Winternitz Signature Scheme Using Nonadjacent Forms
Hash-based signatures are gaining attention, along with lattice-based, multivariate, and code-based signatures, as one of the alternatives that can replace current digital signatures, which are not secure against attacks by quantum computers. Up to now, all hash-based signatures have used binary representations to generate signatures. In this paper, we propose using the nonadjacent form (NAF) when generating signatures in hash-based signatures. Concretely, we propose a hash-based signature scheme, WSS-N, which is obtained by applying the nonadjacent form (NAF) to the Winternitz signature scheme. We prove that WSS-N is existentially unforgeable under chosen message attacks in the standard model, and we show that WSS-N needs fewer hash function calls than the Winternitz signature scheme using the binary representation, WSS-B. For a specific parameter set with 256-bit security, WSS-N generates signatures 8% faster than WSS-B. Finally, we implement both WSS-N and WSS-B and show that WSS-N generates signatures faster than WSS-B on a desktop computer.
Recent research progress on quantum computers has brought postquantum cryptography to the forefront as a means of protecting against attacks by quantum computers. Once quantum computers are developed, most modern cryptographic systems will become insecure. In particular, public key cryptography would suffer catastrophic damage. Most modern public key cryptographic algorithms are secure under the assumption that integer factorization and the discrete logarithm problem are computationally infeasible. However, quantum computers can solve these problems in polynomial time using Shor's algorithm. Therefore, the advent of quantum computers will make modern public key cryptographic systems insecure.
In this situation, the cryptographic community has been spurred to develop postquantum cryptography. NIST (the National Institute of Standards and Technology) has started a process to standardize postquantum cryptographic algorithms. Moreover, the NSA (National Security Agency) has announced preliminary plans for transitioning the algorithms approved for protecting the classified and unclassified national security systems of the United States to quantum-resistant algorithms.
The leading fields of postquantum cryptography are lattice-based cryptography, code-based cryptography, multivariate cryptography, and hash-based digital signatures. In this paper, we propose a new technique that can increase the efficiency of hash-based digital signatures. Hash-based digital signatures are slower than digital signatures based on lattices, codes, and multivariate polynomials. However, hash-based digital signatures provide stronger security guarantees than the other categories, because they are secure under only one assumption: that the underlying hash functions are secure. Therefore, hash-based signatures are considered the most promising alternative in the short term. Hash-based digital signatures have been researched continuously since the Lamport digital signature, with schemes such as LMS and SPHINCS.
To date, all hash-based digital signatures have used binary representations to generate signatures. In this paper, we propose using the nonadjacent form (NAF) representation when generating signatures. Specifically, this paper proposes WSS-N by applying the NAF to W-OTS+, a Winternitz-type one-time signature scheme proposed by Hülsing in 2013. (The Winternitz signature is a one-time digital signature that can be used as a component of recent hash-based digital signatures capable of signing many messages; in particular, it is used as a building block of XMSS, SPHINCS, etc.) W-OTS+ reduces the signature size compared to previous Winternitz-type one-time signature schemes and is proven to be strongly unforgeable under chosen message attacks in the standard model.
We prove that WSS-N is existentially unforgeable under adaptive chosen message attacks if the hash function family used is second preimage-resistant, undetectable, and one-way. We also analyze the performance of WSS-N and compare it with WSS-B.
The NAF uses the signed digits 0, 1, and −1, while the binary representation uses the bits 0 and 1. Whereas the digits of the binary representation are uniformly distributed, the digits of the NAF representation have a biased distribution. This makes the Winternitz signature scheme require fewer hash function calls when generating a signature. For a specific parameter set with 256-bit security, the Winternitz signature using the NAF requires 8% fewer hash function calls (and thus generates signatures 8% faster) than the one using the binary representation. However, the key generation and signature verification times of the Winternitz signature using the NAF become longer than those of the binary version. We analyze these trade-offs in detail.
Figure 1 gives the intuition for why WSS-N generates signatures faster than WSS-B. Concretely, the graph plots the number of blocks against the number of hash function calls when WSS-B and WSS-N, each with a hashed message length of 256 bits and a block length of 4 bits, generate a signature. That is, a point of the graph means that when WSS-B or WSS-N generates signatures for hashed messages, the total number of blocks that call the hash function times is . In addition, the blue and red vertical dotted lines represent the number of hash function evaluations that each block calls on average when WSS-B and WSS-N generate signatures, respectively. As can be seen from the graph, the maximum number of hash function calls of a WSS-N block is larger than that of WSS-B. However, since WSS-N has more blocks that make a small number of hash function calls than WSS-B does, WSS-N requires fewer hash function calls than WSS-B on average. So, WSS-N generates signatures faster than WSS-B on average.
Now let us look at the usage and the meaning of WSS-N. Basically, WSS-N can be used when signature generation time is more important than key generation time. Generally, the bottleneck of a one-time digital signature is not the signature generation time but the key generation time, yet there are certainly situations where the signature generation time is more critical. Devices that sense events that do not happen frequently but need a quick response, such as seismic sensors, fire sensors, and so forth, should generate a signature as soon as possible when an event occurs. They can generate a key pair during the waiting time. Also, in situations where measurement data must be sent on a regular basis (e.g., every 5 minutes), a key pair can be generated between measurements while waiting for the next signature generation. Note that efforts to reduce signature generation time have been around for a long time [7, 8]. The most important contribution of the paper is that it shows that a numeral system other than the binary representation can provide better performance.
The rest of this paper is organized as follows. Section 2 presents some preliminaries. In Section 3, the properties of the NAF that are required to analyze the efficiency of the Winternitz signature using the NAF are given and proven. In Section 4, we present WSS-N, the Winternitz signature using the NAF, and prove that it is existentially unforgeable under chosen message attacks in the standard model. We compare the efficiency of the Winternitz signatures using the NAF and the binary representation in Section 5. And we give implementation results comparing WSS-N and WSS-B in Section 6. Finally, we conclude the paper in Section 7.
This section gives some notation and formal definitions. We follow the notation of . From now on, the notation means that is chosen from the set uniformly at random. We denote by the uniform distribution over . We follow the definition of a digital signature scheme in . Let denote a signature scheme with a security parameter . We also adopt the definitions of the EU-CMA security of and in .
Using this, we define EU-CMA in the following way.
Definition 1 (EU-CMA ). Let be a digital signature scheme with a security parameter . is -existentially unforgeable under an adaptive chosen message attack if , the maximum success probability of all possibly probabilistic -time adversaries making at most queries to Sign in the above experiment, is at most ;
WSS-N uses a family of functions with a key space . It can be viewed as a cryptographic hash function family that is noncompressing. Using , we define the following chaining function.
For , given a value , an iteration counter , a key , and randomization elements with , the chaining function works in the following way. In case , returns . For , we define recursively as The subset of is denoted by . When , we define to be the empty string. The function family is assumed to be publicly known.
Throughout the paper, we measure all runtimes by counting the number of the evaluations of elements from . In what follows, we use the (distinguishing) advantage of an adversary .
Functions . We use three properties of families of functions. The first two are the one-wayness and the second preimage resistance of the family ; the success probabilities of adversaries against them are defined as and .
To define the other property, undetectability, consider the two distributions, and , over . A sample from is obtained by sampling and . A sample from is obtained by sampling and then evaluating on a uniformly random -bit string, that is, . The advantage of an adversary against the undetectability of is as follows: Using this, we define the undetectability as follows.
Definition 2 (undetectability (UD) ). Let and be a family of functions as described above. is -undetectable if the advantage of any -time adversary against the undetectability of is at most :
Now we provide some more notation and formal definitions regarding the NAF. First, we give the formal definition of the NAF and related definitions that are useful to describe our results.
Definition 3. Let be an integer. A signed binary representation of is an equation of the form , where for all . A signed binary representation of an integer is said to be in nonadjacent form if no two consecutive 's are nonzero. Such a representation is called a NAF representation.
Note that the NAF representation of an integer is unique.
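As an added illustration (not code from the paper), the following Python computes the NAF of Definition 3 with the standard digit-selection rule, checks the nonadjacency property and the round trip back to the integer over a range of values, and measures the bias referred to in the introduction: the average number of nonzero digits over all 8-bit values for the binary representation versus the NAF. It also shows that the NAF of an m-bit value may need m + 1 digits.

```python
def naf(n):
    # Nonadjacent form of a nonnegative integer, least significant digit first.
    # When n is odd, choose the digit d in {1, -1} that makes n - d divisible by 4;
    # after the shift the next digit is then forced to be 0, which is exactly the
    # nonadjacency property. Each step is determined, so the NAF is unique.
    assert n >= 0
    digits = []
    while n > 0:
        if n & 1:
            d = 2 - (n & 3)      # n mod 4 == 1 -> d = 1,  n mod 4 == 3 -> d = -1
            n -= d
        else:
            d = 0
        digits.append(d)
        n >>= 1
    return digits


def value(digits):
    # Evaluate a signed binary representation: sum of d_i * 2^i.
    return sum(d << i for i, d in enumerate(digits))


def is_naf(digits):
    # Digits in {-1, 0, 1} and no two consecutive nonzero digits.
    in_range = all(d in (-1, 0, 1) for d in digits)
    adjacent = any(digits[i] != 0 and digits[i + 1] != 0 for i in range(len(digits) - 1))
    return in_range and not adjacent


def average_weight(bits):
    # Average number of nonzero digits over all `bits`-bit values, for the binary
    # representation and for the NAF. The NAF's digits are biased toward 0 (about
    # one third of the positions are nonzero, versus one half for binary).
    count = 1 << bits
    total_bin = sum(bin(v).count("1") for v in range(count))
    total_naf = sum(sum(1 for d in naf(v) if d != 0) for v in range(count))
    return total_bin / count, total_naf / count


def max_naf_length(bits):
    # A `bits`-bit value can need bits + 1 NAF digits (e.g. 255 = 2^8 - 1).
    return max(len(naf(v)) for v in range(1 << bits))
```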
Definition 4. Let be a set of all the NAFs, which consists of signed digits and for . And let and . Furthermore, let and .
Proposition 5 shows the explicit formula for and a recurrence relation of .
Proposition 5. For an integer , and .
The functions defined in the following definition give an order on .
Definition 6. We define five functions on which give orders on .
(1) Let be an injective function such that
(2) Let be a bijective function such that if , where .
(3) Let be a bijective function such that for .
(4) Let be an injective function such that for .
(5) Let be an injective function such that for .
3. Properties of the NAF
In this section, we give some properties of the NAF. They will have a crucial role in analyzing the efficiency of WSS-N.
Let and be positive integers such that divides . For , let be the NAF of . Here, we assume that is always equal to 0. And let
(i) for and ;
(ii) for and
We compute the numbers of the elements in and for all and . First, the numbers of the elements in and are as follows.
Lemma 7. For all , (1)(2)
Proof. First, suppose that . Because should be 0 for , . Additionally, because and for , .
Next, suppose that . If there is an element in , should be 0. Then represents a negative integer. This contradicts our assumption. Hence, . In the same manner, we can see that .
We are now in a position to calculate the numbers of the elements in and for all and .
Theorem 8. For all and , (1)(2)
Proof. See Appendix A.
4. Winternitz Signature Scheme Using the NAF
In this section, we propose WSS-N, a Winternitz signature scheme that uses the NAF representation. WSS-N is parameterized by the security parameter , the message length , and the Winternitz parameter . And let Algorithms 1–3 describe the key generation, signature generation, and signature verification algorithms of WSS-N.
Note that distinct messages yield distinct values and that the checksum guarantees that, given corresponding to one message, the corresponding to any other message includes at least one such that .
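Added example, not the authors' code: a compact W-OTS+-style one-time signature over 4-bit binary blocks, i.e. the WSS-B baseline the paper compares against, built from the chaining function of Section 2 (each step XORs the next randomization element r_i and applies f_k) and the checksum whose property the paragraph above describes. It assumes f_k is SHA-256 over k||x truncated to n bytes, counts f evaluations as the paper does for runtime, and does not reproduce the NAF-specific block ordering of WSS-N (Definition 6), since Algorithms 1–3 are not given on this page.

```python
import hashlib
import os

N = 32            # n: output length of f_k in bytes (256-bit security level, as in Table 1)
W = 16            # Winternitz parameter w = 2^4, i.e. 4-bit blocks
L1 = 256 // 4     # message blocks for a 256-bit hashed message
L2 = 3            # checksum blocks: the checksum is at most L1 * (W - 1) = 960 < 16^3
L = L1 + L2


def f(k, x):
    # Assumed instantiation of the keyed, noncompressing family f_k: SHA-256(k || x) cut to n bytes.
    return hashlib.sha256(k + x).digest()[:N]


def chain(x, start, steps, k, r, calls):
    # c^steps(x) beginning at height `start`: the step to height j+1 XORs r_{j+1}
    # (stored 0-indexed as r[j]) and applies f_k. `calls` accumulates f evaluations,
    # the runtime measure used throughout the paper.
    for j in range(start, start + steps):
        x = f(k, bytes(a ^ b for a, b in zip(x, r[j])))
        calls[0] += 1
    return x


def base_w(digest):
    # Binary representation: split the 256-bit hashed message into 64 blocks of 4 bits.
    return [v for byte in digest for v in (byte >> 4, byte & 0x0F)]


def blocks_with_checksum(digest):
    # Checksum sum(W - 1 - b_i) written in base W, most significant block first.
    # Raising any message block lowers the checksum, so no second message can have all
    # blocks >= the first's: some block is strictly smaller (the property noted above).
    b = base_w(digest)
    c = sum(W - 1 - bi for bi in b)
    return b + [(c >> (4 * i)) & 0x0F for i in reversed(range(L2))]


def keygen(rng=os.urandom):
    k = rng(N)
    r = [rng(N) for _ in range(W - 1)]                    # r_1 .. r_{w-1}
    sk = [rng(N) for _ in range(L)]
    calls = [0]
    pk = [chain(s, 0, W - 1, k, r, calls) for s in sk]    # every chain run to the top
    return (k, r, pk), sk, calls[0]


def sign(digest, sk, pub):
    k, r, _ = pub
    b = blocks_with_checksum(digest)
    calls = [0]
    sig = [chain(sk[i], 0, b[i], k, r, calls) for i in range(L)]   # b_i steps per block
    return sig, calls[0]


def verify(digest, sig, pub):
    k, r, pk = pub
    b = blocks_with_checksum(digest)
    calls = [0]
    # Continue each chain from height b_i for the remaining W - 1 - b_i steps and compare.
    ok = all(chain(sig[i], b[i], W - 1 - b[i], k, r, calls) == pk[i] for i in range(L))
    return ok, calls[0]
```

For a valid signature the signing and verification call counts add up to the key generation count L(w − 1), which is the trade-off Section 5 analyzes.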
The following theorem shows that WSS-N is existentially unforgeable under chosen message attacks, provided that a second preimage-resistant and undetectable one-way function family is used.
Theorem 9. Let , , and be a second preimage-resistant and undetectable one-way function family. Then, , the insecurity of WSS-N against an EU-CMA attack, is bounded by with and .
Proof. It may be proven in much the same way as Theorem 1 in . The only difference is that the heights of the chains used to compute the public keys of WSS-N and W-OTS+ differ. Since the heights of the chains in WSS-N are not constant, the proof becomes a bit more complicated. However, the main idea of the proof does not change. For the detailed proof, we refer the reader to Appendix B.
Remark 10. The length of the signatures of the WSS-N can be reduced by using a secure pseudorandom generator. For example, a -bit seed of a secret key can be used to generate the -bit secret key using the pseudorandom generator based on an AES counter mode. Naturally, the length of the signatures of the WSS-B can be reduced in a similar way.
In this section, we compare the Winternitz signature using the NAF with that using the binary representation. Let be the security parameter, the message length, and the Winternitz parameter, and let WSS-N and WSS-B denote the Winternitz signatures using the NAF and the binary representation, respectively. We compare WSS-N with WSS-B in terms of efficiency.
First, we compare the number of hash function calls needed to generate a WSS-N signature and a WSS-B signature. We show that WSS-N needs fewer hash function calls than WSS-B to generate a signature when and . For ease of analysis, we only consider the case where divides in this section.
Before counting the numbers of the hash function calls that are needed in the signature generation steps, we give a lemma concerning the lengths of the count fields.
Lemma 11. Let be the security parameter, let be the message length, and let be the bit length of the block, the Winternitz parameter. And suppose that divides . The difference between the block length of the count field of WSS-B and that of WSS-N is less than or equal to 1 when .
Proof. The block length of the count field of WSS-B is And the block length of the count field of WSS-N is Thus, it is enough to show that It is equivalent to Because when , we can see that when . This completes the proof.
Now we count the numbers of hash function calls that are needed in the signature generation steps of the Winternitz signature schemes using the binary representation and the NAF representation.
Theorem 12. Let and be the numbers of hash function calls that are needed to generate a WSS-B signature and a WSS-N signature on average, respectively, where is the security parameter, is the Winternitz parameter, and is the message length. And suppose that divides . Then when and .
Proof. First, we compute . The first and second terms correspond to the numbers of the hash function calls that are needed for the message and count fields, respectively.
Next, we compute . The first six and the last terms correspond to the numbers of hash calls that are needed for the message and count fields, respectively.
Applying Lemma 11 yields We shall have established the theorem if we prove that the right-hand side of the above inequality is greater than or equal to 0 when and . The right-hand side can be rewritten as Because and , we can show that the right-hand side is greater than or equal to 0. This finishes the proof; the detailed verification that the right-hand side is nonnegative is left to the reader.
The above theorem states that WSS-N needs fewer hash function calls than WSS-B to generate a signature on average when and . Note that when .
We proceed to the numbers of hash function calls needed in the key generation steps of WSS-B and WSS-N. It is easily seen that hash function calls are needed to generate a WSS-B key pair. Similarly, we see that hash function calls are needed to generate a WSS-N key pair.
What is left is to count the numbers of hash function calls that are required to verify a WSS-B signature and a WSS-N signature. An analysis similar to that in the proof of Theorem 12 shows that hash function calls are needed to verify a WSS-B signature. Similarly, we obtain that hash function calls are needed to verify a WSS-N signature.
Now, we give the concrete result of the efficiency analysis (Table 1) that compares WSS-N and WSS-B. The numbers in the public key, secret key, and signature columns are byte lengths and those in the key generation, signature generation, and signature verification columns are the number of hash function calls. Additionally, the numbers with the dagger mark are average values. Table 1 shows that the number of hash function calls to generate a Winternitz signature is reduced by about 8% when using the NAF representation compared to that with the binary representation. However, generating a key pair and verifying a signature need more hash function calls when using the NAF compared to the binary representation.
Remark 13. WSS-N needs fewer hash function calls than WSS-B when generating a signature. By choosing different orders on , one can instead make the Winternitz signature scheme need fewer hash function calls when verifying a signature. However, we do not cover this feature in this paper.
6. Benchmarks and Comparison
In this section, we provide benchmarking results for WSS-N and WSS-B. Concretely, we implement WSS-N and WSS-B and compare their software performance. The specific parameters and functions are summarized in Table 2. We use the SHA-256 implementation in OpenSSL.
Table 3 shows implementation results of WSS-N and WSS-B. It gives the average clock cycle counts of 1,000,000 runs for key generation, signing, and verification. All results in Table 3 were obtained on an Intel Core i7-6700 running at 3.40 GHz. We used the compiler gcc-5.4.0 with the options "-O3," "-march=broadwell," and "-mtune=generic" to compile our C program.
We can see that WSS-N generates signatures about 8% faster than WSS-B on a general desktop computer. However, the key generation and the signature verification of WSS-N are slower than those of WSS-B, as expected. The source code that benchmarks WSS-N and WSS-B can be found in the supplementary materials.
In this paper, we proposed a hash-based signature using the NAF, WSS-N. It is existentially unforgeable under chosen message attacks in the standard model. We proved that WSS-N requires fewer hash function calls than WSS-B when generating a signature on average. In a concrete example, WSS-N makes the signature generation time 8% shorter than that of WSS-B. We also gave benchmarking results on a regular desktop computer, which show that the signature generation of WSS-N can be implemented faster than that of WSS-B. However, WSS-N takes longer to generate keys and verify signatures.
WSS-N is the first hash-based signature that uses a numeral system other than the binary representation. Applying the NAF to hash-based signatures has trade-offs between the key generation time, the signature generation time, and the signature verification time. It would be interesting to determine what other trade-offs occur when applying numeral systems other than the binary representation and the NAF.
A. Proof of Theorem 8
In this section, we give the proof of Theorem 8.
Proof. The proof is by induction on . As a base case, we compute for given . When , if and only if . It follows that if . And when , if and only if . Consequently, if . Furthermore, it is clear that for all .
For the inductive step, let be an integer and assume that the theorem holds for . We first have for all , provided . In the same manner, we have for all , provided .
We next have for all , provided . In the same manner, we have for all , provided .
Thus, the theorem holds for , and this completes the proof.
B. Security Proof of WSS-N
Proof. Suppose that there exists a forger that -breaks existential unforgeability of WSS-N, where