Public key trace and revoke scheme secure against adaptive chosen ciphertext attack

Yevgeniy Dodis, Nelly Fazio

Research output: Contribution to journalArticle

Abstract

A (public key) Trace and Revoke Scheme combines the functionality of broadcast encryption with the capability of traitor tracing. Specifically, (1) a trusted center publishes a single public key and distributes individual secret keys to the users of the system; (2) anybody can encrypt a message so that all but a specified subset of "revoked" users can decrypt the resulting cipher text; and (3) if a (small) group of users combine their secret keys to produce a "pirate decoder", the center can trace at least one of the "traitors" given access to this decoder. We construct the first chosen ciphertext (CCA2) secure Trace and Revoke Scheme based on the DDH assumption. Our scheme is also the first adoptively secure scheme, allowing the adversary to corrupt players at any point during execution, while prior works (e.g., [14, 16]) only achieves a very weak form of non-adaptive security even against chosen plaintext attacks. Of independent interest, we present a slightly simpler construction that shows a "natural separation" between the classical notion of CCA2-security and the recently proposed [15, 1] relaxed notion of gCCA2-security.

Original languageEnglish (US)
Pages (from-to)100-115
Number of pages16
JournalLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume2567
StatePublished - 2003

Fingerprint

Public key
Trace
Attack
Cryptography
Traitor Tracing
Broadcast Encryption
Subset

ASJC Scopus subject areas

  • Computer Science(all)
  • Biochemistry, Genetics and Molecular Biology(all)
  • Theoretical Computer Science

Cite this

@article{fba3ed34c7934d1a99a48677f9118282,
title = "Public key trace and revoke scheme secure against adaptive chosen ciphertext attack",
abstract = "A (public key) Trace and Revoke Scheme combines the functionality of broadcast encryption with the capability of traitor tracing. Specifically, (1) a trusted center publishes a single public key and distributes individual secret keys to the users of the system; (2) anybody can encrypt a message so that all but a specified subset of {"}revoked{"} users can decrypt the resulting cipher text; and (3) if a (small) group of users combine their secret keys to produce a {"}pirate decoder{"}, the center can trace at least one of the {"}traitors{"} given access to this decoder. We construct the first chosen ciphertext (CCA2) secure Trace and Revoke Scheme based on the DDH assumption. Our scheme is also the first adoptively secure scheme, allowing the adversary to corrupt players at any point during execution, while prior works (e.g., [14, 16]) only achieves a very weak form of non-adaptive security even against chosen plaintext attacks. Of independent interest, we present a slightly simpler construction that shows a {"}natural separation{"} between the classical notion of CCA2-security and the recently proposed [15, 1] relaxed notion of gCCA2-security.",
author = "Yevgeniy Dodis and Nelly Fazio",
year = "2003",
language = "English (US)",
volume = "2567",
pages = "100--115",
journal = "Lecture Notes in Computer Science",
issn = "0302-9743",
publisher = "Springer Verlag",

}

TY - JOUR

T1 - Public key trace and revoke scheme secure against adaptive chosen ciphertext attack

AU - Dodis, Yevgeniy

AU - Fazio, Nelly

PY - 2003

Y1 - 2003

N2 - A (public key) Trace and Revoke Scheme combines the functionality of broadcast encryption with the capability of traitor tracing. Specifically, (1) a trusted center publishes a single public key and distributes individual secret keys to the users of the system; (2) anybody can encrypt a message so that all but a specified subset of "revoked" users can decrypt the resulting cipher text; and (3) if a (small) group of users combine their secret keys to produce a "pirate decoder", the center can trace at least one of the "traitors" given access to this decoder. We construct the first chosen ciphertext (CCA2) secure Trace and Revoke Scheme based on the DDH assumption. Our scheme is also the first adoptively secure scheme, allowing the adversary to corrupt players at any point during execution, while prior works (e.g., [14, 16]) only achieves a very weak form of non-adaptive security even against chosen plaintext attacks. Of independent interest, we present a slightly simpler construction that shows a "natural separation" between the classical notion of CCA2-security and the recently proposed [15, 1] relaxed notion of gCCA2-security.

AB - A (public key) Trace and Revoke Scheme combines the functionality of broadcast encryption with the capability of traitor tracing. Specifically, (1) a trusted center publishes a single public key and distributes individual secret keys to the users of the system; (2) anybody can encrypt a message so that all but a specified subset of "revoked" users can decrypt the resulting cipher text; and (3) if a (small) group of users combine their secret keys to produce a "pirate decoder", the center can trace at least one of the "traitors" given access to this decoder. We construct the first chosen ciphertext (CCA2) secure Trace and Revoke Scheme based on the DDH assumption. Our scheme is also the first adoptively secure scheme, allowing the adversary to corrupt players at any point during execution, while prior works (e.g., [14, 16]) only achieves a very weak form of non-adaptive security even against chosen plaintext attacks. Of independent interest, we present a slightly simpler construction that shows a "natural separation" between the classical notion of CCA2-security and the recently proposed [15, 1] relaxed notion of gCCA2-security.

UR - http://www.scopus.com/inward/record.url?scp=35248899841&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=35248899841&partnerID=8YFLogxK

M3 - Article

AN - SCOPUS:35248899841

VL - 2567

SP - 100

EP - 115

JO - Lecture Notes in Computer Science

JF - Lecture Notes in Computer Science

SN - 0302-9743

ER -