Time-Stamping: A Survey: Karel Wouters

The document provides an overview of time-stamping, including definitions, conventional uses of time-stamping for events and documents, and how time-stamps are used in cryptography. It describes simple time-stamping methods involving a time-stamping authority (TSA) signing a hash and time, as well as linked time-stamping schemes that make time-stamps depend on previous stamps to prevent backdating and allow fast verification. Recent developments and implementations of time-stamping services and standards are also discussed.

Uploaded by

pinevn2010
Copyright
© Attribution Non-Commercial (BY-NC)
Time-Stamping: a survey

Karel Wouters

Overview

- Definition
- Conventional needs for time-stamping events and documents
- The use of time-stamps in cryptography
- Simple time-stamps
- Linked time-stamps
- Recent developments

Definition
Time-stamp: proof that a certain piece of information existed prior to the time indicated by the time-stamp. Examples:

- A postmarked, unopened letter (registered mail)
- A statement/document, signed and dated by a notary
- An electronic/digital time-stamp

Time-marks in (unprotected) logfiles should not be considered as time-stamps

Conventional needs for time-stamping

- Research and patents: proof that you were first. -> research diary, periodically signed by a notary
- Credibility of business documents within a company
- Credibility of photographs, video, audio

Time-stamps in cryptography

- Digital signatures can be bound to a time-line:

  timestamp2(Signature(Document|timestamp1))

  -> signature created between ts1 and ts2

- Long-term protection of digital signatures against key compromise, certificate expiry and algorithm weakening: time-stamps can indicate that the signature was generated before compromise/expiry/algorithm break
- Time-stamps on random data can be used as a nonce: they indicate their own freshness.

Simple time-stamps

Essentially: $\mathrm{Sign}_{TSA}(\mathrm{Time}, \mathrm{Hash}(\mathrm{Document}))$

TSA: Time-Stamping Authority

Additional signed information in the time-stamp token:

- Serial number
- Time-stamp policy ID/hash value
- Accuracy
- Ordering

Simple time-stamps - 2

Pro:
- Easy to compute, compact
- Independent of other time-stamps
- Single-step protocol
- Time-stamps of different TSAs can be compared

Contra:
- TSA has to be trusted completely: a malicious TSA can issue back-dated time-stamps.
- All time-stamps become useless when the TSA private key is compromised.

Simple time-stamps - 3

IETF RFC 3161, ISO/IEC 18014-2

Time-Stamp Requester (User) -> TSA: TimeStampReq
- version
- hashAlgorithm
- hashedMessage
- reqPolicy
- nonce
- certReq

TSA -> Time-Stamp Requester (User): {StatusInfo}, {Signature}, TSTInfo
- version
- policy
- hashAlgorithm
- hashedMessage
- serialNumber
- genTime
- accuracy
- ordering
- nonce
- tsa

Simple time-stamps - 4

Some existing implementations (RFC3161):

- AuthentiDate: US Postal Services Electronic Postmark
- OpenTSA: open source and free time-stamping authority client and server application
- Several other small businesses/countries
- PGP Digital Time-stamping Service: free, proof of concept.

Linked time-stamps

Basic idea: make the next time-stamp depend on the previously issued time-stamps, in a one-way fashion, using a hash function. Publish intermediate values in a widely-witnessed medium.

First approach: linear linking scheme (Haber & Stornetta)

$s = \mathrm{sig}_{TSA}(n, t_n, ID_n, H_n, L_n)$

$L_n = (t_{n-1}, ID_{n-1}, H_{n-1}, H(L_{n-1}))$
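The linear linking scheme above, as an added Python example (not code from the slides): each stamp carries a link to its predecessor, and a verifier walks those links to order two stamps. SHA-256, the length-prefixed field encoding, the all-zero first link and the client names are assumptions, and the TSA signature over each stamp is left out.

```python
import hashlib

def H(*fields: bytes) -> bytes:
    """SHA-256 over length-prefixed fields, so field boundaries are unambiguous."""
    h = hashlib.sha256()
    for f in fields:
        h.update(len(f).to_bytes(4, "big") + f)
    return h.digest()

# Constructed placeholder link for the first stamp, which has no predecessor.
GENESIS_LINK = (b"", b"", b"", bytes(32))

def issue(chain, t_n, id_n, h_n):
    """Append stamp (n, t_n, ID_n, H_n, L_n); the sig_TSA over it is left out."""
    if chain:
        _, t_prev, id_prev, h_prev, l_prev = chain[-1]
        l_n = (t_prev, id_prev, h_prev, H(*l_prev))
    else:
        l_n = GENESIS_LINK
    chain.append((len(chain) + 1, t_n, id_n, h_n, l_n))
    return chain[-1]

def verify_order(chain, i, j):
    """Walk the links from stamp j back to stamp i (1-based serial numbers).
    Returns the number of link checks, or None if any link does not match."""
    steps = 0
    for k in range(j, i, -1):
        _, t_prev, id_prev, h_prev, l_prev = chain[k - 2]   # stamp k-1
        if chain[k - 1][4] != (t_prev, id_prev, h_prev, H(*l_prev)):
            return None
        steps += 1
    return steps

def demo_chain():
    """Five constructed requests from hypothetical clients."""
    chain = []
    for n in range(1, 6):
        doc = f"constructed document {n}".encode()
        issue(chain, f"2003-01-01T10:0{n}".encode(), f"client-{n}".encode(),
              hashlib.sha256(doc).digest())
    return chain

if __name__ == "__main__":
    chain = demo_chain()
    print(verify_order(chain, 1, 5))     # cost grows with j - i
    n, t, cid, _, link = chain[2]        # TSA swaps the document behind stamp 3
    chain[2] = (n, t, cid, hashlib.sha256(b"back-dated").digest(), link)
    print(verify_order(chain, 3, 5))     # stamp 4 no longer links to stamp 3
```

Swapping the document hash of an already issued stamp is caught by every later stamp, because the old hash is fixed inside the successor's link.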

Linked time-stamps - 2

Main concern: the number of steps needed to compare two stamps depends on the number of stamps between them.

Partial solution: Aggregation - collect time-stamp requests and bundle them in a Merkle tree:

$L_{11} = H(H_5, H_6)$

$L_{14} = H(L_{11}, L_{12})$

$L_{15} = H(L_{13}, L_{14})$

Linked time-stamps - 3

3 phases in linked time-stamping schemes:

- aggregation: collect hash values; $n_a$ hash values get the same time-stamp
- linking: link to the previous link value(s), return a partial time-stamp (head) until the linking round is over (time/#requests)
- publishing: publish the n-th round value, complete time-stamps from the n-th round (tail) -> TSA cannot cheat anymore

note1: the gap between linking and publishing can be covered by classical crypto (signature)

note2: the time-stamp doesn't necessarily contain a time value. We have relative temporal authentication
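The three phases above in an added Python sketch (not code from the slides): one round is aggregated into a Merkle tree, its root is linked to the previous round value, and a time-stamp is checked against the published round value. SHA-256, the linking rule "round value = H(previous round value, root)", promoting an odd node unchanged, and the all-zero initial round value are assumptions.

```python
import hashlib

def H(a: bytes, b: bytes) -> bytes:
    return hashlib.sha256(a + b).digest()   # both inputs are 32-byte digests

def aggregate(leaves):
    """Merkle-aggregate one round. Returns (root, paths); paths[i] lists
    (sibling, sibling_is_left) pairs from leaf i up to the root."""
    paths = [[] for _ in leaves]
    level = [(x, [i]) for i, x in enumerate(leaves)]   # (hash, leaves below it)
    while len(level) > 1:
        nxt = []
        for k in range(0, len(level) - 1, 2):
            (l, l_ids), (r, r_ids) = level[k], level[k + 1]
            for i in l_ids:
                paths[i].append((r, False))
            for i in r_ids:
                paths[i].append((l, True))
            nxt.append((H(l, r), l_ids + r_ids))
        if len(level) % 2:
            nxt.append(level[-1])        # odd node moves up unchanged
        level = nxt
    return level[0][0], paths

def close_round(prev_round_value, leaves):
    """Linking: fold this round's root into the previous round value."""
    root, paths = aggregate(leaves)
    return H(prev_round_value, root), paths   # first item is what gets published

def verify(doc_hash, path, prev_round_value, published):
    """Recompute the round value from one document hash and its path."""
    node = doc_hash
    for sibling, sibling_is_left in path:
        node = H(sibling, node) if sibling_is_left else H(node, sibling)
    return H(prev_round_value, node) == published

def demo():
    """Two constructed rounds (5 and 3 requests); returns what a verifier needs."""
    digest = lambda s: hashlib.sha256(s.encode()).digest()
    r0 = bytes(32)                                   # constructed initial round value
    round1 = [digest(f"round 1 doc {i}") for i in range(5)]
    round2 = [digest(f"round 2 doc {i}") for i in range(3)]
    r1, paths1 = close_round(r0, round1)
    r2, paths2 = close_round(r1, round2)
    return r0, round1, paths1, r1, round2, paths2, r2
```

The verifier needs only the document hash, the path (at most about log2 of the round size in hashes) and the two round values; no TSA key is involved once the round value is published.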

Linked time-stamps - 4

Limiting the time-stamp/verification chain size

Idea: use simply connected authentication graphs:

- Directed acyclic graphs with numbered vertices, topologically sorted: $(v, w) \in E \Rightarrow v < w$
- If $v_1 < v_2$, there exists a directed path from $v_1$ to $v_2$
- Vertices are labelled with hash values: $L_v = h(L_{E^{-1}(v)})$

Linked time-stamps - 5

Binary linking scheme (Buldas, Laud, Lipmaa, Villemson)

- Allows for accumulated time-stamping
- Length of the verification chain ~ log(#time-stamps/round)

Linked time-stamps - 6

Threaded Authentication trees (Buldas, Lipmaa, Schoenmakers)

- Add extra vertices to Merkle authentication tree
- Optimal in time-stamp size: d+3 hash values

Linked time-stamps - 7

Pro:
- Security independent of the TSA's private key
- Back-dating impossible
- Verification: fast

Contra:
- Hard to compare time-stamps of different TSAs
- Difficult protocol
- Re-time-stamping??

Linked time-stamping - 8

Some existing implementations:

- Surety: founded by Haber & Stornetta. Services: AbsoluteProof™: digital notary (inventions) and data integrity, based on a linear linking scheme; intermediate values in NYTimes.
- Cybernetica (Estonia): time-stamping service, using aggregation and linking. Software open source.
- ISO/IEC 18014-3

Recent developments
(time-stamping is not dead)

- Providing time-stamping services to mobile devices, D. Cotroneo, C. di Flora, A. Mazzeo, L. Romano, S. Russo, G. P. Saggese, Words 2003.
- Efficient relative time-stamping scheme based on the ternary link, Igarashi Y, Kuwakado H, Tanaka H, IEICE Trans on Fundamentals of Electronics, Communications and Computer Sciences, 2003
- OASIS: Digital Signature Services, XML format for a time-stamp service (WIP)

References

- How to Time-Stamp a Digital Document (Stuart Haber and W. Scott Stornetta, Journal of Cryptology, Vol. 3, No. 2, pp. 99-111 (1991))
- Time-Stamping With Binary Linking Schemes (Ahto Buldas, Peeter Laud, Helger Lipmaa, Jan Villemson, Crypto '98)
- Optimally Efficient Accountable Time-Stamping (Ahto Buldas, Helger Lipmaa, Berry Schoenmakers, PKC '2000)
- Internet X.509 Public Key Infrastructure Time Stamp Protocols (TSP) (RFC 3161) http://www.ieft.org
- ISO/IEC 18014-1,2,3: Information technology - Security techniques - Time-stamping services -- Part 1,2&3
- OpenTSA http://www.opentsa.org
- Cybernetica Time-stamp service. http://www.timestamp.cyber.ee
- Surety http://www.surety.com
- OASIS Digital Signature Services TC http://www.oasis-open.org

Digital Time-Stamping link archive by Helger Lipmaa: http://www.tcs.hut.fi/~helger/crypto/link/timestamping/

Q?

Time flies like an arrow. Fruit flies like a banana. Lisa Grossman
