Randomized Frameproof Codes: Fingerprinting Plus Validation Minus Tracing

We propose randomized frameproof codes for content protection, which arise by studying a variation of the Boneh-Shaw fingerprinting problem. In the modified system, whenever a user tries to access his fingerprinted copy, the fingerprint is submitted …

Authors: N. Prasanth Anthapadmanabhan, Alexander Barg

N. Prasanth Anthapadmanabhan
Dept. of Electrical and Computer Eng., University of Maryland, College Park, MD 20742
Email: nagarajp@umd.edu

Alexander Barg
Dept. of ECE and Inst. for Systems Research, University of Maryland, College Park, MD 20742
Email: abarg@umd.edu

Abstract: We propose randomized frameproof codes for content protection, which arise by studying a variation of the Boneh-Shaw fingerprinting problem. In the modified system, whenever a user tries to access his fingerprinted copy, the fingerprint is submitted to a validation algorithm to verify that it is indeed permissible before the content can be executed. We show an improvement in the achievable rates compared to deterministic frameproof codes and traditional fingerprinting codes. For coalitions of an arbitrary fixed size, we construct randomized frameproof codes which have an $O(n^2)$ complexity validation algorithm and probability of error $\exp(-\Omega(n))$, where $n$ denotes the length of the fingerprints. Finally, we present a connection between linear frameproof codes and minimal vectors for size-2 coalitions.

I. INTRODUCTION

The availability of content (e.g., software, movies, music etc.) in the digital format, although with many advantages, has the downside that it is now easy for users to make copies, perform alterations, and share the content illegally. Thus there is a dire need for protecting the content against unauthorized redistribution, commonly termed as piracy.

In this paper, we consider a variation of the Boneh-Shaw fingerprinting scheme [6] for content protection. We start with an informal description of the problem. We will refer to the legal content owner as the distributor and the legitimate license holders as users.
The distributor embeds a unique hidden mark, called a fingerprint, which identifies each licensed copy. The fingerprint locations, however, remain the same for all users. The collection of fingerprints is called the codebook and the distributor uses some form of randomization in choosing the codebook. We assume that changes to the actual content render it useless, while the fingerprint may be subject to alterations. This assumption is reasonable, for instance, in applications to software fingerprinting.

A single user is unable to pinpoint any of the fingerprint locations. However, if a set of users, called a coalition of pirates, compare their copies, they can infer some of the fingerprint locations by identifying the differences. The coalition now attempts to create a pirated copy with a forged fingerprint. In order to define the coalition's capability in creating the forgery, Boneh and Shaw introduced the marking assumption, which simply states that the coalition makes changes only in those positions where they find a difference (and hence are definitely fingerprint locations) as they do not wish to damage the content permanently.

The objective of the distributor is to trace one of the guilty users whenever such a pirated copy is found. The maximum coalition size is a parameter of the problem. Such a collection of fingerprints together with the tracing algorithm is called a fingerprinting code. This problem has been studied in detail in [6], [4], [11], [2], where various constructions and upper bounds have been presented.

Consider now the modified system where each time a user accesses his fingerprinted copy, the fingerprint is validated to verify whether it is in fact permissible in the codebook being used and the execution continues only if the validation is successful.
This limits the forgery possibilities for the pirates at the cost of an additional validation operation carried out every time a user accesses his copy. The idea is that by designing an efficient validation algorithm, we do not pay too high a price.

The advantage of this scheme is demonstrated by an improvement in the achievable rates compared to traditional fingerprinting codes, even though the actual property (cf. Definition 2.2) is not in general weaker than fingerprinting. In addition, since the pirates are limited to creating only a valid fingerprint and because we are interested in unique decoding, there is no additional tracing needed. The distributor simply accuses the user corresponding to the fingerprint in the pirated copy as guilty. In this case, the coalition is successful if it is able to forge the fingerprint of an innocent user, thus "framing" him as the pirate. The distributor's objective is to design codes for which the probability that this error event occurs is small, deriving the name frameproof codes.

In the deterministic case with zero-error probability, frameproof codes arise as a special case of separating codes, which have been studied over many years since being introduced in [8]. For further references on deterministic frameproof codes and separating codes, we refer the interested reader to [9], [7], [10], [5]. In order to emphasize the difference that we consider the randomized setting, we call our codes randomized frameproof codes.

The rest of the paper is organized as follows. In Section II, we give a formal definition for randomized frameproof codes. Achievable rates under no restrictions on validation complexity are presented in Section III. In Section IV, we show the existence of linear frameproof codes and exhibit a connection to minimal vectors for size-2 coalitions.
Finally, we design a concatenated code with efficient validation for arbitrary coalition sizes in Section V.

II. PROBLEM DEFINITION

We will use the following notation. Boldface will denote vectors. The Hamming distance between vectors $\mathbf{x}_1, \mathbf{x}_2$ will be denoted by $\mathrm{dist}(\mathbf{x}_1, \mathbf{x}_2)$. We also write $s_{\mathbf{z}}(\mathbf{x}_1, \dots, \mathbf{x}_t)$ to denote the number of $\mathbf{z}^T$ columns in the matrix formed with the vectors $\mathbf{x}_1, \dots, \mathbf{x}_t$ as the rows. For a positive integer $n$, the shorthand notation $[n]$ will stand for the set $\{1, \dots, n\}$. We use $h(p) := -p \log_2 p - (1-p) \log_2 (1-p)$ to denote the binary entropy function and $D(p \| q) := p \log_2 (p/q) + (1-p) \log_2 ((1-p)/(1-q))$ to denote the information divergence.

Let $\mathcal{Q}$ be an alphabet (often a field) of finite size $q$ and let $M$ be the number of users in the system. Assume that there is some ordering of the users and denote their set by $[M]$. The fingerprint for each user is of length $n$.

Consider the following random experiment. We have a family of $q$-ary codes $\{C_k, k \in \mathcal{K}\}$ of length $n$ and size $M$. In particular, here the code $C_k$ refers to an ordered set of $M$ codewords. We pick one of the codes according to the probability distribution function $(\pi(k), k \in \mathcal{K})$. For brevity, the result of this random experiment is called a randomized code and is denoted by $\mathcal{C}$. The rate of this code is $R = n^{-1} \log_q M$. We will refer to elements of the set $\mathcal{K}$ as keys. Note that the dependence on $n$ has been suppressed for simplicity.

The distributor assigns the fingerprints as follows. He chooses one of the keys, say $k$, with probability $\pi(k)$, and assigns to user $i$ the $i$th codeword of $C_k$, denoted by $C_k(i)$.
Following the standard cryptographic precept that the adversary knows the system, we allow the users to be aware of the family of codes $\{C_k\}$ and the distribution $\pi(\cdot)$, but the exact key choice is kept secret by the distributor. The fingerprints are assumed to be distributed within the host message in some fixed locations unknown to the users. Before a user executes his copy, his fingerprint is submitted to a validation algorithm, which checks whether the fingerprint is a valid codeword in the current codebook. The execution continues only if the validation succeeds.

A coalition $U$ of $t$ users is an arbitrary $t$-subset of $[M]$. The members of the coalition are commonly referred to as pirates. Suppose the collection of fingerprints assigned to $U$, namely $C_k(U)$, is $\{\mathbf{x}_1, \dots, \mathbf{x}_t\}$. The goal of the pirates is to create a forged fingerprint different from theirs which is valid under the current key choice. Coordinate $i$ of the fingerprints is called undetectable for the coalition $U$ if $x_{1i} = x_{2i} = \dots = x_{ti}$ and is called detectable otherwise. We assume that the coalition follows the marking assumption [6] in creating the forgery.

Definition 2.1: The marking assumption states that for any fingerprint $\mathbf{y}$ created by the coalition $U$, $y_i = x_{1i} = x_{2i} = \dots = x_{ti}$ in every coordinate $i$ that is undetectable.

In other words, in creating $\mathbf{y}$, the pirates can modify only detectable positions. For a given set of observed fingerprints $\{\mathbf{x}_1, \dots, \mathbf{x}_t\}$, the set of forgeries that can be created by the coalition is called the envelope. Its definition depends on the exact rule the coalition should follow to modify the detectable positions [4]:

• If the coalition is restricted to use only a symbol from their assigned fingerprints in the detectable positions, we obtain the narrow-sense envelope:

$$
e(\mathbf{x}_1, \dots, \mathbf{x}_t) = \{ \mathbf{y} \in \mathcal{Q}^n \mid y_i \in \{x_{1i}, \dots, x_{ti}\}, \ \forall i \in [n] \};
\tag{1}
$$

• If the coalition can use any symbol from the alphabet in the detectable positions, we obtain the wide-sense envelope:

$$
\mathcal{E}(\mathbf{x}_1, \dots, \mathbf{x}_t) = \{ \mathbf{y} \in \mathcal{Q}^n \mid y_i = x_{1i}, \ \forall i \text{ undetectable} \}.
\tag{2}
$$

For the binary alphabet, both envelopes are exactly the same. In the following, we will use $\mathcal{E}(\cdot)$ to denote the envelope from any of the rules mentioned above.

Definition 2.2: A randomized code $\mathcal{C}$ is said to be $t$-frameproof with $\varepsilon$-error if for all $U \subseteq [M]$ such that $|U| \le t$, it holds that

$$
\Pr\{ \mathcal{E}(\mathcal{C}(U)) \cap (\mathcal{C} \setminus \mathcal{C}(U)) \ne \emptyset \} \le \varepsilon,
\tag{3}
$$

where the probability is taken over the distribution $\pi(\cdot)$.

Remark 2.3: Note that the $t$-frameproof property as defined above is not in general weaker than the $t$-fingerprinting property, i.e., a code which is $t$-fingerprinting with $\varepsilon$-error [6, Definition IV.2] is not automatically $t$-frameproof with $\varepsilon'$-error, for any $0 \le \varepsilon' < 1$.

A straightforward extension of the fingerprinting definition yields a randomized code which satisfies the following condition: For any coalition of size at most $t$ and any strategy they may use in devising a forgery, the probability that the forgery is valid is small. However, this definition would trivially enable us to achieve arbitrarily high rates. Hence, we use the above (stronger) definition.

III. LOWER BOUNDS FOR BINARY FRAMEPROOF CODES

Let us construct a binary randomized code $\mathcal{C}$ of length $n$ and size $M = 2^{nR}$ as follows. We pick each entry in the $M \times n$ matrix independently to be 1 with probability $p$, for some $0 \le p \le 1$.

Theorem 3.1: The randomized code $\mathcal{C}$ is $t$-frameproof with error probability decaying exponentially in $n$ for any rate

$$
R < -p^t \log_2 p - (1-p)^t \log_2 (1-p).
\tag{4}
$$

Proof: For $\gamma > 0$, define the set of $t$-tuples of vectors

$$
\mathcal{T}_{t,\gamma} := \{ (\mathbf{x}_1, \dots, \mathbf{x}_t) : s_{\mathbf{1}}(\mathbf{x}_1, \dots, \mathbf{x}_t) \in I_\gamma, \ s_{\mathbf{0}}(\mathbf{x}_1, \dots, \mathbf{x}_t) \in J_\gamma \},
$$

where $I_\gamma := [n(p^t - \gamma), n(p^t + \gamma)]$ and $J_\gamma := [n((1-p)^t - \gamma), n((1-p)^t + \gamma)]$. It is clear that for any coalition $U$ of size $t$, the observed fingerprints $(\mathbf{x}_1, \dots, \mathbf{x}_t)$ belong to $\mathcal{T}_{t,\gamma}$ with high probability¹. Hence, we will refer to $\mathcal{T}_{t,\gamma}$ as the set of typical fingerprints.

For any coalition $U$ of size $t$

$$
\Pr\{ \mathcal{E}(\mathcal{C}(U)) \cap (\mathcal{C} \setminus \mathcal{C}(U)) \ne \emptyset \} \le \Pr\{ \mathcal{C}(U) \notin \mathcal{T}_{t,\gamma} \} + \Pr\{ \exists \mathbf{y} \in \mathcal{C} \setminus \mathcal{C}(U) : \mathbf{y} \in \mathcal{E}(\mathcal{C}(U)) \mid \mathcal{C}(U) \in \mathcal{T}_{t,\gamma} \}.
\tag{5}
$$

The first term in the above equation decays exponentially in $n$. It is left to prove that the second term is also exponentially decaying for $R$ satisfying (4).

A codeword in $\mathcal{C} \setminus \mathcal{C}(U)$ is a part of $\mathcal{E}(\mathcal{C}(U))$ if it contains a 1 (resp. 0) in all $s_{\mathbf{1}}(\mathcal{C}(U))$ (resp. $s_{\mathbf{0}}(\mathcal{C}(U))$) positions. Since $\mathcal{C}(U) \in \mathcal{T}_{t,\gamma}$, by taking a union bound the second term in (5) is at most

$$
2^{nR} \, p^{n(p^t - \gamma)} (1-p)^{n((1-p)^t - \gamma)},
$$

which decays exponentially in $n$ for $R < -(p^t - \gamma) \log_2 p - ((1-p)^t - \gamma) \log_2 (1-p)$. The proof is completed by taking $\gamma$ to be arbitrarily small.

The bias $p$ in the construction of $\mathcal{C}$ can be chosen optimally for each value of $t$. Numerical values of the rate thus obtained are shown in Table I, where they are compared with the existence bounds for deterministic zero-error frameproof codes (from [7]) and rates of fingerprinting codes (from [2], [1]). Observe that there is a factor of $t$ improvement compared to the rate of deterministic frameproof codes.

TABLE I: COMPARISON OF RATES

| $t$ | Randomized frameproof | Deterministic frameproof | Fingerprinting |
|---|---|---|---|
| 2 | 0.5 | 0.2075 | 0.25 |
| 3 | 0.25 | 0.0693 | 0.0833 |
| 4 | 0.1392 | 0.04 | 0.0158 |
| 5 | 0.1066 | 0.026 | 0.0006 |

IV. LINEAR FRAMEPROOF CODES

Unlike fingerprinting codes, randomized frameproof codes eliminate the need for a tracing algorithm, but the fingerprints still need to be validated.
As the validation algorithm is executed every time a user accesses his copy, we require that this algorithm have an efficient running time. Although the codes designed in the previous section have high rates, they come at the price of an $\exp(n)$ complexity validation algorithm. Linear codes are an obvious first choice in trying to design efficient frameproof codes as they can be validated in $O(n^2)$ time by simply verifying the parity-check equations.

¹ We say that an event occurs with high probability if the probability that it fails is at most $\exp(-cn)$, where $c$ is a positive constant.

A. Linear construction for t = 2

We now present a binary linear frameproof code for $t = 2$ which achieves the rate given by Theorem 3.1. Suppose we have $M = 2^{nR}$ users. We construct a randomized linear code $\mathcal{C}$ as follows. Pick a random $n(1-R) \times n$ parity-check matrix with each entry chosen independently to be 0 or 1 with equal probability. The corresponding set of binary vectors which satisfy the parity-check matrix form a linear code of size $2^{nR}$ with high probability. Each user is then assigned a unique codeword selected uniformly at random from this collection. In the few cases that the code size exceeds $2^{nR}$, we simply ignore the remaining codewords during the assignment. However, note that since the validation algorithm simply verifies the parity-check equations, it will pronounce the ignored vectors also as valid.

Theorem 4.1: The randomized linear code $\mathcal{C}$ is 2-frameproof with error probability decaying exponentially in $n$ for any rate $R < 0.5$.

Proof: As in the proof of Theorem 3.1, we begin by defining the set of typical pairs of fingerprints. For $\gamma > 0$, define

$$
\mathcal{T}_\gamma := \{ (\mathbf{x}_1, \mathbf{x}_2) : s_{ij}(\mathbf{x}_1, \mathbf{x}_2) \in I_\gamma, \ \forall i, j \in \{0, 1\} \},
$$

where $I_\gamma := [n(1/4 - \gamma), n(1/4 + \gamma)]$.
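For any coalition $U$ of two users

$$
\Pr\{ \mathcal{E}(\mathcal{C}(U)) \cap (\mathcal{C} \setminus \mathcal{C}(U)) \ne \emptyset \} \le \Pr\{ \mathcal{C}(U) \notin \mathcal{T}_\gamma \} + \sum_{(\mathbf{x}_1, \mathbf{x}_2) \in \mathcal{T}_\gamma} \Pr\{ \mathcal{C}(U) = (\mathbf{x}_1, \mathbf{x}_2) \} \times \Pr\{ \exists \mathbf{y} \in \mathcal{C} : \mathbf{y} \in \mathcal{E}(\mathbf{x}_1, \mathbf{x}_2) \setminus \{\mathbf{x}_1, \mathbf{x}_2\} \mid \mathcal{C}(U) = (\mathbf{x}_1, \mathbf{x}_2) \}.
$$

It can be seen that the first term again decays exponentially in $n$. We now consider the term inside the summation

$$
\Pr\{ \exists \mathbf{y} \in \mathcal{C} : \mathbf{y} \in \mathcal{E}(\mathbf{x}_1, \mathbf{x}_2) \setminus \{\mathbf{x}_1, \mathbf{x}_2\} \mid \mathcal{C}(U) = (\mathbf{x}_1, \mathbf{x}_2) \}.
$$

Observe that for any two binary vectors $(\mathbf{x}_1, \mathbf{x}_2) \in \mathcal{T}_\gamma$, the sum $\mathbf{x}_1 + \mathbf{x}_2 \notin \mathcal{E}(\mathbf{x}_1, \mathbf{x}_2)$ and also $\mathbf{0} \notin \mathcal{E}(\mathbf{x}_1, \mathbf{x}_2)$. Therefore, every vector in $\mathcal{E}(\mathbf{x}_1, \mathbf{x}_2) \setminus \{\mathbf{x}_1, \mathbf{x}_2\}$ is linearly independent from $\mathbf{x}_1, \mathbf{x}_2$. Thus for any $\mathbf{y} \in \mathcal{E}(\mathbf{x}_1, \mathbf{x}_2) \setminus \{\mathbf{x}_1, \mathbf{x}_2\}$,

$$
\Pr\{ \mathbf{y} \in \mathcal{C} \mid \mathcal{C}(U) = (\mathbf{x}_1, \mathbf{x}_2) \} = \Pr\{ \mathbf{y} \in \mathcal{C} \} = 2^{-n(1-R)}.
$$

Since $(\mathbf{x}_1, \mathbf{x}_2) \in \mathcal{T}_\gamma$, $|\mathcal{E}(\mathbf{x}_1, \mathbf{x}_2)| \le 2^{n(1/2 + 2\gamma)}$. By taking the union bound and $\gamma$ to be arbitrarily small, we obtain the result.

B. Connection to minimal vectors

In this subsection, we show a connection between linear 2-frameproof codes and minimal vectors. We first recall the definition for minimal vectors (see, e.g., [3]). Let $C$ be a $q$-ary $[n, k]$ linear code. The support of a vector $\mathbf{c} \in C$ is given by $\mathrm{supp}(\mathbf{c}) = \{ i \in [n] : c_i \ne 0 \}$. We write $\mathbf{c}' \preceq \mathbf{c}$ if $\mathrm{supp}(\mathbf{c}') \subseteq \mathrm{supp}(\mathbf{c})$.

Definition 4.2: A nonzero vector $\mathbf{c} \in C$ is called minimal if $\mathbf{0} \ne \mathbf{c}' \preceq \mathbf{c}$ implies $\mathbf{c}' = \alpha \mathbf{c}$, where $\mathbf{c}'$ is another code vector and $\alpha$ is a nonzero constant.

Proposition 4.3: For any $\mathbf{x}_1, \mathbf{x}_2 \in C$, $\mathbf{x}_1 \ne \mathbf{x}_2$, if $\mathbf{x}_2 - \mathbf{x}_1$ is minimal then $e(\mathbf{x}_1, \mathbf{x}_2) \cap (C \setminus \{\mathbf{x}_1, \mathbf{x}_2\}) = \emptyset$. If $q = 2$, the converse is also true.

Proof: Consider any $\mathbf{y} \in \mathcal{Q}^n$ and define the translate $\mathbf{y}' := \mathbf{y} - \mathbf{x}_1$. It follows that

$$
\mathbf{y} \in C \Leftrightarrow \mathbf{y}' \in C
\tag{6}
$$

$$
\mathbf{y} \notin \{\mathbf{x}_1, \mathbf{x}_2\} \Leftrightarrow \mathbf{y}' \notin \{\mathbf{0}, \mathbf{x}_2 - \mathbf{x}_1\}.
\tag{7}
$$

Furthermore, if $y_i \in \{x_{1i}, x_{2i}\}$, then $y'_i \in \{0, x_{2i} - x_{1i}\}$ for all $i \in [n]$.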
Therefore,

$$
\mathbf{y} \in e(\mathbf{x}_1, \mathbf{x}_2) \Rightarrow
\begin{cases}
\mathbf{y}' \preceq \mathbf{x}_2 - \mathbf{x}_1, \\
\mathbf{y}' \ne \alpha (\mathbf{x}_2 - \mathbf{x}_1), \ \forall \alpha \notin \{0, 1\}.
\end{cases}
\tag{8}
$$

Using (6), (7), (8), we obtain that $e(\mathbf{x}_1, \mathbf{x}_2) \cap (C \setminus \{\mathbf{x}_1, \mathbf{x}_2\}) \ne \emptyset$ implies that $\mathbf{x}_2 - \mathbf{x}_1$ is non-minimal. For $q = 2$, it is easily seen that the reverse statement also holds in (8) and thus the converse is also true.

Recall the random linear code constructed by generating a random $n(1-R) \times n$ parity-check matrix in the previous subsection. With some abuse of notation, let us denote the (unordered) set of vectors satisfying the random parity-check matrix also by $\mathcal{C}$. Let $\mathcal{M}(\mathcal{C})$ denote the set of minimal vectors in $\mathcal{C}$. We have the following companion result to Corollary 2.5 in [3].

Corollary 4.4: As $n \to \infty$,

$$
\mathsf{E}\left[ \frac{|\mathcal{M}(\mathcal{C})|}{|\mathcal{C}|} \right] =
\begin{cases}
1, & R < 1/2 \\
0, & R > 1/2
\end{cases}
$$

Proof: As a consequence of Proposition 4.3, for any two users $\{u_1, u_2\}$, we obtain

$$
\Pr\{ \mathcal{E}(\mathcal{C}(u_1, u_2)) \cap (\mathcal{C} \setminus \mathcal{C}(u_1, u_2)) \ne \emptyset \} = \Pr\{ \mathcal{C}(u_2) - \mathcal{C}(u_1) \notin \mathcal{M}(\mathcal{C}) \} = 1 - \mathsf{E}\left[ \frac{|\mathcal{M}(\mathcal{C})|}{|\mathcal{C}| - 1} \right].
$$

The first part of the result is now true by Theorem 4.1. We skip the details of the latter part which is easily proved using Chernoff bounds.

C. Linear codes for larger t

In the light of Theorem 4.1, a natural question to ask is whether there exist randomized linear frameproof codes for $t > 2$, perhaps allowing even a larger alphabet. It turns out that, just as in the deterministic case, linear frameproof codes do not always exist in the randomized setting too.

Proposition 4.5: There do not exist $q$-ary linear $t$-frameproof codes with $\varepsilon$-error, $0 \le \varepsilon < 1$, which are secure with the wide-sense envelope if either $t > q$ or $q > 2$.

Proof: Consider a coalition of $q + 1$ users. For any linear code realized from the family where the observed fingerprints are, say, $\mathbf{x}_1, \dots, \mathbf{x}_{q+1}$, the forgery $\mathbf{y} = \mathbf{x}_1 + \dots + \mathbf{x}_{q+1}$ is a part of $\mathcal{E}(\mathbf{x}_1, \dots, \mathbf{x}_{q+1})$.
In addition, it is also a valid fingerprint as the code is linear. This proves the first part of the proposition. To prove the second part, consider an alphabet (a field) with $q > 2$. For any two pirates with fingerprints $\mathbf{x}_1$ and $\mathbf{x}_2$, the forgery $\mathbf{y} = \alpha \mathbf{x}_1 + (1 - \alpha) \mathbf{x}_2$, where $\alpha \ne 0, 1$, is a valid codeword (by linearity) and is also a part of the wide-sense envelope.

Consequently, in considering linear frameproof codes which are wide-sense secure, we are limited to $t = 2$, $q = 2$.

V. POLYNOMIAL-TIME VALIDATION FOR LARGER t

Usually, the amount of redundancy needed increases with the alphabet size in fingerprinting applications. Thus, we are mainly interested in constructing binary frameproof codes which have polynomial-time validation. With the binary alphabet, there is no distinction between wide-sense and narrow-sense envelopes. Therefore, there do not exist binary linear frameproof codes for $t > 2$ by Proposition 4.5. In this section, we use the idea of code concatenation to construct a binary frameproof code with polynomial-time validation.

In the case of deterministic codes, if both the inner and outer codes are $t$-frameproof ($(t, 1)$-separating) with zero-error, then the concatenated code is also $t$-frameproof. We will now establish a similar result when the inner code is a randomized $t$-frameproof code.

Let the outer code $C_{\mathrm{out}}$ be a (deterministic) $q$-ary linear $[N, K, \Delta]$ code. For each of the $N$ coordinates of the outer code, generate an independent instance of a randomized binary code $\mathcal{C}_{\mathrm{in}}$ of length $m$ and size $q$ which is $t$-frameproof with $\varepsilon$-error. Then the concatenated code $\mathcal{C}$ with outer code $C_{\mathrm{out}}$ and inner code independent instances of $\mathcal{C}_{\mathrm{in}}$ is a randomized binary code of length $n = Nm$ and size $q^K$.
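Proposition 4.3 (for q = 2) and the binary case of Proposition 4.5 invoked above can be checked exhaustively on a small code. The Python below is an added example, not code from the paper; the [7,4] Hamming code used as sample input and all function names are assumptions chosen for illustration.

```python
import itertools

N_BITS = 7
# Generator rows of the [7,4] Hamming code as bit masks (constructed sample code).
HAMMING_ROWS = [0b1000110, 0b0100101, 0b0010011, 0b0001111]

def span(rows):
    """All codewords of the binary linear code generated by rows."""
    code = {0}
    for g in rows:
        code |= {c ^ g for c in code}
    return code

def in_envelope(y, pirates):
    """Marking assumption over GF(2): y agrees with the pirates wherever they all agree."""
    diff = 0
    for x in pirates:
        diff |= x ^ pirates[0]
    return ((y ^ pirates[0]) & ~diff & ((1 << N_BITS) - 1)) == 0

def framing_words(pirates, code):
    """Codewords outside the coalition that lie in its envelope."""
    return [y for y in code if y not in pirates and in_envelope(y, pirates)]

def is_minimal(c, code):
    """Definition 4.2 for q = 2: no other nonzero codeword has support inside supp(c)."""
    return c != 0 and not any(d not in (0, c) and (d & ~c) == 0 for d in code)

def prop_4_3_holds(code):
    """Pair {x1, x2} admits no framing word  <=>  x1 + x2 is minimal."""
    return all((not framing_words(pair, code)) == is_minimal(pair[0] ^ pair[1], code)
               for pair in itertools.combinations(sorted(code), 2))

def unsafe_pairs(code):
    """Pairs of codewords whose envelope contains a third codeword."""
    return [pair for pair in itertools.combinations(sorted(code), 2)
            if framing_words(pair, code)]

def sum_forgery_hits(code, t=3):
    """Count size-t coalitions for which the sum of their fingerprints is a
    valid codeword inside the envelope (the forgery in the proof of Prop. 4.5)."""
    hits = total = 0
    for coalition in itertools.combinations(sorted(code), t):
        y = 0
        for x in coalition:
            y ^= x
        total += 1
        hits += y in framing_words(coalition, code)
    return hits, total

if __name__ == "__main__":
    code = span(HAMMING_ROWS)
    print(prop_4_3_holds(code), len(unsafe_pairs(code)), sum_forgery_hits(code))
```

In this sample code the only non-minimal nonzero codeword is the all-ones word, so exactly the pairs that sum to it fail the 2-frameproof condition, while every one of the three-user coalitions is defeated by the sum forgery.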
Theorem 5.1: If the relative minimum distance of $C_{\mathrm{out}}$ satisfies

$$
\frac{\Delta}{N} \ge 1 - \frac{1}{t}(1 - \xi)
\tag{9}
$$

and the error probability $\varepsilon < \xi$ for $\mathcal{C}_{\mathrm{in}}$, then the concatenated code $\mathcal{C}$ is $t$-frameproof with error probability $2^{-N D(\xi \| \varepsilon)}$ and has a $\mathrm{poly}(n)$ validation algorithm.

Proof: In the proof, all vectors are $q$-ary corresponding to the outer alphabet. Define

$$
s(\mathbf{y}, \{\mathbf{x}_1, \dots, \mathbf{x}_t\}) := |\{ i \in [N] : y_i \in \{x_{1i}, \dots, x_{ti}\} \}|,
$$

$$
d(\mathbf{y}, \{\mathbf{x}_1, \dots, \mathbf{x}_t\}) := \min_{i \in [t]} \mathrm{dist}(\mathbf{y}, \mathbf{x}_i).
$$

Consider a coalition $U \subseteq \{1, \dots, q^K\}$ of size $t$. For any coordinate $i \in [N]$ of the outer code, the coalition observes at most $t$ different symbols of the outer alphabet, i.e., at most $t$ different codewords of the inner code. Thus if the $t$-frameproof property holds for the observed symbols for the realization of $\mathcal{C}_{\mathrm{in}}$ at coordinate $i$, then at the outer level the coalition is restricted to output one of the symbols it observes, i.e., the narrow-sense rule (1) holds. On the other hand, a failure of the $t$-frameproof property at the inner level code implies that the coalition is able to create a symbol different from what they observe in the corresponding coordinate at the outer level.

Accordingly, let $\chi_i$, $i = 1, \dots, N$, denote the indicator random variables (r.v.s) for failures at the inner level with $\Pr\{\chi_i = 1\} \le \varepsilon$ since the inner code has $\varepsilon$-error. Note that $\chi_i$ are independent because we have an independent instance of the randomized code for every $i = 1, \dots, N$. Then $Z = \sum_{i=1}^{N} \chi_i$ is a Binomial r.v. denoting the number of coordinates where the narrow-sense rule fails at the outer level.

For $0 \le z \le N$, let $e_z(\cdot)$ denote the envelope when the narrow-sense rule is followed only in some $N - z$ outer-level coordinates, i.e.,

$$
e_z(\mathbf{x}_1, \dots, \mathbf{x}_t) = \{ \mathbf{y} : s(\mathbf{y}, \{\mathbf{x}_1, \dots, \mathbf{x}_t\}) \ge N - z \}.
$$

For any $\mathbf{y} \in e_z(\mathbf{x}_1, \dots, \mathbf{x}_t)$, there exists some $l \in \{1, \dots, t\}$ such that $s(\mathbf{y}, \mathbf{x}_l) \ge (N - z)/t$, i.e., $\mathrm{dist}(\mathbf{y}, \mathbf{x}_l) \le N - (N - z)/t$. Therefore,

$$
e_z(\mathbf{x}_1, \dots, \mathbf{x}_t) \subseteq \left\{ \mathbf{y} : d(\mathbf{y}, \{\mathbf{x}_1, \dots, \mathbf{x}_t\}) \le N - \frac{N - z}{t} \right\}.
\tag{10}
$$

The coalition $U$ succeeds when it creates a forgery which is valid in the outer code. Thus the probability of error is at most

$$
\Pr\{ \exists \mathbf{y} \in C_{\mathrm{out}} \setminus C_{\mathrm{out}}(U) : \mathbf{y} \in e_Z(C_{\mathrm{out}}(U)) \}
$$

$$
\le \Pr\left\{ \exists \mathbf{y} \in C_{\mathrm{out}} \setminus C_{\mathrm{out}}(U) : d(\mathbf{y}, C_{\mathrm{out}}(U)) \le N - \frac{N - Z}{t} \right\}
\tag{11}
$$

$$
= \Pr\left\{ N - \frac{N - Z}{t} \ge \Delta \right\}
\tag{12}
$$

$$
\le \Pr\{ Z \ge N \xi \}
\tag{13}
$$

$$
\le 2^{-N D(\xi \| \varepsilon)},
\tag{14}
$$

where (11) follows from (10), (12) is because $C_{\mathrm{out}}$ is a linear code with minimum distance $\Delta$, (13) is due to the condition (9) and (14) is obtained by standard large deviation bounds.

The validation algorithm operates in two steps. In the first step, the inner code is decoded/validated for every outer code coordinate by exhaustive search over $q$ codewords. We then check whether the resulting $q$-ary vector is a member of the outer code by verifying the parity-check equations. The claim about the polynomial-time complexity is true by choosing an appropriate scaling for the inner code length, for instance, $m \sim \log_2(n)$.

We now make specific choices for the outer and inner codes in Theorem 5.1 to arrive at explicit constructions. We take $\mathcal{C}_{\mathrm{in}}$ to be the binary randomized $t$-frameproof code presented in Theorem 3.1 and with growing length. Thus we have the inner code rate as

$$
R_t = \max_{p \in [0, 1]} \left[ -p^t \log_2 p - (1-p)^t \log_2 (1-p) \right]
$$

and error probability $\varepsilon = 2^{-m\beta}$ for some $\beta > 0$. The outer code $C_{\mathrm{out}}$ is a $[q - 1, K]$ Reed-Solomon (RS) code with rate at most $(1 - \xi)/t$ in order to satisfy the condition (9) on the minimum distance. Observe that for $\varepsilon$ approaching 0 (for large $m$) and $\xi$ fixed, $D(\xi \| \varepsilon) \sim \xi \log_2 (1/\varepsilon)$.
Therefore, with $\varepsilon = 2^{-m\beta}$, the error probability of the concatenated code is at most $2^{-n(\xi\beta + o(1))}$. By taking $\xi$ arbitrarily small and $m$ sufficiently large to satisfy $\varepsilon < \xi$, we obtain the following result.

Corollary 5.2: The binary randomized code obtained by concatenating $C_{\mathrm{out}}$ and $\mathcal{C}_{\mathrm{in}}$ is $t$-frameproof with error probability $\exp(-\Omega(n))$, validation complexity $O(n^2)$ and rate arbitrarily close to $R_t/t$.

VI. CONCLUSION

The question of upper bounds on the rate of randomized frameproof codes is open.

ACKNOWLEDGMENTS

The research is supported in part by NSF grants CCF0515124 and CCF0635271, and by NSA grant H98230-06-1-0044.

REFERENCES

[1] N. P. Anthapadmanabhan and A. Barg, "Random binary fingerprinting codes for arbitrarily sized coalitions," Proc. IEEE Internat. Sympos. Inform. Theory (ISIT 2006), pp. 351-355, 2006.
[2] N. P. Anthapadmanabhan, A. Barg and I. Dumer, "On the fingerprinting capacity under the marking assumption," IEEE Trans. on Inform. Theory - Special Issue on Information-Theoretic Security, Jun. 2008, to appear. Available at http://arxiv.org/abs/cs.IT/0612073.
[3] A. Ashikhmin and A. Barg, "Minimal vectors in linear codes," IEEE Trans. Inform. Theory, vol. 44, no. 5, pp. 2010-2017, Sep. 1998.
[4] A. Barg, G. R. Blakley and G. Kabatiansky, "Digital fingerprinting codes: Problem statements, constructions, identification of traitors," IEEE Trans. Inform. Theory, vol. 49, no. 4, pp. 852-865, Apr. 2003.
[5] S. R. Blackburn, "Combinatorial schemes for protecting digital content," Surveys in combinatorics, 2003 (Bangor), London Math. Soc. Lecture Note Ser., vol. 307, pp. 43-78, Cambridge Univ. Press, Cambridge, 2003.
[6] D. Boneh and J. Shaw, "Collusion-secure fingerprinting for digital data," IEEE Trans. Inform. Theory, vol. 44, no. 5, pp. 1897-1905, Sep. 1998.
[7] G. Cohen and H. G. Schaathun, "Asymptotic overview of separating codes," Report no. 248, Department of Informatics, University of Bergen, 52pp., May 2003. Available at www.ii.uib.no.
[8] A. D. Friedman, R. L. Graham, and J. D. Ullman, "Universal single transition time asynchronous state assignments," IEEE Trans. Comput., vol. C-18, pp. 541-547, 1969.
[9] Y. L. Sagalovich, "Separating systems," Probl. Inform. Trans., vol. 30, no. 2, pp. 105-123, 1994.
[10] J. N. Staddon, D. R. Stinson and R. Wei, "Combinatorial properties of frameproof and traceability codes," IEEE Trans. Inform. Theory, vol. 47, no. 3, pp. 1042-1049, Mar. 2001.
[11] G. Tardos, "Optimal probabilistic fingerprint codes," Journal of the ACM, to appear. Preliminary version in Proc. 35th Annual ACM Symposium on Theory of Computing (STOC 2003), pp. 116-125, 2003.
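The two-step validation of Section V and the counting argument in the proof of Theorem 5.1, as an added example that is not code from the paper. The parameters (GF(17), a [16, 6] Reed-Solomon outer code, 32-bit inner words drawn uniformly and forced distinct) and all function names are assumptions chosen for illustration; the block goes slightly beyond the text by computing Z for a sampled coalition from the distributor's side.

```python
import random

Q, ALPHA = 17, 3            # outer alphabet GF(17) and a primitive element (assumed parameters)
N, K = Q - 1, 6             # [16, 6] Reed-Solomon outer code
DELTA = N - K + 1           # its minimum distance, 11
M_BITS = 32                 # inner code length m, so n = N * m = 512 bits
FULL = (1 << M_BITS) - 1

def keygen(seed):
    """Secret key: an independent random inner code of Q words per outer coordinate.
    Constructed simplification: words are uniform (p = 1/2) and forced distinct."""
    rng = random.Random(seed)
    return [rng.sample(range(1 << M_BITS), Q) for _ in range(N)]

def rs_encode(msg):
    """Outer codeword: the message polynomial evaluated at ALPHA^0 .. ALPHA^(N-1)."""
    return [sum(c * pow(ALPHA, i * l, Q) for l, c in enumerate(msg)) % Q
            for i in range(N)]

def fingerprint(key, msg):
    """Fingerprint as N inner blocks: outer symbol s at coordinate i becomes key[i][s]."""
    return [key[i][s] for i, s in enumerate(rs_encode(msg))]

def validate(key, fp):
    """Two-step validation: inner lookup per coordinate, then outer parity checks."""
    outer = []
    for i, block in enumerate(fp):
        if block not in key[i]:              # step 1: search the Q inner codewords
            return False
        outer.append(key[i].index(block))
    # step 2: sum_i c_i * ALPHA^(i*j) = 0 in GF(Q) for j = 1 .. N-K
    return all(sum(c * pow(ALPHA, i * j, Q) for i, c in enumerate(outer)) % Q == 0
               for j in range(1, N - K + 1))

def detectable(blocks):
    """Bit mask of positions where the coalition's blocks differ."""
    diff = 0
    for b in blocks:
        diff |= b ^ blocks[0]
    return diff

def forge(fps, rng, bit_level):
    """A forgery that obeys the marking assumption for coalition fingerprints fps."""
    out = []
    for blocks in zip(*fps):
        if bit_level:                        # arbitrary values on detectable bits
            diff = detectable(blocks)
            out.append((blocks[0] & ~diff & FULL) | (rng.getrandbits(M_BITS) & diff))
        else:                                # whole block copied from one pirate
            out.append(rng.choice(blocks))
    return out

def inner_failures(key, fps):
    """Z in the proof of Theorem 5.1: coordinates whose inner envelope
    contains an inner codeword the coalition does not hold."""
    z = 0
    for i, blocks in enumerate(zip(*fps)):
        keep = ~detectable(blocks) & FULL    # undetectable bit positions
        z += any(c not in blocks and ((c ^ blocks[0]) & keep) == 0 for c in key[i])
    return z

def audit(seed=2008, t=2, trials=2000):
    """Distributor-side check: try marking-assumption forgeries against validate()."""
    key, rng = keygen(seed), random.Random(seed + 1)
    fps = [fingerprint(key, [rng.randrange(Q) for _ in range(K)]) for _ in range(t)]
    accepted = 0
    for n in range(trials):
        y = forge(fps, rng, bit_level=(n % 2 == 0))
        accepted += y not in fps and validate(key, y)
    z = inner_failures(key, fps)
    return {"own_valid": all(validate(key, f) for f in fps),
            "accepted_forgeries": accepted,
            "Z": z,
            # steps (10)-(12): a framing codeword needs N - (N - Z)/t >= DELTA
            "forgery_impossible": N - (N - z) / t < DELTA}

if __name__ == "__main__":
    print(audit())
```

With these parameters and t = 2, condition (9) holds for any ξ up to 3/8, and a forgery can only validate if at least six inner coordinates fail at once.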
