wrt DVDs) 1996 - DVD format first available, just in
time for Christmas
1999 - 16 year old reveals first device
key
Within weeks, all device keys exposed
DVD distribution is no longer secure
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
4/33
Next Generation: AACS
Access, at the level of individual
players, is revocable Method for finding compromised keys
(traitor tracing)
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
5/33
AACS Broadcast Encryption
K1:4
K1:2 K3:4
K1:1 K2:2 K3:3 K4:4
1 2 3 4
Keys
Players
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
6/33
AACS Broadcast Encryption
K1:4
K1:2 K3:4
K1:1 K2:2 K3:3 K4:4
1 2 3 4
media
E(media,M) E(M, K1:4)
(Not to scale)
If the player has a key in the
MKB, it can decrypt media key
and then decrypt the media.
Media Key Block (MKB)
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
7/33
AACS Broadcast Encryption
K1:4
K1:2 K3:4
K1:1 K2:2 K3:3 K4:4
1 2 3 4
Suppose someone extracts
and publishes keys fromplayer 3
We can no longer use K1:4
to encode media key.
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
8/33
AACS Broadcast Encryption
K1:4
K1:2 K3:4
K1:1 K2:2 K3:3 K4:4
1 2 3 4
media
E(media,M) E(M, K1:2) E(M, K4:4)
Since player 3 cannot decrypt
media key, it is effectively disabled
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
9/33
Traitor Tracing
Key assumption: box is stateless
Use forensic tests to reveal information
about which keys a clone box contains
Goal: Confidently identify the
compromised keys.
Simplified goal: Identify at least one of
the compromised keys
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
10/33
Forensic Tests
Keys can be disabled in an MKB by
encrypting random bit strings instead of
media key
E(media,M) E(R, K1:2) E(M, K4:4)
Now, if the clone box only has K1:2, then it
will be unable to recover media.
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
11/33
Forensic Tests (example)
K1 K2 K3 K4
K1 K2 K3 K4
PLAY
PLAY
K1 K2 K3 K4 !PLAY
K1 K2 K3 K4 PLAY
K1 OR K2 OR K3 OR K4
K1 OR K2
K2 OR K3 OR K4
K1
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
12/33
Clone Box Strategy
If a box contains an enabled and
disabled key then it has the option to play
or not playStateless Plays each test T with a
fixed probability
If two tests play with a different probability, then
the clone box must contain one of the keys on
which they differ (w.r.t. disabling)
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
13/33
K3
NNL Tracing
K1 K2
K1 K2 K4 K5 K6
K1 K3 K4 K5 K6
K1 K2 K3 K4 K5 K6
K3 K4 K5 K6
K2
Pr(play)=1.0
Pr(play)=0.6
Pr(play)=0.1
Pr(play)=0.1
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
14/33
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
15/33
So a solution exists?
Not quite under reasonablecircumstances this could take
tens of years
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
16/33
Our Basic Approach
Strategy ~ Pr(clone plays | keys it contains)
Uniform choice:
Build explicit model about which keys
clone box contains Select most informative test at each
step
# enabled keys in clone
# keys in clond
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
17/33
The Cast
C: set of keys in clone box
F: the frontier, the complete set of keys
T: a test
K: a key or set of keys
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
18/33
Generic Algorithm
Loop
For all keys Ki
in frontier,
# Try to diagnose a compromised key
Return Kiif
Select test T
Submit to clone box, get response t{0,1}
# update beliefs
Pr(Ki C) >1- e
Pr(K1,K ,Kn ) Pr(K1,K ,Kn |T= t)
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
19/33
F
Bayesian Net: Nave
Approach
K1 K2 K3 K4 K5 K6
T1 T2 T3
Pr(T1) = 12
Pr(T2 ) =1
2Pr(T3 ) =1
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
20/33
Computational Bottlenecks
1. Inference is exponential in frontier
size.
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
21/33
Test Selection
In previous example, we learn nothing with
test T2
Quantify uncertainty about clone box withentropyand then choose test that maximizes
mutual information.
H(K|T) = - Pr(K' |TK' F
)log(Pr(K' |T))
I(K;T|T) = H(K|T) - H(K|T,T)
T* = argmax
T
I(K;T|T)
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
22/33
Computational Bottlenecks
Inference is exponential in frontier
size. Calculating entropy is exponential in
frontier size.
Number of possible tests isexponential in the frontier size.
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
23/33
Inference
Many approximate methods exist: belief
propagation, variational inference, mini-
buckets Somewhat unique requirements:
Marginal probabilities needed for diagnosis
must be exact Joint distribution needed for test selection
can be approximate
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
24/33
Key Observation
The probability of a test playing only
depends on the number of enabled and
disabled keys in the clone box.
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
25/33
F2F1
Partitioning Frontier
K1 K2 K3 K4 K5 K6
T
E1 E2 D2D1
Partitions are independent, given count nodes
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
26/33
Approximating Joint
Distribution
Pr(F) Pr(Fi)
i
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
27/33
Calculating Marginal
Probabilities Store joint distribution for each partition as a
table
Update table after each test.
Pr(Fi |T) = Pr(T| Fi)Pr(Fi)/Pr(T)
Pr(T| Fi) = Pr(Fi) Pr(T|
e,d E
j= e,
j D
j= d)
j
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
28/33
Space/Time Complexity
exp(|Fi|)O(|F|)+ O(|F|2)Running time
O(|F|2)Intermediate tablesexp(|F
i
|) O(|F|)Stored tables
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
29/33
Experiment: NNL Comparison
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
30/33
Experiment: Partition Size
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
31/33
Experiment: Watermarking
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
32/33
Take Aways
Exploited sufficient statistics in problem
specification
Marginal probabilities remain exact
Mutual information is a good measure
for test selection, but maybe not the
rightone
-
8/14/2019 Adaptive Traitor Tracing with Bayesian Networks (slides)
33/33
Thanks!