I recently learned of the McCallum-Relyea exchange, which allows for a method of key escrow without actually transmitting the key.
It was developed at Red Hat and is used by the tang and clevis utilities (and further described here) to allow for automated decryption, in particular for an encrypted root partition for Linux machines. So a client machine could only boot and decrypt its disk if it is on a network where it can access the server machine.
I haven't found any analysis of this protocol so I was wondering what level of security it offers compared to a more conventional method such as the server storing the key and transmitting it over a TLS channel, and also if there are any flaws in the exchange that might be exploited.
The exchange is a modified / extended version of ECDH which functions as follows:
The server side first generates a long-lived EC key pair with private key $s$ and public key $S = [s]G$.
The client, wanting to protect a message $M$, generates private key $c$ and public key $C = [c]G$. The client then requests a key from the server over a plaintext channel. The server responds with $S$ signed with $s$. The client-side user validates the server key via some out-of-band method and records the hash of the server key. The client then performs half of an ECDH exchange to yield $K = [c]S = [cs]G$. $K$ is then used (either directly or indirectly) to encrypt $M$ via a symmetric cipher, after which the client discards $K$ and $c$ and retains only $C$. At this point, the client is unable to decrypt $M$ without the server.
When the client wants to decrypt $M$, it creates an ephemeral keypair $e$ and $E = [e]G$, then calculates $X = C + E$ and sends $X$ to the server. The server then performs half of an ECDH exchange with $X$ and $s$ to generate $Y = [s]X$ and transmits $Y$ back to the client, using $S$ to sign the message.
Having received $Y$ from the server and validating the server's signature, the client then performs another ECDH half with $S$ and $e$ to calculate $Z = [e]S$. The client then calculates:
$$
\begin{aligned}
Y - Z &= [s]X - [e]S \\
&= [s](C + E) - [e]S \\
&= [s]C + [s]E - [e]S \\
&= [sc]G + [se]G - [es]G \\
&= [sc]G \\
&= K
\end{aligned}
$$
To recover $K$ and decrypt $M$.
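The exchange described above, run end to end as an added example (not part of the original post and not tang or clevis code). It assumes secp256k1 purely to keep the arithmetic short, omits the server's signature over $S$ and $Y$, and uses non-constant-time pure-Python point arithmetic; the function names are hypothetical.

```python
import secrets

# Assumption: secp256k1 (y^2 = x^3 + 7), chosen only for compact constants.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, A):
    """Double-and-add scalar multiplication [k]A."""
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def neg(A):
    return A and (A[0], -A[1] % P)

def keypair():
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, G)

def demo():
    s, S = keypair()   # server: long-lived key pair
    c, C = keypair()   # client provisioning: c is discarded afterwards
    K = mul(c, S)      # K = [c]S, used to encrypt M, then discarded
    e, E = keypair()   # client recovery: ephemeral blinding key
    X = add(C, E)      # the only value the server receives
    Y = mul(s, X)      # server's reply, Y = [s]X
    Z = mul(e, S)      # client's unblinding term, Z = [e]S
    return add(Y, neg(Z)) == K, X != C, Y != K
```

`demo()` returns three booleans: the client recovered $K$, the server saw a blinded $X$ rather than $C$, and the reply $Y$ on the wire was not $K$ itself.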