SHA-256 Dataset Fingerprinting

SHA-256 is the cryptographic hash function that makes dataset fingerprinting possible. It transforms any dataset into a fixed-length, deterministic fingerprint — a unique identifier that is computationally infeasible to reverse or collide.

In CertifiedData's certification workflow, SHA-256 fingerprinting is the first step: every generated dataset is hashed before the certificate is signed. The hash is included in the certificate payload and becomes the stable identity of the dataset.

SHA-256 produces a 256-bit (32-byte) hash that has three properties critical for dataset certification: determinism (same input always produces the same hash), collision resistance (finding two datasets with the same hash is computationally infeasible), and avalanche effect (changing even one byte produces a completely different hash).

These properties mean that a SHA-256 fingerprint is both a stable identifier (for lookup and reference) and a tamper detector (any modification is immediately detectable).

For structured tabular datasets, CertifiedData uses RFC 8785 JSON Canonicalization Scheme (JCS) to produce a deterministic JSON representation before hashing. This ensures that field ordering, whitespace variations, and encoding differences do not affect the hash.

The canonical JSON is then passed to SHA-256. The resulting hash is included in the certificate as the `dataset_hash` field — a hex-encoded 64-character string.

To verify a dataset fingerprint, a verifier re-computes the hash of the dataset using the same canonicalization procedure, then compares it to the `dataset_hash` field in the certificate.

If the hashes match, the dataset is intact and corresponds to the certified version. If they do not match, either the dataset has been modified or the wrong dataset is being compared.

SHA-256 fingerprinting is the first of two verification steps in CertifiedData's workflow. After confirming the hash match, the verifier checks the Ed25519 signature over the certificate payload — proving both that the dataset is intact and that the certificate was issued by CertifiedData.

Together, these two checks provide tamper-evident certification: any modification to either the dataset or the certificate is immediately detectable.

To verify a certified dataset using SHA-256, no API access or issuer contact is required:

The computed hash must exactly match the dataset_hash field in the certificate. A single-character difference indicates the dataset has changed.

Linux / macOS: sha256sum dataset.csv → a3f9b2e1c4d7f6a9b8e2c1d4f5a6b7c8...

Windows (PowerShell): Get-FileHash dataset.csv -Algorithm SHA256

Certificate field: { "dataset_hash": "sha256:a3f9b2e1c4d7f6a9..." }

Any change to a certified dataset — a single added row, a modified value, a removed column — produces a completely different SHA-256 hash. This is the avalanche effect: small input changes produce completely unpredictable hash changes.

Rows cannot be added or removed, values cannot be changed, and datasets cannot be partially substituted without detection. Modification is always immediately detectable.

SHA-256 fingerprinting is the first step in CertifiedData's two-part verification model. The dataset fingerprint is embedded in the certificate payload, which is then signed with an Ed25519 private key.

SHA-256 proves dataset integrity. Ed25519 proves certificate authenticity. Together they create a complete chain: any modification to either the dataset or the certificate is immediately detectable independently of the issuer.