How to construct random functions
Journal of the ACM (JACM)
CRYPTO '93 Proceedings of the 13th annual international cryptology conference on Advances in cryptology
Secure group communications using key graphs
Proceedings of the ACM SIGCOMM '98 conference on Applications, technologies, architectures, and protocols for computer communication
Combinatorial Properties and Constructions of Traceability Schemes and Frameproof Codes
SIAM Journal on Discrete Mathematics
An Efficient Public Key Traitor Tracing Scheme
CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
CRYPTO '00 Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology
Long-Lived Broadcast Encryption
CRYPTO '00 Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology
Revocation and Tracing Schemes for Stateless Receivers
CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
Self Protecting Pirates and Black-Box Traitor Tracing
CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
The LSD Broadcast Encryption Scheme
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
CRYPTO '94 Proceedings of the 14th Annual International Cryptology Conference on Advances in Cryptology
CRYPTO '98 Proceedings of the 18th Annual International Cryptology Conference on Advances in Cryptology
Traitor Tracing with Constant Transmission Rate
EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
Efficient Trace and Revoke Schemes
FC '00 Proceedings of the 4th International Conference on Financial Cryptography
Proceedings of the First International Workshop on Information Hiding
Collusion Secure q-ary Fingerprinting for Perceptual Content
DRM '01 Revised Papers from the ACM CCS-8 Workshop on Security and Privacy in Digital Rights Management
On Crafty Pirates and Foxy Tracers
DRM '01 Revised Papers from the ACM CCS-8 Workshop on Security and Privacy in Digital Rights Management
Efficient Methods for Integrating Traceability and Broadcast Encryption
CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
Optimal probabilistic fingerprint codes
Proceedings of the thirty-fifth annual ACM symposium on Theory of computing
Number-theoretic constructions of efficient pseudo-random functions
FOCS '97 Proceedings of the 38th Annual Symposium on Foundations of Computer Science
Scalable public-key tracing and revoking
Proceedings of the twenty-second annual symposium on Principles of distributed computing
Defending against the Pirate Evolution Attack
ISPEC '09 Proceedings of the 5th International Conference on Information Security Practice and Experience
Pirate evolution: how to make the most of your traitor keys
CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
Corrupting one vs. corrupting many: the case of broadcast and multicast encryption
ICALP'06 Proceedings of the 33rd international conference on Automata, Languages and Programming - Volume Part II
Generic construction of hybrid public key traitor tracing with full-public-traceability
ICALP'06 Proceedings of the 33rd international conference on Automata, Languages and Programming - Volume Part II
Public traceability in traitor tracing schemes
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
One-Way chain based broadcast encryption schemes
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
Fully collusion resistant traitor tracing with short ciphertexts and private keys
EUROCRYPT'06 Proceedings of the 24th annual international conference on The Theory and Applications of Cryptographic Techniques
Collusion-secure fingerprinting for digital data
IEEE Transactions on Information Theory
IEEE Transactions on Information Theory
Combinatorial properties of frameproof and traceability codes
IEEE Transactions on Information Theory
New results on frame-proof codes and traceability schemes
IEEE Transactions on Information Theory
| Hi-index | 0.00 |
A cryptographic primitive that is widely deployed commercially for digital content distribution is the subset-difference (SD) method of Naor, Naor and Lotspiech that was introduced in Crypto 2001. This encryption mechanism, called a trace and revoke scheme, is part of the Advanced Access Content System (AACS), and is used for encrypting Blu-Ray movie disks and is based on an explicit combinatorial construction of an exclusive set system. At the time of its introduction the only attacks cryptographers considered against such schemes were against the revocation and tracing algorithms. The SD method defended against them successfully and provided a superior ciphertext length compared to other known techniques : the length of the ciphertext grew only linearly with the number of revocations r; in contrast, e.g., the simpler complete subtree (CS) method requires ciphertexts of length O(r ċ log N/r) where N is the total number of users. In Crypto 2007 a new class of attacks was discovered against trace and revoke schemes called "pirate evolution." Pirate evolution refers to the ability of the adversary to schedule the key material it possesses in such a way so that it can withstand a great number of rounds of tracing and revocation. With the introduction of pirate evolution, the reduction of the number of rounds of pirate evolution became a design consideration for trace and revoke schemes. In 2009, Jin and Lotspiech proposed a mechanism for defending against pirate evolution in the SD method that is a tradeoff between ciphertext size and the pirate evolution bound. In this article we provide a review of all the above results. Moreover, we compare the modified SD scheme to the CS method (similarly modified to address pirate evolution) and find that for many choices of the parameters that are relevant to practice SD can be a less preferable choice. This fact highlights the importance of considering all relevant attack scenarios when applying a specific cryptographic primitive to a certain application domain.