Towards Practical Homomorphic Time-Lock Puzzles: Applicability and Verifiability

Abstract

Time-lock puzzle schemes allow one to encrypt messages for the future. More concretely, one can efficiently generate a time-lock puzzle for a secret/solution s, such that s remains hidden until a specified time T has elapsed, even for any parallel adversaries. However, since computation on secrets within multiple puzzles can be performed only when all of these puzzles are solved, the usage of classical time-lock puzzles is greatly limited. Homomorphic time-lock puzzle (HTLP) schemes were thus proposed to allow evaluating functions over puzzles directly without solving them.

However, although efficient HTLP schemes exist, more improvements are still needed for practicability. In this paper, we improve HTLP schemes to broaden their application scenarios from the aspects of applicability and verifiability. In terms of applicability, we design the first multiplicatively HTLP scheme with the solution space over \(\mathbb {Z}_n^*\), which is more expressible than the original one, e.g., representing integers. Then, to fit HTLP into scenarios requiring verifiability that is missing in existing schemes, we propose three simple and fast protocols for both the additively HTLP scheme and our multiplicatively HTLP scheme, respectively. The first two protocols allow a puzzle solver to convince others of the correctness of the solution or the invalidity of the puzzle so that others do not need to solve the puzzle themselves. The third protocol allows a puzzle generator to prove the validity of his puzzles. It is shown that a puzzle in our scheme is only 1.25 KB, and one multiplication on puzzles takes simply 0.01 ms. Meanwhile, the overhead of each protocol is less than 0.6KB in communication and 40 ms in computation. Hence, HTLP still demonstrates excellent efficiency in both communication and computation with these versatile properties.

Keywords

The full version of this paper is available at https://eprint.iacr.org/2022/585.

Appendices

A A Related Work

Besides the two partially HTLP schemes, a fully HTLP scheme based on indistinguishability obfuscation was proposed in [13], and another one based on fully homomorphic encryption was given in [3]. They are both based on costly primitives and are mostly of theoretical interest at present.

Very recently, a generic construction of HTLP schemes was proposed in [4]. This construction uses existing classical time-lock puzzle schemes and homomorphic encryption schemes in a black-box manner. Its setup algorithm generates a key pair of the homomorphic encryption scheme, together with a time-lock puzzle for the random coins used in the key generation, and outputs the public key and puzzle as public parameters. Then homomorphic puzzles of this construction are ciphertexts encrypting secrets via the public key. Parties can solve the puzzle for random coins, derive the private key from random coins, and then decrypt puzzles (ciphertexts) using the private key. We remark that the setup is for one-time use, and all secrets are revealed after time T from the setup. Hence, it can only be applied to scenarios where all puzzles are generated simultaneously, and public parameters should be periodically re-initialized. Moreover, we often require a multi-party protocol to perform the setup, which is costly for one-time use and complicated to prevent malicious parties from obtaining public parameters in advance to gain advantages. Alternatively, HLTP schemes in [13] only need one setup of public parameters, and a secret within a puzzle is hidden for time T, starting from the generation of that puzzle.

B B Computational Assumptions

Definition 2

([13]). Let n be a randomly generated strong RSA modulus based on \(\kappa \), g be a generator of \(\mathbb {J}_n\), and \(T(\cdot )\) be a polynomial. The strong sequential squaring assumption is that there exists \(\varepsilon \) with \(0< \varepsilon < 1\), such that for all polynomial-size adversaries \((\mathcal {A}_1, \mathcal {A}_2) = \{(\mathcal {A}_1, \mathcal {A}_2)_{\kappa }\}_{\kappa \in \mathbb {N}}\), where the depth of \(\mathcal {A}_2\) is bounded from above by \(T^{\varepsilon }(\kappa )\), we have

Definition 3

Let n be a randomly generated strong RSA modulus based on \(\kappa \). Then the decisional composite residuosity (DCR) assumption is that for all probabilistic polynomial-time (PPT) adversaries \(\mathcal {A}\), we have

Definition 4

Let n be a randomly generated strong RSA modulus based on \(\kappa \). The strong RSA assumption is that for all PPT adversaries \(\mathcal {A}\), we have

C C Definition of Homomorphic Time-Lock Puzzle Scheme

Definition 5

([13]). Let \(\mathcal {C} = \{\mathcal {C}_{\kappa }\}_{\kappa \in \mathbb {N}}\) be a class of circuits. An HTLP scheme with the solution space \(\mathbb {S}\) with respect to \(\mathcal {C}\) is a tuple of algorithms \((\textsf{Setup}, \textsf{Gen}, \textsf{Solve}, \textsf{Eval})\) defined as follows.

• \(pp \leftarrow \textsf{Setup}(1^\kappa , T)\) a probabilistic algorithm that takes as input the security parameter \(1^\kappa \) and a time hardness parameter T and outputs the public parameter pp.

• \(Z \leftarrow \textsf{Gen}(pp, s)\) a probabilistic algorithm that takes as input pp and a solution \(s \in \mathbb {S}\) and outputs a homomorphic time-lock puzzle Z.

• \(s \,/\perp \leftarrow \textsf{Solve}(pp, Z)\) a deterministic algorithm that takes as input pp and a puzzle Z, and outputs a solution \(s \in \mathbb {S}\) or an error message \(\perp \) indicating that Z is invalid.

• \(Z \leftarrow \textsf{Eval}(pp, C, Z_1, \ldots , Z_N)\) an algorithm that takes as input pp, a circuit \(C \in \mathcal {C}_{\kappa }\), and a set of n puzzles \((Z_1, \ldots , Z_N)\) and outputs a puzzle Z. Note that this algorithm defines the homomorphic operations for the HTLP scheme.

It satisfies the following two properties.

• Correctness. The scheme with respect to \(\mathcal {C}\) is correct if for all polynomials T in \(\kappa \), all \(C \in \mathcal {C}_{\kappa }\) and inputs \((s_1, \ldots , s_N) \in \mathbb {S}^n\), we have

  

• Compactness. The scheme with respect to \(\mathcal {C}\) is compact if for all polynomials T in \(\kappa \), all \(C \in \mathcal {C}_{\kappa }\), and inputs \((s_1, \ldots , s_N) \in \mathbb {S}^n\), when compute \(pp \leftarrow \textsf{Setup}(1^\kappa , T)\), \(Z_i \leftarrow \textsf{Gen}(pp, s_i)\), and \(Z \leftarrow \textsf{Eval}(pp, C, Z_1, \ldots , Z_N)\), the following three properties are satisfied.

  • There exists a fixed polynomial \(p_1\), such that the running time of the algorithm \(\textsf{Solve}(pp, Z)\) is bounded by \(p_1(\kappa , T)\).

  • There exists a fixed polynomial \(p_2\), such that the length of Z is bounded by \(p_2(\kappa , |C(s_1, \ldots , s_N)|)\), where \(|C(s_1, \ldots , s_N)|\) is the number of bits to represent \(C(s_1, \ldots , s_N)\).

  • There exists a fixed polynomial \(p_3\), such that the running time of the algorithm \(\textsf{Eval}(pp, C, Z_1, \ldots , Z_N)\) is bounded by \(p_3(\kappa , |C|)\), where |C| is the size of the circuit C.