Abstract
A traitor tracing scheme is a multiuser publickey encryption scheme where each user in the system holds a decryption key that is associated with the user’s identity. Using the public key, a content distributor can encrypt a message to all of the users in the system. At the same time, if a malicious group of users combine their respective decryption keys to build a “pirate decoder,” there is an efficient tracing algorithm that the content distributor can use to identify at least one of the keys used to construct the decoder. A traceandrevoke scheme is an extension of a standard traitor tracing scheme where there is an additional keyrevocation mechanism that the content distributor can use to disable the decryption capabilities of compromised keys. Namely, during encryption, the content distributor can encrypt a message with respect to a list of revoked users such that only nonrevoked users can decrypt the resulting ciphertext.
Traceandrevoke schemes are challenging to construct. Existing constructions from standard assumptions can only tolerate bounded collusions (i.e., there is an a priori bound on the number of keys an adversary obtains), have system parameters that scale exponentially in the bitlength of the identities, or satisfy weaker notions of traceability that are vulnerable to certain types of “pirate evolution” attacks. In this work, we provide the first construction of a traceandrevoke scheme that is fully collusion resistant and capable of supporting arbitrary identities (i.e., the identities can be drawn from an exponentialsize space). Our scheme supports public encryption and secret tracing, and can be based on the subexponential hardness of the LWE problem (with a superpolynomial modulustonoise ratio). The ciphertext size in our construction scales logarithmically in the size of the identity space and linearly in the size of the revocation list. Our scheme leverages techniques from both combinatorial and algebraic constructions for traitor tracing.
The full version of this paper is available at https://eprint.iacr.org/2019/984.pdf.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
1 Introduction
Traitor tracing schemes [CFN94] provide content distributors a way to identify malicious receivers and pirates. Specifically, a traitor tracing scheme is a publickey encryption scheme that is defined over a set of global public parameters \(\mathsf {pp}\) and many secret decryption keys \(\{ \mathsf {sk}_\mathsf {id} \}\). Each of the decryption keys \(\mathsf {sk}_\mathsf {id}\) is associated with an identifier \(\mathsf {id}\) (e.g., a user’s name or profile picture). Anyone is able to encrypt a message using the public parameters \(\mathsf {pp}\) and any user who holds a valid decryption key \(\mathsf {sk}_\mathsf {id}\) can decrypt the resulting ciphertext. The main security property is traceability, which says that if a coalition of users combine their respective decryption keys to create a new decryption algorithm (i.e., a “pirate decoder”), there is an efficient tracing algorithm that, given (blackbox) access to the decoder, will successfully identify at least one of the secret keys that was used to construct the pirate decoder. As such, traitor tracing schemes provide an effective way for content distributors to combat piracy.
In practice, simply identifying the keys that went into a pirate decoder is not enough; we also require a way for the content distributor to disable the decryption capabilities of a compromised key. Traitor tracing schemes that support efficient keyrevocation mechanisms are called traceandrevoke schemes [NP00]. In a traceandrevoke scheme, the encryption algorithm additionally takes in a list of revoked users \(\mathcal {L}\). A ciphertext that is generated with respect to a revocation list \(\mathcal {L}\) can only be decrypted by keys for identities \(\mathsf {id}\notin \mathcal {L}\). Furthermore, the revocation mechanism should remain compatible with tracing: namely, if an adversary builds a pirate decoder that can still decrypt ciphertexts encrypted with respect to a revocation list \(\mathcal {L}\), the tracing algorithm should successfully identify at least one of the nonrevoked decryption keys (i.e., some \(\mathsf {id}\notin \mathcal {L}\)) that went into the construction of the pirate decoder. We give the formal definition in Sect. 4.
Properties of TraceandRevoke Schemes. There are a number of possible properties that a traceandrevoke scheme could provide. We enumerate several important ones below:

Collusion resistance: A traceandrevoke scheme is tcollusion resistant if tracing works as long as the pirate obtains fewer than t decryption keys, and the scheme parameters are allowed to depend on t. When t can be an arbitrary polynomial, the scheme is fully collusion resistant.

A priori unbounded revocation: Some traceandrevoke schemes support bounded revocation where at setup time, there is an a priori bound r on the maximum number of revoked users the scheme supports. A scheme supports a priori unbounded revocation if the number of revoked users can be an arbitrary polynomial. We note here that while we can require an even stronger property that supports revoking a superpolynomial number of users, the scheme we develop in this work does not support this stronger property (except in certain restricted settings; see Sect. 1.1).

Black box tracing: A traceandrevoke scheme supports black box tracing if the tracing algorithm only requires oracle access to the pirate decoder. This means we do not need to impose any restrictions on the structure of the adversary’s decoder. Tracing must work on any decoder that is able to decrypt (or even better, distinguish) ciphertexts.

Identitybased: A traceandrevoke scheme is “identitybased” or supports arbitrary identities if the set of possible identities \(\mathcal {ID}\) the scheme supports can be exponential in size [NWZ16]. In most traceandrevoke schemes, the set of possible identities is assumed to have polynomial size (i.e., identities are represented by an element of the set \([N] = \{ 1, \ldots , N \}\)). This means that there is an a priori bound on the maximum number of users supported by the system, and moreover, in practical scenarios, the tracing authority needs to separately maintain a database mapping from a numeric index \(\mathsf {id}\in [N]\) to a user’s actual identifier (which may not fit into a string of length \(\log N\)). In addition, as noted in [NWZ16], an added benefit of traceandrevoke schemes that support arbitrary identities is anonymity: namely, a user can obtain a decryption key for their identity without needing to reveal their identity to the key issuer.
Our Results. In this work, we focus on constructing traceandrevoke schemes that provide each of the above guarantees. Namely, we seek schemes that are flexible (e.g., can support arbitrary identities of polynomial length and an arbitrary polynomial number of revocations) while providing strong security (i.e., full collusion resistance and security against arbitrary adversarial strategies). We achieve these properties assuming subexponential hardness of the learning with errors (LWE) assumption [Reg05]. Specifically, we show the following:
Theorem 1.1
(informal). Let \(\lambda \) be a security parameter and \(\mathcal {ID}= \{0,1\}^n\) be the set of possible identities. Assuming subexponential hardness of LWE, there exists a fully collusion resistant traceandrevoke scheme where the secret key for an identity \(\mathsf {id}\in \{0,1\}^n\) has size \(n \cdot \mathsf {poly}(\lambda , \log n)\) and a ciphertext encrypting a message m with respect to a revocation list \(\mathcal {L}\subseteq \{0,1\}^n\) has size \(\left m \right + \left \mathcal {L} \right \cdot \mathsf {poly}(\lambda , \log n)\). Encryption in our scheme is a public operation while tracing requires knowledge of a secret key.
Previous traceandrevoke constructions were either not collusion resistant [NWZ16, ABP+17], could only support a polynomialsize identity space [BW06, GKSW10, GQWW19], achieved weaker models of tracing [NNL01, DF02], or relied on strong assumptions such as indistinguishability obfuscation [NWZ16] or (positional) witness encryption [GVW19]. We refer to Sect. 1.2 for a more detailed comparison of our construction with existing ones.
Open Questions. Before giving an overview of our construction, we highlight several interesting directions to further improve upon our traceandrevoke scheme:

Public tracing: Our tracing algorithm requires a secret key. It is an interesting open problem to obtain fully collusion resistant traceandrevoke for arbitrary identities with public tracing from standard assumptions. In fact, even obtaining a collusion resistant traitor tracing scheme with succinct keys and public tracing from standard assumptions is currently open.

Succinct broadcast: The length of the ciphertexts in our construction scales linearly in the size of the revocation list, and as such, our scheme only supports revocation for a polynomial number of users. It is an open question is to develop an scheme that supports arbitrary identities and where the ciphertext size scales sublinearly in the number of revoked users (and more generally, where the ciphertext size scales with the description length of the revocation list rather than its size). Schemes with these properties are often called “broadcast, trace, and revoke” schemes [BW06] as they combine both the succinctness of a “broadcast encryption” [FN93] with the tracing capability of a traitor tracing scheme. Existing broadcast, trace, and revoke constructions [BW06, GKSW10, GQWW19] from standard assumptions can only handle a polynomial number of users. We provide a more thorough comparison in Sect. 1.2.

Polynomial hardness: Security of our tracing construction relies on the subexponential hardness of LWE. Our reliance on subexponential hardness assumptions is due to our use of complexity leveraging [BB04] to instantiate adaptivelysecure variants of the underlying cryptographic primitives we require in our construction. An important open problem is to base security on polynomial hardness. The work of Goyal et al. [GKW19] show how to obtain traitor tracing for an exponentialsize identity space from a polynomial hardness assumption, but their scheme does not support revocation.
1.1 Construction Overview
In this section, we provide a highlevel overview of our construction. Our approach combines an identitybased traitor tracing scheme based on the techniques developed in [NWZ16, GKW18] with the combinatorial revocation scheme from [NNL01]. We describe each of these components below.
Traitor Tracing from Private Linear Broadcast. Boneh et al. [BSW06] showed how to construct a collusion resistant traitor tracing scheme from a private linear broadcast encryption (PLBE) scheme. A PLBE scheme is an encryption scheme where decryption keys are associated with an index \(i \in [N]\), and ciphertexts are associated with a secret index \(j \in [N]\) and a message m. The correctness property guarantees that a decryption key \(\mathsf {sk}_i\) for index i can decrypt all ciphertexts encrypted to indices j where \(i \le j\). There are two ways to generate a ciphertext. The public encryption algorithm allows anyone to encrypt to the index N, which can be decrypted by secret keys \(\mathsf {sk}_i\) for all \(i \in [N]\). The secret encryption algorithm allows the tracing authority who holds a tracing key to encrypt to indices \(j \le N\). The “indexhiding” requirement guarantees that an adversary who does not have a key for index j cannot distinguish an encryption to index j from an encryption to index \(j + 1\). Finally, the “messagehiding” requirement says that ciphertexts encrypted to index 0 are semantically secure (given any subset of decryption keys for indices \(1 \le j \le N\)). These properties form the basis of the tracing algorithm described in [BSW06]. Boneh et al. showed how to construct PLBE from pairingbased assumptions where the ciphertexts have size \(O(\sqrt{N})\). Hence their scheme only supports a polynomialsize identity space.
Recently, Goyal et al. [GKW18] gave a new construction of a PLBE scheme from the LWE assumption by combining a new cryptographic notion called mixed functional encryption (mixed FE) with an attributebased encryption (ABE) scheme [SW05, GPSW06]. Their construction has the appealing property that the size of all of the system parameters (e.g., the public parameters, decryption keys, and ciphertexts) scale with \(\mathsf {poly}(\lambda , \log N)\). Thus, the construction of Goyal et al. [GKW18] can in principle support arbitrary set of identities. However, the tracing algorithm in the PLBE framework runs in time that scales linearly with the size of the identity space. As a result, the [GKW18] construction does not support tracing over an exponential space of identities.
IdentityBased TraitorTracing from Functional Encryption. In [NWZ16], Nishimaki et al. introduced a more general tracing algorithm for PLBE that supports an exponential identity space (by abstracting the tracing problem as an “oracle jumpfinding” problem). Their construction relies on a PLBE scheme that satisfies a more general notion of indexhiding security. Namely a ciphertext encrypted to index \(j_1\) should be indistinguishable from a ciphertext encrypted to index \(j_2\) as long as the adversary does not have any keys in the interval \((j_1, j_2]\).^{Footnote 1} A limitation of this construction is that the ciphertexts scale linearly in the bitlength of the identities. Nishimaki et al. then show how to construct a traitor tracing scheme with short ciphertexts (i.e., one where the ciphertext size scales with \(\mathsf {poly}(\log \log N)\)) from a private broadcast encryption scheme that support slightly more general broadcast sets. Finally, they note that private broadcast is just a special case of generalpurpose functional encryption which can be instantiated using indistinguishability obfuscation [GGH+13], or, in the boundedcollusion setting, from LWE [GKP+13] or even just publickey encryption [SS10, GVW12].
A More General View of [GKW18]. In this work, we take a more general view of the PLBE construction in [GKW18] and show that the construction in fact gives a secretkey predicate encryption scheme with a broadcast functionality. In turn, PLBE can be viewed as a specific instantiation of the predicate encryption scheme for the particular class of threshold predicates. This view will enable our generalization to identitybased traitor tracing with short ciphertexts (by following the approach of [NWZ16]) as well as enable an efficient mechanism for key revocation. Note that the “broadcast functionality” considered here refers to a method to publicly encrypt a message that can be decrypted by all secret keys in the system (i.e., broadcasting a message to all users in the system). We are not requiring the ability to succinctly broadcast messages to subsets of users (as in the setting of broadcast encryption [FN93]).
Specifically, in a secretkey (ciphertextpolicy) predicate encryption scheme, ciphertexts are associated with a predicate f and a message m, while decryption keys are associated with an attribute x. Decrypting a ciphertext \(\mathsf {ct}_{f,m}\) associated with a predicate f and a message m with a function key for an attribute x yields m if \(f(x) = 1\) and \(\bot \) otherwise. Moreover, the policy f associated with a ciphertext is hidden irrespective of whether decryption succeeds or not—this property is the analog of the “strong” attributehiding property considered in the study of keypolicy predicate encryption [BW07, KSW08, SBC+07]. Finally, while the predicate encryption scheme is secretkey, there exists a public encryption algorithm that allows anyone to encrypt a message with respect to the “alwaysaccept” policy (i.e., \(f(x) = 1\) for all inputs x). In Sect. 3.1, we show how to combine mixed FE (for general circuits) and attributebased encryption (for general circuits) to obtain a secretkey ciphertextpolicy predicate encryption scheme with broadcast. This construction is a direct analog of the [GKW18] construction of PLBE from the same set of underlying primitives. Next, we note that this type of predicate encryption directly implies a fully collusion resistant traitor tracing scheme with short ciphertexts via [NWZ16]. The one difference, however, is that since the predicate encryption scheme is in the secretkey setting, only the tracing authority who holds the master secret key is able to run the tracing algorithm. Thus in contrast to [NWZ16], our scheme only supports secret tracing. We note that working in the secretkey setting introduces some new challenges in the security analysis of the [NWZ16] construction. These can be handled using similar techniques as those developed in [GKW18], and we discuss this in greater detail in Sect. 4.1.
TraceandRevoke via Revocable Predicate Encryption. Thus far, we have shown how to combine ideas from [GKW18] and [NWZ16] to obtain a collusion resistant traitor tracing scheme for arbitrary identities. The next step is to develop a mechanism for key revocation. Previously, Nishimaki et al. showed how to use a revocable functional encryption scheme to construct a traceandrevoke scheme. In this work, we show that a revocable variant of our secretkey predicate encryption scheme with broadcast also suffices for this general transformation. Namely, in a revocable predicate encryption scheme, each decryption key is additionally tagged with an identity \(\mathsf {id}\), and at encryption time (both secret and public), the encrypter provides both the decryption policy f and the revocation list \(\mathcal {L}\). The resulting ciphertext can then be decrypted by all keys \(\mathsf {sk}_{\mathsf {id}, x}\) associated with an identity \(\mathsf {id}\) and an attribute x such that \(f(x) = 1\) and \(\mathsf {id}\notin \mathcal {L}\).
A natural approach to support revocation is to include the revocation list \(\mathcal {L}\) as part of the ciphertext policy in the predicate encryption scheme. We would then embed the identity \(\mathsf {id}\) as part of the decryption key, and the final decryption policy would first check that \(\mathsf {id}\notin \mathcal {L}\) and then check that \(f(x) = 1\). While this basic approach seems straightforward, it unfortunately does not apply in our setting. As noted above, the predicate encryption scheme we construct is a secretkey scheme, and the only public operation it supports is the broadcast functionality.^{Footnote 2} Obtaining a publickey analog of collusion resistant, strong attributehiding predicate encryption seems quite challenging (and in fact, implies publickey functional encryption). But as we note in Remark 3.3, even in the boundedcollusion setting (where we can construct publickey predicate encryption from standard assumptions), this basic approach seems to run into a barrier, and any such instantiation from standard assumptions would likely have to assume a bound on the maximum number of revoked users. In this work, we seek solutions from standard assumptions that are collusion resistant and support unbounded revocation.
Revocable Predicate Encryption via Subset Cover Set Systems. As we described above, constructing a collusion resistant traceandrevoke scheme for arbitrary identities reduces to constructing a secretkey revocable predicate encryption scheme with a broadcast functionality. To build the necessary revocable predicate encryption scheme, we leverage ideas from combinatorial constructions of traitor tracing. We note that while we rely on combinatorial ideas in our construction, we do not provide a generic transformation of any predicate encryption scheme into a revocable analog. Rather, our construction relies on a careful integration of the algebraic approach from [GKW18] with the combinatorial approach from [NNL01].
The core combinatorial ingredient that we use for our construction is a subsetcover set system, a notion that has featured in several traitor tracing constructions [NNL01, DF02, HS02]. Let [N] be the identity space. A subsetcover set system for [N] is a set of indices [K] with the following two properties. Each identity \(\mathsf {id}\in [N]\) is associated with a small number of indices \(\mathcal {I}_\mathsf {id}\subseteq [K]\). Moreover, given a revocation list \(\mathcal {L}\subseteq [N]\), there is an efficient algorithm to compute a “covering” set of indices \(\mathcal {J}_{\mathcal {L}} \subseteq [K]\) with the property that \(\mathsf {id}\in \mathcal {L}\) if and only if \(\mathcal {I}_{\mathsf {id}} \cap \mathcal {J}_{\mathcal {L}} = \varnothing \). If we instantiate using the subsetcover set system from [NNL01], then \(K = O(N)\), \(\left \mathcal {I}_\mathsf {id} \right = O(\log N)\), and \(\left \mathcal {J}_{\mathcal {L}} \right = O(\left \mathcal {L} \right \log (N / \left \mathcal {L} \right ))\).
Given a subsetcover set system, a first attempt to construct a revocable predicate encryption scheme is as follows. We associate a set of public parameters \(\mathsf {pp}_i\) and master secret key \(\mathsf {msk}_i\) with each index \(i \in [K]\). A key for an identity \(\mathsf {id}\in [N]\) and an attribute x would consist of predicate encryption keys \(\mathsf {sk}_{\mathsf {id}, x} \leftarrow \mathsf {KeyGen}(\mathsf {msk}_i, x)\) for all the predicate encryption schemes \(i \in \mathcal {I}_{\mathsf {id}}\) associated with \(\mathsf {id}\). Finally, an encryption of a message m with respect to the revocation list \(\mathcal {L}\subseteq [N]\) would consist of a collection of ciphertexts \(\{ \mathsf {ct}_i \}_{i \in \mathcal {J}_{\mathcal {L}}}\) where each \(\mathsf {ct}_i\) is an encryption of m with respect to \(\mathsf {pp}_i\) for \(i \in \mathcal {J}_{\mathcal {L}}\). By the property described above, if \(\mathsf {id}\notin \mathcal {L}\), then \(\mathcal {I}_{\mathsf {id}} \cap \mathcal {J}_{\mathcal {L}} \ne \varnothing \). This means that all nonrevoked users \(\mathsf {id}\notin \mathcal {L}\) will possess a key \(\mathsf {sk}_{i, x}\) for some \(i \in \mathcal {J}_{\mathcal {L}}\), and therefore, will be able to decrypt (provided that \(f(x) = 1\)). For a revoked user, it will be the case that \(i \notin \mathcal {J}_{\mathcal {L}}\) for all \(i \in \mathcal {I}_\mathsf {id}\), and they will be unable to decrypt. The problem though is that the size of the public parameters now scale linearly with K (which is as large as N). As such, this scheme only supports a polynomial number of identities. Thus, we need a different approach. We describe two candidate ideas below:

If the underlying predicate encryption scheme has the property where the master secret key \(\mathsf {msk}\) can be sampled after the public parameters \(\mathsf {pp}\), then in principle, the construction above would suffice. Namely, we would use a single set of public parameters for all of the predicate encryption schemes, and derive the master secret key \(\mathsf {msk}_i\) for each \(i \in [K]\) from a pseudorandom function (PRF). Unfortunately, such a predicate encryption scheme cannot be secure since the adversary can always generate for itself a master secret key and use it to decrypt.

If the scheme supports a public encryption algorithm, then we can support revocation by including the index \(i \in [K]\) as part of the policy associated with the ciphertext as well as the attribute in the decryption key. Then, the decryption policy would additionally check that the index associated with the key matched the index associated with the ciphertext. Essentially, we ensure that a decryption key for i can only be used to decrypt ciphertexts encrypted to index i. However, this revocation approach also does not seem to apply in our setting because our predicate encryption scheme is in the secretkey setting, and it is not clear how to generalize to a publickey encryption algorithm that can support more general policies (while retaining the same security properties).^{Footnote 3}
While neither of these approaches directly apply in our setting, we can combine both ideas in our construction to obtain a revocable predicate encryption scheme. As noted above, our basic secretkey predicate encryption scheme with broadcast combines a mixed FE scheme with an ABE scheme. Without getting into too many details, the construction has the following properties. Each ciphertext in the scheme consists of a mixed FE ciphertext and an ABE ciphertext, and analogously, each decryption key consists of a mixed FE decryption key and an ABE decryption key. The mixed FE scheme is a secretkey scheme that supports a broadcast mechanism while the ABE scheme is a standard publickey scheme. The key observation is that if both the underlying mixed FE scheme and the ABE scheme support revocation, then the resulting predicate encryption scheme also supports revocation. For our construction it is critical that both schemes support revocation as we rely on the mixed FE scheme to hide the ciphertext policy and the ABE scheme to hide the message. If only one of the underlying schemes supports revocation, then one or both of these security properties become incompatible with revocation. We now describe how we implement revocation for the underlying mixed FE and ABE schemes:

The mixed FE scheme is a secretkey scheme that supports public broadcast. Unlike standard predicate encryption, the security properties of mixed FE can be satisfied by schemes where the master secret key is sampled after the public parameters, and this property is satisfied by existing constructions [GKW18, CVW+18]. This means that we can associate a different mixed FE scheme with each index \(i \in [K]\) where the master secret key associated with each instance is derived from a PRF. All of the mixed FE schemes share a common set of public parameters. We can now use the first revocation idea described above to implement revocation for the mixed FE scheme.

Next, the ABE scheme is a publickey encryption scheme, and thus, we can use the second type of revocation described above. Namely, we require a single set of ABE parameters and simply include the index \(i \in [K]\) in both the decryption key and the ciphertext to identity which index is being targeted.
By combining these two approaches for revocation, we show in Sect. 3.1 how to construct a secretkey revocable predicate encryption with broadcast scheme from the subexponential hardness of LWE. Notably, our final revocation mechanism relies critically on both the combinatoric properties of the subsetcover set system as well as the specific algebraic nature of the predicate encryption construction. Together, this yields the first collusion resistant traceandrevoke scheme for arbitrary identities from the same underlying assumptions (Theorem 1.1).
A Simple Extension: More General Revocation Policies. While the basic scheme we described above supports revoking any polynomial number of identities, it naturally extends to support any revocation policy supported by the underlying subsetcover set system. Specifically, if we use the prefixbased subsetcover set system by Naor et al. [NNL01], our scheme supports revoking any number of identities that can be specified by a polynomial number of prefixbased patterns. For instance, we can revoke all users whose identity starts with a fixed prefix—which may consist of an exponential number of identities. In a concrete application, if the first few bits of a user’s identity specifies a region, then we can use prefixbased policies to efficiently revoke all of the users from one or more regions. We provide more discussion in Remark 3.10.
1.2 Related Work
In this section, we survey some of the related work on traitor tracing and traceandrevoke schemes and compare our results to existing notions.
Traitor Tracing and TraceandRevoke. Numerous works have studied constructions of both traitor tracing and traceandrevoke schemes from a wide range of assumptions and settings. Very broadly, most existing constructions can be categorized into two main categories: combinatorial approaches [CFN94, NP98, SSW01, CFNP00, NNL01, HS02, DF02, SSW01, BN08] and algebraic approaches [KD98, NP00, BSW06, BW06, GKSW10, LPSS14, KT15, NWZ16, ABP+17, GKW18, CVW+18, GVW19, GQWW19]. We refer to these works and the references therein for a survey of the field.
Many existing traitortracing and traceandrevoke schemes (from standard assumptions) are only secure against bounded collusions [CFN94, KD98, NP00, SSW01, LPSS14, KT15, NWZ16, ABP+17]. Other schemes are fully collusion resistant, but can only handle a polynomialsize identity space [BSW06, BW06, GKSW10, GKW18, CVW+18, GQWW19]. In this work, we focus on schemes that are fully collusion resistant and support arbitrary identity spaces. While there are schemes that are both collusion resistant and support a superpolynomial identity space [NWZ16, GVW19], these construction require strong assumptions such as indistinguishability obfuscation [BGI+12] or positional witness encryption and cannot currently be based on standard intractability assumptions.
Several of the aforementioned schemes from standard assumptions [BW06, GKSW10, GQWW19] additionally provide a succinct broadcast mechanism where anyone can encrypt a message to any subset of the users with a ciphertext whose size scales with \(N^{1/2}\) [BW06, GKSW10] or with \(N^\varepsilon \) [GQWW19] for any constant \(\varepsilon > 0\), where N is the total number of users in the system. Such schemes are commonly referred to as “broadcast, trace, and revoke” schemes. Notably, the ciphertext size in these constructions is independent of the number of revoked users and only depends on the total number of users. In our traceandrevoke construction (Theorem 1.1), the ciphertext size scales linearly with the number of revoked users (which can be \(\varOmega (N)\) in the worst case). Thus, in the setting where we have a polynomialsize identity space and when the number of revoked users is a sufficientlylarge fraction of the total number of users, existing broadcast, trace, and revoke constructions will have shorter ciphertexts. In the setting where there is an exponential identity space, the ciphertexts in these existing constructions are also exponential, and they do not provide a compelling solution.
Several works [NP98, CFNP00, BN08] consider a threshold notion of traitor tracing where the tracing algorithm is only guaranteed to work for decoders that succeed with probability at least \(\delta = 1/\mathsf {poly}(\lambda )\) (and the scheme parameters are allowed to depend on the parameter \(\delta \)). In this work, we focus on schemes that work for any decoder that succeeds with nonnegligible probability.
Some combinatorial constructions [NNL01, HS02, DF02] are fully collusion resistant, but they only satisfy a weaker notion of traceability where the tracing algorithm either succeeds in extracting a pirated key or identifies an encryption strategy that disables the pirate decoder (this latter strategy increases the ciphertext size). This weaker traceability notion has led to pirate evolution [KP07] and Pirate 2.0 attacks [BP09] on schemes satisfying this weaker security notion. In this work, we focus on the strong notion of traceability where the tracing algorithm always succeeds in extracting at least one pirate key from any functional decoder. This notion is not affected by the pirate evolution attacks.
Cryptographic Watermarking. A closelyrelated notion to traitor tracing is cryptographic watermarking [BGI+12, CHN+16]. Very briefly, a cryptographic watermarking scheme allows an authority to embed arbitrary data into the secret key of a cryptographic function such that the marked program preserves the original functionality, and moreover, it is difficult to remove the watermark from the program without destroying its functionality. A collusion resistant watermarking scheme for a publickey encryption scheme would imply a collusion resistant traitor tracing scheme. Existing constructions [KW17, QWZ18, KW19b] of watermarking from standard assumptions are not collusion resistant and they are also limited to watermarking PRFs, which are not sufficient for traitor tracing. The recent construction of watermarking for publickey primitives [GKM+19] does imply a traitor tracing scheme for general identities (with public tracing), but only provides bounded collusion resistance (in fact, in this setting, their construction precisely coincides with the bounded collusion resistant traitor tracing construction from [NWZ16]). Moreover, it is not clear that existing constructions of watermarking can be extended to support key revocation.
Concurrent Work. In a recent and concurrent work, Goyal et al. [GKW19] also study the problem of identitybased traitor tracing for arbitrary identities (i.e., which they call “traitor tracing with embedded identities”). Their focus is on traitor tracing (without revocation) and achieving security based on polynomial hardness assumptions. In contrast, our focus is on supporting both tracing and revocation while still supporting arbitrary identities. Security of our construction, however, does rely on making a stronger subexponential hardness assumption.
2 Preliminaries
We begin by introducing some notation. We use \(\lambda \) (often implicitly) to denote the security parameter. We write \(\mathsf {poly}(\lambda )\) to denote a quantity that is bounded by a fixed polynomial in \(\lambda \) and \(\mathsf {negl}(\lambda )\) to denote a function that is \(o(1/\lambda ^c)\) for all \(c \in \mathbb {N}\). We say that an event occurs with overwhelming probability if its complement occurs with negligible probability. We say an algorithm is efficient if it runs in probabilistic polynomial time in the length of its input. For two families of distributions \(\mathcal {D}_1 = \{ \mathcal {D}_{1, \lambda } \}_{\lambda \in \mathbb {N}}\) and \(\mathcal {D}_2 = \{ \mathcal {D}_{2,\lambda } \}_{\lambda \in \mathbb {N}}\), we write \(\mathcal {D}_1 \,{\mathop {\approx }\limits ^{c}}\,\mathcal {D}_2\) if the two distributions are computationally indistinguishable (i.e., no efficient algorithm can distribution \(\mathcal {D}_1\) from \(\mathcal {D}_2\) except with negligible probability).
For an integer \(n \ge 1\), we write [n] to denote the set of integers \(\{ 1, \ldots , n \}\). For integers \(1 \le m \le n\), we write [m, n] to denote the set of integers \(\{ m, m+1, \ldots , n \}\), and \([m, n]_{\mathbb {R}}\) to denote the closed interval between m and n (inclusive) over the real numbers. For a distribution \(\mathcal {D}\), we write \(x \leftarrow \mathcal {D}\) to denote that x is drawn from \(\mathcal {D}\). For a finite set S, we write \(x\, {\mathop {\leftarrow }\limits ^{\textsc {r}}}\, S\) to denote that x is drawn uniformly at random from S.
Cryptographic Primitives. We now recall the standard definition of pseudorandom functions and collisionresistant hash functions.
Definition 2.1
(Pseudorandom Function [GGM84]). A pseudorandom function (PRF) with keyspace \(\mathcal {K}= \{ \mathcal {K}_\lambda \}_{\lambda \in \mathbb {N}}\), domain \(\mathcal {X}= \{ \mathcal {X}_\lambda \}_{\lambda \in \mathbb {N}}\), and range \(\mathcal {Y}= \{ \mathcal {Y}_\lambda \}_{\lambda \in \mathbb {N}}\) is an efficientlycomputable function \(F :\mathcal {K}\times \mathcal {X}\rightarrow \mathcal {Y}\) such that for all efficient adversaries \(\mathcal {A}\),
Definition 2.2
(Keyed CollisionResistant Hash Function). A keyed collisionresistant hash function with keyspace \(\mathcal {K}= \{ \mathcal {K}_\lambda \}_{\lambda \in \mathbb {N}}\), domain \(\mathcal {X}= \{ \mathcal {X}_\lambda \}_{\lambda \in \mathbb {N}}\), and range \(\mathcal {Y}= \{ \mathcal {Y}_\lambda \}_{\lambda \in \mathbb {N}}\) is an efficientlycomputable function \(H :\mathcal {K}\times \mathcal {X}\rightarrow \mathcal {Y}\) such that for all efficient adversaries \(\mathcal {A}\) and sampling \(k \,{\mathop {\leftarrow }\limits ^{\textsc {r}}}\, \mathcal {K}\),
SubsetCover Set Systems. As discussed in Sect. 1.1, the subsetcover framework introduced by Naor et al. [NNL01] is the basis for many combinatorial traceandrevoke schemes. We provide the formal definition below:
Definition 2.3
(SubsetCover Set System [NNL01]). Let N be a positive integer. A subsetcover set system for [N] is a set of indices [K] where \(K = \mathsf {poly}(N)\) together with a pair of algorithms \((\mathsf {Encode}, \mathsf {ComputeCover})\) satisfying the following properties:

\(\mathsf {Encode}(x) \rightarrow \mathcal {I}_x\): On input an element \(x \in [N]\), the encoding algorithm outputs a set of indices \(\mathcal {I}_x \subseteq [K]\).

\(\mathsf {ComputeCover}(\mathcal {L}) \rightarrow \mathcal {J}_{\mathcal {L}}\): On input a revocation list \(\mathcal {L}\subseteq [N]\), the covercomputation algorithm outputs a collection of indices \(\mathcal {J}_{\mathcal {L}} \subseteq [K]\).
We require the following efficiency and security requirements for a subsetcover set system.

Efficiency: Take any element \(x \in [N]\) and any revocation list \(\mathcal {L}\subseteq [N]\). Then, \(\mathsf {Encode}(x)\) runs in time \(\mathsf {poly}(\log N)\) and \(\mathsf {ComputeCover}(\mathcal {L})\) runs in time \(\mathsf {poly}(\left \mathcal {L} \right , \log N)\).

Correctness: Take any element \(x \in [N]\) and revocation list \(\mathcal {L}\subseteq [N]\), and let \(\mathcal {I}_x \leftarrow \mathsf {Encode}(x)\), \(\mathcal {J}_{\mathcal {L}} \leftarrow \mathsf {ComputeCover}(\mathcal {L})\). Then, \(x \in \mathcal {L}\) if and only if \(\mathcal {I}_x \cap \mathcal {J}_{\mathcal {L}} = \varnothing \).
In this work, we will use the “complete subtree” system from [NNL01, §3.1]. The details of this construction are not essential to our construction, so we omit them and just summarize the main properties below:
Fact 2.4
(SubsetCover Set System [NNL01, §3.1]). Let N be a positive integer. Then there exists a subsetcover set system [K] for [N] where \(K = 2N  1\), and where the algorithms \((\mathsf {Encode}, \mathsf {ComputeCover})\) satisfy the following properties:

For all elements \(x \in [N]\), if \(\mathcal {I}_x \leftarrow \mathsf {Encode}(x)\), then \(\left \mathcal {I}_x \right = \log N + 1\).

For all revocation lists \(\mathcal {L}\subseteq [N]\), if \(\mathcal {J}_{\mathcal {L}} \leftarrow \mathsf {ComputeCover}(\mathcal {L})\), then \(\left \mathcal {J}_{\mathcal {L}} \right = O(\left \mathcal {L} \right \log (N / \left \mathcal {L} \right ))\).
The Generalized JumpFinding Problem. Next, we recall the generalized jumpfinding problem introduced by Nishimaki et al. [NWZ16, §3.1] for constructing identitybased traitor tracing schemes with succinct ciphertexts. We note that [NWZ16] also introduced a simpler variant of the jumpfinding problem that essentially abstracts out the algorithmic core of the traitor tracing construction from private linear broadcast. Here, we consider the generalized version because it enables shorter ciphertexts (where the ciphertext size scales logarithmically with the bitlength of the identities).
Definition 2.5
(Generalized JumpFinding Problem [NWZ16, Definition 3.9]). For positive integers \(N, r, q \in \mathbb {N}\) and \(\delta , \varepsilon > 0\), the \((N, r, q, \delta , \varepsilon )\) generalized jumpfinding problem is defined as follows. An adversary begins by choosing a set C of up to q tuples \((s, b_1, \ldots , b_r) \in [N] \times \{0,1\}^r\) where all of the s are distinct. Each tuple \((s, b_1, \ldots , b_r)\) describes a curve between grid points from the top to bottom of the grid \([1, r] \times [0, 2N]\), which oscillates about the column at position \(2s  1\), with \(b = (b_1, \ldots , b_r)\) specifying which side of the column the curve is on in each row. The curves divide the grid into \(\left C \right + 1\) contiguous regions. For each pair \((i, x) \in [1,r] \times [0,2N]\), the adversary chooses a probability \(p_{i, x} \in [0, 1]_{\mathbb {R}}\) with the following properties:

For any two pairs (i, 2x), \((j, 2x) \in [1,r] \times [0,2N]\), it holds that \(\left p_{i, 2x}  p_{j, 2x} \right < \delta \).

Let \(C_i = \{ (s, b_1, \ldots , b_r) \in C : 2s  b_i \}\) be the set of values \(2s  b_i\) for tuples in C. For any two pairs \((i, x), (i, y) \in [1,r] \times [0,2N]\) such that \((x, y] \cap C_i = \varnothing \), then \(\left p_{i, x}  p_{i, y} \right < \delta \).

For all \(i, j \in [r]\), it holds that \(p_{i, 0} = p_{j, 0}\) and \(p_{i, 2N} = p_{j, 2N}\). Define \(p_0 = p_{i, 0}\) and \(p_{2N} = p_{i, 2N}\).

Finally, \(\left p_{2N}  p_0 \right > \varepsilon \).
Next, define the oracle \(Q :[1,r] \times [0,2N] \rightarrow \{0,1\}\) to be a randomized oracle that on input (i, x) outputs 1 with probability \(p_{i, x}\). Repeated calls to Q on the same input (i, x) will yield a fresh and independentlysampled bit. The \((N, r, q, \delta , \varepsilon )\) generalized jumpfinding problem is to output some element in C given oracle access to Q.
Theorem 2.6
(Generalized JumpFinding Algorithm [NWZ16, Theorem 3.10]). There is an efficient algorithm \(\mathsf {QTrace}^{Q}(\lambda , N, r, q, \delta , \varepsilon )\) that runs in time \(t = \mathsf {poly}(\lambda , \log N, r, q, 1/\delta )\) and makes at most t queries to Q that solves the \((N, r, q, \delta , \varepsilon )\) generalized jumpfinding problem with probability \(1  \mathsf {negl}(\lambda )\) whenever \(\varepsilon \ge \delta (9 + 4(\left\lceil \log N \right\rceil  1) q)\). Moreover, any element \((s, b_1, \ldots , b_r) \in [N] \times \{0,1\}^r\) output by \(\mathsf {QTrace}^Q\) satisfies the following property (with overwhelming probability):

For all \(i \in [r]\), \(\left P(i, 2s  b_i)  P(i, 2s  1  b_i) \right \ge \delta \), where \(P(i,x) \mathrel {\mathop :}=\Pr [Q(i,x) = 1]\).
Remark 2.7
(Cheating Oracles [NWZ16, Remark 3.8]). The algorithm \(\mathsf {QTrace}^Q\) from Theorem 2.6 succeeds in solving the \((N, r, q, \delta , \varepsilon )\) generalized jumpfinding problem even if the oracle Q does not satisfy all of the requirements in Definition 2.5. As long as the first two properties hold for all pairs (i, x) and (j, y) queried by \(\mathsf {QTrace}^Q\), the algorithm succeeds in outputting an element in C.
2.1 Functional Encryption
In this section, we recall the notions of attributebased encryption (ABE) and mixed functional encryption (mixed FE) that we use in this work.
Mixed FE. A mixed FE scheme [GKW18] is a secretkey FE scheme (i.e., a secret key is needed to encrypt) where ciphertexts are associated with binaryvalued functions \(f :\mathcal {X}\rightarrow \{0,1\}\) and decryption keys are associated with inputs \(x \in \mathcal {X}\). When a secret key \(\mathsf {sk}_x\) associated with an input x is used to decrypt a ciphertext encrypting a message f, the decryption algorithm outputs f(x). The special property in a mixed FE scheme is that there additionally exists a publickey encryption algorithm that can be used to encrypt to the “alwaysaccept” function (i.e., the function f where \(f(x) = 1\) for all \(x \in \mathcal {X}\)). Moreover, ciphertexts encrypted using the public key are computationally indistinguishable from ciphertexts produced by using the secret key to encrypt the “alwaysaccept” function. Finally, for our constructions, we require an additional property where the master public key and the master secret key for the mixed FE scheme can be generated independently. This means that we can have a family of mixed FE schemes sharing a common set of public parameters. As we discuss in the full version of this paper [KW19a], all existing mixed FE schemes satisfy this requirement.
Definition 2.8
(Mixed Functional Encryption [GKW18]). A mixed functional encryption scheme \(\varPi _{\mathsf {MFE}}\) with domain \(\mathcal {X}\) and function family \(\mathcal {F}= \{ f :\mathcal {X}\rightarrow \{0,1\} \}\) is a tuple of algorithms \(\varPi _{\mathsf {MFE}}= (\mathsf {PrmsGen}, \mathsf {MSKGen}, \mathsf {KeyGen}, \mathsf {PKEnc}, \mathsf {SKEnc}, \mathsf {Dec})\) with the following properties:

\(\mathsf {PrmsGen}(1^\lambda ) \rightarrow \mathsf {pp}\): On input the security parameter \(\lambda \), the parameter generation algorithm outputs the public parameters \(\mathsf {pp}\).

\(\mathsf {MSKGen}(\mathsf {pp}) \rightarrow \mathsf {msk}\): On input the public parameters \(\mathsf {pp}\), the master secret key generation algorithm outputs a master secret key \(\mathsf {msk}\).

\(\mathsf {KeyGen}(\mathsf {msk}, x) \rightarrow \mathsf {sk}_x\): On input the master secret key \(\mathsf {msk}\) and an input \(x \in \mathcal {X}\), the keygeneration algorithm outputs a secret key \(\mathsf {sk}_x\).

\(\mathsf {PKEnc}(\mathsf {pp}) \rightarrow \mathsf {ct}\): On input the public parameters \(\mathsf {pp}\), the public encryption algorithm outputs a ciphertext \(\mathsf {ct}\).

\(\mathsf {SKEnc}(\mathsf {msk}, f) \rightarrow \mathsf {ct}_f\): On input the master secret key \(\mathsf {msk}\) and a function \(f \in \mathcal {F}\), the secret encryption algorithm outputs a ciphertext \(\mathsf {ct}_f\).

\(\mathsf {Dec}(\mathsf {sk}, \mathsf {ct}) \rightarrow b\): On input a secret key \(\mathsf {sk}\) and a ciphertext \(\mathsf {ct}\), the decryption algorithm outputs a bit \(b \in \{0,1\}\).
A mixed FE scheme should satisfy the following properties:

Correctness: For all functions \(f \in \mathcal {F}\) and all inputs \(x \in \mathcal {X}\), and setting \(\mathsf {pp}\leftarrow \mathsf {PrmsGen}(1^\lambda )\), \(\mathsf {msk}\leftarrow \mathsf {MSKGen}(\mathsf {pp})\), \(\mathsf {sk}_x \leftarrow \mathsf {KeyGen}(\mathsf {msk}, x)\), \(\mathsf {ct}\leftarrow \mathsf {PKEnc}(\mathsf {pp})\), \(\mathsf {ct}_f \leftarrow \mathsf {SKEnc}(\mathsf {msk}, f)\), it follows that
$$ \Pr [\mathsf {Dec}(\mathsf {sk}_x, \mathsf {ct}) = 1] = 1  \mathsf {negl}(\lambda ) \quad \text {and} \quad \Pr [\mathsf {Dec}(\mathsf {sk}_x, \mathsf {ct}_f) = f(x)] = 1  \mathsf {negl}(\lambda ). $$ 
Semantic security: For a bit \(b \in \{0,1\}\), we define the security experiment \(\mathsf {ExptMFE}_{\mathsf {SS}}[\lambda , \mathcal {A}, b]\) between a challenger and an adversary \(\mathcal {A}\). The challenger begins by sampling \(\mathsf {pp}\leftarrow \mathsf {PrmsGen}(1^\lambda )\), \(\mathsf {msk}\leftarrow \mathsf {MSKGen}(\mathsf {pp})\), and gives \(\mathsf {pp}\) to \(\mathcal {A}\). The adversary is then given access to the following oracles:

Keygeneration oracle: On input \(x \in \mathcal {X}\), the challenger replies with \(\mathsf {sk}_x \leftarrow \mathsf {KeyGen}(\mathsf {msk}, x)\).

Encryption oracle: On input \(f \in \mathcal {F}\), the challenger replies with \(\mathsf {ct}_f \leftarrow \mathsf {SKEnc}(\mathsf {msk}, f)\).

Challenge oracle: On input two functions \(f_0, f_1 \in \mathcal {F}\), the challenger replies with \(\mathsf {ct}\leftarrow \mathsf {SKEnc}(\mathsf {msk}, f_b)\).
At the end of the game, the adversary outputs a bit \(b' \in \{0,1\}\), which is also the output of the experiment. An adversary \(\mathcal {A}\) is admissible for the mixed FE semantic security game if it makes one challenge query \((f_0, f_1)\), and for all inputs \(x \in \mathcal {X}\) the adversary submits to the keygeneration oracle, \(f_0(x) = f_1(x)\). The mixed FE scheme satisfies (adaptive) semantic security if for all efficient and admissible adversaries \(\mathcal {A}\),
$$\begin{aligned} \left \Pr [\mathsf {ExptMFE}_{\mathsf {SS}}[\lambda , \mathcal {A}, 0] = 1]  \Pr [\mathsf {ExptMFE}_{\mathsf {SS}}[\lambda , \mathcal {A}, 1] = 1] \right = \mathsf {negl}(\lambda ). \end{aligned}$$ 

Public/secret key indistinguishability: For a bit \(b \in \{0,1\}\), we define the security experiment \(\mathsf {ExptMFE}_{\mathsf {PK/SK}}[\lambda , \mathcal {A}, b]\) between a challenger and an adversary \(\mathcal {A}\). The challenger begins by sampling \(\mathsf {pp}\leftarrow \mathsf {PrmsGen}(1^\lambda )\), \(\mathsf {msk}\leftarrow \mathsf {MSKGen}(\mathsf {pp})\), and gives \(\mathsf {pp}\) to \(\mathcal {A}\). The adversary is then given access to the following oracles:

Keygeneration oracle: On input \(x \in \mathcal {X}\), the challenger replies with \(\mathsf {sk}_x \leftarrow \mathsf {KeyGen}(\mathsf {msk}, x)\).

Encryption oracle: On input \(f \in \mathcal {F}\), the challenger replies with \(\mathsf {ct}_f \leftarrow \mathsf {SKEnc}(\mathsf {msk}, f)\).

Challenge oracle: On input a function \(f \in \mathcal {F}\), the challenger computes \(\mathsf {ct}_0 \leftarrow \mathsf {PKEnc}(\mathsf {pp})\) and \(\mathsf {ct}_1 \leftarrow \mathsf {SKEnc}(\mathsf {msk}, f)\) and gives \(\mathsf {sk}_b\) to the adversary.
At the end of the game, the adversary outputs a bit \(b' \in \{0,1\}\), which is also the output of the experiment. An adversary \(\mathcal {A}\) is admissible for the public/secret key indistinguishability game if it makes a single challenge query \(f \in \mathcal {F}\) and for all inputs \(x \in \mathcal {X}\) the adversary submits to the keygeneration oracle, \(f(x) = 1\). The mixed FE scheme satisfies (adaptive) public/secret key indistinguishability if for all efficient and admissible adversaries \(\mathcal {A}\), it holds that
$$\begin{aligned} \left \Pr [\mathsf {ExptMFE}_{\mathsf {PK/SK}}[\lambda , \mathcal {A}, 0] = 1]  \Pr [\mathsf {ExptMFE}_{\mathsf {PK/SK}}[\lambda , \mathcal {A}, 1] = 1] \right = \mathsf {negl}(\lambda ). \end{aligned}$$ 
We include additional preliminaries and discussion about mixed FE (e.g., imposing a bound on the number of encryption oracle queries the adversary can make in the security games) in the full version of this paper [KW19a].
3 Revocable Predicate Encryption
In this section, we introduce our notion of a secretkey revocable predicate encryption scheme that supports a public broadcast functionality (i.e., a publickey encryption algorithm that outputs ciphertexts that can be decrypted by all secret keys in the system). This will be the primary primitive we use to construct our identitybased traceandrevoke scheme (described in Sect. 4). Our definitions can be viewed as a special case of the more general notion of (publickey) revocable functional encryption from [NWZ16]. The advantage of considering this relaxed notion is that it enables constructions from standard assumptions (whereas we only know how to construct fully secure revocable functional encryption from indistinguishability obfuscation). We introduce our notion below and then show how to construct it by combining mixed FE, ABE, and a subsetcover set system in Sect. 3.1.
Definition 3.1
(SecretKey Revocable Predicate Encryption with Broadcast). A secretkey revocable predicate encryption scheme (RPE) scheme with broadcast for an identity space \(\mathcal {ID}\), an attribute space \(\mathcal {X}\), a function family \(\mathcal {F}= \{ f :\mathcal {X}\rightarrow \{0,1\} \}\), and a message space \(\mathcal {M}\) is a tuple of algorithms \(\varPi _{\mathsf {RPE}}= (\mathsf {Setup}, \mathsf {KeyGen}, \mathsf {Broadcast}, \mathsf {Enc}, \mathsf {Dec})\) defined as follows:

\(\mathsf {Setup}(1^\lambda ) \rightarrow (\mathsf {pp}, \mathsf {msk})\): On input the security parameter \(\lambda \), the setup algorithm outputs the public parameters \(\mathsf {pp}\) and the master secret key \(\mathsf {msk}\).

\(\mathsf {KeyGen}(\mathsf {msk}, \mathsf {id}, x) \rightarrow \mathsf {sk}_{\mathsf {id}, x}\): On input the master secret key \(\mathsf {msk}\), an identity \(\mathsf {id}\in \mathcal {ID}\), and an attribute \(x \in \mathcal {X}\), the keygeneration algorithm outputs a decryption key \(\mathsf {sk}_{\mathsf {id}, x}\).

\(\mathsf {Broadcast}(\mathsf {pp}, m, \mathcal {L}) \rightarrow \mathsf {ct}_{m,\mathcal {L}}\): On input the public key, a message m, and a revocation list \(\mathcal {L}\subseteq \mathcal {ID}\), the broadcast algorithm outputs a ciphertext \(\mathsf {ct}_{m, \mathcal {L}}\).

\(\mathsf {Enc}(\mathsf {msk}, f, m, \mathcal {L}) \rightarrow \mathsf {ct}_{f,m,\mathcal {L}}\): On input the master secret key \(\mathsf {msk}\), a function \(f \in \mathcal {F}\), a message \(m \in \mathcal {M}\), and a revocation list \(\mathcal {L}\subseteq \mathcal {ID}\), the encryption algorithm outputs a ciphertext \(\mathsf {ct}_{f, m, \mathcal {L}}\).

\(\mathsf {Dec}(\mathsf {sk}, \mathsf {ct}) \rightarrow m/\bot \): On input a decryption key \(\mathsf {sk}\) and a ciphertext \(\mathsf {ct}\), the decryption algorithm either outputs a message \(m \in \mathcal {M}\) or a special symbol \(\bot \).
A secretkey RPE scheme with broadcast should satisfy the following properties:

Correctness: For all functions \(f \in \mathcal {F}\), all identities \(\mathsf {id}\in \mathcal {ID}\), all attributes \(x \in \mathcal {X}\) where \(f(x) = 1\), all messages \(m \in \mathcal {M}\), and all revocation lists \(\mathcal {L}\subseteq \mathcal {ID}\) where \(\mathsf {id}\notin \mathcal {L}\), if we set \((\mathsf {pp}, \mathsf {msk}) \leftarrow \mathsf {Setup}(1^\lambda )\), \(\mathsf {sk}_{\mathsf {id}, x} \leftarrow \mathsf {KeyGen}(\mathsf {msk}, \mathsf {id}, x)\), the following holds:

Broadcast correctness: If \(\mathsf {ct}_{m, \mathcal {L}} \leftarrow \mathsf {Broadcast}(\mathsf {pp}, m, \mathcal {L})\), then
$$\begin{aligned} \Pr [\mathsf {Dec}(\mathsf {sk}_{\mathsf {id}, x}, \mathsf {ct}_{m,\mathcal {L}}) = m] = 1  \mathsf {negl}(\lambda ). \end{aligned}$$ 
Encryption correctness: If \(\mathsf {ct}_{f, m, \mathcal {L}} \leftarrow \mathsf {Enc}(\mathsf {msk}, f, m, \mathcal {L})\), then
$$\begin{aligned} \Pr [\mathsf {Dec}(\mathsf {sk}_{\mathsf {id}, x}, \mathsf {ct}_{f, m, \mathcal {L}}) = m] = 1  \mathsf {negl}(\lambda ). \end{aligned}$$


Message hiding: For a bit \(b \in \{0,1\}\), we define the experiment \(\mathsf {ExptRPE}_{\mathsf {MH}}[\lambda , \mathcal {A}, b]\) between a challenger and an adversary \(\mathcal {A}\). The challenger begins by sampling \((\mathsf {pp}, \mathsf {msk}) \leftarrow \mathsf {Setup}(1^\lambda )\) and gives \(\mathsf {pp}\) to \(\mathcal {A}\). The adversary is then given access to the following oracles:

Keygeneration oracle: On input an identity \(\mathsf {id}\in \mathcal {ID}\) and an attribute \(x \in \mathcal {X}\), the challenger replies with \(\mathsf {sk}_{\mathsf {id}, x} \leftarrow \mathsf {KeyGen}(\mathsf {msk}, \mathsf {id}, x)\).

Encryption oracle: On input a function \(f \in \mathcal {F}\), a message \(m \in \mathcal {M}\), and a revocation list \(\mathcal {L}\subseteq \mathcal {ID}\), the challenger replies with \(\mathsf {ct}_{f,m,\mathcal {L}} \leftarrow \mathsf {Enc}(\mathsf {msk}, f, m, \mathcal {L})\).

Challenge oracle: On input a function \(f \in \mathcal {F}\), two messages \(m_0, m_1 \in \mathcal {M}\), and a revocation list \(\mathcal {L}\subseteq \mathcal {ID}\), the challenger computes \(\mathsf {ct}_b \leftarrow \mathsf {Enc}(\mathsf {msk}, f, m_b, \mathcal {L})\) and gives \(\mathsf {ct}_b\) to the adversary.
At the end of the game, the adversary outputs a bit \(b' \in \{0,1\}\), which is the output of the experiment. An adversary \(\mathcal {A}\) is admissible for the message hiding game if it makes a single challenge query \((f, m_0, m_1, \mathcal {L})\) such that for all pairs \((\mathsf {id}, x)\) the adversary submitted to the keygeneration oracle, it holds that \(f(x) = 0\) or \(\mathsf {id}\in \mathcal {L}\). We say that \(\varPi _{\mathsf {RPE}}\) satisfies (adaptive) message hiding if for all efficient and admissible adversaries \(\mathcal {A}\),
$$\begin{aligned} \left \Pr [\mathsf {ExptRPE}_{\mathsf {MH}}[\lambda , \mathcal {A}, 0] = 1]  \Pr [\mathsf {ExptRPE}_{\mathsf {MH}}[\lambda , \mathcal {A}, 1] = 1] \right = \mathsf {negl}(\lambda ). \end{aligned}$$ 

Function hiding: For a bit \(b \in \{0,1\}\), we define the experiment \(\mathsf {ExptRPE}_{\mathsf {FH}}[\lambda , \mathcal {A}, b]\) between a challenger and an adversary \(\mathcal {A}\) exactly as \(\mathsf {ExptRPE}_{\mathsf {MH}}[\lambda , \mathcal {A}, b]\), except the challenge oracle is replaced with the following:

Challenge oracle: On input two functions \(f_0, f_1 \in \mathcal {F}\), a message \(m \in \mathcal {M}\), and a revocation list \(\mathcal {L}\subseteq \mathcal {ID}\), the challenger computes \(\mathsf {ct}_b \leftarrow \mathsf {Enc}(\mathsf {msk}, f_b, m, \mathcal {L})\) and gives \(\mathsf {ct}_b\) to the adversary.
We say an adversary \(\mathcal {A}\) is admissible for the functionhiding game if it makes a single challenge query \((f_0, f_1, m, \mathcal {L})\) such that for all pairs \((\mathsf {id}, x)\) the adversary submitted to the keygeneration oracle, either \(f_0(x) = f_1(x)\) or \(\mathsf {id}\in \mathcal {L}\). We say that \(\varPi _{\mathsf {RPE}}\) satisfies (adaptive) function hiding if for all efficient and admissible adversaries \(\mathcal {A}\),
$$\begin{aligned} \left \Pr [\mathsf {ExptRPE}_{\mathsf {FH}}[\lambda , \mathcal {A}, 0] = 1]  \Pr [\mathsf {ExptRPE}_{\mathsf {FH}}[\lambda , \mathcal {A}, 1] = 1] \right = \mathsf {negl}(\lambda ). \end{aligned}$$ 

Broadcast security: For a bit \(b \in \{0,1\}\), we define the security experiment \(\mathsf {ExptRPE}_{\mathsf {BC}}[\lambda , \mathcal {A}, b]\) between a challenger and an adversary \(\mathcal {A}\) exactly as \(\mathsf {ExptRPE}_{\mathsf {MH}}[\lambda , \mathcal {A}, b]\), except the challenge oracle is replaced with the following:

Challenge oracle: On input a message \(m \in \mathcal {M}\) and a revocation list \(\mathcal {L}\subseteq \mathcal {ID}\), the challenger computes \(\mathsf {ct}_0 \leftarrow \mathsf {Broadcast}(\mathsf {pp}, m, \mathcal {L})\) and \(\mathsf {ct}_1 \leftarrow \mathsf {Enc}(\mathsf {msk}, f, m, \mathcal {L})\) where \(f_{\mathsf {accept}}\) is the “alwaysaccept” function (i.e., \(f_{\mathsf {accept}}(x) = 1\) for all \(x \in \mathcal {X}\)). It gives \(\mathsf {ct}_b\) to the adversary.
At the end of the game, the adversary outputs a bit \(b' \in \{0,1\}\), which is the output of the experiment. We say that \(\varPi _{\mathsf {RPE}}\) satisfies (adaptive) broadcast security if for all efficient adversaries \(\mathcal {A}\) that make at most one challenge query,
$$\begin{aligned} \left \Pr [\mathsf {ExptRPE}_{\mathsf {BC}}[\lambda , \mathcal {A}, b] = 1]  \Pr [\mathsf {ExptRPE}_{\mathsf {BC}}[\lambda , \mathcal {A}, 1]] \right = \mathsf {negl}(\lambda ). \end{aligned}$$ 
Remark 3.2
(NonAdaptive qQuery Security). For each of the security notions in Definition 3.1 (message hiding, function hiding, and broadcast security), we define a notion of nonadaptive qquery security where the corresponding security notion only holds against all adversaries that make at most \(q \in \mathbb {N}\) queries to the encryption oracle, and moreover, all of the nonencryption queries occur before the encryption queries. Achieving this notion is easier and suffices for our main construction (adaptivelysecure traceandrevoke).
Remark 3.3
(Embedding the Revocation List in the Attribute). A natural approach for constructing a revocable predicate encryption scheme from any vanilla predicate encryption scheme is to include the revocation list \(\mathcal {L}\) as part of the function in the predicate encryption scheme. A decryption key for an identity \(\mathsf {id}\) would then check that \(\mathsf {id}\) is not contained in the revocation list \(\mathcal {L}\) associated with the ciphertext. This is the approach suggested in [NWZ16, Remark 6.2] in the context of constructing a revocable functional encryption scheme. While this approach may seem straightforward, it has a significant drawback in most settings. In existing predicate encryption schemes from standard assumptions, the decryption functionality is represented as a circuit, which takes fixedsize inputs. Thus, if the revocation list is embedded as part of the ciphertext, then a predicate encryption scheme for circuitbased predicates would only be able to support an a priori bounded number of revocations. In contrast, the our construction allows for revoking an arbitrary polynomial number of users (Sect. 3.1). Of course, if we can construct predicate or functional encryption for Turing machine or RAM computations, then this natural revocation approach would suffice. Existing constructions of functional encryption for Turing machine computations all rely on indistinguishability obfuscation [KLW15, AJS17, AS16, GS18].
3.1 Constructing SecretKey Revocable Predicate Encryption with Broadcast
In this section, we describe our construction of a secretkey revocable predicate encryption with broadcast scheme for general predicates by combining a mixed FE scheme, an ABE scheme, and a subsetcover set system. As discussed in Sect. 1.1, our core construction (without revocation) can be viewed as a direct generalization of the construction of private linear broadcast encryption from mixed FE and ABE from [GKW18]. We next augment our construction with a subset cover set system to support revocation. Our techniques allow revoking an arbitrary number of users (in contrast to previous traceandrevoke schemes from standard assumptions that could only handle bounded revocations [NWZ16, ABP+17]). We give our full construction and its analysis below:
Construction 3.4
(SecretKey Revocable Predicate Encryption with Broadcast). Fix an identity space \(\mathcal {ID}= \{0,1\}^{n}\), attribute space \(\mathcal {X}\), function family \(\mathcal {F}= \{ f :\mathcal {X}\rightarrow \{0,1\} \}\) and message space \(\mathcal {M}\), where \(n = n(\lambda )\).

Let [K] be the subsetcover set system for the set \(\mathcal {ID}= \{0,1\}^n\). Let \(\varPi _{\mathsf {SC}}= (\mathsf {Encode}, \mathsf {ComputeCover})\) be the algorithms associated with the set system.

Let \(\varPi _{\mathsf {MFE}}= (\mathsf {MFE}{.}\mathsf {PrmsGen}, \mathsf {MFE}{.}\mathsf {MSKGen}, \mathsf {MFE}{.}\mathsf {KeyGen}, \mathsf {MFE}{.}\mathsf {PKEnc}, \mathsf {MFE}{.}\mathsf {SKEnc}, \mathsf {MFE}{.}\mathsf {Dec})\) be a mixed FE scheme with domain \(\mathcal {X}\) and function family \(\mathcal {F}\). Let \(\rho = \rho (\lambda )\) be the randomness complexity of the master secret key generation algorithm \(\mathsf {MFE}{.}\mathsf {MSKGen}\), let \(\mathcal {C}\mathcal {T}\) denote the ciphertext space of \(\varPi _{\mathsf {MFE}}\) (i.e., the range of \(\mathsf {MFE}{.}\mathsf {PKEnc}\) and \(\mathsf {MFE}{.}\mathsf {SKEnc}\)), and let \(\mathcal {S}\mathcal {K}\) denote the secret key space of \(\varPi _{\mathsf {MFE}}\) (i.e., the range of \(\mathsf {MFE}{.}\mathsf {KeyGen}\)). We will require that \(\varPi _{\mathsf {MFE}}\) be subexponentially secure, so let \(\varepsilon > 0\) be a constant such that \(2^{\varOmega (\lambda ^{\varepsilon })}\) bounds the advantage of any efficient adversary \(\mathcal {A}\) for the security of \(\varPi _{\mathsf {MFE}}\).

For a secret key \(\mathsf {mfe{.}sk}\in \mathcal {S}\mathcal {K}\) and an index \(i^*\in [K]\), define the function \(g_{\mathsf {mfe{.}sk}, i^*} :\mathcal {C}\mathcal {T}\times [K] \rightarrow \{0,1\}\) to be the function
$$ g_{\mathsf {mfe{.}sk}, i^*}(\mathsf {ct}, i) = {\left\{ \begin{array}{ll} 1 &{} \mathsf {MFE}{.}\mathsf {Dec}(\mathsf {mfe{.}sk}, \mathsf {ct}) = 1 \text { and } i = i^*\\ 0 &{} \text {otherwise}. \end{array}\right. } $$ 
Let \(\varPi _{\mathsf {ABE}}= (\mathsf {ABE}{.}\mathsf {Setup}, \mathsf {ABE}{.}\mathsf {KeyGen}, \mathsf {ABE}{.}\mathsf {Enc}, \mathsf {ABE}{.}\mathsf {Dec})\) be an attributebased encryption scheme over message space \(\mathcal {M}\), attribute space \(\mathcal {X}' = \mathcal {C}\mathcal {T}\times [K]\) and function family \(\mathcal {F}' = \{ \mathsf {mfe{.}sk}\in \mathcal {S}\mathcal {K}, i^*\in [K] : g_{\mathsf {mfe{.}sk}, i^*} \}\).

Let \(F :\mathcal {K}\times [K] \rightarrow \{0,1\}^\rho \) be a pseudorandom function.
We construct a secretkey revocable predicate encryption scheme as follows:

\(\mathsf {Setup}(1^\lambda )\): On input the security parameter \(\lambda \), the setup algorithm sets \(\lambda ' = \max (\lambda , (\log K)^{2/\varepsilon })\). It then generates mixed FE public parameters \(\mathsf {mfe{.}pp}\leftarrow \mathsf {MFE}{.}\mathsf {PrmsGen}(1^{\lambda '})\). It also instantiates an attributebased encryption scheme \((\mathsf {abe{.}pp}, \mathsf {abe{.}msk}) \leftarrow \mathsf {ABE}{.}\mathsf {Setup}(1^\lambda )\), samples a PRF key \(k \,{\mathop {\leftarrow }\limits ^{\textsc {r}}}\, \mathcal {K}\), and outputs
$$\begin{aligned} \mathsf {pp}= (\mathsf {mfe{.}pp}, \mathsf {abe{.}pp}) \quad \text {and} \quad \mathsf {msk}= (\mathsf {pp}, \mathsf {abe{.}msk}, k) . \end{aligned}$$ 
\(\mathsf {KeyGen}(\mathsf {msk}, \mathsf {id}, x)\): On input a master secret key \(\mathsf {msk}\), an identity \(\mathsf {id}\in \mathcal {ID}\), and an attribute \(x \in \mathcal {X}\), the keygeneration algorithm does the following:

1.
Compute a subsetcover encoding of the identity \(\mathcal {I}_\mathsf {id}\leftarrow \mathsf {Encode}(\mathsf {id})\).

2.
For each index \(i \in \mathcal {I}_\mathsf {id}\), the algorithm samples randomness \(r_{i} \leftarrow F(k, i)\). It then generates a mixed FE master secret key \(\mathsf {mfe{.}msk}_i \leftarrow \mathsf {MFE}{.}\mathsf {MSKGen}(\mathsf {mfe{.}pp}; r_i)\) and a mixed FE decryption key \(\mathsf {mfe{.}sk}_{i,x} \leftarrow \mathsf {MFE}{.}\mathsf {KeyGen}(\mathsf {mfe{.}msk}_i, x)\).

3.
Finally, for each \(i \in \mathcal {I}_\mathsf {id}\), it constructs an ABE decryption key with respect to the function \(g_{\mathsf {mfe{.}msk}_{i,x}, i}\) as follows: \(\mathsf {abe{.}sk}_{i, x} \leftarrow \mathsf {ABE}{.}\mathsf {KeyGen}(\mathsf {abe{.}msk}, g_{\mathsf {mfe{.}sk}_{i, x}, i})\).

4.
It outputs the collection of keys \(\mathsf {sk}_{\mathsf {id}, x} = \{ (i, \mathsf {abe{.}sk}_{i,x}) \}_{i \in \mathcal {I}_\mathsf {id}}\).

1.

\(\mathsf {Broadcast}(\mathsf {pp}, m, \mathcal {L})\): On input the public parameters \(\mathsf {pp}= (\mathsf {mfe{.}pp}, \mathsf {abe{.}pp})\), a message m, and a revocation list \(\mathcal {L}\subseteq \mathcal {ID}\), the broadcast algorithm does the following:

1.
Obtain a cover for \(\mathcal {ID}{\setminus } \mathcal {L}\) by computing \(\mathcal {J}_{\mathcal {L}} \leftarrow \mathsf {ComputeCover}(\mathcal {L})\).

2.
For each \(i \in \mathcal {J}_{\mathcal {L}}\), it generates a mixed FE ciphertext \(\mathsf {mfe{.}ct}_i \leftarrow \mathsf {MFE}{.}\mathsf {PKEnc}(\mathsf {mfe{.}pp})\) and an ABE ciphertext \(\mathsf {abe{.}ct}_i \leftarrow \mathsf {ABE}{.}\mathsf {Enc}\)\((\mathsf {abe{.}pp}, (\mathsf {mfe{.}ct}_i, i), m)\).

3.
It outputs the ciphertext \(\mathsf {ct}_{m, \mathcal {L}} = \{ (i, \mathsf {abe{.}ct}_i) \}_{i \in \mathcal {J}_{\mathcal {L}}}\).

1.

\(\mathsf {Enc}(\mathsf {msk}, f, m, \mathcal {L})\): On input the master secret key \(\mathsf {msk}= (\mathsf {pp}, \mathsf {abe{.}msk}, k)\), a function \(f \in \mathcal {F}\), a message \(m \in \mathcal {M}\), and a revocation list \(\mathcal {L}\subseteq \mathcal {ID}\), where \(\mathsf {pp}= (\mathsf {mfe{.}pp}, \mathsf {abe{.}pp})\), the encryption algorithm does the following:

1.
Obtain a cover for \(\mathcal {ID}{\setminus } \mathcal {L}\) by computing \(\mathcal {J}_{\mathcal {L}} \leftarrow \mathsf {ComputeCover}(\mathcal {L})\).

2.
Then, for each \(i \in \mathcal {J}_{\mathcal {L}}\), it computes \(r_i \leftarrow F(k, i)\) and derives the corresponding mixed FE master secret key \(\mathsf {mfe{.}msk}_i \leftarrow \mathsf {MFE}{.}\mathsf {MSKGen}(\mathsf {mfe{.}pp}; r_i)\). It then encrypts \(\mathsf {mfe{.}ct}_i \leftarrow \mathsf {MFE}{.}\mathsf {SKEnc}(\mathsf {mfe{.}msk}_i, f)\).

3.
For each \(i \in \mathcal {J}_{\mathcal {L}}\), it computes \(\mathsf {abe{.}ct}_{i} \leftarrow \mathsf {ABE}{.}\mathsf {Enc}(\mathsf {abe{.}pp}, (\mathsf {mfe{.}ct}_i, i), m)\), and outputs the ciphertext \(\mathsf {ct}_{f, m, \mathcal {L}} = \{ (i, \mathsf {abe{.}ct}_i) \}_{i \in \mathcal {J}_{\mathcal {L}}}\).

1.

\(\mathsf {Dec}(\mathsf {sk}, \mathsf {ct})\): On input a key \(\mathsf {sk}= \{ (i, \mathsf {abe{.}sk}_{i}) \}_{i \in \mathcal {I}}\) and a ciphertext \(\mathsf {ct}= \{ (i, \mathsf {abe{.}ct}_i) \}_{i \in \mathcal {J}}\), the decryption algorithm first checks if \(\mathcal {I}\cap \mathcal {J}= \varnothing \). If so, it outputs \(\bot \). Otherwise, it chooses an arbitrary index \(i \in \mathcal {I}\cap \mathcal {J}\) and outputs \(m \leftarrow \mathsf {ABE}{.}\mathsf {Dec}(\mathsf {abe{.}sk}_{i}, \mathsf {abe{.}ct}_{i})\).
Correctness and Security Analysis. We state our main theorems on the properties of Construction 3.4 below, but defer their analysis to the full version of this paper [KW19a].
Theorem 3.5
(Correctness). Suppose that \(\varPi _{\mathsf {MFE}}\), \(\varPi _{\mathsf {ABE}}\), and \(\varPi _{\mathsf {SC}}\) are correct. Then, the predicate encryption scheme \(\varPi _{\mathsf {RPE}}\) from Construction 3.4 is correct.
Theorem 3.6
(Message Hiding). Suppose that \(\varPi _{\mathsf {MFE}}\) and \(\varPi _{\mathsf {SC}}\) are correct, and \(\varPi _{\mathsf {ABE}}\) satisfies semantic security. Then, the predicate encryption scheme \(\varPi _{\mathsf {RPE}}\) from Construction 3.4 satisfies message hiding.
Theorem 3.7
(Function Hiding). Suppose that \(\varPi _{\mathsf {MFE}}\) satisfies subexponential nonadaptive qquery (resp., adaptive) semantic security. Specifically, suppose that the advantage of any adversary running in time \(\mathsf {poly}(\lambda )\) in the semantic security game is bounded by \(2^{\varOmega (\lambda ^\varepsilon )}\). In addition, suppose that \(\varPi _{\mathsf {ABE}}\) is secure, F is a secure PRF, and \(\varPi _{\mathsf {SC}}\) is correct. Then, the predicate encryption scheme in Construction 3.4 satisfies nonadaptive qquery (resp., adaptive) function hiding security.
Theorem 3.8
(Broadcast Security). Suppose that \(\varPi _{\mathsf {MFE}}\) satisfies subexponential nonadaptive qquery (resp., adaptive) public/secret key indistinguishability. Specifically, suppose that the advantage of any adversary running in time \(\mathsf {poly}(\lambda )\) in the public/secret key indistinguishability game is bounded by \(2^{\varOmega (\lambda ^\varepsilon )}\). In addition, suppose that F is a secure PRF. Then the predicate encryption scheme \(\varPi _{\mathsf {RPE}}\) in Construction 3.4 satisfies nonadaptive qquery (resp., adaptive) broadcast security.
3.2 Instantiating SecretKey Revocable Predicate Encryption with Broadcast
In this section, we describe one possible instantiation of secretkey revocable predicate encryption with broadcast from Construction 3.4. In particular, combining Construction 3.4 with Theorems 3.5 through 3.8 yields the following corollary:
Corollary 3.9
(SecretKey Revocable Predicate Encryption from LWE). Take an identityspace \(\mathcal {ID}= \{0,1\}^n\), attribute space \(\mathcal {X}= \{0,1\}^\ell \), and message space \(\mathcal {M}= \{0,1\}^t\) where \(n = n(\lambda )\), \(\ell = \ell (\lambda )\), and \(t = t(\lambda )\). Let \(\mathcal {F}= \{ f :\mathcal {X}\rightarrow \{0,1\} \}\) be a function family where every function \(f \in \mathcal {F}\) can be specified by a string of length \(z = z(\lambda )\) and computed by a Boolean circuit of depth \(d = d(\lambda )\). Then, assuming subexponential hardness of LWE (with a superpolynomial modulustonoise ratio), there exists a nonadaptive 1key secure secretkey revocable predicate encryption scheme with broadcast \(\varPi _{\mathsf {RPE}}\) over the identity space \(\mathcal {ID}\), attribute space \(\mathcal {X}\), and function family \(\mathcal {F}\). Moreover, \(\varPi _{\mathsf {RPE}}\) satisfies the following properties:

Public parameter size: \(\left \mathsf {pp} \right = \ell \cdot \mathsf {poly}(\lambda , d, n, z)\).

Secret key size: The secret key \(\mathsf {sk}_{\mathsf {id}, x}\) for an identity \(\mathsf {id}\in \{0,1\}^n\) and an attribute \(x \in \{0,1\}^\ell \) has size \(\left \mathsf {sk}_{\mathsf {id}, x} \right = \ell + \mathsf {poly}(\lambda , d, n, z)\).

Ciphertext size: An encryption \(\mathsf {ct}_{m, \mathcal {L}}\) of a message \(m \in \{0,1\}^t\) with revocation list \(\mathcal {L}\) has size \(\left \mathsf {ct}_{m, \mathcal {L}} \right = t + \left \mathcal {L} \right \cdot \mathsf {poly}(\lambda , d, n, z)\).
Proof
We instantiate Construction 3.4 using the subsetcover set system from Fact 2.4, the mixed FE scheme using the construction of Chen et al. [CVW+18], the ABE scheme using the construction of Boneh et al. [BGG+14], and the PRF from any oneway function [GGM84]. We describe the exact instantiations in greater detail in the full version of this paper [KW19a]. The mixed FE scheme is instantiated with domain \(\mathcal {X}= \{0,1\}^\ell \) and function family \(\mathcal {F}\), while the ABE scheme is instantiated with message space \(\mathcal {M}\), attribute space \(\mathcal {X}' = \mathcal {C}\mathcal {T}\times [K]\) and function family \(\mathcal {F}' = \{ \mathsf {mfe{.}sk}\in \mathcal {S}\mathcal {K}, i^*\in [K] : g_{\mathsf {mfe{.}sk}, i^*} \}\). We will use the following bounds in our analysis:

From Fact 2.4, we have that \(K = O(N)\), and correspondingly, \(\log K = O(\log N) = O(n)\).

We have that the length of a mixed FE ciphertext \(\mathsf {mfe{.}ct}\in \mathcal {C}\mathcal {T}\) is bounded by \(\left \mathsf {mfe{.}ct} \right = \mathsf {poly}(\lambda , d, z)\). Correspondingly, this means that the length \(\ell _{\mathsf {ABE}}\) of an ABE attribute is bounded by \(\ell _{\mathsf {ABE}} = \mathsf {poly}(\lambda , d, z) + \log K = \mathsf {poly}(\lambda , d, n, z)\).

Each function \(g_{\mathsf {mfe{.}sk}, i^*}\) can be implemented by a circuit with depth at most \(\mathsf {poly}(\lambda , d) + \log \log K = \mathsf {poly}(\lambda , d, \log n)\). Specifically, the mixed FE decryption circuit can be evaluated by a circuit of depth \(\mathsf {poly}(\lambda ', d) = \mathsf {poly}(\lambda , d, n, z)\) and the equalitycheck circuit can be evaluated by a circuit of depth \(\log \log K\) (since each input to the equalitycheck circuit is a \((\log K)\)bit value). Thus, the functions in \(\mathcal {F}'\) can be computed by Boolean circuits with depth at most \(d_{\mathsf {ABE}} \le \mathsf {poly}(\lambda , d, n, z)\). The description length of functions in \(\mathcal {F}'\) is \(\left \mathsf {mfe{.}sk} \right + \log K = \ell + \mathsf {poly}(\lambda , n, z)\).
Putting all the pieces together, we now have the following:

Public parameter size: The public parameters \(\mathsf {pp}\) consist of the ABE public parameters \(\mathsf {abe{.}pp}\) and the mixed FE public parameters \(\mathsf {mfe{.}pp}\). Then,
$$\begin{aligned} \left \mathsf {abe{.}pp} \right = \mathsf {poly}(\lambda , d_{\mathsf {ABE}}, \ell _{\mathsf {ABE}}) = \mathsf {poly}(\lambda , d, n, z), \end{aligned}$$and correspondingly,
$$\begin{aligned} \left \mathsf {mfe{.}pp} \right = \ell \cdot \mathsf {poly}(\lambda ', d, z) = \ell \cdot \mathsf {poly}(\lambda , d, n, z), \end{aligned}$$since \(\lambda ' = \mathsf {poly}(\lambda , \log K) = \mathsf {poly}(\lambda , n)\). Thus, \(\left \mathsf {pp} \right = \ell \cdot \mathsf {poly}(\lambda , d, n, z)\).

Secret key size: The secret key \(\mathsf {sk}_{\mathsf {id}, x} = \{ (i, \mathsf {abe{.}sk}_{i,x}) \}_{i \in \mathcal {I}_\mathsf {id}}\) for an identity \(\mathsf {id}\) and attribute x consists of \(\left \mathcal {I}_{\mathsf {id}} \right \) ABE secret keys, where \(\left \mathcal {I}_\mathsf {id} \right \leftarrow \mathsf {Encode}(\mathsf {id})\). By Fact 2.4, \(\left \mathcal {I}_{id} \right = \log N + 1 = \mathsf {poly}(n)\). Finally,
$$\begin{aligned} \left \mathsf {abe{.}sk}_{i,x} \right = \left g_{\mathsf {mfe{.}sk}_{i,x}, i} \right + \mathsf {poly}(\lambda , d_{\mathsf {ABE}}, \ell _{\mathsf {ABE}}) = \ell + \mathsf {poly}(\lambda , d, n, z). \end{aligned}$$Thus, \(\left \mathsf {sk}_{\mathsf {id}, x} \right = \left \mathcal {I}_{\mathsf {id}} \right \cdot \left \mathsf {abe{.}sk}_{i,x} \right = \ell + \mathsf {poly}(\lambda , d, n, z)\).

Ciphertext size: Without loss of generality, we can always use hybrid encryption for the ciphertexts. Namely, the encryption algorithm samples a symmetric key k to encrypt the message and then encrypts k using the secretkey revocable predicate encryption scheme. The final ciphertext \(\mathsf {ct}_{m, \mathcal {L}}\) then consists of a symmetric encryption of the message m (which has size \(\left m \right + \mathsf {poly}(\lambda )\)) and a revocable predicate encryption ciphertext \(\widehat{\mathsf {ct}}\) of the key k. In this case, \(\left k \right = \mathsf {poly}(\lambda )\), and the overall ciphertext size is \(\left \mathsf {ct} \right = \left m \right + \mathsf {poly}(\lambda ) + \left \widehat{\mathsf {ct}} \right \), where \(\widehat{\mathsf {ct}}= \{ (i, \mathsf {abe{.}ct}_i) \}_{i \in \mathcal {J}_{\mathcal {L}}}\) is an encryption of k using \(\varPi _{\mathsf {RPE}}\). By construction, \(\widehat{\mathsf {ct}}\) consists of \(\left \mathcal {J}_{\mathcal {L}} \right \) ABE ciphertexts, where \(\mathcal {J}_{\mathcal {L}} \leftarrow \mathsf {ComputeCover}(\mathcal {L})\). By Fact 2.4, \(\left \mathcal {L} \right = O(\left \mathcal {L} \right \log (N / \left \mathcal {L} \right )) = \left \mathcal {L} \right \cdot \mathsf {poly}(n)\). Finally, \(\left \mathsf {abe{.}ct}_i \right = \left k \right + \ell _{\mathsf {ABE}} \cdot \mathsf {poly}(\lambda , d_{\mathsf {ABE}}, \ell _{\mathsf {ABE}}) = \mathsf {poly}(\lambda , d, n, z)\), and so
$$\begin{aligned} \left \mathsf {ct}_{m, \mathcal {L}} \right = \left m \right + \mathsf {poly}(\lambda ) + \left \widehat{\mathsf {ct}} \right = t + \left \mathcal {L} \right \cdot \mathsf {poly}(\lambda , d, n, z). \end{aligned}$$\(\square \)
Remark 3.10
(Handling More General Revocation Policies). Construction 3.4 naturally supports any revocation policy that can be described by a polynomialsize cover in the underlying subsetcover set system. In particular, the prefixbased subsetcover set system by Naor et al. [NNL01] from Fact 2.4 can compute a cover that excludes any polynomial number of prefixes (in addition to full identities). For instance, we can use the set system to revoke all users whose identities start with “000” or “01” (i.e., revoke all identities of the form 000*** and 01****). This way, the number of revoked users in the set \(\mathcal {L}\) can be exponential, as long as they can be described by a polynomialnumber of prefixbased clusters. Correspondingly, the traitor tracing scheme we construct in Sect. 4 will also support these types of revocation policies.
4 IdentityBased TraceandRevoke
In this section, we describe how to construct an identitybased traceandrevoke scheme using a secretkey revocable predicate encryption scheme with broadcast (Definition 3.1). We begin by recalling the formal definition of a traceandrevoke scheme. Our definitions are adapted from the corresponding ones in [BW06, NWZ16]. As we discuss in greater detail in Remark 4.2, our definition combines aspects of both definitions and is strictly stronger than both of the previous notions.
Definition 4.1
(TraceandRevoke [NWZ16, adapted]). A traceandrevoke scheme for a set of identities \(\mathcal {ID}\) and a message space \(\mathcal {M}\) is a tuple of algorithms \(\varPi _{\mathsf {TR}}= (\mathsf {Setup}, \mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Dec}, \mathsf {Trace})\) defined as follows:

\(\mathsf {Setup}(1^\lambda ) \rightarrow (\mathsf {pp}, \mathsf {msk})\): On input the security parameter \(\lambda \), the setup algorithm outputs the public parameters \(\mathsf {pp}\) and the master secret key \(\mathsf {msk}\).

\(\mathsf {KeyGen}(\mathsf {msk}, \mathsf {id}) \rightarrow \mathsf {sk}_{\mathsf {id}}\): On input the master secret key \(\mathsf {msk}\) and an identity \(\mathsf {id}\in \mathcal {ID}\), the keygeneration algorithm outputs a secret key \(\mathsf {sk}_{\mathsf {id}}\).

\(\mathsf {Enc}(\mathsf {pp}, m, \mathcal {L}) \rightarrow \mathsf {ct}_{m, \mathcal {L}}\): On input the public parameters \(\mathsf {pp}\), a message \(m \in \mathcal {M}\), and a list of revoked users \(\mathcal {L}\subseteq \mathcal {ID}\), the encryption algorithm outputs a ciphertext \(\mathsf {ct}_{m,\mathcal {L}} \).

\(\mathsf {Dec}(\mathsf {sk}, \mathsf {ct}) \rightarrow m/\bot \): On input a decryption key \(\mathsf {sk}\) and a ciphertext \(\mathsf {ct}\), the decryption algorithm either outputs a message \(m \in \mathcal {M}\) or a special symbol \(\bot \).

\(\mathsf {Trace}^{\mathcal {D}}(\mathsf {msk}, m_0, m_1, \mathcal {L}, \varepsilon ) \rightarrow \mathsf {id}/\bot \): On input the master secret key \(\mathsf {msk}\), two messages \(m_0, m_1 \in \mathcal {M}\), a revocation list \(\mathcal {L}\subseteq \mathcal {ID}\), a decodersuccess parameter \(\varepsilon > 0\), and assuming oracle access to a decoder algorithm \(\mathcal {D}\), the tracing algorithm either outputs an identity \(\mathsf {id}\in \mathcal {ID}\) or \(\bot \).
Moreover, a traceandrevoke scheme should satisfy the following properties:

Correctness: For all messages \(m \in \mathcal {M}\), all identities \(\mathsf {id}\in \mathcal {ID}\), and all revocation lists \(\mathcal {L}\subseteq \mathcal {ID}\) where \(\mathsf {id}\notin \mathcal {L}\), if we set \((\mathsf {pp}, \mathsf {msk}) \leftarrow \mathsf {Setup}(1^\lambda )\), \(\mathsf {sk}_\mathsf {id}\leftarrow \mathsf {KeyGen}(\mathsf {msk}, \mathsf {id})\), and \(\mathsf {ct}_{m, \mathcal {L}} \leftarrow \mathsf {Enc}(\mathsf {pp}, m, \mathcal {L})\), then
$$\begin{aligned} \Pr [\mathsf {Dec}(\mathsf {sk}_{\mathsf {id}}, \mathsf {ct}_{m, \mathcal {L}}) = m] = 1  \mathsf {negl}(\lambda ). \end{aligned}$$ 
Semantic Security: For a bit \(b \in \{0,1\}\), we define the security experiment \(\mathsf {ExptTR}_{\mathsf {SS}}[\lambda , \mathcal {A}, b]\) between a challenger and an adversary \(\mathcal {A}\). The challenger begins by sampling \((\mathsf {pp}, \mathsf {msk}) \leftarrow \mathsf {Setup}(1^\lambda )\) and gives \(\mathsf {pp}\) to \(\mathcal {A}\). The adversary is then given access to the following oracles:

Keygeneration oracle. On input an identity \(\mathsf {id}\in \mathcal {ID}\), the challenger replies with \(\mathsf {sk}_{\mathsf {id}} \leftarrow \mathsf {KeyGen}(\mathsf {msk}, \mathsf {id})\).

Challenge oracle. On input two messages \(m_0, m_1 \in \mathcal {M}\) and a revocation list \(\mathcal {L}\subseteq \mathcal {ID}\), the challenger replies with \(\mathsf {ct}_b \leftarrow \mathsf {Enc}(\mathsf {pp}, m_b, \mathcal {L})\).
At the end of the game, the adversary outputs a bit \(b' \in \{0,1\}\), which is the output of the experiment. An adversary \(\mathcal {A}\) is admissible for the semantic security game if it makes a single challenge query \((m_0, m_1, \mathcal {L})\), and moreover, for all keygeneration queries \(\mathsf {id}\) the adversary makes, \(\mathsf {id}\in \mathcal {L}\). We say that \(\varPi _{\mathsf {TR}}\) is semantically secure if for all efficient and admissible adversaries \(\mathcal {A}\),
$$\begin{aligned} \left \Pr [ \mathsf {ExptTR}_{\mathsf {SS}}[\lambda , \mathcal {A}, 0] = 1 ]  \Pr [ \mathsf {ExptTR}_{\mathsf {SS}}[\lambda , \mathcal {A}, 1] = 1 ] \right = \mathsf {negl}(\lambda ). \end{aligned}$$ 

Traceability: We define the experiment \(\mathsf {ExptTR}_{\mathsf {TR}}[\lambda , \mathcal {A}]\) between a challenger and an adversary \(\mathcal {A}\). The challenger begins by sampling \((\mathsf {pp}, \mathsf {msk}) \leftarrow \mathsf {Setup}(1^\lambda )\) and gives \(\mathsf {pp}\) to \(\mathcal {A}\). The adversary is then given access to the keygeneration oracle:

Keygeneration oracle. On input an identity \(\mathsf {id}\in \mathcal {ID}\), the challenger replies with \(\mathsf {sk}_{\mathsf {id}} \leftarrow \mathsf {KeyGen}(\mathsf {msk}, \mathsf {id})\).
At the end of the game, the adversary outputs a decoder algorithm \(\mathcal {D}\), two messages \(m_0, m_1 \in \mathcal {M}\), a revocation list \(\mathcal {L}\subseteq \mathcal {ID}\), and a nonnegligible decodersuccess probability \(\varepsilon > 0\). Let \(\mathcal {R}\subseteq \mathcal {ID}\) be the set of identities the adversary submitted to the keygeneration oracle and let \(\mathsf {id}^{*}\leftarrow \mathsf {Trace}^{\mathcal {D}}(\mathsf {msk}, m_0, m_1, \mathcal {L}, \varepsilon )\). Then the output of the experiment is 1 if \(\mathsf {id}^{*}\notin \mathcal {R}{\setminus } \mathcal {L}\) and 0 otherwise. We say that an adversary \(\mathcal {A}\) is admissible for the traceability game if the decoder algorithm output by \(\mathcal {A}\) satisfies
$$\begin{aligned} \Pr [ b \,{\mathop {\leftarrow }\limits ^{\textsc {r}}}\, \{0,1\}: \mathcal {D}(\mathsf {Enc}(\mathsf {pp}, m_b, \mathcal {L})) = b ] \ge 1/2 + \varepsilon . \end{aligned}$$Finally, we say that \(\varPi _{\mathsf {TR}}\) satisfies traceability security if for all efficient and admissible adversaries \(\mathcal {A}\),
$$\begin{aligned} \Pr [ \mathsf {ExptTR}_{\mathsf {TR}}[\lambda , \mathcal {A}] = 1 ] = \mathsf {negl}(\lambda ). \end{aligned}$$ 
Remark 4.2
(Comparison to Previous Traceability Notions). Our notion of traceability in Definition 4.1 combines aspects of the notions considered in [BW06] and [NWZ16] and is stronger than both of these previous definitions. First, similar to [NWZ16], we only require that the decoder \(\mathcal {D}\) output by \(\mathcal {A}\) to be able to distinguish the encryptions of two adversariallychosen messages. The previous notion in [BW06] made the more stringent requirement that the adversary’s decoder must correctly decrypt a noticeable fraction of ciphertexts. Thus, our definitions enable tracing for much weaker decoders. Next, and similar to [BW06], our tracing definition naturally incorporates revocation. Namely, if an adversary constructs a decoder that is able to distinguish encryptions of two messages with respect to a revocation list \(\mathcal {L}\), then the tracing algorithm must identify a compromised key that is outside \(\mathcal {L}\). In contrast, the definition in [NWZ16] only considered tracing in a standalone setting: namely, while the scheme supports revocation, the tracing definition only considered decoders that can decrypt ciphertexts encrypted to an empty revocation list. Overall, our definition is stronger than the previous definitions and we believe provides a more realistic modeling of the security demands in applications of traceandrevoke systems.
Remark 4.3
(Adaptive Security). We note that all of the security requirements in Definition 4.1 are adaptive: namely, the adversary chooses its challenge messages and revocation list after seeing the public parameters and (adaptivelychosen) secret decryption keys. Our final construction is fully adaptive (Construction 4.4, Corollary 4.8), but we do rely on complexity leveraging and subexponential hardness assumptions. We remark here that a selective notion of security where the adversary commits to its revocation list ahead of time does not seem to directly imply adaptive security by the usual complexity leveraging technique [BB04] unless we additionally impose an a priori bound on the size of the revocation list (which we do not require in our analysis). It is an interesting problem to construct a fully collusion resistant traceandrevoke scheme for arbitrary identities from standard polynomial hardness assumptions.
4.1 Constructing an IdentityBased TraceandRevoke Scheme
Our construction follows the general highlevel schema as that by Nishimaki et al. [NWZ16], except our construction is secretlytraceable (but will provide full collusion resistance). Very briefly, we use a secretkey revocable predicate encryption scheme to embed an instance of the generalized jumpfinding problem (Definition 2.5) where the position of the “jumps” correspond to nonrevoked keys. The tracing algorithm relies on the generalized jumpfinding algorithm (Theorem 2.6) to identify the compromised keys. We give our construction below.
Construction 4.4
(IdentityBased TraceandRevoke). Let \(\mathcal {ID}= \{0,1\}^n\) be the identity space and let \(\mathcal {M}\) be a message space. We additionally rely on the following primitives:

Let \(H :\mathcal {K}\times \mathcal {ID}\rightarrow [2^\ell ]\) be a keyed collisionresistant hash function.

Let \(\mathcal {ID}_0 = [2^{\ell + 1}]\). For a pair \((i, u) \in [n] \times [0, 2^{\ell + 1}]\), define the function \(f_{i, u} :\mathcal {ID}_0^n \rightarrow \{0,1\}\) to be the function that takes as input \(v = (v_1, \ldots , v_n)\), where each \(v_i \in \mathcal {ID}_0\), and outputs 1 if \(v_i \le u\) and 0 otherwise. When \(u = 0\), \(f_{i, u}(v) = 0\) for all \(i \in [n]\) and \(v \in \mathcal {ID}_0^n\). Similarly, when \(u = 2^{\ell +1}\), \(f_{i, u}(v) = 1\) for all \(i \in [n]\) and \(v \in \mathcal {ID}_0^n\). We will use a canonical “allzeroes” function to represent \(f_{i, 0}\) and a canonical “allones” function to represent \(f_{i,2^{\ell +1}}\) for all \(i \in [n]\).

Let \(\varPi _{\mathsf {RPE}}= (\mathsf {RPE}{.}\mathsf {Setup}, \mathsf {RPE}{.}\mathsf {KeyGen}, \mathsf {RPE}{.}\mathsf {Broadcast}, \mathsf {RPE}{.}\mathsf {Enc}, \mathsf {RPE}{.}\mathsf {Dec})\) be a secretkey revocable predicate encryption scheme with broadcast with attribute space \(\mathcal {ID}_0^n\), label space \([2^\ell ]\), message space \(\mathcal {M}\), and function space \(\mathcal {F}= \{ i \in [n], u \in [0, 2^{\ell + 1}] : f_{i, u} \}\).
We construct a traceandrevoke scheme \(\varPi _{\mathsf {TR}}= (\mathsf {Setup}, \mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Dec}, \mathsf {Trace})\) with identity space \(\mathcal {ID}\) and message space \(\mathcal {M}\) as follows:

\(\mathsf {Setup}(1^\lambda )\): On input the security parameter \(\lambda \), the setup algorithm samples a key \(\mathsf {hk}\,{\mathop {\leftarrow }\limits ^{\textsc {r}}}\, \mathcal {K}\), parameters \((\mathsf {rpe}{.}\mathsf {pp}, \mathsf {rpe}{.}\mathsf {msk}) \leftarrow \mathsf {RPE}{.}\mathsf {Setup}(1^\lambda )\), and outputs
$$\begin{aligned} \mathsf {pp}= (\mathsf {hk}, \mathsf {rpe}{.}\mathsf {pp}) \quad \text {and} \quad \mathsf {msk}= (\mathsf {hk}, \mathsf {rpe}{.}\mathsf {msk}). \end{aligned}$$ 
\(\mathsf {KeyGen}(\mathsf {msk}, \mathsf {id})\): On input the master secret key \(\mathsf {msk}= (\mathsf {hk}, \mathsf {rpe}{.}\mathsf {msk})\) and an identity \(\mathsf {id}= (\mathsf {id}_1, \ldots , \mathsf {id}_n) \in \mathcal {ID}\), the keygeneration algorithm computes \(s_\mathsf {id}\leftarrow H(\mathsf {hk}, \mathsf {id})\) and defines the vector \(v_\mathsf {id}= (2s_\mathsf {id} \mathsf {id}_1, \ldots , 2s_\mathsf {id} \mathsf {id}_n) \in \mathcal {ID}_0^n\). It outputs \(\mathsf {sk}_{\mathsf {id}} \leftarrow \mathsf {RPE}{.}\mathsf {KeyGen}(\mathsf {rpe}{.}\mathsf {msk}, s_\mathsf {id}, v_\mathsf {id})\).

\(\mathsf {Enc}(\mathsf {pp}, m, \mathcal {L})\): On input the public parameters \(\mathsf {pp}= (\mathsf {hk}, \mathsf {rpe}{.}\mathsf {pp})\), a message m, and a revocation list \(\mathcal {L}\subseteq \mathcal {ID}\), the encryption algorithm first constructs a new list \(\mathcal {L}' \subseteq \{0,1\}^\ell \) where \(\mathcal {L}' = \{ \mathsf {id}\in \mathcal {L}: H(\mathsf {hk}, \mathsf {id}) \}\). Then, it outputs \(\mathsf {ct}_{m, \mathcal {L}} \leftarrow \mathsf {RPE}{.}\mathsf {Broadcast}(\mathsf {rpe}{.}\mathsf {pp}, m, \mathcal {L}')\).

\(\mathsf {Dec}(\mathsf {sk}, \mathsf {ct})\): On input a secret key \(\mathsf {sk}\) and a ciphertext \(\mathsf {ct}\), the decryption algorithm outputs \(m \leftarrow \mathsf {RPE}{.}\mathsf {Dec}(\mathsf {sk}, \mathsf {ct})\).

\(\mathsf {Trace}^{\mathcal {D}}(\mathsf {msk}, m_0, m_1, \mathcal {L}, \varepsilon )\): On input the decryption oracle \(\mathcal {D}\), the master secret key \(\mathsf {msk}= (\mathsf {hk}, \mathsf {rpe}{.}\mathsf {msk})\), messages \(m_0, m_1 \in \mathcal {M}\), a revocation list \(\mathcal {L}\subseteq \mathcal {ID}\), and a success probability \(\varepsilon \), the tracing algorithm begins by constructing the set \(\mathcal {L}' \subseteq \{0,1\}^\ell \) where \(\mathcal {L}' = \{ \mathsf {id}\in \mathcal {L}: H(\mathsf {hk}, \mathsf {id}) \}\). It then defines the following randomized oracle Q (Fig. 1): Let \(q = 1\), set \(\delta _q = \varepsilon / (9 + 4(\ell  1) q)\), and compute \(\mathcal {T}_q \leftarrow \mathsf {QTrace}^Q(\lambda , 2^\ell , n, q, \delta _q, \varepsilon )\). If \(\mathcal {T}_q\) is nonempty, take any element \((s_\mathsf {id}, \mathsf {id}_1, \ldots , \mathsf {id}_n) \in \mathcal {T}_q\), and output \(\mathsf {id}= (\mathsf {id}_1, \ldots , \mathsf {id}_n) \in \mathcal {ID}\). Otherwise, update \(q \leftarrow 2q\) and repeat this procedure.^{Footnote 4}
Correctness and Security Analysis. We now show that \(\varPi _{\mathsf {TR}}\) from Construction 4.4 satisfies correctness, semantic security, and traceability. We state the main theorems below, but defer their formal proofs to the full version of this paper [KW19a]. The analysis proceeds similarly to the corresponding analysis from [NWZ16], except we operate in the secrettraceability setting. The main challenge in the secretkey setting is that when the adversary in the traceability game outputs a pirate decoder, the reduction algorithm cannot easily tell whether the decoder is “useful” or not (where a “useful” decoder is one that can be leveraged to break the security of the underlying secretkey revocable predicate encryption scheme). The analysis in [NWZ16] solves this problem by having the reduction algorithm sample ciphertexts of its own and observe the decoder’s behavior on those ciphertexts. In this way, the reduction is able to estimate the decoder’s distinguishing advantage and identify whether the adversary produced a good decoder or not. In the secretkey setting, the reduction cannot sample ciphertexts of its own and as such, it cannot estimate the decoder’s success probability. To solve this problem, we adopt the approach taken in [GKW18] and allow the reduction algorithm to make a single encryption query to the secretkey predicate encryption scheme. Using the same type of analysis as in [GKW18], we then show that with just a single encryption query, the reduction can leverage the decoder output by the traceability adversary to break security of the underlying predicate encryption scheme. The full analysis is provided in the full version of this paper [KW19a].
Theorem 4.5
(Correctness). If H is collisionresistant and \(\varPi _{\mathsf {RPE}}\) is correct, then \(\varPi _{\mathsf {TR}}\) from Construction 4.4 is correct.
Theorem 4.6
(Semantic Security). If \(\varPi _{\mathsf {RPE}}\) satisfies broadcast security and message hiding (without encryption queries), then \(\varPi _{\mathsf {TR}}\) from Construction 4.4 is semantically secure.
Theorem 4.7
(Traceability). If H is collisionresistant and \(\varPi _{\mathsf {RPE}}\) satisfies nonadaptive 1query message hiding security, nonadaptive 1query function hiding, and nonadaptive 1query broadcast security, then \(\varPi _{\mathsf {TR}}\) is traceable. In particular, the tracing algorithm \(\mathsf {Trace}\) is efficient.
4.2 Instantiating the TraceandRevoke Scheme
In this section, we describe our instantiation of our resulting traceandrevoke scheme using the secretkey revocable predicate encryption scheme from Sect. 3.1 (Construction 3.4, Corollary 3.9). In particular, combining Construction 4.4 with Theorems 4.5 through 4.7 yields the following corollary:
Corollary 4.8
(IdentityBased TraceandRevoke from LWE). Assuming subexponential hardness of LWE (with a superpolynomial modulustonoise ratio), there exists a fully secure identitybased traceandrevoke scheme with identity space \(\mathcal {ID}= \{0,1\}^n\) and message space \(\mathcal {M}= \{0,1\}^t\) with the following properties:

Public parameter size: \(\left \mathsf {pp} \right = n \cdot \mathsf {poly}(\lambda , \log n)\).

Secret key size: The secret key \(\mathsf {sk}_\mathsf {id}\) for an identity \(\mathsf {id}\in \{0,1\}^n\) has size \(\mathsf {sk}_{\mathsf {id}} = n \cdot \mathsf {poly}(\lambda , \log n)\).

Ciphertext size: An encryption \(\mathsf {ct}_{m, \mathcal {L}}\) of a message \(m \in \{0,1\}^t\) with respect to a revocation list \(\mathcal {L}\) has size \(\mathsf {ct}_{m, \mathcal {L}} = t + \left \mathcal {L} \right \cdot \mathsf {poly}(\lambda , \log n)\).
Proof
The claim follows by instantiating Construction 4.4 with the following primitives:

We can instantiate the collisionresistant hash function H with the standard SISbased collisionresistant hash function [Ajt96, GGH96]. In this case, the hash key \(\mathsf {hk}\) has size \(\left \mathsf {hk} \right = \mathsf {poly}(\lambda )\) and the output length of the hash function is also \(\ell = \mathsf {poly}(\lambda )\).

We instantiate the secretkey revocable predicate encryption scheme with broadcast \(\varPi _{\mathsf {RPE}}\) with the construction from Corollary 3.9. For \(i \in [n]\) and \(u \in [0, 2^{\ell +1}]\), the description length z of the functions \(f_{i,u} \in \mathcal {F}\) satisfies
$$\begin{aligned} z = \left i \right + \left u \right \le \log n + \ell + 3 = \mathsf {poly}(\lambda , \log n). \end{aligned}$$Moreover, each function \(f_{i, u}\) is computing a comparison on \(\ell \)bit values and selecting one out of the n components of the vector. This can be computed by a Boolean circuit with depth \(d = \mathsf {poly}(\lambda , \log n)\)—\(\mathsf {poly}(\lambda )\) for the comparison and \(\mathsf {poly}(\log n)\) to select the element to compare. Finally, the identityspace for the underlying revocable predicate encryption scheme is \(\mathcal {ID}_0 = [2^{\ell + 1}]\) and the attribute space is \(\mathcal {ID}_0^n\).
We now verify the parameter sizes for the resulting construction:

Public parameters size: The public parameters \(\mathsf {pp}\) consists of the hash key \(\mathsf {hk}\) and the public parameters \(\mathsf {rpe}{.}\mathsf {pp}\) for the revocable predicate encryption scheme. Thus,
$$ \left \mathsf {pp} \right = \left \mathsf {hk} \right + \left \mathsf {rpe}{.}\mathsf {pp} \right = \mathsf {poly}(\lambda ) + n \ell \cdot \mathsf {poly}(\lambda , d, \ell , z) = n \cdot \mathsf {poly}(\lambda , \log n). $$ 
Secret key size: The secret key \(\mathsf {sk}_\mathsf {id}\) for an identity \(\mathsf {id}\in \{0,1\}^n\) consists of a secret key for the underlying revocable predicate encryption scheme. By Corollary 3.9, we have that \(\left \mathsf {sk}_\mathsf {id} \right = n \ell + \mathsf {poly}(\lambda , d, \ell , z) = n \cdot \mathsf {poly}(\lambda , \log n)\).

Ciphertext size: The ciphertext \(\mathsf {ct}_{m, \mathcal {L}}\) for a message \(m \in \{0,1\}^t\) with respect to a revocation list \(\mathcal {L}\) consists of a ciphertext for the underlying revocable predicate encryption scheme. By Corollary 3.9,
$$ \left \mathsf {ct}_{m, \mathcal {L}} \right = t + \left \mathcal {L} \right \cdot \mathsf {poly}(\lambda , d, \ell , z) = t + \left \mathcal {L} \right \cdot \mathsf {poly}(\lambda , \log n). $$\(\square \)
Notes
 1.
This property follows from the usual indexhiding security game by a standard hybrid argument when the indices are drawn from a polynomialsize space, but not when the indices are drawn from an exponentiallylarge one.
 2.
The recent work of Goyal et al. [GQWW19] introduces a notion of broadcast mixed FE that supports a succinct public broadcast to a restricted set of identities (of polynomial size). The notion we develop in this work supports an exponentialsized identity space, but in a nonsuccinct manner (i.e., the ciphertext size scales linearly with the size of the revocation list).
 3.
While the notion of attributebased mixed FE from [CVW+18] seems like it would also provide this functionality, this revocation approach only preserves the message hiding property and not the mixed FE attribute hiding property of the underlying attributebased mixed FE scheme. For our traceandrevoke scheme, we require both message hiding and attribute hiding (which we refer to as “function hiding”). Obtaining the latter property seemingly requires a way to revoke mixed FE decryption keys.
 4.
We will argue in the proof of Theorem 4.7 that this algorithm will terminate with overwhelming probability. Alternatively, we can set an upper bound on the maximum number of iterations \(q_{\mathsf {max}}\). In this case, the tracing algorithm succeeds as long as the total number of keys issued is bounded by \(2^{q_{\mathsf {max}}}\). Note that this is not an a priori bound on the number of keys that can be issued, just a bound on the number of iterations on which to run the tracing algorithm, which can be a flexible parameter (independent of other scheme parameters).
References
Agrawal, S., Bhattacherjee, S., Phan, D.H., Stehlé, D., Yamada, S.: Efficient public trace and revoke from standard assumptions: extended abstract. In: ACM CCS, pp. 2277–2293 (2017)
Ananth, P., Jain, A., Sahai, A.: Indistinguishability obfuscation for turing machines: constant overhead and amortization. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 252–279. Springer, Cham (2017). https://doi.org/10.1007/9783319637150_9
Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: STOC, pp. 99–108 (1996)
Ananth, P., Sahai, A.: Functional encryption for turing machines. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 125–153. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662490969_6
Boneh, D., Boyen, X.: Efficient selectiveid secure identitybased encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). https://doi.org/10.1007/9783540246763_14
Boneh, D., et al.: Fully keyhomomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). https://doi.org/10.1007/9783642552205_30
Barak, B., et al.: On the (im)possibility of obfuscating programs. J. ACM 59(2), 6:1–6:48 (2012)
Boneh, D., Naor, M.: Traitor tracing with constant size ciphertext. In: ACM CCS, pp. 501–510 (2008)
Billet, O., Phan, D.H.: Traitors collaborating in public: pirates 2.0. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 189–205. Springer, Heidelberg (2009). https://doi.org/10.1007/9783642010019_11
Boneh, D., Sahai, A., Waters, B.: Fully collusion resistant traitor tracing with short ciphertexts and private keys. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 573–592. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_34
Boneh, D., Waters, B.: A fully collusion resistant broadcast, trace, and revoke system. In: ACM CCS, pp. 211–220 (2006)
Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer, Heidelberg (2007). https://doi.org/10.1007/9783540709367_29
Chor, B., Fiat, A., Naor, M.: Tracing traitors. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 257–270. Springer, Heidelberg (1994). https://doi.org/10.1007/3540486585_25
Chor, B., Fiat, A., Naor, M., Pinkas, B.: Tracing traitors. IEEE Trans. Inf. Theory 46(3), 893–910 (2000)
Cohen, A., Holmgren, J., Nishimaki, R., Vaikuntanathan, V., Wichs, D.: Watermarking cryptographic capabilities. In: STOC, pp. 1115–1127 (2016)
Chen, Y., Vaikuntanathan, V., Waters, B., Wee, H., Wichs, D.: Traitortracing from LWE made simple and attributebased. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 341–369. Springer, Cham (2018). https://doi.org/10.1007/9783030038106_13
Dodis, Y., Fazio, N.: Public key broadcast encryption for stateless receivers. In: Feigenbaum, J. (ed.) DRM 2002. LNCS, vol. 2696, pp. 61–80. Springer, Heidelberg (2003). https://doi.org/10.1007/9783540449935_5
Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 480–491. Springer, Heidelberg (1994). https://doi.org/10.1007/3540483292_40
Goldreich, O., Goldwasser, S., Halevi, S.: Collisionfree hashing from lattice problems. IACR Cryptology ePrint Archive 1996/9 (1996)
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS, pp. 40–49 (2013)
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions (extended abstract). In: FOCS, pp. 464–479 (1984)
Goyal, R., Kim, S., Manohar, N., Waters, B., Wu, D.J.: Watermarking publickey cryptographic primitives. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 367–398. Springer, Cham (2019). https://doi.org/10.1007/9783030269548_12
Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: STOC, pp. 555–564 (2013)
Garg, S., Kumarasubramanian, A., Sahai, A., Waters, B.: Building efficient fully collusionresilient traitor tracing and revocation schemes. In: ACM CCS, pp. 121–130 (2010)
Goyal, R., Koppula, V., Waters, B.: Collusion resistant traitor tracing from learning with errors. In: STOC, pp. 660–670 (2018)
Goyal, R., Koppula, V., Waters, B.: New approaches to traitor tracing with embedded identities. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 149–179. Springer, Cham (2019). https://doi.org/10.1007/9783030360337_6
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attributebased encryption for finegrained access control of encrypted data. In: ACM CCS, pp. 89–98 (2006)
Goyal, R., Quach, W., Waters, B., Wichs, D.: Broadcast and trace with \(N^{\varepsilon }\) ciphertext size from standard assumptions. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 826–855. Springer, Cham (2019). https://doi.org/10.1007/9783030269548_27
Garg, S., Srinivasan, A.: A simple construction of iO for turing machines. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 425–454. Springer, Cham (2018). https://doi.org/10.1007/9783030038106_16
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multiparty computation. In: SafaviNaini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 162–179. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642320095_11
Goyal, R., Vusirikala, S., Waters, B.: Collusion resistant broadcast and trace from positional witness encryption. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 3–33. Springer, Cham (2019). https://doi.org/10.1007/9783030172596_1
Halevy, D., Shamir, A.: The LSD broadcast encryption scheme. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 47–60. Springer, Heidelberg (2002). https://doi.org/10.1007/3540457089_4
Kurosawa, K., Desmedt, Y.: Optimum traitor tracing and asymmetric schemes. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 145–157. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054123
Koppula, V., Lewko, A.B., Waters, B.: Indistinguishability obfuscation for turing machines with unbounded memory. In: STOC, pp. 419–428 (2015)
Kiayias, A., Pehlivanoglu, S.: Pirate evolution: how to make the most of your traitor keys. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 448–465. Springer, Heidelberg (2007). https://doi.org/10.1007/9783540741435_25
Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540789673_9
Kiayias, A., Tang, Q.: Traitor deterring schemes: using bitcoin as collateral for digital content. In: ACM CCS, pp. 231–242 (2015)
Kim, S., Wu, D.J.: Watermarking cryptographic functionalities from standard lattice assumptions. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 503–536. Springer, Cham (2017). https://doi.org/10.1007/9783319636887_17
Kim, S., David, J.W.: Collusion resistant traceandrevoke for arbitrary identities from standard assumptions. IACR Cryptol. ePrint Arch. 2019/984 (2019)
Kim, S., Wu, D.J.: Watermarking PRFs from lattices: stronger security via extractable PRFs. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 335–366. Springer, Cham (2019). https://doi.org/10.1007/9783030269548_11
Ling, S., Phan, D.H., Stehlé, D., Steinfeld, R.: Hardness of \(k\)LWE and applications in traitor tracing. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 315–334. Springer, Heidelberg (2014). https://doi.org/10.1007/9783662443712_18
Naor, D., Naor, M., Lotspiech, J.: Revocation and tracing schemes for stateless receivers. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 41–62. Springer, Heidelberg (2001). https://doi.org/10.1007/3540446478_3
Naor, M., Pinkas, B.: Threshold traitor tracing. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 502–517. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055750
Naor, M., Pinkas, B.: Efficient trace and revoke schemes. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 1–20. Springer, Heidelberg (2001). https://doi.org/10.1007/3540454721_1
Nishimaki, R., Wichs, D., Zhandry, M.: Anonymous traitor tracing: how to embed arbitrary information in a key. In: Fischlin, M., Coron, J.S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 388–419. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662498965_14
Quach, W., Wichs, D., Zirdelis, G.: Watermarking PRFs under standard assumptions: public marking and security with extraction queries. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 669–698. Springer, Cham (2018). https://doi.org/10.1007/9783030038106_24
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC, pp. 84–93 (2005)
Shi, E., Bethencourt, J., Chan, H.T.H., Song, D.X., Perrig, A.: Multidimensional range query over encrypted data. In: IEEE S&P, pp. 350–364 (2007)
Sahai, A., Seyalioglu, H.: Worryfree encryption: functional encryption with public keys. In: ACM CCS, pp. 463–472 (2010)
Staddon, J., Stinson, D.R., Wei, R.: Combinatorial properties of frameproof and traceability codes. IEEE Trans. Inf. Theory 47(3), 1042–1049 (2001)
Sahai, A., Waters, B.: Fuzzy identitybased encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27
Acknowledgments
We thank Ahmadreza Rahimi for helpful discussions on this work and the anonymous reviewers for useful suggestions on improving the exposition. S. Kim is supported by NSF, DARPA, a grant from ONR, and the Simons Foundation. D. J. Wu is supported by NSF CNS1917414 and a University of Virginia SEAS Research Innovation Award. Opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of DARPA.
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 International Association for Cryptologic Research
About this paper
Cite this paper
Kim, S., Wu, D.J. (2020). Collusion Resistant TraceandRevoke for Arbitrary Identities from Standard Assumptions. In: Moriai, S., Wang, H. (eds) Advances in Cryptology – ASIACRYPT 2020. ASIACRYPT 2020. Lecture Notes in Computer Science(), vol 12492. Springer, Cham. https://doi.org/10.1007/9783030648343_3
Download citation
DOI: https://doi.org/10.1007/9783030648343_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 9783030648336
Online ISBN: 9783030648343
eBook Packages: Computer ScienceComputer Science (R0)