SHRINCS: 324-byte stateful post-quantum signatures with static backups

What has been bothering me about WOTS is that one could build an ASIC, that given a WOTS signature starts churning an alternative, by mutating the message, that would produce a valid envelope where every byte is >= the original. And that it would be perfectly in the realm of possibility for it to find a collision at sufficient scale. Small checksums only seem to make finding a collision marginally more difficult. Not very convincing given the difficulty bitcoin miners are working with.

Or am I missing something?

Sadly the only way I found to make the WOTS signature 100% immutable is to double the envelope and signature size, where every byte of the message digest is accompanied by its modulo negated value as well; that means that to move any forward along the hash chain, another would need to be moved backward (which is a preimage problem). While this doubles the size and computation cost, it would still be significantly more compact than Lamport.

edit: Never mind!

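The property the post is worried about, and the complement-digit fix it proposes, can be checked on a toy Winternitz scheme. The following is an added example written for this page, not code from the thread or from the SHRINCS project; the parameters (W=16, four digits), the seed and the two digit lists are constructed values, and `encode_doubled` is one reading of "every byte accompanied by its modulo negated value". `forward` only hashes forward along the public chains, so it shows exactly which digest changes a holder of one signature could reach without solving a preimage.

```python
import hashlib

# Toy parameters: chain length W (the Winternitz parameter) and N base-W
# digits per digest. Constructed for the demonstration; real deployments use
# many more digits (e.g. 64 base-16 digits for a 256-bit digest).
W = 16
N = 4


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain(start: bytes, steps: int) -> bytes:
    """Apply H `steps` times: the one-way hash chain WOTS is built on."""
    x = start
    for _ in range(steps):
        x = H(x)
    return x


def digest_digits(msg: bytes) -> list:
    """First N base-16 digits of SHA-256(msg), standing in for the message digest."""
    h = H(msg)
    return [(h[i // 2] >> (0 if i % 2 else 4)) & 0xF for i in range(N)]


def encode_plain(d: list) -> list:
    """Bare WOTS envelope: one chain per digest digit, no checksum."""
    return list(d)


def encode_doubled(d: list) -> list:
    """The post's proposal (assumed encoding): every digit x is paired with its
    complement W-1-x, so raising any digit forces its partner digit to drop."""
    return list(d) + [W - 1 - x for x in d]


def keygen(seed: bytes, n_chains: int):
    """One secret chain start per envelope digit; public key is the chain end."""
    sk = [H(seed + b"chain" + bytes([i])) for i in range(n_chains)]
    pk = [chain(s, W - 1) for s in sk]
    return sk, pk


def sign(sk, digits):
    # Signature element i is the secret walked digits[i] steps along its chain.
    return [chain(sk[i], digits[i]) for i in range(len(digits))]


def verify(pk, digits, sig) -> bool:
    # Walking the remaining W-1-digits[i] steps must land on the public key.
    if len(sig) != len(digits) or len(pk) != len(digits):
        return False
    return all(chain(sig[i], W - 1 - digits[i]) == pk[i] for i in range(len(digits)))


def forward(sig, old_digits, new_digits):
    """Derive a signature for new_digits from one for old_digits using public
    hashing only. Possible exactly when no digit has to move backward (that
    would be a preimage problem); returns None otherwise."""
    if len(new_digits) != len(old_digits):
        return None
    if any(n < o for n, o in zip(new_digits, old_digits)):
        return None
    return [chain(s, n - o) for s, n, o in zip(sig, new_digits, old_digits)]


def demo(encode, seed: bytes = b"constructed-seed"):
    """Returns (genuine signature verifies, forwarded signature verifies)."""
    d1 = [3, 7, 1, 12]   # constructed digest digits of the signed message
    d2 = [5, 7, 9, 12]   # constructed alternative that dominates d1 digit-wise
    e1, e2 = encode(d1), encode(d2)
    sk, pk = keygen(seed, len(e1))
    sig = sign(sk, e1)
    forged = forward(sig, e1, e2)
    return verify(pk, e1, sig), (forged is not None and verify(pk, e2, forged))


if __name__ == "__main__":
    print("plain   (genuine ok, forwarded ok):", demo(encode_plain))    # (True, True)
    print("doubled (genuine ok, forwarded ok):", demo(encode_doubled))  # (True, False)
```

With the plain envelope the dominated-digit forwarding succeeds; with the complement digits added, the complement of any raised digit must go down, so `forward` has no move that does not require inverting H. Standard WOTS+ closes the same gap more cheaply with a checksum over the sum of W-1-d_i, which is the "small checksum" the post finds unconvincing; the doubled envelope trades twice the chains for a per-digit guarantee instead of a sum-based one.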