Time-Lock Puzzles and Timed-Release Crypto

Ronald L. Rivest, Adi Shamir, and David A. Wagner

Revised March

MIT Laboratory for Computer Science, Technology Square, Cambridge, Mass.
Weizmann Institute of Science, Applied Mathematics Department, Rehovot, Israel
Computer Science Department, UC Berkeley, Berkeley, California
{rivest,shamir}@theory.lcs.mit.edu, daw@cs.berkeley.edu

Introduction

Our motivation is the notion of timed-release crypto, where the goal is to encrypt a message so that it can not be decrypted by anyone, not even the sender, until a pre-determined amount of time has passed. The goal is to send information into the future. This problem was first discussed by Timothy May.

What are the applications of timed-release crypto? Here are a few possibilities (some due to May):

  • A bidder in an auction wants to seal his bid so that it can only be opened after the bidding period is closed.
  • A homeowner wants to give his mortgage holder a series of encrypted mortgage payments. These might be encrypted digital cash with different decryption dates, so that one payment becomes decryptable (and thus usable by the bank) at the beginning of each successive month.
  • An individual wants to encrypt his diaries so that they are only decryptable after fifty years.
  • A key-escrow scheme can be based on timed-release crypto, so that the government can get the message keys, but only after a fixed period (say one year).

There are presumably many other applications.

There are two natural approaches to implementing timed-release crypto:

  • Use time-lock puzzles: computational problems that can not be solved without running a computer continuously for at least a certain amount of time.
  • Use trusted agents who promise not to reveal certain information until a specified date.

Using trusted agents has the obvious problem of ensuring that the agents are trustworthy; secret-sharing approaches can be used to alleviate this concern. Using time-lock puzzles has the problem that the CPU time required to solve a problem can depend on the amount and nature of the hardware used to solve the problem, as well as the parallelizability of the computational problem being solved.

In this note we explore both approaches. (We note that Tim May has suggested an approach based on the use of trusted agents.)

Time-lock puzzles

We first explore an approach based on computational complexity; we study the problem of creating computational puzzles, called time-lock puzzles, that require a precise amount of time to solve. The solution to the puzzle reveals a key that can be used to decrypt the encrypted information. This approach has the obvious problem of trying to make CPU time and real time agree as closely as possible, but is nonetheless interesting.

The major difficulty to be overcome, as noted above, is that those with more computational resources might be able to solve the time-lock puzzle more quickly, by using large parallel computers, for example. Our goal is thus to design time-lock puzzles that, to the greatest extent possible, are intrinsically sequential in nature, and can not be solved substantially faster with large investments in hardware. In particular, we want our puzzles to have the property that putting computers to work together in parallel doesn't speed up finding the solution. (Solving the puzzle should be like having a baby: two women can't have a baby in months.)

We propose an approach to building puzzles that appears to be intrinsically sequential in the desired manner.

Of course, our approach yields puzzles with a solution time that is only approximately controllable, since different computers work at different speeds. For example, the underlying technology may be different: gallium arsenide gates are faster than silicon gates. If precise timing of the information release is essential, an approach based on the use of trusted agents is preferable.

We also note that with our approach, the puzzle doesn't automatically become solvable at a given time; rather, a computer needs to work continuously on the puzzle until it is solved. A ten-year puzzle needs some dedicated workstation working away for ten years to solve it. If the computing doesn't start until five years after the puzzle was made, then the solution won't be found until ten years after that (perhaps a bit less if technology has improved in the meantime). Our approach therefore requires much more in the way of computational resources than an approach based on trusted agents, and thus may be best suited for relatively simple puzzles (with time-to-solution under a month, say).

Nonetheless, we feel that our approach has sufficient utility to merit this exposition.

An unworkable approach

We begin by presenting an approach that doesn't work well. Let M denote the information to be encrypted for a period of time. Let S denote the speed of a workstation, measured in decryptions per second. Then to encrypt M to be decryptable after T seconds, we choose a conventional cryptosystem (say RC) with a key size of approximately k lgST bits and encrypt M with a k-bit key. We save the ciphertext and throw away the key. By using exhaustive search of the key space, a workstation will take about T seconds, on the average, to find the key.

We note that Merkle was the first to suggest this method of designing puzzles, and was also the first to introduce the notion of a puzzle, in research that ultimately led to the invention of the concept of public-key cryptography.

There are two problems with this way of building a time-lock puzzle by encrypting M with a conventional cipher:

  • A brute-force key-search is trivially parallelizable, so that N computers make the computation run N times faster.
  • The computation time estimate of T seconds is only an expected running time; the actual running time could be significantly larger or smaller, depending on the order in which the keys are examined.

These problems are fixed in the proposal given next.

Creating a time-lock puzzle

We now show a method for creating time-lock puzzles based on repeated squaring. Our approach can also be viewed as an application of the random-access property of the Blum-Blum-Shub x mod n pseudo-random number generator. (We actually propose a scheme that is a variation on the x mod n generator, but the differences are nonessential and the original scheme could have been used as well here.) (An early version of our paper suggested a different approach based on super-encryption in RSA; the current approach is considerably simpler.)

Here is our approach. Suppose Alice has a message M that she wants to encrypt with a time-lock puzzle for a period of T seconds.

  • She generates a composite modulus n = pq as the product of two large randomly-chosen secret primes p and q. She also computes np q
  • She computes t = TS where S is the number of squarings modulo n per second that can be performed by the solver.
  • She generates a random key K for a conventional cryptosystem, such as RC. This key is long enough (say bits or more) that searching for it is infeasible, even with the advances in computing power expected during the lifetime of the puzzle.
  • She encrypts M with key K and encryption algorithm RC to obtain the ciphertext C_M = RC(K, M).
  • She picks a random a modulo n (with an), and encrypts K as t C K a mod n K. To do this efficiently, she first computes t e mod n and then computes e b a mod n
  • She produces as output the time-lock puzzle (n, a, t, C_K, C_M), and erases any other variables (such as p, q) created during this computation.

We add as a technical footnote here the remark that p, q and a can be chosen carefully so that is guaranteed to have a large order modulo n, and so that a is guaranteed to have a large order modulo n. See Blum, Blum, and Shub for some relevant discussion. However, choosing p, q and a randomly should give the desired level of difficulty with overwhelming probability, so that these precautions are not expected to be necessary in practice. (Indeed, in practice choosing a fixed value a should be safe with high probability.) Since there are other risks in the whole approach (e.g. an adversary could just guess K), aiming for perfection in the number theory is probably overkill.

Solving the puzzle

By design, searching for the RC key K directly is infeasible, so the fastest known approach to solving the puzzle is to determine t mod n b a t somehow.

Knowing n enables to be reduced efficiently to e modulo n, so that b can be computed efficiently by equation. However, computing n from n is provably as hard as factoring n, so that once Alice publishes the puzzle and throws away the key (throws away the factors p and q), there seems to be no faster way of computing b than to start with a and perform t squarings sequentially (each time squaring the previous result).

While factoring n is certainly an alternative attack for solving the puzzle, when p and q are large enough the factoring approach is far less efficient than repeated squaring.

The number t of squarings required to solve the puzzle can be exactly controlled. Thus, we can create puzzles of various desired levels of difficulty.

More importantly, repeated squaring seems to be an intrinsically sequential process. We know of no obvious way to parallelize it to any large degree. (A small amount of parallelization may be possible within each squaring.) Having many computers is no better than having one. (But having one fast computer is better than one slow one.) The degree of variation in how long it might take to solve the puzzle depends on the variation in the speed of single computers, and not on one's total budget. Since the speed of hardware available to individual consumers is within a small constant factor of what is available to large intelligence organizations
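
The creation and solving steps described above, as an added Python example that is not code from the paper. It follows the published repeated-squaring construction (K is masked with a raised to the power 2^t modulo n, and the creator shortcuts the exponent modulo (p-1)(q-1)); the toy Mersenne primes, the function names and the omission of the conventional-cipher step for M are assumptions made here.

```python
import math
import secrets

# Constructed toy primes (assumption: Mersenne primes chosen for brevity;
# a real puzzle uses large, randomly chosen secret primes).
P, Q = 2**31 - 1, 2**61 - 1


def create_puzzle(key: int, t: int, p: int = P, q: int = Q):
    """Creator's side: hide `key` behind t sequential squarings mod n = p*q."""
    n = p * q
    if not 0 <= key < n:
        raise ValueError("key must be smaller than the modulus")
    phi = (p - 1) * (q - 1)            # trapdoor: exists only while p, q do
    while True:
        a = secrets.randbelow(n - 3) + 2   # random base with 1 < a < n
        if math.gcd(a, n) == 1:            # Euler's theorem needs a coprime to n
            break
    e = pow(2, t, phi)                 # reduce the exponent 2^t modulo phi(n)
    b = pow(a, e, n)                   # b = a^(2^t) mod n in O(log t) work
    c_k = (key + b) % n                # masked key
    return n, a, t, c_k                # p, q and phi are not returned


def solve_puzzle(n: int, a: int, t: int, c_k: int) -> int:
    """Solver's side: without phi(n), square t times, one after another."""
    b = a % n
    for _ in range(t):
        b = b * b % n                  # each step consumes the previous result
    return (c_k - b) % n


def demo(t: int = 50_000) -> bool:
    """Round trip: the slow path recovers what the trapdoor path hid."""
    key = secrets.randbits(80)         # constructed sample key, below n
    return solve_puzzle(*create_puzzle(key, t)) == key


if __name__ == "__main__":
    print("recovered key matches:", demo())
```

The asymmetry is the point: `create_puzzle` costs a couple of modular exponentiations regardless of t, while `solve_puzzle` costs t dependent multiplications that extra machines cannot share.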
