Security Proofs for Hash Tree Time-Stamping Using Hash Functions with Small Output Size

Abstract

The known security proofs for hash tree time-stamping assume collision-resistance (CR). An asymptotically optimally tight proof has the security loss formula \(\frac{t'}{\delta'}\approx 14 \sqrt{C}\left(\frac{t}{\delta}\right)^{1.5}\), where \(\frac{t'}{\delta'}\) is the time-success ratio of a collision-finder, \(\frac{t}{\delta}\) is the ratio of a back-dating adversary and C is the size of the hash tree created in every time unit. Practical schemes use 256-bit hash functions that are just 2¹²⁸-secure because of the birthday bound. For having a 2⁸⁰-secure time-stamping scheme, we have C < 10³ that is insufficient for global scale solutions. Due to tightness bounds for CR, practically relevant security proofs must use assumptions stronger than CR. We show that under the random oracle (RO) assumption, the security loss is independent of C. We establish a linear-preserving security reduction under the Pre-Image Awareness (PrA) assumption. We present a new slightly stronger assumption SPrA that leads to much tighter proofs. We also show that bounds on C are necessary—based on any PrA/SPrA function, we construct a PrA/SPrA function that is insecure for unbounded time-stamping.