puniani, arjan singh - time-delayed decryption candidate protocols
TRANSCRIPT
-
7/27/2019 Puniani, Arjan Singh - Time-Delayed Decryption Candidate Protocols
Pure & Applied Research
Arjan Singh Puniani
Vitaliy Kaurov
| Center for Theoretical Physics & Dept. of Physics, UC Berkeley, CA, USA
| Lawrence Berkeley National Laboratory, Berkeley, CA, USA
| Wolfram Research, Champaign, IL, USA
VIABILITY STUDIES OF CANDIDATE PROTOCOLS
Time-delayed decryption mechanisms for deployment-specified secure message transmission
Major motivations: why would we need this?
Govt. Accountability:
- Trustworthy govts today replaced by untrustworthy govts tomorrow: private keys may be nationalized out of state interest
- Periodic dissemination of Congressional materials guaranteed to outlast lifetime of sovereignty
- Complete record of govt operations guaranteed disclosure regardless of regime installation
Intelligence Agencies:
- Sensitive data may not be suitable for dissemination after a certain time (Patriot Act)
- Permanent record of inquiries made by certain agencies
Corporations:
- Listed co.'s may eventually be required to disclose all deal terms to protect investors/discourage impropriety
- Insider trading alibi
Real Estate:
- Encrypt mortgage payments now and time release to banks later
- Any escrow transactions (money held by trusted 3rd-parties)
Academics:
- No more Library of Alexandria disasters
- Guarantee delivery of research articles designated for future open accessibility following 2-3yr pay-wall
Economics:
- Send a payment for future services rendered; estate planning
- Securely preserve bid identity until auction ends
Personal:
- Release personal diary posthumously
- Write a letter to your future self
- Blackmail (malicious)
General:
- Trustworthy 3rd party handlers may prove impossible to find and guarantee
- Physical implementations of storing secrets are out of the question
Several preliminary considerations: naïve approaches
Bury a flash drive containing safe? [Physically-Vulnerable]
- Explanation. Suppose your secret message is password-key encrypted. Why not bury your message in a safe?
- Who do you share the treasure map with? If you want your secret to outlive you, you need a trusted source (or heir, etc.).
- Protection against the elements. The longevity of the protection scheme is a function of the environment: obviously, a cleanroom with round-the-clock armed guards would be ideal, but highly-impractical
Ask N law firms to guarantee delivery [Cost-Prohibitive]
- Explanation. Hire law firms to store the message in confidence and enough of them to ensure that at least one does their job.
- Why this is tempting. The best law firms will likely stick around on the order of decades and deliver the message, but it is expensive.
- Any partial solutions? Assume you require exactly 1 to succeed, and no rehiring is done. Out of 1,300+ in the US, only 400 of size/resources. Assume only 50% want your business, another 10% are eliminated during selection, and around 3 fail/yr. For a 30yr transmission delay, ~80-90 firms must be hired. Avg. cost/yr.: $900,000*30yrs = $27mn
Partial key escrow amongst friends? [Excess 3rd-Party Trust]
- Explanation. If you trust some people, just teach them the secret sharing protocol (e.g. XORing keys to attain master key).
- What's the issue? Shredding the key into distributable fragments might protect against newly-installed tyrannical regiment; that's it.
- Seems better than the others. It has some advantages, but a new problem: conspiratorial mutiny. We may be justified in predicting more powerful, more reliable technology, but we cannot say the same about people, unfortunately.
Millionaire Problem [EXP Time Complexity]
- Explanation. Two millionaires can decide who is richer, without revealing their net worth; that's multi-party computation (MPC).
- More details. It's quite complex: basically, you just have to establish the inequality between I and J, where I, J are fortunes of participants, not actually reveal amounts.
- That doesn't explain much. A sends B random-looking m, but is actually encrypted, storing A's secret x. B decrypts m, getting many Y. Any one of Y could be x, but after reducing Y's to the modulus prime, B selectively decrypts based on her wealth.
Time-Delayed Encrypted Message Transmission: Generalized Process Flow Overview
Stages: 1. Initialization; 2. Encryption; 3. Time Delay; 4. Decryption
- Compose message
- Implement some redundancy scheme
- Apply protection
- Specify deployment
- Enforce data integrity
- Ensure delivery
- Specify decryption time
- Generate cipher-text
- Associate decryption key with cipher
- Cloud-based to minimize physical dependence
- Maximize digital distance between content and key
- Reunite key with cipher
- Publish message
- Compare program counter to trustworthy clock
Consumption, Selection, Production
Consideration
Governing Rules of the Time-Delayed Encryption Protocol
Desired Implementation Details & Axioms for All Proposed Systems
Computational Equivalence
Computational Irreducibility
- Must be possible to strongly verify authenticity and integrity of the message.
- Document must trigger self-destruct when compromised (cracked prematurely)
- For any network system, malicious adversaries will never control >50% of the nodes
- NP-hard problems will remain computationally intractable on the order of centuries
- Cannot deny the contents once information sent through the encrypted message protocol
- Decryption key must remain unknowable until the specified document/message deployment time
Encryption Schemes: Rendering trust between obsolete
RSA for Dummies
Before RSA, people exchanged keys to the locks that contained secrets they wished to share. RSA: Share open locks!
A trapdoor function (OWF), is easy to map; difficult to reverse. Very easy to compute secrets and keys but (very) hard to invert.
Want to buy online from:
Private Key: They randomly select two huge primes: $p, q$
Public Key: AMZN publishes a huge number (but keeps the prime factors private): $N = pq$
This is the public key: people who want to send AMZN a secret (e.g. their payment information), use this key to encode their information
This is what you send back (your credit card = x): $x^3 \bmod N$
For 10,000-digit long $p, q$: $10^6$ years required to compute roots of modulus $N$ without $p, q$
So how does AMZN get x?
Euclid taught us that the sequence below:
$x \bmod N,\ x^2 \bmod N,\ x^3 \bmod N$
is of periodicity: $(p-1)(q-1)$
AMZN needs to find integer, k, s.t.:
$3k = 1 \bmod (p-1)(q-1)$
$(x^3)^k \bmod N = x^{3k} \bmod N = x \bmod N$
Can this encryption system be cracked? Theoretically, yes.
RSA is not the only cryptographic protocol (just most prevalent), and other equipotent encryption schemes derive security guarantees from similarly exploiting gulf between P/NP problems. We arrive at the conjecture:
Proposed Cryptographic Protocol
Current public-key encryption protocols are sufficient to complement any TCP/IP-based proposal presented
But our assumption of computational intractability persisting indefinitely ignores nonzero probability of realizing quantum computers anytime soon
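The exchange on this slide worked through in Python, as an added example that is not part of the original deck: it finds k for exponent 3 and also checks whether x^3 actually exceeds N, because a bare 16-digit x does not and then falls to an ordinary integer cube root, which is why deployed RSA pads x to full size. The primes are well-known public constants and the card number is a constructed sample, both assumptions of this example; the function names are hypothetical.

```python
from math import gcd

# Well-known public primes, fixed for reproducibility (assumption of this
# example). Real keys use secret random primes; both satisfy p = 2 (mod 3).
P = 2**448 - 2**224 - 1
Q = 2**130 - 5
E = 3  # the slide's public exponent

def keygen(p, q, e=E):
    """Return (N, k) with e*k = 1 mod (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("no k exists: e shares a factor with (p-1)(q-1)")
    return p * q, pow(e, -1, phi)

def encrypt(x, n, e=E):
    return pow(x, e, n)          # x^3 mod N, what the customer sends

def decrypt(c, n, k):
    return pow(c, k, n)          # (x^3)^k mod N = x mod N

def icbrt(c):
    """Integer cube root: largest r with r**3 <= c. Needs no key."""
    lo, hi = 0, 1 << (c.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= c:
            lo = mid
        else:
            hi = mid - 1
    return lo

def wraps_modulus(x, n, e=E):
    """True if x^e >= N, so the ciphertext is not just the plain cube of x."""
    return x ** e >= n

if __name__ == "__main__":
    N, k = keygen(P, Q)
    card = 4111111111111111            # constructed 16-digit sample value
    c = encrypt(card, N)
    print("decrypts with k:  ", decrypt(c, N, k) == card)
    print("cube wraps N:     ", wraps_modulus(card, N))
    print("root without k:   ", icbrt(c) == card)
    padded = (1 << 500) + card         # stand-in for a padded, full-size input
    print("padded wraps N:   ", wraps_modulus(padded, N))
    print("padded round-trip:", decrypt(encrypt(padded, N), N, k) == padded)
```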
Protocol I: Memory-Hard Functions to Compute [Part I]
Idea
Computations tend to vary in execution time considerably across architectures, but a certain class of problems, called time-lock problems, can be constructed so that a minimum amount of time is required to solve them.
Each puzzle is easy to compute, but very hard to solve. In fact, the most famous example is:
Details
$2^{2^t} \bmod n$
Which can only be solved by t squarings modulus n per second
If an equation can be solved either only P or several NP ways, classical computers opt for the polynomial-time method, no matter the inefficiency, to realize solutions in reasonable time.
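The time-lock puzzle this slide sets up, as an added Python example that is not part of the original deck: the creator uses φ(n) to compute a^(2^t) mod n cheaply, while the solver has to perform the t squarings one after another. It wraps only the key K (the RC5 encryption of M under K is left out), and the fixed public primes, function names and dictionary layout are assumptions of this example.

```python
import secrets
import time

# Well-known public primes, fixed for reproducibility (assumption of this
# example). A real puzzle uses secret random primes and forgets them.
P = 2**448 - 2**224 - 1
Q = 2**130 - 5

def squarings_per_second(n, sample=20000):
    """Measure S on this machine: squarings modulo n per second."""
    x, start = 3, time.perf_counter()
    for _ in range(sample):
        x = x * x % n
    return int(sample / (time.perf_counter() - start))

def make_puzzle(key, T, S, p=P, q=Q):
    """Creator: wrap `key` so that about T seconds of squaring unwrap it."""
    n, phi = p * q, (p - 1) * (q - 1)
    t = T * S                             # t = TS
    a = secrets.randbelow(n - 3) + 2      # random a, 1 < a < n - 1
    e = pow(2, t, phi)                    # shortcut open only to whoever knows phi(n)
    b = pow(a, e, n)                      # a^(2^t) mod n without t squarings
    c_k = (key + b) % n                   # C_K = K + a^(2^t) (mod n)
    return {"n": n, "a": a, "t": t, "C_K": c_k}   # p, q, phi, e, b are dropped

def solve_puzzle(puzzle):
    """Solver: t squarings in sequence, each needing the previous result."""
    n, b = puzzle["n"], puzzle["a"]
    for _ in range(puzzle["t"]):
        b = b * b % n
    return (puzzle["C_K"] - b) % n

if __name__ == "__main__":
    key = secrets.randbits(192)           # constructed key K, more than 160 bits
    S = squarings_per_second(P * Q)
    puzzle = make_puzzle(key, T=2, S=S)   # 2-second delay on this machine
    start = time.perf_counter()
    recovered = solve_puzzle(puzzle)
    print("S =", S, "t =", puzzle["t"])
    print("key recovered:", recovered == key,
          "after %.2f s" % (time.perf_counter() - start))
```

The delay is only as good as the estimate of S: a solver with faster sequential squaring finishes proportionally sooner, while adding more machines does not help because each squaring depends on the one before it.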
Calculating the Components to Instantiate a Time-Lock Puzzle
Alice wants to send message, $M$, with a time delay of $T$ seconds for decryption
Step 1: large primes, $p, q$; $n = pq$; $\phi(n) = (p-1)(q-1)$
Step 2 to Step 6:
- calculates $t$: $t = TS$; $S$ = number of squarings modulo $n$ per second
- generates random $K$, typically must be >160 bits to guarantee security
- encrypts $M$ with $K$ and crypto-sys RC5 to generate ciphertext, $C_M$: $C_M = \mathrm{RC5}(K, M)$
- produces output in the form of a time-lock puzzle, discarding any other intermediate variables
- $C_K = K + a^{2^t} \pmod{n}$
- selects random $a$ (mod $n$),
where (1 < a