Abstract:
A (public key) Trace and Revoke Scheme combines the functionality of broadcast
encryption with the capability of traitor tracing. Specifically, (1) a
trusted center publishes a single public key and distributes
individual secret keys to the users of the system; (2) anybody can
encrypt a message so that all but a specified subset of “revoked”
users can decrypt the resulting ciphertext; and (3) if a (small) group
of users combine their secret keys to produce a “pirate decoder”,
the center can trace at least one of the “traitors” given access to
this decoder.
We construct the first chosen ciphertext (CCA2) secure
Trace and Revoke Scheme based on the DDH assumption. Our scheme is
also the first adaptively secure scheme, allowing the adversary
to corrupt players at any point during execution, while prior works
(e.g., [NP00, TT01]) only achieve a very weak form of non-adaptive
security even against chosen plaintext attacks. In fact, no CCA2
scheme was known even in the symmetric setting.
Of independent interest, we present a slightly simpler construction
that shows a “natural separation” between the classical
notion of CCA2 security and the recently proposed [Sho01,ADR01]
relaxed notion of gCCA2 security.
Publication Info:
In the 6th IACR Practice and Theory of Public Key Cryptography (PKC
'03). Miami, FL, USA, January 6-8, 2003. Springer LNCS 2567, pages 100-115.