TY - GEN

T1 - Time-lock puzzles from randomized encodings

AU - Bitansky, Nir

AU - Goldwasser, Shafi

AU - Jain, Abhishek

AU - Paneth, Omer

AU - Vaikuntanathan, Vinod

PY - 2016/1/14

Y1 - 2016/1/14

N2 - Time-lock puzzles are a mechanism for sending messages \to the future". A sender can quickly generate a puzzle with a solution s that remains hidden until a moderately large amount of time t has elapsed. The solution s should be hidden from any adversary that runs in time significantly less than t, including resourceful parallel adversaries with polynomially many processors. While the notion of time-lock puzzles has been around for 22 years, there has only been a single candidate proposed. Fifteen years ago, Rivest, Shamir and Wagner suggested a beautiful candidate time-lock puzzle based on the assump-Tion that exponentiation modulo an RSA integer is an \in-herently sequential" computation. We show that various avors of randomized encodings give rise to time-lock puzzles of varying strengths, whose se-curity can be shown assuming the mere existence of non-parallelizing languages, which are languages that require cir-cuits of depth at least t to decide, in the worst-case. The existence of such languages is necessary for the existence of time-lock puzzles. We instantiate the construction with dif-ferent randomized encodings from the literature, where in-creasingly better efficiency is obtained based on increasingly stronger cryptographic assumptions, ranging from one-way functions to indistinguishability obfuscation. We also ob-serve that time-lock puzzles imply one-way functions, and thus the reliance on some cryptographic assumption is nec-essary. Finally, generalizing the above, we construct other types of puzzles such as proofs of work from randomized encod-ings and a suitable worst-case hardness assumption (that is necessary for such puzzles to exist.

AB - Time-lock puzzles are a mechanism for sending messages \to the future". A sender can quickly generate a puzzle with a solution s that remains hidden until a moderately large amount of time t has elapsed. The solution s should be hidden from any adversary that runs in time significantly less than t, including resourceful parallel adversaries with polynomially many processors. While the notion of time-lock puzzles has been around for 22 years, there has only been a single candidate proposed. Fifteen years ago, Rivest, Shamir and Wagner suggested a beautiful candidate time-lock puzzle based on the assump-Tion that exponentiation modulo an RSA integer is an \in-herently sequential" computation. We show that various avors of randomized encodings give rise to time-lock puzzles of varying strengths, whose se-curity can be shown assuming the mere existence of non-parallelizing languages, which are languages that require cir-cuits of depth at least t to decide, in the worst-case. The existence of such languages is necessary for the existence of time-lock puzzles. We instantiate the construction with dif-ferent randomized encodings from the literature, where in-creasingly better efficiency is obtained based on increasingly stronger cryptographic assumptions, ranging from one-way functions to indistinguishability obfuscation. We also ob-serve that time-lock puzzles imply one-way functions, and thus the reliance on some cryptographic assumption is nec-essary. Finally, generalizing the above, we construct other types of puzzles such as proofs of work from randomized encod-ings and a suitable worst-case hardness assumption (that is necessary for such puzzles to exist.

UR - http://www.scopus.com/inward/record.url?scp=84966587836&partnerID=8YFLogxK

U2 - 10.1145/2840728.2840745

DO - 10.1145/2840728.2840745

M3 - פרסום בספר כנס

AN - SCOPUS:84966587836

T3 - ITCS 2016 - Proceedings of the 2016 ACM Conference on Innovations in Theoretical Computer Science

SP - 345

EP - 356

BT - ITCS 2016 - Proceedings of the 2016 ACM Conference on Innovations in Theoretical Computer Science

PB - Association for Computing Machinery, Inc

Y2 - 14 January 2016 through 16 January 2016

ER -