
A Public-Key Traitor Tracing Scheme with Optimal Transmission Rate (最佳密文傳輸率的公開金鑰背叛者追蹤系統)


Academic year: 2021


A Public-Key Traitor Tracing Scheme with Optimal Transmission Rate
最佳密文傳輸率的公開金鑰背叛者追蹤系統

Student: Yi-Ruei Chen (陳毅睿)
Advisor: Wen-Guey Tzeng (曾文貴)

Institute of Computer Science and Engineering
National Chiao Tung University
Master's Thesis

A Thesis Submitted to the Institute of Computer Science and Engineering, College of Computer Science, National Chiao Tung University, in partial Fulfillment of the Requirements for the Degree of Master in Computer Science, June 2009, Hsinchu, Taiwan, Republic of China


A Public-Key Traitor Tracing Scheme with Optimal Transmission Rate

Student: Yi-Ruei Chen    Advisor: Wen-Guey Tzeng

Institute of Computer Science and Engineering, National Chiao Tung University

Abstract in Chinese

How to deliver encrypted digital content to legitimate subscribers in a broadcast environment is a widespread problem in many business models (such as pay-TV and DVD). In such an environment, traitor tracing schemes were introduced to effectively deter legitimate subscribers from leaking their decryption keys. In this thesis we propose a traitor tracing scheme whose broadcast key can be public. Moreover, the ciphertext transmission rate of our scheme is optimal (that is, constant): almost no extra bandwidth is needed to transmit the encrypted digital content. As for tracing ability, our scheme supports black-box tracing: without inspecting the inside of a pirate decoder, we can still determine which traitors' keys it uses. Compared with previously proposed related schemes, our scheme requires less storage for both the broadcast key and the users' decryption keys.


A Public-Key Traitor Tracing Scheme with Optimal Transmission Rate

Student: Yi-Ruei Chen    Advisor: Dr. Wen-Guey Tzeng

Institute of Network Engineering, College of Computer Science, National Chiao Tung University

Abstract

The way of transmitting encrypted digital contents to legitimate subscribers in a broadcast environment is a wide application for many commercial transactions (e.g. pay-TV, DVD, etc.). In order to discourage the legitimate subscribers from giving away their decryption keys, the traitor tracing system is very useful. In this paper, we propose a traitor tracing scheme in which the encryption key for broadcasting can be published, and our scheme has optimal transmission rate. In other words, while transmitting the digital contents, our scheme can encrypt nearly without any redundancy. As for tracing, our scheme supports black-box tracing, i.e., identifying the legitimate subscribers who leak their decryption keys out


Compared to the previous schemes, the storage requirements for legitimate subscribers and digital content broadcasters can be smaller.


Acknowledgement

First, I thank my advisor, Professor Wen-Guey Tzeng, who led me deep into the field of cryptography during my two years of master's study; his earnest and dedicated teaching benefited me greatly. I also thank the committee members, Professor Chi-Jen Lu (呂及人) of Academia Sinica, Professor Shiuhpyng Shieh (謝續平) of NCTU and Professor Shi-Chun Tsai (蔡錫鈞) of NCTU, for their many suggestions and guidance on the thesis, which made it more complete. In addition, I thank the doctoral students Cheng-Kang Chu (朱成康) and Hsiao-Ying Lin (林孝盈) for their substantial help with my research, and my fellow master's students and juniors for making my master's years full of joy. Finally, I thank my family and the friends around me for their great spiritual and material support, which let me complete my studies free of worry. I dedicate this thesis to everyone I wish to thank.


Contents

Abstract in Chinese
Abstract
Acknowledgement
Contents
List of Figures
List of Tables
1 Introduction
2 Preliminaries
3 Our Construction
  3.1 The Framework of Our Scheme
  3.2 Basic Traitor Tracing Scheme for Two Users
  3.3 Our Traitor Tracing Scheme for N Users
  3.4 Security Analysis of Our TTS-AONT
4 Conclusion
Bibliography
A All-Or-Nothing Transform
B The Public-Key Cryptosystem with AONT

List of Figures

3.1 Tracing Part

List of Tables

1.1 Scheme Comparison
2.1 Length of the Fingerprinting Codes


Chapter 1

Introduction

Consider the scenario in which a data supplier distributes digital contents over a broadcast channel. The data supplier gives a secret key to each legitimate subscriber, then broadcasts the encrypted digital contents, and the legitimate subscribers decrypt them with their secret keys. For example, pay-TV, CD-ROM, DVD, and online databases are based on this scenario. However, some malicious legitimate subscribers (called traitors) might give copies of their secret keys to illegitimate subscribers (called pirates), who can then decrypt the digital contents for free. Traitor tracing schemes were introduced to solve this problem [10, 11]. Their goal is to discourage legitimate subscribers from giving away their secret keys. The approach gives each subscriber a unique set of secret keys that can both decrypt the encrypted digital contents and identify ("trace") the subscriber. The traitors may collude to obfuscate their secret keys and try to generate a new secret key set (called a pirate key) that can still decrypt the encrypted digital contents but cannot be traced. We call a traitor tracing scheme t-collusion resistant if at least one of the traitors can always be identified when t traitors collude to generate a pirate key in this way. If t can reach the total number of legitimate users, the traitor tracing scheme is called fully-collusion resistant. Note that the traitors may embed the pirate keys in "tamper-resistant" hardware (called a pirate decoder) to prevent the data supplier from reading any data inside. So, during tracing, the data supplier has to treat the pirate decoder as a black box: it suffices to capture one pirate decoder, and we assume that only the outcome of the pirate decoder can be examined.

In many approaches, the overhead of broadcasting the encrypted digital contents is proportional to the number of legitimate subscribers. But in some applications the number of subscribers can be up to millions. This is a great burden for the data suppliers broadcasting the encrypted digital contents. The approach of public-key traitor tracing schemes, proposed by Kurosawa and Desmedt [15] and by Boneh and Franklin [3], eliminates this problem: it enables anyone (e.g. pay-TV stations) to broadcast the encrypted digital contents. Considering that there might be a large number of pirate decoders, a bottleneck may appear if only the data supplier is able to run the tracing procedure. Thus, in [9], Chabanne, Phan, and Pointcheval first considered the concept of public traceability as an important criterion for traitor tracing schemes. In order to measure the efficiency of traitor tracing schemes, we consider the "transmission rate" of the encrypted digital contents ("ciphertexts"), that is, the ratio of the size of the ciphertext to the size of the digital contents. We also care about the storage requirements of the subscribers' secret keys and of the broadcast keys.

Related work. The traitor tracing scheme was first introduced by Chor, Fiat and Naor in [10, 11], and was later refined in [16]. The concept of public-key traitor tracing schemes was proposed by Kurosawa and Desmedt [15], and by Boneh and Franklin [3]. The traitor tracing schemes in [3, 4, 9, 13, 12, 15, 14, 17, 19, 22, 23] belong to this class. In this paper, we focus on public-key traitor tracing schemes, and our scheme also belongs to this class. In [9], Chabanne, Phan, and Pointcheval first proposed the concept of public traceability. A class of traitor tracing schemes relying on fingerprinting codes [6, 21] was introduced by Kiayias and Yung in [14], combining the fingerprinting codes defined by Boneh and Shaw [6] with public-key traitor tracing schemes. Kiayias and Yung [14] showed that if the plaintexts to be distributed are large (e.g. multimedia contents), then it is possible to obtain a constant transmission rate. For example, [9, 19, 18, 12] (including ours) belong to this class. When considering the transmission rate, we have two main categories of traitor tracing schemes:

• Schemes with non-constant transmission rate [3, 5]: These schemes are well suited to encrypting small digital contents (usually used for the session-key exchange in "hybrid encryption"). The user-key size and the public-key size are often relatively small in these schemes, but the transmission rate is often linear or sublinear in the maximal number of colluders.

• Schemes with constant transmission rate [14, 9, 12] (including ours): These schemes are well suited to encrypting large digital contents (e.g. multimedia contents). They are all constructed using fingerprinting codes. Their advantage is that they often have efficient black-box tracing algorithms, but the user-key size and the public-key size have so far been relatively large (proportional to the codeword length of the fingerprinting codes).

We give a comparison of these traitor tracing schemes in Table 1.1.

Scheme       transmission rate   user-key size   public-key size   black-box tracing   traceability
BF99 [3]     2t + 1              2t              2t + 1            X                   private
BSW06 [5]    6√N                 1               4√N + 2           O                   public
KY02 [14]    ∼ 3                 2ℓ              4ℓ                O                   private
CPP05 [9]    ∼ 1                 2ℓ              ℓ + 1             X                   private
FNP07 [12]   ∼ 1                 2ℓ              10ℓ               O                   private
Ours         ∼ 1                 ℓ + 1           ℓ + 2             O                   private

ℓ: the codeword length in the fingerprinting code; N: the total number of legitimate subscribers.

Table 1.1: Scheme Comparison

Our Contributions. We propose a framework for public-key traitor tracing schemes with efficient black-box tracing which has optimal transmission rate. Our framework is based on fingerprinting codes and the all-or-nothing transform defined by Rivest in [20] (and refined by [7, 8]). In order to achieve the optimal transmission rate, we mainly use the cryptosystem (PKE-AONT) proposed in [24], which is semantically secure in the random oracle model.

Using this framework, we construct a traitor tracing scheme which has lower storage requirements than previous schemes (see Table 1.1). Then we show that our traitor tracing scheme is semantically secure based on the DDH assumption and the semantic security of PKE-AONT. Finally, we show that our traitor tracing scheme is t-collusion resistant under the DDH assumption.


Chapter 2

Preliminaries

Notations. A function $f : \mathbb{N} \to \mathbb{R}$ is called negligible, denoted $\mathrm{neg}(k)$, if for every constant $c \in \mathbb{N}$ there exists an integer $k_0 \in \mathbb{N}$ such that $f(k) \le k^{-c}$ for all $k \ge k_0$. We use $x \xleftarrow{\$} X$ to denote that $x$ is chosen uniformly from the set $X$, and $x \leftarrow X$ to denote that $x$ is set to the output of $X$. Let $\mathcal{M}$ be the plaintext set.

Traitor Tracing Scheme. A traitor tracing scheme consists of four algorithms: Setup, Encrypt, Decrypt, and Trace. The Setup algorithm generates the system parameters such as the broadcast-key $BK$, the trace-key $TK$, and the user-key $SK_i$ for user $i$. The Encrypt algorithm encrypts the plaintext to a ciphertext under $BK$, and user $i$ recovers the plaintext by taking $SK_i$ and the ciphertext as the inputs of the Decrypt algorithm. The most interesting one is the Trace algorithm: taking $TK$ as an input and given black-box access to a pirate decoder, it outputs at least one of the traitors whose keys are used in the pirate decoder. We follow the definition of the security games of a traitor tracing scheme by Boneh, Sahai, and Waters in [5]:

Semantic Security Game:

• Setup. The challenger runs Setup, then it gives $BK$ to the adversary.

• Challenge. The adversary sends two plaintexts $M_0, M_1 \in \mathcal{M}$ to the challenger. The challenger flips a coin $b \in \{0, 1\}$ and gives the ciphertext $C_b \xleftarrow{\$} \mathrm{Encrypt}(BK, M_b)$ to the adversary.

• Guess. The adversary returns a guess $b' \in \{0, 1\}$ of $b$ to the challenger.

The advantage of the adversary in this game is $\mathrm{Adv}^{SS}_{TTS} := \left|\Pr[b' = b] - \tfrac{1}{2}\right|$.


Traceability Game:

• Setup. The adversary sends a traitor set $T = \{u_1, \ldots, u_t\} \subseteq \{1, \ldots, N\}$ to the challenger. The challenger runs Setup and gives $BK$ and $SK_{u_1}, \ldots, SK_{u_t}$ to the adversary.

• Trace. The adversary produces a pirate decoder $\mathcal{D}$. The challenger runs $\mathrm{Trace}^{\mathcal{D}}(TK, \delta)$ to obtain a traitor set $S \subseteq \{1, \ldots, N\}$.

The adversary wins this game if (1) $\mathcal{D}$ is $\delta$-useful, i.e., it decrypts valid ciphertexts with probability at least $\delta$: $\Pr[\mathcal{D}(\mathrm{Encrypt}(BK, M)) = M] \ge \delta$, and (2) $S = \emptyset$ or $S \not\subseteq T$.

The probability that the adversary wins this game is $\mathrm{Adv}^{TR}_{TTS}$.

Definition 1. An $N$-user traitor tracing scheme is semantically secure if for all polynomial-time adversaries $\mathcal{A}$, $\mathrm{Adv}^{SS}_{TTS}$ is a negligible function of the security parameter.

Definition 2. An $N$-user traitor tracing scheme is traceable against $t$-collusion if for all polynomial-time adversaries $\mathcal{A}$ corrupting $t$ users and any constant $\delta > 0$, $\mathrm{Adv}^{TR}_{TTS}$ is a negligible function of the security parameter.


Fingerprinting Codes. Fingerprinting with fingerprinting codes allows identifying a digital document among several copies by embedding a fingerprint (a codeword) in each copy. A codeword is a string of symbols over some alphabet. The traitors may collude and try to modify their codewords to prevent identification. However, coalitions of traitors are restricted by the marking assumption: the traitors can only compare their codewords and modify the positions in which their respective codewords differ. Under the marking assumption, the set of codewords that can be produced from the codeword set $W$ of $t$ traitors is called the feasible set of $W$. Following the definitions and notations in [4], we illustrate the concept as follows:

• For a codeword $w \in \{0, 1\}^{\ell}$, we write $w = w_1 w_2 \ldots w_\ell$, where $w_i \in \{0, 1\}$.

• Let $W = \{w^{(1)}, \ldots, w^{(t)}\} \subseteq \{0, 1\}^{\ell}$. We say that a codeword $\bar{w}$ is feasible for $W$ if $\forall i \in \{1,2,\ldots,\ell\}\ \exists j \in \{1,2,\ldots,t\}$ such that $\bar{w}_i = w^{(j)}_i$. For example, if $W = \{01011, 11101\}$, then the codeword $01101$ is feasible for $W$.

• The feasible set of $W$, denoted $F(W)$, is the set of all codewords that are feasible for $W$.

A fingerprinting code scheme consists of two algorithms: a codeword generation algorithm $\mathcal{G}$ and a codeword tracing algorithm $\mathcal{T}$. The $\mathcal{G}$ algorithm generates a codeword set $\{w^{(1)}, \ldots, w^{(N)}\} \in (\{0,1\}^{\ell})^{N}$ (for some $\ell > 0$) and the trace-key $tk$. Taking a pirate codeword $\bar{w}$ and $tk$ as inputs, the $\mathcal{T}$ algorithm outputs at least one of the traitors that colluded to generate $\bar{w}$. We define the security game of a fingerprinting code scheme as follows:

$t$-collusion Security Game:

• Setup. The adversary sends a traitor set $T = \{u_1, \ldots, u_t\} \subseteq \{1, \ldots, N\}$ to the challenger. The challenger runs $\mathcal{G}$ and gives $w^{(u_1)}, \ldots, w^{(u_t)}$ to the adversary.

• Trace. The adversary produces a pirate codeword $\bar{w}$. The challenger runs $\mathcal{T}(\bar{w}, tk)$ to obtain a traitor set $S \subseteq \{1, \ldots, N\}$.

The adversary wins this game if $S = \emptyset$ or $S \not\subseteq T$. The probability that the adversary wins this game is $\mathrm{Adv}^{CS}_{FC}$.


Definition 3. A fingerprinting code scheme is $t$-collusion secure if for all polynomial-time adversaries $\mathcal{A}$ corrupting $t$ users, $\mathrm{Adv}^{CS}_{FC}$ is a negligible function of the security parameter.

Boneh and Shaw [6] constructed a fully-collusion resistant fingerprinting code as well as $t$-collusion resistant secure codes. Tardos [21] proposed shorter codes. We give a comparison of their codeword lengths in Table 2.1 ($n$ is the number of codewords, and $\epsilon$ is the security parameter).

Code        t-collusion resistant                                  fully-collusion resistant
BS98 [6]    $\ell = O(t^4 \log(n/\epsilon) \log(1/\epsilon))$       $\ell = O(n^3 \log(n/\epsilon))$
T03 [21]    $\ell = O(t^2 \log(n/\epsilon))$                        $\ell = O(n^2 \log(n/\epsilon))$

Table 2.1: Length of the Fingerprinting Codes

All-Or-Nothing Transform Function. The concept of all-or-nothing transform functions was proposed in [20]. An all-or-nothing transform function is an efficient, unkeyed, randomized function with the property that it is hard to invert unless the entire output is known. Boyko [7] defined the semantic security and indistinguishability of all-or-nothing transform functions against adaptive and non-adaptive attacks, proved that OAEP [1] is a secure implementation of an all-or-nothing transform function in the random oracle model, and showed upper bounds on semantic security and indistinguishability against passive and adaptive attacks.

An all-or-nothing transform function AONT maps an $\ell'$-block sequence $x$, together with a random string $\rho$, to an $\ell$-block sequence $y$ with the following properties:

• Given $x$ and $\rho$, $y \xleftarrow{\$} \mathrm{AONT}(x; \rho)$ can be computed efficiently.

• Given all blocks of $y$, $x \leftarrow \mathrm{AONT}^{-1}(y)$ can be computed efficiently.

• It is infeasible to get any information about any block of $x$ if any block of $y$ is missing.

Notice that the use of an all-or-nothing transform function expands the plaintext size by a factor of roughly $1 + 1/\ell$, which still results in an asymptotically unitary ciphertext-to-plaintext ratio.

Decisional Diffie-Hellman (DDH) Assumption. Let $\mathbb{G}$ be a cyclic group with a generator $g$. Let $\mathcal{V}$ be the distribution $\{(g, g^u, g^v, g^{uv})\}$ and $\mathcal{R}$ be the distribution $\{(g, g^u, g^v, g^w)\}$. Any polynomial-time adversary $\mathcal{A}$ distinguishes the two distributions $\mathcal{V}$ and $\mathcal{R}$ with at most negligible advantage in the security parameter $\lambda$, i.e., $\left|\Pr[\mathcal{A}(X) = 1 : X \in \mathcal{V}] - \Pr[\mathcal{A}(X) = 1 : X \in \mathcal{R}]\right| = \mathrm{neg}(|\mathbb{G}|)$.


Chapter 3

Our Construction

3.1 The Framework of Our Scheme

The Encryption Part. The most important system measure of traitor tracing schemes that we are concerned with is the transmission rate. In order to achieve the "optimal" transmission rate, we build on the cryptosystem proposed by Zhang, Hanaoka, and Imai [24]: it encrypts some bits of the output of an all-or-nothing transform function with a public-key encryption scheme. Given a public-key encryption scheme $\mathrm{PKE} = (\mathcal{G}, \mathcal{E}, \mathcal{D})$ and an all-or-nothing transform function AONT, the encryption scheme first runs the algorithm $\mathcal{G}$ to generate a public-key and secret-key pair $(pk, sk)$. Then it inputs the plaintext $M'$ and a random bit string $r$ to AONT to get $M = m_1 \| m_2 \| \cdots \| m_\ell$. Finally, the encryption scheme randomly chooses the $k$-th block of $M$ and encrypts it. When decrypting the ciphertext $C$, the decryption algorithm first decrypts the $k$-th block with $sk$ to recover $M$. Then it inputs $M$ to the inverse of the all-or-nothing transform function to get $M'$. Notice that the use of the all-or-nothing transform function expands the plaintext size by a factor of roughly $1 + 1/\ell$, which guarantees that $|M'|/|M| \sim 1$ when $\ell$ is large. And if the size of the redundancy of the encryption algorithm $\mathcal{E}$ is constant, the encryption scheme has "optimal" transmission rate.

The Tracing Part. The main idea of our scheme for tracing is the use of fingerprinting codes. We regard each codeword in a fingerprinting code as a legitimate subscriber. Then we assign a unique user-key set to each legitimate subscriber according to its codeword. The traitors may collude to create a new user-key set (which can still decrypt the broadcast digital contents) and embed it in a pirate decoder. Then we have to recover the corresponding codeword (called the pirate codeword) by identifying the user-key set used in the pirate decoder. We construct our traitor tracing scheme by the following steps:

• Construct a "basic" 1-collusion resistant public-key traitor tracing scheme for two users, called 2-PK-TTS.

• Construct a fingerprinting code (fully-collusion or $t$-collusion resistant) of size $N$ over $\{0, 1\}$: $\Gamma = \{w^{(1)}, w^{(2)}, \ldots, w^{(N)}\} \subseteq \{0, 1\}^{\ell}$, for some $\ell > 0$.

• Construct $\ell$ components of 2-PK-TTS. We demonstrate such a construction in Figure 3.1. For each codeword $w^{(i)} = w^{(i)}_1 w^{(i)}_2 \cdots w^{(i)}_\ell$, we assign $sk_{j,0}$ to legitimate subscriber $i$ if $w^{(i)}_j = 0$, and $sk_{j,1}$ otherwise, for all $j \in \{1, 2, \ldots, \ell\}$. For example, let $\ell = 3$; if the codeword corresponding to legitimate subscriber $u$ is $(0, 1, 1)$, then its user-key set is $(sk_{1,0}, sk_{2,1}, sk_{3,1})$.

• Replace the public-key encryption scheme PKE above by 2-PK-TTS.

• In the tracing procedure, use the $i$-th 2-PK-TTS to identify the $i$-th symbol of the pirate codeword, for all $i \in \{1, 2, \ldots, \ell\}$. Finally, the tracing algorithm of the fingerprinting code finds the set of codewords that colluded to construct the pirate codeword, i.e., the set of colluding traitors.


Figure 3.1: Tracing Part ($\ell$ components $bk_1, \ldots, bk_\ell$; the $j$-th component is a 2-PK-TTS whose user-keys $sk_{j,0}$ and $sk_{j,1}$ correspond to the codeword symbols 0 and 1)

In Section 3.2, we construct the "basic" scheme 2-PK-TTS. In Section 3.3, we use 2-PK-TTS and the fingerprinting codes to construct our traitor tracing scheme TTS-AONT for $N$ legitimate subscribers. Finally, in Section 3.4, we give the security proofs for TTS-AONT.

3.2 Basic Traitor Tracing Scheme for Two Users

We modify the traitor tracing scheme in [23] to obtain our basic scheme for two users: 2-PK-TTS = (2-Setup, 2-Encrypt, 2-Decrypt, 2-Trace), where

2-Setup: Given a security parameter $\lambda$, the algorithm generates a $\lambda$-bit prime $q$, a group $\mathbb{G}$ of order $q$, and a generator $g$ of $\mathbb{G}$. Then the algorithm chooses $f(x) = a_0 + a_1 x \pmod q$, where $a_0, a_1 \xleftarrow{\$} \mathbb{Z}_q$, and sets

• Public broadcast-key $bk := \langle g, g^{a_0}, g^{a_1} \rangle$

• Secret trace-key $tk := \langle f(x) \rangle$

• User-key $sk_\sigma := \langle i_\sigma, f(i_\sigma) \rangle$, where $i_\sigma \in \mathbb{Z}_q^{*}$, $\forall \sigma \in \{0, 1\}$

2-Encrypt: Given $bk$ and a plaintext $m \in \mathcal{M}$, the algorithm chooses an unused share $j \xleftarrow{\$} \mathbb{Z}_q^{*}$ and $r \xleftarrow{\$} \mathbb{Z}_q$, then outputs the ciphertext

$c \leftarrow \langle m g^{r a_0},\ g^{r},\ (j, g^{r f(j)}) \rangle.$

2-Decrypt: Given a ciphertext $c = \langle A, R, (j, W) \rangle$ and user-key $sk_\sigma$, the algorithm computes

$m \leftarrow A \Big/ \Big( W^{\frac{-i_\sigma}{j - i_\sigma}} \cdot R^{f(i_\sigma) \cdot \frac{-j}{i_\sigma - j}} \Big).$

(The two exponents are the Lagrange coefficients that interpolate $f(0) = a_0$ from the points $j$ and $i_\sigma$, so for a valid ciphertext the denominator equals $g^{r a_0}$.)

2-Trace: Given a pirate decoder $\mathcal{D}$ that can decrypt all valid ciphertexts perfectly, used as a decryption oracle, the algorithm does:

1. 2-TrEncrypt: Given $bk$ and a plaintext $m \xleftarrow{\$} \mathcal{M}$, the algorithm chooses distinct $r, \hat{r} \xleftarrow{\$} \mathbb{Z}_q^{*}$ and an unused share $j \xleftarrow{\$} \mathbb{Z}_q^{*}$. Then it computes a probe ciphertext

$\hat{c} \xleftarrow{\$} \langle A = m g^{r a_0},\ R = g^{r},\ (j, \hat{W} = g^{\hat{r} f(j)}) \rangle.$

2. For all $\sigma \in \{0, 1\}$, pre-compute

$V_\sigma = \hat{W}^{\frac{-i_\sigma}{j - i_\sigma}} \cdot R^{f(i_\sigma) \cdot \frac{-j}{i_\sigma - j}}.$

3. For all $\sigma \in \{0, 1\}$, if $\mathcal{D}(\hat{c}) = A / V_\sigma$, then output $S = \{\sigma\}$; else output $S = \{0, 1\}$.
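An added example (not the thesis author's code) that models 2-PK-TTS as specified above and the codeword-to-key assignment and symbol-by-symbol tracing of the Tracing Part in Section 3.1: each component is traced with a probe whose share uses a second exponent, and the recovered pirate codeword is checked against the feasible set of the colluders. The toy Schnorr group, the user identities $i_0 = 1$, $i_1 = 2$, the sample codewords and the model of the pirate decoder as a black box that applies 2-Decrypt with one colluder's key per component are constructed assumptions.

```python
"""Toy model of 2-PK-TTS and of the code-based tracing step (added example, not the
thesis author's code).  Assumptions: a small Schnorr group (P = 2039, Q = 1019, G = 4)
stands in for the lambda-bit group, plaintexts are group elements, and a pirate decoder
is a black box applying 2-Decrypt with one colluder's key per component."""
import secrets

P, Q, G = 2039, 1019, 4   # toy: Q prime, P = 2Q + 1, G generates the order-Q subgroup of Z_P^*
I0, I1 = 1, 2             # user identities i_0, i_1 in Z_Q^*, shared by all components

def inv(x, mod):
    return pow(x % mod, -1, mod)

def rand_exp():
    return 1 + secrets.randbelow(Q - 1)   # uniform in Z_Q^*

def lagrange0(j, i):
    """Coefficients recovering f(0) from f(j) and f(i): -i/(j-i) and -j/(i-j) mod Q."""
    return (-i * inv(j - i, Q)) % Q, (-j * inv(i - j, Q)) % Q

def two_setup(a0=None):
    """2-Setup: f(x) = a0 + a1 x; bk = <g, g^a0, g^a1>, tk = (a0, a1), sk_s = <i_s, f(i_s)>."""
    a0 = secrets.randbelow(Q) if a0 is None else a0   # a0 may be shared, as TTS-AONT does
    a1 = rand_exp()                                    # Z_Q^* so f is never the zero polynomial
    bk = (G, pow(G, a0, P), pow(G, a1, P))
    sk = {0: (I0, (a0 + a1 * I0) % Q), 1: (I1, (a0 + a1 * I1) % Q)}
    return bk, (a0, a1), sk

def share(bk, j, r):
    """g^{r f(j)} from the public key alone: (g^a0)^r * (g^a1)^{r j}."""
    return pow(bk[1], r, P) * pow(bk[2], r * j % Q, P) % P

def fresh_j():
    """An unused share position j in Z_Q^*, distinct from both user identities."""
    while (j := rand_exp()) in (I0, I1):
        pass
    return j

def two_encrypt(bk, m):
    """2-Encrypt: c = <m g^{r a0}, g^r, (j, g^{r f(j)})>."""
    r, j = rand_exp(), fresh_j()
    return (m * pow(bk[1], r, P) % P, pow(bk[0], r, P), (j, share(bk, j, r)))

def two_decrypt(c, sk):
    """2-Decrypt: m = A / (W^{-i/(j-i)} * R^{f(i)(-j)/(i-j)}); the exponent interpolates r*a0."""
    A, R, (j, W) = c
    i, fi = sk
    lj, li = lagrange0(j, i)
    return A * inv(pow(W, lj, P) * pow(R, fi * li % Q, P), P) % P

def two_tr_encrypt(bk, m):
    """2-TrEncrypt: as 2-Encrypt, but the share uses a second exponent r_hat != r."""
    r = rand_exp()
    while (rhat := rand_exp()) == r:
        pass
    while share(bk, (j := fresh_j()), rhat) == 1:   # f(j) = 0 would make sk_0 and sk_1 agree
        pass
    return (m * pow(bk[1], r, P) % P, pow(bk[0], r, P), (j, share(bk, j, rhat)))

def two_trace(bk, tk, decoder):
    """2-Trace: feed the black box a probe and compare its answer with A/V_sigma, sigma in {0,1}."""
    probe = two_tr_encrypt(bk, pow(G, secrets.randbelow(Q), P))
    A, R, (j, What) = probe
    out = decoder(probe)
    a0, a1 = tk
    found = set()
    for s, i in ((0, I0), (1, I1)):
        lj, li = lagrange0(j, i)
        V = pow(What, lj, P) * pow(R, (a0 + a1 * i) * li % Q, P) % P
        if out == A * inv(V, P) % P:
            found.add(s)
    return found or {0, 1}

def is_feasible(wbar, W):
    """Marking assumption: wbar in F(W) iff every symbol comes from some colluder's codeword."""
    return all(any(wbar[i] == w[i] for w in W) for i in range(len(wbar)))

def assign_keys(components, codeword):
    """User-key set of a codeword: sk_{j,0} if w_j = '0' else sk_{j,1}, for every component j."""
    return [components[j][2][int(b)] for j, b in enumerate(codeword)]

def trace_codeword(components, decoder):
    """Recover the pirate codeword symbol by symbol ('?' where 2-Trace stays undecided)."""
    w = ""
    for j, (bk, tk, _) in enumerate(components):
        s = two_trace(bk, tk, lambda c, j=j: decoder(j, c))
        w += str(next(iter(s))) if len(s) == 1 else "?"
    return w

def demo(codewords=("01011", "11101", "00110"), traitors=(0, 1)):
    """Constructed scenario: subscribers 0 and 1 collude; at position j the pirate key set
    takes the key of traitor j mod len(traitors), which the marking assumption permits."""
    a0 = secrets.randbelow(Q)                        # one a0 for every component, as in Setup
    components = [two_setup(a0) for _ in range(len(codewords[0]))]
    keysets = [assign_keys(components, w) for w in codewords]
    pirate = [keysets[traitors[j % len(traitors)]][j] for j in range(len(components))]
    decoder = lambda j, c: two_decrypt(c, pirate[j])  # black box: component j uses pirate[j]
    w_star = trace_codeword(components, decoder)
    return w_star, is_feasible(w_star, [codewords[t] for t in traitors])

if __name__ == "__main__":
    print(demo())   # ('01001', True): the traced codeword lies in F({01011, 11101})
```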

Theorem 1. 2-PK-TTS is semantically secure under the DDH assumption.

Proof. It is a special case of the traitor tracing scheme described in [23].

Theorem 2. 2-PK-TTS is traceable against 1-collusion under the DDH assumption.

Proof. By contradiction, assume that there exists an adversary $\mathcal{A}$ that, given the public key and one of the user-keys of 2-PK-TTS, can produce a pirate decoder $\mathcal{D}$ that decrypts all valid ciphertexts perfectly, i.e., $\Pr[\mathcal{D}(\text{2-Encrypt}(bk, m)) = m : \mathcal{D} \xleftarrow{\$} \mathcal{A}(bk, sk_\sigma),\ \sigma \in \{0, 1\}] = 1$, but when given a probe ciphertext $\hat{c} \xleftarrow{\$} \langle A, g^{r}, (j, \hat{W} = g^{\hat{r} f(j)}) \rangle$, $\mathcal{D}$ outputs a value different from $A / V_\sigma$ of the 2-Trace algorithm with non-negligible probability $\epsilon > 0$, i.e.,

$\Pr\big[\mathcal{D}(\hat{c}) \ne A / V_\sigma : V_\sigma \leftarrow \hat{W}^{\frac{-i_\sigma}{j - i_\sigma}} \cdot R^{f(i_\sigma) \cdot \frac{-j}{i_\sigma - j}},\ \forall \sigma \in \{0, 1\}\big] = \epsilon.$

Then we can construct an algorithm $\mathcal{B}$ that breaks the DDH assumption with non-negligible advantage $\epsilon / 4$ as follows:

• Setup. Algorithm $\mathcal{B}$ is given as input an instance $(g, g^{u}, g^{v}, X)$ of the DDH assumption, and it wants to determine whether $X = g^{uv}$ or $X$ is a random element of $\mathbb{G}$. $\mathcal{B}$ chooses $i, z \xleftarrow{\$} \mathbb{Z}_q^{*}$ and sets $sk = \langle i, z \rangle$ and $bk = \langle g, g^{u}, g^{a_1} = (g^{z} / g^{u})^{i^{-1}} \rangle$, then gives $(bk, sk)$ to $\mathcal{A}$. (Implicitly $a_0 = u$ and $f(i) = z$, so $a_1 = (z - u) / i$.)

• Trace. The adversary produces a pirate decoder $\mathcal{D}$ with the property above. Then $\mathcal{B}$ runs the modified 2-Trace as follows:

1. Choose $A \xleftarrow{\$} \mathbb{G}$ and $j \xleftarrow{\$} \mathbb{Z}_q^{*}$ with $j \ne i$. Set the ciphertext as

$c \leftarrow \langle A,\ g^{v},\ (j, W = X \cdot ((g^{v})^{z} / X)^{j i^{-1}}) \rangle.$

2. Pre-compute $V \leftarrow W^{\frac{-i}{j - i}} \cdot (g^{v})^{z \cdot \frac{-j}{i - j}}$.

3. If $\mathcal{D}(c) = A / V$, then $\mathcal{B}$ answers at random whether $X = g^{uv}$ or $X$ is a random element of $\mathbb{G}$; else $\mathcal{B}$ answers that $X$ is a random element of $\mathbb{G}$.

If $X = g^{uv}$, then $c$ is a valid ciphertext, since

$X \left( \frac{(g^{v})^{z}}{X} \right)^{j i^{-1}} = g^{uv} \left( \frac{(g^{v})^{z}}{g^{uv}} \right)^{j i^{-1}} = g^{uv} \left( \left( \frac{g^{z}}{g^{u}} \right)^{i^{-1}} \right)^{vj} = g^{uv} (g^{a_1})^{vj} = g^{v(u + a_1 j)}.$

In this case $\mathcal{D}(c) = A / V$, so $\mathcal{B}$ gives the correct answer only with probability $\tfrac{1}{2}$.

If $X$ is a random element of $\mathbb{G}$, then $c$ is not a valid ciphertext. In this case $\mathcal{D}(c) \ne A / V$ with probability $\epsilon$, and $\mathcal{D}(c) = A / V$ with probability $1 - \epsilon$, so $\mathcal{B}$ gives the correct answer with probability $\epsilon + \tfrac{1}{2}(1 - \epsilon) = \tfrac{1}{2} + \tfrac{\epsilon}{2}$.

Hence $\mathcal{B}$ solves the DDH problem with non-negligible advantage $\epsilon / 4$, which contradicts the DDH assumption, so we conclude that such an adversary $\mathcal{A}$ does not exist.

3.3 Our Traitor Tracing Scheme for N Users

Our traitor tracing scheme for $N$ users follows the framework in the previous section but replaces the public-key encryption scheme PKE by 2-PK-TTS. For convenience, we introduce some notations used in our scheme:

• $\mathrm{MINUS}_k(M)$: Given an $\ell\lambda$-bit message $M = m_1 \| \ldots \| m_\ell$ and a position index $k \in \{1, \ldots, \ell\}$, the algorithm outputs $M$ "minus" its $k$-th block of size $\lambda$, i.e., $\mathrm{MINUS}_k(M) = m_1 \| \ldots \| m_{k-1} \| m_{k+1} \| \ldots \| m_\ell$.

• $\mathrm{COMB}_k(Y, m)$: Given an $(\ell - 1)\lambda$-bit message $Y = y_1 \| \ldots \| y_{\ell - 1}$, a position index $k$ and a $\lambda$-bit block $m$, the algorithm first splits $Y$ into $X_1 \| X_2$, where $X_1$ is the front $(k - 1)\lambda$ bits of $Y$ and $X_2$ is the rest of $Y$. Then the algorithm "combines" and outputs the messages in the order $X_1$, $m$, $X_2$, i.e., $\mathrm{COMB}_k(Y, m) = y_1 \| \ldots \| y_{k-1} \| m \| y_k \| \ldots \| y_{\ell - 1}$.

Our traitor tracing scheme for $N$ users is TTS-AONT = (Setup, Encrypt, Decrypt, Trace):

Setup: Given a security parameter $\lambda$ and the number of users $N$, the algorithm generates a fingerprinting code $\Gamma = \{w^{(1)}, \ldots, w^{(N)}\}$ over $\{0, 1\}^{\ell}$ (which can be public). Then it runs 2-Setup $\ell$ times to generate the keys $\langle (bk_i, tk_i, (sk_{0,i}, sk_{1,i}))_{i=1}^{\ell} \rangle$ (using the same $q$, $\mathbb{G}$, $g$, $i_0$, $i_1$, $a_0$ in every run). Finally the algorithm picks a randomized all-or-nothing transform function AONT and sets

• Public broadcast-key $BK := \langle q, g, g^{a_0}, (g^{a_{1,j}})_{j=1}^{\ell}, \mathrm{AONT} \rangle$ (we denote the $k$-th key of $BK$ by $BK_k = (q, g, g^{a_0}, g^{a_{1,k}})$)

• Secret trace-key $TK := \langle (f_j(x))_{j=1}^{\ell} \rangle$

• User-key $SK_\sigma := \langle w^{(\sigma)}, i_0, i_1, (f_j(i_{w^{(\sigma)}_j}))_{j=1}^{\ell} \rangle$, $\forall \sigma \in \{1, 2, \ldots, N\}$ (we denote the $k$-th key of $SK_\sigma$ by $SK_{\sigma,k} = (i_{w^{(\sigma)}_k}, f_k(i_{w^{(\sigma)}_k}))$)

Encrypt: Given $BK$ and a plaintext $M' \in \mathcal{M}^{\ell'}$, the algorithm chooses a random string $\rho \xleftarrow{\$} \{0, 1\}^{\tau}$ and computes $\mathrm{AONT}(M'; \rho) = M = m_1 \| m_2 \| \ldots \| m_\ell$. Then it chooses a position $k \xleftarrow{\$} \{1, 2, \ldots, \ell\}$ and computes the ciphertext

$C \xleftarrow{\$} \langle k,\ \text{2-Encrypt}(BK_k, m_k),\ \mathrm{MINUS}_k(M) \rangle.$

Decrypt: Given a ciphertext $C = \langle k, c_k, Y \rangle$, user $\sigma$ computes

$M' \leftarrow \mathrm{AONT}^{-1}(\mathrm{COMB}_k(Y, m_k))$, where $m_k \leftarrow \text{2-Decrypt}(SK_{\sigma,k}, c_k)$.

Trace: Given a pirate decoder $\mathcal{D}$ that can decrypt all valid ciphertexts perfectly, used as a decryption oracle:

• For every position $k \in \{1, 2, \ldots, \ell\}$, do:

(1) Choose $M' \xleftarrow{\$} \mathcal{M}^{\ell'}$ and a random string $\rho \xleftarrow{\$} \{0, 1\}^{\tau}$, and run $\mathrm{AONT}(M'; \rho) = M = m_1 \| m_2 \| \ldots \| m_\ell$.

(2) Call $\text{2-TrEncrypt}(BK_k, m_k) \xrightarrow{\$} \hat{c} = \langle A, R, (j, \hat{W}) \rangle$. Set the probe ciphertext as $\hat{C} \xleftarrow{\$} \langle k, \hat{c}, Y = \mathrm{MINUS}_k(M) \rangle$.

(3) For all $\sigma \in \{0, 1\}$, pre-compute $M_{k,\sigma} = \mathrm{COMB}_k\big(Y,\ \hat{W}^{\frac{-i_\sigma}{j - i_\sigma}} \cdot R^{f_k(i_\sigma) \cdot \frac{-j}{i_\sigma - j}}\big)$.

(4) Query $\mathcal{D}$ with $\hat{C}$ and, as in step 3 of 2-Trace, set the $k$-th symbol $w^{*}_k$ of the pirate codeword to the $\sigma$ whose pre-computed value $M_{k,\sigma}$ matches the answer of $\mathcal{D}$.

• Recover $w^{*} = (w^{*}_1, w^{*}_2, \ldots, w^{*}_\ell)$, then call the tracing algorithm of the fingerprinting code to obtain the colluding codewords in $\Gamma$. Finally, output the corresponding traitor set $S$.

3.4 Security Analysis of Our TTS-AONT

Theorem 3. TTS-AONT is semantically secure under the semantic security of 2-PK-TTS and PKE-AONT.

Proof. For every position $k \in \{1, 2, \ldots, \ell\}$, we use two games to bound the semantic-security advantage against TTS-AONT by $\mathrm{Adv}^{SS}_{\text{2-TTS}}$ and $\mathrm{Adv}^{ind}_{\text{PKE-AONT}}$ as follows:

Game $G_0$. Define $G_0$ as the original semantic security game and let $S_0$ be the event that $b' = b$, i.e., $\mathrm{Adv}^{SS}_{\text{TTS-AONT}} := \left|\Pr[S_0] - \tfrac{1}{2}\right|$.

Game $G_1$. This game is identical to $G_0$, except that in the Encrypt algorithm the 2-PK-TTS part of the challenge is computed as

$c_1 \xleftarrow{\$} \langle A \xleftarrow{\$} \{0, 1\}^{\lambda},\ R = g^{r},\ (j, W = g^{r f_k(j)}) \rangle,$

and we let $S_1$ be the event that $b' = b$ in this game.

By reduction, for every position $k \in \{1, 2, \ldots, \ell\}$, if there exists an adversary $\mathcal{A}$ that can distinguish the challenges of $G_0$ and $G_1$ with non-negligible probability $\epsilon > 0$, then we can use $\mathcal{A}$ to construct an adversary $\mathcal{B}$ that breaks the semantic security of 2-TTS with non-negligible advantage $\epsilon / 2$ as follows:

• Setup. Algorithm $\mathcal{B}$ is given as input an instance $bk = \langle g, g^{a_0}, g^{a_1} \rangle$ of 2-TTS, and it wants to determine whether the challenge $C$ is constructed as in $G_0$ or as in $G_1$. $\mathcal{B}$ chooses $a_{\alpha,1} \xleftarrow{\$} \mathbb{Z}_q$ for $\alpha \in \{1, 2, \ldots, \ell\} \setminus \{k\}$, lets $g^{a_{k,1}} = g^{a_1}$, and then gives $BK = \langle g, g^{a_0}, (g^{a_{\alpha,1}})_{\alpha=1}^{\ell} \rangle$ to $\mathcal{A}$.

• Challenge. $\mathcal{A}$ sends two plaintexts $M_0, M_1 \in \mathcal{M}^{\ell'}$ to $\mathcal{B}$. $\mathcal{B}$ flips a coin $b' \in \{0, 1\}$, calls $\mathrm{AONT}(M_{b'}; \rho) = m_{b',1} \| m_{b',2} \| \ldots \| m_{b',\ell}$, lets $m_{1-b',k} \xleftarrow{\$} \{0, 1\}^{\lambda}$, and sends $m_{b'} = m_{b',k}$, $m_{1-b'} = m_{1-b',k}$ to the 2-TTS challenger. The 2-TTS challenger flips a coin $b \in \{0, 1\}$ and returns the challenge $c_b \xleftarrow{\$} \text{2-Encrypt}(bk, m_b)$ to $\mathcal{B}$. Finally, $\mathcal{B}$ sends $\mathcal{A}$ the challenge

$C_{b'} = \langle k,\ c_b,\ Y = m_{b',1} \| \ldots \| m_{b',k-1} \| m_{b',k+1} \| \ldots \| m_{b',\ell} \rangle.$

• Guess. $\mathcal{A}$ outputs $\hat{b} \in \{0, 1\}$ to $\mathcal{B}$. Then $\mathcal{B}$ gives $\hat{b}$ as its guess to the 2-TTS challenger.

By the construction above, $\mathcal{B}$ "interpolates" between $G_0$ and $G_1$ for $\mathcal{A}$:

- If $b' = b$, then $\mathcal{A}$ gets a challenge of $G_0$;

- If $b' = 1 - b$, then $\mathcal{A}$ gets a challenge of $G_1$.

Thus $\Pr[S_0] = \Pr[\hat{b} = b' \mid b' = b]$ and $\Pr[S_1] = \Pr[\hat{b} = b' \mid b' = 1 - b]$, and we get

$$\begin{aligned}
\Pr[\hat{b} = b] &= \Pr[\hat{b} = b \mid b' = b] \cdot \Pr[b' = b] + \Pr[\hat{b} = b \mid b' = 1 - b] \cdot \Pr[b' = 1 - b] \\
&= \tfrac{1}{2}\big(\Pr[\hat{b} = b \mid b' = b] + \Pr[\hat{b} = b \mid b' = 1 - b]\big) \\
&= \tfrac{1}{2}\big(\Pr[\hat{b} = b \mid b' = b] + 1 - \Pr[\hat{b} = 1 - b \mid b' = 1 - b]\big) \\
&= \tfrac{1}{2} + \tfrac{1}{2}\big(\Pr[\hat{b} = b' \mid b' = b] - \Pr[\hat{b} = b' \mid b' = 1 - b]\big) \\
&= \tfrac{1}{2} + \tfrac{1}{2}\big(\Pr[S_0] - \Pr[S_1]\big).
\end{aligned}$$

It follows that $\left|\Pr[S_0] - \Pr[S_1]\right| = 2\left|\Pr[\hat{b} = b] - \tfrac{1}{2}\right| = 2\,\mathrm{Adv}^{SS}_{\text{2-TTS}}$, which proves the claim.

Since PKE-AONT is semantically secure, the adversary distinguishes the two ciphertexts in $G_1$ with probability $\tfrac{1}{2} + \mathrm{Adv}^{ind}_{\text{PKE-AONT}}$, so $\left|\Pr[S_1] - \tfrac{1}{2}\right| = \mathrm{Adv}^{ind}_{\text{PKE-AONT}}$.

Hence, by the discussion above and the triangle inequality,

$$\left|\Pr[S_0] - \tfrac{1}{2}\right| = \left|\Pr[S_0] - \Pr[S_1] + \Pr[S_1] - \tfrac{1}{2}\right| \le \left|\Pr[S_0] - \Pr[S_1]\right| + \left|\Pr[S_1] - \tfrac{1}{2}\right| = 2\,\mathrm{Adv}^{SS}_{\text{2-TTS}} + \mathrm{Adv}^{ind}_{\text{PKE-AONT}},$$

and since $\mathrm{Adv}^{SS}_{\text{2-TTS}}$ and $\mathrm{Adv}^{ind}_{\text{PKE-AONT}}$ are both negligible functions of $\lambda$, we conclude that the advantage of $\mathcal{A}$ in the semantic security game is bounded by a negligible function of $\lambda$.

Theorem 4. TTS-AONT is traceable against $t$-collusion under the DDH assumption.

Proof. By contradiction, assume that there exists an adversary $\mathcal{A}$ that, given the public key, one of the user private keys and the all-or-nothing transform function of TTS-AONT, can produce a pirate decoder $\mathcal{D}$ that decrypts all valid ciphertexts perfectly, i.e., $\Pr[\mathcal{D}(\mathrm{Encrypt}(BK, \mathrm{AONT}, M')) = M' : \mathcal{D} \xleftarrow{\$} \mathcal{A}(BK, SK_\sigma),\ \sigma \in \{1, 2, \ldots, N\}] = 1$, but when given a probe ciphertext, $\mathcal{D}$ outputs a value different from the one expected by the Trace algorithm of TTS-AONT with non-negligible probability $\epsilon > 0$.

Then we can construct an algorithm $\mathcal{B}$ that breaks the DDH assumption with advantage $\epsilon / 4$ as follows:

• Setup. Algorithm $\mathcal{B}$ is given as input an instance $(g, g^{u}, g^{v}, X)$ of the DDH assumption, and it wants to determine whether $X = g^{uv}$ or $X$ is a random element of $\mathbb{G}$. $\mathcal{B}$ chooses $k \xleftarrow{\$} \{1, 2, \ldots, \ell\}$, $w \xleftarrow{\$} \{0, 1\}^{\ell}$, and $i_0, i_1, z_1, z_2, \ldots, z_\ell \xleftarrow{\$} \mathbb{Z}_q^{*}$, then sets

$BK = \big\langle g,\ g^{u},\ \big(g^{a_{\alpha,1}} = (g^{z_\alpha} / g^{u})^{(i_{w_\alpha})^{-1}}\big)_{\alpha=1}^{\ell} \big\rangle$, $\quad SK = \langle w, i_0, i_1, (z_\alpha)_{\alpha=1}^{\ell} \rangle$,

and for brevity denotes $z_k = z$ and $i_{w_k} = i$. Then $\mathcal{B}$ picks a randomized all-or-nothing transform function AONT and gives $(BK, SK, \mathrm{AONT})$ to $\mathcal{A}$.

• Trace. The adversary produces a pirate decoder $\mathcal{D}$ with the property above and gives it to $\mathcal{B}$. Then $\mathcal{B}$ runs the modified Trace algorithm as follows:

1. Compute $M \xleftarrow{\$} \mathrm{AONT}(M'; \rho)$, where $M' \xleftarrow{\$} \mathcal{M}^{\ell'}$ and $\rho \xleftarrow{\$} \{0, 1\}^{\tau}$.

2. Choose $j \xleftarrow{\$} \mathbb{Z}_q^{*}$ with $j \notin \{i_0, i_1\}$. Compute

$c \leftarrow \langle A = m_k X,\ R = g^{v},\ (j, W = X \cdot ((g^{v})^{z} / X)^{j i^{-1}}) \rangle.$

3. Pre-compute $M'_{k,\sigma} = \mathrm{COMB}_k\big(\mathrm{MINUS}_k(M),\ W^{\frac{-i_\sigma}{j - i_\sigma}} \cdot R^{f_k(i_\sigma) \cdot \frac{-j}{i_\sigma - j}}\big)$.

4. For all $\sigma \in \{0, 1\}$, if $\mathrm{AONT}(\mathcal{D}(C); \rho) = M'_{k,\sigma}$, then $\mathcal{B}$ answers at random whether $X = g^{uv}$ or $X$ is a random element of $\mathbb{G}$; else $\mathcal{B}$ answers that $X$ is a random element of $\mathbb{G}$.

If $X = g^{uv}$, then $c$ is a valid ciphertext, since

$X \left( \frac{(g^{v})^{z}}{X} \right)^{j i^{-1}} = g^{uv} \left( \frac{(g^{v})^{z}}{g^{uv}} \right)^{j i^{-1}} = g^{uv} \left( \left( \frac{g^{z}}{g^{u}} \right)^{i^{-1}} \right)^{vj} = g^{uv} (g^{a_{k,1}})^{vj} = g^{v(u + a_{k,1} j)}.$

In this case $\mathrm{AONT}(\mathcal{D}(C); \rho) = M'_{k,\sigma}$, so $\mathcal{B}$ gives the correct answer only with probability $\tfrac{1}{2}$.

If $X$ is a random element of $\mathbb{G}$, then $C$ is not a valid ciphertext. In this case $\mathrm{AONT}(\mathcal{D}(C); \rho) \ne M'_{k,\sigma}$ with probability $\epsilon$, and $\mathrm{AONT}(\mathcal{D}(C); \rho) = M'_{k,\sigma}$ with probability $1 - \epsilon$, so $\mathcal{B}$ gives the correct answer with probability $\epsilon + \tfrac{1}{2}(1 - \epsilon) = \tfrac{1}{2} + \tfrac{\epsilon}{2}$.

Hence $\mathcal{B}$ solves the DDH problem with non-negligible advantage $\epsilon / 4$, which contradicts the DDH assumption, so we conclude that such an adversary $\mathcal{A}$ does not exist.


Chapter 4

Conclusion

We propose a framework for fully-collusion resistant public-key traitor tracing schemes with black-box tracing which has optimal transmission rate. Using this framework, we construct a traitor tracing scheme TTS-AONT with $\ell + 1$ user-key size and $\ell + 1$ public-key size, where $\ell$ is the codeword length of the fingerprinting codes. Then we show that our TTS-AONT is semantically secure based on the hardness of the DDH assumption and the semantic security of the cryptosystem PKE-AONT. Also, our TTS-AONT is $t$-collusion resistant or fully-collusion resistant based on the DDH assumption.

There are some open problems: (1) How can the storage requirements of the user-key and public-key be improved further? Perhaps a new construction of fingerprinting codes with shorter length, or some tricks to decrease the storage requirements, can be found. (2) In [2], Billet and Phan proposed a general attack, "Pirates 2.0", against code-based traitor tracing schemes (including ours). In Pirates 2.0, traitors give away only a "part" of their secret keys, and the data supplier can trace them only with some uncertainty. How to prevent such an attack efficiently is also an important problem in making code-based traitor tracing schemes more practical.


Bibliography

[1] Bellare, M., and Rogaway, P. Optimal asymmetric encryption. In EUROCRYPT (1994), pp. 92–111.

[2] Billet, O., and Phan, D. H. Traitors collaborating in public: Pirates 2.0. In EUROCRYPT (2009), A. Joux, Ed., vol. 5479 of Lecture Notes in Computer Science, Springer, pp. 189–205.

[3] Boneh, D., and Franklin, M. An efficient public key traitor tracing scheme. In CRYPTO (1999), Springer-Verlag, pp. 338–353.

[4] Boneh, D., and Naor, M. Traitor tracing with constant size ciphertext. In ACM Conference on Computer and Communications Security (2008), P. Ning, P. F. Syverson, and S. Jha, Eds., ACM, pp. 501–510.

[5] Boneh, D., Sahai, A., and Waters, B. Fully collusion resistant traitor tracing with short ciphertexts and private keys. In EUROCRYPT (2006), S. Vaudenay, Ed., vol. 4004 of Lecture Notes in Computer Science, Springer, pp. 573–592.

[6] Boneh, D., and Shaw, J. Collusion-secure fingerprinting for digital data. IEEE Transactions on Information Theory 44, 5 (1998), 1897–1905.

[7] Boyko, V. On the security properties of OAEP as an all-or-nothing transform. In CRYPTO (1999), M. J. Wiener, Ed., vol. 1666 of Lecture Notes in Computer Science, Springer, pp. 503–518.

[8] Canetti, R., Dodis, Y., Halevi, S., Kushilevitz, E., and Sahai, A. Exposure-resilient functions and all-or-nothing transforms. In EUROCRYPT (2000), pp. 453–469.

[9] Chabanne, H., Phan, D. H., and Pointcheval, D. Public traceability in traitor tracing schemes. In EUROCRYPT (2005), R. Cramer, Ed., vol. 3494 of Lecture Notes in Computer Science, Springer, pp. 542–558.

[10] Chor, B., Fiat, A., and Naor, M. Tracing traitors. In CRYPTO (1994), Y. Desmedt, Ed., vol. 839 of Lecture Notes in Computer Science, Springer, pp. 257–270.

[11] Chor, B., Fiat, A., Naor, M., and Pinkas, B. Tracing traitors. IEEE Transactions on Information Theory 46, 3 (2000), 893–910.

[12] Fazio, N., Nicolosi, A., and Phan, D. H. Traitor tracing with optimal transmission rate. In ISC (2007), J. A. Garay, A. K. Lenstra, M. Mambo, and R. Peralta, Eds., vol. 4779 of Lecture Notes in Computer Science, Springer, pp. 71–88.

[13] Furukawa, J., and Attrapadung, N. Fully collusion resistant black-box traitor revocable broadcast encryption with short private keys. In ICALP (2007), L. Arge, C. Cachin, T. Jurdzinski, and A. Tarlecki, Eds., vol. 4596 of Lecture Notes in Computer Science, Springer, pp. 496–508.

[14] Kiayias, A., and Yung, M. Traitor tracing with constant transmission rate. In EUROCRYPT (2002), L. R. Knudsen, Ed., vol. 2332 of Lecture Notes in Computer Science, Springer, pp. 450–465.

[15] Kurosawa, K., and Desmedt, Y. Optimum traitor tracing and asymmetric schemes. In EUROCRYPT (1998), pp. 145–157.

[16] Naor, M., and Pinkas, B. Threshold traitor tracing. In CRYPTO (1998), H. Krawczyk, Ed., vol. 1462 of Lecture Notes in Computer Science, Springer, pp. 502–517.

[17] Naor, M., and Pinkas, B. Efficient trace and revoke schemes. In Financial Cryptography (2000), Y. Frankel, Ed., vol. 1962 of Lecture Notes in Computer Science, Springer, pp. 1–20.

[18] Phan, D. H. Traitor tracing for stateful pirate decoders with constant ciphertext rate. In VIETCRYPT (2006), P. Q. Nguyen, Ed., vol. 4341 of Lecture Notes in Computer Science, Springer, pp. 354–365.

[19] Phan, D. H., Safavi-Naini, R., and Tonien, D. Generic construction of hybrid public key traitor tracing with full-public-traceability. In ICALP (2) (2006), M. Bugliesi, B. Preneel, V. Sassone, and I. Wegener, Eds., vol. 4052 of Lecture Notes in Computer Science, Springer, pp. 264–275.

[20] Rivest, R. L. All-or-nothing encryption and the package transform. In FSE (1997), E. Biham, Ed., vol. 1267 of Lecture Notes in Computer Science, Springer, pp. 210–218.

[21] Tardos, G. Optimal probabilistic fingerprint codes. In STOC (2003), ACM, pp. 116–125.

[22] Tô, V. D., Safavi-Naini, R., and Zhang, F. New traitor tracing schemes using bilinear map. In Digital Rights Management Workshop (2003), M. Yung, Ed., ACM, pp. 67–76.

[23] Tzeng, W.-G., and Tzeng, Z.-J. A public-key traitor tracing scheme with revocation using dynamic shares. Des. Codes Cryptography 35, 1 (2005), 47–61.

[24] Zhang, R., Hanaoka, G., and Imai, H. On the security of cryptosystems with all-or-nothing transform. In ACNS (2004), M. Jakobsson, M. Yung, and J. Zhou, Eds., vol. 3089 of Lecture Notes in Computer Science, Springer, pp. 76–90.

Appendix A

All-Or-Nothing Transform

Let $\Omega$ be the set of all mappings from the set of infinite binary strings $\{0,1\}^\infty$ to the set of finite binary strings $\{0,1\}^*$. Let $H \leftarrow \Omega$ denote choosing a function $H$ from $\Omega$ uniformly at random. We define the security game of an all-or-nothing transform function as follows.

Indistinguishability.

• Setup. The challenger chooses a security parameter $\lambda$ and constructs an all-or-nothing transform function $\mathrm{AONT}_\Gamma$ from the random oracle $\Gamma \leftarrow \Omega$. Then it gives $\lambda$ and $\mathrm{AONT}_\Gamma$ to the adversary.

• Challenge. The adversary selects a position set $L \subseteq \{1, 2, \dots, n'\}$ and two inputs $x_0, x_1$, and sends them to the challenger. Then the challenger flips a coin $b \in \{0,1\}$ and generates $C \leftarrow \mathrm{AONT}(x_b; \rho)$. After hiding the bits of $C$ at the positions in $L$, it sends the ciphertext $C_L$ to the adversary.

• Guess. The adversary returns a guess $b' \in \{0,1\}$ of $b$ to the challenger.

We define the advantage of the adversary in winning this game as $\mathrm{Adv}^{\mathrm{ind}}_{\mathrm{AONT}} := \left|\Pr[b' = b] - \tfrac{1}{2}\right|$.

Definition. We say that an all-or-nothing transform function is indistinguishable if for every polynomial-time adversary $A$, $\mathrm{Adv}^{\mathrm{ind}}_{\mathrm{AONT}}$ is a negligible function of $\lambda$, i.e.,

$$\Pr\left[\, b' = b \;\middle|\; \begin{array}{l} \langle \Gamma, \lambda, \mathrm{AONT}_\Gamma \rangle \leftarrow \mathrm{Setup},\\ (L, x_0, x_1) \leftarrow A(\lambda, \mathrm{AONT}_\Gamma),\ b \xleftarrow{\$} \{0,1\},\\ C_{b,L} \leftarrow \mathrm{AONT}(x_b; \rho),\ b' \leftarrow A(C_{b,L}) \end{array} \right] \le \frac{1}{2} + \mathrm{neg}(\lambda).$$


Appendix B

The Public-Key Cryptosystem with AONT

In [24], Rui Zhang, Goichiro Hanaoka, and Hideki Imai proposed a cryptosystem that combines a public-key encryption scheme with an all-or-nothing transform function. Let the public-key scheme be $\mathrm{PKE} = (G, E, D)$. The public-key cryptosystem with AONT, $\text{PKE-AONT} = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$, is as follows.

• $\mathrm{Gen}(1^\lambda) \to \langle (pk, sk), \mathrm{AONT} \rangle$

Given a security parameter $\lambda$, the algorithm calls $G(1^\lambda)$ to generate a public key and secret key pair $(pk, sk)$, and it picks a randomized all-or-nothing transform function $\mathrm{AONT}$.

• $\mathrm{Enc}(pk, \mathrm{AONT}, M') \to C$

Given the public key $pk$, the all-or-nothing transform function $\mathrm{AONT}$ and a plaintext $M' \in \mathcal{M}^{n'}$, the algorithm chooses a random string $\rho \in \{0,1\}^\tau$, calls $\mathrm{AONT}(M'; \rho)$ to generate $M = m_1 \| m_2 \| \dots \| m_n \in \mathcal{M}^n$, chooses a position $k \xleftarrow{\$} \{1, 2, \dots, n\}$, and outputs the ciphertext

$$C := \langle k, c_1, c_2 \rangle \xleftarrow{\$} \langle k,\ E(pk, m_k),\ m_1 \| \dots \| m_{k-1} \| m_{k+1} \| \dots \| m_n \rangle.$$

• $\mathrm{Dec}(sk, \mathrm{AONT}, C) \to M'$

Given the secret key $sk$ and the ciphertext $C = \langle k, c_1, c_2 \rangle$, the algorithm calls $D(sk, c_1)$ to recover $m_k$, then puts $m_k$ into the $k$-th block of $c_2$ to recover $M$. Finally, $M' \leftarrow \mathrm{AONT}^{-1}(M)$.

We define the security of a public-key encryption scheme with all-or-nothing transform functions as follows.

Semantic Security.

• Setup. The challenger runs $\mathrm{Gen}$, then gives the public key $pk$ and the function $\mathrm{AONT}$ to the adversary $A$.

• Challenge. The adversary chooses two plaintexts $M'_0, M'_1 \in \mathcal{M}^{n'}$ and sends them to the challenger. Then the challenger flips a coin $b \in \{0,1\}$ and gives $C_b \xleftarrow{\$} \mathrm{Enc}(pk, \mathrm{AONT}, M'_b)$ to $A$.

• Guess. The adversary returns a guess $b' \in \{0,1\}$ of $b$ to the challenger.

We define the advantage of $A$ in winning this game as $\mathrm{Adv}^{\mathrm{SS}}_{\text{PKE-AONT}} := \left|\Pr[b' = b] - \tfrac{1}{2}\right|$.

Definition. We say that a public-key encryption scheme with all-or-nothing transform functions is semantically secure if for every polynomial-time adversary $A$, $\mathrm{Adv}^{\mathrm{SS}}_{\text{PKE-AONT}}$ is a negligible function of $\lambda$, i.e.,

$$\Pr\left[\, b' = b \;\middle|\; \begin{array}{l} \langle (pk, sk), \mathrm{AONT} \rangle \xleftarrow{\$} \mathrm{Gen}(1^\lambda),\\ (M'_0, M'_1) \leftarrow A(pk, \mathrm{AONT}),\ b \xleftarrow{\$} \{0,1\},\\ C_b \xleftarrow{\$} \mathrm{Enc}(pk, \mathrm{AONT}, M'_b),\ b' \leftarrow A(C_b) \end{array} \right] \le \frac{1}{2} + \mathrm{neg}(\lambda).$$
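The construction above, and the all-or-nothing property that the Appendix A game captures, as an added worked example in Python (not code from the thesis or from [24]). It assumes Rivest's package transform [20] as the AONT with SHA-256 standing in for the block cipher, and hashed ElGamal over a toy 14-bit safe-prime group as the PKE (G, E, D); the group parameters are assumptions for readability, not secure sizes. Enc applies the AONT, public-key encrypts a single random block m_k, and ships the remaining blocks as c_2 in the clear, which is where the optimal transmission rate comes from; the last function checks that c_2 alone, with one block missing, yields nothing of the plaintext.

```python
import hashlib
import secrets

BLOCK = 16                  # bytes per block m_i (assumption)
K0 = bytes(BLOCK)           # fixed public key K_0 of the package transform
P, Q, G = 10007, 5003, 4    # toy safe-prime group: G = 2^2 generates the order-Q subgroup (assumption)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _prf(key, data):
    """Pseudo-random block E_key(data); SHA-256 stands in for a block cipher (assumption)."""
    return hashlib.sha256(key + data).digest()[:BLOCK]


def _ctr(i):
    return i.to_bytes(BLOCK, "big")


def aont(msg, rho):
    """AONT(M'; rho): Rivest's package transform with the 16-byte random key rho = K'."""
    pad = BLOCK - len(msg) % BLOCK
    padded = msg + bytes([pad]) * pad
    xs = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    ms = [_xor(x, _prf(rho, _ctr(i))) for i, x in enumerate(xs, 1)]   # m_i = x_i XOR E_rho(i)
    tail = rho                                                          # m_{s+1} = rho XOR h_1 XOR ... XOR h_s
    for i, m in enumerate(ms, 1):
        tail = _xor(tail, _prf(K0, _xor(m, _ctr(i))))                  # h_i = E_K0(m_i XOR i)
    return ms + [tail]


def aont_inv(blocks):
    """AONT^{-1}: every block is needed, because rho is the XOR of the tail with all h_i."""
    *ms, tail = blocks
    rho = tail
    for i, m in enumerate(ms, 1):
        rho = _xor(rho, _prf(K0, _xor(m, _ctr(i))))
    padded = b"".join(_xor(m, _prf(rho, _ctr(i))) for i, m in enumerate(ms, 1))
    return padded[:len(padded) - padded[-1]]


def pke_gen():
    """G(1^lambda): hashed-ElGamal key pair (pk, sk) in the toy group."""
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk


def pke_enc(pk, block):
    """E(pk, m_k): (g^y, m_k XOR H(pk^y))."""
    y = secrets.randbelow(Q - 1) + 1
    mask = _prf(b"kdf", pow(pk, y, P).to_bytes(4, "big"))
    return pow(G, y, P), _xor(block, mask)


def pke_dec(sk, c1):
    """D(sk, c_1): recompute the shared element and unmask m_k."""
    u, masked = c1
    return _xor(masked, _prf(b"kdf", pow(u, sk, P).to_bytes(4, "big")))


def enc(pk, msg):
    """Enc(pk, AONT, M'): transform, PKE-encrypt one random block, send the rest as c_2."""
    blocks = aont(msg, secrets.token_bytes(BLOCK))
    k = secrets.randbelow(len(blocks))
    return k, pke_enc(pk, blocks[k]), blocks[:k] + blocks[k + 1:]


def dec(sk, C):
    """Dec(sk, AONT, C): recover m_k, put it back at position k, invert the AONT."""
    k, c1, c2 = C
    return aont_inv(c2[:k] + [pke_dec(sk, c1)] + c2[k:])


def dec_without_block(C):
    """What the public part c_2 alone gives: invert with a blank block in slot k."""
    k, _, c2 = C
    return aont_inv(c2[:k] + [bytes(BLOCK)] + c2[k:])


if __name__ == "__main__":
    pk, sk = pke_gen()
    plaintext = b"constructed sample plaintext"
    C = enc(pk, plaintext)
    print("k =", C[0], "| public blocks:", len(C[2]), "| round trip ok:", dec(sk, C) == plaintext)
    print("recovered from c_2 alone:", dec_without_block(C) == plaintext)
```

Only one block of the n-block AONT output carries public-key overhead, so the ciphertext grows by a single PKE encryption regardless of message length.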

Appendix C

The Traitor Tracing Scheme

In [23], Tzeng and Tzeng proposed a $t$-collusion resistant public-key traitor tracing scheme $\mathrm{TR} = (\mathrm{Setup}, \mathrm{Encrypt}, \mathrm{Decrypt}, \mathrm{Trace})$ that can revoke at most $z$ traitors ($z \ge 2k$), where:

$\mathrm{Setup}(1^\lambda, n) \to \langle bk, tk, (sk_1, sk_2, \dots, sk_n) \rangle$

Given a security parameter $\lambda$ and the number of users $n$, the algorithm generates a $\lambda$-bit prime $q$ and a group $G$ of order $q$, chooses a generator $g$ of $G$ and $a_0, a_1, \dots, a_z \xleftarrow{\$} \mathbb{Z}_q$, and lets $f(x) = a_0 + a_1 x + \dots + a_z x^z \pmod q$. It sets

• the public broadcast key $bk := \langle q, g, g^{a_0}, g^{f(1)}, g^{f(2)}, \dots, g^{f(z)} \rangle$;

• the user private key $sk_\sigma := \langle i_\sigma, f(i_\sigma) \rangle$, where $i_\sigma \xleftarrow{\$} \mathbb{Z}_q^*$ with $i_\sigma > z$, for all $\sigma \in \{1, 2, \dots, n\}$.

$\mathrm{Encrypt}(bk, m) \xrightarrow{\$} c$

Given the broadcast key $bk$ and a plaintext $m \in \mathcal{M}$, the algorithm chooses unused shares $j_1, j_2, \dots, j_z \xleftarrow{\$} \mathbb{Z}_q^*$ with $j_i \ne i_\sigma$ for all $i \in \{1, 2, \dots, z\}$ and all $\sigma \in \{1, 2, \dots, n\}$, chooses $r \xleftarrow{\$} \mathbb{Z}_q^*$, and computes

$$c \xleftarrow{\$} \langle s\, g^{r a_0},\ g^r,\ (j_1, g^{r f(j_1)}),\ \dots,\ (j_z, g^{r f(j_z)}) \rangle.$$

$\mathrm{Decrypt}(sk_\sigma, c = \langle A, R, (j_1, Y_1), \dots, (j_z, Y_z) \rangle) \to m$

Given a user private key $sk_\sigma$ and the ciphertext $c$, the algorithm computes

$$s \leftarrow A \Big/ \Big[ R^{f(i_\sigma)\lambda_z} \cdot \prod_{i=0}^{z-1} Y_i^{\lambda_i} \Big],$$

where the $\lambda_i$ are the Lagrange coefficients.

$\mathrm{Trace}^D(tk, 1) \to S$

Given the tracing key $tk$ and a pirate decoder $D$ that decrypts all valid ciphertexts perfectly, used as a decryption oracle:

• Randomly select $z - m$ unused shares $j_1, j_2, \dots, j_{z-m}$, then set the probe ciphertext

$$c \xleftarrow{\$} \langle s\, g^{r a_0},\ g^r,\ (u_1, g^{r f(u_1)}), \dots, (u_m, g^{r f(u_m)}),\ (j_1, g^{r f(j_1)}), \dots, (j_{z-m}, g^{r f(j_{z-m})}) \rangle.$$

• If $D(c)$ does not output $m$, then $\{u_1, u_2, \dots, u_m\}$ is a possible traitor set.

(2) Output the smallest of all possible traitor sets found in (1).

Tables and figures:

Table 1.1: Scheme Comparison
Table 2.1: Length of the Fingerprinting Codes
Figure 3.1: Tracing Part
