 Hi and welcome to this talk on TARDIS, a foundation of Timelock puzzles in UC, or rather time and relative delay in simulation. We will cover first an introduction of the concept of Timelock puzzles, which has inspired this work, and then a summary of our contributions, which will be followed by a detailed account of the following contributions. First of all, our detailed abstract composable time model, which services basis for our composable treatment of Timelock puzzles in the UC framework. And finally, our application to two-party computation without putting the pen on the board, which is built from our UC Timelock puzzles. And we'll finalize with a brief discussion of some future, or should I say past works. The concept of Timelock puzzles has been introduced back in 96 and allows parties to encrypt the message to the future. The idea is that a Timelock puzzle can be generated in such a way that it contains a message X, but it will take at least some minimal amount of time until the message X can be retrieved from the TLP. The message will be obtained after we say the Timelock puzzle is solved. Since you construct and model this sort of cryptographic primitive, we actually need a computational task that must be executed in sequential steps in such a way that each step takes at least a minimum amount of time. And with the guarantee that an adversary who has more computational resources cannot simply parallelize the process of computing the steps. This concept, as well as one of the first assumptions that allows us to build this Timelock puzzles, was first introduced by Rivas Shamir and Wagner in 96. And it was based on this problem of computing iterated squareings of elements of groups of unknown order. In particular, they used the problem of computing successive squareings of a random group element from the group of primitive residues modulo and RSA modulus. Their assumption essentially says that if you want to compute G to the two to the T, you will need at least as much time as it would take to compute T sequential squareings departing from G. Namely, G to the two, all the way to G to the two to the two, G to the two to the three, all the way to G to the two to the T. And using this problem, they concocted an interesting scheme that allows for a sender to lock a message inside a Timelock puzzle in such a way that a party who computes this T successive squareings is able to retrieve the message. And so the party after computing for some amount of time equivalent to T times the amount of time that it takes to solve a single step. On the other hand, notice that a party who has a trapdoor in this case the order of the group can easily compute the Timelock puzzle itself without having to perform the T sequential computational steps. What we do with the sort of construction is that it has no composability guarantee, meaning that there is no guarantee that the primitive remains secure that it has the same security properties when it is executed in parallel with other cryptographic primitives and protocols or other instances of itself. It means in practice that we cannot use Timelock puzzles and other timed primitives without composability guarantees to actually build more complex protocols and applications. In order to build such complex protocols and applications we need a Timelock puzzle construction that is composable that remains secure in situations where it is arbitrarily composed with other primitives and protocols. In order to achieve that we actually face a number of challenges. First of all, in the setting we are working at of the universal composability framework, we have no notion of time. We first need to define what time means in a composable sense. And in this case, different from previous works, we actually do not want to implement any sort of synchronized clock or to imply that the users have access to notions of time explicitly. What to do is to make sure that time passes equally for all parties involved in multiple executions of a protocol or of different protocols, and that time indeed is passing. But again without implying any synchronicity or implying that parties have any access to clocks. However, even if we can do that, we then have the issue of enforcing sequential computation. This issue arises when you observe how the UC framework models parallel execution of a protocol or multiple protocols. In this setting, we have the environment which orchestrates the execution of all parallel sessions and parallel instances of protocols, and the environment can activate each party in each session in a sequence. While having the this party's belief that they are indeed at the same point in time, because they are essentially suspended while another session in an or another party in the same sessions being executed. Using this fact, an environment could easily circumvent a time lock assumption by using multiple sessions to solve all of the steps of a time lock puzzle. Say you are given the initial time lock puzzle we discussed, which is basically a random group element and then the message multiplied by that random group element raised to a power that is equivalent to the number of steps we want. This environment could start by having the first session perform the first step, then activating the parties in the second session to perform the second step. And proceed like this until it gets to a teeth session where it obtains the final computational step needed to solve this time lock puzzle. All the while keeping the ideal adversaries and parties in each session, oblivious from this strategy of solving the time lock puzzle, making simulation extremely hard. So we need to deal both with the problem of modeling time and then with the problem of having a proper model for sequential computational assumptions. In order to do that, we first present an abstract model for time in the universal compulsability framework that enforces the passage of time equally for all parties and all sessions. But does not imply that parties have access to synchronized clocks or to explicit messages showing the passage of time. Based on this model, we present a UC treatment of time lock puzzles that includes both a definition of time lock puzzles within the UC model, and also a definition of the RSW96 time lock assumption based on iterated in the UC framework. Using our notion of composable time lock puzzles in our abstract model of time, we then prove that programmable random oracles are actually necessary for you see secure time lock puzzle constructions. We see having other setup assumptions, or the combination of other setup assumptions and a non programmable random oracle, or essentially any combination of setup assumptions that does not include a random oracle is not sufficient for constructing a UC secure time lock puzzle. And we prove this fact. Knowing that this is necessary. We then construct our time lock puzzle protocol, and also our application of time lock puzzles to two party computation with output independent abort while assuming a programmable random oracle as a set of time lock puzzles. Back to our application. The essential idea here is that we provide a notion of security for two party computation that sits in between two party computation with a board and fair to party computation. With the output independent abort, the adversary is still able to force the protocol execution to abort and then learn the output. However, it can only learn the output after making the decision of whether it will force the abort or not. This means that the adversary cannot make an informed decision to cause an abort based on the output, fulfilling a certain requirement or not fulfilling a certain requirement that might be advantages or disadvantages for the adversary. Related to our current effort, there is a number of works that have dealt with time in the UC model, and also with the modeling and construction of time lock puzzles with some sort of no malleability property. Initially, when time was being modeled in the UC framework, a number of clock functionalities have been proposed that essentially provide a synchronized clock to honest parties, allowing those parties as well as functionalities to ask for the current time. Also, in the related works on time lock puzzles, apart from the seminal work that introduced the first construction and the concept, we have a couple of very recent works that have constructed no malleable versions of time lock puzzles, which are closely related to our notion of universally composable time lock puzzles. However, here we we highlight that while some of these constructions do not need a random oracle, they also do not achieve arbitrary composability guarantees, which we do using random oracles and proving them to be necessary. Finally, there has been work on applying time lock puzzles to construct a notion of partial fairness for two party computation, which is, however, restricted to a setting without composability guarantees, which is not our case since we propose a non-composable to party computation with our notion of output independent of bar. So let's start understanding our notion of abstract composable time. In our model, instead of having a global clock, we have a global ticker functionality that provides no information about the passage of time to parties, but only to functionalities. However, this global ticker does not tell the functionalities a current value of a time counter. It only tells a functionality that a new tick has happened since the last time it has been activated by that functionality. We allow functionalities to query whether a new tick has happened and receive an answer telling the functionality whether this happened or not. However, parties are only allowed to communicate to the global ticker functionality in order to acknowledge that they have been activated since the last time they should have been activated according to the protocols we built on this model. So if a party is supposed to, for example, receive a message or observe a different event before acknowledging that time is supposed to advance, it waits until this event happens in order to activate the global ticker. However, upon activating a global ticker to acknowledge that a new that that time has passed for that party that it has been activated. Parties do not receive any acknowledgement from the global ticker nor any information about whether a new tick has happened, or about any sort of current time counter which is not kept at all by the global ticker. On the other hand, notice that you could use our global ticker to construct a clock functionality that continuously queries a global ticker for new ticks and when a new tick happens, simply increments an internal counter that it then makes available to function to other parties. Of course, in that protocol for a clock, the parties would be expected to activate the global ticker when they agree on the passage of time. Based on this model. We construct a universally composable notion of time lock puzzles, and of the underlying sequential computation assumptions that are needed for constructing such a primitive. In our model, a time lock puzzle is generated, taking as input a message X that is locked inside the puzzle, and a parameter tick T that indicates the amount of ticks that should be necessary for that message to be recovered from the puzzle. The time in this case is of course measured in the number of ticks that happened with respect to the global ticker. The parties are allowed to retrieve the message from the time lock puzzle functionality. Whenever they have activated that time lock puzzle functionality throughout T consecutive ticks or throughout a number T of ticks with a query to solve a given time lock puzzle. The interesting point of this approach is that we do not have to keep track of current concrete values of time in our proofs or protocol constructions. Instead, we just need to keep track of events. For example, a message being received, or a time lock puzzle being solved, which indicates that a certain amount of time has passed of course because we know that the time lock is only solved after a number of ticks and makes it simpler to keep track of event based protocols. As I mentioned before, we still need to model the underlying assumptions of sequential computation in order to construct our UC time lock puzzles. In this paper, we model the iterated squaring assumptions from RSW96 by providing an ideal functionality that captures it in a generic group model style, where parties are given random strings that represent each group element, but nobody's given any representation of those group elements. This allows parties to ask for as many group operations as they want during one tick, but they only receive the identifier, the random string identifying a group element after the next tick has happened. This means that if they know the identifying strings for many different group elements, they can, as they should, be able to solve several steps of a time lock puzzle in parallel, of several different time lock puzzles in parallel, but they only learn the identification for the resulting states of the time lock puzzles when the next tick happens, which ensures that each operation takes at least one tick. So this is a global functionality, which ensures that neither the environment nor the simulator have any special power over it in order to manipulate it to do any sort of faster computation than on a spout issue. Basically, this functionality has an internal table that associates each random identifying string to a group element and allows parties to both request a random group element upon which they receive the random string associated to this random group element or to request a squaring of that group element upon which the squaring is computed, but not yet revealed to the parties. They only know that this has been done. And then it has an interface that allows parties to receive the results of this squaring that happened in a previous tick. In the next tick, they can receive the results of the operations they performed in the previous tick. We also allow a special party called the owner to obtain a trap door that allows for instance squaring. If you want to relate this to the original assumption, this would be the P and Q that allow you to compute the file then that is the order of the time lock puzzle. So any party who has this trap door can now do instance squaring. And this can be used for public verifiability, for example, which we show in a future work. The point is that when the owner activates the functionality for the first time, it receives the trap door, and then any party can still do their calls for getting random group elements without knowing the trap door. Any party who has the trap door, maybe the owner himself or another party that has received that from the owner can now do instance squaring. Our TOP construction itself will use a new instance of FRSW for each TOP into global random oracles H1 and H2. The idea is to start by the party who generates the TOP, creating a new RSW group with our FRSW idea of functionality and obtaining the trap door. Then this party obtains a random group element and computes a number of iterated squaring's immediately using the trap door. Now, we essentially commit to this initial and final states, as well as the message and the trap door using the global random oracle, and create a couple of tags that encode this message and trap door in such a way that someone who solves the puzzle should retrieve the original message and the trap door. This will become important when we solve and verify this time lock puzzle, because now after we solve the time lock puzzle, we can use the trap door to both verify that the final state and the message are coherent with the committed states in H1 and H2. Notice that since this basically works as a global random oracle commitment, it also allows us to do simulation in a quite straightforward way. The simulator can always extract the message from H2 and the tags, and it can verify that those tags have been correctly generated. If we need to equivocate the message inside a time lock puzzle, we then resort to the programmability of the random oracle, which we also proved to be necessary, and simply program the output of the random oracle in this initial inputs that we have used to generate a bogus random oracle to actually output something that is consistent with the message we learn from the functionality. Now, using this time lock puzzles, this UC time lock puzzles as a generic building block, which we can do because they are composable, we now introduce the application to output independent abort. In this setting, we allow the adversary steel to cause an abort because it is impossible to prevent that in a setting with the dishonest majority, as we know from Cleve's seminal result. But we keep the adversary from seeing the output before it is forced to commit to forcing an abort or not. So basically, the adversary cannot bias the outputs based on a rational strategy. The basic idea for constructing this is that we execute the protocol up to a certain point up to the last round of the protocol, and then we have the party send the last protocol messages inside time lock puzzles in such a way that they do not know what the last messages of the protocol will be before a certain time has elapsed. Now, the adversary must send its own time lock puzzle before the honest time lock puzzle is sent and and solved. If the honest time lock puzzle is solved before the the adversary has sent its own puzzle, we detect an abort. The adversary will still be able to learn the output, but now it has committed to having aborted before it could actually see what was inside the honest party time lock puzzle and compute the output in advance. Of course this require careful parameterization of the delays of both the time lock puzzles and the proper treatment of the communication delay, which we also introduced as a functionality for a delayed channel within our abstract model for time. The applications of such a strategy are multiple, for example, constructing randomness beacons or a better secure computation with financial incentives. Since now the adversary has to decide whether to abort or not before it actually sees the output message. And in future works we generalize this approach to the multi party case. Talking about future works or should I say, past works, because it is already publicly available in the craft paper on imprint. We show that we can generalize our TLP construction in order to construct it from any sequential computational problem instead of the specific iterated squaring problem. And we provide that you see abstraction for such problems as well as showing that we can obtain public verifiability for our time lock puzzle construction from TARDIS, meaning that we can prove whether a time lock puzzle is valid or not or whether a certain message has been stored inside a solve time lock puzzle in such a way that the third party verifier does not have to solve the puzzle itself. The third party verifier can verify this proof in constant time after it has been generated by another party who solved this time lock puzzle. Moreover, we provide the first model in UC for verifiable delay functions which are related time based cryptographic primitives based on a global random marco as usual, since it is necessary and departing from a generic standalone VDF that we model as a VDF in that sort of generic group model style functionality as we had modeled the sequential computation. Using this construction, we provide the first full proof of the folklore VDF based randomness beacon construction that is quite popular in the blockchain community. And we actually show that we can get a much better construction for such a randomness beacon based on our novel publicly verifiable time lock puzzles. And the way that our construction improves in efficiency is that it will output a random value as fast as the network conditions allow. Finally, we then generalize our two PC construction without putting the pen and the boards to a NPC construction with multiple parties. And we also provide an output independent abort NPC with financial penalties and rewards. The contributions in this case are actually twofold because we in fact improve on the efficiency of existing NPC protocols with financial penalties and rewards even the ones that do not have the output independent abort property. And we also improve on the state of the art of how you can provide incentive mechanisms for NPC with financial penalties and rewards. Because now we can provide incentive mechanisms where the adversary has no knowledge about the outcome of the computation when deciding to abort or not so it is essentially taking a blind making a blind decision. Thanks for watching this talk, and you can find more information about both this paper 30s and its follow up crafts on the print. Thank you again, and have a good day.