• PDF / 466,317 Bytes
• 28 Pages / 439.37 x 666.142 pts Page_size
• 18 Downloads / 192 Views

DOWNLOAD

REPORT

2

University of Oxford, Oxford, UK [email protected] University of California, San Diego, USA [email protected]

Abstract. Reducibility between different cryptographic primitives is a fundamental problem in modern cryptography. As one of the primitives, traitor tracing systems help content distributors recover the identities of users that collaborated in the pirate construction by tracing pirate decryption boxes. We present the first negative result on designing efficient traitor tracing systems via black-box constructions from symmetric cryptographic primitives, e.g. one-way functions. More specifically, we show that there is no secure traitor tracing scheme in the random oracle  where k is the length of user key, c is model, such that k · 2c < Ω(n), the length of ciphertext and n is the number of users, under the assumption that the scheme does not access the oracle to generate private user keys. To our best knowledge, all the existing cryptographic schemes (not limited to traitor tracing systems) via black-box constructions from oneway functions satisfy this assumption. Thus, our negative results indicate that most of the standard black-box reductions in cryptography cannot help construct a more efficient traitor tracing system. We prove our results by extending the connection between traitor tracing systems and differentially private database sanitizers to the setting with random oracle access. After that, we prove the lower bound for traitor tracing schemes by constructing a differentially private sanitizer that only queries the random oracle polynomially many times. In order to reduce the query complexity of the sanitizer, we prove a large deviation bound for decision forests, which might be of independent interest.

1

Introduction

Traitor tracing systems, introduced by Chor et al. [11], are broadcast encryption schemes that are capable of tracing malicious “traitor” coalitions aiming at building pirate decryption devices. Such schemes are widely applicable to the distribution of digital commercial content (e.g. Pay-TV, news websites subscription, online stock quotes broadcast) for fighting against copyright infringement. In particular, consider a scenario where a distributor would like to send digital contents to n authorized users via a broadcast channel while users possess different secret keys that allow them to decrypt the broadcasts in a non-ambiguous J. Zhang—Research supported by NSF CAREER award 1350481. c International Association for Cryptologic Research 2017  Y. Kalai and L. Reyzin (Eds.): TCC 2017, Part I, LNCS 10677, pp. 3–30, 2017. https://doi.org/10.1007/978-3-319-70500-2_1

4

B. Tang and J. Zhang

fashion. Clearly, a pirate decoder, built upon a set of leaked secret keys, could also extract the cleartext content illegally. To discourage such piracy in a traitor tracing system, once a pirate decoder is found, the distributor can run a tracing algorithm to recover the identity of at least one user that collaborated in the pirate construction. As a cryptographic primitive, traitor tracing

Recommend Documents

Strong Hardness of Privacy from Weak Traitor Tracing

138 1 1MB

Automatic Verification of Regular Constructions in Dynamic Geometry Systems

158 84 407KB

Barriers to Change

209 62 6MB

Barriers to Organizational Learning

219 6 1MB

ISE Constructions

183 6 2MB

Tracing

186 26 47MB

Deep Graph Matching via Blackbox Differentiation of Combinatorial Solvers

149 73 150MB

Constructions of Strict Lyapunov Functions

174 44 3MB

Barriers to Managing for Change

122 53 7MB

Barriers to Adaptation of Climate-Smart Agriculture

206 23 6MB

Constructions of Limit State Functions

156 4 4MB

Modeling Pavement Constructions

151 37 10MB