(iii) Induction step: Let ψ k = GenDisable(ψ,hB i ,B i 1 ,B i 2 ,···B i k−1 i,σ)

be the the revocation instruction containing the subset S j k as given in the

induction assumption. The pirate box B i k = CSBox j k is capable of decrypt-

ing ciphertexts distributed according to Encrypt(ek,·,ψ k ) with probability

greater than the threshold σ. The revocation algorithm of Figure 4.2 against

the pirate box B i k with respect to ψ k will output S j k as the subset con-

taining the traitor. The algorithm will then partition S j k into two equally-

sized subsets where one of it is S j k+1 . The decoder B i k will no more be able

to decrypt the encryption due to the partition in Revocation(ψ k ,B i k ,σ).

Hence, the final outcome partition that disables all boxes will satisfy fol-

lowing: S j k+1 ∈ GenDisable(ψ,hB i ,B i 1 ,B i 2 ,···B i k i,σ) as the statement of

induction step.

Using the claim we now conclude that

S j s ∈GenDisable(ψ,hB i ,B i 1 ,B i 2 ,···B i s−1 i,σ)

Given that S j = S j s we have that the box B v+1 will be able to decrypt such

revocation instructions.

Claim 2: We next claim that revoking all the other boxes in the sequence

of {B 1 ,···B v }\{B i ,B i 1 ,B i 2 ,···B i s−1 } will not hurt the capability of B v+1 to

decrypt. This would be the case as long as revoking those boxes will not result

in splitting the subset S j . The proof of claim follows easily by the fact that

revoking any of those boxes does not affect S j since each one corresponds to

a subset key disjoint from S j .

We conclude, as a consequence of the above,

S j s = S j ∈GenDisable(ψ,hB 1 ,B 2 ,···B v i,σ) = ψ 0

Recall that B i s = B v+1 = CSBox j , we finally obtain

Prob[B v+1 (Encrypt(ek,m,ψ 0 )) = m] ≥ σ

(2) Suppose that j is an encoding of root(S) that is a root of one of the

trees in the forest {Steiner(T,S) | S ∈ ψ}, i.e. it holds that S ∈ ψ. Because

all the Steiner trees are disjoint, with a similar argument as claim 2 before,

S ∈ GenDisable(ψ,hB 1 ,B 2 ,···B v i,σ) since S was never split while tracing

all previous boxes. From the definition of B v+1 , we can conclude

Prob[B v+1 (Encrypt(ek,m,ψ 0 )) = m] ≥ σ

where ψ 0 = GenDisable(ψ,hB 1 ,B 2 ,···B v i,σ).

We next study the classes of leaking incidents and the number of boxes

they produce. For the polynomial time adversary P described in Figure 5.3 ,

PE R,GenDisable

P,Leaking (t) is the number of nodes in the forest of the Steiner trees of

the traitors. Theorem 5.7 and Theorem 5.8 give some bounds on this quantity

for different leaking incidents.