Concept Definition
What is tamper-evidence in invoicing?
Tamper-evidence means that any unauthorized modification to an invoice or its metadata can be detected. Tamper-evident invoices use cryptographic mechanisms (hashes, digital signatures) that change detectably when document content is altered. It is a required property of compliant e-invoice archives.
How is tamper-evidence implemented?
Tamper-evidence for invoices is implemented via:
- SHA-256 hash: A fixed-length fingerprint of the invoice computed at issuance. Any change to the document produces a different hash.
- Digital signature: A cryptographic signature binds the hash to the signer's key, so both the content and the signer's identity are verifiable.
- Certificate chain: A signature verified against a trusted Certificate Authority confirms the signer's identity.
- Timestamp: A trusted timestamp from a Time Stamping Authority (TSA) proves the document existed at a specific time.
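The sketch below is an added example, not code from the original page. It takes SHA-256 fingerprints of an invoice and its metadata at issuance, seals the fingerprint record, and reports which part changed on verification. As an assumption, HMAC-SHA256 from the Python standard library stands in for the digital signature; the key, invoice bytes, metadata and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

def _canon(obj: dict) -> bytes:
    # Stable byte encoding so the same metadata always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def fingerprint(invoice: bytes, metadata: dict) -> dict:
    # SHA-256 fingerprints computed at issuance, one per protected part.
    return {"content_sha256": hashlib.sha256(invoice).hexdigest(),
            "metadata_sha256": hashlib.sha256(_canon(metadata)).hexdigest()}

def seal(record: dict, key: bytes) -> str:
    # Assumption: HMAC-SHA256 stands in for the digital signature over the hashes.
    return hmac.new(key, _canon(record), hashlib.sha256).hexdigest()

def verify(invoice: bytes, metadata: dict, record: dict, tag: str, key: bytes) -> list:
    # A stored hash is only evidence while the record holding it is itself protected.
    if not hmac.compare_digest(seal(record, key), tag):
        return ["fingerprint record altered"]
    now = fingerprint(invoice, metadata)
    findings = []
    if now["content_sha256"] != record["content_sha256"]:
        findings.append("invoice content altered")
    if now["metadata_sha256"] != record["metadata_sha256"]:
        findings.append("metadata altered")
    return findings

# Constructed sample data (not from any real invoice).
KEY = b"constructed-demo-key"
INVOICE = b"<Invoice><ID>INV-0001</ID><Total>100.00</Total></Invoice>"
META = {"issued": "2024-01-15", "supplier": "Example Supplier Ltd"}

def demo() -> dict:
    record = fingerprint(INVOICE, META)
    tag = seal(record, KEY)
    edited = INVOICE.replace(b"100.00", b"900.00")
    # The edited invoice is re-hashed without the key: the hashes match, the seal does not.
    forged = fingerprint(edited, META)
    return {
        "untouched": verify(INVOICE, META, record, tag, KEY),
        "content": verify(edited, META, record, tag, KEY),
        "metadata": verify(INVOICE, dict(META, issued="2024-02-15"), record, tag, KEY),
        "rehashed": verify(edited, META, forged, tag, KEY),
    }

if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings or "ok")
```

The "rehashed" case shows why the hash alone is not enough: a recomputed fingerprint matches the edited invoice, and only the seal over the record exposes the change.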
Frequently Asked Questions
- Is tamper-evidence the same as encryption?
- No. Encryption protects confidentiality by making content unreadable to unauthorized parties. Tamper-evidence protects integrity by making unauthorized modifications detectable. An invoice can be tamper-evident without being encrypted, and vice versa.
- What standard governs tamper-evident e-invoicing in the EU?
- The eIDAS Regulation (EU 910/2014) governs electronic signatures and seals in the EU. For invoicing, an Advanced Electronic Signature (AdES) or Qualified Electronic Signature (QES) provides legally recognized tamper-evidence. EN 16931 and Peppol both rely on transport-level security rather than document-level signatures.