如何为一份数字文件盖上时间戳

The prospect of a world in which all text, audio, picture, and video documents are in digital form on easily modifiable media raises the issue of how to certify when a document was created or last changed.

We propose computationally practical procedures for digital time-stamping of such documents so that it is infeasible for a user either to back-date or to forward-date his document, even with the collusion of a time-stamping service. Our procedures maintain complete privacy of the documents themselves, and require no record-keeping by the time-stamping service.

In many situations there is a need to certify the date a document was created or last modified.

[Paper documents can be dated by forensic signs in the medium; digital data has no such physical trace. A digital time-stamping scheme must instead bind the date to the bits of the document, while revealing nothing about the document's contents — the service should never need to see the document, only a hash of it.]

A client computes a hash y = h(D) of the document D and sends only y to the time-stamping service (TSS). For the n-th request the TSS issues a signed certificate that records the sequence number, the time, the client's identifier, and the hash — together with linking information that ties this certificate to the previous one.

[In our notation the certificate is C(n) = (n, t(n), ID(n), y(n); L(n)), where the linking information L(n) = (t(n−1), ID(n−1), y(n−1), H(L(n−1))) carries a hash of the previous certificate's link. The hash values of documents submitted to the service are thereby chained together in a linear list into which nothing can feasibly be inserted or substituted, and from which nothing can feasibly be deleted.]

Anyone challenging the time on a certificate can ask its issuer to produce the certificates of the clients who came just before and just after; the temporal order is enforced by the chain itself, so the service cannot back-date a document without rewriting every certificate that followed.

[In the random-witness solution, several members of the client pool must date and sign the hash value; their signatures form a composite certification that the time-stamp request was witnessed. These witnesses are chosen by a pseudorandom generator seeded with the hash of the document itself, which makes it infeasible to deliberately choose which clients will and will not act as witnesses — so no single service need be trusted.]