
As noted in [36, 37], tracing traitors is a worthwhile addition to a system provided that the associated identification algorithms add sufficiently little cost. In this chapter we have shown the benefits of using the Kötter-Vardy soft-decision decoding algorithm in the identification process when Reed-Solomon codes with tracing capabilities are used.

For TA Reed-Solomon codes, on one hand, we give conditions for unambiguous traitor identification. On the other hand, we show how the flexibility of the Kötter-Vardy algorithm allows the reuse of information obtained in each loop of an iterative process, in which the identification of traitors is based on the previously identified ones. The use of feedback information from previous iterations of the algorithm improves the identification task, allowing it to run in polynomial time in the code length, rather than in the code size. We also discuss upper bounds on the cost needed in the Kötter-Vardy algorithm so that at least one TA-parent always appears in the output list.

Moreover, we have also extended the work of [36, 37]. Again departing from the Kötter-Vardy algorithm, for a c-IPP Reed-Solomon code, given a descendant we have presented a method to obtain all possible coalitions that are able to generate it. The use of the soft-decision decoding routine allows us to reduce the execution time, which in the general case is upper-bounded by $O(M^c)$, where M is the total number of codewords.

Finally, we have shown concatenated constructions of binary fingerprinting codes based on Reed-Solomon outer codes. The constructions have exponentially small error probability in the outer code length, and polynomial decoding time in the total code length. We use the Kötter-Vardy soft-decision decoding algorithm in the outer code identification process. It is worth noting that even a sub-optimal setup of the reliability matrix achieves the same purposes as the matrix defined for the optimal case, with equivalent computational complexity.

The contents of this chapter have been published in [3], and also in the joint works [6] and [7].

Chapter 4

Almost Separating and Almost Secure Frameproof Codes

Separating codes were introduced by Friedman et al. [20] more than 40 years ago. A separating code is a very natural combinatorial object that has found application in many areas. Fields such as automata synthesis, technical diagnosis, construction of hash functions and traitor-tracing schemes have benefited from codes with the separating property.

As commented in Section 2.1, separating codes have been subsequently investigated by many authors, e.g. in [21, 22, 23, 24, 25, 26]. Nontrivial lower and upper bounds have been derived and relationships with similar notions have been established. See for instance the surveys [21, 25].

Recently, in connection with digital fingerprinting codes, a great deal of attention has been paid to separating codes. In this new area of application, separating codes have been rediscovered under the names of frameproof and secure frameproof codes [13, 14, 27, 28].

The main point of this chapter is that relaxing the definitions of separating and secure frameproof codes, by demanding only that these properties (separation and secure frameproofness) hold with high probability, yields two different notions. We call these two new notions the almost separating and almost secure frameproof properties. As will be shown, requiring the separating property to hold only with high probability, as opposed to absolute separation, allows us to obtain codes with better rates. Namely, we show existence bounds for almost separating and almost secure frameproof codes that are better than the current existence bounds for separating codes.

This chapter is organized as follows. In Section 4.1 we introduce the topic and present some previous results. In Section 4.2 and Section 4.3, we obtain lower bounds on the rate of the new codes introduced. Next, in Section 4.4 we compare the obtained results with the current known state of the art. Our motivation for studying separating codes is their application to fingerprinting schemes. In Section 4.5, we construct a family of fingerprinting codes with small error using almost separating and almost secure frameproof codes. Finally, the conclusions are drawn in Section 4.6.

4.1 Separating and Secure Frameproof Codes Revisited

Let $C$ be an $(n, M)$-code. For a pair of (disjoint) subsets $U, V \subseteq C$, using the notation from (2.2), we say that a position $i$ is separating if

$$P_i(U) \cap P_i(V) = \emptyset.$$

A pair of $c$-subsets $U, V$ are called separated if there exists a separating position $1 \le i \le n$ for them. Moreover, we say that a $c$-subset $U$ is separated if $U$ is separated from every other disjoint $c$-subset $V \subseteq C$.

Now, Definition 2.7 can be restated, and a code $C$ can be defined as $(c, c)$-separating if every pair of disjoint $c$-subsets $U, V \subseteq C$ are separated. Equivalently, a code is $(c, c)$-separating if every $c$-subset $U \subseteq C$ is separated. We have the following definitions.

Definition 4.1. A code $C$ is $c$-frameproof if every set $U \subseteq C$ with $|U| \le c$ satisfies $\mathrm{desc}(U) \cap C = U$.


Definition 4.2. A code $C$ is $c$-secure frameproof if for any $U, V \subseteq C$ with $|U| \le c$, $|V| \le c$ and $U \cap V = \emptyset$, we have $\mathrm{desc}(U) \cap \mathrm{desc}(V) = \emptyset$.

The concepts of frameproof and secure frameproof codes were introduced in [13, 14, 27, 28]. It is easy to see, and it was clearly noticed, e.g. in [15], that a $c$-frameproof code is the same as a $(c, 1)$-separating code, and that a $c$-secure frameproof code is the same as a $(c, c)$-separating code.
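The following brute-force check of Definitions 4.1 and 4.2 and of the equivalences just stated is an added example, not code from the thesis. It assumes that P_i(U) from (2.2) is the set of i-th symbols of the codewords in U, that desc(U) is the set of words whose i-th symbol lies in P_i(U), and that subsets of size at most c are tested; the function names and the three sample codes are constructed for illustration.

```python
from itertools import combinations, product

def proj(U, i):
    # P_i(U): symbols the codewords of U take at position i (assumed (2.2)).
    return {u[i] for u in U}

def separated(U, V):
    # U and V are separated if some position i has P_i(U), P_i(V) disjoint.
    n = len(next(iter(U)))
    return any(proj(U, i).isdisjoint(proj(V, i)) for i in range(n))

def subsets(code, c):
    # All non-empty subsets of the code with at most c codewords.
    for k in range(1, c + 1):
        yield from map(frozenset, combinations(code, k))

def disjoint_pairs(code, c, c2):
    return ((U, V) for U in subsets(code, c) for V in subsets(code, c2)
            if U.isdisjoint(V))

def is_separating(code, c, c2):
    return all(separated(U, V) for U, V in disjoint_pairs(code, c, c2))

def desc(U):
    # Assumed descendant set: every word whose i-th symbol lies in P_i(U).
    n = len(next(iter(U)))
    return set(product(*(proj(U, i) for i in range(n))))

def is_frameproof(code, c):          # Definition 4.1
    return all(desc(U) & set(code) == set(U) for U in subsets(code, c))

def is_secure_frameproof(code, c):   # Definition 4.2
    return all(desc(U).isdisjoint(desc(V))
               for U, V in disjoint_pairs(code, c, c))

def profile(code, c):
    # (c-frameproof, (c,1)-separating, c-secure frameproof, (c,c)-separating)
    return (is_frameproof(code, c), is_separating(code, c, 1),
            is_secure_frameproof(code, c), is_separating(code, c, c))

# Constructed sample codes (not from the thesis), codewords as tuples.
UNIT4 = [(1, 0, 0, 0), (0, 1, 0, 0), (0, 0, 1, 0), (0, 0, 0, 1)]
SEP3 = [(1, 0, 0), (0, 1, 0), (0, 0, 1), (1, 1, 1)]
BAD = [(0, 0), (1, 1), (0, 1)]

if __name__ == "__main__":
    for name, code in [("UNIT4", UNIT4), ("SEP3", SEP3), ("BAD", BAD)]:
        print(name, profile(code, 2))
```

In each profile the first two entries agree and the last two agree, as the equivalences require. UNIT4 is 2-frameproof but not 2-secure frameproof, because the coalitions {1000, 0100} and {0010, 0001} share the descendant 0000.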

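Let $R^{\mathrm{sep}}_q(n, c, c')$ denote the rate of an optimal (i.e., maximal) $(c, c')$-separating code of length $n$ over a $q$-ary alphabet $Q$,

$$R^{\mathrm{sep}}_q(n, c, c') \overset{\mathrm{def}}{=} \max_{\substack{C \subseteq Q^n \text{ s.t. } C \text{ is} \\ (c, c')\text{-separating}}} R(C).$$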

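Also, consider the corresponding asymptotical rates

$$R^{\mathrm{sep}}_q(c, c') \overset{\mathrm{def}}{=} \liminf_{n \to \infty} R^{\mathrm{sep}}_q(n, c, c'), \qquad R^{\mathrm{sep}}_q(c, c') \overset{\mathrm{def}}{=} \limsup_{n \to \infty} R^{\mathrm{sep}}_q(n, c, c').$$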

Lower bounds on (2, 2)-separating codes were studied in [20, 22]. For binary separating codes there are some important, well-known results that are worth mentioning. For example, from [21, 22] we have $R^{\mathrm{sep}}_2(2, 2) \ge 1 - \log_2(7/8) = 0.0642$, which also holds for linear codes [22]. Also, for the general case, it was shown in [15] that

$$R^{\mathrm{sep}}_2(c, c') \ge -\frac{\log_2\left(1 - 2^{-c-c'+1}\right)}{c + c' - 1}. \tag{4.1}$$

Regarding the upper bounds, in [21, 24] it was shown that $R^{\mathrm{sep}}_2(2, 2) < 0.2835$ for arbitrary codes, and in [21] that $R^{\mathrm{sep}}_2(2, 2) < 0.108$ for linear codes.

In the following sections of this chapter, and unless otherwise stated, all random $(n, M)$-codes are considered to be chosen with uniform probability among the ensemble of all $(n, M)$-codes over a certain alphabet $Q$. That is, we generate $M$ vectors of length $n$, where each entry is uniformly and independently chosen from $Q$.

4.2 Separating and Almost Separating Codes over