Time-lock puzzles and timed-release Crypto

Ronald L. Rivest, Adi Shamir, and David A. Wagner

Revised March

MIT Laboratory for Computer Science
Technology Square, Cambridge, Mass.

Weizmann Institute of Science
Applied Mathematics Department
Rehovot

Computer Science Department
UC Berkeley
Berkeley, California

{rivest,shamir}@theory.lcs.mit.edu, daw@cs.berkeley.edu

Introduction

Our motivation is the notion of "timed-release crypto," where the goal is to encrypt a message so that it cannot be decrypted by anyone, not even the sender, until a predetermined amount of time has passed. The goal is to "send information into the future." This problem was first discussed by Timothy May.

What are the applications of timed-release crypto? Here are a few possibilities (some due to May):

- A bidder in an auction wants to seal his bid so that it can only be opened after the bidding period is closed.

- A homeowner wants to give his mortgage holder a series of encrypted mortgage payments. These might be encrypted digital cash with different decryption dates, so that one payment becomes decryptable (and thus usable by the bank) at the beginning of each successive month.

- An individual wants to encrypt his diaries so that they are only decryptable after fifty years.

- A key-escrow scheme can be based on timed-release crypto, so that the government can get the message keys, but only after a fixed period (say, one year).

There are presumably many other applications.

There are two natural approaches to implementing timed-release crypto:

- Use "time-lock puzzles": computational problems that cannot be solved without running a computer continuously for at least a certain amount of time.

- Use trusted agents who promise not to reveal certain information until a specified date.

Using trusted agents has the obvious problem of ensuring that the agents are trustworthy; secret-sharing approaches can be used to alleviate this concern. Using time-lock puzzles has the problem that the CPU time required to solve a problem can depend on the amount and nature of the hardware used to solve the problem, as well as on the parallelizability of the computational problem being solved.

In this note we explore both approaches. (We note that Tim May has suggested an approach based on the use of trusted agents.)

Time-lock puzzles

We first explore an approach based on computational complexity: we study the problem of creating computational puzzles, called "time-lock puzzles," that require a precise amount of time to solve. The solution to the puzzle reveals a key that can be used to decrypt the encrypted information. This approach has the obvious problem of trying to make CPU time and real time agree as closely as possible, but is nonetheless interesting.

The major difficulty to be overcome, as noted above, is that those with more computational resources might be able to solve the time-lock puzzle more quickly, by using large parallel computers, for example. Our goal is thus to design time-lock puzzles that, to the greatest extent possible, are "intrinsically sequential" in nature, and cannot be solved substantially faster with large investments in hardware. In particular, we want our puzzles to have the property that putting computers to work together in parallel doesn't speed up finding the solution. (Solving the puzzle should be like having a baby: two women can't have a baby in half the time.) We propose an approach to building puzzles that appears to be intrinsically sequential in the desired manner.

Of course, our approach yields puzzles with a solution time that is only approximately controllable, since different computers work at different speeds. For example, the underlying technology may be different: gallium arsenide gates are faster than silicon gates. If precise timing of the information release is essential, an approach based on the use of trusted agents is preferable.

We also note that with our approach the puzzle doesn't automatically become solvable at a given time; rather, a computer needs to work continuously on the puzzle until it is solved. A ten-year puzzle needs some dedicated workstation working away for ten years to solve it. If the computing doesn't start until five years after the puzzle was made, then the solution won't be found until ten years after that (perhaps a bit less, if technology has improved in the meantime). Our approach therefore requires much more in the way of computational resources than an approach based on trusted agents, and thus may be best suited for relatively simple puzzles (with time-to-solution under a month, say). Nonetheless, we feel that our approach has sufficient utility to merit this exposition.

An unworkable approach

We begin by presenting an approach that doesn't work well. Let M denote the information to be encrypted for a period of time. Let S denote the speed of a workstation, measured in decryptions per second. Then, to encrypt M to be decryptable after T seconds, we choose a conventional cryptosystem (say RC5) with a key size of approximately $k = \lg(ST)$ bits, and encrypt M with a k-bit key. We save the ciphertext and throw away the key. By using exhaustive search of the key space, a workstation will take about T seconds on the average to find the key.

We note that Merkle was the first to suggest this method of designing puzzles, and was also the first to introduce the notion of a "puzzle" in research that ultimately led to the invention of the concept of public-key cryptography.

There are two problems with this way of building a time-lock puzzle (by encrypting M with a conventional cipher):

- A brute-force key search is trivially parallelizable, so that N computers make the computation run N times faster.

- The computation time estimate of T seconds is only an expected running time; the actual running time could be significantly larger or smaller, depending on the order in which the keys are examined.

These problems are fixed in the proposal given next.

Creating a time-lock puzzle

We now show a method for creating time-lock puzzles based on repeated squaring. Our approach can also be viewed as an application of the "random-access" property of the Blum-Blum-Shub $x^2 \bmod n$ pseudorandom number generator. We actually propose a scheme that is a variation on the $x^2 \bmod n$ generator, but the differences are nonessential and the original scheme could have been used as well here. (An early version of our paper suggested a different approach, based on superencryption in RSA; the current approach is considerably simpler.)

Here is our approach. Suppose Alice has a message M that she wants to encrypt with a time-lock puzzle for a period of T seconds.

- She generates a composite modulus $n = pq$ as the product of two large randomly-chosen secret primes p and q. She also computes $\phi(n) = (p-1)(q-1)$.

- She computes $t = TS$, where S is the number of squarings modulo n per second that can be performed by the solver.

- She generates a random key K for a conventional cryptosystem, such as RC5. This key is long enough (say bits or more) that searching for it is infeasible, even with the advances in computing power expected during the lifetime of the puzzle.

- She encrypts M with key K and encryption algorithm RC5 to obtain the ciphertext $C_M = RC5(K, M)$.

- She picks a random a modulo n (with $1 < a < n$) and encrypts K as $C_K = K + a^{2^t} \pmod{n}$. To do this efficiently, she first computes $e = 2^t \pmod{\phi(n)}$ and then computes $b = a^e \pmod{n}$.

- She produces as output the time-lock puzzle $(n, a, t, C_K, C_M)$ and erases any other variables (such as p, q) created during this computation.

We add as a technical footnote here the remark that p, q, and a can be chosen carefully so that 2 is guaranteed to have a large order modulo $\phi(n)$, and so that a is guaranteed to have a large order modulo n. See Blum, Blum, and Shub for some relevant discussion. However, choosing p, q, and a randomly should give the desired level of difficulty with overwhelming probability, so that these precautions are not expected to be necessary in practice. Indeed, in practice choosing a fixed value $a = 2$ should be safe with high probability. Since there are other risks in the whole approach (e.g. an adversary could just guess K), aiming for perfection in the number theory is probably overkill.

Solving the puzzle

By design, searching for the RC5 key K directly is infeasible, so the fastest known approach to solving the puzzle is to determine $b = a^{2^t} \pmod{n}$ somehow. Knowing $\phi(n)$ enables $2^t$ to be reduced efficiently to e modulo $\phi(n)$, so that b can be computed efficiently as $b = a^e \bmod n$. However, computing $\phi(n)$ from n is provably as hard as factoring n, so that once Alice publishes the puzzle and throws away the key (throws away the factors p and q), there seems to be no faster way of computing b than to start with a and perform t squarings sequentially, each time squaring the previous result.

While factoring n is certainly an alternative attack for solving the puzzle, when p and q are large enough the factoring approach is far less efficient than repeated squaring.

The number t of squarings required to solve the puzzle can be exactly controlled. Thus we can create puzzles of various desired levels of difficulty.
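The puzzle construction and the sequential solver above, as an added example that is not code from the original paper. It uses Python's built-in big integers; the primes are small constructed sample values (a real puzzle needs large random primes), the squaring rate S is made up, and RC5 is replaced by a SHA-256 keystream XOR, which is a stand-in assumption rather than the cipher the paper names.

```python
# Added example (not the paper's own code): a complete time-lock puzzle built
# from repeated squaring modulo n = pq, as described in the text above.
# Assumptions: RC5 is replaced by a SHA-256 keystream XOR; the primes used in
# the demo are tiny constructed samples; S (squarings per second) is made up.
import hashlib
import secrets

def _keystream(K: int, length: int) -> bytes:
    """Stand-in for a conventional cipher keyed by K (assumption, not RC5)."""
    key_bytes = K.to_bytes(max(1, (K.bit_length() + 7) // 8), "big")
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key_bytes + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt_with_key(K: int, data: bytes) -> bytes:
    """C_M = E(K, M); XOR with the keystream, so the same call also decrypts."""
    return bytes(x ^ y for x, y in zip(data, _keystream(K, len(data))))

def sequential_squarings(a: int, t: int, n: int) -> int:
    """The solver's only known route: t squarings, each depending on the last."""
    b = a % n
    for _ in range(t):
        b = b * b % n
    return b                       # a^(2^t) mod n

def shortcut_squarings(a: int, t: int, p: int, q: int) -> int:
    """Alice's trapdoor: knowing phi(n) lets her reduce the exponent first."""
    phi = (p - 1) * (q - 1)        # phi(n), erased after puzzle generation
    e = pow(2, t, phi)             # e = 2^t mod phi(n)
    return pow(a, e, p * q)        # b = a^e mod n = a^(2^t) mod n

def generate_puzzle(message: bytes, p: int, q: int, T_seconds: int,
                    S_per_second: int, a: int = 2):
    """Alice's side. Returns the public puzzle (n, a, t, C_K, C_M).
    t = T*S squarings; K is drawn from 1..n-1 so that it fits modulo n."""
    n = p * q
    t = T_seconds * S_per_second
    K = secrets.randbelow(n - 1) + 1
    C_M = encrypt_with_key(K, message)
    b = shortcut_squarings(a, t, p, q)
    C_K = (K + b) % n              # C_K = K + a^(2^t) (mod n)
    return (n, a, t, C_K, C_M)

def solve_puzzle(puzzle) -> bytes:
    """Solver's side: no p, q or phi(n); just t sequential squarings."""
    n, a, t, C_K, C_M = puzzle
    b = sequential_squarings(a, t, n)
    K = (C_K - b) % n
    return encrypt_with_key(K, C_M)

if __name__ == "__main__":
    # Constructed sample primes (tiny by design) and a made-up rate S.
    p, q = 104729, 1299709
    puzzle = generate_puzzle(b"sealed bid", p, q, T_seconds=2, S_per_second=500)
    print("solver recovers:", solve_puzzle(puzzle))
```

The point to observe is the asymmetry: `shortcut_squarings` costs one modular exponentiation with a reduced exponent, while `sequential_squarings` has no way to skip ahead because every iteration consumes the previous result. The count t is exact; how long it takes in wall-clock time still depends on the solver's actual squaring rate, which is the caveat the text raises.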

More importantly, repeated squaring seems to be an "intrinsically sequential" process. We know of no obvious way to parallelize it to any large degree. (A small amount of parallelization may be possible within each squaring.) Having many computers is no better than having one. (But having one fast computer is better than one slow one.) The degree of variation in how long it might take to solve the puzzle depends on the variation in the speed of single computers, and not on one's total budget. Since the speed of hardware available to individual consumers is within a small constant factor of what is available to large intelligence organizations, the difference in time to solution is reasonably controllable. We admit that more control here might be desirable, but with a complexity-based approach such as this one there is not much that can be done to compensate for different gate speeds.

Using trusted agents

A natural approach is to use a trusted agent to store the message M until its desired release time t. As an extension of this idea, the message M could be shared among several agents, using standard secret-sharing techniques such as the one proposed by Shamir, who all agree to release their shares at time t. The message M can then be reconstructed from those shares. As a further refinement, the agents can be asked to store shares of a cryptographic key K instead of shares of M. This reduces the storage demands on the agents. Then the encryption $C = E(K, M)$ of M with key K can be kept in some publicly available location. At time t the key K can be reconstructed and C decrypted to yield M. These ideas are discussed briefly by May. Related work on time-lock puzzles and verifiable partial-key escrow has been developed by Bellare and Goldwasser.

We suggest here an alternative (but related) approach that has the following properties and implementation:

- The agents are not "escrow agents" as they are in May's proposal: they do not have to store any information that is given to them by the user. The amount of storage required for an agent is fixed and bounded, independent of the number of timed-release user secrets that he has been asked to help out with.

- The main task of an agent is to periodically (say, at the beginning of each hour) publish a previously secret value. We let $s_{i,t}$ denote the secret published by agent i at time t. The agent will digitally sign all secrets $s_{i,t}$ he publishes, using some standard digital signature scheme.

- The only other task that an agent must perform is to respond to requests of the form "Here are values for y and t; please return $E(s_{i,t}, y)$, the encryption of y under the secret key $s_{i,t}$ that you will reveal at future time t." The agent will only perform encryptions, never decryptions. It is assumed that the encryption algorithm is secure against chosen-message attacks, so that an adversary can obtain many encryptions of various y's with some future $s_{i,t}$ and will not be able to thereby deduce $s_{i,t}$. Having received the request, the agent will return an encrypted, digitally signed copy of the message $(i, t, t', E(s_{i,t}, y))$, where i is the index of the agent, t is the future time requested, t' is the current time (by the agent's clock), and $E(s_{i,t}, y)$ is the requested ciphertext. The message is encrypted with the public key of the requestor and then signed with the agent's private key. The agent need not require that $t' < t$, although this will be the normal case.

- Anyone can set himself up in business as a trusted agent, without requiring coordination between himself and other agents. More precisely, the sequence of secrets published by one agent is independent of the sequence of secrets published by any other agent.

- The sequence of secrets published by each agent has the property that from $s_{i,t}$ one can easily compute $s_{i,t'}$ for all $t' < t$. The secret the agent reveals at time t can be used to compute all of his previously published secrets. Thus, it suffices to ask an agent for his latest secret in order to learn all of his previously published secrets. This can be easily implemented by having the secrets satisfy a recurrence such as $s_{i,t} = f(s_{i,t+1})$ for some suitable (but otherwise arbitrary) one-way function f. Because f is one-way, publishing $s_{i,t}$ does not reveal any future secrets $s_{i,t'}$ for $t' > t$. The agent might precompute his sequence of secrets, beginning with a randomly chosen secret for some point in the distant future and working backwards, or he might choose f as a trapdoor one-way function, so that only he can compute $s_{i,t+1}$ from $s_{i,t}$.

- The message M to be released at time t is encrypted with a randomly chosen key K and a conventional encryption algorithm, to yield a ciphertext $C = E(K, M)$. The user picks some number d of agents $i_1, i_2, \ldots, i_d$ and publishes $(C, i_1, i_2, \ldots, i_d, r_1, r_2, \ldots, r_d)$, where $r_1, r_2, \ldots, r_d$ are d "timed-release shares" of the key K that will allow K to be reconstructed once time t is reached and the agents publish their secrets for time t. The user may pick a threshold (no larger than d) such that one can reconstruct K given that many or more timed-release shares and the corresponding agents' secrets for time t. To accomplish this, the user splits K into d shares $y_1, y_2, \ldots, y_d$ according to some standard secret-sharing scheme with that threshold, and then asks agent $i_j$ (for $1 \le j \le d$) to produce the value $r_j = E(s_{i_j,t}, y_j)$, the encryption of share $y_j$ of K with the secret $s_{i_j,t}$ of agent $i_j$ that will be revealed at time t. This request should be encrypted with the public key of the agent, and the reply should be encrypted and signed as described earlier.

The agents in this scheme are extremely simple; they only need:

- to produce an unpredictable sequence of secrets satisfying the recurrence above,

- to decrypt a message of the form (y, t, e, n) encrypted with the public key of the agent,

- to encrypt values y under the secret $s_{i,t}$ to be revealed by the agent at time t,

- to return the resulting ciphertext, signed by the agent and then encrypted with the public key (e, n) of the requestor, and

- to publish a signed version of $s_{i,t}$ at time t.
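The agent protocol and the user's share deposit and recovery, as an added example that is not code from the original paper. It covers the one-way recurrence $s_{i,t} = f(s_{i,t+1})$ (precomputed backwards from a random far-future secret), the Shamir split of K, the encryption of each share under a not-yet-revealed secret, and recovery once enough agents have published. Assumptions, all labelled in the code: f is SHA-256; E(s, y) is a stand-in one-time pad over the share field; times are small integers; and the signatures and public-key wrapping of requests and replies described in the text are omitted.

```python
# Added example (not the paper's own code): the trusted-agent scheme above,
# with a hash chain s_{i,t} = f(s_{i,t+1}), Shamir shares of the key K, and
# shares encrypted under the agents' not-yet-revealed secrets. Assumptions:
# f is SHA-256; E(s, y) is a stand-in one-time pad over the share field;
# times are integers 0..HORIZON; signatures and the public-key wrapping of
# requests and replies are left out.
import hashlib
import secrets

P = 2**127 - 1   # prime field for Shamir secret sharing (2^127 - 1 is prime)
HORIZON = 48     # last time index for which an agent has precomputed a secret

def f(s: bytes) -> bytes:
    """One-way function driving the secret sequence (assumed: SHA-256)."""
    return hashlib.sha256(s).digest()

def encrypt_under(s: bytes, y: int) -> int:
    """E(s, y): stand-in encryption of share y under secret s (assumption)."""
    pad = int.from_bytes(hashlib.sha256(b"pad|" + s).digest(), "big") % P
    return (y + pad) % P

def decrypt_under(s: bytes, c: int) -> int:
    pad = int.from_bytes(hashlib.sha256(b"pad|" + s).digest(), "big") % P
    return (c - pad) % P

class Agent:
    def __init__(self, index: int, horizon: int = HORIZON):
        self.index = index
        self.now = 0                    # the agent's own clock
        # Start from a random secret for the distant future and work backwards,
        # so that chain[t] == f(chain[t+1]) and chain[t] plays the role of s_{i,t}.
        chain = [secrets.token_bytes(32)]
        for _ in range(horizon):
            chain.append(f(chain[-1]))
        chain.reverse()
        self._secrets = chain

    def encrypt_share(self, y: int, t: int) -> tuple:
        """Serve request (y, t): return (i, t, t', E(s_{i,t}, y)). Never decrypts."""
        return (self.index, t, self.now, encrypt_under(self._secrets[t], y))

    def publish(self, t: int) -> bytes:
        """Reveal s_{i,t}; refused while the agent's clock is still before t."""
        if t > self.now:
            raise PermissionError("secret for a future time is never revealed")
        return self._secrets[t]

def derive_earlier(s_t: bytes, t: int, t_earlier: int) -> bytes:
    """From s_{i,t} anyone can compute s_{i,t'} for t' < t by iterating f."""
    for _ in range(t - t_earlier):
        s_t = f(s_t)
    return s_t

def split_secret(K: int, threshold: int, d: int) -> list:
    """Shamir: d points on a random degree-(threshold-1) polynomial with K at x=0."""
    coeffs = [K % P] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(j, sum(c * pow(j, k, P) for k, c in enumerate(coeffs)) % P)
            for j in range(1, d + 1)]

def reconstruct(shares: list) -> int:
    """Lagrange interpolation at x = 0 over at least threshold-many distinct shares."""
    total = 0
    for xj, yj in shares:
        num = den = 1
        for xm, _ in shares:
            if xm != xj:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, P - 2, P)) % P
    return total

def deposit(K: int, agents: list, t: int, threshold: int) -> list:
    """User side: publish (i_j, j, r_j) with r_j = E(s_{i_j,t}, y_j) per agent."""
    shares = split_secret(K, threshold, len(agents))
    published = []
    for agent, (j, y_j) in zip(agents, shares):
        i, _t, _t_now, r_j = agent.encrypt_share(y_j, t)
        published.append((i, j, r_j))
    return published

def recover(published: list, agents_by_index: dict, t: int) -> list:
    """Collect the shares decryptable with the secrets agents have revealed so far."""
    shares = []
    for i, j, r_j in published:
        try:
            s = agents_by_index[i].publish(t)
        except (KeyError, PermissionError):   # agent gone, or time t not reached
            continue
        shares.append((j, decrypt_under(s, r_j)))
    return shares
```

Before time t, `recover` returns nothing, because no agent will publish a future secret; after it, any threshold-sized subset of surviving agents suffices, which is the robustness argument the text makes. `derive_earlier` shows the other stated property: one published secret yields all earlier ones, while later ones stay hidden behind f.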

Since such a simple agent could be built into a small tamper-proof device quite easily, one can produce implementations of such agents that are highly secure.

The fact that the scheme is based on secret-sharing with a threshold gives robustness, both against the possible corruption of one or more agents (who might sell future values of their secrets) and against the death or disappearance of one or more agents. As long as at least the threshold number of agents are still around at time t, the message M will be reconstructable at time t (and at any later time). As long as fewer than the threshold number of agents have been corrupted, the message M will not be revealed before time t.

This scheme is not "verifiable," in the sense that an observer who sees the published material $(C, i_1, \ldots, i_d, r_1, \ldots, r_d)$ cannot verify that it is the proper encryption of anything in particular. Only when the secrets of time t are published can he decrypt the shares $r_j$ to obtain the corresponding $y_j$ values that allow him to reconstruct K and thus obtain M. Standard verifiable secret-sharing techniques aren't particularly applicable here, since the message M could be junk even if K was verifiably shared. (We note that in principle it is possible, albeit difficult, to prove certain properties of M to a verifier without having to reveal K or M.)

Because the agent includes the current time t' in his signed reply to an encryption request, he acts as a simple time-stamping service (e.g. in the sense of Haber and Stornetta). A user can give the agent the cryptographic hash value h(M) of some message M and ask the agent to sign and encrypt it with $s_{i,t}$ for some value of t. The signed hash value becomes decryptable at time t, thus proving (assuming that the agent is trustworthy) that the document M existed at time t'. Normally one might have $t' < t$, but a user might choose $t' > t$ in some cases. For example, in an auction it may be required that the bids be submitted before some time $t_1$ and that they be opened at time $t_2$. The user would submit the encryption key K for his bid at time $t' < t_1$ and ask for it to be encrypted with $s_{i,t}$ where $t = t_2$.

An off-line version

The previous protocol can be converted to an off-line protocol as follows. Each trusted agent constructs a public/private key pair $(E_{i,t}, D_{i,t})$ for each future time t. The public key $E_{i,t}$ is published immediately, and the private key $D_{i,t}$ is published at time t. Of course, a trusted agent always digitally signs the published E's and D's under his master public key, to eliminate would-be imposters.

The E's and D's directly replace the s's; now the user can perform the encryption of the y's himself, without needing to invoke the trusted agent. The trusted agent can now be entirely off-line, except for the periodic publication of the D's.

On the other hand, in this off-line formulation it seems hard to encode any structure into the agent's keys, so it seems to require more storage to store the list of public keys for the future and the private keys revealed for the past. At bytes per key, storing one key for each day of the next fifty years requires about megabytes.

Another disadvantage of this off-line approach is that the agents are no longer usable or available as time-stamping agents.

Conclusions

We have suggested a way to create time-lock puzzles which require approximately a certain amount of time (real time, not total CPU time) to solve. We have also discussed a way to use trusted agents to efficiently enable timed-release crypto.

References

Mihir Bellare and Shafi Goldwasser. Verifiable partial key escrow. Technical Report CS, Dept. of Computer Science and Engineering, UC San Diego, October.

Shimshon Berkovits. Factoring via superencryption. Cryptologia, July.

L. Blum, M. Blum, and M. Shub. A simple unpredictable pseudo-random number generator. SIAM J. Computing, May.

Shafi Goldwasser. Personal communication.

S. Haber and W. S. Stornetta. How to time-stamp a digital document. Journal of Cryptology.

Timothy C. May. Timed-release crypto. February. httpwwwhksnetcpunkscpunkshtml

R. C. Merkle. Secure communications over insecure channels. Communications of the ACM, April.

Ronald L. Rivest. Remarks on a proposed cryptanalytic attack of the MIT public-key cryptosystem. Cryptologia, January.

Ronald L. Rivest. The RC5 encryption algorithm. In Bart Preneel, editor, Fast Software Encryption. Springer. Proceedings, Second International Workshop, Dec., Leuven, Belgium.

Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM.

A. Shamir. How to share a secret. Communications of the ACM, November.

Gustavus J. Simmons and Michael J. Norris. Preliminary comments on the MIT public-key cryptosystem. Cryptologia, October.

H. C. Williams and B. Schmid. Some remarks concerning the MIT public-key cryptosystem. BIT.