This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2020.2966259, IEEE Access
Novel One Time Signatures (NOTS): A Compact Post-quantum Digital Signature Scheme
FURQAN SHAHID (1), IFTIKHAR AHMAD (2), MUHAMMAD IMRAN (3), and MUHAMMAD SHOAIB (4)
(1) COMSATS University Islamabad (CUI), Park Road, Islamabad 45550, Pakistan (e-mail: furqan.shahid.cs@gmail.com)
(2) Faculty of Computer and Information Technology, King Abdulaziz University, Saudi Arabia (e-mail: iftikharwattoo@gmail.com)
(3) College of Applied Computer Science, King Saud University, Saudi Arabia (e-mail: dr.m.imran@ieee.org)
(4) College of Computer and Information Sciences, King Saud University, Riyadh, Saudi Arabia (e-mail: muhshoaib@ksu.edu.sa)
Corresponding author: Muhammad Imran (e-mail: dr.m.imran@ieee.org).
ABSTRACT The future of hash based digital signature schemes appears very bright in the upcoming quantum era because of the quantum threats to number theory based digital signature schemes. Shor's algorithm allows a sufficiently powerful quantum computer to break the building blocks of the number theory based signature schemes in polynomial time. The hash based signature schemes, being quite efficient and provably secure, can fill the gap effectively. However, a drawback of the hash based signature schemes is their larger key and signature sizes, which can prove a barrier to their adoption by space critical applications like the blockchain. A hash based signature scheme is constructed using a one time signature (OTS) scheme, and the underlying OTS scheme plays an important role in determining the key and signature sizes of the hash based scheme. In this article, we propose a novel OTS scheme with minimized key and signature sizes as compared to all of the existing OTS schemes. Our proposed OTS scheme offers an 88% reduction in both key and signature sizes as compared to the popular Winternitz OTS scheme. Furthermore, it offers 84% and 86% reductions in the signature and key sizes respectively as compared to an existing compact variant of the WOTS scheme, i.e. WOTS+.
INDEX TERMS Hash-based digital signatures, Post-quantum cryptography, Blockchain, One-time signatures
I. INTRODUCTION
One way mathematical functions [1] act as the building blocks of today's most popular digital signature schemes. These functions arise from hard mathematical problems which provide a base for digital signatures and other cryptographic protocols. The three core hard mathematical problems currently used by a wide range of cryptographic protocols are the Integer Factorization (IF) problem, the Discrete Logarithm Problem (DLP), and the Elliptic Curve Discrete Logarithm Problem (ECDLP). The digital signature schemes constructed over these hard problems are commonly referred to as number theory based digital signature schemes, and include the Rivest-Shamir-Adleman (RSA) signature scheme [2], the El-Gamal signature scheme [3], and the Elliptic Curve Digital Signature Algorithm (ECDSA) [4]. However, a sufficiently powerful quantum computer will be able to solve these hard mathematical problems with the help of Shor's algorithm [5]. The advancement trends of technology allow us to expect that a quantum computer able to solve these problems will be available after just a decade [6]. So what will be the future of the cryptographic protocols constructed over these hard mathematical problems? We are particularly concerned with the future of digital signature schemes in the quantum era. Thankfully, quantum computers will not erase digital signature technology altogether, because other types of digital signature schemes are available which can defeat quantum attacks [7]. We refer to those digital signature schemes as post-quantum digital signature schemes. There are five types of post-quantum digital signature schemes available to date: the lattice-based signature schemes, the hash-based signature schemes, the elliptic curve isogeny based signature schemes, the multivariate signature schemes, and the code-based signature schemes. Although these types of digital signature schemes are not new, and some of them bear a fairly old history (like the hash-based signature schemes), none of them has attracted practitioners at a large scale. The possible resistors to their wide-range adoption include low efficiency, breakable security, and difficult key management [7], [8].
The hash-based digital signature (HBS) schemes, being quite efficient and provably secure, appear as the dominant type of post-quantum digital signature schemes [9]. The security of the HBS schemes has been strongly established against both classical and quantum attacks. Furthermore, HBS schemes are the most efficient type of schemes, with key and signature creation times that are the minimum among all types of digital signature schemes [10]. However, the major drawback of the HBS schemes is their larger signature and key sizes [11], [12].
An HBS scheme is a combination of two schemes: one is a core One-Time-Signature (OTS) or Few-Time-Signature (FTS) scheme, and the second is a hash tree which maps a number of OTS/FTS public keys to another single public key. Without covering an OTS/FTS scheme by a hash tree, key management is a challenging task in an HBS scheme. The signature size depends purely on the core OTS/FTS scheme used, whereas the key size depends on both the core OTS/FTS scheme and the nature and size of the hash tree used by the scheme. The signature size in the very first OTS scheme, i.e. the Lamport-Diffie (LD) OTS scheme [13], was impractically large. However, the later OTS schemes, like the Winternitz OTS scheme [14], reduced the signature size to a practical level. Even after this improvement, the signature sizes of the OTS schemes are larger than those of the classical schemes, which makes them unattractive for highly space sensitive applications like the distributed financial ledgers (cryptocurrencies). In this article, we propose a novel OTS scheme, NOTS, with key and signature sizes that are the minimum among all of the existing OTS schemes. NOTS offers an 88% reduction in both key and signature sizes as compared to the popular Winternitz OTS scheme.
Among the existing OTS/FTS schemes, WOTS and its variants [14], [15], [16] emerge as the most efficient type of OTS schemes, offering the minimum key and signature sizes. Furthermore, WOTS and its variants allow computation of the OTS public key purely from the corresponding signatures, which is a valued characteristic of WOTS and its variants. Other types of OTS/FTS schemes (except WOTS and its variants) are not capable of allowing computation of the public key from the signatures unless a huge additional set of information is provided to the verifier. This additional set of information may either be as large as the original signatures (as in the case of the LD-OTS scheme [13]) or it may be exponentially larger than the original signatures (as in the case of HORS [17], HORST [18], and PORS [19]). Our proposed scheme (NOTS) is a WOTS-like scheme in which the signatures are intelligent enough to allow the verifier to compute the corresponding public key without any additional set of information. The intelligent signatures not only reduce the signature size but also make the scheme more convenient for the hash trees.
Our contribution:
1) We have proposed a novel OTS scheme NOTS with the following valued features:
a) NOTS offers an 88% reduction in both key and signature sizes as compared to the popular WOTS scheme.
b) NOTS offers 84% and 86% reductions in the signature and key sizes respectively as compared to an existing compact variant of WOTS, i.e. WOTS+.
c) NOTS signatures are intelligent enough to allow the verifier to compute the corresponding public key without any additional set of information.
2) We have formally proved that our proposed scheme (NOTS) is existentially unforgeable under the adaptive chosen message attack model.
The rest of the paper is organized as follows: Section 2 provides preliminary knowledge about HBS schemes and the post-quantum cryptocurrencies proposed to date. In Section 3, we discuss our proposed OTS scheme (NOTS) in detail. In Sections 4, 5, and 6, we respectively evaluate the security, space requirements, and execution time of NOTS. Finally, in Section 7, we conclude our discussion.
II. LITERATURE REVIEW
The popular OTS/FTS schemes proposed to date include Lamport-Diffie OTS (LD-OTS) [13], Winternitz OTS (WOTS) [14], WOTS^PRF [15], WOTS+ [16], HORS [17], HORS with Tree (HORST) [18], and PRNG to obtain a random subset (PORS) [19].
The pioneer HBS scheme is the Merkle signature scheme (MSS) [14], which uses WOTS as its base OTS scheme. An improved version of MSS is the eXtended Merkle Signature Scheme (XMSS) [12], which uses WOTS^PRF [15] as its base OTS scheme. An MSS tree or an XMSS tree can map a finite number of OTS public keys to a single public key. An enhanced version of XMSS is Multi-tree XMSS (XMSS^MT) [20], which is capable of mapping a virtually unlimited number of OTS key pairs to a single public key. XMSS^MT also uses WOTS^PRF as the base OTS scheme. XMSS^MT is a state-based scheme which maintains a state to guarantee that a distinct seed is selected each time the scheme is instantiated to sign a new message. SPHINCS [18] is a stateless HBS scheme which guarantees a distinct seed in each of its instantiations without preserving a state. SPHINCS uses HORST FTS and WOTS+ as its base schemes. Gravity-SPHINCS [19] is a compact version of SPHINCS which uses PORS and WOTS as its core schemes. SPHINCS-Simpira [21] is an efficient version of SPHINCS which has replaced the plain hash functions (SHA256 and SHA512) by the AES-based hash permutations Simpira [22]. Figure 1 shows a mapping between OTS/FTS and HBS schemes.
A. POST-QUANTUM CRYPTOCURRENCIES
The popular post-quantum cryptocurrencies proposed to date include IoTA [23], QRL [24], quantum-secured blockchain [25], qBitcoin [26], PQChain [27], and post-quantum blockchains incorporating lattice-based signature schemes [28], [29]. Among the existing post-quantum cryptocurrencies, three are using hash-based digital signature schemes: IoTA uses WOTS, QRL uses WOTS+ with XMSS, and PQChain recommends using WOTS^PRF with XMSS. The post-quantum blockchain proposed in [28] uses a short integer solution (SIS) based signature scheme. Quantum-secured blockchain [25] allows a pair of peers to connect over a quantum channel to generate a symmetric key; those peers are then able to communicate securely over a classical channel with the help of their symmetric key. qBitcoin [26] proposes to represent the coins as quantum states. Because it is impossible to generate duplicate copies of a quantum state (the no-cloning theorem), the proposed cryptocurrency is safe against double-spending attacks. Both quantum-secured blockchain and qBitcoin involve quantum-based technologies and hence would only be practical when quantum computers are available at a large scale.
Figure 1: OTS/FTS schemes mapping to the HBS schemes. HBS schemes: MSS, XMSS, XMSS^MT, SPHINCS, G-SPHINCS, SPHINCS-S. OTS/FTS schemes: LD, WOTS, WOTS^PRF, WOTS+, HORS, HORST, PORS.
III. PRELIMINARY KNOWLEDGE
In this section, we provide preliminary knowledge about hash based digital signature schemes and OTS/FTS schemes. The discussion in this section helps the reader to understand and compare the key and signature sizes of the existing OTS/FTS schemes.
A. HASH-BASED SIGNATURE (HBS) SCHEMES
The building block of an HBS scheme can either be an un-keyed hash function, a keyed hash function, or a block cipher (like AES). Because all these cryptographic primitives are very efficient (especially the un-keyed/keyed hash functions), HBS schemes are the most efficient type of digital signature schemes [10]. An HBS scheme is two-fold: first, there is a base OTS/FTS scheme, and second there is a hash tree that encapsulates a (finite or virtually infinite) number of OTS/FTS public keys into another single public key. Although the hash trees are very important, because otherwise key management is hard in HBS schemes, there are real life applications which use an OTS or an FTS independently. For example, the popular post-quantum digital currency IoTA [23] uses the WOTS signature scheme independently, without a hash tree.
1) Hash-based OTS/FTS schemes
Lamport proposed the very first hash based OTS scheme in the late seventies [13]. The security of the Lamport-Diffie (LD) OTS scheme was proved later in the studies [30] and [31]. The LD OTS scheme suffers from impractically large key and signature sizes. In this scheme, we sign the hash of the message bit-by-bit, i.e. we create a separate signature item for each of the individual bits. For a 512-bit long message hash (we use l to denote the bit-length of the message hash to be signed), there will be a total of 512 signature items. If each item is itself 512 bits long, the total signature size will be 32.8 KB. The key size will be double the signature size, because each of the bits has two key items associated with it. The bit-length of an individual key/signature item depends upon the desired level of security, therefore we refer to it as the security parameter (n). The formulas for computing the signature (σ) and key (PK) sizes of the LD OTS scheme are given in equations (1) and (2).
$\sigma_{(LD)} = (l)(n)$ (1)
$PK_{(LD)} = 2(l)(n)$ (2)
Winternitz [14] made the first major improvement to the initial work of Lamport. In the Winternitz OTS (WOTS) scheme, the bits are signed in groups/patches: we create a single signature item for a group or patch of bits. The patch size (let us denote it as p) is customizable, i.e. the user can select the patch size he wants. The patch size is inversely proportional to the key and signature length; however, it is directly proportional to the processing cost. Therefore, a balance must be established. A typical patch size is 4 bits. For WOTS, we can write the message hash (H) as given in eq. (3). In WOTS, both the key and the signature consist of a total of l/p items. Each private key item is transformed to its corresponding public key item by passing it through a hash chain. There are a total of 2^p hash iterations in a single hash chain. The signature elements are basically some of the middle stages of the hash chains. The hash of the message (to be signed) allows the signer to decide which middle stage of an individual chain should be declared as the signature. Finally, the hash of the corresponding message also allows the verifier to complete all of the hash chains to produce the public key of the signer.
$H = h_1 \,\|\, h_2 \,\|\, h_3 \,\|\, \ldots \,\|\, h_{l/p}$ (3)
An individual patch in the message hash can produce a value in the range zero to 2^p − 1. WOTS also appends a checksum c to the message hash, which is computed using the formula given in equation (4). Finally, the signature size of WOTS can be computed using the formula given in equation (5). The key size in WOTS is exactly the same as the signature size. The WOTS scheme is provably secure under the Existentially Unforgeable under Chosen Message Attack (EU-CMA) model [15].
$c = \sum_{i=1}^{l/p} \left( (2^p - 1) - h_i \right)$ (4)
$\sigma_{(WOTS)} = \left( \frac{l}{p} \,\|\, c \right)(n)$ (5)
Table 1: Parameters description
Parameter | Description
M | Message to be signed
H | Hash of the message (M) to be signed
H_hex | Hexadecimal representation of the hash of the message (H)
h | An individual character in the hash of the message (H)
p | The bit-length of an individual character (h) in the hash of the message
l | The bit-length of the hash of the message (H) to be signed
SK / PK | An OTS private key / public key
sk / pk | An individual value/element in SK / PK
σ_M | Signatures created on message M
σ_i | An individual value/element in σ
n | The bit-length of an individual key/signature element (sk / pk / σ_i)
fsk / fpk / fσ | First half of sk / pk / σ_i
bsk / bpk / bσ | Last half of sk / pk / σ_i
(M_F, σ_F) | Message with corresponding signatures sent by F
f_H | A common hash function
f_ow | A one-way (pre-image resistant) hash function
f_cr | A collision resistant hash function
c | The checksum appended to M by WOTS and its variants
ADV | An adversary trying to break the security of a hash function
FOR | A forger trying to break the security of the proposed scheme NOTS
index(chr) | A function which returns the index of a given character chr in the hash (H) of the message
sumDigits(str) | A function which computes the sum of the digits in a given string str
WOTS^PRF [15] and WOTS+ [16] are the two compact variants of WOTS which offer reduced key and signature sizes as compared to WOTS. WOTS^PRF reduces the key and signature sizes by replacing a collision resistant (CR) hash function by a pseudo-random function (PRF). For a CR hash function the length of an individual key/signature item must be at least three times the desired level of post-quantum security; however, for a PRF the length of an individual key/signature item must be at least two times the desired level of post-quantum security. WOTS+ uses bit-masks to replace a CR hash function by an undetectable one-way function (which may either be a keyed hash function or a block cipher). The signature sizes of both WOTS^PRF and WOTS+ can be computed using the same formula given in eq. (5) by adjusting the value of the security parameter (n) accordingly. The key size of WOTS^PRF is approximately the same as its signature size; however, the key size of WOTS+ is somewhat larger because of an additional set of randomization elements. The formula to compute the key size of WOTS+ is given in eq. (6).
$PK_{(WOTS+)} = \left[ \frac{l}{p} \,\|\, c + 2^p \right](n)$ (6)
The HORS FTS scheme provides yet another approach for creating hash-based few time signatures [17]. Like the WOTS scheme, HORS also creates signatures on patches of bits, meaning there is a single signature item for a patch of bits. However, the patch size in HORS must be significantly larger, because for small sized patches this scheme will not be secure. The large sized patches reduce the signature size significantly as compared to WOTS. Another difference is that HORS does not append any checksum to the message hash, which also reduces the signature size. However, the key size of HORS is extremely large. The formulas to compute the key and signature sizes of the HORS scheme are given in eqs. (7) and (8) respectively. The HORS scheme is nearly impractical because of its extremely large key size.
$PK_{(HORS)} = (2^p)(n)$ (7)
$\sigma_{(HORS)} = \left( \frac{l}{p} \right)(n)$ (8)
The PORS [19] scheme is very close to the HORS scheme; however, it offers stronger security than HORS at a very marginal computational overhead. The key and signature sizes of PORS are exactly the same as those of HORS. The only difference is that in the case of HORS, multiple bit-patches may correspond to the same signature item, whereas in PORS there is always a distinct signature item for each of the bit-patches.
Our proposed scheme (NOTS) recommends using 4-bit long patches. The key and signature sizes of NOTS are both computed using the formula given in equation (9). Because p is fairly small (just 4 bits), both the key and the signature sizes of NOTS are significantly smaller. NOTS offers just 1 KB key and signature sizes for a 512-bit long security parameter (i.e. n = 512). The different parameters referred to in this section and throughout the article are explained in Table 1.
$\sigma_{(NOTS)} = (2^p)(n)$ (9)
IV. NOVEL ONE TIME SIGNATURES (NOTS): THE PROPOSED SCHEME
This section explains our proposed scheme (NOTS) in detail.
Our proposed scheme works as follows:
A. KEY GENERATION
The private key (sk) is simply a set of sixteen values, each being 512 bits long (Eq. (10)). We recommend generating all of the values in the private key from a single seed. We can apply a simple hash chain to the seed to generate the sk values. Because our scheme never discloses any of the sk values during signature verification, it is safe to use just a simple chain of values generated using a common hash function like SHA512. The complete pseudo code for key generation is given in Algorithm 1.
$SK = \sum_{i=0}^{15} \left[\, sk_i \mid bitLength(sk_i) == 512 \,\right]$ (10)
The public key (pk) is computed from the sk. There is a corresponding pk value for each of the sk values. In order to compute a pk value, we divide the corresponding sk value into two equal halves and compute the hash of each of the halves 129 times (Eq. (11)). The output length of the hash function must be the same as the length of an individual half. For example, if the size of a single half is 256 bits, then we may use the hash function SHA256.
$PK = \sum_{i=0}^{15} pk_i = sha256^{129}\!\left( sk_i\!\left[0, \tfrac{|sk_i|}{2}\right] \right) + sha256^{129}\!\left( sk_i\!\left[\tfrac{|sk_i|}{2}, |sk_i|\right] \right)$ (11)
B. SIGNATURE CREATION
We initiate the signature creation process by computing the hash of the message (H) to be signed. We recommend using a 512-bit hash function (like SHA512). In this way, H will consist of a total of 128 hexadecimal symbols. We use H_hex to denote the hexadecimal representation of the message hash. H_hex guides the signer in generating index_strings, which is a list consisting of 16 different strings. The list index_strings basically classifies the indexes of the hexadecimal characters in H_hex into 16 different strings (Eqs. (12), (13)); there is a separate string of indexes for each symbol of the hexadecimal alphabet. In the next step, the signer computes the sum of the digits in each of the index_strings; we name this new list sum_index_string. The signer also ensures that all the values in the list sum_index_string lie in the range {1 ... 128} (Eq. (14)).
$\sum_{i=0}^{15} index\_string_i = \langle\,\rangle$ (12)
$\forall\, h \in H_{hex}:\quad index\_string'_h = index\_string_h + index(h)$ (13)
$\sum_{i=0}^{15} sum\_index\_string_i = sumofdigits(index\_string_i)\ \%\ 128 + 1$ (14)
The sum_index_string finally lets the signer produce the signature (σ) on the corresponding message (M). The signer computes the hash of each sk value a number of times equal to the corresponding value in the list sum_index_string. While computing the hash of an individual sk value, the signer divides it into two halves (we call them forward sk (fsk) and backward sk (bsk)). The signer computes the hash of fsk a number of times exactly equal to the corresponding value in the list sum_index_string; however, the signer computes the hash of bsk a number of times equal to 129 minus the corresponding value in sum_index_string. Finally, the signer concatenates both of the final hash outputs to generate an individual signature value (Eq. (15)). The signer adopts the same procedure for each of the 16 sk values to generate the 16 signature values. Figure 2 explains the signature creation process for an example message, and the pseudo code for signature creation is given in Algorithm 2.
$\sum_{i=0}^{15} \sigma_i = sha256^{\,sum\_index\_string_i}\!\left( sk_i\!\left[0, \tfrac{|sk_i|}{2}\right] \right) + sha256^{\,129 - sum\_index\_string_i}\!\left( sk_i\!\left[\tfrac{|sk_i|}{2}, |sk_i|\right] \right)$ (15)
C. SIGNATURE VERIFICATION
The verifier computes the sum_index_string following the same steps as followed by the signer during signature creation. The list sum_index_string allows the verifier to produce the verification key (VK) from the signature (σ). In order to compute an individual vk value from the corresponding σ value, the verifier divides the σ value into two halves (we call them forward signature (fσ) and backward signature (bσ)). The verifier computes the hash of fσ a number of times equal to 129 minus the corresponding value in the list sum_index_string; however, the verifier computes the hash of bσ a number of times exactly equal to the corresponding value in sum_index_string. The verifier concatenates both of the final hash outputs to generate an individual vk value (Eq. (16)). The verifier adopts the same procedure for each of the 16 σ values to generate the 16 vk values. Finally, the verifier compares his own computed verification key VK with the signer's previously announced public key PK. If both keys are equal, the verifier accepts the signature. The pseudo code for signature verification is given in Algorithm 3.
$\sum_{i=0}^{15} vk_i = sha256^{\,129 - sum\_index\_string_i}\!\left( \sigma_i\!\left[0, \tfrac{|\sigma_i|}{2}\right] \right) + sha256^{\,sum\_index\_string_i}\!\left( \sigma_i\!\left[\tfrac{|\sigma_i|}{2}, |\sigma_i|\right] \right)$ (16)
Figure 2: NOTS: Signature Creation. Worked example for the message hash
H_hex = 8e8b47e6c1e58a60b2e24e2860022c859be1dbf24ca6c5195e688d5663128adc8ea51f8e3364c29d5019088716d1ac5c232bc8ae55d3066ded98c2d13396716c
with indexes counted 1 ... 128. Each signature element is σ_i = f_H^{sum_index_string_i}(sk_i[0:31]) || f_H^{(129 − sum_index_string_i)}(sk_i[32:63]). For the symbol 0, for instance, sum_index_string_0 = [(1+6+2+6+2+7+8+2+8+5+1+0+9) % 128 + 1] = 58.
i | index_string_i (indexes of symbol i in H_hex) | sum_index_string_i
0 | 16 26 27 82 85 109 | 58
1 | 10 36 47 59 69 83 89 92 120 126 | 102
2 | 18 20 23 28 29 40 60 78 97 99 118 | 107
3 | 58 73 74 98 108 121 122 | 70
4 | 5 21 41 76 | 27
5 | 12 32 46 49 55 68 81 95 105 106 | 92
6 | 8 15 25 44 51 56 57 75 90 110 111 124 127 | 102
7 | 6 88 125 | 31
8 | 1 3 13 24 31 52 53 61 65 71 86 87 102 116 | 100
9 | 33 48 79 84 115 123 | 60
a | 14 43 62 67 93 103 | 50
b | 4 17 34 38 100 | 32
c | 9 30 42 45 64 77 94 96 101 117 128 | 102
d | 37 54 63 80 91 107 112 114 119 | 76
e | 2 7 11 19 22 35 50 66 72 104 113 | 70
f | 39 70 | 20
Table 2: Hash functions security levels [30], [32], [33]
Hash function | Classical pre-image | Classical collision | Quantum pre-image | Quantum collision
SHA160 | 160-bit | 80-bit | 80-bit | 53-bit
SHA256 | 256-bit | 128-bit | 128-bit | 85-bit
SHA384 | 384-bit | 192-bit | 192-bit | 128-bit
SHA512 | 512-bit | 256-bit | 256-bit | 171-bit
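To make the key generation, signing and verification steps of Sections IV-A to IV-C concrete, here is an added Python implementation written for this page (not the authors' code) that follows Algorithms 1 and 2 and Eq. (16) with the paper's recommended parameters (p = 4, n = 512, SHA-512 message hash, SHA-256 chains of length 129). The only page data it uses is the Figure 2 message hash, for which it reproduces the figure's sum_index_string values; the demo seed and message are constructed.

```python
"""NOTS key generation, signing and verification (added example, not the paper's code).

Parameters are the paper's recommended ones: p = 4 (16 elements), n = 512,
SHA-512 message hash, SHA-256 chains of length 129 on each 256-bit half.
EXAMPLE_H_HEX is the message hash shown in Figure 2; positions are counted
1..128 as in the figure and in Algorithm 2.
"""
import hashlib
import hmac
import os

N_ELEMENTS = 16      # 2^p with p = 4: one sk/pk/sigma element per hex symbol
HALF = 32            # a 512-bit sk element splits into two 256-bit halves (bytes)
CHAIN_LEN = 129      # pk_i = sha256^129(fsk_i) || sha256^129(bsk_i)
HEX_SYMBOLS = "0123456789abcdef"

# Message hash from Figure 2 of the paper (the message itself is not given there).
EXAMPLE_H_HEX = (
    "8e8b47e6c1e58a60b2e24e2860022c859be1dbf24ca6c5195e688d5663128adc"
    "8ea51f8e3364c29d5019088716d1ac5c232bc8ae55d3066ded98c2d13396716c"
)


def sha256_iter(data, times):
    """Apply SHA-256 `times` times: the hash chain used on every half."""
    for _ in range(times):
        data = hashlib.sha256(data).digest()
    return data


def keygen(seed=None):
    """Algorithm 1: sk is a 16-step SHA-512 chain from a 64-byte seed."""
    seed = os.urandom(64) if seed is None else seed
    s = hashlib.sha512(seed).digest()
    sk = []
    for _ in range(N_ELEMENTS):
        sk.append(s)
        s = hashlib.sha512(s).digest()
    # Each pk element is the 129th post-image of both halves of sk_i, concatenated.
    pk = [sha256_iter(k[:HALF], CHAIN_LEN) + sha256_iter(k[HALF:], CHAIN_LEN)
          for k in sk]
    return sk, pk


def index_strings(h_hex):
    """Eqs. (12)-(13): per hex symbol, the concatenated 1-based positions where it occurs."""
    strings = {sym: "" for sym in HEX_SYMBOLS}
    for pos, sym in enumerate(h_hex, start=1):
        strings[sym] += str(pos)
    return [strings[sym] for sym in HEX_SYMBOLS]


def sum_index_string(h_hex):
    """Eq. (14): digit sum of each index_string, forced into the range 1..128.

    The range is what keeps sk secret: the signer hashes each half of sk_i at
    least once (so no sk half is ever published) and at most 128 times (so the
    verifier always has at least one chain step left before reaching pk_i).
    """
    return [sum(int(d) for d in s) % 128 + 1 for s in index_strings(h_hex)]


def sign(sk, message):
    """Algorithm 2: sigma_i = sha256^{s_i}(fsk_i) || sha256^{129 - s_i}(bsk_i)."""
    s_list = sum_index_string(hashlib.sha512(message).hexdigest())
    return [sha256_iter(k[:HALF], s) + sha256_iter(k[HALF:], CHAIN_LEN - s)
            for k, s in zip(sk, s_list)]


def verify(pk, message, sigma):
    """Eq. (16): finish both chains (129 - s_i forward, s_i backward) and compare with pk."""
    if len(sigma) != N_ELEMENTS or any(len(x) != 2 * HALF for x in sigma):
        return False
    s_list = sum_index_string(hashlib.sha512(message).hexdigest())
    vk = [sha256_iter(x[:HALF], CHAIN_LEN - s) + sha256_iter(x[HALF:], s)
          for x, s in zip(sigma, s_list)]
    # Constant-time comparison of the recomputed 1 KB verification key against pk.
    return hmac.compare_digest(b"".join(vk), b"".join(pk))


def demo():
    """Sign a constructed message; return (valid, tampered_valid, |PK| bytes, |sigma| bytes)."""
    sk, pk = keygen(b"constructed demo seed, not a real key".ljust(64, b"\0"))
    msg = b"constructed example message for NOTS"
    sigma = sign(sk, msg)
    return (verify(pk, msg, sigma),
            verify(pk, msg + b" (tampered)", sigma),
            len(b"".join(pk)),
            len(b"".join(sigma)))


if __name__ == "__main__":
    print("Figure 2 sum_index_string:", sum_index_string(EXAMPLE_H_HEX))
    print("valid, tampered, |PK|, |sigma| =", demo())
```

The sizes returned by demo() are the 1 KB key and signature the paper states for p = 4 and n = 512, and sum_index_string(EXAMPLE_H_HEX) reproduces the 16 values in Figure 2.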
V. NOTS SECURITY ANALYSIS
The foremost security requirement of NOTS is that it must be instantiated with a secure hash function which can resist three types of attacks: pre-image attacks, second pre-image attacks, and collision attacks. In the case of a pre-image attack, the challenge for the adversary (ADV) is to find an input whose corresponding output is known to him (Eq. 17). In the case of a second pre-image attack, the adversary knows an input-output pair (x, y), and the challenge for him is to find another input which is different from x but whose output is the same (i.e. y) (Eq. 18). Finally, in the collision challenge, the adversary has to find any two different inputs which map to the same output (Eq. 19).
$Pr[\, y = f_h(x);\; x' \leftarrow ADV(y) : x = x' \,]$ (17)
$Pr[\, y = f_h(x);\; x' \leftarrow ADV(x, y) : x' \neq x \wedge y = f_h(x') \,]$ (18)
$Pr[\, x, x' \leftarrow ADV : x \neq x' \wedge f_h(x) = f_h(x') \,]$ (19)
The resistance power of a cryptographic protocol against
different types of attacks is generally known as the security-
level offered by that protocol. The classical and quantum
security levels offered by a hash function (fh) depend upon
Algorithm 1 Key Generation
Input: security parameter (n)   ▷ we use n = 512
Output: sk[ ], pk[ ]
1: seed ← os.urandom(64)   ▷ "seed" is a 512-bit (64-byte) cryptographic random value
2: s ← sha512(seed)   ▷ hash of "seed" is computed and stored in "s"
3: sk ← [ ]   ▷ "sk" initialization
4: for a = 0 → 15 do   ▷ generates the private key "sk"
5:   sk.append(s)
6:   s ← sha512(s)   ▷ "sk" is simply the hash-chain of the "seed"
7: end for
8: pk ← [ ]   ▷ public key "pk" initialization
9: for a = 0 → 15 do
10:   k ← sk[a]
11:   kf ← k[0 : 31]   ▷ each sk element is divided into two halves "kf" and "kb"
12:   kb ← k[32 : 63]
13:   for b = 1 → 129 do   ▷ a pk-element is the 129th post-image of the corresponding sk-element
14:     kf ← sha256(kf)   ▷ hash chains are applied to "kf" and "kb" separately
15:     kb ← sha256(kb)
16:   end for
17:   pk.append(kf + kb)   ▷ concatenation of the final chain results produces the corresponding pk-element
18: end for
Algorithm 2 Signature Creation
Input: message(M), priv ate key(sk[ ])
Output: signatures(σ[ ])
1: Hsha512(M)hash of message is computed
2: Hhex hexlify(H)hash of message in its hexadecimal representation
3: index_strings [ ] defines an empty list “index_strings"
4: hex_symbols “0123456789abcdef the hexadecimal alphabet-set stored as an array
5: for (hs)in (hex_symbols)do a loop iterating for each of the hexadecimal alphabet
6: str an empty string declaration
7: for a= 1 128 do a loop parsing whole of the hexadecimal message hash
8: if Hhex[a] == hs then filters the message-hash indexes containing the corresponding hash-alphabet
9: str str +a
10: end if
11: end for
12: index_strings.append(str)appends “str" from the inner loop into the list “index_strings"
13: end for
14: sum_index_strings [ ] defines an empty list “sum_index_strings"
15: for (indstr)in (index_strings)do a loop parsing whole of the list “index_strings"
16: sum 0
17: for (a)in (indstr)do to access each of the digit in the string “indstr"
18: sum sum +int(a)summing-up the digits of “indstr"
19: end for
20: sum (sum%128) + 1 to ensure that “sum" always lies in the range (1 128)
21: sum_index_strings.append(sum)appending “sum" from the inner loop into the list “sum_index_string"
22: end for
23: σ initializes signatures as an empty list
24: for a= 0 15 do
25: ksk[a]
26: kf k[0 : 31] each sk-element is divided into two halves “kf" and “kb"
27: kb k[32 : 63]
28: for f= 1 sum_index_strings[a]do the “kf" will be hashed for “sum_index_strings" no. of times
29: kf sha256(kf )
30: end for
31: for b= 1 (129 sum_index_strings[a]) do the “kb" will be hashed for 29 minus the “sum_index_strings" no. of times
32: kb sha256(kb)
33: end for
34: σ.append(kf +kb)concatenation of the above chain results produce the corresponding signature-element
35: end for
digest-size (d) of that function [32]. The post-quantum secu-
rity level of a family of hash functions is relatively smaller
than the classical security level because of the popular
Grover’s search algorithm [34]. A d-sized hash function is
capable of providing d-bit classical and d
2-bit post- quan-
tum security against pre-image and second pre-image based
attacks. However, collision resistant is relatively a complex
security requirement and hence, relatively harder to achieve.
Therefore, a d-sized hash function provides d
2-bit classical
and d
3-bit post-quantum security against collision based at-
tacks [30], [33]. Table- 2 lists down the classical and post-
quantum security levels of the common hash functions.
A. FORMAL SECURITY PROOF OF NOTS
In this subsection, we formally prove that NOTS is an existentially unforgeable signature scheme under adaptive chosen message attack (CMA). We prove that NOTS is unforgeable as long as the underlying hash function used by NOTS is a one-way hash function. Formally stated, we prove that the security of NOTS reduces to the one-wayness of the underlying hash function used to instantiate NOTS.
Algorithm 3 Signature Verification
Input: message (M), signatures (σ[ ]), public key (pk[ ])
Output: Succeeded / Failed
1: Follow steps 1 to 22 of Algorithm 2 (Signature Creation) to generate the list "sum_index_strings"
2: vk ← [ ]                         ▷ the public key computed by the verifier
3: for a = 0 → 15 do
4:   s ← σ[a]
5:   sf ← s[0 : 31]                 ▷ each signature element is divided into two halves "sf" and "sb"
6:   sb ← s[32 : 63]
7:   for f = 1 → (129 − sum_index_strings[a]) do  ▷ "sf" is hashed 129 − sum_index_strings[a] times
8:     sf ← sha256(sf)
9:   end for
10:  for b = 1 → sum_index_strings[a] do          ▷ "sb" is hashed sum_index_strings[a] times
11:    sb ← sha256(sb)
12:  end for
13:  vk.append(sf + sb)             ▷ concatenation of the above chain results produces the corresponding vk element
14: end for
15: if vk[i] == pk[i] for all i = 0 → 15 then     ▷ the "vk" computed by the verifier must be equal to "pk"
16:   output: verification succeeded
17: else
18:   output: verification failed
19: end if
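The three algorithms above written out in Python, as an added example for this edit rather than the authors' implementation. It assumes 1-based positions in the hex digest when index strings are built (Algorithm 2 loops a = 1 → 128), reads the slices k[0:31] and k[32:63] as the two 32-byte halves, and gives keygen an optional fixed seed so that runs are reproducible.

```python
"""NOTS key generation, signing and verification after Algorithms 1-3.
Added example, not the paper's code. Assumptions: 1-based digest positions
for index strings, 32-byte halves for the slices, optional fixed seed."""
import hashlib
import os
from typing import List, Optional, Tuple

CHAIN_LEN = 129                  # a pk half is the 129th post-image of the sk half
N_ELEMS = 16                     # one sk/pk/signature element per hex symbol
HEX_SYMBOLS = "0123456789abcdef"


def chain(x: bytes, steps: int) -> bytes:
    """Apply SHA-256 `steps` times in a row (steps may be 0)."""
    for _ in range(steps):
        x = hashlib.sha256(x).digest()
    return x


def keygen(seed: Optional[bytes] = None) -> Tuple[List[bytes], List[bytes]]:
    """Algorithm 1: sk is a SHA-512 hash chain started from a 64-byte seed;
    pk[i] concatenates sha256^129 applied to each 32-byte half of sk[i]."""
    if seed is None:
        seed = os.urandom(64)    # 512-bit cryptographic random value
    s = hashlib.sha512(seed).digest()
    sk = []
    for _ in range(N_ELEMS):
        sk.append(s)
        s = hashlib.sha512(s).digest()
    pk = [chain(k[:32], CHAIN_LEN) + chain(k[32:], CHAIN_LEN) for k in sk]
    return sk, pk


def sum_index_strings(message: bytes) -> List[int]:
    """Algorithm 2, steps 1-22: for every hex symbol, concatenate the (1-based,
    assumed) positions where it occurs in the SHA-512 hex digest, add up the
    decimal digits of that string, and reduce the total to the range 1..128."""
    hex_digest = hashlib.sha512(message).hexdigest()          # 128 hex characters
    result = []
    for hs in HEX_SYMBOLS:
        index_string = "".join(
            str(pos) for pos, c in enumerate(hex_digest, start=1) if c == hs)
        digit_sum = sum(int(d) for d in index_string)
        result.append((digit_sum % 128) + 1)
    return result


def sign(message: bytes, sk: List[bytes]) -> List[bytes]:
    """Algorithm 2, steps 23-35: hash the front half sum_index_strings[i] times
    and the back half 129 - sum_index_strings[i] times (the two always total 129)."""
    sis = sum_index_strings(message)
    return [chain(k[:32], sis[i]) + chain(k[32:], CHAIN_LEN - sis[i])
            for i, k in enumerate(sk)]


def verify(message: bytes, sig: List[bytes], pk: List[bytes]) -> bool:
    """Algorithm 3: finish each chain to its 129th post-image and compare the
    recomputed verification key with pk, element by element."""
    if len(sig) != N_ELEMS or len(pk) != N_ELEMS or any(len(e) != 64 for e in sig):
        return False
    sis = sum_index_strings(message)
    vk = [chain(s[:32], CHAIN_LEN - sis[i]) + chain(s[32:], sis[i])
          for i, s in enumerate(sig)]
    return vk == pk


def demo() -> Tuple[bool, bool, bool]:
    """Round trip on constructed inputs: a genuine signature verifies, the same
    signature is rejected for a different message, and a signature element with
    one flipped byte is rejected."""
    sk, pk = keygen(b"constructed demo seed")               # constructed seed
    msg = b"constructed message"
    sig = sign(msg, sk)
    tampered = list(sig)
    tampered[0] = bytes([sig[0][0] ^ 0x01]) + sig[0][1:]
    return (verify(msg, sig, pk),
            verify(b"constructed message 2", sig, pk),
            verify(msg, tampered, pk))


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```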
1) An overview of NOTS
NOTS is a triple (GEN, SIGN, VERIFY). GEN takes a security parameter (n) as input and returns a key pair (SK, PK), such that $SK = \sum_{i=0}^{15} sk_i$ and $PK = \sum_{i=0}^{15} pk_i$. GEN follows Eq. (11) to compute an individual pk_i from the corresponding sk_i. SIGN takes a message (M) as input and returns the signatures of M, i.e. σ_M. In order to compute the signatures, SIGN computes a list/array of sixteen values, sum_index_strings (following Eqs. (12) to (14)), and transforms each sk_i into the corresponding σ_i following Eq. (15). VERIFY takes the message (M), the signatures (σ_M), and the public key (PK) as input and returns either TRUE (if σ_M is a valid signature of M) or FALSE otherwise. VERIFY follows Eq. (16) to compute a verification key (VK) and compares this verification key with the public key (PK) to decide the validity of the signatures.
2) Existential unforgeability of NOTS
GEN generates a new key pair (SK, PK). A signing oracle O having knowledge of SK is able to sign an arbitrary number of messages. A forger FOR accepts the challenge of breaking the security of the scheme (NOTS). FOR has knowledge of PK and of the underlying algorithm of NOTS; however, FOR does not know SK. FOR can query a message (M_Q) to O, where O must return a valid signature of M_Q to FOR. In the end, FOR returns a message-signature pair (M_F, σ_F) to O. FOR wins the game if σ_F is a valid signature of M_F and M_F ≠ M_Q. NOTS is an existentially unforgeable scheme if FOR queries at most one message to O and the success probability of FOR in time t is at most ε. We formally write this as: NOTS is a (t, ε, 1)-existentially unforgeable signature scheme.
3) Security reduction to pre-image resistance
The background knowledge provided in Subsections V-A1 and V-A2 allows us to finally present our security reduction proof. In this subsection, we prove that the security of NOTS reduces to the one-wayness of the underlying hash function used by NOTS. An adversary ADV_onewayness acting as a signing oracle O initiates the experiment. Algorithm 4 explains how an adversary (ADV_onewayness) can use the forger (FOR_NOTS) to break the one-wayness of the hash function (f_ow) used by NOTS. ADV_onewayness starts by generating a new key pair (SK, PK). Then he alters the forward part of a randomly chosen pk item (i.e. fpk_α). He hashes the challenged post-image y (for which he has to deduce the pre-image) 129 − β times and sets this value as the new value of fpk_α, where β is also a randomly chosen value. Then he runs FOR_NOTS. When FOR_NOTS queries a message (M_Q) for signatures, ADV_onewayness either responds to FOR_NOTS with the valid signature (σ_Q) of M_Q or quits the algorithm (Lines 6–11). Finally, when FOR_NOTS returns a message-signature pair (i.e. M_F, σ_F) to ADV_onewayness, ADV_onewayness is able to return the challenged pre-image x if and only if the conditions in Line 13 are satisfied and the value of sum_index_strings_α for M_F is sufficiently large.
Now we compute the success probability of ADV_onewayness. Since ADV_onewayness chooses both α and β purely at random, its success probability in Lines 6–11 is (128 − β)(2048)^{-1}. The success probability of FOR_NOTS in Line 13 is ε_NOTS. Finally, the success probability of ADV_onewayness in Line 14 is (β)(2048)^{-1}. This allows us to conclude that the overall maximum success probability of ADV_onewayness is ε_NOTS (2^{50})^{-1}. The total time taken by ADV_onewayness (t_ADV_onewayness) includes the key generation time t_GEN (Line 1), the message signing time t_SIGN (Lines 8–10), and the time of FOR_NOTS, t_NOTS (Line 12). Hence it is proved that NOTS is an existentially unforgeable scheme under the CMA model with ε_NOTS ≤ (2^{50})(ε_onewayness) and t_NOTS = t_onewayness − t_GEN − t_SIGN. The security reduction of NOTS to the one-wayness of the underlying hash function allows us to infer that NOTS is capable of providing 128-bit post-quantum security.
Algorithm 4 ADV_onewayness
Input: NOTS scheme (GEN, SIGN, VERIFY), one-way function f_ow, security parameter n, forger FOR, a post-image y
Output: A pre-image x computed from y, such that y = f_ow(x), or fail
1: Generate a new NOTS key pair (SK, PK)
2: Randomly choose an α ∈ {0, ..., 15}
3: Randomly choose a β ∈ {1, ..., 128}
4: fpk_α ← f_ow^{129 − β}(y)        ▷ ADV tampers with the first half of the corresponding PK item
5: Run the forger FOR(., PK)
6: When FOR queries a signature on a message (M_Q) then
7:   If sum_index_strings^Q_α < β then return fail
8:   Generate signatures on message M_Q as:
9:   σ^Q_i ← f_ow^{sum_index_strings^Q_i}(fsk_i) + f_ow^{129 − sum_index_strings^Q_i}(bsk_i) for i ≠ α   ▷ sk_i = fsk_i + bsk_i
10:  σ^Q_α ← f_ow^{sum_index_strings^Q_α − β}(y) + f_ow^{129 − sum_index_strings^Q_α}(bsk_α)
11:  Send σ^Q back to FOR
12: When FOR returns a message/signature pair (M_F, σ^F) then
13:   If σ^F are valid signatures of M_F and M_F ≠ M_Q then
14:     If sum_index_strings^F_α > β then return fail
15:     Compute x ← f_ow^{β − sum_index_strings^F_α − 1}(fσ^F_α)   ▷ "fσ" refers to the first half of the corresponding signature item
16:     return x
17: In all other cases return fail
4) Security reduction to collision resistance
This subsection formally reduces the security of our proposed scheme NOTS to the collision resistance of the hash function (f_cr) used by the scheme. Algorithm 5 explains how an adversary ADV_collision can exploit a forger FOR_NOTS to find hash collisions in f_cr. ADV generates a new key pair (SK, PK) [step 1]. Then ADV initiates the forger FOR, providing him knowledge of the corresponding public key (PK) [step 2]. FOR can ask ADV to generate signatures on a message M_Q, and ADV returns valid signatures of M_Q to FOR [steps 3, 4]. Finally, ADV exploits the message-signature pair returned by FOR (M_F, σ_F) to find collisions in f_cr [steps 5–11].
5) Quantum resiliency in NOTS
NOTS is purely based on hash functions, which are provably quantum-resistant [16]. Even a powerful quantum computer will only slightly affect the security of the hash functions [30], with the help of Grover's quantum search algorithm [34]. This effect can easily be offset by adjusting the digest size of the corresponding hash function. For example, because of a quantum computer, the security of the common hash function SHA256 will decrease from 128-bit to 85-bit. One can easily manage the effect by replacing SHA256 with SHA384, which offers 128-bit post-quantum security [33].
VI. NOTS KEY AND SIGNATURE SIZES
NOTS offers a significant reduction in both key and signature sizes as compared to all of the existing OTS/FTS schemes. The popular OTS/FTS schemes proposed before NOTS include Lamport OTS [13], WOTS and its variants [14], [15], [16], HORS [17], and PORS [19]. NOTS is basically a WOTS-like scheme, which allows computation of the public key purely from the signatures without any additional information. The key and signature lengths of WOTS-like schemes are already smaller than those of the other types of OTS/FTS schemes; however, NOTS offers a further significant reduction in both key and signature lengths as compared to WOTS and its existing variants. A comparison of the key and signature sizes of NOTS with other OTS/FTS schemes is given in Table 3. The formulas for computing key and signature sizes for the different OTS/FTS schemes have already been explained in Subsection III-A (see Equations (1)–(9)). The key and signature sizes vary with the values of certain parameters; therefore, Table 3 also specifies the values we set for the different parameters in order to make the comparison. Here, we provide a brief explanation of those parameters. n is the bit-length of an individual key/signature element. The size of an individual key/signature element is directly related to the security strength of the corresponding scheme. The digest size of the hash function used by the scheme (f_H) to transform an sk_i into the corresponding pk_i also affects the key/signature sizes and the security strength of the scheme. l is the bit-length of the hash of the message (H) to be signed. |key| represents the number of values/elements in SK/PK. w represents the number of hash iterations used to transform an sk_i into the corresponding pk_i. |σ| represents the number of elements in the signatures. σ-size is the size of the signatures (in KB) computed against the parameter values specified in the corresponding row. Key-size is the size of SK/PK (in KB) computed against the parameter values specified in the corresponding row. Finally, the Post-Quantum Security Level (PQ-SL) allows the reader to compare the security strengths of the different schemes against quantum-computer based attacks.
The comparison shows that NOTS offers an 88% reduction in both key and signature sizes as compared to WOTS and an 84% reduction in both key and signature sizes as compared to WOTS_PRF. Furthermore, NOTS offers an 84% and an 86% reduction in the signature and key sizes respectively as compared to the compact variant of WOTS, i.e. WOTS+. Finally, NOTS has achieved all these reductions in key and signature sizes without compromising the security level: NOTS still offers an appropriate post-quantum security.
Algorithm 5 ADV_collision
Input: NOTS scheme (GEN, SIGN, VERIFY), collision-resistant function f_cr, security parameter n, forger FOR
Output: x, x', such that x ≠ x' ∧ f_cr(x) = f_cr(x'), or fail
1: Generate a new NOTS key pair (SK, PK)
2: Run the forger FOR(., PK)
3: When FOR queries a signature on a message (M_Q) then
4:   Respond to FOR with σ^Q
5: When FOR returns a message/signature pair (M_F, σ^F) then
6:   If σ^F are valid signatures of M_F and M_F ≠ M_Q then
7:     Compute sum_index_strings for M_F
8:     If there exists an i such that f_cr^{sum_index_strings^F_i}(fsk_i) ≠ fσ^F_i then
9:       Compute the smallest j such that f_cr^{sum_index_strings^F_i + j}(fsk_i) = f_cr^{j}(fσ^F_i) and f_cr^{sum_index_strings^F_i + (j − 1)}(fsk_i) ≠ f_cr^{j − 1}(fσ^F_i)
10:      x ← f_cr^{sum_index_strings^F_i + (j − 1)}(fsk_i), x' ← f_cr^{j − 1}(fσ^F_i)
11:      return (x, x')
12: In any other case return fail

Table 3: Key and signature sizes: Hash-based OTS/FTS schemes

Scheme   n¹    Hash function   l²    |Key|³   w⁴    |σ|⁵   σ-size⁶   Key-size⁷   PQ-SL⁸
[13]     512   SHA512          512   1024     1     512    32.8      65.5        171
[14]     512   SHA512          512   131      16    131    8.4       8.4         171
[15]     384   SHA384          512   131      16    131    6.3       6.3         173
[16]     384   SHA384          512   147      16    131    6.3       7.1         185
[19]     512   SHA512          512   65536    1     32     2.0       4194        171
NOTS     512   SHA256          512   16       129   16     1.0       1.0         128

¹ Security parameter (n): the length of an individual key/signature element
² The bit-length of the hash of the message to be signed
³ The total number of elements/values in the private/public key
⁴ The number of hash iterations to transform an sk element into the corresponding pk element
⁵ The total number of elements/values in the signatures
⁶ The size of the signatures in KB
⁷ The size of the private/public key in KB
⁸ The post-quantum security level offered by the scheme

VII. NOTS EXECUTION TIME
NOTS offers a fairly small execution time. The exact execution times of the three algorithms, key generation, signature creation, and signature verification, can be seen in the graphs in Figures 3, 4, and 5 respectively. The graphs also help to compare the execution time of NOTS with other OTS/FTS schemes. All these results have been taken on an Intel Core i5 CPU (2.4 GHz) with 4 GB RAM, running the Windows 8.1 32-bit release. The schemes have been implemented in the Python language using the environment "JetBrains PyCharm Community Edition 2018.3.3". The parameter values set for these implementations are the same as given in Table 3. The results show that the execution time of NOTS is comparable to other OTS/FTS schemes. Because NOTS is a WOTS-like scheme, we were especially concerned to compare its execution time with WOTS [14] and WOTS+ [16]. The results show that the execution time of NOTS is equal to that of WOTS, whereas NOTS is clearly faster than WOTS+. Furthermore, WOTS+ uses bit-masking and randomization to replace collision-resistant (CR) hash functions by an undetectable one-way function; however, research reports that bit-masking is more expensive to achieve on quantum processors than collision resistance [35]. Therefore, NOTS is based on pure CR hash functions and avoids bit-masking and/or randomization operations.
[Figure 3: Key Generation Time of the OTS/FTS Schemes. Bar chart; x-axis: OTS/FTS Schemes, y-axis: Key Generation Time (seconds). Data labels in the order of the scheme labels: Lamport [13] 0.006, WOTS [14] 0.012, WOTS+ [16] 0.043, PORS [19] 0.517, NOTS 0.008.]

[Figure 4: Sig. Creation Time of the OTS/FTS Schemes. Bar chart; x-axis: OTS/FTS Schemes, y-axis: Sig. Creation Time (seconds). Data labels in the order of the scheme labels: Lamport [13] 0.001, WOTS [14] 0.007, WOTS+ [16] 0.025, PORS [19] 0.0001, NOTS 0.007.]

[Figure 5: Sig. Verification Time of the OTS/FTS Schemes. Bar chart; x-axis: OTS/FTS Schemes, y-axis: Sig. Verification Time (seconds). Data labels in the order of the scheme labels: Lamport [13] 0.004, WOTS [14] 0.006, WOTS+ [16] 0.024, PORS [19] 0.001, NOTS 0.007.]

VIII. CONCLUSIONS
In this article, we have proposed a novel one-time signature scheme, NOTS, which offers the smallest key and signature sizes of all the existing OTS/FTS schemes. NOTS has achieved an 88% reduction in both key and signature sizes as compared to the popular WOTS scheme. Furthermore, NOTS has achieved an 84% and an 86% reduction in the signature and key sizes respectively as compared to the existing compact variant of WOTS, i.e. WOTS+. The execution time of NOTS is fairly small for all three algorithms: key generation, signature creation, and signature verification. NOTS offers an appropriate level of post-quantum security. NOTS can be used as the base OTS of any of the popular hash-based digital signature schemes, like XMSS or XMSS^MT, to achieve a substantial reduction in both key and signature sizes. The minimal key and signature sizes of NOTS allow us to hope that NOTS-based digital signature schemes will prove the best alternative to ECDSA in cryptocurrencies in the quantum era.
ACKNOWLEDGMENT
M. Imran and M. Shoaib are supported by the Deanship of
Scientific Research at King Saud University through research
group project number RG-1439-036.
References
[1] W. Diffie and M. Hellman, “New directions in cryptography,” IEEE Trans.
Inf. Theor., vol. 22, no. 6, pp. 644–654, Sep. 1976. [Online]. Available:
http://dx.doi.org/10.1109/TIT.1976.1055638
[2] R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining
digital signatures and public-key cryptosystems,” Commun. ACM,
vol. 21, no. 2, pp. 120–126, Feb. 1978. [Online]. Available: http:
//doi.acm.org/10.1145/359340.359342
[3] T. Elgamal, “A public key cryptosystem and a signature scheme based on
discrete logarithms,” IEEE Transactions on Information Theory, vol. 31,
no. 4, pp. 469–472, July 1985.
[4] K. Koyama, U. M. Maurer, T. Okamoto, and S. A. Vanstone, “New public-key schemes based on elliptic curves over the ring Z_n,” in Proceedings of the 11th Annual International Cryptology Conference on Advances in Cryptology, ser. CRYPTO ’91. London, UK: Springer-Verlag, 1992, pp. 252–266. [Online]. Available: http://dl.acm.org/citation.cfm?id=646756.705363
[5] P. W. Shor, “Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer,” SIAM J. Comput., vol. 26, no. 5, pp. 1484–1509, Oct. 1997. [Online]. Available: http://dx.doi.org/10.1137/S0097539795293172
[6] D. Aggarwal, G. Brennen, T. Lee, M. Santha, and M. Tomamichel, “Quantum attacks on bitcoin, and how to protect against them,” Ledger, vol. 3, 10 2017.
[7] W. Buchanan and A. Woodward, “Will quantum computers be the end of
public key encryption?” Journal of Cyber Security Technology, pp. 1–22,
09 2016.
[8] J. Buchmann, C. Coronado, M. Döring, D. Engelbert, C. Ludwig, R. Overbeck, A. Schmidt, A. Vollmer, and R.-P. Weinmann, “Post-quantum signatures,” in IACR Cryptology ePrint Archive, 2004.
[9] J. Buchmann, E. Dahmen, and M. Szydlo, Hash-based Digital Signature
Schemes. Berlin, Heidelberg: Springer Berlin Heidelberg, 2009, pp.
35–93. [Online]. Available: https://doi.org/10.1007/978-3-540-88702-7_3
[10] C. Dods, N. P. Smart, and M. Stam, “Hash based digital signature
schemes,” in Cryptography and Coding, N. P. Smart, Ed. Berlin,
Heidelberg: Springer Berlin Heidelberg, 2005, pp. 96–115.
[11] D. Naor, A. Shenhav, and A. Wool, “One-time signatures revisited: Practical fast signatures using fractal merkle tree traversal,” in 2006 IEEE 24th Convention of Electrical Electronics Engineers in Israel, Nov 2006, pp. 255–259.
[12] J. Buchmann, E. Dahmen, and A. Hülsing, “Xmss - a practical forward
secure signature scheme based on minimal security assumptions,” in Post-
Quantum Cryptography, B.-Y. Yang, Ed. Berlin, Heidelberg: Springer
Berlin Heidelberg, 2011, pp. 117–129.
[13] L. Lamport, “Constructing digital signatures from a one-way function,” in
Tech. Rep, 1979.
[14] R. C. Merkle, “A certified digital signature,” in Advances in Cryptology
CRYPTO’ 89 Proceedings, G. Brassard, Ed. New York, NY: Springer
New York, 1990, pp. 218–238.
[15] J. Buchmann, E. Dahmen, S. Ereth, A. Hülsing, and M. Rückert, “On
the security of the winternitz one-time signature scheme,” in Progress in
Cryptology AFRICACRYPT 2011, A. Nitaj and D. Pointcheval, Eds.
Berlin, Heidelberg: Springer Berlin Heidelberg, 2011, pp. 363–378.
[16] A. Hülsing, “W-ots+ shorter signatures for hash-based signature
schemes,” in Progress in Cryptology AFRICACRYPT 2013, A. Youssef,
A. Nitaj, and A. E. Hassanien, Eds. Berlin, Heidelberg: Springer Berlin
Heidelberg, 2013, pp. 173–188.
[17] L. Reyzin and N. Reyzin, “Better than biba: Short one-time signatures with
fast signing and verifying,” in Information Security and Privacy, L. Batten
and J. Seberry, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg,
2002, pp. 144–153.
[18] D. J. Bernstein, D. Hopwood, A. Hülsing, T. Lange, R. Niederhagen,
L. Papachristodoulou, M. Schneider, P. Schwabe, and Z. Wilcox-O’Hearn,
“Sphincs: Practical stateless hash-based signatures,” in Advances in Cryp-
tology EUROCRYPT 2015, E. Oswald and M. Fischlin, Eds. Berlin,
Heidelberg: Springer Berlin Heidelberg, 2015, pp. 368–397.
[19] J.-P. Aumasson and G. Endignoux, “Improving stateless hash-based signa-
tures,” in Topics in Cryptology CT-RSA 2018, N. P. Smart, Ed. Cham:
Springer International Publishing, 2018, pp. 219–242.
[20] A. Hülsing, L. Rausch, and J. Buchmann, “Optimal parameters for
xmssmt,” in Security Engineering and Intelligence Informatics, A. Cuz-
zocrea, C. Kittl, D. E. Simos, E. Weippl, and L. Xu, Eds. Berlin,
Heidelberg: Springer Berlin Heidelberg, 2013, pp. 194–208.
[21] S. Gueron and N. Mouha, “Sphincs-simpira: Fast stateless hash-based signatures with post-quantum security,” IACR Cryptology ePrint Archive, vol. 2017, p. 645, 2017.
[22] ——, “Simpira v2: A family of efficient permutations using the aes round
function,” in Advances in Cryptology ASIACRYPT 2016, J. H. Cheon
and T. Takagi, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2016,
pp. 95–125.
[23] S. Popov, “The tangle,” in IoTA white paper, 2017. [Online]. Available:
http://iotatoken.com/IOTA_Whitepaper.pdf
[24] theQRL, “The quantum resistant ledger,” in QRL white paper, 2016.
[Online]. Available: https://github.com/theQRL/Whitepaper/blob/master/
QRL_whitepaper.pdf
[25] E. Kiktenko, N. Pozhar, M. Anufriev, A. Trushechkin, R. Yunusov,
Y. Kurochkin, A. Lvovsky, and A. Fedorov, “Quantum-secured
blockchain,” Quantum Science and Technology, vol. 3, 05 2017.
[26] K. Ikeda, “qbitcoin: A peer-to-peer quantum cash system,” in Intelligent
Computing, K. Arai, S. Kapoor, and R. Bhatia, Eds. Cham: Springer
International Publishing, 2019, pp. 763–771.
[27] R. El Bansarkhani, M. Geihs, and J. Buchmann, “Pqchain: Strategic design
decisions for distributed ledger technologies against future threats,” IEEE
Security & Privacy, vol. 16, pp. 57–65, 07 2018.
[28] Y. Gao, X. Chen, Y. Sun, X. Niu, and Y. Yang, “A secure cryptocurrency scheme based on post-quantum blockchain,” IEEE Access, vol. PP, pp. 1–1, 04 2018.
[29] C.-Y. Li, X.-B. Chen, Y.-L. Chen, Y.-Y. Hou, and J. Li, “A new lattice-based signature scheme in post-quantum blockchain network,” IEEE Access, vol. PP, pp. 1–1, 12 2018.
[30] E. Dahmen, K. Okeya, T. Takagi, and C. Vuillaume, “Digital signatures
out of second-preimage resistant hash functions,” in Post-Quantum Cryp-
tography, J. Buchmann and J. Ding, Eds. Berlin, Heidelberg: Springer
Berlin Heidelberg, 2008, pp. 109–123.
[31] L. Coronado García, “On the security and the efficiency of the merkle signature scheme,” IACR Cryptology ePrint Archive, vol. 2005, p. 192, 01 2005.
[32] A. K. Lenstra, “Key length. Contribution to the handbook of information security,” 2004.
[33] K. Chalkias, J. Brown, M. Hearn, T. Lillehagen, I. Nitto, and T. Schroeter,
“Blockchained post-quantum signatures,” 2018 IEEE International Con-
ference on Internet of Things (iThings) and IEEE Green Computing
and Communications (GreenCom) and IEEE Cyber, Physical and Social
Computing (CPSCom) and IEEE Smart Data (SmartData), pp. 1196–1203,
2018.
[34] L. K. Grover, “A fast quantum mechanical algorithm for database search,” in Annual ACM Symposium on Theory of Computing. ACM, 1996, pp. 212–219.
[35] D. Bernstein, “Cost analysis of hash collisions: Will quantum computers
make sharcs obsolete,” 01 2009.
FURQAN SHAHID is pursuing his Ph.D. degree
in Computer Science from COMSATS Univer-
sity Islamabad (CUI), Islamabad, Pakistan. Pre-
viously, he completed his MS/M.Phil in Software
Engineering from International Islamic University,
Islamabad (IIUI) in 2012. He got his Masters
degree in Computer Science from University of
Agriculture, Faisalabad (UAF). He completed his
Bachelor in Computer Science from Petroman
Training Institute, Faisalabad in affiliation with
Allama Iqbal Open University (AIOU) Islamabad. His research interests
include distributed ledgers, post-quantum cryptography, IoT, hash-based
digital signature schemes, cryptocurrencies, and garbled computing.
IFTIKHAR AHMAD is a faculty member in the Information Technology department at the Faculty of Computing and Information Technology. He has also served as a faculty member and a research supervisor at various universities since 2001. Further,
he has been involved in several funded projects as
PI and Co-PI. He holds a Ph.D. in the field of In-
formation Technology from Universiti Teknologi
PETRONAS, Malaysia, 2011. He obtained his
MS/M.Phil. degree in Computer Science from
COMSATS Institute of Information Technology, Abbottabad, Pakistan in
2007. He received the M.Sc. Computer Science from University of Agri-
culture, Faisalabad, Pakistan in 2001 and the B.Sc. degree from Islamia
University, Bahawalpur, Pakistan, in 1999. He has published several papers
in reputed journals and conferences. He is also a member of several scientific
and professional bodies.
MUHAMMAD IMRAN is an Associate Professor
in the College of Applied Computer Science at
King Saud University, Saudi Arabia. He received
a Ph. D in Information Technology from the Uni-
versity Teknologi PETRONAS, Malaysia in 2011.
His research interest includes Internet of Things,
Mobile and Wireless Networks, Big Data Analyt-
ics, Cloud computing, and Information Security.
His research is financially supported by several
grants. He has completed a number of interna-
tional collaborative research projects with reputable universities. He has
published more than 150 research articles in top conferences and journals.
European Alliance for Innovation (EAI) has appointed him as an Editor in
Chief for EAI Transactions on Pervasive Health and Technology. He also
serves as an associate editor for reputable international journals such as IEEE
Communications Magazine, Future Generation Computer Systems, IEEE
Access, Ad Hoc & Sensor Wireless Networks Journal (SCIE), IET Wireless
Sensor Systems, International Journal of Autonomous and Adaptive Com-
munication Systems (Inderscience). He served/serving as a guest editor for
more than a dozen special issues in journals such as IEEE Communications
Magazine, Computer Networks (Elsevier), Future Generation Computer
Systems (Elsevier), MDPI Sensors, International Journal of Distributed
Sensor Networks (Hindawi), Journal of Internet Technology, and Interna-
tional Journal of Autonomous and Adaptive Communications Systems. He
has been involved in more than seventy conferences and workshops in
various capacities such as a chair, co-chair and technical program committee
member.
MUHAMMAD SHOAIB received his Ph.D. de-
gree in Communication and Information System
from Beijing University of Posts and Telecommu-
nications, China (2010). He received his M.Eng.
(2005) and B.Eng. (1995) from NED University of
Engineering and Technology, Karachi. His areas
of research include video compression techniques,
multilayer video coding, commercial Data Center
facilities and IP packet based network, infrastruc-
ture and security. He worked as a Senior Manager
(IP Operations, South) in Pakistan Telecommunication Company Limited,
Pakistan. He also worked as a Maintenance Engineer in R. M. International.
Currently, he is working as an Assistant Professor in the College of Com-
puter and Information Sciences (Information Systems Department) in King
Saud University.
12 VOLUME x, 20xx
This paper introduces Simpira, a family of cryptographic permutations that supports inputs of 128×b128 \times b bits, where b is a positive integer. Its design goal is to achieve high throughput on virtually all modern 64-bit processors, that nowadays already have native instructions for AES. To achieve this goal, Simpira uses only one building block: the AES round function. For b=1, Simpira corresponds to 12-round AES with fixed round keys, whereas for b2b\ge 2, Simpira is a Generalized Feistel Structure (GFS) with an F-function that consists of two rounds of AES. We claim that there are no structural distinguishers for Simpira with a complexity below 21282^{128}, and analyze its security against a variety of attacks in this setting. The throughput of Simpira is close to the theoretical optimum, namely, the number of AES rounds in the construction. For example, on the Intel Skylake processor, Simpira has throughput below 1 cycle per byte for b4b \le 4 and b=6. For larger permutations, where moving data in memory has a more pronounced effect, Simpira with b=32 (512 byte inputs) evaluates 732 AES rounds, and performs at 824 cycles (1.61 cycles per byte), which is less than 13%13\,\% off the theoretical optimum. If the data is stored in interleaved buffers, this overhead is reduced to less than 1%1\,\%. The Simpira family offers an efficient solution when processing wide blocks, larger than 128 bits, is desired.