Proof of authenticity (POA) using the bitcoin blockchain

[wolciph]

The purpose of the following method and script is to permit one to provide a proof of the authenticity of a document, that is prove that a document is the original version, that it has not been altered since it's first publication.
This can have several uses, such as proving authorship, or preventing an adversary from spreading disinformation or confusion about for instance the date and location of an event (e.g. if "Anonymous" wishes to coordinate a DDOS attack). Another example which triggered my interest in this is that of Breivik's manifesto of which some decided to spread altered versions in order to make the original message difficult to find and spread. (note: I do not support Breivik; I am merely providing a method that can help all people, regardless of their intention. In the end, this method benefits the Truth.)

The idea is to insert a hash of a document in a block before publishing said document. Then, as the blockchain grows, it becomes increasingly difficult to modify this block and the hash it contains, thus providing a cryptographic proof that this exact document existed at a certain point in time.
So, in order to be able to prove a document of mine is authentic I would first have to publish it's hash in the blockchain and then wait a sufficient amount of time for two things:
 - that the blockchain has grown sufficiently that modifying the block of my hash has become infeasible;
 - and more importantly, that enough time had elapsed that there would be no doubt in the eyes of my public that the document was not publicly available at the time I inserted the hash.
 Thus, depending on the situation, waiting weeks or months after insertion of the hash may be necessary before publishing.

Technically, there are several ways of inserting a hash in the blockchain.
One would be to send transactions of amounts which, once concatenated, would form the hash. This method is somewhat impractical.
Another is to generate a "false" bitcoin address formed from the hash and to send a small amount of bitcoins to it (e.g. one satoshi). This is the method implemented in my script.
Yet another would be to instead generate the bitcoin private key from the hash, by using it as seed for the pseudo-random number generator for instance, and later disclosing this private key to enable verification.

[1714108925]

1714108925

[1714108925]

1714108925

[1714108925]

1714108925

[1714108925]

1714108925

[1714108925]

1714108925

[wolciph]

I can already hear the screams of "Satoshi intended the bitcoin blockchain for bitcoin transfer only" and the like but once again I am merely providing a tool which you may or may not use at your own discretion. There is also no blockchain more secure than that of bitcoin and I am afraid that a blockchain specifically for the purpose of POA may never catch on and never be secure enough against powerful adverseries. Anyhow, I do not see this method being used on a daily basis by many so it would not pose much risk of overloading the network, especially given the need for transaction fees.


Bellow, is a bash script which enables creation and verification of a bitcoin POA.
It requires the original bitcoin client running as a daemon for creation of a POA and Gavin Andresen's dbdump.py (https://github.com/gavinandresen/bitcointools/tree/45f5c0030ac9a121fff504b0ffd27efc27423bde) for verification.

Code:

#!/bin/bash
#bitpoa: Bitcoin blockchain based proof of authenticity
#Author: Wolciph
#Public domain, use at your own risk
set -e

#config:
interactive=1
hashAlgo=sha256
amount=0.00000001
fee=0.0001
keyType=pk
infoFile='info.poa'

bitcoind=~/bitcoind
bitcoinDir=~/.bitcoin/
dbdump=~/bitcointools/dbdump.py

cd "$(dirname "$0")"
. addrgen.so.bash
#. bitpoa.conf
cd - >/dev/null

_tries=5
get_transaction_block() #(txid)
{
	#workaround to access block of transaction:
	local c=$($bitcoind getblockcount)
	local b=$($bitcoind gettransaction $1 |
		grep -m1 '"confirmations" :' |
		sed -r 's/^.*"confirmations" : ([0-9]*).*$/\1/g';
		[[ ${PIPESTATUS[@]} = '0 0 0' ]])
	local c2=$($bitcoind getblockcount)
	if (( $c2 == $c )); then echo $((c - b + 1))
	elif (( _tries > 0 )); then ((_tries--)); get_transaction_block
	else 
		echo "Cannot get stable blockcount. Wait until your blockchain is up\
		to date and try again." >&2
		return 2
	fi
}
get_field() #(field)
{
	grep -m1 "^$1:" | sed -r "s/^$1:(.*)$/\1/g"
	[[ ${PIPESTATUS[@]} = '0 0' ]]
}

check_pipes() { [[ "${PIPESTATUS[@]}" =~ ^0(\ 0)*$ ]]; }

help="bitpoa Bitcoin blockchain proof of authenticity tool:
Examples:
  These tasks require the bitcoin server to be active:
    Creation: $0 -cf document.txt -i info.poa -a sha256 -A 0.00000001
    Finding the block: $0 -b -i info.poa
  This task requires the bitcoin server to be stopped:
    Verifying: $0 -vf document.txt -i info.poa
Commands:
	-c, --create : create and send _amount_ coins to a new address
	-b, --find-block : find the block in which the new transaction is to
		complete the info file
	-v, --verify : verify a POA
	-f, --file= : file from which to create a hash
	-i, --info-file= : info file to read or write info for checking the POA
	-h, --hash : do not hash the file (to use if it already is a hash)
	-a, --algo= : the hashing algorithm; uses openssl
	-y, --assume-yes : do not prompt before critical operations, non-interactive
	-s, --secret-key : use hash in the private key (NOT IMPLEMENTED)
	-A, --amount= : amount of bitcoins to send (WILL BE LOST FOREVER!!!)
	-F, --fee= : transaction fee
"
#------------------

OPTS=$(getopt -o cvbf:i:ha:yA:F: \
	--long create,verify,find-block,file:,info-file:,hash,algo:,assume-yes,help,amount,fee\
	-n "$0" -- "$@")
if [ $? != 0 ]; then echo "Terminating. Use --help for help." >&2; exit 1; fi
eval set -- "$OPTS"
while true; do
	case "$1" in
		-c|--create) action=create; shift;;
		-v|--verify) action=verify; shift;;
		-b|--find-block) action=findBlock; shift;;
		-f|--file) file="$2"; shift 2;;
		-i|--info-file) infoFile="$2"; shift 2;;
		-h|--hash) hash=1;; #the file cointains the hash
		-a|--algo) hashAlgo="$2"; shift 2;; #first round (followed by ripemd160)
		-y|--assume-yes) interactive=0; shift;;
		-s|--secret-key) keyType=sk; shift;;
		-A|--amount) amount=$2; shift 2;;
		-F|--fee) txfee=$2; shift 2;;
		--help) printf "%s" "$help" >&2; exit 0;;
		--) shift; break;;
		*) echo "Invalid argument: $1. Use --help for help." >&2; exit 1;;
	esac
done
[ -n "$1" ] && { echo "Unknown extra argument: $1" >&2; exit 1; }
[ -z "$action" ] && { echo 'No action specified (-c|-v|-b)' >&2; exit 1; }

if [[ $action = findBlock ]]; then
	txid="$(get_field txid < $infoFile)"
	block=$(get_transaction_block $txid)
	printf "%s\n" "block:$block" >> $infoFile
	exit 0
fi

if [[ "$hash" = '1' ]]; then 
	hash=$(cat "$file")
else
	hash=$(cat "$file" | openssl dgst -$hashAlgo -hex; [[ ${PIPESTATUS[@]} = '0 0' ]];) ||
	{ echo "Error while hashing using $hashAlgo. Exiting." >&2; exit 1; }
fi

if [[ $keyType = pk ]]; then
	h=$(xxd -p -r <<< "$hash" | openssl dgst -rmd160)
	address=$(hash160ToAddress $h)
else
	exit 1
	#use hash as seed for prng?
fi

if [[ $action = 'create' ]]; then
	printf "%s\n%s\n%s\n" "file:$file" "algo:$hashAlgo" "address:$address" > $infoFile
	cmd="$bitcoind -paytxfee=$txfee sendtoaddress $address $amount"
	if [[ $interactive = '1' ]]; then
		echo "Warning: $amount bitcoins will be lost forever." >&2
		printf '%s\n%s\n%s\n' "The following command is about to be sent to the bitcoin daemon:"\
		"$cmd" "Make sure it is running. Proceed? (y/n)" >&2
		read r
		[[ "$r" =~ ^y(es?)?$ ]] || exit 0
	fi
	echo -n 'txid:' >> $infoFile
	eval $cmd >> $infoFile
	if [[ $interactive = '1' ]]; then
		printf "%s%s\n" 'You must now wait for the transaction to be '\
		"integrated into a new block before launching $0 -b [...]" >&2
	fi
elif [[ $action = 'verify' ]]; then
	address2="$(get_field address < $infoFile)"
	if [[ "$address2" != "$address" ]]; then 
		printf "%s\n" "FAILURE: The address is incorrect (should be $address)!" >&2
		exit 5
	fi
	block=$(get_field block < $infoFile)
	blockInfo="$($dbdump --block=$block)"
	if ! (grep -m1 "pubkey: $address" <<< "$blockInfo"); then
		echo "FAILURE: The address is correct but does not appear in the given block!" >&2
		exit 6
	fi
	echo "The address is correct and was published in the blockchain at around:"
	grep -m1 '^Time: ' <<< "$blockInfo" | sed -r 's/Time: (.*) Nonce:.*$/\1/'
fi

Usage examples:

Code:

  These tasks require the bitcoin server to be active:
    Creation: ./bitpoa.bash -cf document.txt -i info.poa -a sha256 -A 0.00000001
    Finding the block: ./bitpoa.bash -b -i info.poa
      (for creation, a second step must be taken to find the block of the transaction in order to speed up verification)
  This task requires the bitcoin server to be stopped:
    Verifying: ./bitpoa.bash -vf document.txt -i info.poa

[wolciph]

I would like to thank Grondilu for his bash library (I guess we could call it that) for generating bitcoin addresses.

Here is a bitpoa info file for the script, that I just made for testing purposes:

Code:

file:bitpoa.bash
algo:sha256
address:1Dga4BiLThvbFeA7b2sxzQx2G85uCk67kr
txid:9209f8bfaa967cf2530a6a708ac12b370615ca4e4d5242e8bc28261f12522bce
block:142683

You can check it with

Code:

bitpoa -v -f bitpoa.bash -i bitpoa.bash.poa

where bitpoa.bash.poa is this info file. But it may not work if you copy/paste due to tabbing (yes, I know: tabs are evil) and newlines. However, it should work with the file provided in the archive below.
(blockexplorer link: http://blockexplorer.com/address/1Dga4BiLThvbFeA7b2sxzQx2G85uCk67kr)

Megaupload link to an archive containing the script, grondilu's script and Gavin Andresen's tools: http://www.megaupload.com/?d=BR470E20
(sha256sum: 76ee03f4dc494af8fe16d0340679803eeb745394dbb97d1e1e96c8ebe3d5db2a  bitpoa.tar.gz)

Sorry for multiple posts but I'm having problems sending it all in one chunk.

[theymos]

There's a very easy way to do this without any program:

First, SHA-1 the data you want to timestamp (or RIPEMD-160, or SHA-256 and truncate to 160 bits). Then use this to turn it into an address:

http://blockexplorer.com/q/hashtoaddress/putHashHere

Then, send any amount of BTC to the returned address. (If you modify Bitcoin, it's actually possible to create a transaction that sends 0 BTC to an address, which would also work. Then you don't have to destroy BTC.)

Finally, you can see the timestamp here:

http://blockexplorer.com/q/addressfirstseen/timestampAddress

[ArtForz]

nice hack, but innovative?
https://bitcointalk.org/index.php?topic=24605.0

[wolciph]

I did do a quick search before posting but didn't find anything.
Well, anyhow, my implementation still has the advantage of being automated and not relying on trust in blockexplorer I guess.

[Sukrim]

You can do this on your own offline as well.

[Frozenlock]

Just so you know, I used this in a real life situation.

I just moved in a new apartment. The previous occupant obviously left a window opened and it rained inside. Now part of the floor is ugly.



I told the owner about it, but I still want to keep a proof that I didn't do it. (What if he dies? Did he wrote somewhere the floor is in this state?)

Instead of "hoping" nothing bad happens, I took some pictures, zipped them, got the SHA-1 and sent 0.01 BTC to the equivalent address.

Here is the official time-stamp that will protect my ass if I ever need to: http://blockexplorer.com/q/addressfirstseen/1Lx3wYgWJJ6Rxj3EyXf8riMFd9SCZNVFzD

[ElectricMucus]

A more automated way to accomplish this would be nice.
Lets do this

[molecular]

A more automated way to accomplish this would be nice.
Lets do this

the service could safe-keep the data itself, too (just in case the customer misplaces it) and help with providing expert witnesses for use in court.

[bitcool]

Just so you know, I used this in a real life situation.

I just moved in a new apartment. The previous occupant obviously left a window opened and it rained inside. Now part of the floor is ugly.

http://img8.imageshack.us/img8/8408/dsc01021mf.jpg

I told the owner about it, but I still want to keep a proof that I didn't do it. (What if he dies? Did he wrote somewhere the floor is in this state?)

Instead of "hoping" nothing bad happens, I took some pictures, zipped them, got the SHA-1 and sent 0.01 BTC to the equivalent address.

Here is the official time-stamp that will protect my ass if I ever need to: http://blockexplorer.com/q/addressfirstseen/1Lx3wYgWJJ6Rxj3EyXf8riMFd9SCZNVFzD

That 0.01 BTC was sent to hyperspace and even Satoshi can't get it back, correct?

Smart but a more sustainable approach will be better.

Edit: Sorry, didn't scroll up far enough to see theymos's comment.

[mila]

(If you modify Bitcoin, it's actually possible to create a transaction that sends 0 BTC to an address, which would also work. Then you don't have to destroy BTC.)

I thought it was legal to send 0.00 btc as long as I pay the .0005 fee

I like the approach of commit coin. they do not destroy the bitcoins at all, in fact the message is computed from the send to and send from transactions. but could be pruned from blockchain eventually. (unless a satoshi is left in the account, but that could be spend by the attacker and empty address pruned anyway)
maybe burning bitcoin is the cost of this