Some Cryptographic Primitives

The document discusses digital signature schemes, specifically focusing on the RSA signature method, which includes key generation, signing, and verification processes. It highlights the importance of security features such as pre-image resistance and collision resistance in hash functions, which are essential for ensuring the integrity and authenticity of digital signatures. Additionally, it addresses potential attacks on RSA signatures and the necessity of using hash functions to mitigate these vulnerabilities.

Uploaded by

Tuna Bostancı
Some Cryptographic Primitives
Murat Osmanoglu

Digital Signature Scheme
signing by hand
verify the signature

Digital Signature Scheme
signing electronically
• signature can be easily copied
• it should be a function of the message

Digital Signature Scheme
[Figure: key pair (PK, SK); SIGNING ALGORITHM with SK outputs Signature; VERIFICATION ALGORITHM with PK outputs 1 or 0]

Digital Signature Scheme
A digital signature scheme consists of three algorithms
Gen : outputs a key pair (pk, sk)
Sign : takes a message m in M and the signing key sk as inputs and outputs a signature σ on m
Verify : takes a signature σ, the public key pk, and a message m as inputs and outputs 1 or 0

Correctness
For all (pk, sk) output by Gen and for all m in M
Verify(pk, m, Sign(sk, m)) = 1

• Integrity
• Authenticity
• Non-repudiation

RSA Signature
PK=(N,e)
SK=(N, d)

KeyGen
• pick two large primes p and q
• compute N = p.q
• choose an exponent e such that gcd(e,phi(N)) = 1
• choose an exponent d such that e.d = 1 mod phi(N)
• keep (N, d) as secret key, and publish (N, e) as public key

Example parameters:
• 1024-bit prime p (309 digits)
• 1024-bit prime q (309 digits)
• 2048-bit N = p*q (617 digits)
• e = 65537
• the corresponding exponent d

RSA Signature
PK=(N,e)
SK=(N, d)

Signing
σ = m^d (mod N) where m in (Z_N)*

m, σ

Verification
if m = σ^e (mod N), then output 1;
otherwise, output 0

Attack on RSA Signature
no-message attack
• Charlie (Challenger): (pk,sk) ← Gen(.) where pk = (N, e) and sk = (N, d); gives (N,e) to the Adversary
• Adversary: choose σ’ in Z_N*, compute m’ = (σ’)^e mod N, output (m’, σ’)
• since m’ = (σ’)^e mod N, adversary wins the game
• the adversary has no control over the message

Attack on RSA Signature
forging a signature on an arbitrary message
• Charlie (Challenger): (pk,sk) ← Gen(.) where pk = (N, e) and sk = (N, d); gives (N,e) to the Adversary
• Adversary: for a message m, choose m1, m2 in Z_N* s.t. m = m1.m2 mod N; send m1, m2 to the Challenger
• Challenger: return (m1, σ1) and (m2, σ2)
• Adversary: compute σ = σ1.σ2 mod N, output (m, σ)
• since σ^e = (σ1.σ2)^e = (m1^d.m2^d)^e = m1.m2 mod N = m, adversary wins the game

RSA-FDH
PK=(N, H, e)
SK=(N, H, d)

Signing
σ = H(m)^d (mod N) where m in {0,1}*

Verification
if H(m) = σ^e (mod N), then output 1;
otherwise, output 0

• to prevent no-message attack, it should be infeasible for the adversary to invert H
---- find m from H(m) ----
• to prevent the second attack, it should be hard to find three messages m, m1, m2 such that H(m) = H(m1).H(m2) mod N
• also, it should be hard to find a collision:
---- find m1, m2 s.t. H(m1) = H(m2) ----

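
The two attacks and the RSA-FDH fix side by side, as an added example that is not part of the original slides. The toy key (two Mersenne primes) and the counter-mode SHA-256 construction of H are assumptions chosen for illustration.

```python
import hashlib

# Constructed toy key (two Mersenne primes); far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # e.d = 1 mod phi(N)


def sign_textbook(m: int) -> int:
    """sigma = m^d mod N, the hash-free scheme from the slides."""
    return pow(m, D, N)


def verify_textbook(m: int, sigma: int) -> bool:
    return 0 < sigma < N and pow(sigma, E, N) == m % N


def H(msg: bytes) -> int:
    """Illustrative full-domain hash into Z_N: SHA-256 in counter mode, mod N."""
    stream = b"".join(hashlib.sha256(bytes([i]) + msg).digest() for i in range(2))
    return int.from_bytes(stream, "big") % N


def sign_fdh(msg: bytes) -> int:
    """sigma = H(m)^d mod N."""
    return pow(H(msg), D, N)


def verify_fdh(msg: bytes, sigma: int) -> bool:
    return 0 < sigma < N and pow(sigma, E, N) == H(msg)


def no_message_forgery(sigma_prime: int):
    """Needs only (N, e): choose sigma', then derive the message it signs."""
    return pow(sigma_prime, E, N), sigma_prime


def multiplicative_forgery(m1: int, m2: int, signing_oracle):
    """Combine signatures on m1 and m2 into one on m = m1.m2 mod N."""
    return (m1 * m2) % N, (signing_oracle(m1) * signing_oracle(m2)) % N


def demo() -> dict:
    results = {}
    # Attack 1 on textbook RSA: a valid pair without any signing query.
    m_f, s_f = no_message_forgery(0xC0FFEE)
    results["textbook_accepts_no_message_forgery"] = verify_textbook(m_f, s_f)
    # Attack 2 on textbook RSA: m itself was never submitted for signing.
    m, s = multiplicative_forgery(1_000_003, 2_000_003, sign_textbook)
    results["textbook_accepts_product_forgery"] = verify_textbook(m, s)
    # RSA-FDH: sigma' only helps if some message hashes to sigma'^e,
    # which requires inverting H.
    results["fdh_accepts_no_message_forgery"] = verify_fdh(b"any message", s_f)
    # RSA-FDH: sigma1.sigma2 signs H(m1).H(m2), not H of a chosen message.
    s1, s2 = sign_fdh(b"pay 10"), sign_fdh(b"pay 20")
    results["fdh_accepts_product_forgery"] = verify_fdh(b"pay 200", (s1 * s2) % N)
    # Honest RSA-FDH signatures still verify (correctness).
    results["fdh_accepts_honest_signature"] = verify_fdh(b"pay 10", s1)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
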
Hash Functions
• maps inputs of some length to short, fixed-length output
  m → hash function → h(m) (sometimes called digest)
  h : {0,1}* → {0,1}^n
• originally proposed to provide input to digital signature schemes, by Diffie-Hellman in 1976
• security features for hash functions
- pre-image resistance
- weak collision resistance
- collision resistance

Hash Functions
• pre-image resistance; given d, it should be hard to find a message m such that h(m) = d
  it is required in the Proof of Work algorithm in Bitcoin, i.e. if the underlying hash function does not satisfy that feature, it would be much easier to solve the cryptographic puzzle to create blocks
• weak collision resistance; given m1, it should be hard to find m2 such that h(m1) = h(m2)
• strong collision resistance; it should be hard to find m1 ≠ m2 such that h(m1) = h(m2)
  it is required for a digital signature scheme to provide non-repudiation, i.e. the signer can produce two messages m1 and m2, and sign one of them. Later he can deny his signature and claim he signed the other one
• since the domain is larger than the range, collisions must exist
• but, if the range is large enough, it is computationally hard to find collisions

Hash Functions
• there is a common method for constructing hash functions
- construct a fixed-input-length collision resistant hash function (collision resistant compression function)
  h : {0,1}^2n → {0,1}^n
- use it to construct a hash function

Merkle – Damgard Transform
• Let (Gen, h) be a fixed-length hash function ( h : {0,1}^2n → {0,1}^n )
• Construct hash function (Gen, H) as follows:
- set B = L / n (number of blocks) where L < 2^n is the input length
- pad the input m with zeros so its length is a multiple of n
- cut the input into B n-bit blocks m1, m2, ..., mB
- set z0 = 0^n
- for i = 1, 2, ..., B + 1, compute zi = h(z_{i-1} || xi), and output z_{B+1}

[Figure: m padded with 000 and cut into m1, m2, ..., mB; z0 → h → h → ... → h → z_{B+1}]

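
A runnable version of the transform, added here and not taken from the slides. It assumes n = 128 bits, uses truncated SHA-256 as a stand-in compression function h, and takes the extra block x_{B+1} to be the input length L (the usual Merkle-Damgard strengthening, which the slide's loop to B + 1 implies but does not spell out); it also shows the collision that zero padding alone would allow.

```python
import hashlib

N_BYTES = 16                      # n = 128 bits, so h maps 256 bits to 128 bits


def h(block: bytes) -> bytes:
    """Stand-in compression function h : {0,1}^2n -> {0,1}^n (truncated SHA-256)."""
    if len(block) != 2 * N_BYTES:
        raise ValueError("compression function takes exactly 2n bits")
    return hashlib.sha256(block).digest()[:N_BYTES]


def md_blocks(m: bytes, length_block: bool = True) -> list:
    """Zero-pad m to a multiple of n, cut into n-bit blocks, optionally append L."""
    L = len(m) * 8                                       # input length in bits
    padded = m + b"\x00" * (-len(m) % N_BYTES)
    blocks = [padded[i:i + N_BYTES] for i in range(0, len(padded), N_BYTES)]
    if length_block:
        # x_{B+1} = L (assumption); to_bytes raises OverflowError unless L < 2^n.
        blocks.append(L.to_bytes(N_BYTES, "big"))
    return blocks


def md_chain(m: bytes, length_block: bool = True) -> list:
    """Return every chaining value z_0, z_1, ...; the last one is the digest."""
    z = [bytes(N_BYTES)]                                 # z_0 = 0^n
    for x in md_blocks(m, length_block):
        z.append(h(z[-1] + x))                           # z_i = h(z_{i-1} || x_i)
    return z


def md_hash(m: bytes, length_block: bool = True) -> bytes:
    return md_chain(m, length_block)[-1]


def padding_collision(m: bytes) -> dict:
    """Compare m with m || 0x00 (m must not end on a block boundary)."""
    other = m + b"\x00"
    return {
        "collide_without_length_block": md_hash(m, False) == md_hash(other, False),
        "collide_with_length_block": md_hash(m) == md_hash(other),
    }


if __name__ == "__main__":
    print(padding_collision(b"pay 100"))                 # constructed sample input
    print(md_hash(b"pay 100").hex())
```
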
Hash Functions
• Most widely used hash functions MD5, SHA-1 and SHA-2 use Merkle – Damgard transform
• MD5 introduced by Rivest in 1991
- was very popular until recently
- first collision attacks appeared in 2004
- first practical collision attack appeared in 2008
- Flame malware used an MD5 collision to forge a Windows certificate in 2012
• SHA-1 introduced by NSA, based on MD4 and MD5 in 1995
- 160-bit output size
- first collision attacks appeared in 2005
- Google, Microsoft, and Mozilla stop accepting SHA-1 based certificates in 2017
- extended to SHA-2 (256-bit and 512-bit output)
- NIST organized a competition for a new hash SHA-3, and Keccak wins it in 2012
• SHA-256 and SHA-512 still secure, best known attack against them is birthday attack

Applications
• Virus fingerprinting
- keep a database containing the hashes of known viruses
- look up the hash of a downloaded application or an email attachment in the database to detect a virus
- for each virus, a short string needs to be stored, thus the overhead is feasible
• Password Protection
- store the hash of the password instead of password itself in a file
- when users enter the passwords, check whether the hash equals the value stored in the corresponding file before granting the access
• Authentication Protocol (messages exchanged between Alice and Bob, in order)
- hello, a
- h(K || a), b
- h(K || b)

Applications
Merkle Tree
• check the integrity of a file using hash function
- Client: H(F) = d, write file to the Server, keep d
- Client: read file (F ’) from the Server
- Client: check d = h(F ’)

Applications
Merkle Tree
• check the integrity of multiple files using hash function
- Client: H(F1) = d1, H(F2) = d2, ..., H(Fn) = dn; write files to the Server, keep d1,d2,…,dn
- Client: read file (Fi ’) from the Server
- Client: check di = h(Fi ’) for each i
• fast to check integrity of a single file and update a single file
• but linear storage

Applications
Merkle Tree
• check the integrity of multiple files using hash function
- Client: h(F1||F2||…||Fn) = D; write files F1, F2, ..., Fn to the Server, keep D
- Client: read files (F1 ’,..., Fn ’) from the Server
- Client: check h(F1 ’||F2 ’||…||Fn ’) = D
• linear time to check integrity and update file
• small storage

Applications
Merkle Tree
• check the integrity of multiple files using hash function

  root = h(A || B)
  A = h(h(F1) || h(F2))      B = h(h(F3) || h(F4))
  h(F1)   h(F2)   h(F3)   h(F4)
  F1      F2      F3      F4

• Client: keep the root; write files and all the hashes except the root to the Server
• for the file F3, read F3, C = h(F4), A
• check whether h(A || h(h(F3) || C)) = root
• logarithmic time to check integrity and update file
• small storage
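
The F3 check above, generalised to any 2^k files, as an added example that is not part of the original slides. SHA-256 as h, the function names and the file contents are assumptions made for the illustration.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_levels(files: list) -> list:
    """Server side: all tree levels, leaf hashes first, root last."""
    level = [h(f) for f in files]
    if not level or len(level) & (len(level) - 1):
        raise ValueError("this sketch expects 2^k files")
    levels = [level]
    while len(level) > 1:
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def prove(levels: list, index: int) -> list:
    """Server side: sibling hashes on the path from file `index` up to the root."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))   # (hash, sibling_is_left)
        index //= 2
    return proof


def verify(root: bytes, file_bytes: bytes, proof: list) -> bool:
    """Client side: recompute the root from the file and log2(n) sibling hashes."""
    node = h(file_bytes)
    for sibling, sibling_is_left in proof:
        node = h(sibling + node) if sibling_is_left else h(node + sibling)
    return hmac.compare_digest(node, root)


# Constructed sample files F1..F4.
FILES = [b"contents of F1", b"contents of F2", b"contents of F3", b"contents of F4"]

if __name__ == "__main__":
    levels = build_levels(FILES)
    root = levels[-1][0]                 # the only value the client keeps
    proof_f3 = prove(levels, 2)          # [(C = h(F4), right), (A, left)]
    print("F3 intact:  ", verify(root, FILES[2], proof_f3))
    print("F3 tampered:", verify(root, b"modified F3", proof_f3))
```

The slides hash files and interior nodes with the same h and no tag, and the example follows them; RFC 6962 prefixes leaf and interior hashes with distinct bytes so that an interior node cannot be passed off as a file.
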
