##
Translucent cryptography -- An alternative to key escrow, and its
implementation via fractional oblivious transfer

** Authors: M. Bellare and R. Rivest**
** Abstract: ** We present an alternative to the controversial ``key
escrow'' techniques for enabling law-enforcement and national security access
to encrypted communications. Our proposal allows such access with probability
p for each message, for a parameter p between 0 and 1 to be chosen
(say, by Congress) to provide an appropriate balance between concerns for
individual privacy, on the one hand, and the need for such access by
law-enforcement and national security, on the other. (For example, with p=0.4,
a law-enforcement agency conducting an authorized wiretap which records 100
encrypted conversations would expect to be able to decrypt (approximately) 40
of these conversations; the agency would not be able to decrypt the remaining
60 conversations at all.) Our scheme is remarkably simple to implement, as it
requires no prior escrowing of keys.

We implement translucent cryptography based on non-interactive oblivious
transfer. Extending the schemes of Bellare and Micali,
who showed how to transfer a message with probability 1/2, we provide schemes
for non-interactive fractional oblivious transfer, which allow a message to be
transmitted with any given probability p. Our protocol is based on the
Diffie-Hellman assumption and uses just one El Gamal encryption (two
exponentiations), regardless of the value of the transfer probability p.
This makes the implementation of translucent cryptography competitive, in
efficiency of encryption, with current suggestions for software key escrow.

** Ref:** Journal of Cryptology, Vol. 12, No. 2, 1999, pp. 117--140. (Early
version was MIT Laboratory for Computer Science Technical Memo No. 683,
February 1996.) Full paper of most recent version available below.

** Full paper: ** Available as compressed
postscript, postscript, or
pdf. ( Help if this doesn't work).

## Related work