4

Assume a multi-party encryption scheme, similar to the answer to: Encryption with multiple different keys?. That is, a set of keys K can be used to decipher a ciphertext.

Is there a way to expire:

K'⊆ K

such that K \ K' can still decipher the ciphertext, but no longer K'?

I'm of course assuming that the ciphertext has been updated as a consequence of the expiration of K'. I'm not really sure how to attack this, or if it's even possible?

Community

2 Answers

5

That is a problem studied by a specific branch of cryptography called Broadcast Encryption. In particular, it is also assumed that:

  • the overhead for sending a message must be minimized
  • the traffic for re-keying purposes is limited or even none
  • a broadcast/multicast channel exists
  • the storage each user has got is limited and sometimes cannot even be changed
  • the protocol is safe even if two or more "expired" users collude together (e.g. by putting together their keys and seeing if together they can still access the data)
  • the users have limited computational power

Several protocols exist, and each achieves a different trade-off for the conditions above. However, I am not aware of any standards around any of them.

Two very nice and seminal documents describing the problem and some solutions are:

On the internet you can find much more material, but in most cases it traces back to those two articles.
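As an added illustration (not part of the original answer, and not a scheme the answer names), here is a sketch of one well-known broadcast encryption construction, the Complete Subtree method from the subset-cover framework of Naor, Naor and Lotspiech. It shows revocation of a subset K' with no re-keying and with resistance to collusion among revoked users; the 8-user tree, the function names and the XOR-based key wrap are assumptions made for the example, and the wrap stands in for a real authenticated cipher.

```python
import hashlib, hmac, os

N = 8                      # constructed example: 8 users, leaves of a binary tree (heap indices 8..15)
MASTER = os.urandom(32)    # held by the broadcaster only

def node_key(v):
    """Key of tree node v (derived from a master secret here for brevity)."""
    return hmac.new(MASTER, b"node-%d" % v, hashlib.sha256).digest()

def path(u):
    """Heap indices from user u's leaf up to the root."""
    v, out = N + u, []
    while v >= 1:
        out.append(v)
        v //= 2
    return out

def user_keys(u):
    """What user u stores: log2(N)+1 node keys, fixed for the life of the system."""
    return {v: node_key(v) for v in path(u)}

def cover(revoked):
    """Roots of the maximal subtrees that contain no revoked leaf."""
    if not revoked:
        return [1]
    steiner = {v for u in revoked for v in path(u)}
    return sorted(c for v in steiner if v < N
                  for c in (2 * v, 2 * v + 1) if c not in steiner)

def wrap(key, nonce, data):
    """Toy key wrap (XOR with an HMAC-derived pad); stand-in for a real AEAD."""
    pad = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def broadcast(session_key, revoked):
    """Header: the 32-byte session key wrapped once per cover node."""
    nonce = os.urandom(16)
    return nonce, {v: wrap(node_key(v), nonce, session_key) for v in cover(revoked)}

def receive(keys, message):
    """Unwrap with any held key whose node is in the header, else None."""
    nonce, header = message
    for v, k in keys.items():
        if v in header:
            return wrap(k, nonce, header[v])
    return None  # every key this receiver holds lies on a revoked path
```

Every key a revoked user holds sits on a path from a revoked leaf to the root, and no such node is ever in the cover, so pooling keys among revoked users yields nothing usable for the new ciphertext.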

0

Assuming a public-key cryptosystem like PGP/GPG the answer is "no." You'd have to somehow alter the cryptotext so that K' could no longer decrypt it, which means generating a new cryptotext.

Since there's no way to retract the original cryptotext, K' will always be able to decrypt it.

phred
  • I'm assuming that the original plaintext (say 'XXX') is no longer relevant, and has been replaced by a new plaintext (say 'YYY'). It is the encrypted form of the new plaintext that cannot be decrypted by K', while the keyset K \ K' can decrypt it (to produce 'YYY'). – Pimin Konstantin Kefaloukos May 18 '12 at 19:45