GMSS - Generalized Merkle Signature Sheme

2.5 The Merkle Signature Sheme

2.5.2 GMSS - Generalized Merkle Signature Sheme

Asmentionedabove GMSS isanexpansionof the Merklesignature sheme. GMSS

stands for generalized Merkle signature sheme and was proposed in2007 [7℄. One

instaneof GMSSisCMSS, whihwasproposedin2006[5℄. When MSS andCMSS

haverelatively largesizedsignatures, GMSS isadressedtoallowsmallersignatures,

andfastergenerationandveriation. AdditionallywithGMSSitispossibletosign

up to

2 ⁸⁰

^and ^even ^more ^messages, ^while ^with ^MSS ^this ^number ^is ^only ^appliable

up to

2 ²⁰

^. ^This ^attribute ^is ^helpful ^onsidering ^pratial ^applianes ^like ^web ^server

appliations,wherebigamountsofsignaturesareneessary. Theparameterizationof

GMSSallowsthehoieofeitherfastruntime,smallsignaturesoratrade-obetween

bothdependingontheappliation. This setionintroduesthemainharateristis

andgivesanoverviewaboutGMSS. Amoredetaileddesriptionanbefound in[7℄

and [17℄.

General Constrution. The general GMSS onstrution is made up of a tree

with height

T

^. ^The ^nodes ^of ^this ^tree ^are ^again ^Merkle ^trees. ^Eah ^of ^the ^Merkle

trees on layer

i

^of ^the ^basi ^tree ^has ^height

h i

^and ^is ^parent ^of

2 ^h ⁱ

^Merkle ^trees ^on

the layer

i + 1

^. ^The ^Merkle ^trees ^are ^labeled

T _i,j

^, ^where

i

^is ^the ^level ⁱⁿ ^the ^basi

tree and j is the numberof the node onheight

i

^, onseutively numbered from left toright with

0 . . . 2 ^h ¹ ^+h ² ^+...+h ⁱ ⁻¹ − 1

^. ^The ^root^tree ^is ^labeled

T 1,0

Againthe WinternitzOTSshemeisusedforthesignaturesintheMerkletrees. For

eahlayeradierentparameter

w _i

i = 1 . . . T

^is^allowed. ^GMSS^isparameterizedby theheightofthebasitree,theheightsofthetreesoneahlayerandtheWinternitz

parameters. Altogetherthe parameter set

P

^of ^GMSS ^is

P = (T, (h 1 , . . . , h T ), (w 1 , . . . , w T ))

CMSS isthe variant dened by the parameters

P = (2, (h, h), (w, w))

The root of eah Merkle tree

T i,j

^is ^labeled ^Root

T i,j

^. ^It ^gets ^signed ^with ^the ^OTS

keyoftheorrespondingparentleaf: therootoftree

T i,j

^is^signed^using^the^signature

key of a leaf of the parent tree on height

i − 1

^. ^The ^signature ^of ^tree

T

^'s ^root ^is

alledSig

T

^. ^T^o ^sign ^a^message ^digest^the ^signature ^keys ^of ^the ^Merkle^trees ^on^the

deepest layer

T

^are ^used. ^These ^signatures ^are ^denoted ^with ^Sig

d

^. ^F^ollowing ^this

onstrution the number of message digests that an be signed is

2 ^h ¹ ^+h ² ^...h ^T

^. ^The

generalonstrution of GMSS isillustrated in gure 6.

PSfrag replaements

T T,0 T T,1 T T,j

T 2,0 T 2,1

T 1,0

T

Sig

T

Root

T

Figure 6: Basi onstrution of GMSS. Onlythe leaves on the lowest layer areused for

GMSSsignatures.

As on upper layers the leaves advane less frequently, the preomputation of these

trees an be distributed over many steps. This property allows an advane in

sig-naturegeneration time. As wellitallowsthe hoieof higher parameters

w i

^for ^the

OTS sheme,whih leads toa smallersignature size intotal.

A GMSS signature. As known from MSS for eah signature there is a unique

path from the leaf

ϕ

^up ^to ^the ^root. ^Here ^this ^path ^ontains ^one ^Merkle ^tree ^on

eahlayer. Additionaltotheone timesignature ofthe messagedigest,the onetime

signatures of the rootvalues of these trees are stored inthe GMSS signature. Also

theauthentiationdataonthepathexistingofAuth

T ,l

^for^eah^tree

T

^is^appended

tothe GMSS signature. Hereby

l

^is ^the ^index ^of ^the ^leaf ^of ^tree

T

^used ^for ^signing

therootofthetree onthelayerbelow. Onthedeepestlayerthe authentiationdata

ofthe leaf used tosign the message digestis appended. An exampleof this proess

isdepited in gure 7.

Totallythe GMSS signature onsistsof the following:

•

^the ^index

ϕ

^of ^the ^leaf^used

•

^the^one^time^signature^Sig

d

^of^the^doument

d

^signed^with^the^key

orrespond-ingtoa leafof the lowest layer

•

^the ^one ^time ^signatures ^Sig

T i,j

^of ^the ^roots

•

^the authentiation paths Auth

T i,j

^of ^eah ^tree ^on ^the ^path ^from ^the ^bottom

leaf

ϕ

^to ^the ^GMSS ^root

PSfrag replaements

ϕ,

^Sig

d

Sig

T T ,0

Sig

T i,j

Auth

T T ,0

Auth

T i,j

Auth

T 1,0

T T,0

T i,j

T 1,0

Figure 7: Example ofa GMSSsignature

SeedalulationinGMSS. ForeverysingleMerkletreeoftheGMSSonstrut

the seed generation proedure desribed on page 25 is used. There an initial seed

forevery tree isneeded. Forevery tree ofthe GMSS struture this isaninitialseed

value Seed

in _Ti,j

^. ^The ^Seed

in

^for ^the ^rst ^tree ⁱⁿ^eah ^layer^(Seed

in _Ti,0

⁾ ^is^required

asinput. The following

seed in

^values ^are ^omputed ^as^the ^output ^of ^the ^last^leaf^of

the previous tree:

(

^Seed

in _Ti,j+1 ,

^Seed

OT S ) ←

^Prng

(

^Seed

₂ hi )

Here Seed

2 ^hi

^is ^the ^seed ^of^the ^last^leaf^of ^tree

T i,j

^. ^Hene ^using^one ^initial^seed ^for

eah layer allrequired seed values an be onstuted.

GMSS KeyGeneration. This phaseusestheinitialseedvaluesforonstruting

the publi and private keys needed for GMSS. The GMSS publikey is the rootof

the top Merkletree: Root

T 1,0

^. ^The ^private ^key ^is ^built ^by ^the ^following:

Seed

in _Ti,0 , i

⁼

1 . . . T

^Seed

in _Ti,2 , i

⁼

2 . . . T

Sig

T i,0 , i

⁼

2 . . . T

^Root

T i,1 , i

⁼

2 . . . T

Auth

T i,0 ,0 , i

⁼

1 . . . T

^Auth

T i,1 ,0 , i

⁼

2 . . . T

Usingthe treehash algorithm (Algorithm1) the root values of the rst Merkle tree

on eah layer

T _i,0

^(inluding ^the ^GMSS ^publi ^key ^Root

_T _1,0

⁾ ^are ^built. ^F^or ^this

the initial seed values Seed

in _Ti,0

^are ^needed. ^While ^alulating ^these ^roots ^the

authentiation data of the rst tree Auth

T i,0 ,0

^of ^eah ^layer ^an ^be ^stored, ^so ^that

the Auth values for these trees are obtained for free. The initial seeds for the

seond trees are now available. The same as above the root values of the seond

trees Root

T i,1

^and ^the orrespondingauthentiation data Auth

T i,1 ,0

^are ^generated

with Algorithm 1. After this the initialseed values for the third tree of eah layer

Seed

in _Ti,2

^is ^ready ^and ^an ^be^stored ⁱⁿ ^the ^priv^ate ^key. ^The ^signatures ^Sig

T i,0

^are

the one time signatures of the root values already known.

PSfrag replaements

Figure 8: Example GMSSkeys. The privatekey onsistsof the authentiation path for

therstleaf oftherst twotrees oneahlayer, the Seed

in

^for ^the ^rst^and^the ^third^tree

on eah layer, the root signatures Sigof the rst trees and the root values Root of the

seondtrees. The publi keyisthe uppermostroot valueRoot

T 1,0

This private GMSS key is the key for the rst signature. Having reated this

sig-nature the key is updated and so hanges for every new signature. Therefore the

GMSS shemeis alledakey evolving signature sheme [18℄. As the private signing

key hanges (evolves) frequently, this leads to a speial seurity feature of GMSS,

soalledforward seurity. Also ifanadversary ompromisesthe atualsigningkey,

it is impossible to forge signatures belonging to former signing keys. Using the

introduedseed sheduling, MSS does ontain this seurity feature as well [6℄.

GMSS Signature Generation. The signature generation is distributed in an

online and an oine part. Suh a separated framework is desribed in [19℄. The

oinepart anbeseen aspreparationof the next onlinepart. This onlinepart an

notbedoneuntilthemessageisknown. Itisafastproess, sothatthesignaturean

be generated rapidly,when the oine part has already been done. The oine part

belonging to the rst signature was done during the key generation phase. Later

duringtheoinephase theprivate key has tobeupdated(as mentioned above,key

evolving sheme). The online part only onsists of the generation of the signature.

Allpartsneededforthis signaturewere reated andprovidedbythe previousoine

part. A detailleddesriptionof both phases an be found in[7, 17℄.

The oine part distributes the omputation of the needed Root, leaf and Sig

values,sothatforeahsignaturethetimetospendisnottoodierent. IfaRootor

aSigvalueisomputedatone,the atualroundlastslongerthanprevious rounds

where nosuh time expensive operationswere done. Therefore the omputationof

thosevalues isdistributed overthe alulation ofthe leavesof the underlyinglayer,

i.e. over

2 ^h ⁱ⁺¹

^steps. ^Figure⁹illustrates the preomputation of those values.

PSfrag replaements

Root

T i,j+2

Sig

T i,j+1

T i − 1,j

T i,j T i,j+1 T i,j+2

T i+1,j

Figure 9: While advaning a leaf in tree

T _i,j

^, ^the ^values ^Sig

_T _i,j+1

^and ^Root

_T _i,j+2

^are

updated,sothattheomputationofthosevaluesisdistributedoverall

2 ^h ⁱ

^steps^of^tree

T i,j

Whiledoingone stepin

T _i+1,j

^the ^leaf^of^tree

T _i,j+2

^is^partly ^omputed.

GMSS Veriation. The GMSS veriation is nearly the same as in the

orig-inal Merkle sheme. The rst part is the veriation of the one time signature of

the original data. If this already fails, the veriation an be stopped. Next the

authentiation starts with the tree on the lowest layer. Using the orresponding

authentiationdata the rootvalue of alltrees an be alulated. The one time

sig-natureof the roots are ompared to the values Sigin the signature. Alsoif one of

these signatures annot be veried truly, the GMSS veriation fails with a

nega-tive result. Endingup at the rootRoot

T 1,0

^of ^the ^GMSS onstrution, this an be ompared tothe GMSS publi key. Onlyif this omparison is suessful the whole

signature isaepted.

Needed Storage. Following[7℄ the size of the keys and the signature is:

m

^pubkey

= n

^bits

m

^privkey

= X ^T

i=1

(h i + 1) + X T

i=2

(h i + t w i − 1 + 2)

· n

^bits

m

^signature

= X T

i=1

(h i + t w i ) · n

^bits

The variable

n

^again ^denotes ^the ^length ^of ^the ^output ^of ^the ^hash ^funtion ^Hash.

Thepublikey isonlyone singlehashvalue,that's why itsbitlengthis

n

^. ^The ^size

of the private key and the signature an easily be derived fromthe listingsabove.

Inpratie thesenumbers willnot hold. Some additionaldata has tobe stored,for

example the parameters

P

^must ^be ^added ^to ^the ^publi ^key ^as^they ^are ^needed ^for

the veriation proess. So these numbers are more theoretial, but they give an

ideaof the overall sizes ofsignatures and keys. Aomparison ofthe needed storage

apaity an be found in setion6.

3.1 Overview

The Merkle tree traversal problem is the hallenge of omputing the

authentia-tion paths of onseutive leaves of one single Merkle tree. This is one of the most

ruial steps in the Merkle signature sheme and its derivatives. Today MSS and

its desendants are not often used in pratie, beause they are too slow or the

signature size is too big. Better traversal tehniques may speed up the signature

generation (as well as better implementations like GMSS shall make the system

more useful for pratial onsiderations). As onseutive leaves mostly share a lot

ofauthentiationnodes, onlythe hanges have tobeomputed fromone leaftothe

following. Goodshedulingalgorithmsuse this fattospeedup the omputationof

new authentiationdata.

Withdigitalsignatures a treetraversal algorithmforauthentiation data onsistof

threephases: key generation,output and veriation.

During thekey generation phasetherootof theMerkletree isonstruted andthe

rst authentiation path is stored. Some additional authentiation data an

bestored used as input forthe traversal algorithmas well.

The output phase onsists of

2 ^H

^rounds. ^In ^eah ^round ^the ^leaf ^value

Φ(ϕ)

^and

theauthentiationdata{Auth

h

^}^of^leaf

ϕ

^is^output^and ^then^updated^for^the

next round. This isthe main part, requiring good shedulingideas.

The veriation phaseis always the same asfor the original Merkletree.

Inhis originalpaperMerkle introdued asimple traversal algorithm[4℄. Jakobsson

et. al. proposed analgorithmusing subtrees in [20℄. Thisalgorithmallows a

trade-o between storage and omputation time. It needs a maximum of

2H / log(H)

hash funtionevaluations and maximum storage of

1.5H ² / log(H)

^hash ^values ^per

round. An implementationof the Merklesignature sheme using Jakobsson's ideas

an be found in[21℄.

Szydlo presented a log-time and log-spae algorithm in [22℄ and a slightly

dier-ent version in a preprint in [16℄. An algorithm is alled logarithmi if its time per

roundrespetively the maximum memoryapaity needed is logarithmi in the

to-tal number of signatures

N

^. ^He ^also ^proves ^that ^these ^bounds ^are ^optimal ^for ^the

authentiationpath omputation, i.e. that it isnot possible toreate analgorithm

that in both time and spae omplexity is better than

O(log N )

^. ^Other ^work

on-sideringauthentiation path omputationan befound in [23℄. The new algorithm

presented in this thesis is an improvement of Szydlo's algorithms. For this reason

the outline of this setion is the introdution of Szydlo's traversal algorithm (the

moreeientpreprintversionof[16℄,notthemoresimple,publishedversionof[22℄).

Thedesriptionof Merkle'slassialalgorithmleadstoSzydlo'simprovedalgorithm

version (Algorithm2). Finallysome drawbaks of Szydlo'salgorithmare presented

tomotivate the improved algorithmpresented in the main part of this thesis.

Im Dokument DaadUiveiyfTe h (Seite 28-36)

GMSS - Generalized Merkle Signature Sheme

2.5 The Merkle Signature Sheme

2.5.2 GMSS - Generalized Merkle Signature Sheme

2 80

2 20

T

i

h i

2 h i

i + 1

T i,j

i

i

0 . . . 2 h 1 +h 2 +...+h i −1 − 1

T 1,0

w i

i = 1 . . . T

P

P = (T, (h 1 , . . . , h T ), (w 1 , . . . , w T ))

P = (2, (h, h), (w, w))

T i,j

T i,j

T i,j

i − 1

T

T

T

d

2 h 1 +h 2 ...h T

T T,0 T T,1 T T,j

T 2,0 T 2,1

T 1,0

T

T

T

w i

ϕ

T ,l

T

l

T

•

ϕ

•

d

d

•

T i,j

•

T i,j

ϕ

ϕ,

d

T T ,0

T i,j

T T ,0

T i,j

T 1,0

T T,0

T i,j

T 1,0

in Ti,j

in

in Ti,0

seed in

(

in Ti,j+1 ,

OT S ) ←

(

2 hi )

2 hi

T i,j

T 1,0

in Ti,0 , i

1 . . . T

in Ti,2 , i

2 . . . T

T i,0 , i

2 . . . T

T i,1 , i

2 ⁸⁰

2 ²⁰

2 ^h ⁱ

T _i,j

0 . . . 2 ^h ¹ ^+h ² ^+...+h ⁱ ⁻¹ − 1

w _i

2 ^h ¹ ^+h ² ^...h ^T

in _Ti,j

in _Ti,0

in _Ti,j+1 ,

₂ hi )

2 ^hi

in _Ti,0 , i

in _Ti,2 , i

T _i,0

_T _1,0

in _Ti,0

in _Ti,2

2 ^h ⁱ⁺¹

T _i,j

_T _i,j+1

_T _i,j+2

2 ^h ⁱ

T _i+1,j

T _i,j+2

= X ^T

2 ^H

1.5H ² / log(H)