Shredcryption
Intro and Context
Shredcryption is an additional privacy measure offered by Ankh.
It puts answers (and data) you select in an encrypted time capsule designed to not be accessible to anyone, including you, for 100 years or more. The original selected data is destroyed.
Use shredcryption when you want to sincerely answer tough or spicy questions without worrying that someone will compromise your device later and access them.
This supports the goal of making Ankh an efficient personality pump - many users would shy away from storing critical data about themselves due to privacy concerns. Hopefully shredcryption can help.
Key Ideas
Encryption as a time capsule
Data takes little time to encrypt compared to how long it takes to recover by brute force once the keys used to encrypt it are destroyed. That gap acts as a time capsule.
Multiple layers
Due to unpredictability in computer processor advancements as well as mathematical techniques (i.e. cryptanalysis), two conceptually different layers are used to protect the time capsule.
Eventual breakability and intentional weaknesses
Reality is not science fiction, where anything can be “hacked.” It may be in the very nature of our universe that today’s tough-to-crack encryption methods will remain uncrackable forever.
As a result, measured and intentional weaknesses are added to the encryption layers. We can’t simply encrypt “as hard as possible” because then those using shredcryption may never get digitally resurrected if that data is thought to be critical.
Shredcryption Summary
Layer 1
First encrypt the initial data with AES-128, creating the first ciphertext.
Save 40 of the 128 bits of the first key (these saved tails are the “intentional weakening”).
Layer 2a
Layer 1 data is collected and encrypted with a second AES-256 key, creating the second ciphertext.
Save 112 of the 256 bits of the second key.
Layer 2b
This second AES key is encrypted (“wrapped”) under a key that argon2id derives from a fresh 256-bit random secret (the “argon2id key”) and a salt.
Save 184 of the 256 bits of the argon2id key.
argon2id parameters: 8 MiB memory difficulty, 3 time difficulty (a.k.a. passes), 1 parallelism
Storage
The resulting Layer 2 data (the second ciphertext, wrapped second AES key, and the saved bits) are stored.
Outcome
Thus two primary weaknesses and one backup weakness are introduced to assist with decrypting the time capsule when advanced computation is available:
- The outer Layer 2 requires brute-forcing the remaining 72 bits of the argon2id key, where every guess costs one argon2id derivation (8 MiB, 3 passes)
- The inner Layer 1 requires brute-forcing the remaining 88 bits of the first AES-128 key, where every guess costs one AES block operation against the KCV
- As a backup, Layer 2 can also be bypassed by brute-forcing the remaining 144 bits of the second AES-256 key
Shredcryption Technical Specification
Preface
Where relevant, the block cipher mode is CBC and the padding is PKCS#7.
Specification
Step 1 - First, weakened AES-128 encryption
- Start with a "plaintext"
- Create a 128 bit "first AES key" and a 128 bit "first AES IV" (initialization vector)
- Separately store the first AES key's 40 bit tail as the "first AES key tail"
- Encrypt the "first AES IV" with the first key in ECB mode to create a "first AES KCV" (a key check value)
- Encrypt the "plaintext" with AES-128 using the first key / IV, producing the "first ciphertext"
- Compute a "first AES HMAC" with the first AES key over the first AES IV, first AES KCV, first AES key tail, and the first ciphertext
- Destroy the "first AES key"
Step 2a - Second, full AES-256 encryption
- Concatenate the padded "first AES key tail", "first AES IV", "first AES KCV", "first AES HMAC", and the "first ciphertext" into a "second plaintext"
- Destroy the "first AES key tail", "first AES IV", "first AES KCV", "first AES HMAC", and the "first ciphertext" (from here on they exist only inside the second plaintext)
- Create a 256 bit "second AES key" and a 128 bit "second AES IV"
- Separately store the second AES key’s 112 bit tail as the "second AES key tail"
- Encrypt the "second AES IV" with the second key in ECB mode to create a "second AES KCV"
- Encrypt the "second plaintext" with the second key / IV, producing the "second ciphertext"
- Destroy the "second plaintext"
Step 2b - Weakened argon2id key wrapping
- Create a 256 bit "argon2id key" and a 256 bit "argon2id salt"
- Separately store the argon2id key’s 184 bit tail as the "argon2id key tail"
- Derive a wrapping key from the "argon2id key" and "argon2id salt" with argon2id, then encrypt ("wrap") the "second AES key" with it, producing the "wrapped second AES key"
- Argon2id difficulty settings: 3 time difficulty (a.k.a. passes), 8 MiB memory, 1 parallelism
- Compute a "second AES HMAC" with the second AES key over the wrapped second AES key, second AES key tail, second AES IV, second AES KCV, argon2id key tail, argon2id salt, and second ciphertext
- Destroy the "second AES key" and "argon2id key"
- Store the "wrapped second AES key", "second AES key tail", "second AES IV", "second AES KCV", "argon2id key tail", "argon2id salt", "second AES HMAC", and the "second ciphertext" in long-term storage
- The last of these contains an encrypted "first AES key tail", "first AES IV", "first AES KCV", "first AES HMAC", and "first ciphertext", which in turn contains the encrypted "plaintext"
- Destroy the "plaintext"
As a sanity check, observe what has been destroyed: the "first AES key" and the "argon2id key" are what a decrypter must recompute (brute-force from the saved tails) to recover the plaintext. The "second AES key", which would be the alternative route past Layer 2, is also destroyed.
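The whole procedure from the Summary and the Specification above, as an added, runnable example that is not Ankh's code. It assumes the `cryptography` package for AES-CBC, AES-ECB and PKCS#7; HMAC-SHA256 as the HMAC (the page names no hash); that a key's "tail" is its last bytes; fixed-width fields in the second plaintext in place of the page's "padded" tail; and a random, stored IV for the wrap, which the page does not name. It uses the `cryptography` or argon2-cffi Argon2id binding if one is present and otherwise substitutes scrypt as a labelled stand-in so the layering can still be exercised. The destroyed key heads are returned only so the example can demonstrate re-opening and the candidate checks a decrypter would run.

```python
# Added worked example, not Ankh's code: a shredcryption capsule built and re-opened
# per the page's Steps 1 / 2a / 2b. Marked assumptions fill what the page leaves open.
import hashlib, hmac, os

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Bytes of each key that are saved (40 / 112 / 184 bits); the rest must be brute-forced.
K1_TAIL, K2_TAIL, AK_TAIL = 5, 14, 23
MEM_KIB, PASSES, LANES = 8 * 1024, 3, 1  # the page's Argon2id parameters

def argon2id_raw(secret, salt):
    """32-byte Argon2id output with the page's parameters. Tries the `cryptography`
    binding, then argon2-cffi; if neither works it falls back to scrypt so the example
    still runs (assumption: a stand-in, not the scheme's KDF)."""
    try:
        from cryptography.hazmat.primitives.kdf.argon2 import Argon2id
        return Argon2id(salt=salt, length=32, iterations=PASSES, lanes=LANES,
                        memory_cost=MEM_KIB).derive(secret)
    except Exception:  # ImportError on older cryptography, UnsupportedAlgorithm on older OpenSSL
        pass
    try:
        from argon2.low_level import Type, hash_secret_raw
        return hash_secret_raw(secret, salt, time_cost=PASSES, memory_cost=MEM_KIB,
                               parallelism=LANES, hash_len=32, type=Type.ID)
    except ImportError:
        pass
    return hashlib.scrypt(secret, salt=salt, n=2 ** 13, r=8, p=1, dklen=32, maxmem=64 << 20)

def cbc(key, iv, data, encrypt=True):
    """AES-CBC with PKCS#7 padding, as the page's preface specifies."""
    c = Cipher(algorithms.AES(key), modes.CBC(iv))
    if encrypt:
        p, e = padding.PKCS7(128).padder(), c.encryptor()
        return e.update(p.update(data) + p.finalize()) + e.finalize()
    d, u = c.decryptor(), padding.PKCS7(128).unpadder()
    return u.update(d.update(data) + d.finalize()) + u.finalize()

def kcv(key, iv):
    """Key check value: the IV encrypted under the key in ECB (one block, cheap to test)."""
    e = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return e.update(iv) + e.finalize()

def mac(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()  # assumption: HMAC-SHA256

def shredcrypt(plaintext):
    """Returns (capsule, destroyed). The real scheme erases `destroyed`; it is returned
    here only so the example can demonstrate re-opening."""
    k1, iv1 = os.urandom(16), os.urandom(16)                 # Step 1: weakened AES-128
    k1_tail, kcv1 = k1[-K1_TAIL:], kcv(k1, iv1)              # assumption: tail = last bytes
    ct1 = cbc(k1, iv1, plaintext)
    mac1 = mac(k1, iv1, kcv1, k1_tail, ct1)
    pt2 = k1_tail + iv1 + kcv1 + mac1 + ct1                  # Step 2a: fields 5|16|16|32|rest
    k2, iv2 = os.urandom(32), os.urandom(16)
    k2_tail, kcv2 = k2[-K2_TAIL:], kcv(k2, iv2)
    ct2 = cbc(k2, iv2, pt2)
    ak, salt = os.urandom(32), os.urandom(32)                # Step 2b: Argon2id-wrapped k2
    ak_tail = ak[-AK_TAIL:]
    wrap_iv = os.urandom(16)                                 # assumption: page names no wrap IV
    wrapped = cbc(argon2id_raw(ak, salt), wrap_iv, k2)
    mac2 = mac(k2, wrapped, k2_tail, iv2, kcv2, ak_tail, salt, ct2)
    capsule = dict(wrapped=wrapped, wrap_iv=wrap_iv, k2_tail=k2_tail, iv2=iv2, kcv2=kcv2,
                   ak_tail=ak_tail, salt=salt, mac2=mac2, ct2=ct2)
    destroyed = dict(k1_head=k1[:-K1_TAIL], ak_head=ak[:-AK_TAIL])   # 88 and 72 unknown bits
    return capsule, destroyed

def unshredcrypt(c, ak_head, k1_head):
    """Re-opens a capsule given the two destroyed key heads a future decrypter must
    brute-force; each candidate is screened with the cheap checks first."""
    k2 = cbc(argon2id_raw(ak_head + c["ak_tail"], c["salt"]), c["wrap_iv"], c["wrapped"], False)
    if len(k2) != 32 or k2[-K2_TAIL:] != c["k2_tail"] or kcv(k2, c["iv2"]) != c["kcv2"]:
        raise ValueError("argon2id key candidate rejected (tail / KCV mismatch)")
    expect = mac(k2, c["wrapped"], c["k2_tail"], c["iv2"], c["kcv2"], c["ak_tail"], c["salt"], c["ct2"])
    if not hmac.compare_digest(expect, c["mac2"]):
        raise ValueError("Layer 2 HMAC mismatch: capsule corrupted or tampered")
    pt2 = cbc(k2, c["iv2"], c["ct2"], False)
    k1_tail, iv1, kcv1, mac1, ct1 = pt2[:5], pt2[5:21], pt2[21:37], pt2[37:69], pt2[69:]
    k1 = k1_head + k1_tail
    if kcv(k1, iv1) != kcv1:
        raise ValueError("first AES key candidate rejected by KCV")
    if not hmac.compare_digest(mac(k1, iv1, kcv1, k1_tail, ct1), mac1):
        raise ValueError("Layer 1 HMAC mismatch")
    return cbc(k1, iv1, ct1, False)

def rejects(capsule, ak_head, k1_head):
    """True when unshredcrypt refuses the capsule with these heads (wrong key or tampering)."""
    try:
        unshredcrypt(capsule, ak_head, k1_head)
        return False
    except ValueError:
        return True

def brute_force_head(head_len, key_tail, iv, kcv_value):
    """The decrypter's inner loop: enumerate the missing head bytes, testing each with the
    one-block KCV. Feasible only for a tiny head_len here; the real 88-bit head is 2**88 tests."""
    for n in range(256 ** head_len):
        head = n.to_bytes(head_len, "big")
        if kcv(head + key_tail, iv) == kcv_value:
            return head
    return None

if __name__ == "__main__":
    capsule, destroyed = shredcrypt(b"A sincere answer to a spicy question.")
    print(unshredcrypt(capsule, destroyed["ak_head"], destroyed["k1_head"]))
```

Note what the KCV buys the far-future decrypter: a candidate key is confirmed with a single AES block operation before any bulk decryption, whereas each argon2id candidate costs a full 8 MiB, 3-pass derivation. The 72-bit argon2id head and the 88-bit first-key head are therefore not equally cheap per guess, and the HMACs catch a corrupted or tampered capsule only after the right key has been found.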
Other Considerations
Error resistance
Due to Ankh’s super-long-term data storage needs, there's some motivation for making it resistant to errors, bit flips, etc.
Unfortunately, this scheme is not very resistant to errors in critical places, such as key tails, IVs, or KCVs - it can detect them via HMAC but not correct them. Instead, error correcting schemes should be used on the overall stored data, rather than per time capsule.
That said, the original answer or data bytes, which are the bulk of the data, are not especially fragile: error propagation in CBC mode is local. A corrupted ciphertext block garbles only its own plaintext block entirely and flips the same bit positions in the next plaintext block; a corrupted IV flips only the corresponding bits of the first plaintext block. One error in the bulk of the data doesn’t ruin the whole time capsule, although the HMAC will still flag it.
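To check that locality claim, here is an added example (not from the page) that flips one ciphertext bit and counts how many bits change in each decrypted block. It uses the `cryptography` package and a constructed 8-block sample with a fixed key and IV so runs are repeatable.

```python
# Added example, not from the page: how far one flipped ciphertext bit spreads under
# AES-CBC decryption. Uses the `cryptography` package and a constructed sample.
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16

def cbc_raw(key, iv, data, encrypt):
    """Unpadded AES-CBC; the sample is whole blocks, so no padding is needed."""
    c = Cipher(algorithms.AES(key), modes.CBC(iv))
    op = c.encryptor() if encrypt else c.decryptor()
    return op.update(data) + op.finalize()

def bits_changed_per_block(plaintext, key, iv, bit_index):
    """Flip ciphertext bit `bit_index` (byte bit_index // 8, bit bit_index % 8), decrypt,
    and return {block index: number of changed bits} for each plaintext block that differs."""
    ct = bytearray(cbc_raw(key, iv, plaintext, True))
    ct[bit_index // 8] ^= 1 << (bit_index % 8)
    got = cbc_raw(key, iv, bytes(ct), False)
    changed = {}
    for i in range(len(plaintext) // BLOCK):
        a, b = plaintext[i * BLOCK:(i + 1) * BLOCK], got[i * BLOCK:(i + 1) * BLOCK]
        diff = int.from_bytes(a, "big") ^ int.from_bytes(b, "big")
        if diff:
            changed[i] = bin(diff).count("1")
    return changed

# Constructed sample: 8 whole blocks with a fixed key and IV so runs are repeatable.
SAMPLE = bytes(range(128))
KEY, IV = bytes(range(16)), bytes(16)

if __name__ == "__main__":
    print(bits_changed_per_block(SAMPLE, KEY, IV, 3 * 128 + 5))  # block 3 garbled, block 4: 1 bit
    print(bits_changed_per_block(SAMPLE, KEY, IV, 7 * 128))      # last block only
```

Flipping a bit in ciphertext block i garbles all of block i (about half its bits change, since the damaged block passes through the cipher) and flips exactly that one bit in block i+1; a flip in the last block touches only that block. The bulk of a capsule survives a stray bit flip, but the HMAC still fails, which is why an error-correcting layer belongs around the stored capsules as the section says.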
Balancing act, no guarantees
As mentioned, the time capsule can’t be made super-difficult, or else even a far future civilization or entity may never endeavor to crack them.
The time capsule is designed to withstand any attempt by an attacker within the next 100 years, with access to vast, future resources.
However, estimating advances in computation and cryptanalysis for 100 years is impossible, in spite of recent slowdowns in progress. Thus Ankh offers no guarantee shredcryption time capsules will remain uncrackable for 100 years.
On the other hand, the weakness introduced may not be enough. Ankh offers no guarantee that shredcrypted time capsules will ever be crackable by any far future civilization or entity.
See the Terms of Service for more details re: shredcryption (un)crackability.