Notes on IACR TCC 2024/1786 12/24/2024 1 of 9 (God willing, 2024)
Paper: "Black-Box Timed Commitments from Time-Lock Puzzles" by Abusalah and Avitabile

Table of Contents:
TL;DR
Layman's TL;DR
ZKP/FHE/MPC SME TL;DR
Cryptography Practitioner TL;DR
Theoretical Computer Scientist TL;DR
Non-Hype / Critical TL;DR
Application
Unexpected Findings
Key Terms
Approach
Results and Evaluation
Practical Deployment and Usability
Limitations, Assumptions, and Caveats
Promises and Horizons
Conflict of Interest

TL;DR:
This paper presents a way to build Timed Commitments (TCs) using Time-Lock Puzzles (TLPs) in a generic, "black-box" manner. This is significant because it allows TCs to be constructed from a wider range of assumptions than previous methods, which relied on the specific assumption of repeated squaring.

Implications:
Broader Foundations: TCs can now potentially be built from any problem that admits a TLP, including some that are believed to be resistant to quantum computers.
Post-Quantum Security: Using a specific TLP construction, this work achieves the first plausibly post-quantum secure TC.
Modularity: The black-box nature of the construction means improvements in TLPs automatically translate to improvements in TCs.

Simplified Analogy:
Imagine you want to commit to a secret (like a prediction) without revealing it immediately. You could write it down, lock it in a safe, and give the safe to a friend. But what if your friend is dishonest or loses the safe? Timed commitments are like a safe that automatically opens after a set amount of time, even if your friend is uncooperative. This paper shows how to build such a "timed safe" using only a "time-lock puzzle" (a puzzle that takes a certain amount of time to solve) as a building block, without needing any other special tools.
Layman's TL;DR:
This paper shows how to build a special type of commitment scheme called a "timed commitment" using only a "time-lock puzzle" as a building block. Timed commitments are like digital safes that automatically open after a set amount of time, ensuring that a secret is eventually revealed. This is a big deal because it allows us to build these timed commitments from a wider range of assumptions, including some that are believed to be secure against quantum computers.

ZKP/FHE/MPC SME TL;DR:
Abusalah and Avitabile construct timed commitments (TCs) generically from time-lock puzzles (TLPs) in a black-box manner, relying additionally on one-way permutations and collision-resistant hashing. They introduce quasi-publicly verifiable TLPs (QPV-TLPs) as a key tool, which they construct from any TLP. Their TC achieves computational binding, statistical well-formedness, and public verifiability against unbounded adversaries, and its commit phase is a five-round protocol. This broadens the foundations of TCs beyond repeated squaring and yields the first plausibly post-quantum secure TC using [AMZ24]'s TLP. The construction cleverly uses a commit-and-prove system based on MPC-in-the-head to ensure consistency of commitments across multiple invocations of the TLP, achieving statistical binding.

Cryptography Practitioner TL;DR:
This paper provides a new, modular way to build timed commitments (TCs) from time-lock puzzles (TLPs). This is important for applications where you need to commit to a value now and provably reveal it after a certain time, like in sealed-bid auctions or fair multi-party computation. The construction is black-box, meaning it can use any TLP as a building block, and it achieves strong security properties. Notably, using a specific post-quantum TLP, you can get a post-quantum secure TC.
The commit phase is interactive (5 rounds), but the security properties are quite strong, including statistical well-formedness and public verifiability of the forced opening.

Theoretical Computer Scientist TL;DR:
The paper establishes a black-box reduction from timed commitments (TCs) to time-lock puzzles (TLPs), assuming also one-way permutations and collision-resistant hashing. This implies that TCs exist based on the minimal assumption of non-parallelizing languages, and that plausibly post-quantum secure TCs exist. The construction introduces quasi-publicly verifiable TLPs (QPV-TLPs) and uses a novel combination of techniques, including a commit-and-prove system based on MPC-in-the-head and a careful analysis of the resulting timed commitment scheme. The results significantly broaden the theoretical foundations of TCs and open new avenues for constructing them from various cryptographic assumptions.

Non-Hype / Critical TL;DR:
The paper presents a black-box construction of timed commitments from time-lock puzzles, which is theoretically interesting as it expands the set of assumptions known to imply TCs. However, the construction is quite complex, involving a five-round commit phase and the use of a commit-and-prove system based on MPC-in-the-head. While the black-box approach offers modularity, it remains to be seen whether this leads to practically efficient TCs. The reliance on a new QPV-TLP notion, while weaker than publicly-verifiable TLPs, still requires careful scrutiny. The post-quantum security claim hinges on the security of a specific TLP construction, which needs further analysis. Overall, this is a valuable theoretical contribution, but its practical impact is yet to be determined.

Application:
Problem: Existing timed commitment (TC) schemes rely on the repeated squaring assumption, which is a single point of failure and might not be secure against quantum computers.
Solution: This paper provides a generic way to build TCs from any time-lock puzzle (TLP), which can be based on a wider range of assumptions, including some that are plausibly post-quantum secure.
How it works: The authors introduce a new primitive called a quasi-publicly verifiable TLP (QPV-TLP) and show how to build it from any TLP. They then use this, along with a commit-and-prove system based on MPC-in-the-head, to construct a TC with strong security properties.

Unexpected Findings:
1. Black-Box Construction from Generic TLPs: The paper's main contribution is a black-box construction of TCs from generic TLPs. This is surprising because previous TC constructions relied heavily on the specifics of the repeated squaring assumption. This black-box approach allows for greater flexibility and potentially weaker security assumptions.
Rationale: This is significant because it decouples the security of TCs from the repeated squaring assumption, opening the door to constructing TCs from other, potentially more secure, time-based primitives.
2. Quasi-Public Verifiability: The introduction of QPV-TLPs is a novel and unexpected contribution. This relaxation of publicly verifiable TLPs is sufficient for constructing TCs and can be achieved generically from any TLP.
Rationale: This is a clever insight that simplifies the construction and allows for a more general result. It demonstrates that full public verifiability of the underlying TLP is not necessary for building secure TCs.
3. Post-Quantum Secure TC: By using the plausibly post-quantum secure TLP of [AMZ24], the authors achieve the first TC that is plausibly secure against quantum adversaries.
Rationale: This is a major advancement in the field of timed cryptography, as it addresses the growing concern about the threat of quantum computers to existing cryptographic schemes.
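As an added illustration (not code from the paper or from these notes), the following Python toy shows the classical repeated-squaring time-lock puzzle that existing TC schemes rely on, wrapped in a naive timed commitment: the sender uses the trapdoor phi(N) to seal the opening cheaply, anyone can force-open with t sequential squarings, and the forced opening is checked against a hash commitment. The toy primes, the hash-based commitment and every function name are constructed assumptions, and the toy deliberately lacks the well-formedness proof the paper adds, so a malformed puzzle is only detected after the time-t work has been spent.

```python
# Toy RSW-style time-lock puzzle plus a naive timed commitment on top of it.
# Illustration only; this is NOT the paper's black-box construction.
import hashlib
import secrets
from typing import Optional

# Constructed toy modulus (two small primes) so the demo runs instantly.
# A real deployment needs an RSA modulus of unknown order (e.g. 2048 bits).
P, Q = 104729, 1299709
N = P * Q
PHI = (P - 1) * (Q - 1)   # trapdoor: known to the puzzle generator only
R_LEN = 16                # bytes of commitment randomness

def _pad(y: int, length: int) -> bytes:
    """One-time pad derived from the puzzle solution y = x^(2^t) mod N."""
    seed = y.to_bytes((N.bit_length() + 7) // 8, "big")
    return hashlib.sha256(seed).digest()[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))

def gen_puzzle(payload: bytes, t: int) -> dict:
    """Sender side: the trapdoor PHI gives x^(2^t) mod N with O(log t) work,
    because x^(2^t) = x^(2^t mod phi(N)) mod N."""
    assert 0 < len(payload) <= 32, "toy pad is at most 32 bytes"
    x = secrets.randbelow(N - 2) + 2
    y = pow(x, pow(2, t, PHI), N)
    return {"t": t, "x": x, "c": _xor(payload, _pad(y, len(payload)))}

def solve_puzzle(pz: dict) -> bytes:
    """Receiver side: without the trapdoor the only known route is t
    sequential squarings (the repeated squaring assumption)."""
    y = pz["x"]
    for _ in range(pz["t"]):
        y = y * y % N
    return _xor(pz["c"], _pad(y, len(pz["c"])))

def tc_commit(msg: bytes, t: int) -> tuple:
    """Naive timed commitment: a hash commitment to (msg || r) plus a TLP that
    holds the opening. Returns (public commitment, private opening)."""
    assert len(msg) <= 32 - R_LEN
    opening = msg + secrets.token_bytes(R_LEN)
    com = {"h": hashlib.sha256(opening).digest(), "puzzle": gen_puzzle(opening, t)}
    return com, opening

def tc_verify(com: dict, opening: bytes) -> bool:
    """Public check of an opening, whether sent by the sender or forced."""
    return hashlib.sha256(opening).digest() == com["h"]

def tc_force_open(com: dict) -> Optional[bytes]:
    """After t squarings anyone recovers the opening. A cheating sender can
    seal garbage behind a valid hash; that is only noticed here, after the
    time-t work, which is the well-formedness gap the paper's commit-and-prove
    step closes. Returns None when the forced opening does not match h."""
    opening = solve_puzzle(com["puzzle"])
    return opening if tc_verify(com, opening) else None

def message_of(opening: bytes) -> bytes:
    """Strip the commitment randomness from a verified opening."""
    return opening[:-R_LEN]
```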
Key Terms:
Timed Commitment (TC): A cryptographic primitive that allows a sender to commit to a message in such a way that the message remains hidden for a specified amount of time, after which it can be efficiently opened by anyone.
Time-Lock Puzzle (TLP): A cryptographic puzzle that takes a specified amount of time to solve, even with parallel computation.
Quasi-Publicly Verifiable TLP (QPV-TLP): A relaxation of publicly verifiable TLPs where the receiver can produce a convincing proof of a solution's correctness only if the puzzle is well-formed.
Black-Box Construction: A construction that uses a cryptographic primitive as a "black box," meaning that it only relies on the primitive's input-output behavior and not on its internal workings.
Repeated Squaring Assumption: The assumption that it is hard to compute repeated squarings in a group of unknown order faster than performing the squarings sequentially.
Commit-and-Prove System: A cryptographic protocol that allows a party to commit to a value and then prove a statement about that value in zero-knowledge.
MPC-in-the-Head: A technique for constructing zero-knowledge proofs by simulating a secure multi-party computation (MPC) protocol in the prover's head.
Post-Quantum Secure: A cryptographic scheme that is believed to be secure against attacks by quantum computers.
Indistinguishability Obfuscation (iO): A powerful cryptographic primitive that allows one to obfuscate a program in such a way that it is indistinguishable from any other program with the same functionality.
Non-Parallelizing Languages: Languages for which there is no algorithm that can decide the language significantly faster by using parallelism.
Circular Small-Secret LWE: A variant of the Learning With Errors (LWE) problem that is believed to be hard even for quantum computers.
Honest-Verifier Zero-Knowledge: A zero-knowledge proof where the simulator only needs to simulate the view of an honest verifier.
Statistical/Computational Binding/Hiding: Security properties of commitment schemes. Statistical binding/hiding means that the property holds even against computationally unbounded adversaries, while computational binding/hiding means that it holds against computationally bounded adversaries.
Well-Formedness: A property of TCs that guarantees that if the commit phase terminates successfully, the commitment can be force-opened in time t.
Public Verifiability: A property of TCs that allows anyone to verify the correctness of a forced opening, given the transcript of the commit phase.
Falsifiable Assumption: An assumption that can be disproven by an efficient algorithm if it is false.
Succinct Non-Interactive Argument (SNARG): A non-interactive proof system where the proof size is much smaller than the size of the statement being proven.
(Non-)Malleability: A security property of cryptographic schemes that guarantees that an adversary cannot modify a ciphertext (or commitment) in a meaningful way without knowing the underlying plaintext (or committed value).
CCA-Security: A strong security notion for encryption schemes that guarantees security even if the adversary has access to a decryption oracle.
Homomorphic Properties: Properties of cryptographic schemes that allow computations to be performed on encrypted data without decrypting it.
(Worst-Case) Non-Parallelizing Languages: Languages for which there is no algorithm that can decide the language significantly faster by using parallelism (in the worst case).
Succinct Randomized Encodings: A way to encode an input and a function into a randomized encoding such that the output of the function on the input can be efficiently computed from the encoding, but the encoding reveals nothing else about the input or the function.
Trapdoor VDFs: Verifiable delay functions that have a trapdoor that allows for faster evaluation.
Random Oracle Model: A theoretical model where a cryptographic hash function is treated as a truly random function.
UC Framework: A framework for defining and proving the security of cryptographic protocols in a composable way.
State-Preserving Succinct Arguments of Knowledge: Succinct arguments of knowledge where the extraction process does not significantly disturb the prover's state.
(Quasi) Publicly Verifiable Time-Lock Puzzles (PV-TLPs/QPV-TLPs): Time-lock puzzles where anyone can verify the correctness of a solution (or, in the case of QPV-TLPs, the receiver can produce a convincing proof of correctness if the puzzle is well-formed).
One-Sided PV-TLPs: A variant of PV-TLPs where proofs are accepting even for malformed puzzles.
Extractable Commitments: Commitment schemes where there exists an efficient extractor that can extract the committed value from a successful commitment.
Over-Extraction: A phenomenon in extractable commitments where the extractor may output an arbitrary value if the commitment is invalid.
Weakly Extractable Commitments: Extractable commitments where the extraction can fail with a certain probability.

Approach:
1. Outline of Research Methodology:
The authors introduce a new primitive called a quasi-publicly verifiable time-lock puzzle (QPV-TLP).
They show how to construct a QPV-TLP from any standard TLP in a black-box way.
They construct a new timed commitment (TC) scheme using a generic QPV-TLP, a non-interactive statistically binding commitment scheme, and a secure 3-party MPC protocol.
They prove the security of their construction, including binding, t-hiding, public verifiability, and well-formedness.
They analyze the efficiency of their construction and compare it to existing TC schemes.
They show how to achieve full t-hiding by using a two-round statistically hiding commitment scheme.
They discuss how to achieve a more efficient force-open procedure by leveraging the properties of QPV-TLPs.
They show that their construction can be based on the minimal assumption of non-parallelizing languages when the well-formedness guarantee is weakened to computational.
They show that their construction is plausibly post-quantum secure when instantiated with a specific TLP based on the circular small-secret LWE problem.

2. Problem-Solving Techniques:
Quasi-Public Verifiability: Instead of requiring full public verifiability of the underlying TLP, the authors introduce the notion of QPV-TLPs, which only requires the receiver to be able to produce a convincing proof of correctness if the puzzle is well-formed. This relaxation allows them to construct QPV-TLPs from any TLP.
Black-Box Construction: The construction of the TC from QPV-TLPs is black-box, meaning that it only relies on the input-output behavior of the QPV-TLP and does not need to access its internal workings. This allows for greater generality and modularity.
Commit-and-Prove System: The authors use a commit-and-prove system based on MPC-in-the-head to ensure that the sender commits to the same message in multiple parallel executions of the TLP. This is crucial for achieving statistical binding and well-formedness.
Honest-Verifier ZK to Full ZK: The authors show how to transform their honest-verifier zero-knowledge TC into a fully zero-knowledge TC by using a technique of Goldreich and Kahan [GK96] that involves having the receiver commit to its random challenges.
State-Preserving Succinct Arguments: To strengthen the security against quantum adversaries, the authors use state-preserving succinct arguments of knowledge from [LMS21].
MPC-in-the-Head: This technique is used to construct a commit-and-prove system that allows the sender to prove that it has committed to the same message across multiple parallel executions of the TLP.
The MPC protocol is used to evaluate a predicate that checks the consistency of the committed values.
Collapsing Hash Functions: Used in the construction of succinct non-interactive arguments in the quantum random oracle model.
Fully Homomorphic Encryption (FHE): Used in a variant of the main construction to achieve public-coin properties and reduce the round complexity.
Indistinguishability Obfuscation (iO): Used in the construction of succinct key generation for the underlying TCFs, and also relied upon by the assumption of non-parallelizing languages.
Puncturable PRFs: Used in the construction of succinct key generation.
Fiat-Shamir Transform: Used to make the interactive protocol non-interactive in the quantum random oracle model.
Rejection Sampling: Used in the security proof to argue about the distribution of values in the commitment phase.

Results and Evaluation:
1. Key Findings:
Timed commitments (TCs) can be constructed in a black-box manner from any time-lock puzzle (TLP), assuming also one-way permutations and collision-resistant hashing.
Quasi-publicly verifiable TLPs (QPV-TLPs) are a useful intermediate primitive for constructing TCs and can be built from any TLP.
The proposed TC scheme achieves statistical binding, well-formedness, and public verifiability against unbounded adversaries.
The TC scheme is honest-receiver t-hiding, and this can be upgraded to full t-hiding using standard techniques.
The construction can be instantiated with a plausibly post-quantum secure TLP, resulting in the first plausibly post-quantum secure TC.
The construction can be based on the minimal assumption of non-parallelizing languages when the well-formedness guarantee is weakened to computational.

2. Quantitative Results:
The commit phase of the main construction is a five-round protocol.
The force-open procedure takes time t · poly(λ), where t is the time parameter of the TC.
The verification of a forced opening takes time poly(log t, λ).
The efficiency of the construction depends on the efficiency of the underlying TLP, the MPC protocol, and the commitment schemes used.

3. Notable Achievements:
The first black-box construction of TCs from generic TLPs.
The introduction of the QPV-TLP primitive and a generic construction from any TLP.
The first TC whose timed security can be based on the minimal assumption of non-parallelizing languages.
The first plausibly post-quantum secure TC.
A modular and general framework for constructing TCs with strong security properties.

Practical Deployment and Usability:
Real-World Applicability: Timed commitments have applications in various cryptographic protocols, including sealed-bid auctions, fair multi-party computation, and non-malleable commitments. The proposed construction expands the set of assumptions on which TCs can be based, potentially leading to more practical and secure instantiations.
Practicality and Ease of Use: The practicality of the construction depends on the efficiency of the underlying primitives, such as the TLP, the MPC protocol, and the commitment schemes. While the black-box approach offers modularity, the concrete efficiency needs to be further investigated. The five-round commit phase might be a bottleneck in some applications.
Examples:
Sealed-Bid Auctions: TCs can be used to ensure that bids remain secret until a predetermined time, after which they are all revealed.
Fair Multi-Party Computation: TCs can be used to ensure that parties commit to their inputs before any outputs are revealed, preventing early results from influencing later inputs.
Non-Malleable Commitments: TCs can be used as building blocks for constructing non-malleable commitment schemes.

Limitations, Assumptions, and Caveats:
Efficiency: The construction involves multiple rounds of interaction and relies on relatively heavy cryptographic tools like MPC-in-the-head. The concrete efficiency needs to be analyzed further.
Assumptions: The construction relies on the existence of TLPs, one-way permutations, and collision-resistant hashing. The post-quantum security relies on the circular small-secret LWE assumption and the security of the [AMZ24] TLP.
QPV-TLP Security: The security of the QPV-TLP notion needs to be carefully analyzed, as it is a new primitive introduced in this work.
Black-Box Use of TLP: While the construction is black-box, it still requires the TLP to satisfy certain properties, such as being injective and having a specific structure for the QPV-TLP construction.
Honest-Receiver t-Hiding: The main construction only achieves honest-receiver t-hiding. Full t-hiding is achieved using a generic transformation that adds two rounds to the protocol.
Computational Well-Formedness: The variant based on the minimal assumption of non-parallelizing languages only achieves computational well-formedness, which might not be sufficient for all applications.

Promises and Horizons:
Future Benefits: The work opens up new avenues for constructing TCs from various assumptions and with different efficiency/security trade-offs. It also provides a more modular framework for designing and analyzing TCs.
New Research Areas: The QPV-TLP primitive could be of independent interest and might find applications in other cryptographic protocols. Further research could focus on improving the efficiency of the construction, exploring alternative approaches to achieving public verifiability, and investigating the relationship between TCs and other time-based primitives.
Evolution: Future work could aim to reduce the round complexity of the commit phase, improve the concrete efficiency of the construction, and explore new applications of TCs in various cryptographic settings.

Conflict of Interest:
The authors are affiliated with the IMDEA Software Institute, a research institution. The paper does not mention any specific funding sources.
Potential Biases: As with any academic research, there could be potential biases towards publishing positive results and emphasizing the significance of the findings. However, the paper provides a detailed technical analysis and acknowledges the limitations of the work, suggesting a balanced presentation of the results.

License: CC-BY-SA. Created by HKBH with dyb as a grateful vessel, in mercy.