On characterizations of escrow encryption schemes

Abstract

Designing escrow encryption schemes is an area of much recent interest. However, the basic design issues, characterizations and difficulties of escrow systems are not fully understood or specified yet. This paper demonstrates that in public-key based escrow, the combination of (1) two different receivers (intended receiver and potentially law enforcement); and (2) on-line verified compliance assurance by the sender which ensures that law enforcement can decrypt ciphertext upon court order, is equivalent to a “chosen ciphertext secure public-key system” (i.e., one secure against an adversary who uses the decryption oracle before trying to decipher a target ciphertext). If we further add measures to ensure that law enforcement is given access to messages only within an authorized context and law enforcement is assured to comply as well (i.e., it cannot frame users), then the escrow system is equivalent to “non-malleable encryption schemes”. The characterizations provide a theoretical underpinning for escrow encryption and also lead us to new designs.