Winternitz Signature Scheme Using Nonadjacent Forms

Hash-based signatures are gaining attention as one of the alternatives that can replace current digital signatures, which are not secure against attacks by quantum computers, along with lattice-based, multivariate, and code-based signatures. Up to now, all hash-based signatures have used binary representations to generate signatures. In this paper, we propose using the nonadjacent form (NAF) when generating signatures in hash-based signatures. Concretely, we propose a hash-based signature scheme, WSS-N, which is obtained by applying the NAF to the Winternitz signature scheme. We prove that WSS-N is existentially unforgeable under chosen message attacks in the standard model, and we show that WSS-N needs fewer hash function calls than the Winternitz signature scheme using the binary representation, WSS-B. For a specific parameter set with 256-bit security, WSS-N generates signatures 8% faster than WSS-B. Finally, we implement both WSS-N and WSS-B and show that WSS-N generates signatures faster than WSS-B on a desktop computer.


Introduction
Recent research progress on quantum computers has brought postquantum cryptography to the forefront as protection against attacks by quantum computers. Once quantum computers are developed, most modern cryptographic systems will become insecure. In particular, it would cause catastrophic damage to public key cryptography. Most modern public key cryptographic algorithms are secure under the assumption that integer factorization and the discrete logarithm problem are computationally infeasible. However, quantum computers can solve these problems in polynomial time using Shor's algorithm [1]. Therefore, the advent of quantum computers will make modern public key cryptographic systems insecure.
In this situation, the cryptographic community has pushed hard to develop postquantum cryptography. NIST (the National Institute of Standards and Technology) has started a process to standardize postquantum cryptographic algorithms. Moreover, the NSA (National Security Agency) has announced preliminary plans for transitioning the algorithms approved for protecting the classified and unclassified national security systems of the United States to quantum-resistant algorithms.
The leading fields of postquantum cryptography are lattice-based cryptography, code-based cryptography, multivariate cryptography, and hash-based digital signatures. In this paper, we propose a new technique that could increase the efficiency of hash-based digital signatures. Hash-based digital signatures are slower than digital signatures based on lattices, codes, and multivariate polynomials. However, hash-based digital signatures provide stronger security guarantees than those of the other categories because they are secure under only one assumption, namely that the underlying hash functions are secure. Therefore, hash-based signatures are considered the most promising alternative in the short term. Hash-based digital signatures have been researched continuously since the Lamport digital signature [2]; examples include LMS [3] and SPHINCS [4].
Up to now, all hash-based digital signatures have used binary representations to generate signatures. In this paper, we propose using the nonadjacent form (NAF) representation when generating signatures. Specifically, this paper proposes WSS-N by applying the NAF to W-OTS+ [5]. W-OTS+ is a Winternitz-type one-time signature scheme proposed by Hülsing in 2013 (the Winternitz signature is a one-time digital signature that can be used as a component of recent hash-based digital signatures capable of signing many messages; in particular, it is used as a building block of XMSS, SPHINCS, etc. [6]). It reduces the signature size compared with previous Winternitz-type one-time signature schemes and is proven to be strongly unforgeable under chosen message attacks in the standard model.
We prove that WSS-N is existentially unforgeable under adaptive chosen message attacks if the hash function family used is second preimage-resistant, undetectable, and one-way. We also analyze the performance of WSS-N and compare it with WSS-B.
The NAF uses the signed digits 0, 1, and −1, while the binary representation uses the bits 0 and 1. While the binary representation has a uniform distribution, the NAF representation has a biased distribution. This makes the Winternitz signature scheme require fewer hash function calls when generating a signature. For a specific parameter set with 256-bit security, the Winternitz signature using the NAF requires 8% fewer hash function calls (and thus generates signatures 8% faster) than that using the binary representation. However, the key generation and signature verification times of the Winternitz signature using the NAF are longer than those of the binary version. We analyze these trade-offs in detail.
Figure 1 gives the intuition for why WSS-N shows better signature generation performance than WSS-B. Concretely, the graph shows the number of blocks by the number of hash function calls when WSS-B and WSS-N, each with a hashed message length of 256 bits and a block length of 4 bits, generate a signature. That is, the point (, ) of the graph means that when WSS-B or WSS-N generates signatures for 2^256 hashed messages, the total number of blocks that call the hash function  times is . In addition, the blue and red vertical dotted lines of the graph represent the number of hash function evaluations that each block calls on average when WSS-B and WSS-N generate signatures, respectively. As can be seen from the graph, the maximum number of hash function calls for a WSS-N block is larger than that for WSS-B. However, in the case of WSS-N, the number of blocks making a small number of hash function calls is larger than for WSS-B, so on average WSS-N requires fewer hash function calls than WSS-B. Hence, WSS-N generates signatures faster than WSS-B on average. Now let us look at the usage and the meaning of WSS-N. Basically, WSS-N can be used when signature generation time is more important than key generation time. Generally, the bottleneck of a one-time digital signature is not the signature generation time but the key generation time, but there will certainly be situations where the signature generation time is more critical. Devices that sense events that do not happen frequently but need a quick response, such as seismic sensors and fire sensors, should generate a signature as soon as possible when an event occurs. They can generate a key pair during the waiting time. Also, in situations where measurement data must be sent on a regular basis (e.g., every 5 minutes), a key pair can be generated between measurements, ready for signature generation. Note that efforts to reduce signature generation time have been around for a long time [7, 8]. The most important contribution of the paper is that it shows the possibility of a numeral system that can provide better performance than the binary representation.
The rest of this paper is organized as follows. Section 2 presents some preliminaries. In Section 3, the properties of the NAF that are required to analyze the efficiency of the Winternitz signature using the NAF are given and proven. In Section 4, we present WSS-N, the Winternitz signature using the NAF, and prove that it is existentially unforgeable under chosen message attacks in the standard model. We compare the efficiency of the Winternitz signatures using the NAF and the binary representation in Section 5, and we give implementation results comparing WSS-N and WSS-B in Section 6. Finally, we conclude the paper in Section 7.

Preliminaries
This section gives some notation and formal definitions. We follow the notation of [5]. From now on, the notation  ←$ X means that  is randomly chosen from the set X using the uniform distribution. We denote by U_n the uniform distribution over {0, 1}^n. We follow the definition of a digital signature scheme DSS = (Kg, Sign, Vf) in [5]. Let DSS(1^n) denote a signature scheme with security parameter 1^n. We also adopt the definitions of the EU-CMA security of DSS(1^n) and Succ^{EU-CMA}_{DSS(1^n)}(A) from [5]. Using these, we define EU-CMA in the following way.
Definition 1 (EU-CMA [5]). Let DSS(1^n) be a digital signature scheme with security parameter 1^n. DSS(1^n) is (, , )-existentially unforgeable under an adaptive chosen message attack if InSec^{EU-CMA}(DSS(1^n); , ), the maximum success probability of all possibly probabilistic -time adversaries A making at most  queries to Sign in the above experiment, is at most .
WSS-N uses a family of functions F_n : { _k : {0, 1}^n → {0, 1}^n | k ∈ K_n } with key space K_n. It can be viewed as a noncompressing cryptographic hash function family. Using F_n, we define the following chaining function.
Throughout the paper, we measure all runtimes by counting the number of evaluations of elements of F_n. In what follows, we use the (distinguishing) advantage of an adversary [5].
Functions [5]. We use three properties of families of functions. The first two are the one-wayness and the second preimage resistance of the family F_n; the success probabilities of adversaries against them are defined as Succ^{OW}_{F_n}(A) and Succ^{SPR}_{F_n}(A) [5]. To define the third property, undetectability, consider the two distributions, D_{UD,U} and The advantage of an adversary A against the undetectability of F_n is as follows: Using this, we define undetectability as follows.
Definition 2 (undetectability (UD) [5]). Let n ∈ N and let F_n be a family of functions as described above. F_n is undetectable if the advantage of any -time adversary A against the undetectability of F_n is at most :
Now we provide some more notation and formal definitions regarding the NAF. First, we give the formal definition of the NAF and related definitions that are useful for describing our results.
Definition 3. Let  be an integer. A signed binary representation of  is an equation of the form  = ∑_{i=0}^{l−1} _i 2^i, where _i ∈ {0, 1, −1} for all i. A signed binary representation (_{l−1}, . . ., _0) of an integer  is said to be in nonadjacent form if no two consecutive _i are nonzero. Such a representation is called a NAF representation.
Note that the NAF representation of an integer is unique. The functions defined in the following definition give an order on _n.
Definition 6. We define five functions on _n which give orders on _n.

Properties of the NAF
In this section, we give some properties of the NAF.They will have a crucial role in analyzing the efficiency of WSS-N.
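As an added example, not code from the paper or its supplementary materials, the following Python computes the NAF of Definition 3, checks the nonadjacency condition, and enumerates all length-w NAF strings, confirming that their count equals the closed form (2^{w+2} − (−1)^w)/3 that the proof of Lemma 11 uses. The function names and the nonzero-digit histogram are my own choices; the paper's orderings on NAF strings (Definition 6) are not reproduced.

```python
# Added example (not from the paper): the nonadjacent form of Definition 3,
# and the count of length-w NAF strings used in the proof of Lemma 11.
from itertools import product


def naf(x):
    """NAF digits of a non-negative integer x, least significant digit first.

    Standard construction: when x is odd, choose d in {1, -1} with d = 2 - (x mod 4),
    so that x - d is divisible by 4 and the next digit is forced to be 0; when x is
    even, d = 0. Then continue with (x - d) // 2. The result never has two adjacent
    nonzero digits, and it is the unique such representation of x.
    """
    digits = []
    while x > 0:
        d = 2 - (x & 3) if x & 1 else 0   # x = 1 mod 4 -> 1, x = 3 mod 4 -> -1, even -> 0
        digits.append(d)
        x = (x - d) // 2
    return digits


def is_naf(digits):
    """Definition 3: digits in {0, 1, -1} and no two consecutive digits both nonzero."""
    in_alphabet = all(d in (0, 1, -1) for d in digits)
    nonadjacent = all(not (a and b) for a, b in zip(digits, digits[1:]))
    return in_alphabet and nonadjacent


def value(digits):
    """Evaluate sum_i digits[i] * 2^i (digits least significant first)."""
    return sum(d * (1 << i) for i, d in enumerate(digits))


def naf_strings(w):
    """All NAF strings of exactly w signed digits (leading zeros allowed)."""
    return [s for s in product((0, 1, -1), repeat=w) if is_naf(s)]


def naf_count_closed_form(w):
    """Closed form (2^(w+2) - (-1)^w) / 3 for the number of length-w NAF strings;
    the same expression appears in the proof of Lemma 11."""
    return (2 ** (w + 2) - (-1) ** w) // 3


def nonzero_digit_histogram(w):
    """For every w-bit block value, count the nonzero NAF digits: one way to see that
    the NAF of a uniformly random block is not spread uniformly over digit patterns."""
    hist = {}
    for b in range(2 ** w):
        k = sum(1 for d in naf(b) if d != 0)
        hist[k] = hist.get(k, 0) + 1
    return hist


if __name__ == "__main__":
    print("NAF(15), most significant first:", naf(15)[::-1])   # 16 - 1
    for w in range(1, 7):
        assert len(naf_strings(w)) == naf_count_closed_form(w)
    print("nonzero-digit histogram for 4-bit blocks:", nonzero_digit_histogram(4))
```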

Winternitz Signature Scheme Using the NAF
In this section, we propose WSS-N, a Winternitz signature scheme that uses the NAF representation. WSS-N is parameterized by the security parameter n ∈ N, the message length , and the Winternitz parameter 1 < w ∈ N. Algorithms 1-3 describe the key generation, signature generation, and signature verification algorithms of WSS-N. Note that distinct messages yield distinct _i values and that the checksum guarantees that, given  = (_1, . . ., _{t_W}) corresponding to one message and ′ = (′_1, . . ., ′_{t_W}) corresponding to another message, there is at least one 1 ≤ i ≤ t_W such that ′_i < _i.
The following theorem shows that WSS-N is existentially unforgeable under chosen message attacks, provided that a second preimage-resistant and undetectable one-way function family is used.
Proof. It may be proven in much the same way as Theorem 1 in [5]. The only difference is that the heights of the chains used to compute the public keys of WSS-N and of W-OTS+ [5] differ. Since the heights of the chains in WSS-N are not constant, the proof becomes somewhat more complicated. However, the main idea of the proof does not change. For the detailed proof, we refer the reader to Appendix B.
Remark 10. The length of the signatures of WSS-N can be reduced by using a secure pseudorandom generator. For example, a 2-bit seed of a secret key can be used to generate the _W-bit secret key using a pseudorandom generator based on AES in counter mode. Naturally, the length of the signatures of WSS-B can be reduced in a similar way.

Comparisons
In this section, we compare the Winternitz signature using the NAF with that using the binary representation. When n ∈ N is the security parameter,  ∈ N is the message length, and 1 < w ∈ N is the Winternitz parameter, let WSS-N(1^n, , ) and WSS-B(1^n, , ) denote the Winternitz signatures using the NAF and the binary representation, respectively. We compare WSS-N with WSS-B in terms of efficiency.
Algorithm 3 (signature verification of WSS-N). Input: message , signature  and public key pk. Output: valid or invalid. 1. compute  as in Sign. if , for all  = 1 and ⌈/⌉ <  ≤ t_W; (_i, r_{b+1, N(w)−1}), for all 1 <  ≤ ⌈/⌉ then return valid, else return invalid.
First, we compare the number of hash function calls needed to generate a WSS-N signature and a WSS-B signature. We show that WSS-N(1^n, , ) needs fewer hash function calls than WSS-B(1^n, , ) to generate a signature when  ≥ 15 and w ≥ 2. For ease of analysis, we only consider the case where w divides  in this section.
Before counting the number of hash function calls needed in the signature generation steps, we give a lemma concerning the lengths of the count fields.
Lemma 11. Let n be the security parameter, let  be the message length, and let w be the bit length of a block, the Winternitz parameter, and suppose that w divides . The difference between the block length of the count field of WSS-B(1^n, , ) and that of WSS-N(1^n, , ) is at most 1 when w ≥ 2.
Proof. The block length of the count field of WSS-B(1^n, , ) is And the block length of the count field of WSS-N(1^n, , ) is Thus, it is enough to show that log It is equivalent to Because () − 1 = (2^{w+2} − (−1)^w)/3 ≤ 2^{w+1} − 2 when w ≥ 2, we can see that when w ≥ 2. This completes the proof.
Now we count the number of hash function calls needed in the signature generation steps of the Winternitz signature schemes using the binary representation and the NAF representation.
The first and second terms correspond to the number of hash function calls needed for the message and count fields, respectively. Next, we compute the same quantity for WSS-N(1^n, , ).
The first six terms and the last term correspond to the number of hash calls needed for the message and count fields, respectively. Applying Lemma 11 yields We shall have established the theorem if we prove that the right-hand side of the above inequality is greater than or equal to 0 when  ≥ 15 and w ≥ 2. The right-hand side can be rewritten as Because  ≥ 15 and w ≥ 2, we can show that the right-hand side is greater than or equal to 0. This finishes the proof; the detailed verification that the right-hand side is nonnegative is left to the reader.
We proceed to count the number of hash function calls needed in the key generation steps of WSS-B(1^n, , ) and WSS-N(1^n, , ). It is easily seen that hash function calls are needed to generate a WSS-B(1^n, , ) key pair. Similarly, hash function calls are needed to generate a WSS-N(1^n, , ) key pair. What is left is to count the number of hash function calls required to verify a WSS-B(1^n, , ) signature and a WSS-N(1^n, , ) signature. An analysis similar to that in the proof of Theorem 12 shows that hash function calls are needed to verify a WSS-B(1^n, , ) signature. Similarly, we obtain that hash function calls are needed to verify a WSS-N(1^n, , ) signature. Now, we give the concrete result of the efficiency analysis (Table 1), which compares WSS-N(1^256, 4, 256) and WSS-B(1^256, 4, 256). The numbers in the public key, secret key, and signature columns are byte lengths, and those in the key generation, signature generation, and signature verification columns are numbers of hash function calls. Additionally, the numbers marked with a dagger are average values. Table 1 shows that the number of hash function calls to generate a Winternitz signature is reduced by about 8% when using the NAF representation compared with the binary representation. However, generating a key pair and verifying a signature need more hash function calls with the NAF than with the binary representation.
Remark 13. WSS-N needs fewer hash function calls than WSS-B when generating a signature. By choosing other orders on _w, one can make the Winternitz signature scheme need fewer hash function calls when verifying a signature. However, we do not cover this feature in this paper.

Benchmarks and Comparison
In this section, we provide benchmarking results for WSS-N and WSS-B. Concretely, we implement WSS-N(1^256, 4, 256) and WSS-B(1^256, 4, 256) and compare their software performance. The specific parameters and functions are summarized in Table 2. We use the SHA-256 implementation of OpenSSL [9].
Table 3 shows the implementation results for WSS-N and WSS-B. It gives the average clock cycle counts over 1,000,000 runs for key generation, signing, and verification. All results in Table 3 were obtained on an Intel Core i7-6700 running at 3.40 GHz. We used the compiler gcc-5.4.0 with the options "-O3", "-march=broadwell", and "-mtune=generic" to compile our C program.
We can see that WSS-N generates signatures about 8% faster than WSS-B on a general desktop computer. However, the key generation and signature verification of WSS-N are slower than those of WSS-B, as expected. The source code that benchmarks WSS-N and WSS-B can be found in the supplementary materials.

Conclusions
In this paper, we proposed WSS-N, a hash-based signature using the NAF. It is existentially unforgeable under chosen message attacks in the standard model, and we proved that WSS-N requires fewer hash function calls than WSS-B when generating a signature on average. In a concrete example, WSS-N(1^256, 4, 256) makes the signature generation time 8% shorter than that of WSS-B(1^256, 4, 256). We also gave benchmarking results on a regular desktop computer, which show that the signature generation of WSS-N can be implemented faster than that of WSS-B. However, it takes longer to generate the keys and verify the signatures.
WSS-N is the first hash-based signature that uses a numeral system other than the binary representation. Applying the NAF to hash-based signatures involves trade-offs between the key generation time, the signature generation time, and the signature verification time. It would be interesting to determine what other trade-offs occur when applying numeral systems other than the binary representation and the NAF.

A. Proof of Theorem 8
In this section, we give the proof of Theorem 8.
Input: security parameter n, function key k, one-way challenge _c and second preimage resistance challenge _c. Output: a value that is either a preimage of _c or a second preimage for _c under _k, or fail.
1. run Kg(1^n) to generate a WSS-N(1^n, , ) key pair (sk, pk).
7. run A^{Sign(sk,·)}(pk′).
8. if A^{Sign(sk,·)}(pk′) queries Sign with a message  then
a. compute  as in Algorithm 2.
b. if _α <  then return fail.
c. generate a signature of  of :

B. Security Proof of WSS-N
In this section, we give the proof of Theorem 9. It can be proven in much the same way as [5].
First, M^A obtains a key pair (sk, pk) by running the WSS-N(1^n, , ) Kg (Line 1). Then, M^A selects the positions to

Figure 1: The number of blocks by the number of hash function calls when WSS-B and WSS-N, each having a hashed message length of 256 bits and a block length of 4 bits, generate a signature.

Table 1: Efficiency analyses of the Winternitz signatures.

Table 2: Implementation parameters and functions.

Table 3: Benchmarking on a desktop computer.