Escrow guarantees ensure that an appropriately-authorized governmental agency or other party can decrypt messages that have been encrypted by a given user. The escrowing of secret keys used in the decryption process allows the appropriately-authorized party to in effect implement a “digital wiretap” of encrypted data. In a typical escrow arrangement, multiple designated authorities each store fragments of the secret key of the given user. Then, if a sufficient number of these escrow authorities agree that a digital wiretap must be performed, they can together reconstruct the secret key of the user in order to perform the required decryption operation. Typically, the functionality of the escrow authorities is combined with or otherwise related to the functionality of a public key certification authority. For example, users may be required to register with the escrow authorities before their public keys are certified by the certification authority. This ensures that only those users for whom the escrow authorities can recover a secret key are allowed to receive certificates. Criminals, while they can still use encryption for their communication, do not have access to the public key certification infrastructure provided to honest users. The criminals will instead have to establish their identities with each other using a designated side channel in order to avoid the threat of decryption of their ciphertexts.
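The fragment-and-reconstruct arrangement described above can be realized with threshold secret sharing. The following is an added example, not taken from the original text, and it assumes Shamir's scheme over a prime field; the names `split_key` and `reconstruct_key`, the field prime, and the 3-of-5 parameters are illustrative choices.

```python
import secrets

# Prime modulus of the share field. 2**127 - 1 is a Mersenne prime, chosen
# here for illustration; a real key would need a field at least as large.
P = 2**127 - 1

def split_key(secret, n_authorities, threshold):
    """Return one (x, y) fragment per escrow authority (assumed Shamir scheme).

    Any `threshold` fragments recover `secret`; fewer reveal nothing about it.
    """
    if not 0 <= secret < P:
        raise ValueError("secret must be an element of the field")
    if not 1 <= threshold <= n_authorities < P:
        raise ValueError("need 1 <= threshold <= n_authorities")
    # Random polynomial of degree threshold-1 with the secret as constant term.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    # Authority i holds the point (i, f(i)); x = 0 is never handed out.
    return [(x, f(x)) for x in range(1, n_authorities + 1)]

def reconstruct_key(fragments):
    """Lagrange-interpolate the polynomial at x = 0 from the pooled fragments."""
    xs = [x for x, _ in fragments]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate fragment")
    secret = 0
    for xi, yi in fragments:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

if __name__ == "__main__":
    user_key = secrets.randbelow(P)           # constructed stand-in for a decryption key
    fragments = split_key(user_key, 5, 3)     # five authorities, three must agree
    print(reconstruct_key(fragments[1:4]) == user_key)  # three cooperating authorities
    print(reconstruct_key(fragments[:2]) == user_key)   # two alone interpolate a wrong value
```
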
Although it is beneficial to escrow secret keys used for decryption, it may not be advisable to escrow secret keys used for generation of digital signatures. The reason is that this would in theory make a signer not accountable for his signatures, as he could always argue that the signature could have been produced by the escrow authorities. Moreover, the escrow authorities could in fact forge signatures of users whose secret keys they hold, as long as a sufficient number of the escrow authorities collude. Therefore, the legality of a given digital signature may be questionable if the secret key used to generate it is escrowed.
A need therefore exists for a technique that allows escrowing of decryption secret keys but which does not escrow signature generation secret keys. A problem that must be overcome in providing such a technique is that since both the encryption public key and the signature verification public key would generally have to be certified in order to be useful, an attacker could use the signature verification public key to encrypt a message, and a recipient of the message could use the signature generation secret key to decrypt. This “sign-the-new-public-key” type of attack is made possible by well-known similarities in the structures of conventional encryption and signature generation techniques.