Abstract. A credential system is a system in which users can obtain credentials from organizations and demonstrate possession of these credentials. Such a system is anonymous when transactions carried out by the same user cannot be linked. An anonymous credential system is of significant practical relevance because it is the best means of providing privacy for users. In this paper we propose a practical anonymous credential system that is based on the strong RSA assumption and the decisional Diffie-Hellman assumption modulo a safe prime product and is considerably superior to existing ones: (1) We give the first practical solution that allows a user to unlinkably demonstrate possession of a credential as many times as necessary without involving the issuing organization. (2) To prevent misuse of anonymity, our scheme is the first to offer optional anonymity revocation for particular transactions. (3) Our scheme offers separability: all organizations can choose their cryptographic keys independently of each other. Moreover, we suggest more effective means of preventing users from sharing their credentials, by introducing allor-nothing sharing: a user who allows a friend to use one of her credentials once, gives him the ability to use all of her credentials, i.e., taking over her identity. This is implemented by a new primitive, called circular encryption, which is of independent interest, and can be realized from any semantically secure cryptosystem in the random oracle model.

We address the problem of establishing a group key amongst a dynamic group of users over an unreliable, or Iossy, network. We term our key distribution mechanisms self-healing because users' are capable of recovering lost group keys on their own, without requesting additional transmissions from the group manager, thus cutting back on network traffic, decreasing the load on the group manager, and reducing the risk of user exposure through traffic analysis. A user must be a member both before and after the session in which a particular key is sent in order to be able to recover the key through self-healing. Binding the ability to recover keys' to membership status enables the group manager to use short broadcasts' to establish group keys', independent of the group size. In addition, the selfhealing approach to key distribution is stateless, meaning that a group member who has been off-line for some time is able to recover new session keys' immediately after coming back on-line.

Traitor tracing schemes as introduced by Chor, Fiat, and Naor at Crypto '94 are intended for tracing people who abuse a broadcast encryption scheme by allowing additional, illegitimate users to decrypt the data. The schemes should also provide legal evidence for such treachery. We discuss and improve the quality of such evidence, i.e., the security of trials that would be held about supposedly traced traitors. In particular, previous traitor tracing schemes are symmetric in the sense that legitimate users of the broadcast information share all their secrets with the information provider. Thus they cannot offer non-repudiation. We define asymmetric traitor tracing schemes, where the provider, confronted with treachery, obtains information that he could not have produced on his own, and that is therefore much better evidence. Examples of concrete...

. Fingerprinting schemes deter people from illegally redistributing digital data by enabling the original merchant of the data to identify the original buyer of a redistributed copy. So-called traitor-tracing schemes have the same goal for keys used to decrypt information that is broadcast in encrypted form. Recently, asymmetric fingerprinting and traitor-tracing schemes were introduced. Here, only the buyer knows the fingerprinted copy after a sale, and if the merchant finds this copy somewhere, he obtains a proof that he found the copy of this particular buyer. This gives both parties security in disputes. First constructions showed the validity of the concept. However, these constructions did not yet achieve much security against collusions, in contrast to known symmetric schemes. This paper presents asymmetric constructions without this restriction. 1 Introduction The main roles in a fingerprinting or traitor tracing scenario are: . merchants, who sell digital data, . buyers, w...

Abstract. The notion of traitor tracing was introduced by Chor, Fiat, and Naor [Tracing Traitors, Lecture Notes in Comput. Sci. 839, 1994, pp. 257–270] in order to combat piracy scenarios. Recently, Fiat and Tassa [Tracing Traitors, Lecture Notes in Comput. Sci. 1666, 1999, pp. 354–371] proposed a dynamic traitor tracing scenario, in which the algorithm adapts dynamically according to the responses of the pirate. Let n be the number of users and p the number of traitors. Our main result is an algorithm which locates p traitors, even if p is unknown, using a watermarking alphabet of size p + 1 and an optimal number of Θ(p 2 + p log n) rounds. This improves the exponential number of rounds achieved by Fiat and Tassa in this case. We also present two algorithms that use a larger alphabet: for an alphabet of size p + c +1, c ≥ 1, an algorithm that uses O(p 2 /c + p log n) rounds; for an alphabet of size pc + 1, an algorithm that uses O(p log c n) rounds. Our final result is a lower bound of Ω(p 2 /c + p log c+1 n) rounds for any algorithm that uses an alphabet of size p + c, assuming that p is not known in advance.

This work should show how traitor tracing can achieve the goal of piracy prevention and which measures can be taken against traitors and pirates in consideration of different assumptions. In the first part we define traitor tracing, its goals, usage and overview some of cryptographic schemes that help to trace the source of the leak. In the second part we go more detailed into asymmetric public-key traitor tracing, one of the techniques that support non-repudiation. Implementation of such scheme provides undeniable proof of the implication of the traitor subscribers. Therefore it gives the provider- in the context of pay television – more possibilities to take measures against the traitor/pirate.