Questions tagged [hash-signature]

Signature schemes built out of and based on properties of hash functions. **DO NOT USE THIS TAG** if the signature is based on other hard problems and just happens to employ a hash function.

Hash-based digital signatures, such as Lamport one-time signatures, are digital signature schemes based on a (non-trapdoor) one-way function such as a cryptographic hash function. Such schemes are expected to remain secure even against attacks using quantum computers.

155 questions
144 votes, 6 answers

Should we sign-then-encrypt, or encrypt-then-sign?

Frequently, we want to send messages that are (a) encrypted, so passive attackers can't discover the plaintext of the message, and (b) signed with a private-key digital signature, so active attackers can't make Alice think that a message came from…
David Cary
13 votes, 3 answers

Lamport signature: How many signatures are needed to forge a signature?

Lamport signature: Signing the message. Note that now Alice's private key is used and should never be used again. The other 256 random numbers that she did not use for the signature she must never publish or use. Preferably she should delete them;…
Sup3rgnu
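The tag description above says that a Lamport signature reveals one preimage per digest bit, and the question above asks how many signatures under one key an attacker needs before forging. The following is an added example, not code from the question, from Wikipedia, or from any library: a Lamport one-time signature over SHA-256 with 32-byte secrets (both assumptions), plus the bookkeeping a forger does after seeing several signatures under the same key. At full size the script only counts how many positions still pin a digest bit after two signatures (about half of 256, so a forged message still faces roughly a 2^128 search); to actually exhibit a forgery it repeats the experiment with a toy 10-bit digest, where the same key reuse makes the search trivial. The messages are constructed sample input.

```python
import hashlib
import os


def H(data: bytes) -> bytes:
    """The one-way function; SHA-256 is an assumption of this example."""
    return hashlib.sha256(data).digest()


def digest_bits(msg: bytes, n: int) -> list:
    """The n most significant bits of SHA-256(msg), one list entry per bit."""
    d = int.from_bytes(H(msg), "big") >> (256 - n)
    return [(d >> (n - 1 - i)) & 1 for i in range(n)]


def keygen(n: int = 256):
    """Private key: n pairs of random 32-byte strings; public key: their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(n)]
    pk = [(H(x0), H(x1)) for x0, x1 in sk]
    return sk, pk


def sign(sk, msg: bytes) -> list:
    """For every digest bit, reveal the preimage selected by that bit."""
    return [sk[i][b] for i, b in enumerate(digest_bits(msg, len(sk)))]


def verify(pk, msg: bytes, sig: list) -> bool:
    bits = digest_bits(msg, len(pk))
    return len(sig) == len(pk) and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits)))


def revealed(signed: list, n: int) -> list:
    """What an observer of several signatures under one key learns: per
    position, which preimages (for bit 0, bit 1, or both) are now public."""
    known = [dict() for _ in range(n)]
    for msg, sig in signed:
        for i, b in enumerate(digest_bits(msg, n)):
            known[i][b] = sig[i]
    return known


def constrained_positions(signed: list, n: int) -> int:
    """Positions where only one preimage is public. A forged message's digest
    is pinned to that bit there, so these positions bound the forger's search."""
    return sum(1 for k in revealed(signed, n) if len(k) == 1)


def forge(signed: list, n: int, candidates: int = 100000):
    """Look for a fresh message whose digest needs only preimages already revealed."""
    known = revealed(signed, n)
    used = {m for m, _ in signed}
    for i in range(candidates):
        m = b"forged-%d" % i          # constructed candidate messages
        bits = digest_bits(m, n)
        if m not in used and all(b in known[j] for j, b in enumerate(bits)):
            return m, [known[j][b] for j, b in enumerate(bits)]
    return None


def demo() -> dict:
    m1 = b"pay 5 BTC to Bob"        # constructed sample messages
    m2 = b"pay 5 BTC to Carol"
    # Proper use at full size: one key, one message.
    sk, pk = keygen(256)
    valid = verify(pk, m1, sign(sk, m1))
    # Key reuse at full size: count how many of the 256 positions still pin a bit.
    pinned = constrained_positions([(m1, sign(sk, m1)), (m2, sign(sk, m2))], 256)
    # Toy size: the same reuse with 10-bit digests makes forgery a quick search.
    sk10, pk10 = keygen(10)
    signed = [(m1, sign(sk10, m1)), (m2, sign(sk10, m2))]
    forged = forge(signed, 10)
    return {
        "valid": valid,
        "pinned_after_two": pinned,
        "toy_forgery_verifies": forged is not None and verify(pk10, forged[0], forged[1]),
    }


if __name__ == "__main__":
    print(demo())
```

Every signature under a key halves, on average, the number of positions that still constrain a forger; after the first reuse the remaining work is about 2^(pinned positions), which is why the key must be discarded after a single use.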
11 votes, 2 answers

Advantages and disadvantages of hash-based signatures

We know hash-based signatures (Winternitz signature, HORS(T) signature) that are quantum-safe and efficient. They can be stateful or stateless, one-time or multiple-time. But why are they not widely used in practice? Or maybe they are, please tell…
Laura
11 votes, 3 answers

One-time digital signatures

Are there digital signatures for which, given two documents signed by the same key, one could derive the key? With such one-time signatures, one may be able to design a cryptocurrency based on proof-of-stake instead of proof-of-work. To…
Randomblue
10 votes, 3 answers

Why is SHA3 more secure than SHA2?

Why are SHA3 algorithms considered more secure than their SHA2 counterparts? Surely in part, it is due to their resistance to length extension attacks. But specifically, when considering collision resistance they have the same O(n) attack times. Is…
Arturo Roman
10 votes, 3 answers

Why don't crypto-currencies use the Lamport signature scheme?

The Lamport signature scheme is faster, less complex and considerably safer than ECDSA. Its only downside - being only usable once - isn't really a downside when signing transactions, since you could just include your next public key whenever…
MaiaVictor
9 votes, 3 answers

Winternitz One-Time Signature

I am reading page 38 in this "Post Quantum Cryptography" book (Equations 8 and 9). My question is: why, to compute the verification key $Y$, is $f$ applied $2^w-1$ times? Are there any security notions involved?
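The question above asks why each verification key component is $f$ applied $2^w-1$ times. The reason is that a chain has to cover all $2^w$ values a $w$-bit digit can take: the signer publishes $f^{b_i}(x_i)$ and the verifier finishes the remaining $2^w-1-b_i$ steps, so the chain end is only reachable if the signer revealed the right intermediate value. The added example below (not code from the book or the question, and not a production implementation) implements that Winternitz scheme with SHA-256 as $f$, $w = 4$ and a toy 16-bit digest, all assumptions chosen so the searches finish instantly. It also shows the security notion the chains drag in: anyone can walk a chain forwards, so a signature on one message is a signature on every message whose digits are all at least as large, and the checksum digits (which shrink whenever a message digit grows) are what blocks that. The scheme is run once without the checksum, where the attack succeeds, and once with it, where it fails.

```python
import hashlib
import os
from math import ceil, floor, log2

N_BITS = 16   # toy digest length so the searches below finish instantly (use 256 in practice)
W = 4         # Winternitz parameter: w-bit digits, each chain is f applied 2^w - 1 times
BASE = 2 ** W


def f(x: bytes) -> bytes:
    """The one-way function of the scheme; SHA-256 is an assumption here."""
    return hashlib.sha256(x).digest()


def chain(x: bytes, steps: int) -> bytes:
    for _ in range(steps):
        x = f(x)
    return x


def msg_digits(msg: bytes) -> list:
    """Split the (truncated) digest of msg into t1 base-2^w digits."""
    t1 = ceil(N_BITS / W)
    d = int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - N_BITS)
    return [(d >> (W * (t1 - 1 - i))) & (BASE - 1) for i in range(t1)]


def checksum_digits(b: list) -> list:
    """c = sum of (2^w - 1 - b_i). Raising any message digit lowers c, so at
    least one checksum digit must go backwards, which needs a preimage of f."""
    c = sum((BASE - 1) - bi for bi in b)
    t2 = floor(log2(len(b) * (BASE - 1)) / W) + 1
    return [(c >> (W * (t2 - 1 - i))) & (BASE - 1) for i in range(t2)]


def encode(msg: bytes, with_checksum: bool) -> list:
    b = msg_digits(msg)
    return b + checksum_digits(b) if with_checksum else b


def keygen(with_checksum: bool = True):
    t = len(encode(b"", with_checksum))
    sk = [os.urandom(32) for _ in range(t)]
    pk = [chain(x, BASE - 1) for x in sk]          # y_i = f^(2^w - 1)(x_i)
    return sk, pk


def sign(sk, msg: bytes, with_checksum: bool = True) -> list:
    return [chain(x, d) for x, d in zip(sk, encode(msg, with_checksum))]   # f^(b_i)(x_i)


def verify(pk, msg: bytes, sig: list, with_checksum: bool = True) -> bool:
    digits = encode(msg, with_checksum)
    return len(sig) == len(pk) == len(digits) and all(
        chain(s, (BASE - 1) - d) == y for s, y, d in zip(sig, pk, digits))


def advance(sig: list, msg: bytes, target: bytes, with_checksum: bool = True):
    """Attacker: reuse a signature on msg for target by applying f further along
    each chain. Impossible as soon as any digit would have to move backwards."""
    old, new = encode(msg, with_checksum), encode(target, with_checksum)
    if any(n < o for o, n in zip(old, new)):
        return None
    return [chain(s, n - o) for s, o, n in zip(sig, old, new)]


def find_msg(pred, limit: int = 100000) -> bytes:
    """Search constructed messages tx-0, tx-1, ... for one satisfying pred."""
    for i in range(limit):
        m = b"tx-%d" % i
        if pred(m):
            return m
    raise RuntimeError("no message found")


def demo() -> dict:
    """Does the chain-advancing attack produce a verifying signature,
    without (False) and with (True) the checksum digits?"""
    m0 = find_msg(lambda m: all(d <= BASE // 2 for d in msg_digits(m)))
    m1 = find_msg(lambda m: msg_digits(m) != msg_digits(m0)
                  and all(n >= o for o, n in zip(msg_digits(m0), msg_digits(m))))
    results = {}
    for cs in (False, True):
        sk, pk = keygen(cs)
        forged = advance(sign(sk, m0, cs), m0, m1, cs)
        results[cs] = forged is not None and verify(pk, m1, forged, cs)
    return results


if __name__ == "__main__":
    print(demo())
```

The same shape, with a 256-bit digest and keyed or bitmasked chaining functions, is what the WOTS+ variant inside XMSS and SPHINCS+ uses; the checksum is not optional in any of them.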
8 votes, 3 answers

Stateless hash based public key cryptography?

Merkle-Winternitz signatures based on fractal hash trees are an attractive alternative to other post-quantum cryptographic schemes, in particular since they are conceptually simple, the security properties are easily understood and they are easy to…
Henrick Hellström
7 votes, 1 answer

Difference Between Gravity-SPHINCS and SPHINCS+?

What are the differences between Gravity-SPHINCS and SPHINCS+ from security and practicality standpoints? Are they just different implementations of the underlying SPHINCS algorithms or are they functional variations on the underlying algorithms?
CoryG
7 votes, 1 answer

Do other one-time signature schemes exist?

I'm curious to know if there are any one-time signature schemes other than Lamport's or its variants (Merkle trees are one such variant). The first I've discovered is called "Bins and Balls" which doesn't use a trapdoor function. Any others? Are…
Melab
7 votes, 3 answers

Can one use a Cryptographic Accumulator to efficiently store Lamport public keys without the need of a Merkle Tree?

One of the problems of one-time Lamport signatures is that public keys are disposed after use, so you must generate many keys and store them in a Merkle tree. The root is the "real" public key and each signature is supplied with a Merkle branch from…
SDL
6 votes, 3 answers

Why do we need Collision Resistant Hash Function for the Merkle Tree Signature Scheme?

I am studying Merkle Tree Construction for digital signature. I don't quite understand why we need a collision resistant hash function for Merkle tree construction. There are a few papers, like XMSS, that try to lower the requirement from collision…
6 votes, 2 answers

Is there a signature scheme which doesn't rely on the difficulty of factoring/dlp which generates short signatures?

The Lamport signature scheme, for example, doesn't rely on the difficulty of any problem and it only depends on the existence of one-way functions. Is there an alternative scheme which also doesn't rely on the difficulty of factoring/discrete…
MaiaVictor
6 votes, 1 answer

Choice of the one-way function (OWF) for Lamport signatures

I am studying the Lamport signature scheme, and I found that in many sources (eg: Hash-based Digital Signature Schemes) the input and output bitstring of the OWF and the message digest have the same size, generally 256. As the minimal requirement…
5 votes, 1 answer

How does second pre-image attack on Merkle Signature Scheme work?

I understand that a second pre-image attack on the Merkle tree works by creating another Merkle tree using the intermediate nodes as the leaf nodes, and this will lead to the same root hash (public key) being constructed [1]. However, I thought that…
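Two of the questions above concern the Merkle tree that turns many one-time keys into one public key: the earlier one (a Merkle branch shipped with each Lamport signature) and this one (the second-preimage attack that feeds interior nodes back in as leaves). The following is an added example, not code from either question or from any library. It builds the naive tree with leaf = H(data) and node = H(left || right), runs the attack described above against it, then repeats it against a tree that hashes leaves and interior nodes under different prefixes (the 0x00/0x01 domain separation used by RFC 6962; XMSS achieves the same separation differently), and finally shows the authentication path a signature carries and its verification. SHA-256, a power-of-two leaf count and the sample leaf values are assumptions of the example.

```python
import hashlib


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Naive tree: leaf = H(data), node = H(left || right). Nothing distinguishes a
# leaf hash from an interior hash, which is exactly what the attack exploits.
def naive_root(leaves: list) -> bytes:
    level = [H(x) for x in leaves]
    while len(level) > 1:
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


# Domain-separated tree: 0x00 prefix for leaves, 0x01 for interior nodes,
# so the input of an interior node can never be re-read as a leaf.
def leaf_hash(data: bytes) -> bytes:
    return H(b"\x00" + data)


def node_hash(left: bytes, right: bytes) -> bytes:
    return H(b"\x01" + left + right)


def safe_levels(leaves: list) -> list:
    """All levels of the separated tree, leaves first, root last (2^k leaves)."""
    levels = [[leaf_hash(x) for x in leaves]]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([node_hash(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels


def safe_root(leaves: list) -> bytes:
    return safe_levels(leaves)[-1][0]


def second_preimage(leaves: list) -> list:
    """Attacker's alternative leaf list: the raw inputs of the first interior
    level. In the naive tree each one hashes to that interior node, so a tree
    with half as many leaves reproduces the original root."""
    hashed = [H(x) for x in leaves]
    return [hashed[i] + hashed[i + 1] for i in range(0, len(hashed), 2)]


def auth_path(leaves: list, idx: int) -> list:
    """Sibling hashes from leaf idx up to the root: the 'Merkle branch' that a
    one-time signature ships alongside its public key."""
    path = []
    for lvl in safe_levels(leaves)[:-1]:
        path.append(lvl[idx ^ 1])
        idx //= 2
    return path


def verify_path(root: bytes, leaf_data: bytes, idx: int, path: list) -> bool:
    h = leaf_hash(leaf_data)
    for sibling in path:
        h = node_hash(h, sibling) if idx % 2 == 0 else node_hash(sibling, h)
        idx //= 2
    return h == root


def demo() -> dict:
    # Constructed sample: four one-time public keys (any byte strings work).
    leaves = [b"lamport-pk-%d" % i for i in range(4)]
    forged = second_preimage(leaves)
    root = safe_root(leaves)
    return {
        "naive_collides": naive_root(forged) == naive_root(leaves),
        "safe_collides": safe_root(forged) == root,
        "path_ok": verify_path(root, leaves[2], 2, auth_path(leaves, 2)),
        "path_wrong_leaf": verify_path(root, leaves[1], 2, auth_path(leaves, 2)),
    }


if __name__ == "__main__":
    print(demo())
```

The forged leaf list is two 64-byte strings rather than four one-time public keys, so a verifier that also fixes the tree height, or the leaf length, would reject it as well; the prefix is the cheaper and more general defence because it works for any tree shape.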