\section{Problem 5}
\paragraph{One-time \textbf{unambiguous} signature from a one-way permutation}

We slightly modify the classical Lamport one-time signature by \textbf{insisting that $f$ is a permutation}.  
Because every output of a permutation has a unique pre-image, every message can have \textbf{only one} valid signature, the property we call \textit{unambiguousness}.

\paragraph{Algorithms}

Let $f:\{0,1\}^n\rightarrow\{0,1\}^n$ be a one-way permutation.

\begin{itemize}
    \item \textbf{Key generation}  
$\text{Gen}(1^n)$  

\begin{enumerate}
    \item Pick $2n$ independent and uniform values  
    $\{x_i^b\}_{i\in[n],\,b\in\{0,1\}}\leftarrow\{0,1\}^n$.  
    \item Set $y_i^b := f(x_i^b)$ and output  
    secret key $sk=\{x_i^b\}$, public key $pk=\{y_i^b\}$.
\end{enumerate}

\item \textbf{Signing}  
$\text{Sign}(sk,m)$ with $m=(b_1,\dots ,b_n)\in\{0,1\}^n$  
outputs $\sigma=(x_1^{b_1},\dots ,x_n^{b_n})$.

\item \textbf{Verification}  
$\text{Verify}(pk,m,\sigma)$ with $\sigma=(s_1,\dots ,s_n)$  
accepts iff $f(s_i)=y_i^{b_i}$ for every $i\in[n]$.
\end{itemize}


\paragraph{Correctness}  
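Correctness is immediate: an honestly generated signature has $s_i=x_i^{b_i}$, so $f(s_i)=f(x_i^{b_i})=y_i^{b_i}$ for every $i\in[n]$ and Verify accepts.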

\paragraph{Unambiguousness}

\textbf{Lemma.} For every message $m$ there exists \textbf{exactly one} string $\sigma$ that Verify accepts.

\textbf{Proof.} Because $f$ is a permutation, each $y_i^{b_i}$ has a \textit{single} pre-image, namely $x_i^{b_i}$.  
Therefore, the only candidate signature is $\sigma=(x_1^{b_1},\dots ,x_n^{b_n})$, and it is valid. \qed

Consequently, if an adversary queried $m_1$ and obtained $\sigma_1$, any later pair $(m^*,\sigma^*)$ with $m^*=m_1$ must satisfy $\sigma^*=\sigma_1$; otherwise Verify will inevitably reject.  
Hence the scheme is \textit{perfectly} unambiguous.
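
The lemma can be checked exhaustively at toy size. The following Python sketch is an added example, not part of the original solution: it implements Gen, Sign and Verify for $n=3$ and counts, for every message, how many candidate strings Verify accepts. The names \texttt{f\_perm} (an affine bijection modulo $2^n$, which is a permutation but not one-way) and \texttt{f\_lossy} (a non-injective contrast function) are assumptions made for illustration.

```python
# Added illustration (not from the original text); toy parameters only.
import itertools
import secrets

N = 3                      # toy parameter: messages and key blocks are N bits
DOMAIN = range(2 ** N)

def f_perm(x):
    """Assumed toy permutation on N-bit values (a bijection, NOT one-way)."""
    return (5 * x + 3) % (2 ** N)

def f_lossy(x):
    """Assumed non-injective contrast function: every image has 2 pre-images."""
    return x >> 1

def gen(f):
    """Gen: sk[i][b] = x_i^b uniform, pk[i][b] = y_i^b = f(x_i^b)."""
    sk = [[secrets.randbelow(2 ** N) for _ in range(2)] for _ in range(N)]
    pk = [[f(x) for x in pair] for pair in sk]
    return sk, pk

def sign(sk, m):
    """Sign: reveal x_i^{b_i} for each message bit b_i."""
    return tuple(sk[i][b] for i, b in enumerate(m))

def verify(f, pk, m, sigma):
    """Verify: accept iff f(s_i) = y_i^{b_i} for every position i."""
    return len(sigma) == N and all(
        f(s) == pk[i][b] for i, (s, b) in enumerate(zip(sigma, m)))

def count_valid_signatures(f, pk, m):
    """Exhaustively count the strings in ({0,1}^N)^N that Verify accepts for m."""
    return sum(verify(f, pk, m, sigma)
               for sigma in itertools.product(DOMAIN, repeat=N))

def signature_counts(f):
    """Accepted-signature count for every message under a fresh key pair."""
    sk, pk = gen(f)
    counts = {}
    for m in itertools.product((0, 1), repeat=N):
        assert verify(f, pk, m, sign(sk, m))       # correctness
        counts[m] = count_valid_signatures(f, pk, m)
    return counts

if __name__ == "__main__":
    print("permutation:", set(signature_counts(f_perm).values()))   # {1}
    print("lossy f:    ", set(signature_counts(f_lossy).values()))  # {8}
```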

\paragraph{One-time security}

The scheme is also existentially unforgeable under one signing query.

\textbf{Theorem.} If a PPT forger $\mathcal{A}$ wins the one-time (unambiguous) forgery game with probability $\varepsilon(n)$, then we can invert $f$ with probability $\varepsilon(n)/(2n)$.

\subparagraph{Reduction}  
An inverter $\mathcal{B}$ is given $y^\star=f(x^\star)$.

\begin{enumerate}
    \item $\mathcal{B}$ chooses a random index $i^\star\in[n]$ and random bit $b^\star$.
    \item It runs Gen for all pairs $(i,b)\neq(i^\star,b^\star)$ and sets $y_{i^\star}^{b^\star}:=y^\star$ (leaving the matching $x$ unknown).  
    The resulting $pk$ is given to $\mathcal{A}$.
    \item When $\mathcal{A}$ asks to sign $m_1$:  
    \begin{itemize}
        \item If $m_1[i^\star]=b^\star$ (i.e., $x_{i^\star}^{b^\star}$ is needed), abort.
        \item Otherwise, $\mathcal{B}$ can produce the correct signature and answer.  
        (This succeeds with probability $\frac{1}{2}$.)
    \end{itemize}
    \item Let $(m^*,\sigma^*)$ be $\mathcal{A}$'s forgery.  
    Because $m^*\neq m_1$, there is at least one position where $m^*$ differs from $m_1$;  
    with probability $\ge\frac{1}{n}$ this is exactly $i^\star$.  
    If additionally $m^*[i^\star]=b^\star$ (probability $\frac{1}{2}$), then $\sigma^*$ contains a value $s^\star$ such that $f(s^\star)=y_{i^\star}^{b^\star}=y^\star$, yielding $s^\star=x^\star$.  
    $\mathcal{B}$ outputs $s^\star$ and succeeds.
\end{enumerate}

Overall success probability is  
\[
\Pr[\text{step 3 does not abort}]\cdot\Pr[\text{step 4 gives }x^\star] 
\ge \frac{1}{2}\cdot\frac{1}{n}\cdot\frac{1}{2} = \frac{\varepsilon(n)}{2n}.
\]

Since $2n$ is polynomial, any non-negligible advantage $\varepsilon$ contradicts the one-wayness of $f$. \qed

\paragraph{Conclusion}

Using a one-way permutation, the above Lamport-style construction is:

\begin{enumerate}
    \item Correct;
    \item Perfectly unambiguous (each message has a unique valid signature);
    \item One-time existentially unforgeable.
\end{enumerate}

Hence it fulfils the required \textit{one-time unambiguous signature} notion.
