Re: expiration dates on cryptography
At 12:21 PM 11/8/95, John Curtis wrote:
The discussion between Mr. May and Mr. Shields concerning time-release cryptography raised an interesting question in my mind.
Given that trust is often of an ephemeral nature, it would be quite useful to set time limits on secrets. Would it be possible to cryptographically protect a secret such that it could not be decrypted after a certain time?
An interesting twist. There are two broad things to consider:

1. Cryptography, what can mathematically be done.
2. Economics and social systems, what "business ecologies" can do.

Pure cryptography is about #1, with minimal consideration of #2. Much of what interests me involves #2. How this relates to your interesting question goes as follows.

Even the "timed-release cryptography" is NOT a pure cryptographic system, as the idea of "temporal state" in crypto is iffy. That is, clocks can be jiggered. Even "sealed clocks" can be jiggered. But just as Haber and Stornetta's "digital timestamps" use time, such a thing is possible once _economic agents_ enter the picture. And once economic considerations are used.

The "timed-release crypto" system depends for its security on the likelihood that N agents holding pieces of something--something they don't know the value of--will likely hold those pieces for as long as they are being paid. (If you want to discuss why this is likely, even in a world of mistrust and malice, we can discuss it.)

"Self-destruct crypto" would work roughly the same way:

-- N agents holding pieces of puzzle, contracted to destroy those pieces on such-and-such date.

It is likely that some or even all of them would comply, if properly paid.

Caveats:

1. Sure, they could make backups. Probably do. But just as archival files are shredded, a system for eliminating "expired" files would be possible.
2. Sure, they could cheat. Ditto for "timed-release crypto." (Time is symmetric for this problem.)
3. Again, the security of the system to a large extent depends on the N agents not knowing what the pieces are part of, nor knowing who the other holders are. They never know whether a given piece is part of an audit, a test, etc.
4. There is a slight asymmetry, despite what I said, in that one can "test" agents to see if they'll release their pieces as contractually obligated to, but one can never be sure that agents have actually destroyed their pieces.
5. Still, distributing a secret amongst, say, 30 agents and having them "agree" to destroy their pieces on January 20, 2002, seems pretty likely to result in the collective secret (n-out-of-m pieces) being recoverable after that date. Such a system would need more consideration of backup strategies, etc. (If everyone is carefully backing up and the backup tapes are somewhere, then quite clearly the secret would not be gone; hence the issue of backup strategies.)
I suspect that the laws of thermodynamics might prohibit this in classical cryptography because as a message expired the amount of entropy would decrease. Quantum cryptography might work, but that will be science fiction for some time to come.
I'm always interested in the links between information theory, algorithmic complexity, and notions of entropy, but I am skeptical in the extreme that the "laws of thermodynamics" have anything to do with whether one can throw away bits. If I make a list on my computer, and then erase it, have I violated a "law of thermodynamics"? Of course not.

--Tim May

Views here are not the views of my Internet Service Provider or Government.

Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^756839 | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."
In article <acc62dde07021004cd59@[205.199.118.202]>, Timothy C. May <tcmay@got.net> wrote:
Even the "timed-release cryptography" is NOT a pure cryptographic system, as the idea of "temporal state" in crypto is iffy. That is, clocks can be jiggered. Even "sealed clocks" can be jiggered.
True "timed-release crypto" isn't possible with pure mathematics, because time never appears in mathematical equations. Time does appear in physical equations, so it's conceivable that a device could be built that really wouldn't divulge a secret for a given length of time. However, I'm not sure how such a device would work, and I'm not sure it would be practical for long periods (longer than a human lifetime).

What I'm really proposing is "event-release" crypto based on reputation, with checks and balances so that you can minimize the necessary level of trust and prove breach of contract. I think this is a useful service, because you can convince yourself that in practice, it wouldn't be profitable for the crypto houses to default, nor for an attacker to compromise every house.

Once you have event-release crypto, time-release is an easy special case, with zero human interaction and thus fast turnaround and low cost; but "the beginning of the twenty-first century" is just an event, as is "my death" or "a horse with exactly three vowels in its name wins the 1996 Kentucky Derby". I'm writing code for Tembel's Crypto House now, so I can get an empirical grasp on this.
"Self-destruct crypto" would work roughly the same way:
-- N agents holding pieces of puzzle, contracted to destroy those pieces on such-and-such date.
I don't see how this could work, considering that once there are copies of a message in circulation among nontrusted parties it is impossible to destroy the information. Also, it's impossible to verify that an agent has destroyed a message!

-- Shields.
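The n-out-of-m split May describes (caveat 5) and the destruction problem Shields raises, as an added example that is not code from any poster in this thread: Shamir threshold sharing over a prime field, with constructed sample values. It makes the asymmetry concrete: for release, any `threshold` cooperating holders suffice, while for self-destruct the secret is gone only once fewer than `threshold` pieces survive anywhere, backups included.

```python
"""Added example: Shamir's (threshold, agents) secret sharing, used to
show why N agents destroying their pieces on a date does not reliably
erase the secret.  PRIME, secret and agent counts are constructed values."""
import secrets

# Mersenne prime 2**127 - 1: field large enough for a 16-byte secret.
PRIME = (1 << 127) - 1


def split_secret(secret: int, threshold: int, agents: int) -> dict:
    """Hand each of `agents` holders one point (x, f(x)) on a random
    polynomial f of degree threshold-1 whose constant term is the secret."""
    assert 0 <= secret < PRIME and 1 <= threshold <= agents < PRIME
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = {}
    for x in range(1, agents + 1):
        y = 0
        for c in reversed(coeffs):      # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        shares[x] = y
    return shares


def recover_secret(shares: dict) -> int:
    """Lagrange-interpolate f(0) from whatever pieces still exist.
    With at least `threshold` points this is the secret; with fewer it is
    an unrelated field element, which is the only sense in which the
    secret has been 'destroyed'."""
    xs = list(shares)
    total = 0
    for i, xi in enumerate(xs):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + shares[xi] * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def survivors(shares: dict, destroyed: set) -> dict:
    """Pieces that remain after the agents in `destroyed` genuinely wipe
    theirs (an agent who kept a backup tape is simply not in `destroyed`)."""
    return {x: y for x, y in shares.items() if x not in destroyed}
```

For a 10-of-30 split, twenty honest destroyers change nothing; the secret disappears only if at least 21 agents destroy every copy they hold, which is exactly the condition the thread says cannot be verified.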
For methods of jiggering physical clocks, one might eventually reach the stage of attempting to have physically unjiggable clocks. [Well, theoretically unjiggable, just as our hideously huge composites are thought unfactorable by computability arguments.]

Example: I have a piece of information which I wish to remain secret until a well-defined date in the future. I encrypt it then lob a package containing the information into a well-defined and predictable trajectory which will cause it to intersect the earth's trajectory at that time [or shortly thereafter]. I would [guess, hope, no, I haven't sat here and calculated] that there should exist possible systems where beyond an initial period of about a week, there would be no earthly technology capable of catching up with the packet.

Alright, so it's hideously expensive. But you could put a lot of information into one packet. Apollo Assured Archiving could have fixed rates per megabyte, with regular [monthly?] launches into reliable orbits. At which point the joy becomes making sure there aren't packet-catching bases on the far side of Mercury... [with the mind control lasers, of course]

frodo

--
Richard Martin
Alias|Wavefront - Toronto Office [Co-op Software Developer, Games Team]
rmartin@aw.sgi.com/g4frodo@cdf.toronto.edu
http://www.io.org/~samwise
Trinity College UofT ChemPhysCompSci 9T7+PEY=9T8
Shad Valley Waterloo 1992