
One-Time Signature (OTS) Overview

Updated 18 June 2026
  • One-Time Signature (OTS) is a digital signing scheme that uses a fresh key pair for each message so that signing cannot be repeated without enabling existential forgery, with constructions such as Lamport, Winternitz, and PRNG-based methods.
  • OTS schemes come with rigorous security models, including classical and quantum random oracle treatments; their security depends on parameters such as the hash security level and the message length, and on assumptions such as hash one-wayness or PRNG one-wayness.
  • These schemes are crucial for post-quantum hash-based digital signatures, secure remote attestation, and applications in distributed payment networks and blockchain protocols.

A one-time signature (OTS) is a digital signature primitive in which a generated key pair is secure for authenticating exactly one message; signing two distinct messages with the same key reveals enough secret material that an adversary may be able to forge signatures on further messages (existential forgery). OTS schemes form the foundation for numerous stateful and stateless many-time hash-based signature constructions, underlie hash-based signing in post-quantum cryptography, and have been extended to handle advanced adversarial models such as key exposure, side-channel attacks, and quantum-access threats.

1. Core Constructions: Lamport, Winternitz, and PRNG-based OTS

The canonical OTS scheme is the Lamport construction, which provides one-time existential unforgeability (EUF-CMA restricted to a single signing query) from minimal assumptions, namely the existence of one-way functions. Let $n$ be the hash security parameter (the output length in bits) and $m$ the message bit length. The Lamport secret key is a vector of $2m$ random $n$-bit strings, two per message bit, and the public key is their hash images. To sign, the signer reveals one preimage per message bit; the verifier hashes each revealed value and compares it with the public-key entry selected by that bit. Lamport OTS has optimal simplicity but large keys and signatures ($2mn$-bit keys and $mn$-bit signatures, i.e. $O(mn)$ bits).
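A runnable illustration of both points above, the Lamport construction and the forgery that key reuse enables (an added example written for this page, not code from any of the cited papers; SHA-256 stands in for the one-way function, and messages are fixed 64-bit strings rather than hashed inputs):

```python
# Added example (not from the page or the cited papers): a minimal Lamport OTS
# over fixed-length M_BITS messages with SHA-256 as the one-way function, plus
# the forgery that becomes possible as soon as one key signs two messages.
import hashlib
import secrets

N_BYTES = 32   # n = 256-bit hash output (SHA-256)
M_BITS = 64    # m = message bit length; real schemes sign a digest of the message


def H(x: bytes) -> bytes:
    """One-way function instantiated with SHA-256 (assumption of this example)."""
    return hashlib.sha256(x).digest()


def bits(msg: bytes) -> list:
    """Message bits, most significant bit first; messages must be exactly M_BITS long."""
    if len(msg) * 8 != M_BITS:
        raise ValueError("message must be exactly %d bits" % M_BITS)
    return [(msg[i // 8] >> (7 - i % 8)) & 1 for i in range(M_BITS)]


def keygen():
    """Secret key: 2m random n-bit strings (two per bit); public key: their hash images."""
    sk = [[secrets.token_bytes(N_BYTES), secrets.token_bytes(N_BYTES)] for _ in range(M_BITS)]
    pk = [[H(s0), H(s1)] for s0, s1 in sk]
    return sk, pk


def sign(sk, msg: bytes) -> list:
    """Reveal one preimage per message bit: sk[i][bit_i]."""
    return [sk[i][b] for i, b in enumerate(bits(msg))]


def verify(pk, msg: bytes, sig: list) -> bool:
    """Hash each revealed value and compare with the public-key entry the bit selects."""
    return len(sig) == M_BITS and all(H(sig[i]) == pk[i][b] for i, b in enumerate(bits(msg)))


def forge_after_reuse(msg1, sig1, msg2, sig2, target):
    """Attack on key reuse: two signatures reveal, at each position, the preimage for
    msg1's bit and for msg2's bit. Any target whose every bit matches one of them can
    be signed by picking the matching preimage; returns None if some bit matches neither."""
    b1, b2, bt = bits(msg1), bits(msg2), bits(target)
    forged = []
    for i in range(M_BITS):
        if bt[i] == b1[i]:
            forged.append(sig1[i])
        elif bt[i] == b2[i]:
            forged.append(sig2[i])
        else:
            return None
    return forged


def forgeable_count(msg1: bytes, msg2: bytes) -> int:
    """Number of distinct messages the attacker can sign after two signatures: 2^k,
    where k is the Hamming distance between the two signed messages (both preimages
    are exposed at those k positions)."""
    k = sum(a != b for a, b in zip(bits(msg1), bits(msg2)))
    return 2 ** k


if __name__ == "__main__":
    sk, pk = keygen()
    m1, m2 = b"\x00" * 8, b"\x0f" * 8          # constructed sample messages
    s1, s2 = sign(sk, m1), sign(sk, m2)        # the mistake: one key, two messages
    target = b"\x05" * 8                       # never signed by the key owner
    forged = forge_after_reuse(m1, s1, m2, s2, target)
    print("forgery verifies:", verify(pk, target, forged))
    print("messages now forgeable:", forgeable_count(m1, m2))
```

Signing `m1` and `m2` exposes both preimages at every position where the two messages differ; with the constructed `m1 = 0x00…` and `m2 = 0x0f…` that is 32 positions, so 2^32 further messages become forgeable and the key owner can no longer dispute any of them. This is the concrete reason stateful schemes such as XMSS track an index and never reuse an OTS leaf.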

The Winternitz OTS (“W-OTS”) reduces signature size by encoding the message, together with a checksum, in base $w$ and using hash chains. The secret key consists of $\ell$ random $n$-bit values, one per base-$w$ digit; the public key is the $(w-1)$-fold iterated hash of each. For each digit $b_i$ the signer reveals the $b_i$-th element of the corresponding chain, and the verifier applies the remaining $w-1-b_i$ hash steps and compares the result with the public key; the checksum digits are what stop an adversary from hashing a revealed chain element forward to sign a message with larger digits. Security is proven under one-wayness, second-preimage resistance, and a non-trivial “undetectability” property of the hash (Kudinov et al., 2020; Majenz et al., 2021). Quantum-access security of the Winternitz OTS has been established under the blind unforgeability model, showing negligible success probability for superposition adversaries provided the output length $n$ and the chain parameters ($\ell$ chains of length $w$) are suitably chosen (Majenz et al., 2021).

Recent schemes replace hash chains with pseudorandom number generator (PRNG) chains. For instance, a construction based on an iterated linear congruential generator (LCG) produces compact key pairs and signatures (concrete sizes are given in the tables below), at the cost of relying directly on PRNG one-wayness rather than on general hash assumptions (Chen, 2024).

Scheme                    Key Size            Signature Size      Security Assumption
Lamport OTS               $2mn$ bits          $mn$ bits           Hash preimage/collision resistance
Winternitz OTS (base $w$) $\ell n$ bits       $\ell n$ bits       Hash OW / SPR / UD
PRNG-OTS                  see Section 4       see Section 4       PRNG one-wayness

2. Security Models and Rigorous Bounds

OTS schemes are defined by a single-use security game: after observing a signature on one message, it should be infeasible for an adversary to forge a valid signature on any distinct message. Classical proofs for Lamport and Winternitz OTS reduce forgeries to inverting a hash or finding a second preimage, but detailed reductions require careful accounting when checking which chain elements may be exposed (Kudinov et al., 2020).

For W-OTS$^+$, Kudinov et al. (2020) give a tight bound on the success probability of one-time adversaries making a bounded number of hash queries against $\ell$ chains of length $w$; the bound contains an undetectability (UD) term, and it is this term that corrects a subtle flaw in earlier proofs (Kudinov et al., 2020).

Majenz et al. (2021) give a corresponding bound for quantum-access adversaries in the QROM (quantum random oracle model). A direct implication is that the hash output length $n$ must be chosen significantly larger than the desired security level (roughly twice it) to counter the quadratic Grover speedup on preimage search in quantum settings.

The PRNG-based OTS is secure if the PRNG output function is cryptographically one-way and the normalization hash prevents collision attacks (Chen, 2024).

3. Key Exposure and Leakage-resilient OTS

Classical OTS schemes do not tolerate secret key leakage; knowledge of the entire state after one signature trivially enables forgeries. The OTS-SKE model (Gurevin et al., 2022) introduces a construction in which even given all session keys, no adversary can forge on a new message or session. This is achieved with a session/key-derivation architecture:

  • Each signing key is split into several subkeys.
  • For each message, a pseudorandom index selects a unique subset of subkeys to participate in the signature.
  • Subset selection uses a PRP (pseudorandom permutation), and each subset, once accessed, is irreversibly erased (key insulation).
  • Security relies on the inability to reconstruct untouched subkey subsets after leakage.

This model is formalized through the OTS-SKE game: adversaries given all revealed signing material for any previously signed message must break CDH in the underlying group to succeed (Gurevin et al., 2022). The architecture leverages an on-chip one-way hardware key generator and an oblivious transfer memory to enforce per-session key erasure, ensuring both forward and backward security.

OTS-SKE can outperform ECDSA in signing latency but incurs higher key generation overhead.

4. Parameter Selection, Performance, and Efficiency Trade-offs

Signature length, key sizes, and computational cost are driven by the security parameter ($n$, the hash output length), the message length ($m$), and the Winternitz/compression parameter ($w$):

  • Lamport OTS: $O(mn)$-bit keys and signatures; one hash evaluation per message bit at verification.
  • Winternitz OTS: compresses keys and signatures by a factor of about $\log_2 w$ (plus a few checksum chains) at the cost of up to $w-1$ hash evaluations per digit; the number of chains $\ell$ follows from $m$ and $w$, and concrete instances are analysed in "Security analysis of the W-OTS+ signature scheme" (Kudinov et al., 2020).
  • PRNG-based OTS: orders of magnitude smaller signatures, but at the risk of weak PRNG parameterization (Chen, 2024).
Scheme (example instantiation)   Key Size        Signature Size
Lamport OTS                      32,768 bits     16,384 bits
Winternitz OTS                   1,152 bits      1,152 bits
PRNG-OTS                         128 bits        152 bits

The efficiency of OTS schemes also depends on implementation details (e.g., modular arithmetic versus hash calls). For PRNG-OTS, reported timings were in the hundreds of milliseconds for LCGs with 31- to 56-bit moduli (Chen, 2024). Hardware-aided key generation in OTS-SKE amortizes the high initial cost, and its signing is reported to outpace ECDSA in targeted applications (Gurevin et al., 2022).

5. Applications in Cryptographic Protocols

Hash-based OTS schemes are the base layer of post-quantum hash-based signatures: stateful, forward-secure schemes such as XMSS and stateless schemes such as SPHINCS and SPHINCS+ authenticate many messages by combining many OTS instances under one public key. W-OTS$^+$ in particular is deployed as the OTS building block of these many-time schemes (Kudinov et al., 2020; Majenz et al., 2021).

Beyond cryptography per se, OTS primitives provide strong guarantees for secure remote attestation facing key exposure (Gurevin et al., 2022). In distributed payment networks, “OTS-PC” leverages hash-based OTS (as an abstract primitive) for bidirectional payment channels on the Lightning Network, keeping per-channel storage small by rotating minimal OTS keys at each channel state; signatures of 36 bytes and public keys of 32 bytes are realized assuming strong preimage resistance for the base hash function (Lerner et al., 6 Nov 2025).

6. Limitations, Open Problems, and Future Work

All standard OTS schemes are strictly “one-time”; key reuse admits trivial attacks, due to leakage of intermediate key material or hash/PRNG states (Chen, 2024). While Winternitz and Lamport constructions are well-understood under hash-based assumptions, PRNG-based OTS requires careful selection of parameters due to known structural weaknesses in many PRNGs, especially concerning lattice attacks on classic LCGs. There is an identified need for formal quantum-random-oracle reductions for PRNG-based OTS and for new constructions offering multi-time signatures with one-time security per instance (Chen, 2024).

Quantum-specific OTS (“one-shot signatures,” OSS) extend the OTS paradigm into quantum signing keys and verification via quantum public states, but efficient, usability-focused OSS remain an active area for ongoing research (Huang et al., 13 Oct 2025).

7. Variants and Security Extensions

Several variants of OTS have emerged to satisfy additional threat models:

  • OTS-SKE specifically achieves unforgeability under secret-key exposure, suitable for adversaries able to mount full-state digital observation attacks, by blending PRP-selected key subset release and hardware-backed erasure (Gurevin et al., 2022).
  • OTS schemes tailored for on-chain usage, e.g., OTS-PC, adapt the OTS abstraction to resource-constrained distributed ledger environments and use generic hash-based instantiations (Lerner et al., 6 Nov 2025).
  • One-shot (quantum) signature schemes provide an OSS that restricts a quantum signing state to a single operation, with security fundamentally rooted in quantum properties (Huang et al., 13 Oct 2025).

Practical, future-proof OTS research intersects with the precise selection of underlying cryptographic primitives, secure parameterization for post-quantum settings, performance evaluations for both software and hardware deployments, and compositional use within broader cryptographic protocols.
