DOI:10.1007J.Cryptology(2001)14:211 - PDF document

DOI:10.1007J.Cryptology(2001)14:211Ð223 2001InternationalAssociationforCryptologicResearch DynamicTraitorTracingAmosFiatDepartmentofComputerScience,SchoolofMathematicalSciences,TelAvivUniversity,TelAviv,IsraelAlgorithmicResearchLtd.,10NevatimStreet,PetahTikva,IsraelTamirTassaAlgorithmicResearchLtd.,10NevatimStreet,PetahTikva,Israel A.FiatandT.TassaInthispaperweaddresstheissueofprotectingownershiprightsagainstpiracywherebyunauthorizedusersgetaccesstothecontent.Piratesmakeabusinessofbreakingthesecu-ritysafeguardsoftheconditionalaccesssystemandselldevicesthatallowunauthorizeduserstoviewthecontentillegally.Topreventsuchunauthorizedaccess,cryptographyisoftenused:theconditionalaccesssystemmakesuseofsecretkeysinordertoallowonlylegitimateusersaccesstothecontent.Theuseoftamper-resistantdevicesforconditionalaccesssystemsisthenorm,topreventaccesstotheunderlyingkeys.However,recentadvancesinattacksontamper-resistantdevices,rangingfromverysimpleattacks[1]tomoresophisticateddifferentialpoweranalysisandtimingattacks[12],havecompromisedunqualiÞedrelianceontamperresistance.Thus,amorerealisticmodelmustassumethatpiracywilloccurand,therefore,countermeasuresshouldbetakenoncepiracyhasbeenobserved.Suchcountermeasuresshouldbecapableofthefollowing:ÐTracethesourceofpiracy.ÐDisconnectitanditsdependentunauthorizedusersfromfurthertransmittalofin-ÐHarmnolegitimateusers.ÐSupplylegalevidenceofthepirateidentity.ThetraitortracingschemesofChoretal.[6]adoptthefollowingmodel:piratedecodersthatallowaccesstothecontentmaybemanufacturedbutsuchdecoders,ifcaptured,mustinherentlycontainidentifyinginformationthatwillallowthebroadcastertocutthemofffromfuturebroadcasts.Additionally,thesourceofpiracycanbedetectedandlegalmeanscanbetaken.Todoso,Choretal.introduceanewformofcryptographythatusesoneencryptionkeyandmultipledistinctdecryptionkeys,withthepropertythatonecannotcomputeanewdecryptionkeyfromagivensetofkeys.Thetraitortracingschemesof[6],[14],and[16]approximatesuchascheme.Twocostmeasuresaretobeconsideredwhenimplementingsuchschemes:storagerequirementsattheuserendandthenecessaryincreaseofbandwidth.TheAchillesÕheelofsuchtraitortracingschemesistheirunderlyingassumptionthatpiratesprovideunauthorizedsubscriberswithdecoderscapableofdecodingtheoriginalbroadcast.Suchschemeswouldbeineffectiveifthepirateweresimplytorebroadcasttheoriginalcontentusingapiratebroadcastsystem.Thispaperdealswiththelatterscenario:Evenifthepiraterebroadcaststheoriginalcontenttopirateusers,countermeasurescanbeactivatedinordertotraceanddisconnecttheso-calledtraitors,i.e.,therealsubscriberscontrolledbythepirate.Toaccomplishthis,watermarkingmethodsareimplemented,allowingthebroadcastertogeneratedifferentversionsoftheoriginalcontent,withnonoticeabledegradationinthecontentquality.Theschemeswhichweintroduceanddiscusshere,usethewatermarksfoundinthepiratecopytotraceitssupportingtraitors.Afundamentalassumptioninthis Deactiviatingapirateusercanbedonethroughtheuseofbroadcastencryptionschemes[10].Weremarkthatcombinedapproachestobroadcastencryptionandtheoriginal[6]conceptoftraitortracinghaveappearedin[3],[18],and[11]. DynamicTraitorTracingcontextisthatitispossibletogeneratetamper-resistantwatermarksthatapiratecouldnotremove.Coxetal.[8]haveintroducedmethodstocreatesuchsecureandrobustwatermarks.WatermarkingschemeswereintroducedanddiscussedbyBonehandShawin[4].Intheirstudytheyassumedthatthecontentiswatermarkedonce,priortoitsbroadcast.Theschemesof[4]weredesignedtotracethesourceofpiracyonceapiratecopyofthecontentiscaptured.Thetraitortracingschemesof[6]aresimilarinthatsense:eachdecoderispersonalizedbyauniqueallocationofdecryptionkeys,once,beforeitissoldtoasubscriber.Onlywhenapiratedecoderiscapturedarethetraitortracingschemesactivatedinordertotracealegaldecoderusedinbuildingthepirateunit.Boththewatermarkingschemesof[4]andthetraitortracingschemesof[6]areprobabilistic.Namely,theevidencetheyprovideagainstthesuspectedtraitorisaccompaniedbyasmallerrorprobability(thatcanbemadeassmallasdesired).Itshouldbenotedthateventhoughthewatermarkingcodesof[4]andthetraitortracingkeyassignmenttoolsof[6]have,seemingly,anentirelydifferentmotivation,traitortracingschemescanbetranslatedintowatermarkingcodesasdescribedin[4].Like[4]and[6],wemakeuseofmarkingcodesbut,unlike[4]and[6],ourcodesaregeneratedontheßy.InourmodelweusethefeedbackfromthepiratedistributionnetworkinordertolockontothetraitorsmuchmoreefÞciently.Werefertothislattermodelasthedynamicmodelwhiletheformerone[4],[6]isreferredtoasthestatic.Thedynamicmodelisverynaturalandhasgreatpracticalapplicationsinthecontextofprotectingintellectualrightsinbroadcastsystems.Thestaticmodel,ontheotherhand,issuitableforelectronicdatadistributionsystems.Tounderstandthefundamentalcontributionofthedynamicmodel,weconsiderthefollowingscenarios:1.Dynamicschemesdecideaboutthenumberofactivetraitorsontheßy,basedonthefeedbackfromthepiratenetwork,andadapttheirbehavioraccordingly.Thatisimpossibleinthestaticmodel,whereanaprioriboundonthenumberoftraitorsisrequired(thelackofsuchaboundrendersanystaticmethodcompletelyunreliable).2.Evenifanaprioriboundisknown,butfalseincriminationsofinnocentusersarestrictlyprohibited,thereisanexponentialperformanceimprovementofdynamicmethodsoverstaticones.Thisexponentialgapimpliesthatstaticschemesaresimplyimpossibleinsuchsettings.3.Ifanaprioriboundisknown,andoneallowsaconstantprobability,0,offalseincrimination,staticschemespayanadditionallog
factorinperformancethatisnotrequiredbydynamicmethods.OrganizationofthePaperThepaperisorganizedasfollows:inSection2weformalizethemodel,introducethebasicterminology,anddiscussrelevantimplementationissues.InSection2.3weproveafundamentalresultthatconnectsthesizeofthemarkingalphabettothenumberofactivetraitors.Abyproductofouranalysisisthattheprobabilisticnatureofthecodesin[4]isinherent,i.e.,nocodeofthatnaturecanavoidmakingerrors.InSection3threedeterministicalgorithmsinthedynamicsettingarepresentedand A.FiatandT.Tassacompared:twoofthemhaveoptimalspacialefÞciencywhiletheotheroneexcelsintemporalefÞciency.Finally,inSection4,welistseveralinterestingopenproblemsthatourstudyraises.RelatedWorkTheconceptsofframeproofcodesandsecurecodesweredeÞnedin[4].Additionalexplicitconstructionsofframeproofcodesweregivenin[17].ThereareavarietyofslightlydifferentdeÞnitionsofframeproofandsecurecodes.Generally,aframeproofcodeisanassignmentofcodewordstouserssothatnocoalitionwhosesizeisnomorethansomepresetlimitcanÒframeÓaninnocentuser.Acoalitionofsizecancomputenewcodewordsfromthesetofcodewordsassignedtoitsmembers.Therulesbywhichnewcodewordscanbecomputedvaryslightlyfrompapertopaper.ThedifferentrulesreferspeciÞcallytowhatispermissiblewhencombiningtwoormorecodewordstocreateanother.Forexample,giventwocodewordsthatdifferinthcoordinate,,onecangenerateanewcodewordforwhicheither(asintheCFN-model[6],whichcoincideswithours),oriseitheranarbitraryelementoftheunderlyingalphabetorsomethingentirelyunrecognizable(asintheBS-model[4],[17]).Ratherthantalkintermsofcodewords,wetranslatethesetwomodelstothewater-markingterminology:ÐGiventwovariantsofamoviesegment,,iftheonlypossiblechoiceforthepirateistotransmiteither,thenweareintheCFN-model.ÐGiventwovariantsofamoviesegment,),ifthepiratecanproduceanyvariantoutofallpossiblevariants,orsomethingentirelyunrecognizable,thenweareintheBS-model[4],[17].Wejustifyourchoiceofmodelbelow,butÞrstafewwordstoavoidconfusion.WeusethetermÒtheCFN-modelÓsomewhatmisleadinglybecause[6]doesnotdealwiththewatermarkingproblematall.Rather,[6]dealswiththeassignmentofkeystodecoderssoastorecognizethesourceofapirateddecoder.Oneofthepropertiesofcryptographickeysisthatgiventwodifferentsymmetrickeys,it(usually)makeslittlesensetotrytocombinetheminsomewayandobtainameaningfulthirdkey.Thus,ifthepiratehastochoosebetweenusingkeyorkey,hecanchooseeitheroneofthem,ornoneofthem,butwouldnotÞnditusefultouse,say,.Inthetranslationbetweenthetraitortracingschemesof[6]andwatermarkingschemes,thedifferentkeysareanalogoustodifferentvariantsofasegment,whencethetermÒtheCFN-modelÓinthecontextofwatermarking.Givensomevariantsofamoviesegment,itwouldseemmostinfeasibletocomputeanewvalidvariant.Thereasonforthatisthatinanyreasonablewatermarkingschemethepiratewouldnothavetheinformationessentialtogeneratesuchavariant.Itmaybepossible,however,toremoveallwatermarkinginformationwhilepayingthepriceofqualitydegradation.However,evenifthatispossible,itwouldbedifÞculttodoso,andthepiratewouldnotnecessarilyknowwhetherhewassuccessfulornot.ThisiswhyweÞndtheCFN-modelamorerealisticmodelinthiscontext.Itshouldbenotedthatinour DynamicTraitorTracingdynamicschemes,ifwecannotrecognizethevariantthatiscurrentlytransmittedbythepirate,wesimplyignorethecorrespondingsegmentandwaitforthenextone.Evenifthepirateissuccessfulinremovingthewatermarkingwithprobability(thevalueofwhichisdictatedbythetechnicaldifÞculties,aswellasbytheneedtohavearebroadcastwithareasonablequality),itimpliesa1constantfactorinconvergencetime.Finally,fromapracticalperspectiveontheimmediatefuture,wecanjustifyourmodelformuchthesamereasonsasin[6](seeSection2.2).InthestaticmodelarelatedpaperbyStinsonandWei[17]constructsframeproofschemesaswellastraceablityschemes.Inthiscontext,traceabilityschemescoincidewithsimplemajoritydeterministictracingalgorithmsthatarenotallowedtomakeanyerror.IntheirTheorem5.5theygiveaboundthatconnectsalltheparametersoftheproblem:thenumberofusers,thesizeofthecoalitionoftraitors,thesizeofthemarkingalphabet,andthelengthofthecodewords.Thatboundmaybetranslatedintoalowerboundonthelengthofcodewordswhichisproportionaltothenumberoftraitorstimesthelogofthenumberofusers.Weconjectureinthispaperthatthetruelowerboundismuchhigherandisinfactexponentialinthenumberofusers.Otherrelatedworkabouttraitortracingmaybefoundin[9],[11],and[13]Ð[15].2.TheModelInourmodelthecontentconsistsofmultiplesegments,e.g.,asegmentcouldbe1minuteÕsworthofvideo.Itispossibletogeneratemultipleofeachsegment.Thosevariantsmustmeetwiththefollowingtworequirements:Similarity.Fundamentally,allvariantscarrythesameinformationtotheextentthathumanscannotdistinguishbetweenthemeasily.Robustness.Givenanysetofvariants,,itisimpossibletogenerateanothervariantthatcannotbetracedbacktooneoftheoriginalvariants,Clearly,thoserequirementsplaceanupperboundonthenumberofvariantsthatcanbegeneratedfromasinglecontentsegment(thereaderisreferredto[8]wheremethodstogeneratesuchwatermarksareintroduced).ContentforwhichsomeorallofthesegmentshavebeenassignedvariantsiscalledawatermarkedcontentoraversionIngeneral,thewatermarkingproblemistogeneratemultipleversionsofwatermarkedcontentsothat,givenablackmarketcopyofthatcontent,thewatermarksembeddedinthatcopywouldleadtotheidentiÞcationofitssource.watermarkingschemefortracingtraitorsconsistsoftwoessentialparts:Watermarkdistribution:analgorithmthatassignseachsubscriberawatermarkedcopyofthecontent.Tracingandincrimination:analgorithmthat,givenanillegalcopyofthecontent,usesthewatermarksembeddedinitinordertotracebackatleastoneofthetraitorsthatparticipatedinproducingthatcopy.Awatermarkingschemeiscalledifittracesandincriminatesalltraitorsandnooneelsebutthetraitors.Ontheotherhand,schemesinwhichthereisasmallchanceoffalseincriminationarereferredtoasprobabilistic A.FiatandT.TassaThetwokeyperformanceparametersinthiscontextare,thenumberofdifferentvariantsusedpersegment,and,thenumberofcontentsegments.Onewaytoviewourmodelofwatermarkingisthatitisanembeddingofacodewordinthecontent,whereissimplythesizeofthemarkingalphabetandisthelengthofthecodeword.Thefollowingterminologyisusedthroughouttherestofthepaper:Thecenteristhesourceofthecontentanditswatermarkedcopies.Theusers,or,denotedby,arerecipientsofthe3.Someoftheusersmaycolludeinordertodistributeillegalcopiesofthecontenttopiratesubscribers.Werefertosuchusersasandtotheircoalitionasthepirate.Thenumberoftraitorsisdenotedhenceforthby,whilethepirateandtraitorsaredenotedbyThemarkingalphabetthatisusedtogeneratecodewordsisdenotedby5.Foragivensegment1andamarkdenotesthesubsetofsubscribersthatgotvariantofsegmentInthispaperwedistinguishbetweentwosettings:adynamicsettingandastaticone.Thedynamicsettingassumeson-linefeedbackfromthepiratesubscriberstothecen-ter.SuchascenarioisfeasibleincaseslikeaTVbroadcast,wherethepiraterebroadcaststhecontent,say,ontheInternet.ThecentercanthereforeseethecurrentpiratebroadcastandadaptitswatermarkdistributioninthenextsegmentsinordertotracethetraitorsefÞciently.Insuchascenario,thenumberofvariantsthataretransmittedsimultaneously,isproportionaltothebandwidthrequirements,while,thenumberofsegmentsorsearchsteps,isproportionaltothetimerequiredtotracethetraitors(theconvergencethestaticsettingthereisaonetimemarkingofthecontentperuser.Onlywhenablackmarketcopyisfoundisthetracingandincriminationalgorithmactivated.Thismodelissuitablefor,e.g.,DVDmovieprotection.Obviously,performanceinsucharigidsettingwithnoon-linefeedbackislessefÞcientthanthatinthedynamicsetting.Thissettingisalsosomewhatlessusefulthanthedynamicsettingbecausetherearefewereffectivecountermeasures:legalactionpost-factumistheonlyrecourse(asopposedtothedynamicsettingthatallowsimmediatedisconnectionofthetraitors).Asinthedynamicsetting,arerelevantperformancemeasures,buttheyhaveaslightlydifferentsigniÞcance.Here,determinestherelativeextraexpenserequiredforwatermarking,whileislimitedbythemaximalnumberofsegmentsthatcanÞtintothegivencontent.ControlOverheadAkeyissueistocontrolwhatusersgetwhatvariantofeverysegment.Thesimplestwaytodosoisasfollows:1.Everyuserhasauniquesymmetrickeyincommonwiththecenter.2.Priortoeverysegmenttransmission,thecenterdistributeskeystousers,usingindividuallyencryptedtransmissions:ifuseristogetvariantofsegment DynamicTraitorTracingthenthecentersendsanindividuallyencryptedtransmissiontouser,whereallsuchkeysaregeneratedatrandom.3.Thecenternowtransmitsmultiplevariantsofthethsegment,wherevariantencryptedunderkeyThebroadcastoverheadforimplementingsuchaschemeiscomposedoftwo1.Beforeeachsegment,thecenterneedstotransmitindividual(short)messagesthatcontaintherelevantkeystoeveryuser.2.Thecenterneedstobroadcastmultiplevariantsofeverysegment;thisisahighoverheadcomponentbecauseitmultipliesthetotalbandwidthbythenumberofdifferentvariants.Thereareanumberofmechanismsthatallowustoreducethisoverhead.First,ratherthanusingindividuallyencryptedmessageswecanusebroadcastencryptionschemes[10].AtÞrstglanceitseemsthatthiscreatesaproblembecausebroadcastencryptionschemesrequireanaprioriknowledgeofthenumberoftraitors,whereasweclaimthatwedonotneedtoknowthis.However,weneverkilloffasuspectuserunlessweknowforsurethatheisatraitor.Hence,wecanstartwithanestimateofthenumberoftraitors,andifthisestimateturnsouttobewrong,wecansimplyrestartwithahigherinitialestimateforthebroadcastencryptioncomponent.Next,wedonotnecessarilyhavetochangekeysbetweensegmentsforallusers.Infact,weonlyneedtochangekeysincasewhereasetofusersissplitupintotwoormoresubsets,orifweperformaunionbetweensetsofusers.Thus,evenifoneusesthenaiveapproach(individualtransmissionstoeveryuser)itturnsoutthatour21algorithm,Section3.3,onlyrequiresindividualtransmissionsforallsegments.However,themoreexpensiveoverheadisinthesimultaneoustransmissionofmultiplevariantsofasegment.Here,onecanmakeuseofthenatureoftheproblemtoreducebandwidthoverhead.Evenif,say,90%ofthemovieweretransmittedentirelyintheclear(andnotwatermarked),whileonlytheremaining10%weretobewatermarkedandprotected,thiswouldcreateproblemsforthepirate.Apiratecopythatmisses10%ofthemovieisnotveryvaluable.Thismeansthatwecantransmitmultiplevariantsforonlya(relatively)smallpartofthemovie,hencereducingthebandwidthoverheadconsiderably.Short-TermPracticalConsiderationsIntheimmediatefuture,itseemsratherunlikelythattheactualMPEG-IItransmis-sionwillberebroadcastovertheInternet(duetolackofbandwidth).Thus,itmaybethatthesettingdescribedinthispaperisnotrequiredintheimmediatefuture.Hence,webrießydescribehowtoadaptourschemesforconditionalaccessschemesusedto-day.Allconditionalaccessschemestodayuserapidlychangingsymmetrickeystoencryptthecontent.Thesesymmetrickeys,knownasÒcontrolwords,Óarereplaced(say,every5seconds)throughtheuseofso-calledÒEntitlementControlMessagesÓ(ECMs).Anunderlyinghiddenassumptionincommontoalltheseschemesisthatthecontrolwordswillnotberetransmittedbythepiratetohissubscribers. A.FiatandT.TassaThisassumptionistrueifthebandwidthavailabletothepirateforretransmissionislowerthanthatrequiredtoretransmitthecontrolwords.Thus,thecentermustsetthecontrolwordchangeratetoreßecttheboundsonthepiratetransmissioncapabilities.Nonetheless,theproblemwiththissettingisthatthepiratecouldstilltransmitthesecret(s)usedtoobtainthecontrolwordsfromtheECMs.Now,wecansimplymakeuseofdynamictraitortracingschemes,whereratherthanwatermarkingmultiplevariantsofthecontent,weencryptthecontrolwordsunderseveraldifferentkeys(analogoustovariants).Inthissettingthecontroloverheadismuchlower(multipleECMstreams)andourmodelthatdisallowscomputationofathirdvariantfromtwoexistingvariantsisobvi-ouslyjustiÞed.DeterministicLowerBoundThefollowingfundamentaltheoremappliesinboththedynamicandstaticsettings:Theorem1.IfthepiratecontrolsptraitorsthenThereexistsadeterministicwatermarkingschemewithNowatermarkingschemethatusesanalphabetofsizepcanbedetermin-Inotherwords,awatermarkingschememustuseanalphabetofsize1attheleastinordertotraceandincriminatealltraitorsandnoonebutthetraitors.Inthestaticsetting,thisrequireshavinganaprioriboundonthenumberoftraitors.Inthedynamicsetting,however,theschemecanlearnontheßywhatthenumberoftraitorsisandadaptitsalphabetsizeaccordingly;hence,noaprioriinformationaboutthenumberoftraitorsisrequired.ProofofTheorem1.Hereweprovepart(b)ofthetheorem.Asfortheproofofpart(a),seeSection3.2andSection3.4wheresuchschemesaredescribed.Givensomeinnocentsubscriberofthesystem,,wedeÞneforall1Inaddition,wedenote.Now,assumethatthepirateadoptsthefollowingstrategy:insegmentitrebroadcastsoneofthevariantsforwhich2.Theexistenceofsuchavariantisguaranteedbythepigeonholeprinciple,since.Clearly,thechosensubsetforall0.Hence,itisimpossibletodistinguishbetweentherealcoalitionof,andthecamoußagesets.Therefore,theschemecouldneverpointoutthetruetraitorsfromthe1subscribersin WewouldliketopointoutthatTheorem1isageneralizationofTheorem4.2of[4]whichwasrestrictedtothecase2.Inaddition,weprovedthislowerboundonthealphabetsizeunderthemoregeneralassumptionofrobustnessofthewatermarks(whereastheproofofTheorem4.2of[4]reliedontheabilityofthetraitorstodestroy DynamicTraitorTracing3.TraitorTracingSchemesintheDynamicSettingPreliminariesInthedynamicscenario,thepiratebroadcastsateverytimesegment1,oneofthevariantsownedbythetraitorscontrolledbyhim,.Wedenotethatvariantanddenotebythepiratetransmissionuptotime(thoseareavailable,say,byregisteringasapirateuser).Thegoalofthewatermarkingschemeistodisconnectallsubscribersin,thusrenderingthepirateinoperative.Additionally,itwouldbebadtodisconnectinnocent.Hence,onlydeterministicschemesareconsideredinthiscase.Formally,adynamicwatermarkingschemeisafunctionForallinducesapartitionofintothedisjointsetsThisisinterpretedasfollows:1.Attime1,users1,getvariantofcontentsegment2.Attime1,usersaredisconnected,i.e.,getnovariantofcontentseg-.Weassumethatforall1,i.e.,disconnectionispermanent.Inthefollowingsubsectionswedescribeseveraldeterministicschemesandstudytheirperformanceintermsof,thenumberofvariantsthattheyrequireineachsegment,and,thenumberofstepsrequiredtotraceanddisconnectalltraitors.Theseschemesdonotrequireanyaprioriknowledgeof;instead,eachoftheseschemeskeepstrackofalowerboundonthenumberoftraitors.Thatvalueisinitiallysettozeroandonlywhenpiracyisdetecteddoestheschemeincreaseittoone.ThelowerboundisincreasedonlywhentheÞndingsoftheschemeuptothatpointimplythatthisisvalid.ThelowerboundisdenotedbyintheÞrsttwoschemesSections3.2and3.3.Inthethirdscheme,Section3.4,anotherrelatedparameterappearsandhasaslightlydifferentinterpretationFirstSchemeImpracticalConvergenceTimeThefollowingstraightforwardschememakesuseof(nomorethan)1variantsineachsegment.Therefore,ithasanoptimalspacialefÞciency.However,itstemporalefÞciencyisverybadasitsconvergencetimeisexponentialinSettRepeatforeverForallselectionsoftusersoutofUproducetvariantsofthecurrentsegmentandtransmittheivarianttoandthevarianttoallotherusersuntilthepiratetransmitsoneoftheIfthepirateevertransmitsvariantiforsomeidisconnectthesingleuseranddecrementtbyoneincrementtbyone A.FiatandT.TassaThisalgorithmassociateseachsegmentwithonepossiblecoalitionofsize,foreachvalueof0.Clearly,thisalgorithmwilltraceanddisconnectalltraitors,,becausewhenreachesthevalueof,oneoftheselectionswillbethatin;whenthatselectionismade,eitherpiracystopsoroneofthetraitorswillincriminatehimself.Theconvergencetimeforthisalgorithm,though,maybeaslargeashenceitisimpractical.SecondSchemeEfÞcientConvergenceNext,wepresentanalgorithmthatrequires21keysbutremovesalltraitorswithinsteps.Wenotethatanybinarydecisiontreefordeterminingallwithinausergroupofsizehasadepthof,asimpliedfromtheinformationtheoreticbound.Throughoutthisalgorithm,thesetofsubscribers,,ispartitionedinto21subsets,,whereandeachofthosesetsreceivesauniquevariant.Hence,therearenevermorethan21simultaneousvariants;since-thelowerboundonthenumberoftraitors-neverexceeds-thetruenumberoftraitors,theupperboundonthesizeofthealphabet,1,isrespected.Aninvariantofthealgorithmisthattheunioncontainsatleastonetraitorforall1isthecomplementarysubsetofusersthatisnotknowntoincludeatraitor.SettRepeatforeverTransmitadifferentvariantforeverynonemptysetofusersSIfthepiratetransmitsavariantofthecurrentsegmentthenisassociatedwithIincrementtbyonesplitIintotwoequal-sizedsubsetsandRaddthosesetstoPandsetIisassociatedwithoneofthesetsLdoasfollowsAddtheelementsinRtothesetIIfLisasingletonsetdisconnectthesingletraitorinLfromtheusersetUdecrementtbyoneremoveRandLfromPandrenumbertheremainingRandLsetsinPisnotasingletonsetsplitLintotwoequal-sizedsetsgivingnewsetsLandRisassociatedwithoneofthesetsRdoasabovewhileswitchingtherolesofRandLTheorem2.ThewatermarkingschemewhichtheabovealgorithmimplementstracesallptraitorswithinmptimestepswhileusingnomorethanrsimultaneousvariantsProof.Itisclearthatatanygivenstage,theunion,containsatleastonetraitor(thisisaninvariantofthealgorithm).Hence,thenumberof,cannotexceedthetotalnumberoftraitors,.Sincetheschemeusesateachstagenomorethan21variants,theupperboundof21simultaneousvariantsisrespected. DynamicTraitorTracingAsfortheconvergencetime,considerasequenceoftracingstepsthroughwhichatraitorisisolatedinsuccessivelysmallersubsets,.Clearly,eachsingletraitorwillbeisolatedwithinlogsteps.Hence,alltraitorswillbeisolatedwithinsteps.Oncealltraitorsareisolated,thepirateÕsbroadcastmustincriminatethemallafter ThirdSchemeImprovedConvergenceTimeHere,wepresentanotheralgorithmthatusesanoptimalalphabetofsize1.ItsconvergencetimeisboundedbywhichisadramaticimprovementoveroftheschemeinSection3.2,thoughstillnonpolynomialin.Ournewalgorithmisverysimilartothepreviousone,Section3.3,inthesensethatthepartitionsthatitusesareofthesameform,andithasthesameinvariants:theunioncontainsatleastonetraitorforall1isnotknowntoincludeanytraitor.Thedifferencebetweenthetwoalgorithms(whichismanifestedmostnotablyintheirrunningtime)stemsfromthefactthatwemaynothavesufÞcientvariantsforallthe1setsin(duetothetighterrestrictiononthesimultaneousnumberofvariants).Hence,ifinthepreviousalgorithmwehadonlyonedynamicparameter,,thatindicatedboththenumberofpairsandthecurrentlowerboundonthenumberoftraitors,inthisalgorithmtherearetwodynamicparameters:,thecurrentlowerboundonthenumberoftraitors(i.e.,howmanytraitorsareknowntoexistatthisstageofthesearch),and,thenumberofpairsofsubsets,,inthepartition.Eachofthosepairsisknowntoincludeatleastonetraitor.Clearly,;later,weshallseethat.Hence,theknowledgethatthetracingschemeholdsineachstepmaybesummarizedasfollows:Inthe21algorithm,havingtheluxuryofassigningauniquevarianttoeach,wewereguaranteedtomakeprogressineverystep,whereprogressmeanssplittingoneofthesetsintowardsclosingonthetraitor(s)inthatset.Here,how-ever,wecannotdososincewearelimitedtousingnomorethan1differ-entvariantsineachstep.Hence,insteadofachievingprogressineachstep,thealgo-rithmthatwepresentbelowisguaranteedtoachieveprogresswithinaÞnitenumberofSettRepeatforeverForeveryselectionofPwhereSareanyotherktsetsfromPproducekTransmittoSforallwhileallremainingusersgetAssumethatthepiratetransmitsatsomestepavariantthatcorrespondstoasinglesetinPwhenktthosearethevariantswherewhenkontheotherhandallvariantscorrespondtoasingleset A.FiatandT.TassaisalsotransmittedtojustonesetInthatcasecorrespondstoanLthenthatsetmustcontainatraitorInthatcaseweaddthecorrespondingcomplementarysettoIandsplitLtwoequal-sizedsetsgivinganewInthiscaseneithertnorkchangesbuteventuallywhenthesizeoftheincriminatedsetisonewemaydisconnectthetraitorinthatsetWhenthishappenswerestarttheloopafterdecrementingkandtbyonecorrespondstoanRweactsimilarlycorrespondstoIitallowsustoincrementtbyoneandkaswellifkwasequaltotsplitIintoanewsetIandrestarttheIfktandthepiratealwaystransmitsthenaftercompletingtheentireloopwemayincrementkbyoneandthenrestarttheloopGiven,thebasicloopconsistsof2rounds.Since,intheworstcase,wemayneedtorepeattheloopfromuntilwesplitaset,weareguaranteedtomakeprogressintheformofsplittingasetwithinnomorethan1steps(whichequalsthesumoveroftheaboveterms).Thisisalwaysboundedby2.Hence,convergenceisguaranteedwithinnomorethansteps.Thisboundisnottight,but,ontheotherhand,itisclearthatanyupperboundontheconvergencetimecannotbelessthanrounds.Hence,thisalgorithmisexponentialinTosummarize:Theorem3.ThewatermarkingschemewhichtheabovealgorithmimplementstracesallptraitorswithinmptimestepswhileusingnomorethanrsimultaneousvariantsNotethatthisalgorithmactuallycombinesthetwopreviousones.Itusesthesamesearchtreeasthe21algorithmofSection3.3.However,whenagapiscreated,theprevious1algorithmofSection3.2isimplementedinordertotracetheadditionalsubsetsofthatcontainatraitor.Wecould,ofcourse,avoidtheinefÞcientalgorithmofSection3.2and,instead,implementagainthealgorithmofSection3.3inarecursivemanner.However,thatwouldmakethealgorithmquiteintricate,whilenotimprovingitsconvergencetimesubstantially.4.OpenProblemsItisimportanttounderstandtheunderlyingperformanceconsiderationswhichoneneedstoconsider:bandwidth,storage,andcomputationtime.Someofthepublishedresultsonvariousbroadcastproblemsareseeminglyirrelevantbecausetheydonotdealwiththeperformancecharacteristicsofthesolution.OneimportanttaskistogiveauniÞedanalysisofthevarioussolutionsproposedintheliterature.Asforthepresentstudy,theopenproblemsthatitraisesareasfollows:1.Devisingaprobabilisticalgorithminthedynamicmodel.Therearetwosettingstoconsiderinthiscontext:(a)knownallocationofcodewords(thepirateknows DynamicTraitorTracingthecodewordsofallusersandnotjustofthosehecontrols),and(b)obliviousallocationofcodewords.2.Findingadeterministicdynamicalgorithmbasedonaminimalalphabet,withaconvergencetimethatispolynomialin3.Provingordisprovingthatanydeterministicstaticschemeisexponential(inthenumberofsegmentsRecently,Berkmanetal.havesolvedsomeoftheseproblems.Thereaderisreferredto[2].AcknowledgmentsTheauthorsgratefullyacknowledgeinterestingandvaluableconversationswithOmerBerkman,JacobGoldberger,andBennyPinkas.References[1]R.Anderson,M.Kuhn,TamperResistance-aCautionaryNote,2ndUSENIXWorkshoponElectronicCommerceProceedings,Oakland,California,1996,pp.1Ð11.[2]O.Berkman,M.ParnasandJ.Sgall,EfÞcientDynamicTraitorTracing,Proc.11thAnnualACMÐSIAMSymposiumonDiscreteAlgorithmsSODA),(2000),pp.586Ð595.ToappearinSIAMJournalof[3]D.BonehandM.Franklin,AnEfÞcientPublicKeyTraitorTracingScheme,ProcCryptoÕ99,LNCS1666,Springer-Verlag,Berlin,1999,pp.338Ð353.[4]D.BonehandJ.Shaw,Collusion-SecureFingerprintingforDigitalData,IEEETransactionsonInforma-tionTheory,vol.44,no.5(1998),pp.1897Ð1905(seealsoProc95,LNCS963,Springer-Verlag,Berlin,1995,pp.452Ð465).[5]R.Canetti,J.Garay,G.Itkis,D.Micciancio,M.Naor,andB.Pinkas,MulticastSecurity:ATaxonomyandEfÞcientConstructions,ProcofINFOCOMÕ99,vol.2,NewYork,March1999,pp.708Ð716.[6]B.Chor,A.Fiat,andM.Naor,TracingTraitors,Proc94,LNCS839,Springer-Verlag,Berlin,1994,pp.257Ð270.Forafullversionsee[7].[7]B.Chor,A.Fiat,M.Naor,andB.Pinkas,TracingTraitors,IEEETransactionsonInformationTheoryvol.46,no.3(2000).[8]I.J.Cox,J.Kilian,T.Leighton,andT.Shamoon,ASecure,RobustWatermarkforMultimedia,Infor-mationHiding,LNCS1174,Springer-Verlag,Berlin,1996,pp.185Ð226.[9]C.Dwork,J.Lotspiech,andM.Naor,DigitalSignets:Self-EnforcingProtectionofDigitalInformation,Proc.28thSymposiumontheTheoryofComputation(1996),pp.489Ð498.[10]A.FiatandM.Naor,BroadcastEncryption,Proc93,LNCS773,Springer-Verlag,Berlin,1993,pp.480Ð491.[11]J.A.Garay,J.Staddon,andA.Wool,Long-LivedBroadcastEncryption,Proc[12]P.Kocher,CryptographyResearch,http://www.cryptography.com/dpa/index.html.[13]M.NaorandB.Pinkas,ThresholdTraitorTracing,Proc98,LNCS1462,Springer-Verlag,Berlin,1998,pp.502Ð517.[14]B.PÞtzmann,TrialsofTracedTraitors,InformationHiding,LNCS1174,Springer-Verlag,Berlin,1996,pp.49Ð64.[15]R.Safavi-NainiandY.Wang,SequentialTraitorTracing,Proc[16]J.SchwenkandJ.Ueberberg,TracingTraitorsusingFiniteGeometries,manuscript.[17]D.R.StinsonandR.Wei,CombinatorialPropertiesandConstructionsofTraceabilitySchemesandFrameproofCodes,SIAMJournalonDiscreteMathematics,vol.11,no.1(1998),pp.41Ð53.[18]KeyPreassignedTraceabilitySchemesforBroadcastEncryption,SelectedAreasinCryptography,LNCS1556,Springer-Verlag,Berlin,1999.