In hash-based cryptography , the Merkle signature scheme is a digital signature scheme based on Merkle trees (also called hash trees) and one-time signatures such as the Lamport signature scheme . It was developed by Ralph Merkle in the late 1970s and is an alternative to traditional digital signatures such as the Digital Signature Algorithm or RSA . NIST has approved specific variants of the Merkle signature scheme in 2020.
35-548: XMSS may refer to: Extended Merkle signature scheme , a type of hash-based cryptography Xinmin Secondary School , a secondary school in Hougang, Singapore Xiamen Shuangshi High School See also [ edit ] XMS (disambiguation) XMMS Topics referred to by the same term [REDACTED] This disambiguation page lists articles associated with
70-442: A 0 , i {\displaystyle a_{0,i}} to the root is n + 1 {\displaystyle n+1} nodes long. Call the nodes A 0 , … , A n {\displaystyle A_{0},\ldots ,A_{n}} , with A 0 = a 0 , i = H ( Y i ) {\displaystyle A_{0}=a_{0,i}=H(Y_{i})} being
105-408: A 2 , 0 = H ( a 1 , 0 | | a 1 , 1 ) {\displaystyle a_{2,0}=H(a_{1,0}||a_{1,1})} . In this way, a tree with 2 n {\displaystyle 2^{n}} leaves and 2 n + 1 − 1 {\displaystyle 2^{n+1}-1} nodes is built. The private key of
140-467: A n , 0 {\displaystyle a_{n,0}} . The individual public keys Y i {\displaystyle Y_{i}} can be made public without breaking security. However, they are not needed in the public key, so they can be kept secret to minimize the size of the public key. To sign a message M {\displaystyle M} with the Merkle signature scheme,
175-486: A n , 0 = pub {\displaystyle A_{n}=a_{n,0}={\text{pub}}} from A 0 = a 0 , i {\displaystyle A_{0}=a_{0,i}} . An example of an authentication path is illustrated in the figure on the right. Together, the nodes auth 0 , … , auth n − 1 {\displaystyle {\text{auth}}_{0},\ldots ,{\text{auth}}_{n-1}} ,
210-409: A cryptographic hash function such as SHA-2 is used for the hashing. If the hash tree only needs to protect against unintentional damage, unsecured checksums such as CRCs can be used. In the top of a hash tree there is a top hash (or root hash or master hash ). Before downloading a file on a P2P network , in most cases the top hash is acquired from a trusted source, for instance a friend or
245-452: A peer-to-peer network are received undamaged and unaltered, and even to check that the other peers do not lie and send fake blocks. Hash trees are used in: Suggestions have been made to use hash trees in trusted computing systems. The initial Bitcoin implementation of Merkle trees by Satoshi Nakamoto applies the compression step of the hash function to an excessive degree, which is mitigated by using Fast Merkle Trees. A hash tree
280-404: A hash list or hash chain becomes fairly big. But if it is a tree, one small branch can be downloaded quickly, the integrity of the branch can be checked, and then the downloading of data blocks can start. The Merkle hash root does not indicate the tree depth, enabling a second-preimage attack in which an attacker creates a document other than the original that has the same Merkle hash root. For
315-439: A leaf and A n = a n , 0 = pub {\displaystyle A_{n}=a_{n,0}={\text{pub}}} being the root. A i {\displaystyle A_{i}} is a child of A i + 1 {\displaystyle A_{i+1}} . To let the verifier calculate the next node A i + 1 {\displaystyle A_{i+1}} given
350-481: A power of two, so we denote the possible number of messages as N = 2 n {\displaystyle N=2^{n}} . The first step of generating the public key pub {\displaystyle {\text{pub}}} is to generate N {\displaystyle N} private/public key pairs ( X i , Y i ) {\displaystyle (X_{i},Y_{i})} of some one-time signature scheme (such as
385-453: A web site that is known to have good recommendations of files to download. When the top hash is available, the hash tree can be received from any non-trusted source, like any peer in the P2P network. Then, the received hash tree is checked against the trusted top hash, and if the hash tree is damaged or fake, another hash tree from another source will be tried until the program finds one that matches
SECTION 10
#1732787441989420-492: Is a one time signature with finite signing potential. The work of Moni Naor and Moti Yung on signature based one-way permutations and functions (and the invention of universal one-way hash functions ) gives a way to extend a Merkle-like signature to a complete signature scheme. The Merkle signature scheme can be used to sign a limited number of messages with one public key pub {\displaystyle {\text{pub}}} . The number of possible messages must be
455-600: Is a tree of hashes in which the leaves (i.e., leaf nodes, sometimes also called "leafs") are hashes of data blocks in, for instance, a file or set of files. Nodes farther up in the tree are the hashes of their respective children. For example, in the above picture hash 0 is the result of hashing the concatenation of hash 0-0 and hash 0-1 . That is, hash 0 = hash ( hash 0-0 + hash 0-1 ) where "+" denotes concatenation. Most hash tree implementations are binary (two child nodes under each node) but they can just as well use many more child nodes under each node. Usually,
490-453: Is a prerequisite of some formal security proofs , and helps in making some proofs tighter. Some implementations limit the tree depth using hash tree depth prefixes before hashes, so any extracted hash chain is defined to be valid only if the prefix decreases at each step and is still positive when the leaf is reached. The Tiger tree hash is a widely used form of hash tree. It uses a binary hash tree (two child nodes under each node), usually has
525-400: Is built, by placing these 2 n {\displaystyle 2^{n}} hash values as leaves and recursively hashing to form a binary tree. Let a i , j {\displaystyle a_{i,j}} denote the node in the tree with height i {\displaystyle i} and left-right position j {\displaystyle j} . Then,
560-412: Is labelled with the cryptographic hash of the labels of its child nodes. A hash tree allows efficient and secure verification of the contents of a large data structure . A hash tree is a generalization of a hash list and a hash chain . Demonstrating that a leaf node is a part of a given binary hash tree requires computing a number of hashes proportional to the logarithm of the number of leaf nodes in
595-715: The Y i {\displaystyle Y_{i}} , and the one-time signature sig ′ {\displaystyle {\text{sig}}'} constitute a signature of M {\displaystyle M} using the Merkle signature scheme: sig = ( sig ′ | | Y i | | auth 0 | | auth 1 | | … | | auth n − 1 ) {\displaystyle {\text{sig}}=({\text{sig}}'||Y_{i}||{\text{auth}}_{0}||{\text{auth}}_{1}||\ldots ||{\text{auth}}_{n-1})} . Note that when using
630-459: The Lamport signature scheme as the one-time signature scheme, sig ′ {\displaystyle {\text{sig}}'} contains a part of the private key X i {\displaystyle X_{i}} . The receiver knows the public key pub {\displaystyle {\text{pub}}} , the message M {\displaystyle M} , and
665-406: The Lamport signature scheme). For each 1 ≤ i ≤ 2 n {\displaystyle 1\leq i\leq 2^{n}} , a hash value of the public key h i = H ( Y i ) {\displaystyle h_{i}=H(Y_{i})} is computed. With these hash values h i {\displaystyle h_{i}} a hash tree
700-493: The Merkle signature scheme is that it is believed to be resistant against attacks by quantum computers . The traditional public key algorithms, such as RSA and ElGamal would become insecure if an effective quantum computer could be built (due to Shor's algorithm ). The Merkle signature scheme, however, only depends on the existence of secure hash functions . This makes the Merkle signature scheme very adjustable and resistant to quantum computer-based attacks. The Merkle signature
735-386: The Merkle signature scheme is the entire set of ( X i , Y i ) {\displaystyle (X_{i},Y_{i})} pairs. A shortcoming with the scheme is that the size of the private key scales linearly with the number of messages to be sent. The public key pub {\displaystyle {\text{pub}}} is the root of the tree,
SECTION 20
#1732787441989770-475: The example above, an attacker can create a new document containing two data blocks, where the first is hash 0-0 + hash 0-1 , and the second is hash 1-0 + hash 1-1 . One simple fix is defined in Certificate Transparency : when computing leaf node hashes, a 0x00 byte is prepended to the hash data, while 0x01 is prepended when computing internal node hashes. Limiting the hash tree size
805-437: The hash values h i = a 0 , i {\displaystyle h_{i}=a_{0,i}} are the leaves. The value for each inner node of the tree is the hash of the concatenation of its two children. For example, a 1 , 0 = H ( a 0 , 0 | | a 0 , 1 ) {\displaystyle a_{1,0}=H(a_{0,0}||a_{0,1})} and
840-409: The one-time signature scheme to sign the message, resulting in a signature sig ′ {\displaystyle {\text{sig}}'} and corresponding public key Y i {\displaystyle Y_{i}} . To prove to the message verifier that ( X i , Y i ) {\displaystyle (X_{i},Y_{i})} was in fact one of
875-391: The original key pairs, the signer simply includes intermediate nodes of the Merkle tree so that the verifier can verify h i = a 0 , i {\displaystyle h_{i}=a_{0,i}} was used to compute the public key a n , 0 {\displaystyle a_{n,0}} at the root of the tree. The path in the hash tree from
910-797: The previous, they need to know the other child of A i + 1 {\displaystyle A_{i+1}} , the sibling node of A i {\displaystyle A_{i}} . We call this node auth i {\displaystyle {\text{auth}}_{i}} , so that A i + 1 = H ( A i | | auth i ) {\displaystyle A_{i+1}=H(A_{i}||{\text{auth}}_{i})} . Hence, n {\displaystyle n} nodes auth 0 , … , auth n − 1 {\displaystyle {\text{auth}}_{0},\ldots ,{\text{auth}}_{n-1}} are needed, to reconstruct A n =
945-409: The public key pub {\displaystyle {\text{pub}}} of the Merkle signature scheme, the signature is valid. Merkle tree In cryptography and computer science , a hash tree or Merkle tree is a tree in which every "leaf" node is labelled with the cryptographic hash of a data block, and every node that is not a leaf (called a branch , inner node , or inode )
980-697: The receiver computes A 0 = H ( Y i ) {\displaystyle A_{0}=H(Y_{i})} by hashing the public key of the one-time signature. For j = 1 , … , n − 1 {\displaystyle j=1,\ldots ,n-1} , the nodes of A j {\displaystyle A_{j}} of the path are computed with A j = H ( A j − 1 | | auth j − 1 ) {\displaystyle A_{j}=H(A_{j-1}||{\text{auth}}_{j-1})} . If A n {\displaystyle A_{n}} equals
1015-443: The receiver verifies the one-time signature sig ′ {\displaystyle {\text{sig}}'} of the message M {\displaystyle M} using the one-time signature public key Y i {\displaystyle Y_{i}} . If sig ′ {\displaystyle {\text{sig}}'} is a valid signature of M {\displaystyle M} ,
1050-403: The result with hash 0-0 and then hash 1 and finally comparing the result with the top hash . Similarly, the integrity of data block L3 can be verified if the tree already has hash 1-1 and hash 0 . This can be an advantage since it is efficient to split files up in very small data blocks so that only small blocks have to be re-downloaded if they get damaged. If the hashed file is big, such
1085-431: The signature sig = ( sig ′ | | Y i | | auth 0 | | auth 1 | | … | | auth n − 1 ) {\displaystyle {\text{sig}}=({\text{sig}}'||Y_{i}||{\text{auth}}_{0}||{\text{auth}}_{1}||\ldots ||{\text{auth}}_{n-1})} . First,
XMSS - Misplaced Pages Continue
1120-547: The signer picks a key pair ( X i , Y i ) {\displaystyle (X_{i},Y_{i})} , signs the message using the one-time signature scheme, and then adds additional information to prove that the key pair used was one of the original key pairs (rather than one newly generated by a forger). First, the signer chooses a ( X i , Y i ) {\displaystyle (X_{i},Y_{i})} pair which had not previously been used to sign any other message, and uses
1155-466: The title XMSS . If an internal link led you here, you may wish to change the link to point directly to the intended article. Retrieved from " https://en.wikipedia.org/w/index.php?title=XMSS&oldid=1085946143 " Category : Disambiguation pages Hidden categories: Short description is different from Wikidata All article disambiguation pages All disambiguation pages Merkle signature scheme An advantage of
1190-424: The top hash. The main difference from a hash list is that one branch of the hash tree can be downloaded at a time and the integrity of each branch can be checked immediately, even though the whole tree is not available yet. For example, in the picture, the integrity of data block L2 can be verified immediately if the tree already contains hash 0-0 and hash 1 by hashing the data block and iteratively combining
1225-591: The tree. Conversely, in a hash list, the number is proportional to the number of leaf nodes itself. A Merkle tree is therefore an efficient example of a cryptographic commitment scheme , in which the root of the tree is seen as a commitment and leaf nodes may be revealed and proven to be part of the original commitment. The concept of a hash tree is named after Ralph Merkle , who patented it in 1979. Hash trees can be used to verify any kind of data stored, handled and transferred in and between computers. They can help ensure that data blocks received from other peers in
#988011