Time-capsule crypto to help journalists protect their sources

Jonathan Zittrain writes, "I published an op-ed in the Boston Globe today musing on the prospects for 'time capsule encryption,' one of several ways of storing information that renders it inaccessible to anyone until certain conditions -- such as the passage of time -- are met. I could see libraries and archives offering such technology as part of accepting papers and manuscripts, especially in the wake of the 'Belfast Project' situation, where a library promised confidentiality for accounts of the Troubles in Northern Ireland, and then found itself amidst subpoenas from law enforcement looking to solve long-cold cases. But the principle could apply to any person or company thinking that there's a choice between leaving information exposed to leakage, or destroying it entirely."

I'm less enthusiastic about this than Jonathan is. I think calibrating the strength of your time-capsule is very hard. If the NSA might be an order of magnitude faster than the rest of us at brute-force cryptanalysis, that means you need to make your 10-year capsule strong enough to last for 100 years just to be on the safe side. Same goes for proof-of-work.

There has been fitful research done on “time capsule cryptography,” by which something can be encoded so that not even its creator can access it until after a certain amount of time. Such cryptography might depend on the kinds of “proof of work” puzzles — which require vast computing power over an extended period — that undergird the operation of bitcoin and other cryptocurrencies. Cryptocurrencies, whose operations are distributed across a number of computers, use the puzzles to prevent any one entity from taking control of the system.

What works to prevent any one party from subverting a currency could also place some of the data increasingly comprising our lives beyond the reach of a simple subpoena, by forcing the curious to wait a designated period of time before they can see what they want — even if they have legal paperwork that purports to entitle them to it sooner.

Even without relying on such complicated technologies, sensitive material can be encrypted using a key that is split into fragments, the way that it can take two simultaneous keys to launch a missile. Imagine key fragments distributed around the world to, say, 10 parties, requiring the cooperation of at least six of them to reassemble the key needed to get the documents. The parties would be instructed only to announce the keys when the original owner’s specified conditions are met. Early disclosure wouldn’t be impossible, but it would require a sustained effort that would only be worth undertaking if the access were a genuine priority, and one justifiable to the authorities of several countries who could each in turn pressure their respective keyholders. That kind of encryption is easy to do.

Confidential info threatened, but technology can help [Jonathan Zittrain/Boston Globe]

(Thanks, Jonathan!)

(Image: time capsule on Alcatraz, Inajeep, CC-BY)

Notable Replies

  1. It's a fundamentally tricky problem:

    Proof-of-work/low-difficulty-brute-force is the obvious approach; but it's hard to calibrate: You don't know what advances in computing and cryptanalysis may or may not be made (we aren't even talking sci-fi stuff here: In, say, 1995, 3dfx Interactive had been in business for about a year, rainbow tables wouldn't exist for another 8 years, Crack was still pure CPU and wouldn't support clustering until v.4. It's only 20 years on, and the situation has...changed a bit.)

    You can't control how the adversary will traverse the keyspace: on average you find the key about halfway through; but if you get really lucky it could be your first try, if you get really unlucky it could be your last, or anywhere in between. Even if you perfectly predict the future and calibrate the size of the keyspace properly, you still have an uncontrollable probabilistic element.

    Using some sort of tamper-resistant keystore with an RTC seems like an attractive option; but that has a fundamental weakness (in addition to any practical attacks that a given device may suffer from): In common use, tamper-resistant storage hardware has broad freedom to just blank the storage and thus frustrate an attacker. This is what they are supposed to do. Nobody cares about the lost data because they are either just authentication secrets (a shared secret seed on RSA fobs, a private key embedded or generated during manufacture for SIMs, CACs, chip-and-pin cards, and similar) or an offsite copy of something that is backed up in the locked datacenter back at the office (as with most Ironkey deployment scenarios). Authentication secrets are meaningless, IT can just issue you a new one and invalidate the old one at any time, no problem. Offsite files aren't meaningless; but the field copy is usually presumed to just be a convenience thing, and its destruction much preferable to its compromise.

    Things are more difficult in the 'time capsule crypto' scenario: If there is an authentication entity that can just issue new credentials, they'll just get the subpoena and the whole arrangement is for nothing. If there is not, you can't just blank the storage at the first sign of trouble; because what is being stored is either the data you wish to store and protect, or irreplaceable keys to that data. Unfortunately, this takes the greatest weapon a tamper-resistant system possesses right off the table. If the system is free to nuke the keys, the attacker has to sneak past or disable all the defenses and tripwires the designer adds to the system. If the attacker knows that the system can't nuke the keys, because they are valuable, he can do more or less anything he wishes, so long as he doesn't directly destroy the memory himself. Under such relaxed conditions, very few systems could resist for long, definitely not as long as you would want.

    The most theoretically elegant (but wildly impractical) solution I've seen proposed is to locate a reflector X/2 light years away from earth and optically transmit the key at it. Highest-latency delay-line-memory in the galaxy, and, unless you snagged a copy of the key as it was transmitted, you'll just have to wait X years for the reflection to come back to you.

    A much less satisfying, but probably more practical, approach would be to use one of the secret sharing schemes that allows you to chop the key into N parts and construct them such that reconstructing the key requires at least M of them, with M somewhere between 1 and N, inclusive. This provides no elegant theoretical solution; but it allows you to choose your own balance of risk of permanent loss vs. risk of premature disclosure, and makes it about as easy as it can be to distribute the keys across multiple institutions, jurisdictions, storage media, etc. so that any given adversary will have a hell of a time subpoenaing, hacking, stealing, coercing, etc. enough of the parts to reconstruct the key.

    You don't even need to tell the piece-holders who the others are, how many of them there are, or anything else. Just affix their chunk of data to a suitably durable storage medium with instructions to 'send to location X at time Y'. This isn't elegant; fundamentally you can roll the piece-holders one by one just as easily as you could a single keyholder; but in practice, especially if you don't know who all of them are, navigating a maze of different jurisdictions, some hostile or indifferent to your authority, is going to be much more of a challenge than just accessing a single one.

  2. It depends on what the data are, of course; but you do run the risk of making the proof of work so much work that you lose your secret permanently.

    In the case of the 'Belfast Project', say, you need something good enough to resist anything up to (and including) Her Majesty's Spy Nerds at the GCHQ being willing to burn a lot of CPU time to settle as many scores as possible from a conflict that remains relatively bitter in living memory. However, you also need something easy enough that, once the people directly involved are dead, somebody will spare enough CPU time to recover some niche historical material from a 20th century ethnic slugfest that (if it didn't involve people and countries about which a damn is given) would scarcely rise above the background noise (I don't wish to suggest that the 3,530 deaths weren't tragic; but that's a pretty small number by the standards of 'ugly 20th century ethnic nationalist conflict spanning several decades'.)

    That's potentially tricky: between just saving energy, and any number of philanthropic crunching exercises (folding at home, et al.) donor CPU time isn't necessarily going to be easy to come by for niche stuff that has cooled off enough that you now do want to release it; but quite substantial amounts of it may be available if some jurisdiction's feds think that you have the goods on people they want to get to (which, in the case of the Belfast project, is very, very, likely to be true.)
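The six-of-ten keyholder arrangement in Zittrain's op-ed and the M-of-N secret sharing described in the first reply are both instances of Shamir's threshold scheme. The Python below is an added example, not code from the post, the op-ed or the replies; it assumes a demo-sized prime field (2^61 - 1) and treats the secret as an integer standing in for an archive's file-encryption key.

```python
# Shamir's (k, n) threshold secret sharing over the prime field GF(P), as an
# added illustration of the "any six of ten keyholders" idea. The secret is an
# integer below P (a real 256-bit key would need a larger prime or chunking).
import secrets

P = 2**61 - 1  # Mersenne prime; all arithmetic is mod P (demo assumption)


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, n, k):
    """Return n shares (x, y) such that any k of them recover `secret`.
    The secret is the constant term of a random degree-(k-1) polynomial, so
    k-1 or fewer points leave every candidate constant term equally likely."""
    if not (1 <= k <= n < P) or not (0 <= secret < P):
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from (x, y) shares.
    With fewer than k shares this returns a well-formed but wrong value, not
    an error, so the threshold k must be recorded alongside the shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


if __name__ == "__main__":
    key = secrets.randbelow(P)             # stands in for the archive's real key
    shares = split_secret(key, n=10, k=6)  # ten keyholders, any six suffice
    sample = secrets.SystemRandom().sample(shares, 6)
    assert recover_secret(sample) == key
    print("5 shares recover the key:", recover_secret(shares[:5]) == key)
```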
