
Death is... whimsical... today.

I'm not sure how you can pre-announce something in a way that cannot be later faked.

The best I can imagine is you write it in a text file and post the size / hash of the file.

steve@skx:~$ ls -l 10-march-2009
-rw-r--r-- 1 steve users 234 Jan 12 21:40 10-march-2009
steve@skx:~$ sha1sum 10-march-2009
99d1b6d625ed4c15a3be2be5fec63c17941c370d  10-march-2009
steve@skx:~$ md5sum 10-march-2009
1a0e68b8fbb3b0fe30e5b4a9413ceeec  10-march-2009

I don't need anybody to keep me honest, but I welcome interesting suggestions on more neat ways to pre-confirm you have content that hasn't been changed between being written and being released...?

I guess you could use GPG and a disposable key-pair, and then post the secret key afterward, but that feels kinda wrong too.

Update: of course you could post the detached signature. D'oh.

Shamir's Secret Sharing could be another option - posting just enough pieces of the secret to make recovery possible with the addition of one piece that was withheld until the later date. Jake wrote a nice introduction to secret sharing a couple of years ago.
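The hash-and-publish idea above, worked through as an added example (this is not code from the original post). It uses SHA-256 rather than the sha1sum/md5sum output shown, and it prefixes a random nonce to the file contents before hashing: a bare hash of a short or guessable message (a yes/no answer, a name from a short list) can be confirmed by hashing the candidates, which is why `guess_unsalted` succeeds against the unsalted digest and fails against the salted one. The sample text and the function names are constructed for this example; the digest is what gets published now, and the nonce plus the file are released on the later date.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed stand-in for the file the post describes (not the real
# 10-march-2009 contents).
PREDICTION = b"placeholder prediction text, written 12 Jan, revealed 10 Mar\n"


def commit(message: bytes, nonce: Optional[bytes] = None) -> tuple:
    """Return (commitment, nonce), where commitment = SHA-256(nonce || message).

    Publish only the commitment now; keep nonce and message until the reveal.
    The random nonce gives the scheme its hiding property: without it, anyone
    who can guess the message can confirm the guess by hashing candidates.
    """
    if nonce is None:
        nonce = secrets.token_bytes(32)
    return hashlib.sha256(nonce + message).digest(), nonce


def verify(commitment: bytes, nonce: bytes, message: bytes) -> bool:
    """Check a revealed (nonce, message) pair against the published commitment."""
    recomputed, _ = commit(message, nonce)
    return hmac.compare_digest(commitment, recomputed)


def unsalted_digest(message: bytes) -> bytes:
    """Bare hash of the message, i.e. what publishing `sha256sum file` would give."""
    return hashlib.sha256(message).digest()


def guess_unsalted(digest: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Why the nonce matters: a bare hash of a low-entropy message is recovered
    by hashing each plausible candidate and comparing. Returns the matching
    candidate, or None if no candidate produces the digest."""
    for candidate in candidates:
        if hmac.compare_digest(unsalted_digest(candidate), digest):
            return candidate
    return None


if __name__ == "__main__":
    c, n = commit(PREDICTION)
    print("publish now:  ", c.hex())
    print("reveal later: ", n.hex(), PREDICTION)
    print("verifies:         ", verify(c, n, PREDICTION))
    print("tampered verifies:", verify(c, n, PREDICTION + b"!"))
```

The salted digest proves only that whoever holds the nonce and file knew that exact content when the digest was published; it says nothing about who that was or when the file was actually written, which is what the detached signature in the update adds.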

ObFilm: Léon

Comments On This Entry

  1. Arthur de Jong
    You could also have a look at the Guy Fawkes protocol: http://www.cl.cam.ac.uk/~rja14/Papers/fawkes.pdf (but the detached signature is probably the easiest)
  2. Anonymous
    You already figured out the solution to your problem, namely detached signatures. You might have some interest in the opposite problem, as well: how to prove that you created something at a particular time, rather than creating it earlier and using a date in the future. Check out rsync.net's "warrant canary": http://www.rsync.net/resources/notices/canary.txt
  3. Karl Chen
    See http://en.wikipedia.org/wiki/Commitment_scheme for some formal theory, as you said the easy implementation is to just hash it or sign it. Using a hash proves "the data exists"; using a digital signature says "the data exists, plus you can prove I wrote it" (non-repudiation). Re proving when you wrote it, it looks like the rsync notice just uses a newspaper headline to prove they did NOT sign it in the past, which isn't very useful. Proving that you had something in the past is the realm of digital notary / digital timestamping (google for those terms).
  4. W
    Posting the hash method has already been proven not to work:
    http://www.win.tue.nl/hashclash/Nostradamus/

  5. Didier Raboud
    Hi,
    Eindhoven researchers used MD5 to prove their prior knowledge of the result of the 2008 presidentials:
    http://www.win.tue.nl/hashclash/Nostradamus/
    I would not use md5 for this. :)
    Regards, OdyX
  6. A Canuck
    A detached signature and the file hash are essentially the same thing. Another option is to use gpg to encrypt the file with a symmetric key, publish the file, and later publish the key. No need for complicated secret sharing keys.
  8. Steve Kemp

    Thanks for the feedback everybody.

    A Canuck: You're almost correct. A hash would prove, assuming that the hash wasn't broken, that somebody knew the contents of a file.

    A gpg signature tracks identity too - so that would prove that I knew the contents.

  9. David T.
    Additionally to just posting the hashes or a detached signature, you also should make sure that there is a trusted timestamp on it (see http://en.wikipedia.org/wiki/Trusted_timestamping).
  10. Steve Kemp

    Thanks David, that idea of timestamping is very interesting.

    This is going to be such an anticlimax ..

  11. Mark Wooding
    No, Shamir's secret sharing won't work as a commitment scheme. Indeed, given any `secret', and one fewer share than the threshold, you can deduce (using Lagrange interpolation in the usual way) what the remaining shares ought to be. This is fundamental to the proof of security (it implies that an adversary without enough shares has no information about the secret) and is used in proofs of higher-level protocols.
    I'm rather partial to Pedersen commitments, myself...
  12. Sotiris Tsimbonis
    Try http://www.publictimestamp.org/