arX

iv:1

111.

3597

v1 [

cs.C

R]

15 N

ov 2

011

Dynamic Tardos Traitor Tracing Schemes

Thijs Laarhoven∗ Jeroen Doumen† Peter Roelse† Boris Skoric∗ Benne de Weger∗

November 16, 2011

Abstract

We construct binary dynamic traitor tracing schemes, wherethenumber of watermark bits needed to trace and disconnect anycoalition of pirates is quadratic in the number of pirates, andlogarithmic in the total number of users and the error probabil-ity. Our results improve upon results of Tassa, and our schemeshave several other advantages, such as being able to generate allcodewords in advance, a simple accusation method, and flexibilitywhen the feedback from the pirate network is delayed.

1 Introduction

To protect digital content from unauthorized redistribution, dis-tributors embed watermarks in the content such that, if a cus-tomer distributes his copy of the content, the distributor can seethis copy, extract the watermark and see which user it belongsto. By embedding a unique watermark for each different user,the distributor can always determine from the detected watermarkwhich of the customers is guilty. However, several users couldcooperate to form a coalition, and compare their differently wa-termarked copies to look for the watermark. Assuming that theoriginal data is the same for all users, the differences theydetectare differences in their watermarks. The colluders can thendis-tort this watermark, and distribute a copy which matches alltheircopies on the positions where they detected no differences,andhas some possibly non-deterministic output on these detected wa-termark positions. Since the watermark does not match any user’swatermark exactly, finding the guilty users is non-trivial.

In this paper we focus on the problem of constructing effi-cient collusion-resistant schemes for tracing pirates, which in-volves finding a way to choose watermark symbols for each user(the traitor tracing code) and a way to trace a detected copy backto the guilty users (an accusation algorithm). In particular, wewill focus on the application of such schemes in a dynamic set-ting, where the pirate output is detected in real-time, before thenext watermark symbols are embedded in consecutive segmentsof the content. We will show that by building upon the Tardosscheme [8], we can construct efficient and flexible dynamic traitor

∗T. Laarhoven, B.Skoric, and B. de Weger are with the Department of Math-ematics and Computer Science, Eindhoven University of Technology, 5612 AZEindhoven, The Netherlands.E-mail: t.m.m.laarhoven,b.skoric,b.m.m.d.weger@tue.nl.

†J. Doumen and P. Roelse are with Irdeto BV, 5656 AE Eindhoven,TheNetherlands.E-mail: jdoumen,peter.roelse@irdeto.com.

tracing schemes. The number of watermark symbols needed inour schemes is a significant improvement compared to [9], andour schemes can be easily adjusted when the model is slightlydif-ferent from the standard dynamic traitor tracing model describedin [1,4,9].

1.1 Model

Let us first formally describe the mathematical model for theproblem discussed in this paper. First, some entity called the dis-tributor controls the database of watermarks and distributes thecontent. The recipients, each receiving a watermarked copyofthe content, are referred to as users. We writeU = 1, . . . ,n forthe set of all users, and we commonly use the symbolj for in-dexing these users. For the watermarks, we refer to the sequenceof watermarking symbols assigned to a userj by the vector~Xj ,which is also called a codeword. We writeℓ for the total num-ber of watermark symbols in a codeword, so that each codeword~Xj has lengthℓ, and we commonly use the symboli to index thewatermark positions. In this paper we only focus on watermarksymbols from a binary alphabet, so that(~Xj)i ∈ 0,1 for all i, j.The traitor tracing code, consisting of all watermark symbols foreach user, is denoted byX = ~X1, . . . ,~Xn. A more common wayto represent this code is by putting all codewords~Xj as rows in amatrixX, so thatXj ,i = (~Xj)i is the symbol on positioni of user j.

After assigning a codeword to each user, the codewords areembedded in the data as watermarks. The watermarked copiesare sent to the users, and some of the users (referred to as thepi-rates) collude to create a pirate copy. The pirates form a subsetC⊆U , and we usec= |C| for the number of pirates in the coali-tion. The pirate copy has some distorted watermark, denotedby~y. We assume that if on some positioni all pirates see the samesymbol, they output this symbol. This assumption is known inthe literature as the marking assumption. On other positions weassume pirates simply choose one of the two symbols to output.This choice of pirate symbols can be formalized by denoting apirate strategy by a functionρ , which maps a code matrixX (orthe part of the matrix visible to them) to a forgery~y. After thecoalition generates a pirate copy, we assume the distributor de-tects it and uses some accusation algorithmσ to map the forgery~y to some subsetσ(~y) = C⊆U of accused users. These users arethen disconnected from the system. IdeallyC = C, but this maynot always be achievable.

Static schemes. We distinguish between two types of schemes.In static schemes, the process ends after one run of the above

1

algorithm with a fixed codelengthℓ, and the setC is the final setof accused users. So the complete codewords are distributed, thepirates generate and distribute a pirate copy, and the distributordetects this output and calculates the set of accused users.In thiscase an elementary result is that one can never have any certaintyof catching all pirates. After all, the coalition could decide tosacrifice one of its members, so that~y= ~Xj for somej ∈C. Thenit is impossible to distinguish between other piratesj ′ ∈ C\ jand innocent usersj ′ ∈ U \C. However, static schemes do existthat achieve catching at least one guilty user and not accusing anyinnocent users with high probability. The original Tardos scheme[8] belongs to this class of schemes.

Dynamic schemes. The other type of scheme is the class of dy-namic schemes, where the process of sending out symbols, detect-ing pirate output and running an accusation algorithm is repeatedmultiple times. In this case, if a user is caught, he is immediatelycut off from the system and can no longer access the content.These dynamic scenarios for example apply to live broadcasts,such as pay-tv. The distributor broadcasts the content, while thepirates directly output a pirate copy of the content. The distributorthen listens in on this pirate broadcast, extracts the watermarks,and uses this information for the choice of watermarks for thenext segment of the content. We assume that the pirates alwaystry to keep their broadcast running, so we assume that if one ofthe pirates is disconnected, the other pirates will take over. Ideallyone demands that the set of accused users always matches the ex-act coalition, i.e.C =C, and with dynamic schemes we can alsoachieve this with high probability, as we will see later. Thenewschemes we present in this paper belong to this class of schemes.

As mentioned earlier, we call static schemes successful if withhigh probability, at least one guilty user is caught, and no inno-cent users are accused. With dynamic schemes one can catchall pirates, so we only call such schemes successful if with highprobability, all pirates are caught and no innocent users are ac-cused. This leads to the following definitions of soundness andstatic/dynamic completeness.

Definition 1 (Soundness and completeness). Let (X ,σ) be atraitor tracing scheme, let c≥ 2 and letε1,ε2 ∈ (0,1). Then ascheme has the soundness property with parameterε1, or is calledε1-sound, if for all coalitions C⊆ U and pirate strategiesρ , theprobability of accusing one or more innocent users is boundedfrom above as

P(C 6⊆C)≤ ε1.

A static traitor tracing scheme(X ,σ) has the static complete-ness property with parametersε2,c, or is called static(ε2,c)-complete, if for all coalitions C⊆ U of size at most c and forall pirate strategiesρ , the probability of not catching any piratesis bounded from above as

P(C∩C= /0)≤ ε2.

Finally, a dynamic traitor tracing scheme(X ,σ) has the dy-namic completeness property with parametersε2,c, or is calleddynamic(ε2,c)-complete, if for all coalitions C⊆ U of size at

most c and for all pirate strategiesρ , the probability of not catch-ing all pirates is bounded from above as

P(C 6⊆ C)≤ ε2.

In the following sections we will omit thec in the complete-ness property if the parameter is implicit. Similarly, whenε1 orε2 is implicit, we sometimes also simply call a scheme sound orcomplete. As we will see later, in the schemes discussed in thispaper,ε1/n andε2 are closely related. We will use the notationη = ln(ε2)/ ln(ε1/n) to denote the logratio of these error proba-bilities. In most practical scenarios we haveε1/n< ε2, so usuallyη ∈ (0,1).

1.2 Related work

The schemes in this paper all build upon the Tardos scheme, in-troduced in [8]. This is an efficient static traitor tracing scheme,and it was the first scheme to achieveε1-soundness and(ε2,c)-completeness with a codelength ofℓ = O(c2 ln(n/ε1)). In thesame paper it was also proved that this asymptotic behaviouris optimal. The original Tardos scheme had a codelength ofℓ = 100c2 ln(n/ε1), and several improvements for the Tardosscheme have been suggested to reduce the constant before thec2 ln(n/ε1). We mention two in particular: the improved anal-ysis done in [2]; and the introduction of a symmetric score func-tion in [7]. Combining these improvements led to even shortercodelength constants in [6]. Forc ≥ 2 andη ≤ 1 the construc-tion in [6] gives codelengths ofℓ < 24c2 ln(n/ε1), with the con-stant further decreasing asc increases orη decreases. For asymp-totically largec, the construction from [6] gives a codelength ofℓ= [π2

2 +O(c−1/3)]c2 ln(n/ε1). The scheme from [6] and its prop-erties are discussed in Section 2.

For the dynamic setting, we mention three papers. In [4] ascheme with no probability of error was introduced, which usesa large alphabet size. The number of symbols needed to catchpirates in that scheme isℓ = O(clog2(n)), but the alphabet sizeneeded isq= 2c+1. In [1] several schemes were suggested us-ing a smaller alphabet of sizeq = c+ 1, with codelengths rang-ing from O(c3 log2(n)) to O(c2 + clog2(n)). In [9] the dynamicscheme from [4] was combined with the static scheme from [3],giving a dynamic scheme using a binary alphabet with a to-tal codelength ofℓ = O(c4 log2(n) ln(c/ε1)). In the same paperthe author suggests that using the Tardos scheme instead of thescheme from [3] may decrease the codelength by a factorc, thuspossibly giving a codelength ofℓ=O(c3 log2(n) ln(c/ε1)). As de-tailed later, the schemes we present here are even more efficientthan this suggested improvement.

1.3 Contributions and outline

First we show that the static Tardos scheme can be extended toadynamic traitor tracing scheme in a very efficient way. This dy-namic scheme then has a codelength ofℓ=O(c2 ln(n/ε1)), wherethe constant only slightly increases compared to the schemefrom[6], while with this scheme we have certainty about catchingall pirates, instead of at least one pirate as in the static Tardos

2

scheme. These adjustments do not influence the codeword gener-ation of the Tardos scheme, so the codewords can still be gener-ated in advance. This is an advantage compared to the schemesfrom [1,4,9].

Since the value ofc is usually not known in advance, we thenshow how to create ac-independent “universal” dynamic schemethat does not requirec as input. The property that the code-words can be generated in advance is left unchanged, while thescheme also has several advantages with respect to flexibility,detailed in Section 6. The codelength of this scheme is alsoℓ = O(c2 ln(n/ε1)), thus improving upon the results from [9] byroughly a factorO(c2) and upon the suggested improvement in [9]by a factorO(c).

This paper is organized as follows. First, in Section 2 wepresent the construction of the static Tardos scheme with the im-proved analysis from [6]. This scheme and its results will beused as the foundation for the dynamic Tardos scheme, which wepresent in Section 3. Then, in Section 4 we present a modificationof the dynamic Tardos scheme when the setting is not fully dy-namic. In Section 5 we then present the universal Tardos scheme,which is an extension of the dynamic Tardos scheme that does notrequirec as input. In Section 6, we discuss the results and arguethat our schemes have several advantages with respect to flexi-bility as well. Finally, in Section 7 we list some open problemsraised by our work.

This paper is mainly based on results from the first author’sMaster’s thesis [5].

2 Preliminaries: The Tardos scheme

The results in the next sections all build upon results from thestatic Tardos scheme, so we first discuss this scheme here. Sincethe codeword generation of the schemes discussed in this paperall use (a variant of) the arcsine distribution, we also firstdescribethis distribution below.

2.1 Arcsine distribution

The standard arcsine distribution functionF(p), and its associatedprobability density functionf (p), are given by:

F(p) =2π

arcsin(√

p), f (p) =1

π√

p(1− p). (1)

This distribution function will be used in Section 5. In Sections 2,3 and 4 we will use a variant of this distribution function, wherethe values ofp cannot be arbitrarily close to 0 and 1, as this gener-ally leads to a high probability of accusing innocent users.In [8],Tardos therefore used the arcsine distribution with a certain smallcutoff parameterδ > 0, such thatp ∈ [δ ,1− δ ]. By scalingFand f appropriately on this interval, this leads to the distributionfunctionsFδ and associated density functionsfδ :

Fδ (p) =2arcsin(

√p)−2arcsin(

√δ )

π −4arcsin(√

δ ), (2)

fδ (p) =1

(π −4arcsin(√

δ ))√

p(1− p). (3)

Note that takingδ =0 (i.e. using no cutoff) leads toF0(p)≡F(p).

2.2 Construction

Here we describe the Tardos scheme, with parametersdℓ,dz,dδas introduced in [2], and with the symmetric score function intro-duced in [7]. If certain requirements on these constants aresatis-fied, one can prove soundness and static completeness, as in [6].

1. Initialization phase

(a) Take the codelength asℓ= dℓc2 ln(n/ε1).

(b) Take the accusation threshold asZ = dzcln(n/ε1).

(c) Take the cutoff parameter asδ = 1/(dδ c4/3). 1

2. Codeword generationFor each position 1≤ i ≤ ℓ:

(a) Selectpi ∈ [δ ,1− δ ] from the distribution functionFδ (p) defined in (2).

(b) For each userj ∈ U , generate theith entry of thecodeword of userj according toP(Xj ,i = 1) = pi andP(Xj ,i = 0) = 1− pi.

3. Distribution of codewords

(a) Send to each userj ∈ U their codeword~Xj =(Xj ,1, . . . ,Xj ,ℓ), embedded as a watermark in the con-tent.

4. Detection of pirate output

(a) Detect the pirate output, and extract the watermark~y=(y1, . . . ,yℓ).

5. Accusation phaseFor each userj ∈U :

(a) For each position 1≤ i ≤ ℓ, calculate the user’s scoreSji for this position according to:

Sj ,i =

+√

(1− pi)/pi if Xji = 1,yi = 1,

−√

(1− pi)/pi if Xji = 1,yi = 0,

−√

pi/(1− pi) if Xji = 0,yi = 1,

+√

pi/(1− pi) if Xji = 0,yi = 0.

(4)

(b) Calculate the user’s total scoreSj(ℓ) = ∑ℓi=1Sji .

(c) User j is accused (i.e.j ∈ C) if Sj(ℓ)> Z.

1Previously, in [2, 6–8], it was common to parametrize the offset δ as δ =1/(dδ c). However, in [6] it was shown that to get optimal results,δ should scale asc−4/3 rather thanc−1. Therefore we now useδ = 1/(dδ c4/3), with dδ convergingto a non-zero constant for asymptotically largec.

3

2.3 Soundness

For the above construction, one can prove soundness and staticcompleteness, provided the constantsdℓ,dz,dδ satisfy certain re-quirements. For soundness, in [6] the following lemma wasproved. Hereh(x) = (ex−1−x)/x2, which is a strictly increasingfunction from(0,∞) to (1

2,∞).

Lemma 1. [6, Lemma 1] Let the Tardos scheme be constructedas in Subsection 2.2. Let j be some arbitrary innocent user, andlet a> 0. Then

E(

eaSj (ℓ)c−1)

≤(ε1

n

)−aλadℓ,

whereλa = ah(a√

dδ c−1/3).

Now if the following condition of soundness is satisfied,

∃ a> 0 : a(dz−λadℓ)≥ 1, (S)

then using the Markov inequality and Lemma 1 with thisa, forinnocent usersj we get

P( j ∈ C) = P(Sj(ℓ)> Z)≤E(

eaSj (ℓ)c−1)

eaZc−1

≤(ε1

n

)a(dz−λadℓ) ≤ ε1

n.

So the probability that no innocent user is accused is at least (1−ε1n )

n ≥ 1− ε1, as was also shown in [6, Theorem 3].

2.4 Static completeness

To prove static completeness, in [6] the following lemma wasused. Below, and throughout the rest of this paper,S(ℓ) =∑ j∈C Sj(ℓ) represents the total coalition score, i.e. the sum of thescores of all piratesj ∈C.

Lemma 2. [6, Lemma 2] Let the Tardos scheme be constructedas in Subsection 2.2, and let b> 0. Then

E(

e−bS(ℓ)c−5/3)

≤(ε1

n

)bλbdℓc1/3

,

whereλb =2π − 4

dδ π c−1/3−bh(b√

dδ )c−2/3.

If the following condition of completeness is satisfied,

∃ b> 0 : b(λbdℓ−dz)≥ ηc−1/3, (C)

then using the pigeonhole principle, the Markov inequalityandLemma 2 with thisb we get

P(C∩C= /0)≤ P(S(ℓ)< cZ)≤E(

e−bS(ℓ)c−5/3)

e−bZc−2/3

≤(ε1

n

)b(λbdℓ−dz)c1/3

≤(ε1

n

)η= ε2.

So static completeness follows from Lemma 2 and condition (C),as was also shown in [6, Theorem 4].

2.5 Codelengths

In [2] and [6] a detailed analysis is given to go from require-ments (S) and (C) to the asymptotically optimal set of parametersthat satisfies the constraints and minimizesdℓ. Recall thatℓ =dℓc2 ln(n/ε1), so a smallerdℓ gives shorter codelengths, whereasthe parametersdz anddδ affect onlyZ andδ , which have no in-fluence on the efficiency of the scheme. In [6] the following resultwas obtained.

Lemma 3. [6, Theorem 6] Letγ =(

23π)2/3 ≈ 0.36. The optimal

asymptotic value for dℓ is

dℓ =π2

2+O(c−1/3),

the associated values for dz and dδ are

dz = π +O(c−1/3), dδ =4γ−O

( ηlnc

)

,

and the corresponding values for a,b,λa,λb are

a=2π−O(c−1/3), b=

lnc9πγ

−O

(

ln

(

lncη

))

,

λa =1π+O(c−1/3), λb =

2π−O(c−1/3).

A direct consequence of Lemma 3 is the following corollary,which gives the optimal asymptotic scheme parameters forc→∞.

Corollary 1. [6, Corollary 1] The construction from Subsection2.2 gives anε1-sound and static(ε2,c)-complete scheme withasymptotic scheme parameters

ℓ→ π2

2c2 ln(n/ε1), Z → πcln(n/ε1), δ → γ

4c−4/3.

For further details on the optimal first order constants, see[6].

2.6 Example

Let the scheme parameters be given byc = 25 pirates,n = 106

users, and error probabilitiesε1 = ε2 = 10−3. Thenη = 13, and

the optimal values ofdℓ,dz,dδ can be calculated numerically as

dℓ = 8.46, dz = 4.53, dδ = 14.36.

This leads to the scheme parameters

ℓ= 109585, Z = 2345, δ = 5.09·10−4.

So using these scheme parameters, we know that after 109585symbols, with probability at least 1− ε1 there are no false accu-sations, and with probability at least 1− ε2 at least one pirate isaccused. In Fig. 1 we show simulation results for these parame-ters. The curves in the figure are the pirate scoresSj(i) for eachpirate j ∈C, while the shaded area is bounded from above by thehighest score of an innocent user, and bounded from below by thelowest score of an innocent user in this simulation. In Fig. 1a wesimulated pirates using the interleaving attack (i.e. for each posi-tion, they choose a random pirate and output his symbol), andin

4

Z = 2345

=

109

585

0 20 000 40 000 60 000 80 000 100 000 120 000-2000

-1000

0

1000

2000

3000

4000

i

S

jHiL

(a) Interleaving attack

Z = 2345

=

109

585

0 20 000 40 000 60 000 80 000 100 000 120 000-2000

-1000

0

1000

2000

3000

4000

i

S

jHiL

(b) Scapegoat strategy

Figure 1: Simulations of the Tardos scheme, withc= 25 colluders,n= 106 users,and error probabilitiesε1 = ε2 = 10−3. In Fig. 1a the pirates used the interleavingattack, whereas in Fig. 1b they used the scapegoat strategy.In both cases, the totalcoalition scoreS(ℓ) at timeℓ is approximately 72000, but while in the first casethe score is evenly divided among the pirates, in the second case one pirate takesall the blame.

Fig. 1b they used the scapegoat strategy (i.e. one pirate, the scape-goat, always outputs his symbol, until he is caught and another pi-rate is picked as the scapegoat). With the scapegoat strategy, onlyone pirate is caught, while using the interleaving attack leads tomany accused pirates.

3 The dynamic Tardos scheme

Let us now explain how we create a dynamic scheme from thestatic Tardos scheme, such that with high probability we catch allcolluders, instead of at least one colluder. The change we makeis the following. Instead of only comparing scores withZ afterℓsymbols, we now compare the scores withZ after every positioni. If a user’s score exceedsZ at any point in time, then he is

disconnected immediately and can no longer access the content.His score is then necessarily betweenZ andZ := Z+

√dδ c2/3 >

Z+maxpi ,Xji ,yi Sji . The rest of the construction remains the same,except for the values ofdℓ,dz,dδ , which now have to be chosendifferently.

3.1 Construction

The scheme again depends on three constantsdℓ,dz,dδ . We showin Subsections 3.2 and 3.3 that if certain requirements on theseconstants are satisfied, we can prove soundness and dynamic com-pleteness. Below we say a user is active if he is not disconnectedin the scheme. We assume that the pirates always output some wa-termarked data, unless all of the pirates are disconnected.Thenthe traitor tracing scheme terminates.

1. Initialization phase

(a) Take the codelength asℓ= dℓc2 ln(n/ε1).

(b) Take the accusation threshold asZ = dzcln(n/ε1).

(c) Take the cutoff parameter asδ = 1/(dδ c4/3).

(d) Set initial user scores atSj(0) = 0.

2. Codeword generationFor each position 1≤ i ≤ ℓ:

(a) Selectpi ∈ [δ ,1− δ ] from Fδ (p) defined in (2).

(b) GenerateXj ,i ∈ 0,1 usingP(Xj ,i = 1) = pi .

3. Distribution/Detection/AccusationFor each position 1≤ i ≤ ℓ:

(a) Send to each active userj symbolXj ,i.

(b) Detect the pirate outputyi .(If there is no pirate output, terminate.)

(c) Calculate scoresSj ,i using (4).

(d) For active usersj, setSj(i) = Sj(i −1)+Sj ,i.(For inactive usersj, setSj(i) = Sj(i −1).)

(e) Disconnect all active usersj with Sj(i)> Z.

In the construction above, we separated the codeword genera-tion from the distribution, detection and accusation. These phasescan also be merged by generatingpi andXji once we need them.However, we present the scheme as above to emphasize the factthat these phases can indeed be executed sequentially instead ofsimultaneously, and that the codeword generation can thus bedone before the traitor tracing process begins.

3.2 Soundness

For the dynamic Tardos scheme as given above, we can prove thefollowing result regarding soundness.

Theorem 1. Consider the dynamic Tardos scheme in Subsection3.1. If the following condition is satisfied,

∃ a> 0 : a(dz−λadℓ)≥ 1+ln(2)

ln(n/ε1), (S’)

then the scheme isε1-sound.

5

To prove the theorem, we first prove a relative upper bound onthe probability that a single innocent user is accused and discon-nected. This bound relates the error probability in the dynamicTardos scheme to the probability that the user score at timeℓ isaboveZ. We then use the proof of the original Tardos scheme toget an absolute upper bound on the soundness error probability,and to prove Theorem 1. Since the relative upper bound gives usan extra factor 2, and since the terms in (S’) appear as exponentsin the proof, we get an additional term ln(2)/ ln(n/ε1) comparedto (S). Note that this term is small for reasonable values ofn andε1, so this only has a small impact on the right hand side of (S’),compared to (S).

In the following we writeSj(i) = ∑ik=1Sjk. If user j is still ac-

tive at timei, thenSj(i) =Sj(i), but whereasSj(i) does not changeanymore once userj is disconnected, the scoreSj(i) does changeon every position even if the user has already been disconnected,and calculates the user’s score as if he had not been disconnected.Similarly, we writeS(i) = ∑ j∈C Sj(i) for coalitionsC. Note that ifthe last pirate is disconnected at positioni0 < ℓ, thenSji andSj(i)are not defined fori0 < i ≤ ℓ.

Lemma 4. Let j ∈ U be an arbitrary innocent user, let C⊆U \ j be a pirate coalition and letρ be some pirate strategyemployed by this coalition. Then

P( j ∈ C)≤ 2 ·P(

Sj(ℓ)> Z)

.

Proof. Let us define eventsA andB as

A := j ∈ C= Sj(ℓ)> Z=ℓ⋃

i=1

Sj(i)> Z,

B := Sj(ℓ)> Z.

We trivially haveP(A | B) = 1. For P(B | A), note that underthe assumption thatA holds, the processSj(i)∞

i=i0starting at

positioni0 =mini : Sj(i)>Z≤ ℓ describes a symmetric randomwalk with no drift. So we then haveP(Sj(ℓ)≥ Sj(i0)) = 1/2, andsinceSj(i0) > Z it follows thatP(B | A)≥ 1/2. Finally we applyBayes’ Theorem toA andB to get

P(A) =P(A | B)P(B | A)

·P(B)≤ 2 ·P(B).

This completes the proof.

Proof of Theorem 1.First, we remark that the distribution ofSj(ℓ) is the same as the distribution of the scoresSj(ℓ) in theoriginal Tardos scheme, for the same parametersℓ,Z,δ . From theMarkov inequality, Lemma 1 and condition (S’) it thus followsthat

P(Sj(ℓ)> Z)≤E(

eaSj (ℓ)c−1)

eaZc−1 ≤(ε1

n

)a(dz−λadℓ) ≤ ε1

2n.

Using Lemma 4 the result follows.

3.3 Dynamic completeness

With the dynamic Tardos scheme, we get the following result re-garding dynamic completeness. Recall that here we require thatall pirates are caught, instead of at least one, as was the case inthe original Tardos scheme.

Theorem 2. Consider the dynamic Tardos scheme in Subsection3.1. If the following condition is satisfied,

∃ b> 0 : b(λbdℓ−dz)≥(

η +ln(2)+b

√dδ

ln(n/ε1)

)

c−1/3, (C’)

then the scheme is dynamic(ε2,c)-complete.

Similar to the proof of soundness, we prove dynamic complete-ness by relating the error probability to the static completenesserror probability of the static scheme from Section 2. Then weuse the results from the static scheme to complete the proof.Weagain see a factor 2 in the relative upper bound, which again ex-plains the additional term ln(2)/ ln(n/ε1) compared to (C). Theother termb

√dδ/ ln(n/ε1) is a consequence of usingZ instead of

Z in the proofs. Note that these two terms are small, compared tothe first termη .

Lemma 5. Let C be a coalition of size at most c, and letρ be anypirate strategy employed by this coalition. Then

P(C 6⊆ C)≤ 2 ·P(

S(ℓ)< cZ)

.

Proof. First we remark thatP(S(ℓ)< cZ |C 6⊆ C) ≥ 1/2. This isbecause ifC 6⊆ C, thenS(ℓ) < cZ, and sinceS(ℓ)−S(ℓ) = R(ℓ)is a symmetrical, unbiased random walk, with probability atleast1/2 we haveR(ℓ)< 0 andS(ℓ)< cZ. Next, we use the definitionof the conditional probability to get

P(C 6⊆ C)≤ 2 ·P(C 6⊆ C) ·P(S(ℓ)< cZ |C 6⊆ C)

= 2 ·P(S(ℓ)< cZ,C 6⊆ C)≤ 2 ·P(S(ℓ)< cZ).

This proves the result.

Proof of Theorem 2.First, note that in the dynamic Tardosscheme, the only extra information pirates receive compared tothe static Tardos scheme is the fact whether some of them aredisonnected. This information is certainly covered by the infor-mation contained in the values ofpi (if pirates knowpi , then theycan calculate their scoresSj(i) themselves and calculate whetherthey will be disconnected or not). Also note thatS(ℓ) behaves thesame asS(ℓ) in the static Tardos scheme, where the total coali-tion score is calculated for all pirates and all positions, regardlessof whether they contributed on that position or not. So if we canprove that even in the static Tardos scheme, and even if coalitionsget information about the values ofpi , the probability of keep-ing the coalition scoreS(ℓ) belowcZ is bounded byε2/2, then itfollows that alsoP(S(ℓ)< cZ)≤ ε2/2.

For the static Tardos scheme, note that the proof method forthe completeness property does not rely onpi being secret. Theonly assumption that is used in that proof is that the MarkingAs-sumption applies, which does apply here. So here we can also use

6

Η = 1

Η = 0.01

5 10 50 100 500 10000

5

10

15

20

25

30

c

d

Figure 2: Optimal values ofdℓ in the dynamic Tardos scheme. The dotted line

corresponds to the asymptotic optimal valuedℓ =π2

2 ≈ 4.93. The bold curvesshow the values ofdℓ in the static Tardos scheme forη = 1 (top) andη = 0.01(bottom) respectively. The five curves slightly above each of the bold curves showthe optimal values ofdℓ in the dynamic Tardos scheme forn/ε1 = 103k, for k= 1up to 5. Higher values ofk correspond to lower values ofdℓ.

the proof method of the static Tardos scheme. From the Markovinequality, Lemma 2 and condition (C’), it thus follows that

P(

S(ℓ)< cZ)

≤E(

e−bS(ℓ)c−5/3)

e−b(Z+√

dδ c2/3)c−2/3

≤(ε1

n

)b

(

λbdℓ−dz−√

dδln(n/ε1)

c−1/3)

c1/3

≤(ε1

n

)η+ ln2ln(n/ε1) =

ε2

2.

Using Lemma 5 the result then follows.

3.4 Codelengths

The requirements (S’) and (C’) are only slightly different fromrequirements (S) and (C). For asymptotically largec, these dif-ferences disappear, and thus the optimal asymptotic codelengthis the same as in the static Tardos scheme. In Fig. 2 we showthe optimal values ofdℓ in the dynamic Tardos scheme forη = 1andη = 0.01. The different curves correspond to different val-ues ofn/ε1, ranging fromn/ε1 = 103 (the highest values ofdℓ) ton/ε1 = 1015 (the lowest values ofdℓ).

Note that these values ofdℓ correspond to the theoretical code-lengths such that probability at least 1− ε1, by timeℓ all of thepirates have been disconnected. This however does not mean thatthe last pirate is caught exactly at timeℓ, only that he is caughtbefore or at timeℓ. So in practice the number of symbols neededto disconnect all traitors may be below this theoretical codelengthℓ, and may even decrease compared to the static Tardos scheme.

Furthermore, if the coalition size is not known, but only an up-per bound on the coalition size is known, i.e.c ≤ c0 for somec0, then one generally uses a traitor tracing scheme that is resis-tant against up toc0 colluders. In [7] it was shown that for the

Tardos scheme, the total coalition scoreS(i) = ∑ j∈C Sj(i) alwaysincreases linearly ini with approximately the same slope, regard-less of the coalition size. More precisely, the scoreS(i) behavesasS(i) ≈ iµ , with µ ≈ 2

π only slightly depending on the coali-tion sizec and the pirate strategyρ . Since one choosesℓ andZsuch thatS(ℓ)≈ ℓµ ≈ c0Z, it follows thatS( c

c0ℓ) ≈ cZ. In other

words, to catch a coalition of sizec≤ c0, the expected number ofsymbols needed is approximatelyℓ = O( c

c0ℓ) = O(cc0 ln(n/ε1)).

So compared to the static Tardos scheme, where the codelength isfixed in advance atO(c2

0 ln(n/ε1)), the codelength is reduced by afactor c

c0. In particular, small coalitions of few pirates are caught

up toO(c0) times faster.

3.5 Example

Let the scheme parameters be the same as in Section 2.6, i.e.c=25,n= 106 andε1 = ε2 = 10−3, so thatη = 1

3. The optimal valuesof dℓ,dz,dδ satisfying (S’) and (C’) can be calculated numericallyas

dℓ = 9.00, dz = 4.73, dδ = 13.44

This leads to the scheme parameters

ℓ= 116561, Z = 2448, δ = 1.02·10−3

In Fig. 3 we show some simulation results for these parameters.In Fig. 3a the pirates used the interleaving attack, and in Fig. 3bthey used the scapegoat strategy.

4 The semi-dynamic Tardos scheme

In the dynamic Tardos scheme, we need to disconnect users assoon as their scores exceed the thresholdZ. In some scenariosthis may not be feasible, and we may only be able to disconnectusers several positions later, say afterB more symbols. This canhave several reasons:

• The pirates transmit their content with a small delay, so thatthere is a delay ofB symbols between original broadcast andthe corresponding pirate output.

• Detecting the pirate output, extracting the watermark, updat-ing the scores and disconnecting users takes so much timethat a user is only disconnected afterB more symbols havealready been distributed.

For these cases, we present two different solutions. First,in Sec-tion 4.1 we present a scheme that achieves a codelength of atmostℓ = dℓc2 ln(n/ε1)+Bc, wheredℓ is the same as in the dy-namic Tardos scheme for the same parameters. For small val-ues ofB, this means that with codelength which is only slightlyhigher than in the dynamic Tardos scheme, we can also catch allpirates in a semi-dynamic setting. Then, in Section 4.2 we presenta scheme that achieves a codelength ofℓ= dℓ,Bc2 ln(n/ε1), wheredℓ,B increases withB. Since a small increase indℓ can alreadylead to a big increase in the codelength, the second scheme gen-erally has a larger codelength than the first scheme. Only forval-uesB with B> (dℓ,B−dℓ)cln(n/ε1) = Ω(cln(n/ε1)), the secondscheme achieves a shorter codelength than the first scheme.

7

Z = 2448

=

116

561

i=91

528

0 20 000 40 000 60 000 80 000 100 000 120 000-2000

-1000

0

1000

2000

3000

i

S

jHiL

(a) Interleaving attack

Z = 2448=

116

561

i=93

899

0 20 000 40 000 60 000 80 000 100 000 120 000-2000

-1000

0

1000

2000

3000

i

S

jHiL

(b) Scapegoat strategy

Figure 3: Simulations of the dynamic Tardos scheme, with parametersc = 25,n = 106 andε1 = ε2 = 10−3. In Fig. 3a the pirates used the interleaving attack,whereas in Fig. 3b they used the scapegoat strategy. In both cases, after less than95000 symbols all pirates have been caught, which is less than the theoreticalcodelengthℓ= 116561, and less than the codelength of the static Tardos schemewith the same parameters,ℓ= 109585.

4.1 First scheme:ℓ= dℓc2 ln(n/ε1)+Bc

The first scheme is based on the following modification to theaccusation algorithm of the dynamic Tardos scheme. Supposeauser’s score exceedsZ after i0 positions. At positioni0 we nowdisconnect this user. Since this user may have contributed to thenextB symbols of the pirate output~y, we disregard the followingB positions of the watermark, and do not update the scores forpositionsi ∈ i0 +1, . . . , i0 +B. After those positions we con-tinue the traitor tracing process as in the dynamic Tardos scheme,and we repeat the above procedure for each time a user’s scoreexceedsZ.

With this modification, the traitor tracing process on thosepo-sitions that were used for calculating scores is identical to thetraitor tracing process of the dynamic Tardos scheme. We can

32

16

8

42

1

5 10 50 100 500 10000

5

10

15

20

25

30

c

d

,B

Figure 4: Optimal values ofdℓ,B in the semi-dynamic Tardos scheme from Section4.2, for the parametersn= 106, ε1 = ε2 = 10−3, andη = 1

3 . The bold curve cor-responds to the values ofdℓ in the static Tardos scheme with the same parameters,while the six curves above this curve correspond to the optimal values ofdℓ,B forB = 1,2,4,8,16,32 respectively. The dotted line corresponds to the asymptotic

optimal valuedℓ =π2

2 ≈ 4.93. ForB= 1 we get exactly the codelengths of thedynamic Tardos scheme.

therefore use the analysis from Section 3 and conclude that withdℓc2 ln(n/ε1) positions for which we calculate scores, we catchany coalition of sizeℓ. Since we disregardedBc positions, thepirate broadcast will not last longer thanℓ = dℓc2 ln(n/ε1)+Bcpositions in total, wheredℓ,dz anddδ are as in the dynamic Tar-dos scheme for the same parameters. This means that with at mostBcmore symbols than in the dynamic Tardos scheme, we can alsocatch coalitions in this semi-dynamic traitor tracing setting.

4.2 Second scheme:ℓ= dℓ,Bc2 ln(n/ε1)

Instead of usingBc more symbols, we can also try to adjustthe analysis of the dynamic Tardos scheme to the semi-dynamictraitor tracing scenario. We can do this by following the proofmethods of the dynamic Tardos scheme, and by making one smalladjustment. The change we make in the analysis is to useZB :=Z+B

√dδ c2/3 > Z+BmaxpSji (p) instead ofZ = Z+

√dδ c2/3

as our new upper bound for the scores of users in the proofs. Thisresults in the following, slightly different condition fordynamiccompleteness:

∃ b> 0 : b(λbdℓ−dz)≥(

η +ln(2)+Bb

√dδ

ln(n/ε1)

)

c−1/3. (C”)

If some parametersdℓ,B,dz,B,dδ ,B satisfy (S’) and (C”), then us-ing these constants as our scheme parameters, we obtain aε1-sound and dynamic(ε2,c)-complete scheme with a codelength ofℓ = dℓ,Bc2 ln(n/ε1). In Fig. 4 we show the values ofdℓ,B for theparametersn= 106, ε1 = ε2 = 10−3, andη = 1

3, for several valuesof B. As the value ofB increases, the value ofdℓ,B increases aswell.

8

4.3 Example

As before, let the scheme parameters be given byc= 25,n= 106

andε1 = ε2 = 10−3, so thatη = 13, and let us useB= 8. For the

first scheme, the codelength then increases byBc= 200 comparedto the dynamic Tardos scheme, giving scheme parameters:

ℓ= 116761, Z = 2448, δ = 1.02·10−3

For the second scheme, the optimal values ofdℓ,B,dz,B,dδ ,B satis-fying (S’) and (C”) forB= 8 can be calculated numerically as

dℓ,B = 10.16, dz,B = 4.94, dδ ,B = 10.07.

This leads to the scheme parameters

ℓ= 131587, Z = 2561, δ = 1.36·10−3.

So in this case, using the first scheme leads to a shorter code-length.

5 The universal Tardos scheme

In this section we present a dynamic scheme that does not requirec as input. The name “universal” comes from the fact that forthe codeword generation, we now use a distribution functionFwhich does not depend onc, but is a universal distribution func-tion that can be used for all values ofc. Because of this, we canuse the same codewords for different values ofc. In particular,we will use the firstℓ(c) = O(c2 ln(n/ε1)) symbols to catch coali-tions of sizec, for c ≥ 2. We do this in such a way that if acoalition has some unknown sizec, then afterℓ(c) symbols, theprobability of not having caught all members of this coalition isat mostε2. Since we do this for each value ofc, we now onlyneedO(c2 ln(n/ε1)) symbols to catch a coalition of sizec.

The only problem with this new codeword generation methodis that a completely universal distribution function whichis opti-mally efficient for all values ofc does not exist. More precisely,the proof of soundness of the Tardos scheme requires that thecut-off parameterδ is sufficiently large in terms ofc, whereas forcompleteness we need thatδ approaches 0 asc → ∞. One wayto avoid this problem is the following. For generating the valuesof pi , we use the standard arcsine distribution function from (1).Then for any value ofc we simply disregard those valuespi whichare not between the corresponding cutoff parameterδ and 1− δ .The fraction of values ofpi that is disregarded can be estimatedeasily as follows:

1−∫ 1−δ (c)

δ (c)f (p)dp=

4π

arcsin(√

δ (c))

.

Since4π arcsin(

√δ (c)) = 4

π√

dδc−2/3+O(c−2), the right hand side

is small and decreasing inc, so the fraction of disregarded data issmall.

5.1 Construction

Basically we run several dynamic Tardos schemes simultaneouslywith shared codewords, so scheme parameters and scores now

have to be calculated for each of these schemes, i.e. for eachofthe values ofc. We introduce counterst(c) to keep track of thenumber of positions that are not disregarded, for each valueof c.For eachc we then basically run a dynamic Tardos scheme usingthe same codeX until t(c) = ℓ(c).

1. Initialization phaseFor eachc≥ 2:

(a) Take the codelength asℓ(c) = d(c)ℓ c2 ln(n/ε(c)1 ).

(b) Take the threshold asZ(c) = d(c)z cln(n/ε(c)1 ).

(c) Take the cutoff parameter asδ (c) = 1/(d(c)δ c4/3).

(d) Initialize the user scores atS(c)j (0) = 0.

(e) Initialize the counterst(c) at t(c)(0) = 0.

2. Codeword generationFor each positioni ≥ 1:

(a) Selectpi ∈ [0,1] from F(p) as defined in (1).

(b) GenerateXji ∈ 0,1 usingP(Xji = 1) = pi .

3. Distribution/Detection/AccusationFor each positioni ≥ 1:

(a) Send to each active userj symbolXji .

(b) Detect the pirate outputyi .(If there is no pirate output, terminate.)

(c) Calculate scoresSji using (4).

(d) For active usersj and valuesc such thatpi ∈ [δ (c),1−δ (c)], setS(c)j (i) = S(c)j (i −1)+Sji .

(Otherwise setS(c)j (i) = S(c)j (i −1).)

(e) For values ofc such that pi ∈ [δ (c),1 − δ (c)], sett(c)(i) = t(c)(i −1)+1.(Otherwise sett(c)(i) = t(c)(i −1).)

(f) Disconnect all active usersj with S(c)j (i) > Z(c) and

t(c)(i)≤ ℓ(c) for somec.

As was already mentioned in Section 3.1, if desiredthe codeword generation can be merged with the distribu-tion/detection/accusation phase. This depends on the scenario andthe exact implementation of the scheme.

Also note that in the above construction, no bounds oni andcare given. If we run the above scheme forever, we will eventu-ally catch any coalition of any size. In practice one may chooseto use some upper boundc0 on the size of any coalition (in theworst case:c0 ≤ n), and only keep scores for 2≤ c≤ c0. In thatcase, drawing valuespi from Fδ (c0) also makes more sense, as val-

uespi /∈ [δ (c0),1−δ (c0)] would be disregarded for all 2≤ c≤ c0.So while the construction given above is the theoretical solutionto catch arbitrary large coalitions, we can also construct an effi-cient scheme to catch coalitions of size at mostc0 from the abovescheme by making these small adjustments.

9

5.2 Soundness

For the universal Tardos scheme we prove the following resultregarding soundness.

Theorem 3. Consider the universal Tardos scheme in Sub-section 5.1. If (S’) is satisfied for each set of parameters

d(c)z ,d(c)

ℓ ,d(c)δ ,ε(c)1 , and if theε(c)1 satisfy the following require-

ment:∞

∑c=2

ε(c)1 ≤ ε1, (E)

then the scheme isε1-sound.

Proof. For eachc≥ 2, letC(c) be the set of users that are accusedbecause their scoresS(c)j exceededZ(c) beforet(c) > ℓ(c). Then

C =⋃∞

c=2C(c). For any fixedc, we can then apply Theorem 1 to

the parametersd(c)ℓ ,d(c)

z ,d(c)δ ,a(c) andε(c)1 so that we know that

the probability thatj ∈ C(c) for innocent usersj is at mostε(c)1 /n.So the probability that an innocent user is disconnected is thenbounded from above by

P( j ∈ C)≤∞

∑c=2

P( j ∈ C(c))≤∞

∑c=2

ε(c)1

n≤ ε1

n.

The result then follows.

Note that one can choose valuesε(c)1 satisfying (E) such

that O(c2 ln(n/ε(c)1 )) = O(c2 ln(n/ε1)), e.g. by takingε(c)1 =6ε1/(π2c2). If furthermore c2 = o(n), then it also follows

thatdℓc2 ln(n/ε(c)1 ) = dℓc2 ln(n/ε1)(1+o(1)) and we achieve thesame asymptotic codelength as in the static and dynamic Tardosschemes.

5.3 Dynamic completeness

Theorem 4. Consider the universal Tardos scheme in Sub-section 5.1. If (C’) is satisfied for each set of parameters

d(c)z ,d(c)

ℓ ,d(c)δ ,ε(c)1 ,η(c), whereη(c) = ln(1/ε2)/ ln(n/ε(c)1 ), then

for each c≥ 2 the scheme is dynamic(ε2,c)-complete.

Proof. This follows directly from applying Theorem 2 to

d(c)ℓ ,d(c)

z ,d(c)δ ,a(c) andε(c)1 , wherec is the actual (unknown) coali-

tion size.

To prove that the scheme catches a coalition of sizec, weonly argue that the coalition’s scoreS(c)(i) will exceedcZ(c) be-fore we have seenℓ(c) positions withδ (c) ≤ pi ≤ 1− δ (c). Inreality, the probability of catching the coalition is much largerthan this, since e.g. with high probability their scoreS(c−1) willalso exceedZ(c−1) before we have seenℓ(c−1) positions withpi ∈ [δ (c−1),1− δ (c−1)]. And if a pirate is disconnected becausehis score exceeded some thresholdZ(k), then we do not have towait untilS(i)> cZ(c) but only untilS(i)> (c−1)Z(c)+Z(k). AndsinceS(i)/c has a constant slope, as soon as a pirate is caught,the other pirates’ scores will increase even faster. In practice wetherefore also see that we usually need fewer thanℓ(c) useful po-sitions to catch a coalition of sizec.

5.4 Codelengths

The theoretical results from the previous subsections are not forexactlyℓ(c) watermark positions, but for some number of symbolsT(c) such that there areℓ(c) positionsi with pi ∈ [δ (c),1− δ (c)]by then. The differenceT(c) − ℓ(c) is a random variable, and isdistributed according to a negative binomial distributionwith pa-rametersr = ℓ(c) (the number of successes we are waiting for) andp= 1−P(pi ∈ [δ (c),1−δ (c)]) = 4

π arcsin(√

δ (c)) (the probabilityof a success). Because the parameterp= O(c−2/3) is very smallfor largec, the difference betweenT(c) andℓ(c) will also be small.More precisely,T(c) has meanℓ(c)/(1− p) = ℓ(c)(1+O(c−2/3))and varianceσ2 = ℓ(c)p/(1− p)2 = O(ℓ(c)c−2/3), and the proba-bility that T(c) exceeds its mean bym> 0 decreases exponentiallyin m.

Also note that if some upper boundc0 ≥ c is used for construct-ing the scheme as described earlier, then since the values ofpi aredrawn fromFδ (c0) we haveT(c0) = ℓ(c0), as no values ofpi aredisregarded forc= c0. So then the maximum codelength is fixedin advance, at the cost of possibly not catching coalitions of sizec> c0.

Finally, note that this scheme is constructed in such a waythat coalitions of any (small) size can be caught more efficiently.To catch a coalition of sizec we now only useO(c2 ln(n/ε1))symbols. This in comparison to the static and dynamic Tardosscheme, where we needO(c2

0 ln(n/ε1)) andO(cc0 ln(n/ε1)) sym-bols respectively, wherec0 is again some upper bound on thecoalition size used to construct the schemes. So while usingthedynamic Tardos scheme already reduces the codelength by a fac-tor c

c0, the universal Tardos scheme further reduces the codelength

by another factorcc0.

5.5 Example

As before, let the scheme parameters be given byc= 25,n= 106

and ε1 = ε2 = 10−3. Let us takec0 = 25, and useFδ (c0) for

generating values ofpi . Let us also useε(c)1 = 6ε1/(π2c2),

so that ∑c0c=2 ε(c)1 ≤ ∑∞

c=2 ε(c)1 ≤ ε1. The optimal values of

d(25)ℓ ,d(25)

z ,d(25)δ satisfying (S’) and (C’) can be calculated numer-

ically as

d(25)ℓ = 8.59, d(25)

z = 4.61, d(25)δ = 13.83.

Forc= 25, this leads to the scheme parameters

ℓ(25) = 148457, Z(25) = 3188, δ (25) = 9.89·10−4.

In Fig. 5 we show some simulation results for these parameters.In Fig. 5a we simulated pirates using the interleaving attack, andin Fig. 5b the pirates used the scapegoat strategy. As one cansee, in the universal Tardos scheme the scapegoat strategy is nota good strategy, as the whole coalition is caught sooner.

6 Discussion

Comparing the universal scheme to the static scheme, we see thatthe main advantages are that (a) we now have certainty about

10

ZH25L= 3188

H2

5L=

148

157

i=86

432

0 50 000 100 000 150 000-2000

-1000

0

1000

2000

3000

4000

i

S

jHiL

(a) Interleaving attack

ZH25L= 3188

H2

5L=

148

157

i=33

744

0 50 000 100 000 150 000-2000

-1000

0

1000

2000

3000

4000

i

S

jHiL

(b) Scapegoat strategy

Figure 5: Simulations of the universal Tardos scheme, with parametersc = 25,n = 106 andε1 = ε2 = 10−3. In Fig. 5a the pirates used the interleaving attack,whereas in Fig. 5b they used the scapegoat strategy. For eachpirate j we only

show the scoreS(c)j (i) which got him disconnected.

catching the whole coalition instead of at least one pirate,and (b)we no longer need the coalition sizec, or a sharp upper bound onthe coalition size as input. We do need to keep multiple scores peruser, namely one for each possible coalition sizec, so therefore inpractice one will in fact use some upper boundc0 on the coalitionsize, and keep scores for valuesc with 2 ≤ c ≤ c0 for somec0.But since the only disadvantage of a largec0 is a large numberof scores per user (which may not be an issue),c0 can easily bemuch higher than the expected coalition size. This in contrast tothe static and dynamic Tardos schemes, where an increase inc0

means an increase inℓ as well.

In Table 1 we list some of the differences between the static,dynamic, semi-dynamic and universal Tardos schemes. Here weassume that the upper boundc0 on the number of colluders isthe same for each scheme. The actual coalition size is denotedby c. The example referred to in the table is the example used

throughout this paper, withc= c0 = 25, n= 106, andε1 = ε2 =10−3. The practical codelengths are based on 1000 simulationsfor each scheme, where the pirates used the interleaving attack inall cases. For the semi-dynamic Tardos scheme we usedB= 8 inour example.

Since the scheme is a dynamic traitor tracing scheme, italso makes sense to compare it to other dynamic traitor tracingschemes from literature. The deterministic scheme of Fiat andTassa from [4] has a codelength ofℓ = O(clog2(n)) but an al-phabet size ofq = 2c+ 1. In [1], Berkman et al. studied deter-ministic schemes with slightly smaller alphabet sizes (q= c+1)leading to an algorithm usingℓ=O(c2+clog2(n)) symbols, with“large hidden constants”. Finally, in [9] Tassa investigated aprobabilistic binary (q = 2) dynamic traitor tracing scheme, buthis codelengthsℓ= O(c4 log2(n) ln(n/ε1)) are more than a factorO(c2) larger than the codelengths of the universal Tardos scheme.Furthermore, if we look at other properties of these dynamicschemes, we see that the universal Tardos scheme has some niceproperties. Most of these properties are inherited from thestaticTardos scheme, and we list some of them below.

Symbols are always taken from a small alphabet. This is anadvantage compared to the schemes of Fiat and Tassa [4] andBerkman et al. [1], which used alphabets of sizeq= 2c+1 andq= c+1 respectively.

Codewords of users are independent. This means that fram-ing a specific user is basically impossible, as the codewordsofthe pirates and the pirate output are independent of the innocentusers’ codewords. Also, a new user can be added to the systemeasily after the codewords of other users have already been gen-erated, since the codewords of other users then do not have tobeupdated.

Codewords positions are independent. In other words, thescheme does not make use of the information obtained from pre-vious pirate output for generating new symbols for each user.Therefore the codewords can all be generated in advance, andcaneven be stored at the client side. The security solely depends onthe marking assumption, so pirates are even allowed to learnthevalues ofpi . Furthermore this also allows us to effectively tacklesemi-dynamic traitor tracing scenarios, as described in Section 4,which is impossible for Fiat and Tassa’s scheme and Berkman etal.’s schemes. Without making changes to their schemes, theircodelengths would simply increase by a factorB.

The distribution of watermark symbols is identical for eachposition. This property offers new options, like tracing severalcoalitions simultaneously, using the same traitor tracingcode.This also means that multiple watermarks from several broadcastscan be concatenated and viewed as one long watermark from onelonger broadcast, allowing one to catch large coalitions with mul-tiple watermarked broadcasts.

11

Table 1: A comparison of the Tardos schemes discussed in thispaper.

static dynamic semi-dynamic semi-dynamic universal(Section 2) (Section 3) (Section 4.1) (Section 4.2) (Section 5)

scores per user 1 1 1 1 c0

density function f (c0) f (c0) f (c0) f (c0) f (c0)

blocks 1 of sizeℓ ℓ of size 1 ℓ/B of sizeB ℓ/B of sizeB ℓ of size 1guilty caught at least 1 allc all c all c all cexpected codelength O(c2

0 ln(n/ε1)) O(cc0 ln(n/ε1)) O(cc0 ln(n/ε1)) O(cc0 ln(n/ε1)) O(c2 ln(n/ε1))

asymptotic codelength π2

2 c2 ln(n/ε1)π2

2 c2 ln(n/ε1)π2

2 c2 ln(n/ε1)π2

2 c2 ln(n/ε1)π2

2 c2 ln(n/ε1)example, theoretical codelength 109585 116561 116761 131587 148457example, practical codelength 109585 92000 92000 96000 89000

The codeword generation and accusation algorithm are com-putationally and memory-wise efficient. Our scheme does notrequire any complicated data structures, and the only memoryneeded during the broadcast is the scores for each user at thattime, and the counterst(c). During the broadcast only simple cal-culations are needed: computingSji (which has to be calculated

only once), addingSji to those scoresS(c)j wherec satisfies a cer-

tain condition, and comparingS(c)j againstZ(c).

Several instances of the scheme with different parametersε1

can be run simultaneously. For example, by using parameters

ε(c)1 with ∑ε(c)1 ≤ 0.01 andε(c)1 with ∑ ε(c)1 ≤ 0.05 for twodifferent instances of the universal Tardos scheme (using the samecodewords), a pirate will first cross one of the thresholds associ-ated toε1, and only later cross one of the thresholds associatedto theε1. If we use theε1 for disconnecting users, then evenbefore a user is disconnected, we can give some sort of statisticto indicate the ‘suspiciousness of this user. If a user then doesnot cross the highest thresholds, one could still decide whether todisconnect him or not. After all, the choice ofε1 may be a bit arbi-trary, and a user which almost but not quite crosses the thresholdsZ(c) is probably guilty as well.

7 Open problems

The universal Tardos scheme has two minor drawbacks. First,wehave to keep multiple scores for each user, namely for each pos-sible coalition sizec, and secondly, part of the data is disregardedfor each value ofc. To address these issues, one could for exam-ple try adjusting the universal Tardos scheme, or start fromthedynamic Tardos scheme and build a new,c-independent traitortracing scheme. Below we present some ideas, which seem towork in practice, but for which rigorously proving soundness andcompleteness seems hard.

7.1 The queue Tardos scheme

One possible modification is the following. Instead of using“bad” values of pi early on in the broadcast, i.e. using val-ues of pi which are not betweenδ (c) and 1− δ (c) at positionsi ∈ 1, . . . , ℓ(c), we temporarily store those values ofpi in queues

Q3,Q4, . . ., wherepi gets stored in queueQc iff pi ∈ (δ (c),δ (c−1)]or pi ∈ [1− δ (c−1),1− δ (c)). After ℓ(c) positions, forc ≥ 2 wethen empty the queueQc+1 by using these values as the next val-ues ofpi for i ∈ ℓ(c)+ 1, . . . , ℓ(c) + |Qc+1|. Doing this for allvalues ofc, we get that allpi , for i ∈ 0, . . . , ℓ(c), are betweenδ (c) and 1−δ (c). So instead of disregarding data and using multi-ple scores, we can just use the traditional dynamic Tardos scoringsystem on all positions sequentially. This scheme seems to workwell in practice, but proving soundness and completeness seemshard. A further possible drawback is the fact that thepi are nowno longer universally distributed according toF for eachi ≥ 1,which makes it harder to efficiently concatenate multiple codes orcatch multiple coalitions simultaneously.

7.2 The staircase Tardos scheme

Similar to the above, one could try abolishing the whole queue-system, and simply generatepi according to density functionsin such a way that the overall distribution on[1, ℓ(c)] is f (c) foreachc. First, we simply usef (1) for i ∈ 1, . . . , ℓ(2). Nowto get an “average” distribution off (c) on the whole inter-val i ∈ 1, . . . , ℓ(c) for eachc ≥ 2, we use f (c) = (ℓ(c) f (c) −ℓ(c−1) f (c−1))/(ℓ(c)− ℓ(c−1)) as the density function for positions

i ∈ ℓ(c−1)+ 1, . . . , ℓ(c), so thatℓ(c) f (c) = ℓ(c−1) f (c−1) +(ℓ(c)−ℓ(c−1)) f (c). For c ≥ 3 we see thatf (c)(p) ≥ 0 for all p, so thatthese functions are indeed proper probability density functions.This scheme seems to work in practice as well, but to prove com-pleteness seems hard. Using the standard proof method does notwork here, as for that we need that allpi are generated using thedensity functionf (c). And again, a possible drawback of thisscheme is that the distribution of the values ofpi is not identi-cal for eachi, and so concatenating multiple codes may not bepossible anymore.

7.3 The continuous Tardos scheme

Looking at Fig. 5 suggests that a continuous threshold functionZ(i) might also be an option, withZ depending on the positioniinstead of on the possible coalition sizec. However, for the proofof soundness of the universal Tardos scheme we simply added upthe error probabilities for each threshold, and by scaling each er-ror probability with a factor 1/c2, the total soundness error prob-ability could be bounded byε1. If we use a continuousZ(i) and

12

use this same proof method, we would have to add upO(c2) ofthese error probabilities, leading to even smaller values of ε(i) andslightly longer codelengths. Theoretically it would be interestingto see if such a continuous threshold function is feasible.

7.4 Theq-ary dynamic Tardos scheme

Finally, one can try to generalize these results to higher alpha-bet sizesq > 2. In this paper we only used the binary alphabet,since we could then use the results from [6]. One could try togive a similar analysis for higher alphabet sizes, possiblyby us-ing results from [7]. This could lead to even shorter codelengthswith smaller constantsdℓ, although the codelength will still sat-isfy ℓ= O(c2 ln(n/ε1)).

References

[1] O. Berkman et al., “Efficient Dynamic Traitor Tracing,”SIAM J. Comput., vol. 30, no. 6, pp. 1802–1828, 2001.

[2] O. Blayer and T. Tassa, “Improved Versions of Tardos’ Fin-gerprinting Scheme,”Des. Codes Cryptogr., vol. 48, no. 1,pp. 79–103, 2008.

[3] D. Boneh and J. Shaw, “Collusion-Secure FingerprintingforDigital Data,” IEEE Trans. Inform. Theory, vol. 44, no. 5, pp.1897–1905, 1998.

[4] A. Fiat and T. Tassa, “Dynamic Traitor Tracing,”J. Cryptol-ogy, vol. 14, no. 3, pp. 211–223, 2001.

[5] T. Laarhoven, “Collusion-Resistant Traitor TracingSchemes,” M.Sc. thesis, Dept. Math. Comp. Sc., Eind-hoven Univ. Techn., Eindhoven, The Netherlands, July2011.

[6] T. Laarhoven and B. de Weger, “Optimal Symmetric TardosTraitor Tracing Schemes,” submitted for publication. Avail-able: http://arxiv.org/abs/1107.3441.

[7] B. Skoricet al., “Symmetric Tardos Fingerprinting Codes forArbitrary Alphabet Sizes,”Des. Codes Cryptogr., vol. 46, no.2, pp. 137–166, 2008.

[8] G. Tardos, “Optimal Probabilistic Fingerprint Codes,”Proc.35th ACM Symp. on Theory of Computing, 2003, pp. 116–125.

[9] T. Tassa, “Low Bandwidth Dynamic Traitor TracingSchemes,”J. Cryptology, vol. 18, no. 2, pp. 167–183, 2005.

13