One Time Signatures as an Advantage?

The National Institute of Standards and Technology (NIST) is currently in the process of standardizing SLH-DSA, a hash-based signature scheme that boasts post-quantum security. A notable feature of SLH-DSA is its ability to sign multiple messages without maintaining state; however, this capability comes with an increased signature size, resulting in signatures that are 7,888 bytes long for parameters n=16 and w=16. In contrast, when statelessness is not a requirement, using XMSS with the same parameters can significantly decrease the signature size to just 900 bytes.

Further size reductions can be achieved by using "one-time signatures" like WOTS+, which bring down the size to 560 bytes. This represents approximately a 14-fold decrease in signature size. The use of such one-time signatures aligns with the best practices within Bitcoin transactions, where reusing keys or addresses is discouraged and considered potentially harmful. This approach also includes a security feature where attempting a double-spend could lead to the exposure of the user's private key, echoing a principle from Chaum's digital cash system.

There is ongoing discussion about whether NIST should focus on standardizing stateful or one-time-use signature algorithms. These types of algorithms are particularly apt for blockchain applications, which inherently operate within a global and persistent state context and do not typically require address reuse. However, integrating one-time-use algorithms into wallet software requires careful management to ensure that each address is used only once for a single transaction and is not reused for public or long-term purposes. Despite the complexity this might introduce, the substantial reduction in signature size makes these algorithms an attractive option for specific use cases.