nach oben

Erschienen in:

2017 | OriginalPaper | Buchkapitel

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal

verfasst von : Berry Schoenmakers

Erschienen in: Financial Cryptography and Data Security

Verlag: Springer Berlin Heidelberg

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

We present explicit optimal binary pebbling algorithms for reversing one-way hash chains. For a hash chain of length \(2^k\), the number of hashes performed in each output round does not exceed \(\lceil k/2 \rceil \), whereas the number of hash values stored (pebbles) throughout is at most k. This is optimal for binary pebbling algorithms characterized by the property that the midpoint of the hash chain is computed just once and stored until it is output, and that this property applies recursively to both halves of the hash chain.

We introduce a framework for rigorous comparison of explicit binary pebbling algorithms, including simple speed-1 binary pebbling, Jakobsson’s speed-2 binary pebbling, and our optimal binary pebbling algorithm. Explicit schedules describe for each pebble exactly how many hashes need to be performed in each round. The optimal schedule turns out to be essentially unique and exhibits a nice recursive structure, which allows for fully optimized implementations that can readily be deployed. In particular, we develop the first in-place implementations with minimal storage overhead (essentially, storing only hash values), and fast implementations with minimal computational overhead. Moreover, we show that our approach is not limited to hash chains of length \(n=2^k\), but accommodates hash chains of arbitrary length \(n\ge 1\), without incurring any overhead. Finally, we show how to run a cascade of pebbling algorithms along with a bootstrapping technique, facilitating sequential reversal of an unlimited number of hash chains growing in length up to a given bound.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Failures of Security APIs: A New Case

Nächstes Kapitel Factoring as a Service

Nur mit Berechtigung zugänglich

Bitcoin’s block chain [Nak08] is probably the best-known example of a hash chain nowadays. Unlike in our setting, however, block chains are costly to generate due to the “proof of work” requirement for the hash values linking the successive blocks.

E.g., using the space-time trade-offs of [Sel03] and [Kim03], one cannot go below \(\min _{b>1} b/(\log _2 b)^2 k^2\approx 0.89 k^2\) and \(\min _{b>1} (b-1)/(\log _2 b)^2 k^2\approx 0.74 k^2\), respectively.

Sample code (in Python, Java, C) available at www.win.tue.nl/~berry/pebbling/.

More precisely, function f should be one-way on its iterates [Lev85, Ped96].

Incidentally, this lower bound had been found already in a completely different context [GPRS96]; see Appendix A.

[BDE+13]

Buchmann, J., Dahmen, E., Ereth, S., Hülsing, A., Rückert, M.: On the security of the Winternitz one-time signature scheme. Int. J. Appl. Crypt. 3(1), 84–96 (2013)MathSciNetCrossRefMATH

[BÖS11]

Bos, J.W., Özen, O., Stam, M.: Efficient hashing using the AES instruction set. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 507–522. Springer, Heidelberg (2011). doi:10.1007/978-3-642-23951-9_33 CrossRef

[CJ02]

Coppersmith, D., Jakobsson, M.: Almost optimal hash sequence traversal. In: Blaze, M. (ed.) FC 2002. LNCS, vol. 2357, pp. 102–119. Springer, Heidelberg (2003). doi:10.1007/3-540-36504-4_8 CrossRef

[Goy04]

Goyal, V.: How to re-initialize a hash chain. eprint.iacr.org/2004/097

[GPRS96]

Grimm, J., Potter, L., Rostaing-Schmidt, N.: Optimal time and minimum space-time product for reversing a certain class of programs. In: Berz, M., Bischof, C.H., Corliss, G., Griewank, A. (eds.) Computational Differentiation Techniques. Applications, and Tools, pp. 95–106. SIAM, Philadelphia (1996)

[Gri92]

Griewank, A.: Achieving logarithmic growth of temporal and spatial complexity in reverse automatic differentiation. Optim. Methods Softw. 1(1), 35–54 (1992)MathSciNetCrossRef

[GW08]

Griewank, A., Walther, A.: Evaluating Derivatives: Principles and Techniques of Algorithmic Differentiation, 2nd edn. SIAM, Reading (2008)CrossRefMATH

[Hal94]

Haller, N.: The S/KEY one-time password system. In: Proceedings of the Symposium on Network and Distributed System Security (NDSS), pp. 151–157. Internet Society, February 1994. en.wikipedia.org/wiki/S/KEY

[IR01]

Itkis, G., Reyzin, L.: Forward-secure signatures with optimal signing and verifying. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 332–354. Springer, Heidelberg (2001). doi:10.1007/3-540-44647-8_20 CrossRef

[Jak02]

Jakobsson, M.: Fractal hash sequence representation and traversal. In: Proceedings of IEEE International Symposium on Information Theory (ISIT 2002), p. 437. IEEE Press (2002). Full version eprint.iacr.org/2002/001

[Kim03]

Kim, S.-R.: Improved scalable hash chain traversal. In: Zhou, J., Yung, M., Han, Y. (eds.) ACNS 2003. LNCS, vol. 2846, pp. 86–95. Springer, Heidelberg (2003). doi:10.1007/978-3-540-45203-4_7 CrossRef

[Lam81]

Lamport, L.: Password authentication with insecure communication. Commun. ACM 24(11), 770–772 (1981)MathSciNetCrossRef

[Lev85]

Levin, L.: One-way function and pseudorandom generators. In: Proceedings of the 17th Symposium on Theory of Computing (STOC 1985), pp. 363–365 (1985)

[Mer87]

Merkle, R.C.: A digital signature based on a conventional encryption function. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 369–378. Springer, Heidelberg (1988). doi:10.1007/3-540-48184-2_32

[Mer89]

Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, New York (1990). doi:10.1007/0-387-34805-0_21 CrossRef

[MSS13]

Mourier, N., Stampp, R., Strenzke, F.: An implementation of the hash-chain signature scheme for wireless sensor networks. In: Avoine, G., Kara, O. (eds.) LightSec 2013. LNCS, vol. 8162, pp. 68–80. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40392-7_6 CrossRef

[Nak08]

Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system, 31 October 2008. bitcoin.org/bitcoin.pdf

[PCTS02]

Perrig, A., Canetti, R., Tygar, J.D., Song, D.: The TESLA broadcast authentication protocol. RSA CryptoBytes 5(2), 2–13 (2002)

[Ped96]

Pedersen, T.P.: Electronic payments of small amounts. In: Lomas, M. (ed.) Security Protocols 1996. LNCS, vol. 1189, pp. 59–68. Springer, Heidelberg (1997). doi:10.1007/3-540-62494-5_5 CrossRef

[Per13]

Perumalla, K.: Introduction to Reversible Computing. Chapman and Hall/CRC, Boca Raton (2013)

[Sel03]

Sella, Y.: On the computation-storage trade-offs of hash chain traversal. In: Wright, R.N. (ed.) FC 2003. LNCS, vol. 2742, pp. 270–285. Springer, Heidelberg (2003). doi:10.1007/978-3-540-45126-6_20 CrossRef

[Szy04]

Szydlo, M.: Merkle tree traversal in log space and time. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 541–554. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24676-3_32 CrossRef

[YSEL09]

Yum, D.H., Seo, J.W., Eom, S., Lee, P.J.: Single-layer fractal hash chain traversal with almost optimal complexity. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 325–339. Springer, Heidelberg (2009). doi:10.1007/978-3-642-00862-7_22 CrossRef

[ZL05]

Zhao, Y., Li, D.: An improved elegant method to re-initialize hash chains, January 2005. eprint.iacr.org/2005/011

Titel: Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal
verfasst von: Berry Schoenmakers
Verlag: Springer Berlin Heidelberg
Buch: Financial Cryptography and Data Security
Print ISBN: 978-3-662-54969-8

Electronic ISBN: 978-3-662-54970-4

Copyright-Jahr: 2017
DOI: https://doi.org/10.1007/978-3-662-54970-4_18

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"