Puniani, Arjan Singh | Candidate Time-Delayed Decryption Protocols for Deployment-Specified Secure Message Transmission
Wolfram Research NKS 2013 Deliverable
Published in: Technology, Education
Slide 1. Viability Studies of Candidate Protocols: Time-delayed decryption mechanisms for deployment-specified secure message transmission
Pure & Applied Research. Arjan Singh Puniani, Vitaliy Kaurov | Center for Theoretical Physics & Dept. of Physics, UC Berkeley, CA, USA | Lawrence Berkeley National Laboratory, Berkeley, CA, USA | Wolfram Research, Champaign, IL, USA
Slide 2. Major motivations: why would we need this?
Gov't accountability
- Trustworthy gov'ts today replaced by untrustworthy gov'ts tomorrow: private keys may be "nationalized" out of state interest.
- Periodic dissemination of Congressional materials guaranteed to outlast the lifetime of sovereignty.
- Complete record of gov't operations guaranteed disclosure regardless of regime installation.
Intelligence agencies
- Sensitive data may not be suitable for dissemination after a certain time (Patriot Act).
- Permanent record of inquiries made by certain agencies.
Corporations
- Listed companies may eventually be required to disclose all deal terms to protect investors and discourage impropriety.
- Insider trading "alibi".
Real estate
- Encrypt mortgage payments now and time-release them to banks later.
- Any escrow transactions (money held by trusted 3rd parties).
Academics
- No more Library of Alexandria disasters.
- Guarantee delivery of research articles designated for future open accessibility following a 2-3yr pay-wall.
Economics
- Send a payment for future services rendered; estate planning.
- Securely preserve bid identity until the auction ends.
Personal
- Release a personal diary posthumously.
- Write a letter to your future self.
- Blackmail (malicious).
General
- Trustworthy 3rd-party handlers may prove impossible to find and guarantee.
- Physical implementations of storing secrets are out of the question.
Slide 3. Several preliminary considerations: "naïve" approaches
1. Bury a flash drive containing the safe? (Physically vulnerable)
   - Explanation: suppose your secret message is password-key encrypted. Why not bury your message in a safe?
   - Who do you share the "treasure map" with? If you want your secret to outlive you, you need a trusted source (or heir, etc.).
   - Protection against the elements: the longevity of the protection scheme is a function of the environment. Obviously, a cleanroom with round-the-clock armed guards would be ideal, but highly impractical.
2. Ask N law firms to guarantee delivery (Cost-prohibitive)
   - Explanation: hire law firms to store the message in confidence, and enough of them to ensure that at least one does their job.
   - Why this is tempting: the best law firms will likely stick around on the order of decades and deliver the message, but it is expensive.
   - Any partial solutions? Assume you require exactly 1 to succeed, and no rehiring is done. Out of 1,300+ in the US, only 400 are of sufficient size/resources. Assume only 50% want your business, another 10% are eliminated during selection, and around 3 fail/yr. For a 30yr transmission delay, ~80-90 firms must be hired. Avg. cost/yr: $900,000 * 30yrs = $27mn.
3. Partial key escrow amongst friends? (Excess 3rd-party trust)
   - Explanation: if you trust some people, just teach them the secret sharing protocol (e.g. XOR'ing keys to attain the master key).
   - What's the issue? Shredding the key into distributable fragments might protect against a newly installed tyrannical regime; that's it.
   - Seems better than the others... It has some advantages, but a new problem: conspiratorial mutiny. We may be justified in predicting more powerful, more reliable technology, but we cannot say the same about people, unfortunately.
4. Millionaire problem (EXP time complexity)
   - Explanation: two millionaires can decide who is richer without revealing their net worth; that's multi-party computation (MPC).
   - More details: it's quite complex. Basically, you just have to establish the inequality I ≤ J, where I, J are the fortunes of the participants, without actually revealing the amounts.
   - That doesn't explain much... A sends B a random-looking m, which is actually encrypted, storing A's secret x. B decrypts m, getting many Y. Any one of the Y could be x, but after reducing the Y's to the modulus prime, B selectively decrypts based on her wealth.
Slide 4. Time-Delayed Encrypted Message Transmission: Generalized Process Flow Overview
Phases: 1. Initialization (production), 2. Encryption (selection), 3. Time delay, 4. Decryption (consumption).
Steps listed on the slide: compose message; implement some redundancy scheme; specify deployment; specify decryption time; apply protection; generate cipher-text; associate decryption key with cipher; enforce data integrity; maximize "digital distance" between content and key; compare program counter to a trustworthy clock; ensure delivery; reunite key with cipher; publish message.
Consideration: cloud-based, to minimize physical dependence.
Slide 5. Governing Rules of the Time-Delayed Encryption Protocol (ryDE_draftv13_070430.ppt)
Desired implementation details & "axioms" for all proposed systems:
- Computational equivalence; computational irreducibility.
- It must be possible to strongly verify the authenticity and integrity of the message.
- The document must trigger self-destruct when compromised (cracked prematurely).
- For any network system, malicious adversaries will never control >50% of the nodes.
- NP-hard problems will remain computationally intractable on the order of centuries.
- The contents cannot be denied once the information is sent through the encrypted message protocol.
- The decryption key must remain unknowable until the specified document/message deployment time.
Slide 6. Encryption Schemes: Rendering trust between parties obsolete
Can this encryption system be "cracked"? Theoretically, yes. RSA is not the only cryptographic protocol (just the most prevalent), and other equipotent encryption schemes derive their security guarantees from similarly exploiting the gulf between P and NP problems. We arrive at the conjecture: current public-key encryption protocols are sufficient to complement any TCP/IP-based proposal presented. But our assumption of computational intractability persisting indefinitely ignores the nonzero probability of realizing quantum computers anytime soon.
RSA for Dummies
- Before RSA, people exchanged "keys" to the locks that contained the secrets they wished to share. RSA: share "open locks" instead.
- Proposed cryptographic protocol. You want to buy online from AMZN. They randomly select two huge primes p, q (kept private) and publish a huge number N = pq (the public key), keeping the prime factors private. People who want to send AMZN a "secret" (e.g. their payment information) use this key to encode their information.
- This is what you send back (your credit card number = x): $x^3 \bmod N$.
- For 10,000-digit-long p, q: $10^6$ years are required to compute roots modulo N without p, q.
- A trapdoor function (OWF) is easy to map, difficult to "reverse": very easy to compute secrets and keys, but (very) hard to "invert".
- So how does AMZN get x? Euclid taught us that the sequence $x \bmod N,\; x^2 \bmod N,\; x^3 \bmod N,\;\ldots$ has periodicity $(p-1)(q-1)$. AMZN needs to find an integer k such that $3k \equiv 1 \pmod{(p-1)(q-1)}$; then $(x^3)^k \bmod N = x^{3k} \bmod N = x \bmod N$.
Slide 7. Protocol I: Memory-Hard Functions to Compute [Part I]
Idea. Computations tend to vary in execution time considerably across architectures, but a certain class of problems, called time-lock problems, can be constructed so that a minimum amount of time is required to solve them. Each "puzzle" is easy to compute but very hard to solve. In fact, the most famous example is
$$ 2^{2^t} \bmod n, $$
which can only be solved by t sequential squarings modulo n. If an equation can be solved either in P or in several NP ways, classical computers opt for the polynomial-time method, no matter the inefficiency, to realize solutions in reasonable time.
Calculating the components to instantiate a time-lock puzzle. Alice (α) wants to send message M with a time delay of T seconds for decryption.
Step 1. α chooses large primes p, q; n = pq; $\phi(n) = (p-1)(q-1)$.
Step 2. α calculates t = TS, where S = number of squarings modulo n per second.
Step 3. α generates a random K, typically >160 bits, to guarantee security.
Step 4. α encrypts M with K and the crypto-system RC5 to generate the ciphertext $C_M = \mathrm{RC5}(K, M)$.
Step 5. α selects a random a (mod n), where 1 < a < n, and encrypts K as $C_K = K + a^{2^t} \pmod n$. [e, b are for convenience: $e = 2^t \pmod{\phi(n)}$, $b = a^e \pmod n$.]
Step 6. α produces output in the form of the time-lock puzzle $(n, a, t, C_K, C_M)$, discarding any other intermediate variables.
Slide 8. Protocol I: Memory-Hard Functions to Compute [Part II]
How do you approach a solution? Initial considerations: by explicit design, searching through RC5 for K is incomprehensibly difficult, computationally speaking. The fastest known approach: knowledge of φ(n) reduces $2^t$ efficiently to $e = 2^t \pmod{\phi(n)}$, which implies b is computed via $b = a^e \pmod n$ instead of $b = a^{2^t} \pmod n$.
Warnings and limitations: computing n from φ(n) is provably hard, so once α discards p, q there is no avoiding the perception that there appears to be no faster way to compute b than to start with a and perform t squarings sequentially (as you must square the previous amount). Hence the number t of squarings required to solve a particular instantiation of the puzzle can be precisely controlled.
Manipulability: repeated squaring is an intrinsically sequential computational process, and parallelizable algorithms are not evident for this particular case.
Primary unanswered question (CPU time =?= real time): under what computing conditions or problems can we agree with confidence on the equality between the two quantities?
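The construction of slides 7-8 carried through in code, as an added example that is not part of the deck. Assumptions: RC5 is replaced by a one-time-pad XOR of M with K so the block is self-contained, and p, q are toy Mersenne primes (enough for a demo, useless for real security); variable names follow the slides.

```python
import secrets

P = 2**127 - 1          # constructed toy primes: n = P*Q is about 216 bits
Q = 2**89 - 1

def squarings(a: int, t: int, n: int) -> int:
    """The solver's only route: b = a^(2^t) mod n by t sequential squarings."""
    b = a % n
    for _ in range(t):
        b = b * b % n
    return b

def shortcut(a: int, t: int, n: int, phi: int) -> int:
    """Alice's trapdoor: e = 2^t mod phi(n), then b = a^e mod n (fast)."""
    e = pow(2, t, phi)
    return pow(a, e, n)

def make_puzzle(message: bytes, t: int, p: int = P, q: int = Q):
    """Steps 1-6 of slide 7. Returns the public puzzle (n, a, t, C_K, C_M);
    p, q, phi(n), e and b are not returned, as the slide requires."""
    n, phi = p * q, (p - 1) * (q - 1)
    bits = 8 * len(message)
    if (1 << bits) >= n:                         # K must satisfy K < n for C_K to decode
        raise ValueError("message too long for this toy n")
    K = secrets.randbits(bits)                   # symmetric key (slide: >160-bit K with RC5)
    C_M = (int.from_bytes(message, "big") ^ K).to_bytes(len(message), "big")  # one-time pad
    a = 2 + secrets.randbelow(n - 3)             # random a with 1 < a < n
    C_K = (K + shortcut(a, t, n, phi)) % n       # C_K = K + a^(2^t) (mod n)
    return n, a, t, C_K, C_M

def solve_puzzle(n: int, a: int, t: int, C_K: int, C_M: bytes) -> bytes:
    """Anyone holding the puzzle: no phi(n), so t sequential squarings it is."""
    K = (C_K - squarings(a, t, n)) % n
    m = int.from_bytes(C_M, "big") ^ K
    return m.to_bytes(len(C_M), "big")

if __name__ == "__main__":
    import time
    puzzle = make_puzzle(b"open after the delay", t=200_000)
    start = time.perf_counter()
    print(solve_puzzle(*puzzle), f"after {time.perf_counter() - start:.2f}s of squarings")
```

Calibrating t from a measured S (slide 7, step 2) on one machine and solving on another is exactly where the slide's CPU-time-versus-real-time question bites: the squaring loop is sequential, but its speed is not.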
Slide 9. Protocol I: General Security Features Afforded
Summary of potential risks: adversarial botnet swarms; compromised PK production; premature reassembly of DK; delayed reassembly of DK.
Justification for demonstrative purposes:
- Assume that many, many more computers are recruited to enhance the negative objective, but ONLY brute-force attacks are possible: the one-way function is extremely, extremely sequential (no parallelizability), hence infinite resource scaling would not enhance time resolution.
- Malicious adversaries may conflate the user's legal actions with commercially questionable tactics, reducing effectiveness.
- Stochastic stimuli.
- A managerial layer of "meta-nodes" with intelligent task scheduling.
- FSSP solutions, proof-of-work.
Slide 10. Protocol I: Memory-hard Problem Solving with Optimized Sorting
1. Solving time-lock "puzzles". Assume N secure buckets, where s buckets are secure vaults and f buckets are "furnaces" (permanent file deletion protocols); nodes are designated workspaces for:
   - verifiable threshold secret sharing of the private key through randomized distribution of shares;
   - secure multi-party (consensus-based) reconstruction of private key components;
   - reconstruction of the shredded private keys, which occurs thanks to block chain verification of uncompromised, continuously-run systems.
2. Sorting and bucketing(?). Optimized bucketing translates to fewer collisions for bins with high incoming inventory velocity.
Where is the encrypted document? Decentralized distribution (metadata + content; recruiter). Just as Julian Assange/WikiLeaks released a 1.45GB AES-256-encrypted insurance file over BitTorrent, the encryption key should be subject to maximum economic protection.
Slide 11. Protocol II: Firing Squads & Polynomials: How do you share a secret?
Situation: time-delay. Complication: synchronization. Question: NTP-independent?
- We can learn a lot from the problem officers face when trying to get all the soldiers in an execution squad to fire at the same time...
- Proposal: cut the secret message into N strips and distribute them across the network randomly. Base the network protocol on firing squad synchronization problem (FSSP) solutions to ensure the message is guaranteed simultaneous transmission. Abstraction: signal speed α/3.
Lagrange basis polynomials
- k numbers uniquely determine a degree-(k-1) polynomial.
- Major idea: given a set of (k+1) data points, the interpolation polynomial L(x) resolves the polynomial, assuming no two $x_j$ are the same.
Example calculation: let the secret S be 1371.
(1) We have n=6 friends willing to keep a piece of our secret, but want to ensure only k=3 pieces are necessary for reconstruction.
(2) Choose k-1=2 random coefficients to construct the polynomial.
(3) Resolve 6 unique points.
(4) Distribute the 6 pairs amongst your friends.
(5) Designate a rally point after time t elapses.
(6) Note: if you have n nodes and you want to guarantee that only k-many nodes are sufficient to recover the message, then true security means distributing only k-1 pieces of info.
Recovering the original: harvest 3 pairs from your group of friends and compute the Lagrange basis polynomials. Now multiply each of the basis polynomials by the f(x) at that point (polynomial multiplication).
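The k-of-n sharing and Lagrange recovery of slide 11 with its numbers (S = 1371, n = 6, k = 3), as an added example that is not the deck's own code. Assumptions: arithmetic is done modulo a prime (the slide works over the integers, which leaks information about S; a prime field does not), the basis polynomials are $\ell_j(x) = \prod_{m \ne j} (x - x_m)/(x_j - x_m)$ evaluated at x = 0, and the two random coefficients are constructed here, not taken from the slide.

```python
import secrets

PRIME = 2**61 - 1   # assumption: a Mersenne prime larger than the secret and n

def make_shares(secret: int, n: int, k: int, coeffs=None):
    """Steps (2)-(3): f(x) = S + a_1 x + ... + a_{k-1} x^{k-1} mod PRIME,
    evaluated at x = 1..n. Returns the n pairs (x, f(x)) to hand out."""
    if coeffs is None:
        coeffs = [secrets.randbelow(PRIME) for _ in range(k - 1)]
    if len(coeffs) != k - 1:
        raise ValueError("need exactly k-1 coefficients")
    poly = [secret % PRIME] + list(coeffs)      # poly[j] multiplies x**j
    def f(x):
        return sum(c * pow(x, j, PRIME) for j, c in enumerate(poly)) % PRIME
    return [(x, f(x)) for x in range(1, n + 1)]

def lagrange_basis_at_zero(xs, j):
    """ell_j(0) = prod_{m != j} (0 - x_m) / (x_j - x_m), in the field."""
    num, den = 1, 1
    for m, xm in enumerate(xs):
        if m != j:
            num = num * (-xm) % PRIME
            den = den * (xs[j] - xm) % PRIME
    return num * pow(den, -1, PRIME) % PRIME

def recover(shares):
    """Harvest any k pairs: S = f(0) = sum_j y_j * ell_j(0)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("x values must be distinct")
    return sum(y * lagrange_basis_at_zero(xs, j)
               for j, (_, y) in enumerate(shares)) % PRIME
```

With fewer than k shares the interpolation still returns a value, just not S, which is the content of the slide's note (6): every subset smaller than the threshold is consistent with every possible secret.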
Slide 12. Protocol II: Visual Resolution of Firing Squad Synchronization (space-time diagram with axes x and t, showing generals of the 1st through 5th generation). Continued...
Slide 13. Protocol III: Hashing Problem Solving
- Crunching hash functions: hash algorithms burn CPU cycles, which is a function of the architecture-dependent implementation, and may not always fully correspond to the "Earth" clock (which we call real-time).
- Block chain verification can mitigate an adversarial offensive on "double spending".
- Combine with a Tor-like pathway fold-in to cover tracks.
Slide 14. Initialization of Variables and Agent Responsibilities: Initializing the Protocols and Overview of Certain Assumptions
Private
- Distributed key generation.
- Verifiable threshold secret sharing of the secret key (polynomials example).
- Secure multi-party reconstruction of private key components, done strategically so as not to reveal private agents' secret keys, is non-trivial.
- Reconstruction and controlled publication of the private key.
Public
- Distributed key generation.
- Remember the group G definitions in the slides prior.
- Assume DKG/VSS on all generated keys is performed to verify authenticity of generation.
Network
- Threshold trust system extended to the network infrastructure.
- Node/server grabs data pushed from the managerial layer (privileged meta-nodes).
- Provide task handling for the project.
Variables: Public Key "PK"; Decryption Key "DK"; Deployment Date "T+δ"; Original Shot "T". Linked hash addresses maintain a block chain of validity (hashing password caches, etc.).
Slide 15. Exotica: Ideas meriting consideration when traditional protocols fail
- Transmission to space. Exploit the finite speed of light and the astronomical distances of cosmic objects to guarantee some minimum amount of time during which the message (presumably an encoding onto some coherent states prepared in a laboratory) is out of reach of terrestrial adversaries.
- Quantum time-bomb [Wolfram/Puniani]. Suppose we bury a quantum device in several sites around the world (presumably around or in what you expect to be, or what have already been declared, cultural landmarks and monuments) with a known, semi-controllable "diffusion" emission rate. The information bubbling up would probably recruit a type of Dirichlet tessellation, in which a message is realized once all the shards close the gaps.
- Biological timed-safe. Venous stasis, an accumulation of fluids in poorly circulating regions of the body, tends to intensify pigmentation. Tissues fill with fluids from broken and leaky vessels, and the iron from released hemoglobin eventually stains the skin. Imagine if you could precisely tune the staining pattern to produce an imprint ("tattoo") with the secret message at a specified time.
Slide 16. Appendix
Slide 17. Virtual time-locks: proof-of-work driven implementation (bitcoin style)
Message preparation: compose a message now but ensure deferred consumption.
- Encrypt the message (via RSA, ElGamal, etc.).
- Content hashing.
- Distribute the encrypted message across nodes as shares, with metadata for BitTorrent-like reassembly. Redundancy avoids naïve dependence on the infallibility of a single machine.
- Deploy a Decryption Script, which explicates checkpoints.
- Specify a computationally-hard (but efficiently-variable) problem to be solved by the Decryption Script: Problem1, Problem2, ..., Problemn, then the Final State.
- Proof-of-work: have a trusted network of nodes verify that a certain number of well-characterized computational cycles were burned in order to advance through the script.
Coordinated reconstruction of the encrypted message; time-delayed decryption private key.
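The checkpoint chain of slide 17 (Problem1 through Problemn to a Final State) as hash-based proof of work, together with the cheap check the slide assigns to the trusted network of nodes; this is an added example, not the deck's implementation. Assumptions: SHA-256 puzzles with a leading-zero-bits target stand in for the slide's unspecified "computationally-hard (but efficiently-variable) problem", and the difficulty parameter is the knob that makes the work efficiently variable.

```python
import hashlib

def _digest(state: bytes, i: int, nonce: int) -> bytes:
    """Checkpoint i's candidate: bound to the previous state so order is forced."""
    return hashlib.sha256(state + i.to_bytes(4, "big") + nonce.to_bytes(8, "big")).digest()

def _meets_target(digest: bytes, difficulty: int) -> bool:
    """True when the first `difficulty` bits of the digest are zero."""
    return int.from_bytes(digest, "big") >> (256 - difficulty) == 0

def expected_hashes(n_problems: int, difficulty: int) -> int:
    """The 'well-characterized' work: about 2^difficulty hashes per checkpoint."""
    return n_problems * (1 << difficulty)

def solve_chain(seed: bytes, n_problems: int, difficulty: int):
    """The decryption script. Problem i is seeded by the state Problem i-1
    produced, so checkpoints must be passed in order. Returns the nonces
    (the proof of work) and the final state."""
    state, proofs = seed, []
    for i in range(1, n_problems + 1):
        nonce = 0
        while not _meets_target(_digest(state, i, nonce), difficulty):
            nonce += 1
        proofs.append(nonce)
        state = _digest(state, i, nonce)
    return proofs, state

def verify_chain(seed: bytes, proofs, difficulty: int):
    """What the trusted nodes run: one hash per checkpoint instead of ~2^difficulty.
    Returns the final state if every checkpoint checks out, else None."""
    state = seed
    for i, nonce in enumerate(proofs, start=1):
        digest = _digest(state, i, nonce)
        if not _meets_target(digest, difficulty):
            return None
        state = digest
    return state
```

Unlike the sequential squarings of Protocol I, every checkpoint here can be searched in parallel, so the chain bounds expected work rather than elapsed wall-clock time; that gap is the point slide 13 makes about burned CPU cycles versus the "Earth" clock.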
Slide 18. General Encryption Schemata (diagram; labels: RNG, E, KU1 ... KUm, KS1 ... KSm, KSKREM, H, KUREM). Launch: Quantum Timed-Bomb.
Slide 19. Comparative summary of protocols discussed
Criteria (rated strong/weak): Complete? Provably hard? Semantically complete? Major appeal.
Protocols compared: Memory-Hard Algorithm Solving; Partial Key Escrow; Hashing Algorithms.
The table cells on the slide are unfilled (placeholder text only).
Slide 20. Quantum Computing: we are still very far away from practical realization
Quantum Mechanics in ½ a Slide: Fundamentals; De-coherence; Complex Amplitudes; Specific Consequence. The bullets on the slide are unfilled template placeholders.