On the security of time-lock puzzles and timed commitments
Theory of Cryptography: 18th International Conference, TCC 2020, Durham, NC …, 2020•Springer
Time-lock puzzles—problems whose solution requires some amount of sequential effort—
have recently received increased interest (eg, in the context of verifiable delay functions).
Most constructions rely on the sequential-squaring conjecture that computing g^ 2^ T\bmod
N for a uniform g requires at least T (sequential) steps. We study the security of time-lock
primitives from two perspectives: 1. We give the first hardness result about the sequential-
squaring conjecture in a non-generic model of computation. Namely, in a quantitative …
have recently received increased interest (eg, in the context of verifiable delay functions).
Most constructions rely on the sequential-squaring conjecture that computing g^ 2^ T\bmod
N for a uniform g requires at least T (sequential) steps. We study the security of time-lock
primitives from two perspectives: 1. We give the first hardness result about the sequential-
squaring conjecture in a non-generic model of computation. Namely, in a quantitative …
Abstract
Time-lock puzzles—problems whose solution requires some amount of sequential effort—have recently received increased interest (e.g., in the context of verifiable delay functions). Most constructions rely on the sequential-squaring conjecture that computing for a uniform g requires at least T (sequential) steps. We study the security of time-lock primitives from two perspectives:
- 1. We give the first hardness result about the sequential-squaring conjecture in a non-generic model of computation. Namely, in a quantitative version of the algebraic group model (AGM) that we call the strong AGM, we show that any speed up of sequential squaring is as hard as factoring N.
- 2. We then focus on timed commitments, one of the most important primitives that can be obtained from time-lock puzzles. We extend existing security definitions to settings that may arise when using timed commitments in higher-level protocols, and give the first construction of non-malleable timed commitments. As a building block of independent interest, we also define (and give constructions for) a related primitive called timed public-key encryption.
Springer
