Abstract It has been proven that the code lengths of Tardos’s collusion-secure fingerprint-ing codes are of theoretically minimal order with respect to the number of adversarial users(pirates). However, the code lengths can be further reduced as some preceding studies haverevealed. In this article we improve a recent discrete variant of Tardos’s codes, and give asecurity proof of our codes under an assumption weaker than the original Marking Assump-tion. Our analysis shows that our codes have significantly shorter lengths than Tardos’s codes.For example, when c = 8, our code length is about 4.94% of Tardos’s code in a practicalsetting and about 4.62% in a certain limit case. Our code lengths for large c are asymptoticallyabout 5.35% of Tardos’s codes.
Communicated by H. van Tilborg.
A part of this work was presented at 17th Applied Algebra, Algebraic Algorithms, and Error CorrectingCodes (AAECC-17), Bangalore, India, December 16–20, 2007.
K. Nuida (B) · M. Hagiwara · T. Kitagawa · H. Watanabe · H. ImaiResearch Center for Information Security (RCIS), National Institute of Advanced IndustrialScience and Technology (AIST), Akihabara-Daibiru Room 1003, 1-18-13 Sotokanda,Chiyoda-ku, Tokyo 101-0021, Japane-mail: [email protected]
S. Fujitsu · K. OgawaScience and Technical Research Laboratories, Japan Broadcasting Corporation (NHK),1-10-11 Kinuta, Setagaya-ku, Tokyo 157-8510, Japan
M. HagiwaraCenter for Research and Development Initiative, Chuo University, 1-13-27 Kasuga,Bunkyo-ku, Tokyo 112-8551, Japan
H. ImaiFaculty of Science and Engineering, Chuo University, 1-13-27 Kasuga,Bunkyo-ku, Tokyo 112-8551, Japan
Recent development of computer and network technology has promoted trades of digitalcontents. This has increased not only convenience for both content servers and users, butalso risks of the distributed contents being illegally copied and redistributed. Digital finger-printing scheme is a solution for such problems, in which the content server embeds someuser identification data into each content in advance and detect the redistributor (called apirate) from the data embedded into the redistributed content. The object of this article isfingerprinting codes used for encoding the user identification data.
A collusion attack by more than one pirates is a typical attack (modification and era-sure) to the embedded fingerprint codeword. A fingerprinting code is called c-secure, if it issecure against collusion attacks by at most c pirates, namely if it is equipped with a tracingalgorithm which can output a pirate correctly with an overwhelming probability. The firstconstruction of c-secure codes for every c was given by Boneh and Shaw [2], where theyintroduced a certain assumption on the pirates’ attack strategies called Marking Assumption.Then Tardos [9] proposed c-secure codes (under Marking Assumption) with highly proba-bilistic codeword generation algorithms. A characteristic of his codes is that by the tracingalgorithm, closeness of each user’s codeword to the codeword in the redistributed content isquantified as a “score” of each user and then users whose scores exceed a given thresholdare output. His work is a milestone in this area because of the fact that code lengths of hisc-secure codes are of theoretically minimal order (that is, �(c2)) with respect to c.
After Tardos’s work, there have been proposed several improvements of his codes. Adirection investigated by Skoric et al. [8] concerns reduction of the code lengths by modi-fying the scoring function and by sharpening evaluation of error probability of the tracingalgorithm. Another direction taken by Blayer and Tassa [1] concerns reduction of the codelengths by improving the parameter choice for Tardos codes. Moreover, a work by Nuidaet al. [6,7] (following Hagiwara et al. [5]) concerns implementation issues of the codes.Namely, they replaced the continuous probability distributions used in Tardos codes withcertain finite (hence discrete) probability distributions, and proposed an appropriate way ofapproximating the scoring function, so that the resulting codes can be implemented by usingsmaller amount of memory and numbers explicitly representable on computers (which theythought of as significant for security evaluation on practical use of the codes). In addition,their “discrete Tardos codes” also have shorter lengths than the original.
Our contribution in this article is a further improvement of the discrete Tardos codes [6,7]at the following points:
– Modification of the tracing algorithm: In contrast with preceding works [5–9], our trac-ing algorithm outputs precisely one user with highest score. This results in significantreduction of the error probability.
– Reduction of code lengths: Our code length formula implies that the code lengths arereduced to less than or almost equal to 1/20 of Tardos codes in many practical settings.
– Relaxation of Marking Assumption: To cover more practical cases, we give the securityproof under a somewhat weaker assumption than Marking Assumption. (Note that Guthand Pfitzmann [4] has also introduced similar relaxation, but that is not the same as ours.)
123
Tardos fingerprinting codes 341
This article is organized as follows. Section 2 summarizes our model for content distribu-tion systems based on fingerprinting codes, together with a class of fingerprinting codes. InSect. 3, we introduce the abovementioned relaxation of Marking Assumption, and describeour codeword generation algorithm and tracing algorithm. Section 4 gives our main resultson the bound of error probabilities and on the code length formula. Section 5 deals withnumerical examples of our codes and a comparison with preceding c-secure codes [7–9],and Sect. 6 discusses an asymptotic behavior of our code lengths. Arguments in these twosections show that our code lengths are significantly short. Finally, Sect. 7 is devoted to theproofs of our main results.
2 Preliminaries
2.1 A model for fingerprint content distribution systems
In this subsection, we present a model for content distribution systems using fingerprintingcodes. A class of fingerprinting codes relevant to our proposal will be shown in Sect. 2.2.
Our model M = (U,Par,Gen,Emb,Ext,A,Tr) consists of a set U of players, a randomvariable Par of an auxiliary parameter, a codeword generation algorithm Gen, a fingerprintembedding algorithm Emb, a fingerprint extraction algorithm Ext, pirates’ attack algorithmA, and a pirate tracing algorithm Tr. The set U consists of a content server, or a server inshort, and a number (denoted by N ) of users. Each user is either an adversarial user called apirate, or an innocent user. Let � ≥ 1 denote the number of pirates.
Before running the algorithm Gen, first the server chooses an auxiliary parameter P forthe remaining process according to Par (if not necessary, this phase can be skipped by lettingPar be a trivial random variable on a singleton {∗}). Then the server executes Gen with inputP to generate codewords for the users. In this article, the codeword wi = (wi,1, . . . , wi,m)
of i-th user ui is a binary sequence of the common length m. Each codeword wi is embed-ded into a content C by the algorithm Emb that outputs the resulting fingerprinted contentCi = Emb(C, wi ), and a codeword embedded into a content will be extracted by the algo-rithm Ext. For simplicity, in this article we assume that the embedding/extraction algorithmsare perfect, i.e., we always have Ext(Emb(C, w)) = w for appropriate C and w. After theembedding, each fingerprinted content Ci is sent to the corresponding user ui .
Given their contents, the pirates create a modified content C ′ called a pirated content byusing the algorithm A. The resulting modified codeword y = Ext(C ′) is called a piratedcodeword. It is generally not assured that C ′ corresponds to a valid codeword, thereforewe assume that y is also of the same length m but over a larger alphabet {0, 1, ?}, wherethe additional symbol ‘?’ signifies an undecodable bit. The following two assumptions areconventional in most of the preceding works in this area (for the former) or on several“Tardos-like” probabilistic fingerprinting codes (for the latter):
Definition 1 (Marking Assumption [2]) If all the j-th bits wi1, j , . . . , wi�, j in codewords ofthe pirates ui1 , . . . , ui� (1 ≤ j ≤ m) coincide (we call such a position undetectable), thenthe j-th bit y j of the pirated codeword y also coincides with the bit.
Definition 2 (No Leakage Assumption) The distribution of the pirated codeword y, condi-tioned on given pirates’ codewords, is independent of both innocent users’ codewords andthe parameter P .
Then the pirates distribute copies of the pirated content.
123
342 K. Nuida et al.
Finally, given a pirated content C ′, the server extracts the pirated codeword y = Ext(C ′),and then executes the algorithm Tr to output a (possibly empty) set of suspected users, withy, P and the users’ codewordswi as input. A tracing error, or an error in short, is defined asan event that the output of Tr contains either no pirates (false-negative) or an innocent user(false-positive).
In this article, a fingerprinting code signifies a triple (Par,Gen,Tr)where each element isdefined as above. We say that a fingerprinting code is c-secure (with ε-error) [2], if the tracingerror probability taken over the whole of the above process does not exceed a negligibly smallvalue ε whenever � ≤ c and the attack algorithm A satisfies the given assumptions.
2.2 A class of fingerprinting codes
Here we give a class of fingerprinting codes that includes codes of our proposal together withTardos codes [9] and their several variants [5–8].
In the class, the random variable Par is the direct product of m independent ones, eachof which follows the same probability distribution P over the open unit interval (0, 1),called a bias distribution. Thus the parameter P , called a bias parameter, is a sequence(p(1), . . . , p(m)) of random values 0 < p( j) < 1. Then the algorithm Gen generates eachbit wi, j of users’ codewords independently, with probability given by
The tracing algorithm Tr first calculates a “score” S( j)i ∈ R for j-th bit wi, j of i-th user
ui by a certain function, which may depend on the parameter P , and then calculates the totalscore Si of i-th user by Si = ∑m
j=1 S( j)i . The algorithm Tr decides the output users in a certain
way based on the scores. For example, in preceding Tardos-like codes [5–9] Tr outputs everyuser whose score exceeds a certain threshold Z (“threshold type”). See Example 1 below.On the other hand, our tracing algorithm proposed in later sections outputs precisely one ofthe users with highest score (“highest score type”). As mentioned in Remark 2 of [9, Section1.2], these two types are in the following relation:
Proposition 1 If all of the other characteristics are in common, the error probability of afingerprinting code with a tracing algorithm of highest score type is not higher than that ofthreshold type.
Example 1 In Tardos codes [9], the bias distribution is a certain continuous distribution (see[9] for the details). By using an auxiliary function σ(p) = √
(1 − p)/p, the scoring rule isdescribed by S( j)
i = σ(p( j)) if (y j , wi, j ) = (1, 1), S( j)i = −σ(1 − p( j)) if (y j , wi, j ) =
(1, 0), and S( j)i = 0 if y j ∈ {0, ?}. The tracing algorithm uses a threshold Z as mentioned
above. The code length and the threshold are determined by m = 100c2�log(1/εT)� andZ = 20c�log(1/εT)�, where εT is a bound of false-positive probability per one user. Onthe other hand, in a “discrete variant” of Tardos codes proposed by Hagiwara et al. [5], thebias distribution is a finite (hence discrete) probability distribution over a very small subsetof the interval (0, 1). Moreover, in a “symmetrized version” of Tardos codes proposed bySkoric et al. [8], the scoring function is modified so that S( j)
i = σ(1 − p( j)) if y j ∈ {0, ?}and wi, j = 0, S( j)
i = −σ(p( j)) if y j ∈ {0, ?} and wi, j = 1, and S( j)i remains unchanged
otherwise.
123
Tardos fingerprinting codes 343
3 Our proposal
In this section, we describe construction of fingerprinting codes of our proposal. A significantcharacteristic is that our codes are secure under a weaker assumption than Marking Assump-tion. We also present the relaxation of Marking Assumption in this section. Our results onevaluation of error probabilities and sufficient code lengths will be given in later sections.
3.1 A relaxation of marking assumption
It has been pointed out [4] that the conventional Marking Assumption (Definition 1) isimpractical, or at least inefficient, in viewpoints of design of fingerprint embedding/extractionschemes. Thus in this article, we put the following relaxed version of Marking Assumption:
Definition 3 (δ-Marking Assumption) The number of undetectable positions (see Definition1 for terminology) in which y differs from the pirates’ codewords is not larger than δm,where δ ≥ 0 is a fixed parameter.
This assumption includes the usual Marking Assumption (by putting δ = 0). Note that,although the motivations are in common, our assumption is described in a different formfrom [4] to make the analysis easier.
3.2 Our bias parameter and codeword generation algorithm
Our fingerprinting code belongs to the class given in Sect. 2.2, therefore the codeword gen-eration algorithm is determined by the bias distribution P . Our basic choice of P is thefollowing:
Definition 4 Let Lk(t) = ( ddt )
k(t2 − 1)k/(k! 2k) be the k-th Legendre polynomial, andput Lk(t) = Lk(2t − 1). Then we define PGL
2k−1 = PGL2k to be the finite probability dis-
tribution on the set of the k zeroes of Lk such that each value p is taken with probabilityγ(
p(1 − p))−3/2
Lk′(p)−2, where γ is the normalization constant making the sum of the
probabilities equal to 1.
The bias distributions PGLc were first introduced by a discrete variant [6,7] of Tardos codes,
where PGLc are called “Gauss-Legendre distributions” due to their deep relation to the Gauss-
Legendre quadrature in numerical approximation theory. These distributions are symmetricin the following sense:
Definition 5 We say that a bias distribution P is symmetric, if P outputs the values p and1 − p with the same probability for any 0 < p < 1.
It is shown in [6,7] that PGLc minimizes, among the bias distributions with a certain desirable
property, the memory amount required to record the bias parameter P , and that the codelengths are also reduced by using PGL
c instead of Tardos’s continuous bias distributions. Thisis the main reason of adopting PGL
c as our bias distribution.We should note that the output values of PGL
c and the corresponding output probabilitiesare not necessarily rational, therefore we need approximations for explicit implementationon computers. Effects of such approximations will also be considered in our security proof,where the approximated bias distribution is assumed to be symmetric.
123
344 K. Nuida et al.
3.3 Our tracing algorithm
By using an auxiliary function σ(p) = √(1 − p)/p, we define our basic scoring rule (which
is in fact the same as [8]) to calculate the bitwise scores S( j)i by
S( j)i =
⎧⎪⎪⎨
⎪⎪⎩
σ(p( j)) if y j = 1 and wi, j = 1,−σ(1 − p( j)) if y j = 1 and wi, j = 0,−σ(p( j)) if y j ∈ {0, ?} and wi, j = 1,σ (1 − p( j)) if y j ∈ {0, ?} and wi, j = 0.
(1)
It has been shown in [8] that this scoring rule is effective to reduce the code lengths. Thenour tracing algorithm simply outputs one of the users with highest score (see Proposition 1for the effectiveness). Note that the way of choosing one user from the users with highestscore is irrelevant to our security proof, hence it may be arbitrary.
Let p0, p1, . . . , pk denote the possible output values of the chosen symmetric bias dis-tribution P in increasing order. In general, the above scores are not necessarily explicitlyrepresentable on computers, therefore we also need approximations of these values. For thepurpose, first we fix an approximated value Ui of each σ(pi ). Since P is symmetric, we have1 − pi = pk−i , therefore Uk−i (denoted by U ′
i for simplicity) is also an approximated valueof σ(1 − pi ). Then we modify the above scoring rule (1) for bitwise scores as follows:
S( j)i =
⎧⎪⎪⎨
⎪⎪⎩
Uν if y j = 1 and wi, j = 1,−U ′
ν if y j = 1 and wi, j = 0,−Uν if y j ∈ {0, ?} and wi, j = 1,U ′ν if y j ∈ {0, ?} and wi, j = 0,
where p( j) = pν . (2)
Effects of this approximation will be considered in our security proof.
4 Code lengths and error probabilities of our codes
In this section, we give the main theorem of this article on a bound of error probabilitiesand a formula of code lengths for our fingerprinting codes proposed in Sect. 3. The theoremshows that our fingerprinting codes are c-secure. Proofs of the theorem will be demonstratedin Sect. 7.
For the purpose, first we present some auxiliary notations and terminology. Given a sym-metric bias distribution P , let p0, p1, . . . , pk , Ui , and U ′
i be as defined in the last paragraphof Sect. 3.3, and put
η = σ(p0).
Let
δ′ = max0≤i≤k
|σ(pi )− Ui | = max0≤i≤k
|σ(1 − pi )− U ′i |,
i.e., the bound of approximation errors of the bitwise scores. Then we define the tolerancerate of our code by
= δ′ + 2ηδ,
where δ is the same parameter as δ-Marking Assumption (Definition 3).
123
Tardos fingerprinting codes 345
From now, we introduce two auxiliary functions B1(t) and B2,�(t) that are closely relatedto the distributions of innocent users’ scores and of pirates’ scores, respectively (see Lemmas5 and 8 in Sect. 7 for the details). For the purpose, for each 1 ≤ � ≤ c and 0 ≤ x ≤ � put
R�,x = max{
0, E[
px (1 − p)�−x (xσ(p)− (�− x)σ (1 − p))]}
,
R� = �E[(1 − p)�−1/2 p1/2
]−�−1∑
x=1
(�
x
)
R�,x ,
where the expectation values E[·] are taken over the outputs p of P . Then fix an approximatedvalue R of Rmin = min1≤�≤c R� such that 2c ≤ R ≤ Rmin. Now the two functions aredefined as follows:
B1(t) = etη + η2e−t/η
η2 + 1, B2,�(t) = 1 + et�η − 1 − t�η
�η2 − 2tR,
where log denotes the natural logarithm.Moreover, to state the main theorem, we introduce the notation
(t) = t (1 − log t)
and put
T� = B1(β�)B2,�(β)e2β� for each 1 ≤ � ≤ c,
where β > 0 is an appropriately chosen parameter (see below). It can be shown that thevalues T� are all positive and bounded below from zero (see Sect. 7). Now we give the maintheorem of this article, whose proof will be demonstrated in Sect. 7:
Theorem 1 Let 0 < ε < 1, and choose β > 0 such that N Tcm < 1. Let � be the num-
ber of pirates. Under δ-Marking Assumption (Definition 3) and No Leakage Assumption(Definition 2) we have the followings:
1. If � ≤ c, then the tracing error probability of our code, with the approximated scoringrule (2) instead of (1), is not higher than (N Tc
m). Hence our code is c-secure withε-error if (N Tc
m) ≤ ε.2. Let a > 1 such that ε ≤ ae1−a. Then our code is c-secure with ε-error if the code length
satisfies that
m ≥ − 1
log Tc
(
logN
ε+ log
a
a − 1+ log log
a
ε
)
(3)
(note that Tc < 1 by the assumption, therefore −(log Tc)−1 = | log Tc|−1).
For example, when c = 8 and N = 106 the error probability of our code of lengthm = 11, 015 is slightly lower than 10−3 under δ-Marking Assumption with = 0.01,while Tardos code with error probability ≈ 10−3 under the conventional Marking Assump-tion has length 134, 400. See Sect. 5 for further numerical examples. On the other hand, theasymptotic behavior of our code lengths will be investigated in Sect. 6.
By the theorem, the optimal value βoptimal of the auxiliary variable β is the one thatminimizes Tc (note that (t) is an increasing function for 0 < t < 1). However, it seemsinfeasible to determine the optimal β in a closed form. Instead, a heuristic argument proposesthe following formula of pretty good values of β:
βformula = 1
η2 j1log
(
1 + 2η
c(R − η j1)
)
, (4)
123
346 K. Nuida et al.
Table 1 Values of the auxiliary variable a
a 2.678 4.889 7.638 10.233 17.688 24.939 29.720
ae1−a > 0.5 0.1 0.01 0.001 10−6 10−9 10−11
where
j1 = 2.40482 · · · (5)
denotes the smallest positive zero of the 0th-order Bessel function J0(t) = ∑∞i=0(−1)i
(t/2)2i/(i !)2 of the first kind. See Tables 4 and 5 in Sect. 5 for the pretty goodness of theFormula 4. On the other hand, the Formula 3 of sufficient code lengths becomes better asthe auxiliary variable a is getting larger. However, it also seems infeasible to determine theoptimal value of a in a closed form. Instead, we give a table (Table 1) of suitable values of athat satisfy the condition ε ≤ ae1−a for some typical ε.
5 Numerical examples
This section is devoted to show numerical examples of our c-secure codes, where c variesas c = 2, 3, 4, 6, and 8, and to compare our codes with previously proposed c-secure codes[6–9].
5.1 Approximated bias distributions and scoring functions
The first part of Table 2 gives an approximation P of the bias distribution PGLc for each c,
where columns ‘p’ and ‘q’ denote, respectively, the output values and their emerging proba-bilities. Note that these distributions P are symmetric in the sense of Definition 5. Moreover,approximations Ui of values of the function σ mentioned in Sect. 3.3 are given in the secondpart of Table 2. Now the bound δ′ of the approximation error is δ′ = 0 for c ≤ 2, andδ′ = 10−5 for c ≥ 3. Finally, Table 3 gives approximated values of R and η.
Table 2 Approximationsof the bias distributionsPGL
c and bitwise scores
c p q c p q
1, 2 0.50000 1.00000 7, 8 0.06943 0.24833
3, 4 0.21132 0.50000 0.33001 0.25167
0.78868 0.50000 0.66999 0.25167
5, 6 0.11270 0.33201 0.93057 0.24833
0.50000 0.33598
0.88730 0.33201
c U0 U1 U2 U3
2 1
4 1.93187 0.51763
6 2.80590 1 0.35639
8 3.66101 1.42485 0.70182 0.27314
123
Tardos fingerprinting codes 347
Table 3 Auxiliary valuesfor our examples
c 2 3 4 6 8
R 0.50000 0.40823 0.40823 0.37796 0.36291
η 1.00000 1.93188 1.93188 2.80591 3.66102
5.2 Calculation of code lengths
Table 4 shows the corresponding code lengths of our codes under δ-Marking Assumption(Definition 3). Here we set the tolerance rate = δ′ + 2ηδ to 0.01; namely, our codes arestill c-secure even if mδ ≈ m/(200η) bits in undetectable positions are flipped or erased.The values of δ used here are: δ = 0.005 for c = 2; δ ≈ 2.58556 × 10−3 for c = 3, 4;δ ≈ 1.78017 × 10−3 for c = 6; δ ≈ 1.36437 × 10−3 for c = 8. We consider the followingfour cases:
Table 4 Length comparison under δ-Marking Assumption (where = 0.01)
c Case 1 Case 2 Case 3 Case 4 βoptimal
2 Ours 403 444 273 0.16921
(404) (444) (274)
Tardos εT 9.99 × 10−23 9.43 × 10−16 9.69 × 10−10
Tardos m 20, 400 14, 000 8, 400
% 1.98 3.17 3.25 2.97
3 Ours 1, 514 1, 646 1, 014 0.057404
(1, 630) (1, 771) (1, 091)
Tardos εT 1.98 × 10−15 1.05 × 10−15 1.00 × 10−9
Tardos m 30, 600 31, 500 18, 900
% 4.95 5.23 5.37 4.89
4 Ours 2, 671 2, 879 1, 774 0.034093
(2, 672) (2, 880) (1, 775)
Tardos εT 2.51 × 10−14 1.05 × 10−15 1.00 × 10−9
Tardos m 51, 200 56, 000 33, 600
% 5.22 5.14 5.28 4.81
6 Ours 7, 738 8, 244 5, 079 0.013798
(7, 743) (8, 249) (5, 082)
Tardos εT 1.68 × 10−14 1.05 × 10−15 1.00 × 10−9
Tardos m 115, 200 126, 000 75, 600
% 6.72 6.54 6.72 6.13
8 Ours 16, 920 17, 879 11, 015 0.0071633
(16, 934) (17, 894) (11, 024)
Tardos εT 1.26 × 10−14 1.05 × 10−15 1.00 × 10−9
Tardos m 211, 200 224, 000 134, 400
% 8.01 7.98 8.20 7.47
Code lengths in the parentheses are calculated by using βformula instead of βoptimal
123
348 K. Nuida et al.
– Case 1: N = 100c and ε = 10−11,– Case 2: N = 109 and ε = 10−6,– Case 3: N = 106 and ε = 10−3,– Case 4: N/ε → ∞, i.e., N → ∞ or ε → 0.
In Cases 1–3, we determine the code lengths by numerical calculation using the first part ofTheorem 1 instead of a slightly looser Formula 3 in the second part of Theorem 1. The codelengths shown in the first row and the second row for each c in Table 4 are calculated byusing the optimal value βoptimal of β determined by a numerical search and the Formula 4of β, respectively. This table shows that the code lengths derived from (4) are not very apartfrom those derived from βoptimal. (Note that the values of Tc are in general not explicitlycomputable on computers, and in fact here we used slightly larger approximated values. Thisdoes not violate validity of the bound of error probability, since(t) is an increasing functionfor 0 < t < 1.) An explanation for Case 4 will be given in Sect. 5.3.
Table 5 is given in a similar manner under the conventional Marking Assumption, orequivalently, δ-Marking Assumption with δ = 0. Again, the code lengths derived from (4)are not very apart from those derived from βoptimal.
Code lengths in the parentheses are calculated by using βformula instead of βoptimal
123
Tardos fingerprinting codes 349
5.3 Comparison of our code lengths with other codes
Tables 4 and 5 also compare our code lengths with lengths of Tardos codes [9]. For thecomparison, recall that Tardos’s code length is defined by m = 100c2�log(1/εT)� whereεT is the bound of false-positive probability per one innocent user. Since the false-nega-tive probability is bounded by εT
c/4 [9], the two parameters ε and εT can be related byε = 1 − (1 − εT)
N−c + εTc/4, therefore the value of εT is derived for Cases 1–3 by numer-
ical calculation. (We use the above code lengths of Tardos codes for every c, though a partof the security proof for c < 7 is not given in a full version [10] of [9] and is left to thereader.) Note that Tardos’s code lengths are calculated under the Marking Assumption evenin Table 4 where our code lengths are derived under a weaker assumption. The rows ‘%’show the percentages of our code lengths relative to Tardos codes.
For Case 4, an inequality 1 − (1 − x)k ≥ kx − k(k − 1)x2/2 for 0 < x < 1 and k ≥ 2implies that ε ≥ (N − c)εT − (N − c)(N − c − 1)εT
2/2 when N ≥ c + 2, therefore undera practically reasonable assumptions εT ≤ 1/(N − c) and ε < 1/2 we have
εT ≤1 −
√1 − 2 N−c−1
N−c ε
N − c − 1
and
log(1/εT)
log(N/ε)≥
log(N − c − 1) − log(
1 −√
1 − 2 N−c−1N−c ε
)
log(N/ε)
=log(N/ε) + log((N − c − 1)/N ) − log
((1 −
√1 − 2 N−c−1
N−c ε)/ε
)
log(N/ε).
An elementary analysis shows that the right-hand side converges to 1 when N/ε → ∞.Similarly, if N = c + 1, then we have ε ≥ εT and
log(1/εT)
log(N/ε)≥ − log ε
log N − log ε→ 1 when N/ε → ∞.
Thus the code lengths of Tardos codes in Case 4 are asymptotically at least 100c2 log(N/ε).On the other hand, the Formula 3 implies that our code lengths are asymptotically −(log Tc)
−1
log(N/ε). Thus it follows that the percentages of our code lengths relative to Tardos codesin Case 4 are at most those shown in Tables 4 and 5. These two tables show that our codeshave much shorter code lengths than Tardos codes. Moreover, our code lengths are also sig-nificantly shorter than those in [6,7], since numerical examples in [6,7] show that their codelengths are larger than 30% of Tardos codes for c ≤ 8.
On the other hand, it is proven in [8] that the lengths of Tardos codes (under MarkingAssumption) can be reduced to π2/2% ≈ 4.93% by using the symmetric scoring rule (1),provided we put a certain statistical assumption on distributions of innocent users’ scores(see [8] for the details). It is worth noticing that, despite the unconditional security of ourcodes (i.e., security without any statistical assumption on the scores), our code lengths inTables 4 and 5 are almost the same as, or even shorter than, the lengths of [8] (≈ 4.93%of Tardos codes) for many cases. Moreover, for unconditionally c-secure codes their codelengths in [8] are π2% ≈ 9.87% of Tardos codes, therefore our code lengths are shorter thantheir code lengths in every case considered above.
123
350 K. Nuida et al.
6 Asymptotic behavior of our code lengths
In this section, we investigate the asymptotic behavior of code lengths m of our c-securecodes in the limit case c → ∞. More precisely, we show that m ∼ K c2 log(N/ε) for someK < ∞ when c → ∞, and determine the constant factor K (Theorem 2). Note that thefactor K is 100 for Tardos codes under a practically reasonable assumption (see below).
6.1 The results
In our analysis, we use the following asymptotic properties of the bias distributions PGLc that
are proven in [6]:
Lemma 1 ([6]) If P = PGLc , then R = min1≤�≤c R� → 1/π and η/c → 1/j1 when
c → ∞, where j1 is defined by (5) in Sect.4.
Following Lemma 1, we choose an approximation P of PGLc for each c such thatR → 1/π ,
η/c → 1/j1 and c → 0 when c → ∞, where 0 ≤ 0 < ∞. (Although the values R,η and depend on c, we omit subscripts ‘c’ in the notations for simplicity.) In particular,η → ∞ when c → ∞. Note that0 ≤ (2π)−1 by the assumption 2c ≤ R for each c (seeSect. 4).
We use the Formula 3 for code lengths and the Formula 4 for the parameterβ. Now we haveN/ε → ∞ when c → ∞, since ε ≤ 1 and N ≥ c. Thus by (3), the ratio m/
(c2 log(N/ε)
)
converges (when c → ∞) to the same value as the limit of −(c2 log Tc
)−1 whenever thelatter converges. Since
c2 log Tc = c2 log B1(βc)+ c2 log B2,c(β)+ 2βc3,
it suffices to calculate the limit of each term in the right-hand side. Now put
A = 1 + 2η
c(R − η j1) and A0 = 1 + 2
j1
(1
π−0
)
,
therefore A → A0 > 1 when c → ∞. Then for the third term, we have
2βc3 = c2
η2 · 2c
j1log A → 2 j10 log A0 when c → ∞
For the remaining two terms we use the following lemma, which will be proven in Sect. 6.2:
Lemma 2 Let f (c) and g(c) be real-valued functions.
1. If c2( f (c)− 1) → a ∈ R when c → ∞, then c2 log f (c) → a when c → ∞.2. If f (c) → a and g(c) → 0 when c → ∞, 0 < a < ∞, and g(c) = 0 for all sufficiently
large c, then ( f (c)g(c) − 1)/g(c) → log a when c → ∞.
Owing to the first part of Lemma 2, it now suffices to determine the limits of the valuesc2(B1(βc)− 1) and c2(B2,c(β)− 1). First, we have
c2(B1(βc)− 1) = c2
η2 · η2
η2 + 1
(
Ac/(η j1) − 1 − c
η j1· A−c/(η3 j1) − 1
−c/(η3 j1)
)
.
Since A → A0 > 1 when c → ∞, the second part of Lemma 2 implies that
limc→∞ c2(B1(βc)− 1) = j1
2 · 1 · (A01 − 1 − 1 · log A0) = j1
2(A0 − 1 − log A0)
123
Tardos fingerprinting codes 351
(recall that η → ∞ when c → ∞). On the other hand, we have
c2(B2,c(β)− 1) = c
η· 1
η
(
Ac/(η j1) − 1 − c
η j1log A
)
− c2
η2 · 2Rj1
log A
Since Ac/(η j1) − 1 − (η j1)−1c log A is bounded when c → ∞, we have
limc→∞ c2(B2,c(β)− 1) = 0 − j1
2 · 2/π
j1log A0 = −2 j1
πlog A0
Hence by the first part of Lemma 2, we have
limc→∞ c2 log Tc = j1
2(A0 − 1 − log A0)− 2 j1π
log A0 + 2 j10 log A0
= − j12(A0 log A0 − A0 + 1),
therefore limc→∞ m/(c2 log(N/ε)
) = j1−2(A0 log A0 − A0 + 1)−1. The right-hand side isa decreasing function of A0 > 1, therefore an increasing function of0 ≥ 0, hence0 = 0is optimal for decreasing this value.
Summarizing, we have the following result (assuming Lemma 2):
Theorem 2 In the above setting, by putting A0 = 1 + 2/( j1π) where j1 is defined in (5),the asymptotic behavior of our code lengths m is given by
m ∼ K c2 log(N/ε) where K = 1
j12(A0 log A0 − A0 + 1)≈ 5.35310 · · ·
For a comparison with other codes, note the following relation
ε ≤ (N − c)εT + εTc/4 ≤ (N − c + 1)εT for any c ≥ 4,
therefore the same argument as Sect. 5.3 implies that
log(N/ε) + log((N − c − 1)/N ) − log((
1 −√
1 − 2 N−c−1N−c ε
)/ε
)
log(N/ε)
≤ log(1/εT)
log(N/ε)≤ log(N/ε) + log((N − c + 1)/N )
log(N/ε)
when c ≥ 4, N ≥ c + 2, εT ≤ 1/(N − c) and ε < 1/2. Under a practically reasonableassumption lim supc→∞ c/N < 1 (namely, the coalition of pirates is asymptotically notoverwhelming among all users), both the left-hand side and the right-hand side converge to1 when c → ∞. Thus the constant factor K is K = 100 for Tardos codes. On the otherhand, we have K ≈ 20.6021 for codes in [6], K ≈ 20 for codes in [1], and K ≈ 9.87 forcodes in [8] (without any statistical assumption). Theorem 2 shows that our asymptotic codelengths are significantly shorter than these codes. Note also that K ≈ 4.93 for codes in [8]under a certain statistical assumption (cf. Sect. 5.3), and that our codes attain nearly the sameasymptotic value without such an additional assumption.
6.2 Proof of Lemma 2
Here we give a Proof of Lemma 2 to complete the Proof of Theorem 2.
Proof (of Lemma 2) For the first part, note that f (c) → 1 when c → ∞ since c2( f (c) −1) is bounded. First, if the subset f −1(1) = {c | f (c) = 1} of R is bounded, thenwe have c2 log f (c) = c2( f (c) − 1) · ( f (c) − 1)−1 log f (c) for all sufficiently large c,
123
352 K. Nuida et al.
while limc→∞( f (c)− 1)−1 log f (c) = 1 by L’Hôpital’s Rule, therefore our claim follows.Secondly, if f −1(1) is not bounded, then a should be 0 since there is an infinite sequencec1, c2, . . . diverging to ∞ such that f (ci ) = 1 for all i . Now we define another function f (c)by f (c) = f (c) if f (c) = 1 and f (c) = ec−3
if f (c) = 1. This function satisfies that f (c) =1 for any c and c2( f (c)− 1) → 0 when c → ∞, since c2(ec−3 − 1) = (ec−3 − 1)/c−2 → 0when c → ∞ by L’Hôpital’s Rule. Thus c2 log f (c) → 0 when c → ∞ by the aboveargument, while we have c2 log f (c) = 0 if f (c) = 1. Hence we have c2 log f (c) → 0when c → ∞, therefore our claim follows.
From now, we prove the second part of Lemma 2. First note that, if f (c) is constantlyequal to a, then we have
limc→∞( f (c)g(c) − 1)/g(c) = lim
x→0(ax − 1)/x = log a
by L’Hôpital’s Rule. Now for a general case, for any 0 < λ < a, we have 0 < a − λ <
f (c) < a + λ for all sufficiently large c since f (c) → a when c → ∞. This implies that
(a − λ)g(c) − 1
g(c)<
f (c)g(c) − 1
g(c)<(a + λ)g(c) − 1
g(c)(6)
for any sufficiently large c. By the above argument, the left-hand side and the right-hand sideof (6) converge to log(a − λ) and log(a + λ), respectively, when c → ∞. Thus
log(a − λ) ≤ lim infc→∞
f (c)g(c) − 1
g(c)≤ lim sup
c→∞f (c)g(c) − 1
g(c)≤ log(a + λ) (7)
By taking the limit λ → 0, both the left-hand side and the right-hand side converge to log a,therefore the middle two terms are both equal to log a. This means that ( f (c)g(c) − 1)/g(c)also converges to log a.
Hence the Proof of Lemma 2 is concluded. ��
7 Proofs of Theorem 1
This section is devoted to the Proof of Theorem 1 that is the main result of this article. Thefirst subsection (Sect. 7.1) presents the outline of the proof, which involves some lemmaswithout proofs, and in the following subsections (Sections 7.2–7.7) we give the proofs ofthose lemmas.
7.1 Outline of the proof
In this subsection, we present the outline of our Proof of Theorem 1. Our proof consists of foursteps. The first step reduces the analysis of our codes under δ-Marking Assumption to thatunder Marking Assumption. This enables us to apply some techniques in preceding workson Tardos codes to the analysis here. The second step derives a bound of error probability ofour code in terms of an integral of some function. The third step gives a further bound thatis more suitable for quantitative evaluation. By using the result we conclude the proof in thefourth step. Details of the proof will be supplied in the following subsections.
7.1.1 First step
For the first step, let A be an arbitrary pirates’ attack algorithm satisfying δ-Marking Assump-tion, and let y denote a pirated codeword generated by A. Then δ-Marking Assumption states
123
Tardos fingerprinting codes 353
that y differs from any pirate’s codeword in at most δm undetectable positions. Now wemodify the bits of y in those positions to satisfy Marking Assumption. Let y′ denote theresulting pirated codeword, and let A′ be the pirates’ attack algorithm that outputs y′.
In what follows, let Si denote the score of a user ui calculated from y by the scoringrule (2), and let S′
i denote the score of ui calculated from y′ by the rule (1). Let Simax andS′
imax denote, respectively, the maximum values of Si and of S′i among the innocent users
ui . We define Spmax and S′pmax similarly for the pirates instead of innocent users. Then by
the definition of our tracing algorithm, the error probability of our code against the attackalgorithm A is not higher than the probability Pr(Spmax ≤ Simax) regardless of the way ofchoosing one output user from the users with highest score. Now the definitions of Si and S′
iimply that, for each j
|S( j)i − S′
i( j)| ≤
{δ′ + η if y j = y′
j ,
δ′ if y j = y′j ,
therefore |Si − S′i | ≤ mδ′ + δmη = m since the first case above occurs at most δm times.
Thus we have
Pr(Spmax ≤ Simax) ≤ Pr(S′pmax ≤ S′
imax + 2m),
hence the analysis is reduced to the case under Marking Assumption.
7.1.2 Second step
In the second step, we bound the right-hand side. The key lemma in our argument here is thefollowing, which will be proven in Sect. 7.2:
Lemma 3 Let g1 and g2 be two real-valued random variables on the same probability space,and G(x) = Pr(g2 ≤ x) (x ∈ R) the distribution function of g2. Let ϕ : R → R≥0 be aweakly decreasing function, where R≥0 denotes the set of non-negative real numbers, suchthat for any x1, x2 ∈ R, we have
Then Pr(g1 ≥ g2) ≤ ∫Rϕ dG, where the integral in the right-hand side is the Lebesgue-
Stieltjes integral (see e.g., [3]) with respect to the function G.
We would like to apply Lemma 3 to g1 = S′imax + 2m and g2 = S′
pmax. For definingan appropriate function ϕ (as well as for the following arguments) we need the followinglemma, which will be proven in Sect. 7.3:
Lemma 4 Recall definitions and notations in Sect.4.
1. For t > 0, B1(t) is an increasing function and B1(t) > 1.2. For each 1 ≤ l ≤ c, the function B2,�(t) (t > 0) takes the minimum value at t =
(�η)−1 log(1 + 2Rη), and B2,�(t) > 1/2.
Note that the values T� defined in Sect. 4 are positive and bounded below from zero byLemma 4.
Now, given a value β > 0, we define the function ϕ(x) by
ϕ(x) ={
N B1(β�)me−β�x+2β�m if x ≥ Z1,
1 if x ≤ Z1,
123
354 K. Nuida et al.
where
Z1 = log N + m log B1(β�)
β�+ 2m.
Since B1(β�) > 0, Z1 is well defined and ϕ(x) is positive and weakly decreasing. To showthat ϕ satisfies the condition in Lemma 3 we need the following lemma, which will be provenin Sect. 7.4:
Lemma 5 Let ui be an innocent user, and z ∈ R. Then for any fixed bias parameter P, anypirated codeword y′, and any α > 0, the score S′
i of ui calculated by the rule (1) satisfies
Pr(S′i ≥ z | P, y′) = Pr(eαS′
i ≥ eαz | P, y′)
≤ E[eαS′
i | P, y′] e−αz ≤ B1(α)me−αz,
where the conditional probabilities and the conditional expectation are taken over the randomchoices of the codeword wi of the user ui .
Note that similar results have been given in [5,7,9] for their codes. By putting α = β�
and z = x − 2m, it follows that Pr(g1 ≥ x | P, y′) ≤ ϕ(x). Now we have the followingresult, which will be proven in Sect. 7.5:
Lemma 6 For any x1, x2 ∈ R, we have Pr(g1 ≥ x1 | x1 ≤ g2 < x2) ≤ ϕ(x1) wheneverPr(x1 ≤ g2 < x2) > 0.
Thus the conditions in Lemma 3 are satisfied, therefore
Pr(S′pmax ≤ S′
imax + 2m) ≤∫
R
ϕ dG,where G(x) = Pr(S′pmax ≤ x).
7.1.3 Third step
In the previous two steps, we have obtained a bound∫
Rϕ dG of the error probability. To
evaluate the bound we need the following lemma, which will be proven in Sect. 7.6:
Lemma 7 Let ϕ : R → R≥0 be an arbitrary weakly decreasing function. Let F(x) and G(x)be arbitrary weakly increasing right-continuous functions R → R≥0 such that G(x) ≤ F(x)for all x ∈ R and limx→−∞ F(x) = 0. Then
∫Rϕ dG ≤ ∫
Rϕ d F.
Note that the function G defined above satisfies the condition in Lemma 7 by the definition.Now given a value β > 0, we define the function F(x) by
F(x) ={
B2,�(β)meβ�x if x ≤ Z2,
1 if x ≥ Z2,
where
Z2 = − m
β�log B2,�(β)
(B2,�(β) ≥ 1/2 by Lemma 4, therefore Z2 is well defined). By the definition, F is a weaklyincreasing continuous function such that limx→−∞ F(x) = 0. Moreover, we have the fol-lowing result, which will be proven in Sect. 7.7:
123
Tardos fingerprinting codes 355
Lemma 8 Fix an arbitrary pirates’ attack algorithm satisfying Marking Assumption. Let S′i
denote the score of a pirate ui calculated by the rule (1). Let S′pmax denote the maximum of
the S′i among the � pirates, and S′
psum the sum of the S′i for the � pirates. Then for any z ∈ R
and any α > 0, we have
Pr(S′pmax ≤ z) ≤ Pr(S′
psum ≤ �z) = Pr(e−αS′psum ≥ e−α�z)
≤ E[e−αS′
psum
]eα�z ≤ B2,�(α)
meα�z,
where the probabilities and the expectation values are taken over random choices of the biasparameter, the pirates’ codewords, and the pirated codeword.
Again, similar results have been given in [5,7,9] for their codes. By putting z = x andα = β it follows that G(x) ≤ F(x) (note that G(x) ≤ 1 by the definition). Thus theconditions in Lemma 7 are satisfied, hence we have
∫Rϕ dG ≤ ∫
Rϕ d F .
7.1.4 Fourth step
From now, we conclude the Proof of Theorem 1 by using the bound∫
Rϕ d F of error prob-
ability derived above. To compute the integral, note that Z1 ≤ Z2 if and only if N T�m ≤ 1.Thus under the condition N T�m ≤ 1, we have
∫
R
ϕ d F =∫
(−∞,Z1]d F +
∫
(Z1,Z2]ϕ d F +
∫
(Z2,∞)
ϕ d F
(recall that ϕ = 1 on the interval (−∞, Z1]). Note also that F is differentiable on the interval(−∞, Z2 ], F is constant on (Z2,∞), and limx→−∞ F(x) = 0. Thus by the properties ofLebesgue-Stieltjes integral, we have
∫
R
ϕ d F =∫ Z1
−∞F ′(x) dx +
∫ Z2
Z1
ϕ(x)F ′(x) dx + 0
= F(Z1)+∫ Z2
Z1
β�N T�m dx
= N T�m + β�N T�
m(Z2 − Z1) = (N T�m)
Hence the error probability of our codes, under δ-Marking Assumption with the approx-imated scoring rule (2), is not higher than (N T�m) provided the number of pirates is �and N T�m ≤ 1. Moreover, an elementary analysis shows that B2,�(β) ≤ B2,�′(β) ande2β� ≤ e2β�′ for any � ≤ �′, while B1(β�) is an increasing function for � by Lemma 4.Thus we have T� ≤ Tc for any 1 ≤ � ≤ c, while(t) is an increasing function for 0 < t ≤ 1.Hence the error probability of our code against at most c pirates is not higher than(N Tc
m)
provided N Tcm < 1. This completes the proof of the first part of Theorem 1.
From now, we prove the second part of Theorem 1. Given 0 < ε < 1, we introducean auxiliary function ε(t) = (t) − ε that is increasing, continuous and concave up for0 < t < 1. Moreover, we have limt→+0 ε(t) = −ε < 0 and limt→1−0 ε(t) = 1 − ε > 0.Thus there exists a unique 0 < t0 < 1 such that ε(t0) = 0. Now if a > 1 and ε ≤ ae1−a ,then we have
ε(ε/a) = ε
a
(1 − log
ε
a
)− ε ≥ ε
a· a − ε ≥ 0,
123
356 K. Nuida et al.
therefore t0 ≤ ε/a < 1 since ε is increasing. Moreover, put
t1 = ε
a− ε(ε/a)
′ε(ε/a)
= a − 1
a
ε
log(a/ε)> 0,
which is the x-intercept of the tangent line of the curve y = ε(x) in the x-y plane atx = ε/a. Since ε/a ≥ t0, andε(t) is increasing and concave up, we have t1 ≤ t0, thereforeε(t1) ≤ 0. Thus we have (N Tc
m) ≤ (t1) ≤ ε provided N Tcm ≤ t1, or equiva-
lently, provided the inequality (3) is satisfied. This completes the proof of the second part ofTheorem 1.
Hence the proof is concluded, assuming the lemmas used in the proof. In the followingsubsections, we give the proofs of these lemmas.
7.2 Proof of Lemma 3
Our Proof of Lemma 3 uses the following well-known facts:
Proposition 2 If ϕ is a weakly decreasing function on R, then the number of points ofdiscontinuities of ϕ is either finite or countably infinite.
Theorem 3 (Monotone Convergence Theorem) Let (�,µ) be a measurable space, {ϕi }∞i=1a sequence of measurable functions on�, and ϕ a function on�. If 0 ≤ ϕn(ω) ≤ ϕn+1(ω) forany n and any ω ∈ �, and limn→∞ ϕn = ϕ, then limn→∞
∫�ϕn dµ = ∫
�ϕ dµ (including
the case that both terms are ∞).
We start the Proof of Lemma 3. We write the common underlying probability space forg1 and g2 as�, and the values of g1 and of g2 at ω ∈ � as g1(ω) and as g2(ω), respectively.Let A ⊂ R be the set of discontinuities of ϕ, which is either finite or countably infinite byProposition 2. Then for each integer k ≥ 1, put Dk = 2−k
Z∪ A, and enumerate the elementsof Dk as · · · < d(k)−1 < d(k)0 < d(k)1 < · · · (this is possible by the above property of A). These
sets Dk satisfy that Dk ⊂ Dk+1, limi→±∞ d(k)i = ±∞ and d(k)i − d(k)i−1 ≤ 2−k for any kand i . Now we give the following lemma:
Lemma 9 In this setting, we have
{ω ∈ � | g1(ω) < g2(ω)} = limk→∞
⊔
i∈Z
{ω ∈ � | g1(ω) < d(k)i−1 ≤ g2(ω) < d(k)i },
where the symbol ‘�’ in the right-hand side means the disjoint union.
Proof First, an easy argument shows that the disjoint union in the right-hand side for eachk is equal to the set of ω ∈ � such that g1(w) < g2(w) and the interval (g1(w), g2(w)]contains a point in Dk (the largest element of (g1(w), g2(w)] ∩ Dk corresponds to d(k)i−1).Now the equality in the statement follows, since each non-empty interval (g1(w), g2(w)]contains a point of Dk for any sufficiently large k. ��
(note that the sum of Pr(d(k)i−1 ≤ g2 < d(k)i ) and Pr(g1 ≥ d(k)i−1 ≤ g2 < d(k)i ) over i ∈ Z
converges absolutely, since∑
i∈ZPr(d(k)i−1 ≤ g2 < d(k)i ) = 1)
= limk→∞
∑
i∈Z
Pr(g1 ≥ d(k)i−1 ≤ g2 < d(k)i ) ≤ limk→∞
∑
i∈Z
ϕ(d(k)i−1)Pr(d(k)i−1 ≤ g2 < d(k)i )
(we used the assumption of Lemma 3 with x1 = d(k)i−1 and x2 = d(k)i )
= limk→∞
∑
i∈Z
ϕ(d(k)i−1)µG([ d(k)i−1, d(k)i )) = limk→∞
∫
R
ϕk dµG ,
where µG denotes the measure on R induced by the function G, namely µG((x1, x2]) =G(x2) − G(x1), and ϕk = ∑
i∈Zϕ(d(k)i−1)χ[d(k)i−1,d
(k)i )
, with χB being the characteristic func-
tion of a subset B of R (in the last equality we used the definition of Lebesgue integral andthe fact ϕ ≥ 0).
Finally, we use the following lemma:
Lemma 10 In the above setting, we have ϕk ≤ ϕk+1 and limk→∞ ϕk = ϕ.
Proof The monotonicity follows from the facts that ϕ is weakly decreasing and Dk ⊂ Dk+1.For the pointwise convergence, if ϕ is not continuous at x ∈ R, then x is contained in everyDk , therefore ϕk(x) = ϕ. On the other hand, if ϕ is continuous at x , then for any λ > 0 thereis a κ > 0 such that |ϕ(x ′) − ϕ(x)| < λ whenever |x ′ − x | < 2−κ . Now for any k > κ , bychoosing i such that d(k)i−1 ≤ x < d(k)i , we have |d(k)i−1 − x | < |d(k)i − d(k)i−1| < 2−κ , therefore
|ϕk(x) − ϕ(x)| = |ϕ(d(k)i−1) − ϕ(x)| < λ. This means that limk→∞ ϕk(x) = ϕ(x). HenceLemma 10 holds. ��
Now the Monotone Convergence Theorem (Theorem 3) implies that
limk→∞
∫
R
ϕk dµG =∫
R
ϕ dµG =∫
R
ϕ dG
(the last equality is the definition of Lebesgue-Stieltjes integral). Hence the Proof of Lemma3 is concluded.
7.3 Proof of Lemma 4
For the first part of Lemma 4, we have B ′1(t) = η(etη − e−t/η)/(η2 + 1) > 0 for t > 0 since
η > 0, therefore B1(t) is increasing and B1(t) > B1(0) = 1 for t > 0. From now, we provethe second part. A straightforward analysis shows that B2,�(t) takes the minimum value for
123
358 K. Nuida et al.
t > 0 at t = t0 = (�η)−1 log(1 + 2Rη), thus it suffices to show that B2,�(t0) > 1/2. Nowwe have
B2,�(t0) = 1 + 4R2
�f (s), where f (t) = t − (1 + t) log(1 + t)
t2 ands = 2Rη
Moreover, we have the following two Lemmas:
Lemma 11 We have f (t) > −1/2 for t > 0.
Proof First, by putting g(t) = (t +2) log(t +1)−2t , a direct calculation shows that f ′(t) =g(t)t−3. Now we have g′(t) = log(t+1)+(t+1)−1−1 and g′′(t) = (t+1)−1−(t+1)−2 > 0for t > 0, therefore g′(t) > g′(0) = 0 and g(t) > g(0) = 0 for t > 0. Thus f (t) is increas-ing for t > 0, while we have limt→0 f (t) = −1/2 by L’Hôpital’s Rule. Hence the lemmaholds. ��
Lemma 12 We have R ≤ 1/2.
Proof Recall the assumption given in Sect. 4 that 2c ≤ R ≤ R�′ for all 1 ≤ �′ ≤ c.In particular, R ≤ R1 = E
[(1 − p)1/2 p1/2
]. Now the claim follows from the fact that√
(1 − p)p ≤ 1/2 for any 0 < p < 1. ��
By these two lemmas, we have B2,�(t0) > 1+ (1/�) · (−1/2) ≥ 1/2 (note that 2Rη > 0).Hence the Proof of Lemma 4 is concluded.
7.4 Proof of Lemma 5
The first step of the target equation is obvious, and the second step follows fromMarkov’s Inequality. For the third step, the independence of bits in codewords implies that
E[ eαS′i | P, y′ ] = ∏m
j=1 E[ eαS′i( j) | P, y′ ]. We define a function f (t) = teα
√(1−t)/t +
(1 − t)e−α√t/(1−t) for 0 < t < 1. Now E[ eαS′
i( j) | P, y′ ] is equal to f (p( j)) if y′
j = 1 and
to f (1− p( j)) if y′j ∈ {0, ?}. By putting λ = α/
√t (1 − t) > 0, a straightforward calculation
shows that
f ′(t) = e−α√t/(1−t)
2
((2 − λ)eλ − 2 − λ
)
(note that√(1 − t)/t = λ/α − √
t/(1 − t)), while (2 − λ)eλ − 2 − λ < 0. Thus f ′(t) < 0for 0 < t < 1, therefore f (p( j)) ≤ f (p0) and f (1 − p( j)) ≤ f (p0) since p( j) ≥ p0 and1 − p( j) ≥ p0 by the assumption that P is symmetric. Finally, we have f (p0) = B1(α) bythe choice of η. Hence Lemma 5 holds.
7.5 Proof of Lemma 6
Let wp and wi denote the collections of codewords of the pirates and of the innocent users,respectively. Then we have Pr(y′ | P, wi, wp) = Pr(y′ | P, wp) by No Leakage Assump-tion (Definition 2), while Pr(wi | P, wp) = Pr(wi | P) by the independence of users’codewords. Thus we have
123
Tardos fingerprinting codes 359
Pr(g1 ≥ x1, x1 ≤ g2 < x2)
=∑
P,wp,wi,y′; g1≥x1, x1≤g2<x2
Pr(P, wp, wi, y′)
=∑
P,wp,wi,y′; g1≥x1, x1≤g2<x2
Pr(P)Pr(wp | P)Pr(wi | P)Pr(y′ | P, wp)
=∑
P,wp,y′; x1≤g2<x2
Pr(P)Pr(wp | P)Pr(y′ | P, wp)∑
wi; g1≥x1
Pr(wi | P)
=∑
P,wp,y′; x1≤g2<x2
Pr(P, wp, y′) · Pr(g1 ≥ x1 | P, y′)
≤∑
P,wp,y′; x1≤g2<x2
Pr(P, wp, y′)ϕ(x1) = ϕ(x1)Pr(x1 ≤ g2 < x2)
(recall that Pr(g1 ≥ x1 | P, y′) ≤ ϕ(x1) by the argument before Lemma 6). This means thatLemma 6 holds. Hence the proof is concluded.
7.6 Proof of Lemma 7
In this proof, H denotes either F or G, and we write H(−∞) = limx→−∞ H(x) andH(∞) = limx→∞ H(x). Then H(−∞) = 0 by the assumption (for H = G, note that 0 ≤G ≤ F). LetµH denote the measure on R induced by H , namelyµH ((a, b]) = H(b)−H(a)for any −∞ ≤ a < b ≤ ∞. Moreover, for any n ≥ 1, define In,i = {x ∈ R | i ≤ ϕ(x) <i + 2−n} for each i ∈ 2−n
Z, 0 ≤ i < 2n , and In,2n = {x ∈ R | ϕ(x) ≥ 2n}. Then, since ϕ isnon-negative and weakly decreasing, each In,i is a (possibly empty or infinite) interval, and(In,0, In,2−n , . . . , In,2n−2−n , In,2n ) is a partition of R in decreasing order.
Put ψn = ∑0≤i≤2n iχIn,i , which is a non-negative µH -measurable simple function on R.
Then∫
Rψn dµH = ∑
2−n≤i≤2n iµH (In,i ) (including the case that both terms are ∞) by thedefinition of the integral. Put αn,0 = ∞ and let αn,i (i > 0) denote the terminal point of In,i
in the right, including the case that In,i is a right-infinite interval and αn,i = ∞. If In,i isempty, then put αn,i = αn,i−2−n . Note that αn,i is also the terminal point of In,i−2−n in theleft, therefore µH (In,i ) = H(αn,i )− H(αn,i+2−n ) for any 0 ≤ i < 2n . If In,i is empty, thenwe interpret H(αn,i ) − H(αn,i+2−n ) as 0 even if H(αn,i ) = H(αn,i+2−n ) = ∞. Similarly,we have µH (In,2n ) = H(αn,2n ) since H(−∞) = 0. Thus we have
∫
R
ψn dµH =∑
2−n≤i≤2n−2−n
i(H(αn,i )− H(αn,i+2−n ))+ 2n H(αn,2n )
=∑
2−n≤i≤2n
H(αn,i )(i − (i − 2−n)) = 2−n∑
2−n≤i≤2n
H(αn,i )
(including the case that all the terms are ∞). Since G ≤ F by the assumption, it follows that∫Rψn dµG ≤ ∫
Rψn dµF .
To complete the proof, we need the following lemma:
Lemma 13 We have ψn ≤ ψn+1 for any n, and limn→∞ ψn = ϕ.
Proof The monotonicity follows from the definitions of ψn, ψn+1 and the fact that the par-tition of R into the intervals In+1,i is a refinement of the partition into the intervals In,i . Onthe other hand, for the pointwise convergence, note that 0 ≤ ϕ(x) − ψn(x) < 2−n by the
123
360 K. Nuida et al.
definition ofψn whenever ϕ(x) < 2n . Now for any x ∈ R and any λ > 0, we have ϕ(x) < 2n
and 2−n < λ for any sufficiently large n, therefore |ϕ(x)− ψn(x)| < λ for all such n. Thismeans that ψn(x) converges to ϕ(x) when n → ∞. Hence Lemma 13 holds. ��
This lemma and Monotone Convergence Theorem (Theorem 3) imply that∫
R
ϕ dµG = limn→∞
∫
R
ψn dµG ≤ limn→∞
∫
R
ψn dµF =∫
R
ϕ dµF .
Hence the Proof of Lemma 7 is concluded.
7.7 Proof of Lemma 8
First, all the steps in the target equation except the last one are derived from Markov’sInequality and an easy argument. Thus we evaluate the value E[ e−αS′
psum ] and prove thebound E[ e−αS′
psum ] ≤ B2,�(α)m from now. In this proof, we assume for simplicity that
u1, . . . , u� are the � pirates.By No Leakage Assumption (Definition 2), the fixed pirates’ attack algorithm satisfies
that Pr(y | w, P) = Pr(y | w), wherew denotes the collection of pirates’ codewords. Thuswe have Pr(P, w, y) = Pr(P)Pr(w | P)Pr(y | w), therefore
E[ e−αS′psum ] =
∑
w
∑
y
E(P)[ e−αS′psum Pr(w | P) ] Pr(y | w), (8)
where E(P)[·] denotes the expectation value taken over random choices of P .Put x j = #{1 ≤ i ≤ � | wi, j = 1} for each 1 ≤ j ≤ m. Then, since each wi, j depends
solely on p( j) and is chosen independently of each other, we have
e−αS′psum Pr(w | P) = e−α∑m
j=1∑�
i=1 S′i( j)
m∏
j=1
�∏
i=1
Pr(wi, j | p( j))
=∏
j
(e−α∑
i S′i( j)(p( j))x j (1 − p( j))�−x j
).
Since the j-th term of the product in the right-hand side depends on p( j) but not on p( j ′) forj ′ = j , and each p( j) is chosen independently according to the same bias distribution P , wehave (for any w and y)
E(P)[ e−αS′psum Pr(w | P) ] =
m∏
j=1
E(p( j))[ e−α∑i S′
i( j)(p( j))x j (1 − p( j))�−x j ] ,
where E(p( j))[·] denotes the expectation value taken over the random values p( j) of P . Now
note that∑
i S′i( j) = Lx j ,p( j) if y j = 1 and
∑i S′
i( j) = −Lx j ,p( j) if y j ∈ {0, ?}, where
Lx,p = xσ(p)− (�− x)σ (1 − p). Then we have
E(P)[ e−αS′psum Pr(w | P) ] ≤
m∏
j=1
max∗{N0,x j , N1,x j },
where
N0,x = E(p)[eαLx,p px (1 − p)�−x
], N1,x = E(p)
[e−αLx,p px (1 − p)�−x
]
123
Tardos fingerprinting codes 361
and max∗ takes the first value N0,x j if x j = 0, the second value N1,x j if x j = �, and themaximum of N0,x j and N1,x j if 1 ≤ x j ≤ �−1. This definition of max∗ reflects the MarkingAssumption, i.e., y j should be 0 if x j = 0, and y j should be 1 if x j = �. By introducingmax∗ we have removed the dependence on y from the bound, while both N0,x j and N1,x j
depend solely on x j . Thus by substituting it into (8) we have
E[ e−αS′psum ] ≤
∑
w
m∏
j=1
max∗{N0,x j , N1,x j }
=∑
x1,...,xm
m∏
j=1
(�
x j
) m∏
j=1
max∗{N0,x j , N1,x j }
=m∏
j=1
�∑
x j =0
(�
x j
)
max∗{N0,x j , N1,x j } =(
�∑
x=0
(�
x
)
Mx
)m
,
where M0 = N0,0, M� = N1,� and Mx = max{N0,x , N1,x } for 1 ≤ x ≤ �− 1.Since |Lx,p| ≤ �η for any value p of P and any 0 ≤ x ≤ �, an elementary analysis shows
that e±αLx,p ≤ 1 ± αLx,p + r(α�η)α2Lx,p2, respectively, where r(t) = (et − 1 − t)/t2
(note that this r(t) is an increasing function, where we put r(0) = limt→0 r(t) = 1/2). Thusfor 1 ≤ x ≤ �− 1 we have
Mx ≤ E(p)[
px (1 − p)�−x]
− αE(p)[
px (1 − p)�−xLx,p
]
+ r(α�η)α2 E(p)[
px (1 − p)�−xLx,p2]
+ 2αR�,x
(recall from Sect. 4 the definition of R�,x ), while
M0 ≤ E(p)[
p0(1 − p)�−0]
+ αE(p)[
p0(1 − p)�−0L0,p
]
+ r(α�η)α2 E(p)[
p0(1 − p)�−0L0,p2]
and
M� ≤ E(p)[
p�(1 − p)�−�]
− αE(p)[
p�(1 − p)�−�L�,p]
+ r(α�η)α2 E(p)[
p�(1 − p)�−�L�,p2].
Note that∑�
x=0
(�x
)px (1 − p)�−x = 1,
∑�x=0
(�x
)px (1 − p)�−xLx,p = 0, and
∑�x=0
(�x
)px
(1 − p)�−xLx,p2 = �. Then we have
�∑
x=0
(�
x
)
Mx ≤ 1 + 2αE(p)[
p0(1 − p)�−0L0,p
]+ r(α�η)α2�+ 2α
�−1∑
x=1
(�
x
)
R�,x
= 1 − 2α�E(p)[
p1/2(1 − p)�−1/2]
+ r(α�η)α2�+ 2α�−1∑
x=1
(�
x
)
R�,x
= 1 + r(α�η)α2�− 2αR� ≤ B2,�(α).
Hence we have E[ e−αS′psum ] ≤ B2,�(α)
m , therefore Lemma 8 holds.
123
362 K. Nuida et al.
8 Conclusion
In this article, we proposed a construction of c-secure fingerprinting codes for every c, whichimproves recent discrete variants [5–7] of Tardos’s c-secure codes [9]. Our security proofwas given under an assumption weaker than the usual Marking Assumption. If we write ourcode length as K c2 log(N/ε), where N is the number of users and ε is the error probability,then the factor K converges to approximately 5.35 when c goes to infinity, and K is furthersmaller in many practical settings for c ≤ 8. Thus we have shown that our code lengths aresignificantly shorter than the lengths of c-secure codes in [5–7,9], and also shorter than thelengths of recently proposed c-secure codes [8] without the additional statistical assumptionintroduced in [8].
Acknowledgements This study has been sponsored by the Ministry of Economy, Trade and Industry, Japan(METI) under contract, New-generation Information Security R&D Program. This study has also been sup-ported by 2007 Research Grants of the Science and Technology Foundation of Japan (JSTF).
References
1. Blayer O., Tassa T.: Improved versions of Tardos’ fingerprinting scheme. Des. Codes Cryptogr. 48, 79–103(2008).
2. Boneh D., Shaw J.: Collusion-secure fingerprinting for digital data. IEEE Trans. Inform. Theory 44(5),1897–1905 (1998).
3. Carter M., van Brunt B.: The Lebesgue-Stieltjes Integral: A Practical Introduction. Springer-Verlag, Berlin(2000).
4. Guth H.-J., Pfitzmann B.: Error- and collusion-secure fingerprinting for digital data. In: Proceedings ofInformation Hiding 1999 (IH’99), LNCS 1768, pp. 134–145 (2000).
5. Hagiwara M., Hanaoka G., Imai H.: A short random fingerprinting code against a small number ofpirates. In: Proceedings of 16th Applied Algebra, Algebraic Algorithms, and Error Correcting Codes(AAECC-16), LNCS 3857, pp. 193–202 (2006).
6. Nuida K., Hagiwara M., Watanabe H., Imai H.: Optimization of memory usage in Tardos’s fingerprintingcodes. Preprint at arXiv repository. http://www.arxiv.org/abs/cs/0610036 (2006).
7. Nuida K., Hagiwara M., Watanabe H., Imai H.: Optimization of Tardos’s fingerprinting codes in a view-point of memory amount. In: Proceedings of 9th Information Hiding (IH 2007), LNCS 4567, pp. 279–293(2007).
9. Tardos G.: Optimal probabilistic fingerprint codes. In: Proceedings of the 35th Annual ACM Symposiumon Theory of Computing (STOC), pp. 116–125 (2003).
10. Tardos G.: Optimal probabilistic fingerprint codes. To appear in: Journal of the ACM. Preprint availableonline at http://www.renyi.hu/~tardos/publications.html.
