Allknown work on traversal algorithmsonsider the leaf-alulation and the
hash-funtion evaluation to require the same amount of omputation. Both operations
are ounted as one omputation unit eah. When applying a one time signature
sheme for the leaf alulation, many hash value omputations are needed to
gen-erate a single leaf, i.e. up to thousands. One an expet that leaf-alulation is
muhmore expensive onsidering the omputationtime needed than a single
hash-funtionevaluation. This leads tothe problemthat one annotpreditthe number
of hashes really needed during one step of the authentiation path algorithms. So
the generation time of asignature varies enormously fromround to round.
Szydlo'salgorithmisthe one that provably allows the best time and memory
prop-erties. Using
H
staks whih store atmostH
nodes eah, the maximum numberofnodes stored is in
O(H 2 )
. He shows that the memory needed for the staks is atmost
H
,sothatallothermemoryspaesare notneeded atone. Butimplementing this algorithm on a platform without dynami memory alloation would need theomplete spae of
O(H 2 )
, asspae for allH 2 nodes has tobereserved.
These ideas were inluded onstruting the new traversal algorithm (Algorithm 3)
whih is presented in the next setion. Counting the number of hashes and the
numberofleafalulationsseparatelyleads tomorebalanedtimings. Furthermore
we show that it is possible that all treehash instanes share one single stak, so
that the storage needed is bounded linearly in
H
even onsystem without dynamimemoryalloation.
This setion introdues a new algorithm for Merkle tree authentiation path
om-putation. It is an improvement of Szydlo's preprint algorithm [16℄ and addresses
it'sdrawbaksmentionedinsetion3. Theorretnessof the newalgorithmwillbe
proved below. Further, some alulations on runtime and storage requirements are
made for omparison with former algorithms. This setion presents the theoretial
results,whereas pratialresults are given later insetion 6.
Ournew algorithmwillallowatime-memorytrade-o. Inthe keygenerationphase
the whole Merkle tree has to be omputed ompletely one. In this phase the
rst authentiation path was stored as input for Merkle's and Szydlo's sheduling
algorithms. Now we are going to store some more nodes: as the omputation of
rightnodes near totherootismostexpensive, theidea istostorethose rightnodes
from the beginning, so that the time to ompute these nodes is saved later. The
parameter
K
denotes the numberof top layers in the tree whereall right nodes arestored.
K
ishosensothatH − K
iseven (weperform(H − K)/2
stepsperround).Asmentioned above,our new algorithmyields toa morebalaned signature
gener-ationtime and alsoa moderatespae requirement. Clearly the logarithmi bounds
inspaeand time omplexity shall be maintained. We willshow thatan amountof
less than
H/2
leaf alulations per round are suient to ompute authentiation pathsand that storageis alsobounded logarithmiallyin the number of leaves.We use staks that are slightly dierent from the ones used by Szydlo. For eah
height weapply astruture Treehash, whihomputes the upomingright nodes
for the authentiation path (again using Algorithm 1). All these instanes share
one single stak, whereas in former algorithms every instane had its own stak to
storenodes on. Weahievealogarithmitotalnumberof nodes storedatone,also
ondevies withoutdynamimemory alloation. Wewillshow that sharingasingle
stak for all Treehashs works well. Further on we are using a slightly modied
sheduling of the omputation of right nodes, so that the amount of
(H − K)/2
leaf alulationsperround are suient. The omputation of right nodes hanges,
whereas left nodes are omputed in the same manneras with Szydlo's algorithm.
4.1 Notation
The main part of the notationis already known fromprevious setions.
H
denotesagain the height of the Merkle tree. With
y h [j]
thej
th node on heighth
(i = 0 . . . H, j = 0 . . . 2 H−h − 1
) is referred. The authentiation path of the urrent leafϕ
is again Auth0 , . . . ,AuthH−1
. The values Keep0 , . . . ,KeepH −2
are the same
H −2
are the sameertainnodes toquikly ompute left hildren. With
τ
we denotethe height of therst parent of the atual leaf
ϕ
whih is a left node. The staks to store the rightnodes near to the root (on the upper
K
levels,K ≥ 2
) are alled Retainh (h = H − 2 . . . H − K). They are lled from left to right, so that the top node of a
Retainstak is always the next one needed forthe authentiationpath.
AgainweuseanoraleLeafalwhihomputesthe leafvalueoftheleafwiththe
omittedindex. UsingtheMerkletreefordigitalsignaturesthismethodomputesthe
veriationkeyofthe underlyingone timesignaturesheme. Indierenetoformer
algorithms we do not just ount it as one omputation unit, we will distinguish
between the omputationof leavesand single hash evaluations.
4.1.1 Treehash Staks
With Treehash
0 . . .TreehashH−K−1
we denote the strutures to ompute right
hildren. Eah suh instane stores the rst node itself, further nodes are pushed
on the ommonly shared stak. A node stored on a Treehash stak is alled
a tail node. Additionally to the push and pop operations eah treehash stak is
equipped with three methods: initialize(), height() and update(). The method
Treehash
h
.initialize() sets the start node whih tells the Treehash with whih leaf the omputation of the stak has to begin. Treehashh
.height() returns theheightofthelowestnodestoredintheinstane,eitheronthestakorinTreehash
h
itself. This method is required for the sheduling of the
(H − K)/2
Leafaloperations,whiharealwaysassignedtotheoneinstanewiththelowesttailnode. If
thereismorethanoneinstanewithsamelowestnodeheight,theonewiththelowest
indexishosenfortheupdate. Inordertoskipinstanesthatarealreadynishedor
not yet initialized,Treehash
h
.height() is set to innity in these ases. When thetreehashstakwasinitialized,the rstallofthe lastmethodTreehash
h
.update()alulates the leaf with the start index. It is stored inthe instane itself. The next
updates work in analogy to Algorithm 1: the next leaf is alulated and stored on
the stak. If the top twonodes havethe same height they are hashed together and
theresult is pushed onthe stak. Ifthe top node onthe stak andthe rst node in
the treehash have sameheight, the result replaes the rst node of the treehash.