How to build timelock encryption
 442 Downloads
Abstract
Timelock encryption is a method to encrypt a message such that it can only be decrypted after a certain deadline has passed. We propose a novel timelock encryption scheme, whose main advantage over prior constructions is that even receivers with relatively weak computational resources should immediately be able to decrypt after the deadline, without any interaction with the sender, other receivers, or a trusted third party. We build our timelock encryption on top of the new concept of computational reference clocks and an extractable witness encryption scheme. We explain how to construct a computational reference clock based on Bitcoin. We show how to achieve constant level of multilinearity for witness encryption by using SNARKs. We propose a new construction of a witness encryption scheme which is of independent interest: our scheme, based on SubsetSum, achieves extractable security without relying on obfuscation. The scheme employs multilinear maps of arbitrary order and is independent of the implementations of multilinear maps.
Keywords
Timelock encryption Timedrelease encryption Bitcoin Witness encryption SNARKs Timelock puzzles Timed commitmentsMathematics Subject Classification
68P25 94A601 Introduction
 (1)
Noninteractive The sender Alice is not required to be available for decryption.
 (2)
No trusted setup Timelock encryption does not rely on trusted third parties. Thus, the sender is not required to trust any (set of) third parties to keep decryption keys (or shares of decryption keys) secret until the deadline has passed.
 (3)
No resource restrictions Parties interested in decrypting a ciphertext are not forced to perform expensive computations until decryption succeeds. This means that a party which simply waits till the decryption deadline has passed will be able to decrypt the ciphertext at about the same time as another party who attempts to decrypt the ciphertext earlier by performing a large (but reasonably bounded) number of computations. Thus, all reasonably bounded parties will be able to decrypt a ciphertext at essentially the same time, regardless of their computational resources.
Efficient decryption without trusted third parties Timelock encryption is related to timedrelease encryption, investigated by Rivest et al. [66]. However, timedrelease encryption has some drawbacks. One line of research [15, 17, 27, 66] realizes timedrelease encryption by assuming a trusted third party (TTP), which reveals decryption keys at the right time. Therefore security relies crucially on the assumption that the TTP is trustworthy. In particular, it must not use its ability to allow decryption of ciphertexts earlier than desired by the sender in any malicious way, for instance by revealing a decryption key before the deadline.
The other line of research [17, 66, 69] considers constructions that require the receiver of a ciphertext to perform a feasible, but computationally expensive search for a decryption key. This puts a considerable computational overhead on the receiver. It is particularly challenging when the ciphertext is made public and there are many different receivers, some of whom may be unknown to the sender. It seems impossible to encrypt with any known timedrelease encryption scheme in a way, such that all receivers are able to decrypt at the same time, unless one relies on trusted third parties, or tight synchronicity. We think it an interesting theoretical question in its own to ask if it is possible to avoid this.
1.1 Contributions
We introduce a new primitive called computational reference clocks as an extension of the standard computational model, which provide a novel and very realistic method to “emulate” realworld time in a computational model. We show that the widelyused cryptocurrency Bitcoin provides a practical example of such a reference clock, which shows that the assumption that these objects exist in practice is reasonable.
As a first application of this extended computational model, we construct timelock encryption schemes, a primitive which exhibits many interesting features that are impossible to achieve in a plain standard computational model. We give a proofofconcept construction of encryption schemes, where a sender is able to encrypt a ciphertext, such that not even a computationally powerful (but reasonably bounded) adversary is able to learn any nontrivial information about the message before the deadline. Once the deadline has passed, even receivers with relatively limited computational resources are immediately able to decrypt. Decryption is noninteractive, in the sense that there is no communication between the sender and receivers except for the initial, unidirectional transmission of the ciphertext, or among receivers. We call encryption schemes with these properties timelock encryption schemes.
Our timelock encryption scheme is built on top of the computational reference clock and a generic witness encryption (WE) scheme that is extractable. We propose a new witness encryption scheme, which achieves extractable security without using obfuscation and which is more efficient than previously known schemes. The size of the ciphertext and running time for encryption and decryption of witness encryption is linear in terms of the size of witness. Usually the linear complexity is very natural and efficient. Unfortunately, this is not good enough for witness encryption because all the instantiations of witness encryption are based on multilinear maps [18]. The current instantiations of multilinear maps [31, 32, 40, 54] are not yet practical regardless of recent lines of attacks. To mitigate this issue, we use SNARKs [12, 13, 14, 44, 49, 55, 56, 62] to reduce the complexity of our timelock encryption. We show that using SNARKs can achieve short ciphertext on witness encryption and constant multilinearity level regardless of the instance and witness.
1.1.1 Timelock encryption
Computational reference clocks A first challenge in constructing timelock encryption is to find a reasonable equivalent of realworld time in a computational model. Realworld time is usually determined by some physical reference, like the current state of atomic reference clocks. We do not see any reasonable way to mimic this notion of time in a computational model without trusted third parties.
Our main idea is to use the current state of an iterative, public computation as what we call a computational reference clock. The abstract notion of computational reference clocks stems from the concrete idea of using the popular digital cryptocurrency Bitcoin [61] as a reference clock. To clarify what we mean by this, consider the following concrete example. The Bitcoin system performs an iterative, very largescale, public computation, where socalled miners are contributing significant computational resources to the gradual extension of the Bitcoin block chain. Essentially, this block chain consists of a sequence of hash values \(B_1,\ldots ,B_\tau \) that satisfy certain conditions.^{1} These conditions determine the difficulty of finding new blocks in the chain. The Bitcoin system adjusts the difficulty, depending on the computational resources currently contributing to the Bitcoin network, such that about every 10 minutes a new block \(B_{\tau +1}\) is appended to the chain. Thus, the block chain can serve as a reference clock, where the current length \(\tau \) of the chain tells the current “time”, and there are about 10 minutes between each “clock tick”.
Witness encryption In order to be able to sketch our construction of timelock encryption from computational reference clocks, let us briefly recap witness encryption [43]. Witness encryption for all NPrelations was introduced by Garg et al. [43]. Known constructions [7, 21, 41, 43, 46] are based on multilinear maps [18, 40], or obfuscation [5, 6, 41].
A witness encryption scheme is associated with an NPrelation R (cf. Definition 1). For \((x,w) \in R\) we say that x is a “statement” and w is a “witness”. A witness encryption scheme for relation R allows to encrypt a message m with respect to statement x as Open image in new window . Any witness w which satisfies \((x,w) \in R\) can be used to decrypt this ciphertext c as Open image in new window . Intuitively, one may think of a statement x as a “public key”, such that any witness w with \((x,w) \in R\) can be used as a corresponding “secret key”.
A secure witness encryption scheme essentially guarantees that no adversary is able to learn any nontrivial information about a message encrypted for statement x, unless it already “knows” a witness w for \((x,w) \in R\). Witness encryption schemes with this property are called extractable [7, 21, 48]. The notion of extractable security was first proposed in [48], along with a candidate construction, but there are no known constructions with a mathematical proof of extractable security. Zhandry constructs an extractable witness PRF in [71], but extractability is directly assumed. To the best of our knowledge, existing WE schemes [43, 46, 48, 71] do not have efficient extraction methods (since extractors for these schemes appear to be superpolynomial). An exception is the scheme of Bellare and Hoang [8] which defers the issue of extractability to its underlying obfuscation scheme.
 (1)
For \(x \in \mathbb {N} \), statements have the form \(1^x\), that is, x in unary representation.
 (2)
Any valid Bitcoin block chain \(w = (B_1,\ldots ,B_x)\) of length at least x is a witness for statement \(1^x\), that is \((1^x,w) \in R\).
It is worth pointing out that the reference clock does not have to start with the genesis block of Bitcoin. We can set the clock’s initial state \(w_0\) to be the latest block and ignore older parts of the blockchain. In addition, the witness does not have to include all transaction data of the blockchain, as the hash chain of the block headers is sufficient for decryption. A block header is an 80byte digest for each block. Our model can be viewed as a pruned and simplified version of the blockchain.
 (1)
The adversary waits until the public Bitcoin block chain has reached length x. Then the chain contains a witness w for \((1^x,w) \in R\), which immediately allows to decrypt. However, note that then not only the adversary, but also everybody else is able to decrypt, by reading w from the public Bitcoin block chain and computing Open image in new window . Speaking figuratively, “the timelock has opened”.
 (2)
The adversary tries to “put forward” the computational reference clock provided by the Bitcoin block chain, by computing the missing blocks \(B_{\tau +1},\ldots ,B_x\) of the chain secretly on its own, faster than the public computation performed by the collection of all Bitcoin miners. Note that this means that the adversary would have to outperform the huge computational resources gathered in Bitcoin, which currently (August 2017) perform more than \(6.6 \times 10^{18} \approx 2^{62}\) hash computations per second. Assuming that no adversary is able to perform this large amount of computation to learn the encrypted message earlier, the scheme is secure.
A particularly interesting case is when the value of learning the message earlier than others is below the value of the computations an adversary would have to perform. For instance, in our Bitcoinbased instantiation, an adversary would earn Bitcoin for contributing its resources to the network. Then security is provided simply by the fact that there is no incentive for the adversary to attack the timelock encryption.
We stress that we do not have to put any form of trust in Bitcoin miners. The intermediate states of their computations can be completely public, and they do not have to store any secrets.
Using SNARKs to reduce multilinearity level for witness encryption The size of the ciphertext and the running time for encryption and decryption is linear in terms of the size of witness. Usually the linear complexity is very natural and efficient. Unfortunately, this is not good enough for witness encryption because all the instantiations of witness encryption are based on multilinear maps [18]. The research on multilinear maps is still in its infancy [31, 32, 40, 54] and is not yet practical regardless of recent lines of attacks. Most importantly, the existing implementations for multilinear maps are not compact, that is, the size of the group elements is polynomial in the multilinearity level (i.e., the maximum number of pairings). The multilinearity level is polynomial in the length of the witness. To mitigate this issue, we propose our second construction of timelock encryption by using SNARKs [12, 13, 14, 44, 49, 55, 56, 62] together with witness encryption. Instead of directly encrypting with an instance x in witness encryption, the idea is to encrypt with SNARKs verification procedure for the statement \((x,w)\in R\). This idea of using SNARKs to gain efficiency is not new [48, 71]. However, we show that using SNARKs can achieve constant multilinearity level regardless of the instance and witness, rather than the previous linear complexity in [48, 71].
1.1.2 Extractable witness encryption
Construction of extractable witness encryption We propose a new extractable witness encryption scheme based on a special SubsetSum (described below). To encrypt with any NP language, we present a reduction from the NPcomplete CNFSAT to our special SubsetSum problem. We prove the extractable security of this construction in the Idealised Graded Encoding Model [4, 22, 72]. To the best of our knowledge, this is the first construction of witness encryption to achieve extractable security, without the use of obfuscation.
We use a variant of multilinear maps where the groups are indexed by the integer vectors [4, 19, 40, 72], which allows us to efficiently encode an instance of the special SubsetSum problem. Suppose a \({\mathbf u}\)linear map on groups \({\left\{ \mathbb {G}_{{\mathbf w}} \right\} }_{{\mathbf w}}\) with \({\mathbf w}\le {\mathbf u}\) (componentwise comparison). The pairing operation \(\mathsf{e}_{{\mathbf w},{\mathbf w^\prime }}\) maps \(\mathbb {G}_{{\mathbf w}}\times \mathbb {G}_{{\mathbf w^\prime }}\) into \(\mathbb {G}_{{\mathbf w} + {\mathbf w^\prime }}\) with \({\mathbf w} + {\mathbf w^\prime }\le {\mathbf u}\) by computing \(\mathsf{e}_{{\mathbf w},{\mathbf w^\prime }}{\left( g_{{\mathbf w}}^a, g_{{\mathbf w^\prime }}^b \right) } = g_{{\mathbf w}+{\mathbf w^\prime }}^{ab}\).
We prove that our encoding achieves extractability in the generic model of multilinear maps. The main technical detail is to construct an efficient extractor to extract a witness from the adversary’s group operations. Constructing a witness extractor for the existing witness encryption schemes [43, 48, 71] appears to be superpolynomial because of the expansion of adversary’s querypolynomial. Soundness security [43] is a special case of the extractable security; for sanity of this work, we also give full discussion about the soundness security of our scheme in Appendix G.
Interestingly extractable witness encryption with arbitrary auxiliary inputs might be unattainable [42]. A simple counter example is the following: suppose the sampler has \((x,w)\in R\), then the sampler obfuscates the decryption algorithm of witness encryption \(z=\mathcal{O}(\mathsf{WE.Dec}{\left( w,\cdot \right) })\) and gives z to the adversary; the adversary can decrypt \(\mathsf{WE.Enc}{\left( x,m \right) }\) by using the backdoor z and does not have to know w.
To circumvent this issue, we define extractable security in an oracle model. The oracle is used to model the Bitcoin blockchain. The extractability is possible to achieve for most of the nonartificial oracles. In particular, when the oracle is instantiated with a decentralised cryptocurrency such as Bitcoin, this kind of backdoor is unlikely to exist since it is believed that no one can have a witness w in advance for each instance x.
Efficiency comparison Assume a CNF formula has n variables and k clauses, and m literals. The ciphertext size of our witness encryption scheme is \(2n+2k+1\) group elements. The evaluation time is \(n+\mathcal{O}{\left( k\mathsf{log}\frac{m}{2k} \right) }\). The multilinearity level is \(n+mk\) and can be optimised to \(n+\mathcal{O}{\left( k\mathsf{log}\frac{m}{2k} \right) }\).
The efficiency of encoding CNFSAT in [43] depends on the reduction which is unspecified in [43]. As far as we know, the best reductions from CNFSAT to ExactCover is CNFSAT \(\rightarrow \) 3CNFSAT \(\rightarrow \) ExactCover (The details of the second reduction can be found in Appendix H). However, the reduction from CNFSAT to 3CNFSAT increases the number of variables and clauses by the size of the original CNF formula, that is \(n^\prime = \mathcal{O}(m)\) and \(k^\prime = \mathcal{O}(m)\) while m is \(n\cdot k\) in the worst case. The reduction from 3CNFSAT to ExactCover generates an instance of size \(2n^\prime +7k^\prime +1\). Hence the encoding produces \(\mathcal{O}{\left( m \right) }\) group elements and the evaluation time and multilinearity level are also \(\mathcal{O}{\left( m \right) }\) with \(m=n\cdot k\) in the worst case. There are three instantiations of witness encryption for CNF formulas in [46]. Two of them are specific to the composite order multilinear groups. The primeorder groups are usually more natural and result in simpler security assumptions. The conversion from compositeorder construction to primeorder multilinear groups (or more generally, groups of arbitrary order) is very expensive [46] and results in a ciphertext of \(O(n^5 k^2)\) group elements.
A direct encoding for SubsetSum is given in [71] which encodes every integer vector in a different group. As a result, the encoding of the CNF formula is of the size of \(n+mk\) group elements which is \(O(n\cdot k)\) in the worst case. The multilinearity level and the evaluation time are both \(n+mk\). In comparison, our encoding for SubsetSum only encodes the same integer vector once which results in \(2n+2k+1\) group elements. Although subgroups of multilinear maps used in [71] are indexed by numbers \(G_1,\ldots , G_n\), they have to be instantiated with integer vectors (Sect. 7 in [71]). In fact, subgroups indexed by integer vectors or integers do not affect the size of the group in the current instantiations of multilinear maps [31, 32, 40, 54]. Our witness encryption scheme has the same level of mulitilinearity as [71], i.e., \(n+mk\), but we can further optimise this as stated above. Another main difference of our witness encryption scheme and the one in [71] is that we prove our scheme is extractable while [71] simply assumes its scheme is extractable.
1.2 Related work and further applications of timelock encryption
Timedrelease encryption was introduced by Rivest et al. [66] and considered in many followup works, including [15, 23, 27, 69]. Our approach is fundamentally different from theirs. In particular, we neither need trusted third parties, nor have a considerable computational overhead for decryption. Timelock puzzles and proofs of (sequential) work [24, 29, 34, 35, 58, 59, 65, 66] are computational problems that can not be solved without running a computer continuously for a certain time. In a sense, our computational reference clocks can be seen as algorithms that continuously and publicly solve publicly verifiable [59] instances of an infinite sequence of timelock puzzles. Essentially, we show how this computational effort, performed independently of any timelock encryption scheme, can be “reused” to construct timelock encryption with efficient decryption.
Timelock encryption can be used to construct the first timed commitment scheme in the sense of Boneh and Naor [17] that does not require an inefficient forced opening. A clever idea to use Bitcoin deposits to facilitate fairness in multiparty computation was presented by Andrychowicz et al. [1, 1, 2]. Very recently, Azar et al. [3] construct “timeddelay” multiparty computation (MPC) protocols, where participating parties obtain the result of the computation only after a certain time, possibly some parties earlier than others. This is similar to the timedrelease schemes of [17, 66, 69], in particular it inherits the drawback of inefficient decryption and the assumption that all parties are able to solve the puzzles in about the same time.
Garay et al. [39] analyze the Bitcoin “backbone” protocol, and show how to realize Byzantine agreement on top of this protocol in a synchronous network. Pass et al. [64] formalises the blockchain consensus mechanism in an asynchronous network. Another recent work, which shows how to construct useful cryptographic primitives under the assumption that no adversary is able to outperform the huge computational resources of the collection of all Bitcoin miners, is due to Katz et al. [53], who show how to obtain secure computation and socalled pseudonymous authenticated communication from timelock puzzles.
Formal computational models capturing “realworld time” were described for instance by Cathalo et al. [23], who gave a security model for timedrelease encryption with a “time oracle” that sequentially releases specific information, and recently by Schwenk [67], who described a security model for timebased key exchange protocols. Both works [23, 67] may assume that the party implementing the clock is honest. In contrast, we will have to deal with adversaries that may want to “put the clock forward”, therefore we need to model the computational hardness of doing so in our setting.
Independent work The idea of combining Bitcoin with witness encryption to construct timelock encryption was described independently in [51, 57]. This paper is a merged version of these works. In March 2015, Andrew Miller sketched the basic idea of combining witness encryption with Bitcoin to get timelock encryption in a public chat room [60]. The drafts of both [51, 57] have been done before the end of 2014 and are independent of [60].
2 Preliminaries
Definition 1
Let R be a relation. We say that R is an NPrelation, if there exists a deterministic polynomialtime (in x) algorithm that, on input (x, w), outputs 1 if and only if \((x,w) \in R\).
2.1 Witness encryption
Syntax Witness encryption was originally proposed by Garg et al. [43]. It provides a means to encrypt to an instance, x, of an NP language and to decrypt by a witness w that x is in the language.
Definition 2

\(\mathsf{WE.Enc}{\left( 1^\lambda , x, m \right) }\) is an encryption algorithm that takes as input a security parameter \(1^\lambda \), an unboundedlength string x, and a message Open image in new window , and outputs a ciphertext c.

\(\mathsf{WE.Dec}{\left( c, {w} \right) }\) is a decryption algorithm that takes as input a ciphertext c and a bitvector w, and outputs a message m or the symbol \(\perp \).
 Correctness. For any \({\left( x,w \right) }\in R\), we have that$$\begin{aligned} \Pr {\left[ \mathsf{WE.Dec}{\left( \mathsf{WE.Enc}{\left( 1^{\lambda }, x, m \right) }, w \right) } = m \right] } = 1 \end{aligned}$$
Security A strong security notion for witness encryption is called extractable security which is originally proposed in [48]. The extractability says that when the adversary can distinguish two ciphertext encrypting different messages by using the same instance, then it must know a witness of the instance. Below we give a variant of extractable security in an oracle model. Intuitively, the oracle models the Bitcoin blockchain and will be instantiated with a computational reference clock defined in the next Sect. 3 when modelling our timelock encryption. The extractability is possible to achieve for most of the nonartificial oracles. We will show that this definition is sufficient for our application of timelock encryption. In Sect. 6, we propose a novel witness encryption scheme and we prove our new scheme achieves this form of extractable security.
Definition 3
The above definition states that if an adversary that runs in time t and queries the oracle for at most q times can break the encryption scheme with probability more than \(\varepsilon \), then there exists an extractor E that runs in time \(t^\prime \) and extracts a witness with probability more than \(\varepsilon ^\prime \). In the above definition, we give the adversary access to an oracle Open image in new window . We do not yet specify what the oracle does. In the next section, we shall prove the extractable security w.r.t. an oracle in the generic model of multilinear maps. This is due to the fact that we have our proof in an idealised model, which allows us to circumvent the impossibility result [42].
2.2 SNARKs
Definition 4

Open image in new window takes as input a security parameter \(\lambda \) and an instance x. It computes and outputs a public evaluation key ek and public verification key vk.

Open image in new window : on input \((x,w)\in R\), the prover outputs a noninteractive proof \(\pi \)

Open image in new window : on input a verification key vk, an input x, and a proof \(\pi \), the verifier outputs \(b=1\) if he is convinced that \((x,w)\in R\).
 Completeness For every security parameter \(\lambda \), any instance x and its witness w such that \((x,w)\in R\), the hones prover can convince the verifier:

Succinctness An honestlygenerated proof \(\pi \) has \(O_{\lambda }(1)\) bits and Open image in new window runs in time \(O_{\lambda }(\left x \right )\)
 Proof of knowledge If the verifier accepts a proof output by a bounded prover, then the prover “knows” a witness for the given instance. Similarly as above, we consider the security definition in an oracle model. We say a SNARK is \((t,t^\prime ,q,q^\prime ,\varepsilon , \varepsilon ^\prime )\)secure w.r.t. an oracle Open image in new window if for every adversary \(\mathcal{A}\) that performs at most t operations and queries the oracle for at most q times, there exists an extractor E that performs at most \(t^\prime \) operations and queries the oracle for at most \(q^\prime \) times, such that for all \(x\in {\left\{ 0,1 \right\} }^*\), the following holds:
3 Definitions of timelock encryption
In this section we will formally define secure timelock encryption, computational reference clocks, and their associated relations.
On formally defining timelock encryption Defining security of timelock encryption schemes will require a slightly more finegrained notion of “computational hardness” than most other cryptographic primitives. We will consider two Turing machines Open image in new window and Open image in new window , which both attempt to solve the same superpolynomialtime computational problem. Although the computational problem is superpolynomial, its instances we consider are with a relatively small difficulty parameter which makes the problem solvable within a reasonable and practical time. We will assume that Open image in new window has access to significantly more computational resources than Open image in new window , such that it is infeasible for Open image in new window to solve the problem faster than Open image in new window . Clearly, modeling both Open image in new window and Open image in new window simply as polynomialtime algorithms is not useful here. We will overcome this by making the concrete bounds on the running times of algorithms Open image in new window and Open image in new window explicit.
A remark on nomenclature We will have to deal with two different notions of “time”. First, the running time of algorithms, usually measured in the number of computational steps an algorithm performs. Second, our computational equivalent of physical time, measured in some abstract discrete time unit. To avoid ambiguity, we will use the word “time” only for our computational equivalent of physical time. Rather than specifying the “running time” of an algorithm, we will specify the “number of operations” performed by the algorithm, assuming that all algorithms are executed on universal Turing machines with identical instruction sets. For example, we will write “algorithm Open image in new window performs t operations” instead of “algorithm Open image in new window runs in time t”.
Computational reference clocks (CRCs) The concepts of computational reference clocks and their associated relations will be necessary to define timelock encryption.
Definition 5
A computational reference clock (CRC) is a stateful probabilistic machine Open image in new window that takes input a difficulty parameter \(\kappa \) and outputs an infinite sequence \(w_1, w_2,\ldots \) in the following way. The initial state of Open image in new window is \(w_0\). It runs a probabilistic algorithm Open image in new window which computes Open image in new window and outputs \(w_\tau \).
We write Open image in new window for \(\tau \in \mathbb {N} \) to abbreviate the process of executing the clock \(\tau \) times in a row, starting from initial state \(w_0\), and outputting the state \(w_\tau \) of Open image in new window after \(\tau \) executions.
Intuition for Definition 5 The intuition behind this definition is that the machine Open image in new window performs an iterative, public computation, which iteratively computes Open image in new window . It takes superpolynomial time \(T(\kappa )\) to compute each Open image in new window . Open image in new window outputs its complete internal state after each execution, therefore no secret keys or other secret values can be hidden inside Open image in new window . Algorithm Open image in new window is public, too. When executed for the \(\tau \)th time, the machine responds with the current state of the computation at “time” \(\tau \). Intuitively, \(w_\tau \) serves as a “witness” that the current time is “at least \(\tau \)”.
Definition 5 will be useful for the construction of secure timelock encryption, whenever it is computationally very hard, but not completely infeasible (e.g., when \(\kappa \) is relatively small), to compute \(w_\tau \) from \(w_{\tau 1}\). Think of Open image in new window as a very fast machine that works on solving an infinite sequence of computational puzzles. Jumping slightly ahead, we will later instantiate Open image in new window with the collection of all Bitcoin miners that contribute to expanding the publicly known Bitcoin blockchain. When executed for the \(\tau \)th time, the machine returns the blockchain of length \(\tau \).
Definition 6
Intuition for Definition 6 The purpose of the relation is to describe which values \(w_\tau \) are acceptable as a “witness for time \(\tau \)”. Note that it makes sense to accept a witness \(w_\tau \) with “for time \(\tau \)” also as a witness for any “earlier time” x with \(x \le \tau \). Hence we require that \((1^{x},w_\tau ) \in R\) holds for all \(x \le \tau \).
Definition 7
Intuition for Definition 7 Definition 7 essentially requires a lower bound on the number of operations that have to be performed in order to compute the witness \(w_\tau \) for \(\tau \in \mathbb {N} \). Even given witness \(w_{\tau 1}\) for \(\tau 1\), it should be unlikely for any adversary to output \(w_\tau \) by performing significantly less than t additional operations.
Timelock encryption Based on the notion of computational reference clocks, we can now define timelock encryption schemes and their security.
Definition 8
 Encryption
The encryption algorithm Open image in new window takes as input the security parameter Open image in new window , an integer \(\tau \in \mathbb {N} \), and a message Open image in new window . It computes and outputs a ciphertext c.
 Decryption
The decryption algorithm Open image in new window takes as input Open image in new window and ciphertext c, and outputs a message Open image in new window or a distinguished error symbol \(\bot \).
 CorrectnessFor correctness we require that for all Open image in new window , all \(\tau \in \mathbb {N} \) with Open image in new window , and all Open image in new window .
Remark 1
One may relax the correctness requirement from “perfect correctness” (as above) to correctness up to a negligible error term. We will work with the above perfect correctness condition for simplicity.
Definition 9
Intuition for Definition 9 The intuition behind this security definition is essentially that no adversary should be able to distinguish an encryption of \(m_0\) from an encryption of \(m_1\) by performing significantly less operations than the number of operations required to compute w with \((1^{\tau },w) \in R\). At a first glance it might appear that security in this sense is impossible to achieve, because Open image in new window computes such values and it is a polynomialtime algorithm. Thus, the adversary is a polynomialtime algorithm, too, then it could simply perform the same computations as Open image in new window . Therefore we put an explicit bound t on the number of operations that Open image in new window may perform. This makes this definition useful when it is reasonable to assume that the number of operations t that can be performed within a certain time by the adversary is much smaller than the (also polynomially bounded, but much larger) number of operations \(t^\prime \) performed by Open image in new window to compute w with \((1^\tau ,w) \in R\).
4 Constructing timelock encryption
We first construct a timelock encryption using witness encryption, then we show how to reduce ciphertext size and multilinearity level using SNARKs.
4.1 Constructing timelock encryption from witness encryption
Construction 1
Remark 2
If we use a witness encryption scheme and/or a computational reference with negligible correctness error in the same construction as above, then we obtain a timelock encryption scheme with negligible correctness error.
Remark 3
When the CRCs are instantiated with Bitcoin, the size of witnesses grows linearly with \(\tau \). However, the Bitcoin blockchain generation time is \(O(\tau \cdot T(\kappa ))\) with \(T(\kappa )\) a superpolynomial, while the computational time of our witness encryption is \(O(\tau )\). In our timelock encryption, the superpolynomial \(T(\kappa )\) computational work is done by the Bitcoin community which possesses the huge computational resources. The current block mining difficulty is about \(\kappa \approx 71\) which means the Bitcoin community needs to hash \(2^{71}\) (\(\approx 10^{21}\)) times on average to find a nonce for a new block. It is worth pointing out that size of witnesses growing linearly holds for Bitcoin, but not necessarily for any other instantiation of CRCs. Bitcoin is just one practical example that illustrates that the concept of CRCs indeed makes sense.
Moreover, we choose the concrete setting as the “right” setting for timelock encryption, because it simplifies the treatment of “difficult, but not too difficult to compute functions” (such as computational reference clocks) very significantly, which would be much more difficult to express precisely with traditional asymptotic formulations.
Theorem 1
For each adversary Open image in new window that \((t_\mathsf {tl},\tau ,\varepsilon _\mathsf {tl})\)breaks Open image in new window , we can construct an adversary Open image in new window that \((t^\prime ,\tau ,\varepsilon ^\prime )\)breaks computational reference clock Open image in new window , provided that the witness encryption scheme is \((t_\mathsf {tl},t^\prime ,\tau 1,\tau 1,\varepsilon _\mathsf {tl},\varepsilon ^\prime )\)secure w.r.t. Open image in new window .
Proof
Consider the following adversary Open image in new window against Open image in new window , which runs Open image in new window as a subroutine. Open image in new window defines Open image in new window by setting Open image in new window and Open image in new window . Then it runs the extractor algorithm E for Open image in new window on Open image in new window , and outputs whatever E outputs.
4.2 Reducing multilinearity level using SNARKs
For the existing constructions of witness encryption [7, 21, 41, 43, 46], as well as our proposed scheme in the following Sect. 6, the size of the ciphertext and the running time for encryption and decryption is linear in terms of the length of witness. Usually the linear complexity is very natural and efficient. Unfortunately, this is not good enough for witness encryption because all the instantiations of witness encryption are based on multilinear maps [18] of which the research is still in its infancy [31, 32, 40, 54] and is not yet practical regardless of recent lines of attacks. Furthermore, the existing implementations for multilinear maps are not compact, that is, the size of the group elements is polynomial in the multilinearity level (i.e., the maximum number of pairings). The multilinearity level is polynomial in the length of the witness. To mitigate this issue, we propose our second construction of timelock encryption by using SNARKs [12, 13, 14, 44, 49, 55, 56, 62] together with witness encryption. The idea is to encrypt with SNARKs verification procedure for the statement \((x,w)\in R\), instead of directly encrypting with an instance x. This idea of using SNARKs to gain efficiency is not new [48, 71]. However, we show that using SNARKs can achieve constant multilinearity level regardless of the instance and witness, rather than the previous linear complexity stated in [48, 71].
Construction 2
 Open image in new window :
 (1)
Run the SNARK generator to get Open image in new window .
 (2)
Let Open image in new window and define a relation \(R^* = {\left\{ (x^*,w^*): x^*(w^*) = 1 \right\} }\). Compute Open image in new window for the relation \(R^*\).
 (3)
Output \(c := (\tau , ek,ct)\).
 (1)
 Open image in new window where \(c= (\tau , ek,ct)\):
 (1)
Run the SNARK prover to get Open image in new window
 (2)
Let \(w^* = \pi \). Compute and output Open image in new window
 (1)
Theorem 2
For each adversary Open image in new window that \((t_\mathsf {tl},\tau ,\varepsilon _\mathsf {tl})\)breaks Open image in new window , we can construct an adversary Open image in new window that \((t_\mathsf{c},\tau ,\varepsilon _\mathsf{c})\)breaks computational reference clock Open image in new window , provided that the witness encryption scheme is \((t_\mathsf {tl}, t_\mathsf{e}, \tau 1, \tau 1,\varepsilon _\mathsf {tl},\varepsilon _\mathsf{e})\)secure w.r.t. Open image in new window and SNARK is \((t_\mathsf{e}, t_\mathsf{c}, \tau 1, \tau 1, \varepsilon _\mathsf{e}, \varepsilon _\mathsf{c})\)secure w.r.t. Open image in new window .
Proof
Suppose an adversary Open image in new window \((t_\mathsf {tl},\tau ,\varepsilon _\mathsf {tl})\)breaks timelock encryption by querying the clock for at most \(\tau 1\) times. The basic idea of the proof is: we construct a witness encryption adversary \(\mathcal{A}_\mathsf{we}\) who uses Open image in new window as a subroutine to break witness encryption and triggers the witness extractor to extract a valid SNARK proof. This extractor breaks the SNARK security and triggers the SNARK extractor to extract a witness for \(1^\tau \) which breaks the security of the computational reference clock.
First the SNARK challenger runs Open image in new window and gives (ek, vk, x) to a SNARK adversary \(\mathcal{A}_\mathsf{s}\). Then \(\mathcal{A}_s\) constructs a new instance Open image in new window and a challenge ciphertext Open image in new window of witness encryption and give them to a witness encryption adversary \(\mathcal{A}_\mathsf{we}\). Then \(\mathcal{A}_\mathsf{we}\) forwards \(c^*\) to Open image in new window . \(\mathcal{A}_\mathsf{s}\) queries to Open image in new window and forwards the answers to \(\mathcal{A}_\mathsf{we}\) and then \(\mathcal{A}_\mathsf{we}\) forwards them to Open image in new window . \(\mathcal{A}_\mathsf{we}\) outputs whatever Open image in new window outputs. By assumption, we know witness encryption scheme is \((t_\mathsf {tl},t_\mathsf{e},\tau 1,\tau 1,\varepsilon _\mathsf {tl},\varepsilon _\mathsf{e})\)secure. Therefore, there exists an extractor E that performs at most \(t_\mathsf{e}\) operations, queries to the oracle at most \(\tau 1\) times and outputs a witness \(w^*\) for \(x^*\) with probability more than \(\varepsilon _\mathsf{e}\). Recall that Open image in new window . This means the extractor outputs a valid proof \(\pi \) such that Open image in new window . This extractor is clearly a SNARK adversary with at most \(\tau 1\) times queries from the oracle. Since the SNARK is \((t_\mathsf{e}, t_\mathsf{c}, \tau 1,\tau 1, \varepsilon _\mathsf{e}, \varepsilon _\mathsf{c})\)secure, this gives us another extractor \(E^\prime \) that performs at most \(t_\mathsf{c}\) operations and queries the oracle at most \(\tau 1\) times and outputs a witness w such that \((1^\tau , w)\in R\) with probability more than \(\varepsilon _\mathsf{c}\). Therefore can see \(E^\prime \) is in fact a clock adversary who \((t_\mathsf{c}, \tau , \varepsilon _\mathsf{c})\) breaks the clock Open image in new window . \(\square \)
Constant level of multilinearity for witness encryption In Construction 2, the witness encryption encrypts to an instance Open image in new window which is the verification procedure of a SNARK proof. The only input of \(x^*\) is a SNARK proof \(\pi \) which is succinct, i.e., a constant number of group elements. The original verification procedure Open image in new window takes as input the verification key and the instance which means its size and computing time is at least linear in the description of the instance. Intuitively, \(x^*\) has already been initialised with the verification key and the instance, and thus its size and running time can be constant.
We shall explain how the constant complexity can be achieved with the most recent implementations of SNARKs [12, 13, 14, 16, 44, 56]. We first consider the SNARKs based on quadratic span programs [12, 13, 44, 56] and we use the general notations from [44]. To verify a SNARK proof, the verifier processes the instance to obtain coefficients \({\left\{ a_i \right\} }_{i\in \mathcal{I}}\) such that \(v_\mathsf{in}(x) = \sum _{i\in \mathcal{I}} a_i v_i(x)\) and then computes an encoding \(E(v_\mathsf{in}(s))\) of \(v_\mathsf{in}(s) = \sum _{k\in \mathcal{I}_\mathsf{in}} a_k \cdot v_k(s)\) by using the verification key. This is the only part of the verification that is linear in the instance and the rest of the verification can be done in a constant number of steps. Notice that verifying the instance becomes unnecessary when encrypting with witness encryption. This is because the verification of the instance can be precomputed and hardcoded into the ciphertext of witness encryption. More specifically, when encrypting with the SNARK verification procedure with witness encryption, we can precompute those coefficients \({\left\{ a_i \right\} }_{i\in I}\) and the encoding \(E(v_\mathsf{in}(s))\), then directly hardcode \(E(v_\mathsf{in}(s))\) into the verification procedure and obtain Open image in new window . This reduces the size and computing time of \(x^*\) into a constant, therefore the computing complexity of the ciphertext of witness encryption and the underlying multilinearity level become constant. The constant multilinearity level can also be achieved when using SNARKs from PCPs and linearonly encryption [14, 16]. In this case, Open image in new window consists of a decryption algorithm of linearonly encryption and an LPCP verification decision algorithm for the instance \(1^\tau \). To discuss the complexity of the SNARK verification, we use the notations from Construction 4.5 from [16]. For an \(\ell \)query LPCP, the complexity of the decryption of the linearonly encryption is linear in \(\ell \), and the complexity of the LPCP verification decision algorithm depends on the size of the instance x. For boolean circuit and arithmetic circuit satisfaction, 3query LPCPs are given in Appendix A in [14], where the computation on instance x in the LPCP decision algorithm can be easily precomputed and removed when encrypting with witness encryption. Since \(\ell = 3\) and x is removed, the witness encryption for encrypting the SNARK verification is of constant complexity.
We note that using a third party to set up SNARK parameters is not necessary for our timelock encryption scheme. The party who produces the ciphertext can generate the SNARK parameters itself. This party can be assumed to be trusted, since it is the owner of the plaintext. The receiver of the ciphertext can outsource the computation of generating a SNARK proof from a blockchain to a third party, but this party does not have to be trusted either since the proof can be verified. The receiver can also do this computation himself, of course. There are practical implementations of SNARKs [13, 63] and used in realworld applications, such as [11, 33], in contrast to current multilinear maps. Introducing a third party to set up public parameters for using SNARK can further improve efficiency. One can generate these parameters e.g. by using multiparty protocols [10, 20] that are tailored to support stateofart SNARK constructions [13, 63]. These multiparty protocols guarantee that even a party controlling all but one of the parties cannot construct fraudulent proofs. One has to run the setup protocol only once and reuse the parameters across many ciphertexts.
4.3 Extension to adaptivelysecure computational reference clocks
In our Bitcoinbased instantiation of a computational reference clock Open image in new window described below, the adversary will also be able to modify the state of Open image in new window to a certain degree (for instance, by executing Bitcoin transactions). This is not yet captured by Definitions 5 and 7 and the proof of Theorem 1. In this section, we extend the definitions and the security proof from the Sect. 3 to this case.
Definition 10
A computational reference clock with auxiliary input is a stateful probabilistic machine Open image in new window that outputs an infinite sequence \(w_1, w_2,\ldots \) in the following way. The initial state of Open image in new window is \(w_0\). On input a string Open image in new window , it runs a probabilistic algorithm Open image in new window which computes Open image in new window and outputs \(w_\tau \).
Intuition for Definition 10 The main difference to Definition 5 is that now we allow the output \(w_\tau \) to depend on some auxiliary input Open image in new window , which is motivated by the specific computational reference clock given by the Bitcoin blockchain. In Bitcoin the auxiliary input will consist of a list of Bitcoin transactions broadcasted by Bitcoin users in the network. An adversary may influence this list of transactions to some degree, by performing and broadcasting transactions. We will reflect this in the security definition given below, by letting the adversary choose the entire auxiliary input for each iteration of the Open image in new window function.
Definition 11
Intuition for Definition 11 The main difference to Definition 7 is that now the adversary has access to a stateful oracle Open image in new window , which takes as input Open image in new window chosen by the adversary (possibly adaptively and depending on previous oracle responses). The initial state of the oracle is equal to the initial state \(w_0\) of reference clock Open image in new window . When queried on input Open image in new window , the oracle computes Open image in new window , using its internal state w and the adversariallyprovided input Open image in new window . It updates its internal state by assigning Open image in new window , and returns w.
Remark 4
Note that we do not have to adapt the security definition for timelock encryption (Definition 9) to adaptive computational reference clocks, because Definition 9 already fits to the adaptive setting. Technically, we would have to adopt the correctness requirement in Definition 8 by adding the additional auxiliary inputs Open image in new window of each clock iteration. However, this is straightforward and therefore omitted. We only note that correctness should hold for all possible auxiliary inputs, of course.
Theorem 3
From each adversary Open image in new window that \((t_\mathsf {tl},\tau ,\varepsilon _\mathsf {tl})\)breaks Open image in new window in Construction 1 by querying Open image in new window , we can construct an adversary Open image in new window that adaptively \((t^\prime ,\tau ,\varepsilon ^\prime )\)breaks Open image in new window , provided that the witness encryption scheme is \((t_\mathsf {tl},t^\prime ,\tau 1,\tau 1,\varepsilon _\mathsf {tl},\varepsilon ^\prime )\)secure w.r.t. Open image in new window .
The proof is identical to the proof of Theorem 1 and therefore omitted.
Theorem 4
For each adversary Open image in new window that \((t_\mathsf {tl},\varepsilon _\mathsf {tl})\)breaks Open image in new window in Construction 2, we can construct an adversary Open image in new window that adaptively \((t^\prime ,\tau ,\varepsilon ^\prime )\)breaks Open image in new window , provided that the witness encryption scheme is \((t_\mathsf {tl},t_\mathsf{e},\tau 1, \tau 1,\varepsilon _\mathsf {tl},\varepsilon _\mathsf{e})\)secure w.r.t. Open image in new window and SNARKs is \((t_e, t^\prime , \tau 1, \tau 1,\varepsilon _\mathsf {e},\varepsilon ^\prime )\)secure w.r.t. Open image in new window .
The proof follows the same pattern as the proof of Theorem 2 and is therefore omitted.
5 Timelock encryption based on bitcoin
In this section, we will first describe the necessary background on Bitcoin. Then we explain how the scheme from Sect. 4 can be instantiated based on Bitcoin. Finally, we discuss some engineering tasks that arise in the context of Bitcoinbased timelock encryption.
5.1 The bitcoin blockchain
Cryptocurrencies are a cryptographic equivalent of regular currencies. The concept of decentralized cryptocurrencies has recently received a lot of attention, mostly motivated by the tremendous success of the most prominent decentralized cryptocurrency Bitcoin [61] and the emerge of a large number of alternative decentralized cryptocurrencies.^{2}
Using Bitcoin as an example, we will show how decentralized cryptocurrencies can be used as a concrete instantiation of the abstract concept of computational reference clocks. We stress, however, that Bitcoin serves merely as one concrete example. For instance, other decentralized cryptocurrencies also provide mechanisms that may be used to instantiate such reference clocks.
A complete description of the full Bitcoin system is out of scope of this paper. In particular, we omit all details about Bitcoin transactions, and give only a simplified description that captures the relevant features of Bitcoin. In the sequel we focus on one central building block of Bitcoin, the socalled Bitcoin blockchain. We refer to [61] for a description of the full system.
Bitcoin users may attempt to find the next block \(B_{s+1}\) in the chain, which is a computationally expensive (but feasible) task, because \(B_{s+1}\) must meet certain conditions that we will describe below. Users contributing to this search are called miners. The main incentive to contribute significant computational resources to the progress of the blockchain is that for each new block the respective miner is rewarded with a certain amount of Bitcoin.^{3}
It may happen that at some point the blockchain forks (for instance, if it happens that two miners simultaneously find a new block \(B_{s+1}\)), such that different miners continue their work on different branches of the fork. This problem is resolved in Bitcoin by considering only these transactions as valid, which correspond to the longest branch of the fork. Only newly mined blocks that correspond to the longest branch are rewarded. This provides an incentive for miners to contribute only to the longest branch.
Remark 5
Actually, the “length” of a chain in Bitcoin is not determined by the number of blocks, but by sum of the difficulty of all blocks in the chain. This is done to prevent that an adversary forks the chain by appending some lowdifficulty blocks.^{4} This distinction is not relevant for our paper. As in [1], we will therefore assume that the longest chain also corresponds to the chain with the largest sum of difficulties. When referring to the Bitcoin blockchain” in the sequel, we will mean the longest chain.
Note that the complexity of the problem of finding a new block \(B_{s+1}\) with \(B_{s+1} \le D_{s+1}\) grows with decreasing \(D_{s+1}\).^{5} This allows to dynamically modify the complexity of finding a new block by modifying the difficulty. The Bitcoin system frequently adjusts the difficulty, depending on the computational power contributed by miners to the progress of the Bitcoin blockchain,^{6} such that about every 10 minutes a new block is appended to the blockchain.

Bitcoin miners have an incentive to contribute significant computational resources to the progress of the blockchain, and to publish their solutions in order to get rewarded for their effort.
The total computing power contributed to the Bitcoin blockchain is huge, as of August 2017 the network computes more than \(6.6 \times 10^{18} \approx 2^{62}\) hashes per second.

The Bitcoin blockchain grows constantly and with predictable progress. The difficulty, and thus the size of the target, is frequently adjusted (about every two weeks) to the computational power currently available in the Bitcoin network, such that about every 10 minutes on average a new block is appended to the chain.
5.2 NPrelations based on hash blockchains
Let Open image in new window be a hash function for some constant d. Let Open image in new window , and let \(\delta : \mathbb {N} \rightarrow [0,2^d1]\) be a function with polynomiallybounded description. We will call \(\beta \) the starting block and \(\delta \) the target bound function.
Definition 12

\(T_i\) and \(r_i\) are polynomially bounded, and \(D_i \in [0,2^d1]\)

w contains at least x tuples \((T_i,r_i,D_i,B_i)\)

\(B_1 = H(T_1,r_1,D_1,\beta )\)

\(B_i = H(T_i,r_i,D_i,B_{i1})\) for all \(i \in [2,x]\)

\(\delta (i) \ge B_i\) for all \(i \in [1,x]\), where we interpret bit strings \(B_1,\ldots ,B_x\) canonically as integers.
Note that Open image in new window is an NPrelation, because there is an efficient deterministic algorithm that, given \((1^x,w)\), \(\beta \), and \(\delta \), verifies that Open image in new window by checking the conditions from Definition 12. Note also that the problem of finding a witness w for a given statement \(1^x\) corresponds to the problem of finding a valid blockchain w of length x with respect to \((\beta ,\delta )\), which gets increasingly difficult with decreasing \(\delta \).
5.3 Timelock encryption from bitcoin
We will now describe the Bitcoinbased computational reference clock Open image in new window along with a suitable associated relation Open image in new window . As described in Sect. 3, we can then combine these building blocks with witness encryption, to obtain a Bitcoinbased timelock encryption scheme.

Set \(\beta := B_0\), where \(B_0\) is the Bitcoin genesis block.

Fix a target bound function \(\delta : \mathbb {N} \rightarrow [0,2^{256}1]\).
Let Open image in new window denote the computational reference clock that computes Open image in new window . Then the state of Open image in new window at “time” \(\tau \) consists of the first \(\tau \) tuples of the Bitcoin blockchain. Recall that the progress of the chain is relatively predictable. Assuming that the current length of the chain is \(\tau \) tuples, and that new blocks will continuously be found at a rate of approximately one block every 10 minutes, then we know that in approximately \(10 \cdot x\) minutes the blockchain will contain \(\tau +x\) tuples.
Note that the relations Open image in new window from Definition 12 are associated to Open image in new window in the sense of Definition 6, provided that \(\beta = B_0\) and \(\delta \) satisfies \(\delta (i) \ge B_i\) for all \(i \in \mathbb {N} \). Unfortunately, the latter is not guaranteed, as it depends on the choice of the target bound function \(\delta \) and the future development of the size of the Bitcoin target. Therefore \(\delta \) must be chosen carefully.

First, note that we must not choose \(\delta \) too small More precisely, we must not choose \(\delta \) such that there exists \(i\in \mathbb {N} \) with \(\delta (i) < B_i\). This is because then our reference clock Open image in new window would not provide suitable witness \(w_i\) for Open image in new window . Thus, the timelock encryption scheme would not be correct.

Observe also that \(\delta \) must not be too large For instance, recall that Open image in new window . Thus, we could try to simply set \(\delta \) such that \(\delta (i) = 2^d\) for all \(i \in \mathbb {N} \). Then \(\delta (i) > B_i\) holds trivially for all \(i \in \mathbb {N} \).
However, then it becomes very easy to compute witnesses \(w_i\) for Open image in new window , by simply evaluating the hash function H itimes to build a chain of length i. Essentially, we have eliminated the size restriction on the \(B_i\) values, such that breaking the security of clock Open image in new window is clearly not hard for any such relation Open image in new window and any reasonable t. The resulting timelock encryption scheme would be trivially insecure.

If \(\delta \) is chosen too small, then the witness required to decrypt the message may never be contained in the public Bitcoin blockchain. This may happens if the Bitcoin difficulty decreases faster than expected by the encrypting party choosing \(\delta \). Thus, it may be infeasible to decrypt the ciphertext in reasonable time, such that nobody will ever learn the message (at least not within close time distance to the desired deadline).

If \(\delta \) is chosen too large, then an adversary that is able to perform a very large number of computations within a short time may be able to decrypt the message before the deadline, even though its computational resources are significantly below the resources of all Bitcoin miners.
We consider the “right” choice of \(\delta \) as an applicationdependent engineering problem, which we will discuss in Appendix C, along with other engineering questions arising from the Bitcoinbased instantiation of timelock encryption.
Correctness of the Bitcoinbased timelock encryption scheme In order to argue correctness of the Bitcoinbased timelock encryption scheme, we assume that Open image in new window is associated to Open image in new window in the sense of Definition 6. Note that this is implied by the assumption that Bitcoin is correct.
Security of the Bitcoinbased timelock encryption scheme The following theorem follows from Theorem 3.
Theorem 5
Let Open image in new window be the timelock encryption scheme obtained from combining computational reference clock Open image in new window with a witness encryption scheme for relations Open image in new window by applying the construction from Sect. 4. For each adversary Open image in new window that \((t_\mathsf {tl},\varepsilon _\mathsf {tl})\)breaks Open image in new window by querying Open image in new window at most q times, we can construct an adversary Open image in new window that adaptively \((t^\prime ,\varepsilon ^\prime )\)breaks Open image in new window with at most \(q^\prime \) queries with \(q^\prime \le q\), provided that the witness encryption scheme is \((t_\mathsf {tl},t^\prime ,q,q^\prime ,\varepsilon _\mathsf {tl},\varepsilon ^\prime )\)secure.
The assumption that \((t^\prime ,\varepsilon ^\prime )\)breaking the security of Open image in new window with respect to Open image in new window and reasonable values of \(t^\prime \) and \(\varepsilon '\), can be analyzed in the Random Oracle Model [9]. To this end, consider the following lemma.
Lemma 1
The Proof of this lemma can be found in Appendix D
Further gametheoretic aspects Ideally, the target bound function \(\delta \) is chosen such that decrypting the ciphertext earlier would require so many computational resources, that from a gametheoretic perspective it is more reasonable to use these resources to perform a different computation. This is always the case when the value of learning the encrypted message before the deadline is below the revenue obtainable from the different computation.
In particular, an adversary might gain more revenue from mining Bitcoin directly than from trying to learn the timelock encrypted message earlier than others. The revenue obtainable from Bitcoin mining is easily quantifiable, we think this is a very nice aspect of the Bitcoinbased instantiation of timelock encryption.
Timelock encryption beyond Bitcoin In order to obtain a stable and robust timelock encryption scheme from Bitcoin, it is required that Bitcoin miners will continue to contribute significant computational resources to the progress of the Bitcoin blockchain. It is conceivable that Bitcoin will be discontinued at some point in the future. This may happen, for instance, due to a market crash making Bitcoin worthless, or simply because its popularity decreases over time, possibly replaced by a different cryptocurrency. This is of course unpredictable.
Currently, there are several alternate cryptocurrencies, which are colloquially referred to as “altcoins”, any of which could be used in place of Bitcoin in our construction. Of particular interest is the fact that a large number of these are either Bitcoin derivatives or are built using the same techniques. This means that our construction can be used almost directly for these “altcoins”. Of course we can also replace Bitcoin with any other cryptocurrency.
In particular, one alternative is Ethereum [37, 38], which is the most popular cryptocurrency after Bitcoin, at the time of writing. One particular advantage of Ethereum over Bitcoin is that the average block time is significantly shorter, with a new block every 25 seconds on average (September 2017). However on the other side, we do have a lower hashrate of approximately \(9 \times 10^4 \approx 2^{16.5}\). As with Bitcoin, these figures are liable to change and would then affect the final construction.
We stress that the approach for constructing timelock encryption described in Sect. 3 is generic. That is, it is motivated by, but not reliant on Bitcoin, nor on any other cryptocurrency for that matter. In principle, our approach can be used with completely different types of iterative, public, largescale computations. For instance, timelock encryption could be based on other decentralized cryptocurrencies, or even on completely different types of public computations. The construction from Sect. 5.3 is only one concrete application of the techniques developed in Sect. 3, motivated by the fact that Bitcoin currently seem to be the most interesting candidate instantiation, in particular due to their wide adoption and the significant computational resources contributed to the Bitcoin network.
6 Extractable witness encryption
6.1 Extractable witness encryption from SubsetSum
In this section, we propose a construction for extractable witness encryption from a special SubsetSum problem and we prove the extractable security in the generic model of multilinear maps. We will show that the CNFSAT can be reduced to this special SubsetSum problem in the next section.
We use notations \({\mathbf u}, {\mathbf v}, {\mathbf w}\) to represent integer vectors. We call a vector of n elements the nvector. We define \({\mathbf u}\le {\mathbf v}\) as the componentwise comparison. We denote by \({\left\{ {\left( {\mathbf v}_i : \ell _i \right) } \right\} }_{i\in I}\) a multiset in which the element \({\mathbf v}_i\) occurs \(\ell _i\) times and \({\mathbf v}_1,\ldots , {\mathbf v}_{{\left I \right }}\) are pairwisedistinct. Let \({\alpha } := {\left( \alpha _1, \ldots , \alpha _d \right) }\) and \({\mathbf v} := {\left( v_1,\ldots ,v_d \right) }\). We write \(\alpha ^{{\mathbf v}}\) for \(\alpha _1^{v_{1}} \alpha _2^{v_{2}}\ldots \alpha _d^{v_{d}}\).
Our witness encryption scheme makes use of asymmetric multilinear maps in which groups are indexed by integer vectors [19, 40, 72]. Suppose we have a \({\mathbf s}\)multilinear group family consisting of groups \({\left\{ G_{{\mathbf v}} \right\} }_{\mathbf v}\) of the same order p and \({\mathbf v}\le {\mathbf s}\), where \({\mathbf s}, {\mathbf v}\in \mathbb {Z}^\ell \) are positive integer vectors and the comparison between the vectors holds componentwise. The groups are equipped with a set of multilinear maps, \(\mathsf{e}_{{\mathbf u}, {\mathbf v}}: G_{{\mathbf u}} \times G_{{\mathbf v}} \rightarrow G_{{\mathbf u} + {\mathbf v}}\) for \({\mathbf u} + {\mathbf v} \le {\mathbf s}\), satisfying \(\mathsf{e}_{\scriptscriptstyle {{\mathbf u}, {\mathbf v}}}{\left( {{g}_{{{\mathbf u}}}^{\alpha }},{{g}_{{{\mathbf v}}}^{\beta }} \right) } = {{g}_{{{\mathbf u}+ {\mathbf v}}}^{\alpha \beta }}\). We often omit the subscripts and just write \(\mathsf{e}\).

Instance given a multiset of dvectors \(\varDelta = {\left\{ {\left( {\mathbf v}_i : \ell _i \right) } \right\} }_{i\in I}\) of positive integers, and a sum dvector \({\mathbf s}\) of positive integers such that \((\ell _i +1) {\mathbf v}_i \not \le {\mathbf s}\) for each \(i\in I\).

Decide is \(\sum _{i\in I} b_i {\mathbf v}_i = {\mathbf s}\) for some integers \(0\le b_i\le \ell _i\) with \(i\in I\)?
Construction 1

\(\mathsf{WE.Enc}{\left( 1^\lambda , x, m \right) }\): run Open image in new window to get the description of a set of multilinear maps \(\mathsf{e}_{{\mathbf u}, {\mathbf v}}: G_{{\mathbf u}} \times G_{{\mathbf v}} \rightarrow G_{{\mathbf u} + {\mathbf v}}\) for \({\mathbf u} + {\mathbf v} \le {\mathbf s}\), together with group generators \({\left\{ g_{{\mathbf v}} \right\} }_{{\mathbf v}\le {\mathbf s}}\). Choose a random vector \({\alpha } := \langle \alpha _1,\ldots ,\alpha _d \rangle \). The ciphertext is \(c:= {\left( \mathsf{param}, {\left\{ g_{{\mathbf v}_i}^{\alpha ^{{\mathbf v}_i}} \right\} }_{i\in I}, m\cdot g_{{\mathbf s}}^{\alpha ^{{\mathbf s}}} \right) }\).
 \(\mathsf{WE.Dec}{\left( c, {\mathbf w} \right) }\): let \({\mathbf w} := (b_1, b_2,\ldots , b_{{\left I \right }})\). Compute the decryption key by If \(\sum _{i\in I} b_i {\mathbf v}_i = {\mathbf s}\), then \(K = g_{\sum _{i\in I} b_i {\mathbf v}_i}^{\alpha ^{\sum _{i\in I} b_i {\mathbf v}_i}} = g_{{\mathbf s}}^{\alpha ^{{\mathbf s}}}\).
In the above construction, each vector \({\mathbf v}_i\) is only encoded once as a group element \(g_{{\mathbf v}_i}^{\alpha ^{{\mathbf v}_i}}\). The multiple usage of \({\mathbf v}_i\) corresponds to the multiple pairing of \(g_{{\mathbf v}_i}^{\alpha ^{{\mathbf v}_i}}\). However, we cannot allow the encoded element to be used for more than \(\ell _i\) times. This is why we have the side condition \((\ell _i+1){\mathbf v}_i\not \le {\mathbf s}\). If \(g_{{\mathbf v}_i}^{\alpha ^{{\mathbf v}_i}}\) is paired for more than \(\ell _i\) times, then the group index will be no longer smaller than the index of the target group \({\mathbf s}\). Note that the encoding described above does not directly work for the general SubsetSum problem. For example, given \({\left\{ 1 \right\} }\), there is no subsetsum for 3, but we can obtain the encoding \({{g}_{{3}}^{\alpha ^3}}\) for the sum by computing \(\mathsf{e}{\left( {{g}_{{1}}^{\alpha ^1}}, {{g}_{{1}}^{\alpha ^1}}, {{g}_{{1}}^{\alpha ^1}} \right) }\). The problem is caused by the fact that the encoding \({{g}_{{1}}^{\alpha ^1}}\) can be used for multiple times but the element 1 can only be used for at most once in the SubsetSum instance.
Theorem 6
Our Construction 1 of witness encryption achieves extractable security with \(t^\prime =\mathsf{poly}(t\cdot \lambda )\) and \(\varepsilon ^\prime = \varepsilon \) and \(q^\prime \le q\) in the generic model of multilinear maps.
A proof of this theorem can be found in Appendix F
Our special SubsetSum problem can directly encode the ExactCover problem by representing each set of the instance of ExactCover as a vector and the side condition holds because each set can be used for at most once. This encoding converts the witness encryption scheme [43] into an extractable witness encryption scheme.
A weaker security guarantee for witness encryption is the soundness security. The soundness security states that if \(x\notin L\) then no polynomialtime algorithm can decrypt. An alternative definition for soundness security called adaptive soundness is given in [8]. In fact, the extractable security implies the soundness security since the probability that the extractor can extract a witness is 0 when \(x\notin L\). We also give a discussion about the soundness security of our witness encryption scheme in the Appendix G.
Since the breakthrough construction of Garg et al. [40] in 2013, multilinear maps [31, 32, 40, 45, 54] becomes a very active research area, as well as its cryptanalysis [25, 26, 28, 30, 52, 70]. Our design of witness encryption is independent of the underlying implementations of multilinear maps. In particular, our scheme seems not susceptible to the zeroising attacks since constructing toplevel encodings of zeroes is difficult and requires the knowledge of a sufficient number of witnesses. We leave it as a future work to formally investigate the security of our scheme when instantiated with the current approximate multilinear maps.
6.2 Reducing CNFSAT to SubsetSum
In this section, we show how to construct an extractable witness encryption for any NP language. This is achieved by constructing an intuitive reduction from an instance of CNFSAT to an instance of our special SubsetSum. This results in a more efficient encoding for CNF formulas compared to the encoding in the existing witness encryption schemes.
The Boolean satisfiability problem (SAT) is, given a formula, to check whether it is satisfiable. Let B be a Boolean formula. A literal is either a variable x or the negation of a variable \({\overline{x}}\). A clause is a disjunction of literals, e.g., \(C = x_1\vee {\overline{x_2}} \vee {\overline{x_3}} \vee x_4\). The formula B is said to be in conjunctive normal form (CNF) if it is a conjunction of clauses \(C_1\wedge C_2 \wedge \cdots \wedge C_m\). The SAT problem for CNF formulas is called CNFSAT.
Definition 13
 (1)For each variable \(x_i\) with \(1\le i\le n\), construct two vectors \({\mathbf u}_{i,0}\) and \({\mathbf u}_{i,1}\) of \((n + 2k)\) integers as follows:

The ith element of \({\mathbf u}_{i,0}\) and \({\mathbf u}_{i,1}\) is 1

For \(1 \le j \le k\), the \((n+j)\)th element of \({\mathbf u}_{i,0}\) is 1 if \({\overline{x_i}}\) is in clause \(C_{j}\)

For \(1 \le j \le k\), the \((n+j)\)th element of \({\mathbf u}_{i,1}\) is 1 if \(x_i\) is in clause \(C_{j}\)

All other elements of \({\mathbf u}_{i,0}\) and \({\mathbf u}_{i,1}\) are 0

 (2)For each clause \(C_j\) with \(1\le j\le k\), assume there are \(m_j\) literals in the clause \(C_j\), construct vectors \({\mathbf v}_{j,1}, {\mathbf v}_{j,2},\ldots ,{\mathbf v}_{j,m_j1}\) of \(n + 2k\) integers:

The \({\left( n + j \right) }\)th element and the \({\left( n+k+j \right) }\)th element of \({\mathbf v}_{j,1}, {\mathbf v}_{j,2},\ldots ,{\mathbf v}_{j,m_j1}\) are equal to 1

All other elements of \({\mathbf v}_{j,1}, {\mathbf v}_{j,2},\ldots , {\mathbf v}_{j,m_j1}\) are 0

 (3)For each clause \(C_j\), we construct vectors \({\mathbf z}_{j,1}, {\mathbf z}_{j,2},\ldots ,{\mathbf z}_{j,m_{j1}}\) of \(n+2k\) integers as counters:

The \({\left( n + k + j \right) }\)th element of \({\mathbf z}_{j,1}, {\mathbf z}_{j,2},\ldots ,{\mathbf z}_{j,m_{j1}}\) is equal to 1

All other elements of \({\mathbf z}_{j}\) is 0

 (4)Finally, construct a target sum vector \({\mathbf s}\) of \(n + 2k\) integers:

For \(1 \le j \le n\), the jth element of \({\mathbf s}\) is equal to 1

For \(1 \le j \le k\), the \({\left( n+j \right) }\)th element of \({\mathbf s}\) is equal to \(m_j\).

For \(1 \le j \le k\), the \({\left( n+k+j \right) }\)th element of \({\mathbf s}\) is equal to \(m_j1\).

Intuitively, the vector \({\mathbf u}_{i,0}\) corresponds to the negative occurrences of variable \(x_i\) in the formula while the vector \({\mathbf u}_{i,1}\) corresponds to its positive occurrences. The vectors \({\mathbf v}_{j,1}, {\mathbf v}_{j,2},\ldots ,{\mathbf v}_{j,m_j1}\) for each clause \(C_j\) will sum to \(m_j1\) at most, but to complete the sum \(m_j\) at least one will have to come from one of the \({\mathbf u}_{i,0}\) or \({\mathbf u}_{i,1}\) for \(1\le i\le n\), which means the clause has to be satisfied by some literals. An example for explaining this reduction is given in the following example. Notice that when adding these integer vectors, there is no “carry” between adjacent columns.
Example 1
\({\left( x_1\vee {\overline{x_2}} \right) }\wedge {\left( {\overline{x_1}} \vee {\overline{x_2}} \vee x_3 \vee {\overline{x_4}} \right) } \wedge {\left( x_1 \vee x_2\vee x_3 \right) }\) is encoded in Figure 1. The assignment \(x_1= 1, x_2 = 0, x_3 = 1, x_4 =0\) evaluates the formula to true, and it corresponds to the subset sum \({\mathbf u}_{1,1} + {\mathbf u}_{2,0} + {\mathbf u}_{3,1} + {\mathbf u}_{4,0} + {\mathbf v}_{2,1} + {\mathbf v}_{2,2} + {\mathbf v}_{3,1} + {\mathbf z}_{1,1} + {\mathbf z}_{2,1} + {\mathbf z}_{2,2} + {\mathbf z}_{3,1} = {\mathbf s}\).
We shall analyse that the above reduction transforms an instance of CNFSAT into an instance of our special SubsetSum, that is the sidecondition \((\ell _i+1){\mathbf v}_i\not \le {\mathbf s}\) is satisfied. Each vector \({\mathbf u}_{i,b}\) can occur for at most once in the sum, otherwise the ith element of the sum will be bigger than 1. The vectors \({\mathbf v}_{j,1},\ldots ,{\mathbf v}_{j,m_j1}\) are the same vectors and at most \(m_j1\) of them can occur in the sum, otherwise the \(n+k+j\)th element of the sum will be bigger than \(m_j1\). Similarly the vectors \({\mathbf z}_{j,1},\ldots ,{\mathbf z}_{j,m_j1}\) are the same and at most \(m_j1\) of them can be used in the sum otherwise the \(n+k+j\)th element of the sum will be bigger than \(m_j1\).
Theorem 7
The CNF formula is satisfiable iff subset sum exists.
Proof
If there is a subsequence of integer vectors summing to the sum vector \({\mathbf s}\), this must use exactly one of each of the pairs \({\left( {\mathbf u}_{i,0}, {\mathbf u}_{i,1} \right) }\) (corresponding to each variable \(x_i\) being either false or true but not both) to make the first n elements of the sum correct. Also, each clause of \(C_j\) must have been satisfied by at least one variable, or the next k elements of the sum cannot be big enough. The last k elements of the vectors are the auxiliary counters that will be used for encoding.
When the CNF formula is satisfiable with assignment \(x_1,x_2,\ldots ,x_n\), then we can construct a subset sum. We first choose \({\mathbf u}_{1, x_1}, {\mathbf u}_{2, x_2},\ldots ,{\mathbf u}_{n, x_n}\). Then for each \(1\le j\le k\), we compute the number of literals that evaluate to true in \(C_j\) and denote it by \(\ell _j\). For each \(1\le j\le k\), we choose vectors \({\mathbf v}_{j,1},\ldots ,{\mathbf v}_{j,m_j1\ell _j}\) and \({\mathbf z}_{j,1},{\mathbf z}_{j,2},\ldots ,{\mathbf z}_{j,\ell _j1}\). It is easy to see that these vectors add up to the sum vector \({\mathbf s}\).
Therefore, there is a satisfying assignment to \(C_1\wedge C_2 \wedge \cdots \wedge C_k\) if and only if there is a subsequence of the numbers that sums to \({\mathbf s}\). \(\square \)
7 Conclusions and future work
We have proposed our novel timelock encryption scheme, which in contrast to previous works requires neither a trusted third party, nor a large computation on the side of the receiver. Our construction leverages any large public computations, such as those involved in Bitcoin, to realise a computational reference clock. We then couple this with an extractable witness encryption to get our final timelock encryption scheme. However, there is scope for improvement.
As this scheme is essentially the first of its kind, it is more of a proof of concept than a concrete proposal. The current parameters would make an implementation of this scheme quite cumbersome. Thus the first avenue for future work would be to try and find a more practical scheme based on our construction, or indeed a more practical specific construction. Additionally, we get immediate gains from any improvements to our underlying building blocks, or indeed from any new, more efficient building blocks.
This leads us to the first avenue for improvement, which lies in the primitives themselves. As immediate improvement could be realised if we could use a more efficient extractable witness encryption scheme. It would be of particular interest to see if one could realise witness encryption without the use of multilinear maps. Alternatively, one could consider witness encryptions for other languages and see if there are any gains to be made there.
Another potential for improvement would be investigating the possibility of other methods of realising our computational reference clock from other forms large public computations. Or indeed, one may consider what kinds of computation, if carried out on a large distributed scale would allow us a computational reference clock.
Footnotes
 1.
Section 5.1 contains a more detailed background on Bitcoin.
 2.
See http://altcoins.com/ for an overview of Bitcoin alternatives.
 3.
12.5 bitcoins per block, at a value of approximately 2378 US$ per Bitcoin, in July 2017.
 4.
 5.
Under the assumption that H is a sufficiently secure hash function.
 6.
See https://bitcoinwisdom.com/bitcoin/difficulty for a chart depicting the recent development of the difficulty in Bitcoin.
 7.
Obtained from the classical formulation \(\Pr [X \ge (1+\ell )\mu ] \le e^{\ell \mu } / (1+\ell )^{\mu (1+\ell )}\) by substituting \(x := (1+\ell )\mu \) and \(\ell := x/\mu 1\).
Notes
Acknowledgements
Jia Liu’s work has been funded by the UK EPSRC as part of the PETRAS IoT Research Hub Cybersecurity of the Internet of Things grant no: EP/N02334X/1. Tibor Jager and Saqib A. Kakvi were supported by the Federal Ministry of Education and Research, Germany, project REZEIVER, funding code 16K1S0711. Part of this work was done while Jia Liu and Saqib A. Kakvi were employed at the University of Bristol.
References
 1.Andrychowicz M., Dziembowski S., Malinowski D., Mazurek L.: Secure multiparty computations on Bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 443–458, Berkeley, May 18–21, IEEE Computer Society Press (2014).Google Scholar
 2.Andrychowicz M., Dziembowski S., Malinowski D., Mazurek Ł.: Fair twoparty computations via Bitcoin deposits. Cryptology ePrint Archive, Report 2013/837, http://eprint.iacr.org/ (2013).
 3.Azar P., Goldwasser S., Park S.: On time and order in multiparty computation. Cryptology ePrint Archive, Report 2015/178, http://eprint.iacr.org/ (2015).
 4.Barak B., Garg S., Kalai Y.T., Paneth O., Sahai A.: Protecting obfuscation against algebraic attacks. In: EUROCRYPT, pp. 221–238 (2014).Google Scholar
 5.Barak B., Goldreich O., Impagliazzo R., Rudich S., Sahai A., Vadhan S.P., Yang K.: On the (im)possibility of obfuscating programs. In: Kilian J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Berlin (2001).Google Scholar
 6.Barak B., Goldreich O., Impagliazzo R., Rudich S., Sahai A., Vadhan S.P., Yang K.: On the (im)possibility of obfuscating programs. J. ACM 59(2), 6 (2012).MathSciNetCrossRefMATHGoogle Scholar
 7.Bellare M., Hoang V.T.: Adaptive witness encryption and asymmetric passwordbased cryptography. Cryptology ePrint Archive, Report 2013/704, http://eprint.iacr.org/ (2013).
 8.Bellare M., Hoang V.T.: Adaptive witness encryption and asymmetric passwordbased cryptography. In: PKC, pp. 308–331 (2015).Google Scholar
 9.Bellare M., Rogaway P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Ashby V. (ed). ACM CCS 93, pp. 62–73, Fairfax, November 3–5, ACM Press (1993).Google Scholar
 10.Sasson E.B., Chiesa A., Green M., Tromer E., Virza M.: Secure sampling of public parameters for succinct zero knowledge proofs. In: 2015 IEEE Symposium on Security and Privacy, pp 287–304 (2015).Google Scholar
 11.BenSasson E., Chiesa A., Garman C., Green, M., Miers I., Tromer E., Virza M.: Zerocash: danonymous payments from Bitcoin. In: IEEE Symposium on Security and Privacy, pp. 459–474 (2014).Google Scholar
 12.BenSasson E., Chiesa A., Genkin D., Tromer E., Virza M.: Snarks for C: verifying program executions succinctly and in zero knowledge. CRYPTO 2, 90–108 (2013).MathSciNetMATHGoogle Scholar
 13.BenSasson E., Chiesa A., Tromer E., Virza M.: Succinct noninteractive zero knowledge for a von neumann architecture. In: 23rd USENIX Security Symposium (USENIX Security 14), pp. 781–796 (2014).Google Scholar
 14.Bitansky N., Chiesa A., Ishai Y., Ostrovsky R., Paneth O.: Succinct noninteractive arguments via linear interactive proofs. In: TCC, pp. 315–333 (2013).Google Scholar
 15.Boneh D., Boyen X., Goh E.J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Berlin (2005).Google Scholar
 16.Boneh D., Ishai Y., Sahai A., Wu D.J.: Latticebased SNARGs and their application to more efficient obfuscation, pp. 247–277. Cham (2017).Google Scholar
 17.Boneh D., Naor M.: Timed commitments. In: Bellare M. (ed). CRYPTO 2000. LNCS, vol. 1880, pp. 236–254. Springer, Berlin (2000).Google Scholar
 18.Boneh D., Silverberg A.: Applications of multilinear forms to cryptography. Contemp. Math. 324, 71–90 (2003).MathSciNetCrossRefMATHGoogle Scholar
 19.Boneh D., Waters B., Zhandry M.: Low overhead broadcast encryption from multilinear maps. In: CRYPTO, pp. 206–223 (2014).Google Scholar
 20.Bowe S., Gabizon A., Green M.D.: A multiparty protocol for constructing the public parameters of the pinocchio zksnark. The 5th Workshop on Bitcoin and Blockchain Research (BITCOIN’18) (2018).Google Scholar
 21.Boyle E., Chung K.M., Pass R.: On extractability obfuscation. In: Lindell, Yehuda (ed)., TCC 2014. LNCS, vol. 8349, pp. 52–73. Springer, Berlin (2014).Google Scholar
 22.Brakerski Z., Rothblum G.N.: Virtual blackbox obfuscation for all circuits via generic graded encoding. IACR Cryptology ePrint Archive, vol. 2013, p. 563 (2013).Google Scholar
 23.Cathalo J., Libert B., Quisquater J.J.: Efficient and noninteractive timedrelease encryption. In: Qing S., Mao W., López J., Wang G. (eds). ICICS 05. LNCS, vol. 3783, pp. 291–303. Springer, Berlin (2005).Google Scholar
 24.Chalkias K., HristuVarsakelis D., Stephanides G.: Improved anonymous timedrelease encryption. Comput. Secur. 2007, 311–326 (2007).MATHGoogle Scholar
 25.Chen Y., Gentry C., Halevi S.: Cryptanalyses of zcandidate branching program obfuscators, pp. 278–307 (2017).Google Scholar
 26.Cheon J.H., Han K., Lee C., Ryu H., Stehlé D.: Cryptanalysis of the multilinear map over the integers. In: EUROCRYPT, pp. 3–12 (2015).Google Scholar
 27.Cheon J.H., Hopper N., Kim Y., Osipkov I.: Provably secure timedrelease public key encryption. ACM Trans. Inf. Syst. Secur. 11(2), 4 (2008).CrossRefMATHGoogle Scholar
 28.Cheon J.H., Lee C., Ryu H.: Cryptanalysis of the new clt multilinear maps. Cryptology ePrint Archive, Report 2015/934, http://eprint.iacr.org/ (2015)
 29.Sherman S.M., Chow V.R., Rieffel E.G.: General certificateless encryption and timedrelease encryption, In: SCN, pp. 126–143.Google Scholar
 30.Coron J.S., Gentry C., Halevi S., Lepoint T., Maji H.K., Miles E., Raykova M., Sahai A., Tibouchi M.: Zeroizing without lowlevel zeroes: new MMAP attacks and their limitations, pp. 247–266 (2015).Google Scholar
 31.Coron J.S., Lepoint T., Tibouchi M.: Practical multilinear maps over the integers. In: CRYPTO, pp. 476–493 (2013).Google Scholar
 32.Coron J.S., Lepoint T., Tibouchi M.: New multilinear maps over the integers. In: CRYPTO, pp. 267–286 (2015).Google Scholar
 33.Danezis G., Fournet C., Kohlweiss M., Parno B.: Pinocchio coin: building zerocoin from a succinct pairingbased proof system. In: PETShop, pp. 27–30 (2013).Google Scholar
 34.Dwork C., Naor M.: Pricing via processing or combatting junk mail. In: Brickell E.(ed.) CRYPTO’92. LNCS, vol. 740, pp. 139–147. Springer, Berlin (1993).Google Scholar
 35.Dwork C., Naor M., Wee H.: Pebbling and proofs of work. In: Shoup V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 37–54. Springer, Berlin (2005).Google Scholar
 36.Eyal I., Sirer E.G.: Majority is not enough: Bitcoin mining is vulnerable. In: Christin N., SafaviNaini R. (eds.) FC 2014. LNCS, vol. 8437, pp. 436–454. Springer, Berlin (2014).Google Scholar
 37.Ethereum Foundation. Ethereum documentation. http://www.ethdocs.org/en/latest Retrieved (2017).
 38.Ethereum Foundation. Ethereum white paper. http://www.ethdocs.org/en/latest Retrieved (2017).
 39.Garay J., Kiayias A., Leonardos, N.: The Bitcoin backbone protocol: analysis and applications. Cryptology ePrint Archive, Report 2014/765, http://eprint.iacr.org/, accepted to EUROCRYPT 2015 (2014).
 40.Garg S., Gentry C., Halevi S.: Candidate multilinear maps from ideal lattices. In: EUROCRYPT. pp. 1–17 (2013).Google Scholar
 41.Garg S., Gentry C., Halevi S., Raykova M., Sahai A., Waters B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th FOCS, pp. 40–49. IEEE Computer Society Press (2013)Google Scholar
 42.Garg S., Gentry C., Halevi S., Wichs D.: On the implausibility of differinginputs obfuscation and extractable witness encryption with auxiliary input. In: CRYPTO, pp. 518–535 (2014).Google Scholar
 43.Garg S., Gentry C., Sahai A., Waters B.: Witness encryption and its applications. STOC ’13, pp. 467–476 (2013).Google Scholar
 44.Gennaro R., Gentry C., Parno B., Raykova M.: Quadratic span programs and succinct NIZKs without PCPs. In: EUROCRYPT, pp. 626–645 (2013).Google Scholar
 45.Gentry C., Gorbunov S., Halevi S.: Graphinduced multilinear maps from lattices, pp. 498–527 (2015).Google Scholar
 46.Gentry C., Lewko A.B., Waters B.: Witness encryption from instance independent assumptions. In: CRYPTO, pp. 426–443 (2014).Google Scholar
 47.Gmaxwell. Gmaxwell/alt ideas. https://en.bitcoin.it/wiki/User:Gmaxwell/alt_ideas (2014).
 48.Goldwasser S., Kalai Y.T., Popa R.A., Vaikuntanathan V., Zeldovich N.: How to run turing machines on encrypted data. In: CRYPTO, pp. 536–553 (2013).Google Scholar
 49.Groth J.: Short pairingbased noninteractive zeroknowledge arguments. In: ASIACRYPT, pp. 321–340 (2010).Google Scholar
 50.gwern.net. Timelock encryption. http://www.gwern.net/Selfdecrypting (2015).
 51.Jager T.: How to build timelock encryption. Cryptology ePrint Archive, Report 2015/478. http://eprint.iacr.org/ (2015).
 52.Coron J.S., Lepoint T., Tibouchi M.: Cryptanalysis of two candidate fixes of multilinear maps over the integers. https://eprint.iacr.org/2014/975.pdf.
 53.Katz J., Miller A., Shi E.: Pseudonymous secure computation from timelock puzzles. Cryptology ePrint Archive, Report 2014/857, http://eprint.iacr.org/ (2014)
 54.Langlois A., Stehlé D., Steinfeld R.: GGHLite: more efficient multilinear maps from ideal lattices. In: EUROCRYPT, pp. 239–256 (2014).Google Scholar
 55.Lipmaa H.: Progressionfree sets and sublinear pairingbased noninteractive zeroknowledge arguments. In: TCC, pp. 169–189 (2012).Google Scholar
 56.Lipmaa H.: Succinct noninteractive zero knowledge arguments from span programs and linear errorcorrecting codes. ASIACRYPT 1, 41–60 (2013).MATHGoogle Scholar
 57.Liu J., Kakvi S.A., Warinschi B.: Timerelease protocol from Bitcoin and witness encryption for sat. Cryptology ePrint Archive, Report 2015/482, http://eprint.iacr.org/ (2015)
 58.Mahmoody M., Moran T., Vadhan S.P.: Timelock puzzles in the random oracle model. In: Rogaway P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 39–50, Springer, Berlin (2011).Google Scholar
 59.Mahmoody M., Moran T., Vadhan S.P.: Publicly verifiable proofs of sequential work. In: Kleinberg, R.D. (ed), ITCS 2013, pp. 373–388. ACM, Berkeley (2013)Google Scholar
 60.Miller A.: #bitcoinwizards chat forum. 2015. https://botbot.me/freenode/bitcoinwizards/20150313/?msg=34092097&page=3.
 61.Nakamoto S.: Bitcoin: a peertopeer electronic cash system. http://www.bitcoin.org/bitcoin.pdf (2009).
 62.Parno B., Howell J., Gentry C., Raykova M.: Pinocchio: nearly practical verifiable computation. In: IEEE Symposium on Security and Privacy, pp. 238–252 (2013).Google Scholar
 63.Parno B., Howell J., Gentry C., Raykova M.: Pinocchio: nearly practical verifiable computation. In: Proceedings of the 2013 IEEE Symposium on Security and Privacy, SP ’13, pp. 238–252 (2013).Google Scholar
 64.Pass R., Seeman L., Shelat A.: Analysis of the blockchain protocol in asynchronous networks, pp. 643–673. Cham (2017).Google Scholar
 65.Paterson K.G., Quaglia E.A.: Timespecific encryption. In: Proceedings of the 7th International Conference on Security and Cryptography for Networks, SCN’10, pp. 1–16 (2010).Google Scholar
 66.Rivest, Ronald L., Shamir A., Wagner D.A .: Timelock puzzles and timedrelease crypto. Technical report, Massachusetts Institute of Technology (1996).Google Scholar
 67.Schwenk J.: Modelling time for authenticated key exchange protocols. In: Kutylowski M., Vaidya J. (eds.) ESORICS 2014, Part II. LNCS, vol. 8713, pp. 277–294, Springer, Berlin (2014).Google Scholar
 68.Todd, P.: Timelock encryption incentivised by Bitcoin. https://github.com/petertodd/timelock (2014).
 69.Unruh D.: Revocable quantum timedrelease encryption. In: Nguyen P.Q., Oswald E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 129–146, Springer, Berlin (2014).Google Scholar
 70.Hu Y., Jia H.: Cryptanalysis of GGH map. https://eprint.iacr.org/2015/301.pdf.
 71.Zhandry M.: How to avoid obfuscation using witness PRFs. In: Proceedings of TCC (2016).Google Scholar
 72.Zimmerman J.: How to obfuscate programs directly. EUROCRYPT Part 9057, 439–467 (2015).MathSciNetMATHGoogle Scholar
Copyright information
Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.