A key escrow system with protecting user's privacy by blind decoding

We propose a new key recovery system with satisfying the following properties: 1. The court-authorized eavesdropping by the investigator is limited both in tapping time and in tapped conversation. 2. Trustees, who are cooperating with the investigator to eavesdrop a user's communication, cannot know whom the investigator is intercepting. 3. No investigator can obtain illegally the secret key of users against which no legitimate court order has been issued. Our system utilizes the blind decoding: a client has a message encrypted with a server's secret key and the client asks the server to decode the message without revealing what is the decoded plaintext nor learning the server's secret key. Our system also introduces two agencies besides the trustees. These are related to the mechanism of registering users and of distributing the user's escrowed keys, named "Key Producer," and "Registration Center." Our system can be implemented by using only the discrete-log based cryptosystems (the Diffie-Hellman and the ElGamal).