PERFORMANCE OF RANDOM FINGERPRINTING CODES UNDER ARBITRARY NONLINEAR ATTACKS

Pierre Moulin and Negar Kiyavash
Beckman Inst., Coord. Sci. Lab and ECE Department
University of Illinois at Urbana-Champaign, USA

ABSTRACT
This paper analyzes the performance of arbitrary nonlinear collusion attacks on random fingerprinting codes. We derive the error exponent of the fingerprinting system, which determines the exponential decay of the error probability. A Gaussian ensemble and an expurgated Gaussian ensemble of codes are considered. The collusion attacks include order-statistics attacks as special cases. In our model, a correlation detector is used. The colluders create a noise-free forgery by applying an arbitrary nonlinear mapping to their individual copies, and next they add a Gaussian noise sequence to form the final forgery. The colluders are subject to a mean-squared distortion constraint between host and forgery. We prove that the uniform linear averaging attack outperforms all others.
Index Terms: Digital fingerprinting, coding, detection performance, nonlinear signal processing.

1. INTRODUCTION
Digital fingerprinting systems can be used for traitor tracing or digital rights management applications. A length- real-valued signal is to be protected and distributed to users. Some of the users ( of them) may collude and process their copies to create a forgery that contains only weak traces of their fingerprints. This problem was first posed by Cox et al. [1] who proposed the use of Gaussian fingerprints for this purpose. Specifically, their fingerprints were drawn randomly from an i.i.d. Gaussian distribution; the fingerprint code is shared with the detector but not revealed to the users. A fundamental question is what are the optimal performance limits for detection of colluders. To make the problem nontrivial, one may assume embedding distortion constraints on the fingerprinter and the colluders. Examples of this analysis include [2, 3] for the case of signals defined over finite alphabets, and [4, 5, 6] for the case of real-valued signals. In the latter case, an obvious (but not necessarily optimal) strategy for the colluders is to perform a uniform linear average of their copies and add i.i.d. Gaussian noise; this strategy was examined in the above papers. Possible improvements for the attackers consist of developing (nonlinear) order-statistics attacks, as proposed by Stone [7]. Computer simulation results for seven order-statistics collusion attacks have been reported in [7, 8, 9], sometimes with conflicting findings.

Our study aims at developing a comprehensive detection-theoretic analysis of collusion attacks and identifying an optimal strategy for the colluders. The analysis is rooted in large-deviations theory. Initial results were reported in [10] for the class of order-statistics attacks, assuming a correlation detector and constraining the mean-squared distance between the host and the forgery. Under those assumptions, we proved that the uniform linear averaging strategy is optimal for the colluders in the class of order-statistics attacks. The analysis is extended in this paper to a broader class of nonlinear attacks.

In our problem setup, two random ensembles of fingerprinting codes are considered. The first one is the same as the one used by Cox [1] and other researchers and is shown to perform worse than the second one, which is an expurgated ensemble (bad codes are eliminated). The detector has access to a forgery as well as to the host signal (nonblind detection) and performs a binary hypothesis test on each user to determine whether that user was involved in the forgery. The cost functions in this problem are the detector's type-I and type-II probabilities of error, which the colluders want to maximize.

Throughout this paper, we use boldface uppercase letters to denote random vectors, uppercase letters for the components of the vectors, and calligraphic fonts for sets. We use the symbol to denote mathematical expectation. For any collection of samples , we denote by the restriction of this collection to its elements . The symbols and (asymptotic equality) mean that , respectively. The symbol denotes asymptotic equality on the exponential scale: Of course, one may have and simultaneously. The Gaussian distribution with mean zero and variance is denoted by .

This research was supported in part by NSF grant CCR 03-25924.
1424407281/07/$20.00 ©2007 IEEE
2. PROBLEM STATEMENT
The mathematical setup of the problem is diagrammed in Fig. 1.
ICASSP 2007
Fig. 1. The fingerprinting process and the attack channel.

2.1. Fingerprint Generation and Embedding
The host signal is a sequence in , viewed as deterministic but unknown to the colluders. Fingerprints are added to , and the marked copies of the signal are distributed to users. Specifically, user is assigned a marked copy where and is the fingerprint assigned to user . The fingerprints form a fingerprinting code . The code is selected independently of from a random ensemble of codes, , such that

i.e., the expected mean-squared distortion is equal to . The random ensembles of codes considered in this paper are invariant to permutations of users ( ) and samples ( ).

2.2. Attack Model
The attacks are of the form
(1)
where , the coalition, is the index set of the colluding users. The coalition has cardinality . Moreover the noise is i.i.d. and is independent of . The mapping in (1) is symmetric in its arguments, i.e., any permutation of the index set does not change the value of . We view as a “noise-free forgery” to which noise is added to form the actual forgery, . The symmetry requirement on represents a fairness condition: all members of the coalition incur equal risk. Another requirement is that satisfy the separation condition
(2)
An example is the order statistic attack
(3)
where is the -th order statistic of the -vector , and is parameterized by the vector . The fairness and separation conditions (1) and (2) are satisfied provided that and the sequence is symmetric. The special case of reduces to the popular uniform linear averaging attack,

If the attackers can retrieve the original signal , they will succeed in defeating the detector. It is therefore useful to view as an estimator of based on the copies available to the coalition . The mean-squared distortion of the forgery relative to is given by
(4)
where is the average distortion per sample introduced by the coalition. Under the attack model (1), (2), we have

and thus

. The difference
(5)
represents the mean-squared estimation error. For the Gaussian ensemble , the mean-squared estimation error (5) is minimized by the uniform linear averaging . In this case,
(6)

2.3. Detector
We study the nonblind scenario where the host signal is available at the detector and can be subtracted from , to form the centered content . The detector performs a binary hypothesis test to determine whether a specific user’s mark is present. The detector knows neither the mapping nor even the number of colluders . When focused on user , our detector computes the correlation statistic below and compares it with a threshold :
(7)
where and respectively denote the “guilty” and “innocent” hypotheses. The threshold trades off the type-I and type-II probabilities of error. The detector assumes an upper bound on , and this is reflected in the choice of (see below). The detector (7) does not know the mapping used by the colluders or even the exact number of colluders. However the detector’s performance generally depends on these quantities. For any given user , the possible error events are a false positive (incorrectly declaring the user to be guilty) or a false negative (incorrectly declaring the user to be innocent). For any fixed , the corresponding type-I and type-II error probabilities are given by and , where the average is with respect to the random ensemble of codes and the noise . By our invariance assumptions, these probabilities are independent of and . The overall type-I and type-II error probabilities (worst case over all ) are given by
(8)
(9)
where the upper bounds follow from the union bound. Detection is said to be reliable if (8) and (9) are small enough.

2.4. Background on Large Deviations
Consider a sequence of i.i.d. random variables , drawn from a distribution with zero mean and variance . Denote by the cumulant-generating function for . Recall that and . Of interest are limiting forms (as ) of the probability

It may be shown that
(10)
where is the large deviations function associated with [11]. By Cramér's theorem, the upper bound (10) is tight in the exponent as . If , then . Moreover, for any :
(11)
i.e., the exponent in (10) depends on only via . The upper bound (10) is an application of Markov’s inequality and remains valid if itself is a function of . When is small enough, specifically where , the Central Limit Theorem (CLT) applies, and we have a sharper result, namely, the asymptotic equality

2.5. Memoryless Attacks
Lemma 1. For permutation-invariant and the correlation detector , there is no loss of optimality in restricting the colluders’ strategies to memoryless mappings, i.e., to of the form for some .

Lemma 2. Any mapping satisfying the fairness and separation conditions (1) and (2) is of the form where denotes the uniform linear averaging mapping, is the -vector of centered order statistics: , , and is an arbitrary mapping.

Example: for odd .

Under the assumptions above, we define a compact set of feasible mappings ; this set is convex.

3. GAUSSIAN ENSEMBLE
Consider the Gaussian ensemble , in which random codes are obtained by drawing fingerprint components i.i.d. . Define the five random variables

By our assumptions on and , the distributions of these random variables do not depend on and . In particular, . Finally, note that , and are non-Gaussian, even if .

Proposition 1. Let . For the Gaussian ensemble , we have

Moreover these bounds are tight in the exponent as .

Proof. The test statistic in (7) takes the form of a sum of i.i.d. random variables and under hypotheses and , respectively. Therefore and satisfy the large-deviations bound (10).

Proposition 2. In the limit as , where , we have the asymptotic equalities

Proof. Recalling the range of in Prop. 1, we see that the arguments of the large-deviations functions and above vanish as . The claim follows from (11).

Prop. 1 states that the error exponents depend on the nonlinear mapping selected by the colluders, and therefore detection performance strongly depends on as . However, as indicated by Prop. 2, that exponential dependency vanishes for large . For fixed values of and , one can resort to numerical simulations [7, 8, 9]. However, for fixed , the Central Limit Theorem arguments advanced in [8, 9] are not applicable as . We conclude this section with Prop. 3 which establishes a fundamental relationship between , and , guaranteeing reliable detection for the random ensemble .

Proposition 3. For the Gaussian ensemble , reliable detection is guaranteed provided that .
Proof: follows from Props. 1, 2, and (8), (9).
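The following simulation is an added illustration, not code from the paper: it applies uniform averaging and two order-statistics mappings (median and midrange) to the attack model of Sec. 2.2 with i.i.d. Gaussian fingerprints, spends the remaining distortion budget on Gaussian noise, and runs the nonblind correlation detector of Sec. 2.3. The fingerprint variance, distortion budget, host distribution, bound `K_MAX` and threshold rule are all assumptions chosen for the demonstration.

```python
import random
import statistics

SIGMA_W = 1.0      # fingerprint standard deviation (assumed value)
DISTORTION = 1.0   # colluders' mean-squared distortion budget (assumed value)
K_MAX = 4          # detector's assumed upper bound on the coalition size

ATTACKS = {        # symmetric mappings, applied sample by sample
    "average": lambda v: sum(v) / len(v),
    "median": statistics.median,
    "midrange": lambda v: (min(v) + max(v)) / 2,
}

def simulate(attack, n=20000, users=8, coalition=(0, 1, 2), seed=7):
    """Return (noise-free MSE, noise variance, accused users) for one attack."""
    rng = random.Random(seed)
    host = [rng.uniform(-50, 50) for _ in range(n)]   # constructed host signal
    marks = [[rng.gauss(0, SIGMA_W) for _ in range(n)] for _ in range(users)]
    # Noise-free forgery, computed from the colluders' marked copies only.
    clean = [attack([host[i] + marks[k][i] for k in coalition])
             for i in range(n)]
    mse = sum((c - s) ** 2 for c, s in zip(clean, host)) / n
    # Whatever is left of the distortion budget is spent on Gaussian noise.
    noise_var = max(DISTORTION - mse, 0.0)
    forgery = [c + rng.gauss(0, noise_var ** 0.5) for c in clean]
    # Nonblind detector: subtract the host, correlate with each fingerprint.
    centered = [y - s for y, s in zip(forgery, host)]
    # Assumed rule: half the mean statistic of a colluder when K_MAX
    # users average their copies.
    threshold = SIGMA_W ** 2 / (2 * K_MAX)
    accused = set()
    for m in range(users):
        stat = sum(c * w for c, w in zip(centered, marks[m])) / n
        if stat > threshold:
            accused.add(m)
    return mse, noise_var, accused

def run_all():
    """Run every attack on the same fingerprints and host."""
    return {name: simulate(f) for name, f in ATTACKS.items()}

if __name__ == "__main__":
    for name, (mse, noise_var, accused) in run_all().items():
        print(f"{name:9s} noise-free MSE={mse:.3f} "
              f"noise var={noise_var:.3f} accused={sorted(accused)}")
```

Averaging yields the smallest noise-free estimation error, so at a fixed distortion budget it leaves the colluders the most room for added noise, which is the mechanism behind (5) and (6); at this signal length the detector still separates the three colluders from the innocent users for all three mappings.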
4. EXPURGATED GAUSSIAN ENSEMBLE
The problem with the Gaussian ensemble of Sec. 3 is that the error probability (which is obtained by averaging over all codes in ) may be dominated by bad codes. This is a standard problem in information theory for the design of low-rate codes, for which performance is dictated by minimum-distance considerations, and the bad codes are the ones with poor minimum distance [12]. Improvements can be obtained using expurgation techniques, i.e., removing bad codes from the random ensemble. We apply a similar idea to our fingerprinting problem and show that performance can indeed be improved for any finite if we pick judiciously rather than drawing it randomly from . The derivations are much more technical than the ones given in Sec. 3 and will be presented elsewhere. The basic ideas are sketched below.

Since the code is known to the detector, the quantity in (7) may be viewed as a deterministic functional of the unknown rather than as a random variable. The only source of randomness in is the Gaussian noise which follows a distribution.

Choose a sequence . Let be the probability that a code drawn from the iid Gaussian distribution satisfies the conditions below for all , and let be the ensemble of such codes, which we call the expurgated ensemble.
(12)
(13)
We have proved that tends to 1 as , provided that . This suggests the following procedure for selecting a code from . Pick a code randomly from the iid Gaussian ensemble and check whether this code satisfies (12) and (13). If it does, use that code. If it does not, discard it and repeat the above procedure until it is successful. The probability that the procedure is still unsuccessful after trials is only .

Proposition 4. Assume and . For the expurgated ensemble , the type-I and type-II error probabilities satisfy
(14)
(15)

Proposition 5. For the expurgated ensemble , the error exponents in (14) and (15) are minimized by with .

Proof. Given and , the detection bounds (14) and (15) are independent of . Given , it follows from (6) that with simultaneously maximizes and , and therefore minimizes the error exponents (14) and (15).

For any fixed , the error exponents in (14) and (15) are uniformly better than those obtained by drawing codes from the Gaussian ensemble. The colluders can choose such that the exponents in Prop. 1 are worse than those for .

5. REFERENCES
[1] I. J. Cox, J. Kilian, F. T. Leighton and T. Shamoon, “Secure Spread Spectrum Watermarking for Multimedia,” IEEE T-IP, Vol. 6, pp. 1673–1687, Dec. 1997. (Also NEC Tech. Rep. 95-10, 1995).
[2] P. Moulin and J. A. O’Sullivan, “Information-Theoretic Analysis of Information Hiding,” IEEE T-IT, Vol. 49, No. 3, pp. 563–593, 2003.
[3] A. Somekh-Baruch and N. Merhav, “On the Capacity Game of Private Fingerprinting Systems Under Collusion Attacks,” Proc. IEEE Int. Symp. on Information Theory, Yokohama, Japan, p. 191, July 2003.
[4] J. Kilian, F. T. Leighton, L. R. Matheson, T. G. Shamoon, R. E. Tarjan, and F. Zane, “Resistance of digital watermarks to collusive attacks,” Proc. ISIT, p. 271, Cambridge, MA, 1998.
[5] F. Ergun, J. Kilian and R. Kumar, “A Note on the Bounds of Collusion Resistant Watermarks,” Proc. EUROCRYPT, pp. 140–149, 1999.
[6] P. Moulin and A. Briassouli, “The Gaussian Fingerprinting Game,” Proc. CISS’02, Princeton, NJ, March 2002.
[7] H. S. Stone, “Analysis of Attacks on Image Watermarks With Randomized Coefficients,” NEC TR 96-045, Princeton, NJ, 1996.
[8] H. Zhao, M. Wu, Z. Wang and K. J. R. Liu, “Forensic Analysis of Nonlinear Collusion Attacks for Multimedia Fingerprinting,” IEEE T-IP, Vol. 14, No. 5, pp. 646–661, May 2005.
[9] Z. J. Wang, M. Wu, H. Zhao, W. Trappe, and K. J. R. Liu, “Anti-Collusion Forensics of Multimedia Fingerprinting Using Orthogonal Modulation,” IEEE T-IP, Vol. 14, No. 6, pp. 804–821, June 2005.
[10] N. Kiyavash and P. Moulin, “A Framework for Optimizing Nonlinear Collusion Attacks on Fingerprinting Systems,” Proc. Conf. on Information Systems and Science, Princeton, NJ, March 2006.
[11] A. Dembo and O. Zeitouni, Large Deviations Techniques and Applications, 2nd ed., Springer-Verlag, New York, 1998.
[12] R. G. Gallager, Information Theory and Reliable Communication, Wiley, NY, 1968.