One-Time Signatures Overview

Updated 13 November 2025

One-Time Signatures are digital signature schemes designed for a single secure message authentication using methods such as hash-based, code-based, and quantum protocols.
They employ minimal-complexity signing mechanisms with security grounded in hard cryptographic assumptions and feature forgery-detection availability through hash collision evidence.
Design trade-offs in OTS include large key/signature sizes and increased primitive invocations, which are essential for achieving strong, post-quantum security guarantees.

A one-time signature (OTS) is a digital signature primitive wherein a keypair is designed to be securely used for authenticating only a single message. OTS schemes, first formalized by Lamport, provide minimal-complexity signing mechanisms with security anchored to strong cryptographic assumptions, making them foundational within classical, code-based, lattice, and quantum-resistant cryptography. OTS remains a primary mechanism for post-quantum security and serves as a critical component within stateful or stateless hash-based signature frameworks, code-based authentication, and emerging quantum public-key schemes.

1. Formal Definitions, Security Models, and Efficiency Metrics

Let $n$ denote the message bit-length, and let $(\mathsf{Gen}, \mathsf{Sign}, \mathsf{Verify})$ define the OTS protocol. In the random-oracle model, key generation $\mathsf{Gen}^O(1^n)$ , signing $\mathsf{Sign}^O(SK, m)$ , and verification $\mathsf{Verify}^O(VK, m, \sigma)$ each query a public oracle $O$ , with perfect completeness requiring that for every $O$ , each $(SK, VK)$ , and $m$ , verification of a legitimate signature always succeeds. The crucial security property is existential unforgeability under a chosen-message attack, restricted to one signing query: for every forger $A$ (possibly computationally unbounded) making $T$ queries to $O$ , the probability of forging a valid signature on a novel message is at most $T/S$ , where $S$ is the black-box security parameter (often $2^{\text{poly}(n)}$ for strong schemes) (0801.3680).

Security metrics for OTS schemes further include resistance to key-recovery and support for forgery-detection availability (FDA): in many hash-based schemes, any successful forgery leaks a collision of the underlying hash (provably) (Kiktenko et al., 2019). Efficiency metrics are typically dominated by key size, signature size, and the number of required calls to the underlying primitive (e.g., oracle queries, matrix operations, code decoding steps).

2. Classical Hash-Based One-Time Signatures

Classical OTS constructions focus on minimizing cryptographic assumptions, relying solely on the existence of one-way functions. The Lamport OTS scheme and its generalization, the Winternitz OTS (WOTS), reveal only preimages under the hash function $H$ , so their security directly inherits the hardness of inverting $H$ . The generic Lamport OTS exposes no algebraic relationships, and each private key element is simply a uniformly random element hashed into the public key.

Lamport OTS: For $n$ -bit messages, the signer generates $2n$ random values $SK_{i,0}, SK_{i,1} \in \{0,1\}^l$ , computes $VK_{i,b}=H(SK_{i,b})$ , and reveals $(SK_{i,m_i})$ for message $m=(m_1,\ldots,m_n)$ . The signature consists of $n$ hash preimages.

Efficiency Trade-offs:

Key and signature sizes are large: with $n=256$ , each secret/public key is $2n\cdot l$ bits, each signature is $n\cdot l$ bits.
Signing and verification involve $n$ hash function evaluations.

Winternitz OTS achieves shorter signatures by trading off signature size versus signing/verification time (by chaining hashes).

A crucial property is forgery-detection availability (§3): upon any successful forgery, a previously unknown hash collision (or preimage) is revealed with overwhelming probability $1 - 5.22 \cdot 2^{-\delta}$ , where the parameter $\delta$ increases the preimage domain for robust detection. The practical implication is cryptographic agility—any such event is cryptographically convincing evidence that $H$ has failed and must be replaced (Kiktenko et al., 2019).

The efficiency of hash-based OTS is bounded from below: Barak and Mahmoody show that no construction using only $q$ random-oracle queries (distributed across $\mathsf{Gen}$ , $\mathsf{Sign}$ , and $\mathsf{Verify}$ ) can exceed security $S \le 2^{(1+o(1))q}$ , even for ideal hash functions (0801.3680). This lower bound is tight up to a constant, achieved by combinatorial variations of Lamport: for $q$ queries, at best $S \sim 2^{0.812q}$ . Therefore, achieving $128$-bit security requires at least $128$ calls to the base primitive per key/signature.

3. Post-Quantum and Code-Based OTS Constructions

Classical OTS schemes directly generalize to post-quantum settings by substituting post-quantum hash functions. However, compact keys/signatures and performant parameterization motivate alternative designs.

Code-Based OTS

Sparse, code-based primitives such as [Baldi2013] and Persichetti's QC-code schemes use low-density generator matrices (LDGM) and syndromes under a public hash function.

Critical failure mode: Sparse signatures leak the underlying secret through basic statistical analysis of multiple (even single) signatures. Given a signature $\mathbf{z}(x) = c(x)\mathbf{e}(x) + \mathbf{y}(x)$ and knowledge of the sparse codeword $c(x)$ , an attacker reconstructs most of the sparse secret $\mathbf{e}(x)$ by summing shifted versions of the signature components, then solves for the remainder via Information Set Decoding (ISD). For Persichetti's parameters, full key recovery occurs at work factor $2^{37.6}$ , far below any practical security target (Santini et al., 2018).

SPANSE: Dense Code-Based OTS

To defeat sparsity attacks, the SPANSE scheme (Baldi et al., 2022) constructs signatures as maximally dense (no zero entries), shifting security to the NP-hardness of large-weight syndrome decoding over non-binary QC codes. The trapdoor remains code-based (QC-LDGM), but signatures are produced by mapping message randomness to sparse syndromes embedded in a dense signature vector. No two signatures reveal the same sparse support, so statistical attacks do not apply.

Performance summary:

Key generation: $O(n^3)$ field operations (done offline).
Signing/Verification: $O(n^2)$ field operations, $10$ ms for $n \sim 24,000$ on commodity processors.
Key size: $2,436$ KiB; signature size: $21$ KiB for 128-bit security.
Security: best known attacks require $2^{131.6}$ work (field ops).

This approach yields smaller attack surfaces and practical performance at the cost of moderate key size and preservation of true one-time use.

4. OTS Based on PRNG Chains and Beyond

The classical hash-chain can be generalized using pseudorandom number generators (PRNGs), notably linear-congruential generators (LCGs), as in Chen’s proposal (Chen, 23 Dec 2024).

LCG-based OTS:

Private key: seed $p\in \{0,\dots,m-1\}$ .
Public key: value after $2^w - 1$ LCG steps: $pk=f_{2^w-1}(p)$ .
Signing: derive integer $t$ from hash of message; output (t, $S=a\oplus f_t(p)$ ), $a$ the LCG multiplier.
Verification: using $S$ , LCG parameters, and message hash, run LCG for $2^w-1-t$ steps and check against $pk$ .

Trade-offs:

Signature length: $n + w$ bits (with $n \sim 256$ , $w = 16$ yields 272 bits).
Time per sign/verify: $2^{w-1}$ LCG steps.
Security: tied to the one-wayness of the LCG and collision-resistance of $H$ .
Forgery-resistance collapses if a keypair is ever used to sign more than one message.

This design achieves minimal key and signature size at the expense of computational time. Using a block-cipher-based PRNG (e.g., AES-CTR) is suggested for stronger assumptions.

5. Quantum Public-Key One-Time Signatures

Quantum signature schemes with quantum public keys demonstrate existential unforgeability based on the existence of pseudorandom quantum states, even absent quantum-secure one-way functions (Morimae et al., 2021).

In such schemes:

Secret key: $(sk_0, sk_1) \in \{0,1\}^n \times \{0,1\}^n$ .
Public key: $(|\psi_{sk_0}\rangle, |\psi_{sk_1}\rangle)$ , where $|\psi_k\rangle = \mathsf{StateGen}(k)$ is a pseudorandom quantum state.
Signing: Output $sk_m$ for a bit $m$ .
Verification: Perform measurement on $|\psi_{sk_m}\rangle$ in basis containing $|\psi_\sigma\rangle$ ; accept if the outcome aligns.

Security: Reduction shows that any QPT forger with non-negligible success probability can distinguish pseudorandom quantum states from Haar-random ones, violating the security of the quantum state generator. This base assumption is strictly weaker than any classical cryptographic primitive, suggesting that one-time quantum signatures can exist under purely quantum assumptions.

6. Efficiency Lower Bounds, Black-Box Constructions, and the Symmetric/Efficiency Gap

Barak and Mahmoody's lower bounds (0801.3680) have foundational implications for OTS design:

Random oracle model: Any OTS using $q$ queries, across all phases, admits at most $2^{(1+o(1))q}$ black-box security.
Symmetric primitives: Any black-box construction of a secure OTS from a symmetric primitive (e.g., block cipher, MAC, or PRF) must make $\Omega(n)$ calls to the primitive to sign an $n$ -bit message at exponential security. Private-key primitives themselves need only $O(1)$ calls to achieve exponential security.
Efficiency gap: There is an inherent and formal efficiency gap between OTS and all other symmetric primitives: for digital signing, efficiency can only be achieved by increasing the number of primitive invocations linearly with the security parameter.

This result generalizes to random-permutation and ideal-cipher oracles, with only small multiplicative losses in the exponent.

7. Extensions: One-Time Aggregate, Identity-Based, and Code Design Challenges

One-time signatures are employed and extended in several directions:

Aggregate signatures: Schemes such as MTA-OTIBAS (Zhang et al., 2015) allow one-time identity-based aggregate signatures over multiple trusted authorities. Security relies on the co-computational Diffie–Hellmann assumption in bilinear groups, and single-use keys per identity prevent signature replay and linking.
Detection and crypto-agility: FDA enables automated detection of a broken hash function and immediate protocol migration, a unique property for hash-based OTS frameworks (Kiktenko et al., 2019).
Code-based OTS challenges: The risk with sparse signatures remains acute unless signatures are made dense (e.g., SPANSE (Baldi et al., 2022)); any significant information leakage or repeated use violates one-time use, as exploited in key-recovery attacks (Santini et al., 2018). A plausible implication is that code-based OTS must make the signature dense or introduce randomness at every invocation to ensure practical security.

Table: Summary of Main OTS Families

Scheme Family	Security Basis	Key Size	Signature Size	Signing Time	Security Notes
Lamport/WOTS	Hash function	Large	Large	Very Fast	FDA, easily parameterized, quantum-resistant
Code-based (QC-LDGM)	Syndrome decoding	Medium-large	Medium	Fast/Medium	Sparsity leaks (unless dense), quantum-resistant
PRNG-chain OTS	PRNG one-wayness	Minimal	Minimal	Medium (param. $2^w$ )	Only secure for strict one-time use
Quantum-PK OTS	PR quantum states	Minimal/classical	Minimal/qubits	Table-lookup/classical	Weaker assumptions, quantum public keys
Aggregate/IBS OTS	group hardness	Small	Small/aggregated	Fast	Single-use ensures unlinkability

Editor’s term: FDA, “forgery-detection availability”.

References

Barak & Mahmoody. "Lower Bounds on Signatures from Symmetric Primitives" (0801.3680)
Santini, Baldi, Chiaraluce. "Cryptanalysis of a One-Time Code-Based Digital Signature Scheme" (Santini et al., 2018)
Finiasz, et al. "SPANSE: combining sparsity with density for efficient one-time code-based digital signatures" (Baldi et al., 2022)
Alagic et al. "Quantum commitments and signatures without one-way functions" (Morimae et al., 2021)
Chen. "One-Time Signature Based on Pseudorandom Number Generator" (Chen, 23 Dec 2024)
Grechnikov. "Proof-of-forgery for hash-based signatures" (Kiktenko et al., 2019)
Cheng, et al. "On the Security of MTA-OTIBASs" (Zhang et al., 2015)

A comprehensive understanding of OTS demands careful alignment of use-case (one-time, few-time, Merkle-hierarchical), security assumption (hash-based, code-based, quantum), and efficiency target (signature/key size, computation). Each family carries nuanced trade-offs; robust security—particularly in post-quantum contexts—often prioritizes one-time operation and provable resistance to various forms of analytic, algebraic, and quantum attacks.