Open Access

Riding the saddle point: asymptotics of the capacity-achieving simple decoder for bias-based traitor tracing

EURASIP Journal on Information Security20142014:12

https://doi.org/10.1186/s13635-014-0012-6

Received: 27 January 2014

Accepted: 28 July 2014

Published: 15 August 2014

Abstract

We study the asymptotic-capacity-achieving score function that was recently proposed by Oosterwijk et al. for bias-based traitor tracing codes. For the bias function, we choose the Dirichlet distribution with a cutoff. Using Bernstein’s inequality and Bennett’s inequality, we upper bound the false-positive and false-negative error probabilities. From these bounds we derive sufficient conditions for the scheme parameters. We solve these conditions in the limit of large coalition size c0 and obtain asymptotic solutions for the cutoff, the sufficient code length, and the corresponding accusation threshold. We find that the code length converges to its asymptote approximately as c 0 1 / 2 , which is faster than the c 0 1 / 3 of Tardos’ score function.

MSC

94B60

Keywords

Traitor tracing; Fingerprinting

Introduction

1.1 Traitor tracing

Forensic watermarking is a means for tracing unauthorized redistribution of digital content. Before distribution, the content is modified by embedding an imperceptible watermark, which plays the role of a personalized identifier. When an unauthorized copy of the content is found, a tracing algorithm outputs a list of suspicious users, based on the watermark detected in this copy.

The most powerful attacks against watermarking are collusion attacks, in which multiple attackers (the ‘coalition’) combine their differently watermarked versions of the same content; the observed differences point to the locations of the hidden marks and allow for a targeted attack.

Collusion-resistant codes have been specifically designed as a defense against collusion attacks: when codewords from such a code are embedded into the content, the surviving parts of the watermark, after the collusion attack, still contain enough information to identify (some of the) attackers, provided that the coalition is not too large.

In the past two decades, several types of collusion-resistant codes have been developed. The most popular type in the recent literature is the class of bias-based codes. These were introduced by G. Tardos in 2003. The code construction consists of two steps: first, a sequence of biases is generated, one for each position in the content; then, the watermark symbols for each user are randomly drawn according to these biases. The original paper [1] was followed by a flurry of activity, e.g., improved analyses [2]-[7], code modifications [8]-[10], decoder modifications [11]-[14], and various generalizations [15]-[18]. The advantage of bias-based versus deterministic codes is that they can achieve the asymptotically optimal relationship c 0 2 between the sufficient code length and the coalition size c0 to be resisted.

1.2 Capacity-achieving simple decoder

Two kinds of tracing algorithm can be distinguished: (i) simple decoders, which assign a score to single users independent of the watermarks of other users, and (ii) joint decoders[11]-[13], which assign scores to sets of users and are typically more powerful but also require more computational resources. Efficient joint decoders typically employ a simple decoder as a bootstrapping step.

The performance of a traitor tracing code is often measured by looking at the sufficient code length as a function of the coalition size c0 to be resisted and the imposed low error rate. Equivalently, one can look at the fingerprinting rate, which is defined as the fraction log q n , where q is the size of the alphabet and n is the number of users. The numerator corresponds to the number of q-ary symbols needed to point out one of the n users; the denominator is the number of symbols used to convey this ‘message.’ Hence, the fingerprinting rate has a natural interpretation as the fraction of codeword symbols that actually encodes the ‘message,’ i.e., the identifying information that allows for tracing. The fingerprinting rate is a figure of merit that can be used to fairly compare codes which have different alphabet sizes. The fingerprinting capacity, which can be computed information-theoretically, is an upper bound on the fingerprinting rate that can be achieved against colluders who employ an optimal strategy against the tracing scheme. It was found by Boesten and Škorić [19] that the asymptotica capacity is given by
C = q 1 2 c 0 2 ln q .
(1)

Huang and Moulin [20] found the location of the corresponding asymptotic saddlepoint: the strongest attack is the so-called interleaving attack, and the best bias distribution is the Dirichlet distribution with concentration parameter one half. (See Section 2.) For the colluders as well as the tracer, it is bad to depart from the saddlepoint. If the colluders move away from it, the tracer can achieve a higher fingerprinting rate; if the tracer moves away, the colluders can launch a stronger attack which reduces the rate.

Oosterwijk et al. [21] devised a simple decoder that reaches asymptotic capacity. The possibility of such an achievement was foreseen in [20], where it was shown that the simple decoder capacity becomes equal to the joint decoder capacity as c0 goes to infinity.

1.3 Contributions and outline

In this paper we analyze the performance of the capacity-achieving simple decoder of [21] in the Restricted Digit Model:

• Following the approach of [22], we use Bernstein’s inequality and Bennett’s inequality to upper bound the false-positive and false-negative error probability, respectively. From these bounds, we derive conditions on the code parameters (code length, cutoff, threshold) such that the error probabilities are sufficiently low.

• We determine the asymptotics of the sufficient code length in the direct vicinity of the saddlepoint.

• We find that the optimal choice for the cutoff τ is given by τ c 0 γ , with γ slightly larger than one half. With this choice, the code length approaches its saddlepoint value with a correction term of order c 0 γ 1 c 0 1 / 2 . Thus, convergence to the limit is faster than in the case of the binary Tardos score, where the correction is of order c 0 1 / 3 [5].

• Our analysis yields a recipe for placing the accusation threshold as a function of the innocent user score variance. This differs from the case of the Tardos score function [1],[16], where the threshold is fixed.

In Section 2 we briefly review bias-based traitor tracing, the asymptotic saddlepoint, and the asymptotic-capacity-achieving score function. We also list the inequalities of Bernstein and Bennett. In Section 3 we study the statistical properties of an innocent user’s score and the coalition’s collective score. In Section 4 we derive the bounds on the error rates and the sufficient conditions on the code parameters. The asymptotics of the sufficient code length are treated in Section 5.

Preliminaries

2.1 Bias-based tracing using the asymptotically optimal simple decoder

2.1.1 Notation

The number of users is denoted as n, and the code length (the number of positions in the content) as . We define [ n]={1,…,n}. The alphabet is Q , with size | Q | = q . The symbols in the alphabet have no natural ordering. The bias in position i is denoted as p(i). The bias is a q-dimensional vector, with components p α ( i ) [ τ , 1 ( q 1 ) τ ] , α Q . The parameter τ1 is called the cutoff. For each i the bias satisfies |p(i)|=1, where || denotes the 1-norm, i.e., α Q p α ( i ) = 1 . We will often use multi-index notation: for a scalar z, the notation p z stands for α Q p α z ; for a vector m, the notation p m stands for α Q p α m α . We introduce the q-component vector 1 q =(1,1,…,1). The notation δ x y stands for the Kronecker delta.

2.1.2 Code generation

The bias vectors p(i) are drawn independently from a (truncated) Dirichlet distribution F with concentration parameter κ>0,
F ( p ) = p 1 + κ / B τ ( κ 1 q )
(2)
B τ ( κ 1 q ) = τ 1 ( q 1 ) τ d q p δ ( 1 | p | ) p 1 + κ .
(3)

The δ in the integral is a Dirac delta function; it ensures that the condition |p|=1 is enforced. The τ is called the cutoff parameter. Note that p α [ τ,1−(q−1)τ]. Therefore, τ≤1/q must hold, for otherwise the interval is empty (and we would get |p|>1).

For τ=0 the normalization constant (3) evaluates to a generalized beta function. Let z(0,) q be a vector; then the beta function B(z) is defined as B ( z ) = α Γ / Γ β z β , where Γ is the gamma function. Hence B0(κ 1 q )=B(κ 1 q )=[ Γ(κ)] q /Γ(q κ).

In the asymptotic saddlepoint, it holds that τ=0 and κ=1/2. For large but finite c0, the saddlepoint lies close to the asymptotic saddlepoint, but it is not known exactly where. It is known that for finite c0, the optimal bias distribution is a discrete distribution [8],[10],[23], with a number of discrete p α values proportional to c0. In spite of this, we will use the continuous probability density (2). Our motivation is that we only investigate asymptotics. The cutoff τ will depend on c0.

The code word assigned to user j is denoted as a row vector X j =(Xj 1,…,X j ). The set of codewords is arranged in a code matrix X. The elements of the code matrix are independently generated according to the biases p(1),…,p() as follows: Pr [ X ji = α ] = p α ( i ) .

2.1.3 Collusion attack

The coalition is a subset C [ n ] of users, with size | C | = c . We explicitly make the distinction between the actual coalition size c and the parameter c0 in the code construction, which is the maximum coalition size that can be resisted. The colluders see a submatrix X C of X. The symbol ‘tallies’ are defined as follows:
m ( i ) = m α ( i ) α Q ; m α ( i ) = | { j C : X ji = α } | .
(4)
In words, m α ( i ) is the number of colluders that received symbol α in position i. Based on X C , the colluders produce an output y=(y1,…,y ). For our analysis we adopt the Restricted Digit Model as the attack model: for any i[], the output y i is only allowed to be a symbol that the colluders have observed in position i. The strategy for choosing an output is allowed to be probabilistic. We adopt a number of frequently made assumptions about the attack strategy:
  1. 1.

    Symbol symmetry. The strategy is invariant under permutation of the alphabet for each position independently. This assumption is motivated by the lack of a natural ordering of the alphabet.

     
  2. 2.

    Colluder symmetry. The strategy is invariant under permutation of the colluders. (In other words, the colluders equally share the risk.) This assumption is motivated by the fact that breaking colluder symmetry will make it easier for the tracer to find at least one colluder.

     
  3. 3.

    Position symmetry. The same strategy is applied in each position i[], and it does not depend on any X j k values with ki. Motivation: asymptotically the optimal attack must be position-symmetric [24].

     
When assumptions 2 and 3 hold, the strategy can be parametrized by a set of probabilities that depend only on the ‘local’ tallies: in position i, the probability of outputting symbol y i is a function of only m(i). Omitting the position index, this is denoted as
θ y | m = Pr [ colluders output y | the tally is m ] .
(5)
Furthermore, if assumption 1 holds as well, it is possible [6] to re-parametrize this as
Ψ b ( x ) = θ y | m for { m y = b , and m without the y component is x } .
(6)

In other words, Ψ b (x) is the coalition’s probability of outputting a symbol given that it has tally b and that the other tallies are x. The probability Ψ b (x) is invariant under permutation of x.

2.1.4 Simple decoder

The tracer notices the pirated copy with watermark sequence y ‘in the wild’. Based on y and X, he tries to find at least one colluder. The asymptotic-capacity-achieving simple decoder of [21] works as follows: for each user j[ n], a score S j = i [ ] S j ( i ) is computed, where
S j ( i ) = h X ji , y i , p ( i ) with h ( x , y , p ) = δ xy p y 1 .
(7)
Note that we normalized the function h differently from [21], by a factor q 1 , for notational brevity. The score function (7) has the special property of being ‘strongly centered’: for any p and y (we are omitting the position index), the expected score of an innocent user is zero.
μ ~ inn = x Q p x h ( x , y , p ) = p y p y x Q p x = 0 .
(8)
The collective score of the coalition is written as S C ,
S C = j C S j .
(9)
The tracer makes a list of ‘suspicious’ users, whose score exceeds a threshold Z,
= { j [ n ] : S j > Z } .
(10)

Whereas the Tardos scheme uses a fixed threshold, the score function h leads to a more complicated scheme where Z must be chosen as a function of the biases and the observed tallies and colluder outputs (see Section 3.1).

2.1.5 Measuring the performance

Two types of error can occur: a false-positive, with PFP defined as the probability that a fixed innocent user gets added to , and a false-negative, with PFN defined as the probability that none of the colluders is found:
P FP = Pr [ j ] for fixed innocent j ; P FN = Pr [ C = ]
(11)

The tracer demands that PFPε1 and PFNε2, where ε1 and ε2 are constants, typically with ε1ε2.

The code length and threshold Z are often parametrized as
= A c 0 2 ln 1 ε 1 ; Z = B c 0 ln 1 ε 1 .
(12)

This parametrization is motivated by the fact that asymptotically, for the Tardos code, A and B can be considered as constants. The relationship between the code length parametrization (12) and the fingerprinting rate is as follows. The rate is R = ( log q n ) / = ( ln n ) / A c 0 2 ln q ln ε 1 1 . Let η = Pr [ C ] , i.e., the probability that at least one innocent user ends up in the list . The η is a fixed small number (e.g., 10−6) that does not depend on n. It can be shown (Lemma 6 in [22]) for n1, cn that ε1η/n. Then, ln ε 1 1 ln n ln η ln n . (In the last approximation, we used that η is fixed.) Asymptotically, the rate satisfies R 1 / A c 0 2 ln q .

Definition 1.
The variance of an innocent user’s score and the average and variance of the coalition score are written as
σ ~ inn 2 = 1 i 𝔼 ( S j ( i ) ) 2 μ ~ inn 2 for arbitrary j C
(13)
μ ~ = 1 i 𝔼 S C ( i )
(14)
σ ~ 2 = 1 i 𝔼 ( S C ( i ) ) 2 μ ~ 2 .
(15)

Here stands for the expectation over all the probabilistic degrees of freedom: the biases p(i), the code matrix X, and the coalition output y. (The ‘tilde’ notation indicates that there is an average over positions.) Note that μ ~ inn = 0 , as shown in (8).

Remark If assumption 3 holds (position symmetry, Section 2.1.3) then in Definition 1 the average over the positions is not necessary; in every position 𝔼 [ ] has the same value. In this paper, we introduce a rescaled version (β) of the threshold parameter B,
B = β σ ~ inn .
(16)

It will turn out that it is more natural to use the quantity β than B.

Asymptotically, the first and second moments completely determine the shape of the probability distribution of the score, for an innocent user as well as for the coalition score. (The distribution becomes Gaussian in accordance with the central limit theorem.) It was found [7] that the code length parameter (and hence the fingerprinting rate) then depends on μ ~ and σ ~ inn as follows:
A 2 σ ~ inn 2 μ ~ 2 ; R μ ~ 2 σ ~ inn 2 · 1 2 c 0 2 ln q .
(17)

In the asymptotic saddlepoint, the tracer uses the bias distribution (2) with τ=0, while the coalition strategy is the interleaving attack, θy|m=m y /c. In the asymptotic saddlepoint, it holds [21] that μ ~ 2 / σ ~ inn 2 = q 1 .

2.2 Computing expectations

Following the previous work [6],[16],[22], we define (conditional) expectations as shown below. We omit the position index and write x as shorthand for X j i for a fixed innocent user j C .
𝔼 p [ r ( p ) ] = τ 1 ( q 1 ) τ d q p δ ( 1 | p | ) F ( p ) r ( p )
(18)
𝔼 x | p [ r ( x ) ] = x Q p x r ( x )
(19)
𝔼 m | p [ r ( m ) ] = m 0 : | m | = c c m p m r ( m )
(20)
𝔼 y | m [ r ( y ) ] = y Q θ y | m r ( y )
(21)
𝔼 y | p [ r ( y ) ] = 𝔼 m | p 𝔼 y | m [ r ( y ) ] = y Q m 0 : | m | = c c m p m θ y | m r ( y )
(22)
𝔼 m [ r ( m ) ] = m 0 : | m | = c c m B τ ( κ 1 q + m ) B τ ( κ 1 q ) r ( m )
(23)
𝔼 m α [ r ( m α ) ] = b = 0 c P 1 ( b ) r ( b ) = b = 0 c c b B τ ( κ + b , [ q 1 ] κ + c b ) B τ ( κ , [ q 1 ] κ ) r ( b )
(24)
K b = 𝔼 x | b Ψ b ( x ) = x 0 : | x | = c b c b x B ( κ 1 q 1 + x ) B ( κ 1 q 1 ) Ψ b ( x ) .
(25)

Here P1(b) is a marginal probability for a single fixed symbol to have tally b. The quantity K b is the probability, given that a certain symbol has tally b, for the colluders to output that symbol; i.e., for arbitrary fixed α, we have K b = Pr[y=α|m α =b]. The sum rule b P 1 ( b ) K b = 1 / q holds [6], since the overall probability of outputting y=α is 1/q.

2.3 Concentration inequalities

Lemma 1 (Bernstein’s inequality [25]).

Let a>0 be a constant. Let U1,…,U be independent zero-mean random variables, with |U i |≤a for all i. Let Z≥0. Then,
Pr i = 1 U i > Z exp Z 2 / 2 i = 1 𝔼 [ U i 2 ] + aZ / 3 .
(26)

Lemma 2 (Bennett’s inequality [26]).

Let b>0 be a constant. Let Y1,…,Y be independent zero-mean random variables, with |Y i |≤b for all i. Let s 2 = 1 i = 1 𝔼 [ Y i 2 ] . Let the function ξ be defined as
ξ ( v ) = 0 v d x ln ( 1 + x ) = ( v + 1 ) ln ( v + 1 ) v.
(27)
Let T≥0. Then,
Pr i = 1 Y i > T exp s 2 b 2 ξ ( b s 2 T ) .
(28)

Property 1.

The function ξ in Lemma 2 can be lower bounded as
v > 0 ξ ( v ) > v ln v e .
(29)

Proof.

For v>0, we have ξ ( v ) = 0 v d x ln ( 1 + x ) > 0 v d x ln x = v ln v e .

Lemma 3 (weaker form of Bennett’s inequality).

Let b>0 be a constant. Let Y1,…,Y be independent zero-mean random variables, with |Y i |≤b for all i. Let s 2 = 1 i = 1 𝔼 [ Y i 2 ] . Let T>0. Then
Pr i = 1 Y i > T exp T b ln bT eℓ s 2 .
(30)

Proof.

We substitute Property 1 in Lemma 2. This is allowed since the argument of ξ is positive.

Statistics of the innocent score and coalition score

We study the moments of the innocent score and coalition score in two cases: (i) interleaving attack and arbitrary bias distribution and (ii) the bias distribution is the Dirichlet distribution with τ=0 and arbitrary concentration parameter κ; the attack is arbitrary.

These two scenarios represent two different ways of departing from the asymptotic saddlepoint. In the first one, the bias distribution is varied. In the second one, not only the attack is varied but also a limited change of the bias distribution is allowed (κ).

The results of this section do not all contribute directly to the analysis of the sufficient code length in Section 5, but they are important in their own right since they elucidate how the score moments behave in a variety of circumstances.

3.1 General result for the moments

We investigate the first and second moments of an innocent user’s score and of the coalition score. We begin with a general result for position-symmetric colluder strategies. Then, we look more specifically at the interleaving attack.

Lemma 4.

If the coalition is employing a position-symmetric strategy, then
σ ~ inn 2 = 1 + 𝔼 1 p y
(31)
μ ~ = c + 𝔼 m y p y
(32)
μ ~ 2 + σ ~ 2 = 𝔼 ( m y cp y ) 2 p y 2 .
(33)

Proof.

We start from Definition 1. In all three definitions, the summation over i merely yields a factor which cancels against the factor 1/ in front of the summation. Thus, for σ ~ inn 2 we can write, for arbitrary index i, and recalling that μ ~ inn = 0 , σ ~ inn 2 = 𝔼 S j ( i ) 2 = 𝔼 p 𝔼 y | p 𝔼 x | p ( 1 + δ xy / p y ) 2 = 𝔼 p 𝔼 y | p 𝔼 x | p 1 2 δ xy / p y + δ xy / p y 2 = 1 2 𝔼 p 𝔼 y | p 1 + 𝔼 p 𝔼 y | p 1 / p y = 1 + 𝔼 1 / p y . The results for μ ~ and σ ~ follow directly from the fact that S C ( i ) = ( m y / p y c ) = ( m y cp y ) / p y .

Note that Lemma 4 allows the tracer to obtain an estimate of the score moments: he can replace the by an empirical average over the codeword positions.

3.2 The case of the interleaving attack

Lemma 5.

If the coalition is using the interleaving attack, then
μ ~ Int = q 1 ; σ ~ inn 2 Int = q 1 ; μ ~ Int 2 + σ ~ Int 2 = c ( q 1 ) 3 q + 2 + q 𝔼 p 1 p α .
(34)

where α Q is arbitrary.

Proof.

For the interleaving attack, we have 𝔼 [ ] = 𝔼 p 𝔼 m | p y ( m y / c ) [ ] = y 𝔼 p 𝔼 m | p m y cp y c + p y [ ] .We will make use of the binomial properties 𝔼 m | p m α = cp α , 𝔼 m | p ( m α cp α ) 2 = cp α ( 1 p α ) and 𝔼 m | p ( m α cp α ) 3 = cp α ( 1 p α ) ( 1 2 p α ) .For μ ~ this gives μ ~ = y 𝔼 p 𝔼 m | p ( m y cp y ) 2 cp y + m y cp y = 𝔼 p y ( 1 p y ) + 0 = q 1 .Furthermore, σ ~ inn 2 = 1 + 𝔼 p y 𝔼 m | p m y cp y = 1 + 𝔼 p y 1 = q 1 .Finally, μ ~ 2 + σ ~ 2 = y 𝔼 p 𝔼 m | p ( m y cp y ) 3 c p y 2 + ( m y cp y ) 2 p y = 𝔼 p y ( 1 p y ) ( 1 2 p y ) p y + c ( 1 p y ) = c ( q 1 ) 3 q + 2 + y 𝔼 p 1 p y .

Remark 1.

Part of Lemma 5 ( μ ~ and σ ~ inn ) was already done in [21]. We show the proof again because of our modified normalization of the score function.

Remark 2.

The result for μ ~ Int and σ ~ inn 2 Int does not depend on the bias distribution F, but σ ~ Int does.

Remark 3.

In the large-c limit, the variance of the coalition score tends to be large due to the c(q−1) term as well as the expression 𝔼 [ 1 / p α ] which blows up when τ becomes small.

3.3 Taking the Dirichlet distribution with cutoff τ=0

Lemma 6.

Let τ=0. Let the coalition use a strategy that is colluder-symmetric and position-symmetric. Then the quantities μ ~ and σ ~ inn can be written as
μ ~ τ = 0 = c + ( + c 1 ) 𝔼 m y Q θ y | m 1 + 1 κ κ + m y 1
(35)
( σ ~ inn 2 ) τ = 0 = 1 + ( + c 1 ) 𝔼 m y Q θ y | m 1 κ + m y 1
(36)
Furthermore, if the colluder strategy is also symbol-symmetric, then
μ ~ τ = 0 = c + ( + c 1 ) q b = 1 c P 1 ( b ) K b b κ + b 1 ,
(37)
( σ ~ inn 2 ) τ = 0 = 1 + ( + c 1 ) q b = 1 c P 1 ( b ) K b 1 κ + b 1 .
(38)

Proof.

We start from the expressions μ ~ = c + 𝔼 [ m y / p y ] and σ ~ inn 2 = 1 + 𝔼 [ 1 / p y ] . For any function J(m y ), we can write 𝔼 [ J ( m y ) / p y ] = 𝔼 p m c m p m y θ y | m J ( m y ) p y = m c m y θ y | m J ( m y ) 𝔼 p p m / p y . For τ=0, we have
𝔼 p p m p y = B ( κ 1 q + m e y ) B ( κ 1 q ) = + c 1 κ + m y 1 · B ( κ 1 q + m ) B ( κ 1 q ) = + c 1 κ + m y 1 𝔼 p p m .
(39)

Setting J(m y )=m y for μ ~ and J(m y )=1 for σ ~ inn 2 yield (35) and (36). The final step is to notice that 𝔼 J ( m y ) / p y = 𝔼 m 𝔼 y | m + c 1 κ + m y 1 J ( m y ) which can be rewritten as q b P 1 ( b ) K b + c 1 κ + b 1 J ( b ) if the strategy is symbol-symmetric.

Theorem 1.

Let c1 and κ(0,1). Let the coalition use a strategy that is colluder-symmetric and position-symmetric. Then, both quantities μ ~ and σ ~ inn are maximized by the minority voting attack and minimized by the majority voting attack.

Proof.

For c1, we can use the τ=0 approximation for μ ~ and σ ~ inn , i.e., Lemma 6. In (35) and (36), the θy|m in the y summation multiplies a decreasing function of m y . Hence, the summand is maximized by outputting a symbol y with tally m y as small as possible (but nonzero because of the marking assumption) and, vice versa, minimized by outputting the symbol with the largest tally.

Theorem 1 gives insight into the trade-offs that the colluders have to deal with. They want to minimize μ ~ and to maximize σ ~ inn , since this leads to high error rates. However, the strategy that optimizes μ ~ for them is the worst possible strategy regarding σ ~ inn and vice versa. The interleaving attack at the saddlepoint is ‘in the middle’ between minority voting and majority voting.

Lemma 7.

Let τ=0. Let the coalition use a strategy that is colluder-symmetric and position-symmetric. Then μ ~ and σ ~ inn can be bounded as
( q 1 ) c 1 + κ μ ~ τ = 0 c 1 κ 1 + q 1 κ
(40)
κ ( q 1 ) c 1 + κ σ ~ inn 2 τ = 0 c κ + q 1 1 κ .
(41)

Proof.

For m y {1,…,c}, we have 1 κ + c 1 1 κ + m y 1 1 κ . We substitute these inequalities into (35) and (36). Finally, we use y θ y | m = 1 .

Remark It is possible to obtain a tighter upper bound by treating the m y =c term separately in (35),(36), since then θy|m=1. However, the improvement of the tightness is minimal.

Bounding the error probabilities

We use Bernstein’s inequality and Bennett’s inequality to upper bound the false-positive and false-negative error probability, respectively.

4.1 Bounding the false-positive probability

Theorem 2.

Let q≥2. Let the coalition use any attack strategy. Then the false-positive probability for a fixed innocent user can be bounded as
P FP exp ( ln ε 1 ) β 2 2 A 1 + β 3 A c 0 τ σ ~ inn 1 .
(42)

Proof.

For any coalition strategy, even one that breaks the position symmetry, the single-position scores S j ( i ) for the innocent user are mutually independent [1]. Hence, we are allowed to use Bernstein’s inequality. In Lemma 1 we set U i = S j ( i ) for the innocent user. This is allowed since S j ( i ) has zero expectation value. We have
| U i | max 1 p min 1 , | 1 | = max 1 τ 1 , 1 = 1 τ 1 < 1 τ .
(43)
In the last equality, we used τ≤1/q (see Section 2.1.2). Thus, we are allowed to set a=1/τ in Lemma 1. Furthermore, we note that by definition 𝔼 [ U i 2 ] = σ ~ inn 2 for all i. Lemma 1 then gives
Pr [ S j > Z ] exp Z 2 / 2 σ ~ inn 2 + aZ / 3 = exp Z 2 2 σ ~ inn 2 · 1 1 + aZ / ( 3 σ ~ inn 2 ) .
(44)

Substituting a=1/τ, = A c 0 2 ln 1 ε 1 and Z = β σ ~ inn c 0 ln 1 ε 1 finish the proof.

Remark In (42), we see that the bound on PFP is a decreasing function of the product c0τ. Hence, it is advantageous to set τ such that c0τ1.

Corollary 1.

Let q≥2 and τ≤1/2. Let the coalition use any attack strategy. Then, it holds that
A 1 2 β 2 β 3 c 0 τ σ ~ inn P FP ε 1 .
(45)

Proof.

The proof follows directly from Theorem 2.

4.2 Bounding the false-negative probability

Theorem 3.

Let q≥2. Let the coalition employ a position-symmetric strategy. Let μ ~ A c 0 σ ~ inn βc > 0 . Let τ satisfy
τ c / ( c + μ ~ ) .
(46)
Then the false-negative probability can be bounded as
P FN exp ( ln ε 1 ) c 0 τ c [ μ ~ Ac 0 σ ~ inn βc ] ln μ ~ Ac 0 σ ~ inn βc e ( σ ~ 2 / c ) A c 0 τ .
(47)

Proof.

We start from
P FN = Pr [ j C S j < Z ] < Pr [ S C < cZ ] = Pr [ μ ~ S C > μ ~ cZ ] = Pr i = 1 μ ~ S C ( i ) > μ ~ cZ .
(48)
Because of the assumption that the collusion attack is position-symmetric, the random variables S C ( i ) are mutually independent. We are then allowed to use Bennett’s inequality (we take the weaker form, Lemma 3), which we do with the following parameters: Y i = μ ~ S C ( i ) ; T = μ ~ cZ = ( μ ~ Ac 0 σ ~ inn βc ) c 0 ln 1 ε 1 ; s 2 = σ ~ 2 ; b=c/τ. The choice for b follows from
| Y i | = | S C ( i ) μ ~ | max c 1 τ 1 μ ~ , μ ~ + c max c τ , μ ~ + c = c τ ,
(49)

where the last equality is a consequence of the assumption (46). We can see that the T is positive from the assumption μ ~ A c 0 σ ~ inn βc > 0 .

Notice that at cc0 Theorem 3 no longer applies, because the condition μ ~ A c 0 σ ~ inn βc > 0 cannot be satisfied. In practical terms, this means that for c>c0, the FN probability is no longer under control, and the colluders may evade detection with high probability.

Theorem 4.

Let q≥2. Let the coalition employ a position-symmetric strategy. Let 2≤cc0. Let μ ~ A σ ~ inn β > 0 . Let τ 2 / ( 2 + μ ~ ) . Then the false-negative probability can be bounded as
P FN exp ( ln ε 1 ) c 0 τ [ μ ~ A σ ~ inn β ] ln μ ~ A σ ~ inn β e ( σ ~ 2 / c 0 ) .
(50)

Proof.

We start from Theorem 3. Due to the conditions cc0 and μ ~ A σ ~ inn β > 0 , the condition μ ~ A c 0 σ ~ inn βc > 0 in Theorem 3 holds. Due to c≥2 and τ < 2 / ( 2 + μ ~ ) , the condition (46) holds. Since all the conditions are satisfied, we are allowed to apply Theorem 3. Finally, we make use of the fact that the expression (47) is an increasing function of c for cc0.

Corollary 2.

Let q≥2. Let the coalition employ a position-symmetric strategy. Let 2≤cc0. Let μ ~ A σ ~ inn β > 0 . Let τ 2 / ( 2 + μ ~ ) . Then it holds that
c 0 τ [ ~ μA σ ~ inn β ] ln μ ~ A σ ~ inn β e ( σ ~ 2 / c 0 ) ln ε 2 ln ε 1 P FN ε 2 .
(51)

Proof.

Follows directly from Theorem 4.

Asymptotics of the sufficient code length

The main aim of this paper is to determine the performance of the score system (7) at large but finite c0. The performance at ‘ c0=’ is known: the saddlepoint is given by the interleaving attack, combined with the κ = 1 2 Dirichlet distribution (with τ=0) as the bias distribution; in this saddlepoint, the rate of the score system is equal to capacity. What we want to know is how the fingerprinting rate approaches capacity and how to optimally choose the cutoff τ as a function of c0.

5.1 Sufficient code length

We aim for an analysis in the (unknown!) large-but-finite- c0 saddlepoint:

- The saddlepoint (‘SP’) of the mutual information minimax game [20] is close to the asymptotic saddlepoint. The unknown strategy θSP is close to interleaving. The unknown bias distribution FSP(p) is some discrete distribution close to the Dirichlet distribution. We approximate F by the continuous Dirichlet distribution with cutoff τ because this is the only available constructive approach that we know of.

- A practical tracing system that uses the score function (7) cannot have a fixed threshold Z like the Tardos scheme, since the score statistics strongly depend on the colluder strategy. The threshold has to be chosen as a function of estimated values for σ ~ inn and μ ~ . (See Section 3.1 for the estimation method.) When attacking this tracing system, the best choice for the colluders is to use θSP as their strategy, for otherwise they get caught faster. We will assume that the colluders use θSP, which in the analysis leads to a ‘fixed’ threshold Z that only has meaning in this context.

- Hence, we analyze the tracing system consisting of the bias distribution (2) and the score system (7), when pitted against an unknown attack close to interleaving. Our starting point will be the ‘sufficient’ conditions given by Corollaries 1 and 2. We know that μ ~ SP = q 1 μ ~ and ( σ ~ inn 2 ) SP = q 1 + σ ~ inn 2 , and we have to carefully deal with the corrections μ ~ and σ ~ inn 2 . On the other hand, the σ ~ appears only in the logarithm in (51) and hence any corrections with respect to Lemma 5 can be neglected.

Corollary 1 and the condition μ ~ A σ ~ inn β > 0 together define an interval for the sufficient code length parameter ‘ Asuff,’
A suff σ ~ inn μ ~ β , 1 2 β 2 β 3 c 0 τ σ ~ inn .
(52)
This interval exists only if
β > 2 σ ~ inn μ ~ + 2 3 c 0 τ σ ~ inn ,
(53)
which yields
A suff > 2 σ ~ inn 2 μ ~ 2 + 2 3 c 0 τ μ ~ .
(54)
We must try to bring β and A as close as possible to the bounds (53, 54) while still satisfying the condition in the left hand side of (51). We introduce the following shorthand notation:
σ ~ inn μ ~ = 1 q 1 ( 1 + w ) , ψ = μ ~ A σ ~ inn β , σ ~ 2 c = q 1 + r ,
(55)

where w1, ψ1, r1. The w will be studied in the next section. The ψ we will solve approximately. The fact that r is small follows from Lemma 5. The expression 𝔼 [ 1 / p α ] in (34) is of order τκ−1; this leads to a contribution to σ ~ 2 / c of order τ κ /(c0τ), which is negligible compared to (q−1) since c0τ1 (see Section 4.1).

Theorem 5.

Let c0τ1 and c0τ21. Let the attackers employ a position-symmetric strategy close to interleaving. Let 2≤cc0. Then the following combination of a code length parameter A and threshold parameter β is sufficient to achieve PFPε1 and PFNε2.
β suff = 2 q 1 1 + w + 1 3 c 0 τ + O w c 0 τ
(56)
A suff = 2 q 1 1 + 2 w + 1 3 c 0 τ + ln ε 2 / ln ε 1 2 c 0 τ ln 1 c 0 τ 2 + O w 2 + O w c 0 τ .
(57)

Proof.

Using the parametrization (55), the condition in (51) can be written compactly as
c 0 τψ ln ψ e ( q 1 + r ) ln ε 2 ln ε 1 .
(58)
Taking the equal sign and solving for ψ gives (we denote the solution as ψ0)
ψ 0 = ln ε 2 ln ε 1 · 1 c 0 τ · 1 ln 1 e ( q 1 + r ) · ln ε 2 ln ε 1 · 1 c 0 τ ln ψ 0 e ( q 1 + r ) = ln ε 2 ln ε 1 · 1 c 0 τ · 1 ln 1 c 0 τ 2 + ln 1 e ( q 1 ) A ln ε 2 ln ε 1 O ( r ) + O ln ln ψ 0 τ = ln ε 2 ln ε 1 · 1 c 0 τ ln 1 c 0 τ 2 1 O ln ln 1 c 0 τ 2 ln 1 c 0 τ 2 < ln ε 2 ln ε 1 · 1 c 0 τ ln 1 c 0 τ 2 .
(59)
We take ψ = ln ε 2 ln ε 1 · 1 c 0 τ ln 1 c 0 τ 2 (last line of (59)), since it is a compact analytical expression that satisfies (58). We can now find the sufficient A and β. We write β suff = 2 σ ~ inn μ ~ + 2 3 c 0 τ σ ~ inn + λ , with λ arbitrarily close to zero. Solving A from β and ψ gives
A suff = β suff σ ~ inn μ ~ + ψ μ ~ = 2 q 1 1 + 2 w + 1 3 c 0 τ + ln ε 2 / ln ε 1 2 c 0 τ ln 1 c 0 τ 2 + O ( w 2 ) + O ( λ ) + O w c 0 τ ,
(60)

where we have used that μ ~ and σ ~ inn are of order w. Finally, we note that λ is much smaller than the other high-order correction terms.

Note that the condition c0τ21 is required in the above proof in order to make sure that the argument of the logarithm is well-behaved, i.e., larger than 1. Hence, when choosing τ we have to satisfy
Condition 1 c 0 τ 1 . Condition 2 c 0 τ 2 1 .
One way of satisfying these conditions is to set
τ c 0 γ with γ ( 1 2 , 1 ) .
(61)

5.2 Optimization of the cutoff τ as a function of c 0

Lemma 8 (adapted from [21]).

Let θy|m=θ y|m SP−m y /c. The first-order and second-order correction terms to μ ~ and σ ~ inn 2 in the vicinity of the saddle point are given by
μ ~ ( 1 ) = m c m y Q θ y | m m y B ( κ 1 q + m e y ) B ( κ 1 q ) = 𝔼 m y Q θ y | m ( 1 κ ) c + 1 m y ( 1 κ ) [ σ ~ inn 2 ] ( 1 ) = m c m y Q θ y | m B ( κ 1 q + m e y ) B ( κ 1 q ) = 𝔼 m y Q θ y | m c + 1 m y ( 1 κ ) μ ~ ( 2 ) = m c m y Q θ y | m m y B ( κ 1 q + m e y ) B ( κ 1 q ) B τ ( κ 1 q + m e y ) B τ ( κ 1 q ) [ σ ~ inn 2 ] ( 2 ) = m c m y Q θ y | m B ( κ 1 q + m e y ) B ( κ 1 q ) B τ ( κ 1 q + m e y ) B τ ( κ 1 q ) .
(62)
The first-order correction to μ ~ 2 / σ ~ inn 2 is zero because of the saddlepoint. The second-order correction to μ ~ 2 / σ ~ inn 2 is given by
μ ~ 2 σ ~ inn 2 ( 2 ) = 2 μ ~ ( 2 ) σ ~ inn 2 ( 2 ) + 1 q 1 μ ~ ( 1 ) [ σ ~ inn 2 ] ( 1 ) 2
(63)
= m c m y Q θ y | m ( 2 m y 1 ) B τ ( κ 1 q + m e y ) B τ ( κ 1 q ) + κ 2 q 1 ( [ σ ~ inn 2 ] ( 1 ) ) 2 .
(64)

Proof.

Equations 62 and 63 are a slight adaptation of the saddlepoint formulas in [21], where we have substituted the saddlepoint values μ ~ = q 1 and σ ~ inn 2 = q 1 . Note again that we have normalized the score function differently from [21] by a factor q 1 . Equation 64 follows from Equation 63 by using Equation 62.

Proposition 1.

The correction w is negligible compared to 1 c 0 τ .

Argumentation.

The w is proportional to (63) or, differently expressed, (64). In (64) we have the ( [ σ ~ inn 2 ] ( 1 ) ) 2 term which is of order (θ)2. The order of magnitude of the m contribution is more difficult to determine because the incomplete Dirichlet integral B τ (κ 1 q +me y ) is difficult to bound;b however, no matter how B τ (κ 1 q +me y ) is behaved, the m contribution is at most of order θ. Huang and Moulin [20] conjectured that θ = O ( 1 c ) , and this turned out to be consistent with their asymptotic saddlepoint analysis. If their conjecture is true, we have w 1 c 0 1 c 0 τ . Even if their conjecture is not true and θ scales as, for instance, 1 / c , then, w 1 / c 0 1 c 0 τ , i.e., w is still negligible. (The latter holds because τ scales as c 0 γ with γ > 1 2 .)

The consequences of Proposition 1 are the following: The optimal choice for the cutoff is to set
γ opt = 1 2 + ν
(65)
where ν denotes a very small positive number. The sufficient code length is then given by
A suff = 2 q 1 1 + O c 0 1 / 2 + ν .
(66)

Note that the correction term is smaller than the O c 0 1 / 3 that was found [5] for Tardos’s score function at q=2.

Conclusions

We have studied a q-ary bias-based collusion-resistant scheme where the score function (7) of Oosterwijk et al. [21] is used in combination with the Dirichlet distribution with a cutoff. We have used Bernstein’s inequality and Bennett’s inequality to upper bound the error rates. For large c0, this leads to a sufficient code length as specified in Theorem 5.

Then we adopted a conjecture (based on a conjecture by Huang and Moulin) that θ, the difference in strategy between the finite-c and infinite-c saddlepoint, is of order O ( 1 / c ) . This leads to an optimal cutoff choice τ = 1 / λ c 0 1 / 2 + ν , where λ>0 is a constant and ν is a very small positive constant. The sufficient code length is then
suff = 2 q 1 1 + λ c 0 1 2 + ν 1 3 + 1 4 ln ε 2 ln ε 1 1 ln ( c 0 ν λ ) + c 0 2 ln ε 1 1 ,
(67)
and the corresponding accusation threshold is
Z = 2 1 + 1 3 λ c 0 1 2 + ν + c 0 ln ε 1 1 .
(68)

From previous work on provable bounds for bias-based codes, it is clear that the bounds obtained from concentration inequalities (Markov, Bernstein, Bennett) are not tight.

As topics for future work, we mention the following: (i) obtaining tighter bounds - the CSE method [6] or similar techniques may yield more precise information about the error rates. (ii) Studying the performance of the score function (7) further away from the asymptotic saddlepoint. This would require locating (by numerical techniques) the saddlepoint for large but finite c. (iii) Applying the analysis in this paper in the context of dynamic traitor tracing, similar to the work in [27].

Endnotes

a Throughout this paper, the term asymptotic refers to the limit of large coalition size.

b The correction to the normalization factor is known. In [22] it was found that B τ ( κ 1 q ) = B ( κ 1 q ) [ 1 O ( τ κ ) ] .

Declarations

Acknowledgments

We thank Benne de Weger, Jeroen Doumen, and Thijs Laarhoven for useful discussions. Part of this work was supported by STW (project 10518).

Authors’ Affiliations

(1)
Eindhoven University of Technology

References

  1. G Tardos, in Proceedings of the 35th Annual ACM Symposium on Theory of Computing (STOC). Optimal probabilistic fingerprint codes, (2003), pp. 116–125.Google Scholar
  2. Blayer O, Tassa T: Improved versions of Tardos’ fingerprinting scheme. Des Codes Cryptography 2008, 48(1):79-103.MATHMathSciNetView ArticleGoogle Scholar
  3. T Furon, A Guyader, F Cérou, in Information Hiding, Lecture Notes in Computer Science, 5284. On the design and optimization of Tardos probabilistic fingerprinting codes (Springer, 2008), pp. 341–356.View ArticleGoogle Scholar
  4. Furon T, Pérez-Freire L, Guyader A, Cérou F: Estimating the minimal length of Tardos code. In Information Hiding, LNCS. Springer, Heidelberg; 2009:176-190.View ArticleGoogle Scholar
  5. Laarhoven T, de Weger BMM: Optimal symmetric Tardos traitor tracing schemes. Designs Codes Cryoptography 2011, 71: 83-103.MathSciNetView ArticleGoogle Scholar
  6. Simone A: Accusation probabilities in Tardos codes: beyond the Gaussian approximation. Des Codes Cryptography 2012, 63(3):379-412.MATHMathSciNetView ArticleGoogle Scholar
  7. Vladimirova TU, Celik MU, Talstra JC: Tardos fingerprinting is better than we thought. IEEE Trans. Inform. Theor 2008, 54(8):3663-3676.MathSciNetView ArticleGoogle Scholar
  8. YW Huang, P Moulin, in IEEE Workshop on Information Forensics and Security (WIFS). Capacity-achieving fingerprint decoding (London, 6–9 December 2009), pp. 51–55.Google Scholar
  9. K Nuida, in Information Hiding, LNCS, 6387. Short collusion-secure fingerprint codes against three pirates (Springer, 2010), pp. 86–102.View ArticleGoogle Scholar
  10. Nuida K, Fujitsu S, Hagiwara M, Kitagawa T, Watanabe H, Ogawa K, Imai H: An improvement of discrete Tardos fingerprinting codes. Des Codes Cryptography 2009, 52(3):339-362.MATHMathSciNetView ArticleGoogle Scholar
  11. E Amiri, G Tardos, in Proceedings of the 20th Annual ACM-SIAM Symposium on Discrete Algorithms (SODA). High rate fingerprinting codes and the fingerprinting capacity (New York, 4–6 January 2009), pp. 336–345.View ArticleGoogle Scholar
  12. A Charpentier, F Xie, C Fontaine, T Furon, in SPIE Proceedings on Media Forensics and Security, 7254. Expectation maximization decoding of Tardos probabilistic fingerprinting code (SPIE, 2009), p. 72540.View ArticleGoogle Scholar
  13. P Meerwald, T Furon, in Information Hiding, LNCS, 6958. Towards joint Tardos decoding: the ‘Don Quixote’ algorithm (Springer, 2011), pp. 28–42.View ArticleGoogle Scholar
  14. J-J Oosterwijk, Škorić B, J Doumen, in Information Hiding & Multimedia Security 2013. Optimal suspicion functions for Tardos traitor tracing schemes (Montpellier, 17–19 June 2013).Google Scholar
  15. A Charpentier, C Fontaine, T Furon, IJ Cox, in Information Hiding, LNCS, 6958. An asymmetric fingerprinting scheme based on Tardos codes (Springer, 2011), pp. 43–58.View ArticleGoogle Scholar
  16. Katzenbeisser S, Celik MU: Symmetric Tardos fingerprinting codes for arbitrary alphabet sizes. Des Codes Cryptography 2008, 46(2):137-166.MathSciNetView ArticleGoogle Scholar
  17. Katzenbeisser S, Schaathun HG, Celik MU: Tardos fingerprinting codes in the combined digit model. IEEE Trans. Inf. Forensics Secur 2011, 6(3):906-919.View ArticleGoogle Scholar
  18. F Xie, T Furon, C Fontaine, in Proceedings of the 10th Workshop on Multimedia & Security (MM&Sec). On-off keying modulation and Tardos fingerprinting (ACM, 2008), pp. 101–106.Google Scholar
  19. D Boesten, Škorić B, in Information Hiding 2011, LNCS, 6958. Asymptotic fingerprinting capacity for non-binary alphabets (Springer, 2011), pp. 1–13.Google Scholar
  20. Y-W Huang, P Moulin, in IEEE International Symposium on Information Theory (ISIT) 2012. On fingerprinting capacity games for arbitrary alphabets and their asymptotics (Cambridge, 1–6 July 2012), pp. 2571–2575.View ArticleGoogle Scholar
  21. J-J Oosterwijk, Škorić B, J Doumen, A capacity-achieving simple decoder for bias-based traitor tracing schemes (2013). http://eprint.iacr.org/2013/389 Accessed 5 August 2014.Google Scholar
  22. Škorić B, J-J Oosterwijk, Binary and q-ary Tardos codes, revisited. Designs, Codes, and Cryptography (2012). http://eprint.iacr.org/2012/249 Accessed 5 August 2014.Google Scholar
  23. T Laarhoven, BMM de Weger, in Information Hiding & Multimedia Security 2013 Discrete Distributions in the Tardos Scheme, Revisited, (2013).Google Scholar
  24. P Moulin, Universal fingerprinting: capacity and random-coding exponents (2008). http://arxiv.org/abs/0801.3837.Google Scholar
  25. SN Bernstein, Theory of Probability, (1927).Google Scholar
  26. Bennett G: Probability inequalities for the sum of independent random variables. J. Am. Stat. Assoc 1962, 57(297):33-45.MATHView ArticleGoogle Scholar
  27. T Laarhoven, J Doumen, P Roelse, Škorić B, B de Weger, Dynamic Tardos traitor tracing schemes. IEEE Trans. Inf. Theory. 59(7), 4230–4242.Google Scholar

Copyright

© Ibrahimi et al.; licensee Springer. 2014

This article is published under license to BioMed Central Ltd. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly credited.