Abstract
Hash-based signatures are gaining attention as one of the alternatives that can replace current digital signatures, which are not secure against attacks by quantum computers, along with lattice-based signatures, multivariate signatures, and code-based signatures. Up to now, all hash-based signatures have used binary representations to generate signatures. In this paper, we propose using the non-adjacent form (NAF) when generating signatures in hash-based signatures. Concretely, we propose a hash-based signature scheme, WSSN, which is obtained by applying the NAF to the Winternitz signature scheme. We prove that WSSN is existentially unforgeable under chosen message attacks in the standard model. We also show that WSSN needs fewer hash function calls than the Winternitz signature scheme using the binary representation, WSSB. For a specific parameter set with 256-bit security, WSSN generates signatures 8% faster than WSSB. Finally, we implement both WSSN and WSSB and show that WSSN generates signatures faster than WSSB on a desktop computer.
1. Introduction
Recent research progress on quantum computers has brought post-quantum cryptography to the forefront as a means of protecting against attacks by quantum computers. Once large quantum computers are built, most modern cryptographic systems will become insecure; the damage to public key cryptography in particular would be catastrophic. Most modern public key cryptographic algorithms are secure under the assumption that integer factorization and the discrete logarithm problem are computationally infeasible. However, quantum computers can solve these problems in polynomial time using Shor’s algorithm [1]. Therefore, the advent of quantum computers will make modern public key cryptographic systems insecure.
In this situation, the cryptographic community has been spurred to develop post-quantum cryptography. NIST (the National Institute of Standards and Technology) has started a process to standardize post-quantum cryptographic algorithms. Moreover, the NSA (National Security Agency) has announced preliminary plans for transitioning the algorithms approved for protecting the classified and unclassified national security systems of the United States to quantum-resistant algorithms.
The leading fields of post-quantum cryptography are lattice-based cryptography, code-based cryptography, multivariate cryptography, and hash-based digital signatures. In this paper, we propose a new technique that can increase the efficiency of hash-based digital signatures. Hash-based digital signatures are slower than digital signatures based on lattices, codes, and multivariate polynomials. However, hash-based digital signatures provide stronger security guarantees than those of the other categories, because they are secure under a single assumption, namely that the underlying hash functions are secure. Therefore, hash-based signatures are considered to be the most promising alternative in the short term. Hash-based digital signatures have been researched continuously since the Lamport digital signature [2], with examples such as LMS [3] and SPHINCS [4].
Up to now, all hash-based digital signatures have used binary representations to generate signatures. In this paper, we propose using the non-adjacent form (NAF) representation when generating signatures. Specifically, this paper proposes WSSN by applying the NAF to WOTS+ [5]. WOTS+ is a Winternitz-type one-time signature scheme proposed by Hülsing in 2013. (The Winternitz signature is a one-time digital signature that can be used as a component of recent hash-based digital signatures that are capable of signing many messages; in particular, it is used as a building block of XMSS, SPHINCS, etc. [6].) It reduces the signature size compared to previous Winternitz-type one-time signature schemes and is proven to be strongly unforgeable under chosen message attacks in the standard model.
We prove that WSSN is existentially unforgeable under adaptive chosen message attacks if the hash function family used is second-preimage-resistant, undetectable, and one-way. We also analyze the performance of WSSN and compare it with WSSB.
The NAF uses the signed digits 0, 1, and −1, while the binary representation uses the bits 0 and 1. While the digits of the binary representation are uniformly distributed, the digits of the NAF representation have a biased distribution. This makes the Winternitz signature scheme require fewer hash function calls when generating a signature. For a specific parameter set with 256-bit security, the Winternitz signature using the NAF requires 8% fewer hash function calls (and thus generates signatures 8% faster) than the one using the binary representation. However, the key generation and signature verification times of the Winternitz signature using the NAF become longer than those of the one using the binary representation. We analyze these trade-offs in detail.
Figure 1 gives the intuition for why WSSN shows better signature generation performance than WSSB. Concretely, the graph shows the number of blocks by the number of hash function calls when WSSB and WSSN, each with a hashed message length of 256 bits and a block length of 4 bits, generate a signature. That is, the point of the graph means that when WSSB or WSSN generates signatures for hashed messages, the total number of blocks that call the hash function times is . In addition, the blue and red vertical dotted lines of the graph represent the number of hash function evaluations that each block calls on average when WSSB and WSSN generate signatures, respectively. As can be seen from the graph, the maximum number of hash function calls of a WSSN block is larger than that of a WSSB block. However, in the case of WSSN, the number of blocks making a small number of hash function calls is larger than in WSSB, so on average WSSN requires fewer hash function calls than WSSB. Hence, WSSN generates signatures faster than WSSB on average.
Now let us look at the usage and the meaning of WSSN. Basically, WSSN can be used when signature generation time is more important than key generation time. Generally, the bottleneck of a one-time digital signature is not the signature generation time but the key generation time, but there are certainly situations where the signature generation time is more critical. Devices that sense events that occur infrequently but require a quick response, such as seismic sensors, fire sensors, and so forth, should generate a signature as soon as possible when an event occurs; they can generate a key pair while waiting. Likewise, in situations where measurement data must be sent on a regular basis (e.g., every 5 minutes), a key pair can be generated between measurements so that only the signature generation remains when the data are ready. Note that efforts to reduce signature generation time have been around for a long time [7, 8]. The most important contribution of this paper is that it shows the possibility of a numeral system that can provide better performance than the binary representation.
The rest of this paper is organized as follows. Section 2 presents some preliminaries. In Section 3, the properties of the NAF that are required to analyze the efficiency of the Winternitz signature using the NAF are given and proven. In Section 4, we present WSSN, the Winternitz signature using the NAF, and prove that it is existentially unforgeable under chosen message attacks in the standard model. We compare the efficiency of the Winternitz signatures using the NAF and the binary representation in Section 5. And we give implementation results comparing WSSN and WSSB in Section 6. Finally, we conclude the paper in Section 7.
2. Preliminaries
This section gives some notation and formal definitions. We follow the notation of [5]. From now on, the notation means that is randomly chosen from the set using the uniform distribution. We will denote by the uniform distribution over . We follow the definition of a digital signature scheme in [5]. Let denote a signature scheme with a security parameter . We also adopt the definitions of the EU-CMA security of and in [5].
Using this, we define EU-CMA in the following way.
Definition 1 (EU-CMA [5]). Let be a digital signature scheme with a security parameter . is existentially unforgeable under an adaptive chosen message attack if , the maximum success probability of all possibly probabilistic time adversaries making at most queries to Sign in the above experiment, is at most ;
WSSN uses a family of functions with a key space . It can be viewed as a non-compressing cryptographic hash function family. Using , we define the following chaining function.
Following [5], given a value , an iteration counter , a key , and randomization elements with , the chaining function works in the following way. In case , returns . For , we define recursively as The subset of will be denoted by . When , we define to be the empty string. It is assumed that the function family is publicly known.
Throughout the paper, we measure all runtimes by counting the number of the evaluations of elements from . In what follows, we use the (distinguishing) advantage of an adversary [5].
Functions [5]. We use three properties of families of functions. The first two of them are the one-wayness and the second preimage resistance of the family; the success probabilities of adversaries against them are defined as and [5].
To define the other property, undetectability, consider the two distributions, and , over . A sample from is obtained by sampling and . A sample from is obtained by sampling and then evaluating on a uniformly random bit string, that is, . The advantage of an adversary against the undetectability of is as follows: Using this, we define the undetectability as follows.
Definition 2 (undetectability (UD) [5]). Let and be a family of functions as described above. is undetectable if the advantage of any time adversary against the undetectability of is at most :
Now we provide some more notation and formal definitions regarding the NAF. First, we give the formal definition of the NAF and related definitions that are useful to describe our results.
Definition 3. Let be an integer. A signed binary representation of is an equation of the form , where for all . A signed binary representation of an integer is said to be in nonadjacent form provided that no two consecutive ’s are nonzero. Such a representation is denoted as a NAF representation.
Note that the NAF representation of an integer is unique.
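As an added illustration of Definition 3 and of the digit bias discussed in the Introduction (example code written for this edit, not part of the paper or its supplementary source), the following Python computes the NAF of a non-negative integer with the standard right-to-left algorithm, checks the non-adjacency property and that the representation evaluates back to the original integer, and estimates the fraction of non-zero digits for random 256-bit integers under the binary representation and under the NAF. The helper names (`naf`, `is_naf`, `evaluate`, `count_nafs_of_length`, `closed_form`, `nonzero_density`) and the closed-form count of NAF digit strings are this example's own; the count is verified by brute-force enumeration and is not a restatement of the paper's Proposition 5, whose formulas are not reproduced here.

```python
import random
from itertools import product


def naf(n):
    """Non-adjacent form of n >= 0 as a list of signed digits, least significant first.
    Right-to-left algorithm: an odd n takes digit +1 if n = 1 (mod 4) and -1 if n = 3 (mod 4),
    so that (n - digit) is divisible by 4 and the next digit is forced to be 0."""
    digits = []
    while n > 0:
        if n & 1:
            d = 2 - (n & 3)      # n mod 4 == 1 -> +1, n mod 4 == 3 -> -1
            n -= d
        else:
            d = 0
        digits.append(d)
        n >>= 1
    return digits


def is_naf(digits):
    """Defining property: every digit in {-1, 0, 1} and no two consecutive non-zero digits."""
    return (all(d in (-1, 0, 1) for d in digits)
            and not any(digits[i] and digits[i + 1] for i in range(len(digits) - 1)))


def evaluate(digits):
    """Value of a signed binary representation given least significant digit first."""
    return sum(d << i for i, d in enumerate(digits))


def count_nafs_of_length(n):
    """Brute force: number of length-n digit strings over {-1, 0, 1} with no adjacent non-zeros
    (this example's own count, used to illustrate how many patterns a w-digit NAF block can take)."""
    return sum(1 for s in product((-1, 0, 1), repeat=n) if is_naf(list(s)))


def closed_form(n):
    """Assumed closed form (2^(n+2) + (-1)^(n+1)) / 3 for the same count; it satisfies
    a(n) = a(n-1) + 2*a(n-2) with a(0) = 1, a(1) = 3 and is checked against brute force below."""
    return (2 ** (n + 2) + (-1) ** (n + 1)) // 3


def nonzero_density(bits=256, trials=2000, seed=1):
    """Average number of non-zero digits per bit position for random `bits`-bit integers:
    returns (binary density, NAF density); about 1/2 and about 1/3 respectively."""
    rng = random.Random(seed)            # constructed sample inputs, seeded for reproducibility
    bin_total = naf_total = 0
    for _ in range(trials):
        m = rng.getrandbits(bits)
        bin_total += bin(m).count("1")
        naf_total += sum(1 for d in naf(m) if d)
    return bin_total / (trials * bits), naf_total / (trials * bits)


if __name__ == "__main__":
    for n in (3, 7, 255):
        print(n, naf(n), is_naf(naf(n)), evaluate(naf(n)) == n)
    print("length-4 NAF strings:", count_nafs_of_length(4), "binary strings:", 2 ** 4)
    print("non-zero digit density (binary, NAF):", nonzero_density())
```

Two observations follow from running it: the NAF of a random 256-bit integer has roughly one third of its digits non-zero, against one half for the binary representation, and there are 21 NAF digit strings of length 4 but only 16 binary ones, which is consistent with the remark in the Introduction that a single WSSN block can require more hash calls than a WSSB block even though the average is lower.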
Definition 4. Let be a set of all the NAFs, which consists of signed digits and for . And let and . Furthermore, let and .
Proposition 5 shows the explicit formula for and a recurrence relation of .
Proposition 5. For an integer , and .
The functions defined in the following definition give an order on .
Definition 6. We define five functions on which give orders on .
(1) Let be an injective function such that
(2) Let be a bijective function such that if , where .
(3) Let be a bijective function such that for .
(4) Let be an injective function such that for .
(5) Let be an injective function such that for .
3. Properties of the NAF
In this section, we give some properties of the NAF. They will have a crucial role in analyzing the efficiency of WSSN.
Let and be positive integers such that divides . For , let be the NAF of . Here, we assume that is always equal to 0. And let
(i) for and ;
(ii) for and for .
We compute the numbers of the elements in and for all and . First, the numbers of the elements in and are as follows.
Lemma 7. For all , (1)(2)
Proof. First, suppose that . Because should be 0 for , . Additionally, because and for , .
Next, suppose that . If there is an element in , should be 0. Then represents a negative integer. This contradicts our assumption. Hence, . In the same manner, we can see that .
We are now in a position to calculate the numbers of the elements in and for all and .
Theorem 8. For all and , (1)(2)
Proof. See Appendix A.
4. Winternitz Signature Scheme Using the NAF
In this section, we propose WSSN, a Winternitz signature scheme that uses the NAF representation. WSSN is parameterized by the security parameter , the message length , and the Winternitz parameter . And let Algorithms 1–3 describe the key generation, signature generation, and signature verification algorithms of WSSN.
Note that distinct messages will yield distinct values and that the checksum guarantees that given corresponding to a message, corresponding to another message include at least one such that .
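To make the chaining function of Section 2 and the checksum argument above concrete, here is a small Winternitz-type one-time signature in Python. It is an added example for this edit, not the paper's implementation: it realizes the binary-representation variant (the WSSB baseline, with a WOTS+-style chain that XORs a public randomization element into each step before applying a keyed SHA-256) for 256-bit digests and a 4-bit Winternitz parameter, counts hash calls during signing and verification, and checks the property stated above that for two distinct messages the second block vector is strictly smaller in at least one position. The NAF block ordering of Definition 6 is not reproduced, and the names `chain`, `base_w`, `keygen`, `sign`, `verify`, `count_calls` and `checksum_guard` are this example's own.

```python
import hashlib
import os

W_BITS = 4                                      # Winternitz parameter: block length in bits
W = 1 << W_BITS                                 # 16 block values, so each chain has W-1 = 15 steps
N = 32                                          # 256-bit digests and chain values
L1 = 2 * N                                      # 64 message blocks for a 256-bit digest
L2 = ((L1 * (W - 1)).bit_length() + W_BITS - 1) // W_BITS   # 3 blocks hold the checksum (max 960)
L = L1 + L2                                     # 67 chains in total

_calls = [0]                                    # counter of f_k evaluations


def f(key, x):
    """Keyed, non-compressing function f_k on 256-bit strings (toy instantiation via SHA-256)."""
    _calls[0] += 1
    return hashlib.sha256(key + x).digest()


def chain(x, start, steps, key, masks):
    """Chaining function: advance x from chain position `start` by `steps` steps. Each step XORs
    the current value with the randomization element r_j for that position and applies f_k."""
    for j in range(start, start + steps):
        x = f(key, bytes(a ^ b for a, b in zip(x, masks[j])))
    return x


def base_w(digest):
    """Binary representation of the digest as 4-bit blocks (MSB first) followed by the checksum
    blocks. The checksum sum(W-1-b_i) decreases whenever any message block increases."""
    blocks = []
    for byte in digest:
        blocks.extend((byte >> W_BITS, byte & (W - 1)))
    checksum = sum(W - 1 - b for b in blocks)
    blocks.extend((checksum >> (W_BITS * i)) & (W - 1) for i in reversed(range(L2)))
    return blocks


def keygen(randbytes=os.urandom):
    """Secret key: L random chain starts; public key: every chain walked to its top (W-1)."""
    key, masks = randbytes(N), [randbytes(N) for _ in range(W - 1)]
    sk = [randbytes(N) for _ in range(L)]
    pk = [chain(x, 0, W - 1, key, masks) for x in sk]
    return (key, masks), sk, pk


def sign(msg, params, sk):
    """Signature element i is chain i walked b_i steps, b_i being block i of the hashed message."""
    key, masks = params
    b = base_w(hashlib.sha256(msg).digest())
    return [chain(sk[i], 0, b[i], key, masks) for i in range(L)]


def verify(msg, sig, params, pk):
    """Walk each signature element the remaining W-1-b_i steps and compare with the public key."""
    key, masks = params
    b = base_w(hashlib.sha256(msg).digest())
    return [chain(sig[i], b[i], W - 1 - b[i], key, masks) for i in range(L)] == pk


def count_calls(fn, *args):
    """Run fn and return (its result, the number of f_k evaluations it made)."""
    _calls[0] = 0
    return fn(*args), _calls[0]


def checksum_guard(msg1, msg2):
    """For distinct messages, some block of msg2 is strictly below the corresponding block of
    msg1, so deriving a signature on msg2 from one on msg1 would require walking a chain
    backwards, i.e. inverting f_k."""
    b1 = base_w(hashlib.sha256(msg1).digest())
    b2 = base_w(hashlib.sha256(msg2).digest())
    return any(y < x for x, y in zip(b1, b2))


if __name__ == "__main__":
    params, sk, pk = keygen()
    msg = b"constructed sample message"          # constructed input
    sig, sign_calls = count_calls(sign, msg, params, sk)
    ok, verify_calls = count_calls(verify, msg, sig, params, pk)
    print("verified:", ok, "sign calls:", sign_calls, "verify calls:", verify_calls,
          "sum equals L*(W-1):", sign_calls + verify_calls == L * (W - 1))
```

Signing costs exactly the sum of the block values and verification the complement, so the two together always equal the key generation cost of L(W − 1) evaluations; the 8% difference reported for WSSN in this paper comes from changing how the hashed message is mapped to those block values, not from the chain mechanics shown here.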
The following theorem shows that WSSN is existentially unforgeable under chosen message attacks, provided that a second-preimage-resistant and undetectable one-way function family is used.
Theorem 9. Let , , and be a second-preimage-resistant and undetectable one-way function family. Then, , the insecurity of WSSN against an EU-CMA attack, is bounded by with and .
Proof. It may be proven in much the same way as Theorem 1 in [5]. The only difference between them is that the heights of the chains used to compute the public keys of WSSN and of WOTS+ [5] differ. Since the heights of the chains in WSSN are not constant, the proof becomes a bit more complicated, but the main idea of the proof does not change. For the detailed proof, we refer the reader to Appendix B.
Remark 10. The length of the signatures of the WSSN can be reduced by using a secure pseudorandom generator. For example, a bit seed of a secret key can be used to generate the bit secret key using the pseudorandom generator based on an AES counter mode. Naturally, the length of the signatures of the WSSB can be reduced in a similar way.
5. Comparisons
In this section, we compare the Winternitz signature using the NAF with that using the binary representation. When is the security parameter, is the message length, and is the Winternitz parameter, let WSSN and WSSB denote the Winternitz signatures using the NAF and the binary representation, respectively. We compare WSSN with WSSB in terms of efficiency.
First, we compare the numbers of hash function calls needed to generate a WSSN signature and a WSSB signature. We show that WSSN needs fewer hash function calls than WSSB to generate a signature when and . For ease of analysis, we only consider the case where divides in this section.
Before counting the numbers of the hash function calls that are needed in the signature generation steps, we give a lemma concerning the lengths of the count fields.
Lemma 11. Let be the security parameter, let be the message length, and let be the bit length of the block, the Winternitz parameter. And suppose that divides . The difference between the block length of the count field of WSSB and that of WSSN is less than or equal to 1 when .
Proof. The block length of the count field of WSSB is And the block length of the count field of WSSN is Thus, it is enough to show that It is equivalent to Because when , we can see that when . This completes the proof.
Now we count the numbers of hash function calls that are needed in the signature generation steps of the Winternitz signature schemes using the binary representation and the NAF representation.
Theorem 12. Let and be the numbers of hash function calls that are needed to generate a WSSB signature and a WSSN signature on average, respectively, where is the security parameter, is the Winternitz parameter, and is the message length. And suppose that divides . Then when and .
Proof. First, we compute . The first and second terms correspond to the numbers of the hash function calls that are needed for the message and count fields, respectively.
Next, we compute . The first six and the last terms correspond to the numbers of hash calls that are needed for the message and count fields, respectively.
Applying Lemma 11 yields We shall have established the theorem if we prove that the right-hand side of the above inequality is greater than or equal to 0 when and . The right-hand side can be rewritten as Because and , we can show that the right-hand side is greater than or equal to 0. This finishes the proof; the detailed verification that the right-hand side is greater than or equal to 0 is left to the reader.
The above theorem states that WSSN needs fewer hash function calls than WSSB to generate a signature on average when and . Note that when .
We proceed to the numbers of hash function calls needed in the key generation steps of WSSB and WSSN. It is easily seen that hash function calls are needed to generate a WSSB key pair. Similarly, we see that hash function calls are needed to generate a WSSN key pair.
What is left is to count the numbers of hash function calls that are required to verify a WSSB signature and a WSSN signature. An analysis similar to that in the proof of Theorem 12 shows that hash function calls are needed to verify a WSSB signature. Similarly, we obtain that hash function calls are needed to verify a WSSN signature.
Now, we give the concrete result of the efficiency analysis (Table 1) that compares WSSN and WSSB. The numbers in the public key, secret key, and signature columns are byte lengths and those in the key generation, signature generation, and signature verification columns are the number of hash function calls. Additionally, the numbers with the dagger mark are average values. Table 1 shows that the number of hash function calls to generate a Winternitz signature is reduced by about 8% when using the NAF representation compared to that with the binary representation. However, generating a key pair and verifying a signature need more hash function calls when using the NAF compared to the binary representation.
Remark 13. WSSN needs fewer hash function calls than WSSB when generating a signature. By choosing other orders on , one can instead make the Winternitz signature scheme need fewer hash function calls when verifying a signature. However, we do not cover this variant in this paper.
6. Benchmarks and Comparison
In this section, we provide benchmarking results for WSSN and WSSB. Concretely, we implement WSSN and WSSB and compare their software performance. The specific parameters and functions are summarized in Table 2. We use the SHA-256 implementation of OpenSSL [9].
Table 3 shows the implementation results for WSSN and WSSB. It gives the average clock cycle counts over 1,000,000 runs for key generation, signing, and verification. All results in Table 3 were obtained on an Intel Core i7-6700 running at 3.40 GHz. We used the compiler gcc 5.4.0 with the options "-O3", "-march=broadwell", and "-mtune=generic" to compile our C program.
We can see that WSSN generates signatures faster than WSSB by about 8% on a general desktop computer. However, the key generation and the signature verification of WSSN are slower than those of WSSB as expected. The source code that benchmarks WSSN and WSSB can be found in the supplementary materials (available here).
7. Conclusions
In this paper, we proposed WSSN, a hash-based signature using the NAF. It is existentially unforgeable under chosen message attacks in the standard model. We proved that WSSN requires fewer hash function calls than WSSB on average when generating a signature; in a concrete example, WSSN makes the signature generation time 8% shorter than that of WSSB. We also gave benchmarking results on a regular desktop computer, which show that the signature generation of WSSN can be implemented faster than that of WSSB. However, WSSN takes longer to generate keys and to verify signatures.
WSSN is the first hash-based signature that uses a numeral system other than the binary representation. Applying the NAF to hash-based signatures involves trade-offs between the key generation time, the signature generation time, and the signature verification time. It would be interesting to determine what other trade-offs arise when applying numeral systems other than the binary representation and the NAF.
Appendix
A. Proof of Theorem 8
In this section, we give the proof of Theorem 8.
Proof. The proof is by induction on . As a base case, we compute for given . When , if and only if . It follows that if . And when , if and only if . Consequently, if . Furthermore, it is clear that for all .
For the inductive step, let be an integer and assume that the theorem holds for . We first have for all , provided . In the same manner, we have for all , provided .
We next have for all , provided . In the same manner, we have for all , provided .
Thus, the theorem holds for , and this completes the proof.
B. Security Proof of WSSN
In this section, we give the proof of Theorem 9. It can be proven in much the same way as [5].
Proof. Suppose that there exists a forger that breaks existential unforgeability of WSSN, where