0

From what I understand, to reduce the time taken for public key generation, you can use nested trees in XMSS to form Multi-tree XMSS.

For an instantion of 2 layers, it seems that the leaf of each L tree (one of these nested trees) is an OTS public key. This means that the leaves of the top level tree sign the OTS keys in the L tree below it.

I read that this allows you to only compute the top main tree and only the first tree in each layer, which naturally saves a lot of storage and computation time.

However, I do not understand how this is possible because to compute the top layer tree, you need to know the root of each L tree, which involves computing the whole L tree below each leaf.

What am I missing here?

João Diogo Duarte
  • 25
  • 5

1 Answers1

1

to compute the top layer tree, you need to know the root of each L tree, which involves computing the whole L tree below each leaf.

You need to compute the entire top level tree, which involves generating the WOTS+ public key for each of the leafs of that tree. However, you don't need to propagate below that; when it comes time to sign with a next-level tree, then at that time, you need to know that next-level tree root (so that you can generate a WOTS+ signature for it); you don't need to do that earlier (you can, if it is convenient).

So, to generate the initial signature, you need to generate the full XMSS tree for every tree that's on the left side of the hypertree; you don't have an immediate need to generate anything else.

In practice, we (or at least, I) find it convenient to incrementally generate the next XMSS tree at each level while we're using the leafs of the current XMSS tree; that just happens to work out well, but it's not mandatory.

poncho
  • 154,064
  • 12
  • 239
  • 382