Post-Quantum Two-Party Adaptor Signature Based on Coding Theory

Abstract

An adaptor signature can be viewed as a signature concealed with a secret value and, by design, any two of the trio yield the other. In a multiparty setting, an initial adaptor signature allows each party to create additional adaptor signatures without the original secret. Adaptor signatures help address scalability and interoperability issues in blockchain. They can also bring some important advantages to cryptocurrencies, such as low on-chain cost, improved transaction fungibility, and fewer limitations of a blockchain’s scripting language. In this paper, we propose a new two-party adaptor signature scheme that relies on quantum-safe hard problems in coding theory. The proposed scheme uses a hash-and-sign code-based signature scheme introduced by Debris-Alazard et al. and a code-based hard relation defined from the well-known syndrome decoding problem. To achieve all the basic properties of adaptor signatures formalized by Aumayr et al., we introduce further modifications to the aforementioned signature scheme. We also give a security analysis of our scheme and its application to the atomic swap. After providing a set of parameters for our scheme, we show that it has the smallest pre-signature size compared to existing post-quantum adaptor signatures.

1. Introduction

In cryptocurrencies and other blockchain applications, transactions are validated by miners, using decentralized consensus protocols. A transaction is akin to an application formed by scripts. The scripting language of a blockchain allows the encoding of potential functionalities and rules that make a transaction valid. Therefore, the fee for a transaction corresponds to the storage and computational cost of executing the transaction’s script by a miner. The fee sometimes can be excessively high for some cryptocurrencies with a scripting language that enables a more complex transaction logic. In addition to the high fee issue, the public verifiability feature of transactions and the permissionless nature of consensus protocols pose some other challenges with regard to scalability, privacy and transaction throughput.

The main approach to addressing the aforementioned issues is to reduce the size of on-chain transactions by handing off some transactions to off-chains. The goal is to use as few scripts as possible for on-chain transactions. Current promising solutions are payment channel networks (PCNs) [1,2,3,4,5,6,7]. They allow an off-chain payment between a sender and receiver through an intermediary. However, they do it by relying on the scripting-based functionality, which is available only with a few cryptocurrencies. To address this scripting issue, Poelstra [8] introduced a technique called scriptless script that enables us to create smart contracts without a script. The technique was later formalized as an adaptor signature by Fournier [9]. Recently, Aumayr et al. [10] have presented a full formalization of the adaptor signature as a cryptographic primitive.

An adaptor signature is a two-step signing algorithm bound to a secret. It is defined from a digital signature scheme and a hard relation. In the adaptor signature, the first pre-signature is generated by a user with knowledge of a witness of the hard relation.

The complete signature reveals the witness and can be verified by its corresponding verification algorithm. In blockchain applications, adaptor signatures bring some advantages to cryptocurrencies, such as a reduction in the on-chain cost and an improvement of each transaction’s fungibility.

Since the work by Poelstra, several articles on adaptor signature have appeared, e.g., [9,10,11,12,13,14,15,16,17]. In [10], the authors introduced two adaptor signature schemes based on Schnorr’s signature and the elliptic curve digital signature algorithm (ECDSA), respectively. Authors of [12] showed that signature schemes that are constructed from identification schemes with some additional homomorphic properties can be transformed into adaptor signature schemes. In [14], the authors showed how to provide an adaptor signature instance from any one-way homomorphic function. In [12] (respectively [17]), the authors designed a post-quantum adaptor signature based on lattices (respectively, isogenies).

1.1. Motivation

The adaptor signature is one of the central primitives in today’s cryptocurrency-based payment ecosystem. A few exceptions aside, most of the existing adaptor signature schemes will, however, be broken with the arrival of sufficiently large quantum computers. Thus, it is important to explore various ways to design efficient adaptor signature schemes that are quantum safe. Code-based cryptography, which has been studied for many years, is considered resistant against quantum-computer attacks and is one of the finalists in the current post-quantum cryptography (PQC) standardization process undertaken by the National Institute of Standards and Technology (NIST). To our knowledge, no adaptor signature scheme based on coding theory exists in the literature. Therefore, even if key sizes are large in code-based cryptography, designing a code-based adaptor signature is of interest to ensure the post-quantum security of blockchain applications.

1.2. Our Contributions

In this paper, we present a post-quantum adaptor signature scheme using cryptographic assumptions rooted in coding theory. To design our scheme, we use a hash-and-sign code-based signature scheme, called Wave, which was introduced by Debris-Alazard et al. [18]. The hard relation used in our scheme is defined from the well-known NP-complete problem in coding theory. However, in order to achieve the pre-signature correctness and pre-signature adaptability for adaptor signatures, we introduce a few modifications to Wave. After designing our scheme, we show that it satisfies the pre-signature correctness and the pre-signature adaptability property of the adaptor. We present a security analysis of our scheme and compare the latter with existing post-quantum adaptor signature schemes. We also give an application of our scheme to the atomic swap.

1.3. Organization

The remainder of the paper is organized as follows. Section 2 provides some preliminaries on coding theory and adaptor signature. In Section 3, we present the design of our code-based adaptor signature scheme and its security analysis. In Section 4, we provide a set of parameters for our scheme and its comparison with other post-quantum adaptor signature schemes. In Section 5, we give the application of our scheme in an atomic swap. Finally, we conclude in Section 6.

2. Preliminaries

2.1. Coding Theory

Let $\mathbb{F}$ be the finite field ${\mathbb{F}}_q$ with $q=p^m$ and p a prime number. A linear code $\mathcal{C}$ of length n and dimension k over $\mathbb{F}$ is a vector subspace of dimension k of ${\mathbb{F}}^n$. It can be specified by a full rank matrix $\mathbf{G}\in {\mathbb{F}}^{k\times n}$ called the generator matrix. The rows of $\mathbf{G}$ span the code $\mathcal{C}$. Specifically, a linear code can be defined by its generator matrix as follows:

$$\mathcal{C}=\left\{\mathit{m}\mathbf{G}\mathrm{s}\mathsf{.}\mathrm{t}\mathsf{.}\mathit{m}\in {\mathbb{F}}^k\right\}$$

A linear code can be also defined by the right kernel of matrix $\mathbf{H}$ called parity-check matrix of $\mathcal{C}$:

$$\mathcal{C}=\left\{\mathit{x}\in {\mathbb{F}}^n\mathrm{s}\mathsf{.}\mathrm{t}\mathsf{.}\mathit{x}{\mathbf{H}}^T=\mathbf{0}\right\}$$

The Hamming distance between two codewords is the number of positions (coordinates) where they differ. The minimal distance of a code is the minimal distance of all codewords.

The weight of a word/vector $\mathit{x}\in {\mathbb{F}}^n$ denoted by $wt\left(\mathit{x}\right)$ is the number of its non-zero positions. Then, the minimal weight of a code $\mathcal{C}$ is the minimal weight of all non-zero codewords. In the case of linear code $\mathcal{C}$, its minimal distance is equal to the minimal weight of the code.

In this paper, the set of vectors of length n and weight $\omega$ is denoted by ${\mathcal{S}}_{q,n,\omega }=\{\mathit{x}\in {\mathbb{F}}^n$$\mathrm{s}\mathsf{.}\mathrm{t}\mathsf{.}wt\left(\mathit{x}\right)=\omega \}$. For two given integers a and b, where $a<b<n$, we denote the set of vectors of length n with $wt\left(\mathit{x}\right)\in [a,b]$ by ${\mathcal{S}}_{q,n,[a,b]}=\{\mathit{x}\in {\mathbb{F}}^n\mathrm{s}\mathsf{.}\mathrm{t}\mathsf{.}a\le wt\left(\mathit{x}\right)\le b\}.$

2.2. Hard Problems in Coding Theory

In this subsection, we recall some NP-complete problems in coding theory.

Problem 1. (Binary Syndrome Decoding (SD) problem)

Input: A matrix $\mathbf{H}\in {\mathbb{F}}_2^{r\times n}$, a vector $\mathbf{s}\in {\mathbb{F}}_2^r$, and an integer $\omega >0$.

Output: A vector $\mathit{y}\in {\mathbb{F}}_2^n$ such that $wt\left(\mathit{y}\right)\le \omega$ and $\mathbf{s}=\mathit{y}{\mathbf{H}}^T$.

The SD problem was proved to be NP-complete in 1978 by McEliece and Van Tilbord [19]. Some of its instances can be solved in polynomial time, depending on the input. In particular, when the parameter $\omega$ is in the interval $\left[\frac{r}{2},n-\frac{r}{2}\right]$, solving it becomes easy—first, determine a pseudo-inverse ${\mathbf{H}}^{-1}$ of the matrix $\mathbf{H}$ and then compute the product $\mathit{s}{\mathbf{H}}^{-1}$ to return a valid solution with a high probability. However, when the value of the parameter $\omega$ is not in $\left[\frac{r}{2},n-\frac{r}{2}\right]$, if a single solution exists, finding it is much harder. For non-binary finite field ${\mathbb{F}}_q$, the corresponding interval is given by $\left[\frac{(q-1)r}{q},n-\frac{r}{q}\right]$ [18]. We now give the following definition.

Definition 1.

Let n, k, and ω be non-zero integers. Let $\mathbf{H}\in {\mathbb{F}}_q^{r\times n}$ be a matrix, where $r=n-k$. Let $\mathit{e}\in {\mathcal{S}}_{q,n,\omega }$ be an error vector such that $\mathbf{s}=\mathit{e}{\mathbf{H}}^T$. We say that an instance of a syndrome decoding problem is ϵ-hard if for all probabilistic polynomial time (PPT) algorithm $\mathcal{A}$ with input $(\mathbf{H},\mathit{s})$ we have

$$Pr[\mathit{e}⟵\mathcal{A}(\mathbf{H},\mathbf{s}\left)\right]\le ϵ$$

The syndrome decoding problem is equivalent to the following problem.

Problem 2 (General Decoding (GBD) problem).

Input: A matrix $\mathbf{G}\in {\mathbb{F}}_q^{k\times n}$, a vector $\mathit{y}\in {\mathbb{F}}_q^n$, and an integer $\omega >0$.

Output: Two vectors $\mathit{m}\in {\mathbb{F}}_q^k$ and $\mathit{e}\in {\mathbb{F}}_q^n$ such that $wt\left(\mathit{e}\right)=\omega$ and $\mathit{y}=\mathit{m}\mathbf{G}+\mathit{e}$.

Problem 3 (Generalized) code distinguishing problem).

Input: A matrix $\mathbf{H}\in {\mathbb{F}}_q^{r\times n}$.

Output: Decide whether $\mathbf{H}$ is a parity-check matrix of a generalized ($U,U+V$) code.

Problem 3 is one of the problems on which the security assumption of our adaptor signature scheme relies. It is hard in the worst case; for more information about its hardness or NP-completeness, we refer the reader to [18,20].

The following problem is used in the security proof of the underlying signature scheme that we use in this paper. It was first considered by Johansson and Jonsson in [21] and was analyzed later by Sendrier in [22].

Problem 4 (Decoding One Out of Many (DOOM) problem).

Input: A matrix $\mathbf{H}\in {\mathbb{F}}_q^{r\times n}$, a set of vectors ${\mathit{s}}_1$, ${\mathit{s}}_2$,...,${\mathit{s}}_N\in {\mathbb{F}}_q^r$ and an integer ω.

Output: A vector $\mathit{e}\in {\mathbb{F}}_q^n$ and an integer i such that $1\le i\le N$, $wt\left(\mathit{e}\right)=\omega$ and ${\mathit{s}}_i=\mathit{e}{\mathbf{H}}^T$.

2.3. Hard Relation

A hard relation is a relation $\mathcal{R}$ with a statement–witness pair such that the following hold:

•

There is a PPT algorithm $\mathsf{Gen}\left({\mathsf{1}}^{˘}\right)$ with input of the security parameter $\lambda$ and output of a statement–witness pair $(\mathit{Y},\mathit{x})$.

•

The relation $\mathcal{R}$ is in poly-time decidable.

•

For all PPT adversaries $\mathcal{A}$, there is a negligible function $ϵ$ such that

$$Pr\left[(\mathit{Y},{\mathit{x}}^{*})\in \mathcal{R}\begin{array}{c}(\mathit{Y},\mathit{x})⟵\mathsf{Gen}\left(1^{\lambda }\right)\\ {\mathit{x}}^{*}=\mathcal{A}\left(\mathit{Y}\right)\end{array}\right]\le ϵ\left(\lambda \right)$$

The language associated to the relation $\mathcal{R}$ is the set denoted by $L_{\mathcal{R}}$ and defined by

$$L_{\mathcal{R}}=\left\{\mathit{Y}\right|\exists \mathit{x}\mathrm{s}\mathsf{.}\mathrm{t}\mathsf{.}(\mathit{Y},\mathit{x})\in \mathcal{R}\}$$

2.4. Code-Based Signature Scheme

The first secure code-based signature is due to Courtois et al. (CFS) [23]. It uses two security assumptions: the indistinguishability of random binary linear codes and the hardness of the syndrome decoding problem. This scheme is not considered practical due to the difficulty of finding a random decodable syndrome. It was later modified by Dallot [24] and became to be known as the mCFS (modified Courtois–Finiasz–Sendrier) signature scheme. One of the security assumptions in mCFS is the indistinguishability of random Goppa binary codes. This led to the emergence of an attack [25]. Currently, the latest code-based signature scheme of this type is due to Debris-Alazard et al. [18]. Their scheme is called Wave and is based on generalized ($U,U+V$) codes over ${\mathbb{F}}_q$ with $q\ge 3$. Wave is currently one of the most secure and efficient code-based signature schemes designed from a framework other than the Fiat–Shamir transformation. A description of Wave is given in Figure 1.

2.5. Adaptor Signature Scheme

In this subsection, we recall the formal definition of the adaptor signature followed by its basic security properties.

Definition 2

(Adaptor signature [10]). An adaptor signature ${\mathsf{\prod }}_{\mathcal{R},\mathrm{\Xi }}$ defined with respect to hard relation $\mathcal{R}$ and a digital signature scheme $\mathrm{\Xi }=\left(\mathrm{Gen},\mathrm{Sign},\mathrm{Verif}\right)$ is a tuple of four algorithms $\left(\mathrm{PreSign},\mathrm{PreVerif},\mathrm{Adapt},\mathrm{Ext}\right)$, where the following hold:

•

$\mathrm{PreSign}(\mathrm{sk},\mathit{m},\mathit{Y})$ is a PPT algorithm that takes as input a secret key sk, a statement $\mathit{Y}$ and a message $\mathit{m}\in {\mathbb{F}}_2^{*}$, and outputs a pre-signature $\tilde{\sigma }$.

•

$\mathrm{PreVerif}(\mathrm{pk},\mathit{m},\mathit{Y},\tilde{\sigma })$ is a DPT algorithm that takes as input a public key pk, a statement $\mathit{Y}$, and a pre-signature $\tilde{\sigma }$, and produces 0 or 1 as output.

•

$\mathrm{Adapt}(\tilde{\sigma },\mathit{x})$ is a DPT algorithm that takes as input a pre-signature $\tilde{\sigma }$ and witness y and outputs a valid signature σ.

•

$\mathrm{Ext}(\mathit{Y},\sigma ,\tilde{\sigma })$ is a DPT algorithm that on input a signature σ, pre-signature $\tilde{\sigma }$ and statement $\mathit{Y}\in L_{\mathcal{R}}$, outputs a witness $\mathit{x}$ such that $(\mathit{Y},\mathit{x})\in \mathcal{R}$, or the symbol ⊥.

Note that adaptor signature schemes inherit the key generation, signature and verification algorithms of the underlying signature scheme and hence, acquire the correctness of the standard digital signature scheme. An adaptor signature scheme, however, has to verify some supplementary properties given by the following definitions.

Definition 3

(Pre-signature correctness [10]). An adaptor signature ${\mathsf{\prod }}_{\mathcal{R},\mathrm{\Xi }}$ satisfies pre-correctness if for every $\lambda \in \mathbb{N}$, every message $\mathit{m}\in {\{0;1\}}^{*}$ and every statement/witness pair $(\mathit{Y},\mathit{x})\in \mathcal{R}$, the following holds:

$$Pr\left[\begin{array}{cc}\mathsf{PreVerif}(\mathrm{pk},\mathit{m},\mathit{Y},\tilde{\sigma })=1& \\ \wedge & (\mathrm{sk},\mathrm{pk})\leftarrow \mathsf{Gen}\left(1^{\lambda }\right)\\ \mathrm{Verif}(\mathrm{pk},\mathit{m},\sigma )=1& \tilde{\sigma }\leftarrow \mathrm{PreSign}(sk,\mathit{m},\mathit{Y})\\ \wedge & \sigma :=\mathsf{Adapt}(\mathrm{pk},\mathit{x},\tilde{\sigma })\\ (\mathit{Y},{\mathit{x}}^{\prime })\in \mathcal{R}& {\mathit{x}}^{\prime }:=\mathsf{Ext}(\sigma ,\tilde{\sigma },\mathit{Y})\end{array}\right]=1$$

More precisely, the pre-signature correctness states that a valid pre-signature $\tilde{\sigma }$, which is honestly generated w.r.t. a statement $\mathit{Y}\in L_{{\mathcal{R}}_{{\mathbf{H}}_{\mathrm{pk}}}}$, could be adapted into a valid signature. From this signature, we can extract a witness $\mathit{x}$ for the statement $\mathit{Y}$. The second basic required property for the adaptor signature is the pre-signature adaptability. This second one is stronger than the pre-signature correctness property. It is given by the following definition.

Definition 4

(Pre-signature adaptability). An adaptor signature ${\mathsf{\prod }}_{\mathcal{R},\mathrm{\Xi }}$ satisfies pre-signature adaptability if for any $\lambda \in \mathbb{N}$, any message $\mathit{m}\in {\{0;1\}}^{*}$, any statement/witness pair $(\mathit{Y},\mathit{x})\in \mathcal{R}$, any key pair $(\mathrm{sk},\mathrm{pk})⟵\mathsf{Gen}\left(1^{\lambda }\right)$ and any pre-signature $\tilde{\sigma }$ withPreVerif$(\mathrm{pk},\mathit{m},\mathit{Y},\tilde{\sigma })=1$, we have

$$Pr\left[\mathrm{Verif}(\mathrm{pk},\mathit{m},\mathsf{Adapt}(\mathrm{pk},\mathit{m},\tilde{\sigma })\right]=1$$

The pre-signature adaptability states that in reality, all valid pre-signature w.r.t. a statement $\mathit{Y}\in L_{\mathcal{R}}$ can be adapted to a valid one, using a witness $\mathit{x}$ such that $(\mathit{Y},\mathit{x})\in \mathcal{R}$.

For an adaptor signature, there are two main required security properties: the unforgeability under chosen message attacks and witness extractability. These security properties are defined formally by Aumayr et al. [10]. Below, we recall the formal definition of the existential unforgeability under the chosen message attack for the adaptor signature (aEUF-CMA) and that of witness extractability.

Definition 5

(aEUF–CMA security [10]). An adaptor signature scheme ${\mathsf{\prod }}_{\mathcal{R},\mathrm{\Xi }}$ is aEUF-CMA secure if for every PPT adversary $\mathcal{A}$, there exists a negligible function ϵ such that

$$Pr\left[{\mathrm{aSigForge}}_{\mathcal{A},{\mathsf{\prod }}_{\mathcal{R},\mathrm{\Xi }}}\left(\lambda \right)=1\right]\le ϵ\left(\lambda \right)$$

where ${\mathrm{aSigForge}}_{\mathcal{A},{\mathsf{\prod }}_{\mathcal{R},\mathrm{\Xi }}}$ is the experiment given below in Figure 2.

The definition of the unforgeability in tthe adaptor signature is similar to that of existential unforgeability under chosen message attacks in the standard digital signature. However, in the case of the adaptor signature, there are some additional requirements: even given a pre-signature on $\mathit{m}$ w.r.t. a random statement $\mathit{Y}\in L_{\mathcal{R}}$, producing a forgery $\sigma$ has to be hard.

The witness extractability experiment and criteria for an adaptor signature are given by the following definitions.

Definition 6

(Witness extractability [10]). An adaptor signature scheme ${\mathsf{\prod }}_{\mathcal{R},\mathrm{\Xi }}$ is witness extractability if for every PPT adversary $\mathcal{A}$, there exists a negligible function ϵ such that

$$Pr\left[{\mathrm{aWitExt}}_{\mathcal{A},{\mathsf{\prod }}_{\mathcal{R},\mathrm{\Xi }}}\left(\lambda \right)=1\right]\le ϵ\left(\lambda \right)$$

where ${\mathrm{aWitExt}}_{\mathcal{A},{\mathsf{\prod }}_{\mathcal{R},\mathrm{\Xi }}}$ is the experiment in Figure 3.

The main difference between the witness extractability and the aEUF-CMA experiment is that in the first one, the adversary is allowed to choose a forgery statement $\mathit{Y}$. Assuming that the adversary knows a witness for $\mathit{Y}$, it can therefore generate a valid signature for the forgery message $\mathit{m}$. Then, it wins when the valid signature does not reveal a witness for $\mathit{Y}$.

The following is the definition of a secure adaptor signature.

Definition 7

(Secure adaptor signature). An adaptor signature ${\mathsf{\prod }}_{\mathcal{R},\mathrm{\Xi }}$ is said to be secure, if it is aEUF-CMA secure, pre-signature adaptable and witness extractable.

3. Code-Based Adaptor Signature

3.1. Description of Our Scheme

In this section, we present our code-based adaptor signature scheme ${\mathsf{\prod }}_{{\mathcal{R}}_{{\mathrm{H}}_{\mathrm{pk}}},Wave}$. Its security relies on the hardness of the syndrome decoding problem.

Let $\mathcal{C}$ be a random q-ary linear code of length n, dimension k, with parity-check matrix ${\mathbf{H}}_{\mathrm{pk}}$ and error correction capability t. Let $\mathit{x}\in {\mathcal{S}}_{q,n,t}$ and $\mathit{Y}\in {\mathbb{F}}_q^{n-k}$. Let the relation ${\mathcal{R}}_{{\mathbf{H}}_{\mathrm{pk}}}$ be defined by

$${\mathcal{R}}_{{\mathbf{H}}_{\mathrm{pk}}}=\{(\mathit{Y},\mathit{x})\mathrm{s}\mathsf{.}\mathrm{t}\mathsf{.}\mathit{Y}=\mathit{x}{\mathrm{H}}_{\mathrm{pk}}^{T}andwt\left(\mathit{x}\right)=t\}$$

We denote the language associated to the relation ${\mathcal{R}}_{{\mathbf{H}}_{\mathrm{pk}}}$ by $L_{{\mathcal{R}}_{{\mathbf{H}}_{\mathrm{pk}}}}$, which is defined by

$$L_{{\mathcal{R}}_{{\mathbf{H}}_{\mathrm{pk}}}}=\{\mathit{Y}\in {\mathbb{F}}_q^{n-k}|\exists \mathit{x}\in {\mathcal{S}}_{q,n,t}\mathrm{s}\mathsf{.}\mathrm{t}\mathsf{.}(\mathit{Y},\mathit{x})\in {\mathcal{R}}_{{\mathbf{H}}_{\mathrm{pk}}}\}$$

For signing a message $\mathit{m}$ in Wave, the sender chooses a random vector $\mathit{r}\in {\mathbb{F}}_2^{2\lambda }$, computes $\mathit{s}={\mathcal{H}}_0(\mathit{m}\parallel \mathit{r})$ and decodes $\mathit{s}$ by using its secret key to find the error vector $\mathit{e}$ of weight $\omega$ such that $\mathit{s}=\mathit{e}{\mathbf{H}}^T$. Therefore, the signature corresponding to the message $\mathit{m}$ is given by the pair $\sigma =(\mathit{e}\mathbf{P},\mathit{r})$.

In our scheme, we use the ternary finite field ${\mathbb{F}}_3$. We also use two different hash functions ${\mathcal{H}}_0:{\{0;1\}}^{*}⟶{\mathbb{F}}_3^{n-k}$ and ${\mathcal{H}}_1:{\{0;1\}}^{*}⟶{\mathcal{S}}_{3,n,\delta }$ for a well-chosen value of the integer $\delta$. In the PreSign algorithm of our adaptor signature, we first randomly choose $\mathit{r}$ in ${\mathbb{F}}_2^{2\lambda }$. Then, for all given $(\mathit{Y},\mathit{Y})\in {\mathcal{R}}_{{\mathbf{H}}_{\mathrm{pk}}}$, we compute $\mathit{s}={\mathcal{H}}_0(\mathit{m}\parallel \mathit{Y}-{\mathit{H}}_1\left(\mathit{r}\right){\mathbf{H}}_{\mathrm{pk}}^T)\in {\mathbb{F}}_3^{n-k}$ instead of $\mathit{s}={\mathcal{H}}_0(\mathit{m}\parallel \mathit{r})$. The PreVerif algorithm of our scheme is similar to the verification algorithm Verif of Wave. Indeed, the receiver has to check that the following equality holds.

$$\mathit{e}{\mathbf{H}}_{\mathrm{pk}}^T={\mathcal{H}}_0(\mathit{m}\parallel \mathit{Y}-{\mathcal{H}}_1\left(\mathit{r}\right){\mathbf{H}}_{\mathrm{pk}}^T)$$

Compared to Wave, the signature of a message $\mathit{m}$ in our scheme is a pair $\sigma =(\mathit{e},{\mathit{r}}^{\prime })$ with $\mathit{e}{\mathbf{H}}_{\mathrm{pk}}^T={\mathcal{H}}_0(\mathit{m}\parallel {\mathit{r}}^{\prime }{\mathbf{H}}_{\mathrm{pk}}^T)$ and ${\mathit{r}}^{\prime }\in {\mathbb{F}}_2^n$ instead of $\mathit{e}{\mathbf{H}}_{\mathrm{pk}}^T={\mathcal{H}}_0(\mathit{m}\parallel {\mathit{r}}^{\prime })$ and ${\mathit{r}}^{\prime }\in {\mathbb{F}}_2^{2\lambda }$.

The Adapt algorithm in our scheme takes as input a tuple $((\tilde{\mathit{e}},\tilde{\mathit{r}}),\mathit{x})$ and output the pair $(\mathit{e},\mathit{r})$, where $\mathit{r}=\mathit{x}-{\mathcal{H}}_1\left(\tilde{\mathit{r}}\right)$ and $\mathit{e}=\tilde{\mathit{e}}$. To extract the witness corresponding to a statement $\mathit{Y}$, we execute the algorithm Ext which takes as input $(\mathit{Y},\tilde{\sigma },\sigma )$, where $\tilde{\sigma }=(\tilde{\mathit{e}},\tilde{\mathit{r}})$ is a pre-signature and $\sigma =(\mathit{e},\mathit{r})$ is the corresponding signature. The algorithm Ext outputs ${\mathit{x}}^{\prime }={\mathcal{H}}_1\left(\tilde{\mathit{r}}\right)+\mathit{r}$ if $\mathit{Y}={\mathit{x}}^{\prime }{\mathbf{H}}_{\mathrm{pk}}^T$ and $wt\left({\mathit{x}}^{\prime }\right)=\omega$. Otherwise, it returns the abort symbol. See Figure 4 for the description of our scheme.

3.2. Security Analysis

Before giving the security analysis of our scheme, let us verify the pre-signature correctness and the pre-signature adaptability of our scheme.

Proposition 1.

The code-based adaptor signature ${\mathsf{\prod }}_{{\mathcal{R}}_{{\mathbf{H}}_{\mathrm{pk}}},Wave}$ described in Figure 4 satisfies the pre-signature adaptability.

Proof. 

Let $\mathrm{pk}:=(\mathbf{S},{\mathbf{H}}_{\mathrm{sk}},\mathbf{P})$ be an arbitrary secret key. Let $\mathit{m}\in {\mathbb{F}}_2^{*}$ be an arbitrary message. Let $\mathrm{pk}:={\mathbf{H}}_{\mathrm{pk}}$ be the corresponding public key of sk, where ${\mathbf{H}}_{\mathrm{pk}}:=\mathbf{S}{\mathbf{H}}_{\mathrm{pk}}\mathbf{P}$ and ${\mathbf{H}}_{\mathrm{pk}}$ is the parity-check matrix of a ($U,U+V$) code. Let us consider $(\mathit{Y},\mathit{x})\in {\mathcal{R}}_{{\mathbf{H}}_{\mathrm{pk}}}$. Let $\tilde{\sigma }$ be a pre-signature generated w.r.t. $\mathit{Y}$. Then $\tilde{\sigma }$ is the tuple ($\tilde{\mathit{e}},\tilde{\mathit{r}}$) so if $\mathrm{pk}(\mathrm{pk},\mathit{m},\mathit{Y},\tilde{\sigma })=1$, we know that $\tilde{\mathit{e}}$ is actually computed by the owner of the secret key sk.

According to the design of Adapt, we have $(\mathit{e},\mathit{r}):=\mathrm{Adapt}(\tilde{\sigma }:=(\tilde{\mathit{e}},\tilde{\mathit{r}}),\mathit{x})$ where $\mathit{r}:=\mathit{x}-{\mathcal{H}}_1\left(\tilde{\mathit{r}}\right)$. We can therefore verify that

$$\begin{array}{cc}{\mathcal{H}}_0(\mathit{m}\parallel \mathit{r}{\mathbf{H}}_{\mathrm{pk}}^T)\hfill & ={\mathcal{H}}_0(\mathit{m}\parallel (\mathit{x}-{\mathcal{H}}_1\left(\tilde{\mathit{r}}\right)){\mathbf{H}}_{\mathrm{pk}}^T\hfill \\ & ={\mathcal{H}}_0(\mathit{m}\parallel \mathit{x}{\mathbf{H}}_{\mathrm{pk}}^T-{\mathcal{H}}_1\left(\tilde{\mathit{r}}\right){\mathbf{H}}_{\mathrm{pk}}^T)\hfill \\ & ={\mathcal{H}}_0(\mathit{m}\parallel \mathit{Y}-{\mathcal{H}}_1\left(\tilde{\mathit{r}}\right){\mathbf{H}}_{\mathrm{pk}}^T)\hfill \\ & =\tilde{\mathit{e}}{\mathbf{H}}_{\mathrm{pk}}^T\hfill \end{array}$$

□

Proposition 2.

The code-based adaptor signature ${\mathsf{\prod }}_{{\mathcal{R}}_{{\mathbf{H}}_{\mathrm{pk}}},Wave}$ described in Figure 4 satisfies the pre-signature correctness.

Proof. 

Let $\mathrm{pk}:=(\mathbf{S},{\mathbf{H}}_{\mathrm{pk}},\mathbf{P})$ be a secret key. Let $\mathit{m}\in {\mathbb{F}}_2^{*}$ be an arbitrary message. Let $\mathrm{pk}={\mathbf{H}}_{\mathrm{pk}}$ be the corresponding public key linked to sk, where ${\mathbf{H}}_{\mathrm{pk}}:=\mathbf{S}{\mathbf{H}}_{\mathrm{pk}}\mathbf{P}$ and ${\mathbf{H}}_{\mathrm{pk}}$ is the parity-check matrix of a ($U,U+V$) code with decoding algorithm $D_{{\mathbf{H}}_0}$. Let us consider $(\mathit{Y},\mathit{x})\in {\mathcal{R}}_{{\mathbf{H}}_{\mathrm{pk}}}$.

Using the public key pk (respectively, the secret key sk), we can compute the syndrome $\mathit{s}:={\mathcal{H}}_0(\mathit{m}\parallel \mathit{Y}-{\mathcal{H}}_1\left(\tilde{\mathit{r}}\right){\mathbf{H}}_{\mathrm{pk}}^T)$ (respectively the corresponding error vector ${\tilde{\mathit{e}}}^{\prime }:=D_{{\mathbf{H}}_{\mathrm{sk}}}\left(\mathit{s}{\left({\mathbf{U}}^{-1}\right)}^T\right)$). Therefore, the pre-signature of the message $\mathit{m}$ is given by $\tilde{\sigma }:=(\tilde{\mathit{e}},\tilde{\mathit{r}})$, where $\tilde{\mathit{e}}={\tilde{\mathit{e}}}^{\prime }\mathbf{P}$. For the pre-verification, we have to check the following equality:

$$\tilde{\mathit{e}}{\mathbf{H}}_{\mathrm{pk}}^T={\mathcal{H}}_0(\mathit{m}\parallel \mathit{Y}-{\mathcal{H}}_1\left(\tilde{\mathit{r}}\right){\mathbf{H}}_{\mathrm{pk}}^T)$$

(1)

When $\tilde{\mathit{e}}$ is honestly computed, equality (1) always holds and then $\mathrm{PreVerif}(\mathrm{pk},\mathit{m},\mathit{Y},\tilde{\sigma })=1$.

According to Figure 4, the output of the adaptor algorithm is given by $\sigma =(\mathit{e},\mathit{r})=\mathrm{Adapt}(\tilde{\sigma },\mathit{x})$, where $\mathit{r}=\mathit{x}-{\mathcal{H}}_1\left(\tilde{\mathit{r}}\right)$ with $(\mathit{Y},\mathit{x})\in {\mathcal{R}}_{{\mathbf{H}}_{\mathrm{pk}}}$ and that of the extractor algorithm is given by ${\mathcal{H}}_1\left(\tilde{\mathit{r}}\right)+\mathit{r}=\mathit{x}-{\mathcal{H}}_1\left(\tilde{\mathit{r}}\right)+{\mathcal{H}}_1\left(\tilde{\mathit{r}}\right)=\mathit{x}$ with $(\mathit{Y},\mathit{x})\in {\mathcal{R}}_{{\mathbf{H}}_{\mathrm{pk}}}$. The fact that $\tilde{\mathit{e}}$ is honestly computed, we have

$${\mathcal{H}}_0(\mathit{m}\parallel \mathit{r}{\mathbf{H}}_{\mathrm{pk}}^T)={\mathcal{H}}_0(\mathit{m}\parallel (\mathit{x}-{\mathcal{H}}_1\left(\tilde{\mathit{r}}\right)){\mathbf{H}}_{\mathrm{pk}}^T)={\mathcal{H}}_0(\mathit{m}\parallel \mathit{Y}-{\mathcal{H}}_1\left(\tilde{\mathit{r}}\right){\mathbf{H}}_{\mathrm{pk}}^T)=\tilde{\mathit{e}}$$

Therefore, in our scheme, $\sigma =(\mathit{e},\mathit{r})$ is a valid signature for the message $\mathit{m}$. □

For the security analysis of the scheme, below, we state the assumptions which the security of our scheme relies on:

Assumption A1.

The advantage of probabilistic polynomial time algorithm $\mathcal{A}$ to solve the syndrome decoding problem is negligible with respect to the length n and the dimension k of the code.

Assumption A2.

The advantage of probabilistic polynomial time algorithm $\mathcal{A}$ to solve the ($U,U+V$) code distinguishing problem is negligible with respect to the length n and dimension k of the code.

Assumption A3.

The advantage of probabilistic polynomial time algorithm $\mathcal{A}$ in solving the decoding out of many (DOOM) problem is negligible with respect to the length n and dimension k of the code.

Under Assumption 1, the relation ${\mathcal{R}}_{{\mathbf{H}}_{\mathrm{pk}}}$ defined in Section 3.1 is a hard relation and under Assumptions 1 and 2, the Wave signature is EUF-CMA secure [18]. Therefore, we have the following.

Theorem 1

(aEUF-CMA Security). Under Assumptions 1, 2 and 3, the code-based adaptor ${\mathsf{\prod }}_{{\mathcal{R}}_{{\mathbf{H}}_{\mathrm{pk}}},Wave}$ defined in Figure 4 is aEUF-CMA secure.

Proof. 

Let $\mathcal{A}$ be an adversary against our scheme in the aEUF-CMA game. Let ${ϵ}_{aCMA}$ be the probability that a PPT adversary wins against our scheme in the aEUF-CMA game. The proof of Theorem 1 consists of coming up with a bound for the adversary advantage $\mathsf{Adv}\left(\mathcal{A}\right)$. Suppose that there is a PPT adversary $\mathcal{A}$ which attacks the aEUF-CMA security of our code-based adaptor signature. That means that $\mathcal{A}$ is able to forge a valid signature ${\sigma }^{\prime }=({\mathit{e}}^{\prime },{\mathit{r}}^{\prime })$ on a targeted message ${\mathit{m}}^{*}$ after receiving the pair pre-signature/statement $(\tilde{\sigma },\mathit{Y})$ from the challenger. $\tilde{\sigma }=(\tilde{\mathit{e}},\tilde{\mathit{r}})$ is a pre-signature w.r.t. $\mathit{Y}$ of the target message ${\mathit{m}}^{*}$ sent to the challenger by $\mathcal{A}$. Let $\sigma =(\mathit{e},\mathit{r})$ be a valid signature obtained w.r.t. the witness $\mathit{x}$ of the $\mathit{Y}$ after executing the adaptor algorithm, i.e., $\mathit{r}=\mathit{x}-{\mathcal{H}}_1\left(\tilde{\mathit{r}}\right)$. If ${\sigma }^{\prime }$ is a valid signature, then we have either ${\sigma }^{\prime }=\sigma$ or ${\sigma }^{\prime }\ne \sigma$.

•

If ${\sigma }^{\prime }=\sigma$, which is equivalent to $({\mathit{e}}^{\prime },{\mathit{r}}^{\prime })=(\mathit{e},\mathit{r})$, then $\mathcal{A}$ is able to find ${\mathit{r}}^{\prime }\in {\mathcal{S}}_{3,n,\left[\right|\delta -t|,\delta +t]}$, such that ${\mathit{r}}^{\prime }=\mathit{r}=\mathit{x}-{\mathcal{H}}_1\left(\tilde{\mathit{r}}\right)$ for a given $\tilde{\mathit{r}}$ and $\mathit{Y}$ such that $\mathit{Y}=\mathit{x}{\mathbf{H}}_{\mathrm{pk}}^T$. The best way to find such a vector ${\mathit{r}}^{\prime }$ is to solve the equation $\mathit{Y}=\mathit{x}{\mathbf{H}}_{\mathrm{pk}}^T$, i.e., to solve a hard instance of the syndrome decoding problem.

•

If ${\sigma }^{\prime }\ne \sigma$, we have two cases:

⋆

${\mathit{e}}^{\prime }=\mathit{e}$ and ${\mathit{r}}^{\prime }\ne \mathit{r}$: this case implies that

$${\mathit{e}}^{\prime }{\mathbf{H}}_{\mathrm{pk}}^T={\mathcal{H}}_0({\mathit{m}}^{*}\parallel {\mathit{r}}^{\prime }{\mathbf{H}}_{\mathrm{pk}}^T)={\mathcal{H}}_0({\mathit{m}}^{*}\parallel \mathit{r}{\mathbf{H}}_{\mathrm{pk}}^T)=\mathit{e}{\mathbf{H}}_{\mathrm{pk}}^T$$

It means that either we have ${\mathit{r}}^{\prime }{\mathbf{H}}_{\mathrm{pk}}^T=\mathit{r}{\mathbf{H}}_{\mathrm{pk}}^T$ or $\mathcal{A}$ is able to find a collision of the hash function ${\mathcal{H}}_0$. With the collision resistance of the hash function ${\mathcal{H}}_0$, the probability that this case happen is less than

$$\frac{1}{3^{n-k}}+\nu \left(\lambda \right)$$

where $\frac{1}{3^{n-k}}$ is the probability for having the equality ${\mathit{r}}^{\prime }{\mathbf{H}}_{\mathrm{pk}}^T=\mathit{r}{\mathbf{H}}_{\mathrm{pk}}^T$ (see [18]).

⋆

${\mathit{e}}^{\prime }\ne \mathit{e}$ and $\mathit{r}\ne {\mathit{r}}^{\prime }$: this last case means that the adversary $\mathcal{A}$ is able to forge a valid signature using the modified version of Wave that we use in our scheme, which is EUF-CMA secure.

By putting it all together, we have

$$\mathrm{Adv}\left(\mathcal{A}\right)\le \frac{1}{3^{n-k}}+{\mathrm{Adv}}_{SD}+{\mathrm{Adv}}_{Wave}+\nu \left(\lambda \right)$$

where ${\mathsf{Adv}}_{\mathsf{Wave}}$ is the advantage of an adversary against Wave in the EUF-CMA game, and ${\mathsf{Adv}}_{\mathsf{SD}}$ is that for solving the syndrome decoding problem. □

Theorem 2.

(Witness Extractability) Under Assumptions 2 and 3, the code-based adaptor ${\mathsf{\prod }}_{{\mathcal{R}}_{{\mathbf{H}}_{\mathrm{pk}}},Wave}$ defined in Figure 4 is witness extractable.

Proof. 

Let $\tilde{\sigma }=(\tilde{\mathit{e}},\tilde{\mathit{r}})$ be the pre-signature correctly computed w.r.t. a statement $\mathit{Y}$. Let ${\sigma }^{\prime }=({\mathit{e}}^{\prime },{\mathit{r}}^{\prime })$ be a valid signature. Let ${\mathit{x}}^{\prime }=\mathrm{Ext}(\mathit{Y},\tilde{\sigma },\sigma )$ be the witness extracted from $\tilde{\sigma }$ and $\sigma$. According to the algorithm Ext in our scheme, we have $wt\left({\mathit{x}}^{\prime }\right)=t$ and $\mathit{Y}={\mathit{x}}^{\prime }{\mathbf{H}}_{\mathrm{pk}}^T$. That means if Ext outputs ${\mathit{x}}^{\prime }$, we have $(\mathit{Y},{\mathit{x}}^{\prime })\in {\mathcal{R}}_{{\mathbf{H}}_{\mathrm{pk}}}$ with a high probability.

Let $\sigma =(\mathit{e},\mathit{r})$ be a valid signature computed w.r.t. $\tilde{\sigma }$ by the honest witness owner. The fact that in the witness extractability game, we should have $(\mathit{Y},{\mathit{x}}^{\prime })\notin {\mathcal{R}}_{{\mathbf{H}}_{\mathrm{pk}}}$, we have

$$(\mathit{Y},{\mathit{x}}^{\prime })\notin {\mathcal{R}}_{{\mathbf{H}}_{\mathrm{pk}}}⟹\mathit{r}\ne {\mathit{r}}^{\prime }⟹\sigma \ne {\sigma }^{\prime }.$$

Therefore, the rest of the proof corresponds to the second part of the proof of Theorem 1. □

4. Parameter Set and Experimental Results

4.1. Parameter Values and Signature Sizes

Referring to Figure 4 and [26], we can see that the length of pre-signature is given by $|\tilde{\sigma }|=k+2\lambda$ and that of the signature is given by $\left|\sigma \right|=k+n.$ For numerical values of the pre-signature and signature for security Level 1 of NIST PQC standard, our scheme will need to use $\delta =517$ and $t=12$. Using other necessary parameters from [26], specifically, $\lambda =128$, $q=3$, $n=8492$, $\omega =7980$, $k_U=3558$, $k_V=2047$ and $d=81$, we obtain the exact sizes of the pre-signature and the signature as 1143 bytes and 2793 bytes, respectively.

Using the above-mentioned parameter values, we give in

Table 1. Comparison of pre-signature and signature sizes (in bytes).

Post-Quantum Adaptor Signature	Pre-Signature	Signature
[17]	$18327\le |\tilde{\sigma }|\le 19944$	$263\le \left|\sigma \right|\le 1880$
[12]	$|\tilde{\sigma }|=3210$	$\left|\sigma \right|=3210$
Our paper	$|\tilde{\sigma }|=1143$	$\left|\sigma \right|=2793$

a numerical comparison of the pre-signature and signature sizes of our scheme with those of [12,17]. In the table, we see that for these parameter values, our scheme has a shorter pre-signature size but a slightly larger signature size. Specifically, for the parameter values given above, the pre-signature size of the scheme described in Figure 4 is more than $2.8$× and 16× smaller than those in [12,17], respectively. On the other hand, the signature size of the proposed scheme is $1.5$× lager than that of [17] and $0.97$× smaller than that of [12].

4.2. Software Prototype

We implemented the proposed scheme in software using the C programming language. For this, we adapted the source code of Bamegas et al. [26] by including necessary add ons, such as our code for the adaptor and extractor algorithms, the generation of random vectors of a given weight and transformation of their signature scheme to our pre-signature algorithm. The timing results of the execution of the code are based on VitualBox Intel@ core i7-1065G7 [email protected] GHZ, LLVM 10.0.0 128 bits, with 4 GB RAM under Ubuntu 18.04.6 64-bits. The code is compiled with GCC 10.3. The source code corresponding to our scheme is available at https://github.com/klambel-hash/Code-based-Adaptor-Signature (accessed on 24 January 2022).

For the purpose of comparison, we also ran the code of the adaptor signature scheme of [17] available at https://github.com/etairi/Adaptor-CSI-FiSh (accessed on 24 January 2022) on the aforementioned platform. In

Table 2. Timings (in ms) for various component algorithms.

Scheme	Parameters	Key Generation	Pre-signature	Pre-verification	Sign	Verify	Adapt	Extract
[17]	($2^1,56,16$)	151.28	14,708.86	14,780.20	3103.45	3031.59	5.07	5.09
	($2^2,38,14$)	267.59	13747.47	13,612.15	2077.47	2002.63	4.86	4.95
	($2^3,28,16$)	473.412	12,746.86	12,636.88	1552.05	1490.81	4.74	4.91
	($2^4,23,13$)	929.40	13,247.47	13,217.23	1290.09	1237.94	4.76	4.87
	($2^6,16,16$)	3411.34	12267.46	12,164.13	924.91	868.56	4.88	4.77
	($2^8,13,11$)	13,169.98	12,448.40	12,310.03	722.81	679.16	4.73	4.64
	($2^{10},11,7$)	56,174.03	13,861.66	13,512.42	717.34	607.41	5.13	5.07
This paper	Section 4.1	2552.53	2097.81	348.95	2097.81	348.95	0.13	0.11

, we report the timing results of our scheme as well as those of [17]. In the table, the parameters for [17] are given as $(S,t_S,k)$, where S is the number of pubic key used, $t_S$ is the number of repetitions performed and k is the rate of the slow hash function (see [17] page 16, for more details). Except for key generation and signature, our scheme consistently requires less time than [17] for all other components, namely, pre-signature, pre-verification, adaption and extraction.

5. An Application of Code-Based Adaptor Signature

In this section, we provide an example blockchain application, namely atomic swap, utilizing our adaptor signature. For this, we assume that the underlying blockchain is using the Wave signature based on coding theory or a full domain hash signature based on coding theory.

5.1. Atomic Swap in a Nutshell

Atomic swap is a peer-to-peer protocol which allows two different users to exchange cryptocurrencies without a trusted party. Its main goal is to allow an exchange of cryptocurrencies from two different blockchains.

During the atomic swap process, users have full ownership and control of their respective private keys. When one of the participants aborts a transaction or does not correctly fulfill the atomic swap process, funds are automatically returned to their original owners. This is possible in an atomic swap because of the use of a particular contract called hash timelock contract (HTLC). The main feature of HTLC is to technically enable the implementation of time-bound transactions between two users or participants. Indeed, when a user receives a HTLC transaction, it has to submit a cryptographic proof within a specific time frame. Otherwise, the funds will be returned to the original sender.

5.2. Atomic Swaps Using Code-Based Adaptor Signature

Let $({\mathrm{sk}}_i,{\mathrm{pk}}_i)$ be the key pair of user $u_i$ for $i=1,2$. Below, we describe how atomic swap could be executed, using our code-based adaptor signature.

•

We start with user $u_1$, who randomly generates $(\mathit{Y},\mathit{x})\in {\mathcal{R}}_{{\mathbf{H}}_{\mathrm{pk}}}$. The user also generates transaction $T{x}_1$ to spend currency c for user $u_2$.

•

User $u_1$ computes the pre-signature ${\tilde{\sigma }}_1=\mathrm{PreSign}({\mathrm{sk}}_1,T{x}_1,\mathit{Y})$ and then sends $({\tilde{\sigma }}_1,T{x}_1,\mathit{Y})$ to user $u_2$.

•

User $u_2$ checks ${\tilde{\sigma }}_1$ using the pre-verification algorithm PreVerif. If the verification is successful, it generates transaction $T{x}_2$ to spend currency $c^{\prime }$ for user $u_1$.

•

User $u_2$ computes a pre-signature ${\tilde{\sigma }}_2=\mathrm{PreSign}({\mathrm{sk}}_2,T{x}_2,\mathit{Y})$ and sends the tuple $({\tilde{\sigma }}_2,T{x}_2,\mathit{Y})$ to user $u_1$. Otherwise, it aborts the transaction.

•

After receiving $({\tilde{\sigma }}_2,\mathit{Y},T{x}_2)$, user $u_1$ computes the pre-verification algorithm on ${\tilde{\sigma }}_2$. If the pre-verification fails, it aborts the transaction. When the pre-verification on ${\tilde{\sigma }}_2$ is successful, user $u_1$ runs the adaptor algorithm Adapt to compute the signature ${\sigma }_2=\mathrm{Adapt}({\tilde{\sigma }}_2,\mathit{x})$, publishes ${\sigma }_2$ on the blockchain and sends it to user $u_2$.

•

After receiving ${\sigma }_2$, user $u_2$ computes the extractor algorithm Ext to extract the witness ${\mathit{x}}^{\prime }=\mathsf{Ext}(\mathit{Y},{\sigma }_2,{\tilde{\sigma }}_2)$. It then runs the adaptor algorithm Adapt to compute the signature ${\sigma }_1=\mathrm{Adapt}({\tilde{\sigma }}_1,{\mathit{x}}^{\prime })$. To finish, $u_2$ publishes ${\sigma }_1$ on the blockchain.

The above procedure is depicted in Figure 5.

6. Conclusions

In this paper, we proposed an adaptor signature scheme based on hard problems in coding theory. We used the code-based signature scheme Wave as our underlying signature scheme. In order to equip our scheme with common features and security properties, we presented some modifications to the Wave signature. We showed that the proposed adaptor signature scheme is secure under the hardness of the SD and the indistinguishability of generalized ($U,U+V$) code problems, both of which are considered quantum safe. We also gave a set of parameters for adaptor signature uses and compared the proposed scheme with other post-quantum adaptor signature schemes in terms of pre-signature and signature sizes. For parameter values corresponding to Level 1 NIST PQC security, our scheme has a slightly larger signature size compared to that of [17], but a considerably smaller pre-signature size than those of [12,17]. With the smaller pre-signature size, our scheme has the potential to reduce the overall communication cost in an atomic swap, as there are more exchanges of pre-signatures than signatures.