# Timed-Release Cryptography

## Abstract

Let $n$ be a large composite number. Without factoring $n$, computing $a^{2^t} \pmod{n}$, given $a$ and $t$ with $\gcd(a, n) = 1$ and $t < n$, can be done in $t$ squarings modulo $n$. For $t \ll n$ (e.g., $n > 2^{1024}$ and $t < 2^{100}$), no method of lower complexity than $t$ squarings is known for this task. Rivest et al. suggested using such constructions as good candidates for realising timed-release crypto problems.

We argue the necessity of a zero-knowledge proof of the correctness of such constructions and propose the first practically efficient protocol for a realisation. Our protocol proves, in $\log_2 t$ standard crypto operations, the correctness of $(a^e)^{2^t} \pmod{n}$ with respect to $a^e$, where $e$ is an RSA encryption exponent. With such a proof, a timed-release encryption of a message $M$ can be given as $a^{2^t} M \pmod{n}$ with the assertion that the correct decryption of the RSA ciphertext $M^e \pmod{n}$ can be obtained by performing $t$ squarings modulo $n$ starting from $a$. Timed-release RSA signatures can be constructed analogously.
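The construction in the abstract, as an added Python example (not code from the paper): the sender, who knows the factors of n, gets `a^(2^t) mod n` cheaply by reducing `2^t` modulo φ(n), as in the Rivest et al. time-lock puzzle, while the receiver must perform t sequential squarings. The toy primes, `e = 65537`, `a = 3` and all function names are assumptions for illustration; the zero-knowledge proof itself is not implemented.

```python
from math import gcd

# Constructed toy parameters: two Mersenne primes give a ~196-bit modulus.
# The abstract assumes n > 2^1024; these sizes are for demonstration only.
P, Q = 2**89 - 1, 2**107 - 1
E = 65537  # RSA encryption exponent (assumed value)


def make_puzzle(message: int, a: int, t: int) -> dict:
    """Sender: knows P and Q, so a^(2^t) mod n costs two modular exponentiations."""
    n, phi = P * Q, (P - 1) * (Q - 1)
    if gcd(a, n) != 1 or gcd(E, phi) != 1 or not 0 < message < n:
        raise ValueError("invalid puzzle parameters")
    exponent = pow(2, t, phi)      # shortcut: reduce 2^t modulo phi(n)
    mask = pow(a, exponent, n)     # a^(2^t) mod n
    return {
        "n": n, "e": E, "a": a, "t": t,
        "rsa_ct": pow(message, E, n),      # M^e mod n
        "timed_ct": mask * message % n,    # a^(2^t) * M mod n
    }


def solve_puzzle(puzzle: dict) -> int:
    """Receiver: no factorisation of n, so t squarings one after another."""
    n, x = puzzle["n"], puzzle["a"]
    for _ in range(puzzle["t"]):
        x = x * x % n              # each step depends on the previous one
    message = puzzle["timed_ct"] * pow(x, -1, n) % n
    # Without the correctness proof the abstract argues for, a malformed
    # puzzle is only detected here, after all t squarings have been spent.
    if pow(message, puzzle["e"], n) != puzzle["rsa_ct"]:
        raise ValueError("timed ciphertext does not match the RSA ciphertext")
    return message


if __name__ == "__main__":
    sample = int.from_bytes(b"constructed sample", "big")  # constructed input
    released = solve_puzzle(make_puzzle(sample, a=3, t=100_000))
    print(released.to_bytes(18, "big"))
```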

## Keywords

Timed-release cryptography, Time-lock puzzles, Non-parallelisability, Efficient zero-knowledge protocols

## References

1. Blum, M. Coin Flipping by Telephone: A Protocol for Solving Impossible Problems, Proceedings of the 24th IEEE Computer Conference, pages 133–137, 1981.
2. Boyar, J., Friedl, K. and Lund, C. Practical zero-knowledge proofs: Giving hints and using deficiencies, Advances in Cryptology — Proceedings of EUROCRYPT 89 (J.-J. Quisquater and J. Vandewalle, eds.), Lecture Notes in Computer Science 434, Springer-Verlag 1990, pages 155–172.
3. Boneh, D. and Naor, M. Timed commitments (extended abstract), Advances in Cryptology: Proceedings of CRYPTO’00, Lecture Notes in Computer Science 1880, Springer-Verlag 2000, pages 236–254.
4. Camenisch, J. and Michels, M. Proving in zero-knowledge that a number is the product of two safe primes, In Advances in Cryptology—EUROCRYPT 99 (J. Stern ed.), Lecture Notes in Computer Science 1592, Springer-Verlag 1999, pages 106–121.
5. Chaum, D. Zero-knowledge undeniable signatures, Advances in Cryptology: Proceedings of CRYPTO 90 (I.B. Damgaard, ed.), Lecture Notes in Computer Science 473, Springer-Verlag 1991, pages 458–464.
6. Damgård, I. Practical and provably secure release of a secret and exchange of signatures, Advances in Cryptology—Proceedings of EUROCRYPT 93 (T. Helleseth ed.), Lecture Notes in Computer Science 765, Springer-Verlag 1994, pages 200–217.
7. Fujisaki, E., Okamoto, T., Pointcheval, D. and Stern, J. RSA-OAEP is Secure under the RSA Assumption, To appear in Advances in Cryptology: Proceedings of CRYPTO 01, Springer-Verlag 2001.
8. Galbraith, S., Mao, W. and Paterson, K. RSA-based undeniable signatures for general moduli, to appear in the 2002 RSA Conference, Cryptographers’ Track, February 2002.
9. Goldreich, O., Micali, S. and Wigderson, A. How to prove all NP statements in zero-knowledge and a methodology of cryptographic protocol design, Advances in Cryptology—Proceedings of CRYPTO 86 (A.M. Odlyzko ed.), Lecture Notes in Computer Science 263, Springer-Verlag 1987, pages 171–185.
10. Rivest, R.L. Description of the LCS35 Time Capsule Crypto-Puzzle, http://www.lcs.mit.edu/about/tcapintro041299, April 4th, 1999.
11. Rivest, R.L., Shamir, A. and Wagner, D.A. Time-lock puzzles and timed-release crypto, Manuscript. Available at (http://theory.lcs.mit.edu/~rivest/RivestShamirWagner-timelock.ps).
12. van de Graaf, J. and Peralta, R. A simple and secure way to show the validity of your public key, (C. Pomerance ed.), *CRYPTO*’87, Springer LNCS 293, (1988) 128–134.
13. van Oorschot, P.C. and Wiener, M.J. Parallel collision search with cryptanalytic applications, *J. of Cryptology*, Vol.12, No.1 (1999), pages 1–28.