eWeek: Cryptography Guru Paul Kocher Speaks Out

Ronald L. Rivest rivest at mit.edu
Thu May 1 19:14:50 EDT 2003


There is a _very_ relevant paper to this
discussion by Boneh and Shaw:
     http://crypto.stanford.edu/~dabo/abstracts/finger.html

Cheers,
         Ron Rivest

At 04:31 PM 4/30/2003, you wrote:


>On Wed, 30 Apr 2003, Nomen Nescio wrote:
>
> >Given that Kocher is one of the smartest and savviest security experts
> >out there, how can he make absurd statements like those above?  We've
> >discussed here how impractical these watermarking systems are, how easy
> >it is to identify and remove the watermarks, given just a few systems.
>
>Mmm, no.  In principle, this is not a bad idea.  He needs to use enough
>bits to make it resistant to the birthday paradox, and he needs to
>fix it so *every frame* will have subtle differences based on its key.
>
>But this isn't dismissable the way most of these systems have been;
>it doesn't give the attackers an oracle to tell when they've been
>successful at erasing their tracks.
>
> >His "provably secure" example worked fine with four conspirators, but
> >totally fell apart with five, as we saw.  This is a general property of
> >traitor tracing type watermarking schemes.  The provable security is
> >meaningless in the real world, because the limitations assumed in the
> >proofs are too easy to beat.
>
>The issue is that it takes work, and that the work can't easily be
>automated, and that it takes a reasonably substantial investment.  If
>you "hack" fifty or sixty players for fifty or sixty keys, you get
>fifty or sixty different versions of the work, which you can combine
>in some way to eliminate most, or maybe all, of the watermarks.  But
>it's going to cost you substantial money to acquire those players, so
>you're not going to do it for no profit and you're not going to do it
>casually.  And if someone is paying you money, there's a money trail
>to follow back to you.
>
>On the other hand, any one of those fifty or sixty different versions
>of the work can serve for fair use or archival, watermarks and all, so
>in principle we have here the first example of a DRM scheme that
>doesn't necessarily, at least in principle, deprive the public domain
>from eventually inheriting the protected work, nor prevent people from
>exercising fair use.
>
>I don't think it's quite technically what he's claiming, but I do think
>it's less actively harmful than previous DRM proposals.
>
>                         Bear
>
>
>
>---------------------------------------------------------------------
>The Cryptography Mailing List
>Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

Ronald L. Rivest
Room 324, 200 Technology Square, Cambridge MA 02139
Tel 617-253-5880, Fax 617-258-9738, Email <rivest at mit.edu>


