We will use the following terms:
pk is public key
sk is private key (secret key)
H is hash function
sig is message signature
m is plain-text message
o is binary homomorphic operation
Assume the classical digital signature operations:
sig = Sign(sk, m)
Verify(pk, sig, m)
Homomorphic Hashes hold the following equation:
H(x) o H(y) = H(x o y)
We'll use such homomorphic equation on our rules. We also assume the First Preimage Resistance, Second Preimage Resistance and Collision Resistance axioms used on strong hashes.
Let's begin by an hypothesis:
pk = H(sk)
sig = H(sk o m)
H(sk) o H(m) = H(sk o m)
pk o H(m) = sig
This hypothesis allows the forgery of signatures with the public key. What about something more like that below?
pk o H(m) = H(sig)
Using the First Preimage Resistance
axiom, it makes unfeasible to
forge signatures, therefore. Let's continue on that line of thinking.
pk o H(m) = H(H(sk o m))
pk o H(m) = H(H(sk) o H(m))
pk o H(m) = H(H(sk)) o H(H(m))
pk = H(H(sk))
H(m) = H(H(m))
Ops, this equation doesn't hold anymore. Perhaps if we rewrite a bit...
sig = H(sk o m)
pk o H(H(m)) = H(sig)
pk o H(H(m)) = H(H(sk) o H(m))
pk o H(H(m)) = H(H(sk)) o H(H(m))
pk = H(H(sk))
H(H(m)) = H(H(m))
Voila, we have our Post-Quantum Digital Signature so fast, beautiful and simple!
Update: A confluence relation there.