Table 3: Parameters and costs of two OTS.
w key & sig. length Winternitz proposed
wL l KeyGen Sign Verify b KeyGen Sign Verify
55 14,080 32 1,705 852 852 14 1,540 770 770
45 11,520 64 2,835 1,417 1,417 29 2,610 1,305 1,305
39 9,984 128 4,953 2,476 2,476 55 4,290 2,145 2,145
34 8,704 256 8,670 4,335 4,335 113 7,684 3,842 3,842
Find hash values just before the converging point
of the two chains, and the values give the collision of
the hash function h. Goal 3 is achieved in this case.
In summary, the probability that A
2
achieves either
one of three goals is
1
2
p
A
+
p
B
2
1 −
T
0
w−1,b
T
0
w,b
!!
or more, which is non-negligible if A
1
wins the
game with non-negligible probability.
This brings a contradiction to our assumptions,
and it is concluded that there is no polynomial-
time algorithm like A
1
that wins the game with non-
negligible probability. □
6 COMPARISON OF
EFFICIENCY
This section is to compare the efficiency of Winternitz
OTS and the proposed OTS. For the fairness of com-
parison, we first need to set up the two OTS so that
they have the same security level.
Fortunately, both Winternitz OTS and the pro-
posed OTS are provably secure, and it is likely no
attacking method can do better than the exhaustive at-
tack. The security of the OTS is thus determined by
the bit length of the hash and fingerprinting functions.
We, therefore, consider Winternitz OTS and the pro-
posed OTS that are both set up for the same security
parameter n = 256 and consider to use the same hash
function that produces 256-bit hash values (L = 256).
Another point we need to remark on is that there is
a certain time-space trade-off in both Winternitz OTS
and the proposed OTS.
To avoid complications, we select parameter val-
ues so that the two OTS have the same key length
(the same signature length), and compare the costs for
KeyGen, Sign, and Verify.
Consider parameter values of Winternitz OTS that
have been shown in Tab. 1. For each value of w =
55,45, 39,34 in Tab. 1, we determined the value of b
that is necessary to make T
0
w,b
≥ 2
256
. Tab. 3 shows the
values of l and b, and the costs for three operations of
the two OTS, where average costs are shown for Sign
and Verify in Winternitz OTS.
We can see from the table that the proposed
scheme reduces by about 10% of the costs for opera-
tions in Winternitz OTS.
This improvement is made because the proposed
OTS uses shorter hash chains (length 2b) than Winter-
nitz OTS (length l −1), which is enabled by the use of
zero-sum fingerprints as a means to constitute a mutu-
ally unordered set. The set of zero-sum fingerprints is
“denser” than the set of check-summed fingerprints,
and short hash chains suffice to accommodate enough
fingerprints.
7 CONCLUSION
This study focused on the check-sum mechanism in
Winternitz OTS and characterized the security of the
scheme in terms of mutually unordered sets. Then
we investigated a zero-sum fingerprinting function as
a practical means to obtain fingerprints in a mutu-
ally unordered set. Investigations show that about a
10% reduction of the costs for operations is possible
by using the proposed OTS. We also showed that the
proposed scheme is strongly existential unforgeable
and thus has provable security, which is essential and
mandatory in the study of modern cryptology. These
results seem to suggest that there is little technical ad-
vantage in continuously using Winternitz OTS.
We also note that the approach taken in this study
is combinable with other investigations that try to
strengthen Winternitz OTS. For example, the pro-
posed zero-sum fingerprinting function can be in-
corporated in WOTS+(Hulsing, 2013), and in more
advanced scheme including SPHINCS+(Aumasson
et al., 2020), one of digital signature algorithms that
were selected in the PQC standardizations process of
NIST(Nat. Inst. of Standards and Technology, 2022).
REFERENCES
Aumasson, J., Daniel, J., et al. (2020). SPHINCS+. Sub-
mission to the NIST post-quantum project.
SECRYPT 2023 - 20th International Conference on Security and Cryptography
310