6

There are several one-time signature schemes. The original one, Lamport's, has very big signature sizes (several kB). Is there a one-time signature scheme which relies only on simple assumptions (one-way functions and a random oracle), and whose signatures are no larger than a few bytes?

MaiaVictor
  • Since signature schemes like BLS or Schnorr/ECDSA are also one-time secure, technically you could include these too, so for BLS that would be 48 bytes :-) – ambiso Nov 20 '20 at 19:30

2 Answers

9

Well, if we assume a 128-bit hash function (and arrange things such that we assume only (second) preimage resistance), and use a Winternitz scheme with $W=65536$ (signing/verifying will be expensive), that'll get you down to about 168 bytes (assuming you insert an 8-byte randomizer into the initial hash, needed if we assume that the attacker can choose the message to be signed).

If we are even more aggressive (80-bit hash; may be good enough assuming it doesn't have to be TLA-proof), and $W=2^{29}$ (so Winternitz needs only a single check digit; signing/verifying will be really expensive), and a 4-byte randomizer, that gets you down to 44 bytes; but you had to make a lot of sacrifices to get to that level.

poncho
  • Is the first proposed construction similar to that in Johannes Buchmann, Erik Dahmen, Sarah Ereth, Andreas T. Hülsing, and Markus Rückert's On the Security of the Winternitz One-Time Signature Scheme (extended abstract in proceedings of Africacrypt 2011), with $b=64$ and $w=16$? – fgrieu Mar 28 '17 at 12:53
  • @fgrieu: actually, $w=65536$ in their notation, and I believe the security level $b$ would be 128 (although their proof gives a rather smaller value), but otherwise, yes... – poncho Mar 28 '17 at 13:26
  • Are you sure? Seems part of their scheme involves $2^w$ steps or something, making $w=65536$ out of the question; and that your $W$ is their $2^w$, hence $w=16$ for $W=65536$. Independently: Andreas T. Hülsing mentions his own W-OTS+ - Shorter Signatures for Hash-Based Signature Schemes, published in proceedings of Africacrypt 2013, and from a first look at it that might improve the signature size. – fgrieu Mar 28 '17 at 13:45
  • @fgrieu: this is notation, but yes, I'm sure Buchmann et al use the convention that $w$ (actually, $w-1$) is the length of the Winternitz chain, and so you end up doing $O(w)$, not $O(2^w)$, operations. As for W-OTS+, Andreas's improvement is improved provable security, not shortened signatures; he shows that his scheme achieves the security level you'd expect (as opposed to Buchmann et al's scheme, where they proved a significantly smaller level); I already assumed that when I said "I believe the security level $b$ would be 128". – poncho Mar 28 '17 at 14:04
  • The notation in Buchmann et al. has me plain lost. Their algorithms sometimes use $w$ consistently with your reading (in particular, in their verification on page 4 "the function is iterated $w-1$ times"). Yet they state (page 2), on Winternitz signatures in general, "signing roughly requires $2^wm/w$ hash operations", and in their conclusion (page 12) consider $w=16$; and claim security level $n-w-1-2\log_2(l,w)$; things that I manage to make sense of only with my reading of their $w$. To clarify: I have no reservation about the numbers in your answer. – fgrieu Mar 28 '17 at 14:33
  • @fgrieu: hmmm, yes, it appears that document is a bit inconsistent. However, if you read further papers by those authors, they do use the "$w$ is the Winternitz length/base" convention... – poncho Mar 28 '17 at 14:40
  • @fgrieu: In the security claim this $w$ definitely refers to the chain length. The typo on page 2 is probably there because most previous papers used the $2^w$ chain length terminology, while this paper was the first that allowed chains of a length which is not a power of two. The reasoning at that time was that it might lead to better trade-offs, which I think turned out wrong. – mephisto Mar 29 '17 at 21:30
  • Got it! Buchmann et al.'s paper uses $w$ as the length of the hash chain, except probably for a typo in the spot where they introduce $w$, and that got me on the wrong track. Their security bound is not optimal and collapses into the negative for the large $w$ thought of by Poncho, but that's improved in the later Hülsing paper, which essentially makes that bound tighter, which is the main (only?) reason that it can claim shorter signatures. – fgrieu Mar 30 '17 at 05:21
  • @fgrieu yes, that's the only reason. – mephisto Apr 02 '17 at 17:55
  • Could you clarify what you mean by "and arrange things such that we assume only (second) preimage resistance"? As far as I understand, that's what WOTS+, not WOTS, attempts to do. But in the post you seem to be talking about WOTS. – MaiaVictor Jul 08 '21 at 22:26
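The size accounting in the answer above, worked through in code. This is an added example, not code from the answer or from any of the papers cited in the comments: a plain Winternitz OTS (no WOTS+ bitmasks) over SHA-256 truncated to n bits (an assumption standing in for "an n-bit hash"), with the usual checksum sum(W-1 - d_i), a randomizer hashed in front of the message, and the public key compressed to one hash of the chain ends. `wots_layout` counts message and checksum digits for a given digit width; the 168-byte figure falls out directly with 16-bit digits. The 44-byte figure is reproduced only under my reading of "a single check digit", namely three 27-bit message digits and one 29-bit check digit (3*(2^27-1) fits in 29 bits); that layout is an assumption, not something the answer states. Signing and verifying are run with 8-bit digits so the chains stay short enough to execute.

```python
"""Plain WOTS: digit layout / signature-size accounting plus keygen, sign, verify.
Added example; SHA-256 truncated to n bits stands in for an n-bit hash (assumption)."""
import hashlib
import secrets


def H(data: bytes, n_bytes: int) -> bytes:
    # Truncated SHA-256 as the n-bit hash (assumption, not part of the answer).
    return hashlib.sha256(data).digest()[:n_bytes]


def chain(x: bytes, steps: int, n_bytes: int) -> bytes:
    # The Winternitz chain: iterate the hash `steps` times.
    for _ in range(steps):
        x = H(x, n_bytes)
    return x


def wots_layout(n_bits: int, msg_digit_bits: int, chk_digit_bits: int):
    """l1 message digits of msg_digit_bits each, l2 checksum digits of
    chk_digit_bits each; checksum = sum over message digits of (W-1 - d_i)."""
    l1 = -(-n_bits // msg_digit_bits)                       # ceil(n / log2 W)
    max_checksum = l1 * ((1 << msg_digit_bits) - 1)
    l2 = -(-max_checksum.bit_length() // chk_digit_bits)    # digits to hold it
    return l1, l2


def signature_bytes(n_bits, msg_digit_bits, chk_digit_bits, randomizer_bytes):
    """Signature size: one n-bit chain element per digit plus the randomizer."""
    l1, l2 = wots_layout(n_bits, msg_digit_bits, chk_digit_bits)
    return (l1 + l2) * (n_bits // 8) + randomizer_bytes


class WOTS:
    def __init__(self, n_bits=128, msg_digit_bits=8, chk_digit_bits=8, randomizer_bytes=8):
        self.n = n_bits // 8
        self.mb, self.cb, self.r = msg_digit_bits, chk_digit_bits, randomizer_bytes
        self.l1, self.l2 = wots_layout(n_bits, msg_digit_bits, chk_digit_bits)
        # digit width per chain position; chain length is 2**width - 1
        self.widths = [msg_digit_bits] * self.l1 + [chk_digit_bits] * self.l2

    def _digits(self, digest: bytes):
        # Split the digest into base-2^mb digits, then append the checksum digits.
        m = int.from_bytes(digest, "big")
        mmask = (1 << self.mb) - 1
        msg = [(m >> (self.mb * (self.l1 - 1 - i))) & mmask for i in range(self.l1)]
        csum = sum(mmask - d for d in msg)   # decreases when any digit is advanced
        cmask = (1 << self.cb) - 1
        chk = [(csum >> (self.cb * (self.l2 - 1 - i))) & cmask for i in range(self.l2)]
        return msg + chk

    def keygen(self):
        sk = [secrets.token_bytes(self.n) for _ in self.widths]
        ends = [chain(s, (1 << w) - 1, self.n) for s, w in zip(sk, self.widths)]
        return sk, H(b"".join(ends), self.n)   # compressed public key

    def sign(self, sk, msg: bytes) -> bytes:
        rnd = secrets.token_bytes(self.r)       # randomizer, hashed with the message
        d = self._digits(H(rnd + msg, self.n))
        return rnd + b"".join(chain(s, di, self.n) for s, di in zip(sk, d))

    def verify(self, pk: bytes, msg: bytes, sig: bytes) -> bool:
        if len(sig) != self.r + len(self.widths) * self.n:
            return False
        rnd, body = sig[:self.r], sig[self.r:]
        d = self._digits(H(rnd + msg, self.n))
        parts = [body[i * self.n:(i + 1) * self.n] for i in range(len(self.widths))]
        # Finish each chain: (2^w - 1) - d_i more steps should land on the key end.
        ends = [chain(p, (1 << w) - 1 - di, self.n)
                for p, w, di in zip(parts, self.widths, d)]
        return H(b"".join(ends), self.n) == pk


if __name__ == "__main__":
    print("128-bit hash, 16-bit digits, 8-byte randomizer:",
          signature_bytes(128, 16, 16, 8), "bytes")          # 168
    print("80-bit hash, 27-bit msg digits, one 29-bit check digit, 4-byte randomizer:",
          signature_bytes(80, 27, 29, 4), "bytes")           # 44 (assumed layout)
    w = WOTS()                                               # 8-bit digits: runnable chains
    sk, pk = w.keygen()
    sig = w.sign(sk, b"constructed message")                 # constructed sample input
    print("verify:", w.verify(pk, b"constructed message", sig),
          "tampered:", w.verify(pk, b"other message", sig))
```

Two things worth noticing when running it: the checksum is what stops an attacker who holds a signature from "advancing" a chain to forge a larger digit, since every advance lowers the checksum and the checksum chains can only be advanced, not rewound; and every extra bit of digit width halves the digit count but doubles the chain length, which is exactly the cost the answer warns about for $W=65536$ and $W=2^{29}$. Chain lengths in the tens of millions are not run here.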
1

To add to the answer by poncho: Theoretically, there is also the Bleichenbacher-Maurer Scheme (probably best described in Dods, Smart, Stam: "Hash Based Digital Signature Schemes". Cryptography and Coding, LNCS 3796, pp 96-115, Springer Berlin / Heidelberg, 2005) which is asymptotically more efficient than WOTS and can be proven optimal in some metric. However, this is paid for with a terribly complex construction which is why people are not using it. So W-OTS with large w is your tool.

e-sushi
mephisto