Re: [bitcoindev] One Time Signatures as an Advantage?

[Murch <murch@murch.one>]

One-time signature schemes are not well-suited for Bitcoin because they:

- cannot be used to participate in multi-user transaction (as another 
participant could fail the process and force a second signature)
- incur lost funds or lost keys upon address reuse (as every node would 
need to track every output script to prevent duplicates, and the 
recipient has no say in their output script being sent to another time)
- are incompatible with transaction replacement (zero-conf enthusiasts 
rejoice!)

  Murch

On 2026-05-20 10:41, Jason Resch wrote:
> NIST is standardizing SLH-DSA as a stateless, post-quantum-secure 
> hash-based signature scheme. However, to achieve the stateless feature 
> of being able to sign multiple messages, requires a significant size 
> overhead.
>
> SLH-DSA (for parameters n=16, w=16) results in signatures that are 
> 7,888 bytes long.
>
> However, if statelessness isn't required, and this can be reduced to 
> 900 bytes for something like XMSS using the same parameters.
>
> Furthermore, if multiple signings per key are dropped as a 
> requirement, and "one time signatures" are used (e.g. WOTS+) then this 
> size reduces further to 560 bytes.
>
> This is a ~14× reduction in signature size for a feature that Bitcoin 
> transactions not only don't need, but are strongly discouraged if not 
> harmful. Using the same key more than once is only required if one is 
> reusing the same address (discouraged), or if one is attempting some 
> kind of double-spend attack.
>
> This could be seen as a sort of advantage: if one attempts to 
> double-spend, they may expose their private key. This same property 
> was an element of Chaum's digital cash: attempting to double-spend 
> exposed you.
>
> Is there any advocacy for NIST to standardize stateful or one-time-use 
> signature algorithms? They seem well-suited to the block-chain use 
> case, where there is always global and persistent state, and keys 
> ought not be re-used. Though this needs to be carefully managed by 
> wallet software: to only expose a one-time-use address to handle a 
> single transaction with a single payer, and never use a OTS address 
> for any kind of public-facing or long-term donation address. Perhaps 
> this complication makes OTS not worth introducing generally, but their 
> space saving properties are attractive.
>
> Jason
> -- 
> You received this message because you are subscribed to the Google 
> Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send 
> an email to bitcoindev+unsubscribe@googlegroups.com.
> To view this discussion visit 
> https://groups.google.com/d/msgid/bitcoindev/d3648bd4-03d3-4b98-92bf-d845302be349n%40googlegroups.com 
> <https://groups.google.com/d/msgid/bitcoindev/d3648bd4-03d3-4b98-92bf-d845302be349n%40googlegroups.com?utm_medium=email&utm_source=footer>.

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/ec83d322-c7e7-4d12-a1ac-2768db4515a3%40murch.one.