Aggelos Kiayias
ABSTRACT
We put forth a new cryptographic primitive called a Traitor Deterring Scheme (TDS). A TDS is a multi-recipient public-key encryption scheme where an authority issues decryption keys to a set of users. The distinguishing feature of a TDS is that secret-keys are issued only after the users provide some private information as a form of collateral. The traitor deterring property ensures that if a malicious coalition of users (aka "traitors") produces an unauthorized (aka "pirate") decryption device, any recipient of the device will be able to recover at least one of the traitors' collaterals with only black-box access to the device. On the other hand, honest users' collaterals are guaranteed to remain hidden. In this fashion a TDS deincentivizes malicious behavior among users.
We model, construct and analyze TDS's based on various cryptographic assumptions and we show how bitcoin can be used as collateral for real world deployment of TDS's for the distribution of digital content. Along the way, we present cryptographic building blocks that may be of independent interest, namely fuzzy lockers, and comparison predicate encryption schemes for exponentially large domains. We also compare TDS with previous primitives specifically traitor tracing schemes (TTS) introduced by Chor et al. [9] and digital signets for self enforcement introduced by Dwork et al. [12]. A TDS constitutes a strict strengthening of a TTS and, when modeled in what we call the "known ciphertext model", it is a reformulation of digital signets in the public-key, black-box secure setting. In digital signets the adversary attempts to transmit a pirate copy at a favorable "space rate", i.e., without having to send the whole plaintext (and without revealing the traitor collaterals). It is an open question from [12] to construct o(1) space rate schemes under a falsifiable assumption. With our TDS constructions we resolve this open question showing feasibility for space rates O(log λ / λ) and infeasibility for space rates Ω(log2λ/ λ).
- B. H. Bloom. Space/time trade-offs in hash coding with allowable errors. Commun. ACM, 13(7):422--426, July 1970. Google Scholar
Digital Library
- D. Boneh and M. K. Franklin. An efficient public key traitor tracing scheme. In Advances in Cryptology - CRYPTO '99, pages 338--353, 1999. Google ScholarCross Ref
- D. Boneh and M. Naor. Traitor tracing with constant size ciphertext. In ACM CCS 2008, pages 501--510. Google ScholarDigital Library
- D. Boneh, A. Sahai, and B. Waters. Fully collusion resistant traitor tracing with short ciphertexts and private keys. In EUROCRYPT 2006, pages 573--592. Google ScholarDigital Library
- D. Boneh and B. Waters. A fully collusion resistant broadcast, trace, and revoke system. In ACM CCS 2006, pages 211--220, 2006. Google ScholarDigital Library
- Z. Brakerski and V. Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. In FOCS 2011, pages 97--106. Google ScholarDigital Library
- L. Carter and M. N. Wegman. Universal classes of hash functions. J. Comput. Syst. Sci., 18(2):143--154, 1979.Google ScholarCross Ref
- H. Chabanne, D. H. Phan, and D. Pointcheval. Public traceability in traitor tracing schemes. In EUROCRYPT 2005, pages 542--558, 2005. Google ScholarDigital Library
- B. Chor, A. Fiat, and M. Naor. Tracing traitors. In CRYPTO 94, pages 257--270, 1994. Google ScholarDigital Library
- R. Cramer and V. Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput., 33(1):167--226, 2004. Google ScholarDigital Library
- Y. Dodis, L. Reyzin, and A. Smith. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. In EUROCRYPT 2004, pages 523--540, 2004.Google ScholarCross Ref
- C. Dwork, J. B. Lotspiech, and M. Naor. Digital signets: Self-enforcing protection of digital information (preliminary version). In STOC, pages 489--498, 1996. Google ScholarDigital Library
- S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, and B. Waters. Candidate indistinguishability obfuscation and functional encryption for all circuits. In FOCS 2013, pages 40--49, 2013. Google ScholarDigital Library
- S. Goldwasser, Y. T. Kalai, R. A. Popa, V. Vaikuntanathan, and N. Zeldovich. Reusable garbled circuits and succinct functional encryption. In STOC'13, pages 555--564. Google ScholarDigital Library
- S. Gorbunov, V. Vaikuntanathan, and H. Wee. Functional encryption with bounded collusions via multi-party computation. In CRYPTO 2012, pages 162--179, 2012.Google ScholarDigital Library
- S. Gorbunov, V. Vaikuntanathan, and H. Wee. Predicate encryption for circuits from lwe. IACR Cryptology ePrint Archive, 2015.Google Scholar
- V. Guruswami and M. Sudan. Improved decoding of reed-solomon and algebraic-geometry codes. IEEE Trans on Information Theory, 45(6):1757--1767, 1999. Google ScholarDigital Library
- A. Juels and M. Sudan. A fuzzy vault scheme. Des. Codes Cryptography, 38(2):237--257, 2006. Google ScholarDigital Library
- J. Katz, A. Sahai, and B. Waters. Predicate encryption supporting disjunctions, polynomial equations, and inner products. EUROCRYPT'08, pages 146--162. Google ScholarDigital Library
- A. Kiayias and S. Pehlivanoglu. Encryption for Digital Content, volume 52 of Advances in Information Security. Springer, 2010. Google ScholarCross Ref
- A. Kiayias and Q. Tang. How to keep a secret: leakage deterring public-key cryptosystems. In ACM CCS 2013, pages 943--954. Google ScholarDigital Library
- A. Kiayias and M. Yung. Traitor tracing with constant transmission rate. In EUROCRYPT'02, pages 450--465. Google ScholarDigital Library
- K. Kurosawa and Y. Desmedt. Optimum traitor tracing and asymmetric schemes. In Advances in Cryptology - EUROCRYPT '98, pages 145--157, 1998.Google ScholarCross Ref
- S. Micali, C. Peikert, M. Sudan, and D. A. Wilson. Optimal error correction against computationally bounded noise. In TCC 2005, pages 1--16, 2005. Google ScholarDigital Library
- S. Nakamoto. Bitcoin: A peer-to-peer electronic cash system. 2009.Google Scholar
- M. Naor. On cryptographic assumptions and challenges. In CRYPTO 2003, pages 96--109, 2003.Google ScholarCross Ref
- M. Naor and B. Pinkas. Efficient trace and revoke schemes. FC '00, pages 1--20. Google ScholarDigital Library
- A. Pagh, R. Pagh, and S. S. Rao. An optimal bloom filter replacement. In SODA 2005, pages 823--829. Google ScholarDigital Library
- O. Regev. On lattices, learning with errors, random linear codes, and cryptography. J. ACM, 56(6), 2009. Google ScholarDigital Library
- M. Sudan. Decoding of reed solomon codes beyond the error-correction bound. J. Complexity, 13(1):180--193, 1997. Google ScholarDigital Library
- G. Tardos. Optimal probabilistic fingerprint codes. J. ACM, 55(2), 2008. Google ScholarDigital Library
Index Terms
- Traitor Deterring Schemes: Using Bitcoin as Collateral for Digital Content
Recommendations
A Non-interactive Public-Key Distribution System
An identity-based non-interactive public key distribution system is presented that is based on a novel trapdoor one-way function allowing a trusted authority to compute the discrete logarithms modulo a publicly known composite number m while this is ...
Attribute-based encryption schemes with constant-size ciphertexts
Attribute-based encryption (ABE), as introduced by Sahai and Waters, allows for fine-grained access control on encrypted data. In its key-policy flavor (the dual ciphertext-policy scenario proceeds the other way around), the primitive enables senders to ...
Double-authentication-preventing signatures
Digital signatures are often used by trusted authorities to make unique bindings between a subject and a digital object; for example, certificate authorities certify a public key belongs to a domain name, and time-stamping authorities certify that a ...
Comments