
DISSERTATIONES MATHEMATICAE UNIVERSITATIS TARTUENSIS 19

SECURE AND EFFICIENT TIME-STAMPING SYSTEMS

HELGER LIPMAA

TARTU 1999


Department of Mathematics, University of Tartu, Estonia

The dissertation was accepted for the commencement of the degree of Doctor of Philosophy (PhD) on April 30, 1999 by the Council of the Department of Mathematics, University of Tartu.

Opponents:

PhD, associate professor Jaak Henno, Tallinn Technical University, Tallinn, Estonia

PhD, principal scientist Kaisa Nyberg, Nokia Research Center, Helsinki, Finland

Commencement will take place on June 30, 1999.

Publication of this dissertation is granted by the governmental financial support to PhD students.

© Helger Lipmaa, 1999

Printed by Tartu University Press (Tartu Ülikooli Kirjastuse trükikoda), Tiigi 78, 50410 Tartu. Order no. 381.

CONTENTS

LIST OF ORIGINAL PUBLICATIONS 8

INTRODUCTION 9
  Private Keys 10
  Time-Stamping 10
  Main Contributions 11
  Outline of Thesis 12

1 PREREQUISITES 13
  1.1 Collision-Resistant Hash Functions 13
  1.2 Digital Signatures 13
  1.3 Authentication Graphs 14
  1.4 Merkle's Authentication Tree 15

2 EXISTING TIME-STAMPING SYSTEMS 16
  2.1 Simple Solutions 16
  2.2 Linear Linking Scheme (LLS) 17
  2.3 Tree-Like Schemes 17

3 SECURITY OBJECTIVES 20
  3.1 Relative Temporal Authentication 20
  3.2 Discussion: Absolute Time 21
  3.3 Accountable Time-Stamping 22
  3.4 Security Preconditions 23
  3.5 Feasibility Requirements 24
    3.5.1 Connectivity 24
    3.5.2 Graph Density 24
    3.5.3 Connectivity 24
    3.5.4 Accumulated Time-Stamping 25
  3.6 Necessity of Rounds 26

4 ACCUMULATED LINEAR LINKING SCHEME 28
  4.1 Description of the Authentication Graph 28
  4.2 Role of the TSA 29
  4.3 Stamping Protocol 30
  4.4 Verification Algorithm 31
  4.5 Audit Protocol 32

5 ANTI-MONOTONE SCHEMES 33
  5.1 Concrete Scheme 34
  5.2 Accumulated Anti-Monotone Graphs 35
  5.3 Proof of Theorem 5.2 37

6 OPTIMAL GRAPHS 40
  6.1 Optimal Anti-Monotone Schemes 40
  6.2 Threaded Authentication Trees 41
  6.3 Optimality of Threaded Authentication Trees 42

REFERENCES 44

INDEX 47

KOKKUVÕTE (Summary in Estonian) 49

ACKNOWLEDGEMENTS 51

List of Figures

1 Merkle's authentication tree $V_3$. 14
2 Linear linking scheme with 9 elements. 17
3 A modification of the linear linking scheme, where every time-stamp is linked with 2 time-stamps directly preceding it. 18
4 An example of the time-stamp for round $r$ by the schemes presented in [BdM91]. 18
5 An example of the time-stamp for round $r$ by the schemes presented in [BHS92]. 19
6 Double-stamping a signature. 22
7 Graph composition of $G_1$ and $G_2$. Here, $s \in G_1$. 26
8 A two-layered linear linking "toy" scheme $\Lambda_4 \Lambda_4$. 28
9 Databases kept by a TSA. 30
10 Anti-monotone composition $G := G_1 G_2$. 33
11 Construction from $G$. 33
12 The AM graph $T_5$. 35
13 The "toy" accumulated scheme $T_2 T_3$. 36
14 Time certificates in the case $G = T_5$ explained. 37
15 The optimal anti-monotone scheme $U_4$. 40
16 Threaded authentication tree of depth 3. 41
17 Transforming $G$ into the complete binary tree. 43

LIST OF ORIGINAL PUBLICATIONS

1. Ahto Buldas, Peeter Laud, Helger Lipmaa, and Jan Villemson. Time-stamping with binary linking schemes. In Hugo Krawczyk, editor, Advances in Cryptology — CRYPTO '98, volume 1462 of Lecture Notes in Computer Science, pages 486–501, Santa Barbara, USA, August 1998. Springer-Verlag.

2. Ahto Buldas, Helger Lipmaa, and Berry Schoenmakers. Optimally efficient accountable time-stamping. Submitted, May 1999.

3. Helger Lipmaa. IDEA: A cipher for multimedia architectures? In Stafford Tavares and Henk Meijer, editors, Selected Areas in Cryptography '98, volume 1556 of Lecture Notes in Computer Science, pages 248–263, Kingston, Canada, 17–18 August 1998. Springer-Verlag.

INTRODUCTION

Because of the increasing importance of international business and communication, it has become necessary to forward signed documents over long distances. The traditional mail system is too slow for the needs of the information society. Radio, TV, fax and computer networks have made it possible to send information from one point to another with the greatest possible speed, the speed of light. Of course, a received electronic document cannot simply be assumed to be authentic because:

- electronic documents can be easily copied and modified without detection;
- unlike hand-written characters, digitally encoded characters have no individuality;
- the signature of an electronic document is not physically connected to the content of the document.

Due to these disadvantages electronic documents are rarely considered to have any legal force.

A digital signature [DH76, RSA78, Pfi96] is a cryptographic technique that enables one to protect digital information (represented as a bit-stream) from undesirable modification. Digital signatures are widely used to protect data in secure e-mail systems. A digital signature can effectively substitute for the hand-written signature in the electronic environment. In many countries laws and regulations have been adopted which equate the use and functions of digital signatures with those of handwritten signatures. However, none of these countries has any experience of using digitally signed data as evidence in court.

The legal use of electronic records is increasingly important. One of the reasons, as said above, is that electronic documents enable much faster communication. Another reason is that the archives are full of old paper documents which have legal importance but are used very rarely. Saving space in archives is urgently needed. This helps to understand why the initiative to form the Committee of Law of Electronic Documents in Estonia came from the archivists.

It became clear that the most important step towards the legal use of electronic documents is to enable the legal regulation of digital signatures. Before issuing a law on digital signatures, a definite understanding of the technical details necessary to support the law is indispensable. Thereby, intensive cooperation of lawyers, archivists and data security specialists is needed.

Security techniques used for electronic documents have been developed keeping an eye on secure messaging systems. However, the secure maintenance of electronic documents with a long lifetime is a somewhat more complicated task. Numerous problems in this area have not been solved yet. Some of these are regarded below from the viewpoint of data security specialists.

Private Keys

A problem related to the use of digital signatures is the management of the private signature keys. If somebody other than the owner gains access to the private key, he or she will be able to forge the owner's signatures on electronic documents. At that point even the value of legitimately signed documents can be called into question. Moreover, if the signer of a particularly important document (for example, a loan agreement) later wishes to repudiate his or her signature, he or she can dishonestly report the compromise of his or her private key.

Therefore, the verifier of a digitally signed document should be able to ascertain when the document was actually signed. Digital time-stamping is a solution to this problem.

Time-Stamping

Most time-stamping systems use a trusted third party called the Time-Stamping Authority (TSA). The time-stamp is a digital attestation by the TSA that an identified electronic document, subscribed with a digital signature, has been presented to the TSA at a certain time. Time-stamping is a set of techniques enabling one to ascertain whether an electronic document was created or signed at a certain time.

The real importance of time-stamping becomes clear when there is a need for legal use of electronic documents with a long lifetime. Without time-stamping we can neither trust signed documents once the cryptographic primitives used for signing have become unreliable, nor resolve the cases where the signer himself repudiates the signing, claiming to have accidentally lost his signature key. During the last years, especially in the context of the legal regulation of the use of digital signatures, the organizational and legal aspects of time-stamping itself have become the subject of world-wide attention. In addition to defining the responsibilities of the owner of the signature, the duties and responsibilities of the third party (Time-Stamping Authority, TSA) must be stated as well. Hence, there is an increasing interest in time-stamping systems where the need to trust the TSA is minimized. In order to make users liable only for their own mistakes, there has to be a possibility to identify the offender.

Unlike physical objects, digital documents do not carry the seal of time. Thus, uniquely associating an electronic document with a certain moment of time is very complicated, if not impossible. Even by the theory of relativity, no absolute time exists. The best we can achieve with time-stamping is relative temporal authentication (RTA), based on the complexity-theoretic assumption of the existence of collision-resistant hash functions. RTA enables the verifier, given two time-stamped documents, to verify which of the two was created earlier.

Some ten years ago time-stamping was considered to be an uninteresting area, since the only known time-stamping method employed a completely trusted third party, the Time-Stamping Authority. Whatever the TSA said, the clients had to believe. More people became interested in this field after the seminal publication [HS90] of Haber and Stornetta, where it was shown that the trust in the TSA can be greatly reduced by using so-called linking schemes. Several papers improving the original schemes were published in the early nineties. The surge of papers dried up soon, since it seemed that everything attainable had been attained. Again, the area was considered to be uninteresting, until [BLLV98] was published.

Main Contributions

Our contributions to the field are manifold. First, the paper [BLLV98] by Buldas, Laud, Lipmaa and Villemson was the first scientific paper ever that explicitly treated the (extremely strong) security requirements of legally applicable time-stamping. Starting from the realization that absolute temporal authentication is impossible, this paper presented a new set of protocols that enables one to prove relative temporal authentication, and to detect and demonstrate frauds by a trusted third party (i.e., the proposed time-stamping system was accountable). A number of previously proposed time-stamping systems were examined and discarded. It was also shown that the linear linking scheme of Haber and Stornetta [HS90, HS91] can be used to achieve accountability, but the resulting system would be plainly impractical. A new system (based on "binary linking schemes") was proposed that was both accountable and practical.

The paper [BL98] by Buldas and Laud formalized the "anti-monotonicity" requirement that these binary linking schemes had to satisfy and defined a new anti-monotone binary linking scheme (AM scheme for short), where the certificate sizes were tightly optimal in the class of AM schemes.

Further, the paper [BLS99] of Buldas, Lipmaa and Schoenmakers showed that the anti-monotonicity requirement is unnecessary for accountability. A new family of graphs ("threaded authentication trees") was proposed, and it was proven that this family is tightly optimal (in certificate size) in the class of all acyclic digraphs. In fact, the term "accountable time-stamping" was first proposed by this paper. This paper also specified the security requirements by explicitly listing the security preconditions under which accountability can be achieved. For the first time ever, the publication protocol between the time-stamping authority and the publishing authority was also discussed. It was shown that the publishing process does not have to be blindly trusted. Indeed, it is possible to establish which party is guilty of wrong publications (the publication protocol is not discussed in this thesis, however).

Apart from the intra-round optimizations, the paper [BLLV98] also defined accumulated time-stamping, where the cumulative round stamps are connected with each other in a similar manner as the stamps of one round. Such a two-layered approach enables efficient verification of the one-way dependency between stamps issued in different rounds even when the TSA does not have a copy of the stamps from intermediate rounds. Hence, the storage requirements of the TSA decrease drastically. A manuscript [Lip99] of the author of this thesis formalizes and simplifies accumulated time-stamping.

Briefly, our objective was to elaborate a secure and efficient time-stamping system. This objective was achieved. Moreover, the new system is tightly optimal under some reasonable assumptions. We would like to stress that optimal efficiency is a hard thing to attain. While our systems are optimal in space complexity, they may not be optimal in time complexity. Optimality in time would also depend on the usage of fast cryptographic primitives, and on fast implementations of these. Nobody knows the lower bound of the time complexity of collision-resistant hash functions. Moreover, as exemplified in [Lip98], the rapidity of cryptographic primitives intrinsically depends on the hardware used and on the programming skills of the implementer.

Outline of Thesis

In Sect. 1 we give a brief survey of the cryptographic prerequisites. In Sect. 2 the time-stamping solutions proposed to date are analyzed. Sect. 3 clarifies the security objectives of time-stamping by giving essential requirements for time-stamping systems. In Sect. 4 the protocols of the new time-stamping system are described using the linear linking scheme. In Sect. 5 anti-monotone schemes are introduced and a scheme with logarithmic verifying time is presented. Finally, in Sect. 6, optimal schemes are investigated. A new scheme that is tightly optimal in the general case is proposed.

1 PREREQUISITES

1.1 Collision-Resistant Hash Functions

Definition 1 (Collision-resistant hash function) A collision-resistant hash function ([MOV96, Sect. 9.2]) is a function $H$ which has the properties of

- compression — $H$ maps an input $x$ of arbitrary finite bit-length to an output $H(x)$ of fixed bit-length $\chi$;
- ease of computation — given $H$ and an input $x$, $H(x)$ is easy to compute;
- preimage resistance — for essentially all pre-specified outputs, it is computationally infeasible to find any input which hashes to that output, i.e., to find any preimage $x$ such that $H(x) = y$ when given any $y$ for which a corresponding input is not known;
- second-preimage resistance — it is computationally infeasible to find any second input which has the same output as any specified input, i.e., given $x$, to find a 2nd-preimage $x' \neq x$ such that $H(x) = H(x')$, and
- collision resistance — it is computationally infeasible to find any two distinct inputs $x, x'$ which hash to the same output, i.e., such that $H(x) = H(x')$. (Note that here there is free choice of both inputs.)

While the existence of collision-resistant hash functions (CRHF) is still an important open problem, there exists a plethora of fast candidate hash functions, including SHA-1 [NIS94] and RIPEMD-160 [DBP96]. For a recent overview of the literature about the connections between collision-resistant hash functions and other cryptographic primitives, we direct readers to [Sim98].

1.2 Digital Signatures

Another cryptographic primitive we use is the digital signature [DH76, RSA78]. In what follows, let $\mathrm{sig}_A(M)$ be $A$'s signature on the message $M$. Since the time-stamping protocols require the principals to sign arbitrary data, the signature scheme used should be secure against adaptive chosen message attack [GMR88]. The most efficient and secure signature schemes [CS98, GHR99] known at the current moment are based on the recently proposed Strong RSA Assumption [BP97].

1.3 Authentication Graphs

Let $G = (V, E)$ be a directed acyclic graph (DAG), which we assume to be topologically sorted (i.e., for each edge $(v, w) \in E$ we have $v < w$), where $V = \{1, \ldots, n(G)\}$ and $n(G) = |V|$. Furthermore, we assume that vertex $|V|$ is the unique sink of $G$, which we sometimes call the root of $G$. We also use the set of sources of $G$. We say that $G$ is simply connected if there is a directed path between any two vertices $v$ and $w$ with $v < w$ (or equivalently, if $(v, v+1) \in E$ for all $v$ except the root).

As a general notation, let $L_N := (L_{n_1}, \ldots, L_{n_k})$, where $n_1 < \cdots < n_k$ are the elements of $N$ in strictly increasing order. Recall that $H$ denotes a CRHF. As a generalization of Merkle's authentication trees [Mer80], we introduce authentication graphs $G$ as labeled DAGs with the labels assigned in the following manner. Each source $v$ of $G$ is labeled by a label $L_v = H_v$, where $H_v$ is a given string specific to source $v$. The label of a non-source vertex $v$ is computed as a function of the labels of its proper ancestors: $L_v = H(L_{E^{-1}(v)})$.

We say that $v \in V$ is computable from $W \subseteq V$ if either

1. $v \in W$, or
2. $E^{-1}(v) \neq \emptyset$ and all $w \in E^{-1}(v)$ are computable from $W$.

We say that $W_1 \subseteq V$ is computable from $W_2 \subseteq V$ if all $v \in W_1$ are computable from $W_2$. For any path $\pi$ in $G$ from a source to the root, we say that the set $AP_G(\pi) := E^{-1}(\pi) \setminus \pi$ is the authenticator of $\pi$. Clearly, $\pi$ is computable from $AP_G(\pi)$. A vertex $v$ computable from $\pi$ is consistent with $\pi$ if the subgraph of $G$ induced by $v$ is a subgraph of some authentication graph (i.e., if there are no internal inconsistencies in calculating the $L_v$'s of the joint graph).

Figure 1: Merkle's authentication tree $V_3$. The sources $1, \ldots, 8$ carry the labels $L_i = H_i$; the inner labels are $L_9 = H(L_1, L_2)$, $L_{10} = H(L_3, L_4)$, $L_{11} = H(L_5, L_6)$, $L_{12} = H(L_7, L_8)$, $L_{13} = H(L_9, L_{10})$, $L_{14} = H(L_{11}, L_{12})$ and $L_{15} = H(L_{13}, L_{14})$.

Let $d(v, w)$ denote the distance from vertex $v$ to vertex $w$, that is, the length of the shortest path from $v$ to $w$, and let $\mathrm{dpt}(G) = \max_{v \in V} d(v, |V|)$. We say that $G$ is dense if $\mathrm{dpt}(G) = \log |V| + O(1)$.

1.4 Merkle's Authentication Tree

As an example, let us look at Merkle's authentication tree $V_d = (V, E)$ [Mer80] with $2^d$ sources ($V_3$ is represented in Figure 1). Trivially, $V_d$ is an authentication graph. $V_d$ is not simply connected, but it is dense ($\mathrm{dpt}(V_d) = d = \lceil \log n(V_d) \rceil - 1$).

Let $\pi = (3, 10, 13, 15)$ be a path in $V_3$. The corresponding authenticator is $AP_{V_3}(\pi) = \{9, 4, 14\}$.
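The labeling, computability and authenticator definitions above can be exercised on $V_3$ in code. The following Python program is an added example written for this edition; it is not code from the thesis. It assumes SHA-256 as the concrete hash $H$ (any CRHF candidate would serve), constructs the source strings $H_1, \ldots, H_8$ itself, and adds a `verify_path` routine of its own that recomputes the root label from a source label plus the labels in the authenticator, which is the check a verifier performs on a certificate in the schemes of the later sections. Labels have fixed length, so concatenating them in vertex order is unambiguous.

```python
import hashlib
from typing import Dict, Iterable, List, Set, Tuple


def H(data: bytes) -> bytes:
    """The CRHF of Sect. 1.1; SHA-256 stands in for it (assumption of this example)."""
    return hashlib.sha256(data).digest()


class AuthGraph:
    """Topologically sorted DAG on vertices 1..n whose unique sink n is the root."""

    def __init__(self, n: int, edges: Iterable[Tuple[int, int]]):
        self.n = n
        # pred[v] = E^{-1}(v): the proper ancestors (in-neighbours) of v, kept sorted
        self.pred: Dict[int, List[int]] = {v: [] for v in range(1, n + 1)}
        for v, w in edges:
            if not 1 <= v < w <= n:
                raise ValueError(f"edge ({v},{w}) breaks the topological order")
            self.pred[w].append(v)
        for v in self.pred:
            self.pred[v].sort()

    def sources(self) -> List[int]:
        return [v for v in range(1, self.n + 1) if not self.pred[v]]

    def labels(self, source_strings: Dict[int, bytes]) -> Dict[int, bytes]:
        """L_v = H_v for sources, L_v = H(L_{E^{-1}(v)}) for every other vertex."""
        L: Dict[int, bytes] = {}
        for v in range(1, self.n + 1):  # topological order: ancestors are labeled first
            if not self.pred[v]:
                L[v] = source_strings[v]
            else:
                L[v] = H(b"".join(L[w] for w in self.pred[v]))
        return L

    def computable(self, v: int, W: Set[int]) -> bool:
        """v is computable from W if v is in W, or v is not a source and all of E^{-1}(v) are."""
        if v in W:
            return True
        if not self.pred[v]:
            return False
        return all(self.computable(w, W) for w in self.pred[v])

    def authenticator(self, path: List[int]) -> Set[int]:
        """AP_G(path): the in-neighbours of the path vertices that are not on the path."""
        for a, b in zip(path, path[1:]):
            if a not in self.pred[b]:
                raise ValueError(f"({a},{b}) is not an edge of G")
        preds: Set[int] = set()
        for v in path:
            preds.update(self.pred[v])
        return preds - set(path)

    def depth(self) -> int:
        """dpt(G) = max over v of d(v, root), by dynamic programming on the sorted order."""
        dist = {self.n: 0}
        for v in range(self.n - 1, 0, -1):
            succ = [w for w in range(v + 1, self.n + 1) if v in self.pred[w]]
            if not succ:
                raise ValueError(f"vertex {v} cannot reach the root")
            dist[v] = 1 + min(dist[w] for w in succ)
        return max(dist.values())


def merkle_tree(d: int) -> AuthGraph:
    """Merkle's authentication tree V_d with 2^d sources, numbered level by level as in Figure 1."""
    edges: List[Tuple[int, int]] = []
    level = list(range(1, 2 ** d + 1))
    nxt = 2 ** d + 1
    while len(level) > 1:
        parents = []
        for i in range(0, len(level), 2):
            edges += [(level[i], nxt), (level[i + 1], nxt)]
            parents.append(nxt)
            nxt += 1
        level = parents
    return AuthGraph(nxt - 1, edges)


def verify_path(G: AuthGraph, path: List[int], known: Dict[int, bytes], root_label: bytes) -> bool:
    """Recompute the labels along `path` from the known labels (its source and its authenticator)
    and compare with the trusted root label; a forged or missing label makes the check fail."""
    L = dict(known)
    for v in path:
        if v in L:
            continue
        if not all(w in L for w in G.pred[v]):
            return False
        L[v] = H(b"".join(L[w] for w in G.pred[v]))
    return L.get(path[-1]) == root_label


def demo() -> Dict[str, object]:
    G = merkle_tree(3)
    docs = {i: H(f"document {i}".encode()) for i in range(1, 9)}  # constructed H_1..H_8
    L = G.labels(docs)
    path = [3, 10, 13, 15]
    ap = G.authenticator(path)
    known = {v: L[v] for v in ap | {3}}
    return {"authenticator": ap, "depth": G.depth(), "verified": verify_path(G, path, known, L[15])}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports the authenticator $\{4, 9, 14\}$ of the path $(3, 10, 13, 15)$, depth 3 for $V_3$, and a successful recomputation of $L_{15}$; replacing any known label makes `verify_path` return `False`, which is exactly why a verifier only needs the authenticator and the root label.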

2 EXISTING TIME-STAMPING SYSTEMS

2.1 Simple Solutions

Let us first describe a "naïve" solution, the "digital safety-deposit box" [HS91, Sect. 3]. Whenever a client has a document to be time-stamped, he or she transmits the document to a time-stamping authority (TSA). The authority records the date and time the document was received and retains a copy of the document for safe-keeping. If the integrity of the client's document is ever challenged, it can be compared to the copy stored by the TSA. If they are identical, this is evidence that the document has not been tampered with after the date contained in the TSA records. This procedure does in fact meet the central requirements for the time-stamping of a digital document. However, this approach raises several concerns:

- Privacy: This method compromises the privacy of the document in two ways: a third party could eavesdrop while the document is being transmitted, and after transmission it is available indefinitely to the TSA itself. Thus the client has to worry not only about the security of documents it keeps under its direct control, but also about the security of its documents at the TSA.
- Bandwidth and storage: Both the amount of time required to send a document for time-stamping and the amount of storage required at the TSA depend on the length of the document to be time-stamped. Thus the time and expense required to time-stamp a large document might be prohibitive.
- Incompetence: The TSA's copy of the document could be corrupted in transmission to the TSA, it could be incorrectly time-stamped when it arrives at the TSA, or it could become corrupted or lost altogether at any time while it is stored at the TSA. Any of these occurrences would invalidate the client's time-stamping claim.
- Trust: The fundamental problem remains: nothing in this scheme prevents the TSA from colluding with a client in order to claim to have time-stamped a document for a date and time different from the actual one.

The next simple time-stamping protocol, discussed by Haber and Stornetta [HS91, Sect. 4], addresses the first three concerns listed above. The final issue, trust, will be handled in the subsequent sections. In this protocol, the TSA appends the current time $t$ to the submitted document $X$, signs the composite document $(t, X)$ and returns the two values $t$ and $s = \mathrm{sig}_{TSA}(t, X)$ to the client. The weaknesses of this scheme are the unreliability of old time-stamps after a possible leakage of the signature key of the TSA and the impossibility of verifying whether $s$ was actually issued at the time $t$ stated in the time-stamp, implying that the TSA has to be unconditionally trusted. Because of these drawbacks it has been widely accepted that a secure time-stamping system cannot rely solely on keys or on any other secret information. Two recent overviews of existing time-stamping solutions are [MQ97] and [Jus98a].

2.2 Linear Linking Scheme (LLS)

In order to diminish the need for trust, the users may demand that the TSA link all time-stamps together into a chain using a collision-resistant hash function $H$, as was proposed in [HS91, Sect. 5.1, variant 1] (Figure 2). In this case the time-stamp for the $n$-th submitted document $H_n$ is

$$s = \mathrm{sig}_{TSA}(n, t_n, ID_n, H_n, L_n),$$

where $t_n$ is the current time, $ID_n$ is the identifier of the submitter and $L_n$ is the linking information defined by the recursive equation

$$L_n := (t_{n-1}, ID_{n-1}, H_{n-1}, H(L_{n-1})).$$

Figure 2: Linear linking scheme with 9 elements (linking items $L_1, \ldots, L_9$ with data items $H_1, \ldots, H_9$).

There are several complications with the practical implementation of this scheme. The most important complication is that the number of steps needed to verify the one-way relationship between two stamps is linear with respect to the number of stamps between them. Hence, a single verification may be as costly as it was to create the whole chain. This solution has impractical trust and broadcast requirements, as was pointed out already in [BdM91]. A modification was proposed in [HS91, Sect. 5.1, variant 2] (Figure 3) where every time-stamp is linked with $k > 1$ time-stamps directly preceding it. This variation decreases the requirements for broadcast by increasing the space needed to store individual stamps.
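The following Python model of the linear linking scheme is an added example, not code from the thesis or from [HS91]. It builds the chain with exactly the link $L_n = (t_{n-1}, ID_{n-1}, H_{n-1}, H(L_{n-1}))$ given above and verifies the one-way relationship between two stamps by walking every link between them, counting hash evaluations so that the linear cost is visible. Two things are assumptions of the example only: an HMAC under a TSA key stands in for $\mathrm{sig}_{TSA}$ (a real TSA would use a signature scheme as in Sect. 1.2), and the first link $L_1$, which the scheme leaves unspecified, is filled with empty fields.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Callable, List, Tuple


def H(data: bytes) -> bytes:
    """CRHF of the scheme; SHA-256 stands in for it (assumption of this example)."""
    return hashlib.sha256(data).digest()


def enc(*parts: bytes) -> bytes:
    """Length-prefixed concatenation, so tuples of variable-length fields encode unambiguously."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


@dataclass(frozen=True)
class Link:
    """Linking information L_n = (t_{n-1}, ID_{n-1}, H_{n-1}, H(L_{n-1}))."""
    t_prev: int
    id_prev: str
    h_prev: bytes
    hash_of_prev_link: bytes

    def encode(self) -> bytes:
        return enc(str(self.t_prev).encode(), self.id_prev.encode(), self.h_prev, self.hash_of_prev_link)


@dataclass(frozen=True)
class Stamp:
    """The n-th time-stamp: the signed fields (n, t_n, ID_n, H_n, L_n) plus the signature."""
    n: int
    t: int
    ident: str
    h: bytes
    link: Link
    sig: bytes


def stamp_message(n: int, t: int, ident: str, h: bytes, link: Link) -> bytes:
    return enc(str(n).encode(), str(t).encode(), ident.encode(), h, link.encode())


class LinearLinkingTSA:
    def __init__(self, key: bytes):
        self._key = key  # HMAC key standing in for the TSA's signing key (assumption)
        self.stamps: List[Stamp] = []

    def sign(self, msg: bytes) -> bytes:
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def verify_sig(self, msg: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(msg), sig)

    def stamp(self, ident: str, h: bytes, t: int) -> Stamp:
        n = len(self.stamps) + 1
        if n == 1:
            link = Link(0, "", b"", b"")  # L_1 has no predecessor (assumption)
        else:
            p = self.stamps[-1]
            link = Link(p.t, p.ident, p.h, H(p.link.encode()))
        s = Stamp(n, t, ident, h, link, self.sign(stamp_message(n, t, ident, h, link)))
        self.stamps.append(s)
        return s


def verify_order(verify_sig: Callable[[bytes, bytes], bool], stamps: List[Stamp],
                 m: int, n: int) -> Tuple[bool, int]:
    """Check that stamp n is one-way dependent on stamp m (m < n) by walking every link between
    them. Returns (ok, number of hash evaluations); the count is n - m, linear in the distance."""
    if not 1 <= m < n <= len(stamps):
        raise ValueError("need 1 <= m < n <= number of stamps")
    s_m = stamps[m - 1]
    if not verify_sig(stamp_message(s_m.n, s_m.t, s_m.ident, s_m.h, s_m.link), s_m.sig):
        return False, 0
    hashes = 0
    for k in range(m + 1, n + 1):
        prev, cur = stamps[k - 2], stamps[k - 1]
        if not verify_sig(stamp_message(cur.n, cur.t, cur.ident, cur.h, cur.link), cur.sig):
            return False, hashes
        expected = Link(prev.t, prev.ident, prev.h, H(prev.link.encode()))
        hashes += 1
        if cur.link != expected:  # a modified predecessor breaks the chain right here
            return False, hashes
    return True, hashes


def demo() -> Tuple[bool, int, bool]:
    tsa = LinearLinkingTSA(b"constructed-demo-key")
    for i in range(1, 11):  # ten constructed submissions
        tsa.stamp(f"client{i % 3}", H(f"document {i}".encode()), 1000 + i)
    ok, cost = verify_order(tsa.verify_sig, tsa.stamps, 2, 9)
    forged = list(tsa.stamps)
    forged[1] = replace(forged[1], h=H(b"substituted document"))  # alter H_2 after issuing
    bad_ok, _ = verify_order(tsa.verify_sig, forged, 2, 9)
    return ok, cost, bad_ok


if __name__ == "__main__":
    print(demo())  # (True, 7, False)
```

Verifying the order of stamps 2 and 9 costs seven hash evaluations, one per link traversed, and a substituted $H_2$ is caught both by the signature on stamp 2 and by the mismatch with the copy of $H_2$ carried inside $L_3$.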

2.3 Tree-Like Schemes

Two similar schemes based on Merkle's authentication trees [Mer80] have been proposed [BdM91, BHS92]. In the Haber–Stornetta scheme [BHS92, HS97], the time-stamping procedure is divided into rounds. The time-stamp $R_r$ for round $r$ is a cumulative hash of the time-stamp $R_{r-1}$ for round $r-1$ and of all the documents submitted to the TSA during round $r$. After the end of the $r$-th round a binary tree $T_r$ is built.

Figure 3: A modification of the linear linking scheme, where every time-stamp $L_i$ ($i = 1, \ldots, 8$) is linked with the 2 time-stamps directly preceding it.

Every participant $P_i$ who wants to time-stamp at least one document in this round submits to the TSA a hash $y_{r,i}$, which is a hash of $R_{r-1}$ and of all the documents he wants to time-stamp in this round. The sources of $T_r$ are labeled by the different $y_{r,i}$. Each inner node $k$ of $T_r$ is recursively labeled by $H_k := H(H_{k_L}, H_{k_R})$ [HS97], where $k_L$ and $k_R$ are the left and the right proper ancestor of $k$ respectively, and $H$ is a collision-resistant hash function. The TSA has to store only the time-stamps $R_r$ for rounds (Figure 4). All the remaining information required to verify whether a certain document was time-stamped during a fixed round is included in the individual time-stamp of the document.

Figure 4: An example of the time-stamp for round $r$ by the scheme presented in [BdM91]: the sources $y_{r,1}, \ldots, y_{r,4}$ are hashed pairwise into $H_4 = H(y_{r,1}, y_{r,2})$ and $H_5 = H(y_{r,3}, y_{r,4})$, then into $H_6 = H(H_4, H_5)$, and $R_r = H(H_6, R_{r-1})$.

For example, the individual time-stamp for $y_{r,3}$ is $(r; (y_{r,4}, L), (H_4, R))$. The verifying procedure for the time-stamp of $y_{r,3}$ consists of verifying the equality $R_r = H(H(H_4, H(y_{r,3}, y_{r,4})), R_{r-1})$. Here, the size of a single time-stamp is logarithmic with respect to the number of participants submitting their documents to the TSA for the current round.

The Haber–Stornetta tree scheme [BHS92, HS97] (Figure 5) differs slightly from the Benaloh–de Mare scheme [BdM91]. Here, the time-stamp $R_n$ for the $n$-th round is linked directly to $R_{n-1}$, enabling the verifier to check one-way dependencies between the $R_i$ without examining the individual time-stamps of the submitted documents. This is impossible in the Benaloh–de Mare scheme. However, in the Haber–Stornetta scheme the individual time-stamps in the $n$-th round are not linked to the time-stamp $R_{n-1}$ for the previous round.

Figure 5: An example of the time-stamp for round $r$ by the scheme presented in [BHS92]: the sources $y_{r,1}, \ldots, y_{r,4}$ are hashed into $H_4$, $H_5$ and $H_6$ as in Figure 4, and $R_r$ is formed from $R_{r-1}$ and $H_6$.

These schemes are feasible but provide RTA for the documents issued during the same round only if we unconditionally trust the TSA to maintain the order of time-stamps in $T_r$. Therefore, this method either increases the need for trust or otherwise limits the maximum temporal duration of rounds to insignificant units of time. However, if the number of documents submitted during a round is too small, the expense of time-stamping a single document may become unreasonably large (Sect. 3.5.4).
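The round-based construction of Figure 4 and its verification equation can be written out for any power-of-two number of participants. The Python below is an added example, not code from the thesis or from [BdM91]; it assumes SHA-256 for $H$ and uses the certificate convention visible in the text, where each entry pairs a sibling label with the position ($L$ or $R$) of the node being authenticated, so that for four participants the certificate of $y_{r,3}$ comes out as $((y_{r,4}, L), (H_4, R))$. The example goes beyond the four-participant figure: `build_round` handles $2^k$ submissions and the certificate length grows as $k$, which is the logarithmic size claimed above.

```python
import hashlib
from typing import List, Tuple


def H(*parts: bytes) -> bytes:
    """CRHF applied to the concatenation of its arguments; SHA-256 stands in (assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()


# One certificate entry is (sibling label, position of the authenticated node: "L" or "R"),
# following the notation (r; (y_{r,4}, L), (H_4, R)) used in the text.
Cert = List[Tuple[bytes, str]]


def participant_submission(R_prev: bytes, documents: List[bytes]) -> bytes:
    """y_{r,i}: a hash of R_{r-1} and of all documents P_i wants to time-stamp this round."""
    return H(R_prev, *[H(doc) for doc in documents])


def build_round(y: List[bytes], R_prev: bytes) -> Tuple[bytes, List[Cert]]:
    """Build T_r over the sources y (a power of two of them) and return R_r together with one
    individual time-stamp per source, in the Benaloh-de Mare form of Figure 4."""
    n = len(y)
    if n == 0 or n & (n - 1):
        raise ValueError("number of submissions must be a power of two")
    certs: List[Cert] = [[] for _ in range(n)]
    level = list(y)
    under = [[i] for i in range(n)]  # sources below each node of the current level
    while len(level) > 1:
        next_level, next_under = [], []
        for j in range(0, len(level), 2):
            left, right = level[j], level[j + 1]
            for i in under[j]:          # these sources sit on the left of this pair
                certs[i].append((right, "L"))
            for i in under[j + 1]:      # and these on the right
                certs[i].append((left, "R"))
            next_level.append(H(left, right))
            next_under.append(under[j] + under[j + 1])
        level, under = next_level, next_under
    R_r = H(level[0], R_prev)  # the round stamp also covers the previous round's stamp
    return R_r, certs


def verify_stamp(y_i: bytes, cert: Cert, R_prev: bytes, R_r: bytes) -> bool:
    """Recompute the path from y_{r,i} up to the round stamp and compare with the published R_r."""
    cur = y_i
    for sibling, pos in cert:
        cur = H(cur, sibling) if pos == "L" else H(sibling, cur)
    return H(cur, R_prev) == R_r


def demo() -> Tuple[int, bool, bool]:
    R0 = H(b"constructed genesis stamp")
    y = [participant_submission(R0, [f"doc {i}".encode()]) for i in range(4)]  # constructed
    R1, certs = build_round(y, R0)
    ok = verify_stamp(y[2], certs[2], R0, R1)  # y_{r,3} with certificate ((y_{r,4}, L), (H_4, R))
    tampered = verify_stamp(H(b"other document"), certs[2], R0, R1)
    return len(certs[2]), ok, tampered


if __name__ == "__main__":
    print(demo())  # (2, True, False)
```

A verifier holding only $y_{r,3}$, its two-entry certificate, $R_{r-1}$ and the published $R_r$ reproduces the equality $R_r = H(H(H_4, H(y_{r,3}, y_{r,4})), R_{r-1})$; substituting another document hash, or the wrong $R_{r-1}$, breaks it.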

3 SECURITY OBJECTIVES

In the following we give a definition of time-stamping systems applicable in legal situations. Later we will justify our approach and compare it to older ones.

A time-stamping system consists of a set of principals with the time-stamping authority (TSA), together with a triple $(S, V, A)$ of protocols. The stamping protocol $S$ allows each participant to post a message. The verification algorithm $V$ is used by a principal having two stamps to verify the temporal order between those time-stamps. The audit protocol $A$ is used by a principal to verify whether the TSA carries out its duties. Additionally, no principal (in particular, the TSA) should be able to produce fake time-stamps without being caught (this notion will be formalized in Sect. 3.3).

A time-stamping system has to be able to handle time-stamps which are anonymous and do not reveal any information about the content of the stamped data. The TSA is not required to identify the initiators of time-stamping requests. Our notion of a time-stamping system differs from the one given in, e.g., [BdM91] in several important aspects. Below we motivate the differences.

3.1 Relative Temporal Authentication

The main security objective of time-stamping is temporal authentication (a phrase coined probably by Michael Just, [Jus98b]) — the ability to prove that a certain document has been created at a certain moment of time. Although the creation of a digital data item is an observable event in the physical world, the moment of its creation cannot be ascertained by observing the data itself (moreover, even by the theory of relativity, no such thing as absolute time exists). The best one can do is to check the relative temporal order between some auxiliary data (i.e., prove the relative temporal authentication, RTA) using one-way dependencies defining the arrow of time, analogous to the way in which the growth of entropy defines the arrow of time in the physical world [Haw88, Chap. 9].

All (but the simplest) time-stamping systems that we describe use some authentication graph $G$ built in a black-box manner upon a collision-resistant one-way hash function $H$. In such cases one says that $n$ is one-way dependent on $m$ if there is a $G$-path from $m$ to $n$. The intuition behind this is the following "rough" derivation rule:

If $H(X)$ and $X$ are known to a principal $A$ at a moment $t$, then someone (possibly $A$ himself) used $X$ to compute $H(X)$ at a moment prior to $t$.

All proposed time-stamping systems make sense only under the hypothesis of the existence of collision-free one-way hash functions.

Vertices of $G$ are also sometimes referred to as linking items. In the context of time-stamping, $H_n$ (referred to also as a data item) denotes the (hash of the) $n$-th time-stamped document. The time certificate $\mathrm{Cert}(n)$ of $H_n$ is equal to $(n, L_N)$, for some $N \subseteq \{1, \ldots, n(G)\}$ (the exact definition will depend on the graph $G$ and will be given later). To achieve RTA it is necessary for some $L_n$ in $\mathrm{Cert}(n)$ to be one-way dependent on some element $L_m$ in $\mathrm{Cert}(m)$, whenever $m < n$.

Note that a one-way relationship between $L_n$ and $L_m$ does not prove that at the moment of creating $H_n$ the bit-string $H_m$ did not exist. All we know is that $H_n$ did exist at the moment of creating $L_m$.

3.2 Discussion: Absolute Time

The stamp of Hndoes not contain any absolute time tnwhereas it could not be taken

for granted that the value tnindeed represents the submission time of Hn. The only

way for a principal to associate a stamp with a certain moment of time is to stamp a

nonce at this moment. By a nonce we mean a sufﬁciently long (say, k-bit, k160)

random bit-string, such that the probability it has been already time-stamped is

negligible (easily achieved if the bit-string is generated using a cryptographically

strong pseudo-random number generator).

In order to verify the absolute creation time of a document time-stamped by another principal, the verifier has to compare the time-stamp with the time-stamps of nonces generated by the verifier herself. In this solution there are no supplementary duties for the TSA or for the other principals. The use of nonces illustrates the similarity between time-stamping and ordinary authentication protocols, where nonces are used to prevent the possible reuse of old messages from previous communications (a reader interested in authentication protocols is directed to, e.g., [BR93]).

By using relative temporal authentication it is possible to determine not only the submission time of a signature but also the time of signing the document. Before signing a document $X$ the principal $A$ generates a nonce $R$ and stamps it. He then includes the stamp $L(R)$ of $R$ in the document (Figure 6), signs it and obtains the stamp $L(X')$ of the signature $X' = \mathrm{sig}_A(L(R), X)$. From the view-point of the TSA these two stamping events are identical (he need not be aware whether he is stamping a nonce or meaningful data). For the verification of the document $X$, the verifier has to compare both these stamps with the stamps trusted by her. As there are one-way dependencies between $L(R)$, $X'$ and $L(X')$, the verifier may conclude that the signature was created in the time-frame between the moments of issuance of $L(R)$ and of $L(X')$ respectively. If these moments are close enough, the signing time can be ascertained with the necessary precision.


Figure 6: Double-stamping a signature. $A$ chooses a nonce $R \in \{0,1\}^k$, obtains the stamp $L(R)$ from the TSA, signs $(X, L(R))$ and obtains the stamp $L(X')$ of $X' = H(\mathrm{sig}_A(X, L(R)))$.

3.3 Accountable Time-Stamping

A time-stamping system must have properties enabling users to verify whether

an arbitrary time certiﬁcate is correct or not. (As we already noted, possession

of two documents with corresponding time certiﬁcates is not enough to prove the

RTA between the documents because everyone is able to produce fake chains of

stamps.)

A time-stamping system should allow

1. To determine whether the time certiﬁcates possessed by an individual have

been tampered with; and

2. In the case of tampering, to determine whether the certiﬁcates were tampered

by the TSA or tampered after the issuing (generally by unknown means).

In the second case, there is no-one to bring an action against.

As a general principle, the principals interested in the legal use of stamps should themselves verify their correctness immediately after issuance (using signatures and other techniques discussed later), because if the signature of the TSA later becomes unreliable, the signed time-stamps cannot be used as evidence.

In order to increase the trustworthiness of the time-stamping service it should be possible for the clients to periodically inspect the TSA. Also, in the case when the TSA is not guilty, he should have a mechanism to prove his innocence, i.e., that he has not issued a certain time-stamp during a certain round.

Additionally, the TSA must publish regularly, in an authenticated manner, the time-stamps for rounds [BdM91] in mass media. If the time-stamping protocol includes (by using collision-resistant one-way hash functions)

1. the message digest of any time-stamp issued during the $r$-th round into the time-stamp for the $r$-th round, and

2. the message digest of the time-stamp for round $r-1$ into any time-stamp issued during the $r$-th round,

it will be intractable for anyone to undetectably forge a time-stamp. The forgery detection procedures should be simple. Forgeries should be detectable either during the stamping protocol (when the time-stamp, signed by the TSA, fails to be correct) or later, when it is impossible to establish the temporal order between two otherwise correct time-stamps (see Sect. 4 for details).

Definition 2 A time-stamping system is accountable if (under some reasonable security assumptions) it makes the trusted third parties accountable for their actions by enabling a principal to detect, and later prove to a judge, any fraud. Moreover, if a party has honestly followed the protocol but is nevertheless accused of forgery, she can explicitly disprove the false accusation.

3.4 Security Preconditions

In the current subsection we postulate some security assumptions. It can be shown

that the later proposed time-stamping systems are accountable if the following —

usually tacitly assumed in the crypto context — conditions hold:

Liveliness. The TSA responds to the clients instantaneously (i.e., no Denial of Ser-

vice attacks). “Denial of Service” attacks are extremely powerful against the time-

stamping systems (indeed, the whole concept of a TSI would become meaningless

if DoS attacks against it were easy to employ) and should therefore be considered

very seriously.

Competence of honest parties. The party willing to prove misbehaviour of other

parties is honest and competent. In particular, she should verify the signatures and

not accept if the veriﬁcation fails.

Key secrecy. The signing keys of the TSA are not compromised before the end of the next round. Otherwise, the owner of the leaked key holds full responsibility for any damage resulting from the key compromise. It is reasonable to assume that the TSA is competent to keep his keys uncompromised during a short time-frame. Timely reporting of a key compromise limits the influence of the key leakage to one round.

Validity of cryptographic assumptions. None of the used cryptographic primitives

(hash function, signature scheme) is broken during a round. Note that key secrecy

implies in general (but not always) that the used signature scheme is secure.


3.5 Feasibility Requirements

3.5.1 Connectivity

Sect. 4 shows how to modify the linear linking scheme [HS91, Sect. 5.1] to achieve

accountability. On the other hand, one certiﬁcate veriﬁcation takes as much time

as was done by the TSA stamping all the documents. As noted, e.g., in [Jus98b],

it is easy to forge stamps when we can assume that the veriﬁer has limited com-

putational power. Hence, the number of stamps per round is limited by the com-

putational power of the weakest potential veriﬁer. This leads us to the question of

feasibility.

3.5.2 Graph Density

The time spent in verification is of order $\mathrm{dpt}(G)$. If $\mathrm{dpt}(G) \approx n(G)$, the number of stamps issued is very much restricted by the desire to have a lightning-fast verification procedure. But a time-stamping service is assumed to work for ages and to issue millions or billions of time-stamps. Clearly, in this case verification is feasible only if the authentication graph $G$ is dense, i.e., if $\mathrm{dpt}(G)/\log n(G) = O(1)$. The smaller the value $\mathrm{dpt}(G)$, the bigger the gap between the work done by issuing the stamps and by a single verification. One of the most important results of our work is that we found a tight lower bound for the value of $\mathrm{dpt}(G)$.

3.5.3 Connectivity

Tree-like schemes [BdM91, BHS92] were motivated by the desire to compress the data submitted to the TSA during short time intervals referred to as rounds. The duration of rounds was assumed to be small enough to think about the time-stamping requests submitted during the same round as simultaneous. Unfortunately, bounding the round lengths reduces the compression effect. Simply enlarging the rounds is insecure because of the reordering attack, where the TSA rearranges the time-stamping requests submitted during the round.

Reordering attack. Let Alice request a stamp for her document $X$. Bob has bribed the TSA to delay the stamping of Alice's documents. Hence, the TSA assigns a conveniently large number $m$ to Alice's stamp, marks $m$ as "issued" and continues by assigning the intermediate numbers to the next documents. Alice can neither detect reordering attacks nor prove their existence to third parties.

In the case of a simply connected graph, a demonstrated one-way dependent path between two stamps can clearly be interpreted as a proof. On the other hand, if a graph is not simply connected, a possible future verifier of a temporal order is forced to rely on linking conventions such as "previously issued stamps are located to the left in the tree, compared to the later issued stamps". Although the use of such conventions will probably almost always suffice in practice, it still introduces a certain degree of looseness into the system. We can certainly imagine a situation where it is advantageous to all of the principals to follow the protocol for a certain time, but later to change the practice and pretend that at this time in the past, left was right and right was left. Even if such attacks may seem exaggerated, we should still worry about them.

Our quest is to elaborate a practical "real world" time-stamping service relying only on some simple, easily understood security preconditions, so that no matter how the clients use the time-stamps in higher-level protocols, the security objectives of these protocols will not be refuted if an "ideal world" trusted TSS is replaced with the "real world" untrusted TSS. Such an approach of simulating an ideal-world object with a real-world object is common in modern cryptography. The current thesis is more concerned with efficiency than with security, but we stress that the reordering attack is one of the possible forgeries the TSA can accomplish, and thus a simply connected authentication graph is a necessary precondition for accountability.

3.5.4 Accumulated Time-Stamping

In order to make relative temporal authentication feasible in the case when stamps belong to different rounds, it is reasonable to define an additional layer of links between the time-stamps for rounds. We do it by defining the graph composition $G_1 \circ G_2$. Informally, $G_2$ is the authentication graph used inside the rounds, and $G_1$ is used as this second layer. Both $G_1$ and $G_2$ should be sufficiently large finite graphs (say, of $2^{32}$ to $2^{80}$ vertices).

Definition 3 Let $G_1 = (V_1, E_1)$ and $G_2 = (V_2, E_2)$ be two authentication graphs. The graph composition $G_1 \circ G_2 = (V, E)$ (Figure 7) is the graph produced from $G_1$ by replacing every source $r$ of $G_1$ with a copy $G_2^r$ of $G_2$ (more precisely, by identifying the sink of $G_2^r$ with $r$), and by identifying the sink of $G_2^r$ with the first vertex (which is, by definition, a source) of $G_2^{r+1}$. Trivially, $G_1 \circ G_2$ is an acyclic digraph with a sink, and thus, correctly labeled, also an authentication graph. With $G_1$ and $G_2$ fixed, we define $\xi(r)$ to be the number of the $r$-th source of $G_1$ in $G_1 \circ G_2$ (we assume that if $r_1 < r_2$ then $\xi(r_1) < \xi(r_2)$). We also single out the set of vertices $m \in V(G_1 \circ G_2)$ such that $(m, \xi(r)) \in E$ for some $r$ (i.e., the set of vertices $n \in G_2^r$ for some $r$). The $r$-th copy $G_2^r$ of $G_2$ is also called the $r$-th round (of $G_1 \circ G_2$). The values $R_r = L_{\xi(r)}$ are also referred to as the stamps for rounds.

If the subgraphs of $G_1$ and of $G_2$ induced by the corresponding vertex sets are simply connected, then so is the subgraph of $G_1 \circ G_2$ induced by the set singled out above. Thus $G_1 \circ G_2$ could be used in a system achieving RTA. Note that the stamps requested from the TSA


Figure 7: Graph composition $G_1 \circ G_2$: each source of $G_1$ is replaced by a copy of $G_2$. Here, $s = |G_1|$.

during the verification algorithm should belong to the set of stamps for rounds, because only these stamps are available in the TSA (see Sect. 4.2 for more).

An obvious generalization of the construct $G_1 \circ G_2$ is to allow the copies of $G_2$ to differ. Namely, let the generalized graph composition $G \circ (G^1, \dots, G^s)$ be the graph constructed from $G$ by replacing the $r$-th source with a copy of $G^r$. Everything else is defined as in Def. 3.

Definition 4 Let $G$ be an authentication graph and let $\xi: V(G) \to V(G)$. $(G, \xi)$ is an accumulated graph with rank $m$ if

1. whenever $\xi(r) < n < \xi(r+1)$, then $E^{-1}(n) \subseteq [\xi(r), \xi(r+1)] \cup \xi(V(G))$;

2. $\xi(r+1) - \xi(r) \ge m$.

We say that $G$ is an accumulated graph if for arbitrary positive $m$ there exists $\xi: V(G) \to V(G)$ such that the $(G, \xi)$-scheme is an accumulated graph with rank $m$.

If the underlying authentication graph is accumulated, the duration of the rounds

can be ﬂexibly enlarged in order to guarantee that only a small fraction of the time-

stamps are kept in the memory of the time-stamping server. A way to achieve

accumulated time-stamping was proposed in [BLLV98]. A much simpler way to achieve the flexibility in choosing the round lengths is to use the generalized graph composition $G \circ (G^1, \dots, G^s)$, where the $r$-th round $G^r$ is itself a member of a recursively constructed graph family, so that $G^r$ can be extended or "cut" if necessary. Some examples of accumulated schemes will be given later.

3.6 Necessity of Rounds

There are several, partially conflicting, reasons why rounds are introduced into time-stamping. Most of the reasons are explained elsewhere in this thesis. Here we just give a concentrated list of some of the reasons why it is necessary to have 1) rounds at all and 2) flexibility in choosing the round lengths.

Storage A time-stamping authority will not and should not be able to store all the

time-stamps issued during its functioning (cf Sect. 3.3).

Havoc limitation In the systems described in the next sections, the time-stamping authority's secret key is required to stay secure only for the duration of one or two rounds. Key compromise will influence only the trustworthiness of stamps issued during a single round (cf Sect. 3.4). The same is true in the case when the underlying cryptographic primitives are suddenly broken.

Accountability Accountability is impossible if the veriﬁer (say, the judge) does

not possess an authenticated common successor of the two disputed stamps

(this is due to the simplicity of building “parallel worlds” of one-way depen-

dencies).

Connection with absolute time As it was stressed in Sect. 3.1, relative temporal

authentication is what we can expect from the time-stamping. There still

should be a connection with real time, at some point. For example, in court

in some cases one would like to refer to a particular date. Then it helps if the

absolute starting time of each round is publicly veriﬁable.


4 ACCUMULATED LINEAR LINKING SCHEME

For pedagogical reasons, we outline the protocols and the basic organizational principles of our system using the linear linking scheme of Sect. 2.2, upon which an accumulated linking scheme is built, corresponding to the ideology of Sect. 3.5.4. We will describe the operation of the TSA, and also the protocols. The described scheme fulfills all the trust requirements but is impractical. In the next sections, the efficiency of the described scheme is significantly improved by replacing the linear scheme with a binary linking scheme. The final scheme, presented in Sect. 6.2, has tightly (i.e., not only asymptotically) optimal stamp lengths.

4.1 Description of the Authentication Graph

Let the number $M$ of time-stamps per round be a constant known to the participants (clients). The round graph $G_2$ is equal to the linear linking scheme $\Lambda_M$ with $M$ sources. The second-layer graph $G_1$ is equal to the linear linking scheme with, say, $N = 2^{80}$ sources (Figure 8). Thus, this scheme is based on the graph $\Lambda_N \circ \Lambda_M$. The time-stamp for the $r$-th round has number $\xi(r) = Mr + 1$. Let all the data items $H_n$ be of fixed size of $k$ bits (i.e., the documents are hashed).

Figure 8: A two-layered linear linking "toy" scheme $\Lambda_4 \circ \Lambda_4$ (data items $H_1, \dots, H_{16}$; the round stamps $L_5$, $L_9$, $L_{13}$, $L_{17}$ close rounds 1 to 4).

Remark 1 In real life, the underlying scheme would be $\Lambda_N \circ (\Lambda_{M_1}, \dots, \Lambda_{M_s})$. Due to the construction of linear schemes, the TSA can choose the round length at any time. Thus, the TSA has a very flexible choice of round lengths. While this is very important in practice, we will not stress this point for the next schemes.

All our subsequent constructions will use the next deﬁnition (resp. to the corre-

sponding underlying graph).


Definition 5 (Head and tail) Let $G = G_1 \circ G_2$ be the underlying graph of an accumulated time-stamping system. For any $m \in [\xi(r-1)+1, \xi(r)]$, let $(\xi(r-1), m_1, \dots, m)$ (resp. $(m, m_2, \dots, \xi(r))$) be the unique shortest path from $\xi(r-1)$ to $m$ (resp. from $m$ to $\xi(r)$); the same paths with the endpoints $\xi(r-1)$ and $\xi(r)$ removed are used as well. Let $\mathrm{head}(m)$ be the authentication path $\mathrm{AP}_{G_2}$ of the former path and $\mathrm{tail}(m)$ the authentication path $\mathrm{AP}_{G_2}$ of the latter. Let
$$\mathrm{Cert}(m) := (m, L_{\mathrm{head}(m)}, L_{\mathrm{tail}(m)})$$
be the time certificate of $H_m$. For any $m$ and $n$, $m < n$, let $\mathrm{body}(m,n)$ be the authentication path $\mathrm{AP}_G$ of the unique shortest path between $m$ and $n$. The functions head, tail and body are natural extensions of those functions to the whole graph $G_1 \circ G_2$.

If $G = \Lambda_N \circ \Lambda_M$ and $m$ and $n$ belong to the same round, then
$$L_{\mathrm{head}(n)} = (L_{\xi(r-1)}, H_{\xi(r-1)+1}, \dots, H_{n-1}, H_n),$$
$$L_{\mathrm{tail}(m)} = (H_{m+1}, \dots, H_{\xi(r)-1}, L_{\xi(r)})$$
and
$$L_{\mathrm{body}(m,n)} = (L_m, H_{m+1}, \dots, H_{n-1}, H_n).$$
Clearly, $L_{\mathrm{body}(m,n)}$ is computable from $L_{\mathrm{tail}(m)}$ and $L_{\mathrm{head}(n)}$, and extending body to stamps in different rounds,
$$L_{\mathrm{body}(m,n)} = \begin{cases} L_{\mathrm{tail}(m)} \,\|\, (R_{r(m)+1}, \dots, R_{r(n)-1}) \,\|\, L_{\mathrm{head}(n)} & \text{if } r(m) < r(n), \\ (L_m, H_{m+1}, \dots, H_{n-1}, H_n) & \text{if } r(m) = r(n), \end{cases} \qquad (1)$$
where $r(n)$ denotes the round in which the $n$-th stamp was issued.

4.2 Role of the TSA

The time-stamping authority (TSA) maintains the following databases (Figure 9):

1. the database $c$ of the stamps of the current round;

2. the database $p$ of the stamps of the previous round;

3. the database $r$ of the stamps for rounds;

4. the complete database $all$ of stamps.

The first three databases are considered to be on-line in the sense that any client can make requests to them at any moment. The fourth database is also stored but not on-line (it may be stored in an archive of CDs). Requests to this database are possible, but costly (e.g., requiring human interaction). After the end of each


Figure 9: Databases kept by a TSA: $c$, $p$ and $r$ are on-line, $all$ is off-line.

round, the stamps in $p$ are stored on a separate CD (this process may be audited). Thereafter, $p$ is emptied. The stamp $R_r$ for the current round is computed, added to $r$ and published in a newspaper. The database $c$ is copied into $p$ and a new database $c$ is created.

Most of the time-stamping schemes proposed to date are vulnerable in the sense that if the database $all$ ceases to exist, one is no longer able to perform relative temporal authentication. Even if the stamps for rounds are regularly (say weekly, as in the Digital Notary [Sur99] system) published in a newspaper, destruction of the database significantly reduces the accuracy, from (say) one second to one week.

What we really expect from the time certificates is that:

if $m$ and $n$ are "close" enough in time (lie in the same round), their one-way relationship can be established using $\mathrm{Cert}(m)$ and $\mathrm{Cert}(n)$;

if $m$ and $n$ are not "close" enough in time (lie in different rounds), their one-way relationship can be established using $\mathrm{Cert}(m)$, $\mathrm{Cert}(n)$ and the data published in the newspaper.

These requirements are satisfied if $\Lambda_N \circ \Lambda_M$ is used as the underlying authentication graph (cf Eq. (1)). The security of accumulated schemes does not depend on the integrity of the database $all$.

4.3 Stamping Protocol

The stamping protocol $S$ consists of two parts: the stamp issuing protocol, which is executed when a client asks for a stamp, and the stamp completion protocol, which is executed later, after the end of the round. Protocol 4.1 is a slight modification of the protocol of [BLLV98, Sect. 4.2] due to [BLS99] that minimizes the communication complexity of stamp issuing.


Protocol 4.1 Stamp issuing protocol with linear linking scheme. Here, $r$ is the current round number.

1. The client sends $H_n$ to the TSA.

2. The TSA finds $L_n = H(H_n \,\|\, L_{n-1})$ and adds the pair $(H_n, L_n)$ to $c$.

3. The TSA sends the client the message $(n, L_n, \mathrm{sig}_{TSA}(n, L_n))$.

4. The client verifies the signature of the TSA.

After the $M$ requests have been answered, the TSA finishes the round by calculating the round stamp $R_r$ and publishing $R_r$ and his public verification key $VK_{TSA}$ in the newspaper. The client may now continue, during a limited period, with the stamp completion protocol (Protocol 4.2) in order to get the time certificate for $H_n$.

Protocol 4.2 Stamp completion protocol with linear linking scheme.

1. The client sends a request to the TSA.

2. The TSA answers by sending $(\mathrm{Cert}(n), \mathrm{sig}_{TSA}(\mathrm{Cert}(n)))$ to the client.

3. The client checks whether $\mathrm{head}(n)$ is consistent with $L_n$ and whether $\mathrm{tail}(n)$ is consistent with $R_{r(n)}$. The authenticated value $R_{r(n)}$ can be found either in the newspaper or by requesting it from the on-line database $r$ of the TSA.

We stress that every client who is interested in the legal use of some time certificate should validate it during these two protocols. In the relatively short period between the issuing protocol and the completion protocol, the signature key of the TSA is trusted to authenticate him (cf Sect. 3.4) and therefore his signature on an invalid $\mathrm{Cert}(n)$ can be used as evidence in court. But the client is responsible for doing this while the signature key of the TSA can still be trusted. Later, the signature of the TSA may become unreliable and therefore only the one-way properties can be used.

4.4 Veriﬁcation Algorithm

Let $r(n)$ denote the round where the $n$-th stamp was issued. Assume that the verifier possesses two time-stamped documents $(H_{m_1}, \mathrm{Cert}(m_1))$ and $(H_{m_2}, \mathrm{Cert}(m_2))$ where $m_1 < m_2$. Let
$$v(m_1, m_2) = (R_{r(m_1)}, R_{r(m_1)+1}, \dots, R_{r(m_2)-1})$$
be the tuple defined by $L_{\mathrm{body}(m_1,m_2)} = L_{\mathrm{tail}(m_1)} \,\|\, v(m_1,m_2) \,\|\, L_{\mathrm{head}(m_2)}$. The algorithm $V$ is represented by Protocol 4.3.


Protocol 4.3 Verification of whether $H_{m_1}$ was stamped before $H_{m_2}$.

INPUT: $(H_{m_1}, \mathrm{Cert}(m_1))$, $(H_{m_2}, \mathrm{Cert}(m_2))$.

1. If $r(m_1) \ne r(m_2)$, the verifier obtains from the TSA (or from the newspaper) the values $v(m_1, m_2)$ and $R_{r(m_2)}$.

2. The verifier checks whether $(L_{\mathrm{head}(m_i)}, L_{m_i}, L_{\mathrm{tail}(m_i)}, R_{r(m_i)})$ is internally consistent, for $i = 1, 2$.

3. The verifier verifies that the value of $R_{r(m_1)}$ in $v(m_1, m_2)$ is equal to the value of $R_{r(m_1)}$ in $\mathrm{Cert}(m_1)$ and that $v(m_1, m_2)$ is consistent with $R_{r(m_2)-1}$.

4.5 Audit Protocol

Because of the possible legal importance of the stamps issued by the TSA, there should be some mechanism to audit the TSA. One easy way to do it is to periodically request stamps from the TSA and verify them. If these stamps are linked inconsistently, the TSA can be proven guilty. Also, there has to be a mechanism for the TSA to prove that he has not issued a certain stamp $S$ in a certain round $r$. This can be done if the TSA presents all the stamps issued during the $r$-th round, shows that $S$ is not among them and that the stamp for the $r$-th round, found by using these stamps and the linking rules, coincides with the published stamp.

In all the time-stamping systems described in this thesis, such a disavowal protocol requires the TSA to present all stamps. The existence of a time-stamping system with succinct "negative proofs" is an important open problem.
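The linear scheme of Sects. 4.1 to 4.5 in executable form, as an added example that is not part of the thesis: stamp issuing (Protocol 4.1), the time certificate $\mathrm{Cert}(n) = (n, L_{\mathrm{head}(n)}, L_{\mathrm{tail}(n)})$ of Def. 5, the verification of Protocol 4.3 for stamps in the same round and in different rounds (Eq. (1)), and the disavowal proof of Sect. 4.5. SHA-256 stands in for $H$, the TSA signatures are left out, every round holds exactly $M$ documents with the round stamp $R_r = H(L_{rM} \,\|\, R_{r-1})$ as a separate linking item, and the TSA's database $r$ is assumed to store $L_{rM}$ next to $R_r$ so that the second-layer links can be re-hashed by a verifier; these are simplifications of the thesis' numbering chosen for this example, not its definitions. The document hashes are constructed test data.

```python
import hashlib


def H(*parts):
    """Collision-resistant hash of the concatenation of its arguments (SHA-256 stands in for H)."""
    return hashlib.sha256(b"".join(parts)).digest()


class LinearTSA:
    """Accumulated linear linking scheme with M documents per round (simplified numbering).

    Document n (global, 1-based) gets L_n = H(H_n || L_{n-1}); the first document of a
    round is linked to the previous round stamp instead of L_{n-1}.  Closing round r
    yields the round stamp R_r = H(L_{rM} || R_{r-1}), which chains the rounds (second layer).
    """

    def __init__(self, M, R0=b"\x00" * 32):
        self.M = M
        self.docs = {}          # n -> H_n          (database `all`, kept off-line in the thesis)
        self.links = {}         # n -> L_n
        self.R = [R0]           # R_0, R_1, ...     (stamps for rounds: database `r` / newspaper)
        self.closers = [None]   # L_{rM} per round   (assumed to sit in database `r` beside R_r)

    def round_of(self, n):
        return (n - 1) // self.M + 1

    def stamp(self, Hn):
        """Protocol 4.1, TSA side: link H_n into the chain and return (n, L_n)."""
        n = len(self.docs) + 1
        prev = self.R[-1] if (n - 1) % self.M == 0 else self.links[n - 1]
        self.docs[n], self.links[n] = Hn, H(Hn, prev)
        if n % self.M == 0:                        # round complete: compute and publish R_r
            self.closers.append(self.links[n])
            self.R.append(H(self.links[n], self.R[-1]))
        return n, self.links[n]

    def cert(self, n):
        """Protocol 4.2, TSA side: Cert(n) = (n, L_head(n), L_tail(n)) once round r(n) is closed."""
        r = self.round_of(n)
        if r >= len(self.R):
            raise ValueError("round %d is not finished yet" % r)
        first, last = (r - 1) * self.M + 1, r * self.M
        head = [self.R[r - 1]] + [self.docs[i] for i in range(first, n + 1)]
        tail = [self.docs[i] for i in range(n + 1, last + 1)] + [self.R[r]]
        return n, head, tail


def check_cert(cert):
    """Step 2 of Protocol 4.3: re-hash head and tail; return (R_{r-1}, L_n, R_r) or raise."""
    n, head, tail = cert
    L = head[0]                                    # R_{r-1}
    for Hi in head[1:]:                            # H_first, ..., H_n
        L = H(Hi, L)
    Ln = L
    for Hi in tail[:-1]:                           # H_{n+1}, ..., H_last
        L = H(Hi, L)
    if H(L, head[0]) != tail[-1]:
        raise ValueError("Cert(%d) is not internally consistent" % n)
    return head[0], Ln, tail[-1]


def verify_before(cert_m, cert_n, M, R, closers):
    """Protocol 4.3: was H_m stamped before H_n?  R and closers are the published round data."""
    m, n = cert_m[0], cert_n[0]
    if m >= n:
        return False
    _, L_m, R_m = check_cert(cert_m)
    Rp_n, L_n, _ = check_cert(cert_n)
    rm, rn = (m - 1) // M + 1, (n - 1) // M + 1
    if rm == rn:                                   # Eq. (1), same round: L_body(m,n) from tail(m)
        L = L_m
        for Hi in cert_m[2][:n - m]:               # H_{m+1}, ..., H_n
            L = H(Hi, L)
        return L == L_n
    # Different rounds: tail(m) ends in R_{r(m)}, head(n) starts from R_{r(n)-1}, and the
    # round stamps in between are re-linked with the TSA's round database (our assumption).
    if R_m != R[rm] or Rp_n != R[rn - 1]:
        return False
    return all(H(closers[j], R[j - 1]) == R[j] for j in range(rm + 1, rn))


def disavow(tsa, r, S, R):
    """Sect. 4.5: the TSA opens round r; the auditor re-links every stamp, checks the
    recomputed round stamp against the newspaper and confirms S was not issued in round r."""
    first, last = (r - 1) * tsa.M + 1, r * tsa.M
    L, issued = R[r - 1], []
    for i in range(first, last + 1):
        L = H(tsa.docs[i], L)
        issued.append(L)
    return H(L, R[r - 1]) == R[r] and S not in issued
```

In `verify_before`, the same-round branch recomputes $L_n$ from $L_m$ and the $H$-values of $\mathrm{tail}(m)$, which is exactly $L_{\mathrm{body}(m,n)}$ of Eq. (1); the cross-round branch touches only the published round data, so it still works after the database $all$ has been destroyed, as Sect. 4.2 demands. A certificate with one altered $H_i$ fails `check_cert`, which is the forgery detectable "during the stamping protocol" of Sect. 3.3.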


5 ANTI-MONOTONE SCHEMES

In the current section we give a construction of a practical linking scheme in which the certificate length has an upper bound logarithmic in the number of issued time-stamps. The described scheme is based directly on the "binary linking schemes" paradigm of Buldas, Laud, Lipmaa and Villemson [BLLV98].

Deﬁnition 6 A simply connected graph G V E is called anti-monotone binary

(AM graph, for short) if (1) m,E1m2; and (2) if k m n,k n E and

m E then k.

As it was shown in [BL98], the family of AM graphs is equal to the family of graphs constructed recursively from the singleton graph $G_1 = (\{1\}, \emptyset)$ by using the

anti-monotone composition operator (Figure 10). Clearly, G1G2F G1G2,

where F1 2 3 1 3 2 3 .

Figure 10: Anti-monotone composition $G$ of $G_1$ and $G_2$.

Definition 7 The anti-monotone scheme (AM scheme) of an AM graph $G$ is constructed from $G$ by introducing, for every vertex $v \in V(G)$, a new source vertex (carrying the data item of $v$) and an edge from it to $v$ (Figure 11).

Figure 11: Construction of the AM scheme from $G$.


Lemma 5.1 The following claims are true.

1. Let $G$ be an AM graph. For any $m$ and $n$, $m < n$, there exists a unique shortest $G$-path from $m$ to $n$.

2. If G1and G2are AM graphs, then G1G2is an AM graph. Moreover,

G1G2G1G2.

3. Let $G$ be an AM graph, and let $m_1, m_2 \in V(G)$, $m_1 < m_2$. Let $\pi_1$ be the unique shortest path from $m_1$ to the sink $n(G)$ and let $\pi_2$ be the unique shortest path from $1$ to $m_2$. Then $\pi_1 \cap \pi_2 \ne \emptyset$.

4. Let $G_1 \circ G_2$ be the underlying AM graph. The number of stamped documents per round is equal to $|G_2| - 1$.

Proof. We prove the first claim by induction on the structure of the graph $G$. The base ($G_1 = (\{1\}, \emptyset)$) is trivial. Let $G$ be the anti-monotone composition of $G_1$ and $G_2$. If $m, n \in G_1$ or $m, n \in G_2$, then the claim holds by the induction hypothesis. If $m \in G_1$ and $n \in G_2$, then by the induction hypothesis there is a unique shortest path from $m$ to the sink of $G_1$ and a unique shortest path from the sink of $G_1$ to $n$. The concatenation of those paths is the unique shortest path from $m$ to $n$.

The second claim says that accumulated time-stamping preserves the anti-monotonicity property.

5.1 Concrete Scheme

The next infinite family $T_n$ of AM graphs is a slight modification of the family defined in [BLLV98]:

1. $T_1$ consists of a single vertex, labeled with the number 1. This vertex is both the source and the sink of the graph $T_1$.

2. Let $T_n$ be already constructed. Its sink is labeled by $2^n - 1$. The graph $T_{n+1}$ consists of two copies of $T_n$, where the sink of the first copy is linked to the source of the second copy, and an additional vertex labeled by $2^{n+1} - 1$ which is linked from the sink of the second copy. The labels of the second copy are increased by $2^n - 1$. The source of $T_{n+1}$ is equal to the source of the first copy, the sink of $T_{n+1}$ is equal to the vertex labeled by $2^{n+1} - 1$.

Thereafter, add a link from the sink of the first copy to all the vertices of the second copy that have less than two in-going links. Note that there is now a double link from the sink of the first copy to the source of the second copy.


(Construction of $T_{n+1}$ from two copies of $T_n$: the first copy carries the labels $1, \dots, 2^n - 1$, the second copy $2^n, \dots, 2^{n+1} - 2$, and the new sink is $2^{n+1} - 1$.)

The sequence $T_n$ defines a countable AM graph with the vertices labeled by natural numbers which contains each graph $T_n$ as its initial segment. The graph $T_5$ is represented by Figure 12.

Figure 12: The AM graph $T_5$ (vertices $1, \dots, 31$).

Theorem 5.2 If $n > 2$ and $0 < a < b < 2^n$ then $d(a, b) \le 3n - 5$. (The proof is presented in Sect. 5.3.)

Denote by $\mathrm{ord}(n)$ the greatest power of 2 dividing $n$. In the AM graph $T_n$ presented above, it is reasonable to enumerate stamps in the lexicographic order by pairs $(m, p)$, where $0 \le p \le \mathrm{ord}(m)$ and $m > 0$. Then every vertex $(m, p)$ has as predecessors the vertices enumerated by

f m p :m2p1ord m2p1m2p

m2pord m2potherwise

and

g m p :m p 1p0

m1 ord m1p0
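To make the construction of $T_n$ concrete, here is an added example (not code from the thesis or from [BLLV98]) that builds $T_n$ exactly as described in the two steps above, keeps the double link as a repeated in-neighbour, and then checks by breadth-first search the properties the text claims for it: fan-in at most two (Def. 6), a unique shortest path between any $m < n$ (Lemma 5.1) and the bound $d(a,b) \le 3n - 5$ of Theorem 5.2. The vertex labels are those of the text; the dictionary representation and the function names are this example's own.

```python
from collections import deque


def build_T(n):
    """The AM graph T_n as {vertex: [in-neighbours]}, vertices labelled 1 .. 2^n - 1.

    A vertex may list the same in-neighbour twice: that is the double link from the
    sink of the first copy to the source of the second copy mentioned in the text.
    """
    if n == 1:
        return {1: []}                                  # T_1: a single vertex
    T = build_T(n - 1)
    e = 2 ** (n - 1) - 1                                # sink of the first copy
    G = {v: list(p) for v, p in T.items()}              # first copy, labels unchanged
    G.update({v + e: [u + e for u in p] for v, p in T.items()})   # second copy, labels + e
    G[e + 1].append(e)                                  # sink of first copy -> source of second
    G[2 * e + 1] = [2 * e]                              # new sink 2^n - 1, linked from 2nd copy's sink
    for v in range(e + 1, 2 * e + 1):                   # thread the first copy's sink into every
        if len(G[v]) < 2:                               # second-copy vertex that has fan-in < 2
            G[v].append(e)
    return G


def out_edges(G):
    """Successor sets (the double link collapses to one edge for path purposes)."""
    out = {v: set() for v in G}
    for v, preds in G.items():
        for u in preds:
            out[u].add(v)
    return out


def distances_from(G, out, s):
    """BFS along the edge direction: d(s, .) and the number of distinct shortest paths
    (as vertex sequences) from s to every reachable vertex."""
    dist, count, queue = {s: 0}, {s: 1}, deque([s])
    while queue:
        u = queue.popleft()
        for w in out[u]:
            if w not in dist:
                dist[w], count[w] = dist[u] + 1, count[u]
                queue.append(w)
            elif dist[w] == dist[u] + 1:
                count[w] += count[u]
    return dist, count


def max_distance(G):
    """max_{a<b} d(a,b); raises if some b is unreachable from some a < b (not simply connected)."""
    out, best = out_edges(G), 0
    for a in G:
        dist, _ = distances_from(G, out, a)
        for b in G:
            if b > a:
                if b not in dist:
                    raise ValueError("%d is not reachable from %d" % (b, a))
                best = max(best, dist[b])
    return best


def unique_shortest_paths(G):
    """Lemma 5.1, claim 1: exactly one shortest path between every pair m < n."""
    out = out_edges(G)
    for a in G:
        _, count = distances_from(G, out, a)
        if any(c != 1 for b, c in count.items() if b > a):
            return False
    return True


def max_fan_in(G):
    """Def. 6, condition (1): |E^{-1}(m)| <= 2 for every vertex m."""
    return max(len(p) for p in G.values())


if __name__ == "__main__":
    for n in range(2, 8):
        G = build_T(n)
        print("T_%d: %3d vertices, fan-in <= %d, max d(a,b) = %2d, 3n-5 = %2d, unique paths: %s"
              % (n, len(G), max_fan_in(G), max_distance(G), 3 * n - 5, unique_shortest_paths(G)))
```

Running the block shows why the theorem excludes $n = 2$: in $T_2$ the path $1 \to 2 \to 3$ has length $2 > 3 \cdot 2 - 5$, while from $T_3$ on the maximal distance meets the bound $3n - 5$ exactly (4 in $T_3$, 7 in $T_4$, attained by $d(1, 12) = d(1, e_3) + d(e_3, 12)$ as in the proof of Sect. 5.3).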

5.2 Accumulated Anti-Monotone Graphs

In Sect. 4 we presented an outline of a time-stamping system that fulfills our trust requirements. In the following we show how to make this system feasible by using an AM scheme. Namely, we take $G_{N,M} = T_N \circ T_M$ as the underlying graph, where (say) $N = M = 40$ (a toy example is represented by Figure 13).

Figure 13: The "toy" accumulated scheme $T_2 \circ T_3$.

Thus, we can directly apply Def. 5 to get the definitions of head, tail, body and $\mathrm{Cert}(m)$ for the graph $T_N \circ T_M$.

Example 1 Let the underlying graph be $T_2 \circ T_3$ (Figure 13). Then
$$L_{\mathrm{head}(10)} := (L_8, H_9, H_{10}),$$
$$L_{\mathrm{tail}(10)} := (H_{11}, L_9, H_{12}, L_9, H_{13}),$$
$$L_{\mathrm{head}(19)} := (L_{14}, H_{15}, L_{18}, H_{19}),$$
$$L_{\mathrm{tail}(19)} := \text{(empty string)}.$$

By the construction of $T_M$, the length of the $n$-th time certificate
$$\mathrm{Cert}(n) = (n, L_{\mathrm{head}(n)}, L_{\mathrm{tail}(n)})$$
does not exceed $2\,\mathrm{dpt}(n)\,k$ bits, where $k$ is the output size of the hash function $H$. It is easy to show that $\max_n \mathrm{dpt}(n) \le 2 \log m$ [BL98] and thus

Lemma 5.3 For any $n$, $|\mathrm{Cert}(n)| \le 4kM$.

For example, if $M = 40$ and $k = 160$ bits then $|\mathrm{Cert}(n)| \le 3200$ bytes.

By Lemma 5.1, if $m < n$ then $\mathrm{tail}(m)$ and $\mathrm{head}(n)$ have a common element $c$, which implies that $\mathrm{body}(m,n) \subseteq \mathrm{tail}(m) \cup \mathrm{head}(n)$ and thus, by Theorem 5.2, that $\mathrm{body}(m,n)$ is of logarithmic length. When $r(m) < r(n)$,
$$\mathrm{body}(m,n) = (m, \dots, \xi(r(m)), \dots, \xi(r(n)-1), \dots, n),$$
where the number of $\xi(j)$-s is logarithmic due to the fact that the time-stamps for rounds are linked together in a way similar to the linking of all time-stamps (Figure 13).

Figure 14: Time certificates in the case $G = T_5$ explained.

Example 2 Let us look at Figure 14. Here, the common element in $\mathrm{tail}(16)$ and $\mathrm{head}(28)$ is 22.

Corollary 5.4 Due to the similarity between the verification and the stamping procedure, for an arbitrary pair of stamped documents the number of steps executed (and therefore also the number of stamps examined) during a single run of the verification protocol is $O(\log n)$.

5.3 Proof of Theorem 5.2

In this section we prove an upper bound for the length of the time certificates for the linking scheme described in Sect. 5. Let $e_k = 2^k - 1$, i.e. $e_k$ is the number of the last vertex of $T_k$. To simplify the proof we add the vertex 0 to the scheme and link it with all the vertices $e_i$, $i \le k$. As previously, let $d(a, b)$ denote the length of the shortest path between $a$ and $b$. The equations $d(0, e_k) = 1$, $d(e_{k-1}, e_k) = 2$ and $e_k = e_{k-1} + e_{k-1} + 1$ follow immediately from the definition.

Lemma 5.5 If $0 \le a \le e_k \le b$ then $d(a, b) = d(a, e_k) + d(e_k, b)$. If $e_{k-1} < a < e_k$ then $d(a, e_k) = d(a, e_k - 1) + d(e_k - 1, e_k)$.

The claims above follow immediately from the structural properties of the linking

scheme.

Lemma 5.6 If $e_{k-1} \le a \le b < e_k$ then $d(a, b) = d(a - e_{k-1}, b - e_{k-1})$.

Proof. This follows from the construction of $T_k$ from the two copies of $T_{k-1}$. Here $a$ and $b$ are vertices in the second copy of $T_{k-1}$ (or the last vertex of the first copy), and $a - e_{k-1}$ and $b - e_{k-1}$ are the same vertices in the first copy of $T_{k-1}$ (or the vertex 0).

Lemma 5.7 If $0 \le a \le e_k$ then $d(0, a) \le k$.

Proof. Induction on $k$.

Base: $k = 1$. Then $a \in \{0, 1\}$ and $d(0, a) \le 1 = k$.

Step: $k > 1$. Observe the following cases:

If $0 \le a \le e_{k-1}$ then the induction assumption gives $d(0, a) \le k - 1 \le k$.

If $a = e_k$ then $d(0, a) = 1 \le k$.

If $e_{k-1} < a < e_k$ then $d(0, a) \le d(0, e_{k-1}) + d(e_{k-1}, a) = 1 + d(0, a - e_{k-1})$ by Lemma 5.6. Observe the following cases:

– $a = e_k - 1$. Then $d(0, a) \le 1 + d(0, a - e_{k-1}) = 1 + d(0, e_{k-1}) = 2 \le k$.

– $a < e_k - 1$. Then $d(0, a) \le 1 + d(0, a - e_{k-1}) \le 1 + (k - 1) = k$ by the induction assumption.

Lemma 5.8 If $0 < a \le e_k$ then $d(a, e_k) \le 2(k-1)$.

Proof. Induction on $k$.

Base: $k = 1$. Then $a = 1$ and $d(a, e_k) = d(1, 1) = 0 = 2(k-1)$.

Step: $k > 1$. Observe the following cases:

If $0 < a \le e_{k-1}$ then $d(a, e_k) = d(a, e_{k-1}) + d(e_{k-1}, e_k) \le 2(k-2) + 2 = 2(k-1)$ by the induction assumption.

If $e_{k-1} < a \le e_k$ then observe the following cases:

– $a = e_k$. Then $d(a, e_k) = 0 \le 2(k-1)$.

– $a < e_k$. Then $d(a, e_k) = d(a, e_k - 1) + d(e_k - 1, e_k) = d(a - e_{k-1}, e_{k-1}) + 1$ by Lemma 5.6. The induction assumption now gives $d(a, e_k) = d(a - e_{k-1}, e_{k-1}) + 1 \le 2(k-2) + 1 \le 2(k-1)$.

Proof. [Theorem 5.2] Induction on $k$.

Base: $k = 3$. In this case one can directly verify that $d(a, b) \le 4$.

Step: $k > 3$. Observe the following cases:

If $0 < a < b \le e_{k-1}$ then the induction assumption gives us $d(a, b) \le 3(k-1) - 5 \le 3k - 5$.

If $0 < a \le e_{k-1} < b \le e_k$ then $d(a, b) = d(a, e_{k-1}) + d(e_{k-1}, b) \le 2(k-2) + d(e_{k-1}, b)$ by Lemma 5.8. The following cases are possible:

– $b = e_k$. Then $d(e_{k-1}, b) = 2 \le k - 1$.

– $b = e_k - 1$. Then $d(e_{k-1}, b) = 1 \le k - 1$.

– $b < e_k - 1$. Then Lemmas 5.6 and 5.7 give $d(e_{k-1}, b) = d(0, b - e_{k-1}) \le k - 1$.

Thus $d(a, b) \le 2(k-2) + (k-1) = 3k - 5$.

If $e_{k-1} < a < b \le e_k$ then observe the following cases:

– $b = e_k$. Then $d(a, b) = d(a, e_k) \le 2(k-1) \le 3k - 5$ by Lemma 5.8.

– $b < e_k$. Then $d(a, b) = d(a - e_{k-1}, b - e_{k-1}) \le 3(k-1) - 5 \le 3k - 5$ by Lemma 5.6 and the induction assumption.

As $\lceil \log(b+1) \rceil = k$ iff $e_{k-1} + 1 \le b \le e_k$, we get $k \le \log b + 1$ and thus
$$d(a, b) \le 3 \log b - 2.$$


6 OPTIMAL GRAPHS

6.1 Optimal Anti-Monotone Schemes

By Lemma 5.1, if the underlying authentication graph $G$ is anti-monotone, then $\mathrm{tail}(m)$ and $\mathrm{head}(n)$ have an intersection point for every $m$ and $n$, $m < n$, that belong to the same round. Therefore, anti-monotone linking schemes guarantee that any two time certificates $\mathrm{Cert}(m)$ and $\mathrm{Cert}(n)$ together contain sufficient information for establishing a one-way relationship between $L_m$ and $L_n$.

Though, in the case of the AM schemes $T_n$ (Sect. 5.1), the certificate length $|\mathrm{Cert}(m)|$ is logarithmic in $|T_n|$, the size may still become significant if the rounds are large. Thus, it is also important to find tightly, not only asymptotically, optimal graphs.

As we know (cf page 36), the certificate length is intimately connected to the value $\mathrm{dpt}(G)$. Buldas and Laud [BL98] defined a new family $U_k$ of AM graphs that has the minimal value of $\mathrm{dpt}(G)$ over all AM graphs (and hence, minimal certificate lengths over all AM graphs), as follows.

Definition 8 Let $U_1 = (\{1\}, \emptyset)$ be the singleton graph. For $n > 1$, let $U_n$ be the anti-monotone composition (Figure 10) of $U_1$, $U_{n-1}$, $U_{n-1}$ and $U_{n-1}$, taken in this order.

The AM graph U4is represented by Figure 15.

Figure 15: The optimal anti-monotone scheme U4.

As it was shown in [BL98],
$$|U_n| = \frac{3^n - 1}{2}$$
and $\mathrm{dpt}(U_n) = 3(n-1)$. Hence,
$$\frac{\mathrm{dpt}(U_n)}{\log |U_n|} = \frac{3}{\log_2 3}\,(1 + o(1)).$$

On the other hand, it was also proven by Buldas and Laud that for any AM graph $G$, if $\mathrm{dpt}(G) \le m$, then $|G| \le 3^{m/3} \cdot O(1)$, and thus the family $U_n$ is a tightly optimal family of AM graphs.

6.2 Threaded Authentication Trees

Next we present a new construction of Buldas, Lipmaa and Schoenmakers [BLS99] that uses threaded authentication trees. When using Merkle's authentication tree of depth $d$, the length of a time certificate is $k(d+1)$. We will proceed by adding extra edges to the authentication tree such that the resulting graph will be simply connected, but without enlarging the certificates.

Let $V_d$ be the complete binary tree of depth $d$. We use the standard lexicographic enumeration of the vertices, representing the root by the empty string $\phi$, and the left and right predecessors of a vertex $v$ by $s0$ and $s1$, where $s$ is the string representing $v$. We define the threaded authentication tree $W_d$ as the authentication graph built from $V_d = (V, E)$ by

1. adding a new source vertex, whose label is the previous round stamp $R_{r-1}$, and, for each $s \in \{0,1\}^d$, an edge from it to $s$;

2. for each $s \in \{0,1\}^d$, adding a source vertex carrying the data item $H_s$ and a corresponding edge from it to $s$;

3. for each $s = s's''$ such that $s'1s'' \in \{0,1\}^d$, adding an edge $(s'0, s'1s'')$.

Figure 16: Threaded authentication tree of depth 3. The leaves $000, \dots, 111$ carry the data items $H_{000}, \dots, H_{111}$ and the labels $L_{000}, \dots, L_{111}$; the previous round stamp $R_{r-1}$ enters every leaf, and the root $L_\phi = H(L_0, L_1)$ is the round stamp $R_r$.


Example 3 (Figure 16) Let H_i, i ∈ {0,1}^3, be the documents stamped during the rth round. Then

L_head(2) = (R_{r−1}, L_00, H_010),
L_tail(2) = (L_011, L_1),
L_head(6) = (R_{r−1}, L_0, L_10, H_110),
L_tail(6) = (L_111),
L_010 = H(2, L_head(2)),
L_110 = H(6, L_head(6)),
L_n(G) = H(L_0, H(L_10, H(L_110, L_111))).

The union of Cert(2) and Cert(6) contains sufficient information to compute the one-way path

R_{r−1} → L_010 → L_01 = H(L_010, L_011) → L_0 → L_110 → L_11 = H(L_110, L_111) → L_1 = H(L_10, L_11) → R_r = H(L_0, L_1)

and verify its internal consistency.

Hence, while in the case of AM schemes the union of two time certificates contained the whole "proof" of one-way dependency, in the current case the proof itself is not contained in, but can still be computed from, the union. That is, intuitively, the main source of the redundancy in the AM schemes compared to the new scheme.
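The construction of W_d and the certificate check of Example 3, as an added Python illustration (not code from the thesis or from [BLS99]): SHA-256 stands in for the hash h, every leaf hashes the previous round's root R_{r−1} as in step 1 of the definition, the leaf index is hashed together with L_head(s) as in L_010 = H(2, L_head(2)), and the documents and R_{r−1} are constructed sample values. The verifier recomputes the one-way path from Cert(m) and Cert(n) against the published R_{r−1} and R_r rather than trusting the labels either certificate claims.

```python
import hashlib

PREV = "R_{r-1}"   # the extra vertex of W_d that carries the previous round's root

def H(*parts):
    """Collision-resistant hash of a tuple of byte-strings (SHA-256 stands in for h)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)   # length-prefix each part
    return h.digest()

def head_vertices(s):
    """Inputs of leaf s besides H_s: R_{r-1} (step 1) and the left sibling s'0 of every prefix s'1 (step 3)."""
    return [PREV] + [s[:i] + "0" for i, b in enumerate(s) if b == "1"]

def tail_vertices(s):
    """Right siblings on the root path of s, deepest first: s'1 for every prefix s'0."""
    return [s[:i] + "1" for i, b in enumerate(s) if b == "0"][::-1]

def stamp_round(docs, R_prev):
    """docs: leaf string s -> document hash H_s.  Returns every label L_v; L[''] is R_r."""
    L = {PREV: R_prev}
    for s in sorted(docs):               # time order == lexicographic order of the leaves
        L[s] = H(s.encode(), *[L[v] for v in head_vertices(s)], docs[s])  # L_s = H(s, L_head(s))
        p = s
        while p.endswith("1"):           # s is the right-most leaf of subtree p: close it
            p = p[:-1]
            L[p] = H(L[p + "0"], L[p + "1"])
    return L

def certificate(L, docs, s):
    """Cert(s): the index s plus the labels of head(s) (ending with H_s) and tail(s)."""
    return {"index": s, "head": [(v, L[v]) for v in head_vertices(s)] + [("H_" + s, docs[s])],
            "tail": [(v, L[v]) for v in tail_vertices(s)]}

def climb(s, value, labels, stop):
    """Recompute labels upward from vertex s (label `value`) until vertex `stop` is reached."""
    while s != stop:
        sib = labels[s[:-1] + ("1" if s[-1] == "0" else "0")]
        value = H(value, sib) if s[-1] == "0" else H(sib, value)
        s = s[:-1]
    return value

def leaf_label(c, lab):   # L_s = H(s, L_head(s)); H_s is the last head entry
    return H(c["index"].encode(), *[lab[v] for v in head_vertices(c["index"])], lab["H_" + c["index"]])

def verify_precedes(cert_m, cert_n, R_prev, R_r):
    """Was m stamped before n in round r?  Recompute L_m -> ... -> L_p0 -> L_n -> ... -> R_r."""
    m, n = cert_m["index"], cert_n["index"]
    lab_m, lab_n = dict(cert_m["head"] + cert_m["tail"]), dict(cert_n["head"] + cert_n["tail"])
    if len(m) != len(n) or m >= n or lab_m.get(PREV) != R_prev or lab_n.get(PREV) != R_prev:
        return False
    L_m = leaf_label(cert_m, lab_m)
    if climb(m, L_m, lab_m, "") != R_r:           # Cert(m) must itself be consistent with R_r
        return False
    i = next(i for i in range(len(m)) if m[i] != n[i])   # m lies under p0, n under p1
    if lab_n.get(m[:i] + "0") != climb(m, L_m, lab_m, m[:i] + "0"):  # thread edge (p0, n)
        return False
    return climb(n, leaf_label(cert_n, lab_n), lab_n, "") == R_r

# Constructed sample round of depth 3 (the shape of Figure 16 / Example 3).
DOCS = {format(i, "03b"): H(b"constructed document", format(i, "03b").encode()) for i in range(8)}
R_PREV = H(b"constructed root of round r-1")
def demo():
    L = stamp_round(DOCS, R_PREV)
    c2, c6 = certificate(L, DOCS, "010"), certificate(L, DOCS, "110")
    forged = dict(c6, head=c6["head"][:-1] + [("H_110", H(b"substituted document"))])
    return {"L": L, "cert2": c2, "2_before_6": verify_precedes(c2, c6, R_PREV, L[""]),
            "6_before_2": verify_precedes(c6, c2, R_PREV, L[""]),
            "forged_6": verify_precedes(c2, forged, R_PREV, L[""])}
```

Calling demo() shows that Cert(2) and Cert(6) together prove document 2 precedes document 6, while the reversed claim and a certificate with a substituted H_110 both fail against the published R_r.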

Threaded authentication trees are simply connected. Moreover, for any m n

Wd,m n d m n 2d1. Thus, the veriﬁcation can be done very efﬁciently.

Moreover, Cert m k 1 log Wdk,m. It will be proven in Sect. 6.3

that this is also the lower bound.

6.3 Optimality of Threaded Authentication Trees

Let

ap(G) := max_{v ∈ G} min_π ap(π),

where π ranges over the set of the root paths π = (m, …, n(G)) starting from v. Let h: {0,1}* → {0,1}^k. Then |Cert_m| = log|G| + k · min_π ap(π), and thus

max_m |Cert_m| = log|G| + k · ap(G).

Therefore, a tight lower bound for ap(G) gives as a result a tight lower bound for max_m |Cert_m|. Below we prove that for an acyclic digraph G with sink, ap(G) ≥ log|G| − 1. A concrete graph G achieving this bound was presented in Sect. 6.2.


Theorem 6.1 Let G be an acyclic digraph with sink. Then ap(G) ≥ log|G| − 1.

Proof. Let G be an acyclic digraph with sink. We show in several steps how to transform G by local modifications to a complete binary tree V_n, so that |V_n| ≥ |G| and ap(V_n) ≤ ap(G).

First step (eliminating fan-in f > 2). Replace any vertex with more than two in-coming edges with an (almost) balanced binary tree (Figure 17, 1). Let G_1 be the resulting graph. Trivially, |G_1| ≥ |G| and ap(G_1) ≤ ap(G).

Figure 17: Transforming G into the complete binary tree (panels 1–5 illustrate the five steps).

Second step (eliminating fan-outs f > 1). Every vertex with fan-out > 1 can be replicated (Figure 17, 2). We can repeat the procedure until we get a graph G_2 with no internal vertex having fan-out > 1. Trivially, |G_2| ≥ |G_1| and ap(G_2) ≤ ap(G_1).

Third step (replicating the sources). Every source with fan-out > 1 can just be replicated (Figure 17, 3). The resulting binary tree G_3 has |G_3| ≥ |G_2| and ap(G_3) ≤ ap(G_2).

Fourth step (making G_3 complete). Any internal vertex v ∈ V(G_3) with only one proper ancestor can be deleted (Figure 17, 4). Let the resulting graph be G_4. Trivially, |G_4| ≥ |G_3| and ap(G_4) ≤ ap(G_3).

Fifth step (balancing the tree). If G_4 is not yet a complete binary tree, there exists a source v ∈ V(G_4) so that d(v, n(G_4)) is less than the height of G_3. We proceed by adding two proper ancestors to the tree (Figure 17, 5). Let the resulting graph be G_5. Trivially, |G_5| ≥ |G_4| and ap(G_5) ≤ ap(G_4).

Thus for any graph G there exists a complete binary tree V_n such that |V_n| ≥ |G| and ap(V_n) ≤ ap(G). But |V_n| = 2^n and ap(V_n) = n − 1, thus for any graph G,

ap(G) ≥ ap(V_n) = log|V_n| − 1 ≥ log|G| − 1.


REFERENCES

[BdM91] Josh Benaloh and Michael de Mare. Efficient broadcast time-stamping. Technical Report 1, Clarkson University Department of Mathematics and Computer Science, August 1991.

[BHS92] Dave Bayer, Stuart A. Haber, and Wakefield Scott Stornetta. Improving the efficiency and reliability of digital time-stamping. In Sequences '91: Methods in Communication, Security, and Computer Science, pages 329–334. Springer-Verlag, 1992.

[BL98] Ahto Buldas and Peeter Laud. New linking schemes for digital time-stamping. In The 1st International Conference on Information Security and Cryptology, pages 3–14, 18–19 December 1998.

[BLLV98] Ahto Buldas, Peeter Laud, Helger Lipmaa, and Jan Villemson. Time-stamping with binary linking schemes. In Hugo Krawczyk, editor, Advances in Cryptology – CRYPTO '98, volume 1462 of Lecture Notes in Computer Science, pages 486–501, Santa Barbara, USA, August 1998. Springer-Verlag.

[BLS99] Ahto Buldas, Helger Lipmaa, and Berry Schoenmakers. Optimally efficient accountable time-stamping. Submitted, May 1999.

[BP97] Niko Barić and Birgit Pfitzmann. Collision-free accumulators and fail-stop signature schemes without trees. In Walter Fumy, editor, Advances in Cryptology – EUROCRYPT '97, volume 1233 of Lecture Notes in Computer Science, pages 480–494, Konstanz, Germany, May 1997. Springer-Verlag.

[BR93] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In Douglas R. Stinson, editor, Advances in Cryptology – CRYPTO '93, volume 773 of Lecture Notes in Computer Science, pages 232–249, Santa Barbara, USA, August 1993. Springer-Verlag.

[CS98] Ronald Cramer and Victor Shoup. Signature schemes based on the strong RSA assumption. Unpublished. Available from URL http://www.inf.ethz.ch/personal/cramer/, December 1998.

[DBP96] Hans Dobbertin, Antoon Bosselaers, and Bart Preneel. RIPEMD-160: A strengthened version of RIPEMD. In Dieter Gollmann, editor, Fast Software Encryption: Third International Workshop, volume 1039 of Lecture Notes in Computer Science, pages 71–82, Cambridge, UK, 21–23 February 1996. Springer-Verlag.

[DH76] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Trans. Inform. Theory, IT-22:644–654, November 1976.

[GHR99] Rosario Gennaro, Shai Halevi, and Tal Rabin. Secure hash-and-sign signatures without the random oracle. In Jacques Stern, editor, Advances in Cryptology – EUROCRYPT '99, volume 1592 of Lecture Notes in Computer Science, pages 123–139, Prague, Czech Republic, 2–6 May 1999. Springer-Verlag.

[GMR88] Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17:281–308, 1988.

[Haw88] Stephen W. Hawking. A Brief History of Time: From the Big Bang to Black Holes. Bantam Books, April 1988.

[HS90] Stuart Haber and W. Scott Stornetta. How to time-stamp a digital document. In A. J. Menezes and S. A. Vanstone, editors, Advances in Cryptology – CRYPTO '90, volume 537 of Lecture Notes in Computer Science, pages 437–455, 11–15 August 1990. Springer-Verlag, 1991.

[HS91] Stuart A. Haber and Wakefield Scott Stornetta. How to time-stamp a digital document. Journal of Cryptology, 3(2):99–111, 1991.

[HS97] Stuart A. Haber and Wakefield Scott Stornetta. Secure names for bit-strings. In Proceedings of the 4th ACM Conference on Computer and Communications Security, pages 28–35, April 1997.

[Jus98a] Michael K. Just. On the Temporal Authentication of Digital Data. PhD thesis, Carleton University, December 1998.

[Jus98b] Michael K. Just. Some timestamping protocol failures. In Symposium on Network and Distributed Systems Security. Internet Society, March 1998.

[Lip98] Helger Lipmaa. IDEA: A cipher for multimedia architectures? In Stafford Tavares and Henk Meijer, editors, Selected Areas in Cryptography '98, volume 1556 of Lecture Notes in Computer Science, pages 248–263, Kingston, Canada, 17–18 August 1998. Springer-Verlag.

[Lip99] Helger Lipmaa. Accumulated time-stamping made simple. Manuscript, April 1999.

[Mer80] R. C. Merkle. Protocols for public key cryptosystems. In Proceedings of the 1980 Symposium on Security and Privacy, April 14–16, 1980, Oakland, California. IEEE Computer Society Press, Silver Spring, MD, USA, 1980.

[MOV96] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996.

[MQ97] Henri Massias and Jean-Jacques Quisquater. Time and cryptography. Technical report, Université catholique de Louvain, March 1997. TIMESEC Technical Report WP1.

[NIS94] NIST. Announcement of weakness in the Secure Hash Standard (SHS). Technical report, May 1994.

[Pfi96] Birgit Pfitzmann. Digital Signature Schemes. Springer-Verlag, Berlin, Heidelberg, 1996.

[RSA78] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

[Sim98] Daniel R. Simon. Finding collisions on a one-way street: Can secure hash functions be based on general assumptions? In Kaisa Nyberg, editor, Advances in Cryptology – EUROCRYPT '98, volume 1403 of Lecture Notes in Computer Science, pages 334–345, Helsinki, Finland, June 1998. Springer-Verlag.

[Sur99] Surety Technologies, Inc. Digital Notary Service: Technical overview. Technical report, Surety Technologies, Inc., 1999.

INDEX

A, 20

algorithm

veriﬁcation, 20

APG, 14

ap G, 42

attack

adaptive chosen message, 13

Denial of Service, 23

reordering, 24

authentication

relative temporal, 20

temporal, 20

authentication tree

Merkle’s, 15

threaded, 41

authenticator, 14

body , 29

body , 29

Cert , 29

collision resistance, 13

computability, 14

consistency, 14

CRHF, 13

d, 15

all, 29

data item, 21

c, 29

Digital Notary, 30

digital signature, 13

p, 29

dpt , 15

r, 29

G G1Gs, 26

G1G2, 25

G1G2, 33

G, 33

graph

accumulated, 26

AM, 33

anti-monotone binary, 33

authentication, 14

dense, 15

directed acyclic, 14

simply connected, 14

graph composition, 25

generalized, 26

hash function

collision-resistant, 13

head , 29

head , 29

IDn, 17

ideal world, 25

r, 25

LN, 14

ΛM, 28

linking item, 21

linking scheme

linear, 17

n G , 14

nonce, 21

one-way dependency, 20

ordn, 35

preimage resistance, 13

protocol

audit, 20

stamp completion, 30, 31

stamp issuing, 30

stamping, 20, 30


rank, 26

real world, 25

reordering attack, 24

RIPEMD-160, 13

root, 14

round, 24, 25

RTA, 20

, 14

, 25

S, 20

scheme, 11

AM, 33

anti-monotone, 33

second preimage resistance, 13

SHA-1, 13

sigAM, 13

simulation paradigm, 25

sink, 14, 34

source, 34

stamp for round, 25

Strong RSA Assumption, 13

tail , 29

tail , 29

time certiﬁcate, 21, 29

time-stamping authority, 20

time-stamping system, 20

accountable, 23

TSA, 10, 16, 20

Un, 40

V, 20

Vd, 15, 41

Wd, 41

ξr, 25


SECURE AND EFFICIENT TIME-STAMPING SYSTEMS

Summary (Kokkuvõte)

In recent years computer networks have grown explosively. As a result, more and more documents that have direct or indirect legal value are also transmitted electronically. Unlike a paper document, an electronic document is not tied one-to-one to a storage medium, and so a document can be freely copied, modified or deleted. From the legislative point of view, the authenticity of documents plays a major role: the property of documents that binds a document to its creator. The cryptographic primitive that guarantees the authenticity of electronic documents is the digital signature: a procedure that securely associates a signature of the document with the document and a signing key. Unfortunately, a digital signature is not usable on its own, because there is no method for associating the signing key with the identity of the signer. Among other things, the signer may later claim that his key had been compromised at the moment of signing. Although standard methods exist for reporting key compromise (key revocation), methods are also needed that make it possible to state with certainty that the key revocation took place before the signing. The general cryptographic preliminaries are given in Chapter 1 of this dissertation.

Time-stamping is a collection of organizational and mathematical methods that enables relative temporal authentication, that is, determining which of two presented documents was time-stamped earlier. Given a secure and efficient time-stamping system, one can therefore prove that the key revocation took place before the signing. More generally: it is possible to prove that an electronic document existed before a given moment in time.

About ten years ago, all known time-stamping systems required the existence of a fully trusted third party (the time-stamping authority). Everything that party claimed was believed. In 1990, Haber and Stornetta showed that a fully trusted third party is not strictly necessary. The time-stamping system they invented was based on so-called linking schemes, in which a time stamp issued later is "one-way" dependent on all previously issued time stamps. The Haber-Stornetta scheme has later been made both more secure and more efficient. An overview of the older linking schemes is given in Chapter 2 of the dissertation.

A new breakthrough came in 1998, when Buldas, Laud, Lipmaa and Villemson, in the paper "Time-Stamping with Binary Linking Schemes", for the first time drew attention to the security requirements of a time-stamping system used for legal purposes. In such a system it must be possible to detect errors made by the time-stamping server and to prove them to third parties. It was shown that the earlier time-stamping systems do not allow such proofs (i.e., certificates) to be presented efficiently. A new time-stamping system satisfying these conditions, based on so-called binary linking schemes, was proposed. Chapter 3 of the dissertation treats the requirements placed on time-stamping systems. Chapter 4 describes a time-stamping system satisfying these requirements. Further, Chapter 5 shows how the presented time-stamping system can be made efficient.

The proposed system has since been refined. At the end of 1998, Buldas and Laud formalized the anti-monotonicity property required of binary linking schemes and presented an anti-monotone scheme with minimal certificate length. In 1999, Buldas, Lipmaa and Schoenmakers showed that the anti-monotonicity condition is unnecessary and presented a new system that is optimal in the general case. Chapter 6 first briefly treats the Buldas-Laud scheme and then focuses on the Buldas-Lipmaa-Schoenmakers scheme.

ACKNOWLEDGEMENTS

Your presence is a present in my life.

I would like to thank my coauthor and friend Ahto Buldas for being thoughtful and for a very big number (which is hopefully prime) of discussions. His influence has been profound; I hope this influence has been mutual. Additionally, I will always remember our chess matches in various pubs around the world.

I am very thankful to most of my colleagues in Küberneetika AS. Here I will only name Monika Oit. A "thank you" goes to my coauthors, Peeter Laud and Jan Villemson, for being creative, but also for being good friends. The same words go for Berry Schoenmakers. I hope he will have more chances to visit our beautiful country. I would like to thank my advisor Mati Tombak for giving me the freedom to choose my own area of research. It seems that my choice was correct. He has always been very supportive and patient. Many thanks go to Stuart Haber. Although he is almost always busy, discussions with him have helped us to understand time-stamping.

At last, I would like to thank the people whom I love or whom I have loved for their presence in my life. You know who you are.

CURRICULUM VITAE

Helger Lipmaa

Citizenship: Estonian Republic.
Born: April 8, 1972, Pärnu, Estonia.
Marital status: single.
Address: Sauga alevik 27-5, Pärnu maakond, 80043 Estonia, phone: (37 2) 6654241, e-mail: helger@cyber.ee

Education

1979–1987 Pärnu Ülejõe Gümnaasium.
1987–1990 Pärnu Koidula Gümnaasium.
1990–1999 Faculty of Mathematics, University of Tartu.

Special Courses

1994 — DAIMI, Århus University
1996 — DAIMI, Århus University
1997 — New Trends in Computer Science and Information Technology, Palmse
1997 — School on Natural Computation, Turku
1998 — Parallel and Quantum Computation, Palmse, Estonia
1998 — Summer School in Cryptography and Data Security, Århus, Denmark
1999 — Fourth Estonian Winter School in Computer Science, Palmse, Estonia.

Professional employment

1995–1995 Junior researcher at Institute of Computer Science, University of Tartu.
1995–1996 Senior assistant at Institute of Computer Science, University of Tartu.
1996–1997 Junior researcher at Institute of Cybernetics, Tallinn.
1997–1999 Senior research engineer at Küberneetika AS, Tallinn.

Scientific work

Coauthor of books "Infosüsteemide turve I. Turvarisk" (1997) and "Infosüsteemide turve II. Turbetehnoloogia" (1998). Main papers: "IDEA: An Architecture for Multimedia Architectures?" (1998), "Time-Stamping with Binary Linking Schemes" (1998). Invited presentations: Information Security Training Seminar of Institute of Cybernetics (1996), Information Security Training Seminar of Küberneetika AS (1997), Autumn School of Young Physicists (1998). Has published surveys in quantum computation and cryptography.

CURRICULUM VITAE (Estonian version)

Helger Lipmaa

Citizenship: Republic of Estonia.
Date and place of birth: 8 April 1972, Pärnu, Estonia.
Marital status: single.
Address: Sauga alevik 27-5, Pärnu maakond, 80043 Estonia, phone: (2) 6654241, e-mail: helger@cyber.ee

Education

1979–1987 Pärnu Ülejõe Gümnaasium.
1987–1990 Pärnu Koidula Gümnaasium.
1990–1999 Faculty of Mathematics, University of Tartu.

Professional training

1994 — DAIMI, Århus University
1996 — DAIMI, Århus University
1997 — New Trends in Computer Science and Information Technology, Palmse
1997 — School on Natural Computation, Turku
1998 — Parallel and Quantum Computation, Palmse
1998 — Summer School in Cryptography and Data Security, Aarhus, Denmark
1999 — Fourth Estonian Winter School in Computer Science, Palmse.

Professional employment

1995–1995 junior researcher, Institute of Computer Science, University of Tartu.
1995–1996 senior assistant, Institute of Computer Science, University of Tartu.
1996–1997 junior researcher, Institute of Cybernetics, Tallinn.
1997–1999 senior researcher, Küberneetika AS, Tallinn.

Scientific work

Coauthor of the books "Infosüsteemide turve I. Turvarisk" (1997) and "Infosüsteemide turve II. Turbetehnoloogia" (1998). Main papers: "IDEA: An Architecture for Multimedia Architectures?" (1998), "Time-Stamping with Binary Linking Schemes" (1998). Invited talks: information security seminar of the Institute of Cybernetics (1996), information security seminar of Küberneetika AS (1997), Autumn School of Young Physicists (1998). Has published survey articles on quantum computers and cryptography.

DISSERTATIONES MATHEMATICAE UNIVERSITATIS TARTUENSIS

1. Mati Heinloo. The design of nonhomogeneous spherical vessels, cylindrical tubes and circular discs. Tartu, 1991. 23 p.
2. Boris Komrakov. Primitive actions and the Sophus Lie problem. Tartu, 1991. 14 p.
3. Jaak Heinloo. Phenomenological (continuum) theory of turbulence. Tartu, 1992. 47 p.
4. Ants Tauts. Infinite formulae in intuitionistic logic of higher order. Tartu, 1992. 15 p.
5. Tarmo Soomere. Kinetic theory of Rossby waves. Tartu, 1992. 32 p.
6. Jüri Majak. Optimization of plastic axisymmetric plates and shells in the case of Von Mises yield condition. Tartu, 1992. 32 p.
7. Ants Aasma. Matrix transformations of summability and absolute summability fields of matrix methods. Tartu, 1993. 32 p.
8. Helle Hein. Optimization of plastic axisymmetric plates and shells with piece-wise constant thickness. Tartu, 1993. 28 p.
9. Toomas Kiho. Study of optimality of iterated Lavrentiev method and its generalizations. Tartu, 1994. 23 p.
10. Arne Kokk. Joint spectral theory and extension of non-trivial multiplicative linear functionals. Tartu, 1995. 165 p.
11. Toomas Lepikult. Automated calculation of dynamically loaded rigid-plastic structures. Tartu, 1995. 93 p. (in Russian)
12. Sander Hannus. Parametrical optimization of the plastic cylindrical shells by taking into account geometrical and physical nonlinearities. Tartu, 1995. 74 p. (in Russian)
13. Sergei Tupailo. Hilbert's epsilon-symbol in predicative subsystems of analysis. Tartu, 1996. 134 p.
14. Enno Saks. Analysis and optimization of elastic-plastic shafts in torsion. Tartu, 1996. 96 p.
15. Valdis Laan. Pullbacks and flatness properties of acts. Tartu, 1999. 90 p.
16. Märt Põldvere. Subspaces of Banach spaces having Phelps' uniqueness property. Tartu, 1999. 74 p.
17. Jelena Ausekle. Compactness of operators in Lorentz and Orlicz sequence spaces. Tartu, 1999. 72 p.
18. Krista Fischer. Structural mean models for analyzing the effects of compliance in clinical trials. Tartu, 1999. 125 p.