 Hello, everyone, and welcome to my TCC 2020 virtual talk. So in this talk, I will present the security of time lock puzzles and timed commitments. So this is joint work with Jonathan Katz and Julian Loth. So here's the outline of my talk. Both time lock puzzles and timed commitments are topics in the area of timed cryptography. So I will first talk about what time cryptography is. And our first contribution is to present an idealized model called the strong algebraic group model. And then we analyze a widely used time lock puzzle called the RSW assumption or the RSW puzzle in the strong AGM. And finally, we show how to construct timed commitments from a variant of RSW called decisional RSW. And along the way, we also present another primitive called timed public key encryption. So timed cryptography involves some tasks that takes and prescribes time to compute. And importantly, there should be no parallel speedup, so you'll still need time t, even if you have access to a parallelized computer. A classic topic in timed cryptography is timed encryption, which was introduced by this is Reverend Shamir and Wagner in 1996. So what is the time encryption? Recall that in the standard public key encryption, if you have the secret key, then you can decrypt fast. But if you don't have the secret key, then decryption would become infeasible. And in timed encryption scheme, so again, if you have secret key, then similar to a public key encryption, you can still decrypt fast. But the difference is, even without the secret key, you can still decrypt. But this decryption process will take the prescribed time t to complete. But to be a little bit more formal, the encryption algorithm takes as input the public key and a message and an output of Cypherx. So this is the same with standard public key encryption. But the decryption algorithm, there are two decryption algorithms. So the fast decryption algorithm takes the secret key and the Cypherx and an output message or reject. And the slow decryption algorithm only takes the public key and the Cypherx and it also outputs message or reject. And the slow decryption should take the prescribed time t. So as you can imagine, in timed cryptography, you cannot rely on some classic assumptions such as the hardness of this gridlock because they simply don't fit here. And instead, we need some problems with mild hardness, which can be solved in some prescribed time, but not any faster. And this is the so-called time lock puzzles. So the most well-known time lock puzzle is the RS sub-lock puzzle, again proposed by the original RS sub-lock 1996 paper. So there's a fixed group and given a random group M and G, the task is to compute G to the power of two to T. So this is used in almost every timed cryptographic schemes up to now. And in particular, it is the underlying assumption in the two well-known verifiable delay functions which have wide applications in many blockchain systems. So of course, if the group order is known, then you can compute G to two to T really fast because you can first compute the internet G as sorry, the internet Z as two to T mod the group order. And then instead of computing G to two to T directly, you can compute G to Z by repeated squaring. So we need to use a group of unknown order. For example, we can use the quadratic residual group QRN, where N is the product of two large safe primes. So now repeated squaring should take time, should take T sequential group operations to complete. And of course, the question is whether you can solve this puzzle faster than T steps. So the assumption says that computing G to two to T in fewer than T steps is as hard as factor N. And there's a variant called the decisional assumption which says that even distinguishing G to two to T and a random group element in fewer than T steps is still as hard as factor N. So this is stronger than R sub blue. So we want to analyze the R sub blue assumption in an idealized model. A natural candidate would be the algebraic group model proposed in two years ago in 2018. So roughly speaking, this HM stands between the standard model and the general group model. And a so-called algebraic algorithm whenever it outputs a group element, it must also output its so-called algebraic representation which is how the output can be expressed using existing group elements in the algorithm's view. So unfortunately, on an intuitive level, it is very easy to see that the plain AGM is not good for use in our context. This is because the AGM has no notion of time or step. So an algebraic algorithm can just output G to two to T together with its representation, two to T. And that's it. So the algorithm has in just one step. So to analyze the R sub blue assumption, we, in this paper, we introduce a quantified version of the AGM, which is called the strong AGM. So the strong AGM is between the AGM and the general group model. So as you can see here, there's a spectrum of models. So at one end is the standard model and at the other end is the general group model. So the AGM lies between the standard model and the general group model. And the strong AGM lies between the AGM and the general group model. So in the strong AGM, we require that the algorithm must output the entire path of computation. So concretely, if an algorithm outputs some group element Y in a certain step, so it also needs to show how Y is computed using previously seen or previously output group elements and using basic operations. So there are two types of basic operations. One is multiplication and the other is inverse. And importantly, we allow an algorithm to output multiple group elements in a single step. And this exactly models what a parallelized algorithm can do. So here's an almost trivial example. Here in G, compute G to the power of eight in three steps. So this is the R sub blue puzzle where T is three. So in the first step, the algorithm only sees G. So it can only output G square as G times three. And then in the second step, the algorithm can use both G and G square. So it can output G to four as G square times G square. And then finally, in the third step, it can output the final output G to eight as G to four times G to four. So now we can show that the R sub assumption holds in the strong area. So the proof is by a reduction which factorizes on. So say algorithm A is an R sub blue solve. When A outputs a group element X in step I, the reduction R can recursively compute an integer X such that the group element output by I is this capital X is G to X. And by induction, we can easily show that this integer X is at most two to I. So now if the algorithm A, the strongly algebraic algorithm A computes G to T in fewer than two steps, and the reduction R correspondingly computes the integer X, which is strictly smaller than two to T. And this implies that two to T minus X is a non-zero multiple of the group order, the order of QRN. So now the reduction R of times a non-zero multiple of phi of N, and of course it can then factor N. So we also have a complementary result which is it is impossible to prove the R sub blue assumption with AGM. So these two results combined show a separation result between the AGM and the strong AGM. Okay, so equipped with this R sub blue assumption we can now construct a timed encryption scheme which is similar to the algorithm. So the power key is N and the secret key is a factorization of N. So to encrypt your first tools are random group element and then your multiple is random group element, sorry, your multiple the random group element to the power of two to T was a message. So it is easy to see that this scheme is CCA secure under the decisional R sub blue assumption. But of course it is not CCA secure because it is vulnerable. So then how to construct a CCA secure a timed public key encryption scheme. So one possible approach is to use an authenticated encryption scheme and a verifiable delay function. But the problem is it uses a random oracle. So without a random oracle we can construct a CCA secure encryption a timed encryption using the Nar Young paradigm. So recall that Nar Young is a compiler from a CCA secure public key encryption scheme or CCA secure scheme. So it uses two keys and it encrypts the message twice and then it uses a simulation sound and no interactive self-knowledge proof to prove that these two ciphertexts correspond to the same plaintext. So plugging in the previous CCA secure scheme we obtain a CCA secure scheme as shown here. We prove that this scheme is CCA secure under the decisional R sub blue assumption. So this proof is very similar to the original proof by now and you know, there are some subtleties here. So for example, the reduction to the decisional R sub blue assumption must simulate the decryption oracle in a fast manner. And this requires fast decryption which in turn requires fast verification of the NSIC. Okay, so our next topic is non-interactive timed commitments. So this was first proposed by Bonnet and now in 2000. In an ITC, there are four algorithms. The commitment algorithm takes as input a message and outputs a commitment proof and a decommission proof. And secondly, the commitment verification algorithm takes a commitment and a commitment proof and outputs either accept or reject. And the decommission verification algorithm takes a commitment, a message and a decommission proof. And again, it outputs either accept or reject. And finally, there's a forced decommission scheme which takes only the commitment and it outputs the message or the rejection symbol. So both of the two verification algorithms run in time fast while the first decommission algorithm takes prescribed time T to complete. But what does all of these mean? So it's a graphical illustration. So the committer sends the commitment as well as the commitment proof to the receiver. So this is the commitment stage. And in this stage, the receiver can verify whether this commitment can be opened with the message in time fast. And then in the decommission stage, the committer can send the message as well as the decommission proof. And the receiver can again verify whether this message is valid or not. Again, in time fast. And on the other hand, if the committer refuses to decommit, then the receiver can still do the forced decommitment algorithm based on the commitment only to obtain the message. But this will take time, the prescribed time T to complete. So the security of timed commitment seems we have two security notions. So hiding means that what the receiver sees in the commitment phase, which is the commitment and the commitment proof, they should reveal no information about the message. And we require the non-monability property, which is the commitment and the commitment proof should reveal no information about the message, even given access to the forced decommitment protocol. And in binding properties, binding property says that first, it is infeasible to come up with a valid commitment and two pairs of messages and decommitment proof, such that the messages are different, but both of them are valid with respect to the commitment. And it should also be infeasible to come up with a fake decommitment proof. So given timed publicly encryption, CCA secure timed publicly encryption scheme, we can very straightforwardly construct a non-interactive timed commitment scheme. So we use two basics for two relations. So both of these relations, the sign for text is encrypted correctly. So the difference is whether the message is in the witness or in the instance. So to commit, you just encrypt the message along with these two proofs that M is computed correctly. And for the commitment verification algorithm, you'll verify the first music and for decommitment verification, you'll verify the second music. And finally, for forced decommitment algorithm, you'll just decrypt and recover the message. To summarize, this paper mainly has three contributions. So the first one is we proposed the strong AGM, which is a quantitative version of the AGM. And secondly, we analyze timelock puzzles in the strong AGM. So we present one of the first hardness results about the RSW assumption. And there's also a concurrent work in crypto this year, analyzing the same assumption, but they are in the general green model. And finally, we construct non-interactive timed commitments. So as a building block, we first construct CCA secure timed public key encryption. And so we do a compiler from CCA secure timed public key encryption for non-interactive timed commitments. So this is the end of my talk. Thank you very much. And our paper is on e-print, so you can check it out if you are interested.