Paper 2002/023

Almost Optimal Hash Sequence Traversal

Don Coppersmith and Markus Jakobsson


We introduce a novel technique for computation of consecutive preimages of hash chains. Whereas traditional techniques have a memory-times-computation complexity of $O(n)$ per output generated, the complexity of our technique is only $O(log^2 \, n)$, where $n$ is the length of the chain. Our solution is based on the same principal amortization principle as \cite{J01}, and has the same asymptotic behavior as this solution. However, our solution decreases the real complexity by approximately a factor of two. Thus, the computational costs of our solution are approximately $ {1 \over 2} log_2 \, n$ hash function applications, using only a little more than $log_2 \, n$ storage cells. A result of independent interest is the lower bounds we provide for the optimal (but to us unknown) solution to the problem we study. The bounds show that our proposed solution is very close to optimal. In particular, we show that there exists no improvement on our scheme that reduces the complexity by more than an approximate factor of two.

Available format(s)
Publication info
Published elsewhere. FC '02
amortizationhash chainpebbleslower bound
Contact author(s)
mjakobsson @ rsasecurity com
2002-02-25: received
Short URL
Creative Commons Attribution


      author = {Don Coppersmith and Markus Jakobsson},
      title = {Almost Optimal Hash Sequence Traversal},
      howpublished = {Cryptology ePrint Archive, Paper 2002/023},
      year = {2002},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.