Accusation probabilities in Tardos codes Antonino Simone and Boris Škorić Eindhoven University of Technology CWG, Dec 2010

Outline Introduction to forensic watermarking ◦ Collusion attacks ◦ Aim ◦ Attack models Tardos scheme ◦ Code length history ◦ q-ary version ◦ Properties New parameterization Majority voting effect Performance of the Tardos scheme ◦ False accusation probability Results & Summary

Forensic Watermarking EmbedderDetector original content payload content with hidden payload WM secrets payload original content Payload = some secret code indentifying the recipient ATTACK

Collusion attacks "Coalition of pirates" 1 pirate #1 Attacked Content / #2 #3 #4 = "detectable positions"

Aim Trace at least one pirate from detected watermark BUT Resist large coalition  longer code Low probability of innocent accusation (FP) (critical!)  longer code Low probability of missing all pirates (FN) (not critical)  longer code AND Limited bandwidth available for watermarking code

Attack models Once pirates detect watermark positions, what can they do? 1. Restricted digit model ◦ Choice from available symbols only 2. Unreadable digit model ◦ Erasure allowed 3. Arbitrary digit model ◦ Arbitrary symbol (but not erasure) 4. General digit model AABD BABB AACA ABAB ABCBC ABDABD Alphabet={A,B,C,D} AABD BABB AACA ?AB?AB A?BC?BC ?ABD?ABD AABD BABB AACA ABCDABCD AABCDABCD ABCDABCD AABD BABB AACA ?ABCD?ABCD A?ABCD?ABCD ?ABCD?ABCD More realistic scenario Simpler to analyze equivalent for binary symbols

Code length history Construction Boneh and Shaw 1998: Tardos 2003: Chor et al 2000: Staddon et al 2001: Huang + Moulin; Amiri + Tardos 2009: Lower bound c 0 = #pirates n = #users m = code length in symbols q = alphabet size  1 = Prob[accuse specific innocent]  = Prob[not all accused are guilty]  2 = False Negative prob.

n users embedded symbols m content segments Symbols allowed Symbol biases drawn from distribution F watermark after attack ABCB ACBA BBAC BABA ABAC CAAA ABAB biases ACAC ABAB AABCABC p 1A p 1B p 1C p 2A p 2B p 2C p iA p iB p iC p mA p mB p mC c pirates q-ary Tardos scheme (2008) Arbitrary alphabet size q Dirichlet distribution F Symbol-symmetric =y ABCB ACBA BBAC BABA ABAC CAAA ABAB

Tardos scheme continued Accusation: Every user gets a score User is accused if score > threshold Sum of scores per content segment Given that pirates have y in segment i: Symbol-symmetric g 0 (p) g 1 (p) p p

Properties of the Tardos scheme Asymptotically optimal Random code book No framing ◦ No risk to accuse innocent users if coalition is larger than anticipated F, g 0 and g 1 chosen ‘ad hoc’ (can still be improved)

Accusation probabilities m = code length c = #pirates μ ̃ = expected coalition score per segment Pirates want to minimize μ ̃ and make longer the innocent tail Curve shapes depend on:  F, g 0, g 1 (fixed ‘a priori’)  Code length  # pirates  Pirate strategy Central Limit Theorem  asymptotically Gaussian shape (how fast?) 2003  2010: innocent accusation curve shape unknown… till now! threshold total score (scaled) innocent guilty

New parameterization Necessary a new parameterization! K b =quantity depends on pirate strategy K b can be pre-computed Which strategy minimizes μ ̃ ? Symbol-symmetric  we take care only the symbol occurrences  = pirate occurrences vector   α = # α in segment c pirates   α  α = c W(b) b

Some attack definitions Majority voting ◦ y i = symbol that occurs most in segment i AABD BABB AACA ABAB ABCBC ABDABD AABP[A]=1/3 P[B]=1/3 P[D]=1/3 AABD BABB AACA ABAB ABCBC ABDABD P[A]=2/3 P[B]=1/3 AP[B]=2/3 P[C]=1/3 P[A]=1/3 P[B]=1/3 P[D]=1/3 Interleaving attack ◦ Prob[y i = α ] =  α /c Example:

Majority voting Theorem: Majority voting strategy minimizes μ ̃ Proof (intuitive): Case 1 : only 2 symbols detected c=19 Best choice W(b) b

Majority voting Theorem: Majority voting strategy minimizes μ ̃ Proof (intuitive): Case 2: more than two symbols detected one symbol occurs more than c/2 times c=19 Best choice W(b) b

Majority voting Theorem: Majority voting strategy minimizes μ ̃ Proof (intuitive): Case 3: more than two symbols detected all symbols occur less than c/2 times c=19 Best choice W(b) b

Innocent curve behaviour Motivations: ◦ Most critical part in the Tardos scheme (FP ≈ ) ◦ Still unknown ◦ Unknown innocent curve  unknown real code length ◦ Is Gaussian approximation good?

Approach Fourier transform property: Steps: 1.S =  i S i Si Si   = pdf of total score S S   = InverseFourier[ ] 2. 3.Compute Depends on strategy New parameterization for attack strategy 4.Compute 5. Taylor Trouble doing numerics (integral does not converge)

Main result: false accusation probability curve Example: interleaving attack threshold/√m exact FP log 10 FP Result from Gaussian

Main result: false accusation probability curve Example: interleaving attack Better than Gaussian! Conclusion: Gaussian approximation is worse for larger q

Main result: false accusation probability curve Example: majority voting attack threshold/√m exact FP Result from Gaussian FP is  70 times less than Gaussian approx in this example But  Code 2-5% shorter than predicted by Gaussian approx log 10 FP

Summary Results: introduced a new parameterization of the attack strategy majority voting minimizes μ ̃ first to compute the innocent score pdf ◦ quantified how close FP probability is to Gaussian ◦ sometimes better then Gaussian! ◦ safe to use Gaussian approx ◦ larger q  Gaussian approximation less good Future work: study more general attacks different parameter choices Thank you for your attention!