Paper 2021/800

i-TiRE: Incremental Timed-Release Encryption or How to use Timed-Release Encryption on Blockchains?

Leemon Baird, Swirlds Labs
Pratyay Mukherjee, Swirlds Labs
Rohit Sinha, Swirlds Labs

Timed-release encryption can encrypt a message to a future time such that it can only be decrypted after that time. Potential applications include sealed bid auctions, scheduled confidential transactions, and digital time capsules. To enable such applications as decentralized smart contracts, we explore how to use timed-release encryption on blockchains. Practical constructions in literature rely on a trusted server (or servers in a threshold setting), which periodically publishes an epoch-specific decryption key based on a long-term secret. Their main idea is to model time periods or epochs as identities in an identity-based encryption scheme. However, these schemes suffer from a fatal flaw: an epoch’s key does not let us decrypt ciphertexts locked to prior epochs. Paterson and Quaglia [SCN'10] address this concern by having encryption specify a range of epochs when decryption is allowed. However, we are left with an efficiency concern: in each epoch, the server(s) must publish (via a smart contract transaction) a decryption key of size logarithmic in the lifetime (total number of epochs). For instance, on Ethereum, for a modest lifetime spanning 2 years of 1-minute long epochs, a server must spend over \$6 in gas fees, every minute; this cost multiplies with the number of servers in a threshold setting. We propose a novel timed-release encryption scheme, where a decryption key, while logarithmic in size, allows incremental updates, wherein a short update key (single group element) is sufficient to compute the successive decryption key; our decryption key lets the client decrypt ciphertexts locked to any prior epoch. This leads to significant reduction is gas fees, for instance, only \$0.30 in the above setting. Moreover, ciphertexts are also compact (logarithmic in the total lifetime), and encryption and decryption are on the order of few milliseconds. Furthermore, we decentralize the trust among a number of servers, so as to tolerate up to a threshold number of (malicious) corruptions. Our construction is based on bilinear pairing, and adapts ideas from Canetti et al.'s binary tree encryption [Eurocypt 2003] and Naor et al.'s distributed pseudorandom functions [Eurocrypt 1999].

Note: Updated with expanded related work section and an alternative scheme using any IBE (see Section-8).

Available format(s)
Public-key cryptography
Publication info
Published elsewhere. ACM CCS 2022
timed-release encryption threshold cryptography
Contact author(s)
leemon @ swirldslabs com
pratyay85 @ gmail com
sinharo @ gmail com
2022-09-06: last of 3 revisions
2021-06-14: received
See all versions
Short URL
Creative Commons Attribution


      author = {Leemon Baird and Pratyay Mukherjee and Rohit Sinha},
      title = {i-TiRE: Incremental Timed-Release Encryption or How to use Timed-Release Encryption on Blockchains?},
      howpublished = {Cryptology ePrint Archive, Paper 2021/800},
      year = {2021},
      doi = {10.1145/3548606.3560704},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.