Questions tagged [one-time-signature]

a digital signature scheme that can be used to sign one message per key pair

A one-time signature (OTS) scheme is a digital signature scheme that can be used to sign one message per key pair.

Examples of hash-based OTS schemes include the Lamport Signature and the Winternitz Signature.

Hash-based signature schemes use one-time signature schemes as their building block. A given one-time signing key can only be used to sign a single message securely, because each signature reveals part of the signing key. The security of (hash-based) one-time signature schemes relies exclusively on the security of an underlying hash function.

24 questions
11 votes, 2 answers

Advantages and disadvantages of hash-based signatures

We know hash-based signatures (Winternitz signature, HORS(T) signature) that are quantum-safe and efficient. They can be stateful or stateless, one-time or multiple-time. But why are they not widely used in practice? Or maybe they are, please tell…
Laura
9 votes, 3 answers

Winternitz One-Time Signature

I am reading page 38 in this "Post Quantum Cryptography" book (Equations 8 and 9). My question is, why, to compute the verification key $Y$, is $f$ applied $2^w-1$ times? Are there any security notions involved?
5 votes, 1 answer

SPHINCS and HORST: can we sign the same message twice?

I was reading about SPHINCS, which uses layers of WOTS+ trees and a bottom layer of HORST trees. HORST is a few-time signature scheme; using a selection function you can sign at least twice without compromising security. I was then reading this…
Panos
4 votes, 1 answer

Difficulty of forging MACs based on linear functions over $GF\left(2^n\right)$

This is a homework question, therefore I'm not expecting full solutions, just general guidance. I want to build a one-time MAC using universal hashing. I defined my hash functions as: $h_{a,b}:\begin{array}{lll} \mathbb{F}_{2^{n}} & \to &…
Idra
3 votes, 1 answer

How can a collision attack using MD5 be used to break WOTS

It is stated in "Winternitz One time signature security" that MD5 is not safe for Winternitz due to collision attacks. Given that WOTS generates multiple, say 32, private keys and then hashes them a number of times to obtain 32 public keys, how does a…
3 votes, 1 answer

What is "one-time signature"

I'm studying post-quantum cryptography (PQC). While studying hash-based PQC, I read a thesis about the Winternitz one-time signature scheme (W-OTS). What is the exact definition of "One-time Signature (OTS)"? There are lots of papers and posts quote…
bjkim
2 votes, 0 answers

Hashing Public Key of Lamport or Winternitz OTS

For the Lamport or Winternitz public keys, couldn't one just hash down the large public key to 256 bits in order to greatly reduce the public key size while still having basically the same security? Why isn't this done? Thanks for your help. If you…
2 votes, 0 answers

Is it more, or less, secure to use a different $F$ and $G$ for a Lamport signature?

A Lamport signature is made as follows: Alice stores $k_1, \cdots, k_{n'} \leftarrow K $ as her "private key", with one-way function $F: K\to V$, $n'>n$, and (easily enough) all $F(k_i)\neq F(k_j)$. Alice publishes $F$, $G$, and $\alpha =…
2 votes, 2 answers

Can we place the WOTS scheme into a Merkle tree structure?

In post-quantum signature schemes that are (to put it simply) built out of Merkle trees, they usually employ some sort of OTS scheme on the very bottom leaves, i.e. the WOTS Winternitz scheme. A relatively simple scheme such as Merkle is making a bunch…
2 votes, 1 answer

Chaining one-time signatures

To introduce the notation for the question, consider a one-time signature algorithm: There are a private signing key $sk$ and a corresponding public key $pk$, generated by $Gen(seed)$. To sign a message, use $sig = Sign(sk, m)$, and verify the…
2 votes, 1 answer

W-OTS+ one-wayness property

I am reading "W-OTS⁺ – Shorter Signatures for Hash-Based Signature Schemes" by Andreas Hülsing, and I am stuck in understanding the success probability of an adversary, $\mathcal A$, against the one-wayness function of $\mathcal F_n$; equation…
Mona
2 votes, 1 answer

Signing a message using SPHINCS Hash-based Signature scheme

I have questions on "SPHINCS: practical stateless hash-based signatures" by Bernstein et al., and I really hope that someone can help me with it. To help me understand it, I read the…
Mona
2 votes, 1 answer

Bitmasks or seed along with public key in WOTS+ post-quantum signatures

The state-of-the-art hash-based post-quantum signature schemes, like SPHINCS and XMSS, are using variations of WOTS (Winternitz OTS), like WOTS+, that require extra random bitmasks along with the public key. Some history: these bitmasks were…
2 votes, 2 answers

Question of one-time signature (digital signatures)

I am an undergrad computer science student (senior year) taking my first course in cryptography. My final exam is in 2 weeks and I am struggling quite a bit (it is one of the hardest courses I ever took). To prepare for the exam I am trying to solve…
IVRODB
2 votes, 1 answer

How does signing with FORS work in SPHINCS+?

I was reading the SPHINCS+ paper and got confused in the signing with FORS (forest of random subsets) part. I understand how we can sign a message using FORS but I couldn't understand how we choose the corresponding WOTS+ key to sign the FORS root…