
Department of Computer Science

Cryptography and Computeralgebra

Diploma Thesis

Improved Authentication Path Computation For Merkle Trees

Michael Schneider

Darmstadt University of Technology

Department of Mathematics

March 2008

Supervisor: Prof. Dr. Johannes Buchmann

Erik Dahmen

1 Introduction
1.1 Outline
1.2 About This Thesis
2 Background
2.1 Digital Signatures
2.2 Hash Functions
2.3 One Time Signatures
2.3.1 The Winternitz One Time Signature Scheme
2.4 Merkle Trees
2.5 The Merkle Signature Scheme
2.5.1 MSS - Merkle Signature Scheme
2.5.2 GMSS - Generalized Merkle Signature Scheme
3 Common Traversal Algorithms
3.1 Overview
3.1.1 Notation
3.2 Szydlo's Algorithm
3.2.1 Motivation
3.2.2 The Algorithm
3.3 Drawbacks of Former Algorithms
4 A New Authentication Path Algorithm
4.1 Notation
4.1.1 Treehash Stacks
4.2 Algorithm Description
4.2.1 Initialization
4.2.2 Authentication Path Computation
4.3 Correctness of the Algorithm
4.4 Computational Bounds
4.5 Storage Efficiency
4.6 Computing Leaves using a PRNG
4.7 Comparison of Theoretical Bounds
5 Java Implementation
5.1 Overview
5.2 Distributed Node Computation
5.3 Implementation of the Authentication Path Algorithm
6 Results
6.1 Comparison: Authentication Path Algorithm
6.2 Comparison: GMSS
7 Conclusion and Further Work
References
B Code Examples
C ASN.1 Encoding
D Object Identifiers

List of Abbreviations

RSA         Cypher and Signature Algorithm of Rivest, Shamir and Adleman
DSA         Digital Signature Algorithm
ECDSA       Elliptic Curve Digital Signature Algorithm
PQC         Post Quantum Cryptography
MD5         Message Digest Algorithm 5
SHA         Secure Hash Algorithm
MAC         Message Authentication Code
DL problem  Discrete Logarithm problem
OTS         One Time Signature
OTSS        One Time Signature Scheme
PRNG        Pseudo Random Number Generator
MSS         Merkle Signature Scheme
CMSS        Coronado Merkle Signature Scheme
GMSS        Generalized Merkle Signature Scheme
JCA         Java Cryptography Architecture
JCE         Java Cryptography Extension
API         Application Programming Interface

List of Figures

1 A complete binary tree of height $H = 2$. The values $0 \ldots 4$ are the leaf indices, $h$ denotes the nodes' height.

2 A Merkle tree with leaf values $A, B, C, D$.

3 Authentication data of leaf $\varphi$. Hashing the concatenation of $\mathrm{Auth}_0$ and $\Phi(\varphi)$ gives the upper node, continuing up the root finally gives the root value. The dashed nodes denote the authentication path for leaf $\varphi$. The arrows indicate the path from leaf $\varphi$ to the root.

4 Sample of the treehash algorithm: value 'D' is pushed on the stack. Then 'C' and 'D' are hashed to a height 1 node which is then again hashed with the bottom node to a height 2 node.

5 Seed generation for a single Merkle tree. Each array indicates one call to the Prng.

6 Basic construction of GMSS. Only the leaves on the lowest layer are used for GMSS signatures.

7 Example of a GMSS signature.

8 Example GMSS keys. The private key consists of the authentication path for the first leaf of the first two trees on each layer, the $\mathrm{Seed}_{in}$ for the first and the third tree on each layer, the root signatures Sig of the first trees and the root values Root of the second trees. The public key is the uppermost root value $\mathrm{Root}_{T_{1,0}}$.

9 While advancing a leaf in tree $T_{i,j}$, the values $\mathrm{Sig}_{T_{i,j+1}}$ and $\mathrm{Root}_{T_{i,j+2}}$ are updated, so that the computation of those values is distributed over all $2^{h_i}$ steps of tree $T_{i,j}$. While doing one step in $T_{i+1,j}$ the leaf of tree $T_{i,j+2}$ is partly computed.

10 Left node computation: A Merkle tree of height $4$ in rounds $\varphi = 3$ and $\varphi = 4$. In the upper tree the height of the first parent of leaf $\varphi$ that is a left node is $\tau = 2$. The lower figure shows the authentication data of leaf $\varphi = 4$. All lower authentication nodes ($\mathrm{Auth}_0$ and $\mathrm{Auth}_1$) are pushed from the stacks and reset in round $\varphi = 3$.

11 Values of the initialization, $H = 5, K = 3$. The dashed nodes are authentication nodes, the black ones are stored in treehash, the grey nodes are kept in retain stacks.

12 In round $\varphi$ the node $\mathrm{Auth}_\tau$ is stored in $\mathrm{Keep}_\tau$. This node is needed in round $\varphi + 2^\tau$ for the computation of its parent node, which is part of the dashed authentication path computed in round $\varphi + 2^\tau$.

13 In round $\varphi$ the node $\mathrm{Auth}_2$ is popped from $\mathrm{Treehash}_2$. This instance is then initialized anew with start index $\varphi + 1 + 3 \cdot 2^2$ and computes the declared right node on height 2. This node is needed in round $\varphi + 2^3$.

14 While advancing a leaf in tree $T_{i+1,j}$, the next leaf of tree $T_{i,j}$ is partly computed.

15 Suppose $(H - K)/2 = 4$, so that the four dark leaves of the upper tree are required for treehash updates. They are computed while advancing leaves in the lower tree.

16 Number of hashes needed for right nodes per round while advancing one Merkle tree. On the x-axis the single rounds are assigned (tree height $H = 5 \Rightarrow 2^5 = 32$ rounds), the y-axis shows the number of needed hash function evaluations.

17 Number of hashes per round. The upper graph shows the result of Algorithm 3, the lower graph belongs to Szydlo's algorithm ($H = 10 \Rightarrow 1024$ rounds).

18 Time needed for signing with GMSS. The red line shows the timings using the new GMSS implementation, the blue line belongs to the old implementation. The used parameter set is $P = (4, (4, 4, 4, 4), (8, 8, 8, 3))$, $K$ is set $2$ on each layer.

List of Tables

1 Number of Leafcalc operations

2 Total number of node stored in Retain ($2^K - K - 1$).

3 Comparison of complexity bounds. In concern of computation time, Algorithm 3 distinguishes between hash function evaluations (first row) and leaf calculations (second row)

4 Statistic data of the number of hashes required per round

5 Comparison of the number of hashes required in the worst case.

6 Measured values for the new GMSS implementation

7 Measured values for the old GMSS implementation, from [17]

8 Results of the new GMSS implementation: time and memory requirements of selected parameter sets. For the average timings, in each case the mean value of the first $2^{12}$ signatures were considered.

9 Object Identifiers for GMSS

1.1 Outline

Digital signatures are one of the most popular applications of cryptographical techniques, besides encryption. The concern is to allow identification, authentication, integrity, and liability in electronic applications. Digital signatures are used for secure interaction over the internet by signing emails or protecting web browser communications by SSL/TLS. They are necessary for procedures like digital voting or bureaucratic solutions over the internet.

Today digital signatures are mostly implemented using asymmetric, also called public key cryptography. Famous examples are the RSA, ECDSA, or DSA signature schemes. In the majority of cases the security of these methods is based on mathematical, number theoretical assumptions, like the factoring of big numbers or the discrete logarithm problem. Today all of these algorithms and schemes can be considered as sufficiently secure. However, new algorithms already exist to solve these number theoretical problems on quantum computers [1, 2]. The established signature algorithms can be used without worries, as long as no practically useable quantum computers exist. But additionally, new techniques must be found to be prepared for the case of working quantum computers. This field of work is called post quantum computing (PQC). Another weakness of the established techniques is the increasing key size. Because today's computers performance develops rapidly, the key size of the used public key schemes must be raised to assure security [3]. This procedure of rising key lengths ends, if algorithms independent of number theoretical assumptions are found.

An alternative way is to use so called one time signatures (OTS). These signature schemes are considered to be secure also on quantum computers. Their security relies on the security of hash functions. A hash function is a mathematical function which is easy to compute but hard to invert. While the keys of a usual signature algorithm can be used more often, the keys of a one time signature must not be used more than once. Otherwise the security of the signature scheme would be reduced, as an OTS signature reveals parts of the security of the scheme. The problem with one time signatures is that the number of keys that have to be stored and delivered increases enormously. This is a well known problem by symmetric cryptography. To solve this key management problem, Merkle proposed his idea of using binary trees for authentication of big amounts of OTS public keys in 1989 [4]. Using this new idea, it is possible to authenticate up to $2^{20}$ (and even more) OTS private keys with one single public key. This leads to efficiency in storage concerns, as only one key has to be permanently stored instead of many. Merkle's idea offered the possibility to create a multi-time signature scheme, called Merkle signature scheme (MSS), based on any one time signature scheme. Extending this idea of MSS some extensions and advancements were proposed: CMSS [5, 6] and GMSS [7], which is a generalization of CMSS. The advantage of GMSS (Generalized Merkle signature scheme) compared to the original Merkle scheme is the smaller size of the signatures and a better scheduling of the signature generation. Furthermore the GMSS scheme is parameterized. This feature allows to customize the scheme for different applications, like usage on smartcards or comparable low computation devices where low storage space plays an important role. One important part of the Merkle signature scheme is the traversal of the authentication tree. Whereas simple traversal algorithms arrest the signature generation, a fast traversal algorithm enhances the whole scheme. Thus it is important to develop good authentication path algorithms.

1.2 About This Thesis

The subject of this thesis is the introduction of a new traversal algorithm for Merkle trees and the integration of this algorithm in GMSS, including an implementation in Java for the FlexiProvider. Section 2 gives the background information needed, while section 3 describes former known traversal algorithms. In section 4 the new traversal algorithm is introduced. Correctness and efficiency proofs complete this section. The Java implementation for the FlexiProvider is considered in section 5. In section 6 the comparison of GMSS using the new authentication path algorithm with other established signature algorithms is drawn. Section 7 finally gives a conclusion of the thesis.

The reader of this thesis is supposed to be familiar with fundamental mathematical notations of cryptographic considerations like signing or encryption functions, as well as simple mathematical principles like geometric series. Understanding of basic complexity theoretical ideas (like the $O$-notation) and algorithm notation might also be necessary to understand the main parts of this thesis.

This section informs about the basic mathematical and cryptographical principles and techniques needed for the considered applications. First an introduction of digital signatures is given. Then the principles of hash functions and one time signatures are explained, followed by an example one time signature scheme, the Winternitz OTS scheme, which will be used for the implementation of the new algorithm. After that the idea of Merkle trees and the Merkle signatures are illustrated. Finally, a short explanation of the GMSS extension is given.

2.1 Digital Signatures

The purpose of a digital signature is to offer special security purposes like identification, authentication, integrity or liability. It can, in some parts, be compared to a handwritten signature: only one person can create its own signature, every forgery can be determined. One big difference is that the digital exponent is a mathematical function of the message. If the document changes, the signature changes as well. The digital signature could otherwise be moved from one document to another, as all digital data can be easily copied.

Not only documents are signed digitally. Digital signatures are also used for package transport security in transport protocols. In principle every kind of digital data can be signed. In most applications not the data or document itself is signed but a message digest of it. That is a kind of fingerprint of the data. The principles of message digests are explained in section 2.2.

Digital signatures are always based on asymmetric cryptography. Such a system was first introduced by Diffie and Hellman in 1976 [8], which was one of the greatest advances in modern cryptology. For such a digital signature, two different types of keys are needed: a private key for signature generation and a public key for verification. The private key in this purpose is also called the signing key and the public key is also called the verification key. As one could guess from the name, the private key has to be kept secret, whereas the public key can be spread widely. Everyone knowing this public key can verify the signature, but only the owner of the private key is able to create one. For one time signature schemes, these keys are generated newly for every signature. In contrast, for multi-time signature schemes both keys are used for bigger amounts of signatures. Some of the commonly used signature algorithms are also used for encryption (like RSA), whereas some of the systems are only applicable to signatures (like DSA and ECDSA). Some attributes of a digital signature scheme are:

Authenticity: Everyone should be able to control that the signer really is the originator of a signature. This is possible because everyone can use the public verification key. Nobody else shall be able to sign a document in the signers name. For this purpose the private signing key must be kept secret.

Non-Repudiation: This property means that the signer can not successfully deny the fact of having signed a document. Everyone possessing the signature and the original document can prove that the signature was really created with the signer's private key.

Since a signature is also a function of the private key and no one besides the signer knows this signing key, then nobody is able to construct signatures which can be verified by the corresponding public key. The signer can never deny having signed a message if a verifiable signature exists.

When the liability has to be proved, a third person (for example a court) has to control if a signature really belongs to the person it should. The non-reusability property of a signature in this concern means that this action can be performed without revealing the private key, so that it can be used again by the user.

Integrity: If a document changes or is manipulated, the signature of the original document (a contract for example) will not match this forged document and will be refused. Therefore changes in data can be proved using digital signatures.

Mathematically, digital signatures are based on one-way functions with trapdoor. A one-way function is a mathematical function which is easy to compute in one direction. However to compute the inversion of the function is hard. If $y = f(x)$ (with a one-way function $f$) it is easy to compute $y$ given $x$ and $f$, but it is hard to get $x$, if only $y$ and $f$ are known. A trapdoor means a secret (e.g. a secret number) which allows to apply the inverse function easily by knowing the secret. In a signature scheme the private key can be considered as the trapdoor. Creation of the signature is the inverse function, which is hard or impossible to compute when the signing key is unknown. When it is said that a function is hard to invert it is meant in today's context: it is possible that in a few years (when the performance of computers has raised furthermore or even quantum computers exist) today's one-way functions will be invertible without problems.

A digital signature scheme consists of three parts: a key generation algorithm, the signature construction, and the verification phase. As the name implies, the first part serves for the creation of the private and the public key. The second part is the use of the private signing key for creating the signature of a message. Finally, using the public key and the original message the authenticity of the signature is revised. The individual phases will be described later in the introduction of particular signature schemes.

2.2 Hash Functions

Most of the known multi-signature schemes are based on mathematical assumptions like factoring of big numbers or the discrete logarithm problem. However, one time signatures are mostly based on cryptographic hash functions. For this reason, those message digest principles are illustrated in this section.

A hash function maps any kind of digital data to a shorter, random looking sequence of numbers called the hash value or message digest of the data, which can be seen as kind of a 'fingerprint.' It is mostly represented by a hexadecimal depiction. As an example, the hexadecimal depiction of the 160 bit long SHA1 hash value of the string 'Improved Authentication Path Computation' is

fa072597154f81ba39b841f265acc8fa2d47d937

Changing only one letter in the original data will change the whole message digest: the SHA1-hash of 'improved Authentication Path Computation' is

70e053246a5e9f591bcae5b47173295899e62cba

More mathematically, a hash function can be denoted as the following:

$$\mathrm{Hash} : X = \{0,1\}^* \to Y = \{0,1\}^n$$

where the domain $X$ includes all bit strings with arbitrary length and the codomain $Y$ consists of all $n$ bit strings. An important attribute of a hash function is its ability to only go one way. This means that it is not possible to generate the original data out of its hash value. A hash function can be considered secure if it assures the following assumptions:

pre-image resistance
Given the hash function Hash and a value $y$, it is not possible to find an $x$ with $\mathrm{Hash}(x) = y$.

second-pre-image resistance
Given Hash and $x$, it is not possible to find an $x'$ (with $x \neq x'$) and $\mathrm{Hash}(x) = \mathrm{Hash}(x')$.

collision resistance
Given Hash, it is not possible to find $x, x'$ (with $x \neq x'$) and $\mathrm{Hash}(x) = \mathrm{Hash}(x')$. As the size of the co-domain $Y$ is smaller than the domain size it is clear that there are collisions between different messages out of $X$. Collision resistance means the impossibility of finding such a collision with non random probability.

In [6] Coronado shows that, for the security of the Merkle signature scheme, one-way-ness and collision resistance of the integrated hash function are sufficient.

Hash functions have different applications in cryptography. They are used for fingerprinting or message authentication codes (MAC) to securely identify data. In most signature algorithms, the message is hashed before it is signed, so that the security increases. For example, without application of a hash function to the message the RSA scheme is not secure against chosen message attacks [9]. Most famous representatives of hash functions are the SHA-family [10] and the Message Digest Algorithm 5 (MD5) [11].

In this thesis $\mathrm{Hash} : \{0,1\}^* \to \{0,1\}^n$ is always an arbitrary hash function. The consecutive application of this function is denoted with superscript numbers: $\mathrm{Hash}^2(m)$ stands for $\mathrm{Hash}(\mathrm{Hash}(m))$.

2.3 One Time Signatures

As mentioned in the introduction, one time signature (OTS) schemes are special kinds of signature algorithms where the signing key must not be used more than once, as every further use of these keys would reveal information which could weaken the security of the signature. Most OTS schemes are based on hash functions [12]. The security does not rely on mathematical problems, but only on the security of the hash function. As mentioned above this is dependent on properties like collision resistance. The security of most algorithms used today for multi-time signatures can only be increased by raising the length of the used keys. In the last 20 years, the key lengths of algorithms like RSA or ECDSA have been constantly increasing [3]. Furthermore if large scale quantum computers exist, the search for collisions of hash functions is hard, whereas the underlying problems of ECDSA and RSA can be computed in linear time. These schemes can be broken on quantum computers, while one time signature schemes based on hash functions remain secure.

As the computation of hash functions is fast, one time signatures are very efficient. Their application is possible on low computation complexity devices like smartcards.

2.3.1 The Winternitz One Time Signature Scheme

In this thesis, as in the actual GMSS, the Winternitz One Time Signature Scheme is used [4][12]. The usage of other one time signature schemes like the BiBa scheme [13] would be possible as well. The Winternitz scheme uses a parameter $w$, which is typically chosen a small power of two. This parameter $w$ allows a trade-off between generation cost and signature size. It defines the bit length of the single parts of the private key, whereas $t_w$ is the count of components. With $n$ as length of a hash, we define

$$t_w = \left\lceil n/w \right\rceil + \left\lceil \frac{\lfloor \log_2(\lceil n/w \rceil) \rfloor + 1 + w}{w} \right\rceil$$

The private signature key is $X = (x_1, \ldots, x_{t_w})$, where $x_1 \ldots x_{t_w}$ are random values. For the generation of random data, a pseudo random number generator (Prng) is used:

$$\mathrm{Prng} : \{0,1\}^n \mapsto \{0,1\}^n \times \{0,1\}^n : \mathrm{Seed}_{in} \mapsto (\mathrm{Seed}_{out}, \mathrm{Rand})$$

It uses a value $\mathrm{Seed}_{in}$ to generate two random looking values $\mathrm{Seed}_{out}$ and Rand. If $\mathrm{Seed}_{out}$ is again used as input for the same Prng we get a chain of values $\mathrm{Rand}_i$ which can always be reproduced by knowledge of only the first $\mathrm{Seed}_{in}$. In this thesis the used Prng is always the one described in the Digital Signature Standard (Appendix 3.1) [14] which requires only one call to a hash function Hash:

$$\mathrm{Rand} \leftarrow \mathrm{Hash}(\mathrm{Seed}_{in}), \qquad \mathrm{Seed}_{out} \leftarrow (1 + \mathrm{Seed}_{in} + \mathrm{Rand}) \bmod 2^n$$

Key Generation. For the public key we apply the hash function $2^w - 1$ times to each $x_i$, i.e. we calculate $y_i = \mathrm{Hash}^{2^w - 1}(x_i)$ for $i = 1 \ldots t_w$. The verification key is then created out of the concatenation of the $y_i$-values:

$$Y = \mathrm{Hash}(y_1 \| \ldots \| y_{t_w})$$

Signature Generation. For generation of the signature of a message first of all the $n$-bit message digest of this message is created. The digest $md$ is then split into $\lceil n/w \rceil$ parts $md_1 \ldots md_{\lceil n/w \rceil}$, each with a length of $w$ (if necessary zeros are padded first). Then the checksum $C = \sum_{i=1}^{\lceil n/w \rceil} (2^w - md_i)$ is built. This checksum is also divided into blocks of length $w$, namely $md_{\lceil n/w \rceil + 1} \ldots md_{t_w}$. The final signature is created by concatenating the hash-values $s_i = \mathrm{Hash}^{md_i}(x_i)$ for $i = 1 \ldots t_w$. The signature is then

$$\mathrm{Sig} = (s_1 \| \ldots \| s_{t_w})$$

Verification. For verifying the message digest, the signature and the verification key are needed. First the values $md_i$ are computed in the same manner as in the signing process. Then $v_i = \mathrm{Hash}^{2^w - md_i - 1}(s_i)$ is generated. Now the vector $V = \mathrm{Hash}(v_1 \| \ldots \| v_{t_w})$ can be compared to the verification key. Each of the $x_i$ values should now have been hashed $2^w - 1$ times. The signature is declared to be verified if and only if $V = Y$. Example 1 explains a Winternitz OTS sample instance.

Without using the checksum an attacker could hash again some of the $s_i$ values. The result would be a valid signature which could not be verified by the original public key. Therefore the scheme would not be secure against known signature attacks leading to existential forgery. For this, the checksum is appended to the signature, so that every additional hash to one of the $s_i$ can be detected.

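Example 1. Consider a 15 bit message digest to be signed: $md = 101100000010010$. Choose $w = 4$.

Key Generation

$$\mathrm{Prng} \Rightarrow X = (\underbrace{0101}_{x_1}\ \underbrace{1100}_{x_2}\ \underbrace{1010}_{x_3}\ \underbrace{1110}_{x_4}\ \underbrace{0011}_{x_5}\ \underbrace{1111}_{x_6}) \quad \text{(Private key)}$$

$$t_w = \left\lceil 15/4 \right\rceil + \left\lceil \frac{\lfloor \log_2(\lceil 15/4 \rceil) \rfloor + 1 + 4}{4} \right\rceil = 4 + \left\lceil \frac{2 + 1 + 4}{4} \right\rceil = 6$$

Public key:

$$Y = (\mathrm{Hash}^{15}(x_1), \ldots, \mathrm{Hash}^{15}(x_6))$$

Signature Generation

$$md = \underbrace{0101}_{b_1}\ \underbrace{1000}_{b_2}\ \underbrace{0001}_{b_3}\ \underbrace{0010}_{b_4}$$

$$C = (10000 - 0101) + (10000 - 1000) + (10000 - 0001) + (10000 - 0010) = 1011 + 1000 + 1111 + 1110 = 110000$$

$$\Rightarrow b_5 = 0011 \text{ and } b_6 = 0000$$

$$\mathrm{Sig} = \mathrm{Hash}^{5}(x_1) \,\|\, \mathrm{Hash}^{8}(x_2) \,\|\, \mathrm{Hash}(x_3) \,\|\, \mathrm{Hash}^{2}(x_4) \,\|\, \mathrm{Hash}^{3}(x_5) \,\|\, x_6 = (s_1 \| \ldots \| s_6)$$

Verification ($b_i$ the same as above)

$$V = \mathrm{Hash}^{10}(s_1) \,\|\, \mathrm{Hash}^{7}(s_2) \,\|\, \mathrm{Hash}^{14}(s_3) \,\|\, \mathrm{Hash}^{13}(s_4) \,\|\, \mathrm{Hash}^{12}(s_5) \,\|\, \mathrm{Hash}^{15}(s_6) = \mathrm{Hash}^{15}(x_1) \,\|\, \ldots \,\|\, \mathrm{Hash}^{15}(x_6) \stackrel{!}{=} Y$$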
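An added example (not code from the thesis or from the FlexiProvider): a Python sketch of the Winternitz scheme as defined in this section, with the Prng of section 2.3.1 supplying the $x_i$, and a check that one additional hash on an $s_i$ is caught by the checksum blocks. SHA-256 as Hash, all function names and the sample inputs are assumptions of the example; blocks_with_checksum reproduces $b_1 \ldots b_6$ of Example 1.

```python
import hashlib

N = 256  # n: output length of Hash in bits (SHA-256 is an assumption of this example)

def Hash(data):
    return hashlib.sha256(data).digest()

def hash_chain(value, times):
    """Hash^times(value); Hash^0 is the identity."""
    for _ in range(times):
        value = Hash(value)
    return value

def prng(seed_in):
    """Rand <- Hash(Seed_in); Seed_out <- (1 + Seed_in + Rand) mod 2^n."""
    rand = Hash(seed_in)
    total = 1 + int.from_bytes(seed_in, "big") + int.from_bytes(rand, "big")
    return (total % (1 << N)).to_bytes(N // 8, "big"), rand

def block_counts(n, w):
    """(digest blocks, checksum blocks); their sum is t_w."""
    t1 = -(-n // w)                                 # ceil(n / w)
    checksum_bits = (t1.bit_length() - 1) + 1 + w   # floor(log2(t1)) + 1 + w
    return t1, -(-checksum_bits // w)

def split(value, count, w):
    """Split value into `count` blocks of w bits, most significant first, zeros padded in front."""
    mask = (1 << w) - 1
    return [(value >> (w * (count - 1 - i))) & mask for i in range(count)]

def blocks_with_checksum(md, n, w):
    """md_1 .. md_{t_w}: the digest blocks followed by the blocks of C = sum(2^w - md_i)."""
    t1, t2 = block_counts(n, w)
    blocks = split(md, t1, w)
    checksum = sum((1 << w) - b for b in blocks)
    return blocks + split(checksum, t2, w)

def digest(message):
    return int.from_bytes(Hash(message), "big")

def keygen(seed_ots, w):
    """x_k from repeated Prng calls, y_k = Hash^(2^w - 1)(x_k), Y = Hash(y_1 || ... || y_tw)."""
    xs = []
    for _ in range(sum(block_counts(N, w))):
        seed_ots, x = prng(seed_ots)
        xs.append(x)
    ys = [hash_chain(x, (1 << w) - 1) for x in xs]
    return xs, Hash(b"".join(ys))

def sign(md, xs, w):
    """s_i = Hash^(md_i)(x_i) for the n-bit digest md (given as an integer)."""
    return [hash_chain(x, b) for x, b in zip(xs, blocks_with_checksum(md, N, w))]

def verify(md, sig, Y, w):
    """v_i = Hash^(2^w - md_i - 1)(s_i); accept iff Hash(v_1 || ... || v_tw) == Y."""
    blocks = blocks_with_checksum(md, N, w)
    if len(sig) != len(blocks):
        return False
    vs = [hash_chain(s, (1 << w) - 1 - b) for s, b in zip(sig, blocks)]
    return Hash(b"".join(vs)) == Y

def extra_hash_is_rejected(xs, Y, md, w):
    """Hash one s_i once more and present it for the digest whose block i is one higher.
    The digest blocks then line up, but C drops by one, so at least one checksum block
    would need a shorter chain than the signature reveals: verification fails."""
    t1, _ = block_counts(N, w)
    sig = sign(md, xs, w)
    i = next(k for k, b in enumerate(split(md, t1, w)) if b < (1 << w) - 1)
    md_plus = md + (1 << (w * (t1 - 1 - i)))        # block i incremented by one
    altered = sig[:i] + [Hash(sig[i])] + sig[i + 1:]
    return not verify(md_plus, altered, Y, w)

if __name__ == "__main__":
    xs, Y = keygen(b"\x01" * 32, 4)                 # constructed seed, w = 4
    md = digest(b"constructed message")
    print(len(xs), verify(md, sign(md, xs, 4), Y, 4), extra_hash_is_rejected(xs, Y, md, 4))
```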

2.4 Merkle Trees

A problem which occurs by usage of one time signatures is well known from symmetric cryptography applications: the space needed to store all involved keys rises too fast. For every message a user A wants to send to another user B, a private key must be created for user A. Additionally, user B has to store one public key for every message.

Merkle's idea was to use a complete binary tree for verification of one time signatures. With this approach many signatures can be verified by one single public key. The storage needed for the verification key is extremely small (only one key has to be stored). Every one time signature scheme can be extended to a multi-time one by using such an authentication tree.

A complete binary tree of height $H$ consists of $2^H$ leaves and $2^H - 1$ inner nodes. The height of a leaf is defined to be $0$, whereas the height of inner nodes denotes the length of a path down to a leaf. Thus, the root node has height $H$. The leaves are numbered consecutively from left to right, starting with $0$. An example tree can be seen in Figure 1.

Figure 1: A complete binary tree of height $H = 2$. The values $0 \ldots 4$ are the leaf indices, $h$ denotes the nodes' height.

Merkle trees were first introduced by Merkle in 1989 [4]. A Merkle tree is a complete binary tree equipped with a hash function Hash. The values $\Phi(n)$ of a leaf can be chosen arbitrarily, whereas the values of inner nodes are calculated by the following: for each inner node $n_{parent}$ the value $\Phi(n_{parent})$ is defined to be the hash of the concatenation of the left and right child nodes $n_{left}$ and $n_{right}$:

$$\Phi(n_{parent}) = \mathrm{Hash}(n_{left} \,\|\, n_{right})$$

By this construction the Merkle tree is completely determined by the leaf values. A sample tree is shown in Figure 2.

Figure 2: A Merkle tree with leaf values $A, B, C, D$. The inner nodes are labelled Hash(AB) and Hash(CD), the root Hash(Hash(AB) Hash(CD)).

Merkle trees are used for authenticating the leaf data using the root value. For this purpose additional data is required, called the authentication data. For authenticating leaf $i$, on each height $h$ ($h = 0 \ldots H - 1$) one node value $\mathrm{Auth}_h$ is stored, namely the sibling of the nodes on the path from leaf $i$ up to the root. An example for the authentication path is illustrated in Figure 3. For authenticating leaf $i$, one starts at the bottom of the tree. Using the leaf value and the authentication data on each height by concatenating and hashing the root value can be computed. If the original stored root value is identical to the newly calculated one, the leaf value is truly authenticated.

Figure 3: Authentication data of leaf $\varphi$. Hashing the concatenation of $\mathrm{Auth}_0$ and $\Phi(\varphi)$ gives the upper node, continuing up the root finally gives the root value. The dashed nodes denote the authentication path for leaf $\varphi$. The arrows indicate the path from leaf $\varphi$ to the root.

Besides digital signatures Merkle trees have been implemented for other useful applications like wireless security [15]. As authentication is the real purpose of the Merkle tree and not signature verification, lots of other applications are imaginable. However, this thesis will only focus on the application of digital signatures.

2.5 The Merkle Signature Scheme

2.5.1 MSS - Merkle Signature Scheme

The Merkle Signature Scheme (MSS) proposed in [4] consists of a one time signature scheme like the Winternitz OTSS and a Merkle tree. A Merkle tree of height $H$ can be used to authenticate $2^H$ OTS keys (one for each leaf of the tree). The leaf values of the tree are formed by the OTS public keys $Y_i$. More precisely the three signature steps are:

MSS Key Generation. The MSS private key is the set of OTS private keys $(Y_1, \ldots, Y_{2^H})$ which are computed as usual, depending on the used scheme (for the Winternitz scheme e.g. see section 2.3.1). The OTS public keys are hashed and stored as the tree's leaf values. By concatenating and hashing each two child nodes, the node labels of the tree can be computed from bottom up to the root. The root value of the tree forms the MSS public key for verification.

The key pair generation uses an algorithm called treehash (Algorithm 1) [16]. This algorithm is used to compute the root of a Merkle tree using a stack structure equipped with the usual push and pop operations¹. It consecutively computes the $2^H$ leaf values consisting of the OTS verification keys $Y_j$ from left to right and pushes them on the stack. When two nodes of the same height lie on the stack, they are concatenated and hashed to the next upper node. After complete $2^H$ leaf calculations and $2^H - 1$ hash evaluations, the root of the Merkle tree is the upper node on the stack. Figure 4 illustrates an example.

Algorithm 1 Treehash

Input: Leaf $l$, stack Stack
Output: updated stack Stack

1. push $l$ to Stack
2. while top two nodes of Stack have same height do
   (a) pop $n_1$ from Stack, pop $n_2$ from Stack
   (b) push $\mathrm{Hash}(n_1 \| n_2)$ to Stack
3. return Stack.

¹ A stack is a data structure using a 'first in - first out' strategy: push stores a node on top of the stack, pop delivers the top node of the stack.

Figure 4: Sample of the treehash algorithm: value 'D' is pushed on the stack. Then 'C' and 'D' are hashed to a height 1 node which is then again hashed with the bottom node to a height 2 node. Stack before hashing: D (height 0), C (height 0), Hash(AB) (height 1). Stack after hashing: Hash(Hash(AB) ‖ Hash(CD)) (height 2).

MSS Signature Generation. Complete $2^H$ signatures can be created using one Merkle Tree. For each new signature the next OTS key is used so that each OTS key is only used once. The MSS signature consists of the index $\varphi$ that appoints which OTS key is used for the current signature. Furthermore the OTS signature, the OTS verification key $Y_\varphi$ and the authentication data of leaf $\varphi$ are components of the MSS signature: $\mathrm{Sig}_{MSS} = (\varphi, \mathrm{Sig}_{OTS}, Y_\varphi, \{\mathrm{Auth}_\varphi\})$.

MSS Verification. The first step of verification is the control of the OTS signature using the key $Y_\varphi$. If this phase fails, the whole MSS signature is rejected as invalid. Otherwise the authentication of this key is necessary. This happens by calculating the root value of the tree using the value $Y_\varphi$ and the authentication data stored in the MSS signature. First $Y_\varphi$ is concatenated and hashed with $\mathrm{Auth}_0$ on the lowest level, then the result is hashed again with $\mathrm{Auth}_1$ and so on up to the root. If the thus computed root is equal to the public MSS key, the signature is considered to be valid.
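An added example (not code from the thesis or from the FlexiProvider): the treehash stack of Algorithm 1, the authentication data of section 2.4 and the root recomputation of MSS verification, in Python. SHA-256 as Hash, the function names, the constructed leaf values and the rule that the leaf index decides on which side the sibling is concatenated are assumptions of the example; the authentication path is computed naively here, not with a traversal algorithm.

```python
import hashlib

def Hash(data):
    # SHA-256 stands in for the arbitrary hash function of the thesis (assumption).
    return hashlib.sha256(data).digest()

def treehash_push(stack, leaf):
    """Algorithm 1: push a leaf, then merge while the top two nodes have the same height.
    Returns the stack size right after the push, before any merging."""
    stack.append((0, leaf))
    size_after_push = len(stack)
    while len(stack) >= 2 and stack[-1][0] == stack[-2][0]:
        height, right = stack.pop()      # pushed later, so it is the right child
        _, left = stack.pop()
        # Phi(parent) = Hash(left || right), as defined in section 2.4
        stack.append((height + 1, Hash(left + right)))
    return size_after_push

def merkle_root(leaves):
    """Root over 2^H leaf values, together with the largest stack size that occurred."""
    if not leaves or len(leaves) & (len(leaves) - 1):
        raise ValueError("a complete binary tree needs 2^H leaves")
    stack, peak = [], 0
    for leaf in leaves:
        peak = max(peak, treehash_push(stack, leaf))
    return stack[0][1], peak

def auth_path(leaves, phi):
    """Auth_0 .. Auth_{H-1} for leaf phi: the sibling of each node on the path to the root."""
    level, path = list(leaves), []
    while len(level) > 1:
        path.append(level[phi ^ 1])
        level = [Hash(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        phi >>= 1
    return path

def root_from_path(leaf, phi, path):
    """Hash the leaf value with Auth_0, the result with Auth_1, and so on up to the root."""
    node = leaf
    for h, sibling in enumerate(path):
        if (phi >> h) & 1:               # node is a right child at height h
            node = Hash(sibling + node)
        else:                            # node is a left child at height h
            node = Hash(node + sibling)
    return node

def authenticate(leaf, phi, path, root):
    return root_from_path(leaf, phi, path) == root

# Constructed leaf values for H = 3; in MSS these are the hashed OTS public keys.
LEAVES = [Hash(b"constructed OTS public key %d" % i) for i in range(8)]

if __name__ == "__main__":
    root, peak = merkle_root(LEAVES)
    path = auth_path(LEAVES, 5)
    print(peak, authenticate(LEAVES[5], 5, path, root))
```

For $2^H$ leaves the stack never holds more than $H + 1$ nodes, which is what makes treehash usable for key generation on small devices.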

Seed calculation. Every leaf of the Merkle tree requires a random value $\mathrm{Seed}_{OTS}$ for the generation of the $x_k$ values needed for generation of the Winternitz OTS keys. This random data is calculated using the Prng as described in section 2.3.1:

$$(\mathrm{Seed}_{\varphi+1}, \mathrm{Seed}_{OTS}) \leftarrow \mathrm{Prng}(\mathrm{Seed}_{\varphi}) \qquad (1)$$

$$(\mathrm{Seed}_{OTS}, x_k) \leftarrow \mathrm{Prng}(\mathrm{Seed}_{OTS}), \quad k = 1 \ldots t_{w_i} \qquad (2)$$

As input a random value $\mathrm{Seed}_0$ is required. Formula (1) generates the seeds needed for the leaves. Formula (2) delivers the random data $x_k$. This seed calculation can be seen as a lattice of seed values, as Figure 5 illustrates: the upper line shows the consecutive calculation of the $\mathrm{Seed}_{OTS}$ values, whereas the downside lines show the generation of the $x_k$ values.

Figure 5: Seed generation for a single Merkle tree. Each array indicates one call to the Prng. The upper line runs from $\mathrm{Seed}_0$ over $\mathrm{Seed}_1, \mathrm{Seed}_2, \ldots, \mathrm{Seed}_\varphi, \ldots$ to $\mathrm{Seed}_{2^H}$; below each seed a column leads to $\mathrm{Seed}_{OTS}$ and on to $x_1, \ldots, x_k, \ldots, x_{t_\omega}$.

With this construction of the seed values we get a value $\mathrm{Seed}_{2^H}$ as output of the seed calculation. This output will be used in GMSS later on. Here we conclude that for the generation of all private and public keys only one initial seed value is required.

Security of MSS. The security of MSS was considered in [6]. It can be proved that the Merkle signature scheme resists any adaptive chosen message attack if

1. a secure, that means collision resistant, hash function exists and
2. the underlying one time signature scheme resists any forgery.

A chosen message attack is an attack where the adversary has the possibility to get a valid signature for every chosen message. He can use these message/signature pairs either to forge a signature or to break the private key. Adaptive in this context means that the attacker's messages can be chosen dependent on further message/signature pairs. As Coronado shows in [6], this attack will fail if the above mentioned assumptions hold. The Merkle signature scheme can be constructed using an arbitrary hash function. So if a hash function should become insecure, it can easily be substituted by a secure one. The MSS remains secure.

2.5.2 GMSS - Generalized Merkle Signature Scheme

As mentioned above GMSS is an extension of the Merkle signature scheme. GMSS stands for generalized Merkle signature scheme and was proposed in 2007 [7]. One instance of GMSS is CMSS, which was proposed in 2006 [5]. While MSS and CMSS have relatively large signatures, GMSS is designed to allow smaller signatures and faster generation and verification. Additionally with GMSS it is possible to sign up to $2^{80}$ and even more messages, while with MSS this number is only applicable up to $2^{20}$. This attribute is helpful considering practical applications like web server applications, where large numbers of signatures are necessary. The parameterization of GMSS allows the choice of either fast runtime, small signatures or a trade-off between both depending on the application. This section introduces the main characteristics and gives an overview of GMSS. A more detailed description can be found in [7] and [17].

General Construction. The general GMSS construction is made up of a tree with height $T$. The nodes of this tree are again Merkle trees. Each of the Merkle trees on layer $i$ of the basic tree has height $h_i$ and is parent of $2^{h_i}$ Merkle trees on the layer $i + 1$. The Merkle trees are labeled $T_{i,j}$, where $i$ is the level in the basic tree and $j$ is the number of the node on height $i$, consecutively numbered from left to right with $0 \ldots 2^{h_1 + h_2 + \ldots + h_{i-1}} - 1$. The root tree is labeled $T_{1,0}$.

Again the Winternitz OTS scheme is used for the signatures in the Merkle trees. For each layer a different parameter $w_i$, $i = 1 \ldots T$ is allowed. GMSS is parameterized by the height of the basic tree, the heights of the trees on each layer and the Winternitz parameters. Altogether the parameter set $P$ of GMSS is

$P = (T, (h_1, \ldots, h_T), (w_1, \ldots, w_T))$

CMSS is the variant defined by the parameters $P = (2, (h, h), (w, w))$.

The root of each Merkle tree $T_{i,j}$ is labeled $\mathrm{Root}_{T_{i,j}}$. It gets signed with the OTS key of the corresponding parent leaf: the root of tree $T_{i,j}$ is signed using the signature key of a leaf of the parent tree on height $i - 1$. The signature of tree $T$'s root is called $\mathrm{Sig}_T$. To sign a message digest the signature keys of the Merkle trees on the deepest layer $T$ are used. These signatures are denoted with $\mathrm{Sig}_d$. Following this construction the number of message digests that can be signed is $2^{h_1 + h_2 + \ldots + h_T}$. The general construction of GMSS is illustrated in figure 6.

Figure 6: Basic construction of GMSS. Only the leaves on the lowest layer are used for GMSS signatures.

As on upper layers the leaves advance less frequently, the precomputation of these trees can be distributed over many steps. This property allows an improvement in signature generation time. It also allows the choice of higher parameters $w_i$ for the OTS scheme, which leads to a smaller signature size in total.

A GMSS signature. As known from MSS, for each signature there is a unique path from the leaf $\varphi$ up to the root. Here this path contains one Merkle tree on each layer. In addition to the one time signature of the message digest, the one time signatures of the root values of these trees are stored in the GMSS signature. Also the authentication data on the path, consisting of $\mathrm{Auth}_{T,l}$ for each tree $T$, is appended to the GMSS signature. Here $l$ is the index of the leaf of tree $T$ used for signing the root of the tree on the layer below. On the deepest layer the authentication data of the leaf used to sign the message digest is appended. An example of this process is depicted in figure 7.

In total the GMSS signature consists of the following:

- the index $\varphi$ of the leaf used
- the one time signature $\mathrm{Sig}_d$ of the document $d$ signed with the key corresponding to a leaf of the lowest layer
- the one time signatures $\mathrm{Sig}_{T_{i,j}}$ of the roots
- the authentication paths $\mathrm{Auth}_{T_{i,j}}$ of each tree on the path from the bottom leaf $\varphi$ to the GMSS root

Figure 7: Example of a GMSS signature

Seed calculation in GMSS. For every single Merkle tree of the GMSS construct the seed generation procedure described on page 25 is used. For this an initial seed value $\mathrm{Seed}_{in\,T_{i,j}}$ is needed for every tree of the GMSS structure. The $\mathrm{Seed}_{in}$ for the first tree in each layer ($\mathrm{Seed}_{in\,T_{i,0}}$) is required as input. The following $\mathrm{Seed}_{in}$ values are computed as the output of the last leaf of the previous tree:

$(\mathrm{Seed}_{in\,T_{i,j+1}}, \mathrm{Seed}_{OTS}) \leftarrow \mathrm{Prng}(\mathrm{Seed}_{2^{h_i}})$

Here $\mathrm{Seed}_{2^{h_i}}$ is the seed of the last leaf of tree $T_{i,j}$. Hence using one initial seed for each layer all required seed values can be constructed.
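The seed scheduling of formulas (1) and (2) and its chaining across the trees of one GMSS layer, as an added example (not code from the thesis). The `prng` function is a hash-based stand-in and an assumption, not the Prng of section 2.3.1; the example also assumes that the chain state left after the last leaf of a tree is the next tree's $\mathrm{Seed}_{in}$, and all names and the sample seed are constructed.

```python
import hashlib

def prng(seed: bytes):
    """Stand-in Prng returning (next_seed, output). Assumption, not the thesis Prng."""
    return (hashlib.sha256(b"next" + seed).digest(),
            hashlib.sha256(b"out" + seed).digest())

def leaf_secrets(seed_phi: bytes, t: int):
    """Formulas (1) and (2) for one leaf: returns (Seed_{phi+1}, [x_1, ..., x_t])."""
    seed_next, seed_ots = prng(seed_phi)        # formula (1)
    xs = []
    for _ in range(t):                          # formula (2), k = 1..t
        seed_ots, x_k = prng(seed_ots)
        xs.append(x_k)
    return seed_next, xs

def tree_seeds(seed_in: bytes, height: int):
    """Upper chain of one tree: returns ([Seed_0, ..., Seed_{2^H - 1}], Seed_{2^H})."""
    seeds, seed = [], seed_in
    for _ in range(1 << height):
        seeds.append(seed)
        seed = prng(seed)[0]
    return seeds, seed

def layer_seed_in(seed_in_first: bytes, height: int, j: int) -> bytes:
    """GMSS: Seed_in of tree T_{i,j}, derived from Seed_in of T_{i,0} on the same layer."""
    seed = seed_in_first
    for _ in range(j):
        seed = tree_seeds(seed, height)[1]      # output of one tree seeds the next
    return seed

class SeedState:
    """Signer state holding only the current Seed_phi, overwritten every round.

    Earlier seeds cannot be recomputed from the stored one without inverting
    the Prng, which is what the seed scheduling relies on for forward security.
    """
    def __init__(self, seed0: bytes, t: int):
        self.seed, self.phi, self.t = seed0, 0, t

    def next_leaf(self):
        self.seed, xs = leaf_secrets(self.seed, self.t)   # Seed_phi is replaced
        self.phi += 1
        return xs

SEED0 = bytes(32)   # constructed sample; a real Seed_0 must be random and secret
```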

GMSS Key Generation. This phase uses the initial seed values for constructing the public and private keys needed for GMSS. The GMSS public key is the root of the top Merkle tree: $\mathrm{Root}_{T_{1,0}}$. The private key is built by the following:

$\mathrm{Seed}_{in\,T_{i,0}}$, $i = 1 \ldots T$
$\mathrm{Seed}_{in\,T_{i,2}}$, $i = 2 \ldots T$
$\mathrm{Sig}_{T_{i,0}}$, $i = 2 \ldots T$
$\mathrm{Root}_{T_{i,1}}$, $i = 2 \ldots T$
$\mathrm{Auth}_{T_{i,0},0}$, $i = 1 \ldots T$
$\mathrm{Auth}_{T_{i,1},0}$, $i = 2 \ldots T$

Using the treehash algorithm (Algorithm 1) the root values of the first Merkle tree on each layer $T_{i,0}$ (including the GMSS public key $\mathrm{Root}_{T_{1,0}}$) are built. For this the initial seed values $\mathrm{Seed}_{in\,T_{i,0}}$ are needed. While calculating these roots the authentication data of the first tree $\mathrm{Auth}_{T_{i,0},0}$ of each layer can be stored, so that the Auth values for these trees are obtained for free. The initial seeds for the second trees are now available. In the same way as above the root values of the second trees $\mathrm{Root}_{T_{i,1}}$ and the corresponding authentication data $\mathrm{Auth}_{T_{i,1},0}$ are generated with Algorithm 1. After this the initial seed value for the third tree of each layer $\mathrm{Seed}_{in\,T_{i,2}}$ is ready and can be stored in the private key. The signatures $\mathrm{Sig}_{T_{i,0}}$ are the one time signatures of the root values already known.

Figure 8: Example GMSS keys. The private key consists of the authentication path for the first leaf of the first two trees on each layer, the $\mathrm{Seed}_{in}$ for the first and the third tree on each layer, the root signatures Sig of the first trees and the root values Root of the second trees. The public key is the uppermost root value $\mathrm{Root}_{T_{1,0}}$.

This private GMSS key is the key for the first signature. Having created this signature the key is updated and so changes for every new signature. Therefore the GMSS scheme is called a key evolving signature scheme [18]. As the private signing key changes (evolves) frequently, this leads to a special security feature of GMSS, so called forward security. Even if an adversary compromises the current signing key, it is impossible to forge signatures belonging to former signing keys. Using the introduced seed scheduling, MSS does contain this security feature as well [6].

GMSS Signature Generation. The signature generation is divided into an online and an offline part. Such a separated framework is described in [19]. The offline part can be seen as preparation of the next online part. This online part cannot be done until the message is known. It is a fast process, so that the signature can be generated rapidly when the offline part has already been done. The offline part belonging to the first signature was done during the key generation phase. Later during the offline phase the private key has to be updated (as mentioned above, key evolving scheme). The online part only consists of the generation of the signature. All parts needed for this signature were created and provided by the previous offline part. A detailed description of both phases can be found in [7, 17].

The offline part distributes the computation of the needed Root, leaf and Sig values, so that for each signature the time to spend is not too different. If a Root or a Sig value is computed at once, the current round lasts longer than previous rounds where no such time expensive operations were done. Therefore the computation of those values is distributed over the calculation of the leaves of the underlying layer, i.e. over $2^{h_{i+1}}$ steps. Figure 9 illustrates the precomputation of those values.

Figure 9: While advancing a leaf in tree $T_{i,j}$, the values $\mathrm{Sig}_{T_{i,j+1}}$ and $\mathrm{Root}_{T_{i,j+2}}$ are updated, so that the computation of those values is distributed over all $2^{h_i}$ steps of tree $T_{i,j}$. While doing one step in $T_{i+1,j}$ the leaf of tree $T_{i,j+2}$ is partly computed.

GMSS Verification. The GMSS verification is nearly the same as in the original Merkle scheme. The first part is the verification of the one time signature of the original data. If this already fails, the verification can be stopped. Next the authentication starts with the tree on the lowest layer. Using the corresponding authentication data the root value of all trees can be calculated. The one time signatures of the roots are compared to the values Sig in the signature. Also if one of these signatures cannot be verified successfully, the GMSS verification fails with a negative result. Ending up at the root $\mathrm{Root}_{T_{1,0}}$ of the GMSS construction, this can be compared to the GMSS public key. Only if this comparison is successful the whole signature is accepted.

Needed Storage. Following [7] the size of the keys and the signature is:

$m_{pubkey} = n$ bits

$m_{privkey} = \left( \sum_{i=1}^{T} (h_i + 1) + \sum_{i=2}^{T} (h_i + t_{w_{i-1}} + 2) \right) \cdot n$ bits

$m_{signature} = \sum_{i=1}^{T} (h_i + t_{w_i}) \cdot n$ bits

The variable $n$ again denotes the length of the output of the hash function Hash. The public key is only one single hash value, that is why its bit length is $n$. The size of the private key and the signature can easily be derived from the listings above.

In practice these numbers will not hold. Some additional data has to be stored, for example the parameters $P$ must be added to the public key as they are needed for the verification process. So these numbers are more theoretical, but they give an idea of the overall sizes of signatures and keys. A comparison of the needed storage capacity can be found in section 6.

3.1 Overview

The Merkle tree traversal problem is the challenge of computing the authentication paths of consecutive leaves of one single Merkle tree. This is one of the most crucial steps in the Merkle signature scheme and its derivatives. Today MSS and its descendants are not often used in practice, because they are too slow or the signature size is too big. Better traversal techniques may speed up the signature generation (as well as better implementations like GMSS shall make the system more useful for practical considerations). As consecutive leaves mostly share a lot of authentication nodes, only the changes have to be computed from one leaf to the following. Good scheduling algorithms use this fact to speed up the computation of new authentication data.

With digital signatures a tree traversal algorithm for authentication data consists of three phases: key generation, output and verification.

During the key generation phase the root of the Merkle tree is constructed and the first authentication path is stored. Some additional authentication data can be stored and used as input for the traversal algorithm as well.

The output phase consists of $2^H$ rounds. In each round the leaf value $\Phi(\varphi)$ and the authentication data $\{\mathrm{Auth}_h\}$ of leaf $\varphi$ is output and then updated for the next round. This is the main part, requiring good scheduling ideas.

The verification phase is always the same as for the original Merkle tree.

In his original paper Merkle introduced a simple traversal algorithm [4]. Jakobsson et al. proposed an algorithm using subtrees in [20]. This algorithm allows a trade-off between storage and computation time. It needs a maximum of $2H / \log(H)$ hash function evaluations and maximum storage of $1.5 H^2 / \log(H)$ hash values per round. An implementation of the Merkle signature scheme using Jakobsson's ideas can be found in [21].

Szydlo presented a log-time and log-space algorithm in [22] and a slightly different version in a preprint in [16]. An algorithm is called logarithmic if its time per round respectively the maximum memory capacity needed is logarithmic in the total number of signatures $N$. He also proves that these bounds are optimal for the authentication path computation, i.e. that it is not possible to create an algorithm that in both time and space complexity is better than $O(\log N)$. Other work considering authentication path computation can be found in [23]. The new algorithm presented in this thesis is an improvement of Szydlo's algorithms. For this reason the outline of this section is the introduction of Szydlo's traversal algorithm (the more efficient preprint version of [16], not the more simple, published version of [22]). The description of Merkle's classical algorithm leads to Szydlo's improved algorithm version (Algorithm 2). Finally some drawbacks of Szydlo's algorithm are presented to motivate the improved algorithm presented in the main part of this thesis.

3.1.1 Notation

For authentication data the notation already known is used: $\mathrm{Auth}_h$ is the height $h$ sibling on the path from the current leaf $\varphi$ to the root. Further on for each level $h$ of the tree one instance of the treehash algorithm (Algorithm 1) called $\mathrm{Stack}_h$ is used. For practical considerations two methods initialize() and update() exist for these instances. The first method only sets the start node index and the desired height of the instance. The update() method either computes a node and pushes it on the stack or it once hashes the stack's top nodes if possible (if top nodes have same height). Temporarily stored nodes on a stack are called tail nodes. If $\mathrm{Stack}_h$ is completed, the top node is stored in an array $\mathrm{Need}_h$. There all upcoming right nodes are stored until they are needed for an authentication path.

Some computed nodes are later on again helpful for speeding up the computation of higher left nodes. For each height $h$ at most one such additional node can be kept. For this the set $\mathrm{Keep}_h$ is used. The height of the tree is denoted $H$, hence the number of nodes is $N = 2^H$, numbered from $0$ to $N - 1$ from left to right. All papers [4, 16, 20, 22, 23] do not consider the complexity of the calculation of one leaf. They use an oracle $\mathrm{Leafcalc}(\varphi)$ which computes the leaf value $\Phi(\varphi)$. The call of this oracle is counted as one computation unit for the complexity analysis, as well as hash function evaluations are counted one unit each.
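A treehash instance with the initialize() and update() behaviour described above, as an added example (not the thesis's Algorithm 1 listing or its Java code). It assumes SHA-256 as Hash and a constructed `leafcalc` stand-in for the oracle; the class name, the unit counter and the peak-size counter are hypothetical helpers for illustration.

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()      # assumption: SHA-256 as Hash

def leafcalc(phi: int) -> bytes:
    # Constructed stand-in for the oracle Leafcalc(phi).
    return H(b"constructed leaf %d" % phi)

class Treehash:
    """One treehash instance (Stack_h) driven by initialize() and update()."""

    def initialize(self, start: int, height: int) -> None:
        if start % (1 << height):
            raise ValueError("start must be the leftmost leaf of a height-h subtree")
        self.next_leaf, self.height = start, height
        self.stack = []        # tail nodes as (height, value), top at the end
        self.units = 0         # leaf computations plus hash evaluations
        self.max_tail = 0      # largest number of nodes ever held on the stack

    def completed(self) -> bool:
        return len(self.stack) == 1 and self.stack[0][0] == self.height

    def update(self) -> None:
        """Spend one unit: hash the two top nodes if equal height, else push a leaf."""
        if self.completed():
            return
        s = self.stack
        if len(s) >= 2 and s[-1][0] == s[-2][0]:
            (h, right), (_, left) = s.pop(), s.pop()
            s.append((h + 1, H(left + right)))
        else:
            s.append((0, leafcalc(self.next_leaf)))
            self.next_leaf += 1
        self.units += 1
        self.max_tail = max(self.max_tail, len(s))

def run_to_completion(start: int, height: int):
    """Return (node value, units spent, peak stack size) for one instance."""
    t = Treehash()
    t.initialize(start, height)
    while not t.completed():
        t.update()
    return t.stack[0][1], t.units, t.max_tail

def reference_node(height: int, index: int) -> bytes:
    """Direct recursive definition of the node at (height, index), for comparison."""
    if height == 0:
        return leafcalc(index)
    return H(reference_node(height - 1, 2 * index)
             + reference_node(height - 1, 2 * index + 1))
```

Counting each leaf and each hash as one unit, a height $h$ instance needs $2^{h+1} - 1$ updates and holds at most $h + 1$ nodes at a time in this implementation.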

3.2 Szydlo's Algorithm

3.2.1 Motivation

The classical algorithm introduced by Merkle in his original paper distinguishes between computation of left and right authentication nodes. It uses one treehash instance for each height, as described above. Using these, new upcoming right authentication nodes are precomputed, so that they are ready when they are needed for Auth values. In each round $\varphi \in [0 \ldots 2^H - 1]$ every treehash instance gets one update, if it was not already completed. This leads to the following problem: in the worst case all $H$ treehash instances are active at the same time. So the maximum number of required space units is $0.5 (\log(N))^2$. Szydlo's idea was to change the scheduling strategy for the treehash instances to save memory.

The generation of left nodes is quite easy, because their child nodes have already been computed. Saving those child nodes only one hash operation is required for computation of a left authentication node.

As Merkle did in his original algorithm, Szydlo distinguishes between the computation of left and right authentication nodes. The computation of left nodes is quite the same as in Merkle's paper.
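Which authentication nodes change between consecutive leaves, and why the new left node costs a single hash, worked out on node indices as an added example (not code from the thesis or from the cited papers). Nodes are addressed as (height, index within that height); the function names and the returned dictionary layout are constructed for illustration.

```python
def auth_indices(phi: int, H: int):
    """Index within each height h of Auth_h for leaf phi (sibling of phi's ancestor)."""
    return [(phi >> h) ^ 1 for h in range(H)]

def changed_heights(phi: int, H: int):
    """Heights on which the authentication paths of phi and phi + 1 differ."""
    old, new = auth_indices(phi, H), auth_indices(phi + 1, H)
    return [h for h in range(H) if old[h] != new[h]]

def transition(phi: int, H: int):
    """Describe the authentication path update from leaf phi to leaf phi + 1."""
    if not 0 <= phi < (1 << H) - 1:
        raise ValueError("phi must have a successor leaf in the tree")
    tau = 0
    while (phi >> tau) & 1:          # tau = number of trailing 1 bits of phi
        tau += 1
    old, new = auth_indices(phi, H), auth_indices(phi + 1, H)
    plan = {
        "unchanged": list(range(tau + 1, H)),           # heights kept as they are
        "right": [(h, new[h]) for h in range(tau)],     # new right nodes (precomputed)
        "left": (tau, new[tau]),                        # the single new left node
        "left_children": None,                          # tau == 0: it is leaf phi itself
    }
    if tau > 0:
        # Children of the new left node: the old Auth_{tau-1} and the
        # height tau-1 ancestor of phi, so one hash yields the node.
        plan["left_children"] = ((tau - 1, old[tau - 1]), (tau - 1, phi >> (tau - 1)))
    return plan

def total_changes(H: int) -> int:
    """Authentication nodes replaced over all 2^H - 1 leaf transitions of the tree."""
    return sum(len(changed_heights(phi, H)) for phi in range((1 << H) - 1))
```

For $H = 4$ only 26 authentication nodes are replaced over the 15 transitions, fewer than two per round, while every path has four entries.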

3.2.2 The Algorithm

As input Algorithm 2 needs the authentication path of the first leaf of the Merkle tree. These values $\{\mathrm{Auth}_h, h = 0 \ldots H\}$ can be stored during the key generation phase when computing the root of the tree. So the first authentication path is obtained for free. In every round of the authentication path algorithm of Szydlo the same steps are executed:
