Time-lock puzzles
Jeffrey Finkelstein
Computer Science Department, Boston University
February 20, 2015
See also: timed-release encryption, timed commitment schemes
1 Time-lock puzzles
A time-lock puzzle is merely an encryption scheme that has no secret key. The
secret key in an encryption scheme is intended to allow efficient decryption only
for the holder of the key. If the sender wishes a particular party to be the only
one able to read the message, he or she should use a secure encryption scheme on
top of the time-lock puzzle. In a time-lock puzzle, “efficient” decryption (in a
certain sense) is neither desired nor necessary; any decryption should be
“inefficient” (that is, should require a large amount of resources; in the setting
below the resource is circuit depth, so decryption should be impossible for an NC
adversary, that is, in polylogarithmic parallel time, even though a polynomial-time
sequential decryption exists).
Definition 1.1. Suppose M is a finite set of messages. A pair of functions
(Enc, Dec) is a time-lock puzzle if m = Dec(Enc(m)) for all m ∈ M .
Definition 1.2. TODO this is an informal definition of indistinguishability. Use the formal definitions from Goldreich, Volume II.
A time-lock puzzle (Enc, Dec) is secure if no NC adversary can distinguish
Enc(m1) from Enc(m2) for any m1 and m2 in M with non-negligible probability.
2 Algebraic time-lock puzzles

2.1 Greatest common divisor
Assumption 2.1 (Computational GCD assumption). For any NC algorithm A,
the probability over randomly chosen k-bit integers a and b that A(a, b) = gcd(a, b)
is negligible in k.
Copyright 2014, 2015 Jeffrey Finkelstein ⟨jeffreyf@bu.edu⟩.
This document is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License, which is available at https://creativecommons.org/licenses/by-sa/4.0/.
The LATEX markup that generated this document can be downloaded from its website at
https://github.com/jfinkels/timelock. The markup is distributed under the same license.
Assumption 2.2 (Decisional GCD assumption). TODO this is an informal
definition of indistinguishability.
Let k be the security parameter and K = 2^k. The following two probability
distributions are NC indistinguishable.
• (a, b, d), where a and b are chosen uniformly at random from {1, . . . , K}
and d = gcd(a, b)
• (a, b, r), where a, b, and r are chosen uniformly at random from {1, . . . , K}
Proposition 2.3. If the decisional GCD assumption is true, then the computational GCD assumption is true.
Proof. Assume, with the intention of producing a contradiction, that the computational GCD assumption is false, so there is an NC algorithm A(a, b) that
computes gcd(a, b) with non-negligible probability (say probability at least 1/p(k)
for some polynomial p in the security parameter k). We construct an NC algorithm A′ to distinguish (a, b, d) from (a, b, r) as follows. On input (a, b, z), the
algorithm runs A(a, b), which outputs an integer d. Now A′ accepts if and only
if z = d.
A′ is an NC algorithm since it performs only the computation of A, which is
itself an NC algorithm, along with a single comparison of the output of A(a, b)
with the string z. The probability that A′ accepts (a, b, gcd(a, b)) is at least 1/p(k). The
probability that A′ accepts (a, b, r), where r is chosen uniformly at random from
{1, . . . , K} independently of a and b, is the probability that r equals the output
of A(a, b), which is at most 1/K = 1/2^k. The difference 1/p(k) − 1/2^k is non-negligible,
and hence A′ violates the decisional GCD assumption.
Protocol 2.4 (GCD time-lock puzzle). Define time-lock puzzle (Enc, Dec) as
follows.
Encryption: On input message m ∈ Σ^k, read as a k-bit integer, output (mx, my), where x and y are
coprime integers chosen uniformly at random from Σ^k. (The products mx and
my are elements of Σ^{2k}.)
Decryption: On input ciphertext (a, b), output gcd(a, b). (Correctness: gcd(mx, my) = m · gcd(x, y) = m because x and y are coprime.)
Conjecture 2.5. If the decisional GCD assumption is true, then the GCD
time-lock puzzle is secure.
2.2 Modular inverse
Assumption 2.6 (Modular inverse assumption). For any NC algorithm A
and for all k-bit primes p, the probability over randomly chosen a in Z_p^* that
A(a) ≡ a^{−1} (mod p) is negligible in k.
Assumption 2.7 (Modular exponentiation assumption). For any NC algorithm
A and for all k-bit primes p, the probability over randomly chosen a and b in Z_p^*
that A(a, b) ≡ a^b (mod p) is negligible in k.
Proposition 2.8. If the modular inverse assumption is true, then the modular exponentiation assumption is true.
Proof. If there is an NC algorithm that computes a^b (mod p) from a and b, then
running it on input (a, p − 2) gives an NC algorithm that computes a^{p−2}, which is
congruent to a^{−1} in Z_p^* by Fermat's Little Theorem (a^{p−1} ≡ 1 (mod p) for every a ∈ Z_p^*).
Protocol 2.9 (Modular inverse time-lock puzzle). Let p be a k-bit prime. Define
time-lock puzzle (Enc, Dec) as follows.
Encryption: On input message m ∈ Z_p^*, output (mx, x), where x is chosen
uniformly at random from Z_p^* and the product mx is computed in Z_p^*.
Decryption: On input ciphertext (c, d), output c · d^{−1} (mod p).
Conjecture 2.10. If the modular inverse assumption is true, then the modular
inverse time-lock puzzle is secure.
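As an added worked example (not code from the paper), the following Python implements the encryption and decryption sides of both Protocol 2.4 (GCD) and Protocol 2.9 (modular inverse). It assumes that the k-bit message of Protocol 2.4 is read as an integer, that the product mx of Protocol 2.9 is reduced modulo p, and uses the prime 65537 only as a sample modulus. Both decryptors do their work sequentially; nothing here is an NC algorithm.

```python
import math
import secrets


def gcd_encrypt(m, k):
    """Protocol 2.4: read the k-bit message m as an integer and hide it as the
    common factor of two products with coprime random cofactors."""
    if not 0 <= m < 2 ** k:
        raise ValueError("message must be a k-bit integer")
    while True:
        # x, y uniform over the nonzero k-bit integers; resample until coprime,
        # otherwise the receiver would recover m * gcd(x, y) instead of m.
        x = secrets.randbelow(2 ** k - 1) + 1
        y = secrets.randbelow(2 ** k - 1) + 1
        if math.gcd(x, y) == 1:
            return m * x, m * y


def gcd_decrypt(a, b):
    """Protocol 2.4 decryption: gcd(m*x, m*y) = m * gcd(x, y) = m."""
    return math.gcd(a, b)


def modinv_encrypt(m, p):
    """Protocol 2.9: p is a prime and m in Z_p^*; blind m by a uniform x in Z_p^*.
    The product is reduced mod p (an assumption of this example)."""
    if not 0 < m < p:
        raise ValueError("message must lie in Z_p^*")
    x = secrets.randbelow(p - 1) + 1  # uniform over {1, ..., p-1}
    return (m * x) % p, x


def modinv_decrypt(c, d, p):
    """Protocol 2.9 decryption: c * d^{-1} mod p. pow(d, -1, p) is the modular
    inverse (Python 3.8+); this inversion is the step the puzzle assumes to be
    hard in parallel."""
    return (c * pow(d, -1, p)) % p
```

The coprimality check in gcd_encrypt is the one thing a careless implementation drops: with gcd(x, y) = g the receiver computes gcd(mx, my) = m·g, so the puzzle decrypts to a multiple of the message rather than the message itself.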
2.3 Planar integer programming
This puzzle is a bit more complicated to describe. The message to encrypt is
interpreted as a vector in Z^2. The ciphertext is an integer linear program with
the message as its optimum solution.
Definition 2.11 (Planar integer programming). Given an n × 2 integer matrix
A, an n × 1 integer vector b, and a 2 × 1 integer vector c, find a 2 × 1 integer
vector x such that Ax ≤ b and c^T x is maximized.
Assumption 2.12 (Planar integer programming assumption). For any NC
algorithm D, the probability over randomly chosen A, b, and c that D(A, b, c)
outputs x such that Ax ≤ b and c^T x is maximized is negligible in k.
Protocol 2.13 (Planar integer programming time-lock puzzle). Define time-lock
puzzle (Enc, Dec) as follows. TODO need to specify maximum bit size of
randomly generated integers. TODO another way to encrypt would
be to generate the vertices randomly instead of generating the lines
randomly.
Encryption: On input message (x1, x2) ∈ Z^2,
1. (Random objective function.) Generate random (c1, c2) ∈ Z^2.
2. (Force (x1, x2) to be the vertex with maximum value.) Generate random
(a11, a12), (a21, a22) ∈ Z^2 such that −a11/a12 < −c1/c2 and −a21/a22 > −c1/c2,
that is, the slopes of the two constraint lines bracket the slope of the level
lines of the objective. Let b1 = a11x1 + a12x2 and b2 = a21x1 + a22x2, so that
both constraints are tight at (x1, x2). (The slope condition alone does not fix
the orientation of the two half-planes; for the objective to be bounded and
(x1, x2) to be its unique maximizer, (c1, c2) must in addition lie strictly inside
the cone spanned by (a11, a12) and (a21, a22), that is, c = λ1(a11, a12) + λ2(a21, a22)
with λ1, λ2 > 0.)
3. (Create random feasible region.) For each i in {3, . . . , n}, generate random
(ai1, ai2) ∈ Z^2 and random bi ∈ Z such that ai1x1 + ai2x2 ≤ bi. TODO
are redundant constraints acceptable?
4. Output matrix A whose entries are aij, vector b whose entries are bi, and
vector c whose entries are cj.
Decryption: On input ciphertext (A, b, c), output x such that Ax ≤ b and
c| x is maximized.
Conjecture 2.14. If the planar integer programming assumption is true, then
the planar integer programming time-lock puzzle is secure.
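As an added worked example (not code from the paper), a Python implementation of Protocol 2.13. Two things are assumptions of this example rather than the paper's: the coefficient bound `bound` stands in for the unspecified bit size, and step 2 is enforced as the cone condition c = λ1·a1 + λ2·a2 with λ1, λ2 > 0, checked by Cramer's rule, which implies the slope ordering and also fixes the orientation of the two half-planes so that the objective is bounded. Because c then lies strictly inside the cone of the two tight constraints, the message is the unique maximizer of the LP relaxation, and it is integral, so the decryptor can enumerate the intersection points of all constraint pairs, keep the feasible ones, and take the best. That decryptor is sequential brute force, not an NC algorithm.

```python
from fractions import Fraction
import random


def _det(u, v):
    return u[0] * v[1] - u[1] * v[0]


def _dot(u, v):
    return u[0] * v[0] + u[1] * v[1]


def pip_encrypt(x, n=8, bound=50, seed=None):
    """Protocol 2.13 encryption. x = (x1, x2) is the message; returns (A, b, c)
    with x the unique integer maximizer of c^T y subject to A y <= b.
    bound (assumed; the paper leaves the bit size as a TODO) caps every
    generated coefficient. seed is only for reproducibility."""
    rng = random.Random(seed)

    def rint():
        return rng.randint(-bound, bound)

    # 1. Random nonzero objective.
    c = (rint(), rint())
    while c == (0, 0):
        c = (rint(), rint())
    # 2. Two constraints tight at x whose normals a1, a2 span a cone containing
    #    c strictly inside: c = l1*a1 + l2*a2 with l1, l2 > 0 (Cramer's rule).
    while True:
        a1, a2 = (rint(), rint()), (rint(), rint())
        D = _det(a1, a2)
        if D != 0 and Fraction(_det(c, a2), D) > 0 and Fraction(_det(a1, c), D) > 0:
            break
    A = [a1, a2]
    b = [_dot(a1, x), _dot(a2, x)]
    # 3. Random extra constraints, each satisfied by x (nonnegative slack).
    #    Redundant constraints do not affect correctness of decryption.
    for _ in range(n - 2):
        a = (rint(), rint())
        A.append(a)
        b.append(_dot(a, x) + rng.randint(0, bound))
    return A, b, c


def pip_decrypt(A, b, c):
    """Decryption by vertex enumeration of the LP relaxation. Every vertex of
    {y : A y <= b} is the intersection of two constraint lines, so try all
    pairs, keep the feasible points and return the one with the largest
    objective value. By construction that point is the message, which is
    integral, so the LP optimum is also the integer optimum. Sequential
    brute force in O(n^3) arithmetic operations; not an NC algorithm."""
    best, best_val = None, None
    n = len(A)
    for i in range(n):
        for j in range(i + 1, n):
            D = _det(A[i], A[j])
            if D == 0:
                continue  # parallel lines: no vertex
            # Cramer's rule for A[i].y = b[i], A[j].y = b[j]
            y = (Fraction(b[i] * A[j][1] - A[i][1] * b[j], D),
                 Fraction(A[i][0] * b[j] - b[i] * A[j][0], D))
            if all(_dot(a, y) <= bi for a, bi in zip(A, b)):
                val = _dot(c, y)
                if best_val is None or val > best_val:
                    best, best_val = y, val
    if best is None or any(v.denominator != 1 for v in best):
        raise ValueError("no integral optimal vertex: malformed ciphertext")
    return (int(best[0]), int(best[1]))
```

The rejection loop in step 2 is where this example departs from the text: sampling (a11, a12) and (a21, a22) by the slope inequalities alone admits normals pointing away from c, for which the feasible cone is unbounded in the direction of c and no maximum exists.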
We know that there is an NC algorithm that computes the greatest common
divisor of two integers if and only if there is an NC algorithm that computes an
optimal solution to a planar integer program. TODO add citation here.
Conjecture 2.15. The planar integer programming assumption is true if and
only if the GCD assumption is true.
Conjecture 2.16. The planar integer programming time-lock puzzle is secure
if and only if the GCD time-lock puzzle is secure.
3 Circuit time-lock puzzles
Encryption schemes that are secure against (nonuniform) polynomial time adversaries are usually based on computational problems that are not NP-complete
(for example, discrete logarithm, factoring, and the RSA problem).
Definition 3.1. TODO should I really be making up definitions? This
doesn’t make sense, because we can always verify by just encrypting...
A time-lock puzzle (Enc, Dec) is worst-case secure if the language
{(c, m) | Dec(c) = m}
is prP-complete.
The promise is that c is the correct encryption of m. This promise allows us
to ignore the complexity of instances (c, m) for which c is not the encryption of
m.
3.1 Circuit evaluation
Protocol 3.2 (Single-bit circuit evaluation time-lock puzzle). Let k be the
security parameter. Define time-lock puzzle (Enc, Dec) as follows.
Encryption: On input message m ∈ {0, 1}, generate random circuit C and
input for that circuit α such that C(α) = m as follows. TODO how can we
do this? http://arxiv.org/pdf/1102.3310v2.pdf has a way to generate
random C and α that are likely hard to evaluate in parallel, but the
output is random...
Decryption: On input ciphertext (C, α), compute C(α) by evaluating the
circuit gate-by-gate.
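As an added example (not from the paper), the decryption side of Protocol 3.2 as a gate-by-gate evaluator in Python. The circuit representation (a list of gates in topological order) and the two sample circuits are constructed for illustration; the encryption step, which the paper leaves open, is not implemented. Besides the output bit the evaluator reports the circuit's depth, the quantity that separates sequential from parallel cost: both sample circuits compute the parity of four input bits with three XOR gates, but one has depth 2 and the other depth 3.

```python
from typing import List, Tuple

# A circuit is a list of gates in topological order: (op, inputs). For an
# "in" gate, inputs is a 1-tuple holding the index into alpha; for every
# other gate it holds indices of earlier gates. The last gate is the output.
Gate = Tuple[str, Tuple[int, ...]]


def evaluate(circuit: List[Gate], alpha: List[int]) -> Tuple[int, int]:
    """Protocol 3.2 decryption: compute C(alpha) gate by gate in topological
    order. Returns (output bit, depth). The number of gates is the sequential
    work; depth is the longest input-to-output path, i.e. the parallel time
    an NC adversary would need."""
    value: List[int] = []
    depth: List[int] = []
    for g, (op, ins) in enumerate(circuit):
        if op == "in":
            value.append(alpha[ins[0]] & 1)
            depth.append(0)
            continue
        if any(i >= g for i in ins):
            raise ValueError(f"gate {g} reads a gate that does not precede it")
        args = [value[i] for i in ins]
        if op == "not":
            v = 1 - args[0]
        elif op == "and":
            v = int(all(args))
        elif op == "or":
            v = int(any(args))
        elif op == "xor":
            v = sum(args) & 1
        else:
            raise ValueError(f"unknown gate type {op!r}")
        value.append(v)
        depth.append(1 + max(depth[i] for i in ins))
    return value[-1], depth[-1]


# Constructed sample ciphertexts: two circuits computing the parity of four
# input bits. The balanced tree has depth 2; the chain has depth 3.
SAMPLE_ALPHA = [1, 0, 1, 1]
TREE_CIRCUIT: List[Gate] = [
    ("in", (0,)), ("in", (1,)), ("in", (2,)), ("in", (3,)),
    ("xor", (0, 1)), ("xor", (2, 3)),
    ("xor", (4, 5)),
]
CHAIN_CIRCUIT: List[Gate] = [
    ("in", (0,)), ("in", (1,)), ("in", (2,)), ("in", (3,)),
    ("xor", (0, 1)),
    ("xor", (4, 2)),
    ("xor", (5, 3)),
]
```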
3.2 Permutation inversion
Protocol 3.3 (Permutation time-lock puzzle). Let k be the security parameter.
Define time-lock puzzle (Enc, Dec) as follows.
Encryption: On input message m ∈ {0, 1}^k, generate random NC^0 permutation f TODO how? and output ciphertext (f, f(m)).
Decryption: On input ciphertext (f, c), output f^{−1}(c). TODO ensure that
this is polynomial time computable.
4 Time-lock puzzles for limited nondeterminism

4.1 Limited depth, limited nondeterminism circuit satisfiability
Protocol 4.1 (β_k NC^d circuit satisfiability time-lock puzzle). Let n be the
security parameter. Let k and d be nonnegative integers. Define time-lock
puzzle (Enc, Dec) as follows. TODO there are several ways to perform
this encryption.
Encryption: On input message b ∈ {0, 1}, generate a random circuit C with
n gates, m inputs, and O(log^d m) depth and a random partial input string α of
size m − log^k n such that there is some β satisfying C(α, β) = b.
Decryption: