International Journal of Information Security

, Volume 9, Issue 6, pp 411–424 | Cite as

Efficient trace and revoke schemes

  • Moni Naor
  • Benny PinkasEmail author
Special Issue Paper


Our goal is to design encryption schemes for mass distribution of data , which enable to (1) deter users from leaking their personal keys, (2) trace the identities of users whose keys were used to construct illegal decryption devices, and (3) revoke these keys as to render the devices dysfunctional. We start by designing an efficient revocation scheme, based on secret sharing. It can remove up to t parties, is secure against coalitions of up to t users, and is more efficient than previous schemes with the same properties. We then show how to enhance the revocation scheme with traitor tracing and self-enforcement properties. More precisely, how to construct schemes such that (1) each user’s personal key contains some sensitive information of that user (e.g., the user’s credit card number), in order to make users reluctant to disclose their keys. (2) An illegal decryption device discloses the identity of users that contributed keys to construct the device. And, (3) it is possible to revoke the keys of corrupt users. For the last point, it is important to be able to do so without publicly disclosing the sensitive information.


User revocation Broadcast encryption Tracing traitors Self-enforcement Copyright protection 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Anzai, J., Matsuzaki, N., Matsumoto, T.: A quick group key distribution scheme with entity revocation. Adv. in Cryptology—Asiacrypt’99. LNCS 1716, pp. 333–347. Springer, Berlin (1999)Google Scholar
  2. 2.
    Blakley G.R.: Safeguarding cryptographic keys. AFIPS Conference Proceedings 48, 313–317 (1979)Google Scholar
  3. 3.
    Boneh, D.: The decision diffie-hellman problem. In Proceedings of the Third Algorithmic Number Theory Symposium. LNCS Vol. 1423, pp. 48–63. Springer, Berlin (1998)Google Scholar
  4. 4.
    Boneh, D., Franklin, M.: An efficient public key traitor tracing scheme. In: Adv. in Cryptology—Crypto ’99, Springer- LNCS 1666 (1999), pp. 338–353, and a full version available at
  5. 5.
    Boneh, D., Shaw, J.: Collusion-secure fingerprinting for digital date. In: Proceedings of Advances in Cryptology—Crypto ’95, pp. 452–465 (1995)Google Scholar
  6. 6.
    Canetti, R., Garay, J., Itkis, G., Micciancio, D., Naor, M., Pinkas, B.: Multicast security: a taxonomy and some efficient constructions. In: Proceedings of INFOCOM ’99, vol. 2, pp. 708–716. New York, NY, March (1999)Google Scholar
  7. 7.
    Canetti, R., Malkin, T., Nissim, K.: Efficient communication-storage tradeoffs for multicast encryption. In: Proceedings of Advances in Cryptology—Eurocrypt ’99. LNCS 1592, pp. 459–474. Springer, Berlin (1999)Google Scholar
  8. 8.
    Chor, B., Fiat, A., Naor, M.: Tracing traitors. In: Proceedings of Advances in Cryptology—Crypto ’94. LNCS vol. 839, pp. 257–270. Springer, Berlin (1994)Google Scholar
  9. 9.
    Chor B., Fiat A., Naor M., Pinkas B.: Tracing traitors. IEEE Trans. Inf. Theor. 46(3), 893–910 (2000)zbMATHCrossRefGoogle Scholar
  10. 10.
    Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptove chosen ciphertext attacks. In: Proceedings of Advances in Cryptology—Crypto ’98. LNCS 1462, pp. 13–25. Springer, Berlin (1998)Google Scholar
  11. 11.
    Cohen H.: A Course in Computational Algebraic Number Theory. Springer, Berlin (1996)Google Scholar
  12. 12.
    Cox, I., Kilian, J., Leighton, T., Shamoon, T.: A secure, robust watermark for multimedia. Information Hiding Workshop, Cambridge, UK. LNCS 1174, pp. 185–206. Springer, Berlin (1996)Google Scholar
  13. 13.
    Diffie W., Hellman M.E.: New directions in cryptography. IEEE Trans. Inf. Theor. 22, 644–654 (1976)zbMATHCrossRefMathSciNetGoogle Scholar
  14. 14.
    Dwork, C., Lotspiech, J., Naor, M.: Digital signets: self-enforcing protection of digital information. In: 28th Symposium on the Theory of Computation, pp. 489–498 (1996)Google Scholar
  15. 15.
    ElGamal, T.: A public key cryptosystem a signature scheme based on discrete logarithms. In: Proceedings of Advances in Cryptology—Crypto ’84. LNCS 196, pp. 10–18. Springer, Berlin (1985)Google Scholar
  16. 16.
    Feldman, P.: A practical scheme for non-interactive verifiable secret sharing. In: Proceedings of 28th IEEE Symposium on Foundations of Computer Science, pp. 427–437 (1987)Google Scholar
  17. 17.
    Fiat, A., Naor, M.: Broadcast encryption. Advances in Cryptology–CRYPTO ’93. LNCS 773, pp. 480–491. Springer, Berlin (1994)Google Scholar
  18. 18.
    Gafni, E., Staddon, J., Yin, Y.L.: Efficient methods for integrating traceability and broadcast encryption. In: Proceedings of Advances in Cryptology—Crypto ’99. LNCS 1666, pp. 372–387. Springer, Berlin (1999)Google Scholar
  19. 19.
    Goldreich O., Goldwasser S., Micali S.: How to construct random functions. J. ACM 33, 792–807 (1986)CrossRefMathSciNetGoogle Scholar
  20. 20.
    Kiayias, A., Yung, M.: Self protecting pirates and black-box traitor tracing. In: Adv. in Cryptology—Crypto ’2001. LNCS 2139, pp. 63–79. Springer, Berlin (2001)Google Scholar
  21. 21.
    Kumar, R., Rajagopalan, S., Sahai, A.: Coding constructions for blacklisting problems without computational assumptions. Adv. in Cryptology—Crypto ’99. LNCS 1666, pp. 609–623. Springer, Berlin (1999)Google Scholar
  22. 22.
    Kurosawa, K., Desmedt, Y.: Optimum traitor tracing and asymmetric schemes. In: Advances in Cryptology–Eurocrypt ’98. LNCS 1403, pp. 145–157. Springer, Berlin (1998)Google Scholar
  23. 23.
    Luby M.: Pseudo-Randomness and Applications. Princeton University Press, NJ (1996)Google Scholar
  24. 24.
    MacWilliams F.J., Sloane N.J.A.: The Theory of Error-Corecting Codes. North Holland, Amsterdam (1977)Google Scholar
  25. 25.
    Menezes A.J., van Oorschot P.C., Vanstone S.A.L.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996)CrossRefGoogle Scholar
  26. 26.
    Naor, D., Naor, M., Lotspiech, J.B.: Revocation and tracing schemes for stateless receivers. In: Proceedings of Advances in Cryptology—Crypto ’01. LNCS 2139, pp. 41–62. Springer, Berlin (2001)Google Scholar
  27. 27.
    Naor, M., Pinkas, B.: Threshold traitor tracing. In: Proceedings of Advances in Cryptology—Crypto ’98. LNCS 1462, pp. 502–517. Springer, Berlin (1998)Google Scholar
  28. 28.
    Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. In: Proceeding of 38th IEEE Symposium on Foundations of Computer Science, pp. 458–467 (1997)Google Scholar
  29. 29.
    Shamir A.: How to share a secret. Comm. ACM 22(11), 612–613 (1979)zbMATHCrossRefMathSciNetGoogle Scholar
  30. 30.
    Haber, S., Pinkas, B.: Combining Public Key Cryptosystems. In: Proceedings of the ACM Computer and Security Conference, Nov (2001)Google Scholar
  31. 31.
    Stinson, D.R., Wei, R.: Key preassigned traceability schemes for broadcast encryption, SAC’98. LNCS 1556, Springer, Berlin (1998)Google Scholar
  32. 32.
    Stinson D.R., Wei R.: Combinatorial properties and constructions of traceability schemes and frameproof codes. SIAM J Discret. Math. 11(1), 41–53 (1998)zbMATHCrossRefMathSciNetGoogle Scholar
  33. 33.
    Wallner, D.M., Harder, E.J., Agee, R.C.: Key Management for Multicast: Issues and Architectures, Internet Request for Comments 2627, June, 1999. Available:
  34. 34.
    Welch, L.R., Berlekamp, E.R.: Error Correction for Algebraic Blockcodes, U.S. Patent 4633470, issued Dec. 30 (1986)Google Scholar
  35. 35.
    Wong, C.K., Gouda, M., Lam, S.: Secure Group Communications Using Key Graphs. In: Proceeding of ACM Sigcomm ’98, Sept. 2–4, pp. 68–79. Vancouver, CanadaGoogle Scholar

Copyright information

© Springer-Verlag 2010

Authors and Affiliations

  1. 1.Department of Computer Science and Applied MathWeizmann Institute of ScienceRehovotIsrael
  2. 2.Department of Computer ScienceUniversity of HaifaHaifaIsrael

Personalised recommendations