
Pure & Applied Research

Time-delayed decryption mechanisms for deployment-specified secure message transmission


VIABILITY STUDIES OF CANDIDATE PROTOCOLS
Arjan Singh Puniani (Center for Theoretical Physics & Dept. of Physics, UC Berkeley, CA, USA; Lawrence Berkeley National Laboratory, Berkeley, CA, USA); Vitaliy Kaurov (Wolfram Research, Champaign, IL, USA)

Major motivations: why would we need this?


Govt. accountability
- Trustworthy governments today may be replaced by untrustworthy governments tomorrow: private keys may be nationalized in the state's interest.
- Periodic dissemination of Congressional materials guaranteed to outlast the lifetime of the sovereignty.
- Complete record of government operations, with disclosure guaranteed regardless of which regime is installed.

Intelligence agencies
- Sensitive data may not be suitable for dissemination until after a certain time (Patriot Act).
- Permanent record of inquiries made by certain agencies.

Academics
- No more Library of Alexandria disasters.
- Guaranteed delivery of research articles designated for future open access after a 2-3 yr paywall.

Corporations
- Listed companies may eventually be required to disclose all deal terms to protect investors and discourage impropriety.
- Insider-trading alibi.

Real estate
- Encrypt mortgage payments now and time-release them to banks later.
- Any escrow transaction (money held by trusted third parties).

Personal
- Release a personal diary posthumously.
- Write a letter to your future self.
- Blackmail (malicious).

Economics
- Send a payment for future services rendered; estate planning.
- Securely preserve bid identity until an auction ends.

General
- Trustworthy third-party handlers may prove impossible to find and guarantee.
- Physical implementations of storing secrets are out of the question.

Several preliminary considerations: naive approaches

Bury a safe containing a flash drive?
Physically vulnerable. Explanation: suppose your secret message is encrypted under a password key. Why not bury the message in a safe? The scheme is then only as strong as the hiding place, and nothing about the delay itself is enforced: whoever digs up the safe first holds the ciphertext and can start attacking it.

Ask N law firms to guarantee delivery
Cost-prohibitive. Explanation: hire law firms to store the message in confidence, and enough of them to ensure that at least one does its job. Why this is tempting: the best law firms will likely stick around on the order of decades and deliver the message, but it is expensive. Any partial solutions? Assume you require exactly one to succeed and no rehiring is done. Of the 1,300+ firms in the US, only ~400 are of sufficient size and resources. Assume only 50% want your business, another 10% are eliminated during selection, and around 3 fail per year. For a 30 yr transmission delay, ~80-90 firms must be hired. Average cost: $900,000/yr x 30 yrs = $27 mn.

Partial key escrow amongst friends?
Excess third-party trust. Explanation: if you trust some people, just teach them a secret-sharing protocol (e.g. XORing key fragments to recover the master key). What's the issue? Shredding the key into distributable fragments protects against a newly installed tyrannical regime; that's it. Seems better than the others: it has some advantages, but introduces a new problem, conspiratorial mutiny among the shareholders. We may be justified in predicting more powerful, more reliable technology, but we cannot say the same about people, unfortunately.

Millionaire problem
EXP time complexity. Explanation: two millionaires can decide who is richer without revealing their net worth; that is secure multi-party computation (MPC). More details: the task is to establish the inequality I <= J, where I, J are the participants' fortunes, without revealing the amounts. That doesn't explain much, so a sketch of Yao's construction: A sends B a random-looking value m that is actually an encryption encoding A's secret x. B decrypts m to obtain many candidate values Y, any one of which could be x; after reducing the candidates modulo a prime, B selects according to her own wealth. The cost of the construction grows with the range of possible fortune values, hence the EXP label, and nothing in it delays anything: it only hides inputs, which is a different problem from ours.

Who do you share the treasure map with? If you want your secret to outlive you, you need a trusted party (an heir, etc.).

Protection against the elements. The longevity of the protection scheme is a function of the environment: obviously, a cleanroom with round-the-clock armed guards would be ideal, but highly impractical.

Time-Delayed Encrypted Message Transmission

Generalized Process Flow Overview (stage, its sub-stage label, then its tasks)

1. Initialization (Production)
- Compose message
- Specify decryption time
- Specify deployment

2. Encryption (Selection)
- Generate cipher-text
- Associate decryption key with cipher
- Apply protection

3. Time Delay (Consideration)
- Cloud-based to minimize physical dependence
- Maximize digital distance between content and key
- Implement some redundancy scheme
- Compare program counter to trustworthy clock
- Enforce data integrity

4. Decryption (Consumption)
- Reunite key with cipher
- Publish message
- Ensure delivery

Governing Rules of the Time-Delayed Encryption Protocol

Desired implementation details and axioms for all proposed systems
- The decryption key must remain unknowable until the specified document/message deployment time.
- It must be possible to strongly verify the authenticity and integrity of the message.
- The sender cannot deny the contents once information has been sent through the encrypted-message protocol (non-repudiation).
- The hard problems underlying the cryptography will remain computationally intractable on the order of centuries. (Caveat: factoring and discrete logarithms, on which RSA-style schemes rest, are not known to be NP-hard; the assumption is about those specific problems, and a large quantum computer would break them.)
- For any network system, malicious adversaries will never control more than 50% of the nodes.
- Computational equivalence and computational irreducibility: the delay must come from work that cannot be shortcut.
- The document must trigger self-destruct when compromised (cracked prematurely).

ry DE_draftv13_070430.ppt

Encryption Schemes: rendering trust between parties obsolete

Key: private / public. Proposed cryptographic primitive: a trapdoor one-way function, easy to compute forward but (very) hard to invert without the trapdoor. Secrets and keys are very easy to generate.

RSA for Dummies

Before RSA, people exchanged keys to the locks that contained the secrets they wished to share. RSA instead shares open locks.

Want to buy online from AMZN? They randomly select two huge primes p, q and publish the huge number N = pq, keeping the prime factors private. N (together with the public exponent, here 3) is the public key: people who want to send AMZN a secret (e.g. their payment information) use it to encode their information. With your credit card number as x, what you send back is

x^3 mod N

So how does AMZN get x? Euler's theorem (the slide says Euclid) tells us that the sequence

x mod N, x^2 mod N, x^3 mod N, ...

has a period dividing (p - 1)(q - 1). AMZN therefore needs an integer k such that

3k = 1 mod (p - 1)(q - 1),

which exists only if gcd(3, (p - 1)(q - 1)) = 1, and then

(x^3)^k mod N = x^{3k} mod N = x mod N.

[Figure: years required to compute roots of modulus N without p, q; the slide's estimate for a 10,000-digit N is on the order of 10^6 years.]

Can this encryption system be cracked? Theoretically, yes. But our assumption that computational intractability persists indefinitely ignores the nonzero probability of quantum computers being realized any time soon (Shor's algorithm factors N in polynomial time). Two practical caveats the slide glosses over: a public exponent of 3 applied to raw data is insecure (if x^3 < N the "ciphertext" is an ordinary integer cube and x falls out of an integer cube root, without p, q), which is why real deployments use randomized padding such as RSA-OAEP; and RSA is not the only cryptographic protocol (just the most prevalent); other equally strong schemes derive their security from similar gaps between easy and hard problems (factoring, discrete logarithms), none of which is known to be NP-hard. We arrive at the conjecture:

Current public-key encryption protocols are sufficient to complement any TCP/IP-based proposal presented here.
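The "RSA for Dummies" slide carried through in code, as an added example that is not part of the original deck: key generation with public exponent 3, the decryption exponent k with 3k = 1 mod (p-1)(q-1), and the cube-root failure of unpadded x^3 mod N mentioned above. The primes 1000000007 and 998244353 are assumed toy parameters (both are 2 mod 3, so k exists); they are far too small for real use.

```python
"""Textbook RSA with public exponent 3, as on the 'RSA for Dummies' slide.
Added example, not code from the slides. The primes are well-known toy
primes, chosen so that gcd(3, (p-1)(q-1)) = 1; they are not secure sizes."""
import math

P = 1000000007   # assumed toy prime, 2 mod 3
Q = 998244353    # assumed toy prime, 2 mod 3


def keygen(p=P, q=Q, e=3):
    """Public key (N, e) and private key (N, k) with e*k = 1 mod (p-1)(q-1)."""
    N = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo (p-1)(q-1)")
    k = pow(e, -1, phi)          # the integer k with 3k = 1 mod (p-1)(q-1)
    return (N, e), (N, k)


def encrypt(pub, x):
    """x^3 mod N: what the buyer sends to AMZN (x must be < N)."""
    N, e = pub
    return pow(x, e, N)


def decrypt(priv, c):
    """(x^3)^k = x^(3k) = x mod N, using the trapdoor k."""
    N, k = priv
    return pow(c, k, N)


def icbrt(c):
    """Exact integer cube root of c, or None if c is not a perfect cube."""
    lo, hi = 0, 1 << (c.bit_length() // 3 + 2)
    while lo < hi:                # smallest mid with mid^3 >= c
        mid = (lo + hi) // 2
        if mid ** 3 < c:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == c else None


def cube_root_attack(c):
    """If the plaintext satisfied x^3 < N, the modular reduction never happened
    and the ciphertext is literally x^3: anyone recovers x without p or q.
    This is why raw (unpadded) x^3 mod N must not be used for a card number."""
    return icbrt(c)


if __name__ == "__main__":
    pub, priv = keygen()
    c = encrypt(pub, 4242)
    print(decrypt(priv, c), cube_root_attack(c))   # both recover 4242
```

The attack function needs no key material at all; the defence is padding that makes every plaintext close to N in size, not a larger exponent.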

Protocol I: Memory-Hard Functions to Compute [Part I]

Idea. Computations tend to vary in execution time considerably across architectures, but a certain class of problems, called time-lock puzzles (Rivest, Shamir and Wagner, 1996), can be constructed so that a minimum amount of sequential time is required to solve them. Each puzzle is easy to generate but hard to solve. (Despite the slide title, the puzzle is sequential-hard rather than memory-hard: it bounds wall-clock time, not memory.) The most famous example is

2^{2^t} mod n,

which, without the factorization of n, can only be solved by t sequential squarings modulo n.

Details. If a problem can be solved either by one polynomial-time method or by several exponential ones, classical computers opt for the polynomial-time method, however inefficient, to realize solutions in reasonable time. Here the puzzle setter has a polynomial-time shortcut (the trapdoor) and the solver does not.

Calculating the components to instantiate a time-lock puzzle. Alice wants to send message M with a time delay of T seconds before decryption.

Step 1: generate large primes p, q; compute n = pq and phi(n) = (p - 1)(q - 1).
Step 2: calculate t = T*S, where S is the number of squarings modulo n per second that the solver can perform.
Step 3: generate a random symmetric key K (typically > 160 bits, to guarantee security of the cipher; K must also be smaller than n so that it survives reduction mod n).
Step 4: encrypt M with K under the cryptosystem RC5 to generate the ciphertext C_M = RC5(K, M).
Step 5: select a random a (1 < a < n) and encrypt K as C_K = K + a^{2^t} (mod n). Using the trapdoor, this is computed efficiently via e = 2^t (mod phi(n)) and b = a^e (mod n), so C_K = K + b (mod n). [e, b are for convenience only.]
Step 6: produce the output in the form of the time-lock puzzle (n, a, t, C_K, C_M), discarding p, q, phi(n) and all other intermediate variables.

Protocol I: Memory-Hard Functions to Compute [Part II]

How do you approach a solution? Some steps to consider. By explicit design, searching through RC5 for K is incomprehensibly difficult computationally; the only practical route is to recover b = a^{2^t} (mod n) and subtract it from C_K.

Initial considerations. Knowledge of phi(n) reduces 2^t efficiently to e = 2^t (mod phi(n)), so the puzzle setter obtains b = a^e (mod n) with one modular exponentiation. Without phi(n), the fastest known approach to

b = a^{2^t} (mod n)

is to start with a and perform t squarings sequentially, since each squaring needs the previous result. Repeated squaring is an intrinsically sequential computational process, and no parallel algorithm for it is known; more machines do not shorten the delay, only faster single-thread squaring does.

Warnings and limitations. Computing phi(n) from n is as hard as factoring n, so once the setter discards p and q there is no avoiding the t squarings.

Manipulability. Hence the number t of squarings required to solve a particular instantiation of the puzzle can be precisely controlled by the setter.

Primary unanswered question. Under what computing conditions can we agree with confidence that the two quantities below are equal?

CPU time =?= real time

The puzzle fixes an amount of work, not a duration: t was derived from an estimate S of the fastest squaring rate available over the whole delay. If hardware improves faster than assumed, the message opens early; if S was too optimistic, it opens late.
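Steps 1-6 of Part I and the two solving routes of Part II, as an added worked example that is not code from the slides. It assumes toy parameters: the Mersenne primes 2^89-1 and 2^107-1 stand in for p, q (certainly prime, but far too structured for real use), and because RC5 is not in the Python standard library the message is encrypted with a SHA-256 counter-mode keystream instead. The solver without phi(n) performs t squarings; the setter with phi(n) reduces the exponent first.

```python
"""Toy instance of the Rivest-Shamir-Wagner time-lock puzzle (Protocol I).
Added example, not the slides' code. RC5 is replaced by a SHA-256 keystream;
the primes are assumed toy parameters."""
import hashlib
import math
import secrets

P = (1 << 89) - 1     # assumed toy prime (Mersenne)
Q = (1 << 107) - 1    # assumed toy prime (Mersenne); n = P*Q is ~196 bits


def keystream_xor(key: int, data: bytes) -> bytes:
    """Stand-in for RC5(K, M): XOR data with SHA-256(key || block counter)."""
    out = bytearray()
    kb = key.to_bytes(16, "big")
    for i in range(0, len(data), 32):
        block = hashlib.sha256(kb + i.to_bytes(8, "big")).digest()
        out.extend(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def generate_puzzle(message: bytes, T: int, S: int, p: int = P, q: int = Q):
    """Steps 1-6. Returns the public puzzle (n, a, t, C_K, C_M) and, separately,
    phi(n), which the setter keeps only to illustrate the trapdoor."""
    n = p * q
    phi = (p - 1) * (q - 1)             # Step 1
    t = T * S                           # Step 2: squarings the solver must do
    K = secrets.randbits(128)           # Step 3: symmetric key, K < n
    C_M = keystream_xor(K, message)     # Step 4
    while True:                         # Step 5: random a coprime to n
        a = secrets.randbelow(n - 2) + 2
        if math.gcd(a, n) == 1:
            break
    e = pow(2, t, phi)                  # trapdoor: 2^t reduced mod phi(n)
    b = pow(a, e, n)                    # = a^(2^t) mod n in one exponentiation
    C_K = (K + b) % n                   # Step 6
    return (n, a, t, C_K, C_M), phi


def solve_puzzle(puzzle) -> bytes:
    """Solver without phi(n): t sequential squarings, no known shortcut."""
    n, a, t, C_K, C_M = puzzle
    b = a
    for _ in range(t):
        b = b * b % n
    K = (C_K - b) % n
    return keystream_xor(K, C_M)


def solve_with_trapdoor(puzzle, phi) -> bytes:
    """Setter's route: exponent reduced mod phi(n), cost independent of t."""
    n, a, t, C_K, C_M = puzzle
    b = pow(a, pow(2, t, phi), n)
    K = (C_K - b) % n
    return keystream_xor(K, C_M)


if __name__ == "__main__":
    puzzle, phi = generate_puzzle(b"open after the delay", T=2, S=1000)
    print(solve_puzzle(puzzle))          # b'open after the delay'
```

With a real n of 2048 bits and a realistic S of millions of squarings per second, t runs into the trillions and the sequential loop is the whole point; the trapdoor route stays at a single exponentiation regardless of t.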

Protocol I: General Security Features Afforded

Summary of potential risks and possible rectifiers

Adversarial botnet swarms: assume many, many more computers are recruited to enhance the adversary's objective, but only brute-force attacks are possible.
-> Rectifier: a one-way function that is extremely sequential (no parallelizability); hence infinite resource scaling would not improve time resolution for adversaries.

Compromised PK production: malicious adversaries may conflate users' legal actions with commercially questionable tactics, reducing effectiveness.
-> Rectifier: a managerial layer of meta-nodes with intelligent task scheduling.

Premature reassembly of DK (stochastic stimuli).
-> Rectifier: FSSP solutions, proof-of-work.

Delayed reassembly of DK (stochastic stimuli).
-> Rectifier: FSSP solutions, proof-of-work.

Protocol I: Memory-Hard Problem Solving with Optimized Sorting

Solving time-lock puzzles. Assume nodes are designated workspaces for:
-- verifiable threshold secret sharing of the private key through randomized distribution of shares;
-- secure multi-party (consensus-based) reconstruction of the private-key components;
-- reconstruction of the shredded private key, thanks to block-chain verification of uncompromised, continuously running systems.

Sorting and bucketing(?). Where is the encrypted document? In N secure buckets, where s buckets are secure vaults and f buckets are furnaces (permanent file-deletion protocols). Optimized bucketing (metadata + content recruiter) translates to fewer collisions for bins with high incoming inventory velocity.

Decentralized distribution. Just as Julian Assange/WikiLeaks released a 1.45 GB AES-256-encrypted "insurance" file over BitTorrent, the ciphertext can be spread widely while the encryption key is subject to maximum economic protection.

Protocol II: Firing Squads & Polynomials: How do you share a secret?

Snapshot. Situation: time delay. Complication: synchronization. Question: can it be NTP-independent?

Dividing the message. Proposal: cut the secret message into N strips and distribute them across the network randomly. Base the network protocol on firing squad synchronization problem (FSSP) solutions to guarantee that the strips are transmitted simultaneously.

Synchronization rules: FSSP solutions as protocol. We can learn a lot from the problem officers face when trying to get all the soldiers in an execution squad to fire at the same time. In the classical cellular-automaton solution the general's order propagates along the line as a signal at speed 1 together with one at speed 1/3; where they meet, the line is split in half and the construction recurses until every cell fires in the same step. (Signal speed: 1/3; space-time axes x, t.)

Example calculation (Shamir secret sharing)
(1) Let the secret S be 1371. We have n = 6 friends willing to keep a piece of our secret, but want only k = 3 pieces to be necessary for reconstruction.
(2) Choose k - 1 = 2 random coefficients a_1, a_2 to construct f(x) = S + a_1 x + a_2 x^2.
(3) Resolve 6 unique points (x_j, f(x_j)), x_j = 1, ..., 6.
(4) Distribute the 6 pairs amongst your friends.
(5) Designate a rally point after time t elapses.
(6) Note: with n nodes, if any k of them are to suffice to recover the message, then true security means that any k - 1 shares reveal nothing about the secret. This holds only if the arithmetic is done modulo a prime larger than the secret and than n; over the plain integers, as in the calculation above, k - 1 shares leak partial information about S.

Recovering the original: Lagrange basis polynomials. k points with distinct x_j uniquely determine a polynomial of degree at most k - 1. Harvest 3 pairs (x_j, y_j) from your group of friends and compute the Lagrange basis polynomials

$$\ell_j(x) = \prod_{m \ne j} \frac{x - x_m}{x_j - x_m}.$$

Polynomial multiplication. Now multiply each basis polynomial by the value f(x_j) = y_j at that point. The interpolation polynomial is

$$L(x) = \sum_{j} y_j \, \ell_j(x).$$

Assuming no two x_j are the same, L(x) resolves the polynomial, and the secret is S = L(0).

Abstraction. Major idea: given a set of k data points with distinct abscissae (the slide writes k + 1 points for a degree-k polynomial; same statement), the interpolating polynomial is unique.
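The example calculation and the Lagrange recovery above, worked end to end for S = 1371, n = 6, k = 3 as an added example that is not the slide's own code. It assumes arithmetic modulo a prime PRIME (here 2^61-1, an assumed choice; any prime larger than the secret and than n works), which is what makes fewer than k shares uninformative. The coefficients a_1 = 166, a_2 = 94 are constructed for a reproducible run; the slide's own random coefficients are not shown.

```python
"""Shamir secret sharing with Lagrange interpolation at x = 0, for the slide's
S = 1371, n = 6, k = 3. Added example, not from the deck. Arithmetic is mod
PRIME (assumed); the slide's integer-only sketch is not information-theoretically secure."""
import secrets
from itertools import combinations

PRIME = (1 << 61) - 1   # assumed field prime; must exceed the secret and n


def eval_poly(coeffs, x, p=PRIME):
    """Horner evaluation of coeffs[0] + coeffs[1] x + ... + coeffs[k-1] x^(k-1) mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret, n, k, p=PRIME, coeffs=None):
    """Steps (1)-(4): f(x) = S + a_1 x + ... + a_{k-1} x^{k-1}; shares are (x, f(x)), x = 1..n.
    `coeffs` may be supplied for a reproducible demonstration; otherwise they are random."""
    if not (0 <= secret < p and 1 < k <= n < p):
        raise ValueError("need 0 <= secret < p and 1 < k <= n < p")
    if coeffs is None:
        coeffs = [secrets.randbelow(p) for _ in range(k - 1)]
    poly = [secret] + list(coeffs)
    return [(x, eval_poly(poly, x, p)) for x in range(1, n + 1)]


def lagrange_at_zero(shares, p=PRIME):
    """L(0) = sum_j y_j * prod_{m != j} (0 - x_m) / (x_j - x_m)  (mod p).
    With k correct shares this is the secret; with fewer it is an unrelated value."""
    total = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * (-xm) % p          # factor (0 - x_m)
                den = den * (xj - xm) % p      # factor (x_j - x_m)
        total = (total + yj * num * pow(den, -1, p)) % p   # division = inverse mod p
    return total


def recover_from_all_subsets(shares, k, p=PRIME):
    """Every k-subset of the shares must agree; returns the set of recovered values."""
    return {lagrange_at_zero(list(sub), p) for sub in combinations(shares, k)}


if __name__ == "__main__":
    shares = split_secret(1371, 6, 3, coeffs=[166, 94])
    print(shares)                                  # 6 (x, f(x)) pairs
    print(recover_from_all_subsets(shares, 3))     # {1371}
    print(lagrange_at_zero(shares[:2]))            # 2 shares: not the secret
```

Two shares interpolate a line, not the quadratic, so their L(0) is some other field element; with random coefficients every candidate secret is equally consistent with any two shares, which is the property item (6) asks for.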

Protocol II: Visual Resolution of Firing Squad Synchronization

[Figure: space-time diagrams of the FSSP solution, panels labelled 1st-Generation General, 2nd-Generation General, 3rd, 4th, 5th (continued).]

Protocol III: Hashing Problem Solving

Crunching hash functions. Hash algorithms burn CPU cycles, and how many cycles each hash costs depends on the architecture-dependent implementation, so hash-based work does not always correspond to the Earth clock (which we call real time). Unlike repeated squaring, hashing is also embarrassingly parallel: an adversary with more machines finishes proportionally sooner, so hash puzzles bound expected cost, not elapsed time.

Block-chain verification can mitigate an adversarial offensive such as double spending. Combine with Tor-like layered ("onion") encryption along the path to cover tracks.

Initialization of Variables and Agent Responsibilities

Initializing the protocols and overview of certain assumptions

Distributed private-key generation
- Verifiable threshold secret sharing of the secret key (see the polynomial example).
- Secure multi-party reconstruction of the private-key components, done strategically so as not to reveal the participating agents' own secret keys, is non-trivial.
- Reconstruction and controlled publication of the private key.

Distributed key generation (public). Remember the group G definitions in the slides prior. Assume DKG/VSS (distributed key generation / verifiable secret sharing) is performed on all generated keys to verify authenticity of generation.

Network. The threshold trust system is extended to the network infrastructure. A node/server grabs data pushed from the managerial layer (privileged meta-nodes), which provides task handling for the project and load balancing around compromised nodes. Linked hash addresses maintain a block chain of validity (hashing password caches, etc.).

[Figure: timeline with Public Key (PK) and Decryption Key (DK); "Original Shot" at time T, "Deployment Date" at T+.]

Exotica: ideas meriting consideration where traditional protocols fail

Transmission to space. Exploit the finite speed of light and the astronomical distances of cosmic objects to guarantee some minimum amount of time during which the message (presumably an encoding onto coherent states prepared in a laboratory) is out of reach of terrestrial adversaries.

Quantum time-bomb [Wolfram/Puniani]. Suppose we bury a quantum device at several sites around the world (presumably around or in what you expect to be, or what have already been declared, cultural landmarks and monuments) with a known, semi-controllable diffusion emission rate. The information bubbling up would probably form a Dirichlet tessellation, in which the message is realized once all the shards close the gaps.

Biological timed safe. Venous stasis, an accumulation of fluids in poorly circulating regions of the body, tends to intensify pigmentation. Tissues fill with fluids from broken and leaky vessels, and the iron from released hemoglobin eventually stains the skin. Imagine if you could precisely tune the staining pattern to produce an imprint (tattoo) of the secret message at a specified time.

Appendix

Virtual time-locks: proof-of-work-driven implementation (Bitcoin style)

Compose a message now but ensure deferred consumption.

Message preparation
- Content hashing.
- Encrypt the message (via RSA, ElGamal, etc.).
- Distribute the encrypted message across nodes as shares (Share 1 ... Share 7 in the figure); redundancy avoids naive dependence on the infallibility of a single machine.
- Deploy a decryption script, which explicates the checkpoints.

Time-delayed decryption of the private key
- Specify a computationally hard (but efficiently variable) problem to be solved by the decryption script: Problem 1, Problem 2, ..., Problem n, one per checkpoint.
- Proof-of-work: have a trusted network of nodes verify that a certain number of well-characterized computational cycles were burned in order to advance through the script.

Final state
- Coordinated reconstruction of the encrypted message from the shares, using metadata for BitTorrent-like reassembly.
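The checkpointed decryption script of the appendix (and the hash crunching of Protocol III), as an added example that is not code from the slides: a hashcash-style proof-of-work per checkpoint, chained so that Problem i+1 depends on the solution of Problem i, with the difficulty in leading zero bits as the "efficiently variable" knob. Checkpoint inputs and difficulties below are constructed for the demonstration. Verification is one hash per checkpoint, which is what lets a network of nodes confirm the burned work cheaply; note that the nonce search itself is parallelizable, so, unlike Protocol I, this bounds expected cost rather than elapsed time.

```python
"""Chained hashcash-style proof-of-work as a 'virtual time-lock' (Appendix).
Added example, not the slides' code. Difficulty = required leading zero bits."""
import hashlib


def _hash(checkpoint: bytes, nonce: int) -> bytes:
    return hashlib.sha256(checkpoint + nonce.to_bytes(8, "big")).digest()


def leading_zero_bits(h: bytes) -> int:
    """Number of leading zero bits in a 32-byte digest."""
    return 256 - int.from_bytes(h, "big").bit_length()


def solve_checkpoint(checkpoint: bytes, difficulty: int) -> int:
    """Brute-force the smallest nonce whose hash has >= `difficulty` leading zero bits.
    Expected work ~2^difficulty hashes; this search parallelizes trivially."""
    nonce = 0
    while leading_zero_bits(_hash(checkpoint, nonce)) < difficulty:
        nonce += 1
    return nonce


def verify_checkpoint(checkpoint: bytes, difficulty: int, nonce: int) -> bool:
    """One hash: what a verifying node pays, regardless of the solver's effort."""
    return leading_zero_bits(_hash(checkpoint, nonce)) >= difficulty


def run_script(seed: bytes, difficulties) -> list:
    """Advance through Problem 1..n. Each checkpoint's input is the hash of the
    previous solution, so the nonces must be found in order, block-chain style."""
    proofs = []
    checkpoint = seed
    for d in difficulties:
        nonce = solve_checkpoint(checkpoint, d)
        proofs.append(nonce)
        checkpoint = _hash(checkpoint, nonce)
    return proofs


def verify_script(seed: bytes, difficulties, proofs) -> bool:
    """Re-derive the chain and check every checkpoint; rejects wrong seed,
    wrong nonce, or a proof list that does not cover all checkpoints."""
    if len(difficulties) != len(proofs):
        return False
    checkpoint = seed
    for d, nonce in zip(difficulties, proofs):
        if not verify_checkpoint(checkpoint, d, nonce):
            return False
        checkpoint = _hash(checkpoint, nonce)
    return True


if __name__ == "__main__":
    seed = b"constructed seed: hash of the encrypted message"
    difficulties = [8, 8, 10]          # constructed: ~256, ~256, ~1024 hashes expected
    proofs = run_script(seed, difficulties)
    print(proofs, verify_script(seed, difficulties, proofs))   # [...], True
```

Raising a difficulty by one bit doubles the expected work for that checkpoint, which is the tuning the slide calls "efficiently variable"; it does not stop a botnet from splitting the nonce range across machines.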

General Encryption Schemata

[Figure: key-management diagram. Labels: user keys K_U1 ... K_Um and K_UR; RNG; session keys K_S1 ... K_Sm; KSK; encryption E of the message producing EM; REM; "Launch Quantum Timed-Bomb".]

