Questions tagged [hash-signature]

Signature schemes built out of and based on properties of hash functions. DO NOT USE THIS TAG if the signature is based on other hard problems and just happens to employ a hash function.

Hash-based digital signatures, such as Lamport one-time signatures, are digital signature schemes based on a (non-trapdoor) one-way function such as a cryptographic hash function. Such schemes are expected to remain secure even against attacks using quantum computers.

186 questions
154 votes, 7 answers

Should we sign-then-encrypt, or encrypt-then-sign?

Frequently, we want to send messages that are (a) encrypted, so passive attackers can't discover the plaintext of the message, and (b) signed with a private-key digital signature, so active attackers can't make Alice think that a message came from…
David Cary

15 votes, 3 answers

Lamport signature: How many signatures are needed to forge a signature?

Lamport signature: Signing the message Note that now Alice's private key is used and should never be used again. The other 256 random numbers that she did not use for the signature she must never publish or use. Preferably she should delete them;…
Sup3rgnu

11 votes, 2 answers

Advantages and disadvantages of hash-based signatures

We know hash-based signatures (Winternitz signature, HORS(T) signature) that are quantum-safe and efficient. They can be stateful or stateless, one-time or multiple-time. But why are they not widely used in practice? Or maybe they are, please tell…
Laura

11 votes, 3 answers

One-time digital signatures

Are there digital signatures for which, given two documents signed by the same key, one could derive the key? With such one-time signatures, one may be able to design a cryptocurrency based on proof-of-stake instead of proof-of-work. To…
Randomblue

10 votes, 3 answers

Why is SHA3 more secure than SHA2?

Why are SHA3 algorithms considered more secure than their SHA2 counterparts? Surely in part, it is due to their resistance to length extension attacks. But specifically, when considering collision resistance they have the same O(n) attack times. Is…
Arturo Roman

10 votes, 3 answers

Why don't crypto-currencies use the Lamport signature scheme?

The Lamport signature scheme is faster, less complex and considerably safer than ECDSA. Its only downside - being only usable once - isn't really a downside when signing transactions, since you could just include your next public key whenever…
MaiaVictor

9 votes, 3 answers

Winternitz One-Time Signature

I am reading page 38 in this "Post Quantum Cryptography" book (Equations 8 and 9). My question is: why, to compute the verification key $Y$, is $f$ applied $2^w-1$ times? Are there any security notions involved?

9 votes, 2 answers

How is SPHINCS Hash-based signature "stateless"?

I really hope someone can help me with these questions related to SPHINCS. I am trying to understand the concept of "stateless" vs. "stateful" signature scheme which is the basis of SPHINCS. I went to read Chapter 6.4 of Goldreich's Foundations of…
Mona

9 votes, 3 answers

Can one use a Cryptographic Accumulator to efficiently store Lamport public keys without the need of a Merkle Tree?

One of the problems of one-time Lamport signatures is that public keys are disposed after use, so you must generate many keys and store them in a Merkle tree. The root is the "real" public key and each signature is supplied with a Merkle branch from…
SDL

8 votes, 1 answer

Understanding example of ECDSA P256

I am new to cryptography. I found the example below on a nice website, but I am not able to understand most of the terms used (H:Hash, K:Random number,E=?, Kinv=?,Rx=?=RY?,R=Private key?,D?,S? same in verification). Please help me with the…
Yash Vardhan

8 votes, 1 answer

Difference Between Gravity-SPHINCS and SPHINCS+?

What are the differences between Gravity-SPHINCS and SPHINCS+ from security and practicality standpoints? Are they just different implementations of the underlying SPHINCS algorithms or are they functional variations on the underlying algorithms?
CoryG

8 votes, 3 answers

Stateless hash based public key cryptography?

Merkle-Winternitz signatures based on fractal hash trees are an attractive alternative to other post-quantum cryptographic schemes, in particular since they are conceptually simple, the security properties are easily understood and they are easy to…
Henrick Hellström

7 votes, 1 answer

Do other one-time signature schemes exist?

I'm curious to know if there are any one-time signature schemes other than Lamport's or its variants (Merkle trees are one such variant). The first I've discovered is called "Bins and Balls" which doesn't use a trapdoor function. Any others? Are…
Melab

6 votes, 3 answers

Why do we need Collision Resistant Hash Function for the Merkle Tree Signature Scheme?

I am studying Merkle tree construction for digital signatures. I don't quite understand why we need a collision resistant hash function for Merkle tree construction. There are a few papers like XMSS that try to lower the requirement from collision…

6 votes, 2 answers

Is there a signature scheme which doesn't rely on the difficulty of factoring/dlp which generates short signatures?

The Lamport signature scheme, for example, doesn't rely on the difficulty of any problem and it only depends on the existence of one-way functions. Is there an alternative scheme which also doesn't rely on the difficulty of factoring/discrete…
MaiaVictor