Winternitz one-time signature (WOTS)
A Winternitz one-time signature (WOTS) is a hash-based signature that can safely sign only one message per key pair. The private key is a set of random strings; the public key comes from applying a hash function to each string a fixed number of times. To sign, the signer discloses each secret string hashed a number of times determined by the message digest, and the verifier finishes the remaining hash steps and compares the result against the public key. The Winternitz parameter w trades signature size against the number of hash calls.
Role in larger schemes
WOTS cannot be used alone, because signing a second message with the same key exposes secret values and enables forgeries. Instead many WOTS key pairs form the leaves of a Merkle tree whose single root serves as a long-lived public key. This is how the stateful scheme XMSS and the stateless standard SLH-DSA (SPHINCS+) authenticate their one-time keys. Both use the hardened WOTS+ variant, which mixes bitmask and address inputs into the hash chains to resist multi-target and generic attacks. Because security rests only on the hash function, WOTS is believed to resist quantum attackers.
Sources
Cite this entry
"Winternitz one-time signature (WOTS)." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/wots@misc{pqwiki-wots,
title = {Winternitz one-time signature (WOTS)},
howpublished = {\url{https://postquantum.wiki/wots}},
year = {2026},
note = {postquantum.wiki, updated 2026-07-11}
}