Practical tracing traitors

Abstract

In this paper we discuss tracing traitors systems, with a focus on a particular problem we have encountered in building a commercial system. "Tracing traitors" is a cryptographic technology that determines, when an unauthorized copy of copyrighted content is encountered, which user or users were the source of the copy by examining the copy itself. In tracing traitors systems, it has been widely assumed that any two devices in the system should have as few cryptographic keys in common as possible: then, when the variation the key decrypts is discovered in the unauthorized copy, the number of devices that could have produced that variation is minimal. This assumption is so pervasive it often is not even stated explicitly. However, tracing traitors schemes also often ignore the likely next step-once the compromised device(s) are identified, their keys must be revoked so they cannot be further used in the system. In this paper we will show that the traceability of any minimal-key-overlap system inevitably begins to degrade once some of the keys are revoked. This has caused us to question the basic value of minimal key overlap. In fact, we think that very revocation-efficient key schemes, like broadcast-encryption key trees, in which some keys are highly shared, might actually provide better traceability over the life of a practical system with actual revocation. © 2009 Copyright SPIE - The International Society for Optical Engineering.