2.5 The Merkle Signature Scheme
2.5.2 GMSS - Generalized Merkle Signature Scheme
As mentioned above, GMSS is an expansion of the Merkle signature scheme. GMSS stands for generalized Merkle signature scheme and was proposed in 2007 [7]. One instance of GMSS is CMSS, which was proposed in 2006 [5]. Whereas MSS and CMSS have relatively large signatures, GMSS is designed to allow smaller signatures and faster generation and verification. Additionally, with GMSS it is possible to sign up to $2^{80}$ and even more messages, while with MSS this number is only applicable up to $2^{20}$. This attribute is helpful considering practical uses like web server applications, where large numbers of signatures are necessary. The parameterization of GMSS allows the choice of either fast runtime, small signatures or a trade-off between both, depending on the application. This section introduces the main characteristics and gives an overview of GMSS. A more detailed description can be found in [7] and [17].
General Construction. The general GMSS construction is made up of a tree with height $T$. The nodes of this tree are again Merkle trees. Each of the Merkle trees on layer $i$ of the basic tree has height $h_i$ and is parent of $2^{h_i}$ Merkle trees on the layer $i + 1$. The Merkle trees are labeled $T_{i,j}$, where $i$ is the level in the basic tree and $j$ is the number of the node on height $i$, consecutively numbered from left to right with $0 \ldots 2^{h_1 + h_2 + \ldots + h_{i-1}} - 1$. The root tree is labeled $T_{1,0}$.
Again the Winternitz OTS scheme is used for the signatures in the Merkle trees. For each layer a different parameter $w_i$, $i = 1 \ldots T$, is allowed. GMSS is parameterized by the height of the basic tree, the heights of the trees on each layer and the Winternitz parameters. Altogether the parameter set $P$ of GMSS is $P = (T, (h_1, \ldots, h_T), (w_1, \ldots, w_T))$. CMSS is the variant defined by the parameters $P = (2, (h, h), (w, w))$.

The root of each Merkle tree $T_{i,j}$ is labeled $\mathrm{Root}_{T_{i,j}}$. It gets signed with the OTS key of the corresponding parent leaf: the root of tree $T_{i,j}$ is signed using the signature key of a leaf of the parent tree on height $i - 1$. The signature of the root of a tree $T$ is called $\mathrm{Sig}_T$. To sign a message digest, the signature keys of the Merkle trees on the deepest layer $T$ are used. These signatures are denoted by $\mathrm{Sig}_d$. Following this construction, the number of message digests that can be signed is $2^{h_1 + h_2 + \ldots + h_T}$. The general construction of GMSS is illustrated in figure 6.
Figure 6: Basic construction of GMSS. Only the leaves on the lowest layer are used for GMSS signatures.
As the leaves on upper layers advance less frequently, the precomputation of these trees can be distributed over many steps. This property allows a gain in signature generation time. It also allows the choice of higher parameters $w_i$ for the OTS scheme, which leads to a smaller signature size in total.
A GMSS signature. As known from MSS, for each signature there is a unique path from the leaf $\varphi$ up to the root. Here this path contains one Merkle tree on each layer. In addition to the one-time signature of the message digest, the one-time signatures of the root values of these trees are stored in the GMSS signature. The authentication data on the path, consisting of $\mathrm{Auth}_{T,l}$ for each tree $T$, is also appended to the GMSS signature. Here $l$ is the index of the leaf of tree $T$ used for signing the root of the tree on the layer below. On the deepest layer the authentication data of the leaf used to sign the message digest is appended. An example of this process is depicted in figure 7.
In total the GMSS signature consists of the following:
• the index $\varphi$ of the leaf used
• the one-time signature $\mathrm{Sig}_d$ of the document $d$, signed with the key corresponding to a leaf of the lowest layer
• the one-time signatures $\mathrm{Sig}_{T_{i,j}}$ of the roots
• the authentication paths $\mathrm{Auth}_{T_{i,j}}$ of each tree on the path from the bottom leaf $\varphi$ to the GMSS root

Figure 7: Example of a GMSS signature
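The path from a bottom leaf to the GMSS root can be computed directly from the leaf index and the layer heights. The following Python code is an added example, not code from the thesis or from any GMSS implementation; the function names and the heights (2, 3, 2) are constructed for illustration, and it assumes the left-to-right numbering of trees and leaves described above.

```python
def gmss_capacity(heights):
    """Number of message digests that can be signed: 2^(h_1 + ... + h_T)."""
    return 1 << sum(heights)

def trees_on_layer(heights, i):
    """Number of trees on layer i (1-based): 2^(h_1 + ... + h_{i-1})."""
    return 1 << sum(heights[:i - 1])

def gmss_path(heights, phi):
    """Return [(i, j, l)] from the deepest layer T up to layer 1.

    (i, j) names the tree T_{i,j}; l is the leaf of that tree whose OTS key
    signs the digest (layer T) or the root of the tree below (layers < T).
    Assumption: trees and leaves are numbered left to right.
    """
    if not 0 <= phi < gmss_capacity(heights):
        raise ValueError("leaf index outside the 2^(h_1+...+h_T) signatures")
    path, index = [], phi
    for i in range(len(heights), 0, -1):
        h = heights[i - 1]
        j, l = index >> h, index & ((1 << h) - 1)
        if j >= trees_on_layer(heights, i):
            raise AssertionError("tree number exceeds the layer size")
        path.append((i, j, l))
        index = j  # the tree number on layer i is the leaf position on layer i-1
    return path

def signature_layout(heights, phi):
    """Names of the parts of the GMSS signature for leaf phi."""
    path = gmss_path(heights, phi)
    parts = [f"phi={phi}", "Sig_d"]
    # The root of T_{1,0} is the public key and is not signed.
    parts += [f"Sig_T{i},{j}" for i, j, _ in path if i > 1]
    parts += [f"Auth_T{i},{j},{l}" for i, j, l in path]
    return parts

if __name__ == "__main__":
    heights = (2, 3, 2)  # constructed parameter set with T = 3
    print(gmss_capacity(heights))
    print(gmss_path(heights, 77))
    print(signature_layout(heights, 77))
```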
Seed calculation in GMSS. For every single Merkle tree of the GMSS construct the seed generation procedure described on page 25 is used. There an initial seed for every tree is needed. For every tree of the GMSS structure this is an initial seed value $\mathrm{Seed}_{\mathrm{in}_{T_{i,j}}}$. The $\mathrm{Seed}_{\mathrm{in}}$ for the first tree in each layer ($\mathrm{Seed}_{\mathrm{in}_{T_{i,0}}}$) is required as input. The following $\mathrm{Seed}_{\mathrm{in}}$ values are computed as the output of the last leaf of the previous tree:

$$(\mathrm{Seed}_{\mathrm{in}_{T_{i,j+1}}}, \mathrm{Seed}_{OTS}) \leftarrow \mathrm{Prng}(\mathrm{Seed}_{2^{h_i}})$$

Here $\mathrm{Seed}_{2^{h_i}}$ is the seed of the last leaf of tree $T_{i,j}$. Hence, using one initial seed for each layer, all required seed values can be constructed.
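The seed chaining across the trees of one layer, as an added Python example that is not code from the thesis. The PRNG built from two domain-separated SHA-256 calls, the per-leaf update rule (each leaf's Prng call yields the next seed and that leaf's OTS seed) and all names are assumptions made for illustration; the procedure on page 25 is not reproduced on this page.

```python
import hashlib

def prng(seed: bytes):
    """Assumed PRNG: returns (next_seed, seed_ots) from one input seed."""
    return (hashlib.sha256(b"next" + seed).digest(),
            hashlib.sha256(b"ots" + seed).digest())

def tree_seeds(seed_in: bytes, h: int):
    """Walk the 2^h leaves of one tree T_{i,j}, starting from its Seed_in.

    Returns (OTS seed of every leaf, Seed_in of the next tree T_{i,j+1}).
    The Prng call on the last leaf's seed yields the next tree's Seed_in.
    """
    seed, ots = seed_in, []
    for _ in range(1 << h):
        seed, seed_ots = prng(seed)
        ots.append(seed_ots)
    return ots, seed

def layer_seed_in(seed_in_first: bytes, h: int, j: int) -> bytes:
    """Seed_in of tree T_{i,j}, derived from Seed_in of T_{i,0} alone."""
    seed = seed_in_first
    for _ in range(j):
        _, seed = tree_seeds(seed, h)
    return seed

# Constructed initial seed for one layer with trees of height 3.
LAYER_SEED = hashlib.sha256(b"constructed initial seed").digest()

if __name__ == "__main__":
    ots_first, seed_second = tree_seeds(LAYER_SEED, 3)
    print(len(ots_first), seed_second.hex())
    print(layer_seed_in(LAYER_SEED, 3, 2).hex())  # Seed_in of the third tree
```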
GMSS Key Generation. This phase uses the initial seed values for constructing the public and private keys needed for GMSS. The GMSS public key is the root of the top Merkle tree: $\mathrm{Root}_{T_{1,0}}$. The private key is built from the following:

$\mathrm{Seed}_{\mathrm{in}_{T_{i,0}}},\ i = 1 \ldots T$
$\mathrm{Seed}_{\mathrm{in}_{T_{i,2}}},\ i = 2 \ldots T$
$\mathrm{Sig}_{T_{i,0}},\ i = 2 \ldots T$
$\mathrm{Root}_{T_{i,1}},\ i = 2 \ldots T$
$\mathrm{Auth}_{T_{i,0},0},\ i = 1 \ldots T$
$\mathrm{Auth}_{T_{i,1},0},\ i = 2 \ldots T$
Using the treehash algorithm (Algorithm 1), the root values of the first Merkle tree on each layer $T_{i,0}$ (including the GMSS public key $\mathrm{Root}_{T_{1,0}}$) are built. For this the initial seed values $\mathrm{Seed}_{\mathrm{in}_{T_{i,0}}}$ are needed. While calculating these roots, the authentication data of the first tree $\mathrm{Auth}_{T_{i,0},0}$ of each layer can be stored, so that the Auth values for these trees are obtained for free. The initial seeds for the second trees are now available. In the same way as above, the root values of the second trees $\mathrm{Root}_{T_{i,1}}$ and the corresponding authentication data $\mathrm{Auth}_{T_{i,1},0}$ are generated with Algorithm 1. After this the initial seed value for the third tree of each layer, $\mathrm{Seed}_{\mathrm{in}_{T_{i,2}}}$, is ready and can be stored in the private key. The signatures $\mathrm{Sig}_{T_{i,0}}$ are the one-time signatures of the root values already known.
Figure 8: Example GMSS keys. The private key consists of the authentication path for the first leaf of the first two trees on each layer, the $\mathrm{Seed}_{\mathrm{in}}$ for the first and the third tree on each layer, the root signatures Sig of the first trees and the root values Root of the second trees. The public key is the uppermost root value $\mathrm{Root}_{T_{1,0}}$.

This private GMSS key is the key for the first signature. Once this signature has been created, the key is updated, so it changes for every new signature. Therefore the GMSS scheme is called a key evolving signature scheme [18]. As the private signing key changes (evolves) frequently, this leads to a special security feature of GMSS, so-called forward security. Even if an adversary compromises the current signing key, it is impossible to forge signatures belonging to former signing keys. Using the introduced seed scheduling, MSS does contain this security feature as well [6].
GMSS Signature Generation. The signature generation is divided into an online and an offline part. Such a separated framework is described in [19]. The offline part can be seen as preparation of the next online part. This online part cannot be done until the message is known. It is a fast process, so that the signature can be generated rapidly when the offline part has already been done. The offline part belonging to the first signature was done during the key generation phase. Later, during the offline phase, the private key has to be updated (as mentioned above, key evolving scheme). The online part only consists of the generation of the signature. All parts needed for this signature were created and provided by the previous offline part. A detailed description of both phases can be found in [7, 17].
The offline part distributes the computation of the needed Root, leaf and Sig values, so that the time spent on each signature does not differ too much. If a Root or a Sig value is computed at once, the current round lasts longer than previous rounds where no such time-expensive operations were done. Therefore the computation of those values is distributed over the calculation of the leaves of the underlying layer, i.e. over $2^{h_{i+1}}$ steps. Figure 9 illustrates the precomputation of those values.
Figure 9: While advancing a leaf in tree $T_{i,j}$, the values $\mathrm{Sig}_{T_{i,j+1}}$ and $\mathrm{Root}_{T_{i,j+2}}$ are updated, so that the computation of those values is distributed over all $2^{h_i}$ steps of tree $T_{i,j}$. While doing one step in $T_{i+1,j}$ the leaf of tree $T_{i,j+2}$ is partly computed.
GMSS Verification. The GMSS verification is nearly the same as in the original Merkle scheme. The first part is the verification of the one-time signature of the original data. If this already fails, the verification can be stopped. Next the authentication starts with the tree on the lowest layer. Using the corresponding authentication data, the root value of all trees can be calculated. The one-time signatures of the roots are compared to the values Sig in the signature. If one of these signatures cannot be verified, the GMSS verification also fails with a negative result. Ending up at the root $\mathrm{Root}_{T_{1,0}}$ of the GMSS construction, this can be compared to the GMSS public key. Only if this comparison is successful is the whole signature accepted.
Needed Storage. Following [7] the size of the keys and the signature is:

$$m_{\mathrm{pubkey}} = n \ \text{bits}$$

$$m_{\mathrm{privkey}} = \left( \sum_{i=1}^{T} (h_i + 1) + \sum_{i=2}^{T} (h_i + t_{w_{i-1}} + 2) \right) \cdot n \ \text{bits}$$

$$m_{\mathrm{signature}} = \sum_{i=1}^{T} (h_i + t_{w_i}) \cdot n \ \text{bits}$$

The variable $n$ again denotes the length of the output of the hash function Hash. The public key is only one single hash value, which is why its bit length is $n$. The size of the private key and the signature can easily be derived from the listings above.

In practice these numbers will not hold. Some additional data has to be stored; for example, the parameters $P$ must be added to the public key as they are needed for the verification process. So these numbers are more theoretical, but they give an idea of the overall sizes of signatures and keys. A comparison of the needed storage capacity can be found in section 6.
3.1 Overview
The Merkle tree traversal problem is the challenge of computing the authentication paths of consecutive leaves of one single Merkle tree. This is one of the most crucial steps in the Merkle signature scheme and its derivatives. Today MSS and its descendants are not often used in practice, because they are too slow or the signature size is too big. Better traversal techniques may speed up the signature generation (as well as better implementations like GMSS shall make the system more useful for practical considerations). As consecutive leaves mostly share a lot of authentication nodes, only the changes have to be computed from one leaf to the following. Good scheduling algorithms use this fact to speed up the computation of new authentication data.
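How much of the authentication path consecutive leaves share can be measured on a small tree. The following Python code is an added example, not code from the thesis: it builds a Merkle tree naively with SHA-256 as the assumed hash function over constructed leaf values, and it is not one of the traversal algorithms discussed in this section.

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_tree(leaves):
    """levels[h][k] is node k on height h; levels[-1][0] is the root."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[k] + prev[k + 1]) for k in range(0, len(prev), 2)])
    return levels

def auth_path(levels, phi):
    """Sibling of the node on the path of leaf phi, for every height below the root."""
    return [levels[h][(phi >> h) ^ 1] for h in range(len(levels) - 1)]

def root_from_path(leaf, phi, path):
    """Recompute the root from a leaf value and its authentication path."""
    node = leaf
    for h, sibling in enumerate(path):
        # Bit h of phi says whether the current node is a right child.
        node = H(sibling + node) if (phi >> h) & 1 else H(node + sibling)
    return node

def changed_heights(levels, phi):
    """Heights whose authentication node differs between leaf phi and phi + 1."""
    a, b = auth_path(levels, phi), auth_path(levels, phi + 1)
    return [h for h in range(len(a)) if a[h] != b[h]]

def average_changes(levels):
    """Mean number of authentication nodes replaced per step to the next leaf."""
    n = len(levels[0])
    return sum(len(changed_heights(levels, p)) for p in range(n - 1)) / (n - 1)

HEIGHT = 4
LEAVES = [H(b"constructed leaf %d" % k) for k in range(1 << HEIGHT)]
LEVELS = build_tree(LEAVES)

if __name__ == "__main__":
    for phi in range(len(LEAVES) - 1):
        print(phi, changed_heights(LEVELS, phi))
    print(average_changes(LEVELS))
```

On average fewer than two of the four authentication nodes change per step, but a step such as leaf 7 to leaf 8 replaces all of them at once, which is the uneven cost that scheduling has to smooth out.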
With digital signatures, a tree traversal algorithm for authentication data consists of three phases: key generation, output and verification.

During the key generation phase the root of the Merkle tree is constructed and the first authentication path is stored. Some additional authentication data can be stored and used as input for the traversal algorithm as well.

The output phase consists of $2^H$ rounds. In each round the leaf value $\Phi(\varphi)$ and the authentication data $\{\mathrm{Auth}_h\}$ of leaf $\varphi$ is output and then updated for the next round. This is the main part, requiring good scheduling ideas.

The verification phase is always the same as for the original Merkle tree.
In his original paper Merkle introduced a simple traversal algorithm [4]. Jakobsson et al. proposed an algorithm using subtrees in [20]. This algorithm allows a trade-off between storage and computation time. It needs a maximum of $2H / \log(H)$ hash function evaluations and maximum storage of $1.5H^2 / \log(H)$ hash values per round. An implementation of the Merkle signature scheme using Jakobsson's ideas can be found in [21].
Szydlo presented a log-time and log-space algorithm in [22] and a slightly different version in a preprint in [16]. An algorithm is called logarithmic if its time per round respectively the maximum memory capacity needed is logarithmic in the total number of signatures $N$. He also proves that these bounds are optimal for the authentication path computation, i.e. that it is not possible to create an algorithm that in both time and space complexity is better than $O(\log N)$. Other work considering authentication path computation can be found in [23]. The new algorithm presented in this thesis is an improvement of Szydlo's algorithms. For this reason the outline of this section is the introduction of Szydlo's traversal algorithm (the more efficient preprint version of [16], not the simpler, published version of [22]). The description of Merkle's classical algorithm leads to Szydlo's improved algorithm version (Algorithm 2). Finally some drawbacks of Szydlo's algorithm are presented to motivate the improved algorithm presented in the main part of this thesis.