The ability to verify the authenticity of documents (defined broadly as any set of digitized information) in the electronic age has become more challenging at the same time it has become more needed. Documents in electronic form are everywhere in modern banking, commerce, government, law, indeed, in modern life in general. In a world where documents are created, submitted, processed, stored, considered, etc., all electronically, sometimes even in multiple locations in the “cloud” unknown to the users themselves, notary or other official seals, physical signatures, special papers and other such tools are becoming increasingly unsuitable and unreliable.
Perhaps the most common way at present to verify the authenticity of electronic documents is to use some form of digital certificate to “sign” them, which is typically accomplished using some form of asymmetric cryptography. Public key cryptography is fast enough to enable almost instantaneous certificate generation. However, there is an inherent weakness in using asymmetric cryptography to create digital signatures: Cryptographic signature keys may become compromised. Once a key has become compromised, the certificates created with that key are no longer verifiable. Since the likelihood that a key will become compromised increases over time, certificates created by using keyed cryptography are useful only for a short term.
One other common method for verification involves publication, including, for example (but not necessarily) proof of an order of receipt using a sequence value bound to the digital record. When publishing is used to make a verifiable binding, the service provider typically publishes a digital record together with a sequence value in a widely-witnessed manner, for example, in a newspaper. If the service provider commits to certain rules regarding publication, then the published content can be relied upon as having been certified by the service provider. Since no cryptographic keys are used in the publication method, the problem of key compromise is not a concern. However, the publication method is inefficiently slow and unsuitable for large document collections. Publication is realistic daily or weekly, but instant certificate creation, though demanded by the modern electronic market, is impossible.
To verify the authenticity of a certificate for a long term, and to do so efficiently, publishing-based bindings and/or multiple key signatures can be used in combination. However, since this combination approach has the disadvantages of both systems, certificates must be regularly updated, creating additional expense to maintain the validity of the bindings.
There is another fundamental problem related to concerns the properties of the sequence values themselves, typically represented as integers. To some extent, verifiable bindings between digital records and integers can be viewed by verifying parties as proof that the records did indeed receive these sequence values.
Often, however, the sequence numbers assigned to digital records do not accurately reflect the real temporal order in which records were received. Malicious service providers may assign sequence numbers to records in any order they so desire. Thus, a need has arisen to detect erroneous behavior of a service provider. The concept of numbering records can be too abstract to reflect the registration process. For example, an assertion that three records were registered before any one particular record does not provide any information about how the records were registered. One way to overcome this problem is to define the sequence value of a particular record as the set of all records preceding a particular record in the repository. Such “sequence values” represent the order of registering, but since they also record the history of the repository, they cannot be denied by the service provider. However, if each sequence value reflects the entire history of the repository, the values may become so large as to make their calculation and transmission impractical.
One way to confirm the history of a service provider is to include a cryptographic digest of all previously registered records in the digital certificate issued to the record-providing party. For example, a linear chain hash may be created by applying a cryptographic hash function to a concatenation of a newly-received record and the record received immediately prior to it. Such a method is disclosed in U.S. Pat. No. 5,136,646 to Haber et al. Cryptographic digests which are included in order certificates create causal, one-way relationships between the confirmations and thus can be used to verify their order without fear of erroneous behavior by the service provider, because any erroneous confirmation is detectable by a verifier examining the one-way causal hash chain. The sequence values created by such processes are shorter because of the use of cryptographic hash functions. However, verifying such values still requires a calculation of all records in the repository, and thus can consume significant processing resources. This process is further disadvantageous because it cannot be performed without interaction with the service provider.
When it comes to verifying the authenticity of digital documents, regardless of whether the user cares about proof of receipt order or not, most existing methods have the serious flaw that users must in some way trust some service provider at some point. In other words, even with a theoretically trustworthy verification scheme, one must then instead trust the entity that performs the verification. The alternative of publishing a digital record along with some verifying information may avoid the need for such trust, but as mentioned above, a pure publication-verification scheme is unsuitable for large collections of documents that each may need authentication for. In other words, one or both of two common problems beset known authentication schemes: either there must be some “trust authority” or the systems are not amenable to extensive scalability.