Welcome to the resource topic for
**2003/095**

**Title:**

Public Key Trace and Revoke Scheme Secure against Adaptive Chosen Ciphertext Attack

**Authors:**
Yevgeniy Dodis, Nelly Fazio

**Abstract:**

A (public key) Trace and Revoke Scheme combines the functionality

of broadcast encryption with the capability of traitor tracing.

Specifically, (1) a trusted center publishes a single public key

and distributes individual secret keys to the users of the system;

(2) anybody can encrypt a message so that all but a specified

subset of `revoked'' users can decrypt the resulting ciphertext; and (3) if a (small) group of users combine their secret keys to produce a `

pirate decoder’‘, the center can trace at least one of

the ``traitors’’ given access to this decoder.

We construct the first chosen ciphertext (CCA2) secure Trace and

Revoke Scheme based on the DDH assumption. Our scheme is also the

first adaptively secure scheme, allowing the adversary to corrupt

players at any point during execution, while prior works (e.g.,

[NP00,TT01]) only achieves a very weak form of non-adaptive

security even against chosen plaintext attacks. In fact, no CCA2

scheme was known even in the symmetric setting.

Of independent interest, we present a slightly simpler

construction that shows a ``natural separation’’ between the

classical notion of CCA2 security and the recently proposed

[Sho01,ADR02] relaxed notion of gCCA2 security.

**ePrint:**
https://eprint.iacr.org/2003/095

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

**Example resources include:**
implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .