The entertainment industry is in the midst of a digital revolution. Music, television, and movies are increasingly becoming digital, offering new advantages to the consumer in quality and flexibility. At the same time, since digital data can be perfectly and quickly copied, the digital revolution also comprises a threat. If consumers may freely copy entertainment content and offer that content on the Internet, the market for entertainment content would evaporate.
To solve this problem, several content protection schemes have been devised and are in wide use in the market. For example, DVD video is protected by the Content Scrambling System (CSS), DVD audio is protected by Content Protection for Pre-recorded Media (CPPM), digital video and audio recorders are protected by Content Protection for Recordable Media (CPRM), and digital busses are protected by Digital Transmission Content Protection (DTCP). All these schemes are based on encryption of the content. The device manufacturer is given cryptographic keys to decrypt the content, and in return is obligated by the license to follow a set of rules limiting the physical copies that can be made from a single piece of content.
The cryptographic keys required to encrypt and decrypt the content are distributed from a key generation facility to various entities involved in the content distribution network: content creators, media duplication facilities, devices for playing content, content distribution facilities, etc. Maintaining the secrecy of the cryptographic keys is essential for maintaining the integrity of a secure content protection scheme. The consequences of accidental or malicious disclosure of the long-lived secret keys are grave; loss of these secrets can lead total breakdown of the copy protection schemes the secrets support, and ultimately, to huge monetary loss for the participants of the copy protection scheme.
In the event that a device (and its keys) becomes compromised, deliberately or by mistake, it is necessary to revoke the keys of that device. Revoking a set of keys effectively renders the compromised device (and any clones thereof) inoperable to play content that is produced after the revocation.
Content protection solutions such as CPRM have utilized broadcast encryption technologies. In these solutions, each device is assigned a set of device keys that can be indirectly used to decrypt the content. The device keys, owned by compliant devices, repeatedly encrypt the content encrypting key (called the media key) in a structure called a media key block (MKB). Each device uses its device key to decrypt the media key block to obtain a valid media key to decrypt the content.
To circumvent the content protection solutions, an adversary may break a device, extract the device keys, and build a circumvention device (also known as a clone device or a clone box) comprising the extracted device keys to decrypt protected content. To identify which original devices (called traitors) have donated their keys to the circumvention device, traitor-tracing technologies are used.
One conventional traitor-tracing technology uses forensic media key blocks. When a circumvention device is found, the license agency starts feeding forensic media key blocks to the device. These forensic media key blocks are different from normal media key blocks in that the forensic media key blocks only work correctly for a fraction of the devices in the system. By sending a sequence of forensic media key blocks to the circumvention device, the licensing agency can determine precisely which device keys the circumvention device comprises. The licensing agency can then produce new media key blocks that revoke those compromised device keys such that newly released content cannot be played by the circumvention device.
Another conventional traitor-tracing technology comprises a subset-difference method, that is described, for example, in “Naor D., et al., “Revocation and Tracing Schemes for Stateless Receivers”, Crypto 2001, LNCS Volume 2139, pages 41-62, 2001, which is incorporated in its entirety herein by reference. The subset-difference method comprises a “subset tracing” method as the basic building block for a traitor-tracing scheme. The subset tracing method has proven to be theoretically useful. A circumvention device may comprise many device keys, each obtained by reverse engineering a legitimate device. To determine the compromised keys, the subset tracing method requires on the order of T3 log(T) forensic media key blocks to test a circumvention device comprising T sets of compromised device keys. However, this method has not proven to be a completely practical solution, in that the measures taken by the circumvention device might slow down the testing process. For example, each testing iteration may take a minute or more. A circumvention device comprising 100 compromised keys (i.e., T=100) may require over 15 years to determine the device keys the circumvention device has compromised. In effect, such a circumvention device had defeated the content protection system.
What is therefore needed is a system, a service, a computer program product, and an associated method for tracing traitors from a content protection circumvention devices that reduces the number of forensic media key blocks (MKBs) required to detect traitors from the circumvention device. The need for such a solution has heretofore remained unsatisfied.