TRAITOR TRACING FOR SUBSCRIPTION-BASED SYSTEMS

Hongxia Jin and Jeffory Lotspiech

IBM Almaden Research Center

San Jose, CA, USA

Mario Blaum

Hitachi Global Storage Technologies

San Jose, CA, USA

Keywords:

Traitor tracing, error correcting code, traceability code.

Abstract:

In this paper we study the traitor tracing problem, which originates in attempting to combat piracy of copy-

righted materials. When a pirated copy of the material is observed, a traitor tracing scheme should allow to

identify at least one of the real subscribers (traitors) who participate in the construction of a pirated copy. In

this paper, we focus on the pay-per-view type of subscription-based scenarios, in which materials are divided

into multiple segments and each segment has multiple variations. We present a systematic way to assign the

variations for each segment and for each subscriber using an error-correcting code. We give sufﬁcient condi-

tions for a code to be able to trace at least a traitor when faced with a coalition of m traitors. We also prove

that these sufﬁcient conditions are also necessary when the code is an MDS code.

1 INTRODUCTION

This paper is concerned with the protection of copy-

righted materials. A number of business models

has emerged whose success hinges on the ability

to securely distribute digital content only to paying

customers. Examples of these business models in-

clude pay-TV systems and selling copyrighted mu-

sic content through the Web. This paper focuses on

subscription-based business models. Each subscriber

is allowed to decrypt the broadcast encrypted content

that he or she pays for. The security threat in this

scenario is that a group of subscribers resell the con-

tents by redistributing the decryption keys or the de-

coded contents over the Internet. This is a Napster-

style “anonymous” attack, and is the most urgent se-

curity concern for the content providers. The real sub-

scriber who participates in this piracy will be called

indistinctly either a traitor or a colluder. A traitor

tracing scheme allows to identify at least one of the

traitors. In this case the only way to trace traitors is to

use different versions of the content for different sub-

scribers (users). This allows the re-broadcasted de-

cryption keys or contents to be linked to the group of

users who were given that version.

The traitor tracing problem was ﬁrst deﬁned by

Chor, Fiat and Naor for a broadcast encryption sys-

tem (Fiat and Naor, 1993). This system allows en-

crypted contents to be distributed to a privileged

group of receivers (decoder boxes). Each decoder box

is assigned a unique set of decryption keys that al-

lows it to decrypt the encrypted content. The security

threat, which is different from the one we are dealing

in this paper, is that a group of colluders constructs

a clone pirate decoder that can decrypt the broadcast

content. The traitor tracing scheme proposed in (Chor

et al., 1994; B.Chor et al., 2000) randomly assigns the

decryption keys to users before the content is broad-

cast. The main goal of their scheme in this context is

to make the probability of exposing an innocent user

negligible under as many real traitors in the coalition

as possible.

The threat model that this paper is concerned with

is what we have called the “anonymous attack”. At-

tackers can construct a pirate copy of the content

(content attack) and try to resell the pirate copy over

the Internet. Or the attackers reverse-engineer the

devices and extract the decryption keys (key attack).

They can then set up a server and sell decryption keys

on demand, or build a circumvention device and put

the decryption keys into the device. There are two

well-known models for how a pirated copy (be it the

content or the key) can be generated:

1. Given two variants v

and v

of a segment, the pi-

rate can only use v

or v

, not any other valid vari-

ant.

223

Jin H., Lotspiech J. and Blaum M. (2006).

TRAITOR TRACING FOR SUBSCRIPTION-BASED SYSTEMS.

In Proceedings of the International Conference on Security and Cryptography, pages 223-228

DOI: 10.5220/0002097202230228

 SciTePress

2. Given two variants v

and v

of a movie segment

6= v

), the pirate can generate any valid variant

out of v

and v

The second model, of course, assumes the attack-

ers have more power. We believe it ﬁts documents,

texts better than media. Therefore in this paper, same

as other traitor tracing schemes shown in literatures,

we will be assuming that the attackers are restricted

to the ﬁrst model. When using watermark to create

variations, it is the watermark robustness assumption.

This is not an unreasonable assumption many real ap-

plication: ﬁrst of all, building a different variation

is a media-format-speciﬁc problem. Watermarking is

only one of the possible ways to create variations. In

a practical watermarking scheme, when given some

variants of a movie segment, it would be infeasible

for the colluders to come up with another valid vari-

ant because they do not have the essential information

to generate such a variant. If colluders manipulate

the watermarks, for example, by averaging two water-

marks v

and v

, we may detect both v

and v

in best

case; In worst case, however, if the watermark cannot

be recognized or simply removed, we may not gain

information and have to skip this particular variant.

This still ﬁts into our ﬁrst model. Of course, there are

ways as (I. Cox and Shamoon, 1997) to make it very

difﬁcult for colluders to remove the marks. We have

consulted industrial experts on the minimal durations

of the watermark in order to achieve the watermark

robustness assumption. However, in a DVD format

using Blue Laser, the variation can be simply a differ-

ent playlist. In this case, it may have nothing to do

with watermark; thus it is not restricted by the water-

mark robustness requirement.

Also, for the key attack, the traitors will need to re-

distribute at least one set of keys for each segment.

For cryptographic keys, it is impossible to generate a

valid third key from combining two valid other keys.

This is equivalent to the ﬁrst model.

In general, a deterministic traitor tracing scheme

incriminates traitors and only traitors. A probabilistic

scheme can sometimes have a small chance to incrim-

inate an innocent user. A tracing scheme is static if it

pre-determines the assignment of the decryption keys

for the decoder or the watermarked variations of the

content before the content is broadcast. The traitor

tracing schemes in (Chor et al., 1994; B.Chor et al.,

2000) are static and probabilistic. Fiat and Tassa in-

troduced a dynamic traitor tracing scheme (Fiat and

Tassa, 1999) to combat the same piracy under the

same business scenario considered in this paper. In

their scheme, each user gets one of the q variations

for each segment. However, the assignment of the

variation of each segment to a user is dynamically de-

cided based on the observed feedback from the previ-

ous segment. The scheme can detect up to m traitors.

Its main drawback is that doing this is impractical in

the scenario described above.

A practical traitor tracing scheme needs no more

than 10% of the extra bandwidth for the variations, to

accomodate billion users and to detect traitors under

large coalitions. We have designed a traitor tracing

scheme that attempts to meet all the practical require-

ments. The existing traitor tracing schemes either

need more bandwidth than the content provider can

economically afford, or the number of players their

schemes can accommodate is too few to be practical,

or the number of colluding traitors under which their

schemes can handle is too few.

Our scheme is static. Like all tracing schemes in

this category, it consists of two basic steps:

1. Assign a variation/key for each segment to devices.

2. Based on the observed re-broadcast keys or con-

tents, trace back the traitors.

In rest of the paper, we will present our two main

contributions of the paper. In Section 2, we focus

on the ﬁrst step, in other words, the key assignment

for the tracing. we will give intuitions why designing

a practical tracing scheme is inherently difﬁcult and

show how we overcome the difﬁculties and attempt to

meet the practical requirements. Then in Section 3,

we will give more in-depth analysis on traceability

codes, which is another contribution of this paper.

We present a sufﬁcient and necessary condition for

a MDS code to be a traceability code.

2 OUR SCHEMA

As shown above, the only way to trace traitors is

to use different versions of the content for different

users. This allows the re-broadcasted decryption keys

or contents to be linked to the group of users who

were given that version.

The ﬁrst problem to be solved is the overhead that a

tracing traitors scheme might require. This is a prob-

lem encountered in the ﬁrst step of a traitor tracing

scheme. If it was possible to send a different ver-

sion of the content to each user, the problem would be

solved. Unfortunately, in this case the bandwidth us-

age is extremely poor. While it is perfectly reasonable

in a theoretical context to talk about schemes that used

large number of variations and increased the space re-

quired by 200% or 300%, no movie studio would have

accepted this. Although the new generation of DVDs

has substantially more capacity, the studios want to

use that capacity to provide a high deﬁnition picture

and to offer increased features on the disc, not to pro-

vide better forensics. Most studios were willing, how-

ever, to accept some overhead for forensics, if it could

be kept below 10%. As a nominal ﬁgure, we began to

design assuming we had roughly 8 additional minutes

(480 seconds) of video strictly for forensic purposes.

SECRYPT 2006 - INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY

224

The cryptographic literature implied that we should

use our 480 seconds to produce the most variations

possible. For example, at one particular point in the

movie, we could have produced 960 variations of a

1/2 second duration. This clearly would not work.

The attackers could simply omit that 1/2 second in the

unauthorized copy without signiﬁcantly diminishing

the value of that copy. Instead, we settled on a model

where there were on the order of 15 carefully-picked

points of variation in the movie, each of duration 2

seconds, and each having 16 variations. Even then,

you could argue that the attackers can avoid these

30 or so seconds of the movie. As a result, when

we mapped our scheme to the actual disc format, we

made sure that the duration of the variations was not

pre-determined. Of course, longer durations require

more overhead. This is a tradeoff studios can make.

We should also mention that whether or not a given

movie uses tracing traitors technology is always the

studio’s choice. In the absence of attacks, they would

never use it, and the discs would have zero overhead

for this purpose.

In our model, assume that each content (for ex-

ample, a movie) is divided into multiple segments,

among which n segments are chosen to have differ-

ently marked variations. Each of these n segments

has q possible variations. Each user receives the

same bulk-encrypted content with all the small vari-

ations at chosen points in the content. However, each

user plays back the content through a different path,

which effectively create a different content version

copy. Each copy of the content contains one varia-

tion for each segment. Each version can be denoted

as an n-tuple (x

, x

, . . . , x

n−1

), where 0 ≤ x

≤

q − 1 for each 0 ≤ i ≤ n − 1. A coalition could

try to create a pirated copy based on all the varia-

tions broadcasted to them. For example, suppose that

there are m colluders. Colluder j receives a content

copy t

= (t

j,0

, t

j,1

, . . . , t

j,n−1

). The m colluders can

build a pirated copy (y

, y

, . . . , y

n−1

) where the ith

segment comes from a colluder t

, in other words,

= t

k,i

where 1 ≤ k ≤ m and 0 ≤ i ≤ n − 1.

It would be nice to be able to trace back the col-

luders (traitors) who have constructed a pirated copy

once such pirated copy is found. Unfortunately, the

variations (y

, y

, . . . , y

n−1

) associated with the pi-

rated copy could happen to belong to an innocent sub-

scriber. A weak traitor tracing scheme wants to pre-

vent a group of colluders from thus “framing” an in-

nocent user. A strong traitor tracing scheme allows at

least one of the colluders to be identiﬁed. In this pa-

per we deal only with strong traitor tracing schemes,

so, when we say “traitor tracing scheme,” we mean

strong traitor tracing scheme.

2.1 Basic Key Assignment

For the ﬁrst step, assume that each segment has q vari-

ations (symbols) and that there are n segments. We

represent the assignment of segments for each user us-

ing a codeword (x

, x

, . . . , x

n−1

), where 0 ≤ x

≤

q − 1 for each 0 ≤ i ≤ n − 1. The codewords as-

signment can be random or systematic using error-

correcting code. We have chosen to use the latter.

A practical scheme needs to have small extra disc

space overhead, accommodate a large number of de-

vices in the system, and be able to trace devices un-

der as large a coalition as possible. It is not hard to

see these requirements are inherently conﬂicting. We

will use error-correcting code to show some intuitions

on the conﬂicts between these parameters. q is the

number of variations, in other words, different sym-

bols that can be used in each coordinate of a code-

word. Take a look at a code [n, k, d], where n is

the length of the codewords, k is the source symbol

size, or the number of coordinates that can uniquely

identify a codeword.and d is the Hamming distance

of the code, namely, the mininum number of coordi-

nates by which any two codewords differ. Mathemat-

ically these parameters are connected to each other.

The number of codewords is q

, and Hamming dis-

tance has the property that d <= n − k + 1. q is

also related to n, for example, for a “maximal differ-

ence separable” (MDS) code, n <= q. We know the

number of variations q decides the extra bandwidth

needed for distributing the content. Without varia-

tions, q = 1. The extra bandwidth needed for the con-

tent is (q −1) ∗length

of each variation ∗n. The

Hamming distance d decides its traceability. To de-

fend against a collusion attack, intuitively we would

like the variant assignment to be as far apart as possi-

ble. In other words, the larger the Hamming distance

is, the better traceability of the scheme. On the other

hand, to accommodate a large number of devices, e.g.

billions, intuitively either q or k or both have to be

relatively big. Unfortunately a big q means big band-

width overhead and a big k means smaller Hamming

distance and thus weaker traceability. It is inherently

difﬁcult to defend against collusions.

In order to yield a practical scheme to meet all the

requirements, we concatenate codes. The number of

variations in each segment are assigned following a

code, namely the inner code, which are then encoded

using another code, namely the outer code. We call

the nested code the super code. The inner code ef-

fectively create multiple movie version for any movie

and the outer code assign different movie versions to

the user over a sequence of movies—hence the term

“sequence keys”. This super code avoids the overhead

problem by having a small number of variations at any

single point. For example, both inner and outer codes

can be Reed-Solomon (RS) codes. In a RS code, if

TRAITOR TRACING FOR SUBSCRIPTION-BASED SYSTEMS

225

q is the alphabet size, n ≤ q − 1 is the length of the

code. If k is its source symbol size, then its Hamming

distance is d = n−k+1 and the number of codewords

is q

. For example, for our inner code, we can choose

= 16, n

= 15 and k

= 2, thus d

= 14. For the

outer code, we can choose q

= 256, n

= 255 and

= 4, thus d

= 252. The number of codewords in

the outer code is 256

, which means that this example

can accommodate more than 4 billion devices. For the

super code which is the concatenation of the inner and

outer codes, q = 16, n = n

· n

= 15 ·255 = 3825,

k = k

· k

= 6, d = d

· d

= 14 · 252 = 3528.

Suppose each segment is a 2-second clip, the extra

video needed in this example is 450 seconds, within

the 10% contraint being placed on us by the studios.

So, both q, the extra bandwidth needed, and q

, the

number of devices our scheme can accommodate, ﬁt.

The actual choices of these parameters used in the

scheme depend on the requirements and are also con-

strained by the inherent mathematical relationship be-

tween the parameters q, n, k, d. In fact, there does

not exist a single MDS code that can satisfy all the

practical requirements. For a MDS code, n <= q,

d = n −k +1. An MDS code is, in general, too short.

For the second step, same as other tracing schemes

(Chor et al., 1994)(B.Chor et al., 2000)(Safani-Naini

and Wang, 2003)(Trung and Martirosyan, 2004), we

use a straightforward approach. For each user we

compute the number of segment variations that his

or her copy matches with the observed pirated copy.

The scheme incriminates the user who has the largest

matching with the pirated copy.

3 MATHEMATICAL ANALYSIS

Codes that can provide traceability have been exten-

sively studied in recent years. Weak form of such

codes are frameproof codes introduced by Boneh and

Shaw (Boneh and Shaw, 1998). Strong form of codes

called Identiﬁable Parent Property (IPP) and trace-

ability codes (TA). Combintatorial properties of IPP

codes and TA codes have been studied in (J. N. Stad-

don and Wei, 2001)(A. Barg and Kabatiansky, 2003).

In this section, we will give more in-depth analy-

sis on the combinaorial properties of the traceability

code for deterministic tracing. For reasons of space,

the results are given without proof. Deﬁnitions 3.1

and 3.2 and Lemma 3.1 are taken from (J. N. Staddon

and Wei, 2001).

Deﬁnition 3.1 Let C be a code of length n

over an alphabet Q of size q, and C

′

a sub-

set of C of size m, i.e., C

′

⊆ C and

′

|= m. Moreover, let C

′

= {t

, t

, . . . , t

}, where

= (t

i,0

, t

i,1

, . . . , t

i,n−1

) for 1 ≤ i ≤ m. We say

that a word v

∈ Q

, say, v = (v

, v

, . . . , v

n−1

), is a

descendant of C

′

if, for each 0 ≤ j ≤ n − 1, there

is an i, 1 ≤ i ≤ m, such that v

= t

i,j

. The set of

descendants of C

′

is denoted as desc(C

′

In a traitor tracing scheme in a static setting where

the assignment of variations is predetermined before

the content is broadcast, the rule used to determine

a traitor is to incriminate the user who has the maxi-

mum number of segments matching with the pirated

copy, i.e., the user whose codeword is at the smallest

Hamming distance from the pirated copy. We call this

rule the maximum selection rule.

Deﬁnition 3.2 A code C is called an m-traceability

code if, given any C

′

⊆ C with |C

′

| ≤ m and

∈ desc(C

′

), if there is a codeword c ∈ C such that

, t) ≤ d

′

, t

) for any c

′

∈ C, c

′

6= c

, then

∈ C

′

Given an m-traceability code, Deﬁnition 3.2 guar-

antees a deterministic tracing algorithm such that,

when inputed a pirated copy by a coalition C

′

with

′

| ≤ m, it always outputs an element of C

′

using

the maximum selection rule.

Lemma 3.1 Assume that a code C with length n and

distance d is used to assign the variations for each seg-

ment to each user and that there are m traitors. If code

C satisﬁes

d > (1 − 1/m

)n, (1)

then C is an m-traceability-code.

Is condition (1) also a necessary condition to yield

a deterministic tracing algorithm? As we will show

below, the answer is no. In order to come up with a

tighter condition, we will ﬁrst introduce a new con-

cept, namely, group distance, which is more relevant

than Hamming distance in the traitor tracing context

dealing with coalitions.

An [n, k, d] linear code C over a ﬁnite ﬁeld GF (q)

is a linear subspace of (GF (q))

with dimension k

and minimum distance d.

Deﬁnition 3.3 Assume that we have a code C over a

ﬁeld GF (q). Let u

be any codeword in C, and C

a set of m codewords in C not containing u

. We say

that D

, C

) is the number of coordinates in u that

are different to the corresponding coordinates of each

codeword in C

. We deﬁne the minimum group dis-

tance D

, C

for each possible codeword u

and m-set C

in C not

containing u

. When there is no ambiguity, we simply

denote D

The following condition on a code is sufﬁcient for a

deterministic tracing scheme.

Lemma 3.2 Consider a code C of length n. If

> (1 − 1/m)n, (2)

then C is an m-traceability code.

SECRYPT 2006 - INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY

226

We want to establish a relationship between D

and the minimum distance d of code C. Moreover,

we will show that an MDS code gives the best pos-

sible D

for any m. The next lemma connects the

sufﬁcient conditions (1) and (2) given by lemmas 3.1

and 3.2, respectively.

Lemma 3.3 Let C be a code of length n and mini-

mum distance d. If d > (1 − 1/m

)n, then D

(1 − 1/m)n.

The opposite direction in Lemma 3.3 does not hold

in general, but it does for MDS codes. We state this

result next, as well as further connections between the

group distance and the Hamming distance.

Lemma 3.4 Let U be a vector space of length n and

dimension k over a ﬁeld F . Then, given any k − 1

coordinates 0 ≤ i

< i

< ··· < i

k−1

≤ n −1, there

is a non-zero vector u

= (u

, u

, . . . , u

n−1

) in U such

that u

= 0 for 1 ≤ l ≤ k − 1.

Lemma 3.5 For any [n, k, d] linear code C over a

ﬁeld GF (q),

max{0 , d − (m − 1)(n − d)} ≤ D

≤

max{0 , d − (m − 1)(k − 1)}.

Lemma 3.6 For any [n, k, d] linear MDS code C over

a ﬁeld GF (q),

= max{0 , d − (m − 1)(k − 1)}=

max{0 , n − m(k − 1)}.

The next lemma, together with Lemma 3.3, shows

that conditions (1) and (2) are equivalent when the

lower bound in Lemma 3.5 is met with equality, i.e.,

= n − m(n − d), and hence for MDS codes.

Lemma 3.7 Let C be an [n, k, d] linear code such that

= n − m(n − d). If

> (1 − 1/m)n, then d > (1 −1/m

)n.

Corollary 3.1 Let C be an [n, k, d] linear MDS code.

If D

> (1 − 1/m)n, then

d > (1 −1/m

)n.

As shown in Lemmas 3.1 and 3.2, both D

(1 − 1/m)n and d > (1 − 1/m

)n are sufﬁcient

conditions for a deterministic tracing scheme. From

Lemmas 3.3 and 3.7, we know that these two condi-

tions are equivalent for codes satisfying with equality

the lower bound in Lemma 3.5 (in particular, MDS

codes). However, neither of these conditions is neces-

sary for an m-traceability code. In (J. N. Staddon and

Wei, 2001), it is listed as an open problem whether

or not having an [n, k, d] linear m−traceability code

implies d > (1 − 1/m

)n. The following trivial

example shows that the answer is no. In effect, as-

sume that we have a [4, 1, 4] repetition code over the

alphabet {0, 1, 2, 3}. It is clear that this code is an m-

traceability code for any 1 ≤ m ≤ 3. It is also clear

that d = D

= 4 for 1 ≤ m ≤ 3. Notice that both

conditions D

> (1 −1/m)n and d > (1 −1/m

are satisﬁed. Now, consider the [12,1,4] code that co-

incides with the previous one in the ﬁrst 4 coordinates

and is 0 in the last 8. It is clear that the new code

is also an m-traceability code for 1 ≤ m ≤ 3, but

conditions (1) and (2) are not satisﬁed.

We have shown that if d > (1 − 1/m

)n then

> (1 − 1/m)n (Lemma 3.3). We have also

shown that if the code satisﬁes with equality the lower

bound in Lemma 3.5 (like MDS codes) and if D

(1 − 1/m)n, then d > (1 − 1/m

)n (Lemma 3.7).

What happens if the code does not satisfy with equal-

ity the lower bound in Lemma 3.5? The same ex-

ample as above shows that D

> (1 − 1/m)n does

not necessarily imply that d > (1 − 1/m

)n. In ef-

fect, consider again the [4, 1, 4] repetition code, and

take the [5, 1, 4] code that consists of appending a 0 to

each of the four vectors of the [4, 1, 4] code. Then, for

m = 3, 4 = D

> (1−1/3)5, but 4 = d < (1−1/3

)5.

This example shows that in general, condition (2) is

stronger than condition (1) to check if a code C is an

m-traceability code.

Both conditions (1) and (2) imply that the code C is

an m-traceability code, but the examples above show

that they are not necessary. However, they are neces-

sary when C is an MDS code. We close this section

by stating this important fact.

Theorem 3.1 Let C be a linear [n, k, d] MDS code

over a ﬁnite ﬁeld GF (q) such that n ≤ q + 1. Then,

for m ≥ 2, C is an m-traceability code if and only if

> (1 − 1/m)n.

The condition n ≤ q + 1 seems somehow limiting

and arbitrary. However, this is the so called MDS con-

jecture. There are no known non-trivial MDS codes

violating this condition. Moreover, MDS codes used

in practice, like RS and extended RS codes, satisfy it.

So, in actual applications, the condition n ≤ q + 1 is

realistic.

Corollary 3.2 Let C be a linear [n, k, d] MDS code

over a ﬁnite ﬁeld GF (q) such that n ≤ q + 1. Then,

for m ≥ 2, C is an m-traceability code if and only if

d > (1 −1/m

)n.

3.1 Is an MDS Code Always the

Best?

Based on the deﬁnition of group distance D

, we

know that the larger D

is, the more traitors m un-

der which we can trace an actual traitor determinis-

tically. We have shown that an MDS code gives the

largest value of D

for any m. Does this mean that an

MDS code always gives the best deterministic tracing

scheme? In some realistic situations, given the size of

the ﬁeld, it might not. To be more precise, let us ﬁrst

TRAITOR TRACING FOR SUBSCRIPTION-BASED SYSTEMS

227

try to apply an actual MDS code, a Reed-Solomon

(RS) code, to a real application scenario.

Assume that each segment has q variations. The

parameter q determines how much extra bandwidth is

needed to broadcast the multiple variations of the seg-

ments. A practical solution requires a small extra per-

centage, like 5% of the normal bandwidth needs. This

implies that q cannot be too large. Since the number

of codewords (thus, the number of subscribers) that

the scheme can accommodate in the application is q

a small q requires a not too small k.

Assume that we choose k = 2. Let C be an [n, 2, d]

MDS code with n = q (like an extended RS code),

thus d = n − (k − 1) = q − 1. From Corollary 3.2,

we know that the condition d > (1 − 1/m

)n gives a

deterministic tracing scheme for up to m traitors. This

in turn means q −1 > (1 −1/m

)q for C, so q > m

Therefore, the maximum number of traitors a deter-

ministic tracing scheme can handle is

√

q. However,

if q is a small number (like 16), the total number of

subscribers that can be accomodated is q

, which will

also be a small number. A practical tracing scheme

may require the capability to deterministically trace

more traitors than

√

q or to accomodate more sub-

scribers than q

. So, there are no MDS codes that

can be directly applied here and still meet these re-

quirements. For that reason, the scheme in (Safani-

Naini and Wang, 2003) may not be practical. Are we

doomed not to have a better tracing scheme simply

because the best codes are MDS? In fact, our ques-

tion is very similar to one of the open problems listed

in (J. N. Staddon and Wei, 2001) asking whether or

not we can construct an m−traceability code with

q < m

and a > q, where a is the number of code-

words in the code (for an [n, k, d] linear code, no-

tice that a = q

). This question has been afﬁrmatively

answered in a recent paper (Trung and Martirosyan,

2004). However, the codes presented in (Trung and

Martirosyan, 2004) either have too few codewords or

the size q of the alphabet is too large for practical ap-

plications.

4 CONCLUSION

In this paper, we study the problem of tracing the le-

gitimate users (traitors) who instrument their devices

and illegally redistributing the pirated copies of the

contents or decryption keys on the Internet.

In our scheme, we systematically assign the varia-

tions for each segment to the movie and keys to the

devices. we use the two-level codes to overcome the

overhead problem to prepare the content and enable

tracing at the receipt end. Consider our concatenated

construction with parameters q = 16, n = 3825 and

k = 6. The choice of the parameters allows small ex-

tra bandwidth but large number of codewords (16 mil-

lion), much larger than q, meeting practical require-

ments.

We also provide formal analysis on traceability

code. we introduced a new concept, called ”group

distance”. We believe it is inherently more relevant

to measure the traceability of the codes. Using group

distance we showed a sufﬁcient condition 2 for trace-

ability code. We also showed this condition is neces-

sary for MDS codes. As future work we would like

to ﬁnd an efﬁcient traceability code that satisﬁes con-

dition 2 but not 1. Note when traitors become bigger,

the tracing has to be probabilistic. Our current trace-

ability analysis is based on a bruteforce step 2 and

deterministic tracing. As future work, we want to de-

velop a more efﬁcient step 2.

REFERENCES

A. Barg, R. B. and Kabatiansky, G. (2003). Digital ﬁn-

gerprinting codes: Problem statements, constructions,

identiﬁcation of traitors. In IEEE Transactions on In-

formation Theory, volume 49, pages 852–865.

B.Chor, A. Fiat, M. N., and Pinkas, B. (2000). Tracing

traitors. In IEEE Transactions on Information Theory,

volume 46, pages 893–910.

Boneh, D. and Shaw, J. (1998). Collusion-secure ﬁnger-

printing for digital data. In IEEE Trans. on Informa-

tion Theory, volume 44, No.5, pages 1897–1905.

Chor, B., Fiat, A., and Naor, M. (1994). Tracing traitors.

In Crypto 1994, Lecture Notes in computer science,

volume 839, pages 480–491.

Fiat, A. and Naor, M. (1993). Broadcast encryption. In

Crypto 1993, Lecture Notes in computer science, vol-

ume 773, pages 480–491.

Fiat, A. and Tassa, T. (1999). Dynamic traitor tracing. In

Crypto 1999, Lecture Notes in computer science, vol-

ume 1666, pages 354–371.

I. Cox, J. Killian, T. L. and Shamoon, T. (1997). Secure

spread spectrum watermarking for multimedia,. In

IEEE Transactions on Imaging Processing, volume

6(12), pages 1673–1687.

J. N. Staddon, D. S. and Wei, R. (2001). Combinato-

rial properties of frameproof and traceability codes.

In IEEE Transactions on Information Theory, vol-

ume 47, pages 1042–1049.

Safani-Naini, R. and Wang, Y. (2003). Sequential traitor

tracing. In IEEE Transactions on Information Theory,

volume 49, No.5, pages 1319–1326.

Trung, T. V. and Martirosyan, S. (2004). On a class of trace-

ability codes. In Design, Codes and Cryptography,

volume 31(2), pages 125–132.

SECRYPT 2006 - INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY

228