This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2020.2966259, IEEE Access
Novel One Time Signatures (NOTS): A Compact Post-quantum Digital Signature Scheme
FURQAN SHAHID 1, IFTIKHAR AHMAD 2, MUHAMMAD IMRAN 3, and MUHAMMAD SHOAIB 4
1 COMSATS University Islamabad (CUI), Park Road, Islamabad 45550, Pakistan (e-mail: furqan.shahid.cs@gmail.com)
2 Faculty of Computer and Information Technology, King Abdulaziz University, Saudi Arabia (e-mail: iftikharwattoo@gmail.com)
3 College of Applied Computer Science, King Saud University, Saudi Arabia (e-mail: dr.m.imran@ieee.org)
4 College of Computer and Information Sciences, King Saud University, Riyadh, Saudi Arabia (e-mail: muhshoaib@ksu.edu.sa)
Corresponding author: Muhammad Imran (e-mail: dr.m.imran@ieee.org).
ABSTRACT Hash-based digital signature schemes have a bright future in the coming quantum era because of the quantum threat to number-theoretic signature schemes: Shor's algorithm lets a sufficiently powerful quantum computer break the building blocks of those schemes in polynomial time. Hash-based signature schemes, being efficient and provably secure, can fill the gap. Their drawback is larger key and signature sizes, which can be a barrier to adoption by space-critical applications such as blockchains. A hash-based signature scheme is built from a one-time signature (OTS) scheme, and the underlying OTS scheme largely determines the key and signature sizes of the whole scheme. In this article we propose a novel OTS scheme whose key and signature sizes are smaller than those of all existing OTS schemes. It offers an 88% reduction in both key and signature sizes compared with the popular Winternitz OTS (WOTS) scheme, and 84% and 86% reductions in signature and key sizes respectively compared with WOTS+, an existing compact variant of WOTS.
INDEX TERMS Hash-based digital signatures, Post-quantum cryptography, Blockchain, One-time signatures
I. INTRODUCTION
One-way mathematical functions [1] are the building blocks of today's most popular digital signature schemes. They arise from hard mathematical problems that form the basis of digital signatures and other cryptographic protocols. The three core hard problems in current wide use are the Integer Factorization (IF) problem, the Discrete Logarithm Problem (DLP), and the Elliptic Curve Discrete Logarithm Problem (ECDLP). Signature schemes built on these problems are commonly called number-theoretic signature schemes; they include the Rivest-Shamir-Adleman (RSA) signature scheme [2], the ElGamal signature scheme [3], and the Elliptic Curve Digital Signature Algorithm (ECDSA) [4]. However, a sufficiently powerful quantum computer will be able to solve all three problems with Shor's algorithm [5], and technology trends suggest that such a machine could be available within a decade [6]. What, then, is the future of the cryptographic protocols built on these problems? We are particularly concerned with the future of digital signatures in the quantum era. Quantum computers will not eliminate digital signatures, because other families of signature schemes resist quantum attacks [7]; we refer to these as post-quantum signature schemes. Five families are known to date: lattice-based, hash-based, elliptic curve isogeny-based, multivariate, and code-based signature schemes. Not all of them are new (hash-based signatures in particular have a fairly long history), yet none has attracted practitioners at large scale. The obstacles to their wide adoption include low efficiency, breakable security, and difficult key management [7], [8].
Hash-based signature (HBS) schemes, being efficient and provably secure, appear to be the dominant family of post-quantum signature schemes [9]. Their security has been firmly established against both classical and quantum attacks. They are also the most efficient family, with the lowest key generation and signing times among all types of signature schemes [10]. Their major drawback is the larger signature and key sizes [11], [12].
An HBS scheme combines two components: a core one-time signature (OTS) or few-time signature (FTS) scheme, and a hash tree that maps a number of OTS/FTS public keys to a single public key. Without a hash tree over the OTS/FTS scheme, key management in an HBS scheme is a challenging task. The signature size depends purely on the core OTS/FTS scheme, whereas the key size depends on both the core OTS/FTS scheme and the nature and size of the hash tree. The signature size of the very first OTS scheme, the Lamport-Diffie (LD) OTS [13], was impractically large. Later OTS schemes, such as the Winternitz OTS (WOTS) [14], reduced the signature size to a practical level. Even so, OTS signatures remain larger than those of classical schemes, which makes them unattractive for highly space-sensitive applications such as distributed financial ledgers (cryptocurrencies). In this article we propose a novel OTS scheme, NOTS, whose key and signature sizes are the smallest among all existing OTS schemes: NOTS offers an 88% reduction in both key and signature sizes compared with the popular WOTS scheme.
Among the existing OTS/FTS schemes, WOTS and its variants [14], [15], [16] are the most efficient, offering the smallest key and signature sizes. Furthermore, WOTS and its variants allow the OTS public key to be computed purely from the signature, a valued property. Other OTS/FTS schemes cannot recover the public key from the signature unless a large additional set of information is given to the verifier. That additional information may be as large as the signature itself (as in LD-OTS [13]) or exponentially larger than the signature (as in HORS [17], HORST [18], and PORS [19]). Our proposed scheme (NOTS) is a WOTS-like scheme in which the signature alone lets the verifier compute the corresponding public key without any additional information. Such self-contained signatures not only reduce the signature size but also make the scheme more convenient to use with hash trees.
Our contribution:
1) We propose a novel OTS scheme, NOTS, with the following features:
a) NOTS offers an 88% reduction in both key and signature sizes compared with the popular WOTS scheme.
b) NOTS offers 84% and 86% reductions in signature and key sizes respectively compared with WOTS+, an existing compact variant of WOTS.
c) NOTS signatures allow the verifier to compute the corresponding public key without any additional information.
2) We formally prove that NOTS is existentially unforgeable under an adaptive chosen message attack.
The rest of the paper is organized as follows. Section II reviews the OTS/FTS and HBS schemes and the post-quantum cryptocurrencies proposed to date. Section III gives the preliminary knowledge needed to compare key and signature sizes. Section IV presents our proposed OTS scheme (NOTS) in detail, and Section V evaluates its security. The remaining sections evaluate the space requirements and execution time of NOTS and conclude the discussion.
II. LITERATURE REVIEW
The popular OTS/FTS schemes proposed to date include Lamport-Diffie OTS (LD-OTS) [13], Winternitz OTS (WOTS) [14], WOTS^PRF [15], WOTS+ [16], HORS [17], HORS with Tree (HORST) [18], and PRNG to Obtain a Random Subset (PORS) [19].
The pioneering HBS scheme is the Merkle signature scheme (MSS) [14], which uses WOTS as its base OTS scheme. An improved version of MSS is the eXtended Merkle Signature Scheme (XMSS) [12], which uses WOTS^PRF [15] as its base OTS scheme. An MSS tree or an XMSS tree maps a finite number of OTS public keys to a single public key. An enhanced version of XMSS, Multi-tree XMSS (XMSS^MT) [20], can map a virtually unlimited number of OTS key pairs to a single public key; it also uses WOTS^PRF as its base OTS scheme. XMSS^MT is a stateful scheme: it maintains a state to guarantee that a distinct OTS key pair is used each time a new message is signed. SPHINCS [18] is a stateless HBS scheme that guarantees a distinct key pair for each signature without keeping any state; it uses the HORST FTS and WOTS+ as its base schemes. Gravity-SPHINCS [19] is a compact version of SPHINCS that uses PORS and WOTS as its core schemes. SPHINCS-Simpira [21] is an efficient version of SPHINCS that replaces the plain hash functions (SHA256 and SHA512) with the AES-based permutation Simpira [22]. Figure 1 shows the mapping between OTS/FTS schemes and HBS schemes.
A. POST-QUANTUM CRYPTOCURRENCIES
The popular post-quantum cryptocurrencies proposed to date include IoTA [23], QRL [24], quantum-secured blockchain [25], qBitcoin [26], PQChain [27], and post-quantum blockchains incorporating lattice-based signature schemes [28], [29]. Among these, three use hash-based signature schemes: IoTA uses WOTS, QRL uses WOTS+ with XMSS, and PQChain recommends WOTS^PRF with XMSS. The post-quantum blockchain proposed in [28] uses a short integer solution (SIS) based signature scheme. The quantum-secured blockchain [25] lets a pair of peers connect over a quantum channel to establish a symmetric key, after which they communicate securely over a classical channel using that key. qBitcoin [26] proposes representing coins as quantum states; because a quantum state cannot be duplicated (the no-cloning theorem), the proposed currency is safe against double-spending attacks. Both the quantum-secured blockchain and qBitcoin depend on quantum technologies and hence will only be practical once quantum hardware is widely available.

Figure 1: OTS/FTS schemes mapping to the HBS schemes. (Figure not reproduced; it relates the HBS schemes MSS, XMSS, XMSS^MT, SPHINCS, Gravity-SPHINCS (G-SPHINCS) and SPHINCS-Simpira (SPHINCS-S) to the OTS/FTS schemes LD, WOTS, WOTS^PRF, WOTS+, HORS, HORST and PORS, as described in the text above.)
III. PRELIMINARY KNOWLEDGE
This section provides preliminary knowledge about hash-based signature schemes and OTS/FTS schemes. It helps the reader understand and compare the key and signature sizes of the existing OTS/FTS schemes.
A. HASH-BASED SIGNATURE (HBS) SCHEMES
The building block of an HBS scheme can be an unkeyed hash function, a keyed hash function, or a block cipher (such as AES). Because all of these primitives are very efficient (especially the hash functions), HBS schemes are the most efficient type of digital signature schemes [10]. An HBS scheme is two-fold: a base OTS/FTS scheme, and a hash tree that encapsulates a (finite or virtually infinite) number of OTS/FTS public keys into a single public key. Hash trees matter because key management is otherwise hard in HBS schemes; nevertheless, there are real-life applications that use an OTS or FTS scheme on its own. For example, the popular post-quantum digital currency IoTA [23] uses WOTS without a hash tree.
1) Hash-based OTS/FTS schemes
Lamport proposed the very first hash-based OTS scheme in the late seventies [13]; the security of Lamport-Diffie (LD) OTS was proved later in [30] and [31]. The LD-OTS scheme suffers from impractically large key and signature sizes. It signs the hash of the message bit by bit, creating a separate signature item for each bit. For a 512-bit message hash (we use l for the bit-length of the message hash to be signed) there are 512 signature items; if each item is itself 512 bits long, the signature is 32 KB (32,768 bytes). The key is twice as large again, because each bit has two key items associated with it. The bit-length of an individual key/signature item depends on the desired security level, so we call it the security parameter n. The signature size σ and key size PK of LD-OTS are given in equations (1) and (2).

$$\sigma(\mathrm{LD}) = l \cdot n \quad (1)$$

$$PK(\mathrm{LD}) = 2\, l \cdot n \quad (2)$$
Winternitz [14] made the first major improvement on Lamport's work. In the Winternitz OTS (WOTS) scheme, bits are signed in groups (patches): a single signature item covers one patch of bits. The patch size p is customizable. It is inversely proportional to the key and signature length but directly proportional to the processing cost, so a balance must be struck; a typical patch size is 4 bits. For WOTS the message hash H is written as in equation (3). Both the key and the signature consist of l/p items. Each private key item is transformed into its corresponding public key item by passing it through a hash chain of 2^p hash iterations. The signature elements are intermediate stages of these hash chains: the hash of the message tells the signer which intermediate stage of each chain to release as the signature, and it also lets the verifier complete all the chains to reproduce the signer's public key.

$$H = h_1 \,\|\, h_2 \,\|\, h_3 \,\|\, \cdots \,\|\, h_{l/p} \quad (3)$$

An individual patch of the message hash takes a value in the range 0 to 2^p − 1. WOTS also appends a checksum c to the message hash, computed as in equation (4). The signature size of WOTS is then given by equation (5), where |c| denotes the bit-length of the checksum, so that |c|/p is the number of additional checksum patches; the key size of WOTS is exactly the same as the signature size. WOTS is provably secure under the existentially unforgeable under chosen message attack (EU-CMA) model [15].

$$c = \sum_{i=1}^{l/p} \bigl((2^p - 1) - h_i\bigr) \quad (4)$$

$$\sigma(\mathrm{WOTS}) = \left(\frac{l}{p} + \frac{|c|}{p}\right) n \quad (5)$$

Table 1: Parameters description
Parameter | Description
M | Message to be signed
H | Hash of the message (M) to be signed
Hhex | Hexadecimal representation of the hash of the message (H)
h | An individual character in the hash of the message (H)
p | The bit-length of an individual character (h) in the hash of the message
l | The bit-length of the hash of the message (H) to be signed
SK / PK | An OTS private key / public key
sk / pk | An individual value (element) in SK / PK
σ_M | Signature created on message M
σ_i | An individual value (element) in σ
n | The bit-length of an individual key/signature element (sk / pk / σ_i)
fsk / fpk / fσ | First (forward) half of sk / pk / σ_i
bsk / bpk / bσ | Last (backward) half of sk / pk / σ_i
(M_F, σ_F) | Message with corresponding signature sent by F
f_H | A common hash function
f_ow | A one-way (pre-image resistant) hash function
f_cr | A collision resistant hash function
c | The checksum appended to M by WOTS and its variants
ADV | An adversary trying to break the security of a hash function
FOR | A forger trying to break the security of the proposed scheme NOTS
index(chr) | A function returning the index of a given character chr in the hash (H) of the message
sumDigits(str) | A function computing the sum of the digits in a given string str
WOTS^PRF [15] and WOTS+ [16] are two compact variants of WOTS with reduced key and signature sizes. WOTS^PRF reduces them by replacing the collision resistant (CR) hash function with a pseudo-random function (PRF): with a CR hash function the length of an individual key/signature item must be at least three times the desired post-quantum security level, whereas with a PRF it must be at least twice that level. WOTS+ uses bit-masks to replace the CR hash function with an undetectable one-way function (which may be a keyed hash function or a block cipher). The signature sizes of both WOTS^PRF and WOTS+ follow the same formula as equation (5), with the security parameter n adjusted accordingly. The key size of WOTS^PRF is approximately the same as its signature size, whereas the key size of WOTS+ is somewhat larger because of an additional set of randomization elements (the bit-masks); it is given by equation (6), with |c| the bit-length of the checksum as in equation (5).

$$PK(\mathrm{WOTS+}) = \left(\frac{l}{p} + \frac{|c|}{p} + 2^p\right) n \quad (6)$$
The HORS FTS scheme [17] takes a different approach to hash-based few-time signatures. Like WOTS, HORS signs patches of bits, with a single signature item per patch. However, the patch size in HORS must be significantly larger, because the scheme is insecure for small patches. The large patches reduce the signature size significantly compared with WOTS. Another difference is that HORS appends no checksum to the message hash, which further reduces the signature size. The key size of HORS, however, is extremely large. The key and signature sizes of HORS are given by equations (7) and (8); the extremely large key size makes HORS nearly impractical.

$$PK(\mathrm{HORS}) = 2^p \cdot n \quad (7)$$

$$\sigma(\mathrm{HORS}) = \frac{l}{p} \cdot n \quad (8)$$
The PORS [19] scheme is very close to HORS but offers stronger security at a marginal computational overhead. Its key and signature sizes are exactly the same as those of HORS. The only difference is that in HORS several bit-patches may select the same signature item, whereas PORS always selects a distinct signature item for each bit-patch.
Our proposed scheme (NOTS) recommends 4-bit patches. The key and signature sizes of NOTS are both given by equation (9). Because p is small (just 4 bits), both are significantly smaller than in the schemes above: NOTS has 1 KB keys and signatures for a 512-bit security parameter (n = 512). The parameters used in this section and throughout the article are explained in Table 1.

$$\sigma(\mathrm{NOTS}) = PK(\mathrm{NOTS}) = 2^p \cdot n \quad (9)$$
IV. NOVEL ONE TIME SIGNATURES (NOTS): THE PROPOSED SCHEME
This section explains our proposed scheme (NOTS) in detail. It works as follows.
A. KEY GENERATION
The private key SK is simply a set of sixteen values, each 512 bits long (equation (10)). We recommend generating all of the private key values from a single seed by applying a simple hash chain to the seed. Because the scheme never discloses any sk value during signature verification, it is safe to use a plain chain of values generated with a common hash function such as SHA512. The complete pseudocode for key generation is given in Algorithm 1.

$$SK = \{\, sk_i \;:\; 0 \le i \le 15,\; \mathrm{bitLength}(sk_i) = 512 \,\} \quad (10)$$

The public key PK is computed from SK; there is one pk value for each sk value. To compute pk_i we split sk_i into two equal halves and hash each half 129 times (equation (11)). The output length of the hash function must equal the length of a half: if a half is 256 bits, we may use SHA256.

$$pk_i = \mathrm{SHA256}^{129}\!\left(sk_i\!\left[0, \tfrac{|sk_i|}{2}\right)\right) \,\|\, \mathrm{SHA256}^{129}\!\left(sk_i\!\left[\tfrac{|sk_i|}{2}, |sk_i|\right)\right), \quad 0 \le i \le 15 \quad (11)$$
B. SIGNATURE CREATION
Signing starts by computing the hash H of the message to be signed. We recommend a 512-bit hash function (such as SHA512), so that H consists of 128 hexadecimal symbols; we write Hhex for this hexadecimal representation. Hhex guides the signer in generating index_strings, a list of 16 strings that classifies the (1-based) positions of the hexadecimal characters in Hhex by character value (equations (12) and (13)): there is one string of positions for each hexadecimal symbol. Next, the signer sums the decimal digits of each index string; we call the resulting list sum_index_string. The signer reduces each sum so that every value in sum_index_string lies in the range 1 to 128 (equation (14)).

$$\mathrm{index\_string}_i = \langle\rangle, \quad 0 \le i \le 15 \quad (12)$$

$$\forall\, h \in H_{hex}:\quad \mathrm{index\_string}_h \leftarrow \mathrm{index\_string}_h \,\|\, \mathrm{index}(h) \quad (13)$$

$$\mathrm{sum\_index\_string}_i = \mathrm{sumDigits}(\mathrm{index\_string}_i) \bmod 128 + 1, \quad 0 \le i \le 15 \quad (14)$$

The list sum_index_string finally lets the signer produce the signature σ on the message M. For each sk value, the signer splits it into two halves, the forward half fsk and the backward half bsk. The signer hashes fsk a number of times exactly equal to the corresponding value in sum_index_string, and hashes bsk 129 minus that value times. Concatenating the two final hash outputs gives one signature value (equation (15)). The signer repeats this for each of the 16 sk values to obtain the 16 signature values. Figure 2 illustrates signature creation for an example message hash, and the pseudocode is given in Algorithm 2.

$$\sigma_i = \mathrm{SHA256}^{\,s_i}\!\left(sk_i\!\left[0, \tfrac{|sk_i|}{2}\right)\right) \,\|\, \mathrm{SHA256}^{\,129 - s_i}\!\left(sk_i\!\left[\tfrac{|sk_i|}{2}, |sk_i|\right)\right), \quad s_i = \mathrm{sum\_index\_string}_i,\; 0 \le i \le 15 \quad (15)$$
C. SIGNATURE VERIFICATION
The verifier computes sum_index_string by the same steps the signer followed during signature creation. That list lets the verifier derive the verification key VK from the signature σ. To compute an individual vk value from the corresponding σ value, the verifier splits the σ value into two halves, the forward signature fσ and the backward signature bσ. The verifier hashes fσ 129 minus the corresponding value in sum_index_string times, and hashes bσ exactly that value times, then concatenates the two final hash outputs to obtain one vk value (equation (16)). The same procedure is applied to each of the 16 σ values to obtain the 16 vk values. Finally, the verifier compares the computed VK with the signer's previously announced public key PK, and accepts the signature only if the two are equal. The pseudocode for signature verification is given in Algorithm 3.

$$vk_i = \mathrm{SHA256}^{\,129 - s_i}\!\left(\sigma_i\!\left[0, \tfrac{|\sigma_i|}{2}\right)\right) \,\|\, \mathrm{SHA256}^{\,s_i}\!\left(\sigma_i\!\left[\tfrac{|\sigma_i|}{2}, |\sigma_i|\right)\right), \quad s_i = \mathrm{sum\_index\_string}_i,\; 0 \le i \le 15 \quad (16)$$

Figure 2: NOTS: Signature Creation. The figure works through the example message hash
H = 8e8b47e6c1e58a60b2e24e2860022c859be1dbf24ca6c5195e688d5663128adc8ea51f8e3364c29d5019088716d1ac5c232bc8ae55d3066ded98c2d13396716c
(positions numbered 1 to 128). For each hexadecimal symbol i it lists the positions at which the symbol occurs (index_string_i), the digit sum reduced to the range 1..128 (sum_index_string_i), and the resulting signature element σ_i = f_H^{s_i}(sk_i[0:31]) || f_H^{(129 − s_i)}(sk_i[32:63]); for symbol 0, for instance, (1+6+2+6+2+7+8+2+8+5+1+0+9) % 128 + 1 = 58.

i | index_string_i (positions in Hhex) | sum_index_string_i
0 | 16 26 27 82 85 109 | 58
1 | 10 36 47 59 69 83 89 92 120 126 | 102
2 | 18 20 23 28 29 40 60 78 97 99 118 | 107
3 | 58 73 74 98 108 121 122 | 70
4 | 5 21 41 76 | 27
5 | 12 32 46 49 55 68 81 95 105 106 | 92
6 | 8 15 25 44 51 56 57 75 90 110 111 124 127 | 102
7 | 6 88 125 | 31
8 | 1 3 13 24 31 52 53 61 65 71 86 87 102 116 | 100
9 | 33 48 79 84 115 123 | 60
a | 14 43 62 67 93 103 | 50
b | 4 17 34 38 100 | 32
c | 9 30 42 45 64 77 94 96 101 117 128 | 102
d | 37 54 63 80 91 107 112 114 119 | 76
e | 2 7 11 19 22 35 50 66 72 104 113 | 70
f | 39 70 | 20

Table 2: Hash functions security levels [30], [32], [33]
Hash function | Classical pre-image | Classical collision | Quantum pre-image | Quantum collision
SHA160 | 160-bit | 80-bit | 80-bit | 53-bit
SHA256 | 256-bit | 128-bit | 128-bit | 85-bit
SHA384 | 384-bit | 192-bit | 192-bit | 128-bit
SHA512 | 512-bit | 256-bit | 256-bit | 171-bit
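The key generation, signing and verification steps of Sections IV.A to IV.C, as an added worked example in Python. This is not code from the paper (its Algorithms 1 and 2 are pseudocode); it follows equations (10) to (16) as written: a SHA512 chain from a 64-byte seed for the sixteen sk elements, SHA256 half-chains of length 129, 1-based positions in Hhex, and the sum-of-digits mod 128 + 1 reduction. The seed and message used in the demo are constructed sample inputs; EXAMPLE_HASH_HEX is the message hash worked in Figure 2, so sum_index_strings() can be checked against the figure's sixteen values. The signature length check and the constant-time comparison are additions of this example, not part of the paper's pseudocode.

```python
import hashlib
import hmac
import os

HEX_SYMBOLS = "0123456789abcdef"
CHAIN_LEN = 129   # a pk half is the 129th post-image of the sk half (Eq. 11)
HALF = 32         # bytes per half of a 512-bit sk element
ELEMENTS = 16     # one element per hexadecimal symbol

# Message hash worked in Figure 2 of the paper (positions are numbered 1..128).
EXAMPLE_HASH_HEX = (
    "8e8b47e6c1e58a60b2e24e2860022c859be1dbf24ca6c5195e688d5663128adc"
    "8ea51f8e3364c29d5019088716d1ac5c232bc8ae55d3066ded98c2d13396716c"
)


def chain(x, rounds):
    """Apply SHA256 'rounds' times: the plain hash chain used throughout the scheme."""
    for _ in range(rounds):
        x = hashlib.sha256(x).digest()
    return x


def keygen(seed=None):
    """Algorithm 1: sixteen 512-bit sk elements chained from a seed;
    each pk element is the 129th post-image of both halves of its sk element."""
    if seed is None:
        seed = os.urandom(64)
    s = hashlib.sha512(seed).digest()
    sk = []
    for _ in range(ELEMENTS):
        sk.append(s)
        s = hashlib.sha512(s).digest()
    pk = [chain(k[:HALF], CHAIN_LEN) + chain(k[HALF:], CHAIN_LEN) for k in sk]
    return sk, pk


def sum_index_strings(h_hex):
    """Eqs. 12-14: for each hex symbol, collect the 1-based positions at which it
    occurs in Hhex, sum the decimal digits of those positions, reduce to 1..128."""
    out = []
    for sym in HEX_SYMBOLS:
        positions = [i for i, c in enumerate(h_hex, start=1) if c == sym]
        digit_sum = sum(int(d) for i in positions for d in str(i))
        out.append(digit_sum % 128 + 1)
    return out


def sign(msg, sk):
    """Algorithm 2 / Eq. 15: forward half hashed s_i times, backward half 129 - s_i times."""
    s = sum_index_strings(hashlib.sha512(msg).hexdigest())
    return [chain(k[:HALF], s[i]) + chain(k[HALF:], CHAIN_LEN - s[i])
            for i, k in enumerate(sk)]


def verify(msg, sig, pk):
    """Eq. 16: complete both chains to 129 steps and compare the result with pk."""
    if len(sig) != ELEMENTS or any(len(e) != 2 * HALF for e in sig):
        return False  # malformed signature (length check added in this example)
    s = sum_index_strings(hashlib.sha512(msg).hexdigest())
    vk = [chain(e[:HALF], CHAIN_LEN - s[i]) + chain(e[HALF:], s[i])
          for i, e in enumerate(sig)]
    # constant-time comparison (added here; the paper only requires equality)
    return hmac.compare_digest(b"".join(vk), b"".join(pk))


def sizes_bytes(sig, pk):
    """Total signature and public key sizes in bytes (Eq. 9: 2^p * n bits each)."""
    return len(b"".join(sig)), len(b"".join(pk))


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed demo message"   # constructed sample input
    sig = sign(msg, sk)
    print("valid:", verify(msg, sig, pk))
    print("altered message:", verify(msg + b"!", sig, pk))
    print("sizes (sig, pk) in bytes:", sizes_bytes(sig, pk))
```

Two points worth checking against this code. First, the key is strictly one-time: a second signature under the same key releases a second point on each chain, and for any element whose two s_i values differ an observer holds f^min(fsk) and f^(129−max)(bsk) and can therefore produce the element for any value between them. Second, what is actually signed is the vector sum_index_string, sixteen values in the range 1..128, so two messages whose hashes reduce to the same sixteen values share a valid signature; a security argument for the scheme has to account for that mapping, not only for the 512-bit hash.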
V. NOTS SECURITY ANALYSIS
The foremost security requirement of NOTS is that it be instantiated with a secure hash function, one that resists three types of attack: pre-image attacks, second pre-image attacks, and collision attacks. In a pre-image attack the adversary (ADV) is given an output y and must find an input whose output is y (equation (17)). In a second pre-image attack the adversary knows an input-output pair (x, y) and must find a different input x' ≠ x with the same output y (equation (18)). In a collision attack the adversary must find any two distinct inputs that map to the same output (equation (19)). In each case the adversary's success probability must be bounded by a negligible ε.

$$\Pr\bigl[\, y = f_h(x);\; x' \leftarrow \mathrm{ADV}(y) \;:\; f_h(x') = y \,\bigr] \le \varepsilon \quad (17)$$

$$\Pr\bigl[\, y = f_h(x);\; x' \leftarrow \mathrm{ADV}(x, y) \;:\; x' \ne x \,\wedge\, f_h(x') = y \,\bigr] \le \varepsilon \quad (18)$$

$$\Pr\bigl[\, x, x' \leftarrow \mathrm{ADV} \;:\; x \ne x' \,\wedge\, f_h(x) = f_h(x') \,\bigr] \le \varepsilon \quad (19)$$

The resistance of a cryptographic protocol against a given type of attack is known as the security level offered by that protocol. The classical and quantum security levels offered by a hash function f_h depend upon
Algorithm 1 Key Generation
Input: security parameter n (we use n = 512)
Output: sk[ ], pk[ ]
  seed ← os.urandom(64)            // "seed" is a 512-bit (64-byte) cryptographic random value
  s ← sha512(seed)                 // hash of "seed"
  sk ← [ ]                         // "sk" initialization
  for a = 0 to 15 do               // "sk" is simply the hash chain of the seed
    sk.append(s)
    s ← sha512(s)
  end for
  pk ← [ ]                         // public key "pk" initialization
  for a = 0 to 15 do
    k ← sk[a]
    kf ← k[0:32]                   // each sk element is split into two 32-byte halves: "kf" (bytes 0..31) and "kb" (bytes 32..63)
    kb ← k[32:64]
    for b = 1 to 129 do            // a pk element is the 129th post-image of the corresponding sk element
      kf ← sha256(kf)              // the hash chains are applied to "kf" and "kb" separately
      kb ← sha256(kb)
    end for
    pk.append(kf || kb)            // concatenation of the final chain values gives the pk element
  end for
Algorithm 2 Signature Creation
Input: message M, private key sk[ ]
Output: signature σ[ ]
  H ← sha512(M)                    // hash of the message
  Hhex ← hexlify(H)                // hexadecimal representation of the message hash (128 symbols, positions 1..128)
  index_strings ← [ ]              // empty list "index_strings"
  hex_symbols ← "0123456789abcdef" // the hexadecimal alphabet
  for hs in hex_symbols do         // one index string per hexadecimal symbol
    str ← ""                       // empty string
    for a = 1 to 128 do            // scan the whole hexadecimal message hash
      if Hhex[a] == hs then        // collect the positions holding the current symbol
        str ← str || a             // the position a is appended as decimal digits
      end if
    end for
    index_strings.append(str)      // append "str" from the inner loop to "index_strings"
  end for
  sum_index_strings ← [ ]          // empty list "sum_index_strings"
  for indstr in index_strings do   // scan the whole list "index_strings"
    sum ← 0
    for d in indstr do             // each decimal digit of the string "indstr"
      sum ← sum + int(d)           // summing up the digits of "indstr"
    end for
    sum ← (sum mod 128) + 1        // ensures that "sum" always lies in the range 1..128
    sum_index_strings.append(sum)
  end for
  σ ← [ ]                          // signature initialized as an empty list
  for a = 0 to 15 do
    k ← sk[a]
    kf ← k[0:32]                   // each sk element is split into the forward half "kf" (bytes 0..31) and the backward half "kb" (bytes 32..63)
    kb ← k[32:64]
    for f = 1 to sum_index_strings[a] do         // "kf" is hashed sum_index_strings[a] times
      kf ← sha256(kf)
    end for
    for b = 1 to 129 − sum_index_strings[a] do   // "kb" is hashed 129 minus sum_index_strings[a] times
      kb ← sha256(kb)
    end for
    σ.append(kf || kb)             // concatenation of the two chain values gives the signature element
  end for
digest-size (d) of that function [32]. The post-quantum security level of a family of hash functions is smaller than its classical security level because of Grover's search algorithm [34]. A hash function with a d-bit digest provides d-bit classical and d/2-bit post-quantum security against pre-image and second pre-image attacks. Collision resistance is a stronger requirement and therefore harder to achieve: a d-bit hash function provides only d/2-bit classical and d/3-bit post-quantum security against collision attacks [30], [33]. Table 2 lists the classical and post-quantum security levels of the common hash functions.
A. FORMAL SECURITY PROOF OF NOTS
In this subsection we formally prove that NOTS is an existentially unforgeable signature scheme under adaptive chosen message attack (CMA). We prove that NOTS is unforgeable as long as the underlying hash function is a one-way hash function. Formally, we prove that the security of NOTS reduces to the onewayness of the hash function used to instantiate NOTS.
Algorithm 3 Signature Verification
Input: message (M), signature (σ[ ]), public key (pk[ ])
Output: Succeeded / Failed
1: Follow steps 1 to 22 of Algorithm 2 (Signature Creation) to generate the list "sum_index_strings"
2: vk ← [ ]                               // the public key recomputed by the verifier
3: for a = 0 → 15 do
4:   s ← σ[a]
5:   sf ← s[0 : 31]                       // each signature element is divided into two halves "sf" and "sb"
6:   sb ← s[32 : 63]
7:   for f = 1 → (129 − sum_index_strings[a]) do     // "sf" is hashed 129 − sum_index_strings[a] times
8:     sf ← sha256(sf)
9:   end for
10:  for b = 1 → sum_index_strings[a] do             // "sb" is hashed sum_index_strings[a] times
11:    sb ← sha256(sb)
12:  end for
13:  vk.append(sf + sb)                   // concatenation of the two chain results produces the corresponding vk element
14: end for
15: if vk[i] == pk[i] for all i ∈ {0, ..., 15} then  // the "vk" computed by the verifier must equal "pk"
16:   output: verification succeeded
17: else
18:   output: verification failed
19: end if
1) An overview of NOTS
NOTS is a triple (GEN, SIGN, VERIFY). GEN takes a security parameter n as input and returns a key pair (SK, PK), where SK = (sk_0, ..., sk_15) and PK = (pk_0, ..., pk_15). GEN follows Eq. (11) to compute each pk_i from the corresponding sk_i. SIGN takes a message M as input and returns the signature of M, σ_M. To compute the signature, SIGN derives a list of sixteen values, sum_index_strings (following Equations (12) to (14)), and transforms each sk_i into the corresponding σ_i following Eq. (15). VERIFY takes the message M, the signature σ_M, and the public key PK as input and returns TRUE if σ_M is a valid signature of M and FALSE otherwise. VERIFY follows Eq. (16) to compute a verification key VK and compares it with the public key PK to decide the validity of the signature.
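Algorithms 1 to 3, as a runnable Python example added for this page. It is not the authors' implementation; it follows the listings literally (SHA-512 seed chain, sixteen elements, two SHA-256 chains of length 129 per element, the hexadecimal index-string mapping with 1-based positions) and takes the two "halves" of a 64-byte element to be bytes 0..31 and 32..63. The function names keygen, sum_index_strings, sign, verify and sizes_in_bytes are this example's own.

```python
import hashlib
import os

ELEMENTS = 16          # sk, pk and the signature each have 16 elements (loops a = 0..15)
CHAIN_LEN = 129        # a pk half is the 129th SHA-256 post-image of the sk half
HEX_SYMBOLS = "0123456789abcdef"


def chain(x: bytes, n: int) -> bytes:
    """Apply SHA-256 n times to x (n = 0 returns x unchanged)."""
    for _ in range(n):
        x = hashlib.sha256(x).digest()
    return x


def keygen(seed=None):
    """Algorithm 1: sk is a SHA-512 hash chain of a 64-byte seed; each pk element is
    the concatenation of the 129th SHA-256 post-images of the two halves of sk[a]."""
    if seed is None:
        seed = os.urandom(64)          # 512-bit cryptographic random value
    s = hashlib.sha512(seed).digest()
    sk = []
    for _ in range(ELEMENTS):
        sk.append(s)
        s = hashlib.sha512(s).digest()
    # "halves" taken as bytes 0..31 (kf) and 32..63 (kb) of the 64-byte element
    pk = [chain(k[:32], CHAIN_LEN) + chain(k[32:], CHAIN_LEN) for k in sk]
    return sk, pk


def sum_index_strings(message: bytes):
    """Algorithm 2, steps 1-22: derive sixteen values in 1..128 from SHA-512(M).
    For each hex symbol, the 1-based positions at which it occurs in the 128-character
    hex digest are written in decimal and concatenated; the digits of that string are
    summed and the sum reduced as (sum mod 128) + 1."""
    hhex = hashlib.sha512(message).hexdigest()
    values = []
    for hs in HEX_SYMBOLS:
        index_string = "".join(str(a) for a, c in enumerate(hhex, start=1) if c == hs)
        digit_sum = sum(int(d) for d in index_string)
        values.append(digit_sum % 128 + 1)
    return values


def sign(message: bytes, sk):
    """Algorithm 2, steps 23-35: kf is hashed s times and kb is hashed 129 - s times."""
    return [chain(k[:32], s) + chain(k[32:], CHAIN_LEN - s)
            for k, s in zip(sk, sum_index_strings(message))]


def verify(message: bytes, sig, pk) -> bool:
    """Algorithm 3: finish both chains (129 - s more steps on the first half, s on the
    second) and compare the recomputed key vk with pk. Only sum_index_strings(M) is
    derived from the message."""
    if len(sig) != ELEMENTS or any(len(e) != 64 for e in sig):
        return False
    sis = sum_index_strings(message)
    vk = [chain(e[:32], CHAIN_LEN - s) + chain(e[32:], s) for e, s in zip(sig, sis)]
    return vk == pk


def sizes_in_bytes(sk, pk, sig):
    """Key and signature sizes: 16 elements of 64 bytes each, i.e. 1024 bytes (Table 3)."""
    return sum(map(len, sk)), sum(map(len, pk)), sum(map(len, sig))
```

Calling verify with a second message exercises the only message-dependent step: the verifier recomputes sum_index_strings(M) and uses nothing else from M, so a signature is bound to those sixteen values rather than to the full 512-bit digest, which is also why the reductions in Subsections V-A3 and V-A4 reason about those values. The one-time rule of every OTS still applies: a key pair from keygen must sign exactly one message.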
2) Existential unforgeability of NOTS
GEN generates a new key pair (SK, PK). A signing oracle O with knowledge of SK can sign an arbitrary number of messages. A forger FOR accepts the challenge of breaking the security of NOTS. FOR knows PK and the NOTS algorithms, but not SK. FOR may query a message M_Q to O, and O must return a valid signature of M_Q to FOR. In the end, FOR returns a message-signature pair (M_F, σ_F) to O. FOR wins the game if σ_F is a valid signature of M_F and M_F ≠ M_Q. NOTS is existentially unforgeable if, when FOR queries at most one message to O, the success probability of FOR within time t is at most ε. Formally, NOTS is a (t, ε, 1)-existentially unforgeable signature scheme.
3) Security reduction to pre-image resistance
The background provided in Subsections V-A1 and V-A2 allows us to present our security reduction proof. In this subsection we prove that the security of NOTS reduces to the onewayness of the hash function used by NOTS. An adversary ADV_onewayness, acting as the signing oracle O, initiates the experiment. Algorithm 4 explains how ADV_onewayness can use the forger FOR_NOTS to break the onewayness of the hash function f_ow used by NOTS. ADV_onewayness starts by generating a new key pair (SK, PK). It then alters the forward (first) half of a randomly chosen pk element, fpk_α: it hashes the challenge post-image y (for which it has to find a pre-image) 129 − β times and sets the result as the new value of fpk_α, where β is also chosen at random. Then it runs FOR_NOTS. When FOR_NOTS queries a message M_Q for signing, ADV_onewayness either responds with a valid signature σ_Q of M_Q or aborts (Lines 6 to 11). Finally, when FOR_NOTS returns a message-signature pair (M_F, σ_F), ADV_onewayness can return the challenge pre-image x if and only if the conditions in Line 13 are satisfied and the value of sum_index_strings_α for M_F is strictly smaller than β (Lines 14 and 15).

We now compute the success probability of ADV_onewayness. Since ADV_onewayness chooses both α and β uniformly at random, its success probability in Lines 6 to 11 is (128 − β)/2048. The success probability of FOR_NOTS in Line 13 is ε_NOTS. Finally, the success probability of ADV_onewayness in Line 14 is β/2048. This allows us to conclude that the overall maximum success probability of ADV_onewayness is ε_NOTS / 2^50. The total time taken by ADV_onewayness, t_ADV_onewayness, includes the key generation time t_GEN (Line 1), the signing time t_SIGN (Lines 8 to 10), and the forger's time t_NOTS (Line 12). Hence NOTS is existentially unforgeable under the CMA model with ε_NOTS ≤ 2^50 · ε_onewayness and t_NOTS = t_onewayness − t_GEN − t_SIGN. The reduction of NOTS to the onewayness of the underlying hash function allows us to infer that NOTS provides 128-bit post-quantum security.
Algorithm 4 ADV_onewayness
Input: NOTS scheme (GEN, SIGN, VERIFY), one-way function f_ow, security parameter n, forger FOR, a post-image y
Output: A pre-image x computed from y, such that y = f_ow(x), or fail
1: Generate a new NOTS key pair (SK, PK)
2: Randomly choose an α ∈ {0, ..., 15}
3: Randomly choose a β ∈ {1, ..., 128}
4: fpk_α ← f_ow^{129−β}(y)                // ADV tampers with the first half of the corresponding PK item
5: Run the forger FOR(·, PK)
6: When FOR queries a signature on a message M_Q then
7:   If sum_index_strings^Q_α < β then return fail
8:   Generate the signature on message M_Q as:
9:     σ^Q_i ← f_ow^{sum_index_strings^Q_i}(fsk_i) + f_ow^{129 − sum_index_strings^Q_i}(bsk_i) for i ≠ α, where sk_i = fsk_i + bsk_i
10:    σ^Q_α ← f_ow^{sum_index_strings^Q_α − β}(y) + f_ow^{129 − sum_index_strings^Q_α}(bsk_α)
11:  Send σ^Q back to FOR
12: When FOR returns a message/signature pair (M_F, σ_F) then
13:   If σ_F is a valid signature of M_F and M_F ≠ M_Q then
14:     If sum_index_strings^F_α ≥ β then return fail      // the exponent in Line 15 must be non-negative
15:     Compute x ← f_ow^{β − sum_index_strings^F_α − 1}(fσ^F_α)    // "fσ" refers to the first half of the corresponding signature item
16:     return x
17: In all other cases return fail
4) Security reduction to collision resistance
This subsection formally reduces the security of NOTS to the collision resistance of the hash function f_cr used by the scheme. Algorithm 5 explains how an adversary ADV_collision can exploit a forger FOR_NOTS to find collisions in f_cr. ADV generates a new key pair (SK, PK) [step 1]. Then ADV starts the forger FOR, giving it the corresponding public key PK [step 2]. FOR can ask ADV to sign a message M_Q, and ADV returns a valid signature of M_Q to FOR [steps 3, 4]. Finally, ADV exploits the message-signature pair (M_F, σ_F) returned by FOR to find a collision in f_cr [steps 5 to 11].
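The chain-walking step of Algorithm 5 (steps 8 to 10) as an added, runnable Python example; it is not part of the paper. The extraction only makes sense when a forged signature half differs from the honest chain value yet still verifies, so the example replaces f_cr with a toy 16-bit truncation of SHA-256 (an assumption made for the demonstration, where such merging values can be found by brute force; with full SHA-256 the same search is infeasible) and constructs the forged half deterministically. The names f_toy, build_forgery, extract_collision and forged_half_verifies are this example's own.

```python
import hashlib

CHAIN_LEN = 129                      # a pk half is the 129th post-image of the sk half


def f_toy(x: bytes) -> bytes:
    """Toy stand-in for f_cr: SHA-256 truncated to 16 bits. Constructed for this example
    so that chains that merge can be found by brute force; it is not collision resistant."""
    return hashlib.sha256(x).digest()[:2]


def chain(f, x: bytes, n: int) -> bytes:
    """f^n(x): apply f to x n times (n = 0 returns x)."""
    for _ in range(n):
        x = f(x)
    return x


def extract_collision(f, fsk_i: bytes, s_f: int, fsig_i: bytes):
    """Algorithm 5, steps 8-10, for one signature element i.

    fsk_i  : first half of the secret element sk_i (ADV_collision knows SK)
    s_f    : sum_index_strings^F_i computed from the forged message M_F
    fsig_i : first half of the forged signature element sigma^F_i
    Returns (x, x') with x != x' and f(x) == f(x'), or None when fsig_i is just the
    honest value f^{s_f}(fsk_i) (step 8 finds no usable element).
    """
    a = chain(f, fsk_i, s_f)                  # honest value f^{s_f}(fsk_i)
    b = fsig_i
    if a == b:
        return None
    # Step 9: walk both chains in lockstep. Before step j the invariant is
    # a = f^{s_f + (j-1)}(fsk_i), b = f^{j-1}(fsig_i) and a != b.
    for _j in range(1, CHAIN_LEN + 1):
        fa, fb = f(a), f(b)
        if fa == fb:
            return a, b                       # step 10: distinct pre-images of one value
        a, b = fa, fb
    return None                               # unreachable if sigma^F verified


def build_forgery(f, fsk_i: bytes, max_tries: int = 20000):
    """Deterministically construct a forged first half that still verifies against
    fpk_i = f^129(fsk_i): search for a value whose own chain merges into the honest
    chain (feasible only because f_toy is 16-bit). Returns (s_f, fsig_i)."""
    honest = [fsk_i]
    for _ in range(CHAIN_LEN):
        honest.append(f(honest[-1]))
    first_pos = {}
    for p, v in enumerate(honest):
        first_pos.setdefault(v, p)
    for t in range(max_tries):
        cand = hashlib.sha256(b"forgery-candidate-%d" % t).digest()[:2]
        if cand in first_pos:
            continue                          # an honest chain value is not a forgery
        x = cand
        for k in range(1, CHAIN_LEN + 1):
            x = f(x)
            if x in first_pos:                # merges at honest position p after k steps,
                s_f = first_pos[x] - k        # so f^{129 - s_f}(cand) = f^{129}(fsk_i)
                if 1 <= s_f <= 128:
                    return s_f, cand
                break
    raise RuntimeError("no merging candidate within max_tries")


def forged_half_verifies(f, fsk_i: bytes, s_f: int, fsig_i: bytes) -> bool:
    """The verifier's check on the first half (Algorithm 3, steps 7-8 and 15)."""
    return chain(f, fsig_i, CHAIN_LEN - s_f) == chain(f, fsk_i, CHAIN_LEN)


def demo():
    fsk_i = hashlib.sha256(b"constructed secret half").digest()   # constructed 32-byte sk half
    s_f, fsig_i = build_forgery(f_toy, fsk_i)
    return {
        "s_f": s_f,
        "verifies": forged_half_verifies(f_toy, fsk_i, s_f, fsig_i),
        "collision": extract_collision(f_toy, fsk_i, s_f, fsig_i),
    }
```

The example shows the property the reduction relies on: the verifier only needs the forged chain to have merged into the honest chain by the 129th step, and the adversary, knowing fsk_i, recovers the colliding pair at the first merge point. With a real 256-bit f_cr, build_forgery would need to find such a merge by brute force, which is exactly the collision-finding work the reduction charges to the forger.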
5) Quantum-resiliency in NOTS
NOTS is purely based on hash functions, which are provably quantum-resistant [16]. Even a powerful quantum computer can only slightly reduce the security of hash functions [30], using Grover's quantum search algorithm [34]. This effect is easily offset by increasing the digest size of the hash function. For example, against a quantum computer the collision security of the common hash function SHA256 decreases from 128 bits to 85 bits. The loss is compensated by replacing SHA256 with SHA384, which offers 128-bit post-quantum security [33].
VI. NOTS KEY AND SIGNATURE SIZES
NOTS offers a significant reduction in both key and signature sizes compared to all existing OTS/FTS schemes. The popular OTS/FTS schemes proposed before NOTS include Lamport OTS [13], WOTS and its variants [14], [15], [16], HORS [17], and PORS [19]. NOTS is basically a WOTS-like scheme, which allows the public key to be computed purely from the signature without any additional information. The key and signature lengths of WOTS-like schemes are already smaller than those of the other OTS/FTS schemes; however, NOTS offers a further significant reduction in both compared to WOTS and its existing variants. A comparison of the key and signature sizes of NOTS with the other OTS/FTS schemes is given in Table 3. The formulas for computing the key and signature sizes of the different OTS/FTS schemes have already been explained in Subsection III-A (see Equations (1) to (9)). The key and signature sizes vary with the values of certain parameters; therefore Table 3 also specifies the parameter values we set for the comparison. Here we briefly explain those parameters. n is the bit-length of an individual key/signature element; the size of an individual element is directly related to the security strength of the scheme. The digest size of the hash function f_H used by the scheme to transform an sk_i into the corresponding pk_i also affects the key/signature sizes and the security strength. l is the bit-length of the hash H of the message to be signed. |key| is the number of elements in SK/PK. w is the number of hash iterations used to transform an sk_i into the corresponding pk_i. |σ| is the number of elements in the signature. σ-size is the size of the signature (in KB) for the parameter values in the corresponding row, and key-size is the size of SK/PK (in KB) for the same values. Finally, the post-quantum security level (PQ-SL) lets the reader compare the security strengths of the schemes against quantum-computer-based attacks.

The comparison shows that NOTS offers an 88% reduction in both key and signature sizes compared to WOTS and an 84% reduction in both compared to WOTS^PRF. Furthermore, NOTS offers an 84% and an 86% reduction in signature and key size respectively compared to the compact variant of WOTS, WOTS+. NOTS achieves these reductions at the 128-bit post-quantum security level listed in Table 3 (lower than the 171 to 185 bits of the other rows, but still an appropriate post-quantum level).
Algorithm 5 ADV_collision
Input: NOTS scheme (GEN, SIGN, VERIFY), collision-resistant function f_cr, security parameter n, forger FOR
Output: x, x' such that x ≠ x' ∧ f_cr(x) = f_cr(x'), or fail
1: Generate a new NOTS key pair (SK, PK)
2: Run the forger FOR(·, PK)
3: When FOR queries a signature on a message M_Q then
4:   Respond to FOR with σ^Q
5: When FOR returns a message/signature pair (M_F, σ_F) then
6:   If σ_F is a valid signature of M_F and M_F ≠ M_Q then
7:     Compute sum_index_strings for M_F
8:     If there exists an i such that f_cr^{sum_index_strings^F_i}(fsk_i) ≠ fσ^F_i then
9:       Compute the smallest j such that f_cr^{sum_index_strings^F_i + j}(fsk_i) = f_cr^{j}(fσ^F_i) and f_cr^{sum_index_strings^F_i + (j−1)}(fsk_i) ≠ f_cr^{j−1}(fσ^F_i)
10:      x ← f_cr^{sum_index_strings^F_i + (j−1)}(fsk_i),  x' ← f_cr^{j−1}(fσ^F_i)
11:      return (x, x')
12: In any other case return fail

Table 3: Key and signature sizes: Hash-based OTS/FTS schemes

Scheme          n(1)  Hash function  l(2)  |Key|(3)  w(4)  |σ|(5)  σ-size(6)  Key-size(7)  PQ-SL(8)
Lamport [13]    512   SHA512         512   1024      1     512     32.8       65.5         171
WOTS [14]       512   SHA512         512   131       16    131     8.4        8.4          171
WOTS^PRF [15]   384   SHA384         512   131       16    131     6.3        6.3          173
WOTS+ [16]      384   SHA384         512   147       16    131     6.3        7.1          185
PORS [19]       512   SHA512         512   65536     1     32      2.0        4194         171
NOTS            512   SHA256         512   16        129   16      1.0        1.0          128

(1) Security parameter n: the bit-length of an individual key/signature element
(2) The bit-length of the hash of the message to be signed
(3) The total number of elements in the private/public key
(4) The number of hash iterations to transform an sk element into the corresponding pk element
(5) The total number of elements in the signature
(6) The size of the signature in KB
(7) The size of the private/public key in KB
(8) The post-quantum security level offered by the scheme

VII. NOTS EXECUTION TIME
NOTS offers a fairly small execution time. The exact execution times of the three algorithms, key generation, signature creation, and signature verification, are shown in the graphs in Figures 3, 4, and 5 respectively. The graphs also compare the execution time of NOTS with the other OTS/FTS schemes. All results were taken on an Intel Core i5 CPU (2.4 GHz) with 4 GB RAM, running the 32-bit release of Windows 8.1. The schemes were implemented in Python using JetBrains PyCharm Community Edition 2018.3.3. The parameter values for these implementations are the same as in Table 3. The results show that the execution time of NOTS is comparable to that of the other OTS/FTS schemes. Because NOTS is a WOTS-like scheme, we were especially interested in comparing its execution time with WOTS [14] and WOTS+ [16]. The results show that the execution time of NOTS is equal to that of WOTS, whereas NOTS is clearly faster than WOTS+. WOTS+ uses bit-masking and randomization to replace the collision-resistant (CR) hash function by an undetectable one-way function; however, research reports that bit-masking is more expensive to achieve on quantum processors than collision resistance [35]. Therefore, NOTS is based on plain CR hash functions and avoids bit-masking and randomization operations.
Figure 3: Key Generation Time (seconds) of the OTS/FTS Schemes. Lamport [13]: 0.006; WOTS [14]: 0.012; WOTS+ [16]: 0.043; PORS [19]: 0.517; NOTS: 0.008.

Figure 4: Sig. Creation Time (seconds) of the OTS/FTS Schemes. Lamport [13]: 0.001; WOTS [14]: 0.007; WOTS+ [16]: 0.025; PORS [19]: 0.0001; NOTS: 0.007.

Figure 5: Sig. Verification Time (seconds) of the OTS/FTS Schemes. Lamport [13]: 0.004; WOTS [14]: 0.006; WOTS+ [16]: 0.024; PORS [19]: 0.001; NOTS: 0.007.

VIII. CONCLUSIONS
In this article we have proposed a novel one-time signature scheme, NOTS, which offers the smallest key and signature sizes of all existing OTS/FTS schemes. NOTS achieves an 88% reduction in both key and signature sizes compared to the popular WOTS scheme. Furthermore, NOTS achieves an 84% and an 86% reduction in signature and key size respectively compared to the existing compact variant of WOTS, WOTS+. The execution time of NOTS is fairly small for all three algorithms: key generation, signature creation, and signature verification. NOTS offers an appropriate level of post-quantum security. NOTS can be used as the base OTS of any of the popular hash-based digital signature schemes, such as XMSS or XMSS^MT, to achieve a substantial reduction in both key and signature sizes. The minimal key and signature sizes of NOTS allow us to hope that NOTS-based digital signature schemes will prove a strong alternative to ECDSA in cryptocurrencies in the quantum era.
ACKNOWLEDGMENT
M. Imran and M. Shoaib are supported by the Deanship of
Scientific Research at King Saud University through research
group project number RG-1439-036.
References
[1] W. Diffie and M. Hellman, "New directions in cryptography," IEEE Trans. Inf. Theory, vol. 22, no. 6, pp. 644–654, Nov. 1976. [Online]. Available: http://dx.doi.org/10.1109/TIT.1976.1055638
[2] R. L. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Commun. ACM, vol. 21, no. 2, pp. 120–126, Feb. 1978. [Online]. Available: http://doi.acm.org/10.1145/359340.359342
[3] T. Elgamal, "A public key cryptosystem and a signature scheme based on discrete logarithms," IEEE Transactions on Information Theory, vol. 31, no. 4, pp. 469–472, July 1985.
[4] K. Koyama, U. M. Maurer, T. Okamoto, and S. A. Vanstone, "New public-key schemes based on elliptic curves over the ring Z_n," in Proceedings of the 11th Annual International Cryptology Conference on Advances in Cryptology, ser. CRYPTO '91. London, UK: Springer-Verlag, 1992, pp. 252–266. [Online]. Available: http://dl.acm.org/citation.cfm?id=646756.705363
[5] P. W. Shor, "Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer," SIAM J. Comput., vol. 26, no. 5, pp. 1484–1509, Oct. 1997. [Online]. Available: http://dx.doi.org/10.1137/S0097539795293172
[6] D. Aggarwal, G. Brennen, T. Lee, M. Santha, and M. Tomamichel, "Quantum attacks on Bitcoin, and how to protect against them," Ledger, vol. 3, Oct. 2017.
[7] W. Buchanan and A. Woodward, "Will quantum computers be the end of public key encryption?" Journal of Cyber Security Technology, pp. 1–22, Sep. 2016.
[8] J. Buchmann, C. Coronado, M. Döring, D. Engelbert, C. Ludwig, R. Overbeck, A. Schmidt, A. Vollmer, and R.-P. Weinmann, "Post-quantum signatures," IACR Cryptology ePrint Archive, 2004.
[9] J. Buchmann, E. Dahmen, and M. Szydlo, Hash-based Digital Signature Schemes. Berlin, Heidelberg: Springer, 2009, pp. 35–93. [Online]. Available: https://doi.org/10.1007/978-3-540-88702-7_3
[10] C. Dods, N. P. Smart, and M. Stam, "Hash based digital signature schemes," in Cryptography and Coding, N. P. Smart, Ed. Berlin, Heidelberg: Springer, 2005, pp. 96–115.
[11] D. Naor, A. Shenhav, and A. Wool, "One-time signatures revisited: Practical fast signatures using fractal Merkle tree traversal," in 2006 IEEE 24th Convention of Electrical and Electronics Engineers in Israel, Nov. 2006, pp. 255–259.
[12] J. Buchmann, E. Dahmen, and A. Hülsing, "XMSS – A practical forward secure signature scheme based on minimal security assumptions," in Post-Quantum Cryptography, B.-Y. Yang, Ed. Berlin, Heidelberg: Springer, 2011, pp. 117–129.
[13] L. Lamport, "Constructing digital signatures from a one-way function," Tech. Rep., 1979.
[14] R. C. Merkle, "A certified digital signature," in Advances in Cryptology – CRYPTO '89 Proceedings, G. Brassard, Ed. New York, NY: Springer, 1990, pp. 218–238.
[15] J. Buchmann, E. Dahmen, S. Ereth, A. Hülsing, and M. Rückert, "On the security of the Winternitz one-time signature scheme," in Progress in Cryptology – AFRICACRYPT 2011, A. Nitaj and D. Pointcheval, Eds. Berlin, Heidelberg: Springer, 2011, pp. 363–378.
[16] A. Hülsing, "W-OTS+ – Shorter signatures for hash-based signature schemes," in Progress in Cryptology – AFRICACRYPT 2013, A. Youssef, A. Nitaj, and A. E. Hassanien, Eds. Berlin, Heidelberg: Springer, 2013, pp. 173–188.
[17] L. Reyzin and N. Reyzin, "Better than BiBa: Short one-time signatures with fast signing and verifying," in Information Security and Privacy, L. Batten and J. Seberry, Eds. Berlin, Heidelberg: Springer, 2002, pp. 144–153.
[18] D. J. Bernstein, D. Hopwood, A. Hülsing, T. Lange, R. Niederhagen, L. Papachristodoulou, M. Schneider, P. Schwabe, and Z. Wilcox-O'Hearn, "SPHINCS: Practical stateless hash-based signatures," in Advances in Cryptology – EUROCRYPT 2015, E. Oswald and M. Fischlin, Eds. Berlin, Heidelberg: Springer, 2015, pp. 368–397.
[19] J.-P. Aumasson and G. Endignoux, "Improving stateless hash-based signatures," in Topics in Cryptology – CT-RSA 2018, N. P. Smart, Ed. Cham: Springer, 2018, pp. 219–242.
[20] A. Hülsing, L. Rausch, and J. Buchmann, "Optimal parameters for XMSS^MT," in Security Engineering and Intelligence Informatics, A. Cuzzocrea, C. Kittl, D. E. Simos, E. Weippl, and L. Xu, Eds. Berlin, Heidelberg: Springer, 2013, pp. 194–208.
[21] S. Gueron and N. Mouha, "SPHINCS-Simpira: Fast stateless hash-based signatures with post-quantum security," IACR Cryptology ePrint Archive, vol. 2017, p. 645, 2017.
[22] S. Gueron and N. Mouha, "Simpira v2: A family of efficient permutations using the AES round function," in Advances in Cryptology – ASIACRYPT 2016, J. H. Cheon and T. Takagi, Eds. Berlin, Heidelberg: Springer, 2016, pp. 95–125.
[23] S. Popov, "The tangle," IOTA white paper, 2017. [Online]. Available: http://iotatoken.com/IOTA_Whitepaper.pdf
[24] theQRL, "The quantum resistant ledger," QRL white paper, 2016. [Online]. Available: https://github.com/theQRL/Whitepaper/blob/master/QRL_whitepaper.pdf
[25] E. Kiktenko, N. Pozhar, M. Anufriev, A. Trushechkin, R. Yunusov, Y. Kurochkin, A. Lvovsky, and A. Fedorov, "Quantum-secured blockchain," Quantum Science and Technology, vol. 3, May 2017.
[26] K. Ikeda, "qBitcoin: A peer-to-peer quantum cash system," in Intelligent Computing, K. Arai, S. Kapoor, and R. Bhatia, Eds. Cham: Springer, 2019, pp. 763–771.
[27] R. El Bansarkhani, M. Geihs, and J. Buchmann, "PQChain: Strategic design decisions for distributed ledger technologies against future threats," IEEE Security & Privacy, vol. 16, pp. 57–65, July 2018.
[28] Y. Gao, X. Chen, Y. Sun, X. Niu, and Y. Yang, "A secure cryptocurrency scheme based on post-quantum blockchain," IEEE Access, vol. PP, pp. 1–1, Apr. 2018.
[29] C.-Y. Li, X.-B. Chen, Y.-L. Chen, Y.-Y. Hou, and J. Li, "A new lattice-based signature scheme in post-quantum blockchain network," IEEE Access, vol. PP, pp. 1–1, Dec. 2018.
[30] E. Dahmen, K. Okeya, T. Takagi, and C. Vuillaume, "Digital signatures out of second-preimage resistant hash functions," in Post-Quantum Cryptography, J. Buchmann and J. Ding, Eds. Berlin, Heidelberg: Springer, 2008, pp. 109–123.
[31] L. C. Coronado García, "On the security and the efficiency of the Merkle signature scheme," IACR Cryptology ePrint Archive, vol. 2005, p. 192, 2005.
[32] A. K. Lenstra, "Key length. Contribution to the Handbook of Information Security," 2004.
[33] K. Chalkias, J. Brown, M. Hearn, T. Lillehagen, I. Nitto, and T. Schroeter, "Blockchained post-quantum signatures," in 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), 2018, pp. 1196–1203.
[34] L. K. Grover, "A fast quantum mechanical algorithm for database search," in Proceedings of the 28th Annual ACM Symposium on Theory of Computing. ACM, 1996, pp. 212–219.
[35] D. J. Bernstein, "Cost analysis of hash collisions: Will quantum computers make SHARCS obsolete?" 2009.
FURQAN SHAHID is pursuing his Ph.D. degree in Computer Science at COMSATS University Islamabad (CUI), Islamabad, Pakistan. Previously, he completed his MS/M.Phil. in Software Engineering at International Islamic University, Islamabad (IIUI) in 2012. He received his Master's degree in Computer Science from the University of Agriculture, Faisalabad (UAF), and completed his Bachelor's in Computer Science at Petroman Training Institute, Faisalabad, in affiliation with Allama Iqbal Open University (AIOU), Islamabad. His research interests include distributed ledgers, post-quantum cryptography, IoT, hash-based digital signature schemes, cryptocurrencies, and garbled computing.

IFTIKHAR AHMAD is a faculty member in the Information Technology Department of the Faculty of Computing and Information Technology. He has also served as a faculty member and research supervisor at various universities since 2001, and has been involved in several funded projects as PI and Co-PI. He holds a Ph.D. in Information Technology from Universiti Teknologi PETRONAS, Malaysia (2011). He obtained his MS/M.Phil. degree in Computer Science from COMSATS Institute of Information Technology, Abbottabad, Pakistan, in 2007, his M.Sc. in Computer Science from the University of Agriculture, Faisalabad, Pakistan, in 2001, and his B.Sc. degree from Islamia University, Bahawalpur, Pakistan, in 1999. He has published several papers in reputed journals and conferences and is a member of several scientific and professional bodies.

MUHAMMAD IMRAN is an Associate Professor in the College of Applied Computer Science at King Saud University, Saudi Arabia. He received a Ph.D. in Information Technology from Universiti Teknologi PETRONAS, Malaysia, in 2011. His research interests include the Internet of Things, mobile and wireless networks, big data analytics, cloud computing, and information security. His research is financially supported by several grants, and he has completed a number of international collaborative research projects with reputable universities. He has published more than 150 research articles in top conferences and journals. The European Alliance for Innovation (EAI) has appointed him Editor in Chief of EAI Transactions on Pervasive Health and Technology. He also serves as an associate editor for reputable international journals such as IEEE Communications Magazine, Future Generation Computer Systems, IEEE Access, Ad Hoc & Sensor Wireless Networks Journal (SCIE), IET Wireless Sensor Systems, and the International Journal of Autonomous and Adaptive Communication Systems (Inderscience). He has served as a guest editor for more than a dozen special issues in journals such as IEEE Communications Magazine, Computer Networks (Elsevier), Future Generation Computer Systems (Elsevier), MDPI Sensors, International Journal of Distributed Sensor Networks (Hindawi), Journal of Internet Technology, and International Journal of Autonomous and Adaptive Communications Systems. He has been involved in more than seventy conferences and workshops in various capacities, such as chair, co-chair, and technical program committee member.

MUHAMMAD SHOAIB received his Ph.D. degree in Communication and Information Systems from Beijing University of Posts and Telecommunications, China (2010). He received his M.Eng. (2005) and B.Eng. (1995) from NED University of Engineering and Technology, Karachi. His areas of research include video compression techniques, multilayer video coding, commercial data center facilities, and IP packet-based networks, infrastructure, and security. He worked as a Senior Manager (IP Operations, South) at Pakistan Telecommunication Company Limited, Pakistan, and as a Maintenance Engineer at R. M. International. Currently, he is an Assistant Professor in the College of Computer and Information Sciences (Information Systems Department) at King Saud University.