Identity-Based Trace and Revoke Schemes

Trace and revoke systems allow for the secure distribution of digital content in such a way that malicious users, who collude to produce pirate decoders, can be traced back and revoked from the system. In this paper, we consider such schemes in the identity-based setting, by extending the model of identity-based traitor tracing scheme by Abdalla et al. to support revocation. The proposed constructions rely on the subset cover framework. We first propose a generic construction which transforms an identity-based encryption with wildcard (WIBE) of depth log(N) (N being the number of users) into an identity-based trace and revoke scheme by relying on the complete subtree framework (of depth log(N)). This leads, however, to a scheme with log(N) private key size (as in a complete subtree scheme). We improve this scheme by introducing generalized WIBE (GWIBE) and propose a second construction based on GWIBE of two levels. The latter scheme provides the nice feature of having constant private key size (3 group elements). In our schemes, we also deal with advanced attacks in the subset cover framework, namely pirate evolution attacks (PEvoA) and pirates 2.0. The only known strategy to protect schemes in the subset cover framework against pirate evolution attacks was proposed by Jin and Lotspiech but decreases seriously the efficiency of the original schemes: each subset is expanded to many others subsets; the total number of subsets to be used in the encryption could thus be O(N-1/b) to prevent a traitor from creating more than b generations. Our GWIBE based scheme, resisting PEvoA better than the Jin and Lotspiech's method. Moreover, our method does not need to change the partitioning procedure in the original complete subtree scheme and therefore, the resulted schemes are very competitive compared to the original scheme, with r log(N/r) log N-size ciphertext and constant size private key.