# Multi signature encryption (multiple people can decrypt)

I understand that multi sig transactions exist so that X of N need to sign to release a transaction. If only 1 of N is required I guess any of the recipients can spend.

This made me wonder, is it possible to encrypt something, so that any one of a set of people can decrypt the data?

I suppose the data could be in the exponent or something, but also possibly going beyond bitcoin, would it be possible to do this with multiple Mb worth of data (stored off chain in this case)? I guess it would require some sort of script that means conditions have to be met to decrypt the data.

Cryptography Asked by besch on December 26, 2020

Sure. First of all, to encrypt a large amount of data you just require a single secret key. So now we've reduced the problem to a single small key instead of a large swath of data. Let's call this key the data key.

Now the easiest way of encrypting for multiple parties is for each party to send you their specific public key. Then you encrypt the data key with each public key and include the results with the ciphertext. This will increase your ciphertext of course, but you should be able to limit to N times the size of the encrypted data key.

There are also schemes such as Shamir's secret sharing where you can do M out of N encryption / decryption.

Answered by Maarten Bodewes on December 26, 2020

## Related Questions

### Binomial distribution sampling – concrete example

0  Asked on January 4, 2022

### Using xor encryption in the following use case

1  Asked on December 31, 2021 by kaa

### How to justify the lightweight symmetric PRESENT encryption algorithm is more secure?

0  Asked on December 31, 2021 by sunitha-tappari

### Difference Between an Authentication Token and an OTP (One Time Password)

0  Asked on December 28, 2021 by dawnforce

### Using XOR to derive a data key for ECIES

2  Asked on December 26, 2021 by maarten-bodewes

### Digital Signature or MAC Yielding Non-Binary Verification Predicate

0  Asked on December 24, 2021

### Computing PGP ed25519 and curve25519 keygrips?

2  Asked on December 21, 2021 by skaht

### Find Consecutive X-Coordinate algorithm

1  Asked on December 21, 2021 by kmart875

### Is there any proof for ECDSA signature algorithm?

1  Asked on December 19, 2021 by sanket1729

### What basic knowledge is required to understand SIKE?

1  Asked on December 19, 2021 by vivekanand-v

### Why we can’t implement AES 512 key size?

3  Asked on December 17, 2021 by hamedb71

### MD5 – Chosen Prefix Collision Attack

1  Asked on December 17, 2021

### Does selectively generating keypairs with particular public-key hash prefix weaken the security?

2  Asked on December 17, 2021

### Difference between polynomial embedding and canonical embedding

0  Asked on December 17, 2021

### How can Cipher Block Chaining (CBC) in SSL be attacked?

3  Asked on December 14, 2021 by antonpug

### Subset Sum Hashes

1  Asked on December 14, 2021 by lev-knoblock

### Why is this authenticated Diffie–Hellman key exchange insecure?

1  Asked on December 14, 2021 by beroal

### Homomorphic encryption scheme for modulo reduction

0  Asked on December 8, 2021

### Can we say that password authentication contains registration phase, authentication phase and authenticated key exchange phase?

0  Asked on December 6, 2021 by z-p

### LWR parameter estimation

0  Asked on December 4, 2021 by mev