Abstract. We state the basic requirements for time-stamping systems applicable as the necessary support to the legal use of electronic documents. We analyze the main drawbacks of the time-stamping systems proposed to date and present a new system that meets all the stated requirements. We prove that these requirements cannot be signi cantly tightened. 1

Abstract. It is almost a folklore-knowledge that hash-based time-stamping schemes are secure if the underlying hash function is collisionresistant but still no rigorous proofs have been published. We try to establish such proof and conclude that the existing security conditions are improper because they ignore precomputations by adversaries. After analyzing a simplistic patent filing scenario, we suggest a new security condition for time-stamping schemes that leads to a new security property of hash functions – chain-resistance. We observe that if the variety of possible shapes of hash-chains is polynomial (and the verification procedure is suitably improved), then the time-stamping scheme becomes provably secure, assuming that the underlying hash function is collisionresistant. Finally, we show that in some sense, the restrictions in the security definition are necessary – conventional black-box techniques are unable to prove that chain-resistance follows from collision-resistance. 1

Abstract. We study the influence of collision-finding attacks on the security of time-stamping schemes. We distinguish between client-side hash functions used to shorten the documents before sending them to time-stamping servers and server-side hash functions used for establishing one way causal relations between time stamps. We derive necessary and sufficient conditions for client side hash functions and show by using explicit separation techniques that neither collisionresistance nor 2nd preimage resistance is necessary for secure time-stamping. Moreover, we show that server side hash functions can even be not one-way. Hence, it is impossible by using black-box techniques to transform collisionfinders into wrappers that break the corresponding time-stamping schemes. Each such wrapper should analyze the structure of the hash function. However, these separations do not necessarily hold for more specific classes of hash functions. Considering this, we take a more detailed look at the structure of practical hash functions by studying the Merkle-Damg˚ard (MD) hash functions. We show that attacks, which are able to find collisions for MD hash functions with respect to randomly chosen initial states, also violate the necessary security conditions for client-side hash functions. This does not contradict the black-box separations results because the MD structure is already a deviation from the black-box setting. As a practical consequence, MD5, SHA-0, and RIPEMD are no more recommended to use as client-side hash functions in time-stamping. However, there is still no evidence against using MD5 (or even MD4) as server-side hash functions. 1

We present a universally composable time-stamping scheme based on universal one-way hash functions.