 Research
 Open Access
 Published:
Riding the saddle point: asymptotics of the capacityachieving simple decoder for biasbased traitor tracing
EURASIP Journal on Information Security volume 2014, Article number: 12 (2014)
Abstract
We study the asymptoticcapacityachieving score function that was recently proposed by Oosterwijk et al. for biasbased traitor tracing codes. For the bias function, we choose the Dirichlet distribution with a cutoff. Using Bernstein’s inequality and Bennett’s inequality, we upper bound the falsepositive and falsenegative error probabilities. From these bounds we derive sufficient conditions for the scheme parameters. We solve these conditions in the limit of large coalition size c_{0} and obtain asymptotic solutions for the cutoff, the sufficient code length, and the corresponding accusation threshold. We find that the code length converges to its asymptote approximately as {c}_{0}^{1/2}, which is faster than the {c}_{0}^{1/3} of Tardos’ score function.
MSC
94B60
Introduction
1.1 Traitor tracing
Forensic watermarking is a means for tracing unauthorized redistribution of digital content. Before distribution, the content is modified by embedding an imperceptible watermark, which plays the role of a personalized identifier. When an unauthorized copy of the content is found, a tracing algorithm outputs a list of suspicious users, based on the watermark detected in this copy.
The most powerful attacks against watermarking are collusion attacks, in which multiple attackers (the ‘coalition’) combine their differently watermarked versions of the same content; the observed differences point to the locations of the hidden marks and allow for a targeted attack.
Collusionresistant codes have been specifically designed as a defense against collusion attacks: when codewords from such a code are embedded into the content, the surviving parts of the watermark, after the collusion attack, still contain enough information to identify (some of the) attackers, provided that the coalition is not too large.
In the past two decades, several types of collusionresistant codes have been developed. The most popular type in the recent literature is the class of biasbased codes. These were introduced by G. Tardos in 2003. The code construction consists of two steps: first, a sequence of biases is generated, one for each position in the content; then, the watermark symbols for each user are randomly drawn according to these biases. The original paper [1] was followed by a flurry of activity, e.g., improved analyses [2][7], code modifications [8][10], decoder modifications [11][14], and various generalizations [15][18]. The advantage of biasbased versus deterministic codes is that they can achieve the asymptotically optimal relationship \ell \propto {c}_{0}^{2} between the sufficient code length ℓ and the coalition size c_{0} to be resisted.
1.2 Capacityachieving simple decoder
Two kinds of tracing algorithm can be distinguished: (i) simple decoders, which assign a score to single users independent of the watermarks of other users, and (ii) joint decoders[11][13], which assign scores to sets of users and are typically more powerful but also require more computational resources. Efficient joint decoders typically employ a simple decoder as a bootstrapping step.
The performance of a traitor tracing code is often measured by looking at the sufficient code length ℓ as a function of the coalition size c_{0} to be resisted and the imposed low error rate. Equivalently, one can look at the fingerprinting rate, which is defined as the fraction \frac{\underset{q}{log}n}{\ell}, where q is the size of the alphabet and n is the number of users. The numerator corresponds to the number of qary symbols needed to point out one of the n users; the denominator is the number of symbols used to convey this ‘message.’ Hence, the fingerprinting rate has a natural interpretation as the fraction of codeword symbols that actually encodes the ‘message,’ i.e., the identifying information that allows for tracing. The fingerprinting rate is a figure of merit that can be used to fairly compare codes which have different alphabet sizes. The fingerprinting capacity, which can be computed informationtheoretically, is an upper bound on the fingerprinting rate that can be achieved against colluders who employ an optimal strategy against the tracing scheme. It was found by Boesten and Škorić [19] that the asymptotic^{a} capacity is given by
Huang and Moulin [20] found the location of the corresponding asymptotic saddlepoint: the strongest attack is the socalled interleaving attack, and the best bias distribution is the Dirichlet distribution with concentration parameter one half. (See Section 2.) For the colluders as well as the tracer, it is bad to depart from the saddlepoint. If the colluders move away from it, the tracer can achieve a higher fingerprinting rate; if the tracer moves away, the colluders can launch a stronger attack which reduces the rate.
Oosterwijk et al. [21] devised a simple decoder that reaches asymptotic capacity. The possibility of such an achievement was foreseen in [20], where it was shown that the simple decoder capacity becomes equal to the joint decoder capacity as c_{0} goes to infinity.
1.3 Contributions and outline
In this paper we analyze the performance of the capacityachieving simple decoder of [21] in the Restricted Digit Model:
• Following the approach of [22], we use Bernstein’s inequality and Bennett’s inequality to upper bound the falsepositive and falsenegative error probability, respectively. From these bounds, we derive conditions on the code parameters (code length, cutoff, threshold) such that the error probabilities are sufficiently low.
• We determine the asymptotics of the sufficient code length in the direct vicinity of the saddlepoint.
• We find that the optimal choice for the cutoff τ is given by \tau \propto {c}_{0}^{\gamma}, with γ slightly larger than one half. With this choice, the code length approaches its saddlepoint value with a correction term of order {c}_{0}^{\gamma 1}\approx {c}_{0}^{1/2}. Thus, convergence to the limit is faster than in the case of the binary Tardos score, where the correction is of order {c}_{0}^{1/3}[5].
• Our analysis yields a recipe for placing the accusation threshold as a function of the innocent user score variance. This differs from the case of the Tardos score function [1],[16], where the threshold is fixed.
In Section 2 we briefly review biasbased traitor tracing, the asymptotic saddlepoint, and the asymptoticcapacityachieving score function. We also list the inequalities of Bernstein and Bennett. In Section 3 we study the statistical properties of an innocent user’s score and the coalition’s collective score. In Section 4 we derive the bounds on the error rates and the sufficient conditions on the code parameters. The asymptotics of the sufficient code length are treated in Section 5.
Preliminaries
2.1 Biasbased tracing using the asymptotically optimal simple decoder
2.1.1 Notation
The number of users is denoted as n, and the code length (the number of positions in the content) as ℓ. We define [ n]={1,…,n}. The alphabet is \mathcal{Q}, with size \left\mathcal{Q}\right=q. The symbols in the alphabet have no natural ordering. The bias in position i is denoted as p^{(i)}. The bias is a qdimensional vector, with components {p}_{\alpha}^{\left(i\right)}\in [\phantom{\rule{0.3em}{0ex}}\tau ,1(q1\left)\tau \right], \alpha \in \mathcal{Q}. The parameter τ≪1 is called the cutoff. For each i the bias satisfies p^{(i)}=1, where ⋯ denotes the 1norm, i.e., \sum _{\alpha \in \mathcal{Q}}{p}_{\alpha}^{\left(i\right)}=1. We will often use multiindex notation: for a scalar z, the notation p^{z} stands for \prod _{\alpha \in \mathcal{Q}}{p}_{\alpha}^{z}; for a vector m, the notation p^{m} stands for \prod _{\alpha \in \mathcal{Q}}{p}_{\alpha}^{{m}_{\alpha}}. We introduce the qcomponent vector 1_{ q }=(1,1,…,1). The notation δ_{ x y } stands for the Kronecker delta.
2.1.2 Code generation
The bias vectors p^{(i)} are drawn independently from a (truncated) Dirichlet distribution F with concentration parameter κ>0,
The δ in the integral is a Dirac delta function; it ensures that the condition p=1 is enforced. The τ is called the cutoff parameter. Note that p_{ α }∈[ τ,1−(q−1)τ]. Therefore, τ≤1/q must hold, for otherwise the interval is empty (and we would get p>1).
For τ=0 the normalization constant (3) evaluates to a generalized beta function. Let z∈(0,∞)^{q} be a vector; then the beta function B(z) is defined as B\left(\mathit{z}\right)=\left[\prod _{\alpha}\Gamma \right]/\Gamma \left(\sum _{\beta}{z}_{\beta}\right), where Γ is the gamma function. Hence B_{0}(κ 1_{ q })=B(κ 1_{ q })=[ Γ(κ)]^{q}/Γ(q κ).
In the asymptotic saddlepoint, it holds that τ=0 and κ=1/2. For large but finite c_{0}, the saddlepoint lies close to the asymptotic saddlepoint, but it is not known exactly where. It is known that for finite c_{0}, the optimal bias distribution is a discrete distribution [8],[10],[23], with a number of discrete p_{ α } values proportional to c_{0}. In spite of this, we will use the continuous probability density (2). Our motivation is that we only investigate asymptotics. The cutoff τ will depend on c_{0}.
The code word assigned to user j is denoted as a row vector X_{ j }=(X_{j 1},…,X_{ j ℓ }). The set of codewords is arranged in a code matrix X. The elements of the code matrix are independently generated according to the biases p^{(1)},…,p^{(ℓ)} as follows: Pr[\phantom{\rule{0.3em}{0ex}}{X}_{\mathit{\text{ji}}}=\alpha ]={p}_{\alpha}^{\left(i\right)}.
2.1.3 Collusion attack
The coalition is a subset \mathcal{C}\subset \left[\phantom{\rule{0.3em}{0ex}}n\right] of users, with size \left\mathcal{C}\right=c. We explicitly make the distinction between the actual coalition size c and the parameter c_{0} in the code construction, which is the maximum coalition size that can be resisted. The colluders see a submatrix {X}_{\mathcal{C}} of X. The symbol ‘tallies’ are defined as follows:
In words, {m}_{\alpha}^{\left(i\right)} is the number of colluders that received symbol α in position i. Based on {X}_{\mathcal{C}}, the colluders produce an output y=(y_{1},…,y_{ ℓ }). For our analysis we adopt the Restricted Digit Model as the attack model: for any i∈[ℓ], the output y_{ i } is only allowed to be a symbol that the colluders have observed in position i. The strategy for choosing an output is allowed to be probabilistic. We adopt a number of frequently made assumptions about the attack strategy:

1.
Symbol symmetry. The strategy is invariant under permutation of the alphabet for each position independently. This assumption is motivated by the lack of a natural ordering of the alphabet.

2.
Colluder symmetry. The strategy is invariant under permutation of the colluders. (In other words, the colluders equally share the risk.) This assumption is motivated by the fact that breaking colluder symmetry will make it easier for the tracer to find at least one colluder.

3.
Position symmetry. The same strategy is applied in each position i∈[ℓ], and it does not depend on any X _{ j k } values with k≠i. Motivation: asymptotically the optimal attack must be positionsymmetric [24].
When assumptions 2 and 3 hold, the strategy can be parametrized by a set of probabilities that depend only on the ‘local’ tallies: in position i, the probability of outputting symbol y_{ i } is a function of only m^{(i)}. Omitting the position index, this is denoted as
Furthermore, if assumption 1 holds as well, it is possible [6] to reparametrize this as
In other words, Ψ_{ b }(x) is the coalition’s probability of outputting a symbol given that it has tally b and that the other tallies are x. The probability Ψ_{ b }(x) is invariant under permutation of x.
2.1.4 Simple decoder
The tracer notices the pirated copy with watermark sequence y ‘in the wild’. Based on y and X, he tries to find at least one colluder. The asymptoticcapacityachieving simple decoder of [21] works as follows: for each user j∈[ n], a score {S}_{j}=\sum _{i\in \left[\ell \right]}{S}_{j}^{\left(i\right)} is computed, where
Note that we normalized the function h differently from [21], by a factor \sqrt{q1}, for notational brevity. The score function (7) has the special property of being ‘strongly centered’: for any p and y (we are omitting the position index), the expected score of an innocent user is zero.
The collective score of the coalition is written as {S}_{\mathcal{C}},
The tracer makes a list \mathcal{\mathcal{L}} of ‘suspicious’ users, whose score exceeds a threshold Z,
Whereas the Tardos scheme uses a fixed threshold, the score function h leads to a more complicated scheme where Z must be chosen as a function of the biases and the observed tallies and colluder outputs (see Section 3.1).
2.1.5 Measuring the performance
Two types of error can occur: a falsepositive, with P_{FP} defined as the probability that a fixed innocent user gets added to \mathcal{\mathcal{L}}, and a falsenegative, with P_{FN} defined as the probability that none of the colluders is found:
The tracer demands that P_{FP}≤ε_{1} and P_{FN}≤ε_{2}, where ε_{1} and ε_{2} are constants, typically with ε_{1}≪ε_{2}.
The code length ℓ and threshold Z are often parametrized as
This parametrization is motivated by the fact that asymptotically, for the Tardos code, A and B can be considered as constants. The relationship between the code length parametrization (12) and the fingerprinting rate is as follows. The rate is R=\left(\underset{q}{log}n\right)/\ell =(lnn)/\left(A\underset{0}{\overset{2}{c}}lnqln\underset{1}{\overset{1}{\epsilon}}\right). Let \eta =Pr[\phantom{\rule{0.3em}{0ex}}\mathcal{\mathcal{L}}\setminus \mathcal{C}\ne \varnothing ], i.e., the probability that at least one innocent user ends up in the list \mathcal{\mathcal{L}}. The η is a fixed small number (e.g., 10^{−6}) that does not depend on n. It can be shown (Lemma 6 in [22]) for n≫1, c≪n that ε_{1}≈η/n. Then, ln\underset{1}{\overset{1}{\epsilon}}\approx lnnln\eta \approx lnn. (In the last approximation, we used that η is fixed.) Asymptotically, the rate satisfies R\sim 1/\left(A{c}_{0}^{2}lnq\right).
Definition 1.
The variance of an innocent user’s score and the average and variance of the coalition score are written as
Here stands for the expectation over all the probabilistic degrees of freedom: the biases p^{(i)}, the code matrix X, and the coalition output y. (The ‘tilde’ notation indicates that there is an average over positions.) Note that {\stackrel{~}{\mu}}_{\text{inn}}=0, as shown in (8).
Remark If assumption 3 holds (position symmetry, Section 2.1.3) then in Definition 1 the average over the positions is not necessary; in every position \mathbb{\mathbb{E}}[\cdots \phantom{\rule{0.3em}{0ex}}] has the same value. In this paper, we introduce a rescaled version (β) of the threshold parameter B,
It will turn out that it is more natural to use the quantity β than B.
Asymptotically, the first and second moments completely determine the shape of the probability distribution of the score, for an innocent user as well as for the coalition score. (The distribution becomes Gaussian in accordance with the central limit theorem.) It was found [7] that the code length parameter (and hence the fingerprinting rate) then depends on \stackrel{~}{\mu} and {\stackrel{~}{\sigma}}_{\text{inn}} as follows:
In the asymptotic saddlepoint, the tracer uses the bias distribution (2) with τ=0, while the coalition strategy is the interleaving attack, θ_{ym}=m_{ y }/c. In the asymptotic saddlepoint, it holds [21] that {\stackrel{~}{\mu}}^{2}/{\stackrel{~}{\sigma}}_{\text{inn}}^{2}=q1.
2.2 Computing expectations
Following the previous work [6],[16],[22], we define (conditional) expectations as shown below. We omit the position index and write x as shorthand for X_{ j i } for a fixed innocent user j\notin \mathcal{C}.
Here P_{1}(b) is a marginal probability for a single fixed symbol to have tally b. The quantity K_{ b } is the probability, given that a certain symbol has tally b, for the colluders to output that symbol; i.e., for arbitrary fixed α, we have K_{ b }= Pr[y=αm_{ α }=b]. The sum rule \sum _{b}{P}_{1}\left(b\right){K}_{b}=1/q holds [6], since the overall probability of outputting y=α is 1/q.
2.3 Concentration inequalities
Lemma 1 (Bernstein’s inequality [25]).
Let a>0 be a constant. Let U_{1},…,U_{ ℓ } be independent zeromean random variables, with U_{ i }≤a for all i. Let Z≥0. Then,
Lemma 2 (Bennett’s inequality [26]).
Let b>0 be a constant. Let Y_{1},…,Y_{ ℓ } be independent zeromean random variables, with Y_{ i }≤b for all i. Let {s}^{2}=\frac{1}{\ell}\sum _{i=1}^{\ell}\mathbb{\mathbb{E}}\left[\phantom{\rule{0.3em}{0ex}}{Y}_{i}^{2}\right]. Let the function ξ be defined as
Let T≥0. Then,
Property 1.
The function ξ in Lemma 2 can be lower bounded as
Proof.
For v>0, we have \xi \left(v\right)=\underset{0}{\overset{v}{\int}}\phantom{\rule{0.3em}{0ex}}\text{d}x\phantom{\rule{2.77626pt}{0ex}}ln(1+x)>\underset{0}{\overset{v}{\int}}\phantom{\rule{0.3em}{0ex}}\text{d}x\phantom{\rule{2.77626pt}{0ex}}lnx=vln\frac{v}{e}.
Lemma 3 (weaker form of Bennett’s inequality).
Let b>0 be a constant. Let Y_{1},…,Y_{ ℓ } be independent zeromean random variables, with Y_{ i }≤b for all i. Let {s}^{2}=\frac{1}{\ell}\sum _{i=1}^{\ell}\mathbb{\mathbb{E}}\left[\phantom{\rule{0.3em}{0ex}}{Y}_{i}^{2}\right]. Let T>0. Then
Proof.
We substitute Property 1 in Lemma 2. This is allowed since the argument of ξ is positive.
Statistics of the innocent score and coalition score
We study the moments of the innocent score and coalition score in two cases: (i) interleaving attack and arbitrary bias distribution and (ii) the bias distribution is the Dirichlet distribution with τ=0 and arbitrary concentration parameter κ; the attack is arbitrary.
These two scenarios represent two different ways of departing from the asymptotic saddlepoint. In the first one, the bias distribution is varied. In the second one, not only the attack is varied but also a limited change of the bias distribution is allowed (κ).
The results of this section do not all contribute directly to the analysis of the sufficient code length in Section 5, but they are important in their own right since they elucidate how the score moments behave in a variety of circumstances.
3.1 General result for the moments
We investigate the first and second moments of an innocent user’s score and of the coalition score. We begin with a general result for positionsymmetric colluder strategies. Then, we look more specifically at the interleaving attack.
Lemma 4.
If the coalition is employing a positionsymmetric strategy, then
Proof.
We start from Definition 1. In all three definitions, the summation over i merely yields a factor ℓ which cancels against the factor 1/ℓ in front of the summation. Thus, for {\stackrel{~}{\sigma}}_{\text{inn}}^{2} we can write, for arbitrary index i, and recalling that {\stackrel{~}{\mu}}_{\text{inn}}=0, {\stackrel{~}{\sigma}}_{\text{inn}}^{2}=\mathbb{\mathbb{E}}{\left({S}_{j}^{\left(i\right)}\right)}^{2}={\mathbb{\mathbb{E}}}_{\mathit{p}}{\mathbb{\mathbb{E}}}_{y\mathit{p}}{\mathbb{\mathbb{E}}}_{x\mathit{p}}{(1+{\delta}_{\mathit{\text{xy}}}/{p}_{y})}^{2}={\mathbb{\mathbb{E}}}_{\mathit{p}}{\mathbb{\mathbb{E}}}_{y\mathit{p}}{\mathbb{\mathbb{E}}}_{x\mathit{p}}\left(12{\delta}_{\mathit{\text{xy}}}/{p}_{y}+{\delta}_{\mathit{\text{xy}}}/{p}_{y}^{2}\right)=12{\mathbb{\mathbb{E}}}_{\mathit{p}}{\mathbb{\mathbb{E}}}_{y\mathit{p}}1+{\mathbb{\mathbb{E}}}_{\mathit{p}}{\mathbb{\mathbb{E}}}_{y\mathit{p}}1/{p}_{y}=1+\mathbb{\mathbb{E}}1/{p}_{y}. The results for \stackrel{~}{\mu} and \stackrel{~}{\sigma} follow directly from the fact that {S}_{\mathcal{C}}^{\left(i\right)}=({m}_{y}/{p}_{y}c)=({m}_{y}{\mathit{\text{cp}}}_{y})/{p}_{y}.
Note that Lemma 4 allows the tracer to obtain an estimate of the score moments: he can replace the by an empirical average over the codeword positions.
3.2 The case of the interleaving attack
Lemma 5.
If the coalition is using the interleaving attack, then
where \alpha \in \mathcal{Q} is arbitrary.
Proof.
For the interleaving attack, we have\mathbb{\mathbb{E}}[\cdots \phantom{\rule{0.3em}{0ex}}]={\mathbb{\mathbb{E}}}_{\mathit{p}}{\mathbb{\mathbb{E}}}_{\mathit{m}\mathit{p}}\sum _{y}({m}_{y}/c)[\cdots \phantom{\rule{0.3em}{0ex}}]=\sum _{y}{\mathbb{\mathbb{E}}}_{\mathit{p}}{\mathbb{\mathbb{E}}}_{\mathit{m}\mathit{p}}\left(\frac{{m}_{y}{\mathit{\text{cp}}}_{y}}{c}+{p}_{y}\right)[\cdots \phantom{\rule{0.3em}{0ex}}].We will make use of the binomial properties{\mathbb{\mathbb{E}}}_{\mathit{m}\mathit{p}}{m}_{\alpha}={\mathit{\text{cp}}}_{\alpha}, {\mathbb{\mathbb{E}}}_{\mathit{m}\mathit{p}}{({m}_{\alpha}{\mathit{\text{cp}}}_{\alpha})}^{2}={\mathit{\text{cp}}}_{\alpha}(1{p}_{\alpha}) and {\mathbb{\mathbb{E}}}_{\mathit{m}\mathit{p}}{({m}_{\alpha}{\mathit{\text{cp}}}_{\alpha})}^{3}={\mathit{\text{cp}}}_{\alpha}(1{p}_{\alpha})(12{p}_{\alpha}).For \stackrel{~}{\mu} this gives \stackrel{~}{\mu}=\sum _{y}{\mathbb{\mathbb{E}}}_{\mathit{p}}{\mathbb{\mathbb{E}}}_{\mathit{m}\mathit{p}}\left[\frac{{({m}_{y}{\mathit{\text{cp}}}_{y})}^{2}}{{\mathit{\text{cp}}}_{y}}+{m}_{y}{\mathit{\text{cp}}}_{y}\right]={\mathbb{\mathbb{E}}}_{\mathit{p}}\sum _{y}(1{p}_{y})+0=q1.Furthermore, {\stackrel{~}{\sigma}}_{\text{inn}}^{2}=1+{\mathbb{\mathbb{E}}}_{\mathit{p}}\sum _{y}{\mathbb{\mathbb{E}}}_{\mathit{m}\mathit{p}}\left[\frac{{m}_{y}}{{\mathit{\text{cp}}}_{y}}\right]=1+{\mathbb{\mathbb{E}}}_{\mathit{p}}\sum _{y}1=q1.Finally, {\stackrel{~}{\mu}}^{2}+{\stackrel{~}{\sigma}}^{2}=\sum _{y}{\mathbb{\mathbb{E}}}_{\mathit{p}}{\mathbb{\mathbb{E}}}_{\mathit{m}\mathit{p}}\left[\frac{{({m}_{y}{\mathit{\text{cp}}}_{y})}^{3}}{c{p}_{y}^{2}}+\frac{{({m}_{y}{\mathit{\text{cp}}}_{y})}^{2}}{{p}_{y}}\right]={\mathbb{\mathbb{E}}}_{\mathit{p}}\sum _{y}\left[\frac{(1{p}_{y})(12{p}_{y})}{{p}_{y}}+c(1{p}_{y})\right]=c(q1)3q+2+\sum _{y}{\mathbb{\mathbb{E}}}_{\mathit{p}}\frac{1}{{p}_{y}}.
Remark 1.
Part of Lemma 5 (\stackrel{~}{\mu} and {\stackrel{~}{\sigma}}_{\text{inn}}) was already done in [21]. We show the proof again because of our modified normalization of the score function.
Remark 2.
The result for {\stackrel{~}{\mu}}_{\text{Int}} and {\left({\stackrel{~}{\sigma}}_{\text{inn}}^{2}\right)}_{\text{Int}} does not depend on the bias distribution F, but {\stackrel{~}{\sigma}}_{\text{Int}} does.
Remark 3.
In the largec limit, the variance of the coalition score tends to be large due to the c(q−1) term as well as the expression \mathbb{\mathbb{E}}[\phantom{\rule{0.3em}{0ex}}1/{p}_{\alpha}] which blows up when τ becomes small.
3.3 Taking the Dirichlet distribution with cutoff τ=0
Lemma 6.
Let τ=0. Let the coalition use a strategy that is colludersymmetric and positionsymmetric. Then the quantities \stackrel{~}{\mu} and {\stackrel{~}{\sigma}}_{\text{inn}} can be written as
Furthermore, if the colluder strategy is also symbolsymmetric, then
Proof.
We start from the expressions \stackrel{~}{\mu}=c+\mathbb{\mathbb{E}}[\phantom{\rule{0.3em}{0ex}}{m}_{y}/{p}_{y}] and {\stackrel{~}{\sigma}}_{\text{inn}}^{2}=1+\mathbb{\mathbb{E}}[\phantom{\rule{0.3em}{0ex}}1/{p}_{y}]. For any function J(m_{ y }), we can write \mathbb{\mathbb{E}}\left[J\right({m}_{y})/{p}_{y}]={\mathbb{\mathbb{E}}}_{\mathit{p}}\sum _{\mathit{m}}\left(\genfrac{}{}{0ex}{}{c}{\mathit{m}}\right){\mathit{p}}^{\mathit{m}}\sum _{y}{\theta}_{y\mathit{m}}\frac{J\left({m}_{y}\right)}{{p}_{y}}=\sum _{\mathit{m}}\left(\genfrac{}{}{0ex}{}{c}{\mathit{m}}\right)\sum _{y}{\theta}_{y\mathit{m}}J\left({m}_{y}\right){\mathbb{\mathbb{E}}}_{\mathit{p}}{\mathit{p}}^{\mathit{m}}/{p}_{y}. For τ=0, we have
Setting J(m_{ y })=m_{ y } for \stackrel{~}{\mu} and J(m_{ y })=1 for {\stackrel{~}{\sigma}}_{\text{inn}}^{2} yield (35) and (36). The final step is to notice that \mathbb{\mathbb{E}}\left[J\left({m}_{y}\right)/{p}_{y}\right]={\mathbb{\mathbb{E}}}_{\mathit{m}}{\mathbb{\mathbb{E}}}_{y\mathit{m}}\left[\frac{\mathrm{q\kappa}+c1}{\kappa +{m}_{y}1}J\left({m}_{y}\right)\right] which can be rewritten as q\sum _{b}{P}_{1}\left(b\right){K}_{b}\frac{\mathrm{q\kappa}+c1}{\kappa +b1}J\left(b\right) if the strategy is symbolsymmetric.
Theorem 1.
Let c≫1 and κ∈(0,1). Let the coalition use a strategy that is colludersymmetric and positionsymmetric. Then, both quantities \stackrel{~}{\mu} and {\stackrel{~}{\sigma}}_{\text{inn}} are maximized by the minority voting attack and minimized by the majority voting attack.
Proof.
For c≫1, we can use the τ=0 approximation for \stackrel{~}{\mu} and {\stackrel{~}{\sigma}}_{\text{inn}}, i.e., Lemma 6. In (35) and (36), the θ_{ym} in the y summation multiplies a decreasing function of m_{ y }. Hence, the summand is maximized by outputting a symbol y with tally m_{ y } as small as possible (but nonzero because of the marking assumption) and, vice versa, minimized by outputting the symbol with the largest tally.
Theorem 1 gives insight into the tradeoffs that the colluders have to deal with. They want to minimize \stackrel{~}{\mu} and to maximize {\stackrel{~}{\sigma}}_{\text{inn}}, since this leads to high error rates. However, the strategy that optimizes \stackrel{~}{\mu} for them is the worst possible strategy regarding {\stackrel{~}{\sigma}}_{\text{inn}} and vice versa. The interleaving attack at the saddlepoint is ‘in the middle’ between minority voting and majority voting.
Lemma 7.
Let τ=0. Let the coalition use a strategy that is colludersymmetric and positionsymmetric. Then \stackrel{~}{\mu} and {\stackrel{~}{\sigma}}_{\text{inn}} can be bounded as
Proof.
For m_{ y }∈{1,…,c}, we have \frac{1}{\kappa +c1}\le \frac{1}{\kappa +{m}_{y}1}\le \frac{1}{\kappa}. We substitute these inequalities into (35) and (36). Finally, we use \sum _{y}{\theta}_{y\mathit{m}}=1.
Remark It is possible to obtain a tighter upper bound by treating the m_{ y }=c term separately in (35),(36), since then θ_{ym}=1. However, the improvement of the tightness is minimal.
Bounding the error probabilities
We use Bernstein’s inequality and Bennett’s inequality to upper bound the falsepositive and falsenegative error probability, respectively.
4.1 Bounding the falsepositive probability
Theorem 2.
Let q≥2. Let the coalition use any attack strategy. Then the falsepositive probability for a fixed innocent user can be bounded as
Proof.
For any coalition strategy, even one that breaks the position symmetry, the singleposition scores {S}_{j}^{\left(i\right)} for the innocent user are mutually independent [1]. Hence, we are allowed to use Bernstein’s inequality. In Lemma 1 we set {U}_{i}={S}_{j}^{\left(i\right)} for the innocent user. This is allowed since {S}_{j}^{\left(i\right)} has zero expectation value. We have
In the last equality, we used τ≤1/q (see Section 2.1.2). Thus, we are allowed to set a=1/τ in Lemma 1. Furthermore, we note that by definition \mathbb{\mathbb{E}}\left[\phantom{\rule{0.3em}{0ex}}{U}_{i}^{2}\right]={\stackrel{~}{\sigma}}_{\text{inn}}^{2} for all i. Lemma 1 then gives
Substituting a=1/τ, \ell =A{c}_{0}^{2}ln\frac{1}{{\epsilon}_{1}} and Z=\beta {\stackrel{~}{\sigma}}_{\text{inn}}{c}_{0}ln\frac{1}{{\epsilon}_{1}} finish the proof.
Remark In (42), we see that the bound on P_{FP} is a decreasing function of the product c_{0}τ. Hence, it is advantageous to set τ such that c_{0}τ≫1.
Corollary 1.
Let q≥2 and τ≤1/2. Let the coalition use any attack strategy. Then, it holds that
Proof.
The proof follows directly from Theorem 2.
4.2 Bounding the falsenegative probability
Theorem 3.
Let q≥2. Let the coalition employ a positionsymmetric strategy. Let \stackrel{~}{\mu}A{c}_{0}{\stackrel{~}{\sigma}}_{\text{inn}}\mathrm{\beta c}>0. Let τ satisfy
Then the falsenegative probability can be bounded as
Proof.
We start from
Because of the assumption that the collusion attack is positionsymmetric, the random variables {S}_{\mathcal{C}}^{\left(i\right)} are mutually independent. We are then allowed to use Bennett’s inequality (we take the weaker form, Lemma 3), which we do with the following parameters: {Y}_{i}=\stackrel{~}{\mu}{S}_{\mathcal{C}}^{\left(i\right)}; T=\ell \stackrel{~}{\mu}\mathit{\text{cZ}}=(\stackrel{~}{\mu}{\mathit{\text{Ac}}}_{0}{\stackrel{~}{\sigma}}_{\text{inn}}\mathrm{\beta c}){c}_{0}ln\frac{1}{{\epsilon}_{1}}; {s}^{2}={\stackrel{~}{\sigma}}^{2}; b=c/τ. The choice for b follows from
where the last equality is a consequence of the assumption (46). We can see that the T is positive from the assumption \stackrel{~}{\mu}A{c}_{0}{\stackrel{~}{\sigma}}_{\text{inn}}\mathrm{\beta c}>0.
Notice that at c≫c_{0} Theorem 3 no longer applies, because the condition \stackrel{~}{\mu}A{c}_{0}{\stackrel{~}{\sigma}}_{\text{inn}}\mathrm{\beta c}>0 cannot be satisfied. In practical terms, this means that for c>c_{0}, the FN probability is no longer under control, and the colluders may evade detection with high probability.
Theorem 4.
Let q≥2. Let the coalition employ a positionsymmetric strategy. Let 2≤c≤c_{0}. Let \stackrel{~}{\mu}A{\stackrel{~}{\sigma}}_{\text{inn}}\beta >0. Let \tau \le 2/(2+\stackrel{~}{\mu}). Then the falsenegative probability can be bounded as
Proof.
We start from Theorem 3. Due to the conditions c≤c_{0} and \stackrel{~}{\mu}A{\stackrel{~}{\sigma}}_{\text{inn}}\beta >0, the condition \stackrel{~}{\mu}A{c}_{0}{\stackrel{~}{\sigma}}_{\text{inn}}\mathrm{\beta c}>0 in Theorem 3 holds. Due to c≥2 and \tau <2/(2+\stackrel{~}{\mu}), the condition (46) holds. Since all the conditions are satisfied, we are allowed to apply Theorem 3. Finally, we make use of the fact that the expression (47) is an increasing function of c for c≤c_{0}.
Corollary 2.
Let q≥2. Let the coalition employ a positionsymmetric strategy. Let 2≤c≤c_{0}. Let \stackrel{~}{\mu}A{\stackrel{~}{\sigma}}_{\text{inn}}\beta >0. Let \tau \le 2/(2+\stackrel{~}{\mu}). Then it holds that
Proof.
Follows directly from Theorem 4.
Asymptotics of the sufficient code length
The main aim of this paper is to determine the performance of the score system (7) at large but finite c_{0}. The performance at ‘ c_{0}=∞’ is known: the saddlepoint is given by the interleaving attack, combined with the \kappa =\frac{1}{2} Dirichlet distribution (with τ=0) as the bias distribution; in this saddlepoint, the rate of the score system is equal to capacity. What we want to know is how the fingerprinting rate approaches capacity and how to optimally choose the cutoff τ as a function of c_{0}.
5.1 Sufficient code length
We aim for an analysis in the (unknown!) largebutfinite c_{0} saddlepoint:
 The saddlepoint (‘SP’) of the mutual information minimax game [20] is close to the asymptotic saddlepoint. The unknown strategy θ^{SP} is close to interleaving. The unknown bias distribution F^{SP}(p) is some discrete distribution close to the Dirichlet distribution. We approximate F by the continuous Dirichlet distribution with cutoff τ because this is the only available constructive approach that we know of.
 A practical tracing system that uses the score function (7) cannot have a fixed threshold Z like the Tardos scheme, since the score statistics strongly depend on the colluder strategy. The threshold has to be chosen as a function of estimated values for {\stackrel{~}{\sigma}}_{\text{inn}} and \stackrel{~}{\mu}. (See Section 3.1 for the estimation method.) When attacking this tracing system, the best choice for the colluders is to use θ^{SP} as their strategy, for otherwise they get caught faster. We will assume that the colluders use θ^{SP}, which in the analysis leads to a ‘fixed’ threshold Z that only has meaning in this context.
 Hence, we analyze the tracing system consisting of the bias distribution (2) and the score system (7), when pitted against an unknown attack close to interleaving. Our starting point will be the ‘sufficient’ conditions given by Corollaries 1 and 2. We know that {\stackrel{~}{\mu}}^{\text{SP}}=q1\u25b3\stackrel{~}{\mu} and {\left({\stackrel{~}{\sigma}}_{\text{inn}}^{2}\right)}^{\text{SP}}=q1+\u25b3{\stackrel{~}{\sigma}}_{\text{inn}}^{2}, and we have to carefully deal with the corrections \u25b3\stackrel{~}{\mu} and \u25b3{\stackrel{~}{\sigma}}_{\text{inn}}^{2}. On the other hand, the \stackrel{~}{\sigma} appears only in the logarithm in (51) and hence any corrections with respect to Lemma 5 can be neglected.
Corollary 1 and the condition \stackrel{~}{\mu}A{\stackrel{~}{\sigma}}_{\text{inn}}\beta >0 together define an interval for the sufficient code length parameter ‘ A_{suff},’
This interval exists only if
which yields
We must try to bring β and A as close as possible to the bounds (53, 54) while still satisfying the condition in the left hand side of (51). We introduce the following shorthand notation:
where w≪1, ψ≪1, r≪1. The w will be studied in the next section. The ψ we will solve approximately. The fact that r is small follows from Lemma 5. The expression \mathbb{\mathbb{E}}[1/{p}_{\alpha}] in (34) is of order τ^{κ−1}; this leads to a contribution to {\stackrel{~}{\sigma}}^{2}/c of order τ^{κ}/(c_{0}τ), which is negligible compared to (q−1) since c_{0}τ≫1 (see Section 4.1).
Theorem 5.
Let c_{0}τ≫1 and c_{0}τ^{2}≪1. Let the attackers employ a positionsymmetric strategy close to interleaving. Let 2≤c≤c_{0}. Then the following combination of a code length parameter A and threshold parameter β is sufficient to achieve P_{FP}≤ε_{1} and P_{FN}≤ε_{2}.
Proof.
Using the parametrization (55), the condition in (51) can be written compactly as
Taking the equal sign and solving for ψ gives (we denote the solution as ψ_{0})
We take \psi =\frac{ln{\epsilon}_{2}}{ln{\epsilon}_{1}}\xb7\frac{1}{{c}_{0}\tau ln\frac{1}{{c}_{0}{\tau}^{2}}} (last line of (59)), since it is a compact analytical expression that satisfies (58). We can now find the sufficient A and β. We write {\beta}_{\text{suff}}=2\frac{{\stackrel{~}{\sigma}}_{\text{inn}}}{\stackrel{~}{\mu}}+\frac{2}{3{c}_{0}\tau {\stackrel{~}{\sigma}}_{\text{inn}}}+\lambda, with λ arbitrarily close to zero. Solving A from β and ψ gives
where we have used that \u25b3\stackrel{~}{\mu} and \u25b3{\stackrel{~}{\sigma}}_{\text{inn}} are of order w. Finally, we note that λ is much smaller than the other highorder correction terms.
Note that the condition c_{0}τ^{2}≪1 is required in the above proof in order to make sure that the argument of the logarithm is wellbehaved, i.e., larger than 1. Hence, when choosing τ we have to satisfy
One way of satisfying these conditions is to set
5.2 Optimization of the cutoff τ as a function of c_{ 0 }
Lemma 8 (adapted from [21]).
Let △θ_{ym}=θ ym SP−m_{ y }/c. The firstorder and secondorder correction terms to \stackrel{~}{\mu} and {\stackrel{~}{\sigma}}_{\text{inn}}^{2} in the vicinity of the saddle point are given by
The firstorder correction to {\stackrel{~}{\mu}}^{2}/{\stackrel{~}{\sigma}}_{\text{inn}}^{2} is zero because of the saddlepoint. The secondorder correction to {\stackrel{~}{\mu}}^{2}/{\stackrel{~}{\sigma}}_{\text{inn}}^{2} is given by
Proof.
Equations 62 and 63 are a slight adaptation of the saddlepoint formulas in [21], where we have substituted the saddlepoint values \stackrel{~}{\mu}=q1 and {\stackrel{~}{\sigma}}_{\text{inn}}^{2}=q1. Note again that we have normalized the score function differently from [21] by a factor \sqrt{q1}. Equation 64 follows from Equation 63 by using Equation 62.
Proposition 1.
The correction w is negligible compared to \frac{1}{{c}_{0}\tau}.
Argumentation.
The w is proportional to (63) or, differently expressed, (64). In (64) we have the {\left({\left[{\stackrel{~}{\sigma}}_{\text{inn}}^{2}\right]}_{\left(1\right)}\right)}^{2} term which is of order (△θ)^{2}. The order of magnitude of the \sum _{\mathit{m}} contribution is more difficult to determine because the incomplete Dirichlet integral B_{ τ }(κ 1_{ q }+m−e_{ y }) is difficult to bound;^{b} however, no matter how B_{ τ }(κ 1_{ q }+m−e_{ y }) is behaved, the \sum _{\mathit{m}} contribution is at most of order △θ. Huang and Moulin [20] conjectured that \u25b3\theta =\mathcal{O}\left(\frac{1}{c}\right), and this turned out to be consistent with their asymptotic saddlepoint analysis. If their conjecture is true, we have w\propto \frac{1}{{c}_{0}}\ll \frac{1}{{c}_{0}\tau}. Even if their conjecture is not true and △θ scales as, for instance, 1/\sqrt{c}, then, w\propto 1/\sqrt{{c}_{0}}\ll \frac{1}{{c}_{0}\tau}, i.e., w is still negligible. (The latter holds because τ scales as {c}_{0}^{\gamma} with \gamma >\frac{1}{2}.)
The consequences of Proposition 1 are the following: The optimal choice for the cutoff is to set
where ν denotes a very small positive number. The sufficient code length is then given by
Note that the correction term is smaller than the \mathcal{O}\left({c}_{0}^{1/3}\right) that was found [5] for Tardos’s score function at q=2.
Conclusions
We have studied a qary biasbased collusionresistant scheme where the score function (7) of Oosterwijk et al. [21] is used in combination with the Dirichlet distribution with a cutoff. We have used Bernstein’s inequality and Bennett’s inequality to upper bound the error rates. For large c_{0}, this leads to a sufficient code length as specified in Theorem 5.
Then we adopted a conjecture (based on a conjecture by Huang and Moulin) that △θ, the difference in strategy between the finitec and infinitec saddlepoint, is of order O(1/\sqrt{c}). This leads to an optimal cutoff choice \tau =1/\left(\lambda {c}_{0}^{1/2+\nu}\right), where λ>0 is a constant and ν is a very small positive constant. The sufficient code length is then
and the corresponding accusation threshold is
From previous work on provable bounds for biasbased codes, it is clear that the bounds obtained from concentration inequalities (Markov, Bernstein, Bennett) are not tight.
As topics for future work, we mention the following: (i) obtaining tighter bounds  the CSE method [6] or similar techniques may yield more precise information about the error rates. (ii) Studying the performance of the score function (7) further away from the asymptotic saddlepoint. This would require locating (by numerical techniques) the saddlepoint for large but finite c. (iii) Applying the analysis in this paper in the context of dynamic traitor tracing, similar to the work in [27].
Endnotes
^{a} Throughout this paper, the term asymptotic refers to the limit of large coalition size.
^{b} The correction to the normalization factor is known. In [22] it was found that {B}_{\tau}\left(\kappa {\mathbf{1}}_{q}\right)=B\left(\kappa {\mathbf{1}}_{q}\right)[\phantom{\rule{0.3em}{0ex}}1\mathcal{O}({\tau}^{\kappa}\left)\right].
References
G Tardos, in Proceedings of the 35th Annual ACM Symposium on Theory of Computing (STOC). Optimal probabilistic fingerprint codes, (2003), pp. 116–125.
Blayer O, Tassa T: Improved versions of Tardos’ fingerprinting scheme. Des Codes Cryptography 2008, 48(1):79103.
T Furon, A Guyader, F Cérou, in Information Hiding, Lecture Notes in Computer Science, 5284. On the design and optimization of Tardos probabilistic fingerprinting codes (Springer, 2008), pp. 341–356.
Furon T, PérezFreire L, Guyader A, Cérou F: Estimating the minimal length of Tardos code. In Information Hiding, LNCS. Springer, Heidelberg; 2009:176190.
Laarhoven T, de Weger BMM: Optimal symmetric Tardos traitor tracing schemes. Designs Codes Cryoptography 2011, 71: 83103.
Simone A: Accusation probabilities in Tardos codes: beyond the Gaussian approximation. Des Codes Cryptography 2012, 63(3):379412.
Vladimirova TU, Celik MU, Talstra JC: Tardos fingerprinting is better than we thought. IEEE Trans. Inform. Theor 2008, 54(8):36633676.
YW Huang, P Moulin, in IEEE Workshop on Information Forensics and Security (WIFS). Capacityachieving fingerprint decoding (London, 6–9 December 2009), pp. 51–55.
K Nuida, in Information Hiding, LNCS, 6387. Short collusionsecure fingerprint codes against three pirates (Springer, 2010), pp. 86–102.
Nuida K, Fujitsu S, Hagiwara M, Kitagawa T, Watanabe H, Ogawa K, Imai H: An improvement of discrete Tardos fingerprinting codes. Des Codes Cryptography 2009, 52(3):339362.
E Amiri, G Tardos, in Proceedings of the 20th Annual ACMSIAM Symposium on Discrete Algorithms (SODA). High rate fingerprinting codes and the fingerprinting capacity (New York, 4–6 January 2009), pp. 336–345.
A Charpentier, F Xie, C Fontaine, T Furon, in SPIE Proceedings on Media Forensics and Security, 7254. Expectation maximization decoding of Tardos probabilistic fingerprinting code (SPIE, 2009), p. 72540.
P Meerwald, T Furon, in Information Hiding, LNCS, 6958. Towards joint Tardos decoding: the ‘Don Quixote’ algorithm (Springer, 2011), pp. 28–42.
JJ Oosterwijk, Škorić B, J Doumen, in Information Hiding & Multimedia Security 2013. Optimal suspicion functions for Tardos traitor tracing schemes (Montpellier, 17–19 June 2013).
A Charpentier, C Fontaine, T Furon, IJ Cox, in Information Hiding, LNCS, 6958. An asymmetric fingerprinting scheme based on Tardos codes (Springer, 2011), pp. 43–58.
Katzenbeisser S, Celik MU: Symmetric Tardos fingerprinting codes for arbitrary alphabet sizes. Des Codes Cryptography 2008, 46(2):137166.
Katzenbeisser S, Schaathun HG, Celik MU: Tardos fingerprinting codes in the combined digit model. IEEE Trans. Inf. Forensics Secur 2011, 6(3):906919.
F Xie, T Furon, C Fontaine, in Proceedings of the 10th Workshop on Multimedia & Security (MM&Sec). Onoff keying modulation and Tardos fingerprinting (ACM, 2008), pp. 101–106.
D Boesten, Škorić B, in Information Hiding 2011, LNCS, 6958. Asymptotic fingerprinting capacity for nonbinary alphabets (Springer, 2011), pp. 1–13.
YW Huang, P Moulin, in IEEE International Symposium on Information Theory (ISIT) 2012. On fingerprinting capacity games for arbitrary alphabets and their asymptotics (Cambridge, 1–6 July 2012), pp. 2571–2575.
JJ Oosterwijk, Škorić B, J Doumen, A capacityachieving simple decoder for biasbased traitor tracing schemes (2013). http://eprint.iacr.org/2013/389 Accessed 5 August 2014.
Škorić B, JJ Oosterwijk, Binary and qary Tardos codes, revisited. Designs, Codes, and Cryptography (2012). http://eprint.iacr.org/2012/249 Accessed 5 August 2014.
T Laarhoven, BMM de Weger, in Information Hiding & Multimedia Security 2013 Discrete Distributions in the Tardos Scheme, Revisited, (2013).
P Moulin, Universal fingerprinting: capacity and randomcoding exponents (2008). http://arxiv.org/abs/0801.3837.
SN Bernstein, Theory of Probability, (1927).
Bennett G: Probability inequalities for the sum of independent random variables. J. Am. Stat. Assoc 1962, 57(297):3345.
T Laarhoven, J Doumen, P Roelse, Škorić B, B de Weger, Dynamic Tardos traitor tracing schemes. IEEE Trans. Inf. Theory. 59(7), 4230–4242.
Acknowledgments
We thank Benne de Weger, Jeroen Doumen, and Thijs Laarhoven for useful discussions. Part of this work was supported by STW (project 10518).
Author information
Authors and Affiliations
Corresponding author
Additional information
Competing interests
The authors declare that they have no competing interests.
Rights and permissions
Open Access This article is distributed under the terms of the Creative Commons Attribution 2.0 International License ( https://creativecommons.org/licenses/by/2.0 ), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
About this article
Cite this article
Ibrahimi, S., Škorić, B. & Oosterwijk, JJ. Riding the saddle point: asymptotics of the capacityachieving simple decoder for biasbased traitor tracing. EURASIP J. on Info. Security 2014, 12 (2014). https://doi.org/10.1186/s1363501400126
Received:
Accepted:
Published:
DOI: https://doi.org/10.1186/s1363501400126
Keywords
 Traitor tracing; Fingerprinting