QR Date, a trusted timestamp for real-time media - 2022-03-03

I came upon a neat concept on twitter: embedding a signed timestamp in media shared in near real time.

A tweet introducing QR Date
Archived Tweet

This inspired a series of articles; this is the first of several! In total this series will cover:

Before fully introducing it, I would like to point out some prior art.

From long before any of us were born, in the 1660's, researchers wanted to claim they had something first. Without cryptography they obscured hints that their ideas were complete as anagrams to one another.

These days, trusted timestamps are a thing, starting in 1991 by Haber and Stornetta, developing into a standard with RFC3161 in 2001, and now recently as proof of existence on the blockchain for reasons.

These solutions rely on hashing the content and then having a trusted authority sign that hash. The trusted authority never has to receive the content to certify that it had been observed at that time.

thinking-about
This allows a requestor to get a token certifying the content exists without sharing the content to anyone.
By the way, a cryptographic hash or cryptographic digest is a fixed blob of data that cannot be reversed and which others can create from the original data or content. Any party with the original data can re-create the digest, also just called the "hash", to verify that it was not modified. This is not encryption, it does not provide confidentiality.
ssssh
Time Stamping Hashes Content
Credits

In the above graphic, a Time Stamp Authority (TSA) can provide a Time Stamp Token (TST) to certify that a hash had been observed at a certain time. A fundamental requirement is that the TSA never lies about the time.

A TST's use case is to certify that the content existed as early as the timestamp in the token. This is useful for regulatory, auditing, financial, and legal uses. Read more about this topic with the ANSI X9.95 standard.

Like A Time Stamp Authority, QR Date hopes to be a trusted authority for the public to time stamp their media.

Meet QR Date

QR Code website

The author describes QR Date as:

This is QR Date, a signed timestamp inside a QR code that you can use to verify the date in (near-) realtime photojournalism, photo/video uploads and live streams.
That's cool, but does it actually solve a problem?
Or is it just a solution in search of a problem?
cool-story
beg
Take a moment to consider the context and day that I'm writing.
surprise
Last Thursday Russia invaded Ukraine.
nightmare
I saw so many shocking videos and images on twitter that I had to take a sick day. I was unable to function. I needed time away from things.
looking-ych
I saw misinformation spread before my eyes. Some of the emotional harm I experienced was because of misinformation.
Debunked Ukraine media
Some of that imagery, shocking or hopeful, has since been debunked by USATODAY.
Archived Tweet

We're seeing past events at other locations replayed to our eyes. I have never been to Ukraine, I am not equipped to assess if what I'm seeing is truth or fiction. All I can tell is the media shared is scary, it looks like it happened some where I do not know... and someone on the internet says or suggests it is happening now.

Is there a way to mark images and videos in a way where it would be difficult to replay them later as a real time event? I think this is what QR Date is trying to accomplish.

This is where QR Date's differs from prior art; TSA's TST tokens certify that a content hash was observed by a TSA at a certain date and the earliest TST can be linked to a claim about the content.
this
QR Date does not receive the content or content hash. Instead the content or media is supposed to embed the QR Date as a weak certification that the media and the trusted timestamp were collected at the same time together.
boop

Here's where the author thinks this technology can be helpful:

  1. You have a photograph or video you want to make and send to many people, rapidly.
  2. You need to prove beyond a reasonable doubt that the event or subject you are photographing happened or existed at the moment of capture.

If I want to say that I was truly writing this around 2022-03-02 01:36 UTC, then I can have the QR code in the image media somewhere.

A draft of this article with a qr code over it

And if you visited this on your phone you'd see something like this:

Valid QR Date

What if someone made their own QR code with a tampered link to the honest service? If either the signature or the date were modified, the honest service would reject a tampered url. That's where cryptography comes in; it provides message integrity, the message being the timestamp.

Invalid QR Date and Signature
If the signature were modified, it will not validate.
Invalid QR Date and Signature
If the date were modified, it will not validate.

QR Date is neat and simple; it is being designed so that another can operate their own instance with their own key.

Additionally, a specification is being created so others can create their own matching implementation. Whether this becomes some sort of web of trust or federated network, I do not know.


I do have some recommendations and areas of concern to point out, but before that I would like to cover how we can build something like this ourselves.

Up next is A deep dive into Ed25519 Signatures, where I'll go step by step in key generation to signing with OpenSSL.

This will come later! Up next is Why Digital Signature Algorithms.

panic
Whoops! I thought the next post would be A deep dive into Ed25519 Signatures, but it turns out Digital Signature Algorithms need to be introduced first! A lot of educational material elaborates asymmetric encryption, but hardly any cover signatures or Why Digital Signature Algorithms are a thing! If you haven't used RSA, ECDSA, or EdDSA signatures, I highly recommend you read this next article.
angel
Hey, the next post A deep dive into Ed25519 Signatures is out! Make sure to at least skim it to see a how Ed25519 works in action for a use case like QR Date!