Optimal symmetric Tardos traitor tracing schemes

For the Tardos traitor tracing scheme, we show that by combining the symbol-symmetric accusation function of Skoric et al. with the improved analysis of Blayer and Tassa we get further improvements. Our construction gives codes that are up to 4 times shorter than Blayer and Tassa's, and up to 2 times shorter than the codes from Skoric et al. Asymptotically, we achieve the theoretical optimal codelength for Tardos' distribution function and the symmetric score function. For large coalitions, our codelengths are asymptotically about 4.93% of Tardos' original codelengths, which also improves upon results from Nuida et al.

To be able to trace the watermarked data back to the user, we need that the embedded fingerprints for each user are different. However, by comparing their differently watermarked copies of the content, multiple malicious users can form a coalition and detect differences in their content. Assuming that besides the watermarks all copies are the same, this allows coalitions to detect part of the watermark. By editing this data, they can then create a forged copy, which contains the same digital content as their original copies, but has a forged fingerprint that cannot be traced back to them directly. Under the marking assumption, which says that colluders can only detect and edit fingerprint positions if their fingerprints do not all match on that position, there are ways to construct fingerprinting schemes such that any forged copy can be traced back to at least one of the colluders. This involves finding a construction for fingerprints for each of the users, and finding a way to trace back forged copies to guilty users.

Model
Let U = {1, . . . , n} denote the set of the n users that received watermarked content. Here, a user corresponds to one watermarked copy of the content, so a person who possesses several differently watermarked copies of the data is assumed to control multiple users. For each user j the distributor generates a fingerprint (also called a codeword), which is usually denoted by x j . This codeword is a vector of length (the codelength) of symbols from an alphabet Q of size q. The case q = 2 corresponds to the binary alphabet, which is usually taken as Q = {0, 1}. All fingerprints together form the fingerprinting code C = {x 1 , . . . , x n }. A common way of representing this code is by putting all codewords as rows in a matrix X according to X ji = (x j ) i .
After assigning codewords to users and distributing the watermarked copies, a subset C ⊆ U of c users (called colluders or pirates) may form a coalition to create a forged copy. Using some pirate strategy ρ, a function Q ×c → Q , they construct a forged copy, which has some unknown distorted fingerprint ρ(X ) = y called the forgery. For the pirate strategy ρ, we assume that the marking assumption holds, i.e. if for all j ∈ C the pirates have (x j ) i = ω for some position i and symbol ω ∈ Q, then the coalition is forced to output y i = ω. On other positions, we assume that colluders are free to choose any of the symbols from the alphabet.
Finally, after the coalition has created a forged copy, we assume the distributor intercepts it and extracts the forgery y from the data. He then runs some tracing algorithm σ on the forgery, to get a subset σ (y) ⊆ U of users that are accused. The accusation is said to be successful if no innocent users are accused (i.e. σ (y) ⊆ C) and at least one guilty user is accused (i.e. σ (y) ∩ C = ∅).
In the setting of probabilistic schemes, the code X and the tracing algorithm σ may depend on some random variables. The events of not accusing any innocent users (soundness) and accusing at least one guilty user (completeness) then also depend on these random variables. Then, instead of demanding that a fingerprinting scheme is always sound and complete, we may demand that the probability of failure is bounded by some small value ε, where the probability is taken over these random variables. This leads to the following definitions of ε 1 -soundness and ε 2 -completeness.
Definition 1 (Soundness and completeness) Let C ⊆ U be a coalition of size at most c, and let ρ be some pirate strategy employed by this coalition. Then a traitor tracing scheme (X, σ ) is called ε 1 -sound if Similarly, a fingerprinting scheme is called ε 2 -complete if As we will see later, ε 1 /n and ε 2 are closely related in the Tardos fingerprinting scheme. Therefore it is convenient to introduce the notation η = log(ε 2 )/ log(ε 1 /n) such that ε 2 = (ε 1 /n) η , which describes how large ε 2 is, compared to ε 1 /n. Also, we sometimes simply say that a scheme is secure, to denote that it is sound and complete for certain (implicit) parameters ε 1 and ε 2 .

Related work
In [1], Tardos investigated probabilistic binary fingerprinting schemes where small margins of error are allowed. He proved that a codelength of = (c 2 ln(n/ε 1 )) is necessary to achieve soundness and completeness, while in the same paper he also gave a construction with a codelength of = 100c 2 ln(n/ε 1 ). This construction is often referred to as the Tardos scheme. In [2,3] the lower bound on the codelength was further tightened, to show that one needs ≥ 2 ln(2)c 2 ln(n/ε 1 ) for sufficiently large c and q = 2, to achieve soundness and completeness.
We write d for the constant in front of the c 2 ln(n/ε 1 ) in the codelength. Since the scheme of Tardos had a codelength constant of d = 100, many papers focused on constructing a scheme with the same order codelength, but with a smaller constant. For example, using a discrete distribution function in the Tardos scheme, Nuida et al. showed in [4] that one can achieve codelengths of < 5c 2 ln(n/ε 1 ) in some cases with small c, while for large c they achieved an asymptotic codelength of ≈ 5.35c 2 ln(n/ε 1 ). In [5], Škorić et al. showed that by tightening the analysis, one can obtain smaller codelength constants in the original Tardos scheme while maintaining soundness and completeness. Using a completely different approach, Amiri and Tardos showed in [2] that with a computation-heavy accusation algorithm, one can approach the theoretical lower bound of = 2 ln(2)c 2 ln(n/ε 1 ) for large c.
In this paper we will focus on the binary Tardos scheme with the arcsine distribution function from [1], which was introduced in [1] and further analyzed and improved in e.g. [4][5][6][7]. We will focus on two improvements in particular. In [6], Blayer and Tassa made the proofs of [1] tighter by introducing several auxiliary variables which were to be optimized later, instead of fixing them in advance. In that paper the construction of the Tardos scheme essentially remained the same, but it was shown that a codelength of = 85c 2 ln(n/ε 1 ) for c ≥ 2, and < 25c 2 ln(n/ε 1 ) for large c is also sufficient to prove soundness and completeness. In [7], Škorić et al. did change the scheme, by making the score function used in the accusation phase of the Tardos scheme symmetric in y i = 0, 1. This also lead to shorter codelengths, giving asymptotic codelengths of = (π 2 + o(1))c 2 ln(n/ε 1 ) ≈ 9.87c 2 ln(n/ε 1 ) for large c, while maintaining soundness and completeness. Furthermore assuming that the accusation scores of innocent users and the joint coalition score are normally distributed, Škorić et al. showed in [7,Sect. 6] that an asymptotic codelength of = ( π 2 2 + o(1))c 2 ln(n/ε 1 ) is then both sufficient and necessary. Since by the Central Limit Theorem these accusation scores will in fact converge to normal distributions for asymptotically large c, this also provides a lower bound on the codelength, when using the arcsine distribution function and the symmetric score function.

Contributions and outline
Combining the symbol-symmetric score function from Škorić et al. with Blayer and Tassa's sharp analysis, we will prove ε 1 -soundness and ε 2 -completeness for all c ≥ 2 and η ≤ 1 with a codelength of ≥ 23.79c 2 ln(n/ε 1 ). This improves upon the codelength from Blayer and Tassa by a factor more than 3.5 at c = 2, and a factor between 3.5 and 4 for larger values of c (compare Fig. 1 to [6, Fig. 1]). It also improves upon the original Tardos scheme by a factor more than 4 for c = 2, and the improvement factor increases to more than 20 for large c.
Similar to work of Škorić et al., we also look at the asymptotics of our scheme, and show that for large c, we can prove soundness and completeness for a codelength of ≥ ( π 2 2 + O(c −1/3 ))c 2 ln(n/ε 1 ) ≈ 4.93c 2 ln(n/ε 1 ). This improves upon the asymptotic results from Škorić et al. by a factor 2, and we achieve the asymptotic optimal codelength which Škorić et al. proved to be sufficient and necessary under the added assumption that the distributions of scores are normal distributions. We therefore close the gap of a factor 2 between the best known provably secure codelength and the asymptotic optimal codelength, for Tardos' original arcsine distribution function and the symmetric score function. These results also improve upon the asymptotic codelengths from Nuida et al., who used different discrete distribution functions, by more than 7 %.
The paper is organized as follows. In Sect. 2 we give the construction of the (symmetric) Tardos scheme, and compare our results with earlier results from the literature. In Sects. 3 and 4 we prove that the soundness and completeness properties hold under our assumptions on the parameters. In Sect. 5 we show how to solve an often overlooked problem in the literature, to make sure that the codelength is integral. In Sect. 6 we give results similar to those in [6, Sect. 2.4.5] on how to find the optimal set of parameters that satisfies the conditions for our proof method to work, and minimizes the codelength. There we also give such minimal codelengths, for several values of c and η. In Sect. 7 we prove the results stated above for asymptotically large c, and show that the optimal rate of convergence is of order O(c −1/3 ). Finally, in Sect. 8 we give a brief summary of our contributions, and remaining open problems in this area.

Construction and results
First we present the construction of the Tardos traitor tracing scheme, as in [6], where we use auxiliary variables d , d z , d δ for the codelength , accusation offset Z and cutoff parameter δ respectively. The only difference between our construction and that of Blayer and Tassa is in the score function that we use. While Blayer and Tassa used the asymmetric score function from Tardos' original scheme, we use the symbol-symmetric score function from Škorić et al.

The Tardos traitor tracing scheme
Let n ≥ c ≥ 2 be positive integers, and let ε 1 , ε 2 ∈ (0, 1) be the desired upper bounds for the soundness and completeness error probabilities respectively. Let us write k = ln(n/ε 1 ) so that e −k = ε 1 /n. Let d , d z , d δ be positive constants, with d δ > 1. Then the symmetric Tardos fingerprinting scheme works as follows.

Initialization
the distribution defined by the following distribution function F( p) and probability density function f ( p): The function f ( p) is biased towards δ and 1 − δ and symmetric around 1/2.

Codeword generation
(a) For each position 1 ≤ i ≤ and for each user 1 ≤ j ≤ n, select the ith entry of the codeword of user j according to P[X ji = 1] = p i and P[X ji = 0] = 1 − p i .

Accusation
(a) For each position 1 ≤ i ≤ and for each user 1 ≤ j ≤ n, calculate the score S ji , based on the user's watermark symbol X ji and the pirate output y i , according to: In the construction above, the score S ji is positive iff X ji and y i are the same, while |S ji | is large iff the probability of outputting symbol X ji is small. Intuitively, unlikely matches and differences contribute more to the accusation sum S j than likely matches and differ-ences, while positive scores indicate guilt and negative scores indicate innocence. With a suitable choice of parameters, innocent users will have scores close to 0 (positive and negative) while at least one guilty user must have a large score exceeding Z . More precisely, under certain conditions on the parameters d , d z , d δ , which are specified in Sects. 2.2 and 2.3, one can prove soundness and completeness, using a modified version of Tardos' original proof construction. Apart from the score function, which satisfied S ji = 0 for y i = 0 in [1], the above construction is identical to the construction of Tardos' original scheme, for d = 100, d z = 20 and d δ = 300.

Results for the asymmetric Tardos scheme
In the original Tardos scheme, and in several papers discussing the Tardos scheme, the score function is asymmetric in y i , as only the positions with y i = 1 are taken into account for the accusations. The construction of this asymmetric Tardos scheme is the same as in Sect. 2.1, but with the scores from (2) replaced by: Blayer and Tassa performed an extensive analysis of this scheme in [6], and showed that under the following assumptions, one can prove soundness and completeness for given c and η. In these theorems, the function h −1 : denotes its inverse function as in [6], so that Theorem 1 [6, Theorem 1.1] Let the Tardos scheme be constructed as in Sect. 2.1, but with the asymmetric score function from (3). Let d α , r be positive constants, with r > 1 2 , such that d , d z , d δ , d α and r satisfy the following two requirements: Then the scheme is ε 1 -sound.
Then the scheme is ε 2 -complete.
Tardos' original choice of parameters was the following, which allowed him to prove that his scheme is ε 1 -sound and ε 2 -complete for all c ≥ 2 and η ≤ √ c/4 [1, Theorems 1 and 2]: Blayer and Tassa proved that to achieve ε 1 -soundness and ε 2 -completeness for all c ≥ 2 and η ≤ 1, the following choice of parameters is also provably secure [6, Sect. 2.4]: In [5, Corollary 1], Škorić et al. showed that the following choice of parameters suffices to prove soundness and completeness for asymptotically large c: 2 According to the Central Limit Theorem, the scores of innocent users and the total score of the coalition converge to certain normal distributions. Under the assumption that the scores behave exactly like these normal distributions, Škorić et al. showed in [5, Corollary 3] that the following choice of parameters is then sufficient and necessary to prove soundness and completeness: Applying our analysis from Sect. 7 to the asymmetric Tardos scheme, we can prove that the following choice of parameters is provably sufficient for large c: 3 So with Blayer and Tassa's proof construction, for the asymmetric Tardos scheme we obtain a two times shorter asymptotic codelength compared to the shortest provable codelength of Škorić et al. [5], and we achieve the asymptotic optimal codelength for the asymmetric Tardos scheme which Škorić et al. [5] only achieved when they added the assumption that scores behave like normal distributions.

Results for the symmetric Tardos scheme
We will prove in Sects. 3 and 4 that with the following assumptions on the parameters, we can also prove soundness and completeness for the symmetric Tardos scheme.
Then the scheme is ε 2 -complete. 2 In [5, Eq. 13], the parameters r and s were implicitly chosen as r = 1 and s = h(1), while in [5,Appendix II] they observed that L π = 1 πg ≥ 1 and for several values of c and η. 3 These results can be obtained by applying the asymptotic analysis from Sect. 7 to Blayer and Tassa's original analysis for the asymmetric Tardos scheme, using

123
Using the above results, in Sect. 6 we will prove ε 1 -soundness and ε 2 -completeness for all c ≥ 2 and η ≤ 1 for the following set of parameters: This improves upon the constants from Blayer and Tassa by a factor more than 3.5, and it improves upon the original Tardos scheme by a factor more than 4. Furthermore, for bigger c and smaller η the values of d further decrease, easily leading to a factor 10 improvement over the original Tardos scheme.
Škorić et al. [7,Corollary 1] showed that for asymptotically large c, the following set of parameters is sufficient for proving soundness and completeness in the symmetric Tardos scheme: 4 With the added assumption that the scores of innocent users and the joint score of guilty users are normally distributed, Škorić et al. [7,Corollary 2] also showed that the following set of parameters is sufficient for soundness and completeness, for asymptotically large c: Since by the Central Limit Theorem these scores will also converge to normal distributions, this shows that the asymptotic optimal codelength for the symmetric Tardos scheme is = ( π 2 2 + o(1))c 2 ln(n/ε 1 ). We show in Sect.7 that for asymptotically large c, we can actually prove soundness and completeness for this optimal codelength, without any added assumptions. In the asymptotic case of c → ∞, our construction gives the following parameters: Similar to the asymmetric case, we thus get a factor 2 improvement over the best provable asymptotic codelength of Škorić et al. [7], and we achieve the asymptotic optimal codelength which Škorić et al. [7] only proved with the added assumption that the scores behave like normal distributions. This also improves upon results from Nuida et al. [4], who showed that with certain discrete distribution functions F, one can prove soundness and completeness for ≈ 5.35c 2 ln(n/ε 1 ) for large c. With our construction, we show a codelength of ≈ 4.93c 2 ln(n/ε 1 ) is provably secure for large c.

Soundness
Here we will prove Theorem 3, i.e. prove the soundness property from Definition 1, under the assumptions (S1) and (S2). We will closely follow the proof of soundness of Blayer and Tassa of [6, Theorem 1.1]. We will first prove an upper bound on E y,X,p e αS j (the expected value with respect to all selections y, X, p), with α = 1/(d α c) and using only (S1), and then use this result together with (S2) to prove upper bounds on P[ j ∈ σ (y)] for innocent users j, and P[σ (ρ(X )) ⊆ C].
Lemma 1 Let d α and r be positive constants, with r > 1 2 , such that d δ , d α and r satisfy Eq. (S1). Let j be an innocent user, and let S j be the user's score in the Tardos scheme from Sect. 2.1. Let α = 1/(d α c). Then E y,X,p e αS j ≤ e r α 2 . (4) Proof First we fill in S j = i=1 S ji and use the fact that the S ji are pairwise independent for different i to get Since . From the definition of h we know that e x ≤ 1 + x + r x 2 exactly when x ≤ h(r ). Using this with x = αS ji we get We can easily calculate E[S ji ] and E[S 2 ji ], as y i and X ji are independent for innocent users j. As in [7, Lemmas 2 and 3], we first take the expected value over X ji for fixed values of y i and p i to obtain where the signs in the intermediate calculations depend on the value of y i . So it follows that E[S ji ] = 0 and E[S 2 ji ] = 1, so we get E e αS ji ≤ 1 + r α 2 ≤ e r α 2 , and E y,X,p e αS j ≤ e r α 2 , which was to be proven.
Proof (Theorem 3) We prove that the probability of accusing any particular innocent user is at most ε 1 /n. Since there are at most n innocent users, the probability of not accusing any innocent user is then at least (1 − ε 1 /n) n ≥ 1 − ε 1 , which then proves that the scheme is ε 1 -sound.
Since a user is accused if and only if his score S j exceeds Z , we need to prove that P[S j > Z ] ≤ ε 1 /n for innocent users j. First of all, we write α = 1/(d α c), and we use the Markov inequality and Lemma 1 to obtain Since we want to prove that P[ j ∈ σ (y)] ≤ ε 1 /n, the proof would be complete if e −α Z +r α 2 ≤ e −k = ε 1 /n, i.e. if −α Z + r α 2 ≤ −k. Filling in α = 1/(d α c), Z = d z ck and = d c 2 k, and dividing both sides by −k, we get This is exactly inequality (S2), which was assumed to hold. This completes the proof.
Compared to the original proof in [6], this proof has barely changed. The only difference is that now the scores are counted for all positions i, instead of only those positions where y i = 1. However, since in the proof in [6] this number of positions was bounded by , the result remains the same. This explains why we can prove ε 1 -soundness with the symmetric score function under the same assumptions (S1), (S2) as in [6].

Completeness
For the proof of Theorem 4, we will again closely follow the proof of Blayer and Tassa of [6, Theorem 1.2], and make changes where necessary to incorporate the symbol-symmetric score function. We first give a Lemma to bound the expectation value of E y,X,p e −β S with β = s √ δ/c and S = j∈C S j , and then use this Lemma to prove completeness.
The proof of Lemma 2 is quite lengthy and can be found in Appendix A. Using this Lemma we can easily prove Theorem 4.

Proof (Theorem 4)
We will prove that for a coalition of size c, with probability at least 1 − ε 2 the algorithm will accuse at least one of the colluders. Note that if no colluders are accused, then the score of each colluder is below Z . Hence if the total coalition score S exceeds cZ, then at least one of the pirates is accused. So to prove ε 2 -soundness, it suffices to prove that P[S < cZ] ≤ ε 2 .
Compared to [6], we see that instead of using (C1), we now need that inequality (C1 ) holds. Comparing these two inequalities, we see that a term 1 π has changed to a 2 π , and a term 2 d δ π has changed to a 4 d δ π . The most important change is the 1 π changing to a 2 π , since that term is the most dominant factor (and the only positive term) on the left hand side of (C1 ). By increasing this by a factor 2, we get that g ≤ 2 π instead of g ≤ 1 π . Especially for large c, this will play an important role, and it will basically be the reason why the required codelength can then be reduced by a factor 4, compared to Blayer and Tassa's analysis for the asymmetric scheme.
While the other change (the 2 d δ π changing to 4 d δ π ) does not have a big impact on the optimal choice of parameters for large c, this change does influence the required codelength for smaller c. Because of this change, we now subtract more from the left hand side of (C1 ), so that the value of g is bounded more sharply from above. This means that for finite c we cannot reduce the codelength of Blayer and Tassa by a factor 4, but only by a factor slightly less than 4.
Finally, after using (C1 ) in the proof above, the analysis remained the same as in [6]. So under the same assumption (C2) as in [6], we could also complete the proof for the symmetric Tardos scheme.

Integral codelengths
One detail we have not taken care of and which is often "swept under the carpet" in other literature, is that the codelength by definition has to be integral. In the construction of the Tardos scheme, we said we take = d c 2 ln(n/ε 1 ), while ln(n/ε 1 ) and d may not be integral. To solve this problem, Tardos rounded up ln(n/ε 1 ) and took d = 100 in his original scheme. Blayer and Tassa also rounded up ln(n/ε 1 ) and took d = 85, presumably also to guarantee that is integral. 5 However, rounding up d and ln(n/ε 1 ) could drastically increase the codelength. For example, suppose n = 10 6 , ε 1 = ε 2 = 0.01, and c = 25. Then η = 0.25 and ln(n/ε 1 ) ≈ 18.42, and numerical optimizations give d ≈ 8.18. Without rounding we would get a codelength of ≈ 94155, while with rounding we get = 106875. So then the codelength is more than 13.5 % higher than , only because we rounded up both ln(n/ε 1 ) and d .
Instead of rounding up inbetween, rounding up the entire codelength to = d c 2 ln(n/ε 1 ) makes more sense. The codelength is then increased by less than 1 symbol, so we hardly notice the difference in the codelength. However, the proofs we give in Sects. 3 and 4 are based on = d c 2 ln(n/ε 1 ), which corresponds to using d = /(c 2 ln(n/ε 1 )). If we take = , then we get d = /(c 2 ln(n/ε 1 )) > d (for / ∈ N), so that for the same parameters Z and δ we may not be able to prove soundness and completeness anymore. In particular, Eq. (S2) might not be satisfied if d is increased, since (S2) implies that 4rd ≤ d 2 z . Increasing the left hand side may violate this bound, if we do not also increase d z .
The following Theorem takes care of this minor problem, by showing that if we can find a solution to (S1), (S2), (C1 ), (C2) with a fractional codelength , then we can also find a solution to these inequalities with the integral codelength . In particular, we show which scheme parameters , Z and δ one could take to achieve this result. Sect. 2.1, and let (d , d z , d δ , d α ,  r, s, g) be a septuple satisfying conditions (S1), (S2), (C1 ), (C2) giving scheme parameters 0 = d c 2 ln(n/ε 1 ), Z 0 = d z c ln(n/ε 1 ) and δ 0 = 1/(d δ c). Then the Tardos scheme from Sect. 2.1 with parameters

Theorem 5 Let the Tardos scheme be constructed as in
is ε 1 -sound and ε 2 -complete.
Proof Let us write ω = d ( 0 − 0 )/ 0 . We prove that if the equations hold for (d , d z , d δ , d α , r, s, g), then they also hold for (d , d z , d δ , d α , r, s, g), Since for this set of parameters we get , Z and δ as in (8), the result then follows. First note that since d δ , s and g did not change, both sides of inequality (C1 ) remain the same and this inequality is still satisfied. For inequality (C2), note that both sides also remained the same, since gd − d z = g(d + ω) − (d z + gω) = gd − d z . For (S2), we rewrite this inequality as a quadratic inequality in d α : This inequality is satisfied if and only if d α lies between the two roots of x 2 +(−d z )x+rd = 0, which therefore must exist. These roots exist if and only if ( From (S2) and (C2) we know that g(d 2 z ) ≥ g(4rd ) ≥ 4rd z , i.e. gd z ≥ 4r . So it follows that 2gωd z + g 2 ω 2 ≥ 4r ω, which proves the second inequality. The third inequality then follows from (S2).
Finally for (S1), we prove that d α ≥ d α , while the right hand side remains the same, so that this inequality is still satisfied. Note that d α is also at most the largest root of (9), so d α − d α is bounded by Here the second inequality follows from earlier calculations that (d z ) 2 − 4rd ≥ d 2 z − 4rd . So this choice of d α is at least as high as d α , so inequality (S1) is satisfied. This completes the proof.

Optimization
Similar to the analysis done by Blayer and Tassa in [6,Sect. 2.4], we also investigate the optimal choice of parameters such that all requirements are satisfied, and d is minimized. As only one of the inequalities has changed, and it changed only on two positions, the formulas for the optimal values of d δ , d α , d z , d in the following theorem are almost the same as in [6,Sect. 2.4.5]. We do not give a proof here, as it would be nearly identical to the analysis done in [6, Sect. 2.4].
Example An optimal solution to (S1), (S2), (C1 ), (C2) for c ≥ 2 and η = 1, minimizing d , is given by This means that with these constants, we can prove soundness and completeness for all c ≥ 2 and η ≤ 1, with a codelength of ≥ 23.79c 2 ln(n/ε 1 ). Compared to the original Tardos scheme, which had a codelength of = 100c 2 ln(n/ε 1 ) , this gives an improvement of a factor more than 4. Furthermore we can prove that this scheme is ε 1 -sound and ε 2 -complete for any value of c ≥ 2 and η ≤ 1, while Tardos' original proof only works for c ≥ 2 and η ≤ √ c/4. Example In practice, one usually has η 1 instead of η = 1. For example, it could be that ε 2 = 1/2 is sufficient, while ε 1 = 10 −3 is desired and there are n = 10 6 users, so that η ≈ 0.033. Then the optimizations give us d ≈ 10.89 for c = 2. So with this larger value of ε 2 , a codelength of ≥ 10.89c 2 ln(n/ε 1 ) is sufficient to prove the soundness and completeness properties for any c ≥ 2. This is then already a factor more than 9 improvement compared to the original Tardos scheme.
If we let c increase in inequalities (O1),(O2),(O3),(O4), i.e. if we only want provable soundness and completeness for c ≥ c 0 for some c 0 > 2, then one can easily see that the inequalities become weaker and an even shorter codelength can be achieved. Figure 1 shows the optimal values of d against different values of c, for several values of η. One can see that for large c, a codelength of < 6c 2 ln(n/ε 1 ) can be sufficient. In the next Section, we will see that for large c, the optimal values of d will converge to π 2 2 ≈ 4.93.

Asymptotics
Here we show that with the symmetric Tardos construction, for c → ∞ we can prove soundness and completeness for d = π 2 2 + O c −1/3 . We calculate the optimal first order error term explicitly, and also show explicitly the dependence on η, as the choice of η may depend on the particular application. It is customary to assume that η ≤ 1, but smaller values of η are plausible and can lead to even shorter codelengths. 123 and the choices for g, r, s leading to them are given by Proof We introduce parameters K g , K r , K s , a priori depending on c, to enable us to write Clearly K g , K r , K s are positive, and we will assume that K g and K r are O(1) for c → ∞. This assumption will be validated later on. Note that we do not demand this for K s (and indeed, it will turn out that K s → ∞).
Next, for convenience we put D = d δ c , and then we have from (O1) that D = D 0 c −1/3 , where Note that D 0 is a decreasing function of K s , with limiting value 2 Note that where we used that η s = o (1). Note that (O3) and (O4) imply d = , and show that there is a solution to this with d α = x 0 , which then must be the optimum. For this optimal solution, by (16) and (17) we get To find the main terms in the optimal values for d , d z , d δ , for the moment we neglect error terms. The fact that d α = x 0 implies that D h(r ) ≤ x 0 , and this is asymptotically equivalent This can be expanded into 1 + 1 + 16 π K g K 2 s ≤ π K g K r K s , and this leads to (π 3 K g K 2 r − 16)K s ≥ 2π 2 K r , which actually is two conditions: This shows that it is impossible to choose both K g and K r close to 0, and that it is certainly possible to choose them O(1) as c → ∞. Note that optimizing η s implies taking s as large as possible, but this means taking K s as small as possible, which is limited by the above condition. Indeed, in minimizing L 0 we would like to minimize K g and K r , leading to growing K s , while also s preferably keeps growing. We will see that this is possible.
In optimizing L 0 , to find the main term we also neglect for the moment the term π D 0 η s , as it also tends to 0. So we optimize L 0 = π 3 2 K g + π 2 6 K r under the constraint K g K 2 r > 16 π 3 . The minimal value for L 0 is reached for K g → γ π ≈ 0.11325, K r → 6γ = 2.1346, where γ = ( 2 3π ) 2/3 ≈ 0.35577 is a convenience constant. In this case K g K 2 r → 16 π 3 , so K s → ∞, It follows that L 0 → 3π 2 2 γ ≈ 5.2670. Let us next be more careful, and not throw away the term π D 0 η s and the error terms. L 0 as in (18) is a priori a function of K g , K r and s. We can take for K s its exact optimal value according to (19), viz.
so that D 0 = π 2 K r . Note that (20) allows us to eliminate from L 0 the variable K g . This yields We now minimize L 0 by setting the partial derivatives w.r.t. s and K r to 0. Indeed, , and this being 0 implies Further, by 1 K r (s−1)e s +1 s 2 c −1/3 , and this being 0 implies From (21) and (22)

123
In turn this implies and Indeed we find that K s and s both tend to ∞.
To get the proper value for K r we turn to (21), and introduce θ such that K r = 6γ + θ , so that θ will tend to 0. Then (21) becomes a cubic equation in θ : When s → ∞ and K s → ∞, this ultimately becomes θ(θ 2 + 18γ θ + 108γ 2 ) = 0, with the quadratic term being positive definite, showing that (25) for finite large s has exactly one real solution, which will be close to 0. For this solution we have, using (23), (24), Putting everything together, using (23), we find (1)) .
The result now easily follows.
We have optimized for d , and one could get slightly better error terms for d z or d δ . For example, optimizing for d z yields an optimal value of π(1+(3γ +9γ η log c (1+o(1)))c −1/3 ), for a suboptimal d of π 2 2 (1 + (4γ + 15γ η log c (1 + o(1)))c −1/3 ), where γ = 2 −1/3 γ . It is remarkable that the error terms for d and d z scale with c −1/3 , while Škorić et al. found error terms scaling with c −1/2 . It turns out that in [7] an error term in μ was not taken into account, and if one does do, their analysis for the binary case will also yield error terms scaling with c −1/3 . Also note that d δ (related to the cutoff) scales with c 1/3 , i.e. the cutoff 1 d δ c scales with c −4/3 rather than with c −1 as one might have guessed.
An immediate consequence of Theorem 7 is the following result, which shows that asymptotically we will achieve codelengths of ≈ 4.93c 2 ln(n/ε 1 ), i.e. codelengths that are about 4.93 % of Tardos' original codelengths.
Remark In the proof of Theorem 7, we use that r can be taken in the neighborhood of 1 2 to get the final result, d = π 2 2 + O(c −1/3 ). In [7] however, no such variable r was used, as it was simply fixed at 1. If they had taken r as a parameter in their analysis and had taken it close to 1 2 in the asymptotic case, then they would have obtained the same asymptotic results as we did above, but still with different first order terms.

Summary
We have shown that by combining the symmetric score function of [7] with the improved analysis of [6], we get even shorter codelengths. Furthermore, the asymptotic codelength we obtain, = π 2 2 c 2 ln(n/ε 1 ), is optimal, which follows from an earlier result of [7]. We also investigated the first order behaviour of the codelengths for large c, and we have shown that = ( π 2 2 + O(c −1/3 ))c 2 ln(n/ε 1 ) is optimal for this construction, and is achieved by our analysis. With this we have thus closed the gap of a factor 2 between the best provably secure codelength and the required codelength, as existed in [7], for this construction, and we have established the order of the first order term (O(c −1/3 )), as well as the optimal first order constant.
An important open problem in this area is whether one can efficiently achieve even shorter asymptotic codelengths. We have shown that with the symmetric score function and the arcsine distribution function, the optimal asymptotic codelength is → π 2 2 c 2 ln(n/ε 1 ) ≈ 4.93c 2 ln(n/ε 1 ), and is achieved by our analysis. In [4], different distribution functions were considered, leading to shorter constants for small c but a larger asymptotic codelength of ≈ 5.35c 2 ln(n/ε 1 ). In [3] it was shown that the asymptotic codelength will always satisfy ≥ 2 ln(2)c 2 ln(n/ε 1 ) ≈ 1.39c 2 ln(n/ε 1 ), but it is unknown whether efficient schemes reaching such a codelength exist.
can bound the expectation value by where and, for some random variable p distributed according to F, Now, using β = s √ δ/c, we bound the exponents in E 0,x and E 1,x as follows.
So |β(xq − (c − x)/q)| ≤ s for our choice of β. So we can use the inequality e w ≤ 1 + w + h −1 (s)w 2 which holds for all w ≤ s, with w = ±β(xq − (c − x)/q), to obtain Introducing more notation, this can be rewritten to We first calculate F 1,x explicitly. Writing out the expectation value and using the definition of f ( p) from (1), we get The primitive of the integrand is given by I ( p) = p x (1 − p) c−x , so we get