Anti-collusion fingerprinting for Multimedia W. Trappe, M. Wu, J. Wang and K.J. R. Liu, IEEE Tran. Signal Processing, Vol. 51, No. 4, April 2003

Outline  Previous works on anti-collusion fingerprinting  Traceability schemes  Frameproof codes  Combinatorial properties of c-TA and c-FPC  Tree-structured detection strategy  Code-modulation embedding and anti-collusion codes  Experiments  Conclusion

Previous works on anti-collusion fingerprinting- Traceability schemes  “Tracing Traitors”, B. Chor, A. Fiat, M. Naor, and B. Pinkas, 1994 (1998, 2000).  Traceability schemes Traitor tracing schemes A traitor tracing scheme consists of three components: A traitor tracing scheme consists of three components:

Previous works on anti-collusion fingerprinting- Traceability schemes (continue)  fully (p,k)-resilient tracing scheme Let T be a coalition of at most k users. Let A be an adversary that has a subset F of the keys of the users in T, and that is able to decrypt the content sent in the tracing traitors scheme, in time t and with probability greater that q’. The scheme is called fully (p,k)-resilient if it satisfies the security assumption: one of the following two statements holds.  Given F the data supplier is able to trace with probability at least 1-p at least one of the users in T.  There exists an adversary A’ which uses A as a black box and whose input is only an enabling block and a cipher block of the tracing traitors scheme. A’ can reveal the content that is encrypted in the cipher block in time which is linear in the length of its input and in t, and with probability at least q’’=q’.

Previous works on anti-collusion fingerprinting- Traceability schemes (continue)  fully k-resilient tracing scheme A scheme is called fully k-resilient if it satisfies definition 1.2 and it further holds that p=0.  q-threshold (p,k)-resilient tracing scheme A scheme is called q-threshold (p,k)-resilient if it satisfies definition 1 wither q’’=q’-q.

Previous works on anti-collusion fingerprinting- Frameproof codes  Frameproof codes  “Collusion-secure fingerprinting for digital data”, Dan Boneh and James Shaw, 1995 (1998)  A fingerprint is a collection of marks  A fingerprint can be thought of as a word of length L over an alphabet Σ of size s  A distributor is the sole supplier of fingerprinted objects  A user is the registered owner of a fingerprinted objects  The process of fingerprinting an object involves assigning a unique codeword over Σ L to each user

Previous works on anti-collusion fingerprinting- Frameproof codes (continue)  (l,n)-code and codebook  undetectable positions

Previous works on anti-collusion fingerprinting- Frameproof codes (continue)  feasible set e.g. A: B: B:

Previous works on anti-collusion fingerprinting- Frameproof codes (continue)  Marking Assumption any coalition of c users is only capable of creating an object whose fingerprint lies in the feasible set of the coalition  c-frameproof

Previous works on anti-collusion fingerprinting- Frameproof codes (continue)  Construction of c-frameproof codes (for binary alphabet)   0 is a (n,n)-code which is n-frameproof  0  0  The length of  0 is linear in the number of users and is therefore impractical  Use  0 to construct shorter codes

Previous works on anti-collusion fingerprinting- Frameproof codes (continue)  A set C of N words of length L over an alphabet of p letters is said to be an (L,N,D)p-ECC, if the Hamming distance between every pair of words in C is at least D.  The idea of the construction of n-frameproof code is to compose the code  0 (n) with an error-correcting code.  Let  ={w (1),…,w (p) } be an (l,p)-code and let C be an (L,N,D) p -ECC.We denote the composition of  and C by  ’.

Previous works on anti-collusion fingerprinting- Frameproof codes (continue)  be a c-frameproof (l,p)-code and C be an (L,N,D)-ECC. Let  ’ be the composition of  and C. Then  ’ is a c- frameproof code, provided D>L(1-(1/c)). Let  be a c-frameproof (l,p)-code and C be an (L,N,D)-ECC. Let  ’ be the composition of  and C. Then  ’ is a c- frameproof code, provided D>L(1-(1/c)).

Previous works on anti-collusion fingerprinting- Frameproof codes (continue)  For any positive integers p,n let L=8p log N. Then there exists a (L,N,D)2p-ECC where D>L(1-(1/p)).  For any integers n,c>0 let l=16c 2 log n.  For any integers n,c>0 let l=16c 2 log n.

Previous works on anti-collusion fingerprinting- Frameproof codes (continue)  totally c-secure code  

Previous works on anti-collusion fingerprinting- Frameproof codes (continue)  For c≥2 and n≥3 there are no totally c-secure (l,n)-codes  For c≥2 and n≥3 there are no totally c-secure (l,n)-codes →Unfortunately, when c>1,totally c-secure codes do not exist. →There is a way out of this trap: use randomness.

Previous works on anti-collusion fingerprinting- Frameproof codes (continue)  c-secure with  -error The tracing algorithm A on input x outputs a member of the coalition C that generated the word x with high probability.

Previous works on anti-collusion fingerprinting- Frameproof codes (continue)  Construction of collusion-secure codes  Construct an (l,n)-code which is n-secure with  -error for any  >0 →length of this code is n O(1) →too large to be practical  Construct an (l,n)-code which is n-secure with  -error for any  >0 →length of this code is n O(1) →too large to be practical <Theorem 2.3> <Algorithm 2.1> <Theorem 2.3> <Algorithm 2.1>  Use the code to constrct c-secure codes with  -error for n users whose length is log O(1) (n) when c=O(log n).  Use the code to constrct c-secure codes with  -error for n users whose length is log O(1) (n) when c=O(log n). <Theorem 2.4> <Algorithm 2.2> <Theorem 2.4> <Algorithm 2.2>

Previous works on anti-collusion fingerprinting- Frameproof codes (continue)  A lower bound Let  be an (l,n) fingerprinting scheme over a binary alphabet. Suppose  is c-secure with  - error. Then the code length is at least l≥1/2(c-3)log(1/  c).  A lower bound Let  be an (l,n) fingerprinting scheme over a binary alphabet. Suppose  is c-secure with  - error. Then the code length is at least l≥1/2(c-3)log(1/  c).

Previous works on anti-collusion fingerprinting- Combinatorial properties  “Combinatorial properties and constructions of traceability schemes and frameproof codes”, D. R. Stinson, R. Wei, 1997  Investigate combinatorial properties and constructions of two recent topics of cryptographic interest:  frameproof codes  traceability scheme

Previous works on anti-collusion fingerprinting- Combinatorial properties (continue)  If there exists a c-TS(k,b,v), then there exists a c-FPC(v,b).  If there exists a c-TS(k,b,v), then there exists a c-FPC(v,b).

Previous works on anti-collusion fingerprinting- Combinatorial properties (continue)  “Combinatorial properties of frameproof and traceability codes”, J. N. Staddon, D. R. Stinson, and R. Wei, 2001  c-TA (traceability)  c-IPP (identifiable parent property)

Previous works on anti-collusion fingerprinting- Combinatorial properties (continue)  Every c-TA code is a c-IPP code.

Tree-structured detection strategy

Tree-structured detection strategy (continue)  Tree-structured detection algorithm

Tree-structured detection strategy (continue)

 Experiments  Spread spectrum watermarking  A perceptually weighted watermark was added to DCT coefficients  512x512 Lenn  Avg(PSNR): 41.2 dB  n=8 c=1 #(correlation)=6 n=8 c=3 #(correlation)=8 n=128 c=1 #(correlation)=14 (128 correlations needed in a simple detection)

Tree-structured detection strategy (continue)

Code-modulation embedding and anti-collusion codes  Orthogonal modulation  n orthogonal signals  Drawback: the large number of orthogonal signals -> high computational complexity  Code modulation  The derived code matrix B=(b ij )  Code matrix C is used to derive B by using OOK or antipodal mapping derived code vector 1 derived code vector n

Code-modulation embedding and anti-collusion codes (continue)  Anti-collusion codes design a family of codevectors {c j } whose overlap with each other can identify groups of colluding users  AND-ACC Let G={0,1}. A code C={c 1,…,c n } of vectors belonging to G v is called a K-resilient AND anti-collusion code (AND- ACC) when any subset of K or fewer codevectors combined element-wise under AND is distinct from the element-wise AND of any other subset of K or fewer codevectors. Let G={0,1}. A code C={c 1,…,c n } of vectors belonging to G v is called a K-resilient AND anti-collusion code (AND- ACC) when any subset of K or fewer codevectors combined element-wise under AND is distinct from the element-wise AND of any other subset of K or fewer codevectors. e.g. a n-resilient AND-ACC -> Let C consist of all n-bit binary vectors that have only a single 0 bit. When n=4, C={1110,1101,1011,0111} e.g. a n-resilient AND-ACC -> Let C consist of all n-bit binary vectors that have only a single 0 bit. When n=4, C={1110,1101,1011,0111}

Code-modulation embedding and anti-collusion codes (continue)  BIBD A (v, k,λ) balanced incomplete block design (BIBD) is a pair (X,A), where A is a collection of k-element subsets (blocks) of a v-element set X, such that each pair of elements of X occur together in exactly λblocks.  Let (X,A) be a (v,k,1)-BIBD and M the corresponding incidence matrix. IF the codevectors are assigned as the bit comlement of the columns of M, then the resulting scheme is a (k-1)-resilient AND-ACC  Let (X,A) be a (v,k,1)-BIBD and M the corresponding incidence matrix. IF the codevectors are assigned as the bit comlement of the columns of M, then the resulting scheme is a (k-1)-resilient AND-ACC

Code-modulation embedding and anti-collusion codes (continue)  e.g. (7,3,1)-BIBD provides 2-resiliency w 1 =-u 1 -u 2 +u 3 -u 4 +u 5 +u 6 +u 7 w 2 =-u 1 +u 2 -u 3 +u 4 +u 5 -u 6 +u 7

Code-modulation embedding and anti-collusion codes (continue)   Comparison   (7,3,1)-BIBD AND-ACC: β=n/v=7/7=1 2-resiliency the trivial AND-ACC: β=n/v=7/7=1 7-resiliency   (v, k,λ)-BIBD AND-ACC: β>=1 β<<1   (v, k,λ)-BIBD AND-ACC: codelength=O(kn 1/2 ) k-1 resiliency Boneh & Shaw: codelength=O(log 4 nlog 2 (1/  ))  <1/n trace 1 colluder K-resiliency with K<=log n

Code-modulation embedding and anti-collusion codes (continue)  Detection strategies

Code-modulation embedding and anti-collusion codes (continue)  Goal: estimate Φ efficiently  Detection algorithm 1. hard detection 2. adaptive sorting approach 3. sequential algorithm hard detectionadaptive sorting approachsequential algorithmhard detectionadaptive sorting approachsequential algorithm

Experiments  ACC simulations with Gaussian signals  (16,4,1)-BIBD n=20 K=4-1=3  N=10000  Randomly select 3 users as colluders and averaged their marked content to produce y  放 C=

Experiments (continue)  Wnr 圖

Experiments (continue)  ACC experiments with images  Use spread spectrum watermarking  The perceptually weighted watermark is added to 8x8 DCT block coefficients  n=20 K=3 v=16  512x512 Lenna and Baboon images  Average PSNR of the fingerprinted images: Lenna: 41.2dB Baboon: 33.2dB

Experiments (continue) 圖圖圖圖

Conclusion  The tree-based detection algorithm reduce the amount of correlations from linear to logarithmic  Code modulation fingerprint does not require as many basis signals as orthogonal modulation  ACCs have the property that the composition of any subset of K or fewer codevectors is unique  Sequential detection scheme provides the most promising balance between capturing colluders and placing innocents

Previous works on anti-collusion fingerprinting-  0   0 the (n,n)-code containing all n-bit binary words with exactly one 1 the (n,n)-code containing all n-bit binary words with exactly one 1 e.g.  0 (3)={100,010,001} e.g.  0 (3)={100,010,001}

Previous works on anti-collusion fingerprinting-Lemma 2.1

Previous works on anti-collusion fingerprinting-Theorem 2.1  By lemma 2.2 we know that there exists a (L,n,L(1-1/c))2c-ECC for L=8c log n. Combining this with the code  0 (2c) and lemma 2.1 we get a c-frameproof code for n users whose length is 2cL=16c 2 log n

Previous works on anti-collusion fingerprinting-Theorem 2.2

Previous works on anti-collusion fingerprinting-Theorem 2.3  For n≥3 and  >0 let d=2n 2 log(2n/  ). The fingerprinting scheme  0 (n,d) is n-secure with  -error.

Previous works on anti-collusion fingerprinting-Algorithm 2.1

Previous works on anti-collusion fingerprinting-Theorem 2.4  Given integers N, c, and  >0 set n=2c, L= 2c log(2N/  ), and d=2n 2 log(4nL/  ). Then,  ’(L,N,n,d) is a code which is c-secure with  -error. The code contains N words and has length l=O(Ldn)=O(c 4 log(N/  ) log(1/  )) l=O(Ldn)=O(c 4 log(N/  ) log(1/  ))

Previous works on anti-collusion fingerprinting-Algorithm 2.2

Code-modulation embedding and anti-collusion codes- Theorem 4.1

Code-modulation embedding and anti-collusion codes-hard detection

Code-modulation embedding and anti- collusion codes-adaptive sorting approach

Code-modulation embedding and anti- collusion codes-sequential algorithm