If I understand the topic of digital signatures correctly, you sign a message via hashing+encrypting it using your private key.

Then, if a private key is compromised by an attacker, she could sign stuff pretending she's you. This way, any organization that has the (even legal) power of asking you to decrypt your messages so as to prove to a court there's no evidence of illegal action in them, now has the power of signing messages that state you did things you never did.

Is there any way of attaching a computationally-hard-to-fake timestamp (not silly cleartext metadata, of course...) to a signature such that you can not only revoke a key after having been obliged to release it, but also prevent them from now signing every message they want to make it look like you wrote?

  • "you sign a message via hashing+encrypting it using your private key" -- You don't understand signatures correctly: you sign using the private key and verify with a public key, but they're only similar with one specific algorithm (RSA), and even then there are differences, and you treat signatures and encryption keys very differently. With the ECDSA used in Bitcoin, it doesn't even resemble any sort of encryption, and is *just* for signatures. The rest of the question is still valid, but you should know that "encrypt with private key" is an oversimplification of one specific signature scheme. – cpast Feb 03 '15 at 15:48
  • Just read about the [Lamport signature](http://en.wikipedia.org/wiki/Lamport_signature) and I've realized what you were trying to make me understand. Now it makes sense to me. :) – Giuseppe Crinò Feb 05 '15 at 09:01

1 Answer


The specific case of a private key being compromised is actually handled already, but you have to do it right in the first place.

The correct way to do it is to use a secure timestamp as part of the signature. These timestamps are provided by trusted third-party servers (there are several that are usable for free, provided by big names in the security business). They include a hash of the signed data and are an integral part of the digital signature (the TSA signature is applied to the timestamp, your data and your digital signature).

When your private key is compromised, you indicate the date when the revocation starts (in practice, it usually starts when you notify the CA that the key should be revoked). Any application validating a document signed with the revoked key should then compare the timestamp included with the signature with the one included with the key revocation record: anything before that date should be considered valid and anything on or after that date should be considered invalid.

That way, documents you signed before your key was compromised can still be validated safely.

  • If you sign the timestamp (and not vice versa), what's stopping an attacker from getting a real timestamp, compromising your private key at a later date, and faking the signature then with the legitimate timestamp? – cpast Feb 03 '15 at 15:52
  • Then the attacker would sign a different timestamp, one that is after the key has been revoked. In order to completely fake the signature, the attacker would also need to be able to force the trusted timestamp authority to issue and sign an invalid timestamp (one that is in the past). – Stephane Feb 03 '15 at 16:02
  • @cpast, can you explain it better? – Giuseppe Crinò Feb 03 '15 at 16:03
  • @giuscri did you read the wikipedia article I linked? It contains all the relevant information, including links to the relevant RFCs – Stephane Feb 03 '15 at 16:05
  • @Stephane What I mean is "what if the attacker creates his forged plaintext *before* compromising the key?" If I, right now, get a timestamper to timestamp "I, Stephane, give cpast all my money," and then compromise your private key in a month, you might revoke the keypair. But if I sign my message that I made today, wouldn't that show a timestamp before the revocation? – cpast Feb 03 '15 at 16:10
  • @cpast you're right. I went back and looked at [X9.95](https://en.wikipedia.org/wiki/ANSI_ASC_X9.95_Standard) and the hash used with the timestamp is of both the data and the digital signature. I'll fix my answer. Thanks. – Stephane Feb 03 '15 at 16:17
  • @Stephane, yes. Sounds cool! So, shouldn't anyone who is willing to sign his messages ask **also** for a secure timestamp? – Giuseppe Crinò Feb 03 '15 at 16:28
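The scheme the answer and the comment thread converge on (a TSA token over H(data || signature), checked against the key's revocation date), as an added example that is not part of the original answer. It uses Lamport one-time signatures from the stdlib in place of RSA/ECDSA, and a fresh one-time TSA key per token, both stand-ins chosen only to keep the demo self-contained; the names, dates and messages are constructed.

```python
import hashlib, os
from datetime import date

# Lamport one-time signatures (linked in the comments) stand in for RSA/ECDSA.
def keygen():
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(256)]
    return sk, [[hashlib.sha256(s).digest() for s in pair] for pair in sk]

def msg_bits(msg):                      # the 256 bits of SHA-256(msg)
    h = hashlib.sha256(msg).digest()
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):                      # reveal one preimage per hash bit
    return b"".join(sk[i][b] for i, b in enumerate(msg_bits(msg)))

def verify(pk, msg, sig):
    chunks = [sig[i * 32:(i + 1) * 32] for i in range(256)]
    return all(hashlib.sha256(chunks[i]).digest() == pk[i][b] for i, b in enumerate(msg_bits(msg)))

# TSA token: the date plus H(data || signature), signed by the TSA. Covering the
# signature (not just the data) is what stops a pre-made plaintext being timestamped early.
def tsa_timestamp(tsa_sk, data, sig, today):
    token = today.isoformat().encode() + b"|" + hashlib.sha256(data + sig).digest()
    return token, sign(tsa_sk, token)

def verify_document(pk, tsa_pk, data, sig, token, tsa_sig, revoked_from):
    day, digest = token.split(b"|", 1)
    if not verify(tsa_pk, token, tsa_sig):                # token really issued by the TSA
        return False
    if digest != hashlib.sha256(data + sig).digest():     # token bound to this data+signature
        return False
    if revoked_from and date.fromisoformat(day.decode()) >= revoked_from:
        return False                                      # timestamped on/after revocation
    return verify(pk, data, sig)

def demo():
    alice_sk, alice_pk = keygen()
    data, revoked_from = b"I, Alice, owe Bob nothing.", date(2015, 2, 3)
    sig = sign(alice_sk, data)
    tsa1_sk, tsa1_pk = keygen()                            # fresh one-time TSA key per token (demo only)
    tok, tok_sig = tsa_timestamp(tsa1_sk, data, sig, date(2015, 1, 10))
    # Key stolen after 2015-02-03: the thief signs a forgery and timestamps it now.
    forged = b"I, Alice, give Mallory all my money."
    fsig = sign(alice_sk, forged)                          # one-time key reused: the thief does not care
    tsa2_sk, tsa2_pk = keygen()
    ftok, ftok_sig = tsa_timestamp(tsa2_sk, forged, fsig, date(2015, 2, 5))
    legit = verify_document(alice_pk, tsa1_pk, data, sig, tok, tok_sig, revoked_from)
    forgery = verify_document(alice_pk, tsa2_pk, forged, fsig, ftok, ftok_sig, revoked_from)
    backdated = verify_document(alice_pk, tsa1_pk, forged, fsig, tok, tok_sig, revoked_from)
    return legit, forgery, backdated                       # (True, False, False)
```

The third case is the thief re-using the genuine pre-revocation token on the forgery; it fails because the token's digest also covers the original signature.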