Paper 2003/095

Public Key Trace and Revoke Scheme Secure against Adaptive Chosen Ciphertext Attack

Yevgeniy Dodis and Nelly Fazio


A (public key) Trace and Revoke Scheme combines the functionality of broadcast encryption with the capability of traitor tracing. Specifically, (1) a trusted center publishes a single public key and distributes individual secret keys to the users of the system; (2) anybody can encrypt a message so that all but a specified subset of ``revoked'' users can decrypt the resulting ciphertext; and (3) if a (small) group of users combine their secret keys to produce a ``pirate decoder'', the center can trace at least one of the ``traitors'' given access to this decoder. We construct the first chosen ciphertext (CCA2) secure Trace and Revoke Scheme based on the DDH assumption. Our scheme is also the first adaptively secure scheme, allowing the adversary to corrupt players at any point during execution, while prior works (e.g., [NP00,TT01]) only achieves a very weak form of non-adaptive security even against chosen plaintext attacks. In fact, no CCA2 scheme was known even in the symmetric setting. Of independent interest, we present a slightly simpler construction that shows a ``natural separation'' between the classical notion of CCA2 security and the recently proposed [Sho01,ADR02] relaxed notion of gCCA2 security.

Note: Extended version.

Available format(s)
Public-key cryptography
Publication info
Published elsewhere. Appeared in Public Key Cryptography --- PKC '03
Broadcast EncryptionAdaptive CCA SecurityRevocationTraceability
Contact author(s)
fazio @ cs nyu edu
2003-05-17: received
Short URL
Creative Commons Attribution


      author = {Yevgeniy Dodis and Nelly Fazio},
      title = {Public Key Trace and Revoke Scheme Secure against Adaptive Chosen Ciphertext Attack},
      howpublished = {Cryptology ePrint Archive, Paper 2003/095},
      year = {2003},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.