Was a mistake made in the design of AACS?

[Hal Finney]

Perry Metzger writes:
> I will again solicit suggestions about "optimal" strategies both for
> the attacker and defender for the AACS system -- I think we can learn
> a lot by thinking about it. It would be especially interesting if
> there were modifications of the AACS system that would be more hardy
> against "economic attacks" -- can you design the system so that slow
> key revelation is not an economic disaster while still maintaining an
> offline delivery model with offline players entirely in the enemy's
> control? I don't think you can, but it would be very interesting to
> consider the problem in detail.

Ed Felten has blogged a number of ideas along these lines:

http://www.freedom-to-tinker.com/?p=1111

"By this point in our series on AACS (the encryption scheme used in
HD-DVD and Blu-ray) it should be clear that AACS creates a nontrivial
strategic game between the AACS central authority (representing the
movie studios) and the attackers who want to defeat AACS. Today I want
to sketch a model of this game and talk about who is likely to win..."

Felten focuses on the loss of revenue due to extraction of device keys
and subsequent file sharing of decrypted content.  AACS has a mechanism
called sequence keys to watermark content and allow it to be traced
back to the player that created it.  Felten assumes that attackers would
publish decrypted movies, AACSLA would then trace them back to the broken
device, and revoke that device in future releases.

The optimal strategy depends on his parameters C, the cost in time it
takes for attackers to break into new devices and extract keys; and L,
the commercial lifetime of a new disk.  Felten writes:

"It turns out that the attacker's best strategy is to withhold any newly
discovered compromise until a 'release window' of size R has passed
since the last time the authority blacklisted a player. (R depends in
a complicated way on L and C.) Once the release window has passed,
the attacker will use the compromise aggressively and the authority
will then blacklist the compromised player, which essentially starts
the game over. The studio collects revenue during the release window,
and sometimes beyond the release window when the attacker gets unlucky
and takes a long time to find another compromise."

He estimates that C is measured in weeks and L in months, which bodes
ill for the studios, as his model predicts that studios will receive
the fraction C/(C+L) of their potential revenues if no piracy occured,
and C<<L makes this fraction small.

I see a couple of problems with his model.  First, it may be that by
publishing processing keys instead of device keys or movie content, it
will be harder to make the traitor tracing algorithm work and AACSLA may
be thwarted in their attempt to revoke the broken device.  I'm not sure
I understand the system well enough to know whether there are effective
countermeasures for AACSLA against this attacker strategy.  Threats of
legal action do not appear to be achieving much success.

Second, there is a long lead time between when AACSLA determines to
update the processing keys and other components of the subset difference
scheme, and when the disks actually reach the public.  This is bad for
the studios and probably effectively increases L.

On the other hand I suspect his L estimate of months is excessive;
8 of the Amazon's 10 top selling DVDs were released since April 24.
As with other media like CDs, it is likely that the bulk of revenues
arrive during the first few weeks of release.  If they can protect that
window then they might view the system as achieving at least some of
its goals.  But these other considerations will work against them.

Hal Finney

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com