 Review
 Open access
 Published:
Hashbased signature revisited
Cybersecurity volume 5, Article number: 13 (2022)
Abstract
The current development toward quantum attack has shocked our confidence on classical digital signature schemes. As one of the mainstreams of post quantum cryptography primitives, hashbased signature has attracted more and more concern in both cryptographic research and application in recent years. The goal of this paper is to present, classify and discuss different solutions for hashbased signature. Firstly, this paper discusses the research progress in the component of hashbased signature, i.e., onetime signature and fewtime signature; then classifies the treebased public key authentication schemes of hashbased signature into limited number and stateful schemes, unlimited number and stateful schemes and unlimited number and stateless schemes. The above discussion aims to analyze the overall design idea of different categories of hashbased signatures, as well as the construction, security reduction and performance efficiency of specific schemes. Finally, the perspectives and possible development directions of hashbased signature are briefly discussed.
Introduction
Digital signature based on publickey cryptosystems has been widely used in the modern online information transmission, for example, electronic elections, digital cash, etc., to provide entity authentication and nonrepudiation, message integrity and confidentiality. The original research of publickey digital signature is focused on the schemes upon the computationally hard number theoretic problems, such as RSA designed on the difficulty assumption of factoring large integers (Rivest et al. 1978), ElGamal designed on the difficulty assumption of discrete logarithms, etc. (ElGamal 1985) But the development of quantum computer has shocked our confidence on this kind of classical digital signature schemes (Gisin et al. 2002; Bennett et al. 1992; Bernstein 2009; Brassard et al. 2000; Ekert 1991; Bennett 1992; Gröblacher et al. 2006), by applying “Shor’s algorithm” (Shor 1999), theoretic problems will no longer be hard and classical cryptosystems can be broken easily. We can only achieve computational security by improving the related parameters in scale, it is dynamically affected by the development of number theory and computing performance, as a result, it lacks sustainedly durable security.
Another kind of publickey based signature scheme, hashbased signature, which is believed to resist to both classical and quantum computers, is attracting more and more attention in cryptography research. Hashbased signature is commonly designed in combining onetime signature (OTS) (Merkle 1979b; Naor et al. 2005) or fewtime signature (FTS) (Perrig 2001; Reyzin and Reyzin 2002; Aumasson and Endignoux 2017, 2018; Bernstein et al. 2017, 2019) with hash tree, and its security is only based on the security assumptions of the underlying hash function, such as collision resistance, second preimage resistance, onewayness (Coron et al. 2005; Rogaway and Shrimpton 2004), etc., avoiding the dependence on the hard number theoretic problems of other digital signature schemes. Hash function is one of the foundational topics in cryptography, and many different rapid design approaches and relevant researches have been presented to achieve different security properties. Opposite to the digital signature designed on hard number theoretic problem, attacks against a specific hash function will not affect the overall security of hashbased signature; it could be solved by replacing the attacked hash function by others remain secure easily.
Due to the concision and efficiency in the design, hash function has been implemented maturely after decades of improvement, hashbased signature which treats hash function as the central subroutine can achieve high efficiency as well. In addition, through choosing distinct underlying hash functions and their parameters, as well as onetime/FTS schemes, tree traversal algorithms, etc., it is sufficiently flexible to make a tradeoff between signature size, time and storage, etc., to meet distinct needs in applications.
However, hashbased signature still has some drawbacks which need to be solved to make it more practical. First, the signature key can be used only once to sign one message in the underlying OTS, even for FTS in which a single key pair could be used to sign a few messages, the security of the signature decreases as the number of signatures increases, it raises a crucial issue that how to manage largescale public keys consequently. The treebased public key authentication is a classical way to solve the public key management issue. In the original path authentication schemes the signature size grows logarithmically with the number of signatures, and more path authentication schemes have been presented in the recent research to achieve more efficiency. Second, as the key pair has to be changed into a fresh one after each signature generation, a natural way is to utilize the state management to keep record of the state and synchronization between signer and verifier, otherwise, there may exists reduplicate use of the signature key, such that the adversary can forge a valid signature easily. Therefore, state management plays an essential role in many scenarios of the application of hashbased signature, but it also limits it less practical. In recent years, some stateless hashbased signatures have been presented which attract researcher’s concerns, but the stateless hashbased signature has significantly higher signatures size compared with the stateful ones in the analogous security level, as a result, it is difficult to be widely applied in practice.
The goal of this survey is to present, classify and discuss different schemes that provide solutions for OTS/FTS, manytime and fulltime hashbased signatures, focus on different security analysis and implementation strategies about stateful and stateless hashbased signatures. The rest of the survey is organized as follows. In “Related work” section, we briefly introduce the related work and progress in the research of hashbased signature; in “Security notions” section, we give the security notions of hash function, as well as the definition and the corresponding security notions of signature scheme; in “Hashbased Signature” section, we discuss the progress in the component of hashbased signature in detail, i.e., onetime signature and fewtime signature, and classify the treebased public key authentication schemes of hashbased signature into limited number and stateful schemes, unlimited number and stateful schemes and unlimited number and stateless schemes, introduce their constructions, analyze and compare the security assumptions of underlying function required in these specific hashbased signature schemes; in “Conclusion” section, the perspectives and possible development directions of hashbased signature are briefly discussed.
Related work
Research into hashbased signature has a long history. In 1979, Merkle presented the first hashbased signature scheme constructed out of hash function only (Merkle 1979b; Rogaway and Shrimpton 2004), therefore, it is also named as Merkle signature scheme, which is a combination of an OTS to sign a single message per key pair and a path authentication scheme to provide an authentication path to verify the public key related to the signature of this single message. During the past 40 years, much more schemes with security analysis have become available on hashbased signature. For OTS, the following schemes have been wildly studied: the Lamport OTS (Merkle 1989), the Merkle OTS (Merkle 1989), the Winternitz OTS (Merkle 1989; Buchmann et al. 2011a), the BleichenbacherMaurer (Bleichenbacher and Maurer 1994) OTS and WOTS + (Hülsing 2013), etc. Merkle OTS is designed based on the Lamport OTS, Winternitz OTS can be regarded and as a generalization of Merkle OTS, Merkle OTS and Winternitz OTS, it iterates an underlying function repeatedly while iteration times relate to the message to be signed. Bleichenbacher and Maurer gave a generalization of OTS schemes on acyclic graphs. WOTS + provides shorter signatures than previous schemes with the analogous security level, and offers a tight reduction that WOTS + is existentially unforgeable under an adaptive chosen message attack (EUCMA) in the standard model, if the underlying hash function family is second preimage resistant and undetectable oneway.
FTS, as the name suggests, can be used to sign more than one message with the same key pair. Typical schemes for FTS schemes are Biba FTS (Perrig 2001), Hors FTS (Reyzin and Reyzin 2002) with its variants Pors FTS (Aumasson and Endignoux 2017, 2018) and Fors FTS (Bernstein et al. 2017, 2019), etc. Biba FTS can achieve high verification efficiency at the cost of heavy precomputation on key generation and signature; meanwhile, it requires time synchronization between the sender and receiver. Hors FTS is mainly focus on selecting some elements which is determined by the message to be signed from a far larger set. Pors and Fors FTS improves Hors FTS in a way avoiding weak messages, which are mapped to a small subset and vulnerable to subset resilience attack.
Although all FTS schemes suggest using the single key pair to sign more than one message in contrast to one message in OTS scheme, the security of the signature decreases as the number of signatures increases.
Since key size increases linearly with the number of the signed messages in hashbased signature, it is essential to use key management to realize using fewer key pairs to authenticate more messages, thus path authentication scheme comes into being. Among them, treebased authentication using the hash tree to authenticate public keys efficiently is wildly adopted to solve the problem of key management. To sign a message, after the OTS signature is generated, an authentication path generated by the treebased authentication scheme has to be applied to verifier. Verifier authenticates the onetime public key along with the authentication path to construct the tree from leaf nodes to root, or from the root to bottom, which comes into two main different approaches to authenticate public keys in large scale, depending on stateful or stateless of the hashbased signature scheme, and signing limited number or cryptographic unlimited number of messages. In terms of stateful hashbased signature, its signature key needs to be renewed when exceeding its service time, namely, the signing times it can be used to sign the messages; whereas the stateless hashbased signature selects signature key pseudorandomly, and doesn’t require key management. Typical schemes of limited number and stateful hashbased signature are Merkle hashbased signature (Merkle 1989), eXtended Merkle Signature Scheme (XMSS) (Buchmann et al. 2011b; Hülsing et al. 2018), LeightonMicali signature (LMS) (Leighton and Micali 1995; Katz 2016; Failed 2017; McGrew et al. 2019; Buchmann et al. 2006), etc.; typical Schemes of unlimited number and stateful hashbased signature are generalized Merkle signature scheme (GMSS) (Buchmann et al. 2006, 2007), XMSS with multitree (XMSS^{MT}) (Hülsing et al. 2018, 2013), Hierarchical Signature System (HSS) (McGrew et al. 2019), etc.; typical Schemes of unlimited number and stateless hashbased signature are SPHINCS(Bernstein et al. 2015), SPHINCS + (Bernstein et al. 2017, 2019), GravitySPHINCS (Aumasson and Endignoux 2017, 2018), etc.
There has been an increasing amount of literatures on traversal algorithm of hashbased signature, such as tree traversal algorithm and hash chain traversal algorithm, which allows for optimal tradeoff between signature time and storage cost. In terms of tree traversal algorithm, two different approaches are mainly discussed to compute authentication paths, depending on considering the node or the subtree of a Merkle tree as the basic computational element. In terms of fractal hash chains traversal algorithm (Jakobsson 2002; Jakobsson et al. 2003; Naor et al. 2006; Coppersmith and Jakobsson 2002; Sella 2003; Berman et al. 2007; Knecht et al. 1409; Buchmann et al. 2008), all elements in a hash chain are determined by the initial input and the combined output is a single element. As the main purpose of this paper is to introduce typical hashbased signature schemes which have been discussed and adopted widely, readers can refer to the literature in detail to learn more about traversal algorithm of hashbased signature.
In the application, Even and Goldreich proposed an online/offline signature scheme (Even et al. 1996), which uses the efficient OTS scheme for the online signing, along with an ordinary signature scheme used for the offline phase. Other applications such as TESLA (Perrig et al. 2002), wireless security, etc., are also well researched (Perrig et al. 2001; Bergadano et al. 2002; Buldas et al. 2017, 2018).
Security notions
A hash function family H is a map \(H: = \left\{ {h_{k} :{\kern 1pt} {\kern 1pt} {\kern 1pt} {\kern 1pt} {\kern 1pt} {\kern 1pt} \left( {0,{\kern 1pt} {\kern 1pt} {\kern 1pt} {\kern 1pt} 1} \right)^{*} \to \left( {0,{\kern 1pt} {\kern 1pt} {\kern 1pt} {\kern 1pt} 1} \right)^{n} k \in \left( {0,{\kern 1pt} {\kern 1pt} {\kern 1pt} {\kern 1pt} 1} \right)^{n} {\kern 1pt} {\kern 1pt} } \right\}\), such that n is polynomial in security parameter λ, here, {0, 1}* denotes the binary string of arbitrary length.
In this section, firstly we give four security assumptions, oneway, second preimage resistant, collision resistant, enhanced target collision resistant hash function related to hash function, as the basic component of hashbased signature, the security of hash function affects the performance of corresponding hashbased signature seriously. Secondly, we give the definition and the corresponding security notion of signature scheme.
Definition 1
Oneway hash function (Merkle 1979a).
Hash function family H, security parameter λ are defined as above. We give the definition that function family H is one way if for any probabilistic polynomialtime adversary A there is a negligible function negl such that
Here x \(\xleftarrow{\$ }\) X denotes that x is chosen from X uniformly at random.
Definition 2
Second preimage resistant hash function (Menezes et al. 2018).
Hash function H, security parameter λ are defined as above. We give the definition of the function family H is second preimage resistant if for any probabilistic polynomialtime adversary A there is a negligible function negl such that
Definition 3
Collisionresistant hash function (Damgård 1989; Preneel et al. 1993; Black et al. 2002; Goldwasser et al. 1988).
Hash function H, security parameter λ are defined as above. We give the definition of the function family H is collision resistant if for any probabilistic polynomialtime adversary A there is a negligible function negl such that
Definition 4
Enhanced target collision resistant hash function (eTCR) (Halevi and Krawczyk 2006).
Hash function H, security parameter λ are defined as above. We give the definition of the function family H is eTCR if for any probabilistic polynomialtime adversary A there is a negligible function negl such that
In eTCR game, first A commits a message m, then receives a random key K, A wins the game if he can output (m′, k′) such that
Definition 5
Signature scheme (Rivest et al. 1978; ElGamal 1985).
A digital signature scheme ∏ is defined as a triple of probabilistic polynomialtime algorithms ∏ = (Gen, Sign, Ver):
Gen On input security parameter 1^{λ}, output a private signature key sk and public verification key pk;
Sig On input a signature key sk, message m, output a signature σ;
Ver Ver is a deterministic algorithm, on input a public key, a message and its signature triple (pk, m, σ), output 1 iff σ is a valid signature on m.
Definition 6
EUCMA security (Halevi and Krawczyk 2006).
Let ∏ = (Gen, Sig, Ver) be a signature scheme with private key sk and public key pk. We define EUCMA as follows. The forger A has access to the public key and a signing oracle O (sk, ·). On input the query of a message m, O returns A the signature Sig(m) on m. A has the chance to adaptively query O at most q times. The parameter q is bounded up with different kinds of signature schemes. For one time signature, q = 1. The property adaptive means a message may depend on answers of O replied previously. On input security parameter λ, ∏ is unforgeability under an adaptive chosen message attack if for any probabilistic polynomialtime A there is a negligible function negl such that
Definition 7
Forwardsecure property (Krawczyk 2000; Bellare and Miner 1999).
Forwardsecure property makes sense for keyevolving signature scheme, in which the whole signature process is divided into T periods, the public key pk i.e., the overall public key, is fixed for all these T periods, but the private key sk_{i} is evolved in each period, where i = 1, …, T. Compared with the conventional signature scheme, forwardsecure signature scheme only generates pk and sk_{0} in key generation algorithm, and an additional secret key update algorithm Sku is needed, which generates sk_{i} on input sk_{i1}, for i = 1, …, T; Sig in each period i takes as input the signature key sk_{i} and message m, output a signature σ along with the period index i.
Let ∏ = (Gen, Sku, Sig, Ver) be a keyevolving signature scheme with private key sk_{0} of the first period and public key pk. We define forwardsecure EUCMA as follows.
The forger A has access to the total number of time periods, the current time period, the public key pk and a signing oracle O (sk, ·). In the chosenmessage attack phase, on input the query of a message m, O returns A the signature Sig(m) on m under the private key sk_{1}, …, sk_{T} in order. A has the chance to query O at most q times. The parameter q is bounded up with different kinds of signature schemes. For one time signature, q = 1.
A stops the chosenmessage attack at a period of his choice, and then goes into the breakin phase, where A obtains sk_{j} of the current period j, his goal is to forge a signature \(\left( {i,{\kern 1pt} {\kern 1pt} \sigma *} \right)\) on m* of his choice such that \(\;(i,M*) \ne (i,M_{i} _{i = 1}^{{{\kern 1pt} {\kern 1pt} q}} )\) and \(Ver(m*,i,{\kern 1pt} {\kern 1pt} \sigma *,pk) = 1\), where i < j. In the following, we use breakin to denote both the breakin phase and the index of it for simplicity. On input security parameter λ, ∏ is forwardsecure EUCMA if for any probabilistic polynomialtime A there is a negligible function negl such that
Hashbased signature
OTS
In this section, we introduce several OTS schemes, including Lamport OTS and its improved version Merkle OTS, Winternitz OTS and WOTS + OTS. Compared with other kinds of OTS scheme, such as graphbased OTS, the above schemes following Merkle and Winternitz’s approach are still more widely accepted and employed in the application.
Idea
One signature key of OTS can only be used to sign one message.
Typical Schemes

(1)
Lamport OTS
The first OTS scheme was presented by Lamport in 1979(Merkle 1989; Lamport 1979), called Lamport OTS or LamportDiffie OTS.

A.
Idea
Lamport OTS adopts the construction with maximum storage cost and the minimum calculation cost. In order to sign a kbit message, it utilizes 2k private keys and 2k public keys. As shown in Fig. 1, each message bit corresponds to two private keys. When the message bit is 0, it corresponds to the first private key; otherwise, it corresponds to the second one. Only one hash evaluation of a oneway hash function is used to construct the public key on input the relevant private key.

B.
Scheme
For Lamport OTS scheme Sig = (Gen, Sig, Ver), a oneway hash function H is used which is a map: {0, 1}^{n} → {0, 1}^{n}, where n is polynomial in security parameter λ. The message m is presented as \(m = (m_{0} ,{\kern 1pt} {\kern 1pt} {\kern 1pt} m_{1} ,{\kern 1pt} {\kern 1pt} {\kern 1pt} \ldots ,{\kern 1pt} {\kern 1pt} {\kern 1pt} {\kern 1pt} m_{k} )\).
The signature scheme is described as follows.
Gen On input security parameter 1^{λ}, choose private key sequence \(sk = (sk_{1,0} ,sk_{1,1} ,sk_{2,0} ,sk_{2,1} , \ldots ,sk_{k} ,sk_{k,0,1} )\)\(\xleftarrow{\$ }\)(0,1)^{n*2k}, n is polynomial in security parameter λ, then output the public key sequence pk as follows:
Sig On input the message \(m = (m_{0} ,{\kern 1pt} {\kern 1pt} {\kern 1pt} m_{1} ,{\kern 1pt} {\kern 1pt} {\kern 1pt} \ldots ,{\kern 1pt} {\kern 1pt} {\kern 1pt} {\kern 1pt} m_{k} )\) and private key sequence sk, output the signature as follows:
Ver On input the message m, public key sequence pk, signature σ, the following compution and comparison are done in order to verify the signature.
To sign a message of arbitrary length, compression hash function should be used to compute message digest, which is applied to the signature algorithm as input.

C.
Security
Unforgeability of Lamport OTS depends on the onewayness of hash function H.

(2)
Improved Lamport OTS: Merkle OTS

A.
Idea
Merkle improves Lamport OTS by appending an extra checksum value to each message before signing the message, which records the quantity of 0 bit in the message, as shown in Fig. 2. The length needs to be signed becomes \(\left\lfloor {\log k} \right\rfloor\) + 1 bits longer than that of Lamport OTS, set s = \(\left\lfloor {\log k} \right\rfloor\) + 1.

B.
Scheme
The public key sequence pk is generated as \(\begin{aligned} pk & = (pk_{1} ,pk_{2} , \ldots ,pk_{{k + s}} ) \\ & = (H(sk_{1} ),H(sk_{2} ), \ldots ,H(sk_{{k + s}} )) \\ \end{aligned}\).
To sign a message m, mchecksum = (m_{1}, …, m_{k+s}), the signer only needs to reveal the sk_{i} which is related to m_{i} = 1, i = 1, …, k + s. The signature σ turns to be:
where \(m_{{j_{p} }} = 1,\;\;0 < j_{p} \le k + s\).
Consequently, the verification becomes into check:
Adversary who what to alter the bit value of the message to be signed has to reveal at least one preimage concerning either the original message or its checksum.

C.
Security and Efficiency
Lamport OTS scheme and Merkle OTS is EUCMA as long as the used hash function is oneway.
Although the key generation, signature and verification of Lampot OTS becomes more efficient, the scale of the signature and corresponding key pair is still quite large; compared with Lamport OTS, Merkle OTS only achieves limited improvement in performance.

(3)
Winternitz OTS
In this section we describe Winternitz OTS mentioned in Merkle (1989); Buchmann et al. 2011a), which is an improvement of Lamport OTS and Merkle’s scheme, achieves shorter signature and key pair size. An iterative function is applied in the Winternitz OTS to compute the public keys from the private keys.

A.
Idea
The main drawback of Lamport OTS signatures is its long signature size as well as key pair size, the signature size of Lamport OTS increases proportionally with the bit length of message to be signed by n times, where n is the bit length of each component of key sequence. Moreover, both private key and private key size as 2n times as bit length of message. Although by appending a checksum to each message, only limited decrease has been made in Merkle OTS of signature and key pair size. The idea of Winternitz OTS is to reduce the signature size and key pair size at the expense of some extra hash evaluations as shown in Fig. 3. Concretely, Winternitz OTS processes message m to the new form in base w representation firstly, then decomposes m into blocks of length log w. for each block, iterates a oneway hash function at most w–1 times, and the output of the hash function is considered as the signature for each block, which will be concatenated sequentially to form the whole signature of m. Winternitz OTS provides a tradeoff between the signature time and the signature size using the parameter w. The larger w is, the smaller signature size will be. For example, on input a 256 bits message, the hash functions used in Lamport OTS and Winternitz OTS are both maps of {0, 1}^{n} to {0, 1}^{n}, when w is chosen as 16, the signature size of Winternitz OTS is 67n bits, signature generation requires 960 and 483 evaluations of the underlying hash function in the worst case and average case, separately; when w is chosen as 256, the signature size of Winternitz OTS is 34n bits, signature generation requires 8160 and 4082 evaluations of the underlying hash function in the worst case and average case, separately; compared with signature size of 256n bits and signature generation of 512 hash evaluations in Lamport OTS, signature size of 264n bits and 136n bits in worst case and average case, signature generation of 264n hash evaluations in Merkle OTS.

B.
Scheme
For Winternitz OTS scheme Sig = (Gen, Sign, Ver), a oneway keyed hash function h is used: \(\left( {0,1} \right)^{n} \times k \to \left( {0,1} \right)^{n}\) where k is chosen from the key space K uniformly at random. Two parameter w (to be power of two) and l are used, which are related to the bit length of message block and the number of key components in one signature respectively.
The iteration function h^{i}(x) is constructed by repeating the function h(x) i times, where i ∈ {0,..., w − 1}, that is, h^{2}(x) = h(h (x)) and h ^{0}(x) = x. On input a m bits message, process it to the new form (m_{1}, m_{2}, …, m_{p}) in base w representation, then attach checksum \(C \, = \mathop \Sigma \limits_{i = 1}^{p} \left( {w  1  m_{i} } \right)\) in base w representation is to m, denote the whole string of mC as (b_{1}, b_{2}, …, b_{l}), where \(\, l = \left\lceil {\frac{m}{\log w}} \right\rceil { + }\left\lceil {\frac{{\log \left( {\left\lceil {\frac{m}{\log w}} \right\rceil \cdot (w  1)} \right)}}{\log w}} \right\rceil\).The signature scheme is described as follows.
Gen On input security parameter 1^{λ}, choose private key sequence \(sk = (sk_{1} ,sk_{2} , \ldots ,sk_{l} )\)\(\xleftarrow{\$ }\)(0,1)^{n*l}, n is polynomial in security parameter λ, then compute public key sequence pk as follows:
Sig On input the message m and private key sequence sk, compute the signature sequenceσis:
Ver On input the message m, public key sequence pk, signature sequence σ, the following compution and comparison are done verify the signature:
A collision resistant hash function should be utilized here to sign message of arbitrary length.

C.
Security
It has been proven that the Winternitz OTS is EUCMA if using either a collision resistant, undectable hash function or a PRF (Dods et al. 2005).
In Dods et al. (2005), the Authors provide security reductions for graph based OTS schemes, and achieves the conclusion that any compressed graph based OTS scheme with strongly compatible signature sets, including Winternitz OTS, is secure if the underlying functions are collisionresistant, oneway and undetectable.
In Buchmann et al. (2011a), it is proven that a variant of WOTS is EUCMA when instantiated with PRF. Furthermore, it has been proven that a variant of oneway function named key onewayness function exists if PRF exists. Actually, this variant of WOTS is proven to be EUCMA directly if the underlying function is keyoneway in their reduction. The following conclusions about original Winternitz OTS can be obtained spontaneously that the Winternitz OTS is EUCMA when the used hash function is oneway. Here, we omit the reduction for concision.
It is not discussed that whether or not the message to be signed needs to be compressed into a digest in Winternitz OTS in Merkle (1989), we come to the above conclusion in the assumption that the message will not be compressed by a hash function before being signed, and if on the contrary, no better conclusion than collision resistance can be drawn.

(4) WOTS +

A.
Idea and Scheme
WOTS + presented in Hülsing (2013) still follows the construction of WOTS as shown in Fig. 4, the main difference between them is that WOTS + uses a new iteration function h_{i} (sk, x) constructed as follows.
For Winternitz OTS scheme Sig = (Gen, Sign, Ver), a oneway function family F is used: \(F: = \left\{ {f_{k} :k \times {\kern 1pt} {\kern 1pt} \left( {0,{\kern 1pt} 1} \right)^{n} \to \left( {0,{\kern 1pt} 1} \right)^{n} k \in \left( {0,{\kern 1pt} 1} \right)^{n} } \right\}\), k is chosen from {0, 1}^{n} uniformly at random. Definitions and assignment of two parameters w, l are same as that of WOTS. On input the iteration counter i ∈ {0, …, w − 1}, randomized element r = (r_{1}, …, r_{j}) ∈ {0, 1}^{n}*^{j} where j ≥ i. the iteration function h^{i}(x, r) is constructed by repeating the function h(x) i times, h^{i} (x, r) = h^{i−1} (x, r) ⊕ r_{i},h ^{0}(x) = x.
WOTS + is only designed to sign the message of fixed length, similarly a collision resistant hash function should be utilized for message of arbitrary length.

B.
Security
It has been proven that the WOTS + is EUCMA as long as the used hash function family is second preimage resistant and undetectable oneway function family.
The bit security of Winternitz OTS is nw12log(w), compared with nlog(w^{2}l + w) of that of WOTS + . It can be concluded that as a negative impact on the security level, w has a linear effect on Winternitz OTS whereas logarithmic effect on WOTS + . In consequence, it is more autonomous in setting security level by using WOTS + in implementations.
We describe a variant of WOTS + in RFC8391 (Hülsing et al. 2018) in "Typical Schemes" section. In order to randomize each call of the iteration function, a unique pair of key and bitmask is used, which is generated by a PRF taking a seed key and a unique address as input at the cost of two additional PRF calls. For more details see "Typical Schemes" section.
Performance and security comparison
Here, we compare the performance and security level of Lampot OTS, Merkle OTS, Winternitz OTS and OTS + in the average size of signature key, verification key, signature, the average time cost of key generation scheme Gen, signature scheme Sig, verification scheme Ver, and the security level, separately, as shown in Table 1, where k denotes the bit length of message, n denotes the input and output bit length of hash/oneway function, w and l follow the definition in WOTS and WOTS + . We measure the average timing in terms of evaluations of underlying hash/ oneway function, we just concern the time cost related to the computations of hash/oneway function, and omit the time cost of initial elements generation such as generating the private key and randomized elements, we also ignore the computation cost of XOR operation, as it can be neglected compared with the operation cost of hash function. As shown above, in terms of former two OTS schemes, although the key generation, signature and verification of are very efficient, the scale of the signature and corresponding key pair is quite large, and only limited decrease has been made in Merkle OTS compared with Lamport OTS in performance. The latter two OTS schemes reduced the key pair size and signature size significantly at the cost of additional computation, they perform similar in size of key pair and signature and the time cost when ignoring the producing cost of randomized elements and computation cost of XOR operation. The main difference between Winternitz OTS and WOTS + is the influence of parameter w on the security levels. That is, w impacts the security level of Winternitz OTS negative linearly while impacts WOTS + negative logarithmically in sense of security level, which leads that w will be limited if we target a specific security level in WOTS compared with WOTS + .
FTS
In this section, we introduce several FTS schemes, including Biba, Hors, Pors.
Idea
FTS, as the name suggests, can be used to sign more than one message with the same key pair. Although all FTS schemes uses the single key pair to sign more than one message in contrast to one of OTS scheme, the security of the signature decreases with the number of messages to be signed. Examples for FTS schemes are Biba, Hors, Pors, Fors, etc. Biba FTS can achieve high verification efficiency at the cost of signature generation time as well as the public key scale, it is suggested to use Biba in the secure broadcast communication protocol to achieve low communication overload and high robustness to packet loss. On the downside, this scheme requires time synchronization between the sender and receiver, and heavy precomputation before signature generation. Hors, Pors, Fors is mainly focus on selecting k elements which is determined by the message to be signed from a large set of t, where t > > k. The security of Hors is based on the subsetresilient assumption. But actually, Hors maps some messages to small subsets which are easier to be covered in a subset resilience attack. Pors solves this problem in such a way that a pseudorandom number generator (PRG) is utilized to obtain a pseudorandom subset, Fors is designed that k elements are selected from k sets of t elements each, i,e, one in each.
Typical schemes

(1)
Biba
In this section we describe BiBa signature scheme mentioned in Perrig (2001), which achieves fast verification and small signature size, at the cost of signature generation time as well as the public key scale. We also describe the main idea of a secure broadcast communication protocol based on Biba mentioned in Perrig (2001).

A.
Idea
BiBa exploits kway (k ≥ 2) collision of a hash function family to generate the signature. Precisely, the signer precomputes a large scale of random numbers which are authenticated by the public keys. In particular, the calculation from random numbers to public keys is oneway. Then, use the random numbers to generate BiBa signature in a way that the signature is the k random elements among them who collides in the relatively function family. The verification can easily and efficient be achieved by verify the output of the relatively function family on input the k elements of the signature separately. The verifiable random number possessed by the signer is significantly larger than that of the adversary, as a result, signer can find a signature with overwhelming probability than adversary.

B.
Scheme

(a)
Initial Biba FTS

i.
Scheme
For Biba FTS scheme Sig = (Gen, Sign,Ver), the following hash function h, oneway function family G are used:
On input a message to be signed, the digest of the message h(m) needs to be computed first. The signature scheme is described as follows.
Gen On input security parameter 1^{λ}, firstly generate t random numbers SEAL_{i} from \(\left( {0,1} \right)^{n}\), for i = 1,…, t, t is polynomial in security parameter λ. Then on input SEAL_{i} for i = 1, …, t, output the public keys sequence as follows:
Sig On input the message m, SEAL_{i} i = 1,…, t, choose k \(SEAL_{{j_{p} }}\) by checking
where p = 1,…, k, i ≤ j_{p} ≤ t.
Output the signature as follows:
Ver On input the message m, public key sequence \(\left( {pk_{1} , \ldots ,pk_{t} } \right),\) signature sequence \(\left( {\sigma_{1} , \ldots ,\sigma_{k} } \right)\), the following compution and comparison are done in order to verify the signature:

ii.
Why is Biba FTS?
In Biba FTS, for any message digest, the signer all can find kway collisions with high probability to form the signature of the messages as long as the signer has sufficient SEALs, which are verifiable as the preimage of the corresponding public key of function F; meanwhile, we have pointed that the SEALs possessed by the signer is significantly larger than that of the adversary, signer can find a signature with overwhelming probability than adversary. Therefore, the more signatures have been generated, the more SEALs can be obtained by the adversary simultaneously, and the higher probability the adversary is with to forge a signature successfully. For a kway collision, the probability that adversary forges a signature is as follows:
where t is the number of SEALs revealed by previous signature.

(b)
Broadcast Authentication Protocol Based on Biba
The main idea of the broadcast authentication protocol based on Biba is to use oneway hash chains to achieve the fast authentication and replenishment of SEALs. Two pseudorandom functions (PRF) F, F′ are used here to generate the SEALs and the corresponding dedicatedkeys.
For the dedicatedkey sequence {K_{i}} where1 ≤ i ≤ l,
For the dedicatedkey sequence {SEAL_{i,j}} where i = 1, …, t, 1 ≤ j ≤ l,
The label i in the above is considered as the signature period, which is used from 1 to l in accordance with signature order. In each time period p, the SEAL_{1,p}, …, SEAL_{t, p} and dedicatedkey K_{p} are active. These k colliding elements to generate the signature in Biba schemes are chosen form SEAL_{1, p}, …, SEAL_{t, p}. In order to verify the signature, the signer publishes K_{p}, and sends SEAL_{i,p–1} (i = 1, …, t) and K_{p–1} over an authenticated channel. The following compution and comparison are done in order to achieve the signing verification: firstly, check whether the SEALs corresponding to the k elements in the signature are generated correctly by function F on input the related SEALs of previous period and dedicatedkey of current period; secondly, verify whether k elements in the signature collide with each other of function G. This broadcast authentication protocol requires time synchronization between the signer and verifier.

(2)
Hors

A.
Idea
Hors can be considered as a generalization of Lamport OTS proposed in 2002 (Reyzin and Reyzin 2002), in which a large number of public keys are precomputed on input the related private keys of a oneway function. The essence of Hors is to solve the problem of selecting a small subset containing k elements from a large set of t elements pseudorandomly, t > > k. The message digest is interpreted as a label sequence which indicates a specific subset of the key pairs, and the private keys in this subset form the signature. In order to sign a few messages using these key pairs, the underlying hash function H used to digest the message should be rsubsetresilient, i.e., for any probabilistic polynomialtime adversary A who can output (m_{1}, m_{2},…, m_{r+1}) such that \(H\left( {m_{r + 1} } \right)\mathop \subseteq \limits_{i = 1}^{r} H(m_{i} )\) successfully with negligible probability.

B.
Scheme
For Hors FTS scheme Sig = (Gen, Sign, Ver), the following oneway function f, hash function h are used:
\(h:\left( {0,1} \right)^{*} \to \left( {0,{\kern 1pt} 1} \right)^{l}\).
On input a message to be signed, digest the message m to be h(m) first, then sign h(m) as follows.
Gen On input security parameter 1^{λ}, firstly generate t nbit private keys sk_{i} uniformly at random, for i = 1,…, t, t is polynomial in security parameter λ. Then, output the public keys sequence as follows:
Sig On input the message m, private keys sk_{i} i = 1, …, t, denote h(m) as (b_{1}, b_{2}, …, b_{k}) in base t representation, where \(l = k * \log t.\) Output the signature as follows:
Ver On input the message m, public key sequence \(\left( {pk_{1} , \ldots ,pk_{t} } \right),\) signature sequence \(\left( {\sigma_{1} , \ldots ,\sigma_{k} } \right)\), firstly digest the message m to be h(m) and denote h(m) as (b_{1}, b_{2}, …, b_{k}) in base t representation, the following compution and comparison are done in order to check the signature:

C.
Security
It has been proven that the signatures are rtime EUCMA if the hash function used to digest the message is rsubsetresilient and function used to generate the public keys is oneway.

(3)
Pors
The security of Hors is based on the subsetresilient assumption (Aumasson and Endignoux 2018). But actually, Hors maps some messages to small subsets which are easier to be covered in a subset collision attack. Pors solves this problem in such a way that a PRG is utilized to obtain a pseudorandom subset. Concretely, a hash function family H: \(\{ h_{k} :\left( {0,1} \right)^{*} \to \left( {0,1} \right)^{n} k \in K\}\) and a PRF G: \(\left( {0,1} \right)^{n} \to \left( {0,1} \right)^{*}\) is used in Pors. Firstly, on input a message m into G, choose the first k distinct output (b_{1}, b_{2}, …, b_{k}) as label sequence which indicates the specific subset of the key pairs, where each block is in base t representation, i.e., G(m) = (b_{1}, b_{2}, …, b_{k}).
The key generation is the same as that of Hors, and the above k indices are used to select k parameters as the signature value, from the private key which contains t values.

(4)
Fors

A.
Idea
Fors is presented in the SPHINCS + hashbased signature in 2017 (Bernstein et al. 2017), which is also a successor of Hors. As Hors selects k elements all from one set of t elements, the same indices of the message digests yield the same elements in the signature; in order to solve this issue, Fors is designed in such a way that k elements are selected from k sets of t elements each, i,e, one for each; t is set to be power of 2, t > > k. In this case, only the same indices with the same position in the message digest blocks sequence yield the same elements in the signature. a PRF F: \(\left( {0,1} \right)^{n} \times \left( {0,{\kern 1pt} 1} \right)^{32} \to \left( {0,1} \right)^{n}\) and a tweakable hash function H is used in Pors.
Tweakable hash utilizes a public parameter and a tweakable parameter in addition to the message as input to a hash function to generate different outputs, in order to be multifunction multitarget resistant. Several specific tweakable hash functions are introduced in Bernstein et al. (2019), one can choose one among them on demand, for more details of tweakable hash see (Bernstein et al. 2019; Hülsing et al. 2016).

B.
Scheme
Fors FTS scheme Sig = (Gen, Sig, Ver) is described as follows.
Gen On input security parameter 1^{λ}, firstly choose nbit private keys sk uniformly at random, n is polynomial in security parameter λ. Then, on input sk, the address of each private key ADRS_{i}, i = 1, …, kt, output the private keys sequence as follows:
For each set (sk_{it+1}, …, sk_{(i+1)t}), i = 0, …, k1, use the tweakable hash function H to build a binary tree with height of log t, and the roots of k trees consist of the set of \(\left( {pk_{1} , \ldots ,pk_{k} } \right)\), which is then input into a tweakable hash function, generating the final public key pk.
Sig On input the message m, private keys sk_{i} i = 1, …, kt, denote h(m) as (b_{1}, b_{2}, …, b_{k}) in base t representation, where \(l = k * \log t.\) Output the signature as follows:
where path_{auth,i} is the authentication path in the ith tree, authentication path of the hash tree will be thoroughly discussed in section.
Ver On input the message m, public key pk, signature σ, firstly digest the message m to be h(m) and denote h(m) as (b_{1}, b_{2}, …, b_{k}) in base t representation, the following compution and comparison are done in order to check the signature:
Firstly, invoke the tweakable hash function on input \(\left( {sk_{{b_{i} + (i  1) \, t}} ,path_{auth,i} } \right)\) to compute PK_{i}, i = 1, …, k. Then, \(\left( {pk_{1} ,...,pk_{k} } \right)\) is input into the tweakable hash function, generating the final public key pk’.
Finally, compare \(pk{\prime }\mathop = \limits^{?} pk\), if yes, it is a valid signature.
Performance and security comparison
Here, we compare the performance and security level of Biba, Hors and Pors in the size of signature key, verification key and signature, the time cost of key generation scheme Gen, signature scheme Sig, verification scheme Ver and the security level, separately, as shown in Table 2. Without loss of generality, in all schemes t denotes the number of key pairs (also the number of private keys and public keys separately), k denotes the component number in the signature, n denotes the input and output of hash/oneway function, r denotes the signature times, l and n_{1} follow the definition in broadcast authentication protocol based on Biba, q and q’ denote the number of queries to oracle and hash function separately, Ps denotes the probability that the signer can find a signature in one trial. We measure the timing in terms of evaluations of underlying hash function/oneway function/PRF. We compare the security level of the above scheme in rnonadaptivechosenmessage attack model, in which the adversary queries signatures r times on r messages of his choice, and then he tries to forge a signature on a new message m of his choice.
As shown above, all these schemes can be used to sign t messages with the same key pair and achieve high verification efficiency at the cost of signature generation time as well as the public key scale. As an improvement of Hors, Pors can achieve a higher security level.
Treebased public key authentication
We have pointed out the main drawback of both OTS and FTS schemes is that one key pair can only be used to sign one or a few messages. In a signature scheme, we authenticate the message based on the integrity of public key. As a result, to authenticate public key on a large scale has become a vital issue in the research of hashbased signature.
The treebased public key authentication is a classical way to solve the public key management issue. Furthermore, as the key pair has to be changed into a fresh one after each signature generation, a natural way is to utilize the state management to keep record of the state and synchronization between signer and verifier, otherwise there may exists reduplicate use of the signature key, such that the adversary can forge a valid signature easily. Therefore, state management plays an essential role in many scenarios of the application of hashbased signature, but it also limits it less practical. Stateless hashbased signature settles state management at the cost of significantly higher signature size compared with the stateful ones in the analogous security level.
In this section, we focus on different constructions and security analysis about hashtree based public key authentication of hashbased signature, classify hashbased signature into limited number and stateful schemes, unlimited number and stateful schemes and unlimited number and stateless schemes, the goal is to present, classify and discuss different solutions for treebased public key authentication.
Different ideas

(1)
Limited number or (cryptographic) unlimited number

A.
Downtop or topdown
Treebased authentication scheme efficiently using the hash tree to authenticate public keys is wildly adopted to solve the problem of key management. To sign a message, after the OTS is generated, the following parameters, including the message, the OTS and its index, the onetime public key, along with an authentication path generated by the treebased authentication scheme, have to be applied to verifier. Verifier authenticates the signature in two steps. Firstly, verify the OTS by the first four parameters of the signature; Secondly, authenticate the onetime public key along with the authentication path to construct the tree from leaf nodes to root, or from the root to bottom, which comes into two main different approaches to authenticate public keys in large scale, depending on signing limited number or cryptographic unlimited number of messages.
In terms of authentication downtop, the root, i.e., the overall public key, which can be used to verify all of the public key as leaf nodes, should be constructed form the leaf nodes in the bottom layer to the top. In terms of authentication topdown, along this direction one can establish the trust relationship, as well as the tree with unlimited number leaf nodes, each node in the tree can be constructed independent in contrast to the downto the tree with unlimited number leaf nodes, each node in the tree can be constructed independent in contrast to the downtop approach that the interior nodes need to be constructed by its children nodes, the private key corresponding to the node on the higher layer which has already been authenticated is used to sign the node on one layer lower, the buildingup of all these signatures in the authentication path is based on the authenticated root, along topdown direction one can establish the trust relationship.
Specifically, in the case of downtop authentication, we set all the public keys to be leaf nodes of a binary hash tree, these nodes above the lowest layer are calculated from the output of hash function on input the two closest nodes, called children nodes one level lower. For a binary tree whose height we denote as h, actually, it has 2^{h} leaf nodes and h + 1 layers, which are ranged from 0 to h from bottom up. All of the nodes are denoted as N_{i},_{j}, where i = 0, …, h, denotes the height of the node counted from bottom to top in the tree, j = 0, …, 2^{i} – 1, denotes the horizontal index counted from left to right. To authenticate the ith public key, an inner node sequence is used as the authentication path which consist of the sibling nodes on the path from N_{0,i} to root N_{h,0}. As shown in Fig. 5, to authenticate N_{0,4}, the corresponding authentication path is N_{0,5} → N_{1,3} → N_{2,0} → N_{3,0} in order, along with the message, the OTS and its index have to be applied to verify the signature in the verification phase. In many cases the onetime public key can be calculated from the message and the OTS, and needs not to be transmitted to the verifier as a consequence. The nodes in the authentication path should be used in order, with N_{0,i} as the initial one, to generate the root node, the signature is valid as long as the root node generated by the verifier equals the authenticated one.
In the case of topdown authentication, firstly, one generates OTS key pairs randomly or pseudorandomly, here we will not discuss how to generate these key pairs, which depends on the specific application scenario; then, construct the authentication path in the opposite directions compared with the above approach, i.e., from root node to leaf node, the private key related to the parent node is used to sign its child node in the topdown order. As shown in Fig. 5, to authenticate N_{0,4}, the corresponding authentication path is N_{3,0} → N_{2,1} → N_{1,2} → N_{0,4} in order. Specifically, N_{3,0} is the overall public key of the whole system whose integrity has already been authenticated, i.e., the private key corresponding to N_{3,0} is used to sign the node N_{2,1}, and so on, till N_{0,4}, the buildingup of all these signatures in the authentication path is based on the authenticated N_{3,0}. This approach is similar to the case of hierarchical public key infrastructure (PKI), where public key of root CA is signed by a trusted authority, and corresponding public key certificate of root CA has been distributed to all other entities in this PKI system, and can be verified when necessary. Take three layers PKI for example, the root CA is on the highest layer will the end entities in on the lowest layer. The intermediate CA certificate is issued by Root CA, i.e., the public key of the intermediate certificate is signed by the Root CA’s private key. The intermediate certificate then issues certificates to end entities. Authentication is done from top to bottom.
For the two tree authentication approaches mentioned above, it is a natural way to construct the authentication tree by the first approach as long as the number the signatures is acceptable, and there no other computing expense except signing the original message and generating the related authentication path in the tree. Nevertheless, the key generation cost goes up exponentially with the number of layers in the tree in this approach. Compared with the first approach, the number of signatures generated by the tree is no longer fixed in the second one, and it exponentially reduces the computing and storing cost to generate the authentication path at the expense of linearly increasing signatures with the quantity of the layers, which are generated by the private key corresponding to the node on the higher layer. In consequence, the topdown authentication is a more flexible way to sign unlimited number of messages.

B.
Hypertree
For a larger scale hashbased signature signing enough messages, it is common to use the hypertree trees which combines both of the two approaches above, such as GMSS, XMSS^{MT} and HSS which are the hypertree variants of Merkle hashbased signature, LMS and XMSS separately; SPHINCS with many of its variants such as SPHINCS + , Gravity SPHINCS, etc., allowing to make a tradeoff between the signature size and time by the number of layers.
A whole tree of height h is constructed by d layers subtrees of height (h + 1)/d1, where h, d ∈ N, dh + 1. The whole tree can be used to sign 2^{h} messages while single subtree to sign a group of 2^{(h+1)/d} public keys or messages in the hashbased signature, these subtrees will be used consecutively and only one subtree on each layer needs to be computed.
By using the multilayer subtrees, firstly, the key generation time reduces from O(2^{h}) to O(2^{h+1/d}) at the cost of additional (d–1) signatures. The computation scale reduces approximately exponentially with increase of the number of layers, as a consequence, can meet the requirement of signing enough message in the resourcelimited environment; secondly, using a single tree to generate a large scale of signature keys will inevitably lead to a variety of problems in key storing and distributing. When the signature key is copied for distributing to other application module, there is risk of reuse. By using the multilayer subtrees, one can using a single subtree to generate the onetime key pairs for one specific usage, by doing this, the above problems are easily solved.

(2)
Stateful or stateless
The hashbased signature schemes commonly used in practice are stateful due to the underlying OTS/FTS, the signature key needs to be renewed when exceeding its service time, namely, the signing times it can be used to sign the messages, thus it is necessary to update the internal key state over time, otherwise, it is feasible for the forger to generate a new signature without recovering the signature key. Although it is a natural way to use this stateful approach to construct a hashbased signature scheme, it is not in line with the standard definition of digital definition, in which there is no requirement about the key state management; moreover, state management may be difficult to implement in a cryptosystem with limited functions. In consequence, how to design stateless hashbased signature has become a raised concern.
In the design of the stateless hashbased schemes, to select a signature key pseudorandomly when signing a message, to sign as many messages as possible on the same system scale, to design a tree in a much larger scale and to efficiently generate each subtree are all the key issues needed to be fulfilled in the stateless schemes. See “Typical schemes” section for detailed analysis.
Typical schemes

(1)
Limited number and stateful schemes
As analyzed above, to build authentication path from bottom top and update the signature key after exceeding its service time, is the most fundamental way to construct hashbased signature.

A.
Merkle tree
Merkle tree is proposed by Merkle in 1979 (Merkle 1989), which is the original tree authentication scheme following the approach of signing limited number of messages mentioned above. A hash function H:{0, 1}^{2n} → {0, 1}^{n} is utilized to construct the nodes in it. A Merkle tree is a binary tree with 2^{ h} leaves on the bottom layer, whose height we denote as h. for interior nodes we denote the two nearest nodes on the first lower layer as its children nodes, the interior nodes values are set in such a way that it is the output of the hash function H on input their children node values, i.e.,
where i = 1, …, h, j = 0, …, 2^{i} – 1.
The interior nodes are computed from left to right, from bottom to top sustainedly, and we denote the node on h + 1th layer as Root.
A hashbased signature consisting of OTS and Merkle tree works in the following way. Firstly, a Merkle tree is constructed whose leaf on the lowest layer is the onetime public key (or its digest). The Root is authenticated by public key authentication technology such as digital certificate. The Root is the overall public key which will be used to authenticate all the signatures constructed by the onetime key related to the leaf in the Merkle tree.
To sign a message, the onetime private key is used to generate the onetime signature. Then, the following data related to the signature, including the message, the onetime signature and its index, the public key, along with authentication path by the tree authentication scheme, have to be applied to verifier. Before the verification, the authentication of the Root, such as the root’s digital certificate, has to been sent to verifier in advance. The verifier authenticates the Root first, then verifies the onetime signature, finally validates the onetime public key using the authentication path sequentially from bottom up to calculate the tree root, and compare the calculated root with Root, if they are equal, the signature is valid.
Treehash algorithm has been presented to compute the root of the Merkle tree with lower storage requirement. The basic idea is to use a stack along with the push and pop operations to store the value of nodes when necessary. The treehash algorithm is also used in the BDS algorithm as a subroutine. For more details see (Buchmann et al. 2008).

B.
XMSS
XMSS, short for eXtended Merkle Signature Scheme proposed in 2011 (Buchmann et al. 2011b), can be considered as an improved version of SPRMSS and achieves forward secure and EUCMA if the underlying hash function family is second preimage resistant.

a)
Idea
The original version of XMSS uses WOTS as its underlying OTS scheme (which is changed to WOTS + in the later version), and an XOR tree as its authentication scheme. First, in order to achieve forward secure, XMSS makes the following changes to the underlying OTS scheme: using a forwardsecure PRG to generate the signature key sequence instead of generating them randomly. It has been proven by Krawczyk (2000) that an unforgeable forwardsecure signature scheme can be constructed by combining a forwardsecure PRG to generate the signature keys and an unforgeable signature scheme to generate the signature. In this way, XMSS achieves forward secure analogously. Second, in the public key authentication phrase, XMSS uses the XOR tree authentication proposed by Bellare and Rogaway, to construct unforgeable hashbased signature scheme, in order to relax the security assumption of the underlying hash function to second preimage resistance instead of collision resistance. In this way, the signature size is reduced in the analogical security level. Compared with SPRMSS which use Lamport OTS as its underlying OTS in its reduction to compute its security level, the usage of WOTS in XMSS reduces the signature size by more than 75% in the analogical security level.

(b)
Scheme
As we have discussed about WOTS scheme in "Typical schemes' section, here, we just introduce the onetime key generation scheme and tree authentication scheme of XMSS.

i.
OneTime Key Generation
A PRF F(n) = \(\left\{ {f_{k} :\left( {0,{\kern 1pt} 1} \right)^{n} \to \left( {0,{\kern 1pt} 1} \right)^{n} k \in \left( {0,{\kern 1pt} 1} \right)^{n} } \right\}\) is used in XMSS to iteratively generate the state in each Winternitz OTS started from a random initial state SEED. Precisely, to generate each Winternitz OTS signature key, beginning with the initial state SEED, XMSS uses the state \(State_{{i{  }1}}\) of the i1th Winternitz OTS to produce a new state \(State_{i}\) and a new \(SEED_{{OTS_{i} }}\) of the ith Winternitz OTS, and then use \(SEED_{{OTS_{i} }}\) to generate the onetime private key sequence sk_{i}, i.e.,
where i = 1, …, l.
The public key pk_{i} are computed in the same way as that of WOTS on input the corresponding sk_{i}.
The onetime key pair generation above using the iterative PRG to achieve the keyevolving has already been proven to be the forwardsecure PRG (Krawczyk 2000).

ii.
Tree authentication
Two type of authentication tree, Ltree and XMSStree, are used in the XMSS tree authentication scheme. The former is to construct each leaf node of the XMSS tree on input the onetime public key, whereas the latter is to reduce the authentication of all these onetime public keys to a single root of XMSStree.
Both the two kinds of trees use the following algorithm to construct the whole tree: A keyed hash function \(H_{ht} (n) = \left\{ {h_{k} :\left( {0,1} \right)^{4n} \to \left( {0,{\kern 1pt} 1} \right)^{n} k \in \left( {0,1} \right)^{n} } \right\}\) is utilized to construct the nodes on the tree. Similar to that in the Merkle tree, the two nearest nodes on the first lower layer in the tree are defined as the children nodes of the interior nodes. For a tree whose height we denote as h, the bitmasks b_{l,j} b_{r,j} are chosen uniformly at random from {0, 1}^{2n*h}, k is chosen uniformly at random from {0, 1}^{n}. All of the nodes are denoted by N_{i},_{j}, where i denotes the height of the node counted from bottom to top in the tree, j denotes the horizontal serial index counted from left to right, both i and j are counted from 0. The interior nodes values are calculated as:
\(N_{i, \, j} = H_{ht} \left( {N_{i  1,2j} N_{i  1,2j + 1} \oplus b_{l,j} b_{r,j} } \right)\),where i = 1, …, h, j = 0, …, 2^{i}–1.
The interior nodes are computed from left to right, from bottom to top sustainedly.
The main differences between Ltree and XMSStree are as follows. Firstly, the number of leaf nodes of XMSStree must be set to the power of 2, but it is not necessary for Ltree, which leads that the last node in some layers of Ltree may have no sliding node. In this case, this last node will be raised to the lowest higher layer in which it has the sibling node in the Ltree. Secondly, the leaf nodes of each Ltree are the public keys from the underlying OTS scheme, whereas the leaf nodes of each XMSStree are the root nodes of each Ltree.
The verification is done similarly as in the Merletree hashbased signature. The message, OTS, the state, the authentication path along with the public key of the XMSStree has to been sent from the signer to verifier. The verifier authenticates the message by verifying OTS first, then validates the onetime public key by using the nodes in the authentication path sequentially from bottom up to calculate the tree root, and compare it with the received one, the signature is valid if they are equal.

iii.
Security
By using a forwardsecure PRF F(n), a second preimage resistant hash function family H_{ht} as well as WOTS +, XMSS achieves forward secure and EUCMA.

B’ a Variant of XMSS in RFC 8391
In RFC 8391 (Hülsing et al. 2018), a variant of XMSS was proposed using variants of WOTS + and tree authentication scheme, the EUCMA of this variant can be deduced from multifunction multitarget second preimage resistance of the underlying function.

(a)
Idea
Multifunction multitarget notions of preimage, second preimage resistance and eTCR, which have been proven to have identical or similar security as the standard notions of that in singlefunction singletarget notions (Hülsing et al. 2016). However, initial XMSS along with its tree and multitree variant, like XMSS^{MT} and SPHINCS, are referred to singlefunction multitarget notions, where an attacker obtains d target images or preimages together with a random function from the hash function family, he attacks successfully if he can just find one preimage or second preimage for d targets with nonnegligible probability. It has been proven that for singlefunction multitarget attack, the complexities are reduced by d and \(\sqrt d\) in classical and quantum attacks respectively. By using independent keys and bitmasks to randomize each call of the PRF and the hash function in the OTS and the hash tree, the EUCMA of XMSS can be deduced from multifunction multitarget second preimage resistance of the underlying function.

(b)
Scheme

i.
A Variant of WOTS +
In this section, we introduce the address generation scheme, iteration function, Key generation, signature and verification schemes used in this variant of WOTS+.

An Address Generation Scheme
In order to randomize each call of either the PRF or the hash function, a unique pair of key and bitmask is used, which is generated by a PRF taking a seed key and a unique address as input. We describe the address generation scheme in detail as follows.
For different usages in OTS, Ltree, and multitree, the addresses are generated in different way. Generally, the address begins with the layer address and tree address, which separately describe the height of a tree and the position in a layer, to indicate the position of a specific tree in multitree and are set to zero in the case of a single tree as in OTS and Ltree. The third parameter called type is used to distinguish the different usages of this address, which is set to different values to indicate the OTS address, Ltree address, subtree address respectively. For a OTS address, the next three words are OTS address, chain address and hash address which describe the position of the OTS in the tree, the chain address and the index of the hash call in the chain. For an Ltree address, the next three words are the Ltree address, tree height and the tree index which describe the index of the corresponding leaf calculated with this Ltree, the height of the node for the next computation and the position of the node at this height in the Ltree. For a multitree address, the next three words are zero padding, tree height and the tree index, the latter two describe the height of the node for the next computation and the position of the node at this height in the multitree. For the three types of addresses, the last parameter called keyAndMask indicates the different usage of the address, which is set to different values for generating the key, the most significant bytes and the least significant bytes of bitmask.

Iteration Function
Compared with the initial WOTS + , this variant randomizes each call of the iteration function family \(H(n) = \left\{ {h_{k} :\left( {0,1} \right)^{n} \times \left( {0,1} \right)^{n} \to \left( {0,1} \right)^{n} k \in \left( {0,{\kern 1pt} 1} \right)^{n} } \right\}\) by a PRF \(G(n) = \left\{ {g_{SEED} :\left( {0,1} \right)^{n} \to \left( {0,1} \right)^{n} SEED \in \left( {0,{\kern 1pt} 1} \right)^{n} } \right\}\) on input a seed key and the corresponding address to generate a key of H and a bitmask with whom the intermediate value will XOR with. Definition of parameters w is same as in WOTS + . On input a value x ∈ {0, 1}^{n}, an iteration counter i ∈ {0, …, w − 1}, a public seed key SEED, an address ADRS_{key,i} or ADRS_{mask,i} with index indicating its usage in the ith iteration, the new iteration function h^{i}(x) with G works as follows.
The iteration function iterated as needed times returns the output of any length of this chain, i.e., iterating from the initial state or any intermediate state any rounds as needed.
The above is an instance of tweakable hash. For more discuss of tweakable hash see "Typical schemes" section.

Key Generation, Signature and Verification
The private keys are either chosen uniformly at random or generated pseudorandomly. Similar as in the initial WOTS + , the public keys are generated by iterating the private key w–1 times, while signature and verification are generated by iterating either the private key or the signature certain times determined by the message to be signed, with only difference of the above new iteration function used.

ii.
A Variant of XMSS Tree Authentication
The variant of XMSS in 8391 uses the above WOTS + variant as its OTS scheme, before inputting into the WOTS + variant, the message of arbitrary length is compressed by a hash function \(H_{dgt} :\left( {0,1} \right)^{n} \times \left( {0,1} \right)^{n} \times \left( {0,1} \right)^{n} \times \left( {0,1} \right)^{*} \to \left( {0,{\kern 1pt} 1} \right)^{n}\) to nbit message digest; after OTS scheme, a specific tree authentication scheme with the PRF G(n) required in the above WOTS + and a hash function \(H_{{_{ht} }}^{\prime } (n) = \left\{ {h_{{_{{ht,{\kern 1pt} k}} }}^{\prime } :\left( {0,1} \right)^{n} \times \left( {0,1} \right)^{2n} \to \left( {0,1} \right)^{n} k \in \left( {0,1} \right)^{n} } \right\}\) will be used to compute a authentication path, as shown in Fig. 6. Finally, the private key is renewed to prepare for the next signature. We describe the message digest scheme and the tree authentication scheme in detail.

Message Digest
Choose private key sk_{dgt} uniformly at random from {0, 1}^{n}; on input sk_{dgt}, public SEED, public key PK_{root}, message m, index of the signature IDX,
Calculate
The generation of PK_{root} is described in the following tree authentication scheme.

Tree Authentication
In the variant of XMSS in 8391 (Hülsing et al. 2018), as shown in Fig. 6, each subroutine H_{ht} used to the XMSS tree is randomized by using a PRG on input a seed key and the corresponding address to generate a key of H_{ht}’ and two bitmasks with whom the intermediate values will XOR with in H_{ht}’.
The variant of XMSS still uses Ltree and XMSStree of similar structure in constructing authentication tree, but with the distinct tree function H_{ht}’ as follows.
The bitmasks Mask_{i} and function key k_{i} of H’_{ht} are generated by function G(n) of public SEED and corresponding address. The interior node value N_{i, j} of the hash tree is calculated by function H_{ht}’ as:
where N_{i1},_{2j} and N_{i1},_{2j+1} are two nearest nodes on the first lower layer in the tree, i = 0, …, h, j = 0, …, 2^{i}1.
The nodes on the bottom layer of the Ltree are each component of one public key, whereas those of XMSStree are the root nodes of each Ltree. The interior nodes are computed from left to right, from bottom to top sustainedly, and the root of XMSStree is PK_{root}.
The authentication path of a public key node N_{0,i} consists of the sibling nodes on the path from N_{0,i} to root N_{h,0}.

Security
In contrast to the original XMSS, in which once the key is randomly chosen, the function will be fixed until the whole tree is constructed, and all the bitmasks in the tree are chosen uniformly at random as well, tree authentication scheme in this variant by using independent keys and bitmasks to randomize each call in the OTS and the hash tree, can achieve multifunction multitarget resistance in the related security assumption of hash function.
It is obvious to see that if the signature is EUCMA, the adversary cannot find a second preimage (Rand’, m’) of (Rand, m) under H_{dgt} in message digest phase, otherwise, the adversary can output a forge a signature by simply replace (Rand, m) with (Rand’, m’) in a valid signature, it is a more stringent security assumption than eTCR.
The literature (Aumasson and Endignoux 2018) gives the security reduction of XMSST. The difference between XMSST and the variant of XMSS are: first, two secret keys must be generated pseudorandomly by function H_{prf}; second, PK_{root} is not part of the input parameters in the message digest function H_{dgt}’; therefore, H_{dgt}’only needs to be (postquantum) eTCR secure in XMSST. XMSST is postquantum EUCMA under the following assumptions: the hash function family H(n) in the variant of WOTS + and H’_{ht} (n) in tree authentication scheme are postquantum multifunction multitarget second preimage resistant, where F has at least two preimages; H_{rdm} and H_{prf} are PRF; G(n) needs to be programmed as quantum random oracle, the message digest function H_{dgt}’ to be postquantum eTCR secure.

C.
LMS

(a)
Scheme
The LMS scheme was proposed in 1995 as a USA patent by Leighton and Micali (1995), and recently was published as RFC8554 by IETF (McGrew et al. 2019). The LMS scheme also can be considered as an improved version Merkle scheme, and can achieve stronger security by using different prefix in its iteration function. The main difference between LMS and Merkle scheme lies in the iteration function from the perspective of designing structure. Here, we mainly introduce the iteration function of the version in RFC8554.
LMS randomizes each call of the iteration function \(h:\left( {0,1} \right)^{n} *\left( {0,{\kern 1pt} 1} \right)^{n} \to \left( {0,1} \right)^{n}\) by an additional prefix as part of the input. Precisely, when using the iteration function h in the OTS of LMS, on input a value x ∈ {0, 1}^{n}, iteration counter i ∈ {0, …, w − 1}, PRIFIX_{i} which is related to subtree address, the position of the OTS in the subtree, the chain address and the index of the hash call in the chain, etc. The iteration function h^{i}(x) works as follows.
When using it in the tree authentication generation, the parameter PRIFIX_{i} is related to node number and some fixed values, N_{i1},_{2j} and N_{i1},_{2j+1} denote the values of two children nodes. The iteration function H’_{ht}(x) is changed into:
where i = 0, …, h, j = 0, …, 2^{i}–1.
For more recommended parameters see (Cooper et al. 2019).

(b)
Security
As we can see from above, different prefixes are used in each iteration function, as a result, the following attack will be prevented: the adversary tries some random inputs of H or or H’_{ht} or the hash function used to generate the onetime public key by digesting the concatenation of each single public key component, to check if the related outputs match the outputs of these functions, in some sense this kind of attack is essentially equivalent to multifunction multitarget attack proposed in Hülsing et al. (2016). The iteration functions of OTS and hash tree both need to be second preimage resistant. The literature (Eaton 2017) gives the security reduction of LMS in quantum random oracle model.
Security analysis of LMS is given in the random oracle model; in addition, the hash compression function is also needed to be a random oracle, which is less convincing compared with that of initial XMSS analyzed in the standard model (in the variant of XMSS in RFC8391, PRF G(n) used to generate the bitmask and key for each call of hash function, needs to be programmed as random oracle).
In terms of implementation performance, the prefix values in LMS are just related to position and some fixed values that can be prepared in the initialization phase, compared with some parameters of the iteration in the XMSS dependent on the output of the previous round, LMS is faster than XMSS in the signature generation. Meanwhile, LMS is more flexible and adaptable, one can implement initialization and signature generation on separated devices.

(2)
Unlimited Number and Stateful
As the name suggests, unlimited number and stateful hashbased signature can sign cryptographic unlimited number of messages, meanwhile, the signature key must be renewed after exceeding its service time. One can use the limited number and stateful hashbased signature schemes as the subtree to construct the corresponding hypertree schemes to sign enough messages. Most of the limited number and stateful hashbased signature schemes have their own unlimited number and stateful versions, such as the GMSS, XMSS^{MT} and HSS which are the multitree variants of Merkle tree scheme, XMSS and LMS separately, which we will introduce in this section.
Generally, by using its limited number and stateful version as the subtree, the unlimited number and stateful scheme builds a whole tree of height h by d layers subtrees of height (h + 1)/d–1, where h, d ∈ N, dh + 1, as shown in Fig. 7. As a stateful scheme, one can make full use of all the onetime/fewtime signature keys with the key state management algorithm, as a consequence, k*2^{ h} signatures can be made by the whole tree while only a single subtree of height (h + 1)/d–1 needs to be computed per layer signing one message, where k is the times one key pair used in signature.
To sign a message, authentication path inner a subtree follows downtop approach, and the root node of the subtree is calculated from the bottom node to the top; while authentications between subtrees follows topdown approach, the leaf nodes of the higher subtree is used to authenticate the root of the subtree one layer lower. Concretely, each subtree is constructed independently; the leaf nodes of each subtree are the public keys, nodes of the subtree above the lowest layer are calculated by the tree hash on input the two children nodes. In this way, we have established all the nodes of the whole tree. The root of the top subtree is the overall public key; it is based on its integrity that the leaf nodes of subtree on the higher layer can be used to authenticate the signature of the root of the subtree one layer below consecutively. Key state management chooses the signature key to sign the message directly, whose related public key is one leaf node of the bottom subtree. The signature can be presented as follows:
The following data related to the signature \(\sigma\) have to be applied to verifier, including the message m, the OTS/FTS σ_{m} and its index i, along with the following data per layer containing signature σ_{j} of the root of the subtree on layer j generated using a signature key of the subtree on layer j–1, and the authentication path Auth_{j} used to construct the root of subtree on layer j from the bottom up to verify or construct the onetime/fewtime public key on the bottom of this subtree traversed by the whole authentication path, where j = 1,…d–1.
What need to be mentioned here is, in many cases, the onetime/fewtime public key traversed by the authentication path on the bottom of each subtree can be deduced by the corresponding onetime/FTS of the root of the subtree below, as a consequence, it need not to be contained in the signature σ, we just use each OTS/FTS to construct the corresponding public key along the authentication path until the root of the subtree on the top layer, and compare it with the overall public key. The signature is valid if the comparison returns equal; otherwise, it is rejected. If in some exceptional cases the interior onetime/fewtime public keys mentioned above cannot be deduced in this way, we still need to contain them in the signature σ, which turns to be:
\(\sigma = \left( {i,{\kern 1pt} {\kern 1pt} \sigma_{m} ,{\kern 1pt} {\kern 1pt} Auth_{d  1} ,{\kern 1pt} {\kern 1pt} Pk_{d  1} , \sigma_{d  2} ,{\kern 1pt} {\kern 1pt} Pk_{d  2} ,{\kern 1pt} Auth_{d  2} ,...,{\kern 1pt} {\kern 1pt} \sigma_{0} ,Pk_{0} ,{\kern 1pt} Auth_{0} } \right)\), where Pk_{i} is the interior public keys per layer, i = 1, …, d.
The verification can be done similarly as the above schemes.

A.
GMSS and XMSS^{MT}
Structural comparison of GMSS and XMSS^{MT} is shown in Table 3.

(a)
GMSS
GMSS is a variant of the Merkle signature presented in 2007 (Buchmann et al. 2007), which allows signing cryptographically unlimited number of messages by using hypertree. It can be seen as an improved version of CMSS proposed in 2006 which just consists of two layers of trees (Buchmann et al. 2006). To sign a message, GMSS uses a hash function to generate its digest, Winternitz OTS as its OTS scheme to sign the message digest and the root of each single subtree expect the top one, Merkle tree to build the interior authentication path in a single tree. For a subtree, the leaf nodes of each Merkle tree are the hash values of concatenation of public keys from the Winternitz OTS onetime signature scheme, whereas the leaf nodes of each XMSStree are the root nodes of each Ltree.
Similar to the construction of XMSS, a PRF F is used in GMSS to iteratively generate the state and key pairs in each Winternitz OTS started from a random initial state SEED. Precisely, GMSS uses the state \(State_{{i{  }1}}\) of the i–1th Winternitz OTS as the index to choose a fixed function \(f_{{State_{i  1} }}\) from the PRF, then uses \(f_{{State_{i  1} }}\) to produce a new state \(State_{i}\) and a new \(SEED_{{OTS_{i} }}\) of the ith Winternitz OTS, and at last uses \(SEED_{{OTS_{i} }}\) to generate the onetime private key sequence sk_{i} of the ith Winternitz OTS. The public key pk_{i} are computed in the same way as that of WOTS on input the corresponding sk_{i}. It has been mentioned above that, the onetime key pair generation in the above way has already been proven to be forwardsecure PRG if the underlying F is a secure PRF.
Remark

1.
Subtree in different layers may have different heights.

2.
Different Subtree may use different Winternitz parameters.

Security Comments
No exact security reduction has been given in Buchmann et al. (2007). As GMSS uses hash function to generate message digest and the leaf nodes of each Merkle tree, security obviously cannot be better than the collision resistance of the underlying hash function. The argument is similar to the above schemes and it is straight forward to obtain the following conclusion that GMSS achieves EUCMA if F is a PRF, the underlying message digest function is collision resistant, and the hash tree function is oneway. The proof is omitted for the sake of brevity.
Furthermore, the GMSS key generation approach fits the construction to generate the forwardsecure signature proposed in Cooper et al. (2019). In consequence, we can extend the security of GMSS as follows: if GMSS is an unforgeable signature scheme and the function F used to generate the onetime keys is a secure PRF, then the GMSS is an unforgeable forwardsecure signature scheme.

(b)
XMSS^{MT}

i.
Construction

Basic Construction
XMSS^{MT}, an abbreviation for XMSS with MultiTree, is the hypertree vision of XMSS which allows signing cryptographically unlimited number of messages purposed in Bernstein et al. (2015). It uses XMSS to build the interior authentication path in a subtree, and Winternitz OTS to sign the root of the subtree by the signature key corresponding to the leaf node on the one layer higher.

Using BDS Algorithm
Particularly, XMSS^{MT} applies the BDS algorithm to make a tradeoff between the signature generation time and the storage cost, which can decrease runtime in the worst case by incomplete calculation of the authentication path at the cost of some additional storage. By doing this, the signature generation time in the worst case reduces from 2^{ h} − 1 to (h − k)/2 computations of leaf and TreeHash, where h denotes the tree height and k is the BDS parameter.

Optimal Parameters Selection
Moreover, optimal parameters for XMSS^{MT}, including the BDS parameters, Winternitz parameters, the number of layers, the tree height and the security level, have been provided by linear optimization, to meet different application requirements towards the key size, key generation time, signature time, signature size, etc. For more details about parameter selection see (Hülsing et al. 2013).

ii.
Security
The security of XMSS^{MT} can be deduced from that of Winternitz OTS and XMSS directly. we omit it for concision.

B.
HSS

(a)
Construction
HSS, an abbreviation for Hierarchical Signature System, is the hypertree version of LMS which allows signing cryptographically unlimited number of messages. In its construction, it uses LMS both to build the interior authentication path in a subtree, and the signature between the subtree. For more details about parameter selection see (McGrew et al. 2019).

(b)
Security
The EUCMA of HSS is based on the EUCMA of LMS, i.e., if the adversary can forgery a valid signature for HSS with negligible probability, implies he can also forgery a valid signature for the LMS with negligible probability. The iteration functions of OTS and hash tree both need to be second preimage resistant as in the LMS.

(3)
Unlimited Number and Stateless
Stateless hashbased signature schemes don’t need key state management to update the signature key any more, i.e., the signature key is chosen pseudorandomly when signing a message. In the consequence, it collides with the probability of k^{−1/2} based on the birthday attack if the OTS schemes are used to sign messages, where k is the signature keys space, i.e., p^{2} signature keys are needed if signing p messages. Therefore, the scale of the whole tree is much larger than that of the same number of messages to be signed in the stateful schemes. Several key issues should be concerned in the design unlimited number and stateless hashbased signature schemes.
Firstly, an efficient algorithm should be used to select the key from the space of all the signature keys randomly or pseudorandomly instead of selecting sequentially by the key state management; in practice, most stateless hashbased signature schemes take the message to be signed as one input of the PRG algorithm to select the key pseudorandomly.
Secondly, hypertree is still the most common approach to construct unlimited number and stateless schemes. A whole tree in a much larger scale needs to be constructed to avoid the key collision in which one key is used twice to sign two messages. As we analyzed in previous section, by using the hypertree in hashbased signatures, only one subtree needs to be computed on each layer, the key generation time reduces exponentially just at the cost of linear increase of the number of signatures between subtrees. Therefore, hypertree is still an extraordinary applicable way in designing unlimited number and stateless schemes, which is similar to the unlimited number and stateful schemes.
Finally, the specific implementation should be efficient enough to make this scheme practical. Several approaches could be used to reduce the storage and computation cost. For instance, at the bottom of the whole tree, FTS schemes are used to sign the messages instead of signing them by OTSs; in terms of generating the subtree in each layer, PRG is used to generate its leaf nodes efficiently with a short seed, instead of producing them randomly, etc.
Similarly, the signature consists of the index of the private key being used, FTS of the message, as well as the signatures and corresponding authentication path of the root public key on each layer.

A.
SPHINCS
SPHINCS schemes purposed in 2015 is the first practical stateless hashbased signature with practical performance (Bernstein et al. 2015); moreover, its security is given in the standard model instead of the random oracle.

(a)
Idea
SPHINCS can be viewed as the combination of pseudorandom signature key chosen algorithm, Horst FTS, and XMSS^{MT}. The whole structure can be viewed as a hypertree of height h with d layers of subtree of height (h + 1)/d1, PRG and PRF are used to generate the private keys and select them pseudorandomly to sign the message. XMSS^{MT} is used to sign the root nodes of the subtree, Horst is used on the bottom layer to sign the message directly.

(b)
Construction
In this section, we introduce the construction of SPHINCS by explaining how it solves the several key issues in the stateless hashbased signature.
Firstly, to solve the matter of selecting the signature key (pseudo)randomly, SPHINCS uses a hash function H: {0, 1}^{2n} → {0, 1}^{n} and a PRF F:{0, 1}^{n} × {0, 1}^{*} → {0, 1}^{2n} to generate the index IDX of Horst signature key on input the message m as follows.
Choose two private key sk_{rand}, sk_{SEED} uniformly at randomly from {0, 1}^{n};
Calculate
where prefix_{a, b} (x) denotes the bit substring of x from the ath bit to bth bit counted from left to right Starting with 1; IDX and prefix_{1, n} (Rand) are parts of the final signature.
Secondly, SPHINCS uses XMSS^{MT} as its hypertree scheme, i.e., the root of each subtree is signed by the WOTS + key pairs of the trees one layer higher, each subtree is constructed using XMSS excepting the subtree on the bottom layer whose leaf nodes used to authenticate the signature of message are generated by Horst FTS.
Finally, two main approaches are used in SPHINCS to achieve more efficient and practical. On one hand, the FTS scheme Hors is used instead of OTSs to sign the messages. Moreover, in order to reduce the public key size of Hors and the combined signature size, an improved scheme Horst, which is the abbreviation for Hors with tree, is used in SPHINCS for further compressing public key. Concretely, a single primary tree is used to compress t components in one Horst public key to one Horst root. As a result, a Horst signature consists of k signature keys and the related authentication paths, one for each. Horst reduces the public key size by increasing authentication paths in the signature. Particularly, an optimization technique is used in generating Horst authentication path to make the combined size of signature and public key minimum. On the other hand, SPHINCS uses an address algorithm, to allocate a unique address ADRS for each node in the whole tree which is set to different values to indicate OTS address, Horst address, Ltree address, and subtree address respectively. Then the PRF F is used to generate the seed of private key on input of the ADRS address in Hors or WOTS + and private key sk_{SEED}, then PRG G will be used to generate the Horst or WOTS + private key sequence K_{Horst or WOTS+,1}, K_{Horst or WOTS+,2}, …, K_{Horst or WOTS+, t} where n is polynomial in security parameter, i.e.,

(c)
Security
SPHINCS is EUCMA under the following condition: the iteration function used in WOTS + is second preimage resistant and undetectable oneway, the hash function used to generate authentication path is second preimage resistant, PRG and PRF used are secure pseudorandom and the underlying function to generate the Horst signature is subsetresilient. Furthermore, SPHINCS256 achieves 128bit security against quantum attack.

(d)
Performance
SPHINCS256 instantiated with BLAKE256, BLAKE512, CHACHA etc., generating a signature of a short message takes around 51 M cycles on a single core while hashing throughput is 1.6 cycles per byte, and can generate 200 signatures per second on a 4core 3.5 GHz Intel CPU, with size of 41 KB, public keys size of 1 KB and private key size of 1 KB, which makes it practical in application.

B.
SPHINCS +
SPHINCS + is an improved version of SHINCS and purposed in 2017 (Aumasson and Endignoux 2017, 2018; Bernstein et al. 2017, 2019), the following improvements have been made compared with SHINCS: firstly, Hors is replaced by Fors, which has been introduced in "Typical schemes" section. Fors is designed in such a way that k elements are selected from k sets instead one, to solve the weak message problem in which the same indices of the message digests yield the same elements in the signature; secondly, tweakable hash is utilized to achieve multifucntion multitarget attack resistant, different bitmask and function key are applied to each evaluation of the underlying hash function; finally, all the components in one WOTS + public key are compressed by one call of tweakable hash instead of Ltree. Though these improvements, SPHINCS + reduces the signature size dramatically, and becomes one of the eight candidate algorithms in the third round PQC standardization process.
Alike SPHINCS, SPHINCS + can be considered as the combination of pseudorandom signature key chosen algorithm, XMSS^{MT} of the version in RFC8391, along with Fors FTS. Similarly, the whole structure also can be viewed as a hypertree with d layers of subtree, XMSS^{MT} is used to sign the immediate nodes in the hypertree, excepting that Fors is used on the bottom layer to sign the messages directly. PRG and PRF are used to generate the private keys and select them pseudorandomly to sign the message. Specially, tweakable hash functions mentioned in “Typical schemes” section are used in many components of SPHINCS +, such as the iteration functions, the public keys compression, etc., to make each call of the hash function is independent with each other, so as to prevent the multifunction multitarget attack.
We also introduce the construction of SPHINCS + by explaining how it solves the key issues in the stateless hashbased signature; moreover, the main improvement of SPHINCS + compared with SPHINCS will be included in this section as well.
Firstly, in order to achieve stateless, SPHINCS + uses a hash function H and a PRF F to generate the message digest and the index Idx of the Fors signature key on input the message m and a pair of public parameters PK.seed and PK.root which separately denote the public seed and overall root:
Choose private key sk_{rand} (pseudo)randomly;
Calculate Rand = F (sk_{rand}, R, m) and make it public;
where R is set to zero by default, and also can be generated (pseudo)randomly.
Compared with the index selection algorithm of Horst in SPHINCS, which uses private key as part of input and cannot be verified, the adversary can attack SPHINCS by evaluating index randomly, computing the related message digest, and then checking if the private keys of Horst used to sign this message have already been revealed in previous signatures; and if yes, the adversary forges the signature successfully. It will not happen in SPHINCS + as all the input parameters used to generate the index are public and can be verified. Therefore, it is not needed to contain the index in signature of SPHINCS + anymore.
Secondly, for the hypertree, SPHINCS + also uses XMSS^{MT} as its hypertree scheme, excepting the subtree on the bottom layer are generated using Fors FTS.
Finally, several approaches are adopted by SPHINCS + to reduce the signature size, and to make the whole scheme more efficient and practical.
On the first place, the Fors is used in SPHINCS + instead of Hors. For Hors which is the most principal component of Horst, its underlying subsetresilience problem has been proven to be insecure against adaptive attacks; furthermore, Hors pseudorandomly selects k elements from the set of t elements, and the distribution of the selected k elements should be as uniform as possible, but in fact, some weak messages will map the digest into a smaller space, which makes it easier to be attacked. Fors, the abbreviation of forest of random subsets, selects k elements from t sets rather than one, and compress each set using a subtree; finally, uses a tweakle hash function to compress the k toot nodes to construct an overall public key for one Fors instance.
Security comparison
In this section, we analyze and compare the security assumptions of underlying function of hash tree and reduction model required in these specific hashbased signature schemes, the relevant conclusions are shown in Table 4.
For all the hashbased signature schemes mentioned above, we do not consider the security assumptions of underlying function required in key generation. In terms of stateful signature schemes, we only discuss the security assumptions of underlying functions used in constructing hash tree. In terms of the stateless signature scheme, we consider not only that in constructing hash tree, but security assumptions of the underlying function related to pseudorandom key selection. H in the table above denotes the underlying function used to generate parent node in hash tree, other representations are defined in the specific schemes. Among the above conclusions, CR, SPR, PQ, MM, RO denote collision resistant, second preimage resistant, postquantum, multifunction and multitarget, random oracle, separately. The security of CR, SPR, PRF decreases in turn, MMSPR has the same security level with standard SPR against classical and quantum attacks.
In practice, we expect to design the hashbased signature scheme with the security assumption of underling function as weak as possible. Only consider the required security of underlying function in hash tree, under the same security level, the output length of the above SPRbased signature algorithm is halved compared with CRbased one. In addition, the proof given in standard model is more convincing than that of RO.
Conclusion
In this paper, firstly, we discuss the research progress in the component hashbased signature, i.e., OTS and FTS, then classify the treebased public key authentication schemes of hashbased signature into limited number and stateful schemes, unlimited number and stateful schemes and unlimited number and stateless schemes, to analyze the overall design idea of different categories of hashbased signatures, as well as the construction, security reduction and performance of specific schemes. Due to the better performance of stateful hashbased schemes, they are more widely accepted and become standards in practice, such as the XMSS and XMSS^{MT} are specified by IETF in RFC8391, whereas LMS in RFC8554. However, in the standardization of post standard quantum cryptography algorithms, stateless hashbased signature, which is more in line with the core of digital signature primitive, has attracted more interest in both research and application. The research of the stateful and stateless hashbased signature parallel needs to be carried out parallelly and cannot be replaced with each other. The specification of stateful schemes is more conducive to its application in industry; however, in scenarios that do not support key management, stateless schemes is the necessary choice.
Availability of data and materials
Not applicable.
References
Aumasson JP, Endignoux G (2017) Gravity SPHINCS, A submission to the NIST standardization project on postquantum cryptography. https://github.com/gravitypostquantum/gravitysphincs. Accessed 09 Jan 2018
Aumasson JP, Endignoux G (2018) Improving stateless hashbased signatures. In: Cryptographers’ track at the RSA conference. Springer, Cham, pp 219–242
Bellare M, Miner SK (1999) A forwardsecure digital signature scheme. In: Annual international cryptology conference. Springer, Berlin, pp 431–448
Bennett CH (1992) Quantum cryptography using any two nonorthogonal states. Phys Rev Lett 68(21):3121
Bennett CH, Bessette F, Brassard G et al (1992) Experimental quantum cryptography. J Cryptol 5(1):3–28
Bergadano F, Cavagnino D, Crispo B (2002) Individual authentication in multiparty communications. Comput Secur 21(8):719–735
Berman P, Karpinski M, Nekrich Y (2007) Optimal tradeoff for Merkle tree traversal. Theoret Comput Sci 372(1):26–36
Bernstein DJ (2009) Introduction to postquantum cryptography//Postquantum cryptography. Springer, Berlin, pp 1–14
Bernstein DJ, Hopwood D, Hülsing A et al (2015) Sphincs: practical stateless hashbased signatures. In: Annual international conference on the theory and applications of cryptographic techniques. Springer, pp 368–397
Bernstein DJ, Dobraunig C, Eichlseder M et al (2017) SPHINCS+, A submission to the NIST standardization project on postquantum cryptography. https://sphincs.org/. Accessed 09 Jan 2018
Bernstein DJ, Hülsing A, Kölbl S et al (2019) The SPHINCS+ signature framework. In: Proceedings of the 2019 ACM SIGSAC conference on computer and communications security, pp 2129–2146
Black J, Rogaway P, Shrimpton T (2002) Blackbox analysis of the blockcipherbased hashfunction constructions from PGV. In: Advances in cryptology—CRYPTO 2002, California, USA
Bleichenbacher D, Maurer UM (1994) Directed acyclic graphs, oneway functions and digital signatures. In: Advances in cryptology—CRYPTO ’94, volume 839 of lecture notes in computer science, pp 75–82
Brassard G, Lütkenhaus N, Mor T et al (2000) Limitations on practical quantum cryptography. Phys Rev Lett 85(6):1330
Buchmann J, García LCC, Dahmen E et al (2006) CMSS—an improved Merkle signature scheme. In: International conference on cryptology in India. Springer, pp 349–363
Buchmann J, Dahmen E, Klintsevich E et al (2007) Merkle signatures with virtually unlimited signature capacity. In: International conference on applied cryptography and network security. Springer, Berlin, pp 31–45
Buchmann J, Dahmen E, Schneider M (2008) Merkle tree traversal revisited. In: International workshop on postquantum cryptography. Springer, Berlin, pp 63–78
Buchmann J, Dahmen E, Ereth S et al (2011a) On the security of the Winternitz onetime signature scheme. In: International conference on cryptology in Africa. Springer, Berlin, pp 363–378
Buchmann J, Dahmen E, Hülsing A (2011b) Xmssa practical forward secure signature scheme based on minimal security assumptions. In: International workshop on postquantum cryptography. Springer, pp 117–129
Buldas A, Laanoja R, Truu A (2017) A serverassisted hashbased signature scheme. In: Nordic conference on secure IT systems. Springer, Cham, pp 3–17
Buldas A, Laanoja R, Truu A (2018) A blockchainassisted hashbased signature scheme. In: Nordic conference on secure IT systems. Springer, Cham, pp. 138–153
Cooper D, Apon D, Dang Q, et al (2019) Recommendation for stateful hashbased signature schemes. draft NIST Special Publication 800–208. NIST. SP, pp 800–208
Coppersmith D, Jakobsson M (2002) Almost optimal hash sequence traversal. In: International conference on financial cryptography. Springer, Berlin, pp 102–119
Coron JS, Dodis Y, Malinaud C et al (2005) MerkleDamgård revisited: how to construct a hash function. In: Annual international cryptology conference. Springer, Berlin, pp 430–448
Damgård I (1989) A design principle for hash functions. In: Crypto ’89. LNCS No. 435, pp 416–427
Dods C, Smart NP, Stam M (2005) Hash based digital signature schemes. In: IMA international conference on cryptography and coding. Springer, Berlin, pp 96–115
Eaton E (2017) LeightonMicali hashbased signatures in the quantum randomoracle model. In: International conference on selected areas in cryptography. Springer, Cham, pp 263–280
Ekert AK (1991) Quantum cryptography based on Bell’s theorem. Phys Rev Lett 67(6):661
ElGamal T (1985) A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans Inf Theory 31(4):469–472
Even S, Goldreich O, Micali S (1996) Online/offline digital signatures. In: 1996 International association for cryptologic research
Gisin N, Ribordy G, Tittel W et al (2002) Quantum cryptography. Rev Mod Phys 74(1):145
Goldwasser S, Micali S, Rivest RL (1988) A digital signature scheme secure against adaptive chosenmessage attacks. SIAM J Comput 17(2):281–308
Gröblacher S, Jennewein T, Vaziri A et al (2006) Experimental quantum cryptography with qutrits. New J Phys 8(5):75
Halevi S, Krawczyk H (2006) Strengthening digital signatures via randomized hashing. In: CRYPTO 06
Hülsing A (2013) WOTS+–shorter signatures for hashbased signature schemes. In: International conference on cryptology in Africa. Springer, Berlin, pp 173–188
Hülsing A, Rausch L, Buchmann J (2013) Optimal parameters for XMSS^{MT}. In: International conference on availability, reliability, and security. Springer, pp 194–208
Hülsing A, Rijneveld J, Song F (2016) Mitigating multitarget attacks in hashbased signatures. In: Publickey cryptography–PKC 2016. Springer, Berlin, pp 387–416
Hülsing A, Butin D, Gazdag S, Rijneveld J, Mohaisen A (2018) RFC8391XMSS: eXtended hashbased signatures. RFC 8391, RFC Editor
Jakobsson M (2002) Fractal hash sequence representation and traversal. In: Proceedings IEEE international symposium on information theory. IEEE, p 437
Jakobsson M, Leighton T, Micali S et al (2003) Fractal Merkle tree representation and traversal. In: Cryptographers’ track at the RSA conference. Springer, Berlin, pp 314–326
Kampanakis P, Fluhrer SR (2017) Lms vs xmss: a comparison of the stateful hashbased signature proposed standards. IACR Cryptology ePrint Archive
Katz J (2016) Analysis of a proposed hashbased signature standard. In: International conference on research in security standardisation. Springer, pp 261–273
Knecht M, Meier W, Nicola CU (2014) A spaceand timeefficient Implementation of the Merkle Tree Traversal Algorithm. arXiv:1409.4081
Krawczyk H (2000) Simple forwardsecure signatures from any signature scheme. In: Proceedings of the 7th ACM conference on computer and communications security, pp 108–115
Lamport L (1979) Constructing digital signatures from a oneway function. Technical Report CSL98, SRI International Palo Alto
Leighton FT, Micali A (1995) Large provably fast and secure digital signature schemes based on secure hash functions. US Patent 5,432,852
McGrew D, Curcio M, Fluhrer S (2019) LeightonMicali hashbased signatures. RFC 8554, IRTF
Menezes AJ, Van Oorschot PC, Vanstone SA (2018) Handbook of applied cryptography. CRC Press, Boca Raton
Merkle RC (1979a) Secrecy, authentication, and public key systems. Stanford University, Stanford
Merkle RC (1979b) Secrecy, “Authentication and public key systems”. Ph.D. Thesis, Stanford
Merkle RC (1989) A certified digital signature. In: Conference on the theory and application of cryptology. Springer, New York, pp 218–238
Naor D, Shenhav A, Wool A (2005) Onetime signatures revisited: Have they become practical? IACR Cryptol. ePrint Arch
Naor D, Shenhav A, Wool A (2006) Onetime signatures revisited: practical fast signatures using fractal merkle tree traversal. In: 2006 IEEE 24th convention of electrical and electronics engineers in Israel. IEEE, pp 255–259
Perrig A (2001) The BiBa onetime signature and broadcast authentication protocol. In: Proceedings of the 8th ACM conference on computer and communications security, pp 28–37
Perrig A, Canetti R, Song D et al (2001) Efficient and secure source authentication for multicast. In: Network and distributed system security symposium, NDSS, vol 1, pp 35–46
Perrig A, Canetti R, Tygar JD et al (2002) The TESLA broadcast authentication protocol. RSA Cryptobytes 5(2):2–13
Preneel B, Govaerts R, Vandewalle J (1993) Hash functions based on block ciphers: a synthetic approach. In: Advances in cryptology—CRYPTO ’93. Santa Barbara, California, USA
Reyzin L, Reyzin N (2002) Better than BiBa: short onetime signatures with fast signing and verifying. In: Australasian conference on information security and privacy. Springer, pp 144–153
Rivest RL, Shamir A, Adleman L (1978) A method for obtaining digital signatures and publickey cryptosystems. Commun ACM 21(2):120–126
Rogaway P, Shrimpton T (2004) Cryptographic hashfunction basics: definitions, implications, and separations for preimage resistance, secondpreimage resistance, and collision resistance. In: International workshop on fast software encryption. Springer, Berlin, pp 371–388
Sella Y (2003) On the computationstorage tradeoffs of hash chain traversal. In: International conference on financial cryptography. Springer, Berlin, pp 270–285
Shor PW (1999) Polynomialtime algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev 41(2):303–332
Acknowledgements
Not applicable.
Funding
This work is supported by National Natural Science Foundation of China (No. 61972391).
Author information
Authors and Affiliations
Contributions
The first author completed the main work of the paper and drafted the manuscript. The second and third authors participated in problem discussions and improvements of the manuscript. All authors read and approved the final manuscript.
Corresponding author
Ethics declarations
Competing interests
The authors declare that they have no competing interests.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Li, L., Lu, X. & Wang, K. Hashbased signature revisited. Cybersecurity 5, 13 (2022). https://doi.org/10.1186/s4240002200117w
Received:
Accepted:
Published:
DOI: https://doi.org/10.1186/s4240002200117w