保密、认证与公钥系统

Merkle's thesis gathers the work that, alongside Diffie and Hellman, opened public-key cryptography: how two strangers can agree on a shared secret over a channel an eavesdropper can hear, and how a message can be signed so that anyone may verify it yet no one can forge it.

One building block is the Lamport–Diffie one-time signature, which signs a single message by revealing pre-images of a one-way function. It is secure but wasteful: each public key can be used only once, so signing many messages means publishing — and somehow trusting — a long list of public values.

Merkle's remedy is to place the many public values at the leaves of a binary tree and label every internal node with the hash of its two children. The single value at the top — the root — then commits to all the leaves at once. To prove one leaf is genuine, you reveal only that leaf together with the sibling hash at each level on the way up: about log₂n values, however many leaves there are. Recomputing the hashes along that path must reproduce the published root, or the leaf is rejected.

This is the structure now called a Merkle tree (or hash tree). It turns the authentication of arbitrarily many items into the storage of one root hash plus a short, checkable path per item.

The dissertation develops these ideas in full — one-way functions, the puzzle method for public-key distribution, the one-time signature, and the tree of one-time signatures — across its chapters; the complete text is at the source below.