@Article{BR99,
author = { Mihir Bellare and Ronald L. Rivest },
title = { Translucent Cryptography---An Alternative to Key Escrow, and
Its Implementation via Fractional Oblivious Transfer },
journal = { Journal of Cryptology },
publisher = { Springer },
issn = { 0933-2790 },
OPTyear = { 1999 },
OPTmonth = { October },
date = { 1999-10 },
volume = { 12 },
number = { 2 },
pages = { 117--139 },
url = { http://dx.doi.org/10.1007/PL00003819 },
doi = { 10.1007/PL00003819 },
keywords = { key escrow, translucent, oblivious transfer, discrete
logarithms, communications policy },
abstract = {
We present an alternative to the controversial
``key-escrow'' techniques for enabling law
enforcement and national security access to
encrypted communications. Our proposal allows such
access with probability $p$ for each message, for a
parameter $p$ between $0$ and $1$ to be chosen (say, by
Congress) to provide an appropriate balance between
concerns for individual privacy, on the one hand,
and the need for such access by law enforcement and
national security, on the other. (For example, with
$p=0.4$ , a law-enforcement agency conducting an
authorized wiretap which records 100 encrypted
conversations would expect to be able to decrypt
(approximately) 40 of these conversations; the
agency would not be able to decrypt the remaining 60
conversations at all.) Our scheme is remarkably
simple to implement, as it requires no prior
escrowing of keys.
\par
We implement translucent
cryptography based on noninteractive oblivious
transfer. Extending the schemes of Bellare and
Micali [2], who showed how to transfer a message
with probability $\frac{1}{2}$, we provide schemes for
noninteractive fractional oblivious transfer, which
allow a message to be transmitted with any given
probability $p$ . Our protocol is based on the
Diffie-Hellman assumption and uses just one El Gamal
encryption (two exponentiations), regardless of the
value of the transfer probability $p$ . This makes the
implementation of translucent cryptography
competitive, in efficiency of encryption, with
current suggestions for software key escrow.
},
}