 So, welcome everyone. So, I'm gonna talk on homomorphic time-lock puzzles and applications. So, let's move straight to what the primitive is. So, time-lock puzzles, the concept first originally envisaged in 93 and later proposed by Riva Sharmid and Wagner in 96, is basically Hallis choosing to have a solution embedded inside a puzzle and giving it to Bob. And Bob takes this puzzle and tries to solve it for some amount of time that's t and eventually obtains the end solution that was originally embedded. Okay? So, what are the properties of such a time-lock puzzle? It requires this to considerably faster in generating this puzzle, meaning that she takes much shorter time than t that is required to solve it. And as a security requirement, Bob, when he tries to solve the puzzle, no matter how much amount of parallel computation power he uses, he cannot solve the puzzle before time t. And this primitive has found applications in wide ranging spheres, namely sealed with auctions, fair contract signings, zero-knowledge arguments, non-malleable commitments, and so on and so forth. So, let me introduce some formalism for the primitive. We have two algorithms. That's the first one is the puzzle generation that takes the solution, the security parameter, and the timing hardness as input. And it outputs the puzzle. And there's the solve algorithm that takes the puzzle and eventually outputs the solution that was embedded in it. And as efficiency, we would require the puzzle generation to run in poly log t, where t is the timing hardness, while the solving algorithm has to run in poly t. Okay? And the security requirement is that for any depth t bounded adversary, a puzzle that's generated with solution S0 is indistinguishable from a puzzle that's generated with solution S1. Okay? There are two known constructions so far for Time Lock Puzzles, the first one from 96. It basically relies on the sequentially squaring group element from Zn star. Note that if the order phi n of Zn star is known, it's easy to compute the result here by simply computing 2 over 2 power t lambda and reducing it mod phi of n, and then encrypting the message as shown here. And if the order of the group is not known, that is phi of n is not known, then the only way to decrypt the message from this cif text is by taking the x and squaring it sequentially for 2 power t times. And the security relies on the sequential squaring assumption, where it says that depth t adversary cannot do better than simply sequentially squaring it. And then recently, by Butanski et al, we had a construction that's based on succinct randomized encodings, where a program that does nothing for t steps is what is inside the encoding, and thereby you get the time parameter that you require for a Time Lock Puzzle. And it relies on indistinguishability obfuscation. Time Lock Puzzle, the reason it has found many application in, for example, in seal bid auctions is that it proposes a solution for fairness, for some notion of fairness, which I will show you. Let's consider seal bid auctions where there is the bidding phase, where the bidders embed their bids inside Time Lock Puzzles and broadcast into the network. There are two ways to open the Time Lock Puzzle. The first way is the bidder simply reveals the random coins that he used to generate these puzzles, thereby revealing the bids directly. And the other way is if there are some bidders that are not revealing the coins, you can simply use the solving algorithm to solve these puzzles and obtain the bids that were embedded. Now notice that one way or the other, all the bids have been recovered. And now with this information, you can announce the winner. Notice that the fairness that is guaranteed by Time Lock Puzzle is that before announcing the eventual result, you consider every party's input or, in this case, every bidder's bid. But there are some limitations to Time Lock Puzzle, namely the first one is that if you want to ignore a Time Lock Puzzle in the hope of saving cost and solving it, you basically compromise correctness of the application. And this could lead to, for example, in the seal bid auction case, this could lead to bid suppression attacks where an adversary selectively suppresses some puzzles saying that he wants to save cost, right? And in the other extreme, when you have a large number of Time Lock Puzzles involved in a computation, this means that an adversary could force regular innocent players in the system to solve, like in this case, 10,000 or 100,000 Time Lock Puzzles, which could prove computationally prohibitive. Okay? So the conclusion is that Time Lock Puzzles suffer from a scalability problem, which actually hinders their practical adoption in many real-life applications. So our goal was to solve this very problem. So consider the traditional approach where you solve the puzzles for some time t, and then you learn and you compute the result here. We propose an alternate paradigm where you basically homomorphically compute on top of the puzzles, and then you obtain the embedded result, the desired result that you want from the application. Notice that this compute phase should be efficient for this approach to work. All right? So let me just drive in the fact by showing how this would work in the sealed bed auction case. Like before, we have the bid phase where bidders embed their bids in puzzles, and then you have a compute phase where you take all these puzzles, compute on top of them, which results in a single puzzle with some bid embedded in it, and you try to solve this puzzle now. Note that instead of five, you just have one puzzle to solve. Eventually, after time t, you obtain the bid bid that was embedded in this final puzzle, which happens to be, say, the maximum of all the bids that were originally bid in the bidding phase. With this information, now you can eventually announce the winner of the auction. All right? It's time to highlight our contribution. So we formally propose the notion of homomorphic time lock puzzles, give candidate constructions for different homomorphisms, and also identify key applications. So we identify three, we give three constructions, namely for linear homomorphism, multiplicative homomorphism, and as a feasibility result, we show a fully homomorphic time lock puzzle. And as applications go, we identify e-voting and multi-party coin flipping for our linear construction, contract signing for the multiplicative construction, and notice that with the fully homomorphic, you could achieve all these applications, but we care for practical efficiency, thereby these constructions actually make sense to realize the other applications. All right? Just to clarify how this FHTLP plays against FHE. Notice that FHE is considered hard for probabilistic polynomial time adversaries, depending on the setting. And FHTLP is hard for an arbitrary depth t adversary. While FHE saves communication cost in a multi-party computation, FHTLP is aimed at saving both communication and computation cost. And you would require a secret key eventually to decrypt the final result of the FHE, while in FHTLP, the final result of the evaluation becomes public after some time t. All right? So as far as formalism goes for homomorphic time lock puzzles, it inherits the two algorithms, that's the puzzle generation and puzzle solving algorithm from the native time lock puzzle. We additionally have a setup algorithm that takes the timing hardness and outputs some public parameters. And we would like to emphasize that this setup algorithm is a one-time setup, and you can consider the public parameters as being a common reference string, if you may. All right? And then you have the homomorphic evaluation algorithm that takes the circuit of interest and some puzzles and computes on top of these puzzles to output a resultant evaluated puzzle. As far as efficiency goes, we have the setup algorithm that runs in polylock t. And you have the evaluation algorithm that runs in poly the size of the circuit of interest here. Okay? So our correctness definition basically says that if you try to solve an evaluated puzzle with overwhelming probability, it should result in the circuit being evaluated on the embedded solutions. And the solving algorithm when it operates on an evaluated puzzle is the running time is bounded by some p over the timing hardness t. And then you have the security definition, which is quite similar to what we had for normal time lock puzzles, which is saying that a homomorphically generated puzzle with solution s0 is indistinguishable from a puzzle with embedded result s1 for depth t bounded adversity. And then you have a compactness definition that says that the size of the evaluated puzzle is bounded by some fixed polynomial on the output, on the size of the output of the circuit on the embedded solutions here. All right? Let me directly go into our linear homomorphic construction, which is fairly simple. We have the setup algorithm that basically chooses RSA modulus n shown here. And it generates a generator G, which is the generator for the group Jn, which is the set of all elements from Zn star with Jacobi symbol plus one. It generates H over here, which we can call a partial puzzle. Notice that this computation can be sped up because we know the factorization of n. So this 2 power t can be computed fast. And the resultant heads can be computed much faster than what it would require to solve. And then we output the public parameters with whatever we computed here. All right? And then you have the puzzle generation algorithm that basically, okay. Okay. So the puzzle generation algorithm chooses a random R, which acts as a randomization factor. And it outputs the puzzle components u and v, where notice that the component v is reminiscent of the Pyliacrypto system. Okay? And then you have the solving algorithm that takes the puzzle uv and takes the first component u and sequentially squares it to obtain this blinding factor and eventually obtain the solution s. Notice that the correctness of this solving algorithm follows the binomial expansion as in the Pyliacrypto system. The evaluation algorithm is fairly simple. You take several puzzles. You multiply the components of each of these puzzles to obtain the eventual evaluated puzzle here. The security argument depends on the following assumptions. You rely on strong sequential squaring assumption that basically says that the adversary in this case has knowledge of the group structure ahead of time. And this assumption has been made in recent works. Then you rely on the DDH assumption over Jn, which is the Jacobi symbol plus one of z and star. And then you rely on the DCR assumption that is the Decisional Residuosity Assumption. Okay? Let me jump into an application that's e-voting for our linear construction. Notice that here we are our model, the adversarial model is basically a semi-malicious model. And this model could potentially be relaxed if we use non-interactive zero knowledge to prove the well-formness of puzzles. Okay? So in this case, we have some set of candidates, five candidates, and there are some voters here. And they would like to vote for the candidate. Note that if it's a one, it's a vote for this candidate. And if it's a zero, it's not a vote for the candidate. So the voters decide their votes. And they embed these votes inside time lock puzzles and broadcast it to the network. Note that the channel here happens to be anonymous so that the voters are not identified. Is it the case that we have to solve 40 puzzles? Hopefully not. And this is where our linear construction jumps in. What we do is we basically take all the puzzles that are corresponding to a candidate, homomorphically evaluate on top of that to obtain the resultant puzzle, which gives us these puzzles for the candidates. Notice that the total number of votes garnered by this candidate is embedded in this evaluated puzzle for each candidate here. Okay? Now, you only have five puzzles to solve instead of 40, right? And after the solving phase, you obtain the tally of each of each candidate and you can eventually announce the result. You could also gain public verifiability if you run this voting on top of a public ledger like a blockchain, where any user in the blockchain system can potentially solve puzzles. We don't need a trusted authority to do the tally. Okay? The other application for our linear construction is multiparty coin flipping. Here, the users embed their randomness inside puzzles and broadcast them among themselves. We homomorphically compute on top of these puzzles to obtain a resultant puzzle that has t here. Notice that instead of having four puzzles to solve now, you have just one. And after spending time t solving this puzzle, you obtain the result of the coin toss that you wanted to compute originally. Here, it's a linear combination of the randomness that were embedded originally. Okay? So let me now briefly show you our multiplicative construction. The setup algorithm follows the same as in our linear construction. The puzzle generation is reminiscent of the Elgamal system here. Notice that this construction of MHTLP can be extended to XOR homomorphism if you encode the solution S this way by having it as minus one power S and the S is nothing but 0 or 1 bits. And then you have the resultant puzzle here. The solving algorithm similarly takes the first component repeatedly squares it and then unblines from the second component to achieve the solution. The homomorphic evaluation algorithm is the same as what we had for Elghtlp. You take different puzzles and you multiply each component of them correspondingly to obtain the evaluated puzzle. Alright? The security argument we rely on assumptions as we had before the strong sequential squaring assumption and the DDH assumption over JN. And we can prove the security of our MHTLP construction. Okay? As an application of our MHTLP, let me show you the multiparty coin contract signing case. Consider that we have RSA aggregate signatures where the signatures are elements of quadratic residue N and the aggregation algorithm is simply taking the signatures and multiplying them together and reducing it to modulo N. And consider the case that this aggregated signature happens to be the valid signature on the contract. Okay? So the process runs in rounds. So in the first round, each user signs the document and embeds the signature inside a puzzle of hardness T, which happens to be the timing hardness for this round, and broadcasts the puzzle to everyone. And in each successive round, the players embed their signatures in new puzzles of hardness that is half the hardness of what it was of the previous round. So namely TI is nothing but TI minus 1 over 2. If at a round, if an adversary fails to broadcast a puzzle, the other users can come together homomorphically evaluate the puzzles that were in the previous round to obtain a resultant puzzle, which has the embedded aggregate signature in it. After solving for time Tj minus 1, which is the hardness of the previous round, they can obtain the aggregated signature while the adversarial player can obtain it in half a time as the honest guys. Okay? There are some extensions of homomorphic time block puzzles that we propose in our paper. One of them being that we can indeed homomorphically evaluate on top of puzzles of different timing hardness. Consider the case that T1 is greater than T2. And if the difference in the timing hardness between them is of this structure, we can natively combine these puzzles in this manner as shown here. Okay? Finally, as a feasibility result, we show the construction for FHTLP, which is based on probabilistic I.O., which was proposed, which was used in Kennedy et al. in 2015 to construct FHE. Here the puzzle is of the form, a ciphertext and a normal TLP puzzle. And to solve this puzzle, you simply ignore the first ciphertext and you solve the resulting time block puzzle here. For homomorphic evaluation, we have an obfuscated program that's output in the setup that basically performs the operation that we require. So it takes in two puzzles, decrypts the ciphertext in this case and computes a NAND of the underlying messages and generates the resulting evaluated puzzle. The security follows from sub-exponential I.O. and sub-exponential one-way functions and the applications, apart from being, we can do all the previous cited applications, we can also do sealed bid auctions with our FHTLP construction. To conclude my talk, our homomorphic time block puzzle, HTLP, scales well in multi-party settings and actively prevents denial of service attacks. We provide three constructions for different homomorphisms, linear, multiplicative and for any polynomial-sized circuit evaluation. And our LHTLP and MHDLP, which are the linear multiplicative constructions, are quite efficient for practical purposes because the homomorphic evaluation is just multiplication of group elements. And as future work, we identify development of application-specific proof of well-formness, having efficient trustless setup and building FHDLP from practical, for building FHDLP from practical primitives as future work. And already we have Malavolta, who is my co-author, has a follow-up paper on FHDLP from standard assumptions. All right. So if you have questions, we are in the audience. Please ask us. Thank you. Thank you for listening. If you have a question, please come to the microphone. Hi. So for applications like auctions and coin flipping, are you going to end up with the thing where the different inputs can now depend on each other? So if you bid B, can I bid B plus one by homomorphically changing your time block puzzle? Okay. So we don't go into the detail of how you authenticate your bids, how you authenticate your puzzles and things like that. So my bid is, you can, in a complete system, you can consider my bid to be authenticated with my signature and evaluating on top of it and calling it your bid probably is, could be prevented through measures that we don't deal with in our paper here. More questions? Let's thank the speaker again.