EP1105994A1 - Time-stamping with binary linking schemes - Google Patents

Time-stamping with binary linking schemes

Info

Publication number
EP1105994A1
Authority
EP
European Patent Office
Prior art keywords
time
nonce
document
stamping
tss
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP99942384A
Other languages
German (de)
French (fr)
Other versions
EP1105994A4 (en)
Inventor
Ahto Bildos
Peeter Laud
Helger Lipmaa
Jan Villemson
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
RLJ Timestamp Corp
Original Assignee
RLJ Timestamp Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by RLJ Timestamp Corp

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Definitions

  • a method is also presented of certifying the moment of signing, not only the moment of submitting.
  • Before signing a document X, a principal P generates a nonce N and time-stamps it.
  • by a nonce is meant a sufficiently long random bit-string, such that the probability that it has already been time-stamped is negligible.
  • the verifier has to compare both these time-stamps with the time-stamps trusted by the verifier (which may be nonces generated by the verifier herself).
  • the verifier may conclude that the signature was created in the time-frame between the moments of issuance of L(N) and of L(S) respectively. If these moments are close enough, the signing time can be ascertained with necessary precision. In this solution there are no supplementary duties to the TSS or to the other principals.
  • a time-stamping procedure is also defined, as follows: (1) the client sends to the TSS the data item X to be time-stamped; (2) the TSS answers immediately by sending the then-current $L_n$ and the necessary data for verifying the one-way dependency between $L_n$ and the time-stamp for the previous round. The TSS signs $L_n$ and sends the signature $D_{TSS}(n, L_n)$ to the client; (3) if the round is over, the client may apply to the TSS for the data necessary to verify a one-way relationship between $L_n$ and the time-stamp for the round. Therefore, the TSS is not able to rearrange the time-stamps during a round. This means the present scheme reduces the need for trusting the TSS in maintaining the temporal order of time-stamped documents.
  • Fig. 1 is flow chart of a tree linking system for the certification of Digital
  • Fig. 2 is flow chart of a binary linking system (BLS) for the certification of Digital Signatures.
  • BLS binary linking system
  • Fig. 3 is flow chart of a BLS with the shortest verification links between digital signatures.
  • Fig. 4 is a flow chart of an Accumulated Linking System (ALS) which may be used in the invention.
  • ALS Accumulated Linking System
  • Fig. 5 is flow chart of a Time Stamp system of the invention.
  • Table I is a definition of a recursive linking system for digital signature verification.
  • Table II shows how recursive linking may be programmed on a computer.
  • Table III is a proof that a further reduction in the complexity of linking digital signatures is not feasible beyond the invention.
  • Table IV-A and IV-B comprise proofs of the sufficiency of the invention for verification of digital signatures as disclosed.
  • Description of the Preferred Embodiment
  • time-stamping systems applicable in legal situations. Later the approach will be justified and compared to older systems.
  • a time-stamping system consists of a set of principals with the time-stamping server (TSS) together with a triple (S, V, A) of protocols.
  • the stamping protocol S allows each participant to post a message.
  • the verification protocol V is used by a principal having two time-stamps to verify the temporal order between those time-stamps.
  • the audit protocol A is used by a principal to verify whether the TSS carries out his duties. Additionally, no principal (in particular, TSS) should be able to produce fake time-stamps without being caught.
  • a time-stamping system has to be able to handle time-stamps which are anonymous and do not reveal any information about the content of the stamped data.
  • the TSS is not required to identify the initiators of time-stamping requests.
  • The main security objective of time-stamping is temporal authentication: the ability to prove that a certain document has been created at a certain moment of time.
  • the creation of a digital data item is an observable event in the physical world, the moment of its creation cannot be ascertained by observing the data itself.
  • the best one can do is to check the relative temporal order of the created data items (i.e., prove the RTA) using one-way dependencies defining the arrow of time, analogous to the way in which the growth of entropy defines the arrow of time in the physical world.
  • H is a collision-resistant one-way hash function
  • the system utilizes collision-resistant one-way hash functions.
  • a collision-resistant one-way hash function is a function H which has the properties of compression, ease of computation, preimage resistance, 2nd-preimage resistance and collision resistance.
  • a (p, H)-linking scheme is a procedure to link a family (H of data items together using auxiliary linking items L n satisfying the recursive formula
  • L n : H(H n , L n 1, ... ,Ln ⁇ p.1(n) ),
  • a sequence (m j ) ⁇ i 1 , where m ; p m i+1 is called a verifying chain between m, and m ⁇ with length ⁇ .
  • H n H(n,XJ, where X tract denotes the n-th time-stamped document.
  • the linking item L n is also referred to as a time-stamp of X tract. Note that a one-way relationship between L n and L m (n ⁇ m) does not prove that in the moment of creating X tract the bit-string ⁇ did not exist, but we do know that X propel did exist at the moment of creating L m .
  • By using RTA it is possible to determine not only the submitting time of the signature but also the time of signing the document.
  • the verifier may conclude that the signature was created in the time-frame between the moments of issuance of L(N) and of L( ⁇ ) respectively. If these moments are close enough, the signing time can be ascertained with necessary precision.
  • a time-stamping system must have properties enabling users to verify whether an arbitrary time-stamp is correct or not. Possession of two documents with corresponding time-stamps is not enough to prove the RTA between the documents because everyone is able to produce fake chains of time-stamps.
  • a time-stamping system should allow the user (1) to determine whether the time-stamps possessed by an individual have been tampered with; and (2) in the case of tampering, to determine whether the time-stamps were tampered with by the TSS or tampered after the issuing (generally by unknown means). In the second case, there is no one to bring an action against.
  • the principals interested in legal use of time-stamps should themselves verify their correctness immediately after the issuing (using signatures and other techniques discussed later) because if the signature of the TSS becomes unreliable, the signed time-stamps cannot be used as evidence.
  • In order to increase the trustworthiness of the time-stamping services it should be possible for the clients to periodically inspect the TSS. Also, in the case when the TSS is not guilty he should have a mechanism to prove his innocence, i.e., that he has not issued a certain time-stamp during a certain round.
  • the TSS must publish regularly, in an authenticated manner, the time-stamps for rounds [BdM91] in mass media. If the time-stamping protocol includes (by using collision-resistant one-way hash functions) (1) the message digest of any time-stamp issued during the r-th round, into the time-stamp for r-th round, and (2) the message digest of the time-stamp for round r - 1 into any time-stamp issued during the r-th round, it will be difficult for anyone to forge a time-stamp without detection.
  • the forgery detection procedures should be simple. Forgeries should be determinable either during the stamping protocol (when the time-stamp, signed by the TSS, fails to be correct) or later when it is unable to establish the temporal order between two otherwise correct time-stamps.
  • the values SU r are also referred to as the time-stamps for rounds. Note that the time-stamps requested from the TSS during the verification protocol should belong to the set of time-stamps for rounds because only these time-stamps are available in the time-stamping server.
  • a (P, ⁇ , ⁇ ,H)-linking scheme is said to be an Accumulated Linking Scheme (ALS) with rank m, if
  • a (p, H)-linking scheme enables accumulated time-stamping if for arbitrary positive m there exists ⁇ , such that the (p, ⁇ , p, H)-scheme is an ALS with rank m.
  • the duration of the rounds can be flexibly enlarged in order to guarantee that only a negligible fraction of the time-stamps are kept in the memory of the time-stamping server.
  • n the total number of time-stamps issued till the moment of the current run of stamping/verification protocol.
  • the number of the evaluations of the hash function during the verification protocol should be O(log n).
  • the number of time-stamps examined during a single run of the verification protocol should be O(log n);
  • the size of an individual time-stamp should be small.
  • the TSS maintains the following three databases:
  • the fourth database (the complete database of time-stamps) is also stored but not on-line (it may be stored into an archive of CDs). Requests to this database are possible, but costly (e.g., requiring human interaction).
  • the time-stamps in D p are stored to a separate CD (this procedure may be audited). Thereafter Dp is emptied.
  • the time-stamp Rr for the current round is computed, added to Dr and published in a newspaper or similar publication (two processes which should be audited).
  • the database Dc is copied into Dp and a new database Dc is created.
  • Client sends X freely to the TSS.
  • the TSS signs the pair $(n, L_n)$ and sends $(n, L_n, \mathrm{sig}_{TSS}(n, L_n))$ back to the client.
  • the client verifies the signature of TSS and checks whether
  • L ⁇ r H (H' ⁇ r ,L ⁇ r. ,)(where H' ⁇ H ⁇ L ⁇ . ,)) and publishing L er and his public key K ⁇ ss in the newspaper or the like.
  • the client may now continue, during a limited period, the protocol in order to get the complete individual time-stamp for
  • the client sends a request to the TSS.
  • tail (n) (H ⁇ r . together H ⁇ r.2 , ..., H n+2 ,H n+1 ).
  • the TSS answers by sending $(\mathrm{tail}(n), \mathrm{sig}_{TSS}(\mathrm{tail}(n)))$ to the client.
  • the client checks whether
  • the signature key of TSS is trusted to authenticate him and therefore, his signature on an invalid head (n) or tail (n) can be used as an evidence in the court.
  • the client is responsible for doing it when the signature key of TSS can still be trusted. Later, the signature of TSS may become unreliable and therefore only the one-way properties can be used.
  • the verifier sends a request to the TSS.
  • the TSS answers by sending the tuple V mn (m)) and the signature sig ⁇ ss (V mn )to the verifier.
  • the verifier validates the signature, finds L ⁇ r(m) using (3), finds L r (n) -1 using the formula
  • L r(n) - ⁇ H (H ⁇ r(n) _ ⁇ , H (H ⁇ r(n ⁇ ) , L ⁇ r(m) )(7)). and finally, compares the value of L n in s n with the value given by (2).
  • time-stamps issued by the TSS there should be some mechanism to audit the TSS.
  • One easy way to do it is to periodically ask for time-stamps from the TSS and verify them. If these time-stamps are linked inconsistently (i.e., Eq. (2) and (3) hold for both time-stamps but the verification protocol fails), the TSS can be proven to be guilty.
  • the TSS has to find the shortest verifying chains between ⁇ r(n) resort, and n and between N and ⁇ .
  • the n-th individual time-stamp consists of the minimal amount of data necessary to verify the mutual one-way dependencies between all Lj which lay on these chains. It can be shown that if f satisfies the implication
  • the length of the n-th time-stamp in this scheme does not exceed 2 -3 • log(n)- x bits, where x is the output size of the hash function H.
  • the maximum length of rounds grows proportionally to O(log n).
  • the average length of rounds is constant and therefore it is practical to publish the time-stamps for rounds after constant units of time. This can be achieved easily with the following procedure. If the "deadline" for a round is approaching and there are still q time-stamps not issued yet, assign random values to the remaining data items H».
  • Remark 1 Denote by ord n the greatest power of 2 dividing n. In the ALS presented above, it is reasonable to label time-stamps in the lexicographical order with pairs (n, p), where 0 ⁇ p ⁇ ord n and n > 0. Then,
  • ⁇ (i) : (2 1 " 1 i, k - 1 + ord i), for i ⁇ 1.
  • C 2 be verifying chains from z to x and w to y respectively. It is obvious that C, and C 2 have a common element. Thus, if m ⁇ n then the verifying chains tail (m) and head (n) have a common element c which implies the existence of a verifying chain.
  • Example 2 For the chains given in Example 1, the common element is 7 and the verifying chain between 4 and 10 is (4, 5, 6, 7, 10).
  • Corollary 1 Due to the similarity between the verification and the stamping procedure, for an arbitrary pair of time-stamped documents the number of steps executed (and therefore, also the number of time-stamps examined) during a single run of the verification protocol is O(log n).
  • the Theorem 2 can be straightforwardly generalized to claim that the number of examined time-stamps must be greater than any fixed constant.
  • a binary linking scheme can alternatively be defined as a directed countable graph which is connected, contains no cycles and where all the vertices have two outgoing edges (links). Let us construct an infinite family of such graphs Tk in the following way:
  • Tl consists of a single vertex which is labeled with the number 1. This vertex is both the source and the sink of the graph Tl
  • Tk be already constructed. Its sink is labeled by 2 k -l .
  • the graph Tk+1 consists of two copies of Tk, where the sink of the second copy is linked to the source of the first copy, and an additional vertex labeled by 2 k+1 -l which is linked to the source of the second copy. Labels of the second copy are increased by 2 k -l.
  • the sink of Tk+1 is equal to the sink of the first copy.
  • the source of Tk+1 is equal to the vertex labeled by 2 k+1 -l.
  • l(a,b) be the length of the shortest verifying chain from b to a. If k>2 and 0 ⁇ a ⁇ b ⁇ 2 k then l(a,b) ⁇ 3k-5.
  • RTA Relative Temporal Authentication
  • An embodiment of the present invention comprises a method of time stamping a digital document using binary linking.
  • a catenate certificate $L_n$ is generated by applying a one-way hash function H to a concatenation of the value of the catenate certificate $L_{n-1}$ and the value of a suitably chosen catenate certificate $L_{f(n)}$, where f is a fixed deterministic function, such as:
  • $L_n = H(n, X_n, L_{n-1}, L_{f(n)})$.
  • the indices are such that for each k the time certificate $L_{n(k)}$ is generated exclusively with values of $L_j$, where $n(k-1) < j < n(k)$, and of $L_{n(j)}$ with $j < k$. Treating intervals between the issuance of different $L_{n(k)}$ as "rounds", the anti-monotonic property insures that the time stamp for a round is not linked directly to the inner time stamps of other rounds.
  • the moment of signing is certified.
  • Before signing a document X, a principal P generates a nonce N and time stamps it.
  • a nonce is a long random bit string, with an arbitrary length judged sufficient to reduce the probability of a conflict with another time stamp to insignificance.
  • the time stamping events are identical; that is, the TSS does not know or need to know whether the time stamping is for a nonce or for meaningful data.
  • the verifier compares both time stamps with other time stamps trusted by the verifier; which may be nonces developed for this purpose.
  • the verifier can conclude that the signature was created in the time frame between the moments of issuance of L(N) and of L(S), respectively. If these moments are close enough in time, the signing time can be ascertained with precision. In this embodiment there are no supplementary duties for the TSS or other principals. In yet another embodiment, limited reliance on the TSS allows for a simplified system:
  • the TSS responds immediately with the current L n and the necessary data for verifying the one-way dependency between L n and the time stamp for the previous round, signs to create an L n , and sends the signature D TSS (n,L n ) to the client, and
  • the client may apply to the TSS for the data necessary to verify a one-way relationship between Ln and the time stamp for the round.
  • the above embodiment thereby reduces the need for trusting the TSS in maintaining the temporal order of time stamped documents by preventing the TSS from having an opportunity to rearrange the documents.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

A digital signature certification system creates a nonce and attaches a time to the nonce to create a time stamped nonce uniquely identifying the time stamp, then attaches the time stamped nonce to a document, attaches a digital signature to the document, and then attaches a time to the document to form a time stamped document, so that the nonce uniquely identifies the signature on the document.

Description

TIME-STAMPING WITH BINARY LINKING SCHEMES
[BLLV98] Ahto Buldas, Peeter Laud, Helger Lipmaa, Jan Villemson, "Time-stamping with binary linking schemes," Proc. CRYPTO '98.
[BdM91] Josh Benaloh, Michael de Mare, "Efficient broadcast time-stamping," Technical report 1, Clarkson University Department of Mathematics and Computer Science, August 1991.
[BHS92] Dave Bayer, Stuart Haber, W. Scott Stornetta, "Improving the efficiency and reliability of digital time-stamping," In Sequences '91: Methods in Communications, Security, and Computer Science, pp. 329-334. Springer-Verlag, 1992.
[HS91] Stuart Haber, W. Scott Stornetta, "How to time-stamp a digital document," Journal of Cryptology, 3(2):99-111, 1991.
[HS97] Stuart Haber, W. Scott Stornetta, "Secure names for bit-strings," In Proceedings of the 4th ACM Conference on Computer and Communications Security, pp. 28-35, April 1997.
Field of the Invention
This invention relates to digital signatures in computer documents, and more particularly to time stamping digital signatures so that the latest time will be unambiguously known.
Background
Time stamping is a set of techniques enabling the ascertaining of when an electronic document was created or signed. The real importance of time-stamping comes about with the legal use of long lifetime documents. A problem with time stamping signed documents comes about when, for example, the signer repudiates the document and the cryptographic primitives become unreliable. The security of the signature becomes questionable. For example, a signer might claim she had lost her signature key, repudiate the signing, and bring the authenticity of a signature into question in order to escape responsibility for a document.
Recently, especially in the local regulation of digital signatures, organizational and legal questions about reliability in time stamping signatures have been gaining world wide attention. In the prior art, in addition to defining the responsibilities of the owner of the signature, the duties and responsibilities of the Time Stamping Service (TSS) employed must be stated. It is becoming increasingly important that trust of the TSS not be an issue; or that questions relating to the need to trust the TSS be minimized. In order to make users liable only for their own actions, the offender in a situation involving a digital signature infraction must be positively identifiable, even if the offender is the TSS.
Digital signatures, since they are administered by systems that inherently do not have any relation to physical time (real time) in their operation, do not have real time acknowledgments. For this reason, the association of an electronic document directly to a unique moment in time is difficult, and may be impossible. The best we can do with time stamping is Relative Temporal Authentication (RTA), that is, we can associate a document with some relative time that we trust.
This method, which is often used, is based on a complexity-theoretic assumption of the existence of collision-resistant one-way hash functions. RTA gives the verifier with two time stamped documents the ability to verify which of the two was created first.
The following examples of existing time stamping systems will illustrate the problems:
1) An example of an existing time stamping technique is a simple time stamping protocol. The TSS appends the current time $t$ to the current document $X$, the composite document is signed, and two values, $t$ and $s = \mathrm{sig}_{TSS}(t, X)$, are returned to the client. A weakness of this approach is the unreliability of documents with old time stamps after a signature key leakage, which may make it impossible to verify the time $t$ on the document. This implies that for a reasonable solution the TSS must be unconditionally trusted. It is therefore widely accepted that a secure time stamping system cannot rely solely on the keys or on any other secret information of that sort.
2) One example of an embodiment of a digital signature certification system of the type discussed above is shown in [BHS92,HS97] and Patent No. 5,136,646 by Haber and Stornetta. Signatures with time certificates attached are linked together in a one-way function, such that the verifier is able to follow a step by step chain of intermediate time stamps, and is able to ascertain at each step which was created earlier. In this way a type of time tree is grown, with the credibility of the signature verified by trusted documents preceding and following in time.
The time certificate for the n-th submitted document is: $c = D_{TSS}(n, t_n, ID_n, X_n, L_n)$, where $t_n$ is the current time, $ID_n$ is the identifier of the submitter, and $L_n$ is the n-th catenate certificate defined by the recursive formula: $L_n = (t_{n-1}, ID_{n-1}, X_{n-1}, H(L_{n-1}))$, and $H$ is a collision-resistant one-way hash function.
There are several complications with the implementation of the above system. The number of steps needed to verify the one-way relationship between two time stamps is linear with respect to the number of time stamps between them, so a single verification may be as costly as creating an entire chain. It was pointed out in the publication of the Benaloh-de Mare proposal [BdM91] that this solution has impossible trust and broadcast requirements. A modification was proposed [HS91] wherein every time stamp is linked with $k > 1$ time stamps directly preceding. This variation decreases the requirements for broadcasting but increases the space required for storing individual time stamps.
3) Tree linking systems as disclosed in [BdM91, BHS92, HS97] and US Patent Number Re. 34,954 reduce verification cost in a significant way [BHS92, illustrated in Fig. A]. The time-stamping procedure is divided into rounds. The time-stamp $R_r$ for round $r$ is a cumulative hash of the time stamp $R_{r-1}$ for round $r-1$ and of all the documents submitted to the TSS during the round $r$. After the end of the $r$-th round a binary tree $T_r$ is built. Every participant $P_i$ who wants to time-stamp at least one document in this round submits to the TSS a hash $y$ which is a hash of all the documents he wants to time-stamp in this round. The leaves of $T_r$ are labeled by the submitted data items $y_j$. Each inner node $k$ of $T_r$ is recursively labeled by numerical values $H_k = H(H_{k_L}, H_{k_R})$, where $k_L$ and $k_R$ are correspondingly the left and the right child nodes of $k$, and $H$ is a collision-resistant hash function. The TSS has to store only the time-stamps $R_r$ for rounds (Fig. 1). All the remaining information required to verify whether a certain document was time-stamped during a fixed round is included in the time certificates.
A time certificate of a document comprises the information required to verify whether a certain document was time-stamped during a fixed round, i.e., the labels of the sibling nodes, which are needed to restore the labels of the predecessor nodes. For example, the time certificate for $y_3$ in Figure 1 is $(r; (y_4, L), (H_4, R))$. The verifying procedure of the time-stamp of $y_3$ consists of verifying the equality:
$$R_r = H(H(H_4, H(y_3, y_4)), R_{r-1}).$$
The size of the time certificate, and thereby also the number of computational steps during the verification, is logarithmic in the number of documents submitted. The values of $R_r$ are stored in a database and some of them are published in a newspaper. The schemes are feasible but provide the RTA for the documents issued during the same round only if we unconditionally trust the TSS to maintain the order of time-stamps in $T_r$. Therefore, this method either increases the need for trust or otherwise limits the maximum temporal duration of rounds to insignificant units of time (one second in the Digital Notary system). However, if the number of submitted documents during a round is too small, the expenses of time-stamping a single document may become unreasonably large.
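The certificate check described above, as an added Python example (not code from the patent or from the cited systems). Assumptions: SHA-256 over a length-prefixed pair stands in for H, a round has a power-of-two number of leaves, the tag L or R names the side on which the running value sits (inferred from the equality for $y_3$), and the leaves, round number 7 and previous round value are constructed.

```python
import hashlib

def H(left: bytes, right: bytes) -> bytes:
    """H(a, b): SHA-256 over a length-prefixed pair (the encoding is an assumption)."""
    return hashlib.sha256(len(left).to_bytes(4, "big") + left + right).digest()

def build_round(leaves, r_prev):
    """Build T_r bottom-up and return (levels, R_r), where R_r = H(root, R_{r-1})."""
    if len(leaves) < 2 or len(leaves) & (len(leaves) - 1):
        raise ValueError("this sketch assumes a power-of-two number of leaves (>= 2)")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([H(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels, H(levels[-1][0], r_prev)

def certificate(r, levels, index):
    """Time certificate (r; (sibling, side), ...) for the leaf at position index."""
    path = []
    for level in levels[:-1]:
        side = "L" if index % 2 == 0 else "R"   # side of the node being proven
        path.append((level[index ^ 1], side))
        index //= 2
    return (r, path)

def verify(y, cert, rounds):
    """Recompute R_r from y and the certificate; rounds maps round number -> published value."""
    r, path = cert
    if r not in rounds or r - 1 not in rounds:
        return False
    node = y
    for sibling, side in path:
        if side == "L":
            node = H(node, sibling)
        elif side == "R":
            node = H(sibling, node)
        else:
            return False
    return H(node, rounds[r - 1]) == rounds[r]

# Constructed sample data: four submitted hashes y1..y4 and a previous round value.
Y = [hashlib.sha256(b"constructed document %d" % i).digest() for i in range(1, 5)]
R_PREV = hashlib.sha256(b"constructed R_{r-1}").digest()

if __name__ == "__main__":
    levels, r_now = build_round(Y, R_PREV)
    cert_y3 = certificate(7, levels, 2)
    print("y3 verifies:", verify(Y[2], cert_y3, {6: R_PREV, 7: r_now}))
    # The TSS alone chooses leaf positions: a tree built over the same submissions
    # in reverse order also yields certificates that verify against its own R_r.
    levels2, r_alt = build_round(list(reversed(Y)), R_PREV)
    print("reordered round verifies:",
          verify(Y[2], certificate(7, levels2, 1), {6: R_PREV, 7: r_alt}))
```

Both runs verify, which is the trust problem the text raises: a certificate binds a document to a round, but nothing in it shows the order of submission inside the round.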
Summary of the Invention
The present invention comprises a method of time-stamping a digital document using a binary linking scheme where the value of the catenate certificate $L_n$ is generated by applying a one-way hash function H to a catenation comprising the value of the catenate certificate $L_{n-1}$ and the value of another suitably chosen catenate certificate $L_{f(n)}$, with f being a fixed deterministic function, i.e.
$$L_n = H(n, X_n, L_{n-1}, L_{f(n)}).$$
By choosing the function f appropriately it is possible to verify a one-way relationship between two time-certificates with a number of computational steps proportional to the logarithm of the number of time-stamped documents. A function is presented that guarantees logarithmic verification. A binary linking scheme is presented where the linking function f is chosen in such a way that it satisfies the anti-monotonic property, i.e. that f(m)<n<m implies f(n)≥f(m). Said property is sufficient for the existence of a series n(1),...,n(k),... of indices such that, for each k, the time-certificate $L_{n(k)}$ is generated only using the values of $L_i$ where n(k-1)<i<n(k), and of $L_{n(j)}$ with j<k. Thus, the intervals between the issuance of different $L_{n(k)}$ can be thought of as the rounds. The anti-monotonic property says that the time-stamp for a round is not linked directly to the inner time-stamps of other rounds.
A method is also presented of certifying the moment of signing, not only the moment of submitting. Before signing a document X a principal P generates a nonce N and time-stamps it. By a nonce is meant a sufficiently long random bit-string, such that the probability it has been already time-stamped is negligible. Principal P then includes the time-stamp L(N) of N in the document, signs it and obtains the time-stamp L(S) of the signature $S = D_P(L(N), X)$. For the verification of the document X, the verifier has to compare both these time-stamps with the time-stamps trusted by the verifier (which may be nonces generated by the verifier herself). As there are one-way dependencies between L(N), S and L(S) the verifier may conclude that the signature was created in the time-frame between the moments of issuance of L(N) and of L(S) respectively. If these moments are close enough, the signing time can be ascertained with necessary precision. In this solution there are no supplementary duties to the TSS or to the other principals.
A time-stamping procedure is also defined, as follows: (1) the client sends to the TSS the data item X to be time-stamped; (2) the TSS answers immediately by sending the then-current $L_n$ and the necessary data for verifying the one-way dependency between $L_n$ and the time-stamp for the previous round. The TSS signs $L_n$ and sends the signature $D_{TSS}(n, L_n)$ to the client; (3) if the round is over, the client may apply to the TSS for the data necessary to verify a one-way relationship between $L_n$ and the time-stamp for round. Therefore, the TSS is not able to rearrange the time-stamps during a round. This means the present scheme reduces the need for trusting the TSS in maintaining the temporal order of time-stamped documents.
Brief Description of the Drawings
Fig. 1 is flow chart of a tree linking system for the certification of Digital Signatures.
Fig. 2 is flow chart of a binary linking system (BLS) for the certification of Digital Signatures.
Fig. 3 is flow chart of a BLS with the shortest verification links between digital signatures.
Fig. 4 is a flow chart of an Accumulated Linking System (ALS) which may be used in the invention.
Fig. 5 is flow chart of a Time Stamp system of the invention.
Table I is a definition of a recursive linking system for digital signature verification.
Table II shows how recursive linking may be programmed on a computer.
Table III is a proof that a further reduction in the complexity of linking digital signatures is not feasible beyond the invention.
Table IV-A and IV-B comprise proofs of the sufficiency of the invention for verification of digital signatures as disclosed.
Description of the Preferred Embodiment
In the following a definition is given of time-stamping systems applicable in legal situations. Later the approach will be justified and compared to older systems.
A time-stamping system consists of a set of principals with the time-stamping server (TSS) together with a triple (S, V, A) of protocols. The stamping protocol S allows each participant to post a message. The verification protocol V is used by a principal having two time-stamps to verify the temporal order between those time-stamps. The audit protocol A is used by a principal to verify whether the TSS carries out his duties. Additionally, no principal (in particular, TSS) should be able to produce fake time-stamps without being caught.
A time-stamping system has to be able to handle time-stamps which are anonymous and do not reveal any information about the content of the stamped data. The TSS is not required to identify the initiators of time-stamping requests.
The present notion of a time-stamping system differs from the one given in, e.g., [BdM91] in several important aspects. The differences are explained below.
Relative Temporal Authentication:
The main security objective of time-stamping is temporal authentication - ability to prove that a certain document has been created at a certain moment of time. Although the creation of a digital data item is an observable event in the physical world, the moment of its creation cannot be ascertained by observing the data itself. The best one can do is to check the relative temporal order of the created data items (i.e., prove the RTA) using one-way dependencies defining the arrow of time, analogous to the way in which the growth of entropy defines the arrow of time in the physical world. For example, if H is a collision-resistant one-way hash function, one can reliably use the following "rough" derivation rule: if H(X) and X are known to a principal P at a moment t, then someone (possibly P itself) used X to compute H(X) at a moment prior to t. Preferably, the system utilizes collision-resistant one-way hash functions.
Definition 1. A collision-resistant one-way hash function is a function H which has the properties of compression, ease of computation, preimage resistance, 2nd-preimage resistance and collision resistance.
Definition 2. Let p be a binary relation on N, such that x p y implies x < y, and let H be a collision-resistant one-way hash function. A (p, H)-linking scheme is a procedure to link a family $(H_n)$ of data items together using auxiliary linking items $L_n$ satisfying the recursive formula
$$L_n := H(H_n, L_{n_1}, \ldots, L_{n_{\#p^{-1}(n)}}),$$
where $n_1 \ge \ldots \ge n_{\#p^{-1}(n)}$ are exactly the elements of $p^{-1}(n) := \{m \mid m \; p \; n\}$ (the preimage of n by p). A sequence $(m_i)_{i=1}^{\ell}$, where $m_i \; p \; m_{i+1}$, is called a verifying chain between $m_1$ and $m_\ell$ with length $\ell$.
In the context of time-stamping $H_n = H(n, X_n)$, where $X_n$ denotes the n-th time-stamped document. The linking item $L_n$ is also referred to as a time-stamp of $X_n$. Note that a one-way relationship between $L_n$ and $L_m$ (n < m) does not prove that in the moment of creating $X_n$ the bit-string $X_m$ did not exist, but we do know that $X_n$ did exist at the moment of creating $L_m$.
We have omitted the $t_n$ in the formula for $H_n$, whereas it should not be taken for granted that the value $t_n$ indeed represents the submission time of $X_n$. The only way for a principal to associate a time-stamp with a certain moment of time is to time-stamp a nonce at this moment. By a nonce we mean a sufficiently long random bit-string, such that the probability it has been already time-stamped is negligible. In order to verify the absolute creating time of a document time-stamped by another principal, the verifier has to compare the time-stamp with the time stamps of nonces generated by the verifier herself. In this solution there are neither supplementary duties to the TSS nor to the principals. The use of nonces illustrates the similarity between time-stamping and ordinary authentication protocols, where nonces are used to prevent the possible reuse of old messages from previous communications.
By using RTA it is possible to determine not only the submitting time of the signature but also the time of signing the document. Before signing a document X the principal P generates a nonce N and time-stamps it. He then includes the time-stamp L(N) of N in the document, signs it and obtains the time-stamp L(σ) of the signature $\sigma = sig_P(L(N), X)$. From the view-point of the TSS these stamping events are identical (he need not be aware whether he is time-stamping a nonce or meaningful data). For the verification of the document X, the verifier has to compare both these time-stamps with the time-stamps trusted by her. As there are one-way dependencies between L(N), σ and L(σ) the verifier may conclude that the signature was created in the time-frame between the moments of issuance of L(N) and of L(σ) respectively. If these moments are close enough, the signing time can be ascertained with necessary precision.
3.2 Detection of Forgeries
A time-stamping system must have properties enabling users to verify whether an arbitrary time-stamp is correct or not. Possession of two documents with corresponding time-stamps is not enough to prove the RTA between the documents because everyone is able to produce fake chains of time-stamps.
A time-stamping system should allow the user (1) to determine whether the time-stamps possessed by an individual have been tampered with; and (2) in the case of tampering, to determine whether the time-stamps were tampered with by the TSS or tampered after the issuing (generally by unknown means). In the second case, there is no one to bring an action against. The principals interested in legal use of time-stamps should themselves verify their correctness immediately after the issuing (using signatures and other techniques discussed later) because if the signature of the TSS becomes unreliable, the signed time-stamps cannot be used as evidence. In order to increase the trustworthiness of the time-stamping services it should be possible for the clients to periodically inspect the TSS. Also, in the case when the TSS is not guilty he should have a mechanism to prove his innocence, i.e., that he has not issued a certain time-stamp during a certain round.
Additionally, the TSS must publish regularly, in an authenticated manner, the time-stamps for rounds [BdM91] in mass media. If the time-stamping protocol includes (by using collision-resistant one-way hash functions) (1) the message digest of any time-stamp issued during the r-th round, into the time-stamp for r-th round, and (2) the message digest of the time-stamp for round r - 1 into any time-stamp issued during the r-th round, it will be difficult for anyone to forge a time-stamp without detection. The forgery detection procedures should be simple. Forgeries should be determinable either during the stamping protocol (when the time-stamp, signed by the TSS, fails to be correct) or later when it is unable to establish the temporal order between two otherwise correct time-stamps.
3.3 Feasibility Requirements
The time-stamping systems of [BdM91] and [HS97] use nonlinear partial ordering of time-stamps and therefore do not support RTA. A later discussion shows how to modify the linear linking scheme [HS91] to fulfill the security objectives (RTA and detection of forgeries). On the other hand, in practice, in this scheme the detection of forgeries would take too many steps. It is easy to forge time-stamps assuming that the verifier has limited computational power. This leads to the question of feasibility. In order to make RTA feasible in the case when time-stamps belong to different rounds, it is reasonable to define an additional layer of links between the time-stamps for rounds.
Definition 3. Assume (p,H) and (δ,H) linking schemes and a monotonically increasing function ξ: N→N. By a (p,ξ,δ,H)-linking scheme is meant a procedure for linking a family $(H_n)$ of data items together using auxiliary linking items $L_n$ and $\mathcal{L}_r$ satisfying the recursive formulas shown in Table I.
The values $\mathcal{L}_r$ are also referred to as the time-stamps for rounds. Note that the time-stamps requested from the TSS during the verification protocol should belong to the set of time-stamps for rounds because only these time-stamps are available in the time-stamping server.
Definition 4. A (p,ξ,δ,H)-linking scheme is said to be an Accumulated Linking Scheme (ALS) with rank m, if
1. If $\xi(r) < n \le \xi(r+1)$ then $p^{-1}(n) \subset [\xi(r+1), \xi(r+1)] \cup \xi(N)$.
2. $\xi(r+1) - \xi(r) \ge m$.
A (p, H)-linking scheme enables accumulated time-stamping if for arbitrary positive m there exists ξ, such that the (p, ξ, p, H)-scheme is an ALS with rank m.
If the linking scheme used enables accumulated time-stamping, the duration of the rounds can be flexibly enlarged in order to guarantee that only a negligible fraction of the time-stamps are kept in the memory of the time-stamping server.
Let n be the total number of time-stamps issued till the moment of the current run of stamping/verification protocol. The feasibility requirements can be summarized with the following:
1. The number of the evaluations of the hash function during the verification protocol should be O(log n). In particular, the number of time-stamps examined during a single run of the verification protocol should be O(log n);
2. There should be a conveniently small upper bound to the length of rounds, whereas the clients want to get their time-stamps in reasonable time. It seems to be sensible to require that the stamping protocol of the n-th document must terminate before the TSS has received additional O(log n) time-stamp requests. In real applications it is desirable for the average length of rounds to be constant (this would guarantee that for an arbitrary constant c there would be a negligible fraction of rounds with length greater than c).
3. The size of an individual time-stamp should be small.
There is a trade-off between these quantities. Later there is presented an improvement of the scheme above.
First Version of The System: Linear Linking
For pedagogical reasons, the protocols and the basic organizational principles of the system using the linear linking scheme are outlined below. This scheme fulfills all the trust requirements but is impractical. Further, the described scheme is significantly improved by replacing the linear scheme with a binary linking scheme.
Let the number M of time-stamps per round be a constant known to the participants (clients) and all the data items $X_n$ be of fixed size. Therefore, in the case of the linear linking scheme, the time-stamp for the r-th round has a number $\xi_r = M \cdot r$.
Role of the TSS: The TSS maintains the following three databases:
1. the database Dc of the time-stamps of the current round.
2. the database Dp of the time-stamps of the previous round.
3. the database Dr of the time-stamps for rounds.
These databases are considered to be on-line in the sense that any client can make requests into them at any moment. The fourth database (the complete database of time-stamps) is also stored but not on-line (it may be stored into an archive of CDs). Requests to this database are possible, but costly (e.g., requiring human interaction). After the end of each round, the time-stamps in Dp are stored to a separate CD (this procedure may be audited). Thereafter Dp is emptied. The time-stamp Rr for the current round is computed, added to Dr and published in a newspaper or similar publication (two processes which should be audited). The database Dc is copied into Dp and a new database Dc is created.
Stamping Protocol:
Suppose, the current round number is r.
1. Client sends $X_n$ to the TSS.
2. The TSS finds $H_n = H(n, X_n)$ and $L_n = H(H_n, L_{n-1})$, and adds the pair $(H_n, L_n)$ to $D_c$.
3. The TSS signs the pair $(n, L_n)$ and sends $(n, L_n, sig_{TSS}(n, L_n))$ back to the client.
4. The TSS sends the tuple $head(n) = (H_{n-1}, H_{n-2}, \ldots, H_{\xi_{r-1}+1})$ to the client.
5. The client verifies the signature of TSS and checks whether
$$H(H_n, H(H_{n-1}, \ldots H(H_{\xi_{r-1}+1}, L_{\xi_{r-1}}) \ldots)) = L_n \qquad (2)$$
where the true values $L_{\xi_r}$ can be found either from the newspaper or by requesting their values from the on-line database $D_r$ of the TSS.
After the M requests have been answered the TSS finishes the round by finding $L_{\xi_r} = H(H'_{\xi_r}, L_{\xi_r - 1})$ (where $H'_{\xi_r} = H(H_{\xi_r}, L_{\xi_{r-1}})$) and publishing $L_{\xi_r}$ and his public key $K_{TSS}$ in the newspaper or the like. The client may now continue, during a limited period, the protocol in order to get the complete individual time-stamp for
6. The client sends a request to the TSS.
7. Let $tail(n) = (H_{\xi_r - 1}, H_{\xi_r - 2}, \ldots, H_{n+2}, H_{n+1})$. The TSS answers by sending $(tail(n), sig_{TSS}(tail(n)))$ to the client.
8. The client checks whether
$$L_{\xi_r} = H(H_{\xi_r - 1}, H(H_{\xi_r - 2}, \ldots H(H_{n+2}, H(H_{n+1}, L_n)) \ldots)) \qquad (3)$$
Definition 5. The complete individual time-stamp $s_n$ for the n-th document is $s_n := (tail(n), head(n), n, L_n, sig_{TSS}(n, L_n))$.
Every client who is interested in the legal use of a time-stamp should validate it during the stamping protocol. In a relatively short period between the 1st and the 3rd step and between the 4th and 6th step, the signature key of TSS is trusted to authenticate him and therefore his signature on an invalid head(n) or tail(n) can be used as evidence in court. But the client is responsible for doing it when the signature key of TSS can still be trusted. Later, the signature of TSS may become unreliable and therefore only the one-way properties can be used.
Verification Protocol:
Let r(n) denote the round where $s_n$ was issued. Assume the verifier has two time-stamped documents $(X_m, s_m)$ and $(X_n, s_n)$ where m < n.
1. The verifier checks the validity of the equations (2) and (3) for both time-stamps.
2. If r(m) = r(n) then the data held in tail(m) and head(n) will be enough to check whether
$$L_n = H(H_n, H(H_{n-1}, \ldots H(H_{m+1}, L_m) \ldots)).$$
3. If r(m) < r(n), the verifier sends a request to the TSS.
4. The TSS answers by sending the tuple Vmn (m)) and the signature $sig_{TSS}$(Vmn) to the verifier.
5. The verifier validates the signature, finds $L_{\xi_{r(m)}}$ using (3), finds $L_{\xi_{r(n)-1}}$ using the formula
$$L_{\xi_{r(n)-1}} = H(H_{\xi_{r(n)-1}}, H(H_{\xi_{r(n)-1}-1}, \ldots, L_{\xi_{r(m)}}) \ldots))$$
and finally, compares the value of $L_n$ in $s_n$ with the value given by (2).
Audit Protocol:
Because of the possible legal importance of the time-stamps issued by the TSS, there should be some mechanism to audit the TSS. One easy way to do it is to periodically ask for time-stamps from the TSS and verify them. If these time-stamps are linked inconsistently (i.e., Eq. (2) and (3) hold for both time-stamps but the verification protocol fails), the TSS can be proven to be guilty. Also, there has to be a mechanism for the TSS to prove that he has not issued a certain time-stamp S in a certain round r. This can be done if the TSS presents all the time-stamps issued during the r-th round, and the time-stamp found by using these time-stamps and the linking rules coincides with the published time-stamp.
Above an outline is presented of a time-stamping system that fulfills trust requirements. Next is shown how to make this system feasible by using a BLS as shown in Fig. 4.
In order to issue the individual time-stamp for the n-th document, the TSS has to find the shortest verifying chains between $\xi_{r(n)-1}$ and n and between n and $\xi_{r(n)}$. The n-th individual time-stamp consists of the minimal amount of data necessary to verify the mutual one-way dependencies between all $L_j$ which lie on these chains. It can be shown that if f satisfies the implication
$$m > n \Rightarrow (f(m) \le f(n) \lor f(m) \ge n) \qquad (4)$$
then (f,H) enables accumulated time-stamping (the proof has been omitted because of its technicality). In particular, the binary linking scheme described in enables accumulated time-stamping. For a fixed m let $k := [\log_2 m]$, $\xi_0 := 0$, $\xi_1 := 2^k - 1$ (the source of $T_k$) and for arbitrary i > 1,
$\xi(i) := \{\ 2 \cdot \xi_{i/2} + 1$, if $i = 2^j$,
where $j := [\log_2 i]$. The length of the n-th time-stamp in this scheme does not exceed $2 \cdot 3 \cdot \log(n) \cdot x$ bits, where x is the output size of the hash function H. The maximum length of rounds grows proportionally to O(log n). However, the average length of rounds is constant and therefore it is practical to publish the time-stamps for rounds after constant units of time. This can be achieved easily with the following procedure. If the "deadline" for a round is approaching and there are still q time-stamps not issued yet, assign random values to the remaining data items $H_n$.
Remark 1. Denote by ord n the greatest power of 2 dividing n. In the ALS presented above, it is reasonable to label time-stamps in the lexicographical order with pairs (n, p), where 0 < p ≤ ord n and n > 0. Then,
$$f(n,p) := \begin{cases} (0, p), & n = 2^p \\ (n - 2^p, \mathrm{ord}(n - 2^p)), & \text{otherwise} \end{cases}$$
and g(n, p) := (n, p-1) if p > 0 and g(n, 0) := (n - 1, ord(n-1)). Also, the formulas of $\xi_i$ will simplify. In this case, $\xi(i) := (2^{k-1} i, k - 1 + \mathrm{ord}\, i)$, for i ≥ 1.
It is easy to show that for each n and m the shortest verifying chain between n and m is uniquely defined. The data υmn necessary to verify the one-way dependence is computed by the procedure TSData(m, n) as shown in Table II and illustrated in Fig. 5.
Let (f, H) be a BLS satisfying the implication (4). Let x < y < z < w and $C_1$, $C_2$ be verifying chains from z to x and w to y respectively. It is obvious that $C_1$ and $C_2$ have a common element. Thus, if m < n then the verifying chains tail(m) and head(n) have a common element c which implies the existence of a verifying chain
$$(m = n_0, n_1, \ldots, n_{i-1}, n_i = c, n_{i+1}, \ldots, n_{\ell-1}, n_\ell = n).$$
This chain can be found by a simple algorithm and is of logarithmic length. Let r(m) denote the round into which m belongs. The proof of the last claim for the case r(m) = r(n) is given below under the heading proof of Theorem 1. If m and n belong to different rounds, the verifying is straightforward: because of the similar structure of the second layer of links, the verifying chain from n to m is of the form
$$(m, \ldots, m', \xi_{r(m)}, n', \ldots, n),$$
where the number of $\xi_j$'s is logarithmic due to the fact that the time-stamps for rounds are linked together in a way similar to the linking of all time-stamps (Fig. 2). The length of the sequences (m, ..., m') and (n', ..., n) is also logarithmic.
Example 2. For the chains given in Example 1, the common element is 7 and the verifying chain between 4 and 10 is (4, 5, 6, 7, 10).
Corollary 1. Due to the similarity between the verification and the stamping procedure, for an arbitrary pair of time-stamped documents the number of steps executed (and therefore, also the number of time-stamps examined) during a single run of the verification protocol is O(log n).
Optimality:
Our solution meets asymptotically the feasibility requirements, but could these requirements be refined? Mostly not; an insight into this is given below. Namely, we show that for any linking scheme there does not exist a time-stamping solution where (1) the length of the time-stamps is O(log n), (2) for any m and n there exists a verifying chain between m and n with the length O(log n) that is completely contained in the union S(m) ∪ S(n) of the corresponding individual time-stamps and (3) the stamping protocol will end in a logarithmic time. We prove this under the assumptions (1) that an individual time-stamp is a subset of N and (2) that the size of a time-stamp is proportional to the size of $\|S(n)\| + \|p^{-1}(S(n))\| = O(\|p^{-1}(S(n))\|)$ (holds if the transitive closure $p^{*}$ of p coincides with the natural order <, i.e., the time stamp S(n) consists of tail(n) and head(n)).
Theorem 2. Let p be a binary relation on N satisfying $p^{*} = {<}$. There does not exist a function $S: N \to 2^N$ such that
1. $|p^{-1}(S(n))| < c_1 \log n$ for some $c_1$, for any n; also see Table IV-A and IV-B.
2. For every m and n there exists a p-chain $(m = m_1, m_2, \ldots, m_k = n)$ where $m_i \in S(m) \cup S(n)$ (that is, the number of stamps to examine during the verification protocol is greater than 2).
3. For any n, $\max(S(n)) - n < c_2 \log n$ for some constant $c_2$ as shown in Table III.
Theorem 2 can be straightforwardly generalized to claim that the number of examined time-stamps must be greater than any fixed constant.
Proof of Theorem 1:
We will prove an upper bound for the length of the verifying chain for the linking scheme described elsewhere. Let $e_k = 2^k - 1$, i.e. $e_k$ is the number of the last vertex of $T_k$. To simplify the proof we add the vertex 0 to the scheme and link it with all the vertices that have less than two outgoing links. These are exactly the vertices $e_k$. Let L(a, b) denote the length of the shortest path between a and b. The equations $L(0, e_k) = 1$, $L(e_{k-1}, e_k) = 2$ and $e_k - e_{k-1} = e_{k-1} + 1$ follow immediately from the definition.
Binary Linking Scheme:
In the current section we give a construction of a practical linking scheme with logarithmic upper bound to the length of the shortest verifying chain between any two time-stamps.
Definition 6. Let f and g be functions from N to N satisfying the condition f(n)<g(n)<n for any n. An (f,g,H) binary linking scheme (BLS) is a (p,H) linking scheme where for any n, $p^{-1}(n) = \{f(n), g(n)\}$. In order to guarantee the existence of a verifying chain between arbitrary x and y, we have to take g(n) := n-1. In these cases we omit n-1 and talk about an (f,H)-BLS.
A binary linking scheme can alternatively be defined as a directed countable graph which is connected, contains no cycles and where all the vertices have two outgoing edges (links). Let us construct an infinite family of such graphs Tk in the following way:
1. $T_1$ consists of a single vertex which is labeled with the number 1. This vertex is both the source and the sink of the graph $T_1$.
2. Let $T_k$ be already constructed. Its sink is labeled by $2^k - 1$. The graph $T_{k+1}$ consists of two copies of $T_k$, where the sink of the second copy is linked to the source of the first copy, and an additional vertex labeled by $2^{k+1} - 1$ which is linked to the source of the second copy. Labels of the second copy are increased by $2^k - 1$. The sink of $T_{k+1}$ is equal to the sink of the first copy, the source of $T_{k+1}$ is equal to the vertex labeled by $2^{k+1} - 1$.
Thereafter, link all the vertices of the second copy which have less than two outgoing links to the source of the first copy. Note that there is now a double link from the sink of the second copy to the source of the first copy as shown in Fig. 3. The sequence $(T_k)$ defines a binary linking scheme, add links from the sources of any such initial segment to a special vertex labeled by 0 (Fig. 2). Here (see also Rem. 1), $f(n) = n - 2^{h(n)} + 1$, where h(n) is given recursively by the equation below and as illustrated in Fig. 4.
$$h(n) = \begin{cases} k, & \text{if } n = 2^k - 1, \\ h(n + 1 - 2^{k-1}), & \text{if } 2^{k-1} \le n < 2^k - 1. \end{cases}$$
Theorem 1. Let l(a,b) be the length of the shortest verifying chain from b to a. If k>2 and $0 < a < b < 2^k$ then l(a,b) ≤ 3k-5.
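The binary linking scheme above, as an added Python example (not code from the patent or its authors). It goes slightly beyond the text by searching for the shortest verifying chain between any two indices and by checking the Theorem 1 bound exhaustively for small k. Assumptions: SHA-256 over length-prefixed fields stands in for H, links follow Definition 2 with $L_n = H(H_n, L_{n-1}, L_{f(n)})$ and $H_n = H(n, X_n)$, the lower bound in the recursion for h(n) is inclusive, chain length is counted in links, and the genesis value $L_0$ and the fifteen documents are constructed.

```python
import hashlib
from collections import deque

def H(*parts: bytes) -> bytes:
    """Hash of a length-prefixed tuple (the encoding is an assumption)."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()

def h(n: int) -> int:
    """h(n) = k if n = 2^k - 1, else h(n + 1 - 2^(k-1)) for 2^(k-1) <= n < 2^k - 1."""
    while n & (n + 1):                       # n is not of the form 2^k - 1
        n = n + 1 - (1 << (n.bit_length() - 1))
    return n.bit_length()

def f(n: int) -> int:
    """Second link of vertex n; the first link always goes to n - 1."""
    return n - (1 << h(n)) + 1

def build_chain(docs):
    """TSS side: return (Hs, L) with L[n] = H(H_n, L[n-1], L[f(n)]); index 0 is the genesis."""
    Hs, L = [b""], [H(b"constructed genesis L_0")]
    for n, x in enumerate(docs, 1):
        Hs.append(H(n.to_bytes(8, "big"), x))
        L.append(H(Hs[n], L[n - 1], L[f(n)]))
    return Hs, L

def shortest_chain(m: int, n: int):
    """Breadth-first search from n down the links n -> n-1 and n -> f(n), never below m."""
    if m > n:
        raise ValueError("need m <= n")
    nxt, queue = {n: None}, deque([n])
    while queue:
        v = queue.popleft()
        if v == m:
            break
        for u in (f(v), v - 1):
            if u >= m and u not in nxt:
                nxt[u] = v
                queue.append(u)
    chain, v = [], m
    while v is not None:
        chain.append(v)
        v = nxt[v]
    return chain

def make_proof(Hs, L, chain):
    """For each step j of the chain: (j, H_j, the linking item the verifier cannot compute)."""
    return [(j, Hs[j], L[f(j)] if prev == j - 1 else L[j - 1])
            for prev, j in zip(chain, chain[1:])]

def verify_chain(m, L_m, n, proof):
    """Verifier side: recompute L_n from a trusted L_m; returns None on a malformed proof."""
    idx, cur = m, L_m
    for j, hj, other in proof:
        if idx not in (j - 1, f(j)):
            return None
        first = cur if idx == j - 1 else other
        second = cur if idx == f(j) else other
        idx, cur = j, H(hj, first, second)
    return cur if idx == n else None

def max_chain_links(k: int) -> int:
    """Longest shortest chain, in links, over all 0 < a < b < 2^k."""
    return max(len(shortest_chain(a, b)) - 1
               for b in range(2, 2 ** k) for a in range(1, b))

DOCS = [b"constructed document %d" % i for i in range(1, 16)]   # constructed sample input

if __name__ == "__main__":
    Hs, L = build_chain(DOCS)
    chain = shortest_chain(4, 10)
    print("chain 4..10:", chain)
    print("L_10 recomputed from L_4:",
          verify_chain(4, L[4], 10, make_proof(Hs, L, chain)) == L[10])
    print("max links for k=4:", max_chain_links(4), "bound:", 3 * 4 - 5)
```

The recomputed value is compared with the $L_{10}$ the client already holds in a signed time-stamp or a published round value; a chain rebuilt after document 6 has been replaced yields a different $L_{10}$.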
Theoretical and practical considerations of the present invention are:
1) the importance of trust of the TSS in time stamping is significantly reduced, and
2) time complexity of Relative Temporal Authentication (RTA) becomes logarithmic with the number of issued time stamps.
An embodiment of the present invention comprises a method of time stamping a digital document using binary linking. A catenate certificate $L_n$ is generated by applying a one-way hash function H to a concatenation of the value of the catenate certificate $L_{n-1}$ and the value of a suitably chosen catenate certificate $L_{f(n)}$, where f is a fixed deterministic function, such as:
$$L_n = H(n, X_n, L_{n-1}, L_{f(n)}).$$
The time $t_n$ has been omitted. It should not be taken for granted that the value $t_n$ actually represents the submission time of document $X_n$. By choosing the function f appropriately it is possible to verify a one-way relationship between two time certificates with a number of computational steps proportional to the logarithm of the number of time stamped documents that are to be reviewed. A function f of the invention, which was presented at [BLLV98], guarantees logarithmic computational steps in a signature verification.
In an embodiment of the binary linking system of the invention, a linking function f, which satisfies an anti-monotonic property such as f(m)<n<m, which implies f(n)>f(m) or f(n)=f(m), is sufficient for the existence of a series n(1),...,n(k). The indices are such that for each k the time certificate $L_{n(k)}$ is generated exclusively with values of $L_j$, where n(k-1)<j<n(k), and of $L_{n(j)}$ with j<k. Treating intervals between the issuance of different $L_{n(k)}$ as "rounds", the anti-monotonic property ensures that the time stamp for a round is not linked directly to the inner time stamps of other rounds.
In another embodiment of the invention, the moment of signing, not just the moment of submitting, is certified. Before signing a document X a principal P generates a nonce N and time stamps it. A nonce is a long random bit string, with an arbitrary length judged sufficient to reduce the probability of a conflict with another time stamp to insignificance. The time stamp L(N) of N is then included in the document, the document signed, and a time stamp certification L(S) of the signature $S = D_P(L(N), X)$ results. From the standpoint of the TSS, the time stamping events are identical; that is, the TSS does not know or need to know whether the time stamping is for a nonce or for meaningful data. For the verification of the document X, the verifier compares both time stamps with other time stamps trusted by the verifier, which may be nonces developed for this purpose.
Since the dependencies between L(N), S, and L(S) are one-way, the verifier can conclude that the signature was created in the time frame between the moments of issuance of L(N) and of L(S), respectively. If these moments are close enough in time, the signing time can be ascertained with precision. In this embodiment there are no supplementary duties for the TSS or other principals. In yet another embodiment, limited reliance on the TSS allows for a simplified system:
1) the client sends a data item X to the TSS to be time stamped,
2) the TSS responds immediately with the current Ln and the necessary data for verifying the one-way dependency between Ln and the time stamp for the previous round, signs to create an Ln, and sends the signature DTSS(n,Ln) to the client, and
3) if the round is over, the client may apply to the TSS for the data necessary to verify a one-way relationship between Ln and the time stamp for the round.
The above embodiment thereby reduces the need for trusting the TSS in maintaining the temporal order of time stamped documents by preventing the TSS from having an opportunity to rearrange the documents.
It will be seen that by providing time stamp verification which is independent, or at least, relatively independent, of the TSS or third parties, the integrity of the signature is significantly improved.
Definition. Assume we are given (p, H) and (δ, H) linking schemes and a monotonically increasing function ξ: N → N. By a (p, ξ, δ, H)-linking scheme we mean a procedure for linking a family $(H_n)$ of data items together using auxiliary linking items $L_n$ and $\mathcal{L}_r$ satisfying the recursive formulas r :- ∑(r) - H{7ir, C^ , ... , A.(1_, ^ )
H, :"ff(H , 1Λi,... >^mι .llnJ) i vhen tn end ό l(r) m
TAS Z
PΓOC TBDaia(mtn) 2 Daea^øH
D*i* s« appeod(D**a, H«)
JJUfl Date 3= append ata, J^-i); n := /(n) ejtt Data ?* app« (Data, /<R)); n :« n - 1
pjl-
H«e, ad(n) :* ϋ tmf J. Ut & » 0 and & ~ 15 (Fi* 2). In ordar to compute * berth and the taαth efaaa-ettmne wβ need tatt(lθ) :* (Jϊu, £o, #ι*. . #u. I<ι») . h*ad(10) :« (Hw, £*, #τ , ,
h*d(<) =(H,Lt,Ht,Lι) .
We will prove an upper bound for the length of the verifying chain for the linking scheme described in Sect. 6. Let $e_k = 2^k - 1$, i.e. $e_k$ is the number of the last vertex of $T_k$. To simplify the proof we add the vertex 0 to the scheme and link it with all the vertices that have less than two outgoing links. These are exactly the vertices $e_k$. Let $\ell(a, b)$ denote the length of the shortest path between $a$ and $b$. The equations $\ell(0, e_k) = 1$, $\ell(e_{k-1}, e_k) = 2$ and $e_k - e_{k-1} = e_{k-1} + 1$ follow immediately from the definition.
Lemma 1. If $0 \le a \le e_k < b$ then $\ell(a, b) = \ell(a, e_k) + \ell(e_k, b)$. If $e_{k-1} < a < e_k$ then $\ell(a, e_k) = \ell(a, e_k - 1) + \ell(e_k - 1, e_k)$.
The claims above follow immediately from the structural properties of the linking scheme.
Lemma 2. If $e_{k-1} \le a \le b < e_k$ then $\ell(a, b) = \ell(a - e_{k-1}, b - e_{k-1})$.
Proof. This follows from the construction of $T_k$ from the two copies of $T_{k-1}$. Here $a$ and $b$ are vertices in the second copy of $T_{k-1}$ (or the last vertex of the first copy), and $a - e_{k-1}$ and $b - e_{k-1}$ are the same vertices in the first copy of $T_{k-1}$ (or the vertex 0). □
Lemma 3. If $0 \le a < e_k$ then $\ell(0, a) \le k$.
Proof. Induction on $k$.
Base: $k = 1$. Then $a = 0$ and $\ell(0, a) = 0 \le k$.
Step: $k > 1$. Observe the following cases:
- If $0 \le a < e_{k-1}$ then the induction assumption gives $\ell(0, a) \le k - 1 < k$.
- If $e_{k-1} \le a < e_k$ then $\ell(0, a) = \ell(0, e_{k-1}) + \ell(e_{k-1}, a) = 1 + \ell(0, a - e_{k-1})$ by Lemma 2. Observe the following cases:
• $a = e_k - 1$. Then $\ell(0, a) = 1 + \ell(0, a - e_{k-1}) = 1 + \ell(0, e_{k-1}) = 2 \le k$.
• $a < e_k - 1$. Then $\ell(0, a) = 1 + \ell(0, a - e_{k-1}) \le 1 + (k - 1) = k$ by induction assumption.
□
Lemma 4. If $0 < a \le e_k$ then $\ell(a, e_k) \le 2(k - 1)$.
Proof. Induction on $k$.
Base: $k = 1$. Then $a = 1$ and $\ell(a, e_k) = \ell(1, 1) = 0 = 2(k - 1)$.
Step: $k > 1$. Observe the following cases:
- If $0 < a \le e_{k-1}$ then $\ell(a, e_k) = \ell(a, e_{k-1}) + \ell(e_{k-1}, e_k) \le 2(k - 2) + 2 = 2(k - 1)$ by induction assumption.
- If $e_{k-1} < a \le e_k$ then observe the following cases:
• $a = e_k$. Then $\ell(a, e_k) = 0 \le 2(k - 1)$.
• $a < e_k$. Then $\ell(a, e_k) = \ell(a, e_k - 1) + \ell(e_k - 1, e_k) = \ell(a - e_{k-1}, e_{k-1}) + 1$ by Lemma 2. Induction assumption now gives $\ell(a, e_k) = \ell(a - e_{k-1}, e_{k-1}) + 1 \le 2(k - 2) + 1 < 2(k - 1)$.
□
Proof (Theorem 1). Induction on $k$. Base: $k = 3$. In this case one can directly verify that $\ell(a, b) \le 4$.
Step: $k > 3$. Observe the following cases:
- If $0 < a \le b \le e_{k-1}$ then the induction assumption gives us $\ell(a, b) \le 3(k - 1) - 5 < 3k - 5$.
- If $0 < a \le e_{k-1} < b \le e_k$ then $\ell(a, b) = \ell(a, e_{k-1}) + \ell(e_{k-1}, b) \le 2(k - 2) + \ell(e_{k-1}, b)$ by Lemma 4. The following cases are possible:
• $b = e_k$. Then $\ell(e_{k-1}, b) = 2 \le k - 1$.
• $b = e_k - 1$. Then $\ell(e_{k-1}, b) = 1 \le k - 1$.
• $b < e_k - 1$. Then Lemmas 2 and 3 give $\ell(e_{k-1}, b) = \ell(0, b - e_{k-1}) \le k - 1$.
Thus $\ell(a, b) \le 2(k - 2) + k - 1 = 3k - 5$.
- If $e_{k-1} < a \le b \le e_k$ then observe the following cases:
• $b = e_k$. Then $\ell(a, b) = \ell(a, e_k) \le 2(k - 1) \le 3k - 5$ by Lemma 4.
• $b < e_k$. Then $\ell(a, b) = \ell(a - e_{k-1}, b - e_{k-1}) \le 3(k - 1) - 5 < 3k - 5$ by Lemma 2 and induction assumption.
□
As $\lceil \log b \rceil = k$ iff $e_{k-1} + 1 < b \le e_k + 1$ we get $k \le \lceil \log b \rceil + 1$ and thus

Claims
1. A digital signature certification system comprising: creating a nonce; time stamping said nonce to create a time stamped nonce uniquely identifying said time stamp; attaching said time stamped nonce to a document; attaching a digital signature to said document with said nonce; time stamping said document and the signature; whereby uniquely represents said signature on said document.
2. The system of claim 1 wherein said nonce is a random bit string having a length such that the probability of an identical nonce is insignificant.
3. The system of claim 2 wherein reliance on a Time Stamping Service (TSS) for verification of a signature is reduced or eliminated.
4. The system of claim 1 wherein reliance on RTA directly with other signatures is reduced or eliminated.
5. The system of Claim 1 wherein said nonce is used as a time-related standard for RTA.
6. A digital signature certification system comprising: creating a nonce; time stamping said nonce to create a time stamped nonce uniquely identifying said time stamp; attaching said time stamped nonce to a document; attaching a digital signature to said document; time stamping said document and the signature; whereby the nonce stamp uniquely represents said signature on said document; creating said time stamped nonce entries as a binary database; linking said binary database to a verifiable RTA source; whereby said RTA source is a verifiable point for all said time stamped nonce entries within a time frame associated with said RTA.
7. The system of claim 6 wherein said nonce is a random bit string having a length such that the probability of an identical nonce is insignificant.
8. The system of claim 7 wherein reliance on a Time Stamping Service (TSS) for verification of a signature is reduced or eliminated.
9. The system of claim 6 wherein reliance on RTA directly with other signatures is reduced or eliminated.
10. A digital signature certification system comprising: creating a nonce means; relating said nonce means to some time standard uniquely identifying said nonce; attaching said nonce means to a document; attaching a digital signature to said document and to said nonce means; relating said document to said nonce means; whereby said nonce means uniquely identifies said signature on said document;
11. The system of claim 10, comprising: creating said nonce means as a database means; linking said database means to a verifiable time; whereby said verifiable time thereby verifying signatures associated with said nonce means within a time frame associated with said verifiable time.
12. The system of claim 10 wherein said nonce means is a data means having characteristics such that the probability of an identical nonce means is insignificant.
13. The system of claim 10 wherein reliance on commercial verification services for verification of a signature is reduced or eliminated.
14. The system of claim 11 wherein reliance on time services for verification of signatures is reduced or eliminated.
15. A method of time-stamping a digital document using a binary linking scheme where the value of the catenate certificate $L_n$ is generated by applying a one-way hash function H to a catenation comprising the value of the catenate certificate $L_{n-1}$ and the value of another suitably chosen catenate certificate $L_{f(n)}$, with f being a fixed deterministic function algorithm,
$L_n = H(n, X_n, L_{n-1}, L_{f(n)})$.
16. A method as claimed in claim 15 including verifying a one-way relationship between two time-certificates with a number of computational steps proportional to the logarithm of the number of time-stamped documents.
17. A method of digital time-stamping wherein: each document X is given a time-certificate t(X) of reasonable length that uniquely defines the relative position of X inside the protocol-round it is time-stamped, and thereafter. given two documents X and Y and certificates t(X) and t(Y) a verifier is able to establish a one-way relationship between the corresponding time stamps.
18. A time-stamping procedure using a binary linking scheme, comprising: a client sends to a TSS a data item X to be time-stamped; the TSS answers immediately by sending then current Ln and necessary data for verifying a one-way dependency between Ln and a time-stamp, the TSS further signs Ln and sends a signed receipt DTSS(n, Ln) to the client and, upon completion of a round, the client obtains the time-certificates.
19. A method of determining a time of signing a document comprising: generating a nonce N and time-stamping the document with time-stamp L(N), signing the document, generating the time-stamp L(σ) of the signature σ = sigP(L(N), X), and verifying the document by comparing time of issuance of L(N) and L(σ).
20. A method as claimed in claim 19 wherein the time-stamp L(N) and L(σ) includes collision-resistant one way hash functions to prevent forgery of any of said time-stamps.
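An added example (not part of the patent text) of claims 15 and 16: it builds Ln = H(n, Xn, L(n-1), L(f(n))) with SHA-256 and verifies a one-way relationship between two links along the shortest chain. The function `f` is an assumption, derived from the structural facts stated in the proof (the vertices 2^k - 1 link to vertex 0 and each half repeats the previous tree); the seed L0 and all function names are hypothetical.

```python
import hashlib
from collections import deque

def f(n):
    """Second link of vertex n. Assumed: derived from the proof's facts that
    e_k = 2**k - 1 links to vertex 0 and (e_{k-1}, e_k) repeats the first copy."""
    k = n.bit_length()                      # smallest k with n <= e_k
    if n == 2**k - 1:
        return 0
    e_prev = 2**(k - 1) - 1
    return e_prev + f(n - e_prev)

def link(n, xh, prev, jump):
    """L_n = H(n, X_n, L_{n-1}, L_{f(n)}); all four fields have fixed width."""
    return hashlib.sha256(n.to_bytes(8, "big") + xh + prev + jump).digest()

def build(items):
    L = [bytes(32)]                         # L_0: constructed seed value
    for n, x in enumerate(items, 1):
        L.append(link(n, hashlib.sha256(x).digest(), L[n - 1], L[f(n)]))
    return L

def chain(a, b):
    """Shortest path b -> ... -> a over the links n -> n-1 and n -> f(n)."""
    if not 0 < a <= b:
        raise ValueError("need 0 < a <= b")
    parent, queue = {b: None}, deque([b])
    while a not in parent:                  # breadth-first search downwards
        v = queue.popleft()
        for w in (v - 1, f(v)):
            if w >= a and w not in parent:
                parent[w] = v
                queue.append(w)
    path = [a]
    while path[-1] != b:
        path.append(parent[path[-1]])
    return path[::-1]

def prove(items, L, a, b):
    """Per step v -> w: (v, H(X_v), L_{v-1}, L_{f(v)}, whether w is the f-link)."""
    p = chain(a, b)
    return [(v, hashlib.sha256(items[v - 1]).digest(), L[v - 1], L[f(v)], w != v - 1)
            for v, w in zip(p, p[1:])]

def verify(L_a, L_b, proof):
    """Recompute each link starting at L_b; accept only if the walk ends at L_a."""
    cur = L_b
    for n, xh, prev, jump, took_jump in proof:
        if link(n, xh, prev, jump) != cur:
            return False
        cur = jump if took_jump else prev
    return cur == L_a
```

With this `f`, the longest shortest chain among the first 2^k - 1 stamps stays within the 3k - 5 bound used in the proof, so the verifier recomputes a logarithmic number of hashes instead of one per intervening stamp.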
EP99942384A 1998-08-18 1999-08-18 Time-stamping with binary linking schemes Withdrawn EP1105994A4 (en)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US9693598P 1998-08-18 1998-08-18
US96935P 1998-08-18
US37593599A 1999-08-17 1999-08-17
US375935 1999-08-17
PCT/US1999/019061 WO2000011828A1 (en) 1998-08-18 1999-08-18 Time-stamping with binary linking schemes

Publications (2)

Publication Number Publication Date
EP1105994A1 true EP1105994A1 (en) 2001-06-13
EP1105994A4 EP1105994A4 (en) 2004-12-01

Family

ID=26792222

Family Applications (1)

Application Number Title Priority Date Filing Date
EP99942384A Withdrawn EP1105994A4 (en) 1998-08-18 1999-08-18 Time-stamping with binary linking schemes

Country Status (5)

Country Link
EP (1) EP1105994A4 (en)
JP (1) JP2002530709A (en)
CN (1) CN1319290A (en)
AU (1) AU5577599A (en)
WO (1) WO2000011828A1 (en)

Also Published As

Publication number Publication date
EP1105994A4 (en) 2004-12-01
WO2000011828A8 (en) 2000-06-02
JP2002530709A (en) 2002-09-17
AU5577599A (en) 2000-03-14
CN1319290A (en) 2001-10-24
WO2000011828A1 (en) 2000-03-02
WO2000011828A9 (en) 2000-08-17

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20010215

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

AX Request for extension of the european patent

Free format text: AL;LT;LV;MK;RO;SI

A4 Supplementary search report drawn up and despatched

Effective date: 20041014

17Q First examination report despatched

Effective date: 20050422

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20050301