eWeek: Cryptography Guru Paul Kocher Speaks Out

bear bear at sonic.net
Wed Apr 30 16:31:21 EDT 2003

On Wed, 30 Apr 2003, Nomen Nescio wrote:

>Given that Kocher is one of the smartest and savviest security experts
>out there, how can he make absurd statements like those above?  We've
>discussed here how impractical these watermarking systems are, how easy
>it is to identify and remove the watermarks, given just a few systems.

Mmm, no.  In principle, this is not a bad idea.  He needs to use enough
bits to make it resistant to the birthday paradox, and he needs to
fix it so *every frame* will have subtle differences based on its key.

But this isn't dismissable the way most of these systems have been;
it doesn't give the attackers an oracle to tell when they've been
successful at erasing their tracks.

>His "provably secure" example worked fine with four conspirators, but
>totally fell apart with five, as we saw.  This is a general property of
>traitor tracing type watermarking schemes.  The provable security is
>meaningless in the real world, because the limitations assumed in the
>proofs are too easy to beat.

The issue is that it takes work, and that the work can't easily be
automated, and that it takes a reasonably substantial investment.  If
you "hack" fifty or sixty players for fifty or sixty keys, you get
fifty or sixty different versions of the work, which you can combine
in some way to eliminate most, or maybe all, of the watermarks.  But
its going to cost you substantial money to acquire those players, so
you're not going to do it for no profit and you're not going to do it
casually.  And if someone is paying you money, there's a money trail
to follow back to you.

On the other hand, any one of those fifty or sixty different versions
of the work can serve for fair use or archival, watermarks and all, so
in principle we have here the first example of a DRM scheme that
doesn't necessarily, at least in principle, deprive the public domain
from eventually inheriting the protected work, nor prevent people from
exercising fair use.

I don't think it's quite technically what he's claiming, but I do think
it's less actively harmful than previous DRM proposals.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list