Revocable Quantum Timed-Release Encryption
Journal of the ACM
Timed-release encryption is a kind of encryption scheme that a recipient can decrypt only after a specified amount of time T (assuming that we have a moderately precise estimate of his computing power). A revocable timed-release encryption is one where, before the time T is over, the sender can "give back" the timed-release encryption, provably losing all access to the data. We show that revocable timed-release encryption without trusted parties is possible using quantum cryptography (while
trivially impossible classically). Along the way, we develop two proof techniques in the quantum random oracle model that we believe may have applications also for other protocols. Finally, we also develop another new primitive, unknown recipient encryption, which allows us to send a message to an unknown/unspecified recipient over an insecure network in such a way that at most one recipient will get the message.

F Full proofs: precomputation
G Full proofs: iterated hashing
H Hash-based revocable timed-release encryptions
I Unknown recipient encryption
References
Symbol index
Keyword index

One challenge: The client needs to convince the dealer that the TRE indeed contains a signature on a transaction. I.e., we need a way to prove that a TRE V contains a given value (and the running time of this proof should not depend on T). At least for our constructions (see below), this could be achieved as follows: The client produces a commitment c on the content of the classical inner TRE V_0 and proves that c contains the right content (using a SNARK [BCCT12] so that the verification time does not depend on T). Then client and dealer perform a quantum two-party computation [DNS12] with inputs c, V, and opening information for c, and with dealer outputs V and b where b is a bit indicating whether the message in V satisfies P.
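
The abstract's remark that revocation is trivially impossible classically can be seen in a few lines. The following is an added example, not code from the paper: it builds a toy classical timed-release encryption from iterated SHA-256 and shows that a copy made before the TRE is given back still decrypts. The iterated-hash construction, the toy keystream and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

def iterate_hash(seed, t):
    """Apply SHA-256 t times; step i needs the output of step i-1 (sequential work)."""
    h = seed
    for _ in range(t):
        h = hashlib.sha256(h).digest()
    return h

def keystream(key, n):
    """Toy counter-mode keystream from SHA-256, for this example only."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def tre_encrypt(message, t, seed=None):
    """Publish the seed; hide the message under the t-fold hash of it."""
    seed = seed or secrets.token_bytes(32)
    k = iterate_hash(seed, t)  # note: this toy encryptor also pays t hash steps
    enc_key = hashlib.sha256(b"enc" + k).digest()
    mac_key = hashlib.sha256(b"mac" + k).digest()
    body = bytes(a ^ b for a, b in zip(message, keystream(enc_key, len(message))))
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return {"seed": seed, "t": t, "body": body, "tag": tag}

def tre_decrypt(tre):
    """Redo the t sequential hash steps, then authenticate and decrypt."""
    k = iterate_hash(tre["seed"], tre["t"])
    enc_key = hashlib.sha256(b"enc" + k).digest()
    mac_key = hashlib.sha256(b"mac" + k).digest()
    expected = hmac.new(mac_key, tre["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tre["tag"]):
        raise ValueError("TRE failed authentication")
    return bytes(a ^ b for a, b in zip(tre["body"], keystream(enc_key, len(tre["body"]))))

def classical_revocation_demo(t=20000):
    """Returns (return_is_accepted, message_recovered_from_kept_copy)."""
    issued = tre_encrypt(b"constructed sample secret", t)
    kept_copy = dict(issued)            # the holder duplicates the classical bits
    returned = dict(issued)             # ...and gives back an identical TRE before T
    accepted = (returned == issued)     # nothing in the returned bits reveals the copy
    return accepted, tre_decrypt(kept_copy)

if __name__ == "__main__":
    print(classical_revocation_demo())
```

Because classical bits can be duplicated freely, no check on the returned TRE can establish that access was lost, which is the gap the quantum construction addresses.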