Timed-Release Cryptography

Let $n$ be a large composite number. Without factoring $n$, the computation of $a^{2^t} \pmod{n}$, given $a$ and $t$ with $\gcd(a, n) = 1$ and $t < n$, can be done in $t$ squarings modulo $n$. For $t \ll n$ (e.g., $n \geq 2^{1024}$ and $t < 2^{100}$), no lower complexity than $t$ squarings is known to fulfill this task. Rivest et al. suggested using such constructions as good candidates for realising timed-release crypto problems. We argue the necessity for a zero-knowledge proof of the correctness of such constructions and propose the first practically efficient protocol for a realisation. Our protocol proves, in $\log_2 t$ standard crypto operations, the correctness of $(a^e)^{2^t} \pmod{n}$ with respect to $a^e$, where $e$ is an RSA encryption exponent. With such a proof, a Timed-release Encryption of a message $M$ can be given as $a^{2^t} M \pmod{n}$ with the assertion that the correct decryption of the RSA ciphertext $M^e \pmod{n}$ can be obtained by performing $t$ squarings modulo $n$ starting from $a$. Timed-release RSA signatures can be constructed analogously.
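The construction in the abstract, as an added Python example that is not code from the paper: the sender uses the factorisation of n to shortcut the exponent, the receiver has to perform the t squarings, and the recovered M is checked against the RSA ciphertext. The toy modulus, the exponent 65537, the function names and the sample message are assumptions for illustration; the zero-knowledge proof itself is not implemented here.

```python
# Added illustration with toy parameters; every name here is hypothetical.
from math import gcd

P, Q = 2**31 - 1, 2**61 - 1      # constructed toy primes; real n >= 2^1024
N, PHI = P * Q, (P - 1) * (Q - 1)
E = 65537                        # RSA encryption exponent (assumed value)
A, T = 3, 20000                  # base a and number of squarings t (toy)

def lock_with_trapdoor(a, t, n, phi):
    """Sender knows phi(n): reduce 2^t mod phi(n), then one exponentiation."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    return pow(a, pow(2, t, phi), n)

def solve_by_squaring(a, t, n):
    """Receiver lacks the factorisation: t sequential squarings mod n."""
    x = a % n
    for _ in range(t):
        x = x * x % n
    return x

def timed_release_encrypt(m, a, t, e, n, phi):
    """Publish a^(2^t) * M alongside the RSA ciphertext M^e."""
    mask = lock_with_trapdoor(a, t, n, phi)
    return {"a": a, "t": t, "tre": mask * m % n, "rsa_ct": pow(m, e, n)}

def timed_release_decrypt(pkg, e, n):
    """Recover M after t squarings and check it against M^e."""
    mask = solve_by_squaring(pkg["a"], pkg["t"], n)
    m = pkg["tre"] * pow(mask, -1, n) % n
    if pow(m, e, n) != pkg["rsa_ct"]:
        # Without a proof up front, a bad package is only detected here,
        # after all t squarings have been spent.
        raise ValueError("recovered value does not match M^e")
    return m

if __name__ == "__main__":
    M = int.from_bytes(b"release me", "big")   # constructed sample message
    pkg = timed_release_encrypt(M, A, T, E, N, PHI)
    print(timed_release_decrypt(pkg, E, N).to_bytes(10, "big"))
```

The late failure in `timed_release_decrypt` is the gap the abstract's proof of correctness is meant to close: the receiver learns that a package is malformed only after doing the full sequential work.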
