Timed-Release Cryptography

Wenbo Mao

Paper 2001/014

Timed-Release Cryptography

Wenbo Mao

Abstract

Let $n$ be a large composite number. Without factoring $n$ , the validation of $a^{2^{t}} (mod n)$ given $a$ , $t$ with $g c d (a, n) = 1$ and $t < n$ can be done in $t$ squarings modulo $n$ . For $t ≪ n$ (e.g., $n > 2^{1024}$ and $t < 2^{100}$ ), no lower complexity than $t$ squarings is known to fulfill this task (even considering massive parallelisation). Rivest et al suggested to use such constructions as good candidates for realising timed-release crypto problems. We argue the necessity for zero-knowledge proof of the correctness of such constructions and propose the first practically efficient protocol for a realisation. Our protocol proves, in standard crypto operations, the correctness of with respect to where is an RSA encryption exponent. With such a proof, a {\em Timed-release RSA Encryption} of a message can be given as with the assertion that the correct decryption of the RSA ciphertext can be obtained by performing squarings modulo starting from . {\em Timed-release RSA signatures} can be constructed analogously.

Metadata

Available format(s): PDF PS
Category: Public-key cryptography
Publication info: Published elsewhere. Submitted
Keywords: Timed-release cryptography Zero-knowledge protocols
Contact author(s): wm @ hplb hpl hp com
History: 2001-03-07: revised; 2001-02-23: received; See all versions
Short URL: https://ia.cr/2001/014
License: CC BY

BibTeX

@misc{cryptoeprint:2001/014,
      author = {Wenbo Mao},
      title = {Timed-Release Cryptography},
      howpublished = {Cryptology {ePrint} Archive, Paper 2001/014},
      year = {2001},
      url = {https://eprint.iacr.org/2001/014}
}