Wolfram Research NKS 2013 Deliverable

- 1. Viability Studies of Candidate Protocols: Time-delayed decryption mechanisms for deployment-specified secure message transmission. Pure & Applied Research. Arjan Singh Puniani (Center for Theoretical Physics & Dept. of Physics, UC Berkeley, CA, USA; Lawrence Berkeley National Laboratory, Berkeley, CA, USA) and Vitaliy Kaurov (Wolfram Research, Champaign, IL, USA).
- 2. Major motivations: why would we need this?
  Gov't accountability: trustworthy gov'ts today may be replaced by untrustworthy gov'ts tomorrow, and private keys may be "nationalized" out of state interest; periodic dissemination of Congressional materials guaranteed to outlast the lifetime of sovereignty; complete record of gov't operations with guaranteed disclosure regardless of regime installation.
  Intelligence agencies: sensitive data may not be suitable for dissemination after a certain time (Patriot Act); permanent record of inquiries made by certain agencies.
  Corporations: listed companies may eventually be required to disclose all deal terms to protect investors and discourage impropriety; insider trading "alibi".
  Real estate: encrypt mortgage payments now and time-release them to banks later; any escrow transactions (money held by trusted 3rd parties).
  Academics: no more Library of Alexandria disasters; guarantee delivery of research articles designated for future open accessibility following a 2-3yr paywall.
  Economics: send a payment for future services rendered; estate planning; securely preserve bid identity until the auction ends.
  Personal: release a personal diary posthumously; write a letter to your future self; blackmail (malicious).
  General: trustworthy 3rd-party handlers may prove impossible to find and guarantee; physical implementations of storing secrets are out of the question.
- 3. Several preliminary considerations: "naïve" approaches
  Physically vulnerable (bury a flash drive containing the safe?). Explanation: suppose your secret message is password-key encrypted. Why not bury your message in a safe? Who do you share the "treasure map" with? If you want your secret to outlive you, you need a trusted source (or heir, etc.). Protection against the elements: the longevity of the protection scheme is a function of the environment. Obviously, a cleanroom with round-the-clock armed guards would be ideal, but highly impractical.
  Cost-prohibitive (ask N law firms to guarantee delivery). Explanation: hire law firms to store the message in confidence, and enough of them to ensure that at least one does their job. Why this is tempting: the best law firms will likely stick around on the order of decades and deliver the message, but it is expensive. Any partial solutions? Assume you require exactly 1 to succeed, and no rehiring is done. Out of 1,300+ firms in the US, only 400 are of sufficient size/resources. Assume only 50% want your business, another 10% are eliminated during selection, and around 3 fail/yr. For a 30yr transmission delay, ~80-90 firms must be hired. Avg. cost/yr: $900,000 × 30yrs = $27mn.
  Excess 3rd-party trust (partial key escrow amongst friends?). Explanation: if you trust some people, just teach them the secret sharing protocol (e.g. XOR'ing keys to attain the master key). What's the issue? Shredding the key into distributable fragments might protect against a newly-installed tyrannical regime; that's it. Seems better than the others... It has some advantages, but a new problem: conspiratorial mutiny. We may be justified in predicting more powerful, more reliable technology, but we cannot say the same about people, unfortunately.
  EXP time complexity (Millionaire Problem). Explanation: two millionaires can decide who is richer without revealing their net worth; that's multi-party computation (MPC). More details: it's quite complex; basically, you just have to establish the inequality I ≤ J, where I, J are the fortunes of the participants, without actually revealing the amounts. That doesn't explain much... A sends B a random-looking m, which is actually encrypted, storing A's secret x. B decrypts m, getting many Y. Any one of the Y could be x, but after reducing the Y's to the modulus prime, B selectively decrypts based on her wealth.
- 4. Time-Delayed Encrypted Message Transmission: Generalized Process Flow Overview
  1. Initialization (production): compose message; specify deployment; specify decryption time.
  2. Encryption (production): implement some redundancy scheme; apply protection; generate cipher-text; associate decryption key with cipher.
  3. Time delay (selection): enforce data integrity; ensure delivery.
  4. Decryption (consumption): reunite key with cipher; publish message; compare program counter to a trustworthy clock.
  Considerations: cloud-based to minimize physical dependence; maximize the "digital distance" between content and key.
- 5. Governing Rules of the Time-Delayed Encryption Protocol: Desired Implementation Details & "Axioms" for All Proposed Systems
  - Computational Equivalence.
  - Computational Irreducibility.
  - It must be possible to strongly verify the authenticity and integrity of the message.
  - The document must trigger self-destruct when compromised (cracked prematurely).
  - For any network system, malicious adversaries will never control >50% of the nodes.
  - NP-hard problems will remain computationally intractable on the order of centuries.
  - The sender cannot deny the contents once the information is sent through the encrypted message protocol.
  - The decryption key must remain unknowable until the specified document/message deployment time.
- 6. Encryption Schemes: Rendering trust between obsolete
  RSA for Dummies. Before RSA, people exchanged "keys" to the locks that contained the secrets they wished to share; RSA instead shares "open locks". Want to buy online from AMZN? They randomly select two huge primes p, q and publish a huge number N = pq (but keep the prime factors private). N is the "public key": people who want to send AMZN a "secret" (e.g. their payment information) use this key to encode their information. What you send back (your credit card = x) is x^3 mod N. A trapdoor function (OWF) is easy to map but difficult to "reverse": very easy to compute secrets and keys, but (very) hard to "invert". For 10,000-digit-long p, q: 10^6 years are required to compute roots of the modulus N without p, q.
  So how does AMZN get x? Euclid taught us that the sequence x mod N, x^2 mod N, x^3 mod N, ... has periodicity (p − 1)(q − 1). AMZN needs to find an integer k such that 3k ≡ 1 (mod (p − 1)(q − 1)); then (x^3)^k mod N = x^(3k) mod N = x mod N.
  Can this encryption system be "cracked"? Theoretically, yes. RSA is not the only cryptographic protocol (just the most prevalent), and other equipotent encryption schemes derive their security guarantees from similarly exploiting the gulf between P and NP problems. We arrive at the conjecture: current public-key encryption protocols are sufficient to complement any TCP/IP-based proposal presented. But our assumption of computational intractability persisting indefinitely ignores the nonzero probability of realizing quantum computers anytime soon.
- 7. Protocol I: Memory-Hard Functions to Compute [Part I]
  Idea. Computations tend to vary in execution time considerably across architectures, but a certain class of problems, called time-lock problems, can be constructed so that a minimum amount of time is required to solve them. Each "puzzle" is easy to compute but very hard to solve. In fact, the most famous example is 2^(2^t) mod n, which can only be solved by t squarings modulo n. If an equation can be solved either only in P or in several NP ways, classical computers opt for the polynomial-time method, no matter the inefficiency, to realize solutions in reasonable time.
  Details: calculating the components to instantiate a time-lock puzzle. Alice (α) wants to send message M with a time delay of T seconds for decryption.
  Step 1: α generates large primes p, q; n = pq; φ(n) = (p − 1)(q − 1).
  Step 2: α calculates t = T·S, where S = number of squarings modulo n per second.
  Step 3: α generates a random K, which typically must be >160 bits to guarantee security.
  Step 4: α encrypts M with K and the crypto-system RC5 to generate the ciphertext C_M = RC5(K, M).
  Step 5: α selects a random a (mod n), where 1 < a < n, and encrypts K as C_K = K + a^(2^t) (mod n). [e, b are for convenience: e = 2^t (mod φ(n)), b = a^e (mod n).]
  Step 6: α produces output in the form of the time-lock puzzle (n, a, t, C_K, C_M), discarding any other intermediate variables.
- 8. Protocol I: Memory-Hard Functions to Compute [Part II]
  Initial considerations. By explicit design, searching through RC5 for K is incomprehensibly difficult, computationally speaking. Fastest known approach: knowledge of φ(n) reduces 2^t efficiently to e modulo φ(n); this implies that b is computed via b = a^e (mod n) instead of b = a^(2^t) (mod n).
  Warnings and limitations. Computing n from φ(n) is provably hard, so once α discards p, q there is no avoiding the perception that there appears to be no faster way to compute b than to start with a and perform t squarings sequentially (as you must square the previous amount). Hence the number t of squarings required to solve a particular instantiation of the puzzle can be precisely controlled. Repeated squaring is an intrinsically sequential computational process, and parallelizable algorithms are not evident for this particular case.
  Manipulability: some steps to consider. How do you approach a solution?
  Primary unanswered question: CPU time =?= real time. Under what computing conditions or problems can we agree with confidence on the equality between the two quantities?
- 9. Protocol I: General Security Features Afforded
  Summary of potential risks, with justification for demonstrative purposes. Assume that many, many more computers are recruited to enhance the negative objective, but ONLY brute-force attacks are possible. Malicious adversaries may conflate the user's legal actions with commercially questionable tactics, reducing effectiveness.
  Risks and the stochastic stimuli that counter them:
  - Adversarial botnet swarms: a one-way function that is extremely, extremely sequential (no parallelizability); hence infinite resource scaling would not enhance time resolution.
  - Compromised PK production: a managerial layer of "meta-nodes" with intelligent task scheduling.
  - Premature reassembly of DK: FSSP solutions, proof-of-work.
  - Delayed reassembly of DK: FSSP solutions, proof-of-work.
- 10. Protocol I: Memory-hard Problem Solving with Optimized Sorting
  Where is the encrypted document? Decentralized distribution of metadata + content via a recruiter. Assume N secure buckets, where s buckets are secure vaults and f buckets are "furnaces" (permanent file deletion protocols). Assume nodes are designated workspaces for (1) solving time-lock "puzzles" and (2) sorting and bucketing(?). Optimized bucketing translates to fewer collisions for bins with high incoming inventory velocity.
  -- Verifiable threshold secret sharing of the private key through randomized distribution of shares
  -- Secure multi-party (consensus-based) reconstruction of private key components
  -- Reconstruction of the shredded private keys occurs thanks to block chain verification of uncompromised, continuously-run systems
  Just as Julian Assange/WikiLeaks released a 1.45GB AES-256-encrypted insurance file over BitTorrent, the encryption key should be subject to maximum economic protection.
- 11. Protocol II: Firing Squads & Polynomials: How do you share a secret?
  We can learn a lot from the problem officers face when trying to get all the soldiers in the execution squad to fire at the same time. Situation: time-delay. Complication: synchronization. Question: NTP-independent?
  Proposal (snapshot): cut the secret message into N strips; distribute them across the network randomly; base the network protocol on firing squad synchronization problem (FSSP) solutions to ensure the message is guaranteed simultaneous transmission. FSSP solutions serve as the protocol's synchronization rules. Abstraction: signal speed α/3.
  Lagrange basis polynomials. k numbers uniquely determine a degree-(k−1) polynomial. Major idea: given a set of (k+1) data points, and assuming no two x_j are the same, the interpolation polynomial L(x) resolves the polynomial.
  Example calculation (dividing the message). Let the secret S be 1371. (1) We have n=6 friends willing to keep a piece of our secret, but want to ensure only k=3 pieces are necessary for reconstruction. (2) Choose k−1=2 random coefficients to construct the polynomial. (3) Resolve 6 unique points. (4) Distribute the 6 pairs amongst your friends. (5) Designate a rally point after time t elapses. (6) Note: if you have n nodes and you want to guarantee that only k-many nodes are sufficient to recover the message, then true security means distributing only k−1 pieces of info.
  Recovering the original (polynomial multiplication): harvest 3 pairs from your group of friends and compute the Lagrange basis polynomials; now multiply each of the basis polynomials by the f(x) at that point.
- 12. Protocol II: Visual Resolution of Firing Squad Synchronization (space-time diagram with axes x and t, showing the 1st- through 5th-generation generals; continued on the next slide)
- 13. Protocol III: Hashing Problem Solving
  Crunching hash functions. Hash algorithms burn CPU cycles, which is a function of the architecture-dependent implementation, and may not always fully correspond to the "Earth" clock (which we call real time). Block chain verification can mitigate an adversarial offensive on "double spending". Combine with Tor-like pathway fold-in to cover tracks.
- 14. Initialization of Variables and Agent Responsibilities: Initializing the Protocols and Overview of Certain Assumptions
  Variables: Public Key "PK"; Decryption Key "DK"; Deployment Date "T+δ"; Original Shot "T".
  Private: distributed key generation; verifiable threshold secret sharing of the secret key (polynomials example); secure multi-party reconstruction of private key components, done strategically so as not to reveal private agents' secret keys, is non-trivial; reconstruction and controlled publication of the private key.
  Public: distributed key generation; remember the group G definitions in prior slides; assume DKG/VSS is performed on all generated keys to verify the authenticity of generation; threshold trust system extended to the network infrastructure.
  Network: node/server grabs data pushed from the managerial layer (privileged meta-nodes); provides task handling for the project; linked hash addresses maintain a block chain of validity (hashing password caches, etc.).
- 15. Exotica: Ideas meriting consideration whence traditional protocols fail
  - Transmission to space. Exploit the finite speed of light and the astronomical distances of cosmic objects to guarantee some minimum amount of time during which the message (presumably an encoding onto some coherent states prepared in a laboratory) is out of reach of terrestrial adversaries.
  - Quantum time-bomb [Wolfram/Puniani]. Suppose we bury a quantum device in several sites around the world (presumably around or in what you expect to be, or what have already been declared, cultural landmarks and monuments) with a known, semi-controllable "diffusion" emission rate. The information bubbling up would probably recruit a type of Dirichlet tessellation, in which a message is realized once all the shards close the gaps.
  - Biological timed-safe. Venous stasis, an accumulation of fluids in poorly-circulating regions of the body, tends to intensify pigmentation. Tissues fill with fluids from broken and leaky vessels, and the iron from released hemoglobin eventually stains the skin. Imagine if you could precisely tune the staining pattern to produce an imprint ("tattoo") with the secret message at a specified time.
- 16. Appendix
- 17. Virtual time-locks: proof-of-work-driven implementation (Bitcoin style)
  Compose a message now but ensure deferred consumption. Message preparation: encrypt the message (via RSA, ElGamal, etc.); hash the content; distribute the encrypted message across nodes as shares, with metadata for BitTorrent-like reassembly (redundancy avoids naive dependence on the infallibility of a single machine). Deploy a decryption script which explicates checkpoints, and specify a computationally-hard (but efficiently-variable) problem to be solved by the decryption script: Problem 1, Problem 2, ..., Problem n, final state. Proof-of-work: have a trusted network of nodes verify that a certain number of well-characterized computational cycles were burned in order to advance through the script. Coordinated reconstruction of the encrypted message then yields the time-delayed decryption private key.
- 18. General Encryption Schemata (diagram; labels only: RNG, E, KU1 ... KUm, KS1 ... KSm, KSREM, KUREM, H). Launch Quantum Timed-Bomb.
- 19. Comparative summary of protocols discussed. Protocols: Memory-Hard Algorithm Solving; Partial Key Escrow; Hashing Algorithms. Criteria (rated strong/weak): Complete?; Provably Hard?; Semantically Complete?; Major Appeal.
- 20. Quantum Computing: we are still very far away from practical realization. Quantum Mechanics in ½ a Slide: Fundamentals; De-coherence; Complex Amplitudes; Specific Consequence.
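The time-lock puzzle of Protocol I (slides 7 and 8) worked end to end, as an added example that is not part of the deck. Toy-sized primes stand in for the large p, q, and RC5 is replaced by an XOR keystream derived from K via SHA-256 so the block runs without a third-party library; both substitutions are assumptions, and the key here must be smaller than n.

```python
# Added example (not from the slides): Protocol I's time-lock puzzle with toy
# parameters. RC5 is replaced by an XOR keystream derived from K via SHA-256
# (an assumption made to keep the example self-contained).
import hashlib
import secrets


def keystream_xor(key: int, data: bytes) -> bytes:
    """Stand-in for RC5(K, M): XOR data with SHA-256(K || counter) blocks."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = key.to_bytes(32, "big") + counter.to_bytes(4, "big")
        stream += hashlib.sha256(block).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def trapdoor_b(a: int, t: int, p: int, q: int) -> int:
    """Alice's shortcut: knowing phi(n) reduces the exponent 2^t to e = 2^t mod phi(n)."""
    phi = (p - 1) * (q - 1)
    e = pow(2, t, phi)
    return pow(a, e, p * q)


def sequential_b(a: int, t: int, n: int) -> int:
    """Bob's only route without p, q: t squarings modulo n, one after another."""
    b = a % n
    for _ in range(t):
        b = b * b % n
    return b


def make_puzzle(p, q, message, T, S, a=None, key=None):
    """Steps 1-6 of slide 7. Returns (n, a, t, C_K, C_M); p, q, e, b are discarded."""
    n = p * q
    t = T * S                               # Step 2: T seconds * S squarings per second
    if key is None:
        key = secrets.randbelow(n)          # Step 3: K must be < n (real K: >160 bits, n larger)
    if a is None:
        a = secrets.randbelow(n - 2) + 2    # Step 5: 1 < a < n
    c_k = (key + trapdoor_b(a, t, p, q)) % n   # C_K = K + a^(2^t) mod n
    c_m = keystream_xor(key, message)          # Step 4: C_M = "RC5"(K, M)
    return n, a, t, c_k, c_m


def solve_puzzle(n, a, t, c_k, c_m):
    """Recover K by the t sequential squarings, then decrypt C_M."""
    key = (c_k - sequential_b(a, t, n)) % n
    return keystream_xor(key, c_m)
```

The two b computations agree by Euler's theorem, which is exactly the trapdoor: Alice pays one modular exponentiation, the solver pays t dependent squarings that no amount of parallel hardware shortens.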
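The secret-sharing example of Protocol II (slide 11) with the slide's parameters S = 1371, n = 6, k = 3, as an added example that is not the deck's own worked numbers. The shares live in a prime field GF(p) rather than over the integers; that is an assumption of this example, the standard way to keep shares uniformly distributed, and the coefficients 7 and 11 are constructed for the test.

```python
# Added example (not from the slides): Shamir-style secret sharing with Lagrange
# basis polynomials, over the prime field GF(P) (assumption: the slide works over
# plain integers; a prime field keeps each share independent of the secret).
import secrets

P = 2**61 - 1  # Mersenne prime, comfortably larger than any secret used here


def make_shares(secret: int, n: int, k: int, coeffs=None, p: int = P):
    """f(x) = S + c1*x + ... + c_{k-1}*x^(k-1) mod p; returns the n points (i, f(i))."""
    if coeffs is None:
        coeffs = [secrets.randbelow(p) for _ in range(k - 1)]   # step (2): k-1 random coefficients
    if len(coeffs) != k - 1:
        raise ValueError("need exactly k-1 coefficients")
    poly = [secret % p] + list(coeffs)

    def f(x):
        return sum(c * pow(x, i, p) for i, c in enumerate(poly)) % p

    return [(i, f(i)) for i in range(1, n + 1)]                 # step (3): n unique points


def lagrange_at_zero(points, p: int = P) -> int:
    """Recover f(0) from the given points: sum of y_j * L_j(0), L_j the Lagrange basis."""
    secret = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (-xm) % p        # factor (0 - x_m)
                den = den * (xj - xm) % p    # factor (x_j - x_m)
        basis = num * pow(den, -1, p) % p    # L_j(0); modular inverse needs Python 3.8+
        secret = (secret + yj * basis) % p   # multiply basis by f(x_j), then sum
    return secret
```

Any k = 3 of the six points reproduce 1371; k − 1 = 2 points interpolate a line through two points of the parabola and return an unrelated value, which is the threshold property the slide's note (6) refers to.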
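The checkpointed proof-of-work script of slide 17 (Protocol III's hashing approach) as an added example, not code from the deck: Problem 1 ... Problem n are hash puzzles, each seeded by the previous solution so they must be solved in order, and a verifying node replays one hash per checkpoint. The leading-zero-bits difficulty measure and the key derivation from the final state are assumptions of this example.

```python
# Added example (not from the slides): a sequential chain of hash puzzles as the
# "virtual time-lock". Difficulty = required leading zero bits of SHA-256
# (assumption); the decryption key is derived from the final chain state.
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leading_zero_bits(digest: bytes) -> int:
    return 256 - int.from_bytes(digest, "big").bit_length()


def solve_checkpoint(seed: bytes, bits: int) -> int:
    """Brute-force a nonce so that H(seed || nonce) has at least `bits` leading zeros."""
    nonce = 0
    while leading_zero_bits(sha256(seed + nonce.to_bytes(8, "big"))) < bits:
        nonce += 1
    return nonce


def solve_chain(start: bytes, bits: int, steps: int) -> list:
    """Solve Problem 1 ... Problem n in order; the nonce list is the proof of burned cycles."""
    seed, nonces = start, []
    for _ in range(steps):
        nonce = solve_checkpoint(seed, bits)
        nonces.append(nonce)
        seed = sha256(seed + nonce.to_bytes(8, "big"))  # next problem depends on this solution
    return nonces


def verify_chain(start: bytes, bits: int, nonces: list) -> bool:
    """Trusted-node check: one hash per checkpoint, no searching."""
    seed = start
    for nonce in nonces:
        digest = sha256(seed + nonce.to_bytes(8, "big"))
        if leading_zero_bits(digest) < bits:
            return False
        seed = digest
    return True


def final_state_key(start: bytes, nonces: list) -> bytes:
    """Decryption key released only as a function of the final chain state (assumption)."""
    seed = start
    for nonce in nonces:
        seed = sha256(seed + nonce.to_bytes(8, "big"))
    return sha256(b"decryption-key" + seed)
```

Unlike Protocol I, the setter has no trapdoor here and must solve the chain once before publishing anything keyed to its final state; the delay also rests entirely on the assumed hash rate, which is the CPU-time-versus-real-time question slide 8 leaves open.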
