IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 57, NO. 2, FEBRUARY 2011
Identifying Traitors Using the Koetter–Vardy Algorithm
Marcel Fernández, José Moreira, and Miguel Soriano
Dedicated to the memory of Ralf Koetter (1963–2009)
Abstract—This paper deals with the use of the Koetter–Vardy soft-decision decoding algorithm to perform identification of guilty users in traitor tracing and fingerprinting schemes. In these schemes, each user is assigned a copy of an object with an embedded codeword. Placing different codewords in different copies makes each copy unique and at the same time allows unique identification of each user. The weakness of these schemes comes in the form of a collusion attack, where a group of dishonest users get together and, by comparing their copies, they create a pirate copy that tries to hide their identities. The concern of the paper is restricted to traitor tracing and fingerprinting schemes based on Reed–Solomon codes. By using the Koetter–Vardy soft-decision decoding algorithm as the core part of the tracing process, three different settings are approached: tracing in traceability codes, tracing in identifiable parent property codes and tracing in binary concatenated fingerprinting codes. It is also discussed how by a careful setting of a reliability matrix all possibly identifiable users can be found.
Index Terms—Collusion-secure fingerprinting, identifiable parent property, list decoding, soft-decision decoding, traceability property.
I. INTRODUCTION
DATA communication networks allow the delivery of “digital goods” that are not even contained in a physical support. Once a buyer has received the content, he is free to store it in the physical support of his choice. Of course, he is also free to make as many (inexpensive) copies of the content as he wishes. This copying and storing easiness constitutes a severe threat to authorship and distribution rights. The mechanisms used in protecting intellectual property can be classified into two groups: copy prevention and copy detection mechanisms. The failure of copy prevention mechanisms, such as the DVD copy prevention system, has shifted many
Manuscript received April 15, 2010; revised October 31, 2010; accepted November 05, 2010. Date of current version January 19, 2011. This work was supported (in part) by the Spanish Research Council (CICYT) through Project TEC2008-06663-C03-01 (P2PSec), by the Spanish Ministry of Science and Education through Project CONSOLIDER CSD2007-00004 (ARES), and by the Catalan Government under Grant 2009 SGR 1362. This paper is part of the special issue on “Facets of Coding Theory: From Algorithms to Networks,” dedicated to the scientific legacy of Ralf Koetter. M. Fernández and J. Moreira are with the Department of Telematics Engineering, Universitat Politècnica de Catalunya (UPC), 08034 Barcelona, Spain. M. Soriano is with the Department of Telematics Engineering, Universitat Politècnica de Catalunya (UPC), 08034 Barcelona, Spain, and the Centre Tecnològic de Telecomunicacions de Catalunya (CTTC), 08860 Castelldefels (Barcelona), Spain. Communicated by A. Vardy, Associate Editor for the special issue on "Facets of Coding Theory: From Algorithms to Networks." Digital Object Identifier 10.1109/TIT.2010.2095194
research efforts towards the search of feasible copy detection mechanisms. Usually, these mechanisms of copy detection are grouped under the name of fingerprinting [1], [2]; see also the tutorial paper [3]. The essential idea in a fingerprinting scheme consists of embedding, in an imperceptible way, a different set of marks in each copy of a digital object, thus making each copy unique. It is clear that, thanks to the embedding, the users of the object are unambiguously identified in case of an illegal redistribution. The sets of marks assigned to the users are known as fingerprinting codes. Unfortunately, fingerprinting schemes suffer from the following weakness. Suppose that a group of dishonest users get together and compare their copies. Since they can detect the symbols where their copies differ, they are able to generate a new hybrid copy, called pirate copy, that tries to hide their identities. What is worse, the pirate copy could also incriminate an innocent user. The generation of the pirate copy by the dishonest users is called a collusion attack. Therefore, a proper fingerprinting scheme should protect the innocent users and allow the identification of dishonest users that are part of a collusion attack. This identification can be accomplished if the sets of marks embedded in each copy of the digital object are the codewords of a code with tracing capabilities. In a collusion attack by a certain coalition of dishonest users, we will call the colluders traitors or parents, and we will call the copy that the traitors generate a pirate or a descendant. Let be a code and let with . Let be a word that is a “combination” of the codewords in . Then is a descendant of and the codewords in are the parents of . The rules for this “combination” of codewords and the reason of the terms parent and descendant will be made precise in Section II. 
If is a -identifiable parent property (IPP) code [4], [5], then all coalitions of size at most that can create a given descendant have a non-empty intersection. If is a -traceability (TA) code [5], then, given a descendant, one of its parents is the closest codeword to it in terms of Hamming distance. In the binary case, that is, when the codewords contain symbols from an alphabet of size 2, it can be shown that there are no -IPP or -TA codes. Therefore, the tracing process is always subjected to a certain error probability . In this case, we will call these codes -secure with error. Often, -IPP or -TA codes are used as outer codes in concatenated fingerprinting codes [6]–[8], but they also have an important application in traitor tracing schemes [9], [10]. This connection was already pointed out in the seminal paper by Boneh and Shaw [7], [8]. As an example, we can consider pay-TV systems,
where each authorized user is given a set of keys that allows him to decrypt the content. These keys are usually contained in a decoder box. In this case, in a collusion attack, the traitors combine some of their keys to construct a pirate decoder. If the pirate decoder is found, a traitor tracing scheme allows the distributor to identify at least one of the guilty users, using the keys inside the decoder. A key issue in any kind of code with tracing capabilities is the identification process. One can view the result of a collusion attack as a “transmission through” a noisy channel. In this case, the descendant is a corrupted version of the parents. To trace the parents one has to “correct” a large number of errors. In [11], [12] Silverberg, Staddon and Walker apply techniques that correct errors beyond the error-correction bound of the code to the tracing process in -TA and -IPP codes. The idea of correcting errors beyond the correcting capabilities of the code can be summarized as follows. In a code with minimum distance , if in the transmission of a codeword the number of errors is greater than , then there can be more than one codeword within distance from the received word and the decoder may either decode incorrectly or fail to decode. This leads to the concept of list decoding [13], [14], where the decoder outputs a list of all codewords within distance of the received word, thus offering a potential way to recover from errors beyond the error-correction bound of the code. Although the concept of list decoding was proposed in the 1950’s, for the case of Reed–Solomon codes no polynomial-time list-decoding algorithms were obtained until the breakthrough work presented by Sudan in 1997 [15]. For codes of rate greater than , the output list in the original work of Sudan has size 1. However, Guruswami and Sudan overcome the rate limitation in another milestone paper [16], [17].
In soft-decision decoding, the input to the decoder is a reliability matrix that indicates for each position the probability that a given alphabet symbol was sent. Using this side information, the soft-decision decoder estimates the sent codeword. Building from the results of Guruswami and Sudan, in [18], [19] Koetter and Vardy present a polynomial-time soft-decision decoding algorithm for Reed–Solomon codes. This list-decoding algorithm is algebraic in nature and significantly outperforms both the Guruswami–Sudan decoding and the generalized minimum distance decoding of Reed–Solomon codes.
A. Our Results
In this paper we discuss the application of the Koetter–Vardy soft-decision decoding algorithm for the identification process in -TA codes, -IPP codes and binary concatenated fingerprinting codes. The -TA Tracing Algorithm consists of searching for a list of at most codewords that contains parents of a given descendant. On the other hand, the IPP Tracing Algorithm consists of finding all coalitions of size at most that can generate a given descendant. Finally, we deal with binary -secure codes with error. In this case, the construction that we discuss is based on code concatenation and the tracing algorithm consists of searching for the codewords that can be identified with probability at least as parents of a given descendant. In all three cases, we take full advantage of the possibility of having as input a reliability matrix by making the Koetter–Vardy algorithm the core part of the tracing process. As said before, in [11], [12] the authors use the Guruswami–Sudan list-decoding algorithm in the TA and IPP Tracing Algorithms. However, in the case of the TA Tracing Algorithm their approach is only optimal when all parents (traitors) contribute equally to the construction of the pirate, and there is no guarantee to find more than one parent. In case of the IPP Tracing Algorithm in order to find all coalitions that can generate a given pirate they have to puncture the code. In the TA Tracing Algorithm, we show how by setting up the entries of the reliability matrix with appropriate values, traitors can be identified in polynomial time in the length of the code. For Algebraic-Geometric codes, a similar approach is made in [20]. For the TA Tracing Algorithm, we also discuss an upper bound on the interpolation cost of the Koetter–Vardy algorithm. In the case of the IPP Tracing Algorithm we present a straightforward algorithm that finds all coalitions capable of creating a given descendant. We discuss how, thanks to the Koetter–Vardy algorithm, the results in [11], [12] can be extensively improved. To improve the rate of binary fingerprinting codes, many constructions [6]–[8] have used code concatenation [21], where the inner code is a binary code with some error probability . When the outer code is a Reed–Solomon code, we discuss generic constructions of such codes, equipped with a tracing routine that uses the Koetter–Vardy algorithm. In this case, we will show that even a suboptimal setting of the entries of the Koetter–Vardy algorithm suffices for our purposes.
II. DEFINITIONS AND PREVIOUS RESULTS
Let be the finite field of elements and let be two words. The (Hamming) distance between and is denoted by . An -code is a block code over of length with codewords. An -code is a linear code over of length , dimension and minimum distance .
We will drop from the notation whenever the ground field is irrelevant or it is clear from the context. A well-known class of linear codes are Reed–Solomon codes [22], [23], that can be defined as follows.
Definition 1: Let be a primitive element of . The Reed–Solomon code of length and dimension over , , is defined as the following vector subspace of :
where is the ring of polynomials over of degree less than . Recall that Reed–Solomon codes are maximum distance separable (MDS) codes, since they meet the Singleton bound [24], and hence they have minimum distance . Let be any subset of codewords of an -code. Assume that . We say that position is undetectable if . By comparing the codewords , a word , called a descendant, can be constructed according to the following rules. 1) For every undetectable position , there is no possible choice and hence .
2) For the rest of positions ( is not an undetectable position), a choice can be made among the symbols , therefore . The set of descendants of , denoted by , is defined as
In this case the codewords in the set are called the parents of . Rule 2) above can be modified, in order to allow positions to be erased: 2’) For the rest of positions ( is not an undetectable position), we can either choose one of the symbols or erase the position, therefore . The symbol “ ” denotes an erasure. Then we can define the extended set of descendants of as
Also, given a code we denote by the -descendant code of [5], defined as
where is the set of all coalitions in containing at most codewords. Note that obtaining a descendant from a set of parents models the situation of the collusion attack described in Section I, the descendant being the word in the pirate copy and the parents being the codewords of the traitors.
Definition 2 ([9], [10]): A code is a -traceability (TA) code, for , if for all subsets (coalitions) of at most codewords, if , then there exists a such that for all . The result in the following theorem first appeared in [9].
Theorem 1 ([9], [10]): Let be an -code. If , then is a -TA code. In [25], Definition 2 and Theorem 1 are extended for the case of erasure tolerance.
Definition 3 ([25]): A code is a -TA code tolerating erasures, for , if for all subsets (coalitions) of at most codewords, if with no more than erasures, then there exists a such that for all .
Theorem 2 ([25]): Let be an -code. If , then is a -TA code tolerating s erasures.
Definition 4 ([4], [5]): A code is a -identifiable parent property (IPP) code, for , if for all it holds that
In [5] it is shown that a -TA code is a -IPP code. In general, the converse is false. However, it is conjectured that for Reed–Solomon codes the converse is true [11], [12]. It is obvious that in the context of digital content distribution the codes of interest are those defined over . Unfortunately, there are no -IPP codes (and hence, no -TA codes) over for [5]. This means that, except for the trivial case , there are no binary -IPP or -TA codes. In this case, the identification requirements must be relaxed and allow for some error probability in the outcome of the tracing process. In order to achieve an error probability as small as desired a single code is not sufficient and a family of codes is needed [6]–[8], [26]. We denote such a family of codes as , where is a finite set. Moreover, randomness is required in the following sense: the family is publicly known, but the specific code used is chosen at random from the codes in with probability and this choice is kept secret. In this paper we will assume that for all . The elements in the set are usually called keys. For a given family of codes to achieve exponential decline of the error probability, the number of keys must grow exponentially with the length of the code [6]. Together with the family of codes we need decision rules to be applied in the tracing process. For a family of binary fingerprinting codes , a tracing algorithm is a function from the Cartesian product of the set of descendants and the set of keys to the subsets of codewords (coalitions) of the codes in : (1) where is defined as the set
It is clear that for a given pair the output of will lie in . Note that we have only considered the case when erased positions are not allowed in the pirate copy. This is because, for families of binary fingerprinting codes, the error probability remains the same even if erasures are allowed [6].
Definition 5 ([7], [8]): Let be a finite set of elements called keys. A family of binary fingerprinting codes , is -secure with -error, for , if there exists a tracing algorithm of the form (1) that satisfies the following condition: if a coalition of size at most creates a descendant , then
where the probability is taken over the random choices made by the coalition when creating the descendant and over the keys .
III. THE KOETTER–VARDY SOFT-DECISION DECODING ALGORITHM
In this section we give a brief overview of the Koetter–Vardy soft-decision decoding algorithm presented in [18]. Recall that for a code of minimum distance , if the number of errors is greater than , then there can be more than one codeword within distance from the received word. In this
situation, a list-decoding algorithm [13], [14], [16]–[19] outputs a list of all codewords within distance of the received word. In soft-decision decoding, the decoding process takes advantage of “side information” generated by the receiver and instead of using the received word symbols, the decoder uses probabilistic reliability information about these received symbols. A discrete memoryless channel can be defined as two finite sets and , called the input alphabet and output alphabet respectively, and functions
where . We suppose that these functions are known to the decoder. If we see the input and the output of a discrete memoryless channel as random variables and , respectively, and we suppose that is uniformly distributed over , then the decoder can compute the probability that was the transmitted symbol given that was observed as
(2)
For the case of Reed–Solomon codes where the input alphabet is , we take as the ordering of the elements of . If vector is received, then using (2) the following values can be computed:
(3)
These values are the entries of a matrix, called the reliability matrix and denoted by , which is the input to the Koetter–Vardy algorithm. We are interested in knowing what codewords the Koetter–Vardy algorithm will return. With this aim, given two matrices and over the same field, the following product is defined:
(4)
Also a word over can be represented by the matrix . The entries are defined as follows: if otherwise.
Finally, before describing the Koetter–Vardy algorithm, we recall that if is a bivariate polynomial , the -weighted degree of is defined as . With these definitions in mind, we briefly outline the Koetter–Vardy algorithm. For a detailed description see [19].
1) Compute, using the reliability matrix , a multiplicity matrix using a multiplicity-assignment algorithm that maximizes the expectation of , where is the transmitted codeword.
2) Interpolation step: From the multiplicity matrix , compute a bivariate polynomial with minimum -weighted degree such that for every nonzero it has a zero in the point of multiplicity at least . Here, is the evaluation point of the Reed–Solomon code for the th position.
3) Factorization step: Find all the univariate polynomials such that divides . The output of the algorithm are the codewords generated by every .
It is worth noting here that in the interpolation step each interpolation point imposes a set of linear constraints on the construction of . Hence, for a given multiplicity matrix the total number of linear constraints imposed on the interpolation polynomial is
(5)
This value is referred to in the literature as the interpolation cost, since it has a direct impact in both the outcome and the runtime of the interpolation process. In [19], Koetter and Vardy state the following theorem.
Theorem 3 ([19]): If codeword is transmitted, word is received and the reliability matrix is constructed according to (3), then the Koetter–Vardy soft-decision decoding algorithm outputs a list that contains the transmitted codeword if (6) where is a function that tends to zero when the number of interpolation points counted with multiplicities (and hence, the interpolation cost) is taken to infinity.
A. Performance of the Koetter–Vardy Algorithm for the -Ary Symmetric Channel
The performance of the Koetter–Vardy algorithm can be improved for certain channels including the -ary symmetric erasure channel. A -ary symmetric erasure channel with error probability , erasure probability , input alphabet and output alphabet , can be characterized as an transition probability matrix . If the rows are indexed by , and the columns by , then the transition probability matrix has the following expression: if if otherwise. To construct the reliability matrix , suppose that codeword is transmitted and word is received. Then we have
where, in this case,
is the
matrix defined as if if otherwise
and is the all-one matrix. If we suppose that erasures and errors occurred during the transmission, then using the matrix product defined
in (4) and Theorem 3, we have that the Koetter–Vardy algorithm will output codeword if (7) In the rest of the paper we will need to maximize the number of errors that the Koetter–Vardy algorithm can correct. To make matters worse, in the settings in which we will use the Koetter–Vardy algorithm the channel parameter will be unknown. This is due to the fact that will depend on the strategy of a coalition of traitors performing a collusion attack. Therefore, given the code parameters, we are free to choose the value of and it is clearly convenient to choose the one that maximizes the left-hand side of (7). According to [27], intuitively this corresponds to maximizing the left-hand side of (7) with respect to the worst channel that the Koetter–Vardy algorithm can still handle for a given code rate. This value is
(8) For this value of , (7) remains valid and it reduces to
(9)
This means that if upon receiving a word , symbols have been erased, then for every value of that satisfies (9) the Koetter–Vardy algorithm will output codeword . Therefore the algorithm can handle erasures and errors.
IV. THE TA TRACING ALGORITHM
In this section we focus on the decoding of -TA Reed–Solomon codes using the Koetter–Vardy algorithm. We followed a similar approach for Algebraic-Geometric codes in [20]. For a -TA Reed–Solomon code tolerating erasures, the goal of the TA Tracing Algorithm is to output a list of size at most that contains as many parents of a given descendant as possible. One cannot expect to find all parents, since some of them may contribute with too few positions and cannot be identified. This happens, for example, when a parent contributes with no more than positions. We begin with the following proposition.
Proposition 1: Let be a -TA -code with minimum distance tolerating erasures, and let be a descendant of some coalition of size at most . If a codeword agrees in at least unerased positions with , then belongs to all coalitions of size at most that are able to generate .
Proof: If the code has minimum distance , then two codewords can agree in at most positions. Therefore a coalition of size is able to create a descendant that agrees in at most positions with any other codeword outside the coalition. Hence, if there exists a codeword that agrees with in at least positions, then this codeword must be unique. Therefore belongs to all coalitions of size at most that are able to create .
TA Tracing Algorithm
Initial ordering of the elements of :
Input: : maximum size of the coalition. : maximum number of erased positions in . : a code with minimum distance . : a descendant in , with .
Output: A list of all TA-parents of , :
1) Initially set . .
2) Compute the reliability matrix where, for and if if and otherwise, using the error parameter with
3) Plug the matrix into the Koetter–Vardy algorithm and, from the output list, take the set of all codewords that agree with in, at least, positions not in . Set .
4) Set
5) If or if or if , output and quit. Else go to Step 2).
Corollary 1: Let be a -TA -code with minimum distance tolerating erasures, and let be a descendant of some coalition of size at most . Furthermore, assume that has at most positions erased. Let be already identified parents that lie in the intersection of all coalitions of size at most that are able to create :
If these parents jointly match less than positions of , then any codeword that agrees with in at least of the unmatched positions also lies in the intersection. We now have the following definition.
Definition 6: Let be a -TA code tolerating erasures and let be a descendant of some coalition of size at most . We call the set of codewords satisfying the conditions of Proposition 1 and Corollary 1 the set of TA-parents of , denoted by .
Based on the Koetter–Vardy algorithm, the key idea of the TA Tracing Algorithm is described in Corollary 1. Given a descendant , there is no side information available. Hence, in the first iteration, the Koetter–Vardy algorithm is executed, constructing the reliability matrix as if the channel were a -ary erasure channel. The error parameter is computed according to (7) and (8). When some TA-parents are identified, their matching positions with the descendant are treated as erased positions. Again, the reliability matrix and the error parameter are computed, now considering the minimum number of positions where a TA-parent and the descendant must agree, and the Koetter–Vardy algorithm is executed. The process continues until it becomes clear that there are no more TA-parents.
A. Correctness of the Algorithm
As mentioned above, we construct the reliability matrix as if the channel were a -ary symmetric erasure channel. This type of channel is memoryless by definition. Unfortunately, in their attack, the traitors are free to use any strategy of their choice. In particular, they can compute an output symbol based on the entire set of detected symbols. For instance, equal contribution of symbols from each traitor to the descendant can be seen as a strategy with memory. Nevertheless, even if memory is used by the traitors, once a descendant has been created, the positions in which this descendant and a TA-parent disagree can be treated as “errors in a transmission”.
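The iteration described above, as an added example that is not code from the paper: an exhaustive agreement search over a toy Reed–Solomon code stands in for the Koetter–Vardy decoder, and identified parents' matching positions are masked before the next pass. Assumptions: the parameters (GF(13), n = 12, k = 3, c = 2), the evaluation points 1..12, all helper names, and the thresholds c(n − d) + 1 and (c − j)(n − d) + 1, which are worked out from the agreement argument in the proof of Proposition 1; the pirate words are constructed sample data.

```python
from itertools import product

P = 13          # toy prime field GF(13) (assumed parameter)
N = P - 1       # code length: evaluate at the nonzero field elements 1..12
K = 3           # dimension: message polynomials of degree < 3
D = N - K + 1   # Reed-Solomon codes are MDS, so d = n - k + 1 = 10
C = 2           # maximum coalition size

# Standard traceability condition from the literature, d > n(1 - 1/c^2)
# (an assumption of this example; the formula is not legible on this page).
assert C * C * D > N * (C * C - 1)


def encode(msg):
    """Evaluate the message polynomial at x = 1..P-1 over GF(P)."""
    return tuple(sum(m * pow(x, i, P) for i, m in enumerate(msg)) % P
                 for x in range(1, P))


CODE = [encode(m) for m in product(range(P), repeat=K)]  # all 13^3 codewords


def is_descendant(word, coalition):
    """Marking rules: each unerased symbol (None = erasure) must be held by
    some coalition member at that position; undetectable positions are
    therefore forced to the common symbol."""
    return all(s is None or any(cw[i] == s for cw in coalition)
               for i, s in enumerate(word))


def agreement(cw, word, positions):
    """Number of the given unerased positions where cw matches the word."""
    return sum(1 for i in positions
               if word[i] is not None and cw[i] == word[i])


def nearest_codeword(word):
    """Hard-decision view of the TA property: the closest codeword in
    Hamming distance is one of the parents."""
    return min(CODE, key=lambda cw: sum(a != b for a, b in zip(cw, word)))


def trace(word, c=C):
    """Iterative tracing. With j parents already identified, any codeword
    agreeing with the word in at least (c - j)(n - d) + 1 still-unmatched
    positions must belong to every coalition that can produce the word."""
    parents = []
    unmatched = [i for i, s in enumerate(word) if s is not None]
    while len(parents) < c:
        threshold = (c - len(parents)) * (N - D) + 1
        found = [cw for cw in CODE if cw not in parents
                 and agreement(cw, word, unmatched) >= threshold]
        if not found:
            break  # any remaining traitor contributed too few positions
        parents.extend(found)
        # Treat positions explained by an identified parent as erased.
        unmatched = [i for i in unmatched
                     if all(cw[i] != word[i] for cw in parents)]
    return parents


# Constructed sample data: two traitors whose codewords differ everywhere.
A = encode((1, 2, 3))
B = encode((5, 0, 7))
PIRATE_UNEVEN = A[:8] + B[8:]    # B supplies 4 symbols: found in pass two
PIRATE_HIDDEN = A[:10] + B[10:]  # B supplies 2 symbols: cannot be accused

if __name__ == "__main__":
    for name, w in (("uneven", PIRATE_UNEVEN), ("hidden", PIRATE_HIDDEN)):
        names = ["A" if p == A else "B" if p == B else "?" for p in trace(w)]
        print(name, "->", names)
```

In the first pirate word the second traitor falls below the first-pass threshold and only surfaces once the positions matched by the first traitor are masked; in the second word the same traitor stays below the threshold in every pass and is correctly left unaccused.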
In the rest of this section, we show that ignoring the ability of the traitors to use memory is completely safe for our purposes. Initially, the “errors in the transmission” are the number of unerased positions where a TA-parent and the descendant differ. Moreover, the set of “erased positions” contains the positions that have been erased from the descendant. Since , and since for Reed–Solomon codes , one can check from (7) that is not empty after the first iteration. This is because one TA-parent matches the descendant in at least positions. In iteration the set of erased positions is virtually augmented with the positions where the descendant coincides with some previously identified TA-parent. Note that in this iteration no TA-parent will be identified if , and that at least one TA-parent will be identified if . This leaves open an uncertainty interval
where the algorithm will output a codeword whenever its contribution satisfies the condition of Corollary 1. Note also that, within the uncertainty interval, the TA Tracing Algorithm executes the Koetter–Vardy algorithm with and hence, the decoding radius also satisfies the condition of Corollary 1.
Lemma 1: The TA Tracing Algorithm identifies all TA-parents of a given descendant.
Proof: We have to show that no TA-parent remains unidentified when the algorithm reaches a terminating condition. From Step 5) it is clear that the algorithm terminates in one of the following three cases: when , when or when . If , then we have that . This means that there are no unidentified TA-parents. If , then by Corollary 1 there cannot be any other TA-parent. Now, it is only left to show that if in iteration there are still unidentified TA-parents, then at least one of them will appear in the output list of the Koetter–Vardy algorithm. In other words, we will have that . Following the notation of Section III-B, we denote by the number of “unerased positions” in iteration , and by the number of “correct positions”, i.e., the number of unerased positions where a TA-parent and the descendant agree. In iteration there can be at most unidentified parents. We first suppose that . A TA-parent is a codeword that coincides with the descendant in unerased positions. For every TA-parent we have that
It follows that (9) is satisfied and, as a consequence, all TA-parents are returned by the Koetter–Vardy algorithm and can be identified. Now, suppose that the number of unerased positions is . In this case, there exists a TA-parent such that . For this particular TA-parent, we have that . Again, it follows that (9) is satisfied and therefore this TA-parent is identified.
B. Bounding the Interpolation Cost
In the TA Tracing Algorithm above, we have focused on the setup of the reliability matrix without taking into account the insights of the Koetter–Vardy algorithm. We have shown that all TA-parents can be traced, but at the expense of a very large and undetermined cost. In this section, we propose how to bound the interpolation cost for a practical execution of the Koetter–Vardy algorithm, ensuring that the set of TA-parents are still contained in the output list. The condition for successful tracing in the TA Tracing Algorithm is based on Theorem 3. Equation (6) implies an asymptotic performance of the Koetter–Vardy algorithm, so we have not been paying any attention to the cost of the algorithm. To introduce the cost into the discussion, we recall from Section III that the interpolation cost is the total number of linear restrictions imposed on the interpolation polynomial, computed according to (5). Suppose that codeword is a TA-parent. Then, according to [19], the Koetter–Vardy algorithm will return a list of codewords that contains if the computed multiplicity matrix satisfies (10)
which for asymptotically large costs is reduced to (6). The multiplicity matrix is obtained from using a multiplicity assignment scheme that, for every real value , allows to express . We take advantage of this expression to obtain a bound for which (10) is satisfied. Assuming that we construct the multiplicity matrix as , being a TA-parent in iteration of the TA Tracing Algorithm, the left-hand side of (10) is (11)
and the interpolation cost is
(12) which, for reasonable values of the code parameters, is always upper bounded as (13) Since the cost is an increasing function of , we are interested in finding the minimum value of such that (10) is satisfied. This is equivalent to define the function
(14) and find a bound such that for any . One can always determine such by direct search. Note that we only have to test the values of that change the values of the floor functions of . Such values are of the form
A more straightforward approach to determine a bound for is presented in the following lemma.
Lemma 2: Let be the degree-2 polynomial constructed as
where is the expression obtained by substituting the floor functions by on (11) and is the expression obtained by substituting the floor functions by on (12), and let be the set of roots of . Then .
Proof: Note that is a degree-2 polynomial lower bound of the function defined in (14), with positive leading coefficient. Therefore, its largest root must occur beyond the point where becomes positive.
Hence, the cost of the interpolation process to find a TA-parent in the TA Tracing Algorithm is upper bounded by (13) substituting by the maximum root of the polynomial defined in Lemma 2. Note that the TA Tracing Algorithm loops at most times. Therefore, the overall interpolation cost of the algorithm can be upper bounded by (15) taking the value of from Lemma 2. In other words, all TA-parents will be identified with a total interpolation cost given by (15), and one cannot expect to identify more TA-parents even allowing the instances of the Koetter–Vardy algorithm run with a global interpolation cost higher than (15).
V. THE IPP TRACING ALGORITHM
In this section, we focus on the use of the Koetter–Vardy algorithm as the underlying routine for the IPP tracing process in Reed–Solomon codes. From Definition 4, we have that in a -IPP code all coalitions of size at most that are able to generate a given descendant have a non-empty intersection. Clearly, the codewords that lie in the intersection are the only ones that can be accused with certainty as traitors.
Definition 7: Let be a -IPP code and let be a descendant of some coalition of size at most . We define the set of IPP-parents of , denoted by , as the set of codewords of that belong to all coalitions of size at most that are able to generate :
The proof of next lemma is immediate from the definitions. Lemma 3: Let be a -TA code and let be a descendant of . some coalition of size at most . Then Therefore, determining the set of -IPP parents of a -IPP code consists of searching for coalitions of size at most . If codewords, this task has a runtime complexity the code has . Below we discuss a tracing algorithm for -IPP of Reed–Solomon codes based on list decoding. As mentioned in Section II the characterization of -IPP Reed–Solomon codes is not clear, but fortunately, using the proven fact that any -TA code is a -IPP code, a Reed–Solomon code that satisfies the distance condition in Theorem 1 will suffice for our purposes. Note also that, for a -IPP Reed–Solomon code, there is more than one coalition that can generate a given . descendant only if Before discussing the IPP Tracing Algorithm at length, we first give some intuition. The algorithm that we present is recursive in nature. It receives as its input a list of codewords that (partially) “cover” . Then, for this received input list, the algorithm looks for an appropriate set of “candidate codewords” that cover positions not already covered by the codewords in . For each one of these candidates , the algorithm executes recursively, now using as its input list. Clearly, this process eventually returns all coalitions that can generate if a list that contains a subset of the IPP-parents is given in the initial call of the algorithm. This can be accomplished according to Lemma 3 by using, for example, the TA Tracing Algorithm discussed in Section IV.
Also, as opposed to the case of the TA Tracing Algorithm, list decoding cannot offer a total solution to the IPP tracing problem. This is immediate to see by the following simple example. Take a 2-IPP Reed–Solomon code, . If a descendant contains symbols from a given parent, say , then there are possibilities for the remaining parent. Moreover, in this case, the Koetter–Vardy algorithm should be able to correct erasures. From (9) it is clear that this is not possible. When faced with this situation, we use reencoding in the style of [28] in order to find the remaining codewords that can be part of a coalition.
IPP Tracing Algorithm
Initial ordering of the elements of : . A global variable is needed. Initially set . The initial call needs to be with .
Input: : maximum size of the coalition. : a code with minimum distance . : a descendant in , with . : a (partial) list of parents of .
Output: The set of all coalitions with such that . : .
1) • If , then set and quit. • If and , then quit.
2) Compute the reliability matrix where, for and , if if and otherwise, using the error parameter , with
3) Plug the matrix into the Koetter–Vardy algorithm and, from the output list, take the set of all codewords that agree with in at least positions not in .
4) If , Reencoding: . • Set of positions of not in , • For each subset — If , , • . • — Else, positions in . • Fix , • For all , , . ,
5) For each . • Set . • Execute
A. Considerations About the Reencoding Step
In Step 3) of the IPP Tracing Algorithm, if the list returned by the Koetter–Vardy algorithm is empty or its elements do not cover any position not in , then we must devise a different method to find the remaining elements to complete the coalitions. As discussed above, the method that we use is based on reencoding [28]. Due to the MDS property, for a Reed–Solomon code of dimension , we can treat the symbols in any index positions as information symbols. This allows us to encapsulate the encoding steps into a routine , where are variables that take values from the elements of . Therefore, returns the unique codeword with symbols in positions , respectively.
Assume that is the number of remaining traitors to complete a coalition. There are two different cases to be considered. The first case is when . In this case, we can assume that at least one remaining codeword can be found by taking all of its information positions not in . This is again due to the MDS property of Reed–Solomon codes. To do so, the algorithm runs over all the possible subsets of size among the unerased positions and by applying the reencoding routine to each subset obtains the corresponding codeword. Note that the maximum number of reencodings in this case is upper bounded by .
On the other hand, we can have that . In this case, we cannot assume that any remaining coalition codeword agrees in unerased positions with the descendant. Suppose that for positions outside say , the descendant in has symbols respectively. Hence, we need to search for all codewords that agree with these positions. To do so, we fix a set of positions in that we represent as . Let the variable take all possible values from . Then, for each value of the routine with input will return one of the desired codewords. In this case, the maximum number of reencodings is upper bounded by .
Whenever one codeword is found, the remaining codewords to be added to a coalition, if any, are found by recursive executions of the algorithm. Below, we present a lemma that proves that, following this procedure, the output of the algorithm will eventually contain all the lists of codewords of size at most that are able to generate a given descendant.
B. Correctness of the Algorithm
Lemma 4: The IPP Tracing Algorithm identifies all coalitions of size at most that can generate a given descendant.
Proof: Note that the algorithm is executed recursively. Let be the starting set of codewords at a certain invocation of the algorithm. We first show that if there is a coalition with that can generate and , then will eventually be included in the global set . If , it is obvious that will be included in in Step 1). Otherwise, by the pigeonhole principle, there is a codeword such that it agrees with in, at least, positions not in . In Steps 2) – 4) the algorithm identifies such codeword, either using the Koetter–Vardy algorithm or in the reencoding step. Now, the algorithm is executed again using as input . It is clear that . Again, since can generate , we have that either or we can find a subset such that . Because , there is only a finite number of subsets, say , such that . Therefore, the algorithm will eventually be executed with as input and, hence, will be included in . On the other hand, observe that the initial call of the algorithm is executed using the set of TA-parents, generated by the TA Tracing Algorithm. This set belongs to all coalitions that can generate . It follows that when the recursive executions of the algorithm finish, will contain all coalitions of size at most that can generate .
To determine the running complexity of the IPP Tracing Algorithm, let be the size of the list returned by the TA Tracing Algorithm. We first consider the case that at each recursion the execution of the Koetter–Vardy algorithm is successful. In other words, we obtain the list of all codewords that agree in at least positions with the descendant. Then the total number of recursions is upper bounded by , with . Therefore, the running time is , where denotes the complexity of the Koetter–Vardy algorithm, which is polynomial in the code length. Hence, the algorithm offers a considerable improvement over both the brute force approach and the algorithm presented in [11] and [12]. On the other hand, it might be the case that the Koetter–Vardy algorithm does not return any appropriate codeword. If we take as the worst-case situation when the Koetter–Vardy algorithm fails in each recursion, then of course there is not much room for improvement. In this case, the number of executions of the IPP Tracing Algorithm will be upper bounded by , i.e., an execution time , as noted in [11], [12]. This is, however, a clear improvement over the brute-force method, since .
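The reencoding step and the recursion of Section V, worked through on a toy code, as an added example that is not code from the paper. It assumes a constructed [7,2] Reed–Solomon code over GF(7) with evaluation points 0..6 and coalitions of size at most 2; the function names and the pigeonhole threshold `need` used to choose between the two reencoding cases are this example's own assumptions.

```python
from itertools import combinations, product
from math import ceil

# Constructed toy parameters (assumptions, not from the paper): Reed-Solomon
# code of length 7 and dimension 2 over the prime field GF(7), d = N - K + 1 = 6.
Q, N, K = 7, 7, 2
POINTS = list(range(N))          # evaluation points, one per codeword position

def encode(msg):
    """Evaluate the message polynomial (low-order coefficient first) at POINTS."""
    return tuple(sum(m * pow(x, i, Q) for i, m in enumerate(msg)) % Q for x in POINTS)

CODE = [encode(msg) for msg in product(range(Q), repeat=K)]

def reencode(positions, symbols):
    """MDS property: the unique codeword carrying `symbols` at K chosen
    `positions`, computed by Lagrange interpolation over GF(Q)."""
    assert len(positions) == len(symbols) == K
    word = []
    for x in POINTS:
        total = 0
        for pj, sj in zip(positions, symbols):
            num = den = 1
            for pm in positions:
                if pm != pj:
                    num = num * (x - POINTS[pm]) % Q
                    den = den * (POINTS[pj] - POINTS[pm]) % Q
            total += sj * num * pow(den, -1, Q)
        word.append(total % Q)
    return tuple(word)

def generates(coalition, z):
    """A coalition generates z if every symbol of z is held by some member."""
    return all(any(w[i] == z[i] for w in coalition) for i in range(N))

def candidates(c, parents, z):
    """Reencoding step: codewords covering positions of z that `parents` do not."""
    free = [i for i in range(N) if all(w[i] != z[i] for w in parents)]
    # Pigeonhole: some missing traitor matches z in at least `need` free positions.
    need = ceil(len(free) / (c - len(parents)))
    found = set()
    if need >= K:    # first case: K free positions serve as information symbols
        for subset in combinations(free, K):
            found.add(reencode(subset, [z[i] for i in subset]))
    else:            # second case: pin `need` free positions, enumerate the rest
        for subset in combinations(free, need):
            extra = [i for i in range(N) if i not in subset][:K - need]
            for values in product(range(Q), repeat=K - need):
                found.add(reencode(list(subset) + extra,
                                   [z[i] for i in subset] + list(values)))
    return found

def trace(c, z, parents, out):
    """Recursively collect coalitions of size <= c that extend `parents` and generate z."""
    parents = frozenset(parents)
    if generates(parents, z):
        out.add(parents)
    elif len(parents) < c:
        for cand in candidates(c, parents, z):
            trace(c, z, parents | {cand}, out)
    return out

def ipp_parents(c, z, known):
    """Codewords common to every coalition found: the only ones accusable with certainty."""
    coalitions = trace(c, z, known, set())
    common = frozenset.intersection(*coalitions) if coalitions else frozenset()
    return common, coalitions

def brute_force(c, z):
    """Reference search over every coalition of size <= c (cost grows as len(CODE)**c)."""
    hits = [frozenset(s) for r in range(1, c + 1)
            for s in combinations(CODE, r) if generates(s, z)]
    return frozenset.intersection(*hits) if hits else frozenset()

# Constructed scenarios: traitors u and v collude (c = 2); u is assumed to have
# been found already by a TA tracing pass and is passed in as the known parent.
u, v = encode((1, 2)), encode((3, 5))
z_mixed = u[:4] + v[4:]      # four symbols taken from u, three from v
z_skewed = u[:6] + v[6:]     # six symbols taken from u, a single one from v

if __name__ == "__main__":
    for name, z in (("mixed", z_mixed), ("skewed", z_skewed)):
        common, coalitions = ipp_parents(2, z, [u])
        print(name, "coalitions:", len(coalitions), "IPP parents:", sorted(common))
```

In the skewed scenario seven different codewords can complete the coalition, so the intersection contains only u and v cannot be accused.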
VI. CONCATENATED CONSTRUCTIONS
In this section, we deal with the case of binary -secure fingerprinting codes with error. As said in Section II, in the binary case the identification process will always be subjected to a certain error probability. To construct practical (shorter) binary fingerprinting codes, many authors [6]–[8], [29] have used the idea of code concatenation [21]. Let be an -code over and let be an -code over . Consider a mapping . Then the concatenated code is the code obtained by taking each codeword , and mapping every symbol on a codeword , obtaining the codeword of the concatenated code . The code is called the outer code and the inner code.
According to the discussion leading to Definition 5, for the inner code a single code is not sufficient, but a family of codes is required. We now show how to obtain a family of binary fingerprinting concatenated codes with probability of error decreasing exponentially with the code length.
Definition 8: Take as outer code an -code over . Let be a family of binary -secure -codes with error, as in Definition 5. For every code , let denote a bijective mapping . Also, let be the th vector in under an arbitrary total-order relation, where . Denote by the code constructed in the following way:
(16)
The set of all codes constitutes the family ,
To use the family we take the code , where is chosen with probability . Note that this is equivalent to obtain a vector of keys , where each key is chosen independently and uniformly from , and with this vector construct the code as in (16). This choice of is kept secret. The set of keys , the family , the mappings and the code are publicly known. We assign to each user a codeword from . Moreover, since the number of codewords in and the number of codewords in coincide, we can also associate users to codewords of .
It is worth noting that for the inner codes in the concatenated constructions of Definition 8, we do not attach ourselves to any specific fingerprinting family of codes proposal. Instead, we let be any family of binary -secure -codes with error, as in Definition 5. Given a descendant created by a traitor coalition of size at most , it is clear that in order to identify the traitors we first need to perform tracing in each inner code and from the obtained result perform tracing in the outer code. This is made precise in the Concatenated Tracing Algorithm 1. Below, we will see what conditions the family of codes needs to satisfy so that the output of the algorithm is a traitor codeword with high probability.
Concatenated Tracing Algorithm 1
1) For the binary inner code use the secret key to decode each block of the descendant by running the tracing algorithm . According to Definition 5, we obtain at most codewords from .
2) Using the inverse mapping obtain at most symbols from . We pick at random one of these symbols, say symbol .
3) For , we recover a pirate word .
4) Output the codeword such that .
We are now in position to state the following theorem.
Theorem 4: Let be an -code over and let be a family of binary -secure -codes with error, as in Definition 5. Let be the family of concatenated codes constructed with outer code , the family , the mappings and the set of keys as in Definition 8. For any , where , the family of concatenated codes together with the Concatenated Tracing Algorithm 1 is a family of binary -secure fingerprinting codes with exponentially small error, , if
Proof: We first take a vector of keys where each key is chosen independently and uniformly from . This choice is kept secret. Following Definition 8 we obtain a code . It is clear that the code is unknown to the traitors, but the set , the family , the mappings and the code are all publicly known. Let and be the codewords associated to a coalition of size , where , for . Let be a descendant created by coalition . We use the Concatenated Tracing Algorithm 1 to identify the traitors. By decoding each block , following Steps 1) and 2) of the algorithm, we obtain a symbol . According to Definition 5, with probability at least . The errors made in this inner code tracing algorithm can be modeled by Bernoulli random variables . The random variable takes value 1 if and 0 otherwise. For any given descendant the random variables are independent. To see this, we recall that the keys are chosen independently and uniformly. In other words, each inner code is being chosen independently and uniformly from of the codes in the family . Then, it is clear that the errors made in each inner code tracing algorithm are independent. Moreover, it is also clear that for we have that . Therefore, since the error probability of each symbol is independent, then using the Hoeffding’s inequality [30], the probability of the tail can be bounded as
Thus, after decoding the inner code, we recover a pirate word , where . That is, with error probability less than , the number of incorrect positions in is at most . We will denote this error probability by . Then with error probability , there exists some coalition codeword such that
(17)
Note that since , then for reasonable values of we have that
From the hypothesis of the theorem, any two codewords satisfy
Recalling that reflects the number of possible incorrect positions in the pirate word, for any codeword , not a coalition member
Therefore, with error probability less than , there is no innocent codeword such that . The theorem follows from (17).
We would like to note that a related result has been obtained concurrently in [31]. See also [32].
A. Identification of Traitors
We have just shown that there exists a family of binary fingerprinting codes, based on a concatenated construction, that together with the Concatenated Tracing Algorithm 1 can achieve identification of traitors with arbitrary small error probability. Now, we will show how the complexity of the tracing process can be reduced using the Koetter–Vardy algorithm. Similarly to the Concatenated Tracing Algorithm 1, the decoding process of concatenated codes is usually performed in two steps. In the first step, every inner code is decoded obtaining a word of symbols from the outer code alphabet. Then, this word is decoded using a decoding algorithm designed for the outer code. However, in a collusion attack, the output of the tracing algorithm of each inner code need not be a single symbol from the outer code alphabet. It can also be a set of multiple symbols. This fact depends on the nature of the inner family of codes and its tracing algorithm. See [7], [8], [26] for examples of families of binary -secure codes with -error with tracing algorithms that may produce more than one output codeword. All the (possible) multiple outputs are considered to have the same reliability. We will consider henceforth that the outer code from Definition 8 is a Reed–Solomon code, , over . In this case,
through the use of the reliability matrix, the Koetter–Vardy algorithm provides a natural way to deal with all the information delivered by the inner tracing process. Using the same notation as above, we reflect this situation in the Concatenated Tracing Algorithm 2.
Concatenated Tracing Algorithm 2
1) For the binary inner code use the secret key to decode each block of the descendant by running the tracing algorithm . According to Definition 5, we obtain at most codewords from .
2) Using the inverse mapping obtain a set of at most symbols from .
3) Compute the reliability matrix where, for and , if otherwise using the error parameter .
4) Plug the matrix into the Koetter–Vardy algorithm and for every codeword in the output list, compute the value
5) Output the set of all codewords that satisfy
The reason for in the algorithm is to take into account the fact that the inner code tracing algorithm has a certain error probability. In this way, if in a given position an error is made, then in this position we will still have some “contribution” of the traitors. We now explain how to derive the appropriate value for . First, recall from the proof of Theorem 4 that we denote the codewords associated to a coalition of size by and , where , for . Hence, in Step 2) of the algorithm we recover a set of symbols such that, by construction
In this analysis, we will assume that for all . It is easy to see that, indeed, this is a worst-case situation. Namely, the one which minimizes the difference between the left-hand and the right-hand sides in the condition for successful decoding of the Koetter–Vardy algorithm stated in Theorem 3
(18)
Suppose that codeword is part of the coalition that has created . Assuming again that in the inner tracing process we have made at most errors with high probability, for this codeword we have that
and since
then will appear in the output list of the Koetter–Vardy algorithm if
(19)
The left-hand side of (19) is maximized by taking . This is intuitively very satisfactory. It says that, in the setup of the reliability matrix , the effect of the errors of the inner binary fingerprinting code has to be considered. Moreover, this effect has to be “spread” equally between all symbols that do not appear in the list returned by the inner tracing algorithm . From Theorem 4, note that is an upper-bound of the probability of error of each inner code, and represents a threshold that allows us to “differentiate” parents (traitors) from non-parents. Also, from the proof of Theorem 4, we have that the codewords that satisfy
are traitor codewords with high probability.
Finally note that, if done by brute force, the tracing process of each inner code is of complexity , as in [7], [8], [26]. This means a decoding complexity of for all the entire inner decoding, where is the outer code length. Since the Koetter–Vardy algorithm is the core of the Concatenated Tracing Algorithm 2, and it is a polynomial-time algorithm in the code length [19], we conclude that the tracing process is also accomplished in polynomial time in the code length. Thus, we have proved the following proposition.
Proposition 2: Let be an -code over and let be a family of binary -secure -codes with error, as in Definition 5. Let be the family of concatenated codes constructed with outer code , the family , the mappings and the set of keys as in Definition 8. For any , where , the family of concatenated codes together with the Concatenated Tracing Algorithm 2 is a family of binary -secure fingerprinting codes with exponentially small error, , if
Moreover, the tracing process is executed in polynomial time and its capacity is maximized by using as the input to the Koetter–Vardy algorithm a reliability matrix of the form
where is a matrix with binary entries having ones in each column.
Suboptimal Setup of the Reliability Matrix: A clarification is probably in order. In the situation discussed above, we argued that the reason for was to take into account the errors made by the tracing process of the inner codes. At that point, the reader might have thought about what would happen if one had decided to ignore the fact that the family of inner codes has a probability of error. This would mean constructing the reliability matrix as
where, as before, we have that if otherwise. Again, we assume that the number of errors made by the tracing process of the inner codes are at most with high probability. Then, for at least one of the codewords in the coalition, say , we have that
Since now
then, according to (18), the codeword will appear in the output list of the Koetter–Vardy algorithm if
This is the same as
that for is always satisfied. This means that even for a suboptimal setup of the reliability matrix, the Koetter–Vardy algorithm will output a codeword from the traitor coalition. In a way, this is a surprising result. Recall from Section IV that to find the TA-parents in the -TA Tracing Algorithm we had to push the Koetter–Vardy algorithm almost “to the edge”. This was due to the fact that every column of the reliability matrix only contained information from a single parent. On the other hand, here we are able to exploit the full power of the Koetter–Vardy algorithm. This is because, whenever it is possible, each column of the reliability matrix contains information from all parents. Somehow, it looks as if the Koetter–Vardy algorithm is tailor made for these concatenated constructions.
VII. CONCLUSIONS
As noted in [11], [12], tracing traitors is a worthwhile addition to a system provided the associated identification algorithms add sufficiently little cost. In this paper we have shown the benefits of using the Koetter–Vardy algebraic soft-decision decoding algorithm in the identification process when Reed–Solomon codes with tracing capabilities are used. For -TA Reed–Solomon codes, on one hand we give conditions for unambiguous traitor identification. On the other hand, we show how the flexibility of the Koetter–Vardy algorithm allows the reuse of information obtained in each loop of an iterative process, in which the identification of traitors is based on the previously identified ones. The use of feedback information from previous iterations of the algorithm improves the task, allowing it to run in polynomial time in the code length rather than in the code size. We also discuss upper bounds of the needed cost in the Koetter–Vardy algorithm so that at least one TA-parent always appears in the output list. Moreover, we have also extended the work of [11], [12]. Again departing from the Koetter–Vardy algorithm, for a -IPP Reed–Solomon code, given a descendant we have presented a method to obtain all possible coalitions that are able to generate it. The use of the soft-decoding routine allows us to reduce the execution time, which in the general case is upper-bounded by , where is the total number of codewords. Finally, we have shown concatenated constructions of fingerprinting binary codes based on Reed–Solomon outer codes. The constructions have exponentially small probability of error in the outer code length, and polynomial decoding time in the total code length. We use the Koetter–Vardy soft-decision decoding algorithm in the outer code tracing process. It is surprising that even a sub-optimal setup of the reliability matrix achieves the same purposes than the matrix defined for the optimal case and with equivalent computational complexity.
ACKNOWLEDGMENT
The authors wish to thank the anonymous referees, whose comments and observations have helped to improve the contents and presentation of the paper. The authors also wish to thank G. A. Kabatiansky for his insightful comments. They are also indebted to the following people, for many useful discussions: A. Alabert, P. Delicado, M. A. Fiol, R. Nonell, D. Rebollo-Monedero, C. Rovira, and J. L. Villar.
REFERENCES
[1] N. Wagner, “Fingerprinting,” in Proc. IEEE Symp. Security and Privacy, Oakland, CA, Apr. 1983, pp. 18–22.
[2] P. Moulin and J. A. O’Sullivan, “Information-theoretic analysis of information hiding,” IEEE Trans. Inf. Theory, vol. 49, no. 3, pp. 563–593, Mar. 2003.
[3] P. Moulin and R. Koetter, “Data-hiding codes,” Proc. IEEE, vol. 93, no. 12, pp. 2083–2127, Dec. 2005.
[4] H. D. L. Hollmann, J. H. van Lint, J.-P. Linnartz, and L. M. G. M. Tolhuizen, “On codes with the identifiable parent property,” J. Comb. Theory, Ser. A, vol. 82, no. 2, pp. 121–133, May 1998.
[5] J. Staddon, D. R. Stinson, and R. Wei, “Combinatorial properties of frameproof and traceability codes,” IEEE Trans. Inf. Theory, vol. 47, no. 3, pp. 1042–1049, Mar. 2001.
[6] A. Barg, G. R. Blakley, and G. Kabatiansky, “Digital fingerprinting codes: Problem statements, constructions, identification of traitors,” IEEE Trans. Inf. Theory, vol. 49, no. 4, pp. 852–865, Apr. 2003.
[7] D. Boneh and J. Shaw, “Collusion-secure fingerprinting for digital data,” in Proc. Advances in Cryptology—CRYPTO’95. Santa Barbara, CA: Springer-Verlag, 1995, vol. 963, Lecture Notes in Computer Science (LNCS), pp. 452–465.
[8] D. Boneh and J. Shaw, “Collusion-secure fingerprinting for digital data,” IEEE Trans. Inf. Theory, vol. 44, no. 5, pp. 1897–1905, Sep. 1998.
[9] B. Chor, A. Fiat, and M. Naor, “Tracing traitors,” in Proc. Advances in Cryptology—CRYPTO’94. Santa Barbara, CA: Springer-Verlag, 1994, vol. 839, Lecture Notes in Computer Science (LNCS), pp. 480–491.
[10] B. Chor, A. Fiat, M. Naor, and B. Pinkas, “Tracing traitors,” IEEE Trans. Inf. Theory, vol. 46, no. 3, pp. 893–910, May 2000.
[11] A. Silverberg, J. Staddon, and J. Walker, “Efficient traitor tracing algorithms using list decoding,” in Proc. Advances in Cryptology—ASIACRYPT 2001. Gold Coast, Australia: Springer-Verlag, 2001, vol. 2248, Lecture Notes in Computer Science (LNCS), pp. 175–192.
[12] A. Silverberg, J. Staddon, and J. Walker, “Applications of list decoding to tracing traitors,” IEEE Trans. Inf. Theory, vol. 49, no. 5, pp. 1312–1318, May 2003.
[13] P. Elias, “List Decoding for Noisy Channels”, Tech. Rep. MIT, Res. Lab. Electron., Cambridge, MA, 1957.
[14] J. M. Wozencraft, “List Decoding”, Tech. Rep. MIT, Res. Lab. Electron., Cambridge, MA, 1958.
[15] M. Sudan, “Decoding of Reed–Solomon codes beyond the error-correction bound,” J. Complexity, vol. 13, no. 1, pp. 180–193, Mar. 1997.
[16] V. Guruswami and M. Sudan, “Improved decoding of Reed–Solomon and algebraic-geometry codes,” IEEE Trans. Inf. Theory, vol. 45, no. 6, pp. 1757–1767, Sep. 1999.
[17] V. Guruswami, “List Decoding of Error-Correcting Codes,” Ph.D. dissertation, MIT, Dept. Elect. Eng. and Comp. Science, Cambridge, MA, 2001.
[18] R. Koetter and A. Vardy, “Algebraic soft-decision decoding of Reed–Solomon codes,” in Proc. IEEE Int. Symp. Inf. Theory (ISIT), Sorrento, Italy, Jun. 2000, p. 61.
[19] R. Koetter and A. Vardy, “Algebraic soft-decision decoding of Reed–Solomon codes,” IEEE Trans. Inf. Theory, vol. 49, no. 11, pp. 2809–2825, Nov. 2003.
[20] M. Fernandez and M. Soriano, “Identification of traitors in algebraic-geometric traceability codes,” IEEE Trans. Signal Process., vol. 52, no. 10, pp. 3073–3077, Oct. 2004.
[21] G. D. Forney, Concatenated Codes. Cambridge, MA: MIT Press, 1966.
[22] I. S. Reed and G. Solomon, “Polynomial codes over certain finite fields,” SIAM J. Appl. Math., vol. 8, no. 2, pp. 300–304, Jun. 1960.
[23] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes. Amsterdam, The Netherlands: Elsevier/North-Holland, 1977.
[24] J. van Lint, Introduction to Coding Theory (Graduate Texts in Mathematics), 3rd ed. Berlin, Germany: Springer-Verlag, 1999.
[25] R. Safavi-Naini and Y. Wang, “Collusion secure q-ary fingerprinting for perceptual content,” in Proc. Security and Privacy in Digital Rights Management—DRM 2001. Philadelphia, PA: Springer-Verlag, 2002, vol. 2320, Lecture Notes in Computer Science (LNCS), pp. 57–75.
[26] G. Tardos, “Optimal probabilistic fingerprint codes,” J. ACM, vol. 55, no. 2, pp. 1–24, May 2008.
[27] R. Koetter and A. Vardy, “Algebraic soft-decision decoding of Reed–Solomon codes,” Manuscript, 2000.
[28] E. Berlekamp, “Bounded distance+1 soft-decision Reed–Solomon decoding,” IEEE Trans. Inf. Theory, vol. 42, no. 3, pp. 704–720, May 1996.
[29] J. Cotrina-Navau and M. Fernandez, “A family of asymptotically good binary fingerprinting codes,” IEEE Trans. Inf. Theory, vol. 56, no. 10, pp. 5335–5343, Oct. 2010.
[30] W. Hoeffding, “Probability inequalities for sums of bounded random variables,” J. Amer. Statist. Assoc., vol. 58, no. 301, pp. 13–30, Mar. 1963.
[31] N. P. Anthapadmanabhan, “Random Codes and Graphs for Secure Communication,” Ph.D., Univ. of Maryland, Dept. Elect. and Comp. Eng, College Park, MD, 2009.
[32] N. Anthapadmanabhan and A. Barg, “Two-level fingerprinting: Stronger definitions and code constructions,” in Proc. IEEE Int. Symp. Inf. Theory (ISIT), Austin, TX, Jun. 2010, pp. 2528–2532.
Marcel Fernández received the M.S. and Ph.D degrees in telecommunication engineering from the Technical University of Catalonia (UPC), Barcelona, Spain. Currently, he is an Associate Professor at the Telecommunications Engineering School of Barcelona (ETSETB), UPC, where he teaches concurrent programming courses. His research interests are in information and coding theory and its applications in digital content protection.
José Moreira received the M.S. degree in telecommunication engineering from the Technical University of Catalonia (UPC), Barcelona, Spain. He is currently pursuing the Ph.D. degree in the Information Security Group, Department of Telematics Engineering, UPC. His research is mainly focused on coding theory, traceability, and fingerprinting codes.
Miguel Soriano received the M.S. degree in telecommunications engineering from the Technical University of Catalonia (UPC), Barcelona, Spain, in 1992, and the Ph.D. degree in 1996. In 1991, he joined the Cryptography and Network Security Group, Department of Applied Mathematics and Telematics. He is currently a Professor in the Telecommunications Engineering School of Barcelona (ETSETB), UPC, and leads the Information Security Group at the Department of Telematics Engineering. He is also an Associate Researcher at the Centre Tecnològic de Telecomunicacions de Catalunya (CTTC). His research interests encompass network security, electronic commerce, and information hiding for copyright protection. Dr. Soriano has been a member of the program committees of several security conferences, and he is the Editor of the International Journal of Information Security (Springer-Verlag).