Paper 2017/1117

Risky Traitor Tracing and New Differential Privacy Negative Results

Rishab Goyal and Venkata Koppula and Brent Waters

Abstract

In this work we seek to construct collusion-resistant traitor tracing systems with small ciphertexts from standard assumptions that also move toward practical efficiency. In our approach we will hold steadfast to the principle of collusion resistance, but relax the requirement on catching a traitor from a successful decoding algorithm. We define a $f$-risky traitor tracing system as one where the probability of identifying a traitor is $f(\lambda,n)$ times the probability a successful box is produced. We then go on to show how to build such systems from composite order bilinear groups with assumptions close to those used in prior works. Our core system achieves $f(\lambda,n) = \frac{1}{n}$ where ciphertexts consists of three group elements and decryption requires just two pairing operations. In addition, we show a generic way to increase $f$ by approximately a factor of $k$ if we increase the size of the ciphertext and decryption time also by a factor of $k$. At first glance the utility of such a system might seem questionable since the $f$ we achieve for short ciphertexts is relatively small. Indeed an attacker in such a system can more likely than not get away with producing a decoding box. However, we believe this approach to be viable for three reasons: 1. A risky traitor tracing system will provide deterrence against risk averse attackers. In some settings the consequences of being caught might bear a high cost and an attacker will have to weigh his utility of producing a decryption $D$ box against the expected cost of being caught. 2. One potential use of a risky traitor tracing system is to place it in a continual use situation where users will periodically receive fresh traitor tracing secret keys via a key refresh mechanism that is built using standard encryption. If an attacker wishes to produce a decoder $D$ that continues to work through these refreshes the decoder will be taking an $f$ risk of being caught after each key refresh, which presents a Russian roulette situation for the attacker. 2. Finally, we can capture impossibility results for differential privacy from risky traitor tracing. Since our ciphertexts are short ($O(\lambda)$), thus we get the negative result which matches what one would get plugging in the obfuscation based tracing system Boneh-Zhandry (CRYPTO 2014) solution into the prior impossibility result of Dwork et al. (STOC 2009).