1 traitor tracing. 2 outline introduction state of the art traceability scheme frameproof code ...

11

Traitor TracingTraitor Tracing

22

OutlineOutline IntroductionIntroduction State of the artState of the art

Traceability schemeTraceability scheme Frameproof codeFrameproof code cc-secure code-secure code Combinatorial propertiesCombinatorial properties Tracing algorithmTracing algorithm Some useful propertiesSome useful properties

RephraseRephrase Encoding schemeEncoding scheme Decoding schemeDecoding scheme Watermarking schemeWatermarking scheme

ConclusionsConclusions

33

IntroductionIntroduction

FingerprintingFingerprinting Embed an unique key for each user to identify the Embed an unique key for each user to identify the

person who acquired a particular copyperson who acquired a particular copy Each user has his own decryption key to recover the Each user has his own decryption key to recover the

contentcontent Collusion attack Collusion attack

A group of malicious users (traitors) can collude by A group of malicious users (traitors) can collude by combining their keys to create a new pirate key (pirate combining their keys to create a new pirate key (pirate decoder)decoder)

Traitor tracing Traitor tracing A traitor tracing algorithm is used to trace at least one A traitor tracing algorithm is used to trace at least one

of the colludersof the colluders

44

State of the artState of the art

Traceability schemeTraceability scheme Frameproof codeFrameproof code cc-secure code-secure code Combinatorial propertiesCombinatorial properties Tracing algorithmTracing algorithm Some useful propertiesSome useful properties

55

State of the art -State of the art - Traceability schemes Traceability schemes

““Tracing Traitors”, B. Chor, A. Fiat, M. Naor, and B. Pinkas, 199Tracing Traitors”, B. Chor, A. Fiat, M. Naor, and B. Pinkas, 1994 (1998, 2000).4 (1998, 2000).

Traceability schemesTraceability schemes<Definition 1.1> Traitor tracing schemes<Definition 1.1> Traitor tracing schemes

A traitor tracing scheme consists of three components:A traitor tracing scheme consists of three components:

traitor.a ofidentity the

determine todecoder, pirate a ofon confiscatiupon used algorithm, tracingA traitor 3.

messages. those

decrypt user toevery by used 1010 scheme decryption a and messages

encrypt osupplier t data by the used1010 scheme encryptionAn 2.

gets. userseach key that personal in the bits ofnumber theis and users possible of

set theis where10 mapping a defines that key -meta a hassupplier

data The users. new add osupplier t data by the used scheme,tion initializauser A 1.

},{},:{D

},{},:{E

s

U},{:UP

*β

**α

sα

66

State of the art -State of the art -Traceability schemes (continue)Traceability schemes (continue)

<Definition 1.2> <Definition 1.2> fully (fully (p,kp,k)-resilient tracing scheme )-resilient tracing scheme Let Let TT be a coalition of at most be a coalition of at most kk users. Let users. Let A A be an adversary that hbe an adversary that has a subset as a subset FF of the keys of the users in of the keys of the users in TT, and that is able to decry, and that is able to decrypt the content sent in the tracing traitors scheme, in time pt the content sent in the tracing traitors scheme, in time tt and with p and with probability greater that robability greater that q’.q’. The scheme is called fully ( The scheme is called fully (p,kp,k)-resilient if it )-resilient if it satisfies the security assumption: one of the following two statementsatisfies the security assumption: one of the following two statements holds.s holds. GGiven iven FF the data supplier is able to trace with probability at least the data supplier is able to trace with probability at least 1-p1-p at l at l

east one of the users in east one of the users in TT.. There exists an adversary There exists an adversary A’A’ which uses which uses AA as a black box and whose in as a black box and whose in

put is only an enabling block and a cipher block of the tracing traitors scput is only an enabling block and a cipher block of the tracing traitors scheme. heme. A’A’ can reveal the content that is encrypted in the cipher block in ti can reveal the content that is encrypted in the cipher block in time which is linear in the length of its input and in me which is linear in the length of its input and in tt, and with probability , and with probability at least at least q’’=q’.q’’=q’.

77

State of the art –State of the art – Traceability schemes (continue)Traceability schemes (continue)

<Definition 1.3> fully <Definition 1.3> fully kk-resilient tracing scheme-resilient tracing schemeA scheme is called fully A scheme is called fully kk-resilient if it satisfies definition -resilient if it satisfies definition 1.2 and it further holds that 1.2 and it further holds that p=0p=0..

<Definition 1.4> <Definition 1.4> qq-threshold (-threshold (p,kp,k)-resilient tracing scheme)-resilient tracing scheme

A scheme is called A scheme is called qq-threshold (-threshold (p,kp,k)-resilient if it satisfies )-resilient if it satisfies definition 1.2 with definition 1.2 with q’’=q’-qq’’=q’-q..

88

State of the art –State of the art – Frameproof codesFrameproof codes

Frameproof codesFrameproof codes ““Collusion-secure fingerprinting for digital data”, Collusion-secure fingerprinting for digital data”, Dan BDan B

onehoneh and and James ShawJames Shaw, 1995 (1998), 1995 (1998) A fingerprint is a collection of marksA fingerprint is a collection of marks

A fingerprint can be thought of as a word of length A fingerprint can be thought of as a word of length LL over an al over an alphabet phabet ΣΣ of size of size ss

A distributor is the sole supplier of fingerprinted objectsA distributor is the sole supplier of fingerprinted objects A user is the registered owner of a fingerprinted objectsA user is the registered owner of a fingerprinted objects The process of fingerprinting an object involves assigning a unThe process of fingerprinting an object involves assigning a un

ique codeword over ique codeword over ΣΣLL to each user to each user

99

State of the art –State of the art – Frameproof codes (continue)Frameproof codes (continue)

<Definition 2.1> (<Definition 2.1> (ll,,nn)-code and codebook)-code and codebook

<Definition 2.2> undetectable positions<Definition 2.2> undetectable positions

codebook. theas in wordsofset therefer to We

.1for ,user toassigned be will codeword The

code.-),(an called be will},...,{set A )(

)()1(

Γ

Σ

niuw

nlwwΓ

ii

ln

.... if leundetectab is position Then

}.,...,{ suppose Formally, position.th in their match in

users toassigned words theif for leundetectab is

position say that we},...,1{For users. ofcoalition

a be and code-),(an be },...,{Let

)()()(

1

)()1(

21 cui

ui

ui

c

n

wwwi

uuCiC

Ci

li

Cnlww

Γ

1010


<Definition 2.3>feasible set<Definition 2.3>feasible set

e.g. A: 3 2 3 1 2e.g. A: 3 2 3 1 2

B: 1 2 2 1 2B: 1 2 2 1 2

).(by );(

denote and omit the e Usually wbits. leundetectab scoalition'

match the which wordsall containsset feasible theThus .in

user somefor } s.t. {?})({);( as ofset

feasible theDefine .for positions leundetectab ofset thebe Let

users. ofcoalition a be and code-),(an be },...,{Let

)(

)()1(

CFCF

Cu

wwwCFC

CR

Cnlww

Ru

Rl

n

212)( ABF

1111


<Definition 2.4> Marking Assumption<Definition 2.4> Marking Assumptionany coalition of any coalition of cc users is only capable of creating users is only capable of creating an object whose fingerprint lies in the feasible set an object whose fingerprint lies in the feasible set of the coalitionof the coalition

<Definition 2.5> c-frameproof<Definition 2.5> c-frameproof

WWFc

W

)( satisfies ,most at size of

,set every if frameproof-c is codeA

1212


Construction of Construction of cc-frameproof codes-frameproof codes(for binary alphabet)(for binary alphabet) <Claim 2.1> <Claim 2.1> 00 is a (is a (nn,,nn)-code which is )-code which is nn-frameproof-frameproof

The length of The length of 00 is linear in the number of use is linear in the number of use

rs and is therefore impracticalrs and is therefore impractical Use Use 00 to construct shorter codes to construct shorter codes

1313


<Definition 2.6> A set <Definition 2.6> A set CC of of NN words of length words of length LL o over an alphabet of p letters is said to be an (ver an alphabet of p letters is said to be an (LL,,NN,,DD)p-ECC, if the Hamming distance between ever)p-ECC, if the Hamming distance between every pair of words in y pair of words in CC is at least is at least DD..

The idea of the construction of n-frameproof codThe idea of the construction of n-frameproof code is to compose the code e is to compose the code 00 (n) with an error-cor (n) with an error-correcting code.recting code.

Let Let ={={ww((11)),…,,…,ww((pp))} be an (} be an (ll,,pp)-code and let )-code and let CC be be an (an (LL,,NN,,DD))pp-ECC.We denote the composition of -ECC.We denote the composition of and and CC by by ’.’.

1414


code-),(an is }|{

||...|||| ... codeword afor )()()(21

21

NlLCvW

wwwWvCvvvv

v

vvvL

L

<Lemma 2.1> Let be a be a cc-frameproof (-frameproof (ll,,pp)-code and C be an ()-code and C be an (LL,,NN,,DD)-ECC. )-ECC. Let Let ’ be the composition of ’ be the composition of and and CC. Then . Then ’ is a ’ is a cc-framepr-frameproof code, provided oof code, provided DD>>LL(1-(1/(1-(1/cc)).)).<proof>

1515


<Lemma 2.2> For any positive integers <Lemma 2.2> For any positive integers pp,,nn let let LL==8p8p log log NN. Then there exists a (. Then there exists a (L,N,L,N,DD))2p2p-ECC where -ECC where DD>>LL((11-(-(11//pp)).)).

<Theorem 2.1> For any integers <Theorem 2.1> For any integers n ,cn ,c>0 let >0 let ll==16c16c22 log log nn. Then there exists an (l, n)-cod. Then there exists an (l, n)-code which is c-frameproof.e which is c-frameproof.<proof><proof>

1616

State of the art –State of the art – cc-secure code-secure code

<Definition 2.7> totally <Definition 2.7> totally cc-secure code-secure code

<Lemma 2.3><Lemma 2.3>

. then worda generates users

most at of coalition a if :condition following thesatisfying

algorithm tracinga exists thereif secure- totally is codeA

CA(x)x

c C

Ac

each. users most at of ,..., coalitions allfor

0)(...)(0...

thencode secure- totally a is If

1

11

cCC

CFCFCC

c

r

rr

1717

State of the art –State of the art – cc-secure code (continue)-secure code (continue)

<Theorem 2.2> For <Theorem 2.2> For cc≥≥22 and and nn≥≥33 there are there are no totally no totally cc-secure (-secure (ll,,nn)-codes)-codes<proof><proof>

→→Unfortunately, when Unfortunately, when cc>1,totally >1,totally cc-secure c-secure codes do not exist.odes do not exist.

→→There is a way out of this trap: There is a way out of this trap: use randomness.use randomness.

1818


<Definition 2.8> <Definition 2.8> cc-secure with -secure with -error -error

The tracing algorithm The tracing algorithm A A on input on input xx outputs a outputs a member of the coalition member of the coalition CC that generated the that generated the word word xx with high probability. with high probability.

coalition. by the made choices random theand bits random over the taken isy probabilit thewhere

1])(Pr[

then worda generates users cmost at of coalition a if :condition following the

satisfying algorithm tracinga exists thereiferror - withesecure- is scheme tingfingerprinA

r

CxA

xC

Acr

1919


Construction of collusion-secure codesConstruction of collusion-secure codes Construct an (Construct an (l,nl,n)-code which is )-code which is nn-secure with -secure with -error for any -error for any >0 >0 →→length of this code is length of this code is nnOO((11))

→→too large to be practical too large to be practical <Theorem 2.3> <Theorem 2.3> <Algorithm 2.1><Algorithm 2.1>

Use the code to construct Use the code to construct cc-secure codes with -secure codes with -error for -error for nn users whose length is log users whose length is logOO((11))((nn) ) when when cc=O(log =O(log nn).).<Theorem 2.4> <Theorem 2.4> <Algorithm 2.2><Algorithm 2.2>

2020


A lower boundA lower bound<Theorem 2.5> Let <Theorem 2.5> Let be an ( be an (l,nl,n) fingerprint) fingerprinting scheme over a binary alphabet. Suppoing scheme over a binary alphabet. Suppose se is is cc-secure with -secure with -error. Then the cod-error. Then the code length is at least e length is at least l l ≥≥11//22((cc--33)log()log(11//cc).).<proof><proof>

2121

State of the art –State of the art – Combinatorial propertiesCombinatorial properties

““Combinatorial properties and constructionCombinatorial properties and constructions of traceability schemes and frameproof cs of traceability schemes and frameproof codes”, D. R. Stinson, R. Wei, 1997(2001)odes”, D. R. Stinson, R. Wei, 1997(2001)

Investigate combinatorial properties and cInvestigate combinatorial properties and constructions of two recent topics of cryptogonstructions of two recent topics of cryptographic interest: raphic interest: frameproof codesframeproof codes traceability schemetraceability scheme

2222

State of the art –State of the art – Combinatorial properties (continue)Combinatorial properties (continue)

<Definition 3.1> c-FPC(v,b)<Definition 3.1> c-FPC(v,b)

<Definition 3.2> c-TS(k,b,v)<Definition 3.2> c-TS(k,b,v)

. a is say that We

. have we, such that

everyfor if, code frameproof-c a called is code-A

c-FPC(v,b)Γ

WΓ F(w)cWΓW

Γ(v,b)

).c-TS(k,b,v

cC CF

CU

by

denoted isit and schemety traceabili-c a called is scheme the

Then . and by produced is decoder pirate awhenever

coalition theofmember a is user exposedany Suppose

2323


<Theorem 3.1><Theorem 3.1>

i

d

ii

d

d

BBB

},...,B,B\{BB

,,...,B,BBc db

v,)(c-FPC(v,b)

1

d

1i

21

21

such that block aexist not does there

blocks ofsubset any for and

such that systemset a a

B

BB

XΒX,

2424



dj for BFBF},...,B,B\{BB

,BFk-

,...,B,BBc d

k b

v,)(b,v)c-TS(k

jd

j

d

j

d

1such that

block aexist not does theresubset

any for and blocks of choiceevery for

hat property t with the,Bevery for B and

such that systemset a , a

21

1

21

B

B

BB

XΒX,

2525


<Theorem 3.3>If there exists a c-TS(k,b,v), th<Theorem 3.3>If there exists a c-TS(k,b,v), then there exists a c-FPC(v,b).en there exists a c-FPC(v,b).<proof><proof>

.1Then

.such that block a and

, blocks, exist e then therno; Suppose

. a is that prove We

. a toingcorrespond systemset thebe Let

121

21

dj for BBBB

BB},..., B, B\{BB

,..., B, BBcd

c-FPC(v,b)(

)c-TS(k,b,v)(

j

idid

d

Β

BΒ)X,

ΒX,

2626


Constructions using Constructions using tt-designs-designs <Definition> <Definition> tt-(v, k,-(v, k,λλ) design) design

BIBD’s are 2-(v, k,BIBD’s are 2-(v, k,λλ) design) design E.g. 2-(9, 3,1) design E.g. 2-(9, 3,1) design

{0,1,6},{0,2,5},{0,3,4},{1,2,4},{3,5,6},{1,5,7} {0,1,6},{0,2,5},{0,3,4},{1,2,4},{3,5,6},{1,5,7} {5,4,8},{4,6,7},{6,2,8},{2,3,7},{3,1,8},{0,7,8} {5,4,8},{4,6,7},{6,2,8},{2,3,7},{3,1,8},{0,7,8}

.in blocks exactly

in occurs ofsubset -every and ,Bevery for B

, where),( systemset a isdesign )A

B

XB

XBX,

tk

vt-(v,k,λ

2727




))/(t-(k-c)t

k/

t

vc-FPC(v,) t-(v,k, 11 where, adesign 1 a

))/(t-(k-cv)t

k/

t

vc-TS(k) t-(v,k, 11 where,,, adesign 1 a

2828

State of the art –State of the art – Tracing algorithmsTracing algorithms

scenarioscenario The center broadcasts the encrypted content tThe center broadcasts the encrypted content t

o userso users One encryption key and multiple distinct decryOne encryption key and multiple distinct decry

ption keysption keys One cannot compute a new decryption key froOne cannot compute a new decryption key fro

m a given set of keysm a given set of keys

2929

State of the art –State of the art – Tracing algorithms (continue)Tracing algorithms (continue)

Static tracingStatic tracing Used upon confiscation of a pirate decoder, to Used upon confiscation of a pirate decoder, to

determine the identity of a traitordetermine the identity of a traitor Such scheme would be ineffective if the pirate were Such scheme would be ineffective if the pirate were

simply to rebroadcast the original contentsimply to rebroadcast the original content Use watermarking methods to allow the broadcaster Use watermarking methods to allow the broadcaster

to generate different versions of the original contentto generate different versions of the original content Use the watermarks found in the pirate copy to trace Use the watermarks found in the pirate copy to trace

its supporting traitorsits supporting traitors Drawback: requires one copy of content for each user Drawback: requires one copy of content for each user

and so requires very high bandwidthand so requires very high bandwidth

3030


Dynamic tracing (Fiat & Tassa, 2001)Dynamic tracing (Fiat & Tassa, 2001) The content is divided into consecutive segmentsThe content is divided into consecutive segments Embed one of the q marks in each segment, hence creating q veEmbed one of the q marks in each segment, hence creating q ve

rsions of the segment rsions of the segment (watermarking method)(watermarking method)

In each interval, the user group is divided into q subsets and eacIn each interval, the user group is divided into q subsets and each subset receives on version of the segmenth subset receives on version of the segment

The subsets are varied in each interval using the rebroadcasted The subsets are varied in each interval using the rebroadcasted contentcontent

Trace all colluders with lower bandwidthTrace all colluders with lower bandwidth Drawback: Drawback:

Vulnerable to a delayed rebroadcast attackVulnerable to a delayed rebroadcast attack High real-time computation for regrouping the users and allocating High real-time computation for regrouping the users and allocating

marks to subsetsmarks to subsets

3131


Sequential tracing ( Reihaneh, 2003)Sequential tracing ( Reihaneh, 2003) The channel feedback is only used for tracing The channel feedback is only used for tracing

and not for allocation of marks to usersand not for allocation of marks to users The mark allocation table is predefined and thThe mark allocation table is predefined and th

ere is no need for real-time computation to detere is no need for real-time computation to determine the mark allocation of the next intervalermine the mark allocation of the next interval The need for real-time computation will be minimizThe need for real-time computation will be minimiz

eded Protects against the delayed reboradcast attackProtects against the delayed reboradcast attack

The traitors are identified sequentiallyThe traitors are identified sequentially

3232

State of the art –State of the art – Some useful propertiesSome useful properties

““Application of list decoding to tracing traitors”, A. SilverbApplication of list decoding to tracing traitors”, A. Silverberg, J. Staddon, 2001erg, J. Staddon, 2001

<Definition 3.3> <Definition 3.3> cc-TA (traceability)-TA (traceability)

<Definition 3.4> <Definition 3.4> cc-IPP (identifiable parent property) -IPP (identifiable parent property)

i

ii

i

CCzI(z,w)I(x,w)

Cx)desc(Cwc

CcC

allfor that

such exists e then ther if ,most at

size of coalitions allfor if codeTA - a is codeA

nonempty. is such that most at size of coalitions theof

onintersecti the, allfor if code IPP- a is codeA

)desc(CwcC

(C)descwcC

ii

c

3333

State of the art –State of the art – Some useful properties (continue) Some useful properties (continue)

<Lemma 3.1> Every <Lemma 3.1> Every cc-TA code is a -TA code is a cc-IPP -IPP code.code.

<proof><proof>

code. a a of definition by the s.t. then , if fact,In

.)(

, with any for that,show willWe

code. a of definition by the any for Thus

. allfor s.t. Let

.s.t. where if

code. a is Suppose

w-TAI(x,y)I(x,w)CwCy

CyCdescx

wCCC

w-TACzI(x,z)I(x,y)

CzI(x,z)I(x,y) Cy

)desc(Cxw,CCC(C), descx

w-TAC

jj

jj

jj

ii

iiiw

3434

State of the art –State of the art –Some useful properties (continue)Some useful properties (continue)


<Theorem 5.2> A sequential TA code is a <Theorem 5.2> A sequential TA code is a

c-TA code , Reihaneh, 2003c-TA code , Reihaneh, 2003

scheme

sequential a is )(Then function. tracinga is and

1

satisfying ECC-)(an from obtained

tableallocationmark a denote Γ integer,an beLet

112

c-TA

Γ,AA

)L-( D

L,N,D

c

cc

q

3535

State of the art –State of the art –Some useful properties (continue)Some useful properties (continue)

CF-11 a isThen .11

distance minimum having code-)(an is that Suppose2 /w)-(w,C )/w-N(d

N,n,qC

code.TA - wis CThen .11 distance

Hamming minimum having code-)(an is that Suppose2 )/w-N(d

N,n,qC


<Theorem 5.4> <Theorem 5.4>

3636

RephraseRephrase--Encoding schemeEncoding scheme

Find c-TA codeFind c-TA code ECCECC

(with D (with Dminmin>xxx , small codelength L and large code>xxx , small codelength L and large code

word number N)word number N) BCH code L=qBCH code L=qmm-1 e.g. GF(2-1 e.g. GF(244): (15,11,3) , (15,5,7)): (15,11,3) , (15,5,7) Reed-Solomon : L=q-1 D=L-k+1 N=qReed-Solomon : L=q-1 D=L-k+1 N=qkk

e.g. GF(256): (255,239) -> (204,188)e.g. GF(256): (255,239) -> (204,188)

Algebraic geometry codes Algebraic geometry codes

BIBD : given a constant k, L=v=O(nBIBD : given a constant k, L=v=O(n1/21/2) ) ……

Find key-assignment policyFind key-assignment policy

1

1

)1(4

1

)1(2

12

k

q

kkc

3737

RephraseRephrase--Decoding (tracing) schemeDecoding (tracing) scheme

ECC decodingECC decoding Minimum distance decodingMinimum distance decoding Syndrome decodingSyndrome decoding Viterbi algorithmViterbi algorithm List decodingList decoding

Tree-structured tracing (Liu, 2003)Tree-structured tracing (Liu, 2003) Tracing algorithms for broadcast environmTracing algorithms for broadcast environm

entent

3838

RephraseRephrase-Watermarking scheme-Watermarking scheme

Message mappingMessage mapping Direct message codingDirect message coding Multi-symbol message codingMulti-symbol message coding

Time and space division multiplexingTime and space division multiplexing Frequency division multiplexingFrequency division multiplexing Code division multiplexingCode division multiplexing

3939

ConclusionConclusion

4040

State of the art –State of the art –

00

<Definition> <Definition> 00

the (n,n)-code containing all n-bit binary wthe (n,n)-code containing all n-bit binary words with exactly one 1ords with exactly one 1

e.g. e.g. 00 (3)={100,010,001} (3)={100,010,001}

4141


Lemma 2.1Lemma 2.1

.; of subword a is

)

code frameproof-c a is Γ

let

1 1position a

) 11)( (since

positions than lessin match and words the,1 allfor

derived was which from codeword thebe let

user a tobelongswhich 10 worda contains )( assume

users. ofcoalition a be let

1

min

Γ')F(CWW w

;ΓF(Cw

},...,w{wC

,...,c for all kvs.t. zL)jj(

/c)-L(d

L/cvz,...,ck

Wz

Cu },{WΓC;F

cC

)(z

j)(z

)(v)(vj

kjj

k

lL

j

j

cjj

C

C

4242


Theorem 2.1Theorem 2.1 By lemma 2.2 we know that there exists a By lemma 2.2 we know that there exists a

((L,n,LL,n,L((1-1/c1-1/c))))22cc-ECC for -ECC for LL==8c8c log log nn. Combi. Combi

ning this with the code ning this with the code 00((2c2c) and lemma 2.) and lemma 2.

1 we get a 1 we get a cc-frameproof code for -frameproof code for nn users users whose length is whose length is 2cL2cL==16c16c22 log log nn

4343


Theorem 2.2Theorem 2.2

secure.-2 not toally is code the2.3, lemmaby

empty. is coalitions theofon intersecti theHowever,

.

coalitions threeallfor feasible is ordmajority w therify that readily vecan One

by ordmajority w thedefine

lyrespective , users toassigned codewordsdistinct threebe let

code-arbitrary an be let

codes. secure-2 totally no are e that thershow enough to isit Clearly,

323121

322

31211

321

321321

Γ

},u},{u,u},{u,u{u

M

wise. other ?,

w if w , w

w or ww if w, w

Mi

),w,wMAJ(wM

,u,uu,w,ww

(l,n)

)(i

)(i

)(i

)(i

)(i

)(i

)(i

)(i

)()()(

)()()(

Γ

4444



For For nn≥≥33 and and >>00 let let dd==2n2n22 log( log(2n2n/ / ). The ). The fingerprinting scheme fingerprinting scheme 00((n,dn,d) is ) is nn-secure -secure

with with -error.-error.

4545


Algorithm 2.1Algorithm 2.1

guilty" is user "output then 2

log22

if

.let :do 1 to2 allfor 3)

guilty" is user "output then if )2

guilty" is 1user "output then 0) if 1)

. producedthat coalition theofsubset a find ,10Given

1

1

1B

snkk

)weight(x

)weight(xkn-s

nd) weight(x

weight(x

x},{x

s-

s

n-

B

B

B

l

4646



Given integers Given integers N, cN, c, and , and >0 set >0 set nn==2c2c,,LL= = 2c2c log( log(2N2N//), and ), and dd==2n2n22 log(log(4nL4nL/ / ). The). Then, n, ’(’(L,N,n,dL,N,n,d) is a code which is ) is a code which is c-secure with c-secure with -error. The code contains -error. The code contains NN words and has lengthwords and has length

ll==OO((LdnLdn)=)=OO((cc44 log( log(NN//) log() log(11/ / ))))

4747


Algorithm 2.2Algorithm 2.2

guilty" is user "output

from derived is codeword user whose thebe Let 3)

y).arbitraritbroken are (tiesposition of

number most in the matches which word theFind 2)

. word theform Next, . and 1between number a is that

Note output.chosen thisbe toSet 1. algorithm of outputs

theof one choosey arbitraril 1component each for

. of components theofeach to1 algorithmApply 1)

. producedthat coalition theofmember a find ,10Given

1

u

Cwu

yCw

...yyyny

y

,...,Li

xL

x},{x

Li

i

l

1 traitor tracing. 2 outline introduction state of the art traceability scheme frameproof code ...

Documents