Correspondence is invited on the following problem, posed by Yongfei Han.
Suppose users A and B observe regulations and submit their private keys to the key escrow agents for escrow (No matter how they generate the keys).
Then A and B distribute their session key (SK1) encrypted under that private, escrowed key. If law enforcement agencies want to read the messages between A and B, the agencies retrieve the private key from the key escrow agents to obtain SK1, then decrypt the message.
Suppose A uses SK1 to encrypt a session key (SK2) in terms of a public agreement and then sends the encrypted SK2 to B, who decrypts it again. A and B start to communicate using SK2 to encrypt messages.
The method can be continued until A and B use SKn-1 to encrypt SKn and from now on use SKn to encrypt messages to each other.
If law enforcement agencies intercept messages between A and B when A and B have used SKn to encrypt them (n>2), how can those agencies decrypt that traffic? To obtain SKn, they need SK1, SK2, ..., SKn-1. But they cannot get the set of keys SKi (1 Key escrow schemes must sort out this problem; otherwise they will not be able to prevent criminals from using "legal means" to achieve secret communication.
The author would like to thank the editor for polishing the English.