https://github.com/drand/tlock

drand / tlock: Timelock Encryption made practical. The Go `tlock` library and the `tle` cmd line tool home to encrypt towards the future. Dual-licensed under LICENSE-APACHE and LICENSE-MIT.
Latest commit: Merge pull request #32 from rootulp/rp/truncate-file (80219e4, Aug 15, 2022)

# tlock: Timelock Encryption/Decryption Made Practical

tlock gives you time-based encryption and decryption capabilities by relying on a drand threshold network. It is also a Go library, which is used to implement the `tle` command line tool, enabling anybody to leverage timelock encryption.
Our timelock encryption system relies on an unchained drand network. Currently, the only publicly available one is the League of Entropy Testnet. However, it should soon also be available on the League's Mainnet. Working endpoints to access it are, for now:

* https://pl-us.testnet.drand.sh/
* https://testnet0-api.drand.cloudflare.com/

Notice this is relying on the League of Entropy Testnet, which should not be considered secure. A compatible League of Entropy Mainnet network is going to be launched in mid September, which can be considered secure. In the meantime, we recommend only using the Testnet network for development and testing purposes.

You can also spin up a new drand network and run your own, but notice that the security guarantees boil down to the trust you can have in your network.

---

## See How It Works

[demo image]

---

## Table Of Contents

* Install the CLI
* Build it
* CLI usage
  + Encryption
  + Decryption
* Library usage
* Applying another layer of encryption
* Security considerations

---

## Install or Build the CLI

This tool is pure Go; it works without CGO (`CGO_ENABLED=0`).

```sh
go install github.com/drand/tlock/cmd/tle@latest
```

Or build it from source:

```sh
git clone https://github.com/drand/tlock
go build cmd/tle/tle.go
```

---

## CLI Usage

```
Usage:
    tle [--encrypt] (-r round)... [--armor] [-o OUTPUT] [INPUT]
    tle --decrypt [-o OUTPUT] [INPUT]

Options:
    -e, --encrypt   Encrypt the input to the output. Default if omitted.
    -d, --decrypt   Decrypt the input to the output.
    -n, --network   The drand API endpoint to use.
    -c, --chain     The chain to use. Can use either beacon ID name or beacon hash.
                    Use beacon hash in order to ensure public key integrity.
    -r, --round     The specific round to use to encrypt the message. Cannot be used with --duration.
    -D, --duration  How long to wait before the message can be decrypted. Defaults to 120d (120 days).
    -o, --output    Write the result to the file at path OUTPUT.
    -a, --armor     Encrypt or Decrypt to a PEM encoded format.

If the OUTPUT exists, it will be overwritten.

NETWORK defaults to the Drand test network http://pl-us.testnet.drand.sh/.

CHAIN defaults to the "unchained" hash in the default test network:
7672797f548f3f4748ac4bf3352fc6c6b6468c9ad40ad456a397545c6e2df5bf

DURATION has a default value of 120d. When it is specified, it expects a number
followed by one of these units: "ns", "us" (or "µs"), "ms", "s", "m", "h", "d", "M", "y".

Example:
    $ tle -D 10d -o encrypted_file data_to_encrypt

After the specified duration:
    $ tle -d -o decrypted_file.txt encrypted_file
```

### Time Lock Encryption

Files can be encrypted using a duration (`--duration`/`-D`) after which the encrypted data can be decrypted.

```sh
$ tle -n="http://pl-us.testnet.drand.sh/" -c="7672797f548f3f4748ac4bf3352fc6c6b6468c9ad40ad456a397545c6e2df5bf" -D=5s -o=encrypted_data data.txt
```

If a round (`--round`/`-r`) number is known, it can be used instead of the duration. The data can be decrypted only when that round becomes available in the network.

```sh
$ tle -n="http://pl-us.testnet.drand.sh/" -c="7672797f548f3f4748ac4bf3352fc6c6b6468c9ad40ad456a397545c6e2df5bf" -r=123456 -o=encrypted_data data.txt
```

It is also possible to encrypt the data to a PEM encoded format using the armor (`--armor`/`-a`) flag.

```sh
$ tle -a -n="http://pl-us.testnet.drand.sh/" -c="7672797f548f3f4748ac4bf3352fc6c6b6468c9ad40ad456a397545c6e2df5bf" -r=123456 -o=encrypted_data.PEM data.txt
```

### Time Lock Decryption

For decryption, it is only necessary to specify the network.

```sh
$ tle -d -n="http://pl-us.testnet.drand.sh/" -o=decrypted_data encrypted_data
```

If decoding a PEM source:
```sh
$ tle -a -d -n="http://pl-us.testnet.drand.sh/" -o=decrypted_data encrypted_data
```

---

## Library Usage

These examples show how to use the API to time lock encrypt and decrypt data.

### Time Lock Encryption

```go
// Imports used: bytes, log, os, time, github.com/drand/tlock,
// github.com/drand/tlock/networks/http

// Open an io.Reader to the data to be encrypted.
in, err := os.Open("data.txt")
if err != nil {
	log.Fatalf("open: %s", err)
	return
}
defer in.Close()

// Construct a network that can talk to a drand network.
host := "http://pl-us.testnet.drand.sh/"
chainHash := "7672797f548f3f4748ac4bf3352fc6c6b6468c9ad40ad456a397545c6e2df5bf"
network := http.NewNetwork(host, chainHash)

// Specify how long we need to wait before the file can be decrypted.
duration := 10 * time.Second

// Use the network to identify the round number that represents the duration.
roundNumber, err := network.RoundNumber(time.Now().Add(duration))
if err != nil {
	log.Fatalf("round by duration: %s", err)
	return
}

// Write the encrypted file data to this buffer.
var cipherData bytes.Buffer

// Encrypt the data for the given round.
if err := tlock.New(network).Encrypt(&cipherData, in, roundNumber); err != nil {
	log.Fatalf("encrypt: %v", err)
	return
}
```

### Time Lock Decryption

```go
// Imports used: bytes, log, os, github.com/drand/tlock,
// github.com/drand/tlock/networks/http

// Open an io.Reader to the data to be decrypted.
in, err := os.Open("data.tle")
if err != nil {
	log.Fatalf("open: %v", err)
	return
}
defer in.Close()

// Construct a network that can talk to a drand network.
host := "http://pl-us.testnet.drand.sh/"
chainHash := "7672797f548f3f4748ac4bf3352fc6c6b6468c9ad40ad456a397545c6e2df5bf"
network := http.NewNetwork(host, chainHash)

// Write the decrypted file data to this buffer.
var plainData bytes.Buffer

// Decrypt the data. If you try to decrypt the data *before* the specified
// duration, it will fail with the message: "too early to decrypt".
if err := tlock.New(network).Decrypt(&plainData, in); err != nil {
	log.Fatalf("decrypt: %v", err)
	return
}
```

---

## Applying another layer of encryption

The recommended way of doing "hybrid" encryption, where you encrypt your data both with timelock encryption and with another encryption scheme such as a public-key or a symmetric-key scheme, is to simply re-encrypt your already encrypted data using tlock. For example, you can use the age CLI to encrypt your data with a passphrase as follows.

### Encrypting Data With Passphrase

```sh
$ cat data.txt | age -p | tle -D 30s -o encrypted_data
```

### Decrypting Data With Passphrase

```sh
$ cat encrypted_data | tle -d | age -d -o data.txt
```

Note that you could do the same with PGP or any other encryption tool.

---

## Security considerations

Currently, this is relying on the League of Entropy Testnet, which should not be considered secure. A compatible League of Entropy Mainnet network is going to be launched in mid September, which can be considered secure.

The security of our timelock encryption mechanism relies on four main things:

* The security of the underlying Identity-Based Encryption (IBE) scheme (proposed in 2001) and of the implementation we are using.
* The security of the threshold BLS scheme (proposed in 2003), and of its implementation by the network you are relying on.
* The security of age's underlying primitives, and that of the age implementation we are using to encrypt the data, since we rely on the hybrid encryption principle: we only timelock encrypt ("wrap") a random symmetric key, which age then uses to symmetrically encrypt the data with ChaCha20-Poly1305.
* The security of the threshold network providing you with its BLS signatures at a given frequency; for instance, the default for tle is to rely on drand and its existing League of Entropy network.

In practice this means that if you trust that there are never more than the threshold t malicious nodes on the network you are relying on, you are guaranteed that your timelocked data cannot be decrypted earlier than you intended.

Please note that neither BLS nor the IBE scheme we rely on is "quantum resistant"; therefore, should a quantum computer be built that is able to threaten their security, our current design would not resist. There is also no quantum-resistant scheme that we are aware of that could be used to replace our current design, since post-quantum signature schemes do not "thresholdize" well in a post-quantum IBE-compatible way. However, such a quantum computer seems unlikely to be built within the next 5-10 years, and therefore we currently consider that you can expect a "long term security" horizon of at least 5 years by relying on our design.

---

## License

This project is licensed using the Permissive License Stack, which means that all contributions are available under the most permissive commonly-used licenses, and dependent projects can pick the license that best suits them. Therefore, the project is dual-licensed under Apache 2.0 and MIT terms:

* Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
* MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
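The Library Usage section turns a duration into a drand round with `network.RoundNumber(time.Now().Add(duration))`, and decrypting before that round fails with "too early to decrypt". The block below is an added example, not code from the tlock project: using only the Go standard library, it re-derives that round arithmetic from a chain's genesis time and period, and shows the too-early check a decryptor is subject to. The `ChainInfo` type and the genesis/period values in `main()` are constructed for the example; a real client obtains those parameters from the drand network for the chosen chain hash.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ChainInfo holds the two chain parameters the round arithmetic needs; a drand
// client reads them from the network (values in main() are constructed).
type ChainInfo struct {
	GenesisTime time.Time     // when round 1 is published
	Period      time.Duration // interval between rounds
}

// RoundAt returns the latest round whose beacon is published at or before t
// (round 1 at genesis): the round a ciphertext for "now + duration" locks to.
func (c ChainInfo) RoundAt(t time.Time) uint64 {
	if !t.After(c.GenesisTime) {
		return 1 // nothing precedes round 1
	}
	return uint64(t.Sub(c.GenesisTime)/c.Period) + 1
}

// TimeOfRound returns when round r is published, i.e. the earliest moment a
// ciphertext locked to r can be decrypted (drand quantizes the wait to Period).
func (c ChainInfo) TimeOfRound(r uint64) time.Time {
	if r == 0 {
		return c.GenesisTime
	}
	return c.GenesisTime.Add(time.Duration(r-1) * c.Period)
}

var ErrTooEarly = errors.New("too early to decrypt")
// CanDecrypt mirrors the check behind the library's "too early to decrypt"
// error: the signature for the target round must already exist on the network.
func CanDecrypt(latestRound, targetRound uint64) error {
	if latestRound < targetRound {
		return fmt.Errorf("%w: need round %d, network is at round %d", ErrTooEarly, targetRound, latestRound)
	}
	return nil
}

func main() {
	chain := ChainInfo{GenesisTime: time.Unix(1_000_000, 0), Period: 3 * time.Second}
	now := chain.GenesisTime.Add(100 * time.Second) // constructed "current" time
	target := chain.RoundAt(now.Add(10 * time.Second))
	fmt.Println("encrypt to round", target, "available at", chain.TimeOfRound(target).UTC())
	fmt.Println("decrypt now:", CanDecrypt(chain.RoundAt(now), target)) // too early
}
```

With a 3 s period, a 10 s lock from 100 s after genesis targets round 37, whose beacon appears at 108 s after genesis, which is why timelock waits are only as fine-grained as the chain's period.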