Cryptography Reference
In-Depth Information
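$L, \langle sk_1, sk_2, \ldots, sk_n \rangle \leftarrow \mathrm{KeyGen}(1^n)$
$T \leftarrow \mathrm{Leaking}(L, t, R)$
$\mathrm{MasterBox} \leftarrow P^{\mathrm{Encrypt}()}(T, \{sk_u\}_{u \in T}, R)$
$\ell = 0$; $\psi \in L$ encodes $R$ to be revoked
repeat $\ell = \ell + 1$
    $B_\ell \leftarrow \mathrm{MasterBox}(1^{t + \log n}, \ell)$
    Set $\psi' = \mathrm{Disable}(\psi, \langle B_1, \ldots, B_{\ell-1} \rangle, \sigma)$
until $\mathrm{Prob}[B_\ell(\mathrm{Encrypt}(ek, m, \psi')) = m] < \sigma$ with $m \leftarrow M$
output $\ell$.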
Fig. 5.1. The attack game played with an evolving pirate.
Leaking, any set of revoked users R and any evolving pirate P; note that
evo[TR, Disable] is a function of t and possibly of other parameters as well
(such as n). A scheme accompanied with Disable is susceptible to pirate
evolution if its pirate evolution bound satisfies evo[TR, Disable] > t.
Note that immunity against pirate evolution attacks is potentially a
stringent property; even though we show that it is attainable (cf. the next
section), it could be sacrificed in favor of efficiency. Naturally, using a
trace and revoke scheme that is susceptible to pirate evolution with a high
pirate evolution bound may put the system's managers in a perilous position
once a leaking incident occurs; and it is worth noting here that current
practice has shown that leaking incidents are unavoidable.
We now prove, in the next section, that it is in fact possible to design
trace and revoke schemes that are immune to pirate evolution by presenting
a simple design that renders any evolving pirate incapable of producing more
pirate decoders than traitors. This result (albeit not efficient as a trace
and revoke scheme) shows that immunity against pirate evolution is attainable
in principle.
5.2 A Trace and Revoke Scheme Immune to Pirate-Evolution
In this section we show a simple trace and revoke design using an exclusive set
system that achieves immunity against pirate-evolution. The system simply
encrypts the message with the unique key of each user in the system that is
not revoked. It is related to the linear length multi-user encryption scheme in
Chapter 3. Formally it can be expressed as follows:
Definition 5.2. Consider the set system $\Phi^{L}$ that consists of the subsets
$S_{j_u} = \{u\}$ for all $u \in [n]$. We define the scheme
$\mathrm{BE}^{\Phi^{L}}_{\mathrm{basic}}$ according to the template of Figure 2.2.
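Added example (not from the book): a Python simulation of the Fig. 5.1 game against the scheme described above, in which every non-revoked user receives the message under their own key, counting the successive decoders that still decrypt. The XOR-pad cipher, the black-box probing used for Disable, and the pirate strategy of spending `keys_per_box` fresh traitor keys per decoder are assumptions made for illustration; decoders here are deterministic, so the probability test against σ reduces to a single trial.

```python
import hashlib, hmac, secrets

def keygen(n):
    # One independent key per user u in [n]; each subset of the set system is {u}.
    return {u: secrets.token_bytes(32) for u in range(1, n + 1)}

def _xor_pad(key, nonce, data):
    # Toy cipher (assumption): XOR with an HMAC-SHA256 pad; messages are at most 32 bytes.
    return bytes(a ^ b for a, b in zip(data, hmac.new(key, nonce, hashlib.sha256).digest()))

def encrypt(sk, m, revoked):
    # Linear-length broadcast: m is encrypted once under each non-revoked user's key.
    ct = {}
    for u in set(sk) - set(revoked):
        nonce = secrets.token_bytes(16)
        ct[u] = (nonce, _xor_pad(sk[u], nonce, m))
    return ct

def make_box(held):
    # Pirate decoder holding the keys in `held` ({user: key}); callers treat it as a black box.
    def box(ct):
        for u in held.keys() & ct.keys():
            return _xor_pad(held[u], *ct[u])
        return None
    return box

def disable(sk, revoked, boxes):
    # Black-box tracing: a probe addressed to user u alone is decrypted only by a box
    # that holds sk[u]; every user exposed this way is added to the revoked set.
    out = set(revoked)
    for box in boxes:
        for u in sk:
            probe = secrets.token_bytes(32)
            if box(encrypt(sk, probe, set(sk) - {u})) == probe:
                out.add(u)
    return out

def play(n, traitors, keys_per_box, revoked=frozenset()):
    # Returns how many successive boxes still decrypt once Disable has seen their predecessors.
    sk = keygen(n)
    unused = [u for u in traitors if u not in revoked]
    boxes = []
    while True:
        held = {u: sk[u] for u in unused[:keys_per_box]}  # MasterBox spends fresh traitor keys
        unused = unused[keys_per_box:]
        box, psi = make_box(held), disable(sk, revoked, boxes)
        m = secrets.token_bytes(32)
        if box(encrypt(sk, m, psi)) != m:
            return len(boxes)
        boxes.append(box)
```

With t traitor keys the count never exceeds t, and embedding several keys in one decoder only lowers it, because tracing exposes every key the decoder holds.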
 
 