Abstract
Time-lock puzzle schemes allow one to encrypt messages for the future. More concretely, one can efficiently generate a time-lock puzzle for a secret/solution s such that s remains hidden until a specified time T has elapsed, even against parallel adversaries. However, since computation on the secrets within multiple puzzles can be performed only once all of these puzzles are solved, the usage of classical time-lock puzzles is greatly limited. Homomorphic time-lock puzzle (HTLP) schemes were thus proposed to allow evaluating functions over puzzles directly, without solving them.
However, although efficient HTLP schemes exist, further improvements are still needed for practicability. In this paper, we improve HTLP schemes to broaden their application scenarios in two respects: applicability and verifiability. In terms of applicability, we design the first multiplicatively HTLP scheme with the solution space over \(\mathbb {Z}_n^*\), which is more expressive than the original one, e.g., for representing integers. Then, to fit HTLP into scenarios requiring verifiability, which existing schemes lack, we propose three simple and fast protocols for both the additively HTLP scheme and our multiplicatively HTLP scheme, respectively. The first two protocols allow a puzzle solver to convince others of the correctness of the solution or of the invalidity of the puzzle, so that others do not need to solve the puzzle themselves. The third protocol allows a puzzle generator to prove the validity of its puzzles. It is shown that a puzzle in our scheme is only 1.25 KB, and one multiplication on puzzles takes only 0.01 ms. Meanwhile, the overhead of each protocol is less than 0.6 KB in communication and 40 ms in computation. Hence, HTLP still demonstrates excellent efficiency in both communication and computation while offering these versatile properties.
Keywords
Public-key cryptography
(Homomorphic) time-lock puzzles
Repeated modular squaring
Zero-knowledge
The full version of this paper is available at https://eprint.iacr.org/2022/585.
Notes
1. In this paper, “secret” and “solution” are the same concept and are used interchangeably.
2. These two proofs can be aggregated; see [21] for more information.
3. The implementation is available at https://github.com/liuyi/HTLP.
References
1. Boneh, D., Bonneau, J., Bünz, B., Fisch, B.: Verifiable delay functions. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 757–788. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_25
2. Boneh, D., Naor, M.: Timed commitments. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 236–254. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_15
3. Brakerski, Z., Döttling, N., Garg, S., Malavolta, G.: Leveraging linear decryption: rate-1 fully-homomorphic encryption and time-lock puzzles. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 407–437. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_16
4. Chvojka, P., Jager, T., Slamanig, D., Striecks, C.: Versatile and sustainable timed-release encryption and sequential time-lock puzzles (extended abstract). In: Bertino, E., Shulman, H., Waidner, M. (eds.) ESORICS 2021. LNCS, vol. 12973, pp. 64–85. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-88428-4_4
5. Damgård, I., Fujisaki, E.: A statistically-hiding integer commitment scheme based on groups with hidden order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 125–142. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_8
6. Dwork, C., Naor, M.: Zaps and their applications. SIAM J. Comput. 36(6), 1513–1543 (2007)
7. Faust, S., Hazay, C., Kretzler, D., Schlosser, B.: Generic compiler for publicly verifiable covert multi-party computation. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 782–811. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_27
8. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
9. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_2
10. Knapp, J., Quaglia, E.A.: Fair and sound secret sharing from homomorphic time-lock puzzles. In: Nguyen, K., Wu, W., Lam, K.-Y., Wang, H. (eds.) ProvSec 2020. LNCS, vol. 12505, pp. 341–360. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-62576-4_17
11. Lin, H., Pass, R., Soni, P.: Two-round and non-interactive concurrent non-malleable commitments from time-lock puzzles. SIAM J. Comput. 49(4) (2020)
12. Lindell, Y.: Parallel coin-tossing and constant-round secure two-party computation. J. Cryptology 16(3), 143–184 (2003)
13. Malavolta, G., Thyagarajan, S.A.K.: Homomorphic time-lock puzzles and applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 620–649. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_22
14. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16
15. OpenSSL Project: OpenSSL. https://www.openssl.org/
16. Rivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto. Technical report, Massachusetts Institute of Technology, USA (1996)
17. Scholl, P., Simkin, M., Siniscalchi, L.: Multiparty computation with covert security and public verifiability. IACR Cryptol. ePrint Arch. 2021, 366 (2021). https://eprint.iacr.org/2021/366
18. Shoup, V.: NTL: a library for doing number theory. http://www.shoup.net/ntl
19. Shoup, V.: Practical threshold signatures. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 207–220. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_15
20. Thyagarajan, S.A.K., Bhat, A., Malavolta, G., Döttling, N., Kate, A., Schröder, D.: Verifiable timed signatures made practical. In: Ligatti, J., Ou, X., Katz, J., Vigna, G. (eds.) CCS 2020: 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event, USA, November 9–13, 2020, pp. 1733–1750. ACM (2020)
21. Wesolowski, B.: Efficient verifiable delay functions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 379–407. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_13
Acknowledgments
We thank the reviewers and the shepherd Steve Schneider for their detailed and helpful comments. Y. Liu and Q. Wang were partially supported by the Shenzhen fundamental research programs under Grant no. 20200925154814002 and the Guangdong Provincial Key Laboratory (Grant No. 2020B121201001). Y. Liu and S.M. Yiu were partially supported by the theme-based research project (T35-710/20-R) and the HKU-SCF FinTech Academy.
Appendices
A Related Work
Besides the two partially HTLP schemes, a fully HTLP scheme based on indistinguishability obfuscation was proposed in [13], and another one based on fully homomorphic encryption was given in [3]. Both rely on costly primitives and are mostly of theoretical interest at present.
Very recently, a generic construction of HTLP schemes was proposed in [4]. This construction uses existing classical time-lock puzzle schemes and homomorphic encryption schemes in a black-box manner. Its setup algorithm generates a key pair of the homomorphic encryption scheme together with a time-lock puzzle for the random coins used in the key generation, and outputs the public key and the puzzle as public parameters. Homomorphic puzzles in this construction are then ciphertexts encrypting secrets under the public key. Parties can solve the puzzle to obtain the random coins, derive the private key from them, and then decrypt the puzzles (ciphertexts) with the private key. We remark that the setup is for one-time use, and all secrets are revealed after time T counted from the setup. Hence, it can only be applied in scenarios where all puzzles are generated simultaneously, and the public parameters have to be re-initialized periodically. Moreover, a multi-party protocol is often required to perform the setup, which is costly for one-time use and complicated by the need to prevent malicious parties from obtaining the public parameters in advance to gain an advantage. In contrast, the HTLP schemes in [13] need only one setup of public parameters, and a secret within a puzzle is hidden for time T starting from the generation of that puzzle.
B Computational Assumptions
Definition 2
([13]). Let n be a randomly generated strong RSA modulus based on \(\kappa \), g be a generator of \(\mathbb {J}_n\), and \(T(\cdot )\) be a polynomial. The strong sequential squaring assumption is that there exists \(\varepsilon \) with \(0< \varepsilon < 1\) such that for all polynomial-size adversaries \((\mathcal {A}_1, \mathcal {A}_2) = \{(\mathcal {A}_1, \mathcal {A}_2)_{\kappa }\}_{\kappa \in \mathbb {N}}\), where the depth of \(\mathcal {A}_2\) is bounded from above by \(T^{\varepsilon }(\kappa )\), we have
Definition 3
Let n be a randomly generated strong RSA modulus based on \(\kappa \). The decisional composite residuosity (DCR) assumption is that for all probabilistic polynomial-time (PPT) adversaries \(\mathcal {A}\), we have
Definition 4
Let n be a randomly generated strong RSA modulus based on \(\kappa \). The strong RSA assumption is that for all PPT adversaries \(\mathcal {A}\), we have
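The operation at the heart of Definition 2, u ↦ u^(2^T) mod n by T sequential squarings, is also what the solver-side protocols in the abstract have to vouch for: a solver who spent T squarings wants others to accept the result w without repeating the work. The paper's own protocols are given in the full version and are not reproduced here. As an added example (not the paper's code, and not the authors' protocol), the block below shows a closely related standard technique, a Wesolowski-style proof of exponentiation [21] made non-interactive with a hash-derived prime challenge. The toy modulus, the 64-bit challenge prime, and all function names are this example's own choices and carry no security.

```python
"""Proof of exponentiation for sequential squaring in the style of Wesolowski [21]:
a solver who computed w = u^(2^T) mod n convinces a verifier without the verifier
redoing the T squarings.  Added illustration with constructed toy parameters;
this is not the protocol of the paper being discussed."""
import hashlib

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
TOY_N = 1000000007 * 998244353   # constructed toy modulus; its factors are public here


def is_probable_prime(m):
    """Miller-Rabin with the first 12 prime bases: deterministic below ~3.3e24,
    which covers the 64-bit challenge primes used in this toy."""
    if m < 2:
        return False
    for sp in SMALL_PRIMES:
        if m % sp == 0:
            return m == sp
    d, s = m - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = x * x % m
            if x == m - 1:
                break
        else:
            return False
    return True


def hash_to_prime(n, u, w, T, bits=64):
    """Fiat-Shamir challenge: derive the prime l from the statement (n, u, w, T)."""
    digest = hashlib.sha256(f"{n}|{u}|{w}|{T}".encode()).digest()
    l = (int.from_bytes(digest, "big") >> (256 - bits)) | 1   # odd candidate
    while not is_probable_prime(l):
        l += 2
    return l


def sequential_square(x, T, n):
    """x^(2^T) mod n by T inherently sequential squarings (Definition 2)."""
    for _ in range(T):
        x = x * x % n
    return x


def poe_prove(n, u, T, w):
    """Prover: pi = u^floor(2^T / l) mod n.  Wesolowski's long division keeps the
    invariant r = 2^i mod l, pi = u^floor(2^i / l), so 2^T is never materialised
    and the proof costs O(T) group operations."""
    l = hash_to_prime(n, u, w, T)
    pi, r = 1, 1
    for _ in range(T):
        b, r = divmod(2 * r, l)           # b in {0, 1} is the next quotient bit
        pi = pi * pi % n * pow(u, b, n) % n
    return pi


def poe_verify(n, u, T, w, pi):
    """Verifier: O(log T) work instead of T squarings.  Since 2^T = q*l + r,
    u^(2^T) = (u^q)^l * u^r.  Soundness in a group of unknown order rests on the
    adaptive root assumption [21]."""
    l = hash_to_prime(n, u, w, T)
    r = pow(2, T, l)
    return pow(pi, l, n) * pow(u, r, n) % n == w % n


def solve_and_prove(n, u, T):
    """Solver: do the T squarings once, then attach a proof others check cheaply."""
    w = sequential_square(u, T, n)
    return w, poe_prove(n, u, T, w)


def check_roundtrip(n, u, T):
    """Returns (honest proof accepted, proof accepted for a tampered w)."""
    w, pi = solve_and_prove(n, u, T)
    return poe_verify(n, u, T, w, pi), poe_verify(n, u, T, (w + 1) % n, pi)


if __name__ == "__main__":
    print(check_roundtrip(TOY_N, 123456789, 2**12))   # (True, False)
```

Binding the challenge prime to (n, u, w, T) is what makes the proof non-interactive: a solver who changes w after the fact gets a different l, so a proof computed for the honest statement no longer satisfies the verification equation.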
C Definition of Homomorphic Time-Lock Puzzle Scheme
Definition 5
([13]). Let \(\mathcal {C} = \{\mathcal {C}_{\kappa }\}_{\kappa \in \mathbb {N}}\) be a class of circuits. An HTLP scheme with the solution space \(\mathbb {S}\) with respect to \(\mathcal {C}\) is a tuple of algorithms \((\textsf{Setup}, \textsf{Gen}, \textsf{Solve}, \textsf{Eval})\) defined as follows.

\(pp \leftarrow \textsf{Setup}(1^\kappa , T)\) a probabilistic algorithm that takes as input the security parameter \(1^\kappa \) and a time hardness parameter T and outputs the public parameter pp.

\(Z \leftarrow \textsf{Gen}(pp, s)\) a probabilistic algorithm that takes as input pp and a solution \(s \in \mathbb {S}\) and outputs a homomorphic timelock puzzle Z.

\(s \,/\perp \leftarrow \textsf{Solve}(pp, Z)\) a deterministic algorithm that takes as input pp and a puzzle Z, and outputs a solution \(s \in \mathbb {S}\) or an error message \(\perp \) indicating that Z is invalid.

\(Z \leftarrow \textsf{Eval}(pp, C, Z_1, \ldots , Z_N)\) an algorithm that takes as input pp, a circuit \(C \in \mathcal {C}_{\kappa }\), and a set of N puzzles \((Z_1, \ldots , Z_N)\) and outputs a puzzle Z. Note that this algorithm defines the homomorphic operations of the HTLP scheme.
It satisfies the following two properties.

Correctness. The scheme with respect to \(\mathcal {C}\) is correct if for all polynomials T in \(\kappa \), all \(C \in \mathcal {C}_{\kappa }\), and all inputs \((s_1, \ldots , s_N) \in \mathbb {S}^N\), we have

Compactness. The scheme with respect to \(\mathcal {C}\) is compact if for all polynomials T in \(\kappa \), all \(C \in \mathcal {C}_{\kappa }\), and all inputs \((s_1, \ldots , s_N) \in \mathbb {S}^N\), when computing \(pp \leftarrow \textsf{Setup}(1^\kappa , T)\), \(Z_i \leftarrow \textsf{Gen}(pp, s_i)\), and \(Z \leftarrow \textsf{Eval}(pp, C, Z_1, \ldots , Z_N)\), the following three properties are satisfied.

There exists a fixed polynomial \(p_1\), such that the running time of the algorithm \(\textsf{Solve}(pp, Z)\) is bounded by \(p_1(\kappa , T)\).

There exists a fixed polynomial \(p_2\), such that the length of Z is bounded by \(p_2(\kappa , |C(s_1, \ldots , s_N)|)\), where \(|C(s_1, \ldots , s_N)|\) is the number of bits needed to represent \(C(s_1, \ldots , s_N)\).

There exists a fixed polynomial \(p_3\), such that the running time of the algorithm \(\textsf{Eval}(pp, C, Z_1, \ldots , Z_N)\) is bounded by \(p_3(\kappa , |C|)\), where \(|C|\) is the size of the circuit C.
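As an added illustration of Definition 5 (this is example code, not code from the paper or from the authors' repository), the following Python module implements the additively homomorphic time-lock puzzle of Malavolta and Thyagarajan [13] that the paper builds on: Setup publishes (T, n, g, h) with h = g^(2^T) mod n, Gen hides s in a Paillier-style component modulo n², Solve performs the T sequential squarings of Definition 2, and Eval adds solutions (and multiplies them by public constants) by operating on the puzzles alone. The primes are constructed toy values rather than strong RSA primes, so the parameters carry no security; the function names and the dictionary layout of pp are this example's own.

```python
"""Toy linearly homomorphic time-lock puzzle in the style of Malavolta and
Thyagarajan [13]: Setup/Gen/Solve/Eval as in Definition 5, with Solve performing
the T sequential squarings of Definition 2.  Constructed toy parameters only:
the primes are small and are not strong primes."""
import secrets

# Constructed toy primes (NOT strong primes, NOT a secure size).
TOY_P = 1000000007
TOY_Q = 998244353


def htlp_setup(T, p=TOY_P, q=TOY_Q):
    """Setup(1^kappa, T): pp = (T, n, g, h) with h = g^(2^T) mod n.
    The generator knows phi(n), so it reduces the exponent modulo phi(n) instead
    of squaring T times; a solver without phi(n) must perform the T squarings."""
    n = p * q
    phi = (p - 1) * (q - 1)
    g_tilde = secrets.randbelow(n - 2) + 2
    g = n - pow(g_tilde, 2, n)            # -g~^2 mod n, as sampled in [13]
    h = pow(g, pow(2, T, phi), n)         # trapdoor shortcut: g^(2^T mod phi(n))
    return {"T": T, "n": n, "g": g, "h": h}


def htlp_gen(pp, s):
    """Gen(pp, s): Z = (u, v) = (g^r mod n, h^(r*n) * (1+n)^s mod n^2)."""
    n, n2 = pp["n"], pp["n"] ** 2
    assert 0 <= s < n, "solution must lie in Z_n"
    r = secrets.randbelow(n2)
    u = pow(pp["g"], r, n)
    v = pow(pp["h"], r * n, n2) * pow(1 + n, s, n2) % n2
    return (u, v)


def sequential_square(x, T, n):
    """x^(2^T) mod n by T inherently sequential squarings (Definition 2)."""
    for _ in range(T):
        x = x * x % n
    return x


def htlp_solve(pp, Z):
    """Solve(pp, Z): w = u^(2^T) mod n equals h^r mod n; because x == y (mod n)
    implies x^n == y^n (mod n^2), w^n mod n^2 recovers the mask h^(rn), and
    v * w^(-n) = (1+n)^s = 1 + s*n (mod n^2).  Returns None as the error symbol."""
    n, n2 = pp["n"], pp["n"] ** 2
    u, v = Z
    w = sequential_square(u, pp["T"], n)
    masked = v * pow(pow(w, n, n2), -1, n2) % n2
    if (masked - 1) % n != 0:
        return None                       # malformed puzzle: no s in Z_n fits
    return (masked - 1) // n


def htlp_eval_add(pp, *puzzles):
    """Eval for C(s_1, ..., s_N) = sum_i s_i mod n: multiply componentwise.
    The randomness adds up as well, so the output is a puzzle of the same size."""
    n, n2 = pp["n"], pp["n"] ** 2
    u, v = 1, 1
    for ui, vi in puzzles:
        u = u * ui % n
        v = v * vi % n2
    return (u, v)


def htlp_eval_scale(pp, Z, c):
    """Eval for C(s) = c*s mod n with a public constant c: raise both parts to c."""
    n, n2 = pp["n"], pp["n"] ** 2
    u, v = Z
    return (pow(u, c, n), pow(v, c, n2))


def linear_via_puzzles(T, solutions, weights=None, p=TOY_P, q=TOY_Q):
    """End-to-end: Setup, Gen each s_i, Eval sum_i c_i*s_i on the puzzles, then
    Solve the single evaluated puzzle."""
    pp = htlp_setup(T, p, q)
    weights = weights or [1] * len(solutions)
    terms = [htlp_eval_scale(pp, htlp_gen(pp, s), c) for s, c in zip(solutions, weights)]
    return htlp_solve(pp, htlp_eval_add(pp, *terms))


if __name__ == "__main__":
    # 3*5 + 2*7 = 29, obtained with one Solve on the evaluated puzzle.
    print(linear_via_puzzles(2**12, [5, 7], [3, 2]))   # 29
```

Two things to observe when running it: Solve is invoked once on the evaluated puzzle rather than once per input, which is what lets a party compute on secrets before time T has elapsed, and Setup avoids the T squarings entirely because it knows φ(n), which is why the sequential work falls only on solvers.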

Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Liu, Y., Wang, Q., Yiu, S.M. (2022). Towards Practical Homomorphic Time-Lock Puzzles: Applicability and Verifiability. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. Lecture Notes in Computer Science, vol 13554. Springer, Cham. https://doi.org/10.1007/978-3-031-17140-6_21
DOI: https://doi.org/10.1007/978-3-031-17140-6_21
Publisher Name: Springer, Cham
Print ISBN: 9783031171390
Online ISBN: 9783031171406