Abstract. We state the basic requirements for time-stamping systems applicable as the necessary support to the legal use of electronic documents. We analyze the main drawbacks of the time-stamping systems proposed to date and present a new system that meets all the stated requirements. We prove that these requirements cannot be signi cantly tightened. 1

In this paper, we address the problem of the performance analysis of image watermarking systems that do not require the availability of the original image during ownership verification. We focus on a statistical approach to obtain models that can serve as a basis for the application of the decision theory to the design of efficient detector structures. Special attention is paid to the possible nonexistence of a statistical description of the original image. Different modeling approaches are proposed for the cases when such a statistical characterization is known and when it is not. Watermarks may encode a message, and the performance of the watermarking system is evaluated using as a measure the probability of false alarm, the probability of detection when the presence of the watermark is tested, and the probability of error when the information that it carries is extracted. Finally, the modeling techniques studied are applied to the analysis of two watermarking schemes, one of them defined in the spatial domain, and the other in the direct cosine transform (DCT) domain. The theoretical results are contrasted with empirical data obtained through experimentation covering several cases of interest. We show how choosing an appropriate statistical model for the original image can lead to considerable improvements in performance

A (secure) reliable multicast protocol enables a process to multicast a message to a group of processes in a way that ensures that all honest destination-group members receive the same message, even if some group members and the multicast initiator are maliciously faulty. Reliable multicast has been shown to be useful for building multiparty cryptographic protocols and secure distributed services. We present a high-throughput reliable multicast protocol that tolerates the malicious behavior of up to fewer than one-third of the group members. Our protocol achieves high-throughput using a novel technique for chaining multicasts, whereby the cost of ensuring agreement on each multicast message is amortized over many multicasts. This is coupled with a novel flow-control mechanism that yields low multicast latency. 1. Introduction Reliable multicast is a fundamental communication protocol that underlies many forms of secure distributed computation. A (secure) reliable multicast protocol en...

Partial order time expresses issues central to many problems in asynchronous distributed systems, but suffers from inherent security and privacy risks. Secure partial order clocks provide a general method to develop application protocols that transparently protect against these risks. Our previous Signed Vector Timestamp protocol provides a partial order time service with some security: no one can forge dependence on an honest process. However, that protocol still permits some forgery of dependence, permits all denial of precedence, and leaks private information. This paper uses secure coprocessors to improve the vector protocol: our new Sealed Vector Timestamp protocol detects both the presence and absence of causal paths even in the presense of malicious processes, and protects against some privacy risks as well. By solving these previously open security problems, our new protocol provides a foundation for incorporating security and privacy into distributed application protocols bas...

Abstract. Efficient secure time-stamping schemes employ a 2-level approach in which the time-stamping service operates in rounds. We say that a time-stamping service is accountable if if it makes the TSA and other authorities accountable for their actions by enabling a principal to detect and later prove to a judge any frauds, including attempts to reorder time-stamps from the same round. We investigate the paradigm of time-stamping services based on simply connected graphs, and propose a simple, yet optimal, accountable time-stamping service, using what we call threaded tree schemes. We improve upon the previously best scheme by Buldas and Laud by reducing the size of a time stamp by a factor of about 3.786 and show that our construction is optimal in a strict sense. The new protocols also increase the trustworthiness of the publication process, which takes place at the end of each round. 1

The increasing use of digital documents, and the need to refer to them conveniently and unambiguously, raise an important question: can one "name" a digital document in a way that conveniently enables users to find it, and at the same time enables a user in possession of a document to be sure that it is indeed the one that is referred to by the name? One crucial piece of a complete solution to this problem would be a method that provides a cryptographically verifiable label for any bit-string (for example, the content, in a particular format, of the document). This problem has become even more acute with the emergence of the WorldWide Web, where a document (whose only existence may be on-line) is now typically named by giving its URL, which is merely a pointer to its virtual location at a particular moment in time. Using a one-way hash function to call files by their hash values is cryptographically verifiable, but the resulting names are unwieldy, because of their length and randomn...

The potential of secure coprocessing to address many emerging security challenges and to enable new applications has been a long-standing interest of many members of the Computer Research and Applications Group, including this author. The purpose of this paper is to summarize this thinking, by presenting a taxonomy of some potential applications and by summarizing what we regard as some particularly interesting research questions.

Protocol failures are presented for two timestamping schemes. These failures emphasize the importance and difficulty of implementing a secure protocol even though there exist secure underlying algorithms. As well, they indicate the importance of clearly defining the goals for a protocol. For the scheme of Benaloh and de Mare (Eurocrypt '93), it is shown that although an indication of time can be included during the computation of the timestamp, the verifiation of the timestamp does not allow for the recovery of this temporal measure. For the scheme of Haber and Stornetta (Journal of Cryptology '91), we demonstrate how a collusion attack between a single user and a timestamping service allows for the backdating of timestamps. This attack is successful despite the claim that the timestamping service need not be trusted. For each of these schemes we discuss methods for improvement.

Binary Linking Schemes (BLS) for digital time-stamping [3] provide (1) relative temporal authentication to be performed in logarithmic time, and (2) time-certificates of reasonable size, which together with the data published in a widely available medium enable the verifier to establish their relative temporal positions, even if the database held by the Time-Stamping Service (TSS) ceases to exist. We show that the size of a time-certificate ø(X) of a document X in the scheme presented in [3] is bounded by 4 \Delta log 2 N where k is the output size of the hash function and N is the number of time-stamps issued. We then present a new BLS with ø (X) ß 6 log 2 3 \Delta k \Delta log 2 N and prove that the presented scheme is optimal in that sense.

Most anonymous, electronic cash systems are signature-based. A side effect of this is that in these systems the bank has the technical ability to issue unreported, valid money. It has been noticed in the past that this may lead to a disaster if the secret key of the bank is compromised. Furthermore, the above feature prevents any effective monitoring of the system. In this paper we build a fully anonymous, auditable system, by constructing an electronic cash system that is signature-free, and where the bank needs to have no secret at all. The security of the system relies instead on the ability of the bank to maintain the integrity of a public database. Our system takes a completely new direction for meeting the above requirements, and, in particular, it is the first to do so without the necessity of making individual transactions potentially traceable: payers enjoy unconditional anonymity for their payment transactions. The system is theoretically efficient but not yet practical.