Pirate decoder for the broadcast encryption schemes from Crypto 2005

In Crypto'05, Boneh et al. presented two broadcast encryption schemes. Their work has exciting achievements: the header (also called ciphertexts) and the private keys are of constant size. In their paper, they give an open question to construct a traitor tracing algorithm for their broadcast encryption schemes, and combine the two systems to obtain an efficient trace-and-revoke system. In this paper, we give a negative answer to their open question. More precisely, we show that three or more insider users are able to collude to forge a valid private key for pirate decoding against their schemes. Moreover, we prove that there exists no traitor tracing algorithm to identify the colluders. Our pirate decoding can also similarly be applied to Lee et al.'s broadcast encryption schemes in ISPEC'06.

Pirate decoder for the broadcast encryption schemes from Crypto 2005

In Crypto’05, Boneh et al. presented two broadcast encryption schemes. Their work has exciting achievements: the header (also called ciphertexts) and the private keys are of constant size. In their paper, they give an open question to construct a traitor tracing algorithm for their broadcast encryption schemes, and combine the two systems to obtain an efficient trace-and-revoke system. In this paper, we give a negative answer to their open question. More precisely, we show that three or more insider users are able to collude to forge a valid private key for pirate decoding against their schemes. Moreover, we prove that there exists no traitor tracing algorithm to identify the colluders. Our pirate decoding can also similarly be applied to Lee et al.’s broadcast encryption schemes in ISPEC’06. Supported by the National Natural Science Foundation of China (Grant Nos. 60303026, 60573030, and 60673077)