randombit + paper   16

On the Security of the Winternitz One-Time Signature Scheme
We show that the Winternitz one-time signature scheme is existentially unforgeable under adaptive chosen message attacks when instantiated with a family of pseudo random functions. Compared to previous results, which require a collision resistant hash function, our result provides significantly smaller signatures at the same security level. We also consider security in the strong sense and show that the Winternitz one-time signature scheme is strongly unforgeable assuming additional properties of the pseudo random function. In this context we formally define several key-based security notions for function families and investigate their relation to pseudorandomness. All our reductions are exact and in the standard model and can directly be used to estimate the output length of the hash function required to meet a certain security level.
winternitz  hash  signatures  crypto  paper 
april 2011 by randombit
Crash-Only Software
Crash-only programs crash safely and recover quickly. There is only one way to stop such software - by crashing it - and only one way to bring it up - by initiating recovery.
crashonly  reliability  security  systems  programming  paper 
april 2010 by randombit
Fault Resistant RSA Signatures: Chinese Remaindering in Both Directions
Describes a trick to use CRT for checking RSA private key operations (normally you use the public operation)
crypto  paper  rsa 
january 2010 by randombit
ePrint 2009/251 - Format-Preserving Encryption
A technique for encrypting an arbitrary set onto itself (for instance from valid CC numbers to valid CC numbers).
fpe  crypto  paper 
november 2009 by randombit
The Insecurity of the Digital Signature Algorithm with Partially Known Nonces
Turns out that ~100 signature/message pairs with only the 3 low bits of the random k nonce are sufficient to recover the private key. Nice analysis.
crypto  dsa  lattices  paper 
july 2009 by randombit