Skip to main content
SpringerLink
Log in
SpringerLink
Log in

Bounded Pre-image Awareness and the Security of Hash-Tree Keyless Signatures

  • Conference paper
Provable Security (ProvSec 2014)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8782))

Included in the following conference series:

Abstract

We present a new tighter security proof for unbounded hash tree keyless signature (time-stamping) schemes that use Merkle-Damgård (MD) hash functions with Preimage Aware (PrA) compression functions. It is known that the PrA assumption alone is insufficient for proving the security of unbounded hash tree schemes against back-dating attacks. We show that many known PrA constructions satisfy a stronger Bounded Pre-Image Awareness (BPrA) condition that assumes the existence of an extractor \(\mathcal{E}\) that is bounded in the sense that for any efficiently computable query string α, the number of outputs y for which \(\mathcal{E}(y,\alpha)\) succeeds does not exceed the number of queries in α. We show that blockcipher based MD-hash functions with rate-1 compression functions (such as Davies-Meyer and Miyaguchi-Preneel) of both type I and type II are BPrA. We also show that the compression function of Shrimpton-Stam that uses non-compressing components is BPrA. The security proof for unbounded hash-tree schemes is very tight under the BPrA assumption. In order to have 2s-security against back-dating, the hash function must have n = 2s + 4 output bits, assuming that the security of the hash function is close to the birthday barrier, i.e. that there are no structural weaknesses in the hash function itself. Note that the previous proofs that assume PrA gave the estimation n = 2s + 2 log2 C + 2, where C is the maximum allowed size of the hash tree. For example, if s = 100 (2100-security) and C = 260, the previous proofs require n = 322 output bits, while the new proof requires n = 204 output bits.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Bayer, D., Haber, S., Stornetta, W.-S.: Improving the efficiency and reliability of digital timestamping. In: Sequences II: Methods in Communication, Security, and Computer Sci., pp. 329–334. Springer, Heidelberg (1993)

    Chapter  Google Scholar 

  2. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: The 1st ACM Conference on Computer and Communications Security: CCS 1993, pp. 62–73. ACM (1993)

    Google Scholar 

  3. Bellare, M., Rogaway, P.: The exact security of digital signatures - How to sign with RSA and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)

    Chapter  Google Scholar 

  4. Buldas, A., Laanoja, R.: Security proofs for hash tree time-stamping using hash functions with small output size. In: Boyd, C., Simpson, L. (eds.) ACISP 2013. LNCS, vol. 7959, pp. 235–250. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  5. Buldas, A., Niitsoo, M.: Optimally tight security proofs for hash-then-publish time-stamping. In: Steinfeld, R., Hawkes, P. (eds.) ACISP 2010. LNCS, vol. 6168, pp. 318–335. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  6. Buldas, A., Saarepera, M.: On provably secure time-stamping schemes. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 500–514. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  7. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. JACM 51(4), 557–594 (2004)

    Article  MathSciNet  MATH  Google Scholar 

  8. Dodis, Y., Pietrzak, K., Puniya, P.: A new mode of operation for block ciphers and length-preserving MACs. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 198–219. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  9. Dodis, Y., Ristenpart, T., Shrimpton, T.: Salvaging Merkle-Damgård for practical applications. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 371–388. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  10. Haber, S., Stornetta, W.-S.: How to time-stamp a digital document. Journal of Cryptology 3(2), 99–111 (1991)

    Article  Google Scholar 

  11. Luby, M.: Pseudorandomness and Cryptographic Applications. Princeton University Press, Princeton (1996)

    MATH  Google Scholar 

  12. Merkle, R.C.: Protocols for public-key cryptosystems. In: Proceedings of the 1980 IEEE Symposium on Security and Privacy, pp. 122–134 (1980)

    Google Scholar 

  13. Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: A synthetic approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994)

    Chapter  Google Scholar 

  14. Shrimpton, T., Stam, M.: Building a collision-resistant compression function from non-compressing primitives. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 643–654. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  15. Stam, M.: Blockcipher-based hashing revisited. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 67–83. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. GuardTime AS, Tammsaare tee 60, 11316, Tallinn, Estonia

    Ahto Buldas, Risto Laanoja & Ahto Truu

  2. Tallinn University of Technology, Raja 15, 12618, Tallinn, Estonia

    Ahto Buldas & Risto Laanoja

  3. Cybernetica AS, Mäealuse 2/1, 12618, Tallinn, Estonia

    Peeter Laud

Authors
  1. Ahto Buldas
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Risto Laanoja
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Peeter Laud
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Ahto Truu
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Information Engineering, Chinese University of Hong Kong, Rm. 808 Ho Sin Hang Engineering Building, Sha Tin, N.T., Hong Kong

    Sherman S. M. Chow

  2. Institute for Infocomm Research, A*STAR, 1 Fusionopolis Way, 138632, Singapore, Singapore

    Joseph K. Liu

  3. Department of Computer Science, The University of Hong Kong, Chow Yei Ching Building, Pokfulam Road,, Hong Kong

    Lucas C. K. Hui

  4. Department of Computer Science, The University of Hong Kong, Chow Yei Ching Building, Pokfulam Road, Hong Kong

    Siu Ming Yiu

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Buldas, A., Laanoja, R., Laud, P., Truu, A. (2014). Bounded Pre-image Awareness and the Security of Hash-Tree Keyless Signatures. In: Chow, S.S.M., Liu, J.K., Hui, L.C.K., Yiu, S.M. (eds) Provable Security. ProvSec 2014. Lecture Notes in Computer Science, vol 8782. Springer, Cham. https://doi.org/10.1007/978-3-319-12475-9_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-12475-9_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-12474-2

  • Online ISBN: 978-3-319-12475-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation