Re: expiration dates on cryptography

[tcmay@got.net (Timothy C. May)]

At 12:21 PM 11/8/95, John Curtis wrote:
>The discussion between Mr. May and Mr. Shields concerning
>time-release cryptograhy raised an interesting question in my
>mind.
>
>Given that trust is often of an ephemeral nature, it would be
>quite useful to set time limits on secrets.  Would it be possible
>to cryptographically protect a secret such that it could not be
>decrypted after a certain time?

An interesting twist.

There are two broad things to consider:

1. Cryptography, what can mathematically be done.

2. Economics and social systems, what "business ecologies" can do.

Pure cryptography is about #1, with minimal consideration of #2. Much of
what interests me involves #2.

How this relates to your interesting question goes as follows.

Even the "timed-release cryptography" is NOT a pure cryptographic system,
as the idea of "temporal state" in crypto is iffy. That is, clocks can be
jiggered. Even "sealed clocks" can be jiggered.

But just as Haber and Stornetta's "digital timestamps" use time, such a
thing is possible once _economic agents_ enter the picture. And once
economic considerations are used.

The "timed-release crypto" system depends for its security on the
likelihood that N agents holding pieces of something--something they don't
know the value of--will likely hold those pieces for as long as they are
being paid.

(If you want to discuss why this is likely, even in a world of mistrust and
malice, we can discuss it.)

"Self-destruct crypto" would work roughly the same way:

-- N agents holding pieces of puzzle, contracted to destroy those pieces on
such-and-such date.

It is likely that some or even all of them would comply, if properly paid.

Caveats:

1. Sure, they could make backups. Probably do. But just as archival files
are shredded, a system for eliminating "expired" files would be possible.

2. Sure, they could cheat. Ditto for "timed-release crypto." (Time is
symmetric for this problem.)

3. Again, the security of the system to a large extent depends on the N
agents not knowing what the pieces are part of, nor knowing who the other
holders are. They never know whether a given piece is part of an audit, a
test, etc.

4. There is a slight asymmetry, despite what I said, in that one can "test"
agents to see if they'll release their pieces as contractually obligated
to, but one can never be sure that agents have actually destroyed their
pieces.

5. Still, distributing a secret amongst, say, 30 agents and having them
"agree" to destroy their pieces on January 20, 2002, seems pretty likely to
result in the collective secret (n-out-of-m pieces) being recoverable after
that date.

Such a system would need more consideration of backup strategies, etc. (If
everyone is carefully backing up and the backup tapes are somewhere, then
quite clearly the secret would not be gone; hence the issue of backup
strategies.)


>I suspect that the laws of thermodynamics might prohibit this
>in classical cryptography because as a message expired the
>amount of entropy would decrease.  Quantum cryptography
>might work, but that will be science fiction for some time to
>come.

I'm always interested in the links between information theory, algorithmic
complexity, and notions of entropy, but I am skeptical in the extreme that
the "laws of thermodynamics" have anything to do with whether one can throw
away bits. If I make a list on my computer, and then erase it, have I
violated a "law of thermodynamics"? Of course not.

--Tim May

Views here are not the views of my Internet Service Provider or Government.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA              | knowledge, reputations, information markets,
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."