[Cryptography] End-to-End, One-to-Many, Encryption Question

Peter Fairbrother zenadsl6186 at zen.co.uk
Sun Jun 15 05:28:09 EDT 2014 

On 12/06/14 03:37, Jerry Leichter wrote:
> On Jun 11, 2014, at 8:49 PM, Kent Borg <kentborg at borg.org> wrote:
>> Alice lives on the far end of a single DSL line, and produces data
>> on a regular basis, she encrypts it with a key only she knows, and
>> she sends it to Bob.
>>
>> Bob lives in the cloud (and so has lots of bandwidth), but Bob is
>> in the cloud, and therefore is only partially trusted, so he is
>> given no ability to directly decrypt the data. There is also lot of
>> data accumulated, he doesn't can't store unique copies for each
>> client.
>>
>> Charley is a client, one of many (Charley-1, Charley-2, Charley-3,
>> etc., clients can come and go), he lives in a smart phone, say. He
>> asks Bob for a specific piece of data, Bob encrypts it with a
>> Charley-1-specific key and sends it off.
>>
>> Charley-1 decrypts the data with a key that Bob does not know.
>>
>> If Alice discovers Charley-1 is compromised, she can instruct Bob
>> to delete Charley-1-specific data, destroying his ability to read
>> data from Bob. Alice probably knows everyone's keys, but Bob and
>> Charley do not know each other's keys, and again only Alice knows
>> her key....
 >
> The problem as described to this point has an easy solution:  Alice
> encrypts the data with a key K.  She then appends to it a bunch of
> pairs of the form (Charley-1, Enc(C1, K)) (Charley-2, Enc(C2, K)),
> and so on, where Cn is a key unique to Charley-n and known to him and
> Alice (but not Bob).  Charley-n can look for a pair with his name on
> it, decrypt it using Cn, then use the resulting key K to decrypt all
> the data.
>
> Bob learns nothing about the data.
>
> To remove Charley-n's access, simply remove the name/encrypted key
> pair with his name on it.

Here lies a greater problem - the secure deletion of data once stored in 
a cloud is practically impossible. The user does not know how many 
copies have been made, so he can't be sure they have all been deleted.

I say practically impossible rather than actually impossible only 
because a user can upload ciphertext only, and not upload the key, and 
on deletion of the key that deletion can be secure (for some value of 
"secure"). But then if eg you want perfect security and use an OTP, is 
the data actually stored in the cloud?


-- Peter Fairbrother

More information about the cryptography mailing list