Merkle signature scheme
The Merkle signature is a digital signature scheme based on Merkle trees and one-time signatures such as the Lamport one-time signatures. It was developed by Ralph Merkle in the late seventies and is an alternative to traditional digital signatures, such as the Digital Signature Algorithm based on RSA signatures or dar. In contrast to these, it is resistant to attacks by quantum computers, since its security safer only of the existence of hash functions depends.
Idea
A problem of one-time signatures, such as the Lamport signature, the transfer of the public key. Since each key exactly one can only be used once, comes along a larger amount of data that must be passed reliably to the recipient.
The Merkle signature method solves this problem by the whole (public ) key material of one-time signatures is summarized in a multilevel hash method into a single hash value. As a public key only needs to be published, then can be signed with him messages.
The signature of a message is then composed of two parts:
- A public key and the signed with the corresponding private key message. The recipient can verify that the sender was indeed in possession of the private key.
- A proof that it is the public key is a key, from which the hash value was calculated.
Key generation
The Merkle signature scheme can only be used to sign a limited number of messages with a public key. The number of possible messages corresponds to a power of two and is therefore referred to as.
The first step in the generation of the public key, the generation of the public key and the private key of single signatures. For each private key, a hash value is calculated. These hash values, a hash tree is built.
A node of the tree to identify the level of the node designated. The level of a node is defined by its distance to the leaves. Thus, a sheet of the plain and the root has the level. The nodes of each level are numbered from left to right so that the node is on the far left level.
In the Merkle tree, the hash values are the leaves of the binary tree, so. Each internal node of the tree is the hash value of the concatenation of its two children. For example, and.
In this way, a tree with leaves and nodes is established. The root of the tree is the public key of the Merkle signature scheme.
Signing
To sign a message with the Merkle signature scheme, the message is first signed with a one-time signature scheme, so that the signature is created. To this end, one of the key pairs of public and private key will be used.
The public session key corresponding leaf of the hash tree is. The path in the hash tree from the root is denoted by. The path consists of nodes, and wherein the blades are the root of the tree. In order to calculate this path of each child of the node requires. It is known that a child is. To calculate the next node of the path, both children must be known. Therefore, the brother of needs. This node is denoted by so. Therefore nodes are required to calculate each node of the path. These nodes are calculated and stored. They form together with a time signature of the signature of the Merkle signature scheme.
Verification
The receiver knows the public key, the message and the signature. First, the receiver verifies the time signature of the message. If a valid signature is, the receiver computes by computing the hash value of the private key of the time signature. For the nodes of the path are calculated with. If the public key of the Merkle signature scheme corresponds, so the signature is valid.
Swell
- G. Becker: Merkle Signature Schemes, Merkle Trees and Their Cryptanalysis (PDF file, 370 kB ) seminar 'Post Quantum Cryptology ' at the Ruhr- University Bochum.
- E. Dahmen, M. Dring, E. Klintsevich, J. Buchmann, LC Coronado Garca: CMSS - to improved merkle signature scheme (PDF file, 264 kB). Progress in Cryptology - Indocrypt 2006, 2006.
- E. Klintsevich, K. Okeya, C. Vuillaume, J. Buchmann, E. Dahmen: Merkle signatures with Virtually unlimited signature capacity (PDF file, 179 kB). 5th International Conference on Applied Cryptography and Network Security - ACNS07, 2007.
- Ralph Merkle: Secrecy, authentication and public key systems / A certified digital signature. Ph.D. dissertation, Dept.. of Electrical Engineering, Stanford University, 1979. (PDF)
- Silvio Micali, M. Jakobsson, T. Leighton, M. Szydlo: Fractal merkle tree representation and traversal. RSA - CT 03, 2003