Merkle signature scheme

The Merkle signature scheme is a digital signature scheme based on hash trees (also called Merkle trees) and one-time signatures such as the Lamport signature scheme. It was developed by Ralph Merkle in the late 1970s and is an alternative to traditional digital signatures such as the Digital Signature Algorithm or RSA.

The advantage of the Merkle signature scheme is that it is believed to be resistant against quantum computer algorithms. The traditional public key algorithms, such as RSA and ElGamal would become insecure in case an effective quantum computer can be built (due to Shor's algorithm). The Merkle signature scheme however only depends on the existence of secure hash functions. This makes the Merkle signature scheme very adjustable and resistant to quantum computing. Note that Merkle signature is a one time signature with finite signing potential; the work of Moni Naor and Moti Yung on signature based on one-way permutations and functions (and the invention of universal one-way hash function) give a way to extend a Merkle like signature to a complete signature scheme.

Key generation

The Merkle signature scheme can be used to sign a limited number of messages with one public key $\text{pub}$ . The number of possible messages must be a power of two, so we denote the possible number of messages as $N = 2^n$ .

The first step of generating the public key $\text{pub}$ is to generate $N$ public/private key pairs $(X_i, Y_i)$ of some one-time signature scheme (such as the Lamport signature scheme). For each $1 \leq i \leq 2^n$ , a hash value $h_i = H(Y_i)$ is computed.

Merkle Tree with 8 leaves

With these hash values $h_i$ a hash tree is built, by placing these $2^n$ hash values as leaves and recursively hashing to form a binary tree. Let $a_{i,j}$ denote the node in the tree with height $i$ and left-right position $j$ . Then, the hash values $h_i = a_{0,i}$ are the leaves. The value for each inner node of the tree is the hash of the concatenation of its two children. For example $a_{1,0} = H(a_{0,0} || a_{0,1})$ and $a_{2,0} = H(a_{1,0} || a_{1,1})$ . In this way, a tree with $2^n$ leaves and $2^{n+1} - 1$ nodes is built.

The private key of the Merkle signature scheme is the entire set of $(X_i, Y_i)$ pairs. (One of the major problems with the scheme is that the size of the private key scales with the number of messages to be sent.)

The public key $\text{pub}$ is the root of the tree, $a_{n,0}$ . The individual public keys $X_i$ can be made public without breaking security. However, as they are not needed in the public key, it is more practical to keep them secret to minimize its size.

Signature generation

Intuitively, to sign a message $M$ with the Merkle signature scheme, the signer picks a key pair $(X_i, Y_i)$ , signs uses the one-time signature scheme, and then adds additional information to prove that it was indeed one of the original key pairs (rather than one newly generated by a forger).

Merkle tree with path A and authentication path for i = 2

Concretely, the signer chooses a $(X_i, Y_i,)$ pair which had not previously been used to sign any other message (the first message may simply be signed with $(X_0, Y_0)$ , the second with $(X_1, Y_1)$ , and so on), and uses the one-time signature scheme to sign the message, resulting in a signature $\text{sig}'$ , first. To prove to the message verifier that $(X_i, Y_i,)$ was in fact one of the original key pairs, the signer simply includes intermediate nodes of the Merkle tree so that the verifier can verify $h_i = a_{0,i}$ was used to compute the public key $a_{n,0}$ . The path in the hash tree from $a_{0,i}$ to the root be $n + 1$ nodes, call them $A_0, \ldots, A_n$ , with $A_0 = a_{0,i} = H(Y_i)$ being a leaf and $A_n = a_{n,0} = \text{pub}$ being the root.

We know that $A_i$ is a child of $A_{i+1}$ . To let the verifier calculate the next node $A_{i+1}$ given the previous, they need to know the other child of $A_{i+1}$ , the sibling node of $A_i$ . We call this node $\text{auth}_i$ , so that $A_{i+1} = H(A_i || \text{auth}_i)$ . Hence, $n$ nodes $\text{auth}_0, \ldots, \text{auth}_{n-1}$ are needed, to reconstruct $A_n = a_{n,0} = \text{pub}$ from $A_0 = a_{0,i}$ . An example of an authentication path is illustrated in the figure on the right.

These nodes $\text{auth}_{0}, \ldots, \text{auth}_{n-1}$ , the $Y_i,$ public part of the key, and the one-time signature $\text{sig}'$ , together constitute a signature of $M$ using the Merkle signature scheme: $\text{sig} = (\text{sig}' || Y_i || \text{auth}_0 || \text{auth}_1 || \ldots || \text{auth}_{n-1})$ .

Signature verification

The receiver knows the public key $\text{pub}$ , the message $M$ , and the signature $\text{sig} = (\text{sig}' || X_i || Y_i || \text{auth}_0 || \text{auth}_1 || \ldots || \text{auth}_{n-1})$ . First, the receiver verifies the one-time signature $\text{sig}'$ of the message $M$ using the one-time signature public key $X_i$ . If $\text{sig}'$ is a valid signature of $M$ , the receiver computes $A_0 = H(Y_i)$ by hashing the private key of the one-time signature. For $j = 1, \ldots, n - 1$ , the nodes of $A_j$ of the path are computed with $A_j = H(A_{j-1} || \text{auth}_{j-1})$ . If $A_n$ equals the public key $\text{pub}$ of the Merkle signature scheme, the signature is valid.

References

G. Becker. "Merkle Signature Schemes, Merkle Trees and Their Cryptanalysis", seminar 'Post Quantum Cryptology' at the Ruhr-University Bochum, Germany.
E. Dahmen, M. Dring, E. Klintsevich, J. Buchmann, L.C. Coronado Garca. "CMSS - an improved merkle signature scheme". Progress in Cryptology - Indocrypt 2006, 2006.
E. Klintsevich, K. Okeya, C.Vuillaume, J. Buchmann, E.Dahmen. "Merkle signatures with virtually unlimited signature capacity". 5th International Conference on Applied Cryptography and Network Security - ACNS07, 2007.
Ralph Merkle. "Secrecy, authentication and public key systems / A certified digital signature". Ph.D. dissertation, Dept. of Electrical Engineering, Stanford University, 1979.
Moni Naor, Moti Yung: Universal One-Way Hash Functions and their Cryptographic Applications .STOC 1989: 33-43
S. Micali, M. Jakobsson, T. Leighton, M. Szydlo. "Fractal merkle tree representation and traversal". RSA-CT 03, 2003

External links

Efficient Use of Merkle Trees - RSA labs explanation of the original purpose of Merkle trees + Lamport signatures, as an efficient one-time signature scheme.
An introduction to hash-based signatures and Merkle signatures by Adam Langley.

Public-key cryptography

Algorithms

Integer Factorization	Benaloh Blum–Goldwasser Cayley–Purser Damgård–Jurik GMR Goldwasser–Micali Paillier Rabin RSA Okamoto–Uchiyama Schmidt–Samoa

Discrete logarithm	Cramer–Shoup DH DSA ECDH ECDSA EdDSA EKE ElGamal signature scheme MQV Schnorr SPEKE SRP STS

Others	AE CEILIDH EPOC HFE IES Lamport McEliece Merkle–Hellman Naccache–Stern Naccache–Stern knapsack cryptosystem NTRUEncrypt NTRUSign Three-pass protocol XTR

Theory

Standardization

Topics

Cryptography

History of cryptography Cryptanalysis Outline of cryptography

Symmetric-key algorithm Block cipher Stream cipher Public-key cryptography Cryptographic hash function Message authentication code Random numbers Steganography

Category · Portal · WikiProject

This article is issued from Wikipedia - version of the Wednesday, March 30, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.