Auto-recoverable auto-certifiable cryptosystems

  • Adam Young
  • Moti Yung
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1403)


In this paper we solve the open problem known as the “software key escrow” problem. To this end we develop a cryptographic notion of auto-recoverable auto-certifiable cryptosystems. We first present the exact specification of the problem, based on what software key escrow can hope to achieve. Then we develop our new scheme, which is an efficient reduction to a software key escrow system from a certified public key system. Namely, our scheme is as efficient for users to use as a public key infrastructure, it does not require a tamper-resistant hardware (i.e., it can be distributed in software to users), and the scheme is shadow public key resistant (does not allow the users to publish public keys other then the ones certified). The scheme enables the efficient verification of the fact that a given user's private key is escrowed properly.


Certification Authority Primitive Root NIZK Proof Escrow Encryption Escrow System 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. [DB96]
    D. Denning, D. Branstad. A Taxonomy for Key Escrow Encryption Systems. In volume 39, n. 3 of Communications of the ACM, 1996.Google Scholar
  2. [DDFY]
    A. De Santis, Y. Desmedt, Y. Frankel, M. Yung. How to Share a Function Securely. In ACM Symp. on Theory of Computing, pages 522–533, 1994.Google Scholar
  3. [DH76]
    W. Diffie, M. Hellman. New Directions in Cryptography. In volume IT-22, n. 6 of IEEE Transactions on Information Theory, pages 644–654, Nov. 1976.Google Scholar
  4. [Du78]
    U. Dudley. Elementary Number Theory. 2nd edition, pages 36, 37, 75, 1978. W. H. Freeman and Co.Google Scholar
  5. [ElG85]
    T. ElGamal. A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In CRYPTO '84, pages 10–18.Google Scholar
  6. [FD89]
    Y. Frankel, Y. Desmedt. Threshold Cryptosystems. In CRYPTO '89, pages 307–315.Google Scholar
  7. [Fr94]
    J. B. Fraleigh. A First Course in Abstract Algebra. 5th edition, Theorem 1.9, page 76, 1993. Addison Wesley.Google Scholar
  8. [FS86]
    A. Fiat, A. Shamir. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In CRYPTO '86, pages 186–194.Google Scholar
  9. [FY95]
    Y. Frankel, M. Yung. Escrow Encryption Systems Visited: Attacks, Analysis and Designs. In CRYPTO '95, pages 222–235Google Scholar
  10. [FY97]
    Y. Frankel, M. Yung. On characterization of Escrow Encryption Schemes. In ICALP '97.Google Scholar
  11. [GHY85]
    Z. Galil, S. Haber, M. Yung. Symmetric public-key encryption. In CRYPTO '85, pages 128–137.Google Scholar
  12. [GMR85]
    S. Goldwasser, S. Micali, C. Rackoff. The knowledge complexity of interactive proof-systems. In ACM Symp. Theory of Computing, 1985.Google Scholar
  13. [JMW96]
    N. Jefferies, C. Mitchell, M. Walker. A Proposed Architecture for Trusted Third Party Services. In Cryptography: Policy and Algorithms, LNCS 1029.Google Scholar
  14. [K-S]
    H. Abelson, R. Anderson, S. Bellovin, J. Benaloh, M. Blaze, W. Diffie, J. Gilmore, P. Neumann, R. Rivest, J. Schiller, B. Schneier. The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption. available at Scholar
  15. [KL95]
    J. Kilian and F.T. Leighton. Fair Cryptosystems Revisited. In CRYPTO '95, pages 208–221, 1995. Springer-Verlag.Google Scholar
  16. [Koh78]
    L. Kohnfelder. A Method for Certification. MIT Lab. for Computer Science, Cambridge Mass., May 1978.Google Scholar
  17. [LMS]
    J. Lacy, D. Mitchell, W. Schell. CryptoLib: Cryptography in Software. AT&T Bell Laboratories, version 1.2.Google Scholar
  18. [LWY95]
    A. Lenstra, P. Winkler, Y. Yacobi. A Key Escrow System with Warrant Bounds. In CRYPTO '95, pages 197–207, 1995.Google Scholar
  19. [Mi92]
    S. Micali. Fair Public-Key Cryptosystems. In CRYPTO '92, pages 113–138, 1992. Springer-Verlag.Google Scholar
  20. [Ro93]
    K. R. Rosen. Elementary Number Theory and its Applications. 3rd edition, Theorem 8.14, page 295, 1993. Addison Wesley.Google Scholar
  21. [VT97]
    E. Verheul, H. van Tilborg. Binding ElGamal: A Fraud-Detectable Alternative to Key-Escrow Proposals. In Eurocrypt '97, pages 119–133, 1997.Google Scholar
  22. [YY96]
    A. Young, M. Yung. The Dark Side of Black-Box Cryptography. In CRYPTO '96, pages 89–103Google Scholar
  23. [YY97a]
    A. Young, M. Yung. Kleptography: Using Cryptography against Cryptography. In Eurocrypt '97, pages 62–74.Google Scholar
  24. [YY97b]
    A. Young, M. Yung. The Prevalence of Kleptographic Attacks on Discrete-Log Based Cryptosystems. In CRYPTO '97, pages 264–276.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • Adam Young
    • 1
  • Moti Yung
    • 2
  1. 1.Columbia UniversityUSA
  2. 2.CertCo LLCUSA

Personalised recommendations