Adaptive Traitor Tracing with

Bayesian Networks

Philip Zigoris Hongxia Jin

University of California IBM Almaden Research
Santa Cruz, Ca San Jose, Ca
Broadcast Encryption
100101001011101
101101101100011
011010110100011

subscriber

non-subscriber
 A Brief History of DRM
(wrt DVDs)
• 1996 - DVD format first available, just in
time for Christmas
• 1999 - 16 year old reveals first device
key
• Within weeks, all device keys exposed

DVD distribution is no longer secure

 Next Generation: AACS

• Access, at the level of individual

players, is revocable
• Method for finding compromised keys
(traitor tracing)
 AACS Broadcast Encryption

K1:4

K1:2 K3:4 Keys

K1:1 K2:2 K3:3 K4:4

1 2 3 4 Players
 AACS Broadcast Encryption

K1:4 media
K1:2 K3:4 (Not to scale)
K1:1 K2:2 K3:3 K4:4
E(media,M) E(M, K1:4)

1 2 3 4
Media Key Block (MKB)

If the player has a key in the

MKB, it can decrypt media key
and then decrypt the media.
 AACS Broadcast Encryption

K1:4 Suppose someone extracts

K1:2 K3:4 and publishes keys from
player 3
K1:1 K2:2 K3:3 K4:4
We can no longer use K1:4
1 2 3 4 to encode media key.
 AACS Broadcast Encryption

K1:4 media
K1:2 K3:4

K1:1 K2:2 K3:3 K4:4

E(media,M) E(M, K1:2) E(M, K4:4)

1 2 3 4

Since player 3 cannot decrypt

media key, it is effectively disabled
 Traitor Tracing
• Key assumption: box is stateless
• Use forensic tests to reveal information
about which keys a clone box contains
• Goal: Confidently identify the
compromised keys.
• Simplified goal: Identify at least one of
the compromised keys
 Forensic Tests
• Keys can be disabled in an MKB by
encrypting random bit strings instead of
media key

E(media,M) E(R, K1:2) E(M, K4:4)

Now, if the clone box only has K1:2, then it

will be unable to recover media.
 Forensic Tests (example)

K1 K2 K3 K4 PLAY K1 OR K2 OR K3 OR K4

K1 OR K2
K1 K2 K3 K4 PLAY

K1 K2 K3 K4 !PLAY K2 OR K3 OR K4

K1 K2 K3 K4 PLAY K1
 Clone Box Strategy
•If a box contains an enabled and
disabled key then it has the option to play
or not play
•Stateless ⇒ Plays each test T with a
fixed probability
If two tests play with a different probability, then
the clone box must contain one of the keys on
which they differ (w.r.t. disabling)
 NNL Tracing

K1 K2 K3 K4 K5 K6 Pr(play)=1.0

K1 K2 K3 K4 K5 K6 Pr(play)=0.6

K1 K2 K3 K4 K5 K6 Pr(play)=0.1

K1 K2 K3 K4 K5 K6 Pr(play)=0.1
 NNL Tracing

• Binary search
• Difficult step is estimating Pr(play)
• Motivates (optimal?) adversarial
strategy: choose a key at random and
try to use it to play media (uniform
choice strategy)
So a solution exists?

Not quite… under reasonable

circumstances this could take
tens of years
 Our Basic Approach

• Strategy ~ Pr(clone plays | keys it contains)

– Uniform choice: # enabled keys in clone
# keys in clond

• Build explicit model about which keys

clone box contains
• Select most informative test at each
step
 The Cast

• C: set of keys in clone box

• F: the frontier, the complete set of keys
• T: a test
• K: a key or set of keys
 Generic Algorithm

• Loop
– For all keys Ki in frontier,
# Try to diagnose a compromised key
• Return Ki if Pr(K i Î C) > 1- e
– Select test T
– Submit to clone box, get response t∈{0,1}
# update beliefs
– Pr(K1,K ,K n ) ¬ Pr(K1,K ,K n | T = t)
 Bayesian Net: Naïve
Approach

T1 T2 T3
1
Pr(T1 ) =
2
1
Pr(T2 ) =
2
Pr(T3 ) = 1 K1 K2 K3 K4 K5 K6

F
 Computational Bottlenecks
1. Inference is exponential in frontier
size.
 Test Selection
• In previous example, we learn nothing with
test T2
• Quantify uncertainty about clone box with
entropy and then choose test that maximizes
mutual information.
H(K | T ) = - å Pr(K'| T )log(Pr(K'| T ))
K'Í F

I(K;T | T ) = H(K | T ) - H(K | T,T )

T = argmaxT I(K;T | T )
*
 Computational Bottlenecks

• Inference is exponential in frontier

size.
• Calculating entropy is exponential in
frontier size.
• Number of possible tests is
exponential in the frontier size.
 Inference
• Many approximate methods exist: belief
propagation, variational inference, mini-
buckets
• Somewhat unique requirements:
– Marginal probabilities needed for diagnosis
must be exact
– Joint distribution needed for test selection
can be approximate
 Key Observation

The probability of a test playing only

depends on the number of enabled and
disabled keys in the clone box.
 Partitioning Frontier

E1 D1 E2 D2

K1 K2 K3 K4 K5 K6
F1 F2

Partitions are independent, given count nodes

Approximating Joint
Distribution

i
Pr(F) » Õ Pr(F )
i
 Calculating Marginal
Probabilities
• Store joint distribution for each partition as a
table
• Update table after each test….

Pr(F i | T) = Pr(T | F i )Pr(F i ) /Pr(T)

Pr(T | F ) = Pr(F )å Pr(T |å E = e,å D = d)
i i j j

e,d j j
 Space/Time Complexity

Stored tables exp(|Fi|) O(|F|)

Intermediate tables O(|F|2)
Running time exp(|Fi|)O(|F|)+ O(|F|2)
Experiment: NNL Comparison
Experiment: Partition Size
Experiment: Watermarking
 Take Aways

• Exploited sufficient statistics in problem

specification
• Marginal probabilities remain exact
• Mutual information is a good measure
for test selection, but maybe not the
right one
Thanks!