[messaging] Two-party consensual file access
Ian Goldberg
iang at cs.uwaterloo.ca
Fri Mar 29 10:27:45 PDT 2019
On Thu, Mar 28, 2019 at 08:28:41PM -0700, Max Skibinsky wrote:
> As Ben mentioned, who encrypts the file is a crucial differentiator. Either
> you can accept one party knows the contents of the file beforehand, or you need
> to solve quite a different challenge first — how file content is created in
> the encrypted form without either party ever having full plaintext.
>
> If it is acceptable that one party does encryption as the first step, then
> indeed *n/n* Shamir schema is the way to go. We did a lot of thinking about how
> an application for Shamir split/storage/restore of high-value files should
> work, you can take a look at our whitepaper
> <https://vault12.com/technology/> , section 4 outlines some practical
> storage scenarios.
Why would you use Shamir for an "n/n" situation? You can use much
simpler schemes if you don't need the flexibility and robustness of
Shamir. In this particular case, you can even just do "encrypt the file
with Alice's public key, and then that ciphertext (at least the part
encrypting the underlying symmetric key) with Bob's public key",
assuming the two parties allowed to decrypt are known at encryption
time.
Also unstated is whether it's important that, say, Alice be able to
prove she performed her stage of the decryption successfully. That can
also be pretty straightforward with ZKPs if the public-key encryption is
something ElGamal based or similar.
- Ian
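
As an added illustration (not part of the original thread or either poster's code): XOR splitting is one "much simpler" n-of-n scheme of the kind the reply alludes to, chosen here as an assumption since the message does not name one. It applies under the quoted precondition that one party holds the file key at split time; the function names are illustrative.

```python
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split(secret: bytes, n: int) -> list[bytes]:
    """Split secret into n shares; all n are required to recover it."""
    if n < 2:
        raise ValueError("need at least two parties")
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    # The last share is the secret masked by every random share.
    shares.append(reduce(xor_bytes, shares, secret))
    return shares


def combine(shares: list[bytes]) -> bytes:
    """XOR all shares together; correct only when every share is present."""
    return reduce(xor_bytes, shares)


def missing_share_for(known: list[bytes], candidate: bytes) -> bytes:
    """Return the share that would make `known` combine to `candidate`.

    Such a share exists for every candidate of the right length, which is
    why any n-1 shares reveal nothing about the secret.
    """
    return reduce(xor_bytes, known, candidate)


if __name__ == "__main__":
    file_key = secrets.token_bytes(32)  # constructed sample: symmetric file key
    alice, bob = split(file_key, 2)
    assert combine([alice, bob]) == file_key
    # Alice alone cannot rule out any other 32-byte key:
    other = bytes(32)
    assert combine([alice, missing_share_for([alice], other)]) == other
```

Unlike Shamir with a threshold below n, losing any single share here makes the key unrecoverable, which is the robustness trade-off the reply mentions.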