[148126] in cryptography@c2.net mail archive
Re: [Cryptography] [cryptography] NIST Randomness Beacon
daemon@ATHENA.MIT.EDU (Jerry Leichter)
Mon Nov 11 23:35:45 2013
X-Original-To: cryptography@metzdowd.com
From: Jerry Leichter <leichter@lrw.com>
In-Reply-To: <E1Vg0to-0006u5-MH@login01.fos.auckland.ac.nz>
Date: Mon, 11 Nov 2013 22:03:52 -0500
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: cypherpunks@cpunks.org, cryptography@metzdowd.com, warren@kumari.net,
cryptography@randombit.net, andrew@acooke.org
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Nov 11, 2013, at 6:28 PM, Peter Gutmann wrote:
>> I've often wondered if there is a clever way to do the inverse -- basica=
lly
>> to have a "latest" timestamp? This seems like a much harder problem -- 'm
>> looking for a "movie plot" type solution that the public can easily
>> understand=85
> =
> You could do it with a physical one-way function. Take a photo of the vi=
ctim
> on top of the WTC and you know that it can't have been occurred after 9/1=
1. To
> generalise it, photograph the victim in front of some documented object a=
nd
> then destroy the object....
Seems awfully complicated. The only role the destruction of that physical =
object plays is that it's a widely observed event whose time of occurrence =
everyone can agree on. But it's not hard to *manufacture* such events compl=
etely in digital. What you need is a timed public commitment to something =
that is inextricably tied to whatever it is whose existence at a particular=
time you want to authenticate. For example, suppose you want to show that =
you wrote some document by midnight tonight. If you can arrange to publish=
the hash of the document to a wide audience before midnight tonight, you c=
ould always show the document, and anyone can compute the hash and check th=
e publication record.
In fact, a team at (I think) Bell Labs came up with a "digital notary" serv=
ice that did exactly this, in an efficient way. It combined the values sen=
t to it into a public Merkle tree, and once a day, published the current ro=
ot hash in an ad in the New York Times. That service seems to have vanishe=
d (and the phrase "digital notary" seems to have been re-applied to somethi=
ng else). But there are a number of "time-stamping" protocols, and a RFC (=
3161), an ANSI standard (X9.95), and ISO/IEC standard (18014) for different=
kinds of timestamps. See http://en.wikipedia.org/wiki/Trusted_timestampin=
g for a discussion of the general issue; http://en.wikipedia.org/wiki/Linke=
d_Timestamping has a discussion of the style of timestamp I mentioned (ther=
e are other ways to accomplish the same ends) along with a photo of a newsp=
aper showing a daily commitment.
(The particular system I was describing is probably described in this paper=
: http://link.springer.com/article/10.1007%2FBF00196791)
-- Jerry
-- Jerry
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography