# Riding the saddle point: asymptotics of the capacity-achieving simple decoder for bias-based traitor tracing

- Sarah Ibrahimi
^{1}, - Boris Škorić
^{1}Email author and - Jan-Jaap Oosterwijk
^{1}

**2014**:12

https://doi.org/10.1186/s13635-014-0012-6

© Ibrahimi et al.; licensee Springer. 2014

**Received: **27 January 2014

**Accepted: **28 July 2014

**Published: **15 August 2014

## Abstract

We study the asymptotic-capacity-achieving score function that was recently proposed by Oosterwijk et al. for bias-based traitor tracing codes. For the bias function, we choose the Dirichlet distribution with a cutoff. Using Bernstein’s inequality and Bennett’s inequality, we upper bound the false-positive and false-negative error probabilities. From these bounds we derive sufficient conditions for the scheme parameters. We solve these conditions in the limit of large coalition size *c*_{0} and obtain asymptotic solutions for the cutoff, the sufficient code length, and the corresponding accusation threshold. We find that the code length converges to its asymptote approximately as ${c}_{0}^{-1/2}$, which is faster than the ${c}_{0}^{-1/3}$ of Tardos’ score function.

### MSC

94B60

## Keywords

## Introduction

### 1.1 Traitor tracing

Forensic watermarking is a means for tracing unauthorized redistribution of digital content. Before distribution, the content is modified by embedding an imperceptible watermark, which plays the role of a personalized identifier. When an unauthorized copy of the content is found, a tracing algorithm outputs a list of suspicious users, based on the watermark detected in this copy.

The most powerful attacks against watermarking are *collusion attacks*, in which multiple attackers (the ‘coalition’) combine their differently watermarked versions of the same content; the observed differences point to the locations of the hidden marks and allow for a targeted attack.

*Collusion-resistant codes* have been specifically designed as a defense against collusion attacks: when codewords from such a code are embedded into the content, the surviving parts of the watermark, after the collusion attack, still contain enough information to identify (some of the) attackers, provided that the coalition is not too large.

In the past two decades, several types of collusion-resistant codes have been developed. The most popular type in the recent literature is the class of *bias-based* codes. These were introduced by G. Tardos in 2003. The code construction consists of two steps: first, a sequence of biases is generated, one for each position in the content; then, the watermark symbols for each user are randomly drawn according to these biases. The original paper [1] was followed by a flurry of activity, e.g., improved analyses [2]-[7], code modifications [8]-[10], decoder modifications [11]-[14], and various generalizations [15]-[18]. The advantage of bias-based versus deterministic codes is that they can achieve the asymptotically optimal relationship $\ell \propto {c}_{0}^{2}$ between the sufficient code length *ℓ* and the coalition size *c*_{0} to be resisted.

### 1.2 Capacity-achieving simple decoder

Two kinds of tracing algorithm can be distinguished: (i) *simple decoders*, which assign a score to single users independent of the watermarks of other users, and (ii) *joint decoders*[11]-[13], which assign scores to sets of users and are typically more powerful but also require more computational resources. Efficient joint decoders typically employ a simple decoder as a bootstrapping step.

*ℓ*as a function of the coalition size

*c*

_{0}to be resisted and the imposed low error rate. Equivalently, one can look at the

*fingerprinting rate*, which is defined as the fraction $\frac{\underset{q}{log}n}{\ell}$, where

*q*is the size of the alphabet and

*n*is the number of users. The numerator corresponds to the number of

*q*-ary symbols needed to point out one of the

*n*users; the denominator is the number of symbols used to convey this ‘message.’ Hence, the fingerprinting rate has a natural interpretation as the fraction of codeword symbols that actually encodes the ‘message,’ i.e., the identifying information that allows for tracing. The fingerprinting rate is a figure of merit that can be used to fairly compare codes which have different alphabet sizes. The

*fingerprinting capacity*, which can be computed information-theoretically, is an upper bound on the fingerprinting rate that can be achieved against colluders who employ an optimal strategy against the tracing scheme. It was found by Boesten and Škorić [19] that the asymptotic

^{a}capacity is given by

Huang and Moulin [20] found the location of the corresponding asymptotic *saddlepoint*: the strongest attack is the so-called interleaving attack, and the best bias distribution is the Dirichlet distribution with concentration parameter one half. (See Section 2.) For the colluders as well as the tracer, it is bad to depart from the saddlepoint. If the colluders move away from it, the tracer can achieve a higher fingerprinting rate; if the tracer moves away, the colluders can launch a stronger attack which reduces the rate.

Oosterwijk et al. [21] devised a simple decoder that reaches asymptotic capacity. The possibility of such an achievement was foreseen in [20], where it was shown that the simple decoder capacity becomes equal to the joint decoder capacity as *c*_{0} goes to infinity.

### 1.3 Contributions and outline

In this paper we analyze the performance of the capacity-achieving simple decoder of [21] in the Restricted Digit Model:

• Following the approach of [22], we use Bernstein’s inequality and Bennett’s inequality to upper bound the false-positive and false-negative error probability, respectively. From these bounds, we derive conditions on the code parameters (code length, cutoff, threshold) such that the error probabilities are sufficiently low.

• We determine the asymptotics of the sufficient code length in the direct vicinity of the saddlepoint.

• We find that the optimal choice for the cutoff *τ* is given by $\tau \propto {c}_{0}^{-\gamma}$, with *γ* slightly larger than one half. With this choice, the code length approaches its saddlepoint value with a correction term of order ${c}_{0}^{\gamma -1}\approx {c}_{0}^{-1/2}$. Thus, convergence to the limit is faster than in the case of the binary Tardos score, where the correction is of order ${c}_{0}^{-1/3}$[5].

• Our analysis yields a recipe for placing the accusation threshold as a function of the innocent user score variance. This differs from the case of the Tardos score function [1],[16], where the threshold is fixed.

In Section 2 we briefly review bias-based traitor tracing, the asymptotic saddlepoint, and the asymptotic-capacity-achieving score function. We also list the inequalities of Bernstein and Bennett. In Section 3 we study the statistical properties of an innocent user’s score and the coalition’s collective score. In Section 4 we derive the bounds on the error rates and the sufficient conditions on the code parameters. The asymptotics of the sufficient code length are treated in Section 5.

## Preliminaries

### 2.1 Bias-based tracing using the asymptotically optimal simple decoder

#### 2.1.1 Notation

The number of users is denoted as *n*, and the code length (the number of positions in the content) as *ℓ*. We define [ *n*]={1,…,*n*}. The alphabet is $\mathcal{Q}$, with size $\left|\mathcal{Q}\right|=q$. The symbols in the alphabet have no natural ordering. The bias in position *i* is denoted as p^{(i)}. The bias is a *q*-dimensional vector, with components ${p}_{\alpha}^{\left(i\right)}\in [\phantom{\rule{0.3em}{0ex}}\tau ,1-(q-1\left)\tau \right]$, $\alpha \in \mathcal{Q}$. The parameter *τ*≪1 is called the cutoff. For each *i* the bias satisfies |p^{(i)}|=1, where |⋯| denotes the 1-norm, i.e., $\sum _{\alpha \in \mathcal{Q}}{p}_{\alpha}^{\left(i\right)}=1$. We will often use multi-index notation: for a scalar *z*, the notation p^{
z
} stands for $\prod _{\alpha \in \mathcal{Q}}{p}_{\alpha}^{z}$; for a vector m, the notation p^{
m
} stands for $\prod _{\alpha \in \mathcal{Q}}{p}_{\alpha}^{{m}_{\alpha}}$. We introduce the *q*-component vector **1**_{
q
}=(1,1,…,1). The notation *δ*_{
x
y
} stands for the Kronecker delta.

#### 2.1.2 Code generation

^{(i)}are drawn independently from a (truncated) Dirichlet distribution

*F*with concentration parameter

*κ*>0,

The *δ* in the integral is a Dirac delta function; it ensures that the condition |p|=1 is enforced. The *τ* is called the cutoff parameter. Note that *p*_{
α
}∈[ *τ*,1−(*q*−1)*τ*]. Therefore, *τ*≤1/*q* must hold, for otherwise the interval is empty (and we would get |p|>1).

For *τ*=0 the normalization constant (3) evaluates to a generalized beta function. Let z∈(0,*∞*)^{
q
} be a vector; then the beta function *B*(z) is defined as $B\left(\mathit{z}\right)=\left[\prod _{\alpha}\Gamma \right]/\Gamma \left(\sum _{\beta}{z}_{\beta}\right)$, where *Γ* is the gamma function. Hence *B*_{0}(*κ* **1**_{
q
})=*B*(*κ* **1**_{
q
})=[ *Γ*(*κ*)]^{
q
}/*Γ*(*q* *κ*).

In the asymptotic saddlepoint, it holds that *τ*=0 and *κ*=1/2. For large but finite *c*_{0}, the saddlepoint lies close to the asymptotic saddlepoint, but it is not known exactly where. It is known that for finite *c*_{0}, the optimal bias distribution is a *discrete* distribution [8],[10],[23], with a number of discrete *p*_{
α
} values proportional to *c*_{0}. In spite of this, we will use the continuous probability density (2). Our motivation is that we only investigate asymptotics. The cutoff *τ* will depend on *c*_{0}.

The code word assigned to user *j* is denoted as a row vector *X*_{
j
}=(*X*_{j 1},…,*X*_{
j
ℓ
}). The set of codewords is arranged in a code matrix *X*. The elements of the code matrix are independently generated according to the biases p^{(1)},…,p^{(ℓ)} as follows: $Pr[\phantom{\rule{0.3em}{0ex}}{X}_{\mathit{\text{ji}}}=\alpha ]={p}_{\alpha}^{\left(i\right)}$.

#### 2.1.3 Collusion attack

*c*and the parameter

*c*

_{0}in the code construction, which is the maximum coalition size that can be resisted. The colluders see a submatrix ${X}_{\mathcal{C}}$ of

*X*. The symbol ‘tallies’ are defined as follows:

*α*in position

*i*. Based on ${X}_{\mathcal{C}}$, the colluders produce an output y=(

*y*

_{1},…,

*y*

_{ ℓ }). For our analysis we adopt the Restricted Digit Model as the attack model: for any

*i*∈[

*ℓ*], the output

*y*

_{ i }is only allowed to be a symbol that the colluders have observed in position

*i*. The strategy for choosing an output is allowed to be probabilistic. We adopt a number of frequently made assumptions about the attack strategy:

- 1.
*Symbol symmetry*. The strategy is invariant under permutation of the alphabet for each position independently. This assumption is motivated by the lack of a natural ordering of the alphabet. - 2.
*Colluder symmetry*. The strategy is invariant under permutation of the colluders. (In other words, the colluders equally share the risk.) This assumption is motivated by the fact that breaking colluder symmetry will make it easier for the tracer to find at least one colluder. - 3.
*Position symmetry*. The same strategy is applied in each position*i*∈[*ℓ*], and it does not depend on any*X*_{ j k }values with*k*≠*i*. Motivation: asymptotically the optimal attack must be position-symmetric [24].

*i*, the probability of outputting symbol

*y*

_{ i }is a function of only m

^{(i)}. Omitting the position index, this is denoted as

In other words, *Ψ*_{
b
}(x) is the coalition’s probability of outputting a symbol given that it has tally *b* and that the other tallies are x. The probability *Ψ*_{
b
}(x) is invariant under permutation of x.

#### 2.1.4 Simple decoder

*X*, he tries to find at least one colluder. The asymptotic-capacity-achieving simple decoder of [21] works as follows: for each user

*j*∈[

*n*], a score ${S}_{j}=\sum _{i\in \left[\ell \right]}{S}_{j}^{\left(i\right)}$ is computed, where

*h*differently from [21], by a factor $\sqrt{q-1}$, for notational brevity. The score function (7) has the special property of being ‘strongly centered’: for any p and

*y*(we are omitting the position index), the expected score of an innocent user is zero.

*Z*,

Whereas the Tardos scheme uses a fixed threshold, the score function *h* leads to a more complicated scheme where *Z* must be chosen as a function of the biases and the observed tallies and colluder outputs (see Section 3.1).

#### 2.1.5 Measuring the performance

*P*

_{FP}defined as the probability that a fixed innocent user gets added to $\mathcal{\mathcal{L}}$, and a false-negative, with

*P*

_{FN}defined as the probability that none of the colluders is found:

The tracer demands that *P*_{FP}≤*ε*_{1} and *P*_{FN}≤*ε*_{2}, where *ε*_{1} and *ε*_{2} are constants, typically with *ε*_{1}≪*ε*_{2}.

*ℓ*and threshold

*Z*are often parametrized as

This parametrization is motivated by the fact that asymptotically, for the Tardos code, *A* and *B* can be considered as constants. The relationship between the code length parametrization (12) and the fingerprinting rate is as follows. The rate is $R=\left(\underset{q}{log}n\right)/\ell =(lnn)/\left(A\underset{0}{\overset{2}{c}}lnqln\underset{1}{\overset{-1}{\epsilon}}\right)$. Let $\eta =Pr[\phantom{\rule{0.3em}{0ex}}\mathcal{\mathcal{L}}\setminus \mathcal{C}\ne \varnothing ]$, i.e., the probability that at least one innocent user ends up in the list $\mathcal{\mathcal{L}}$. The *η* is a fixed small number (e.g., 10^{−6}) that does not depend on *n*. It can be shown (Lemma 6 in [22]) for *n*≫1, *c*≪*n* that *ε*_{1}≈*η*/*n*. Then, $ln\underset{1}{\overset{-1}{\epsilon}}\approx lnn-ln\eta \approx lnn$. (In the last approximation, we used that *η* is fixed.) Asymptotically, the rate satisfies $R\sim 1/\left(A{c}_{0}^{2}lnq\right)$.

##### Definition 1.

Here stands for the expectation over all the probabilistic degrees of freedom: the biases p^{(i)}, the code matrix *X*, and the coalition output y. (The ‘tilde’ notation indicates that there is an average over positions.) Note that ${\stackrel{~}{\mu}}_{\text{inn}}=0$, as shown in (8).

*Remark*If assumption 3 holds (position symmetry, Section 2.1.3) then in Definition 1 the average over the positions is not necessary; in every position $\mathbb{\mathbb{E}}[\cdots \phantom{\rule{0.3em}{0ex}}]$ has the same value. In this paper, we introduce a rescaled version (

*β*) of the threshold parameter

*B*,

It will turn out that it is more natural to use the quantity *β* than *B*.

In the asymptotic saddlepoint, the tracer uses the bias distribution (2) with *τ*=0, while the coalition strategy is the *interleaving attack*, *θ*_{y|m}=*m*_{
y
}/*c*. In the asymptotic saddlepoint, it holds [21] that ${\stackrel{~}{\mu}}^{2}/{\stackrel{~}{\sigma}}_{\text{inn}}^{2}=q-1$.

### 2.2 Computing expectations

*x*as shorthand for

*X*

_{ j i }for a fixed innocent user $j\notin \mathcal{C}$.

Here *P*_{1}(*b*) is a marginal probability for a single fixed symbol to have tally *b*. The quantity *K*_{
b
} is the probability, given that a certain symbol has tally *b*, for the colluders to output that symbol; i.e., for arbitrary fixed *α*, we have *K*_{
b
}= Pr[*y*=*α*|*m*_{
α
}=*b*]. The sum rule $\sum _{b}{P}_{1}\left(b\right){K}_{b}=1/q$ holds [6], since the overall probability of outputting *y*=*α* is 1/*q*.

### 2.3 Concentration inequalities

#### Lemma 1 (Bernstein’s inequality [25]).

*a*>0 be a constant. Let

*U*

_{1},…,

*U*

_{ ℓ }be independent zero-mean random variables, with |

*U*

_{ i }|≤

*a*for all

*i*. Let

*Z*≥0. Then,

#### Lemma 2 (Bennett’s inequality [26]).

*b*>0 be a constant. Let

*Y*

_{1},…,

*Y*

_{ ℓ }be independent zero-mean random variables, with |

*Y*

_{ i }|≤

*b*for all

*i*. Let ${s}^{2}=\frac{1}{\ell}\sum _{i=1}^{\ell}\mathbb{\mathbb{E}}\left[\phantom{\rule{0.3em}{0ex}}{Y}_{i}^{2}\right]$. Let the function

*ξ*be defined as

*T*≥0. Then,

#### Property 1.

*ξ*in Lemma 2 can be lower bounded as

#### Proof.

For *v*>0, we have $\xi \left(v\right)=\underset{0}{\overset{v}{\int}}\phantom{\rule{0.3em}{0ex}}\text{d}x\phantom{\rule{2.77626pt}{0ex}}ln(1+x)>\underset{0}{\overset{v}{\int}}\phantom{\rule{0.3em}{0ex}}\text{d}x\phantom{\rule{2.77626pt}{0ex}}lnx=vln\frac{v}{e}$.

#### Lemma 3 (weaker form of Bennett’s inequality).

*b*>0 be a constant. Let

*Y*

_{1},…,

*Y*

_{ ℓ }be independent zero-mean random variables, with |

*Y*

_{ i }|≤

*b*for all

*i*. Let ${s}^{2}=\frac{1}{\ell}\sum _{i=1}^{\ell}\mathbb{\mathbb{E}}\left[\phantom{\rule{0.3em}{0ex}}{Y}_{i}^{2}\right]$. Let

*T*>0. Then

#### Proof.

We substitute Property 1 in Lemma 2. This is allowed since the argument of *ξ* is positive.

## Statistics of the innocent score and coalition score

We study the moments of the innocent score and coalition score in two cases: (i) interleaving attack and arbitrary bias distribution and (ii) the bias distribution is the Dirichlet distribution with *τ*=0 and arbitrary concentration parameter *κ*; the attack is arbitrary.

These two scenarios represent two different ways of departing from the asymptotic saddlepoint. In the first one, the bias distribution is varied. In the second one, not only the attack is varied but also a limited change of the bias distribution is allowed (*κ*).

The results of this section do not all contribute directly to the analysis of the sufficient code length in Section 5, but they are important in their own right since they elucidate how the score moments behave in a variety of circumstances.

### 3.1 General result for the moments

We investigate the first and second moments of an innocent user’s score and of the coalition score. We begin with a general result for position-symmetric colluder strategies. Then, we look more specifically at the interleaving attack.

#### Lemma 4.

#### Proof.

We start from Definition 1. In all three definitions, the summation over *i* merely yields a factor *ℓ* which cancels against the factor 1/*ℓ* in front of the summation. Thus, for ${\stackrel{~}{\sigma}}_{\text{inn}}^{2}$ we can write, for arbitrary index *i*, and recalling that ${\stackrel{~}{\mu}}_{\text{inn}}=0$, ${\stackrel{~}{\sigma}}_{\text{inn}}^{2}=\mathbb{\mathbb{E}}{\left({S}_{j}^{\left(i\right)}\right)}^{2}={\mathbb{\mathbb{E}}}_{\mathit{p}}{\mathbb{\mathbb{E}}}_{y|\mathit{p}}{\mathbb{\mathbb{E}}}_{x|\mathit{p}}{(-1+{\delta}_{\mathit{\text{xy}}}/{p}_{y})}^{2}$$={\mathbb{\mathbb{E}}}_{\mathit{p}}{\mathbb{\mathbb{E}}}_{y|\mathit{p}}{\mathbb{\mathbb{E}}}_{x|\mathit{p}}\left(1-2{\delta}_{\mathit{\text{xy}}}/{p}_{y}+{\delta}_{\mathit{\text{xy}}}/{p}_{y}^{2}\right)$$=1-2{\mathbb{\mathbb{E}}}_{\mathit{p}}{\mathbb{\mathbb{E}}}_{y|\mathit{p}}1+{\mathbb{\mathbb{E}}}_{\mathit{p}}{\mathbb{\mathbb{E}}}_{y|\mathit{p}}1/{p}_{y}$$=-1+\mathbb{\mathbb{E}}1/{p}_{y}$. The results for $\stackrel{~}{\mu}$ and $\stackrel{~}{\sigma}$ follow directly from the fact that ${S}_{\mathcal{C}}^{\left(i\right)}=({m}_{y}/{p}_{y}-c)=({m}_{y}-{\mathit{\text{cp}}}_{y})/{p}_{y}$.

Note that Lemma 4 allows the tracer to obtain an estimate of the score moments: he can replace the by an empirical average over the codeword positions.

### 3.2 The case of the interleaving attack

#### Lemma 5.

where $\alpha \in \mathcal{Q}$ is arbitrary.

#### Proof.

For the interleaving attack, we have$\mathbb{\mathbb{E}}[\cdots \phantom{\rule{0.3em}{0ex}}]={\mathbb{\mathbb{E}}}_{\mathit{p}}{\mathbb{\mathbb{E}}}_{\mathit{m}|\mathit{p}}\sum _{y}({m}_{y}/c)[\cdots \phantom{\rule{0.3em}{0ex}}]=\sum _{y}{\mathbb{\mathbb{E}}}_{\mathit{p}}{\mathbb{\mathbb{E}}}_{\mathit{m}|\mathit{p}}\left(\frac{{m}_{y}-{\mathit{\text{cp}}}_{y}}{c}+{p}_{y}\right)[\cdots \phantom{\rule{0.3em}{0ex}}]$.We will make use of the binomial properties${\mathbb{\mathbb{E}}}_{\mathit{m}|\mathit{p}}{m}_{\alpha}={\mathit{\text{cp}}}_{\alpha}$, ${\mathbb{\mathbb{E}}}_{\mathit{m}|\mathit{p}}{({m}_{\alpha}-{\mathit{\text{cp}}}_{\alpha})}^{2}={\mathit{\text{cp}}}_{\alpha}(1-{p}_{\alpha})$ and ${\mathbb{\mathbb{E}}}_{\mathit{m}|\mathit{p}}{({m}_{\alpha}-{\mathit{\text{cp}}}_{\alpha})}^{3}={\mathit{\text{cp}}}_{\alpha}(1-{p}_{\alpha})(1-2{p}_{\alpha})$.For $\stackrel{~}{\mu}$ this gives $\stackrel{~}{\mu}=\sum _{y}{\mathbb{\mathbb{E}}}_{\mathit{p}}{\mathbb{\mathbb{E}}}_{\mathit{m}|\mathit{p}}\left[\frac{{({m}_{y}-{\mathit{\text{cp}}}_{y})}^{2}}{{\mathit{\text{cp}}}_{y}}+{m}_{y}-{\mathit{\text{cp}}}_{y}\right]$$={\mathbb{\mathbb{E}}}_{\mathit{p}}\sum _{y}(1-{p}_{y})+0=q-1$.Furthermore, ${\stackrel{~}{\sigma}}_{\text{inn}}^{2}=-1+{\mathbb{\mathbb{E}}}_{\mathit{p}}\sum _{y}{\mathbb{\mathbb{E}}}_{\mathit{m}|\mathit{p}}\left[\frac{{m}_{y}}{{\mathit{\text{cp}}}_{y}}\right]=-1+{\mathbb{\mathbb{E}}}_{\mathit{p}}\sum _{y}1=q-1$.Finally, ${\stackrel{~}{\mu}}^{2}+{\stackrel{~}{\sigma}}^{2}=\sum _{y}{\mathbb{\mathbb{E}}}_{\mathit{p}}{\mathbb{\mathbb{E}}}_{\mathit{m}|\mathit{p}}\left[\frac{{({m}_{y}-{\mathit{\text{cp}}}_{y})}^{3}}{c{p}_{y}^{2}}+\frac{{({m}_{y}-{\mathit{\text{cp}}}_{y})}^{2}}{{p}_{y}}\right]$$={\mathbb{\mathbb{E}}}_{\mathit{p}}\sum _{y}\left[\frac{(1-{p}_{y})(1-2{p}_{y})}{{p}_{y}}+c(1-{p}_{y})\right]$$=c(q-1)-3q+2+\sum _{y}{\mathbb{\mathbb{E}}}_{\mathit{p}}\frac{1}{{p}_{y}}$.

#### Remark 1.

Part of Lemma 5 ($\stackrel{~}{\mu}$ and ${\stackrel{~}{\sigma}}_{\text{inn}}$) was already done in [21]. We show the proof again because of our modified normalization of the score function.

#### Remark 2.

The result for ${\stackrel{~}{\mu}}_{\text{Int}}$ and ${\left({\stackrel{~}{\sigma}}_{\text{inn}}^{2}\right)}_{\text{Int}}$ does not depend on the bias distribution *F*, but ${\stackrel{~}{\sigma}}_{\text{Int}}$ does.

#### Remark 3.

In the large-*c* limit, the variance of the coalition score tends to be large due to the *c*(*q*−1) term as well as the expression $\mathbb{\mathbb{E}}[\phantom{\rule{0.3em}{0ex}}1/{p}_{\alpha}]$ which blows up when *τ* becomes small.

### 3.3 Taking the Dirichlet distribution with cutoff τ=0

#### Lemma 6.

*τ*=0. Let the coalition use a strategy that is colluder-symmetric and position-symmetric. Then the quantities $\stackrel{~}{\mu}$ and ${\stackrel{~}{\sigma}}_{\text{inn}}$ can be written as

#### Proof.

*J*(

*m*

_{ y }), we can write $\mathbb{\mathbb{E}}\left[J\right({m}_{y})/{p}_{y}]={\mathbb{\mathbb{E}}}_{\mathit{p}}\sum _{\mathit{m}}\left(\genfrac{}{}{0ex}{}{c}{\mathit{m}}\right){\mathit{p}}^{\mathit{m}}\sum _{y}{\theta}_{y|\mathit{m}}\frac{J\left({m}_{y}\right)}{{p}_{y}}$$=\sum _{\mathit{m}}\left(\genfrac{}{}{0ex}{}{c}{\mathit{m}}\right)\sum _{y}{\theta}_{y|\mathit{m}}J\left({m}_{y}\right){\mathbb{\mathbb{E}}}_{\mathit{p}}{\mathit{p}}^{\mathit{m}}/{p}_{y}$. For

*τ*=0, we have

Setting *J*(*m*_{
y
})=*m*_{
y
} for $\stackrel{~}{\mu}$ and *J*(*m*_{
y
})=1 for ${\stackrel{~}{\sigma}}_{\text{inn}}^{2}$ yield (35) and (36). The final step is to notice that $\mathbb{\mathbb{E}}\left[J\left({m}_{y}\right)/{p}_{y}\right]={\mathbb{\mathbb{E}}}_{\mathit{m}}{\mathbb{\mathbb{E}}}_{y|\mathit{m}}\left[\frac{\mathrm{q\kappa}+c-1}{\kappa +{m}_{y}-1}J\left({m}_{y}\right)\right]$ which can be rewritten as $q\sum _{b}{P}_{1}\left(b\right){K}_{b}\frac{\mathrm{q\kappa}+c-1}{\kappa +b-1}J\left(b\right)$ if the strategy is symbol-symmetric.

#### Theorem 1.

Let *c*≫1 and *κ*∈(0,1). Let the coalition use a strategy that is colluder-symmetric and position-symmetric. Then, both quantities $\stackrel{~}{\mu}$ and ${\stackrel{~}{\sigma}}_{\text{inn}}$ are maximized by the minority voting attack and minimized by the majority voting attack.

#### Proof.

For *c*≫1, we can use the *τ*=0 approximation for $\stackrel{~}{\mu}$ and ${\stackrel{~}{\sigma}}_{\text{inn}}$, i.e., Lemma 6. In (35) and (36), the *θ*_{y|m} in the *y* summation multiplies a *decreasing* function of *m*_{
y
}. Hence, the summand is maximized by outputting a symbol *y* with tally *m*_{
y
} as small as possible (but nonzero because of the marking assumption) and, *vice versa*, minimized by outputting the symbol with the largest tally.

Theorem 1 gives insight into the trade-offs that the colluders have to deal with. They want to minimize $\stackrel{~}{\mu}$ and to maximize ${\stackrel{~}{\sigma}}_{\text{inn}}$, since this leads to high error rates. However, the strategy that optimizes $\stackrel{~}{\mu}$ for them is the worst possible strategy regarding ${\stackrel{~}{\sigma}}_{\text{inn}}$ and *vice versa*. The interleaving attack at the saddlepoint is ‘in the middle’ between minority voting and majority voting.

#### Lemma 7.

*τ*=0. Let the coalition use a strategy that is colluder-symmetric and position-symmetric. Then $\stackrel{~}{\mu}$ and ${\stackrel{~}{\sigma}}_{\text{inn}}$ can be bounded as

#### Proof.

For *m*_{
y
}∈{1,…,*c*}, we have $\frac{1}{\kappa +c-1}\le \frac{1}{\kappa +{m}_{y}-1}\le \frac{1}{\kappa}$. We substitute these inequalities into (35) and (36). Finally, we use $\sum _{y}{\theta}_{y|\mathit{m}}=1$.

*Remark* It is possible to obtain a tighter upper bound by treating the *m*_{
y
}=*c* term separately in (35),(36), since then *θ*_{y|m}=1. However, the improvement of the tightness is minimal.

## Bounding the error probabilities

We use Bernstein’s inequality and Bennett’s inequality to upper bound the false-positive and false-negative error probability, respectively.

### 4.1 Bounding the false-positive probability

#### Theorem 2.

*q*≥2. Let the coalition use any attack strategy. Then the false-positive probability for a fixed innocent user can be bounded as

#### Proof.

*any*coalition strategy, even one that breaks the position symmetry, the single-position scores ${S}_{j}^{\left(i\right)}$ for the

*innocent*user are mutually independent [1]. Hence, we are allowed to use Bernstein’s inequality. In Lemma 1 we set ${U}_{i}={S}_{j}^{\left(i\right)}$ for the innocent user. This is allowed since ${S}_{j}^{\left(i\right)}$ has zero expectation value. We have

*τ*≤1/

*q*(see Section 2.1.2). Thus, we are allowed to set

*a*=1/

*τ*in Lemma 1. Furthermore, we note that by definition $\mathbb{\mathbb{E}}\left[\phantom{\rule{0.3em}{0ex}}{U}_{i}^{2}\right]={\stackrel{~}{\sigma}}_{\text{inn}}^{2}$ for all

*i*. Lemma 1 then gives

Substituting *a*=1/*τ*, $\ell =A{c}_{0}^{2}ln\frac{1}{{\epsilon}_{1}}$ and $Z=\beta {\stackrel{~}{\sigma}}_{\text{inn}}{c}_{0}ln\frac{1}{{\epsilon}_{1}}$ finish the proof.

*Remark* In (42), we see that the bound on *P*_{FP} is a *decreasing* function of the product *c*_{0}*τ*. Hence, it is advantageous to set *τ* such that *c*_{0}*τ*≫1.

#### Corollary 1.

*q*≥2 and

*τ*≤1/2. Let the coalition use any attack strategy. Then, it holds that

#### Proof.

The proof follows directly from Theorem 2.

### 4.2 Bounding the false-negative probability

#### Theorem 3.

*q*≥2. Let the coalition employ a

*position-symmetric*strategy. Let $\stackrel{~}{\mu}A{c}_{0}-{\stackrel{~}{\sigma}}_{\text{inn}}\mathrm{\beta c}>0$. Let

*τ*satisfy

#### Proof.

*b*=

*c*/

*τ*. The choice for

*b*follows from

where the last equality is a consequence of the assumption (46). We can see that the *T* is positive from the assumption $\stackrel{~}{\mu}A{c}_{0}-{\stackrel{~}{\sigma}}_{\text{inn}}\mathrm{\beta c}>0$.

Notice that at *c*≫*c*_{0} Theorem 3 no longer applies, because the condition $\stackrel{~}{\mu}A{c}_{0}-{\stackrel{~}{\sigma}}_{\text{inn}}\mathrm{\beta c}>0$ cannot be satisfied. In practical terms, this means that for *c*>*c*_{0}, the FN probability is no longer under control, and the colluders may evade detection with high probability.

#### Theorem 4.

*q*≥2. Let the coalition employ a

*position-symmetric*strategy. Let 2≤

*c*≤

*c*

_{0}. Let $\stackrel{~}{\mu}A-{\stackrel{~}{\sigma}}_{\text{inn}}\beta >0$. Let $\tau \le 2/(2+\stackrel{~}{\mu})$. Then the false-negative probability can be bounded as

#### Proof.

We start from Theorem 3. Due to the conditions *c*≤*c*_{0} and $\stackrel{~}{\mu}A-{\stackrel{~}{\sigma}}_{\text{inn}}\beta >0$, the condition $\stackrel{~}{\mu}A{c}_{0}-{\stackrel{~}{\sigma}}_{\text{inn}}\mathrm{\beta c}>0$ in Theorem 3 holds. Due to *c*≥2 and $\tau <2/(2+\stackrel{~}{\mu})$, the condition (46) holds. Since all the conditions are satisfied, we are allowed to apply Theorem 3. Finally, we make use of the fact that the expression (47) is an *increasing* function of *c* for *c*≤*c*_{0}.

#### Corollary 2.

*q*≥2. Let the coalition employ a

*position-symmetric*strategy. Let 2≤

*c*≤

*c*

_{0}. Let $\stackrel{~}{\mu}A-{\stackrel{~}{\sigma}}_{\text{inn}}\beta >0$. Let $\tau \le 2/(2+\stackrel{~}{\mu})$. Then it holds that

#### Proof.

Follows directly from Theorem 4.

## Asymptotics of the sufficient code length

The main aim of this paper is to determine the performance of the score system (7) at large but finite *c*_{0}. The performance at ‘ *c*_{0}=*∞*’ is known: the saddlepoint is given by the interleaving attack, combined with the $\kappa =\frac{1}{2}$ Dirichlet distribution (with *τ*=0) as the bias distribution; in this saddlepoint, the rate of the score system is equal to capacity. What we want to know is how the fingerprinting rate approaches capacity and how to optimally choose the cutoff *τ* as a function of *c*_{0}.

### 5.1 Sufficient code length

We aim for an analysis in the (unknown!) large-but-finite- *c*_{0} saddlepoint:

- The saddlepoint (‘SP’) of the mutual information minimax game [20] is close to the asymptotic saddlepoint. The unknown strategy *θ*^{SP} is close to interleaving. The unknown bias distribution *F*^{SP}(p) is some *discrete* distribution close to the Dirichlet distribution. We approximate *F* by the continuous Dirichlet distribution with cutoff *τ* because this is the only available constructive approach that we know of.

- A practical tracing system that uses the score function (7) cannot have a fixed threshold *Z* like the Tardos scheme, since the score statistics strongly depend on the colluder strategy. The threshold has to be chosen as a function of estimated values for ${\stackrel{~}{\sigma}}_{\text{inn}}$ and $\stackrel{~}{\mu}$. (See Section 3.1 for the estimation method.) When attacking this tracing system, the best choice for the colluders is to use *θ*^{SP} as their strategy, for otherwise they get caught faster. We will assume that the colluders use *θ*^{SP}, which in the analysis leads to a ‘fixed’ threshold *Z* that only has meaning in this context.

- Hence, we analyze the tracing system consisting of the bias distribution (2) and the score system (7), when pitted against an unknown attack close to interleaving. Our starting point will be the ‘sufficient’ conditions given by Corollaries 1 and 2. We know that ${\stackrel{~}{\mu}}^{\text{SP}}=q-1-\u25b3\stackrel{~}{\mu}$ and ${\left({\stackrel{~}{\sigma}}_{\text{inn}}^{2}\right)}^{\text{SP}}=q-1+\u25b3{\stackrel{~}{\sigma}}_{\text{inn}}^{2}$, and we have to carefully deal with the corrections $\u25b3\stackrel{~}{\mu}$ and $\u25b3{\stackrel{~}{\sigma}}_{\text{inn}}^{2}$. On the other hand, the $\stackrel{~}{\sigma}$ appears only in the logarithm in (51) and hence any corrections with respect to Lemma 5 can be neglected.

*A*

_{suff},’

*β*and

*A*as close as possible to the bounds (53, 54) while still satisfying the condition in the left hand side of (51). We introduce the following shorthand notation:

where *w*≪1, *ψ*≪1, *r*≪1. The *w* will be studied in the next section. The *ψ* we will solve approximately. The fact that *r* is small follows from Lemma 5. The expression $\mathbb{\mathbb{E}}[1/{p}_{\alpha}]$ in (34) is of order *τ*^{κ−1}; this leads to a contribution to ${\stackrel{~}{\sigma}}^{2}/c$ of order *τ*^{
κ
}/(*c*_{0}*τ*), which is negligible compared to (*q*−1) since *c*_{0}*τ*≫1 (see Section 4.1).

#### Theorem 5.

*c*

_{0}

*τ*≫1 and

*c*

_{0}

*τ*

^{2}≪1. Let the attackers employ a position-symmetric strategy close to interleaving. Let 2≤

*c*≤

*c*

_{0}. Then the following combination of a code length parameter

*A*and threshold parameter

*β*is sufficient to achieve

*P*

_{FP}≤

*ε*

_{1}and

*P*

_{FN}≤

*ε*

_{2}.

#### Proof.

*ψ*gives (we denote the solution as

*ψ*

_{0})

*A*and

*β*. We write ${\beta}_{\text{suff}}=2\frac{{\stackrel{~}{\sigma}}_{\text{inn}}}{\stackrel{~}{\mu}}+\frac{2}{3{c}_{0}\tau {\stackrel{~}{\sigma}}_{\text{inn}}}+\lambda $, with

*λ*arbitrarily close to zero. Solving

*A*from

*β*and

*ψ*gives

where we have used that $\u25b3\stackrel{~}{\mu}$ and $\u25b3{\stackrel{~}{\sigma}}_{\text{inn}}$ are of order *w*. Finally, we note that *λ* is much smaller than the other high-order correction terms.

*c*

_{0}

*τ*

^{2}≪1 is required in the above proof in order to make sure that the argument of the logarithm is well-behaved, i.e., larger than 1. Hence, when choosing

*τ*we have to satisfy

### 5.2 Optimization of the cutoff τ as a function of c_{
0
}

#### Lemma 8 (adapted from [21]).

*θ*

_{y|m}=

*θ*

*y*|m SP−

*m*

_{ y }/

*c*. The first-order and second-order correction terms to $\stackrel{~}{\mu}$ and ${\stackrel{~}{\sigma}}_{\text{inn}}^{2}$ in the vicinity of the saddle point are given by

#### Proof.

Equations 62 and 63 are a slight adaptation of the saddlepoint formulas in [21], where we have substituted the saddlepoint values $\stackrel{~}{\mu}=q-1$ and ${\stackrel{~}{\sigma}}_{\text{inn}}^{2}=q-1$. Note again that we have normalized the score function differently from [21] by a factor $\sqrt{q-1}$. Equation 64 follows from Equation 63 by using Equation 62.

#### Proposition 1.

The correction *w* is negligible compared to $\frac{1}{{c}_{0}\tau}$.

#### Argumentation.

The *w* is proportional to (63) or, differently expressed, (64). In (64) we have the ${\left({\left[{\stackrel{~}{\sigma}}_{\text{inn}}^{2}\right]}_{\left(1\right)}\right)}^{2}$ term which is of order (△*θ*)^{2}. The order of magnitude of the $\sum _{\mathit{m}}$ contribution is more difficult to determine because the incomplete Dirichlet integral *B*_{
τ
}(*κ* **1**_{
q
}+m−e_{
y
}) is difficult to bound;^{b} however, no matter how *B*_{
τ
}(*κ* **1**_{
q
}+m−e_{
y
}) is behaved, the $\sum _{\mathit{m}}$ contribution is at most of order △*θ*. Huang and Moulin [20] conjectured that $\u25b3\theta =\mathcal{O}\left(\frac{1}{c}\right)$, and this turned out to be consistent with their asymptotic saddlepoint analysis. If their conjecture is true, we have $w\propto \frac{1}{{c}_{0}}\ll \frac{1}{{c}_{0}\tau}$. Even if their conjecture is not true and △*θ* scales as, for instance, $1/\sqrt{c}$, then, $w\propto 1/\sqrt{{c}_{0}}\ll \frac{1}{{c}_{0}\tau}$, i.e., *w* is still negligible. (The latter holds because *τ* scales as ${c}_{0}^{-\gamma}$ with $\gamma >\frac{1}{2}$.)

*ν*denotes a very small positive number. The sufficient code length is then given by

Note that the correction term is smaller than the $\mathcal{O}\left({c}_{0}^{-1/3}\right)$ that was found [5] for Tardos’s score function at *q*=2.

## Conclusions

We have studied a *q*-ary bias-based collusion-resistant scheme where the score function (7) of Oosterwijk et al. [21] is used in combination with the Dirichlet distribution with a cutoff. We have used Bernstein’s inequality and Bennett’s inequality to upper bound the error rates. For large *c*_{0}, this leads to a sufficient code length as specified in Theorem 5.

*θ*, the difference in strategy between the finite-

*c*and infinite-

*c*saddlepoint, is of order $O(1/\sqrt{c})$. This leads to an optimal cutoff choice $\tau =1/\left(\lambda {c}_{0}^{1/2+\nu}\right)$, where

*λ*>0 is a constant and

*ν*is a very small positive constant. The sufficient code length is then

From previous work on provable bounds for bias-based codes, it is clear that the bounds obtained from concentration inequalities (Markov, Bernstein, Bennett) are not tight.

As topics for future work, we mention the following: (i) obtaining tighter bounds - the CSE method [6] or similar techniques may yield more precise information about the error rates. (ii) Studying the performance of the score function (7) further away from the asymptotic saddlepoint. This would require locating (by numerical techniques) the saddlepoint for large but finite *c*. (iii) Applying the analysis in this paper in the context of *dynamic* traitor tracing, similar to the work in [27].

## Endnotes

^{a} Throughout this paper, the term asymptotic refers to the limit of large coalition size.

^{b} The correction to the normalization factor is known. In [22] it was found that ${B}_{\tau}\left(\kappa {\mathbf{1}}_{q}\right)=B\left(\kappa {\mathbf{1}}_{q}\right)[\phantom{\rule{0.3em}{0ex}}1-\mathcal{O}({\tau}^{\kappa}\left)\right]$.

## Declarations

### Acknowledgments

We thank Benne de Weger, Jeroen Doumen, and Thijs Laarhoven for useful discussions. Part of this work was supported by STW (project 10518).

## Authors’ Affiliations

## References

- G Tardos, in
*Proceedings of the 35th Annual ACM Symposium on Theory of Computing (STOC)*. Optimal probabilistic fingerprint codes, (2003), pp. 116–125.Google Scholar - Blayer O, Tassa T: Improved versions of Tardos’ fingerprinting scheme.
*Des Codes Cryptography*2008, 48(1):79-103.MATHMathSciNetView ArticleGoogle Scholar - T Furon, A Guyader, F Cérou, in
*Information Hiding, Lecture Notes in Computer Science*, 5284. On the design and optimization of Tardos probabilistic fingerprinting codes (Springer, 2008), pp. 341–356.View ArticleGoogle Scholar - Furon T, Pérez-Freire L, Guyader A, Cérou F: Estimating the minimal length of Tardos code. In
*Information Hiding, LNCS*. Springer, Heidelberg; 2009:176-190.View ArticleGoogle Scholar - Laarhoven T, de Weger BMM: Optimal symmetric Tardos traitor tracing schemes.
*Designs Codes Cryoptography*2011, 71: 83-103.MathSciNetView ArticleGoogle Scholar - Simone A: Accusation probabilities in Tardos codes: beyond the Gaussian approximation.
*Des Codes Cryptography*2012, 63(3):379-412.MATHMathSciNetView ArticleGoogle Scholar - Vladimirova TU, Celik MU, Talstra JC: Tardos fingerprinting is better than we thought.
*IEEE Trans. Inform. Theor*2008, 54(8):3663-3676.MathSciNetView ArticleGoogle Scholar - YW Huang, P Moulin, in
*IEEE Workshop on Information Forensics and Security (WIFS)*. Capacity-achieving fingerprint decoding (London, 6–9 December 2009), pp. 51–55.Google Scholar - K Nuida, in
*Information Hiding, LNCS*, 6387. Short collusion-secure fingerprint codes against three pirates (Springer, 2010), pp. 86–102.View ArticleGoogle Scholar - Nuida K, Fujitsu S, Hagiwara M, Kitagawa T, Watanabe H, Ogawa K, Imai H: An improvement of discrete Tardos fingerprinting codes.
*Des Codes Cryptography*2009, 52(3):339-362.MATHMathSciNetView ArticleGoogle Scholar - E Amiri, G Tardos, in
*Proceedings of the 20th Annual ACM-SIAM Symposium on Discrete Algorithms (SODA)*. High rate fingerprinting codes and the fingerprinting capacity (New York, 4–6 January 2009), pp. 336–345.View ArticleGoogle Scholar - A Charpentier, F Xie, C Fontaine, T Furon, in
*SPIE Proceedings on Media Forensics and Security*, 7254. Expectation maximization decoding of Tardos probabilistic fingerprinting code (SPIE, 2009), p. 72540.View ArticleGoogle Scholar - P Meerwald, T Furon, in
*Information Hiding, LNCS*, 6958. Towards joint Tardos decoding: the ‘Don Quixote’ algorithm (Springer, 2011), pp. 28–42.View ArticleGoogle Scholar - J-J Oosterwijk, Škorić B, J Doumen, in
*Information Hiding & Multimedia Security 2013*. Optimal suspicion functions for Tardos traitor tracing schemes (Montpellier, 17–19 June 2013).Google Scholar - A Charpentier, C Fontaine, T Furon, IJ Cox, in
*Information Hiding, LNCS*, 6958. An asymmetric fingerprinting scheme based on Tardos codes (Springer, 2011), pp. 43–58.View ArticleGoogle Scholar - Katzenbeisser S, Celik MU: Symmetric Tardos fingerprinting codes for arbitrary alphabet sizes.
*Des Codes Cryptography*2008, 46(2):137-166.MathSciNetView ArticleGoogle Scholar - Katzenbeisser S, Schaathun HG, Celik MU: Tardos fingerprinting codes in the combined digit model.
*IEEE Trans. Inf. Forensics Secur*2011, 6(3):906-919.View ArticleGoogle Scholar - F Xie, T Furon, C Fontaine, in
*Proceedings of the 10th Workshop on Multimedia & Security (MM&Sec)*. On-off keying modulation and Tardos fingerprinting (ACM, 2008), pp. 101–106.Google Scholar - D Boesten, Škorić B, in
*Information Hiding 2011, LNCS*, 6958. Asymptotic fingerprinting capacity for non-binary alphabets (Springer, 2011), pp. 1–13.Google Scholar - Y-W Huang, P Moulin, in
*IEEE International Symposium on Information Theory (ISIT) 2012*. On fingerprinting capacity games for arbitrary alphabets and their asymptotics (Cambridge, 1–6 July 2012), pp. 2571–2575.View ArticleGoogle Scholar - J-J Oosterwijk, Škorić B, J Doumen, A capacity-achieving simple decoder for bias-based traitor tracing schemes (2013). http://eprint.iacr.org/2013/389 Accessed 5 August 2014.Google Scholar
- Škorić B, J-J Oosterwijk, Binary and q-ary Tardos codes, revisited. Designs, Codes, and Cryptography (2012). http://eprint.iacr.org/2012/249 Accessed 5 August 2014.Google Scholar
- T Laarhoven, BMM de Weger, in
*Information Hiding & Multimedia Security 2013*Discrete Distributions in the Tardos Scheme, Revisited, (2013).Google Scholar - P Moulin, Universal fingerprinting: capacity and random-coding exponents (2008). http://arxiv.org/abs/0801.3837.Google Scholar
- SN Bernstein,
*Theory of Probability*, (1927).Google Scholar - Bennett G: Probability inequalities for the sum of independent random variables.
*J. Am. Stat. Assoc*1962, 57(297):33-45.MATHView ArticleGoogle Scholar - T Laarhoven, J Doumen, P Roelse, Škorić B, B de Weger, Dynamic Tardos traitor tracing schemes. IEEE Trans. Inf. Theory. 59(7), 4230–4242.Google Scholar

## Copyright

This article is published under license to BioMed Central Ltd. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly credited.