On Thu, Mar 28, 2019 at 08:28:41PM -0700, Max Skibinsky wrote:
> As Ben mentioned, who encrypts the file is crucial differentiator. Either
> you can accept one party knows contents of the file beforehand, or you need
> to solve quite different challenge first — how file content is created in
> the encrypted form without either party ever having full plaintext.
>
> If it is acceptable that one party does encryption as the first step, then
> indeed *n/n* Shamir schema is the way to go. We did a lot of thinking how
> an application for Shamir split/storage/restore of high-value files should
> work, you can take a look at our whitepaper
> <https://vault12.com/technology/> , section 4 outlines some practical
> storage scenarios.

Why would you use Shamir for an "n/n" situation?  You can use much
simpler schemes if you don't need the flexibility and robustness of
Shamir.  In this particular case, you can even just do "encrypt the file
with Alice's public key, and then that ciphertext (at least the part
encrypting the underlying symmetric key) with Bob's public key",
assuming the two parties allowed to decrypt are known at encryption
time.

Also unstated is whether it's important that, say, Alice be able to
prove she performed her stage of the decryption successfully.  That can
also be pretty straightforward with ZKPs if the public-key encryption is
something ElGamal based or similar.

   - Ian
_______________________________________________
Messaging mailing list
Messaging@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/messaging
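
An added example, not part of the original message or of any project mentioned in the thread: one simpler n-of-n scheme of the kind the reply alludes to is XOR splitting of the file's symmetric key, where every share is required and any n-1 of them are statistically independent of the key. The scheme choice, the function names, the 32-byte key length and the SHA-256 check value (used to detect a missing or corrupted share) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from functools import reduce

KEY_LEN = 32  # bytes; assumed size of the symmetric key that encrypts the file


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def check_value(key: bytes) -> bytes:
    """Public tag stored with the ciphertext to detect a bad recombination.

    Safe to publish only because the key is high-entropy random data.
    """
    return hashlib.sha256(b"n-of-n key check v1" + key).digest()


def split_key(key: bytes, n: int) -> list[bytes]:
    """Split key into n shares; all n are needed to rebuild it."""
    if n < 2:
        raise ValueError("need at least two shareholders")
    # The first n-1 shares are uniformly random. The last one is chosen so
    # that the XOR of all n shares equals the key.
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    shares.append(reduce(_xor, shares, key))
    return shares


def combine(shares: list[bytes], expected_check: bytes) -> bytes:
    """XOR every share together and verify the result before returning it."""
    if len({len(s) for s in shares}) != 1:
        raise ValueError("no shares given, or shares differ in length")
    key = reduce(_xor, shares)
    if not hmac.compare_digest(check_value(key), expected_check):
        raise ValueError("share set is incomplete or corrupted")
    return key
```

Unlike a threshold Shamir split, losing any single share here loses the key, which is the robustness trade-off the reply mentions.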