Tracing Insider Attacks in the Context of Predicate Encryption Schemes

In a predicate encryption scheme an authority generates master public and secret keys, and uses the master secret key to derive personal secret keys for authorized users. Each user’s personal secret key SKf corresponds to a predicate f defining the access rights of that user, and each ciphertext is associated (by the sender) with an attribute. The security provided is that a ciphertext associated with attribute I can be decrypted only using a personal secret key SKf for which f(I) = 1, i.e., for which the given access rights f allow decryption of ciphertexts having attribute I . Predicate encryption generalizes identity-based encryption, broadcast encryption, attribute-based encryption, and more, and has been suggested as a mechanism for implementing secure information flow and distributed access control in scenarios involving multiple security domains. In this work, we introduce and study the notion of traceability for predicate encryption schemes, thus generalizing the analogous notion that has been defined in the specific context of broadcast encryption. Traceability allows a group manager to apprehend malicious insiders who leak their personal secret keys to an adversary, or to determine which authorized users’ keys have been compromised. In addition to defining the notion, we show how to add traceability to the most expressive predicate encryption scheme currently known.