Asymptotically false-positive-maximizing attack on non-binary Tardos codesAntonino Simone and Boris Škorić

Eindhoven University of Technology

IH 2011, May 2011

2

OutlineForensic watermarking

◦Collusion attacksq-ary Tardos schemeNew parameterization of attack

strategyAccusation-minimizing attackPerformance of the Tardos scheme

◦False accusation probabilityResults & Summary

3

Forensic Watermarking

Embedder Detector

originalcontent

payload

content withhidden payload

WM secrets

WM secrets

payload

originalcontent

Payload = some secret code indentifying the recipient

ATTACK

4

Collusion attacks

A B A CC A A AA B A B

AC

AB

A ABC

"Coalition of pirates"Symbols received by pirates

Symbols allowed

“Restricted Digit Model”

5

AimTrace at least one pirate from detected watermark

BUTResist large coalition

longer codeLow probability of innocent accusation (FP) (critical!)

longer codeLow probability of missing all pirates (FN) (not critical) longer codeANDLimited bandwidth available for watermarking code

6

n users

embeddedsymbols

m content segments

Symbols allowed

Symbol biases

drawn from distribution

F

watermarkafter attack

A B C BA C B AB B A CB A B AA B A CC A A AA B A B

biases

AC

AB

A ABC

p1Ap1Bp1C

p2Ap2Bp2C

piApiBpiC

pm

Apm

Bpm

C

c pirates

q-ary Tardos scheme (2008)

• Arbitrary alphabet size q

• Dirichlet distribution F

• Symbol-symmetric

A B C BA C B AB B A CB A B AA B A CC A A AA B A B

7

Tardos scheme (cont.)Accusation:• Every user gets a score

• User is accused if score > threshold

• Sum of scores per content segment

• Given that pirates create y in segment i:

• Symbol-symmetric

g0(p)

g1(p)

p

p

8

Accusation probabilitiesm = code lengthc = #piratesμ̃ = expected coalition

score per segment

Pirates want to minimize μ̃ and make the innocent tail longer

Curve shapes depend on: F, g0, g1 (fixed ‘a

priori’) Code length # pirates Pirate strategy

Method to compute innocent curve [Simone+Škorić 2010]Big m innocent curve goes to Gaussian

threshold

total score (scaled)

innocent guilty

9

New parameterization of attack strategySymbol-symmetric only symbol occurrences matter

Notation: α = # α in segmentc pirates α α = c

For every segment:

New attack parameterization that does not refer to symbols:

10

New parameterization of attack strategy (cont.)

Due to the marking assumption, K0=0 and Kc=1Kb can be pre-computed faster computation

Thanks to the new parameterization, we can write

Which strategy minimizes μ̃?

])1[()2/1]1[(

)()2/1()1(

21)(

)(]Pr[~1

qbcqbc

bbcq

cbbT

bTKbqc

bb

11

μ̃-minimizing attack

For each , the attack outputs the symbol y s. t. its occurrence value y minimizes T(b) (i. e. T(y)T() for each )

12

T(b) analysisStrong influence of parameter

More interesting case:

Majority voting

Minority voting

13

ResultsGaussian approximation

14

Results (cont.)Gaussian approximation

15

SummaryResults: simple decoder accusation method in the Restricted

Digit Model new parameterization of the attack strategy μ̃-minimizing attack is the strongest attack in

asymptotic regime◦ not optimal attack for small coalitions

parameter has a strong effect For q>2 code length becomes better than for q=2,

but only if c is large enough! The larger q is, the larger c must be to obtain a

code shorter than the case q=2

Thank you for your attention!