## How to Time-stamp a Digital Document (1991)

Venue: | Journal of Cryptology |

Citations: | 216 - 3 self |

### BibTeX

@ARTICLE{Haber91howto,

author = {Stuart Haber and W. Scott Stornetta},

title = {How to Time-stamp a Digital Document},

journal = {Journal of Cryptology},

year = {1991},

volume = {3},

pages = {99--111}

}

### Years of Citing Articles

### OpenURL

### Abstract

The prospect of a world in which all text, audio, picture, and video documents are in digital form on easily modifiable media raises the issue of how to certify when a document was created or last changed. The problem is to time-stamp the data, not the medium. We propose computationally practical procedures for digital time-stamping of such documents so that it is infeasible for a user either to back-date or to forward-date his document, even with the collusion of a time-stamping service. Our procedures maintain complete privacy of the documents themselves, and require no record-keeping by the time-stamping service. Appeared, with minor editorial changes, in Journal of Cryptology, Vol. 3, No. 2, pp. 99--111, 1991. 0 Time's glory is to calm contending kings, To unmask falsehood, and bring truth to light, To stamp the seal of time in aged things, To wake the morn, and sentinel the night, To wrong the wronger till he render right. The Rape of Lucrece, l. 941 1 Introduction ...

### Citations

2840 | New directions in cryptography
- Diffie, Hellman
- 1976
(Show Context)
Citation Context ...= h(x 0 ). (Such a pair is called a collision for h.) The practical importance of such functions has been known for some time, and researchers have used them in a number of schemes; see, for example, =-=[7, 15, 16]. Damgard gave the f-=-irst formal definition, and a constructive proof of their existence, on the assumption that there exist one-way "claw-free" permutations [4]. For this, any "one-way group action" i... |

1224 |
Probabilistic encryption
- Goldwasser, Micali
- 1984
(Show Context)
Citation Context ...e, we suggest that a precise complexity-theoretic definition of the strongest possible level of time-stamping security could be given along the lines of the definitions given by Goldwasser and Micali =-=[9]-=-, Goldwasser, Micali, and Rivest [10], and Galil, Haber, and Yung [8] for various cryptographic tasks. The time-stamping and the verification procedures would all depend on a security parameter p. A t... |

745 | A pseudorandom generator from any one-way function
- Hastad, Impagliazzo, et al.
- 1999
(Show Context)
Citation Context ...particular, they are unpredictable. Such generators were first studied by Blum and Micali [2] and by Yao [22]; Impagliazzo, Levin, and Luby have shown that they exist if there exist one-way functions =-=[12]-=-. Once again, we consider a hash value y that our client would like to time-stamp. She uses y as a seed for the pseudorandom generator, whose output can be interpreted in a standard way as a k-tuple o... |

618 |
How to generate cryptographically strong sequences of pseudo-random bits
- Blum, Micali
- 1984
(Show Context)
Citation Context ...nput seeds to output sequences that are indistinguishable by any feasible algorithm from random sequences; in particular, they are unpredictable. Such generators were first studied by Blum and Micali =-=[2]-=- and by Yao [22]; Impagliazzo, Levin, and Luby have shown that they exist if there exist one-way functions [12]. Once again, we consider a hash value y that our client would like to time-stamp. She us... |

524 |
Theory and application of trapdoor functions
- Yao
- 1982
(Show Context)
Citation Context ...utput sequences that are indistinguishable by any feasible algorithm from random sequences; in particular, they are unpredictable. Such generators were first studied by Blum and Micali [2] and by Yao =-=[22]-=-; Impagliazzo, Levin, and Luby have shown that they exist if there exist one-way functions [12]. Once again, we consider a hash value y that our client would like to time-stamp. She uses y as a seed f... |

386 |
The MD4 Message Digest Algorithm
- Rivest
- 1991
(Show Context)
Citation Context ...all [20]. See x6.3 below for a discussion of the differences between these two sorts of cryptographic hash functions. There are practical implementations of hash functions, for example that of Rivest =-=[19]-=-, which seem to be reasonably secure. We will use the hash functions as follows. Instead of transmitting his document x to the TSS, a client will send its hash value h(x) = y instead. For the purposes... |

359 |
Prediction and entropy of printed english
- Shannon
- 1951
(Show Context)
Citation Context ...mply because the high-order bit of each byte is always 0. Even worse, the density of acceptable English text can be bounded above by an estimate of the entropy of English as judged by native speakers =-=[21]-=-. This value is approximately 1 bit per ASCII character, giving a density of (2 1 =2 8 ) N , or 1=128 N . We leave it to future work to determine whether one can formalize the increased difficulty of ... |

319 | Universal one-way hash functions and their cryptographic applications
- Naor, Yung
- 1989
(Show Context)
Citation Context ...ing x, to compute another string x 0 6= x satisfying h(x) = h(x 0 ) for a randomly chosen h. They were able to construct such functions on the assumption that there exist one-to-one one-way functions =-=[17]-=-. Rompel has recently shown that such functions exist if there exist one-way functions at all [20]. See x6.3 below for a discussion of the differences between these two sorts of cryptographic hash fun... |

301 |
A design principle for hash functions
- Damgard
- 1990
(Show Context)
Citation Context ...ns. As far as is currently known, a stronger complexity assumption---namely, the existence of claw-free pairs of permutations---is needed in order to prove the existence of these functions. (See also =-=[5]-=- and [6] for further discussion of the theoretical properties of cryptographic hash functions.) Universal one-way hash functions were the tool used in order to construct a secure signature scheme. Our... |

201 | One-way functions are necessary and sufficient for secure signatures
- Rompel
- 1990
(Show Context)
Citation Context ...were able to construct such functions on the assumption that there exist one-to-one one-way functions [17]. Rompel has recently shown that such functions exist if there exist one-way functions at all =-=[20]-=-. See x6.3 below for a discussion of the differences between these two sorts of cryptographic hash functions. There are practical implementations of hash functions, for example that of Rivest [19], wh... |

110 |
Chameleon signatures
- Krawczyk, Rabin
- 2000
(Show Context)
Citation Context ...formally, a signature scheme is an algorithm for a party, the signer, to tag messages in a way that uniquely identifies the signer. Digital signatures were proposed by Rabin and by Diffie and Hellman =-=[18, 7]-=-. After a long sequence of papers by many authors, Rompel [20] showed that the existence of one-way functions can be used in order to design a signature scheme satisfying the very strong notion of sec... |

64 |
Public Key Systems
- Merkle, \Secrecy
- 1979
(Show Context)
Citation Context ...= h(x 0 ). (Such a pair is called a collision for h.) The practical importance of such functions has been known for some time, and researchers have used them in a number of schemes; see, for example, =-=[7, 15, 16]. Damgard gave the f-=-irst formal definition, and a constructive proof of their existence, on the assumption that there exist one-way "claw-free" permutations [4]. For this, any "one-way group action" i... |

29 |
One-Way Functions are Essential for Complexity-Based Cryptography
- Impagliazzo, Luby
- 1989
(Show Context)
Citation Context ...tamping to the simple assumption that one-way functions exist. This is the minimum reasonable assumption for us, since all of complexity-based cryptography requires the existence of one-way functions =-=[12, 13]-=- 6.4 Practical considerations As we move from the realm of complexity theory to that of practical cryptosystems, new questions arise. In one sense, time-stamping places a heavier demand on presumably ... |

20 |
A secure digital signature scheme
- Goldwasser, Micali, et al.
- 1988
(Show Context)
Citation Context ...showed that the existence of one-way functions can be used in order to design a signature scheme satisfying the very strong notion of security that was first defined by Goldwasser, Micali, and Rivest =-=[10]-=-. With a secure signature scheme available, when the TSS receives the hash value, it appends the date and time, then signs this compound document and sends it to the client. By checking the signature,... |

19 |
Collision-free hash functions and public key signature schemes
- DamgËšard
- 1987
(Show Context)
Citation Context ...r of schemes; see, for example, [7, 15, 16]. Damgard gave the first formal definition, and a constructive proof of their existence, on the assumption that there exist one-way "claw-free" per=-=mutations [4]. For this, any &quo-=-t;one-way group action" is sufficient [3]. Naor and Yung defined the similar notion of "universal one-way hash functions," which satisfy, in place of the second condition above, the sli... |

17 |
One-way hash functions and DES
- Merkle
- 1990
(Show Context)
Citation Context ...= h(x 0 ). (Such a pair is called a collision for h.) The practical importance of such functions has been known for some time, and researchers have used them in a number of schemes; see, for example, =-=[7, 15, 16]. Damgard gave the f-=-irst formal definition, and a constructive proof of their existence, on the assumption that there exist one-way "claw-free" permutations [4]. For this, any "one-way group action" i... |

11 |
One-way group actions
- Brassard, Yung
- 1991
(Show Context)
Citation Context ...e the first formal definition, and a constructive proof of their existence, on the assumption that there exist one-way "claw-free" permutations [4]. For this, any "one-way group action&=-=quot; is sufficient [3]. Naor and-=- Yung defined the similar notion of "universal one-way hash functions," which satisfy, in place of the second condition above, the slightly weaker requirement that it be computationally infe... |

3 |
On the design of provably secure cryptographic hash functions
- DeSantis, Yung
- 1991
(Show Context)
Citation Context ...ar as is currently known, a stronger complexity assumption---namely, the existence of claw-free pairs of permutations---is needed in order to prove the existence of these functions. (See also [5] and =-=[6]-=- for further discussion of the theoretical properties of cryptographic hash functions.) Universal one-way hash functions were the tool used in order to construct a secure signature scheme. Our apparen... |

2 |
When photographs lie. Newsweek
- Alter
- 1990
(Show Context)
Citation Context ...are tamper-unpredictable. Therefore, time-stamping can help to distinguish an original photograph from a retouched one, a problem that has received considerable attention of late in the popular press =-=[1, 11]. It is in-=- fact difficult to think of any other algorithmic "fix" that could add more credibility to photographs, videos, or audio recordings than time-stamping. 8 Summary In this paper, we have shown... |

2 |
Interactive public-key cryptosystems
- Galil, Haber, et al.
(Show Context)
Citation Context ...trongest possible level of time-stamping security could be given along the lines of the definitions given by Goldwasser and Micali [9], Goldwasser, Micali, and Rivest [10], and Galil, Haber, and Yung =-=[8]-=- for various cryptographic tasks. The time-stamping and the verification procedures would all depend on a security parameter p. A time-stamp scheme would be polynomially secure if the success probabil... |

2 |
Ask it no questions: The camera can lie
- Grundberg
- 1990
(Show Context)
Citation Context ...are tamper-unpredictable. Therefore, time-stamping can help to distinguish an original photograph from a retouched one, a problem that has received considerable attention of late in the popular press =-=[1, 11]. It is in-=- fact difficult to think of any other algorithmic "fix" that could add more credibility to photographs, videos, or audio recordings than time-stamping. 8 Summary In this paper, we have shown... |

2 |
Writing the laboratory notebook, p. 117
- Kanare
- 1985
(Show Context)
Citation Context ...upted in transmission to the TSS, it could be incorrectly time-stamped when it arrives at the TSS, or it could become corrupted 1 The authors recently learned of a similar proposal sketched by Kanare =-=[14]-=-. 2 or lost altogether at any time while it is stored at the TSS. Any of these occurences would invalidate the client's time-stamping claim. Trust The fundamental problem remains: nothing in this sche... |