Collusion Resistant Trace-and-Revoke for Arbitrary Identities from Standard Assumptions

Sam Kim; David J. Wu

Cryptology ePrint Archive: Report 2019/984

Collusion Resistant Trace-and-Revoke for Arbitrary Identities from Standard Assumptions

Sam Kim and David J. Wu

Abstract: A traitor tracing scheme is a multi-user public-key encryption scheme where each user in the system holds a decryption key that is associated with the user's identity. Using the public key, a content distributor can encrypt a message to all of the users in the system. At the same time, if a malicious group of users combine their respective decryption keys to build a "pirate decoder," there is an efficient tracing algorithm that the content distributor can use to identify at least one of the keys used to construct the decoder. A trace-and-revoke scheme is an extension of a standard traitor tracing scheme where there is an additional key-revocation mechanism that the content distributor can use to disable the decryption capabilities of compromised keys. Namely, during encryption, the content distributor can encrypt a message with respect to a list of revoked users such that only non-revoked users can decrypt the resulting ciphertext.

Trace-and-revoke schemes are challenging to construct. Existing constructions from standard assumptions can only tolerate bounded collusions (i.e., there is an a priori bound on the number of keys an adversary obtains), have system parameters that scale exponentially in the bit-length of the identities, or satisfy weaker notions of traceability that are vulnerable to certain types of "pirate evolution" attacks. In this work, we provide the first construction of a trace-and-revoke scheme that is fully collusion resistant and capable of supporting arbitrary identities (i.e., the identities can be drawn from an exponential-size space). Our scheme supports public encryption and secret tracing, and can be based on the sub-exponential hardness of the LWE problem (with a super-polynomial modulus-to-noise ratio). The ciphertext size in our construction scales logarithmically in the size of the identity space and linearly in the size of the revocation list. Our scheme leverages techniques from both combinatorial and algebraic constructions for traitor tracing.

Category / Keywords: public-key cryptography / traitor tracing, revocation

Original Publication (with major differences): IACR-ASIACRYPT-2020

Date: received 28 Aug 2019, last revised 26 Aug 2020

Contact author: skim13 at cs stanford edu, dwu4 at virginia edu

Available format(s): PDF | BibTeX Citation

Version: 20200826:164100 (All versions of this report)

Short URL: ia.cr/2019/984

[ Cryptology ePrint archive ]