A Public-Key Traitor Tracing Scheme with Revocation Using Dynamic Shares

Abstract: Abstract. We proposed a new public-key traitor tracing scheme with revocation capability using dynamic shares and entity revocation techniques. Our scheme's traitor tracing and revocation programs cohere tightly. The size of the enabling block of our scheme is independent of the number of receivers. Each receiver holds one decryption key only. The distinct feature of our scheme is that when traitors are found, we can revoke their private keys (up to some threshold z) without updating the private keys of other … Show more

“…Since it is often distributing information of its own choice, it is assumed to have control over the group membership, i.e., the center is allowed to make decisions about who can join the group and whose membership should be revoked. This is in line with almost all multicast schemes such as [25,4,26,27,22,23,24].…”

“…The price for this flexibility is the loss of the public key feature, which should not be a problem for many applications. However we observe that in many instantiations of our constructions, it is easy to "publicize" the encryption key, without affecting the security of the scheme, as demonstrated by works such as [22,23,24]. This effectively turns the scheme into a public key system and all the openness features are reinstalled.…”

“…This is different from the public key systems such as [17,22,23,24] where the information to encrypt a message is public. The openness is unnecessary for some applications and unacceptable for some others (e.g.…”

“…The Revocation method 1 in [17] and the group key distribution scheme in [14] are just Construction 1 instantiated with a special use of threshold ElGamal 3 . The basic scheme in [22], the "public key (multicast) encryption" from [17] and the CPA secure scheme from [23] can all be shown to be Construction 1 with a standard threshold ElGamal cryptosystem. These schemes are shown to be secure against chosen plaintext attacks in their individual papers.…”

“…[35,32,33,34] and the IND-CCA2 threshold ElGamal in [36]) and a multicast encryption constructed via Construction 1 using one of these schemes is therefore guaranteed to be CCA2 secure too. In addition, all existing ATD-based multicast encryption schemes [17,14,22,23,24] are based on discrete logarithm. Theorem 1 provides security guarantee for constructing multicast encryption using any other assumptions.…”

How to Construct Multicast Cryptosystems Provably Secure Against Adaptive Chosen Ciphertext Attack

“…Since it is often distributing information of its own choice, it is assumed to have control over the group membership, i.e., the center is allowed to make decisions about who can join the group and whose membership should be revoked. This is in line with almost all multicast schemes such as [25,4,26,27,22,23,24].…”

“…The price for this flexibility is the loss of the public key feature, which should not be a problem for many applications. However we observe that in many instantiations of our constructions, it is easy to "publicize" the encryption key, without affecting the security of the scheme, as demonstrated by works such as [22,23,24]. This effectively turns the scheme into a public key system and all the openness features are reinstalled.…”

“…This is different from the public key systems such as [17,22,23,24] where the information to encrypt a message is public. The openness is unnecessary for some applications and unacceptable for some others (e.g.…”

“…The Revocation method 1 in [17] and the group key distribution scheme in [14] are just Construction 1 instantiated with a special use of threshold ElGamal 3 . The basic scheme in [22], the "public key (multicast) encryption" from [17] and the CPA secure scheme from [23] can all be shown to be Construction 1 with a standard threshold ElGamal cryptosystem. These schemes are shown to be secure against chosen plaintext attacks in their individual papers.…”

“…[35,32,33,34] and the IND-CCA2 threshold ElGamal in [36]) and a multicast encryption constructed via Construction 1 using one of these schemes is therefore guaranteed to be CCA2 secure too. In addition, all existing ATD-based multicast encryption schemes [17,14,22,23,24] are based on discrete logarithm. Theorem 1 provides security guarantee for constructing multicast encryption using any other assumptions.…”

How to Construct Multicast Cryptosystems Provably Secure Against Adaptive Chosen Ciphertext Attack

Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys

An Efficient Single-Key Pirates Tracing Scheme Using Cover-Free Families