Gradual and Verifiable Release of a Secret (Extended Abstract)

  • Ernest F. Brickell
  • David Chaum
  • Ivan B. Damgård
  • Jeroen van de Graaf
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 293)


Protocols are presented allowing someone with a secret discrete logarithm to release it, bit by bit, such that anyone can verify each bit’s correctness as they receive it. This new notion of release of secrets generalizes and extends that of the already known exchange of secrets protocols. Consequently, the protocols presented allow exchange of secret discrete logs between any number of parties.

The basic protocol solves an even more general problem than that of releasing a discrete log. Given any instance of a discrete log problem in a group with public group operation, the party who knows the solution can make public some interval I and convince anyone that the solution belongs to I, while releasing no additional information, such as any hint as to where in I the solution is.

This can be used directly to release a discrete log, or to transfer it securely between different groups, i.e. prove that two instances are related such that knowledge of the solution to one implies knowledge of the solution to the other.

We show how this last application can be used to implement a more efficient release protocol by transferring the given discrete log instance to a group with special properties. In this scenario, each bit of the secret can be verified by a single modular squaring, and unlike the direct use of the basic protocol, no interactive proofs are needed after the basic setup has been done.

Finally, it is shown how the basic protocol can be used to release the factorization of a public composite number.


Commitment Scheme Basic Protocol Oblivious Transfer Interactive Proof Minimum Knowledge 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. [Bl81]
    Blum: “Three applications of the oblivious transfer”, Dept. of EECS, Univ. of California, Berkely, 1981.Google Scholar
  2. [Bl83]
    Blum: “How to exchange (secret) keys”, ACM Transactions on Computer Systems, vol. 1, 1983, pp. 175–193.CrossRefGoogle Scholar
  3. [BCC87]
    Brassard, Chaum and Crépeau: “Minimum disclosure proofs of knowledge”, to appear.Google Scholar
  4. [BrCr86]
    G. Brassard, and C. Crépeau, “Zero-Knowledge Simulation of Boolean Circuits,” Presented at Crypto 86, (August 1986).Google Scholar
  5. [Ch86]
    D. Chaum, “Demonstrating that a Public Predicate can be Satisfied Without Revealing Any Information About How,” Presented at Crypto 86, (August 1986).Google Scholar
  6. [CDG87]
    Chaum, Damgård and van de Graaf: “Multiparty computations ensuring privacy of each party’s input and correctness of the result”, Proc. of Crypto 87.Google Scholar
  7. [CEGP86]
    D. Chaum, J.-H. Evertse, J. van de Graaf, and R. Peralta, “Demonstrating possession of a discrete logarithm without revealing it,” To appear in the Proceedings of Crypto 86, (August 1986).Google Scholar
  8. [CG87]
    Chaum, van de Graaf: “An improved protocol for demonstrating possession of a discrete log and some generalisations”, Proc. of Eurocrypt 87.Google Scholar
  9. [FFS87]
    Fiege, Fiat and Shamir: “Zero knowledge proof of identity”, Proc. of STOC 87.Google Scholar
  10. [GHY87]
    Galil, Haber and Yung: “Cryptographic Computation: Secure Fault-tolerant Protocols in the Public Key Model”, Proc. of Crypto 87.Google Scholar
  11. [GMR85]
    S. Goldwasser, S. Micali, and C. Rackoff, “The Knowledge Complexity of Interactive Roof Systems,” 17th STOC (1985).Google Scholar
  12. [GMW86]
    O. Goldreich, S. Micali, and A. Wigderson, “How to Prove all NP-statements in Zero-Knowledge, and a Methodology of Cryptographic Protocol Design,” Presented at Crypto 86, (August 1986).Google Scholar
  13. [Go84]
    J. Gordon, “Strong primes are easy to find”, Proceedings of Eurocrypt 84.Google Scholar
  14. [HaSh85]
    “The cryptographic security of truncated linearly related variables,” Proc. of 17th STOC, 1985, pp. 356–362.Google Scholar
  15. [LMR83]
    Luby, Micali and Rackoff: “How to simultaneously exchange a secret bit by flipping a symmetrically biased coin”, Proc. 24th FOCS, 1983, pp.11–21.Google Scholar
  16. [Ra81]
    Rabin: “How to exchange secrets using oblivious transfer”, Technical memo, TR-81, Aiken Computation Lab., Harward Univ., 1981.Google Scholar
  17. [VaV83]
    Vazirani and Vazirani: “Trapdoor pseudo random number generators with applications to protocol design”, Proc. 24th. FOCS, 1983, pp.23–30.Google Scholar
  18. [Te83]
    Tedrick: “How to exchange half a bit”, Proc. of Crypto 83, pp.147–151.Google Scholar
  19. [Te84]
    Tedrick: “Fair exchange of secrets”, Proc. of Crypto 84, pp.434–438.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1988

Authors and Affiliations

  • Ernest F. Brickell
    • 1
  • David Chaum
    • 2
  • Ivan B. Damgård
    • 2
  • Jeroen van de Graaf
    • 2
  1. 1.Bell Communications ResearchMorristownUSA
  2. 2.Centre for Mathematics and Computer ScienceAmsterdamThe Netherlands

Personalised recommendations