Show HN: Timelock.dev – Send a secret into the future using timelock encryption

> (on one core, it's not parallelizable)

Why is that? From what I see on Wikipedia ("n is a specific 616-digit (or 2048-bit) integer that is the product of two large primes (which are not given)" sounds like a textbook RSA public key), it's an offline brute force challenge, a guessing game, so different computers (or cores) could independently take different slices of the guessing space. I will admit that prime factorization is one of my weak spots and I'll just resort to a few minutes of running pari-gp for that, since I know it uses some algorithm that is much better than brute force (it was orders of magnitude faster than alternatives for a CTF challenge involving a 512-bit RSA key).

Even if the factorization process' time spent is dominated by finding the next prime to try, rather than testing a prime for correctness for example, why couldn't you start anywhere in the 2048-bit space and find the next primes from there? Is there something you can use from the ciphertext that makes you need to start at a certain point and generate (single core) from there onwards? It sounds like the holy grail for key strengthening without memory trade-off options like scrypt and argon2 both struggle with

> there’s no way to measure time directly. It clearly exists, yet all you can measure is change of things besides time.

If it can't be measured then it can't be said to clearly exist.

Imagine a cellular automata where particles have lots of "slots" that could be used for moving or interacting. As the particle speeds up and more slots are used for moving, there are fewer slots for the kind of interaction change that we use to measure time. At the highest speed, with all possible slots used for motion, the particle would experience no change, which is indistinguishable from no time passing.

Does that sound familiar to anything? It's certainly possible that light being a speed limit, time dilation, relativity, and so on are in some way actually describing change rather than time.

What about time crystals? https://en.wikipedia.org/wiki/Time_crystal

>Timelock puzzles and blockchain are imo hacky solutions to one of the most important outstanding problems in cryptography: securely and trustlessly agreeing on elapsed time.

Digital cryptography will always being a cat and mouse. DES, RSA, Elliptic curve... With intro of quantum computing, it will just fasten up the pace. Some government has start experimenting with quantum entanglement (https://apnews.com/article/china-google-justice-department-6...)

It is all about your threat model. Even that I'm sure someday some smart guy will also figure out how to figure out how to beat that.

On human scale, is this a real problem? Consensus gives us the ability to measure elapsed time with a high probability. It seems kind of analogous how fundamental particles are probability fields. That means that in theory a baseball could teleport. But because a baseball is big spontaneous teleportation is not a real concern for anyone.

What you just wrote reminds me of the song Secrets From the Future by MC Frontalot.

> You can’t hide secrets from the future with math

> You can try, but I bet that in the future they laugh

> At the half-assed schemes and algorithms amassed

> To enforce cryptographs in the past

It's also tough to find good algorithms where you can't just spend double to half the time until it unlocks.

The problem with "feasible" is that the time precision is poor. Feasibility is modulated by the value of the secret. If the secret exposes $1 billion in value, people will happily throw $100 million worth of compute at it.

I'm not an expert on DeFi but could we do something more time-precise using the Ethereum blockchain and a smart contract?

That's an interesting idea. Similarly, you could make a sort of quantum time capsule by encrypting a blob of data with RSA or ECC and publishing the cyphertext alongside the public key. You could even adjust the key size depending on how powerful you want the quantum computer that decrypts it to be.

If I'm understanding the Drand protocol correctly, then isn't the following quote from the Cloudflare blog misleading?

> Each organization contributes its own unique source of randomness into the joint pool of entropy used to seed the drand network – with Cloudflare using randomness from LavaRand, of course!

It leads you to think that the each round's random value comes from "combining" local sources of entropy that each node contributes, but skimming the actual Drand protocol used, isn't it closer to something like using AES-CTR as a PRNG, except instead of AES it's some particular threshold-signature scheme. From another cloudflare post

>To instantiate the required threshold signature scheme, drand uses the (t,n)-BLS signature scheme of Boneh, Lynn and Shacham. In particular, we can instantiate this scheme in the elliptic curve setting using Barreto-Naehrig curves. Moreover, the BLS signature scheme outputs sufficiently large signatures that are randomly distributed, giving them enough entropy to be sources of randomness. Specifically the signatures are randomly distributed over 64 bytes.

So "real-world randomness" only is mixed in during the very initial distributed key generation phase, and after that everything is purely deterministic right? Or put another way those fancy lava lamps are a non-sequitur since this scheme doesn't seem to rely on their values beyond the initial key generation?

It's funny just thinking about it. Because if you are not depending on a third-party, then you are depending on yourself only. Which means that once you encrypt something hoping that you won't be able to decrypt for some amount of time, you accept that changing of the time has something to do with the decryption of your encrypted message. Since you can certainly know how much of time should be pass, you can't keep secrets from yourself right?

So, in a sense, in my opinion, if you want to encrypt a message and send it to someone and make it timelocked without a third-party, you might as well just keep the message secret until the desired amount of time has passed and just give it to him.

Yes, essentially. However, the 'pinky-promisers' are large, well-funded, geographically distributed organizations that have strong incentives, both in terms of reputation and operations, to keep their promise

That's a good point. Not sure how to do that right now

VDF/sequential-PoW stops being interesting once you notice that efficient hardware implementations can beat CPU implementations by 6-10 orders of magnitude, depending on the work function.

hrm. I was going to say it's extremely wasteful, but since it's sequential I guess you're only burning one core. There's no computational arms race like with blockchain PoW.

How does the math work? The decryption key is some kind of exponentiation you can compute directly with a trapdoor, but without the trapdoor you have to repeatedly multiply instead?

Chia ran a contest for those:

https://news.ycombinator.com/item?id=18437659

I'm not sure how intensive the "backend" is, but I've found stuff like workers to be economically efficient only for hobby tier projects.

I operate a BitTorrent tracker I wrote for fun, and it receives around ~1500req/s (100mil+ a day)

This would be ~US$18/day with CF workers, but costs me €3.8/mo on my VPS

The solution in that paper does require third parties, except the parties are unknown, the amount of parties is unknown, and the system breaks down if insufficient people are interested in running the chain.

I’m really not convinced that solution is better is any way. If your adversary has the resources to coerce the “leave of entropy” in the OP, cracking that blockchain implementation will be trivial.

Some people do timelock encryption by using weak cryptography that's expected to be broken in a planned amount of time, but this project isn't doing that. It uses modern cryptography to encrypt some data to a set of public keys so that 18 of 22 nodes have to cooperate to decrypt it. Anything encrypted with modern cryptography isn't expected to be crackable in under millions of years.

Their design has the benefit over yours that people don't need to send data to peers in order to timelock some data. The timelock only needs to be sent to the peers for decryption.

You can run the decryption locally. The code is on git. The bigger concern is that the League of Entropy will disband and delete their keys permanently.

I have that problem with the whole internet these days.

ICANN is a cancer.

Death, for example

I used the very same mechanics (without the encryption, though) for lockmeout.online - for digital health/digital wellbeing to lock yourself out of your phone or addictive online accounts for a while.

There is no decentralized algorithm for timelock encryption. No such scheme exists. Distributed is the best you're going to get without a radical breakthrough, and that's exactly what TFA is.

HTLC would do the same in a distributed and trustless fashion and yet it's important to know League of Entropy is a bunch of distributed crypto organizations like Chainsafe or the Ethereum Foundation.

The spacecraft should generate the key pairs itself once it landed and send the public keys to earth to be sure no human stole the private keys.

But, while fun, your idea is not that stupid.

If the spacecraft continuously generate key pairs, you could even avoid landing it and "just" throw it in some direction, Voyager style (if you can afford rebuilding some every few decades) or on some orbit in the solar system. You don’t have to pay for the landing tech.

I wouldn’t even be surprised that this could be viable economically. It doesn’t sound that much technologically difficult

> Inspired by the TOR network.

Because it has such high delays? Basically revealing the information which the onion service or exit node encrypted for you only after, potentially, a few trips around the globe?

That makes me think this can be achieved without spacecraft, by just having geographically distributed private keys (even just a few kilometers; you just need the light delays to dominate over processing delays).

And I don't think you need more than two keys: if you wrap it in A(B(A(B(message)))), then party B cannot work on the first layer but first needs to send it to A, party A cannot decrypt the second layer but first needs to sent it back to B, etc. One of the parties could be your recipient, so that would also work with an expensive one-off spacecraft.

> land on the surface a distant body in the solar system

landing is a lot more difficult than staying in Neptune's orbit (notice how many moon-bound spacecraft crashed, even only in recent years!); you'll get the same characteristics by just going out to a desired orbit.

Also note that the amount of delay between Earth and <your orbit, such as Neptune's> will vary wildly

Wouldn't landing a spacecraft next to the first one allow you to decrypt messages in essentially one round trip time? So if you had a message on earth timed locked for 100 years you could transmit it your your own spacecraft next to the decrypting spacecraft and it could almost immediately get through all layers of encryption and send you back the decrypted message.

So encryption is a fixed-time operation, requiring a single round-trip to the spacecraft. There is another time-delay at decryption, quantized into round-trip times; the minimum decryption delay is one round-trip. For a moon of Neptune, a round-trip is about 9 hours(?).

If I want my secret exposed in 20 years, I will need to wrap it in 18,000 layers of encryption, and then start the decryption process immediately.

The duration of one decryption step depends on the distance to the spaceship; it would be difficult (but not impossible?) to rely on a spaceship whose distance is always changing. It needs to be somewhere faraway, and also to be somewhere that's always going to be roughly the same distance away. A moon of Neptune is a reasonable candidate.

Frist, should probably put the ship on a solar escape trajectory, so that physically intercepting it would be more difficult with time, and likely require a technological leap to accomplish. It would also be nice to have the ship on a trajectory as far away from the plane of the ecliptic as you can, to minimize occlusion and time variation based on the earth's orbit.

Next, instead of pre-seeding the ship with keys, you have it generate them (using its RTG for both power and a source of entropy) and send them back to earth at a fixed rate, possibly with the size of the keys increasing over time.

On earth, when you want to encrypt a payload to be decrypted at a future date, you calculate how many round trips it would require, then encrypt the data with that many keys from the stream, interleaved with keys generated locally. As the time will unlikely be an exact round trip time (which is ever-increasing), each end can delay the decrypt and re-transmission for some proportion of the remaining time.

> Generate a large number of named public/private keypairs and put the private keys on a spacecraft

I suppose, more practically, you could just put the private key in an envelope and bury it deep in a shipping container with a destination across the ocean. While in transit it's pretty damn hard to get to it.

This is a really cool idea using fundamental properties of physics but I don't think it works.

If the spacecraft is trusted by the person with the secret, it's much simpler to instruct the spacecraft to only disclose the secret after a set date. You don't seem to gain anything from the carded complexity.

If the spacecraft isn't trusted, there's nothing it stopping it disclosing all the key pairs at once.

I think the best bet at the moment is something like Rivest-Shamir-Wagner time lock puzzles, which requires a fixed number of sequential computations to perform.

> Send the spacecraft to land on the surface a distant body in the solar system, such as one of the moons of Neptune.

The economics of your proposal strike me as a tad weak at the knee.

No it requires a threshold of 12 out of 18 keys to be acquired by an attacker. Jurisdictional resilience is the standard technique for preventing this kind of attack--e.g. having operators in the USA, Russia, Japan, Israel, Europe, South America, India, Singapore, etc.

Smart contracts operate completely transparently. There is no private data other than the private keys used to sign transactions. Unless you just encrypt the data, then you need a key to access it, and the nodes don’t have that key.

I know a guy that worked on this same problem leveraging TEEs (trusted execution environments). This enables 3rd parties to run the software and join the network and take part without having access to the data. Unless they find a flaw in the TEE that can be exploited.

I'm only vaguely familiar with the concept of smart contracts, but from what I understand I can't see how it'd fair any better at enabling cryptographic timelocks - the core problem is designing encryption which can't be broken before a set period has passed. The naive approach is requiring to make a scheme which assumes it'll take X amount of time to brute force with Y resources.

That's obviously flawed because you can't constrain an enemies resources, and if the period is long there's plenty of room for improvement of algorithms/hardware which will shorten the time to brute force the scheme.

This only works because we create a scheme which can't reasonably be brute forced by classical means, and a human organization enforces/controls the time period.

In order to create something like that proposed in the posted link with smart contracts, the self contained smart contracts would have to employ a cryptographic timelock themselves. Otherwise, the smart contracts will be dependent on external (human) input, so it's just reinventing the same thing.

Ergh, could you explain how did you come to this conclusion?

> wonder if a smart contract could be useful in this scenario

It could not, at least with the capabilities of EVM or other mainstream smart-contract platform (I don't even thing it would be possible in theory but I may be wrong on this)

Do the trustees have to be known or can they remain fully anonymous ?

In that case, the whole warrant theory isn't the last word.