| Notation | Meaning |
|---|---|
| \(n\in\mathbb{Z}^+\) | security parameter as a positive integer |
| \(f: \{0,1\}^n\rightarrow \{0,1\}^n\) | one way function, implemented as SHA3 |
| \(f^m(x)=f(f(\cdots(f(x)\cdots)))\) | applying \(f(\cdot)\) to \(x\) \(m\) times |
| \(g: \{0,1\}^*\rightarrow \{0,1\}^n\) | cryptographic hash function, implemented as SHA3 |
| \(w\) | width (in bits) of the Winternitz parameter; it's a member of the set \(\{2,4\}\) |
| \(\ell_1\) | \(\lceil 8n/w\rceil\) |
| \(\ell_2\) | \(\lfloor\log_2(\ell_1(2^w-1))/w\rfloor+1\) |
| \(\ell\) | \(\ell_1+\ell_2\) |
| \(H\in\mathbb{N}\) | number of docs to sign is \(2^H\) with \(H\geq 2\) |
| \(M\) | document/message to sign |
| \(d=g(M)=d_{n-1}\Vert\dots\Vert d_0\) | digest of message \(M\) evaluated by \(g(\cdot)\), where \(d_i\in\{0,1\}\) denotes the \(i\)-th bit of \(d\) counting from right to left |
| \(\nu_{i,j}\) | the digest of the \(j\)-th node at height \(i\in\{0,1,\dots,H\}\) |
| \(\sigma=(\sigma_{n-1},\dots,\sigma_0)\) | signature, where \(\sigma_i\) denotes the \(i\)-th component generated by the corresponding secret key |