On the security of a public-key traitor tracing scheme with sublinear ciphertext size

Traitor tracing refers to a class of encryption schemes that can be used to deter key leakage. They apply to a setting that involves many receivers, each one receiving a fingerprinted decryption key. If a set of malicious receivers (also known as traitors) constructs an illicit decoder, then a tracing mechanism enables an authority to identify at least one of the traitors. The very first traitor tracing scheme that has sublinear ciphertext size and is capable of unambiguously tracing illicit decoders that may shut down (or employ some sort of self-defensive mechanism that would be adverse to tracing) was proposed at AsiaCrypt 2004 by Matsushita and Imai. In this work we demonstrate that this scheme is susceptible to an attack by an illicit decoder that not only evades tracing but, with high likelihood, results in the incrimination of an innocent user. Our attack is based on the fact that an illicit decoder can decompose a ciphertext into a set of components that can be submitted to a statistical test which distinguishes between tracing and regular system operation. The statistical distance between the two distributions converges to 1 at an exponential rate in the number of traitors. After demonstrating our attack, we also present a way to repair the construction as long as the traitors are not spaced too far apart in the user population. In particular, we devise a transmission mechanism that eliminates the discrepancies between the tracing operation and the regular operation of the system and works against illicit decoders that are correct with sufficiently high probability.