Practical and Provably Secure Release of a Secret and Exchange of Signatures

We present a protocol that allows a sender to gradually and verifiably release a secret to a receiver. We argue that the protocol can be efficiently applied to exchange secrets in many cases, for example when the secret is a digital signature. This includes Rabin, low-public-exponent RSA, and El Gamal signatures. In these cases, the protocol requires an interactive 3-pass initial phase, after which each bit (or block of bits) of the signature can be released non-interactively (i.e. by sending one message). The necessary computations can be done in a few seconds on an up-to-date PC. The protocol is statistical zero-knowledge, and therefore releases only a negligible amount of side information, in the Shannon sense, to the receiver. The sender is unable to cheat if he cannot factor a large composite number before the protocol is completed. We also point out a simple method by which any type of signature can be applied to fair contract signing using only one signature.
