Merkle signature scheme

In hash-based cryptography, the Merkle signature scheme is a digital signature scheme based on Merkle trees (also called hash trees) and one-time signatures such as the Lamport signature scheme.

It was developed by Ralph Merkle in the late 1970s[1] and is an alternative to traditional digital signatures such as the Digital Signature Algorithm or RSA.

NIST has approved specific variants of the Merkle signature scheme in 2020.

[2] An advantage of the Merkle signature scheme is that it is believed to be resistant against attacks by quantum computers.

The traditional public key algorithms, such as RSA and ElGamal would become insecure if an effective quantum computer could be built (due to Shor's algorithm).

The Merkle signature scheme, however, only depends on the existence of secure hash functions.

This makes the Merkle signature scheme very adjustable and resistant to quantum computer-based attacks.

The work of Moni Naor and Moti Yung on signature based one-way permutations and functions (and the invention of universal one-way hash functions) gives a way to extend a Merkle-like signature to a complete signature scheme.

[3] The Merkle signature scheme can be used to sign a limited number of messages with one public key

The first step of generating the public key

, a hash value of the public key

a hash tree is built, by placing these

hash values as leaves and recursively hashing to form a binary tree.

denote the node in the tree with height

The value for each inner node of the tree is the hash of the concatenation of its two children.

The private key of the Merkle signature scheme is the entire set of

A shortcoming with the scheme is that the size of the private key scales linearly with the number of messages to be sent.

can be made public without breaking security.

However, they are not needed in the public key, so they can be kept secret to minimize the size of the public key.

with the Merkle signature scheme, the signer picks a key pair

, signs the message using the one-time signature scheme, and then adds additional information to prove that the key pair used was one of the original key pairs (rather than one newly generated by a forger).

pair which had not previously been used to sign any other message, and uses the one-time signature scheme to sign the message, resulting in a signature

was in fact one of the original key pairs, the signer simply includes intermediate nodes of the Merkle tree so that the verifier can verify

was used to compute the public key

The path in the hash tree from

An example of an authentication path is illustrated in the figure on the right.

Note that when using the Lamport signature scheme as the one-time signature scheme,

First, the receiver verifies the one-time signature

using the one-time signature public key

by hashing the public key of the one-time signature.

Merkle Tree with 8 leaves
Merkle tree with path A and authentication path for i = 2, n = 3