In this part the GMSS implementation is analyzed. As hash function, all tests used the SHA1 version out of the FlexiCoreProvider. As pseudo random number generator the Sha1PRNG of the Sun provider was used. All tests were performed on an Intel Core 2 Duo T7200 2 GHz processor with 1 GB RAM. As runtime environment the Sun JRE 1.3 was deployed.
The time needed for generation and verification of a single signature is quite small. For this it is essential to measure timings in microseconds. Following [27] we use the hrtlib.dll library, which provides a timer to exactly measure time differences in those spheres. Just creating a signature more than once and computing the mean value would not be a solution: the private key changes with every signature, so it is not easy to create the same signature more than once.
Nearly all parameter sets P used for the tests are characterized by the fact that the Winternitz parameter belonging to the lowest layer is smaller than all others. A smaller parameter w allows faster signature generation, but is responsible for bigger signatures. As on the lowest layer the public keys for the leaf values have to be computed at once and cannot be distributed, a smaller parameter on this layer speeds up the whole process, even more than the parameters on upper layers would do. For this reason the Winternitz parameter on the lowest layer is mostly chosen smaller than the others.
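As an added illustration of the trade-off described above (this is not code from the thesis or from the FlexiProvider), the following Python script implements the Winternitz one-time signature in the form GMSS uses it, with n = 160 (SHA1) and a hash-call counter, so that signature size and hashing effort can be compared for several values of w. The secret key is derived from a constructed seed purely for the demonstration, and the number of checksum blocks t2 is computed as the number of w-bit blocks needed for the largest possible checksum, which is my own formulation rather than the thesis's.

```python
import hashlib

N_BITS = 160          # output length of SHA1, the hash function used in the tests above
N_BYTES = N_BITS // 8


class HashCounter:
    """Wraps SHA1 and counts how often it is called."""
    def __init__(self):
        self.calls = 0

    def h(self, data):
        self.calls += 1
        return hashlib.sha1(data).digest()


def wots_params(w, n=N_BITS):
    """Return (t1, t2, L): number of w-bit message chunks, number of w-bit
    checksum chunks, and chain length L = 2^w - 1."""
    t1 = -(-n // w)                               # ceil(n / w)
    L = 2 ** w - 1
    max_checksum = t1 * L                          # checksum when every chunk is 0
    t2 = (max_checksum.bit_length() + w - 1) // w  # w-bit blocks that hold it (own formulation)
    return t1, t2, L


def chain(hc, x, steps):
    """Apply the hash function `steps` times to x."""
    for _ in range(steps):
        x = hc.h(x)
    return x


def digest_chunks(msg, w):
    """Hash the message, split the digest into t1 w-bit chunks (zero padded at
    the low end) and append the t2 chunks of the checksum sum(L - b_i)."""
    t1, t2, L = wots_params(w)
    d = int.from_bytes(hashlib.sha1(msg).digest(), "big") << (t1 * w - N_BITS)
    b = [(d >> (w * (t1 - 1 - i))) & L for i in range(t1)]
    c = sum(L - bi for bi in b)
    return b + [(c >> (w * (t2 - 1 - i))) & L for i in range(t2)]


def keygen(w, hc, seed=b"constructed seed, not a real key"):
    """Secret key: t pseudo-random n-bit values; public key: hash of all chain ends."""
    t1, t2, L = wots_params(w)
    sk = [hashlib.sha1(seed + i.to_bytes(2, "big")).digest() for i in range(t1 + t2)]
    pk = hc.h(b"".join(chain(hc, x, L) for x in sk))
    return sk, pk


def sign(sk, msg, w, hc):
    """Signature: every secret value advanced b_i steps along its chain."""
    return [chain(hc, x, bi) for x, bi in zip(sk, digest_chunks(msg, w))]


def verify(pk, msg, sig, w, hc):
    """Finish every chain (L - b_i further steps) and compare with the public key."""
    L = 2 ** w - 1
    ends = [chain(hc, s, L - bi) for s, bi in zip(sig, digest_chunks(msg, w))]
    return hc.h(b"".join(ends)) == pk


def tradeoff(w, msg=b"constructed test message"):
    """Signature size and hash calls for keygen / sign / verify at a given w."""
    hc = HashCounter()
    sk, pk = keygen(w, hc)
    keygen_calls = hc.calls
    hc.calls = 0
    sig = sign(sk, msg, w, hc)
    sign_calls = hc.calls
    hc.calls = 0
    if not verify(pk, msg, sig, w, hc):
        raise AssertionError("signature must verify")
    return {"w": w, "sig_bytes": len(sig) * N_BYTES, "keygen_hashes": keygen_calls,
            "sign_hashes": sign_calls, "verify_hashes": hc.calls}


if __name__ == "__main__":
    for w in (2, 3, 4, 5, 8, 10):
        print(tradeoff(w))
```

Running the script prints one line per w: the signature shrinks from 1680 bytes at w = 2 to 440 bytes at w = 8, while key generation grows from 253 to 5611 hash calls, and signing plus verification together always cost t(2^w - 1) + 1 calls. Key generation (all chains at full length for every leaf) is exactly the cost that cannot be spread over rounds on the lowest layer, which is why that layer gets the smallest w.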
Balancing. First the old GMSS implementation of [17] is compared to the new one. Using the parameter set P = (4, (4, 4, 4, 4), (8, 8, 8, 3)) the signature generation lasts about four milliseconds, whatever implementation is used. But among different signatures the duration varies more or less, because the online part does not always compute the same parts. Figure 18 depicts the resulting timings for both implementations for 200 signatures. The red line indicates the timings of the new implementation, the blue line belongs to the old one. The parameter K is set to 2 on each layer.

[Figure 18: plot of the signing time in ms against the signature index ϕ, one curve for the old implementation and one for the new implementation]
Figure 18: Time needed for signing with GMSS. The red line shows the timings using the new GMSS implementation, the blue line belongs to the old implementation. The used parameter set is P = (4, (4, 4, 4, 4), (8, 8, 8, 3)), K is set to 2 on each layer.

Figure 18 illustrates that the time needed for signing is much more balanced using the new GMSS implementation. The spikes within the blue graph come up every 16 signatures. Using a bottom tree of height 4 (which means 2^4 = 16 leaves), the old implementation needs much time for advancing a leaf on the second lowest layer. This is the situation where the new implementation uses the better balanced authentication path algorithm. Furthermore the precomputation of the actual and the coming (treehash) leaves of this tree saves time. Those leaves are computed completely within the old implementation, whereas in the other case they can simply be copied. So the applied changes really affect the timings the way it was supposed.
The statistical analysis of the data emphasizes the better balancing of the new implementation: whereas the mean value remains nearly the same (5.0 ms (old) to 4.2 ms (new)), the standard deviation of the timings was reduced by more than a factor of seven: it decreases from 4.6 ms to 0.6 ms using the new GMSS implementation. This evidently shows that the scheduling of the nodes in the upper tree really leads to better balancing attributes for the signature generation.
Greater Amounts Of Signatures. In [7] some linear optimization was used to find optimal GMSS parameter sets, allowing modular key and signature sizes besides applicable timings. The optimal sets for an amount of 2^40 and 2^80 signatures were adopted and the parameter K was included. So we get the following parameter sets for our test:

P_40  = (2, (20, 20), (10, 5), (2, 2))
P_40' = (2, (20, 20), (9, 3), (2, 2))
P_80' = (4, (20, 20, 20, 20), (7, 7, 7, 3), (2, 2, 2, 2))
The following table shows the resulting timings and memory requirements. The key size always denotes the byte length of the ASN.1 encoded keys. The timings were obtained on the above mentioned platform as mean value of the first 2^12 signatures. With a tree of height 20 on the lowest layer, for comparison the first 2^21 or even more signatures should have been created, so that an advance on upper layers was considered. But this test would take too long, so only the first 2^12 were constructed. To show how this affects the final results, we compared the timings and key sizes of a GMSS structure with lowest layer height 10 with 2^10 and 2^15 signatures: the difference in the private key size is 0.2%, whereas in timings no difference is recognizable. So we adopt that for our parameter sets it is adequate to compare only the first 2^12 signatures.

The values in the tables represent the following: m values are memory requirements for the keys and the signature. The time needed for key pair generation, signature construction or verification, respectively, is denoted by t values.

          m_publickey   m_privatekey   m_signature   t_keygen   t_sign    t_verify
P_40      75 bytes      12341 bytes    1868 bytes    539 min    13.4 ms   13.1 ms
P_40'     75 bytes      12501 bytes    2348 bytes    299 min    6.6 ms    8.1 ms
P_80'     93 bytes      30372 bytes    4256 bytes    464 min    7.4 ms    8.4 ms

Table 6: Measured values for the new GMSS implementation
For comparing these numbers with the old GMSS implementation, we adopt the results from [17] measured on an Asus V6J (1.83 GHz CPU).

          m_publickey   m_privatekey   m_signature   t_keygen   t_sign    t_verify
P_40      67 bytes      5467 bytes     1868 bytes    579 min    22.6 ms   19.4 ms
P_40'     67 bytes      5547 bytes     2348 bytes    321 min    11.6 ms   10.6 ms
P_80'     79 bytes      14731 bytes    4256 bytes    498 min    11.6 ms   9.5 ms

Table 7: Measured values for the old GMSS implementation, from [17]
The timings are quite the same using both implementations; the discrepancies are mostly caused by the different platforms. The signature size remains exactly the same, it was not touched by the revision of GMSS. The public key grows by a few bytes, as the K parameters for each layer have to be stored additionally. The private key size nearly doubles. For the better authentication path computation, more upcoming data has to be stored, like the treehash instances or the stacks of the following trees on each height. This data is stored in the private key, and that is why its size grows. However, sizes of up to 30 kilobytes are still usable in practice. The table only shows a mean value of the private key sizes: for P_40' it ranges from 10541 to 12731 bytes, for P_80' it differs between 28413 and 30602 bytes. The balancing of the timings cannot be seen in these tables; the achievements in this concern have been shown in the last section.
Some more measurements are depicted in Appendix A. From them we get some more information on the effects of the GMSS parameters: if the parameters K rise, the private key size rises as well. Higher K makes sure that more upper nodes are permanently stored in the private key, so it is clear that its size increases. Simultaneously the signing time declines, as the upper nodes no longer have to be computed when choosing higher K values. The signature size is not affected by this parameter. The impacts of the parameter w are the same as before in GMSS: choosing bigger w values, the signature and the private key sizes decline, whereas the timings grow a bit. Smaller w's have exactly the contrary impact.

It is concluded that GMSS is ready to use in practical applications. The timings are comparable to other signature schemes that are used widely today, like ECDSA, DSA or RSA. For measured results of these schemes see for example [5]. Even if the key sizes, especially of the private signing keys, are relatively big, GMSS is still applicable. We have created up to 2^80 signature keys with reasonable effort and costs. This amount should be adequate for today's use, even in online applications like packet signing in broadcast protocols.
Merkle Tree Traversal. This thesis presented a new algorithm for the computation of consecutive authentication paths in Merkle trees. Compared to the best formerly known, the new algorithm features a better balancing concerning the real number of hash function calls per round. This property could be obtained theoretically, and it could be confirmed by practical results as well. The worst case number of leaves calculated per round was reduced to (H − K)/2 + 1, while the maximum number of hashes to perform is bounded linearly in H. Parameterization allows a trade-off between computation time and memory demands. This allows the application of the algorithm on different kinds of devices, for example on smart cards and similar low computation appliances. The storage needed for the flow of the algorithm is bounded logarithmically in the number of leaves, which is the best complexity to reach. Even on hardware which does not allow dynamic memory allocation, the new algorithm only needs linear space. This results in the utilization of one single stack shared by all treehash instances. For heights H greater than twenty the advantages of Algorithm 3 decline. But in practice Merkle trees with heights H > 20 should not be applied. The key pair generation, which must always compute the whole tree at once, lasts too long in this case. It is much more comfortable to use the extensions of MSS if greater amounts of signatures are demanded.
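The following Python script is an added example (it is neither the thesis's Algorithm 3 nor the FlexiProvider code) that implements an authentication path traversal from the building blocks named in the balancing discussion around Figure 18 and in the summary above: treehash instances on the lower H − K heights, the upper K heights retained permanently, "keep" nodes for left siblings that are needed again as right children, and a budget of (H − K)/2 treehash updates per round. It keeps one stack per treehash instance instead of the single shared stack mentioned above, counts the leaf computations per round, and checks every produced path against a brute-force recomputation. The leaf function is a constructed stand-in for the hash of the OTS public key, and the exact bookkeeping is my own rendering of that structure.

```python
import hashlib
from math import inf

def leaf(idx):
    # constructed stand-in for the hash of the OTS public key of leaf idx
    return hashlib.sha1(b"leaf:" + idx.to_bytes(4, "big")).digest()

def hash_node(left, right):
    return hashlib.sha1(left + right).digest()

def node(h, j):
    # reference only: recompute node j on height h from scratch (exponential cost)
    return leaf(j) if h == 0 else hash_node(node(h - 1, 2 * j), node(h - 1, 2 * j + 1))

def reference_auth(H, phi):
    # authentication path of leaf phi: the sibling of its ancestor on every height
    return [node(h, (phi >> h) ^ 1) for h in range(H)]

class Treehash:
    """Computes the next right node on height h, one leaf per update()."""
    def __init__(self, h):
        self.h, self.node, self.stack, self.next_leaf = h, None, [], None

    def initialize(self, start_leaf):
        self.stack, self.node, self.next_leaf = [], None, start_leaf

    def height(self):
        # height of the lowest stored node; h while empty; inf when idle or complete
        if self.next_leaf is None:
            return inf
        return self.stack[-1][0] if self.stack else self.h

    def update(self, counter):
        val, hgt = leaf(self.next_leaf), 0
        counter[0] += 1
        self.next_leaf += 1
        while self.stack and self.stack[-1][0] == hgt:   # merge nodes of equal height
            val, hgt = hash_node(self.stack.pop()[1], val), hgt + 1
        if hgt == self.h:
            self.node, self.next_leaf = val, None        # target node finished
        else:
            self.stack.append((hgt, val))

class Traversal:
    """Authentication path state for a tree of height H with K retained upper levels."""
    def __init__(self, H, K):
        assert 2 <= K <= H and (H - K) % 2 == 0
        self.H, self.K = H, K
        self.auth = [node(h, 1) for h in range(H)]            # auth path of leaf 0
        self.keep = [None] * H
        self.treehash = [Treehash(h) for h in range(H - K)]
        for th in self.treehash:                              # first right nodes, precomputed
            th.node = node(th.h, 3)
        self.retain = [[] for _ in range(H)]                  # upper K levels stored permanently
        for h in range(H - K, H):
            for j in range(2 ** (H - h) - 1, 2, -2):          # odd indices, index 3 ends on top
                self.retain[h].append(node(h, j))

    def stored_nodes(self):
        return (sum(1 for a in self.auth if a) + sum(1 for k in self.keep if k)
                + sum(len(r) for r in self.retain)
                + sum(len(t.stack) + (1 if t.node else 0) for t in self.treehash))

    def next_round(self, phi):
        """Turn the auth path of leaf phi into that of leaf phi+1; return leaves computed."""
        H, K, count, tau = self.H, self.K, [0], 0
        while (phi >> tau) & 1:                               # height of first left ancestor
            tau += 1
        if tau < H - 1 and not (phi >> (tau + 1)) & 1:
            self.keep[tau] = self.auth[tau]                   # needed later as a right child
        if tau == 0:
            self.auth[0] = leaf(phi)
            count[0] += 1
        else:
            self.auth[tau] = hash_node(self.auth[tau - 1], self.keep[tau - 1])
            self.keep[tau - 1] = None
            for h in range(tau):
                if h < H - K:
                    assert self.treehash[h].next_leaf is None, "treehash not finished in time"
                    self.auth[h] = self.treehash[h].node
                else:
                    self.auth[h] = self.retain[h].pop()
            for h in range(min(tau, H - K)):
                if phi + 1 + 3 * 2 ** h < 2 ** H:
                    self.treehash[h].initialize(phi + 1 + 3 * 2 ** h)
        for _ in range((H - K) // 2):                         # per-round update budget
            active = [t for t in self.treehash if t.height() != inf]
            if not active:
                break
            min(active, key=lambda t: (t.height(), t.h)).update(count)
        return count[0]

def run(H, K):
    """Traverse all leaves; return (all paths correct, max leaves computed in one round)."""
    trav, worst = Traversal(H, K), 0
    ok = trav.auth == reference_auth(H, 0)
    for phi in range(2 ** H - 1):
        worst = max(worst, trav.next_round(phi))
        ok = ok and trav.auth == reference_auth(H, phi + 1)
    return ok, worst
```

run(H, K) returns whether every path matched the brute-force reference and the worst-case number of leaves computed in one round; for H = 4, K = 2 that worst case is exactly (H − K)/2 + 1 = 2. Traversal(H, K).stored_nodes() shows the memory side of the trade-off: with H = 8 the initial state holds 15 nodes for K = 2 and 23 for K = 4, which is the growth of the private key with K that the measurements report.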
Practical Part: GMSS. The second part of this thesis was the implementation of the new algorithm into an existing GMSS implementation for the FlexiProvider. The construction and use of the JCA assures maximal flexibility. The generalized Merkle signature scheme can be plugged into every application based on the JCA. As an example there exists a MS Outlook plugin for signing emails with any algorithm of the FlexiProvider [5]. The Winternitz one time signature scheme can easily be replaced by any other OTS scheme. As a first further work the BiBa OTS scheme [13] shall be integrated into GMSS, as it allows smaller signatures than the Winternitz scheme. For the hash function, used for the construction of the Merkle trees, different
should turn out insecure, the message digest function could be exchanged easily. The same occurs to the used pseudo random number generator. While we used the one described in [14], another one could be made use of.

Still one drawback of GMSS is the long key generation time. As an amount of 2^80 keys can be regarded as cryptographically unlimited, in practice this problem can be disregarded, because it only must be run once before all signatures are created. So this part can be done offline, before the creation of the first signature.
The Merkle signature schemes are characterized by an enormous flexibility. Equipped with so many parameters these schemes can be used on nearly every imaginable platform. The size of the keys and the signatures can be adjusted as well as the timings for signature generation or verification, respectively. This makes GMSS (as actually the best implementation of the Merkle schemes) applicable on all hardware devices. The timings for signature generation and verification, respectively, are comparable to the widely used schemes like RSA, DSA or ECDSA. The GMSS public key is even smaller than former keys. The private key is relatively big, but for today's practical usage still reasonable. Therefore, a conclusion is that today there are digital signature schemes out of the post quantum computing field with possible practicable use.
[1] Peter W. Shor. Algorithms for quantum computation: Discrete logarithms and factoring. In IEEE Symposium on Foundations of Computer Science, pages 124-134, 1994.
[2] Lov K. Grover. A fast quantum mechanical algorithm for database search. In STOC '96: Proceedings of the twenty-eighth annual ACM symposium on Theory of computing, pages 212-219, New York, NY, USA, 1996. ACM.
[3] Arjen K. Lenstra and Eric R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255-293, 2001. Updated version from 2004 available at http://plan9.bell-labs.com/who/akl/index.html.
[4] Ralph C. Merkle. A certified digital signature. In Proc. Advances in Cryptology (Crypto '89), volume 435 of Lecture Notes in Computer Science, pages 218-238. Springer-Verlag, 1989.
[5] Johannes Buchmann, Luis Carlos Coronado García, Erik Dahmen, Martin Döring, and Elena Klintsevich. CMSS - an improved Merkle signature scheme. In Proc. Progress in Cryptology (Indocrypt '06), volume 4329 of Lec
ture Notes in Computer Science, pages 349-363. Springer-Verlag, 2006.
[6] Luis Carlos Coronado García. On the security and the efficiency of the Merkle signature scheme. Cryptology ePrint Archive, Report 2005/192, 2005.
[7] Johannes Buchmann, Erik Dahmen, Elena Klintsevich, Katsuyuki Okeya, and Camille Vuillaume. Merkle signatures with virtually unlimited signature capacity. 5th International Conference on Applied Cryptography and Network Security - ACNS '07, LNCS 4521, Springer, 2007, pp. 31-45.
[8] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644-654, 1976.
[9] Alexander May. Skript zur Vorlesung Public Key Kryptanalyse, TU Darmstadt, 2005/2006.
[10] nist.gov/publications/PubsFIPS.html.
[11] Ron Rivest. The MD5 Message-Digest Algorithm, 1992.
[12] Chris Dods, Nigel Smart, and Martijn Stam. Hash based digital signature schemes. In Proc. Cryptography and Coding, volume 3796 of Lecture Notes in Computer Science, pages 96-115. Springer-Verlag, 2005.
[13] Adrian Perrig. The BiBa one-time signature and broadcast authentication protocol. In ACM Conference on Computer and Communications Security, pages 28-37, 2001.
[14] Digital signature standard. FIPS PUB 186-2, 2000. Available at http://csrc.nist.gov/publications/PubsFIPS.html.
[15] Y. Hu, A. Perrig, and D. Johnson. Packet leashes: A defense against wormhole attacks in wireless ad hoc networks. Technical report, Department of Computer Science, Rice University, 2001.
[16] Michael Szydlo. Merkle tree traversal in log space and time (preprint version), 2003. Available at http://www.szydlo.com.
[17] Sebastian Blume. Efficient Java implementation of GMSS, diploma thesis, 2007.
[18] Mihir Bellare and Sara K. Miner. A forward-secure digital signature scheme. Lecture Notes in Computer Science, 1666:431-448, 1999.
[19] Shimon Even, Oded Goldreich, and Silvio Micali. On-line/off-line digital signatures. In CRYPTO '89: Proceedings on Advances in cryptology, pages 263-275, New York, NY, USA, 1989. Springer-Verlag New York, Inc.
[20] Markus Jakobsson, Tom Leighton, Silvio Micali, and Michael Szydlo. Fractal Merkle tree representation and traversal. In Proc. Cryptographer's Track at RSA Conference (CT-RSA '03), volume 2612 of Lecture Notes in Computer Science, pages 314-326. Springer-Verlag, 2003.
[21] Have they become practical. Cryptology ePrint Archive, Report 2005/442, 2005.
[22] Michael Szydlo. Merkle tree traversal in log space and time. In Proc. Advances in Cryptology (Eurocrypt '04), volume 3027 of Lecture Notes in Computer Science, pages 541-554. Springer-Verlag, 2004.
[23] Piotr Berman, Marek Karpinski, and Yakov Nekrich. Optimal trade-off for Merkle tree traversal. El. Coll. on Comp. Complexity, 49, 2004.
[24] Sun Microsystems. Java Cryptography Architecture - API Specification and Reference, 2004. Available at http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html.
[25] FlexiProvider research group at Technische Universität Darmstadt. FlexiProvider - an open source java cryptographic service provider, 2001 - 2008. Available at http://www.flexiprovider.de.
[26] International Telecommunication Union Telecommunication Standardization Sector (ITU-T). Abstract Syntax Notation One (ASN.1) X.680: Specification of basic notation, ITU Standard, 2002.
[27] Vladimir Roubtsov. My kingdom for a good timer! Reach submillisecond timing precision in Java. JavaWorld.com, January 2003, http://www.javaworld.com/javaworld/javaqa/2003-01/01-qa-0110-timing.html.
[28] Don Johnson and Alfred Menezes. The elliptic curve digital signature algorithm ECDSA, 1999.
[29] Ron Rivest, Adi Shamir, and Leonard Adleman. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM, 21(2):120-126, 1978.
[30] Taher El Gamal. A public key cryptosystem and a signature scheme based on discrete logarithms. In Proceedings of CRYPTO 84 on Advances in cryptology, pages 10-18, New York, NY, USA, 1985. Springer-Verlag New York, Inc.
[32] S. Micali. Efficient certificate revocation. Technical Report MIT/LCS/TM-542b, 1996.
[33] A. Perrig, R. Canetti, D. Tygar, and D. Song. The TESLA broadcast authentication protocol, 2002.
[34] Charanjit Jutla and Moti Yung. Paytree: 'amortized-signature' for flexible micropayments. In 2nd Workshop on Electronic Commerce, pages 213-221. USENIX, 1996.
[35] Ronald L. Rivest and Adi Shamir. Payword and micromint: Two simple micropayment schemes. In Security Protocols Workshop, pages 69-87, 1996.
parameter set                                              m_publickey  m_privatekey  m_signature  t_keygen   t_sign   t_verify
P = (2, (8, 8), (10, 5), (2, 2))                           75 bytes     5852 bytes    1388 bytes   8.0 sec    8.9 ms   15.1 ms
P = (2, (8, 8), (10, 5), (6, 6))                           75 bytes     7780 bytes    1388 bytes   8.1 sec    5.8 ms   14.6 ms
P = (4, (8, 8, 8, 8), (3, 3, 3, 3), (2, 2, 2, 2))          93 bytes     26261 bytes   5216 bytes   1.9 sec    4.2 ms   2.1 ms
P = (4, (8, 8, 8, 8), (8, 8, 8, 3), (2, 2, 2, 2))          93 bytes     16464 bytes   3116 bytes   11.6 sec   4.1 ms   13.9 ms
P = (4, (8, 8, 8, 8), (8, 8, 8, 3), (6, 6, 6, 6))          93 bytes     21315 bytes   3116 bytes   11.8 sec   2.5 ms   14.3 ms
P = (4, (10, 10, 10, 10), (9, 9, 9, 3), (2, 2, 2, 2))      93 bytes     18205 bytes   3156 bytes   80.2 sec   5.2 ms   24.8 ms
P = (4, (12, 12, 12, 12), (9, 9, 9, 3), (2, 2, 2, 2))      93 bytes     20585 bytes   3256 bytes   136 sec    12.7 ms  11.4 ms
P = (4, (16, 16, 16, 16), (8, 8, 8, 3), (2, 2, 2, 2))      93 bytes     20000 bytes   3316 bytes   322.9 sec  63 ms    22.1 ms
P = (2, (10, 10), (5, 4), (2, 2))                          75 bytes     8335 bytes    1968 bytes   4.8 sec    6.9 ms   1.2 ms
P = (2, (10, 10), (10, 5), (2, 2))                         75 bytes     6977 bytes    1468 bytes   32.6 sec   10.6 ms  15.1 ms
P = (2, (15, 15), (5, 4), (3, 3))                          75 bytes     10873 bytes   2168 bytes   149 sec    9.3 ms   2.1 ms
P = (2, (15, 15), (8, 5), (3, 3))                          75 bytes     9834 bytes    1748 bytes   409 sec    13.8 ms  5.1 ms
P = (3, (15, 15, 10), (5, 5, 4), (3, 3, 2))                84 bytes     17982 bytes   3072 bytes   193 sec    7.4 ms   2.9 ms
P = (3, (15, 15, 10), (8, 8, 5), (3, 3, 2))                84 bytes     15644 bytes   2392 bytes   849 sec    11.1 ms  10.4 ms
P_40' = (2, (20, 20), (9, 3), (2, 2))                      75 bytes     12501 bytes   2348 bytes   299 min    6.6 ms   8.1 ms
P_40 = (2, (20, 20), (10, 5), (2, 2))                      75 bytes     12341 bytes   1868 bytes   539 min    13.4 ms  13.1 ms
P_80' = (4, (20, 20, 20, 20), (7, 7, 7, 3), (2, 2, 2, 2))  93 bytes     30372 bytes   4256 bytes   464 min    7.4 ms   8.4 ms

Table 8: Results of the new GMSS implementation: time and memory requirements of selected parameter sets. For the average timings, in each case the mean value of the first 2^12 signatures was considered.
This section presents an example code extract that shows how to use the FlexiProvider implementation of GMSS. It is divided into three steps: generating a key pair, generating a signature and verifying the signature.

Generating a Key Pair.
Input: parameter set, Output: ASN.1 encoded keys
1. Add providers
   Security.addProvider(new FlexiCoreProvider());
   Security.addProvider(new FlexiPQCProvider());
2. Get KPG instance
   KeyPairGenerator kpg = KeyPairGenerator.getInstance("GMSSwithSHA1");
3. Set the required parameter set, create the corresponding parameter spec
   GMSSParameterset gps = new GMSSParameterset(3, new int[]{10, 10, 10}, new int[]{2, 4, 3}, new int[]{2, 2, 2});
   GMSSParameterSpec gpsp = new GMSSParameterSpec(gps);
4. Initialize the KeyPairGenerator
   kpg.initialize(gpsp);
5. Generate the key pair
   KeyPair GMSSkeyPair = kpg.generateKeyPair();
   GMSSPrivateKey privateKey = (GMSSPrivateKey) GMSSkeyPair.getPrivate();
   GMSSPublicKey publicKey = (GMSSPublicKey) GMSSkeyPair.getPublic();
   byte[] privKey = privateKey.getEncoded();
   byte[] pubKey = publicKey.getEncoded();

Generating a Signature.
Input: encoded keys, message, Output: signature
1. Get the private key
   KeySpec privKeySpec = new PKCS8EncodedKeySpec(privKey);
   KeyFactory kf = KeyFactory.getInstance("GMSS", "FlexiPQC");
   privateKey = (GMSSPrivateKey) kf.generatePrivate(privKeySpec);
2. Initialize the signature generation phase
   Signature Sig = Signature.getInstance("GMSSwithSHA1", "FlexiPQC");
   Sig.initSign(privateKey);
3. Create the signature
   Sig.update(message.getBytes());
   byte[] sigBytes = Sig.sign();

Verifying the Signature.
Input: signature, message, encoded public key
1. Decode the public key
   KeySpec pubKeySpec = new X509EncodedKeySpec(pubKey);
   publicKey = (GMSSPublicKey) kf.generatePublic(pubKeySpec);
2. Initialize verification
   Sig.initVerify(publicKey);
3. Verification process, returns either true or false
   Sig.update(message.getBytes());
   boolean valid = Sig.verify(sigBytes);
This part presents the ASN.1 encoding [26] of the GMSS keys. The public key encoding was modified only marginally: the ParameterSet was extended by the sequence of the parameter K for each layer. This is the new ASN.1 definition of the GMSS public key:

The private key ASN.1 definition was enlarged with the treehash, stack and retain parts. DistrRoot and TreehashStack were added as well. The whole ASN.1 definition of the GMSS private key is the following:

GMSSPrivateKey ::= SEQUENCE {
    upperTHLeaf SEQUENCE OF DistrLeaf
AuthPath ::= SEQUENCE OF OCTET STRING
Stack ::= SEQUENCE OF OCTET STRING
The following table shows the object identifiers of some predefined GMSS implementations. Those use the given hash function for the OTS scheme as well as for the Merkle tree construction. For all cases the hash functions are taken out of the FlexiCoreProvider.

Hash function   Object Identifier (OID)
SHA1            1.3.6.1.4.1.8301.3.1.3.3.1
SHA224          1.3.6.1.4.1.8301.3.1.3.3.2
SHA256          1.3.6.1.4.1.8301.3.1.3.3.3
SHA384          1.3.6.1.4.1.8301.3.1.3.3.4
SHA512          1.3.6.1.4.1.8301.3.1.3.3.5

Table 9: Object Identifiers for GMSS

The different number groups of the above given object identifiers signify the following:

1.3.6.1.4.1.8301             Darmstadt University of Technology
1.3.6.1.4.1.8301.3           Cryptography and Computer Algebra Research Group
1.3.6.1.4.1.8301.3.1         Cryptographic Algorithms
1.3.6.1.4.1.8301.3.1.3       Post Quantum Cryptography
1.3.6.1.4.1.8301.3.1.3.3     GMSS
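To make the ASN.1 byte lengths quoted in Tables 6 to 8 and the identifiers of Table 9 concrete, here is an added Python example (my own code, not the FlexiProvider's ASN.1 layer) that DER-encodes an AuthPath ::= SEQUENCE OF OCTET STRING and an OBJECT IDENTIFIER, and decodes both with a strict reader that rejects truncated values and non-minimal length encodings, the usual defects a lenient key parser lets through. The node values are constructed 20-byte strings standing in for SHA1 outputs.

```python
def der_length(n):
    """DER length octets: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def encode_auth_path(nodes):
    """AuthPath ::= SEQUENCE OF OCTET STRING, one OCTET STRING per node."""
    return der_tlv(0x30, b"".join(der_tlv(0x04, n) for n in nodes))


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs fused as 40*a+b, every arc in base 128."""
    arcs = [int(a) for a in dotted.split(".")]
    content = b""
    for v in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        groups = [v & 0x7F]                       # low 7 bits last, no continuation bit
        v >>= 7
        while v:
            groups.append(0x80 | (v & 0x7F))     # higher groups carry the continuation bit
            v >>= 7
        content += bytes(reversed(groups))
    return der_tlv(0x06, content)


def _read_tlv(buf, pos, tag):
    """Strict TLV reader: rejects wrong tags, truncation and non-minimal lengths."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag at offset %d" % pos)
    pos += 1
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        k = first & 0x7F
        if k == 0 or k > 4 or pos + k > len(buf):
            raise ValueError("bad long-form length")
        if buf[pos] == 0:
            raise ValueError("length has a leading zero octet (not DER)")
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
        if length < 0x80:
            raise ValueError("long form used for a short length (not DER)")
    if pos + length > len(buf):
        raise ValueError("value runs past the end of the buffer")
    return buf[pos:pos + length], pos + length


def decode_auth_path(buf):
    body, end = _read_tlv(buf, 0, 0x30)
    if end != len(buf):
        raise ValueError("trailing bytes after SEQUENCE")
    nodes, pos = [], 0
    while pos < len(body):
        n, pos = _read_tlv(body, pos, 0x04)
        nodes.append(n)
    return nodes


def decode_oid(buf):
    content, end = _read_tlv(buf, 0, 0x06)
    if end != len(buf) or not content or content[-1] & 0x80:
        raise ValueError("malformed OID")
    values, v = [], 0
    for b in content:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:                          # last group of this subidentifier
            values.append(v)
            v = 0
    first = values[0]
    a = 2 if first >= 80 else first // 40
    return ".".join(str(x) for x in [a, first - 40 * a] + values[1:])


def decodes_cleanly(buf, decoder):
    try:
        decoder(buf)
        return True
    except ValueError:
        return False
```

Four 20-byte nodes encode to 90 bytes (two bytes of SEQUENCE overhead plus 22 per node); ten nodes push the content length past 127 bytes, so the SEQUENCE length switches to the long form 81 DC and the total becomes 223 bytes, which is the kind of overhead that separates the raw node data from the key sizes in the tables. The GMSS-with-SHA1 OID 1.3.6.1.4.1.8301.3.1.3.3.1 encodes to 06 0C 2B 06 01 04 01 C0 6D 03 01 03 03 01, the arc 8301 needing two base-128 octets.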