Determining Minimum Hash Width for Hash Chains

Cryptographic hash functions are used in authentication, and repeated application in hash chains is used in communication protocols. In embedded devices, the width of hash values and the associated effort to evaluate the hash function is crucial, and hence the hash values should be as short as possible but should still be sufficient to guarantee the required level of security. We present a new proof for a known result by Flajolet and Odlyzko (Eurocrypt 1989), using only elementary combinatoric and probabilistic arguments. Using this result, we derive a bound on the expected number of hash values still reachable after a given number of steps in the hash chain, so that given any two of the three parameters hash chain length, width of the hash value, and security level, the remaining parameter can be computed. Furthermore, we illustrate how to "refresh" a hash chain to increase the number of reachable hash values if the initial seed is long enough. Based on this, we present a scheme that allows reduced width of hash values, and thus reduced energy consumption in the device, for a hash chain of similar length and similar security level. We illustrate our findings with experiments.