
Module wots


WOTS+ one-time signature scheme based on hash chains (FIPS 205, Algorithms 1, 4-8).

WOTS+ (Winternitz One-Time Signature Plus) is the foundational one-time signature scheme used at the leaves of every XMSS tree in SLH-DSA. It signs a single n-byte message by:

  1. Splitting the message into base-w digits and computing a checksum.
  2. For each digit d_i, evaluating a hash chain F^(d_i)(sk_i) where sk_i is derived from the secret seed via PRF.
  3. Verification then completes each chain to step w - 1 and compresses all endpoints into a single n-byte public key using T_l.

WOTS+ is purely hash-based: its one-time security relies solely on the second-preimage resistance of the hash function F.
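As an added illustration (not the crate's code), the digit split, checksum and chain walk described above for the n = 16, w = 16 parameter sets, with a non-cryptographic placeholder mixer standing in for the tweakable hash F; PRF derivation of the chain starts and the final T_len compression are left out.

```rust
// Added example: WOTS+ digits + checksum (FIPS 205 Alg. 7), chain (Alg. 5), verification (Alg. 8).
const N: usize = 16;             // security parameter in bytes
const LGW: usize = 4;            // log2(w)
const W: u32 = 1 << LGW;         // Winternitz parameter w = 16
const LEN1: usize = 8 * N / LGW; // 32 message digits
const LEN2: usize = 3;           // checksum digits (gen_len2 for n = 16, lgw = 4)
/// Placeholder for F(PK.seed, ADRS, x). NOT cryptographic; `step` stands in for ADRS.hashAddress.
fn f_placeholder(x: &[u8; N], step: u32) -> [u8; N] {
    let mut out = *x;
    for (j, b) in out.iter_mut().enumerate() {
        *b = b.wrapping_mul(31).wrapping_add((step as u8) ^ (j as u8)).rotate_left(3);
    }
    out
}
/// base_2b (Alg. 4): split `x` into `out_len` base-2^b digits, most significant first.
fn base_2b(x: &[u8], b: usize, out_len: usize) -> Vec<u32> {
    let (mut idx, mut bits, mut total) = (0usize, 0usize, 0u64);
    (0..out_len).map(|_| {
        while bits < b { total = (total << 8) | x[idx] as u64; idx += 1; bits += 8; }
        bits -= b;
        let digit = ((total >> bits) & ((1u64 << b) - 1)) as u32;
        total &= (1u64 << bits) - 1; // keep only the bits not yet consumed
        digit
    }).collect()
}
/// chain (Alg. 5): apply F `s` times, starting at chain position `i`.
fn chain(x: [u8; N], i: u32, s: u32) -> [u8; N] {
    (i..i + s).fold(x, |acc, j| f_placeholder(&acc, j))
}
/// Message digits then checksum digits (Alg. 7). Raising a message digit lowers the checksum,
/// so a forger would have to walk some chain backwards, i.e. invert F.
fn wots_digits(m: &[u8; N]) -> Vec<u32> {
    let mut msg = base_2b(m, LGW, LEN1);
    let csum: u32 = msg.iter().map(|&d| W - 1 - d).sum();
    let csum = csum << ((8 - ((LEN2 * LGW) % 8)) % 8); // left-align to a byte boundary
    msg.extend(base_2b(&(csum as u16).to_be_bytes(), LGW, LEN2)); // toByte(csum, 2)
    msg
}
/// wots_sign (Alg. 7): walk chain i from 0 to digit d_i. `sk` holds the chain starts directly.
fn wots_sign(sk: &[[u8; N]], m: &[u8; N]) -> Vec<[u8; N]> {
    wots_digits(m).iter().zip(sk).map(|(&d, &s)| chain(s, 0, d)).collect()
}
/// wots_pk_gen (Alg. 6) before the final T_len compression: every chain walked to w - 1.
fn wots_pk_gen(sk: &[[u8; N]]) -> Vec<[u8; N]> {
    sk.iter().map(|&s| chain(s, 0, W - 1)).collect()
}
/// wots_pk_from_sig (Alg. 8): the verifier completes each chain from d_i to w - 1.
fn wots_pk_from_sig(sig: &[[u8; N]], m: &[u8; N]) -> Vec<[u8; N]> {
    wots_digits(m).iter().zip(sig).map(|(&d, &s)| chain(s, d, W - 1 - d)).collect()
}
```

For the all-zero message every digit is 0, so the checksum is 32 * 15 = 480, which after left-alignment becomes the three checksum digits 1, 14, 0.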

Functions

base_2b
Extract base-2^b digits from a byte string.
chain
Apply the WOTS+ chain function s times starting from step i.
to_byte
Convert an integer to a big-endian byte vector of length n.
to_byte_stack
Stack-allocated to_byte for small sizes (up to 8 bytes).
wots_pk_from_sig
Compute a WOTS+ public key candidate from a signature.
wots_pk_gen
Generate a WOTS+ public key.
wots_sign
Sign an n-byte message using WOTS+.
wots_sign_into
Streaming variant of wots_sign — writes the LEN * N-byte signature into the start of out (which must be at least that size) instead of returning a freshly-allocated Vec<u8>.