4.1. The Construction
The sender randomly chooses two distinct safe primes, and , where and are also primes, and then it computes and chooses a random generator, . (A zero-knowledge proof can be generated to prove that N is the product of two safe primes [37].) The time-lock puzzle is constructed on : for a large time parameter, t, the sender computes efficiently by the trapdoor ; it first computes and computes , which is used as a mask to encapsulate the message, m. The time-lock puzzle is generated as . After receiving the puzzle, z, the receiver computes h based on the element, g, and the time parameter, t. Since the receiver does not know the trapdoor, , it must compute h by t sequential computations. The receiver can reveal the message, m, from the puzzle, z, as .
Based on the above time-lock puzzle construction, we combine it with the framework in Section 3 to verify the secret message. To facilitate the generation of the proof, we require that the time parameter, t, can be represented as for a positive integer . For a secret message, , the time-lock puzzle, z, is generated by the protocol in the above section. The sender chooses a random value and computes . It signs x to obtain the signature . Additionally, the sender generates a sequential proof to help the receiver check the validity of the puzzle efficiently. The receiver is given the values x, a, the proof, , and the signature, .
In summary, the sender's process is presented in Algorithm 1. For simplicity, we denote all values except the time-lock puzzle sent by the sender as auxiliary information.
Algorithm 1: The sender's process based on iterated squaring
Setup: The RSA number, N, the group, , the public verification key, , and the secret signing key, .
Input: A secret message .
1. Choose a random element .
2. Generate the puzzle as . // The sender can compute efficiently as .
3. Choose a random value .
4. Compute the commitment of the message as .
5. Generate the sequential proof .
6. Sign x: .
Output: The time-lock puzzle, z, and auxiliary information .
After receiving the outputs from the sender, the receiver first checks the validity of the signature, , to make sure that x was correctly generated by the sender; then the receiver verifies the relationship between z and x. The receiver computes and computes . Then, it verifies the time relationship between and by the proof . If the value passes the verification, the receiver is convinced that it has obtained a value . Since the operation that yields this value is an exponentiation of the puzzle, z, the receiver is convinced that the puzzle is , and that the revealed value m has already been committed to by the sender.
The algorithm of the receiver is shown in Algorithm 2:
Algorithm 2: The receiver's process based on iterated squaring
The security of the RSA group is based on the assumption that the adversary cannot efficiently find the factorization of the RSA number. Another group used in iterated squaring is the class group of an imaginary quadratic field [38,39]. This group has the property that there is no efficient algorithm to compute the order of such a group.
An alternative method for constructing a time-lock puzzle is based on modular square roots. For a prime, p, and a quadratic residue a modulo p, sequential time is required to compute the square roots of a. In this method, the sequential evaluation time is fixed for a given prime, p. In contrast, with an iterated-squaring-based construction, the time can be easily adjusted by changing the number of iterations.
4.2. Security Analysis
As outlined in Section 3, the construction should satisfy the following properties.
The correctness requires that if the outputs of the sender are correctly generated, then the time-lock puzzle must pass the verification of the receiver, and the puzzle can be revealed as the same message encapsulated by the sender.
Theorem 1. For a secret message m, if the sender follows the protocol and sends the time-lock puzzle, z, and auxiliary information to the receiver, then the puzzle, z, can pass the puzzle verification algorithm and be revealed as the secret message, m, by the receiver.
Proof. If the sender and the receiver both follow the protocol, the sender uses to encapsulate the secret message, m, and the receiver computes by iterated squaring. Since the order of is , there is . Hence, the time-lock puzzle can be correctly solved by the receiver.
Additionally, if the time-lock puzzle and auxiliary information are generated correctly, it holds that , , and . The receiver computes and can use the sequential proof to verify that is exactly . So, the receiver can be convinced that the puzzle is correctly generated as . After verifying the validity of the puzzle, z, the receiver can solve the puzzle as . □
The sequentiality requires all probabilistic polynomial time adversaries to spend a certain amount of time to solve the puzzle.
Theorem 2. In the construction in Section 4, for and any adversary with a running time less than , there exists a negligible function , such that the probability that the receiver can solve the puzzle faster than time after receiving the puzzle, z, from the sender is .
Proof. The sequentiality of the time-lock puzzle is based on Definition 6. For any probabilistic polynomial time adversary , it does not know the factorization of N; hence, cannot compute faster than time t.
In addition to the time-lock puzzle, z, is also given x, which is also related to the secret message, m. The secret message, m, can be computed from x as . Since does not know the factorization of N, the probability of success for is .
Additionally, the proof is related to the sequential computation, and the adversary wants to compute faster from . The specific construction of is given in Section 2; the values given in can be represented as for , where . The closest value to is . Since , there is . Hence, it requires at least iterated squarings for the adversary to compute from . In practice, t is chosen as and , so .
Hence, after receiving the puzzle, z, from the sender, the receiver should spend at least time to solve the puzzle, where . □
The unforgeability of the puzzle requires that, for any probabilistic polynomial time adversary, the probability that it can generate a forged puzzle that can pass the puzzle verification algorithm is negligible.
Theorem 3. In the construction in Section 4, for any probabilistic polynomial time adversary , it can query the messages it chooses and obtain the corresponding outputs of the sender. There exists a negligible function, , such that the probability that the adversary can forge a new puzzle that passes the verification of the receiver is .
Proof. The adversary can query the set of messages and obtain the corresponding set of tuples . Denote the set of all obtained puzzles as . If can forge a new puzzle that passes the pre-verification, then it must satisfy one of the following two situations.
The first situation is that the adversary generates a tuple by choosing a new message and generating the puzzle and the commitment value by itself. It then tries to forge the signature on the commitment value . The unforgeability of the signature scheme ensures that the probability that can successfully forge a signature on a new commitment value is .
Another situation is to bypass the forgery of the signature scheme. The adversary reuses the commitment value of some tuple that has been queried before. In this case, if the adversary wants to generate another puzzle , then it tries to find another message but . The construction in Section 4 sets as for a random ; since a is coprime with , the function F is a permutation on . Hence, the adversary cannot find such .
In summary, the probability that a PPT adversary can forge a valid puzzle that can pass the pre-verification is negligible. □
The unforgeability of solution requires that the probability that a receiver can forge a solution that can pass the solution verification is negligible.
Theorem 4. In the construction in Section 4, for any secret message, m, after receiving the corresponding valid tuple from the sender, there exists a negligible function, , such that the probability that the adversary can forge a solution, , that passes the solution verification is .
Proof. After obtaining the solution, , from the receiver, the third party first checks whether is the signature of the value, x, under the public key of the puzzle generator, and then verifies whether x is the commitment to . If the receiver succeeds in forging a solution that passes the verification of the third party, it must satisfy one of the following two situations.
The first situation is that the receiver generates a commitment to the forged solution, , and then forges the signature on . The unforgeability of the signature scheme guarantees that the probability that this situation happens is negligible. The other situation requires that the commitment x can be revealed as the forged solution, . The probability of this situation is negligible according to the binding property of the commitment scheme.
In summary, the probability that a receiver can forge a solution, , and pass the post-verification step, is negligible. □
4.3. Efficiency Analysis
According to Algorithm 1, in order to generate the time-lock puzzle, the sender first computes and then computes . These are two modular exponentiation operations, which require multiplications over . In the puzzle verification algorithm, the receiver needs to compute and verify that is exactly by the proof . The proof contains small proofs, which can be verified in parallel. The verification time complexity of each small proof is . So the time complexity of this verification process is . For the solution verification algorithm, a third party checks the correctness of the solution by verifying the signature and the commitment, which results in a time complexity of . As proved in Theorem 2, the time complexity of solving the time-lock puzzle for all receivers is .
In practice, the time parameter t is a polynomial in the security parameter . This indicates that the generation and the verification of the time-lock puzzle are much faster than solving the puzzle. Hence, the pre-verification and the post-verification are both efficient.
4.4. Construction for Long Messages
The above construction requires that the message, m, lies in the group . In practice, N is chosen as a 2048-bit number; hence, the length of m is at most 2048 bits, which is shorter than the length of a message in a real network. A long message can still be treated as a group element in the protocol, as in the case of a short message. In this method, a group with the same length as the message needs to be generated during the setup phase of the protocol. This increases the evaluation time of each group operation, resulting in poor efficiency of the protocol. Additionally, this method is not flexible if the length of the message changes: a new group must be generated for a longer message, which is inconvenient in a practical implementation.
A common approach to handling a long message is to segment the message into short consecutive blocks: . Here, represents the concatenation of two strings, and each block is bits, where is a parameter related to the security parameter ; for example, . This ensures that each block can be represented as a group element in with overwhelming probability. If the last block is shorter than bits, a padding scheme can be used to fill it.
The element used to encapsulate a short message is a group element in , which is at most bits. It can be used to encapsulate only one block at a time. A naive idea is to compute different to mask different blocks, i.e., the puzzle is generated as . In this case, the verification for each block is the same as in the short-message case, and the receiver needs to solve n different short time-lock puzzles to reveal the message. Another method to generate the puzzle uses only one time-delay element. The sender computes and generates the puzzle as . In this case, the receiver needs to solve only one short time-lock puzzle to reveal the message.
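As an added example (not the paper's code), the following Python script carries the block-segmentation idea through with the same constructed toy safe primes: it splits a byte string into blocks short enough to be group elements, then masks the blocks in the two ways just described, with one time-delay element per block (the receiver solves n puzzles) and with a single time-delay element (the receiver solves one puzzle). The block length margin, the zero-padding of the first block, and the per-block masks derived from the single element h by a SHA-256 KDF are this example's assumptions; the page does not specify those formulas.

```python
import hashlib
import math
import random

# Constructed toy parameters (not secure): safe primes 1019 = 2*509+1 and 1187 = 2*593+1.
P, Q = 1019, 1187
N = P * Q                                   # 21-bit modulus
ORDER = ((P - 1) // 2) * ((Q - 1) // 2)     # |QR_N| = p'q', the sender's trapdoor
MARGIN = 4                                  # hypothetical margin (the paper ties it to the security parameter)
BLOCK_BITS = N.bit_length() - MARGIN        # every block is < N and so is a group element


def split_blocks(msg: bytes):
    """Segment msg into BLOCK_BITS-bit integers, most significant block first.
    The first block is zero-padded; the original byte length restores the message."""
    value = int.from_bytes(msg, "big")
    n = max(1, -(-(len(msg) * 8) // BLOCK_BITS))   # ceil(|msg| / BLOCK_BITS)
    mask = (1 << BLOCK_BITS) - 1
    return [(value >> (BLOCK_BITS * (n - 1 - i))) & mask for i in range(n)]


def join_blocks(blocks, nbytes):
    """Inverse of split_blocks."""
    value = 0
    for b in blocks:
        value = (value << BLOCK_BITS) | b
    return value.to_bytes(nbytes, "big")


def trapdoor_h(g, t):
    """Sender: h = g^(2^t) mod N via the trapdoor (exponent reduced mod ORDER)."""
    return pow(g, pow(2, t, ORDER), N)


def sequential_h(g, t):
    """Receiver: t sequential squarings, no trapdoor."""
    h = g
    for _ in range(t):
        h = h * h % N
    return h


def random_generators(n, rng):
    """n random elements of QR_N chosen by the sender."""
    gens = []
    while len(gens) < n:
        r = rng.randrange(2, N - 1)
        if math.gcd(r, N) == 1:
            gens.append(pow(r, 2, N))
    return gens


def derive_mask(h, i):
    """Hypothetical KDF (an assumption, not the paper's construction): map the single
    time-delay element h and the block index i to an invertible element of Z_N^*."""
    ctr = 0
    while True:
        digest = hashlib.sha256(f"{h}|{i}|{ctr}".encode()).digest()
        k = int.from_bytes(digest, "big") % N
        if k > 1 and math.gcd(k, N) == 1:
            return k
        ctr += 1


# Method (a): one time-delay element per block; the receiver solves n puzzles.
def puzzle_per_block(msg, t, gens):
    return [(m * trapdoor_h(g, t)) % N for m, g in zip(split_blocks(msg), gens)]


def solve_per_block(zs, t, gens, nbytes):
    blocks = [(z * pow(sequential_h(g, t), -1, N)) % N for z, g in zip(zs, gens)]
    return join_blocks(blocks, nbytes)


# Method (b): one time-delay element, per-block masks derived from it; one sequential solve.
def puzzle_single(msg, t, g):
    h = trapdoor_h(g, t)
    return [(m * derive_mask(h, i)) % N for i, m in enumerate(split_blocks(msg))]


def solve_single(zs, t, g, nbytes):
    h = sequential_h(g, t)
    blocks = [(z * pow(derive_mask(h, i), -1, N)) % N for i, z in enumerate(zs)]
    return join_blocks(blocks, nbytes)


def run_demo(msg: bytes, t: int, seed: int = 1):
    """Round-trip msg through both methods; returns (block count, msg via (a), msg via (b))."""
    rng = random.Random(seed)
    n = len(split_blocks(msg))
    gens = random_generators(n, rng)
    msg_a = solve_per_block(puzzle_per_block(msg, t, gens), t, gens, len(msg))
    msg_b = solve_single(puzzle_single(msg, t, gens[0]), t, gens[0], len(msg))
    return n, msg_a, msg_b


if __name__ == "__main__":
    text = b"time-lock puzzles for long messages"   # constructed sample input
    n, a, b = run_demo(text, 1 << 8)
    print(f"{n} blocks of {BLOCK_BITS} bits; (a) ok={a == text}, (b) ok={b == text}")
```

Method (a) costs the receiver n·t squarings and gives n independently verifiable short puzzles; method (b) costs t squarings plus n cheap mask derivations, which is why the text prefers a single time-delay element when only the message as a whole needs to be unlocked.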