Conference PaperPDF Available

Optimally Efficient Accountable Time-Stamping

Authors:

Abstract and Figures

Efficient secure time-stamping schemes employ a 2-level approach in which the time-stamping service operates in rounds. We say that a time-stamping service is accountable if if it makes the TSA and other authorities accountable for their actions by enabling a principal to detect and later prove to a judge any frauds, including attempts to reorder time-stamps from the same round. We investigate the paradigm of time-stamping services based on simply connected graphs, and propose a simple, yet optimal, accountable time-stamping service, using what we call threaded tree schemes. We improve upon the previously best scheme by Buldas and Laud by reducing the size of a time stamp by a factor of about 3.786 and show that our construction is optimal in a strict sense. The new protocols also increase the trustworthiness of the publication process, which takes place at the end of each round.
Content may be subject to copyright.
In proceedings of PKC2000, Vol. 1751 of Lecture Notes in Computer Science, Springer-Verlag, 2000. pp. 293-305.
Optimally Efficient Accountable Time-Stamping
Ahto Buldas
?1
, Helger Lipmaa
?1
, and Berry Schoenmakers
??2
1
K¨uberneetika AS, Akadeemia tee 21, 12618 Tallinn, Estonia
{ahtbu,helger}@cyber.ee
2
Dept. of Mathematics and Computing Science, Eindhoven University of
Technology, P.O. Box 513, 5600 MB Eindhoven, The Netherlands
berry@win.tue.nl
Abstract. Efficient secure time-stamping schemes employ a 2-level ap-
proach in which the time-stamping service operates in rounds. We say
that a time-stamping service is accountable if if it makes the TSA and
other authorities accountable for their actions by enabling a principal to
detect and later prove to a judge any frauds, including attempts to re-
order time-stamps from the same round. We investigate the paradigm of
time-stamping services based on simply connected graphs, and propose
a simple, yet optimal, accountable time-stamping service, using what we
call threaded tree schemes. We improve upon the previously best scheme
by Buldas and Laud by reducing the size of a time stamp by a factor of
about 3.786 and show that our construction is optimal in a strict sense.
The new protocols also increase the trustworthiness of the publication
process, which takes place at the end of each round.
1 Introduction
A time-stamping service is a collection of protocols providing long-term authen-
tication of digital documents together with the moment in time at which they
were submitted for authentication. Time-stamping is expected to become an in-
tegral part of the legal framework for digital documents, as it enables one to
prove in court that a document existed at some given point in time. In addition,
time-stamping helps to significantly lower the level of trust currently required
of a public-key infrastructure by making it possible to prove that a document
was signed before the revocation act of the corresponding signature key was
stamped. As such, one will frequently depend on time-stamping to resolve the
status of documents and corresponding signature keys, which motivates the need
for a clear understanding of the security and efficiency requirements of time-
stamping.
In the context of time-stamping it is common to regard time as a relative
notion. We say that a (time-)stamping service provides relative temporal authen-
tication if one is able to decide which stamp has been issued first for each pair
of time-stamps. Following Haber and Stornetta [HS90,HS91], a cryptographic
way to achieve such a relative order for the documents is to create dependencies
?
Supported partially by Estonian Science Foundation grant 3742.
??
Part of this work was done while visiting K¨uberneetika AS.
between the time certificates attached to the documents, where later certificates
are obtained by applying a collision-resistant function to earlier ones. A short
description of the existing time-stamping schemes is given in Section 3.
We consider time-stamping services that operate in rounds, where clients
will issue requests to a central time-stamping authority (TSA) which in turn
hands over the cumulative round stamp to the publication authority (PA) so the
latter may publish it. In order that the time-stamps are meaningful in court, it
is required that one is able to actually prove that a relative temporal ordering
holds for any pair of time-stamps (even for time-stamps from the same round),
or to prove that an authority deviated from the protocols (be it accidentally
or intentionally). It is important to note that no single player in the scheme
(including the TSA and PA) is required to store all of the time stamps for the
rounds in which it takes part.
A time-stamping service is accountable, if it makes the TSA and other au-
thorities accountable for their actions by enabling a principal to detect and later
prove to a judge any frauds, including attempts to reorder time-stamps from the
same round. Moreover, if a honest party followed the protocol but is still accused
of forgeries, she can explicitly disavow any false accusations. Section 4 addresses
the security objectives in more depth, where we will rely on notions such as
simply connected graphs and authentication graphs, which are introduced in
Section 2.
In Sections 5–7 we present our main contributions. In Section 5 we introduce
a notion of general φ-schemes, based on simply connected graphs. In particu-
lar, we define two instances of it: anti-monotone schemes [BLLV98,BL98], and
our threaded tree schemes. We show that while the latter scheme is not anti-
monotone it satisfies the same security objectives as achieved by anti-monotone
schemes. The important difference is that the size of the time certificates be-
comes approximately 3.786 times shorter than for the optimal anti-monotone
schemes of [BL98], and overall the scheme also becomes simpler.
Section 6 presents an optimized set of time-stamping protocols using simply
connected graphs. As a novel feature, we present a publication protocol, in addi-
tion to the stamping protocol and the stamp completion protocol as described for
other time-stamping services. Finally, in Section 7, we prove that under general
assumptions our scheme based on threaded tree schemes is tightly optimal (i.e.,
optimality is not just asymptotic).
2 Preliminaries
2.1 Cryptographic Primitives
The basic cryptographic tools used in a time-stamping service are hash functions
and digital signatures. We let h : {0, 1}
{0, 1}
k
denote some fixed collision-
resistant hash function, where k is a security parameter. Furthermore, we let
sig
A
(M) denote A’s signature on message M. Since during stamping protocols
the principals must sign arbitrary data, we require the signature scheme to be
existentially unforgeable against adaptive chosen message attack.
2
2.2 Authentication Graphs
Let G = (V, E) be a directed acyclic graph such that V = {1, 2, . . . , |V |} and
v < w whenever (v, w) E, i.e., the vertices of G are topologically sorted (since
G is a directed acyclic graph, such a numbering always exists). For any W V
we define E(W ) = {v : (w W )(w, v) E} and E
1
(W ) = {v : (w
W )(v, w) E}. We assume that v = |V | is the unique vertex with E({v}) = ,
which we call the root of G. Finally, we let S(G) = {v V : E
1
({v}) = ∅} be
the set of source vertices of G.
Graph G is called simply connected if there is a directed path between each
pair of vertices v and w (going either from v to w or from w to v). For topologi-
cally sorted G it is equivalent to state that (v, v + 1) E for all v, 1 v < |V |.
For each pair v < w of vertices of a simply connected graph G we define the
distance d(v, w) as the length of the shortest path from v to w.
We say that U V is computable from W V if either (1) U W or
(2) U S(G) W and E
1
(U \ W ) is computable from W . For any subset
W V \ S(G), we say that the set A
G
(W ) = E
1
(W ) \ W is the authenticator
of W . Clearly, W is computable from A
G
(W ).
Recall that h denotes a collision-resistant hash function. As a generalization
of Merkle’s authentication trees [Mer80], we introduce authentication graphs G as
labeled directed acyclic graphs with the labels assigned in the following manner.
Each source v of G is labeled by L
v
= H
v
, where H
v
is a given string (data
element) specific to source v. The label of a non-source vertex v is computed
as a function of the labels of its predecessors: L
v
= h(L
E
1
(v)
). Here L
S
=
(L
v
1
, . . . , L
v
k
), where v
1
, . . . , v
k
are the elements of S in strictly increasing order.
We often identify the labels of an authentication graph with its vertices and say
that a vertex is computed from its predecessors rather than the label of a vertex
is computed from the labels of its predecessors.
3 State of the Art
Modern time-stamping services provide relative temporal authentication, where
one verifies the relative order of stamp issuing, given any two time stamps. In all
such schemes the time certificate of a later issued stamp is dependent on earlier
stamps (a paradigm first proposed in [HS90]).
Most of the proposed schemes are built upon authentication graphs. Linear
linking schemes [HS90] use a chain as the underlying graph. This solution is
clearly impractical, since certificate length increases linear with the number of
stamps issued so far. In the worst case, verification of a single time certificate
takes as much time as it takes the TSA to compute the stamps for all documents
issued so far.
Tree schemes [BdM91,BHS92] (using a tree as the underlying graph) were
motivated by the desire to minimize the storage and communication require-
ments. Since trees are not simply connected, this type of schemes do not provide
relative temporal authentication within rounds. To overcome this, the stamping
3
procedure was divided into rounds, so that the cumulative round stamp of every
round was published in an authenticated medium. Additionally, the duration of
rounds was assumed to be small enough to think about the stamping requests
submitted during the same round as simultaneous. Unfortunately, bounding the
round lengths reduces the compression effect.
Anti-monotone schemes [BLLV98,BL98] combine the simply connectedness
of linear schemes and efficiency of tree schemes, therefore sharing the best fea-
tures of these schemes. Anti-monotonicity makes the schemes slightly less ef-
ficient (and also, more difficult to understand and implement) than the tree
schemes.
Accumulator schemes [BdM93] (the only known viable alternative to the
graph based schemes) further reduce the storage requirements, by introducing
a trapdoor into the scheme. However, accumulator schemes share all drawbacks
of tree schemes. They have also another principal weakness: one has to trust
the coalition of parties who generated the trapdoor information. Hence, usage
of such schemes would directly violate the objective of reducing trust in stamp-
ing services. To date, there is no known efficient construction of trapdoorless
accumulators (see [San99] for recent work in this area).
4 Time-Stamping Objectives
A stamping service consists of a set of principals with the time-stamping au-
thority (TSA) and the publication authority (PA) together with a quadruple
(S, C, V, P ) of protocols. The stamping protocol S is used by a participant to
hand over a message to the TSA for time-stamping. During the stamp com-
pletion protocol C a participant obtains a time certificate from the TSA. The
verification algorithm V is used by a principal having two time certificates to
verify the temporal order of the corresponding stamping events. The publication
protocol P is used by a TSA to handle the round stamp (short fingerprint of the
round) to the PA who will publish it on some authenticated and easily accessible
medium.
We say a time-stamping service is accountable if the next two properties hold
whenever there is at least one uncorrupted party (say, one honest client inter-
ested in legal value of a particular time stamp) during the creation of stamped
information:
Fraud detection. The service makes the trusted third parties accountable for
their actions by enabling a principal to detect and later prove to a judge any
frauds affecting the relative ordering between time-stamps.
Anti-framing. If a party has honestly followed the protocol but is still accused
in forgeries, she can explicitly disavow any false accusations.
One of the crucial requirements of an accountable time-stamping service is
to withstand reordering attacks, where the TSA assigns an earlier stamp to
a document submitted later than another document, i.e., they should provide
relative temporal authentication. While network latency makes it impossible to
4
detect microscale reordering attacks, it should be intractable for the stamping
service to forge the order of time stamps for documents submitted in significantly
different time moments. An ideal time-stamping service should provide relative
temporal authentication between any pair of documents.
Simple time-stamping services (like hash-and-sign and simple tree schemes)
not ensuring relative ordering of time stamps within rounds are highly vul-
nerable to reordering attacks. However, these attacks can partially be elimi-
nated by using the stamping protocols defined in [BLLV98], where directly after
the vth stamping request H
v
the TSA returns a signed receipt on some value
L
v
= h(H
1
, . . . , H
v
) to the client, where h is a collision-resistant hash function
(informally, we say then that L
v
is (one-way) dependent on H
i
, i = 1, . . . , v).
If L
v
is additionally dependent on L
i
, 1 i < v, the client can use TSA’s
signatures on the values L
v
to prove any frauds.
Unfortunately, this methodology helps only until TSA’s signature can be
trusted (in the worst case, only until the end of the current round). If all L
v
were not authenticated by the round stamp, there would be no way to detect
the frauds after TSA’s key becomes invalid. Hence, a time-stamping service is
accountable only if the round stamp authenticates all the values L
v
, where every
L
v
is dependent on L
v1
. Moreover, every L
v
should be dependent on the round
stamp of the previous round. The resulting structure can be seen as a dependency
graph that has the round stamp as a label of its root and as a subgraph a simply
connected graph with vertices labeled by values L
v
, where the edges correspond
to applying a collision-resistant hash function, and the sources correspond to the
data elements H
v
. For efficiency we assume that each L
v
is a k-bit output of a
fixed hash function h. We additionally assume that L
1
is equal to the stamp for
the previous round, since the rounds have to be connected. A time certificate
has to contain sufficient data to prove that the mentioned dependencies hold.
We shall make these informal notions precise in the next sections.
It is important to realize what time-stamping does and what it does not.
For example, there is a type of reordering attack that is often used as an argu-
ment against linking schemes. Let H
1
, . . . , H
n
be the stamping requests during
a round. Before “officially” closing the round, the TSA may issue additional
time stamps for H
n
, H
n1
, . . . , H
1
in reverse order. After that the TSA is able,
for any pair of stamps of H
i
and H
j
, to present proofs for the statements H
i
was stamped before H
j
and H
j
was stamped before H
i
”. It may seem, there-
fore, that using linking schemes and signed receipts does not give any advantage
compared to simple hash-and-sign scheme.
The following example shows a weakness in this argument (cf. [BLLV98,
Section 3.1]). First, a client requests a stamp L
n
of a nonce from the TSA.
Subsequently, she stamps her signature σ on the actual document X and L
n
.
The TSA may then issue additional stamps for X and σ. However, no one is able
to back-date new documents relative to σ without cooperating with the signer.
Note that this attack is hard to prevent if the underlying graph is not simply
connected, and that usually the TSA is trusted not to mount such an attack.
5
5 Schemes Based on Simply Connected Graphs
5.1 General Construction
The first efficient accountable time-stamping service proposed in [BLLV98]is
based on anti-monotone schemes. Briefly, the intuition behind this scheme is to
define the time certificates in such a way that for any v and w, v < w, the union
of the vth and wth time certificates contains set-theoretically a dependent path
between the corresponding stamps L
v
and L
w
. In what follows we show that
up to 3.786 times shorter certificates can be achieved if we instead assume that
said union contains only information sufficient to compute this path. For this
we shall define a general framework that includes in particular anti-monotone
schemes and the new optimal threaded authentication schemes.
Let G = (V, E) be a rooted simply connected graph with a single source. Let
φ : V {red, black} be an arbitrary function, such that φ(1) = red. We regard
φ as a red/black-coloring of G. The φ-scheme [[G]]
φ
is constructed from G by
adding individual data elements, that is, a new vertex v
φ
and an edge (v
φ
, v), to
every black vertex v. Then we say that v
φ
is a data element connected to vertex
φ. We say that P : V 2
V
is a pass-through function if it maps an arbitrary
vertex v to a path (w, . . . , v, . . . , |V |), such that (1, w) E.
Definition 1. Let [[G]]
φ
be a φ-scheme, where G = (V, E), and let P : V 2
V
be a pass-through function. Now, let v V be a black vertex. We define head(v)
to be the set of vertices in A
[[G]]
φ
(P(v)) that can be computed from the set of data
elements connected to black vertices w v, and we set tail(v) = A
[[G]]
φ
(P(v)) \
head(v). The time certificate Cert(v) of a source v S([[G]]
φ
) is defined as
Cert(v) = (v, L
head(v)
, L
tail(v)
).
Recall that every source v of an authentication graph G corresponds to some
string H
v
. Intuitively, Cert(v) consists of the minimal amount of data necessary
to verify whether v lies on a path between 1 (for which the label is equal to the
last round stamp) and |V | (for which the label is equal to the current round
stamp). If v is represented by k bits then |Cert(v)| = k(|A
[[G]]
φ
(P(v))| + 1).
Jumping ahead a little, in the time-stamping protocols head(v) corresponds
to the maximum subset of A
[[G]]
φ
(P(v)) that the stamping authority knows di-
rectly after stamping the vth element and tail(v) corresponds to the remainder
of the authenticator. Since L
head(v)
is dependent on all data elements issued thus
far, by returning his signature on L
head(v)
(or on some value that is one-way de-
pendent on L
head(v)
) to a client directly after issuing the vth stamp, the stamping
authority commits himself to all data elements stamped before the vth element.
Transmission of the certificate to a client at the end of the round commits the
authority to every data element of this round even if the authority’s signing key
gets compromised later on. (The time-stamping protocols are given in Section 6.)
5.2 Anti-Monotone Schemes
Next we show that even if using exactly the same base graphs as in [BLLV98]
one can get a significant improvement over their solution. A simply connected
6
1 2
3
5
6
7
3
3
φ
21
2
φ
4
φ
6
φ
5
φ
5
6
7
φ
7
4 4
[[G]]
φ
G
Fig. 1. Construction of [[G]]
φ
for anti-monotone G.
graph G = (V, E) is anti-monotone if the in-degree of each vertex is at most 2,
and if for all (v
1
, w
1
), (v
2
, w
2
) E we have that v
1
< w
2
< w
1
implies v
1
v
2
.
Let φ : V {red, black} be such that φ(v) = black iff v 6= 1. The anti-monotone
φ-scheme [[G]]
φ
is a φ-scheme constructed from anti-monotone graph G.
As shown in [BLLV98], in this case tail(v) head(w) is nonempty for any
v < w. Since Cert(v) (respectively Cert(w)) contains by definition information
necessary to compute all the elements in L
tail(v)
(respectively in L
head(w)
), then
for any u tail(v) head(w), the union of Cert(v) and Cert(w) contains sufficient
information to verify that L
u
is dependent on L
v
and L
w
is dependent on L
u
.
Let d
pt
(G) = max
vV
(d(1, v) + d(v, |V |)). Buldas and Laud proved in [BL98]
that for any anti-monotone graph G, d
pt
(G) 1.893 log
2
|S(G)| + O(1). Using
the φ-scheme [[G]]
φ
we get that the length of a certificate Cert(v) is equal to
log
2
|S(G)|+ |head(v)| + |tail(v)|, and hence, max
v
|Cert(v)| (k + o(1)) · d
pt
(G).
However, the binary linking schemes of [BLLV98,BL98] used redundant certifi-
cates such that max
v
|Cert(v)| (2k + o(1)) · d
pt
(G) and hence casting the prob-
lem in a more general view has helped to reduce the length of the certificates by
a factor of two.
5.3 Threaded Authentication Trees
The security of the last construction depends only on the property that there
is a vertex u that can be computed from the union of Cert(v) and Cert(w). As
such element always exists (take the root), the anti-monotonicity property is not
necessary for the stamping service to be accountable. Below we present a new
construction based on threaded authentication trees. Optimality of this scheme
in the general case will be proven later.
For Merkle’s authentication tree T
d
of depth d, the certificate length for a
vertex v is k(d + 2), where k is the size of the outputs of hash function h.
In their stamping system, Benaloh and de Mare [BdM93] added a new vertex
1 with edges (1, w), for any w S(T
d
), to Merkle’s authentication tree. The
resulting graph has certificate length k(d + 3), and the vth certificate contains
dependency from R
r1
to L
v
to R
r
. We will proceed further by adding edges
to the Benaloh-de Mare scheme in such a way that the resulting graph will be
7
2 3 4 5 6 7 8 9
10 11 12 13
14 15
16
3
φ
4
φ
5
φ
6
φ
7
φ
8
φ
9
φ
2
φ
1
Fig. 2. Threaded tree scheme [[W
3
]]
φ
.
simply connected, but without enlarging the certificates. The method presented
below is not unique in this respect, but has the advantage that it permits an
efficient implementation.
Let T
d
= (V, E) be the complete binary tree of depth d. We number the
vertices of T
d
level by level, starting at the lowest level (at depth d) and from
left to right so that the leaves get numbers 2, . . . , 2
d
+ 1, and the root gets
number |V | = 2
d+1
. Let φ : V {red, black} color the sources of T
d
(i.e.,
vertices 2 v 2
d
+ 1) black and inner nodes red.
We define the threaded authentication tree W
d
as the graph built from T
d
by
applying the next two steps:
1. for each v S(T
d
) consider the unique root path P(v) starting from v
and add an edge (w, v) for each left child w of a vertex on P(v) provided
w 6∈ P(v), and
2. add a vertex 1 and, for each v S(T
d
), add an edge (1, v). Vertex 1 is labeled
by L
1
= R
r1
, where r is number of the current round. We color 1 red, since
it corresponds to a data element.
Note that the set of vertices w for which the edge (w, v) was added in the
step 1 is equal to head(v). We define the dth threaded tree scheme to be the φ-
scheme [[W
d
]]
φ
. Clearly, a threaded authentication tree W
d
is simply connected
(consider a postorder traversal of the binary tree T
d
), but it is not anti-monotone.
As an example, consider the threaded tree scheme [[W
3
]]
φ
of Figure 2. Graph
W
3
is simply connected because it contains the postorder traversal 2310
4 5 11 14 6 7 12 8 9 13 15 16 as a directed path. Then
head(4) = (1, 4
φ
, 10), tail(4) = (5, 15), head(8) = (1, 8
φ
, 12, 14), tail(8) = (9),
Cert(4) = (4; L
1
, L
4
φ
, L
10
; L
5
, L
15
) and Cert(8) = (8; L
1
, L
8
φ
, L
12
, L
14
; L
9
). The
set Cert(4) Cert(8) contains sufficient information to first compute and then
verify the following path from R
r1
to L
4
to L
8
to R
r
, where r is the number
8
INPUT: (C, L
v
, R
r1
, R
r
, H
v
), where C = (v, χ, τ ), χ = (χ
1
, . . . , χ
m
), τ = (τ
1
, . . . , τ
n
).
Reject if χ
1
6= R
r1
or χ
2
6= H
v
or τ
n
6= R
r
.
Reject if L
v
6= h(χ).
` := L
v
, p := 1; q := 3.
For i := 0 to log
2
v do:
if (v 1) & 2
i
= 0 then ` := h(`, τ
p
); p := p + 1 else ` := h(χ
q
, `); q := q + 1.
Reject if ` 6= R
r
. Otherwise accept.
Fig. 3. Certificate verification algorithm VfyCert for threaded tree schemes.
of the current round:
R
r1
= L
1
| {z }
head(4)head(8)
L
4
= h(R
r1
, L
4
φ
, L
10
| {z }
head(4)
) L
11
= h(L
4
, L
5
|{z}
tail(4)
)
L
14
= h( L
10
|{z}
head(4)
, L
11
) L
8
= h(R
r1
, L
8
φ
, L
12
, L
14
| {z }
head(8)
)
L
13
= h(L
8
, L
9
|{z}
tail(8)
) L
15
= h( L
12
|{z}
head(8)
, L
13
) L
16
= h( L
14
|{z}
head(8)
, L
15
|{z}
tail(4)
) = R
r
.
Certificate verification algorithm VfyCert (which is used in the verification algo-
rithm) is shown in Figure 3.
For any vertices v, w W
d
, v w d(v, w) 2d 1. Thus, the verification
can be done very efficiently, and |Cert(v)| = k(d + 3), for all v. It will be proven
in Section 7 that this is also the lower bound. While in the case of schemes
used in [BLLV98,BL98], the union of two time certificates contained the whole
“proof of dependency, in the current case the proof itself is not contained in,
but can still be computed from the union. That is, intuitively, the main source
of the redundancy in the anti-monotone schemes compared to the new scheme.
We think that this result is interesting in its own right in graph theory.
6 Protocols
As mentioned in Section 4, protocols are crucial for the overall security of a
time-stamping service. In this section we briefly describe the three protocols con-
stituting our time-stamping service. The stamping protocol and the stamp com-
pletion protocol are improvements over the protocols of [BLLV98, Section 4.2],
using threaded authentication trees. The publication protocol is an additional
protocol required in our model of time-stamping. See Figure 4 for an overview
of the protocols. We assume the base graph G and the functions P and φ to be
fixed.
The following algorithm is used in the stamping protocols to verify whether
v
1
, v
2
S([[G]]
φ
) and v
1
< v
2
(i.e., whether the corresponding documents H
v
1
and H
v
2
were stamped during the same round and further that H
v
1
was stamped
before H
v
2
was). Note that the algorithm proposed in [BLLV98] included an
unnecessary checking whether tail(v
1
) head(v
2
) 6= as a separate step.
9
(v, L
v
, sig
TSA
(v, L
v
))
TSATSAA PA A TSA
H
v
(c
r
, sig
TSA
(c
r
))
(c
r
, sig
PA
(c
r
, sig
TSA
(c
r
))) (Cert(v), sig
TSA
(Cert(v)))
v
a) Stamping protocol. b) Publication protocol c) Stamp completion protocol.
Fig. 4. Protocols of a time-stamping service.
Verification Algorithm. Let C = (v, L
χ
, L
τ
), where v is a non-source vertex
and χ and τ are paths in [[G]]
φ
, such that v is computable from χ and |V | is
computable from τ. Let VfyCert(C, L
v
, L
|V |
) be a function that accepts iff χ is
authenticator of some path from 1
φ
to v and τ is authenticator of some path
from v
φ
to |V |, and the value of a candidate v computed from the values in
L
χ
is equal to v (the same verification is done for |V | and L
τ
). The algorithm
V gets as input a tuple (C
1
, C
2
, L
v
1
, L
v
2
, R
r1
, R
r
, H
v
), where C
i
= (v
i
, χ
i
, τ
i
)
and accepts iff (1) VfyCert(C
i
, L
v
i
, R
r1
, R
r
, H
v
) holds, for i {1, 2}; and (2)
v
1
< v
2
.
Stamping Protocol. See Fig. 4(a). The client A begins the protocol by sending
hash H
v
of the vth document to the TSA. The TSA calculates L
v
= h(L
head(v)
),
adds L
v
to the database of stamps, and sends A the second message. The client
checks if the message is of the right form (note that he cannot yet verify whether
L
v
was computed correctly).
Publication Protocol. See Fig. 4(b). Here c
r
= (L
|V |
, r) and R
r
= L
|V |
is
the cumulative round stamp of the rth round. After the end of the rth round
the TSA begins the publication protocol by sending the tuple (c
r
, sig
TSA
(c
r
)) to
the PA. The PA checks if the message is of the right form. If it is, he sends the
TSA the second message and publishes
α
r
= (c
r
, sig
TSA
(c
r
), sig
PA
(c
r
, sig
TSA
(c
r
)))
on an accessible authenticated medium (e.g., in a newspaper). The TSA checks
if the second message is of the right form. If it is, he waits for the publication
and then checks if the published value α
0
r
is equal to α
r
. If it is not, he sends α
r
and the newspaper with α
0
r
to the judge.
Stamp Completion Protocol. See Fig. 4(c). At the end of the rth round, A
gets the value α
r
from the medium, checks if it is of correct form, and sends the
request v to the TSA. The TSA returns the second message m. The client checks
if the signature is correct. If it is, he computes the cumulative hash L
|V |
from
Cert(v) and compares it against the value in c
r
. If the verification algorithm V
rejects on input Cert(v), the client sends α
r
and the message m to the court.
The above of protocols rebalances the communication, compared these in
[BLLV98], by moving the burden from the stamping protocol to the stamp com-
pletion protocol, with the intuition that a lightweight stamping protocol helps to
avoid trivial reordering attacks. Because of the collision-resistance of hash func-
tion h, transmission of L
v
is sufficient if G is a simply connected authentication
graph.
10
2.
4.3.
1.
Fig. 5. Local graph modifications in Theorem 1.
7 Optimality
As informally argued in Section 4, the round graph G = (V, E) of a time-
stamping service has to be based on a simply connected graph for which the
corresponding φ-scheme is such that for any source v, L
1
is included in v’s cer-
tificate. More precisely, for any source v, there has to be a node w in every root
path of v, such that (1, w) E and w is computable from (1, . . . , v) but not
computable from (1, . . . , v 1). We say that a graph satisfying these conditions
is good.
For a good graph G we define a(G) = max
v∈S(G)
min
P
|A
G
(P(v))|, where
P ranges over all pass-through functions. Recall that h : {0, 1}
{0, 1}
k
.
Then by the definition of certificates, |Cert(v)| = k(min
P
|a
G
(P)| + 1), and thus
max
v
|Cert(v)| = k(a(G) + 1). Hence, a tight lower bound on a(G) yields a
tight lower bound on max
v
|Cert(v)|. If G is a round graph, then the number
of time-stamps issued per round is equal to n = |S(G)| 1, since one source
corresponds to the previous round stamp. Next we prove that for any good
graph G, a(G) log
2
n + 2. Hence, time-stamping service based on threaded
tree schemes is certificate length optimal if we cannot assume anything more
but existence of (one) collision-resistant hash-function.
Theorem 1. (1) For a rooted directed acyclic graph G, a(G) log
2
|S(G)| + 1.
(2) For a good graph G, a(G) log
2
(|S(G)| 1) + 2.
Proof. (1) We show in several steps how a given rooted directed acyclic graph
G can be transformed by local modifications to a complete binary tree T
d
such
that |S(T
d
)| |S(G)| and a(T
d
) a(G).
First step (eliminating fan-in > 2). Replace any vertex with s > 2 incoming
edges with a binary tree with s sources (Fig. 5, 1). Let G
1
be the resulting
graph. Then clearly |S(G
1
)| = |S(G)| and a(G
1
) a(G).
Second step (eliminating fan-out > 1). Every vertex with fan-out > 1 can be
replicated (Fig. 5, 2). An application of this step pushes the vertices with fan-
out > 1 “downwards” in the graph. The final applications just replicate the
11
sources, without adding any vertices with fan-out > 1. Thus, we can repeat the
procedure until we get a binary tree G
2
with no vertex having fan-out > 1.
Trivially, |S(G
2
)| |S(G
1
)| and a(G
2
) = a(G
1
).
Third step (making G
2
complete). Any vertex v V (G
2
) with only one pre-
decessor can be deleted (Fig. 5, 3). Let the resulting graph be G
3
. Trivially,
|S(G
3
)| = |S(G
2
)| and a(G
3
) = a(G
2
).
Fourth step (balancing G
3
). If G
3
is not yet a complete binary tree, there exists
a source v V (G
3
) such that d(v, |V (G
3
)|) is less than the height of G
3
. We
proceed by adding two vertices as predecessors of v (Fig. 5, 4). Let the resulting
graph be G
4
. Trivially, |S(G
4
)| |S(G
3
)| and a(G
4
) = a(G
3
).
Thus for any graph G there exists a complete binary tree T
d
such that
|S(T
d
)| |S(G)| and a(T
d
) a(G). But |S(T
d
)| = 2
d
and a(T
d
) = d + 1,
thus for any graph G, a(G) a(T
d
) = log
2
|S(T
d
)| + 1 log
2
|S(G)| + 1. ut
(2) Let G = (V, E) be a good graph with n = |S(G)| 1. W.l.o.g. we can
assume that the minimal authenticator for any v S(G) has the cardinality
a(G). Now let G
1
be the subgraph of G spanned by V \ {1}. By the definition
of good graphs, a(G
1
) = a(G) 1. Since a(G
1
) log
2
|S(G
1
)| + 1, we get that
a(G) log
2
n + 2. ut
8 Conclusion
The new time-stamping scheme achieves optimal lengths of time certificates
in a general sense (k log
2
n versus 3.786k log
2
n compared to the optimal anti-
monotone scheme [BL98], where n is the number of time stamps issued during
a round). As compared to the formerly known most efficient tree schemes, the
new scheme has the same space complexity and only somewhat larger time com-
plexity, while being accountable like the scheme of [BLLV98]. We also presented
the first accountable publication protocol that makes it unnecessary to audit the
publication process.
In practice, a reliable time-stamping service is virtually impossible to achieve
if the TSA and the PA are not replicated. Further research in this area is def-
initely necessary. The formal notion of temporal security is not yet developed
and needs additional research; it is not even clear if it could be defined sepa-
rately from the security of other primitives. An interesting question is whether
more efficient time-stamping services could be built on stronger cryptographic
assumptions.
Acknowledgements
The authors are thankful to Stuart Haber, Markus Jakobsson, Peeter Laud,
Kaisa Nyberg and to the anonymous referees for feedback and helpful discussions.
12
References
[BdM91] Josh Benaloh and Michael de Mare. Efficient Broadcast Time-Stamping.
Technical Report 1, Clarkson University Department of Mathematics and
Computer Science, August 1991.
[BdM93] Josh Benaloh and Michael de Mare. One-Way Accumulators: A Decentralized
Alternative to Digital Signatures (Extended Abstract). In Tor Helleseth, edi-
tor, Advances in Cryptology—EUROCRYPT 93, volume 765 of Lecture Notes
in Computer Science, pages 274–285. Springer-Verlag, 1994, 23–27 May 1993.
[BHS92] Dave Bayer, Stuart A. Haber, and Wakefield Scott Stornetta. Improving
the Efficiency And Reliability of Digital Time-Stamping. In Sequences ’91:
Methods in Communication, Security, and Computer Science, pages 329–334.
Springer-Verlag, 1992.
[BL98] Ahto Buldas and Peeter Laud. New Linking Schemes for Digital Time-
Stamping. In The 1st International Conference on Information Security and
Cryptology, pages 3–14, Seoul, Korea, 18–19 December 1998. Korea Institute
of Information Security and Cryptology.
[BLLV98] Ahto Buldas, Peeter Laud, Helger Lipmaa, and Jan Villemson. Time-
Stamping with Binary Linking Schemes. In Hugo Krawczyk, editor, Advances
on Cryptology CRYPTO ’98, volume 1462 of Lecture Notes in Computer
Science, pages 486–501, Santa Barbara, USA, August 1998. Springer-Verlag.
[HS90] Stuart Haber and Wakefield Scott Stornetta. How to Time-Stamp a Digi-
tal Document. In A. J. Menezes and S. A. Vanstone, editors, Advances in
Cryptology—CRYPTO ’90, volume 537 of Lecture Notes in Computer Sci-
ence, pages 437–455. Springer-Verlag, 1991, 11–15 August 1990.
[HS91] Stuart A. Haber and Wakefield Scott Stornetta. How to Time-Stamp a
Digital Document. Journal of Cryptology, 3(2):99–111, 1991.
[Mer80] Ralph C. Merkle. Protocols for Public Key Cryptosystems. In IEEE, editor,
Proceedings of the 1980 Symposium on Security and Privacy, April 14–16,
1980 Oakland, California, 1109 Spring Street, Suite 300, Silver Spring, MD
20910, USA, 1980. IEEE Computer Society Press.
[San99] Tomas Sander. Efficient Accumulators without Trapdoor. In The Second
International Conference on Information and Communication Security, Syd-
ney, Australia, 9–11 November 1999. To appear.
13
... Exonum uses anchoring algorithm for byzantine faulttolerant bitcoin. In a transaction on the bitcoin blockchain [10], the algorithm regularly yields the hash digest of a contemporary block on an Exonum blockchain. The anchoring operation is in a well-defined form and must be validated on the anchored Exonum blockchain by a plurality of validators. ...
... Anchoring transactions form a chain, and the output generated by the previous one is expended on each next anchoring transaction. Substantiation and manacling of anchoring transactions make the anchoring procedure comparable to the one that is described in [10]. ...
... Information breaches in healthcare capacity frameworks can be uncommonly exorbitant due to fines set out within the HIPAA of 1996 and misfortunes in notoriety. By using threshold data encryption in combination with public key infrastructure, blockchain technologies could reduce the risk of data breach [10]. Blockchain has gained considerable popularity recently because of cryptocurrency recognition in bitcoin. ...
Conference Paper
Owing to enlarged digital data obtainability and artificial intelligence (AI) progressions, there are quite a few occasions that can be reconnoitered in healthcare. Deep learning (DL) and inductive transfer practices are turning healthcare data— such as phantasmagorias and videotapes—into powerful data sources for predictive analytics. At the present time, patients fail to have entree to his/her individual medicinal records and hang around ignorant of data importance or prominence. This paper directs to offer a gestalt of AI and blockchain and exhibit a roadmap for a blockchain-assisted decentralized bionetwork of private healthcare data to expediate new methodologies to drug discovery and precautionary healthcare. A protected and crystal-clear disseminated marketplace of personal data by means of blockchain and DL technology will circumvent challenges faced by authorities of a given healthcare system and restore custody all across private records that includes medicinal documents back to humans. It also proposes a novel type of utility cryptotoken named LifeCoin, which can be produced through the stationing of data on the blockchain-assisted open market to streamline transactions and expedite inventive reward schemes.
... Verification algorithm V is used to confirm the authenticity of the timestamp and the time event sequences. Publishing protocol P uses the TSA to publish the timestamps on an authenticated and easily accessible medium [36]. ...
Article
Full-text available
Wireless sensors networks (WSNs) are characterized by flexibility and scalability in any environment. These networks are increasingly used in agricultural and industrial environments and have a dual role in data collection from sensors and transmission to a monitoring system, as well as enabling the management of the monitored environment. Environment management depends on trust in the data collected from the surrounding environment, including the time of data creation. This paper proposes a trust model for monitoring humidity and moisture in agricultural and industrial environments. The proposed model uses a digital signature and public key infrastructure (PKI) to establish trust in the data source, i.e., the trust in the sensor. Trust in data generation is essential for real-time environmental monitoring and subsequent analyzes, thus timestamp technology is implemented here to further ensure that gathered data are not created or changed after the assigned time. Model validation is performed using the Castalia network simulator by testing energy consumption at the receiver and sender nodes and the delay incurred by creating or validating a trust token. In addition, validation is also performed using the Ascertia TSA Crusher application for the time consumed to obtain a timestamp from the free TSA. The results show that by applying different digital signs and timestamps, the trust entity of the WSN improved significantly with an increase in power consumption of the sender node by up to 9.3% and receiver node by up to 126.3% for a higher number of nodes, along with a packet delay of up to 15.6% and an average total time consumed up to 1.186 s to obtain the timestamp from the best chosen TSA, which was as expected.
... Since all previous messages need to be available for verification, this also implies linear storage overhead. More sophisticated datastructures could reduce this to logarithmic overhead, both anti-monotone binary graphs [9] and threaded authentication trees [10] would be suitable and would only require a single additional hash per message. ...
Conference Paper
Secure Scuttlebutt (SSB) is a novel peer-to-peer event-sharing protocol and architecture for social apps. In this paper we describe SSB's features, its operations as well as the rationale behind the design. We also provide a comparison with Named Data Networking (NDN), an existing information-centric networking architecture, to motivate a larger exploration of the design space for information-centric networking primitives by formulating an identity-centric approach. We finally discuss SSB's limitations and evolution opportunities.
... The combination of a timestamping service and the immutability property of the blockchain, along with its consensus mechanism, can lead to the creation of various important properties such as accountability [35], auditability and non-repudiation [122] -the ability to definitively verify authenticity of statements recorded in the blockchain [85]. These properties make the blockchain a distributed immutable, tamper-proof, transparent and audit log that any attempt to tamper with it can be immediately evident and easily detectable. ...
Thesis
Full-text available
Data are gathered constantly, grow exponentially, and are considered a valuable asset. The need for extensive analysis has emerged by various organizations and researchers. However, they can be sensitive, private, and protected by privacy disclosure acts making data processing by third-parties almost impossible. We propose a protocol for data processing where data controllers can register their datasets and entities can request data processing operations by data processors. A distributed ledger is used as the controller of the system serving as an immutable history log of all actions taken by the participants. The blockchain-based distributed ledger provides data accountability, auditability and provenance tracking. We also use a Zero Knowledge Verifiable Computation scheme where a data processor is enforced to produce a proof of correctness of computation without revealing the dataset itself that the requestor verifies. This records the fact that correct processing has taken place without disclosing any information about the data.
... Linking schemes typically contain three phases: aggregation, linking, and publishing [4]. Examples of linking schemes can be found in [5,6] and some aggregation schemes in [7,8]. In the distributed scheme, multiple issuers independently generate a time stamp according to the simple scheme, each using its own key and time source. ...
Conference Paper
Full-text available
This paper provides an overview of the main state-of-the-art algorithms for time stamping applications and briefly discusses pros and cons of each technique. In particular, it highlights the crucial issues raised by the practical implementation of time stamping algorithms. In addition, it shows the first attempt at time-stamp authority software evaluation regarding some fundamental issues, such as conformance to the Serbian legislation, operating environment, renewal feasibility and responsiveness. Evaluation was carried out both for some commercial and open source time-stamping authority software.
Chapter
This chapter introduces the secure time-stamping technique and discusses how to construct a secure time-stamping scheme for cloud storage systems. This chapter first introduces the traditional secure time-stamping technique that is mainly applied in traditional data storage systems (where the data are stored locally on the user side). Then, a comprehensive survey on secure time-stamping schemes is provided. Finally, the relationship between the secure time-stamping technique and blockchains is discussed, and the secure time-stamping for cloud storage is studied.
Article
We propose Chronos $^{{\mathbf +}}$ + , an accurate blockchain-based time-stamping scheme for outsourced data, where both the storage and time-stamping services are provided by cloud service providers. Specifically, Chronos $^{{\mathbf +}}$ + integrates a file into a transaction on a blockchain once the file is created, which guarantees the file's latest creation time to be the time when the block containing the transaction is appended to the blockchain. A sufficient number of consecutive blocks that are latest confirmed on the blockchain is embedded into the file at the creation time. These blocks serve as a time-dependent random seed to prove the earliest creation time, due to blockchains’ chain quality property. Chronos $^{{\mathbf +}}$ + makes the file's timestamp corresponding to a time interval formed by the earliest and latest creation times which are derived from the heights of the corresponding blocks. Due to blockchains’ chain growth property, such a height-derived timestamp can ensure that the time intervals’ range is within a few minutes so as to guarantee the accuracy. We also point out potential threats towards outsourced time-sensitive files and present security analyses to prove that Chronos $^{{\mathbf +}}$ + is secure against these threats. Comprehensive performance evaluations demonstrate the efficiency and practicality of Chronos $^{{\mathbf +}}$ + .
Article
We want to find a timestamping method which improves efficient performance and have high-level security to send secured messages in the digital signature and the law of e-commerces. Our paper shows a H-binary tree of time stamp to use a time stamp protocol with high suity and performance in the packets of sending messages. We implement and analyze the protocols, show to compare with previous RSA methods. Our proposed protocol has O(log n) time complexity and high-performance.
Conference Paper
Time-Stamping is a cryptographic technique which allows us to prove that an electronic document existed at a certain point in time and that it has not been modified since then. Different time-stamping schemes have already been proposed. Most of them use the concept of trusted Time-Stamping Authority (TSA). A TSA is in charge of time-stamping documents and delivering a time-stamping certificate for each time-stamped document. The purpose of this paper is to propose a new time-stamping scheme using a Local Time-stamping System (LTS). The main idea can be summarised as follows: digests of the documents to be time-stamped are sent to a Local Time-stamping System (LTS). The LTS accumulates the digests into a round value using a round-based protocol. The round value is then time-stamped by a trusted and official TSA. We show how this time-stamping scheme could be useful for an organisation such as a digital library or a company.
Chapter
Digital timestamping is a cryptographic technique allowing to affix a reliable date to a digital document in order to prove that it exists and its integrity is kept since this date. However, there is a good chance that a lot of current timestamping systems will not be secure in the coming years. In fact, the security of most of the existing timestamping systems is based on the security of the used cryptographic techniques as hash functions. However, a hash function has a limited lifetime. In this context, we provide a non-interactive timestamping scheme in the bounded storage model (BSM). In this model, we assume that an adversary has a limited memory but his computing power can be unlimited. Thus, the security of our timestamping scheme does not depend on the lifetime of any cryptographic technique. We prove, in fact, that our timestamping scheme is eternally secure even against an adversary with unlimited computing power.
Conference Paper
Full-text available
We state the basic requirements for time-stamping systems applicable as the necessary support to the legal use of electronic documents. We analyze the main drawbacks of the time-stamping systems proposed to date and present a new system that meets all the stated requirements. We prove that these requirements cannot be signi cantly tightened. 1
Conference Paper
Full-text available
New cryptographic protocols which take full advantage of the unique properties of public key cryptosystems are now evolving. Several protocols for public key distribution and for dig~tal signatures are briefly compared with each other and with the conventional alternative. 1.
Article
Full-text available
To establish that a document was created after a given moment in time, it is necessary to report events that could not have been predicted before they happened. To establish that a document was created before a given moment in time, it is necessary to cause an event based on the document, which can be observed by others. Cryptographic hash functions can be used both to report events succinctly, and to cause events based on documents without revealing their contents. Haber and Stornetta have proposed two schemes for digital time-stamping which rely on these principles [HaSt 91]. We reexamine one of those protocols, addressing the resource constraint required for storage and verification of time-stamp certificates. By using trees, we show how to achieve an exponential increase in the publicity obtained for each time-stamping event, while reducing the storage and the computation required in order to validate a given certificate. We show how time-stamping can be used in certain circumstances to extend the useful lifetime of different kinds of cryptographic certifications of authenticity, in the event that the certifying protocol is compromised. This can be applied to digital signatures, or to time-stamping itself, making the digital time-stamping process renewable.
Article
)Josh BenalohClarkson UniversityMichael de MareClarkson UniversityApril 21, 1992Efficient Broadcast Time-Stamping(Extended Abstract)AbstractEven using an authenticated synchronous broadcast model, the task of unforgeablytime-stamping digital documents still presents some problems. It is simply not practicalto assume that all participants will record and store everyone else's documents so thatcreation times can be verified. This paper presents a time and space efficient...
Article
In 1994 Benaloh and de Mare introduced the notion of one way accumulators that allow to construct efficient protocols for proving membership in a list and related problems like time stamping and authentication. As required by Benaloh et al. unlike in signature based protocols no central trusted authority is (should be) needed. Accumulator based protocols do further improve on hash tree based protocols for proving membership in a list as verification and storage requirements are independent of the number of items in the list. Benaloh's et al. accumulator construction was based on exponentiation module a RSA modulus N = PQ. As already noted by Benaloh et al. the party (or parties) who generated the needed BSA modulus N during system set up knows a factorization of N. This knowledge allows this party to completely bypass the security of accumulator based protocols. For example a time stamping agency could forge time stamps for arbitrary documents. Thus these parties need to be trusted in (at least) two ways. First that they do not abuse their knowledge of the trapdoor and secondly to have had adequate security in place during system set up, which prevented outside attackers from getting hold of P and Q. In this paper we describe a way to construct (generalized) RSA moduli of factorization unknown to anybody. This yields (theoretically) efficient accumulators such that "nobody knows a trapdoor" and the two above mentioned trust requirements in the parties who set up the system can be removed.
Conference Paper
This paper describes a simple candidate one-way hash func- tion which satisfies a quasi-commutative property that allows it to be used aa an accumulator. This property allows protocols to be developed in which the need for a trusted central authority can be eliminated. Space- efficient distributed protocols are given for document time stamping and for membership testing, and many other applications are possible.
Conference Paper
. Binary Linking Schemes (BLS) for digital time-stamping [3]provide (1) relative temporal authentication to be performed in logarithmictime, and (2) time-certificates of reasonable size, which togetherwith the data published in a widely available medium enable the verifierto establish their relative temporal positions, even if the database heldby the Time-Stamping Service (TSS) ceases to exist. We show that thesize of a time-certificate (X) of a document X in the scheme presented...
Article
The prospect of a world in which all text, audio, picture, and video documents are in digital form on easily modifiable media raises the issue of how to certify when a document was created or last changed. The problem is to time-stamp the data, not the medium. We propose computationally practical procedures for digital time-stamping of such documents so that it is infeasible for a user either to back-date or to forward-date his document, even with the collusion of a time-stamping service. Our procedures maintain complete privacy of the documents themselves, and require no record-keeping by the time-stamping service. Appeared, with minor editorial changes, in Journal of Cryptology, Vol. 3, No. 2, pp. 99--111, 1991. 0 Time's glory is to calm contending kings, To unmask falsehood, and bring truth to light, To stamp the seal of time in aged things, To wake the morn, and sentinel the night, To wrong the wronger till he render right. The Rape of Lucrece, l. 941 1 Introduction ...