Linked timestamping explained

Linking

Publishing

Security

Linked timestamping is inherently more secure than the usual, public-key signature based time-stamping. All consequential time-stamps "seal" previously issued ones - hash chain (or other authenticated dictionary in use) could be built only in one way; modifying issued time-stamps is nearly as hard as finding a preimage for the used cryptographic hash function. Continuity of operation is observable by users; periodic publications in widely witnessed media provide extra transparency.

Tampering with absolute time values could be detected by users, whose time-stamps are relatively comparable by system design.

Absence of secret keys increases system trustworthiness. There are no keys to leak and hash algorithms are considered more future-proof^[1] than modular arithmetic based algorithms, e.g. RSA.

Linked timestamping scales well - hashing is much faster than public key cryptography. There is no need for specific cryptographic hardware with its limitations.

The common technology^[2] for guaranteeing long-term attestation value of the issued time-stamps (and digitally signed data^[3]) is periodic over-time-stamping of the time-stamp token. Because of missing key-related risks and of the plausible safety margin of the reasonably chosen hash function this over-time-stamping period of hash-linked token could be an order of magnitude longer than of public-key signed token.

Research

Foundations

Stuart Haber and W. Scott Stornetta proposed^[4] in 1990 to link issued time-stamps together into linear hash-chain, using a collision-resistant hash function. The main rationale was to diminish TSA trust requirements.

Tree-like schemes and operating in rounds were proposed by Benaloh and de Mare in 1991^[5] and by Bayer, Haber and Stornetta in 1992.^[6]

Benaloh and de Mare constructed a one-way accumulator^[7] in 1994 and proposed its use in time-stamping. When used for aggregation, one-way accumulator requires only one constant-time computation for round membership verification.

Surety^[8] started the first commercial linked timestamping service in January 1995. Linking scheme is described and its security is analyzed in the following article^[9] by Haber and Sornetta.

Buldas et al. continued with further optimization^[10] and formal analysis of binary tree and threaded tree^[11] based schemes.

Skip-list based time-stamping system was implemented in 2005; related algorithms are quite efficient.^[12]

Provable security

Security proof for hash-function based time-stamping schemes was presented by Buldas, Saarepera^[13] in 2004. There is an explicit upper bound

Next, in 2005 it was shown^[14] that bounded time-stamping schemes with a trusted audit party (who periodically reviews the list of all time-stamps issued during an aggregation period) can be made universally composable - they remain secure in arbitrary environments (compositions with other protocols and other instances of the time-stamping protocol itself).

Buldas, Laur showed^[15] in 2007 that bounded time-stamping schemes are secure in a very strong sense - they satisfy the so-called "knowledge-binding" condition. The security guarantee offered by Buldas, Saarepera in 2004 is improved by diminishing the security loss coefficient from

The hash functions used in the secure time-stamping schemes do not necessarily have to be collision-resistant^[16] or even one-way;^[17] secure time-stamping schemes are probably possible even in the presence of a universal collision-finding algorithm (i.e. universal and attacking program that is able to find collisions for any hash function). This suggests that it is possible to find even stronger proofs based on some other properties of the hash functions.

At the illustration above hash tree based time-stamping system works in rounds (

Standards

ISO 18014 part 3 covers 'Mechanisms producing linked tokens'.

American National Standard for Financial Services, "Trusted Timestamp Management and Security" (ANSI ASC X9.95 Standard) from June 2005 covers linking-based and hybrid time-stamping schemes.

There is no IETF RFC or standard draft about linking based time-stamping. (Evidence Record Syntax) encompasses hash tree and time-stamp as an integrity guarantee for long-term archiving.

External links

• "Series of mini-lectures about cryptographic hash functions"; includes application in time-stamping and provable security; by A. Buldas, 2011.

Notes and References

1. Book: 10.1007/978-3-540-88702-7_3. 978-3-540-88701-0. Post-Quantum Cryptography. 2009. Buchmann . J.. Hash-based Digital Signature Schemes. Dahmen . E.. Szydlo . M.. 35 .
2. See ISO/IEC 18014-1:2002 Chapter 4.2
3. For example see XAdES-A.
4. 10.1007/BF00196791 . How to time-stamp a digital document . 1991 . Haber . S. . 2 . Stornetta . W. S. . Journal of Cryptology . 3. 99–111 . 10.1.1.46.8740 . 14363020 .
5. Benaloh . Josh . de Mare . Michael . Efficient Broadcast Time-Stamping . Technical Report 1 . Clarkson University Department of Mathematics and Computer Science . 1991 . 10.1.1.38.9199 .
6. Bayer . Dave . Stuart A. . Haber . Wakefield Scott . Stornetta . Improving the Efficiency And Reliability of Digital Time-Stamping . 329–334 . Sequences II: Methods in Communication, Security and Computer Science . Springer-Verlag . 1992 . 10.1.1.46.5923 .
7. Book: 10.1007/3-540-48285-7_24. 978-3-540-57600-6. Advances in Cryptology – EUROCRYPT '93. 1994. Benaloh. One-Way Accumulators: A Decentralized Alternative to Digital Signatures . J.. Mare . M.. 765. Lecture Notes in Computer Science. 274. http://citeseer.ist.psu.edu/old/benaloh94oneway.html .
8. Web site: Surety, LLC | Protect the Integrity of Electronic Records.
9. Book: 10.1145/266420.266430 . 978-0897919128 . Proceedings of the 4th ACM conference on Computer and communications security - CCS '97 . 1997 . Haber . Secure names for bit-strings . S. . Stornetta . W. S. . 28 . 10.1.1.46.7776 . 14108602 . https://archive.org/details/proceedingsof4th0000unse/page/28 .
10. Book: 10.1007/BFb0055749. Time-stamping with binary linking schemes. 978-3-540-64892-5. 1998. Buldas . A.. Laud . P.. Lipmaa . H.. Villemson . J.. 1462. Lecture Notes in Computer Science. 486. 10.1.1.35.9724.
11. Book: Buldas . Ahto . Lipmaa . Helger . Schoenmakers . Berry . Optimally Efficient Accountable Time-Stamping . 293–305 . 1751 . 2000 . 10.1007/b75033. 10.1.1.40.9332 . Lecture Notes in Computer Science . 978-3-540-66967-8 . 573442 .
12. Book: 10.1007/11751595_43. 978-3-540-34075-1. Computational Science and Its Applications - ICCSA 2006. 2006. Blibech. A New Timestamping Scheme Based on Skip Lists . K.. Gabillon . A.. 3982. 395. Lecture Notes in Computer Science.
13. Book: Buldas. Ahto. Saarepera. Märt. On Provably Secure Time-Stamping Schemes. 500–514. 3329. 2004. 10.1007/b104116. 10.1.1.65.8638. Lecture Notes in Computer Science. 978-3-540-23975-8. 1230568.
14. Book: Buldas. A.. Laud. P.. Saarepera. M. R.. Willemson. J.. 2005. Universally Composable Time-Stamping Schemes with Audit S. Lecture Notes in Computer Science. 3650. 359–373. 10.1007/11556992_26. 10.1.1.59.2070. 978-3-540-31930-6.
15. Book: 10.1007/978-3-540-71677-8_11 . 978-3-540-71676-1 . Knowledge-Binding Commitments with Applications in Time-Stamping . 2007 . Buldas . A.. Laur . S.. 4450 . Lecture Notes in Computer Science . 150–165. 10.1.1.102.2680 .
16. Book: 10.1007/978-3-540-75670-5_9 . 978-3-540-75669-9 . Does Secure Time-Stamping Imply Collision-Free Hash Functions? . 2007 . Buldas . A.. Jürgenson . A.. 4784 . Lecture Notes in Computer Science . 138–150. 10.1.1.110.4564 .
17. Book: 10.1007/11767480_4 . 978-3-540-34703-3 . Do Broken Hash Functions Affect the Security of Time-Stamping Schemes? . 2006 . Buldas . A.. Laur . S.. 3989 . Lecture Notes in Computer Science . 50–65. 10.1.1.690.7011 .