Upload: clinton-sparks

Post on 05-Jan-2016

Merkle trees

• Introduced by Ralph Merkle, 1979
• “Classic” cryptographic construction
• Involves combining hash functions on binary tree structure
• An authentication scheme
• Using only one-way hash function as building blocks
• No number theory or trapdoor permutations
• An efficient data structure with many practical applications

Merkle tree data structure

• Binary tree, nodes are assigned (e.g. 160 bit) values
• Extra, secret values associated to each leaf.
• Leaves: $v_i = \mathrm{Hash}(s_i)$, with $s_i$ secret
• Interior nodes: $v = \mathrm{Hash}(v_{\mathrm{left}} \,\|\, v_{\mathrm{right}})$

Setup

Computing the tree and root hash

1. Select a random (e.g. 160 bit) secret $S$
2. Derive leaf secrets $s_i = h(S \,\|\, i)$
3. Use hash function to get leaf / interior node values
4. Publish the root hash $P$ as the public key

Complexity analysis

• Tree of height $H$ has $N = 2^H$ leaves
• Nodes at height $h$ will depend on $2^h$ leaf values
• Obtaining $P$ requires calculating all $N$ leaf values plus $2^H - 1$ more hash function evaluations

Authenticating a secret

• Prover wishes to reveal $s_i$ to identify herself
  • Prover sends $i, s_i$ (each secret used just once)
  • Additional data required: “sibling node” values
• Verifier checks $s_i$ against the public key $P$
  • Hash $s_i$ first
  • Hash result together with its sibling in tree
  • Repeat, moving up tree
  • Check result with root
• This scheme can be used as a one-time key scheme
  • The secret $s_i$ is used only once

Sibling node values required

[Figure: Merkle tree showing the sibling nodes required to authenticate secret $s_0$; the root value is public; H marks each hashing step up the tree.]

1. Verify secret value by hashing, then hashing together with sibling, etc.
2. Accept if the computed root hash matches with the root value

Data authentication using Merkle tree

Authenticate that a piece of data is in the tree

How to use Merkle hash tree for efficient public key revocation?

Key revocation problem

• Certificates invalidated before expiration
  • Usually due to compromised key
  • May be due to change in circumstance (e.g., someone leaving company)
• The certificate authority needs to answer queries about key revocation status
  • Has key A been revoked or not?
  • CA responds with Yes or No along with a proof
  • The proof is for the protection of message integrity
• A naïve sign-all approach requires CA to sign each response
• Merkle hash tree significantly improves the efficiency and only requires one signature on the root hash
• How to prove something is not on the tree? Hint: items can be sorted and indexed on the tree.

Merkle’s Tree Scheme

• Construct Merkle hash tree by computing hashes recursively
  • h is hash function
  • $C_i$ is certificate $i$
• Root hash (h(1,4) in example) is published and is known to all
• Root hash is signed by the certificate authority to ensure the value’s integrity

              h(1,4)
       h(1,2)        h(3,4)
   h(1,1) h(2,2) h(3,3) h(4,4)
     C1     C2     C3     C4

Validation

• To validate C1:
  • Compute h(1,1)
  • Obtain h(2,2)
  • Compute h(1,2)
  • Obtain h(3,4)
  • Compute h(1,4)
  • Compare to known h(1,4)
• Need to know siblings of nodes on path from C1 to the root
• The proof from CA consists of these hashes (in rectangles on the left)

              h(1,4)
       h(1,2)        h(3,4)
   h(1,1) h(2,2) h(3,3) h(4,4)
     C1     C2     C3     C4
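
The setup and verification steps from the "Setup" and "Authenticating a secret" slides, and the C1 validation walk above, as one added Python example that is not part of the original slides. SHA-256 stands in for the unspecified hash; the 4-byte encoding of i, the demo secret S and the placeholder certificate bytes are assumptions.

```python
import hashlib
import hmac

def H(data: bytes) -> bytes:
    # SHA-256 stands in for the slides' generic one-way hash (assumption).
    return hashlib.sha256(data).digest()

def leaf_secrets(S: bytes, n: int) -> list:
    # s_i = h(S || i); encoding i as 4 big-endian bytes is an assumption.
    return [H(S + i.to_bytes(4, "big")) for i in range(n)]

def build_tree(leaves: list) -> list:
    # levels[0] holds v_i = Hash(leaf_i); levels[-1] holds only the root.
    if not leaves or len(leaves) & (len(leaves) - 1):
        raise ValueError("number of leaves must be a power of two")
    levels = [[H(x) for x in leaves]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([H(cur[j] + cur[j + 1]) for j in range(0, len(cur), 2)])
    return levels

def auth_path(levels: list, i: int) -> list:
    # Sibling of every node on the path from leaf i up to (not including) the root.
    path = []
    for level in levels[:-1]:
        path.append(level[i ^ 1])
        i >>= 1
    return path

def verify(root: bytes, i: int, leaf: bytes, path: list) -> bool:
    # Hash the leaf, then fold in each sibling; bit k of i says whether the
    # running value is the right (1) or left (0) child at level k.
    v = H(leaf)
    for sibling in path:
        v = H(sibling + v) if i & 1 else H(v + sibling)
        i >>= 1
    return hmac.compare_digest(v, root)

# One-time authentication: height 3, N = 8 leaves, root P is the public key.
S = bytes(range(20))                  # constructed 160-bit secret for the demo
leaf_s = leaf_secrets(S, 8)
levels = build_tree(leaf_s)
P = levels[-1][0]

# Certificate tree from the slides: the CA signs only h(1,4).
certs = [b"C1", b"C2", b"C3", b"C4"]  # constructed placeholder certificates
cert_levels = build_tree(certs)
root_h14 = cert_levels[-1][0]
proof_c1 = auth_path(cert_levels, 0)  # [h(2,2), h(3,4)]
```

Hashing leaves and interior nodes the same way follows the slides; deployed designs such as RFC 6962 prefix the two cases with different bytes so that an interior node value cannot be presented as a leaf.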

Slides credits: Michael Szydlo, Matt Bishop

Exercise at home

Design a scheme for password-protected access by a user to a server. The scheme should satisfy the following requirements:

• A new password should be used each day.
• The communication cost for the initial setup and for subsequently changing passwords should be low.
• The storage space at the server and the user's machine should be low.
• A communication failure (possibly caused by an adversary) between the user and server should not prevent the new password from being used the next day.

Generating random passwords and giving them to the user at the beginning of each year would not be a valid solution because of the high storage requirement for both parties.

Having the user send to the server the next password during the current session is not an acceptable solution either, because a communication failure could prevent the server from learning the correct password for the next day.

Some more problems to think about at home

1. In digital signature schemes such as RSA, why does the signer sign on the hash of a message?
2. What is SYN flood attack? Describe how it can be prevented using SYN cookie.
3. What is TPM_Extend operation? Why can it detect a substitution of kernel module? What specific cryptographic assumption is TPM_Extend’s security based on?
4. Attestation is for a remote server to verify the integrity of a client. Describe the major steps of TPM-based attestation in a client-server architecture.
5. Merkle tree is an efficient way for a data owner to prove item authenticity to a requester. An alternative is a sign-all approach – data owner signs each item. Compare complexities of the two solutions.