Perry Metzger writes: > I will again solicit suggestions about "optimal" strategies both for > the attacker and defender for the AACS system -- I think we can learn > a lot by thinking about it. It would be especially interesting if > there were modifications of the AACS system that would be more hardy > against "economic attacks" -- can you design the system so that slow > key revelation is not an economic disaster while still maintaining an > offline delivery model with offline players entirely in the enemy's > control? I don't think you can, but it would be very interesting to > consider the problem in detail.
Ed Felten has blogged a number of ideas along these lines: http://www.freedom-to-tinker.com/?p=1111 "By this point in our series on AACS (the encryption scheme used in HD-DVD and Blu-ray) it should be clear that AACS creates a nontrivial strategic game between the AACS central authority (representing the movie studios) and the attackers who want to defeat AACS. Today I want to sketch a model of this game and talk about who is likely to win..." Felten focuses on the loss of revenue due to extraction of device keys and subsequent file sharing of decrypted content. AACS has a mechanism called sequence keys to watermark content and allow it to be traced back to the player that created it. Felten assumes that attackers would publish decrypted movies, AACSLA would then trace them back to the broken device, and revoke that device in future releases. The optimal strategy depends on his parameters C, the cost in time it takes for attackers to break into new devices and extract keys; and L, the commercial lifetime of a new disk. Felten writes: "It turns out that the attacker's best strategy is to withhold any newly discovered compromise until a 'release window' of size R has passed since the last time the authority blacklisted a player. (R depends in a complicated way on L and C.) Once the release window has passed, the attacker will use the compromise aggressively and the authority will then blacklist the compromised player, which essentially starts the game over. The studio collects revenue during the release window, and sometimes beyond the release window when the attacker gets unlucky and takes a long time to find another compromise." He estimates that C is measured in weeks and L in months, which bodes ill for the studios, as his model predicts that studios will receive the fraction C/(C+L) of their potential revenues if no piracy occured, and C<<L makes this fraction small. I see a couple of problems with his model. First, it may be that by publishing processing keys instead of device keys or movie content, it will be harder to make the traitor tracing algorithm work and AACSLA may be thwarted in their attempt to revoke the broken device. I'm not sure I understand the system well enough to know whether there are effective countermeasures for AACSLA against this attacker strategy. Threats of legal action do not appear to be achieving much success. Second, there is a long lead time between when AACSLA determines to update the processing keys and other components of the subset difference scheme, and when the disks actually reach the public. This is bad for the studios and probably effectively increases L. On the other hand I suspect his L estimate of months is excessive; 8 of the Amazon's 10 top selling DVDs were released since April 24. As with other media like CDs, it is likely that the bulk of revenues arrive during the first few weeks of release. If they can protect that window then they might view the system as achieving at least some of its goals. But these other considerations will work against them. Hal Finney --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]