Merkle Tree Traversal in Log Space and Time

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3027)


We present a technique for Merkle tree traversal which requires only logarithmic space and time. For a tree with N leaves, our algorithm computes sequential tree leaves and authentication path data in time 2 log2(N) and space less than 3 log2(N), where the units of computation are hash function evaluations or leaf value computations, and the units of space are the number of node values stored. This result is an asymptotic improvement over all other previous results (for example, measuring cost=space*time). We also prove that the complexity of our algorithm is optimal: There can exist no Merkle tree traversal algorithm which consumes both less than O(log2(N)) space and less than O(log2(N)) time. Our algorithm is especially of practical interest when space efficiency is required.


amortization authentication path Merkle tree tail zipping binary tree fractal traversal pebbling 


  1. 1.
    Coppersmith, D., Jakobsson, M.: Almost Optimal Hash Sequence Traversal. In: Financial Crypto 2002 (2002), Available at
  2. 2.
    Jakobsson, M.: Fractal Hash Sequence Representation and Traversal. In: ISIT 2002, p. 437 (2002), Available at
  3. 3.
    Jutla, C., Yung, M.: PayTree: Amortized-Signature for Flexible Micropayments. In: 2nd USENIX Workshop on Electronic Commerce, pp. 213–221 (1996)Google Scholar
  4. 4.
    Lamport, L.: Constructing Digital Signatures from a One Way Function. SRI International Technical Report CSL-98 (October 1979)Google Scholar
  5. 5.
    Lipmaa, H.: On Optimal Hash Tree Traversal for Interval Time-Stamping. In: Chan, A.H., Gligor, V.D. (eds.) ISC 2002. LNCS, vol. 2433, pp. 357–371. Springer, Heidelberg (2002), Available at CrossRefGoogle Scholar
  6. 6.
    Jakobsson, M., Leighton, T., Micali, S., Szydlo, M.: Fractal Merkle Tree Representation and Traversal. In: RSA Cryptographers Track, RSA Security Conference (2003)Google Scholar
  7. 7.
    Merkle, R.: Secrecy, Authentication, and Public Key Systems. UMI Research Press (1982); Also appears as a Stanford Ph.D. thesis in 1979 (1979)Google Scholar
  8. 8.
    Merkle, R.: A Digital Signature Based on a Conventional Encryption Function. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 369–378. Springer, Heidelberg (1988)Google Scholar
  9. 9.
    Micali, S.: Efficient Certificate Revocation. In: RSA Cryptographers Track, RSA Security Conference, and U.S. Patent No. 5,666,416 (1997)Google Scholar
  10. 10.
    Malkin, T., Micciancio, D., Miner, S.: Efficient Generic Forward-Secure Signatures With An Unbounded Number Of Time Periods. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 400–417. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  11. 11.
    Perrig, A., Canetti, R., Tygar, D., Song, D.: The TESLA Broadcast Authentication Protocol. Cryptobytes 5(2), 2–13 (RSA Laboratories, Summer/Fall 2002), Available at
  12. 12.
    Rivest, R., Shamir, A.: PayWord and MicroMint–Two Simple Micropayment Schemes. CryptoBytes 2(1), 7–11 (RSA Laboratories, Spring 1996), Available at
  13. 13.
    FIPS PUB 180-1, Secure Hash Standard, SHA-1, Available at

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  1. 1.RSA LaboratoriesBedfordUSA

Personalised recommendations