Gradual and Verifiable Release of a Secret (Extended Abstract)
Protocols are presented allowing someone with a secret discrete logarithm to release it, bit by bit, such that anyone can verify each bit’s correctness as they receive it. This new notion of release of secrets generalizes and extends that of the already known exchange of secrets protocols. Consequently, the protocols presented allow exchange of secret discrete logs between any number of parties.
The basic protocol solves an even more general problem than that of releasing a discrete log. Given any instance of a discrete log problem in a group with public group operation, the party who knows the solution can make public some interval I and convince anyone that the solution belongs to I, while releasing no additional information, such as any hint as to where in I the solution is.
This can be used directly to release a discrete log, or to transfer it securely between different groups, i.e. prove that two instances are related such that knowledge of the solution to one implies knowledge of the solution to the other.
We show how this last application can be used to implement a more efficient release protocol by transferring the given discrete log instance to a group with special properties. In this scenario, each bit of the secret can be verified by a single modular squaring, and unlike the direct use of the basic protocol, no interactive proofs are needed after the basic setup has been done.
Finally, it is shown how the basic protocol can be used to release the factorization of a public composite number.
KeywordsCommitment Scheme Basic Protocol Oblivious Transfer Interactive Proof Minimum Knowledge
- [Bl81]Blum: “Three applications of the oblivious transfer”, Dept. of EECS, Univ. of California, Berkely, 1981.Google Scholar
- [BCC87]Brassard, Chaum and Crépeau: “Minimum disclosure proofs of knowledge”, to appear.Google Scholar
- [BrCr86]G. Brassard, and C. Crépeau, “Zero-Knowledge Simulation of Boolean Circuits,” Presented at Crypto 86, (August 1986).Google Scholar
- [Ch86]D. Chaum, “Demonstrating that a Public Predicate can be Satisfied Without Revealing Any Information About How,” Presented at Crypto 86, (August 1986).Google Scholar
- [CDG87]Chaum, Damgård and van de Graaf: “Multiparty computations ensuring privacy of each party’s input and correctness of the result”, Proc. of Crypto 87.Google Scholar
- [CEGP86]D. Chaum, J.-H. Evertse, J. van de Graaf, and R. Peralta, “Demonstrating possession of a discrete logarithm without revealing it,” To appear in the Proceedings of Crypto 86, (August 1986).Google Scholar
- [CG87]Chaum, van de Graaf: “An improved protocol for demonstrating possession of a discrete log and some generalisations”, Proc. of Eurocrypt 87.Google Scholar
- [FFS87]Fiege, Fiat and Shamir: “Zero knowledge proof of identity”, Proc. of STOC 87.Google Scholar
- [GHY87]Galil, Haber and Yung: “Cryptographic Computation: Secure Fault-tolerant Protocols in the Public Key Model”, Proc. of Crypto 87.Google Scholar
- [GMR85]S. Goldwasser, S. Micali, and C. Rackoff, “The Knowledge Complexity of Interactive Roof Systems,” 17th STOC (1985).Google Scholar
- [GMW86]O. Goldreich, S. Micali, and A. Wigderson, “How to Prove all NP-statements in Zero-Knowledge, and a Methodology of Cryptographic Protocol Design,” Presented at Crypto 86, (August 1986).Google Scholar
- [Go84]J. Gordon, “Strong primes are easy to find”, Proceedings of Eurocrypt 84.Google Scholar
- [HaSh85]“The cryptographic security of truncated linearly related variables,” Proc. of 17th STOC, 1985, pp. 356–362.Google Scholar
- [LMR83]Luby, Micali and Rackoff: “How to simultaneously exchange a secret bit by flipping a symmetrically biased coin”, Proc. 24th FOCS, 1983, pp.11–21.Google Scholar
- [Ra81]Rabin: “How to exchange secrets using oblivious transfer”, Technical memo, TR-81, Aiken Computation Lab., Harward Univ., 1981.Google Scholar
- [VaV83]Vazirani and Vazirani: “Trapdoor pseudo random number generators with applications to protocol design”, Proc. 24th. FOCS, 1983, pp.23–30.Google Scholar
- [Te83]Tedrick: “How to exchange half a bit”, Proc. of Crypto 83, pp.147–151.Google Scholar
- [Te84]Tedrick: “Fair exchange of secrets”, Proc. of Crypto 84, pp.434–438.Google Scholar