Cryptography Reference
In-Depth Information
In case the state is $\langle \bot, 0 \rangle$, then $W = \{w_1, \ldots, w_s\}$, with $s = |\psi|$, is sampled
by running $\mathsf{CodeGen}_\ell(1^s)$ and $l$ is set to be 1. Otherwise let the state be
$\sigma = \langle W, l \rangle$.
By employing the encryption scheme $(\mathcal{E}, \mathcal{D})$ the ciphertext is computed as
follows:
$c \leftarrow \langle j_1, \ldots, j_s, \mathcal{E}_{k_{j_1}}(m_{w_l}), \ldots, \mathcal{E}_{k_{j_s}}(m_{w_l}) \rangle$
Finally, the state index is updated to be $l = (l \bmod \ell) + 1$.
• Decrypt F. Given the key-pair $sk_u = (J_u, K_u)$ for some $u \in [n]$ and a
ciphertext of the form
$c = \langle j_1, \ldots, j_s, c_1, \ldots, c_s \rangle$
it first searches for an encoding $j_i$ that satisfies $j_i \in J_u$ and then returns
$\mathcal{D}_{k_{j_i}}(c_i)$. If no such encoding is found it returns $\bot$.
The scheme is a simple extension of the original broadcast encryption to
support transmitting an input vector in a stateful manner. Hence its
correctness and security can be proven in a fashion similar to the analysis
given in Theorem 2.8.
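The stateful transmission and decryption steps above, as an added Python example (not code from the book). It assumes CodeGen returns s uniformly random codewords of length ℓ over q symbols, reads the message in slot i as the one selected by the l-th symbol of the i-th codeword, and uses a hash-derived XOR pad as a toy stand-in for $(\mathcal{E}, \mathcal{D})$; `Transmitter`, `code_gen`, `Q` and `ELL` are hypothetical names.

```python
import hashlib
import secrets

Q, ELL = 3, 4  # constructed parameters: alphabet size q, code length ℓ

def _pad(key, nonce, n):
    # Hash-derived pad; toy stand-in for (E, D), not a vetted cipher
    return hashlib.sha256(key + nonce).digest()[:n]

def E(key, msg):
    if len(msg) > 32:
        raise ValueError("toy cipher handles messages up to 32 bytes")
    nonce = secrets.token_bytes(8)
    return nonce + bytes(a ^ b for a, b in zip(msg, _pad(key, nonce, len(msg))))

def D(key, ct):
    nonce, body = ct[:8], ct[8:]
    return bytes(a ^ b for a, b in zip(body, _pad(key, nonce, len(body))))

def code_gen(s):
    # Assumed CodeGen: s uniformly random codewords in {0..q-1}^ℓ
    return [[secrets.randbelow(Q) for _ in range(ELL)] for _ in range(s)]

class Transmitter:
    def __init__(self, keys):
        self.keys = keys            # subset index j -> key k_j
        self.W, self.l = None, 0    # initial state ⟨⊥, 0⟩

    def transmit(self, psi, m):
        """psi: subset indices j_1..j_s; m: input vector of q messages."""
        if self.W is None:          # first query: sample W, set l = 1
            self.W, self.l = code_gen(len(psi)), 1
        if len(psi) != len(self.W) or len(m) != Q:
            raise ValueError("psi or m does not match the sampled state")
        # Slot i carries the message selected by symbol l of codeword w_i
        body = [E(self.keys[j], m[w[self.l - 1]]) for j, w in zip(psi, self.W)]
        self.l = (self.l % ELL) + 1  # l = (l mod ℓ) + 1
        return list(psi), body

def decrypt(J_u, K_u, c):
    js, cs = c
    for j, c_i in zip(js, cs):
        if j in J_u:                # first encoding the user holds a key for
            return D(K_u[j], c_i)
    return None                     # ⊥: user is not covered by psi
```

Each covered subset recovers exactly one entry of the input vector per transmission, and which entry it is changes as the state index cycles through the codeword positions.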
Since a state is now involved, some comments are in order regarding
the way the state is relevant in the security Definition 2.2. We assume
that the state is initialized with the first encryption query that is made by the
adversary and that the state advances in the prescribed fashion, as in the definition
of the scheme. The adversary will receive the challenge at the particular state
at which it chooses to terminate the initial stage of its experimentation.
Theorem 4.7. The q-ary broadcast encryption scheme defined above satisfies
correctness (cf. Definition 2.1) and it is secure with the same parameters as
Theorem 2.8.
Proof. The proof is very similar to the proof of Theorem 2.8 and is left as an
exercise for the reader. It should be noted that the scheme is q-ary, therefore
the challenge plaintext will use plaintext vectors of length q (this differs from
Theorem 2.8, where the underlying scheme is unary).
We next claim that the above broadcast encryption, for the choice of a
subset cover scheme Φ, is in fact an alfresco trace and revoke scheme. As we
are now in the domain of alfresco revocation games, we need to prepare tracer
queries that are statistically indistinguishable from regular transmissions. The
tracing queries will make use of the underlying fingerprinting code, as in the
case of traceability of multiuser encryption schemes based on fingerprinting
that we have discussed in Chapter 3.
Jumping ahead, we describe how tracing works for a given revocation
instruction ψ: only one of the messages from the input vector is made available to
each subset in the encoding ψ through the fingerprinting code that is retrieved