Puniani, Arjan Singh - Time-Delayed Decryption Candidate Protocols

Upload: arjan

Post on 02-Apr-2018


  • 7/27/2019 Puniani, Arjan Singh - Time-Delayed Decryption Candidate Protocols

    Pure & Applied Research

    Arjan Singh Puniani

    Vitaliy Kaurov

    | Center for Theoretical Physics & Dept. of Physics, UC Berkeley, CA, USA

    | Lawrence Berkeley National Laboratory, Berkeley, CA, USA

    | Wolfram Research, Champaign, IL, USA

    VIABILITY STUDIES OF CANDIDATE PROTOCOLS

    Time-delayed decryption mechanisms for deployment-specified secure message transmission


    Major motivations: why would we need this?

    Govt. Accountability
    - Trustworthy govts today replaced by untrustworthy govts tomorrow: private keys may be nationalized out of state interest
    - Periodic dissemination of Congressional materials guaranteed to outlast lifetime of sovereignty
    - Complete record of govt operations guaranteed disclosure regardless of regime installation

    Intelligence Agencies
    - Sensitive data may not be suitable for dissemination after a certain time (Patriot Act)
    - Permanent record of inquiries made by certain agencies

    Corporations
    - Listed co.'s may eventually be required to disclose all deal terms to protect investors/discourage impropriety
    - Insider trading alibi

    Real Estate
    - Encrypt mortgage payments now and time release to banks later
    - Any escrow transactions (money held by trusted 3rd-parties)

    Academics
    - No more Library of Alexandria disasters
    - Guarantee delivery of research articles designated for future open accessibility following 2-3yr pay-wall

    Economics
    - Send a payment for future services rendered; estate planning
    - Securely preserve bid identity until auction ends

    Personal
    - Release personal diary posthumously
    - Write a letter to your future self
    - Blackmail (malicious)

    General
    - Trustworthy 3rd party handlers may prove impossible to find and guarantee
    - Physical implementations of storing secrets are out of the question


    Several preliminary considerations: naive approaches

    Bury a flash drive containing safe? (Physically-Vulnerable)

    Explanation. Suppose your secret message is password-key encrypted. Why not bury your message in a safe?

    Who do you share the treasure map with? If you want your secret to outlive you, you need a trusted source (or heir, etc.).

    Protection against the elements. The longevity of the protection scheme is a function of the environment: obviously, a cleanroom with round-the-clock armed guards would be ideal, but highly impractical.

    Ask N law firms to guarantee delivery (Cost-Prohibitive)

    Explanation. Hire law firms to store the message in confidence and enough of them to ensure that at least one does their job.

    Why this is tempting. The best law firms will likely stick around on the order of decades and deliver the message, but it is expensive.

    Any partial solutions? Assume you require exactly 1 to succeed, and no rehiring is done. Out of 1,300+ in the US, only 400 of size/resources. Assume only 50% want your business, another 10% are eliminated during selection, and around 3 fail/yr. For a 30yr transmission delay, ~80-90 firms must be hired. Avg. cost/yr.: $900,000*30yrs = $27mn

    Partial key escrow amongst friends? (Excess 3rd-Party Trust)

    Explanation. If you trust some people, just teach them the secret sharing protocol (e.g. XORing keys to attain master key).

    What's the issue? Shredding the key into distributable fragments might protect against newly-installed tyrannical regiment; that's it.

    Seems better than the others. It has some advantages, but a new problem: conspiratorial mutiny. We may be justified in predicting more powerful, more reliable technology, but we cannot say the same about people, unfortunately.

    Millionaire Problem (EXP Time Complexity)

    Explanation. Two millionaires can decide who is richer, without revealing their net worth; that's multi-party computation (MPC).

    More details. It's quite complex: basically, you just have to establish the inequality IJ, where I, J are fortunes of participants, not actually reveal amounts.

    That doesn't explain much. A sends B random-looking m, but is actually encrypted, storing A's secret x. B decrypts m, getting many Y. Any one of Y could be x, but after reducing Ys to the modulus prime, B selectively decrypts based on her wealth.


    Time-Delayed Encrypted Message Transmission: Generalized Process Flow Overview

    Stages: 1. Initialization; 2. Encryption; 3. Time Delay; 4. Decryption

    Flow diagram labels:

    Compose message
    Implement some redundancy scheme
    Apply protection
    Specify deployment
    Enforce data integrity
    Ensure delivery
    Specify decryption time
    Generate cipher-text
    Associate decryption key with cipher
    Consumption, Selection, Production
    Cloud-based to minimize physical dependence
    Consideration
    Maximize digital distance between content and key
    Reunite key with cipher
    Publish message
    Compare program counter to trustworthy clock


    Governing Rules of the Time-Delayed Encryption Protocol

    Desired Implementation Details & Axioms for All Proposed Systems

    Computational Equivalence; Computational Irreducibility

    - Must be possible to strongly verify authenticity and integrity of the message.
    - Document must trigger self-destruct when compromised (cracked prematurely)
    - For any network system, malicious adversaries will never control >50% of the nodes
    - NP-hard problems will remain computationally intractable on the order of centuries
    - Cannot deny the contents once information sent through the encrypted message protocol
    - Decryption key must remain unknowable until the specified document/message deployment time


    Encryption Schemes: Rendering trust between obsolete

    RSA for Dummies

    Before RSA, people exchanged keys to the locks that contained secrets they wished to share.

    RSA: Share open locks!

    Very easy to compute secrets and keys but (very) hard to invert

    A trapdoor function (OWF) is easy to map; difficult to reverse.

    Proposed Cryptographic Protocol

    Want to buy online from:

    They randomly select two huge primes: $p, q$

    AMZN publishes a huge number (but keeps the prime factors private): $N = pq$

    This is the public key: people who want to send AMZN a secret (e.g. their payment information) use this key to encode their information

    This is what you send back (your credit card = x): $x^3 \bmod N$

    Private / Public Key:

    For 10,000-digit long $p, q$: $10^6$ years required to compute roots of modulus $N$ without $p, q$

    So how does AMZN get x?

    Euclid taught us that the sequence below:

    $x \bmod N,\ x^2 \bmod N,\ x^3 \bmod N$

    is of periodicity: $(p-1)(q-1)$

    AMZN needs to find integer, k, s.t.:

    $3k = 1 \bmod (p-1)(q-1)$

    $(x^3)^k \bmod N = x^{3k} \bmod N = x \bmod N$

    Can this encryption system be cracked? Theoretically, yes.

    RSA is not the only cryptographic protocol (just most prevalent), and other equipotent encryption schemes derive security guarantees from similarly exploiting gulf between P/NP problems. We arrive at the conjecture:

    Current public-key encryption protocols are sufficient to complement any TCP/IP-based proposal presented

    But our assumption of computational intractability persisting indefinitely ignores nonzero probability of realizing quantum computers anytime soon


    Protocol I: Memory-Hard Functions to Compute [Part I]

    Idea

    Computations tend to vary in execution time considerably across architectures, but a certain class of problems, called time-lock problems, can be constructed so that a minimum amount of time is required to solve them.

    Details

    Each puzzle is easy to compute, but very hard to solve. In fact, the most famous example is:

    $2^{2^t} \bmod n$

    Which can only be solved by t squarings modulus n per second

    If an equation can be solved either only P or several NP ways, classical computers opt for the polynomial-time method, no matter the inefficiency, to realize solutions in reasonable time.
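    An added example (not code from the slides) of the repeated-squaring puzzle on this slide, using its key wrapping C_K = K + a^(2^t) (mod n): the creator, who knows p and q, reduces the exponent 2^t modulo (p-1)(q-1) and finishes in one modular exponentiation, while the solver must perform t squarings one after another. Assumptions: the function names, the fixed public Mersenne primes (constructed for the demo, so not secret) and leaving out the RC5 message-encryption step are choices made for this illustration.

```python
import secrets
from math import gcd

# Constructed demo primes (public Mersenne primes, so NOT secret): a real
# puzzle needs freshly generated large random primes known only to Alice.
P, Q = 2**107 - 1, 2**127 - 1


def make_puzzle(key: int, T: int, S: int, p: int = P, q: int = Q) -> dict:
    """Alice's side: hide `key` behind t = T*S sequential squarings mod n."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not 0 <= key < n:
        raise ValueError("key must be an integer in [0, n)")
    t = T * S
    while True:                      # pick random a with 1 < a < n, coprime to n
        a = secrets.randbelow(n - 2) + 2
        if gcd(a, n) == 1:
            break
    e = pow(2, t, phi)               # trapdoor: reduce the exponent 2^t mod phi(n)
    b = pow(a, e, n)                 # equals a^(2^t) mod n by Euler's theorem
    c_k = (key + b) % n              # C_K = K + a^(2^t) (mod n)
    return {"n": n, "a": a, "t": t, "C_K": c_k}   # p, q, phi, b are discarded


def solve_puzzle(puzzle: dict) -> int:
    """Solver's side: without phi(n), do t squarings one after another."""
    n, b = puzzle["n"], puzzle["a"]
    for _ in range(puzzle["t"]):
        b = b * b % n
    return (puzzle["C_K"] - b) % n


if __name__ == "__main__":
    K = secrets.randbits(160)        # constructed 160-bit key
    puzzle = make_puzzle(K, T=2, S=5000)
    assert solve_puzzle(puzzle) == K
    print("recovered key after", puzzle["t"], "squarings")
```

    The creator's cost grows with the bit length of t, the solver's with t itself, which is what lets T be chosen as a delay.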

    Calculating the Components to Instantiate a Time-Lock Puzzle

    Alice wants to send message, M, with a time delay of T seconds for decryption

    Step 1: large primes, p, q

    $n = pq$

    $\phi(n) = (p-1)(q-1)$

    Step 2: calculates t; S = number of squarings modulo n per second

    $t = TS$

    Step 3: generates random K, typically must be >160 bits to guarantee security

    Step 4: encrypts M with K and crypto-sys RC5 to generate ciphertext, $C_M$

    $C_M = \mathrm{RC5}(K, M)$

    Step 6: produces output in the form of a time-lock puzzle, discarding any other intermediate variables

    Step 5:

    $C_K = K + a^{2^t} \pmod{n}$

    selects random a (mod n),

    where (1 < a