Practical and provably secure release of a secret and exchange of signatures

We present a protocol that allows a sender to release gradually and verifiably a secret to a receiver. We argue that the protocol can be efficiently applied to the exchange of secrets in many cases, such as when the secret is a digital signature. This includes Rabin, low-public-exponent RSA, and El Gamal signatures. In these cases, the protocol requires an interactive three-pass initial phase, after which each bit (or block of bits) of the signature can be released noninteractively (i.e., by sending one message). The necessary computations can be done in a couple of minutes on an up-to-date PC. The protocol is statistical zero-knowledge, and therefore releases a negligible amount of side information in the Shannon sense to the receiver. The sender is unable to cheat, if he cannot factor a large composite number before the protocol is completed.

[1]  Leonid A. Levin,et al.  Fair Computation of General Functions in Presence of Immoral Majority , 1990, CRYPTO.

[2]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[3]  Birgit Pfitzmann,et al.  The Dining Cryptographers in the Disco - Underconditional Sender and Recipient Untraceability with Computationally Secure Serviceability (Abstract) , 1990, EUROCRYPT.

[4]  Hugh C. Williams,et al.  A modification of the RSA public-key encryption procedure (Corresp.) , 1980, IEEE Trans. Inf. Theory.

[5]  Oded Goldreich,et al.  RSA and Rabin Functions: Certain Parts are as Hard as the Whole , 1988, SIAM J. Comput..

[6]  Moti Yung,et al.  Direct Minimum-Knowledge Computations , 1987, CRYPTO.

[7]  Manuel Blum How to exchange (secret) keys , 1983, STOC '83.

[8]  Vijay V. Vazirani,et al.  Trapdoor pseudo-random number generators, with applications to protocol design , 1983, 24th Annual Symposium on Foundations of Computer Science (sfcs 1983).

[9]  David Chaum,et al.  Minimum Disclosure Proofs of Knowledge , 1988, J. Comput. Syst. Sci..

[10]  Ivan Damgård,et al.  Collision Free Hash Functions and Public Key Signature Schemes , 1987, EUROCRYPT.

[11]  Tom Tedrick,et al.  Fair Exchange of Secrets , 1984, CRYPTO.

[12]  Oded Goldreich,et al.  A randomized protocol for signing contracts , 1985, CACM.

[13]  Martin Tompa,et al.  Random self-reducibility and zero knowledge interactive proofs of possession of information , 1987, 28th Annual Symposium on Foundations of Computer Science (sfcs 1987).

[14]  Ernest F. Brickell,et al.  Gradual and Verifiable Release of a Secret , 1987, CRYPTO.

[15]  A. Yao How to generate and exchange secrets , 1986, 27th Annual Symposium on Foundations of Computer Science (sfcs 1986).

[16]  Adi Shamir,et al.  The cryptographic security of truncated linearly related variables , 1985, STOC '85.

[17]  Amos Fiat,et al.  Zero-knowledge proofs of identity , 1988, Journal of Cryptology.

[18]  Michael O. Rabin,et al.  How To Exchange Secrets with Oblivious Transfer , 2005, IACR Cryptol. ePrint Arch..

[19]  Silvio Micali,et al.  How to simultaneously exchange a secret bit by flipping a symmetrically-biased coin , 1983, 24th Annual Symposium on Foundations of Computer Science (sfcs 1983).

[20]  Manuel Blum,et al.  Coin Flipping by Telephone. , 1981, CRYPTO 1981.

[21]  Ivan B. Damg Practical and Provably Secure Release of a Secret and Exchange of Signatures , 1995 .

[22]  Silvio Micali,et al.  A fair protocol for signing contracts , 1990, IEEE Trans. Inf. Theory.

[23]  Jeroen van de Graaf,et al.  A Simple and Secure Way to Show the Validity of Your Public Key , 1987, CRYPTO.

[24]  Richard Cleve,et al.  Controlled Gradual Disclosure Schemes for Random Bits and Their Applications , 1989, CRYPTO.

[25]  Ivan Damgård Practical and Provably Secure Release of a Secret and Exchange of Signatures , 1993, EUROCRYPT.

[26]  Silvio Micali,et al.  Proofs that yield nothing but their validity and a methodology of cryptographic protocol design , 1986, 27th Annual Symposium on Foundations of Computer Science (sfcs 1986).