Bounds and Combinatorial Structure of (k,n)Multi-Receiver A-Codes
Designs, Codes and Cryptography
The LSD Broadcast Encryption Scheme
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
CRYPTO '94 Proceedings of the 14th Annual International Cryptology Conference on Advances in Cryptology
CRYPTO '98 Proceedings of the 18th Annual International Cryptology Conference on Advances in Cryptology
On Crafty Pirates and Foxy Tracers
DRM '01 Revised Papers from the ACM CCS-8 Workshop on Security and Privacy in Digital Rights Management
Hierarchical key assignment for black-box tracing with efficient ciphertext size
ICICS'06 Proceedings of the 8th international conference on Information and Communications Security
Public traceability in traitor tracing schemes
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
Attacking traitor tracing schemes using history recording and abrupt decoders
ISC'11 Proceedings of the 14th international conference on Information security
Hi-index | 0.00 |
Traitor tracing refers to a class of encryption schemes that can be used to deter key-leakage. They apply to a setting that involves many receivers, each one receiving a fingerprinted decryption key. If a set of malicious receivers (also known as traitors) constructs an illicit decoder then a tracing mechanism enables an authority to identify at least one of the traitors. The very first traitor tracing scheme that has sublinear ciphertext size and is capable of tracing unambiguously illicit decoders that may shut-down (or employ some sort of self-defensive mechanism that would be adverse to tracing) was proposed in AsiaCrypt 2004 by Matsushita and Imai. In this work we demonstrate that this scheme is susceptible to an attack by an illicit decoder that not only evades tracing but results with high likelihood in the incrimination of an innocent user. Our attack is based on the fact that an illicit decoder can decompose a ciphertext to a set of components that can be submitted to a statistical test which distinguishes between tracing and regular system operation. The statistical distance between the two distributions converges to 1 as the number of traitors grows with an exponential rate in the number of traitors. After demonstrating our attack we also present a way to repair the construction as long as the traitors are not spaced too far apart in the user population. In particular we devise a transmission mechanism that eliminates the discrepancies between the tracing operation and the regular operation in the system and works against illicit decoders that are correct with sufficiently high probability.