Time Capsule cryptography?

Question

Does there exist any cryptographic algorithm which encrypts data in such a way that it can only be decrypted after a certain period of time?

The only idea that I can think of, is something like this: Seed a PRNG with a public value. Run the PRNG for a week and use the final value it produces to encrypt the message. Now anyone who runs that PRNG for a week starting from the seed value you made public can decrypt the message. Obviously this breaks down since they could use more computational power than you; if the time span was years then Moore's Law would apply, etc.

Is there anything like this other than physically burying a private key on a USB stick in a literal time capsule?

Answer 1

Yes.

There has been a lot of work on "proof of work" protocols or "time-lock puzzles." Typically in cryptography, functions are either easy to compute or intractable. These protocols look at functions that are moderately hard to compute.

To do time-release encryption, you need a puzzle with the following properties:

1. Difficulty of the puzzle can be monotonically increased according to some difficulty parameter
2. Best algorithm to solve it is intrinsically sequential (parallel computing doesn't help)
3. Amortized cost of solving a group of puzzles is the same as a single puzzle
4. There is a trapdoor (shortcut) that allows efficient evaluation of the puzzle

With time-release crypto, the idea is to generate a puzzle that will take a certain amount of time to solve based on an estimate of a person's computational power and how it will grow in the future (e.g., Moore's law). As you can tell, it only gives you a fuzzy indication of how long it will stay secret (see below for a real world example). Property 2 is very important because adding parallel computation is easy and it is hard to estimate how much parallelization is possible.

Note that most proof of work protocols do not care about property 2 because they are used in different ways. These might be based on finding partial collisions/preimages in hash functions or exhaustive search of a small space (e.g., bitcoin), however speedups with parallel computing is trivial in these examples. There are also a number of memory-based puzzles that require lots (more than can be cached) of memory accesses, which is a more predictable measure of time on computers.

Back to time-release crypto. The idea is to instantiate a puzzle $p$ with difficulty $d$: $p=\mathsf{Puzzle}(d)$. A trapdoor $t$ for efficiently solving it is known to the person who generates the puzzle. This person then encrypts her message under key $k$ with a normal encryption function: $c_1=\mathsf{Enc}_k(m)$. She then release an "encryption" of the key she used by combining the key with the solution to the puzzle. Note that she can efficiently solve the puzzle with trapdoor $t$ but the recipient can't. She computes: $c_2=k \oplus \mathsf{Solve}_t(p)$. The ciphertext is $c_1,c_2$ plus a description of the puzzle.

To decrypt, the recipient computes $s=\mathsf{Solve}(p)$, which should take a moderate amount of time. He then recovers the key by $k=c_2\oplus s$, and can then decrypt $c_1$.

The disadvantage to time-release cryptography is that the recipient must devote an entire processor to solving the problem for the period of time that it should remain secret.

The best proposal for a Puzzle with the right properties is due to Rivest, Shamir and Wagner in this paper. It is based on repeated squaring in RSA groups. A recent result precludes any intrinsically sequential time-lock puzzles in the random oracle model (e.g., based on hashing).

In 1999, Rivest created a time capsule message to commemorate the 35th anniversary of MIT's Laboratory for Computer Science. He talks about how he designed it to require 35 years to decrypt. It is an interesting read.

Answer 2

No.

See the following. http://www.gwern.net/Self-decrypting%20files

It has a decent list of ways you might try to do it. However, there is no guarantee that the desired amount of time would actually elapse until the "lock" was broken. In other words, significantly more or significantly less time might be required.

Now, some MIT guys did something in '99 that they hope will be opened in 2034. however, again, they do leave open the possibility that it could be broken earlier.. or not in anywhere near the amount of time they estimate.

http://people.csail.mit.edu/rivest/lcs35-puzzle-description.txt

Most of the ways available depend on needing to run an operation on a computer that will take a certain amount of time before the final decryption key can be obtained. However, you have no control over hardware. Ergo, you have no real control over the amount of time that would elapse before the final decryption key is acquired.

The MIT guys did mention that they took "Moore's Law" into account. However, most people would argue that Moore's Law has very little to do with overall processing performance. The law was about the doubling of transistor counts every two years; however processor performance has very much outstripped that.

The info on this site says pretty much the same thing: http://dl.acm.org/citation.cfm?id=888615

The secondary way is to give the key to a trusted third party who will only reveal it at a certain point in time. However, this is just as tricky because they may be forced using any number of mechanisms to release it earlier or they may even lose it somewhere along the way.

So, the answer is that there is no implementation accepted by anyone as "secure". There can't be.

Answer 3

Going with the theme of out-of-the-box solutions started by e501, I do recall at least a half-serious suggestion that, with a retransmitter (or just a big mirror) placed in outer space at a suitable distance from Earth, one could use light-speed lag as an effective time capsule mechanism — just encode the message as a laser pulse and send it out for a round trip of as many light years as you want to delay it by in years.

In principle, you could also do this just by bouncing the light off naturally occurring objects in space, like planets or stars or nebulae. However, the transmission losses involved in this would probably make it infeasible without extremely powerful transmitters and sensitive receivers, to the point where it's not at all clear whether it would actually be any more practical than just launching a huge retroreflector out into space. Also, the brighter the outgoing pulse is, the bigger the risk that scattering from gas and dust along the way might provide a side-channel attack.

Answer 4

No.

With neither a trusted third party nor trusted hardware, we know no system with an even mildly accurate delay of release.

If we accept a trusted third party, there are options. For example:
The trusted third party generates a public/private key pair per hour (for an asymmetric cipher such as RSA-OAEP), publish the public $Pub_t$ keys in advance (signed with the long-term public key of the third party), and publish a regularly updated list of all the past private keys $Priv_t$.
To time-lock some information $P$ until $t$: fetch $Pub_t$, and its signature, from the trusted third party; check the signature; draw a random key $K$ for a symmetric cipher such as AES-CTR; encipher $K$ using key $Pub_t$ giving $KT$; encipher $P$ using key $K$ giving $C$; forget $K$ and $P$; publish the time-locked information $KT||C$.
When time $t$ has come, anyone can fetch $Priv_t$ from the trusted third party; decipher $KT$ using key $Priv_t$ giving $K$; decipher $C$ using key $K$ giving $P$.
In a variant, the trusted third party generates deterministically the $Pub_t$/$Priv_t$ pairs from a master key and $t$; this allows arbitrary precision for $t$ with constant storage.

Trusted hardware with a trusted real-time clock (e.g. some HSM) can be used to implement the time lock (or to implement the above trusted third party).

With trusted hardware lacking a trusted real-time clock (e.g. a Smart Card), the clock can be delegated to a trusted third party. I believe (never done it) that buying a certificate from a certification authority also buys a free service, which answers unauthenticated queries "is this certificate still valid?" with a signed answer "this certificate was still valid at time $t$", which the trusted hardware can check (against the trusted third party's long term public key) to determine that the current time is at least $t$ (on the trusted third party's clock), regardless of how this signed answer has reached the trusted hardware.

Answer 5

Yes. The following paper looks at the question you asked about:

• Ronald Rivest, Adi Shamir, and David Wagner. Time-lock puzzles and timed-release Crypto. March 1996.

That paper describes how to encrypt a message $M$, so that decrypting $M$ requires a controlled amount of computation (say, $T$ CPU cycles).

---

Here is the gist of the main scheme. To encrypt, Alice chooses large primes $p,q$ and computes a RSA modulus $n=pq$. Alice also picks an integer $t$ large enough that performing $t$ modular squarings (modulo $n$) will take the decryptor about $T$ CPU cycles. Alice then picks a random value $a$ and computes $b = a^{2^t} \bmod n$; she then uses $b$ as a secret key to encrypt her message (e.g., with AES).

Alice gives the RSA modulus $n$ to the decryptor, and the number $t$. The decryptor can recompute $b$ by squaring $a$, repeatedly squaring $t$ times (modulo $n$ each time). Thus, it will take the decryptor about $T$ CPU cycles to decrypt.

In contrast, Alice can encrypt using much less than $T$ CPU cycles, using the following trick. Alice computes $e = 2^t \bmod \varphi(n)$. Here $\varphi(n) = (p-1)(q-1)$, so Alice can compute $\varphi(n)$, but no one else can. Moreover, Alice can compute $e$ using $2 \log t$ squarings and multiplications modulo $\varphi(n)$, which takes vastly less than $T$ CPU cycles. Alice then encrypts using $b = a^e \bmod n$. Thus, Alice can encrypt much more efficiently than the recipient can decrypt.

To put it another way, Alice can create a puzzle whose difficulty she can control very precisely. The only way to decrypt is to solve the puzzle. For instance, she can arrange that it will probably take about 20 years to decrypt. Moreover, creating the puzzle is much quicker than solving it (she can create the puzzle in seconds, even though it will take decades to solve it). This provides a way to send a message that can only be decrypted after performing a certain amount of computation, i.e., after a certain amount of time.

The paper also describes another way to solve the problem, if one has a trusted agent (perhaps implemented using TCG, or perhaps considered trustworthy for other reasons).

Answer 6

Because there's no inherent sense of time for a computer, there's not really any way to accomplish this. The best you could do would be to require a lot of computation and try to make it have to be as serial as possible. But even if there's a good way to do that, faster computers could do it more quickly.

If you want something to stay encrypted for a fixed amount of time, your best bet would be to encrypt it using any standard scheme and lock the key or keys in a time-lock safe.

Answer 7

I'm thinking some sort of Ironkey like device, where the crypto and clock are internal to the device and encapsulated in such a way that if they are physically tampered with, the chip (and the key) self-destructs.

Answer 8

There is such a kind of primitive in the article about timed commitments from Boneh and Naor. This is a kind of encryption scheme where decryption can be forced, but at a heavy non parallelizable cost, and such that it can be proven in advance, at low cost, that forced decryption will work. It relies on repeated squarings modulo a RSA modulus.

Answer 9

InfoBiology by printed arrays of microorganism colonies for timed and on-demand release of messages is a recently development method that leverages biological systems to create messages that impose a limit on the amount of time it takes to learn a message.

The idea is simply to encode a message in a pattern of e. coli colonies. The message is released after the e. coli colonies have been growing in a particular growth medium for a certain period of time (the phenotypic expression of the e. coli is designed to have a particular lag time).

Answer 10

Since there's no way to control your execution environment, there's no way to ensure your algorithm is executed as described, with the actual current time. Thus, the only way to ensure something like this is to make it computationally difficult to decrypt, which is a limit on the amount of computational effort spent, not on the amount of real time spent. The easiest way to do this would be to encrypt the data with a short private key, and require people to factor the public key in order to unlock it.

Answer 11

Check out "Time-Lapse Cryptography". Seems like a pretty good system. I doubt the infrastructure is currently in place to support it, but you never know what the authors have out there.

Answer 12

I would try an aproach with a web service. Once you own the server you can rely on the date it has. You crypto information should contain a date that the server validates an once this is reach you can provide real decryt key for user.

Answer 13

Quoting Rivest et al:

There are 2 natural approaches to implementing timed-release crypto:

• Use "time-lock puzzles" - computational problems that can not be solved without running a computer continuously for at least a certain amount of time.
• Use trusted agents who promise not to reveal certain information until a specified date.

So far, so good. Yet, it leaves the question if there's a cryptographic scheme that practically does the job.

Here are some interesting papers and slides on the subject, that haven't been mentioned yet:

• "Time-Lock Puzzle with Examinable Evidence of Unlocking Time" (2000, Mao)
• "Using timed-release cryptography to mitigate preservation risk of embargo periods" (2008, Haq)
• "Time-Lock Puzzles in the Random Oracle Model" (2011, Mahmoody, Moran, and Vadhan)

And — for what it's worth — there are also related discussions at Redit and at Hacker News too.

Answer 14

How about basing this on radioactive decay?

• You print the message on a film
• Encapsulate the film in some tamper-proof (or highly tamper-resistant) enclosure
• There is only one way to retrieve the film from the enclosure and in that path, put some radioactive material so that you can not retrieve the film without exposing the film to the radiation
• If one tries to retrieve the film before radioactive material has decayed, the film will be exposed blank by the radiation. After radioactive material has decayed, film can be retrieved safely.
• Tamper-proof enclosure also prevents removal of radioactive material without damaging the film
• (Several Challenges in enclosure design of course :-(

Answer 15

You might want to look at "The Burris Numerical System" there is a very good book on it. This numerical system encrypts data in theory in time with only the last number remaining in space. The rest of the number is in theory stored in time. The book is on Amazon and other places. This is the best I have found for using time to encrypt data.

Answer 16

Of all these systems, the only method that is time-proven, practical, and at least theoretically reliable, is to use a multi-part key, and distribute that key to separate [people, places] with the information necessary to put them together only available at a certain date.

It is still possible to find repositories that are immune from subpoena, with timed contracts or to be opened only posthumously. Even the government does not have lawful or Constitutional authority to breach attorney-client privilege, for example.

If secrecy is more important than reliability, then distribute your information among several attorney-client agreements. If reliability is more important than secrecy, then distribute all the information among several attorney-client agreements.

Always keep in mind that PEOPLE are the vastly more frequent (but not always) the point of failure. Even so, trying to take people out of the equation -- today -- has little probability of success.

Answer 17

How about encoding the data into a laser beam and shooting it out into space in a direction that would have it curve back towards a detector on earth/orbit/moon in 20 years? Kinda like how we know to expect Halley's comet to come around every 75 or so years.

I guess the fundamental here is that astral bodies don't change behavior unexpectedly (or, at least, they are sufficiently dependable), and also that the speed of light is constant in (normal, empty) space. If faster-than-light travel is achieved within the time-frame of your time capsule opening, well.. i guess you'll have bigger things to worry about than your time-encryption being broken.

Answer 18

Two big problem with the "it will take a computer 20 years to crack it" idea

1. It will only take 2 years for 10 computers to crack it

2. brute force cracking is a random process, so it could be cracked almost instantly, at very low admittedly, but not quite zero , probability.

Oh I suppose you could encode using a really really large key .The brute force crack techqnique might then have the expected crack time of 200 years. But the key is calculable, using a process that must be linearly done, so that no parallism is allowed, and it will take 20 years at 20 Gigaflops to process. Actually the speed limit is around 4 Ghz so recently cpu pwoer is coming from parallelism.. which cannot help a linear algorithm... But there is a risk that someone would divise a way to find the resulting key without doing all the intermediate calculations, and thus turn 20 years into a short time ..

Answer 19

Passcodes on iOS take 80 milliseconds to decrypt.

When you set up the passcode, it’s encrypted with a multi-round algorithm, measuring the time, so that decryption takes 80ms. More rounds on newer, faster hardware.

Decryption is done using a 256 bit key built into the CPU that cannot be extracted, so the decryption must be done on the same CPU. And instead of 80ms you could pick any time.

But it’s not really a solution. Say you want your data be decrypted in twelve months. Then you’d have to encrypt for six months, start decrypting, and the decryption takes another six months. If you decide in 24 months to decrypt the data, it will take six months again.

You need an algorithm that turns a time stamp into one key needed for encryption and one for decryption, and put them on a secure server. That server provides the encryption keys for a time stamp at any time, but the decryption keys only at times past the time stamp. And that server needs to be absolutely locked down. Importantly, the servers notion of “current time” must be unbreakable. Maybe connect it to a telescope and let it check locations of some stars. Or a hardware counter that cannot be advanced more than once per nanosecond without destroying it.

Answer 20

Use a dual radioactive decay key.

You have one element with say a 1000 year half life, and another with a 20-year half life.

You detector is programmed to see the decay products, and only produce the decryption key if the proper ratio of decay products are present.... and if at any time, an improper mix of decay products is present, it destroys the key.

Answer 21

Yes.

A solution is to choose an encryption method that inflates the number of bits in the encrypted message to a literally astronomical level.

By doing this, you can guarentee a lower bound on how long it will take to read the encrypted message.

The reason this works is that our universe has a limit on how many bits of info you can store in a given volume. The maximum information is the surface area of the volume measured in Plank areas. If you pick a number of bits that under the best packing scenario (a spherical black hole) would require a given amount of time for all bits to reach a person positioned at the center of the black hole, then there is no possible way that person can receive the encrypted message in under a given time. Eg, if the black hole had a radius of 1 light year, it would take at least a year to read all of the bits that comprise the sphere.

For an idea, the max info in a .5 meter radius sphere is 1.3 x 10^36 bits. That number of bits is astronomical, yet would only buy you an extremely short amount of time before the message could be read.

There may be ways to shave this number of bits down, ie if there are other physical laws that limit data transfer rates besides density packing, or if you can prove that a certain amount of computation must be done and if there is a physical limit on computation time.

Answer 22

All these comments and answers about outer space and light beams gave me an idea… To encrypt a message so that it is decoded after 1 year:

1. Choose a celestial body.
2. Encrypt the contents of the message with a key generated from the position of that celestial body.
3. Calculate the position at which the object will be in 1 year.
4. Provide the recipient with the encrypted message and the final position of the object.

After 1 year, the recipient of the message will see the celestial body in the indicated place. A short analysis of its trajectory will allow him to calculate the position at which the object was 1 year earlier, thus enabling him to decode the message.

Of course this is just the general idea, but with some research, this might actually be faisable, at reasonable cost!

Answer 23

Some answers suggest using the inherent speed-of-light limitation to introduce delays that can't be shortened. This is an excellent idea. However, for longer delays, these solutions have the problem of requiring very long distances. Fortunately, one can reduce those distances by using interactive protocols with a required large number of rounds between the parties to amplify the inter-party communications delay.

Suppose now that one party is located on a geosynchronous satellite, and the other parties are located on Earth. Every round-trip to the satellite party would linearly increase the time to execute the interactive protocol, and no advancements in computational power or transmission technology could shorten this delay. The only requirement being that the far-away party (the satellite) won't be tampered with, such as being moved closer to Earth, or being cloned (private keys and all). How this can be guaranteed is another question though.