[Cryptography] My deployment plan for end-to-end secure email.

jrzx jrzx at protonmail.ch
Tue Aug 31 19:45:30 EDT 2021


> > On Sunday, August 22nd, 2021 at 12:17 PM, Phillip Hallam-Baker <phill at hallambaker.com> wrote:
> > > Threshold decryption allows encrypted documents to be shared
> > > and used with exactly the same ease as unencrypted documents,
> > > somewhat easier in fact as there is less need to be concerned
> > > about leaks on stolen laptops etc.

> On Tue, Aug 31, 2021 at 5:04 PM jrzx <jrzx at protonmail.ch> wrote:
> > As I understand your proposal, you are not actually threshold
> > encrypting the documents, but threshold encrypting the
> > permissions request to the master server on the cloud,
> > which holds secrets and whose operator has to manage those secrets.

Phillip Hallam-Baker <phill at hallambaker.com>
> ??? I am not sure what you are saying. First off, there is no threshold
> 'encryption' and it is only decryption that may be shared.
>
> The GroupW public key is {W, w}
>
> Alice holds w
> Bob holds w-b, service holds b
> Carol holds w-c, service holds c

> Alice can add Doug by creating a share w-d, d and sending them to Doug
> and the service.

This is not what the phrase threshold cryptography normally refers to,
because there is no threshold. Rather unanimity between Bob and the
server. Hence my confusion.

Threshold cryptography refers to n of m schemes where n is
substantially less than m. This is a two of two scheme.

> Alice can remove Bob by telling the service to delete b.
>
> This is not a Snowden-is-my-keyserver-admin scheme. The service
> never sees w. In fact it never sees a value that even depends on w.

That is an elegant idea, and could be used to do a great many interesting
things, but you have left out the parts where stuff actually gets
encrypted and decrypted.

Attempting to fill the gaps in from my imagination, which doubtless
differs from your own.

Each document contains a public key used once, a konce. Call the
corresponding transient secret key k, the corresponding public key K.

The corresponding transient private key k is thrown away after being
used for one document once.

The transient symmetric key that decrypts the document is kW=wK

Anyone can encrypt a document so that only he, or Alice, or one of the
holders of shares with the full cooperation of the server can decrypt it.

The documents at rest are stored in their encrypted form on Bob's
machine, and any time he wants to read one of them, he cooperates with
the server to construct wK, the transient symmetric secret for each
document he wants to read, without either party ever getting the full
value of w.

The transient symmetric secrets are stored on Bob's machine until he logs
off, unless he does something naughty to keep them around - or more
likely does something careless to keep the cleartext around.

If Alice gets fired, the secret key w is reconstructed by the cooperation of
the server and one of the shareholders, and documents at rest are
re-encrypted to a new key. All the old shares are then thrown away
and old copies of the old documents become unreadable for most
people.
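
The two-of-two split and the per-document key described in this message, as an added example that is not part of the original post or of either correspondent's software. Assumptions: a toy multiplicative group modulo 2^127 - 1 (not secure) stands in for the real group, so the thread's wK is written `pow(K, w, P)`; the names `Service`, `split`, `encrypt_key` and `member_decrypt` are hypothetical, and the symmetric encryption of the document itself is left out.

```python
import hashlib
import secrets

# Toy parameters (assumption, NOT secure): integers mod the Mersenne prime 2^127 - 1.
P = 2**127 - 1
ORDER = P - 1      # exponents reduce mod P - 1 (Fermat's little theorem)
G = 3

def kdf(shared):
    """Derive the document's symmetric key from the shared group element."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def keygen():
    """Alice: group secret w and group public key W."""
    w = secrets.randbelow(ORDER - 1) + 1
    return w, pow(G, w, P)

def split(w):
    """Alice: share pair (w - b, b). b is uniformly random, independent of w."""
    b = secrets.randbelow(ORDER)
    return (w - b) % ORDER, b

def encrypt_key(W):
    """Sender: one-time pair (k, K). Returns K and the document key; k is dropped."""
    k = secrets.randbelow(ORDER - 1) + 1
    return pow(G, k, P), kdf(pow(W, k, P))

class Service:
    """Holds one share b per member; never receives w or w - b."""
    def __init__(self):
        self.shares = {}
    def enroll(self, member, b):
        self.shares[member] = b
    def remove(self, member):          # "Alice can remove Bob"
        self.shares.pop(member, None)
    def partial(self, member, K):
        if member not in self.shares:
            raise PermissionError(f"{member} has no share")
        return pow(K, self.shares[member], P)

def member_decrypt(member, member_share, K, service):
    """Combine both partial results: K^(w-b) * K^b = K^w, without rebuilding w."""
    mine = pow(K, member_share, P)
    theirs = service.partial(member, K)
    return kdf(mine * theirs % P)
```

Once the service deletes b, Bob's half alone no longer yields the document key, but any key he already derived and kept stays usable, which is the caveat the message raises about secrets left on Bob's machine.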