Score:1

Public-Key Encryption with Privilege Access: is it possible?

es flag

Let be Alice, Bob, and David three people. They all have public-key cryptographic system: private key and public key.

Is there any way, in some known cryptographic system (RSA, Elliptic Curve, etc.), that satisfies the following three conditions:

  1. Alice, Bob, David don't know private keys from anyone
  2. David could see all encrypted message from and to Alice
  3. David is the only one person which is capable of doing the previous item

I'm thinking in some kind of organization in which David is the boss and wants to control the messages of their organization. So David needs to see all encrypted messages to and from Alice and assures he is the one.

In it is possible, is there any condition between public and private keys of Alice and David?

knaccc avatar
es flag
Why is it important that David does not know Alice's private key? If can you explain the reason, there may be a different way to achieve what you're looking for.
poncho avatar
my flag
To what extend are you assuming that Bob cooperates with David being able to listen in?
somenxavier avatar
es flag
David does not not Alice's private key because it's private. We need to assure that David could read Alice message without knowing her *private* key.
Score:1
ng flag

This is possible with attribute-based encryption. Per the description in the link, define a universe of attributes $\{A, B, D\}$, have Alice get a key with attribute $A$, Bob a key with attribute $B$, and David a key with attributes $\{A, D\}$. To encrypt to Alice, Bob, or David, encrypt a message with respect to $A$, $B$, or $D$. Then:

  • For messages encrypted to Bob or David, they are the only people who have keys with the corresponding attributes, so are the only ones who can decrypt, but
  • David and Alice have keys with Attribute $A$, so they both can decrypt any messages to Alice.

This causes a mild issue --- Alice can send messages to Bob that David cannot decrypt. One can fix this by modifying encryption slightly, namely Alice (or any other person in David's organization) should encrypt messages with respect to the policy $C\lor D$, where $C$ is the intended recipient, and $D$ is the attribute corresponding to David. In this particular case, Alice encrypts to Bob with attribute $B\lor D$.

Note that this doesn't require that Bob cooperate with David --- the system is setup such that anyone who communicates "in band" with Alice (encrypts using the attribute $A$) sends messages that David can decrypt as well. There are two caveats though:

  • Alice must cooperate (if she encrypts with respect to the policy $B$, David cannot decrypt). This is probably easier for David to enforce, with threats of firing Alice if she misbehaves.

  • ABE, as a stronger form of IBE, is subject to Rogaway's criticism of IBE (in The Moral Character of Cryptographic Work). Namely, a trusted third party must generate all keys. In particular, this means that Bob cannot generate his key independently of David, and therefore must trust David that his key was generated honestly (or both Bob and David must trust some independent third party). It is plausible one can replace this independent third party with an MPC computation, but I don't know details.

somenxavier avatar
es flag
Is this implemented in GNUPGP or some open-source software?
Mark avatar
ng flag
You might be able to find someone's implementation online, but I doubt it is in any large open-source libraries. Some view the threat model of ABE/IBE as problematic (it enables mass surveillance by whoever generates the master secret key --- this is what the last bullet point says), so I doubt OSS maintainers would prioritize implementing it, and this is verified via cursory searching through NaCl ,libsodium, and GNUPGP.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.