A note on the security of KHL scheme

Jian Weng, Yunlei Zhao, Robert H. Deng, Shengli Liu, Yanjiang Yang, Kouichi Sakurai

Research output: Contribution to journal (Article)

1 Citation (Scopus)

Abstract

A public key trace and revoke scheme combines the functionality of broadcast encryption with the capability of traitor tracing. At Asiacrypt 2003, Kim, Hwang and Lee proposed a public key trace and revoke scheme (referred to as the KHL scheme) and gave a security proof that their scheme is z-resilient against adaptive chosen-ciphertext attacks, in which the adversary is allowed to adaptively issue decryption queries as well as adaptively corrupt up to z users. Over the past ten years, the KHL scheme has been regarded as one of the most efficient public key trace and revoke schemes with z-resilience against adaptive chosen-ciphertext attacks under the well-studied DDH assumption. However, in this paper, by giving a concrete attack, we show that the KHL scheme is actually not secure against adaptive chosen-ciphertext attacks, even without corruption of any user. We then identify the flaws in the security proof for the KHL scheme and discuss the consequences of the attack.

Original language: English
Pages (from-to): 1-6
Number of pages: 6
Journal: Theoretical Computer Science
Volume: 602
DOI: 10.1016/j.tcs.2015.07.051
Publication status: Published - Oct 18 2015

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science (all)

Cite this

A note on the security of KHL scheme. / Weng, Jian; Zhao, Yunlei; Deng, Robert H.; Liu, Shengli; Yang, Yanjiang; Sakurai, Kouichi.

In: Theoretical Computer Science, Vol. 602, 18.10.2015, p. 1-6.

@article{4dcc4aa7a74c446182fcb5f0c794f00c,
title = "A note on the security of KHL scheme",
author = "Jian Weng and Yunlei Zhao and Deng, {Robert H.} and Shengli Liu and Yanjiang Yang and Kouichi Sakurai",
year = "2015",
month = "10",
day = "18",
doi = "10.1016/j.tcs.2015.07.051",
language = "English",
volume = "602",
pages = "1--6",
journal = "Theoretical Computer Science",
issn = "0304-3975",
publisher = "Elsevier",

}

TY - JOUR

T1 - A note on the security of KHL scheme

AU - Weng, Jian

AU - Zhao, Yunlei

AU - Deng, Robert H.

AU - Liu, Shengli

AU - Yang, Yanjiang

AU - Sakurai, Kouichi

PY - 2015/10/18

Y1 - 2015/10/18

UR - http://www.scopus.com/inward/record.url?scp=84942196413&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84942196413&partnerID=8YFLogxK

U2 - 10.1016/j.tcs.2015.07.051

DO - 10.1016/j.tcs.2015.07.051

M3 - Article

AN - SCOPUS:84942196413

VL - 602

SP - 1

EP - 6

JO - Theoretical Computer Science

JF - Theoretical Computer Science

SN - 0304-3975

ER -