How to build time-lock encryption

Time-lock encryption is a method to encrypt a message such that it can only be decrypted after a certain deadline has passed. We propose a novel time-lock encryption scheme, whose main advantage over prior constructions is that even receivers with relatively weak computational resources should immediately be able to decrypt after the deadline, without any interaction with the sender, other receivers, or a trusted third party. We build our time-lock encryption on top of the new concept of computational reference clocks and an extractable witness encryption scheme. We explain how to construct a computational reference clock based on Bitcoin. We show how to achieve constant level of multilinearity for witness encryption by using SNARKs. We propose a new construction of a witness encryption scheme which is of independent interest: our scheme, based on Subset-Sum, achieves extractable security without relying on obfuscation. The scheme employs multilinear maps of arbitrary order and is independent of the implementations of multilinear maps.


Introduction
Alice has a document that she wants to make public in, say, a couple of days, but she is not willing to hand it out to anybody before this deadline. Therefore she puts the document into a box and attaches a "time-lock". The lock keeps the box securely sealed, and thus the document stays confidential, for the determined period of time. It will unlock automatically when the deadline has passed, which makes it possible for everyone to access the document easily, without any further interaction with Alice. Time-lock encryption is a digital equivalent of such time-locked boxes. It allows to encrypt data for a period of time, up to a certain deadline, such that even a computationally powerful adversary is not able to learn any nontrivial information about the data before the deadline. However, when the time is over, even parties with relatively weak computational resources should immediately be able to decrypt easily. Essentially, time-lock encryption allows to send a message "into the future". The key novelty of time-lock encryption is that it achieves the following properties simultaneously: (1) Non-interactive The sender Alice is not required to be available for decryption. (2) No trusted setup Time-lock encryption does not rely on trusted third parties. Thus, the sender is not required to trust any (set of) third parties to keep decryption keys (or shares of decryption keys) secret until the deadline has passed. (3) No resource restrictions Parties interested in decrypting a ciphertext are not forced to perform expensive computations until decryption succeeds. This means that a party which simply waits till the decryption deadline has passed will be able to decrypt the ciphertext at about the same time as another party who attempts to decrypt the ciphertext earlier by performing a large (but reasonably bounded) number of computations. Thus, all reasonably bounded parties will be able to decrypt a ciphertext at essentially the same time, regardless of their computational resources.
These features are achieved simultaneously which makes time-lock encryption a fascinating primitive, which enables applications that seem impossible to achieve with classical encryption schemes.
Efficient decryption without trusted third parties Time-lock encryption is related to timedrelease encryption, investigated by Rivest et al. [66]. However, timed-release encryption has some drawbacks. One line of research [15,17,27,66] realizes timed-release encryption by assuming a trusted third party (TTP), which reveals decryption keys at the right time. Therefore security relies crucially on the assumption that the TTP is trustworthy. In particular, it must not use its ability to allow decryption of ciphertexts earlier than desired by the sender in any malicious way, for instance by revealing a decryption key before the deadline. The other line of research [17,66,69] considers constructions that require the receiver of a ciphertext to perform a feasible, but computationally expensive search for a decryption key. This puts a considerable computational overhead on the receiver. It is particularly challenging when the ciphertext is made public and there are many different receivers, some of whom may be unknown to the sender. It seems impossible to encrypt with any known timed-release encryption scheme in a way, such that all receivers are able to decrypt at the same time, unless one relies on trusted third parties, or tight synchronicity. We think it an interesting theoretical question in its own to ask if it is possible to avoid this.

Contributions
We introduce a new primitive called computational reference clocks as an extension of the standard computational model, which provide a novel and very realistic method to "emulate" real-world time in a computational model. We show that the widely-used cryptocurrency Bitcoin provides a practical example of such a reference clock, which shows that the assumption that these objects exist in practice is reasonable.
As a first application of this extended computational model, we construct time-lock encryption schemes, a primitive which exhibits many interesting features that are impossible to achieve in a plain standard computational model. We give a proof-of-concept construction of encryption schemes, where a sender is able to encrypt a ciphertext, such that not even a computationally powerful (but reasonably bounded) adversary is able to learn any non-trivial information about the message before the deadline. Once the deadline has passed, even receivers with relatively limited computational resources are immediately able to decrypt. Decryption is non-interactive, in the sense that there is no communication between the sender and receivers except for the initial, unidirectional transmission of the ciphertext, or among receivers. We call encryption schemes with these properties time-lock encryption schemes.
Our time-lock encryption scheme is built on top of the computational reference clock and a generic witness encryption (WE) scheme that is extractable. We propose a new witness encryption scheme, which achieves extractable security without using obfuscation and which is more efficient than previously known schemes. The size of the ciphertext and running time for encryption and decryption of witness encryption is linear in terms of the size of witness. Usually the linear complexity is very natural and efficient. Unfortunately, this is not good enough for witness encryption because all the instantiations of witness encryption are based on multilinear maps [18]. The current instantiations of multilinear maps [31,32,40,54] are not yet practical regardless of recent lines of attacks. To mitigate this issue, we use SNARKs [12][13][14]44,49,55,56,62] to reduce the complexity of our time-lock encryption. We show that using SNARKs can achieve short ciphertext on witness encryption and constant multilinearity level regardless of the instance and witness.

Time-lock encryption
Computational reference clocks A first challenge in constructing time-lock encryption is to find a reasonable equivalent of real-world time in a computational model. Real-world time is usually determined by some physical reference, like the current state of atomic reference clocks. We do not see any reasonable way to mimic this notion of time in a computational model without trusted third parties.
Our main idea is to use the current state of an iterative, public computation as what we call a computational reference clock. The abstract notion of computational reference clocks stems from the concrete idea of using the popular digital cryptocurrency Bitcoin [61] as a reference clock. To clarify what we mean by this, consider the following concrete example. The Bitcoin system performs an iterative, very large-scale, public computation, where so-called miners are contributing significant computational resources to the gradual extension of the Bitcoin block chain. Essentially, this block chain consists of a sequence of hash values B 1 , . . . , B τ that satisfy certain conditions. 1 These conditions determine the difficulty of finding new blocks in the chain. The Bitcoin system adjusts the difficulty, depending on the computational resources currently contributing to the Bitcoin network, such that about every 10 minutes a new block B τ +1 is appended to the chain. Thus, the block chain can serve as a reference clock, where the current length τ of the chain tells the current "time", and there are about 10 minutes between each "clock tick".
A witness encryption scheme is associated with an NP-relation R (cf. Definition 1). For (x, w) ∈ R we say that x is a "statement" and w is a "witness". A witness encryption scheme for relation R allows to encrypt a message m with respect to statement x as c $ ← WE.Enc(x, m). Any witness w which satisfies (x, w) ∈ R can be used to decrypt this ciphertext c as m = WE.Dec(c, w). Intuitively, one may think of a statement x as a "public key", such that any witness w with (x, w) ∈ R can be used as a corresponding "secret key".
A secure witness encryption scheme essentially guarantees that no adversary is able to learn any non-trivial information about a message encrypted for statement x, unless it already "knows" a witness w for (x, w) ∈ R. Witness encryption schemes with this property are called extractable [7,21,48]. The notion of extractable security was first proposed in [48], along with a candidate construction, but there are no known constructions with a mathematical proof of extractable security. Zhandry constructs an extractable witness PRF in [71], but extractability is directly assumed. To the best of our knowledge, existing WE schemes [43,46,48,71] do not have efficient extraction methods (since extractors for these schemes appear to be superpolynomial). An exception is the scheme of Bellare and Hoang [8] which defers the issue of extractability to its underlying obfuscation scheme.

Construction of time-lock encryption
The key idea behind our construction of time-lock encryption is to combine a computational reference clock with witness encryption. For this introduction, let us consider time-lock encryption based on Bitcoin as one specific instantiation of a reference clock (we will consider more general constructions in the body of the paper). We define an NP-relation R such that (1) For x ∈ N, statements have the form 1 x , that is, x in unary representation.
(2) Any valid Bitcoin block chain w = (B 1 , . . . , B x ) of length at least x is a witness for Let (WE.Enc, WE.Dec) be a witness encryption scheme for this particular relation R. Suppose the current state of the Bitcoin blockchain is B 1 , . . . , B τ . Then the block chain contains a witness w for (1 x , w) ∈ R for all x ≤ τ . The Bitcoin blockchain is public. Therefore everybody is immediately able to decrypt any ciphertext c $ ← WE.Enc(1 x , m) with x ≤ τ , by using the witness from the public block chain as the "decryption key".
It is worth pointing out that the reference clock does not have to start with the genesis block of Bitcoin. We can set the clock's initial state w 0 to be the latest block and ignore older parts of the blockchain. In addition, the witness does not have to include all transaction data of the blockchain, as the hash chain of the block headers is sufficient for decryption. A block header is an 80-byte digest for each block. Our model can be viewed as a pruned and simplified version of the blockchain.
Security of this construction Let c = WE.Enc(1 x , m) be a ciphertext with x > τ. Under the assumption that the witness encryption scheme is secure, we will show that an adversary has only two possibilities to learn any non-trivial information about m.
(1) The adversary waits until the public Bitcoin block chain has reached length x. Then the chain contains a witness w for (1 x , w) ∈ R, which immediately allows to decrypt. However, note that then not only the adversary, but also everybody else is able to decrypt, by reading w from the public Bitcoin block chain and computing m = WE.Dec(c, w). Speaking figuratively, "the time-lock has opened". (2) The adversary tries to "put forward" the computational reference clock provided by the Bitcoin block chain, by computing the missing blocks B τ +1 , . . . , B x of the chain secretly on its own, faster than the public computation performed by the collection of all Bitcoin miners. Note that this means that the adversary would have to outperform the huge computational resources gathered in Bitcoin, which currently (August 2017) perform more than 6.6 × 10 18 ≈ 2 62 hash computations per second. Assuming that no adversary is able to perform this large amount of computation to learn the encrypted message earlier, the scheme is secure. A particularly interesting case is when the value of learning the message earlier than others is below the value of the computations an adversary would have to perform. For instance, in our Bitcoin-based instantiation, an adversary would earn Bitcoin for contributing its resources to the network. Then security is provided simply by the fact that there is no incentive for the adversary to attack the time-lock encryption.
The above description is slightly simplified. The actual Bitcoin block chain (described in Sect. 5.1) and our construction (in Sect. 5.3) are more complex, but the underlying principle is the same. In particular, we will have to describe slightly more complex relations, because of the variable difficulty parameter in Bitcoin.
We stress that we do not have to put any form of trust in Bitcoin miners. The intermediate states of their computations can be completely public, and they do not have to store any secrets.
Using SNARKs to reduce multilinearity level for witness encryption The size of the ciphertext and the running time for encryption and decryption is linear in terms of the size of witness. Usually the linear complexity is very natural and efficient. Unfortunately, this is not good enough for witness encryption because all the instantiations of witness encryption are based on multilinear maps [18]. The research on multilinear maps is still in its infancy [31,32,40,54] and is not yet practical regardless of recent lines of attacks. Most importantly, the existing implementations for multilinear maps are not compact, that is, the size of the group elements is polynomial in the multilinearity level (i.e., the maximum number of pairings). The multilinearity level is polynomial in the length of the witness. To mitigate this issue, we propose our second construction of time-lock encryption by using SNARKs [12][13][14]44,49,55,56,62] together with witness encryption. Instead of directly encrypting with an instance x in witness encryption, the idea is to encrypt with SNARKs verification procedure for the statement (x, w) ∈ R. This idea of using SNARKs to gain efficiency is not new [48,71]. However, we show that using SNARKs can achieve constant multilinearity level regardless of the instance and witness, rather than the previous linear complexity in [48,71].

Extractable witness encryption
Construction of extractable witness encryption We propose a new extractable witness encryption scheme based on a special Subset-Sum (described below). To encrypt with any NP language, we present a reduction from the NP-complete CNF-SAT to our special Subset-Sum problem. We prove the extractable security of this construction in the Idealised Graded Encoding Model [4,22,72]. To the best of our knowledge, this is the first construction of witness encryption to achieve extractable security, without the use of obfuscation.
We use a variant of multilinear maps where the groups are indexed by the integer vectors [4,19,40,72], which allows us to efficiently encode an instance of the special Subset-Sum problem. Suppose a u-linear map on groups {G w } w with w ≤ u (component-wise comparison). The pairing operation e w,w maps G w × G w into G w+w with w + w ≤ u by computing e w,w g a w , g b w = g ab w+w . The special Subset-Sum problem is: given a multi-set of positive integer vectors Δ = {(v i : i )} i∈I where (v i : i ) means v i occurs i times in the multiset and a target sum-vector s such that ( i +1)v i ≤ s and v i are pairwise-distinct, to decide whether there exists a subset of Δ that can sum up to s. The side condition ( i + 1)v i ≤ s is to guarantee the encoding of each integer vector v i can only be used for at most i times, in order to keep consistency between the encoding of the Subset-Sum and the original Subset-Sum problem. In multilinear maps, the vectors in Δ = {(v i : i )} i∈I are encoded as g α v i v i i∈I and the target vector is encoded as g α s s . Suppose the subset-sum exists, that is i∈I b i v i = s with b i positive integers and b i ≤ i . Then we compute the encoding of the target sum as below In this way, each vector v i only needs to be encoded once and the multiplication of the same encoding is in logarithm time which gains efficiency. To encrypt with any NP language, we present a reduction from CNF-SAT to our special Subset-Sum problem. We prove that our encoding achieves extractability in the generic model of multilinear maps. The main technical detail is to construct an efficient extractor to extract a witness from the adversary's group operations. Constructing a witness extractor for the existing witness encryption schemes [43,48,71] appears to be super-polynomial because of the expansion of adversary's query-polynomial. Soundness security [43] is a special case of the extractable security; for sanity of this work, we also give full discussion about the soundness security of our scheme in Appendix G.
Interestingly extractable witness encryption with arbitrary auxiliary inputs might be unattainable [42]. A simple counter example is the following: suppose the sampler has (x, w) ∈ R, then the sampler obfuscates the decryption algorithm of witness encryption z = O(WE.Dec(w, ·)) and gives z to the adversary; the adversary can decrypt WE.Enc(x, m) by using the backdoor z and does not have to know w.
To circumvent this issue, we define extractable security in an oracle model. The oracle is used to model the Bitcoin blockchain. The extractability is possible to achieve for most of the non-artificial oracles. In particular, when the oracle is instantiated with a decentralised cryptocurrency such as Bitcoin, this kind of backdoor is unlikely to exist since it is believed that no one can have a witness w in advance for each instance x.
Efficiency comparison Assume a CNF formula has n variables and k clauses, and m literals. The ciphertext size of our witness encryption scheme is 2n + 2k + 1 group elements. The evaluation time is n + O klog m 2k . The multilinearity level is n + m − k and can be optimised to n + O klog m 2k . The efficiency of encoding CNF-SAT in [43] depends on the reduction which is unspecified in [43]. As far as we know, the best reductions from CNF-SAT to Exact-Cover is CNF-SAT → 3-CNF-SAT → Exact-Cover (The details of the second reduction can be found in Appendix H). However, the reduction from CNF-SAT to 3-CNF-SAT increases the number of variables and clauses by the size of the original CNF formula, that is n = O(m) and k = O(m) while m is n · k in the worst case. The reduction from 3-CNF-SAT to Exact-Cover generates an instance of size 2n + 7k + 1. Hence the encoding produces O(m) group elements and the evaluation time and multilinearity level are also O(m) with m = n · k in the worst case. There are three instantiations of witness encryption for CNF formulas in [46]. Two of them are specific to the composite order multilinear groups. The prime-order groups are usually more natural and result in simpler security assumptions. The conversion from composite-order construction to prime-order multilinear groups (or more generally, groups of arbitrary order) is very expensive [46] and results in a ciphertext of O(n 5 k 2 ) group elements.
A direct encoding for Subset-Sum is given in [71] which encodes every integer vector in a different group. As a result, the encoding of the CNF formula is of the size of n + m − k group elements which is O(n · k) in the worst case. The multilinearity level and the evaluation time are both n + m − k. In comparison, our encoding for Subset-Sum only encodes the same integer vector once which results in 2n + 2k + 1 group elements. Although subgroups of multilinear maps used in [71] are indexed by numbers G 1 , . . . , G n , they have to be instantiated with integer vectors (Sect. 7 in [71]). In fact, subgroups indexed by integer vectors or integers do not affect the size of the group in the current instantiations of multilinear maps [31,32,40,54]. Our witness encryption scheme has the same level of mulitilinearity as [71], i.e., n + m − k, but we can further optimise this as stated above. Another main difference of our witness encryption scheme and the one in [71] is that we prove our scheme is extractable while [71] simply assumes its scheme is extractable.

Related work and further applications of time-lock encryption
Timed-release encryption was introduced by Rivest et al. [66] and considered in many followup works, including [15,23,27,69]. Our approach is fundamentally different from theirs. In particular, we neither need trusted third parties, nor have a considerable computational overhead for decryption. Time-lock puzzles and proofs of (sequential) work [24,29,34,35,58,59,65,66] are computational problems that can not be solved without running a computer continuously for a certain time. In a sense, our computational reference clocks can be seen as algorithms that continuously and publicly solve publicly verifiable [59] instances of an infinite sequence of time-lock puzzles. Essentially, we show how this computational effort, performed independently of any time-lock encryption scheme, can be "reused" to construct time-lock encryption with efficient decryption.
Time-lock encryption can be used to construct the first timed commitment scheme in the sense of Boneh and Naor [17] that does not require an inefficient forced opening. A clever idea to use Bitcoin deposits to facilitate fairness in multiparty computation was presented by Andrychowicz et al. [1,1,2]. Very recently, Azar et al. [3] construct "timed-delay" multi-party computation (MPC) protocols, where participating parties obtain the result of the computation only after a certain time, possibly some parties earlier than others. This is similar to the timedrelease schemes of [17,66,69], in particular it inherits the drawback of inefficient decryption and the assumption that all parties are able to solve the puzzles in about the same time.
Garay et al. [39] analyze the Bitcoin "backbone" protocol, and show how to realize Byzantine agreement on top of this protocol in a synchronous network. Pass et al. [64] formalises the blockchain consensus mechanism in an asynchronous network. Another recent work, which shows how to construct useful cryptographic primitives under the assumption that no adversary is able to outperform the huge computational resources of the collection of all Bitcoin miners, is due to Katz et al. [53], who show how to obtain secure computation and so-called pseudonymous authenticated communication from time-lock puzzles.
Formal computational models capturing "real-world time" were described for instance by Cathalo et al. [23], who gave a security model for timed-release encryption with a "time oracle" that sequentially releases specific information, and recently by Schwenk [67], who described a security model for time-based key exchange protocols. Both works [23,67] may assume that the party implementing the clock is honest. In contrast, we will have to deal with adversaries that may want to "put the clock forward", therefore we need to model the computational hardness of doing so in our setting.

Independent work
The idea of combining Bitcoin with witness encryption to construct timelock encryption was described independently in [51,57]. This paper is a merged version of these works. In March 2015, Andrew Miller sketched the basic idea of combining witness encryption with Bitcoin to get time-lock encryption in a public chat room [60]. The drafts of both [51,57] have been done before the end of 2014 and are independent of [60].

Preliminaries
Definition 1 Let R be a relation. We say that R is an NP-relation, if there exists a deterministic polynomial-time (in |x|) algorithm that, on input (x, w), outputs 1 if and only if (x, w) ∈ R.

Witness encryption
Syntax Witness encryption was originally proposed by Garg et al. [43]. It provides a means to encrypt to an instance, x, of an NP language and to decrypt by a witness w that x is in the language.
Definition 2 (Witness encryption (WE) [43]) A witness encryption scheme for an NP relation R consists of the following two polynomial-time algorithms: -WE.Enc 1 λ , x, m is an encryption algorithm that takes as input a security parameter 1 λ , an unbounded-length string x, and a message m ∈ M, and outputs a ciphertext c. -WE.Dec(c, w) is a decryption algorithm that takes as input a ciphertext c and a bit-vector w, and outputs a message m or the symbol ⊥. -Correctness. For any (x, w) ∈ R, we have that Security A strong security notion for witness encryption is called extractable security which is originally proposed in [48]. The extractability says that when the adversary can distinguish two ciphertext encrypting different messages by using the same instance, then it must know a witness of the instance. Below we give a variant of extractable security in an oracle model. Intuitively, the oracle models the Bitcoin blockchain and will be instantiated with a computational reference clock defined in the next Sect. 3 when modelling our time-lock encryption. The extractability is possible to achieve for most of the non-artificial oracles. We will show that this definition is sufficient for our application of time-lock encryption. In Sect. 6, we propose a novel witness encryption scheme and we prove our new scheme achieves this form of extractable security.
that performs at most t operations and queries the oracle for at most q times, there exists an extractor E that performs at most t operations and queries the oracle for at most q times, such that for all x ∈ {0, 1} * , the following holds: The above definition states that if an adversary that runs in time t and queries the oracle for at most q times can break the encryption scheme with probability more than ε, then there exists an extractor E that runs in time t and extracts a witness with probability more than ε . In the above definition, we give the adversary access to an oracle O. We do not yet specify what the oracle does. In the next section, we shall prove the extractable security w.r.t. an oracle in the generic model of multilinear maps. This is due to the fact that we have our proof in an idealised model, which allows us to circumvent the impossibility result [42].
on input a verification key vk, an input x, and a proof π, the verifier outputs b = 1 if he is convinced that (x, w) ∈ R.
A SNARK satisfies the following properties.
-Completeness For every security parameter λ, any instance x and its witness w such that (x, w) ∈ R, the hones prover can convince the verifier: -Succinctness An honestly-generated proof π has O λ (1) bits and SNARK.Verify runs in time O λ (|x|) -Proof of knowledge If the verifier accepts a proof output by a bounded prover, then the prover "knows" a witness for the given instance. Similarly as above, we consider the security definition in an oracle model. We say a SNARK is (t, t , q, q , ε, ε )-secure w.r.t. an oracle O if for every adversary A that performs at most t operations and queries the oracle for at most q times, there exists an extractor E that performs at most t operations and queries the oracle for at most q times, such that for all x ∈ {0, 1} * , the following holds:

Definitions of time-lock encryption
In this section we will formally define secure time-lock encryption, computational reference clocks, and their associated relations.
On formally defining time-lock encryption Defining security of time-lock encryption schemes will require a slightly more fine-grained notion of "computational hardness" than most other cryptographic primitives. We will consider two Turing machines A and C, which both attempt to solve the same super-polynomial-time computational problem. Although the computational problem is super-polynomial, its instances we consider are with a relatively small difficulty parameter which makes the problem solvable within a reasonable and practical time. We will assume that C has access to significantly more computational resources than A, such that it is infeasible for A to solve the problem faster than C. Clearly, modeling both A and C simply as polynomial-time algorithms is not useful here. We will overcome this by making the concrete bounds on the running times of algorithms A and C explicit.
A remark on nomenclature We will have to deal with two different notions of "time". First, the running time of algorithms, usually measured in the number of computational steps an algorithm performs. Second, our computational equivalent of physical time, measured in some abstract discrete time unit. To avoid ambiguity, we will use the word "time" only for our computational equivalent of physical time. Rather than specifying the "running time" of an algorithm, we will specify the "number of operations" performed by the algorithm, assuming that all algorithms are executed on universal Turing machines with identical instruction sets. For example, we will write "algorithm A performs t operations" instead of "algorithm A runs in time t".
Computational reference clocks (CRCs) The concepts of computational reference clocks and their associated relations will be necessary to define time-lock encryption.
Definition 5 A computational reference clock (CRC) is a stateful probabilistic machine C(1 κ ) that takes input a difficulty parameter κ and outputs an infinite sequence w 1 , w 2 , . . . in the following way. The initial state of C is w 0 . It runs a probabilistic algorithm f C which computes w τ = f C (w τ −1 ) and outputs w τ .
We write w τ $ ← C(1 κ , τ ) for τ ∈ N to abbreviate the process of executing the clock τ times in a row, starting from initial state w 0 , and outputting the state w τ of C after τ executions.
Intuition for Definition 5 The intuition behind this definition is that the machine C performs an iterative, public computation, which iteratively computes f C . It takes super-polynomial time T (κ) to compute each f C . C outputs its complete internal state after each execution, therefore no secret keys or other secret values can be hidden inside C. Algorithm f C is public, too. When executed for the τ -th time, the machine responds with the current state of the computation at "time" τ . Intuitively, w τ serves as a "witness" that the current time is "at least τ ". Definition 5 will be useful for the construction of secure time-lock encryption, whenever it is computationally very hard, but not completely infeasible (e.g., when κ is relatively small), to compute w τ from w τ −1 . Think of C as a very fast machine that works on solving an infinite sequence of computational puzzles. Jumping slightly ahead, we will later instantiate C with the collection of all Bitcoin miners that contribute to expanding the publicly known Bitcoin blockchain. When executed for the τ -th time, the machine returns the blockchain of length τ .

Definition 6
We say that relation R is associated to C, if R is an NP-relation, and for all x ≤ τ holds that Intuition for Definition 6 The purpose of the relation is to describe which values w τ are acceptable as a "witness for time τ ". Note that it makes sense to accept a witness w τ with "for time τ " also as a witness for any "earlier time" x with x ≤ τ . Hence we require that (1 x , w τ ) ∈ R holds for all x ≤ τ .
Definition 7 Let C be a computational reference clock. We say that an adversary A (t, τ, ε)breaks the security of C with respect to R, if it performs at most t operations and τ ∈ N such that Pr The adversary is allowed to make at most τ − 1 times queries to C in total.
Intuition for Definition 7 Definition 7 essentially requires a lower bound on the number of operations that have to be performed in order to compute the witness w τ for τ ∈ N. Even given witness w τ −1 for τ − 1, it should be unlikely for any adversary to output w τ by performing significantly less than t additional operations.
Time-lock encryption Based on the notion of computational reference clocks, we can now define time-lock encryption schemes and their security. Encryption The encryption algorithm c $ ← TL.Enc(1 λ , τ, m) takes as input the security parameter λ, an integer τ ∈ N, and a message m ∈ M. It computes and outputs a ciphertext c. Decryption The decryption algorithm TL.Dec(w, c) takes as input w ∈ {0, 1} * and ciphertext c, and outputs a message m ∈ M or a distinguished error symbol ⊥. Correctness For correctness we require that Remark 1 One may relax the correctness requirement from "perfect correctness" (as above) to correctness up to a negligible error term. We will work with the above perfect correctness condition for simplicity.

Definition 9 We say an adversary
We require that |m 0 | = |m 1 |. The adversary is allowed to make at most τ − 1 queries to C in total.
Intuition for Definition 9 The intuition behind this security definition is essentially that no adversary should be able to distinguish an encryption of m 0 from an encryption of m 1 by performing significantly less operations than the number of operations required to compute w with (1 τ , w) ∈ R. At a first glance it might appear that security in this sense is impossible to achieve, because C computes such values and it is a polynomial-time algorithm. Thus, the adversary is a polynomial-time algorithm, too, then it could simply perform the same computations as C. Therefore we put an explicit bound t on the number of operations that A may perform. This makes this definition useful when it is reasonable to assume that the number of operations t that can be performed within a certain time by the adversary is much smaller than the (also polynomially bounded, but much larger) number of operations t performed by C to compute w with (1 τ , w) ∈ R.

Constructing time-lock encryption from witness encryption
Construction 1 Let C be a computational reference clock and let R be an NP-relation, such that R is associated to C. Let (WE.Enc, WE.Dec) be a witness encryption scheme for R. Define algorithms (TL.Enc, TL.Dec) of a time-lock encryption scheme as Let us first prove correctness. We have to show that holds for all λ ∈ N, all τ ≥ τ dec , and all m ∈ M. The correctness of the witness encryption scheme guarantees that holds for all τ ≥ τ dec . Since R is associated to C, this follows by Definition 5.
Remark 2 If we use a witness encryption scheme and/or a computational reference with negligible correctness error in the same construction as above, then we obtain a time-lock encryption scheme with negligible correctness error.

Remark 3
When the CRCs are instantiated with Bitcoin, the size of witnesses grows linearly with τ . However, the Bitcoin blockchain generation time is O(τ · T (κ)) with T (κ) a superpolynomial, while the computational time of our witness encryption is O(τ ). In our time-lock encryption, the super-polynomial T (κ) computational work is done by the Bitcoin community which possesses the huge computational resources. The current block mining difficulty is about κ ≈ 71 which means the Bitcoin community needs to hash 2 71 (≈ 10 21 ) times on average to find a nonce for a new block. It is worth pointing out that size of witnesses growing linearly holds for Bitcoin, but not necessarily for any other instantiation of CRCs. Bitcoin is just one practical example that illustrates that the concept of CRCs indeed makes sense.
Moreover, we choose the concrete setting as the "right" setting for time-lock encryption, because it simplifies the treatment of "difficult, but not too difficult to compute functions" (such as computational reference clocks) very significantly, which would be much more difficult to express precisely with traditional asymptotic formulations.
Theorem 1 For each adversary A tl that (t tl , τ, ε tl )-breaks (TL.Enc, TL.Dec), we can construct an adversary A clk that (t , τ, ε )-breaks computational reference clock C, provided that the witness encryption scheme is Proof Consider the following adversary A clk against C, which runs A tl as a subroutine. A clk defines A we by setting A we Thus, by the (t tl , t , τ − 1, τ − 1, ε tl , ε )-security of (WE.Enc, WE.Dec), the extractor E (and therefore also A clk ) issues at most τ − 1 queries to C. It runs in time t , and computes a witness w with (1 τ , w) ∈ R with probability at least ε . Thus, A clk (t , τ, ε )-breaks C.

Reducing multilinearity level using SNARKs
For the existing constructions of witness encryption [7,21,41,43,46], as well as our proposed scheme in the following Sect. 6, the size of the ciphertext and the running time for encryption and decryption is linear in terms of the length of witness. Usually the linear complexity is very natural and efficient. Unfortunately, this is not good enough for witness encryption because all the instantiations of witness encryption are based on multilinear maps [18] of which the research is still in its infancy [31,32,40,54] and is not yet practical regardless of recent lines of attacks. Furthermore, the existing implementations for multilinear maps are not compact, that is, the size of the group elements is polynomial in the multilinearity level (i.e., the maximum number of pairings). The multilinearity level is polynomial in the length of the witness. To mitigate this issue, we propose our second construction of time-lock encryption by using SNARKs [12][13][14]44,49,55,56,62] together with witness encryption. The idea is to encrypt with SNARKs verification procedure for the statement (x, w) ∈ R, instead of directly encrypting with an instance x. This idea of using SNARKs to gain efficiency is not new [48,71]. However, we show that using SNARKs can achieve constant multilinearity level regardless of the instance and witness, rather than the previous linear complexity stated in [48,71]. (1) Run the SNARK prover to get π $ ← SNARK.Prove(ek, 1 τ , w) (2) Let w * = π. Compute and output WE.Dec(w * , ct) For correctness, we will show that

Construction 2 Let C be a computational reference clock and let R be an NP-relation that is associated to
holds for all λ ∈ N, all τ ≥ τ dec , and all m ∈ M. By Definition 2, we know that (1 τ dec , w τ ) ∈ R. By the completeness of SNARK, we have Let x * = SNARK.Verify(vk, 1 τ dec , ·) and w * = π. Then (x * , w * ) ∈ R * as defined above. The correctness of the witness encryption scheme guarantees that Hence we can easily see the correctness holds.

Theorem 2
For each adversary A tl that (t tl , τ, ε tl )-breaks (TL.Enc, TL.Dec), we can construct an adversary A clk that (t c , τ, ε c )-breaks computational reference clock C, provided that the witness encryption scheme is Proof Suppose an adversary A tl (t tl , τ, ε tl )-breaks time-lock encryption by querying the clock for at most τ − 1 times. The basic idea of the proof is: we construct a witness encryption adversary A we who uses A tl as a subroutine to break witness encryption and triggers the witness extractor to extract a valid SNARK proof. This extractor breaks the SNARK security and triggers the SNARK extractor to extract a witness for 1 τ which breaks the security of the computational reference clock.
First the SNARK challenger runs (ek, vk) $ ← SNARK.Gen 1 λ , 1 τ and gives (ek, vk, x) to a SNARK adversary A s . Then A s constructs a new instance x * = SNARK.Verify(vk, 1 τ , ·) and a challenge ciphertext c * = WE.Enc(1 λ , x * , m b ) of witness encryption and give them to a witness encryption adversary A we . Then A we forwards c * to A tl . A s queries to C and forwards the answers to A we and then A we forwards them to A tl . A we outputs whatever A tl outputs. By assumption, we know witness encryption scheme is (t tl , t e , τ − 1, τ − 1, ε tl , ε e )-secure. Therefore, there exists an extractor E that performs at most t e operations, queries to the oracle at most τ − 1 times and outputs a witness w * for x * with probability more than ε e . Recall that x * = SNARK.Verify(vk, 1 τ , ·). This means the extractor outputs a valid proof π such that SNARK.Verify(vk, 1 τ , π) = 1. This extractor is clearly a SNARK adversary with at most τ − 1 times queries from the oracle. Since the SNARK is (t e , t c , τ −1, τ −1, ε e , ε c )-secure, this gives us another extractor E that performs at most t c operations and queries the oracle at most τ − 1 times and outputs a witness w such that (1 τ , w) ∈ R with probability more than ε c . Therefore can see E is in fact a clock adversary who (t c , τ, ε c )breaks the clock C.
Constant level of multilinearity for witness encryption In Construction 2, the witness encryption encrypts to an instance x * = SNARK.Verify(vk, 1 τ , ·) which is the verification procedure of a SNARK proof. The only input of x * is a SNARK proof π which is succinct, i.e., a constant number of group elements. The original verification procedure SNARK.Verify(·, ·, ·) takes as input the verification key and the instance which means its size and computing time is at least linear in the description of the instance. Intuitively, x * has already been initialised with the verification key and the instance, and thus its size and running time can be constant.
We shall explain how the constant complexity can be achieved with the most recent implementations of SNARKs [12][13][14]16,44,56]. We first consider the SNARKs based on quadratic span programs [12,13,44,56] and we use the general notations from [44]. To verify a SNARK proof, the verifier processes the instance to obtain coefficients {a i } i∈I such that v in (x) = i∈I a i v i (x) and then computes an encoding E(v in (s)) of v in (s) = k∈I in a k · v k (s) by using the verification key. This is the only part of the verification that is linear in the instance and the rest of the verification can be done in a constant number of steps. Notice that verifying the instance becomes unnecessary when encrypting with witness encryption. This is because the verification of the instance can be pre-computed and hard-coded into the ciphertext of witness encryption. More specifically, when encrypting with the SNARK verification procedure with witness encryption, we can pre-compute those coefficients {a i } i∈I and the encoding E(v in (s)), then directly hard-code E(v in (s)) into the verification procedure and obtain SNARK.Verify(vk, 1 τ , ·). This reduces the size and computing time of x * into a constant, therefore the computing complexity of the ciphertext of witness encryption and the underlying multilinearity level become constant. The constant multilinearity level can also be achieved when using SNARKs from PCPs and linear-only encryption [14,16]. In this case, SNARK.Verify(vk, 1 τ , ·) consists of a decryption algorithm of linear-only encryption and an LPCP verification decision algorithm for the instance 1 τ . To discuss the complexity of the SNARK verification, we use the notations from Construction 4.5 from [16]. For an -query LPCP, the complexity of the decryption of the linear-only encryption is linear in , and the complexity of the LPCP verification decision algorithm depends on the size of the instance x. For boolean circuit and arithmetic circuit satisfaction, 3-query LPCPs are given in Appendix A in [14], where the computation on instance x in the LPCP decision algorithm can be easily pre-computed and removed when encrypting with witness encryption. Since = 3 and x is removed, the witness encryption for encrypting the SNARK verification is of constant complexity.
We note that using a third party to set up SNARK parameters is not necessary for our timelock encryption scheme. The party who produces the ciphertext can generate the SNARK parameters itself. This party can be assumed to be trusted, since it is the owner of the plaintext. The receiver of the ciphertext can outsource the computation of generating a SNARK proof from a blockchain to a third party, but this party does not have to be trusted either since the proof can be verified. The receiver can also do this computation himself, of course. There are practical implementations of SNARKs [13,63] and used in real-world applications, such as [11,33], in contrast to current multilinear maps. Introducing a third party to set up public parameters for using SNARK can further improve efficiency. One can generate these parameters e.g. by using multi-party protocols [10,20] that are tailored to support state-ofart SNARK constructions [13,63]. These multi-party protocols guarantee that even a party controlling all but one of the parties cannot construct fraudulent proofs. One has to run the set-up protocol only once and re-use the parameters across many ciphertexts.

Extension to adaptively-secure computational reference clocks
In our Bitcoin-based instantiation of a computational reference clock C described below, the adversary will also be able to modify the state of C to a certain degree (for instance, by executing Bitcoin transactions). This is not yet captured by Definitions 5 and 7 and the proof of Theorem 1. In this section, we extend the definitions and the security proof from the Sect. 3 to this case.

Definition 10
A computational reference clock with auxiliary input is a stateful probabilistic machine C that outputs an infinite sequence w 1 , w 2 , . . . in the following way. The initial state of C is w 0 . On input a string aux ∈ {0, 1} * , it runs a probabilistic algorithm f C which computes w τ = f C (w τ −1 , aux) and outputs w τ .
Intuition for Definition 10 The main difference to Definition 5 is that now we allow the output w τ to depend on some auxiliary input aux, which is motivated by the specific computational reference clock given by the Bitcoin blockchain. In Bitcoin the auxiliary input will consist of a list of Bitcoin transactions broadcasted by Bitcoin users in the network. An adversary may influence this list of transactions to some degree, by performing and broadcasting transactions. We will reflect this in the security definition given below, by letting the adversary choose the entire auxiliary input for each iteration of the f C -function.

Definition 11
We say that an adversary A adaptively (t, τ, ε)-breaks a computational reference clock C w.r.t. R , if A performs at most t operations and it holds that Pr[Exp C,R,A clk (1 κ , τ ) = 1] > ε and τ ∈ N, where Exp C,R,A clk is the following experiment.
Return w A may query C at most τ − 1 times.

Intuition for Definition 11
The main difference to Definition 7 is that now the adversary has access to a stateful oracle C, which takes as input aux chosen by the adversary (possibly adaptively and depending on previous oracle responses). The initial state of the oracle is equal to the initial state w 0 of reference clock C. When queried on input aux, the oracle computes f C (w, aux), using its internal state w and the adversarially-provided input aux. It updates its internal state by assigning w = f C (w, aux), and returns w.
Remark 4 Note that we do not have to adapt the security definition for time-lock encryption (Definition 9) to adaptive computational reference clocks, because Definition 9 already fits to the adaptive setting. Technically, we would have to adopt the correctness requirement in Definition 8 by adding the additional auxiliary inputs aux 1 , . . . , aux τ of each clock iteration. However, this is straightforward and therefore omitted. We only note that correctness should hold for all possible auxiliary inputs, of course.

Theorem 3 From each adversary A tl that (t tl , τ, ε tl )-breaks (TL.Enc, TL.Dec) in Construction 1 by querying C, we can construct an adversary A clk that adaptively (t , τ, ε )-breaks C, provided that the witness encryption scheme is
The proof is identical to the proof of Theorem 1 and therefore omitted.
The proof follows the same pattern as the proof of Theorem 2 and is therefore omitted.

Time-lock encryption based on bitcoin
In this section, we will first describe the necessary background on Bitcoin. Then we explain how the scheme from Sect. 4 can be instantiated based on Bitcoin. Finally, we discuss some engineering tasks that arise in the context of Bitcoin-based time-lock encryption.

The bitcoin blockchain
Cryptocurrencies are a cryptographic equivalent of regular currencies. The concept of decentralized cryptocurrencies has recently received a lot of attention, mostly motivated by the tremendous success of the most prominent decentralized cryptocurrency Bitcoin [61] and the emerge of a large number of alternative decentralized cryptocurrencies. 2 Using Bitcoin as an example, we will show how decentralized cryptocurrencies can be used as a concrete instantiation of the abstract concept of computational reference clocks. We stress, however, that Bitcoin serves merely as one concrete example. For instance, other decentralized cryptocurrencies also provide mechanisms that may be used to instantiate such reference clocks.
A complete description of the full Bitcoin system is out of scope of this paper. In particular, we omit all details about Bitcoin transactions, and give only a simplified description that captures the relevant features of Bitcoin. In the sequel we focus on one central building block of Bitcoin, the so-called Bitcoin blockchain. We refer to [61] for a description of the full system. r 1 , D 1 , B 1 ), . . . , (T s , r s , D s , B s ) that satisfies

The Bitcoin blockchain The blockchain is used in Bitcoin to prevent double-spending of Bitcoin (cf. Appendix B). It is a sequence of tuples
where H is a cryptographic hash function based on SHA-256 and B 1 , . . . , B s are called blocks. B 0 is a distinguished value, called the genesis block, which is a hard-coded constant in the Bitcoin software. The values T i , r i , D i are described below.
Bitcoin users may attempt to find the next block B s+1 in the chain, which is a computationally expensive (but feasible) task, because B s+1 must meet certain conditions that we will describe below. Users contributing to this search are called miners. The main incentive to contribute significant computational resources to the progress of the blockchain is that for each new block the respective miner is rewarded with a certain amount of Bitcoin. 3 Each miner keeps a full local copy of the blockchain, and collects all recent transactions broadcasted by other Bitcoin peers. For each transaction, the miner first checks if it is "malicious", that is, if it contains any coins that, according to the transaction ledger, are not in possession of the spending party. These transactions are discarded. T s+1 denotes the list of new transactions which are not discarded. The miner now attempts to approve these transactions, by finding that a new block B s+1 in the blockchain which includes these transactions. To this end, the miner increments a counter value r s+1 , until the hash satisfies B s+1 ≤ D s+1 , where the binary string B s+1 is interpreted canonically as an integer, and D s+1 is the current value of a variable public system parameter called the target. The size of the target determines the computational hardness of finding new blocks. It is related to the Bitcoin difficulty by the definition difficulty := σ target where σ = (2 16 − 1) × 2 208 is a constant, called the Bitcoin maximum target. Each new block B s+1 serves as a proof of work for the computational resources contributed by the miner that found B s+1 . New blocks are broadcasted to all other Bitcoin peers, along with their associated data (T s+1 , r s+1 , D s+1 , B s ). All miners receiving the new block B s+1 will then turn to searching for the next block B s+2 . It may happen that at some point the blockchain forks (for instance, if it happens that two miners simultaneously find a new block B s+1 ), such that different miners continue their work on different branches of the fork. This problem is resolved in Bitcoin by considering only these transactions as valid, which correspond to the longest branch of the fork. Only newly mined blocks that correspond to the longest branch are rewarded. This provides an incentive for miners to contribute only to the longest branch.
Remark 5 Actually, the "length" of a chain in Bitcoin is not determined by the number of blocks, but by sum of the difficulty of all blocks in the chain. This is done to prevent that an adversary forks the chain by appending some low-difficulty blocks. 4 This distinction is not relevant for our paper. As in [1], we will therefore assume that the longest chain also corresponds to the chain with the largest sum of difficulties. When referring to the Bitcoin blockchain" in the sequel, we will mean the longest chain.
Note that the complexity of the problem of finding a new block B s+1 with B s+1 ≤ D s+1 grows with decreasing D s+1 . 5 This allows to dynamically modify the complexity of finding a new block by modifying the difficulty. The Bitcoin system frequently adjusts the difficulty, depending on the computational power contributed by miners to the progress of the Bitcoin blockchain, 6 such that about every 10 minutes a new block is appended to the blockchain.

Important properties of the Bitcoin Blockchain
The Bitcoin blockchain has the following two properties, which are particularly relevant to our work.
-Bitcoin miners have an incentive to contribute significant computational resources to the progress of the blockchain, and to publish their solutions in order to get rewarded for their effort. The total computing power contributed to the Bitcoin blockchain is huge, as of August 2017 the network computes more than 6.6 × 10 18 ≈ 2 62 hashes per second. -The Bitcoin blockchain grows constantly and with predictable progress. The difficulty, and thus the size of the target, is frequently adjusted (about every two weeks) to the computational power currently available in the Bitcoin network, such that about every 10 minutes on average a new block is appended to the chain.  , r 1 , D 1 , B 1 ), . . . , (T τ , r τ , D τ , B τ )) and w satisfies all the following properties:

NP-relations based on hash blockchains
-|T i | and |r i | are polynomially bounded, and where we interpret bit strings B 1 , . . . , B x canonically as integers.
Note that R β,δ is an NP-relation, because there is an efficient deterministic algorithm that, given (1 x , w), β, and δ, verifies that (1 x , w) ∈ R β,δ by checking the conditions from Definition 12. Note also that the problem of finding a witness w for a given statement 1 x corresponds to the problem of finding a valid blockchain w of length x with respect to (β, δ), which gets increasingly difficult with decreasing δ.

Time-lock encryption from bitcoin
We will now describe the Bitcoin-based computational reference clock C btc along with a suitable associated relation R β,δ . As described in Sect. 3, we can then combine these building blocks with witness encryption, to obtain a Bitcoin-based time-lock encryption scheme. Bitcoin-based computational reference clock Let f btc be the function that expands the Bitcoin blockchain. That is, on input r 1 , D 1 , B 1

NP-relations based on the Bitcoin blockchain
and auxiliary input aux = T τ , it computes and outputs the new state w τ such that w τ = (T 1 , r 1 , D 1 , B 1 ), . . . , (T τ , r τ , D τ Let C btc denote the computational reference clock that computes f btc . Then the state of C btc at "time" τ consists of the first τ tuples of the Bitcoin blockchain. Recall that the progress of the chain is relatively predictable. Assuming that the current length of the chain is τ tuples, and that new blocks will continuously be found at a rate of approximately one block every 10 minutes, then we know that in approximately 10 · x minutes the blockchain will contain τ + x tuples. Note that the relations R β,δ from Definition 12 are associated to C btc in the sense of Definition 6, provided that β = B 0 and δ satisfies δ(i) ≥ B i for all i ∈ N. Unfortunately, the latter is not guaranteed, as it depends on the choice of the target bound function δ and the future development of the size of the Bitcoin target. Therefore δ must be chosen carefully. Choosing δ carefully. Let x such that x > τ, that is, no witness w for (1 x , w) ∈ R β,δ is yet contained in the Bitcoin blockchain. We note that any sequence w = ((T 1 , r 1 , D 1 , B 1 ), . . . , (T x , r x , D x , B x ) computed by the Bitcoin network in the future is only a potential witness for (1 x , w) ∈ R β,δ . This is because relation R β,δ depends on the target bound function δ. By definition, w will only be a witness for (1 x , w) ∈ R β,δ , if B i ≤ δ(i) holds for all i ∈ [1, x]. It might happen that at some point γ ∈ [τ + 1, x] in the future the Bitcoin target increases to a value D γ such that D γ ≥ δ(γ ). In this case we will have (1 x , w) / ∈ R β,δ . It is possible to overcome this by choosing δ carefully. To this end, consider the following observations.
-First, note that we must not choose δ too small More precisely, we must not choose δ such that there exists i ∈ N with δ(i) < B i . This is because then our reference clock C btc would not provide suitable witness w i for (1 i , w i ) ∈ R β,δ . Thus, the time-lock encryption scheme would not be correct. -Observe also that δ must not be too large For instance, recall that B i ∈ {0, 1} d . Thus, we could try to simply set δ such that δ(i) = 2 d for all i ∈ N. Then δ(i) > B i holds trivially for all i ∈ N. However, then it becomes very easy to compute witnesses w i for (i, w i ) ∈ R β,δ , by simply evaluating the hash function H i-times to build a chain of length i. Essentially, we have eliminated the size restriction on the B i values, such that breaking the security of clock C btc is clearly not hard for any such relation R β,δ and any reasonable t. The resulting time-lock encryption scheme would be trivially insecure.
Ideally, δ is chosen such that δ(i) = D i matches the Bitcoin target parameter D i for all future i > τ. However, since D i depends on the computational resources that currently contribute to the Bitcoin network, this would require to predict the amount of these resources. Therefore it seems impossible to predict D i exactly. But we can try to approximate D i with δ as closely as possible, such that it always holds that δ(i) = D i − ε i for small values ε i .
Dependence on the sender's preferences Note that the "right" choice of δ depends on the preference of the sender, which one of the following options is more desirable for the encrypted message.
-If δ is chosen too small, then the witness required to decrypt the message may never be contained in the public Bitcoin blockchain. This may happens if the Bitcoin difficulty decreases faster than expected by the encrypting party choosing δ. Thus, it may be infeasible to decrypt the ciphertext in reasonable time, such that nobody will ever learn the message (at least not within close time distance to the desired deadline). -If δ is chosen too large, then an adversary that is able to perform a very large number of computations within a short time may be able to decrypt the message before the deadline, even though its computational resources are significantly below the resources of all Bitcoin miners.
Since it is not clear which of the above options is preferable in general, we think it makes most sense to let the sender choose δ application-dependent, or possibly even individually for each encrypted message. If it is more desirable that an encrypted message remains secret (possibly for a much longer time than originally desired by the sender), rather than being decrypted before the deadline, then one would choose a very small target bound function δ. If it is preferred that the message is rather decrypted earlier than possibly never, then one would choose δ larger. The substantial computational resources currently contributed to the Bitcoin network provide a generous margin of error for the choice of δ.
We consider the "right" choice of δ as an application-dependent engineering problem, which we will discuss in Appendix C, along with other engineering questions arising from the Bitcoin-based instantiation of time-lock encryption.

Correctness of the Bitcoin-based time-lock encryption scheme
In order to argue correctness of the Bitcoin-based time-lock encryption scheme, we assume that R β,δ is associated to C in the sense of Definition 6. Note that this is implied by the assumption that Bitcoin is correct.

Security of the Bitcoin-based time-lock encryption scheme
The following theorem follows from Theorem 3.

Theorem 5
Let (TL.Enc, TL.Dec) be the time-lock encryption scheme obtained from combining computational reference clock C btc with a witness encryption scheme for relations R β,δ by applying the construction from Sect. 4. For each adversary A tl that (t tl , ε tl )-breaks (TL.Enc, TL.Dec) by querying C btc at most q times, we can construct an adversary A clk that adaptively (t , ε )-breaks C btc with at most q queries with q ≤ q, provided that the witness encryption scheme is (t tl , t , q, q , ε tl , ε )-secure.
The assumption that (t , ε )-breaking the security of C with respect to R β,δ and reasonable values of t and ε , can be analyzed in the Random Oracle Model [9]. To this end, consider the following lemma.

The Proof of this lemma can be found in Appendix D
Further game-theoretic aspects Ideally, the target bound function δ is chosen such that decrypting the ciphertext earlier would require so many computational resources, that from a game-theoretic perspective it is more reasonable to use these resources to perform a different computation. This is always the case when the value of learning the encrypted message before the deadline is below the revenue obtainable from the different computation.
In particular, an adversary might gain more revenue from mining Bitcoin directly than from trying to learn the time-lock encrypted message earlier than others. The revenue obtainable from Bitcoin mining is easily quantifiable, we think this is a very nice aspect of the Bitcoinbased instantiation of time-lock encryption.

Time-lock encryption beyond Bitcoin
In order to obtain a stable and robust time-lock encryption scheme from Bitcoin, it is required that Bitcoin miners will continue to contribute significant computational resources to the progress of the Bitcoin blockchain. It is conceivable that Bitcoin will be discontinued at some point in the future. This may happen, for instance, due to a market crash making Bitcoin worthless, or simply because its popularity decreases over time, possibly replaced by a different cryptocurrency. This is of course unpredictable.
Currently, there are several alternate cryptocurrencies, which are colloquially referred to as "altcoins", any of which could be used in place of Bitcoin in our construction. Of particular interest is the fact that a large number of these are either Bitcoin derivatives or are built using the same techniques. This means that our construction can be used almost directly for these "altcoins". Of course we can also replace Bitcoin with any other cryptocurrency.
In particular, one alternative is Ethereum [37,38], which is the most popular cryptocurrency after Bitcoin, at the time of writing. One particular advantage of Ethereum over Bitcoin is that the average block time is significantly shorter, with a new block every 25 seconds on average (September 2017). However on the other side, we do have a lower hashrate of approximately 9 × 10 4 ≈ 2 16.5 . As with Bitcoin, these figures are liable to change and would then affect the final construction.
We stress that the approach for constructing time-lock encryption described in Sect. 3 is generic. That is, it is motivated by, but not reliant on Bitcoin, nor on any other cryptocurrency for that matter. In principle, our approach can be used with completely different types of iterative, public, large-scale computations. For instance, time-lock encryption could be based on other decentralized cryptocurrencies, or even on completely different types of public computations. The construction from Sect. 5.3 is only one concrete application of the techniques developed in Sect. 3, motivated by the fact that Bitcoin currently seem to be the most interesting candidate instantiation, in particular due to their wide adoption and the significant computational resources contributed to the Bitcoin network.

Extractable witness encryption from SUBSET-SUM
In this section, we propose a construction for extractable witness encryption from a special Subset-Sum problem and we prove the extractable security in the generic model of multilinear maps. We will show that the CNF-SAT can be reduced to this special Subset-Sum problem in the next section.
We use notations u, v, w to represent integer vectors. We call a vector of n elements the n-vector. We define u ≤ v as the component-wise comparison. We denote by {(v i : i )} i∈I a multi-set in which the element v i occurs i times and v 1 , . . . , v |I | are pairwise-distinct. Let α : = (α 1 , . . . , α d ) and v := (v 1 , . . . , v d ).
Our witness encryption scheme makes use of asymmetric multilinear maps in which groups are indexed by integer vectors [19,40,72]. Suppose we have a s-multilinear group family consisting of groups {G v } v of the same order p and v ≤ s, where s, v ∈ Z are positive integer vectors and the comparison between the vectors holds component-wise. The groups are equipped with a set of multilinear maps, e u,v : We often omit the subscripts and just write e. The original Subset-Sum problem is: given a (multi)set of integer vectors and a target integer vector s, does there exist a subset of the integer vectors such that the sum of its elements is equal to s? To achieve extractability in witness encryption, our encoding will be performed on a special Subset-Sum problem defined as below: -Instance given a multi-set of d-vectors Δ = {(v i : i )} i∈I of positive integers, and a sum d-vector s of positive integers such that ( i + 1)v i s for each i ∈ I . -Decide is i∈I b i v i = s for some integers 0 ≤ b i ≤ i with i ∈ I ? Construction 1 (Extractable witness encryption) Suppose x is an instance of the above special Subset-Sum problem and we use the above notations in the following discussion. We construct a witness encryption scheme as below: In the above construction, each vector v i is only encoded once as a group element g α v i v i . The multiple usage of v i corresponds to the multiple pairing of g α v i v i . However, we cannot allow the encoded element to be used for more than i times. This is why we have the side condition ( i + 1)v i s. If g α v i v i is paired for more than i times, then the group index will be no longer smaller than the index of the target group s. Note that the encoding described above does not directly work for the general Subset-Sum problem. For example, given {1}, there is no subset-sum for 3, but we can obtain the encoding g α 3 3 for the sum by computing e g α 1 1 , g α 1 1 , g α 1 1 . The problem is caused by the fact that the encoding g α 1 1 can be used for multiple times but the element 1 can only be used for at most once in the Subset-Sum instance.

Theorem 6
Our Construction 1 of witness encryption achieves extractable security with t = poly(t · λ) and ε = ε and q ≤ q in the generic model of multilinear maps.
A proof of this theorem can be found in Appendix F Our special Subset-Sum problem can directly encode the Exact-Cover problem by representing each set of the instance of Exact-Cover as a vector and the side condition holds because each set can be used for at most once. This encoding converts the witness encryption scheme [43] into an extractable witness encryption scheme.
A weaker security guarantee for witness encryption is the soundness security. The soundness security states that if x / ∈ L then no polynomial-time algorithm can decrypt. An alternative definition for soundness security called adaptive soundness is given in [8]. In fact, the extractable security implies the soundness security since the probability that the extractor can extract a witness is 0 when x / ∈ L. We also give a discussion about the soundness security of our witness encryption scheme in the Appendix G.
Since the breakthrough construction of Garg et al. [40] in 2013, multilinear maps [31,32,40,45,54] becomes a very active research area, as well as its cryptanalysis [25,26,28,30,52,70]. Our design of witness encryption is independent of the underlying implementations of multilinear maps. In particular, our scheme seems not susceptible to the zeroising attacks since constructing top-level encodings of zeroes is difficult and requires the knowledge of a sufficient number of witnesses. We leave it as a future work to formally investigate the security of our scheme when instantiated with the current approximate multilinear maps.

Reducing CNF-SAT to Subset-Sum
In this section, we show how to construct an extractable witness encryption for any NP language. This is achieved by constructing an intuitive reduction from an instance of CNF-SAT to an instance of our special Subset-Sum. This results in a more efficient encoding for CNF formulas compared to the encoding in the existing witness encryption schemes.
The Boolean satisfiability problem (SAT) is, given a formula, to check whether it is satisfiable. Let B be a Boolean formula. A literal is either a variable x or the negation of a variable x. A clause is a disjunction of literals, e.g., The formula B is said to be in conjunctive normal form (CNF) if it is a conjunction of clauses C 1 ∧C 2 ∧· · ·∧C m . The SAT problem for CNF formulas is called CNF-SAT.
Definition 13 (Reduction from CNF-SAT to special Subset-Sum) Assume a CNF formula has n variables x 1 , x 2 , . . . , x n , and k clauses C 1 , C 2 , . . . , C k , each clause C j contains m j literals. The reduction to an instance of special Subset-Sum is performed as below: (1) For each variable x i with 1 ≤ i ≤ n, construct two vectors u i,0 and u i,1 of (n + 2k) integers as follows: -The i-th element of u i,0 and u i,1 is 1 -For 1 ≤ j ≤ k, the (n + j)-th element of u i,0 is 1 if x i is in clause C j -For 1 ≤ j ≤ k, the (n + j)-th element of u i,1 is 1 if x i is in clause C j -All other elements of u i,0 and u i,1 are 0 (2) For each clause C j with 1 ≤ j ≤ k, assume there are m j literals in the clause C j , construct vectors v j,1 , v j,2 , . . . , v j,m j −1 of n + 2k integers: -The (n + j)-th element and the (n + k + j)-th element of v j,1 , v j,2 , . . . , v j,m j −1 are equal to 1 -All other elements of v j,1 , v j,2 , . . . , v j,m j −1 are 0 (3) For each clause C j , we construct vectors z j,1 , z j,2 , . . . , z j,m j−1 of n + 2k integers as counters: -The (n + k + j)-th element of z j,1 , z j,2 , . . . , z j,m j−1 is equal to 1 -All other elements of z j is 0 (4) Finally, construct a target sum vector s of n + 2k integers: -For 1 ≤ j ≤ n, the j-th element of s is equal to 1 -For 1 ≤ j ≤ k, the (n + j)-th element of s is equal to m j .
-For 1 ≤ j ≤ k, the (n + k + j)-th element of s is equal to m j − 1.
Intuitively, the vector u i,0 corresponds to the negative occurrences of variable x i in the formula while the vector u i,1 corresponds to its positive occurrences. The vectors v j,1 , v j,2 , . . . , v j,m j −1 for each clause C j will sum to m j − 1 at most, but to complete the sum m j at least one will have to come from one of the u i,0 or u i,1 for 1 ≤ i ≤ n, which means the clause has to be satisfied by some literals. An example for explaining this reduction
We shall analyse that the above reduction transforms an instance of CNF-SAT into an instance of our special Subset-Sum, that is the side-condition ( i + 1)v i s is satisfied. Each vector u i,b can occur for at most once in the sum, otherwise the i-th element of the sum will be bigger than 1. The vectors v j,1 , . . . , v j,m j −1 are the same vectors and at most m j − 1 of them can occur in the sum, otherwise the n + k + j-th element of the sum will be bigger than m j − 1. Similarly the vectors z j,1 , . . . , z j,m j −1 are the same and at most m j − 1 of them can be used in the sum otherwise the n + k + j-th element of the sum will be bigger than m j − 1.

Theorem 7 The CNF formula is satisfiable iff subset sum exists.
Proof If there is a subsequence of integer vectors summing to the sum vector s, this must use exactly one of each of the pairs u i,0 , u i,1 (corresponding to each variable x i being either false or true but not both) to make the first n elements of the sum correct. Also, each clause of C j must have been satisfied by at least one variable, or the next k elements of the sum cannot be big enough. The last k elements of the vectors are the auxiliary counters that will be used for encoding.
When the CNF formula is satisfiable with assignment x 1 , x 2 , . . . , x n , then we can construct a sub-set sum. We first choose u 1,x 1 , u 2,x 2 , . . . , u n,x n . Then for each 1 ≤ j ≤ k, we compute the number of literals that evaluate to true in C j and denote it by j . For each 1 ≤ j ≤ k, we choose vectors v j,1 , . . . , v j,m j −1− j and z j,1 , z j,2 , . . . , z j, j −1 . It is easy to see that these vectors add up to the sum vector s.
Therefore, there is a satisfying assignment to C 1 ∧ C 2 ∧ · · · ∧ C k if and only if there is a subsequence of the numbers that sums to s.
The reduction of the CNF formula to an instance of the special Subset-Sum consists of 2n+m vectors. However, when we encrypt with Construction 1, the vectors v j,1 , . . . , v j,m j −1 are encoded as one group element g α v j,1 v j,1 since they are the same vectors. Similarly, the vectors z j,1 , . . . , z j,m j −1 are encoded as g α z j,1 z j,1 . The ciphertext for encrypting a message m is Hence the size of the ciphertext for the CNF formula is of 2n + 2k + 1 group elements. The decryption involves n + m − k mapping operations, that is the n maps to compute Hence the decryption has time complexity n + O klog m 2k . where m is the total number of literals occurred in the CNF formula. The multilinearity level is n + m − k and can be optimised to n + O klog m 2k as follows. Instead of encoding v j,1 as g α v j,1 v j,1 , we can encode v j,1 as 2 log m j elements: where d = 2 log(m j ) . As a result, this will keep the multilinearity as n + k j=1 log m j , instead of n + k j=1 m j − 1 , while the size of the encoding is of 2n + 2 k i=1 log m j group elements. This optimisation is helpful when the size of elements in the groups depends on the multilinearity in the instantiation of multilinear maps.

Conclusions and future work
We have proposed our novel time-lock encryption scheme, which in contrast to previous works requires neither a trusted third party, nor a large computation on the side of the receiver. Our construction leverages any large public computations, such as those involved in Bitcoin, to realise a computational reference clock. We then couple this with an extractable witness encryption to get our final time-lock encryption scheme. However, there is scope for improvement.
As this scheme is essentially the first of its kind, it is more of a proof of concept than a concrete proposal. The current parameters would make an implementation of this scheme quite cumbersome. Thus the first avenue for future work would be to try and find a more practical scheme based on our construction, or indeed a more practical specific construction. Additionally, we get immediate gains from any improvements to our underlying building blocks, or indeed from any new, more efficient building blocks.
This leads us to the first avenue for improvement, which lies in the primitives themselves. As immediate improvement could be realised if we could use a more efficient extractable witness encryption scheme. It would be of particular interest to see if one could realise witness encryption without the use of multilinear maps. Alternatively, one could consider witness encryptions for other languages and see if there are any gains to be made there.
Another potential for improvement would be investigating the possibility of other methods of realising our computational reference clock from other forms large public computations. Or indeed, one may consider what kinds of computation, if carried out on a large distributed scale would allow us a computational reference clock. Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Appendix A: Other approaches for time-lock encryption
A software published at Github [68] presents the idea of Bitcoin-incentivized timed-release encryption. The scheme in [68] is called "time-lock encryption", but it is not a time-lock encryption in our sense because it requires expensive exhaustive-search computations for both encryption and decryption, where encryption can be parallelized, but decryption (most likely) not. Moreover, their scheme essentially encrypts the message along with a secret key, which allows to retrieve Bitcoin published in a public deposit. The first party which successfully decrypts the ciphertext is able to collect the deposited coins, which serves as an additional incentive to perform expensive computations to decrypt the message. Therefore, in our terminology, the scheme from [68] is a timed-release encryption scheme in the classical sense of Rivest etr al. [66], where decryption is additionally incentivized by a Bitcoin deposit, but not a time-lock encryption scheme in our sense, where ciphertexts essentially decrypt "automatically" (given the public computational reference clock) and the plaintext becomes publicly available.
Among many examples of timed-release encryption schemes in the sense of Rivest et al. [66], the survey in [50] (referring to [47]) describes the idea to combine "public keys", which are generated from a public seed with a pseudorandom number generator, with a special-purpose cryptocurrency where "mining" of coins corresponds to computing the corresponding secret keys. As already mentioned in [47], we do not know how to make this idea work. The reason is that cryptocurrencies and time-lock encryption inherently require that progress in the underlying computations can be made only sequentially (in [47] this is called "progress-free"). For example, Bitcoin achieves sequentiality by making each block in the blockchain dependent on all previous blocks. Thus, the approach of [47] requires the existence of "progress-free sequences of public keys". We are not aware of any proof-of-concept construction of such sequences, and it is unclear whether these objects exists. Moreover, in order to encrypt with the approach described in [47,50] for "time τ ", one would already need to know at least the τ -th public key in the sequence, which clearly contradicts sequentiality.

Appendix B: The double-spending problem in cryptocurrencies
A central problem that a secure digital currency has to solve is to prevent double-spending of digital coins. It seems that this is only achievable by somehow keeping track of all previous transactions, in order to be able to determine whether a malicious party tries to spend the same digital coin more than once. There are essentially two approaches to prohibit doublespending: (1) A central trusted third party ("the bank") keeps a ledger, which contains all transactions executed in the past. This allows the trusted third party to keep track of which party is in possession of which coin. Coins can only be transferred from one party to another if the trusted third party approves the transaction. Note that this approach is inherently centralized, as it requires a central trustworthy instance that keeps track of all transactions. (2) The approach used by decentralized cryptocurrencies, like Bitcoin, is somewhat similar, however, the trusted third party is implemented by all (or most) parties simultaneously. Instead of a centralized ledger, the transaction ledger is distributed among all (or many) parties. Essentially, all transactions are broadcasted to all other parties and stored in the ledger, such that each party is able to check whether a given coin already appeared in a previous transaction, and if the claimed owner of a coin is still in possession of this coin. Thus, all parties jointly implement "the bank". All the recently successful cryptocurrencies, in particular Bitcoin, are decentralized.
The decentralized approach requires a mechanism that allows to find a mutual agreement on the sequence of approved transactions. In Bitcoin, this mechanism is implemented by the Bitcoin blockchain.
The first option is that A performs all its computations secretly. This means that it does not contribute any blocks to the public Bitcoin blockchain, but instead keeps all newly found block secret. This is the approach of an adversary which wants to be exclusively able to decrypt the ciphertext before the deadline. Note that in this case the adversary would have to compute all missing blocks to decrypt a ciphertext on its own. If the target bound function δ is chosen well, such that it closely approximates the actual Bitcoin target, then this essentially means that the adversary would have to perform about the same amount of computations as all Bitcoin miners together (unless it finds a better algorithm for solving the computational problem processed by the miners). Assuming that no single adversary is capable of performing this large amount of computations, this is infeasible.
Alternatively, an adversary might not be interested in being exclusively able to decrypt the ciphertext before the deadline. Instead, it might simply want that the ciphertext can be publicly decrypted earlier than desired by the sender. In this case, the adversary could contribute its computational resources to the public Bitcoin blockchain. Even though the Bitcoin system adjusts the difficulty of advancing the blockchain frequently by modifying the size of the target, note that this happens only relatively slowly, every 2016 blocks. Therefore the difficulty adjustment in Bitcoin is not able to completely prevent such attacks, it may only cushion its effectiveness. However, an adversary that aims at a speed-up by, say, 10% would have to contribute additional resources in the order of 10% of the resources of all other Bitcoin miners together. Thus, the larger the speedup desired by the adversary, the larger are the computational resources it would have to contribute. Moreover, the incentive of other Bitcoin miners to contribute their resources depends on the current difficulty. If this difficulty is too high, then the cost of contributing resources to Bitcoin mining exceeds the revenue obtainable from Bitcoin mining. This would deter other Bitcoin miners from further contributing to the Bitcoin blockchain, which cushions the effectiveness of the resources contributed by the adversary further.
A detailed analysis of adversarial strategies to advance the Bitcoin blockchain significantly faster than one block every ten minutes therefore needs to take such game-theoretic aspects into account, it is therefore out of scope of this paper. See [36] for a related work.
We will bound the probability that at least x of these t + x values satisfy H (h j ) ≤ δ max , j ∈ {1, . . . , t + x}.
Each output h j corresponds to an independent Bernoulli experiment, which evaluates to 1 if and only if H (h j ) ≤ δ max . Let be random variables, and let X denote the random variable X := t+x j=1 X j . In order to bound the probability that X ≥ x, we will apply the Chernoff bound. Note that the the probability that a single Bernoulli experiment outputs 1 is at most δ max /2 d , and the expected number X of experiments that output 1 after (t + x) trials is μ := (t + x) · δ max /2 d . Then we have where e is Euler's number, the first inequality is the Chernoff bound, 7 and the second inequality uses that μ > 0.
The zero-test is only available on the top-level index. The zeros on different index levels are different.

Appendix F: Extractability security
Theorem 6 Our Construction 1 of witness encryption achieves extractable security with t = poly(t · λ) and ε = ε and q ≤ q in the generic model of multilinear maps.
Proof of Theorem 6 Assume an adversary A = (A 0 , A 1 ) that run in time t, and an instance Then we shall prove there exists an extractor E that run in time Θ(t · λ 2 ) such that To ease the discussion, we consider the instances of the special Subset-Sum problem defined in Definition 15, rather than the original SAT problem.
We construct an extractor E by using A as subroutine to extract a witness. E queries to the oracle O and forwards the responses to the adversary whenever the adversary queries to O. E gives x to A. A chooses (m 0 , m 1 ) and sends them to E. Let x be the instance of special Subset-Sum: given a multi-set of d-vectors Δ = {(v i : i )} i∈I of positive integers and a target sum vector s of positive integers such that ( i + 1)v i s for each i ∈ I . Intuitively, y i represents α v i , y represents m b + α s , y represents m 0 and y represents m 1 . Those variables are used to keep track of adversary's computation. E gives those handles {h i } i∈I ∪ h, h , h to A. E answers the multilinear maps oracle queries for addition, subtraction and multiplication as defined in Appendix E. To answer the zero-test queries, E instantiates those variables with its real values and test whether the results are zeros.
Note that our proof also works when the handles for group generators h → [1] T and h i → [1] V i ) for i ∈ I are given to the adversary, although our scheme itself does not need to give the group generators. The elements of the other index level are hidden.
We define an extraction function ext over the polynomials z produced by the adversary. The ext(z) returns an |I |-vector of integers as follows: For i ∈ I, ext(y i ) = u with u a |I |-vector of 0 except a 1 on its i-th element ext(y) = ext y = ext y = 0 ext(z 1 · z 2 ) = ext(z 1 ) + ext(z 2 ) Apparently this extraction function can be efficiently computed for any polynomial z.
Lemma 2 For any formal polynomials z produced by A at an index level U := X u with U ⊆ T for some d-vector u (u ≤ s). Let ext(z) = δ 1 , . . . , δ |I | .
(1) ext(z) = 0 iff z is constructed by only using variable y, y , y .
(2) If ext(z) = 0, then i∈I δ i v i = u and 0 ≤ δ i ≤ i for each i ∈ I .
Proof The proof of the two results goes by induction on the structure of z.
(1) if z = y i , its index level is X v i and ext(z) = (δ 1 , . . . , δ |I | ) with δ i = 1 and δ j = 0 for j = i. Clearly we have j∈I δ j v j = v i . (2) if z is y, y , or y , we have ext(z) = 0.
(3) if z = z 1 + z 2 , according to the definition of M, we know z 1 , z 2 are both the polynomials of the same index level X u . By induction hypothesis, ext(z 1 ) = 0 (ext(z 2 ) = 0) iff z 1 (z 2 ) is constructed by only using y. By definition of ext, for ext(z) to be 0, it must be ext(z 1 ) and ext(z 2 ) are both 0, i.e., both z 1 and z 2 are constructed by only using y, y , y . That is to say ext(z) = 0 iff z is constructed by only using y, y , y . Hence the first result holds. W.l.o.g., assume ext(z 1 ) = 0. Let ext(z 1 ) = δ 1 , . . . , δ |I | . By induction hypothesis, we have i∈I δ i v i = u, and δ i ≤ i for each i ∈ I . By definition, ext(z) = (δ 1 , . . . , δ |I | ), and hence the second result holds. (4) if z = z 1 − z 2 , simiar as above. (5) if z = z 1 · z 2 , by definition of ext, for ext(z) to be 0, it must be ext(z 1 ) and ext(z 2 ) are both 0, i.e., both z 1 and z 2 are constructed by only using y, y , y . That is to say ext(z) = 0 iff z is constructed by only using y, y , y . Hence the first result holds.
Let ext(z 1 ) = δ 1 , . . . , δ |I | and ext(z 2 ) = δ 1 , . . . , δ |I | . Assume z 1 is a polynomial on index level X u and z 2 is a polynomial on index level X w . Then z is a polynomial on index level X u+w . By induction hypothesis, we know that i∈I δ i v i = u and δ i ≤ i for each i ∈ I , and i∈I δ i v i = w and δ i ≤ i for each i ∈ I . Since ext(z) = δ 1 + δ 1 , . . . , δ |I | + δ |I | , we have i∈I (δ i + δ i )v i = u + w.
We are now left to show that for any i ∈ I , δ i + δ i ≤ i . Assume for some i ∈ I , δ i + δ i > i . We shall show that U T . From the condition i v i s, we know that (u 1 , . . . , u d ) s. But this multiplication will be rejected by the multilinear map oracle. This contradicts the assumption.

Lemma 3
A formal polynomial z produced by the adversary A on the top index level s can be rewritten into z = f (y 1 , . . . , y |I | ) + a · y + a · y + a · y for some integers a, a , a by The soundness security states that if x / ∈ L then no adversary that runs in time t can break the scheme with probability more than ε. An alternative definition for soundness security called adaptive soundness is given in [8].
The soundness security of our scheme will be based on the following multilinear counting subset-sum Diffie-Hellman (mCSDH) assumption: