Title: MerkleLamport signatures Signatures from any oneway function
1Merkle/Lamport signaturesSignatures from any
one-way function
2Recall What functions are hard?
DES/AES Stream ciphers Hash functions
RSA Factorization Discrete log
Speed action
Graphs
Size representation
3Public key
Called Lamport signature Problem uses up
public key!
4Avoid using up public key
5Avoid using up public key
6Avoid using up public key
Longer longer!
A Merkle signature
7Merkle signatures with a tree
The red parts are given out to sign green is
public key
8How is a signature verified?
Pair-wise hashing compare root with known value
9Avoiding birthday attacks
The input to each hash step is a counter and an
identifier
10Are all values stored?
- We can generate leaf values on the fly by
making the secret keys of these be outputs of a
Pseudo Random Generator that takes as input the
leaf position, the secret key index, and a secret
seed. - (But the interior nodes cannot be generated like
this.)
11How to maintain the tree?
- You can store it all (thats a lot of storage!)
- You can compute the nodes you want when you want
them (thats a lot of work!) - You can amortize the computation by storing a
part and computing a little each time. (JLMS, S)
12Goal and Metrics
- Output sequence of (leaf preimage,
authentication path) - Metrics minimize computation and storage
13Why is this difficult?
- The value of each interior node depends on all
its descendants - A casual approach requires O(n) work to compute
a node, where n is the number of leaves - or needs O(n) values to be stored
- We want to reduce both to poly-logarithmic!
14Static view of storage
Blue areas contain pebbles, storing the tree
values.
15Dynamic view of storage
- Existing subtrees in blue, desired subtrees in
grey
16Computation of desired subtrees
Blue pebbles where filled, tail hanging below.
17Three phases
- Key generation (other computer ok)
- Output (by weak computer)
- Verification (traditional)
- For a description of the algorithm, see paper.