1

Is there an asymmetric encryption scheme that allows for multiple private decryption keys?

where $m$ = plaintext message and $c$ = ciphertext message

$c = E_K(m)$ where $K$ is the public encryption key,

and

$m = D_J(c)$ where $J$ is the private decryption key.

Nothing out of the ordinary here; RSA satisfies this basic scenario.

In addition, I also want the message to be decrypted by any number of additional keys ($D_{J_1} \dots D_{J_n}$) such that:

e.g.

$m = D_{J_n}(c)$

Does such a scheme exist?

Note: I am NOT referring to the way GPG/PGP broadcasts a message to many parties.

Edit: looks to be similar to One Encryption, Many Decryption Keys

In particular, see D.W.'s answer: https://crypto.stackexchange.com/a/39403/29315

  • If it is symmetric, then the holder of $k_1$ could also encrypt any message that the other $k, k_2, ..., k_n$ holders can decrypt. If this is what you're thinking about, then any symmetric cipher would satisfy this requirement where $k = k_x$ for $1\leq x \leq n$. What's the point of such a scheme? – Artjom B. Dec 02 '17 at 09:50
  • Good question. It would provide traitor tracing. So for instance I encrypt with said scheme and produce K1,...,Kn keys. I encrypt those using recipients' public keys. Each one now has knowledge of only one K. One person decides to break the secrecy and reveal the signed authorized document by revealing the key. The secrecy is broken, but I know who broke it. That's very useful to me: I can't prevent people from revealing the image of the document, but I can disincentivize them from sharing the signed document. – Joshua Zeidner Dec 02 '17 at 09:56
  • And I think you may not understand the OP. A typical symmetric scheme has key K and that is used to encrypt/decrypt; however, what I need is a set of keys K1... Kn that can be used interchangeably. It's somewhat similar to Shamir Secrets; however, I don't need users to collaborate to unlock a secret. Metaphorically it would be like having a lock that can be unlocked by several keys. If someone copied the key, I know who is the culprit by looking at the key. – Joshua Zeidner Dec 02 '17 at 10:05
  • Even with traitor tracing, you can only know who broke the trust, if you find a decryption blackbox out on the internet or it is given to you by the police. Then you can run some tests and find the key id that is the culprit. This won't work for a decrypted and signed real-world document, because the culprit can always strip the document of any signature. This is not possible AFAIK and the fact that this is symmetric also doesn't help. – Artjom B. Dec 02 '17 at 10:09
  • Again I fully accept that I can't prevent someone from revealing the document image. They can strip the signature, but they don't have a provable document. It's their statement, not the author's. Not really looking for commentary on how valuable traitor tracing is in this case, I'm happy to talk about it elsewhere. I'm looking for a way to implement it. – Joshua Zeidner Dec 02 '17 at 10:17
  • 1
    Just came across this: https://crypto.stackexchange.com/a/39403/29315 – Joshua Zeidner Dec 02 '17 at 10:26
  • 1
    "The key generation algorithm takes as input a security parameter s, a number l of private keys to generate, and a number k which we call the collusion bound. It outputs a public encryption key e and a list of distinct private decryption keys d1, . . . , dl. Any decryption key can be used to decrypt a ciphertext created using the encryption key."

    Exactly what I was looking for. Found in the above link.

    – Joshua Zeidner Dec 02 '17 at 10:34
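An added illustration of the interface quoted above (one public encryption key, several distinct private keys, any of which decrypts), not code from the post or the linked answer: a toy ElGamal variant in which every private key is a different discrete-log representation of the same public value. The group parameters and function names are assumptions made for this example, and it leaves out the collusion-resistant key structure and tracing algorithm that a real traitor-tracing scheme needs.

```python
import secrets

# Toy parameters constructed for illustration; far too small for real use.
P = 2039   # safe prime, P = 2*Q + 1
Q = 1019   # prime order of the subgroup of squares mod P
G = 4      # generator of that order-Q subgroup

def keygen(n_keys, m=2):
    """Return (public_key, list of n_keys distinct private keys)."""
    r = [secrets.randbelow(Q - 1) + 1 for _ in range(m)]   # secret exponents
    h = [pow(G, rj, P) for rj in r]                         # public bases h_j = G^r_j
    s = secrets.randbelow(Q - 1) + 1
    y = pow(G, s, P)                                        # public value y = G^s
    keys = set()
    while len(keys) < n_keys:
        # A private key is a vector d with sum(r_j * d_j) = s (mod Q),
        # i.e. a representation of y in the bases h_j.
        d = [secrets.randbelow(Q) for _ in range(m - 1)]
        rest = (s - sum(rj * dj for rj, dj in zip(r, d))) % Q
        d.append(rest * pow(r[-1], -1, Q) % Q)              # solve last coordinate
        keys.add(tuple(d))
    return (y, h), sorted(keys)

def encrypt(pub, msg):
    """ElGamal-style: mask msg with y^a and publish every h_j^a."""
    y, h = pub
    a = secrets.randbelow(Q - 1) + 1
    return msg * pow(y, a, P) % P, [pow(hj, a, P) for hj in h]

def decrypt(priv, ct):
    """Any valid representation rebuilds y^a from the header."""
    body, header = ct
    mask = 1
    for hj_a, dj in zip(header, priv):
        mask = mask * pow(hj_a, dj, P) % P
    return body * pow(mask, -1, P) % P

def who_leaked(issued_keys, leaked_key):
    """Index of the recipient whose key was published verbatim, or None."""
    leaked_key = tuple(leaked_key)
    return issued_keys.index(leaked_key) if leaked_key in issued_keys else None

if __name__ == "__main__":
    pub, keys = keygen(5)
    ct = encrypt(pub, 1234)
    print([decrypt(k, ct) for k in keys], who_leaked(keys, keys[3]))
```

Identifying a key by lookup only works when a key is published unmodified; holders of two keys can combine them into a new valid representation, which is the problem the collusion bound in the quoted definition addresses.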

0 Answers