Fractal Merkle Tree Representation and Traversal

  • Markus Jakobsson
  • Tom Leighton
  • Silvio Micali
  • Michael Szydlo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2612)


We introduce a technique for traversal of Merkle trees, and propose an efficient algorithm that generates a sequence of leaves along with their associated authentication paths. For one choice of parameters, and a total of N leaves, our technique requires a worst-case computational effort of 2 logN/loglog N hash function evaluations per output, and a total storage capacity of less than 1.5 log2 N/loglogN hash values. This is a simultaneous improvement both in space and time complexity over any previously published algorithm.


Amortization authentication fractal Merkle tree 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [1]
    D. Coppersmith and M. Jakobsson, “Almost Optimal Hash Sequence Traversal,” Financial Crypto’ 02. Available at 315
  2. [2]
    Y.-C. Hu, A. Perrig, and D. B. Johnson, “Packet Leashes: A Defense against Wormhole Attacks in Wireless Ad Hoc Networks,” Proceedings of the Twenty-Second Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM 2003), IEEE, San Francisco, CA, April 2003, to appear 315Google Scholar
  3. [3]
    M. Jakobsson, “Fractal Hash Sequence Representation and Traversal,” ISIT’ 02, p. 437. Available at 315
  4. [4]
    C. Jutla and M. Yung, “PayTree: amortized-signature for flexible micropayments,” 2nd USENIX Workshop on Electronic Commerce, pp. 213–221, 1996. 315Google Scholar
  5. [5]
    L. Lamport, “Constructing Digital Signatures from a One Way Function,” SRI International Technical Report CSL-98 (October 1979). 315Google Scholar
  6. [6]
    H. Lipmaa, “On Optimal Hash Tree Traversal for Interval Time-Stamping,” In Proceedings of Information Security Conference 2002, volume 2433 of Lecture Notes in Computer Science, pp. 357–371. Available at 317Google Scholar
  7. [7]
    R. Merkle, “Secrecy, Authentication, and Public Key Systems,” UMI Research Press, 1982. Also appears as a Stanford Ph.D. thesis in 1979. 315Google Scholar
  8. [8]
    R. Merkle, “A digital signature based on a conventional encryption function,” Proceedings of Crypto’ 87, pp. 369–378. 314, 315, 317Google Scholar
  9. [9]
    S. Micali, “Efficient Certificate Revocation,” Proceedings of RSA’ 97, and U. S. Patent No. 5,666,416. 315Google Scholar
  10. [10]
    A. Perrig, R. Canetti, D. Tygar, and D. Song, “The TESLA Broadcast Authentication Protocol,” Cryptobytes Volume 5, No. 2(RSA Laboratories, Summer/Fall 2002), pp. 2–13. Available at 315Google Scholar
  11. [11]
    K. S. J. Pister, J. M. Kahn and B. E. Boser, “Smart Dust: Wireless Networks of Millimeter-Scale Sensor Nodes. Highlight Article in 1999 Electronics Research Laboratory Research Summary.”, 1999. Available at 314
  12. [12]
    R. Rivest and A. Shamir, “PayWord and MicroMint-Two Simple Micropayment Schemes,” CryptoBytes, volume 2, number 1 (RSA Laboratories, Spring 1996), pp. 7–11. Available at Scholar
  13. [13]
    FIPS PUB 180-1, “Secure Hash Standard, SHA-1”. Available at 316
  14. [14]
    Y. Sella, “Traversing Hash Chain with Constant Computation,” To appear in Financial Crypto’ 03. 315Google Scholar
  15. [15]
    S. Vaudenay, “One-time identification with low memory,” EUROCODE’92, CISM Course and Lecture 339, pp. 217–228, Springer-Verlag 1993 315Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Markus Jakobsson
    • 1
  • Tom Leighton
    • 2
    • 3
  • Silvio Micali
    • 3
  • Michael Szydlo
    • 1
  1. 1.RSA LaboratoriesBedford
  2. 2.MIT Laboratory for Computer ScienceCambridge
  3. 3.Akamai TechnologiesCambridge

Personalised recommendations