OTS (One-Time signature)
The name of this algorithm type implies that a key can be securely used only once. The reason is that every time a message is signed, a part of the private key is exposed. If the key is used multiple times, all the private key parts will eventually be exposed and, therefore, compromised. OTS algorithms were developed in the 1970s, and, if properly used, they were safe enough for the time.
Two types of one-time signature are the most widely known:
1.1 LOTS (Lamport One-Time Signature)1
In 1979 Leslie Lamport suggested an improvement of M. Rabin's digital signature algorithm (1978) and introduced the concept of an OTS that can be built from any one-way function, for example a hash function. Lamport defined a one-way function as one that is easy to compute but hard to invert. By contrast with RSA (an algorithm suggested in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman), LOTS' hash is longer and is, thus, believed to be more secure.
Since OTS belongs to asymmetric cryptography, the first step in using the algorithm is generating a public and private key pair.
1.1.1 LOTS Private Key Generation
The length of the private key depends on the length of the hash function used to generate it. If a hashing algorithm has length then random secret values must be generated to form the private key:
1.1.2 LOTS Public Key Generation
The Public Key is generated by concatenating the hashed values of the generated secrets.
1.1.3 Signature Generation
Before signing, a hash is generated from the message or the transaction. The resulting hash can be represented as a bit string. To sign the message, for each bit we publish one of the two secret values of the corresponding pair, depending on whether that bit is or . The final signature (SIG)
Since both the message and the signature are public, an adversary can reconstruct a part of the secret key (SK), potentially one half of it. If the key is reused, every position where the bit value differs ( instead of , or vice versa) exposes the second secret value of that pair as well.
1.1.4 LOTS Signature Verification
Since the public key is a compilation of hashes of the secret key values, we can run the signature through the same hashing algorithm and, if the hashes match the public key entries, the signature is valid.
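The LOTS key generation, signing and verification steps described above, carried through as an added example (not code from the original text). It assumes SHA-256 as the one-way function, so the secret key holds 2*256 random values and the public key their hashes; the last function quantifies the reuse risk the text warns about by counting how many secret values two signatures under the same key would reveal.

```python
import hashlib
import secrets

# Assumptions of this added example: SHA-256 as the one-way function (n = 256 bits),
# so the secret key holds 2*n random values and the public key their 2*n hashes.
HASH_LEN = 32
N_BITS = HASH_LEN * 8


def H(data: bytes) -> bytes:
    """One-way function: easy to compute, hard to invert."""
    return hashlib.sha256(data).digest()


def keygen():
    """Secret key: n pairs of random values; public key: the hash of each value."""
    sk = [(secrets.token_bytes(HASH_LEN), secrets.token_bytes(HASH_LEN))
          for _ in range(N_BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def message_bits(msg: bytes):
    """Hash the message and expand the digest into its n bits (MSB first)."""
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def sign(sk, msg: bytes):
    """For bit i of the digest, reveal the secret value of pair i selected by that bit."""
    return [sk[i][bit] for i, bit in enumerate(message_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Hash each revealed value and compare it with the matching public key entry."""
    if len(sig) != N_BITS:
        return False
    bits = message_bits(msg)
    return all(H(s) == pk[i][bits[i]] for i, s in enumerate(sig))


def revealed_secrets(msgs) -> int:
    """How many of the 2*n secret values become public once all of these messages
    are signed with the same key. One signature reveals exactly n of them; every
    additional message reveals one more value per digest bit in which it differs."""
    positions = set()
    for m in msgs:
        positions.update(enumerate(message_bits(m)))
    return len(positions)
```

A signature is 256 values of 32 bytes (8 KiB), and a second signature under the same key leaks, on average, about half of the remaining secret values; that is the concrete meaning of "a part of the private key is exposed" in the text.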
1.2 WOTS (Winternitz One-Time Signature)
The major difference of WOTS is that a single secret value is used per signed message block rather than per bit of the signed message, as is the case for LOTS.
The paper2 mathematically proves WOTS to be existentially unforgeable under a chosen message attack (EU-CMA) if the key is used only once. The paper states that the signature is forgeable should the key be used multiple times and the adversary has and attempts to break it.
1.2.1 Secret Key Generation
- The first step is choosing the Winternitz parameter, which determines the compression level. It must be a natural number greater than 1.
- Then we generate an array or a string of random values, each secret key item having the same fixed length:
1.2.2 Public Key Generation
The Public Key (PK) used for the signature verification is generated by applying a hash function to each value:
The above can be represented as:
| Key | Representation | | |
|---|---|---|---|
| sk | | ... | |
| pk | hash() | ... | hash() |
1.2.3 Signing a Message
The message is signed the following way:
- Step one, checksum computation:
- Base computation:
- The message signature computation:
1.2.4 Signature verification
The signature is considered valid if hashing the signed message blocks yields exactly the public key elements, in their original order:
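The WOTS procedure of sections 1.2.1 to 1.2.4 (secret key of one value per block, checksum computation, base-2^w block computation, signing and verification), carried through as an added example that is not code from the original text or its cited paper. It assumes SHA-256 as the hash, a Winternitz parameter of 4 bits per block (base 16), and the textbook layout in which each public key element is the (2^w - 1)-step hash chain of the corresponding secret value, so verification completes the chain from the signature and compares it with the public key.

```python
import hashlib
import math
import secrets

# Assumptions of this added example (not fixed by the text): SHA-256 as the hash,
# Winternitz parameter w = 4 bits per block (base 16), and the textbook layout in
# which the public key is the (2^w - 1)-step hash chain of each secret value.
W = 4
BASE = 2 ** W
N = 32                                                # hash output length in bytes
L1 = math.ceil(N * 8 / W)                             # blocks covering the digest
L2 = math.floor(math.log2(L1 * (BASE - 1)) / W) + 1   # blocks covering the checksum
L = L1 + L2                                           # secret values per key


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain(x: bytes, steps: int) -> bytes:
    """Apply H to x `steps` times (a hash chain)."""
    for _ in range(steps):
        x = H(x)
    return x


def keygen():
    """One random secret value per block; public key = top of each hash chain."""
    sk = [secrets.token_bytes(N) for _ in range(L)]
    pk = [chain(s, BASE - 1) for s in sk]
    return sk, pk


def to_base(value: int, digits: int):
    """Fixed-width base-2^w representation, most significant digit first."""
    out = []
    for _ in range(digits):
        out.append(value % BASE)
        value //= BASE
    return out[::-1]


def message_blocks(msg: bytes):
    """Step one: checksum sum(2^w - 1 - b_i) over the digest blocks; step two:
    base-2^w blocks of the digest followed by the checksum blocks. The checksum
    ties the blocks together: a higher digest block always forces a lower
    checksum block, which a verifier's forward-only chains cannot reach."""
    b = to_base(int.from_bytes(H(msg), "big"), L1)
    checksum = sum(BASE - 1 - x for x in b)
    return b + to_base(checksum, L2)


def sign(sk, msg: bytes):
    """Signature block i is secret value i advanced b_i steps along its chain."""
    return [chain(sk[i], b) for i, b in enumerate(message_blocks(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Finish each chain (2^w - 1 - b_i more steps) and compare with the public key."""
    if len(sig) != L:
        return False
    blocks = message_blocks(msg)
    return all(chain(s, BASE - 1 - blocks[i]) == pk[i] for i, s in enumerate(sig))
```

With these parameters a key has 67 secret values instead of the 512 of LOTS over the same hash, which is the compression the Winternitz parameter buys, paid for with up to 15 hash evaluations per block during signing and verification.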
Conclusion
OTS can be used quite securely to sign messages only once. However, they cannot be conveniently used in our case, since they imply a new key generation for every new message, alongside transporting the new public key to the verifying smart contract on the chain of destination. The latter implies the introduction of another trusted entity or, in case the public key is received from an untrusted entity, a secure way of verifying it. All that brings additional overhead and complexity, while we strive to keep the system simple, maintainable, and stable.