| Title | : | Broadcast, Trace and Revoke with Optimal Parameters from Polynomial Hardness |
| Speaker | : | Ms.Simran Kumari (IITM) |
| Details | : | Tue, 21 Mar, 2023 4:00 PM @ SSB 233 |
| Abstract: | : | The notion of Broadcast, Trace and Revoke (or simply “Trace and Revokeâ€, w hich we denote by TR), introduced by Naor and Pinaki in 2000, is the combination of two well-known primitives, broadcast encryption and traitor tracing, in a way more than just their union. In a TR scheme for a system of N users, the content provider includes a list L of revoked users in the ciphertext, and ski works to decrypt ctL if i L. Moreover, it is required that revocation remain compatible with tracing, so that if if we have a set of users T ⊆ [N] who colluded to design a decoder D, that can decrypt the ciphertexts computed with respect to the revoke list L, then we can trace at least one non revoked user in the system who participated in designing D, even if users in the set L colluded to form D. In designing a TR scheme, we mainly focus on optimizing the ciphertext size and the size of user’s keys. Specifically, we want that the size of ciphertext, public keys and the user secret keys should be independent of the number of users in the system. We also focus on embeddin g the user identity in the user specific secret keys, so that we can get rid of storing the user index and user identity mapping, primarily for the sake of anonymity of the users. We study TR for both public trace setting, where the tracing key is public, as well as secret trace setting, where tracing key is secret..
Focus of this talk is the construction of an optimal TR scheme with embedded identities from our recent work †Broadcast, Trace and Revoke with Optimal Parameters from Polynomial Hardness†with Shweta Agrawal, Anshu Yadav, and Shota Yamada. In this work we make the following contributions: 1. Public Trace Setting: We provide a construction which (i) achieves optimal parameters, (ii) supports embedding identities (from an exponential space) in user secret keys, (iii) relies on polynomial hardness assumptions, namely compact functional encryption (FE) and a key-policy attribute based encryption (ABE) with special efficiency properties, and (iv) enjoys adaptive security with respect to the revocation list. The previous best known construction by Nishimaki, Wichs and Zhandry (Eurocrypt 2016) which achieved optimal parameters and embedded identities, relied on indistinguishability obfuscation, which is considered an inherently subexponential assumption and achieved only selective security with respect to the revocation list. 2. Secret Trace Setting: We provide the first construction with optimal ciphertext, public and secret key sizes and embedded identities from any assumption outside Obfustopia. In detail, our construction relies on Lockable Obfuscation which can be constructed using LWE (Goyal, Koppula, Waters and Wichs, Zirdelis, Focs 2017) and two ABE schemes: (i) the key-policy scheme with special efficiency properties by Boneh et al. (Eurocrypt 2014) and (ii) a ciphertext-policy ABE for P which was recently constructed by Wee (Eurocrypt 2022) using a new assumption called evasive and tensor LWE. This assumption, introduced to build an ABE, is believed to be much weaker than lattice based assumptions underlying FE or iO – in particular it is required even for lattice based broadcast, without trace. Moreover, by relying on subexponential security of LWE, both our constructions can also support a super-polynomial sized revocation list, so long as it allows efficient representation and membership testing. Ours is the first work to achieve this, to the best of our knowledge. |
