CHAPTER 3 Families of Post-quantum Schemes 33 t0,0 t1,0 t1,1 t2,0 t2,1 t2,2 t2,3 h0,0 h0,1 r 0,0 r 0,1 Public Private h1,0 h1,1 h2,0 h2,1 h3,0 h3,1 r 1,0 r 1,1 r 2,0 r 2,1 r 3,0 r 3,1 Figure 3.3: Example of a many-time signature scheme for single-bit messages. The public key of Alice is the root t0,0 of the tree. The first component of the private key (r0,0, r0,1) has already been used and must not be used again. For signing the next message »false«, Alice publishes the private key component r1,0 of her second private key pair and the verification path {h1,1, t2,0, t1,1}. Bob can verify the message »false« by first hashing r1,0 in order to obtain h1,0. Now, he can follow the verification path by computing 2,1 = hash(ℎ1,0, ℎ1,1) and 1,0 = hash(2,0, 2,1) until he reaches the public key 0,0 = hash(1,0, 1,1). Since only Alice knows all secret r-values, only she can have initially computed her public key t0,0. For signature schemes that allow to sign longer messages than just single-bit messages, the private key values can be replaced by hash chains.
PQC_for_Dummies
To see the actual publication please follow the link above