We construct the first chosen ciphertext (CCA2) secure Trace and Revoke Scheme based on the DDH assumption. Our scheme is also the first adaptively secure scheme, allowing the adversary to corrupt players at any point during execution, while prior works (e.g., [NP00,TT01]) only achieve a very weak form of non-adaptive security even against chosen plaintext attacks. In fact, no CCA2 scheme was known even in the symmetric setting.
Of independent interest, we present a slightly simpler construction that shows a "natural separation" between the classical notion of CCA2 security and the recently proposed [Sho01,ADR02] relaxed notion of gCCA2 security.
Category / Keywords: public-key cryptography / Broadcast Encryption, Adaptive CCA Security, Revocation, Traceability
Publication Info: Appeared in Public Key Cryptography --- PKC '03
Date: received 14 May 2003
Contact author: fazio at cs nyu edu
Note: Extended version.
Version: 20030517:002818
Short URL: ia.cr/2003/095