Versatile and Sustainable Timed-Release Encryption and Sequential Time-Lock Puzzles (Extended Abstract)

Abstract

Timed-release encryption (TRE) makes it possible to send messages “into the future” such that a pre-determined amount of time needs to pass before a message can be accessed. Malavolta and Thyagarajan (CRYPTO’19) recently introduced an interesting variant of TRE called homomorphic time-lock puzzles (HTLPs), making TRE more versatile and greatly extending its applications. Here one considers multiple independently generated puzzles and the homomorphic evaluation of a circuit over these puzzles. Solving the so obtained puzzle yields the output of a circuit evaluated on the messages locked by the original puzzles.

We observe that viewing HTLPs more abstractly gives rise to a simple generic construction of homomorphic TRE (HTRE) that is not necessarily based on sequential squaring, but can be instantiated based on any TLP, e.g., from the LWE assumption (via randomized encodings). This construction has slightly different properties, but provides essentially the same functionality for applications. It makes TRE versatile and can be used beyond HTRE, for instance to construct timed-release functional encryption. Interestingly, it achieves a new “solve one, get many for free” property, which supports that an arbitrary number of independently time-locked (homomorphically evaluated) messages can all be obtained simultaneously after solving only a single puzzle. This puzzle is independent of the number of time-locked messages and thus achieves optimal amortized cost.

Moreover, we define and construct sequential TLPs as a particularly useful generalization of TLPs and TRE. Such puzzles can be solved sequentially in a way that solving a puzzle additionally considers the previous solution and the time required to solve the puzzle is determined by the difference in the time parameters. When instantiated from sequential squaring, this allows to realize public “sequential squaring services”, where everyone can time-lock messages, but only one entity needs to perform the computations required to solve puzzles. Thus, this removes the burden of wasting computational resources by every receiver and makes TRE economically and ecologically more sustainable.

This work was supported by the German Federal Ministry of Education and Research (BMBF) project REZEIVER, the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme, grant agreement n\(^\circ \)802823, the EU’s Horizon 2020 ECSEL Joint Undertaking under grant agreement n\(^\circ \)783119 (SECREDAS) and by the Austrian Science Fund (FWF) and netidee SCIENCE under grant agreement P31621-N38 (PROFET). This is an extended abstract, the full version of this paper is available at [11].

Appendices

A Concurrent and Independent Work

Recently, there have been some independent and concurrent works investigating different aspects of TLPs, which we want to briefly discuss. Most closely related to our work is the one of Katz et al. [19] who show that sequential squaring is as hard as factoring in the strong algebraic group model (SAGM) and construct non-malleable timed commitments based upon a novel building block called timed public-key encryption (TPKE). The similarities are that we will also rely on the SAGM to prove the generic hardness of our new gap sequential squaring assumption. However, their TRPKE approach is different to our TRE approach. Firstly, they support a fast and a slow decryption, where former uses the secret key and latter requires solving a TLP. Secondly, while in our setting encryption is efficient, in their TPKE which is constructed from sequential squaring and the Naor-Yung double encryption paradigm one has to compute twice a T-times sequential squaring. This construction achieves CCA security, but they also discuss a CPA secure version where encryption is equivalently expensive. Note that in contrast to our TRE, in their TPKE time starts running with encryption and not with parameter generation.

In [15] Ephraim et al. investigate efficient constructions of concurrent non-malleable TLPs in the auxiliary-input random oracle model (whereas previous constructions in the plain model [3] are not practically efficient). The idea, which is similar to our idea, is essentially to evaluate random oracle on hardness parameter T and solution s of a puzzle Z and use the output of the oracle as a randomness for \(\mathsf{Gen}\) algorithm of any TLP. An interesting property introduced and investigated in [15] is public verifiability of TLPs. As we have already discussed we can achieve public verifiability for our generic TRE when basing them on perfectly correct PKE schemes. We note however that while Ephraim et al. consider this notion in a setting with malicious puzzle generation, we consider a weaker notion with honest puzzle generation which is sufficient for our TRE.

Abadi and Kiayias [1] construct so-called Multi-Instance Time-Lock Puzzles (MITLPs) which are similar to our notion of sequential TRE. The crucial difference is that MILTPs allow to encrypt messages with respect to consecutive multiples of one hardness parameter by chaining TLPs which requires that all messages of interest must be known at the time when MITLP is generated.

B Applications: Simpler and More Efficient Instantiations

Subsequently, we discuss the applications in [24] when we use our (homomorphic) TRE approach in contrast to HTLPs of MT19. All the following application have in common that they require decrypting a set of encrypted messages at some required time. Our approach to TRE allows to decrypt arbitrary number of messages at the specified time by solving one puzzle. In [24] this is achieved by homomorphic evaluation of puzzles and then solving one or more resulting puzzles. The drawback of this solution is that one needs to wait until all puzzles of interest have been collected, then execute homomorphic evaluation and only after that the resulting puzzles can be solved. Our scheme allows to start to solve the puzzle immediately after \(\mathsf {Setup}\) is run. In all of this applications we are able to use our TRE approach without any homomorphic property.

E-voting. We focus on designing an e-voting protocol in absence of trusted party, where voters are able to cast their preference without any bias. Similarly to [24], we do not consider privacy nor authenticity of the votes. The crucial property of our \(\mathtt {TRE}\) is that setup can be reused for producing an arbitrary number of ciphertexts and for that reason it is enough to run \(\mathsf {Solve}\) only once. The output s of \(\mathsf {Solve}\) allows to obtain the secret key which is then used to decrypt all ciphertexts that have been produced using corresponding \(\mathsf {pp}_e\). Therefore, if we encrypt all votes using the same \(\mathsf {pp}_e\), we are able to decrypt all ciphertexts at the same time. Then it is easy to obtain final result by combining decrypted plaintexts. Notice that the security of the TRE scheme guarantees that all votes remain hidden during the whole voting phase. In the e-voting protocol proposed in [24], we have to wait until the voting phase is finished and then we can combine puzzles from voting phase to m resulting puzzles (one per candidate where votes are encoded as 0 and 1 respectively). Then, these m puzzles can be solved, which requires at least time T and solving m puzzles in parallel. Hence, it requires time T after the voting phase is over to be able to announce the results. This is in contrast to what we can do with our TRE, in which we can encrypt the respective encoding of the candidate, e.g., \(i\in [m]\) directly, and can start to solve a single puzzle immediately after \(\mathsf {Setup}\) is run and hence the results are available at the beginning of the counting phase.

Multi-party Coin Flipping. In multi-party coin flipping we assume n parties which want to flip a coin in the following way: 1) The value of the coin is unbiased even if \(n-1\) parties collude and 2) all parties agree on the same value for the coin. The approach proposed in [24] relies on HTLPs and their protocol consist of three phases: Setup, Coin Flipping and Announcement of the result. Similarly to the e-voting protocol, one is only able to start solving the puzzle in the last phase and hence obtains the results after time T. We are able to avoid this problem, by using our TRE approach, where we can start to solve the puzzle already after the Setup phase.

Sealed Bid Auctions. Here we consider an auction with n bidders. The protocol consist of two phases - the bidding phase and the opening phase. Bids should be kept secret during the bidding phase and later revealed in opening phase. Time-lock puzzles are used in this scenario to mitigate the issue that some bidders can go offline after the bidding phase. If we use only standard time-lock puzzles, then the number of puzzles which has to be solved in the opening phase is equal to number of bidders who went offline. In [24] this problem was resolved by using HLTPs. Again, this solution has the same issues as the ones discussed above and can be avoided using our TRE approach.

Multi-party Contract Signing. In multi-party contract signing we assume n parties which want to jointly sign a contract. The parties are mutually distrusting and the contract is valid only if it is signed by all parties. The protocol in [24] consists of four phases - Setup, Key Generation, Signing and Aggregation, and combines aggregate signatures from RSA with multiplicatively homomorphic time-lock puzzles with a setup that allows producing puzzles for multiple hardness parameters. We remark that this type of time-lock puzzles are in some sense equivalent to our sequential timed-release encryption.² The protocol runs in \(\ell \)-rounds and in the i-th round every party should create a puzzle with hardness \(T_{\ell -i+1}\) which contains a signature of the required message. Hence, the hardness of the puzzles decrease in every round. If some parties have not broadcasted their puzzles in any round, the parties will homomorphically evaluate puzzles from the previous round and solve the resulting puzzle.

Consider a scenario, where in the i-th round some party does not broadcast its puzzle. Then if we do not take into account time for homomorphic evaluation, we need time \(T_{\ell -i+1}\) to solve the resulting puzzle after this event happened. On the other hand, if we use sequential TRE, we are able to obtain result in time \(T_{\ell -i+1}\) after the setup was executed. Moreover, we can combine sequential TRE with an arbitrary aggregate signature scheme, because we do not need to perform any homomorphic evaluation.

C On the Necessity of the Gap Sequential Squaring Assumption

One might ask why the following seemingly simple solution does not yield a secure sequential TLP:

• Generate a set of (non-sequential) puzzles \((Z_1,s_1),...,(Z_n,s_n)\), such that the delay parameter for puzzle i is \(T_i-T_{i-1}\).

• Let \((\mathsf {Enc},\mathsf {Dec})\) be some CPA-secure symmetric encryption scheme.

• Publish \((Z_1,(\mathsf {Enc}_{s_{i-1}}(Z_i))_{i=2}^n)\).

Unfortunately, this approach does not work (see also page 16 of the full version [11]). Concretely, suppose we have an adversary which has sufficient running time to solve \(n-1\) puzzles, and then successfully attacks the n-th puzzle (say, with success probability 1, for instance). Now note that we cannot use the CPA security of any of the first \(n-1\) encryptions to “hide” any intermediate puzzle, because the adversary has enough time to notice this (as it has enough running time to solve all the first \(n-1\) puzzles). However, then, since we cannot use the CPA security as an argument in the proof, we can equivalently consider the first \(n-1\) encryption as completely insecure.

But if we have no security guarantees for the first \(n-1\) encryptions, this means that we also cannot argue that the adversary cannot obtain the n-th puzzle instance \(Z_n\) quickly, without solving \(n-1\) prior instances, because it could simply “break” the \((n-1)\)-th encryption to obtain \(Z_n\) (which might be very quick, e.g., in just a few computational steps, because we cannot argue that the scheme is secure in the sense of CPA or some other notion). And then an adversary with sufficient running time to solve \(n-1\) puzzles can simply solve only the last puzzle using the standard \(\mathsf {Solve}\) algorithm.

So in conclusion, we do not claim that the construction is insecure, but only that CPA security or a similar notion seems not sufficient, as we cannot perform a reduction to the CPA security in the usual way. It might be possible to prove security under a non-standard assumption (e.g., by essentially assuming that the proposed construction is secure), however, this would also be an additional assumption, which we want to avoid.