COMS W4995 Introduction to Cryptography
November 13, 2003
Lecture 21: Multiple Use Signature Schemes
Lecturer: Tal Malkin
Scribes: M. Niccolai, M. Raibert
Summary
In this lecture, we use the one time secure signature schemes discussed in lecture
20 to construct multiple use schemes. We describe Merkle signatures (which are
provably secure), and Full Domain Hash signatures. Discussion of the security of the
Full Domain Hash has two parts: First, we evaluate the security with respect to the
normal deﬁnition of computationally secure signature schemes; Then, because we are
unable to prove security, we introduce the Random Oracle Model (ROM) to support
the (unproven) assertion that these schemes is secure.
1 Merkle Signatures
A signature scheme for use with multiple messages of arbitrary length; built using
Collision Resistant HashFunctions (CRHF) and one time signatures.
For this signature scheme, we must know in advance how many signatures the user
will ever plan on sending. Assume that we have a one time signature scheme; generate
n
pairs (
PK
i
,SK
i
) and build a tree using a colision resistant hash function,
h
, by
hashing each pair of adjacent nodes recursively up the tree to the root. The root is
the public key,
r
.
SK
=
{
(
PK
i
,SK
i
)
}
i
=1
...n
Note: The public keys
{
PK
i
}
i
are used to sign the messages, and so are formally
speciﬁed as part of the secret key. However , they need not remain secret (and in fact
they are published as part of the signature).
We build our tree from the
n
pairs of (public key, secret key).
Let the (
PK
i
,SK
i
) pairs be the base of the tree (
n
leaves). Compute the next level
up, and name the elements of the tree, as follows:
1
This preview has intentionally blurred sections. Sign up to view the full version.
View Full DocumentFigure 1: Merkle Signature tree
s
1
1
=
h
(
PK
1
,PK
2
)
, s
1
2
=
h
(
PK
3
,PK
4
)
, ... , s
1
n/
2
=
h
(
PK
n

1
,PK
n
)
For constructing the second level from the ﬁrst level, we compute:
s
2
1
=
h
(
s
1
1
,s
1
2
)
, s
2
2
=
h
(
s
1
3
,s
This is the end of the preview.
Sign up
to
access the rest of the document.
 Fall '04
 Jarecki
 Cryptography, Cryptographic hash function, signature scheme, random oracle model, P Kn

Click to edit the document details