i-TiRE: Incremental Timed-Release Encryption or How to use Timed-Release Encryption on Blockchains?

Timed-release encryption can encrypt a message to a future time such that it can only be decrypted after that time. Potential applications include sealed bid auctions, scheduled con dential transactions, and digital time capsules. To enable such applications as decentralized smart contracts, we explore how to use timed-release encryption on blockchains. Practical constructions in the literature rely on a trusted server (or servers in a threshold setting), which periodically publishes an epoch-speci c decryption key based on a long-term secret. Their main idea is to model time periods or epochs as identities in an identity-based encryption scheme. However, these schemes su er from a fatal aw: an epoch's key does not let us decrypt ciphertexts locked to prior epochs. Paterson and Quaglia [SCN'10] address this concern by having encryption specify a range of epochs when decryption is allowed. However, we are left with an e ciency concern: in each epoch, the server(s) must publish (via a smart contract transaction) a decryption key of size logarithmic in the lifetime (total number of epochs). For instance, on Ethereum, for a modest lifetime spanning 2 years of 1-minute long epochs, a server must spend over $6 in gas fees, every minute; this cost multiplies with the number of servers in a threshold setting. We propose a novel timed-release encryption scheme, where a decryption key, while logarithmic in size, allows incremental updates, wherein a short update key (single group element) is su cient to compute the successive decryption key; our decryption key lets the client decrypt ciphertexts locked to any prior epoch. This leads to signi cant reduction is gas fees, for instance, only$0.30 in the above setting. Moreover, ciphertexts are also compact (logarithmic in the total lifetime), and encryption and decryption are on the order of few milliseconds. Furthermore, we decentralize the trust among a number of servers, so as to tolerate up to a threshold number of (malicious) corruptions. Our construction is based on bilinear pairing, and adapts ideas from Canetti et al.'s binary tree encryption [Eurocypt 2003] and Naor et al. 's distributed pseudorandom functions [Eurocrypt 1999].