New traitor tracing schemes using bilinear map

Vu Dong Tô, R. Safavi-Naini, Fangguo Zhang
ACM Digital Rights Management Workshop, 2003-10-27
DOI: 10.1145/947380.947389 (https://doi.org/10.1145/947380.947389)
Citations: 45

Abstract

Mitsunari et al. [15] presented a new traitor tracing scheme which uses the Weil pairing on elliptic curves. To the best of our knowledge, this is the first scheme that uses a bilinear map. The claimed advantage of the scheme is that the ciphertext size is independent of the number of traitors. It is shown that the problem of constructing a pirate key by k colluders is as hard as the so-called "k-weak Diffie-Hellman problem".

In this paper, we show an attack on this scheme in which traitors find a linear combination of their keys to construct a pirate key that can be used to decrypt the ciphertext. We identify a class of schemes, which includes MSK, with the property that correct tracing requires the ciphertext size to depend on the collusion threshold. We derive a lower bound on the size of the ciphertext that depends on the number of colluders.

We propose a modification to the MSK scheme, Scheme 1, which not only ensures that constructing a pirate decoder is hard, but also has a number of significant advantages over the initial proposal. In particular, it is a public key traitor tracing scheme while the original scheme is a secret key traitor tracing scheme; it has a black box tracing algorithm while the MSK scheme only has an open box tracing algorithm; and finally its security is provable (semantically secure against a passive adversary) while there was no security proof for MSK.

We also propose two other schemes based on bilinear pairing. Scheme 2 is a generic scheme and can be used with any linear error correcting code. Scheme 3 uses Shamir's secret sharing scheme and has the added property that the encrypted message can be targeted to a subset of users. This is achieved by including a user revocation property, which allows selected users to be revoked from the original set of users. We also give a proof of security, similar to that of Scheme 1, and a tracing algorithm for the two schemes. Finally, we give an efficiency comparison of the three schemes against the most efficient schemes with similar security and traceability properties and show that all three schemes are the most efficient ones of their kind.