
Death is... whimsical... today.

12 January 2009 21:50

I'm not sure how you can pre-announce something in a way that cannot be later faked.

The best I can imagine is you write it in a text file and post the size / hash of the file.

steve@skx:~$ ls -l 10-march-2009
-rw-r--r-- 1 steve users 234 Jan 12 21:40 10-march-2009
steve@skx:~$ sha1sum 10-march-2009
99d1b6d625ed4c15a3be2be5fec63c17941c370d  10-march-2009
steve@skx:~$ md5sum 10-march-2009
1a0e68b8fbb3b0fe30e5b4a9413ceeec  10-march-2009

I don't need anybody to keep me honest, but I welcome interesting suggestions on more neat ways to pre-confirm you have content that hasn't been changed between being written and being released...?

I guess you could use GPG and a disposable key-pair, and then post the secret key afterward, but that feels kinda wrong too.

Update: of course you could post the detached signature. D'oh.

Shamir's Secret Sharing could be another option - posting just enough pieces of the secret to make recovery possible with the addition of one piece that was withheld until the later date. Jake wrote a nice introduction to secret sharing a couple of years ago.

ObFilm: Léon
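The hash approach above, worked through as a small commitment scheme. This is an added example, not code from the post or from any of the commenters. It uses SHA-256 rather than the MD5/SHA-1 shown in the shell session, and it adds a random 32-byte nonce in front of the content: the bare hash is binding (you cannot later swap the file) but it is not hiding when the content has only a handful of plausible values, because anyone can hash each candidate and compare. The sample prediction strings are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple

NONCE_LEN = 32  # fixed length, so nonce || message parses unambiguously


def commit(message: bytes, nonce: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Produce a commitment to `message`.

    Publish the returned digest now; keep `message` and `nonce` private until
    the reveal date. A fresh random nonce keeps the commitment hiding even
    when the message is short or has only a few plausible values.
    """
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be exactly %d bytes" % NONCE_LEN)
    return hashlib.sha256(nonce + message).digest(), nonce


def verify(commitment: bytes, message: bytes, nonce: bytes) -> bool:
    """Check a revealed (message, nonce) pair against the published digest."""
    if len(nonce) != NONCE_LEN:
        return False
    expected = hashlib.sha256(nonce + message).digest()
    return hmac.compare_digest(commitment, expected)


def bare_hash(message: bytes) -> bytes:
    """The scheme in the post: hash the file with no nonce."""
    return hashlib.sha256(message).digest()


def guess_bare_hash(commitment: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Try each candidate message against a nonce-less commitment.

    When the set of plausible messages is small this recovers the content
    before the reveal date: the bare hash is binding but not hiding.
    """
    for candidate in candidates:
        if hmac.compare_digest(bare_hash(candidate), commitment):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: a prediction with only two plausible values.
    prediction = b"Party A wins"
    candidates = [b"Party A wins", b"Party B wins"]

    # Bare hash: the published digest alone gives the prediction away.
    print("bare hash guessed:", guess_bare_hash(bare_hash(prediction), candidates))

    # Nonce-based commitment: publish c now; reveal (prediction, nonce) later.
    c, nonce = commit(prediction)
    print("commitment:", c.hex())
    print("opens correctly:", verify(c, prediction, nonce))
    print("tampered message rejected:", not verify(c, b"Party B wins", nonce))
```

Publishing the nonce-based digest answers the "cannot be faked later" requirement in the post; a detached signature over the same digest adds identity (non-repudiation) on top, and a trusted timestamp on the digest is what pins down when it was made.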



Comments on this entry

Arthur de Jong at 22:11 on 12 January 2009
You could also have a look at the Guy Fawkes protocol: http://www.cl.cam.ac.uk/~rja14/Papers/fawkes.pdf (but the detached signature is probably the easiest)
Anonymous at 22:40 on 12 January 2009
You already figured out the solution to your problem, namely detached signatures. You might have some interest in the opposite problem, as well: how to prove that you created something at a particular time, rather than creating it earlier and using a date in the future. Check out rsync.net's "warrant canary": http://www.rsync.net/resources/notices/canary.txt
Karl Chen at 23:35 on 12 January 2009
See http://en.wikipedia.org/wiki/Commitment_scheme for some formal theory; as you said, the easy implementation is to just hash it or sign it. Using a hash proves "the data exists"; using a digital signature says "the data exists, plus you can prove I wrote it" (non-repudiation). Re proving when you wrote it, it looks like the rsync notice just uses a newspaper headline to prove they did NOT sign it in the past, which isn't very useful. Proving that you had something in the past is the realm of digital notary / digital timestamping (google for those terms).
W at 23:47 on 12 January 2009
Posting the hash method has already been proven not to work:
http://www.win.tue.nl/hashclash/Nostradamus/

Didier Raboud at 07:53 on 13 January 2009
Hi,
Eindhoven researchers used MD5 to prove their prior knowledge of the result of the 2008 presidentials:
http://www.win.tue.nl/hashclash/Nostradamus/
I would not use md5 for this. :)
Regards, OdyX
A Canuck at 11:27 on 13 January 2009
A detached signature and the file hash are essentially the same thing. Another option is to use gpg to encrypt the file with a symmetric key, publish the file, and later publish the key. No need for complicated secret sharing keys.
Steve Kemp at 11:32 on 13 January 2009

Thanks for the feedback everybody.

A Canuck: You're almost correct. A hash would prove, assuming that the hash wasn't broken, that somebody knew the contents of a file.

A gpg signature tracks identity too - so that would prove that I knew the contents.

David T. at 12:17 on 13 January 2009
Additionally to just posting the hashes or a detached signature, you also should make sure that there is a trusted timestamp on it (see http://en.wikipedia.org/wiki/Trusted_timestamping).
Steve Kemp at 12:23 on 13 January 2009

Thanks David, that idea of timestamping is very interesting.

This is going to be such an anticlimax ..

Mark Wooding at 18:01 on 13 January 2009
No, Shamir's secret sharing won't work as a commitment scheme. Indeed, given any 'secret', and one fewer share than the threshold, you can deduce (using Lagrange interpolation in the usual way) what the remaining shares ought to be. This is fundamental to the proof of security (it implies that an adversary without enough shares has no information about the secret) and is used in proofs of higher-level protocols.
I'm rather partial to Pedersen commitments, myself...
Sotiris Tsimbonis at 09:41 on 15 January 2009
Try http://www.publictimestamp.org/
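Mark Wooding's objection to the secret-sharing idea, carried through in code. This is an added example written for this page, not Mark's code and not Steve's. It implements plain Shamir sharing over a prime field, then shows the problem from the committer's side: with k-1 shares published, the point (0, any_secret_you_like) plus those shares determines a unique polynomial, so the "withheld" share can be computed after the fact to open to whatever secret is convenient. The field prime and the sample secret values are my choices; nothing here is binding, which is exactly why it fails as a commitment.

```python
import secrets
from typing import List, Tuple

P = 2**61 - 1  # Mersenne prime; all arithmetic is in GF(P)

Share = Tuple[int, int]  # (x, f(x))


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation; coeffs[0] is the constant term f(0)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def make_shares(secret: int, k: int, n: int) -> List[Share]:
    """Split `secret` into n shares, any k of which recover it."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def interpolate(points: List[Share], x: int) -> int:
    """Lagrange interpolation: value at x of the unique polynomial
    of degree < len(points) that passes through `points`."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def recover(shares: List[Share]) -> int:
    """Recover the secret as f(0) from at least k shares."""
    return interpolate(shares, 0)


def forge_missing_share(published: List[Share], claimed_secret: int, missing_x: int) -> Share:
    """Given k-1 published shares and any secret at all, compute the one
    withheld share that makes the full set open to that secret.

    The k-1 shares plus (0, claimed_secret) fix a unique degree-(k-1)
    polynomial, so its value at missing_x is the share that 'proves' the
    alternative secret. This is the perfect-secrecy property of the scheme
    (k-1 shares carry no information about the secret), and it is also why
    publishing k-1 shares commits the publisher to nothing.
    """
    points = [(0, claimed_secret % P)] + list(published)
    return (missing_x, interpolate(points, missing_x))


if __name__ == "__main__":
    k, n = 3, 4
    original = 20090310  # constructed sample secret
    shares = make_shares(original, k, n)
    published, withheld = shares[:k - 1], shares[k - 1]

    print("honest opening:", recover(published + [withheld]))
    forged = forge_missing_share(published, 4242, withheld[0])
    print("forged opening:", recover(published + [forged]))
```

Because two distinct polynomials of degree at most k-1 can agree on at most k-1 points, and the honest and forged polynomials already agree on the k-1 published shares, they must differ at the withheld x: the forged share is always different from the honest one, and always consistent. Pedersen commitments, which Mark mentions, fix this by binding the committer to a value in a way that interpolation cannot undo.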