Revocation and Tracing Schemes for Stateless Receivers, 2001
Cited by 135 (4 self)
Abstract. We deal with the problem of a center sending a message to a group of users such that some subset of the users is considered revoked and should not be able to obtain the content of the message. We concentrate on the stateless receiver case, where the users do not (necessarily) update their state from session to session. We present a framework called the Subset-Cover framework, which abstracts a variety of revocation schemes including some previously known ones. We provide sufficient conditions that guarantee the security of a revocation algorithm in this class. We describe two explicit Subset-Cover revocation algorithms; these algorithms are very flexible and work for any number of revoked users. The schemes require storage at the receiver of log N and (1/2) log² N keys respectively (N is the total number of users), and in order to revoke r users the required message lengths are of r log N and 2r keys respectively. We also provide a general traitor tracing mechanism that can be integrated with any Subset-Cover revocation scheme that satisfies a “bifurcation property”. This mechanism does not need an a priori bound on the number of traitors and does not expand the message length by much compared to the revocation of the same set of traitors. The main improvements of these methods over previously suggested methods, when adopted to the stateless scenario, are: (1) reducing the message length to O(r) regardless of the coalition size while maintaining a single decryption at the user’s end (2) provide a seamless integration between the revocation and tracing so that the tracing mechanism does not require any change to the revocation algorithm.

Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys, 2005
Cited by 77 (7 self)
We describe two new public key broadcast encryption systems for stateless receivers. Both systems are fully secure against any number of colluders. In our first construction both ciphertexts and private keys are of constant size (only two group elements), for any subset of receivers.

Key-insulated public key cryptosystems - In EUROCRYPT, 2002
Cited by 61 (9 self)
Abstract. Cryptographic computations (decryption, signature generation, etc.) are often performed on a relatively insecure device (e.g., a mobile device or an Internet-connected host) which cannot be trusted to maintain secrecy of the private key. We propose and investigate the notion of key-insulated security whose goal is to minimize the damage caused by secret-key exposures. In our model, the secret key(s) stored on the insecure device are refreshed at discrete time periods via interaction with a physically-secure — but computationally-limited — device which stores a “master key”. All cryptographic computations are still done on the insecure device, and the public key remains unchanged. In a (t, N)-key-insulated scheme, an adversary who compromises the insecure device and obtains secret keys for up to t periods of his choice is unable to violate the security of the cryptosystem for any of the remaining N − t periods. Furthermore, the scheme remains secure (for all time periods) against an adversary who compromises only the physically-secure device. We focus primarily on key-insulated public-key encryption. We construct a (t, N)-key-insulated encryption scheme based on any (standard) public-key encryption scheme, and give a more efficient construction based on the DDH assumption. The latter construction is then extended to achieve chosen-ciphertext security.

Combinatorial Properties of Frameproof and Traceability Codes - IEEE Transactions on Information Theory, 2000
Cited by 42 (10 self)
In order to protect copyrighted material, codes may be embedded in the content or codes may be associated with the keys used to recover the content. Codes can offer protection by providing some form of traceability for pirated data. Several researchers have studied different notions of traceability and related concepts in recent years. “Strong” versions of traceability allow at least one member of a coalition that constructs a “pirate decoder” to be traced. Weaker versions of this concept ensure that no coalition can “frame” a disjoint user or group of users. All these concepts can be formulated as codes having certain combinatorial properties. In this paper, we study the relationships between the various notions, and we discuss equivalent formulations using structures such as perfect hash families. We use methods from combinatorics and coding theory to provide bounds (necessary conditions) and constructions (sufficient conditions) for the objects of interest.

Efficient Trace and Revoke Schemes - Financial Cryptography - FC 2000, 2000
Cited by 42 (1 self)
Our goal is to design encryption schemes for mass distribution of data in which it is possible to (1) deter users from leaking their personal keys, (2) trace which users leaked keys to construct an illegal decryption device, and (3) revoke these keys as to render the device dysfunctional. We start by designing an efficient revocation scheme, based on secret sharing. It can remove up to t parties and is secure against coalitions of up to t users. The performance of this scheme is more efficient than that of previous schemes with the same properties. We then show how to enhance the revocation scheme with traitor tracing and self enforcement properties. More precisely, how to construct schemes such that (1) Each user's personal key contains some sensitive information of that user (e.g., the user's credit card number), in order to make users reluctant to disclose their keys. (2) An illegal decryption device discloses the identity of users that contributed keys to construct the device. And, (3) it is possible to revoke the keys of corrupt users. For the last point it is important to be able to do so without publicly disclosing the sensitive information.

Public Key Trace and Revoke Scheme Secure against Adaptive Chosen Ciphertext Attack - In Public Key Cryptography — PKC ’03, volume 2567 of LNCS, 2003
Cited by 30 (6 self)
Abstract. A (public key) Trace and Revoke Scheme combines the functionality of broadcast encryption with the capability of traitor tracing. Specifically, (1) a trusted center publishes a single public key and distributes individual secret keys to the users of the system; (2) anybody can encrypt a message so that all but a specified subset of “revoked” users can decrypt the resulting ciphertext; and (3) if a (small) group of users combine their secret keys to produce a “pirate decoder”, the center can trace at least one of the “traitors” given access to this decoder. We construct the first chosen ciphertext (CCA2) secure Trace and Revoke Scheme based on the DDH assumption. Our scheme is also the first adaptively secure scheme, allowing the adversary to corrupt players at any point during execution, while prior works (e.g., [14, 16]) only achieve a very weak form of non-adaptive security even against chosen plaintext attacks. Of independent interest, we present a slightly simpler construction that shows a “natural separation” between the classical notion of CCA2-security and the recently proposed [15, 1] relaxed notion of gCCA2-security.

Fully Collusion Resistant Traitor Tracing with Short Ciphertexts and Private Keys - EUROCRYPT 2006, volume 4004 of LNCS, 2006
Cited by 29 (6 self)
We construct a fully collusion resistant tracing traitors system with sublinear size ciphertexts and constant size private keys. More precisely, let N be the total number of users. Our system generates ciphertexts of size O(√N) and private keys of size O(1). We first introduce a simpler primitive we call private linear broadcast encryption (PLBE) and show that any PLBE gives a tracing traitors system with the same parameters. We then show how to build a PLBE system with O(√N) size ciphertexts. Our system uses bilinear maps in groups of composite order.

Public Key Broadcast Encryption for Stateless Receivers - In Digital Rights Management — DRM ’02, volume 2696 of LNCS, 2002
Cited by 28 (2 self)
Abstract. A broadcast encryption scheme allows the sender to securely distribute data to a dynamically changing set of users over an insecure channel. One of the most challenging settings for this problem is that of stateless receivers, where each user is given a fixed set of keys which cannot be updated through the lifetime of the system. This setting was considered by Naor, Naor and Lotspiech [17], who also present a very efficient “subset difference” (SD) method for solving this problem. The efficiency of this method was recently improved by Halevi and Shamir [12], who called their refinement the “Layered SD” (LSD) method. Both of the above methods were originally designed to work in the symmetric key setting, where only the trusted designer of the system can encrypt messages to users. On the other hand, in many applications it is desirable not to store the secret keys “on-line”, or to allow untrusted users to broadcast information. This leads to the question of building a public key broadcast encryption scheme for stateless receivers; in particular, of extending the elegant SD/LSD methods to the public key setting. Naor et al. [17] notice that the natural technique for doing so will result in an enormous public key and very large storage for every user. In fact, [17] pose this question of reducing the public key size and user’s storage as the first open problem of their paper. We resolve this question in the affirmative, by demonstrating that an O(1) size public key can be achieved for both of SD/LSD methods, in addition to the same (small) user’s storage and ciphertext size as in the symmetric key setting.

Scalable public-key tracing and revoking, 2005
Cited by 11 (3 self)
Traitor tracing schemes constitute a useful tool against piracy in the context of digital content distribution. They are encryption schemes that can be employed by content providers that wish to deliver content to an exclusive set of users. Each user holds a decryption key that is fingerprinted and bound to his identity. When a pirate decoder is discovered, it is possible to trace the identities of the users that contributed to its construction. In most settings, both the user population and the set of content providers are dynamic, thus scalable user management and scalable provider management are crucial. Previous work on public-key traitor tracing did not address the dynamic scenario thoroughly: no efficient scalable public-key traitor tracing scheme has been proposed, in which the populations of providers and users can change dynamically over time without incurring substantial penalty in terms of system performance and management complexity. To address these issues, we introduce a formal model for Scalable Public-Key Traitor Tracing, and present the first construction of such a scheme. Our model mandates for deterministic traitor tracing and unlimited number of efficient provider and user management operations. We present a formal adversarial model for our system and we prove our construction secure, against both adversaries that attempt to cheat the provider and user management mechanism, and adversaries that attempt to cheat the traitor tracing mechanism.

Efficient Traitor Tracing Algorithms using List Decoding - In Proceedings of ASIACRYPT ’01, volume 2248 of LNCS, 2001
Cited by 10 (0 self)
Abstract. We use powerful new techniques for list decoding error-correcting codes to efficiently trace traitors. Although much work has focused on constructing traceability schemes, the complexity of the tracing algorithm has received little attention. Because the TA tracing algorithm has a runtime of O(N) in general, where N is the number of users, it is inefficient for large populations. We produce schemes for which the TA algorithm is very fast. The IPP tracing algorithm, though less efficient, can list all coalitions capable of constructing a given pirate. We give evidence that when using an algebraic structure, the ability to trace with the IPP algorithm implies the ability to trace with the TA algorithm. We also construct schemes with an algorithm that finds all possible traitor coalitions faster than the IPP algorithm. Finally, we suggest uses for other decoding techniques in the presence of additional information about traitor behavior.

