Journal of Cryptology

, Volume 8, Issue 4, pp 201–222

Practical and provably secure release of a secret and exchange of signatures

  • Ivan Bjerre Damgård

DOI: 10.1007/BF00191356

Cite this article as:
Damgård, I.B. J. Cryptology (1995) 8: 201. doi:10.1007/BF00191356


We present a protocol that allows a sender to release gradually and verifiably a secret to a receiver. We argue that the protocol can be efficiently applied to the exchange of secrets in many cases, such as when the secret is a digital signature. This includes Rabin, low-public-exponent RSA, and El Gamal signatures. In these cases, the protocol requires an interactive three-pass initial phase, after which each bit (or block of bits) of the signature can be released noninteractively (i.e., by sending one message). The necessary computations can be done in a couple of minutes on an up-to-date PC. The protocol is statistical zero-knowledge, and therefore releases a negligible amount of side information in the Shannon sense to the receiver. The sender is unable to cheat, if he cannot factor a large composite number before the protocol is completed.

Key words

Exchange of secretsDigital signaturesZero-knowledge

Copyright information

© International Association for Cryptologic Research 1995

Authors and Affiliations

  • Ivan Bjerre Damgård
    • 1
  1. 1.Mathematical Institute, Aarhus UniversityAarhus CDenmark