Monday, July 19, 2010

[erggvstb] Cryptographic time capsule

Suppose you wish to keep a secret for, say, 70 years, and then have it declassified for the interest of historians; you'll be dead by then, or the statute of limitations will have elapsed.  In other words, you are creating a time capsule.

A straightforward way of doing this is to encrypt it, and deposit the key with a key escrow service which releases the key after a specified number of years.  We need to avoid the possibility that authorities can force a private entity to release a key earlier, for example by subpoena or other "law enforcement" provisions.  Attorney-client communications might work.

The institution with which you deposit the key may not exist in 70 years, in which case your secret is lost forever.  Perhaps you may deposit keys with your census record, if you trust the government that much: but I suspect most of the reason the census has been generally successful in keeping secrets for 72 years is that the information it holds is known not to be spectacularly valuable.

Another mechanism is to encrypt with a weak enough key so that it may be broken in 70 years.  Two problems: The obvious one is predicting the state of cryptanalysis and computational power over the next 70 years.  The other is predicting how much effort will be expended by "attackers" over 70 years.

Can cryptography help with the second?  Here is one mechanism.

Every, say, 4 years, a trusted authority generates a public key and throws away the private key.  If it is possible to generate public keys without private keys, that would be even better.  The key is published with its expected security life span.  Older keys generated in previous cycles may have their life spans updated based on the latest cryptanalysis and perhaps known major efforts underway at cracking them.

Anyone who wishes to encrypt a time-release secret uses this public key (or an older one for a lesser lifespan).  Thus a great many secrets will be encrypted with a single key, ensuring that there will be large efforts to crack it: your "time capsule" will likely eventually be opened no matter how insignificant you are.
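The shared-key scheme above, as an added toy sketch that is not code from the original post. It assumes RSA-KEM as the cryptosystem (the post names none) and a deliberately tiny 64-bit modulus so the "future" factoring effort finishes quickly; all function names are hypothetical.

```python
import hashlib
import math
import secrets

E = 65537  # public exponent (assumption: RSA; the post names no cryptosystem)

def random_prime(bits):
    # Trial division is enough for the toy sizes used here.
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(c % f for f in range(3, math.isqrt(c) + 1, 2)):
            return c

def publish_history_key(bits=64):
    # Authority: return only n = p*q; p and q are never stored or returned.
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and math.gcd(E, (p - 1) * (q - 1)) == 1:
            return p * q

def kdf(r, n):
    return hashlib.sha256(r.to_bytes((n.bit_length() + 7) // 8, "big")).digest()

def seal(n):
    # Depositor: RSA-KEM. Archive the capsule; encrypt the secret under the key.
    r = secrets.randbelow(n - 2) + 2
    return pow(r, E, n), kdf(r, n)

def crack(n):
    # Future effort: Pollard rho factoring, feasible only because n is toy-sized.
    while True:
        c, x, y, g = secrets.randbelow(n - 1) + 1, 2, 2, 1
        while g == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            g = math.gcd(abs(x - y), n)
        if g != n:  # g == n means an unlucky c; retry with a new one
            return pow(E, -1, (g - 1) * (n // g - 1))

def open_capsule(n, d, capsule):
    return kdf(pow(capsule, d, n), n)

if __name__ == "__main__":
    n = publish_history_key()
    capsules = [seal(n) for _ in range(3)]  # three unrelated depositors
    d = crack(n)                            # one factoring effort...
    print(all(open_capsule(n, d, c) == k for c, k in capsules))  # ...opens all
```

Only `n` and each capsule are ever published, and a single recovery of `d` opens every capsule sealed under that modulus, which is the shared incentive the scheme relies on.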

Encrypted data may be stored in a digital library for long-term archiving.  Is there a way to set up the cryptography so that the library can verify that the public key used was in fact one of these "history" keys?

As the originally estimated crackable-by date approaches, the public key creator may discover that it was too cautious in key strength.  Is there a mechanism by which the key can be retroactively weakened without the key creator having to safeguard a subpoenable secret for decades?  I would be very surprised if this is possible, though cryptography has been able to come up with some marvelous things (e.g., zero-knowledge proofs).

We leave unsolved the formidable problem 1: quantum computing makes me wonder if any public key cryptosystem can be safe for 70 years.

(Update) Also see: LCS35

1 comment :

Ken said...

See "Timed release cryptography"

Wenbo Mao