| Graph-Based One Time Signatures |

| | On the opposite, **one-time** **signature** schemes can be built based on arbitrary "one-way" functions, and thus, they increase the degree of freedom in choosing the underlying cryptographic primitive (and decrease the possibility that unforeseen attacks to a particular "one-way" function have devastating effects). |

| | Second, **one-time** **signature** schemes are potentially much more efficient than their regular counterparts, and therefore good candidates in settings where fast **signature** setup, generation or verification is needed. |

| | Given the **signature** of two different messages (sets), a particular algebraic **signature** scheme would allow the **signature** of the message representing the union of these two sets to be computed, without the assistance of the signer. |

| www.cse.ucsd.edu /~ahevia/research/gbots.html (632 words) |