Non-malleable Time-Lock Puzzles and Applications

Abstract

Time-lock puzzles are a mechanism for sending messages “to the future”, by allowing a sender to quickly generate a puzzle with an underlying message that remains hidden until a receiver spends a moderately large amount of time solving it. We introduce and construct a variant of a time-lock puzzle which is non-malleable, which roughly guarantees that it is impossible to “maul” a puzzle into one for a related message without solving it.

Using non-malleable time-lock puzzles, we achieve the following applications:

• The first fair non-interactive multi-party protocols for coin flipping and auctions in the plain model without setup.

• Practically efficient fair multi-party protocols for coin flipping and auctions proven secure in the (auxiliary-input) random oracle model.

As a key step towards proving the security of our protocols, we introduce the notion of functional non-malleability, which protects against tampering attacks that affect a specific function of the related messages. To support an unbounded number of participants in our protocols, our time-lock puzzles satisfy functional non-malleability in the fully concurrent setting. We additionally show that standard (non-functional) non-malleability is impossible to achieve in the concurrent setting (even in the random oracle model).

A Discussion of Non-malleable Definitions

We briefly discuss the different notions of non-malleability studied in this work. Specifically, we compare standard non-malleability (Definition 3.4), non- malleability against depth-bounded distinguishers, and functional non-malleability (Definition 4.1). In Sect. 1.3, we also discuss the definitions considered in the concurrent works of [3, 4, 28].

Common to all of our definitions, there is a depth-bounded man-in-the-middle (MIM) attacker, which we call \(\mathcal {A}\), that on input a puzzle z with solution s tries to output a different puzzle \(\tilde{z}\) to a related value \(\tilde{s}\). Here, \(\mathcal {A}\) is depth-bounded relative to the difficulty of the puzzle, so it should not be able to solve the puzzle. The definitions vary in what it means for \(\tilde{s}\) to be “related” to s. For our standard notion of non-malleability, we require that no unbounded distinguisher \(\mathcal {D} \) on input \(\tilde{s}\) can tell if it came from the experiment starting with s or the all-zero string. In the definition of non-malleability against depth-bounded distinguishers, \(\mathcal {D} \) is restricted to be depth-bounded in the same way as \(\mathcal {A}\). In the case of functional non-malleability, the (unbounded) distinguisher \(\mathcal {D} \) receives instead as input \(f(\tilde{s})\) where f is a low-depth function. We parameterize functional non-malleability by an output length m. When \(m = |s|\), this captures plain non-malleability by considering f to be the identity function. When \(m = 1\), this captures depth-bounded distinguisher non-malleability as f essentially plays the role of the depth-bounded distinguisher \(\mathcal {D} \). In Theorem 4.2, we show how to construct a time-lock puzzle satisfying functional non-malleability for any output length m assuming a time-lock puzzle that is secure.

When considering concurrent non-malleability, the MIM attacker \(\mathcal {A}\) receives possibly multiple puzzles \(z_1,\ldots , z_{n_L}\) that have solutions \(s_1,\ldots , s_{n_L}\) as input and tries to output multiple puzzles \(\tilde{z}_1, \ldots , \tilde{z}_{n_R}\) (different from its inputs) corresponding to \(\tilde{s}_1, \ldots , \tilde{s}_{n_R}\). In the most general form, we can consider some distinguisher \(\mathcal {D} \) that receives as input \(f(\tilde{s}_1,\ldots , \tilde{s}_{n_R})\) and tries to tell if it came from the experiment starting with \(s_1,\ldots , s_{n_L}\) or with \(n_{L}\) all-zero strings. We show in the full version that if the MIM attacker can encode a time-lock puzzle into the value \(f(\tilde{s}_1,\ldots , \tilde{s}_{n_R})\) (where f may be the identity), then the construction cannot be secure against an unbounded distinguisher. In particular, if the function’s output length m is greater than the output length of the time-lock puzzle, the scheme may not be secure. On the other hand, our construction of Theorem 4.2 works for functional non-malleability even in the fully concurrent setting, as the output length of f is bounded. So, as long as the output length of the function f is sufficiently small, we can support unbounded concurrency.

Finally, our separation in the full version gives a construction that satisfies plain (non-concurrent) non-malleability against depth-bounded distinguishers yet does not satisfy non-malleability against unbounded distinguishers. We remark that in the setting where the message length for the puzzle is 1 bit, these notions are equivalent by simply considering the depth-bounded distinguisher that outputs the bit it gets as input. Moreover, it can be shown that they are equivalent as long as the message length is in \(O(\log \lambda )\). Therefore, this separation necessarily relies on the fact that the message length for the puzzle is in \(\omega (\log \lambda )\).

Fig. 1.

Relationship between notions of non-malleability. An arrow from A to B indicates that any construction satisfying A also satisfies B. Here, m is the message length, n is the concurrency, and \(\mathcal {F} _{\ell }\) is class of depth-bounded functions with \(\ell \)-bit output.

We summarize the various relationships between the definitions in Fig. 1.