by lucb1e 834 days ago
The only way that I know to encrypt something into the future is generating an N-bit key and hoping someone will go through the trouble of cracking it when that becomes feasible. That involves lots of assumptions (e.g., how computing power develops and how much that person cares).

The website's implementation is this:

> A group of [orgs] holds the keys. There are 18 separate organizations running a total of 22 nodes, with a threshold of 12 needed to release a secret.


What you just wrote reminds me of the song Secrets From the Future by MC Frontalot.

> You can’t hide secrets from the future with math

> You can try, but I bet that in the future they laugh

> At the half-assed schemes and algorithms amassed

> To enforce cryptographs in the past

It's also tough to find good algorithms where you can't just spend double to halve the time until it unlocks.
There aren't many.

The Rivest, Shamir, and Wagner time lock algorithm is an example of one that can't be parallelized.

In theory the NSA and Google can't brute force it much faster than you can on a laptop.
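
An added example, not from the thread, of the Rivest-Shamir-Wagner construction the comment refers to: the creator picks n = p·q and uses the trapdoor φ(n) to compute a^(2^t) mod n cheaply, while anyone without p and q has to perform t modular squarings one after another, each depending on the last. The 64-bit toy modulus, the SHA-256-derived pad, and all function names are assumptions for illustration, not parameters from the paper.

```python
# Added example (not from the thread): toy Rivest-Shamir-Wagner time-lock puzzle.
import random
from hashlib import sha256


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test, adequate for toy-sized moduli."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, top bit set
        if _is_probable_prime(cand):
            return cand


def _key_from(b: int, n: int) -> bytes:
    """Pad derived from the puzzle solution b (assumption: SHA-256 of b's bytes)."""
    return sha256(b.to_bytes((n.bit_length() + 7) // 8, "big")).digest()


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(x ^ k for x, k in zip(data, key))


def make_puzzle(secret: bytes, t: int, modulus_bits: int = 64, seed=None):
    """Creator side. Knowing phi(n) = (p-1)(q-1), the exponent 2^t is reduced
    mod phi(n) first, so the creator does O(log t) work instead of t squarings.
    Returns (public_puzzle, trapdoor). `seed` exists only for reproducible tests."""
    assert len(secret) <= 32, "toy example: one SHA-256 output pads the secret"
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    p = _random_prime(modulus_bits // 2, rng)
    q = _random_prime(modulus_bits // 2, rng)
    while q == p:
        q = _random_prime(modulus_bits // 2, rng)
    n, phi, a = p * q, (p - 1) * (q - 1), 2
    b = pow(a, pow(2, t, phi), n)          # trapdoor shortcut
    puzzle = {"n": n, "a": a, "t": t, "ciphertext": _xor(secret, _key_from(b, n))}
    return puzzle, (p, q)


def solve_puzzle(puzzle: dict) -> bytes:
    """Solver side: t sequential squarings. Each step needs the previous result,
    so adding machines does not shorten the wall-clock time."""
    n, x = puzzle["n"], puzzle["a"]
    for _ in range(puzzle["t"]):
        x = x * x % n
    return _xor(puzzle["ciphertext"], _key_from(x, n))


def open_with_trapdoor(puzzle: dict, p: int, q: int) -> bytes:
    """Anyone holding the factorisation opens the puzzle instantly."""
    phi = (p - 1) * (q - 1)
    b = pow(puzzle["a"], pow(2, puzzle["t"], phi), puzzle["n"])
    return _xor(puzzle["ciphertext"], _key_from(b, puzzle["n"]))


if __name__ == "__main__":
    puz, (p, q) = make_puzzle(b"meet at dawn", t=200_000)
    print(solve_puzzle(puz), open_with_trapdoor(puz, p, q))
```

The asymmetry is the whole point: `open_with_trapdoor` costs a few modular exponentiations regardless of t, while `solve_puzzle` costs t squarings, and no known way exists to split those squarings across cores. A real deployment would use a modulus of thousands of bits and a t calibrated against the fastest known squaring hardware.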

The problem with "feasible" is that the time precision is poor. Feasibility is modulated by the value of the secret. If the secret exposes $1 billion in value, people will happily throw $100 million worth of compute at it.

I'm not an expert on DeFi but could we do something more time-precise using the Ethereum blockchain and a smart contract?

You might be able to implement this same kind of "have N cooperating message-senders that agree to do X at time Y or M of them can prove violation and penalize [probably everyone]", but you still need information that is not available until time Y. People / systems need to hold onto but not reveal that information until that time.

This is basically weaponized (and possibly automated) enforcement of a rule. It's not crypto, it's just "agree to this or you get the lead pipe". Lead pipes are extremely useful and valuable and this is a completely reasonable tradeoff in a huge amount of situations, but it's not a true barrier.

To get around the lead pipe requirement, you need some kind of data that exists but is technologically or physically inaccessible until time Y. Ethereum has no primitives like that because nobody has primitives like that. About the closest you get is to say "crack this public key to get the reward" and, yea, that's effectively time-lock encryption (it'll take Y years with all the hardware in the world so it's "locked" for at least that long at 99% confidence or something) but nobody really considers it "time locked" unless you are intentionally designing a key to take Y time under Z hardware assumptions (which does exist, but a 1-PC-year key takes seconds with enough hardware).

I don't understand the lead pipe analogy. What's up with getting a metal pipe if you don't "agree to keep this secret"?

It's just one of many tools commonly used in the https://xkcd.com/538/ meme.

Oh, it's a way of saying "killed", or at least that something inconvenient will happen for/to you. Got it.

> could we do something more time-precise using the Ethereum blockchain and a smart contract?

I think only if you want a transaction to move forward at a certain time, and are confident that a majority of network members will not conspire to alter your smart contract.

Hiding information in a smart contract: I don't know of a way that could be done, but I'm not up-to-date on this stuff either (I left that scene after Bitcoin outgrew the tech demo phase and became popular as a "so long as a majority keeps buying and holding, everyone's coins are worth insane amounts!" scheme).

You could create a DeFi system not too unlike the one linked in this post: a number of oracles release keys at designated times (use M of N encryption).

The oracles could be financially incentivized to behave properly. E.g. they post a bond, which is confiscated if they don't post a private key on time or if a whistleblower discovers and reports a key early. In return for correct behavior they can earn some fees paid by users of the service.

The financial incentive still flips if the secret's value is sufficiently large, but it would require coordination of many unprincipled oracles.
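
An added example, not from the thread, of the M-of-N key release this comment and the linked site describe: Shamir secret sharing over a prime field, so any M of N oracles can reconstruct the key while fewer than M learn nothing, together with the kind of hash-commitment check a contract could run on a whistleblower's claim that a key leaked early. The field prime, the SHA-256 commitment, and the function names are assumptions for illustration, not the linked project's design.

```python
# Added example (not from the thread): Shamir secret sharing plus a commitment check.
import hashlib
import random
import secrets

PRIME = 2**521 - 1   # Mersenne prime; secrets and shares are elements of GF(PRIME)


def split_secret(secret: int, n: int, m: int, seed=None) -> list:
    """Split `secret` into n shares with threshold m (m <= n).
    The secret is the constant term of a random degree-(m-1) polynomial f;
    share i is the point (i, f(i)). `seed` exists only for reproducible tests."""
    assert 0 <= secret < PRIME and 1 <= m <= n < PRIME
    rand = random.Random(seed).randrange if seed is not None else secrets.randbelow
    coeffs = [secret] + [rand(PRIME) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares: list) -> int:
    """Lagrange interpolation at x = 0. Given fewer than m distinct shares this
    still returns a field element, but one that reveals nothing about the secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def commitment(secret: int) -> str:
    """Public commitment to the full key, posted before the release time."""
    return hashlib.sha256(secret.to_bytes(66, "big")).hexdigest()


def valid_whistleblow(commit_hex: str, claimed_secret: int, now: int, release_time: int) -> bool:
    """What a contract can check without holding the key itself: the claim
    reproduces the committed secret, and it arrives before the release time."""
    return now < release_time and commitment(claimed_secret) == commit_hex


if __name__ == "__main__":
    key = int.from_bytes(secrets.token_bytes(32), "big")
    shares = split_secret(key, n=22, m=12)             # the 12-of-22 split from the post
    assert recover_secret(shares[5:17]) == key
    print("recovered from any 12 of 22 shares; commitment:", commitment(key)[:16], "...")
```

The commitment is what makes a false report impossible: a whistleblower who does not actually hold the reconstructed key cannot produce a value whose hash matches. It does nothing, however, about the problem raised above of the oracles themselves colluding, since twelve honest-looking shares are still enough to reconstruct.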

The problem with whistleblowers is that now the entire system's security is transferred to them. Whistleblowers can also be bribed to blow whistles early or not blow whistles.

Here's another idea. Bitcoin has a halving, right? Somehow the entire system has agreed to halve at a certain time, and not halve early or halve late? How does this work? Can we utilize this time agreement somehow? Can it be incorporated into an algorithmic whistleblower, whereby (a) N people each know 1/N of the key (b) if anyone demonstrates that they know the answer to a question before halving, whistles are blown by a contract and all N people are punished (c) after halving, all N people receive a reward?

Anyone can halve at any time, so anyone can "cheat" that by halving immediately.

The reason everyone does it at the same time is because doing it [literally right now] will lead to a history that nobody else agrees is valid (halved at the wrong block number), so any coins you mine on your forked chain will be worthless. There's a monetary incentive to play by the rules, but absolutely no technical requirement.

Bitcoin's primary achievement (IMO but it's fairly common) is that it managed to design a technological system that encourages playing by the rules. Cheating always pays worse than playing along, and even trolling only works if you have the majority of all computing power (very expensive), so there's no reason to cheat. But outside the core public key cryptography that handles addresses and proving transactions, and the "proof of work" that basically just limits the speed of everything so there's time for the world to agree on things, there's not really any fundamental crypto involved. Just self-reinforcing social incentives.

(This kind of disagreement is why there's both Bitcoin and Bitcoin Cash. They share a common beginning but branched off some time ago and are now completely separate.)

The whistleblowers are not designated parties, they are just any Ethereum user. They would have a financial incentive for whistleblowing, and they could never falsely whistleblow because the smart contract can check whether they actually have the private key early or not.

Not with Ethereum or a smart contract, because any Ethereum node can simulate any execution of a smart contract.

But it occurred to me that you can sort of do something like this with a proof of work-like algorithm, though the time to solve would still be variable.

Essentially you'd need a network of "miners" and instead of a block, you'd have a node encrypt a message with an encryption key of a set difficulty (decryption key length), based on the target decryption time and the network hash rate (hash rate probably is not the correct term, but I'll use it for conciseness).

The miners would then work to decrypt the data using the knowledge of the key length.

I'm not sure how you would incentivize the miners to work on decrypting it though, and the node which encrypted it would of course have knowledge of the message, so I don't see how this could be used in practice.

In theory if your miners were running something like a tamper-proof secure enclave (I'm not even sure if these truly exist) perhaps there's a way to attest their own hashrate, and then an encrypted message can be proposed by a node to a subset of miners which collectively have the assumed hashrate. The secret-encrypted data can then be re-encrypted for each miner, with their public key.

This ensures other miners not participating in the challenge can't attempt to decrypt the data.

The problem here is incentivization over a long period of attempting to decrypt the data. You'd have to offer a reward large enough to incentivize the miners to cooperatively work to decrypt the message for the longest possible amount of time it could take to decrypt the message.

edit: I think for this to work you'd first need to encrypt the data for each miner which should participate in the challenge, and then encrypt it with the secret key. That way a miner which solves this can publish the decryption key and the still-encrypted payload, which only they can decrypt, and all the other miners can apply the same solution to verify the published solution and solved message with their own private keys.

edit 2: I suspect there's something potentially useful here, but I don't know enough about secure enclaves to really know if it's feasible to implement in a way that prevents gaming, so if someone knows more about such things, feel free to take the idea and run with it.
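
An added example, not from the thread, of the core of the "decryption mining" idea above: the key length is chosen from a target unlock time and an assumed network key-trial rate, and a miner's job is to search the keyspace. It also shows, in contrast to the sequential-squaring puzzle, why the commenter expects the solve time to be variable and why two miners splitting the keyspace halve it. The SHA-256 keystream, the tag used to recognise the right key, and the function names are assumptions for illustration; the per-miner re-encryption and enclave attestation parts of the proposal are not modelled.

```python
# Added example (not from the thread): brute-force puzzle with a time-derived key length.
import hashlib
import math
import secrets


def key_bits_for(target_seconds: float, keys_per_second: float) -> int:
    """Smallest key length whose expected brute-force cost, half the keyspace
    (2^(bits-1) trials), meets the target at the assumed trial rate."""
    return math.ceil(math.log2(keys_per_second * target_seconds)) + 1


def _keystream(key: int, length: int) -> bytes:
    kb = key.to_bytes(8, "big")
    out = b"".join(hashlib.sha256(kb + i.to_bytes(4, "big")).digest()
                   for i in range(math.ceil(length / 32)))
    return out[:length]


def _tag(key: int) -> bytes:
    """Published alongside the ciphertext so miners can recognise the right key."""
    return hashlib.sha256(b"tag" + key.to_bytes(8, "big")).digest()


def lock(message: bytes, bits: int, key=None) -> dict:
    """Encrypt with a random `bits`-bit key (a fixed key is accepted for tests)."""
    assert 1 <= bits <= 64
    if key is None:
        key = secrets.randbelow(1 << bits)
    ct = bytes(a ^ b for a, b in zip(message, _keystream(key, len(message))))
    return {"bits": bits, "ciphertext": ct, "tag": _tag(key)}


def crack(puzzle: dict, start: int = 0, stride: int = 1):
    """One miner's slice of the search: keys start, start+stride, start+2*stride, ...
    Returns (key, plaintext, trials) or None if the key is not in this slice."""
    trials = 0
    for key in range(start, 1 << puzzle["bits"], stride):
        trials += 1
        if _tag(key) == puzzle["tag"]:
            ks = _keystream(key, len(puzzle["ciphertext"]))
            return key, bytes(a ^ b for a, b in zip(puzzle["ciphertext"], ks)), trials
    return None


if __name__ == "__main__":
    bits = key_bits_for(target_seconds=1, keys_per_second=200_000)   # tiny demo sizing
    puz = lock(b"release at dawn", bits)
    print("key bits:", bits, "result:", crack(puz))
```

The variance the commenter worries about is visible in `crack`: the key can sit anywhere in the slice, so one run finishes almost immediately and another only after the whole range. Because `start`/`stride` partition the work perfectly, doubling the miners halves the expected time, which is exactly the property the earlier Rivest-Shamir-Wagner discussion was trying to avoid.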

That's an interesting idea. Similarly, you could make a sort of quantum time capsule by encrypting a blob of data with RSA or ECC and publishing the ciphertext alongside the public key. You could even adjust the key size depending on how powerful you want the quantum computer that decrypts it to be.