[cryptography] Timelock: time-release encryption incentivised by Bitcoins

Solar Designer solar at openwall.com
Wed Jun 4 21:14:57 EDT 2014

On Wed, Jun 04, 2014 at 09:45:16AM -0400, Peter Todd wrote:
> Create a secret key that can be decrypted in a known amount of time
> using parallel-serial hash chains. The creator can compute the timelock
> in parallel, taking advantage of the large amount of cheap parallelism
> available today, while others are forced to compute it serially,
> constrained by the lack of scalar performance growth.
On PHC discussions list, we considered how to limit attacker's speedup
in computing password hashes (even if the attacker has ASICs and much
faster memory, which would allow them to reduce the time factor in
area*time).  Two main approaches, usable on typical defenders' commodity
hardware, are to use integer multiplication (with serial data
dependencies on the longest to compute result bits) and rapid random
lookups from L1 cache (also with serial dependencies).  Bill Cox, who
has experience with ASICs, said that these two have relatively little
potential to speed up in ASICs vs. commodity CPUs.  Much less than
typical symmetric crypto primitives.  These two approaches are now used
in two PHC submissions: Bill's TwoCats and my yescrypt.  You could use
them, too.  That would move the incentive to speeding up those other
things, though - so it might or might not meet your goals.

PHC discussions list archives are available via a link from:


For others reading this, Peter's timelock is also discussed at:


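The parallel-serial hash-chain construction from the quoted paragraph, as an added Python example (not code from this thread or from Peter's timelock project). The linking scheme is an assumption about the idea: the creator hashes every chain independently (parallel), then hides each chain's start seed under the previous chain's end, so a solver must finish chain i before it can even begin chain i+1.

```python
import hashlib
import secrets
from concurrent.futures import ThreadPoolExecutor


def hash_chain(seed: bytes, length: int) -> bytes:
    """Iterate SHA-256 `length` times. Each step needs the previous
    output, so this part is inherently serial."""
    h = seed
    for _ in range(length):
        h = hashlib.sha256(h).digest()
    return h


def _mask(end: bytes) -> bytes:
    # Key-derivation for hiding the next seed under a chain end (assumed scheme).
    return hashlib.sha256(b"link" + end).digest()


def create_timelock(num_chains: int, chain_length: int):
    """Creator side. All chains start from independent random seeds, so their
    ends can be computed concurrently (one core/ASIC per chain). Returns the
    public puzzle and the secret the solver is meant to recover."""
    seeds = [secrets.token_bytes(32) for _ in range(num_chains)]
    with ThreadPoolExecutor() as pool:            # stands in for a hash farm
        ends = list(pool.map(lambda s: hash_chain(s, chain_length), seeds))
    # Link chains: seed[i+1] XOR mask(end[i]); only someone holding end[i]
    # can unmask seed[i+1], and end[i] costs chain_length serial hashes.
    links = [bytes(a ^ b for a, b in zip(seeds[i + 1], _mask(ends[i])))
             for i in range(num_chains - 1)]
    secret = hashlib.sha256(b"key" + ends[-1]).digest()
    puzzle = {"seed0": seeds[0], "links": links, "chain_length": chain_length}
    return puzzle, secret


def solve_timelock(puzzle: dict) -> bytes:
    """Solver side: num_chains * chain_length hashes, strictly one after
    another, however many cores are available."""
    end = hash_chain(puzzle["seed0"], puzzle["chain_length"])
    for link in puzzle["links"]:
        seed = bytes(a ^ b for a, b in zip(link, _mask(end)))
        end = hash_chain(seed, puzzle["chain_length"])
    return hashlib.sha256(b"key" + end).digest()


if __name__ == "__main__":
    puzzle, secret = create_timelock(num_chains=8, chain_length=100_000)
    print("solver recovered secret:", solve_timelock(puzzle) == secret)
```

With num_chains cores the creator's wall-clock cost is roughly chain_length hashes, while the solver's is num_chains times that; the ASIC-speedup point from Solar's reply applies to whatever primitive replaces SHA-256 in hash_chain.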
