Merkle signature scheme

Last updated April 08, 2023

In hash-based cryptography, the Merkle signature scheme is a digital signature scheme based on Merkle trees (also called hash trees) and one-time signatures such as the Lamport signature scheme. It was developed by Ralph Merkle in the late 1970s^[1] and is an alternative to traditional digital signatures such as the Digital Signature Algorithm or RSA. NIST has approved specific variants of the Merkle signature scheme in 2020.^[2]

An advantage of the Merkle signature scheme is that it is believed to be resistant against attacks by quantum computers. The traditional public key algorithms, such as RSA and ElGamal would become insecure if an effective quantum computer could be built (due to Shor's algorithm). The Merkle signature scheme, however, only depends on the existence of secure hash functions. This makes the Merkle signature scheme very adjustable and resistant to quantum computer-based attacks. The Merkle signature is a one time signature with finite signing potential. The work of Moni Naor and Moti Yung on signature based one-way permutations and functions (and the invention of universal one-way hash functions) gives a way to extend a Merkle-like signature to a complete signature scheme.^[3]

Key generation

The Merkle signature scheme can be used to sign a limited number of messages with one public key ${\text{pub}}$ . The number of possible messages must be a power of two, so we denote the possible number of messages as $N=2^{n}$ .

The first step of generating the public key ${\text{pub}}$ is to generate $N$ private/public key pairs $(X_{i},Y_{i})$ of some one-time signature scheme (such as the Lamport signature scheme). For each $1\leq i\leq 2^{n}$ , a hash value of the public key $h_{i}=H(Y_{i})$ is computed.

Merkle Tree with 8 leaves MerkleTree1.1.svg — Merkle Tree with 8 leaves

With these hash values $h_{i}$ a hash tree is built, by placing these $2^{n}$ hash values as leaves and recursively hashing to form a binary tree. Let $a_{i,j}$ denote the node in the tree with height $i$ and left-right position $j$ . Then, the hash values $h_{i}=a_{0,i}$ are the leaves. The value for each inner node of the tree is the hash of the concatenation of its two children. For example, $a_{1,0}=H(a_{0,0}||a_{0,1})$ and $a_{2,0}=H(a_{1,0}||a_{1,1})$ . In this way, a tree with $2^{n}$ leaves and $2^{n+1}-1$ nodes is built.

The private key of the Merkle signature scheme is the entire set of $(X_{i},Y_{i})$ pairs. A shortcoming with the scheme is that the size of the private key scales linearly with the number of messages to be sent.

The public key ${\text{pub}}$ is the root of the tree, $a_{n,0}$ . The individual public keys $Y_{i}$ can be made public without breaking security. However, they are not needed in the public key, so they can be kept secret to minimize the size of the public key.

Signature generation

To sign a message $M$ with the Merkle signature scheme, the signer picks a key pair $(X_{i},Y_{i})$ , signs the message using the one-time signature scheme, and then adds additional information to prove that the key pair used was one of the original key pairs (rather than one newly generated by a forger).

Merkle tree with path A and authentication path for i = 2, n = 3 MerkleTree2.1.svg — Merkle tree with path A and authentication path for i = 2, n = 3

First, the signer chooses a $(X_{i},Y_{i})$ pair which had not previously been used to sign any other message, and uses the one-time signature scheme to sign the message, resulting in a signature ${\text{sig}}'$ and corresponding public key $Y_{i}$ . To prove to the message verifier that $(X_{i},Y_{i})$ was in fact one of the original key pairs, the signer simply includes intermediate nodes of the Merkle tree so that the verifier can verify $h_{i}=a_{0,i}$ was used to compute the public key $a_{n,0}$ at the root of the tree. The path in the hash tree from $a_{0,i}$ to the root is $n+1$ nodes long. Call the nodes $A_{0},\ldots ,A_{n}$ , with $A_{0}=a_{0,i}=H(Y_{i})$ being a leaf and $A_{n}=a_{n,0}={\text{pub}}$ being the root.

$A_{i}$ is a child of $A_{i+1}$ . To let the verifier calculate the next node $A_{i+1}$ given the previous, they need to know the other child of $A_{i+1}$ , the sibling node of $A_{i}$ . We call this node ${\text{auth}}_{i}$ , so that $A_{i+1}=H(A_{i}||{\text{auth}}_{i})$ . Hence, $n$ nodes ${\text{auth}}_{0},\ldots ,{\text{auth}}_{n-1}$ are needed, to reconstruct $A_{n}=a_{n,0}={\text{pub}}$ from $A_{0}=a_{0,i}$ . An example of an authentication path is illustrated in the figure on the right.

Together, the nodes ${\text{auth}}_{0},\ldots ,{\text{auth}}_{n-1}$ , the $Y_{i}$ , and the one-time signature ${\text{sig}}'$ constitute a signature of $M$ using the Merkle signature scheme: ${\text{sig}}=({\text{sig}}'||Y_{i}||{\text{auth}}_{0}||{\text{auth}}_{1}||\ldots ||{\text{auth}}_{n-1})$ .

Note that when using the Lamport signature scheme as the one-time signature scheme, ${\text{sig}}'$ contains a part of the private key $X_{i}$ .

Signature verification

The receiver knows the public key ${\text{pub}}$ , the message $M$ , and the signature ${\text{sig}}=({\text{sig}}'||Y_{i}||{\text{auth}}_{0}||{\text{auth}}_{1}||\ldots ||{\text{auth}}_{n-1})$ . First, the receiver verifies the one-time signature ${\text{sig}}'$ of the message $M$ using the one-time signature public key $Y_{i}$ . If ${\text{sig}}'$ is a valid signature of $M$ , the receiver computes $A_{0}=H(Y_{i})$ by hashing the public key of the one-time signature. For $j=1,\ldots ,n-1$ , the nodes of $A_{j}$ of the path are computed with $A_{j}=H(A_{j-1}||{\text{auth}}_{j-1})$ . If $A_{n}$ equals the public key ${\text{pub}}$ of the Merkle signature scheme, the signature is valid.

Related Research Articles

The Digital Signature Algorithm (DSA) is a public-key cryptosystem and Federal Information Processing Standard for digital signatures, based on the mathematical concept of modular exponentiation and the discrete logarithm problem. DSA is a variant of the Schnorr and ElGamal signature schemes.

A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very high confidence that the message was created by a known sender (authenticity), and that the message was not altered in transit (integrity).

A commitment scheme is a cryptographic primitive that allows one to commit to a chosen value while keeping it hidden to others, with the ability to reveal the committed value later. Commitment schemes are designed so that a party cannot change the value or statement after they have committed to it: that is, commitment schemes are binding. Commitment schemes have important applications in a number of cryptographic protocols including secure coin flipping, zero-knowledge proofs, and secure computation.

Kademlia is a distributed hash table for decentralized peer-to-peer computer networks designed by Petar Maymounkov and David Mazières in 2002. It specifies the structure of the network and the exchange of information through node lookups. Kademlia nodes communicate among themselves using UDP. A virtual or overlay network is formed by the participant nodes. Each node is identified by a number or node ID. The node ID serves not only as identification, but the Kademlia algorithm uses the node ID to locate values.

The ElGamal signature scheme is a digital signature scheme which is based on the difficulty of computing discrete logarithms. It was described by Taher Elgamal in 1985.

In cryptography and computer science, a hash tree or Merkle tree is a tree in which every "leaf" (node) is labelled with the cryptographic hash of a data block, and every node that is not a leaf is labelled with the cryptographic hash of the labels of its child nodes. A hash tree allows efficient and secure verification of the contents of a large data structure. A hash tree is a generalization of a hash list and a hash chain.

The GOST hash function, defined in the standards GOST R 34.11-94 and GOST 34.311-95 is a 256-bit cryptographic hash function. It was initially defined in the Russian national standard GOST R 34.11-94 Information Technology – Cryptographic Information Security – Hash Function. The equivalent standard used by other member-states of the CIS is GOST 34.311-95.

In cryptography, a Lamport signature or Lamport one-time signature scheme is a method for constructing a digital signature. Lamport signatures can be built from any cryptographically secure one-way function; usually a cryptographic hash function is used.

In cryptography, a one-way compression function is a function that transforms two fixed-length inputs into a fixed-length output. The transformation is "one-way", meaning that it is difficult given a particular output to compute inputs which compress to that output. One-way compression functions are not related to conventional data compression algorithms, which instead can be inverted exactly or approximately to the original data.

In cryptography, the Merkle–Damgård construction or Merkle–Damgård hash function is a method of building collision-resistant cryptographic hash functions from collision-resistant one-way compression functions. This construction was used in the design of many popular hash algorithms such as MD5, SHA-1 and SHA-2.

A hash chain is the successive application of a cryptographic hash function to a piece of data. In computer security, a hash chain is a method to produce many one-time keys from a single key or password. For non-repudiation a hash function can be applied successively to additional pieces of data in order to record the chronology of data's existence.

In cryptography, the unbalanced oil and vinegar (UOV) scheme is a modified version of the oil and vinegar scheme designed by J. Patarin. Both are digital signature protocols. They are forms of multivariate cryptography. The security of this signature scheme is based on an NP-hard mathematical problem. To create and validate signatures, a minimal quadratic equation system must be solved. Solving $m$ equations with $n$ variables is NP-hard. While the problem is easy if $m$ is either much much larger or much much smaller than $n$ , importantly for cryptographic purposes, the problem is thought to be difficult in the average case when $m$ and $n$ are nearly equal, even when using a quantum computer. Multiple signature schemes have been devised based on multivariate equations with the goal of achieving quantum resistance.

In cryptography, Very Smooth Hash (VSH) is a provably secure cryptographic hash function invented in 2005 by Scott Contini, Arjen Lenstra and Ron Steinfeld. Provably secure means that finding collisions is as difficult as some known hard mathematical problem. Unlike other provably secure collision-resistant hashes, VSH is efficient and usable in practice. Asymptotically, it only requires a single multiplication per log(n) message-bits and uses RSA-type arithmetic. Therefore, VSH can be useful in embedded environments where code space is limited.

In cryptography, post-quantum cryptography (PQC) refers to cryptographic algorithms that are thought to be secure against a cryptanalytic attack by a quantum computer. The problem with currently popular algorithms is that their security relies on one of three hard mathematical problems: the integer factorization problem, the discrete logarithm problem or the elliptic-curve discrete logarithm problem. All of these problems could be easily solved on a sufficiently powerful quantum computer running Shor's algorithm.

In discrete mathematics, ideal lattices are a special class of lattices and a generalization of cyclic lattices. Ideal lattices naturally occur in many parts of number theory, but also in other areas. In particular, they have a significant place in cryptography. Micciancio defined a generalization of cyclic lattices as ideal lattices. They can be used in cryptosystems to decrease by a square root the number of parameters necessary to describe a lattice, making them more efficient. Ideal lattices are a new concept, but similar lattice classes have been used for a long time. For example, cyclic lattices, a special case of ideal lattices, are used in NTRUEncrypt and NTRUSign.

Network coding has been shown to optimally use bandwidth in a network, maximizing information flow but the scheme is very inherently vulnerable to pollution attacks by malicious nodes in the network. A node injecting garbage can quickly affect many receivers. The pollution of network packets spreads quickly since the output of honest node is corrupted if at least one of the incoming packets is corrupted.

In cryptography, server-based signatures are digital signatures in which a publicly available server participates in the signature creation process. This is in contrast to conventional digital signatures that are based on public-key cryptography and public-key infrastructure. With that, they assume that signers use their personal trusted computing bases for generating signatures without any communication with servers.

Non-commutative cryptography is the area of cryptology where the cryptographic primitives, methods and systems are based on algebraic structures like semigroups, groups and rings which are non-commutative. One of the earliest applications of a non-commutative algebraic structure for cryptographic purposes was the use of braid groups to develop cryptographic protocols. Later several other non-commutative structures like Thompson groups, polycyclic groups, Grigorchuk groups, and matrix groups have been identified as potential candidates for cryptographic applications. In contrast to non-commutative cryptography, the currently widely used public-key cryptosystems like RSA cryptosystem, Diffie–Hellman key exchange and elliptic curve cryptography are based on number theory and hence depend on commutative algebraic structures.

Hash-based cryptography is the generic term for constructions of cryptographic primitives based on the security of hash functions. It is of interest as a type of post-quantum cryptography.

LSH is a cryptographic hash function designed in 2014 by South Korea to provide integrity in general-purpose software environments such as PCs and smart devices. LSH is one of the cryptographic algorithms approved by the Korean Cryptographic Module Validation Program (KCMVP). And it is the national standard of South Korea.

References

↑ Merkle, Ralph (1979). "Secrecy, authentication and public key systems" (PDF). Ph.D. Dissertation: 32–61.
↑ "Stateful Hash-Based Signature Schemes: SP 800-208 | CSRC". 30 October 2020.
↑ Naor, Moni; Yung, Moti (1989). "Universal One-Way Hash Functions and their Cryptographic Applications" (PDF). Symposium on Theory of Computing : 33–43.

E. Dahmen, M. Dring, E. Klintsevich, J. Buchmann, L.C. Coronado Garca. "CMSS - an improved merkle signature scheme". Progress in Cryptology - Indocrypt 2006, 2006.
E. Klintsevich, K. Okeya, C.Vuillaume, J. Buchmann, E.Dahmen. "Merkle signatures with virtually unlimited signature capacity". 5th International Conference on Applied Cryptography and Network Security - ACNS07, 2007.
S. Micali, M. Jakobsson, T. Leighton, M. Szydlo. "Fractal merkle tree representation and traversal". RSA-CT 03, 2003

External links

Efficient Use of Merkle Trees - RSA labs explanation of the original purpose of Merkle trees + Lamport signatures, as an efficient one-time signature scheme.
An introduction to hash-based signatures and Merkle signatures by Adam Langley.
A 4 parts series on hash-based signatures by David Wong.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Merkle, Ralph (1979). "Secrecy, authentication and public key systems" (PDF). Ph.D. Dissertation: 32–61.

[2] "Stateful Hash-Based Signature Schemes: SP 800-208 | CSRC". 30 October 2020.

[3] Naor, Moni; Yung, Moti (1989). "Universal One-Way Hash Functions and their Cryptographic Applications" (PDF). Symposium on Theory of Computing : 33–43.

[1]

[2]

[3]