Timed-release cryptography

Let n be a large composite number. Without factoring n, the validation of a2t (mod n) given a, t with gcd (a, n) = 1 and t 21024 and t 100), no lower complexity than t squarings is known to fulfil this task (even considering massive parallelisation). Rivest et al suggested to use such constructions as good candidates for realising timed-release crypto problems. We argue the necessity for zero-knowledge proof of the correctness of such constructions and propose the first practically efficient protocol for a realisation. Our protocol proves, in log2 t standard crypto operations, the correctness of (ae)2t (mod n) with respect to ae where e is an RSA encryption exponent. With such a proof, a Timed-release RSA Encryption of a message M can be given as a2t M (mod n) with the assertion that the correct decryption of the RSA ciphertext Me (mod n) can be obtained by performing t squarings modulo n starting from a. Timed-release RSA signatures can be constructed analogously.