Abstract. We state the basic requirements for time-stamping systems applicable as the necessary support to the legal use of electronic documents. We analyze the main drawbacks of the time-stamping systems proposed to date and present a new system that meets all the stated requirements. We prove that these requirements cannot be signi cantly tightened. 1

Protocol failures are presented for two timestamping schemes. These failures emphasize the importance and difficulty of implementing a secure protocol even though there exist secure underlying algorithms. As well, they indicate the importance of clearly defining the goals for a protocol. For the scheme of Benaloh and de Mare (Eurocrypt '93), it is shown that although an indication of time can be included during the computation of the timestamp, the verifiation of the timestamp does not allow for the recovery of this temporal measure. For the scheme of Haber and Stornetta (Journal of Cryptology '91), we demonstrate how a collusion attack between a single user and a timestamping service allows for the backdating of timestamps. This attack is successful despite the claim that the timestamping service need not be trusted. For each of these schemes we discuss methods for improvement.

Binary Linking Schemes (BLS) for digital time-stamping [3] provide (1) relative temporal authentication to be performed in logarithmic time, and (2) time-certificates of reasonable size, which together with the data published in a widely available medium enable the verifier to establish their relative temporal positions, even if the database held by the Time-Stamping Service (TSS) ceases to exist. We show that the size of a time-certificate ø(X) of a document X in the scheme presented in [3] is bounded by 4 \Delta log 2 N where k is the output size of the hash function and N is the number of time-stamps issued. We then present a new BLS with ø (X) ß 6 log 2 3 \Delta k \Delta log 2 N and prove that the presented scheme is optimal in that sense.

In this paper, we present a simple method for generating random-based signatures when random number generators are either unavailable or of suspected quality (malicious or accidental).