Security and Communication Networks

Volume 2018, Article ID 1452457, 12 pages

https://doi.org/10.1155/2018/1452457

## Winternitz Signature Scheme Using Nonadjacent Forms

National Security Research Institute, Daejeon, Republic of Korea

Correspondence should be addressed to Dongyoung Roh; dyroh@nsr.re.kr

Received 22 December 2017; Revised 13 March 2018; Accepted 18 April 2018; Published 21 June 2018

Academic Editor: Kiseon Kim

Copyright © 2018 Dongyoung Roh et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Hash-based signatures, along with lattice-based, multivariate, and code-based signatures, are gaining attention as alternatives to current digital signatures, which are not secure against attacks by quantum computers. Up to now, all hash-based signatures have used binary representations to generate signatures. In this paper, we propose using the nonadjacent form (NAF) when generating signatures in hash-based signatures. Concretely, we propose a hash-based signature scheme, WSS-N, which is obtained by applying the NAF to the Winternitz signature scheme. We prove that WSS-N is existentially unforgeable under chosen message attacks in the standard model. We also show that WSS-N needs fewer hash function calls than the Winternitz signature scheme using the binary representation, WSS-B. For a specific parameter with 256-bit security, WSS-N generates signatures faster than WSS-B by 8%. Finally, we implement both WSS-N and WSS-B and show that WSS-N generates signatures faster than WSS-B on a desktop computer.

#### 1. Introduction

Recent research progress on quantum computers has brought postquantum cryptography to the forefront to protect against attacks by quantum computers. Once quantum computers are developed, most modern cryptographic systems will become insecure. In particular, this would cause catastrophic damage to public key cryptography. Most modern public key cryptographic algorithms are secure under the assumption that the integer factorization and discrete logarithm problems are computationally infeasible. However, quantum computers can solve these problems in polynomial time using Shor’s algorithm [1]. Therefore, the advent of quantum computers will make modern public key cryptographic systems insecure.

In this situation, the cryptographic community has been spurred to develop postquantum cryptography. The NIST (National Institute of Standards and Technology) started a process to standardize postquantum cryptographic algorithms. Moreover, the NSA (National Security Agency) has announced preliminary plans for transitioning the algorithms approved for protecting the classified and unclassified national security systems of the United States to quantum-resistant algorithms.

The leading fields of postquantum cryptography are lattice-based cryptography, code-based cryptography, multivariate cryptography, and hash-based digital signatures. In this paper, we propose a new technique that could increase the efficiency of hash-based digital signatures. Hash-based digital signatures are slower than digital signatures that are based on lattices, codes, and multivariate polynomials. However, hash-based digital signatures provide stronger security guarantees than those of the other categories because they are secure under only one assumption: that the underlying hash functions are secure. Therefore, hash-based signatures are considered to be the most promising alternative in the short term. Hash-based digital signatures have been researched continuously since the Lamport digital signature [2], with later schemes such as LMS [3] and SPHINCS [4].

Up to now, all hash-based digital signatures have used binary representations to generate signatures. In this paper, we propose using the nonadjacent form (NAF) representation when generating signatures. Specifically, this paper proposes WSS-N by applying the NAF to W-OTS+ [5]. W-OTS+ is a Winternitz-type one-time signature scheme [6] that was proposed by Hülsing in 2013. (The Winternitz signature is a one-time digital signature that can be used as a component of recent hash-based digital signatures that are capable of signing many messages. In particular, the Winternitz signature is used as a building block of XMSS, SPHINCS, etc.) W-OTS+ reduces the signature size more than previous Winternitz-type one-time signature schemes and is proven to be strongly unforgeable under chosen message attacks in the standard model.

We prove that WSS-N is existentially unforgeable under adaptive chosen message attacks if the hash function family used is second preimage-resistant, undetectable, and one-way. We also analyze the performance of WSS-N and compare it with WSS-B.

The NAF uses the signed digits 0, 1, and −1, while the binary representation uses the bits 0 and 1. While the binary representation has a uniform distribution, the NAF representation has a biased distribution. This bias makes the Winternitz signature scheme require fewer hash function calls when generating a signature. For a specific parameter with 256-bit security, the Winternitz signature using the NAF requires 8% fewer hash function calls (and thus generates signatures 8% faster) than that using the binary representation. However, the key generation and signature verification times of the Winternitz signature using the NAF become longer than those using the binary representation. We analyzed these trade-offs in detail.
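The following added example (not code from the paper) illustrates the digit-distribution claim above: it converts constructed SHA-256 digests to NAF, checks the nonadjacency property, and compares digit frequencies with the binary representation. It does not implement WSS-N itself, whose mapping from digits to hash chains is not described in this section; the helper names `naf`, `from_digits`, `is_nonadjacent`, and `digit_frequencies` are assumptions of the example.

```python
import hashlib
from collections import Counter

def naf(n):
    """Return the NAF digits of n >= 0, least significant first (digits in {-1, 0, 1})."""
    digits = []
    while n > 0:
        if n & 1:
            d = 2 - (n & 3)      # n mod 4 == 1 -> +1, n mod 4 == 3 -> -1
            n -= d               # n is now divisible by 4, so the next digit is 0
        else:
            d = 0
        digits.append(d)
        n >>= 1
    return digits

def from_digits(digits):
    """Rebuild the integer from signed digits (least significant first)."""
    return sum(d << i for i, d in enumerate(digits))

def is_nonadjacent(digits):
    """True if no two neighbouring digits are both nonzero."""
    return all(a == 0 or b == 0 for a, b in zip(digits, digits[1:]))

def digit_frequencies(samples=2000, bits=256):
    """Digit frequencies over constructed SHA-256 digests: (binary, NAF)."""
    binary, signed = Counter(), Counter()
    for i in range(samples):
        # Constructed sample input: digests of fixed, made-up messages.
        h = int.from_bytes(hashlib.sha256(b"constructed message %d" % i).digest(), "big")
        binary.update((h >> k) & 1 for k in range(bits))
        d = naf(h)
        d += [0] * (bits + 1 - len(d))   # a 256-bit value needs at most 257 NAF digits
        signed.update(d)
    norm = lambda c: {k: v / sum(c.values()) for k, v in c.items()}
    return norm(binary), norm(signed)

if __name__ == "__main__":
    print("NAF(7), LSB first:", naf(7))  # 7 = 8 - 1
    b, s = digit_frequencies()
    print("binary:", {k: round(v, 3) for k, v in sorted(b.items())})
    print("NAF   :", {k: round(v, 3) for k, v in sorted(s.items())})
```

Binary digits of a hash output split roughly evenly between 0 and 1, whereas about two thirds of NAF digits are 0 and the rest split between 1 and −1; this is the bias the paragraph above refers to.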

Figure 1 gives the intuition for why WSS-N shows better signature generation performance than WSS-B. Concretely, the graph shows the number of blocks by the number of hash function calls when WSS-B and WSS-N, each having a hashed message length of 256 bits and a block length of 4 bits, generate a signature. That is, the point of the graph means that when WSS-B or WSS-N generates signatures for hashed messages, the total number of blocks that call the hash function times is . In addition, the blue and red vertical dotted lines of the graph represent the number of hash function evaluations that each block calls on average when WSS-B and WSS-N generate signatures, respectively. As can be seen from the graph, the maximum number of hash function calls of a WSS-N block is larger than that of WSS-B. However, in the case of WSS-N, since the number of blocks making a small number of hash function calls is larger than that of WSS-B, on average, WSS-N requires fewer hash function calls than WSS-B. So, WSS-N generates signatures faster than WSS-B on average.