Abstract
We present a protocol that allows a sender to release a secret to a receiver gradually and verifiably. We argue that the protocol can be applied efficiently to the exchange of secrets in many cases, such as when the secret is a digital signature; this includes Rabin, low-public-exponent RSA, and El Gamal signatures. In these cases the protocol requires an interactive three-pass initial phase, after which each bit (or block of bits) of the signature can be released noninteractively, i.e., by sending a single message. The necessary computations can be done in a couple of minutes on an up-to-date PC. The protocol is statistical zero-knowledge and therefore releases only a negligible amount of side information, in the Shannon sense, to the receiver. The sender cannot cheat unless he can factor a large composite number before the protocol is completed.
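To make the "gradual" half of the abstract concrete, the following is an added illustration (it is not the paper's protocol and not code from the author): a toy Rabin signature, i.e. a square root s of the message m modulo n = pq, is released to the receiver one bit at a time, and after k of the t bits are known the receiver finishes by brute force over the remaining t - k bits, checking each candidate against the public relation s^2 = m (mod n). The primes p = 1019, q = 1031, the seed and the release schedule are constructed for the demo. What the script deliberately leaves out is the "verifiable" half, the zero-knowledge proof that each released bit is correct; the paper supplies that, this example does not, so here a cheating sender could release wrong bits undetected until the final check.

```python
"""
Added illustration (not Damgard's protocol and not code from the paper):
a toy Rabin signature released to the receiver one bit at a time.

It shows only why releasing the bits of a square root of m modulo n one at a
time halves the receiver's remaining brute-force work per bit. It omits the
zero-knowledge proof that each released bit is correct.
"""
import random


def is_prime(x):
    """Trial division; enough for the small constructed demo primes."""
    if x < 2:
        return False
    i = 2
    while i * i <= x:
        if x % i == 0:
            return False
        i += 1
    return True


def rabin_sqrt_mod_n(m, p, q):
    """All four square roots of m modulo n = p*q for primes p, q = 3 (mod 4).

    For such primes a^((p+1)/4) is a square root of any quadratic residue a
    mod p; the roots mod p and mod q are combined with the CRT.
    """
    assert p % 4 == 3 and q % 4 == 3, "need p, q = 3 mod 4"
    n = p * q
    rp = pow(m, (p + 1) // 4, p)
    rq = pow(m, (q + 1) // 4, q)
    assert rp * rp % p == m % p and rq * rq % q == m % q, "m is not a quadratic residue mod n"
    inv_q_mod_p = pow(q, -1, p)
    inv_p_mod_q = pow(p, -1, q)
    roots = set()
    for a in (rp, (p - rp) % p):
        for b in (rq, (q - rq) % q):
            roots.add((a * q * inv_q_mod_p + b * p * inv_p_mod_q) % n)
    return sorted(roots)


def release_bits(s, t, k):
    """Sender's side: the k most significant of the t bits of s, MSB first."""
    return [(s >> (t - 1 - i)) & 1 for i in range(k)]


def receiver_search(m, n, t, revealed):
    """Receiver's side: try every completion of the revealed prefix and keep
    the x with x^2 = m (mod n). Returns (matches, number_of_candidates_tried)."""
    prefix = 0
    for b in revealed:
        prefix = (prefix << 1) | b
    remaining = t - len(revealed)
    matches, tried = [], 0
    for low in range(1 << remaining):
        x = (prefix << remaining) | low
        if x >= n:          # candidates are increasing, nothing valid beyond n
            break
        tried += 1
        if x * x % n == m:
            matches.append(x)
    return matches, tried


def demo(p=1019, q=1031, seed=7, schedule=(4, 8, 12, 16, 20)):
    """Run one gradual release. p, q, the seed and the message are constructed for the demo."""
    assert is_prime(p) and is_prime(q)
    n = p * q
    t = n.bit_length()
    rng = random.Random(seed)
    s0 = rng.randrange(1, n)
    m = s0 * s0 % n                       # a "message" that is a quadratic residue mod n
    sig = rabin_sqrt_mod_n(m, p, q)[0]    # the sender's Rabin signature on m
    rounds = []
    for k in sorted(k for k in set(schedule) if k < t) + [t]:
        matches, tried = receiver_search(m, n, t, release_bits(sig, t, k))
        rounds.append({"bits_released": k, "candidates_tried": tried, "matches": matches})
    return {"n": n, "t": t, "m": m, "sig": sig, "rounds": rounds}


if __name__ == "__main__":
    r = demo()
    print(f"n = {r['n']} ({r['t']} bits), signature = {r['sig']}")
    for row in r["rounds"]:
        print(f"{row['bits_released']:2d} bits released -> "
              f"{row['candidates_tried']:7d} candidates, matches {row['matches']}")
```

The number of candidates the receiver has to try after k released bits is at most 2^(t-k), so each released bit halves the remaining work, which is the fairness property a gradual exchange relies on: neither party is ever much further ahead than the other. In the paper the receiver does not have to trust the released bits; here the only check is the final s^2 = m (mod n).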
Communicated by Gilles Brassard
Damgård, I.B. Practical and provably secure release of a secret and exchange of signatures. J. Cryptology 8, 201–222 (1995). https://doi.org/10.1007/BF00191356