Time-Lock Puzzle with Examinable Evidence of Unlocking Time

Good afternoon. I’ll be sticking to the auditability theme. This is about a protocol which was proposed by Rivest, Shamir and Wagner. It’s a timelock puzzle and to start with I will look at what is a timelock puzzle and what is its use, and then look at the RSW scheme, and then it will be an obvious requirement for auditability, to establish that the puzzle can really be solved within the stated time. Before going into details I look at what the puzzle actually is. It is timedrelease cryptography, which takes a very long time, or any specifiable length of time, to solve. Once it’s solved you then know some bits of crypto. It is based on RSA, and now there is argument about how to name RSA, somebody says it’s the alleged trademark of the cryptography used, so somebody else says it’s secret order, like discrete logarithm, address the problem rather than the inventor’s name. Now the applications of time-release cryptography. Obviously there are several, say a bidder wants to seal a bid for a bidding period, another thing is sending messages to the future, a secret to be read in 50 years’ time, and another thing is key escrow architecture. Key escrow is this thing where there is a requirement to escrow some keys so that they can be recovered, and the danger is vast scale intrusion. So with timed-release cryptography it will take some time to produce a key, although we mustn’t waste a tremendous amount of time, but vast scale penetration becomes infeasible, becomes an individual criminal does not have the resources, so this is an example of a real application. Now look at the RSW scheme. It is based on a secret order to an element. Suppose Alice has a secret to encrypt with a timelock puzzle for t units of time to solve. She generates two big primes p, q and multiplies them to obtain n, and then picks a random session key K and encrypts with this the message M using conventional key cryptography to get CM . Then she encrypts the session key K using RSA, by adding a modulo n to give CK . Here a is a random element and this exponent e is defined as 2 mod φ(n) where t is the number of timesteps needed to solve the puzzle. Since Alice generated p and q she can compute this e easily, whereas without knowing the factorization you cannot compute φ(n). Now CM and a and CK are published, so this triple becomes the timelock puzzle. So if we analyse it we know that to decrypt messageM from CM you need obviously the correct key, assume this, and to decrypt K from CK you need to compute a mod n. Without knowing the factorization of n it seems that the only known way to compute a is by a repeated squaring of a, so that is t multiplications.