 Είμαι ο Κόλος Λαμμμπορής. Είμαι ο πρόσφυρδρος κομμάτις από το ΙΟΚ. Σήμερα θα σας παρακολουθήσω ένα σχήμα του ΙΟΚ. Αυτό το δίσκομα είναι στην συγγραμμή με τον Μερτοαραπίνης, ένας κομμάτις από το ΙΟΚ. Και από Μαζαχαρίας, ένα πρόσφυρδρος κομμάτις από την ίνστητα. Οπότε πρώτα θα σας δώσω την εξεκτική της σχέσης της Λοκογραμμίας. Πρώτα θα σας παρακολουθήσω την εξαιρετική δίσκομα στον επόμενο πρόσφυρδρο. Στην τρίτη εξαιρετική μου, θα συγχωρήσω την εξαιρετική μας και τελείωστοι δίσκομα στο επόμενο πρόσφυρδρο. Οπότε πρώτα, πώς είναι η Λοκογραμμία. Απ'ήρχομαι, το σημαίνιε το θες, μέχρι που η Λοκογραμμία εξαιρετικάδει τη δίσκομα με την κομμάτι της Εξαιρετική. Και το results είναι η δίσκομα. Ώστε, η Λοκογραμμία που διεξίδει τη κομμάτι να κατα erstmal στην κομμάτι, εξαιρετικάδει η δίσκομα και όλοι μπορεί να εξαιρετικάδει την δίσκομα για να συγχωρεθήσει το πρόσφυρδρος πρόσφυρδρο. But what happens if that voter doesn't actually provide the secret key? No one can actually retrieve the initial message, and then we have fairness issues, and specifically in self-telling protocols. So with time-lock encryption we can solve such difficulties, because again, let us consider the same scenario. Then someone encrypts the plaintext with an encryption algorithm, and instead of using a public key, it uses a specific time that this ciphertext should be open. The result is a ciphertext, and then after this time has been reached by using the decryption algorithm and time proof. A time proof is a proof that the time has been reached. Everyone can retrieve the initial message. There are certain types of time-lock encryption. The first one, it is called relativistic time, and it is based on computational puzzle. So everyone that solves a puzzle can actually retrieve the initial message. The second one is called the absolute time-lock encryption, where a witness naturally occurring from, example, the blockchain, and with an encryption witness-based scheme, someone can encrypt and actually decrypt the message. Finally, we have centralized time-lock encryption schemes, where a centralized authority releases time tokens, and acts as a secret key for decrypting messages on specific times. The Astrolabus, the construction that we actually provide in this work, is a relativistic time construction based on computational puzzle and specifically based on hash function that realizes our ideal functionality. Despite the fact that Astrolabus is a relativistic time, our ideal functionality captures all of these three types of time-lock encryption. So, I refer earlier about a time-proof, but what is a time-proof in a computational puzzle case? So, in the computational puzzle time-lock encryption schemes, we have a puzzle that needs to be solved in order for someone to be able to retrieve the initial message. This puzzle can be based in hash function or in arithmetic, for example, the repeating squaring problem. So, next, the party actually tries and solves the puzzle and obtains the solution. The solution is the time-proof, the proof that some computation has been done, and by providing the solution to the decryption algorithm, any party can actually retrieve the initial message. But ideally, in the concept of time-lock encryption, we want to create an asymmetry between the puzzle generation time and the puzzle solving time. So, ideally, the puzzle generation should be small and the puzzle solving should be big. Of course, there are cases and construction with these two times are equal, but are not so much of interest. So, the puzzle generation can be efficiently, can be done efficiently because the computations can be parallelized or there is a trapdoor information that can be used for speed up the computations. On the other hand, the puzzle solving is slower because no parallelization can be occurred or there is no trapdoor information or the entities that actually solves the puzzle are not aware of the trapdoor information. Now, I'm going to speak to you about the related work in the field of time-lock encryption. So, first, there are time-lock encryptions based on arithmetics. The first and the most well-known one, it is based on reverse at all. By that time, the author didn't provide any formal treatment and operates as follows. The initiator of the puzzle actually encrypts the message M with a secret key K by using a symmetric encryption scheme. In that case, IS. Next, the key K is hidden into a puzzle named CK. And specifically, on the key K, we add the A power 2 power T, module N. And because the initiator of the puzzle is aware of the factorization of N, can actually speed up the computations by computing first the E, which is equal to power T, module Phini, where Ph is the Euler function. After that, can compute the B, which is the A power E. And the resulting ciphertext is a tuple, where the first argument is the composite number N. The second one is the base A. The third is the difficulty of the puzzle T. The next one is the puzzle itself, CK. And the last one is the CM, which is the result of the IS encryption. Next, we have HUSB-based time lock encryption puzzles. This one is proposed by Mahmoud Yatoll. And it is based on sequential hushing. So we have a secret X0 until XN. And the puzzle itself is a tuple, where the first argument is the value X0. The second one is the HUS evaluation over the value X0. XOR, the second part of the secret, which is the value X1. And this goes on the same until the value XN. It works mentioning that this time lock puzzle C scheme was not intended for encryption, as you can see, because obviously semantic security does not hold, because the puzzle, the secret, is revealing in a progressive way. Neither composable security was provided. There are also time lock encryptions based on the witness encryption. And specifically, this one is proposed by Liu et al. And it's based on blockchain. So we have a statement, XT. In that case, the statement is that I know a blockchain of length T, a Genesis block G, and starting difficulty D. We have a witness of that statement, which is actually this blockchain. We have a relationship U, which is actually equals 1, if the WX is the witness for the statement X, and 0 if it's not. So if someone wants to encrypt a message M based on a statement XT, it uses the encryption algorithm, which is parametrized by our relationship U, and the result is a ciphertext CT. Next, in order to decrypt that message, someone used a decryption algorithm with that ciphertext and the witness for that statement. If indeed, this is the witness of that statement, the resulting value is the message M, else it is bottom. Unfortunately, the proposed construction is not efficient, there are lack of crypto libraries that actually implement it, and the authors didn't provide any composable security arguments. Another TLE construction is one that is based on time token release. Specifically, a trusted party releases type tokens on specific times. So for example, if we want to encrypt the message M and that message will be retrievable on Monday, we use the information Monday and the result is a ciphertext C. So the trusted party releases some tokens on Monday the blue one, on Wednesday the green one, on Friday the orange one. And by using the decryption algorithm with the blue token, in that case the Mondays, anyone can retrieve the message M. These constructions are based on public key infrastructure and unfortunately are centralized. So a natural generalization of time lock puzzles and time lock encryption in general are the verifiable delayed functions. So in a nutshell are time lock puzzles, but on top of that they provide a way to verify that the resulting solution is the correct one without resolving the puzzle. Most of these constructions are based on repeating squaring. Regarding the security definitions on time lock encryption, all of them are game-based definitions and specifically they assume in their thread model that the adversary operates in a concrete number of steps. In contrary, if we want to study the time lock encryption primitive in the UC framework in order to argue about the composability of our protocol, someone needs to study the adversary in an asymptotic way because this is the way the universal composable framework works. Another work in the same line with ours recently presented in Eurocrypt is TARDIS, a foundation of time lock puzzles in UC. The authors provide a UC definition of time lock puzzles, a construction based on a repeating squaring and also they prove that the construction satisfy a public verifiable notion based on a definition that they provide. Despite our similarities, there are fundamental differences between our works. The first one is regarding the modeling. So they assume that a message is revealed after specific numbers of computation has been done. We assume that a message is revealed in an epsilon time when a specific time has been reached. We believe that this captures more natural the concept of time lock encryption because a message is opened when a specific time has been reached rather than when some computations has been done. Another difference is regarding the generalization. The TARDIS functionality only captures time lock encryption schemes based on computational puzzles. So the TARDIS functionality cannot model centralized constructions or witness-based encryption constructions as we have referred. The second one is that their construction cannot model adversaries that possess an advantage on opening a message in comparison with the honest parties and specifically in witness-based encryption constructions which is based on blockchain, the one that I referred earlier. Because of the selfish mining, the adversary can construct a witness faster than the honest parties, and that gives it an advantage. TARDIS cannot model this. And the third one is that the construction that TARDIS provides is based both on the Radomorockel and the generic group model. In our case, our ideal functionality is more general because it's just, it's related in the absolute time rather in the computational time which means that it captures all of the mentioned time lock encryption scheme constructions. Also, we captures this kind of situation where the adversary possess an advantage with the leak function. Ideal the leak function is equal to the identity which means that the adversary doesn't possess any advantage in comparison with the honest parties. But there are also constructions which are very useful where the adversary possess an advantage over the honest parties. So we can capture them by parameterizing our ideal functionality with the leak function. And last, our construction, the Astrolabus, it is based only in the Radomorockel model. I'm going to present an attack on the public verifiability notion presented on TARDIS. So first, let us assume that we have a puzzle creator on the left, a puzzle designator on the right and we have the server that actually solves and provides the proof of correct computations to the designated party in the middle. So the initiator of the puzzle encrypt the message M along with the travel information and the result is a cypher taxi. It sends that cypher taxi both to the server and the designated party. The server solves the puzzle and obtains the solution solve and next, with that solution, encrypts the cypher taxi and obtains both the message M and the travel information. Then the server sends to the designated party the message M, the travel information and the solution solve and now the designated party with a verifying function can verify that indeed the solution was correct. But what happens in case that the server is malicious, which means that solves the puzzle with a solution decrypts the cypher text obtains the correct message and the correct travel information but instead of sending them it sends another message another travel information and another solution. Now the designated party when uses the verifying function in order to verify that the provided solution was correct the verification will fail so far so good but the problem now is which was the malicious party was the server or was the initiator of the puzzle and unfortunately this is something that the designated party cannot answer In the third part of my talk I'm going to speak about our research contribution So, first we define in the universal composable framework the concept of time lock encryption by using an ideal functionality and specifically the FTLE and we capture certain security properties the first one is the privacy we capture it because the simulator doesn't learn anything about the message but instead only learns the length of the message second that's related with the asymmetry between the puzzle creation and the puzzle solution that I refer earlier because encryption also takes some time and special in the concept of time lock encryption we manage to capture it by parameterize our ideal functionality with the function delay So, if delay is 0 it means that the encryption takes 0 rounds if it's 1 it means that it takes 1 round next is the correctness where if a ciphertext is obtained twice the functionality returns an error message as in the case of classical public encryption and finally we have our leak function where the simulator possess an advantage during encryption time over the honest parties like the bitcoin construction that I refer Ideally the leak function should be equal to the identity one which means that the simulator does not possess any advantage in comparison with the other parties when using certain encryption schemes Of course there are challenges on defining a puzzle based UCTLE protocol that realizes our ideal functionality the first challenge is related with the fact that all messages are eventually open and specifically the simulator receives the length of the message so the simulator needs to encrypt a ciphertext based on something that we don't know so for that reason the simulator just encrypts a fake message but in the concept of time lock encryption that message will eventually open after some time and then when that message opens it needs to be open to the real message to the correct one so how this is possible how the simulator can manage to encrypt a fake message and opening to the correct one is using a cryptographic primitive which is called non-committing encryption and it is based on the other moracri model the second challenge is that the concept of time lock encryption as I referred earlier it is based on the concrete time so in nature the time lock encryption operates in a concrete time but we need to capture the concept of time lock encryption in an asymptotic model so first we need to guarantee that the computation for solving the puzzle cannot be done locally because then a Turing machine can actually solve the puzzle any difficulty actually in just one round so for that reason we based our puzzle in the other moracri model and of course the access to the other moracri model should be restricted for that we are using the functionality wrapper so the extended time lock encryption construction that we use is as follows when when we want to encrypt a message M with difficulty T the resulting ciphertext is a table where the first argument is the result of the time lock encryption scheme we are using with R to be a random string T to be the difficulty the next argument is the random moracri call or the hash evaluation over the value R XOR with a message M here as you can see because the random moracri is programmable the simulator can equivocate and actually change the fake message to the real one this is why we made this one of the reasons we made this extension and the last argument is just the random moracri call on R concatenate the message M and this actually guarantees that our scheme is non malleable so this is a part of the actual protocol its party can done two queries both for puzzle creation and puzzle solving the puzzle creation queries can be polynomial many because they can be parallelized in contrast with the puzzle solving where it can be at most Q because they cannot parallelize next the ciphertext must broadcast it immediately because the puzzles needs to be solved and this actually makes the connection between the absolute time and the computational time because our ideal functionality captures the concept of time lock encryption in an absolute time but with our construction in our protocol that you see realize our functionality we use a computational time one so that's why the parties needs to receive immediately the resulting ciphertext its starting to solve it so that when the time comes the computation will be done and thus the message can be opened so in order to link the provided algorithm and the you see definition we define a game based definition which is called Q security Q security states that it is hard to reverse the challenge message before the time comes this captures only one wayness and not semantic security but with a equivocable extension in the random oracle that I refer earlier is enough for having a you see realization so we have our first theorem which states that if the provided time lock encryption algorithm satisfies our game based definition then we have a you see realization so now I'm going to present your strollers the idea behind the strollers is that we combine the time lock puzzle of Mahmoudi and specifically we hide in the time lock puzzle a key K as in the first argument of the table is the value X0 until the value Xn and in the last argument is the XOR of the last of these axes XORed with a key K so in order for someone to retrieve the key must actually compute in a sequential way all of these has evaluations like in Mahmoudi but instead of hiding the key K across all of the puzzle and retrieving a part of it each time we hide it at once in the final argument and secondly we use a symmetric key encryption scheme for example IS to hide the message M by using the key K like in reverse and the result is they are strollables as you can see it is based solely on the random miracle model in contrast with the reverse that is based both in the generic group model and the random miracle one it is public verifiable without the knowledge of any trapdoor information because the entity that actually solves the puzzle can provide all of the hash evaluation and any third party at once and in parallel can evaluate them and actually see if the solution is it matches also the puzzle generation doesn't require any knowledge of any trapdoor information because all of the computations can be parallelized and the time is proportional to the number of the CPU cores regarding the security of Astrolabus we have a theorem that states that Astrolabus satisfies the Q security so Astrolabus if it is included in the protocol that we refer earlier can you serialize our ideal functionality but what happens if we want to study the security of Astrolabus outside of the UC framework for example in a standalone setting is the Q security enough the answer is no because as I refer semantic security does not hold because Q security only stress the one way in property so for that reason we define an in-CPA style game based definition but in the time log setting and Astrolabus satisfies it in the last part of my talk I'm going to speak to you about our future directions so first is to improve the scalability of Astrolabus and specifically we have the puzzle generation which can be paralyzed and is proportional in the number of CPU cores based on an early benchmarking we found that for an average computer which possess 4 to 6 cores a 12 hour puzzle can be generated in 1 to 2 hours which is not practical so our idea is instead of using a CPU we can use a GPU where the number of cores are many more but the architecture and the way that GPU solves a problem it's way different so for that reason we need benchmarking regarding our second research direction when we actually create a time lock puzzle with Astrolabus we need to be sure that someone will not take advantage of the hardware acceleration and solve the puzzle faster for that reason we will enhance Astrolabus and make it memory hard which means that the CPU fetches data from RAM all the time because cannot predict which data is actually the correct one and this is expensive even for a dedicated hardware we are going to borrow ideas from the balloon passing paper so that we can predict more safely the correct parameters for the puzzle creation but more research needs to be done not for applying and enhance Astrolabus with this construction but also we need to be sure that the puzzle generation is efficient this is the reference and thank you for your attention