[PPT] - Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal PowerPoint Presentation

SLIDE 1

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal

Berry Schoenmakers

Coding & Crypto group

Dept of Mathematics & Computer Science TU Eindhoven, The Netherlands berry@win.tue.nl

20th Financial Cryptography Tuesday, February 23, 2016

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 2

Outline

Background

(long) hash chains & pebbling algorithms

Framework for binary pebbling

speed-1 / speed-2 (Jakobsson) / optimal pebbling

Optimized implementations

in-place (minimize storage) vs fast (maximize speed)

Extensions & Conclusions

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 3

Hash Chains

Famous example: Bitcoin’s block chain. We use “ordinary” hash chains: no proof of work.

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 4

Lamport’s Identification Scheme (Unix S/key One-Time Passwords)

One-way hash chain for seed x0:

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 5

Lamport’s Identification Scheme (Unix S/key One-Time Passwords)

One-way hash chain for seed x0:

x0

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 6

Lamport’s Identification Scheme (Unix S/key One-Time Passwords)

One-way hash chain for seed x0:

x0

f

− → x1

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 7

Lamport’s Identification Scheme (Unix S/key One-Time Passwords)

One-way hash chain for seed x0:

x0

f

− → x1

f

− → x2

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 8

Lamport’s Identification Scheme (Unix S/key One-Time Passwords)

One-way hash chain for seed x0:

x0

f

− → x1

f

− → x2

f

− → . . .

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 9

Lamport’s Identification Scheme (Unix S/key One-Time Passwords)

One-way hash chain for seed x0:

x0

f

− → x1

f

− → x2

f

− → . . .

f

− → xn−2

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 10

Lamport’s Identification Scheme (Unix S/key One-Time Passwords)

One-way hash chain for seed x0:

x0

f

− → x1

f

− → x2

f

− → . . .

f

− → xn−2

f

− → xn−1

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 11

Lamport’s Identification Scheme (Unix S/key One-Time Passwords)

One-way hash chain for seed x0:

x0

f

− → x1

f

− → x2

f

− → . . .

f

− → xn−2

f

− → xn−1

f

− → xn

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 12

Lamport’s Identification Scheme (Unix S/key One-Time Passwords)

One-way hash chain for seed x0:

x0

f

− → x1

f

− → x2

f

− → . . .

f

− → xn−2

f

− → xn−1

f

− → xn

Registration random x0 (authentic message) xn ← f n(x0) − − send xn − − − − − − − → store xn

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 13

Lamport’s Identification Scheme (Unix S/key One-Time Passwords)

One-way hash chain for seed x0:

xn

Registration random x0 (authentic message) xn ← f n(x0) − − send xn − − − − − − − → store xn

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 14

Lamport’s Identification Scheme (Unix S/key One-Time Passwords)

One-way hash chain for seed x0:

xn−1

f

− → xn

Registration random x0 (authentic message) xn ← f n(x0) − − send xn − − − − − − − → store xn 1st identification xn−1 ← f n−1(x0) − send xn−1 − − − − − − − − − → xn

?

= f (xn−1) store xn−1

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 15

Lamport’s Identification Scheme (Unix S/key One-Time Passwords)

One-way hash chain for seed x0:

xn−2

f

− → xn−1

f

− → xn

Registration random x0 (authentic message) xn ← f n(x0) − − send xn − − − − − − − → store xn 1st identification xn−1 ← f n−1(x0) − send xn−1 − − − − − − − − − → xn

?

= f (xn−1) store xn−1 2nd identification xn−2 ← f n−2(x0) − send xn−2 − − − − − − − − − − − → xn−1

?

= f (xn−2) store xn−2

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 16

Lamport’s Identification Scheme (Unix S/key One-Time Passwords)

One-way hash chain for seed x0:

x2

f

− → . . .

f

− → xn−2

f

− → xn−1

f

− → xn

Registration random x0 (authentic message) xn ← f n(x0) − − send xn − − − − − − − → store xn 1st identification xn−1 ← f n−1(x0) − send xn−1 − − − − − − − − − → xn

?

= f (xn−1) store xn−1 2nd identification xn−2 ← f n−2(x0) − send xn−2 − − − − − − − − − − − → xn−1

?

= f (xn−2) store xn−2 . . .

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 17

Lamport’s Identification Scheme (Unix S/key One-Time Passwords)

One-way hash chain for seed x0:

x1

f

− → x2

f

− → . . .

f

− → xn−2

f

− → xn−1

f

− → xn

Registration random x0 (authentic message) xn ← f n(x0) − − send xn − − − − − − − → store xn 1st identification xn−1 ← f n−1(x0) − send xn−1 − − − − − − − − − → xn

?

= f (xn−1) store xn−1 2nd identification xn−2 ← f n−2(x0) − send xn−2 − − − − − − − − − − − → xn−1

?

= f (xn−2) store xn−2 . . . n − 1st identification x1 ← f (x0) − − send x1 − − − − − − − − → x2

?

= f (x1) store x1

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 18

Lamport’s Identification Scheme (Unix S/key One-Time Passwords)

One-way hash chain for seed x0:

x0

f

− → x1

f

− → x2

f

− → . . .

f

− → xn−2

f

− → xn−1

f

− → xn

Registration random x0 (authentic message) xn ← f n(x0) − − send xn − − − − − − − → store xn 1st identification xn−1 ← f n−1(x0) − send xn−1 − − − − − − − − − → xn

?

= f (xn−1) store xn−1 2nd identification xn−2 ← f n−2(x0) − send xn−2 − − − − − − − − − − − → xn−1

?

= f (xn−2) store xn−2 . . . n − 1st identification x1 ← f (x0) − − send x1 − − − − − − − − → x2

?

= f (x1) store x1 nth identification seed x0 − − send x0 − − − − − − − − → x1

?

= f (x0)

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 19

Lamport’s Identification Scheme (Unix S/key One-Time Passwords)

One-way hash chain for seed x0:

x0

f

− → x1

f

− → x2

f

− → . . .

f

− → xn−2

f

− → xn−1

f

− → xn

Registration random x0 (authentic message) xn ← f n(x0) − − send xn − − − − − − − → store xn 1st identification xn−1 ← f n−1(x0) − send xn−1 − − − − − − − − − → xn

?

= f (xn−1) store xn−1 2nd identification xn−2 ← f n−2(x0) − send xn−2 − − − − − − − − − − − → xn−1

?

= f (xn−2) store xn−2 . . . n − 1st identification x1 ← f (x0) − − send x1 − − − − − − − − → x2

?

= f (x1) store x1 nth identification seed x0 − − send x0 − − − − − − − − → x1

?

= f (x0) Asymmetric scheme: values stored not secret. Secure against passive eavesdropper: xn of no use for 1st identification, etc.

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 20

Security Requirements for Function f

Function f should be one-way on its iterates (Levin ’85, Pedersen ’96). Matyas-Meyer-Oseas one-way function f : {0, 1}128 → {0, 1}128 where f (x) = AESIV(x) ⊕ x View f as a random function. Given y = f n(x), finding z such that f (z) = y takes 2128/n time. For hash chain of length n = 232: security of 2128

232 = 296.

Pebbling algorithms do not affect security.

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 21

Applications of (Long) Hash Chains

Micropayment schemes: CAFE phone ticks, Payword TESLA secure routing for wireless sensor networks Multicast authentication Online auctions Communication between airplanes and DME towers DME (Distance Measuring Equipment) tower authenticates its messages to airplanes. Boneh-Wang 2010: hash chain of length n = 86400 (1 link per second for 1 day)

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 22

Ultra Long Hash Chains

Length n = 232 hash chain. Direct computation of f n−i(x0) impedes fast identification. Pebbling algorithms Smart card/sensor space time recomputes xn−i from x0 O(1) O(n) stores all of x0, . . . , xn−i O(n) O(1) uses pebbling O(log n) O(log n) Each pebble

xi

stores one value xi of the hash chain.

Binary pebbling: initial positions of 5 pebbles for n = 16

x0

·

· · · · · ·

x8

·

· ·

x12

·

x14

x15
·

Operations on pebbles: clone to create new pebble at same position move one position to the right (using one application of f )

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 23

Ultra Long Hash Chains

Length n = 232 hash chain. Direct computation of f n−i(x0) impedes fast identification. Pebbling algorithms Smart card/sensor space time recomputes xn−i from x0 O(1) O(n) stores all of x0, . . . , xn−i O(n) O(1) uses pebbling O(log n) O(log n) Each pebble

xi

stores one value xi of the hash chain.

Binary pebbling: initial positions of 5 pebbles for n = 16

x0

·

· · · · · ·

x8

·

· ·

x12

·

x14

x15
·

Operations on pebbles: clone to create new pebble at same position move one position to the right (using one application of f )

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 24

Ultra Long Hash Chains

Length n = 232 hash chain. Direct computation of f n−i(x0) impedes fast identification. Pebbling algorithms Smart card/sensor space time recomputes xn−i from x0 O(1) O(n) stores all of x0, . . . , xn−i O(n) O(1) uses pebbling O(log n) O(log n) Each pebble

xi

stores one value xi of the hash chain.

Binary pebbling: initial positions of 5 pebbles for n = 16

x0

·

· · · · · ·

x8

·

· ·

x12

·

x14

x15
·

Operations on pebbles: clone to create new pebble at same position move one position to the right (using one application of f )

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 25

Ultra Long Hash Chains

Length n = 232 hash chain. Direct computation of f n−i(x0) impedes fast identification. Pebbling algorithms Smart card/sensor space time recomputes xn−i from x0 O(1) O(n) stores all of x0, . . . , xn−i O(n) O(1) uses pebbling O(log n) O(log n) Each pebble

xi

stores one value xi of the hash chain.

Binary pebbling: initial positions of 5 pebbles for n = 16

x0

·

· · · · · ·

x8

·

· ·

x12

·

x14

x15
·

Operations on pebbles: clone to create new pebble at same position move one position to the right (using one application of f )

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 26

Background

Related previous work: 1979 Winternitz iterated hash functions 1981 Lamport hash chains for identification resisting eavesdropping 2001 Itkis-Reyzin pebbling algorithms for efficient key updates 2002 Jakobsson long hash chains using pebbling FC 2002 Coppersmith-Jakobsson near optimal binary pebbling / lower bound 2009 Yum-Seo-Eom-Lee greedy optimal binary pebbling FC 2016 explicit construction for optimal binary pebbling allowing for fully optimized implementations and extensions

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 27

Background

Related previous work: 1979 Winternitz iterated hash functions 1981 Lamport hash chains for identification resisting eavesdropping 2001 Itkis-Reyzin pebbling algorithms for efficient key updates 2002 Jakobsson long hash chains using pebbling FC 2002 Coppersmith-Jakobsson near optimal binary pebbling / lower bound 2009 Yum-Seo-Eom-Lee greedy optimal binary pebbling FC 2016 explicit construction for optimal binary pebbling allowing for fully optimized implementations and extensions

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 28

Background

Related previous work: 1979 Winternitz iterated hash functions 1981 Lamport hash chains for identification resisting eavesdropping 2001 Itkis-Reyzin pebbling algorithms for efficient key updates 2002 Jakobsson long hash chains using pebbling FC 2002 Coppersmith-Jakobsson near optimal binary pebbling / lower bound 2009 Yum-Seo-Eom-Lee greedy optimal binary pebbling FC 2016 explicit construction for optimal binary pebbling allowing for fully optimized implementations and extensions

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 29

Background

Related previous work: 1979 Winternitz iterated hash functions 1981 Lamport hash chains for identification resisting eavesdropping 2001 Itkis-Reyzin pebbling algorithms for efficient key updates 2002 Jakobsson long hash chains using pebbling FC 2002 Coppersmith-Jakobsson near optimal binary pebbling / lower bound 2009 Yum-Seo-Eom-Lee greedy optimal binary pebbling FC 2016 explicit construction for optimal binary pebbling allowing for fully optimized implementations and extensions

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 30

Background

Related previous work: 1979 Winternitz iterated hash functions 1981 Lamport hash chains for identification resisting eavesdropping 2001 Itkis-Reyzin pebbling algorithms for efficient key updates 2002 Jakobsson long hash chains using pebbling FC 2002 Coppersmith-Jakobsson near optimal binary pebbling / lower bound 2009 Yum-Seo-Eom-Lee greedy optimal binary pebbling FC 2016 explicit construction for optimal binary pebbling allowing for fully optimized implementations and extensions

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 31

Background

Related previous work: 1979 Winternitz iterated hash functions 1981 Lamport hash chains for identification resisting eavesdropping 2001 Itkis-Reyzin pebbling algorithms for efficient key updates 2002 Jakobsson long hash chains using pebbling FC 2002 Coppersmith-Jakobsson near optimal binary pebbling / lower bound 2009 Yum-Seo-Eom-Lee greedy optimal binary pebbling FC 2016 explicit construction for optimal binary pebbling allowing for fully optimized implementations and extensions

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 32

Background

Related previous work: 1979 Winternitz iterated hash functions 1981 Lamport hash chains for identification resisting eavesdropping 2001 Itkis-Reyzin pebbling algorithms for efficient key updates 2002 Jakobsson long hash chains using pebbling FC 2002 Coppersmith-Jakobsson near optimal binary pebbling / lower bound 2009 Yum-Seo-Eom-Lee greedy optimal binary pebbling FC 2016 explicit construction for optimal binary pebbling allowing for fully optimized implementations and extensions

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 33

Pebbling Algorithm Visualization

Simple (speed-1) binary pebbling for n = 16: x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15

utput

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 34

Pebbling Algorithm Visualization

Simple (speed-1) binary pebbling for n = 16: x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15

utput

1 •

x15

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 35

Pebbling Algorithm Visualization

Simple (speed-1) binary pebbling for n = 16: x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15

utput

1 •

x15

2 •

x14

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 36

Pebbling Algorithm Visualization

Simple (speed-1) binary pebbling for n = 16: x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15

utput

1 •

x15

2 •

x14

3 •ց•

ց•
ց•

x13

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 37

Pebbling Algorithm Visualization

Simple (speed-1) binary pebbling for n = 16: x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15

utput

1 •

x15

2 •

x14

3 •ց•

ց•
ց•

x13 4 •

ց•

ց•
x12

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 38

Pebbling Algorithm Visualization

Simple (speed-1) binary pebbling for n = 16: x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15

utput

1 •

x15

2 •

x14

3 •ց•

ց•
ց•

x13 4 •

ց•

ց•
x12

5 •

ց•

ց•

x11

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 39

Pebbling Algorithm Visualization

Simple (speed-1) binary pebbling for n = 16: x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15

utput

1 •

x15

2 •

x14

3 •ց•

ց•
ց•

x13 4 •

ց•

ց•
x12

5 •

ց•

ց•

x11 6 •

ց•

x10

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 40

Pebbling Algorithm Visualization

Simple (speed-1) binary pebbling for n = 16: x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15

utput

1 •

x15

2 •

x14

3 •ց•

ց•
ց•

x13 4 •

ց•

ց•
x12

5 •

ց•

ց•

x11 6 •

ց•

x10

7 •

ց•
ց•

x9

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 41

Pebbling Algorithm Visualization

Simple (speed-1) binary pebbling for n = 16: x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15

utput

1 •

x15

2 •

x14

3 •ց•

ց•
ց•

x13 4 •

ց•

ց•
x12

5 •

ց•

ց•

x11 6 •

ց•

x10

7 •

ց•
ց•

x9 8 •

ց•
x8

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 42

Pebbling Algorithm Visualization

Simple (speed-1) binary pebbling for n = 16: x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15

utput

1 •

x15

2 •

x14

3 •ց•

ց•
ց•

x13 4 •

ց•

ց•
x12

5 •

ց•

ց•

x11 6 •

ց•

x10

7 •

ց•
ց•

x9 8 •

ց•
x8

9 •

ց•

x7

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 43

Pebbling Algorithm Visualization

Simple (speed-1) binary pebbling for n = 16: x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15

utput

1 •

x15

2 •

x14

3 •ց•

ց•
ց•

x13 4 •

ց•

ց•
x12

5 •

ց•

ց•

x11 6 •

ց•

x10

7 •

ց•
ց•

x9 8 •

ց•
x8

9 •

ց•

x7 10 •

x6

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 44

Pebbling Algorithm Visualization

Simple (speed-1) binary pebbling for n = 16: x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15

utput

1 •

x15

2 •

x14

3 •ց•

ց•
ց•

x13 4 •

ց•

ց•
x12

5 •

ց•

ց•

x11 6 •

ց•

x10

7 •

ց•
ց•

x9 8 •

ց•
x8

9 •

ց•

x7 10 •

x6

11 •ց•

ց•

x5

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 45

Pebbling Algorithm Visualization

Simple (speed-1) binary pebbling for n = 16: x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15

utput

1 •

x15

2 •

x14

3 •ց•

ց•
ց•

x13 4 •

ց•

ց•
x12

5 •

ց•

ց•

x11 6 •

ց•

x10

7 •

ց•
ց•

x9 8 •

ց•
x8

9 •

ց•

x7 10 •

x6

11 •ց•

ց•

x5 12 •

ց•

x4

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 46

Pebbling Algorithm Visualization

Simple (speed-1) binary pebbling for n = 16: x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15

utput

1 •

x15

2 •

x14

3 •ց•

ց•
ց•

x13 4 •

ց•

ց•
x12

5 •

ց•

ց•

x11 6 •

ց•

x10

7 •

ց•
ց•

x9 8 •

ց•
x8

9 •

ց•

x7 10 •

x6

11 •ց•

ց•

x5 12 •

ց•

x4

13 •

ց•

x3

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 47

Pebbling Algorithm Visualization

Simple (speed-1) binary pebbling for n = 16: x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15

utput

1 •

x15

2 •

x14

3 •ց•

ց•
ց•

x13 4 •

ց•

ց•
x12

5 •

ց•

ց•

x11 6 •

ց•

x10

7 •

ց•
ց•

x9 8 •

ց•
x8

9 •

ց•

x7 10 •

x6

11 •ց•

ց•

x5 12 •

ց•

x4

13 •

ց•

x3 14 •

x2

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 48

Pebbling Algorithm Visualization

Simple (speed-1) binary pebbling for n = 16: x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15

utput

1 •

x15

2 •

x14

3 •ց•

ց•
ց•

x13 4 •

ց•

ց•
x12

5 •

ց•

ց•

x11 6 •

ց•

x10

7 •

ց•
ց•

x9 8 •

ց•
x8

9 •

ց•

x7 10 •

x6

11 •ց•

ց•

x5 12 •

ց•

x4

13 •

ց•

x3 14 •

x2

15 •ց• x1

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 49

Pebbling Algorithm Visualization

Simple (speed-1) binary pebbling for n = 16: x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15

utput

1 •

x15

2 •

x14

3 •ց•

ց•
ց•

x13 4 •

ց•

ց•
x12

5 •

ց•

ց•

x11 6 •

ց•

x10

7 •

ց•
ց•

x9 8 •

ց•
x8

9 •

ց•

x7 10 •

x6

11 •ց•

ց•

x5 12 •

ց•

x4

13 •

ց•

x3 14 •

x2

15 •ց• x1 16 • x0

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 50

Pebbling Algorithm Visualization

Simple (speed-1) binary pebbling for n = 16: y4 y3 y2 y1 y0 yi = f 16−2i (x) x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15

utput

1 •

x15

2 •

x14

3 •ց•

ց•
ց•

x13 4 •

ց•

ց•
x12

5 •

ց•

ց•

x11 6 •

ց•

x10

7 •

ց•
ց•

x9 8 •

ց•
x8

9 •

ց•

x7 10 •

x6

11 •ց•

ց•

x5 12 •

ց•

x4

13 •

ց•

x3 14 •

x2

15 •ց• x1 16 • x0

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 51

Binary Pebble Pk(x) yi = f 2k−2i(x)

To generate hash chain of length n = 2k in reverse for seed value x. Pk−1 Pk−2

yk = x
yk−1
yk−2
y1
y0
Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal

Berry Schoenmakers

SLIDE 52

Binary Pebble Pk(x) yi = f 2k−2i(x)

Pk−1 Pk−2

••

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 53

Binary Pebble Pk(x) yi = f 2k−2i(x)

x

Pk−1 Pk−2

••

yk yk−1 yk−2 y0

− − −

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 54

Binary Pebble Pk(x) yi = f 2k−2i(x)

x

Pk−1 Pk−2

••

initial stage

utput

stage

yk yk−1 yk−2 y0

− − − round 1 round 2k round 2k+1−1

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 55

Binary Pebble Pk(x) yi = f 2k−2i(x)

x

Pk−1 Pk−2

••

initial stage

utput

stage

yk yk−1 yk−2 y0

− − − round 1 round 2k round 2k+1−1 Compute: yk = x yk−1 = f 2k−1(x) . . . y0 = f 2k−1(x)

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 56

Binary Pebble Pk(x) yi = f 2k−2i(x)

x

Pk−1 Pk−2

••

initial stage

utput

stage

yk yk−1 yk−2 y0

− − − round 1 round 2k round 2k+1−1 Compute: yk = x yk−1 = f 2k−1(x) . . . y0 = f 2k−1(x) Output y0.

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 57

Binary Pebble Pk(x) yi = f 2k−2i(x)

x

Pk−1 Pk−2

••

initial stage

utput

stage

yk yk−1 yk−2 y0

− − − round 1 round 2k round 2k+1−1 Compute: yk = x yk−1 = f 2k−1(x) . . . y0 = f 2k−1(x) Output y0. Run in parallel: Pk−1(yk) Pk−2(yk−1) . . . P1(y0)

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 58

Framework for Binary Pebbling

Hash chain sequence f ∗

k(x) = {x, f (x), f 2(x), . . . , f 2k−1(x)}

Schedule sequence Tk = {tr}2k−1

r=1

with total tr = 2k − 1 Pebble Pk(x) is recursively defined by: Rounds [1, 2k): Store yi = f 2k−2i (x) for i=k, . . . , 0 using tr hashes in round r. Round 2k: Output y0. Rounds (2k, 2k+1): Run Pi−1(yi) in parallel for i=1, . . . , k. Pebble Pk(x) produces f ∗

k(x) in reverse, using k2k−1 hashes in total.

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 59

Framework for Binary Pebbling

Hash chain sequence f ∗

k(x) = {x, f (x), f 2(x), . . . , f 2k−1(x)}

Schedule sequence Tk = {tr}2k−1

r=1

with total tr = 2k − 1 Pebble Pk(x) is recursively defined by: Rounds [1, 2k): Store yi = f 2k−2i (x) for i=k, . . . , 0 using tr hashes in round r. Round 2k: Output y0. Rounds (2k, 2k+1): Run Pi−1(yi) in parallel for i=1, . . . , k. Pebble Pk(x) produces f ∗

k(x) in reverse, using k2k−1 hashes in total.

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 60

Framework for Binary Pebbling

Hash chain sequence f ∗

k(x) = {x, f (x), f 2(x), . . . , f 2k−1(x)}

Schedule sequence Tk = {tr}2k−1

r=1

with total tr = 2k − 1 Pebble Pk(x) is recursively defined by: Rounds [1, 2k): Store yi = f 2k−2i (x) for i=k, . . . , 0 using tr hashes in round r. Round 2k: Output y0. Rounds (2k, 2k+1): Run Pi−1(yi) in parallel for i=1, . . . , k. Pebble Pk(x) produces f ∗

k(x) in reverse, using k2k−1 hashes in total.

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 61

Framework for Binary Pebbling

Hash chain sequence f ∗

k(x) = {x, f (x), f 2(x), . . . , f 2k−1(x)}

Schedule sequence Tk = {tr}2k−1

r=1

with total tr = 2k − 1 Pebble Pk(x) is recursively defined by: Rounds [1, 2k): Store yi = f 2k−2i (x) for i=k, . . . , 0 using tr hashes in round r. Round 2k: Output y0. Rounds (2k, 2k+1): Run Pi−1(yi) in parallel for i=1, . . . , k. Pebble Pk(x) produces f ∗

k(x) in reverse, using k2k−1 hashes in total.

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 62

Performance Measures: Time vs Space

Schedule Tk: number of hashes per round during initial stage of Pk. Performance measures: Work Wk: number of hashes per round during output stage of Pk. Storage Sk: number of hash values stored by Pk in each round. Best achievable for binary pebbling: Storage: max(Sk) ≈ k to store hash values yk, . . . , y0. Work: max(Wk) ≈ k/2 to perform k2k−1 hashes in 2k rounds.

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 63

Performance Measures: Time vs Space

Schedule Tk: number of hashes per round during initial stage of Pk. Performance measures: Work Wk: number of hashes per round during output stage of Pk. Storage Sk: number of hash values stored by Pk in each round. Best achievable for binary pebbling: Storage: max(Sk) ≈ k to store hash values yk, . . . , y0. Work: max(Wk) ≈ k/2 to perform k2k−1 hashes in 2k rounds.

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 64

Performance Measures: Time vs Space

Schedule Tk: number of hashes per round during initial stage of Pk. Performance measures: Work Wk: number of hashes per round during output stage of Pk. Storage Sk: number of hash values stored by Pk in each round. Best achievable for binary pebbling: Storage: max(Sk) ≈ k to store hash values yk, . . . , y0. Work: max(Wk) ≈ k/2 to perform k2k−1 hashes in 2k rounds.

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 65

Rushing Pebbles

r T4S4

rushing pebble P4

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

1

1
1
1
1
1
1
1
1
1
1
1
1
1
1

15

5
•

minimizes storage some very slow rounds Schedule Tk: All hashes in last round. Rushing pebble Pk uses up to max(Wk) ≈ 2k hashes max(Sk) ≈ k storage

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 66

Rushing Pebbles

r T4S4

rushing pebble P4

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

1

1
1
1
1
1
1
1
1
1
1
1
1
1
1

15

5

W4

•

4 1

4
•

3 3

4
•

3 1

3
•

2 7

4
•

3 1

3
•

2 3

3
•

2 1

2
•

1

minimizes storage

some very slow rounds Schedule Tk: All hashes in last round. Rushing pebble Pk uses up to max(Wk) ≈ 2k hashes max(Sk) ≈ k storage

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 67

Speed-1 Pebbles

r T4S4

speed-1 pebble P4

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

1 1

2

1

•

2 1

2

1

2

1

2

1

2

1

2

1

2

1

3

1

•

3 1

3

1

3

1

4

1

•

4 1

5
•

reasonably fast rounds high worst-case storage Schedule Tk: Exactly one hash per round. Speed-1 pebble Pk uses up to max(Wk) ≈ k hashes max(Sk) ≈ 2k storage

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 68

Speed-1 Pebbles

r T4S4

speed-1 pebble P4

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

1 1

2

1

•

2 1

2

1

2

1

2

1

2

1

2

1

2

1

3

1

•

3 1

3

1

3

1

4

1

•

4 1

5

W4

•

4 3

6

2

•
•
•

5 2

5

1

•

4 2

5

1

•
•

4 1

4
•

3 2

4

1

•
•

3 1

3
•

2 1

2
•

1

reasonably fast rounds

high worst-case storage Schedule Tk: Exactly one hash per round. Speed-1 pebble Pk uses up to max(Wk) ≈ k hashes max(Sk) ≈ 2k storage

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 69

Speed-2 Pebbles (Jakobsson 2002)

r T4S4

speed-2 pebble P4

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

1

1
1
1
1
1
1
1

2

2

2

2

2

2

2

2

2

3

2

3

2

4

1

5
•

storage optimal reasonably fast rounds Schedule Tk: 1st half: idle 2nd half: 2 hashes per round Speed-2 pebble Pk uses up to max(Wk) ≈ k hashes max(Sk) ≈ k storage

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 70

Speed-2 Pebbles (Jakobsson 2002)

r T4S4

speed-2 pebble P4

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

1

1
1
1
1
1
1
1

2

2

2

2

2

2

2

2

2

3

2

3

2

4

1

5

W4

•

4 1

4

2

•

4 1

4

2

•

4 3

4

2

•

4 1

4
•

3 1

3

2

•

3 1

3
•

2 1

2
•

1

storage optimal

reasonably fast rounds Schedule Tk: 1st half: idle 2nd half: 2 hashes per round Speed-2 pebble Pk uses up to max(Wk) ≈ k hashes max(Sk) ≈ k storage

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 71

Optimal Pebbles

r T4S4

ptimal

pebble P4

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

1

1
1
1
1
1
1
1

2

2

2

2

1

2

1

2

2

2

2

3

2

3

3

5
•

no slow rounds storage optimal (stays “behind” speed-2 pebble) Schedule Tk: 1st-half: idle 2nd-half: average speed 2 hashes Formula for #hashes in round r

1

2 ((k+r) mod 2 + k + 1 − len((2r) mod 2len(2k −r))) len(x): bit length of x

Optimal pebble Pk uses up to max(Wk) ≈ k/2 hashes max(Sk) ≈ k storage

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 72

Optimal Pebbles

r T4S4

ptimal

pebble P4

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

1

1
1
1
1
1
1
1

2

2

2

2

1

2

1

2

2

2

2

3

2

3

3

5

W4

•

4 1

4

1

•

4 2

•
4

2

•

4 2

4

2

•

4 2

•
4
•

3 1

3

1

•

3 2

•
3
•

2 1

2
•

1

no slow rounds

storage optimal (stays “behind” speed-2 pebble) Schedule Tk: 1st-half: idle 2nd-half: average speed 2 hashes Formula for #hashes in round r

1

2 ((k+r) mod 2 + k + 1 − len((2r) mod 2len(2k −r))) len(x): bit length of x

Optimal pebble Pk uses up to max(Wk) ≈ k/2 hashes max(Sk) ≈ k storage

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 73

Optimal Pebbles

r T4S4

ptimal

pebble P4

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

1

1
1
1
1
1
1
1

2

2

2

2

1

2

1

2

2

2

2

3

2

3

3

5

W4

•

4 1

4

1

•

4 2

•
4

2

•

4 2

4

2

•

4 2

•
4
•

3 1

3

1

•

3 2

•
3
•

2 1

2
•

1

Not

recursive! no slow rounds storage optimal (stays “behind” speed-2 pebble) Schedule Tk: 1st-half: idle 2nd-half: average speed 2 hashes Formula for #hashes in round r

1

2 ((k+r) mod 2 + k + 1 − len((2r) mod 2len(2k −r))) len(x): bit length of x

Optimal pebble Pk uses up to max(Wk) ≈ k/2 hashes max(Sk) ≈ k storage

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 74

Optimal Schedule Tk—Extreme, Essentially Unique Object

Tk = {tr}2k−1

r=1 , where

len(x): bit length of x

tr = 0, 1 ≤ r < 2k−1 tr = 1

2

k + 1 − len

(2r) mod 2len(2k−r) , 2k−1 ≤ r < 2k Tk = 02k−1−1 Uk Vk, where

: concatenation

Uk = 1

2 + Uk−1 12k−3,

Vk = 1

2 + Uk−1 1 2 + Vk−1

avg. speed 2

speed 1

avg. speed 2
avg. speed 3

U3V3 2122 U4V4 22112223 U5V5 3221111132213233 U6V6 33221212111111113322121233223334 U7V7 4332222221212121111111111111111143322222212121214332222243324344

avg. speed 2

speed 1

avg. speed 2
avg. speed 3

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 75

Optimal Schedule Tk—Extreme, Essentially Unique Object

Tk = {tr}2k−1

r=1 , where

len(x): bit length of x

tr = 0, 1 ≤ r < 2k−1 tr = 1

2

k + 1 − len

(2r) mod 2len(2k−r) , 2k−1 ≤ r < 2k Tk = 02k−1−1 Uk Vk, where

: concatenation

Uk = 1

2 + Uk−1 12k−3,

Vk = 1

2 + Uk−1 1 2 + Vk−1

avg. speed 2

speed 1

avg. speed 2
avg. speed 3

U3V3 2122 U4V4 22112223 U5V5 3221111132213233 U6V6 33221212111111113322121233223334 U7V7 4332222221212121111111111111111143322222212121214332222243324344

avg. speed 2

speed 1

avg. speed 2
avg. speed 3

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 76

Optimized Implementations

Optimal schedule minimizes storage and computation of hashes Naive implementation may nullify these efforts by storing extensive states per pebble expensive state updates expensive calculation of schedules tr (# hashes in round r) Explicit formula for tr enables fully optimized implementations: For min. storage overhead: In-place (no state per pebble between rounds) For min. computational overhead:

Max. speed, quick calculation of tr from more redundant state. Useful if

hash computations are relatively fast (e.g., implemented in hardware).

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 77

In-Place Implementations

Define state of speed-2/optimal pebble Pk as: idle in rounds [1, 2k−1) no hashes at all hashing in rounds [2k−1, 2k] ≥ 1 hash per round redundant in rounds (2k, 2k+1) work done by child pebbles P0, . . . , Pk−1 As a function of the round number r, we determine for Pk: which non-redundant pebbles are present (running in parallel) whether these pebbles are idle/hashing number of hash values stored by these pebbles etc.

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 78

From Round Number to Pebble States

Recall: Pebble Pk(x) is recursively defined by: Rounds [1, 2k): Store yi = f 2k−2i (x) for i=k, . . . , 0 using tr hashes in round r. Round 2k: Output y0. Rounds (2k, 2k+1): Run Pi−1(yi) in parallel for i=1, . . . , k. Example (From c = 360 to c = 359) c8 c7 c6 c5 c4 c3 c2 c1 c0

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 79

From Round Number to Pebble States

Let c = 2k+1 − r count number of rounds left in output stage of Pk. For speed-2 pebble Pk in round c: Exactly one non-redundant pebble Pi present iff bit ci = 1 Non-redundant pebble Pi is hashing if bit ci−1 = 0, otherwise idle. Each non-redundant pebble Pi stores t + 1 hash values, where t is maximal s.t. bits ci−1 = . . . = ci−t = 0. Example (From c = 360 to c = 359) c8 c7 c6 c5 c4 c3 c2 c1 c0

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 80

From Round Number to Pebble States

Let c = 2k+1 − r count number of rounds left in output stage of Pk. For speed-2 pebble Pk in round c: Exactly one non-redundant pebble Pi present iff bit ci = 1 Non-redundant pebble Pi is hashing if bit ci−1 = 0, otherwise idle. Each non-redundant pebble Pi stores t + 1 hash values, where t is maximal s.t. bits ci−1 = . . . = ci−t = 0. Example (From c = 360 to c = 359) c8 c7 c6 c5 c4 c3 c2 c1 c0 c = 360 1 1 1 1 P state

i/hash values

P hashing

8/y8/y7

P idle

6/y6

P hashing

5/y5/y4

P hashing

3/y3/y2/y1/y0

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 81

From Round Number to Pebble States

Let c = 2k+1 − r count number of rounds left in output stage of Pk. For speed-2 pebble Pk in round c: Exactly one non-redundant pebble Pi present iff bit ci = 1 Non-redundant pebble Pi is hashing if bit ci−1 = 0, otherwise idle. Each non-redundant pebble Pi stores t + 1 hash values, where t is maximal s.t. bits ci−1 = . . . = ci−t = 0. Example (From c = 360 to c = 359) c8 c7 c6 c5 c4 c3 c2 c1 c0 c = 360 1 1 1 1 P state

i/hash values

P hashing

8/y8/y7

P idle

6/y6

P hashing

5/y5/y4

P hashing

3/y3/y2/y1/y0

c = 359 1 1 1 1 1 1 P state

i/hash values

P hashing

8/y8/y7

P idle

6/y6

P hashing

5/y5/y4/y3

P idle

2/y2

P idle

1/y1

P hash

0/y0

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 82

In-Place Speed-2 Pebbles

Use single array z of length k to store all hash values.

1: output z[0] 2: i ← pop0(c) 3: z[0..i−1] ← z[1..i] 4: i ← i + 1; c ← ⌊c/2⌋ 5: q ← i − 1 6: while c = 0 do 7:

z[q] ← f (z[i])

8:

if q = 0 then z[q] ← f (z[q])

9:

i ← i + pop0(c) + pop1(c)

10:

q ← i

pop0(c): count & remove trailing 0-bits from c pop1(c): count & remove trailing 1-bits from c

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 83

Optimal Schedule: Simple Characterization

Example: consider pebble Pk at c = 8429 rounds from the end.

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 84

Optimal Schedule: Simple Characterization

Example: consider pebble Pk at c = 8429 rounds from the end. c = 1 1 1 1 1 1 1

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 85

Optimal Schedule: Simple Characterization

Example: consider pebble Pk at c = 8429 rounds from the end. 0s–1s runs

c =

1 1 1 1 1 1 1

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 86

Optimal Schedule: Simple Characterization

Example: consider pebble Pk at c = 8429 rounds from the end. 0s–1s runs

c =

1 1 1 1 1 1 1 P13 Hashing pebble P13 performs 8/2 hashes.

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 87

Optimal Schedule: Simple Characterization

Example: consider pebble Pk at c = 8429 rounds from the end. 0s–1s runs

c =

1 1 1 1 1 1 1 P13 P5 Hashing pebble P13 performs 8/2 hashes. Hashing pebble P5 performs 3/2 hashes.

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 88

Optimal Schedule: Simple Characterization

Example: consider pebble Pk at c = 8429 rounds from the end. 0s–1s runs

c =

1 1 1 1 1 1 1 P13 P5 P2 Hashing pebble P13 performs 8/2 hashes. Hashing pebble P5 performs 3/2 hashes. Hashing pebble P2 performs 2/2 hashes.

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 89

Optimal Schedule: Simple Characterization

Example: consider pebble Pk at c = 8429 rounds from the end. 0s–1s runs

c =

1 1 1 1 1 1 1 P13 P5 P2 Hashing pebble P13 performs 8/2 hashes. Hashing pebble P5 performs 3/2 hashes. Hashing pebble P2 performs 2/2 hashes. Now, trivially, in total k/2 hashes in any round.

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 90

In-Place Optimal Binary Pebbles

1: output z[0] 2: i ← pop0(c) 3: z[0..i−1] ← z[1..i] 4: i ← i + 1; c ← ⌊c/2⌋ 5: m ← i; s ← 0 6: while c = 0 do 7:

l ← i

8:

i ← i + pop0(c)

9:

j ← (−r) mod 2i

10:

p ← (i + j) mod 2

11:

h ← ⌊(p + j(i − m) + (m + 3 − l)2l − 2m)/2⌋

12:

q ← len(h) − 1

13:

for d ← 1 to ⌊(p + i + 1 − s)/2⌋ do

14:

y ← z[q]

15:

if h = 2q then q ← q − 1

16:

z[q] ← f (y)

17:

h ← h − 1

18:

m ← i; s ← m + 1

19:

i ← i + pop1(c)

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 91

Fast Optimal Binary Pebbles

1: output z[0] 2: i ← pop0(c) 3: z[0..i−1] ← z[1..i] 4: i ← i + 1; c ← ⌊c/2⌋ 5: if c odd then a[v] ← (i, 0); v ← v + 1 6: u ← v 7: w ← (r mod 2) + i + 1 8: while c = 0 do 9:

w ← w + pop0(c)

10:

u ← u − 1; (q, g) ← a[u]

11:

for d ← 1 to ⌊w/2⌋ do

12:

y ← z[q]

13:

if g = 0 then q ← q − 1; g = 2q

14:

z[q] ← f (y)

15:

g ← g − 1

16:

if q = 0 then a[u] ← (q, g) else v ← v − 1

17:

w ← (w mod 2) + pop1(c)

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 92

Extensions

Chains of arbitrary length n

2k−1 < n ≤ 2k Compute initial state directly, using exactly n hashes Correct intermediate hash values are stored in array z

Cascades and bootstrapping

Techniques to offload initialization Require additional authentication steps (e.g., using one-time signatures)

Eliminate shifting z[0..i−1] ← z[1..i]

Copying entire hash values may be expensive No shifting, but retain in-place property

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 93

Cascade: Practically Free Reinitialization

x

•
Run Pk(x) for seed x.

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 94

Cascade: Practically Free Reinitialization

x′

•
x
•
Run Pk(x) for seed x.

Then Pk(x ′) for a new seed x ′.

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 95

Cascade: Practically Free Reinitialization

x′′

•
x′
•
x
•
Run Pk(x) for seed x.

Then Pk(x ′) for a new seed x ′. Then Pk(x ′′) for a new seed x ′′.

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 96

Cascade: Practically Free Reinitialization

x′′′

•
x′′
•
x′
•
x
•
Run Pk(x) for seed x.

Then Pk(x ′) for a new seed x ′. Then Pk(x ′′) for a new seed x ′′. And so, on. Each endpoint needs to be authenticated!!

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

SLIDE 97

Concluding Remarks

Lightweight. For very efficient implementation use f (x) = AESIV(x) ⊕ x:

Length 232 chain in 516 bytes at max. 16 hashes per identification round. Length 216 chain in 258 bytes at max. 8 hashes per identification round.

Post-Quantum:

Lamport’s identification scheme: asymmetric but entirely hash-based Merkle authentication trees: in-place traversal?

Time-Space Product for length n = 2k chain:

binary pebbling:

1 2 k2

Coppersmith-Jakobsson lower bound: ≈ 1

4 k2

bound already found by Grim et al. [GPRS96] lower bound does not take limited number of hashes per round into account

Potential alternative: Fibonacci pebbling with n = Fk