# Ephemeral Keys Authenticated with Merkle Trees and Their Use in IoT Applications

## Abstract


## 1. Introduction

## 2. Preliminaries

- Public key cryptosystem with a pair of keys: We are only interested in key generation and authentication. The $KeyGen$ primitive for a cryptosystem should efficiently generate a pair $(SK,PK)$ (from some randomness; see further), where $SK$ denotes a secret key, and $PK$ a public key. We suppose that to initiate secure communication between the client and server, it is sufficient to provide a mechanism to transport the authenticated public key of the server to the client. We are not interested in further protocols that realize the rest of the secure channel establishment, etc.
- The $KeyGen$ primitive can be based on a deterministic algorithm $KDF:{\mathbb{Z}}_{2}^{n}\to \mathcal{K}$ that computes the key pair $(SK,PK)$ from a bitstring $k$ of length $n$. We call $k$ a pre-key. In the classical setting, $n=\lambda $, where $\lambda $ is the security level; in the post-quantum setting, we use pre-keys of length $n=2\lambda $ to compensate for the speedup of Grover’s algorithm.
- A truly random pre-key is required for a secure public key system. In our scheme, we use a single master (secret) pre-key that is generated as a true random bit-string. All other pre-keys are derived with a one way function $OWF:{\mathbb{Z}}_{2}^{n}\to {\mathbb{Z}}_{2}^{n}$.
- In the construction of public key authentication, we also use a specific cryptographically secure hash function denoted by $hash$ (in practice, instantiated by the standard SHA-2 or SHA-3). Both $OWF$ and $KDF$ can be implemented with the correct use of the same hash function (or by a different specific mechanism, as required by the system/protocol).

## 3. Merkle Tree

## 4. Authenticating Ephemeral Keys with the Merkle Tree

#### 4.1. Sequential Tree Authenticated Ephemeral Keys

Key preparation (server side):

- Generate a random secret seed ${k}_{0}\in {\mathbb{Z}}_{2}^{\lambda}$.
- Use the one-way function $OWF$ to define a sequence of derived pre-keys ${k}_{i}=OWF({k}_{i-1})$, for $i=1,2,\dots ,{2}^{l}-1$.
- Generate ${2}^{l}$ ephemeral key pairs $(S{K}_{i},P{K}_{i})$ from the pre-keys ${k}_{i}$ using the defined $KDF$ function.
- Compute the leaf hashes ${h}_{{2}^{l}+i}=hash(P{K}_{i})$, for $i=0,1,\dots ,{2}^{l}-1$.
- Compute the rest of the Merkle tree with ${h}_{j}=hash({h}_{2j}\,|\,{h}_{2j+1})$, for $j={2}^{l}-1,\dots ,1$.
- Publish (signed by the CA or delivered to devices by a trusted channel) the root ${h}_{1}$.
- Store as the initial (secret) state $S=(0,{k}_{0})$ and the hash path from ${h}_{{2}^{l}}$ to the root.

In each session, the server:

- Sends the current public key $P{K}_{i}$ along with the verification string for the path in the tree from ${h}_{{2}^{l}+i}$ to the root (the sibling hashes of every node on that path).

The client:

- Verifies that ${h}_{{2}^{l}+i}=hash(P{K}_{i})$ and that for each hash on the path to the root ${h}_{j}=hash({h}_{2j}\,|\,{h}_{2j+1})$, ending in the published root ${h}_{1}$.

After the session, the server updates its state:

- Derive the next pre-key ${k}_{i+1}=OWF({k}_{i})$.
- Recompute the hash path.
- Store the new (secret) state $S=(i+1,{k}_{i+1})$ and the hash path from ${h}_{{2}^{l}+i+1}$ to the root.

#### 4.2. Parallel Tree Authenticated Ephemeral Keys

Key preparation (server side):

- Generate a random secret seed ${k}_{0}\in {\mathbb{Z}}_{2}^{\lambda}$.
- Define pre-keys with ${k}_{i}=OWF({k}_{0}\,|\,i)$, for $i=0,1,\dots ,{2}^{l}-1$ (so that the leaf index ${2}^{l}+i$ ranges over the ${2}^{l}$ leaves, as in Section 4.1).
- Generate ${2}^{l}$ ephemeral key pairs $(S{K}_{i},P{K}_{i})$ from the pre-keys ${k}_{i}$ using the defined $KDF$ function.
- Compute the leaf hashes ${h}_{{2}^{l}+i}=hash(P{K}_{i})$.
- Compute the rest of the Merkle tree with ${h}_{j}=hash({h}_{2j}\,|\,{h}_{2j+1})$, for $j={2}^{l}-1,\dots ,1$.
- Publish (signed by the CA or delivered to devices by a trusted channel) the root ${h}_{1}$.

In each session, the server:

- Selects a random $i$ from the set $\{0,1,\dots ,{2}^{l}-1\}$.
- Computes the pre-key ${k}_{i}=OWF({k}_{0}\,|\,i)$.
- Generates the ephemeral key pair $(S{K}_{i},P{K}_{i})$ from the pre-key ${k}_{i}$ using the defined $KDF$ function.
- Sends the public key $P{K}_{i}$ along with the verification string for the path in the tree from ${h}_{{2}^{l}+i}$ to the root.

The client:

- Verifies that ${h}_{{2}^{l}+i}=hash(P{K}_{i})$ and that for each hash on the path to the root ${h}_{j}=hash({h}_{2j}\,|\,{h}_{2j+1})$, ending in the published root ${h}_{1}$.
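The following Python script is an added worked example and is not code from the paper or from its prototype implementation [27]. It implements both constructions end to end: the sequential server of Section 4.1 (chained pre-keys, state update after every session), the parallel server of Section 4.2 (independent pre-keys, random index per session), the heap-indexed Merkle tree and the client-side path check of Figure 1. Assumptions made here: SHA-256 plays the role of $hash$; $OWF$ and $KDF$ are domain-separated SHA-256 calls; the key pairs come from a toy Diffie-Hellman group that stands in for the real $KeyGen$ (it is not secure and exists only so that $PK_i$ is a genuine function of the pre-key); the counter in $OWF(k_0\,|\,i)$ is encoded as 4 bytes; and, for brevity, the server keeps the whole tree in memory instead of only the state and current path as in the paper.

```python
import hashlib
import os
import secrets

LAMBDA_BYTES = 32          # 256-bit pre-keys (n = 2*lambda, the paper's post-quantum choice)
P, G = (1 << 127) - 1, 3   # toy DH group for the stand-in KeyGen; NOT a secure group

def H(*parts):             # the scheme's hash: SHA-256 of the concatenated inputs
    return hashlib.sha256(b"".join(parts)).digest()

def owf(k):                # one-way function on pre-keys, domain-separated from H
    return H(b"owf", k)

def kdf(k):                # deterministic KeyGen: pre-key -> (SK, PK); stand-in, not the paper's KeyGen
    sk = int.from_bytes(H(b"kdf", k), "big") % (P - 1) + 1
    return sk, pow(G, sk, P)

def leaf(pk):              # h_{2^l+i} = hash(PK_i)
    return H(pk.to_bytes(16, "big"))

def build_tree(leaf_hashes):
    """Heap-indexed Merkle tree: h[1] is the root, leaf i sits at h[2^l + i]."""
    n = len(leaf_hashes)
    assert n and n & (n - 1) == 0, "number of leaves must be a power of two"
    h = [b""] * (2 * n)
    h[n:] = leaf_hashes
    for j in range(n - 1, 0, -1):
        h[j] = H(h[2 * j], h[2 * j + 1])
    return h

def auth_path(h, leaf_index):
    """Verification string: the sibling of every node on the way from the leaf to the root."""
    path, j = [], leaf_index
    while j > 1:
        path.append(h[j ^ 1])
        j //= 2
    return path

def verify(root, pk, leaf_index, path):
    """Client check: recompute hash(PK_i) and fold the path upward, keeping left|right order."""
    node, j = leaf(pk), leaf_index
    for sib in path:
        node = H(node, sib) if j % 2 == 0 else H(sib, node)
        j //= 2
    return j == 1 and node == root

class SequentialServer:
    """Section 4.1: chained pre-keys k_i = OWF(k_{i-1}), used strictly in order."""
    def __init__(self, l, seed=None):
        self.n = 1 << l
        ks = [seed or os.urandom(LAMBDA_BYTES)]
        for _ in range(self.n - 1):
            ks.append(owf(ks[-1]))
        self.h = build_tree([leaf(kdf(k)[1]) for k in ks])  # whole tree kept here for brevity
        self.root = self.h[1]                                 # published (e.g. CA-signed)
        self.state = (0, ks[0])                               # S = (i, k_i)
        self.path = auth_path(self.h, self.n)

    def current(self):                                        # what the server sends this session
        i, k = self.state
        sk, pk = kdf(k)
        return i, sk, pk, self.path

    def advance(self):                                        # update step after a session
        i, k = self.state
        if i + 1 >= self.n:
            raise RuntimeError("tree exhausted: generate and publish a new root")
        self.state = (i + 1, owf(k))
        self.path = auth_path(self.h, self.n + i + 1)

class ParallelServer:
    """Section 4.2: independent pre-keys k_i = OWF(k_0 | i); a random i per session."""
    def __init__(self, l, seed=None):
        self.n, self.k0 = 1 << l, seed or os.urandom(LAMBDA_BYTES)
        self.h = build_tree([leaf(kdf(self.prekey(i))[1]) for i in range(self.n)])
        self.root = self.h[1]

    def prekey(self, i):
        return owf(self.k0 + i.to_bytes(4, "big"))

    def offer(self):
        i = secrets.randbelow(self.n)
        sk, pk = kdf(self.prekey(i))
        return i, sk, pk, auth_path(self.h, self.n + i)

def demo(l=3):
    seed = bytes(range(LAMBDA_BYTES))  # fixed seed so the run is reproducible; use os.urandom in practice
    seq, seq_ok = SequentialServer(l, seed), []
    for step in range(seq.n):
        i, _sk, pk, path = seq.current()
        seq_ok.append(verify(seq.root, pk, seq.n + i, path))
        if step + 1 < seq.n:
            seq.advance()
    forged = verify(seq.root, pk + 1, seq.n + i, path)        # tampered PK under a valid path
    par = ParallelServer(l, seed)
    offers = [par.offer() for _ in range(4)]
    par_ok = [verify(par.root, pk, par.n + i, path) for i, _sk, pk, path in offers]
    j, _sk, pk, path = offers[0]
    wrong_leaf = verify(par.root, pk, par.n + (j + 1) % par.n, path)   # path bound to another leaf
    return {"sequential": all(seq_ok), "parallel": all(par_ok),
            "forged_pk_rejected": not forged, "wrong_leaf_rejected": not wrong_leaf,
            "path_len": len(path)}
```

Calling `demo()` walks the sequential server through all $2^l$ keys, checks that a tampered public key and a path bound to a different leaf are both rejected, and verifies four randomly chosen parallel keys; on an 8-leaf tree, `auth_path(h, 10)` returns $(h_{11}, h_4, h_3)$, exactly the hashes Figure 1 lists. The example does not stop the parallel server from choosing the same $i$ twice; a deployment that wants every ephemeral key used at most once has to track the indices already used.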

## 5. Security Analysis

#### 5.1. Formal Security

- provide $PK$, which is accepted by the attacker with non-negligible probability (otherwise, his/her advantage would remain negligible due to random challenge strings ${c}^{\prime}$);
- distinguish messages encrypted by the provided $PK$ with non-negligible advantage.

## 6. Prototype Implementation of the Protocol

## 7. Experimental Results

`openssl speed` command).

## 8. Discussion

## 9. Summary

## Funding

## Institutional Review Board Statement

## Informed Consent Statement

## Data Availability Statement

## Conflicts of Interest

## References

1. Grover, L.K. A fast quantum mechanical algorithm for database search. In Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, Philadelphia, PA, USA, 22–24 May 1996; pp. 212–219.
2. Grassl, M.; Langenberg, B.; Roetteler, M.; Steinwandt, R. Applying Grover’s algorithm to AES: Quantum resource estimates. In Post-Quantum Cryptography; Springer: Berlin/Heidelberg, Germany, 2016; pp. 29–43.
3. Alassaf, N.; Gutub, A.; Parah, S.A.; Al Ghamdi, M. Enhancing speed of SIMON: A light-weight-cryptographic algorithm for IoT applications. Multimed. Tools Appl. **2019**, 78, 32633–32657.
4. Zajac, P. Upper bounds on the complexity of algebraic cryptanalysis of ciphers with a low multiplicative complexity. Des. Codes Cryptogr. **2017**, 82, 43–56.
5. Shor, P.W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev. **1999**, 41, 303–332.
6. McEliece, R.J. A public key cryptosystem based on algebraic coding theory. DSN Prog. Rep. **1978**, 42, 114–116.
7. Repka, M.; Zajac, P. Overview of the McEliece cryptosystem and its security. Tatra Mt. Math. Publ. **2014**, 60, 57–83.
8. Colombo, C.; Vasco, M.I.G.; Steinwandt, R.; Zajac, P. Secure communication in the quantum era: (group) key establishment. In Advanced Technologies for Security Applications; Springer: Berlin/Heidelberg, Germany, 2020; pp. 65–74.
9. Bohli, J.M.; González Vasco, M.I.; Steinwandt, R. Building Group Key Establishment on Group Theory: A Modular Approach. Symmetry **2020**, 12, 197.
10. Chen, L.; Chen, L.; Jordan, S.; Liu, Y.K.; Moody, D.; Peralta, R.; Perlner, R.; Smith-Tone, D. Report on Post-Quantum Cryptography; US Department of Commerce, National Institute of Standards and Technology: Washington, DC, USA, 2016.
11. Aragon, N.; Barreto, P.; Bettaieb, S.; Bidoux, L.; Blazy, O.; Deneuville, J.C.; Gaborit, P.; Gueron, S.; Guneysu, T.; Melchor, C.A.; et al. BIKE: Bit Flipping Key Encapsulation. 2017. Available online: https://hal.archives-ouvertes.fr/hal-01671903/document (accessed on 12 March 2021).
12. Alagic, G.; Alperin-Sheriff, J.; Apon, D.; Cooper, D.; Dang, Q.; Kelsey, J.; Liu, Y.K.; Miller, C.; Moody, D.; Peralta, R.; et al. Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process; US Department of Commerce, National Institute of Standards and Technology: Washington, DC, USA, 2020.
13. Yamada, A.; Eaton, E.; Kalach, K.; Lafrance, P.; Parent, A. QC-MDPC KEM: A Key Encapsulation Mechanism Based on the QC-MDPC McEliece Encryption Scheme. 2017. Available online: https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/QC_MDPC_KEM.zip (accessed on 12 March 2021).
14. Guo, Q.; Johansson, T.; Stankovski, P. A key recovery attack on MDPC with CCA security using decoding errors. In Proceedings of the Advances in Cryptology–ASIACRYPT 2016: 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, 4–8 December 2016; Proceedings, Part I 22. Springer: Berlin/Heidelberg, Germany, 2016; pp. 789–815.
15. Fabšič, T.; Hromada, V.; Stankovski, P.; Zajac, P.; Guo, Q.; Johansson, T. A reaction attack on the QC-LDPC McEliece cryptosystem. In International Workshop on Post-Quantum Cryptography; Springer: Berlin/Heidelberg, Germany, 2017; pp. 51–68.
16. Eaton, E.; Lequesne, M.; Parent, A.; Sendrier, N. QC-MDPC: A timing attack and a CCA2 KEM. In International Conference on Post-Quantum Cryptography; Springer: Berlin/Heidelberg, Germany, 2018; pp. 47–76.
17. Fabšic, T.; Hromada, V.; Zajac, P. A Reaction Attack on LEDApkc. IACR Eprint Archive. 2018. Available online: https://eprint.iacr.org/2018/140 (accessed on 12 March 2021).
18. Rescorla, E.; Dierks, T. The Transport Layer Security (TLS) Protocol Version 1.3; Technical report; 2018. Available online: https://www.hjp.at/doc/rfc/rfc8446.html (accessed on 12 March 2021).
19. Fouque, P.A.; Hoffstein, J.; Kirchner, P.; Lyubashevsky, V.; Pornin, T.; Prest, T.; Ricosset, T.; Seiler, G.; Whyte, W.; Zhang, Z. Falcon: Fast-Fourier lattice-based compact signatures over NTRU. In Submission to the NIST’s Post-Quantum Cryptography Standardization Process; 2018. Available online: https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/Falcon.zip (accessed on 12 March 2021).
20. Shim, K.A.; Koo, N.; Park, C.M. HiMQ-3: A High Speed Signature Scheme based on Multivariate Quadratic Equations. 2017. Available online: https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/HiMQ_3.zip (accessed on 12 March 2021).
21. Bernstein, D.; Dobraunig, C.; Eichlseder, M.; Fluhrer, S.; Gazdag, S.L.; Hülsing, A.; Kampanakis, P.; Kölbl, S.; Lange, T.; Lauridsen, M.; et al. SPHINCS+. 2017. Available online: https://sphincs.org/ (accessed on 12 March 2021).
22. Merkle, R.C. A digital signature based on a conventional encryption function. In Advances in Cryptology—CRYPTO ’87; Pomerance, C., Ed.; Springer: Berlin/Heidelberg, Germany, 1988; pp. 369–378.
23. Goldreich, O. Two remarks concerning the Goldwasser-Micali-Rivest signature scheme. In Conference on the Theory and Application of Cryptographic Techniques; Springer: Berlin/Heidelberg, Germany, 1986; pp. 104–110.
24. Baldi, M.; Barenghi, A.; Chiaraluce, F.; Pelosi, G.; Santini, P. Design of LEDAkem and LEDApkc Instances with Tight Parameters and Bounded Decryption Failure Rate; Università Politecnica delle Marche: Ancona, Italy, 2019.
25. Lamport, L. Constructing Digital Signatures from a One-Way Function; Technical Report CSL-98; SRI International: Menlo Park, CA, USA, 1979.
26. Merkle, R.C. A certified digital signature. In Conference on the Theory and Application of Cryptology; Springer: Berlin/Heidelberg, Germany, 1989; pp. 218–238.
27. Novotný, M. Implementation of Experimental Post-Quantum Protocol. Master’s Thesis, Slovak University of Technology in Bratislava, Bratislava, Slovakia, 2019. (In Slovak).
28. NIST. Post-Quantum Cryptography. Round 1 Submissions. 2018. Available online: https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-1-Submissions (accessed on 12 March 2021).

**Figure 1.** Example of a relevant part of a Merkle tree. The validity of ${h}_{10}$ can be verified if we provide the hashes ${h}_{11}$, ${h}_{4}$, and ${h}_{3}$: first, we compute ${h}_{5}^{\prime}=hash({h}_{10}\,|\,{h}_{11})$, and then ${h}_{2}^{\prime}=hash({h}_{4}\,|\,{h}_{5}^{\prime})$. Finally, we verify that ${h}_{1}=hash({h}_{2}^{\prime}\,|\,{h}_{3})$.

**Figure 2.**Example of a relevant part of a sequential key structure and Merkle tree authenticator built on top of the precomputed public key hashes.

**Figure 3.**Example of a relevant part of a parallel key structure and Merkle tree authenticator built on top of the precomputed public key hashes.

**Figure 4.**Preparation of keys on the server side [27].

**Figure 5.**Overview of the protocol use within TLS 1.2 scope for client-server communication [27]. PK, public key.

**Figure 6.**Update of the authentication path for the next ephemeral key on the server [27].

Total time for all keys (ms):

| Merkle tree levels | 18 | 21 | 24 |
|---|---|---|---|
| No. of keypairs | ${2}^{17}$ | ${2}^{20}$ | ${2}^{23}$ |
| Keypair generation | 35,442 | 285,894 | 2,254,612 |
| Merkle tree building | 57 | 451 | 3662 |
| Signature generation | 188 | 1821 | 16,819 |
| Signature verification | 971 | 9085 | 82,695 |

Average time per key (μs), i.e. the totals above divided by the number of keypairs (for example, 35,442 ms / ${2}^{17}$ ≈ 270.4 μs):

| Merkle tree levels | 18 | 21 | 24 |
|---|---|---|---|
| No. of keypairs | ${2}^{17}$ | ${2}^{20}$ | ${2}^{23}$ |
| Keypair generation | 270.402 | 272.650 | 268.771 |
| Merkle tree building | 0.437 | 0.431 | 0.437 |
| Signature generation | 1.440 | 1.737 | 2.005 |
| Signature verification | 7.412 | 8.665 | 9.858 |


© 2021 by the author. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Cite as

Zajac, P. Ephemeral Keys Authenticated with Merkle Trees and Their Use in IoT Applications. *Sensors* **2021**, *21*, 2036. https://doi.org/10.3390/s21062036