
[IEEE 2006 International Conference on Software Engineering Advances (ICSEA'06) - Tahiti (2006.19.29-2006.19.29)] 2006 International Conference on Software Engineering Advances (ICSEA'06)


A Class of Traceability Codes with an Efficient Tracing Algorithm

Yizhou Ma, Chang-hui Choe, Moon Ho Lee Institute of Information and Communication

Chonbuk National University Jeonju, 561-756, Korea

{myzppp, nblue95, moonho}@chonbuk.ac.kr

Abstract—Traitor tracing is one kind of piracy deterrent schemes that helps trace the source of leaks when sensitive or proprietary data is made available to a large set of parties. In such schemes, error correcting codes can be applied for their natural properties, known as traceability codes. In this paper, we present Reed-Solomon codes as a kind of traceability codes and use list decoding algorithm to efficiently trace the traitors. We place our emphasis upon the conditions under which list decoding algorithm can be applied successfully for Reed-Solomon codes and the maximum numbers of users and traceable traitors for particular codes.

Keywords- Traitor Tracing; Traceability Codes; Reed-Solomon codes; List Decoding Algorithm

I. INTRODUCTION

Traitor tracing schemes were first introduced in [1] and have been extensively studied in the recent years for use as a piracy deterrent. In a typical model for traitor tracing schemes, a unique set (possibly ordered) of n symbols is associated with each user. For example, the set may be contained in a smartcard which the user has for the purpose of viewing encrypted pay-TV programs or associated with a user’s software CD (in the former case, the set corresponds to a set of keys). When a coalition forms to commit piracy, it must construct a set to associate with the pirate object. In the case of unordered sets, this pirate set consists of r symbols, each of which belongs to at least one coalition member’s set. If the sets are ordered, the coalition members must form an ordered pirate set in which the symbol in each position is identical to the symbol in the same position in the ordered set of some coalition member as Figure 1 shows.

Figure 1. An example of ordered pirate.

In this paper, we just focus on the ordered case in which a traitor tracing scheme can be applied to identify an actual traitor or traitors. The approach we take here is to use one kind of error correcting codes, Reed-Solomon codes, as traceability codes to construct such a scheme. However, the pirate set of a coalition usually commits more so-called “errors” than the error correcting codes can correct using traditional decoding algorithms. In other words, the number of errors is beyond the correcting ability of the error correcting codes. To solve this problem, we apply the list decoding algorithm introduced by [2] and [3], and find out the conditions under which this algorithm can work properly in traceability codes and the maximum number of possible users and traitors that can be traced.

The paper is organized as follows. In Section Ⅱ, we recall traceability codes and prove that Reed-Solomon codes are one kind of them. In Section Ⅲ, the list decoding algorithm is introduced. In the next section we analyze the performance of traceability codes while using the list decoding algorithm. In Section Ⅴ, we discuss our results and propose possible extensions.

II. TRACEABILITY CODES

In this section we present definitions, notation, and background on traceability codes, see [4], and then prove that Reed-Solomon codes are one kind of such codes.

1. Definitions and Notation

Let $\Gamma$ be a $q$-ary code of length $n$ and size $q^k$, $\Gamma \subseteq Q^n$, where $Q$ is a finite alphabet and $|Q| = q$, $|\Gamma| = q^k$. Elements of $Q^n$ are called words. An element of $\Gamma$, called a codeword, can be written as $w = (w_1, w_2, \ldots, w_n)$ where $w_i \in Q$. For example: $Q = \{0, 1\}$, $|Q| = 2$. If $n = 2$, $Q^2 = \{00, 01, 10, 11\}$. $\Gamma = \{00, 11\}$ is a subset of $Q^2$, and $w = (0, 0)$ or $w = (1, 1)$ is a codeword.

Let $\Gamma_\omega = \{w^{(1)}, w^{(2)}, \ldots, w^{(\omega)}\} \subset \Gamma$ be a subset of $\Gamma$, called a coalition. If $w_i^{(1)} = w_i^{(2)} = \cdots = w_i^{(\omega)}$, then the position $i$ is called undetectable, otherwise it is called detectable. For any coalition $\Gamma_\omega \subseteq \Gamma$, we define the set of descendants of $\Gamma_\omega$, denoted by

$$\mathrm{Desc}(\Gamma_\omega) = \{\, w \in Q^n : w_i \in \{w_i^{(1)}, w_i^{(2)}, \ldots, w_i^{(\omega)}\} \text{ for all } 1 \le i \le n \,\}.$$

The set $\mathrm{Desc}(\Gamma_\omega)$ consists of the $n$-tuples that could be produced by the coalition $\Gamma_\omega$. An element $w$ of $\mathrm{Desc}(\Gamma_\omega)$ is called a descendant of $\Gamma_\omega$. For example:

$\Gamma$: 0000000, 1001011, 0101110, 0111001, 1100101, 1011100, 1110010

$\Gamma_3$: 1001011, 0111001, 1011100

$\mathrm{Desc}(\Gamma_3)$: 1001011, 0011000, …

and $w_4^{(1)} = w_4^{(2)} = w_4^{(3)} = 1$, so location 4 is undetectable, while others are detectable.

Let $I(x, y) = \{ i : x_i = y_i \}$ for $x, y \in Q^n$. For example: $x = (1001011)$, $y = (1010001)$, $I(x, y) = \{1, 2, 5, 7\}$.

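Definition 1. $\Gamma$ is an $\omega$-traceability code if for any subset $\Gamma_\omega$ with $\omega$ codewords of $\Gamma$, if $x \in \mathrm{Desc}(\Gamma_\omega)$, then there is at least one codeword $y \in \Gamma_\omega$ such that $|I(x, y)| > |I(x, z)|$ for any $z \in \Gamma \setminus \Gamma_\omega$.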

In other words, Γ is an ω - traceability code if, whenever a coalition of size at most ω produces a pirate word x , there is an element of the coalition which is closer to x than any codeword not in the coalition.

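Theorem 1. If $\Gamma$ is a $(n, q^k)$-code having length $n$, dimension $k$ and minimum distance $d > n\left(1 - \frac{1}{\omega^2}\right)$, then $\Gamma$ is an $\omega$-traceability code.

Proof. Assume $x \in \mathrm{Desc}(\Gamma_\omega)$, there is at least one $y \in \Gamma_\omega$, such that $|I(x, y)| \ge \frac{n}{\omega}$ (otherwise $|I(x, y)| < \frac{n}{\omega}$, $\sum_{i=1}^{\omega} |I(x, y_i)| < n$. It is a contradiction with $x \in \mathrm{Desc}(\Gamma_\omega)$).

Since $d > n\left(1 - \frac{1}{\omega^2}\right)$, we have $d(z, y) > n\left(1 - \frac{1}{\omega^2}\right)$, where $z \in \Gamma \setminus \Gamma_\omega$, i.e.

$$|I(z, y)| < n - n\left(1 - \frac{1}{\omega^2}\right) = \frac{n}{\omega^2},$$

therefore

$$|I(z, x)| \le |I(z, \Gamma_\omega)| \le \sum_{i=1}^{\omega} |I(z, y_i)| < \omega \cdot \frac{n}{\omega^2} = \frac{n}{\omega} \le |I(x, y)|,$$

$\Gamma$ is an $\omega$-traceability code. □

2. Reed-Solomon Codes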

Reed-Solomon codes are one of the most widely used kinds of linear error correcting codes, having many useful applications (e.g., compact disks). In order to construct a Reed-Solomon code of length $n$ and dimension $k$ over the finite field $F_q$, fix $n$ distinct elements $\alpha_1, \ldots, \alpha_n$ of $F_q$. The codewords are exactly the $n$-tuples $(f(\alpha_1), \ldots, f(\alpha_n))$ as $f$ runs over (the zero polynomial and) all polynomials of degree less than $k$ in $F_q[x]$. Note that a basis for the code over $F_q$ is

$$\{(1, \ldots, 1),\ (\alpha_1, \ldots, \alpha_n),\ (\alpha_1^2, \ldots, \alpha_n^2),\ \ldots,\ (\alpha_1^{k-1}, \ldots, \alpha_n^{k-1})\}.$$

Since two distinct polynomials of degree less than $k$ agree on at most $k - 1$ points, the minimum distance of the code is $n - k + 1$.

Theorem 2. Let $\Gamma$ be a Reed-Solomon code $[n, k, d]$, where $k = \frac{n}{\omega^2}$, then $\Gamma$ is an $\omega$-traceability code.

Proof. Since $\Gamma$ is a Reed-Solomon code $[n, k, d]$, the minimum distance is

$$d = n - k + 1 = n - \frac{n}{\omega^2} + 1 > n\left(1 - \frac{1}{\omega^2}\right).$$

So, $\Gamma$ is an $\omega$-traceability code. □

As we know, a Reed-Solomon code $[n, k, d]$ can correct $\tau = \frac{d-1}{2}$ errors. When it is used as an $\omega$-traceability code, where $d > n\left(1 - \frac{1}{\omega^2}\right)$, given a collusion $x \in \mathrm{Desc}(\Gamma_\omega)$, we need to trace a traitor $y \in \Gamma_\omega$ such that $|I(x, y)| \ge \frac{n}{\omega}$, i.e., $d(x, y) \le n\left(1 - \frac{1}{\omega}\right)$, which must correct $n\left(1 - \frac{1}{\omega}\right)$ errors. So

$$\tau = \frac{d-1}{2} < \frac{n}{2}\left(1 - \frac{1}{\omega^2}\right) < n\left(1 - \frac{1}{\omega}\right).$$

That means we need beyond-minimum-distance decoding to correct the errors and trace the traitors. Therefore, the list decoding algorithm becomes one choice.

III. LIST DECODING ALGORITHM

A list decoding algorithm for a code is an algorithm which, for a given input vector, recovers all codewords within a given Hamming radius e from that vector, for a given integer e. Sudan’s algorithm was the first efficient list decoding algorithm for Reed-Solomon codes and also among the most efficient algorithms known to date for list decoding of algebraic codes, see [5]-[10]. Next, we outline Sudan’s algorithm without proof, which can be found in [2] and [3], and then an example follows.

Definition 2. (weighted degree) For weights $w_x, w_y \in \mathbb{Z}^+$, the $(w_x, w_y)$-weighted degree of a monomial $q_{ij} x^i y^j$ is $i w_x + j w_y$. The $(w_x, w_y)$-weighted degree of a polynomial $Q(x, y) = \sum_{ij} q_{ij} x^i y^j$ is the maximum, over the monomials with non-zero coefficients, of the $(w_x, w_y)$-weighted degree of the monomial.

Algorithm:

/* Inputs: $n$, $d$, $t$; $\{(x_1, y_1), \ldots, (x_n, y_n)\}$ */

A. /* Parameters $l$, $m$ to be set later. */

B. Find any function $Q : F^2 \to F$ satisfying: $Q(x, y)$ has $(1, d)$-weighted degree at most $m + ld$; $\forall i \in [n]$, $Q(x_i, y_i) = 0$; $Q$ is not identically zero.

C. Factor the polynomial $Q$ into irreducible factors.

D. Output all the polynomials $f$ such that $(y - f(x))$ is a factor of $Q$ and $f(x_i) = y_i$ for at least $t$ values of $i$ from $[n]$.

Note: Step C above can be solved in randomized polynomial time with zero-sided error. If $F$ is of characteristic zero, or if the running time is allowed to be polynomial in $|F|$, then the solution can be obtained deterministically.

Following is a simplified example:

Let $\Gamma$ be a Reed-Solomon code $[8, 2, 7]$, with generator matrix

$$G = \begin{pmatrix} 1 & 1 & 1 & 1 & \cdots & 1 \\ 0 & 1 & \alpha & \alpha^2 & \cdots & \alpha^6 \end{pmatrix}_{2 \times 8},$$

so the codeword after encoding is

$$c = (c_0\ c_1\ c_2\ c_3\ c_4\ c_5\ c_6\ c_7) = (m_1\ m_2)\, G$$

where $(m_1\ m_2)$ is the information to be transmitted. Since $k = 2$, we assume $c_i = C(x_i) = a + b x_i$, i.e.,

$$C(x) = a + bx,$$

where $x = 0, 1, \alpha, \alpha^2, \alpha^3, \ldots, \alpha^6$.

Suppose that four errors occur during the transmission in the channel, say $e = (0\ 0\ 0\ 0\ e_4\ e_5\ e_6\ e_7)$, and the received word is

$$y = (y_0\ y_1\ y_2\ y_3\ y_4\ y_5\ y_6\ y_7),$$

note that $\tau = \frac{d-1}{2} = \frac{7-1}{2} = 3 < 4$. Therefore, $C(x_j) = y_j$ for $j = 0, 1, 2, 3$ and $C(x_h) = y_h - e_h \ne y_h$ for $h = 4, 5, 6, 7$. Then we construct the following matrix:

$$\left[\begin{array}{ccccccccc}
1 & x & y & x^2 & xy & y^2 & x^3 & x^2 y & x y^2 \\ \hline
1 & x_0 & y_0 & x_0^2 & x_0 y_0 & y_0^2 & x_0^3 & x_0^2 y_0 & x_0 y_0^2 \\
1 & x_1 & y_1 & x_1^2 & x_1 y_1 & y_1^2 & x_1^3 & x_1^2 y_1 & x_1 y_1^2 \\
1 & x_2 & y_2 & x_2^2 & x_2 y_2 & y_2^2 & x_2^3 & x_2^2 y_2 & x_2 y_2^2 \\
1 & x_3 & y_3 & x_3^2 & x_3 y_3 & y_3^2 & x_3^3 & x_3^2 y_3 & x_3 y_3^2 \\
1 & x_4 & y_4 & x_4^2 & x_4 y_4 & y_4^2 & x_4^3 & x_4^2 y_4 & x_4 y_4^2 \\
1 & x_5 & y_5 & x_5^2 & x_5 y_5 & y_5^2 & x_5^3 & x_5^2 y_5 & x_5 y_5^2 \\
1 & x_6 & y_6 & x_6^2 & x_6 y_6 & y_6^2 & x_6^3 & x_6^2 y_6 & x_6 y_6^2 \\
1 & x_7 & y_7 & x_7^2 & x_7 y_7 & y_7^2 & x_7^3 & x_7^2 y_7 & x_7 y_7^2
\end{array}\right]_{8 \times 9}$$

Since this is an $8 \times 9$ matrix, the 9 column vectors are always linearly dependent. So, we can certainly find $D(x)$, $N(x)$ and $R(x)$ such that

$$Q(x_i, y_i) = D(x_i) + N(x_i)\, y_i + R(x_i)\, y_i^2 = 0$$

where $i = 0, 1, \ldots, 7$. The degrees are bounded by $\deg(D(x)) \le 3$, $\deg(N(x)) \le 2$ and $\deg(R(x)) \le 1$.

Substituting $x_i$ with $x_j$ and $y_i$ with $C(x_j)$, we have

$$Q(x_j, C(x_j)) = D(x_j) + N(x_j)\, C(x_j) + R(x_j)\, C(x_j)^2 = 0$$

for $j = 0, 1, 2, 3$. That means there are 4 roots.

And $\deg(C(x)) = 1$, so

$$\deg(Q(x, C(x))) = \deg\left(D(x) + N(x)\, C(x) + R(x)\, C(x)^2\right) \le 3,$$

therefore, we can draw the conclusion that $Q(x, C(x)) \equiv 0$.

As a result, the decoding part changes into the problem of solving the equation

$$Q(x, y) = (y - C(x))\, q(x, y),$$

which can be worked out with several methods and we are not going any further here.
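The simplified example above, run end to end as an added Python sketch (not code from the paper) for a coalition of $\omega = 2$ users of an $[8, 2, 7]$ code. Assumptions: the prime field GF(11) replaces the paper's GF(8), users are identified by their message $(a, b)$, all function names are hypothetical, and the factoring step is replaced by a search over the 121 candidate polynomials $a + bx$.

```python
from itertools import product

P = 11               # assumption: prime field GF(11) stands in for the paper's GF(8)
XS = list(range(8))  # n = 8 distinct evaluation points x_0..x_7
# Columns of the 8 x 9 matrix as exponents (a, b) of x^a y^b:
# 1, x, y, x^2, xy, y^2, x^3, x^2 y, x y^2
MONOMIALS = [(0, 0), (1, 0), (0, 1), (2, 0), (1, 1), (0, 2), (3, 0), (2, 1), (1, 2)]

def encode(user):
    """Codeword of user (a, b): the values of C(x) = a + b*x on XS."""
    return [(user[0] + user[1] * x) % P for x in XS]

def descendant(coalition, choice):
    """Pirate word whose position i is copied from coalition member choice[i]."""
    words = [encode(u) for u in coalition]
    return [words[c][i] for i, c in enumerate(choice)]

def agreement(user, word):
    """|I(x, y)|: number of positions where the user's codeword matches word."""
    return sum(c == w for c, w in zip(encode(user), word))

def kernel_vector(rows):
    """Non-zero v with rows * v = 0 (mod P), by Gauss-Jordan elimination."""
    m = [r[:] for r in rows]
    ncols, pivots, r = len(m[0]), {}, 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(m)) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], -1, P)
        m[r] = [v * inv % P for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                m[i] = [(a - m[i][c] * b) % P for a, b in zip(m[i], m[r])]
        pivots[c] = r
        r += 1
    free = next(c for c in range(ncols) if c not in pivots)  # 9 columns, rank <= 8
    v = [0] * ncols
    v[free] = 1
    for c, row in pivots.items():
        v[c] = -m[row][free] % P
    return v

def eval_q(q, x, y):
    return sum(c * pow(x, a, P) * pow(y, b, P)
               for c, (a, b) in zip(q, MONOMIALS)) % P

def trace(word, t):
    """Users whose codeword agrees with word in at least t positions."""
    rows = [[pow(x, a, P) * pow(y, b, P) % P for a, b in MONOMIALS]
            for x, y in zip(XS, word)]
    q = kernel_vector(rows)          # step B: Q(x_i, y_i) = 0 for every i
    found = []
    for a, b in product(range(P), repeat=2):
        # Steps C/D by exhaustive search instead of factoring: y - (a + bx)
        # divides Q iff Q(x, a + bx), of degree <= 3, vanishes on all of GF(P).
        if all(eval_q(q, x, (a + b * x) % P) == 0 for x in range(P)) \
                and agreement((a, b), word) >= t:
            found.append((a, b))
    return found

TRAITORS = [(3, 5), (5, 2)]   # constructed sample coalition, omega = 2
PIRATE = descendant(TRAITORS, [0, 1, 0, 1, 1, 0, 0, 1])
print("traced users:", trace(PIRATE, len(XS) // 2))   # t = n / omega = 4
```

Each traitor is at distance 4 from the pirate word, beyond $\tau = 3$, yet both are returned because $Q(x, C(x))$ has four roots and degree at most 3 for each of them.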

IV. ANALYTICAL RESULTS

In this section we will analyze the performance of traceability codes while using the list decoding algorithm, including the conditions under which the list decoding algorithm can be applied and the maximum numbers of users and traceable traitors for particular traceability codes.

For a Reed-Solomon code $[n, k, d]$, let $\deg(y) = h = k - 1$, we can construct a relative $n \times (n + 1)$ matrix for list decoding. For example, let $k = 4$, i.e., $h = 3$, and we can get

Note that the number of elements with degree from 0 to 2 is $h = 3$, from 3 to 5 is $2h = 6$, and so on. So for general cases,

.

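The order of the last column is $n + 1$, and assume its degree is in the range of $\lambda h \sim (\lambda + 1)h - 1$, so

$$\frac{\lambda(\lambda + 1)}{2}\, h < n + 1 \le \frac{(\lambda + 1)(\lambda + 2)}{2}\, h$$

and the degree of the last column is

$$\deg = \frac{n + 1 - \frac{\lambda(\lambda + 1)}{2} h}{\lambda + 1} - 1 + \lambda h.$$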

Meanwhile, as an $\omega$-traceability code, the R-S code $[n, k, d]$ is what we used to trace a traitor $y \in \Gamma_\omega$ such that $|I(x, y)| \ge \frac{n}{\omega}$. So the list decoding algorithm can be applied, if the following inequality is satisfied:

$$\frac{n}{\omega} > \frac{n + 1 - \frac{\lambda(\lambda + 1)}{2} h}{\lambda + 1} - 1 + \lambda h.$$

In other words, if the number of positions with the same value is greater than the maximum degree of the elements in the matrix, the tracing can be successful using the list decoding.

According to the result presented above, we make up Table 1 to summarize the relationship among n , h and ω :


Table 1.

As we can see, the longer the codeword length is, the more combinations there are. For a particular group $(n, h, \omega)$, the number of codewords is $n^{h+1}$ and the maximum number of traitors that can be traced is $\omega$.

V. CONCLUSION

We have reviewed traceability codes and Sudan’s list decoding algorithm and proved that Reed-Solomon codes are a kind of traceability codes. We demonstrated the conditions under which Sudan’s list decoding algorithm can be used to implement beyond-minimum-distance decoding, and the numbers of total users and traitors that can be traced for particular traceability codes.

Our future work will focus on exploring applications of other error correcting codes to traitor tracing and improving the list decoding algorithm in scenarios where additional information has been obtained about the traitors or their mode of operation.

ACKNOWLEDGMENT

This research was partially supported by the MIC (Ministry of Information and Communication), Korea, under the ITFSIP (IT Foreign Specialist Inviting Program) supervised by the IITA (Institute of Information Technology Assessment), International Cooperative Research by Ministry of Science and Technology, KOTEF and 2nd stage Brain Korea 21.

REFERENCES

[1] B. Chor, A. Fiat and M. Naor. Tracing traitors, in “Advances in Cryptology – Crypto ‘94”, Lecture Notes in Computer Science 839 (1994), 480-491.

[2] M. Sudan. Decoding of Reed-Solomon codes beyond the error-correction bound. Journal of Complexity, 13(1):180-193, 1997.

[3] V. Guruswami and M. Sudan. Improved decoding of Reed-Solomon codes and algebraic geometry codes. IEEE Trans. Inform. Theory, Vol. 45, 1999, 1757-1767

[4] Alice Silverberg , Jessica Staddon , Judy L. Walker, Efficient Traitor Tracing Algorithms Using List Decoding, Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology, p.175-192, December 09-13, 2001.

[5] G.-L. Feng. “A fast special factorization algorithm in the Sudan decoding procedure,” in Proceedings 31-th Allerton Conference, September 2000.

[6] R.R. Nielsen. and T. Hoholdt. Decoding Reed-Solomon codes beyond half the minimum distance. In Proceedings of the International Conference of Coding Theory and Cryptography, Mexico 1998. Springer-Verlag, 1998.

[7] E. Berlekamp, “Bounded Distance +1 Soft-Decision Reed-Solomon Decoding” IEEE Transactions on Information Theory, vol. 42, 1996, pp. 704-720.

[8] G.-L. Feng. Two Fast Algorithms in the Sudan Decoding Procedure. Proceedings of the 37th Annual Allerton Conference on Communication, Control and Computing, pp. 545-554, 1999.

[9] Venkatesan Guruswami. List Decoding of Error-Correcting Codes. Ph.D. thesis, Massachusetts Institute of Technology, August 2001.

[10] V. Guruswami and M. Sudan. “List decoding algorithms for certain concatenated codes,” Proc. 32nd ACM Symp. On Theory of Computing, 2000, p. 181-190.

0-7695-2703-5/06/$20.00 (c) IEEE

Proceedings of the International Conference on Software Engineering Advances (ICSEA'06) 0-7695-2703-5/06 $20.00 © 2006