Paper 2013/844

A generic view on trace-and-revoke broadcast encryption schemes

Dennis Hofheinz and Christoph Striecks


At Eurocrypt 2011, Wee presented a generalization of threshold public key encryption, threshold signatures, and revocation schemes arising from threshold extractable hash proof systems. In particular, he gave instances of his generic revocation scheme from the DDH assumption (which led to the Naor-Pinkas revocation scheme), and from the factoring assumption (which led to a new revocation scheme). We expand on Wee's work in two directions: (a) We propose threshold extractable hash proof instantiations from the "Extended Decisional Diffie-Hellman" (EDDH) assumption due to Hemenway and Ostrovsky (PKC 2012). This in particular yields EDDH-based variants of threshold public key encryption, threshold signatures, and revocation schemes. In detail, this yields a DCR-based revocation scheme. (b) We show that our EDDH-based revocation scheme allows for a mild form of traitor tracing (and, thus, yields a new trace-and-revoke scheme). In particular, compared to Wee's factoring-based scheme, our DCR-based scheme has the advantage that it allows to trace traitors.

Available format(s)
Publication info
Published elsewhere. Minor revision. CT-RSA-2014
broadcast encryptionrevocation schemetraitor tracingtrace-and-revoke schemethreshold extractable hash proof systemextended decisional Diffie-Hellman
Contact author(s)
Christoph Striecks @ kit edu
2014-03-28: last of 2 revisions
2013-12-17: received
See all versions
Short URL
Creative Commons Attribution


      author = {Dennis Hofheinz and Christoph Striecks},
      title = {A generic view on trace-and-revoke broadcast encryption schemes},
      howpublished = {Cryptology ePrint Archive, Paper 2013/844},
      year = {2013},
      doi = {10.1007/978-3-319-04852-9_3},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.