Department of Computer Science
Cryptography and Computeralgebra
Diploma Thesis
Improved Authentication Path
Computation For Merkle Trees
Michael Schneider
Darmstadt University of Technology
Department of Mathematics
March 2008
Supervisor: Prof. Dr. Johannes Buchmann
Erik Dahmen
1 Introduction
1.1 Outline
1.2 About This Thesis
2 Background
2.1 Digital Signatures
2.2 Hash Functions
2.3 One Time Signatures
2.3.1 The Winternitz One Time Signature Scheme
2.4 Merkle Trees
2.5 The Merkle Signature Scheme
2.5.1 MSS - Merkle Signature Scheme
2.5.2 GMSS - Generalized Merkle Signature Scheme
3 Common Traversal Algorithms
3.1 Overview
3.1.1 Notation
3.2 Szydlo's Algorithm
3.2.1 Motivation
3.2.2 The Algorithm
3.3 Drawbacks of Former Algorithms
4 A New Authentication Path Algorithm
4.1 Notation
4.1.1 Treehash Stacks
4.2 Algorithm Description
4.2.1 Initialization
4.2.2 Authentication Path Computation
4.3 Correctness of the Algorithm
4.4 Computational Bounds
4.5 Storage Efficiency
4.6 Computing Leaves using a PRNG
4.7 Comparison of Theoretical Bounds
5 Java Implementation
5.1 Overview
5.2 Distributed Node Computation
5.3 Implementation of the Authentication Path Algorithm
6 Results
6.1 Comparison: Authentication Path Algorithm
6.2 Comparison: GMSS
7 Conclusion and Further Work
References
B Code Examples
C ASN.1 Encoding
D Object Identifiers
List of Abbreviations
RSA Cypher and Signature Algorithm of Rivest, Shamir and Adleman
DSA Digital Signature Algorithm
ECDSA Elliptic Curve Digital Signature Algorithm
PQC Post Quantum Cryptography
MD5 Message Digest Algorithm 5
SHA Secure Hash Algorithm
MAC Message Authentication Code
DL problem Discrete Logarithm problem
OTS One Time Signature
OTSS One Time Signature Scheme
PRNG Pseudo Random Number Generator
MSS Merkle Signature Scheme
CMSS Coronado Merkle Signature Scheme
GMSS Generalized Merkle Signature Scheme
JCA Java Cryptography Architecture
JCE Java Cryptography Extension
API Application Programming Interface
List of Figures
1 A complete binary tree of height $H = 2$. The values 0 . . . 4 are the leaf indices, $h$ denotes the nodes' height.
2 A Merkle tree with leaf values A, B, C, D
3 Authentication data of leaf ϕ. Hashing the concatenation of Auth$_0$ and $\Phi(\varphi)$ gives the upper node, continuing up the root finally gives the root value. The dashed nodes denote the authentication path for leaf ϕ. The arrows indicate the path from leaf ϕ to the root.
4 Sample of the treehash algorithm: value 'D' is pushed on the stack. Then 'C' and 'D' are hashed to a height 1 node which is then again hashed with the bottom node to a height 2 node.
5 Seed generation for a single Merkle tree. Each arrow indicates one call to the Prng.
6 Basic construction of GMSS. Only the leaves on the lowest layer are used for GMSS signatures.
7 Example of a GMSS signature
8 Example GMSS keys. The private key consists of the authentication path for the first leaf of the first two trees on each layer, the Seed$_{in}$ for the first and the third tree on each layer, the root signatures Sig of the first trees and the root values Root of the second trees. The public key is the uppermost root value Root$_{T_{1,0}}$.
9 While advancing a leaf in tree $T_{i,j}$, the values Sig$_{T_{i,j+1}}$ and Root$_{T_{i,j+2}}$ are updated, so that the computation of those values is distributed over all $2^{h_i}$ steps of tree $T_{i,j}$. While doing one step in $T_{i+1,j}$ the leaf of tree $T_{i,j+2}$ is partly computed.
10 Left node computation: A Merkle tree of height 4 in rounds $\varphi = 3$ and $\varphi = 4$. In the upper tree the height of the first parent of leaf ϕ that is a left node is $\tau = 2$. The lower figure shows the authentication data of leaf $\varphi = 4$. All lower authentication nodes (Auth$_0$ and Auth$_1$) are pushed from the stacks and reset in round $\varphi = 3$.
11 Values of the initialization, $H = 5$, $K = 3$. The dashed nodes are authentication nodes, the black ones are stored in treehash, the grey nodes are kept in retain stacks.
12 In round ϕ the node Auth$_\tau$ is stored in Keep$_\tau$. This node is needed in round $\varphi + 2^\tau$ for the computation of its parent node, which is part of the dashed authentication path computed in round $\varphi + 2^\tau$.
13 In round ϕ the node Auth$_2$ is popped from Treehash$_2$. This instance is then initialized anew with start index $\varphi + 1 + 3 \cdot 2^2$ and computes the declared right node on height 2. This node is needed in round $\varphi + 2^3$.
14 While advancing a leaf in tree $T_{i+1,j}$, the next leaf of tree $T_{i,j}$ is partly computed.
15 Suppose $(H - K)/2 = 4$, so that the four dark leaves of the upper tree are required for treehash updates. They are computed while advancing leaves in the lower tree.
16 Number of hashes needed for right nodes per round while advancing one Merkle tree. On the x-axis the single rounds are assigned (tree height $H = 5 \Rightarrow 2^5 = 32$ rounds), the y-axis shows the number of needed hash function evaluations.
17 Number of hashes per round. The upper graph shows the result of Algorithm 3, the lower graph belongs to Szydlo's algorithm ($H = 10 \Rightarrow 1024$ rounds).
18 Time needed for signing with GMSS. The red line shows the timings using the new GMSS implementation, the blue line belongs to the old implementation. The used parameter set is $P = (4, (4, 4, 4, 4), (8, 8, 8, 3))$, $K$ is set 2 on each layer.
List of Tables
1 Number of Leafcalc operations
2 Total number of nodes stored in Retain ($2^K - K - 1$).
3 Comparison of complexity bounds. In concern of computation time, Algorithm 3 distinguishes between hash function evaluations (first row) and leaf calculations (second row)
4 Statistic data of the number of hashes required per round
5 Comparison of the number of hashes required in the worst case.
6 Measured values for the new GMSS implementation
7 Measured values for the old GMSS implementation, from [17]
8 Results of the new GMSS implementation: time and memory requirements of selected parameter sets. For the average timings, in each case the mean value of the first $2^{12}$ signatures were considered.
9 Object Identifiers for GMSS
1 Introduction
1.1 Outline
Digital signatures are one of the most popular applications of cryptographical techniques, besides encryption. The concern is to allow identification, authentication, integrity, and liability in electronic applications. Digital signatures are used for secure interaction over the internet by signing emails or protecting web browser communications by SSL/TLS. They are necessary for procedures like digital voting or bureaucratic solutions over the internet.
Today digital signatures are mostly implemented using asymmetric, also called public key cryptography. Famous examples are the RSA, ECDSA, or DSA signature schemes. In the majority of cases the security of these methods is based on mathematical, number theoretical assumptions, like the factoring of big numbers or the discrete logarithm problem. Today all of these algorithms and schemes can be considered as sufficiently secure. However, new algorithms already exist to solve these number theoretical problems on quantum computers [1, 2]. The established signature algorithms can be used without worries, as long as no practically useable quantum computers exist. But additionally, new techniques must be found to be prepared for the case of working quantum computers. This field of work is called post quantum computing (PQC). Another weakness of the established techniques is the increasing key size. Because today's computers' performance develops rapidly, the key size of the used public key schemes must be raised to assure security [3]. This procedure of rising key lengths ends, if algorithms independent of number theoretical assumptions are found.
An alternative way is to use so called one time signatures (OTS). These signature schemes are considered to be secure also on quantum computers. Their security relies on the security of hash functions. A hash function is a mathematical function which is easy to compute but hard to invert. While the keys of a usual signature algorithm can be used more often, the keys of a one time signature must not be used more than once. Otherwise the security of the signature scheme would be reduced, as an OTS signature reveals parts of the security of the scheme. The problem with one time signatures is that the number of keys that have to be stored and delivered increases enormously. This is a well known problem by symmetric cryptography.
To solve this key management problem, Merkle proposed his idea of using binary trees for authentication of big amounts of OTS public keys in 1989 [4]. Using this new idea, it is possible to authenticate up to $2^{20}$ (and even more) OTS private keys with one single public key. This leads to efficiency in storage concerns, as only one key has to be permanently stored instead of many. Merkle's idea offered the possibility to create a multi-time signature scheme, called Merkle signature scheme (MSS), based on any one time signature scheme. Extending this idea of MSS some extensions and advancements were proposed: CMSS [5, 6] and GMSS [7], which is a generalization of CMSS. The advantage of GMSS (Generalized Merkle signature scheme) compared to the original Merkle scheme is the smaller size of the signatures and a better scheduling of the signature generation. Furthermore the GMSS scheme is parameterized. This feature allows to customize the scheme for different applications, like usage on smartcards or comparable low computation devices where low storage space plays an important role. One important part of the Merkle signature scheme is the traversal of the authentication tree. Whereas simple traversal algorithms arrest the signature generation, a fast traversal algorithm enhances the whole scheme. Thus it is important to develop good authentication path algorithms.
1.2 About This Thesis
The subject of this thesis is the introduction of a new traversal algorithm for Merkle trees and the integration of this algorithm in GMSS, including an implementation in Java for the FlexiProvider. Section 2 gives the background information needed, while section 3 describes former known traversal algorithms. In section 4 the new traversal algorithm is introduced. Correctness and efficiency proofs complete this section. The Java implementation for the FlexiProvider is considered in section 5. In section 6 the comparison of GMSS using the new authentication path algorithm with other established signature algorithms is drawn. Section 7 finally gives a conclusion of the thesis.
The reader of this thesis is supposed to be familiar with fundamental mathematical notations of cryptographic considerations like signing or encryption functions, as well as simple mathematical principles like geometric series. Understanding of basic complexity theoretical ideas (like the $O$-notation) and algorithm notation might also be necessary to understand the main parts of this thesis.
2 Background
This section informs about the basic mathematical and cryptographical principles and techniques needed for the considered applications. First an introduction of digital signatures is given. Then the principles of hash functions and one time signatures are explained, followed by an example one time signature scheme, the Winternitz OTS scheme, which will be used for the implementation of the new algorithm. After that the idea of Merkle trees and the Merkle signatures are illustrated. Finally, a short explanation of the GMSS extension is given.
2.1 Digital Signatures
The purpose of a digital signature is to offer special security purposes like identification, authentication, integrity or liability. It can, in some parts, be compared to a handwritten signature: only one person can create its own signature, every forgery can be determined. One big difference is that the digital exponent is a mathematical function of the message. If the document changes, the signature changes as well. The digital signature could otherwise be moved from one document to another, as all digital data can be easily copied.
Not only documents are signed digitally. Digital signatures are also used for package transport security in transport protocols. In principle every kind of digital data can be signed. In most applications not the data or document itself is signed but a message digest of it. That is a kind of fingerprint of the data. The principles of message digests are explained in section 2.2.
Digital signatures are always based on asymmetric cryptography. Such a system was first introduced by Diffie and Hellman in 1976 [8], which was one of the greatest advances in modern cryptology. For such a digital signature, two different types of keys are needed: a private key for signature generation and a public key for verification. The private key in this purpose is also called the signing key and the public key is also called the verification key. As one could guess from the name, the private key has to be kept secret, whereas the public key can be spread widely. Everyone knowing this public key can verify the signature, but only the owner of the private key is able to create one. For one time signature schemes, these keys are generated newly for every signature. In contrast, for multi-time signature schemes both keys are used for bigger amounts of signatures. Some of the commonly used signature algorithms are also used for encryption (like RSA), whereas some of the systems are only applicable to signatures (like DSA and ECDSA). Some attributes of a digital signature scheme are:
Authenticity: Everyone should be able to check that the signer really is the originator of a signature. This is possible because everyone can use the public verification key. Nobody else shall be able to sign a document in the signer's name. For this purpose the private signing key must be kept secret.
Non-Repudiation: This property means that the signer can not successfully deny the fact of having signed a document. Everyone possessing the signature and the original document can prove that the signature was really created with the signer's private key. Since a signature is also a function of the private key and no one besides the signer knows this signing key, nobody is able to construct signatures which can be verified by the corresponding public key. The signer can never deny having signed a message if a verifiable signature exists. When the liability has to be proved, a third person (for example a court) has to check if a signature really belongs to the person it should. The non-reusability property of a signature in this concern means that this action can be performed without revealing the private key, so that it can be used again by the user.
Integrity: If a document changes or is manipulated, the signature of the original document (a contract for example) will not match this forged document and will be refused. Therefore changes in data can be proved using digital signatures.
Mathematically, digital signatures are based on one-way functions with trapdoor. A one-way function is a mathematical function which is easy to compute in one direction. However to compute the inversion of the function is hard. If $y = f(x)$ (with a one-way function $f$) it is easy to compute $y$ given $x$ and $f$, but it is hard to get $x$, if only $y$ and $f$ are known. A trapdoor means a secret (e.g. a secret number) which allows to apply the inverse function easily by knowing the secret. In a signature scheme the private key can be considered as the trapdoor. Creation of the signature is the inverse function, which is hard or impossible to compute when the signing key is unknown. When it is said that a function is hard to invert it is meant in today's context: it is possible that in a few years (when the performance of computers has risen further or even quantum computers exist) today's one-way functions will be invertible without problems.
A digital signature scheme consists of three parts: a key generation algorithm, the signature construction, and the verification phase. As the name implies, the first part serves for the creation of the private and the public key. The second part is the use of the private signing key for creating the signature of a message. Finally, using the public key and the original message the authenticity of the signature is checked. The individual phases will be described later in the introduction of particular signature schemes.
2.2 Hash Functions
Most of the known multi-signature schemes are based on mathematical assumptions like factoring of big numbers or the discrete logarithm problem. However, one time signatures are mostly based on cryptographic hash functions. For this reason, those message digest principles are illustrated in this section.
A hash function maps any kind of digital data to a shorter, random looking sequence of numbers called the hash value or message digest of the data, which can be seen as kind of a 'fingerprint.' It is mostly represented by a hexadecimal depiction. As an example, the hexadecimal depiction of the 160 bit long SHA1 hash value of the string 'Improved Authentication Path Computation' is
'fa072597154f81ba39b841f265acc8fa2d47d937'
Changing only one letter in the original data will change the whole message digest: the SHA1-hash of 'improved Authentication Path Computation' is
'70e053246a5e9f591bcae5b47173295899e62cba'
More mathematically, a hash function can be denoted as the following:
$$\mathrm{Hash} : X = \{0, 1\}^* \to Y = \{0, 1\}^n$$
where the domain $X$ includes all bit strings with arbitrary length and the codomain $Y$ consists of all $n$ bit strings. An important attribute of a hash function is its ability to only go one way. This means that it is not possible to generate the original data out of its hash value. A hash function can be considered secure if it assures the following assumptions:
• pre-image resistance: Given the hash function Hash and a value $y$, it is not possible to find an $x$ with $\mathrm{Hash}(x) = y$.
• second-pre-image resistance: Given Hash and $x$, it is not possible to find an $x'$ (with $x \neq x'$) and $\mathrm{Hash}(x) = \mathrm{Hash}(x')$.
• collision resistance: Given Hash, it is not possible to find $x, x'$ (with $x \neq x'$) and $\mathrm{Hash}(x) = \mathrm{Hash}(x')$. As the size of the co-domain $Y$ is smaller than the domain size it is clear that there are collisions between different messages out of $X$. Collision resistance means the impossibility of finding such a collision with non random probability.
In [6] Coronado shows that, for the security of the Merkle signature scheme, one-way-ness and collision resistance of the integrated hash function are sufficient.
Hash functions have different applications in cryptography. They are used for fingerprinting or message authentication codes (MAC) to securely identify data. In most signature algorithms, the message is hashed before it is signed, so that the security increases. For example, without application of a hash function to the message the RSA scheme is not secure against chosen message attacks [9]. Most famous representatives of hash functions are the SHA-family [10] and the Message Digest Algorithm 5 (MD5) [11].
In this thesis $\mathrm{Hash} : \{0, 1\}^* \to \{0, 1\}^n$ is always an arbitrary hash function. The consecutive application of this function is denoted with superscript numbers: $\mathrm{Hash}^2(m)$ stands for $\mathrm{Hash}(\mathrm{Hash}(m))$.
2.3 One Time Signatures
As mentioned in the introduction, one time signature (OTS) schemes are special kinds of signature algorithms where the signing key must not be used more than once, as every further use of these keys would reveal information which could weaken the security of the signature. Most OTS schemes are based on hash functions [12]. The security does not rely on mathematical problems, but only on the security of the hash function. As mentioned above this is dependent on properties like collision resistance. The security of most algorithms used today for multi-time signatures can only be increased by raising the length of the used keys. In the last 20 years, the key lengths of algorithms like RSA or ECDSA have been constantly increasing [3]. Furthermore if large scale quantum computers exist, the search for collisions of hash functions is hard, whereas the underlying problems of ECDSA and RSA can be computed in linear time. These schemes can be broken on quantum computers, while one time signature schemes based on hash functions remain secure.
As the computation of hash functions is fast, one time signatures are very efficient. Their application is possible on low computation complexity devices like smartcards.
2.3.1 The Winternitz One Time Signature Scheme
In this thesis, as in the actual GMSS, the Winternitz One Time Signature Scheme is used [4][12]. The usage of other one time signature schemes like the BiBa scheme [13] would be possible as well. The Winternitz scheme uses a parameter $w$, which is typically chosen a small power of two. This parameter $w$ allows a trade-off between generation cost and signature size. It defines the bit length of the single parts of the private key, whereas $t_w$ is the count of components. With $n$ as length of a hash, we define
$$t_w = \left\lceil \frac{n}{w} \right\rceil + \left\lceil \frac{\lfloor \log_2(\lceil n/w \rceil) \rfloor + 1 + w}{w} \right\rceil$$
The private signature key is $X = (x_1, \ldots, x_{t_w})$, where $x_1 \ldots x_{t_w}$ are random values.
For the generation of random data, a pseudo random number generator (Prng) is used:
$$\mathrm{Prng} : \{0, 1\}^n \to \{0, 1\}^n \times \{0, 1\}^n : \mathrm{Seed}_{in} \mapsto (\mathrm{Seed}_{out}, \mathrm{Rand})$$
It uses a value $\mathrm{Seed}_{in}$ to generate two random looking values $\mathrm{Seed}_{out}$ and Rand. If $\mathrm{Seed}_{out}$ is again used as input for the same Prng we get a chain of values $\mathrm{Rand}_i$ which can always be reproduced by knowledge of only the first $\mathrm{Seed}_{in}$. In this thesis the used Prng is always the one described in the Digital Signature Standard (Appendix 3.1) [14] which requires only one call to a hash function Hash:
$$\mathrm{Rand} \leftarrow \mathrm{Hash}(\mathrm{Seed}_{in}), \quad \mathrm{Seed}_{out} \leftarrow (1 + \mathrm{Seed}_{in} + \mathrm{Rand}) \bmod 2^n$$
Key Generation. For the public key we apply the hash function $2^w - 1$ times to each $x_i$, i.e. we calculate $y_i = \mathrm{Hash}^{2^w - 1}(x_i)$ for $i = 1 \ldots t_w$. The verification key is then created out of the concatenation of the $y_i$-values:
$$Y = \mathrm{Hash}(y_1 \| \ldots \| y_{t_w})$$
Signature Generation. For generation of the signature of a message first of all the $n$-bit message digest of this message is created. The digest $md$ is then split into $\lceil n/w \rceil$ parts $md_1 \ldots md_{\lceil n/w \rceil}$, each with a length of $w$ (if necessary zeros are padded first). Then the checksum $C = \sum_{i=1}^{\lceil n/w \rceil} (2^w - md_i)$ is built. This checksum is also divided into blocks of length $w$, namely $md_{\lceil n/w \rceil + 1} \ldots md_{t_w}$. The final signature is created by concatenating the hash-values $s_i = \mathrm{Hash}^{md_i}(x_i)$ for $i = 1 \ldots t_w$. The signature is then
$$\mathrm{Sig} = (s_1 \| \ldots \| s_{t_w})$$
Verification. For verifying the message digest, the signature and the verification key are needed. First the values $md_i$ are computed in the same manner as in the signing process. Then $v_i = \mathrm{Hash}^{2^w - md_i - 1}(s_i)$ is generated. Now the vector $V = \mathrm{Hash}(v_1 \| \ldots \| v_{t_w})$ can be compared to the verification key. Each of the $x_i$ values should now have been hashed $2^w - 1$ times. The signature is declared to be verified if and only if $V = Y$. Example 1 explains a Winternitz OTS sample instance.
Without using the checksum an attacker could hash again some of the $s_i$ values. The result would be a valid signature which could not be verified by the original public key. Therefore the scheme would not be secure against known signature attacks leading to existential forgery. For this, the checksum is appended to the signature, so that every additional hash to one of the $s_i$ can be detected.
Example 1. Consider a 15 bit message digest to be signed: $md = 101100000010010$. Choose $w = 4$.
Key Generation
$$\mathrm{Prng} \Rightarrow X = (\underbrace{0101}_{x_1}\ \underbrace{1100}_{x_2}\ \underbrace{1010}_{x_3}\ \underbrace{1110}_{x_4}\ \underbrace{0011}_{x_5}\ \underbrace{1111}_{x_6}) \quad \text{(Private key)}$$
$$t_w = \lceil 15/4 \rceil + \lceil (\lfloor \log_2(\lceil 15/4 \rceil) \rfloor + 1 + 4)/4 \rceil = 4 + \lceil (2 + 1 + 4)/4 \rceil = 6$$
$\Rightarrow$ Public key: $Y = (\mathrm{Hash}^{15}(x_1), \ldots, \mathrm{Hash}^{15}(x_6))$
Signature Generation
$$md = \underbrace{0\,101}_{b_1}\ \underbrace{1000}_{b_2}\ \underbrace{0001}_{b_3}\ \underbrace{0010}_{b_4}$$
$$C = (10000 - 0101) + (10000 - 1000) + (10000 - 0001) + (10000 - 0010) = 1011 + 1000 + 1111 + 1110 = 110000$$
$$\Rightarrow b_5 = 00\,11 \text{ and } b_6 = 0000$$
$$\mathrm{Sig} = \mathrm{Hash}^{5}(x_1) \| \mathrm{Hash}^{8}(x_2) \| \mathrm{Hash}(x_3) \| \mathrm{Hash}^{2}(x_4) \| \mathrm{Hash}^{3}(x_5) \| x_6 = (s_1 \| \ldots \| s_6)$$
Verification ($b_i$ the same as above)
$$V = \mathrm{Hash}^{10}(s_1) \| \mathrm{Hash}^{7}(s_2) \| \mathrm{Hash}^{14}(s_3) \| \mathrm{Hash}^{13}(s_4) \| \mathrm{Hash}^{12}(s_5) \| \mathrm{Hash}^{15}(s_6) = \mathrm{Hash}^{15}(x_1) \| \ldots \| \mathrm{Hash}^{15}(x_6) \overset{!}{=} Y$$
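The Winternitz key generation, signing and verification steps of this section, carried through in Python as an added example (not code from the thesis or its FlexiProvider implementation). SHA-256 stands in for Hash, so $n = 256$; the function names and the constructed seed and digest are assumptions made here. The block also replays the block split of Example 1 and shows the checksum rejecting a signature whose first chain was hashed one step further.

```python
import hashlib

N = 256  # digest length n in bits; SHA-256 stands in for the generic Hash (assumption)

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def chain(x: bytes, k: int) -> bytes:
    """Hash^k(x): apply H to x exactly k times."""
    for _ in range(k):
        x = H(x)
    return x

def prng(seed_in: bytes):
    """Rand <- Hash(Seed_in); Seed_out <- (1 + Seed_in + Rand) mod 2^n."""
    rand = H(seed_in)
    total = 1 + int.from_bytes(seed_in, "big") + int.from_bytes(rand, "big")
    return (total % (1 << N)).to_bytes(N // 8, "big"), rand

def ceil_div(a: int, b: int) -> int:
    return -(-a // b)

def checksum_bits(n: int, w: int) -> int:
    """floor(log2(ceil(n/w))) + 1 + w, the bit length reserved for the checksum C."""
    return (ceil_div(n, w).bit_length() - 1) + 1 + w

def t_w(n: int, w: int) -> int:
    """Number of key components: ceil(n/w) digest blocks plus the checksum blocks."""
    return ceil_div(n, w) + ceil_div(checksum_bits(n, w), w)

def split(value: int, nbits: int, w: int):
    """Cut an nbits-wide integer into w-bit blocks, zero-padded on the left."""
    count = ceil_div(nbits, w)
    mask = (1 << w) - 1
    return [(value >> (w * (count - 1 - i))) & mask for i in range(count)]

def blocks(md: int, n: int, w: int):
    """md_1 .. md_{t_w}: digest blocks followed by the blocks of C = sum(2^w - md_i)."""
    digest_blocks = split(md, n, w)
    c = sum((1 << w) - b for b in digest_blocks)
    return digest_blocks + split(c, checksum_bits(n, w), w)

def keygen(seed: bytes, w: int):
    """Derive X = (x_1 .. x_{t_w}) from one seed via the Prng chain; return (X, Y)."""
    xs = []
    for _ in range(t_w(N, w)):
        seed, x = prng(seed)
        xs.append(x)
    ys = [chain(x, (1 << w) - 1) for x in xs]   # y_i = Hash^(2^w - 1)(x_i)
    return xs, H(b"".join(ys))                  # Y = Hash(y_1 || ... || y_{t_w})

def sign_digest(md: int, xs, w: int):
    """s_i = Hash^(md_i)(x_i) for every block, checksum blocks included."""
    return [chain(x, b) for x, b in zip(xs, blocks(md, N, w))]

def verify_digest(md: int, sig, Y: bytes, w: int) -> bool:
    """Finish every chain with 2^w - md_i - 1 more hashes and compare V with Y."""
    bs = blocks(md, N, w)
    if len(sig) != len(bs):
        return False
    vs = [chain(s, (1 << w) - 1 - b) for s, b in zip(sig, bs)]
    return H(b"".join(vs)) == Y

def digest(message: bytes) -> int:
    return int.from_bytes(H(message), "big")

def extend_first_chain(md: int, sig, w: int):
    """The case the checksum exists for: raise md_1 by one and hash s_1 once more.
    Assumes w divides n and md_1 < 2^w - 1. The digest chains still match y_i,
    but C shrinks, so a checksum chain would have to be walked backwards."""
    return md + (1 << (N - w)), [H(sig[0])] + list(sig[1:])

if __name__ == "__main__":
    w = 4
    # Example 1 of the text: 15-bit digest, w = 4
    print(t_w(15, w), blocks(0b101100000010010, 15, w))
    xs, Y = keygen(b"\x00" * 32, w)             # constructed seed, illustration only
    md = int("5a" * 32, 16)                     # constructed digest with md_1 = 5
    sig = sign_digest(md, xs, w)
    print("signature verifies:", verify_digest(md, sig, Y, w))
    md2, sig2 = extend_first_chain(md, sig, w)
    print("extended chain verifies:", verify_digest(md2, sig2, Y, w))
```
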
2.4 Merkle Trees
A problem which occurs by usage of one time signatures is well known from symmetric cryptography applications: the space needed to store all involved keys rises too fast. For every message a user A wants to send to another user B, a private key must be created for user A. Additionally, user B has to store one public key for every message.
Merkle's idea was to use a complete binary tree for verification of one time signatures. With this approach many signatures can be verified by one single public key. The storage needed for the verification key is extremely small (only one key has to be stored). Every one time signature scheme can be extended to a multi-time one by using such an authentication tree.
A complete binary tree of height $H$ consists of $2^H$ leaves and $2^H - 1$ inner nodes. The height of a leaf is defined to be 0, whereas the height of inner nodes denotes the length of a path down to a leaf. Thus, the root node has height $H$. The leaves are numbered consecutively from left to right, starting with 0. An example tree can be seen in Figure 1.
Figure 1: A complete binary tree of height $H = 2$. The values 0 . . . 4 are the leaf indices, $h$ denotes the nodes' height
Merkle trees were first introduced by Merkle in 1989 [4]. A Merkle tree is a complete binary tree equipped with a hash function Hash. The values $\Phi(n)$ of a leaf can be chosen arbitrarily, whereas the values of inner nodes are calculated by the following: for each inner node $n_{parent}$ the value $\Phi(n_{parent})$ is defined to be the hash of the concatenation of the left and right child nodes $n_{left}$ and $n_{right}$:
$$\Phi(n_{parent}) = \mathrm{Hash}(n_{left} \| n_{right})$$
By this construction the Merkle tree is completely determined by the leaf values. A sample tree is shown in Figure 2.
Figure 2: A Merkle tree with leaf values A, B, C, D
Merkle trees are used for authenticating the leaf data using the root value. For this purpose additional data is required, called the authentication data. For authenticating leaf $i$, on each height $h$ ($h = 0 \ldots H - 1$) one node value Auth$_h$ is stored, namely the sibling of the nodes on the path from leaf $i$ up to the root. An example for the authentication path is illustrated in Figure 3. For authenticating leaf $i$, one starts at the bottom of the tree. Using the leaf value and the authentication data on each height by concatenating and hashing the root value can be computed. If the original stored root value is identical to the newly calculated one, the leaf value is truly authenticated.
Figure 3: Authentication data of leaf ϕ. Hashing the concatenation of Auth$_0$ and $\Phi(\varphi)$ gives the upper node, continuing up the root finally gives the root value. The dashed nodes denote the authentication path for leaf ϕ. The arrows indicate the path from leaf ϕ to the root.
Besides digital signatures Merkle trees have been implemented for other useful applications like wireless security [15]. As authentication is the real purpose of the Merkle tree and not signature verification, lots of other applications are imaginable. However, this thesis will only focus on the application of digital signatures.
2.5 The Merkle Signature Scheme
2.5.1 MSS - Merkle Signature Scheme
The Merkle Signature Scheme (MSS) proposed in [4] consists of a one time signature scheme like the Winternitz OTSS and a Merkle tree. A Merkle tree of height $H$ can be used to authenticate $2^H$ OTS keys (one for each leaf of the tree). The leaf values of the tree are formed by the OTS public keys $Y_i$. More precisely the three signature steps are:
MSS Key Generation. The MSS private key is the set of OTS private keys $(Y_1, \ldots, Y_{2^H})$ which are computed as usual, depending on the used scheme (for the Winternitz scheme e.g. see section 2.3.1). The OTS public keys are hashed and stored as the tree's leaf values. By concatenating and hashing each two child nodes, the node labels of the tree can be computed from bottom up to the root. The root value of the tree forms the MSS public key for verification.
The key pair generation uses an algorithm called treehash (Algorithm 1) [16]. This algorithm is used to compute the root of a Merkle tree using a stack structure equipped with the usual push and pop operations¹. It consecutively computes the $2^H$ leaf values consisting of the OTS verification keys $Y_j$ from left to right and pushes them on the stack. When two nodes of the same height lie on the stack, they are concatenated and hashed to the next upper node. After complete $2^H$ leaf calculations and $2^H - 1$ hash evaluations, the root of the Merkle tree is the upper node on the stack. Figure 4 illustrates an example.
Algorithm 1 Treehash
Input: Leaf $l$, stack Stack
Output: updated stack Stack
1. push $l$ to Stack
2. while top two nodes of Stack have same height do
   (a) pop $n_1$ from Stack, pop $n_2$ from Stack
   (b) push $\mathrm{Hash}(n_1 \| n_2)$ to Stack
3. return Stack.
¹ A stack is a data structure using a 'first in - first out' strategy: push stores a node on top of the stack, pop delivers the top node of the stack.
Figure 4: Sample of the treehash algorithm: value 'D' is pushed on the stack. Then 'C' and 'D' are hashed to a height 1 node which is then again hashed with the bottom node to a height 2 node.
MSS Signature Generation. Complete $2^H$ signatures can be created using one Merkle Tree. For each new signature the next OTS key is used so that each OTS key is only used once. The MSS signature consists of the index ϕ that appoints which OTS key is used for the current signature. Furthermore the OTS signature, the OTS verification key $Y_\varphi$ and the authentication data of leaf ϕ are components of the MSS signature: $\mathrm{Sig}_{MSS} = (\varphi, \mathrm{Sig}_{OTS}, Y_\varphi, \{\mathrm{Auth}_\varphi\})$.
MSS Verification. The first step of verification is the control of the OTS signature using the key $Y_\varphi$. If this phase fails, the whole MSS signature is rejected as invalid. Otherwise the authentication of this key is necessary. This happens by calculating the root value of the tree using the value $Y_\varphi$ and the authentication data stored in the MSS signature. First $Y_\varphi$ is concatenated and hashed with Auth$_0$ on the lowest level, then the result is hashed again with Auth$_1$ and so on up to the root. If the thus computed root is equal to the public MSS key, the signature is considered to be valid.
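An added example (not the thesis' Java implementation) of the treehash key generation and the root recomputation described above: it computes the MSS public key with Algorithm 1, keeps the authentication data of one leaf ϕ as the nodes appear on the stack, and rebuilds the root from $Y_\varphi$ and Auth$_0$ … Auth$_{H-1}$. SHA-256 as Hash, the constructed byte strings standing in for OTS verification keys, and all function names are assumptions made here; the OTS signature check itself is left out.

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()   # stands in for the generic Hash (assumption)

def treehash(stack, leaf, on_node):
    """Algorithm 1. Nodes are (height, index_on_that_height, value) tuples;
    on_node is called for every node that lands on the stack."""
    stack.append(leaf)
    on_node(leaf)
    while len(stack) >= 2 and stack[-1][0] == stack[-2][0]:
        height, index, right = stack.pop()  # popped first: the right child
        _, _, left = stack.pop()            # popped second: its left sibling
        parent = (height + 1, index // 2, H(left + right))  # Phi = Hash(left || right)
        stack.append(parent)
        on_node(parent)
    return stack

def mss_keygen(ots_public_keys, phi):
    """Return (root, authentication data of leaf phi, peak stack size)."""
    count = len(ots_public_keys)
    tree_height = count.bit_length() - 1
    if count < 2 or count != 1 << tree_height:
        raise ValueError("need 2^H leaves with H >= 1")
    if not 0 <= phi < count:
        raise ValueError("leaf index out of range")
    auth, stack, peak = {}, [], [0]

    def on_node(node):
        height, index, value = node
        peak[0] = max(peak[0], len(stack))
        # Auth_h is the sibling of the height-h node on the path from leaf phi to the root.
        if height < tree_height and index == (phi >> height) ^ 1:
            auth[height] = value

    for i, y in enumerate(ots_public_keys):
        treehash(stack, (0, i, H(y)), on_node)   # leaf value = hashed OTS public key
    return stack[0][2], [auth[h] for h in range(tree_height)], peak[0]

def root_from_auth_path(y_phi: bytes, phi: int, auth) -> bytes:
    """Hash upwards from leaf phi; bit h of phi says whether the node is a right child."""
    node = H(y_phi)
    for height, sibling in enumerate(auth):
        if (phi >> height) & 1:
            node = H(sibling + node)
        else:
            node = H(node + sibling)
    return node

def authenticate(y_phi: bytes, phi: int, auth, root: bytes) -> bool:
    """Accept Y_phi only if the index fits the tree and the recomputed root matches."""
    if not 0 <= phi < (1 << len(auth)):
        return False   # phi + 2^H would walk the same path, so the range must be checked
    return root_from_auth_path(y_phi, phi, auth) == root

if __name__ == "__main__":
    # Constructed stand-ins for 2^3 OTS verification keys
    keys = [b"constructed OTS verification key %d" % i for i in range(8)]
    root, auth, peak = mss_keygen(keys, 5)
    print("public key:", root.hex())
    print("peak stack size:", peak)
    print("leaf 5 authenticates:", authenticate(keys[5], 5, auth, root))
    print("wrong key authenticates:", authenticate(b"other key", 5, auth, root))
```
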
Seed calculation. Every leaf of the Merkle tree requires a random value $\mathrm{Seed}_{OTS}$ for the generation of the $x_k$ values needed for generation of the Winternitz OTS keys. This random data is calculated using the Prng as described in section 2.3.1:
$$(\mathrm{Seed}_{\varphi+1}, \mathrm{Seed}_{OTS}) \leftarrow \mathrm{Prng}(\mathrm{Seed}_{\varphi}) \qquad (1)$$
$$(\mathrm{Seed}_{OTS}, x_k) \leftarrow \mathrm{Prng}(\mathrm{Seed}_{OTS}), \quad k = 1 \ldots t_{w_i} \qquad (2)$$
As input a random value $\mathrm{Seed}_0$ is required. Formula (1) generates the seeds needed for the leaves. Formula (2) delivers the random data $x_k$. This seed calculation can be seen as a lattice of seed values, as Figure 5 illustrates: the upper line shows the consecutive calculation of the $\mathrm{Seed}_{OTS}$ values, whereas the downside lines show the generation of the $x_k$ values.
Figure 5: Seed generation for a single Merkle tree. Each arrow indicates one call to the Prng.
With this construction of the seed values we get a value $\mathrm{Seed}_{2^H}$ as output of the seed calculation. This output will be used in GMSS later on. Here we conclude that for the generation of all private and public keys only one initial seed value is required.
Security Of MSS. The security of MSS was regarded in [6]. It can be proved that the Merkle signature scheme resists any adaptive chosen message attack if
1. a secure, that means collision resistant hash function exists and
2. the underlying one time signature scheme resists any forgery.
A chosen message attack is an attack where the adversary has the possibility to get a valid signature to every chosen message. He can use these message/signature pairs either to forge a signature or to break the private key. Adaptive in this concern means that the attacker's messages can be chosen dependent on further message/signature pairs. As Coronado shows in [6], this attack will fail if the above mentioned assumptions hold. The Merkle signature scheme can be constructed using an arbitrary hash function. So if a hash function should get insecure, it can be easily substituted by a secure one. The MSS remains secure.
2.5.2 GMSS - Generalized Merkle Signature Scheme
As mentioned above GMSS is an expansion of the Merkle signature scheme. GMSS stands for generalized Merkle signature scheme and was proposed in 2007 [7]. One instance of GMSS is CMSS, which was proposed in 2006 [5]. While MSS and CMSS have relatively large sized signatures, GMSS is designed to allow smaller signatures, and faster generation and verification. Additionally with GMSS it is possible to sign up to $2^{80}$ and even more messages, while with MSS this number is only applicable up to $2^{20}$. This attribute is helpful considering practical uses like web server applications, where big amounts of signatures are necessary. The parameterization of GMSS allows the choice of either fast runtime, small signatures or a trade-off between both depending on the application. This section introduces the main characteristics and gives an overview about GMSS. A more detailed description can be found in [7] and [17].
General Construction. The general GMSS construction is made up of a tree with height $T$. The nodes of this tree are again Merkle trees. Each of the Merkle trees on layer $i$ of the basic tree has height $h_i$ and is parent of $2^{h_i}$ Merkle trees on the layer $i + 1$. The Merkle trees are labeled $T_{i,j}$, where $i$ is the level in the basic tree and $j$ is the number of the node on height $i$, consecutively numbered from left to right with $0 \ldots 2^{h_1 + h_2 + \ldots + h_{i-1}} - 1$. The root tree is labeled $T_{1,0}$.
Again the Winternitz OTS scheme is used for the signatures in the Merkle trees. For each layer a different parameter $w_i$, $i = 1 \ldots T$, is allowed. GMSS is parameterized by the height of the basic tree, the heights of the trees on each layer and the Winternitz parameters. Altogether the parameter set $P$ of GMSS is

$$P = (T, (h_1, \ldots, h_T), (w_1, \ldots, w_T))$$

CMSS is the variant defined by the parameters $P = (2, (h, h), (w, w))$.
The root of each Merkle tree $T_{i,j}$ is labeled $\mathrm{Root}_{T_{i,j}}$. It gets signed with the OTS key of the corresponding parent leaf: the root of tree $T_{i,j}$ is signed using the signature key of a leaf of the parent tree on height $i - 1$. The signature of tree $T$'s root is called $\mathrm{Sig}_{T}$. To sign a message digest the signature keys of the Merkle trees on the deepest layer $T$ are used. These signatures are denoted with $\mathrm{Sig}_d$. Following this construction the number of message digests that can be signed is $2^{h_1 + h_2 + \ldots + h_T}$. The general construction of GMSS is illustrated in figure 6.
Figure 6: Basic construction of GMSS. Only the leaves on the lowest layer are used for GMSS signatures.
As on upper layers the leaves advance less frequently, the precomputation of these trees can be distributed over many steps. This property allows an improvement in signature generation time. It also allows the choice of higher parameters $w_i$ for the OTS scheme, which leads to a smaller signature size in total.
A GMSS signature. As known from MSS, for each signature there is a unique path from the leaf $\varphi$ up to the root. Here this path contains one Merkle tree on each layer. In addition to the one time signature of the message digest, the one time signatures of the root values of these trees are stored in the GMSS signature. Also the authentication data on the path, consisting of $\mathrm{Auth}_{T,l}$ for each tree $T$, is appended to the GMSS signature. Here $l$ is the index of the leaf of tree $T$ used for signing the root of the tree on the layer below. On the deepest layer the authentication data of the leaf used to sign the message digest is appended. An example of this process is depicted in figure 7.
In total the GMSS signature consists of the following:
• the index $\varphi$ of the leaf used
• the one time signature $\mathrm{Sig}_d$ of the document $d$ signed with the key corresponding to a leaf of the lowest layer
• the one time signatures $\mathrm{Sig}_{T_{i,j}}$ of the roots
• the authentication paths $\mathrm{Auth}_{T_{i,j}}$ of each tree on the path from the bottom leaf $\varphi$ to the GMSS root
Figure 7: Example of a GMSS signature
Seed calculation in GMSS. For every single Merkle tree of the GMSS construct the seed generation procedure described on page 25 is used. There an initial seed for every tree is needed. For every tree of the GMSS structure this is an initial seed value $\mathrm{Seed}_{in\,T_{i,j}}$. The $\mathrm{Seed}_{in}$ for the first tree in each layer ($\mathrm{Seed}_{in\,T_{i,0}}$) is required as input. The following $\mathrm{Seed}_{in}$ values are computed as the output of the last leaf of the previous tree:

$$(\mathrm{Seed}_{in\,T_{i,j+1}}, \mathrm{Seed}_{OTS}) \leftarrow \mathrm{Prng}(\mathrm{Seed}_{2^{h_i}})$$

Here $\mathrm{Seed}_{2^{h_i}}$ is the seed of the last leaf of tree $T_{i,j}$. Hence using one initial seed for each layer all required seed values can be constructed.
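The seed schedule of formulas (1) and (2) and its chaining across the trees of one GMSS layer can be traced in code. The following Python sketch is an added example, not code from the thesis: `prng` is a stand-in built from SHA-256 (the thesis uses the Prng of its section 2.3.1), all function and class names are hypothetical, and the next tree's initial seed is taken to be the value Seed_{2^h} that remains after the last leaf.

```python
from __future__ import annotations
import hashlib

def prng(seed: bytes) -> tuple[bytes, bytes]:
    """Stand-in Prng: one call maps a seed to (next seed, fresh output).

    Assumption: two domain-separated SHA-256 calls, not the thesis's Prng.
    """
    return (hashlib.sha256(b"next" + seed).digest(),
            hashlib.sha256(b"out" + seed).digest())

def leaf_secrets(seed_phi: bytes, t: int) -> tuple[bytes, list[bytes]]:
    """Formulas (1) and (2) for one leaf: returns Seed_{phi+1} and x_1..x_t."""
    seed_next, seed_ots = prng(seed_phi)      # formula (1)
    xs = []
    for _ in range(t):                        # formula (2), k = 1..t
        seed_ots, x_k = prng(seed_ots)
        xs.append(x_k)
    return seed_next, xs

def tree_seeds(seed_in: bytes, height: int) -> list[bytes]:
    """Top chain of Figure 5: Seed_0 .. Seed_{2^H} for one Merkle tree."""
    chain = [seed_in]
    for _ in range(2 ** height):
        chain.append(prng(chain[-1])[0])
    return chain

def layer_seed_in(seed_in_first: bytes, height: int, j: int) -> bytes:
    """Initial seed of tree T_{i,j}, derived from the seed of T_{i,0}."""
    seed = seed_in_first
    for _ in range(j):
        seed = tree_seeds(seed, height)[-1]   # output of the previous tree
    return seed

class EvolvingSigner:
    """Holds only the current Seed_phi; earlier seeds are overwritten."""
    def __init__(self, seed0: bytes, t: int):
        self.seed, self.t, self.phi = seed0, t, 0

    def next_ots_key(self) -> tuple[int, list[bytes]]:
        """Return (leaf index, OTS secret values) and advance the seed."""
        self.seed, xs = leaf_secrets(self.seed, self.t)
        self.phi += 1
        return self.phi - 1, xs
```

Because `EvolvingSigner` overwrites its seed on every call, a copy of its state taken after leaf φ yields only the keys of later leaves, provided the Prng is one-way.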
GMSS Key Generation. This phase uses the initial seed values for constructing the public and private keys needed for GMSS. The GMSS public key is the root of the top Merkle tree: $\mathrm{Root}_{T_{1,0}}$. The private key is built by the following:
• $\mathrm{Seed}_{in\,T_{i,0}}$, $i = 1 \ldots T$
• $\mathrm{Seed}_{in\,T_{i,2}}$, $i = 2 \ldots T$
• $\mathrm{Sig}_{T_{i,0}}$, $i = 2 \ldots T$
• $\mathrm{Root}_{T_{i,1}}$, $i = 2 \ldots T$
• $\mathrm{Auth}_{T_{i,0},0}$, $i = 1 \ldots T$
• $\mathrm{Auth}_{T_{i,1},0}$, $i = 2 \ldots T$
Using the treehash algorithm (Algorithm 1) the root values of the first Merkle tree on each layer $T_{i,0}$ (including the GMSS public key $\mathrm{Root}_{T_{1,0}}$) are built. For this the initial seed values $\mathrm{Seed}_{in\,T_{i,0}}$ are needed. While calculating these roots the authentication data of the first tree $\mathrm{Auth}_{T_{i,0},0}$ of each layer can be stored, so that the Auth values for these trees are obtained for free. The initial seeds for the second trees are now available. In the same way as above, the root values of the second trees $\mathrm{Root}_{T_{i,1}}$ and the corresponding authentication data $\mathrm{Auth}_{T_{i,1},0}$ are generated with Algorithm 1. After this the initial seed value for the third tree of each layer, $\mathrm{Seed}_{in\,T_{i,2}}$, is ready and can be stored in the private key. The signatures $\mathrm{Sig}_{T_{i,0}}$ are the one time signatures of the root values already known.
Figure 8: Example GMSS keys. The private key consists of the authentication path for the first leaf of the first two trees on each layer, the $\mathrm{Seed}_{in}$ for the first and the third tree on each layer, the root signatures Sig of the first trees and the root values Root of the second trees. The public key is the uppermost root value $\mathrm{Root}_{T_{1,0}}$.
This private GMSS key is the key for the first signature. Having created this signature, the key is updated and so changes for every new signature. Therefore the GMSS scheme is called a key evolving signature scheme [18]. As the private signing key changes (evolves) frequently, this leads to a special security feature of GMSS, so-called forward security. Even if an adversary compromises the current signing key, it is impossible to forge signatures belonging to former signing keys. Using the introduced seed scheduling, MSS does contain this security feature as well [6].
GMSS Signature Generation. The signature generation is divided into an online and an offline part. Such a separated framework is described in [19]. The offline part can be seen as preparation of the next online part. This online part cannot be done until the message is known. It is a fast process, so that the signature can be generated rapidly when the offline part has already been done. The offline part belonging to the first signature was done during the key generation phase. Later, during the offline phase, the private key has to be updated (as mentioned above, key evolving scheme). The online part only consists of the generation of the signature. All parts needed for this signature were created and provided by the previous offline part. A detailed description of both phases can be found in [7, 17].
The offline part distributes the computation of the needed Root, leaf and Sig values, so that the time spent for each signature does not differ too much. If a Root or a Sig value is computed at once, the current round lasts longer than previous rounds where no such time expensive operations were done. Therefore the computation of those values is distributed over the calculation of the leaves of the underlying layer, i.e. over $2^{h_{i+1}}$ steps. Figure 9 illustrates the precomputation of those values.
Figure 9: While advancing a leaf in tree $T_{i,j}$, the values $\mathrm{Sig}_{T_{i,j+1}}$ and $\mathrm{Root}_{T_{i,j+2}}$ are updated, so that the computation of those values is distributed over all $2^{h_i}$ steps of tree $T_{i,j}$. While doing one step in $T_{i+1,j}$ the leaf of tree $T_{i,j+2}$ is partly computed.
GMSS Verification. The GMSS verification is nearly the same as in the original Merkle scheme. The first part is the verification of the one time signature of the original data. If this already fails, the verification can be stopped. Next the authentication starts with the tree on the lowest layer. Using the corresponding authentication data the root value of all trees can be calculated. The one time signatures of the roots are compared to the values Sig in the signature. If one of these signatures cannot be verified successfully, the GMSS verification likewise fails with a negative result. Ending up at the root $\mathrm{Root}_{T_{1,0}}$ of the GMSS construction, this can be compared to the GMSS public key. Only if this comparison is successful is the whole signature accepted.
Needed Storage. Following [7] the size of the keys and the signature is:

$$m_{pubkey} = n \text{ bits}$$

$$m_{privkey} = \left( \sum_{i=1}^{T} (h_i + 1) + \sum_{i=2}^{T} (h_i + t_{w_{i-1}} + 2) \right) \cdot n \text{ bits}$$

$$m_{signature} = \sum_{i=1}^{T} (h_i + t_{w_i}) \cdot n \text{ bits}$$

The variable $n$ again denotes the length of the output of the hash function Hash. The public key is only one single hash value, that's why its bit length is $n$. The size of the private key and the signature can easily be derived from the listings above.
In practice these numbers will not hold. Some additional data has to be stored, for example the parameters $P$ must be added to the public key as they are needed for the verification process. So these numbers are more theoretical, but they give an idea of the overall sizes of signatures and keys. A comparison of the needed storage capacity can be found in section 6.
3.1 Overview
The Merkle tree traversal problem is the challenge of computing the authentication paths of consecutive leaves of one single Merkle tree. This is one of the most crucial steps in the Merkle signature scheme and its derivatives. Today MSS and its descendants are not often used in practice, because they are too slow or the signature size is too big. Better traversal techniques may speed up the signature generation (as well as better implementations like GMSS shall make the system more useful for practical considerations). As consecutive leaves mostly share a lot of authentication nodes, only the changes have to be computed from one leaf to the following. Good scheduling algorithms use this fact to speed up the computation of new authentication data.
With digital signatures a tree traversal algorithm for authentication data consists of three phases: key generation, output and verification.
During the key generation phase the root of the Merkle tree is constructed and the first authentication path is stored. Some additional authentication data can be stored and used as input for the traversal algorithm as well.
The output phase consists of $2^H$ rounds. In each round the leaf value $\Phi(\varphi)$ and the authentication data $\{\mathrm{Auth}_h\}$ of leaf $\varphi$ is output and then updated for the next round. This is the main part, requiring good scheduling ideas.
The verification phase is always the same as for the original Merkle tree.
In his original paper Merkle introduced a simple traversal algorithm [4]. Jakobsson et al. proposed an algorithm using subtrees in [20]. This algorithm allows a trade-off between storage and computation time. It needs a maximum of $2H / \log(H)$ hash function evaluations and maximum storage of $1.5H^2 / \log(H)$ hash values per round. An implementation of the Merkle signature scheme using Jakobsson's ideas can be found in [21].
Szydlo presented a log-time and log-space algorithm in [22] and a slightly different version in a preprint in [16]. An algorithm is called logarithmic if its time per round, respectively the maximum memory capacity needed, is logarithmic in the total number of signatures $N$. He also proves that these bounds are optimal for the authentication path computation, i.e. that it is not possible to create an algorithm that in both time and space complexity is better than $O(\log N)$. Other work considering authentication path computation can be found in [23]. The new algorithm presented in this thesis is an improvement of Szydlo's algorithms. For this reason the outline of this section is the introduction of Szydlo's traversal algorithm (the more efficient preprint version of [16], not the simpler, published version of [22]). The description of Merkle's classical algorithm leads to Szydlo's improved algorithm version (Algorithm 2). Finally some drawbacks of Szydlo's algorithm are presented to motivate the improved algorithm presented in the main part of this thesis.
3.1.1 Notation
For authentication data the notation already known is used: $\mathrm{Auth}_h$ is the height $h$ sibling on the path from the current leaf $\varphi$ to the root. Further on, for each level $h$ of the tree one instance of the treehash algorithm (Algorithm 1) called $\mathrm{Stack}_h$ is used. For practical considerations two methods initialize() and update() exist for these instances. The first method only sets the start node index and the desired height of the instance. The update() method either computes a node and pushes it on the stack or it once hashes the stack's top nodes if possible (if the top nodes have the same height). Temporarily stored nodes on a stack are called tail nodes. If $\mathrm{Stack}_h$ is completed, the top node is stored in an array $\mathrm{Need}_h$. There all upcoming right nodes are stored until they are needed for an authentication path.
Some computed nodes are later on again helpful for speeding up the computation of higher left nodes. For each height $h$ at most one such additional node can be kept. For this the set $\mathrm{Keep}_h$ is used. The height of the tree is denoted $H$, hence the number of nodes is $N = 2^H$, numbered from $0$ to $N - 1$ from left to right. All papers [4, 16, 20, 22, 23] do not consider the complexity of the calculation of one leaf. They use an oracle $\mathrm{Leafcalc}(\varphi)$ which computes the leaf value $\Phi(\varphi)$. The call of this oracle is counted as one computation unit for the complexity analysis, as well as hash function evaluations are counted one unit each.
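A treehash instance with the two methods described above can be written as follows. This Python sketch is an added example based on the textual description of initialize() and update(), not the thesis's Algorithm 1 or its Java implementation; SHA-256, the `leafcalc` stand-in for the Leafcalc oracle and the counters `units` and `max_tail` are assumptions.

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leafcalc(phi: int) -> bytes:
    """Stand-in for the Leafcalc oracle: hash of a constructed label."""
    return H(b"constructed leaf %d" % phi)

class Treehash:
    """One Stack_h instance: computes a height-h node from 2^h leaves."""
    def initialize(self, start_leaf: int, height: int):
        self.next_leaf, self.height = start_leaf, height
        self.stack = []        # tail nodes as (height, value)
        self.units = 0         # leaf and hash computations spent so far
        self.max_tail = 0      # largest number of tail nodes held at once

    def completed(self) -> bool:
        return len(self.stack) == 1 and self.stack[0][0] == self.height

    def update(self):
        """Spend one unit: merge two equal-height tops, else add a leaf."""
        if self.completed():
            return
        if len(self.stack) >= 2 and self.stack[-1][0] == self.stack[-2][0]:
            (h, right), (_, left) = self.stack.pop(), self.stack.pop()
            self.stack.append((h + 1, H(left + right)))
        else:
            self.stack.append((0, leafcalc(self.next_leaf)))
            self.next_leaf += 1
        self.units += 1
        self.max_tail = max(self.max_tail, len(self.stack))

def node(height: int, index: int) -> bytes:
    """Reference value of node `index` on `height`, computed recursively."""
    if height == 0:
        return leafcalc(index)
    return H(node(height - 1, 2 * index) + node(height - 1, 2 * index + 1))

def run_to_completion(start_leaf: int, height: int) -> Treehash:
    inst = Treehash()
    inst.initialize(start_leaf, height)
    while not inst.completed():
        inst.update()
    return inst
```

Computing a height-h node this way costs 2^(h+1) − 1 units and never holds more than h + 1 tail nodes per instance.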
3.2 Szydlo's Algorithm
3.2.1 Motivation
The classical algorithm introduced by Merkle in his original paper distinguishes between computation of left and right authentication nodes. It uses one treehash instance for each height, as described above. Using these, new upcoming right authentication nodes are precomputed, so that they are ready when they are needed for Auth values. In each round $\varphi \in [0 \ldots 2^H - 1]$ every treehash instance gets one update, if it was not already completed. This leads to the following problem: in the worst case all $H$ treehash instances are active at the same time. So the maximum number of required space units is $0.5(\log(N))^2$. Szydlo's idea was to change the scheduling strategy for the treehash instances to save memory.
The generation of left nodes is quite easy, because their child nodes have already been computed. Saving those child nodes, only one hash operation is required for computation of a left authentication node.
As Merkle did in his original algorithm, Szydlo distinguishes between the computation of left and right authentication nodes. The computation of left nodes is quite the same as in Merkle's paper.
3.2.2 The Algorithm
As input Algorithm 2 needs the authentication path of the first leaf of the Merkle tree. These values $\{\mathrm{Auth}_h, h = 0 \ldots H\}$ can be stored during the key generation phase when computing the root of the tree. So the first authentication path is obtained for free. In every round of Szydlo's authentication path algorithm the same steps are executed: