Digital signature forgery?

So here's the scenario: there's a big network of anonymous people. Alice wants to give herself an alias using a hash that can be used to identify that her work is hers. She posts her work and puts the little hash at the end. Bob decides to clone her work and change the hash, claiming that he created it and Alice's copy is stolen. Note that there are absolutely no timestamps used because they're generally considered unreliable because anyone could set the date to whatever they like. How does Alice let others know that her copy is hers and that her hash is her own? Do note that Bob could also copy the binary of the hash and post stuff under her name. How would someone work around something like this?
Have the hash be a particularly large number divisible by only two primes. Alice knows one of the primes, and therefore the other. Bob wouldn't. Alice can verify by showing the second prime, while Bob cannot.
@Ispil the issue is a claim of ownership - both parties sign the code with their own signature and both claim the code was originally written by them.
Oh, right.

Um... not particularly, no. The problem with digital information is that there is no way to verify age that cannot be manipulated. The only way to make code that would be impossible to be stolen would be to write it in Brainfuck or something else that would both verify that you're the creator and be impossible to actually understand by anyone else with the source code. You'd have to make your own programming language. You could print out the source code with a particular isotope of a chemical embedded in the ink with a known half-life, but now we're reaching absurdity.
Whoa, that's fantastic thinking. Only one problem. In the case that Bob duplicates the hash and the hashes need to be verified, the verification process can only be done on a one-on-one basis in a very secure fashion. Unfortunately, a large group of people would ask for the two primes, and it must be given to them. Bob, since no one on the network has an alias unless they assign themself one, can ask Alice for both primes. Alice, who doesn't know she's speaking with Bob, will give him both primes. Bob can then use these primes to falsely verify Alice's stolen hash as his own. People wouldn't be able to tell who actually created the software.

TL;DR: Yeah, what LB said...
The issue is that copy-and-paste functionality is built into pretty much every device in use today. Plagiarism is a well-known issue, and I think you're mixing in digital signing for no reason other than to add confusion.
I think you're accusing me of trying to confuse people because the idea of plagiarism and hashing mixed together confuses you. What verification method would you have used instead? I picked hashing because I'm familiar with it.
This is not how digital signatures work.

1. Alice publishes her public key PK and keeps her private key K safe.
2. Alice produces an original bitstring S.
3. Alice computes S'=f(S, K), which is a fixed-length bitstring.
4. Alice publishes S+S'.
5. If Carol wants to know if Alice is in fact the author of S, all she needs to do is compute g(S, S', PK), which returns true if S is the bitstring that was signed with S' and if it was K that was used to produce the signature. Assuming that only Alice knows K, this is enough to prove Alice's authorship of S.
6. If Bob wants to impersonate Alice, stealing S' is useless because S' can only be used to authenticate S. Stealing PK is also useless because it can only be used to authenticate, not to sign. Altering S or S' doesn't work because it will cause the authentication to fail. Bob's only option is to steal or attempt to crack K.

Hashing can be useful if you're both the source and destination of the message. For example:
1. You produce some bitstring S.
2. You compute S'=f(S). Let's assume that f is an uncrackable cipher such that x = g(f(x)), but that g() can't guarantee the authenticity of its input.
3. You compute H=h(S'), which is a hash digest.
4. You give S' to an untrusted party.
5. At some point in the future, you get back S" from the untrusted party.
6. You compute H'=h(S").
7. If H'==H, you have a fair degree of certainty that S'==S".
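The six-step signing scheme in the post above, as an added example that is not part of the original thread: a Lamport one-time signature built only from SHA-256 stands in for f and g (an assumption, since the post names no algorithm), and the key names and sample strings are constructed. Each K in this scheme may sign only one message.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Return (K, PK): K is 256 pairs of random secrets, PK holds their hashes."""
    K = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    PK = [(H(a), H(b)) for a, b in K]
    return K, PK

def digest_bits(S: bytes):
    """The 256 bits of SHA-256(S), least significant bit first."""
    d = int.from_bytes(H(S), "big")
    return [(d >> i) & 1 for i in range(256)]

def f(S: bytes, K):
    """Sign (step 3): reveal one secret of each pair, chosen by the digest bit."""
    return [K[i][bit] for i, bit in enumerate(digest_bits(S))]

def g(S: bytes, S_sig, PK) -> bool:
    """Verify (step 5): each revealed secret must hash to the matching PK entry."""
    if len(S_sig) != 256:
        return False
    return all(H(part) == PK[i][bit]
               for i, (part, bit) in enumerate(zip(S_sig, digest_bits(S))))

def demo():
    K_alice, PK_alice = keygen()
    K_bob, PK_bob = keygen()
    S = b"Alice's original work (constructed sample)"
    sig = f(S, K_alice)
    tampered = [bytes(32)] + sig[1:]          # alter one element of S'
    return {
        "genuine": g(S, sig, PK_alice),
        "sig_reused_on_other_text": g(b"Bob's different text", sig, PK_alice),
        "altered_signature": g(S, tampered, PK_alice),
        "bob_key_as_alice": g(S, f(S, K_bob), PK_alice),
        "bob_key_as_bob": g(S, f(S, K_bob), PK_bob),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

The last case is the ownership dispute raised earlier in the thread: Bob's signature over the copied text verifies under Bob's own PK, so a valid signature shows which key signed S, not who wrote it first.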
Whoa, I'll have to look into that...
The verification method used is irrelevant; your question boils down to "what do you do when two people both claim they independently created the same thing?" Hashing, signing, encrypting, etc. doesn't have anything to do with that.
My question is more so asking how can an original artist prepare to prove that their work is theirs in the given scenario when someone else claims they did the same thing.

Hashing, signing, encrypting, etc. are all possible methods.
RealGiganitris wrote:
Hashing, signing, encrypting, etc. are all possible methods.
Anyone can sign/hash/encrypt some codebase; that doesn't mean they wrote the code.
Usually it is whoever publishes first who wins.
Also, if one person has proof of his work and the other does not (one has a complete git history with all commits, showing how the project was developed, and the other only has one commit with the whole program), he might win in either case.
@JLBorges: that's cool, I didn't know about that. It sounds like it could easily solve this problem.
@LB, may I please ask you to stop using a condescending tone? Do understand that hashing, signing and encrypting are all tools, like a spring. Although a spring may have absolutely nothing to do with outer space, a spring's applications in terms of exploration are wide and varied. Much like hashing and verification (an obvious one I can think of is storing user passwords in a database).

This video shows some of the "theoretical" physics we learn in high school being tested out in an anti-gravity environment to help us better understand outer space environments: https://www.youtube.com/watch?v=JghsCipopIc
I never intend to have a condescending tone (or any tone), sorry you interpreted my writing that way. The point I am trying to make is that the tools you were suggesting be used did not seem relevant to the problem you were presenting - to me it was like asking to fix a car tire with a debugger. JLBorges showed me that in fact it is not as unrelated as I thought - an agreed-upon reliable third party can use the tools you mentioned.

I don't understand the purpose of your link.
The purpose of the link was proof that springs truly do have an application in space exploration, since many would argue otherwise just to hold up their original statement.
Sorry, I still don't understand how that's relevant to this thread? I would have been surprised if springs were not used in space exploration.
It's not relevant to this thread, I'm just equating hashes and authentication to springs and space to demonstrate that it's useful.