The present disclosure relates to the field of systems for secure communication and distribution of digital content in any of its various forms, including, but not limited to text, information, software, images, video, sound, music and combinations thereof, through communication and distribution methodologies that utilize the Internet and other telecommunications technologies. More particularly, the present disclosure relates to systems, methods and articles to tracing rebroadcast transmission by unauthorized distributors, and revoking keys previously assigned to such unauthorized distributors.
In a broadcast encryption setting, a transmission center transmits (e.g., broadcasts) content to a number N of recipients. An objective of such content transmission is to use the broadcast medium in such a way so that the center can revoke at will any subset of size R recipient from the population of recipients. To achieve this objective, the same decryption key cannot be provided to all the recipients. Two possible solutions that may be used to the broadcast encryption problem exhibit trade-offs between the receiver storage requirement and the ciphertext length. In a first such solution, each receiver (or recipient) obtains a personal key and subsequently the transmission center can use the broadcast medium to simulate a unicast by transmitting a (vector) ciphertext of length N-R. While this solution is optimal from the receiver storage point of view, this solution, on the other hand, results in a substantial waste of bandwidth. In a second solution, the center assigns a different key to any subset of receivers and each receiver is handed the keys for all the subsets it belongs to. In this case the ciphertext has a more optimal length, but each receiver is required to store 2N-1 keys, which is an exponential blow-up of storage requirements. Other solutions offering improved trade-offs have been proposed, including the solution described by in Naor et al., “Revocation and Tracing Schemes for Stateless Receivers”, CRYPTO 20001, LNCS 2139, Spring 2001, pp. 41-62, the content of which is hereby incorporated by reference in its entirety, in which a procedure that used a ciphertext with a length proportional to the number of revoked users R, enabled unlimited number of revocations.
One form of unauthorized distribution of content is the so-called Pirate Rebroadcast Attack in which traitors (adversarial receivers that enable content they receive to be provided to non-subscribers) first decrypt the content by using their key material and then, once the content data is in clear text form, they rebroadcast the content. In this form of unauthorized distribution the rebroadcast data generally does not provide information about the traitor keys used to decode the transmissions from the transmission center. A solution to this problem would be the use of digital marking (e.g., watermarking) techniques where the content itself becomes varied over the user population. One form of this solution would be to mark the content individually so that each user has its own copy. However, this particular solution requires too much bandwidth. Two techniques that relax the bandwidth requirement include dynamic traitor tracing and sequential traitor tracing. In both these approaches the transmission center controls the marking of content, and by observing the feedback from the pirate rebroadcast it can identify the traitors. In the dynamic traitor tracing approach the center obtains feedback for every transmission and tries to localize the suspect list by reassigning the marks adaptively. The number of traitors is not known beforehand and the system adjusts itself after each feedback. In sequential traitor tracing, the assignment of marks to the variations is predetermined (hence the transmission mechanism is not adaptive to the feedback). The above tracing techniques do not provide revocation capabilities.
Another conventional tracing approach is the Advanced Access Content System (AACS) (as described, for example, in “AACS Specification”, 2006, the content of which is hereby incorporated by reference in its entirety) which is the current standard for content scrambling of Blu-Ray disks and HD-DVDs and offers a trace and revoking mechanism for pirate rebroadcasts. However, the AACS scheme is generally found to enable a limited number of revocations that is typically limited by the number of stored keys in a receiver. The AACS scheme generally also has a limit on the maximum number of traitors that can be identified.