The core idea behind a time-lock puzzle is simple: hide a secret behind a computation that has to be done in order, one step after another.

That sounds easy until you ask the real question: what kind of computation stays slow even if the attacker has a lot of hardware?

The best practical answer so far is to use a mathematical setting where the obvious shortcut is hidden. The classic version uses RSA-style repeated squaring. The main alternative uses class groups.

The short version is that time-lock puzzles are about forced waiting by computation. You publish something now, but nobody should be able to open it until they have done a long chain of sequential work.

Explain it like I’m five

Imagine I lock a note in a box.

But this is a strange box.

It does not open with a key. It opens only after you turn a crank 10 million times.

The catch is that the box only counts turns if you do them one after another. You cannot hire 1,000 people to each do 10,000 turns at the same time. The box ignores that trick.

A time-lock puzzle is the math version of that box.

You take a secret, lock it behind a long chain of steps, and publish the locked version. Anyone can open it eventually, but only after doing the steps in order.

That is the whole idea.

The rest of the article is about the hard part: how to build a mathematical box that really behaves like that.

What a time-lock puzzle is trying to do

Suppose Alice wants to publish an encrypted message now that should only become readable after roughly one week of computation.

She does not want to trust a server to release a key next week.

She wants the delay to come from math itself.

So the puzzle needs two properties:

1. It should be fast to create.
2. It should be slow to solve, even for someone with parallel hardware.

That second point is the hard part. A lot of cryptographic work is expensive, but still parallelizable. If I can split the work across 1,000 machines, it is not a good time-lock puzzle.

The ideal puzzle forces a long chain of steps where step i+1 depends on the output of step i. No shortcuts. No broad parallel speedup.

That is why time-lock puzzles are closely related to later ideas like verifiable delay functions, or VDFs. A VDF is basically a delay function with a cheap proof that the output is correct. Time-lock puzzles came first. VDFs cleaned up the idea and made it easier to use in protocols.

What people use them for

The original 1996 paper already gave some practical examples:

• sealed-bid auctions, where bids should stay secret until bidding closes
• voting and contract-signing style protocols, where early disclosure would be unfair
• timed release of private material, like a diary, archive, or message meant for the future
• delayed access in escrow-like systems

Modern papers add a few more:

• timed commitments
• public randomness systems
• blockchain protocols that need a source of delay nobody can cheaply skip

Some of these are more common in research papers than in mainstream products. That is worth saying plainly. Time-lock puzzles are influential, but they are still more common as a cryptographic building block than as a feature ordinary users interact with every day.

The classic RSA construction

The original practical construction comes from Rivest, Shamir, and Wagner’s 1996 paper on time-lock puzzles and timed-release crypto.

The basic trick is elegant.

Start with an RSA modulus N = p * q. The puzzle creator knows p and q, so they know phi(N). Everyone else only sees N.

Now pick some base a, and define the hard part of the puzzle as:

a^(2^T) mod N

Here T is the delay parameter. If T is huge, the obvious way to compute this is to square a mod N, then square the result, then square again, for T rounds.

That is the sequential chain:

a -> a^2 -> a^4 -> a^8 -> ... -> a^(2^T) mod N

The puzzle setter can cheat, in the good sense, because they know phi(N). They can reduce the exponent modulo phi(N) and compute the final answer quickly. A solver who does not know the factorization of N is believed to be stuck doing the long chain of squarings.

So the sender does this:

1. Generate a symmetric key k.
2. Encrypt the message with k.
3. Hide k using the value a^(2^T) mod N.
4. Publish the puzzle.

Anybody can eventually recover k, but only after doing about T sequential squarings.

This is the original time-lock puzzle in one sentence: hide the key behind repeated squaring in an RSA group, where the setter knows a shortcut and the solver is not supposed to have one.

Why this works at all

RSA is usually introduced as a public-key system. Time-lock puzzles use a different feature.

They use the fact that the multiplicative group modulo N has hidden order if you do not know the factorization of N.

That hidden order is the key idea.

If the solver knew the group order, they could often reduce huge exponents modulo that order and skip the long sequence. The delay would collapse. The reason the RSA puzzle has a chance is that phi(N) is hidden.

This “hidden-order group” view is more useful than thinking “time-lock puzzles use RSA.” RSA is just one concrete way to get a hidden-order group.

Once you see that, a lot of the literature makes more sense:

• RSA groups are the classic hidden-order choice.
• Class groups are the main non-RSA hidden-order choice.
• Known-order groups are usually bad news for generic delay constructions.

The main alternative: class groups

If hidden order is what you want, RSA is not the only option.

The main alternative is the class group of an imaginary quadratic field. That phrase sounds much scarier than the high-level idea.

You can think of class groups here as another algebraic setting where:

• the group order is hidden
• repeated operations can still be computed
• there is no need to generate an RSA modulus with secret factors

That last point is the big selling point.

RSA-based delay systems usually need a trusted setup story. Someone has to generate N = p * q, and if they keep p and q, they keep the shortcut forever. Class groups avoid that particular trust problem. That is a big reason they became attractive in the VDF literature, and surveys like this one from CWI treat them as one of the main practical hidden-order candidates.

The tradeoff is that class-group arithmetic is less familiar and usually less mature in engineering terms than plain modular arithmetic modulo an RSA integer.

So the practical picture today is roughly:

• RSA groups are simple and well understood, but setup is touchy.
• Class groups avoid trusted RSA setup, but they are more specialized.

A quick note on elliptic curves

Since this is a common question: standard elliptic-curve groups are usually not where classic time-lock puzzles come from.

The short reason is that their group order is known, which tends to destroy the kind of “no shortcut” behavior these puzzles need. There is theory behind that, including Rotem, Segev, and Shahaf’s 2020 result on hidden-order groups.

There are still curve-related delay constructions in the literature, especially around isogenies and hyperelliptic curves. For example, there is a line of work on VDFs and delay encryption where the slow step is walking through a long chain of isogenies rather than doing repeated squaring in a hidden-order group, including this hyperelliptic-curve paper.

But that is a different world from ordinary ECC. It is better to think of those as alternative delay constructions, not as a simple drop-in replacement for the original RSA-style puzzle.

Other directions in the literature

Once the original RSA puzzle existed, researchers pushed in a few directions.

One line asked whether time-lock puzzles can be built from broader assumptions, such as randomized encodings or random oracles. Some of that work is mostly theoretical. It helps explain what is possible in principle, but it has not displaced hidden-order groups in practice.

Another line focused on security models. Katz, Loss, and Xu’s 2020 paper studies the security of time-lock puzzles and timed commitments more carefully, including the classic sequential-squaring assumption.

Another line focused on verifiability. A plain time-lock puzzle tells you “wait and solve.” A VDF adds an efficient way to verify that the solver’s output is right. That is why VDFs became popular in decentralized systems, randomness beacons, and blockchain protocol design.

And very recent work keeps adding features, like verifiable time-lock puzzles, where the solver can know in advance that the thing they will eventually reveal is actually useful.

The basic architecture, though, has not changed that much:

• get a sequential process
• avoid shortcut structure
• preferably make verification cheap

Hidden-order groups still sit near the center of that story.

The annoying part: “time” is only approximate

Time-lock puzzles do not measure wall-clock time directly. They measure how long a particular sequential computation takes on available hardware.

That means the “unlocks in 7 days” story is always approximate.

A faster machine will solve earlier. A slower machine will solve later. Hardware progress changes the estimate. Specialized implementations can change it too.

This is one reason trusted-release systems still exist. If you need a message to open at exactly 09:00 UTC next Tuesday, pure time-lock puzzles are awkward. If you want “this should take a lot of sequential work and no one should be able to shortcut it cheaply,” then they are much more natural.

My take

The cleanest way to understand time-lock puzzles is this:

They are a search for sequentiality without trust.

The original RSA puzzle works because hidden order blocks the obvious exponent shortcut. Class groups matter because they give you hidden order without RSA setup. That is the conceptual center of the field.

For classic time-lock puzzles, the real dividing line is not old crypto versus new crypto. It is hidden order versus known order.