The Merkle signature scheme is a digital signature scheme based on hash trees (also called Merkle trees) and one-time signatures such as the Lamport signature scheme. It was developed by Ralph Merkle in the late 70s and is an alternative to traditional digital signatures such as the Digital Signature Algorithm or RSA. The advantage of the Merkle Signature Scheme is, that it is believed to be resistant against quantum computer algorithms. The traditional public key algorithms, such as RSA and ELGamal would become insecure in case an effective quantum computer can be built (Shor's algorithm). The Merkle Signature Scheme however only depends on the existence of secure hash functions. This makes the Merkle Signature Scheme very adjustable and resistant against quantum computing.

## Key generation

The Merkle Signature Scheme can only be used to sign a limited number of messages with one public key ${\displaystyle pub}$. The number of possible messages must be a power of two, so that we denote the possible number of messages as ${\displaystyle N=2^n}$.

The first step of generating the public key ${\displaystyle pub}$ is to generate the public keys ${\displaystyle X_i}$ and private keys ${\displaystyle Y_i}$ of ${\displaystyle 2^n}$ one-time signatures. For each private key ${\displaystyle Y_i}$, with ${\displaystyle 1 \leq i \leq 2^n}$, a hash value ${\displaystyle h_i=H(Y_i)}$ is computed. With these hash values ${\displaystyle h_i}$ a hash tree is built.

We call a node of the tree ${\displaystyle a_{i,j}}$, where ${\displaystyle i}$ denotes the level of the node. The level of a node is defined by the distance from the node to a leaf. Hence, a leaf of the tree has level ${\displaystyle i=0}$ and the root has level ${\displaystyle i=n}$. We number all nodes of one level from the left to the right, so that ${\displaystyle a_{i,0}}$ is the leftmost node of level ${\displaystyle i}$.

In the Merkle Tree the hash values ${\displaystyle h_i}$ are the leafs of a binary tree, so that ${\displaystyle h_i=a_{0,i}}$. Each inner node of the tree is the hash value of the concatenation of its two children. So ${\displaystyle a_{1,0}=H(a_{0,0}||a_{0,1})}$ and ${\displaystyle a_{2,0}=H(a_{1,0}||a_{1,1})}$. An example of a merkle tree is illustrated in figure \ref{fig:gra1}.

In this way, a tree with ${\displaystyle 2^n}$ leafs and ${\displaystyle 2^{n+1} - 1}$ nodes is built. The root of the tree ${\displaystyle a_{n,0}}$ is the public key ${\displaystyle pub}$ of the Merkle Signature Scheme.

## Signature generation

To sign a message ${\displaystyle M}$ with the Merkle Signature Scheme, the message ${\displaystyle M}$ is signed with a one-time signature scheme, resulting in a signature ${\displaystyle sig'}$, first. This is done, by using one of the public and private key pairs ${\displaystyle (X_i, Y_i,)}$.

The corresponding leaf of the hash tree to a one-time public key ${\displaystyle X_i}$ is ${\displaystyle a_{0,i}=H(Y_i)}$. We call the path in the hash tree from ${\displaystyle a_{0,i}}$ to the root ${\displaystyle A}$. The path ${\displaystyle A}$ consists of ${\displaystyle n+1}$ nodes, ${\displaystyle A_0, ... A_n}$, with ${\displaystyle A_0=a_{0,i}}$ being the leaf and ${\displaystyle A_n=a_{n,0}=pub}$ being the root of the tree. To compute this path ${\displaystyle A}$, we need every child of the nodes ${\displaystyle A_{1}, ..., A_{n}}$. We know that ${\displaystyle A_i}$ is a child of ${\displaystyle A_{i+1}}$. To calculate the next node ${\displaystyle A_{i+1}}$ of the path ${\displaystyle A}$, we need to know both children of ${\displaystyle A_{i+1}}$. So we need the brother node of ${\displaystyle A_i}$. We call this node ${\displaystyle auth_i}$, so that ${\displaystyle A_{i+1}=H(A_i||auth_i)}$. Hence, ${\displaystyle n}$ nodes ${\displaystyle auth_{0}, ... , auth_{n-1}}$ are needed, to compute every node of the path ${\displaystyle A}$. We now calculate and save these nodes ${\displaystyle auth_{0}, ... , auth_{n-1}}$.

These nodes, plus the one-time signature ${\displaystyle sig'}$ of ${\displaystyle M}$ is the signature ${\displaystyle sig=(sig'||auth_2||auth_3||...||auth_{n-1})}$ of the Merkle Signature Scheme. An example of an authentication path is illustrated in figure \ref{fig:gra2}.

## Signature verification

The receiver knows the public key ${\displaystyle pub}$, the message ${\displaystyle M}$, and the signature ${\displaystyle sig=(sig'||auth_0||auth_1||...||auth_{n-1})}$. At first, the receiver verifies the one-time signature ${\displaystyle sig'}$ of the message ${\displaystyle M}$. If ${\displaystyle sig'}$ is a valid signature of ${\displaystyle M}$, the receiver computes ${\displaystyle A_0=H(Y_i)}$ by hashing the public key of the one-time signature. For ${\displaystyle j=1,..,n-1}$, the nodes of ${\displaystyle A_j}$ of the path ${\displaystyle A}$ are computed with ${\displaystyle A_j=H(a_{j-1}||b_{j-1})}$. If ${\displaystyle A_n}$ equals the public key ${\displaystyle pub}$ of the merkle signature scheme, the signature is valid.

## References

• G. Becker. "Merkle Signature Schemes, Merkle Trees and Their Cryptanalysis", seminar 'Post Quantum Cryptology' at the Ruhr-University Bochum, Germany.
• E. Dahmen, M. Dring, E. Klintsevich, J. Buchmann, L.C. Coronado Garca. "CMSS - an improved merkle signature scheme". Progress in Cryptology - Indocrypt 2006, 2006.
• E. Klintsevich, K. Okeya, C.Vuillaume, J. Buchmann, E.Dahmen. "Merkle signatures with virtually unlimited signature capacity". 5th International Conference on Applied Cryptography and Network Security - ACNS07, 2007.
• Ralph Merkle. "Secrecy, authentication and public key systems / A certified digital signature". Ph.D. dissertation, Dept. of Electrical Engineering, Stanford University, 1979. [1]
• S. Micali, M. Jakobsson, T. Leighton, M. Szydlo. "Fractal merkle tree representation and traversal". RSA-CT 03, 2003