基于完全式公钥的叛徒追踪方案的密码分析

由于广播加密容易受到串谋攻击，叛徒追踪方案已成为版权保护的一个重要工具。利用中国剩余定理让用户自己生成私钥，Lyuu和Wu提出了面向无状态接收者的E1Gamal类广播加密算法及黑盒可追踪方案。本文首先从群编码和参数配置的角度考察对该方案的几种安全威胁。接着，利用解密预言机发起一种适应性选择密文攻击。最后，针对其密钥管理与追踪算法的特点提出一种串谋攻击方法，使其不能追踪出所有的叛徒和真正的盗版者，表明在实际应用中完全式公钥方法存在冤枉无辜用户的安全风险。

Cryptanalysis of Traitor-tracing Schemes Based on Fully Public Keys

As broadcast encryption is prone to collusion attacks,traitor-tracing schemes have become an important tool for copyright protection.Using the Chinese remainder theorem Lyuu and Wu proposed an EIGamal-type broadcast en- cryption algorithm and a black-box traceable scheme for stateless receivers,each of which generates its own private key.We first investigate several security threats to the scheme from the perspectives of group encoding and parameter configuration.Then an adaptive chosen-ciphertext attack is launched via a decryption oracle.Finally,in accordance with the characteristics of the key management and tracing algorithm a method of collusion attack is presented so that the scheme can trace down neither all traitors nor the factual pirate,indicating that there exists the security risk of wrongly accusing innocent users when applying the approach of fully public keys in the real world.