HORSIC+: An Efficient Post-Quantum Few-Time Signature Scheme

It is well known that conventional digital signature algorithms such as RSA and ECDSA are vulnerable to quantum computing attacks. Hash-based signature schemes are attractive as post-quantum signature schemes in that it is possible to calculate the quantitative security level and the security is proven. SPHINCS is a stateless hash-based signature scheme and introduces HORST few-time signature scheme which is an improvement of HORS. However, HORST as well as HORS suffers from pretty large signature sizes. HORSIC is proposed to reduce the signature size, yet does not provide in-depth security analysis. In this paper, we propose HORSIC+, which is an improvement of HORSIC. HORSIC+ differs from HORSIC in that HORSIC+ does not apply f as a plain function to the signature key, but uses a member of a function family. In addition, HORSIC+ uses the chaining function similar to W-OTS+. These enable the strict security proof without the need for the used function family to be a permutation or collision resistant. HORSIC+ is existentially unforgeable under chosen message attacks, assuming a second-preimage resistant family of undetectable one-way functions and cryptographic hash functions in the random oracle model. HORSIC+ reduces the signature size by as much as 37.5% or 18.75% compared to HORS and by as much as 61.5% or 45.8% compared to HORST for the same security level.


Introduction
Nowadays, digital signatures are widely used in various security applications to provide authentication, integrity, and non-repudiation. RSA [1] and ECDSA [2] are two of the most widely used digital signature schemes. The security of RSA and ECDSA is based on the difficulty of factoring and computing discrete logarithms, respectively. However, in 1994, Shor proposed a polynomial-time quantum algorithm for integer factorization and discrete logarithm problems [3]. If a large-scale quantum computer is built, RSA and ECDSA cannot be used anymore. Thus, alternative digital signature schemes which are resilient to attacks by quantum computers are needed. Such schemes are called post-quantum cryptography [4,5].
Various post-quantum signature schemes such as lattice-based [6], multivariate [7], code-based [8], and hash-based have been studied. Lattice-based signature schemes are relatively fast with a reasonably small signature size. However, it is difficult to calculate the quantitative security level and the security is not proven against quantum adversaries. Multivariate signature schemes are relatively fast with an extremely small signature size. However, it is also difficult to estimate the security of multivariate signature schemes against quantum attacks. Code-based signature schemes have a reasonably small signature size and it is possible to calculate the quantitative security level to some extent. However, code-based signature schemes need too large keys to be secure against quantum attacks. Hash-based signature schemes receive a lot of attention in that it is possible to calculate the quantitative security level and the security is also proven [9]. Moreover, hash-based signature schemes are considered to be a good candidate for the security of IoT devices due to their simplicity of implementation and customization [10,11].
The hash-based signature schemes XMSS (eXtended Merkle Signature Scheme) [12] and SPHINCS [13] were introduced in 2011 and 2015, respectively. XMSS is stateful, meaning that the signer and the verifier have to maintain their own state information, while SPHINCS is stateless. SPHINCS introduces a few-time signature scheme named HORST (HORS with Trees). HORST is an improvement of a few-time signature scheme HORS (Hash to Obtain Random Subset) [14]. In the context of SPHINCS, each full signature should contain not only a HORST signature but also a HORST public key. HORST uses a Merkle tree to reduce the public key size to a single hash value. However, HORST as well as HORS suffers from pretty large signature sizes.
HORSIC (Hash to Obtain Random Subset and Integer Composition) [15] is a few-time signature scheme for broadcast authentication in wireless sensor networks. HORSIC reduces the signature size compared to HORS and HORST. Whereas HORS and HORST use only a cryptographic hash function H, making it infeasible to find two different messages that will produce the same k-element subset, HORSIC decreases the probability of forgery by using another cryptographic hash function G and a bijective function C_{k,z} as well as H to make it infeasible to find two different messages that will produce the same k-part integer composition as well as the same k-element subset. The security analysis of HORSIC is performed on the unrealistic assumption that it is impossible for an adversary to invert the one-way permutation f. In fact, the probability of inverting f is not zero, but negligible. The security analysis should consider the probability of inverting f. This paper proposes HORSIC+, an improvement of HORSIC. HORSIC+ differs from HORSIC in that HORSIC+ does not apply f as a plain function to the signature key, but uses a member of a function family which is second-preimage resistant, undetectable, and one-way. In addition, HORSIC+ uses the chaining function c^s(x, r) similar to W-OTS+ [16]. These enable the strict security proof without the need for the used function family to be a permutation or collision resistant. We prove HORSIC+ is existentially unforgeable under chosen message attacks, if the used function family is a second-preimage resistant family of undetectable one-way functions and H and G are cryptographic hash functions in the random oracle model. HORSIC+ reduces the signature size by as much as 37.5% or 18.75% compared to HORS and by as much as 61.5% or 45.8% compared to HORST for the same security level.
The rest of the paper is organized as follows. Section 2 introduces some preliminaries and presents two signature schemes that HORSIC+ is based on. Section 3 describes the details of the proposed scheme HORSIC+. Section 4 discusses the security of HORSIC+ including a comparison with HORS and HORST. Section 5 presents the conclusions.

Preliminaries and Related Works
In this section, we discuss two signature schemes that HORSIC+ is based on. One is the Winternitz one-time signature scheme (W-OTS) [17], and the other is HORSIC [15]. We begin by introducing some preliminaries and then describe W-OTS and HORSIC.

Preliminaries
We start this subsection with several definitions and notions related to digital signature schemes and function families [16,18,19]. From now on, we write x ←$ S if x is chosen uniformly at random from the finite set S. Let Dss(1^n) be a digital signature scheme with security parameter n. The standard definition of security for digital signature schemes is existential unforgeability under adaptive chosen message attack (EU-CMA). EU-CMA is defined using the following experiment.
Experiment be the query-answer pairs of Sign(X, ·).
The success probability of an adversary A in the above experiment can be written by:

Definition 2. Let n, T, q ∈ N and T, q = poly(n). A digital signature scheme Dss(1^n) is EU-CMA secure if the success probability of any adversary A running in time ≤ T and making at most q queries to the oracle Sign in the above experiment is negligible in n:

We then discuss several security properties for function families: preimage resistance (one-wayness, OW), second preimage resistance (SPR), collision resistance (CR), and undetectability (UD). Let n ∈ N be the security parameter and F_n = { f_κ : {0, 1}^n → {0, 1}^n | κ ∈ K } be a family of functions. The elements of K are called keys and each key κ specifies a particular function f_κ in the family F_n.

A function is preimage resistant (or one-way) if it is easy to compute but difficult to invert. The success probability of an adversary against the preimage resistance of F_n is

Definition 3. We call F_n preimage resistant (or one-way), if the success probability of any adversary A running in time ≤ T against the preimage resistance of F_n is negligible in n:

A function is second preimage resistant if, given some x in the domain, it is difficult to find some x' ≠ x that maps to the same value. The success probability of an adversary against the second preimage resistance of F_n is

Definition 4. We call F_n second preimage resistant, if the success probability of any adversary A running in time ≤ T against the second preimage resistance of F_n is negligible in n:

A function is collision resistant if it is hard to find any pair (x, x') in the domain that maps to the same value. The success probability of an adversary against the collision resistance of F_n is

Definition 5. We call F_n collision resistant, if the success probability of any adversary A running in time ≤ T against the collision resistance of F_n is negligible in n:

To define the undetectability property, we need to define the (distinguishing) advantage of an adversary.

Definition 6.
Let X and Y be two distributions. The advantage Adv_{X,Y}(A) of an adversary A in distinguishing between these two distributions is defined as

A function family is undetectable if no adversary can distinguish its outputs from uniformly random values. Consider two distributions D_{UD,U} and D_{UD,F_n} over {0, 1}^n × K. A sample (u, κ) from the first distribution D_{UD,U} is obtained by choosing u ←$ {0, 1}^n and κ ←$ K. A sample (u, κ) from the second distribution D_{UD,F_n} is obtained by choosing x ←$ {0, 1}^n and κ ←$ K, and then calculating u = f_κ(x). The advantage of an adversary against the undetectability of F_n is defined as the distinguishing advantage for these two distributions:

Definition 7. We call F_n undetectable, if the advantage of any adversary A running in time ≤ T against the undetectability of F_n is negligible in n:

Table 1 summarizes the best known generic attacks against different functions given different environments [20]. Using generic (brute-force) classical attacks, one requires Θ(2^n) evaluations of the function to compute preimages or second preimages. Because of the birthday paradox, one requires Θ(2^{n/2}) evaluations of the function to find a collision with probability greater than 1/2 [21]. Using generic quantum attacks such as Grover's algorithm [9], one requires Θ(2^{n/2}) evaluations of the function to compute preimages or second preimages and Θ(2^{n/3}) evaluations of the function to find a collision [22].

Table 1. Best known generic attacks against different functions [20].

             OW           SPR          CR
Classical    Θ(2^n)       Θ(2^n)       Θ(2^{n/2})
Quantum      Θ(2^{n/2})   Θ(2^{n/2})   Θ(2^{n/3})

Winternitz One-Time Signature Scheme (W-OTS)
In this subsection, we discuss W-OTS and its two variants, W-OTS$ and W-OTS+.

W-OTS
W-OTS produces much shorter signatures than the Lamport-Diffie one-time signature scheme [23] by iteratively applying a function on a secret key, where the number of iterations depends on the signed message [17]. W-OTS uses a one-way function.

Key generation: A Winternitz parameter w, which is the number of bits to be signed simultaneously, is chosen. In the following, we restrict the length of the message to be signed to m bits. It is straightforward to generalize to arbitrary sized messages by using a collision resistant hash function.
The signature key X consists of l bit strings of length n chosen uniformly at random, where l is computed as follows.
The chaining function c^s(x) for W-OTS is defined as follows.
The verification key Y is calculated by applying the chaining function to each x_i in the signature key 2^w − 1 times. Thus we have

Signature generation: A message M is split into l_1 bit strings of length w and each bit string is converted to an integer in base-w. So we have
where
Then the checksum C is calculated as follows.
The checksum C is converted to base w. The base-w representation of the checksum C is C = (c_1, c_2, . . . , c_{l_2}). The signature of M is computed as

Signature verification: For the verification of the signature σ = (σ_1, σ_2, . . . , σ_l), the base-w strings M = (m_1, m_2, . . . , m_{l_1}) and C = (c_1, c_2, . . . , c_{l_2}) are calculated as described above. Then we check if the values recomputed from σ equal (y_1, . . . , y_{l_1}, y_{l_1+1}, . . . , y_l). It is proved that W-OTS is strongly unforgeable under chosen message attacks if F_n is a collision resistant family of undetectable one-way functions [20].

W-OTS$
W-OTS$ differs from W-OTS in that W-OTS$ uses a family of pseudorandom functions instead of a one-way function [24]. The chaining function c^s(x) for W-OTS$ is defined as follows.
It is proved that W-OTS$ is existentially unforgeable under chosen message attacks if F_n is a pseudorandom function family [24].

W-OTS+
W-OTS+ uses a second preimage resistant family of undetectable one-way functions [16]. It uses bitmasks to replace the collision resistant one-way function families. The idea of using bitmasks comes from the "XOR tree" [25]. The chaining function c^s(x, r) for W-OTS+ is defined as follows.
where the bitmasks r consist of 2^w − 1 bit strings of length n chosen uniformly at random. It is proved that W-OTS+ is strongly unforgeable under chosen message attacks if F_n is a second preimage resistant family of undetectable one-way functions [16].

HORSIC
HORSIC [15] is basically an extension of HORS [14]. Whereas HORS uses only a cryptographic hash function H, making it infeasible to find two different messages that will produce the same k-element subset, HORSIC decreases the probability of forgery by using another cryptographic hash function G and a bijective function C_{k,z} as well as H to make it infeasible to find two different messages that will produce the same k-part integer composition as well as the same k-element subset.
Let f : {0, 1}^n → {0, 1}^n be a one-way permutation operating on n-bit strings. Let H and G be cryptographic hash functions in the random oracle model [26]. t, k, and z are security parameters. The public key size is linear in t, and the signature size is linear in k.
Algorithm 1 represents the key generation of HORSIC. It first generates t random n-bit numbers and then creates a one-way chain of length w for each n-bit number.

Algorithm 1: Key generation of HORSIC (Kg_HORSIC())
System Parameters: Parameters n, t, k, z, and w
Output: Signature key X and verification key Y

Algorithm 2 represents the signing of HORSIC. HORSIC uses a bijective function C_{k,z} and two cryptographic hash functions H and G. A cryptographic hash function H is used to map each message M to a k-element ordered subset (i_1, i_2, . . . , i_k) of a t-element set {1, 2, . . . , t}. A counter ctr is used to ensure that all i_j are distinct. A cryptographic hash function G and a bijective function C_{k,z} are used to map each message M to a k-part integer composition (a_1, a_2, . . . , a_k) of z.

Algorithm 2: Signing of HORSIC (Sign_HORSIC(X, M))
System Parameters: Parameters n, t, k, z, and w
Input: Signature key X and message M
Output: Signature σ
    . . . , h_k) of length log_2 t bits each
6:  Interpret each h_j as an integer i_j for all j ∈ {1, 2, . . . , k}
7:  if there exist p and q with p, q ∈ {1, 2, . . . , k} such that i_p = i_q and p ≠ q then
8:      ctr = ctr + 1 and go to Step 4
9:  Compute sig_j = f^{w−a_j}(x_{i_j}) for all j ∈ {1, 2, . . . , k}
10: return σ = (ctr, sig_1, sig_2, . . . , sig_k)

Algorithm 3 represents the verification of HORSIC. Each sig_j is verified by applying the one-way permutation a_j times and comparing it with the verification key.
        return "reject"
8:  if there exists j ∈ {1, 2, . . . , k} such that f^{a_j}(sig_j) ≠ y_{i_j} then
9:      return "reject"
10: return "accept"

The probability of a forgery for HORSIC is k!(k−1)!(z−k)! / (t^k (z−1)!) [15]. Note that it does not depend on the security parameter n. The security analysis of HORSIC is performed on the unrealistic assumption that it is impossible for an adversary to invert the one-way permutation f. In fact, the probability of inverting f is not zero, but negligible. The security analysis should consider the probability of inverting f. Moreover, HORSIC requires f to be a one-way permutation. Whereas one-way functions can be based on various assumptions, candidate one-way permutation families are remarkably rare [28].

The HORSIC+ Signature Scheme
In this section, we describe HORSIC+ focusing on the differences with HORSIC. Firstly, HORSIC+ does not apply f as a plain function to the signature key, but uses a member of a function family. Let F_n = { f_κ : {0, 1}^n → {0, 1}^n | κ ∈ K } be a family of functions which is second-preimage resistant, undetectable and one-way. The function key κ ←$ K specifies a particular function f_κ in the family F_n. The function key κ is chosen at random at key generation time and is the same for all function calls. In addition, HORSIC+ uses the chaining function c^s(x, r) similar to W-OTS+ [16]. It enables the strict security proof without the need for the used function family to be collision resistant.
where the bitmasks r are defined as
We denote r_{a,b} as the substring (r_a, . . . , r_b) of r. We also define r_{a,b} to be the empty string when a > b.

Algorithm 4: Implementation of the function C_{k,z}(g)
System Parameters: Parameters k and z where k ≤ z
Input: g where 0 ≤ g < (z−1 choose k−1)
Output: (a_1, a_2, . . . , a_k)
1: s = 0, r = k
2: for i = 1 to k − 2 do
3:     for j = 1 to z − r + 1 do
4:         if g < s + (z−1−j choose r−2) then
5:             a_i = j, r = r − 1, z = z − j

Algorithm 5 represents the key generation of HORSIC+. It first chooses t and w n-bit strings uniformly at random. The first t bit strings are used as the signature key and the remaining w bit strings are used as the bitmasks r = (r_1, r_2, . . . , r_w). Then it also chooses a function key κ ←$ K. The function key κ specifies a particular function f_κ in the family F_n. It is important to note that the verification key Y includes (κ, r) and is thus known to everybody.

Algorithm 5: Key generation of HORSIC+ (Kg_HORSIC+())
System Parameters: Parameters n, t, k, z, and w
Output: Signature key X and verification key Y
3: Choose κ ←$ K
4: Compute Y = (y_0, y_1, y_2, . . . , y_t) = ((κ, r), c^w(x_1, r), c^w(x_2, r), . . . , c^w(x_t, r))
5: return (X, Y)

Figure 1 and Algorithm 6 represent the signing of HORSIC+. HORSIC+ uses a bijective function C_{k,z} and two cryptographic hash functions H and G. A cryptographic hash function H is used to map each message M to a k-element ordered subset (i_1, i_2, . . . , i_k) of a t-element set {1, 2, . . . , t}. A counter ctr is used to ensure that all i_j are distinct. A cryptographic hash function G and a bijective function C_{k,z} are used to map each message M to a k-part integer composition (a_1, a_2, . . . , a_k) of z. Each sig_j is generated by applying the chaining function w − a_j times on x_{i_j}.
        return "reject"
8:  if there exists j ∈ {1, 2, . . . , k} such that c^{a_j}(sig_j, r_{w−a_j+1,w}) ≠ y_{i_j} then
9:      return "reject"
10: return "accept"
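The following Python is an added toy instantiation of HORSIC+ (not the authors' code) that exercises the bijection C_{k,z} of Algorithm 4 together with the key generation, signing and verification just described. Assumptions not fixed by the text above: n = 256 with f_κ(x) = SHA-256(κ ‖ x); H and G built from SHAKE256, with G's output reduced modulo (z−1 choose k−1); C_{k,z} implemented as lexicographic unranking of compositions (my own implementation, since Algorithm 4 is only partly reproduced above); the W-OTS+ chain c^0(x, r) = x, c^s(x, r) = f_κ(c^{s−1}(x, r) ⊕ r_s); and toy parameters t = 16, k = 4, w = 5, z = w + k − 1 = 8.

```python
# Added toy instantiation of HORSIC+ (not the paper's code). Assumptions: n = 256 bits,
# f_kappa(x) = SHA-256(kappa || x), H and G are SHAKE256 with domain separation, and the
# chaining function follows W-OTS+: c^0(x, r) = x, c^s(x, r) = f_kappa(c^{s-1}(x, r) XOR r_s).
import hashlib
import os
from math import comb

N_BYTES = 32                 # n = 256 bits
T, K, W = 16, 4, 5           # toy parameters: t = 16 (a power of two), k = 4, w = 5
Z = W + K - 1                # z = w + k - 1 guarantees every composition part a_j <= w
LOG_T = T.bit_length() - 1   # log2 t = 4 bits per index


def f(kappa, x):
    """Member f_kappa of the function family F_n (assumption: keyed SHA-256)."""
    return hashlib.sha256(kappa + x).digest()


def chain(kappa, x, masks, steps):
    """c^steps(x, masks): apply f_kappa `steps` times, XORing bitmask masks[s] before step s."""
    if len(masks) < steps:
        raise ValueError("not enough bitmasks for the requested chain length")
    for s in range(steps):
        x = f(kappa, bytes(a ^ b for a, b in zip(x, masks[s])))
    return x


def compose(g, k, z):
    """Bijection C_{k,z}: rank g in [0, C(z-1, k-1)) -> k-part composition of z (parts >= 1).
    Lexicographic unranking (my implementation, not the paper's Algorithm 4 verbatim)."""
    if not 0 <= g < comb(z - 1, k - 1):
        raise ValueError("rank out of range")
    parts = []
    for i in range(k - 1):
        remaining = k - i            # parts still to place, including a_{i+1}
        j = 1
        while True:
            # number of compositions of z - j into the remaining - 1 later parts
            count = comb(z - j - 1, remaining - 2)
            if g < count:
                break
            g -= count
            j += 1
        parts.append(j)
        z -= j
    parts.append(z)                  # the last part takes whatever is left
    return tuple(parts)


def subset(msg, ctr):
    """H(M | ctr) split into k substrings of log2 t bits, read as 0-based indices into X."""
    nbytes = (K * LOG_T + 7) // 8
    h = hashlib.shake_256(b"H" + ctr.to_bytes(4, "big") + msg).digest(nbytes)
    bits = int.from_bytes(h, "big")
    return [(bits >> (LOG_T * j)) & (T - 1) for j in range(K)]


def composition(msg):
    """C_{k,z}(G(M)); G's output is reduced modulo C(z-1, k-1) (assumption)."""
    g = int.from_bytes(hashlib.shake_256(b"G" + msg).digest(16), "big") % comb(Z - 1, K - 1)
    return compose(g, K, Z)


def keygen():
    """Algorithm 5: X = t random strings, bitmasks r_1..r_w, function key kappa, Y = full chains."""
    x = [os.urandom(N_BYTES) for _ in range(T)]
    r = [os.urandom(N_BYTES) for _ in range(W)]
    kappa = os.urandom(N_BYTES)
    y = [chain(kappa, xi, r, W) for xi in x]
    return x, (kappa, r, y)      # verification key Y = ((kappa, r), y_1, ..., y_t)


def sign(x, vk, msg):
    """Algorithm 6: find ctr giving k distinct indices, then sig_j = c^{w - a_j}(x_{i_j}, r)."""
    kappa, r, _ = vk
    ctr = 0
    while len(set(subset(msg, ctr))) != K:
        ctr += 1
    idx = subset(msg, ctr)
    sigs = [chain(kappa, x[i], r, W - aj) for i, aj in zip(idx, composition(msg))]
    return ctr, sigs


def verify(vk, msg, sig):
    """Algorithm 7: recompute indices and composition, continue each chain a_j more steps
    with bitmasks r_{w-a_j+1..w} and compare the result with y_{i_j}."""
    kappa, r, y = vk
    ctr, sigs = sig
    idx = subset(msg, ctr)
    if len(set(idx)) != K or len(sigs) != K:
        return False
    return all(chain(kappa, s, r[W - aj:], aj) == y[i]
               for i, aj, s in zip(idx, composition(msg), sigs))


def demo():
    """Sign one constructed message; return (genuine verifies, tampered message rejected)."""
    x, vk = keygen()
    msg = b"constructed sample message"
    sig = sign(x, vk, msg)
    return verify(vk, msg, sig), verify(vk, msg + b"!", sig)
```

Because the indices and the composition are recomputed from the message at verification time, a signature whose sig_j values are permuted does not verify for the same message; the permutation case in Appendix A concerns a different message that hashes to the permuted subset.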

Analysis
In this section, we analyze the security of HORSIC+ and calculate its security level. We also compare HORSIC+ with HORS and HORST for the same security levels.

Security Analysis
In this subsection, we analyze the security of HORSIC+. We prove HORSIC+ is existentially unforgeable under chosen message attacks, if the used function family F_n is a second-preimage resistant family of undetectable one-way functions and H and G are cryptographic hash functions in the random oracle model. Theorem 1 gives the following bound:

InSec^{EU-CMA}(HORSIC+(1^n, t, k, z, w); T, 1) ≤ max{ k!(k−1)!(z−k)! / (t^k (z−1)!), w · InSec^UD(F_n; T'') + wt · max{ InSec^OW(F_n; T'), w · InSec^SPR(F_n; T') } }   (30)

with the time T' = T + (t + 2k)w and T'' = T + (t + 2k + 1)w − 1.
Proof of Theorem 1. The proof is provided in Appendix A.

Security Level
In this subsection, we calculate the security level of HORSIC+ using Theorem 1. According to [29], HORSIC+ has security level b if a successful attack on HORSIC+ is expected to require 2^{b−1} evaluations of functions from F_n on average. The security level of HORSIC+ can be calculated by finding a lower bound for T such that 1/2 ≤ InSec^{EU-CMA}(HORSIC+(1^n, t, k, z, w); T, 1). Table 1 in Section 2.1 and [20] can be used to compute the insecurity of F_n under generic attacks:
From now on, we assume T = T' = T'', since (t + 2k)w and (t + 2k + 1)w − 1 are negligible when compared to the value T. We calculate the lower bound on T.
Solving this for T gives us
So, we can obtain the security level b for HORSIC+:

b = min{ log_2( t^k (z−1)! / (k!(k−1)!(z−k)!) ), n − log_2(w^2 t + w) }   (34)

Comparison with HORS and HORST
In this subsection, we compare HORSIC+ with HORS and HORST for the same security levels. Since the security level of HORS is the same as that of HORST with the same parameters, we refer to HORS and HORST together as HORS/HORST.

Security Parameters for HORSIC+
In this sub-subsection, we choose security parameters for HORSIC+ having the same security levels as HORS/HORST. Figure 2 shows the security level of HORSIC+ for various choices of k and HORS/HORST for signing a single message. In this case, we set z = w + k − 1 for HORSIC+. The x-axis represents the parameter w, which affects the computational cost. The y-axis corresponds to the security level.
The parameters for HORS/HORST in Figure 2 are chosen from (a) HORS [14] and (b) HORST as used in SPHINCS [13]. The original HORS scheme recommends using SHA-1 [30] or RIPEMD-160 [31] as the cryptographic hash function H, which has an output length of 160 bits [14]. Thus, the original HORS scheme uses t = 2^10 and k = 16 (10 × 16 = 160). The parameters for SPHINCS-256 (t = 2^16, k = 32) are selected to provide long-term 2^128 security against attackers with access to quantum computers. The security level of HORS/HORST can be obtained from the following equation [14,32]:
When using the parameters in Figure 2a
In Figure 2, 'HORSIC+ 1st' refers to the first argument of the min function in Equation (34) (i.e., log_2( t^k (z−1)! / (k!(k−1)!(z−k)!) )). 'HORSIC+ 2nd' refers to the second argument of the min function in Equation (34) (i.e., n − log_2(w^2 t + w)). 'HORSIC+ 1st' corresponds to the case where the adversary succeeds in forging only with already revealed secret values. As the number of signatures using the same HORSIC+ key increases, the number of revealed secret values also increases. Thus, the security level of 'HORSIC+ 1st' decreases more rapidly than that of 'HORSIC+ 2nd'. So it is more appropriate to compare the security level of 'HORSIC+ 1st' with that of HORS/HORST.
In HORSIC+, as the parameter k decreases, the signature size also decreases, but the parameter w should increase to offer the same security level. Figure 2 shows that an increased w results in an increased security level of 'HORSIC+ 1st'. However, it also results in increased overhead in key generation, signing, and verification. We choose two sets of parameters taking into account the relative importance of speed and signature size. The first is n = 128, t = 2^10, k = 10, and w = 13, implying z = 22, which offers a 96-bit security level. The second is n = 256, t = 2^16, k = 26, and w = 10, implying z = 35, which offers a 352-bit security level. Based on these two sets of parameters, a comparison of HORSIC+ with HORS/HORST will be presented in Section 4.3.3.

Security for Multiple Messages
HORSIC+ can be used as a few-time signature scheme in two ways. The first is for the signer and the verifier to maintain their own state information as in [15,33]. It is a good strategy when HORSIC+ is used in broadcast authentication in wireless sensor networks. However, it is not appropriate when used as a general signature scheme because maintaining the state information means it is stateful. If the state information update fails, then HORSIC+ cannot be used anymore. The second is to use HORSIC+ many times without state information as HORST in [13]. In this case, the security level decreases as the number of signatures using the same key increases.
To investigate how rapidly the security level decreases as the number of signatures using the same key (r) increases, we normalize the security level for r = 1 to 1 and compare the normalized security level of HORSIC+ and HORS/HORST. For simplicity, we compute the normalized security level of HORSIC+ by solving the subset-resilience problem. Figure 3 shows the normalized security level of HORSIC+ and HORS/HORST for multiple messages. The x-axis shows the number of signatures using the same key (r). We can see that the normalized security level of HORSIC+ decreases more slowly than that of HORS/HORST. This is because HORSIC+ uses a smaller k than HORS/HORST for the same security level.
Table 2 compares HORSIC+ with HORS and HORST for the same security levels (96-bit, 352-bit). For simplicity, we assume that HORST does not apply any of the optimizations in [13]. The table shows that a HORSIC+ signature is smaller than a HORS or HORST signature with a comparable security level. With parameters n = 128, t = 2^10, k = 10, z = 22, w = 13, HORSIC+ signatures are 37.5% shorter than HORS signatures and 61.5% shorter than HORST signatures at a 96-bit security level. With parameters n = 256, t = 2^16, k = 26, z = 35, w = 10, HORSIC+ signatures are 18.75% shorter than HORS signatures and 45.8% shorter than HORST signatures at a 352-bit security level. HORSIC+ reduces the signature size at the cost of increased overhead in key generation, signing, and verification. The key generation overhead and the signing overhead of HORSIC+ are larger than those of HORS and HORST. However, this does not affect the usability of HORSIC+, since key generation has to be performed only once and the signing overhead is still tolerable.
Since asymmetric key algorithms are typically hundreds to thousands of times slower than symmetric key algorithms and hash algorithms [34], the costs of signing HORSIC+ (130 evaluations of f_κ at the 96-bit security level and 260 at the 352-bit security level) are relatively low.
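As an added example (not the paper's code), the following Python evaluates both arguments of the security-level formula, the single-signature HORS/HORST level, the HORS-to-HORSIC+ signature-size reduction and the k·w signing cost for the two parameter sets chosen above. It assumes the HORS/HORST level is the subset-resilience bound k·log_2(t/k), since the page's own equation for it is not reproduced above, and it uses exact integer arithmetic so that t^k and the factorials do not overflow floating point.

```python
# Added example (not the paper's code): security levels, signature sizes and signing cost
# for the two HORSIC+ parameter sets from the text, compared with HORS/HORST.
from math import comb, factorial, log2


def horsicplus_levels(n, t, k, z, w):
    """Both arguments of the min in the HORSIC+ security-level formula:
    first  = log2( t^k (z-1)! / (k! (k-1)! (z-k)!) )   (forgery from revealed values only)
    second = n - log2( w^2 t + w )                     (inverting / second preimage of f_kappa)
    (z-1)! / ((k-1)! (z-k)!) is the binomial C(z-1, k-1); log2 of big ints is exact enough."""
    first = log2(t ** k * comb(z - 1, k - 1)) - log2(factorial(k))
    second = n - log2(w * w * t + w)
    return first, second


def hors_level(t, k):
    """Single-signature HORS/HORST level, assumed here to be the subset-resilience
    bound k * log2(t / k); it reproduces the 96 and 352 bits quoted in the text."""
    return k * log2(t / k)


def signature_bits(n, k):
    """HORS and HORSIC+ signatures both carry k n-bit values (HORSIC+ adds a small ctr)."""
    return n * k


def compare(n, t_plus, k_plus, z, w, t_hors, k_hors):
    """Side-by-side numbers for one HORSIC+ parameter set and its HORS/HORST counterpart."""
    first, second = horsicplus_levels(n, t_plus, k_plus, z, w)
    return {
        "horsic+_1st": first,
        "horsic+_2nd": second,
        "hors_level": hors_level(t_hors, k_hors),
        "size_reduction_pct": 100 * (1 - signature_bits(n, k_plus) / signature_bits(n, k_hors)),
        "sign_cost_f_evals": k_plus * w,   # signing needs at most k*w evaluations of f_kappa
    }


# The two parameter sets from the text; HORS/HORST uses the same t in both cases.
SET_96 = compare(128, 2 ** 10, 10, 22, 13, 2 ** 10, 16)
SET_352 = compare(256, 2 ** 16, 26, 35, 10, 2 ** 16, 32)
```

For the n = 256 set the second argument (about 233 bits) is the smaller of the two, so the quoted 352-bit figure is the 'HORSIC+ 1st' level that the text compares with HORS/HORST.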

Conclusions
In this paper, we proposed HORSIC+, an efficient post-quantum few-time signature scheme. HORSIC+ differs from HORSIC in that HORSIC+ does not apply f as a plain function to the signature key, but uses a member of a function family which is second-preimage resistant, undetectable, and one-way. Moreover, HORSIC+ uses the chaining function c^s(x, r) similar to W-OTS+. These enable the strict security proof without the need for the used function family to be a permutation or collision resistant. We proved HORSIC+ is existentially unforgeable under chosen message attacks, if the used function family is a second-preimage resistant family of undetectable one-way functions and H and G are cryptographic hash functions in the random oracle model. HORSIC+ reduces the signature size by as much as 37.5% or 18.75% compared to HORS and by as much as 61.5% or 45.8% compared to HORST for the same security level. Future work includes further analysis of HORSIC+ and integration of HORSIC+ in SPHINCS.

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A. Proof of Theorem 1
In this appendix, we give the proof of Theorem 1. The proof follows similar lines to the proof of Theorem 1 in [16]. Since each HORSIC+ signature has to reveal z secret values, forging a signature can be accomplished in two mutually exclusive cases.
Case 1: The adversary is able to forge a signature to any of the k! permutations of (sig_1, sig_2, sig_3, . . . , sig_k). For example, the adversary can create a valid signature σ' = (ctr', sig_2, sig_1, sig_3, . . . , sig_k) for its own message M' where H(M' | ctr') = (h_2, h_1, h_3, . . . , h_k) and C_{k,z}(G(M')) = (a_2, a_1, a_3, . . . , a_k). In this case, the adversary is able to forge a signature by using only secret values already revealed by the answer to the signature query.
Case 2: The adversary is able to forge a signature that contains at least one secret value which has not been revealed by the answer to the signature query. In this case, we try to guess the position of the revealed secret value and place the preimage challenge y_c there. So we can respond to the signature query and hopefully get a preimage of y_c. We also place a second preimage challenge in the same chain to manipulate the randomization elements.
We slightly modify the distribution of the public key to manipulate our challenges. It is proved that this does not significantly change the adversary's success probability if F n is undetectable [16].
Proof of Theorem 1. We prove the theorem by contradiction. Suppose there exists an adversary A that can produce existential forgeries for HORSIC+(1^n, t, k, z, w) by mounting an adaptive chosen message attack in time ≤ T with success probability ε_A = Succ^{EU-CMA}_{HORSIC+(1^n, t, k, z, w)}(A). Then we can construct an oracle machine M^A that either breaks the OW or the SPR of F_n using the adversary A. Algorithm A1 shows the pseudo-code description of M^A and Figure A1 shows its key structure.
The oracle machine M^A first generates a pair of HORSIC+ keys (X, Y) (Line 1). Then, M^A randomly selects the positions to place the OW and the SPR challenges in the key chain. The index of the key chain is α, and the positions of the OW and the SPR challenges are β and γ, respectively (Lines 2 and 6). M^A places the OW challenge y_c at position β. M^A also places the SPR challenge x_c at the input of the γ-th evaluation of the chain, replacing r_γ (Line 7). The modified public key Y is computed using the manipulated randomization elements r (Line 8, Figure A1). Then M^A runs A on input Y (Line 9).
The adversary A can ask for the signature on a message M of its choice (Line 10). M^A knows the secret key values x_i for all i ∈ {1, 2, . . . , t} except for α, and for the chain with index α, M^A only knows the β-th intermediate value. Thus, for the j with i_j = α, M^A can answer the query only when w − a_j ≥ β (Line 12). Otherwise, M^A returns "fail" (Line 13). M^A generates the signature σ of message M as described in the signature algorithm (Line 14).
If the adversary A returns an existential forgery (M', σ') (Line 16), M^A first checks whether the forged signature is generated using only secret values already revealed by the answer to the signature query (Line 18). If it is, M^A returns "fail" (Line 19). Then, M^A looks for j ∈ {1, 2, . . . , k} with i_j = α. The forgery is only useful if such a j exists and w − a_j < β (Line 20).
If β = w, the forgery contains a preimage of y_c. In this case, sig_j is an intermediate value of the chain with index α that ends in y_c. So M^A calculates the preimage and returns it (Line 23).
Otherwise, the chain continuing at sig_j either has or does not have y_c as its β-th intermediate value. In the first case, we can again compute the preimage (Line 25). In the second case, the chains continued from y_c and sig_j must collide somewhere between β + 1 and w by the pigeonhole principle. If they collide at position γ for the first time, a second preimage for x_c can be calculated (Line 27). Otherwise, M^A returns "fail" (Line 28).
To easily calculate the success probability of M^A, we only calculate the probability for a certain success case. If there exists j ∈ {1, 2, . . . , k} such that i_j = α in A's query, we assume a_j = w − β. If not, we assume β = w. Since β is chosen uniformly at random, the probabilities of a_j = w − β and of β = w are both 1/w. Modification of the verification key Y might change the input distribution of A, so we denote the probability that A returns a valid forgery in Line 16 of Algorithm A1 as ε'_A. In the case where the forged signature (M', σ') is generated using only already revealed secret values, the probability that A returns a valid forgery is k!(k−1)!(z−k)! / (t^k (z−1)!) [15].
If not, the forged signature (M', σ') contains at least one secret value which has not been revealed yet. The probability of the newly revealed secret value being in the chain with index α is at least 1/t. At this point there are two mutually exclusive cases, one of which occurs with probability p and the other with probability (1 − p).
Case 1: Either β = w or the chain continuing at sig_j has y_c as its β-th intermediate value. In this case, M^A returns a preimage for y_c with probability 1.
Case 2: β < w and the chain continuing at sig_j does not have y_c as its β-th intermediate value. In this case, M^A returns a second preimage for x_c if the chains continued from y_c and sig_j collide for the first time at position γ. This occurs with probability at least 1/w, as γ was chosen uniformly at random within the interval [β + 1, w].
Using the assumptions about the one-wayness and second preimage resistance of F_n, we can bound the success probability of A when called by M^A:

ε'_A ≤ max{ k!(k−1)!(z−k)! / (t^k (z−1)!), wt · max{ InSec^OW(F_n; T'), w · InSec^SPR(F_n; T') } }

where the time T' = T + (t + 2k)w is an upper bound obtained as the runtime of A plus the time needed to run each algorithm of HORSIC+ once; Kg_HORSIC+, Sign_HORSIC+, and Vf_HORSIC+ used in M^A require at most tw, kw, and kw calculations of f_κ, respectively.
As a second step, we bound the difference between the success probability ε'_A of A when called by M^A and its success probability ε_A in the original experiment. It can be directly obtained from [16], so we omit this proof. Finally, we obtain a bound on ε_A which leads to the required contradiction:

ε_A ≤ max{ k!(k−1)!(z−k)! / (t^k (z−1)!), w · InSec^UD(F_n; T'') + wt · max{ InSec^OW(F_n; T'), w · InSec^SPR(F_n; T') } }

where the time T' = T + (t + 2k)w and T'' = T + (t + 2k + 1)w − 1.

Figure A1. The basic construction of the modified public key.