## Public Key Trace and Revoke Scheme Secure against Adaptive Chosen Ciphertext Attack (2003)

Venue: In Public Key Cryptography — PKC ’03, volume 2567 of LNCS

Citations: 37 - 8 self

### BibTeX

```bibtex
@INPROCEEDINGS{Dodis03publickey,
  author = {Yevgeniy Dodis and Nelly Fazio},
  title = {Public Key Trace and Revoke Scheme Secure against Adaptive Chosen Ciphertext Attack},
  booktitle = {In Public Key Cryptography — PKC ’03, volume 2567 of LNCS},
  year = {2003},
  pages = {100--115},
  publisher = {Springer-Verlag}
}
```

### Abstract

A (public key) Trace and Revoke Scheme combines the functionality of broadcast encryption with the capability of traitor tracing. Specifically, (1) a trusted center publishes a single public key and distributes individual secret keys to the users of the system; (2) anybody can encrypt a message so that all but a specified subset of “revoked” users can decrypt the resulting ciphertext; and (3) if a (small) group of users combine their secret keys to produce a “pirate decoder”, the center can trace at least one of the “traitors” given access to this decoder. We construct the first chosen ciphertext (CCA2) secure Trace and Revoke Scheme based on the DDH assumption. Our scheme is also the first adaptively secure scheme, allowing the adversary to corrupt players at any point during execution, while prior works (e.g., [14, 16]) only achieves a very weak form of non-adaptive security even against chosen plaintext attacks. Of independent interest, we present a slightly simpler construction that shows a “natural separation” between the classical notion of CCA2 security and the recently proposed [15, 1] relaxed notion of gCCA2 security.

### Citations

461 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack
- Cramer, Shoup
- 1998
Citation Context ...symmetric setting. Moreover, it doesn't seem obvious how to extend current symmetric schemes (e.g. [18]) to meet the CCA2 notion. Our public key scheme is based on the regular Cramer-Shoup encryption [7, 8], but our extension is non-trivial, as we have to resolve some difficulties inherent to the Broadcast Encryption setting. Our CCA2-secure scheme requires a constant user storage and a 2 public key size ...

430 | Secure group communications using key graphs
- Wong, Gouda, et al.
- 1998
Citation Context ...3], and, more recently, [18, 14] which show how to achieve linear message overhead O(z) and ω(log N) storage per user. ⋆ Extended version of [10]. 1 A related line of work concerns multicast security [22, 17, 23, 4, 5]. However, in this setting revoking a single user involves changing the keys for all the users, which makes it inapplicable to situations where the receivers are "stateless", do not always stay "on-li...

352 | A concrete security treatment of symmetric encryption: Analysis of DES modes of operation
- Bellare, Desai, et al.
Citation Context ...ry the Encryption Oracle (sometimes also called the left-or-right oracle) E PK,R,# (, ) on any pair of session keys s 0 , s 1 . 1 This oracle returns Enc(PK, s # , R). Without loss of generality (see [2]), we can assume that the encryption oracle is called exactly once, and returns to A the challenge enabling block T # . At the end of this second stage, A outputs a bit # # which she thinks is equal t...

250 | Broadcast encryption
- Fiat, Naor
- 1994
Citation Context ...s numerous applications, including pay-TV systems, distribution of copyrighted material, streaming audio/video and many others. The formal study of broadcast encryption was initiated by Fiat and Naor [11], who showed a scheme with message overhead roughly O(z^2 log^2 z log N), where z is the maximum number of excluded users (so called revocation threshold) and N is the total number of users. Subseque...

245 | Key management for multicast: Issues and architectures
- Wallner, Harder, et al.
- 1998
Citation Context ...3], and, more recently, [18, 14] which show how to achieve linear message overhead O(z) and ω(log N) storage per user. ⋆ Extended version of [10]. 1 A related line of work concerns multicast security [22, 17, 23, 4, 5]. However, in this setting revoking a single user involves changing the keys for all the users, which makes it inapplicable to situations where the receivers are "stateless", do not always stay "on-li...

197 | Multicast security: a taxonomy and some efficient constructions
- Canetti, Garay, et al.
- 1999
Citation Context ...3], and, more recently, [18, 14] which show how to achieve linear message overhead O(z) and ω(log N) storage per user. ⋆ Extended version of [10]. 1 A related line of work concerns multicast security [22, 17, 23, 4, 5]. However, in this setting revoking a single user involves changing the keys for all the users, which makes it inapplicable to situations where the receivers are “stateless”, do not always stay “on-li...

196 | The decision Diffie-Hellman problem
- Boneh
- 1998
Citation Context ...he group G: namely, it is computationally hard to distinguish a random tuple (g1, g2, u1, u2) of four independent elements in G from a random tuple satisfying log g1 u1 = log g2 u2 (for a survey, see [3]). 3 A Probabilistic Lemma. The following useful lemma states that to estimate the difference between two related experiments U1 and U2, it is sufficient to bound the probability of some event F which...

190 | Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack. Cryptology ePrint Archive, Report 2001/108
- Cramer, Shoup
- 2001
Citation Context ...AC-ing something that depends on the MAC key k, which could be a problem. Luckily, the Information-Theoretic nature of the structural approach to the security analysis that we are pursuing (following [8]) allows us to prove that actually k is completely hidden within S, so that MAC-ing the resulting tag with k is still secure. The solution to the CCA2 problem for Broadcast Encryption Schemes and the ...

177 | Key establishment in large dynamic groups using one-way function trees
- McGrew, Sherman
- 2003
Citation Context ...3], and, more recently, [18, 14] which show how to achieve linear message overhead O(z) and ω(log N) storage per user. ⋆ Extended version of [10]. 1 A related line of work concerns multicast security [22, 17, 23, 4, 5]. However, in this setting revoking a single user involves changing the keys for all the users, which makes it inapplicable to situations where the receivers are "stateless", do not always stay "on-li...

174 | Revocation and tracing schemes for stateless receivers
- Naor, Naor, et al.
Citation Context ... O(z^2 log^2 z log N), where z is the maximum number of excluded users (so called revocation threshold) and N is the total number of users. Subsequent works include [16, 15, 13], and, more recently, [18, 14] which show how to achieve linear message overhead O(z) and ω(log N) storage per user. ⋆ Extended version of [10]. 1 A related line of work concerns multicast security [22, 17, 23, 4, 5]. However, in ...

146 | Tracing traitors
- Chor, Fiat, et al.
- 1994
Citation Context ...ing of broadcast public key encryption. A Note on Traitor Tracing. As first explicitly noticed by Gafni et al. [12], Broadcast Encryption is most useful when combined with a Traitor Tracing mechanism [6] by which the center can extract the identity of (at least one) "pirate" from any illegal decoder produced combining decryption equipments of a group of legal members (the "traitors"). By slightly mod...

139 | On the security of joint signature and encryption
- An, Dodis, et al.
- 2002
Citation Context ...in the symmetric setting. Of independent interest, we present a slightly simpler construction that shows a "natural separation" between the classical notion of CCA2 security and the recently proposed [20, 1] relaxed notion of gCCA2 security. 1 Introduction A broadcast encryption scheme allows the sender to securely distribute data to a dynamically changing set of users over an insecure channel. Namely, i...

111 | A proposal for the ISO standard for public-key encryption (version 2.0). Available from http://shoup.net
- Shoup
Citation Context ... chosen plaintext attacks. Of independent interest, we present a slightly simpler construction that shows a “natural separation” between the classical notion of CCA2 security and the recently proposed [15, 1] relaxed notion of gCCA2 security. 1 Introduction A broadcast encryption scheme allows the sender to securely distribute data to a dynamically changing set of users over an insecure channel. Namely, it...

90 | The LSD broadcast encryption scheme
- Halevy, Shamir
Citation Context ... O(z^2 log^2 z log N), where z is the maximum number of excluded users (so called revocation threshold) and N is the total number of users. Subsequent works include [16, 15, 13], and, more recently, [18, 14] which show how to achieve linear message overhead O(z) and ω(log N) storage per user. ⋆ Extended version of [10]. 1 A related line of work concerns multicast security [22, 17, 23, 4, 5]. However, in ...

67 | Efficient communication-storage tradeoffs for multicast encryption
- Canetti, Malkin, et al.
- 1999
Citation Context ...3], and, more recently, [18, 14] which show how to achieve linear message overhead O(z) and ω(log N) storage per user. ⋆ Extended version of [10]. 1 A related line of work concerns multicast security [22, 17, 23, 4, 5]. However, in this setting revoking a single user involves changing the keys for all the users, which makes it inapplicable to situations where the receivers are “stateless”, do not always stay “on-li...

55 | Combinatorial bounds for broadcast encryption
- Luby, Staddon
- 1998
Citation Context ...heme with message overhead roughly O(z^2 log^2 z log N), where z is the maximum number of excluded users (so called revocation threshold) and N is the total number of users. Subsequent works include [16, 15, 13], and, more recently, [18, 14] which show how to achieve linear message overhead O(z) and ω(log N) storage per user. ⋆ Extended version of [10]. 1 A related line of work concerns multicast security [2...

52 | Efficient trace and revoke schemes
- Naor, Pinkas
- 2000
Citation Context ...and Revoke Scheme based on the DDH assumption. Our scheme is also the first adaptively secure scheme, allowing the adversary to corrupt players at any point during execution, while prior works (e.g., [19, 21]) only achieves a very weak form of non-adaptive security even against chosen plaintext attacks. In fact, no CCA2 scheme was known even in the symmetric setting. Of independent interest, we present a ...

42 | Long-lived broadcast encryption
- Garay, Staddon, et al.
Citation Context ...heme with message overhead roughly O(z^2 log^2 z log N), where z is the maximum number of excluded users (so called revocation threshold) and N is the total number of users. Subsequent works include [16, 15, 13], and, more recently, [18, 14] which show how to achieve linear message overhead O(z) and ω(log N) storage per user. ⋆ Extended version of [10]. 1 A related line of work concerns multicast security [2...

38 | The Decision Diffie-Hellman Problem
- Boneh
- 1998
Citation Context ...namely, it is computationally hard to distinguish a random tuple (g1, g2, u1, u2) of four independent elements in G from a random tuple satisfying log g1 u1 = log g2 u2 (for a survey, see [3]). 3 A Probabilistic Lemma. The following useful lemma states that to estimate the difference between two related experiments U1 and U2, it is sufficient to bound the probability of some event F which...

36 | Coding constructions for blacklisting problems without computational assumptions
- Kumar, Rajagopalan, et al.
- 1999
Citation Context ...heme with message overhead roughly O(z^2 log^2 z log N), where z is the maximum number of excluded users (so called revocation threshold) and N is the total number of users. Subsequent works include [16, 15, 13], and, more recently, [18, 14] which show how to achieve linear message overhead O(z) and ω(log N) storage per user. ⋆ Extended version of [10]. 1 A related line of work concerns multicast security [2...

32 | Efficient methods for integrating traceability and broadcast encryption
- Gafni, Staddon, et al.
- 1999
Citation Context ...g CCA2-secure encryption. Our work shows the first "natural" separation, but for the setting of broadcast public key encryption. A Note on Traitor Tracing. As first explicitly noticed by Gafni et al. [12], Broadcast Encryption is most useful when combined with a Traitor Tracing mechanism [6] by which the center can extract the identity of (at least one) "pirate" from any illegal decoder produced combi...

16 | W.G.: A public-key traitor tracing scheme with an optimal transmission rate
- Chen, Tzeng
Citation Context ...and Revoke Scheme based on the DDH assumption. Our scheme is also the first adaptively secure scheme, allowing the adversary to corrupt players at any point during execution, while prior works (e.g., [19, 21]) only achieves a very weak form of non-adaptive security even against chosen plaintext attacks. In fact, no CCA2 scheme was known even in the symmetric setting. Of independent interest, we present a ...

10 | Multicast Security: A Taxonomy and Some Efficient Constructions
- Canetti, Garay, et al.
- 1999
Citation Context ...3], and, more recently, [18, 14] which show how to achieve linear message overhead O(z) and ω(log N) storage per user. ⋆ Extended version of [10]. 1 A related line of work concerns multicast security [22, 17, 23, 4, 5]. However, in this setting revoking a single user involves changing the keys for all the users, which makes it inapplicable to situations where the receivers are "stateless", do not always stay "on-li...

7 | Efficient Communication-Storage Tradeoffs for Multicast Encryption
- Canetti, Malkin, et al.
- 1999

5 | Public Key Broadcast Encryption for Stateless Receivers
- Dodis, Fazio
- 2002
Citation Context ...se schemes are essentially identical: in the following we will refer to the work of [21], who emphasize more the public key nature of their scheme. Concurrently with the present work, Dodis and Fazio [9] extended the efficient scheme of [18] to the asymmetric setting. The resulting public key Broadcast Encryption Scheme achieves constant key size, while maintaining similar ciphertext expansion, but doe...

1 | Efficient Trace and Revoke Schemes
- Naor, Pinkas
- 2000
Citation Context ...and Revoke Scheme based on the DDH assumption. Our scheme is also the first adaptively secure scheme, allowing the adversary to corrupt players at any point during execution, while prior works (e.g., [19, 21]) only achieves a very weak form of non-adaptive security even against chosen plaintext attacks. In fact, no CCA2 scheme was known even in the symmetric setting. Of independent interest, we present a ...