Time-Lock Puzzles in the Random Oracle Model
A time-lock puzzle is a mechanism for sending messages “to the future”. The sender publishes a puzzle whose solution is the message to be sent, thus hiding it until enough time has elapsed for the puzzle to be solved. For time-lock puzzles to be useful, generating a puzzle should take less time than solving it. Since adversaries may have access to many more computers than honest solvers, massively parallel solvers should not be able to produce a solution much faster than serial ones.
To date, we know of only one mechanism that is believed to satisfy these properties: the one proposed by Rivest, Shamir and Wagner (1996), who originally introduced the notion of time-lock puzzles. Their puzzle is based on the serial nature of exponentiation and the hardness of factoring, and is therefore vulnerable to advances in factoring techniques (as well as to quantum attacks).
In this work, we study the possibility of constructing time-lock puzzles in the random-oracle model. Our main result is negative, ruling out time-lock puzzles that require more parallel time to solve than the total work required to generate a puzzle. In particular, this should rule out black-box constructions of such time-lock puzzles from one-way permutations and collision-resistant hash-functions. On the positive side, we construct a time-lock puzzle with a linear gap in parallel time: a new puzzle can be generated with one round of n parallel queries to the random oracle, but n rounds of serial queries are required to solve it (even for massively parallel adversaries).
- 2.Back, A.: Hashcash — a denial of service counter-measure (2002), http://www.hashcash.org/papers/hashcash.pdf
- 3.Barak, B., Mahmoody, M.: Lower bounds on signatures from symmetric primitives. In: FOCS 2007, pp. 680–688. IEEE Computer Society, Los Alamitos (2007)Google Scholar
- 7.Boneh, D., Boyen, X.: Secure identity based encryption without random oracles. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 443–459. Springer, Heidelberg (2004)Google Scholar
- 10.Brassard, G., Salvail, L.: Quantum merkle puzzles. In: ICQNM, pp. 76–79. IEEE Computer Society, Los Alamitos (2008)Google Scholar
- 14.Di Crescenzo, G., Ostrovsky, R., Rajagopalan, S.: Conditional oblivious transfer and timed-release encryption. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 74–89. Springer, Heidelberg (1999)Google Scholar
- 15.Dagdelen, O., Fischlin, M., Lehmann, A., Schaffner, C.: Random oracles in a quantum world. Cryptology ePrint Archive, Report 2010/428 (2010), http://eprint.iacr.org/2010/428.pdf
- 17.Dwork, C., Naor, M.: Pricing via processing or combatting junk mail. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 139–147. Springer, Heidelberg (1993)Google Scholar
- 18.Dwork, C., Naor, M., Wee, H.: Pebbling and proofs of work. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 37–54. Springer, Heidelberg (2005)Google Scholar
- 22.May, T.C.: Timed-release crypto (February 1993), http://www.hks.net/cpunks/cpunks-0/1460.html
- 24.Rivest, R.L., Shamir, A.: Payword and micromint: Two simple micropayment schemes. In: Lomas, M. (ed.) Security Protocols 1996. LNCS, vol. 1189, pp. 69–87. Springer, Heidelberg (1997)Google Scholar
- 25.Rivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto. Technical Report MIT/LCS/TR-684, MIT (February 1996)Google Scholar