1993-02-23 - Timed-Release Crypto

Header Data

From: Eric Hughes <hughes@soda.berkeley.edu>
To: cypherpunks@toad.com
Message Hash: 68628a6147474d9679767199a9c603574ffd4e0072e37e91ab09195617780986
Message ID: <9302230205.AA23892@soda.berkeley.edu>
Reply To: <9302101955.AA09009@netcom.netcom.com>
UTC Datetime: 1993-02-23 02:18:28 UTC
Raw Date: Mon, 22 Feb 93 18:18:28 PST

Raw message

From: Eric Hughes <hughes@soda.berkeley.edu>
Date: Mon, 22 Feb 93 18:18:28 PST
To: cypherpunks@toad.com
Subject: Timed-Release Crypto
In-Reply-To: <9302101955.AA09009@netcom.netcom.com>
Message-ID: <9302230205.AA23892@soda.berkeley.edu>
MIME-Version: 1.0
Content-Type: text/plain


By coincidence, I was thinking about time-release protocols the other
day.  I've got most of a system worked out, but I need to write it up
and look at it for a while to make sure it works.  what I think I have
is a system in which the sender is given a key by a beacon which he
can verify, at issuance time, will be revealed by the beacon at some
future time.  The implementation (but not the basic idea) relies on
using multiple public RSA keys with the same modulus.  I know there
are some attacks against this, but I don't know their nature.  If
someone who knows about this (or knows where to find out) could
contact me I would be most appreciative.

As far as sending money into the future goes, there are some tradeoffs
between anonymity of payment, length of time in the future, and
message size.  Anonymity of payment is difficult, since digital cash
has to expire in order for the bank not have to keep ever huger lists
of deposited numbers.  Large payments are less frequent anyway, and
provide less covering traffic.  If you continuously rotate your money
into the future, therefore, all the steps must be encapsulated, making
the size of the message grow linearly with the number of hops.  One
might be able to use a financial intermediary for anonymity, though.
It's not obvious to me that this will work.

Eric





Thread