Defending against the pirate evolution attack

Abstract

A trace and revoke scheme is an encryption scheme for secure content distribution so that only authorized users can access the copyrighted content. When a clone device is recovered, the "trace" component detects the pirate users that have compromised the secret keys in their devices and participated in the construction of the clone device. The "revoke" component excludes the pirate users from accessing the future content. The state-of-art trace-revoke scheme is the very efficient subset difference based NNL scheme [11] which is also deployed in AACS [1], the industry new content protection standard for high definition DVDs. While its revocation and tracing are both very efficient, as pointed out by Kiayias and Pehlivanoglu from Crypto 2007, in its deployment NNL scheme may suffer from a new attack called pirate evolution attack . In this attack attackers reveal the compromised secret keys to the clone decoder very slowly through a number of generations of pirate decoders that will take long time to disable them all. They showed in a system with N users, the attacker can produce up to t *logN generations of pirate decoders given t sets of keys. In AACS context, that means a pirate can produce more than 300 generations of decoders by compromising only 10 devices. If this happens, it will indeed be a nightmare. In this paper we are interested in practical solutions that can defend well against the pirate evolution attack in practice. In particular we devise an easy and efficient approach for the subset difference based NNL scheme [11] to defend well against the potential pirate evolution attack. Indeed it takes as small as 2 generations to detect and disable a traitor in a coalition. This can be achieved by only negligibly increasing the cipher text header size in an application like AACS. The simplicity, efficiency and practicality of our approach has made AACS to adopt it to defend against the pirate evolution attack.