1. Pure & Applied Research
VIABILITY STUDIES OF CANDIDATE PROTOCOLS: Time-delayed decryption mechanisms for deployment-specified secure message transmission

Arjan Singh Puniani
Vitaliy Kaurov

| Center for Theoretical Physics & Dept. of Physics, UC Berkeley, CA, USA
| Lawrence Berkeley National Laboratory, Berkeley, CA, USA
| Wolfram Research, Champaign, IL, USA
2. Major motivations: why would we need this?

Gov't Accountability
- Trustworthy gov'ts today replaced by untrustworthy gov'ts tomorrow: private keys may be "nationalized" out of state interest
- Periodic dissemination of Congressional materials guaranteed to outlast lifetime of sovereignty
- Complete record of gov't operations guaranteed disclosure regardless of regime installation

Intelligence Agencies
- Sensitive data may not be suitable for dissemination after a certain time (Patriot Act)
- Permanent record of inquiries made by certain agencies

Corporations
- Listed co.'s may eventually be required to disclose all deal terms to protect investors/discourage impropriety
- Insider trading "alibi"

Real Estate
- Encrypt mortgage payments now and time release to banks later
- Any escrow transactions (money held by trusted 3rd parties)

Academics
- No more Library of Alexandria disasters
- Guarantee delivery of research articles designated for future open accessibility following 2-3yr paywall

Economics
- Send a payment for future services rendered; estate planning
- Securely preserve bid identity until auction ends

Personal
- Release personal diary posthumously
- Write a letter to your future self
- Blackmail (malicious)

General
- Trustworthy 3rd party handlers may prove impossible to find and guarantee
- Physical implementations of storing secrets are out of the question
3. Several preliminary considerations: "naïve" approaches

Physically-Vulnerable: bury a flash drive containing safe?
- Explanation. Suppose your secret message is password-key encrypted. Why not bury your message in a safe?
- Who do you share the "treasure map" with? If you want your secret to outlive you, you need a trusted source (or heir, etc.).
- Protection against the elements. The longevity of the protection scheme is a function of the environment: obviously, a cleanroom with round-the-clock armed guards would be ideal, but highly impractical.

Cost-Prohibitive: ask N law firms to guarantee delivery
- Explanation. Hire law firms to store the message in confidence, and enough of them to ensure that at least one does their job.
- Why this is tempting. The best law firms will likely stick around on the order of decades and deliver the message, but it is expensive.
- Any partial solutions? Assume you require exactly 1 to succeed, and no rehiring is done. Out of 1,300+ in the US, only 400 are of sufficient size/resources. Assume only 50% want your business, another 10% are eliminated during selection, and around 3 fail/yr. For a 30yr transmission delay, ~80-90 firms must be hired. Avg. cost/yr.: $900,000 * 30yrs = $27mn

Excess 3rd-Party Trust: partial key escrow amongst friends?
- Explanation. If you trust some people, just teach them the secret sharing protocol (e.g. XOR'ing keys to attain master key).
- What's the issue? Shredding the key into distributable fragments might protect against a newly-installed tyrannical regime; that's it.
- Seems better than the others… It has some advantages, but a new problem: conspiratorial mutiny. We may be justified in predicting more powerful, more reliable technology, but we cannot say the same about people, unfortunately.

EXP Time Complexity: Millionaire Problem
- Explanation. Two millionaires can decide who is richer, without revealing their net worth; that's multi-party computation (MPC).
- More details. It's quite complex: basically, you just have to establish the inequality I ≤ J, where I, J are fortunes of participants, not actually reveal amounts.
- That doesn't explain much… A sends B random-looking m, which is actually encrypted, storing A's secret x. B decrypts m, getting many Y. Any one of Y could be x, but after reducing the Y's to the modulus prime, B selectively decrypts based on her wealth. ☐
4. Time-Delayed Encrypted Message Transmission
Generalized Process Flow Overview

1. Initialization (Production)
- Compose message
- Implement some redundancy scheme
- Specify deployment

2. Encryption (Selection)
- Apply protection
- Specify decryption time
- Generate cipher-text
- Associate decryption key with cipher

3. Time Delay
- Enforce data integrity
- Ensure delivery
- Consideration: cloud-based to minimize physical dependence
- Consideration: maximize "digital distance" between content and key

4. Decryption (Consumption)
- Compare program counter to trustworthy clock
- Reunite key with cipher
- Publish message
5. Governing Rules of the Time-Delayed Encryption Protocol
Desired Implementation Details & "Axioms" for All Proposed Systems

- Computational Equivalence
- Computational Irreducibility
- Must be possible to strongly verify authenticity and integrity of the message.
- Document must trigger self-destruct when compromised (cracked prematurely)
- For any network system, malicious adversaries will never control >50% of the nodes
- NP-hard problems will remain computationally intractable on the order of centuries
- Cannot deny the contents once information is sent through the encrypted message protocol
- Decryption key must remain unknowable until the specified document/message deployment time
6. Encryption Schemes: Rendering trust between obsolete

Can this encryption system be "cracked"? Theoretically, yes. RSA is not the only cryptographic protocol (just the most prevalent), and other equipotent encryption schemes derive security guarantees from similarly exploiting the gulf between P/NP problems. We arrive at the conjecture:

Proposed Cryptographic Protocol
- Want to buy online from AMZN. They randomly select two huge primes: p, q
- AMZN publishes a huge number (but keeps the prime factors private): N = pq
- This is the "public key": people who want to send AMZN a "secret" (e.g. their payment information) use this key to encode their information
- This is what you send back (your credit card = x): x^3 mod N
- Private key: p, q. Public key: N. For 10,000-digit long p, q: 10^6 years required to compute roots of modulus N without p, q
- A trapdoor function (OWF) is easy to map, difficult to "reverse".

So how does AMZN get x? Euclid taught us that the sequence below:
  x mod N, x^2 mod N, x^3 mod N, …
is of periodicity (p-1)(q-1). AMZN needs to find an integer k s.t.:
  3k ≡ 1 mod (p-1)(q-1)
  (x^3)^k mod N = x^{3k} mod N = x mod N
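The AMZN walk-through above, as an added example that is not part of the slides: textbook RSA with public exponent 3, including the condition the slide leaves implicit (k exists only when 3 is coprime to (p-1)(q-1)) and a direct check of the periodicity the slide attributes to Euclid (the property used is Euler's theorem). The primes, the sample card number and all function names are constructed for this example; the primes are well-known but far too small for real use, and real deployments pad x (e.g. RSA-OAEP) rather than sending a bare x^3 mod N.

```python
# Added example (not from the slides): textbook RSA with public exponent 3.
from math import gcd

P_SAMPLE = 1000000007   # constructed sample prime
Q_SAMPLE = 998244353    # constructed sample prime; (q-1) is not divisible by 3, so e=3 works
E = 3

def rsa_keygen(p, q, e=E):
    """Return (N, k): N = pq is published, k satisfies e*k ≡ 1 mod (p-1)(q-1).

    k exists only when gcd(e, (p-1)(q-1)) == 1; otherwise this prime pair
    cannot be used with e = 3 and new primes must be chosen.
    """
    N = p * q
    phi = (p - 1) * (q - 1)              # period of x, x^2, x^3, ... mod N
    if gcd(e, phi) != 1:
        raise ValueError("e shares a factor with (p-1)(q-1); no k exists")
    k = pow(e, -1, phi)                  # modular inverse (Python 3.8+)
    return N, k

def rsa_encrypt(x, N, e=E):
    """What the customer sends back: x^e mod N (needs 0 <= x < N)."""
    if not 0 <= x < N:
        raise ValueError("x must be reduced modulo N before encryption")
    return pow(x, e, N)

def rsa_decrypt(c, N, k):
    """AMZN's trapdoor: (x^e)^k = x^(e*k) = x (mod N)."""
    return pow(c, k, N)

def e3_usable(p, q):
    """True when the prime pair admits public exponent 3."""
    try:
        rsa_keygen(p, q)
        return True
    except ValueError:
        return False

def roundtrip(x, p, q):
    """Encrypt with the public key, decrypt with k, compare."""
    N, k = rsa_keygen(p, q)
    return rsa_decrypt(rsa_encrypt(x, N), N, k) == x

def period_holds(x, p, q):
    """Euler's theorem: x^((p-1)(q-1)) ≡ 1 (mod N) whenever gcd(x, N) == 1."""
    N = p * q
    return gcd(x, N) == 1 and pow(x, (p - 1) * (q - 1), N) == 1

if __name__ == "__main__":
    card = 4111111111111111          # constructed sample "credit card = x"
    print("recovered x:", roundtrip(card, P_SAMPLE, Q_SAMPLE))
    print("e=3 usable with 10^9+7 and 10^9+9:", e3_usable(1000000007, 1000000009))
```

The second prime pair in the `__main__` block (10^9+7, 10^9+9) is deliberately one where (q-1) is a multiple of 3, so `rsa_keygen` refuses it; the gcd check is what separates a working key from one where no k exists.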
But our assumption of computational intractability persisting indefinitely ignores the nonzero probability of realizing quantum computers anytime soon.

Current public-key encryption protocols are sufficient to complement any TCP/IP-based proposal presented.

RSA for Dummies: very easy to compute secrets and keys… but (very) hard to "invert". Before RSA, people exchanged "keys" to the locks that contained secrets they wished to share. RSA: share "open locks".
7. Protocol I: Memory-Hard Functions to Compute [Part I]

Idea
Computations tend to vary in execution time considerably across architectures, but a certain class of problems, called time-lock problems, can be constructed so that a minimum amount of time is required to solve them.

Details
Each "puzzle" is easy to compute, but very hard to solve. In fact, the most famous example is:
  2^(2^t) mod n
which can only be solved by performing t squarings modulo n in sequence (S is the number of squarings modulo n per second).

If an equation can be solved either only P or several NP ways, classical computers opt for the polynomial-time method, no matter the inefficiency, to realize solutions in reasonable time.

Calculating the Components to Instantiate a Time-Lock Puzzle
Alice (α) wants to send message M with a time delay of T seconds for decryption.

Step 1. α selects large primes p, q:
  n = pq
  φ(n) = (p-1)(q-1)
Step 2. α calculates t; S = number of squarings modulo n per second:
  t = T·S
Step 3. α generates random K; typically K must be >160 bits to guarantee security.
Step 4. α encrypts M with K and crypto-system RC5 to generate ciphertext C_M:
  C_M = RC5(K, M)
Step 5. α selects random a (mod n), where 1 < a < n, and encrypts K as C_K [e, b are for convenience]:
  e = 2^t (mod φ(n))
  b = a^e (mod n)
  C_K = K + a^(2^t) (mod n)
Step 6. α produces output in the form of a time-lock puzzle, discarding any other intermediate variables:
  (n, a, t, C_K, C_M)
8. Protocol I: Memory-Hard Functions to Compute [Part II]
CPU Time =?= Real Time

Step: how do you approach a solution? Initial considerations; warnings and limitations; manipulability. Some steps to consider:
- By explicit design, searching through RC5 for K is incomprehensibly difficult, computationally speaking.
- Fastest known approach: knowledge of φ(n) reduces 2^t efficiently to e, modulo φ(n). This implies that b is computed via:
    b = a^(2^t) (mod n)
    b = a^e (mod n)
- Computing n from φ(n) is provably hard, so once α discards p, q, there is no avoiding the perception that there appears to be no faster way to compute b than to start with a and perform t squarings sequentially (as you must square the previous amount).
- Hence, the number t of squarings required to solve a particular instantiation of the puzzle can be precisely controlled.
- Repeated squaring is an intrinsically sequential computational process, and parallelizable algorithms are not evident for this particular case.

Primary Unanswered Question
Under what computing conditions or problems can we agree with confidence on the equality existing between the two quantities (CPU time and real time)?
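Steps 1-6 of Part I and the "b = a^e (mod n) = a^(2^t) (mod n)" shortcut of Part II, as one added example that is not code from the slides: the puzzle builder (who knows φ(n) and takes the fast route), the solver (who does not, and must perform the t squarings one after another), a direct check that the two routes agree, and a small routine that estimates S on the current machine, which is exactly the CPU-time-versus-real-time quantity the slide questions. RC5 is not in the standard library, so C_M is produced by a SHA-256 counter-mode keystream, a stand-in and not the RC5 of the slide. The primes, K, a and the message are constructed sample values; with these small primes K must be below n, whereas the slide's >160-bit K presumes a correspondingly large n.

```python
# Added example (not from the slides): time-lock puzzle per Steps 1-6 and its solver.
import hashlib
import time

P_SAMPLE = 1000000007   # constructed; real puzzles use primes of ~1024 bits or more
Q_SAMPLE = 998244353    # constructed

def keystream_xor(key_int, data):
    """Stand-in for RC5(K, M): XOR with SHA-256(key || counter) blocks.
    Symmetric, so the same call encrypts and decrypts."""
    key = key_int.to_bytes(32, "big")
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(x ^ y for x, y in zip(data[off:off + 32], block))
    return bytes(out)

def measure_squarings_per_second(n, seconds=0.2):
    """Step 2's S, estimated on this machine (CPU time, not a trusted clock)."""
    x, count = 2, 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        for _ in range(1000):
            x = x * x % n
        count += 1000
    return count / seconds

def make_puzzle(p, q, T_seconds, S, K, a, message):
    """Steps 1-6: returns (n, a, t, C_K, C_M); p, q, phi, e and b are discarded."""
    n = p * q
    phi = (p - 1) * (q - 1)               # Step 1
    t = T_seconds * S                     # Step 2
    if not (0 <= K < n and 1 < a < n):
        raise ValueError("need 0 <= K < n and 1 < a < n")
    e = pow(2, t, phi)                    # Step 5 shortcut: only phi's owner can do this
    b = pow(a, e, n)                      # b = a^(2^t) mod n, computed fast
    C_K = (K + b) % n
    C_M = keystream_xor(K, message)       # Step 4 (stand-in for RC5)
    return (n, a, t, C_K, C_M)

def solve_puzzle(puzzle):
    """Without phi(n): t sequential squarings, then K = C_K - b (mod n)."""
    n, a, t, C_K, C_M = puzzle
    b = a % n
    for _ in range(t):                    # inherently sequential: each step needs the last
        b = b * b % n
    K = (C_K - b) % n
    return K, keystream_xor(K, C_M)

def shortcut_matches_sequential(p, q, a, t):
    """Part II's claim, checked directly: a^e (mod n) == a^(2^t) (mod n).
    Holds when gcd(a, n) == 1, true for all but a negligible fraction of a."""
    n, phi = p * q, (p - 1) * (q - 1)
    fast = pow(a, pow(2, t, phi), n)
    slow = a % n
    for _ in range(t):
        slow = slow * slow % n
    return fast == slow

def demo(T_seconds=1, S=2000):
    """Lock a constructed message for T seconds at an assumed S squarings/s."""
    K = 0x5EEDC0DE1234           # constructed 48-bit key (must be < n here)
    a = 0x123456789ABCDEF        # constructed base, 1 < a < n
    msg = b"release at T+delta"  # constructed message
    puzzle = make_puzzle(P_SAMPLE, Q_SAMPLE, T_seconds, S, K, a, msg)
    K_found, plaintext = solve_puzzle(puzzle)
    return K_found == K and plaintext == msg

if __name__ == "__main__":
    print("S on this machine ~", int(measure_squarings_per_second(P_SAMPLE * Q_SAMPLE)))
    print("puzzle solved:", demo())
```

Running `measure_squarings_per_second` on two different machines gives two different S, which is the practical content of the "CPU Time =?= Real Time" question: t fixes the number of sequential squarings exactly, but the wall-clock delay it buys depends on the fastest squaring hardware the solver can obtain.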
9. Protocol I: General Security Features Afforded

Summary of Potential Risks / Justification for Demonstrative Purposes
- Adversarial Botnet Swarms. Risk: assume that many, many more computers are recruited to enhance the negative objective, but ONLY brute force attacks are possible. Justification: one-way function that is extremely, extremely sequential (no parallelizability); hence infinite resource scaling would not enhance time resolution.
- Compromised PK Production. Risk: malicious adversaries may conflate user's legal actions with commercially questionable tactics, reducing effectiveness. Justification: a managerial layer of "meta-nodes" with intelligent task scheduling.
- Premature Reassembly of DK. Risk: stochastic stimuli. Justification: FSSP solutions, proof-of-work.
- Delayed Reassembly of DK. Risk: stochastic stimuli. Justification: FSSP solutions, proof-of-work.
10. Protocol I: Memory-hard Problem Solving with Optimized Sorting

1. Solving Time-Lock "Puzzles"
Assume: nodes are designated workspaces to
-- Verifiable threshold secret sharing of private key through randomized distribution of shares
-- Secure multi-party (consensus-based) reconstruction of private key components

2. Sorting and Bucketing(?)
N secure buckets, where s buckets are secure vaults and f buckets are "furnaces" (permanent file deletion protocols)
-- Reconstruction of the shredded private keys occurs thanks to block chain verification of uncompromised, continuously-run systems
-- Optimized bucketing translates to fewer collisions for bins with high incoming inventory velocity

Where is the encrypted document? Decentralized distribution of metadata + content via a recruiter. Just as Julian Assange/Wikileaks released a 1.45GB AES-256-encrypted insurance file over BitTorrent, the encryption key should be subject to maximum economic protection.
11. Protocol II: Firing Squads & Polynomials: How do you share a secret?

Snapshot
- We can learn a lot from the problem officers face when trying to get all the soldiers in the execution squad to fire at the same time…
- Situation: time-delay
- Complication: synchronization
- Question: NTP-independent?

Proposal
Cut the secret message in N strips. Distribute across network randomly. Base network protocol on firing squad synchronization problem (FSSP) solutions to ensure the message is guaranteed simultaneous transmission.

Lagrange Basis Polynomials
- k numbers uniquely determine a degree-(k-1) polynomial
- E.g.
- Major idea: given a set of (k+1) data points, the interpolation polynomial is:
  Assuming no two x_j are the same, L(x) resolves the polynomial.

Dividing the message (example calculation; let the secret S be 1371)
(1) We have n=6 friends willing to keep a piece of our secret, but want to ensure only k=3 pieces are necessary for reconstruction.
(2) Choose k-1=2 random coefficients to construct:
(3) Resolve 6 unique points:
(4) Distribute amongst your friends the 6 pairs
(5) Designate a rally point after time t elapses
(6) Note: if you have n nodes and you want to guarantee that only k-many nodes are sufficient to recover the message, then true security means distributing only k-1 pieces of info

Recovering original (polynomial multiplication)
- Harvest 3 pairs from your group of friends, and compute the Lagrange basis polynomials:
- Now, multiply each of the basis polynomials by the f(x) at that point:

FSSP Solutions as Protocol: synchronization rules; abstraction; signal speed: α/3
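The dividing and recovering steps above, as an added example that is not from the slides: Shamir secret sharing with the slide's parameters (S = 1371, n = 6 friends, k = 3), with the Lagrange basis polynomials evaluated at x = 0 and the "no two x_j the same" assumption enforced. Arithmetic is done modulo a prime so that the division inside each basis polynomial is a modular inverse; the field prime and the two coefficients 166 and 94 are constructed choices (the slides leave the coefficients unspecified), as are all function names.

```python
# Added example (not from the slides): Shamir secret sharing via Lagrange interpolation.
import secrets

PRIME = 1000000007   # constructed: all arithmetic is mod this well-known prime

def make_shares(secret, n, k, coeffs=None, p=PRIME):
    """Steps (2)-(4): f(x) = secret + c1*x + ... + c_{k-1}*x^(k-1) (mod p),
    evaluated at x = 1..n. Any k of the returned (x, f(x)) pairs recover secret."""
    if coeffs is None:                               # k-1 random coefficients
        coeffs = [secrets.randbelow(p - 1) + 1 for _ in range(k - 1)]
    if len(coeffs) != k - 1:
        raise ValueError("need exactly k-1 coefficients")
    poly = [secret % p] + list(coeffs)

    def f(x):
        return sum(c * pow(x, i, p) for i, c in enumerate(poly)) % p

    return [(x, f(x)) for x in range(1, n + 1)]

def lagrange_at_zero(points, p=PRIME):
    """Sum over j of y_j * l_j(0), where l_j(0) = prod_{m != j} (0 - x_m) / (x_j - x_m).
    Requires distinct x_j, as the slide assumes."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("x values must be distinct")
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (-xm) % p
                den = den * (xj - xm) % p
        total = (total + yj * num * pow(den, -1, p)) % p   # division via modular inverse
    return total

def recover(points, k, p=PRIME):
    """Use exactly k shares; fewer than k leave the secret undetermined."""
    if len(points) < k:
        raise ValueError(f"need at least {k} shares")
    return lagrange_at_zero(points[:k], p)

def demo():
    """Slide's numbers: S = 1371, n = 6, k = 3, constructed coefficients 166 and 94."""
    shares = make_shares(1371, n=6, k=3, coeffs=[166, 94])
    from_first_three = recover(shares[:3], 3)
    from_last_three = recover(shares[3:], 3)
    two_only = lagrange_at_zero(shares[:2])      # k-1 shares: a wrong value, with no error
    return shares, from_first_three, from_last_three, two_only

if __name__ == "__main__":
    shares, a, b, wrong = demo()
    print("shares:", shares)
    print("recovered from first three:", a, "| from last three:", b)
    print("interpolating only 2 shares gives:", wrong)
```

The last line of `demo` is the point of step (6): two of the six friends together learn nothing that singles out 1371, because every value of the constant term is consistent with some degree-2 polynomial through their two points; the interpolation simply returns a different, equally plausible number.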
12. Protocol II: Visual Resolution of Firing Squad Synchronization
[Figure: space-time (x, t) diagram of firing squad synchronization; panels labelled 1st-Generation General, 2nd-Generation General, 3rd, 4th, 5th. Continued…]
13. Protocol III: Hashing Problem Solving

1. Crunching Hash Functions
Hash algorithms burn CPU cycles, which is a function of the architecture-dependent implementation, and may not always fully correspond to the "Earth" clock (which we call real-time).

Block chain verification can mitigate adversarial offensives on "double spending". Combine with Tor-like pathway fold-in to cover tracks.
14. Initialization of Variables and Agent Responsibilities
Initializing the Protocols and Overview of Certain Assumptions

Private
- Distributed key generation
- Verifiable threshold secret sharing of the secret key (polynomials example)
- Secure multi-party reconstruction of private key components, done strategically so as not to reveal private agents' secret keys, is non-trivial
- Reconstruction and controlled publication of the private key

Public
- Distributed key generation
- Remember group G definitions in slides prior.
- Assume DKG/VSS on all generated keys performed to verify authenticity of generation

Network
- Threshold trust system extended to network infrastructure
- Node/server grabs data pushed from managerial layer (privileged meta-nodes)
- Provide task handling for project

Variables: Public Key "PK"; Decryption Key "DK"; Original Shot "T"; Deployment Date "T+δ"

Linked hash addresses to maintain a block chain of validity (hashing password caches, etc.)
15. Exotica: Ideas meriting consideration whence traditional protocols fail

- Transmission to space. Exploit the finite speed of light and the astronomical distances of cosmic objects to guarantee some minimum amount of time the message (presumably, an encoding onto some coherent states prepared in a laboratory) is out of reach from terrestrial adversaries.
- Quantum time-bomb [Wolfram/Puniani]. Suppose we bury a quantum device in several sites around the world (presumably, around or in what you expect to be or already have been declared cultural landmarks and monuments) with a known, semi-controllable "diffusion" emission rate. The information bubbling up would probably recruit a type of Dirichlet tessellation, in which a message is realized once all the shards close the gaps.
- Biological timed-safe. Venous stasis, an accumulation of fluids in poorly-circulating regions in the body, tends to intensify pigmentation. Tissues fill with fluids from broken and leaky vessels, and the iron from released hemoglobin eventually stains the skin. Imagine if you could precisely tune the staining pattern to produce an imprint ("tattoo") with the secret message at a specified time.
17. Virtual time-locks: proof of work driven implementation (bitcoin style)
Compose a Message Now but Ensure Deferred Consumption

Message Preparation
- Encrypt message (via RSA, ElGamal, etc.)
- Content hashing; distribute the encrypted message across nodes as shares, with meta-data for BitTorrent-like reassembly
- Redundancy avoids naïve dependence on the infallibility of a single machine

Time-Delayed Decryption
- Deploy Decryption Script, which explicates checkpoints
- Specify computationally-hard (but efficiently-variable) problems to be solved by the Decryption Script: Problem 1, Problem 2, …, Problem n, leading to the Final State
- Proof-of-work. Have a trusted network of nodes verify that a certain number of well-characterized computational cycles were burned in order to advance through the script

Coordinated Reconstruction of Encrypted Message: the Private Key is reassembled from the shares