## Timed-Release Cryptography (2001)

### Cached

### Download Links

- [www.hpl.hp.co.uk]
- [eprint.iacr.org]
- [www.hpl.hp.com]
- [eprint.iacr.org]
- DBLP

### Other Repositories/Bibliography

Venue: | In In Selected Areas in Cryptography VIII (SAC'01 |

Citations: | 16 - 0 self |

### BibTeX

@INPROCEEDINGS{Mao01timed-releasecryptography,

author = {Wenbo Mao},

title = {Timed-Release Cryptography},

booktitle = {In In Selected Areas in Cryptography VIII (SAC'01},

year = {2001},

pages = {342--357},

publisher = {Prentice Hall}

}

### Years of Citing Articles

### OpenURL

### Abstract

Let n be a large composite number. Without factoring n, the computation of a 2 t (mod n)given a, t with gcd(a# n) = 1 and t!n can be done in t squarings modulo n.For t n (e.g., n?2 1024 and t!2 100 ), no lower complexity than t squarings is known to fulfill this task. Rivest et al suggested to use such constructions as good candidates for realising timed-release crypto problems. We argue the necessity for a zero-knowledge proof of the correctness of such constructions and propose the first practically efficient protocol for a realisation. Our protocol proves, in log 2 t standard crypto operations, the correctness of (a e ) 2 t (mod n) with respect to a e where e is an RSA encryption exponent. With such a proof, a Timed-release Encryption of a message M can be given as a 2 t M (mod n) with the assertion that the correct decryption of the RSA ciphertext M e (mod n) can be obtained by performing t squarings modulo n starting from a. Timed-release RSA signatures can be constructed analogously. Keywords Timed-release cryptography, Time-lock puzzles, Non-parallelisability, Efficient zero-knowledge protocols. 1

### Citations

491 | Heyst. Group signatures - Chaum, van |

448 | Relations among notions of security for public-key encryption schemes
- Bellare, Desai, et al.
- 1998
(Show Context)
Citation Context ...se of a practical public-key encryption scheme, M in (8) should be randomised using a proper plaintext randomisation scheme designed for providing the semantic security (e.g., the OAEP scheme for RSA =-=[1]-=-). 53.2 Timed-release of an RSA Signature Let e, n be as above and d satisfy ed 1(mod (n)) (so d is in the position of an RSA signing exponent). For message M <n(see Remark below), to make its RSA si... |

226 |
A simple unpredictable pseudo-random number generator
- Blum, Blum, et al.
- 1986
(Show Context)
Citation Context ...r security requirements on the large magnitudes of Order (n)(2) and Ordern(a). Then we observe that the mapping from ae to ae (t) is random (which follows the Blum-Blum-Shub random sequence generator =-=[2]-=-) in a large subset of the quadratic residues modulo n. Thus, given the di culty of extracting the e-th root of a random element in the RSA group, a successful extraction of a(t) fromae (t) will const... |

146 | Parallel Collision Search with Cryptanalytic Applications - Oorschot, Wiener - 1999 |

128 | RSA-OAEP is secure under the RSA assumption - Fujisaki, Okamoto, et al. |

121 | Proving in Zero-Knowledge That a Number Is the Product of Two Safe Primes
- Camenisch, Michels
- 1999
(Show Context)
Citation Context ... all distinct primes of roughly equal size. We assume that Alice has proven to Bob in zero-knowledge such a structure of n. This can be achieved via using, e.g., the protocol of Camenisch and Michels =-=[4]-=-. 1 Let a 2 Zn satisfy gcd(a 1�n)=1� (12) a n = ;1: (13) It is elementary to show thata satisfying (12) and (13) has the full order 2p 0 q 0 . The following lemma observes a property of a. 1 Due to th... |

102 | Time-lock puzzles and timed-release crypto - Rivest, Shamir, et al. - 1996 |

32 | Practical zero-knowledge proofs: Giving hits and using deficiencies - Boyar, Friedl, et al. - 1991 |

24 | How to prove all NP statements in zero-knowledge and 11 a methodology of cryptographic protocol design - Goldreich, Micali, et al. - 1987 |

21 | RSA-based undeniable signatures for general moduli - Galbraith, Mao, et al. - 2002 |

13 | Timed commitments (extended abstract
- Boneh, Naor
- 2000
(Show Context)
Citation Context ...s puzzle in x1.2.) 1.1 Applications Boneh and Naor used a subset of L(a� t� n) (details to be discussed in x1.2) and constructed a timed-release crypto primitive which they called \timed commitments" =-=[3]-=-. Besides several suggested applications they suggested an interesting use of their primitive for solving a long-standing problem in fair contract signing. A previous solution (due to Damgard [6]) for... |

7 | Description of the LCS35 Time Capsule Crypto-Puzzle - Rivest - 1999 |

4 | Proving in zero-knowledge thatanumber is the product of two safe primes - Michels, M - 1999 |

4 | Practical and probably secure release of a secret and exchange of signatures - Damg˚ard - 1993 |

3 | A simple and secure way toshowthatvalidity of your public - Graaf, Peralta - 1988 |

1 | Coin Flipping byTelephone: A Protocol for Solving Impossible - Blum - 1981 |