14.5.1. "Can anything like a "cryptographic time capsule" be built?"
  - This would be useful for sealing diaries and records in such a way that no legal bodies could gain access, that even the creator/encryptor would be unable to decrypt the records. Call it "time escrow." Ironically, a much more correct use of the term "escrow" than we saw with the government's various "key escrow" schemes.
  - Making records undecryptable is easy: just use a one-way function and the records are unreachable forever. The trick is to have a way to get them back at some future time.
  + Approaches:
    + Legal Repository. A lawyer or set of lawyers has the key or keys and is instructed to release them at some future time. (The key-holding agents need not be lawyers, of course, though that is the way things are now done.)
      - The legal system is a time-honored way of protecting secrets of various kinds, and any system based on cryptography needs to compete strongly with this simple-to-use, well-established system.
      - If the lawyer's identity is known, he can be subpoenaed. Depends on jurisdictional issues, future political climate, etc.
      - But identity-hiding protocols can be used, so that the lawyer cannot be reached. All that is known, for example, is that "somewhere out there" is an agent who is holding the key(s). Reputation-based systems should work well here: the agent gains little and loses a lot by releasing a key early, hence has no economic motivation to do so. (Picture also a lot of "pinging" going to "rate" the various ti<w agents.)
    - Cryptography with Beacons. A "beacon agent" makes very public a series of messages, somehow. Details fuzzy. [I have a hunch that using digital time-stamping services could be useful here.]
    + Difficulty of factoring, etc.
      + The idea here is to use a function which is presently hard to invert, but which may be easier in the future. This is fraught with problems, including unpredictability of the difficulty, imprecision in the timing of release, and general clumsiness. As Hal Finney notes:
        - "There was a talk on this topic at either the Crypto 92 or 93 conference, I forget which. It is available in the proceedings....The method used was similar to the idea here of encrypting with a public key and requiring factoring of the modulus to decrypt. But the author had more techniques he used, iterating functions forward which would take longer to iterate backwards. The purpose was to give a more predictable time to decrypt.....One problem with this is that it does not so much put a time floor on the decryption, but rather a cost floor. Someone who is willing to spend enough can decrypt faster than someone who spends less. Another problem is the difficulty of forecasting the growth of computational power per dollar in the future." [Hal Finney, sci.crypt, 1994-8-04]
    + Tamper-resistant modules. A la the scheme to send the secrets to a satellite in orbit and expect that it will be prohibitively expensive to rendezvous and enter this satellite.
      - Or to gain access to tamper-resistant modules located in bank vaults, etc.
      - But court orders and black bag jobs still are factors.

14.5.2. Needs
  - journalism
  + time-stamping is a kind of example
    - though better seen in the conventional analysis
  - persistent institutions
  - shell games for moving money around, untraceably

14.5.3. How
  - beacons
  - multi-part keys
  - contracted-for services (like publishing keys)
  - Wayner, my proposal, Eric Hughes
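
An added example, not part of the original text, for the "Difficulty of factoring" approach in 14.5.1. It uses a later and different construction from the one Finney recalls (the repeated-squaring time-lock puzzle of Rivest, Shamir and Wagner): whoever knows the factors of the modulus seals the key cheaply, while anyone else must perform t squarings one after another. The function names, the SHAKE-256 pad and the toy-sized public primes are assumptions made for this sketch.

```python
import hashlib

# Constructed demo parameters: two publicly known Mersenne primes.
# Trivially factorable; a real modulus needs large, secret, random primes.
P = 2**61 - 1
Q = 2**89 - 1


def _pad(b: int, length: int) -> bytes:
    """Stretch the puzzle answer b into `length` bytes of keystream."""
    raw = b.to_bytes((b.bit_length() + 7) // 8 or 1, "big")
    return hashlib.shake_256(raw).digest(length)


def seal(key: bytes, t: int, p: int = P, q: int = Q, a: int = 2) -> dict:
    """Creator side: lock `key` behind t sequential squarings mod n = p*q."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = pow(2, t, phi)   # trapdoor: reduce the exponent 2^t modulo phi(n)
    b = pow(a, e, n)     # b = a^(2^t) mod n, valid because gcd(a, n) == 1
    locked = bytes(x ^ y for x, y in zip(key, _pad(b, len(key))))
    # p, q and phi are not returned: once the creator forgets them,
    # the creator has no shortcut either.
    return {"n": n, "a": a, "t": t, "locked": locked}


def open_capsule(puzzle: dict) -> bytes:
    """Solver side: without the factors, square t times in sequence."""
    b = puzzle["a"] % puzzle["n"]
    for _ in range(puzzle["t"]):
        b = b * b % puzzle["n"]   # each step needs the previous result
    locked = puzzle["locked"]
    return bytes(x ^ y for x, y in zip(locked, _pad(b, len(locked))))


if __name__ == "__main__":
    capsule = seal(b"constructed-diary-key", t=200_000)
    print(open_capsule(capsule))
```

The delay is set by t and by how fast one squaring runs on the solver's hardware, so this is still the cost floor Finney describes rather than a calendar date.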
By Tim May, see README
HTML by Jonathan Rochkind