Fast Verification of Hash Chains

  • Marc Fischlin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2964)


A hash chain is a sequence of hash values x_i = hash(x_{i-1}) for some initial secret value x_0. It allows one to reveal the final value x_n and to gradually disclose the pre-images x_{n-1}, x_{n-2}, ... whenever necessary. The correctness of a given value x_i can then be verified by re-computing the chain and comparing the result to x_n. Here we present a method to speed up the verification by outputting some extra information in addition to the chain's end value x_n. This information makes it possible to relate the verifier's workload to a variably chosen security bound. That is, on input a putative chain value, the verifier determines a security level (i.e., security against adversaries with at most T steps and success probability ε) and performs only a fraction p = p(T, ε) of the original work by using the additional information. We also show lower bounds for the length of this extra information.
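The baseline check that the abstract describes (hash a putative x_i forward and compare with x_n), as an added example that is not code from the paper. SHA-256, the function names and the sample seed are assumptions; the paper's speed-up using extra information is not implemented here, only the full-cost verification it improves on.

```python
import hashlib
import hmac


def h(x: bytes) -> bytes:
    """One chain step; SHA-256 is an assumption, the abstract names no hash."""
    return hashlib.sha256(x).digest()


def build_chain(x0: bytes, n: int) -> list:
    """Return [x_0, ..., x_n] with x_i = h(x_{i-1})."""
    chain = [x0]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


def verify(candidate: bytes, i: int, x_n: bytes, n: int):
    """Check a putative x_i by hashing it forward n - i times.

    Returns (accepted, hash_calls); hash_calls is the verifier's workload.
    """
    if not 0 <= i <= n:
        return False, 0
    value = candidate
    for _ in range(n - i):
        value = h(value)
    # Constant-time comparison against the published end value.
    return hmac.compare_digest(value, x_n), n - i


def demo():
    n = 1000
    chain = build_chain(b"constructed-secret-seed", n)  # constructed sample secret
    x_n = chain[n]                    # published end value
    results = {}
    for i in (n - 1, n - 10, 1):      # disclosures progressively deeper in the chain
        results[i] = verify(chain[i], i, x_n, n)
    # All-zero value standing in for a forged x_{n-1}: must be rejected.
    results["forged"] = verify(bytes(32), n - 1, x_n, n)
    # A genuine chain value presented under the wrong index must also fail.
    results["wrong_index"] = verify(chain[n - 10], n - 9, x_n, n)
    return results


if __name__ == "__main__":
    for key, (ok, cost) in demo().items():
        print(key, ok, cost)
```

The cost column grows linearly with the distance n - i, which is the workload the paper's extra information is meant to reduce.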


Certificate hash chain Hash function Hash tree 





Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Marc Fischlin, Department of Computer Science & Engineering, University of California, San Diego, USA
