Welcome to the resource topic for
**2001/014**

**Title:**

Timed-Release Cryptography

**Authors:**
Wenbo Mao

**Abstract:**

Let n be a large composite number. Without factoring n, the

validation of a^{2^t} (\bmod \, n) given a, t with gcd(a, n) =
1 and t < n can be done in t squarings modulo n. For t \ll n

(e.g., n > 2^{1024} and t < 2^{100}), no lower complexity than t

squarings is known to fulfill this task (even considering massive

parallelisation). Rivest et al suggested to use such constructions as

good candidates for realising timed-release crypto problems.

We argue the necessity for zero-knowledge proof of the correctness of

such constructions and propose the first practically efficient

protocol for a realisation. Our protocol proves, in \log_2 t

standard crypto operations, the correctness of (a^e)^{2^t}
(\bmod\,n) with respect to a^e where e is an RSA encryption

exponent. With such a proof, a {\em Timed-release RSA Encryption} of a

message M can be given as a^{2^t} M (\bmod \,n) with the

assertion that the correct decryption of the RSA ciphertext M^e
(\bmod \, n) can be obtained by performing t squarings modulo n

starting from a. {\em Timed-release RSA signatures} can be

constructed analogously.

**ePrint:**
https://eprint.iacr.org/2001/014

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

**Example resources include:**
implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .