hrm. I was going to say it's extremely wasteful, but since it's sequential I guess you're only burning one core. There's no computational arms race like with blockchain PoW.
How does the math work? The decryption key is some kind of exponentiation you can compute directly with a trapdoor, but without the trapdoor you have to repeatedly multiply instead?
You can just use desktop/laptop CPU accelerated sha256, iterate the round function for as long as you want. No hardware exists that can beat it on latency by any significant margin.
Start with some random 256-bit string as the seed. Iterate on it for t time using sha256 CPU instructions - by either repeatedly hashing the seed or increasing the number of rounds to an arbitrary value (and do something about the round constants, such as removing them).
After t time you stop and use the result to encrypt a message.
You then publish the encrypted message and seed + number of rounds you ended up using.
It will take t time before anyone can decrypt it. They will have to redo what you did, having multiple machines will not help in this task.
The trapdoor method is successive squaring and relies on quite a few assumptions for its security.
The hash method also has the advantage that the sender can utilize multiple machines/cores in creating the encrypted package. By executing the serial hash task in parallel with all available resources and using the results of each chain to encrypt each other in another chain.[1]
How does the math work? The decryption key is some kind of exponentiation you can compute directly with a trapdoor, but without the trapdoor you have to repeatedly multiply instead?