Follow
I wonder if there is a primitive that would allow us to protect inactive users (e.g. something like a "step" function that takes us from key_i to key_{i+1} that's sufficiently expensive etc. and a corresponding function that takes a ciphertext decryptable with key_i and makes a ciphertext decryptable with key_i+1 out of it without access to either).
I don't get how verifiable delays are useful here. You obviously don't want to wait/burn compute to retrieve your secrets, so who would be burning the compute and when?
@robryk @filippo @juliank adding another layer of encrypted wrapping with a VDF (verifiable delay function) is a close approximation. Or similarly, doing something similar by chaining another slow KDF.