Secure and Efficient Time-Stamping Systems

DISSERTATIONES MATHEMATICAE UNIVERSITATIS TARTUENSIS
19
SECURE AND EFFICIENT
TIME-STAMPING SYSTEMS
HELGER LIPMAA
TARTU 1999
Department of Mathematics, University of Tartu, Estonia
Dissertation is accepted for the commencement of the degree of Doctor of Philosophy (PhD) on April 30, 1999 by the Council of the Department of Mathematics, University of Tartu.
Opponents:
PhD, associate professor Jaak Henno
Tallinn Technical University
Tallinn, Estonia
PhD, principal scientist Kaisa Nyberg
Nokia Research Center
Helsinki, Finland
Commencement will take place on June 30, 1999.
Publication of this dissertation is granted by the governmental financial support to
PhD students.
© Helger Lipmaa, 1999
Tartu Ülikooli Kirjastuse trükikoda (Tartu University Press)
Tiigi 78, 50410 Tartu
Order no. 381
CONTENTS
LIST OF ORIGINAL PUBLICATIONS
INTRODUCTION
Private Keys
Time-Stamping
Main Contributions
Outline of Thesis
1 PREREQUISITES
1.1 Collision-Resistant Hash Functions
1.2 Digital Signatures
1.3 Authentication Graphs
1.4 Merkle's Authentication Tree
2 EXISTING TIME-STAMPING SYSTEMS
2.1 Simple Solutions
2.2 Linear Linking Scheme (LLS)
2.3 Tree-Like Schemes
3 SECURITY OBJECTIVES
3.1 Relative Temporal Authentication
3.2 Discussion: Absolute Time
3.3 Accountable Time-Stamping
3.4 Security Preconditions
3.5 Feasibility Requirements
3.5.1 Connectivity
3.5.2 Graph Density
3.5.3 Connectivity
3.5.4 Accumulated Time-Stamping
3.6 Necessity of Rounds
4 ACCUMULATED LINEAR LINKING SCHEME
4.1 Description of the Authentication Graph
4.2 Role of the TSA
4.3 Stamping Protocol
4.4 Verification Algorithm
4.5 Audit Protocol
5 ANTI-MONOTONE SCHEMES
5.1 Concrete Scheme
5.2 Accumulated Anti-Monotone Graphs
5.3 Proof of Theorem 5.2
6 OPTIMAL GRAPHS
6.1 Optimal Anti-Monotone Schemes
6.2 Threaded Authentication Trees
6.3 Optimality of Threaded Authentication Trees
REFERENCES
INDEX
KOKKUVÕTE (Summary in Estonian)
ACKNOWLEDGEMENTS
List of Figures
1 Merkle's authentication tree V_3.
2 Linear linking scheme with 9 elements.
3 A modification of the linear linking scheme, where every time-stamp is linked with the 2 time-stamps directly preceding it.
4 An example of the time-stamp for round r by the scheme presented in [BdM91].
5 An example of the time-stamp for round r by the scheme presented in [BHS92].
6 Double-stamping a signature.
7 Graph composition G_1 G_2. Here, s G_1.
8 A two-layered linear linking "toy" scheme Λ_4 Λ_4.
9 Databases kept by a TSA.
10 Anti-monotone composition G := G_1 G_2.
11 Construction of G from G.
12 The AM graph T_5.
13 The "toy" accumulated scheme T_2 T_3.
14 Time certificates in the case G = T_5 explained.
15 The optimal anti-monotone scheme U_4.
16 Threaded authentication tree of depth 3.
17 Transforming G into the complete binary tree.
LIST OF ORIGINAL PUBLICATIONS
1. Ahto Buldas, Peeter Laud, Helger Lipmaa, and Jan Villemson. Time-stamping with binary linking schemes. In Hugo Krawczyk, editor, Advances in Cryptology — CRYPTO '98, volume 1462 of Lecture Notes in Computer Science, pages 486–501, Santa Barbara, USA, August 1998. Springer-Verlag.
2. Ahto Buldas, Helger Lipmaa, and Berry Schoenmakers. Optimally efficient accountable time-stamping. Submitted, May 1999.
3. Helger Lipmaa. IDEA: A cipher for multimedia architectures? In Stafford Tavares and Henk Meijer, editors, Selected Areas in Cryptography '98, volume 1556 of Lecture Notes in Computer Science, pages 248–263, Kingston, Canada, 17–18 August 1998. Springer-Verlag.
INTRODUCTION
Because of the increasing importance of international business and communication, it has become necessary to forward signed documents over long distances. The traditional mail system is too slow for the needs of the information society. Radio, TV, fax and computer networks have made it possible to send information from one point to another with the greatest possible speed, the speed of light. Of course, a received electronic document cannot simply be assumed to be authentic, because:
electronic documents can be easily copied and modified without detection;
unlike hand-written characters, digitally encoded characters have no individuality;
the signature of an electronic document is not physically connected to the content of the document.
Due to these disadvantages electronic documents are rarely considered to have any legal force.
A digital signature [DH76, RSA78, Pfi96] is a cryptographic technique that protects digital information (represented as a bit-stream) from undesired modification. Digital signatures are widely used to protect data in secure e-mail systems. A digital signature can effectively substitute for the hand-written signature in the electronic environment. In many countries laws and regulations have been adopted which equate the use and functions of a digital signature with those of a handwritten signature. However, none of these countries has any experience of using digitally signed data as evidence in court.
The legal use of electronic records is increasingly important. One reason, as said above, is that electronic documents enable much faster communication. Another reason is that the archives are full of old paper documents which have legal importance but are used very rarely; saving space in archives is urgently needed. This explains why the initiative to form the Committee on the Law of Electronic Documents in Estonia came from the archivists.
It became clear that the most important step towards the legal use of electronic documents is to enable the legal regulation of digital signatures. Before issuing a law on digital signatures, a definite understanding of the technical details necessary to support the law is indispensable. Thereby, intensive cooperation of lawyers, archivists and data security specialists is needed.
Security techniques used for electronic documents have been developed with an eye on secure messaging systems. However, the secure maintenance of electronic documents with a long lifetime is a more complicated task, and numerous problems in this area have not been solved yet. Some of these are considered below from the viewpoint of data security specialists.
Private Keys
A problem related to the use of digital signatures is the management of the private signature keys. If somebody other than the owner gains access to the private key, he or she will be able to forge the owner's signatures on electronic documents. At that point even the value of legitimately signed documents can be called into question. Moreover, if the signer of a particularly important document (for example, a loan agreement) later wishes to repudiate his or her signature, he or she can dishonestly report the compromise of his or her private key.
Therefore, the verifier of a digitally signed document should be able to ascer-
tain when the document was actually signed. Digital time-stamping is a solution to
this problem.
Time-Stamping
Most time-stamping systems use a trusted third party called the Time-Stamping Authority (TSA). A time-stamp is a digital attestation by the TSA that an identified electronic document, subscribed with a digital signature, has been presented to the TSA at a certain time. Time-stamping is a set of techniques enabling one to ascertain whether an electronic document was created or signed at a certain time.
The real importance of time-stamping becomes clear when there is a need for legal use of electronic documents with a long lifetime. Without time-stamping we can neither trust signed documents once the cryptographic primitives used for signing have become unreliable, nor resolve the cases where the signer himself repudiates the signing, claiming to have accidentally lost his signature key. During the last years, especially in the context of the legal regulation of digital signatures, the organizational and legal aspects of time-stamping have themselves become the subject of world-wide attention. In addition to defining the responsibilities of the owner of the signature, the duties and responsibilities of the third party (the Time-Stamping Authority, TSA) must be stated as well. Hence, there is an increasing interest in time-stamping systems where the need to trust the TSA is minimized. In order to make users liable only for their own mistakes, there has to be a way to identify the offender.
Unlike physical objects, digital documents carry no seal of time. Thus, associating an electronic document uniquely with a certain moment of time is very complicated, if not impossible. Even by the theory of relativity, no absolute time exists. The best we can achieve with time-stamping is relative temporal authentication (RTA), based on the complexity-theoretic assumption that collision-resistant hash functions exist. RTA enables a verifier, given two time-stamped documents, to determine which of the two was created earlier.
Some ten years ago time-stamping was considered an uninteresting area, since the only known time-stamping method employed a completely trusted third party, the Time-Stamping Authority: whatever the TSA said, the clients had to believe. More people became interested in this field after the seminal publication [HS90] of Haber and Stornetta, where it was shown that the trust in the TSA can be greatly reduced by using so-called linking schemes. Several papers improving the original schemes were published in the early nineties. The surge of papers soon dried up, since it seemed that everything attainable had been attained, and the area was again considered uninteresting, until [BLLV98] was published.
Main Contributions
Our contributions to the field are manifold. First, the paper [BLLV98] by Buldas, Laud, Lipmaa and Villemson was the first scientific paper to explicitly treat the (extremely strong) security requirements of legally applicable time-stamping. Starting from the recognition that absolute temporal authentication is impossible, this paper presented a new set of protocols that enables one to prove relative temporal authentication, and to detect and demonstrate frauds by the trusted third party (i.e., the proposed time-stamping system was accountable). A number of previously proposed time-stamping systems were examined and discarded. It was also shown that the linear linking scheme of Haber and Stornetta [HS90, HS91] can be used to achieve accountability, but the resulting system would be plainly impractical. A new system (based on "binary linking schemes") was proposed that was both accountable and practical.
The paper [BL98] by Buldas and Laud formalized the "anti-monotonicity" requirement that these binary linking schemes had to satisfy and defined a new anti-monotone binary linking scheme (AM scheme for short), whose certificate sizes are tightly optimal in the class of AM schemes.
Further, the paper [BLS99] of Buldas, Lipmaa and Schoenmakers showed that the anti-monotonicity requirement is unnecessary for accountability. A new family of graphs ("threaded authentication trees") was proposed, and it was proven that this family is tightly optimal (in certificate size) in the class of all acyclic digraphs. In fact, the term "accountable time-stamping" was first proposed by this paper. This paper also specified the security requirements by explicitly listing the security preconditions under which accountability can be achieved. For the first time, the publication protocol between the time-stamping authority and the publishing authority was also discussed. It was shown that the publishing process does not have to be blindly trusted: it is possible to establish which party is guilty of a wrong publication (the publication protocol is, however, not discussed in this thesis).
Apart from the intra-round optimizations, the paper [BLLV98] also defined accumulated time-stamping, where the cumulative round stamps are connected with each other in the same manner as the stamps of one round. Such a two-layered approach enables efficient verification of the one-way dependency between stamps issued in different rounds even when the TSA does not have a copy of the stamps from intermediate rounds. Hence, the storage requirements of the TSA decrease drastically. A manuscript [Lip99] of the author of this thesis formalizes and simplifies accumulated time-stamping.
Briefly, our objective was to elaborate a secure and efficient time-stamping system. This objective was achieved. Moreover, the new system is tightly optimal under some reasonable assumptions. We would like to stress that optimal efficiency is a hard thing to attain. While our systems are optimal in space complexity, they may not be optimal in time complexity. Optimality in time would also depend on the use of fast cryptographic primitives and on fast implementations of these. Nobody knows the lower bound of the time complexity of collision-resistant hash functions. Moreover, as exemplified in [Lip98], the speed of cryptographic primitives intrinsically depends on the hardware used and on the programming skills of the implementer.
Outline of Thesis
In Sect. 1 we give a brief survey of the cryptographic prerequisites. In Sect. 2 the time-stamping solutions proposed to date are analyzed. Sect. 3 clarifies the security objectives of time-stamping by giving the essential requirements on time-stamping systems. In Sect. 4 the protocols of the new time-stamping system are described using the linear linking scheme. In Sect. 5 anti-monotone schemes are introduced and a scheme with logarithmic verification time is presented. Finally, in Sect. 6, optimal schemes are investigated, and a new scheme that is tightly optimal in the general case is proposed.
1 PREREQUISITES
1.1 Collision-Resistant Hash Functions
Definition 1 (Collision-resistant hash function) A collision-resistant hash function ([MOV96, Sect. 9.2]) is a function H which has the following properties:
compression: H maps an input x of arbitrary finite bit-length to an output H(x) of fixed bit-length χ;
ease of computation: given H and an input x, H(x) is easy to compute;
preimage resistance: for essentially all pre-specified outputs, it is computationally infeasible to find any input which hashes to that output, i.e., to find any preimage x' such that H(x') = y when given any y for which a corresponding input is not known;
second-preimage resistance: it is computationally infeasible to find any second input which has the same output as any specified input, i.e., given x, to find a second preimage x' ≠ x such that H(x') = H(x); and
collision resistance: it is computationally infeasible to find any two distinct inputs x, x' which hash to the same output, i.e., such that H(x) = H(x'). (Note that here there is free choice of both inputs.)
While the existence of collision-resistant hash functions (CRHF) is still an important open problem, there exists a plethora of fast candidate hash functions, including SHA-1 [NIS94] and RIPEMD-160 [DBP96]. For a recent overview of the literature on the connections between collision-resistant hash functions and other cryptographic primitives, we direct readers to [Sim98].
1.2 Digital Signatures
Another cryptographic primitive we use is the digital signature [DH76, RSA78]. In what follows, let sig_A(M) be A's signature on the message M. Since the time-stamping protocols require the principals to sign arbitrary data, the signature scheme used should be secure against adaptive chosen-message attack [GMR88]. The most efficient secure signature schemes [CS98, GHR99] known at the current moment are based on the recently proposed Strong RSA Assumption [BP97].
1.3 Authentication Graphs
Let G = (V, E) be a directed acyclic graph (DAG), which we assume to be topologically sorted (i.e., for each edge (v, w) ∈ E we have v < w), where V = {1, ..., n(G)} and n(G) := |V|. Furthermore, we assume that the vertex n(G) ∈ V is the unique sink of G, which we sometimes call the root of G. The set of sources of G is denoted by G. We say that G is simply connected if there is a directed path between any two vertices v and w with v < w (or equivalently, if (v, v + 1) ∈ E for all v except the root).
As a general notation, let L_N := (L_{n_1}, ..., L_{n_k}), where n_1 < ... < n_k are the elements of N in strictly increasing order. Recall that H denotes a CRHF. As a generalization of Merkle's authentication trees [Mer80], we introduce authentication graphs G as labeled DAGs with the labels assigned in the following manner. Each source v of G is labeled by a label L_v = H_v, where H_v is a given string specific to source v. The label of a non-source vertex v is computed as a function of the labels of its proper ancestors (direct predecessors) E^{-1}(v): L_v = H(L_{E^{-1}(v)}).
We say that v ∈ V is computable from W ⊆ V if either
1. v ∈ W, or
2. E^{-1}(v) ≠ ∅ and all w ∈ E^{-1}(v) are computable from W.
We say that W_1 ⊆ V is computable from W_2 ⊆ V if all v ∈ W_1 are computable from W_2. For any path π = (v_1, ..., v_k) in G from a source to the root, we say that the set AP_G(π) := E^{-1}(π) \ π is the authenticator of π. Clearly, π is computable from AP_G(π) ∪ {v_1}. A vertex v' computable from π is consistent with π if the subgraph of G induced by π ∪ {v'} is a subgraph of some authentication graph (i.e., if there are no internal inconsistencies in calculating the L_v's of the joint graph).
Figure 1: Merkle's authentication tree V_3. Sources: L_1 = H_1, ..., L_8 = H_8. Inner vertices: L_9 = H(L_1, L_2), L_10 = H(L_3, L_4), L_11 = H(L_5, L_6), L_12 = H(L_7, L_8), L_13 = H(L_9, L_10), L_14 = H(L_11, L_12); root: L_15 = H(L_13, L_14).
Let d(v, w) denote the distance from vertex v to vertex w, that is, the length of the shortest path from v to w, and let dpt(G) := max_{v ∈ V} d(v, n(G)) be the depth of G. We say that G is dense if dpt(G) = log |V| + O(1).
1.4 Merkle's Authentication Tree
As an example, let us look at Merkle's authentication tree V_d = (V, E) [Mer80] with 2^d sources (V_3 is depicted in Figure 1). Trivially, V_d is an authentication graph. V_d is not simply connected, but it is dense (dpt(V_d) = d = log_2(n(V_d) + 1) − 1). Let π = (3, 10, 13, 15) be a path in V_3. The corresponding authenticator is AP_{V_3}(π) = {4, 9, 14}.
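The definitions of Sect. 1.3 (labels, computability, authenticator) worked on the tree V_3 of Figure 1, as an added Python example that is not part of the thesis. It assumes H = SHA-256 (the thesis only requires a collision-resistant hash; SHA-1, named as a candidate in Sect. 1.1, has had practical collisions published since 2017), and the source strings H_v and all function names are constructed for the example.

```python
import hashlib


def h(*parts: bytes) -> bytes:
    """H(L_{n_1}, ..., L_{n_k}): SHA-256 of the labels concatenated in increasing
    vertex order (the hash of Sect. 1.3; SHA-256 is an assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()


def merkle_tree_edges(depth: int) -> list:
    """Edge set of V_depth: sources 1..2^depth, inner vertices numbered upward
    level by level, root = 2^(depth+1) - 1 (matches Figure 1 for depth = 3)."""
    edges = []
    level = list(range(1, 2 ** depth + 1))
    nxt = 2 ** depth + 1
    while len(level) > 1:
        parents = []
        for i in range(0, len(level), 2):
            edges += [(level[i], nxt), (level[i + 1], nxt)]
            parents.append(nxt)
            nxt += 1
        level = parents
    return edges


def preds(edges, v):
    """E^{-1}(v): the direct predecessors of v, in increasing order."""
    return sorted(w for (w, u) in edges if u == v)


def label_graph(edges, source_labels):
    """All labels L_v: a source gets L_v = H_v, any other vertex L_v = H(L_{E^{-1}(v)})."""
    n = max(max(e) for e in edges)
    L = {}
    for v in range(1, n + 1):            # topological order: v < w for every edge (v, w)
        p = preds(edges, v)
        L[v] = source_labels[v] if not p else h(*(L[w] for w in p))
    return L


def computable(edges, v, W):
    """v is computable from W iff v is in W, or E^{-1}(v) is non-empty and
    every direct predecessor of v is computable from W."""
    if v in W:
        return True
    p = preds(edges, v)
    return bool(p) and all(computable(edges, w, W) for w in p)


def authenticator(edges, path):
    """AP_G(pi) = E^{-1}(pi) \\ pi: the labels needed besides the path's own."""
    pi = set(path)
    return {w for v in path for w in preds(edges, v)} - pi


def recompute_along(edges, path, known):
    """Recompute the labels along `path` from the labels in `known` (which must
    cover the path's source and AP_G(path)); returns the label of the last vertex."""
    L = dict(known)
    for v in path:
        p = preds(edges, v)
        if p:
            L[v] = h(*(L[w] for w in p))
        elif v not in L:
            raise ValueError("source %d is not known" % v)
    return L[path[-1]]


if __name__ == "__main__":
    edges = merkle_tree_edges(3)
    H_v = {v: h(b"document %d" % v) for v in range(1, 9)}      # constructed source strings
    L = label_graph(edges, H_v)
    path = [3, 10, 13, 15]
    ap = authenticator(edges, path)
    print("AP(pi) =", sorted(ap))                               # [4, 9, 14]
    known = {v: L[v] for v in ap | {3}}
    print("root reproduced:", recompute_along(edges, path, known) == L[15])
```

A verifier holding only L_3, the authenticator labels and the published root L_15 reproduces the root with three hash evaluations; changing any of the four inputs changes the result, which is all that collision resistance of H guarantees.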
2 EXISTING TIME-STAMPING SYSTEMS
2.1 Simple Solutions
Let us first describe a "naïve" solution, the "digital safety-deposit box" [HS91, Sect. 3]. Whenever a client has a document to be time-stamped, he or she transmits the document to a time-stamping authority (TSA). The authority records the date and time the document was received and retains a copy of the document for safe-keeping. If the integrity of the client's document is ever challenged, it can be compared to the copy stored by the TSA. If they are identical, this is evidence that the document has not been tampered with after the date contained in the TSA records. This procedure does in fact meet the central requirements for the time-stamping of a digital document. However, this approach raises several concerns:
Privacy This method compromises the privacy of the document in two ways: a third party could eavesdrop while the document is being transmitted, and after transmission it is available indefinitely to the TSA itself. Thus the client has to worry not only about the security of documents it keeps under its direct control, but also about the security of its documents at the TSA.
Bandwidth and storage Both the amounts of time required to send a document
for time-stamping and the amount of storage required at the TSA depend on
the length of the document to be time-stamped. Thus the time and expense
required to time-stamp a large document might be prohibitive.
Incompetence The TSA copy of the document could be corrupted in transmission
to the TSA, it could be incorrectly time-stamped when it arrives at the TSA,
or it could become corrupted or lost altogether at any time while it is stored
at the TSA. Any of these occurrences would invalidate the client’s time-
stamping claim.
Trust The fundamental problem remains: nothing in this scheme prevents the TSA
from colluding with a client in order to claim to have time-stamped a docu-
ment for a date and time different from the actual one.
The next simple time-stamping protocol, discussed by Haber and Stornetta [HS91, Sect. 4], addresses the first three concerns listed above. The final issue, trust, will be handled in the subsequent sections. In this protocol, the TSA appends the current time t to the submitted document X, signs the composite document (t, X) and returns the two values t and s = sig_TSA(t, X) to the client. The weaknesses of this scheme are the unreliability of old time-stamps after a possible leakage of the signature key of the TSA, and the impossibility of verifying whether s was actually issued at the time t stated in the time-stamp, implying that the TSA has to be unconditionally trusted. Because of these drawbacks it has been widely accepted that a secure time-stamping system cannot rely solely on keys or on any other secret information. Two recent overviews of existing time-stamping solutions are [MQ97] and [Jus98a].
2.2 Linear Linking Scheme (LLS)
In order to diminish the need for trust, the users may demand that the TSA link all time-stamps together into a chain using a collision-resistant hash function H, as was proposed in [HS91, Sect. 5.1, variant 1] (Figure 2). In this case the time-stamp for the n-th submitted document H_n is
s_n = sig_TSA(n, t_n, ID_n, H_n, L_n),
where t_n is the current time, ID_n is the identifier of the submitter and L_n is the linking information defined by the recursive equation
L_n := (t_{n-1}, ID_{n-1}, H_{n-1}, H(L_{n-1})).
Figure 2: Linear linking scheme with 9 elements (linking items L_1, ..., L_9 over data items H_1, ..., H_9).
There are several complications with the practical implementation of this scheme. The most important is that the number of steps needed to verify the one-way relationship between two stamps is linear in the number of stamps between them. Hence, a single verification may be as costly as creating the whole chain. This solution also has impractical trust and broadcast requirements, as was already pointed out in [BdM91]. A modification was proposed in [HS91, Sect. 5.1, variant 2] (Figure 3) where every time-stamp is linked with the k > 1 time-stamps directly preceding it. This variation decreases the broadcast requirements at the cost of increasing the space needed to store individual stamps.
Figure 3: A modification of the linear linking scheme, where every time-stamp is linked with the 2 time-stamps directly preceding it (linking items L_1, ..., L_8).
2.3 Tree-Like Schemes
Two similar schemes based on Merkle's authentication trees [Mer80] have been proposed [BdM91, BHS92]. In the Haber–Stornetta scheme [BHS92, HS97], the time-stamping procedure is divided into rounds. The time-stamp R_r for round r is a cumulative hash of the time-stamp R_{r-1} for round r − 1 and of all the documents submitted to the TSA during round r. After the end of the r-th round a binary tree T_r is built.
Every participant P_i who wants to time-stamp at least one document in this round submits to the TSA a hash y_{r,i}, which is a hash of R_{r-1} and of all the documents he wants to time-stamp in this round. The sources of T_r are labeled by the different y_{r,i}. Each inner node k of T_r is recursively labeled by H_k := H(H_{k_L}, H_{k_R}) [HS97], where k_L and k_R are respectively the left and the right proper ancestor of k, and H is a collision-resistant hash function. The TSA has to store only the time-stamps R_r of the rounds (Figure 4). All the remaining information required to verify whether a certain document was time-stamped during a fixed round is included in the individual time-stamp of the document.
Figure 4: An example of the time-stamp for round r by the scheme presented in [BdM91] (vertices R_{r-1}, y_{r,1}, ..., y_{r,4}, H_4, H_5, H_6, R_r).
For example, the individual time-stamp for y_{r,3} is (r; y_{r,4}, L; H_4, R). The verifying procedure for the time-stamp of y_{r,3} consists of verifying the equality
R_r = H(H(H_4, H(y_{r,3}, y_{r,4})), R_{r-1}).
Here, the size of a single time-stamp is logarithmic in the number of participants submitting their documents to the TSA for the current round.
The Haber–Stornetta tree scheme [BHS92, HS97] (Figure 5) differs slightly from the Benaloh–de Mare scheme [BdM91]. Here, the time-stamp R_n for the n-th round is linked directly to R_{n-1}, enabling the verifier to check one-way dependencies between the R_i without examining the individual time-stamps of the submitted documents. This is impossible in the Benaloh–de Mare scheme. However, in the Haber–Stornetta scheme the individual time-stamps in the n-th round are not linked to the time-stamp R_{n-1} of the previous round.
Figure 5: An example of the time-stamp for round r by the scheme presented in [BHS92] (vertices R_{r-1}, R_r, y_{r,1}, ..., y_{r,4}, H_4, H_5, H_6).
These schemes are feasible, but they provide RTA for documents issued during the same round only if we unconditionally trust the TSA to maintain the order of the time-stamps in T_r. Therefore, this method either increases the need for trust or else limits the maximum temporal duration of a round to insignificant units of time. However, if the number of documents submitted during a round is too small, the expense of time-stamping a single document may become unreasonably large (Sect. 3.5.4).
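One round of a tree-like scheme in the style of Figure 4, as an added Python example that is not part of the thesis: the TSA builds T_r over the y_{r,i}, hands each participant only its path of sibling labels, and keeps only R_r; the verification equation quoted above for y_{r,3} is exactly what `verify` recomputes. Assumptions of this example: H = SHA-256, the number of participants is a power of two, the side flag in a certificate records on which side the sibling label is concatenated (my own convention, not necessarily the thesis's L/R flags), and all inputs and names are constructed. The last function makes the point of the previous paragraph concrete: the leaf position a certificate encodes is whatever order the TSA chose, so two certificates of the same round prove no order between their documents.

```python
import hashlib


def H(*parts: bytes) -> bytes:
    """Collision-resistant hash of the tree; SHA-256 is an assumption."""
    return hashlib.sha256(b"".join(parts)).digest()


def round_input(prev_round: bytes, *documents: bytes) -> bytes:
    """y_{r,i}: a participant's hash of R_{r-1} and of all its documents of the round."""
    return H(prev_round, *documents)


def build_round(leaves, prev_round):
    """Build T_r over the y_{r,i} and return (R_r, certificates). certificates[i]
    is the list of (sibling_label, side) pairs from leaf i up to the root; side
    says on which side the sibling is concatenated (example convention)."""
    if len(leaves) & (len(leaves) - 1):
        raise ValueError("number of participants must be a power of two (assumption)")
    level = list(leaves)
    pos = list(range(len(leaves)))          # position of each leaf in the current level
    certs = [[] for _ in leaves]
    while len(level) > 1:
        for j, p in enumerate(pos):
            certs[j].append((level[p ^ 1], "L" if p & 1 else "R"))
            pos[j] = p // 2
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return H(level[0], prev_round), certs   # R_r = H(root of T_r, R_{r-1})


def verify(leaf, cert, prev_round, R_r) -> bool:
    """Recompute R_r from one y_{r,i} and its certificate; nothing else is needed,
    so the TSA can discard everything except R_r."""
    cur = leaf
    for sibling, side in cert:
        cur = H(sibling, cur) if side == "L" else H(cur, sibling)
    return H(cur, prev_round) == R_r


def position_in_round(cert) -> int:
    """Leaf index encoded by the side flags. It is the order the TSA chose when
    building T_r; no hash dependency forces it, so two certificates of the same
    round cannot prove which document was submitted first."""
    return sum(1 << k for k, (_, side) in enumerate(cert) if side == "L")


if __name__ == "__main__":
    R_prev = H(b"R_{r-1} (constructed)")
    ys = [round_input(R_prev, b"document of P%d" % i) for i in range(1, 5)]
    R_r, certs = build_round(ys, R_prev)
    print("certificate of y_{r,3}:", [(s.hex()[:8], side) for s, side in certs[2]])
    print("verifies:", verify(ys[2], certs[2], R_prev, R_r))
    # The TSA may place the same leaves in another order; every certificate still verifies.
    R_alt, certs_alt = build_round([ys[2], ys[1], ys[0], ys[3]], R_prev)
    print("reordered round verifies too:", verify(ys[2], certs_alt[0], R_prev, R_alt))
```

The certificate for y_{r,3} comes out as the two pairs (y_{r,4}, R) and (H_4, L), i.e. two labels for four participants, and the verifier needs R_{r-1} and R_r only; the reordered round shows why intra-round order still rests on trust in the TSA.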
3 SECURITY OBJECTIVES
In the following we give a definition of time-stamping systems applicable in legal situations. Later we justify our approach and compare it to older ones.
A time-stamping system consists of a set of principals, including the time-stamping authority (TSA), together with a triple (S, V, A) of protocols. The stamping protocol S allows each participant to post a message. The verification algorithm V is used by a principal holding two stamps to verify the temporal order between those time-stamps. The audit protocol A is used by a principal to verify whether the TSA carries out its duties. Additionally, no principal (in particular, not the TSA) should be able to produce fake time-stamps without being caught (this notion is formalized in Sect. 3.3).
A time-stamping system has to be able to handle time-stamps which are anonymous and do not reveal any information about the content of the stamped data. The TSA is not required to identify the initiators of time-stamping requests. Our notion of a time-stamping system differs from the one given in, e.g., [BdM91] in several important respects. Below we motivate the differences.
3.1 Relative Temporal Authentication
The main security objective of time-stamping is temporal authentication (a phrase probably coined by Michael Just [Jus98b]): the ability to prove that a certain document was created at a certain moment of time. Although the creation of a digital data item is an observable event in the physical world, the moment of its creation cannot be ascertained by observing the data itself (moreover, even by the theory of relativity, no such thing as absolute time exists). The best one can do is to check the relative temporal order between some auxiliary data (i.e., prove relative temporal authentication, RTA) using one-way dependencies that define the arrow of time, analogous to the way in which the growth of entropy defines the arrow of time in the physical world [Haw88, Chap. 9].
All (but the very simplest) time-stamping systems that we describe use some authentication graph G built in a black-box manner upon a collision-resistant one-way hash function H. In such cases one says that n is one-way dependent on m if there is a G-path from m to n. The intuition behind this is the following "rough" derivation rule:
If H(X) and X are known to a principal A at a moment t, then someone (possibly A himself) used X to compute H(X) at a moment prior to t.
All proposed time-stamping systems make sense only under the hypothesis that collision-free one-way hash functions exist.
Vertices of G are also sometimes referred to as linking items. In the context of time-stamping, H_n (also referred to as a data item) denotes the (hash of the) n-th time-stamped document. The time certificate Cert(n) of H_n is equal to (n, L_N) for some N ⊆ {1, ..., n(G)} (the exact definition depends on the graph G and will be given later). To achieve RTA it is necessary for some L_n in Cert(n) to be one-way dependent on some element L_m of Cert(m), whenever m < n.
Note that such a one-way relationship between L_m and L_n does not prove that at the moment of creating H_m the bit-string H_n did not yet exist. All we know is that H_m did exist at the moment of creating L_n.
3.2 Discussion: Absolute Time
The stamp of H_n does not contain any absolute time t_n, because it cannot be taken for granted that the value t_n indeed represents the submission time of H_n. The only way for a principal to associate a stamp with a certain moment of time is to stamp a nonce at this moment. By a nonce we mean a sufficiently long (say, k-bit, k ≥ 160) random bit-string, such that the probability that it has already been time-stamped is negligible (easily achieved if the bit-string is generated using a cryptographically strong pseudo-random number generator).
In order to verify the absolute creation time of a document time-stamped by another principal, the verifier has to compare the time-stamp with the time-stamps of nonces generated by the verifier herself. In this solution there are no supplementary duties either for the TSA or for the other principals. The use of nonces illustrates the similarity between time-stamping and ordinary authentication protocols, where nonces are used to prevent the possible reuse of old messages from previous communications (a reader interested in authentication protocols is directed to, e.g., [BR93]).
By using relative temporal authentication it is possible to determine not only the submission time of a signature but also the time of signing the document. Before signing a document X, the principal A generates a nonce R and stamps it. He then includes the stamp L(R) of R in the document (Figure 6), signs it and obtains the stamp L(X') of the signature X' = sig_A(L(R), X). From the viewpoint of the TSA these two stamping events are identical (it need not be aware whether it is stamping a nonce or meaningful data). For the verification of the document X, the verifier has to compare both these stamps with the stamps trusted by her. As there are one-way dependencies between L(R), X' and L(X'), the verifier may conclude that the signature was created in the time-frame between the moments of issuance of L(R) and of L(X') respectively. If these moments are close enough, the signing time can be ascertained with the necessary precision.
ATSA
L R
R
X
L X
X H sigAX L R
R0 1 k
Figure 6: Double-stamping a signature.
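The double-stamping procedure above, as an added example that is not part of the thesis: a toy linear-linking TSA, a principal $A$ who stamps a nonce, signs $(L_R, X)$ and stamps the signature, and a verifier who checks the one-way chain from $L_R$ to $L_{X'}$ and brackets the signing event with nonces she stamped herself. The `ChainTSA` class, the HMAC used in place of $A$'s digital signature, the fixed start value $L_0$ and the constructed documents are assumptions of this example, not constructions of the thesis; the verifier reads the TSA's linking data straight from its on-line database.

```python
import hashlib
import hmac
import secrets


def H(*parts: bytes) -> bytes:
    """Collision-resistant hash used for all linking; SHA-256 stands in for the thesis's H."""
    return hashlib.sha256(b"\x00".join(parts)).digest()


class ChainTSA:
    """Toy linear linking TSA (this example's own model): L_n = H(H_n, L_{n-1}).
    The TSA only ever sees data items H_n, never what they mean."""

    def __init__(self) -> None:
        self.L = [H(b"genesis")]   # L[0] is a fixed start value (assumption); L[n] is stamp n
        self.items = [None]        # items[n] is the data item H_n submitted for stamp n

    def stamp(self, Hn: bytes) -> tuple:
        self.items.append(Hn)
        self.L.append(H(Hn, self.L[-1]))
        n = len(self.L) - 1
        return n, self.L[n]


def sign(key: bytes, msg: bytes) -> bytes:
    """Stand-in for sig_A (assumption of this example): an HMAC under A's secret key
    replaces a public-key signature so that the code runs on the standard library."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def double_stamp(tsa: ChainTSA, key: bytes, X: bytes, k: int = 160) -> dict:
    """Figure 6: stamp a fresh k-bit nonce R, sign (L_R, X), then stamp the signature."""
    R = secrets.token_bytes(k // 8)
    nR, LR = tsa.stamp(H(R))              # first stamp: the TSA receives H(R), not R
    sig = sign(key, LR + X)               # X' = sig_A(L_R, X): depends on L_R
    nX, LX = tsa.stamp(H(sig))            # second stamp: L_{X'} depends on the signature
    return {"R": R, "nR": nR, "LR": LR, "sig": sig, "nX": nX, "LX": LX}


def verify_double_stamp(tsa: ChainTSA, key: bytes, X: bytes, ev: dict) -> bool:
    """Verifier's checks on the evidence ev: R really was stamped at position nR, the
    signature commits to L_R and X, the signature really was stamped at position nX, and
    the linking data between the two positions forms a consistent one-way chain."""
    nR, nX = ev["nR"], ev["nX"]
    if not (0 < nR < nX <= len(tsa.L) - 1):
        return False
    HR = H(ev["R"])
    if tsa.items[nR] != HR or ev["LR"] != H(HR, tsa.L[nR - 1]):
        return False
    if not hmac.compare_digest(ev["sig"], sign(key, ev["LR"] + X)):
        return False
    if tsa.items[nX] != H(ev["sig"]):
        return False
    L = ev["LR"]
    for i in range(nR + 1, nX + 1):       # replay the chain from L_R up to L_{X'}
        L = H(tsa.items[i], L)
    return L == ev["LX"] == tsa.L[nX]


def absolute_window(ev: dict, marks: dict) -> tuple:
    """marks maps stamp positions of nonces the verifier stamped herself to the wall-clock
    time she did so. Returns the tightest (not earlier than, not later than) pair of those
    labels around the signing event: it happened after L_R and before L_{X'}."""
    before = max((n for n in marks if n <= ev["nR"]), default=None)
    after = min((n for n in marks if n >= ev["nX"]), default=None)
    return (marks.get(before), marks.get(after))
```

The verifier never learns an absolute time from the TSA; `absolute_window` only relates the two positions of the evidence to positions at which she stamped her own nonces, which is exactly the comparison with "stamps trusted by her" described above. Changing the document, the key, or the claimed position of the nonce makes `verify_double_stamp` fail.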
3.3 Accountable Time-Stamping
A time-stamping system must have properties enabling users to verify whether
an arbitrary time certificate is correct or not. (As we already noted, possession
of two documents with corresponding time certificates is not enough to prove the
RTA between the documents because everyone is able to produce fake chains of
stamps.)
A time-stamping system should allow
1. To determine whether the time certificates possessed by an individual have
been tampered with; and
2. In the case of tampering, to determine whether the certificates were tampered with by the TSA or tampered with after issuing (generally by unknown means). In the second case, there is no one to bring an action against.
As a general principle, the principals interested in the legal use of stamps should themselves verify their correctness immediately after issuing (using signatures and other techniques discussed later), because if the signature of the TSA becomes unreliable, the signed time-stamps cannot be used as evidence.
In order to increase the trustworthiness of time-stamping services it should be possible for the clients to periodically inspect the TSA. Also, in the case when the TSA is not guilty, he should have a mechanism to prove his innocence, i.e., that he has not issued a certain time-stamp during a certain round.
Additionally, the TSA must regularly publish, in an authenticated manner, the time-stamps for rounds [BdM91] in the mass media. If the time-stamping protocol includes (by using collision-resistant one-way hash functions)
1. the message digest of every time-stamp issued during the $r$-th round in the time-stamp for the $r$-th round, and
2. the message digest of the time-stamp for round $r-1$ in every time-stamp issued during the $r$-th round,
it will be intractable for anyone to undetectably forge a time-stamp. The forgery detection procedures should be simple. Forgeries should be detectable either during the stamping protocol (when the time-stamp, signed by the TSA, fails to be correct) or later, when it turns out to be impossible to establish the temporal order between two otherwise correct time-stamps (see Sect. 4 for details).
Definition 2 A time-stamping system is accountable if (under some reasonable security assumptions) it makes the trusted third parties accountable for their actions by enabling a principal to detect, and later prove to a judge, any fraud. Moreover, if a party has honestly followed the protocol but is still accused of forgery, she can explicitly disprove any false accusations.
3.4 Security Preconditions
In the current subsection we postulate some security assumptions. It can be shown
that the later proposed time-stamping systems are accountable if the following —
usually tacitly assumed in the crypto context — conditions hold:
Liveliness. The TSA responds to the clients instantaneously (i.e., there are no Denial of Service attacks). "Denial of Service" attacks are extremely powerful against time-stamping systems (indeed, the whole concept of a TSI would become meaningless if DoS attacks against it were easy to mount) and should therefore be taken very seriously.
Competence of honest parties. The party willing to prove misbehaviour of other parties is honest and competent. In particular, she verifies the signatures and does not accept a stamp if the verification fails.
Key secrecy. The signing keys of the TSA are not compromised until the end of the next round. Otherwise, the owner of the leaked key holds full responsibility for any damage resulting from the key compromise. It is reasonable to assume that the TSA is competent to keep his keys uncompromised during a short time-frame. Timely reporting of the key compromise limits the influence of the key leakage to one round.
Validity of cryptographic assumptions. None of the used cryptographic primitives (hash function, signature scheme) is broken during a round. Note that key secrecy implies in general (but not always) that the used signature scheme is secure.
3.5 Feasibility Requirements
3.5.1 Connectivity
Sect. 4 shows how to modify the linear linking scheme [HS91, Sect. 5.1] to achieve accountability. On the other hand, a single certificate verification then takes as much time as the TSA spent stamping all the documents. As noted, e.g., in [Jus98b], it is easy to forge stamps when the verifier has limited computational power. Hence, the number of stamps per round is limited by the computational power of the weakest potential verifier. This leads us to the question of feasibility.
3.5.2 Graph Density
The time spent in verification is of the order of $\mathrm{dpt}(G)$. If $\mathrm{dpt}(G) \approx n(G)$, where $n(G)$ is the number of vertices of $G$, the number of stamps issued is very much restricted by the desire to have a lightning-fast verification procedure. But a time-stamping service is assumed to work for ages, and to issue millions or billions of time-stamps. Clearly, in this case verification is feasible only if the authentication graph $G$ is dense, i.e., if $\mathrm{dpt}(G) / \log n(G) = O(1)$. The smaller the value $\mathrm{dpt}(G)$, the bigger the gap between the work done in issuing the stamps and in a single verification. One of the most important results of our work is that we found a tight lower bound for the value of $\mathrm{dpt}(G)$.
3.5.3 Connectivity
Tree-like schemes [BdM91, BHS92] were motivated by the desire to compress the data submitted to the TSA during short time intervals referred to as rounds. The duration of rounds was assumed to be small enough to treat the time-stamping requests submitted during the same round as simultaneous. Unfortunately, bounding the round lengths reduces the compression effect. Simply enlarging the rounds is insecure because of the reordering attack, where the TSA rearranges the time-stamping requests submitted during the round.
Reordering attack. Let Alice request a stamp for her document $X$. Bob has bribed the TSA to delay the stamping of any of Alice's documents. Hence, the TSA assigns a conveniently large number $m$ to Alice's stamp, marks $m$ as "issued" and continues by assigning the intermediate numbers to the next documents. Alice can neither detect reordering attacks nor prove their existence to third parties.
In the case of a simply connected graph, a demonstrated one-way dependent path between two stamps can clearly be interpreted as a proof. On the other hand, if a graph is not simply connected, a possible future verifier of a temporal order is forced to rely on linking conventions such as "previously issued stamps are located to the left in the tree, compared to the later issued stamps". Although the use of such conventions will probably almost always suffice in practice, it still introduces a certain degree of looseness into the system. We can certainly imagine a situation where it is advantageous to all of the principals to follow the protocol for a certain time, but later to change the practice and pretend that at this time in the past, left was right and right was left. Even if such attacks may seem exaggerated, we should still worry about them.
Our quest is to elaborate a practical "real world" time-stamping service relying only on some simple, easily understood security preconditions, so that no matter how the clients use the time-stamps in higher-level protocols, the security objectives of these protocols will not be refuted if an "ideal world" trusted TSS is replaced with the "real world" untrusted TSS. Such an approach of simulating an ideal-world object with a real-world object is common in modern cryptography. The current thesis is more concerned with efficiency than with security, but we stress that the reordering attack is one of the possible forgeries the TSA can accomplish and thus a simply connected authentication graph is a necessary precondition for accountability.
3.5.4 Accumulated Time-Stamping
In order to make relative temporal authentication feasible in the case when stamps belong to different rounds, it is reasonable to define an additional layer of links between the time-stamps for rounds. We do it by defining the graph composition $G_1 \circ G_2$. Informally, $G_2$ is the authentication graph used inside the rounds and $G_1$ is used as this second layer. Both $G_1$ and $G_2$ should be sufficiently large finite graphs (say, of $2^{32}$ to $2^{80}$ vertices).
Definition 3 Let $G_1 = (V_1, E_1)$ and $G_2 = (V_2, E_2)$ be two authentication graphs. The graph composition $G_1 \circ G_2 = (V, E)$ (Figure 7) is the graph produced from $G_1$ by replacing every source $r$ of $G_1$ with a copy $G_2^r$ of $G_2$ (more precisely, by identifying the sink of $G_2^r$ with $r$), and by identifying the sink of $G_2^r$ with the first vertex (which is, by definition, a source) of $G_2^{r+1}$. Trivially, $G_1 \circ G_2$ is an acyclic digraph with a sink and thus, correctly labeled, also an authentication graph. With $G_1$ and $G_2$ fixed, we define $\xi_r$ to be the number of the $r$-th source of $G_1$ in $G_1 \circ G_2$ (we assume that if $r_1 < r_2$ then $\xi_{r_1} < \xi_{r_2}$). Let $\overline{G_1 \circ G_2}$ be the set of vertices $m \in V(G_1 \circ G_2)$ lying inside some round, i.e., $m \in G_2^r$ for some $r$. The $r$-th copy $G_2^r$ of $G_2$ is also called the $r$-th round (of $G_1 \circ G_2$). The values $R_r = L_{\xi_r}$ are also referred to as the stamps for rounds.
If (the subgraphs induced by) $\overline{G_1} \subseteq G_1$ and $\overline{G_2} \subseteq G_2$ are simply connected, then so is (the subgraph induced by) $\overline{G_1 \circ G_2} \subseteq G_1 \circ G_2$. Thus $G_1 \circ G_2$ could be used in a system achieving RTA. Note that the stamps requested from the TSA during the verification algorithm should belong to the set of stamps for rounds, because only these stamps are available at the TSA (see Sect. 4.2 for more).
Figure 7: Graph composition $G_1 \circ G_2$. Here $s = |G_1|$ is the number of sources of $G_1$, each of which is replaced by a copy of $G_2$.
An obvious generalization of the construct $G_1 \circ G_2$ is to allow the copies of $G_2$ to differ. Namely, let the generalized graph composition $G \circ (G_1, \dots, G_s)$ be the graph constructed from $G$ by replacing the $r$-th source with a copy of $G_r$. Everything else is defined as in Def. 3.
Definition 4 Let $G$ be an authentication graph and let $\xi : V(G) \to V(G)$. $G_\xi$ is an accumulated graph with rank $m$ if
1. if $\xi_r < n \le \xi_{r+1}$ then $E^{-1}(n) \subseteq \{\xi_r, \dots, \xi_{r+1}\} \cup \xi(V(G))$;
2. $\xi_{r+1} - \xi_r = m$.
We say that $G$ is an accumulated graph if for an arbitrary positive $m$ there exists $\xi : V(G) \to V(G)$ such that the $G_\xi$-scheme is an accumulated graph with rank $m$.
If the underlying authentication graph is accumulated, the duration of the rounds can be flexibly enlarged in order to guarantee that only a small fraction of the time-stamps is kept in the memory of the time-stamping server. A way to achieve accumulated time-stamping was proposed in [BLLV98]. A much simpler way to achieve flexibility in choosing the round lengths is to use the generalized graph composition $G \circ (G_1, \dots, G_s)$, where the $r$-th round $G_r$ is itself a member of a recursively constructed graph family, so that $G_r$ can be extended or "cut" if necessary. Some examples of accumulated schemes will be given later.
3.6 Necessity of Rounds
There are several, partially controversial, reasons why rounds are introduced into
time-stamping. Most of the reasons are explained elsewhere in this thesis. Here
we just give a concentrated list of some of the reasons why it is necessary to have
1) rounds at all and 2) flexibility in choosing the round lengths.
Storage A time-stamping authority will not and should not be able to store all the time-stamps issued during its functioning (cf. Sect. 3.3).
Havoc limitation In the systems described in the next sections, the time-stamping authority's secret key is required to stay secure only for the duration of one or two rounds. Key compromise will influence only the trustworthiness of stamps issued during a single round (cf. Sect. 3.4). The same is true in the case when the underlying cryptographic primitives are suddenly broken.
Accountability Accountability is impossible if the verifier (say, the judge) does
not possess an authenticated common successor of the two disputed stamps
(this is due to the simplicity of building “parallel worlds” of one-way depen-
dencies).
Connection with absolute time As it was stressed in Sect. 3.1, relative temporal
authentication is what we can expect from the time-stamping. There still
should be a connection with real time, at some point. For example, in court
in some cases one would like to refer to a particular date. Then it helps if the
absolute starting time of each round is publicly verifiable.
4 ACCUMULATED LINEAR LINKING SCHEME
For pedagogical reasons, we outline the protocols and the basic organizational principles of our system using the linear linking scheme of Sect. 2.2, upon which an accumulated linking scheme is built, following the ideas of Sect. 3.5.4. We describe the operation of the TSA and also the protocols. The described scheme fulfills all the trust requirements but is impractical. In the next sections, the efficiency of the described scheme is significantly improved by replacing the linear scheme with a binary linking scheme. The final scheme, presented in Sect. 6.2, has tightly (i.e., not only asymptotically) optimal stamp lengths.
4.1 Description of the Authentication Graph
Let the number $M$ of time-stamps per round be a constant known to the participants (clients). The round graph $G_2$ is equal to the linear linking scheme $\Lambda_M$ with $M$ sources. The second-layer graph $G_1$ is equal to the linear linking scheme with, say, $N = 2^{80}$ sources (Figure 8). Thus, this scheme is based on the graph $\Lambda_N \circ \Lambda_M$. The time-stamp for the $r$-th round has number $\xi_r = Mr$. Let all the data items $H_n$ be of a fixed size of $k$ bits (i.e., the documents are hashed).
Figure 8: A two-layered linear linking "toy" scheme $\Lambda_4 \circ \Lambda_4$ (data items $H_1, \dots, H_{16}$; the stamps $L_4, L_8, L_{12}, L_{16}$ are the stamps for rounds and are linked by the second layer).
Remark 1 In real life, the underlying scheme would be $\Lambda_N \circ (\Lambda_{M_1}, \dots, \Lambda_{M_s})$. Due to the construction of linear schemes, the TSA can choose the round length at any time. Thus, the TSA has a very flexible choice of round lengths. While this is very important in practice, we will not stress this point for the next schemes.
All our subsequent constructions will use the next definition (with respect to the corresponding underlying graph).
Definition 5 (Head and tail) Let $G = G_1 \circ G_2$ be the underlying graph of an accumulated time-stamping system. For any $m \in \{\xi_{r-1}+1, \dots, \xi_r\}$, let $\pi_m : \xi_{r-1} \to m_1 \to \dots \to m$ (resp. $\pi'_m : m \to m_2 \to \dots \to \xi_r$) be the unique shortest path from $\xi_{r-1}$ to $m$ (resp. from $m$ to $\xi_r$). Let $\mathrm{head}(m) := \mathrm{AP}_{G_2}(\pi_m)$ and $\mathrm{tail}(m) := \mathrm{AP}_{G_2}(\pi'_m)$. Let
$$\mathrm{Cert}(m) := (m, L_{\mathrm{head}(m)}, L_{\mathrm{tail}(m)})$$
be the time certificate of $H_m$. For any $m$ and $n$, $m < n$, let $\pi_{m,n}$ be the unique shortest path between $m$ and $n$. Let $\mathrm{body}(m,n) := \mathrm{AP}_G(\pi_{m,n})$. The functions head, tail and body are natural extensions of those functions to the whole graph $G_1 \circ G_2$.
If $G = \Lambda_N \circ \Lambda_M$ and $m$ and $n$ belong to the same round $r$, then
$$L_{\mathrm{head}(n)} = (L_{\xi_{r-1}}, H_{\xi_{r-1}+1}, \dots, H_{n-1}, H_n),$$
$$L_{\mathrm{tail}(m)} = (H_{m+1}, \dots, H_{\xi_r - 1}, H_{\xi_r}, L_{\xi_r})$$
and
$$L_{\mathrm{body}(m,n)} = (L_m, H_{m+1}, \dots, H_{n-1}, H_n).$$
Clearly, $L_{\mathrm{body}(m,n)}$ is computable from $L_{\mathrm{tail}(m)}$ and $L_{\mathrm{head}(n)}$, and
$$L_{\mathrm{body}(m,n)} = \begin{cases} (L_{\mathrm{tail}(m)}, R_{r(m)+1}, \dots, R_{r(n)-1}, L_{\mathrm{head}(n)}), & r(m) < r(n), \\ (L_m, H_{m+1}, \dots, H_n) \text{ as above}, & r(m) = r(n). \end{cases} \qquad (1)$$
Here $r(n)$ denotes the round in which the $n$-th stamp was issued and $R_r = L_{\xi_r}$ is the stamp for round $r$.
4.2 Role of the TSA
The time-stamping authority (TSA) maintains the following databases (Figure 9):
1. the database $c$ of the stamps of the current round;
2. the database $p$ of the stamps of the previous round;
3. the database $r$ of the stamps for rounds;
4. the complete database $\mathit{all}$ of stamps.
The first three databases are considered to be on-line in the sense that any client can make requests to them at any moment. The fourth database is also stored but not on-line (it may be stored in an archive of CDs). Requests to this database are possible, but costly (e.g., requiring human interaction). After the end of each round, the stamps in $p$ are stored on a separate CD (this process may be audited). Thereafter, $p$ is emptied. The stamp $R_r$ for the current round is computed, added to $r$ and published in a newspaper. The database $c$ is copied into $p$ and a new database $c$ is created.
Figure 9: Databases kept by a TSA ($c$, $p$ and $r$ on-line; $\mathit{all}$ off-line).
Most of the time-stamping schemes proposed to date are vulnerable in the sense that if the database $\mathit{all}$ ceases to exist, one is no longer able to perform relative temporal authentication. Even if the stamps for rounds are regularly (say weekly, as in the Digital Notary [Sur99] system) published in a newspaper, destruction of the database significantly reduces the accuracy, from (say) one second to one week.
What we really expect from the time certificates is that:
if $m$ and $n$ are "close" enough in time (lie in the same round), their one-way relationship can be established using $\mathrm{Cert}(m)$ and $\mathrm{Cert}(n)$;
if $m$ and $n$ are not "close" enough in time (lie in different rounds), their one-way relationship can be established using $\mathrm{Cert}(m)$, $\mathrm{Cert}(n)$ and data published in the newspaper.
These requirements are satisfied if $\Lambda_N \circ \Lambda_M$ is used as the underlying authentication graph (cf. Eq. (1)). The security of accumulated schemes does not depend on the integrity of the database $\mathit{all}$.
4.3 Stamping Protocol
The stamping protocol $\mathcal{S}$ consists of two parts: the stamp issuing protocol, which is executed when a client asks for a stamp, and the stamp completion protocol, which is executed later, after the end of the round. Protocol 4.1 is a slight modification of the protocol of [BLLV98, Sect. 4.2] due to [BLS99], which minimizes the communication complexity of stamp issuing.
Protocol 4.1 Stamp issuing protocol with the linear linking scheme. Here, $r$ is the current round number.
1. The client sends $H_n$ to the TSA.
2. The TSA computes $L_n = H(H_n, L_{n-1})$ and adds the pair $(H_n, L_n)$ to $c$.
3. The TSA sends the client the message $(n, L_n, \mathrm{sig}_{TSA}(n, L_n))$.
4. The client verifies the signature of the TSA.
After the $M$ requests have been answered, the TSA finishes the round by calculating the round stamp $R_r$ and publishing $R_r$ and his public verification key $VK_{TSA}$ in the newspaper. The client may now continue, during a limited period, with the stamp completion protocol (Protocol 4.2) in order to get the time certificate for $H_n$.
Protocol 4.2 Stamp completion protocol with the linear linking scheme.
1. The client sends a request to the TSA.
2. The TSA answers by sending $(\mathrm{Cert}(n), \mathrm{sig}_{TSA}(\mathrm{Cert}(n)))$ to the client.
3. The client checks whether $\mathrm{head}(n)$ is consistent with $L_n$ and whether $\mathrm{tail}(n)$ is consistent with $R_{r(n)}$. The authenticated value $R_{r(n)}$ can be found either in the newspaper or by requesting it from the on-line database $r$ of the TSA.
We stress that every client who is interested in the legal use of some time certificate should validate it during these two protocols. In the relatively short period between the issuing protocol and the completion protocol, the signature key of the TSA is trusted to authenticate him (cf. Sect. 3.4) and therefore his signature on an invalid $\mathrm{Cert}(n)$ can be used as evidence in court. But the client is responsible for doing this while the signature key of the TSA can still be trusted. Later, the signature of the TSA may become unreliable and therefore only the one-way properties can be used.
4.4 Verification Algorithm
Let $r(n)$ denote the round in which the $n$-th stamp was issued. Assume that the verifier possesses two time-stamped documents $(H_{m_1}, \mathrm{Cert}(m_1))$ and $(H_{m_2}, \mathrm{Cert}(m_2))$ where $m_1 < m_2$. Let
$$v_{m_1 m_2} = (R_{r(m_1)}, R_{r(m_1)+1}, \dots, R_{r(m_2)-1})$$
be the tuple defined by $L_{\mathrm{body}(m_1, m_2)} = (L_{\mathrm{tail}(m_1)}, v_{m_1 m_2}, L_{\mathrm{head}(m_2)})$. The algorithm $\mathcal{V}$ is represented by Protocol 4.3.
Protocol 4.3 Verification of whether $H_{m_1}$ was stamped before $H_{m_2}$.
INPUT: $(H_{m_1}, \mathrm{Cert}(m_1))$, $(H_{m_2}, \mathrm{Cert}(m_2))$.
1. If $r(m_1) < r(m_2)$, the verifier obtains from the TSA (or from the newspaper) the values $v_{m_1 m_2}$ and $R_{r(m_2)}$.
2. The verifier checks whether $(L_{\mathrm{head}(m_i)}, L_{m_i}, L_{\mathrm{tail}(m_i)}, R_{r(m_i)})$ is internally consistent, for $i = 1, 2$.
3. The verifier verifies that the value of $R_{r(m_1)}$ in $v_{m_1 m_2}$ is equal to the value of $R_{r(m_1)}$ in $\mathrm{Cert}(m_1)$ and that $v_{m_1 m_2}$ is consistent with $R_{r(m_2)-1}$.
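The accumulated linear linking scheme of Sects. 4.1 to 4.4, as an added example that is not part of the thesis: a toy TSA over $\Lambda_N \circ \Lambda_M$ that issues stamps (Protocol 4.1), hands out $\mathrm{Cert}(n) = (n, L_{\mathrm{head}(n)}, L_{\mathrm{tail}(n)})$ once the round has closed (Protocol 4.2), and a verifier that checks certificates against the published stamps for rounds and decides temporal order inside and across rounds (Protocol 4.3 and Eq. (1)). The TSA's signatures are left out, the list `published` stands in for the newspaper, $L_0$ is a fixed genesis value, the documents are constructed, and the class and function names are this example's own.

```python
import hashlib


def H(*parts: bytes) -> bytes:
    """Collision-resistant hash used for linking; SHA-256 stands in for the thesis's H."""
    return hashlib.sha256(b"\x00".join(parts)).digest()


def round_of(n: int, M: int) -> int:
    """r(n): the round in which stamp n was issued, with xi_r = M*r."""
    return (n - 1) // M + 1


def replay(start: bytes, hashes) -> bytes:
    """Recompute L_i = H(H_i, L_{i-1}) along a run of data items, from a known L."""
    L = start
    for Hi in hashes:
        L = H(Hi, L)
    return L


class LinearTSA:
    """Toy TSA over Lambda_N o Lambda_M (this example's model): M stamps per round,
    L_n = H(H_n, L_{n-1}), and the stamp for round r is R_r = L_{xi_r} = L_{M*r}.
    The signatures of Protocols 4.1 and 4.2 are omitted."""

    def __init__(self, M: int) -> None:
        self.M = M
        self.docs = {}                    # n -> H_n (the off-line database 'all')
        self.L = {0: H(b"round-0")}       # n -> L_n; L_0 doubles as R_0 (assumption)
        self.published = [self.L[0]]      # R_0, R_1, ...: the 'newspaper' (database 'r')
        self.n = 0

    def issue(self, Hn: bytes) -> tuple:
        """Protocol 4.1: link H_n into the chain and return (n, L_n)."""
        self.n += 1
        self.docs[self.n] = Hn
        self.L[self.n] = H(Hn, self.L[self.n - 1])
        if self.n % self.M == 0:          # end of round r = n / M: publish R_r
            self.published.append(self.L[self.n])
        return self.n, self.L[self.n]

    def complete(self, n: int) -> dict:
        """Protocol 4.2: Cert(n) = (n, L_head(n), L_tail(n)), once round r(n) is closed."""
        r = round_of(n, self.M)
        lo, hi = (r - 1) * self.M, r * self.M           # xi_{r-1}, xi_r
        if hi > self.n:
            raise ValueError("round %d is not finished yet" % r)
        head = [self.L[lo]] + [self.docs[i] for i in range(lo + 1, n + 1)]
        tail = [self.docs[i] for i in range(n + 1, hi + 1)] + [self.L[hi]]
        return {"n": n, "head": head, "tail": tail}


def verify_cert(cert: dict, M: int, published) -> bool:
    """Protocol 4.2 step 3: head must lead from R_{r-1} to L_n and tail from L_n to R_r,
    both round stamps being the published ones."""
    r = round_of(cert["n"], M)
    if r >= len(published) or cert["head"][0] != published[r - 1]:
        return False
    Ln = replay(cert["head"][0], cert["head"][1:])
    return replay(Ln, cert["tail"][:-1]) == cert["tail"][-1] == published[r]


def precedes(cert_m: dict, cert_n: dict, M: int, published) -> bool:
    """Protocol 4.3: was H_m stamped before H_n? Across rounds the published R_r's supply
    the middle of body(m, n) (Eq. (1)); inside a round the H's come from tail(m)."""
    if not (verify_cert(cert_m, M, published) and verify_cert(cert_n, M, published)):
        return False
    m, n = cert_m["n"], cert_n["n"]
    rm, rn = round_of(m, M), round_of(n, M)
    if rm != rn:
        return rm < rn
    if m >= n:
        return False
    Lm = replay(cert_m["head"][0], cert_m["head"][1:])
    Ln = replay(cert_n["head"][0], cert_n["head"][1:])
    return replay(Lm, cert_m["tail"][:n - m]) == Ln   # body(m, n) = (L_m, H_{m+1..n})
```

Note that `verify_cert` and `precedes` never touch the TSA's full database: inside a round the two certificates carry every hash needed to walk from $L_m$ to $L_n$, and across rounds the only extra input is the published sequence of round stamps, which is exactly the property asked of accumulated schemes in Sect. 4.2. A certificate whose head or tail has been altered fails `verify_cert` because the replayed chain no longer reaches the published round stamp.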
4.5 Audit Protocol
Because of the possible legal importance of the stamps issued by the TSA, there should be some mechanism to audit the TSA. One easy way to do it is to periodically ask for stamps from the TSA and verify them. If these stamps are linked inconsistently, the TSA can be proven guilty. Also, there has to be a mechanism for the TSA to prove that he has not issued a certain stamp $S$ in a certain round $r$. This can be done if the TSA presents all the stamps issued during the $r$-th round, shows that $S$ is not among them and that the stamp for the $r$-th round, computed from these stamps using the linking rules, coincides with the published stamp.
In all the time-stamping systems described in this thesis, such a disavowal protocol requires the TSA to present all stamps. The existence of a time-stamping system with succinct "negative proofs" is an important open problem.
5 ANTI-MONOTONE SCHEMES
In the current section we give a construction of a practical linking scheme whose time certificates have length logarithmic in the number of issued time-stamps. The described scheme is based directly on the "binary linking schemes" paradigm of Buldas, Laud, Lipmaa and Villemson [BLLV98].
Definition 6 A simply connected graph $G = (V, E)$ is called anti-monotone binary (AM graph, for short) if (1) $\forall m$, $|E^{-1}(m)| \le 2$; and (2) edges do not cross: if $k < m < n$, $(k, n) \in E$ and $(m, l) \in E$, then $l \le n$.
As it was shown in [BL98], the family of AM graphs is equal to the family of graphs constructed recursively from the singleton graph $G = (\{1\}, \emptyset)$ by using the anti-monotone composition operator $\otimes$ (Figure 10). Clearly, $G_1 \otimes G_2 = F \circ (G_1, G_2)$, where $F = (\{1, 2, 3\}, \{(1, 3), (2, 3)\})$.
Figure 10: Anti-monotone composition $G := G_1 \otimes G_2$.
Definition 7 The anti-monotone scheme (AM scheme) $\hat{G}$ is constructed from the AM graph $G$ by introducing a vertex $v'$ and an edge $(v', v)$ for every vertex $v \in V(G)$ (Figure 11).
Figure 11: Construction of $\hat{G}$ from $G$.
Lemma 5.1 The next claims are true.
1. Let $G$ be an AM graph. For any $m$ and $n$, $m < n$, there exists a unique shortest $G$-path from $m$ to $n$.
2. If $G_1$ and $G_2$ are AM graphs, then $G_1 \circ G_2$ is an AM graph. Moreover, $\widehat{G_1 \circ G_2} = \hat{G}_1 \circ \hat{G}_2$.
3. Let $G$ be an AM graph, and let $m_1, m_2 \in V(G)$, $m_1 < m_2$. Let $\pi_1$ be the unique shortest path from $m_1$ to $n(G)$ and let $\pi_2$ be the unique shortest path from $1$ to $m_2$. Then $\pi_1 \cap \pi_2 \ne \emptyset$.
4. Let $G_1 \circ G_2$ be the underlying AM graph. The number of stamped documents per round is equal to $|G_2| - 1$.
Proof. We shall prove the first claim by induction on the structure of the graph $G$. The base ($G = (\{1\}, \emptyset)$) is trivial. Let $G = G_1 \otimes G_2$. If $m, n \in G_1$ or $m, n \in G_2$, then the claim holds by the induction hypothesis. If $m \in G_1$ and $n \in G_2$, then by the induction hypothesis there is a unique shortest path from $m$ to the sink of $G_1$ and a unique shortest path from the sink of $G_1$ to $n$. The concatenation of those paths is the unique shortest path from $m$ to $n$.
The second claim says that accumulated time-stamping preserves the anti-monotonicity property.
5.1 Concrete Scheme
The next infinite family $T_n$ of AM graphs is a slight modification of the family defined in [BLLV98]:
1. $T_1$ consists of a single vertex which is labeled with the number 1. This vertex is both the source and the sink of the graph $T_1$.
2. Let $T_n$ be already constructed. Its sink is labeled by $2^n - 1$. The graph $T_{n+1}$ consists of two copies of $T_n$, where the sink of the first copy is linked to the source of the second copy, and an additional vertex labeled by $2^{n+1} - 1$ which is linked from the sink of the second copy. The labels of the second copy are increased by $2^n - 1$. The source of $T_{n+1}$ is equal to the source of the first copy, the sink of $T_{n+1}$ is equal to the vertex labeled by $2^{n+1} - 1$.
Thereafter, add a link from the sink of the first copy to all the vertices of the second copy that have less than two in-going links. Note that there is now a double link from the sink of the first copy to the source of the second copy.
(Construction of $T_{n+1}$ from two copies of $T_n$: the first copy carries the labels $1, \dots, 2^n - 1$, the second copy the labels $2^n, \dots, 2^{n+1} - 2$, and the new sink is $2^{n+1} - 1$.)
The sequence $T_n$ defines a countable AM graph with the vertices labeled by natural numbers which contains each graph $T_n$ as an initial segment. The graph $T_5$ is represented by Figure 12.
Figure 12: The AM graph $T_5$ (vertices labeled $1, \dots, 31$).
Theorem 5.2 If $n > 2$ and $0 < a < b < 2^n$ then $d(a, b) \le 3n - 5$. (The proof is presented in Sect. 5.3.)
Denote by $\mathrm{ord}(n)$ the greatest power of 2 dividing $n$. In the AM graph $T_n$ presented above, it is reasonable to enumerate stamps in the lexicographical order with pairs $(m, p)$, where $0 \le p \le \mathrm{ord}(m)$ and $m > 0$. Then every vertex $(m, p)$ has as predecessors the vertices enumerated with
f m p :m2p1ord m2p1m2p
m2pord m2potherwise
and
g m p :m p 1p0
m1 ord m1p0
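The recursive construction of $T_n$ and the claims made about it (fan-in at most two, unique shortest paths, the distance bound of Theorem 5.2), as an added example that is not part of the thesis: the code builds $T_n$ exactly as described in Sect. 5.1, computes all pairwise shortest-path lengths by breadth-first search, and checks $d(a, b) \le 3n - 5$ together with the anti-monotonicity conditions. The reading of condition (2) of Definition 6 as "no crossing edges" and the function names are assumptions of this example.

```python
from collections import Counter, defaultdict, deque


def build_T(n: int) -> tuple:
    """Build T_n on labels 1..2^n-1 following the recursive description of Sect. 5.1.
    Returns (sink_label, edges); edges is a list of (u, v) with parallel edges kept,
    because the in-degree counts decide where the extra links go."""
    if n == 1:
        return 1, []
    e, prev = build_T(n - 1)                            # T_{n-1}: labels 1..e, e = 2^(n-1)-1
    edges = list(prev) + [(u + e, v + e) for u, v in prev]  # second copy, labels shifted by e
    sink1, src2, sink2, top = e, e + 1, 2 * e, 2 * e + 1
    edges.append((sink1, src2))                         # sink of copy 1 -> source of copy 2
    edges.append((sink2, top))                          # new sink 2^n-1 <- sink of copy 2
    indeg = Counter(v for _, v in edges)
    for v in range(src2, sink2 + 1):                    # sink of copy 1 -> every vertex of
        if indeg[v] < 2:                                # copy 2 with fewer than two in-links
            edges.append((sink1, v))
    return top, edges


def distances(n: int) -> tuple:
    """BFS from every vertex: d[a][b] = length of the shortest a -> b path, and
    cnt[a][b] = number of distinct shortest paths (parallel edges count once)."""
    top, edges = build_T(n)
    succ = defaultdict(set)
    for u, v in edges:
        succ[u].add(v)
    d, cnt = {}, {}
    for a in range(1, top + 1):
        d[a], cnt[a] = {a: 0}, {a: 1}
        queue = deque([a])
        while queue:
            u = queue.popleft()
            for v in succ[u]:
                if v not in d[a]:
                    d[a][v], cnt[a][v] = d[a][u] + 1, cnt[a][u]
                    queue.append(v)
                elif d[a][v] == d[a][u] + 1:
                    cnt[a][v] += cnt[a][u]
    return top, d, cnt


def max_distance(n: int) -> int:
    """Largest d(a, b) over all reachable pairs; Theorem 5.2 says it is <= 3n-5 for n > 2."""
    _, d, _ = distances(n)
    return max(d[a][b] for a in d for b in d[a])


def shortest_paths_unique(n: int) -> bool:
    """Lemma 5.1 (1): every reachable pair has exactly one shortest path."""
    _, d, cnt = distances(n)
    return all(cnt[a][b] == 1 for a in d for b in d[a])


def is_anti_monotone(n: int) -> bool:
    """Definition 6 as read in this example: fan-in at most 2, and no crossing edges,
    i.e. (k, w) and (m, l) in E with k < m < w imply l <= w."""
    _, edges = build_T(n)
    if any(c > 2 for c in Counter(v for _, v in edges).values()):
        return False
    E = set(edges)
    return all(l <= w for k, w in E for m, l in E if k < m < w)
```

For $n = 3, 4, 5$ the bound of Theorem 5.2 is attained exactly ($4$, $7$ and $10$), which is why the thesis calls it tight; the pair $(1, 27)$ in $T_5$, for instance, needs six steps to reach the sink $15$ of the first copy and four more inside the second copy.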
5.2 Accumulated Anti-Monotone Graphs
In Sect. 4 we presented an outline of a time-stamping system that fulfills our trust requirements. In the following we show how to make this system feasible by using an AM scheme. Namely, we take $G_{NM} = T_N \circ T_M$ as the underlying graph, where (say) $N = M = 40$ (a toy example is represented by Figure 13).
Figure 13: The "toy" accumulated scheme $T_2 \circ T_3$.
Thus, we can directly apply Def. 5 to get the definitions of head, tail, body and $\mathrm{Cert}(m)$ for the graph $T_N \circ T_M$.
Example 1 Let the underlying graph be $T_2 \circ T_3$ (Figure 13). Then,
$$L_{\mathrm{head}(10)} := (L_8, H_9, H_{10}),$$
$$L_{\mathrm{tail}(10)} := (H_{11}, L_9, H_{12}, L_9, H_{13}),$$
$$L_{\mathrm{head}(19)} := (L_{14}, H_{15}, L_{18}, H_{19}),$$
$$L_{\mathrm{tail}(19)} := \text{(empty string)}.$$
By the construction of $T_M$, the length of the $n$-th time certificate $\mathrm{Cert}(n) = (n, L_{\mathrm{head}(n)}, L_{\mathrm{tail}(n)})$ does not exceed $2\,\mathrm{dpt}(T_M)\,k$ bits, where $k$ is the output size of the hash function $H$. It is easy to show that $\max_n \mathrm{dpt}(n) \le 2 \log |T_M| = 2M$ [BL98] and thus
Lemma 5.3 For any $n$, $|\mathrm{Cert}(n)| \le 4kM$.
For example, if $M = 40$ and $k = 160$ bits then $|\mathrm{Cert}(n)| \le 3200$ bytes.
By Lemma 5.1, if $m < n$ then $\mathrm{tail}(m)$ and $\mathrm{head}(n)$ have a common element $c$, which implies that $\mathrm{body}(m, n) \subseteq \mathrm{tail}(m) \cup \mathrm{head}(n)$ and thus, by Theorem 5.2, that $\mathrm{body}(m, n)$ is of logarithmic length. When $r(m) < r(n)$,
$$\mathrm{body}(m, n) = (m, \dots, \xi_{r(m)}, \dots, \xi_{r(n)-1}, \dots, n),$$
where the number of $\xi_j$-s is logarithmic due to the fact that the time-stamps for rounds are linked together in a way similar to the linking of all time-stamps (Figure 13).
Figure 14: Time certificates in the case $G = T_5$ explained (vertices $1, \dots, 31$; the paths $\mathrm{tail}(16)$ and $\mathrm{head}(28)$ meet at vertex 22).
Example 2 Let us look at Figure 14. Here, the common element of $\mathrm{tail}(16)$ and $\mathrm{head}(28)$ is 22.
Corollary 5.4 Due to the similarity between the verification and the stamping procedure, for an arbitrary pair of stamped documents the number of steps executed (and therefore also the number of stamps examined) during a single run of the verification protocol is $O(\log n)$.
5.3 Proof of Theorem 5.2
In this section we prove an upper bound for the length of the time certificates for the linking scheme described in Sect. 5. Let $e_k = 2^k - 1$, i.e., $e_k$ is the number of the last vertex of $T_k$. To simplify the proof we add the vertex $0$ to the scheme and link it with all the vertices $e_i$, $i \le k$. As previously, let $d(a, b)$ denote the length of the shortest path between $a$ and $b$. The equations $d(0, e_k) = 1$, $d(e_{k-1}, e_k) = 2$ and $e_k = e_{k-1} + e_{k-1} + 1$ follow immediately from the definition.
Lemma 5.5 If $0 \le a \le e_k \le b$ then $d(a, b) = d(a, e_k) + d(e_k, b)$. If $0 \le a \le e_{k-1}$ then $d(a, e_k) = d(a, e_{k-1}) + d(e_{k-1}, e_k)$.
The claims above follow immediately from the structural properties of the linking scheme.
Lemma 5.6 If $e_{k-1} \le a \le b < e_k$ then $d(a, b) = d(a - e_{k-1}, b - e_{k-1})$.
Proof. This follows from the construction of $T_k$ from the two copies of $T_{k-1}$. Here $a$ and $b$ are vertices in the second copy of $T_{k-1}$ (or the last vertex of the first copy), and $a - e_{k-1}$ and $b - e_{k-1}$ are the same vertices in the first copy of $T_{k-1}$ (or the vertex $0$).
Lemma 5.7 If $0 \le a < e_k$ then $d(0, a) \le k$.
Proof. Induction on $k$.
Base: $k = 1$. Then $a = 0$ and $d(0, a) = 0 \le k$.
Step: $k > 1$. Observe the following cases:
If $0 \le a \le e_{k-1}$ then $d(0, a) \le k - 1 \le k$ (by the induction assumption for $a < e_{k-1}$, and directly $d(0, e_{k-1}) = 1$).
If $e_{k-1} < a < e_k$ then $d(0, a) = d(0, e_{k-1}) + d(e_{k-1}, a) = 1 + d(0, a - e_{k-1})$ by Lemma 5.6. Observe the following cases:
$a = e_k - 1$. Then $d(0, a) = 1 + d(0, a - e_{k-1}) = 1 + d(0, e_{k-1}) = 2 \le k$.
$a < e_k - 1$. Then $d(0, a) = 1 + d(0, a - e_{k-1}) \le 1 + (k - 1) = k$ by the induction assumption.
Lemma 5.8 If $0 < a \le e_k$ then $d(a, e_k) \le 2(k - 1)$.
Proof. Induction on $k$.
Base: $k = 1$. Then $a = 1$ and $d(a, e_k) = d(1, 1) = 0 \le 2(k - 1)$.
Step: $k > 1$. Observe the following cases:
If $0 < a \le e_{k-1}$ then $d(a, e_k) = d(a, e_{k-1}) + d(e_{k-1}, e_k) \le 2(k - 2) + 2 = 2(k - 1)$ by Lemma 5.5 and the induction assumption.
If $e_{k-1} < a \le e_k$ then observe the following cases:
$a = e_k$. Then $d(a, e_k) = 0 \le 2(k - 1)$.
$a < e_k$. Then $d(a, e_k) = d(a, e_k - 1) + d(e_k - 1, e_k) = d(a - e_{k-1}, e_{k-1}) + 1$ by Lemma 5.6. The induction assumption now gives $d(a, e_k) = d(a - e_{k-1}, e_{k-1}) + 1 \le 2(k - 2) + 1 \le 2(k - 1)$.
Proof. [Theorem 5.2] We show that for $k > 2$ and $0 < a < b \le e_k$, $d(a, b) \le 3k - 5$, by induction on $k$.
Base: $k = 3$. In this case one can directly verify that $d(a, b) \le 4$.
Step: $k > 3$. Observe the following cases:
If $0 < a < b \le e_{k-1}$ then the induction assumption gives us $d(a, b) \le 3(k - 1) - 5 \le 3k - 5$.
If $0 < a \le e_{k-1} < b \le e_k$ then $d(a, b) = d(a, e_{k-1}) + d(e_{k-1}, b) \le 2(k - 2) + d(e_{k-1}, b)$ by Lemma 5.8. The following cases are possible:
$b = e_k$. Then $d(e_{k-1}, b) = 2 \le k - 1$.
$b = e_k - 1$. Then $d(e_{k-1}, b) = 1 \le k - 1$.
$b < e_k - 1$. Then Lemmas 5.6 and 5.7 give $d(e_{k-1}, b) = d(0, b - e_{k-1}) \le k - 1$.
Thus $d(a, b) \le 2(k - 2) + (k - 1) = 3k - 5$.
If $e_{k-1} < a < b \le e_k$ then observe the following cases:
$b = e_k$. Then $d(a, b) = d(a, e_k) \le 2(k - 1) \le 3k - 5$ by Lemma 5.8.
$b < e_k$. Then $d(a, b) = d(a - e_{k-1}, b - e_{k-1}) \le 3(k - 1) - 5 \le 3k - 5$ by Lemma 5.6 and the induction assumption.
As $\lceil \log b \rceil = k$ iff $e_{k-1} + 1 < b \le e_k + 1$, we get $k = \lceil \log (b + 1) \rceil$ and thus
$$d(a, b) \le 3 \lceil \log (b + 1) \rceil - 5 \le 3 \log b - 2.$$
6 OPTIMAL GRAPHS
6.1 Optimal Anti-Monotone Schemes
By Lemma 5.1, if the underlying authentication graph $G$ is anti-monotone, then $\mathrm{tail}(m)$ and $\mathrm{head}(n)$ have an intersection point for every $m$ and $n$, $m < n$, that belong to the same round. Therefore, anti-monotone linking schemes guarantee that any two time certificates $\mathrm{Cert}(m)$ and $\mathrm{Cert}(n)$ together contain sufficient information for establishing a one-way relationship between $L_m$ and $L_n$.
Though, in the case of the AM schemes $T_n$ (Sect. 5.1), the certificate length $|\mathrm{Cert}(m)|$ is logarithmic in $|T_n|$, the size may still become significant if the rounds are large. Thus, it is also important to find tightly, not only asymptotically, optimal graphs.
As we know (cf. Sect. 5.2), the certificate length is intimately connected to the value $\mathrm{dpt}(G)$. Buldas and Laud [BL98] defined a new family $U_n$ of AM graphs that has minimal value of $\mathrm{dpt}(G)$ over all AM graphs (and hence, minimal certificate lengths over all AM graphs), as follows.
Definition 8 Let $U_1 = (\{1\}, \emptyset)$ be the singleton graph. For $n > 1$, let
$$U_n := U_1 \otimes U_{n-1} \otimes U_{n-1} \otimes U_{n-1}.$$
The AM graph $U_4$ is represented by Figure 15.
Figure 15: The optimal anti-monotone scheme $U_4$.
As it was shown in [BL98], $|U_n| = \frac{1}{2}(3^n - 1)$ and $\mathrm{dpt}(U_n) = 3n - 1$. Hence,
$$\frac{\mathrm{dpt}(U_n)}{\log |U_n|} = \frac{3}{\log_2 3}\,(1 + o(1)).$$
On the other hand, it was also proven by Buldas and Laud that for any AM graph $G$, if $\mathrm{dpt}(G) = m$, then $|G| \le 3^{m/3} \cdot O(1)$, and thus the family $U_n$ is a tightly optimal family of AM graphs.
6.2 Threaded Authentication Trees
Next we present a new construction of Buldas, Lipmaa and Schoenmakers [BLS99] that uses threaded authentication trees. When using Merkle's authentication tree of depth $d$, the length of a time certificate is $k(d + 1)$. We will proceed by adding extra edges to the authentication tree such that the resulting graph will be simply connected, but without enlarging the certificates.
Let $V_d$ be the complete binary tree of depth $d$. We use the standard lexicographic enumeration of the vertices, representing the root by the empty string $\phi$, and the left and right predecessors of a vertex $v$ by $s0$ and $s1$, where $s$ is the string representing $v$. We define the threaded authentication tree $W_d$ as the authentication graph built from $V_d = (V, E)$ by
1. adding a vertex $\rho$ (carrying the previous round stamp $R_{r-1}$) and, for each $s \in \{0, 1\}^d$, adding an edge $(\rho, s)$;
2. for each $s \in \{0, 1\}^d$, adding a vertex $s'$ and a corresponding edge $(s', s)$;
3. for each $s$ such that $s1 \in \{0, 1\}^{\le d}$, adding a threading edge from $s0$ into the subtree rooted at $s1$ (see Figure 16).
Figure 16: Threaded authentication tree of depth 3 (leaves $000, \dots, 111$ with data items $H_{000}, \dots, H_{111}$; every leaf is linked from $R_{r-1}$, and the round stamp $R_r = L_\phi$ is computed from $L_0$ and $L_1$).
Example 3 (Figure 16) Let $H_i$, $i \in \{0,1\}^3$, be the documents stamped during the
$r$th round. Then
$L_{head}(2) = (R_{r-1}, L_{00}, H_{010})$,
$L_{tail}(2) = (L_{011}, L_1)$,
$L_{head}(6) = (R_{r-1}, L_0, L_{10}, H_{110})$,
$L_{tail}(6) = (L_{111})$,
$L_{010} = H(2, L_{head}(2))$,
$L_{110} = H(6, L_{head}(6))$,
$L_{n(G)} = H(L_0, H(L_{10}, H(L_{110}, L_{111})))$.
The union of Cert(2) and Cert(6) contains sufficient information to compute the
one-way path
$R_{r-1} \to L_{010} \to L_{01} = H(L_{010}, L_{011}) \to L_0 \to L_{110} \to L_{11} = H(L_{110}, L_{111}) \to L_1 = H(L_{10}, L_{11}) \to R_r = H(L_0, L_1)$
and verify its internal consistency.
Hence, while in the case of AM schemes the union of two time certificates
contained the whole “proof” of one-way dependency, in the current case the proof
itself is not contained in the union but can still be computed from it. Intuitively,
this is the main source of the redundancy in the AM schemes compared to the new
scheme.
Threaded authentication trees are simply connected. Moreover, for any $m, n \in W_d$
with $m < n$, $d(m, n) \le 2d + 1$. Thus, the verification can be done very efficiently.
Moreover, $|Cert(m)| \le k(1 + \log |W_d|)$ for any $k, m$. It will be proven in Sect. 6.3
that this is also the lower bound.
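The construction of $W_d$ and Example 3 above, worked in code as an added example (this is not code from the thesis or from [BLS99]). It follows the reconstruction given in the text: $R_{r-1}$ and the document hash feed every leaf, the thread $p0$ feeds leaf $s$ for every prefix $p$ with $s_{|p|} = 1$, leaf values are $H(\mathrm{index}, L_{head})$, and SHA-256 stands in for the $k$-bit hash $h$; the document hashes and $R_{r-1}$ are constructed inputs.

```python
import hashlib
from typing import Dict, List, Tuple

# A time certificate: (leaf label s, head, tail); head/tail map vertex labels to values.
Cert = Tuple[str, Dict[str, bytes], Dict[str, bytes]]

def H(*parts: bytes) -> bytes:
    """Collision-resistant hash standing in for the k-bit h of the text (here k = 256)."""
    return hashlib.sha256(b"".join(parts)).digest()

def predecessors(d: int, s: str) -> List[str]:
    """Ordered predecessors of vertex s in W_d.  Internal s: children s0, s1.  Leaf s
    (|s| = d): R_{r-1} ("R"), one thread p0 per prefix p of s with s[|p|] == '1'
    (step 3 of the construction), then the document vertex H_s."""
    if len(s) < d:
        return [s + "0", s + "1"]
    return ["R"] + [s[:i] + "0" for i in range(d) if s[i] == "1"] + ["H" + s]

def leaf_value(s: str, known: Dict[str, bytes]) -> bytes:
    """L_s = H(index(s), L_head(s)), what the text writes as L_010 = H(2, L_head(2))."""
    return H(int(s, 2).to_bytes(4, "big"), *(known[p] for p in predecessors(len(s), s)))

def stamp_round(d: int, r_prev: bytes, docs: Dict[str, bytes]) -> Dict[str, bytes]:
    """TSA side: every vertex value of W_d, computed in document order (post-order),
    so each thread p0 is finished before the leaves that use it.  vals[""] is R_r."""
    vals: Dict[str, bytes] = {"R": r_prev, **{"H" + s: h for s, h in docs.items()}}

    def build(s: str) -> None:
        if len(s) == d:
            vals[s] = leaf_value(s, vals)
        else:
            build(s + "0")
            build(s + "1")
            vals[s] = H(vals[s + "0"], vals[s + "1"])

    build("")
    return vals

def certificate(d: int, vals: Dict[str, bytes], s: str) -> Cert:
    """Cert(s): head = values of s's predecessors; tail = the right siblings on the
    root path (left siblings are already in the head as threads)."""
    head = {p: vals[p] for p in predecessors(d, s)}
    tail = {s[:i] + "1": vals[s[:i] + "1"] for i in range(d) if s[i] == "0"}
    return s, head, tail

def climb(cert: Cert, stop: int) -> bytes:
    """Recompute, from the certificate alone, s's ancestor at depth `stop` (0 = R_r):
    the sibling comes from the head when the path bit is 1, from the tail when it is 0."""
    s, head, tail = cert
    known = {**head, **tail}
    cur = leaf_value(s, head)
    for i in range(len(s) - 1, stop - 1, -1):
        cur = H(known[s[:i] + "0"], cur) if s[i] == "1" else H(cur, known[s[:i] + "1"])
    return cur

def one_way_dependency(cert_m: Cert, cert_n: Cert) -> Tuple[bool, bytes]:
    """From Cert(m) ∪ Cert(n), m < n, follow the one-way path L_m -> ... -> R_r and check
    its internal consistency: the ancestor of m just below the common prefix p is L_{p0},
    which head(n) carries as a thread, so both copies must agree.  Returns (ok, R_r)."""
    m, n = cert_m[0], cert_n[0]
    if not m < n:
        raise ValueError("m must have been stamped before n")
    lcp = next(i for i in range(len(m)) if m[i] != n[i])   # m[lcp] == '0', n[lcp] == '1'
    consistent = cert_n[1].get(m[:lcp] + "0") == climb(cert_m, lcp + 1)
    return consistent, climb(cert_n, 0)

def demo() -> Dict[str, object]:
    """The round of Example 3 (d = 3) on constructed document hashes."""
    d = 3
    docs = {format(i, "03b"): H(b"constructed document %d" % i) for i in range(8)}
    vals = stamp_round(d, H(b"constructed R_{r-1}"), docs)
    c2, c6 = certificate(d, vals, "010"), certificate(d, vals, "110")
    ok, root = one_way_dependency(c2, c6)
    # Forge the document hash inside Cert(2): the recomputed L_0 no longer matches head(6).
    forged = ("010", dict(c2[1], H010=H(b"forged")), c2[2])
    return {
        "head2": list(c2[1]), "tail2": sorted(c2[2]),
        "head6": list(c6[1]), "tail6": list(c6[2]),
        "cert_len": len(c2[1]) + len(c2[2]) - 1,   # values besides H_m itself: d + 1
        "verify": climb(c2, 0) == vals[""] == climb(c6, 0),
        "one_way": ok and root == vals[""],
        "forged_one_way": one_way_dependency(forged, c6)[0],
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The certificates come out exactly as in Example 3 (head(2) = (R, L_00, H_010), tail(2) = (L_011, L_1), and so on), each carrying $d+1$ values besides the document hash, and a forged document hash in Cert(2) is caught because the path recomputed from it no longer meets the thread value in head(6).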
6.3 Optimality of Threaded Authentication Trees
Let
$ap(G) := \max_{v \in G} \min |ap(m)|$,
where the minimum ranges over the set of the root paths from $m$ to $n(G)$ starting from $v$.
Let $h : \{0,1\}^* \to \{0,1\}^k$. Then $|Cert(m)| \ge \log |G| + k \cdot \min |ap(m)|$, and thus
$\max_m |Cert(m)| \ge \log |G| + k \cdot ap(G)$.
Therefore, a tight lower bound for $ap(G)$ gives as a result a tight lower bound for
$\max_m |Cert(m)|$. Below we prove that for an acyclic digraph $G$ with sink, $ap(G) \ge
\log |G| + 1$. A concrete graph $G$ achieving this bound was presented in Sect. 6.2.
Theorem 6.1 Let $G$ be an acyclic digraph with sink. Then $ap(G) \ge \log |G| + 1$.
Proof. Let $G$ be an acyclic digraph with sink. We show in several steps how to
transform $G$ by local modifications into a complete binary tree $V_n$, so that $|V_n| \ge
|G|$ and $ap(V_n) \le ap(G)$.
First step (eliminating fan-in $f > 2$). Replace any vertex with more than two
incoming edges with an (almost) balanced binary tree (Figure 17, 1). Let $G_1$ be
the resulting graph. Trivially, $|G_1| \ge |G|$ and $ap(G_1) \le ap(G)$.
Figure 17: Transforming $G$ into the complete binary tree (panels 1–5).
Second step (eliminating fan-outs $f > 1$). Every vertex with fan-out $> 1$ can
be replicated (Figure 17, 2). We can repeat the procedure until we get a graph
$G_2$ with no internal vertex having fan-out $> 1$. Trivially, $|G_2| \ge |G_1|$ and
$ap(G_2) \le ap(G_1)$.
Third step (replicating the sources). Every source with fan-out $> 1$ can just be
replicated (Figure 17, 3). The resulting binary tree $G_3$ has $|G_3| \ge |G_2|$ and
$ap(G_3) \le ap(G_2)$.
Fourth step (making $G_3$ complete). Any internal vertex $v \in V(G_3)$ with only
one proper ancestor can be deleted (Figure 17, 4). Let the resulting graph be $G_4$.
Trivially, $|G_4| \ge |G_3|$ and $ap(G_4) \le ap(G_3)$.
Fifth step (balancing the tree). If $G_4$ is not yet a complete binary tree, there
exists a source $v \in V(G_4)$ so that $d(v, n(G_4))$ is less than the height of $G_3$. We
proceed by adding two proper ancestors to the tree (Figure 17, 5). Let the resulting
graph be $G_5$. Trivially, $|G_5| \ge |G_4|$ and $ap(G_5) \le ap(G_4)$.
Thus for any graph $G$ there exists a complete binary tree $V_n$ such that $|V_n| \ge
|G|$ and $ap(V_n) \le ap(G)$. But $|V_n| = 2^n$ and $ap(V_n) = n + 1$, thus for any
graph $G$, $ap(G) \ge ap(V_n) = \log |V_n| + 1 \ge \log |G| + 1$.
REFERENCES
[BdM91] Josh Benaloh and Michael de Mare. Efficient broadcast time-stamping. Technical Report 1, Clarkson University Department of Mathematics and Computer Science, August 1991.
[BHS92] Dave Bayer, Stuart A. Haber, and Wakefield Scott Stornetta. Improving the efficiency and reliability of digital time-stamping. In Sequences ’91: Methods in Communication, Security, and Computer Science, pages 329–334. Springer-Verlag, 1992.
[BL98] Ahto Buldas and Peeter Laud. New linking schemes for digital time-stamping. In The 1st International Conference on Information Security and Cryptology, pages 3–14, 18–19 December 1998.
[BLLV98] Ahto Buldas, Peeter Laud, Helger Lipmaa, and Jan Villemson. Time-stamping with binary linking schemes. In Hugo Krawczyk, editor, Advances in Cryptology — CRYPTO ’98, volume 1462 of Lecture Notes in Computer Science, pages 486–501, Santa Barbara, USA, August 1998. Springer-Verlag.
[BLS99] Ahto Buldas, Helger Lipmaa, and Berry Schoenmakers. Optimally efficient accountable time-stamping. Submitted, May 1999.
[BP97] Niko Barić and Birgit Pfitzmann. Collision-free accumulators and fail-stop signature schemes without trees. In Walter Fumy, editor, Advances in Cryptology — EUROCRYPT ’97, volume 1233 of Lecture Notes in Computer Science, pages 480–494, Konstanz, Germany, May 1997. Springer-Verlag.
[BR93] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In Douglas R. Stinson, editor, Advances in Cryptology — CRYPTO ’93, volume 773 of Lecture Notes in Computer Science, pages 232–249, Santa Barbara, USA, August 1993. Springer-Verlag.
[CS98] Ronald Cramer and Victor Shoup. Signature schemes based on the strong RSA assumption. Unpublished. Available from URL http://www.inf.ethz.ch/personal/cramer/, December 1998.
[DBP96] Hans Dobbertin, Antoon Bosselaers, and Bart Preneel. RIPEMD-160: A strengthened version of RIPEMD. In Dieter Gollmann, editor, Fast Software Encryption: Third International Workshop, volume 1039 of Lecture Notes in Computer Science, pages 71–82, Cambridge, UK, 21–23 February 1996. Springer-Verlag.
[DH76] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Trans. Inform. Theory, IT-22:644–654, November 1976.
[GHR99] Rosario Gennaro, Shai Halevi, and Tal Rabin. Secure hash-and-sign signatures without the random oracle. In Jacques Stern, editor, Advances in Cryptology — EUROCRYPT ’99, volume 1592 of Lecture Notes in Computer Science, pages 123–139, Prague, Czech Republic, 2–6 May 1999. Springer-Verlag.
[GMR88] Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17:281–308, 1988.
[Haw88] Stephen W. Hawking. A Brief History of Time: From the Big Bang to Black Holes. Bantam Books, April 1988.
[HS90] Stuart Haber and W. Scott Stornetta. How to time-stamp a digital document. In A. J. Menezes and S. A. Vanstone, editors, Advances in Cryptology — CRYPTO ’90, volume 537 of Lecture Notes in Computer Science, pages 437–455, 11–15 August 1990. Springer-Verlag, 1991.
[HS91] Stuart A. Haber and Wakefield Scott Stornetta. How to time-stamp a digital document. Journal of Cryptology, 3(2):99–111, 1991.
[HS97] Stuart A. Haber and Wakefield Scott Stornetta. Secure names for bit-strings. In Proceedings of the 4th ACM Conference on Computer and Communications Security, pages 28–35, April 1997.
[Jus98a] Michael K. Just. On the Temporal Authentication of Digital Data. PhD thesis, Carleton University, December 1998.
[Jus98b] Michael K. Just. Some timestamping protocol failures. In Symposium on Network and Distributed Systems Security. Internet Society, March 1998.
[Lip98] Helger Lipmaa. IDEA: A cipher for multimedia architectures? In Stafford Tavares and Henk Meijer, editors, Selected Areas in Cryptography ’98, volume 1556 of Lecture Notes in Computer Science, pages 248–263, Kingston, Canada, 17–18 August 1998. Springer-Verlag.
[Lip99] Helger Lipmaa. Accumulated time-stamping made simple. Manuscript, April 1999.
[Mer80] R. C. Merkle. Protocols for public key cryptosystems. In Proceedings of the 1980 Symposium on Security and Privacy, April 14–16, 1980, Oakland, California. IEEE Computer Society Press, 1980.
[MOV96] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996.
[MQ97] Henri Massias and Jean-Jacques Quisquater. Time and cryptography. Technical report, Université catholique de Louvain, March 1997. TIMESEC Technical Report WP1.
[NIS94] NIST. Announcement of weakness in the Secure Hash Standard (SHS). Technical report, May 1994.
[Pfi96] Birgit Pfitzmann. Digital Signature Schemes. Springer-Verlag, Berlin, Heidelberg, 1996.
[RSA78] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.
[Sim98] Daniel R. Simon. Finding collisions on a one-way street: Can secure hash functions be based on general assumptions? In Kaisa Nyberg, editor, Advances in Cryptology — EUROCRYPT ’98, volume 1403 of Lecture Notes in Computer Science, pages 334–345, Helsinki, Finland, June 1998. Springer-Verlag.
[Sur99] Surety Technologies, Inc. Digital Notary Service: Technical overview. Technical report, Surety Technologies, Inc., 1999.
INDEX
A, 20
algorithm
verification, 20
APG, 14
ap G, 42
attack
adaptive chosen message, 13
Denial of Service, 23
reordering, 24
authentication
relative temporal, 20
temporal, 20
authentication tree
Merkle’s, 15
threaded, 41
authenticator, 14
body , 29
body , 29
Cert , 29
collision resistance, 13
computability, 14
consistency, 14
CRHF, 13
d, 15
all, 29
data item, 21
c, 29
Digital Notary, 30
digital signature, 13
p, 29
dpt , 15
r, 29
G G1Gs, 26
G1G2, 25
G1G2, 33
G, 33
graph
accumulated, 26
AM, 33
anti-monotone binary, 33
authentication, 14
dense, 15
directed acyclic, 14
simply connected, 14
graph composition, 25
generalized, 26
hash function
collision-resistant, 13
head , 29
head , 29
IDn, 17
ideal world, 25
r, 25
LN, 14
ΛM, 28
linking item, 21
linking scheme
linear, 17
n G , 14
nonce, 21
one-way dependency, 20
ordn, 35
preimage resistance, 13
protocol
audit, 20
stamp completion, 30, 31
stamp issuing, 30
stamping, 20, 30
rank, 26
real world, 25
reordering attack, 24
RIPEMD-160, 13
root, 14
round, 24, 25
RTA, 20
, 14
, 25
S, 20
scheme, 11
AM, 33
anti-monotone, 33
second preimage resistance, 13
SHA-1, 13
sigAM, 13
simulation paradigm, 25
sink, 14, 34
source, 34
stamp for round, 25
Strong RSA Assumption, 13
tail , 29
tail , 29
time certificate, 21, 29
time-stamping authority, 20
time-stamping system, 20
accountable, 23
TSA, 10, 16, 20
Un, 40
V, 20
Vd, 15, 41
Wd, 41
ξr, 25
SECURE AND EFFICIENT TIME-STAMPING SYSTEMS
Summary in Estonian
In recent years computer networks have grown explosively. As a result, more and
more documents with direct or indirect legal value are transmitted electronically.
Unlike a paper document, an electronic document is not uniquely bound to its
storage medium, so it can be freely copied, altered or deleted. From a legislative
standpoint, the authenticity of documents plays a major role: the property of a
document that binds it to its creator. The cryptographic primitive that ensures the
authenticity of electronic documents is the digital signature: a procedure that
securely maps a document and a signing key to the signature of that document.
Unfortunately, a digital signature is not usable on its own, because there is no
method of binding the signing key to the identity of the signer. Among other things,
the signer may later claim that his key had been compromised at the moment of
signing. Although standard methods exist for reporting key compromise (key
revocation), methods are also needed that make it possible to assert with certainty
that the key revocation took place before the signing. The general cryptographic
background is given in Chapter 1 of this dissertation.
Time-stamping is a collection of organizational and mathematical methods that
makes relative temporal authentication possible, that is, determining which of two
presented documents was time-stamped earlier. Given a secure and efficient
time-stamping system, one can therefore prove that a key revocation took place
before the signing. More generally, it is possible to prove that an electronic
document existed before a given moment in time.
About ten years ago, all known time-stamping systems required a fully trusted
third party (a time-stamping authority). Everything that party claimed was believed.
In 1990 Haber and Stornetta showed that a fully trusted third party is not strictly
necessary. The time-stamping system they invented was based on so-called linking
schemes, in which a time stamp issued later is “one-way” dependent on all
previously issued time stamps. The Haber-Stornetta scheme has since been made
both more secure and more efficient. An overview of the older linking schemes is
given in Chapter 2 of the dissertation.
A new breakthrough came in 1998, when Buldas, Laud, Lipmaa and Villemson, in
the paper “Time-Stamping with Binary Linking Schemes”, for the first time drew
attention to the security requirements of a time-stamping system used in a legal
setting. In such a system it must be possible to detect, and to prove to third parties,
errors made by the time-stamping server. It was shown that earlier time-stamping
systems do not allow the proofs (i.e. certificates) to be presented efficiently. A new
time-stamping system satisfying these conditions, based on so-called binary linking
schemes, was proposed. Chapter 3 of the dissertation treats the requirements placed
on time-stamping systems. Chapter 4 describes a time-stamping system satisfying
these requirements. Further, Chapter 5 shows how the presented time-stamping
system can be made efficient.
The proposed system has since been extended. At the end of 1998 Buldas and
Laud formalized the anti-monotonicity property required of binary linking schemes
and presented an anti-monotone scheme with minimal certificate length. In 1999
Buldas, Lipmaa and Schoenmakers showed that the anti-monotonicity condition is
unnecessary and presented a new system that is optimal in the general case.
Chapter 6 first briefly treats the Buldas-Laud scheme and then focuses on the
Buldas-Lipmaa-Schoenmakers scheme.
ACKNOWLEDGEMENTS
Your presence is a present in my life.
I would like to thank my coauthor and friend Ahto Buldas for being thoughtful and
for a very big number (which is hopefully prime) of discussions. His influence has
been profound; I hope this influence has been mutual. Additionally, I will always
remember our chess matches in various pubs around the world.
I am very thankful to most of my colleagues in Küberneetika AS. Here I will
only name Monika Oit. A “thank you” goes to my coauthors, Peeter Laud and Jan
Villemson, for being creative, but also for being good friends. The same words go
for Berry Schoenmakers. I hope he will have more chances to visit our beautiful
country. I would like to thank my advisor Mati Tombak for giving me freedom
to choose my own area of research. It seems that my choice was correct. He has
always been very supportive and patient. Many thanks go to Stuart Haber. Although
he is almost always busy, discussions with him have helped us to understand
time-stamping.
At last, I would like to thank the people whom I love or whom I have loved for
their presence in my life. You know who you are.
CURRICULUM VITAE
Helger Lipmaa
Citizenship: Estonian Republic.
Born: April 8, 1972, Pärnu, Estonia.
Marital status: single.
Address: Sauga alevik 27-5, Pärnu maakond, 80043 Estonia,
phone: (37 2) 6654241, e-mail: helger@cyber.ee
Education
1979–1987 Pärnu Ülejõe Gümnaasium.
1987–1990 Pärnu Koidula Gümnaasium.
1990–1999 Faculty of Mathematics, University of Tartu
Special Courses
1994 — DAIMI, Århus University
1996 — DAIMI, Århus University
1997 — New Trends in Computer Science and Information Technology, Palmse
1997 — School on Natural Computation, Turku
1998 — Parallel and Quantum Computation, Palmse, Estonia
1998 — Summer School in Cryptography and Data Security, Århus, Denmark
1999 — Fourth Estonian Winter School in Computer Science, Palmse, Estonia.
Professional employment
1995–1995 Junior researcher at Institute of Computer Science, University of Tartu.
1995–1996 Senior assistant at Institute of Computer Science, University of Tartu.
1996–1997 Junior researcher at Institute of Cybernetics, Tallinn.
1997–1999 Senior research engineer at Küberneetika AS, Tallinn.
Scientific work
Coauthor of the books “Infosüsteemide turve I. Turvarisk” (1997) and “Infosüsteemide
turve II. Turbetehnoloogia” (1998). Main papers: “IDEA: An Architecture for
Multimedia Architectures?” (1998), “Time-Stamping with Binary Linking Schemes”
(1998). Invited presentations: Information Security Training Seminar of Institute
of Cybernetics (1996), Information Security Training Seminar of Küberneetika AS
(1997), Autumn School of Young Physicists (1998). Has published surveys in
quantum computation and cryptography.
CURRICULUM VITAE (Estonian version)
Helger Lipmaa
Citizenship: Republic of Estonia.
Date and place of birth: 8 April 1972, Pärnu, Estonia.
Marital status: single.
Address: Sauga alevik 27-5, Pärnu maakond, 80043 Estonia,
phone: (2) 6654241, e-mail: helger@cyber.ee
Education
1979–1987 Pärnu Ülejõe Gümnaasium.
1987–1990 Pärnu Koidula Gümnaasium.
1990–1999 Faculty of Mathematics, University of Tartu.
Special Courses
1994 — DAIMI, Århus University
1996 — DAIMI, Århus University
1997 — New Trends in Computer Science and Information Technology, Palmse
1997 — School on Natural Computation, Turku
1998 — Parallel and Quantum Computation, Palmse
1998 — Summer School in Cryptography and Data Security, Aarhus, Denmark
1999 — Fourth Estonian Winter School in Computer Science, Palmse.
Professional employment
1995–1995 Junior researcher, Institute of Computer Science, University of Tartu.
1995–1996 Senior assistant, Institute of Computer Science, University of Tartu.
1996–1997 Junior researcher, Institute of Cybernetics, Tallinn.
1997–1999 Senior researcher, Küberneetika AS, Tallinn.
Scientific work
Coauthor of the books “Infosüsteemide turve I. Turvarisk” (1997) and “Infosüsteemide
turve II. Turbetehnoloogia” (1998). Main papers: “IDEA: An Architecture for
Multimedia Architectures?” (1998), “Time-Stamping with Binary Linking Schemes”
(1998). Invited presentations: information security seminar of the Institute of
Cybernetics (1996), information security seminar of Küberneetika AS (1997), Autumn
School of Young Physicists (1998). Has published surveys on quantum computers and
cryptography.
DISSERTATIONES MATHEMATICAE
UNIVERSITATIS TARTUENSIS
1. Mati Heinloo. The design of nonhomogeneous spherical vessels, cylindrical tubes and circular discs. Tartu, 1991. 23 p.
2. Boris Komrakov. Primitive actions and the Sophus Lie problem. Tartu, 1991. 14 p.
3. Jaak Heinloo. Phenomenological (continuum) theory of turbulence. Tartu, 1992. 47 p.
4. Ants Tauts. Infinite formulae in intuitionistic logic of higher order. Tartu, 1992. 15 p.
5. Tarmo Soomere. Kinetic theory of Rossby waves. Tartu, 1992. 32 p.
6. Jüri Majak. Optimization of plastic axisymmetric plates and shells in the case of Von Mises yield condition. Tartu, 1992. 32 p.
7. Ants Aasma. Matrix transformations of summability and absolute summability fields of matrix methods. Tartu, 1993. 32 p.
8. Helle Hein. Optimization of plastic axisymmetric plates and shells with piece-wise constant thickness. Tartu, 1993. 28 p.
9. Toomas Kiho. Study of optimality of iterated Lavrentiev method and its generalizations. Tartu, 1994. 23 p.
10. Arne Kokk. Joint spectral theory and extension of non-trivial multiplicative linear functionals. Tartu, 1995. 165 p.
11. Toomas Lepikult. Automated calculation of dynamically loaded rigid-plastic structures. Tartu, 1995. 93 p. (in Russian)
12. Sander Hannus. Parametrical optimization of the plastic cylindrical shells by taking into account geometrical and physical nonlinearities. Tartu, 1995. 74 p. (in Russian)
13. Sergei Tupailo. Hilbert’s epsilon-symbol in predicative subsystems of analysis. Tartu, 1996. 134 p.
14. Enno Saks. Analysis and optimization of elastic-plastic shafts in torsion. Tartu, 1996. 96 p.
15. Valdis Laan. Pullbacks and flatness properties of acts. Tartu, 1999. 90 p.
16. Märt Põldvere. Subspaces of Banach spaces having Phelps’ uniqueness property. Tartu, 1999. 74 p.
17. Jelena Ausekle. Compactness of operators in Lorentz and Orlicz sequence spaces. Tartu, 1999. 72 p.
18. Krista Fischer. Structural mean models for analyzing the effects of compliance in clinical trials. Tartu, 1999. 125 p.