1 Introduction Our motivation is the notion of "timed-release crypto, " where the goal is to encrypt a message so that it can not be decrypted by anyone, not even the sender, until a pre-determined amount of time has passed. The goal is to "send information into the future. " This problem was first discussed by Timothy May [6]. What are the applications of "timed-release crypto"? Here are a few possibilities (some due to May):

We introduce the notion of escrowed identity, an application of key-escrow ideas to the problem of identification. In escrowed identity, one party A does not give his identity to another party B, but rather gives him information that would allow an authorized third party E to determine A's identity. However, B receives a guarantee that E can indeed determine A's identity. We give protocols for escrowed identity based on the El-Gamal (signature and encryption) schemes and on the RSA function. A useful feature of our protocol is that after setting up A to use the system, E is only involved when it is actually needed to determine A's identity. Keywords: Cryptography, Key escrow, Proofs of identity. 1

) Markus Jakobsson Information Sciences Research Center, Bell Labs, Murray Hill, New Jersey 07974 www.markus-jakobsson.com Ari Juels RSA Laboratories, 20 Crosby Drive, Bedford, MA 01730 ari@rsa.com Abstract We formalize the notion of a proof of work (POW). In many cryptographic protocols, a prover seeks to convince a verifier that she possesses knowledge of a secret or that a certain mathematical relation holds true. By contrast, in a POW, a prover demonstrates to a verifier that she has performed a certain amount of computational work in a specified interval of time. POWs have served as the basis of a number of security protocols in the literature, but have hitherto lacked careful characterization. In this paper, we offer definitions treating the notion of a POW and related concepts. We also introduce the dependent idea of a bread pudding protocol. Bread pudding is a dish that originated with the purpose of reusing bread that has gone stale. In the same spirit, we define a...

The main objection to current key-escrow proposals is that they assume complete faith in the authority and its trustees. If the authority does not follow the rules, or is replaced by an un-trustworthy authority tomorrow, it can immediately recover the secret keys of all users, and embark on massive wiretapping. We introduce a new approach tokey escrow called encapsulated key escrow (EKE). With this approach itis computationally possible for an authority to wiretap individual users, but computationally prohibitive for the authority to launch large scale wiretapping. This is achieved by imposing a time delay between obtaining the escrowed information of a user and actually recovering the secret key. Furthermore, the recoverability is veri able at escrow time. The approach is applicable both for session keys and for public key cryptography. EKE is a simple general paradigm, applicable across cryptosystems and key distribution protocols, regardless of their type. It solves in one stroke the problem of imposing time delays in key escrow. In particular it yields the rst time delayed key escrow system for RSA, and more e cient solutions for Di e-Hellman than achievable by the previous approach to time delays, namely partial key escrow (PKE). The idea behind EKE is a new cryptographic tool called a veri able cryptographic time capsule (VCTC). This has broader applications to \sending information into the future."

In this paper, we investigate the timed release of standard digital signatures, and demonstrate how to do it for RSA, Schnorr and DSA signatures. Such signatures, once released, cannot be distinguished from signatures of the same type obtained without a timed release, making it transparent to an observer of the end result. While previous work has allowed timed release of signatures, these have not been standard, but special-purpose signatures.

With equitable key escrow the control of society over the individual and the control of the individual over society are shared fairly. In particular, the control is limited to specified time periods. We consider two applications: time controlled key escrow and time controlled auctions with closed bids. In the rst the individual cannot be targeted outside the period authorized by the court. In the second the individual cannot withhold his closed bid beyond the bidding period. We propose two protocols, one for each application. We do not require the use of temper-proof devices.

We introduce and construct timed commitment schemes, an extension to the standard notion of commitments in which a potential forced opening phase permits the receiver to recover (with effort) the committed value without the help of the committer. An important application of our timed-commitment scheme is contract signing: two mutually suspicious parties wish to exchange signatures on a contract. We show a two-party protocol that allows them to exchange RSA or Rabin signatures. The protocol is strongly fair: if one party quits the protocol early, then the two parties must invest comparable amounts of time to retrieve the signatures. This statement holds even if one party has many more machines than the other. Other applications, including honesty preserving auctions and collective coin-flipping, are discussed.

. A partial key escrow cryptosystem based on publicly verifiable encryption is proposed. Partial key escrow adds a great deal of difficulty to mass privacy intrusion interested by malicious authorities (e.g., a human rights abusive government). Public verifiability improves efficiency and guarantees correctness in the establishment of partially escrowed key. 1 Introduction This paper proposes a publicly verifiable partial key escrow cryptosystem. In partial key escrow, a portion of a private key with a specified length will not be in escrow and as a result key recovery requires a non-trivial effort of computation to determine this portion after co-operating shareholders decrypt the key recovery material. Partial key escrow will add a great deal of difficulty to mass privacy intrusion interested by malicious authorities while preserving the property of an ordinary escrowed cryptosystem for targeting individual criminals. Partial key escrow must consider resilience to a so-called early ...

Information about individuals is currently maintained in many thousands of databases, with much of that information, such as name and address, replicated across multiple databases. However, this proliferation of personal information raises issues of privacy for the individual, as well as maintenance issues in terms of the accuracy of the information. Ideally, each individual would own, maintain and control his personal information, allowing access to those who needed at the time it was needed. Organizations would contact the individual directly to obtain information, therefore being assured of using current and correct information. While research has been performed on users owning and controlling access to their personal information in an electronic commerce environment, we argue that this concept should be extended to all user information including, for example, medical and financial information. The end goal is not for users to simply maintain copies of this information, but to be the source of this information. This paper presents the concept of users owning their personal information and introduces some of the issues involved in users being able to control access to this information. The security requirements, including authentication, access control and audit, as well as user interfaces and trust, for this new paradigm are given particular emphasis.

We introduce a new cryptographic problem called time capsule signature. Time capsule signature is a `future signature' that becomes valid from a specific future time t, when a trusted third party (called Time Server) publishes some trapdoor information associated with the time t. In addition, time capsule signature should satisfy the following properties: (1) If the signer wants, she can make her time capsule signature e#ective before the pre-defined time t. The recipient