Let $n$ be a large composite number. Without factoring $n$, the computation of $a^{2^t} \pmod n$ given $a$, $t$ with $\gcd(a, n) = 1$ and $t < n$ can be done in $t$ squarings modulo $n$. For $t \ll n$ (e.g., $n > 2^{1024}$ and $t < 2^{100}$), no lower complexity than $t$ squarings is known to fulfill this task. Rivest et al. suggested using such constructions as good candidates for realising timed-release crypto problems.
We argue the necessity for a zero-knowledge proof of the correctness of such constructions and propose the first practically efficient protocol for a realisation. Our protocol proves, in $\log_2 t$ standard crypto operations, the correctness of $(a^e)^{2^t} \pmod n$ with respect to $a^e$ where $e$ is an RSA encryption exponent. With such a proof, a Timed-release Encryption of a message $M$ can be given as $a^{2^t} M \pmod n$ with the assertion that the correct decryption of the RSA ciphertext $M^e \pmod n$ can be obtained by performing $t$ squarings modulo $n$ starting from $a$. Timed-release RSA signatures can be constructed analogously.
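The construction described above, as an added sketch that is not code from the paper: the creator, who knows the factors of $n$, reduces the exponent $2^t$ modulo $\varphi(n)$, while the solver must perform $t$ sequential squarings. The zero-knowledge proof is not implemented (the RSA ciphertext serves only as a consistency check), and the toy primes, exponent and function names are assumptions.

```python
from math import gcd

# Constructed toy parameters (assumptions; the abstract's example uses n > 2**1024).
P, Q = 2**31 - 1, 2**61 - 1      # secret primes, known only to the puzzle creator
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                        # RSA encryption exponent e


def create(message: int, a: int, t: int) -> dict:
    """Creator side: the factorisation of N replaces t squarings by O(log t) work."""
    if gcd(a, N) != 1 or gcd(message, N) != 1 or gcd(E, PHI) != 1:
        raise ValueError("a and message must be units mod N, e coprime to phi(N)")
    # Euler's theorem: the exponent 2**t may be reduced modulo phi(N).
    u = pow(a, pow(2, t, PHI), N)            # a^(2^t) mod N
    return {
        "a": a,
        "t": t,
        "locked": (u * message) % N,         # a^(2^t) * M mod N
        "rsa_ct": pow(message, E, N),        # M^e mod N
    }


def sequential_square(a: int, t: int, n: int) -> int:
    """Solver side: without the factors of n, t squarings one after another."""
    x = a % n
    for _ in range(t):
        x = (x * x) % n
    return x


def open_puzzle(puzzle: dict) -> int:
    """Recover M after t squarings and check it against the RSA ciphertext."""
    u = sequential_square(puzzle["a"], puzzle["t"], N)
    message = (puzzle["locked"] * pow(u, -1, N)) % N
    if pow(message, E, N) != puzzle["rsa_ct"]:
        raise ValueError("recovered value does not match the RSA ciphertext")
    return message
```

Without the proof the abstract argues for, a recipient learns that `locked` is malformed only after spending all `t` squarings, which is the gap the paper's protocol is meant to close.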
Keywords: Timed-release cryptography, Time-lock puzzles, Non-parallelisability, Efficient zero-knowledge protocols
- 1. Blum, M. Coin Flipping by Telephone: A Protocol for Solving Impossible Problems, Proceedings of the 24th IEEE Computer Conference, pages 133–137, 1981.
- 2. Boyar, J., Friedl, K. and Lund, C. Practical zero-knowledge proofs: Giving hints and using deficiencies, Advances in Cryptology — Proceedings of EUROCRYPT 89 (J.-J. Quisquater and J. Vandewalle, eds.), Lecture Notes in Computer Science 434, Springer-Verlag 1990, pages 155–172.
- 4. Camenisch, J. and Michels, M. Proving in zero-knowledge that a number is the product of two safe primes, In Advances in Cryptology — EUROCRYPT 99 (J. Stern ed.), Lecture Notes in Computer Science 1592, Springer-Verlag 1999, pages 106–121.
- 5. Chaum, D. Zero-knowledge undeniable signatures, Advances in Cryptology: Proceedings of CRYPTO 90 (I.B. Damgaard, ed.), Lecture Notes in Computer Science 473, Springer-Verlag 1991, pages 458–464.
- 6. Damgård, I. Practical and provably secure release of a secret and exchange of signatures, Advances in Cryptology — Proceedings of EUROCRYPT 93 (T. Helleseth ed.), Lecture Notes in Computer Science 765, Springer-Verlag 1994, pages 200–217.
- 7. Fujisaki, E., Okamoto, T., Pointcheval, D. and Stern, J. RSA-OAEP is Secure under the RSA Assumption, To appear in Advances in Cryptology: Proceedings of CRYPTO 01, Springer-Verlag 2001.
- 8. Galbraith, S., Mao, W. and Paterson, K. RSA-based undeniable signatures for general moduli, to appear in the 2002 RSA Conference, Cryptographers’ Track, February 2002.
- 9. Goldreich, O., Micali, S. and Wigderson, A. How to prove all NP statements in zero-knowledge and a methodology of cryptographic protocol design, Advances in Cryptology — Proceedings of CRYPTO 86 (A.M. Odlyzko ed.), Lecture Notes in Computer Science 263, Springer-Verlag 1987, pages 171–185.
- 10. Rivest, R.L. Description of the LCS35 Time Capsule Crypto-Puzzle, http://www.lcs.mit.edu/about/tcapintro041299, April 4th, 1999.
- 11. Rivest, R.L., Shamir, A. and Wagner, D.A. Time-lock puzzles and timed-release crypto, Manuscript. Available at http://theory.lcs.mit.edu/~rivest/RivestShamirWagner-timelock.ps.
- 12. van de Graaf, J. and Peralta, R. A simple and secure way to show the validity of your public key, CRYPTO ’87 (C. Pomerance ed.), Springer LNCS 293, 1988, pages 128–134.