Search Quorum docs

Search pages and sections across all documentation sets.

Technical docs

a step-by-step guide

Winternitz state management

Operate Winternitz one-time-signature state safely inside Quorum.

Winternitz state management

Winternitz approvals are hash-based, but they are also stateful. Operators must treat one-time signing state as part of the custody procedure.

Quorum is devnet software and should not be used to protect production funds before audit and mainnet readiness.

One-time positions

Each Winternitz approval consumes a position. A wallet must track which position is next and must never sign two different proposal messages from the same one-time position.

Burn-on-broadcast behavior

Once a Winternitz approval is broadcast, the signing position should be treated as burned. Even if a transaction later fails, operators should avoid reusing that position unless the implementation explicitly proves it is safe.

Wallet preflight

Wallets should preflight the next state, the proposal message, and the expected state transition before producing a Winternitz approval. This keeps state mistakes out of the proposal flow.

Operational guidance

  • Keep Winternitz signing in a wallet that understands one-time state.
  • Back up the root secret and state metadata together.
  • Prefer Falcon when the team needs simpler repeated approval operations.
State reuse risk

Reusing one-time signing state can invalidate the security assumption behind a Winternitz approval.

Wallet Winternitz signing

See the operator-facing state checklist.