Improved Scalable Hash Chain Traversal Sung-Ryul Kim ⋆ Division of Internet & Media and Multidisciplinary Aerospace System Design Center Konkuk University Seoul, Korea Abstract. Yaron Sella recently proposed a scalable version of Jakob- sson’s algorithm to traverse a hash chain of size n. Given the hash chain and a computation limit m (k = m + 1 and b = k √ n), Sella’s algorithm traverses the hash chain using a total of kb memory. We improve the memory usage to k(b - 1). Because efficient hash chain traversal algorithms are aimed at devices with severely restricted computation and memory requirements, a reduction by a factor of (b - 1)/b is considered to be important. Further, our algorithm matches the memory requirements of Jakobsson’s algorithm while still remain- ing scalable. Sella’s algorithm, when scaled to the case of Jakobsson’s algorithm, has a memory requirement of about twice that of Jakobsson’s. Keywords: efficient hash chain traversal, secure hash, pebbles 1 Introduction Many useful cryptographic protocols are designed based on the hash chain con- cept. Given a hash function f () which is assumed to be difficult to invert, a hash chain is a sequence <x 0 ,x 1 ,...,x n > of values where each value x i is defined to be f (x i-1 ). The hash chain is being used as an efficient authentication tool in applications such as the S/Key [2], in signing multicast streams [5], message authentication codes [5,6], among others. Traditionally the hash chain has been used by one of two methods. One is to store the entire hash chain in memory. The other is to recompute the entire hash chain from x 0 as values are exposed from x n to x 0 . Both methods are not very efficient. The first one requires a memory of size Θ(n) while the second one requires Θ(n) hash function evaluations for each value that is exposed. The memory-times-storage complexity of the first method is O(n) and it is O(n 2 ) for the second method. As mobile computing becomes popular, small devices with restricted memory and computation powers are being used regularly. As these devices are being used for jobs requiring security and authentication, the memory and computation efficiency of hash chain traversal is becoming more important. ⋆ Corresponding author. kimsr@konkuk.ac.kr J. Zhou, M. Yung, Y. Han (Eds.): ACNS 2003, LNCS 2846, pp. 86–95, 2003. c  Springer-Verlag Berlin Heidelberg 2003