[Resource Topic] 2001/014: Timed-Release Cryptography

Welcome to the resource topic for 2001/014

Timed-Release Cryptography

Authors: Wenbo Mao


Let n be a large composite number. Without factoring n, the
validation of a^{2^t} (\bmod \, n) given a, t with gcd(a, n) = 1 and t < n can be done in t squarings modulo n. For t \ll n
(e.g., n > 2^{1024} and t < 2^{100}), no lower complexity than t
squarings is known to fulfill this task (even considering massive
parallelisation). Rivest et al suggested to use such constructions as
good candidates for realising timed-release crypto problems.

We argue the necessity for zero-knowledge proof of the correctness of
such constructions and propose the first practically efficient
protocol for a realisation. Our protocol proves, in \log_2 t
standard crypto operations, the correctness of (a^e)^{2^t} (\bmod\,n) with respect to a^e where e is an RSA encryption
exponent. With such a proof, a {\em Timed-release RSA Encryption} of a
message M can be given as a^{2^t} M (\bmod \,n) with the
assertion that the correct decryption of the RSA ciphertext M^e (\bmod \, n) can be obtained by performing t squarings modulo n
starting from a. {\em Timed-release RSA signatures} can be
constructed analogously.

ePrint: https://eprint.iacr.org/2001/014

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .