Traceable and Revocable Broadcast Encryption Scheme for Preventing Malicious Encryptors
Abstract
1. Introduction
1.1. Contributions
- (1)
- BATR ensures resistance against malicious encryptors attacks and supports personalized message transmission, while user keys are jointly generated by users and a trusted authority, thereby avoiding key escrow issues and certificate management problems. Additionally, users communicate using pseudonyms to ensure that their real identities are not accessible to third parties, meeting the requirements for privacy protection.
- (2)
- With the assistance of blockchain, the scheme supports a dual tracing mechanism. When a data breach occurs, access records stored on the blockchain can be used to identify malicious users. In cases where user private keys are compromised, the tracking algorithm can be used to interact with the pirate decoder to get the malicious user information. Without compromising the decryption functionality of other legitimate users, BATR supports the dynamic revocation of malicious users’ access rights through de-anonymization.
- (3)
- The trusted authority and users can invoke smart contract interfaces to trigger blockchain peer nodes to execute smart contracts, enabling the retrieval or updating of identity authentication information stored on the blockchain, thereby achieving secure authentication.
- (4)
- BATR has a fixed decryption cost and storage overhead. Additionally, the scheme features compact communication bandwidth and high computing efficiency.
1.2. Related Works
1.3. Organization
2. Preliminary Backgrounds
2.1. Notations
2.2. Bilinear Pairings
- 1.
- Bilinearity: , , ;
- 2.
- Non-degeneracy: is the generator of and ;
- 3.
- Computability: The function e can be evaluated efficiently.
2.3. Cryptographic Hash Function
- 1.
- Unipolarity: Given a hash value y, the probability of finding an input x such that is negligible;
- 2.
- Weak collision resistance: Given a hash value , the probability of finding an input and such that is negligible;
- 3.
- Strong collision resistance: The probability of finding two different inputs and such that is negligible.
2.4. Zero-Knowledge Protocol
2.5. Complexity Assumption
2.6. Tardos Codes
- 1.
- : Input a safety parameter and an integer , the algorithm selects an error tolerance and a maximum collusion threshold to set and the code word length . It uniformly and randomly selects from with and . A matrix is generated, where any elements and with exhibit significant positive correlations, and the elements in the matrix tend to 1 when surpasses a predefined threshold. The code book is constructed, where represents the j-th row of code matrix . The watermarking master tracing key is .
- 2.
- : Input the master tracing key and a pirated code word w of length l. Let denote the set of colluders, and represents the feasible set of S containing w. The condition satisfied by is as follows: for , it holds that , where , and and denote the i-th bit of and respectively. The algorithm retrieves from the master tracing key to generate a matrix ,where the random variables are independent with an expected value of 0 and a variance of 1, as defined in Equation (2).Additionally, the algorithm extracts Z from WatMTK and evaluates whether the score computed via Equation (2) satisfies the threshold inequality holds. If the inequality is satisfied, the code word is considered to have participated in the creation of the pirated code word . The algorithm ultimately outputs the set of colluders T.
3. System and Security Models
3.1. System Model
- 1.
- Blockchain Nodes: Within blockchain systems, peer nodes are classified into two types: endorsing nodes (ENs) and ordering nodes (ONs). Endorsing nodes are primarily responsible for maintaining a complete copy of the distributed ledger and executing smart contracts. Specifically, ENs perform the following key functions: first, ENs validate the integrity of new blocks before they are appended to the blockchain; second, ENs receive transaction proposals from users and TA, execute the corresponding smart contract interfaces, and return the authenticated proposal responses to the requesters. Ordering nodes are responsible for transaction ordering and the generation of new blocks. Their main functions include collecting all validated transactions from ENs, ordering the transactions according to a predefined consensus algorithm, and packaging the ordered transactions into new blocks. This process ensures the eventual consistency of the blockchain network, meaning that all ENs maintain synchronized and consistent copies of the blockchain.
- 2.
- Smart Contracts: The Authentication Information Ledger (AIL) is utilized to implement authentication services, storing and managing relevant data such as the pseudonyms, , , and public key expiration times of legitimate users . The smart contract system includes four core API interfaces: saveInfo, deleteInfo, updateInfo, and queryInfo. saveInfo is exclusively accessible to TA and is used to write new identity authentication information into the AIL; deleteInfo is invoked by TA when a user is detected as disconnected or identified as a malicious node, removing the corresponding record from the AIL; updateInfo is called by TA to update public information such as user public keys, with all pseudonyms requiring periodic updates to ensure the timeliness of key information; queryInfo is open to all users, supporting queries for other users’ public keys and pseudonyms. Among these, saveInfo, deleteInfo, and updateInfo are only accessible to TA, and any invocation requests from ordinary users are automatically rejected by the smart contract. The execution of these APIs triggers state changes in the AIL, and the results are broadcast to all valid users through an event mechanism, ensuring global consistency of the system state. As a query interface, queryInfo returns results only to the requester, implementing fine-grained access control. In BATR, blockchain is not used merely as a generic storage platform. It serves as the infrastructure for maintaining the Authentication Information Ledger (AIL), which stores pseudonyms, public keys, registration information, key-update events, and revocation records. This design is necessary in our threat model. If such records were maintained by a traditional centralized database or cloud server, the system would have to rely on a fully trusted administrator, and a compromised or colluding server could secretly modify, delete, or selectively hide critical records. By contrast, blockchain provides decentralization, tamper resistance, traceability, and consensus-based consistency, thereby ensuring that authentication-related records remain auditable, verifiable, and non-forgeable.
- 3.
- Trusted Authority (TA): Responsible for system setup, generating system public parameters, and completing user registration. Upon successful registration, TA invokes the corresponding smart contract APIs to upload user information to the AIL. When a user is disconnected or detected for malicious behavior, TA calls the API to remove the corresponding record.
- 4.
- Authorized Users: After the user sends a registration request to TA, TA generates a pseudonym, public key, and partial private key. After obtaining the partial private key, the user completes subsequent private key generation process. Authorized users can decrypt broadcast ciphertexts by leveraging their assigned private keys, thereby obtaining the public broadcast message and the corresponding personalized message. This entity is untrusted and may leak the private key to attackers, who could then construct a decryption-capable pirated decoder.
- 5.
- Broadcasters: Used to generate and store broadcast ciphertexts for data owners, supporting personalized transmission. The tracing algorithm in BATR is of the public tracing type, so broadcasters can assume the role of the tracer.
- 6.
- Tracer (TT): If there is a data breach, TT can detect suspicious users by analyzing data access records within blockchain based systems, identify their pseudonyms, and send them to TA; when a pirated box is detected, TT executes the tracing algorithm to interact with the pirated decoder, trace malicious users, and submit malicious users to TA, which then revokes their decryption permissions.
3.2. Working Flow
3.3. Formal Definition
- 1.
- : TA executes this algorithm with a security parameter to generate the system master public key and the system master private key .
- 2.
- : TA inputs , and the identity information of the user , generating a public key and partial private key for . Then generates a complete and valid private key based on .
- 3.
- : The broadcaster injects , the set of authorized users and the broadcast message , generating the corresponding broadcast ciphertext
- 4.
- : User inputs the broadcast ciphertext , , and . If this user is authorized, this decryption algorithm returns the corresponding public encrypted data m and personalized key ; otherwise, it outputs ⊥.
- 5.
- : This is a public tracing algorithm. Any tracing entity equipped with the system public key and oracle access to the pirate decoder can execute the tracing procedure and output the set of malicious users involved in constructing the pirate decoder.
- 6.
- : TA executes the revocation algorithm to disable access for malicious users, and then the broadcaster completes the ciphertext update.
3.4. Security Models
- Game 1. The game involves two participants: the adversary A and the challenger C.
- Initialization Phase. The setup algorithm is executed by C to produce and , and then sends to A.
- Phase 1. A adaptively sends three types of queries to C. To process these requests, C sustains an initially empty list .
- 1.
- Public Key Query. The adversary A sends user identity information to initiate a query. If L contains the corresponding , C directly returns to A. If not, C executes the key generation algorithm to get the public–private key pair , returns to A, and then adds the record to L. We assume that for any , A must trigger a public key retrieval before initiating any other queries.
- 2.
- Private Key Query. The adversary A sends user identity information to initiate a query. C looks up the corresponding record in L and then returns to A.
- 3.
- Decryption Query. The adversary A sends ciphertext and to initiate a query. First, C looks up the corresponding record in L. Then C executes the decryption algorithm to get the decryption result and returns it to A.
- Challenge. When Phase 1 is confirmed to be complete, the adversary A submits a set and two equal-length messages to C. In Phase 1, A initiates no private key query for any user in . Then C randomly chooses and executes the encryption algorithm to get challenge ciphertext. Finally, C transmits to the adversary A.
- Phase 2. Similar to Phase 1, A initiates adaptive queries. A is forbidden to initiate private key queries or decryption queries for any user in .
- Guess. The adversary A outputs a guess for b. A wins this game if . The advantage of A in winning this security game is defined in Equation (3), where b is the hidden challenge bit chosen by the challenger and is the adversary’s output guess.
4. Proposed BATR Construction
4.1. System Setup
4.2. KeyGen
- (1)
- sends a registration request , where represents the real identity information of user .
- (2)
- Upon receiving the registration request, TA first verifies the validity of . If the identity verification fails, the request is terminated. Otherwise, randomly selects , computes , , , and sends and to TA through a Zero-Knowledge Proof process as shown in Figure 1. If the proof fails, the request is terminated.
- (3)
- Otherwise, TA computes the pseudonym and , where . TA computes the partial private key , and sets , , , , , . TA sends the obtained partial private key and public key as a response to user . Simultaneously, TA invokes saveInfo to upload ’s authentication information to AIL, which records the legitimate user’s pseudonym , , , and the public key expiration time.
- (4)
- User obtains the corresponding public key and private key .
4.3. Broadcast Encryption
- (1)
- It randomly selects , and the broadcast calculates the session key . It employs a hash function to calculate required for encryption, and computes , , and .
- (2)
- For each , the broadcast computes , and . For user , the personalized key is .
- (3)
- Finally, the broadcaster computes . The broadcast ciphertext header is , and the broadcast ciphertext is .
4.4. Broadcast Decryption
- (1)
- User computes , and . Let ; the user computes .
- (2)
- User computes , locates the corresponding in , then calculates and .
- (3)
- User computes . If holds, this algorithm returns the public message m and the personalized key for user . Otherwise, it outputs ⊥.
4.5. Public Tracing of Data Leakage and Pirate Decoders
- (1)
- Execute algorithm to get the code book and where k is the code length. Each user where corresponds to a code word , and the set of authorized users S corresponds to the code word set . Simultaneously, initialize the pirated code as .
- (2)
- For each , repeat the following steps.Step 1: Randomly select a broadcast message , execute the encryption algorithm, and generate the corresponding tracing ciphertext .Step 2: For each position , the tracer repeatedly interacts with the pirate decoder on independently generated tracing ciphertexts and estimates the success probability that the decoder outputs the correct decryption result. If the empirical estimate satisfies , the tracer sets ; otherwise, it keeps . We stress that this step is probabilistic rather than deterministic: the pirate code word is reconstructed from repeated sampling, and the final identification guarantee follows from the soundness of the Tardos-code tracing framework.
- (3)
- The tracer executes algorithm to obtain the result set . Finally, the tracing algorithm outputs the set of colluders , where the users in are the malicious users involved in constructing the pirated decoder D.
4.6. Revocation and De-Anonymization
5. Correctness and Security Analysis
5.1. Correctness of Decryption
5.2. IND-CCA Security Under the q-ABDHE Assumption
- (1)
- Public Key Query. A sends user identity information to initiate a query. B defines two -degree polynomial functions and . Then B computes the private key for user based on . Sinceis a valid private key for . The simulator B computes the public key elements ,,,,,. The public key is . Finally, B adds to L and returns to A. For all , A must initiate a public key query before initiating the following two types of queries.
- (2)
- Private Key Query. The adversary A sends to initiate a private key query. B looks up the corresponding record in L and returns the private key corresponding to .
- (3)
- Decryption Query. A sends ciphertext and to initiate a decryption query. Assume the broadcast ciphertext is , where . First, B looks up the corresponding record in L. Second, B executes the algorithm, computing , and where and . By computing , B locates the corresponding in . Then B calculates and . Finally, the algorithm computes . If holds, it outputs the public message m and the personalized key for user ; if not, it outputs ⊥. Finally, B transmits the result to A.
- -
- As a result, the challenge ciphertext generated based on Equations (6) and (7) is indistinguishable from a real ciphertext.When , and are valid values. Therefore, the broadcast ciphertext generated based on and is also valid. At this point, the success probability of A guessing b is .
- -
- If , then T is a random element in , so and are invalid values. Therefore, the broadcast ciphertext generated based on and is also invalid. At this point, the success probability of A guessing b is .Therefore, the advantage of B in solving the Decisional q-ABDHE hard problem is
6. Performance Evaluation
6.1. Functionality
6.2. Efficiency Analysis
6.2.1. Computation Cost
6.2.2. Communication Cost
6.2.3. Storage Cost
7. Conclusions
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
References
- Fiat, A.; Naor, M. Broadcast encryption. In Proceedings of the Advances in Cryptology—CRYPTO’93: 13th Annual International Cryptology Conference, Santa Barbara, CA, USA, 22–26 August 1993; Proceedings 13; Springer: Berlin/Heidelberg, Germany, 1994; pp. 480–491. [Google Scholar]
- Ohtake, G.; Hanaoka, G.; Ogawa, K. Efficient broadcast encryption with personalized messages. In Proceedings of the Provable Security: 4th International Conference, ProvSec 2010, Malacca, Malaysia, 13–15 October 2010; Proceedings 4; Springer: Berlin/Heidelberg, Germany, 2010; pp. 214–228. [Google Scholar]
- Chor, B. Tracing traitors. In Advances in Cryptology, Proceedings of the Crypto’94; Springer: Berlin/Heidelberg, Germany, 1994; pp. 480–491. [Google Scholar]
- Wang, X.A.; Pan, L.; Liu, H.; Yang, X. Traitor tracing revisited: New attackers, stronger security model and new construction. Cryptol. ePrint Arch. 2023. [Google Scholar]
- Berdik, D.; Otoum, S.; Schmidt, N.; Porter, D.; Jararweh, Y. A survey on blockchain for information systems management and security. Inf. Process. Manag. 2021, 58, 102397. [Google Scholar] [CrossRef]
- Cheng, L.; Liu, J.; Xu, G.; Zhang, Z.; Wang, H.; Dai, H.N.; Wu, Y.; Wang, W. SCTSC: A semicentralized traffic signal control mode with attribute-based blockchain in IoVs. IEEE Trans. Comput. Soc. Syst. 2019, 6, 1373–1385. [Google Scholar] [CrossRef]
- Boneh, D.; Sahai, A.; Waters, B. Fully collusion resistant traitor tracing with short ciphertexts and private keys. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques; Springer: Berlin/Heidelberg, Germany, 2006; pp. 573–592. [Google Scholar]
- Barth, A.; Boneh, D.; Waters, B. Privacy in encrypted content distribution using private broadcast encryption. In Proceedings of the International Conference on Financial Cryptography and Data Security; Springer: Berlin/Heidelberg, Germany, 2006; pp. 52–64. [Google Scholar]
- Fazio, N.; Perera, I.M. Outsider-anonymous broadcast encryption with sublinear ciphertexts. In Proceedings of the Public Key Cryptography–PKC 2012: 15th International Conference on Practice and Theory in Public Key Cryptography, Darmstadt, Germany, 21–23 May 2012; Proceedings 15; Springer: Berlin/Heidelberg, Germany, 2012; pp. 225–242. [Google Scholar]
- Lai, J.; Mu, Y.; Guo, F.; Susilo, W.; Chen, R. Anonymous identity-based broadcast encryption with revocation for file sharing. In Proceedings of the Information Security and Privacy: 21st Australasian Conference, ACISP 2016, Melbourne, VIC, Australia, 4–6 July 2016; Proceedings, Part II 21; Springer: Cham, Switzerland, 2016; pp. 223–239. [Google Scholar]
- Mandal, M.; Dutta, R. Identity-based outsider anonymous cloud data outsourcing with simultaneous individual transmission for IoT environment. J. Inf. Secur. Appl. 2021, 60, 102870. [Google Scholar] [CrossRef]
- Yao, S.; Zhang, D. BPRT: A blockchain-based privacy-preserving transaction scheme based on an efficient broadcast encryption with personalized messages. Trans. Emerg. Telecommun. Technol. 2023, 34, e4675. [Google Scholar] [CrossRef]
- Kiayias, A.; Pehlivanoglu, S. Pirate evolution: How to make the most of your traitor keys. In Proceedings of the Annual International Cryptology Conference; Springer: Berlin/Heidelberg, Germany, 2007; pp. 448–465. [Google Scholar]
- Libert, B.; Paterson, K.G.; Quaglia, E.A. Anonymous broadcast encryption: Adaptive security and efficient constructions in the standard model. In Proceedings of the Public Key Cryptography–PKC 2012: 15th International Conference on Practice and Theory in Public Key Cryptography, Darmstadt, Germany, 21–23 May 2012; Proceedings 15; Springer: Berlin/Heidelberg, Germany, 2012; pp. 206–224. [Google Scholar]
- Mandal, M.; Sarkar, R.; Hur, J.; Nuida, K. Efficient fully anonymous public-key trace and revoke with adaptive IND-cca security. In Proceedings of the Information Security Practice and Experience: 16th International Conference, ISPEC 2021, Nanjing, China, 17–19 December 2021; Proceedings 16; Springer: Cham, Switzerland, 2021; pp. 168–189. [Google Scholar]
- Liu, S.; Pan, H.; Wang, X.A.; Zhao, S.; Li, Q. A traceable and revocable broadcast encryption scheme for preventing malicious encryptors in Medical IoT. J. Syst. Archit. 2024, 149, 103100. [Google Scholar] [CrossRef]
- Liu, S.; Hu, Y.; Wang, X.A.; Liu, X.; Yin, Y.; Wang, T. Puncturable-based broadcast encryption with tracking for preventing malicious encryptors in cloud file sharing. J. Inf. Secur. Appl. 2024, 84, 103803. [Google Scholar] [CrossRef]
- Liu, Y.; Hu, Y.; Lv, X.; Zhou, S.; Li, J.; Liu, S. A blockchain and IPFS-Aided anonymous traitor tracing scheme based on puncturable encryption in Industrial Internet of Things. Comput. Electr. Eng. 2025, 122, 109896. [Google Scholar] [CrossRef]
- Coron, J.S.; Dodis, Y.; Malinaud, C.; Puniya, P. Merkle-Damgård revisited: How to construct a hash function. In Proceedings of the Annual International Cryptology Conference; Springer: Berlin/Heidelberg, Germany, 2005; pp. 430–448. [Google Scholar]
- Goldreich, O.; Micali, S.; Wigderson, A. Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM 1991, 38, 690–728. [Google Scholar] [CrossRef]
- Camenisch, J. Group Signature Schemes and Payment Systems Based on the Discrete Logarithm Problem. Ph.D. Thesis, ETH Zurich, Zurich, Switzerland, 1998. [Google Scholar]
- Gentry, C. Practical identity-based encryption without random oracles. In Proceedings of the Advances in Cryptology-EUROCRYPT 2006: 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, St. Petersburg, Russia, 28 May–1 June 2006; Proceedings 25; Springer: Berlin/Heidelberg, Germany, 2006; pp. 445–464. [Google Scholar]
- Tardos, G. Optimal probabilistic fingerprint codes. J. ACM 2008, 55, 1–24. [Google Scholar] [CrossRef]
- Lynn, B. On the Implementation of Pairing-Based Cryptosystems. Ph.D. Thesis, Stanford University, Stanford, CA, USA, 2007. [Google Scholar]






| Notations | Meaning |
|---|---|
| Security parameter | |
| N | Total number of receivers |
| System public key | |
| System secret key | |
| User identity | |
| ’s public key | |
| ’s private key | |
| ’s pseudonym | |
| Hash functions | |
| S | A set of receive users |
| m | Common message |
| l | The bit length of message |
| K | Public Session Key |
| Personalized Session Key | |
| Trusted Authority | |
| Tracing entity | |
| Endorsing Node | |
| Broadcast ciphertext | |
| A set of traitors | |
| Ordering Node | |
| Authentication Information Ledger | |
| Tracing identity tag of user | |
| ciphertext header | |
| Data Outsourcing with Simultaneous Individual Transmission |
| Schemes | Anonymity | DOSIT | Traceability | Revocation | Resist Trapdoors |
|---|---|---|---|---|---|
| [10] | Yes | No | No | Yes | No |
| [11] | Yes | Yes | No | No | No |
| [15] | Yes | No | Yes | Yes | No |
| [16] | Yes | Yes | Yes | Yes | Yes |
| [18] | Yes | No | Yes | Yes | Yes |
| BATR | Yes | Yes | Yes | Yes | Yes |
| Notations | Description | Time (ms) |
|---|---|---|
| H | Hash operation | |
| P | Bilinear operation | |
| E | Exponential operation in G/ | |
| S | Exponential operation in |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2026 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license.
Share and Cite
Yan, L.; Pan, H.; Sun, J.; Cui, M.; Liu, S. Traceable and Revocable Broadcast Encryption Scheme for Preventing Malicious Encryptors. Mathematics 2026, 14, 1632. https://doi.org/10.3390/math14101632
Yan L, Pan H, Sun J, Cui M, Liu S. Traceable and Revocable Broadcast Encryption Scheme for Preventing Malicious Encryptors. Mathematics. 2026; 14(10):1632. https://doi.org/10.3390/math14101632
Chicago/Turabian StyleYan, Lu, Hailun Pan, Jing Sun, Mengyuan Cui, and Shuanggen Liu. 2026. "Traceable and Revocable Broadcast Encryption Scheme for Preventing Malicious Encryptors" Mathematics 14, no. 10: 1632. https://doi.org/10.3390/math14101632
APA StyleYan, L., Pan, H., Sun, J., Cui, M., & Liu, S. (2026). Traceable and Revocable Broadcast Encryption Scheme for Preventing Malicious Encryptors. Mathematics, 14(10), 1632. https://doi.org/10.3390/math14101632

