
There are two versions of the Winternitz one-time signature scheme, $\text{W-OTS}$ and $\text{W-OTS}^+$.

The security of both is as follows:

$\text{W-OTS}$ is strongly unforgeable under chosen-message attacks if $F$ is a collision-resistant, undetectable one-way function family.

$\text{W-OTS}^+$ is strongly unforgeable under chosen-message attacks if $F$ is a second-preimage resistant, undetectable one-way function family.

My question is: which version is more secure, $\text{W-OTS}$ or $\text{W-OTS}^+$?

According to my understanding, $\text{W-OTS}$ is more secure than $\text{W-OTS}^+$, because for an attacker it is comparatively easy to find collisions as compared to second preimages.

If so, is it secure to use a second-preimage resistant Winternitz one-time signature scheme?

Ideally, a scheme should be collision resistant or second-preimage resistant.

Infinity

1 Answer


W-OTS+ is stronger, as it makes weaker assumptions on the hash function.

Let us take a rather extreme example: let us consider W-OTS and W-OTS+ based on the MD5 hash function.

Now, the proof for W-OTS is quite invalid; it assumes that the hash function is collision resistant, and we know how to generate collisions with MD5.

On the other hand, W-OTS+ based on MD5 would appear to be secure; despite MD5 being "broken", we do not know how to create second preimages to MD5.

BTW: this appears to be more about the proof technique used to prove W-OTS, rather than the actual security; we can create MD5 collisions (invalidating the proof), however, we don't know how to use those collisions to actually attack W-OTS-MD5; hence it would appear to be secure (but we can't prove it).

Also, one note: those aren't the only versions of Winternitz signatures in the published literature...

poncho
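To make the difference between the two schemes concrete, here is a toy implementation of both, added as an example; it is not part of the question or of poncho's answer. It assumes SHA-256 as the one-way function, Winternitz parameter w = 16, and, for W-OTS+, a keyed function built as SHA-256(seed || x). The published W-OTS+ definition uses a keyed function family and a PRF for key generation; the SHA-256 constructions here are assumptions for illustration only, and the parameter names (`N`, `W`, `LEN1`, `LEN2`, `chain`, `keygen`, `sign`, `verify`, `demo_rng`) are mine. The only structural difference between the two schemes is visible in `chain`: W-OTS+ XORs a public bitmask into the chain value before every hash step, which is what lets its proof rely on second-preimage resistance rather than collision resistance.

```python
import hashlib
import math
import os
import random

# Toy parameters (assumption: SHA-256 as the one-way function, w = 16).
N = 32                                   # hash output length in bytes
W = 16                                   # Winternitz parameter
LOG_W = W.bit_length() - 1               # bits per base-w digit
LEN1 = (8 * N + LOG_W - 1) // LOG_W      # digits covering the message digest
LEN2 = math.floor(math.log(LEN1 * (W - 1), W)) + 1   # digits covering the checksum
LEN = LEN1 + LEN2                        # number of hash chains


def base_w(value: int, count: int) -> list:
    """Most-significant-first base-W digits of an integer, padded to `count`."""
    return [(value >> (LOG_W * (count - 1 - i))) & (W - 1) for i in range(count)]


def message_digits(msg: bytes) -> list:
    """Hash the message, split it into base-W digits and append the checksum."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    digits = base_w(digest, LEN1)
    # The checksum decreases whenever a message digit increases, so a forger
    # cannot obtain a second valid signature by only walking chains forward.
    checksum = sum(W - 1 - d for d in digits)
    return digits + base_w(checksum, LEN2)


def chain(x: bytes, start: int, steps: int, params) -> bytes:
    """Walk one hash chain from position `start` for `steps` steps.

    params is None for W-OTS (plain iteration of the hash), or a (seed, masks)
    pair for W-OTS+, where step j first XORs the public bitmask masks[j] into
    the chain value and then applies the seed-keyed function.
    """
    for j in range(start, start + steps):
        if params is None:
            x = hashlib.sha256(x).digest()
        else:
            seed, masks = params
            masked = bytes(a ^ b for a, b in zip(x, masks[j]))
            x = hashlib.sha256(seed + masked).digest()   # assumed keyed function f_seed
    return x


def keygen(plus: bool, rng=os.urandom):
    """Return (secret_key, public_key); plus=True selects W-OTS+."""
    params = (rng(N), [rng(N) for _ in range(W - 1)]) if plus else None
    sk = [rng(N) for _ in range(LEN)]
    pk = [chain(s, 0, W - 1, params) for s in sk]
    return sk, (params, pk)


def sign(sk, public_key, msg: bytes) -> list:
    """Reveal each chain advanced to the position given by the message digit."""
    params, _ = public_key
    return [chain(s, 0, d, params) for s, d in zip(sk, message_digits(msg))]


def verify(public_key, msg: bytes, sig: list) -> bool:
    """Finish each chain from the signature value and compare with the public key."""
    params, pk = public_key
    if len(sig) != LEN:
        return False
    finished = [chain(s, d, W - 1 - d, params) for s, d in zip(sig, message_digits(msg))]
    return finished == pk


def demo_rng(seed: int):
    """Deterministic byte source for reproducible demos (never use for real keys)."""
    return random.Random(seed).randbytes


if __name__ == "__main__":
    msg = b"constructed sample message"   # constructed input for the demo
    for plus in (False, True):
        sk, pk = keygen(plus)
        sig = sign(sk, pk, msg)
        name = "W-OTS+" if plus else "W-OTS"
        print(name, "chains:", LEN, "verify:", verify(pk, msg, sig),
              "tampered:", verify(pk, msg + b"!", sig))
```

Both schemes use the same chains, digits and checksum; `keygen(True)` additionally publishes the seed and the `W - 1` bitmasks as part of the public key, so the verifier can apply exactly the same masked steps the signer used.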