TY - JOUR
T1 - A note on the security of KHL scheme
AU - Weng, Jian
AU - Zhao, Yunlei
AU - Deng, Robert H.
AU - Liu, Shengli
AU - Yang, Yanjiang
AU - Sakurai, Kouichi
N1 - Funding Information:
This work was supported by National Science Foundation of China (Grant Nos. 61272413, 61133014, 61472165 and 61272415), Fok Ying Tong Education Foundation (Grant No. 131066), Program for New Century Excellent Talents in University (Grant No. NCET-12-0680), Research Fund for the Doctoral Program of Higher Education of China (Grant No. 20134401110011), Foundation for Distinguished Young Talents in Higher Education of Guangdong (Grant No. 2012LYM 0027), the Fundamental Research Funds for the Central Universities (Grant No. 11613106) and SERC, A*STAR (Grant No. 102 101 0027 in Singapore). This work is also supported by China Scholarship Council and the Invitation Programs for Foreign-based Researchers provided by NICT (Grant No. 2014-001).
Publisher Copyright:
© 2015 Elsevier B.V.
PY - 2015/10/18
Y1 - 2015/10/18
N2 - A public key trace and revoke scheme combines the functionality of broadcast encryption with the capability of traitor tracing. At Asiacrypt 2003, Kim, Hwang and Lee proposed a public key trace and revoke scheme (referred to as the KHL scheme), and gave a security proof to support the claim that their scheme is z-resilient against adaptive chosen-ciphertext attacks, in which the adversary is allowed to adaptively issue decryption queries as well as adaptively corrupt up to z users. Over the past ten years, the KHL scheme has been believed to be one of the most efficient public key trace and revoke schemes with z-resilience against adaptive chosen-ciphertext attacks under the well-studied DDH assumption. However, in this paper, by giving a concrete attack, we show that the KHL scheme is actually not secure against adaptive chosen-ciphertext attacks, even without corruption of any user. We then identify the flaws in the security proof for the KHL scheme, and discuss the consequences of the attack.
AB - A public key trace and revoke scheme combines the functionality of broadcast encryption with the capability of traitor tracing. At Asiacrypt 2003, Kim, Hwang and Lee proposed a public key trace and revoke scheme (referred to as the KHL scheme), and gave a security proof to support the claim that their scheme is z-resilient against adaptive chosen-ciphertext attacks, in which the adversary is allowed to adaptively issue decryption queries as well as adaptively corrupt up to z users. Over the past ten years, the KHL scheme has been believed to be one of the most efficient public key trace and revoke schemes with z-resilience against adaptive chosen-ciphertext attacks under the well-studied DDH assumption. However, in this paper, by giving a concrete attack, we show that the KHL scheme is actually not secure against adaptive chosen-ciphertext attacks, even without corruption of any user. We then identify the flaws in the security proof for the KHL scheme, and discuss the consequences of the attack.
UR - http://www.scopus.com/inward/record.url?scp=84942196413&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84942196413&partnerID=8YFLogxK
U2 - 10.1016/j.tcs.2015.07.051
DO - 10.1016/j.tcs.2015.07.051
M3 - Article
AN - SCOPUS:84942196413
SN - 0304-3975
VL - 602
SP - 1
EP - 6
JO - Theoretical Computer Science
JF - Theoretical Computer Science
ER -