Abstract
Time-lock encryption is a method to encrypt a message such that it can only be decrypted after a certain deadline has passed. We propose a novel time-lock encryption scheme, whose main advantage over prior constructions is that even receivers with relatively weak computational resources should immediately be able to decrypt after the deadline, without any interaction with the sender, other receivers, or a trusted third party. We build our time-lock encryption on top of the new concept of computational reference clocks and an extractable witness encryption scheme. We explain how to construct a computational reference clock based on Bitcoin. We show how to achieve a constant level of multilinearity for witness encryption by using SNARKs. We propose a new construction of a witness encryption scheme which is of independent interest: our scheme, based on Subset-Sum, achieves extractable security without relying on obfuscation. The scheme employs multilinear maps of arbitrary order and is independent of the implementations of multilinear maps.
Highlights
Alice has a document that she wants to make public in, say, a couple of days, but she is not willing to hand it out to anybody before this deadline.
We show that the widely-used cryptocurrency Bitcoin provides a practical example of such a reference clock, which shows that the assumption that these objects exist in practice is reasonable.
We propose our second construction of time-lock encryption by using SNARKs [12,13,14,44,49,55,56,62] together with witness encryption.
Summary
Alice has a document that she wants to make public in, say, a couple of days, but she is not willing to hand it out to anybody before this deadline. All reasonably bounded parties will be able to decrypt a ciphertext at essentially the same time, regardless of their computational resources. These features are achieved simultaneously, which makes time-lock encryption a fascinating primitive that enables applications that seem impossible to achieve with classical encryption schemes. The other line of research [17,66,69] considers constructions that require the receiver of a ciphertext to perform a feasible, but computationally expensive, search for a decryption key. This puts a considerable computational overhead on the receiver. It seems impossible to encrypt with any known timed-release encryption scheme in such a way that all receivers are able to decrypt at the same time, unless one relies on trusted third parties or tight synchronicity. We think it an interesting theoretical question in its own right to ask if it is possible to avoid this.