Research Summary: I Told You Tomorrow: Practical Time-Locked Secrets using Smart Contracts

TLDR:

The Time-Lock (TL) implementation within a smart contract is achieved by distributing a secret to multiple parties, punishing them for revealing their share before disclosure time, and rewarding them for acting in accordance with the commitment. This is an innovative approach as it does not rely on trusting individuals, and can be executed cost-effectively with respect to time, memory, and gas.

Citation

  • Enrico Bacis, Dario Facchinetti, Marco Guarnieri, Marco Rosa, Matthew Rossi, and Stefano Paraboschi. 2021. I Told You Tomorrow: Practical Time-Locked Secrets using Smart Contracts. In The 16th International Conference on Availability, Reliability and Security (ARES 2021). Association for Computing Machinery, New York, NY, USA, Article 17, 1–10. DOI:https://doi.org/10.1145/3465481.3465765

Core Research Question

  • What are the practical steps toward creating a decentralized time-lock service?

Background

  • A Time-Lock (TL) is a way to hold a secret and reveal it after a certain point in time. Real-world scenarios include voting for elections, or sealing an inheritance in a will. Without smart contracts, they are achieved by entrusting a third party, such as a notary public.
  • The Bitcoin Lightning Network, for example, runs on Hash Time-Locked Contracts in order to support use cases such as micropayments in Bitcoin.
  • There have been multiple approaches to the creation of payment channels on Ethereum using decentralized Hash Time-Locked services, such as the Raiden Network.
  • Early approaches for the creation of a decentralized TL have tried to estimate the computing power needed to solve a cryptographically-hard problem, but time estimation of future computing power is often not reliable.
  • Secure Multi-Party Computation (sMPC) is a cryptographic protocol that lets several parties jointly compute a function over their inputs while keeping those inputs private.
  • Threshold Cryptography is a field in cryptography that distributes a secret between multiple users, and allows reconstruction only when multiple pieces are combined.

Summary

Overview

The I Told You Tomorrow protocol (ITYT) is a decentralized TL that leverages threshold cryptography, secure Multi-Party Computation framework (sMPC), smart contracts, and the economic hypothesis on rational adversaries.

A rational adversary is a player in game theory, characterized by their rationality: they seek to maximize their interests, and will not hurt others if there is nothing to gain, which would be emotional and irrational. This is the bedrock for game theory analysis and thus this protocol.

ITYT is built on a smart contract, which ensures execution without centralized middlemen. Threshold cryptography and sMPC are the technologies through which the players' actions in the game are carried out.

The Game Setting

The protocol has three roles: the Owner, the Shareholders, and the Whistleblowers.

  • The Owner is responsible for launching the protocol and specifying its parameters, such as the number of other participants (n), the payoff of each action, and the condition under which the secret is retrieved. The protocol splits the secret into n shares, and the secret can only be reconstructed from at least k of them.

  • Shareholders are responsible for keeping their share secret until a given point in time. Otherwise they are punished.

  • Whistleblowers are responsible for reporting Shareholders who leak their share before the final disclosure time. If at least k leaked shares together reveal the secret, a Whistleblower can also report the secret itself, which marks the protocol as failed and deprives all Shareholders of the final reward.
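The threshold property the Game Setting relies on (any k of the n shares recover the secret, k-1 shares do not) can be seen in a small Shamir secret-sharing implementation. This is an added example, not code from the paper or the ITYT project: the prime field, the function names and the sample key are constructed for illustration, and it only shows the threshold cryptography layer, not the sMPC that the paper uses to generate shares without a trusted dealer.

```python
"""Shamir (k, n) threshold secret sharing over a prime field.

Added example, not code from the ITYT paper: any k of the n shares
reconstruct the secret, while k-1 shares are consistent with every
possible secret. The prime and the sample key are constructed values.
"""
import secrets

PRIME = 2**127 - 1  # Mersenne prime; field large enough for a 128-bit key


def split_secret(secret: int, k: int, n: int) -> list[tuple[int, int]]:
    """Split `secret` into n points (x, p(x)) of a random degree-(k-1) polynomial."""
    if not 1 <= k <= n < PRIME:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    # p(0) = secret; the other coefficients are uniformly random, so any k-1
    # points leave the constant term completely undetermined.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner's rule, evaluated mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def reconstruct_secret(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 from a set of distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def demo(k: int = 3, n: int = 5) -> dict:
    """Split a constructed key and try recovery with k and with k-1 shares."""
    secret = int.from_bytes(b"constructed sample key", "big") % PRIME
    shares = split_secret(secret, k, n)
    return {
        "secret": secret,
        "from_k_shares": reconstruct_secret(shares[-k:]),      # any k work
        "from_k_minus_1": reconstruct_secret(shares[:k - 1]),  # wrong value
    }


if __name__ == "__main__":
    r = demo()
    print("recovered with k shares:  ", r["from_k_shares"] == r["secret"])
    print("recovered with k-1 shares:", r["from_k_minus_1"] == r["secret"])
```

Reconstruction with k-1 shares does not fail loudly: it returns a uniformly random-looking field element, which is exactly why a Whistleblower in ITYT needs k leaked shares before the secret itself can be reported as disclosed.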

Design of Payoffs

To make sure there are no loopholes for profiting without following the desired route, the authors discuss the alternatives participants may consider, and how to set the payoffs so that participants are discouraged from taking them.

The protocol parameters used in the discussion below are defined in the paper (Section 3.1 Definitions, page 3).

Misbehaviors from single users

  • To ensure that people will join as Shareholders, the cost of participating B_H must be smaller than the expected reward R_H.
  • The reward for whistleblowing a share W_h must be lower than the cost of participating B_H. Otherwise, a Whistleblower could falsely report a share, collect the reward, and split it with the reported Shareholder.
  • Participants should be incentivized to report an early disclosure of the secret. Therefore, the payoff for reporting the secret when it is revealed before time, W_S, should be larger than the Shareholder reward R_H.
  • Since the Owner is also a participant, the Owner's fee F_O must not exceed the reward for whistleblowing the whole secret, W_S.

Reconstruction of the secret

  • k Shareholders may want to cooperate to reconstruct the secret, profit from it (at a payoff of V), and then whistleblow the leaked secret themselves to collect the reward W_S. To avoid this outcome, keeping the secret and revealing it only after disclosure time must be the better option:

    • k \cdot B_H > V + W_S
  • The opposite strategy should also be prevented: n-k+1 Shareholders might cooperate and withhold their shares so that the secret is never released.

    • (n-k+1) \cdot R_H > V

Abuse of the share whistleblowing

  • A coalition M could submit shares, then whistleblow the secret, and additionally profit from other participants who happen to submit their shares as well. Note: W_{er} is the profit from whistleblowing the shares of other participants.

    • k \cdot B_H > V + W_S + W_{er}
  • However, another coalition M' may want to profit in the same way, taking advantage of the fact that someone else has already revealed shares.

    • Coalition M does not want this to happen, so it needs to limit the number of shares it discloses. j_a^o is the optimal number of shares to whistleblow so that M' cannot end up with a positive payoff.

    • j^{o}_{a} = \max_{i} \left\{ i \mid (k - i) \cdot B_H > V + W_S, \ i \in 1, \dots, k - 1 \right\}

    • j_b^o is the optimal number of shares to recover if no coalition other than M is capable of recovering the secret.

    • j^{o}_{b} = \max \left\{ 2k-n-1;\ j^{o}_{a} \right\}

Rewards and bonuses

  • The fee paid by the Owner has to cover the rewards:

    • in the case of success:

    • F_O \geq n \cdot (R_H - B_H)

    • and in the case of failure:

    • F_O + n \cdot B_H \geq (k-1) \cdot W_h + W_S
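The inequalities from the three payoff sections above (single-user misbehavior, reconstruction coalitions, and the Owner's fee) can be bundled into one parameter check that an Owner would run before deploying an instance. The following is an added example, not the authors' code: the `Params` fields, `check_params`, `coalition_bounds` and the two sample parameter sets are constructed for illustration; the constraints themselves are the ones stated in the summary, and the j_a^o and j_b^o formulas are evaluated as written there.

```python
"""Incentive-constraint checker for an ITYT parameter set (added example).

Not from the paper: it encodes the inequalities stated in the summary so a
parameter set can be validated before deployment, and evaluates the
coalition bounds j_a^o and j_b^o. The sample values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    n: int       # number of Shareholders
    k: int       # threshold of shares needed to recover the secret
    B_H: float   # Shareholder bid (cost of participating)
    R_H: float   # Shareholder reward on success
    W_h: float   # reward for whistleblowing one share
    W_S: float   # reward for whistleblowing the whole secret
    F_O: float   # Owner's fee
    V: float     # value a coalition extracts from the secret before disclosure
    W_er: float  # extra profit from whistleblowing shares others submitted


def check_params(p: Params) -> list[str]:
    """Return the names of violated constraints (empty list == all hold)."""
    rules = {
        "B_H < R_H (joining pays off)": p.B_H < p.R_H,
        "W_h < B_H (no fake-report collusion)": p.W_h < p.B_H,
        "W_S > R_H (reporting the secret beats the reward)": p.W_S > p.R_H,
        "F_O <= W_S (Owner's fee bounded by W_S)": p.F_O <= p.W_S,
        "k*B_H > V + W_S (k-coalition reconstruction)":
            p.k * p.B_H > p.V + p.W_S,
        "(n-k+1)*R_H > V (withholding coalition)":
            (p.n - p.k + 1) * p.R_H > p.V,
        "k*B_H > V + W_S + W_er (coalition plus share whistleblowing)":
            p.k * p.B_H > p.V + p.W_S + p.W_er,
        "F_O >= n*(R_H - B_H) (fee covers success rewards)":
            p.F_O >= p.n * (p.R_H - p.B_H),
        "F_O + n*B_H >= (k-1)*W_h + W_S (pool covers failure payouts)":
            p.F_O + p.n * p.B_H >= (p.k - 1) * p.W_h + p.W_S,
    }
    return [name for name, holds in rules.items() if not holds]


def coalition_bounds(p: Params):
    """j_a^o and j_b^o as defined above; (None, None) if no i satisfies j_a^o."""
    feasible = [i for i in range(1, p.k) if (p.k - i) * p.B_H > p.V + p.W_S]
    if not feasible:
        return None, None   # every disclosure count leaves M' a positive payoff
    j_a = max(feasible)
    j_b = max(2 * p.k - p.n - 1, j_a)
    return j_a, j_b


# Constructed sample parameter sets: GOOD satisfies every rule, BAD sets the
# share-whistleblowing reward above the bid, which enables fake reports.
GOOD = Params(n=5, k=3, B_H=200, R_H=220, W_h=50, W_S=230, F_O=150, V=100, W_er=50)
BAD = Params(n=5, k=3, B_H=200, R_H=220, W_h=250, W_S=230, F_O=150, V=100, W_er=50)

if __name__ == "__main__":
    for label, p in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, "violations:", check_params(p) or "none",
              "| j_a^o, j_b^o =", coalition_bounds(p))
```

With GOOD, j_a^o comes out as 1: a coalition of k=3 that discloses two shares would leave a single outsider able to complete the secret at a net gain, so only one share can be disclosed safely. A `(None, None)` result from `coalition_bounds` means the bids are too small relative to V + W_S for any disclosure to be safe, which is a sign the parameter set should be revised even if `check_params` passes.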

Smart contract implementation

A finite-state machine is used to represent the different states of the protocol:

  • setup: Owner deploys the contract for the Shareholders to subscribe
  • share generation: splitting the secret and getting ready for activation
  • activation: Owner finalizes the contract, Shareholders confirm, and from this point on the economic penalties apply if misbehavior occurs
  • lock: Shareholders keep their secrets, and Whistleblowers do their duty
  • termination: the secret is finally disclosed, the TL either fails or succeeds

It is worth noting that share generation is implemented by the sMPC mentioned in the first section.
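To make the state machine and the money flow concrete, the following is an added example, not the paper's Solidity contract: a Python model of the five states above driven against an in-memory ledger, so the success and failure payoffs can be traced. Everything the summary leaves open is an assumption here: shares and the secret are bound by SHA-256 commitments that a Whistleblower opens, time is an integer counter, unspent escrow simply stays in the contract, and the threshold k only matters in the off-chain share generation, which this model does not reproduce. All names, amounts and byte strings are constructed.

```python
# Added example, not the paper's contract. Assumed here: SHA-256 commitments
# bind shares and the secret, time is an integer counter, unspent escrow stays.
import hashlib
from enum import Enum, auto

class State(Enum):
    SETUP = auto()
    SHARE_GENERATION = auto()
    ACTIVATION = auto()
    LOCK = auto()
    TERMINATION = auto()

def commit(data: bytes) -> str:   # hash commitment, an assumed mechanism
    return hashlib.sha256(data).hexdigest()

class TimeLockContract:
    def __init__(self, owner, n, B_H, R_H, W_h, W_S, F_O, disclosure_time):
        self.state, self.owner, self.n = State.SETUP, owner, n
        self.B_H, self.R_H, self.W_h, self.W_S = B_H, R_H, W_h, W_S
        self.disclosure_time = disclosure_time
        self.escrow, self.balance = F_O, {owner: -F_O}       # fee locked at deployment
        self.commitments, self.secret_commitment = {}, None  # holder -> commitment
        self.confirmed, self.slashed, self.failed = set(), set(), False

    def _require(self, cond, msg):
        if not cond:
            raise RuntimeError(msg)

    def _pay(self, who, amount):          # negative amount == deposit into escrow
        self.escrow -= amount
        self.balance[who] = self.balance.get(who, 0) + amount

    # setup: Shareholders subscribe by locking the bid B_H
    def subscribe(self, who):
        self._require(self.state is State.SETUP, "not in setup")
        self._require(who not in self.commitments and len(self.commitments) < self.n, "no seat")
        self.commitments[who] = None
        self._pay(who, -self.B_H)

    # share generation: Owner closes subscriptions; the shares come from the
    # off-chain sMPC run and the contract only learns their commitments
    def finalize(self, who):
        self._require(who == self.owner and self.state is State.SETUP, "Owner only, in setup")
        self._require(len(self.commitments) == self.n, "need n Shareholders")
        self.state = State.SHARE_GENERATION

    def register(self, share_commitments, secret_commitment):
        self._require(self.state is State.SHARE_GENERATION, "not generating shares")
        self._require(set(share_commitments) == set(self.commitments), "wrong holders")
        self.commitments, self.secret_commitment = dict(share_commitments), secret_commitment
        self.state = State.ACTIVATION

    # activation: once every Shareholder has confirmed, penalties are live
    def confirm(self, who):
        self._require(self.state is State.ACTIVATION and who in self.commitments, "cannot confirm")
        self.confirmed.add(who)
        if self.confirmed == set(self.commitments):
            self.state = State.LOCK

    # lock: opening a leaked share forfeits the holder's B_H and pays W_h
    def report_share(self, whistleblower, holder, share, now):
        self._require(self.state is State.LOCK and now < self.disclosure_time, "not locked")
        self._require(holder not in self.slashed and commit(share) == self.commitments[holder], "no match")
        self.slashed.add(holder)
        self._pay(whistleblower, self.W_h)

    # lock: opening the whole secret early pays W_S and fails the TL
    def report_secret(self, whistleblower, secret, now):
        self._require(self.state is State.LOCK and now < self.disclosure_time, "not locked")
        self._require(commit(secret) == self.secret_commitment, "not the secret")
        self.failed = True
        self._pay(whistleblower, self.W_S)
        self.state = State.TERMINATION     # no Shareholder is rewarded

    # termination: after disclosure time every non-slashed Shareholder gets R_H
    def terminate(self, now):
        self._require(self.state is State.LOCK and now >= self.disclosure_time, "too early")
        for holder in self.commitments:
            if holder not in self.slashed:
                self._pay(holder, self.R_H)
        self.state = State.TERMINATION

def run_scenario(leak: bool):   # one constructed run -> (state, failed, balances, escrow)
    shares = {"alice": b"share-1", "bob": b"share-2", "carol": b"share-3"}
    secret = b"constructed secret"
    c = TimeLockContract("owner", n=3, B_H=200, R_H=220, W_h=50, W_S=230,
                         F_O=150, disclosure_time=100)
    for h in shares:
        c.subscribe(h)
    c.finalize("owner")
    c.register({h: commit(s) for h, s in shares.items()}, commit(secret))
    for h in shares:
        c.confirm(h)
    if leak:   # alice leaks her share; wendy reports it and then the secret
        c.report_share("wendy", "alice", shares["alice"], now=10)
        c.report_secret("wendy", secret, now=11)
    else:
        c.terminate(now=100)
    return c.state, c.failed, dict(c.balance), c.escrow
```

In the success run each Shareholder nets R_H - B_H = 20 and the Owner is out exactly n·(R_H - B_H) = 60 once the 90 left in escrow is accounted for, which is the success-case fee bound from the previous section. In the leak run the reporting Whistleblower collects W_h + W_S = 280, every Shareholder loses the bid, and the 470 that remains in escrow is the slack in the failure-case bound F_O + n·B_H ≥ (k-1)·W_h + W_S.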

Method

Game theory derivation: to make sure the incentives work as intended, the authors derive the rules that incentivize players, both positive incentives (rewards) and negative incentives (penalties), from a game-theoretic analysis.

Experiment: the evaluation consists of deploying and testing the smart contracts, and of simulating the sMPC network protocol. The former estimates the execution cost of each ITYT instance, measured in gas. The latter measures execution time and memory consumption.

Results

Gas cost: the amount of computational effort needed to run on the Ethereum network. The table below shows the gas consumed by each executed ITYT function.

Memory and time consumption: the authors found that sMPC latency grows significantly as the number of participants rises. To address this, they implemented a two-phase sMPC that separates the share generation phase and executes it in bulk for several participants at once. The results are shown in the figure below.

Discussion and Key Takeaways

The authors include a discussion section to show how ITYT prevents unwanted loopholes.

Misbehavior detection

Shareholders could jointly bypass the protocol and recover the secret before disclosure time by reconstructing it without releasing any share or the key, which would leave the Whistleblower nothing to report.

This can be prevented either by using an encryption scheme that is vulnerable to the known-plaintext attack, or by using one that is incompatible with the sMPC setting.

DOS and deadlock prevention

Denial of service and deadlocks are caused by ITYT users who refuse to deposit their bids, to commit, or to correctly execute the sMPC protocol.

This can be prevented by introducing a reputation system. Research has shown that adding a step to the FSM setup phase that asks all participants to deposit a small service pawn, returned only at activation time, can accurately filter out misbehaving users.

Implications and Follow-ups

The authors dedicate a section to discussing related work that uses cryptography to achieve a TL, pointing out the shortcomings of each approach. To name a few:

  • One type of TL entrusts individuals with a private decryption key to release a secret in the future. This breaks as soon as those users misbehave.
  • Time-lock puzzles: as mentioned before, estimates of future computing power can be unreliable, so this is not a practical approach.
  • Early attempts to use smart contracts did not introduce security deposits, nor did they consider misbehavior by coalitions of users.
  • Witness encryption has also been used to create TLs, but it relies on the availability of a witness encryption scheme.

Applicability

The improvements proposed in this paper open the door to applying smart contract TLs with more versatility and fewer limitations, providing a way to seal confidential messages in a trustless manner.

3 Likes

Thanks for the summary! The trustless and distributive time-lock in this paper seems promising. There is a lot to be explored here when it comes to implementation!

I did have a few questions that hopefully we can discuss here. First, it seems like this is a potential solution to “future proof” time-locks. @Larry_Bates summarized research on the potential quantum computing threat to Bitcoin a few months back. The big takeaway from that project to me was that some of the forward-looking security concerns were not as specific as they needed to be nor as worrying. This article isn’t talking about quantum computers, but it did mention the difficulty in estimating future computer power. That left me thinking:

  • How big of a concern are these estimates of future computer power to current time-lock protocols?
  • How well does the ITYT protocol solve this problem?

It also seems like the major advantage here is the distributed and decentralized nature of the protocol. From my understanding here, that is enabled by Threshold Cryptography. Are there some good sources to look into regarding this? Or maybe someone could provide an overview? I know that @Sami_B has been working on literature related to decentralization, so it might be great to have his contributions here also.

3 Likes

Just to add to this conversation:

One of the reasons time-locked smart contracts may be more viable is because “time-warp attacks” had been prevalent early on when blockchain networks were small and easily 51%'ed. As the time-warp attack problem was less likely to occur in a large network, the newer and smaller networks that started to grow took the time-warp attack as a serious threat. The inevitable result would be a time-based locking system that effectively becomes the solution to the time-warp attack.

While the time-warp attack is not as much of a threat to larger networks, a Time-Lock will still prove useful as a means of securing information in smaller networks and eventually larger networks alike.

4 Likes

It’s true that the ITYT protocol is approaching this problem from a different angle. With this direction, the effectiveness of computing power estimation isn’t a remote concern.

As for threshold cryptography, a deep understanding of that field isn’t necessary for reading this paper. ITYT is using it as a practical solution, and the paper maintains its focus on mechanism design.

1 Like

Thanks for joining the conversation by briefing us with a little history of preventing attacks.

To go a little further on the topic you’ve started, I would start by saying that time-locks can still be useful scaling solutions. The Bitcoin lightning network, briefly mentioned in the paper, is a great example.

As we all know, transactions are costly and particularly undesirable if they happen in small quantities frequently. A possible approach to this problem comes from creating a micro-payment channel and finding a more efficient way of settling small payments.

To keep it short, a timelock makes sure that both parties have an agreement before broadcasting a state or settling the balance.

It is the trustless custody that runs with a similar logic behind the ITYT protocol.

5 Likes

I went through the paper, quite an innovative move.
Thanks for the summary.

I’ll have to point out some things.

While cryptographic systems, which are the foundational implementation of ITYT, provide a secure protocol for private data and information and can be applied to different applications, the project builds the level of confidentiality attained by the stakeholders on the incentives and pay-offs, instead of on the value of the information secured.

@Twan points out, as written in the paper, that an agreement of all parties is maintained. It is speculated that the bids from the shareholders, attack costs, and payoff might discourage the shareholders from teaming up to expose the secret.

Although there are preventive measures to prevent bypassing the protocol through sMPC, building the system on the rationality and ‘assumed behaviors’ of shareholders might open subsequent rooms for maneuvering the system in a manner which the whistleblower might not be able to detect. This is feasible, especially if the shareholders figure out that the private data at stake is worth the attack.

3 Likes

Thanks @Twan for this summary! I echo @Nachy in their sentiment of quite an innovative move.

My biggest interest here is why someone would use the ITYT protocol. I’m not sold on the removal of a single-party notary, as the paper mentions, as the primary use case for this. Nor does the assumption of a notary as a single point of failure hold. Notaries are typically incentivized to uphold agreements by the state (and in the US, by the legal consequences), nor do they have anything to gain in cases where they’ve notarized private data (unless they also hold an additional role in the private data, i.e., executor of a will & estate or a relative, but those cases have to be far and few and most likely unreported with low impact and consequences to the public). Notaries are also valuable because of “physical presence”, which cannot be replicated with a remote smart contract that may not be able to verify the true identity (government-defined) of the individuals involved. See national notary standards linked here for context.

As well, notaries have a condition called ‘disqualifying interest’, where they cannot be family members or such relative of the signer. ITYT did not classify who the shareholders cannot be. I think the disqualification here that identity is not important to private information is actually a mischaracterization of the private data or Secret itself.

With that, and looking for use cases in data management systems, I’m not clearly seeing the use cases beyond current use of time-locks in concurrency control of multi-user systems. Is there a use case where private data or algorithms for deployment would need to be secured by a seemingly random or at least reputational group of people?

1 Like