Paper 2014/329

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal

Berry Schoenmakers


We present explicit optimal binary pebbling algorithms for reversing one-way hash chains. For a hash chain of length $2^k$, the number of hashes performed in each output round does not exceed $\lceil k/2 \rceil$, whereas the number of hash values stored (pebbles) throughout is at most $k$. This is optimal for binary pebbling algorithms characterized by the property that the midpoint of the hash chain is computed just once and stored until it is output, and that this property applies recursively to both halves of the hash chain. We introduce a framework for rigorous comparison of explicit binary pebbling algorithms, including simple speed-1 binary pebbling, Jakobsson's speed-2 binary pebbling, and our optimal binary pebbling algorithm. Explicit schedules describe for each pebble exactly how many hashes need to be performed in each round. The optimal schedule turns out to be essentially unique and exhibits a nice recursive structure, which allows for fully optimized implementations that can readily be deployed. In particular, we develop the first in-place implementations with minimal storage overhead (essentially, storing only hash values), and fast implementations with minimal computational overhead. Moreover, we show that our approach is not limited to hash chains of length $n=2^k$, but accommodates hash chains of arbitrary length $n\geq1$, without incurring any overhead. Finally, we show how to run a cascade of pebbling algorithms along with a bootstrapping technique, facilitating sequential reversal of an unlimited number of hash chains growing in length up to a given bound.

Note: Sample code available at

Available format(s)
Public-key cryptography
Publication info
Published elsewhere. Financial Crypto 2016
hash chainspebblingin-place algorithmslightweight cryptographypost-quantum cryptographyhash-based signaturesone-way function
Contact author(s)
berry @ win tue nl
2016-08-01: last of 5 revisions
2014-05-13: received
See all versions
Short URL
Creative Commons Attribution


      author = {Berry Schoenmakers},
      title = {Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal},
      howpublished = {Cryptology ePrint Archive, Paper 2014/329},
      year = {2014},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.