Abstract
Active fingerprinting schemes were originally invented to deter malicious users from illegally releasing an item, such as a movie or an image. To achieve this, each time an item is released, a different fingerprint is embedded in it. If the fingerprint is created from an anticollusion code, the fingerprinting scheme can trace colluding buyers who forge fake copies of the item using their own legitimate copies. Charpentier, Fontaine, Furon and Cox were the first to propose an asymmetric fingerprinting scheme based on Tardos codes – the most efficient anticollusion codes known to this day. However, their work focuses on security but does not preserve the privacy of buyers. To address this issue, we introduce the first privacypreserving asymmetric fingerprinting protocol based on Tardos codes. This protocol is optimal with respect traitor tracing. We also formally define the properties of correctness, antiframing, traitor tracing, as well as buyerunlinkability. Finally, we prove that our protocol achieves these properties and give exact bounds for each of them.
Caroline Fontaine—This work has received a French governmental support granted to the COMIN Labs excellence laboratory and managed by the National Research Agency in the “Investing for the Future” program under reference ANR10LABX0701.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
 1.
In particular, we need to provide the buyers with transactionspecific pseudonyms during the buying phase of our protocol, rather than assuming than these pseudonyms are inherited from the payment scheme. This property is achieved through the use of a group signature scheme. The only assumption that we make on the payment protocol is that it preserves the anonymity of the buyer.
 2.
In both [9] and in our work, only binary Tardos codes are used. We therefore just describe the parameters used in the binary case.
 3.
By “global false alarm” we refer to the probability that any innocent buyer (rather than merely a particular one) is falsely accused.
 4.
 5.
This NIZK is a proof of correctness in which the witness consists of the maximum number \(c\) of detected colluders, the probability \(\delta \) that an innocent is wrongly accused, the accusation threshold \(Z\), and probabilities \(p_{i}\) for \(i \in \{1, \dots , m\}\). The statement proved by the NIZKPK consists of the following conditions: \(m= 2 \pi c^2 [\ln {\frac{1}{\delta }}]\) and that \(p_{i} = (\sin r_i)^2\) for some random \(r_i\) uniformly picked in a specific interval (see [9]).
 6.
For the purpose of attaining the exact bounds of the Theorem in Sect. 4.2, we additionally assume that buyers only have blackbox access to the protocols during the buying process. For a detailed discussion of this assumption, see the remark on privacy versus traitortracing.
 7.
The witness for this NIZKPK consists of the transaction transcripts for the guilty parties (including the group signatures for the 1outof2 OT rounds), their scores (computed as in [32]) and the threshold. The NIZKPK statement is that the scores are correctly computed, that they are higher than the threshold, and that the signed messages sent along with the proof are indeed the ones associated to the transactions.
References
Abdul, W., Gaborit, P., Carré, P.: Private anonymous fingerprinting for color images in the wavelet domain. In: Proceedings of SPIE Multimedia on Mobile Devices, vol. 7542 (2010)
Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) Advances of Cryptology EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. SpringerVerlag, Heidelberg (2003)
Blum, M., Feldman, P., Micali, S.: Noninteractive zeroknowledge and its applications. In: Proceedings of the Annual Symposium on the Theory of Computing (STOC), pp. 103–112 (1988)
Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)
Brassard, G., Crépeau, C., Robert, J.M.: Allornothing disclosure of secrets. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 234–238. Springer, Heidelberg (1987)
Camenisch, J.L.: Efficient anonymous fingerprinting with group signatures. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 415–428. Springer, Heidelberg (2000)
Camenisch, J.L., Neven, G., Shelat, A.: Simulatable adaptive oblivious transfer. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 573–590. Springer, Heidelberg (2007)
Cérou, F., Furon, T., Guyader, A.: Experimental assessment of the reliability for watermarking and fingerprinting schemes. EURASIP J. Inf. Secur. 2008, 12 (2008). Article ID 414962
Charpentier, A., Fontaine, C., Furon, T., Cox, I.: An asymmetric fingerprinting scheme based on tardos codes. In: Filler, T., Pevný, T., Craver, S., Ker, A. (eds.) IH 2011. LNCS, vol. 6958, pp. 43–58. Springer, Heidelberg (2011)
Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991)
Chu, C.K., Tzeng, W.G.: Efficient koutofn oblivious transfer schemes with adaptive and nonadaptive queries. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 172–183. Springer, Heidelberg (2005)
Gambs, S., Onete, C., Robert, J.: Prover anonymous and deniable distancebounding authentication. In: Proceedings of ACM AsiaCCS 2014, Accepted for publication. ACM Press (2014)
Green, M., Hohenberger, S.: Blind identitybased encryption and simulatable oblivious transfer. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 265–282. Springer, Heidelberg (2007)
Green, M., Hohenberger, S.: Universally composable adaptive oblivious transfer. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 179–197. Springer, Heidelberg (2008)
Groth, J., Ostrovsky, R., Sahai, A.: Perfect noninteractive zero knowledge for NP. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 339–358. Springer, Heidelberg (2006)
Groth, J., Sahai, A.: Efficient noninteractive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008)
Hermans, J., Pashalidis, A., Vercauteren, F., Preneel, B.: A new RFID privacy model. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 568–587. Springer, Heidelberg (2011)
Kohlweiss, M., Maurer, U., Onete, C., Tackmann, B., Venturi, D.: Anonymitypreserving publickey encryption: a constructive approach. In: De Cristofaro, E., Wright, M. (eds.) PETS 2013. LNCS, vol. 7981, pp. 19–39. Springer, Heidelberg (2013)
Lindell, A.Y.: Efficient fullysimulatable oblivious transfer. In: Malkin, T. (ed.) CTRSA 2008. LNCS, vol. 4964, pp. 52–70. Springer, Heidelberg (2008)
Naor, M., Pinkas, B.: Efficient oblivious transfer protocols. In: Proceedings of the 12th ACMSIAM Symposium on Discrete Algorithms (SODA 2001), pp. 448–457. SIAM (2001)
Oprea, A., Bowers, K.D.: Authentic timestamps for archival storage. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 136–151. Springer, Heidelberg (2009)
Pfitzmann, B., Sadeghi, A.R.: Coinbased anonymous fingerprinting. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 150–164. Springer, Heidelberg (1999)
Pfitzmann, B., Sadeghi, A.R.: Anonymous fingerprinting with direct nonrepudiation. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 401–414. Springer, Heidelberg (2000)
Pfitzmann, B., Schunter, M.: Asymmetric fingerprinting. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 84–95. Springer, Heidelberg (1996)
Pfitzmann, B., Waidner, M.: Anonymous fingerprinting. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 88–102. Springer, Heidelberg (1997)
Pfitzmann, B., Waidner, M.: Asymmetric fingerprinting for larger collusions. In: Proceedings of the 4th ACM conference on Computer and Communications Security (ACM CCS 1997), pp. 151–160. ACM Press (1997)
Rabin, M.: How to exchange secrets with oblivious transfer. Harvard University Technical Report and IACR Eprint archive, report 187/2005 (1981). http://eprint.iacr.org/2005/187
Rial, A., Deng, M., Bianchi, T., Piva, A., Preneel, B.: A provably secure anonymous buyerseller watermarking protocol. IEEE Trans. Inf. Forensics Secur. 5, 920–9310 (2010). IEEE
Stern, J.P.: A new and efficient allornothing disclosure of secrets protocol. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 357–371. Springer, Heidelberg (1998)
Tardos, G.: Optimal probabilistic fingerprint codes. In: Proceedings of the 35th ACM Symposium on Theory of Computing (STOC 2003), pp. 116–125. ACM Press (2003)
Vaudenay, S.: On privacy models for RFID. In: Kurosawa, K. (ed.) Advances in Cryptology–ASIACRYPT 2007. LNCS, vol. 4833, pp. 68–87. Springer, Heidelberg (2007)
Škorić, B., Katzenbeisser, S., Celik, M.: Symmetric tardos fingerprinting codes for arbitrary alphabet sizes. Des. Codes Crypt. 46, 137–166 (2008). SpringerVerlag
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A The Full Security Model
A The Full Security Model
1.1 A.1 Watermarking and Fingerprinting Assumptions
Watermarking and fingerprinting assumptions. In our context, a protocol is run between a buyer and the merchant each time the former wants to recover a specific item. At the end of the protocol, the buyer can retrieve the item such that each block of the item is fingerprinted with exactly one bit. Thus, each buyer’s version of the item is personalized with a unique fingerprint. We assume that the fingerprint is embedded in the item by means of a watermarking technique, which is imperceptible to humans and robust with respect to certain attacks. More specifically:

1.
The watermarking function, denoted by \(\mathsf {W}\), does not allow an adversary to recover even a single bit of the fingerprint.

2.
The watermarking technique is robust with respect to signal attacks, such as compressing, printing, scanning, resizing or cropping of the digital medium representing the item.

3.
A collusion of malicious users can combine parts of their copies to create a forged item. However, they are restricted by the fact that if they have the same fingerprint block recurring at the same position in all their watermarked copies, they cannot output a copy in which the fingerprint bit at that specific position is different than the one they have in all their copies. This wellknown assumption is called the marking assumption in the literature. Note that, if the collusion only involves a single buyer, this assumption precludes this buyer from producing a different (forged) fingerprint of the item.
In a collusion attack, several buyers combine parts of the legitimate fingerprinted items they own in order to forge an illegitimate copy. More precisely, they may combine the bits of their watermarks in an arbitrary manner, even adding erasures or errors, under the sole restriction of the marking assumption (see above). Examples of collusion attacks include the majority and minority rules, as well as the random choice. In the majority rule, the colluders choose for each block the most frequent fingerprint block in their copies (without necessarily knowing the value of this block) while in the minority rule, the less frequent fingerprinted block is chosen. Finally, in the random choice strategy, a random fingerprint is chosen amongst the available ones. A quite different strategy is a fusion of blocks. In this attack, the marking assumption has for consequence that for some blocks the fingerprint generated will be an error or an erasure, but never a valid fingerprinted block. The objective of the Tardos code is precisely to guarantee that in case of a collusion, with high probability at least one of its member will be traced.
1.2 A.2 A Formal Description of \(\mathtt {PFP\text {}TT}\) Schemes
Definition. A Privacypreserving Fingerprinted Protocol with TraitorTracing capacities is a tuple of algorithms \(\mathtt {PFP\text {}TT}= (\mathtt {Setup}, \mathtt {BReg}, \mathtt {IPrep}, \mathtt {IBuy}, \mathtt {IRecover}, \mathtt {Open})\) such that:

\(\mathtt {Setup}\): when given as input a security parameter \(1^\lambda \), this algorithm returns secret parameters \(\mathsf {spar}\) (to be divided between the \(\mathsf {CA}\) and the \(\mathsf {OA}\)) and the public parameters \(\mathsf {ppar}\) that are available to all parties. We assume that the remaining algorithms all implicitly take as input the public parameters \(\mathsf {ppar}\).

\(\mathtt {BReg}\): when given as input \(\mathsf {spar}\) and a buyer’s identity \(B_{}\), the buyer registration algorithm outputs either a secret key \(\mathsf {sk_{B_{}}}\) for \(B_{}\), or \(\bot \).

\(\mathtt {IPrep}\): when given as input an item \(I_{}\), the item preparation algorithm outputs the prepared item \(\tau _{\mathsf {I_{}}}\) (in our case, a WriteOnceReadMany WORM table [21]), a proof \(\pi _{\mathsf {I_{}}}\) that the item has been correctly formed, a matrix of keys \({\kappa }_{I_{I_{}}}\) and a matrix \(\mathcal {F}_{I_{}}\) of fingerprints used for the preparation.

\(\mathtt {IBuy}\): the interactive buyermerchant algorithm takes as input an item \(I_{}\), the secret key \(\mathsf {sk_{B_{}}}\) of a buyer, and a keymatrix \({\kappa }_{I_{I_{}}}\) generated at item preparation. The output is a set \(\mathbf {KI}_{B_{},I_{}}\) and some auxiliary information \(\mathsf {aux_{B_{},I_{}}}\) (in our case a halfword).

\(\mathtt {IRecover}\): when given as input the key set \(\mathbf {KI}_{B_{},I_{}}\), the prepared item \(\tau _{\mathsf {I_{}}}\) and the proof \(\pi _{\mathsf {I_{}}}\), the recovery algorithm returns a fingerprinted item \(\mathsf {FI_{B_{}, I_{}}}\) or the symbol \(\bot \).

\(\mathtt {Open}\): when given as input a (merchantgenerated) proof \(\pi _{\mathsf {M}}\) and \(\mathsf {spar}\), this algorithm outputs a set of buyer identities, denoted \(\{B_{i}\}_{i=1}^d\) or an error symbol \(\bot \). The value \(d\) is at most equals to the number of buyers \(c\) running a collusion attack.

\(\mathtt {Accuse}\): the accusation algorithm takes as input a fingerprinted copy \(\mathsf {FI_{, }}\) and the set of all auxiliary information \(\mathsf {aux_{B_{},I_{}}}\) obtained from honest transactions, and outputs a proof \(\pi _{\mathsf {}}\).
Formal Oracles. Adversary interaction is captured by the following oracles:

\(\mathsf {Buy}^*(I_{},B_{},\mathsf {input^*})\): This oracle allows an adversary (in particular a malicious merchant) to deviate from protocol and execute the \(\mathtt {IBuy}\) algorithm for item \(I_{}\) and buyer \(B_{}\) with malicious input \(\mathsf {input^*}\). It returns the full output of the \(\mathtt {IBuy}\) algorithm and the transcript of the transaction.

\(\mathsf {Execute}(I_{}, B_{})\): This oracle takes as input an item identifier \(I_{}\) and a buyer identifier \(B_{}\), and simulates the execution of the \(\mathtt {IBuy}\) algorithm for buyer \(B_{}\) and item \(I_{}\) for an honest merchant input. The oracle outputs the two values produced by the buying algorithm: the keys \(\mathbf {KI}_{B_{},I_{}}\) and the auxiliary information \(\mathsf {aux_{B_{},I_{}}}\), as well as the transcript of the transaction.

\(\mathsf {BBuy}(I_{}, \mathsf {sk_{B_{}}})\): This oracle takes as input a buyer’s secret key \(\mathsf {sk_{B_{}}}\) and an item \(I_{}\) and runs the \(\mathtt {IBuy}\) algorithm, returning \(\mathbf {KI}_{B_{},I_{}}\) and the full transcript.

\(\mathsf {Open}(\pi _{\mathsf {M}})\): This oracle takes as input a proof \(\pi _{\mathsf {M}}\) and runs the opening algorithm \(\mathtt {Open}\) on input \(\pi _{\mathsf {M}}\) and the secret parameters \(\mathsf {spar}\), outputting a set of identities \(\{B_{i}\}_{i=1}^d\). The oracle \(\mathsf {Open}\) returns this set of identities.

\(\mathsf {Corrupt}(B_{})\): This oracle takes as input a buyer identifier \(B_{}\) and outputs the buyer’s secret key \(\mathsf {sk_{B_{}}}\).

\(\mathsf {Collude}(\{{\mathsf {FI_{B_{i}, I_{}}}}\}_{i=1}^k, \mathsf {strategy})\): This oracle takes as inputs a set of at most \(k \le c\) legitimatelybought fingerprinted copies \(\{{\mathsf {FI_{B_{i}, I}}}\}_{i=1}^k\), and a strategy \(\mathsf {strategy}\) outputs a forged fingerprinted copy, \(\mathsf {FI_{\tilde{B_{}}, \tilde{I_{}}}}\). The strategy can be arbitrary with the following restriction: if for some block \(i\) of the item the recovered fingerprinted block \(\mathsf {fb}^{i, j}_{I_{}}\) of all the colluding users embeds the \(\gamma \)bit fingerprint \(f^{i,j}_{I_{}}\), then the corresponding fingerprinted block of the forged item \(\mathsf {FI_{B_{}^*, I_{}^*}}\) must embed the fingerprint \(f^{i,j}_{I_{}}\) (this is a consequence of the marking assumption).

\(\mathsf {Accuse}(\mathsf {FI_{, }})\): This oracle runs \(\mathtt {Accuse}\) on input the fingerprinted copy \(\mathsf {FI_{,, a}}\) matrix of keys \({\kappa }_{I_{I_{}}}\), and a matrix of fingerprints \(\mathcal {F}_{I_{}}\), outputting the proof \(\pi _{\mathsf {}}\).
The \(\mathsf {Test}\) oracles We proceed by listing the formal \(\mathsf {Test}\) oracles for each property.

Correctness: when given as input a product identifier \(I_{}\) and a buyer identifier \(B_{}\), \(\mathsf {Test}^\mathsf{Corr }\) runs \(\mathsf {Execute}(I_{}, B_{})\), outputting the keys \(\mathbf {KI}_{B_{},I_{}}= \{(j, \tilde{\mathsf {k}^{i, j}_{I_{}}}\}_{j \in \{1, \dots , N\}}\), for consecutive values of \(i\) (if the values are not consecutive or have the wrong format, \(\mathsf {Test}^\mathsf{Corr }\) returns \(0\)). The algorithm \(\mathtt {IRecover}\) is subsequently run on input the keys \(\mathbf {KI}_{B_{},I_{}}\), the table \(\tau _{\mathsf {I_{}}}\), and the proof \(\pi _{\mathsf {I_{}}}\), outputting the series of blocks \(\mathsf {FI_{B_{}, I_{}}}\) (else, if \(\bot \) is output, the oracle \(\mathsf {Test}^\mathsf{Corr }\) returns \(0\)). The oracle tests if for each entry \([\mathsf {FI_{B_{}, I_{}}}]_{i,j}\), it holds that \([\tau _{\mathsf {I_{}}}]_{i,j} = \mathsf {P}([\mathsf {FI_{B_{}, I_{}}}]_{i,j}, [{\kappa }_{I_{I_{}}}]_{i,j})\) for some oneway trapdoor preparation function \(\mathsf {P}\). If this last check fails, the oracle outputs \(0\) while otherwise it outputs \(1\).

Buyerunlinkability: when given as input two buyer identities \(B_{i}\) and \(B_{j}\), and a text parameter \(\mathsf {text} \in \{\mathsf {draw}, \mathsf {free}\}\), the \(\mathsf {Test}^\mathsf{BUnlink }_b\) oracle, which keeps an internal database \(\mathcal {D}_{\mathsf {Test}^\mathsf{BUnlink }}\), consistently associates either the first or the second input buyer identities with a handle \(\mathsf {handle}\) depending on an input bit \(b\). In this mode, once the \(\mathsf {Test}^\mathsf{BUnlink }(\cdot , \cdot , \mathsf {draw})\) query is run, the adversary may interact with the anonymized buyer by means of the \(\mathsf {Execute}\) and respectively \(\mathsf {Buy}^*\) oracles (we modify these oracles to take as input the handle \(\mathsf {handle}\) instead of the identifier of the buyer). The adversary may also choose to interact with other buyers or corrupt them. Finally, the adversary will free the two buyers by means of a \(\mathsf {Test}^\mathsf{BUnlink }(\cdot , \cdot , \mathsf {free})\) query. If the adversary queries the Test oracle with text input \(\mathsf {draw}\) while the current handle has not been released, this oracle returns \(\bot \). Similarly, trying to free a handle while no handle is currently associated to any buyer will yield the output \(\bot \).

Antiframing: when given as input a proof \(\pi _{\mathsf {M}}\), \(\mathsf {Test}^\mathsf{NoFrame }\) runs the \(\mathsf {Open}\) oracle as a black box, receiving the set of identities \(\{B_{i}\}_{i=1}^d\). The oracle checks if at least one identity output by \(\mathsf {Open}\) is uncorrupted at the time of the \(\mathsf {Test}^\mathsf{NoFrame }\) query. If this statement is true, the oracle outputs \(1\) while otherwise it returns \(0\).

Traitortracing: when given as input a set of honest fingerprinted copies \(\{\mathsf {FI_{B_{i}, I_{}}}\}_{i=1}^k\) and a strategy \(\mathsf {strategy}\), \(\mathsf {Test}^\mathsf{TT }\) internally runs \(\mathsf {Collude}\), outputting a forged copy \(\mathsf {FI_{, }}\). Subsequently, it runs \(\mathsf {Accuse}\) on input \(\mathsf {FI_{, }}\), receiving the proof \(\pi _{\mathsf {}}\). This proof is given as input to the \(\mathsf {Open}\) oracle, which returns a set of identities \(\{B_{j}\}_{j=1}^d\). If there exists some buyer \(B_{}^*\) such that one of the inputs was \(\mathsf {FI_{B_{}^*, I_{}}}\) and \(B_{}^*\) is amongst the outputs of the \(\mathsf {Open}\) query, then the oracle \(\mathsf {Test}^\mathsf{TT }\) returns \(1\) and the proof \(\pi _{\mathsf {}}\), while otherwise it returns \(0\).
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Fontaine, C., Gambs, S., Lolive, J., Onete, C. (2015). Private Asymmetric Fingerprinting: A Protocol with Optimal Traitor Tracing Using Tardos Codes. In: Aranha, D., Menezes, A. (eds) Progress in Cryptology  LATINCRYPT 2014. LATINCRYPT 2014. Lecture Notes in Computer Science(), vol 8895. Springer, Cham. https://doi.org/10.1007/9783319162959_11
Download citation
DOI: https://doi.org/10.1007/9783319162959_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 9783319162942
Online ISBN: 9783319162959
eBook Packages: Computer ScienceComputer Science (R0)