How to Build a Time Lock Crypto Service based on League of Entropy (drand)

Setting and motivation

We assume the reader to be familiar with the League of Entropy (a.k.a. drand) system but the presentation of our treatment is self-contained. In the following we denote by \( g_1,g_2 \)

the generators of the groups \(G_1,G_2\) of some prime order \(p\) used by LOE, and by \(PK_L\) the public key of LOE that has the form \(PK_L=g_2^{sk_L}\) where \(sk_L\in Z_p\) is the corresponding secret key that is shared by the LOE members. For simplicity, in the following we will often say that at time \(C\) LOE releases a secret key \(SK_C\) whereas we should actually refer to a round number rather than a time. We recall that LOE is a coalition of members who, at each time interval \(C \), release a BLS signature \(\sigma_C=Hash(C)^{SK_L}\), where \(Hash\) is a (standardized hash function) that maps bit strings to points in \(G_1\) (we skip technical details about the actual encodings of \(C \) . This signature is jointly computed in a threshold fashion by the LOE members in a way that a minority of the members cannot obtain the secret key \(SK_L\) (that is shared by the members). To ease our presentation, henceforth we denote by \(SK_C\) the signature \(\sigma_C\) for time \(C\) and we say that \(SK_C\) is the secret key of LOE for time \(C\) . For the purpose of our treatment, the reader does not need to know the details of the LOE protocol but simply that at each time interval \(C\) the afore-mentioned secret key \(SK_C\) is publicly available.

We want a cryptographic protocol among a set of parties to jointly construct a public key \(PK\) whose corresponding secret key \(sk\) can be publicly computed only at time greater or equal than \(C\) when the secret key \(SK_C\) of LOE for time \(C\) will be made available; here \(C\) is a public input to all parties. The public key \(PK\) should have the form \(g^{sk}\) where \(g\) is the generator of a group of some prime order \(q\), so \(sk \in Z_q\). We look for generic approaches so we consider any kind of prime order group in which the Dlog Assumption holds: that is elliptic curve groups (both bilinear and non-bilinear groups) and multiplicative groups of prime order; later on we will also cover a specific RSA setting. This public key \(PK\) can be then used for encryption using any encryption scheme defined over the group generated by \(g\) (later on we will also discuss other applications to digital signatures and zero-knowledge proofs).

Observe that this problem, though related, is independent from the recently proposed timelock encryption primitive. Indeed, a user Alice can use the public key \(PK \), that was part of the output of an execution of the TLCS protocol for time \(C \), to encrypt measages without specifying any time and only performing cryptographic operations related to the group generated by \(g\) . After time \(C \), using \(SK_C\) and the transcript of the TLCS protocol anyone (and thus a smart contract) can compute the secret key \(sk\) corresponding to \(PK\). Bob can use \(sk\) to decrypt Alice's messages. Observe that, unlike timelock encryption, here the computations of Alice and Bob are completely independent from the LOE system.

We assume that there is a blockchain on which anyone (or possibly only registered people to avoid DoS) can post data as a mean to generate a public key PK and some related data that can be used by anyone, and so by a smart contract, to obtain the corresponding secret key \(sk\) at time \(C \) .

Additionally, we want that there is a committee of members that anyone can freely join, that is the set of participants in a particular execution of the protocol is not fixed, and we want the protocol to require just one message of interaction from each participant (assuming a perfect broadcast channel like a blockchain).