1

Is it possible to create a function that varies with time but is also useful when encrypting information that is meant to later be decrypted?

Or in other words, we have the function $T(t)$ where $t$ is the input and the output is a function $f(x)$ where $f$ is an encrypting function that takes $x$ as input, $x$ is the information we want to encrypt and the output of $f(x)$ is the encrypted information.

Is it possible to decrypt the output of $f(x)$ knowing function $T$ but not the input $t$ and $f(x)$?

By the way if it wasn't obvious already I’m far from knowledgeable about cryptography.

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
Peter
  • 11
  • 2
  • Did you meant your last occurence of f(x) to be f (f(x) is a value, f is the function itself)? Also is what you describe the security property ("given f(x) and T, but not t nor f with the aforementioned relations, it is impossible to efficiently recover x") or a functional property ("given f(x) and T, but not t nor f with the aforementioned relations, it should be possible to efficiently recover x as the decryption operation")? – SEJPM Mar 28 '18 at 13:03
  • A cryptographic function is naturally going to be deterministic. The only way it could take into account time is if some representation of the current time is used as input. – forest Mar 28 '18 at 22:16
  • I guess using a nonce that depends on the current epoch time is pretty similar to what you're asking for, but you could only use $T(t)$ once for some fixed $t$. – Awn Mar 29 '18 at 16:59
  • Encryption needs to use a key. At which point does a key come into play in your idea? As an input to $T$ or as an input to $f$? It is also possible that - without realizing - you are looking for something other than encryption. Could you elaborate what should and shouldn't be possible in the system you envision? Should someone be able to "decrypt"? – Maeher Mar 29 '18 at 20:58

2 Answers2

1

Normally we don't keep functions secret (Kerckhoffs principle). But let's assume that $T$ depends on a secret key $s$ and that we keep that secret. See $s$ as a rather large constant within $T$ if you must.

In that case we can use $T_s(t) = \operatorname{KDF}(s, t)$ to derive a secret $k$ that depends on the time. We can use $k$ as input of a key pair generation function $\operatorname{Gen}(k)$ that outputs a private key $sk$ and public key $pk$. If we choose Elliptic Curve cryptography we could just use $sk = k$ and then calculate $pk$ by multiplication with base point $g$, an efficient calculation.

So now the function $f(p)$ could simply be $\operatorname{Enc}_{pk}(p)$, giving $c$. The function $f'(c)$ would be $\operatorname{Dec}_{sk}(c)$. Here $p = x$ is the plaintext message and $c$ is of course the ciphertext. For Elliptic Curves the $\operatorname{Enc}$ and $\operatorname{Dec}$ functions would be provided by the ECIES encryption / decryption scheme.

So we now have an $sk$ that can only be created if $s$ and $t$ are known. The function $f(x)$ is simply encryption with a public key that can be published - you don't even need $t$. And you can only decrypt if you know $s$ and $t$: otherwise you would not be able to calculate $sk$ required for decryption.

Of course having $T$ both create $f$ and perform the decryption is not really possible. You need a function $T$ to create the key pair and a function $f'$ to decrypt.

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
  • The danger of falling into the XY problem trap is huge here, so I hope this matches your expectations. It does seem to match the requirements within the question though. – Maarten Bodewes Mar 29 '18 at 21:08
0

If values of $t$ are never repeated for multiple encryptions, then the already standard concepts of nonce-based encryption and pseudorandom function family (PRF) can be used to construct such an encryption function, by:

  1. Apply the PRF $F$ to compute a pseudorandom nonce $N = F_{K_1}(t)$. Because $F$ is a PRF, as long as the key $K_1$ is secret and chosen randomly, the output doesn't reveal $t$.
  2. Apply the nonce-based encryption to the plaintext $P$ to compute $C = E^N_{K_2}(P)$. (Note that $K_2$ is a second secret random key, and independent from $K_1$.)
  3. Output $(N, C)$ as the ciphertext. (Or some injective function of $N$ and $C$.)

To decrypt $(N, C)$, the recipient simply computes:

$$ P = D^N_{K_2}(C) $$

But note that the decryption doesn't need to know the value of the PRF key $K_1$. This is a hint that there's something subtly off with your idea: the output of the encryption is supposed to functionally depend on $t$ and yet not reveal its value. But this means we could in fact replace the computed nonce $N = F_{K_1}(t)$ with a randomly selected $N$ (chosen independently at random for each encryption call) and achieve the same effect—an encryption whose ciphertext depends on the time it was encrypted, but doesn't literally depend on the value $t$ of that time. We don't need to know the time, we just need to be able to generate random numbers (which was already a requirement for choosing the keys $K_1$ and $K_2$.)

See also: "What is the main difference between a key, an IV and a nonce?"

Luis Casillas
  • 14,468
  • 2
  • 31
  • 53