Comparison: GMSS

Inthis part theGMSS implementationisanalyzed. Ashash funtion,alltests used

the SHA1 version out of the FlexiCoreProvider. As pseudo randomnumber

gener-ator the Sha1PRNG of the Sun provider was used. All tests were performed on an

IntelCore 2Duo T72002GHzproessor with1 GBRAM. As runtimeenvironment

the Sun JRE 1.3 was deployed.

The time needed for generationand veriation of a singlesignature is quitesmall.

For this it is essential to measure timings in miroseonds. Following [27℄ we use

the hrtlib.dll library, whih provides atimer to exatly measure time dierenes in

those spheres. Just reating a signature more than one and omputing the mean

valuewould not be asolution: the private key hangeswith everysignature, soitis

not easyto reate the same signature more than one.

Nearlyall parametersets

P

^{used for the testings are} haraterized by the fat that the Winternitz parameter belonging to the lowest layer is smaller than all others.

Smallerparameter

w

^{allowsfaster signature}generation,butisresponsibleforbigger signatures. As on the lowest layer the publi keys for the leaf values have to be

omputed at one and annot be distributed, a smaller parameter on this layer

speeds up thewhole proess, even more than the parametersonupperlayers would

do. For this the Winternitz parameter onthe lowest layeris mostly hosen smaller

thanthe others.

Balaning. First a omparison between the old GMSS implementation of [17℄ is

omparedtothe newone. Usingtheparameterset

P = (4, (4, 4, 4, 4), (8, 8, 8, 3))

^the

signature generationlasts arbitrarilyfour milliseonds,whatever implementationis

used. But amongdierent signatures the durationvaries more or less, beause the

oinepartdoesnotalwaysomputethesameparts. Figure18depitstheresulting

timings for both implementations for

200

signatures. The red line indiates the timingsofthenewimplementation,thebluelinebelongstheoldone. Theparameter

K

^{isset to}

2

^{oneah layer.}

900 0 920 940 960 980 1000 1020 1040 1060 1080 1100 5

10 15 20 25 30 35

PSfrag replaements

SignatureIndex

ϕ

SigningTime[ms℄

oldimplementation newimplementation

Figure 18: Time needed for signing with GMSS. The red line shows the timings using

thenewGMSSimplementation,the bluelinebelongs tothe oldimplementation. Theused

parametersetis

P = (4, (4, 4, 4, 4), (8, 8, 8, 3))

^,

K

^isset

2

^{on eahlayer.}

Figure18 illustratesthat the time needed for signing is muh more balaned using

the new GMSS implementation. The edges within the blue graph ome up every

16

signatures. Using a bottom tree of height

4

^{(whih means}

2 ⁴ = 16

^leaves),

the old implementationneeds muhtime for advaning aleaf on the seond lowest

layer. This isthe situationwhere the new implementationuses the better balaned

authentiationpath algorithm. Furthermore the preomputation of the atual and

the oming (treehash) leaves of this tree saves time. Those leaves are omputed

ompletely within the old implementation, whereas in the other ase they an be

simply opied. So the applied hanges really aet the timings the way it was

supposed.

The statistialanalysis of the data emphasizes the better balaning of the new

im-plementation: whereas the meanvalue remainsnearly thesame (

5.0

^{ms(old) to}

4.2

ms(new)), the standard deviation of the timings was redued to more than a

sev-enthpart: itdereases from

4.6

^msto

0.6

^{msusing the newGMSS} implementation.

Thisevidently shows thatthe shedulingofthe nodes inthe uppertree reallyleads

tobetter balaning attributes for the signature generation.

Greater Amounts Of Signatures. In [7℄ some linear optimization was used to

ndoptimalGMSSparametersets,allowingmodularkeyandsignaturesizesbesides

appliable timings. The optimal sets for an amount of

2 ⁴⁰

^and

2 ⁸⁰

^{signatures were}

adoptedand the parameter

K

^{was inluded. Sowe getthe followingparametersets}

forour test:

P 40 = (2, (20, 20), (10, 5), (2, 2)) P ₄₀ ^′ = (2, (20, 20), (9, 3), (2, 2))

P ₈₀ ^′ = (4, (20, 20, 20, 20), (7, 7, 7, 3), (2, 2, 2, 2))

The following tabular shows the resulting timings and memory requirements. The

key size always denotes the byte length of the ASN.1 enoded keys. The timings

were obtained on the above mentioned platform as mean value of the rst

2 ¹²

sig-natures. With a tree of height

20

^{on the lowest layer, for omparison the rst}

2 ²¹

or even more signatures should have been reated, so that an advane on upper

layers was onsidered. But this test would take too long, so only the rst

2 ¹²

^were

onstruted. Toshowhowthiseetsthenalresults,weomparedthetimingsand

key sizes of a GMSS struture with lowest layer height

10

^with

2 ¹⁰

^and

2 ¹⁵

signa-tures: the diereneinthe privatekeysize is

0.2%

^{,whereas intimingsnodierene}

is reognizable. So we adopt that for our parametersets it is adequate to ompare

onlythe rst

2 ¹²

signatures.

Thevalues inthe tablesrepresentthefollowing:

m

^{valuesare memory}requirements for the keys and the signature. The time needed for key pair generation, signature

onstrutionorveriation, respetively, is denoted by

t

^values.

m

^publikey

m

^privatekey

m

^signature

t

^keygen

t

^sign

t

^verify

P 40 75

^bytes

12341

^bytes

1868

^bytes

539

^min

13.4

^ms

13.1

^ms

P ₄₀ ^′ 75

^bytes

12501

^bytes

2348

^bytes

299

^min

6.6

^ms

8.1

^ms

P ₈₀ ^′ 93

^bytes

30372

^bytes

4256

^bytes

464

^min

7.4

^ms

8.4

^ms

Table 6: Measured valuesfor the new GMSSimplementation

For omparing these numbers with the old GMSS implementation, we adopt the

resultsfrom [17℄ measured on anAsusV6J (1.83GHz CPU).

m

^publikey

m

^privatekey

m

^signature

t

^keygen

t

^sign

t

^verify

P ₄₀ 67

^bytes

5467

^bytes

1868

^bytes

579

^min

22.6

^ms

19.4

^ms

P ₄₀ ^′ 67

^bytes

5547

^bytes

2348

^bytes

321

^min

11.6

^ms

10.6

^ms

P ₈₀ ^′ 79

^bytes

14731

^bytes

4256

^bytes

498

^min

11.6

^ms

9.5

^ms

Table 7: Measured values forthe oldGMSSimplementation,from [17℄

The timings are quite the same using both implementations, the disrepanies are

mostly aused by the dierent platforms. The signature size remains exatly the

same,it was not touhed by the revision of GMSS. The publikey rises few,as the

K

^{parameters for eah layer have to be stored} additionally. The private key size nearly doubles. For the better authentiation path omputation, more upoming

datahas tobestored,likethetreehash instanes orthestaks ofthe followingtrees

oneahheight. This dataisstoredintheprivatekey, andthatiswhyitssizegrows.

However, the sizes of up to

30

^{kilobytes are stilluseableinpratie. The table only}

shows a mean value of the private key sizes: for

P ₄₀ ^′

^{it ranges from}

10541

^to

12731

bytes,for

P ₈₀ ^′

^{itdiersbetween}

28413

^and

30602

^{bytes. Thebalaningofthetimings}

annotbe seen inthis tables, the ahievements inthis onern have been shown in

the lastsetion.

Some more measures are depited in Appendix A. Therefrom we get some more

informationof the aets of the GMSS parameters: if the parameters

K

^{raise, the}

private key size rises as well. Higher

K

^{makes sure that more upper nodes are}

permanentlystored inthe privatekey, soitis lear that itssize inreases.

Simulta-neously the signing time delines, as the upper nodes must no more be omputed

hosing higher

K

^{values. The signature size is not aeted by this parameter.}

The impats of the parameter

w

^{are the same as before in GMSS: hoosing bigger}

w

^{values, the signature and the private key sizes deline,whereas the timings grow}

abit. Smaller

w

^{'shave exatlythe ontrary impat.}

It is onluded that GMSS is ready to use in pratial appliations. The timings

areomparabletoothersignatureshemesthat areused widelytoday,likeECDSA,

DSA or RSA. For measured results of these shemes see for example [5℄. Even if

the key sizes, espeiallyof the private signingkeys, are relativelybig, GMSS is still

appliable. We have reated up to

2 ⁸⁰

^{signature keys with reasonable eort and}

osts. This amount should be adequate for todays use, even in online appliations

like paket signingin broadast protools.

Merkle Tree Traversal. This thesis presented a new algorithmfor the

ompu-tation of onseutive authentiation paths in Merkle trees. Compared to the best

formerlyknown, the new algorithmfeatures a better balaning onerning the real

numberof hash funtionalls perround. This property ouldbeobtained

theoreti-ally,and itould be approved by pratialresults aswell. The worst ase number

of leaves alulated per round was redued to

(H − K)/2 + 1

^{, while the maximum}

number ofhashes to perform is bounded linearly in

H

^.

Parameterization allows a trade-o between omputation time and memory

de-mands. This allows the appliation of the algorithm on dierent kinds of devies,

for example on smart ards and similar low omputation applianes. The storage

needed for the ow of the algorithm is bounded logarithmially in the number of

leaves, whih is the best omplexity to reah. Even on hardware whih does not

allow dynami memory alloation, the new algorithmdoes only need linear spae.

This resultsin the utilizationof one single stak shared by alltreehash instanes.

For heights

H

^{greater than twenty the advantages of Algorithm 3 deline. But in}

pratie Merkle trees with heights

H > 20

^{should not be applied. The key pair}

generation,whihmustalwaysompute thewholetreeatone,lasts toolonginthis

ase. Itis muhmore omfortabletouse the extensions of MSS, if greateramounts

of signatures are demanded.

Pratial Part: GMSS. The seondpart of this thesis was the implementation

of the new algorithminto anexisting GMSS implementation forthe FlexiProvider.

The onstrution and use of the JCA assures maximal exibility. The generalized

MerklesignatureshemeanbepluggedintoeveryappliationbasedontheJCA.As

anexamplethere exists aMSOutlookplugin forsigningemails withany algorithm

of the FlexiPovider [5℄. The Winternitz one time signature sheme an easily be

replaedbyanyotherOTSsheme. AsarstfurtherworktheBiBaOTSsheme[13℄

shall be integrated into GMSS, as it allows smaller signatures than the Winternitz

sheme. Forthehashfuntion,usedfortheonstrutionoftheMerkletrees,dierent

shouldturnoutinseure,themessagedigestfuntionouldbeexhangedeasily. The

same ours to the used pseudo random number generator. Whilewe used the one

desribed in [14℄, another one ould be made use of.

Stillone drawbak of GMSS is the long key generation time. As an amount of

2 ⁸⁰

keys an be regarded as ryptographially unlimited, in pratie this problem an

be disregarded, beause it only must be run one before all signatures are reated.

Sothis part an bedone oine, beforethe reationof the rst signature.

TheMerklesignatureshemesareharaterizedbyanenormousexibility. Equipped

withsomanyparameterstheseshemesanbeusedonnearlyeveryimaginable

plat-form. Thesize ofthe keysand thesignatures anbeadjustedaswellasthe timings

for signature generation or veriation, respetively. This makes GMSS (as atual

thebestimplementationof the Merkleshemes)appliableonallhardware devies.

The timings for signature generation and veriation, respetively, are omparable

to the widely used shemes like RSA, DSA or ECDSA. The GMSS publi key is

even smaller than former keys. The private key is relatively big, but for today's

pratial usage still reasonable. Therefore, a onlusion is that today there are

digital signature shemes that exist out of the post quantum omputing eld with

possiblepratiable use.

[1℄ Peter W.Shor. Algorithmsforquantumomputation: Disrete logarithmsand

fatoring. In IEEE Symposium on Foundations of Computer Siene, pages

124134,1994.

[2℄ Lov K. Grover. A fast quantum mehanial algorithm for database searh. In

STOC'96: Proeedingsofthetwenty-eighthannualACMsymposiumonTheory

of omputing,pages 212219,New York, NY, USA, 1996.ACM.

[3℄ ArjenK.LenstraandEri R.Verheul. Seleting ryptographikeysizes.

Jour-nal of Cryptology, 14(4):255293,2001. Updated versionfrom2004availableat

http://plan9.bell-labs.o m/wh o/ak l/in dex. html .

[4℄ RalphC.Merkle. Aertied digitalsignature. InPro. Advanesin Cryptology

(Crypto'89),volume435 ofLeture Notesin ComputerSiene,pages218238.

Springer-Verlag,1989.

[5℄ Johannes Buhmann, Luis Carlos Coronado Garia, Erik Dahmen, Martin

Döring,and ElenaKlintsevih. CMSS animproved Merklesignaturesheme.

In Pro. Progress in Cryptology (Indorypt'06), volume 4329 of Leture Notes

in Computer Siene,pages 349363.Springer-Verlag, 2006.

[6℄ LuisCarlosCoronado Garía. On the seurity andthe eieny of the Merkle

signature sheme. CryptologyePrint Arhive, Report 2005/192, 2005.

[7℄ Johannes Buhmann,Erik Dahmen, Elena Klintsevih,Katsuyuki Okeya, and

Camille Vuillaume. Merkle signatures with virtually unlimited signature

a-paity. 5th International Conferene on Applied Cryptography and Network

Seurity - ACNS'07, LNCS 4521, Springer, 2007, pp. 31-45.

[8℄ WhiteldDieandMartinE.Hellman. New diretionsinryptography. IEEE

Transations on Information Theory,IT-22(6):644654, 1976.

[9℄ AlexanderMay.SkriptzurVorlesungPubliKeyKryptanalyse,TUDarmstadt,

2005/2006.

nist.gov/publiations/Pubs FIPS .ht ml.

[11℄ Ron Rivest. The MD5 Message-Digest Algorithm, 1992.

[12℄ Chris Dods, Nigel Smart, and Martijn Stam. Hash based digital signature

shemes. In Pro. Cryptography and Coding, volume 3796 of Leture Notes in

Computer Siene, pages 96115.Springer-Verlag, 2005.

[13℄ AdrianPerrig. TheBiBaone-timesignatureand broadastauthentiation

pro-tool. In ACM Conferene on Computer and Communiations Seurity, pages

2837,2001.

[14℄ Digitalsignaturestandard. FIPS PUB186-2,2000. Availableathttp://sr.

nist.gov/publiations/Pubs FIPS .ht ml.

[15℄ Y.Hu,A.Perrig,and D.Johnson. Paket leashes: Adefense againstwormhole

attaksinwirelessadhonetworks. Tehnialreport,DepartmentofComputer

Siene, Rie University, 2001.

[16℄ Mihael Szydlo. Merkle tree traversal in logspae and time(preprint version),

2003. Available athttp://www.szydlo.om.

[17℄ SebastianBlume.EientJavaimplementationofGMSS,diplomathesis,2007.

[18℄ Mihir Bellare and Sara K. Miner. A forward-seure digital signature sheme.

Leture Notes in Computer Siene, 1666:431448,1999.

[19℄ ShimonEven, OdedGoldreih,and SilvioMiali. On-line/o-linedigital

signa-tures. InCRYPTO '89: ProeedingsonAdvanesin ryptology, pages263275,

New York,NY, USA, 1989. Springer-Verlag New York, In.

[20℄ Markus Jakobsson, Tom Leighton, Silvio Miali, and Mihael Szydlo. Fratal

Merkle tree representation and traversal. In Pro. Cryptographer's Trak at

RSA Conferene (CT-RSA'03), volume 2612 of Leture Notes in Computer

Siene, pages 314326.Springer-Verlag, 2003.

Have they beome pratial. Cryptology ePrint Arhive, Report 2005/442,

2005.

[22℄ MihaelSzydlo. Merkletree traversalinlogspaeand time. InPro. Advanes

in Cryptology (Eurorypt'04), volume 3027 of Leture Notes in Computer

Si-ene, pages541554. Springer-Verlag,2004.

[23℄ Piotr Berman, Marek Karpinski, and Yakov Nekrih. Optimal trade-o for

Merkletree traversal. El. Coll. on Comp. Complexity,49, 2004.

[24℄ Sun Mirosystems. JavaTM Cryptography Arhiteture - API Speiation

and Referene, 2004. Available at http://java.sun.om/j2se/1. 5.0/ dos /

guide/seurity/CryptoSpe. html .

[25℄ FlexiProvider researh group at Tehnishe Universität Darmstadt. Flexi

-provider - an open soure java ryptographi servie provider, 2001 - 2008.

Available athttp://www.flexiprovider.de.

[26℄ International Teleommuniation Union Teleommuniation

Standardiza-tion Setor (ITU-T). Abstrat Syntax Notation One (ASN.1) X.680:

Spei-ationof basi notation, ITU Standard, 2002.

[27℄ VladimirRoubtsov.Mykingdomforagoodtimer! Reahsubmilliseondtiming

preisioninJava.JavaWorld.om,January2003,http://www.javaworld.om/

javaworld/javaqa/2003-01/ 01-qa-0 110-tim ing. html .

[28℄ DonJohnsonandAlfredMenezes. Theelliptiurvedigitalsignaturealgorithm

ECDSA,1999.

[29℄ RonRivest, AdiShamir,andLeonardAdleman. Amethodforobtainingdigital

signaturesandpubli-keyryptosystems. Commun.ACM,21(2):120126,1978.

[30℄ Taher El Gamal. A publi key ryptosystem and a signature sheme based on

disrete logarithms. In Proeedingsof CRYPTO 84 on Advanes in ryptology,

pages1018, New York, NY, USA, 1985. Springer-VerlagNew York,In.

[32℄ S. Miali. Eient ertiate revoation. Tehnial Report

MIT/LCS/TM-542b,1996.

[33℄ A.Perrig,R. Canetti, D.Tygar,and D. Song. The teslabroadast

authentia-tion protool, 2002.

[34℄ Charanjit Jutla and Moti Yung. Paytree: 'amortized-signature' for exible

miropayments. In 2nd Workshop on Eletroni Commere, pages 213221.

USENIX, 1996.

[35℄ Ronald L. Rivest and Adi Shamir. Payword and miromint: Two simple

mi-ropayment shemes. In Seurity Protools Workshop,pages 6987, 1996.

m

^publikey

m

^privatekey

m

^signature

t

^keygen

t

^sign

t

^verify

P = (2, (8, 8), (10, 5), (2, 2))

75

^bytes

5852

^bytes

1388

^bytes

8.0

^se

8.9

^ms

15.1

^ms

P = (2, (8, 8), (10, 5), (6, 6))

75

^bytes

7780

^bytes

1388

^bytes

8.1

^se

5.8

^ms

14.6

^ms

P = (4, (8, 8, 8, 8), (3, 3, 3, 3), (2, 2, 2, 2))

93

^bytes

26261

^bytes

5216

^bytes

1.9

^se

4.2

^ms

2.1

^ms

P = (4, (8, 8, 8, 8), (8, 8, 8, 3), (2, 2, 2, 2))

93

^bytes

16464

^bytes

3116

^bytes

11.6

^se

4.1

^ms

13.9

^ms

P = (4, (8, 8, 8, 8), (8, 8, 8, 3), (6, 6, 6, 6))

93

^bytes

21315

^bytes

3116

^bytes

11.8

^se

2.5

^ms

14.3

^ms

P = (4, (10, 10, 10, 10), (9, 9, 9, 3), (2, 2, 2, 2))

93

^bytes

18205

^bytes

3156

^bytes

80.2

^se

5.2

^ms

24.8

^ms

P = (4, (12, 12, 12, 12), (9, 9, 9, 3), (2, 2, 2, 2))

93

^bytes

20585

^bytes

3256

^bytes

136

^se

12.7

^ms

11.4

^ms

P = (4, (16, 16, 16, 16), (8, 8, 8, 3), (2, 2, 2, 2))

93

^bytes

20000

^bytes

3316

^bytes

322.9

^se

63

^ms

22.1

^ms

P = (2, (10, 10), (5, 4), (2, 2))

75

^bytes

8335

^bytes

1968

^bytes

4.8

^se

6.9

^ms

1.2

^ms

P = (2, (10, 10), (10, 5), (2, 2))

75

^bytes

6977

^bytes

1468

^bytes

32.6

^se

10.6

^ms

15.1

^ms

P = (2, (15, 15), (5, 4), (3, 3))

75

^bytes

10873

^bytes

2168

^bytes

149

^se

9.3

^ms

2.1

^ms

P = (2, (15, 15), (8, 5), (3, 3))

75

^bytes

9834

^bytes

1748

^bytes

409

^se

13.8

^ms

5.1

^ms

Continues onnext page...

m

^publikey

m

^privatekey

m

^signature

t

^keygen

t

^sign

t

^verify

P = (3, (15, 15, 10), (5, 5, 4), (3, 3, 2))

84

^bytes

17982

^bytes

3072

^bytes

193

^se

7.4

^ms

2.9

^ms

P = (3, (15, 15, 10), (8, 8, 5), (3, 3, 2))

84

^bytes

15644

^bytes

2392

^bytes

849

^se

11.1

^ms

10.4

^ms

P ₄₀ ^′ = (2, (20, 20), (9, 3), (2, 2))

75

^bytes

12501

^bytes

2348

^bytes

299

^min

6.6

^ms

8.1

^ms

P 40 = (2, (20, 20), (10, 5), (2, 2))

75

^bytes

12341

^bytes

1868

^bytes

539

^min

13.4

^ms

13.1

^ms

P ₈₀ ^′ = (4, (20, 20, 20, 20), (7, 7, 7, 3), (2, 2, 2, 2))

93

^bytes

30372

^bytes

4256

^bytes

464

^min

7.4

^ms

8.4

^ms

Table 8: Results of the new GMSS implementation: time and memory requirements of

seleted parameter sets. For the average timings, in eah ase the mean value of the rst

2 ¹²

^{signatures wereonsidered.}

This setion presents an example ode extrat that shows how to use the

Flexi-Providerimplementationof GMSS. It is divided intothree steps: Generating akey

pair,generating a signature and verifyingthe signature.

Generating a Key Pair.

Input: Parameterset, Output: ASN.1enoded keys

1. Add Providers

Seurity.addProvider(new FlexiCoreProvider());

Seurity.addProvider(new FlexiPQCProvider());

2. Get KPG instane

KeyPairGenerator kpg = KeyPairGenerator.getInsta ne( "GMS Swit hSH A1") ;

3. Set the required Parameterset, reateorresponding Parameterspe

GMSSParameterset gps = new GMSSParameterset(3, {10, 10, 10}, {2, 4,

3}, {2, 2, 2});

GMSSParameterSpe gpsp = new GMSSParameterSpe(gps);

4. InitializingKeyPairGenerator

kpg.initialize(gpsp);

5. Generatingkey pair

KeyPair GMSSkeyPair = kpg.generateKeyPair();

GMSSPrivateKey privateKey = (GMSSPrivateKey)GMSSkeyPair. getP riv ate( );

GMSSPubliKey publiKey = (GMSSPubliKey)GMSSkeyPair .get Publ i( );

byte[℄ privKey = privateKey.getEnoded();

byte[℄ pubKey = publiKey.getEnoded();

Input: enoded keys, message, Output: signature

1. Get the private key

KeySpe privKeySpe = new PKCS8EnodedKeySpe(privKe y);

KeyFatory kf = KeyFatory.getInstane("GMSS ", "FlexiPQC");

privateKey = (GMSSPrivateKey)kf.generate Priv ate( priv KeyS pe) ;

2. Initializethe signature generation phase

Signature Sig = Signature.getInstane("GMSSw ithS HA1" ,"Fl exiP QC" );

Sig.initSign(privateKey);

3. Createthe signature

Sig.update(message.getBytes( ));

byte[℄ sigBytes = Sig.sign();

Verifying the Signature.

Input: signature, message, enoded publikey

1. deode publi key

KeySpe pubKeySpe = new X509EnodedKeySpe(pubKey);

publiKey = (GMSSPubliKey)kf.generatePu bli (pub KeyS pe) ;

2. InitializeVeriation

Sig.initVerify(publiKey);

3. Veriation Proess, returns either trueor false

Sig.update(message.getBytes( ));

Sig.verify(sigBytes);

This part presents the ASN.1 enoding [26℄ of the GMSS keys. The publi key

enoding was modied only marginally: the ParameterSet was extended by the

sequene ofthe parameter

K

^{foreahlayer. Thisisthe newASN.1denition ofthe}

GMSS publikey:

The private key ASN.1 denition was enlarged with the treehash, stak and

re-tain parts. DistrRoot and TreehashStak were added as well. The whole ASN.1

denition of the GMSS private key isthe following:

GMSSPrivateKey ::= SEQUENCE {

upperTHLeaf SEQUENCE OF DistrLeaf

AuthPath ::= SEQUENCE OF OCTET STRING

Stak ::= SEQUENCE OF OCTET STRING

The following table shows the objet identiers of some predened GMSS

imple-mentations. Those use the given hash funtion for the OTS sheme as well as for

the Merkle tree onstrution. Forall ases the hash funtions are taken out of the

FlexiCoreProvider.

Hashfuntion Objet Identier (OID)

SHA1 1.3.6.1.4.1.8301.3.1.3.3.1

SHA224 1.3.6.1.4.1.8301.3.1.3.3.2

SHA256 1.3.6.1.4.1.8301.3.1.3.3.3

SHA384 1.3.6.1.4.1.8301.3.1.3.3.4

SHA512 1.3.6.1.4.1.8301.3.1.3.3.5

Table 9: ObjetIdentiers for GMSS

Thedierentnumbergroupsof the abovegiven objetidentierssignify the

follow-ing:

1.3.6.1.4.1.8301 Darmstadt University of Tehnology

1.3.6.1.4.1.8301.3 Cryptography and Computer AlgebraResearhGroup

1.3.6.1.4.1.8301.3.1 Cryptographi Algorithms

1.3.6.1.4.1.8301.3.1.3 Post Quantum Cryptography

1.3.6.1.4.1.8301.3.1.3.3 GMSS

Im Dokument Da
adUiveiyfTe h (Seite 67-84)