Efficient Trace and Revoke Schemes

  • Moni Naor
  • Benny Pinkas
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1962)


Our goal is to design encryption schemes for mass distribution of data in which it is possible to (1) deter users from leaking their personal keys, (2) trace which users leaked keys to construct an illegal decryption device, and (3) revoke these keys so as to render the device dysfunctional.

We start by designing an efficient revocation scheme based on secret sharing. It can remove up to t parties and is secure against coalitions of size t. This scheme is more efficient than previous schemes with the same properties. We then show how to combine the revocation scheme with traitor tracing and self enforcement schemes. More precisely, we show how to construct schemes such that (1) each user’s personal key contains some sensitive information of that user (e.g., the user’s credit card number), and therefore users would be reluctant to disclose their keys; (2) an illegal decryption device discloses the identity of users that contributed keys to construct the device; and (3) it is possible to revoke the keys of corrupt users. For the last point it is important to be able to do so without publicly disclosing the sensitive information.


Keywords: User revocation, blacklisting, broadcast encryption, tracing traitors, self enforcement, copyright protection



Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Moni Naor (1)
  • Benny Pinkas (1)
  1. Dept. Computer Science and Applied Math, Weizmann Institute of Science, Rehovot, Israel
