collect all coupons in at least β` ln` = ` ln`/ε 0

trials is at most

(`) 1−β = (`) − ln 1/ε 0

ln ` = (`) − log ` 1/ε 0 = ε 0

Hence a number λ ≥ ` log `/ε 0 of transmissions will be su cient to receive

a response from all ` columns with probability 1 −ε 0 . Let m 1 , m 2 ,... m λ be

the responses of the adversary in all these transmissions where a certain m j

might also be ⊥ standing for a refusal to decrypt or decrypting incorrectly.

Given a su ciently high σ and limited crossover with γ we can derive that

with high probability all the responses are consistent with the traitor coalition

keys and thus we identify a unique traitor key for each column. Subsequently

the fingerprinting code identification algorithm will provide a traitor identity.

Hence, we argue that it is possible to identify a traitor with failure probability

bounded by ε f + ε 0 .

In the next chapter in Section 4.3 we discuss a trace and revoke scheme

with a similar relation to the choice of γ and σ. We refer the reader there

for more insights in formulating the precise number of transmissions that are

required in terms of the bounds γ and σ.

3.5.3 Traceability of the Boneh-Franklin Scheme

We will first revisit the key space of the Boneh-Franklin scheme to elaborate

on the set of key material that is useful for decryption of a transmission.

Recall that the scheme is based on group generation algorithm Gen that

on input 1 k produces G,q,g where g ∈G is an element of order q where q is a

k-bit prime. The public-key of the scheme as sampled by KeyDist is an object

of the form G `+1 ×Z n× q . The space of secret-keys contains objects of the form

Z `+ q . Finally, K ek contains elements of Z q that satisfy the following: if the

tracing-key is tk = ha 0 ,a 1 ,...,a ` i and the encryption key is ek = hH,Γi with

H = hg a 0 ,...,g a ` i, it holds that δ ∈ K sk if and only if a 0 = δ ·ha 1 ,...,a ` i

(where “·” here stands for the inner product over Z q vectors).

We next consider what are the capabilities of an adversary to produce new

key material in K ek while in possession of some keys in K ek . In particular we

show that any probabilistic a lgorithm that is polynomial-time bounded and

is given a number of decryption keys cannot produce a new decryption-key

that is not a linear combination of the given keys. This restricts the search

space of possible keys that a tracer needs to take into account when trying to

win the tracing game.

Lemma 3.25. Let n ∈ N, and htk,ek,sk 1 ,...sk n i be distributed according

to KeyDist BF ` (1 n ) where tk = ha 0 ,a 1 ,...,a ` i and ek = hH,Γi with H =

(g a 0 ,...,g a ` ) where g ∈ G and (G,q,g) ← Gen(1 k ). Here Γ is an (`,n,q)-

code over an alphabet Z q for some k-bit prime number q. The secret key sk u is

computed as a vector δ u = b u ·γ u with b u = a 0 ( P i=1 a i γ i ) −1 for u = 1,...,n.