Probabilistic Traitor Tracing

In document: Intellectual Property Protection Codes (pages 29-42)

Probabilistic traitor tracing (PTT) is much more efficient in most cases.

In this scheme, we need not identify colluders who have committed the crime with absolute certainty.^k Instead, we treat a set of possible colluders as suspects and compute the probability that they are colluders. This may not tell us deterministically who is guilty the first time. However, after several rounds of identification, some pirates become more and more suspicious as their probabilities of being guilty accumulate. Such a strategy works particularly well for applications such as pay-per-view movies that call for iterative retrievals of data.

Suppose a coalition $C$ of $w$ users creates an illegal copy of an object. Fingerprinting schemes that enable the capture of a member of the coalition $C$ with probability at least $1-\epsilon$ are called $w$-secure codes with $\epsilon$-error. Namely, $\Pr[A(x) \in C] > 1-\epsilon$. In other words, the traitor tracing algorithm $A$ on input $x$ outputs, with high probability, a member of the coalition $C$ that generated the codeword $x$. To do so, we allow the distributor to make some random choices when embedding the codewords in the objects. The point is that these random choices are kept hidden from the users.

We begin by considering an $(N, n)$-code which is $n$-secure with $\epsilon$-error for any $\epsilon > 0$. Let $c_m$ be a column of height $n$ in which the first $m$ bits are 1 and the rest are 0. The code $C(N = d(n-1), n)$ consists of all columns $c_1, \ldots, c_{n-1}$, each duplicated $d$ times. The amount of duplication determines the error probability $\epsilon$.

Example 4.1. The code $C(16, 5)$ for five users A, B, C, D, E is

^k More generally speaking, we say they committed the crime with probability 1.

A :

An intuitive traitor tracing strategy is: if any of the first three positions of a pirated codeword is 1, then we know A must belong to the coalition. In the other direction, if any of the last three positions of a pirated codeword is 0, then we know E must belong to the coalition. If A and B collude, C, D, and E are safe from being framed. However, if A and E collude, the descendants of A and E could jeopardize the legal users B, C, and D. Nevertheless, this is very unlikely because A and E differ in 16 places and the probability for A and E to frame B, C, or D is barely $\frac{1}{2^{16}} \approx 10^{-5}$. This gives a heuristic for probabilistic traitor tracing.

Consider: if B is innocent, then what A, C, D, E can detect in the first eight positions is totally indistinguishable, namely, either 11111111 or 00000000. If some of A, C, D, or E collude, then the 0s and 1s should be evenly distributed between $B_1$ and $B_2$. If the 1s tend to appear more in $B_2$ than in $B_1$, then we deduce that B is highly suspicious.

Let $w^{(1)}, \ldots, w^{(n)}$ denote the codewords of $C(N, n)$. Before the distributor embeds the codewords of $C(N, n)$ in an object, he picks a permutation $\pi$ as randomly as possible. User $u_i$'s copy of the object will be fingerprinted using the word $\pi w^{(i)}$. Note that the same permutation $\pi$ is used for all users. The point is that $\pi$ will be kept hidden from the users. Keeping the permutation hidden from the users is equivalent to hiding the information of which mark in the object encodes which bit in the code. This simple technique will be shown to be effective in overcoming the barrier of unreadable marks.

Before going to the construction, we introduce some notation:

1. Let $B_m$ be the set of all bit positions in which the users see columns of type $c_m$. That is, $B_m$ is the set of all bit positions in which the first $m$ users see a 1 and the rest see a 0. The number of elements in $B_m$ is $d$.

CHAPTER 4. UNREADABLE MARKS AND PTT

2. For $2 \leq s \leq n-1$ define $R_s = B_{s-1} \cup B_s$.

3. For a binary string $x$, let $\mathrm{weight}(x)$ denote the number of 1s, the binary case of the Hamming weight defined in Section 2.1.2.

Theorem 4.2 (Boneh and Shaw [8]). For $n > 3$ and $\epsilon > 0$ let $d = 2n^2 \log(2n/\epsilon)$. The fingerprinting scheme $C(N, n)$ is $n$-secure with $\epsilon$-error.

The argument has essentially been given above, but we formalize the language here. The length of this code is $d(n-1) = O\left(n^3 \log(n/\epsilon)\right)$.

Intuitively, suppose user $s$ is NOT a member of the coalition $C_0$ which produced the word $x$. The hidden permutation $\pi$ prevents the coalition from knowing which marks represent which bits in the code $C(N, n)$. The only information the coalition has is the value of the marks it can detect. Observe that without user $s$ a coalition sees exactly the same values for all bit positions $i \in R_s$. Hence, for a bit position $i \in R_s$, the coalition $C_0$ cannot tell if $i$ lies in $B_s$ or in $B_{s-1}$. This means that whichever strategy they use to set the bits of $x|_{R_s}$, the 1s in $x|_{R_s}$ will be roughly evenly distributed between $x|_{B_s}$ and $x|_{B_{s-1}}$ with high probability. As a result, if the 1s in $x|_{R_s}$ are not evenly distributed then, with high probability, user $s$ is a member of the coalition that generated $x$.

The algorithm for probabilistic traitor tracing is stated accordingly. The input codeword $x$ found in the illegal copy may contain some unreadable marks, denoted “?”. By convention these bits are set to “0” before the word $x$ is fed into the algorithm.

INPUT: $x \in \{0, 1\}^N$.

AIM: Find a subset of the coalition that produced $x$.

Algorithm:

1. If $\mathrm{weight}(x|_{B_1}) > 0$ then output “User 1 is guilty.”

2. If $\mathrm{weight}(x|_{B_{n-1}}) < d$ then output “User $n$ is guilty.”

3. For $s$ from 2 to $n-1$ do:

Let $k = \mathrm{weight}(x|_{R_s})$.

If $\mathrm{weight}(x|_{B_{s-1}}) < \frac{k}{2} - \sqrt{\frac{k}{2} \log\frac{2n}{\epsilon}}$, then output “User $s$ is guilty.”
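The tracing procedure above, as an added Python example (not code from the thesis or from Boneh and Shaw): it builds $C(N, n)$, embeds it under a hidden permutation, lets a coalition rewrite only the marks on which its copies differ, and runs the three steps. The function names, the use of the natural logarithm with $d$ rounded up, and the constructed scenario of users 2 and 4 colluding among five are assumptions.

```python
import math
import random

def block_size(n, eps):
    # d = 2 n^2 log(2n/eps); natural log assumed, rounded up to an integer.
    return math.ceil(2 * n * n * math.log(2 * n / eps))

def codeword(i, n, d):
    # User i (1-based) sees a 1 in block B_m exactly when i <= m.
    return [int(i <= m) for m in range(1, n) for _ in range(d)]

def embed(word, perm):
    # Mark j of the object carries code bit perm[j]; perm stays secret.
    return [word[p] for p in perm]

def collude(copies, choose):
    # Marks on which all copies agree are undetectable and stay as they are.
    return [m[0] if len(set(m)) == 1 else choose(m) for m in zip(*copies)]

def trace(x, perm, n, d, eps):
    w = [0] * len(x)
    for j, p in enumerate(perm):           # undo the hidden permutation
        w[p] = 0 if x[j] == "?" else x[j]  # unreadable marks count as 0
    # wt[m - 1] = weight(x|B_m)
    wt = [sum(w[m * d:(m + 1) * d]) for m in range(n - 1)]
    guilty = set()
    if wt[0] > 0:                          # step 1
        guilty.add(1)
    if wt[n - 2] < d:                      # step 2
        guilty.add(n)
    log_term = math.log(2 * n / eps)
    for s in range(2, n):                  # step 3
        k = wt[s - 2] + wt[s - 1]          # weight(x|R_s)
        if wt[s - 2] < k / 2 - math.sqrt(k / 2 * log_term):
            guilty.add(s)
    return guilty

def demo(choose, coalition=(2, 4), n=5, eps=0.01, seed=1):
    # Constructed scenario: users 2 and 4 of five collude.
    d = block_size(n, eps)
    perm = list(range(d * (n - 1)))
    random.Random(seed).shuffle(perm)
    copies = [embed(codeword(i, n, d), perm) for i in coalition]
    return trace(collude(copies, choose), perm, n, d, eps)
```

With these parameters, a coalition that writes 1 on every detectable mark gets user 2 accused, and one that writes 0 or leaves those marks unreadable gets user 4 accused; no innocent user is named.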

The correctness of the algorithm relies on the following theorem.

Theorem 4.3. Consider the code $C(N = d(n-1), n)$ where $d = 2n^2 \log(2n/\epsilon)$. Let $S$ be the set of users which are declared guilty on input $x$. Then with probability at least $1-\epsilon$, the set $S$ is a subset of the coalition $C_0$ that produced $x$.

Before the proof of the theorem we introduce two preliminary lemmas.

Lemma 4.2 (Chernoff Bound). Let $X$ be a binomial random variable over $k$ experiments with success probability $1/2$. Then,

$$\Pr\left[X - \frac{k}{2} < -a\right] \leq e^{-2a^2/k}$$

The proof can be found in standard textbooks on probability theory.

Lemma 4.3. Let $Y$ follow a hyper-geometric distribution:

$$\Pr[Y = r] = \frac{\binom{d}{r}\binom{d}{k-r}}{\binom{2d}{k}}.$$

Let $X$ follow a binomial distribution with success probability $1/2$:

$$\Pr[X = r] = \binom{k}{r}\left(\frac{1}{2}\right)^k.$$

Then, $\Pr[Y = r] \leq 2\Pr[X = r]$.

Proof. For the sake of brevity assume $k$ is even. (The case for $k$ odd is similar.)

Pr[Y = r] =

Note that the last inequality follows since $k \leq d$.

The proof of Theorem 4.3 is now as follows:

Proof. Suppose user 1 was declared guilty, i.e., $1 \in S$. Then $\mathrm{weight}(x|_{B_1}) > 0$. This tells us that user 1 must be a member of $C_0$ (otherwise, the bits in $B_1$ would appear indistinguishable to $C_0$). Similarly, if $n \in S$ then $n \in C_0$.

Suppose the algorithm declared user $1 < s < n$ as guilty. We show that the probability that $s$ is not guilty is at most $\epsilon/n$. This will show that the probability that there exists a user in $S$ which is not guilty is at most $\epsilon$.

Let $s$ be an innocent user, i.e., $s \notin C_0$. As was discussed above, this means that the coalition $C_0$ cannot distinguish between the bit positions in $R_s$. Because the permutation $\pi$ was chosen uniformly at random from the set of all permutations, the 1s in $x|_{R_s}$ may be regarded as being randomly placed in $x|_{R_s}$. Let $k = \mathrm{weight}(x|_{R_s})$. Define $Y$ to be a random variable which counts the number of 1s in $x|_{B_{s-1}}$ given that $x|_{R_s}$ contains $k$ 1s. For any integer $r$, $0 \leq r \leq k$:

follows a hyper-geometric distribution where $d = 2n^2 \log(2n/\epsilon)$ is the size of the block. The expectation of $Y$ is $k/2$. To bound the probability that $s$ was pronounced guilty we need to bound

Pr

from above. This can be done by comparing $Y$ to an appropriate binomial random variable.

Let $X$ be a binomial random variable over $k$ experiments with success probability $\frac{1}{2}$. Lemma 4.3 tells us that for any $r$ we have that $\Pr[Y = r] \leq 2\Pr[X = r]$.

where the last inequality follows from the standard Chernoff bound of Lemma 4.2. Plugging in a =q

Hence, if user $s$ is innocent then the probability of her being declared guilty is at most $\epsilon/n$. This also means the probability that some innocent user will be declared guilty is at most $\epsilon$, as desired.

Note that the code size is always smaller than the code length by a factor of d here, meaning a poor code size. This problem can be overcome with the concatenation method discussed in [8] in order to increase the code size and hence accommodate more users. We provide a sketch of the concept here. Recall the definition of code composition in Section 2.1.5. Let C(N, n) be an outer code over an alphabet of size n, with code size n and code length N, where the codewords are chosen independently and uniformly at random. The idea is to compose our n-secure inner code C(N, n) with the outer code C(N, n). Then the concatenated code will contain n codewords and has length NN = Nd(n−1). It is made up of N copies of C(N, n). The point is that the codewords of the code C will be kept secret from the users. This is in addition to keeping hidden the N permutations used when embedding the N copies of C(N, n) in the products. A traitor tracing algorithm is also provided for this scheme which is similar to the original one.

Moreover, N and n can be chosen in such a way that n is exponential in N. For more details we refer the reader to their paper [8]. In the next chapter we will concentrate on the construction of secure frameproof codes.

Constructions of SFP Codes

This chapter discusses various constructions that meet the requirement of the secure-frameproof property. The constructions can be classified into two classes. One of them is called direct construction, which will be studied in the first half of this chapter. In such a scheme, we construct directly without any help from previous existential results. The other is recursive construction, which will be investigated in the second half of this chapter. Given a code‡‡ satisfying certain properties, the recursive construction augments it to longer codewords and larger code size satisfying the original properties as well.

Part I: Direct Construction

5.1 Hadamard Matrices and Jacobsthal Matrices

Definition: A Hadamard matrix is an $n \times n$ real matrix $H$ which satisfies $HH^T = nI$. The name derives from a theorem of Hadamard.

Theorem 5.1. Let $X = (x_{ij})$ be an $n \times n$ real matrix whose entries satisfy $|x_{ij}| \leq 1$ for all $i$ and $j$. Then $|\det(X)| \leq n^{n/2}$. Equality holds if and only if $X$ is a Hadamard matrix.

‡‡ We call it the initial seed.

Let $x_1, x_2, \ldots, x_n$ be the rows of $X$. By Euclidean geometry, $|\det(X)|$ is the volume of the parallelepiped with sides $x_1, x_2, \ldots, x_n$; namely,

$$|\det(X)| \leq |x_1| \cdot |x_2| \cdots |x_n|$$

where $|x_i|$ is the Euclidean length of $x_i$; equality holds if and only if $x_1, x_2, \ldots, x_n$ are mutually perpendicular. By assumption,

$$|x_i| = \left(x_{i1}^2 + x_{i2}^2 + \cdots + x_{in}^2\right)^{1/2} \leq n^{1/2},$$

with equality if and only if $|x_{ij}| = 1$ for all $j$.

Subsequently, we focus on Hadamard matrices with all entries $\pm 1$.

For which orders $n$ do Hadamard matrices exist? There is a well-known necessary condition:

Theorem 5.2. If a Hadamard matrix of order $n$ exists, then $n = 1$ or $2$ or $n \equiv 0 \pmod 4$.

To see this, we observe first that changing the sign of every entry in a column of a Hadamard matrix gives another Hadamard matrix. So, changing the signs of all columns for which the entry in the first row is $-$, we may assume that all entries in the first row are $+$. (We abbreviate $+1$ and $-1$ to $+$ and $-$ respectively.)

[Figure: the first three rows of the Hadamard matrix, with column blocks of width $a$]

Because every other row is orthogonal to the first, we see that each further row has $m$ entries $+$ and $m$ entries $-$, where $n = 2m$. Moreover, if $n > 2$, the first three rows are displayed in the above figure with $n = 4a$. The most important open question in the theory of Hadamard matrices is that of existence (in other words, it is not known whether the above necessary condition is also a sufficient condition).

Conjecture 5.1. A Hadamard matrix of order $4n$ exists for every positive integer $n$.

The simplest construction comes from James Joseph Sylvester.

Theorem 5.3. Let $H$ be a Hadamard matrix of order $n$. Then the partitioned matrix

$$\begin{pmatrix} H & H \\ H & -H \end{pmatrix}$$

is a Hadamard matrix of order $2n$.

This observation can be applied recursively and leads to the following series of matrices.

In this manner, Sylvester constructed Hadamard matrices of order $2^n$ for every non-negative integer $n$. Sylvester’s matrices have a number of special properties. They are symmetric. The elements in the first column and the first row are all positive. The elements in all the other rows and columns are evenly divided between positive and negative.

Raymond Paley later showed how to construct a Hadamard matrix of order $q + 1$ where $q$ is any prime power which is congruent to 3 modulo 4. He also constructed matrices of order $2(q + 1)$ for prime powers $q$ which are congruent to 1 modulo 4. His method uses finite fields.

Let $q$ be a prime power congruent to 3 modulo 4. Recall that in the field GF($q$), half of the nonzero elements are quadratic residues, and half are quadratic non-residues. The quadratic character of GF($q$) is defined as:

$$\chi(x) = \begin{cases} 0 & \text{if } x = 0; \\ +1 & \text{if } x \text{ is a quadratic residue}; \\ -1 & \text{if } x \text{ is a quadratic non-residue.} \end{cases}$$

Definition: Let $A$ be a matrix whose rows and columns are indexed by elements of GF($q$), with entries $a_{xy} = \chi(y - x)$. Then $A$ is skew-symmetric, with zero diagonal and $\pm 1$ elsewhere. Such a matrix $A$ is called a Jacobsthal matrix.

Theorem 5.4. If we replace the diagonal zeros by $-1$s in the Jacobsthal matrix and augment it by a new row and a new column with all entries 1, we obtain a Hadamard matrix of order $q + 1$ called a Hadamard matrix of Paley type.

$$H = \begin{pmatrix} 1 & \mathbf{1} \\ \mathbf{1} & A - I \end{pmatrix}$$

Example 5.1. For $p = 7$, we obtain the following matrix:

A =

A normalized Hadamard matrix $H$ of order $q + 1$ of Paley type is now given as follows:

Example 5.2. For $p = 7$, we obtain the following matrix over GF(3) by replacing $-1$ by 2 in $A$:

Let $H_{4k}$ be any Hadamard matrix of order $4k$ when $+1$s are replaced by 0s and $-1$s by 1s.

Theorem 5.5 (Encheva & Cohen [17]). $H_{4k}$ is a binary 2-SFP$(N, n)$ where $N = n = 4k$.

Proof. We show that there is a column like (0011) or (1100) for any $c_1, c_2, c_3, c_4 \in H_{4k}$. We consider a normalized Hadamard matrix where the first row is the all-1s row, and first assume none of $c_1, c_2, c_3, c_4$ is the all-1s codeword. Suppose the contrary. The supports of $c_1, c_2, c_3$ may be generalized as

c1 number of 0s as 1s, and every two rows should coincide in half of the positions and differ in the other half of the positions. Therefore, $c_3$ should contain $2k$ 1s, yielding:

$$a + (k - b) + (k - c) + d = 2k$$

Since $c_3$ should coincide with $c_2$ in exactly $2k$ positions, we have that:

$$a + b + (k - c) + (k - d) = 2k$$

Again, since $c_3$ should coincide with $c_1$ in exactly $2k$ positions, we have that:

$$a + b + c + d = 2k$$

which gives the following catastrophic patterns:


However, this is impossible because $c_3$ and $c_4$ should coincide in $2k$ positions. Moreover, if one of $c_1, c_2, c_3, c_4$ is the all-1s codeword then it is even easier for them to exhibit the 2-SFP property. Hence, $H_{4k}$ is 2-SFP.
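The constructions of Theorems 5.3 and 5.4 and the column condition used in the proof of Theorem 5.5, as an added Python example (not code from the thesis or from [17]). It assumes $q$ is a prime, so that GF($q$) is the integers modulo $q$, and it works with normalized matrices as the proof does; the function names are illustrative.

```python
from itertools import combinations

def sylvester(order):
    # Theorem 5.3 doubling step: H -> [[H, H], [H, -H]], starting from [1].
    H = [[1]]
    while len(H) < order:
        H = [r + r for r in H] + [r + [-v for v in r] for r in H]
    return H

def jacobsthal(q):
    # Entries chi(y - x) over GF(q); q is assumed prime with q % 4 == 3.
    squares = {x * x % q for x in range(1, q)}
    def chi(x):
        x %= q
        return 0 if x == 0 else (1 if x in squares else -1)
    return [[chi(y - x) for y in range(q)] for x in range(q)]

def paley(q):
    # Theorem 5.4: diagonal zeros become -1, then an all-ones row and
    # column are added as the border.
    A = jacobsthal(q)
    return [[1] * (q + 1)] + [[1] + [A[x][y] - (x == y) for y in range(q)]
                              for x in range(q)]

def is_hadamard(H):
    # Checks H * H^T == n * I entry by entry.
    n = len(H)
    return all(sum(a * b for a, b in zip(H[i], H[j])) == (n if i == j else 0)
               for i in range(n) for j in range(n))

def to_binary(H):
    # +1 -> 0 and -1 -> 1, as in the definition of H_4k.
    return [[(1 - v) // 2 for v in row] for row in H]

def unseparated_pairs(code):
    # Disjoint pairs of codewords with no column of type (0011) or (1100).
    bad = []
    for p in combinations(range(len(code)), 2):
        for q in combinations(range(len(code)), 2):
            if p < q and not set(p) & set(q):
                (a, b), (c, e) = p, q
                if not any(col[a] == col[b] != col[c] == col[e]
                           for col in zip(*code)):
                    bad.append((p, q))
    return bad
```

The Sylvester matrix of order 8 and the Paley matrices for q = 7 and q = 11 all pass with an empty list. Negating one row of the order-4 Sylvester matrix still gives a Hadamard matrix, but the check then reports an unseparated pair, so the normalization matters.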

Theorem 5.6. Jacobsthal matrices generate 2-SFP codes over GF(3).

The proof is quite similar to the previous example and can be found in [17].
