Comments on 'Identity-Based Revocation from Subset Difference Methods under Simple Assumptions'

Abstract

An identity-based revocation (IBR) scheme is a useful one-to-many cryptographic message transmission method in which a message can be encrypted using receivers' identities such as e-mail addresses as public keys and a trusted message sender who holds users' private keys is not required. Recently, a construction method for an IBR scheme was presented with symmetric broadcast encryption (SBE) schemes called SD or LSD. In this article we clarify that the SBE schemes are completely different from the original subset difference (SD) scheme by Naor, Naor, and Lotspietch or the layered SD (LSD) by Halevy and Shamir. To be precise, we show that the IBR schemes built on top of the original SD or the original LSD scheme is insecure so that even revoked users can easily decrypt a ciphertext generated for a user group excluding the revoked users.