Skip to main content

Merkle Tree Ladder Mode: Reducing the Size Impact of NIST PQC Signature Algorithms in Practice

  • Conference paper
  • First Online:
Topics in Cryptology – CT-RSA 2023 (CT-RSA 2023)

Abstract

We introduce the Merkle Tree Ladder (MTL) mode of operation for signature schemes. MTL mode signs messages using an underlying signature scheme in such a way that the resulting signatures are condensable: a set of MTL mode signatures can be conveyed from a signer to a verifier in fewer bits than if the MTL mode signatures were sent individually. In MTL mode, the signer sends a shorter condensed signature for each message of interest and occasionally provides a longer reference value that helps the verifier process the condensed signatures. We show that in a practical scenario involving random access to an initial series of \(10{,}000\) signatures that expands gradually over time, MTL mode can reduce the size impact of the NIST PQC signature algorithms, which have signature sizes of \(666\) to \(\mathrm{49,856}\) bytes with example parameters at various security levels, to a condensed signature size of 248 to 472 bytes depending on the selected security level. Even adding the overhead of the reference values, MTL mode signatures still reduce the overall signature size impact under a range of operational assumptions. Because MTL mode itself is quantum-safe, the mode can support long-term cryptographic resiliency in applications where signature size impact is a concern without limiting cryptographic diversity only to algorithms whose signatures are naturally short.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Post-quantum cryptography standardization, NIST. https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization. Accessed 13 Feb 2023

  2. Alagic, G., Apon, D., Cooper, D., Dang, Q., Dang, T., Kelsey, J., et al.: NIST IR 8413-upd1: status report on the third round of the NIST post-quantum cryptography standardization process. NIST (2022); includes updates as of 26 Sept 2022. https://doi.org/10.6028/NIST.IR.8413-upd1. Accessed 13 Feb 2023

  3. Cooper, D.A., Apon, D., Dang, Q.H., Davidson, M.S., Dworkin, M.J., Miller, C.A.: NIST special publication 800208: recommendation for stateful hash-based signature schemes. NIST (2020). https://doi.org/10.6028/NIST.SP.800-208

  4. Announcing the Commercial National Security Algorithm suite 2.0, National Security Agency. https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF. Accessed 13 Feb 2023

  5. Migration to post-quantum cryptography. NIST National Cybersecurity Center of Excellence. https://www.nccoe.nist.gov/crypto-agility-considerations-migrating-post-quantum-cryptographic-algorithms. Accessed 13 Feb 2023

  6. Wouters, P., Sury, O: RFC 8624, Algorithm implementation requirements and usage guidance for DNSSEC. IETF (2019). https://doi.org/10.17487/RFC8624

  7. Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., Polk, W.: RFC 5280, Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile. IETF (2008). https://doi.org/10.17487/RFC5280

  8. Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: DNS security introduction and requirements. IETF (2005). https://doi.org/10.17487/RFC4033

  9. Laurie, B., Messeri, E., Stradling, R.: RFC 9162: Certificate transparency version 2.0. IETF (2021). https://doi.org/10.17487/RFC9162

  10. Merkle, R.: Secrecy, authentication, and public key systems. Ph.D. thesis, Stanford University (1979). http://www.ralphmerkle.com/papers/Thesis1979.pdf. Accessed 13 Feb 2023

  11. FIPS PUB 81: DES modes of operation. National Bureau of Standards, U.S. Department of Commerce (1980). https://doi.org/10.6028/NBS.FIPS.81

  12. Hülsing, A., Rijneveld, J., Song, F.: Mitigating multi-target attacks in hash-based signatures. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 387–416. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_15

    Chapter  Google Scholar 

  13. Fluhrer, S.: Further analysis of a proposed hash-based signature standard. In: Cryptology ePrint Archive, Paper 2017/553. https://eprint.iacr.org/2017/553. Accessed 13 Feb 2023

  14. Katz, J.: Analysis of a proposed hash-based signature standard. In: Chen, L., McGrew, D., Mitchell, C. (eds.) SSR 2016. LNCS, vol. 10074, pp. 261–273. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49100-4_12

    Chapter  Google Scholar 

  15. Grilo, A.B., Hövelmanns, K., Hülsing, A., Majenz, C.: Tight adaptive reprogramming in the QROM. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13090, pp. 637–667. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92062-3_22

    Chapter  Google Scholar 

  16. Bos, J.W., Hülsing, A., Renes, J., van Vredendaal, C.: Rapidly verifiable XMSS signatures, Cryptology ePrint archive, paper 2020/898. https://eprint.iacr.org/2020/898. Accessed 13 Feb 2023

  17. Submission requirements and evaluation criteria for the post-quantum cryptography standardization process, NIST. https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf. Accessed 13 Feb 2023

  18. Bai, S., Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schwabe, P. et al.: CRYSTALS-dilithium algorithm specifications and supporting documentation (Version 3.1). 08 Feb 2021. https://pq-crystals.org/dilithium/data/dilithium-specification-round3-20210208.pdf. Accessed 13 Feb 2023

  19. Fouque, P.-A., Hoffstein, J., Kirchner, P., Lyubashevsky, V., Pornin, T., Prest, T., et al.: Falcon: fast-Fourier lattice-based compact signatures over NTRU specification v1.2, 10 Jan 2020. https://falcon-sign.info/falcon.pdf. Accessed 13 Feb 2023

  20. Aumasson, J.-P., Bernstein, D.J., Beullens, W., Dobraunig, C., Eichlseder, M., Fluhrer, S., et al.: SPHINCS+ submission to the NIST post-quantum project, v.3.1., 10 June 2022. https://sphincs.org/data/sphincs+-r3.1-specification.pdf. Accessed 13 Feb 2023

  21. McGrew, D., Curcio, M., Fluhrer, S.: RFC 8554, Leighton-Micali hash-based signatures. IETF (2019). https://doi.org/10.17487/RFC8554

  22. Huelsing, A., Butin, D., Gazdag, S., Rijneveld, J., Mohaisen, A.: RFC8391, XMSS: eXtended Merkle signature scheme. IETF (2018). https://doi.org/10.17487/RFC8391

  23. Mockapetris, P.: RFC 1034, Domain names - concepts and facilities. IETF (1987). https://doi.org/10.17487/RFC1034

  24. Day in the life of the internet traces, DNS-OARC. https://www.dns-oarc.net/oarc/data/catalog. Accessed 13 Feb 2023

  25. Barker, W., Polk, W., Souppaya, M.: Getting ready for post-quantum cryptography: exploring challenges associated with adopting and using post-quantum cryptographic algorithms, NIST cybersecurity white paper. 25 April 2021. https://doi.org/10.6028/NIST.CSWP.04282021

  26. Driscoll, F.: Terminology for post-quantum traditional hybrid schemes. https://datatracker.ietf.org/doc/draft-driscoll-pqt-hybrid-terminology. Accessed 13 Feb 2023. Work in progress

  27. Champine, L.: Streaming Merkle proofs within binary numeral trees. In: Cryptology ePrint Archive, Paper 2021/038. https://eprint.iacr.org/2021/038. Accessed 13 Feb 2023

  28. Crosby, S., Wallach, D.: Efficient data structures for tamper-evident logging. In: Proceedings of the 18th USENIX Security Symposium, pp. 317–334. USENIX Association (2009). https://dl.acm.org/doi/abs/10.5555/1855768.1855788

  29. Todd, P.: Merkle mountain ranges. https://github.com/opentimestamps/opentimestamps-server/blob/master/doc/merkle-mountain-range.md. Accessed 13 Feb 2023

  30. Bünz, B., Kiffer, L., Luu, L., Zamani, M.: FlyClient: super-light clients for cryptocurrencies. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 928–946. IEEE (2020). https://doi.org/10.1109/SP40000.2020.00049

  31. Benaloh, J., de Mare, M.: One-way accumulators: a decentralized alternative to digital signatures. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 274–285. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_24

    Chapter  Google Scholar 

  32. Reyzin, L., Yakoubov, S.: Efficient asynchronous accumulators for distributed PKI. In: Zikas, V., De Prisco, R. (eds.) SCN 2016. LNCS, vol. 9841, pp. 292–309. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-44618-9_16

    Chapter  MATH  Google Scholar 

  33. Kuszmaul, J.: Verkle trees. https://math.mit.edu/research/highschool/primes/materials/2018/Kuszmaul.pdf. Accessed 13 Feb 2023

  34. Buterik, V.: Verkle trees (2022). https://vitalik.ca/general/2021/06/18/verkle.html. Accessed 13 Feb 2023

  35. Catalano, D., Fiore, D.: Vector commitments and their applications. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 55–72. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_5

    Chapter  Google Scholar 

  36. Peikert, C., Pepin, Z., Sharp, C.: Vector and functional commitments from lattices. In: Nissim, K., Waters, B. (eds.) TCC 2021. LNCS, vol. 13044, pp. 480–511. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90456-2_16

    Chapter  Google Scholar 

  37. Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable, transparent, and post-quantum secure computational integrity. In: Cryptology ePrint Archive, Paper (2018). https://eprint.iacr.org/2018/046. Accessed 13 Feb 2023

  38. Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_26

    Chapter  Google Scholar 

  39. Khaburzaniya, I., Chalkias, K., Lewi, K., Malvai, H.: Aggregating and thresholdizing hash-based signatures using STARKs. In: Proceedings of the 2022 ACM Asia Conference on Computer and Communications Security, pp. 393–407. ACM, New York (2022). https://doi.org/10.1145/3488932.3524128

  40. Goyal, R., Vaikuntanathan, V.: Locally verifiable signature and key aggregation. In: Dodis, Y., Shrimpton, T. (eds.) Advances in Cryptology – CRYPTO 2022, LNCS, vol. 13508, pp. 761–791. Springer , Cham (2022). https://doi.org/10.1007/978-3-031-15979-4_26

  41. Li, F., Yi, K., Hadjieleftheriou, M., Kollios, G.: Proof-infused streams: Enabling authentication of sliding window queries on streams. In: Proceedings of the 33rd International Conference on Very Large Data Bases, pp. 147–158. VLDB Endowment (2007). https://dl.acm.org/doi/10.5555/1325851.1325871

  42. Papamanthou, C., Shi, E., Tamassia, R., Yi, K.: Streaming authenticated data structures. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 353–370. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_22

    Chapter  Google Scholar 

  43. Stern, J., Pointcheval, D., Malone-Lee, J., Smart, N.P.: Flaws in applying proof methodologies to signature schemes. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 93–110. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_7

    Chapter  MATH  Google Scholar 

  44. Chase, M., Kohlweiss, M., Lysyanskaya, A., Meiklejohn, S.: Malleable signatures: new definitions and delegatable anonymous credentials. In: 2014 IEEE 27th Computer Security Foundations Symposium, pp. 199–213. IEEE (2014). https://doi.org/10.1109/CSF.2014.22

  45. Ahn, J.H., Boneh, D., Camenisch, J., Hohenberger, S., Shelat, A., Waters, B.: Computing on authenticated data. J. Cryptol. 28(2), 351–395 (2014). https://doi.org/10.1007/s00145-014-9182-0

    Article  MathSciNet  MATH  Google Scholar 

  46. Attrapadung, N., Libert, B., Peters, T.: Computing on authenticated data: new privacy definitions and constructions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 367–385. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_23

    Chapter  Google Scholar 

  47. Decker, C., Wattenhofer, R.: Bitcoin transaction malleability and MtGox. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8713, pp. 313–326. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11212-1_18

    Chapter  Google Scholar 

  48. Sikeridis, D., Kampanakis, P., Devetsikiotis, M.: Post-quantum authentication in TLS 1.3: a performance study. In: Network and Distributed Systems Security (NDSS) Symposium 2020. The Internet Society (2020). https://dx.doi.org/10.14722/ndss.2020.24203

  49. Sikeridis, D., Huntley, S., Ott, D., Devetsikiotis, M.: Intermediate certificate suppression in post-quantum TLS: an approximate membership querying approach. In: CoNEXT ’22: Proceedings of the 18th International Conference on Emerging Networking EXperiments and Technologies, pp. 35–42. ACM (2022). https://dl.acm.org/doi/abs/10.1145/3555050.3569127

  50. Kudinov, M., Hülsing, A., Ronen, E., Yogev, E.: SPHINCS+C: compressing Sphincs+ with (almost) no cost. In: Cryptology ePrint Archive, Paper 2022/778. https://eprint.iacr.org/2022/778. Accessed 13 Feb 2023

  51. Baldimtsi, F., Chalkias, K., Chatzigiannis, P., Kelkar, M.: Truncator: time-space tradeoff of cryptographic primitives. In: Cryptology ePrint Archive, Paper 2022/1581. https://eprint.iacr.org/2022/1581. Accessed 13 Feb 2023

  52. Draft call for additional digital signature schemes for the post-quantum cryptography standardization process, NIST (2022). https://csrc.nist.gov/csrc/media/Projects/pqc-dig-sig/documents/call-for-proposals-dig-sig-sept-2022.pdf. Accessed 13 Feb 2023s

Download references

Acknowledgments

We thank our Verisign colleagues for reviewing drafts of this paper and discussing its concepts, with particular appreciation to Duane Wessels for guidance on the selection of data sources for Section 7.3 and assistance with the data analysis. Thanks also to DNS-OARC for providing access to their data sets and servers. Finally, the paper would not have reached its final form without the improvements encouraged by the anonymous CT-RSA reviewers. We thank them for their generous commitment to the peer review process.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Burton S. Kaliski Jr. .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Fregly, A., Harvey, J., Kaliski Jr., B.S., Sheth, S. (2023). Merkle Tree Ladder Mode: Reducing the Size Impact of NIST PQC Signature Algorithms in Practice. In: Rosulek, M. (eds) Topics in Cryptology – CT-RSA 2023. CT-RSA 2023. Lecture Notes in Computer Science, vol 13871. Springer, Cham. https://doi.org/10.1007/978-3-031-30872-7_16

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-30872-7_16

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-30871-0

  • Online ISBN: 978-3-031-30872-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics