In the debates that followed Snowden’s revelations, many policymakers embraced a familiar narrative. Strong encryption allegedly creates a “going dark” problem, and the solution should be some form of “good backdoor” that lets authorities access encrypted communications when the law so requires.
A recent paper by Francesco Bruschi, Marco Esposito, Andrea Rizzini and Ivan Visconti, Deflating Mass-Surveillance Attempts in the Post-Snowden Era Publicly-Traceable Conditional Decryptions (p. 1), challenges this narrative head-on. The authors argue that the very idea of a “good backdoor” is structurally flawed, and they propose a different model: conditional backdoors, where lawful access is treated as a cryptographic condition, not as an informal promise of good behaviour by authorities.
From “good backdoors” to strong privacy
Traditional lawful-access proposals often rely on some variant of key escrow or mandatory backdoors. Encryption keys are stored with a trusted third party, or systems are designed so that authorities can bypass encryption under certain legal preconditions. On paper, these mechanisms are supposed to be used only in exceptional cases and under strict oversight.
The authors make two basic points that should resonate with any lawyer familiar with surveillance law. First, once an authority controls an escrowed key or a built-in backdoor, that authority can technically decrypt any relevant data, regardless of whether the legal conditions are actually satisfied. The technical system does not “know” about the warrant; it only knows that a privileged key exists. Second, this access is typically invisible. The decryption process leaves no cryptographic trace that could be audited by courts, regulators, or affected individuals.
Even if one assumes benevolent institutions, these properties remain problematic. Administrations change, insiders may abuse their privileges, security breaches happen, and legal standards evolve. A backdoor that depends entirely on institutional trust is, in the authors’ terminology, a form of weak privacy. It protects rights only as long as everyone behaves, and it offers no technical guarantee that legal limits on access are actually enforced.
The paper instead advocates a notion of strong privacy. A system offers strong privacy if:
- its outputs (ciphertexts, statistics, logs) do not reveal protected information beyond what is strictly allowed;
- the risk of abuse is quantifiable and subject to deterrence;
- every authorized access is observable and attributable within the system;
- the guarantees remain robust over time, even as new information and new attack capabilities emerge.
This framing is deeply legal, even if it is expressed in cryptographic language. The key question becomes: who can decrypt what, under which conditions, and with which form of accountability?
What is a “conditional backdoor”?
A conditional backdoor is a mechanism that allows a designated authority to decrypt a ciphertext only if a certain publicly verifiable condition is satisfied. Instead of saying “the police can decrypt when they have a warrant”, the system encodes that requirement as a predicate over public data.
In simplified terms, the authors define a conditional backdoor through four main properties:
- Conditionality. Decryption is possible only if a specific condition holds. This condition can be very expressive: it may involve a valid court order, a time delay, multi-party approval, or combinations of these elements. Anyone can check whether the condition is satisfied.
- No arbitrary access. No efficient attacker, not even one colluding with infrastructure providers, should be able to decrypt without satisfying the condition.
- No silent access. Any attempt to enable decryption must leave a trace that is publicly observable, timestamped, and attributable to a specific requester. There is, by design, no invisible use of the backdoor.
- Robustness. The system must resist attempts to manipulate the underlying state (for example, by rewriting parts of the blockchain) in order to fabricate or erase authorization conditions.
The crucial step is that lawful access becomes a computable predicate. What counts as “lawful” is not left to the goodwill of an operator but is encoded in the very structure of the system.
Witness encryption and blockchains: how the scheme works
To move from principle to mechanism, the paper uses a powerful cryptographic tool: witness encryption. Instead of encrypting a message “to a key”, witness encryption encrypts it “to a statement”. Anyone who later holds a witness that the statement is true can decrypt; anyone else learns nothing.
The authors sketch a construction where a user encrypts their data in two layers:
- The actual message is encrypted under a symmetric key.
- That symmetric key is then encrypted for the authority, but only in a form that can be opened if a specific public condition is satisfied (for example: a particular blockchain includes a transaction representing a valid judicial authorization for that user).
Formally, the lawful-access condition is captured by a predicate ( P(s, w) ), where:
- ( s ) encodes the public state (the “statement”): a blockchain prefix, the identity of the authority, the user identifier, and a commitment to the details of the request;
- ( w ) is the witness: the authority’s signature on the request, the proof that a court has authorised the access, and the on-chain transaction that logs this request.
Only if ( P(s, w) = 1 ) – that is, only if the public state and the witness actually match a valid, authorized request – does the system allow the key to be recovered. Crucially, the blockchain transaction that forms part of the witness is itself the audit trail. Anyone can later check that, at a specific time, a specific authority requested access to data protected under a specific condition.
The authors also discuss existing systems that approximate this ideal, using trusted hardware (TEEs), smart contracts, secret sharing, and verifiable delay mechanisms. A table in the paper compares these implementations against the four core properties of conditional backdoors and shows that each current approach achieves only a subset of them, typically because some off-chain collusion or early decryption remains possible.
Why lawyers should care
For legal audiences, this work is interesting for at least three reasons.
First, the paper reframes the encryption debate in terms that align closely with principles of legality and accountability. Lawful access is not an informal constraint on behaviour; it is a predicate that can and should be enforced cryptographically. This resonates with ideas such as “privacy by design” and “accountability by design” in EU data protection law, but it pushes them into the deeper layer of how encryption itself is built.
Second, the authors explicitly connect conditional backdoors to regulatory contexts such as KYC frameworks and other identification-heavy regimes. The model allows systems where identifiability is treated as a special case of conditional decryption, rather than as a default. In other words, identification becomes something that must be positively justified by a computable policy and leaves a public footprint, not an ever-present possibility.
Third, the paper sets out a research and policy agenda that lawyers can engage with. The authors call for:
- mechanisms that decouple access to data from immediate disclosure of personal identities;
- anchoring access conditions to public blockchains so that authorisation can be independently verified;
- techno-legal pilots that rely on economic constraints (for example, staking and slashing) to deter abuse;
- further work on cryptographic primitives that support fine-grained, programmable access control;
- legal regimes that mandate traceable and contestable access, so that every authorised action leaves a verifiable trail.
For lawyers, this kind of work suggests that the encryption debate does not have to be framed as a stark trade-off between privacy and security. If lawful access is reimagined as a public, auditable and formally specified condition, backed by cryptographic enforcement, the law can move away from blind trust in “good backdoors” and towards systems where both rights and powers are technically constrained.