One-time signature schemes are not well-suited for Bitcoin because they:
- cannot be used to participate in multi-user transaction (as another
participant could fail the process and force a second signature)
- incur lost funds or lost keys upon address reuse (as every node would
need to track every output script to prevent duplicates, and the
recipient has no say in their output script being sent to another time)
- are incompatible with transaction replacement (zero-conf enthusiasts
rejoice!)
Murch
On 2026-05-20 10:41, Jason Resch wrote:
NIST is standardizing SLH-DSA as a stateless, post-quantum-secure
hash-based signature scheme. However, to achieve the stateless feature
of being able to sign multiple messages, requires a significant size
overhead.
SLH-DSA (for parameters n=16, w=16) results in signatures that are
7,888 bytes long.
However, if statelessness isn't required, and this can be reduced to
900 bytes for something like XMSS using the same parameters.
Furthermore, if multiple signings per key are dropped as a
requirement, and "one time signatures" are used (e.g. WOTS+) then this
size reduces further to 560 bytes.
This is a ~14× reduction in signature size for a feature that Bitcoin
transactions not only don't need, but are strongly discouraged if not
harmful. Using the same key more than once is only required if one is
reusing the same address (discouraged), or if one is attempting some
kind of double-spend attack.
This could be seen as a sort of advantage: if one attempts to
double-spend, they may expose their private key. This same property
was an element of Chaum's digital cash: attempting to double-spend
exposed you.
Is there any advocacy for NIST to standardize stateful or one-time-use
signature algorithms? They seem well-suited to the block-chain use
case, where there is always global and persistent state, and keys
ought not be re-used. Though this needs to be carefully managed by
wallet software: to only expose a one-time-use address to handle a
single transaction with a single payer, and never use a OTS address
for any kind of public-facing or long-term donation address. Perhaps
this complication makes OTS not worth introducing generally, but their
space saving properties are attractive.
Jason
--
You received this message because you are subscribed to the Google
Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
To view this discussion visit
https://groups.google.com/d/msgid/bitcoindev/d3648bd4-03d3-4b98-92bf-d845302be349n%40googlegroups.com
<https://groups.google.com/d/msgid/bitcoindev/d3648bd4-03d3-4b98-92bf-d845302be349n%40googlegroups.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google Groups "Bitcoin
Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/d/msgid/bitcoindev/ec83d322-c7e7-4d12-a1ac-2768db4515a3%40murch.one.
