
A Public-Key Traitor Tracing Scheme with Revocation Using Dynamic Shares

WEN-GUEY TZENG tzeng@cis.nctu.edu.tw

Department of Computer and Information Science, National Chiao Tung University, Hsinchu, Taiwan 30050

ZHI-JIA TZENG zjtzeng@cis.nctu.edu.tw

Department of Computer and Information Science, National Chiao Tung University, Hsinchu, Taiwan 30050

Communicated by: P. Wild

Received December 14, 2001; Revised April 23, 2003; Accepted May 19, 2003

Abstract. We propose a new public-key traitor tracing scheme with revocation capability using dynamic shares and entity revocation techniques. Our scheme's traitor tracing and revocation programs cohere tightly. The size of the enabling block of our scheme is independent of the number of receivers. Each receiver holds one decryption key only. The distinct feature of our scheme is that when traitors are found, we can revoke their private keys (up to some threshold $z$) without updating the private keys of other receivers. In particular, no revocation messages are broadcast and all receivers do nothing. Previously proposed revocation schemes need to update existing keys and entail a large amount of broadcast messages. Our traitor tracing algorithm works in a black-box way. It is conceptually simple and fully $k$-resilient, that is, it can find all traitors if the number of them is $k$ or less. The encryption algorithm of our scheme is semantically secure assuming that the decisional Diffie-Hellman problem is hard.

Keywords: broadcast encryption, traitor tracing, revocation

1. Introduction

A broadcast encryption scheme [9] involves a sender and multiple authorized receivers. The sender has an encryption key and each receiver has a decryption (private) key such that the sender can encrypt a message and broadcast the ciphertext so that only the authorized receivers can decrypt the ciphertext. Broadcast encryption schemes have wide applications in multicast services, such as web broadcast or pay-per-view systems, in which the system end broadcasts messages to a set of privileged receivers through a broadcast channel.

Consider a situation in which a content supplier distributes digital content to its subscribers over a broadcast channel. To protect the data from eavesdropping, the content supplier encrypts the data and broadcasts the ciphertext such that only its subscribers can decrypt the ciphertext. The content supplier gives each subscriber a decoder (decoding box) for decrypting the ciphertext. Each decoder consists of a tailored key and a decryption program. However, a traitor (malicious subscriber) may clone his decoder (and the private key in it) and sell the pirate decoders for profit. The traitor may modify the private key and the decryption program in the pirate decoder to avoid leaking his identity. Furthermore, some traitors may together create new private keys and decryption programs. To deter the attack, when a pirate decoder is confiscated, the content supplier wants to reveal the private key in it and trace back to its original owners. A traitor tracing scheme is a broadcast encryption scheme with the capability of dealing with the above scenario [6]. To enhance protection further, the content supplier wants to revoke the private keys of traitors without too much work, such as updating each subscriber's key. We focus on providing revocation capability to public-key traitor tracing schemes.

A basic technique of broadcast encryption is as follows. First, the sender selects a session key $s$ to encrypt the message $M$ as the cipher block $C$ and embeds $s$ in the enabling block $T$; then, the sender broadcasts $\langle T, C\rangle$. Any decoder with a legal private key can compute $s$ from $T$ and then uses $s$ to compute $M$ from $C$. A traitor tracing scheme tries to identify traitors by finding the private keys in the confiscated pirate decoder.

To revoke the keys of receivers, the sender broadcasts revocation messages such that only non-revoked receivers can compute their new private keys and the revoked receivers lose the decryption capability.

Efficiency considerations consist of the size of the private key that a receiver holds, the size of the enabling block, the size of revocation messages, and the computation time of encryption, decryption and traitor tracing.

1.1. The Results

We propose a new public-key traitor tracing scheme with revocation capability using the dynamic share and entity revocation techniques of [2]. Our scheme's traitor tracing and revocation programs cohere tightly (Note 1). The enabling block of our scheme is independent of the number of receivers, but dependent on the collusion and revocation thresholds, which are $k$ and $z$, respectively. Each decoder stores only one private key.

Our traitor tracing algorithm works in a black-box way. It is conceptually simple and fully $k$-resilient, that is, it can find all traitors if the number of them is $k$ or less. The encryption algorithm of our scheme is semantically secure against the passive adversary assuming hardness of the decisional Diffie-Hellman problem.

The distinct feature of our scheme is that when the traitors are found, we can revoke their private keys (up to $z$ keys in total) without updating the keys of other receivers. In particular, no revocation messages are broadcast and all receivers do nothing. Furthermore, we can restore a revoked private key later. We can actually increase the revocation capability beyond the threshold $z$ with dynamic assignment of shares into the enabling blocks. This property makes our scheme highly practical. The above method is suitable for fast revocation when the number of revoked receivers does not exceed the revocation capability of the system. If we need to revoke more keys permanently, we can post some revocation messages on a bulletin board. Each non-revoked receiver can update its private key at its convenient time. To revoke $mz$ receivers, the revocation messages are of size $O(mz)$, which is very efficient.

Our scheme is as efficient as Boneh and Franklin's public-key traitor tracing scheme in many aspects. For example, the encryption and decryption algorithms of our scheme take $O(z)$ modular exponentiations. Our black-box tracing algorithm takes $O(n^k)$ time when $k \ll n$. Note that the encryption key of our scheme dynamically depends on the revoked traitors, while that of Boneh and Franklin's scheme is fixed.

1.2. Related Work

The secret-key and coding approach has each decoder holding a set of keys (or codewords) such that the keys in the pirate decoder can be identified by combinatorial methods [1, 4, 6, 10, 15, 17–19]. There is a trade-off between the size of the enabling block and the number of keys held by each decoder [5, 14]. Generally speaking, if the number of receivers is large, say millions, the schemes become impractical as one of the measures grows proportionally with the number of receivers.

The public-key approach tries to have the size of the enabling block independent of the number of receivers and each decoder holding one key only [3, 12]. Kurosawa and Desmedt [12] proposed a public-key traitor tracing scheme, on which our scheme is based. But their scheme does not incorporate the revocation capability. Boneh and Franklin's traitor tracing scheme [3] is algebraic with deterministic tracing such that $k$ or fewer traitors who create a single-key pirate decoder can be traced efficiently. However, they have to embed a hidden trapdoor in the modulus so that the discrete logarithm problem over $\mathbb{Z}_{N^2}$ can be solved in polynomial time.

As to other directions, Naor and Pinkas [15] proposed a threshold traitor tracing scheme that can trace the private keys in a pirate decoder if the decoder's decrypting probability is over some threshold. Fiat and Tassa's dynamic traitor tracing scheme [8] uses the watermarking technique to trace traitors of a pirate decoder by observing the watermarks output by the pirate decoder on the fly.

For revocation capability, the revocation scheme of Kumar et al. [11] is based on cover-free sets. To revoke $t$ receivers among $n$ receivers, the scheme needs to broadcast $O(t \log n)$ revocation messages. The tree-based revocation scheme of Wong et al. [21] needs to broadcast $O(2 \log n)$ revocation messages. Naor and Pinkas [16] proposed a threshold secret sharing method to provide revocation capability to broadcast encryption schemes. Its efficiency depends on the underlying broadcast encryption scheme.

Our work is independent of that of Yoshida and Fujiwara [22], who proposed a similar traitor tracing scheme that uses dynamic shares as well. In comparison, our revocation methods are more flexible. We have a revocation method that can revoke a number of traitors beyond the threshold set by the system.

Recently, Kurosawa and Yoshida [13] proposed a linear code-based scheme that generalizes the work of ours and that of Yoshida and Fujiwara [22].


2. Preliminaries

In this section we review the idea of our scheme, the polynomial interpolation method, the decisional Diffie-Hellman (DDH) problem and semantic security of an encryption scheme.

Polynomial interpolation. Let $f(x)=\sum_{i=0}^{z} a_i x^i$ be a polynomial of degree $z \ge 1$. Assume that each user $i$ is given a share $(x_i, f(x_i))$. Then a group of $z+1$ users, say users $0, 1, \ldots, z$, can compute the polynomial $f(x)$ by Lagrange's interpolation method, or equivalently by solving the system of equations

$$\begin{pmatrix} 1 & x_0 & \cdots & x_0^z \\ 1 & x_1 & \cdots & x_1^z \\ \vdots & \vdots & \ddots & \vdots \\ 1 & x_z & \cdots & x_z^z \end{pmatrix} \begin{pmatrix} a_0 \\ a_1 \\ \vdots \\ a_z \end{pmatrix} = \begin{pmatrix} f(x_0) \\ f(x_1) \\ \vdots \\ f(x_z) \end{pmatrix}.$$

Let $XA = F$ denote the above system of equations. If $\det(X) \ne 0$, we can solve for all coefficients of $f(x)$ by $A = X^{-1}F$. The constant term $a_0$ is equal to the first row vector of $X^{-1}$ multiplied by $F$, which is

$$a_0 = \sum_{t=0}^{z} f(x_t) \cdot \prod_{0 \le j \ne t \le z} \frac{x_j}{x_j - x_t} = \sum_{t=0}^{z} \lambda_t f(x_t),$$

where $\lambda_t = \prod_{0 \le j \ne t \le z} \frac{x_j}{x_j - x_t}$, $0 \le t \le z$, are the Lagrange coefficients. Furthermore, for the exponent case, if we are given $(x_0, g^{rf(x_0)}), (x_1, g^{rf(x_1)}), \ldots, (x_z, g^{rf(x_z)})$, we can compute

$$g^{ra_0} = \prod_{t=0}^{z} \left(g^{rf(x_t)}\right)^{\lambda_t}$$

for arbitrary $r$. On the other hand, if $\det(X) = 0$, we cannot get any information about $a_0$ or $g^{ra_0}$.

In traitor tracing, a set of legal users may combine their shares linearly to form a new "share", which is the main threat that haunts some public-key based traitor tracing schemes [12]. For example, the legal users $z+i$ and $z+j$, $i \ne j \ge 1$, can combine their shares to form a new "share"

$$(a+b,\; a x_{z+i} + b x_{z+j},\; \ldots,\; a x_{z+i}^z + b x_{z+j}^z,\; a f(x_{z+i}) + b f(x_{z+j})). \tag{1}$$

By the new share and the shares $(x_0, f(x_0)), (x_1, f(x_1)), \ldots, (x_{z-1}, f(x_{z-1}))$, one can compute $a_0$ by solving the system of equations

$$\begin{pmatrix} 1 & x_0 & \cdots & x_0^z \\ 1 & x_1 & \cdots & x_1^z \\ \vdots & \vdots & \ddots & \vdots \\ 1 & x_{z-1} & \cdots & x_{z-1}^z \\ a+b & a x_{z+i} + b x_{z+j} & \cdots & a x_{z+i}^z + b x_{z+j}^z \end{pmatrix} \begin{pmatrix} a_0 \\ a_1 \\ \vdots \\ a_z \end{pmatrix} = \begin{pmatrix} f(x_0) \\ f(x_1) \\ \vdots \\ f(x_{z-1}) \\ a f(x_{z+i}) + b f(x_{z+j}) \end{pmatrix}.$$

We observe that if a pirate $P$ gets a share by linear combination of $m$ shares of traitors $j_1, j_2, \ldots, j_m$, $m \le z$, then $P$ and the traitors together cannot compute $a_0$ or $g^{ra_0}$ once those $m$ shares are themselves placed in the enabling block, since the combined share is then a linear combination of rows already present and adds no new point of $f$. We base our traitor tracing algorithm on this observation. In our system, we give each user $i$ a share $(x_i, f(x_i))$. If we suspect that users $j_1, j_2, \ldots, j_m$, $m \le z$, are traitors, we broadcast the cipher block $E(s, M)$ and the enabling block

$$\langle s g^{ra_0},\; g^r,\; (x_{j_1}, g^{rf(x_{j_1})}), \ldots, (x_{j_m}, g^{rf(x_{j_m})}),\; (l_1, g^{rf(l_1)}), \ldots, (l_{z-m}, g^{rf(l_{z-m})}) \rangle,$$

where $l_1, l_2, \ldots, l_{z-m}$ are arbitrarily chosen and different from $x_{j_1}, x_{j_2}, \ldots, x_{j_m}$. A user who is not a traitor can compute $g^{ra_0}$ and thus $s$. We confirm that $j_1, j_2, \ldots, j_m$ are traitors if they together cannot decrypt the cipher block properly.

Decisional Diffie-Hellman problem. Let $G_q$ be a group of a large prime order $q$.

Consider the following two distribution ensembles $R$ and $D$:

– $R = \langle g_1, g_2, u_1, u_2 \rangle \in G_q^4$, where $g_1$ and $g_2$ are generators of $G_q$;

– $D = \langle g_1, g_2, u_1, u_2 \rangle$, where $g_1$ and $g_2$ are generators of $G_q$ and $u_1 = g_1^r$ and $u_2 = g_2^r$ for $r \in Z_q$.

The DDH problem is to distinguish the distribution ensembles $R$ and $D$. That is, we would like to find a probabilistic polynomial-time algorithm $A$ such that, for some positive constant $c$ and all sufficiently large complexity parameters $n$,

$$\left| \Pr[A(R_n) = 1] - \Pr[A(D_n) = 1] \right| \ge 1/n^c,$$

where $R_n$ and $D_n$ are the size-$n$ distributions of $R$ and $D$, respectively.

Semantic security against a passive adversary. Let $PK$ be the public key of the encryption scheme and $m_0$ and $m_1$ be any two messages. The encryption scheme is semantically secure against a passive adversary if there is no probabilistic polynomial-time algorithm $A$ that takes as input $PK$, $m_0$, $m_1$ and a ciphertext $c$, and determines $c$'s source with a success probability significantly better than 0.5, where $c$ is the encryption of $m_0$ or $m_1$ with equal probability. That is, for any probabilistic polynomial-time algorithm $A$, any $k > 0$, and large enough security parameter $n$, we have

$$\Pr_{b \in \{0,1\},\, c = E(PK, m_b)} \left[ A(PK, m_0, m_1, c) = b \right] \le 0.5 + 1/n^k.$$

3. Definitions

A traitor tracing scheme consists of the following functions.

– System setup. The sender sets up system algorithms and parameters.

– Registration. After system setup, a receiver can register to the system and gets a decoder that contains a private key specific to the decoder. A decoder with a legal private key can decode the ciphertext broadcast by the sender.


– Encryption. When the sender wants to send $M$, it uses the secret-key cipher $E$ and a session key $s$ to encrypt $M$ as a cipher block $C = E(s, M)$ and embeds $s$ into the enabling block $T$.

– Decryption. A decoder consists of a decryption program and a private key such that it can decrypt $\langle T, C \rangle$ to get the message $M$.

– Traitor tracing. The sender wants to determine the original owner of the private key in a pirate decoder. It may be that some legal receivers conspire to compute some key that is not legal but is able to decrypt the ciphertext, maybe with a different decryption program. The traitor tracing algorithm needs to reveal at least one conspirator's identity. If traitor tracing is done by observing the input-output relation of the decoder, it is called black-box tracing.

A traitor tracing scheme is k-resilient if it can find at least one traitor among the k or less traitors who create the pirate decoder. It is fully k-resilient if it can find all of them.

Note. In order to simplify the presentation, we omit the security parameter (or complexity measure) $n$ from the related parameters. For example, when we say a probability $\varepsilon$ is negligible, we mean that for any positive constant $c$, $\varepsilon = \varepsilon(n) < 1/n^c$ for large enough $n$. A probability $\delta$ is overwhelming if $\delta = 1 - \varepsilon$ for some negligible probability $\varepsilon$.

4. The Public-Key Traitor Tracing Scheme

In this section we present our traitor tracing scheme. Let $k$ be the maximum number of colluding receivers (traitors) and $z$ be the revocation threshold, i.e., at most $z$ private keys of traitors can be revoked. We set $z \ge 2k$.

System setup. Let $G_q$ be a group of a large prime order $q$. The sender selects a degree-$z$ polynomial $f(x) = \sum_{t=0}^{z} a_t x^t \pmod q$ with coefficients over $Z_q$. The sender's secret key is $f(x)$ and his public key is $\langle g, g^{a_0}, g^{f(1)}, \ldots, g^{f(z)} \rangle$, by which a receiver can verify his private key.

Registration. When a receiver $i$, $i > z$, registers, the sender gives receiver $i$ a decoder with the share (private key) $(i, f(i))$. Receiver $i$ verifies his key by checking

$$g^{a_0} = \prod_{t=0}^{z} g^{f(x_t) \lambda_t},$$

where $x_0 = 1, x_1 = 2, \ldots, x_{z-1} = z, x_z = i$. If so, receiver $i$ gets a decoder with the private key $(i, f(i))$.

Hereafter, we call $(j, f(j))$ an unused share if it has not been assigned to any receiver. Sometimes we refer to "$j$" as a share.


Encryption. The sender randomly selects $z$ unused shares $(j_1, f(j_1)), (j_2, f(j_2)), \ldots, (j_z, f(j_z))$, a random number $r \in Z_q$, and a session key $s$. The sender computes the enabling block

$$T = \langle s g^{ra_0},\; g^r,\; (j_1, g^{rf(j_1)}), (j_2, g^{rf(j_2)}), \ldots, (j_z, g^{rf(j_z)}) \rangle,$$

and broadcasts $\langle T, E(s, M) \rangle$, where $E$ is a secret-key cipher, such as DES.

Decryption. When receiving $\langle T, E(s, M) \rangle$, receiver $i$ computes $s$ by

$$\frac{s g^{ra_0}}{(g^r)^{f(i) \lambda_z} \cdot \prod_{t=0}^{z-1} \left(g^{rf(x_t)}\right)^{\lambda_t}} = \frac{s g^{ra_0}}{g^{r \left( \sum_{t=0}^{z-1} f(x_t) \lambda_t + f(i) \lambda_z \right)}} = \frac{s g^{ra_0}}{g^{ra_0}} = s,$$

where $x_0 = j_1, x_1 = j_2, \ldots, x_{z-1} = j_z$ and $x_z = i$. He then uses $s$ to decrypt $E(s, M)$ to obtain $M$.

Traitor tracing. We present two black-box traitor tracing algorithms. Assume that $n$ receivers $\{t_1, t_2, \ldots, t_n\}$, $n \le k$, use their shares to create the confiscated pirate decoder.

Our first black-box traitor tracing algorithm $T_1$ is shown in Figure 1. For each receiver set $\{c_1, c_2, \ldots, c_m\}$, $m \le k$, we use their shares to create an enabling block

$$\langle s g^{ra_0},\; g^r,\; (c_1, g^{rf(c_1)}), \ldots, (c_m, g^{rf(c_m)}),\; (j_1, g^{rf(j_1)}), \ldots, (j_{z-m}, g^{rf(j_{z-m})}) \rangle,$$

where $j_1, j_2, \ldots, j_{z-m}$ are unused shares. As long as $\{t_1, t_2, \ldots, t_n\} \subseteq \{c_1, c_2, \ldots, c_m\}$, the pirate decoder is not able to decode the enabling block to get $s$, assuming that computing the discrete logarithm over $G_q$ is hard. In this case, $\{c_1, c_2, \ldots, c_m\}$ is a possible traitor set. Then the smallest possible traitor set is $\{t_1, t_2, \ldots, t_n\}$.

Our second traitor tracing algorithm $T_2$ works for the case that the pirate decoder's key is a linear combination of the shares of $t_1, t_2, \ldots, t_n$. Let $v$ be such a linear combination, as in equation (1). $T_2$ uses the opposite direction, that is, the pirate decoder can compute $s$ from the enabling block. For each receiver set $\{c_1, c_2, \ldots, c_m\}$, $m \le k$, we find a degree-$z$ polynomial $h(x) = \sum_{t=0}^{z} b_t x^t$ that passes through the points $(c_1, f(c_1)), (c_2, f(c_2)), \ldots, (c_m, f(c_m))$. Polynomials $h(x)$ and $f(x)$ have $m$ common points, at $c_1, c_2, \ldots, c_m$ only. We use $h(x)$ to create a test enabling block

$$T = \langle s g^{rb_0},\; g^r,\; (j_1, g^{rh(j_1)}), (j_2, g^{rh(j_2)}), \ldots, (j_z, g^{rh(j_z)}) \rangle$$

and feed it to the pirate decoder, where $j_i \notin \{c_1, c_2, \ldots, c_m\}$, $1 \le i \le z$. If some $t_i$ is not in $\{c_1, c_2, \ldots, c_m\}$, the pirate decoder cannot compute the correct $s$ from $T$, since $v$ contains information from a share that is not a point of $h(x)$. If $\{t_1, t_2, \ldots, t_n\} \subseteq \{c_1, c_2, \ldots, c_m\}$, the pirate decoder can compute $s$ from $T$, since $v$ is made of information from shares of $h(x)$. In this case, $\{c_1, c_2, \ldots, c_m\}$ is a possible traitor set. Then the smallest possible traitor set is $\{t_1, t_2, \ldots, t_n\}$. The traitor tracing algorithm $T_2$ is shown in Figure 2.

It may be that the pirate decoder can tell the difference between the test enabling block and the real one and refuses to respond, in which case we cannot identify the traitors. We show that the test enabling block and the real one are computationally indistinguishable. Therefore, this traitor tracing strategy works.

Lemma 4.1. For degree-z polynomials f (x) and h(x), the distributions of the enabling blocks constructed by f (x) and h(x) are computationally indistinguishable assuming that the DDH problem is hard.


Proof. Note that the distinguisher does not know $f(x)$ and $h(x)$. Let $g$ be a fixed generator of $G_q$ and $a \in_R S$ denote that $a$ is chosen from the set $S$ uniformly and independently. Consider the following three distributions:

1. $D_1 = \langle S, g^r, (c_1, g_1^r), (c_2, g_2^r), \ldots, (c_z, g_z^r) \rangle$, where $r \in_R Z_q$, $S \in_R G_q$, $c_i \in_R G_q$, $g_i = g^{f(c_i)}$. This is the enabling block constructed by $f(x)$.

2. $R = \langle S, g^r, (c_1, u_1), (c_2, u_2), \ldots, (c_z, u_z) \rangle$, where $r \in_R Z_q$, $S \in_R G_q$, $c_i \in_R G_q$, $u_i \in_R G_q$, $1 \le i \le z$.

3. $D_2 = \langle S, g^r, (c_1, h_1^r), (c_2, h_2^r), \ldots, (c_z, h_z^r) \rangle$, where $r \in_R Z_q$, $S \in_R G_q$, $c_i \in_R G_q$, $h_i = g^{h(c_i)}$. This is the enabling block constructed by $h(x)$.

By the DDH assumption, there are no polynomial-time algorithms to distinguish between $D_1$ and $R$ (and between $R$ and $D_2$). Therefore, $D_1$ and $D_2$ are computationally indistinguishable.

Complexity. It takes $O(z)$ modular exponentiations to create an enabling block. This can be pre-computed by the sender. It also takes $O(z)$ modular exponentiations for each receiver to decrypt an enabling block. The traitor tracing algorithm runs in $O(C^n_k)$ modular exponentiations, where $n$ is the number of receivers. When $n \gg k$, the runtime is about $O(n^k)$.

Each receiver holds only one private key. The size of an enabling block is O(z), which is independent of the number of receivers.

4.1. Revocation of Traitors

After a pirate decoder is confiscated and the traitors are revealed, we would like to revoke the private keys of the traitors since thousands of copies of the pirate decoder may be sold.

Assume that $C = \{c_1, c_2, \ldots, c_m\}$, $m \le z$, is the set of found traitors. We can revoke their shares without updating the private keys of receivers. To send out $M$ to receivers, instead of randomly choosing $m$ unused shares for the enabling block, the sender fixes the first $m$ shares as

$$(c_1, g^{rf(c_1)}), (c_2, g^{rf(c_2)}), \ldots, (c_m, g^{rf(c_m)})$$

and randomly chooses $z - m$ unused shares

$$(j_1, g^{rf(j_1)}), (j_2, g^{rf(j_2)}), \ldots, (j_{z-m}, g^{rf(j_{z-m})})$$

to form the enabling block. The revoked traitors cannot decrypt the enabling block since their shares are in the enabling block. We can revoke at most $z$ traitors in total before updating the shares of receivers.

We can see that to revoke receivers, the sender need not broadcast any revocation message and the receivers do nothing.
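The following Python program is an added example, not code from the paper or its authors. It implements a toy version of the Section 4 scheme over a small constructed group (p = 2039, q = 1019, g = 4, k = 2, z = 4, all demo values far too small for real use): registration with the public-key check, the enabling block and its decryption by Lagrange interpolation in the exponent (the method of the Preliminaries), the black-box tracing algorithm T1 run against a pirate decoder built from two receivers' shares, and revocation by fixing the found traitors' shares in the enabling block as in Section 4.1. The class and function names are the example's own, and the secret-key cipher E is omitted because only recovery of the session key s matters here.

```python
import random
from itertools import combinations

P, Q, G = 2039, 1019, 4   # p = 2q+1 and a generator g of the order-q subgroup G_q (constructed)
K, Z = 2, 4               # collusion bound k and revocation threshold z >= 2k (constructed)

def poly_eval(coeffs, x):
    """f(x) = sum_t a_t x^t (mod q), coeffs = [a0, ..., az]."""
    return sum(a * pow(x, t, Q) for t, a in enumerate(coeffs)) % Q

def lagrange(xs):
    """Lagrange coefficients lambda_t for recovering f(0) from the distinct points xs."""
    lams = []
    for t, xt in enumerate(xs):
        num = den = 1
        for j, xj in enumerate(xs):
            if j != t:
                num, den = num * xj % Q, den * (xj - xt) % Q
        lams.append(num * pow(den, -1, Q) % Q)
    return lams

class Sender:
    """Holds the secret polynomial f(x); issues shares and builds enabling blocks."""
    def __init__(self, rng):
        self.rng = rng
        self.f = [rng.randrange(1, Q) for _ in range(Z + 1)]   # secret key f(x)
        self.issued = set()
        # public key <g^a0, g^f(1), ..., g^f(z)> (g itself is the global constant G)
        self.pk = [pow(G, poly_eval(self.f, i), P) for i in range(Z +  1)]

    def register(self, i):
        """Receiver i (i > z) gets the private key (i, f(i))."""
        assert i > Z and i not in self.issued
        self.issued.add(i)
        return (i, poly_eval(self.f, i))

    def encrypt(self, s, fixed=()):
        """Enabling block T = <s g^{r a0}, g^r, (j_1, g^{r f(j_1)}), ..., (j_z, g^{r f(j_z)})>.
        Shares listed in `fixed` (suspected or revoked receivers) go into T first;
        the remaining slots are filled with unused shares."""
        r = self.rng.randrange(1, Q)
        pool = [j for j in range(Z + 1, Z + 200) if j not in self.issued]
        js = list(fixed) + self.rng.sample(pool, Z - len(fixed))
        return (s * pow(G, r * self.f[0], P) % P, pow(G, r, P),
                [(j, pow(G, r * poly_eval(self.f, j), P)) for j in js])

def verify_key(pk, key):
    """Registration check g^a0 == prod_t g^{f(x_t) lambda_t} with x = 1, ..., z, i."""
    i, fi = key
    lams = lagrange(list(range(1, Z + 1)) + [i])
    acc = pow(G, fi * lams[Z], P)                    # the receiver's own point
    for t in range(Z):
        acc = acc * pow(pk[t + 1], lams[t], P) % P   # g^{f(t+1)} from the public key
    return acc == pk[0]

def decrypt(key, block):
    """s = s g^{r a0} / [(g^r)^{f(i) lambda_z} prod_t (g^{r f(j_t)})^{lambda_t}].
    Returns None when the receiver's own share is inside the block: only z distinct
    points of f are then available and a0 cannot be interpolated (Section 4.1)."""
    i, fi = key
    head, gr, pairs = block
    xs = [j for j, _ in pairs] + [i]
    if len(set(xs)) != len(xs):
        return None
    lams = lagrange(xs)
    denom = pow(gr, fi * lams[-1], P)
    for (_, y), lam in zip(pairs, lams):
        denom = denom * pow(y, lam, P) % P
    return head * pow(denom, -1, P) % P

def trace_T1(sender, pirate, receivers):
    """Black-box tracing T1: put each candidate set's shares into a test block; the
    smallest set whose block the pirate decoder cannot decrypt is the traitor set."""
    s = 99
    for m in range(1, K + 1):
        for cset in combinations(receivers, m):
            if pirate(sender.encrypt(s, fixed=cset)) != s:
                return set(cset)
    return None

def tampered_key_rejected(seed=1):
    """A modified f(i) fails the registration check."""
    snd = Sender(random.Random(seed))
    i, fi = snd.register(10)
    return verify_key(snd.pk, (i, fi)) and not verify_key(snd.pk, (i, (fi + 1) % Q))

def demo(seed=7):
    rng = random.Random(seed)
    sender = Sender(rng)
    keys = {i: sender.register(i) for i in (10, 11, 12, 13, 14)}
    assert all(verify_key(sender.pk, key) for key in keys.values())
    s = 321                                          # session key (constructed)
    everyone_ok = all(decrypt(key, sender.encrypt(s)) == s for key in keys.values())
    # a pirate decoder built from the shares of receivers 11 and 13 (k = 2 traitors)
    pirate_keys = [keys[11], keys[13]]
    def pirate(block):
        outs = [decrypt(key, block) for key in pirate_keys]
        return next((o for o in outs if o is not None), None)
    traitors = trace_T1(sender, pirate, sorted(keys))
    # Section 4.1: revoke by fixing the traitors' shares in every later block
    revoked = sender.encrypt(s, fixed=tuple(sorted(traitors)))
    after = {i: decrypt(key, revoked) for i, key in keys.items()}
    return everyone_ok, traitors, after
```

The pirate decoder is modelled as a box that tries each share it holds. Tracing returns the smallest candidate set whose test block the box cannot open, and after revocation the same two receivers get None while every other receiver still recovers s, without any key update.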


4.2. Restoration of a Revoked Key

If for some reason we would like to restore the decryption privilege of a revoked receiver, we simply do not use his share in the enabling block. The restored key can decrypt the broadcast ciphertext again.

4.3. Revocation Beyond the Threshold

It is possible to revoke more than $z$ traitors. Assume that each pirate decoder contains only one pirate share. The idea is that if a pirate decoder can get at most $c\%$ of $M$, the partial part of $M$ is useless [1]. For example, if a pirate decoder can only decrypt 95% of a movie, the traitor is revoked de facto.

Assume that $C = \{c_1, c_2, \ldots, c_m\}$, $m > z$, is the set of found traitors. To broadcast $M$ to non-revoked receivers, we partition $M$ as $M_1 \| M_2 \| \cdots \| M_l$. For each $M_i$, $1 \le i \le l$, we construct an enabling block $T_i$ with shares

$$(c_{i_1}, g^{rf(c_{i_1})}), (c_{i_2}, g^{rf(c_{i_2})}), \ldots, (c_{i_z}, g^{rf(c_{i_z})}),$$

where $c_{i_1}, c_{i_2}, \ldots, c_{i_z}$ are chosen from $C$.

With appropriately chosen $l$ and $c$, each traitor in $C$ can decrypt at most $c\%$ of $M$. If $c_i$ appears in $(1 - c\%) l$ enabling blocks, the traitor $c_i$ can decrypt $c\%$ of $M$. Therefore, we need $lz/m \ge (1 - c\%) l$, where $lz$ is the total number of share slots that may appear in the enabling blocks. We have $m \le z/(1 - c\%)$. In particular, when $c\% = 95\%$, we can increase the revocation capability 20-fold by partitioning $M$ into 20 blocks. That is, each revoked share appears in one enabling block. If we partition $M$ into $20t$ blocks and put each revoked share into $t$ enabling blocks, one in every 20 blocks, a revoked traitor cannot decrypt one block in every 20 blocks.

4.4. Further Revocation

If we want to permanently revoke more keys beyond the revocation capability of the system, we can update the private keys of non-revoked receivers, though this work may be costly. The idea is to update the system's polynomial $f(x)$ as $f'(x) = f(x) + h(x)$, where $h(x)$ is also a degree-$z$ polynomial. Then each non-revoked receiver gets its new private key $(i, f'(i))$ as follows. Assume that there is a public bulletin board and $c_1, c_2, \ldots, c_{mz}$ are the receivers to be revoked.

1. The sender selects degree-$z$ polynomials $h_j(x)$, $0 \le j \le m-1$, and sets the system's polynomial as $f'(x) = f(x) + \sum_{j=0}^{m-1} h_j(x)$.

2. The sender publishes the enabling blocks $T_j$, $0 \le j \le m-1$,

$$T_j = \langle s_j g^{r_j a_0},\; g^{r_j},\; (c_{jz+1}, g^{r_j f(c_{jz+1})}), (c_{jz+2}, g^{r_j f(c_{jz+2})}), \ldots, (c_{jz+z}, g^{r_j f(c_{jz+z})}) \rangle.$$

3. Each non-revoked receiver $i$ computes $h_j(x)$, $0 \le j \le m-1$, from the enabling blocks on the bulletin board and computes its new private key $f'(i) = f(i) + \sum_{j=0}^{m-1} h_j(i)$.

We can see that the revoked receiver $c_i$ cannot compute $h_{\lceil i/z \rceil - 1}(x)$, $1 \le i \le mz$, because its own share sits in that enabling block. Therefore, it cannot update its private key from $(c_i, f(c_i))$ to $(c_i, f'(c_i))$. Thus, it is revoked permanently.

The total length of the messages on the bulletin board is $O(mz)$.

4.5. Speedup of Tracing

Since the runtime of the traitor tracing algorithm is $O(C^n_k)$, the algorithm is not efficient when $n$ or $k$ is large. In practice, we would like to have a more efficient traitor tracing algorithm.

A practical solution to this problem is to group receivers into classes $C_1, C_2, \ldots, C_r$. Each class $C_i$ consists of a reasonable number of receivers. For each class $C_i$, the sender uses a different polynomial $f_i(x)$ as the secret key. A receiver $j$ in class $C_i$ is given the share $(j, f_i(j))$. The sender encrypts message $M$ using the secret key $f_i(x)$. The decryption and tracing algorithms are the same as the original ones except that the keys are different for different classes.

Grouping receivers can make our revocation mechanism more practical. It will be less frequent to revoke the receivers in a class since a class consists of fewer receivers. Even if the sender wants to revoke more than $z$ receivers in a class, only the private keys of the non-revoked receivers in that class have to be updated.

5. Security Analysis

We consider both semantic security and security against the z-coalition attack, in which any coalition of z or less legal receivers cannot compute a legal private key for decryption.

Before we proceed, we first address the framing problem [3]. We show that it is not possible for two disjoint sets of k receivers to construct the same “new” share by linear combination. Therefore, framing is not possible by linear combination of shares in our scheme.

Lemma 5.1. Let $C = \{c_1, c_2, \ldots, c_k\}$ and $D = \{d_1, d_2, \ldots, d_k\}$ be two disjoint receiver sets. All linear combinations of the shares of $C$ and those of $D$ are different, except for the zero vector.

Proof. We can represent a share $i$ as a $(z+2)$-dimensional vector

$$v_i = (1, i, i^2, \ldots, i^z, f(i)).$$

Since it is a point of a degree-$z$ polynomial, any $z+1$ different shares are linearly independent. If one could use the shares of $C$ and the shares of $D$ to construct the same non-zero share by linear combination, we would have

$$\sum_{i=1}^{k} a_i v_{c_i} = \sum_{i=1}^{k} b_i v_{d_i} \ne 0.$$

Therefore, we have

$$\sum_{i=1}^{k} a_i v_{c_i} - \sum_{i=1}^{k} b_i v_{d_i} = 0.$$

This is a contradiction since not all $a_i$'s and $b_i$'s are zero and $C \cup D$ is linearly independent.
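An added example (not from the paper) that checks the linear-algebra facts behind equation (1), the tracing observation of Section 2 and Lemma 5.1 by Gauss-Jordan elimination over $Z_q$. The modulus q, the degree z, the collusion bound k, the polynomial and the share indices are constructed demo values, and the function names are the example's own. It solves the augmented system with a pirate's combined share beside $z-1$ ordinary shares (so $a_0$ is recovered, the threat the text describes), shows that the same combined share adds nothing once the two traitors' own shares are inside the block, and verifies that the share vectors of two disjoint $k$-sets are linearly independent, which is the step Lemma 5.1's proof relies on.

```python
Q = 1019   # prime modulus q of the share arithmetic (constructed demo value)

def poly_eval(coeffs, x):
    """f(x) = sum_t a_t x^t (mod q), coeffs = [a0, ..., az]."""
    return sum(a * pow(x, t, Q) for t, a in enumerate(coeffs)) % Q

def share_vector(x, fx, z):
    """Row (1, x, x^2, ..., x^z | f(x)) of the augmented system [X | F]: the first
    z+1 entries are the Vandermonde row, the last entry is the right-hand side."""
    return [pow(x, t, Q) for t in range(z + 1)] + [fx % Q]

def combine(a, b, row_i, row_j):
    """The pirate's combined "share" a*v_i + b*v_j of equation (1)."""
    return [(a * u + b * v) % Q for u, v in zip(row_i, row_j)]

def row_reduce(rows, ncols):
    """Gauss-Jordan elimination over Z_q, pivoting only on the first `ncols`
    columns; returns (reduced rows, rank of those columns)."""
    m = [r[:] for r in rows]
    rank = 0
    for col in range(ncols):
        piv = next((r for r in range(rank, len(m)) if m[r][col]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][col], -1, Q)
        m[rank] = [v * inv % Q for v in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][col]:
                factor = m[r][col]
                m[r] = [(u - factor * v) % Q for u, v in zip(m[r], m[rank])]
        rank += 1
    return m, rank

def solve_a0(rows, z):
    """Solve X A = F for the constant term a0; None if X has rank < z+1
    (the system is singular) or the rows are inconsistent."""
    reduced, rank = row_reduce(rows, z + 1)
    if rank < z + 1:
        return None
    if any(all(v == 0 for v in r[:-1]) and r[-1] for r in reduced):
        return None
    return reduced[0][-1]      # row 0 is now (1, 0, ..., 0 | a0)

def demo(z=4, k=2):
    f = [123, 45, 678, 9, 250]                       # a0..a4, degree z = 4 (constructed)
    V = lambda x: share_vector(x, poly_eval(f, x), z)
    # Equation (1): legal users z+1 and z+2 combine their shares; together with
    # z-1 ordinary shares (users 0..z-1) the pirate recovers a0
    pirate = combine(3, 5, V(z + 1), V(z + 2))
    from_combination = solve_a0([V(x) for x in range(z)] + [pirate], z)
    # Section 2 observation: when the traitors' own shares are inside the enabling
    # block, the combined share depends on rows already present, so z+1 independent
    # points are never reached and a0 stays out of reach
    block = [V(x) for x in (z + 1, z + 2, 20, 21)]   # the z shares in the block
    with_traitors_in_block = solve_a0(block + [pirate], z)
    # Lemma 5.1: the vectors (1, c, ..., c^z, f(c)) of two disjoint k-sets are
    # linearly independent, so no non-zero share is reachable from both sets
    C, D = [30, 31], [40, 41]
    _, rank = row_reduce([V(c) for c in C] + [V(d) for d in D], z + 2)
    return from_combination, with_traitors_in_block, rank == 2 * k
```

The first call returns $a_0 = 123$, the second returns None because the coefficient columns only reach rank $z$, and the rank check for $C \cup D$ equals $2k$, which is exactly the independence the proof of Lemma 5.1 uses (and holds because $2k \le z + 1$).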

The encryption algorithm of our scheme is semantically secure against a passive adversary if the DDH problem in $G_q$ is hard (or computationally infeasible). Recall that $D = \langle g_1, g_2, g_1^r, g_2^r \rangle$ and $R = \langle g_1, g_2, g_1^a, g_2^b \rangle$, where $g_1, g_2$ are generators and $a$, $b$ and $r$ are randomly chosen over $Z_q$.

Theorem 5.2. (Semantic security) Assume that the DDH problem is hard. The encryption algorithm of our traitor tracing scheme is semantically secure against the passive adversary.

Proof. Suppose that our encryption algorithm is not semantically secure against the passive adversary. We show that there is a probabilistic polynomial-time algorithm $B$ that distinguishes between $D$ and $R$ with a non-negligible advantage $\varepsilon$.

Assume that adversary $A$ attacks our encryption algorithm successfully in terms of semantic security. $A$ has two procedures $A_1$ and $A_2$. Given the public key $\langle g, g^{a_0}, g^{f(1)}, \ldots, g^{f(z)} \rangle$ of the sender, $A_1$ finds two session keys $s_0$ and $s_1$ in $G_q$ such that $A_2$ can distinguish them by observing the enabling block.

Let $\langle g_1, g_2, u_1, u_2 \rangle$ be an input of the DDH problem. The following algorithm $B$ decides whether $\langle g_1, g_2, u_1, u_2 \rangle$ is from $D$ or $R$.

1. Randomly choose $a_i \in Z_q$, $1 \le i \le z$, and let $f'(x) = \sum_{t=1}^{z} a_t x^t$. Let $g = g_1$, $g^{a_0} = g_2$, $g^{f(1)} = g_2 g_1^{f'(1)}, \ldots, g^{f(z)} = g_2 g_1^{f'(z)}$, where $f(x) = f'(x) + a_0$. Note that we do not know $a_0$.

2. Feed the public key $\langle g, g^{a_0}, g^{f(1)}, \ldots, g^{f(z)} \rangle$ to $A_1$. $A_1$ returns $s_0$ and $s_1$ in $G_q$.

3. Randomly select $d \in \{0, 1\}$ and encrypt $s_d$ as

$$C = \langle s_d u_2,\; u_1,\; (j_1, u_2 u_1^{f'(j_1)}), \ldots, (j_z, u_2 u_1^{f'(j_z)}) \rangle,$$

where $j_1, j_2, \ldots, j_z$ are randomly chosen.

4. Feed $C$ to $A_2$ and get a return $d'$. Then the algorithm outputs 1 if and only if $d' = d$.

If $\langle g_1, g_2, u_1, u_2 \rangle$ is from $D$, then $g = g_1$, $g_2 = g^{a_0}$, $u_1 = g^r$, $u_2 = g_2^r = g^{ra_0}$ and $u_2 u_1^{f'(j_i)} = g^{rf(j_i)}$ for $1 \le i \le z$. Thus, $C$ is the encryption of $s_d$ and $\Pr[A_2(C) = d] = 1/2 + \varepsilon$. Otherwise, since $u_1 = g_1^a$ and $u_2 = g_2^b$, the distribution of $C$ is the same for $d = 0$ and $d = 1$. Thus, $\Pr[B(g_1, g_2, u_1, u_2) = 1] = \Pr[A_2(C) = d] = 1/2$. Therefore, $B$ distinguishes $D$ from $R$ with a non-negligible advantage $\varepsilon$.
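The simulator B from the proof above, as an added example (not the paper's code), over a small constructed group (p = 2039, q = 1019, g = 4, z = 3; names such as simulator_B and tuple_from_D are the example's own). It checks two things the reduction relies on. With a tuple from D, B's public key and ciphertext are exactly a real key and enabling block under f(x) = f'(x) + a0 with randomness r, although B knows neither a0 nor r. With a tuple from R, the ciphertext is still a well-formed enabling block, but under a polynomial whose constant term a0·b/a is unrelated to the published g^{a0}; this is an added observation consistent with the proof's statement that the distribution of C does not depend on d in that case, not a line of the proof itself.

```python
import random

P, Q, G = 2039, 1019, 4   # p = 2q+1 and a generator g of G_q (constructed demo values)
Z = 3                      # revocation threshold z (constructed)

def poly_eval(coeffs, x):
    """f(x) = sum_t a_t x^t (mod q), coeffs = [a0, ..., az]."""
    return sum(a * pow(x, t, Q) for t, a in enumerate(coeffs)) % Q

def simulator_B(ddh_input, s_d, rng):
    """Steps 1 and 3 of B: from <g1, g2, u1, u2> set g = g1 and g^{a0} = g2, publish
    g^{f(i)} = g2 * g1^{f'(i)} (so f(x) = f'(x) + a0 with a0 unknown to B), and encrypt
    s_d as C = <s_d u2, u1, (j_1, u2 u1^{f'(j_1)}), ..., (j_z, u2 u1^{f'(j_z)})>."""
    g1, g2, u1, u2 = ddh_input
    f_prime = [0] + [rng.randrange(1, Q) for _ in range(Z)]   # f'(x) has no constant term
    pk = [g1, g2] + [g2 * pow(g1, poly_eval(f_prime, i), P) % P for i in range(1, Z + 1)]
    js = rng.sample(range(Z + 1, Z + 50), Z)                    # randomly chosen share indices
    C = (s_d * u2 % P, u1, [(j, u2 * pow(u1, poly_eval(f_prime, j), P) % P) for j in js])
    return f_prime, pk, C

def real_block(f, s, r, js):
    """A genuine Section 4 enabling block <s g^{r a0}, g^r, (j, g^{r f(j)}), ...>."""
    return (s * pow(G, r * f[0], P) % P, pow(G, r, P),
            [(j, pow(G, r * poly_eval(f, j), P)) for j in js])

def real_pk(f):
    """The sender's public key <g, g^{a0}, g^{f(1)}, ..., g^{f(z)}>."""
    return [G] + [pow(G, poly_eval(f, i), P) for i in range(Z + 1)]

def tuple_from_D(a0, r):
    """<g1, g2, g1^r, g2^r> with g1 = g and g2 = g^{a0}: a DDH tuple."""
    g2 = pow(G, a0, P)
    return (G, g2, pow(G, r, P), pow(g2, r, P))

def tuple_from_R(a0, a, b):
    """<g1, g2, g1^a, g2^b> with independent exponents a and b: a random tuple."""
    g2 = pow(G, a0, P)
    return (G, g2, pow(G, a, P), pow(g2, b, P))

def check_D_case(a0=555, r=777, s_d=321, seed=3):
    """With a D-tuple, B's outputs equal the real public key and the real
    encryption of s_d under f(x) = f'(x) + a0 with randomness r."""
    f_prime, pk, C = simulator_B(tuple_from_D(a0, r), s_d, random.Random(seed))
    f = [a0] + f_prime[1:]
    js = [j for j, _ in C[2]]
    return pk == real_pk(f), C == real_block(f, s_d, r, js)

def check_R_case(a0=555, a=111, b=222, s_d=321, seed=3):
    """With an R-tuple, C is still a well-formed block, but under the polynomial
    f'(x) + a0*b/a, whose constant term is unrelated to the published g^{a0}."""
    f_prime, pk, C = simulator_B(tuple_from_R(a0, a, b), s_d, random.Random(seed))
    shifted = [a0 * b * pow(a, -1, Q) % Q] + f_prime[1:]
    js = [j for j, _ in C[2]]
    return pk[1] == pow(G, a0, P) and C == real_block(shifted, s_d, a, js)
```

Because the simulator never touches a0 or r, the D-case equality shows that A sees exactly the view it would see in a real attack, which is what lets B inherit A's advantage.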

The encryption algorithm of our scheme is secure against z-coalition assuming that computing the discrete logarithm is hard.

Theorem 5.3. Assume that computing the discrete logarithm over Gq is hard. No coalition of z or less legal receivers can compute the private key of another legal receiver with a non-negligible probability.

Proof. Assume that a probabilistic polynomial-time algorithm $A$ can compute a new share (private key) $(x_u, f(x_u))$ from the given public key $\langle g, g^{a_0}, g^{f(1)}, g^{f(2)}, \ldots, g^{f(z)} \rangle$ and $z$ shares $(x_1, f(x_1)), \ldots, (x_z, f(x_z))$ with a non-negligible probability $\varepsilon$. We construct another probabilistic polynomial-time algorithm $B'$ that computes the discrete logarithm over $G_q$ with an overwhelming probability.

Let $(p, g, y)$ be the input of the discrete logarithm problem. The following algorithm $B$ computes $\log_g y \pmod p$ with a non-negligible probability. Let $y = g^{a_0}$ and $f(x)$ be the degree-$z$ polynomial passing through $(0, a_0)$ and $(x_i, f(x_i))$, $1 \le i \le z$. Note that we do not know $a_0$ yet. By Lagrange's interpolation method, we can compute $g^{f(i)}$, $1 \le i \le z$, from $g^{a_0}$ and $g^{f(x_i)}$, $1 \le i \le z$. We feed the public key $\langle g, g^{a_0}, g^{f(1)}, g^{f(2)}, \ldots, g^{f(z)} \rangle$ and the $z$ shares $(x_1, f(x_1)), \ldots, (x_z, f(x_z))$ to $A$ and get a new share $(x_u, f(x_u))$ with a non-negligible probability. With the given $z$ shares and $(x_u, f(x_u))$, we can compute $f(0) = a_0$.

By applying the randomization technique to $B$ a polynomial number of times, we get $B'$.

6. Discussion

We can drop the sender's public key from our traitor tracing schemes if verification of private keys by receivers is not necessary. This is indeed the case in practice. Thus, only the sender can send messages to the receivers. Since the enabling blocks are computationally indistinguishable from each other due to the DDH assumption, our scheme should be more secure.

For practicality, we can set $z = k$. In this case, there may be a framing problem. The probability that a set of $k$ receivers can frame a specific set of $k$ receivers is $1/q$. Assume that there are $m = 10{,}000{,}000$ receivers and $k$ is set as 20. Then the probability that a set of $k$ receivers can frame some set of $k$ receivers is $\le C^m_k / q \le m^k / q \approx 1/10^{168}$, for $q$ being 1024 bits long.

7. Conclusion

In this work we have proposed a new public-key traitor tracing scheme with revocation capability using dynamic shares. Its distinct feature of revoking private keys makes the protocol highly practical. The scheme's traitor tracing algorithm is fully $k$-resilient and conceptually simple. The size of the enabling block is independent of the number of receivers.

Our scheme is semantically secure against the passive adversary assuming that the DDH problem is hard. We also present a variant scheme that is semantically secure against the adaptive chosen ciphertext attack assuming that the DDH problem is hard.

Acknowledgement

Research supported in part by the National Science Council grant NSC-89-2213-E-009-180 and by the Ministry of Education grant 89-E-FA04-1-4, Taiwan, ROC.

Notes

1. A preliminary version appeared in PKC 2001 [20].

References

1. M. Abdalla, Y. Shavitt and A. Wool, Key management for restricted multicast using broadcast encryption, In Proc. of Financial Cryptology 99, Lecture Notes in Computer Science 1648, Springer-Verlag (1999).

2. J. Anzai, N. Matsuzaki and T. Matsumoto, A quick group key distribution scheme with “entity revocation”, In Proc. of Advances in Cryptology - Asiacrypt 99, Lecture Notes in Computer Science 1716, Springer-Verlag (1999) pp. 333–347.

3. D. Boneh and M. Franklin, An efficient public key traitor tracing scheme, Proceedings of Advances in Cryptology - Crypto 99, Lecture Notes in Computer Science 1666, Springer-Verlag (1999) pp. 338–353.

4. D. Boneh and J. Shaw, Collusion-secure fingerprinting for digital data, IEEE Transactions on Information Theory 44(5) (1998) pp. 1897–1905. A preliminary version appeared in Proc. of Advances in Cryptology - Crypto 95, Lecture Notes in Computer Science 963, Springer-Verlag (1995) pp. 452–465.

5. R. Canetti, T. Malkin and K. Nissim, Efficient communication-storage tradeoffs for multicast encryption, In Proc. of Advances in Cryptology - Eurocrypt 99, Lecture Notes in Computer Science 1592 (1999) pp. 459–474.

6. B. Chor, A. Fiat and M. Naor, Tracing traitors, In Proc. of Advances in Cryptology - Crypto 94, Lecture Notes in Computer Science 839, Springer-Verlag (1994) pp. 257–270.

7. T. ElGamal, A public-key cryptosystem and a signature scheme based on discrete logarithms, IEEE Transactions on Information Theory 31(4) (1985) pp. 469–472.

8. A. Fiat and T. Tassa, Dynamic traitor tracing, In Proc. of Advances in Cryptology - Crypto 99, Lecture Notes in Computer Science 1666, Springer-Verlag (1999) pp. 354–371.

9. A. Fiat and M. Naor, Broadcast encryption, In Proc. of Advances in Cryptology - Crypto 93, Lecture Notes in Computer Science 773, Springer-Verlag (1993) pp. 480–491.

10. E. Gafni, J. Staddon and Y. L. Yin, Efficient methods for integrating traceability and broadcast encryption, In Proc. of Advances in Cryptology - Crypto 99, Lecture Notes in Computer Science 1666, Springer-Verlag (1999) pp. 372–387.

11. R. Kumar, S. Rajagopalan and A. Sahai, Coding constructions for blacklisting problems without computational assumptions, In Proc. of Advances in Cryptology - Crypto 99, Lecture Notes in Computer Science 1666, Springer-Verlag (1999) pp. 609–623.


12. K. Kurosawa and Y. Desmedt, Optimum traitor tracing and asymmetric schemes, In Proc. of Advances in Cryptology - Eurocrypt 98, Lecture Notes in Computer Science 1403, Springer-Verlag (1998) pp. 145–157.

13. K. Kurosawa and Y. Yoshida, Linear code implies public-key traitor tracing, In Proc. of the 5th International Workshop on Practice and Theory in Public Key Cryptosystems (PKC 02), Lecture Notes in Computer Science 2274, Springer-Verlag (2002) pp. 172–187.

14. M. Luby and J. Staddon, Combinatorial bounds for broadcast encryption, In Proc. of Advances in Cryptology - Eurocrypt 98, Lecture Notes in Computer Science 1403, Springer-Verlag (1998) pp. 512–526.

15. M. Naor and B. Pinkas, Threshold traitor tracing, In Proc. of Advances in Cryptology - Crypto 98, Lecture Notes in Computer Science 1462, Springer-Verlag (1998) pp. 502–517.

16. M. Naor and B. Pinkas, Efficient trace and revoke schemes, In Proc. of Financial Cryptography 00 (2000).

17. B. Pfitzmann, Trials of traced traitors, In Proc. of Workshop on Information Hiding, Lecture Notes in Computer Science 1174, Springer-Verlag (1996) pp. 49–64.

18. B. Pfitzmann and M. Waidner, Asymmetric fingerprinting for large collusions, In Proc. of ACM Conference on Computer and Communication Security, (1997) pp. 151–160.

19. D. R. Stinson and R. Wei, Combinatorial properties and constructions of traceability schemes and frameproof codes, SIAM J. on Discrete Math 11(1) (1998) pp. 41–53.

20. W.-G. Tzeng and Z.-J. Tzeng, A public-key traitor tracing scheme with revocation using dynamic shares, In Proc. of the 4th International Workshop on Practice and Theory in Public Key Cryptosystems (PKC 01), Lecture Notes in Computer Science 1992, Springer-Verlag (2001) pp. 207–224.

21. C. K. Wong, M. Gouda and S. Lam, Secure group communications using key graphs, In Proc. of ACM SIGCOMM '98 (1998) pp. 68–79.

22. M. Yoshida and T. Fujiwara, An efficient traitor tracing scheme for broadcast encryption, In Proc. of 2000 IEEE International Symposium on Information Theory (2000) p. 463.
