A common approach to demands for lawful access to encrypted data is to allow a trusted third party (TTP) to gain access to private data. However, there is no way to verify that this trust is well placed, as the TTP may open all messages indiscriminately. Moreover, existing approaches do not scale well when, in addition to the content of the conversation, one wishes to hide one’s identity. Given the importance of metadata, this is a major problem. We propose a new approach in which users can retroactively verify cryptographically whether they were wiretapped. As a case study, we propose a new signature scheme that can act as an accountable replacement for group signatures, accountable forward and backward tracing signatures.