1.1  Our Contribution

To the best of our knowledge, the most efficient multi-round FT-AS scheme is the one proposed by Ishii et al. [12]. (In the following, we refer to this scheme as AS-FT-2, following the description in [12].) The first contribution of our work is that we measure the total processing time required for the feedback by implementing AS-FT-2. In order to realize an environment in cyberspace that is as close to a real system as possible, we implement this scheme in a simulation environment built on Amazon Web Services (AWS). We measure the performance of the algorithms, and find out that the feedback waiting time is \(605.3\) ms on average in the setting with the number of signers \(N=3000\) including \(d=5\) rogue signers (for which we have the above mentioned example of a factory in mind). The feedback waiting time is asymptotically proportional to \(N\). This indicates that in applications whose acceptable feedback time is significantly larger than a few hundred ms, the existing FT-AS scheme can be used without problems. However, these schemes cannot be used if applications require faster feedback time. For instance, the average requirement for the transmission interval is considered to be \(5\) seconds to an hour [15], whereas in some real-time communication systems, the data transmission interval for cooperative intelligent transportation systems is considered to be \(200\) ms [16]. The existing scheme would not be suitable for the latter case.

Our second contribution is that we propose a new variant of an ASIT scheme [12] that does not require a feedback, in anticipation of applications where the feedback waiting time is shorter so that existing schemes cannot be used. The idea behind our proposed scheme is that we let the aggregator decide how to generate aggregate signatures beforehand. More specifically, our scheme employs Sequential Traitor Tracing (STT) [17] as a tracing functionality, instead of DTT employed in the existing ASIT scheme (see Sect. 3 for the technical details). We also implement our new scheme, and compare the performances with AS-FT-2. The experiment reveals that the new scheme runs faster than the existing scheme, but requires more communication cost (i.e., the bandwidth for sending aggregate signatures). See Sect. 5 for the discussion.

1.2  Implications of Our Results: Suitable Schemes for Individual Applications

In this subsection, we discuss the implications of our results. In particular, we provide specific recommended multi-round FT-AS schemes for some applications. We illustrate this in Fig. 1. Note that this is a list of recommended schemes that seem to be most suitable, and other schemes can also be applied to the same applications. In addition, when an aggregator is sufficiently powerful in terms of computation or memory size, we can use the trivial method that the aggregator verifies all individual signatures before aggregation or store all individual signatures to trace invalid signatures. If the aggregator is sufficiently powerful then we can use this trivial method. Therefore, we only consider the case where such a powerful aggregator is not available.

Fig. 1  A map of the most suitable scheme in existing multi-round FT-AS schemes for a network where aggregators have small memory and low computational power.

Our results show that for applications where high communication rate (more than about 1 Mbps) is available but we need to transmit a new message in real time with an interval of less than 1 second (the left-upper region of Fig. 1), our proposed scheme (presented in Sect. 4) is recommended. Such applications include, for example, traffic monitoring.

For applications where the transmission rate is low (about 128 kbps) but it is sufficient to send the latest information at a relatively long interval of a few seconds or more (the right-lower region of Fig. 1), the schemes in [12] and [18] are recommended². Such applications include sensor networks.

For applications where high communication rate is available and where it is sufficient to transmit a new message at relatively long intervals of a few seconds or more (the right-upper region of Fig. 1), a variety of FT-AS schemes can naturally be applied. However, among those schemes, we recommend [12] and [18] as the most suitable schemes because of their very small size of data transmission. Of course, AS-SW-1 (presented in Sect. 4) is also applicable, but since the communication data size of AS-SW-1 is much larger than that of [12] and [18], there is no particular merit except for being able to accept a short interval.

For applications where only low transmission rate is available and the latest message must be transmitted in real time at intervals of less than 1 second (the left-lower region of Fig. 1), there are currently no recommended schemes. In such a situation, if it is necessary to use a FT-AS scheme, the only way is to use the trivial methods using a powerful aggregator as described above.

Note that our proposed scheme is not always the best for such time-constrained network settings. Our claim is that only our scheme is applicable to some networks where existing schemes have not been assumed.

1.3  Related Work

Boneh et al. [2] proposed the first aggregate signature scheme (together with its concept itself), which is secure in the random oracle model and based on the BLS signature [19] in groups with efficiently computable bilinear maps. Hohenberger et al. [20] gave an aggregate signature scheme using multilinear maps in the standard model. These schemes can aggregate individual signatures as well as already aggregated signatures in any order.

Hartung et al. [6] proposed fault-tolerant aggregate signature schemes. In their schemes, a cover-free family [7]-[9], which is a combinatorial scheme, is used to determine sets of individual signatures to be aggregated. Several works [13], [18], [21] proposed efficient aggregate signatures with a tracing functionality based on group testing [10], [11]. These schemes were shown to be secure against static attackers.

There are other types of aggregate signature schemes. One is sequential aggregate signature, which was first proposed by Lysyanskaya et al. [3] and shown to be secure in the random oracle model. Since then, a number of schemes have been proposed both in the random oracle model [3], [22], [23] and in the standard model [24], [25]. Another type is aggregate signature with synchronized aggregation, which was first proposed by Gentry and Ramzan [4] (in the identity-based setting) and shown to be secure in the random oracle model. Again, since then, several constructions have been proposed both in the random oracle model [4], [5] and in the standard model [5].

1.4  Paper Organization

In Sect. 2, we introduce notations and recall the definitions of ASIT. In Sect. 3, we review the ASIT scheme AS-FT-2 by Ishii et al. [12], observe the feedback waiting time of this scheme, and give a discussion on it. In Sect. 4, we propose a new ASIT scheme, called AS-SW-1, that does not require a feedback, based on a STT. In Sect. 5, we show the experimental results for the proposed scheme and discuss which of AS-FT-2 and AS-SW-1 is more suitable for some network systems. Finally, Sect. 6 concludes this work.

2.1  Notations

We let \([n]\mathop{\mathrm{:=}}\{1,\ldots, n\}\). We denote the empty string by \(\epsilon\), the empty set by \(\emptyset\), the message space (of a signature scheme) by \(\mathop{\mathrm{\mathcal{M}}}\), an unspecified polynomial by \(\mathsf{poly}(\cdot)\), an unspecified negligible function by \(\mathop{\mathrm{\mathrm{negl}}}(\cdot)\), and the security parameter by \(\lambda\). PPT stands for probalistic polynomial time. We say that \(P\) is a partition of a set \(U(\subseteq [n])\) if it satisfies the following conditions: \(P=(S_1, \ldots, S_p)\), \(p\in [|U|]\), \(S_1, \ldots, S_p \in 2^{U}\setminus \{\emptyset\}\), \(\bigcup_{i \in [p]} S_i = U\), and \(S_i \cap S_j = \emptyset\) for all \(i \neq j\) \((i, j \in [p])\).

2.2  Aggregate Signatures

Here, we recall an ordinary aggregate signature and its security definition. In this paper, for simplicity, we deal with aggregate signatures which aggregate only one message and signature pair under one verification key³.

An aggregate signature scheme consists of the five PPT algorithms (KeyGen, Sign, Verify, Agg, AggVerify).

Definition 2.1 (Correctness): An aggregate signature scheme \(\Sigma_{\mathrm{AS}} = (\mathop{\mathrm{\mathsf{KeyGen}}}, \mathop{\mathrm{\mathsf{Sign}}}, \mathop{\mathrm{\mathsf{Verify}}}, \mathop{\mathrm{\mathsf{Agg}}}, \mathop{\mathrm{\mathsf{AggVerify}}})\) satisfies correctness if for any \(\lambda \in \mathbb{N}\), any \(n = \mathsf{poly}(\lambda)\), and any \(m_1, \ldots, m_n\in \mathop{\mathrm{\mathcal{M}}}\), it holds that

For security aganist forgery, we consider EUF-CMA (Existential UnForgeability against Chosen Message Attacks) security in the model where all key pairs are generated honestly (honest-key model). The definition captures a situation where adversaries, including an aggregator, cannot forge a valid and fresh message-signature pair even if they acquired valid signatures of honest signers.

We define security using an experiment in which all signers and an aggregator except the first signer are considered as adversaries, and the adversary wins if it successfully forges a valid aggregate signature containing the first signer. The adversaries' acquisition of valid signatures is represented as oracle access.

Definition 2.2 (EUF-CMA security): An aggregate signature scheme \(\Sigma_{\mathrm{AS}} = (\mathop{\mathrm{\mathsf{KeyGen}}}, \mathop{\mathrm{\mathsf{Sign}}}, \mathop{\mathrm{\mathsf{Verify}}}, \mathop{\mathrm{\mathsf{Agg}}}, \mathop{\mathrm{\mathsf{AggVerify}}})\) satisfies EUF-CMA security if for any \(\lambda \in \mathbb{N}\), any \(n = \mathsf{poly}(\lambda)\) and any PPT adversary \(\mathop{\mathrm{\mathcal{A}}}\), it holds that \(\Pr\left[\mathop{\mathrm{\mathsf{ExpAS}}}_{\Sigma_{\mathrm{AS}}, \mathop{\mathrm{\mathcal{A}}}}^{EUF\text{-}CMA}(\lambda,n)=1\right] = \mathop{\mathrm{\mathrm{negl}}}(\lambda)\) where \(\mathop{\mathrm{\mathsf{ExpAS}}}_{\Sigma_{\mathrm{AS}}, \mathop{\mathrm{\mathcal{A}}}}^{EUF\text{-}CMA}(\lambda,n)\) is the following experiment:

where when \(\mathop{\mathrm{\mathcal{A}}}\) makes a query \(m\in \mathop{\mathrm{\mathcal{M}}}\) to the signing oracle \(\Sigma_{\mathrm{AS}}.\mathop{\mathrm{\mathsf{Sign}}}(\mathop{\mathrm{\mathsf{sk}}}_1, \cdot)\), it computes \(\sigma \leftarrow \Sigma_{\mathrm{AS}}.\mathop{\mathrm{\mathsf{Sign}}}(\mathop{\mathrm{\mathsf{sk}}}_1, m)\), sends \(\sigma\) to \(\mathop{\mathrm{\mathcal{A}}}\), and sets \(Q\leftarrow Q\cup \{m\}\).

Note that in the experiment, the user index \(1\) is used as the challenge user, whose secret key is unknown to an adversary, and the remaining keys \((\mathop{\mathrm{\mathsf{pk}}}_i, \mathop{\mathrm{\mathsf{sk}}}_i)_{i \in [n] \setminus \{1\}}\) are directly given to \(\mathop{\mathrm{\mathcal{A}}}\). Thus, the signing oracle is provided only for the index \(1\).

2.3  Aggregate Signatures with Interactive Tracing Functionality

Here we recall the formal definitions for an aggregate signature scheme with interactive tracing functionality (ASIT) in the form given in [12]. In Definition 2.3, \(\mathop{\mathrm{\mathsf{Trace}}}\) is an algorithm to trace adversaries from invalid aggregate signatures and generate partitions of the signer set, and \(\mathop{\mathrm{\mathsf{PartVerify}}}\) is an algorithm to verify an aggregate signature containing a specified signer.

Definition 2.3 (ASIT): An ASIT scheme consists of the PPT algorithms \((\mathsf{KeyGen}\), \(\mathsf{Sign}\), \(\mathsf{Agg}\), \(\mathsf{Verify}\), \(\mathsf{PartVerify}\), \(\mathsf{Trace})\) that work as follows.

Note that \(\mathop{\mathrm{\mathsf{PartVerify}}}\) is not part of the actual operation of an aggregator or a verifier but is introduced for the brevity of the EUF-CMA security of ASIT.

We also present the correctness of \(\mathop{\mathrm{\mathsf{Trace}}}\) and \(\mathop{\mathrm{\mathsf{PartVerify}}}\) as functional requirements of the ASIT algorithms. The correctness of \(\mathop{\mathrm{\mathsf{Trace}}}\) represents that any signer is not traced by \(\mathop{\mathrm{\mathsf{Trace}}}\) algorithm in any round if all users follow the ASIT algorithm.

Definition 2.4 (Correctness of \(\mathop{\mathrm{\mathsf{Trace}}}\)): Let \(\Sigma_{\mathrm{ASIT}}\) be an ASIT scheme. The algorithm \(\Sigma_{\mathrm{ASIT}}.\mathop{\mathrm{\mathsf{Trace}}}\) satisfies correctness if for any \(\lambda \in \mathbb{N}\), any \(n=\mathsf{poly}(\lambda)\), any \(t\in \mathbb{N}\), and any \(m_1, \ldots, m_n \in \mathcal{M}\), it holds that \(\Pr[V_t=\emptyset] = 1\) where \(V_t\) is the value in the experiment \(\mathop{\mathrm{\mathsf{ExpASIT}}}^{\mathrm{Trace}}_{\Sigma_{\mathrm{ASIT}}}(\lambda, n, \{m_i\}_{i \in [n]})\) described in Fig. 2 (left).

Fig. 2  The experiments used for defining the correctness of an ASIT scheme.

The correctness of \(\mathop{\mathrm{\mathsf{PartVerify}}}\) represents that if all users follow the ASIT algorithm, the \(\mathop{\mathrm{\mathsf{PartVerify}}}\) algorithm can show the correctness of an aggregate signature including a specified user.

Definition 2.5 (Correctness of \(\mathop{\mathrm{\mathsf{PartVerify}}}\)): Let \(\Sigma_{\mathrm{ASIT}}\) be an ASIT scheme. The algorithm \(\Sigma_{\mathrm{ASIT}}.\mathop{\mathrm{\mathsf{PartVerify}}}\) satisfies correctness if for any \(\lambda\in \mathbb{N}\), any \(n=\mathsf{poly}(\lambda)\), any possible form of internal state \(\beta\), any \(j \in [n]\), and any \(m_1, \ldots, m_n \in \mathcal{M}\), it holds that \(\Pr[v=1] = 1\) where \(v\) is an output of the experiment \(\mathop{\mathrm{\mathsf{ExpASIT}}}^{\mathrm{PartVrf}}_{\Sigma_{\mathrm{ASIT}}}(\lambda, n, \beta, j, \{m_i\}_{i \in [n]})\) described in Fig. 2 (right).

3.1  Existing Instantiations of DTT and ASIT

DTT is a method to trace piracy in a contents distributing service, which works as follows: Users are divided into several subgroups, and for each subgroup a content with a unique watermark is distributed. Once a piracy is found, the contents distributor checks the watermark, divides the corresponding subgroup into smaller subgroups, and repeats this procedure until it traces a piracy. We refer to the interval between the executions of tracing as 1 round. Fiat and Tassa [14] proposed two DTTs, and we recall one of them.

Figure 3 illustrates the instantiation of DTT proposed in [14], named FT-2. FT-2 is a method to trace traitors in a set of users similar to a binary search. Initially, all users are included in the set \(I\) (representing innocent), which is bisected into \(L_j\) and \(R_j\) when a piracy is detected. Then in the next round, when piracy is found from \(L_j\) (or \(R_j\)), \(L_j\) (or \(R_j\)) is divided in two. The process is repeated until the adversary is isolated. It is known that FT-2 traces all traitors in \(d(\log_2 N + 1)\) rounds, where the number of signers is \(N\) and the number of traitors is \(d\).

Fig. 3  The descriptions of the DTT (FT-2) by Fiat and Tassa [14] and the subroutine \(\mathsf{Halve}\) used in the scheme.

We recall the ASIT scheme proposed by Ishii et al. [12]. The idea behind the tracing functionality of this scheme is to regard rogue signers as pirates, and run FT-2 to trace them. Figure 4 illustrates the ASIT scheme \(\Sigma_{\mathrm{ASIT}}\) based on an aggregate signature scheme \(\Sigma_{\mathrm{AS}}\) and the DTT FT-2 \(\Sigma_{\mathrm{DTT}}\). We call this instantiation as AS-FT-2. For AS-FT-2, an aggregator aggregates all individual signatures into an aggregate signature in the first round. The verifier verifies it, and if it is invalid, the \(\mathop{\mathrm{\mathsf{Trace}}}\) algorithm of FT-2 is run to generate the next partition. This partition is sent as feedback to the aggregator. In the next round, aggregation is performed in part-by-part according to the partition in the feedback. Specifically, for each individual subset divided by the partition, only signatures in the same subset are aggregated (i.e., the number of aggregate signatures generated by the aggregator is as many as the number of subsets). Then the verifier verifies the signatures and if it finds an invalid one, it runs the \(\mathop{\mathrm{\mathsf{Trace}}}\) algorithm. These processes are repeated until all invalid signers are traced.

Fig. 4  The instantiation \(\Sigma_{\mathrm{ASIT}}\) of an ASIT scheme based on an aggregate signature scheme \(\Sigma_{\mathrm{AS}}\) and FT-2 \(\Sigma_{\mathrm{DTT}}\) by [12]. \({}^{(\dagger)}\) This command exits for and moves to the next line.

3.2  Evaluation of the Feedback Waiting Time of AS-FT-2

We evaluate the feedback waiting time of AS-FT-2, describe the implementation experiment of AS-FT-2 in detail and present the results. We also discuss whether the feedback waiting time meets the requirement for some applications.

3.2.1  Experimental Environment

We use a simulator implemented using Amazon Web Service (AWS) shown in [26]. For the devices, we use four Amazon EC2 instances, which are virtual devices provided by AWS. The EC2 instance types are all t3.micro (3.1 GHz Intel Xeon Scalable processor, baseline performance per virtual CPU: 10%, virtual CPU: 2, memory: 1 GiB, maximum bandwidth: 5 Gbps, baseline bandwidth: 87 Mbps). These four instances are managed by Amazon Elastic Kubernetes Service (EKS) as shown in Fig. 5 and each of them has a container image, which consists of alpine Linux 3.15 (latest) as the OS and g++ 10.3.1 as the C++ version.

Fig. 5  Device configuration in a cluster. The legitimate node sends \(N-d\) valid signatures and the rogue signer node sends \(d\) invalid signatures in each round, where \(N\) is the number of all signers and \(d\) is the number of rogue signers.

3.2.3  Experimental Results

Table 1 shows the simulation results of AS-FT-2 under the experimental conditions described above. Observe that the execution time of tracing occupies a large ratio of the feedback waiting time, which further increases when \(N\) becomes large. This is because the verifier requires \(N+1\) pairing operations and a pairing operation takes longer time than other group operations in our instantiation⁴. We observe that the execution time of tracing becomes less as \(d\) increases. In this experiment, each rogue signer always sends an invalid signature, so at least one of the splits out of two includes a rogue signer and an invalid signature can be found in two times of verifications. In addition, when \(d\) is large, the number of set partitions in tracing is also large and the number of signatures in each set becomes small, then the number of pairing operations executed to find an invalid aggregate signature becomes small⁵.

Table 1  Simulation results of AS-FT-2. Trace is the average execution time of the tracing algorithm, and Feedback is the average time from the time that the aggregator generates an aggregate signature to the time that the verifier returns a feedback. The feedback size of each round when \(N=1000\), \(3000\) are \(3.9\) kilobytes and \(11.9\) kilobytes respectively.

For the column Feedback, it becomes clear that when \((N,d)=(1000,5)\), \((3000,5)\), the aggregator needs to wait on average of \(233.3\) ms, \(605.3\) ms, respectively, and each signer needs to have a transmission interval longer than this. The time difference of the columns Trace and Feedback is due to the communication delay to the aggregator in addition to the time of tracing.

4.1  Sequential Traitor Tracing

As already mentioned, STT is a variant of a piracy tracing algorithm that predetermines the watermark assignment. The assignment is actually determined by an allocation matrix \(M\), whose entry is decided by a function family \(\Phi\). The column of \(M\) corresponds to the allocation of watermarks for each distribution. The time interval between each distribution is called segment. In this subsection, we introduce the allocation matrix and the function family along with several lemmas and an implementation of the function family. Then, we provide an implementation of the STT.

Let \(W\mathop{\mathrm{:=}}[q]\) be the set of watermarks, and \(b\) \((\leq q)\) and \(l\) be integers. We let \(\Phi=\{\phi_{i,j}:1\leq i\leq b, 1\leq j\leq l\}\), where \(\phi_{i,j}:W\rightarrow W\) is a function family that satisfies the following conditions:

Condition 1: For all \(x \in W\), any fixed \(j\) and a pair of the first indices \((i_1, i_2)\) where \(i_1 \neq i_2\), it holds that \(\phi_{i_1j}(x) \neq \phi_{i_2j}(x)\).

Condition 2: For any \((i_1,i_2)\) and \((j_1,j_2)\) where \(j_1\neq j_2\), and any \(x_1,x_2\in W\) such that \(x_1\neq x_2\), if \(\phi_{i_1,j_1}(x_1)=\phi_{i_2,j_1}(x_2)\) then \(\phi_{i_1,j_2}(x_1)\neq \phi_{i_2,j_2 }(x_2)\).

Now, we describe an allocation matrix \(M\). Let \(\Phi\) be a function family that satisfies the above conditions. Let \(M_0\) and \(\phi_{i,j}(M_0)\) (\(i\in [b]\), \(j\in [l]\)) be the following \(q\times 1\) matrices:

Then, the allocation matrix \(M\) is described as follows:

Note that \(M\) has \(b\) block rows and each block consists of \(q\) rows. The \(i\)-th row of \(M\) represents the watermark assigned to user \(i\) in order (thus, it is implicitly assumed that the number of users is \(bq\)), and \(j\)-th column represents the assignment of watermarks for each user at segment \(j\). Let \((r,k)\) denote the \(k\)-th row of the \(r\)-th block.

Here we explain how \(M\) is used to detect piracy in a content distribution service. The content distributor distributes a watermark of a content \(M(i, j)\) to the user \(i\) at the segment \(j\), with monitoring piracy. For ease of discussion, we assume that the distributor detects exactly one piracy in every segment. Let \(F_j=(f_1,\ldots,f_j)\) be the index sequence of the watermarks on the content detected by the distributor from segment \(1\) to segment \(j\). Furthermore, let

If there exists a user \(i\) such that \(\rho(F_j, i) \geq t\) for a threshold \(t\), then the distributor regards \(i\) as a pirate and eliminates it. Regarding the threshold, Safavi-Naini and Wang [17] showed the following lemmas.

Lemma 4.1 ([17]): Let \(C\) be the set of pirates where \(|C| = c\), and \(F_j=(f_1,\ldots,f_j)\) be the index sequence of the watermarks on the content detected by the distributor from segment \(1\) to segment \(j\). If there exists a user \(i\) such that \(\rho(F_j, i) \geq c+1\), then \(i \in C\).

Regarding how many segments are necessary to trace all pirates, they also showed the following lemma.

Lemma 4.2 ([17]): Let \(C\) be the set of pirates where \(|C| = c\). All pirates can be traced with at most \(c^2 + c\) segments.

Lemma 4.2 tells us the relation between the number of segments and the number of pirates.

Corollary 4.1 ([17]): Let \(M\) be an \(n \times (l+1)\) allocation matrix. The STT that employs this matrix can trace at most

pirates.

4.1.3  An Instantiation of STT

Here we provide an instantiation of STT based on the function family in Theorem 4.1. Let \(n \mathop{\mathrm{:=}}bq\) be the number of signers, \(C \subseteq [n]\) be a set of pirates where \(|C| = c \leq n\), and \(W \mathop{\mathrm{:=}}[q]\) be a set of watermarks that are assumed to be given to the distributor in advance. Let \(Q_{j,x}\) be the set of users to which the watermark \(x \in W\) is assigned at segment \(j\), i.e., \(Q_{j,x} = \{i\in [n] : M[i,j]=x\}\).

Figure 6 illustrates the construction \(c\)-SW-1 of the STT that uses the function family \(\Phi\) in Theorem 4.1. Note that in the subroutine GenMatrix, the prime \(p\) is chosen based on the above observation. We show the following lemma.

Fig. 6  The construction \(c\)-SW-1 of STT. GenMatrix is a subroutine that is used to generate the allocation matrix \(M\) based on the function family \(\Phi\) in Theorem 4.1.

Lemma 4.3: The algorithm \(c\)-SW-1 is a DTT.

The proof of 4.3 is presented in Appendix B.

4.2  The Construction of an ASIT Scheme without a Feedback

We demonstrate an ASIT scheme that does not require a feedback based on an aggregate signature and the STT \(c\)-SW-1 (hereinafter referred to as AS-SW-1). Figure 7 illustrates AS-SW-1, where \(c\) satisfies the Eq. (1). We assume without loss of generality that the number of users \(n\) and the number of rogue signers \(c\) are given to the algorithms. AS-SW-1 performs similarly to AS-FT-2 in that aggregation is performed in part-by-part according to the partition, but unlike AS-FT-2, AS-SW-1 avoids the feedback communication between an aggregator and a verifier. Specifically, the aggregator and the verifier both execute \(c\)-SW-1 to share how the signer set is divided in each round, and the partition \(P\) held by the aggregator and the verifier are stored in the internal states \(\alpha\) and \(\beta\), respectively.

Fig. 7  The proposed ASIT scheme AS-SW-1. \({}^{(\dagger)}\) This command exits for and moves to the next line.

Observe that both \(\mathop{\mathrm{\mathsf{Agg}}}\) and \(\mathop{\mathrm{\mathsf{Trace}}}\) run \(c\)-SW-1\(.\mathop{\mathrm{\mathsf{Initialize}}}\) when they are initiated. Because \(c\)-SW-1, including the subroutine \(\mathsf{GenMatrix}\), is deterministic, these algorithms share the same partition \(P\) (or the same allocation matrix). Note that the output \(f\) by \(\mathop{\mathrm{\mathsf{Trace}}}\) is an empty string (this feedback is put just to follow the syntax of ASIT, and thus \(\mathop{\mathrm{\mathsf{Agg}}}\) does not receive this \(f\) in an actual execution). Also, when the verifier identifies rogue signers, it sends the traced attacker set \(V\) to the aggregator.

5.1  Theoretical Evaluations

We theoretically evaluate a trivial scheme (i.e, no aggregation), an existing scheme AS-FT-2 and our proposed scheme AS-SW-1 with respect to the efficiency of the tracing functionality and the communication bandwidth of AS-FT-2 and AS-SW-1. To compare these metrics, we evaluate the maximum number of rounds required to trace all the rogue signers, the maximum number of signatures sent by the aggregator per round and the total number of signatures until all rogue signers are traced.

We firstly compare a trivial method and the other schemes. From Table 2, Trivial requires the least number of tracing rounds, while \(\mathrm{TotalSig}\) is linear to \(N\). When \(d(2N-d+1)/2<3d(d+1)\), i.e, \(N<4d+2\) or \(d(2N-d+1)/2<(d^2+d)(p-1)\), i.e, \(N<(d+1)(p-1)+(d-1)/2\), Trivial is the best scheme in terms of both tracing and bandwidth, otherwise, it requires huge communication cost in the whole tracing.

Table 2  Theoretical evaluations. Trivial denotes a trivial scheme. \(N\) and \(d\) are the numbers of all signers and rogue signers, respectively, and \(p\) is a prime number that satisfies \(p > \max (2d^2+2d, \lceil \frac{\sqrt{2N}}{2} \rceil)\). \(R_{\max}\) is the maximum number of rounds required to trace all the rogue signers. \(\mathrm{Sig}_{\max}\) is the maximum number of signatures sent by the aggregator per round. \(\mathrm{TotalSig}\) is the total number of signatures to trace all colluded rogue signers when there is a round to send \(\mathrm{Sig}_{\max}\) signatures.

Next, we compare AS-FT-2 and AS-SW-1. For the number of rounds \(R_{\max}\), when \(d<\log_2 N\), AS-SW-1 requires fewer rounds than AS-FT-2, otherwise AS-FT-2 requires fewer rounds than AS-SW-1. For \(\mathrm{Sig}_{\max}\), when \(2(d^2+d)< \frac{\sqrt{2N}}{2}\) and \(\frac{\sqrt{2N}}{2}-1 < 2d+1\), i.e., \(8(d^2+d)^2<N<8(d+1)^2\), the maximum number of signatures sent by the aggregator per round of AS-SW-1 is less than that of AS-FT-2, otherwise AS-FT-2 sends less signatures than AS-SW-1. Therefore, AS-SW-1 traces more efficiently when the number of rogue signers is quite much smaller compared to the number of all signers but requires more bandwidth than AS-FT-2.

5.2  Implementation Evaluations

Based on the theoretical evaluations, we concretely set the number of all signers and that of the rogue signers, and implement our scheme, and evaluate which of AS-FT-2 or AS-SW-1 is more effective based on experiments. The details of the experimental environment are the same as in Sect. 3.

5.2.2  Simulation Results

Table 3 shows our result. In this table, the prime \(p\) is the smallest one satisfying the condition in Table 2 for AS-SW-1. The most important part is the column non-FB, which indicates the necessity of a feedback. We confirm that AS-SW-1, which does not require a feedback, indeed works well. For tracing efficiency, the total time of tracing is almost proportional to \(d^2\) and \(N/p\) for AS-SW-1 when \(p<N\), while that of AS-FT-2 is almost proportional to \(d\log N\). This result is consistent with the theoretical evaluation shown in Table 2. From Table 3, the total time of tracing of AS-SW-1 is less than that of AS-FT-2 when \(200d<N\), otherwise that of AS-FT-2 is less. On the other hand, for bandwidth consumption, from Table 2, the column Sig is almost proportional to \(d^2\) for AS-SW-1 when \(p<N\) and otherwise it is the same as individual signature transmission, while AS-FT-2 is almost proportional to \(d\). Specifically, AS-SW-1 requires \(144.9\) times more signatures to trace rogue signers than AS-FT-2 when \((N,d)=(3000,40)\). Observe that this result indicates that AS-SW-1 requires more bandwidth consumption than AS-FT-2.

Table 3  Simulation results for AS-FT-2 and AS-SW-1. non-FB stands for no feedback (“\(\checkmark\)” means it does not require a feedback, and “-” means it does), Round is the total number of rounds to trace all attackers, Time is the total time from the start of the first round to the completion of tracing, and Sig is the average size of transmitted signatures per round.

• \((\alpha, P)\leftarrow\mathop{\mathrm{\mathsf{Initialize}}}(1^\lambda,1^n)\): Algorithm Initialize takes \(1^\lambda\), \(1^n\) as input and outputs a pair \((\alpha, P)\) of an internal state and a partition of the user set.
• \((\alpha', P', V)\leftarrow\mathop{\mathrm{\mathsf{Trace}}}(\alpha,i)\): Algorithm Trace takes as input an internal state \(\alpha\) and an index \(i\), and outputs the tuple of an internal state of the next round, a partition of the user set, and a traced user set, where the input index is the index of the watermark assigned to the redistributed content from the traitor.

A.1 Security Requirements

Here, we recall the security requirements of DTT. In the security model, an adversary declares a set \(C\) (where \(|C| \le d\)) of pirates at first. Furthermore, we assume that a pirate rebroadcasts the content that it receives. In other words, we do not consider the case where a pirate eavesdrops other user's content and rebroadcasts it. These are the restrictions implicitly put in [14].

As mentioned earlier, two security notions are considered for DTT: \(R\)-identifiability, which ensures that a distributor can identify all the pirates within \(R\) (or less) rounds, and completeness, which ensures that a distributor does not trace legitimate users as pirates. These are defined using the following experiment \(\mathop{\mathrm{\mathsf{ExpDTT}}}_{\Sigma_{\mathrm{DTT}}, \mathop{\mathrm{\mathcal{A}}}}(\lambda,n)\) in which a stateful adversary \(\mathop{\mathrm{\mathcal{A}}}\) is executed.

where \(\mathop{\mathrm{\mathcal{A}}}\) may adaptively make multiple queries \(i_t\) to the tracing oracle \(O_T\). However, \(\mathop{\mathrm{\mathcal{A}}}\)'s \(t\)-th \(O_T\) query \(i_t\) must satisfy \(i _t \in [|P_t|]\) and \(S_{i_t,t} \cap C \neq \emptyset\), where \(\alpha_t\) is the internal state and \(P_t=(S_{1,t}, \ldots, S_{p_t, t})\) (for some natural number \(p_t\)) denotes the partition after \(\mathop{\mathrm{\mathcal{A}}}\)'s \((t-1)\)-th \(O_T\) query is answered. Given the \(t\)-th \(O_T\) query \(i_t\) from \(\mathop{\mathrm{\mathcal{A}}}\), \(O_T\) runs \((\alpha_{t+1},P_{t+1},V_t) \leftarrow\Sigma_{\mathrm{DTT}}.\mathop{\mathrm{\mathsf{Trace}}}(\alpha_t, i_t)\), and returns \((\alpha_{t+1}, P_{t+1}, V_t)\) to \(\mathop{\mathrm{\mathcal{A}}}\). Then, \(O_T\) updates \(W \leftarrow W \cup V_t\) and \(t \leftarrow t+1\). We remark that \(W\) in the output of the experiment is that at the point \(\mathop{\mathrm{\mathcal{A}}}\) halts.

Definition Appendix A.2 (\(R\)-Identifiability): A DTT \(\Sigma_{\mathrm{DTT}}\) satisfies \(R\)-identifiability if for any \(\lambda \in \mathbb{N}\), any \(n=\mathsf{poly}(\lambda)\), and any PPT adversary \(\mathop{\mathrm{\mathcal{A}}}\), it holds that

where \(t\) is the value of the counter when \(\mathop{\mathrm{\mathcal{A}}}\) stops.

Definition Appendix A.3 (Completeness): A DTT \(\Sigma_{\mathrm{DTT}}\) satisfies completeness if for any \(\lambda \in \mathbb{N}\), any \(n=\mathsf{poly}(\lambda)\), and any PPT adversary \(\mathop{\mathrm{\mathcal{A}}}\), it holds that