2

In post-quantum signature schemes that are (to put it simply) built out of Merkle trees, they usually employ some sort of OTS scheme on the very bottom leaves, i.e. the WOTS (Winternitz) scheme.

A relatively simple scheme such as Merkle is making a bunch of Lamport/WOTS keys and putting them on a Merkle tree.

Is it possible to instead put the WOTS scheme itself on a tree, where each leaf represents a byte value, and where each leaf is a simple chain of 1 hash?

By tripling the computation required to make a single-use WOTS key, it becomes a potentially finite-use key, and you don't have the problem of being able to hash forward that is usually resolved with checksums.

Are there some obvious security downsides to doing this?

Modal Nest

2 Answers

0

This question is essentially "can we put the HORS scheme on a tree". And the answer is yes, as it is basically HORST.

The question adds confusion by mentioning a Merkle tree and not mentioning an index. The actual question is (or should've been) "can x HORS public key sets be put on trees with each HORS tree being used to sign each of the x bytes".

Maybe it is not normal to think of HORS/T as WOTS compressed (or Lamport inflated) on an index/tree, but I will leave the question in case it helps anyone else who does.

Modal Nest
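
A toy sketch of the construction this answer names (HORS secrets as the leaves of one Merkle tree, one leaf per byte value), added here as an example and not code from the post or from any library. The sizes `T`, `K`, `DEPTH` and all function names are assumptions chosen for illustration.

```python
import hashlib, os

T, K, DEPTH = 256, 8, 8  # assumed toy sizes: one leaf per byte value, 8 leaves opened per signature

def H(tag, *parts):  # tag separates leaf hashes (0) from inner-node hashes (1)
    return hashlib.sha256(bytes([tag]) + b"".join(parts)).digest()

def keygen():
    sk = [os.urandom(32) for _ in range(T)]
    levels = [[H(0, s) for s in sk]]  # leaf = one hash of its secret
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(1, prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return sk, levels, levels[-1][0]  # the root is the public key

def indices(msg):
    return list(hashlib.sha256(msg).digest()[:K])  # each digest byte selects a leaf

def sign(sk, levels, msg):
    sig = []
    for i in indices(msg):
        path, j = [], i
        for level in levels[:-1]:
            path.append(level[j ^ 1])  # sibling at this level
            j >>= 1
        sig.append((sk[i], path))
    return sig

def verify(root, msg, sig):
    idx = indices(msg)
    if len(sig) != len(idx):
        return False
    for i, (secret, path) in zip(idx, sig):
        if len(path) != DEPTH:  # reject truncated or padded authentication paths
            return False
        node = H(0, secret)
        for sib in path:
            node = H(1, node, sib) if i % 2 == 0 else H(1, sib, node)
            i >>= 1
        if node != root:
            return False
    return True

def exposed(msgs):
    # distinct secrets revealed so far; a forger only needs a message whose
    # indices all fall inside this set, so the key is few-time, not many-time
    return len({i for m in msgs for i in indices(m)})
```

Tracking `exposed()` across signed messages shows why no checksum is needed (a revealed leaf cannot be hashed forward to another leaf) and also why the number of safe signatures per key stays small.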
-3

Yes, any one-time scheme (such as Lamport, WOTS) can be turned into a many-time scheme by placing the public keys into the leaves of a Merkle tree and considering the Merkle root to be the new public key.

SEJPM
Joe Horst