Public Key Trace and Revoke Scheme Secure against Adaptive Chosen Ciphertext Attack [chapter]

Yevgeniy Dodis, Nelly Fazio
2002 Lecture Notes in Computer Science  
A (public key) Trace and Revoke Scheme combines the functionality of broadcast encryption with the capability of traitor tracing. Specifically, (1) a trusted center publishes a single public key and distributes individual secret keys to the users of the system; (2) anybody can encrypt a message so that all but a specified subset of "revoked" users can decrypt the resulting ciphertext; and (3) if a (small) group of users combine their secret keys to produce a "pirate decoder", the center can trace at least one of the "traitors" given access to this decoder. We construct the first chosen ciphertext (CCA2) secure Trace and Revoke Scheme based on the DDH assumption. Our scheme is also the first adaptively secure scheme, allowing the adversary to corrupt players at any point during execution, while prior works (e.g., [19, 21]) only achieve a very weak form of non-adaptive security even against chosen plaintext attacks. In fact, no CCA2 scheme was known even in the symmetric setting. Of independent interest, we present a slightly simpler construction that shows a "natural separation" between the classical notion of CCA2 security and the recently proposed [20, 1] relaxed notion of gCCA2 security. Extended version of [10].

A related line of work concerns multicast security [22, 17, 23, 4, 5]. However, in this setting revoking a single user involves changing the keys for all the users, which makes it inapplicable to situations where the receivers are "stateless", do not always stay "on-line", or where the set of receivers can change rapidly. Most of the above works primarily concentrate on the centralized setting, where only the trusted center (the entity who generates all the secret keys) can send messages to the receivers. In the public key setting, studied in this paper, the center also prepares a fixed public key which allows any entity to play the role of the sender. Aside from achieving this extra functionality, the public key setting also allows the center to store secret keys in a more secure place than the station used for data transmission (e.g., off-line), and access this storage only for "system maintenance" (e.g., when a new user joins the system). In the public key setting, the only known Broadcast Encryption Schemes have been constructed by [19, 21] based on the DDH assumption, and achieve public key and message overhead O(z).
In fact, these schemes are essentially identical: in the following we will refer to the work of [21], who emphasize the public key nature of their scheme more. Concurrently with the present work, Dodis and Fazio [9] extended the efficient scheme of [18] to the asymmetric setting. The resulting public key Broadcast Encryption Scheme achieves constant key size, while maintaining similar ciphertext expansion, but does not enjoy full CCA2 security: in fact, it seems hard to obtain such a high level of security within the Subset Cover framework of [18].

Some Criticism. Despite providing a simple and elegant scheme, the work of [21] has several noticeable shortcomings. First, the given (informal) notion of security does not address the peculiar features of the revocation setting. Indeed, to show the "security" of revocation, [21] shows the following two claims: (1) the scheme is semantically secure when no users are revoked; (2) no set of z a-priori fixed users can compute the secret key of another user. Clearly, these properties do not imply the security notion we really care about, which informally states: (3) if the adversary controls some set R of up to z revoked users, then the scheme remains semantically secure. Actually, the scheme of [21] can be shown to satisfy the needed property (3) only when the set R is chosen by the adversary non-adaptively, and in fact only if it is chosen before the adversary learns the public key. Such weak non-adaptive security is clearly insufficient for realistic usages of a public key revocation scheme. Most importantly, the extended scheme of [21] is proven to be CCA2-secure when none of the users is corrupted, but stops being such the moment just a single user is corrupted, even if this user is immediately revoked for the rest of the protocol. Again, this is too weak: the scheme should remain CCA2-secure even after many users have been revoked.
As we will see, achieving this strong type of security is very non-trivial, and requires a much more involved scheme than the one proposed by [21].

Our Contributions. We introduce for the first time a precise formalization of an appropriate notion of adaptive security for public key Broadcast Encryption Schemes, for both the CPA and the CCA2 setting, which naturally models property (3) mentioned above. We construct the first adaptive chosen ciphertext (CCA2) secure public key Broadcast Encryption Scheme under the DDH assumption (with no random oracles). We remark that no CCA2-secure schemes were known even in the symmetric setting. Moreover, it doesn't seem obvious how to extend current symmetric schemes (e.g., [18]) to meet the CCA2 notion. Our public key scheme is based on the regular Cramer-Shoup encryption [7, 8], but our extension is non-trivial, as we have to resolve some difficulties inherent to the Broadcast Encryption setting. Our CCA2-secure scheme requires a constant user storage and a
doi:10.1007/3-540-36288-6_8 fatcat:upje6ra2ufertn37yowfx2u4ma