On the security of the Winternitz one-time signature scheme

J. Buchmann; E. Dahmen; S. Ereth; A. Hülsing; M. Rückert

doi:10.1504/IJACT.2013.053435

On the security of the Winternitz one-time signature scheme

J. Buchmann, E. Dahmen, S. Ereth, A. Hülsing, M. Rückert

Applied and Provable Security

Research output: Contribution to journal › Article › Academic › peer-review

15 Citations (Scopus)

Abstract

We show that the Winternitz one-time signature scheme is existentially unforgeable under adaptive chosen message attacks when instantiated with a family of pseudorandom functions. Our result halves the signature size at the same security level, compared to previous results, which require a collision resistant hash function. We also consider security in the strong sense and show that the Winternitz one-time signature scheme is strongly unforgeable assuming additional properties of the pseudorandom function family. In this context we formally define several key-based security notions for function families and investigate their relation to pseudorandomness. All our reductions are exact and in the standard model and can directly be used to estimate the output length of the hash function required to meet a certain security level.

Original language	English
Pages (from-to)	84-96
Number of pages	13
Journal	International Journal of Applied Cryptography
Volume	3
Issue number	1
DOIs	https://doi.org/10.1504/IJACT.2013.053435
Publication status	Published - 2013

Keywords

Applied cryptography
EU-CMA
Hash-based signatures
One-time signature schemes
Post-quantum signatures
PRFs
Pseudorandom functions
Security notions
Security reductions
SU-CMA
Winternitz one-time signature scheme

Access to Document

10.1504/IJACT.2013.053435

Cite this

@article{396b04d7af074bae931fa70619f6dd9d,

title = "On the security of the Winternitz one-time signature scheme",

abstract = "We show that the Winternitz one-time signature scheme is existentially unforgeable under adaptive chosen message attacks when instantiated with a family of pseudorandom functions. Our result halves the signature size at the same security level, compared to previous results, which require a collision resistant hash function. We also consider security in the strong sense and show that the Winternitz one-time signature scheme is strongly unforgeable assuming additional properties of the pseudorandom function family. In this context we formally define several key-based security notions for function families and investigate their relation to pseudorandomness. All our reductions are exact and in the standard model and can directly be used to estimate the output length of the hash function required to meet a certain security level.",

keywords = "Applied cryptography, EU-CMA, Hash-based signatures, One-time signature schemes, Post-quantum signatures, PRFs, Pseudorandom functions, Security notions, Security reductions, SU-CMA, Winternitz one-time signature scheme",

author = "J. Buchmann and E. Dahmen and S. Ereth and A. H{\"u}lsing and M. R{\"u}ckert",

year = "2013",

doi = "10.1504/IJACT.2013.053435",

language = "English",

volume = "3",

pages = "84--96",

journal = "International Journal of Applied Cryptography",

issn = "1753-0563",

publisher = "Inderscience Enterprises Ltd.",

number = "1",

}

TY - JOUR

T1 - On the security of the Winternitz one-time signature scheme

AU - Buchmann, J.

AU - Dahmen, E.

AU - Ereth, S.

AU - Hülsing, A.

AU - Rückert, M.

PY - 2013

Y1 - 2013

N2 - We show that the Winternitz one-time signature scheme is existentially unforgeable under adaptive chosen message attacks when instantiated with a family of pseudorandom functions. Our result halves the signature size at the same security level, compared to previous results, which require a collision resistant hash function. We also consider security in the strong sense and show that the Winternitz one-time signature scheme is strongly unforgeable assuming additional properties of the pseudorandom function family. In this context we formally define several key-based security notions for function families and investigate their relation to pseudorandomness. All our reductions are exact and in the standard model and can directly be used to estimate the output length of the hash function required to meet a certain security level.

AB - We show that the Winternitz one-time signature scheme is existentially unforgeable under adaptive chosen message attacks when instantiated with a family of pseudorandom functions. Our result halves the signature size at the same security level, compared to previous results, which require a collision resistant hash function. We also consider security in the strong sense and show that the Winternitz one-time signature scheme is strongly unforgeable assuming additional properties of the pseudorandom function family. In this context we formally define several key-based security notions for function families and investigate their relation to pseudorandomness. All our reductions are exact and in the standard model and can directly be used to estimate the output length of the hash function required to meet a certain security level.

KW - Applied cryptography

KW - EU-CMA

KW - Hash-based signatures

KW - One-time signature schemes

KW - Post-quantum signatures

KW - PRFs

KW - Pseudorandom functions

KW - Security notions

KW - Security reductions

KW - SU-CMA

KW - Winternitz one-time signature scheme

UR - http://www.scopus.com/inward/record.url?scp=84876524229&partnerID=8YFLogxK

U2 - 10.1504/IJACT.2013.053435

DO - 10.1504/IJACT.2013.053435

M3 - Article

AN - SCOPUS:84876524229

SN - 1753-0563

VL - 3

SP - 84

EP - 96

JO - International Journal of Applied Cryptography

JF - International Journal of Applied Cryptography

IS - 1

ER -

On the security of the Winternitz one-time signature scheme

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this