Black-Box Trace&Revoke Codes

Abstract

We address the problem of designing an efficient broadcast encryption scheme which is also capable of tracing traitors. We introduce a code framework to formalize the problem. Then, we give a probabilistic construction of a code which supports both traceability and revocation. Given N users with at most r revoked users and at most t traitors, our code construction gives rise to a Trace&Revoke system with private keys of size O((r+t)logN) (which can also be reduced to constant size based on an additional computational assumption), ciphertexts of size O((r+t)logN), and O(1) decryption time. Our scheme can deal with certain classes of pirate decoders, which we believe are sufficiently powerful to capture practical pirate strategies.

In particular, our code construction is based on a combinatorial object called (r,s)-disjunct matrix, which is designed to capture both the classic traceability notion of disjunct matrix and the new requirement of revocation capability. We then probabilistically construct (r,s)-disjunct matrices which help design efficient Black-Box Trace&Revoke systems. For dealing with “smart” pirates, we introduce a tracing technique called “shadow group testing” that uses (close to) legitimate broadcast signals for tracing. Along the way, we also proved several bounds on the number of queries needed for black-box tracing under different assumptions about the pirate’s strategies.

Appendix A: Definitions

1.1 A.1 Basic Definition

Definition 36

(Broadcast Encapsulation)

A broadcast encapsulation scheme is a 3-tuple of algorithms \(\mathcal{DBE}= (\textsf{Setup}, \textsf{Encaps}, \textsf{Decaps})\):

• Setup(1^k,N), where k is the security parameter, and N the number of users, it generates the global parameters param of the system (omitted in the following); and returns a master secret key MSK and an encryption key EK. It also generates users’ keys upk _i , for i=1,…,N.

• Encaps(EK,R) takes as input a revoked set R and outputs a key header H and a session key K∈{0,1}^k.

• Decaps(usk _i ,R,H) takes as input the revoked set R and a user secret key. If i∈[N]−R, outputs the session key K.

The correctness requirement is that for any revoked set R and for any user i∈[N]−R then the decapsulation algorithm gives back the ephemeral session key.

Definition 37

(Trace&Revoke Encapsulation)

A trace&revoke encapsulation scheme is a broadcast encapsulation scheme with an additional tracing algorithm \({\mathbf{Trace}}^{\mathbb{D}}(R_{\mathbb{D}}, \textsf{pk} ,\textsf{msk})\): the traitor tracing algorithm interacts in a black-box manner with a pirate decoder \(\mathbb{D}\) that is built from a certain set T of traitors. The algorithm takes as input a subset \(R_{\mathbb{D}}\subset[N]\) (could be adversarially chosen), the public key pk, the master key msk and outputs a set \(T_{\mathbb{D}} \subseteq[N]\).

More precisely, under the conditions:

• there are at most t traitors: |T|≤t;

• The minimal revoked set does not contain all the traitors: \(T \not\subseteq R_{\mathbb{D}}\), or equivalently \(S_{\mathbb{D}}= ([N] - R_{\mathbb{D}})\) contains at least a traitor;

• \(\mathbb{D}\) is “efficient” to decrypt ciphertexts (i.e., decrypts with some non-negligible probability) for some revoked sets R that include the minimal revoked set \(R_{\mathbb{D}}\) but do not contain all the traitors (\(R_{\mathbb{D}}\subseteq R\) but T⊈R);

then the tracing algorithm outputs at least a traitor in \(S_{\mathbb{D}}\), i.e., : \(\emptyset\neq T_{\mathbb{D}}\subseteq T \cap S_{\mathbb{D}}\).

Definition 38

(Public-Key Encryption Scheme)

\(\mathcal{PKE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc}, \textsf{Dec})\):

• Setup(1^k), where k is the security parameter, generates the global parameters param of the system;

• KeyGen(param) generates a pair of keys, the public (encryption) key ek and the associated private (decryption) key dk;

• Enc(ek,m;r) produces a ciphertext c on the input message m and the public key ek, using the random coins r (we may omit r when the notation is obvious);

• Dec(dk,c) decrypts the ciphertext c under the private key dk. It outputs the plaintext, or ⊥ if the ciphertext is invalid.

Definition 39

(Secret Sharing Scheme)

\(\mathcal{SSS}= (\textsf{Share}, \textsf{Combine})\):

• Share(k,m,n), outputs a secret bit string K of length k, as well as n shares s ₁,…,s _n , so that any m of them will allow to recover K.

• Combine({(i,s _i )}), from m pairs (i,s _i ), it recovers the bit string K.

The correctness requirement is that from any m-subset of {(i,s _i )} generated by Share(k,m,n), the Combine algorithm outputs the bit string K generated by Share. Furthermore, the bit string K must be perfectly uniformly distributed.

Definition 40

(Constant Size Private Key)

Suppose there exists an algorithm that generates 1-Conjunction (r,s)-Revocable (ℓ,N)-Code.We build a BE scheme Π that can revoke up to r users in the following way.

• Setup(1^λ,N)

  1. 1.

     Run the Code generating algorithm on (N,r,d) to obtain a 1-Conjunction (r,s)-Revocable (ℓ,N)-Code Γ.

  2. 2.

     Generate two large primes of the same size p,q and publish M=pq

  3. 3.

     Generate ℓ pairs \((\textsf{dk}_{i}, \textsf{ek}_{i}), i\hspace{-0.5pt}=\hspace{-0.5pt}1,\ldots ,\ell\) such that \(e_{k} d_{k} \hspace{-0.5pt}=\hspace{-0.5pt}1\ (\operatorname{mod}(p-1)(q-1))\);

  4. 4.

     Choose a random \(X \stackrel{\$}{\leftarrow}\mathbb{Z}^{*}_{M}\)

  5. 5.

     Set MSK=(Γ,X,{dk _i }), EK=(N,{ek _i }), and Reg=∅.

• Join(MSK,i)

  1. 1.

     The user i is associated with the codeword w ⁱ∈Γ.

  2. 2.

     Set \(\textsf{usk}_{i} \leftarrow X^{\prod_{j=1}^{\ell}\textsf {dk}_{j}^{w^{i}_{j}}} ; \textsf{upk}_{i} \leftarrow i\); Reg←Reg∪{i}.

• Encaps(EK,R):

  1. 1.

     The revoked set R should contain at most r users;

  2. 2.

     Because Γ is 1-conjunction (r,s)-revocable, one can find out an word c such that D ₁(R,c)=0 and D ₁(u,c)=1 for any u∈[N]−R, and m=H(c)≤d.

  3. 3.

     Denote by i ₁,…,i _m the positions of m bits 1 in c, i.e., \(c_{i_{j}} =1\), for j=1,…,m

  4. 4.

     Set \(e_{i_{j}} = X^{\textsf{dk}_{i_{j}}}\), for j=1,…,m.

  5. 5.

     Output \(\mathcal{K}_{e}\) and \(\mathit{Header} = (c,(e_{i_{j}}), {j= 1,\dots,m})\).

• Decaps(usk _j ,R,Header):

  1. 1.

     If j is in [N]−R, then D ₁(w ^j,c)=1. There exists thus an index 1≤z≤m such that \(c_{i_{z}} = w^{j}_{i_{z}} = 1\)

  2. 2.

     Compute \(s_{i_{z}}= \textsf{usk}_{j}^{\prod_{s=1, s \neq i_{z} }^{\ell }\textsf{ek}_{j}^{w^{i}_{s}}} \). From the \(s_{i_{z}}\), reconstruct \(\mathcal{K}_{e}\)

Definition 41

(Trace&Revoke System from 1-Conjunction Trace&Revoke Codes)

Let us be given a generator of \((r,s,\mathcal{Q},p,\delta ,t)\)-blackbox Trace&Revoke 1-Conjunction (ℓ,N)-Codes, and a secure public-key encryption scheme \(\mathcal{PKE}\). We build a Trace&Revoke encapsulation scheme Π that can revoke up to r users, and tracing traitor for a pirate decoder having up to t traitors’ keys, in the following way.

• Setup(1^λ,N)

  1. 1.

     Run the code generating algorithm on \((\mathcal{Q},N,k,r,t,s)\) to obtain an \((r,s,\mathcal{Q},p, \delta,t)\)-blackbox Trace&Revoke 1-Conjunction (ℓ,N)-Codes.

  2. 2.

     Run \(\mathcal{PKE}.\textsf{Setup}(1^{\lambda})\) to get the public parameters param for the encryption scheme;

  3. 3.

     For i=1,…,ℓ, run the key generation algorithm \(\mathcal{PKE} .\textsf{KeyGen}(\textsf{param})\) to get the pair (dk _i ,ek _i ).

  4. 4.

     Set MSK=(Γ,{dk _i }), and EK={ek _i }.

  5. 5.

     For i=1,…,N, the user i is associated with the codeword w ⁱ∈Γ: we set \(\textsf{usk}_{i} \leftarrow\{\textsf{dk}_{j} / w^{i}_{j}=1, j=1,\ldots ,\ell\}\).

• Encaps(EK,R):

  1. 1.

     For a revoked set R of size at most r, since the code Γ is efficiently (r,s)-revocable, one can find out a signal c of weight at most s, such that D ₁(u,c)=0, for any u∈F(R), and D ₁(u,c)=1 for any u∈[N]−R. We denote by m=w _H (c) this weight;

  2. 2.

     Denote by i ₁,…,i _m the positions of m 1-bits in c, i.e., \(c_{i_{j}} =1\), for j=1,…,m;

  3. 3.

     Choose a random session key \(K\stackrel{\$}{\leftarrow}\{0,1\}^{\kappa}\).

  4. 4.

     Set \(e_{i_{j}} = \mathcal{PKE}.\textsf{Enc}(\textsf {pk}_{i_{j}},K)\), for j=1,…,m.

  5. 5.

     Output K and \(H = (c,(e_{i_{j}}), {j=1,\dots,m})\).

• Decaps(usk _j ,R,H):

  1. 1.

     If j is in [N]−R, then D ₁(w ^j,c)=1. This means w _H (w ^j∧c)≥1 and there exists thus i _j in w ^j∧c

  2. 2.

     Compute \(K= \mathcal{PKE}.\textsf{Enc}(\textsf{sk}_{i_{j}},e_{i_{j}})\).

• \({\mathbf{Trace}}^{\mathbb{D}}(R_{\mathbb{D}}, \textsf{pk},\textsf {msk})\): Running the tracing algorithm for the code, each time the tracer asks a qualified query c to the pirate decoder, we do as follows: run Encaps(EK,R) but directly use the signal c (in fact, the revoked set R in this case corresponds to the set of the users that cannot decrypt c) and query the pirate decoder on the R,H. If the pirate decoder exactly recovers the session key K, we return 1 to the tracer for the code, and otherwise we return 0.