A Study of the Separating Property in Reed-Solomon Codes by Bounding the Minimum Distance

According to their strength, the tracing properties of a code can be categorized as frameproof, separating, IPP and TA. It is known that if the minimum distance of the code is larger than a certain threshold then the TA property implies the rest. Silverberg et al. ask whether some kind of tracing capability is left when the minimum distance falls below the threshold. Under different assumptions, several papers have given a negative answer to the question. In this paper further progress is made. We establish values of the minimum distance for which Reed-Solomon codes do not possess the separating property.


Introduction.
As a motivation for our work, consider the distribution of digital goods. In the trade of digital content, safeguarding ownership rights is certainly a critical issue. A way to protect copyright consists of making each copy of the content unique. This is done by embedding a different mark in each delivered item. These hidden marks are typically strings of symbols. However, since now all objects are different, traitor users can get together and, by comparing their copies, create a new copy that tries to disguise their identities. This is known as a collusion attack, and the newly created copy is usually called a pirate copy.
A way to deal with collusion attacks is to take the embedded symbol strings to be the code words of a code with tracing properties. There is a large literature about codes possessing different degrees of robustness against collusion attacks. Let us give a brief overview; formal definitions are given in subsequent sections. In a $c$-frameproof code [3], a coalition of at most $c$ users cannot create a pirate copy that contains the code word of another user not in the coalition. In $c$-secure frameproof codes, two disjoint coalitions of at most $c$ users cannot create the same pirate copy. It has been shown [12] that the secure frameproof property is the same as the separating property [14]. Codes with the Identifiable Parent Property (IPP) were introduced in [10]. Informally, a code has the $c$-IPP property if all coalitions of at most $c$ traitors that can generate the same pirate copy have a non-empty intersection, i.e. have a common user. The IPP has received considerable attention in recent years, having been studied by several authors [1,2,17,4,9]. An even stronger property is the Traceability property ($c$-TA). In this case, it is guaranteed that the "closest" authorized copy to a given pirate copy belongs to one of the traitors. Sufficient conditions for a code to be a $c$-TA code are stated in [16].
The work in [15] discusses efficient algorithms for the identification of traitors in schemes that use $c$-TA codes. Let $M$ denote the size of the code. For TA codes, tracing is an $O(M)$ process, whereas for IPP codes tracing is more expensive, since it is an $O(M^c)$ process. Since the TA property is stronger than the IPP, but tracing is more costly for IPP codes, it seems reasonable to expect that by relaxing the TA requirements one is left with a code that, even though it is no longer $c$-TA, still possesses the IPP. In this regard, Silverberg et al. asked the following question:
Question 1 [15]: Is it the case that all $c$-IPP Reed-Solomon codes are also $c$-TA?
Although intuition might lead us to give a negative answer, in that same paper the authors used truncated Reed-Solomon codes to support the exact opposite, that is, if a Reed-Solomon code does not have the TA property then it does not have the IPP either. Later, the work in [13] not only reinforced this conjecture but proved a stronger fact: a Reed-Solomon code that is not $c$-TA is not $c$-secure-frameproof either. Therefore, they generalized the above question to the following one:
Question 2 [13]: Is it the case that all $c$-SEP Reed-Solomon codes are also $c$-TA?
In this paper, we provide further evidence for this last question. The results we present will hopefully contribute to a complete understanding of the tracing properties of Reed-Solomon codes.

Definitions and previous results.
Let $q$ be a prime power $p^s$ and let $\mathbb{F}_q$ denote the finite field with $q$ elements. Denote by $\mathbb{F}_q^n$ the set of all $n$-tuples with elements from $\mathbb{F}_q$. We define a linear code of length $n$ to be a vector subspace of $\mathbb{F}_q^n$. Then $\mathbb{F}_q$ is called the code alphabet, and the $n$-vectors in the code are called code words. The dimension of the code is defined as the dimension of the vector subspace. Let $u, v \in \mathbb{F}_q^n$ be two words; the Hamming distance $d(u,v)$ between $u$ and $v$ is the number of positions where $u$ and $v$ differ. The minimum distance $d$ is defined as the smallest distance between two different code words. A linear code with length $n$, dimension $k$ and minimum distance $d$ is denoted as an $[n,k,d]$-code.
Reed-Solomon codes can be defined as follows. Let $\mathbb{F}_q[x]$ be the ring of polynomials over $\mathbb{F}_q$. Take all polynomials of degree less than
As in the previous definition, throughout the paper, and probably with a slight abuse of notation, we will denote polynomials with an italic lowercase letter.
Reed-Solomon codes are maximum distance separable (MDS) [11]. That means they attain the Singleton bound with equality: $d = n - k + 1$.

2.1. Definitions about codes with tracing properties.
Let $C$ be an $[n,k,d]$ code over $\mathbb{F}_q$, and let $T = \{t_1, \dots, t_c\} \subseteq C$ with $t_i = (t_{i,1}, \dots, t_{i,n})$ be a subset of size $c$. Also, let $T|_i = \{t_{j,i} \mid t_j \in T\}$. The descendant set of $T$ is defined as $\mathrm{desc}(T) = \{ z = (z_1, \dots, z_n) \in \mathbb{F}_q^n \mid z_i \in T|_i,\ 1 \le i \le n \}$.
Definition 2. A code $C$, defined over $\mathbb{F}_q$, has the $c$-separating property (denoted $c$-SEP), $c > 0$, if for any two disjoint subsets of $C$, $U = (u_1, \dots, u_c)$ and $V = (v_1, \dots, v_c)$, we have
In the introduction we used the name secure frameproof for the separating property.

Definition 4.
A code $C$ is a $c$-traceability code (denoted $c$-TA), for $c > 0$, if for all subsets (coalitions) $T \subseteq C$ of at most $c$ code words, and all $z \in \mathrm{desc}(T)$, there exists a $t \in T$ such that $d(z,t) < d(z,w)$ for all $w \in C - T$.
We will also have occasion to link our discussion to a weaker tracing property called $c$-frameproof (FP).

Definition 5.
A code $C$, defined over $\mathbb{F}_q$, has the $c$-Frameproof Property (denoted $c$-FP), $c > 0$, if for any code word $u$ and any subset $V = (v_1, \dots, v_c)$ of $C$ of size at most $c$ with $u \notin V$, we have
Note that $(c,1)$-SEP is equivalent to $c$-FP.

2.2. Bezout identity.
Some of the results in this paper make extensive use of the Bezout identity. Intuitively, the Bezout identity is the ability to run the Euclidean algorithm backwards.
This is a very interesting question because a positive answer would mean that for Reed-Solomon codes the $c$-IPP and $c$-TA properties are essentially the same.
This question has been addressed in [8,13]. We can summarize previous results as follows.
Theorem 1 ([8], Theorem 6). Let $RS[n,k]_q$ be a Reed-Solomon code over $\mathbb{F}_q$ such that $k-1$ divides $q-1$. Then, if $d \le n - \frac{n}{c^2}$, the code is not $c$-SEP.
Theorem 2 ([13], Theorem 2). Let $RS[n,k,d]_q$ be a Reed-Solomon code over $\mathbb{F}_q$ and $c$ a divisor of $q$. Then, if $d \le n - \frac{n}{c^2}$, the code is not $c$-SEP.
It is worth noting that the proofs of these theorems are constructive, in the sense that explicit disjoint sets $U, V$ such that
are found. This proves that, for Reed-Solomon codes under the conditions of the theorems, $c$-SEP, $c$-IPP and $c$-TA are in fact equivalent.
2.4. Our contribution.
In this paper, progress in the understanding of the tracing properties of Reed-Solomon codes is made. In the flavour of Theorem 1 and Theorem 2, we use the structure of the finite field $\mathbb{F}_q$ over which the code is defined. In our particular case, we take advantage of the divisors of $q-1$. With that, we are able to give a complete answer to Question 2 by proving, in a constructive way, that in Reed-Solomon codes the $c$-IPP and $c$-TA properties are essentially the same when $q \equiv 1 \pmod{c^2}$. More precisely, we set the minimum distance to $d = \lceil n - \frac{n}{c^2} \rceil$, which is the maximum allowed so that the code is not $c$-TA, and then find two disjoint sets of code words that are not separated. In the rest of the paper, although the proofs are also constructive, the approach is somewhat different. We relax the distance condition and study whether an $[n,k,d]$ Reed-Solomon code over $\mathbb{F}_q$ with minimum distance $d < n - r$ is $c$-SEP for some $r > n/c^2$. To show the flavour of our approach, we start by proving a relaxed version of the question and show that Reed-Solomon codes are not $c$-SEP for $r = n/c$. Then we proceed to strengthen this result. For the case $c = 2$, we answer the question for $r = \frac{q}{3}$, and for $c = 3$ we do so for $r = \frac{2q}{8}$. We round off the paper using an elegant result of Cilleruelo [7] to give an alternative and more concise proof of known results.

A connection with the frameproof property.
We start our discussion by studying Reed-Solomon codes over $\mathbb{F}_q$ with minimum distance $d \le q - \frac{q}{c}$.
Proof. Let $\mathbb{F}_q = \{\alpha_1, \alpha_2, \dots, \alpha_q\}$ and $c \ge 2$ an integer. To construct the Reed-Solomon code we consider any set of $c$ distinct polynomials
Since the case $c \mid q$ is taken care of in Theorem 2, we consider $c \nmid q$, and then $r > 0$. We take the maximum allowed minimum distance $d = \lfloor q - \frac{q}{c} \rfloor$. Then $l = \frac{q}{c} - \frac{r}{c} < k-1$, and since $l$ is an integer, $l \le k-2$, which means $l+1 \le k-1$.
We finally show that the constructed polynomials are all different. Observe that for any two distinct polynomials $f, g$ of degree smaller than $q$ it is not possible that $f(\alpha) = g(\alpha)$ for every $\alpha \in \mathbb{F}_q$, since in that case $(x^q - x) \mid (f - g)$. Hence, taking $f_i \neq f_j$ for any $i \neq j$, then for any $1 \le j, l \le c$ there exists an $\alpha \in \mathbb{F}_q$ such that $g_j(\alpha) \neq f_l(\alpha)$, and also for any $i \neq j$ there exists a $\beta \in \mathbb{F}_q$ such that $g_i(\beta) \neq g_j(\beta)$, since for any two polynomials $f, g$ in the code we have $\deg(f - g) \le k-1 = q-d < q$.
Finally, note that, since the code is MDS, taking $n = q$ we have $d = q - k + 1$, and the condition $d \le q - q/c^2$ implies $q \le c^2(k-1)$, which is true in our case since
In Section 2.1 we defined $c$-frameproof codes. Take an $[n,k,d]_q$ code. It is well known, see the proof of Lemma III.2 in [3], that if $d > n - \frac{n}{c}$ then the code is $c$-FP. In Theorem 3 we have also proved that a Reed-Solomon code with minimum distance $d \le n - \frac{n}{c}$ is not $c$-FP. Indeed, by taking $f_1 = f_2 = \dots = f_c = \alpha$, $\alpha \in \mathbb{F}_q$, in the proof of the theorem, for every $\alpha \in \mathbb{F}_q$ there is a $g_i$ such that $g_i(\alpha) = \alpha$.

Increasing the minimum distance.
In the previous section we saw that a Reed-Solomon code with a small distance is not separating. This is consistent with intuition: since the code then has a higher dimension as a vector space, chances are that code words are not "separated". In this section we discuss strategies to increase the minimum distance of the code and still keep non-separation.
4.1. The case c = 2. To show our approach we first deal with a particular case.
Proof. We will find polynomials $f_1, f_2$ and $g_1, g_2$ such that the corresponding pairs of code words $\{f_1, f_2\}$ and $\{g_1, g_2\}$ are not separated.
Note that the previous lemma answers Question 2 for $q = 11$ and $c = 2$ and, for these particular values, improves Theorem 3. However, this approach does not fully generalize. Fortunately, for general $q$ we can give a fully explicit answer by slightly decreasing the distance of the code.

Theorem 4. A Reed Solomon code over
Proof. Let $q = 3l + r$ where $0 \le r \le 2$, and consider, for $1 \le i, j \le 2$, disjoint sets $A_{i,j} \subset \mathbb{F}_q$ such that $A_{2,2} = \emptyset$, $|A_{i,j}| = l+1$ for $r$ of them and $|A_{i,j}| = l$ for the remaining $3 - r$ sets. Now let $p_{i,j} = \prod_{\alpha \in A_{i,j}} (x - \alpha)$. Observe that $\bigcup_{i,j} A_{i,j} = \mathbb{F}_q$. The following polynomials, of degree at most $l+1$, define a code that is not 2-SEP.

4.2. The case c = 3.
Let us move to a larger value of $c$ and deal with the case $c = 3$.
This representation of the Bezout identity in Definition 6 is not unique. For univariate polynomials we have the following lemma. We include proofs for clarity in the exposition.
Assume $\deg(\hat a) \ge \deg(v)$. It is clear that the pair $a = \hat a + tv$, $b = \hat b + tu$ also satisfies Bezout's identity for any $t \in \mathbb{F}_q[x]$. Dividing $\hat a$ by $v$ we get $\hat a = q_a v + r_a$ with $\deg(r_a) < \deg(v)$, and taking $t = -q_a$ we have that $a = r_a$, $b = \hat b - q_a u$, and the result follows using the same reasoning as in (2), since $a$ and $b$ also satisfy Bezout's identity.
be two non-constant, relatively prime polynomials. Let $z$ be a polynomial such that $\deg(z) < \deg(u) + \deg(v)$. Then we can express $z$ as
Proof. By the previous lemma there exist $\hat a$ and $\hat b$ that satisfy (6), $au - bv = z$. Now, since we can express $\hat a z = v q_a + r_a$, we substitute $t = -q_a$ in (5), obtaining
The polynomials $a$ and $b$ in (7)
We express our result in the form of a theorem.
Theorem 5. Let $q$ be a power of a prime, $c = 3$ and $d < q - \frac{2q}{8}$. A Reed-Solomon code of length $q$ over $\mathbb{F}_q$ with distance $d$ is not 3-separating.
Then we proceed similarly to define $v_{2,1}, v_{3,1}, v_{1,2}$ and $v_{1,3}$ as the solutions of smaller degree of the Bezout equations
Again, by Corollary 2 the degree of $v_{2,1}, v_{3,1}, v_{1,2}$ and $v_{1,3}$ is less than $l+1$. Finally, take $v_{1,}$
By definition, we have
By construction we see that $\deg(f_i) \le 2l+1$, $\deg(g_i) \le 2l+1$, and hence the result follows.

The general case.
In order to obtain stronger results we need to deal with larger values of both c and the minimum distance. The following theorem generalizes Theorem 4 for c ≥ 2.
Theorem 6. Let $q$ be a power of a prime, $c \ge 2$ and $d < q - \frac{q}{2c-1}$. A Reed-Solomon code over $\mathbb{F}_q$ with distance $d$ is not $c$-SEP.
Proof. Let $q = (2c-1)l + r$ where $0 \le r < 2c-1$, and consider, for $1 \le i \le 2c-1$, disjoint sets $A_i \subset \mathbb{F}_q$ such that $r$ of the sets have size $|A_i| = l+1$ and the remaining $2c - r - 1$ have size $|A_i| = l$.
The following polynomials, of degree at most l + 1 evaluate to code words of a code that is not c-SEP.
To cope with a larger minimum distance, we would like to extend Theorem 5. Unfortunately, the generalization is not immediate because, when $c$ grows, the degree of the polynomials $v_{i,j}$ blows up. To obtain stronger results we need to take advantage of the structure of the field over which the code is defined. In this case we are able to state a result for a minimum distance matching the conjectured one, but limited to certain parameters of the code.
Theorem 7. Let $m^2 \mid q-1$. Then, for any $c \ge m$, there exists a non-extended Reed-Solomon code over $\mathbb{F}_q$ with distance $d = q - \frac{q-1}{m^2}$ that is not $c$-SEP.
Proof. Let $\alpha$ be a primitive root of the multiplicative group $\mathbb{F}_q^*$.
$\dots, c-1$. Now, every element of $\mathbb{F}_q^*$ can be written as $\alpha_{r,s} = \alpha^{ld^2 + rd + s}$ for some $0 \le s, r < d$ and a certain integer $l$. Then we clearly have $f_r(\alpha_{r,s}) = g_s$, proving the result.
Corollary 3. Let $c$ be any integer and $q \equiv 1 \pmod{c^2}$. There exists a non-extended Reed-Solomon code with distance $d = q - [q/c^2]$ over $\mathbb{F}_q$ which is $(c,c)$-inseparable.
Proof. Simply note that if $c^2 \mid q-1$, then $\frac{q-1}{c^2} = \left[\frac{q}{c^2}\right]$.
Corollary 4. For any $p$ and $c$ there exist infinitely many $q = p^e$ such that $\mathbb{F}_q$ admits a non-extended Reed-Solomon code of distance $d = q - [q/c^2]$.
Proof. Simply note that by Fermat's little theorem $p^{\varphi(c^2)} \equiv 1 \pmod{c^2}$, so the result follows for any $e = k\varphi(c^2)$, $k \in \mathbb{N}$, applying the previous theorem.
The case presented in this section is already dealt with in Corollary 1. We include it here, because the proofs provide new ways to approach a complete solution to the problem.
The first result we prove is a straightforward application of the following theorem of J. Cilleruelo.
Proof. Let us note first that, since $c \ge 2q^{3/4}$, then $c^2 > q$ and hence $q - [q/c^2] - 1 = q - 1$. So we need a code with distance $d = q - 1$. This means that we need to find two families of polynomials of size $c$ each, with all polynomials of degree at most 1, such that
for any $\alpha \in \mathbb{F}_q$. This is the same as
Now, let $\alpha$ be a generator of $\mathbb{F}_q^*$, and consider
and by the previous theorem we trivially have
But we can do better.
Theorem 10. Suppose that $q - 1 = rs$ with $(r,s) = 1$, and suppose $c > \max\{r,s\}$. Then the $[n,k,d]$ Reed-Solomon code with distance $d = q - 1$ over $\mathbb{F}_q$ is not $c$-SEP.
Proof. Let $q - 1 = rs$ with $(r,s) = 1$, $\alpha$ a generator of $\mathbb{F}_q^*$, and consider the sets $A = \{1, \alpha^r, \dots, \alpha^{r(s-1)}\}$ and $B = \{1, \alpha^s, \dots, \alpha^{s(r-1)}\}$. Then all the quotients $a/b$ with $a \in A$ and $b \in B$ are distinct. Indeed, suppose $\alpha^{ri}/\alpha^{sj} = \alpha^{rI}/\alpha^{sJ}$. Then $\alpha^{r(i-I)} = \alpha^{s(J-j)}$, and so $\alpha^{r(i-I) - s(J-j)} = 1$; but, since $\alpha$ is a generator, this is only possible either if $r(i-I) - s(J-j) = 0$ or else if $(q-1) \mid r(i-I) - s(J-j)$. In either case, since $r \mid q-1$, we have $r \mid s(J-j)$, and since $(r,s) = 1$, then $r \mid (J-j)$; but this is impossible, since $|J - j| < r$, unless $J = j$, and then $i = I$. Now, consider the polynomials $f_i = \alpha^{ri} x$ and $g_j = \alpha^{sj}$ with $0 \le i \le s-1$ and $0 \le j \le r-1$. We can do that since $l < c$. By the previous argument, the roots of $f_i - g_j$ are all distinct, and we have $rs = q-1$ distinct roots. Since $r < c$ we can add the missing root by adding a polynomial $g_r$.
In general, the theorem provides a bound on $c$ depending on the factorization of the exponent. However, in the case of a Sophie Germain prime, $q - 1 = 2p$ where $q$ and $p$ are primes, Theorem 10 only gives $c \ge q/2$.
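As an added worked example (not part of the paper), the construction from the proof of Theorem 10 carried out over a prime field, together with a direct check of the separating property through descendant sets: two coalitions fail to be separated exactly when their coordinate projections intersect at every position. The instance $q = 13$, $r = 3$, $s = 4$ is constructed for illustration, the restriction to prime $q$ and all function names are assumptions of this example.

```python
from itertools import combinations, product
from math import gcd

# Assumption of this example: q is prime, so F_q is the integers mod q.
# The paper's results hold for prime powers, which would need a field implementation.

def is_generator(alpha, q):
    """True if alpha generates the multiplicative group F_q^* (q prime)."""
    return len({pow(alpha, e, q) for e in range(1, q)}) == q - 1

def find_generator(q):
    """Smallest generator of F_q^*, i.e. a primitive root mod the prime q."""
    return next(a for a in range(2, q) if is_generator(a, q))

def evaluate(poly, x, q):
    """Evaluate poly, given as coefficients [c0, c1, ...], at x in F_q."""
    return sum(c * pow(x, i, q) for i, c in enumerate(poly)) % q

def code_words(polys, q):
    """Non-extended RS code words: each polynomial evaluated at all of F_q (n = q)."""
    return [tuple(evaluate(p, x, q) for x in range(q)) for p in polys]

def rs_min_distance(q, k):
    """Minimum distance of RS[q, k] over F_q by exhaustive search (small q only);
    the MDS property says it must equal q - k + 1."""
    words = code_words([list(p) for p in product(range(q), repeat=k)], q)
    return min(sum(a != b for a, b in zip(w1, w2)) for w1, w2 in combinations(words, 2))

def common_descendant(U, V):
    """A word in desc(U) ∩ desc(V), or None if the coalitions U and V are separated.
    U and V are not separated exactly when U|_i ∩ V|_i is non-empty at every position i."""
    z = []
    for i in range(len(U[0])):
        common = {u[i] for u in U} & {v[i] for v in V}
        if not common:
            return None          # position i separates the two coalitions
        z.append(min(common))
    return tuple(z)

def theorem10_coalitions(q, r, s):
    """Coalitions from the proof of Theorem 10, as coefficient lists:
    f_i = alpha^{ri} x for 0 <= i < s and g_j = alpha^{sj} for 0 <= j < r, plus the
    constant g_r = 0 so that the root x = 0 (where every f_i vanishes) is covered too."""
    assert r * s == q - 1 and gcd(r, s) == 1, "need q - 1 = rs with (r, s) = 1"
    alpha = find_generator(q)
    U = [[0, pow(alpha, r * i, q)] for i in range(s)]        # degree-1 polynomials
    V = [[pow(alpha, s * j, q)] for j in range(r)] + [[0]]   # constant polynomials
    return U, V

if __name__ == "__main__":
    q, r, s = 13, 3, 4                        # constructed instance: q - 1 = 12 = 3 * 4
    U, V = theorem10_coalitions(q, r, s)
    z = common_descendant(code_words(U, q), code_words(V, q))
    print("d =", rs_min_distance(q, 2), "(= q - 1, so the code is RS[q, 2])")
    print("|U| =", len(U), "|V| =", len(V), "common descendant:", z)
```

Both coalitions have size $\max\{r,s\} = 4 < c$ for any $c \ge 5$, so the witness shows the $[13, 2, 12]$ code is not 5-SEP, as Theorem 10 states.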

Conclusion
The aim of the paper is to find out whether or not there exist values of the minimum distance for which a Reed-Solomon code is $c$-SEP but not $c$-TA. We start the presentation by considering a sufficiently small value of the minimum distance. For this very convenient value, we prove that codes do not possess the frameproof property, let alone the separating one. For the cases $c = 2$ and $c = 3$, we improve this almost naive result by bringing both polynomial interpolation and Bezout's identity into our discourse.
The approach for the case $c = 3$ does not generalize to larger values of $c$. In order to deal with the general case, we resort to the structure of $\mathbb{F}_q$, the finite field over which the code is defined. This allows us to prove an assertion for all $c$ whenever $q \equiv 1 \pmod{c^2}$. Along the same line of reasoning, we provide an alternative proof of existing results by applying an elegant theorem about the generators of the multiplicative group of $\mathbb{F}_q$.
Our presentation shows that for the general case a constructive proof is by no means trivial. This is because, when using the structure of the field defining the code, one cannot cover all cases, and cases without "structure" do not seem to follow any common pattern. So, although the problem is algebraic in nature, it seems that an existence proof should be considered.