Fast Verification of Hash Chains

A hash chain is a sequence of hash values $x_i = \mathrm{hash}(x_{i-1})$ for some initial secret value $x_0$. It allows one to reveal the final value $x_n$ and to gradually disclose the pre-images $x_{n-1}, x_{n-2}, \ldots$ whenever necessary. The correctness of a given value $x_i$ can then be verified by re-computing the chain and comparing the result to $x_n$. Here we present a method to speed up the verification by outputting some extra information in addition to the chain's end value $x_n$. This information allows one to relate the verifier's workload to a variably chosen security bound. That is, on input of a putative chain value, the verifier determines a security level (i.e., security against adversaries with at most $T$ steps and success probability $e$) and performs only a fraction $p = p(T, e)$ of the original work by using the additional information. We also show lower bounds for the length of this extra information.
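The baseline check that the abstract sets out to speed up, as an added example that is not code from the paper: the verifier re-computes the chain from a claimed $x_i$ up to the published $x_n$, at a cost of $n - i$ hash evaluations. SHA-256, the function names and the sample secret are assumptions made for illustration; the paper's extra information and the reduced-work verifier are not reproduced here.

```python
import hashlib
import hmac


def H(x: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the abstract's generic "hash".
    return hashlib.sha256(x).digest()


def build_chain(x0: bytes, n: int) -> list[bytes]:
    """Return [x_0, ..., x_n] with x_i = H(x_{i-1}); only x_n is published."""
    chain = [x0]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain


def verify(candidate: bytes, i: int, x_n: bytes, n: int) -> tuple[bool, int]:
    """Check a claimed x_i against the published end value x_n.

    Returns (accepted, work), where work is the number of hash
    evaluations performed: the verifier workload the paper reduces.
    """
    if not 0 <= i <= n:
        return False, 0  # index outside the chain: reject without hashing
    value, work = candidate, 0
    for _ in range(n - i):
        value = H(value)
        work += 1
    # Constant-time comparison of the recomputed end value with x_n.
    return hmac.compare_digest(value, x_n), work


if __name__ == "__main__":
    n = 1000
    chain = build_chain(b"constructed-secret-x0", n)  # constructed sample secret
    x_n = chain[n]
    print(verify(chain[990], 990, x_n, n))   # late value: cheap to check
    print(verify(chain[3], 3, x_n, n))       # early value: nearly n hashes
    print(verify(b"\x00" * 32, 990, x_n, n)) # forged value: rejected after full work
```

The work counter makes the cost model visible: a rejected forgery costs the verifier the same $n - i$ evaluations as an accepted value.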
