Time Capsule cryptography?

Question

Does there exist any cryptographic algorithm which encrypts data in such a way that it can only be decrypted after a certain period of time?

The only idea that I can think of, is something like this: Seed a PRNG with a public value. Run the PRNG for a week and use the final value it produces to encrypt the message. Now anyone who runs that PRNG for a week starting from the seed value you made public can decrypt the message. Obviously this breaks down since they could use more computational power than you; if the time span was years then Moore's Law would apply, etc.

Is there anything like this other than physically burying a private key on a USB stick in a literal time capsule?

score 100 · Answer 1 · edited Jan 10 '25 at 05:10

Yes.

There has been a lot of work on "proof of work" protocols or "time-lock puzzles." Typically in cryptography, functions are either easy to compute or intractable. These protocols look at functions that are moderately hard to compute.

To do time-release encryption, you need a puzzle with the following properties:

Difficulty of the puzzle can be monotonically increased according to some difficulty parameter
Best algorithm to solve it is intrinsically sequential (parallel computing doesn't help)
Amortized cost of solving a group of puzzles is the same as a single puzzle
There is a trapdoor (shortcut) that allows efficient evaluation of the puzzle

With time-release crypto, the idea is to generate a puzzle that will take a certain amount of time to solve based on an estimate of a person's computational power and how it will grow in the future (e.g., Moore's law). It only gives you a fuzzy indication of how long it will stay secret (see below for a real world example). Property 2 is very important because adding parallel computation is easy and it is hard to estimate how much parallelization is possible.

Note that most proof of work protocols do not care about property 2 because they are used in different ways. These might be based on finding partial collisions/preimages in hash functions or exhaustive search of a small space (e.g., bitcoin), however speedups with parallel computing is trivial in these examples. There are also a number of memory-based puzzles that require lots (more than can be cached) of memory accesses, which is a more predictable measure of time on computers.

Back to time-release crypto. The idea is to instantiate a puzzle $p$ with difficulty $d$: $p=\mathsf{Puzzle}(d)$. A trapdoor $t$ for efficiently solving it is known to the person who generates the puzzle. This person then encrypts her message under key $k$ with a normal encryption function: $c_1=\mathsf{Enc}_k(m)$. She then release an "encryption" of the key she used by combining the key with the solution to the puzzle. Note that she can efficiently solve the puzzle with trapdoor $t$ but the recipient can't. She computes: $c_2=k \oplus \mathsf{Solve}_t(p)$. The ciphertext is $c_1,c_2$ plus a description of the puzzle.

To decrypt, the recipient computes $s=\mathsf{Solve}(p)$, which should take a moderate amount of time. He then recovers the key by $k=c_2\oplus s$, and can then decrypt $c_1$.

The disadvantage to time-release cryptography is that the recipient must devote an entire processor to solving the problem for the period of time that it should remain secret.

The best proposal for a Puzzle with the right properties is due to Rivest, Shamir and Wagner in this paper. It is based on repeated squaring in RSA groups. A recent result precludes any intrinsically sequential time-lock puzzles in the random oracle model (e.g., based on hashing).

In 1999, Rivest created a time capsule message to commemorate the 35th anniversary of MIT's Laboratory for Computer Science. He talks about how he designed it to require 35 years to decrypt (interesting read).

score 48 · Answer 2 · edited Jan 10 '25 at 05:10

No.

See https://gwern.net/self-decrypting

It has a decent list of ways you might try. However, there is no guarantee that the desired amount of time would actually elapse until the "lock" was broken; significantly more or significantly less time might be required.

MIT guys did something in '99 they hope will be opened in 2034. Again, they do leave open the possibility that it could be broken earlier.. or not in anywhere near the amount of time they estimate:

https://people.csail.mit.edu/rivest/pubs/Riv99b.lcs35-puzzle-description.txt

Most ways depend on needing to run an operation on a computer that will take a certain amount of time before the final decryption key can be obtained. However, you have no control over hardware. Ergo, you have no real control over the amount of time that would elapse before the final decryption key is acquired.

The MIT guys did mention that they took "Moore's Law" into account. However, most people would argue that Moore's Law has very little to do with overall processing performance. The law was about the doubling of transistor counts every two years; however processor performance has very much outstripped that.

The info on this site says pretty much the same thing: http://dl.acm.org/citation.cfm?id=888615

The secondary way is to give the key to a trusted third party who will only reveal it at a certain point in time. However, this is tricky because they may be forced to release it earlier or they may even lose it.

There is no implementation accepted by anyone as "secure". There can't be.

score 29 · Answer 3 · edited Apr 13 '17 at 12:48

Going with the theme of out-of-the-box solutions started by e501, I do recall at least a half-serious suggestion that, with a retransmitter (or just a big mirror) placed in outer space at a suitable distance from Earth, one could use light-speed lag as an effective time capsule mechanism — just encode the message as a laser pulse and send it out for a round trip of as many light years as you want to delay it by in years.

In principle, you could also do this just by bouncing the light off naturally occurring objects in space, like planets or stars or nebulae. However, the transmission losses involved in this would probably make it infeasible without extremely powerful transmitters and sensitive receivers, to the point where it's not at all clear whether it would actually be any more practical than just launching a huge retroreflector out into space. Also, the brighter the outgoing pulse is, the bigger the risk that scattering from gas and dust along the way might provide a side-channel attack.

fgrieu · Answer 4 · 2014-06-09T18:26:06.360

No.

With neither a trusted third party nor trusted hardware, we know no system with an even mildly accurate delay of release.

If we accept a trusted third party, there are options. For example:
The trusted third party generates a public/private key pair per hour (for an asymmetric cipher such as RSA-OAEP), publish the public $Pub_t$ keys in advance (signed with the long-term public key of the third party), and publish a regularly updated list of all the past private keys $Priv_t$.
To time-lock some information $P$ until $t$: fetch $Pub_t$, and its signature, from the trusted third party; check the signature; draw a random key $K$ for a symmetric cipher such as AES-CTR; encipher $K$ using key $Pub_t$ giving $KT$; encipher $P$ using key $K$ giving $C$; forget $K$ and $P$; publish the time-locked information $KT||C$.
When time $t$ has come, anyone can fetch $Priv_t$ from the trusted third party; decipher $KT$ using key $Priv_t$ giving $K$; decipher $C$ using key $K$ giving $P$.
In a variant, the trusted third party generates deterministically the $Pub_t$/$Priv_t$ pairs from a master key and $t$; this allows arbitrary precision for $t$ with constant storage.

Trusted hardware with a trusted real-time clock (e.g. some HSM) can be used to implement the time lock (or to implement the above trusted third party).

With trusted hardware lacking a trusted real-time clock (e.g. a Smart Card), the clock can be delegated to a trusted third party. I believe (never done it) that buying a certificate from a certification authority also buys a free service, which answers unauthenticated queries "is this certificate still valid?" with a signed answer "this certificate was still valid at time $t$", which the trusted hardware can check (against the trusted third party's long term public key) to determine that the current time is at least $t$ (on the trusted third party's clock), regardless of how this signed answer has reached the trusted hardware.

score 20 · Answer 5 · edited Jan 09 '25 at 08:23

Yes. The following paper looks at your question:

Ronald Rivest, Adi Shamir, and David Wagner. Time-lock puzzles and timed-release Crypto. March 1996.

That paper describes how to encrypt a message $M$, so that decrypting $M$ requires a controlled amount of computation (say, $T$ CPU cycles).

To encrypt, Alice chooses large primes $p,q$ and computes a RSA modulus $n=pq$. Alice also picks an integer $t$ large enough that performing $t$ modular squarings (modulo $n$) will take the decryptor about $T$ CPU cycles. Alice then picks a random value $a$ and computes $b = a^{2^t} \bmod n$; she then uses $b$ as a secret key to encrypt her message (e.g., with AES).

Alice gives the RSA modulus $n$ to the decryptor, and the number $t$. The decryptor can recompute $b$ by squaring $a$, repeatedly squaring $t$ times (modulo $n$ each time). Thus, it will take the decryptor about $T$ CPU cycles to decrypt.

In contrast, Alice can encrypt using much less than $T$ CPU cycles, using the following trick. Alice computes $e = 2^t \bmod \varphi(n)$. Here $\varphi(n) = (p-1)(q-1)$, so Alice can compute $\varphi(n)$, but no one else can. Moreover, Alice can compute $e$ using $2 \log t$ squarings and multiplications modulo $\varphi(n)$, which takes vastly less than $T$ CPU cycles. Alice then encrypts using $b = a^e \bmod n$. Thus, Alice can encrypt much more efficiently than the recipient can decrypt.

Alice can create a puzzle whose difficulty she can control very precisely. The only way to decrypt is to solve the puzzle. She can arrange that it will probably take about 20 years to decrypt. Creating the puzzle is much quicker than solving it (she can create the puzzle in seconds, even though it takes decades to solve). This provides a way to send a message that can only be decrypted after performing a certain amount of computation, i.e., after a certain amount of time.

The paper also describes another way to solve the problem, if one has a trusted agent (perhaps implemented using TCG, or perhaps considered trustworthy for other reasons).

score 16 · Answer 6 · answered Oct 22 '11 at 01:05

Because there's no inherent sense of time for a computer, there's not really any way to accomplish this. The best you could do would be to require a lot of computation and try to make it have to be as serial as possible. But even if there's a good way to do that, faster computers could do it more quickly.

If you want something to stay encrypted for a fixed amount of time, your best bet would be to encrypt it using any standard scheme and lock the key or keys in a time-lock safe.

score 12 · Answer 7 · answered Dec 21 '11 at 06:15

12

I'm thinking some sort of Ironkey like device, where the crypto and clock are internal to the device and encapsulated in such a way that if they are physically tampered with, the chip (and the key) self-destructs.

answered Dec 21 '11 at 06:15

Joe

121
1
2

score 10 · Answer 8 · answered Sep 03 '11 at 17:07

There is such a kind of primitive in the article about timed commitments from Boneh and Naor. This is a kind of encryption scheme where decryption can be forced, but at a heavy non parallelizable cost, and such that it can be proven in advance, at low cost, that forced decryption will work. It relies on repeated squarings modulo a RSA modulus.

Ethan Heilman · Answer 9 · 2011-09-28T16:45:58.390

InfoBiology by printed arrays of microorganism colonies for timed and on-demand release of messages is a recently development method that leverages biological systems to create messages that impose a limit on the amount of time it takes to learn a message.

The idea is simply to encode a message in a pattern of e. coli colonies. The message is released after the e. coli colonies have been growing in a particular growth medium for a certain period of time (the phenotypic expression of the e. coli is designed to have a particular lag time).

score 7 · Answer 10 · answered Jun 23 '11 at 01:18

Since there's no way to control your execution environment, there's no way to ensure your algorithm is executed as described, with the actual current time. Thus, the only way to ensure something like this is to make it computationally difficult to decrypt, which is a limit on the amount of computational effort spent, not on the amount of real time spent. The easiest way to do this would be to encrypt the data with a short private key, and require people to factor the public key in order to unlock it.

score 7 · Answer 11 · answered Sep 04 '11 at 22:38

7

Check out "Time-Lapse Cryptography". Seems like a pretty good system. I doubt the infrastructure is currently in place to support it, but you never know what the authors have out there.

answered Sep 04 '11 at 22:38

mikeazo

39,117
9
118
183

score 6 · Answer 12 · answered Jun 23 '11 at 07:28

I would try an aproach with a web service. Once you own the server you can rely on the date it has. You crypto information should contain a date that the server validates an once this is reach you can provide real decryt key for user.

score 5 · Answer 13 · answered Jan 02 '14 at 16:03

Quoting Rivest et al:

There are 2 natural approaches to implementing timed-release crypto:

Use "time-lock puzzles" - computational problems that can not be solved without running a computer continuously for at least a certain amount of time.

Use trusted agents who promise not to reveal certain information until a specified date.

So far, so good. Yet, it leaves the question if there's a cryptographic scheme that practically does the job.

Here are some interesting papers and slides on the subject, that haven't been mentioned yet:

And — for what it's worth — there are also related discussions at Redit and at Hacker News too.

score 5 · Answer 14 · answered Jun 09 '14 at 04:04

How about basing this on radioactive decay?

You print the message on a film
Encapsulate the film in some tamper-proof (or highly tamper-resistant) enclosure
There is only one way to retrieve the film from the enclosure and in that path, put some radioactive material so that you can not retrieve the film without exposing the film to the radiation
If one tries to retrieve the film before radioactive material has decayed, the film will be exposed blank by the radiation. After radioactive material has decayed, film can be retrieved safely.
Tamper-proof enclosure also prevents removal of radioactive material without damaging the film
(Several Challenges in enclosure design of course :-(

score 4 · Answer 15 · answered Jun 09 '14 at 03:21

Of all these systems, the only method that is time-proven, practical, and at least theoretically reliable, is to use a multi-part key, and distribute that key to separate [people, places] with the information necessary to put them together only available at a certain date.

It is still possible to find repositories that are immune from subpoena, with timed contracts or to be opened only posthumously. Even the government does not have lawful or Constitutional authority to breach attorney-client privilege, for example.

If secrecy is more important than reliability, then distribute your information among several attorney-client agreements. If reliability is more important than secrecy, then distribute all the information among several attorney-client agreements.

Always keep in mind that PEOPLE are the vastly more frequent (but not always) the point of failure. Even so, trying to take people out of the equation -- today -- has little probability of success.

score 4 · Answer 16 · answered Dec 25 '12 at 14:42

Two big problem with the "it will take a computer 20 years to crack it" idea

It will only take 2 years for 10 computers to crack it
brute force cracking is a random process, so it could be cracked almost instantly, at very low admittedly, but not quite zero , probability.

Oh I suppose you could encode using a really really large key .The brute force crack techqnique might then have the expected crack time of 200 years. But the key is calculable, using a process that must be linearly done, so that no parallism is allowed, and it will take 20 years at 20 Gigaflops to process. Actually the speed limit is around 4 Ghz so recently cpu pwoer is coming from parallelism.. which cannot help a linear algorithm... But there is a risk that someone would divise a way to find the resulting key without doing all the intermediate calculations, and thus turn 20 years into a short time ..

score 3 · Answer 17 · answered May 04 '14 at 09:22

You might want to look at "The Burris Numerical System" there is a very good book on it. This numerical system encrypts data in theory in time with only the last number remaining in space. The rest of the number is in theory stored in time. The book is on Amazon and other places. This is the best I have found for using time to encrypt data.

user76034 · Answer 18 · 2014-06-09T10:30:08.807

How about encoding the data into a laser beam and shooting it out into space in a direction that would have it curve back towards a detector on earth/orbit/moon in 20 years? Kinda like how we know to expect Halley's comet to come around every 75 or so years.

I guess the fundamental here is that astral bodies don't change behavior unexpectedly (or, at least, they are sufficiently dependable), and also that the speed of light is constant in (normal, empty) space. If faster-than-light travel is achieved within the time-frame of your time capsule opening, well.. i guess you'll have bigger things to worry about than your time-encryption being broken.

score 1 · Answer 19 · answered Jun 09 '14 at 01:00

Use a dual radioactive decay key.

You have one element with say a 1000 year half life, and another with a 20-year half life.

You detector is programmed to see the decay products, and only produce the decryption key if the proper ratio of decay products are present.... and if at any time, an improper mix of decay products is present, it destroys the key.

score 0 · Answer 20 · answered May 26 '23 at 06:41

Passcodes on iOS take 80 milliseconds to decrypt.

When you set up the passcode, it’s encrypted with a multi-round algorithm, measuring the time, so that decryption takes 80ms. More rounds on newer, faster hardware.

Decryption is done using a 256 bit key built into the CPU that cannot be extracted, so the decryption must be done on the same CPU. And instead of 80ms you could pick any time.

But it’s not really a solution. Say you want your data be decrypted in twelve months. Then you’d have to encrypt for six months, start decrypting, and the decryption takes another six months. If you decide in 24 months to decrypt the data, it will take six months again.

You need an algorithm that turns a time stamp into one key needed for encryption and one for decryption, and put them on a secure server. That server provides the encryption keys for a time stamp at any time, but the decryption keys only at times past the time stamp. And that server needs to be absolutely locked down. Importantly, the servers notion of “current time” must be unbreakable. Maybe connect it to a telescope and let it check locations of some stars. Or a hardware counter that cannot be advanced more than once per nanosecond without destroying it.

score 0 · Answer 21 · answered Jan 04 '25 at 00:12

It is surprising that no one actually answered the question.

Verifiable Delay Functions (VDF's): https://eprint.iacr.org/2018/601.pdf

It is possible to achieve with just a symmetric cryptographic primitive.

You may convert parallel effort into mandatory serial work: For example, you can get 10,000 core-hours in a single hour by using 10,000 cores but the person for whom the encrypted package is intended will have to spend 10,000 hours to recover the encryption key. You do this by daisy chaining the 10,000 hash chains, each result encrypting the start point of the next chain.

SHA256 is recommended for a serious effort at implementing this because SHA256 has dedicated CPU instructions on relatively recent hardware, making it likely the best choice as significant latency improvements are unlikely even in dedicated hardware. Latency is the only relevant metric for a VDF because parallel computing is useless for solving it.

score 0 · Answer 22 · answered May 12 '19 at 06:02

Yes.

A solution is to choose an encryption method that inflates the number of bits in the encrypted message to a literally astronomical level.

By doing this, you can guarentee a lower bound on how long it will take to read the encrypted message.

The reason this works is that our universe has a limit on how many bits of info you can store in a given volume. The maximum information is the surface area of the volume measured in Plank areas. If you pick a number of bits that under the best packing scenario (a spherical black hole) would require a given amount of time for all bits to reach a person positioned at the center of the black hole, then there is no possible way that person can receive the encrypted message in under a given time. Eg, if the black hole had a radius of 1 light year, it would take at least a year to read all of the bits that comprise the sphere.

For an idea, the max info in a .5 meter radius sphere is 1.3 x 10^36 bits. That number of bits is astronomical, yet would only buy you an extremely short amount of time before the message could be read.

There may be ways to shave this number of bits down, ie if there are other physical laws that limit data transfer rates besides density packing, or if you can prove that a certain amount of computation must be done and if there is a physical limit on computation time.

score 0 · Answer 23 · answered Apr 25 '20 at 05:27

Some answers suggest using the inherent speed-of-light limitation to introduce delays that can't be shortened. This is an excellent idea. However, for longer delays, these solutions have the problem of requiring very long distances. Fortunately, one can reduce those distances by using interactive protocols with a required large number of rounds between the parties to amplify the inter-party communications delay.

Suppose now that one party is located on a geosynchronous satellite, and the other parties are located on Earth. Every round-trip to the satellite party would linearly increase the time to execute the interactive protocol, and no advancements in computational power or transmission technology could shorten this delay. The only requirement being that the far-away party (the satellite) won't be tampered with, such as being moved closer to Earth, or being cloned (private keys and all). How this can be guaranteed is another question though.

score 0 · Answer 24 · answered Jan 16 '22 at 04:24

All these comments and answers about outer space and light beams gave me an idea… To encrypt a message so that it is decoded after 1 year:

Choose a celestial body.
Encrypt the contents of the message with a key generated from the position of that celestial body.
Calculate the position at which the object will be in 1 year.
Provide the recipient with the encrypted message and the final position of the object.

After 1 year, the recipient of the message will see the celestial body in the indicated place. A short analysis of its trajectory will allow him to calculate the position at which the object was 1 year earlier, thus enabling him to decode the message.

Of course this is just the general idea, but with some research, this might actually be faisable, at reasonable cost!

Time Capsule cryptography?

24 Answers24

Linked

Related