Death is... whimsical... today.

Monday, 12 January 2009

I'm not sure how you can pre-announce something in a way that cannot be later faked.

The best I can imagine is you write it in a text file and post the size / hash of the file.

steve@skx:~$ ls -l 10-march-2009
-rw-r--r-- 1 steve users 234 Jan 12 21:40 10-march-2009
steve@skx:~$ sha1sum 10-march-2009
99d1b6d625ed4c15a3be2be5fec63c17941c370d  10-march-2009
steve@skx:~$ md5sum 10-march-2009
1a0e68b8fbb3b0fe30e5b4a9413ceeec  10-march-2009

I don't need anybody to keep me honest, but I welcome interesting suggestions on neater ways to pre-confirm that you hold content which hasn't been changed between being written and being released...?

I guess you could use GPG with a disposable key-pair, and then post the secret key afterwards, but that feels kinda wrong too.

Update of course you could post the detached signature. D'oh.

Shamir's Secret Sharing could be another option: post just enough pieces of the secret that recovery becomes possible with the addition of one piece that is withheld until the later date. (Strictly this is not a commitment: one share short of the threshold, every possible secret is still consistent with the published shares, as a commenter below points out.) Jake wrote a nice introduction to secret sharing a couple of years ago.
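A minimal version of the hash approach at the top of the post, as an added example (this is not the post's own code). It uses SHA-256 rather than the SHA-1/MD5 shown above, since both of those have had practical collision attacks published since 2009, and it adds a random nonce: a bare hash of a short, guessable message (a date, a name) is not hiding, because anyone can enumerate the candidates until one hashes to the published value. The sample prediction, the candidate list and the 32-byte nonce length are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple


def commit(message: bytes, nonce: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Commit to `message`; returns (nonce, commitment).

    commitment = SHA-256(len(nonce) || nonce || message). The random nonce is
    what makes the scheme hiding; the 2-byte length prefix makes the nonce/message
    split unambiguous, so one opening cannot be re-cut into a different pair.
    """
    if nonce is None:
        nonce = os.urandom(32)  # assumption: 32 random bytes is plenty
    h = hashlib.sha256()
    h.update(len(nonce).to_bytes(2, "big"))
    h.update(nonce)
    h.update(message)
    return nonce, h.digest()


def verify(commitment: bytes, nonce: bytes, message: bytes) -> bool:
    """On the reveal date, anyone holding the published commitment checks the opening."""
    _, recomputed = commit(message, nonce)
    return hmac.compare_digest(commitment, recomputed)


def bare_hash(message: bytes) -> bytes:
    """What the post publishes: a plain digest of the file, no nonce."""
    return hashlib.sha256(message).digest()


def brute_force_bare_hash(digest: bytes, candidates: List[bytes]) -> Optional[bytes]:
    """Why the nonce matters: with a guessable message space a bare digest is not
    hiding. Returns the candidate that hashes to `digest`, or None."""
    for candidate in candidates:
        if hmac.compare_digest(hashlib.sha256(candidate).digest(), digest):
            return candidate
    return None


# Constructed sample: the secret "prediction" is one of 31 guessable strings.
PREDICTION = b"10 March 2009\n"
CANDIDATES = [f"{d} March 2009\n".encode() for d in range(1, 32)]

if __name__ == "__main__":
    nonce, c = commit(PREDICTION)
    print("publish now:", c.hex(), "(and keep the nonce private until the reveal)")
    print("opening verifies:", verify(c, nonce, PREDICTION))
    print("altered file verifies:", verify(c, nonce, PREDICTION.replace(b"10", b"11")))
    # A bare hash of a guessable message leaks it; the nonced commitment does not.
    print("bare hash recovered:", brute_force_bare_hash(bare_hash(PREDICTION), CANDIDATES))
    print("nonced commitment recovered:", brute_force_bare_hash(c, CANDIDATES))
```

Publishing the file's length alongside the commitment, as the post does, is harmless but adds nothing to the binding; the digest already fixes the content.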

ObFilm: Léon


Comments On This Entry

[gravitar] Arthur de Jong

Submitted at 22:11:21 on 12 january 2009

You could also have a look at the Guy Fawkes protocol: http://www.cl.cam.ac.uk/~rja14/Papers/fawkes.pdf (but the detached signature is probably the easiest)
[gravitar] Anonymous

Submitted at 22:40:26 on 12 january 2009

You already figured out the solution to your problem, namely detached signatures. You might have some interest in the opposite problem, as well: how to prove that you created something at a particular time, rather than creating it earlier and using a date in the future. Check out rsync.net's "warrant canary": http://www.rsync.net/resources/notices/canary.txt
[gravitar] Karl Chen

Submitted at 23:35:15 on 12 january 2009

See http://en.wikipedia.org/wiki/Commitment_scheme for some formal theory, as you said the easy implementation is to just hash it or sign it. Using a hash proves "the data exists"; using a digital signature says "the data exists, plus you can prove I wrote it" (non-repudiation). Re proving when you wrote it, it looks like the rsync notice just uses a newspaper headline to prove they did NOT sign it in the past, which isn't very useful. Proving that you had something in the past is the realm of digital notary / digital timestamping (google for those terms).
[gravitar] W

Submitted at 23:47:36 on 12 january 2009

Posting the hash method has already been proven not to work:
http://www.win.tue.nl/hashclash/Nostradamus/

[gravitar] Didier Raboud

Submitted at 07:53:08 on 13 january 2009

Hi,
Eindhoven researchers used MD5 to prove their prior knowledge of the result of the 2008 presidentials:
http://www.win.tue.nl/hashclash/Nostradamus/
I would not use md5 for this. :)
Regards, OdyX
[gravitar] A Canuck

Submitted at 11:27:30 on 13 january 2009

A detached signature and the file hash are essentially the same thing. Another option is to use gpg to encrypt the file with a symmetric key, publish the file, and later publish the key. No need for complicated secret sharing keys.
[author] Steve Kemp

Submitted at 11:32:07 on 13 january 2009

Thanks for the feedback everybody.

A Canuck: You're almost correct. A hash would prove, assuming that the hash wasn't broken, that somebody knew the contents of a file.

A gpg signature tracks identity too - so that would prove that I knew the contents.

[gravitar] David T.

Submitted at 12:17:26 on 13 january 2009

Additionally to just posting the hashes or a detached signature, you also should make sure that there is a trusted timestamp on it (see http://en.wikipedia.org/wiki/Trusted_timestamping).
[author] Steve Kemp

Submitted at 12:23:23 on 13 january 2009

Thanks David, that idea of timestamping is very interesting.

This is going to be such an anticlimax ..

[gravitar] Mark Wooding

Submitted at 18:01:17 on 13 january 2009

No, Shamir's secret sharing won't work as a commitment scheme. Indeed, given any 'secret', and one fewer share than the threshold, you can deduce (using Lagrange interpolation in the usual way) what the remaining shares ought to be. This is fundamental to the proof of security (it implies that an adversary without enough shares has no information about the secret) and is used in proofs of higher-level protocols.
I'm rather partial to Pedersen commitments, myself...
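Mark Wooding's point, worked through in code. This is an added example and not code from the post or from any commenter: a textbook Shamir (t, n) split over GF(p) with p = 2^127 - 1 (my choice of field), Lagrange recovery, and a forge_share function showing that whoever holds t-1 shares can compute a t-th share that makes reconstruction yield any secret they choose. The secrets and share counts are constructed for the demo.

```python
import secrets
from typing import List, Tuple

P = 2**127 - 1  # Mersenne prime (assumed field); all share arithmetic is mod P
Share = Tuple[int, int]


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split(secret: int, n: int, t: int) -> List[Share]:
    """Shamir (t, n) split: the secret is the constant term of a random degree t-1 polynomial."""
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def interpolate_at(points: List[Share], x0: int) -> int:
    """Lagrange: value at x0 of the unique polynomial of degree < len(points) through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def recover(shares: List[Share]) -> int:
    """Reconstruct the secret from any t shares: the polynomial's value at x = 0."""
    return interpolate_at(shares, 0)


def forge_share(known: List[Share], x_new: int, desired_secret: int) -> Share:
    """Why t-1 published shares commit the publisher to nothing.

    The t-1 known points plus (0, desired_secret) pin down a unique polynomial of
    degree t-1; its value at x_new is a share that makes the t-share reconstruction
    return desired_secret. Any secret at all can be "revealed" this way.
    """
    if x_new == 0 or any(x == x_new for x, _ in known):
        raise ValueError("x_new must be a fresh, non-zero x-coordinate")
    points = [(0, desired_secret % P)] + list(known)
    return (x_new, interpolate_at(points, x_new))


if __name__ == "__main__":
    real, other = 20090310, 20090311  # constructed: the honest claim vs. a later substitute
    shares = split(real, n=5, t=3)
    print("honest recovery:", recover(shares[:3]) == real)
    published = shares[:2]  # the post's idea: publish t-1 shares, withhold the last
    forged = forge_share(published, x_new=3, desired_secret=other)
    print("published shares + forged third share recover:", recover(published + [forged]))
```

The forged share differs from the genuine third share, but a verifier who only ever saw the two published shares has no way to tell; that is exactly the perfect-secrecy property Mark describes, turned against the person trying to use it as a commitment.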
[gravitar] Sotiris Tsimbonis

Submitted at 09:41:37 on 15 january 2009

Try http://www.publictimestamp.org/


Comments are closed on posts which are more than ten days old.
