Efficient Constructions for One-Way Hash Chains
Lecture Notes in Computer Science
One-way chains are an important cryptographic primitive in many security applications. As one-way chains are very efficient to verify, they recently became increasingly popular for designing security protocols for resource-constrained mobile devices and sensor networks, as their low-powered processors can compute a one-way function within milliseconds, but would require tens of seconds or up to minutes to generate or verify a traditional digital signature  . Recent sensor network security
... tocols thus extensively use one-way chains to design protocols that scale down to resource-constrained sensors [21, 29] . Recently, researchers also proposed a variety of improvements to one-way hash chains to make storage and access more efficient [9, 18, 33] , or to make setup and verification more efficient [17, 21] . In this paper we present two new constructions for one-way hash chains, which significantly improve the efficiency of one-way chains. Our first construction, the Sandwich-chain, provides a smaller bandwidth overhead for one-way chain values, and enables efficient verification of oneway chain values if the trusted one-way chain value is far away. Our second construction, Comb Skipchain, features a new lower bound for one-way chains in terms of storage and traversal overhead. In fact previously, researchers  cite a lower bound of log 2 (n) for the product of pervalue traversal overhead and memory requirements for one-dimensional chains. We show that one can achieve a lower bound by considering multi-dimensional chains. In particular, our two-dimensional construction requires O(log(n)) memory and O(1) traversal overhead, thereby improving on the one-dimensional bound. In addition, the setup cost for the one-way chain is in contrast only O(n/ log(n)). Other benefits for both constructions include a faster verification step than the traditional hash chains provide; a verifier can "catch up" efficiently, after having missed some number of previously released hash values (for the Sandwich-chain); and resistance against DoS attacks on authentication values. Moreover, we describe fractal traversal schemes for our proposed structures, bringing down the traversal costs for our structure to the same as those of the simpler "traditional" hash chain. Our new construction is orthogonal to most previously proposed techniques, and can be used in conjunction with techniques for efficient setup or verification of one-way chains. One-way chains are a widely deployed cryptographic primitive. Lamport first proposed to use one-way chains for efficient authentication of one-time passwords  , which Haller later refined to the S/KEY standard  . Since Lamport's work, many researchers proposed to use one-way chains as a basic building block for a variety of applications, for example for digital cash [2, 15, 27, 31] , for extending the lifetime of digital certificates [1, 25], for constructing one-time signatures [10, 23, 24, 32], for authenticating link-state routing updates [8, 14, 34], or for efficient packet authentication . Despite the computational efficiency of one-way functions, one-way chains are still challenging to use in resource-constrained environments, such as on small mobile devices or sensor networks. Especially some of the proposed sensor networks have significant resource limitations, as they use minimal hardware to lower the energy consumption  . In these resource-challenged environments the setup, traversal, verification, and storage of long one-way chains is a major challenge. Recently, researchers proposed a variety of improvements to one-way hash chains to make setup, traversal, and storage more efficient. A good metric for one-way chain efficiency is the product of the per-value traversal overhead and the memory requirements. 4 For example, simply storing each value of a one-way chain with length n would result in a cost of O(n), as storage requires O(n) memory and traversal is O(1) (no computation necessary, the one-way chain values are simply stored in an array). Another straightforward approach is to only store the seed of the chain, and derive each value on the fly, with an O(n) efficiency again, as storage costs are O(1) and traversal costs O(n). Jakobsson , Coppersmith and Jakobsson , and Sella  propose new techniques that make traversal and storage more efficient, and apply these techniques to traditional one-way chains. All of these techniques allow the computation of consecutive values in the hash chain at a cost of only O(log(n)) one-way function computations (traversal cost), while also requiring O(log(n)) storage, resulting in an efficiency of O(log 2 (n)). Given that the traversal techniques are applied to standard hash chains, the verification cost is not affected by the manner in which the values are represented and computed, making the verification cost O(n). This is also the computational cost of the setup phase, in which the value at the endpoint is computed given a randomly selected seed; this computation may be performed by a powerful and trusted device, as opposed to the resource constrained device that performs the traversal. Hu et al. propose a new structure for one-way chains, in which more than one level of chains are used  . The main benefit of their structure is that it allows for more efficient verification: a verifier would only have to compute the 4 The traversal cost can be zero when the entire chain is stored, which would result that the product would be zero as well. We could deal with this by also accounting for memory accesses, or by adding 1 to the number of one-way function computations for the traversal cost. Both techniques result in a non-zero positive traversal cost.