US Patent 10116450 Merkle signature scheme using subtrees

In a general aspect, a Merkel signature scheme (MSS) uses subtree data. In some aspects, subtree data is loaded from a non-volatile memory into a volatile memory. The subtree data represents one or more nodes of a subtree of a cryptographic hash tree and a first authentication path portion that includes nodes outside the subtree. The subtree includes a subtree root node at a level below a root node of the cryptographic hash tree and lowest-level nodes of the cryptographic hash tree, which are based on respective verification keys for a one-time signature (OTS) scheme. An OTS is generated using a first signing key associated with a first verification key, which is associated with a lowest-level node in the subtree. The OTS, the first verification key, the first authentication path portion, and a second authentication path portion comprising one or more nodes of the subtree are sent to a recipient.