Documentation
Overview
Package winternitz implements the Winternitz one-time signature scheme using the Blake2b-256 hash function and a Winternitz compression parameter w of 256.
Secret keys are one-time use. A secret key must not sign more than one message.
Hash-based signature schemes are of particular interest and importance due to the belief that they are resistant against quantum computing attacks. Unlike RSA and ECDSA, hash-based signatures do not depend on number-theoretic problems such as integer factoring or the discrete logarithm problem (which a quantum computer running Shor's algorithm can solve in polynomial time) being computationally hard; their security rests only on the properties of the underlying hash function.
This package has not received an independent security audit.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
func GenerateKey
func GenerateKey(rand io.Reader) (fp *Fingerprint, sk *SecretKey, err error)
GenerateKey derives a public and secret key, reading cryptographically secure randomness from rand.
Types
type Fingerprint
type Fingerprint [32]byte
Fingerprint is a Blake2b-256 hash of a 1088-byte public key.
Verifying a valid signed message results in the recovery of the 1088-byte public key from the signature. When verifying, the recovered public key is hashed with Blake2b-256 and compared to the fingerprint to determine signature validity.
type SecretKey
type SecretKey [32]byte
SecretKey is a seed for creating the initial hash list of a Lamport signature with Winternitz compression. Using a ChaCha20 CSPRNG, it is expanded into 34 secret seeds (32 values, one for each byte of the message hash, plus 2 extra values for signing the 2 checksum bytes). Each seed is hashed with Blake2b-256 255 times, giving 256 hash lists of 34 values each, where list j holds the j-th iterated hash of every seed. The final hash list (j = 255) is the full 1088-byte public key.
type Signature
type Signature [1088]byte // 34 * 32
Signature is a proof that the possessor of the associated secret key for some public key has digitally signed a message, proving the authenticity of the message contents.
Signature is constructed as the concatenation of 34 32-byte values, one for each byte of the message hash and checksum, each taken from the hash list indexed by that byte's value.
Because Signature comprises values from the expanded secret key hash lists, and message verification reveals the positions of these secrets in the hash lists, signing multiple messages with the same secret key is prohibited. Doing so destroys the security of this signature scheme by revealing preimages that allow forging signatures of other messages.
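The following is an added, self-contained model of the construction described in the SecretKey and Signature sections (w = 256, 34 chains, 1088-byte public key, Blake2b-256 fingerprint) together with a guard for the one-message rule. It is illustrative code, not the winternitz package's own implementation, and it departs from the package in two assumed details: the 34 chain seeds are derived with domain-separated Blake2b-256 rather than a ChaCha20 CSPRNG, and the checksum is taken to be the standard Winternitz sum of (255 - byte) over the 32 digest bytes, encoded big-endian, since the page states only that 2 checksum bytes are signed. All function names (generate_key, sign, verify, OneTimeSigner) are this example's own.

```python
"""Standalone model of the Winternitz OTS described above (w = 256, Blake2b-256).

Added illustration, not the winternitz package's code. Assumed details:
  * chain seeds come from salted, personalised Blake2b-256 (package: ChaCha20);
  * checksum = sum(255 - b) over the 32 digest bytes, big-endian.
"""
import hashlib
import hmac
import secrets

W = 256                          # Winternitz parameter: 256 values per hash chain
MSG_BYTES = 32                   # Blake2b-256 message digest
CHK_BYTES = 2                    # checksum bytes
CHAINS = MSG_BYTES + CHK_BYTES   # 34 chains
HASH_LEN = 32
PK_LEN = CHAINS * HASH_LEN       # 1088-byte public key


def h(data: bytes) -> bytes:
    """Blake2b-256."""
    return hashlib.blake2b(data, digest_size=HASH_LEN).digest()


def chain(x: bytes, steps: int) -> bytes:
    """Apply h() `steps` times: walk forward along one hash chain."""
    for _ in range(steps):
        x = h(x)
    return x


def expand_seed(sk: bytes) -> list:
    """Derive the 34 chain seeds from the 32-byte secret key.
    Assumption: the package uses ChaCha20 here; this uses Blake2b-256 with a
    fixed personalisation and the chain index as salt."""
    return [
        hashlib.blake2b(sk, digest_size=HASH_LEN, person=b"wots-w256-seed",
                        salt=i.to_bytes(16, "big")).digest()
        for i in range(CHAINS)
    ]


def generate_key(rand=secrets.token_bytes):
    """Return (fingerprint, secret_key). Public key = last value of every chain."""
    sk = rand(HASH_LEN)
    pk = b"".join(chain(s, W - 1) for s in expand_seed(sk))
    return h(pk), sk


def digits(message: bytes) -> list:
    """The 34 chain indices to sign: 32 digest bytes + 2-byte checksum.
    Checksum (assumed, standard WOTS): sum(255 - b). Raising any digest byte,
    which a signature does allow, lowers the checksum, and that would require
    walking a checksum chain backwards, i.e. finding a preimage."""
    md = h(message)
    csum = sum(W - 1 - b for b in md)            # at most 32 * 255 = 8160 < 2**16
    return list(md) + list(csum.to_bytes(CHK_BYTES, "big"))


def sign(sk: bytes, message: bytes) -> bytes:
    """Signature = concatenation of chain_i[d_i] for each digit d_i."""
    seeds = expand_seed(sk)
    return b"".join(chain(seeds[i], d) for i, d in enumerate(digits(message)))


def recover_public_key(signature: bytes, message: bytes) -> bytes:
    """Finish each chain: chain_i[255] = h^(255 - d_i)(signature_i)."""
    if len(signature) != PK_LEN:
        raise ValueError("signature must be %d bytes" % PK_LEN)
    parts = []
    for i, d in enumerate(digits(message)):
        part = signature[i * HASH_LEN:(i + 1) * HASH_LEN]
        parts.append(chain(part, W - 1 - d))
    return b"".join(parts)


def verify(fingerprint: bytes, signature: bytes, message: bytes) -> bool:
    """Recover the 1088-byte public key; compare its Blake2b-256 to the fingerprint."""
    try:
        pk = recover_public_key(signature, message)
    except ValueError:
        return False
    return hmac.compare_digest(h(pk), fingerprint)


class OneTimeSigner:
    """Enforces the one-message rule: a second sign() is refused, because two
    signatures reveal lower chain positions than either alone and together
    leak enough preimages to forge a signature on a third message."""

    def __init__(self, sk: bytes):
        self._sk = sk
        self.used = False

    def sign(self, message: bytes) -> bytes:
        if self.used:
            raise RuntimeError("secret key already used: a Winternitz key signs exactly one message")
        self.used = True
        return sign(self._sk, message)


if __name__ == "__main__":
    fp, sk = generate_key()
    signer = OneTimeSigner(sk)
    sig = signer.sign(b"hello")
    print(len(sig), verify(fp, sig, b"hello"), verify(fp, sig, b"hellp"))
```

Two points worth noting. verify never receives the public key: it rebuilds all 1088 bytes by finishing every chain from the signature and only then hashes and compares, which is why the Fingerprint type is all a verifier needs to hold. The OneTimeSigner guard is in-memory only; a real deployment must persist the used flag (or derive each key from a stateful tree) so that a restart cannot reuse a key.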