Long-Term Secure Time-Stamping Using Preimage-Aware Hash Functions (Short Version)

The lifetime of commonly used digital signature schemes is limited because their security is based on computational assumptions that potentially break in the future. In 1993, Bayer et al. suggested that the lifetime of a digital signature can be prolonged by time-stamping the signature together with the signed document. Based on this idea, various long-term timestamp schemes have been proposed and standardized that repeatedly renew the protection with new timestamps. In order to minimize the risk of a design failure affecting the security of these schemes, it is indispensable to formally analyze their security. However, many of the proposed schemes have not been subject to a formal security analysis yet. In this paper, we address this issue by formally describing and analyzing a long-term timestamp scheme that uses hash trees for timestamp renewal. Our analysis shows that the security level of the described scheme degrades cubic over time, which suggests that in practice the scheme should be instantiated with a certain security margin.