Recall that the broadcast encryption scheme BE based on a subset cover set

system Φ and transmits a vector of ciphertexts h E k j 1 (m),..., E k j s (m)i where

( E , D ) is the underlying symmetric encryption scheme of BE and the key k j i is

the key that corresponds to the subset S j i . We denote the tracer by T SC who

queries the transmissions of the form Encrypt v (ek,m,ψ) for v = 0,1,...,s

for which it holds that we have substituted the first v plaintexts with random

strings. Specifically,

Encrypt v (ek,m,ψ) = hj 1 ,..., j s , E k j 1 (R 1 ),..., E k j v (R v ), E k j 1 (m),..., E k j s (m)i

(4.1)

where R i is a random string of the same length as the message m. Given

that the adversary-tracer pair is σ-admissible the adversary will be required

to respond to the queries of type Encrypt 0 (ek,m,ψ) such that the predicate

R Encrypt is satisfied with probability at least σ. On the other hand note

that the predicate necessarily fails with overwhelming probability for queries

of type Encrypt s (ek,m,ψ). This suggests that the tracer can progressively

randomize the pattern of the ciphertext until a position is identified that

the pirate-box fails to decrypt successfully whenever it queries the tracing

ciphertext. In other words we can locate a subset that intersects with the

traitor coalition in this fashion.

The soundness of the above argumentation is supported by the following

lemma (which is similar to Lemma 3.17 ):

Lemma 4.4. Let ψ = {S j 1 ,...,S j s }. Assuming that C ∩ S j v = ∅, any prob-

abilistic polynomial-time adversary A, given {sk u } u∈C , distinguishes the dis-

tributions Encrypt v−1 (ek,m,ψ) and Encrypt v (ek,m,ψ) with probability at

most 2ε p where (ek,sk 1 ,...,sk n ) ←KeyDist(1 n ) and the underlying encryp-

tion scheme ( E , D ) is ε p -insecure in the sense of Definition 2.5 .

Proof. Consider the following CCA1 key encapsulation adversary B that will

be able to break the symmetric encryption scheme ( E , D ) in the sense of Defi-

nition 2.5 with probability at least ε p by simulating the adversary A.

To break the security claim of the underlying symmetric encryption scheme

( E , D ), B, is given access to encryption-decryption oracle of the primitive. B has

also access to the decryption/encryption under a key k that is unknown to her.

She is then challenged with a plaintext-ciphertext pair (c,m) for which either

c = E k (m) or c = E k (R) for some random string R that has the same length

with m. She is asked to decide if the pair is a correct plaintext-ciphertext pair.

B will simulate the distribution Encrypt v (ek,m,ψ) in a suitable way. Let

B be given the challenge (c,m) where either m is the proper plaintext of c or

it is randomly selected. B will prepare a ciphertext for A by setting the v-th

location of the challenge ciphertext with c and the remaining positions from

v + 1,...,s with encryptions of m.

Based on the assumption on the underlying encryption scheme we have

that |Prob[Exp kem

B

(1 n )]−1/2|≤ ε p . We observe that in the key encapsulation