Finding Key Leakage in Hierarchical Distribution of ... - IEEE Xplore

2013 5th International Conference on Intelligent Networking and Collaborative Systems

FINDING KEY LEAKAGE IN HIERARCHICAL DISTRIBUTION OF ENCRYPTED DATA Hua Deng∗† , Bo Qin‡ , Ruiying Du∗ , Huaguo Zhang∗, Lina Wang∗ , Jianwei Liu§ , Jian Mao§ ∗ School of Computer, Wuhan University, Wuhan, China Email: [email protected]; [email protected]; {huanguozhang,lnawang}@163.com † The State Key Laboratory of Integrated Services Networks, Xidian University, Xian, China ‡ School of Information, Remin University of China, Beijing, China Email: [email protected] § School of Electronic and Information Engineering, Beihang University, Beijing, China Email: {liujianwei,maojian}@buaa.edu.cn

Hierarchical Identity-Based Encryption (HIBE), where users are organized in a hierarchical system and the users at higher levels can replace PKG to generate keys for the users at lower levels. Since many receivers can decrypt the same encrypted message in broadcast encryption or IBBE, it is possible that some receiver may collude to leak their keys for some benefits. Consider in the DVD case, some users able to decrypt an encrypted DVD content may collude to create a pirate decoder and sell it for economic benefits and at the same time concealing their identifications. One of the countermeasures against this illegal behavior is to find out these colluders. Traitor Tracing is a means to help content distributors identify the illegal users who violate copyright restrictions. In 2008, Boneh and Naor proposed a traitor tracing scheme with constant-size ciphertext by applying fingerprint codes. Trados proposed the well-celebrated fingerprint codes in [14]. The codes for n users that are εsecure against t traitors have length O(t2 log(n/ε)), where ε denotes the probability that one innocent has been accused. Similar with the concept that develops IBE to HIBE, we want to alleviate the key generation burden of PKG in the IBBE case. That is, we can arrange all users in distinct groups and organize these groups in a hierarchical way. Users in higher level groups can replace PKG to delegate keys for the users in lower level groups. We note that this will greatly liberate the PKG from heavy key generation burden, but like the key leakage problem in broadcast encryption, it is a risk that some users may collude by using their keys to create a pirate decoder illegal decrypting the encrypted message. Motivated by these applications, we in this paper propose a key leakage discovering scheme which can protect data security and find the illegally users who leaked their keys. More precisely, each group has an identity vector denoting the path from the group at the first level to itself. Messages are encrypted with an identity vector and the encrypted messages can be decrypted by the users belonging to the groups

Abstract—In distribution of data encrypted to multiple users, there is a problem that the system will become low efficient if a single key center has to generate keys for a large number of users. Besides, it is a risk that some users could deliberately disclose their keys for some benefits. We in this paper give a key leakage discovering scheme where users are partitioned into groups and groups are hierarchically organized. In our scheme, users in upper-level groups can delegate keys for users in lowerlevel groups, which alleviates the key generation burden of the trusted third party. As an interesting feature, our scheme provide a key leakage discovering measure that if some users in groups leaked their decryption keys then at least one of them can be found out. This enables the data owners to accuse the illegal users when they infringed the copyright. At last, we analyze the performance of our system. Keywords-Key leakage, data security, hierarchical groups.

I. I NTRODUCTION In secure multi-user decoding setting (quite relevant in the distribution of priced multimedia, e.g., DVD, VCD, etc.), data should be encrypted to prevent any unauthorized accesses. When a new user subscribes the services, the system administrator generates a useful key for this user after he passed the authorization. In this system, the data are from one encryptor to many decryptors, meaning that one is able to share its data with others without encrypting its data for multiple times. In 2001, Boneh and Franklin [4] proposed the first Identity-Based Encryption (IBE) in which public keys can be arbitrary strings such as email addresses and telephone numbers and private keys are generated by a private key generator (PKG). Although IBE only allows a point-topoint communication, Identity-Based Broadcast Encryption (IBBE) [11] enables one to encrypt messages with its identity (arbitrary string) for one time and broadcast the encrypted content. The forms of public keys are very flexible in both IBE and IBBE. However, the generation of private keys cloud be a heavy burden if there are a huge number of users. To relieve the burden of PKG, Gentry and Silverberg [12] constructed a 978-0-7695-4988-0/13 $26.00 © 2013 IEEE DOI 10.1109/INCoS.2013.149

780

B. Complexity Assumptions

whose identity vectors are included in the encryption identity vector. If the content distributor finds a pirate decoder that can decrypt an encryption under a group identity vector, then he can trace at least one of the illegal users who involved in creating the pirate decoder and then accuse them. The rest of this paper is organized as follows: in Section 2, we introduce some preliminaries about mathematical backgrounds and security definitions. In Section 3, we present the proposed scheme and introduce security intuition. We analyze the computation complexity of the proposed scheme in Section 4 and conclude this paper in Section 5.

The security of our schemes rely on the following three static assumptions introduced by Lewko, et al [15]. $

Assumption 1: Let G = (N, G, GT , e) ← G(1λ ) where N = p1 p2 p3 and pi for i = 1, 2, 3 is a large prime. Define a distribution: $ $ g ← Gp1 ; X3 ← Gp3 ; D = (G, g, X3 ); $

$

T1 ← Gp1 p2 ; T2 ← Gp1 .

II. P RELIMINARIES

The advantage of an algorithm A in breaking Assumption 1 is defined as

In this section, we review the composite order bilinear groups and introduce the complexity assumptions that the security of our scheme relies on.

Adv1A (λ) = |Pr[A(D, T1 ) = 1] − Pr[A(D, T2 ) = 1]|. Assumption 1 holds if for any polynomial-time algorithm A, Adv1A (λ) is negligible in λ.

A. Bilinear Map Consider that there are two cyclic groups G and GT of the same order N = p1 p2 p3 , where p1 , p2 , p3 are three distinct prime. Assume there is an efficiently computable map e : G × G → GT such that:

$

Assumption 2: Let G = (N, G, GT , e) ← G(1λ ) where N = p1 p2 p3 and pi for i = 1, 2, 3 is a large prime. Define a distribution:

1) Bilinearity: for all a, b ∈ ZN and g, g  ∈ G, we have   e g a , g b = e(g, g  )ab ,

$

$

$

g, X1 ← Gp1 ; X2 , Y2 ← Gp2 ; X3 , Y3 ← Gp3 ; D = (G, g, X1 X2 , X3 , Y2 Y3 );

2) Non-degeneracy: ∃g ∈ G such that e(g, g) has order N in GT .

$

$

T1 ← G; T2 ← Gp1 p3 .

We define a generator G, an algorithm that takes the security parameter λ and outputs a description of a bilinear group G, such that G outputs (N, G, GT , e). We use Gp1 , Gp2 , Gp3 to denote the respective subgroups of order p1 , p2 and p3 of G. Our construction and security proofs exploit the orthogonality between any two subgroups. That is, for all gi ∈ Gpi , gj ∈ Gpj , it holds that

The advantage of an algorithm A in breaking Assumption 2 is defined as: Adv2A (λ) = |Pr[A(D, T1 ) = 1] − Pr[A(D, T2 ) = 1]| . Assumption 2 holds if for any polynomial-time algorithm A, Adv2A (λ) is negligible in λ. $

e(gi , gj ) = 1

Assumption 3: Let G = (N, G, GT , e) ← G(1λ ) where N = p1 p2 p3 and pi for i = 1, 2, 3 is a large prime. Define a distribution:

where i = j ∈ {1, 2, 3}. To see why, let us assume h1 ∈ Gp1 , h2 ∈ Gp2

α, s ← ZN ; g ← Gp1 ; X2 , Y2 , V2 ← Gp2 ; X3 ← Gp3 ;

and g is an generator of G. Then g p1 p2 generates Gp3 , g p1 p3 generates Gp2 , and g p2 p3 generates Gp1 . Thus, for some x1 , x2 , we can rewrite h1 , h2 as

D = (G, g, g α X2 , X3 , g s Y2 , V2 );

$

$

$

The advantage of an algorithm A in breaking Assumption 3 is defined as

Then we have that

Adv3A (λ) = |Pr[A(D, T1 ) = 1] − Pr[A(D, T2 ) = 1]|.

e(h1 , h2 ) = e (g p2 p3 x1 , g p1 p3 x2 ) p1 p2 p3

$

T1 = e(g, g)αs ; T2 ← GT .

h1 = (g p2 p3 )x1 , h2 = (g p1 p3 )x2 .

= e (g x1 , g p3 x2 )

$

Assumption 3 holds if for any polynomial-time algorithm A, Adv3A (λ) is negligible in λ.

= 1.

781

III. A K EY L EAKAGE D ISCOVERING S CHEME A. Basic Ideas and Notations

and

In our scheme, all users are partitioned into groups and all groups are hierarchically organized. Each group has an unique identity vector which denotes the path from the top node to itself. A trust private key generator(PKG) is employed to generate secret keys for users of groups. In order to move key leakage discovering functionality into encryption to hierarchical groups, we utilize HIBE primitive and Trados’ fingerprint codes [14]. The HIBE primitive fulfills encryption and key delegation parts and fingerprint codes help us to find the users who exposed their decryption keys. In this system, we focus on the binary codes, namely codes defined over {0, 1}. Suppose the maximum depth of the system is L. A group Ik at level k ∈ [1, L] has its identity vector as

The master public key is   L M P K = g, X3 , e(g, g)α , {hi }L i=1 , {ui,0 , ..., ui,l }i=1 .

g, h1 , ..., hL , {ui,0 , ..., ui,l }1iL ∈ Gp1 .

The master secret key is M SK = (α, {πk }).  k , ik ) wants to join User Grant: When a new user (ID the system and pass the identity authentication, PKG picks an unused codeword, denoted by ω π(ik ) , and then calls the KeyGen algorithm to generate a private key for this user.  SKID  k ,ik ← KeyGen(M SK, (ID k , ik )): The key generation first finds the masked codes ω (π(i1 )) , ..., ω (π(ik−1 ))

 k = (I1 , ..., Ik ). ID

 k , ik )’s ancestors. Then it randomly chooses of (ID

The number of users in a group is assumed to be n. The  k , ik ), where 1  ik -th user of group Ik is identified by (ID ik  n. This user also has a fingerprint codeword ω (ik ) . Due to key delegation, a user at some level needs to know the fingerprint codewords of its ancestors and children, but one’s code is private and should be kept secret. In order to conceal users’ codewords, we introduce a randomly chosen permutation on {1, ..., n} for each group, denoted by

r ∈ ZN ; R0 , R1 , Rk+1 , ..., RL ∈ Gp3 and for all z = 1, ..., k picks random elements tz ∈ ZN ; Vz ∈ Gp3 . Let

(π(iz ))

Jz = {j : 1  j  l, s.t. ωj

$

Finally, it computes:

πk ← P erm(n). Then the code of the ik -th user in group Ik is masked to be ω

(πk (ik ))

=

(π (i )) ω1 k k

= 1}.

K0 = g α (hI11 · · · hIkk )r

(π (i )) · · · ωl k k .

r

K1 = g R1 , Kk+1 =

To simplify notation, we just use ω (π(ik )) to denote this masking code.

k 

(uz,0

z=1

hrk+1 Rk+1 ,



uz,j )tz R0 ,

∀j∈Jz

..., KL = hrL RL ,

D1 = g t1 V1 , ..., Dk = g tk Vk .

B. The proposed scheme

It outputs

A key leakage discovering scheme mainly consists of the following five operations.

SKID  k ,ik = (K0 , K1 , Kk+1 , ..., KL , D1 , ..., Dk ).

System Setup. When the system is setup, a PKG is called to run the Setup algorithm to create system master public parameters (M P K) and master secret key (M SK) as well as a set of codewords for each group. M P K is public to other parties and M SK must be kept secretly.

 k , ik ) in group Ik can delegate Key Delegation: A user (ID  a key for a user (IDk+1 , ik+1 ) in group Ik+1 , where

(M P K, M SK) ← Setup: The setup algorithm first runs the generation algorithm of fingerprint codes to form a set of codewords. Let l be the length of the codeword. It chooses a secret random permutation for each group and then generates the masked codes. Let W denote the set of all masked codes. The setup algorithm then runs G(λ) to generate bilinear map

SKID  k+1 ,ik+1 ← Delegate(Ik+1 , ik+1 , SKID  k ,ik , M P K): The delegation algorithm inquires W to find the masked codes ω (π(i1 )) , ..., ω (π(ik ))

 k+1 = (ID  k , Ik+1 ). ID

 k+1 , ik+1 )’s ancestors and the masked code of (ID  k+1 , ik+1 ). It randomly chooses ω (π(ik+1 )) of (ID

e : G × G → GT

r , t1 , ..., tk+1 ∈ ZN

of order N = p1 p2 p3 . It randomly chooses

and

X3 ∈ Gp3 , α ∈ ZN

782

   , ..., RL , V1 , ...Vk+1 ∈ Gp3 . R0 , R1 , Rk+2

the decryption algorithm first computes: ⎛ ⎞s   C3,z,j = ⎝uz,0 uz,j ⎠ C3,z = C3,z,0

By using SKID  k ,ik = (K0 , K1 , Kk+1 , ..., KL , D1 , ..., Dk ), it computes: ⎛

∀j∈Jz

⎞tz

for all z = 1, ..., k. Then it computes:

 r k+1   Ik+1 ⎝uz,0 K0 = K0 Kk+1 hI11 · · · hk+1 uz,j ⎠ R0 , z=1

j∈Jz

A=



K1 = K1 g r R1 , 



k  e(Dz , C3,z ) e(K0 , C1 ) z=1

and



   = Kk+2 hrk+2 Rk+2 , ..., KL = KL hrL RL , Kk+2 

∀j∈Jz

B = e(K1 , C2 )A.



  D1 = D1 g t1 V1 , ..., Dk = Dk g tk Vk , Dk+1 = g tk+1 Vk+1 .

Finally, it recovers M = C0 B.

It outputs         SKID  k+1 ,ik+1 = K0 , K1 , Kk+2 , ..., KL , D1 , ..., Dk+1 .

•

Data Encryption: When a user wants to share his data with other users in groups I1 , ..., Ik , he first chooses random symmetric data encryption key

 k is a prefix of ID  k , the decryption algorithm can If ID also output M by delegating the secret key SKID  k ,ik for the identity vector  k = (I1 , ..., Ik , ..., Ik ). ID

•

$

DEK ← GT and then encrypt the data files with DEK by the Encrypt algorithm.

If k  > k, the decryption algorithm outputs a false symbol ⊥ because it cannot delegate secret key SKID  k ,ik .

Key Leakage Discovering: When a user finds that there exits a pirate decoder PD which can decrypt his data  k , he can call the Trace algorithm to try encrypted with ID to find out the user who colluded to create PD.

 k , M, M P K): The encryption algorithm CT ← Encrypt(ID takes as input the identity vector

 k , M SK): The trace algorithm works T ← Trace(PD, ID as follows. • From  = 1 to  = k and for each j = 1, 2, ..., l, define () experiment T Rj . It works as follows. – Chooses a random message Mj . – Encrypt Mj under the group identity vector

 k = (I1 , ..., Ik ), ID a symmetric key M and master public key M P K. It chooses random element s ∈ ZN and sets the ciphertext CT = (C0 , C1 , C2 , C3 ) as: C0 = M e(g, g)αs , C1 = g s , s  C2 = hI11 · · · hIkk , C3 = {C3,z,j }z=1,...,k;j=0,...,l ,

  = (I1 , ..., I ) ID to form a ciphertext CT = (C0 , C1 , C2 , C3 ) where

where

  , Mj , M P K). (C0 , C1 , C2 , C3 ) ← Encrypt(ID

C3,z,j = usz,j .

– Replace the C3,,j components with a random group element from Gp1 to form a altered ciphertext CT ∗ . – Query the pirate decoder PD on the altered ciphertext. Let the output of PD be Mj , define the bit ωj∗ as  0 if Mj = Mj , ωj∗ = 1 otherwise.

Data Decryption: When a user attempts to decrypt a encrypted data file, he first runs the Decrypt algorithm to recover the symmetric key and then uses this key to recover the data file.   M ← Decrypt CT, SKID   ,i  , M P K : The decryption k k algorithm takes as input ciphertext  k , M, M P K), CT = (C0 , C1 , C2 , C3 ) ← Encrypt(ID  a secret key SKID   ,i  of user (ID k , ik ) and master k k public key M P K.  k = ID  k , according to • If ID

Output the codeword ω ∗ = ω1∗ ω2∗ · · · ωl∗ . – Run the tracing algorithm of fingerprint codes on input ω ∗ and M SK to output a set S  .

ω (π(i1 )) , ..., ω (π(ik )) ,

783

  , i )}, the tracing algorithm ∗ If S   {(ID stops and outputs

belonging to a group in the collusion have a 1 at position j, the pirate decoder can not recover the message because it inevitably needs to use the tampered C3,z,j which will hinder decrypiton. Apart from these two situations, that is, all the codewords belonging to one group have 1 or 0 at position j, the perfect pirate decoder can always recover message because it can avoid using the tampered C3,z,j .

T() = π−1 (S  ) as the set of traitors.   , i )}, which means ∗ If S  = ∅ or S   {(ID that it finds no traitor in the group I , it then moves to the next group I+1 and runs the (+1) . experiment T Rj

C. Security Intuition In this section, we informally security analysis. The semantic security of our system relies on the assumptions 1, 2 and 3 and the proof is similar with [15]. Because of space limitations, we here present some security intuitions and the formal security proofs will be given in the full version of the paper. Recall that a symmetric data encryption key M is encrypted in the form of

Correctness We show that our scheme is workable. Suppose that CT = (C0 , C1 , C2 , C3 )  k . The decryption algorithm taking is an encryption to ID SKID as input finds  k ,ik ω (π(i1 )) , ..., ω (π(ik ))

C0 = M e(g, g)αs .

and recovers M since A=

An adversary needs to construct e(g, g)αs to decrypt C0 . The adversary is allowed to query for keys of his choice except the keys for

k 

e(Dz , C3,z )/e(K0 , C1 ) z=1 s    k tz ∀j∈Jz uz,j z=1 e g , uz,0  =  r  tz k s u e g α hI11 · · · hIkk u , g z,0 z,j ∀j∈Jz z=1 =

 ⊆ ID  k. ID For the challenge ciphertext, the adversary can assemble the C3,z,j components to generate C3,z corresponding to his codeword. Thus, he can compute A associated with his  However, since identity vector ID.

1 r ,   I1 α e g h1 · · · hIkk , g s

 ⊆ ID  k, ID

and B = e(K1 , C2 )A   s  1   = e g r , hI11 · · · hIkk I e g α (h11 · · · hIkk )r , g s =

the component C2 will not match this computed A, which means he can not compute 1/e(g, g)αs . Hence, he is able to recover M . Our system is a t-collusion resistant system defined by [5]. The proof is similar but we handle hierarchy in our system. Followed by [5], the t-collusion resistance of our system depends on its semantic security and the collusionresistance of the underlying fingerprint codes.

1 , e(g, g)αs

it follows that M = C0 B.

IV. P ERFORMANCE A NALYSIS

We next turn to showing that our tracing algorithm works. Intuitively, in order to make the tracing algorithm of fingerprint codes work, we need to restructure ω ∗ to fall within the feasible set of the codewords corresponding to the collusion. Thus, we have to find all the positions where all the codewords of a group in the collusion are the same (1 or 0). In our system, we run the tracing algorithm from the top group to the last group one by one, respectively  k . If it finds no traitor corresponding to I1 , ..., Ik in ID in one group, it moves to the next group at the lower level. In some group, if all the codewords belonging to this group in the collusion have a 0 at position j, then the ciphertext component C3,z,j that is being tampered dose not affect recovering message since this component will not be used in decryption. On the contrary, if all the codewords

In this section, we analyze theoretic computation complexity of the proposed scheme in each operation. System Setup: In this paper, we only use the fingerprint codes as a black-box, so here we do not evaluate the computation complexity of its algorithms. In the Setup algorithm, the computation cost for generating M P K involves one bilinear pairing computation and picking l·L+L+1 random group elements in Gp1 , thus the computation complexity of this operation is O(l · L). User Grant: In the KeyGen algorithm, to generate a key  k , ik ), it needs to compute K0 according to the for user (ID codewords of the user’s ancestors and generate L + 1 group elements. The computation complexity of this operation is O(k · l), where k is the depth of the user.

784

Key Delegation: When a user at level k calls the Delegate algorithm to delegate key for a user at level k + 1, it has to generate a new key and re-randomize it by its own key which generated by the KeyGen algorithm. Thus the operations of the Delegate algorithm are similar with the operations of the KeyGen algorithm and the computation complexity of this operation is O((k + 1) · l). Data Encryption: The computation complexity of encrypting data files with DEK depends on the size of the data files and the underlying symmetric key encryption algo k , M, M P K) includes rithm. The operations of Encrypt(ID k · L group exponentiation operation and the computation complexity is O(k · l). Data Decryption: This operation is dominated by the computation cost for running Decrypt algorithm, which depends on the codewords of the decryptor’s ancestors and the depth of it. Thus, the complexity computation of this operation is O(k · l). Key Leakage Discovering: For each level, Trace makes a total of O(l) queries on PD. At the worst case, it finds colluders until moving to the group at deepest level. The computation complexity of this operation is at most O(k · l).

[4] D. Boneh, M. Franklin, “Identity-based Encryption from the Weil Pairing”, in Proc. 21st Annual International Cryptology Conference (CRYPTO’01) , pp. 213-229, 2001. [5] D. Boneh, M. Naor, “Traitor Tracing with Constant Size Ciphertext”, in Proc. ACM Conf. Computer and Communications Security (CCS), Alexandria, Virginia, USA, 2008. [6] D. Boneh, J. Shaw, “Collusion-Secure Fingerprinting for Digital Data”, IEEE Transactions on Information Theory 44(5), pp. 1897 -1905 (1998) [7] D. Boneh, A. Sahai, B. Waters, “Fully Collusion Resistant Traitor Tracingwith Short Ciphertexts and Private Keys”, in Proc. EUROCRYPT 2006, LNCS, vol. 4004, pp. 573-592. Springer, Heidelberg (2006) [8] D. Boneh, B. Waters, “A Fully Collusion Resistant Broadcast, Trace, andRevoke System”, in Proc. ACM Conf. Computer and Communications Security (CCS), pp. 211-220. ACM Press (2006) [9] O. Billet, D.H. Phan, “Efficient Traitor Tracing from Collusion SecureCodes”, in Proc. ICITS 2008, LNCS, vol. 5155, pp. 171182. Springer, Heidelberg(1999) [10] B. Chor, A. Fiat, M. Naor, “Tracing Traitors”, in Proc. CRYPTO 1994, LNCS, vol. 839, pp. 257-270. Springer, Heidelberg (1994)

V. C ONCLUSION In this paper, we proposed a key leakage discovering scheme which incorporates HIBE primitive and fingerprint codes. This scheme provides an encryption mechanism aiming at sharing data among hierarchical groups, which can reduce the key generation burden of PKG. Moreover, this scheme offers a measure to find out the illegal users who leaked their keys. We analyzed the security of the proposed scheme and conducted the performance analysis of it at last.

[11] C. Delerabl´ ee, “Identity-Based Broadcast Encryption with Constant Size Ciphertexts and Private Keys”, in Proc. 13th International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT’07), pp.200-215, 2007. [12] C. Gentry, A. Silverberg, “Hierarchical ID-based Cryptography”, in Proc. 8th International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT’02), pp. 548-566, 2002.

ACKNOWLEDGMENT This paper is partially supported by the Natural Science Foundation through projects 61173154, 61003214, 61272501 and 61202465, by the National Key Basic Research Program (973 program) through project 2012CB315905, by the Beijing Natural Science Foundation through project 4132056, and by the Fundamental Research Funds for the Central Universities through project 2012211020212.

[13] J.H. Seo, J.H. Cheon, “Fully Secure Anonymous Hierarchical Identity-Based Encryption with Constant Size Ciphertexts”, IACR ePrint Archive, Report 2011/021 (2009), http://eprint.iacr.org/2011/021.pdf. [14] G. Trados, “Optimal Probabilistic Fingerprint Codes”, in Proc. 35th Ann. ACM Symposium on Theory of Computing (STOC), pp.116-125, 2003. [15] A. Lewko, B. Waters, “New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts”, in in Proc. 7th Theory of Cryptography Conference(TCC’10), pp. 62-91.2010.

R EFERENCES [1] M. Abdalla, D. Catalano, A.W. Dent, J. Malone-Lee, J. Neven, N.P. Smart, “Identity-BasedEncryption Gone Wild”. in ICALP 2006, LNCS, vol. 4052, pp. 300-311. Springer, Heidelberg(2006)

[16] A. Lewko, B. Waters, “Unbounded HIBE and Attribute-Based Encryption”, in Proc. 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’11), pp. 547-567, 2011.

[2] M. Abdalla, A.W. Dent, J. Malone-Lee, J. Neven, D.H. Phan, N.P. Smart, “Identity-Based Traitor Tracing”, in PKC 2007, LNCS, vol. 4450, pp. 361-376. Springer, Heidelberg(2007)

[17] B. Waters, “Dual System Encryptiom: Realizing Fully Secure IBE and HIBE under Simple Assumptions”, in Proc. 29th Ann. International Cryptology Conf. Advances in Cryptology (CRYPTO’09), pp.619-636, 2009.

[3] D. Boneh, M. Franklin, “An Efficient Public Key Traitor Tracing Scheme”, in CRYPTO’99. LNCS, vol. 1666, pp. 338353. Springer, Heidelberg(1999)

785