Papers
Topics
Authors
Recent
Search
2000 character limit reached

One-Time Signatures Overview

Updated 13 November 2025
  • One-Time Signatures are digital signature schemes designed for a single secure message authentication using methods such as hash-based, code-based, and quantum protocols.
  • They employ minimal-complexity signing mechanisms with security grounded in hard cryptographic assumptions and feature forgery-detection availability through hash collision evidence.
  • Design trade-offs in OTS include large key/signature sizes and increased primitive invocations, which are essential for achieving strong, post-quantum security guarantees.

A one-time signature (OTS) is a digital signature primitive wherein a keypair is designed to be securely used for authenticating only a single message. OTS schemes, first formalized by Lamport, provide minimal-complexity signing mechanisms with security anchored to strong cryptographic assumptions, making them foundational within classical, code-based, lattice, and quantum-resistant cryptography. OTS remains a primary mechanism for post-quantum security and serves as a critical component within stateful or stateless hash-based signature frameworks, code-based authentication, and emerging quantum public-key schemes.

1. Formal Definitions, Security Models, and Efficiency Metrics

Let nn denote the message bit-length, and let (Gen,Sign,Verify)(\mathsf{Gen}, \mathsf{Sign}, \mathsf{Verify}) define the OTS protocol. In the random-oracle model, key generation GenO(1n)\mathsf{Gen}^O(1^n), signing SignO(SK,m)\mathsf{Sign}^O(SK, m), and verification VerifyO(VK,m,σ)\mathsf{Verify}^O(VK, m, \sigma) each query a public oracle OO, with perfect completeness requiring that for every OO, each (SK,VK)(SK, VK), and mm, verification of a legitimate signature always succeeds. The crucial security property is existential unforgeability under a chosen-message attack, restricted to one signing query: for every forger AA (possibly computationally unbounded) making (Gen,Sign,Verify)(\mathsf{Gen}, \mathsf{Sign}, \mathsf{Verify})0 queries to (Gen,Sign,Verify)(\mathsf{Gen}, \mathsf{Sign}, \mathsf{Verify})1, the probability of forging a valid signature on a novel message is at most (Gen,Sign,Verify)(\mathsf{Gen}, \mathsf{Sign}, \mathsf{Verify})2, where (Gen,Sign,Verify)(\mathsf{Gen}, \mathsf{Sign}, \mathsf{Verify})3 is the black-box security parameter (often (Gen,Sign,Verify)(\mathsf{Gen}, \mathsf{Sign}, \mathsf{Verify})4 for strong schemes) (0801.3680).

Security metrics for OTS schemes further include resistance to key-recovery and support for forgery-detection availability (FDA): in many hash-based schemes, any successful forgery leaks a collision of the underlying hash (provably) (Kiktenko et al., 2019). Efficiency metrics are typically dominated by key size, signature size, and the number of required calls to the underlying primitive (e.g., oracle queries, matrix operations, code decoding steps).

2. Classical Hash-Based One-Time Signatures

Classical OTS constructions focus on minimizing cryptographic assumptions, relying solely on the existence of one-way functions. The Lamport OTS scheme and its generalization, the Winternitz OTS (WOTS), reveal only preimages under the hash function (Gen,Sign,Verify)(\mathsf{Gen}, \mathsf{Sign}, \mathsf{Verify})5, so their security directly inherits the hardness of inverting (Gen,Sign,Verify)(\mathsf{Gen}, \mathsf{Sign}, \mathsf{Verify})6. The generic Lamport OTS exposes no algebraic relationships, and each private key element is simply a uniformly random element hashed into the public key.

Lamport OTS: For (Gen,Sign,Verify)(\mathsf{Gen}, \mathsf{Sign}, \mathsf{Verify})7-bit messages, the signer generates (Gen,Sign,Verify)(\mathsf{Gen}, \mathsf{Sign}, \mathsf{Verify})8 random values (Gen,Sign,Verify)(\mathsf{Gen}, \mathsf{Sign}, \mathsf{Verify})9, computes GenO(1n)\mathsf{Gen}^O(1^n)0, and reveals GenO(1n)\mathsf{Gen}^O(1^n)1 for message GenO(1n)\mathsf{Gen}^O(1^n)2. The signature consists of GenO(1n)\mathsf{Gen}^O(1^n)3 hash preimages.

Efficiency Trade-offs:

  • Key and signature sizes are large: with GenO(1n)\mathsf{Gen}^O(1^n)4, each secret/public key is GenO(1n)\mathsf{Gen}^O(1^n)5 bits, each signature is GenO(1n)\mathsf{Gen}^O(1^n)6 bits.
  • Signing and verification involve GenO(1n)\mathsf{Gen}^O(1^n)7 hash function evaluations.

Winternitz OTS achieves shorter signatures by trading off signature size versus signing/verification time (by chaining hashes).

A crucial property is forgery-detection availability (§3): upon any successful forgery, a previously unknown hash collision (or preimage) is revealed with overwhelming probability GenO(1n)\mathsf{Gen}^O(1^n)8, where the parameter GenO(1n)\mathsf{Gen}^O(1^n)9 increases the preimage domain for robust detection. The practical implication is cryptographic agility—any such event is cryptographically convincing evidence that SignO(SK,m)\mathsf{Sign}^O(SK, m)0 has failed and must be replaced (Kiktenko et al., 2019).

The efficiency of hash-based OTS is bounded from below: Barak and Mahmoody show that no construction using only SignO(SK,m)\mathsf{Sign}^O(SK, m)1 random-oracle queries (distributed across SignO(SK,m)\mathsf{Sign}^O(SK, m)2, SignO(SK,m)\mathsf{Sign}^O(SK, m)3, and SignO(SK,m)\mathsf{Sign}^O(SK, m)4) can exceed security SignO(SK,m)\mathsf{Sign}^O(SK, m)5, even for ideal hash functions (0801.3680). This lower bound is tight up to a constant, achieved by combinatorial variations of Lamport: for SignO(SK,m)\mathsf{Sign}^O(SK, m)6 queries, at best SignO(SK,m)\mathsf{Sign}^O(SK, m)7. Therefore, achieving SignO(SK,m)\mathsf{Sign}^O(SK, m)8-bit security requires at least SignO(SK,m)\mathsf{Sign}^O(SK, m)9 calls to the base primitive per key/signature.

3. Post-Quantum and Code-Based OTS Constructions

Classical OTS schemes directly generalize to post-quantum settings by substituting post-quantum hash functions. However, compact keys/signatures and performant parameterization motivate alternative designs.

Code-Based OTS

Sparse, code-based primitives such as [Baldi2013] and Persichetti's QC-code schemes use low-density generator matrices (LDGM) and syndromes under a public hash function.

Critical failure mode: Sparse signatures leak the underlying secret through basic statistical analysis of multiple (even single) signatures. Given a signature VerifyO(VK,m,σ)\mathsf{Verify}^O(VK, m, \sigma)0 and knowledge of the sparse codeword VerifyO(VK,m,σ)\mathsf{Verify}^O(VK, m, \sigma)1, an attacker reconstructs most of the sparse secret VerifyO(VK,m,σ)\mathsf{Verify}^O(VK, m, \sigma)2 by summing shifted versions of the signature components, then solves for the remainder via Information Set Decoding (ISD). For Persichetti's parameters, full key recovery occurs at work factor VerifyO(VK,m,σ)\mathsf{Verify}^O(VK, m, \sigma)3, far below any practical security target (Santini et al., 2018).

SPANSE: Dense Code-Based OTS

To defeat sparsity attacks, the SPANSE scheme (Baldi et al., 2022) constructs signatures as maximally dense (no zero entries), shifting security to the NP-hardness of large-weight syndrome decoding over non-binary QC codes. The trapdoor remains code-based (QC-LDGM), but signatures are produced by mapping message randomness to sparse syndromes embedded in a dense signature vector. No two signatures reveal the same sparse support, so statistical attacks do not apply.

Performance summary:

  • Key generation: VerifyO(VK,m,σ)\mathsf{Verify}^O(VK, m, \sigma)4 field operations (done offline).
  • Signing/Verification: VerifyO(VK,m,σ)\mathsf{Verify}^O(VK, m, \sigma)5 field operations, VerifyO(VK,m,σ)\mathsf{Verify}^O(VK, m, \sigma)6 ms for VerifyO(VK,m,σ)\mathsf{Verify}^O(VK, m, \sigma)7 on commodity processors.
  • Key size: VerifyO(VK,m,σ)\mathsf{Verify}^O(VK, m, \sigma)8 KiB; signature size: VerifyO(VK,m,σ)\mathsf{Verify}^O(VK, m, \sigma)9 KiB for 128-bit security.
  • Security: best known attacks require OO0 work (field ops).

This approach yields smaller attack surfaces and practical performance at the cost of moderate key size and preservation of true one-time use.

4. OTS Based on PRNG Chains and Beyond

The classical hash-chain can be generalized using pseudorandom number generators (PRNGs), notably linear-congruential generators (LCGs), as in Chen’s proposal (Chen, 2024).

LCG-based OTS:

  • Private key: seed OO1.
  • Public key: value after OO2 LCG steps: OO3.
  • Signing: derive integer OO4 from hash of message; output (t, OO5), OO6 the LCG multiplier.
  • Verification: using OO7, LCG parameters, and message hash, run LCG for OO8 steps and check against OO9.

Trade-offs:

  • Signature length: OO0 bits (with OO1, OO2 yields 272 bits).
  • Time per sign/verify: OO3 LCG steps.
  • Security: tied to the one-wayness of the LCG and collision-resistance of OO4.
  • Forgery-resistance collapses if a keypair is ever used to sign more than one message.

This design achieves minimal key and signature size at the expense of computational time. Using a block-cipher-based PRNG (e.g., AES-CTR) is suggested for stronger assumptions.

5. Quantum Public-Key One-Time Signatures

Quantum signature schemes with quantum public keys demonstrate existential unforgeability based on the existence of pseudorandom quantum states, even absent quantum-secure one-way functions (Morimae et al., 2021).

In such schemes:

  • Secret key: OO5.
  • Public key: OO6, where OO7 is a pseudorandom quantum state.
  • Signing: Output OO8 for a bit OO9.
  • Verification: Perform measurement on (SK,VK)(SK, VK)0 in basis containing (SK,VK)(SK, VK)1; accept if the outcome aligns.

Security: Reduction shows that any QPT forger with non-negligible success probability can distinguish pseudorandom quantum states from Haar-random ones, violating the security of the quantum state generator. This base assumption is strictly weaker than any classical cryptographic primitive, suggesting that one-time quantum signatures can exist under purely quantum assumptions.

6. Efficiency Lower Bounds, Black-Box Constructions, and the Symmetric/Efficiency Gap

Barak and Mahmoody's lower bounds (0801.3680) have foundational implications for OTS design:

  • Random oracle model: Any OTS using (SK,VK)(SK, VK)2 queries, across all phases, admits at most (SK,VK)(SK, VK)3 black-box security.
  • Symmetric primitives: Any black-box construction of a secure OTS from a symmetric primitive (e.g., block cipher, MAC, or PRF) must make (SK,VK)(SK, VK)4 calls to the primitive to sign an (SK,VK)(SK, VK)5-bit message at exponential security. Private-key primitives themselves need only (SK,VK)(SK, VK)6 calls to achieve exponential security.
  • Efficiency gap: There is an inherent and formal efficiency gap between OTS and all other symmetric primitives: for digital signing, efficiency can only be achieved by increasing the number of primitive invocations linearly with the security parameter.

This result generalizes to random-permutation and ideal-cipher oracles, with only small multiplicative losses in the exponent.

7. Extensions: One-Time Aggregate, Identity-Based, and Code Design Challenges

One-time signatures are employed and extended in several directions:

  • Aggregate signatures: Schemes such as MTA-OTIBAS (Zhang et al., 2015) allow one-time identity-based aggregate signatures over multiple trusted authorities. Security relies on the co-computational Diffie–Hellmann assumption in bilinear groups, and single-use keys per identity prevent signature replay and linking.
  • Detection and crypto-agility: FDA enables automated detection of a broken hash function and immediate protocol migration, a unique property for hash-based OTS frameworks (Kiktenko et al., 2019).
  • Code-based OTS challenges: The risk with sparse signatures remains acute unless signatures are made dense (e.g., SPANSE (Baldi et al., 2022)); any significant information leakage or repeated use violates one-time use, as exploited in key-recovery attacks (Santini et al., 2018). A plausible implication is that code-based OTS must make the signature dense or introduce randomness at every invocation to ensure practical security.

Table: Summary of Main OTS Families

Scheme Family Security Basis Key Size Signature Size Signing Time Security Notes
Lamport/WOTS Hash function Large Large Very Fast FDA, easily parameterized, quantum-resistant
Code-based (QC-LDGM) Syndrome decoding Medium-large Medium Fast/Medium Sparsity leaks (unless dense), quantum-resistant
PRNG-chain OTS PRNG one-wayness Minimal Minimal Medium (param. (SK,VK)(SK, VK)7) Only secure for strict one-time use
Quantum-PK OTS PR quantum states Minimal/classical Minimal/qubits Table-lookup/classical Weaker assumptions, quantum public keys
Aggregate/IBS OTS group hardness Small Small/aggregated Fast Single-use ensures unlinkability

Editor’s term: FDA, “forgery-detection availability”.

References

  • Barak & Mahmoody. "Lower Bounds on Signatures from Symmetric Primitives" (0801.3680)
  • Santini, Baldi, Chiaraluce. "Cryptanalysis of a One-Time Code-Based Digital Signature Scheme" (Santini et al., 2018)
  • Finiasz, et al. "SPANSE: combining sparsity with density for efficient one-time code-based digital signatures" (Baldi et al., 2022)
  • Alagic et al. "Quantum commitments and signatures without one-way functions" (Morimae et al., 2021)
  • Chen. "One-Time Signature Based on Pseudorandom Number Generator" (Chen, 2024)
  • Grechnikov. "Proof-of-forgery for hash-based signatures" (Kiktenko et al., 2019)
  • Cheng, et al. "On the Security of MTA-OTIBASs" (Zhang et al., 2015)

A comprehensive understanding of OTS demands careful alignment of use-case (one-time, few-time, Merkle-hierarchical), security assumption (hash-based, code-based, quantum), and efficiency target (signature/key size, computation). Each family carries nuanced trade-offs; robust security—particularly in post-quantum contexts—often prioritizes one-time operation and provable resistance to various forms of analytic, algebraic, and quantum attacks.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to One-Time Signatures.