Winternitz one-time signature (WOTS)

A Winternitz one-time signature (WOTS) is a hash-based signature that can safely sign only one message per key pair. The private key is a set of random strings; the public key comes from applying a hash function to each string a fixed number of times. To sign, the signer discloses each secret string hashed a number of times determined by the message digest, and the verifier finishes the remaining hash steps and compares the result against the public key. The Winternitz parameter w trades signature size against the number of hash calls.

Role in larger schemes

WOTS cannot be used alone, because signing a second message with the same key exposes secret values and enables forgeries. Instead many WOTS key pairs form the leaves of a Merkle tree whose single root serves as a long-lived public key. This is how the stateful scheme XMSS and the stateless standard SLH-DSA (SPHINCS+) authenticate their one-time keys. Both use the hardened WOTS+ variant, which mixes bitmask and address inputs into the hash chains to resist multi-target and generic attacks. Because security rests only on the hash function, WOTS is believed to resist quantum attackers.

Sources

  1. RFC 8391: XMSS: eXtended Merkle Signature Scheme (IETF, 2018)
  2. FIPS 205, Stateless Hash-Based Digital Signature Standard (NIST, 2024)
Cite this entry
"Winternitz one-time signature (WOTS)." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/wots@misc{pqwiki-wots, title = {Winternitz one-time signature (WOTS)}, howpublished = {\url{https://postquantum.wiki/wots}}, year = {2026}, note = {postquantum.wiki, updated 2026-07-11} }