PERFORMANCE OF RANDOM FINGERPRINTING CODES UNDER ARBITRARY NONLINEAR ATTACKS Pierre Moulin and Negar Kiyavash Beckman Inst., Coord. Sci. Lab and ECE Department University of Illinois at UrbanaChampaign, USA ABSTRACT This paper analyzes the performance of arbitrary nonlinear collusion attacks on random ﬁngerprinting codes. We derive the error exponent of the ﬁngerprinting system, which determines the exponential decay of the error probability. A Gaussian ensemble and an expurgated Gaussian ensemble of codes are considered. The collusion attacks include orderstatistics attacks as special cases. In our model, a correlation detector is used. The colluders create a noisefree forgery by applying an arbitrary nonlinear mapping to their individual copies, and next they add a Gaussian noise sequence to form the ﬁnal forgery. The colluders are subject to a meansquared distortion constraint between host and forgery. We prove that the uniform linear averaging attack outperforms all others.
Index Terms: Digital ﬁngerprinting, coding, detection performance, nonlinear signal processing. 1. INTRODUCTION Digital ﬁngerprinting systems can be used for traitor tracing or digital rights management applications. A length realusers. valued signal is to be protected and distributed to Some of the users ( of them) may collude and process their copies to create a forgery that contains only weak traces of their ﬁngerprints. This problem was ﬁrst posed by Cox et al. [1] who proposed the use of Gaussian ﬁngerprints for this purpose. Speciﬁcally, their ﬁngerprints were drawn randomly from an i.i.d. Gaussian distribution; the ﬁngerprint code is shared with the detector but not revealed to the users. A fundamental question is what are the optimal performance limits for detection of colluders. To make the problem nontrivial, one may assume embedding distortion constraints on the ﬁngerprinter and the colluders. Example of this analysis include [2, 3] for the case of signals deﬁned over ﬁnite alphabets, and [4, 5, 6] for the case of realvalued signals. In the latter case, an obvious (but not necessarily optimal) strategy for the colluders is to perform a uniform linear average of their copies and add i.i.d. Gaussian noise; this strategy was examined in the above papers. Possible improvements for the attackers consist of developing (nonlinear) orderstatistics attacks, as proposed by Stone [7]. Computer simulation results
This research was supported in part by NSF grant CCR 0325924.
1424407281/07/$20.00 ©2007 IEEE
for seven orderstatistics collusion attacks have been reported in [7, 8, 9], sometimes with conﬂicting ﬁndings. Our study aims at developing a comprehensive detectiontheoretic analysis of collusion attacks and identifying an optimal strategy for the colluders. The analysis is rooted in largedeviations theory. Initial results were reported in [10] for the class of orderstatistics attacks, assuming a correlation detector and constraining the meansquared distance between the host and the forgery. Under those assumptions, we proved that the uniform linear averaging strategy is optimal for the colluders in the class of orderstatistics attacks. The analysis is extended in this paper to a broader class of nonlinear attacks. In our problem setup, two random ensembles of ﬁngerprinting codes are considered. The ﬁrst one is the same as the one used by Cox [1] and other researchers and is shown to be less performant than the second one, which is an expurgated ensemble (bad codes are eliminated). The detector has access to a forgery as well as to the host signal (nonblind detection) and performs a binary hypothesis test on each user to determine whether that user was involved in the forgery. The cost functions in this problem are the detector’s typeI and typeII probabilities of error, which the colluders want to maximize. Throughout this paper, we use boldface uppercase letters to denote random vectors, uppercase letters for the components of the vectors, and calligraphic fonts for sets. We use the symbol to denote mathematical expectation. For any collection of samples , we denote by the restriction of this collection to its elements . and (asymptotic The symbols and equality) mean that , respectively. The symbol denotes asymp. totic equality on the exponential scale: Of course, one may have and simultaneously. The Gaussian distribution with mean zero is denoted by . and variance
$
!
&
(
"
$
$
"
!
0
,

/
0
2
4
6
*
(
$
"
"
:
0
8
=
,

/
0
2
4
6
;
:
8
;
0
:
0
$
(
:
$
@
8
!
8
"
"
$
,
$
&
(
A
!
*
(
"
,
$
$
A
"
(
$
$
!
"
"
!
"
"
$
E
F
G
"
=
E
F
2. PROBLEM STATEMENT The mathematical setup of the problem is diagrammed in Fig. 1.
II 157
ICASSP 2007
O
P
Q
R
S
T
V
T
P
Q
W
Y
is the th order statistic of the vector , where and is parameterized by the vector . The fairness and separation conditions (1) and (2) are satisﬁed and the sequence is symmetric. provided that The special case of reduces to the popular uniform linear averaging attack, $
i
j
"
«
j o
$
v
"
:
8
¦
M
!
W _
i
W
\
`
a
l
0
®
ª
b
c
\
Q
Q
S
]
ª
@
l o
°
^ M
@
d
T e
R
S
T
f
³
ª
ª
[
P
R
Q
\
]
h
±
ª
[
@
i
n
f (.) n
o
§
N
$
v
!
" 0
v
v
M
¶
If the attackers can retrieve the original signal , they will succeed in defeating the detector. It is therefore useful to view as an estimator of based on the copies available to the coalition . The meansquared distortion of the forgery relative to is given by p
i
m
$
!
o m
0
"
v
p
M
p
Fig. 1. The ﬁngerprinting process and the attack channel.
(4) ¸
F
p
¸
is the average distortion per sample introduced by where the coalition. Under the attack model (1) (2), we have
2.1. Fingerprint Generation and Embedding in , The host signal is a sequence viewed as deterministic but unknown to the colluders. Fingerprints are added to , and the marked copies of the signal users. Speciﬁcally, user is assigned a are distributed to marked copy where and is the ﬁngerprint assigned to user . form a ﬁngerprintThe ﬁngerprints ing code . The code is selected independently of from a random ensemble of codes, , such that $
$
$
@
0
p
"
r
"
r
"
p
$
u
F
and thus
p
¸
!
0
"

F
z
. The difference
½
F E
F
@
@
v
w
p
z

w
¸
(5)
$
F
F
E
!
0
"

0

w
u
$


"
p
represents the meansquared estimation error. For the Gaussian ensemble , the meansquared estimation error (5) is minimized by the uniform linear averaging . In this case,
!
0
¸
(6)
F
F
v w
p
F

E
z
2.3. Detector
w
i.e., the expected meansquared distortion is equal to . The of codes considered in this paper are random ensembles invariant to permutations of users ( ) and samples ( ).
2.2. Attack Model
We study the nonblind scenario where the host signal is available at the detector and can be subtracted from , to form the centered content . The detector performs a binary hypothesis test to determine whether a speciﬁc user’s mark is present. The detector knows neither the mapping nor even the number of colluders . When focused on user , our detector computes the correlation statistic below and compares it with a threshold : p
p
!
0
The attacks are of the form
(1)
$
!
" 0
v
z
À
w
$
"
Â
Å
where , the coalition, is the index set of the colluding users. . Moreover the noise The coalition has cardinality is i.i.d. and is independent of . in (1) is symmetric in The mapping its arguments, i.e., any permutation of the index set does not change the value of . We view as a “noisefree forgery” to which noise is added to form the actual forgery, . The symmetry requirement on represents a fairness condition: all members of the coalition incur equal risk. Ansatisfy the separation condition other requirement is that
$
"
"
ÆÇ
$
$
$
À
w
"

Ã
"
p

Ã
w
!
0
"

z
Â
w
$
Å
È
$
G
"
=
E
F
v
0
!
0
¢
0
u
u
!
0
!
0
!
!
0
0
(7) where and respectively denote the “guilty” and “innocent” hypotheses. The threshold trades off the typeI and typeII probabilities of error. The detector assumes on , and this is reﬂected in the choice an upper bound of (see below). The detector (7) does not know the mapping used by the colluders or even the exact number of colluders. However the detector’s performance generally depends on these quantities. For any given user , the possible error events are a false positive (incorrectly declaring the user to be guilty) or a false negative (incorrectly declaring the user to be innocent). For any ﬁxed , the corresponding typeI and typeII Å
$
"
Å
È
$
"
Â
É
Ê
Ì
Â
!
$
!
" 0
v
(2)
$
!
" 0

z
p
An example is the order statistic attack
¦
§
$
$ $
@
!
0
"
v
"
« "
8
¨
:
(3)
ª
II 158
0
error probabilities are given by and , where the average is with respect to the random ensemble of codes and the noise . By our invariance assumptions, these probabilities are independent of and . The overall typeI and typeII error probabilities (worst case over all ) are given by $
$
Æ
Í
Î
"
!
Í
Ï
À
w
"
Ç
$
$
³
Â
Ñ
Í
Î
Î
"
!
Í
Ï
À
w
"
Â
Ñ
of the form for some . Lemma 2. Any mapping satisfying the fairness and separation conditions (1) and (2) is of the form where denotes the uniform linear averaging mapping, is the vector of , , and centered order statistics: is an arbitrary mapping. $
$
$
$
$
@
!
0
"
«
!
"
«
"
!
"
«
"
¦
¢
!
u
u
!
$
!
"
«
$
(
$
$
¦
!
Ê
"
«
z
"
«
!
Ê
"
«
°
«
¶
«
@
«
«
«
:
¦
(
8
¢
$
$
Æ
Í
Î
"
!
Í
Ï
/
Õ
Ö
/
Õ
Ö
À
w
"
u
u
Â
×
w
¶
×
Example: for odd . Under the assumptions above, we deﬁne a compact set of feasible mappings ; this set is is convex. (
$
$
¦
"
«
"
«
z
(8) $
@
Ù
Ø
Í
Î
"
!
z
Ç
$
«
:
:
F
8
8
!
$
Í Î
" Î
!
Í
Ï
/
Õ
Ö
/
Õ
w
Ö
¶
À
" w
Â
3. GAUSSIAN ENSEMBLE
(9) $
Ù
Í Ø
Î
" Î
!
Consider the Gausssian ensemble , in which random codes are obtained by drawing ﬁngerprint i.i.d. . Deﬁne the ﬁve random components variables
where the upper bounds follow from the union bound. Detection is said to be reliable if (8) and (9) are small enough.
@

w
$
"
w
G
"
=
$
2.4. Background on Large Deviations È
$
$
Consider a sequence of i.i.d. random variables , drawn from a distribution with zero mean and . Denote by the cumulantvariance generating function for . Recall that and . Of interest are limiting forms (as ) of the probability
w
!
"
"
$
@
Ú
Û
"
6
$
$
! w
"
"
6
Ü
$
Ü
w
E
F
Ü
Ý
"
Þ
,
A
à
á
Ü
$
Ú
Ü
Ý
"
È
È
$
=
Ý
â
"
=
Ú
z
=
Ü
$
¢
Ý
â
â
"
=
E
6
6
ä
F
Ü
Ü
0
Ú
z
6
6
By our assumptions on and , the distributions of these random variables do not depend on and . In particular, . It may be shown that !
§
$
ç
è
Ï
Ú å
"
(10)
ç
0 Æ
Í
à
ê
ëí
: Æ
é
8
=
î
æ
$
¨
Õ
where is the large deviations [11]. By Cramer’s theorem, the function associated with upper bound (10) is tight in the exponent as . If , then . Moreover, for any : ç
$
ç
$
"
E
F
$
È
Ý
ð
"
ñ
ò
ó
"
Þ
Ý
Ü
"
¢
G
"
=
ç
F
E
Ú
³
=
Ú
Ý
ð
ä
$
"
Û
î
Ü
Ü
õ
Ü
í
F
ö
ç
õ
ç
$
*
(11)
ç F
¢
ð
Ý
6
6 6
6
Ü
$
Ü
È
ô
Û
Û
Þ
Ü
á
È
"
Õ ÷
= ñ
Ü
Finally, note that , Gaussian, even if Proposition 1. Let ensemble , we have È
!
,
.
6
!
Ê
,
È
and
Ú
6
6
0
Â
. For the Gaussian
"
¦
=
are non
Ú
6
$
&
(
E F
Ü
$ Â
only via . i.e., the exponent in (10) depends on The upper bound (10) is an application of Markov’s inequality and remains valid if itself is a function of . When is small enough, speciﬁcally where , the Central Limit Theorem (CLT) applies, and we have a sharper Moreover these bounds are tight in the exponent as . result, namely, the asymptotic equality Proof. The test statistic in (7) takes the form of a sum of i.i.d. random variables and under hypotheses and , respectively. Therefore and satisfy the largedeviations bound (10). Proposition 2. In the limit as , where . we have the asymptotic equalities ð
Í
Î
"
!
û
Ö
ó
)
2
Ü
E
4
Ý
Ü
Û
+

/
0
Ü
$
Â
ç
Ù
ð
Í
Î
Î
"
!
û
Ö
ü
ó
Ý
Ø
Ü
ç
ç
5

/
&
×
×
ù
ý
F
é
¢
ª
ä
ª
À
w
$
"
È
$
Ú
"
Ú
$
"
0
Å
È
Å
$
6
6
§
$
*
è
ú
F
Í
"
!
Ç
Ù
Ú
å
"
×
$
$
$
³
F
Ï
Î
Æ
Í
Ø
û
Ö
ó
ü
÷
Æ
ª
ª
Í
Ü
E
Ï
À
w
"
Â
Ñ
Í
Î
Î
"
!
Í
Ï
À
w
"
E
F
Ü
ý
æ
¨
ª
Â
Ñ
7
8
½
¢
ú
$
þ
ÿ
4
÷
³
÷
×
"
ä
$
"
F
û
Ö
ó
F
É
Ê
Ì
é
2.5. Memoryless Attacks
$ $
"
³ ³
* Â
F Â
"
F Â
ð
$

÷
+ Ü
Lemma 1. For permutationinvariant and the correlation detector , there is no loss of optimality in restricting the colluders’ strategies to memoryless mappings, i.e., to
2
Ý
÷
÷
/ 0
Õ
" E
E F
F
F É
Ê
Ì
À
w
$
@
F
"
!
* Â
Â
Ù
Ù
ð
Ý Ø
Ü
5

Ø
÷
÷
/
0
E F
E F
É
II 159
F Ê
Ì
Proof. Recalling the range of in Prop. 1, we see that the arguments of the largedeviations functions and above vanish as . The claim follows from (11). Prop. 1 states that the error exponents depend on the nonlinear mapping selected by the colluders, and therefore . detection performance strongly depends on as However, as indicated by Prop. 2, that exponential depenand , dency vanishes for large . For ﬁxed values of one can resort to numerical simulations [7, 8, 9]. However, for ﬁxed , the Central Limit Theorem arguments advanced . We conclude this in [8, 9] are not applicable as section with Prop. 3 which establishes a fundamental relationship between , and , guaranteeing reliable detection for the random ensemble . Proposition 3. For the Gaussian ensemble , reliable detection is guaranteed provided that . Proof: follows from Props. 1, 2, and (8), (9). Â
Ý
Ý
ð
Ü
¢
+

ð
/
Ü
5

/
ä
7
!
¢
probability that the procedure is still unsuccessful after trials is only . and Proposition 4. Assume . For the expurgated ensemble , the typeI and typeII error probabilities satisfy ç
$
@
"
Û
0
î
&
"
0
¦
=
Â
$
&
(
=
,
É
Ê
A
Ì
ä
!
$
(14)
$ ú Â
@
Â
F
Ù
Í
Î
"
!
Ø
" B
<
0
û
Ö
ó
ü
÷
E E
F
ý
@
$
ú
D
$ @
¢
É
Ê
Í
Î
Î
"
!
"
<
0
Â
H
ä
E
F
F
@
F
L
(15)
Ì
Ù
û
Ö
ó
J
÷
Ø
Â
E
F
&
F
,
É
Ê
A
Ì
Proposition 5. For the expurgated ensemble , the error exponents in (14) and (15) are minimized by with . and , the detection bounds (14) and Proof. Given , it follows from (6) that (15) are independent of . Given with simultaneously maximizes and , and therefore minimizes the error exponents (14) and (15). For any ﬁxed , the error exponents in (14) and (15) are uniformly better than those obtained by drawing codes from the Gaussian ensemble. The colluders can choose such . that the exponents in Prop. 1 are worse than those for
!
É
Ê
!
Ê
Ì
4. EXPURGATED GAUSSIAN ENSEMBLE
E
¸
!
The problem with the Gaussian ensemble of Sec. 3 is that error probability (which is obtained by averaging over all codes in ) may be dominated by bad codes. This is a standard problem in information theory for the design of lowrate codes, for which performance is dictated by minimumdistance considerations, and the bad codes are the ones with poor minimum distance [12]. Improvements can be obtained using expurgation techniques, i.e., removing bad codes from the random ensemble. We apply a similar idea to our ﬁngerprinting problem and show that performance can indeed be improved for any ﬁnite if we pick judiciously rather than drawing it randomly from . The derivations are much more technical than the ones given in Sec. 3 and will be presented elsewhere. The basic ideas are sketched below. is known to the detector, the Since the code quantity in (7) may be viewed as a deterministic functional of the unknown rather than as a random variable. is the Gaussian The only source of randomness in noise which follows a distribution. . Let be the probability Choose a sequence that a code drawn from the iid Gaussian distribution satisﬁes the conditions below for all , and let be the ensemble of such codes, which we call the expurgated ensemble.
!

w
!
0
"

=
F
Ãw
&
@
<
0
Û
$
$
(12) [9] Z.J. Wang, M. Wu, H. Zhao, W. Trappe, and K.J.R. Liu, “Anti
×
F
é
À
w
"
Ñ
Ñ

Ã
!
0
"

Ñ
<
0
Â
E
é
w
Collusion Forensics of Multimedia Fingerprinting Using Orthogonal Modulation,” IEEE TIP, Vol. 14, No. 6, pp. 804—821, June 2005.
Ç
$
³
×
F
é
Ñ
À
w
"
Ñ
<
0
Â E
é
(13)
We have proved that tends to 1 as , provided that . This suggests the following procedure for selecting a code from . Pick a code randomly from the iid Gaussian ensemble and check whether this code satisﬁes (12) and (13). If it does, use that code. If it does not, discard it and repeat the above procedure until the it is successful. The ¢
Û
0
&
=
É
,
Ê
A
Ê
[8] H. Zhao, M. Wu, Z. Wang and K. J. R. Liu, “Forensic Analysis of Nonlinear Collusion Attacks for Multimedia Fingerprinting,” IEEE TIP, Vol. 14, No. 5, pp. 646—661, May 2005.
[7] H. S. Stone, “Analysis of Attacks on Image Watermarks With Randomized Coefﬁcients,” NEC TR 96045, Princeton, NJ, 1996.
Ç
Ñ
0
[6] P. Moulin and A. Briassouli, “The Gaussian Fingerprinting Game,” Proc. CISS’02, Princeton, NJ, March 2002.
$
E
[5] F. Ergun, J. Kilian and R. Kumar, “A Note on the Bounds of Collusion Resistant Watermarks,” Proc. EUROCRYPT, pp. 140—149, 1999.
$
E
[4] J. Kilian, F. T. Leighton, L. R. Matheson, T. G. Shamoon, R. E. Tarjan, and F. Zane, “Resistance of digital watermarks to collusive attacks,” Proc. ISIT, p. 271, Cambridge, MA, 1998.
"
[3] A. SomekhBaruch and N. Merhav, “On the Capacity Game of Private Fingerprinting Systems Under Collusion Attacks,” Proc. IEEE Int. Symp. on Information Theory, Yokohama, Japan, p. 191, July 2003.
"
G
Ì
[2] P. Moulin and J. A. O’Sullivan, “InformationTheoretic Analysis of Information Hiding,” IEEE TIT, Vol. 49, No. 3, pp. 563—593, 2003.
!

Ê
[1] I. J. Cox, J. Killian, F. T. Leighton and T. Shamoon, “Secure Spread Spectrum Watermarking for Multimedia,” IEEE TIP, Vol. 6, pp. 1673—1687, Dec. 1997. (Also NEC Tech. Rep. 9510, 1995).
É
5. REFERENCES
Ãw
w
!
À
!
$

7
Ê
ä
[10] N. Kiyavash and P. Moulin, “A Framework for Optimizing Nonlinear Collusion Attacks on Fingerprinting Systems,” Proc. Conf. on Information Systems and Science, Princeton, NJ, March 2006.
Ì
[11] A. Dembo and O. Zeitouni, Large Deviations Techniques and Applications, 2nd ed., SpringerVerlag, New York, 1998. [12] R. G. Gallager, Information Theory and Reliable Communication, Wiley, NY, 1968.
II 160