HBSS: (simple) Hash-Based Stateless Signatures – Hash All the Way to the Rescue!

One-time signatures (originated by Lamport) and their extensions to many signatures has gained recent momentum with the need for Post-Quantum secure signing since they are essentially based on standard hash (one-way) functions (rather than number theoretic assumptions). Such signatures, to date, have been based on an array of commitments that are de-committed (private key/preimage revealed) only based on bits of a representation of the hashed message signed, and their stateless versions have been based on pseudorandom functions. In this work, a new approach to the above is presented, based on probabilistic “set membership data structure,” which in turn is based on hash functions. A signature based on hash access to a suitably long array, where k hash functions which are independent are used for each message to tag an index in the array. The above access is similar to the access performed in Bloom filters. The resulting signature scheme is stateless and can be tuned to support any given upper-bound number of signatures (by tuning the array’s length). The central idea is that a de-committed array is only partially loaded with de-commitments to be valid, a fact that assures correctness (signed message is validated), soundness (unsigned message is not fully validated), and unforgeability of the signature (an attempt to forge a signature is reduced to decommitment without access to the private key/decommited preimage). Constructions that are based on enhancing a one-time or bounded-message construction (such as the Naor-Yung extension from bounded messages to regular signatures) are valid for the new Hash-Based Stateless Signature (HBSS).