WO2000011828A1: Timestamping with binary linking schemes
Publication number: WO2000011828A1 (PCT/US1999/019061)
Authority: WIPO (PCT)
TIMESTAMPING WITH BINARY LINKING SCHEMES
[BLLV98] Ahto Buldas, Peeter Laud, Helger Lipmaa, Jan Villemson, "Timestamping with binary linking schemes," Proc. CRYPTO '98.
[BdM91] Josh Benaloh, Michael de Mare, "Efficient broadcast time stamping," Technical report 1, Clarkson University Department of Mathematics and Computer Science, August 1991.
[BHS92] Dave Bayer, Stuart Haber, W. Scott Stornetta, "Improving the efficiency and reliability of digital timestamping," In Sequences '91: Methods in Communications, Security, and Computer Science, pp. 329-334. Springer Verlag, 1992.
[HS91] Stuart Haber, W. Scott Stornetta, "How to timestamp a digital document," Journal of Cryptology, 3(2):99-111, 1991.
[HS97] Stuart Haber, W. Scott Stornetta, "Secure names for bitstrings," In Proceedings of the 4th ACM Conference on Computer and Communications Security, pp. 28-35, April 1997.
Field of the Invention
This invention relates to digital signatures in computer documents, and more particularly to time stamping digital signatures so that the latest time will be unambiguously known.
Background
Time stamping is a set of techniques enabling the ascertaining of when an electronic document was created or signed. The real importance of timestamping comes about with the legal use of long lifetime documents. A problem with time stamping signed documents comes about when, for example, the signer repudiates the document and the cryptographic primitives become unreliable. The security of the signature becomes questionable. For example, a signer might claim she had lost her signature key, repudiate the signing, and bring the authenticity of a signature into question in order to escape responsibility for a document.
Recently, especially in the local regulation of digital signatures, organizational and legal questions about reliability in time stamping signatures have been gaining world wide attention. In the prior art, in addition to defining the responsibilities of the owner of the signature, the duties and responsibilities of the Time Stamping Service (TSS) employed must be stated. It is becoming increasingly important that trust of the TSS not be an issue; or that questions relating to the need to trust the TSS be minimized. In order to make users liable only for their own actions, the offender in a situation involving a digital signature infraction must be positively identifiable, even if the offender is the TSS.
Digital signatures, since they are administered by systems that inherently do not have any relation to physical time (real time) in their operation, do not have real time acknowledgments. For this reason, the association of an electronic document directly to a unique moment in time is difficult, and may be impossible. The best we can do with time stamping is Relative Temporal Authentication (RTA), that is, we can associate a document with some relative time that we trust.
This method, which is often used, is based on a complexity-theoretic assumption of the existence of collision-resistant one-way hash functions. RTA gives a verifier holding two time stamped documents the ability to verify which of the two was created first.
The following examples of existing time stamping systems illustrate the problems:
1) An example of an existing time stamping technique is a simple time stamping protocol. The TSS appends the current time t to the current document X, the composite document is signed, and two values, t and s=sig_{TSS}(t,X), are returned to the client. A weakness of this approach is the unreliability of documents with old time stamps after a signature key leakage, which may make it impossible to verify the time t on the document. This implies that for a reasonable solution the TSS must be unconditionally trusted. It is therefore widely accepted that a secure time stamping system cannot rely solely on the keys or on any other secret information of that sort.
2) One example of an embodiment of a digital signature certification system of the type discussed above is shown in [BHS92, HS97] and Patent No. 5,136,646 by Haber and Stornetta. Signatures with time certificates attached are linked together by a one-way function, such that the verifier is able to follow a step-by-step chain of intermediate time stamps, and is able to ascertain at each step which was created earlier. In this way a type of time tree is grown, with the credibility of the signature verified by trusted documents preceding and following in time.
The time certificate for the nth submitted document is c=D_{TSS}(n,t_{n},ID_{n},X_{n},L_{n}), where t_{n} is the current time, ID_{n} is the identifier of the submitter, and L_{n} is the nth catenate certificate defined by the recursive formula L_{n}=(t_{n-1},ID_{n-1},X_{n-1},H(L_{n-1})), and H is a collision-resistant one-way hash function.
There are several complications with the implementation of the above system. The number of steps needed to verify the one-way relationship between two time stamps is linear with respect to the number of time stamps between them, so a single verification may be as costly as creating an entire chain. It was pointed out in the publication of the Benaloh-de Mare proposal [BdM91] that this solution has impossible trust and broadcast requirements. A modification was proposed [HS91] wherein every time stamp is linked with k>1 time stamps directly preceding it. This variation decreases the requirements for broadcasting but increases the space required for storing individual time stamps.
3) Tree linking systems as disclosed in [BdM91, BHS92, HS97] and US Patent Number Re. 34,954 reduce verification cost in a significant way.
[BHS92] illustrated in Fig. A]. The timestamping procedure is divided into rounds. The timestamp R_{r} for round r is a cumulative hash of the time stamp R_{r-1} for round r-1 and of all the documents submitted to the TSS during the round r. After the end of the rth round a binary tree T_{r} is built. Every participant P_{i} who wants to timestamp at least one document in this round submits to the TSS a hash y which is a hash of all the documents he wants to timestamp in this round. The leaves of T_{r} are labeled by the submitted data items y_{j}. Each inner node k of T_{r} is recursively labeled by the numerical value H_{k} = H(H_{k_{L}}, H_{k_{R}}), where k_{L} and k_{R} are correspondingly the left and the right child nodes of k, and H is a collision-resistant hash function. The TSS has to store only the timestamps R_{r} for rounds (Fig. 1). All the remaining information required to verify whether a certain document was timestamped during a fixed round is included in the time certificates.
A time certificate of a document comprises the information required to verify whether a certain document was time stamped during a fixed round, i.e., the labels of the sibling nodes, which are needed to restore the labels of the predecessor nodes. For example, the time certificate for y_{3} in Figure 1 is (r;(y_{4},L),(H_{4},R)). The verifying procedure of the time stamp of y_{3} consists of verifying the equality:
R_{r}=H(H(H_{4},H(y_{3},y_{4})),R_{r-1}).
The size of the time certificate, and thereby also the number of computational steps during the verification, is logarithmic in the number of documents submitted. The values of R_{r} are stored in a database and some of them are published in a newspaper. The schemes are feasible but provide the RTA for the documents issued during the same round only if we unconditionally trust the TSS to maintain the order of timestamps in T_{r}. Therefore, this method either increases the need for trust or otherwise limits the maximum temporal duration of rounds to insignificant units of time (one second in the Digital Notary system). However, if the number of submitted documents during a round is too small, the expenses of timestamping a single document may become unreasonably large.
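The round-certificate check described above, as an added example (not code from the patent or the cited systems). It assumes SHA-256 for H, a power-of-two number of leaves, and reads the L/R tag in a certificate as the side on which the node being verified sits; all function names are illustrative. It also shows the limitation noted in the text: any arrangement of the same submissions yields valid certificates, so a certificate proves membership in a round, not order within it.

```python
import hashlib

def H(a: bytes, b: bytes) -> bytes:
    """Stand-in for the collision-resistant hash H (assumption: SHA-256)."""
    return hashlib.sha256(len(a).to_bytes(4, "big") + a + b).digest()

def build_round(leaves, R_prev):
    """Build T_r bottom-up and return (R_r, levels).
    Assumes len(leaves) is a power of two."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([H(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return H(levels[-1][0], R_prev), levels      # R_r = H(root label, R_{r-1})

def certificate(levels, idx):
    """Sibling labels on the path from leaf idx to the root, each tagged with
    the side ('L' or 'R') of the node being verified (assumed interpretation)."""
    cert = []
    for level in levels[:-1]:
        side = "L" if idx % 2 == 0 else "R"
        cert.append((level[idx ^ 1], side))
        idx //= 2
    return cert

def verify(y, cert, R_prev, R_r):
    """Recompute the path labels from leaf y and compare against the round stamp."""
    acc = y
    for sibling, side in cert:
        acc = H(acc, sibling) if side == "L" else H(sibling, acc)
    return H(acc, R_prev) == R_r

def demo_tree():
    R_prev = bytes(32)                            # constructed stamp R_{r-1}
    ys = [b"y1", b"y2", b"y3", b"y4"]             # constructed submissions, arrival order
    results = {}
    # The TSS may place the same submissions in any order; both trees verify.
    for name, order in (("arrival", ys), ("reversed", ys[::-1])):
        R_r, levels = build_round(order, R_prev)
        all_valid = all(verify(y, certificate(levels, i), R_prev, R_r)
                        for i, y in enumerate(order))
        results[name] = (R_r, all_valid)
    return results

if __name__ == "__main__":
    for name, (R_r, ok) in demo_tree().items():
        print(name, R_r.hex()[:16], ok)
```
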
Summary of the Invention
The present invention comprises a method of timestamping a digital document using a binary linking scheme where the value of the catenate certificate L_{n} is generated by applying a one-way hash function H to a catenation comprising the value of the catenate certificate L_{n-1} and the value of another suitably chosen catenate certificate L_{f(n)}, with f being a fixed deterministic function algorithm, i.e.
L_{n} = H(n, X_{n}, L_{n-1}, L_{f(n)}).
By choosing the function f appropriately it is possible to verify a one-way relationship between two time certificates with a number of computational steps proportional to the logarithm of the number of timestamped documents. A function is presented that guarantees logarithmic verification. A binary linking scheme is presented where the linking function f is chosen in such a way that it satisfies the anti-monotonic property, i.e. that f(m)<n<m implies f(n)≥f(m). Said property is sufficient for the existence of a series n(1),...,n(k),... of indices such that, for each k, the time certificate L_{n(k)} is generated only using the values of L_{i} where n(k-1)<i<n(k), and of L_{n(j)} with j<k. Thus, the intervals between the issuance of different L_{n(k)} can be thought of as the rounds. The anti-monotonic property says that the timestamp for a round is not linked directly to the inner timestamps of other rounds.
A method is also presented of certifying the moment of signing, not only the moment of submitting. Before signing a document X a principal P generates a nonce N and timestamps it. By a nonce is meant a sufficiently long random bitstring, such that the probability it has been already timestamped is negligible. Principal P then includes the timestamp L(N) of N in the document, signs it and obtains the time stamp L(S) of the signature S=D_{P}(L(N),X). For the verification of the document X, the verifier has to compare both these timestamps with the timestamps trusted by the verifier (which may be nonces generated by the verifier herself). As there are one-way dependencies between L(N), S and L(S), the verifier may conclude that the signature was created in the time frame between the moments of issuance of L(N) and of L(S) respectively. If these moments are close enough, the signing time can be ascertained with necessary precision. In this solution there are no supplementary duties to the TSS or to the other principals.
A timestamping procedure is also defined, as follows: (1) the client sends to the TSS the data item X to be timestamped; (2) the TSS answers immediately by sending the then-current L_{n} and the necessary data for verifying the one-way dependency between L_{n} and the timestamp for the previous round. The TSS signs L_{n} and sends the signature D_{TSS}(n, L_{n}) to the client; (3) if the round is over, the client may apply to the TSS for the data necessary to verify a one-way relationship between L_{n} and the timestamp for the round. Therefore, the TSS is not able to rearrange the timestamps during a round. This means the present scheme reduces the need for trusting the TSS in maintaining the temporal order of timestamped documents.
Brief Description of the Drawings
Fig. 1 is a flow chart of a tree linking system for the certification of Digital Signatures.
Fig. 2 is a flow chart of a binary linking system (BLS) for the certification of Digital Signatures.
Fig. 3 is a flow chart of a BLS with the shortest verification links between digital signatures.
Fig. 4 is a flow chart of an Accumulated Linking System (ALS) which may be used in the invention.
Fig. 5 is a flow chart of a Time Stamp system of the invention.
Table I is a definition of a recursive linking system for digital signature verification.
Table II shows how recursive linking may be programmed on a computer.
Table III is a proof that a further reduction in the complexity of linking digital signatures is not feasible beyond the invention.
Table IVA and IVB comprise proofs of the sufficiency of the invention for verification of digital signatures as disclosed.
Description of the Preferred Embodiment
In the following a definition is given of timestamping systems applicable in legal situations. Later the approach will be justified and compared to older systems.
A timestamping system consists of a set of principals with the time stamping server (TSS) together with a triple (S, V, A) of protocols. The stamping protocol S allows each participant to post a message. The verification protocol V is used by a principal having two timestamps to verify the temporal order between those timestamps. The audit protocol A is used by a principal to verify whether the TSS carries out his duties. Additionally, no principal (in particular, TSS) should be able to produce fake timestamps without being caught.
A timestamping system has to be able to handle timestamps which are anonymous and do not reveal any information about the content of the stamped data. The TSS is not required to identify the initiators of timestamping requests.
The present notion of a timestamping system differs from the one given in, e.g., [BdM91] in several important aspects. The differences are explained below.
Relative Temporal Authentication:
The main security objective of timestamping is temporal authentication: the ability to prove that a certain document has been created at a certain moment of time. Although the creation of a digital data item is an observable event in the physical world, the moment of its creation cannot be ascertained by observing the data itself. The best one can do is to check the relative temporal order of the created data items (i.e., prove the RTA) using one-way dependencies defining the arrow of time, analogous to the way in which the growth of entropy defines the arrow of time in the physical world. For example, if H is a collision-resistant one-way hash function, one can reliably use the following "rough" derivation rule: if H(X) and X are known to a principal P at a moment t, then someone (possibly P itself) used X to compute H(X) at a moment prior to t. Preferably, the system utilizes collision-resistant one-way hash functions.
Definition 1. A collision-resistant one-way hash function is a function H which has the properties of compression, ease of computation, preimage resistance, 2nd-preimage resistance and collision resistance.
Definition 2. Let p be a binary relation on N, such that x p y implies x < y, and let H be a collision-resistant one-way hash function. A (p, H)-linking scheme is a procedure to link a family (H_{n}) of data items together using auxiliary linking items L_{n} satisfying the recursive formula
L_{n} := H(H_{n}, L_{n_{1}}, ..., L_{n_{#p^{-1}(n)}}),
where n_{1} ≥ ... ≥ n_{#p^{-1}(n)} are exactly the elements of p^{-1}(n) := {m | m p n} (the preimage of n by p). A sequence (m_{i})_{i=1}^{ξ}, where m_{i} p m_{i+1}, is called a verifying chain between m_{1} and m_{ξ} with length ξ.
In the context of timestamping H_{n} = H(n, X_{n}), where X_{n} denotes the nth timestamped document. The linking item L_{n} is also referred to as a timestamp of X_{n}. Note that a one-way relationship between L_{n} and L_{m} (n < m) does not prove that at the moment of creating X_{n} the bitstring X_{m} did not exist, but we do know that X_{n} did exist at the moment of creating L_{m}.
We have omitted the t_{n} in the formula for H_{n}, whereas it should not be taken for granted that the value t_{n} indeed represents the submission time of X_{n}. The only way for a principal to associate a timestamp with a certain moment of time is to timestamp a nonce at this moment. By a nonce we mean a sufficiently long random bitstring, such that the probability it has been already timestamped is negligible. In order to verify the absolute creating time of a document timestamped by another principal, the verifier has to compare the timestamp with the time stamps of nonces generated by the verifier herself. In this solution there are neither supplementary duties to the TSS nor to the principals. The use of nonces illustrates the similarity between timestamping and ordinary authentication protocols, where nonces are used to prevent the possible reuse of old messages from previous communications.
By using RTA it is possible to determine not only the submitting time of the signature but also the time of signing the document. Before signing a document X the principal P generates a nonce N and timestamps it. He then includes the time stamp L(N) of N in the document, signs it and obtains the timestamp L(σ) of the signature σ=sig_{P}(L(N), X). From the viewpoint of the TSS these stamping events are identical (he need not be aware whether he is timestamping a nonce or meaningful data). For the verification of the document X, the verifier has to compare both these timestamps with the timestamps trusted by her. As there are one-way dependencies between L(N), σ and L(σ), the verifier may conclude that the signature was created in the timeframe between the moments of issuance of L(N) and of L(σ) respectively. If these moments are close enough, the signing time can be ascertained with necessary precision.
3.2 Detection of Forgeries
A timestamping system must have properties enabling users to verify whether an arbitrary timestamp is correct or not. Possession of two documents with corresponding timestamps is not enough to prove the RTA between the documents because everyone is able to produce fake chains of timestamps.
A timestamping system should allow the user (1) to determine whether the timestamps possessed by an individual have been tampered with; and (2) in the case of tampering, to determine whether the timestamps were tampered with by the TSS or tampered after the issuing (generally by unknown means). In the second case, there is no one to bring an action against. The principals interested in legal use of timestamps should themselves verify their correctness immediately after the issuing (using signatures and other techniques discussed later) because if the signature of the TSS becomes unreliable, the signed timestamps cannot be used as evidence. In order to increase the trustworthiness of the timestamping services it should be possible for the clients to periodically inspect the TSS. Also, in the case when the TSS is not guilty he should have a mechanism to prove his innocence, i.e., that he has not issued a certain timestamp during a certain round.
Additionally, the TSS must publish regularly, in an authenticated manner, the timestamps for rounds [BdM91] in mass media. If the timestamping protocol includes (by using collision-resistant one-way hash functions) (1) the message digest of any timestamp issued during the rth round into the timestamp for the rth round, and (2) the message digest of the timestamp for round r-1 into any timestamp issued during the rth round, it will be difficult for anyone to forge a timestamp without detection. The forgery detection procedures should be simple. Forgeries should be determinable either during the stamping protocol (when the timestamp, signed by the TSS, fails to be correct) or later when it proves impossible to establish the temporal order between two otherwise correct timestamps.
3.3 Feasibility Requirements
The timestamping systems of [BdM91] and [HS97] use non-linear partial ordering of timestamps and therefore do not support RTA. A later discussion shows how to modify the linear linking scheme [HS91] to fulfill the security objectives (RTA and detection of forgeries). On the other hand, in practice, in this scheme the detection of forgeries would take too many steps. It is easy to forge timestamps assuming that the verifier has limited computational power. This leads to the question of feasibility. In order to make RTA feasible in the case when time stamps belong to different rounds, it is reasonable to define an additional layer of links between the timestamps for rounds.
Definition 3. Assume (p,H) and (δ,H) linking schemes and a monotonically increasing function ξ: N→N. By a (p,ξ,δ,H)-linking scheme is meant a procedure for linking a family (H_{n}) of data items together using auxiliary linking items L_{n} and \mathcal{L}_{r} satisfying the recursive formulas shown in Table I.
The values \mathcal{L}_{r} are also referred to as the timestamps for rounds. Note that the timestamps requested from the TSS during the verification protocol should belong to the set of timestamps for rounds because only these timestamps are available in the timestamping server.
Definition 4. A (p,ξ,δ,H)-linking scheme is said to be an Accumulated Linking Scheme (ALS) with rank m, if
1. If ξ(r) < n ≤ ξ(r+1) then p^{-1}(n) ⊂ [ξ(r+1), ξ(r+1)] ∪ ξ(N).
2. ξ(r+1) - ξ(r) ≥ m.
A (p, H)-linking scheme enables accumulated timestamping if for arbitrary positive m there exists ξ, such that the (p, ξ, p, H)-scheme is an ALS with rank m.
If the linking scheme used enables accumulated timestamping, the duration of the rounds can be flexibly enlarged in order to guarantee that only a negligible fraction of the timestamps are kept in the memory of the timestamping server.
Let n be the total number of timestamps issued till the moment of the current run of stamping/verification protocol. The feasibility requirements can be summarized with the following:
1. The number of the evaluations of the hash function during the verification protocol should be O(log n). In particular, the number of timestamps examined during a single run of the verification protocol should be O(log n);
2. There should be a conveniently small upper bound to the length of rounds, whereas the clients want to get their timestamps in reasonable time. It seems to be sensible to require that the stamping protocol of the nth document must terminate before the TSS has received additional O(log n) timestamp requests. In real applications it is desirable for the average length of rounds to be constant (this would guarantee that for an arbitrary constant c there would be a negligible fraction of rounds with length greater than c).
3. The size of an individual timestamp should be small.
There is a tradeoff between these quantities. Later there is presented an improvement of the scheme above.
First Version of The System: Linear Linking
For pedagogical reasons, the protocols and the basic organizational principles of the system using the linear linking scheme are outlined below. This scheme fulfills all the trust requirements but is impractical. Further, the described scheme is significantly improved by replacing the linear scheme with a binary linking scheme.
Let the number M of timestamps per round be a constant known to the participants (clients) and all the data items X_{n} be of fixed size. Therefore, in the case of the linear linking scheme, the timestamp for the rth round has a number ξ_{r} = M · r.
Role of the TSS: The TSS maintains the following three databases:
1. the database D_{c} of the timestamps of the current round.
2. the database D_{p} of the timestamps of the previous round.
3. the database D_{r} of the timestamps for rounds.
These databases are considered to be online in the sense that any client can make requests into them at any moment. The fourth database (the complete database of timestamps) is also stored but not online (it may be stored in an archive of CDs). Requests to this database are possible, but costly (e.g., requiring human interaction). After the end of each round, the timestamps in D_{p} are stored to a separate CD (this procedure may be audited). Thereafter D_{p} is emptied. The time stamp R_{r} for the current round is computed, added to D_{r} and published in a newspaper or similar publication (two processes which should be audited). The database D_{c} is copied into D_{p} and a new database D_{c} is created.
Stamping Protocol:
Suppose the current round number is r.
1. Client sends X_{n} to the TSS.
2. The TSS finds H_{n} = H(n, X_{n}) and L_{n} = H(H_{n}, L_{n-1}), and adds the pair (H_{n}, L_{n}) to D_{c}.
3. The TSS signs the pair (n, L_{n}) and sends (n, L_{n}, sig_{TSS}(n, L_{n})) back to the client.
4. The TSS sends the tuple head(n) = (H_{n-1}, H_{n-2}, ..., H_{ξ_{r-1}+1}) to the client.
5. The client verifies the signature of TSS and checks whether
H(H_{n}, H(H_{n-1}, ... H(H_{ξ_{r-1}+1}, L_{ξ_{r-1}})...)) = L_{n},    (2)
where the true values L_{ξ_{r}} can be found either from the newspaper or by requesting their values from the online database D_{r} of the TSS.
After the M requests have been answered the TSS finishes the round by finding L_{ξ_{r}} = H(H'_{ξ_{r}}, L_{ξ_{r}-1}) (where H'^H^L^_{.},)) and publishing L_{ξ_{r}} and his public key K_{TSS} in the newspaper or the like. The client may now continue, during a limited period, the protocol in order to get the complete individual timestamp for
6. The client sends a request to the TSS.
7. Let tail(n) = (H_{ξ_{r}-1}, H_{ξ_{r}-2}, ..., H_{n+2}, H_{n+1}). The TSS answers by sending (tail(n), sig_{TSS}(tail(n))) to the client.
8. The client checks whether
L_{ξ_{r}} = H(H_{ξ_{r}-1}, H(H_{ξ_{r}-2}, ... H(H_{n+2}, H(H_{n+1}, L_{n}))...)).    (3)
Definition 5. The complete individual timestamp s_{n} for the nth document is s_{n} := (tail(n), head(n), n, L_{n}, sig_{TSS}(n, L_{n})).
Every client who is interested in the legal use of a timestamp should validate it during the stamping protocol. In a relatively short period between the 1st and the 3rd step and between the 4th and 6th step, the signature key of TSS is trusted to authenticate him and therefore his signature on an invalid head(n) or tail(n) can be used as evidence in court. But the client is responsible for doing it when the signature key of TSS can still be trusted. Later, the signature of TSS may become unreliable and therefore only the one-way properties can be used.
Verification Protocol:
Let r(n) denote the round where s_{n} was issued. Assume the verifier has two timestamped documents (X_{m}, s_{m}) and (X_{n}, s_{n}) where m < n.
1. The verifier checks the validity of the equations (2) and (3) for both time stamps.
2. If r(m) = r(n) then the data held in tail(m) and head(n) will be enough to check whether
L_{n} = H(H_{n}, H(H_{n-1}, ... H(H_{m+1}, L_{m})...)).
3. If r (m) < r (n), the verifier sends a request to the TSS.
4. The TSS answers by sending the tuple V_{mn}
(m)) and the signature sig_{TSS}(V_{mn}) to the verifier.
5. The verifier validates the signature, finds L_{ξ_{r(m)}} using (3), finds L_{r} (n) 1 using the formula
L_{r(n)}ι ^{=} H (H _{ξr(n)}_ι, H (H _{ξr(nι)}, L_{ξr(m)})...))
and finally, compares the value of L_{n} in s_{n} with the value given by (2).
Audit Protocol:
Because of the possible legal importance of the timestamps issued by the TSS, there should be some mechanism to audit the TSS. One easy way to do it is to periodically ask for timestamps from the TSS and verify them. If these timestamps are linked inconsistently (i.e., Eq. (2) and (3) hold for both timestamps but the verification protocol fails), the TSS can be proven to be guilty. Also, there has to be a mechanism for the TSS to prove that he has not issued a certain timestamp S in a certain round r. This can be done if the TSS presents all the timestamps issued during the rth round, and the timestamp found by using these timestamps and the linking rules coincides with the published timestamp.
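The stamping and same-round verification steps above, as an added example (not code from the patent). It assumes SHA-256 for H, M = 8, a constructed genesis value L_0, and omits the TSS signature; round closing is simplified so that the round stamp L_{ξ_r} is computed like any other link and tail(n) runs from H_{ξ_r} down to H_{n+1} (the special round-closing item H' is not modelled). Class and function names are illustrative.

```python
import hashlib
from dataclasses import dataclass

M = 8  # timestamps per round, known to all clients; xi_r = M * r

def H(*parts: bytes) -> bytes:
    """Stand-in for the hash H (assumption: SHA-256 over length-prefixed parts)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def item(n: int, X: bytes) -> bytes:
    """H_n = H(n, X_n)."""
    return H(n.to_bytes(8, "big"), X)

def fold(start: bytes, items_ascending) -> bytes:
    """Apply L_i = H(H_i, L_{i-1}) along a run of consecutive items."""
    acc = start
    for h in items_ascending:
        acc = H(h, acc)
    return acc

@dataclass
class Stamp:          # s_n = (tail(n), head(n), n, L_n); signature omitted
    n: int
    L: bytes
    head: list        # H_{n-1}, ..., H_{xi_{r-1}+1}   (descending)
    tail: list        # H_{xi_r}, ..., H_{n+1}         (descending, simplified)

class LinearTSS:
    def __init__(self):
        self.Hs = {}                      # n -> H_n
        self.Ls = {0: bytes(32)}          # n -> L_n; L_0 is a constructed genesis value

    def stamp(self, X: bytes) -> int:
        n = len(self.Ls)
        self.Hs[n] = item(n, X)
        self.Ls[n] = H(self.Hs[n], self.Ls[n - 1])
        return n

    def round_stamp(self, r: int) -> bytes:
        return self.Ls[M * r]             # published value L_{xi_r}

    def complete_stamp(self, n: int) -> Stamp:
        """Issue s_n; only possible once the round containing n has closed."""
        r = (n + M - 1) // M
        lo, hi = M * (r - 1), M * r
        head = [self.Hs[i] for i in range(n - 1, lo, -1)]
        tail = [self.Hs[i] for i in range(hi, n, -1)]
        return Stamp(n, self.Ls[n], head, tail)

def check_stamp(X, s, L_prev_round, L_round) -> bool:
    """Eq. (2): head(n) links L_{xi_{r-1}} to L_n. Eq. (3): tail(n) links L_n to L_{xi_r}."""
    eq2 = fold(L_prev_round, list(reversed(s.head)) + [item(s.n, X)]) == s.L
    eq3 = fold(s.L, reversed(s.tail)) == L_round
    return eq2 and eq3

def verify_order(Xm, sm, Xn, sn, L_prev_round, L_round) -> bool:
    """Same-round RTA: True only if X_m provably precedes X_n."""
    if not sm.n < sn.n:
        return False
    if not (check_stamp(Xm, sm, L_prev_round, L_round)
            and check_stamp(Xn, sn, L_prev_round, L_round)):
        return False
    # H_{m+1}..H_{n-1} are taken from head(n); H_n is recomputed from X_n.
    between = sn.head[: sn.n - sm.n - 1]
    return fold(sm.L, list(reversed(between)) + [item(sn.n, Xn)]) == sn.L

def demo():
    tss, docs = LinearTSS(), {}
    for i in range(1, 2 * M + 1):         # two full rounds of constructed documents
        docs[i] = b"constructed document %d" % i
        tss.stamp(docs[i])
    prev, cur = tss.round_stamp(1), tss.round_stamp(2)   # read from newspaper / D_r
    s11, s14 = tss.complete_stamp(11), tss.complete_stamp(14)
    ok = verify_order(docs[11], s11, docs[14], s14, prev, cur)
    reversed_claim = verify_order(docs[14], s14, docs[11], s11, prev, cur)
    # A stamp whose head claims a different item at position 12 fails Eq. (2).
    forged = Stamp(14, s14.L, list(s14.head), s14.tail)
    forged.head[1] = item(12, b"substituted document")   # head[0] = H_13, head[1] = H_12
    forged_ok = verify_order(docs[11], s11, docs[14], forged, prev, cur)
    return ok, reversed_claim, forged_ok

if __name__ == "__main__":
    print(demo())
```

The verifier's cost in `verify_order` grows with n - m, which is the linear verification cost that the binary linking scheme is meant to remove.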
Above an outline is presented of a timestamping system that fulfills trust requirements. Next is shown how to make this system feasible by using a BLS as shown in Fig. 4.
In order to issue the individual timestamp for the nth document, the TSS has to find the shortest verifying chains between ξ_{r(n)-1} and n and between n and ξ_{r(n)}. The nth individual timestamp consists of the minimal amount of data necessary to verify the mutual one-way dependencies between all L_{j} which lie on these chains. It can be shown that if f satisfies the implication
m > n ⇒ (f(m) ≤ f(n) ∨ f(m) ≥ n)    (4)
then (f,H) enables accumulated timestamping (the proof has been omitted because of its technicality). In particular, the binary linking scheme described in enables accumulated timestamping. For a fixed m let k := [log_{2} m], ξ_{0} := 0, ξ_{1} := 2^{k} - 1 (the source of T_{k}) and for arbitrary i > 1,
ξ(i) := { 2ξ_{i/2}+1, if i = 2^{j},
where j := [log_{2} i]. The length of the nth timestamp in this scheme does not exceed 2 3 · log(n) x bits, where x is the output size of the hash function H. The maximum length of rounds grows proportionally to O(log n). However, the average length of rounds is constant and therefore it is practical to publish the timestamps for rounds after constant units of time. This can be achieved easily with the following procedure. If the "deadline" for a round is approaching and there are still q timestamps not issued yet, assign random values to the remaining data items H_{n}.
Remark 1. Denote by ord n the greatest power of 2 dividing n. In the ALS presented above, it is reasonable to label timestamps in the lexicographical order with pairs (n, p), where 0 < p ≤ ord n and n > 0. Then,
f(n, p) := { (0, p), if n = 2^{p}; (n - 2^{p}, ord(n - 2^{p})), otherwise }
and g(n, p) := (n, p - 1) if p > 0 and g(n, 0) := (n - 1, ord(n - 1)). Also, the formulas of ξ_{i} will simplify. In this case, ξ(i) := (2^{k-1} i, k - 1 + ord i), for i ≥ 1.
It is easy to show that for each n and m the shortest verifying chain between n and m is uniquely defined. The data υ_{mn} necessary to verify the one-way dependence is computed by the procedure TSData(m, n) as shown in Table II and illustrated in Fig. 5.
Let (f, H) be a BLS satisfying the implication (4). Let x < y < z < w and let C_{1}, C_{2} be verifying chains from z to x and from w to y respectively. It is obvious that C_{1} and C_{2} have a common element. Thus, if m < n then the verifying chains tail(m) and head(n) have a common element c, which implies the existence of a verifying chain
(m = n_{0}, n_{1}, ..., n_{i-1}, n_{i} = c, n_{i+1}, ..., n_{e-1}, n_{e} = n).
This chain can be found by a simple algorithm and is of logarithmic length. Let r(m) denote the round to which m belongs. The proof of the last claim for the case r(m) = r(n) is given below under the heading Proof of Theorem 1. If m and n belong to different rounds, the verifying is straightforward: because of the similar structure of the second layer of links, the verifying chain from n to m is of the form
(m, ..., m', ξ_{r(m)}, n', ..., n),
where the number of ξ_{j}'s is logarithmic due to the fact that the timestamps for rounds are linked together in a way similar to the linking of all timestamps (Fig. 2). The length of the sequences (m, ..., m') and (n', ..., n) is also logarithmic.
Example 2. For the chains given in Example 1, the common element is 7 and the verifying chain between 4 and 10 is (4, 5, 6, 7, 10).
Corollary 1. Due to the similarity between the verification and the stamping procedure, for an arbitrary pair of timestamped documents the number of steps executed (and therefore, also the number of timestamps examined) during a single run of the verification protocol is O(log n).
Optimality:
Our solution meets asymptotically the feasibility requirements, but could these requirements be refined? Mostly not; an insight into this is given below. Namely, we show that for any linking scheme there does not exist a timestamping solution where (1) the length of the timestamps is O(log n), (2) for any m and n there exists a verifying chain between m and n with the length O(log n) that is completely contained in the union S(m) ∪ S(n) of the corresponding individual time stamps and (3) the stamping protocol will end in a logarithmic time. We prove this under the assumptions (1) that an individual timestamp is a subset of N and (2) that the size of a timestamp is proportional to the size of S(n) + p^{-1}(S(n)) = O(p^{-1}(S(n))) (holds if the transitive closure p^{n} of p coincides with the natural order <, i.e., the time stamp S(n) consists of tail(n) and head(n)).
Theorem 2. Let p be a binary relation on N satisfying p^{n} = <. There does not exist a function S: N → 2^{N} such that
1. p^{-1}(S(n)) < c_{1} log n for some c_{1}, for any n; also see Table IVA and IVB.
2. For every m and n there exists a p-chain (m = m_{1}, m_{2}, ..., m_{k} = n) where m_{i} ∈ S(m) ∪ S(n) (that is, the number of stamps to examine during the verification protocol is greater than 2).
3. For any n, max(S(n)) - n < c_{2} log n for some constant c_{2} as shown in Table III.
Theorem 2 can be straightforwardly generalized to claim that the number of examined timestamps must be greater than any fixed constant.
Proof of Theorem 1 :
We will prove an upper bound for the length of the verifying chain for the linking scheme described elsewhere. Let e_{k} = 2^{k} - 1, i.e. e_{k} is the number of the last vertex of T_{k}. To simplify the proof we add the vertex 0 to the scheme and link it with all the vertices that have less than two outgoing links. These are exactly the vertices e_{k}. Let L(a, b) denote the length of the shortest path between a and b. The equations L(0, e_{k}) = 1, L(e_{k-1}, e_{k}) = 2 and e_{k} - e_{k-1} = e_{k-1} + 1 follow immediately from the definition.
Binary Linking Scheme:
In the current section we give a construction of a practical linking scheme with logarithmic upper bound to the length of the shortest verifying chain between any two timestamps.
Definition 6. Let f and g be functions from N to N satisfying the condition f(n) ≤ g(n) < n for any n. A (f, g, H) binary linking scheme (BLS) is a (p, H) linking scheme where for any n, p^{-1}(n) = (f(n), g(n)). In order to guarantee the existence of a verifying chain between arbitrary x and y, we have to take g(n) := n - 1. In these cases we omit n - 1 and talk about an (f, H)-BLS.
A binary linking scheme can alternatively be defined as a directed countable graph which is connected, contains no cycles and where all the vertices have two outgoing edges (links). Let us construct an infinite family of such graphs T_{k} in the following way:
1. T_{1} consists of a single vertex which is labeled with the number 1. This vertex is both the source and the sink of the graph T_{1}.
2. Let T_{k} be already constructed. Its sink is labeled by 2^{k} - 1. The graph T_{k+1} consists of two copies of T_{k}, where the sink of the second copy is linked to the source of the first copy, and an additional vertex labeled by 2^{k+1} - 1 which is linked to the source of the second copy. Labels of the second copy are increased by 2^{k} - 1. The sink of T_{k+1} is equal to the sink of the first copy, the source of T_{k+1} is equal to the vertex labeled by 2^{k+1} - 1.
Thereafter, link all the vertices of the second copy which have less than two outgoing links to the source of the first copy. Note that there is now a double link from the sink of the second copy to the source of the first copy as shown in Fig. 3. The sequence (T_{k}) defines a binary linking scheme; add links from the sources of any such initial segment to a special vertex labeled by 0 (Fig. 2). Here (see also Rem. 1), f(n) = n - 2^{h(n)} + 1, where h(n) is given recursively by the equation below and as illustrated in Fig. 4.
h(n) = { k, if n = 2^{k} - 1; h(n + 1 - 2^{k-1}), if 2^{k-1} ≤ n < 2^{k} - 1 }
Theorem 1. Let l(a, b) be the length of the shortest verifying chain from b to a. If k > 2 and 0 < a < b < 2^{k} then l(a, b) ≤ 3k - 5.
Theoretical and practical considerations of the present invention are:
1) the importance of trust of the TSS in time stamping is significantly reduced, and
2) time complexity of Relative Temporal Authentication (RTA) becomes logarithmic with the number of issued time stamps.
An embodiment of the present invention comprises a method of time stamping a digital document using binary linking. A catenate certificate L_{n} is generated by applying a one-way hash function H to a concatenation of the value of the catenate certificate L_{n-1} and the value of a suitably chosen catenate certificate L_{f(n)}, where f is a fixed deterministic function, such as:
L_{n} = H(n, X_{n}, L_{n-1}, L_{f(n)}).
The time t_{n} has been omitted. It should not be taken for granted that the value t_{n} actually represents the submission time of document X_{n}. By choosing the function f appropriately it is possible to verify a one-way relationship between two time certificates with a number of computational steps proportional to the logarithm of the number of time stamped documents that are to be reviewed. A function f of the invention, which was presented at [BLLV98], guarantees logarithmic computational steps in a signature verification.
In an embodiment of the binary linking system of the invention, a linking function f, which satisfies an antimonotonic property such as f(m) < n < m, which implies f(n) > f(m) or f(n) = f(m), is sufficient for the existence of a series n(1), ..., n(k). The indices are such that for each k the time certificate L_{n(k)} is generated exclusively with values of L_{j}, where n(k-1) < j < n(k), and of L_{n(j)} with j < k. Treating intervals between the issuance of different L_{n(k)} as "rounds", the antimonotonic property ensures that the time stamp for a round is not linked directly to the inner time stamps of other rounds.
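The following Python example is an added illustration, not part of the patent text: it implements the linking function f(n) = n - 2^{h(n)} + 1, the certificate rule L_{n} = H(n, X_{n}, L_{n-1}, L_{f(n)}), a search for the shortest verifying chain, and the recomputation of L_{n} from L_{m} along that chain. SHA-256, the byte encoding, the constant value used for L_{0} and all function names are assumptions made for the example.

```python
import hashlib
from collections import deque

def h(n):
    """h(n) = k if n = 2^k - 1, otherwise h(n + 1 - 2^(k-1)) for 2^(k-1) <= n < 2^k - 1."""
    while True:
        k = n.bit_length()
        if n == (1 << k) - 1:
            return k
        n = n + 1 - (1 << (k - 1))

def f(n):
    """Second link of vertex n: f(n) = n - 2^h(n) + 1 (the first link is always n - 1)."""
    return n - (1 << h(n)) + 1

def link(n, x, l_prev, l_f):
    """L_n = H(n, X_n, L_{n-1}, L_{f(n)}); SHA-256 and the encoding are assumptions."""
    return hashlib.sha256(n.to_bytes(8, "big") + x + l_prev + l_f).digest()

def issue(items):
    """Link items X_1..X_N; returns [L_0, L_1, ..., L_N] with a constant L_0 (assumption)."""
    L = [bytes(32)]
    for n, x in enumerate(items, 1):
        L.append(link(n, x, L[n - 1], L[f(n)]))
    return L

def chain(m, n):
    """Shortest verifying chain (m, ..., n), found breadth-first over j -> f(j), j -> j-1."""
    if m > n:
        raise ValueError("a chain only leads from the later stamp back to the earlier one")
    came_from, queue = {n: None}, deque([n])
    while queue:
        j = queue.popleft()
        if j == m:
            break
        for t in (f(j), j - 1):
            if t >= m and t not in came_from:
                came_from[t] = j
                queue.append(t)
    path = [m]
    while path[-1] != n:
        path.append(came_from[path[-1]])
    return path

def ts_data(m, n, items, L):
    """Per chain step: index, item X_j, and the one link value that is not on the chain."""
    c = chain(m, n)
    return [(j, items[j - 1], L[f(j)] if lo == j - 1 else L[j - 1])
            for lo, j in zip(c, c[1:])]

def verify(m, l_m, n, l_n, data):
    """Recompute L_n from L_m; True only if every step is a real link and the hashes agree."""
    at, cur = m, l_m
    for j, x, other in data:
        if at == j - 1:
            cur = link(j, x, cur, other)
        elif at == f(j):
            cur = link(j, x, other, cur)
        else:
            return False          # the claimed step is not a link of the scheme
        at = j
    return at == n and cur == l_n

# Constructed sample: fifteen items X_1..X_15, i.e. the graph T_4.
ITEMS = [hashlib.sha256(b"document %d" % i).digest() for i in range(1, 16)]
LINKS = issue(ITEMS)

if __name__ == "__main__":
    print(chain(4, 10))
    print(verify(4, LINKS[4], 10, LINKS[10], ts_data(4, 10, ITEMS, LINKS)))
```

For the constructed fifteen-item sample, chain(4, 10) returns the chain (4, 5, 6, 7, 10) given in Example 2.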
In another embodiment of the invention, the moment of signing, not just the moment of submitting, is certified. Before signing a document X a principal P generates a nonce N and time stamps it. A nonce is a long random bit string, with an arbitrary length judged sufficient to reduce the probability of a conflict with another time stamp to insignificance. The time stamp L(N) of N is then included in the document, the document signed, and a time stamp certification L(S) of the signature S = D_{P}(L(N), X) results. From the standpoint of the TSS, the time stamping events are identical; that is, the TSS does not know or need to know whether the time stamping is for a nonce or for meaningful data. For the verification of the document X, the verifier compares both time stamps with other time stamps trusted by the verifier, which may be nonces developed for this purpose.
Since the dependencies between L(N), S, and L(S) are one-way, the verifier can conclude that the signature was created in the time frame between the moments of issuance of L(N) and of L(S), respectively. If these moments are close enough in time, the signing time can be ascertained with precision. In this embodiment there are no supplementary duties for the TSS or other principals.
In yet another embodiment, limited reliance on the TSS allows for a simplified system:
1) the client sends a data item X to the TSS to be time stamped,
2) the TSS responds immediately with the current L_{n} and the necessary data for verifying the one-way dependency between L_{n} and the time stamp for the previous round, signs to create an L_{n}, and sends the signature D_{TSS}(n, L_{n}) to the client, and
3) if the round is over, the client may apply to the TSS for the data necessary to verify a one-way relationship between L_{n} and the time stamp for the round.
The above embodiment thereby reduces the need for trusting the TSS in maintaining the temporal order of time stamped documents by preventing the TSS from having an opportunity to rearrange the documents.
It will be seen that by providing time stamp verification which is independent, or at least, relatively independent, of the TSS or third parties, the integrity of the signature is significantly improved.
Definition A*t e fee ft given (p, ) and &, H) Unkmy βeht u tnd Λ monβtoiάcΛtb taαwatrnj function {: H → ti. Bg o iβ,ξ_{x}6, )ϋnking totem* we mean m procedure for linking β family (H*) of dot* ήtms toget e using mua&erg Imk f ϋn Σ oni £ Λo $f_ ng the recwowe formla*
r : ∑(r)  H{7i_{r}, C^ , ... , A._{(1}_, ^ )H, :"ff(H , _{1Λi},... >^m_{ι} ._{llnJ}) i vhen tn end ό ^{l}(r) m
TABLE II
PΓOC TBDaia(m_{t}n) 2 Daea^øH
D*i* s« appeod(D**a, H«)
JJUfl Date _{3}= append ata, J^i); n := /(n) ejtt Data _{?}* app« (Data, /<R)); n :^{«} n  1
pjl
H«e, ad(n) :*
ϋ tmf J. Ut & » 0 and & ~ 15 (Fi* 2). In ordar to compute * berth and the taαth efaaaettmne wβ need tatt(lθ) :* (Jϊu, £o, #ι*. . #u. I<ι») . h*ad(10) :« (H_{w}, £*, #τ , ,h*d(<) =(H,Lt,H_{t},Lι) .
TABLE III
We will prove an upper bound for the length of the verifying chain for the linking scheme described in Sect. 6. Let e_{k} = 2^{k} - 1, i.e. e_{k} is the number of the last vertex of T_{k}. To simplify the proof we add the vertex 0 to the scheme and link it with all the vertices that have less than two outgoing links. These are exactly the vertices e_{k}. Let l(a, b) denote the length of the shortest path between a and b. The equations l(0, e_{k}) = 1, l(e_{k-1}, e_{k}) = 2 and e_{k} - e_{k-1} = e_{k-1} + 1 follow immediately from the definition.
Lemma 1. If 0 < a ≤ e_{k} ≤ b then l(a, b) = l(a, e_{k}) + l(e_{k}, b). If e_{k-1} < a < e_{k} then l(a, e_{k}) = l(a, e_{k} - 1) + l(e_{k} - 1, e_{k}).
The claims above follow immediately from the structural properties of the linking scheme.
Lemma 2. If e_{k-1} ≤ a ≤ b < e_{k} then l(a, b) = l(a - e_{k-1}, b - e_{k-1}).
Proof. This follows from the construction of T_{k} from the two copies of T_{k-1}. Here a and b are vertices in the second copy of T_{k-1} (or the last vertex of the first copy), and a - e_{k-1} and b - e_{k-1} are the same vertices in the first copy of T_{k-1} (or the vertex 0). □
Lemma 3. If 0 ≤ a < e_{k} then l(0, a) ≤ k.
Proof. Induction on k.
Base: k = 1. Then a = 0 and l(0, a) = 0 < k.
Step: k > 1. Observe the following cases:
- If 0 ≤ a < e_{k-1} then the induction assumption gives l(0, a) ≤ k - 1 < k.
- If e_{k-1} ≤ a < e_{k} then l(0, a) = l(0, e_{k-1}) + l(e_{k-1}, a) = 1 + l(0, a - e_{k-1}) by Lemma 2. Observe the following cases:
• a = e_{k} - 1. Then l(0, a) = 1 + l(0, a - e_{k-1}) = 1 + l(0, e_{k-1}) = 2 ≤ k.
• a < e_{k} - 1. Then l(0, a) = 1 + l(0, a - e_{k-1}) ≤ 1 + (k - 1) = k by induction assumption.
□
Lemma 4. If 0 < a ≤ e_{k} then l(a, e_{k}) ≤ 2(k - 1).
Proof. Induction on k.
Base: k = 1. Then a = 1 and l(a, e_{k}) = l(1, 1) = 0 = 2(k - 1).
Step: k > 1. Observe the following cases:
- If 0 < a ≤ e_{k-1} then l(a, e_{k}) = l(a, e_{k-1}) + l(e_{k-1}, e_{k}) ≤ 2(k - 2) + 2 = 2(k - 1) by induction assumption.
- If e_{k-1} < a ≤ e_{k} then observe the following cases:
• a = e_{k}. Then l(a, e_{k}) = 0 ≤ 2(k - 1).
• a < e_{k}. Then l(a, e_{k}) = l(a, e_{k} - 1) + l(e_{k} - 1, e_{k}) = l(a - e_{k-1}, e_{k-1}) + 1 by Lemma 2. Induction assumption now gives l(a, e_{k}) = l(a - e_{k-1}, e_{k-1}) + 1 ≤ 2(k - 2) + 1 < 2(k - 1).
□
Proof (Theorem 1). Induction on k. Base: k = 3. In this case one can directly verify that l(a, b) ≤ 4.
Step: k > 3. Observe the following cases:
- If 0 < a < b ≤ e_{k-1} then the induction assumption gives us l(a, b) ≤ 3(k - 1) - 5 < 3k - 5.
- If 0 < a ≤ e_{k-1} < b ≤ e_{k} then l(a, b) = l(a, e_{k-1}) + l(e_{k-1}, b) ≤ 2(k - 2) + l(e_{k-1}, b) by Lemma 4. The following cases are possible:
• b = e_{k}. Then l(e_{k-1}, b) = 2 ≤ k - 1.
• b = e_{k} - 1. Then l(e_{k-1}, b) = 1 ≤ k - 1.
• b < e_{k} - 1. Then Lemmas 2 and 3 give l(e_{k-1}, b) = l(0, b - e_{k-1}) ≤ k - 1.
Thus l(a, b) ≤ 2(k - 2) + k - 1 = 3k - 5.
- If e_{k-1} < a < b ≤ e_{k} then observe the following cases:
• b = e_{k}. Then l(a, b) = l(a, e_{k}) ≤ 2(k - 1) ≤ 3k - 5 by Lemma 4.
• b < e_{k}. Then l(a, b) = l(a - e_{k-1}, b - e_{k-1}) ≤ 3(k - 1) - 5 < 3k - 5 by Lemma 2 and induction assumption.
□
As ⌈log b⌉ = k iff e_{k-1} + 1 < b ≤ e_{k} + 1, we get k ≤ ⌈log b⌉ + 1 and thus
Claims
Priority Applications (4)
Application Number  Priority Date  Filing Date  Title 

US9693598P true  19980818  19980818  
US60/096,935  19980818  
US37593599A true  19990817  19990817  
US09/375,935  19990817 
Applications Claiming Priority (3)
Application Number  Priority Date  Filing Date  Title 

EP99942384A EP1105994A4 (en)  19980818  19990818  Timestamping with binary linking schemes 
AU55775/99A AU5577599A (en)  19980818  19990818  Timestamping with binary linking schemes 
JP2000583317A JP2002530709A (en)  19980818  19990818  Time stamping using binary link system 
Publications (3)
Publication Number  Publication Date 

WO2000011828A1 true WO2000011828A1 (en)  20000302 
WO2000011828A8 WO2000011828A8 (en)  20000602 
WO2000011828A9 WO2000011828A9 (en)  20000817 
Family
ID=26792222
Family Applications (1)
Application Number  Title  Priority Date  Filing Date 

PCT/US1999/019061 WO2000011828A1 (en)  19980818  19990818  Timestamping with binary linking schemes 
Country Status (5)
Country  Link 

EP (1)  EP1105994A4 (en) 
JP (1)  JP2002530709A (en) 
CN (1)  CN1319290A (en) 
AU (1)  AU5577599A (en) 
WO (1)  WO2000011828A1 (en) 