Revocation and Tracing Schemes for Stateless Receivers
We deal with the problem of a center sending a message to a group of users such that some subset of the users is considered revoked and should not be able to obtain the content of the message. We concentrate on the stateless receiver case, where the users do not (necessarily) update their state from session to session. We present a framework called the Subset-Cover framework, which abstracts a variety of revocation schemes including some previously known ones. We provide sufficient conditions that guarantees the security of a revocation algorithm in this class.
We describe two explicit Subset-Cover revocation algorithms; these algorithms are very flexible and work for any number of revoked users. The schemes require storage at the receiver of log N and 1/2 log2 N keys respectively (N is the total number of users), and in order to revoke r users the required message lengths are of r log N and 2r keys respectively. We also provide a general traitor tracing mechanism that can be integrated with any Subset-Cover revocation scheme that satisfies a “bifurcation property”. This mechanism does not need an a priori bound on the number of traitors and does not expand the message length by much compared to the revocation of the same set of traitors.
The main improvements of these methods over previously suggested methods, when adopted to the stateless scenario, are: (1) reducing the message length to O(r) regardless of the coalition size while maintaining a single decryption at the user’s end (2) provide a seamless integration between the revocation and tracing so that the tracing mechanisms does not require any change to the revocation algorithm.
KeywordsBroadcast Encryption Revocation scheme Tracing scheme Copyright Protection
- 1.J. Anzai, N. Matsuzaki and T. Matsumoto, A Quick Group Key Distribution Sceheme with “Entity Revocation”, Advances in Cryptology-Asiacrypt’ 99, LNCS 1716, Springer, 1999, pp. 333–347.Google Scholar
- 2.O. Berkman, M. Parnas and J. Sgall, Efficient Dynamic Traitor Tracing, Proc. of the 11th ACM-SIAM Symp. on Discrete Algorithms (SODA), pp. 586–595, 2000.Google Scholar
- 3.D. Boneh and M. Franklin, An efficient public key traitor tracing scheme, Advances in Cryptology-Crypto’ 99, LNCS 1666, Springer, 1999, pp. 338–353.Google Scholar
- 5.R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor and B. Pinkas, Multicast Security: A Taxonomy and Some Efficient Constructions, Proc. of INFOCOM’ 99, Vol. 2, pp. 708–716, New York, NY, March 1999.Google Scholar
- 6.R. Canetti, T. Malkin, K. Nissim, Efficient Communication-Storage Tradeoffs for Multicast Encryption, Advances in Cryptology-EUROCRYPT’ 99, LNCS 1592, Springer, 1999, pp. 459–474.Google Scholar
- 7.R. Cramer and V. Shoup, A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack. Advances in Cryptology-CRYPTO 1999, Lecture Notes in Computer Science 1462, Springer, pp. 13–25.Google Scholar
- 8.B. Chor, A. Fiat and M. Naor, Tracing traitors, Advances in Cryptology-CRYPTO’ 94, LNCS 839, Springer, pp. 257–270, 1994.Google Scholar
- 9.B. Chor, A. Fiat, M. Naor and B. Pinkas, Tracing traitors, IEEE Transactions on Information Theory, Vol. 46, No. 3, May 2000.Google Scholar
- 10.Content Protection for Recordable Media. Available: http://www.4centity.com/4centity/tech/cprm
- 11.C. Dwork, J. Lotspiech and M. Naor, Digital Signets: Self-Enforcing Protection of Digital Information, 28th Symp. on the Theory of Computing, 1996, pp. 489–498.Google Scholar
- 12.A. Fiat and M. Naor, Broadcast Encryption, Advances in Cryptology-CRYPTO’ 93, LNCS 773, Springer, 1994, pp. 480–491.Google Scholar
- 13.A. Fiat and T. Tassa, Dynamic Traitor Tracing Advances in Cryptology-CRYPTO’ 99, LNCS 1666, 1999, pp. 354–371.Google Scholar
- 14.E. Fujisaki and T. Okamoto, Secure Integration of Asymmetric and Symmetric Encryption Schemes, Advances in Cryptology-CRYPTO 1999, LNCS 1666, 1999, pp. 537–554.Google Scholar
- 15.E. Gafni, J. Staddon and Y. L. Yin, Efficient Methods for Integrating Traceability and Broadcast Encryption, Advances in Cryptology-CRYPTO’99, LNCS 1666, Springer, 1999, pp. 372–387.Google Scholar
- 18.R. Kumar, R. Rajagopalan and A. Sahai, Coding Constructions for blacklisting problems without Copmutational Assumptions. Advances in Cryptology-CRYPTO’ 99, LNCS 1666, 1999, pp. 609–623.Google Scholar
- 20.D. McGrew, A. T. Sherman, Key Establishment in Large Dynamic Groups Using One-Way Function Trees, submitted to IEEE Transactions on Software Engineering (May 20, 1998).Google Scholar
- 21.D. Naor, M. Naor, J. Lotspiech, Revocation and Tracing Schemes for Stateless Receivers, full version available at the IACR Crypto Archive http://eprint.iacr.org/.
- 22.M. Naor, Tradeoffs in Subset-Cover Revocation Schemes, manuscript, 2001.Google Scholar
- 24.M. Naor and B. Pinkas, Efficient Trace and Revoke Schemes Financial Cryptography’ 2000, LNCS, Springer.Google Scholar
- 25.B. Pfitzmann, Trials of Traced Traitors, Information Hiding Workshop, First International Workshop, Cambridge, UK, LNCS 1174, Springer, 1996, pp. 49–64.Google Scholar
- 29.D.M. Wallner, E.J. Harder and R.C. Agee, Key Management for Multicast: Issues and Architectures, Internet Request for Comments 2627, June, 1999. Available: ftp://.ietf.org/rfc/rfc2627.txt
- 30.C. K. Wong, M. Gouda and S. Lam, Secure Group Communications Using Key Graphs, Proc. ACM SIGCOMM’98, pp. 68–79.Google Scholar