Idea: Introduce an abstraction layer for access control to encrypted data using roles. Each role has its own secret key and public key, generated off-chain. Data is encrypted using the role's public key. When a role is granted to Alice, the smart contract encrypts the role's secret key with Alice's public key: encryptECIES(roleSecret, AlicePublicKey). Alice can then decrypt the role secret key off-chain and use it to decrypt the encrypted value.

Interface example

• createRole(rolePubKey, encryptedRoleSecret, roleID) – stores the role public key and the encrypted role secret
• grantRole(roleID, AlicePublicKey) – re-encrypts the role secret using Alice’s public key
• encryptForRole(encryptedValue, roleID) – encrypts the value using the role public key
• getValueForRole(roleID) – returns the value encrypted with the role public key

Decryption flow

1. Get encryptedRoleSecret for roleID
2. decrypt(encryptedRoleSecret, AlicePrivateKey) → decryptedRoleSecret
3. getValueForRole(roleID) → encryptedValue
4. decrypt(encryptedValue, decryptedRoleSecret) → decryptedValue