Talk:Merkle signature scheme


This contribution is a result of the seminar 'Post Quantum Cryptology' which was held at the chair for communication security at the Ruhr-University Bochum, Germany: http://www.crypto.rub.de/its_seminar_ss08.html Georg987 (talk) 16:55, 7 October 2008 (UTC)

One-time public/private keys confusion

There was a text: "the receiver computes ... by hashing the private key of the one-time signature". But the receiver does not know the private key because it's private. The receiver can only know the public key, and public keys should be hashed in the tree instead of private ones. [1] There was a similar discussion on German Wiki. I believe it's a confusion with Lamport one-time signatures, in which the public key is actually a hash of the corresponding private key. Quyse (talk) 10:02, 2 May 2012 (UTC)

The private key gets revealed when the message is signed, though. I changed it back to hashing the private key. My reasoning is that given an arbitrary one-time signature scheme, it seems sensible to assume that the public keys of that scheme can be leaked. However, I think both work, so someone should feel free to change it back if they have a strong opinion. Either way, I cleaned up the article some as it was extremely confusing prior. WuTheFWasThat (talk) 00:00, 7 September 2015 (UTC)
When considering public/private in the Lamport context, the private key does not get fully revealed in signing, only parts of it. Actually, I think the definition of public/private key signing should be that the private key is not revealed by the signing process. The earlier part of the current article talks of the public/private pair (X,Y) and refers to X as the public key, but the later part describing signature generation refers to "public parts of X_i", hinting the opposite way. From what I understand in Merkle's original tree text, the tree is used to validate vector Y of keys (Y1, Y2, ...) without actually talking about public/private pairs. I will edit the text to assume that the public key is hashed, and private key parts are a part of public/private key system specific data. I think that is the most general way to describe this, and it resembles [1], which I felt was very easy to digest. --Jokkebk (talk) 15:14, 2 February 2017 (UTC)
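The following is an added example, not part of the discussion above or of the article: a minimal Merkle signature scheme over Lamport one-time keys in which the leaves are h_i = H(Y_i), so the verifier needs only the one-time public key Y_i, the authentication path and the root pub. All function names are hypothetical, and the tree is built over N = 2^n one-time key pairs.

```python
import hashlib, secrets

H = lambda b: hashlib.sha256(b).digest()
BITS = 256  # Lamport signs the 256-bit digest of the message

def ots_keygen():
    X = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(BITS)]  # private
    Y = [[H(x) for x in pair] for pair in X]                                # public
    return X, Y

def msg_bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(BITS)]

def ots_sign(X, msg):
    # Reveals one of the two secrets per digest bit: half of X, never all of it.
    return [X[i][b] for i, b in enumerate(msg_bits(msg))]

def ots_verify(Y, msg, sig):
    return all(H(s) == Y[i][b] for (i, b), s in zip(enumerate(msg_bits(msg)), sig))

def leaf(Y):
    return H(b"".join(y for pair in Y for y in pair))  # h_i = H(Y_i), public data only

def build_tree(leaves):
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([H(cur[j] + cur[j + 1]) for j in range(0, len(cur), 2)])
    return levels  # levels[-1][0] is the root, i.e. pub

def mss_keygen(n):
    keys = [ots_keygen() for _ in range(2 ** n)]  # N = 2^n one-time key pairs
    levels = build_tree([leaf(Y) for _, Y in keys])
    return keys, levels, levels[-1][0]

def mss_sign(keys, levels, i, msg):
    # Each index i must be used for one message only (not enforced here).
    X, Y = keys[i]
    path = [lvl[(i >> h) ^ 1] for h, lvl in enumerate(levels[:-1])]  # sibling per level
    return i, ots_sign(X, msg), Y, path

def mss_verify(pub, msg, signature):
    i, sig, Y, path = signature
    if not ots_verify(Y, msg, sig):
        return False
    node = leaf(Y)  # verifier recomputes the leaf from Y_i, never from X_i
    for h, sib in enumerate(path):
        node = H(sib + node) if (i >> h) & 1 else H(node + sib)
    return node == pub
```
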

References

a bit of clarification

I randomly stumbled upon Lamport signature and the article clarified this entire one, can someone give that as an example here please? There is literally a "need to define sig" in this article and I think that Lamport really clarifies the missing parts of this one 204.193.184.94 (talk) 16:39, 6 March 2015 (UTC)

This article was poorly written. Hopefully I just improved it some... I took out the "need to define sig", as IMO it is defined enough (it's simply the signature using the one-time scheme) WuTheFWasThat (talk) 00:03, 7 September 2015 (UTC)

Clarification

I do not know why the maths articles have to be so obscure, with no intuitive background. But if we want to be only formal, then it needs to be right. First sentence:

The first step of generating the public key $\text{pub}$ is to generate $N$ private/public key pairs $(X_i, Y_i)$ of some one-time signature scheme (such as the Lamport signature scheme). For each $1 \leq i \leq 2^n$, a hash value of the public key $h_i = H(Y_i)$ is computed.

If there are only N Y_is, how can there be 2^n H(Y^i)s? ???