Common use of Memory Usage and Benchmarks Clause in Contracts

Memory Usage and Benchmarks. ‌ This section outlines the performance when running the applet on a Java Card. For this, we performed measurements and ran tests on NXP-produced JCOP cards, as well as a card of unclear origin (ICFabricator=0005). While this is somewhat indicative of relative performance, we note that measurements may vary wildly when comparing different cards by different manufacturers. Tables 1 and 2 give the individual benchmarks for the primitives on the cards we used. For a WOTS+ signature operation with the parameters described in Sect. 2.1, we measure an average time of approximately 33 s. In the best case, the prepa- ration step requires one WOTS+ key generation, which requires approximately a minute. When we consider a realistic parameter set, where h = 20 and d = 4, i.e. subtrees with 32 leaf nodes, we notice that the cost of authentication path generation starts to come into play. In particular, the access to nodes stored in persistent memory makes this more costly than a back-of-the-envelope com- putation would predict9. For these parameters, a signature takes roughly 54 s in the best case: every 32nd signature adds an additional WOTS+ signature gener- ation, every 256th signature adds two WOTS+ signatures, et cetera. Similarly, preparation takes 85 s in the best case. Varying to d = 5 results in a slightly shorter signing time, coming in at 50 s in the best case (but more frequently requires new WOTS+ signatures). Besides a small number of bytes to store the keys and index, the requirements on persistent memory follow from the storage of WOTS+ signatures and leaf nodes: 32 l (d 1) bytes for the WOTS+ signatures, and 32 (2 d 1) 2 h bytes for the leaf nodes. For d = 4, this comes down to 6432 + 7168 = 13600 = 13.28 KiB. Similarly, for d = 5, this adds up to 8576+4608 = 13.18 KiB. Note that increasing d also increases signature size by additional WOTS+ signatures, but decreasing d while maintaining h = 20 sharply increases the memory requirements for node storage, as well as the cost of (off-card) key generation. Considering the signing states described in Sect. 4, in particular in Fig. 2, it can be easily seen that the signature is output in stages as computation pro- gresses. With the WOTS+ chain computation taking up most of the computa- tion, splitting this over eight APDUs levels out communication costs.