Collusion Resistant Trace-and-Revoke for Arbitrary Identities from Standard Assumptions

Kim, Sam; Wu, David J.

doi:10.1007/978-3-030-64834-3_3

Sam Kim¹⁰ &
David J. Wu¹¹

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12492))

Included in the following conference series:

International Conference on the Theory and Application of Cryptology and Information Security

1635 Accesses
4 Citations

Abstract

A traitor tracing scheme is a multi-user public-key encryption scheme where each user in the system holds a decryption key that is associated with the user’s identity. Using the public key, a content distributor can encrypt a message to all of the users in the system. At the same time, if a malicious group of users combine their respective decryption keys to build a “pirate decoder,” there is an efficient tracing algorithm that the content distributor can use to identify at least one of the keys used to construct the decoder. A trace-and-revoke scheme is an extension of a standard traitor tracing scheme where there is an additional key-revocation mechanism that the content distributor can use to disable the decryption capabilities of compromised keys. Namely, during encryption, the content distributor can encrypt a message with respect to a list of revoked users such that only non-revoked users can decrypt the resulting ciphertext.

Trace-and-revoke schemes are challenging to construct. Existing constructions from standard assumptions can only tolerate bounded collusions (i.e., there is an a priori bound on the number of keys an adversary obtains), have system parameters that scale exponentially in the bit-length of the identities, or satisfy weaker notions of traceability that are vulnerable to certain types of “pirate evolution” attacks. In this work, we provide the first construction of a trace-and-revoke scheme that is fully collusion resistant and capable of supporting arbitrary identities (i.e., the identities can be drawn from an exponential-size space). Our scheme supports public encryption and secret tracing, and can be based on the sub-exponential hardness of the LWE problem (with a super-polynomial modulus-to-noise ratio). The ciphertext size in our construction scales logarithmically in the size of the identity space and linearly in the size of the revocation list. Our scheme leverages techniques from both combinatorial and algebraic constructions for traitor tracing.

The full version of this paper is available at https://eprint.iacr.org/2019/984.pdf.

You have full access to this open access chapter, Download conference paper PDF

Key-Leakage Resilient Revoke Scheme Resisting Pirates 2.0 in Bounded Leakage Model

Broadcast, Trace and Revoke with Optimal Parameters from Polynomial Hardness

Traceable PRFs: Full Collusion Resistance and Active Security

1 Introduction

Traitor tracing schemes [CFN94] provide content distributors a way to identify malicious receivers and pirates. Specifically, a traitor tracing scheme is a public-key encryption scheme that is defined over a set of global public parameters $\mathsf {pp}$ and many secret decryption keys $\{ \mathsf {sk}_\mathsf {id} \}$. Each of the decryption keys $\mathsf {sk}_\mathsf {id}$ is associated with an identifier $\mathsf {id}$ (e.g., a user’s name or profile picture). Anyone is able to encrypt a message using the public parameters $\mathsf {pp}$ and any user who holds a valid decryption key $\mathsf {sk}_\mathsf {id}$ can decrypt the resulting ciphertext. The main security property is traceability, which says that if a coalition of users combine their respective decryption keys to create a new decryption algorithm (i.e., a “pirate decoder”), there is an efficient tracing algorithm that, given (black-box) access to the decoder, will successfully identify at least one of the secret keys that was used to construct the pirate decoder. As such, traitor tracing schemes provide an effective way for content distributors to combat piracy.

In practice, simply identifying the keys that went into a pirate decoder is not enough; we also require a way for the content distributor to disable the decryption capabilities of a compromised key. Traitor tracing schemes that support efficient key-revocation mechanisms are called trace-and-revoke schemes [NP00]. In a trace-and-revoke scheme, the encryption algorithm additionally takes in a list of revoked users $\mathcal {L}$. A ciphertext that is generated with respect to a revocation list $\mathcal {L}$ can only be decrypted by keys for identities $\mathsf {id}\notin \mathcal {L}$. Furthermore, the revocation mechanism should remain compatible with tracing: namely, if an adversary builds a pirate decoder that can still decrypt ciphertexts encrypted with respect to a revocation list $\mathcal {L}$, the tracing algorithm should successfully identify at least one of the non-revoked decryption keys (i.e., some $\mathsf {id}\notin \mathcal {L}$) that went into the construction of the pirate decoder. We give the formal definition in Sect. 4.

Properties of Trace-and-Revoke Schemes. There are a number of possible properties that a trace-and-revoke scheme could provide. We enumerate several important ones below:

Collusion resistance: A trace-and-revoke scheme is t-collusion resistant if tracing works as long as the pirate obtains fewer than t decryption keys, and the scheme parameters are allowed to depend on t. When t can be an arbitrary polynomial, the scheme is fully collusion resistant.
A priori unbounded revocation: Some trace-and-revoke schemes support bounded revocation where at setup time, there is an a priori bound r on the maximum number of revoked users the scheme supports. A scheme supports a priori unbounded revocation if the number of revoked users can be an arbitrary polynomial. We note here that while we can require an even stronger property that supports revoking a super-polynomial number of users, the scheme we develop in this work does not support this stronger property (except in certain restricted settings; see Sect. 1.1).
Black box tracing: A trace-and-revoke scheme supports black box tracing if the tracing algorithm only requires oracle access to the pirate decoder. This means we do not need to impose any restrictions on the structure of the adversary’s decoder. Tracing must work on any decoder that is able to decrypt (or even better, distinguish) ciphertexts.
Identity-based: A trace-and-revoke scheme is “identity-based” or supports arbitrary identities if the set of possible identities $\mathcal {ID}$ the scheme supports can be exponential in size [NWZ16]. In most trace-and-revoke schemes, the set of possible identities is assumed to have polynomial size (i.e., identities are represented by an element of the set $[N] = \{ 1, \ldots , N \}$). This means that there is an a priori bound on the maximum number of users supported by the system, and moreover, in practical scenarios, the tracing authority needs to separately maintain a database mapping from a numeric index $\mathsf {id}\in [N]$ to a user’s actual identifier (which may not fit into a string of length $\log N$). In addition, as noted in [NWZ16], an added benefit of trace-and-revoke schemes that support arbitrary identities is anonymity: namely, a user can obtain a decryption key for their identity without needing to reveal their identity to the key issuer.

Our Results. In this work, we focus on constructing trace-and-revoke schemes that provide each of the above guarantees. Namely, we seek schemes that are flexible (e.g., can support arbitrary identities of polynomial length and an arbitrary polynomial number of revocations) while providing strong security (i.e., full collusion resistance and security against arbitrary adversarial strategies). We achieve these properties assuming sub-exponential hardness of the learning with errors (LWE) assumption [Reg05]. Specifically, we show the following:

Theorem 1.1

(informal). Let $\lambda $ be a security parameter and $\mathcal {ID}= \{0,1\}^n$ be the set of possible identities. Assuming sub-exponential hardness of LWE, there exists a fully collusion resistant trace-and-revoke scheme where the secret key for an identity $\mathsf {id}\in \{0,1\}^n$ has size $n \cdot \mathsf {poly}(\lambda , \log n)$ and a ciphertext encrypting a message m with respect to a revocation list $\mathcal {L}\subseteq \{0,1\}^n$ has size $\left| m \right| + \left| \mathcal {L} \right| \cdot \mathsf {poly}(\lambda , \log n)$. Encryption in our scheme is a public operation while tracing requires knowledge of a secret key.

Previous trace-and-revoke constructions were either not collusion resistant [NWZ16, ABP+17], could only support a polynomial-size identity space [BW06, GKSW10, GQWW19], achieved weaker models of tracing [NNL01, DF02], or relied on strong assumptions such as indistinguishability obfuscation [NWZ16] or (positional) witness encryption [GVW19]. We refer to Sect. 1.2 for a more detailed comparison of our construction with existing ones.

Open Questions. Before giving an overview of our construction, we highlight several interesting directions to further improve upon our trace-and-revoke scheme:

Public tracing: Our tracing algorithm requires a secret key. It is an interesting open problem to obtain fully collusion resistant trace-and-revoke for arbitrary identities with public tracing from standard assumptions. In fact, even obtaining a collusion resistant traitor tracing scheme with succinct keys and public tracing from standard assumptions is currently open.
Succinct broadcast: The length of the ciphertexts in our construction scales linearly in the size of the revocation list, and as such, our scheme only supports revocation for a polynomial number of users. It is an open question is to develop an scheme that supports arbitrary identities and where the ciphertext size scales sublinearly in the number of revoked users (and more generally, where the ciphertext size scales with the description length of the revocation list rather than its size). Schemes with these properties are often called “broadcast, trace, and revoke” schemes [BW06] as they combine both the succinctness of a “broadcast encryption” [FN93] with the tracing capability of a traitor tracing scheme. Existing broadcast, trace, and revoke constructions [BW06, GKSW10, GQWW19] from standard assumptions can only handle a polynomial number of users. We provide a more thorough comparison in Sect. 1.2.
Polynomial hardness: Security of our tracing construction relies on the sub-exponential hardness of LWE. Our reliance on sub-exponential hardness assumptions is due to our use of complexity leveraging [BB04] to instantiate adaptively-secure variants of the underlying cryptographic primitives we require in our construction. An important open problem is to base security on polynomial hardness. The work of Goyal et al. [GKW19] show how to obtain traitor tracing for an exponential-size identity space from a polynomial hardness assumption, but their scheme does not support revocation.

1.1 Construction Overview

In this section, we provide a high-level overview of our construction. Our approach combines an identity-based traitor tracing scheme based on the techniques developed in [NWZ16, GKW18] with the combinatorial revocation scheme from [NNL01]. We describe each of these components below.

Traitor Tracing from Private Linear Broadcast. Boneh et al. [BSW06] showed how to construct a collusion resistant traitor tracing scheme from a private linear broadcast encryption (PLBE) scheme. A PLBE scheme is an encryption scheme where decryption keys are associated with an index $i \in [N]$, and ciphertexts are associated with a secret index $j \in [N]$ and a message m. The correctness property guarantees that a decryption key $\mathsf {sk}_i$ for index i can decrypt all ciphertexts encrypted to indices j where $i \le j$. There are two ways to generate a ciphertext. The public encryption algorithm allows anyone to encrypt to the index N, which can be decrypted by secret keys $\mathsf {sk}_i$ for all $i \in [N]$. The secret encryption algorithm allows the tracing authority who holds a tracing key to encrypt to indices $j \le N$. The “index-hiding” requirement guarantees that an adversary who does not have a key for index j cannot distinguish an encryption to index j from an encryption to index $j + 1$. Finally, the “message-hiding” requirement says that ciphertexts encrypted to index 0 are semantically secure (given any subset of decryption keys for indices $1 \le j \le N$). These properties form the basis of the tracing algorithm described in [BSW06]. Boneh et al. showed how to construct PLBE from pairing-based assumptions where the ciphertexts have size $O(\sqrt{N})$. Hence their scheme only supports a polynomial-size identity space.

Recently, Goyal et al. [GKW18] gave a new construction of a PLBE scheme from the LWE assumption by combining a new cryptographic notion called mixed functional encryption (mixed FE) with an attribute-based encryption (ABE) scheme [SW05, GPSW06]. Their construction has the appealing property that the size of all of the system parameters (e.g., the public parameters, decryption keys, and ciphertexts) scale with $\mathsf {poly}(\lambda , \log N)$. Thus, the construction of Goyal et al. [GKW18] can in principle support arbitrary set of identities. However, the tracing algorithm in the PLBE framework runs in time that scales linearly with the size of the identity space. As a result, the [GKW18] construction does not support tracing over an exponential space of identities.

Identity-Based Traitor-Tracing from Functional Encryption. In [NWZ16], Nishimaki et al. introduced a more general tracing algorithm for PLBE that supports an exponential identity space (by abstracting the tracing problem as an “oracle jump-finding” problem). Their construction relies on a PLBE scheme that satisfies a more general notion of index-hiding security. Namely a ciphertext encrypted to index $j_1$ should be indistinguishable from a ciphertext encrypted to index $j_2$ as long as the adversary does not have any keys in the interval $(j_1, j_2]$.^{Footnote 1} A limitation of this construction is that the ciphertexts scale linearly in the bit-length of the identities. Nishimaki et al. then show how to construct a traitor tracing scheme with short ciphertexts (i.e., one where the ciphertext size scales with $\mathsf {poly}(\log \log N)$) from a private broadcast encryption scheme that support slightly more general broadcast sets. Finally, they note that private broadcast is just a special case of general-purpose functional encryption which can be instantiated using indistinguishability obfuscation [GGH+13], or, in the bounded-collusion setting, from LWE [GKP+13] or even just public-key encryption [SS10, GVW12].

A More General View of [GKW18]. In this work, we take a more general view of the PLBE construction in [GKW18] and show that the construction in fact gives a secret-key predicate encryption scheme with a broadcast functionality. In turn, PLBE can be viewed as a specific instantiation of the predicate encryption scheme for the particular class of threshold predicates. This view will enable our generalization to identity-based traitor tracing with short ciphertexts (by following the approach of [NWZ16]) as well as enable an efficient mechanism for key revocation. Note that the “broadcast functionality” considered here refers to a method to publicly encrypt a message that can be decrypted by all secret keys in the system (i.e., broadcasting a message to all users in the system). We are not requiring the ability to succinctly broadcast messages to subsets of users (as in the setting of broadcast encryption [FN93]).

Specifically, in a secret-key (ciphertext-policy) predicate encryption scheme, ciphertexts are associated with a predicate f and a message m, while decryption keys are associated with an attribute x. Decrypting a ciphertext $\mathsf {ct}_{f,m}$ associated with a predicate f and a message m with a function key for an attribute x yields m if $f(x) = 1$ and $\bot $ otherwise. Moreover, the policy f associated with a ciphertext is hidden irrespective of whether decryption succeeds or not—this property is the analog of the “strong” attribute-hiding property considered in the study of key-policy predicate encryption [BW07, KSW08, SBC+07]. Finally, while the predicate encryption scheme is secret-key, there exists a public encryption algorithm that allows anyone to encrypt a message with respect to the “always-accept” policy (i.e., $f(x) = 1$ for all inputs x). In Sect. 3.1, we show how to combine mixed FE (for general circuits) and attribute-based encryption (for general circuits) to obtain a secret-key ciphertext-policy predicate encryption scheme with broadcast. This construction is a direct analog of the [GKW18] construction of PLBE from the same set of underlying primitives. Next, we note that this type of predicate encryption directly implies a fully collusion resistant traitor tracing scheme with short ciphertexts via [NWZ16]. The one difference, however, is that since the predicate encryption scheme is in the secret-key setting, only the tracing authority who holds the master secret key is able to run the tracing algorithm. Thus in contrast to [NWZ16], our scheme only supports secret tracing. We note that working in the secret-key setting introduces some new challenges in the security analysis of the [NWZ16] construction. These can be handled using similar techniques as those developed in [GKW18], and we discuss this in greater detail in Sect. 4.1.

Trace-and-Revoke via Revocable Predicate Encryption. Thus far, we have shown how to combine ideas from [GKW18] and [NWZ16] to obtain a collusion resistant traitor tracing scheme for arbitrary identities. The next step is to develop a mechanism for key revocation. Previously, Nishimaki et al. showed how to use a revocable functional encryption scheme to construct a trace-and-revoke scheme. In this work, we show that a revocable variant of our secret-key predicate encryption scheme with broadcast also suffices for this general transformation. Namely, in a revocable predicate encryption scheme, each decryption key is additionally tagged with an identity $\mathsf {id}$, and at encryption time (both secret and public), the encrypter provides both the decryption policy f and the revocation list $\mathcal {L}$. The resulting ciphertext can then be decrypted by all keys $\mathsf {sk}_{\mathsf {id}, x}$ associated with an identity $\mathsf {id}$ and an attribute x such that $f(x) = 1$ and $\mathsf {id}\notin \mathcal {L}$.

A natural approach to support revocation is to include the revocation list $\mathcal {L}$ as part of the ciphertext policy in the predicate encryption scheme. We would then embed the identity $\mathsf {id}$ as part of the decryption key, and the final decryption policy would first check that $\mathsf {id}\notin \mathcal {L}$ and then check that $f(x) = 1$. While this basic approach seems straightforward, it unfortunately does not apply in our setting. As noted above, the predicate encryption scheme we construct is a secret-key scheme, and the only public operation it supports is the broadcast functionality.^{Footnote 2} Obtaining a public-key analog of collusion resistant, strong attribute-hiding predicate encryption seems quite challenging (and in fact, implies public-key functional encryption). But as we note in Remark 3.3, even in the bounded-collusion setting (where we can construct public-key predicate encryption from standard assumptions), this basic approach seems to run into a barrier, and any such instantiation from standard assumptions would likely have to assume a bound on the maximum number of revoked users. In this work, we seek solutions from standard assumptions that are collusion resistant and support unbounded revocation.

Revocable Predicate Encryption via Subset Cover Set Systems. As we described above, constructing a collusion resistant trace-and-revoke scheme for arbitrary identities reduces to constructing a secret-key revocable predicate encryption scheme with a broadcast functionality. To build the necessary revocable predicate encryption scheme, we leverage ideas from combinatorial constructions of traitor tracing. We note that while we rely on combinatorial ideas in our construction, we do not provide a generic transformation of any predicate encryption scheme into a revocable analog. Rather, our construction relies on a careful integration of the algebraic approach from [GKW18] with the combinatorial approach from [NNL01].

The core combinatorial ingredient that we use for our construction is a subset-cover set system, a notion that has featured in several traitor tracing constructions [NNL01, DF02, HS02]. Let [N] be the identity space. A subset-cover set system for [N] is a set of indices [K] with the following two properties. Each identity $\mathsf {id}\in [N]$ is associated with a small number of indices $\mathcal {I}_\mathsf {id}\subseteq [K]$. Moreover, given a revocation list $\mathcal {L}\subseteq [N]$, there is an efficient algorithm to compute a “covering” set of indices $\mathcal {J}_{\mathcal {L}} \subseteq [K]$ with the property that $\mathsf {id}\in \mathcal {L}$ if and only if $\mathcal {I}_{\mathsf {id}} \cap \mathcal {J}_{\mathcal {L}} = \varnothing $. If we instantiate using the subset-cover set system from [NNL01], then $K = O(N)$, $\left| \mathcal {I}_\mathsf {id} \right| = O(\log N)$, and $\left| \mathcal {J}_{\mathcal {L}} \right| = O(\left| \mathcal {L} \right| \log (N / \left| \mathcal {L} \right| ))$.

Given a subset-cover set system, a first attempt to construct a revocable predicate encryption scheme is as follows. We associate a set of public parameters $\mathsf {pp}_i$ and master secret key $\mathsf {msk}_i$ with each index $i \in [K]$. A key for an identity $\mathsf {id}\in [N]$ and an attribute x would consist of predicate encryption keys $\mathsf {sk}_{\mathsf {id}, x} \leftarrow \mathsf {KeyGen}(\mathsf {msk}_i, x)$ for all the predicate encryption schemes $i \in \mathcal {I}_{\mathsf {id}}$ associated with $\mathsf {id}$. Finally, an encryption of a message m with respect to the revocation list $\mathcal {L}\subseteq [N]$ would consist of a collection of ciphertexts $\{ \mathsf {ct}_i \}_{i \in \mathcal {J}_{\mathcal {L}}}$ where each $\mathsf {ct}_i$ is an encryption of m with respect to $\mathsf {pp}_i$ for $i \in \mathcal {J}_{\mathcal {L}}$. By the property described above, if $\mathsf {id}\notin \mathcal {L}$, then $\mathcal {I}_{\mathsf {id}} \cap \mathcal {J}_{\mathcal {L}} \ne \varnothing $. This means that all non-revoked users $\mathsf {id}\notin \mathcal {L}$ will possess a key $\mathsf {sk}_{i, x}$ for some $i \in \mathcal {J}_{\mathcal {L}}$, and therefore, will be able to decrypt (provided that $f(x) = 1$). For a revoked user, it will be the case that $i \notin \mathcal {J}_{\mathcal {L}}$ for all $i \in \mathcal {I}_\mathsf {id}$, and they will be unable to decrypt. The problem though is that the size of the public parameters now scale linearly with K (which is as large as N). As such, this scheme only supports a polynomial number of identities. Thus, we need a different approach. We describe two candidate ideas below:

If the underlying predicate encryption scheme has the property where the master secret key $\mathsf {msk}$ can be sampled after the public parameters $\mathsf {pp}$, then in principle, the construction above would suffice. Namely, we would use a single set of public parameters for all of the predicate encryption schemes, and derive the master secret key $\mathsf {msk}_i$ for each $i \in [K]$ from a pseudorandom function (PRF). Unfortunately, such a predicate encryption scheme cannot be secure since the adversary can always generate for itself a master secret key and use it to decrypt.
If the scheme supports a public encryption algorithm, then we can support revocation by including the index $i \in [K]$ as part of the policy associated with the ciphertext as well as the attribute in the decryption key. Then, the decryption policy would additionally check that the index associated with the key matched the index associated with the ciphertext. Essentially, we ensure that a decryption key for i can only be used to decrypt ciphertexts encrypted to index i. However, this revocation approach also does not seem to apply in our setting because our predicate encryption scheme is in the secret-key setting, and it is not clear how to generalize to a public-key encryption algorithm that can support more general policies (while retaining the same security properties).^{Footnote 3}

While neither of these approaches directly apply in our setting, we can combine both ideas in our construction to obtain a revocable predicate encryption scheme. As noted above, our basic secret-key predicate encryption scheme with broadcast combines a mixed FE scheme with an ABE scheme. Without getting into too many details, the construction has the following properties. Each ciphertext in the scheme consists of a mixed FE ciphertext and an ABE ciphertext, and analogously, each decryption key consists of a mixed FE decryption key and an ABE decryption key. The mixed FE scheme is a secret-key scheme that supports a broadcast mechanism while the ABE scheme is a standard public-key scheme. The key observation is that if both the underlying mixed FE scheme and the ABE scheme support revocation, then the resulting predicate encryption scheme also supports revocation. For our construction it is critical that both schemes support revocation as we rely on the mixed FE scheme to hide the ciphertext policy and the ABE scheme to hide the message. If only one of the underlying schemes supports revocation, then one or both of these security properties become incompatible with revocation. We now describe how we implement revocation for the underlying mixed FE and ABE schemes:

The mixed FE scheme is a secret-key scheme that supports public broadcast. Unlike standard predicate encryption, the security properties of mixed FE can be satisfied by schemes where the master secret key is sampled after the public parameters, and this property is satisfied by existing constructions [GKW18, CVW+18]. This means that we can associate a different mixed FE scheme with each index $i \in [K]$ where the master secret key associated with each instance is derived from a PRF. All of the mixed FE schemes share a common set of public parameters. We can now use the first revocation idea described above to implement revocation for the mixed FE scheme.
Next, the ABE scheme is a public-key encryption scheme, and thus, we can use the second type of revocation described above. Namely, we require a single set of ABE parameters and simply include the index $i \in [K]$ in both the decryption key and the ciphertext to identity which index is being targeted.

By combining these two approaches for revocation, we show in Sect. 3.1 how to construct a secret-key revocable predicate encryption with broadcast scheme from the sub-exponential hardness of LWE. Notably, our final revocation mechanism relies critically on both the combinatoric properties of the subset-cover set system as well as the specific algebraic nature of the predicate encryption construction. Together, this yields the first collusion resistant trace-and-revoke scheme for arbitrary identities from the same underlying assumptions (Theorem 1.1).

A Simple Extension: More General Revocation Policies. While the basic scheme we described above supports revoking any polynomial number of identities, it naturally extends to support any revocation policy supported by the underlying subset-cover set system. Specifically, if we use the prefix-based subset-cover set system by Naor et al. [NNL01], our scheme supports revoking any number of identities that can be specified by a polynomial number of prefix-based patterns. For instance, we can revoke all users whose identity starts with a fixed prefix—which may consist of an exponential number of identities. In a concrete application, if the first few bits of a user’s identity specifies a region, then we can use prefix-based policies to efficiently revoke all of the users from one or more regions. We provide more discussion in Remark 3.10.

1.2 Related Work

In this section, we survey some of the related work on traitor tracing and trace-and-revoke schemes and compare our results to existing notions.

Traitor Tracing and Trace-and-Revoke. Numerous works have studied constructions of both traitor tracing and trace-and-revoke schemes from a wide range of assumptions and settings. Very broadly, most existing constructions can be categorized into two main categories: combinatorial approaches [CFN94, NP98, SSW01, CFNP00, NNL01, HS02, DF02, SSW01, BN08] and algebraic approaches [KD98, NP00, BSW06, BW06, GKSW10, LPSS14, KT15, NWZ16, ABP+17, GKW18, CVW+18, GVW19, GQWW19]. We refer to these works and the references therein for a survey of the field.

Many existing traitor-tracing and trace-and-revoke schemes (from standard assumptions) are only secure against bounded collusions [CFN94, KD98, NP00, SSW01, LPSS14, KT15, NWZ16, ABP+17]. Other schemes are fully collusion resistant, but can only handle a polynomial-size identity space [BSW06, BW06, GKSW10, GKW18, CVW+18, GQWW19]. In this work, we focus on schemes that are fully collusion resistant and support arbitrary identity spaces. While there are schemes that are both collusion resistant and support a super-polynomial identity space [NWZ16, GVW19], these construction require strong assumptions such as indistinguishability obfuscation [BGI+12] or positional witness encryption and cannot currently be based on standard intractability assumptions.

Several of the aforementioned schemes from standard assumptions [BW06, GKSW10, GQWW19] additionally provide a succinct broadcast mechanism where anyone can encrypt a message to any subset of the users with a ciphertext whose size scales with $N^{1/2}$ [BW06, GKSW10] or with $N^\varepsilon $ [GQWW19] for any constant $\varepsilon > 0$, where N is the total number of users in the system. Such schemes are commonly referred to as “broadcast, trace, and revoke” schemes. Notably, the ciphertext size in these constructions is independent of the number of revoked users and only depends on the total number of users. In our trace-and-revoke construction (Theorem 1.1), the ciphertext size scales linearly with the number of revoked users (which can be $\varOmega (N)$ in the worst case). Thus, in the setting where we have a polynomial-size identity space and when the number of revoked users is a sufficiently-large fraction of the total number of users, existing broadcast, trace, and revoke constructions will have shorter ciphertexts. In the setting where there is an exponential identity space, the ciphertexts in these existing constructions are also exponential, and they do not provide a compelling solution.

Several works [NP98, CFNP00, BN08] consider a threshold notion of traitor tracing where the tracing algorithm is only guaranteed to work for decoders that succeed with probability at least $\delta = 1/\mathsf {poly}(\lambda )$ (and the scheme parameters are allowed to depend on the parameter $\delta $). In this work, we focus on schemes that work for any decoder that succeeds with non-negligible probability.

Some combinatorial constructions [NNL01, HS02, DF02] are fully collusion resistant, but they only satisfy a weaker notion of traceability where the tracing algorithm either succeeds in extracting a pirated key or identifies an encryption strategy that disables the pirate decoder (this latter strategy increases the ciphertext size). This weaker traceability notion has led to pirate evolution [KP07] and Pirate 2.0 attacks [BP09] on schemes satisfying this weaker security notion. In this work, we focus on the strong notion of traceability where the tracing algorithm always succeeds in extracting at least one pirate key from any functional decoder. This notion is not affected by the pirate evolution attacks.

Cryptographic Watermarking. A closely-related notion to traitor tracing is cryptographic watermarking [BGI+12, CHN+16]. Very briefly, a cryptographic watermarking scheme allows an authority to embed arbitrary data into the secret key of a cryptographic function such that the marked program preserves the original functionality, and moreover, it is difficult to remove the watermark from the program without destroying its functionality. A collusion resistant watermarking scheme for a public-key encryption scheme would imply a collusion resistant traitor tracing scheme. Existing constructions [KW17, QWZ18, KW19b] of watermarking from standard assumptions are not collusion resistant and they are also limited to watermarking PRFs, which are not sufficient for traitor tracing. The recent construction of watermarking for public-key primitives [GKM+19] does imply a traitor tracing scheme for general identities (with public tracing), but only provides bounded collusion resistance (in fact, in this setting, their construction precisely coincides with the bounded collusion resistant traitor tracing construction from [NWZ16]). Moreover, it is not clear that existing constructions of watermarking can be extended to support key revocation.

Concurrent Work. In a recent and concurrent work, Goyal et al. [GKW19] also study the problem of identity-based traitor tracing for arbitrary identities (i.e., which they call “traitor tracing with embedded identities”). Their focus is on traitor tracing (without revocation) and achieving security based on polynomial hardness assumptions. In contrast, our focus is on supporting both tracing and revocation while still supporting arbitrary identities. Security of our construction, however, does rely on making a stronger sub-exponential hardness assumption.

2 Preliminaries

We begin by introducing some notation. We use $\lambda $ (often implicitly) to denote the security parameter. We write $\mathsf {poly}(\lambda )$ to denote a quantity that is bounded by a fixed polynomial in $\lambda $ and $\mathsf {negl}(\lambda )$ to denote a function that is $o(1/\lambda ^c)$ for all $c \in \mathbb {N}$. We say that an event occurs with overwhelming probability if its complement occurs with negligible probability. We say an algorithm is efficient if it runs in probabilistic polynomial time in the length of its input. For two families of distributions $\mathcal {D}_1 = \{ \mathcal {D}_{1, \lambda } \}_{\lambda \in \mathbb {N}}$ and $\mathcal {D}_2 = \{ \mathcal {D}_{2,\lambda } \}_{\lambda \in \mathbb {N}}$, we write $\mathcal {D}_1 \,{\mathop {\approx }\limits ^{c}}\,\mathcal {D}_2$ if the two distributions are computationally indistinguishable (i.e., no efficient algorithm can distribution $\mathcal {D}_1$ from $\mathcal {D}_2$ except with negligible probability).

For an integer $n \ge 1$, we write [n] to denote the set of integers $\{ 1, \ldots , n \}$. For integers $1 \le m \le n$, we write [m, n] to denote the set of integers $\{ m, m+1, \ldots , n \}$, and $[m, n]_{\mathbb {R}}$ to denote the closed interval between m and n (inclusive) over the real numbers. For a distribution $\mathcal {D}$, we write $x \leftarrow \mathcal {D}$ to denote that x is drawn from $\mathcal {D}$. For a finite set S, we write $x\, {\mathop {\leftarrow }\limits ^{\textsc {r}}}\, S$ to denote that x is drawn uniformly at random from S.

Cryptographic Primitives. We now recall the standard definition of pseudorandom functions and collision-resistant hash functions.

Definition 2.1

(Pseudorandom Function [GGM84]). A pseudorandom function (PRF) with key-space $\mathcal {K}= \{ \mathcal {K}_\lambda \}_{\lambda \in \mathbb {N}}$, domain $\mathcal {X}= \{ \mathcal {X}_\lambda \}_{\lambda \in \mathbb {N}}$, and range $\mathcal {Y}= \{ \mathcal {Y}_\lambda \}_{\lambda \in \mathbb {N}}$ is an efficiently-computable function $F :\mathcal {K}\times \mathcal {X}\rightarrow \mathcal {Y}$ such that for all efficient adversaries $\mathcal {A}$,

$$ \Pr [ k \,{\mathop {\leftarrow }\limits ^{\textsc {r}}}\, \mathcal {K}: \mathcal {A}^{F(k, \cdot )}(1^\lambda ) = 1 ] - \Pr [ f \,{\mathop {\leftarrow }\limits ^{\textsc {r}}}\, \mathsf {Funs}[\mathcal {X}, \mathcal {Y}] : \mathcal {A}^{f(\cdot )}(1^\lambda ) = 1 ] = \mathsf {negl}(\lambda ). $$

Definition 2.2

(Keyed Collision-Resistant Hash Function). A keyed collision-resistant hash function with key-space $\mathcal {K}= \{ \mathcal {K}_\lambda \}_{\lambda \in \mathbb {N}}$, domain $\mathcal {X}= \{ \mathcal {X}_\lambda \}_{\lambda \in \mathbb {N}}$, and range $\mathcal {Y}= \{ \mathcal {Y}_\lambda \}_{\lambda \in \mathbb {N}}$ is an efficiently-computable function $H :\mathcal {K}\times \mathcal {X}\rightarrow \mathcal {Y}$ such that for all efficient adversaries $\mathcal {A}$ and sampling $k \,{\mathop {\leftarrow }\limits ^{\textsc {r}}}\, \mathcal {K}$,

$$\begin{aligned} \Pr [ (x_0, x_1) \leftarrow \mathcal {A}(1^\lambda , k) : x_0 \ne x_1 \text { and } H(k, x_0) = H(k, x_1) ] = \mathsf {negl}(\lambda ). \end{aligned}$$

Subset-Cover Set Systems. As discussed in Sect. 1.1, the subset-cover framework introduced by Naor et al. [NNL01] is the basis for many combinatorial trace-and-revoke schemes. We provide the formal definition below:

Definition 2.3

(Subset-Cover Set System [NNL01]). Let N be a positive integer. A subset-cover set system for [N] is a set of indices [K] where $K = \mathsf {poly}(N)$ together with a pair of algorithms $(\mathsf {Encode}, \mathsf {ComputeCover})$ satisfying the following properties:

$\mathsf {Encode}(x) \rightarrow \mathcal {I}_x$: On input an element $x \in [N]$, the encoding algorithm outputs a set of indices $\mathcal {I}_x \subseteq [K]$.
$\mathsf {ComputeCover}(\mathcal {L}) \rightarrow \mathcal {J}_{\mathcal {L}}$: On input a revocation list $\mathcal {L}\subseteq [N]$, the cover-computation algorithm outputs a collection of indices $\mathcal {J}_{\mathcal {L}} \subseteq [K]$.

We require the following efficiency and security requirements for a subset-cover set system.

Efficiency: Take any element $x \in [N]$ and any revocation list $\mathcal {L}\subseteq [N]$. Then, $\mathsf {Encode}(x)$ runs in time $\mathsf {poly}(\log N)$ and $\mathsf {ComputeCover}(\mathcal {L})$ runs in time $\mathsf {poly}(\left| \mathcal {L} \right| , \log N)$.
Correctness: Take any element $x \in [N]$ and revocation list $\mathcal {L}\subseteq [N]$, and let $\mathcal {I}_x \leftarrow \mathsf {Encode}(x)$, $\mathcal {J}_{\mathcal {L}} \leftarrow \mathsf {ComputeCover}(\mathcal {L})$. Then, $x \in \mathcal {L}$ if and only if $\mathcal {I}_x \cap \mathcal {J}_{\mathcal {L}} = \varnothing $.

In this work, we will use the “complete subtree” system from [NNL01, §3.1]. The details of this construction are not essential to our construction, so we omit them and just summarize the main properties below:

Fact 2.4

(Subset-Cover Set System [NNL01, §3.1]). Let N be a positive integer. Then there exists a subset-cover set system [K] for [N] where $K = 2N - 1$, and where the algorithms $(\mathsf {Encode}, \mathsf {ComputeCover})$ satisfy the following properties:

For all elements $x \in [N]$, if $\mathcal {I}_x \leftarrow \mathsf {Encode}(x)$, then $\left| \mathcal {I}_x \right| = \log N + 1$.
For all revocation lists $\mathcal {L}\subseteq [N]$, if $\mathcal {J}_{\mathcal {L}} \leftarrow \mathsf {ComputeCover}(\mathcal {L})$, then $\left| \mathcal {J}_{\mathcal {L}} \right| = O(\left| \mathcal {L} \right| \log (N / \left| \mathcal {L} \right| ))$.

The Generalized Jump-Finding Problem. Next, we recall the generalized jump-finding problem introduced by Nishimaki et al. [NWZ16, §3.1] for constructing identity-based traitor tracing schemes with succinct ciphertexts. We note that [NWZ16] also introduced a simpler variant of the jump-finding problem that essentially abstracts out the algorithmic core of the traitor tracing construction from private linear broadcast. Here, we consider the generalized version because it enables shorter ciphertexts (where the ciphertext size scales logarithmically with the bit-length of the identities).

Definition 2.5

(Generalized Jump-Finding Problem [NWZ16, Definition 3.9]). For positive integers $N, r, q \in \mathbb {N}$ and $\delta , \varepsilon > 0$, the $(N, r, q, \delta , \varepsilon )$ generalized jump-finding problem is defined as follows. An adversary begins by choosing a set C of up to q tuples $(s, b_1, \ldots , b_r) \in [N] \times \{0,1\}^r$ where all of the s are distinct. Each tuple $(s, b_1, \ldots , b_r)$ describes a curve between grid points from the top to bottom of the grid $[1, r] \times [0, 2N]$, which oscillates about the column at position $2s - 1$, with $b = (b_1, \ldots , b_r)$ specifying which side of the column the curve is on in each row. The curves divide the grid into $\left| C \right| + 1$ contiguous regions. For each pair $(i, x) \in [1,r] \times [0,2N]$, the adversary chooses a probability $p_{i, x} \in [0, 1]_{\mathbb {R}}$ with the following properties:

For any two pairs (i, 2x), $(j, 2x) \in [1,r] \times [0,2N]$, it holds that $\left| p_{i, 2x} - p_{j, 2x} \right| < \delta $.
Let $C_i = \{ (s, b_1, \ldots , b_r) \in C : 2s - b_i \}$ be the set of values $2s - b_i$ for tuples in C. For any two pairs $(i, x), (i, y) \in [1,r] \times [0,2N]$ such that $(x, y] \cap C_i = \varnothing $, then $\left| p_{i, x} - p_{i, y} \right| < \delta $.
For all $i, j \in [r]$, it holds that $p_{i, 0} = p_{j, 0}$ and $p_{i, 2N} = p_{j, 2N}$. Define $p_0 = p_{i, 0}$ and $p_{2N} = p_{i, 2N}$.
Finally, $\left| p_{2N} - p_0 \right| > \varepsilon $.

Next, define the oracle $Q :[1,r] \times [0,2N] \rightarrow \{0,1\}$ to be a randomized oracle that on input (i, x) outputs 1 with probability $p_{i, x}$. Repeated calls to Q on the same input (i, x) will yield a fresh and independently-sampled bit. The $(N, r, q, \delta , \varepsilon )$ generalized jump-finding problem is to output some element in C given oracle access to Q.

Theorem 2.6

(Generalized Jump-Finding Algorithm [NWZ16, Theorem 3.10]). There is an efficient algorithm $\mathsf {QTrace}^{Q}(\lambda , N, r, q, \delta , \varepsilon )$ that runs in time $t = \mathsf {poly}(\lambda , \log N, r, q, 1/\delta )$ and makes at most t queries to Q that solves the $(N, r, q, \delta , \varepsilon )$ generalized jump-finding problem with probability $1 - \mathsf {negl}(\lambda )$ whenever $\varepsilon \ge \delta (9 + 4(\left\lceil \log N \right\rceil - 1) q)$. Moreover, any element $(s, b_1, \ldots , b_r) \in [N] \times \{0,1\}^r$ output by $\mathsf {QTrace}^Q$ satisfies the following property (with overwhelming probability):

For all $i \in [r]$, $\left| P(i, 2s - b_i) - P(i, 2s - 1 - b_i) \right| \ge \delta $, where $P(i,x) \mathrel {\mathop :}=\Pr [Q(i,x) = 1]$.

Remark 2.7

(Cheating Oracles [NWZ16, Remark 3.8]). The algorithm $\mathsf {QTrace}^Q$ from Theorem 2.6 succeeds in solving the $(N, r, q, \delta , \varepsilon )$ generalized jump-finding problem even if the oracle Q does not satisfy all of the requirements in Definition 2.5. As long as the first two properties hold for all pairs (i, x) and (j, y) queried by $\mathsf {QTrace}^Q$, the algorithm succeeds in outputting an element in C.

2.1 Functional Encryption

In this section, we recall the notions of attribute-based encryption (ABE) and mixed functional encryption (mixed FE) that we use in this work.

Mixed FE. A mixed FE scheme [GKW18] is a secret-key FE scheme (i.e., a secret key is needed to encrypt) where ciphertexts are associated with binary-valued functions $f :\mathcal {X}\rightarrow \{0,1\}$ and decryption keys are associated with inputs $x \in \mathcal {X}$. When a secret key $\mathsf {sk}_x$ associated with an input x is used to decrypt a ciphertext encrypting a message f, the decryption algorithm outputs f(x). The special property in a mixed FE scheme is that there additionally exists a public-key encryption algorithm that can be used to encrypt to the “always-accept” function (i.e., the function f where $f(x) = 1$ for all $x \in \mathcal {X}$). Moreover, ciphertexts encrypted using the public key are computationally indistinguishable from ciphertexts produced by using the secret key to encrypt the “always-accept” function. Finally, for our constructions, we require an additional property where the master public key and the master secret key for the mixed FE scheme can be generated independently. This means that we can have a family of mixed FE schemes sharing a common set of public parameters. As we discuss in the full version of this paper [KW19a], all existing mixed FE schemes satisfy this requirement.

Definition 2.8

(Mixed Functional Encryption [GKW18]). A mixed functional encryption scheme $\varPi _{\mathsf {MFE}}$ with domain $\mathcal {X}$ and function family $\mathcal {F}= \{ f :\mathcal {X}\rightarrow \{0,1\} \}$ is a tuple of algorithms $\varPi _{\mathsf {MFE}}= (\mathsf {PrmsGen}, \mathsf {MSKGen}, \mathsf {KeyGen}, \mathsf {PKEnc}, \mathsf {SKEnc}, \mathsf {Dec})$ with the following properties:

$\mathsf {PrmsGen}(1^\lambda ) \rightarrow \mathsf {pp}$: On input the security parameter $\lambda $, the parameter generation algorithm outputs the public parameters $\mathsf {pp}$.
$\mathsf {MSKGen}(\mathsf {pp}) \rightarrow \mathsf {msk}$: On input the public parameters $\mathsf {pp}$, the master secret key generation algorithm outputs a master secret key $\mathsf {msk}$.
$\mathsf {KeyGen}(\mathsf {msk}, x) \rightarrow \mathsf {sk}_x$: On input the master secret key $\mathsf {msk}$ and an input $x \in \mathcal {X}$, the key-generation algorithm outputs a secret key $\mathsf {sk}_x$.
$\mathsf {PKEnc}(\mathsf {pp}) \rightarrow \mathsf {ct}$: On input the public parameters $\mathsf {pp}$, the public encryption algorithm outputs a ciphertext $\mathsf {ct}$.
$\mathsf {SKEnc}(\mathsf {msk}, f) \rightarrow \mathsf {ct}_f$: On input the master secret key $\mathsf {msk}$ and a function $f \in \mathcal {F}$, the secret encryption algorithm outputs a ciphertext $\mathsf {ct}_f$.
$\mathsf {Dec}(\mathsf {sk}, \mathsf {ct}) \rightarrow b$: On input a secret key $\mathsf {sk}$ and a ciphertext $\mathsf {ct}$, the decryption algorithm outputs a bit $b \in \{0,1\}$.

A mixed FE scheme should satisfy the following properties:

Correctness: For all functions $f \in \mathcal {F}$ and all inputs $x \in \mathcal {X}$, and setting $\mathsf {pp}\leftarrow \mathsf {PrmsGen}(1^\lambda )$, $\mathsf {msk}\leftarrow \mathsf {MSKGen}(\mathsf {pp})$, $\mathsf {sk}_x \leftarrow \mathsf {KeyGen}(\mathsf {msk}, x)$, $\mathsf {ct}\leftarrow \mathsf {PKEnc}(\mathsf {pp})$, $\mathsf {ct}_f \leftarrow \mathsf {SKEnc}(\mathsf {msk}, f)$, it follows that
$$ \Pr [\mathsf {Dec}(\mathsf {sk}_x, \mathsf {ct}) = 1] = 1 - \mathsf {negl}(\lambda ) \quad \text {and} \quad \Pr [\mathsf {Dec}(\mathsf {sk}_x, \mathsf {ct}_f) = f(x)] = 1 - \mathsf {negl}(\lambda ). $$
Semantic security: For a bit $b \in \{0,1\}$, we define the security experiment $\mathsf {ExptMFE}_{\mathsf {SS}}[\lambda , \mathcal {A}, b]$ between a challenger and an adversary $\mathcal {A}$. The challenger begins by sampling $\mathsf {pp}\leftarrow \mathsf {PrmsGen}(1^\lambda )$, $\mathsf {msk}\leftarrow \mathsf {MSKGen}(\mathsf {pp})$, and gives $\mathsf {pp}$ to $\mathcal {A}$. The adversary is then given access to the following oracles:
- Key-generation oracle: On input $x \in \mathcal {X}$, the challenger replies with $\mathsf {sk}_x \leftarrow \mathsf {KeyGen}(\mathsf {msk}, x)$.
- Encryption oracle: On input $f \in \mathcal {F}$, the challenger replies with $\mathsf {ct}_f \leftarrow \mathsf {SKEnc}(\mathsf {msk}, f)$.
- Challenge oracle: On input two functions $f_0, f_1 \in \mathcal {F}$, the challenger replies with $\mathsf {ct}\leftarrow \mathsf {SKEnc}(\mathsf {msk}, f_b)$.
At the end of the game, the adversary outputs a bit $b' \in \{0,1\}$, which is also the output of the experiment. An adversary $\mathcal {A}$ is admissible for the mixed FE semantic security game if it makes one challenge query $(f_0, f_1)$, and for all inputs $x \in \mathcal {X}$ the adversary submits to the key-generation oracle, $f_0(x) = f_1(x)$. The mixed FE scheme satisfies (adaptive) semantic security if for all efficient and admissible adversaries $\mathcal {A}$,
$$\begin{aligned} \left| \Pr [\mathsf {ExptMFE}_{\mathsf {SS}}[\lambda , \mathcal {A}, 0] = 1] - \Pr [\mathsf {ExptMFE}_{\mathsf {SS}}[\lambda , \mathcal {A}, 1] = 1] \right| = \mathsf {negl}(\lambda ). \end{aligned}$$
Public/secret key indistinguishability: For a bit $b \in \{0,1\}$, we define the security experiment $\mathsf {ExptMFE}_{\mathsf {PK/SK}}[\lambda , \mathcal {A}, b]$ between a challenger and an adversary $\mathcal {A}$. The challenger begins by sampling $\mathsf {pp}\leftarrow \mathsf {PrmsGen}(1^\lambda )$, $\mathsf {msk}\leftarrow \mathsf {MSKGen}(\mathsf {pp})$, and gives $\mathsf {pp}$ to $\mathcal {A}$. The adversary is then given access to the following oracles:
- Key-generation oracle: On input $x \in \mathcal {X}$, the challenger replies with $\mathsf {sk}_x \leftarrow \mathsf {KeyGen}(\mathsf {msk}, x)$.
- Encryption oracle: On input $f \in \mathcal {F}$, the challenger replies with $\mathsf {ct}_f \leftarrow \mathsf {SKEnc}(\mathsf {msk}, f)$.
- Challenge oracle: On input a function $f \in \mathcal {F}$, the challenger computes $\mathsf {ct}_0 \leftarrow \mathsf {PKEnc}(\mathsf {pp})$ and $\mathsf {ct}_1 \leftarrow \mathsf {SKEnc}(\mathsf {msk}, f)$ and gives $\mathsf {sk}_b$ to the adversary.
At the end of the game, the adversary outputs a bit $b' \in \{0,1\}$, which is also the output of the experiment. An adversary $\mathcal {A}$ is admissible for the public/secret key indistinguishability game if it makes a single challenge query $f \in \mathcal {F}$ and for all inputs $x \in \mathcal {X}$ the adversary submits to the key-generation oracle, $f(x) = 1$. The mixed FE scheme satisfies (adaptive) public/secret key indistinguishability if for all efficient and admissible adversaries $\mathcal {A}$, it holds that
$$\begin{aligned} \left| \Pr [\mathsf {ExptMFE}_{\mathsf {PK/SK}}[\lambda , \mathcal {A}, 0] = 1] - \Pr [\mathsf {ExptMFE}_{\mathsf {PK/SK}}[\lambda , \mathcal {A}, 1] = 1] \right| = \mathsf {negl}(\lambda ). \end{aligned}$$

We include additional preliminaries and discussion about mixed FE (e.g., imposing a bound on the number of encryption oracle queries the adversary can make in the security games) in the full version of this paper [KW19a].

3 Revocable Predicate Encryption

In this section, we introduce our notion of a secret-key revocable predicate encryption scheme that supports a public broadcast functionality (i.e., a public-key encryption algorithm that outputs ciphertexts that can be decrypted by all secret keys in the system). This will be the primary primitive we use to construct our identity-based trace-and-revoke scheme (described in Sect. 4). Our definitions can be viewed as a special case of the more general notion of (public-key) revocable functional encryption from [NWZ16]. The advantage of considering this relaxed notion is that it enables constructions from standard assumptions (whereas we only know how to construct fully secure revocable functional encryption from indistinguishability obfuscation). We introduce our notion below and then show how to construct it by combining mixed FE, ABE, and a subset-cover set system in Sect. 3.1.

Definition 3.1

(Secret-Key Revocable Predicate Encryption with Broadcast). A secret-key revocable predicate encryption scheme (RPE) scheme with broadcast for an identity space $\mathcal {ID}$, an attribute space $\mathcal {X}$, a function family $\mathcal {F}= \{ f :\mathcal {X}\rightarrow \{0,1\} \}$, and a message space $\mathcal {M}$ is a tuple of algorithms $\varPi _{\mathsf {RPE}}= (\mathsf {Setup}, \mathsf {KeyGen}, \mathsf {Broadcast}, \mathsf {Enc}, \mathsf {Dec})$ defined as follows:

$\mathsf {Setup}(1^\lambda ) \rightarrow (\mathsf {pp}, \mathsf {msk})$: On input the security parameter $\lambda $, the setup algorithm outputs the public parameters $\mathsf {pp}$ and the master secret key $\mathsf {msk}$.
$\mathsf {KeyGen}(\mathsf {msk}, \mathsf {id}, x) \rightarrow \mathsf {sk}_{\mathsf {id}, x}$: On input the master secret key $\mathsf {msk}$, an identity $\mathsf {id}\in \mathcal {ID}$, and an attribute $x \in \mathcal {X}$, the key-generation algorithm outputs a decryption key $\mathsf {sk}_{\mathsf {id}, x}$.
$\mathsf {Broadcast}(\mathsf {pp}, m, \mathcal {L}) \rightarrow \mathsf {ct}_{m,\mathcal {L}}$: On input the public key, a message m, and a revocation list $\mathcal {L}\subseteq \mathcal {ID}$, the broadcast algorithm outputs a ciphertext $\mathsf {ct}_{m, \mathcal {L}}$.
$\mathsf {Enc}(\mathsf {msk}, f, m, \mathcal {L}) \rightarrow \mathsf {ct}_{f,m,\mathcal {L}}$: On input the master secret key $\mathsf {msk}$, a function $f \in \mathcal {F}$, a message $m \in \mathcal {M}$, and a revocation list $\mathcal {L}\subseteq \mathcal {ID}$, the encryption algorithm outputs a ciphertext $\mathsf {ct}_{f, m, \mathcal {L}}$.
$\mathsf {Dec}(\mathsf {sk}, \mathsf {ct}) \rightarrow m/\bot $: On input a decryption key $\mathsf {sk}$ and a ciphertext $\mathsf {ct}$, the decryption algorithm either outputs a message $m \in \mathcal {M}$ or a special symbol $\bot $.

A secret-key RPE scheme with broadcast should satisfy the following properties:

Correctness: For all functions $f \in \mathcal {F}$, all identities $\mathsf {id}\in \mathcal {ID}$, all attributes $x \in \mathcal {X}$ where $f(x) = 1$, all messages $m \in \mathcal {M}$, and all revocation lists $\mathcal {L}\subseteq \mathcal {ID}$ where $\mathsf {id}\notin \mathcal {L}$, if we set $(\mathsf {pp}, \mathsf {msk}) \leftarrow \mathsf {Setup}(1^\lambda )$, $\mathsf {sk}_{\mathsf {id}, x} \leftarrow \mathsf {KeyGen}(\mathsf {msk}, \mathsf {id}, x)$, the following holds:
- Broadcast correctness: If $\mathsf {ct}_{m, \mathcal {L}} \leftarrow \mathsf {Broadcast}(\mathsf {pp}, m, \mathcal {L})$, then
  $$\begin{aligned} \Pr [\mathsf {Dec}(\mathsf {sk}_{\mathsf {id}, x}, \mathsf {ct}_{m,\mathcal {L}}) = m] = 1 - \mathsf {negl}(\lambda ). \end{aligned}$$
- Encryption correctness: If $\mathsf {ct}_{f, m, \mathcal {L}} \leftarrow \mathsf {Enc}(\mathsf {msk}, f, m, \mathcal {L})$, then
  $$\begin{aligned} \Pr [\mathsf {Dec}(\mathsf {sk}_{\mathsf {id}, x}, \mathsf {ct}_{f, m, \mathcal {L}}) = m] = 1 - \mathsf {negl}(\lambda ). \end{aligned}$$
Message hiding: For a bit $b \in \{0,1\}$, we define the experiment $\mathsf {ExptRPE}_{\mathsf {MH}}[\lambda , \mathcal {A}, b]$ between a challenger and an adversary $\mathcal {A}$. The challenger begins by sampling $(\mathsf {pp}, \mathsf {msk}) \leftarrow \mathsf {Setup}(1^\lambda )$ and gives $\mathsf {pp}$ to $\mathcal {A}$. The adversary is then given access to the following oracles:
- Key-generation oracle: On input an identity $\mathsf {id}\in \mathcal {ID}$ and an attribute $x \in \mathcal {X}$, the challenger replies with $\mathsf {sk}_{\mathsf {id}, x} \leftarrow \mathsf {KeyGen}(\mathsf {msk}, \mathsf {id}, x)$.
- Encryption oracle: On input a function $f \in \mathcal {F}$, a message $m \in \mathcal {M}$, and a revocation list $\mathcal {L}\subseteq \mathcal {ID}$, the challenger replies with $\mathsf {ct}_{f,m,\mathcal {L}} \leftarrow \mathsf {Enc}(\mathsf {msk}, f, m, \mathcal {L})$.
- Challenge oracle: On input a function $f \in \mathcal {F}$, two messages $m_0, m_1 \in \mathcal {M}$, and a revocation list $\mathcal {L}\subseteq \mathcal {ID}$, the challenger computes $\mathsf {ct}_b \leftarrow \mathsf {Enc}(\mathsf {msk}, f, m_b, \mathcal {L})$ and gives $\mathsf {ct}_b$ to the adversary.
At the end of the game, the adversary outputs a bit $b' \in \{0,1\}$, which is the output of the experiment. An adversary $\mathcal {A}$ is admissible for the message hiding game if it makes a single challenge query $(f, m_0, m_1, \mathcal {L})$ such that for all pairs $(\mathsf {id}, x)$ the adversary submitted to the key-generation oracle, it holds that $f(x) = 0$ or $\mathsf {id}\in \mathcal {L}$. We say that $\varPi _{\mathsf {RPE}}$ satisfies (adaptive) message hiding if for all efficient and admissible adversaries $\mathcal {A}$,
$$\begin{aligned} \left| \Pr [\mathsf {ExptRPE}_{\mathsf {MH}}[\lambda , \mathcal {A}, 0] = 1] - \Pr [\mathsf {ExptRPE}_{\mathsf {MH}}[\lambda , \mathcal {A}, 1] = 1] \right| = \mathsf {negl}(\lambda ). \end{aligned}$$
Function hiding: For a bit $b \in \{0,1\}$, we define the experiment $\mathsf {ExptRPE}_{\mathsf {FH}}[\lambda , \mathcal {A}, b]$ between a challenger and an adversary $\mathcal {A}$ exactly as $\mathsf {ExptRPE}_{\mathsf {MH}}[\lambda , \mathcal {A}, b]$, except the challenge oracle is replaced with the following:
- Challenge oracle: On input two functions $f_0, f_1 \in \mathcal {F}$, a message $m \in \mathcal {M}$, and a revocation list $\mathcal {L}\subseteq \mathcal {ID}$, the challenger computes $\mathsf {ct}_b \leftarrow \mathsf {Enc}(\mathsf {msk}, f_b, m, \mathcal {L})$ and gives $\mathsf {ct}_b$ to the adversary.
We say an adversary $\mathcal {A}$ is admissible for the function-hiding game if it makes a single challenge query $(f_0, f_1, m, \mathcal {L})$ such that for all pairs $(\mathsf {id}, x)$ the adversary submitted to the key-generation oracle, either $f_0(x) = f_1(x)$ or $\mathsf {id}\in \mathcal {L}$. We say that $\varPi _{\mathsf {RPE}}$ satisfies (adaptive) function hiding if for all efficient and admissible adversaries $\mathcal {A}$,
$$\begin{aligned} \left| \Pr [\mathsf {ExptRPE}_{\mathsf {FH}}[\lambda , \mathcal {A}, 0] = 1] - \Pr [\mathsf {ExptRPE}_{\mathsf {FH}}[\lambda , \mathcal {A}, 1] = 1] \right| = \mathsf {negl}(\lambda ). \end{aligned}$$
Broadcast security: For a bit $b \in \{0,1\}$, we define the security experiment $\mathsf {ExptRPE}_{\mathsf {BC}}[\lambda , \mathcal {A}, b]$ between a challenger and an adversary $\mathcal {A}$ exactly as $\mathsf {ExptRPE}_{\mathsf {MH}}[\lambda , \mathcal {A}, b]$, except the challenge oracle is replaced with the following:
- Challenge oracle: On input a message $m \in \mathcal {M}$ and a revocation list $\mathcal {L}\subseteq \mathcal {ID}$, the challenger computes $\mathsf {ct}_0 \leftarrow \mathsf {Broadcast}(\mathsf {pp}, m, \mathcal {L})$ and $\mathsf {ct}_1 \leftarrow \mathsf {Enc}(\mathsf {msk}, f, m, \mathcal {L})$ where $f_{\mathsf {accept}}$ is the “always-accept” function (i.e., $f_{\mathsf {accept}}(x) = 1$ for all $x \in \mathcal {X}$). It gives $\mathsf {ct}_b$ to the adversary.
At the end of the game, the adversary outputs a bit $b' \in \{0,1\}$, which is the output of the experiment. We say that $\varPi _{\mathsf {RPE}}$ satisfies (adaptive) broadcast security if for all efficient adversaries $\mathcal {A}$ that make at most one challenge query,
$$\begin{aligned} \left| \Pr [\mathsf {ExptRPE}_{\mathsf {BC}}[\lambda , \mathcal {A}, b] = 1] - \Pr [\mathsf {ExptRPE}_{\mathsf {BC}}[\lambda , \mathcal {A}, 1]] \right| = \mathsf {negl}(\lambda ). \end{aligned}$$

Remark 3.2

(Non-Adaptive q-Query Security). For each of the security notions in Definition 3.1 (message hiding, function hiding, and broadcast security), we define a notion of non-adaptive q-query security where the corresponding security notion only holds against all adversaries that make at most $q \in \mathbb {N}$ queries to the encryption oracle, and moreover, all of the non-encryption queries occur before the encryption queries. Achieving this notion is easier and suffices for our main construction (adaptively-secure trace-and-revoke).

Remark 3.3

(Embedding the Revocation List in the Attribute). A natural approach for constructing a revocable predicate encryption scheme from any vanilla predicate encryption scheme is to include the revocation list $\mathcal {L}$ as part of the function in the predicate encryption scheme. A decryption key for an identity $\mathsf {id}$ would then check that $\mathsf {id}$ is not contained in the revocation list $\mathcal {L}$ associated with the ciphertext. This is the approach suggested in [NWZ16, Remark 6.2] in the context of constructing a revocable functional encryption scheme. While this approach may seem straightforward, it has a significant drawback in most settings. In existing predicate encryption schemes from standard assumptions, the decryption functionality is represented as a circuit, which takes fixed-size inputs. Thus, if the revocation list is embedded as part of the ciphertext, then a predicate encryption scheme for circuit-based predicates would only be able to support an a priori bounded number of revocations. In contrast, the our construction allows for revoking an arbitrary polynomial number of users (Sect. 3.1). Of course, if we can construct predicate or functional encryption for Turing machine or RAM computations, then this natural revocation approach would suffice. Existing constructions of functional encryption for Turing machine computations all rely on indistinguishability obfuscation [KLW15, AJS17, AS16, GS18].

3.1 Constructing Secret-Key Revocable Predicate Encryption with Broadcast

In this section, we describe our construction of a secret-key revocable predicate encryption with broadcast scheme for general predicates by combining a mixed FE scheme, an ABE scheme, and a subset-cover set system. As discussed in Sect. 1.1, our core construction (without revocation) can be viewed as a direct generalization of the construction of private linear broadcast encryption from mixed FE and ABE from [GKW18]. We next augment our construction with a subset cover set system to support revocation. Our techniques allow revoking an arbitrary number of users (in contrast to previous trace-and-revoke schemes from standard assumptions that could only handle bounded revocations [NWZ16, ABP+17]). We give our full construction and its analysis below:

Construction 3.4

(Secret-Key Revocable Predicate Encryption with Broadcast). Fix an identity space $\mathcal {ID}= \{0,1\}^{n}$, attribute space $\mathcal {X}$, function family $\mathcal {F}= \{ f :\mathcal {X}\rightarrow \{0,1\} \}$ and message space $\mathcal {M}$, where $n = n(\lambda )$.

Let [K] be the subset-cover set system for the set $\mathcal {ID}= \{0,1\}^n$. Let $\varPi _{\mathsf {SC}}= (\mathsf {Encode}, \mathsf {ComputeCover})$ be the algorithms associated with the set system.
Let $\varPi _{\mathsf {MFE}}= (\mathsf {MFE}{.}\mathsf {PrmsGen}, \mathsf {MFE}{.}\mathsf {MSKGen}, \mathsf {MFE}{.}\mathsf {KeyGen}, \mathsf {MFE}{.}\mathsf {PKEnc}, \mathsf {MFE}{.}\mathsf {SKEnc}, \mathsf {MFE}{.}\mathsf {Dec})$ be a mixed FE scheme with domain $\mathcal {X}$ and function family $\mathcal {F}$. Let $\rho = \rho (\lambda )$ be the randomness complexity of the master secret key generation algorithm $\mathsf {MFE}{.}\mathsf {MSKGen}$, let $\mathcal {C}\mathcal {T}$ denote the ciphertext space of $\varPi _{\mathsf {MFE}}$ (i.e., the range of $\mathsf {MFE}{.}\mathsf {PKEnc}$ and $\mathsf {MFE}{.}\mathsf {SKEnc}$), and let $\mathcal {S}\mathcal {K}$ denote the secret key space of $\varPi _{\mathsf {MFE}}$ (i.e., the range of $\mathsf {MFE}{.}\mathsf {KeyGen}$). We will require that $\varPi _{\mathsf {MFE}}$ be sub-exponentially secure, so let $\varepsilon > 0$ be a constant such that $2^{-\varOmega (\lambda ^{\varepsilon })}$ bounds the advantage of any efficient adversary $\mathcal {A}$ for the security of $\varPi _{\mathsf {MFE}}$.
For a secret key $\mathsf {mfe{.}sk}\in \mathcal {S}\mathcal {K}$ and an index $i^*\in [K]$, define the function $g_{\mathsf {mfe{.}sk}, i^*} :\mathcal {C}\mathcal {T}\times [K] \rightarrow \{0,1\}$ to be the function
$$ g_{\mathsf {mfe{.}sk}, i^*}(\mathsf {ct}, i) = {\left\{ \begin{array}{ll} 1 &{} \mathsf {MFE}{.}\mathsf {Dec}(\mathsf {mfe{.}sk}, \mathsf {ct}) = 1 \text { and } i = i^*\\ 0 &{} \text {otherwise}. \end{array}\right. } $$
Let $\varPi _{\mathsf {ABE}}= (\mathsf {ABE}{.}\mathsf {Setup}, \mathsf {ABE}{.}\mathsf {KeyGen}, \mathsf {ABE}{.}\mathsf {Enc}, \mathsf {ABE}{.}\mathsf {Dec})$ be an attribute-based encryption scheme over message space $\mathcal {M}$, attribute space $\mathcal {X}' = \mathcal {C}\mathcal {T}\times [K]$ and function family $\mathcal {F}' = \{ \mathsf {mfe{.}sk}\in \mathcal {S}\mathcal {K}, i^*\in [K] : g_{\mathsf {mfe{.}sk}, i^*} \}$.
Let $F :\mathcal {K}\times [K] \rightarrow \{0,1\}^\rho $ be a pseudorandom function.

We construct a secret-key revocable predicate encryption scheme as follows:

$\mathsf {Setup}(1^\lambda )$: On input the security parameter $\lambda $, the setup algorithm sets $\lambda ' = \max (\lambda , (\log K)^{2/\varepsilon })$. It then generates mixed FE public parameters $\mathsf {mfe{.}pp}\leftarrow \mathsf {MFE}{.}\mathsf {PrmsGen}(1^{\lambda '})$. It also instantiates an attribute-based encryption scheme $(\mathsf {abe{.}pp}, \mathsf {abe{.}msk}) \leftarrow \mathsf {ABE}{.}\mathsf {Setup}(1^\lambda )$, samples a PRF key $k \,{\mathop {\leftarrow }\limits ^{\textsc {r}}}\, \mathcal {K}$, and outputs
$$\begin{aligned} \mathsf {pp}= (\mathsf {mfe{.}pp}, \mathsf {abe{.}pp}) \quad \text {and} \quad \mathsf {msk}= (\mathsf {pp}, \mathsf {abe{.}msk}, k) . \end{aligned}$$
$\mathsf {KeyGen}(\mathsf {msk}, \mathsf {id}, x)$: On input a master secret key $\mathsf {msk}$, an identity $\mathsf {id}\in \mathcal {ID}$, and an attribute $x \in \mathcal {X}$, the key-generation algorithm does the following:
1. 1.
  Compute a subset-cover encoding of the identity $\mathcal {I}_\mathsf {id}\leftarrow \mathsf {Encode}(\mathsf {id})$.
2. 2.
  For each index $i \in \mathcal {I}_\mathsf {id}$, the algorithm samples randomness $r_{i} \leftarrow F(k, i)$. It then generates a mixed FE master secret key $\mathsf {mfe{.}msk}_i \leftarrow \mathsf {MFE}{.}\mathsf {MSKGen}(\mathsf {mfe{.}pp}; r_i)$ and a mixed FE decryption key $\mathsf {mfe{.}sk}_{i,x} \leftarrow \mathsf {MFE}{.}\mathsf {KeyGen}(\mathsf {mfe{.}msk}_i, x)$.
3. 3.
  Finally, for each $i \in \mathcal {I}_\mathsf {id}$, it constructs an ABE decryption key with respect to the function $g_{\mathsf {mfe{.}msk}_{i,x}, i}$ as follows: $\mathsf {abe{.}sk}_{i, x} \leftarrow \mathsf {ABE}{.}\mathsf {KeyGen}(\mathsf {abe{.}msk}, g_{\mathsf {mfe{.}sk}_{i, x}, i})$.
4. 4.
  It outputs the collection of keys $\mathsf {sk}_{\mathsf {id}, x} = \{ (i, \mathsf {abe{.}sk}_{i,x}) \}_{i \in \mathcal {I}_\mathsf {id}}$.
$\mathsf {Broadcast}(\mathsf {pp}, m, \mathcal {L})$: On input the public parameters $\mathsf {pp}= (\mathsf {mfe{.}pp}, \mathsf {abe{.}pp})$, a message m, and a revocation list $\mathcal {L}\subseteq \mathcal {ID}$, the broadcast algorithm does the following:
1. 1.
  Obtain a cover for $\mathcal {ID}{\setminus } \mathcal {L}$ by computing $\mathcal {J}_{\mathcal {L}} \leftarrow \mathsf {ComputeCover}(\mathcal {L})$.
2. 2.
  For each $i \in \mathcal {J}_{\mathcal {L}}$, it generates a mixed FE ciphertext $\mathsf {mfe{.}ct}_i \leftarrow \mathsf {MFE}{.}\mathsf {PKEnc}(\mathsf {mfe{.}pp})$ and an ABE ciphertext $\mathsf {abe{.}ct}_i \leftarrow \mathsf {ABE}{.}\mathsf {Enc}$$(\mathsf {abe{.}pp}, (\mathsf {mfe{.}ct}_i, i), m)$.
3. 3.
  It outputs the ciphertext $\mathsf {ct}_{m, \mathcal {L}} = \{ (i, \mathsf {abe{.}ct}_i) \}_{i \in \mathcal {J}_{\mathcal {L}}}$.
$\mathsf {Enc}(\mathsf {msk}, f, m, \mathcal {L})$: On input the master secret key $\mathsf {msk}= (\mathsf {pp}, \mathsf {abe{.}msk}, k)$, a function $f \in \mathcal {F}$, a message $m \in \mathcal {M}$, and a revocation list $\mathcal {L}\subseteq \mathcal {ID}$, where $\mathsf {pp}= (\mathsf {mfe{.}pp}, \mathsf {abe{.}pp})$, the encryption algorithm does the following:
1. 1.
  Obtain a cover for $\mathcal {ID}{\setminus } \mathcal {L}$ by computing $\mathcal {J}_{\mathcal {L}} \leftarrow \mathsf {ComputeCover}(\mathcal {L})$.
2. 2.
  Then, for each $i \in \mathcal {J}_{\mathcal {L}}$, it computes $r_i \leftarrow F(k, i)$ and derives the corresponding mixed FE master secret key $\mathsf {mfe{.}msk}_i \leftarrow \mathsf {MFE}{.}\mathsf {MSKGen}(\mathsf {mfe{.}pp}; r_i)$. It then encrypts $\mathsf {mfe{.}ct}_i \leftarrow \mathsf {MFE}{.}\mathsf {SKEnc}(\mathsf {mfe{.}msk}_i, f)$.
3. 3.
  For each $i \in \mathcal {J}_{\mathcal {L}}$, it computes $\mathsf {abe{.}ct}_{i} \leftarrow \mathsf {ABE}{.}\mathsf {Enc}(\mathsf {abe{.}pp}, (\mathsf {mfe{.}ct}_i, i), m)$, and outputs the ciphertext $\mathsf {ct}_{f, m, \mathcal {L}} = \{ (i, \mathsf {abe{.}ct}_i) \}_{i \in \mathcal {J}_{\mathcal {L}}}$.
$\mathsf {Dec}(\mathsf {sk}, \mathsf {ct})$: On input a key $\mathsf {sk}= \{ (i, \mathsf {abe{.}sk}_{i}) \}_{i \in \mathcal {I}}$ and a ciphertext $\mathsf {ct}= \{ (i, \mathsf {abe{.}ct}_i) \}_{i \in \mathcal {J}}$, the decryption algorithm first checks if $\mathcal {I}\cap \mathcal {J}= \varnothing $. If so, it outputs $\bot $. Otherwise, it chooses an arbitrary index $i \in \mathcal {I}\cap \mathcal {J}$ and outputs $m \leftarrow \mathsf {ABE}{.}\mathsf {Dec}(\mathsf {abe{.}sk}_{i}, \mathsf {abe{.}ct}_{i})$.

Correctness and Security Analysis. We state our main theorems on the properties of Construction 3.4 below, but defer their analysis to the full version of this paper [KW19a].

Theorem 3.5

(Correctness). Suppose that $\varPi _{\mathsf {MFE}}$, $\varPi _{\mathsf {ABE}}$, and $\varPi _{\mathsf {SC}}$ are correct. Then, the predicate encryption scheme $\varPi _{\mathsf {RPE}}$ from Construction 3.4 is correct.

Theorem 3.6

(Message Hiding). Suppose that $\varPi _{\mathsf {MFE}}$ and $\varPi _{\mathsf {SC}}$ are correct, and $\varPi _{\mathsf {ABE}}$ satisfies semantic security. Then, the predicate encryption scheme $\varPi _{\mathsf {RPE}}$ from Construction 3.4 satisfies message hiding.

Theorem 3.7

(Function Hiding). Suppose that $\varPi _{\mathsf {MFE}}$ satisfies sub-exponential non-adaptive q-query (resp., adaptive) semantic security. Specifically, suppose that the advantage of any adversary running in time $\mathsf {poly}(\lambda )$ in the semantic security game is bounded by $2^{-\varOmega (\lambda ^\varepsilon )}$. In addition, suppose that $\varPi _{\mathsf {ABE}}$ is secure, F is a secure PRF, and $\varPi _{\mathsf {SC}}$ is correct. Then, the predicate encryption scheme in Construction 3.4 satisfies non-adaptive q-query (resp., adaptive) function hiding security.

Theorem 3.8

(Broadcast Security). Suppose that $\varPi _{\mathsf {MFE}}$ satisfies sub-exponential non-adaptive q-query (resp., adaptive) public/secret key indistinguishability. Specifically, suppose that the advantage of any adversary running in time $\mathsf {poly}(\lambda )$ in the public/secret key indistinguishability game is bounded by $2^{-\varOmega (\lambda ^\varepsilon )}$. In addition, suppose that F is a secure PRF. Then the predicate encryption scheme $\varPi _{\mathsf {RPE}}$ in Construction 3.4 satisfies non-adaptive q-query (resp., adaptive) broadcast security.

3.2 Instantiating Secret-Key Revocable Predicate Encryption with Broadcast

In this section, we describe one possible instantiation of secret-key revocable predicate encryption with broadcast from Construction 3.4. In particular, combining Construction 3.4 with Theorems 3.5 through 3.8 yields the following corollary:

Corollary 3.9

(Secret-Key Revocable Predicate Encryption from LWE). Take an identity-space $\mathcal {ID}= \{0,1\}^n$, attribute space $\mathcal {X}= \{0,1\}^\ell $, and message space $\mathcal {M}= \{0,1\}^t$ where $n = n(\lambda )$, $\ell = \ell (\lambda )$, and $t = t(\lambda )$. Let $\mathcal {F}= \{ f :\mathcal {X}\rightarrow \{0,1\} \}$ be a function family where every function $f \in \mathcal {F}$ can be specified by a string of length $z = z(\lambda )$ and computed by a Boolean circuit of depth $d = d(\lambda )$. Then, assuming sub-exponential hardness of LWE (with a super-polynomial modulus-to-noise ratio), there exists a non-adaptive 1-key secure secret-key revocable predicate encryption scheme with broadcast $\varPi _{\mathsf {RPE}}$ over the identity space $\mathcal {ID}$, attribute space $\mathcal {X}$, and function family $\mathcal {F}$. Moreover, $\varPi _{\mathsf {RPE}}$ satisfies the following properties:

Public parameter size: $\left| \mathsf {pp} \right| = \ell \cdot \mathsf {poly}(\lambda , d, n, z)$.
Secret key size: The secret key $\mathsf {sk}_{\mathsf {id}, x}$ for an identity $\mathsf {id}\in \{0,1\}^n$ and an attribute $x \in \{0,1\}^\ell $ has size $\left| \mathsf {sk}_{\mathsf {id}, x} \right| = \ell + \mathsf {poly}(\lambda , d, n, z)$.
Ciphertext size: An encryption $\mathsf {ct}_{m, \mathcal {L}}$ of a message $m \in \{0,1\}^t$ with revocation list $\mathcal {L}$ has size $\left| \mathsf {ct}_{m, \mathcal {L}} \right| = t + \left| \mathcal {L} \right| \cdot \mathsf {poly}(\lambda , d, n, z)$.

Proof

We instantiate Construction 3.4 using the subset-cover set system from Fact 2.4, the mixed FE scheme using the construction of Chen et al. [CVW+18], the ABE scheme using the construction of Boneh et al. [BGG+14], and the PRF from any one-way function [GGM84]. We describe the exact instantiations in greater detail in the full version of this paper [KW19a]. The mixed FE scheme is instantiated with domain $\mathcal {X}= \{0,1\}^\ell $ and function family $\mathcal {F}$, while the ABE scheme is instantiated with message space $\mathcal {M}$, attribute space $\mathcal {X}' = \mathcal {C}\mathcal {T}\times [K]$ and function family $\mathcal {F}' = \{ \mathsf {mfe{.}sk}\in \mathcal {S}\mathcal {K}, i^*\in [K] : g_{\mathsf {mfe{.}sk}, i^*} \}$. We will use the following bounds in our analysis:

From Fact 2.4, we have that $K = O(N)$, and correspondingly, $\log K = O(\log N) = O(n)$.
We have that the length of a mixed FE ciphertext $\mathsf {mfe{.}ct}\in \mathcal {C}\mathcal {T}$ is bounded by $\left| \mathsf {mfe{.}ct} \right| = \mathsf {poly}(\lambda , d, z)$. Correspondingly, this means that the length $\ell _{\mathsf {ABE}}$ of an ABE attribute is bounded by $\ell _{\mathsf {ABE}} = \mathsf {poly}(\lambda , d, z) + \log K = \mathsf {poly}(\lambda , d, n, z)$.
Each function $g_{\mathsf {mfe{.}sk}, i^*}$ can be implemented by a circuit with depth at most $\mathsf {poly}(\lambda , d) + \log \log K = \mathsf {poly}(\lambda , d, \log n)$. Specifically, the mixed FE decryption circuit can be evaluated by a circuit of depth $\mathsf {poly}(\lambda ', d) = \mathsf {poly}(\lambda , d, n, z)$ and the equality-check circuit can be evaluated by a circuit of depth $\log \log K$ (since each input to the equality-check circuit is a $(\log K)$-bit value). Thus, the functions in $\mathcal {F}'$ can be computed by Boolean circuits with depth at most $d_{\mathsf {ABE}} \le \mathsf {poly}(\lambda , d, n, z)$. The description length of functions in $\mathcal {F}'$ is $\left| \mathsf {mfe{.}sk} \right| + \log K = \ell + \mathsf {poly}(\lambda , n, z)$.

Putting all the pieces together, we now have the following:

Public parameter size: The public parameters $\mathsf {pp}$ consist of the ABE public parameters $\mathsf {abe{.}pp}$ and the mixed FE public parameters $\mathsf {mfe{.}pp}$. Then,
$$\begin{aligned} \left| \mathsf {abe{.}pp} \right| = \mathsf {poly}(\lambda , d_{\mathsf {ABE}}, \ell _{\mathsf {ABE}}) = \mathsf {poly}(\lambda , d, n, z), \end{aligned}$$
and correspondingly,
$$\begin{aligned} \left| \mathsf {mfe{.}pp} \right| = \ell \cdot \mathsf {poly}(\lambda ', d, z) = \ell \cdot \mathsf {poly}(\lambda , d, n, z), \end{aligned}$$
since $\lambda ' = \mathsf {poly}(\lambda , \log K) = \mathsf {poly}(\lambda , n)$. Thus, $\left| \mathsf {pp} \right| = \ell \cdot \mathsf {poly}(\lambda , d, n, z)$.
Secret key size: The secret key $\mathsf {sk}_{\mathsf {id}, x} = \{ (i, \mathsf {abe{.}sk}_{i,x}) \}_{i \in \mathcal {I}_\mathsf {id}}$ for an identity $\mathsf {id}$ and attribute x consists of $\left| \mathcal {I}_{\mathsf {id}} \right| $ ABE secret keys, where $\left| \mathcal {I}_\mathsf {id} \right| \leftarrow \mathsf {Encode}(\mathsf {id})$. By Fact 2.4, $\left| \mathcal {I}_{id} \right| = \log N + 1 = \mathsf {poly}(n)$. Finally,
$$\begin{aligned} \left| \mathsf {abe{.}sk}_{i,x} \right| = \left| g_{\mathsf {mfe{.}sk}_{i,x}, i} \right| + \mathsf {poly}(\lambda , d_{\mathsf {ABE}}, \ell _{\mathsf {ABE}}) = \ell + \mathsf {poly}(\lambda , d, n, z). \end{aligned}$$
Thus, $\left| \mathsf {sk}_{\mathsf {id}, x} \right| = \left| \mathcal {I}_{\mathsf {id}} \right| \cdot \left| \mathsf {abe{.}sk}_{i,x} \right| = \ell + \mathsf {poly}(\lambda , d, n, z)$.
Ciphertext size: Without loss of generality, we can always use hybrid encryption for the ciphertexts. Namely, the encryption algorithm samples a symmetric key k to encrypt the message and then encrypts k using the secret-key revocable predicate encryption scheme. The final ciphertext $\mathsf {ct}_{m, \mathcal {L}}$ then consists of a symmetric encryption of the message m (which has size $\left| m \right| + \mathsf {poly}(\lambda )$) and a revocable predicate encryption ciphertext $\widehat{\mathsf {ct}}$ of the key k. In this case, $\left| k \right| = \mathsf {poly}(\lambda )$, and the overall ciphertext size is $\left| \mathsf {ct} \right| = \left| m \right| + \mathsf {poly}(\lambda ) + \left| \widehat{\mathsf {ct}} \right| $, where $\widehat{\mathsf {ct}}= \{ (i, \mathsf {abe{.}ct}_i) \}_{i \in \mathcal {J}_{\mathcal {L}}}$ is an encryption of k using $\varPi _{\mathsf {RPE}}$. By construction, $\widehat{\mathsf {ct}}$ consists of $\left| \mathcal {J}_{\mathcal {L}} \right| $ ABE ciphertexts, where $\mathcal {J}_{\mathcal {L}} \leftarrow \mathsf {ComputeCover}(\mathcal {L})$. By Fact 2.4, $\left| \mathcal {L} \right| = O(\left| \mathcal {L} \right| \log (N / \left| \mathcal {L} \right| )) = \left| \mathcal {L} \right| \cdot \mathsf {poly}(n)$. Finally, $\left| \mathsf {abe{.}ct}_i \right| = \left| k \right| + \ell _{\mathsf {ABE}} \cdot \mathsf {poly}(\lambda , d_{\mathsf {ABE}}, \ell _{\mathsf {ABE}}) = \mathsf {poly}(\lambda , d, n, z)$, and so
$$\begin{aligned} \left| \mathsf {ct}_{m, \mathcal {L}} \right| = \left| m \right| + \mathsf {poly}(\lambda ) + \left| \widehat{\mathsf {ct}} \right| = t + \left| \mathcal {L} \right| \cdot \mathsf {poly}(\lambda , d, n, z). \end{aligned}$$
$\square $

Remark 3.10

(Handling More General Revocation Policies). Construction 3.4 naturally supports any revocation policy that can be described by a polynomial-size cover in the underlying subset-cover set system. In particular, the prefix-based subset-cover set system by Naor et al. [NNL01] from Fact 2.4 can compute a cover that excludes any polynomial number of prefixes (in addition to full identities). For instance, we can use the set system to revoke all users whose identities start with “000” or “01” (i.e., revoke all identities of the form 000*** and 01****). This way, the number of revoked users in the set $\mathcal {L}$ can be exponential, as long as they can be described by a polynomial-number of prefix-based clusters. Correspondingly, the traitor tracing scheme we construct in Sect. 4 will also support these types of revocation policies.

4 Identity-Based Trace-and-Revoke

In this section, we describe how to construct an identity-based trace-and-revoke scheme using a secret-key revocable predicate encryption scheme with broadcast (Definition 3.1). We begin by recalling the formal definition of a trace-and-revoke scheme. Our definitions are adapted from the corresponding ones in [BW06, NWZ16]. As we discuss in greater detail in Remark 4.2, our definition combines aspects of both definitions and is strictly stronger than both of the previous notions.

Definition 4.1

(Trace-and-Revoke [NWZ16, adapted]). A trace-and-revoke scheme for a set of identities $\mathcal {ID}$ and a message space $\mathcal {M}$ is a tuple of algorithms $\varPi _{\mathsf {TR}}= (\mathsf {Setup}, \mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Dec}, \mathsf {Trace})$ defined as follows:

$\mathsf {Setup}(1^\lambda ) \rightarrow (\mathsf {pp}, \mathsf {msk})$: On input the security parameter $\lambda $, the setup algorithm outputs the public parameters $\mathsf {pp}$ and the master secret key $\mathsf {msk}$.
$\mathsf {KeyGen}(\mathsf {msk}, \mathsf {id}) \rightarrow \mathsf {sk}_{\mathsf {id}}$: On input the master secret key $\mathsf {msk}$ and an identity $\mathsf {id}\in \mathcal {ID}$, the key-generation algorithm outputs a secret key $\mathsf {sk}_{\mathsf {id}}$.
$\mathsf {Enc}(\mathsf {pp}, m, \mathcal {L}) \rightarrow \mathsf {ct}_{m, \mathcal {L}}$: On input the public parameters $\mathsf {pp}$, a message $m \in \mathcal {M}$, and a list of revoked users $\mathcal {L}\subseteq \mathcal {ID}$, the encryption algorithm outputs a ciphertext $\mathsf {ct}_{m,\mathcal {L}} $.
$\mathsf {Dec}(\mathsf {sk}, \mathsf {ct}) \rightarrow m/\bot $: On input a decryption key $\mathsf {sk}$ and a ciphertext $\mathsf {ct}$, the decryption algorithm either outputs a message $m \in \mathcal {M}$ or a special symbol $\bot $.
$\mathsf {Trace}^{\mathcal {D}}(\mathsf {msk}, m_0, m_1, \mathcal {L}, \varepsilon ) \rightarrow \mathsf {id}/\bot $: On input the master secret key $\mathsf {msk}$, two messages $m_0, m_1 \in \mathcal {M}$, a revocation list $\mathcal {L}\subseteq \mathcal {ID}$, a decoder-success parameter $\varepsilon > 0$, and assuming oracle access to a decoder algorithm $\mathcal {D}$, the tracing algorithm either outputs an identity $\mathsf {id}\in \mathcal {ID}$ or $\bot $.

Moreover, a trace-and-revoke scheme should satisfy the following properties:

Correctness: For all messages $m \in \mathcal {M}$, all identities $\mathsf {id}\in \mathcal {ID}$, and all revocation lists $\mathcal {L}\subseteq \mathcal {ID}$ where $\mathsf {id}\notin \mathcal {L}$, if we set $(\mathsf {pp}, \mathsf {msk}) \leftarrow \mathsf {Setup}(1^\lambda )$, $\mathsf {sk}_\mathsf {id}\leftarrow \mathsf {KeyGen}(\mathsf {msk}, \mathsf {id})$, and $\mathsf {ct}_{m, \mathcal {L}} \leftarrow \mathsf {Enc}(\mathsf {pp}, m, \mathcal {L})$, then
$$\begin{aligned} \Pr [\mathsf {Dec}(\mathsf {sk}_{\mathsf {id}}, \mathsf {ct}_{m, \mathcal {L}}) = m] = 1 - \mathsf {negl}(\lambda ). \end{aligned}$$
Semantic Security: For a bit $b \in \{0,1\}$, we define the security experiment $\mathsf {ExptTR}_{\mathsf {SS}}[\lambda , \mathcal {A}, b]$ between a challenger and an adversary $\mathcal {A}$. The challenger begins by sampling $(\mathsf {pp}, \mathsf {msk}) \leftarrow \mathsf {Setup}(1^\lambda )$ and gives $\mathsf {pp}$ to $\mathcal {A}$. The adversary is then given access to the following oracles:
- Key-generation oracle. On input an identity $\mathsf {id}\in \mathcal {ID}$, the challenger replies with $\mathsf {sk}_{\mathsf {id}} \leftarrow \mathsf {KeyGen}(\mathsf {msk}, \mathsf {id})$.
- Challenge oracle. On input two messages $m_0, m_1 \in \mathcal {M}$ and a revocation list $\mathcal {L}\subseteq \mathcal {ID}$, the challenger replies with $\mathsf {ct}_b \leftarrow \mathsf {Enc}(\mathsf {pp}, m_b, \mathcal {L})$.
At the end of the game, the adversary outputs a bit $b' \in \{0,1\}$, which is the output of the experiment. An adversary $\mathcal {A}$ is admissible for the semantic security game if it makes a single challenge query $(m_0, m_1, \mathcal {L})$, and moreover, for all key-generation queries $\mathsf {id}$ the adversary makes, $\mathsf {id}\in \mathcal {L}$. We say that $\varPi _{\mathsf {TR}}$ is semantically secure if for all efficient and admissible adversaries $\mathcal {A}$,
$$\begin{aligned} \left| \Pr [ \mathsf {ExptTR}_{\mathsf {SS}}[\lambda , \mathcal {A}, 0] = 1 ] - \Pr [ \mathsf {ExptTR}_{\mathsf {SS}}[\lambda , \mathcal {A}, 1] = 1 ] \right| = \mathsf {negl}(\lambda ). \end{aligned}$$
Traceability: We define the experiment $\mathsf {ExptTR}_{\mathsf {TR}}[\lambda , \mathcal {A}]$ between a challenger and an adversary $\mathcal {A}$. The challenger begins by sampling $(\mathsf {pp}, \mathsf {msk}) \leftarrow \mathsf {Setup}(1^\lambda )$ and gives $\mathsf {pp}$ to $\mathcal {A}$. The adversary is then given access to the key-generation oracle:
- Key-generation oracle. On input an identity $\mathsf {id}\in \mathcal {ID}$, the challenger replies with $\mathsf {sk}_{\mathsf {id}} \leftarrow \mathsf {KeyGen}(\mathsf {msk}, \mathsf {id})$.
At the end of the game, the adversary outputs a decoder algorithm $\mathcal {D}$, two messages $m_0, m_1 \in \mathcal {M}$, a revocation list $\mathcal {L}\subseteq \mathcal {ID}$, and a non-negligible decoder-success probability $\varepsilon > 0$. Let $\mathcal {R}\subseteq \mathcal {ID}$ be the set of identities the adversary submitted to the key-generation oracle and let $\mathsf {id}^{*}\leftarrow \mathsf {Trace}^{\mathcal {D}}(\mathsf {msk}, m_0, m_1, \mathcal {L}, \varepsilon )$. Then the output of the experiment is 1 if $\mathsf {id}^{*}\notin \mathcal {R}{\setminus } \mathcal {L}$ and 0 otherwise. We say that an adversary $\mathcal {A}$ is admissible for the traceability game if the decoder algorithm output by $\mathcal {A}$ satisfies
$$\begin{aligned} \Pr [ b \,{\mathop {\leftarrow }\limits ^{\textsc {r}}}\, \{0,1\}: \mathcal {D}(\mathsf {Enc}(\mathsf {pp}, m_b, \mathcal {L})) = b ] \ge 1/2 + \varepsilon . \end{aligned}$$
Finally, we say that $\varPi _{\mathsf {TR}}$ satisfies traceability security if for all efficient and admissible adversaries $\mathcal {A}$,
$$\begin{aligned} \Pr [ \mathsf {ExptTR}_{\mathsf {TR}}[\lambda , \mathcal {A}] = 1 ] = \mathsf {negl}(\lambda ). \end{aligned}$$

Remark 4.2

(Comparison to Previous Traceability Notions). Our notion of traceability in Definition 4.1 combines aspects of the notions considered in [BW06] and [NWZ16] and is stronger than both of these previous definitions. First, similar to [NWZ16], we only require that the decoder $\mathcal {D}$ output by $\mathcal {A}$ to be able to distinguish the encryptions of two adversarially-chosen messages. The previous notion in [BW06] made the more stringent requirement that the adversary’s decoder must correctly decrypt a noticeable fraction of ciphertexts. Thus, our definitions enable tracing for much weaker decoders. Next, and similar to [BW06], our tracing definition naturally incorporates revocation. Namely, if an adversary constructs a decoder that is able to distinguish encryptions of two messages with respect to a revocation list $\mathcal {L}$, then the tracing algorithm must identify a compromised key that is outside $\mathcal {L}$. In contrast, the definition in [NWZ16] only considered tracing in a standalone setting: namely, while the scheme supports revocation, the tracing definition only considered decoders that can decrypt ciphertexts encrypted to an empty revocation list. Overall, our definition is stronger than the previous definitions and we believe provides a more realistic modeling of the security demands in applications of trace-and-revoke systems.

Remark 4.3

(Adaptive Security). We note that all of the security requirements in Definition 4.1 are adaptive: namely, the adversary chooses its challenge messages and revocation list after seeing the public parameters and (adaptively-chosen) secret decryption keys. Our final construction is fully adaptive (Construction 4.4, Corollary 4.8), but we do rely on complexity leveraging and sub-exponential hardness assumptions. We remark here that a selective notion of security where the adversary commits to its revocation list ahead of time does not seem to directly imply adaptive security by the usual complexity leveraging technique [BB04] unless we additionally impose an a priori bound on the size of the revocation list (which we do not require in our analysis). It is an interesting problem to construct a fully collusion resistant trace-and-revoke scheme for arbitrary identities from standard polynomial hardness assumptions.

4.1 Constructing an Identity-Based Trace-and-Revoke Scheme

Our construction follows the general high-level schema as that by Nishimaki et al. [NWZ16], except our construction is secretly-traceable (but will provide full collusion resistance). Very briefly, we use a secret-key revocable predicate encryption scheme to embed an instance of the generalized jump-finding problem (Definition 2.5) where the position of the “jumps” correspond to non-revoked keys. The tracing algorithm relies on the generalized jump-finding algorithm (Theorem 2.6) to identify the compromised keys. We give our construction below.

Construction 4.4

(Identity-Based Trace-and-Revoke). Let $\mathcal {ID}= \{0,1\}^n$ be the identity space and let $\mathcal {M}$ be a message space. We additionally rely on the following primitives:

Let $H :\mathcal {K}\times \mathcal {ID}\rightarrow [2^\ell ]$ be a keyed collision-resistant hash function.
Let $\mathcal {ID}_0 = [2^{\ell + 1}]$. For a pair $(i, u) \in [n] \times [0, 2^{\ell + 1}]$, define the function $f_{i, u} :\mathcal {ID}_0^n \rightarrow \{0,1\}$ to be the function that takes as input $v = (v_1, \ldots , v_n)$, where each $v_i \in \mathcal {ID}_0$, and outputs 1 if $v_i \le u$ and 0 otherwise. When $u = 0$, $f_{i, u}(v) = 0$ for all $i \in [n]$ and $v \in \mathcal {ID}_0^n$. Similarly, when $u = 2^{\ell +1}$, $f_{i, u}(v) = 1$ for all $i \in [n]$ and $v \in \mathcal {ID}_0^n$. We will use a canonical “all-zeroes” function to represent $f_{i, 0}$ and a canonical “all-ones” function to represent $f_{i,2^{\ell +1}}$ for all $i \in [n]$.
Let $\varPi _{\mathsf {RPE}}= (\mathsf {RPE}{.}\mathsf {Setup}, \mathsf {RPE}{.}\mathsf {KeyGen}, \mathsf {RPE}{.}\mathsf {Broadcast}, \mathsf {RPE}{.}\mathsf {Enc}, \mathsf {RPE}{.}\mathsf {Dec})$ be a secret-key revocable predicate encryption scheme with broadcast with attribute space $\mathcal {ID}_0^n$, label space $[2^\ell ]$, message space $\mathcal {M}$, and function space $\mathcal {F}= \{ i \in [n], u \in [0, 2^{\ell + 1}] : f_{i, u} \}$.

We construct a trace-and-revoke scheme $\varPi _{\mathsf {TR}}= (\mathsf {Setup}, \mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Dec}, \mathsf {Trace})$ with identity space $\mathcal {ID}$ and message space $\mathcal {M}$ as follows:

$\mathsf {Setup}(1^\lambda )$: On input the security parameter $\lambda $, the setup algorithm samples a key $\mathsf {hk}\,{\mathop {\leftarrow }\limits ^{\textsc {r}}}\, \mathcal {K}$, parameters $(\mathsf {rpe}{.}\mathsf {pp}, \mathsf {rpe}{.}\mathsf {msk}) \leftarrow \mathsf {RPE}{.}\mathsf {Setup}(1^\lambda )$, and outputs
$$\begin{aligned} \mathsf {pp}= (\mathsf {hk}, \mathsf {rpe}{.}\mathsf {pp}) \quad \text {and} \quad \mathsf {msk}= (\mathsf {hk}, \mathsf {rpe}{.}\mathsf {msk}). \end{aligned}$$
$\mathsf {KeyGen}(\mathsf {msk}, \mathsf {id})$: On input the master secret key $\mathsf {msk}= (\mathsf {hk}, \mathsf {rpe}{.}\mathsf {msk})$ and an identity $\mathsf {id}= (\mathsf {id}_1, \ldots , \mathsf {id}_n) \in \mathcal {ID}$, the key-generation algorithm computes $s_\mathsf {id}\leftarrow H(\mathsf {hk}, \mathsf {id})$ and defines the vector $v_\mathsf {id}= (2s_\mathsf {id}- \mathsf {id}_1, \ldots , 2s_\mathsf {id}- \mathsf {id}_n) \in \mathcal {ID}_0^n$. It outputs $\mathsf {sk}_{\mathsf {id}} \leftarrow \mathsf {RPE}{.}\mathsf {KeyGen}(\mathsf {rpe}{.}\mathsf {msk}, s_\mathsf {id}, v_\mathsf {id})$.
$\mathsf {Enc}(\mathsf {pp}, m, \mathcal {L})$: On input the public parameters $\mathsf {pp}= (\mathsf {hk}, \mathsf {rpe}{.}\mathsf {pp})$, a message m, and a revocation list $\mathcal {L}\subseteq \mathcal {ID}$, the encryption algorithm first constructs a new list $\mathcal {L}' \subseteq \{0,1\}^\ell $ where $\mathcal {L}' = \{ \mathsf {id}\in \mathcal {L}: H(\mathsf {hk}, \mathsf {id}) \}$. Then, it outputs $\mathsf {ct}_{m, \mathcal {L}} \leftarrow \mathsf {RPE}{.}\mathsf {Broadcast}(\mathsf {rpe}{.}\mathsf {pp}, m, \mathcal {L}')$.
$\mathsf {Dec}(\mathsf {sk}, \mathsf {ct})$: On input a secret key $\mathsf {sk}$ and a ciphertext $\mathsf {ct}$, the decryption algorithm outputs $m \leftarrow \mathsf {RPE}{.}\mathsf {Dec}(\mathsf {sk}, \mathsf {ct})$.
$\mathsf {Trace}^{\mathcal {D}}(\mathsf {msk}, m_0, m_1, \mathcal {L}, \varepsilon )$: On input the decryption oracle $\mathcal {D}$, the master secret key $\mathsf {msk}= (\mathsf {hk}, \mathsf {rpe}{.}\mathsf {msk})$, messages $m_0, m_1 \in \mathcal {M}$, a revocation list $\mathcal {L}\subseteq \mathcal {ID}$, and a success probability $\varepsilon $, the tracing algorithm begins by constructing the set $\mathcal {L}' \subseteq \{0,1\}^\ell $ where $\mathcal {L}' = \{ \mathsf {id}\in \mathcal {L}: H(\mathsf {hk}, \mathsf {id}) \}$. It then defines the following randomized oracle Q (Fig. 1): Let $q = 1$, set $\delta _q = \varepsilon / (9 + 4(\ell - 1) q)$, and compute $\mathcal {T}_q \leftarrow \mathsf {QTrace}^Q(\lambda , 2^\ell , n, q, \delta _q, \varepsilon )$. If $\mathcal {T}_q$ is non-empty, take any element $(s_\mathsf {id}, \mathsf {id}_1, \ldots , \mathsf {id}_n) \in \mathcal {T}_q$, and output $\mathsf {id}= (\mathsf {id}_1, \ldots , \mathsf {id}_n) \in \mathcal {ID}$. Otherwise, update $q \leftarrow 2q$ and repeat this procedure.^{Footnote 4}

Correctness and Security Analysis. We now show that $\varPi _{\mathsf {TR}}$ from Construction 4.4 satisfies correctness, semantic security, and traceability. We state the main theorems below, but defer their formal proofs to the full version of this paper [KW19a]. The analysis proceeds similarly to the corresponding analysis from [NWZ16], except we operate in the secret-traceability setting. The main challenge in the secret-key setting is that when the adversary in the traceability game outputs a pirate decoder, the reduction algorithm cannot easily tell whether the decoder is “useful” or not (where a “useful” decoder is one that can be leveraged to break the security of the underlying secret-key revocable predicate encryption scheme). The analysis in [NWZ16] solves this problem by having the reduction algorithm sample ciphertexts of its own and observe the decoder’s behavior on those ciphertexts. In this way, the reduction is able to estimate the decoder’s distinguishing advantage and identify whether the adversary produced a good decoder or not. In the secret-key setting, the reduction cannot sample ciphertexts of its own and as such, it cannot estimate the decoder’s success probability. To solve this problem, we adopt the approach taken in [GKW18] and allow the reduction algorithm to make a single encryption query to the secret-key predicate encryption scheme. Using the same type of analysis as in [GKW18], we then show that with just a single encryption query, the reduction can leverage the decoder output by the traceability adversary to break security of the underlying predicate encryption scheme. The full analysis is provided in the full version of this paper [KW19a].

Theorem 4.5

(Correctness). If H is collision-resistant and $\varPi _{\mathsf {RPE}}$ is correct, then $\varPi _{\mathsf {TR}}$ from Construction 4.4 is correct.

Theorem 4.6

(Semantic Security). If $\varPi _{\mathsf {RPE}}$ satisfies broadcast security and message hiding (without encryption queries), then $\varPi _{\mathsf {TR}}$ from Construction 4.4 is semantically secure.

Theorem 4.7

(Traceability). If H is collision-resistant and $\varPi _{\mathsf {RPE}}$ satisfies non-adaptive 1-query message hiding security, non-adaptive 1-query function hiding, and non-adaptive 1-query broadcast security, then $\varPi _{\mathsf {TR}}$ is traceable. In particular, the tracing algorithm $\mathsf {Trace}$ is efficient.

4.2 Instantiating the Trace-and-Revoke Scheme

In this section, we describe our instantiation of our resulting trace-and-revoke scheme using the secret-key revocable predicate encryption scheme from Sect. 3.1 (Construction 3.4, Corollary 3.9). In particular, combining Construction 4.4 with Theorems 4.5 through 4.7 yields the following corollary:

Corollary 4.8

(Identity-Based Trace-and-Revoke from LWE). Assuming sub-exponential hardness of LWE (with a super-polynomial modulus-to-noise ratio), there exists a fully secure identity-based trace-and-revoke scheme with identity space $\mathcal {ID}= \{0,1\}^n$ and message space $\mathcal {M}= \{0,1\}^t$ with the following properties:

Public parameter size: $\left| \mathsf {pp} \right| = n \cdot \mathsf {poly}(\lambda , \log n)$.
Secret key size: The secret key $\mathsf {sk}_\mathsf {id}$ for an identity $\mathsf {id}\in \{0,1\}^n$ has size $\mathsf {sk}_{\mathsf {id}} = n \cdot \mathsf {poly}(\lambda , \log n)$.
Ciphertext size: An encryption $\mathsf {ct}_{m, \mathcal {L}}$ of a message $m \in \{0,1\}^t$ with respect to a revocation list $\mathcal {L}$ has size $\mathsf {ct}_{m, \mathcal {L}} = t + \left| \mathcal {L} \right| \cdot \mathsf {poly}(\lambda , \log n)$.

Proof

The claim follows by instantiating Construction 4.4 with the following primitives:

We can instantiate the collision-resistant hash function H with the standard SIS-based collision-resistant hash function [Ajt96, GGH96]. In this case, the hash key $\mathsf {hk}$ has size $\left| \mathsf {hk} \right| = \mathsf {poly}(\lambda )$ and the output length of the hash function is also $\ell = \mathsf {poly}(\lambda )$.
We instantiate the secret-key revocable predicate encryption scheme with broadcast $\varPi _{\mathsf {RPE}}$ with the construction from Corollary 3.9. For $i \in [n]$ and $u \in [0, 2^{\ell +1}]$, the description length z of the functions $f_{i,u} \in \mathcal {F}$ satisfies
$$\begin{aligned} z = \left| i \right| + \left| u \right| \le \log n + \ell + 3 = \mathsf {poly}(\lambda , \log n). \end{aligned}$$
Moreover, each function $f_{i, u}$ is computing a comparison on $\ell $-bit values and selecting one out of the n components of the vector. This can be computed by a Boolean circuit with depth $d = \mathsf {poly}(\lambda , \log n)$—$\mathsf {poly}(\lambda )$ for the comparison and $\mathsf {poly}(\log n)$ to select the element to compare. Finally, the identity-space for the underlying revocable predicate encryption scheme is $\mathcal {ID}_0 = [2^{\ell + 1}]$ and the attribute space is $\mathcal {ID}_0^n$.

We now verify the parameter sizes for the resulting construction:

Public parameters size: The public parameters $\mathsf {pp}$ consists of the hash key $\mathsf {hk}$ and the public parameters $\mathsf {rpe}{.}\mathsf {pp}$ for the revocable predicate encryption scheme. Thus,
$$ \left| \mathsf {pp} \right| = \left| \mathsf {hk} \right| + \left| \mathsf {rpe}{.}\mathsf {pp} \right| = \mathsf {poly}(\lambda ) + n \ell \cdot \mathsf {poly}(\lambda , d, \ell , z) = n \cdot \mathsf {poly}(\lambda , \log n). $$
Secret key size: The secret key $\mathsf {sk}_\mathsf {id}$ for an identity $\mathsf {id}\in \{0,1\}^n$ consists of a secret key for the underlying revocable predicate encryption scheme. By Corollary 3.9, we have that $\left| \mathsf {sk}_\mathsf {id} \right| = n \ell + \mathsf {poly}(\lambda , d, \ell , z) = n \cdot \mathsf {poly}(\lambda , \log n)$.
Ciphertext size: The ciphertext $\mathsf {ct}_{m, \mathcal {L}}$ for a message $m \in \{0,1\}^t$ with respect to a revocation list $\mathcal {L}$ consists of a ciphertext for the underlying revocable predicate encryption scheme. By Corollary 3.9,
$$ \left| \mathsf {ct}_{m, \mathcal {L}} \right| = t + \left| \mathcal {L} \right| \cdot \mathsf {poly}(\lambda , d, \ell , z) = t + \left| \mathcal {L} \right| \cdot \mathsf {poly}(\lambda , \log n). $$
$\square $

Notes

1.
This property follows from the usual index-hiding security game by a standard hybrid argument when the indices are drawn from a polynomial-size space, but not when the indices are drawn from an exponentially-large one.
2.
The recent work of Goyal et al. [GQWW19] introduces a notion of broadcast mixed FE that supports a succinct public broadcast to a restricted set of identities (of polynomial size). The notion we develop in this work supports an exponential-sized identity space, but in a non-succinct manner (i.e., the ciphertext size scales linearly with the size of the revocation list).
3.
While the notion of attribute-based mixed FE from [CVW+18] seems like it would also provide this functionality, this revocation approach only preserves the message hiding property and not the mixed FE attribute hiding property of the underlying attribute-based mixed FE scheme. For our trace-and-revoke scheme, we require both message hiding and attribute hiding (which we refer to as “function hiding”). Obtaining the latter property seemingly requires a way to revoke mixed FE decryption keys.
4.
We will argue in the proof of Theorem 4.7 that this algorithm will terminate with overwhelming probability. Alternatively, we can set an upper bound on the maximum number of iterations $q_{\mathsf {max}}$. In this case, the tracing algorithm succeeds as long as the total number of keys issued is bounded by $2^{q_{\mathsf {max}}}$. Note that this is not an a priori bound on the number of keys that can be issued, just a bound on the number of iterations on which to run the tracing algorithm, which can be a flexible parameter (independent of other scheme parameters).

References

Agrawal, S., Bhattacherjee, S., Phan, D.H., Stehlé, D., Yamada, S.: Efficient public trace and revoke from standard assumptions: extended abstract. In: ACM CCS, pp. 2277–2293 (2017)
Google Scholar
Ananth, P., Jain, A., Sahai, A.: Indistinguishability obfuscation for turing machines: constant overhead and amortization. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 252–279. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_9
Chapter Google Scholar
Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: STOC, pp. 99–108 (1996)
Google Scholar
Ananth, P., Sahai, A.: Functional encryption for turing machines. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 125–153. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_6
Chapter Google Scholar
Boneh, D., Boyen, X.: Efficient selective-id secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_14
Chapter Google Scholar
Boneh, D., et al.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_30
Chapter Google Scholar
Barak, B., et al.: On the (im)possibility of obfuscating programs. J. ACM 59(2), 6:1–6:48 (2012)
Article MathSciNet Google Scholar
Boneh, D., Naor, M.: Traitor tracing with constant size ciphertext. In: ACM CCS, pp. 501–510 (2008)
Google Scholar
Billet, O., Phan, D.H.: Traitors collaborating in public: pirates 2.0. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 189–205. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_11
Chapter MATH Google Scholar
Boneh, D., Sahai, A., Waters, B.: Fully collusion resistant traitor tracing with short ciphertexts and private keys. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 573–592. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_34
Chapter Google Scholar
Boneh, D., Waters, B.: A fully collusion resistant broadcast, trace, and revoke system. In: ACM CCS, pp. 211–220 (2006)
Google Scholar
Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_29
Chapter Google Scholar
Chor, B., Fiat, A., Naor, M.: Tracing traitors. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 257–270. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_25
Chapter Google Scholar
Chor, B., Fiat, A., Naor, M., Pinkas, B.: Tracing traitors. IEEE Trans. Inf. Theory 46(3), 893–910 (2000)
Article Google Scholar
Cohen, A., Holmgren, J., Nishimaki, R., Vaikuntanathan, V., Wichs, D.: Watermarking cryptographic capabilities. In: STOC, pp. 1115–1127 (2016)
Google Scholar
Chen, Y., Vaikuntanathan, V., Waters, B., Wee, H., Wichs, D.: Traitor-tracing from LWE made simple and attribute-based. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 341–369. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_13
Chapter Google Scholar
Dodis, Y., Fazio, N.: Public key broadcast encryption for stateless receivers. In: Feigenbaum, J. (ed.) DRM 2002. LNCS, vol. 2696, pp. 61–80. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-44993-5_5
Chapter Google Scholar
Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 480–491. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_40
Chapter Google Scholar
Goldreich, O., Goldwasser, S., Halevi, S.: Collision-free hashing from lattice problems. IACR Cryptology ePrint Archive 1996/9 (1996)
Google Scholar
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS, pp. 40–49 (2013)
Google Scholar
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions (extended abstract). In: FOCS, pp. 464–479 (1984)
Google Scholar
Goyal, R., Kim, S., Manohar, N., Waters, B., Wu, D.J.: Watermarking public-key cryptographic primitives. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 367–398. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_12
Chapter Google Scholar
Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: STOC, pp. 555–564 (2013)
Google Scholar
Garg, S., Kumarasubramanian, A., Sahai, A., Waters, B.: Building efficient fully collusion-resilient traitor tracing and revocation schemes. In: ACM CCS, pp. 121–130 (2010)
Google Scholar
Goyal, R., Koppula, V., Waters, B.: Collusion resistant traitor tracing from learning with errors. In: STOC, pp. 660–670 (2018)
Google Scholar
Goyal, R., Koppula, V., Waters, B.: New approaches to traitor tracing with embedded identities. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 149–179. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_6
Chapter Google Scholar
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: ACM CCS, pp. 89–98 (2006)
Google Scholar
Goyal, R., Quach, W., Waters, B., Wichs, D.: Broadcast and trace with $N^{\varepsilon }$ ciphertext size from standard assumptions. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 826–855. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_27
Chapter Google Scholar
Garg, S., Srinivasan, A.: A simple construction of iO for turing machines. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 425–454. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_16
Chapter MATH Google Scholar
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multi-party computation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 162–179. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_11
Chapter Google Scholar
Goyal, R., Vusirikala, S., Waters, B.: Collusion resistant broadcast and trace from positional witness encryption. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 3–33. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_1
Chapter Google Scholar
Halevy, D., Shamir, A.: The LSD broadcast encryption scheme. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 47–60. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_4
Chapter Google Scholar
Kurosawa, K., Desmedt, Y.: Optimum traitor tracing and asymmetric schemes. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 145–157. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054123
Chapter Google Scholar
Koppula, V., Lewko, A.B., Waters, B.: Indistinguishability obfuscation for turing machines with unbounded memory. In: STOC, pp. 419–428 (2015)
Google Scholar
Kiayias, A., Pehlivanoglu, S.: Pirate evolution: how to make the most of your traitor keys. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 448–465. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_25
Chapter Google Scholar
Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_9
Chapter Google Scholar
Kiayias, A., Tang, Q.: Traitor deterring schemes: using bitcoin as collateral for digital content. In: ACM CCS, pp. 231–242 (2015)
Google Scholar
Kim, S., Wu, D.J.: Watermarking cryptographic functionalities from standard lattice assumptions. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 503–536. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_17
Chapter Google Scholar
Kim, S., David, J.W.: Collusion resistant trace-and-revoke for arbitrary identities from standard assumptions. IACR Cryptol. ePrint Arch. 2019/984 (2019)
Google Scholar
Kim, S., Wu, D.J.: Watermarking PRFs from lattices: stronger security via extractable PRFs. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 335–366. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_11
Chapter Google Scholar
Ling, S., Phan, D.H., Stehlé, D., Steinfeld, R.: Hardness of $k$-LWE and applications in traitor tracing. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 315–334. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_18
Chapter MATH Google Scholar
Naor, D., Naor, M., Lotspiech, J.: Revocation and tracing schemes for stateless receivers. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 41–62. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_3
Chapter Google Scholar
Naor, M., Pinkas, B.: Threshold traitor tracing. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 502–517. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055750
Chapter Google Scholar
Naor, M., Pinkas, B.: Efficient trace and revoke schemes. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 1–20. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45472-1_1
Chapter Google Scholar
Nishimaki, R., Wichs, D., Zhandry, M.: Anonymous traitor tracing: how to embed arbitrary information in a key. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 388–419. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_14
Chapter MATH Google Scholar
Quach, W., Wichs, D., Zirdelis, G.: Watermarking PRFs under standard assumptions: public marking and security with extraction queries. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 669–698. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_24
Chapter Google Scholar
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC, pp. 84–93 (2005)
Google Scholar
Shi, E., Bethencourt, J., Chan, H.T.-H., Song, D.X., Perrig, A.: Multi-dimensional range query over encrypted data. In: IEEE S&P, pp. 350–364 (2007)
Google Scholar
Sahai, A., Seyalioglu, H.: Worry-free encryption: functional encryption with public keys. In: ACM CCS, pp. 463–472 (2010)
Google Scholar
Staddon, J., Stinson, D.R., Wei, R.: Combinatorial properties of frameproof and traceability codes. IEEE Trans. Inf. Theory 47(3), 1042–1049 (2001)
Article MathSciNet Google Scholar
Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27
Chapter Google Scholar

Download references

Acknowledgments

We thank Ahmadreza Rahimi for helpful discussions on this work and the anonymous reviewers for useful suggestions on improving the exposition. S. Kim is supported by NSF, DARPA, a grant from ONR, and the Simons Foundation. D. J. Wu is supported by NSF CNS-1917414 and a University of Virginia SEAS Research Innovation Award. Opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of DARPA.

Author information

Authors and Affiliations

Stanford University, Stanford, CA, USA
Sam Kim
University of Virginia, Charlottesville, VA, USA
David J. Wu

Authors

Sam Kim
View author publications
You can also search for this author in PubMed Google Scholar
David J. Wu
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Sam Kim or David J. Wu .

Editor information

Editors and Affiliations

Network Security Research Institute (NICT), Tokyo, Japan
Shiho Moriai
Nanyang Technological University, Singapore, Singapore
Huaxiong Wang

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Kim, S., Wu, D.J. (2020). Collusion Resistant Trace-and-Revoke for Arbitrary Identities from Standard Assumptions. In: Moriai, S., Wang, H. (eds) Advances in Cryptology – ASIACRYPT 2020. ASIACRYPT 2020. Lecture Notes in Computer Science(), vol 12492. Springer, Cham. https://doi.org/10.1007/978-3-030-64834-3_3

Download citation

DOI: https://doi.org/10.1007/978-3-030-64834-3_3
Published: 05 December 2020
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-64833-6
Online ISBN: 978-3-030-64834-3
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

Collusion Resistant Trace-and-Revoke for Arbitrary Identities from Standard Assumptions

Abstract

Similar content being viewed by others

Key-Leakage Resilient Revoke Scheme Resisting Pirates 2.0 in Bounded Leakage Model

Broadcast, Trace and Revoke with Optimal Parameters from Polynomial Hardness

Traceable PRFs: Full Collusion Resistance and Active Security

1 Introduction

Theorem 1.1

1.1 Construction Overview

1.2 Related Work

2 Preliminaries

Definition 2.1

Definition 2.2

Definition 2.3

Fact 2.4

Definition 2.5

Theorem 2.6

Remark 2.7

2.1 Functional Encryption

Definition 2.8

3 Revocable Predicate Encryption

Definition 3.1

Remark 3.2

Remark 3.3

3.1 Constructing Secret-Key Revocable Predicate Encryption with Broadcast

Construction 3.4

Theorem 3.5

Theorem 3.6

Theorem 3.7

Theorem 3.8

3.2 Instantiating Secret-Key Revocable Predicate Encryption with Broadcast

Corollary 3.9

Proof

Remark 3.10

4 Identity-Based Trace-and-Revoke

Definition 4.1

Remark 4.2

Remark 4.3

4.1 Constructing an Identity-Based Trace-and-Revoke Scheme

Construction 4.4

Theorem 4.5

Theorem 4.6

Theorem 4.7

4.2 Instantiating the Trace-and-Revoke Scheme

Corollary 4.8

Proof

Notes

References

Acknowledgments

Author information

Authors and Affiliations

Corresponding authors

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation