Lamport One Time Signature Scheme

Lamport One Time Signature is a method for constructing a digital signature and typically involved the use of a cryptographic hash function. As it is a one-time signature scheme, it can only be used to securely sign one message.
Suppose Alice wants to digitally sign her message to Bob, the process can be explained in 3 steps:

  1. Key Generation
  2. Signature Generation
  3. Signature Verification.

1. Key Generation:

  • Alice first needs to create a Lamport key pair, a private key and a corresponding public key.
  • In order to create the private key, a secure random number generator is used to generate 256 pairs of random numbers. Each number consists of 256 bits. Alice will store this private key securely. Remember that the private key is not meant to be shared with anyone.
  • In order to create the public key, Alice hashes each of the 512 numbers of her private key. This will produce another 512 numbers, each consisting of 256 bits. This is the public key that will be shared with anyone.

In mathematical representation:

  • let k be a positive integer, P={\{0,1\}}^k be the set of messages to be signed and f:Y\rightarrow Z be a one way hash function.
  • For 1\lei\le i\lei\le k and j\in{0,1}, Alice randomly chooses y_{i,j}\inY and applies the one way hash function to compute z_{i,j}=f(y_{i,j}).
  • The private key and public key both consists of 2k values, y_{i,j} and z_{i,j} respectively.

2. Signature Generation:

  • Alice hashes her message using a 256-bit cryptographic hash function, eg SHA 256, to obtain a 256-bit digest.
  • For each bit, depending on whether the bit value is 1 or 0, Alice will pick the corresponding number from the pair of numbers of her private key i.e. if the bit is 0, the first number is chosen, and if the bit is 1, the second number is chosen. This results in a sequence of 256 numbers which is her signature.

    Lamport One Time Signature Scheme

  • Alice sends the message along with her signature to Bob.

In mathematical representation,



  • let M=m_1,m_2,\ldots,m_k\ \in\left\{0,1\right\}^k be the message Alice wants to sign.
  • The signature is generated as sig\left(m_1,m_2,\ldots,m_k\right)=\left({y_1,}_{m1,\ }{y_2,}_{m2,}\ldots,{y_k,}_{mk}\right)=\left(s_1,s_2,\ldots,s_k\right).
  • This signature is sent to Bob along with the message.

3. Signature Verification:

  • Bob hashes the message using the same 256-bit cryptographic hash function, to obtain a 256-bit digest.
  • For each bit, depending on whether the bit value is 1 or 0, Bob will pick the corresponding number from Alice’s public key i.e if the first bit of the message hash is 0, he picks the first hash in the first pair, and so on. This is done in the same manner as shown in the diagram above. This results in a sequence of 256 numbers.
  • Bob hashes each of the numbers in Alice’s signature to obtain a 256-bit digest. If this matches the sequence of 256 numbers that Bob had previously picked out, the signature is valid.

In mathematical representation, Bob checks that f(s_i)={z_I,}_{mi\ } for all 1\lei\le i\lei\le k


Note:It is important to understand that since Alice has publicly published half of a private key as her signature, her remaining private key cannot be used again and must be destroyed.

Attention reader! Don’t stop learning now. Get hold of all the important CS Theory concepts for SDE interviews with the CS Theory Course at a student-friendly price and become industry ready.

My Personal Notes arrow_drop_up

Check out this Author's contributed articles.

If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to contribute@geeksforgeeks.org. See your article appearing on the GeeksforGeeks main page and help other Geeks.

Please Improve this article if you find anything incorrect by clicking on the "Improve Article" button below.


Article Tags :
Practice Tags :


Be the First to upvote.


Please write to us at contribute@geeksforgeeks.org to report any issue with the above content.