In some aspects, nodes of a cryptographic hash tree are stored in a buffer memory. Nodes of an active subtree are stored in a first set of indexed locations in the buffer memory, and nodes of a future subtree are stored in a second set of indexed locations in the buffer memory. A one-time signature (OTS) is generated based on a signing key associated with a current value of a signing index. An authentication path for the OTS is generated by retrieving a subset of the nodes from the buffer memory. A new node of the future subtree is calculated based on the current value of the signing index and stored in the buffer memory. The signing index is then advanced from the current value to a next value of the signing index.