Chameleon -- A New Kind of Stream Cipher Ross Anderson, Charalampos Manifavas Cambridge University Computer Laboratory Pembroke Street, Cambridge CB2 3QG, England (rjald, cm213) @el. cam. ac. uk Abstract. Stream cipher systems are used to protect intellectual prop- erty in pay-TV and a number of other applications. In some of these, it would be convenient if a single ciphertext could be broadcast, and subscribers given slightly different deciphering keys that had the effect of producing slightly different plaintexts. In this way, a subscriber who illegally resold material licensed to him could be traced. Previously, such tracing could be done using a one-time pad, or with complicated key management schemes. In this paper we show how to endow any stream cipher with this potentially useful property. We also present a simple traitor tracing scheme based on random coding with which it can be used. 1 Introduction The electronic distribution of intellectual property such as computer programs, clip art, databases, videos and music, often involves encryption followed by broad- cast, with decryption keys being supplied out of band to subscribers who have paid for a particular object. Computer programs and clip art are commonly distributed on CDs that con- tain extensive libraries, each item being typically encrypted using a different key. Customers purchase items by calling a service bureau and quoting a credit card number; a key is then read out to them over the phone. A number of firms sell encrypted databases: one is a compendium of building projects in certain counties of California, which is sold to building materials salesmen. Videos are broadcast encrypted on a number of satellite channels, and the decryption keys are sold to subscribers on smattcards. A common problem with such systems is that some subscribers re-sell the information they have licensed. This is against the terms of their licence, and if they are detected they may be sued. Technical measures may also be used, such as failing to renew their encryption keys. However, given that the available technical measures are imperfect, with pay-TV pirates forging each successive generation of subscriber smartcard [5], and given that strong protection mechanisms are often in conflict with exportability and functionality, there is a shift towards combining technical protection with legal sanctions. In any case, the important question is how cheaters can be detected.