Paper 2004/160

Scalable Public-Key Tracing and Revoking

Yevgeniy Dodis, Nelly Fazio, Aggelos Kiayias, and Moti Yung


Traitor Tracing Schemes constitute a very useful tool against piracy in the context of digital content broadcast. In such multi-recipient encryption schemes, each decryption key is fingerprinted and when a pirate decoder is discovered, the authorities can trace the identities of the users that contributed in its construction (called traitors). Public-key traitor tracing schemes allow for a multitude of non-trusted content providers using the same set of keys, which makes the scheme ``server-side scalable.'' To make such schemes also ``client-side scalable,'' i.e. long lived and usable for a large population of subscribers that changes dynamically over time, it is crucial to implement efficient Add-user and Remove-user operations. Previous work on public-key traitor tracing did not address this dynamic scenario thoroughly, and there is no efficient scalable public key traitor tracing scheme that allows an increasing number of Add-user and Remove-user operations. To address these issues, we introduce the model of Scalable Public-Key Traitor Tracing, and present the first construction of such a scheme. Our model mandates for deterministic traitor tracing and an unlimited number of efficient Add-user operations and Remove-user operations. A scalable system achieves an unlimited number of revocations while retaining high level of efficiency by dividing the run-time of the system into periods. Each period has a saturation level for the number of revocations. When a period becomes saturated, an _efficient_ New-period operation is issued by the system server that resets the saturation level. We present a formal adversarial model for our system taking into account its periodic structure, and we prove our construction secure, both against adversaries that attempt to cheat the revocation mechanism as well as against adversaries that attempt to cheat the traitor tracing mechanism.

Note: The present version corrects a flaw in the main scheme proposed in the extended abstract. Also, the presentation has been improved, and it now includes a detailed security analysis and proofs of all lemmata.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. Extended abstract of this work appears in proceeding of PODC 2004
Digital Content DistributionTraitor TracingScalabilityBroadcast EncryptionMulticast
Contact author(s)
fazio @ cs nyu edu
2004-07-10: revised
2004-07-09: received
See all versions
Short URL
Creative Commons Attribution


      author = {Yevgeniy Dodis and Nelly Fazio and Aggelos Kiayias and Moti Yung},
      title = {Scalable Public-Key Tracing and Revoking},
      howpublished = {Cryptology ePrint Archive, Paper 2004/160},
      year = {2004},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.