Privacy against Piracy: Protecting Two-Level Revocable P-K Traitor Tracing

  • Hyun-Jeong Kim
  • Dong Hoon Lee
  • Moti Yung
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2384)


In known traitor tracing schemes, an enabling block is used for both secure broadcast of a session key and tracing traitors in pirate boxes. This paper suggests a new traitor tracing scheme that has two-levels for efficiency. In the more frequent level an enabling block is used only for a very efficient session key distribution, and a new block, less frequently used, called a renewal block is used for the renewal of the group key and for the detection and revocation of traitors. This organization increases efficiency: the computational complexity of encryption/decryption of the often employed enabling block is constant, while only that of the sporadically employed renewal block depends on the allowed revocations (as in earlier schemes). However, our saving has a price: in a two-level broadcasting scheme, the new danger is that rather than performing piracy by leaking the keys of the renewal block, the individual traitors may leak to pirates the means to decode the enabling blocks at the sessions. For example, if the enabling block is naively implemented as a single key-encrypting-key that is known to all— and this key is used to encrypt session keys, then any participant can leak this key without being detected. (Note that leaking the session keys themselves, constantly all the time, is typically considered in the literature not to be an economically viable option). In order to prevent this new potential leakage, a novel idea of personal enabling keys (used throughout) is suggested. In order to get a session key, a user will need access to the enabling block with his own personal key. To discourage leakage of the personal key (which would violate the service), a novel self-enforcement method is employed that ties “privacy” to “leakage”. The self-enforcement of personal keys uses the fact that if the key is leaked then the party which leaks may lose its private data to the party it leaks to (i.e. it is a privacy-based protection mechanism). In our self-enforcement, a subscriber’s private information is not embedded into his personal key directly (as was done earlier). Thus, if a subscriber’s important data is altered, his personal key needs not to be regenerated. The separation into two-level broadcast (for efficiency) together with the novel flexible self-enforcement (privacy-based protection of the enabling-block keys) is the central contribution of this work.


Encryption Algorithm Cipher Block Data Supplier Random Oracle Model Broadcast Encryption 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    J. Anzai, N. Matsuzaki and T. Matsumoto, “A Quick Group Key Distribution Scheme with Entity Revocation”, In Proc. Advances in Cryptology-Asiacrypt’ 99, Vol. 1716 of Lecture Notes in Computer Science, pp. 333–347, Springer Verlag, 1999.Google Scholar
  2. 2.
    M. Bellare and P. Rogaway, “Optimal Asymmetric Encryption — How to Encrypt with RSA.”, In Eurocypt’ 94, LNCS 950, pages 92–111. Springer Verlag, 1999.Google Scholar
  3. 3.
    D. Boneh and M. Franklin, “An Efficient Public Key Traitor Tracing Scheme”, In Proc. Advances in Cryptology-Crypto’ 99, Vol. 1666 of Lecture Notes in Computer Science, pp. 338–353. Springer Verlag, 1999.Google Scholar
  4. 4.
    D. Boneh, “The Decision Diffie-Hellman Problem”, In Proc. the Third Algorithmic Number Theory Symposium, Vol. 1423 of Lecture Notes in Computer Science, pp. 48–63. Springer Verlag, 1998.CrossRefGoogle Scholar
  5. 5.
    D. Chaum, A. Fiat, and M. Naor. “Untraceable electronic cash”, In Advances in Cryptology-Crypto’88, Lecture Notes in Computer Science, pp. 319–327. Springer-Verlag, 1990.Google Scholar
  6. 6.
    B. Chor, A. Fiat and M. Naor, “Tracing Traitors”, In Proc. Advances in Cryptology-Crypto’ 94, Vol. 839 of Lecture Notes in Computer Science, pp. 257–270, Springer Verlag, 1994.Google Scholar
  7. 7.
    C. Dwork, J. Lotspiech and M. Naor, “Digital Signets: Self-Enforcing Protection of Digital Information”, In 28th Symposium on the Theory of Computation’ 96, pp. 489–498, 1996.Google Scholar
  8. 8.
    K. Kurosawa and Y. Desmedt, “Optimum Traitor Tracing and Asymmetric Schemes”, In Proc. Advances in Cryptology-Eurocrypt’ 98, Vol. 1403 of Lecture Notes in Computer Science, pp. 145–157, Springer Verlag, 1998.CrossRefGoogle Scholar
  9. 9.
    A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, “Handbook of Applied Cryptography”, CRC Press, pp. 351–352, 1996.Google Scholar
  10. 10.
    M. Jakobsson, A. Juels and P. Nguyen, “Proprietary Certificates”, to appear in Topics in Cryptography CT-RSA 2002, 2002.Google Scholar
  11. 11.
    M. Naor and B. Pinkas, “Efficient Trace and Revoke Schemes”, In Proc. Financial Cryptography’ 00, Anguilla, February 2000.Google Scholar
  12. 12.
    T. Okamoto and D. Pointcheval, “The Gap-Problems: a New Class of Problems for the Security of Cryptographic Schemes”, In International Workshop on Practice and Theory in Public-Key Cryptography-PKC’ 01, Vol. 1992 of Lecture Notes in Computer Science, pp. 104–118, Springer Verlag, 2001.Google Scholar
  13. 13.
    T. Okamoto and D. Pointcheval, “REACT: Rapid Enhanced-security Asymmetric Cryptosystem Transform”, In The Cryptographers’ Track of the RSA Conference’ 2001, Vol. 2020 of Lecture Notes in Computer Science, pp. 159–175, Springer Verlag, 2001.CrossRefGoogle Scholar
  14. 14.
    B. Pfitzmann, “Trials of Traced Traitors”, In Proc. Workshop in Information Hiding, Vol. 1174 of Lecture Notes in Computer Science, pp. 49–64, Springer Verlag, 1996.Google Scholar
  15. 15.
    A. Shamir, “How to Share a Secret”, In Comm. ACM, Vol. 22, No. 11, pp. 612–613, 1979.zbMATHCrossRefMathSciNetGoogle Scholar
  16. 16.
    D. R. Stinson, “Cryptography Theory and Practice”, CRC Press, pp. 330–331, 1995.Google Scholar
  17. 17.
    W. Tzeng and Z. J. Tzeng, “A Public-Key Traitor Tracing Scheme with Revocation using Dynamic Shares”, In International Workshop on Practice and Theory in Public-Key Cryptography-PKC’ 01, Vol. 1992 of Lecture Notes in Computer Science, pp. 207–224, Springer Verlag, 2001.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Hyun-Jeong Kim
    • 1
  • Dong Hoon Lee
    • 1
  • Moti Yung
    • 2
  1. 1.CISTKorea UniversitySeoulKorea
  2. 2.CertCoUSA

Personalised recommendations