Repository files navigation

Victor, familiar name in cryptography to denoteVERIFIER,serves to publicly timestamp hash fingerprints of files.

We may need to certify that a document existed on aparticular date (e.g. for copyright or patent purposes).If the certification process can take place publiclythat would certainly add veracity to the matter.GitHub can be used to perform as a trusted timestamping service.

A git repository is designed in such a way that it isimpossible to change a single bit of its content withoutthat change becoming apparent in the commit identifiers(SHA-1). The explicit time of a commit is recorded by git,although it relies on the accuracy of the system's local clock.

Thevictor repository is used as follows:

• User produces an one-way hash of a document, say, using SHA-256.
• That hash is posted at a reliable public site ("Marker"),e.g. in a Bitbucket snippet or Twitter tweet with permalink.
• That joint information is committed under thetime/YYYY directory.
• Anyone can thenverify the date and time of said hashvia the commit identifier.
• The commit ID is finally embedded into a distributed ledger,i.e. a public blockchain (e.g. Bitcoin), for another timestamp.

The virtue of this protocol is that the document itselfis not stored within this repository. The user does notneed to reveal the content of the document (privacy)since the hash digest will cryptographically suffice.

Clearly the repository will not be large in sizesince the documents themselves are not stored(unless they serve to authenticate the timeline).The data is centrally backed up, but if this repository isdistributed among many users, it can be securely reconstituted(not necessarily at GitHub).

If a challenge occurs to a particular timestamp, one couldin principle get testimony from originators of the previous andfollowing documents: for the correct time must be sandwichedin-between them. Email addresses are used at GitHub to attributework done in a repository. However, cross-validationusing the URL addresses of where the hash codes were publishedshould serve as evidence against collusion and faked timestamps.

One may think of this repository as a collective unionsigning the public timeline of hash commits.The strict relative history of commits and git's cryptographichash of those commits, together with open verification,are the essence of this project.

You can also contribute by periodically adding a hash ofvictor's last state to a blockchain for another source ofindependent timestamping.New in v2: every victor commithash can be embedded into theBitcoin blockchainautomatically by incorporating the post-commit hookposted inbin -- free of charge!

Alice has just finished her 404-page novel,and would like to register its date before sendingit off to nine publishers for review.There is also a high-resolution image she wouldlike to see on the front cover.

I, Alice Example of Los Angeles, thereby record the SHA-256 digest of my novel, Unsolved Disappearances:d98722c626307fb00e728ba2ff246b7dd91b932a1e872f19a42dedee3058cc8aand a photo of my college friends:f9c8cda5be4787626905f39e2d73ca4fe9615aeb607375683921595d3bb21cc0on this day, Wed Nov  4 16:01:40 PST 2015.

She would like her notice to be posted on some reputable website,so she makes public the following:https://bitbucket.org/snippets/rsvp/bRxRAwhich will date Alice's notice independently of her stated claim.

To strength the evidence of her authorship and completion date,she goes to Victor and makes a pull request of her original noticewith added mention of theMarker site.Alice has been authenticated by GitHub, so Victor mergesinto thetime/2015 directory, resulting in:https://github.com/rsvp/victor/commit/ebe6e6b715089430017a03f2615722f1bb29da49

So now we have two more additional sources for the timeline:Victor's machine and the system time at a central repository.In fact, Alice has even stronger evidence because her commit issandwiched among other authenticated users with an ordered trail ofthird-party markers publicly open for verification.

The design ofgit as version control software places Alice'smarker notice in a DAG, directed acyclic graph,with an unique immutable SHA-1 commitidentifier:ebe6e6b715089430017a03f2615722f1bb29da49which will reveal not only various date sources but alsothe hash signatures of her original works.That identifier would serve as a superb reference code inAlice's communication with her prospective publishers.

As a bonus, Alice had installed the post-commit hookfound in Victor's bin -- which embedded her committimestamp in another blockchain, Bitcoin -- freeof charge:

 ::  hooks/post-commit: ebe6e6b715089430017a03f2615722f1bb29da49 to BLOCKCHAIN.{"hash_sha256":"ebe6e6b715089430017a03f2615722f1bb29da49","created_at":"2015-11-05T01:10:15.648Z", "updated_at":"2015-11-05T01:10:15.648Z","submitted_at":null,"title":null} ::  http://www.originstamp.org/s/ebe6e6b715089430017a03f2615722f1bb29da49[develop ebe6e6b] Add 2015-11-05-example.txt only as illustrative marker

Thus we have another verifiable public markerhttp://www.originstamp.org/s/ebe6e6b715089430017a03f2615722f1bb29da49which not only dated Alice's commit in real time, but alsowill report back hours later on the blocktime, the timeof the confirmed Bitcoin transaction embedding her commit identifier.

In effect, Alice's signed work ispermanently on the Bitcoin blockchain.And just in case, for all the world to witness, a tweet isautomatically posted (discretely) regarding this event:https://twitter.com/OriginStamp/status/662074416113799168which would constitute the seventh timestamp!

Victor's protocol permits a timestamp to become trustworthyby the chained integrity of multiple independent sources of evidencewhich are publicly verifiable.Alice did not necessarily have to reveal the full contentsof her novel to the world, but the means to authenticateit resides in one string preserved in many backed upcopies of the openvictor repository.

• Trusted timestamping:https://en.wikipedia.org/wiki/Trusted_timestampingsee esp.ANSI ASC X9.95 StandardandLinked timestamping.

• Bela Gipp, N. Meuschke, and A. Gernandt. "Decentralized Trusted Timestampingusing the Crypto Currency Bitcoin," inProceedings of the iSchools iConference,Newport Beach, CA, USA,March 2015orarXiv:1502.04015 cs.CR[implemented in victor v2 post-commit hook].

• Bruce Schneier,Applied Cryptography, 1996 second edition, see esp. chapter 4.1.

Timestamps based on the X9.95 standard can be used to provide [victor comments]:

• Authenticity: trusted, non-refutable time when data was digitally signed.[victor presumes GitHub and markers use trusted time sources, e.g. NIST.Note that victor does not hash or check the original document itself,that's the committer's responsibility.]

• Integrity: protection of the timestamp from tampering without detection.[victor relies on the git's hash tree structure for integrity.]

• Timeliness: proof that the time of the digital signature was the actual time.[victor timeline provides excellent approximation.]

• Evidentiary trail of authenticity.[A document's hash and a time Marker jointly produces another hash,git's commit identifier.]

"Linked timestamping creates tokens [markers]which are dependent on each other, entangled into someauthenticated data structure [git hash tree by GitHub users].Later modification of issued timestamps would invalidate this structure.Temporal order of issued timestamps is also protected by this data structure,making backdating of the issued timestamps impossible,even by the issuing server itself."

Summary:The issued timestamps fromvictor are in factGit commit identifiers. By examining the git log,the secure hash and signatory information of the original document can berecovered along with verifiable date and time of the entries.

Shortcut to this page:https://git.io/victor | Revision date : 2018-01-02