Timed-Release Cryptography

  • Wenbo Mao
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2259)


Let n be a large composite number. Without factoring n, the computation of a2 t (mod n) given a, t with gcd(a, n) = 1 and t < n can be done in t squarings modulo n. For tn (e.g., n > 21024 and t < 2100), no lower complexity than t squarings is known to fulfill this task. Rivest et al suggested to use such constructions as good candidates for realising timed-release crypto problems.

We argue the necessity for a zero-knowledge proof of the correctness of such constructions and propose the first practically efficient protocol for a realisation. Our protocol proves, in log2 t standard crypto operations, the correctness of (a e )2 t (mod n) with respect to a e where e is an RSA encryption exponent. With such a proof, a Timed-release Encryption of a message M can be given as a 2 t M (mod n) with the assertion that the correct decryption of the RSA ciphertext M e (mod n) can be obtained by performing t squarings modulo n starting from a. Timed-release RSA signatures can be constructed analogously.


Timed-release cryptography Time-lock puzzles Non-parallelisability Efficient zero-knowledge protocols 


  1. 1.
    Blum, M. Coin Flipping by Telephone: A Protocol for Solving Impossible Problems, Proceedings of the 24th IEEE Computer Conference, pages 133–137, 1981.Google Scholar
  2. 2.
    Boyar, J., Friedl, K. and Lund, C. Practical zero-knowledge proofs: Giving hints and using deficiencies, Advances in Cryptology — Proceedings of EUROCRYPT 89 (J.-J. Quisquater and J. Vandewalle, eds.), Lecture Notes in Computer Science 434, Springer-Verlag 1990, pages 155–172.Google Scholar
  3. 3.
    Boneh, D. and Naor, M. Timed commitments (extended abstract), Advances in Cryptology: Proceedings of CRYPTO’00, Lecture Notes in Computer Science 1880, Springer-Verlag 2000, pages 236–254.CrossRefGoogle Scholar
  4. 4.
    Camenisch J. and Michels, M. Proving in zero-knowledge that a number is the product of two safe primes, In Advances in Cryptology—EUROCRYPT 99 (J. Stern ed.), Lecture Notes in Computer Science 1592, Springer-Verlag 1999, pages 106–121.Google Scholar
  5. 5.
    Chaum, D. Zero-knowledge undeniable signatures, Advances in Cryptology: Proceedings of CRYPTO 90 (I.B. Damgaard, ed.) Lecture Notes in Computer Science 473, Springer-Verlag 1991, pages 458–464.Google Scholar
  6. 6.
    Damgård, I. Practical and probably secure release of a secret and exchange of signatures, Advances in Cryptology—Proceedings of EUROCRYPT 93 (T. Helleseth ed.), Lecture Notes in Computer Science 765, Springer-Verlag 1994, pages 200–217.Google Scholar
  7. 7.
    Fujisaki, E., Okamoto, T. Pointcheval, D. and Stern, J. RSA-OAEP is Secure under the RSA Assumption, To appear in Advances in Cryptology: Proceedings of CRYPTO 01, Springer-Verlag 2001.Google Scholar
  8. 8.
    Galbraith, S., Mao, W. and Paterson, K. RSA-based undeniable signatures for general moduli, to appear in the 2002 RSA Conference, Cryptographers’ Track, February 2002.Google Scholar
  9. 9.
    Goldreich, O., Micali, S. and Wigderson, A. How to prove all NP statements in zero-knowledge and a methodology of cryptographic protocol design, Advances in Cryptology—Proceedings of CRYPTO 86 (A.M. Odlyzko ed.), Lecture Notes in Computer Science, Springer-Verlag 263 (1987), pages 171–185.CrossRefGoogle Scholar
  10. 10.
    Rivest, R.L. Description of the LCS35 Time Capsule Crypto-Puzzle,, April 4th, 1999.
  11. 11.
    Rivest, R.L., Shamir, A. and Wagner, D.A. Time-lock puzzles and timed-release crypto, Manuscript. Available at (
  12. 12.
    van de Graaf, J. and Peralta, R. A simple and secure way to show that validity of your public key, (C. Pomerance ed.), CRYPTO’ 87, Springer LNCS 293, (1988) 128–134.Google Scholar
  13. 13.
    van Oorschot, P.C. and Wiener, M.J. Parallel collision search with cryptanalytic applications, J. of Cryptology, Vol.12, No.1 (1999), pages 1–28.zbMATHCrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Wenbo Mao
    • 1
  1. 1.Hewlett-Packard LaboratoriesBristolUK

Personalised recommendations