Attack on Sebe, Domingo-Ferrer and Herrera-Joancomarti ... - CiteSeerX

Attack on Sebe´, Domingo-Ferrer and Herrera-Joancomarti fingerprinting schemes M. Burmester and Tri Le Sebe´ and Domingo-Ferrer proposed in a recent Letter a fingerprinting scheme that exploits the properties of dual binary Hamming codes to reduce the length of fingerprints. The authors show that this scheme is subject to an attack in which a collusion of (any) three buyers can frame an innocent buyer.

Introduction: Piracy of digital assets, and in particular multimedia data, is a major concern to industry, particularly since access to such data via the internet is readily available. Protection usually involves the insertion of a digital copyright in the form of a fingerprint. Fingerprinting algorithms introduce a small number of imperceptible errors, called marks, in specified positions of the data. The positions marked and their values are kept secret. It should not be possible for a buyer to remove the fingerprint without affecting significantly the quality of the copy. However, a collusion of buyers can detect some of the marks of their copies by comparing them. These marks can then be deleted or flipped. The goal of a (malicious) collusion is to make pirate copies that either cannot be linked to any particular buyer (e.g. by erasing most of the fingerprint), or that are linked to other buyers. Such buyers are said to be framed. A fingerprinting scheme in which innocent buyers are framed is of no practical use. This applies even if the set of buyers that are linked to pirate copy includes some of the colluding buyers, provided it is not possible to distinguish the innocent buyers. S-DF fingerprinting scheme [1, 2]: This is based on a fingerprinting code proposed by Domingo-Ferrer and Herrera-Joancomarti in a recent Letter [3]. The S-DF scheme combines two codes: an outer code, which is a dual binary Hamming code Hn of length N ¼ 2n
1 [5], and an inner scattering code SC(s,t) of length (2t þ 1)s which is used to encode the bits of the outer code. The inner codewords used to encode bit 1 are of type: 1s 0si 1s 0s(2t
i
1), where 1k (0k) is a block of k ones (k zeros) and i is selected at random from {0,1, . . . ,t
1}. The inner codewords used to encode bit 0 are of type: 0s 0s(tþi) 1s 0s(t
i
1). Observe that an inner encoding of bit 1 differs in the first s places from an inner encoding of 0. The decoding rules stipulate that a (2t þ 1)s-tuple with pattern 1s    0st (0s0st    ) is decoded to bit 1 (0). There are also rules for the other cases, but these will not concern us in our attack. To trace a colluder from a confiscated pirate copy, the forged fingerprint is first decoded using the inner decoding rules described above; then any user whose fingerprint (codeword) has minimal Hamming distance from the decoded fingerprint is denounced as a colluder. With the S-DF scheme up to N copies can be marked, each with a fingerprint of length (2t þ 1)sN. It is shown in [1] that this length is significantly less than the length of the Boneh and Shaw [4] codes, when N is relatively small. However we shall show below that the S-DF scheme is flawed: a collusion of 3 buyers can make a pirate copy that will frame an innocent buyer.

c

Attack: Let X, Y, Z be three malicious buyers whose copies have outer codewords x, y, z 2 Hn. Let inv(x, y, z) ¼ {i, 1  i  Njxi ¼ yi ¼ zi} be the set of positions in which x, y, z have the same values and var(x, y, z) ¼ {i, 1  i  Nj (xi ¼ yi ¼ zi)} the set of positions in which x, y, z do not have the same values. We have jinv(x, y, z)j ¼ 2n
2
1 [2] and consequently jvar(x, y, z) ¼ 3  2n
2. We use the invariant positions of x, y, z to partition the representation of tuples u 2 {0,1}N as follows. Each u is represented by (u1, u2), where u1 ¼ uinv(x,y,z) is the tuple of bits of u in inv(x, y, z) and u2 ¼ uvar(x,y,z) the tuple in var(x, y, z). It is easy to see that if u 2 Hn then u1 belongs to the dual Hamming Code Hn
2 of length 2n
2
1. The attack has as follows: From their copies, the colluders X, Y, Z can find the positions of the inner marks of

x2, y2, z2 (but not those of x1 ¼ y1 ¼ z1), X, Y, Z use this information to make a pirate copy in which the bit value 0 is assigned to all positions in their copies which have different values. Then the inner codewords corresponding to the bits in var(x, y, z) will each be 0(2tþ1)s, which is decoded to 0 when using the S-DF decoding rule described above. As for the inner codewords corresponding to the bits in inv(x, y, z), these will be of type 0s    or 1s    , depending on whether the outer bit is 0 or 1; so the S-DF decoding rule will leave the corresponding outer bits invariant. Therefore the outer code of the fingerprint of the n
2 pirate copy will be w ¼ (w1, 032 ), where w1 ¼ x1 ¼ y1 ¼ z1. We shall now show that w has the same (Hamming) distance [5] from each one of the codewords x, y, z and x þ y þ z. In particular: d(w, x) ¼ d(w, y) ¼ d(w, z) ¼ d(w, x þ y þ z) ¼ 3  2n
2. First observe that d(w, x) ¼ d(w1, x1) þ d(w2, x2) ¼ 3  2n
2, since d(w1, x1) ¼ 0 and d(w2, x2) ¼ n
2 wt(x2) ¼ wt(x)
wt(x1) ¼ 2n
1
2n
3 ¼ 3  2n
3, because w2 ¼ 032 n
1 and the weight wt(u) [5] of any codeword u 2 Hn (u 2 Hn
2 is 2 (2n
3). A similar argument applies to d(w, y) and d(w, z). Next, d(w, x þ y þ z) ¼ d(w1, x1 þ y1 þ z1) þ d(w2, x2 þ y2 þ z2) ¼ 0 þ 3  2n
2, n
2 since w1 ¼ x1 þ y1 þ z1, w2 ¼ 032 and d(w2, x2 þ y2 þ z2) ¼ wt(x2 þ y2 þ z2) ¼ wt(x þ y þ z)
wt(x1 þ y1 þ z1) ¼ 2n
1
2n
3 ¼ 3  2n
3. It follows that it is impossible to decide which 3 of the 4 outer codewords x, y, z, x þ y þ z have been used to make the pirate copy with fingerprint w. Consequently, if U is the (innocent) buyer assigned x þ y þ z, then it is not possible to trace the three colluders X, Y, Z without framing U with probability 1=3.

Remark: Dual Hamming codes can be used to design fingerprinting schemes which are secure against c ¼ 2 collusions. Although the code proposed in [3] is also flawed (in this case, if x, y 2 Hn are assigned to 2 colluding buyers then the buyers assigned x þ y will be framed), it is easy to fix it by using the scattering inner code of [1], or by using a simple (deterministic) 2-bit inner code. However if dual Hamming codes are used with c ¼ 3 colluders, then the number of hidden marks is less than a quarter of the total number of marks of the fingerprint. This is not sufficient to prevent framing with our fix. Recently a probabilistic fingerprinting scheme has been proposed [6] which, when the number of colluders c is constant, is significant shorter than the Boneh-Shaw scheme when the error is negligible. For this code, the fraction of hidden marks is approximately 1=e.

Acknowledgment: This material is based upon work supported in part by the U.S. Army Research Laboratory and U.S. Army Research Office under grant number DAAD19-02-1-0235. # IEE 2004 Electronics Letters online no: 20040174 doi: 10.1049/el:20040174

5 August 2003

M. Burmester and Tri Le (Department of Computer Science, Florida State University, Tallahassee, Florida 32306, USA) E-mail: [email protected] References 1 2 3 4 5 6

Sebe´, F., and Domingo-Ferrer, J.: ‘Short 3-secure fingerprinting codes for copyright protection’ in Batten, L., Seberry, J. (Eds.): ‘ACISP 2002’ (Springer, 2002), vol. LNCS 2384, pp. 316–327 Sebe´, F., and Domingo-Ferrer, J.: ‘Scattering codes to implement short 3-secure fingerprinting for copyright protection’, Electron. Lett., 2002, 38, (17), pp. 958–959 Domingo-Ferrer, J., and Herrera-Joancomarti, J.: ‘Short collusion-secure fingerprints based on dual binary Hamming codes’, Electron. Lett., 2000, 36, (20), pp. 1697–1699 Boneh, D., and Shaw, J.: ‘Collusion-secure fingerprinting for digital data’, IEEE Trans. Inf. Theory, 1998, IT-44, (95), pp. 1897–1905 MacWilliams, F.J., and Sloane, N.J.A.: ‘The theory of error correcting codes’ (North-Holland, 1977) Van Le, T., Burmester, M., and Hu, J.: ‘Short c-secure Fingerprinting Codes’. Proceedings of the 6th Information Security Conference (ISC’03), Bristol, UK, 1–3 October 2003

ELECTRONICS LETTERS 5th February 2004 Vol. 40 No. 3