Revocation and Tracing Schemes for Stateless Receivers

  • Dalit Naor
  • Moni Naor
  • Jeff Lotspiech
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2139)


We deal with the problem of a center sending a message to a group of users such that some subset of the users is considered revoked and should not be able to obtain the content of the message. We concentrate on the stateless receiver case, where the users do not (necessarily) update their state from session to session. We present a framework called the Subset-Cover framework, which abstracts a variety of revocation schemes including some previously known ones. We provide sufficient conditions that guarantees the security of a revocation algorithm in this class.

We describe two explicit Subset-Cover revocation algorithms; these algorithms are very flexible and work for any number of revoked users. The schemes require storage at the receiver of log N and 1/2 log2 N keys respectively (N is the total number of users), and in order to revoke r users the required message lengths are of r log N and 2r keys respectively. We also provide a general traitor tracing mechanism that can be integrated with any Subset-Cover revocation scheme that satisfies a “bifurcation property”. This mechanism does not need an a priori bound on the number of traitors and does not expand the message length by much compared to the revocation of the same set of traitors.

The main improvements of these methods over previously suggested methods, when adopted to the stateless scenario, are: (1) reducing the message length to O(r) regardless of the coalition size while maintaining a single decryption at the user’s end (2) provide a seamless integration between the revocation and tracing so that the tracing mechanisms does not require any change to the revocation algorithm.


Broadcast Encryption Revocation scheme Tracing scheme Copyright Protection 


  1. 1.
    J. Anzai, N. Matsuzaki and T. Matsumoto, A Quick Group Key Distribution Sceheme with “Entity Revocation”, Advances in Cryptology-Asiacrypt’ 99, LNCS 1716, Springer, 1999, pp. 333–347.Google Scholar
  2. 2.
    O. Berkman, M. Parnas and J. Sgall, Efficient Dynamic Traitor Tracing, Proc. of the 11th ACM-SIAM Symp. on Discrete Algorithms (SODA), pp. 586–595, 2000.Google Scholar
  3. 3.
    D. Boneh and M. Franklin, An efficient public key traitor tracing scheme, Advances in Cryptology-Crypto’ 99, LNCS 1666, Springer, 1999, pp. 338–353.Google Scholar
  4. 4.
    D. Boneh, and J. Shaw, Collusion Secure Fingerprinting for Digital Data, IEEE Transactions on Information Theory, Vol 44, No. 5, pp. 1897–1905, 1998.zbMATHCrossRefMathSciNetGoogle Scholar
  5. 5.
    R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor and B. Pinkas, Multicast Security: A Taxonomy and Some Efficient Constructions, Proc. of INFOCOM’ 99, Vol. 2, pp. 708–716, New York, NY, March 1999.Google Scholar
  6. 6.
    R. Canetti, T. Malkin, K. Nissim, Efficient Communication-Storage Tradeoffs for Multicast Encryption, Advances in Cryptology-EUROCRYPT’ 99, LNCS 1592, Springer, 1999, pp. 459–474.Google Scholar
  7. 7.
    R. Cramer and V. Shoup, A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack. Advances in Cryptology-CRYPTO 1999, Lecture Notes in Computer Science 1462, Springer, pp. 13–25.Google Scholar
  8. 8.
    B. Chor, A. Fiat and M. Naor, Tracing traitors, Advances in Cryptology-CRYPTO’ 94, LNCS 839, Springer, pp. 257–270, 1994.Google Scholar
  9. 9.
    B. Chor, A. Fiat, M. Naor and B. Pinkas, Tracing traitors, IEEE Transactions on Information Theory, Vol. 46, No. 3, May 2000.Google Scholar
  10. 10.
    Content Protection for Recordable Media. Available:
  11. 11.
    C. Dwork, J. Lotspiech and M. Naor, Digital Signets: Self-Enforcing Protection of Digital Information, 28th Symp. on the Theory of Computing, 1996, pp. 489–498.Google Scholar
  12. 12.
    A. Fiat and M. Naor, Broadcast Encryption, Advances in Cryptology-CRYPTO’ 93, LNCS 773, Springer, 1994, pp. 480–491.Google Scholar
  13. 13.
    A. Fiat and T. Tassa, Dynamic Traitor Tracing Advances in Cryptology-CRYPTO’ 99, LNCS 1666, 1999, pp. 354–371.Google Scholar
  14. 14.
    E. Fujisaki and T. Okamoto, Secure Integration of Asymmetric and Symmetric Encryption Schemes, Advances in Cryptology-CRYPTO 1999, LNCS 1666, 1999, pp. 537–554.Google Scholar
  15. 15.
    E. Gafni, J. Staddon and Y. L. Yin, Efficient Methods for Integrating Traceability and Broadcast Encryption, Advances in Cryptology-CRYPTO’99, LNCS 1666, Springer, 1999, pp. 372–387.Google Scholar
  16. 16.
    J.A. Garay, J. Staddon and A. Wool, Long-Lived Broadcast Encryption. Advances in Cryptology-CRYPTO’2000, LNCS 1880, pp. 333–352, 2000.CrossRefGoogle Scholar
  17. 17.
    O. Goldreich, S. Goldwasser and S. Micali, How to Construct Random Functions. JACM 33(4): 792–807 (1986)CrossRefMathSciNetGoogle Scholar
  18. 18.
    R. Kumar, R. Rajagopalan and A. Sahai, Coding Constructions for blacklisting problems without Copmutational Assumptions. Advances in Cryptology-CRYPTO’ 99, LNCS 1666, 1999, pp. 609–623.Google Scholar
  19. 19.
    M. Luby and J. Staddon, Combinatorial Bounds for Broadcast Encryption. Advances in Cryptology-EUROCRYPT’ 98, LNCS vol 1403, 1998, pp. 512–526.CrossRefGoogle Scholar
  20. 20.
    D. McGrew, A. T. Sherman, Key Establishment in Large Dynamic Groups Using One-Way Function Trees, submitted to IEEE Transactions on Software Engineering (May 20, 1998).Google Scholar
  21. 21.
    D. Naor, M. Naor, J. Lotspiech, Revocation and Tracing Schemes for Stateless Receivers, full version available at the IACR Crypto Archive
  22. 22.
    M. Naor, Tradeoffs in Subset-Cover Revocation Schemes, manuscript, 2001.Google Scholar
  23. 23.
    M. Naor and B. Pinkas, Threshold traitor tracing, Advances in Cryptology-Crypto’ 98, LNCS 1462, pp. 502–517.CrossRefGoogle Scholar
  24. 24.
    M. Naor and B. Pinkas, Efficient Trace and Revoke Schemes Financial Cryptography’ 2000, LNCS, Springer.Google Scholar
  25. 25.
    B. Pfitzmann, Trials of Traced Traitors, Information Hiding Workshop, First International Workshop, Cambridge, UK, LNCS 1174, Springer, 1996, pp. 49–64.Google Scholar
  26. 26.
    R. Safavi-Naini and Y. Wang, Sequential Traitor Tracing, Advances in Cryptology-CRYPTO 2000, LNCS 1880, pp. 316–332, 2000.CrossRefGoogle Scholar
  27. 27.
    V. Shoup and R. Gennaro, Securing threshold cryptosystems against chosen ciphertext attack, Advances in Cryptology-EUROCRYPT’98, LNCS 1403, 1998, pp. 1–16.CrossRefGoogle Scholar
  28. 28.
    D.R. Stinson and R. Wei, Key Preassigned Traceability Schemes for Broadcast Encryption, Proc. Fifth Annual Workshop on Selected Areas in Cryptography, LNCS 1556 (1999), pp. 144–156.CrossRefGoogle Scholar
  29. 29.
    D.M. Wallner, E.J. Harder and R.C. Agee, Key Management for Multicast: Issues and Architectures, Internet Request for Comments 2627, June, 1999. Available:
  30. 30.
    C. K. Wong, M. Gouda and S. Lam, Secure Group Communications Using Key Graphs, Proc. ACM SIGCOMM’98, pp. 68–79.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Dalit Naor
    • 1
  • Moni Naor
    • 2
  • Jeff Lotspiech
    • 1
  1. 1.IBM Almaden Research CenterSan-Jose
  2. 2.Department of Computer Science and Applied MathWeizmann InstituteRehovotIsrael

Personalised recommendations