# How do hash-based post-quantum digital signatures work? (Part 1)
Eric Zhang, VegeBun
One class of post-quantum digital signatures is hash-based digital signature schemes. Unlike the current digital signature schemes used to validate blockchain transactions, hash functions provide much less structures for quantum computers to exploit, and are widely believed to be quantum-safe. The goal of this article is to provide an up-to-date overview of hash-based digital signatures and explain how they work in detail.
[Digital signatures](https://en.wikipedia.org/wiki/Digital_signature) widely used on current blockchain infrastructures, such as [BLS](https://en.wikipedia.org/wiki/BLS_digital_signature) and [ECDSA](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm), are based on the [discrete logarithm problem](https://en.wikipedia.org/wiki/Discrete_logarithm).
*For those who are not familiar with digital signatures, there are four parts of a signature scheme: System Generation (SysGen), Key Generation (KeyGen), Signature Generation (Sign), and Signature Verification (Verify).*
For example, in ECDSA public key $Pk$ is generated on an elliptic curve group of generator $G$, with private key $Sk$ satisfying $Pk = Sk * G$. Given $Pk$, it is difficult to find $Sk$ using classical algorithms.
The BLS signature scheme is constructed on a pairing group $PG = (G, G_T, g, p, e)$. The public/secret key pair satisfies $Pk = g^{Sk}$.
Because quantum algorithms being good at finding **periodicity** of some functions, it uncovers special structures of classically hard problems like factorization and discrete logarithm. When quantum computers with thousands of logical qubits are available, BLS, ECDSA, and other signature schemes relying on [factorization](https://arxiv.org/pdf/quant-ph/0301141.pdf) and discrete logarithm problems will not be secure.
*For example, finding prime factors of a number $N=p*q$ can be reduced to finding period of a function $D(x) = c^x mod N$, where $c$ is a coprime of $N$. Once a period is found, then the two prime factors can be found by calculating $gcd(N,c^{p/2}+1)$ and $gcd(N,c^P{p/2}-1)$. The greatest common divisor can be found quickly with the famous [Euclidean Algorithm](https://en.wikipedia.org/wiki/Euclidean_algorithm), it runs on a classical computer. On the other hand, finding the period of $D(x)$ is hard on classical computers, but a QPU can do it within polynomial time.*
Although current-day quantum computers only have [a few hundred noisy physical qubits](https://en.wikipedia.org/wiki/Noisy_intermediate-scale_quantum_era), quantum computer builders do have intensive roadmaps to achieve large-scale quantum computers. Superconducting quantum computer manufacturers like [IBM](https://research.ibm.com/blog/ibm-quantum-roadmap-2025) and [Rigetti Computing](https://quantumcomputingreport.com/rigetti-announces-detailed-product-roadmap-and-new-partnerships) are moving towards 1000-physical-qubit quantum computers, and use **tileable modules** to obtain larger number of [logical qubits](https://en.wikipedia.org/wiki/Physical_and_logical_qubits). Beyond that, there are several other methods that could lead to meaningful quantum computing systems in the foreseeable future, including [Ion Trap](https://ionq.com/technology), Neutral Atoms, and Measurement Based Quantum Computing.
On the other hand, there is *so far* no efficient quantum algorithm found to break a hash function, and quantum computers only speeds up birthday attack to $O(N^{1/3})$ compared to $O(N^{1/2})$ on classical computers.
Now let's look at how hash functions are used to construct digital signatures and go through hash-based quantum-safe signatures.
## One-Time Signature Schemes
The first hash-based signature was [Lamport Signature](https://en.wikipedia.org/wiki/Lamport_signature) first introduced in 1979. It is a one-time signature scheme (OTS) because one Lamport signature key can only securely sign one message. The signature scheme works as follows:
For each message, the signer needs to prepare for two sets of key pairs. $SK_0[0,...,255], PK_0[0,...,255]$ and $SK_1[0,...,255], PK_1[0,...,255]$.
$PKs$ are calculated by hashing $SKs$. Assuming we are using a 256-bit cryptographic hash function to produce digests of messages, each set of key pairs consists of 256 secret keys and public keys. In total, we will need to prepare for 512 secret keys and 512 public keys to sign any single message.
To sign a message, first hash the message into a 256-bit random number; Then, based on the bit value of the hashed number, choose SK accordingly.
*Note that we will always sign a digest of a message $h(m)$ (where $h$ is a cryptographic hash function) instead of signing a message of arbitrary length. To make notations simple, we will only use $m$ instead of $h(m)$ in the rest of the article. When you see $m$, you know that it actually means $h(m)$.*
** The signature is $SK_0[0], SK_1[1],...,SK_0[255]$ and the message itself.
To verify the signature, first compute $H(m)$, then compute $PK_0[0],PK_1[1],...,PK_0[255]$ from the signature, verifies that $PKs$ are indeed results hashed from $SKs$, and the indexes are correct.
The process exposes half of the secret keys after signing any message. So key pairs can only be used once, otherwise an attacker will be able to use the exposed secret keys to validate messages.
## Manage OTS Keys with Merkle Trees
From a 21th century crypto user's standpoint, the Lamport signature scheme might at first look strange and messy. Writing down private key or mnemonic phrase once can be already stressful and annoying, isn't it driving people crazy if that key can only sign one message, and a different public key has to be shared for every message?
It turns out that the OTS (introduced later) signature schemes can be not that bad, if we can properly introduce mechanisms and tools to manage the keys.
Because Lamport OTS and Winternitz OTS can only sign one message at a time, if multiple messages need to be signed, there must be many keys. The [Merkle Tree Signature Scheme](https://link.springer.com/content/pdf/10.1007/0-387-34805-0_21.pdf) (commonly called "MSS") was invented by Ralph Merkle to manage Lamport OTS keys.
The basic idea is to use Merkle tree leaves to store Lamport OTS keys. Because Merkle tress are binary trees, a Merkle tree of height $h$ has $2^h$ leaves. If leaves are used to manage digests of Lamport OTS keys, a Merkle tree can manage $2^h$ Lamport OTS key pairs.
When signing a message, one Lamport key pair needs to be picked up from the tree that has not been used before. The signature consists of the index of the leaf, the Lamport public key, the digest of the Lamport public key (the leaf), and the authentication path of that leaf.
** In this simple Merkle tree, a message signed by $sk_2$ is $\sigma = (2,auth_2,\sigma_2, pk_2)$, where $auth_2 = (h(pk_3),h_{1,0})$, and $\sigma_2$ is half of $sk_2$.
If many messages need to be signed, the above process can be repeated. As a Lamport key pair is a one-time key pair, no leaf can be selected more than once. Therefore, MSS is a *stateful signature scheme*.
You might also have noticed that the Lamport signature scheme itself does not prevent [middle-man attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack), if the verifier is given a Lamport signature only.
In order to verify the signer's Lamport public keys are authentic without Merkle tree, the verifier needs to keep a copy of the keys. Because all the individual key pairs are one-time use only, the verifier then needs to keep a copy of all public keys. Using a Merkle tree effectively allows the verifier to only save the Merkle root instead of saving $2^h$ key pairs, reducing space from O(2^h) to O(1). It means that securely exchanging a single Merkle root allows many signature verifications.
As a result of using Merkle tree, signature must include auth path each time - a bit more space, and the verifier computes $O(h)$ more hashes for verifying each signature.
## Winternitz OTS
Another problem with Lamport OTS is that the Lamport public keys and Lamport signatures are too long. Robert Winternitz provided an improved signature scheme (now called WOTS) that significantly reduced the size of signature.
Instead of preparing private and public key pairs for every bit of a message, Winternitz OTS divides a hashed message $m$ into chunks. If a message is divided into N chunks, and each chunk has l bits, we have $lenth(m) = N*l$. We will use the same $l,N$ notations across this article to make it easier to read.
Suppose that we still use a 256-bit hash function on the message, and get a 256-bit digest of the message. In this case, $N * l = 256$ (for example, $N=64, l=4$, or $N=8,l=32$, etc.).
Use the above example, $m$ is splitted into 64 chunks and each chunk has 4 bits. So, WOTS only needs to prepare for 64 private keys $sk_0,...,sk_{64}$. Public keys are computed by applying a hash function on each private key for $2^4-1$ times.
A WOTS signature is generated as follows.
1. Compute the decimal values of each chunk from the message digest. For example, the decimal value of the first chunk is 5.
2. Compute signature of $i$th chunk by hashing the corresponding private key $2^{l-1-m}$ times. In the above example, $sk_0$ will be hashed $2^{4}-1-5=10$ times.
3. Apply (1) adn (2) on $N$ chunks and produce signature $\sigma=[h^{2^l-1-m_0},...,h^{2^l-1-m_{N-1}}]$.
** Each public key is obtained by hasing the corresponding private key $2^l-1$ times.
To verify the signature, a verifier will first hash the message and get a 256-bit digest $m$. The verifier then divides $m$ into chunks, obtaining decimal values of each group.
The verifier then hashes each value the signature $2^{m_i}$ times, getting $pk_v = (pk_{v0}, pk_{v1},...,pk_{v(N-1)})$. If $pk_v$ is identical to the public key set $pk$, signature is valid, otherwise the signature is rejected.
The tradeoff of WOTS is to add more computation in signature generation and verification. As a result, WOTS signatures will be significantly smaller than Lamport signatures (by a factor of about 4 to 8 according to Merkle).
Notably, WOTS is still a one-time signature scheme, because once a key pair is used, an attacker can produce a valid message for each chunk as long as the decimal value of a chunk is smaller than the original value. Therefore, it is not going to be secure at all to use WOTS more than once.
## WOTS+
WOTS+ adds randomization to WOTS. It first adds an additional public key $pk_N$ to the set of public keys $pk_0,...,pk_N-1$. The new $pk_N$ is a set of $2^l-1$ random numbers $(r_1,...,r_{2^l-1})$.
$c$ is a hash function used by WOTS+ that replaces $h$ used in WOTS. $c$ takes two inputs and is recursively defined as:
$$ c^i(x,PK_N) =
\begin{cases}
x& \text{i=0}\\
H(c^{i-1}(x,pk_N)\oplus pk_N^i)& \text{i>0}
\end{cases}$$
where $x$ is the private keys and $H$ is a hash function.
** WOTS+ public keys are computed in the same way as in WOTS, except replacing $h$ with $c$, and adding $pk_N$
The WOTS+ signature is generated in a similar way to WOTS, with some modifications. It first divides a message $m$ into $N$ pieces $(m_0,...,m_{N-1})$, then computes a checksum $C=\sum^{N-1}_{i=1}(2^{l}-1-m_i)$, concatenate the checksum, producing $b = m || c$.
Compute the signature:
$\sigma=(\sigma_0,...,\sigma_{N-1})=(H^{b_0}(sk_0,pk_N), H^{b_1}(sk_1,pk_N),...,H^{b_{N-1}}(sk_{N-1},pk_N))$
Send the signature together with the random number $(pk_N, \sigma)$ to the verifier.
** The signature is a set of middle squares (hash values) according to $m_i$.
A signature can be verified by continuing hashing the elements from the received $\sigma$ until each of the entire set of $\sigma$ is verified by $pk$.
Specifically, compute
$pk_v = (pk_N,...,H^{2^{l}-1-b_0}(sk_0,pk_N), H^{2^{l}-1-b_1}(sk_1,pk_N),...,H^{2^{l}-1-b_{N-1}}(sk_{N-1},pk_N))$
If $pk_v$ elements match $pk$, the signature is valid, otherwise reject the signature.
Although WOTS and some variants of WOTS use simple hash chains, their iteration methods are common and simple. However, WOTS+ has some [special mode of iteration](https://eprint.iacr.org/2017/965.pdf), which enables the tight security proof without requiring the used hash function family to be collision resistant.
## The eXtended Merkle Tree Signature Scheme
Because WOTS+ is still a one-time signature scheme, key management is important if there are multiple messages to sign.
[The Extended Merkle Tree Signature Scheme](https://datatracker.ietf.org/doc/html/rfc8391) (commonly called XMSS) uses Merkle tree to manage WOTS+ keys in a similar way that MSS uses a Merkle tree to manage Lamport keys.
Because we already know how MSS works with Lamport key pairs, let's look at the top-level Merkle tree first.
** The auth path to verify the final XMSS public key is marked in color
In XMSS, the public key is the XMSS Merkle root. Every leaf of the Merkle tree is a Merkle root of a WOTS+ public key set. To illustrate this, "expand" $pk^2_{WOTS+}$ from above we will have a "sub" Merkle tree attached to leaf $pk^2_{WOTS+}$ above. This tree is also called "L-tree" in literatures.
** A WOTS+ key set managed by a L-tree. Actual tree height depends on the size of the WOTS+ key set.
Bitmasks are used in L-trees. Before applying the hash function to two nodes each time, two bottom values will XOR with their corresponding bitmasks. Each level of the L-tree has two bitmask values $q_l$ and $q_r$, they will be used to XOR left and right nodes on that level. Therefore, a L-tree of height $h$ will need $2h$ bitmasks in total.
** How L-trees compute - XOR a value with a bitmask before entering hash function.
Now moving down the L-tree - the leaves of a L-tree are WOTS+ public keys. Every leaf represents one WOTS+ public key, which is created using a chain of hash values from a private key as described in WOTS+.
To sign a message $m$, first choose a leaf indexed by $i$ from the XMSS tree and make sure the leaf has never been used before. Then we know that the leaf is a Merkle root of a WOTS+ public keys set. The WOTS+ private keys can be used to sign the message, and get a WOTS+ signature $\sigma_i$ of message $m$. The XMSS signature $\sigma_m = (\sigma_i, auth_i, i, leaf_i)$ where $i$ is the index of the WOTS+ key pairs and $leaf_i$ is the Merkle root of this WOTS+ public keys set.
To verify the signature, first verify the $\sigma_i$ using $m$ and the WOTS+ public keys indexed by $i$, then verify the correctness of $leaf_i$ with $auth_i$ and the XMSS public key.
With XMSS, multiple WOTS+ keys can be managed and validated.
## Further Reading
The signature schemes introduced in this article are basic building blocks of hash-based signature schemes. More in-depth analysis of algorithmic properties of hash-based signature schemes can be found in [this paper](https://csrc.nist.gov/csrc/media/events/workshop-on-cybersecurity-in-a-post-quantum-world/documents/papers/session5-hulsing-paper.pdf) by Andreas Hülsing et al.
There are other previously NIST recommended signature schemes (e.g. the [Leighton-Micali Signature](https://datatracker.ietf.org/doc/html/rfc8554#page-12)) and multi-tree variance such as Hierarchical Signature System (HSS) and the [multi-tree XMSS (XMSS-MT)](https://www.rfc-editor.org/rfc/rfc8391.html). These signature schemes and the ones introduced in the first part of this article are not currently recommended by the NIST's recent Third Round of [Post-Quantum Cryptography Standardization Process](https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8413-upd1.pdf). However, it is important to understand the details of these signature schemes, because newer, and often more complicated signature schemes are designed based on the ideas of these algorithms.
The second part of this article will introduce more recent developments of hash-based signature schemes, including SPHINCS/SPHINCS+, as well as the status of engineering and open source libraries.
Google Drive
Gist
Clipboard
Sign in with Wallet
